ZyXEL Communications ZyWALL 1050 User Manual
ZyWALL 1050
Internet Security Gateway
User's Guide
Version 1.00
9/2006
Edition 3



Summary of Contents for ZyXEL Communications ZyWALL 1050

  • Page 3: Copyright

    ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.
  • Page 4: Certifications

    Certifications. FCC Statement: This device complies with Part 15 of the FCC rules. Operation is subject to the following two conditions: 1 This device may not cause harmful interference. 2 This device must accept any interference received, including interference that may cause undesired operations.
  • Page 5 Viewing Certifications: 1 Go to www.zyxel.com. 2 Select your product from the drop-down list box on the ZyXEL home page to go to that product's page. 3 Select the certification you wish to view from this page.
  • Page 6: Safety Warnings

    Safety Warnings. For your safety, be sure to read and follow all warning notices and instructions. • Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel can service the device.
  • Page 7: Zyxel Limited Warranty

    ZyXEL Limited Warranty. ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During...
  • Page 8: Customer Support

    Customer Support. Please have the following information ready when you contact customer support. • Product model and serial number. • Warranty Information. • Date that you received your device. • Brief description of the problem and the steps you took to solve it.
  • Page 9 Customer support contacts (support e-mail, telephone, web site, regular mail, sales e-mail, FTP site, location). Norway: support@zyxel.no, +47-22-80-61-80, www.zyxel.no, ZyXEL Communications A/S, Nils Hansens vei 13, 0667 Oslo, Norway; sales: sales@zyxel.no, +47-22-80-61-81. Poland: info@pl.zyxel.com, +48 (22) 333 8250, www.pl.zyxel.com, ZyXEL Communications ul. ...
  • Page 11: Table Of Contents

    Table of Contents: Copyright (p. 3); Certifications (p. 4); Safety Warnings (p. 6); ZyXEL Limited Warranty (p. 7); Customer Support (p. 8); Table of Contents (p. 11); List of Figures (p. 27); List of Tables (p. 37); About This User's Guide (p. 43); Chapter 1 Introducing the ZyWALL ...
  • Page 12 Chapter 3 Web Configurator (p. 59); 3.1 Web Configurator Requirements (p. 59); 3.2 Web Configurator Access (p. 59); 3.3 Web Configurator Main Screen (p. 61); 3.3.1 Title Bar (p. 61); 3.3.2 Navigation Panel (p. 62); 3.3.3 Main Window (p. 64); 3.3.4 Status Bar (p. 65); Chapter 4 Wizard Setup ...
  • Page 13 4.8.6 VPN Advanced Wizard - Phase 1 (p. 98); 4.8.6.1 Phase 2 Setting (p. 99); 4.8.7 VPN Advanced Wizard - Phase 2 (p. 100); 4.8.8 VPN Advanced Wizard - Summary (p. 102); 4.8.9 VPN Advanced Wizard - Finish (p. 102); Chapter 5 Configuration Basics ...
  • Page 14 6.4.4 Set up Web Surfing Policies (p. 144); 6.4.5 Set up Bandwidth Restrictions (p. 145); 6.4.6 Set up MSN Policies (p. 146); 6.4.7 Set up LAN-to-DMZ Policies (p. 147); 6.5 Trunks (p. 148); 6.5.1 Set up Available Bandwidth on Ethernet Interfaces (p. 149); 6.5.2 Change WAN Trunk Algorithm (p. 149) ...
  • Page 15 10.1.3 Interface Parameters (p. 180); 10.1.4 DHCP Settings (p. 180); 10.1.5 Ping Check Settings (p. 182); 10.1.6 Relationships Between Interfaces (p. 182); 10.2 Ethernet Interfaces (p. 183); 10.2.1 Ethernet Interfaces Overview (p. 183); 10.2.2 Ethernet Summary Screen (p. 184); 10.2.3 Ethernet Edit (p. 185); 10.3 Port Grouping (p. 190) ...
  • Page 16 11.6 Configuring a Trunk (p. 219); Chapter 12 IPSec VPN (p. 223); 12.1 IPSec VPN Overview (p. 223); 12.1.1 IPSec SA Overview (p. 224); 12.1.1.1 Local Network and Remote Network (p. 224); 12.1.1.2 Active Protocol (p. 224); 12.1.1.3 Encapsulation (p. 225); 12.1.1.4 IPSec SA Proposal and Perfect Forward Secrecy (p. 225); 12.1.2 Additional Topics for IPSec SA (p. 226) ...
  • Page 17 13.3.1 OSPF Areas (p. 258); 13.3.2 OSPF Routers (p. 259); 13.3.3 Virtual Links (p. 260); 13.3.4 OSPF Configuration (p. 261); 13.4 OSPF Screens (p. 261); 13.4.1 OSPF Summary (p. 261); 13.4.2 OSPF Area Add/Edit (p. 263); Chapter 14 Zones (p. 267); 14.1 Zones Overview (p. 267); 14.1.1 Effect of Zones on Different Types of Traffic (p. 267) ...
  • Page 18 Chapter 18 Route (p. 291); 18.1 Policy Route (p. 291); 18.1.1 Benefits (p. 291); 18.2 Routing Policy (p. 291); 18.2.1 NAT and SNAT (p. 292); 18.2.2 Port Triggering (p. 292); 18.3 IP Routing Policy Setup (p. 293); 18.4 Policy Route Edit (p. 294); 18.4.1 Adding a New Service (p. 297) ...
  • Page 19 20.3.1 Configuration Edit (p. 325); 20.4 Other Protocol Screen (p. 328); 20.4.1 Other Configuration Add/Edit (p. 330); Chapter 21 IDP (p. 333); 21.1 Introduction to IDP (p. 333); 21.1.1 Host Intrusions (p. 333); 21.1.2 Network Intrusions (p. 333); 21.1.3 IDP on the ZyWALL (p. 334); 21.2 Protected Zones and Profiles (p. 334) ...
  • Page 20 21.11.2 Custom Signature Example (p. 366); 21.11.2.1 Understand the Vulnerability (p. 367); 21.11.2.2 Analyze Packets (p. 367); 21.11.3 Applying Custom Signatures (p. 370); 21.11.4 Verifying Custom Signatures (p. 370); 21.11.5 Snort Signatures (p. 371); 21.12 Updating IDP Signatures (p. 372); Chapter 22 Content Filtering Screens (p. 375); 22.1 Content Filtering Overview (p. 375) ...
  • Page 21 25.2 HTTP Redirect, Firewall and Policy Route (p. 409); 25.3 Configuring HTTP Redirect (p. 410); 25.4 HTTP Redirect Edit (p. 411); Chapter 26 VoIP Pass Through (p. 413); 26.1 VoIP Pass Through and the ZyWALL (p. 413); 26.1.1 Application Layer Gateway (ALG) and NAT (p. 413); 26.1.2 ALG and Trunks (p. 413) ...
  • Page 22 28.2 Address Screens (p. 437); 28.2.1 Address Summary (p. 437); 28.2.2 Address Add/Edit (p. 438); 28.3 Address Group Screens (p. 439); 28.3.1 Address Group Summary (p. 439); 28.3.2 Address Group Add/Edit (p. 440); Chapter 29 Services (p. 443); 29.1 Services Overview (p. 443); 29.1.1 IP Protocols (p. 443) ...
  • Page 23 Chapter 32 Authentication Objects (p. 465); 32.1 Authentication Objects Overview (p. 465); 32.2 Viewing Authentication Objects (p. 465); 32.3 Creating an Authentication Object (p. 466); 32.3.1 Example: Selecting a VPN Authentication Method (p. 467); Chapter 33 Certificates (p. 469); 33.1 Certificates Overview (p. 469); 33.1.1 Advantages of Certificates (p. 470) ...
  • Page 24 34.5.8 Adding a Domain Zone Forwarder (p. 499); 34.5.9 MX Record (p. 499); 34.5.10 Adding a MX Record (p. 500); 34.5.11 DNS Service Control (p. 500); Chapter 35 System Remote Management (p. 503); 35.1 Remote Management Overview (p. 503); 35.1.1 Remote Management Limitations (p. 503); 35.1.2 System Timeout (p. 504) ...
  • Page 25 Chapter 37 Reports (p. 537); 37.1 Report Screen (p. 537); 37.2 Session Screen (p. 540); Chapter 38 Reboot (p. 543); Appendix A Product Specifications (p. 545); Appendix B Common Services (p. 547); Appendix C Open Software Announcements (p. 551); Index (p. 581) ...
  • Page 27: List Of Figures

    List of Figures: Figure 1 Front Panel Ports (p. 47); Figure 2 Front Panel (p. 48); Figure 3 Managing the ZyWALL: Web Configurator (p. 49); Figure 4 Managing the ZyWALL: Command-Line Interface (p. 49); Figure 5 Applications: VPN Connectivity (p. 56); Figure 6 Applications: User-Aware Access Control ...
  • Page 28 Figure 39 VPN Advanced Wizard: Step 4 (p. 99); Figure 40 VPN Advanced Wizard: Step 5 (p. 101); Figure 41 VPN Wizard: Step 6: Advanced (p. 103); Figure 42 Interfaces and Zones: Example (p. 108); Figure 43 Status > Interface Status Summary, Initial (p. 120); Figure 44 Network > ...
  • Page 29 Figure 82 Status > Interface Status Summary (p. 139); Figure 83 Network > Device HA > VRRP Group > add (p. 139); Figure 84 Network > Device HA > Synchronize (p. 139); Figure 85 Network > Device HA > VRRP Group > add (p. 140); Figure 86 Status > ...
  • Page 30 Figure 125 File Manager > Shell Script > Copy (p. 175); Figure 126 File Manager > Shell Script > Rename (p. 175); Figure 127 Example: Entry in the Routing Table Derived from Interfaces (p. 179); Figure 128 Network > Interface > Ethernet (p. 184); Figure 129 Network > ...
  • Page 31 Figure 168 Network > IPSec VPN > Concentrator > Edit (p. 253); Figure 169 Network > IPSec VPN > Concentrator > Edit > Member (p. 253); Figure 170 Network > IPSec VPN > SA Monitor (p. 254); Figure 171 Network > ...
  • Page 32 Figure 211 Firewall Example: MyService Example Rule Summary (p. 320); Figure 212 Policy > Application Patrol > Configuration (p. 324); Figure 213 Policy > Application Patrol > Configuration > Edit (p. 326); Figure 214 Policy > Application Patrol > Other Protocol (p. 329); Figure 215 Policy > ...
  • Page 33 Figure 254 Blue Coat: Report Home (p. 398); Figure 255 Global Report Screen Example (p. 399); Figure 256 Requested URLs Example (p. 400); Figure 257 Web Page Review Process Screen (p. 401); Figure 258 Multiple Servers Behind NAT Example (p. 404); Figure 259 Policy > ...
  • Page 34 Figure 297 Example: LDAP Client and Server (p. 456); Figure 298 Basic LDAP Directory Structure (p. 457); Figure 299 Objects: AAA Server: LDAP: Default (p. 458); Figure 300 Objects > AAA Server > LDAP > Group (p. 459); Figure 301 Objects > ...
  • Page 35 Figure 340 SSH Example 2: Log in (p. 517); Figure 341 Telnet Configuration on a TCP/IP Network (p. 517); Figure 342 System > Telnet (p. 518); Figure 343 System > FTP (p. 519); Figure 344 SNMP Management Model (p. 521); Figure 345 System > ...
  • Page 37: List Of Tables

    List of Tables: Table 1 Front Panel LEDs (p. 48); Table 2 Managing the ZyWALL: Console Port (p. 49); Table 3 Starting and Stopping the ZyWALL (p. 50); Table 4 Packet Flow Key (p. 54); Table 5 Title Bar: Web Configurator Icons (p. 61); Table 6 Navigation Panel Summary (Except for Configuration Menu) ...
  • Page 38 Table 39 Configuration Files and Shell Scripts in the ZyWALL (p. 168); Table 40 File Manager > Configuration File (p. 171); Table 41 File Manager > Firmware Package (p. 173); Table 42 File Manager > Shell Script (p. 175); Table 43 Ethernet, VLAN, Bridge, PPPoE/PPTP, and Virtual Interfaces Characteristics ...
  • Page 39 Table 82 Network > ISP Account (p. 271); Table 83 Network > ISP Account > Edit (p. 272); Table 84 Network > Device HA > VRRP Group (p. 278); Table 85 Network > Device HA > VRRP Group > Edit (p. 280); Table 86 Network > ...
  • Page 40 Table 125 Configuration > Policy > Content Filtering > Filtering Profiles > Customization (p. 389); Table 126 Configuration > Policy > Content Filter > Cache (p. 392); Table 127 Policy > Virtual Server (p. 405); Table 128 Policy > Virtual Server > Edit (p. 406); Table 129 HTTP Redirect ...
  • Page 41 Table 168 System > Host Name (p. 489); Table 169 System > Date and Time (p. 490); Table 170 Default Time Servers (p. 492); Table 171 System > Console Port Speed (p. 494); Table 172 System > DNS (p. 495); Table 173 System > ...
  • Page 43: About This User's Guide

    About This User's Guide. This manual is designed to guide you through the configuration of your ZyWALL for its various applications. Generally, it is organized as follows. • Introduction (ZyWALL, web configurator) • Features (by menu item in the web configurator) •...
  • Page 44: Syntax Conventions

    The Command Reference Guide explains how to use the Command-Line Interface (CLI) and CLI commands to configure the ZyWALL. Note: It is recommended you use the web configurator to configure the ZyWALL. • Web Configurator Online Help: Click the help icon in any screen for help in configuring that screen and supplementary information.
  • Page 45 Graphics Icons Key: ZyWALL, Computer, Notebook computer, Server, DSLAM, Firewall, Telephone, Switch, Router.
  • Page 47: Introducing The Zywall

    Chapter 1 Introducing the ZyWALL. This chapter gives an overview of the ZyWALL. It explains the front panel ports and LEDs, introduces the management methods and the different ways to start or stop the ZyWALL, and shows you how to reset the ZyWALL to its factory default settings.
  • Page 48: Front Panel Leds

    To enable management access from the WAN, log into the web configurator, go to System > WWW, and change the default Deny to Accept in the rule in the Admin Service Control section. If you do this, limit the accepted source addresses to the hosts that actually need administrative access rather than accepting management connections from the whole Internet. You should configure the Network > Interface screens first to establish network connectivity before configuring security features such as firewall, VPN, content filtering, IDP and so on.
  • Page 49: Figure 3 Managing The Zywall: Web Configurator

    Web Configurator: The web configurator allows easy ZyWALL setup and management using an Internet browser. This User’s Guide provides information about the web configurator. Figure 3 Managing the ZyWALL: Web Configurator. Command-Line Interface (CLI): The CLI allows you to use text-based commands to configure the ZyWALL. You can access it using remote management (for example, SSH or Telnet) or via the console port. Prefer SSH for remote CLI access: Telnet sends the login credentials and the whole session in cleartext.
  • Page 50: Starting And Stopping The Zywall

    Table 2 Managing the ZyWALL: Console Port (SETTING / VALUE: Stop Bit, Flow Control). 1.4 Starting and Stopping the ZyWALL: This section explains some of the ways to start and stop the ZyWALL. These are summarized below.
  • Page 51 Note: This procedure removes the current configuration. If you want to reboot the device without changing the current configuration, see Chapter 38 on page 543. 1 Make sure the SYS LED is on and not blinking.
  • Page 53: Features And Applications

    Chapter 2 Features and Applications. This chapter introduces the main features and applications of the ZyWALL. 2.1 Features: The ZyWALL’s security features include VPN, firewall, content filtering, IDP (Intrusion Detection and Prevention), and certificates. It also provides bandwidth management, NAT, port forwarding, policy routing, DHCP server and many other powerful features.
  • Page 54: Packet Flow

    Intrusion Detection and Prevention (IDP): IDP on the ZyWALL is designed to protect against network-based intrusions. See Section 21.7.1 on page 339 for a list of attacks that the ZyWALL can protect against. You can also create your own custom IDP rules.
  • Page 55: Interface To Interface (Through Zywall)

    Table 4 Packet Flow Key: Content Filtering; SNAT = Source NAT; IPSec D/E = VPN Decryption/Encryption; Bandwidth Management; Remote Management (System). 2.2.1 Interface to Interface (Through ZyWALL): Ethernet -> VLAN -> Encap -> ALG -> AC -> DNAT -> Routing -> FW -> AC -> IDP -> AP -> ...
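The order above places DNAT before Routing and FW, so the firewall sees a forwarded packet by its translated (internal) destination and by the zone the routing step selects. The Python model below is an added example, not code from this guide or from ZyXEL; it walks one constructed inbound packet through those three stages only (the other stages in the chain are left out). The virtual-server entry, routes, interface and zone names and both firewall rule sets are assumed sample data.

```python
"""Toy model of the documented through-device order DNAT -> Routing -> FW.
Added example; every table below is constructed sample data, not ZyWALL config."""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_iface: str


# Assumed virtual-server (DNAT) entry: 203.0.113.10:80 on wan1 -> 192.168.3.10:8080
VIRTUAL_SERVERS = [
    {"iface": "wan1", "ext_ip": "203.0.113.10", "proto": "tcp", "ext_port": 80,
     "int_ip": "192.168.3.10", "int_port": 8080},
]

# Assumed routing table (network -> outgoing interface); longest prefix wins
ROUTES = [
    ("192.168.3.0/24", "dmz"),
    ("192.168.1.0/24", "lan1"),
    ("0.0.0.0/0", "wan1"),
]

# Assumed interface -> zone mapping
ZONES = {"wan1": "WAN", "lan1": "LAN", "dmz": "DMZ"}

# Assumed firewall rules, evaluated top-down, first match wins.
# Because DNAT runs before FW, the rule must name the translated destination.
RULES_AFTER_DNAT = [
    {"from": "WAN", "to": "DMZ", "dst": "192.168.3.10", "proto": "tcp",
     "dport": 8080, "action": "allow"},
    {"from": "WAN", "to": "ANY", "dst": "any", "proto": "any",
     "dport": None, "action": "deny"},
]

# The same intent written against the public address never matches.
RULES_PUBLIC_ADDR = [
    {"from": "WAN", "to": "DMZ", "dst": "203.0.113.10", "proto": "tcp",
     "dport": 80, "action": "allow"},
    {"from": "WAN", "to": "ANY", "dst": "any", "proto": "any",
     "dport": None, "action": "deny"},
]


def dnat(pkt: Packet) -> Packet:
    """Destination NAT: rewrite dst/dport when a virtual-server entry matches."""
    for vs in VIRTUAL_SERVERS:
        if (pkt.in_iface == vs["iface"] and pkt.dst == vs["ext_ip"]
                and pkt.proto == vs["proto"] and pkt.dport == vs["ext_port"]):
            return replace(pkt, dst=vs["int_ip"], dport=vs["int_port"])
    return pkt


def route(pkt: Packet) -> str:
    """Longest-prefix-match lookup on the (already translated) destination."""
    addr = ipaddress.ip_address(pkt.dst)
    best_net, best_iface = None, None
    for net, iface in ROUTES:
        network = ipaddress.ip_network(net)
        if addr in network and (best_net is None or network.prefixlen > best_net.prefixlen):
            best_net, best_iface = network, iface
    return best_iface


def firewall(pkt: Packet, out_iface: str, rules) -> str:
    """Zone-based rule match on post-DNAT fields; implicit deny if nothing matches."""
    from_zone, to_zone = ZONES[pkt.in_iface], ZONES[out_iface]
    for r in rules:
        if r["from"] not in (from_zone, "ANY") or r["to"] not in (to_zone, "ANY"):
            continue
        if r["dst"] != "any" and r["dst"] != pkt.dst:
            continue
        if r["proto"] != "any" and r["proto"] != pkt.proto:
            continue
        if r["dport"] is not None and r["dport"] != pkt.dport:
            continue
        return r["action"]
    return "deny"


def process(pkt: Packet, rules=RULES_AFTER_DNAT):
    """Run the three documented stages in order; return (verdict, packet as the FW saw it, out interface)."""
    translated = dnat(pkt)
    out_iface = route(translated)
    verdict = firewall(translated, out_iface, rules)
    return verdict, translated, out_iface


if __name__ == "__main__":
    inbound = Packet("198.51.100.7", "203.0.113.10", "tcp", 80, "wan1")
    print(process(inbound))                     # allow, dst 192.168.3.10:8080 via dmz
    print(process(inbound, RULES_PUBLIC_ADDR))  # deny: rule names the untranslated address
```

The practical consequence for rule writing on this device: a WAN-to-DMZ rule for a virtual server must use the internal address and port, because by the time FW runs, the public address is already gone from the packet.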
  • Page 56: Vpn Connectivity

    2.3.1 VPN Connectivity: Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to your network. You can also set up additional connections to the Internet to provide better service.
  • Page 57: Multiple Wan Interfaces

    Figure 6 Applications: User-Aware Access Control. 2.3.3 Multiple WAN Interfaces: Set up multiple connections to the Internet on the same port, or set up multiple connections on different ports. In either case, you can balance the loads between them.
  • Page 58: Figure 8 Applications: Device Ha

    Figure 8 Applications: Device HA.
  • Page 59: Chapter 3 Web Configurator

    Chapter 3 Web Configurator. The ZyWALL web configurator allows easy ZyWALL setup and management using an Internet browser. 3.1 Web Configurator Requirements: In order to use the web configurator, you must • Use Internet Explorer 6.0 or later, Netscape Navigator 7.2 or later, or Firefox 1.0.7 or later •...
  • Page 60: Figure 9 Login Screen

    Figure 9 Login Screen. 3 Type the user name (default: “admin”) and password (default: “1234”), and click Login. If you logged in using the default user name and password, the Update Admin Info screen (Figure 10 on page 60) appears. Set a new password there before the device is reachable from any untrusted network: the defaults are printed in this guide and are the first credentials an attacker will try.
  • Page 61: Web Configurator Main Screen

    Figure 11 Main Screen. 3.3 Web Configurator Main Screen: As illustrated in Figure 11 on page 61, the main screen is divided into these parts: • A - title bar • B - navigation panel • C - main window •...
  • Page 62: Navigation Panel

    Table 5 Title Bar: Web Configurator Icons (continued). Site Map: Click this icon to display the site map for the web configurator. You can use the site map to go directly to any menu item or any tab in the web configurator.
  • Page 63 Table 7 Navigation Panel Summary (Configuration Menu Only) (continued). Interface > Ethernet: Use this screen to manage Ethernet interfaces and virtual Ethernet interfaces. Port Grouping: Use this screen to configure physical port groups. VLAN: Use this screen to create and manage VLAN interfaces and virtual VLAN interfaces.
  • Page 64: Main Window

    Table 7 Navigation Panel Summary (Configuration Menu Only) (continued). HTTP Redirect: Use this screen to set up and manage HTTP redirection rules. VoIP passThru: Use this screen to configure SIP and H.323 pass-through settings.
  • Page 65: Status Bar

    Right after you log in, the Status screen is displayed. See Chapter 3 on page 59 for more information about the Status screen. 3.3.4 Status Bar: Check the status bar when you click Apply or OK to verify that the configuration has been updated.
  • Page 67: Chapter 4 Wizard Setup

    Chapter 4 Wizard Setup. This chapter provides information on configuring the Wizard setup screens in the web configurator. See the feature-specific chapters in this User’s Guide for background information. 4.1 Wizard Setup Overview: The web configurator's setup wizards help you configure Internet and VPN connection settings.
  • Page 68: Installation Setup, One Isp

    Figure 14 Wizard Setup Welcome. 4.2 Installation Setup, One ISP: The wizard screens vary depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information.
  • Page 69: Step 1 Internet Access

    Figure 15 Internet Access: Step 1. The following table describes the labels in this screen. Table 8 Internet Access: Step 1. ISP Parameters > Encapsulation: Choose the Ethernet option when the WAN port is used as a regular Ethernet.
  • Page 70: Ethernet: Auto Ip Address Assignment

    Zone: Select the security zone to which you want this interface and Internet connection to belong. IP Address Assignment: Select Auto if your ISP did not assign you a fixed IP address. Select Static if the ISP assigned a fixed IP address.
  • Page 71: Figure 17 Ethernet Encapsulation: Static

    Figure 17 Ethernet Encapsulation: Static. The following table describes the labels in this screen. Table 9 Ethernet Encapsulation: Static. ISP Parameters > Encapsulation: This displays the type of Internet connection you are configuring. WAN IP Address...
  • Page 72: Step 2 Internet Access Ethernet

    4.3.3 Step 2 Internet Access Ethernet: You do not configure this screen if you selected Auto as the IP Address Assignment in the previous screen. Note: Enter the Internet access information exactly as given to you by your ISP.
  • Page 73: Pppoe: Auto Ip Address Assignment

    4.3.4 PPPoE: Auto IP Address Assignment: If you select Auto as the IP Address Assignment in the previous screen, the following screen displays after you click Next. Figure 19 PPPoE Encapsulation: Auto. The following table describes the labels in this screen.
  • Page 74: Pppoe: Static Ip Address Assignment

    Table 10 PPPoE Encapsulation: Auto (continued). WAN Interface: This displays the identity of the interface you configure to connect with your ISP. Zone: This field displays to which security zone this interface and Internet connection will belong.
  • Page 75: Figure 21 Pppoe Encapsulation: Static

    Figure 21 PPPoE Encapsulation: Static. The following table describes the labels in this screen. Table 11 PPPoE Encapsulation: Static. ISP Parameters > Encapsulation: This displays the type of Internet connection you are configuring. Service Name: Type the PPPoE service name given to you by your ISP.
  • Page 76: Step 2 Internet Access Pppoe

    Table 11 PPPoE Encapsulation: Static (continued). DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.
  • Page 77: Pptp: Auto Ip Address Assignment

    Figure 22 PPPoE Encapsulation: Static: Finish. You have set up your ZyWALL to access the Internet. Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can click Next and use the following screen to perform a basic registration (see Section 4.4 on...
  • Page 78: Figure 23 Pptp Encapsulation: Auto

    Figure 23 PPTP Encapsulation: Auto. The following table describes the labels in this screen. Table 12 PPTP Encapsulation: Auto. ISP Parameters > Encapsulation: This displays the type of Internet connection you are configuring. User Name: Type the user name given to you by your ISP.
  • Page 79: Figure 24 Pptp Encapsulation: Auto: Finish

    Table 12 PPTP Encapsulation: Auto (continued). Connection ID: Enter the connection ID or connection name in this field. It must follow either the "c:id" or the "n:name" format, for example C:12 or N:My ISP. This field is optional and depends on the requirements of your DSL modem.
  • Page 80: Pptp: Static Ip Address Assignment

    Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can click Next and use the following screen to perform a basic registration (see Section 4.4 on...
  • Page 81: Step 2 Internet Access Pptp

    Table 13 PPTP Encapsulation: Static (continued). User Name: Type the user name given to you by your ISP. You can use alphanumeric and - @$./ characters, and it can be up to 31 characters long.
  • Page 82: Pptp Configuration

    Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPTP server. 4.3.9.2 PPTP Configuration. Base Interface: This is the identity of the Ethernet interface you configure to connect with a modem or router.
  • Page 83: Step 4 Internet Access - Finish

    Figure 26 PPTP Encapsulation: Static: Finish. 4.3.10 Step 4 Internet Access - Finish: You have set up your ZyWALL to access the Internet. Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP.
  • Page 84: Figure 27 Registration

    Figure 27 Registration. The following table describes the labels in this screen. Table 14 Registration. Device Registration: If you select existing myZyXEL.com account, only the User Name and Password fields are available. new myZyXEL.com: If you haven’t created an account at myZyXEL.com, select this option and...
  • Page 85: Figure 28 Registration: Registered Device

    Table 14 Registration (continued). Close: Click Close to exit the wizard. Next: Click Next to save your changes back to the ZyWALL and activate the selected services. Select existing myZyXEL.com account if you already have an account at myZyXEL.com and enter your user name and password in the fields below to register your ZyWALL.
  • Page 86: Installation Setup, Two Internet Service Providers

    4.5 Installation Setup, Two Internet Service Providers: This wizard allows you to configure two interfaces for Internet access through either two different Internet Service Providers (ISPs) or two different accounts with the same ISP. The configuration of the following screens is explained in Section 4.2 on page 68...
  • Page 87: Figure 30 Internet Access: Step 3: Second Wan Interface

    Figure 30 Internet Access: Step 3: Second WAN Interface. After you configure the Second WAN Interface, a summary of configuration settings displays for both WAN interfaces.
  • Page 88: Internet Access Wizard Setup Complete

    Figure 31 Internet Access: Finish. Note: You can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Use the myZyXEL.com link if you do not already have a myZyXEL.com account. If you already have a myZyXEL.com account, you can...
  • Page 89: Vpn Wizards

    A VPN (Virtual Private Network) tunnel is a secure connection to another computer or network. Use the Express wizard to create a VPN connection with another ZyWALL 1050 using a pre- shared key and default security settings. Use the Advanced wizard to configure detailed VPN security settings such as using certificates.
  • Page 90: Vpn Express Wizard

    ZyWALL 1050 User’s Guide 4.7.1 VPN Express Wizard Click the Express radio button as shown in Figure 32 on page 89 to display the following screen. Figure 33 VPN Express Wizard: Step 2 The following table describes the labels in this screen.
  • Page 91: Vpn Express Wizard - Remote Gateway

    ZyWALL 1050 User’s Guide 4.8 VPN Express Wizard - Remote Gateway The Remote Gateway policy identifies the IPSec devices at either end of a VPN tunnel. Name: Type the name used to identify this VPN connection (and VPN gateway). You may use...
  • Page 92: Vpn Express Wizard - Policy Setting

    Type a static local IP address that corresponds to the remote IPSec router's Mask) configured remote IP address (the remote IP address of the other ZyWALL 1050). To specify IP addresses on a network by their subnet mask, type the subnet mask of the LAN behind your ZyWALL.
  • Page 93: Vpn Express Wizard - Summary

    These commands set the matching VPN connection settings for the remote gateway. for Remote If the remote gateway is a ZyWALL 1050, you can copy and paste this list into its Gateway command line interface in order to configure it for the VPN tunnel.
  • Page 94: Vpn Express Wizard - Finish

    IPSec device that can use the tunnel. You can copy and paste the Configuration for Remote Gateway commands into a peer ZyWALL 1050's command line interface. Figure 36 VPN Express Wizard: Step 6 Note: If you have not already done so, use the myZyXEL.com link and register your ZyWALL with myZyXEL.com and activate trials of services like IDP.
  • Page 95: Vpn Advanced Wizard

    ZyWALL 1050 User’s Guide Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can click Next and use the following screen to perform a basic registration (see Section 4.4 on...
  • Page 96: Vpn Advanced Wizard - Remote Gateway

    ZyWALL 1050 User’s Guide Table 19 VPN Advanced Wizard: Step 2 (continued) LABEL DESCRIPTION My Address Select an interface from the drop-down list box to use on your ZyWALL. (interface) Authentication Method Pre-Shared Key Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation.
  • Page 97: Figure 38 Vpn Advanced Wizard: Step 3

    Figure 38 VPN Advanced Wizard: Step 3 The following table describes the labels in this screen. Table 20 VPN Advanced Wizard: Step 3 LABEL DESCRIPTION Negotiation Mode: Select Main for identity protection. Select Aggressive to allow more incoming connections from dynamic IP addresses to use separate passwords.
  • Page 98: Vpn Advanced Wizard - Phase 1

    Table 20 VPN Advanced Wizard: Step 3 (continued) LABEL DESCRIPTION SA Life Time (Seconds): Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 60 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys.
  • Page 99: Phase 2 Setting

    Use Dead Peer Detection (DPD) to have the ZyWALL make sure the remote IPSec router is there before transmitting data through the IKE SA. If the remote IPSec server does not respond, the ZyWALL shuts down the IKE SA.
  • Page 100: Vpn Advanced Wizard - Phase 2

    Table 21 VPN Advanced Wizard: Step 4 (continued) LABEL DESCRIPTION Encryption Algorithm: When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code.
  • Page 101: Figure 40 Vpn Advanced Wizard: Step 5

    Incoming Interface: The peer IPSec device connects to the ZyWALL via this interface. Remote Policy (IP/Mask): Type the IP address of a computer behind the peer IPSec device. You can also specify a subnet. This must match the local IP address configured on the peer IPSec device.
  • Page 102: Vpn Advanced Wizard - Summary

    Gateway CLI: These commands set the matching VPN connection settings for the remote gateway. If the remote gateway is a ZyWALL 1050, you can copy and paste this list into its command line interface in order to configure it for the VPN tunnel.
  • Page 103: Figure 41 Vpn Wizard: Step 6: Advanced

    Figure 41 VPN Wizard: Step 6: Advanced Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can click Next and use the following screen to perform a basic registration (see Section 4.4 on...
  • Page 105: Configuration Basics

    Chapter 5 Configuration Basics This section provides a lot of information to help you configure the ZyWALL effectively. Some of it is helpful when you are just getting started. Some of it is provided for your reference when you try configuring various features in the ZyWALL.
  • Page 106: Terminology In The Zywall

    5.2 Terminology in the ZyWALL This section highlights some differences in terminology or organization between the ZyWALL and other routers, particularly ZyNOS routers. Table 23 ZyWALL Terminology That is Different Than ZyNOS ZYNOS FEATURE / TERM...
  • Page 107: Physical Ports, Interfaces, And Zones

    5.3 Physical Ports, Interfaces, and Zones If you want to configure the ZyWALL effectively, you should understand the differences between physical ports, interfaces, and zones. The following illustration provides an overview of the relationship between physical ports, interfaces, and zones in the ZyWALL. It also identifies the types of features you can configure with each one.
  • Page 108: Network Topology Example

    Zones are used for security policies. A zone is simply a group of interfaces and/or VPN tunnels; by default, the ZyWALL has LAN, WAN and DMZ zones. Each interface and VPN tunnel can be assigned to one and only one zone. You can add, change, or remove the interfaces and VPN tunnels in each zone without affecting the settings that are based on zones.
  • Page 109 Feature: This provides a brief description. See the appropriate chapter(s) in this User’s Guide for more information about any feature. MENU ITEM(S): This shows you the sequence of menu items and tabs you should click to find the main screen(s) for this feature.
  • Page 110 Trunks: Use trunks to set up load balancing using two or more interfaces. MENU ITEM(S): Network > Interface > Trunk. PREREQUISITES: Interfaces. WHERE USED: Policy routes. Example: See Chapter 6 on page 119. IPSec VPN: Use VPN to provide secure communication between two sites over the Internet or any insecure network that uses TCP/IP for communication.
  • Page 111: Policy Routes

    Device HA Use device HA to create redundant backup gateways. The ZyWALL 1050 runs VRRP v2. You can only set up device HA with other ZyWALL 1050s running the same firmware version. Network > Device HA...
  • Page 112: Static Routes

    8 For the Next Hop fields, select Interface as the Type if you have a single WAN connection or Trunk if you have multiple WAN connections. 9 Select the interface that you are using for your WAN connection (ge2 and ge3 are WAN interfaces by default).
  • Page 113 • In the Source field, select the address object of the VoIP server. • You don’t need to specify the destination address. • Leave the Access field set to Allow and the Log field set to No.
  • Page 114 Content Filter Use content filtering to block or allow access to specific categories of web site content, individual web sites and web features (such as cookies). You can define which user accounts (or groups) can access what content and at what times. You must have a subscription in order to use the category-based content filtering.
  • Page 115 2 Name the entry. 3 Select the WAN interface that the FTP traffic is to come in through (in this example, ge2 or ge3). 4 Specify the public WAN IP address where the ZyWALL will receive the FTP packets.
  • Page 116: Objects

    User/Group Use these screens to configure the ZyWALL’s administrator and user accounts. The ZyWALL provides the following user types. TYPE / ABILITIES: Admin: Change ZyWALL configuration (web, CLI). Limited-Admin: Look at ZyWALL configuration (web). User: Access network services, browse user-mode commands (CLI).
  • Page 117: System Management

    OBJECT / WHERE USED: schedules: Policy routes (criteria), firewall, application patrol, content filter, user settings (force user authentication). AAA server: Authentication methods. authentication methods: VPN gateways (extended authentication), WWW (client authentication). certificates: VPN gateways, WWW, SSH, FTP. 5.6 System Management...
  • Page 118: Logs And Reports

    • Shell scripts. Use shell scripts to run a series of CLI commands. These are useful for large, repetitive configuration changes (for example, creating a lot of VPN tunnels) and for troubleshooting. You can edit configuration files and shell scripts in any text editor.
  • Page 119: Chapter 6 Tutorials

    Chapter 6 Tutorials This chapter provides some examples of using the web configurator to set up features in the ZyWALL. 6.1 Interfaces and Zones The following example shows how to use port grouping, Ethernet interfaces, trunks, and zones to set up the following configuration.
  • Page 120: Set Up Port Grouping

    Figure 43 Status > Interface Status Summary, Initial 6.1.1 Set up Port Grouping This example creates a port group in ge1 by adding physical port 2 to representative interface ge1. There are no existing port groups.
  • Page 121: Set Up Ethernet Interfaces

    Figure 45 Network > Interface > Port Grouping, Drag-and-Drop 3 Click Apply. 4 Click Status, and scroll down to the Interface Status Summary, shown below. Ethernet interface ge1 has a status of Port Group Up, and Ethernet interface ge2 is disabled and has a Status of Port Group Inactive.
  • Page 122: Figure 47 Network > Interface > Ethernet, Initial

    Table 29 Ethernet Interfaces Example (continued) ETHERNET INTERFACE / SETTINGS: DHCP client; 192.168.10.10/24, DHCP server. You have decided to use the default settings for ge1 and ge4, so it is not necessary to edit these interfaces. You can also skip ge2 because there are no physical ports associated with it anymore.
  • Page 123: Figure 49 Network > Interface > Ethernet > Ge5 > Ip Address Assignment

    Figure 49 Network > Interface > Ethernet > ge5 > IP Address Assignment 4 Scroll down to the DHCP Setting section, and set up the DHCP server for ge5, as shown below. Figure 50 Network > Interface > Ethernet > ge5 > DHCP Setting 5 Use the default values for the rest of the settings.
  • Page 124: Wan Trunk

    Figure 51 Status > Interface Status Summary, After Ethernet Interfaces 6.1.3 WAN Trunk This example sets up trunk WAN_TRUNK with ge3 and ge4. This example uses the default settings for the trunk and shows how to add the interfaces to it.
  • Page 125: Figure 53 Network > Interface > Trunk > Add, Initial

    Figure 53 Network > Interface > Trunk > add, Initial 3 Enter the name WAN_TRUNK, select Least Load First for the load balancing algorithm (used in this example), and click the Add icon, as shown above. A new member appears, as shown below.
  • Page 126: Figure 56 Network > Interface > Trunk > Add, Member Ge3

    Figure 56 Network > Interface > Trunk > add, Member ge3 6 Click the Add icon for ge3, as shown above, and repeat these steps to add ge4. The screen then appears as shown below. Figure 57 Network > Interface > Trunk > add, Final 7 Use the default values for the rest of the settings.
  • Page 127: Figure 59 Policy > Route > Policy Route

    Figure 59 Policy > Route > Policy Route 10 Click Status, and scroll down to the Interface Status Summary, shown below. There should be no change.
  • Page 128: Zones

    Figure 60 Status > Interface Status Summary, After Trunks 6.1.4 Zones This example sets up the LAN, WAN, and DMZ zones as shown below. Table 31 Zones Example ETHERNET INTERFACE / DEFAULT ZONE / FINAL ZONE Ethernet interface ge2 does not have any physical ports associated with it, so it does not matter to which zone it is assigned or if it is assigned to any zone at all.
  • Page 129: Figure 62 Network > Zone > Dmz, Initial

    Figure 62 Network > Zone > DMZ, Initial 3 Click the Remove icon for ge4, as shown above. A message box appears, confirming that you want to remove ge4. Click OK in this message box. The screen is updated, as shown below.
  • Page 130: Figure 65 Network > Zone > Wan, Edit Member

    Figure 65 Network > Zone > WAN, Edit Member 6 Select ge4, and click OK, as shown above. Figure 66 Network > Zone > WAN, Final 7 Keep the default value for Block Intra-Zone Traffic, and click OK to save these changes and return to the previous screen.
  • Page 131: Vpn

    Figure 67 Status > Interface Status Summary, After Zones 6.2 VPN This example is going to show you how to create the VPN tunnel illustrated below. Figure 68 VPN Example In this example, the ZyWALL is router X (220.123.123.2/24), and the remote IPSec router is router Y (220.123.143.10/24).
  • Page 132: Figure 69 Network > Interface > Ethernet > Ge3 > Ip Address

    Figure 69 Network > Interface > Ethernet > ge3 > IP Address 3 In Network > Interface > Ethernet, click the Edit icon for ge1. 4 Change the static IP address to 192.168.10.1. Figure 70 Network > Interface > Ethernet > ge1 > IP Address 5 The DHCP server is active, and you have to keep the IP Pool Start Address in the same subnet as the interface.
  • Page 133: Set Up The Zones For The Ethernet Interfaces

    By default, there is an address object called LAN_SUBNET, whose subnet is the same as that of ge1 (192.168.1.0/24). It is used by a policy route for the default trunk WAN_TRUNK. Normally, you should either delete these objects or change LAN_SUBNET to 192.168.10.0/24.
  • Page 134: Set Up The Policy Route For The Vpn Tunnel

    Figure 73 Object > Address > Address > add 3 Repeat the process to create a new address object for the remote network (“VPN_REMOTE_SUBNET”, 192.168.1.0/24). 4 Click Network > IPSec VPN > VPN Connection. Click the Add icon.
  • Page 135: Set Up The Zone For The Vpn Tunnel

    1 Click Policy > Route > Policy Route. You want this policy route to have higher priority than the default policy route for the trunk, so click the Add icon at the top of the column, not the one next to the existing policy route.
  • Page 136: Device Ha

    2 Give the zone a name (“VPN”), and add the VPN tunnel to it. To add the VPN tunnel, click the Add icon, and then click the Popup icon next to the new member that appears.
  • Page 137: Set Up The Ethernet Interfaces On The Master

    The ZyWALL has its default settings. Configure the master first because you can synchronize the backup with the master later. 6.3.1 Set up the Ethernet Interfaces on the Master You should configure at least two interfaces, ge1 and the interface that is connected to the Internet (ge2 or ge3).
  • Page 138: Set Up Dns For The Virtual Router

    By default, there is an address object called LAN_SUBNET, whose subnet is the same as that of ge1 (192.168.1.0/24). It is used by a policy route for the default trunk WAN_TRUNK. Normally, you should either delete these objects or change LAN_SUBNET to 192.168.10.0/24.
  • Page 139: Set Up The Password For Synchronization

    Figure 82 Status > Interface Status Summary 4 Repeat these steps for the interface that is connected to the Internet. The second VRRP group should have a different VR ID. Part of an example using ge3 is shown below.
  • Page 140: Set Up The Ethernet Interfaces On The Backup

    6.3.6 Set up the Ethernet Interfaces on the Backup On the backup ZyWALL, ge1 should be configured exactly the same way it is configured on the master, including the same IP address. Therefore, you should not configure the backup while it is connected to the same network as the master, or there will be an IP address conflict.
  • Page 141: User-Aware Access Control

    3 Type the password for synchronization in the Password field. Enter the IP address of the master (on a secure network), and click Sync Now to get the configuration from the master. Figure 87 Network > Device HA > Synchronize You can also set up the backup to synchronize with the master at regular intervals.
  • Page 142: Set Up User Accounts

    6.4.1 Set up User Accounts Set up one user account for each user account in the RADIUS server. If it is possible to export user names from the RADIUS server to a text file, then you might create a script to create the user accounts instead.
  • Page 143: Set Up User Authentication Using The Radius Server

    Figure 89 User/Group > Group > add 3 Repeat this process to set up the remaining user groups. 6.4.3 Set up User Authentication Using the RADIUS Server This step sets up user authentication (for HTTP/HTTPS access) using the RADIUS server.
  • Page 144: Set Up Web Surfing Policies

    Figure 91 Object > AAA Server > RADIUS > Default 4 Click System > WWW. In the Authentication section, select the new authentication method in the Client Authentication Method field. Click Apply. Figure 92 System > WWW > Authentication 5 Click User/Group >...
  • Page 145: Set Up Bandwidth Restrictions

    1 Click Policy > App Patrol. If application patrol is not enabled, enable it, and click Apply. 2 Click the Edit icon next to http. 3 Change the default policy to drop because you do not want anyone except authorized user groups to browse the web.
  • Page 146: Set Up Msn Policies

    Figure 95 Policy > Route > Policy Route 2 This policy route is similar to the default policy route, except for user and bandwidth restrictions. Select one of the user groups in the User field, and set the corresponding bandwidth restriction in the Maximum Bandwidth field.
  • Page 147: Set Up Lan-To-Dmz Policies

    1 Click Object > Schedule. Click the Add icon for recurring schedules. 2 Give the schedule a descriptive name. Set up the days (Monday through Friday) and the times (8:30 - 18:00) when Sales is allowed to use MSN. Click OK.
  • Page 148: Trunks

    Figure 98 Policy > Firewall > LAN > DMZ > edit 3 Click the Add icon at the top of the rule list to create an exception for one of the user groups that is allowed to access the DMZ.
  • Page 149: Set Up Available Bandwidth On Ethernet Interfaces

    Figure 100 Trunk Example The ZyWALL has its default settings, and you do not have to change many of them to set up this trunk. You only have to set up the bandwidth on ge2 and ge3 and change the algorithm that WAN_TRUNK uses.
  • Page 150: Nat 1:1 Example

    Figure 102 Network > Interface > Trunk > WAN_TRUNK > edit 6.6 NAT 1:1 Example In this example, C is an SMTP mail server in our LAN zone. It has a private IP address of 172.16.16.241. The public IP address of the server is 1.1.1.1.
  • Page 151: Interface

    Figure 104 Create Address Objects Figure 105 Address Objects 6.6.2 Interface The ge3 WAN interface has a different IP address than 1.1.1.1, so in order for the ZyWALL gateway to be able to do ARP resolution correctly, you need to create a ge3 virtual interface.
  • Page 152: Policy Route

    Figure 107 Virtual WAN Interface 6.6.3 Policy Route Now create a policy route (in the Policy > Route > Add screen) that defines the criteria for the address mapping as shown in the next screen. Be careful of where you create the route as routes are ordered in descending priority.
  • Page 153 Create a Firewall Rule
  • Page 155: Chapter 7 Status

    Chapter 7 Status This chapter explains the Status screen, which is the screen you see when you first log in to the ZyWALL or when you click Status. 7.1 Status Screen Use these screens to look at the ZyWALL’s general device information, system status, system resource usage, licensed service status, and interface status.
  • Page 156: Figure 109 Status

    Figure 109 Status The following table describes the labels in this screen. Table 33 Status LABEL DESCRIPTION Refresh Interval: Select how often you want the screen to automatically refresh. Refresh Now: Click this to update the screen immediately.
  • Page 157 Table 33 Status (continued) LABEL DESCRIPTION Model Name: This field displays the model name of this ZyWALL. Serial Number: This field displays the serial number of this ZyWALL. MAC Address Range: This field displays the MAC addresses used by the ZyWALL. Each physical port has one MAC address.
  • Page 158 Table 33 Status (continued) LABEL DESCRIPTION License Status / Remaining: This field displays the current status of the license and how many days longer it is still valid. If it displays 0 days, the license has expired. If the status is not Licensed, click this to open the screen where you can activate or extend the license.
  • Page 159 Table 33 Status (continued) LABEL DESCRIPTION Status: This field displays the current status of each interface. The possible values depend on what type of interface it is. For port groups: Inactive - The port group is disabled.
  • Page 160: Vpn Status

    Table 33 Status (continued) LABEL DESCRIPTION Services: This field lists which services the interface provides to the network. Examples include DHCP relay, DHCP server, DDNS, RIP, and OSPF. This field displays n/a if the interface does not provide any services to the network.
  • Page 161: Dhcp Table

    7.3 DHCP Table Use this screen to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses. To access this screen, click DHCP Table in the Status screen.
  • Page 162: Figure 112 Status > Statistics

    Figure 112 Status > Statistics The following table describes the labels in this screen. Table 36 Status > Statistics LABEL DESCRIPTION Port: This field displays the physical port number. Status: This field displays the current status of the physical port.
  • Page 163: Chapter 8 Registration

    Chapter 8 Registration This chapter shows you how to register for IDP and Content Filtering service. 8.1 myZyXEL.com overview myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL.
  • Page 164: Registration

    Note: To update the signature file or use a subscription service, you have to register the ZyWALL and activate the corresponding service at myZyXEL.com (through the ZyWALL). 8.2 Registration To register your ZyWALL with myZyXEL.com and activate a service, such as content filtering, click Registration in the navigation panel to open the screen as shown next.
  • Page 165: Service

    Table 37 Registration (continued) LABEL DESCRIPTION Confirm Password: Enter the password again for confirmation. E-Mail Address: Enter your e-mail address. You can use up to 80 alphanumeric characters (periods and the underscore are also allowed) without spaces.
  • Page 166: Figure 115 Registration: Service

    Figure 115 Registration: Service The following table describes the labels in this screen. Table 38 Service LABEL DESCRIPTION Service Management Service: This field displays the service name available on the ZyWALL. Status: This field displays whether a service is activated (Licensed) or not (Not Licensed) or expired (Expired).
  • Page 167: Chapter 9 File Manager

    Chapter 9 File Manager This chapter covers how to use the ZyWALL’s File Manager screens to handle the ZyWALL’s configuration, firmware and shell script files. 9.1 Configuration Files and Shell Scripts Overview The File Manager screens allow you to store multiple configuration files and shell script files.
  • Page 168: Comments In Configuration Files Or Shell Scripts

    While configuration files and shell scripts have the same syntax, the ZyWALL applies configuration files differently than it runs shell scripts. This is explained below. Table 39 Configuration Files and Shell Scripts in the ZyWALL Configuration Files (.conf) Shell Scripts (.zysh)
  • Page 169: Errors In Configuration Files Or Shell Scripts

    Lines 1 and 2 are comments. Line 5 exits sub command mode.
    ! this is from Joe
    # on 2006/06/05
    interface ge1
    ip address dhcp
    exit
    9.1.2 Errors in Configuration Files or Shell Scripts When you apply a configuration file or run a shell script, the ZyWALL processes the file line-by-line.
  • Page 170: Configuration File Screen

    If there is a startup-config.conf, the ZyWALL checks it for errors and applies it. If there are no errors, the ZyWALL uses it and copies it to the lastgood.conf configuration file. If there is an error, the ZyWALL generates a log and copies the startup-config.conf configuration file to the startup-config-bad.conf configuration file and tries the existing lastgood.conf...
  • Page 171: Figure 118 File Manager > Configuration File > Copy

    The following table describes the labels in this screen. Table 40 File Manager > Configuration File LABEL DESCRIPTION Download: Click a configuration file’s row to select it and click Download to save the configuration to your computer.
  • Page 172: Firmware Package Screen

    Table 40 File Manager > Configuration File (continued) LABEL DESCRIPTION This column displays the number for each configuration file entry. The total number of configuration files that you can save depends on the sizes of the configuration files and the available flash storage space.
  • Page 173: Figure 120 File Manager > Firmware Package

    Figure 120 File Manager > Firmware Package The following table describes the labels in this screen. Table 41 File Manager > Firmware Package LABEL DESCRIPTION Boot: This is the version of the boot module that is currently on the ZyWALL.
  • Page 174: Shell Script Screen

    Figure 122 Network Temporarily Disconnected After two minutes, log in again and check your new firmware version in the HOME screen. If the upload was not successful, the following message appears in the status bar at the bottom of the screen.
  • Page 175: Figure 125 File Manager > Shell Script > Copy

    Each field is described in the following table. Table 42 File Manager > Shell Script LABEL DESCRIPTION Download: Click a shell script file’s row to select it and click Download to save the configuration to your computer.
  • Page 176 Table 42 File Manager > Shell Script (continued) LABEL DESCRIPTION Modify: This column displays the date and time that the individual shell script files were last changed or saved. The bottom part of the screen allows you to upload a new or previously saved shell script file from your computer to your ZyWALL.
  • Page 177: Chapter 10 Interface

    Chapter 10 Interface See the Interface section in the Configuration Overview chapter for related information on these screens. 10.1 Interface Overview In general, an interface has the following characteristics. • An interface is a logical entity through which (layer-3) packets pass.
  • Page 178: Ip Address Assignment

    • The auxiliary interface, along with an external modem, provides an interface the ZyWALL can use to dial out. This interface can be used as a backup WAN interface, for example. The auxiliary interface controls the DIAL BACKUP port.
  • Page 179: Figure 127 Example: Entry In The Routing Table Derived From Interfaces

    Figure 127 Example: Entry in the Routing Table Derived from Interfaces Table 44 Example: Routing Table Entries for Interfaces IP ADDRESS(ES) / DESTINATION: 100.100.1.1/16; 200.200.200.1/24. For example, if the ZyWALL gets a packet with a destination address of 100.100.25.25, it routes the packet to interface ge1.
  • Page 180: Interface Parameters

    The gateway is an optional setting for each interface. If there is more than one gateway, the ZyWALL uses the gateway with the lowest metric, or cost. If two or more gateways have the same metric, the ZyWALL uses the one that was set up first (the first entry in the routing table).
  • Page 181: Table 46 Example: Assigning Ip Addresses From A Pool

    As a DHCP relay, the interface routes DHCP requests to DHCP servers on different networks. You can specify more than one DHCP server. If you do, the interface routes DHCP requests to all of them. It is possible for an interface to be a DHCP relay and a DHCP client simultaneously.
  • Page 182: Ping Check Settings

    10.1.5 Ping Check Settings The interface can regularly ping the gateway you specified (see Section 10.1.2 on page 178) to make sure it is still available. You specify how often the interface pings the gateway, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the ZyWALL stops routing to the gateway.
  • Page 183: Ethernet Interfaces

    10.2 Ethernet Interfaces This section introduces Ethernet interfaces and then explains the screens for Ethernet interfaces. 10.2.1 Ethernet Interfaces Overview The ZyWALL has five Ethernet interfaces: ge1, ge2, ge3, ge4, and ge5. Unlike other types of interfaces, you cannot create new Ethernet interfaces nor can you delete any of these five.
  • Page 184: Ethernet Summary Screen

    10.2.2 Ethernet Summary Screen This screen lists every Ethernet interface and virtual interface created on top of Ethernet interfaces. To access this screen, click Network > Interface. Figure 128 Network > Interface > Ethernet Each field is described in the following table.
  • Page 185: Ethernet Edit

    10.2.3 Ethernet Edit The Ethernet Edit screen lets you configure IP address assignment, interface parameters, RIP settings, OSPF settings, DHCP settings, and ping check settings. To access this screen, click an Edit icon in the Ethernet Summary screen. (See Section 10.2.2 on page...
  • Page 186: Figure 129 Network > Interface > Ethernet > Edit

    Figure 129 Network > Interface > Ethernet > Edit
  • Page 187: Table 49 Network > Interface > Ethernet > Edit

    Each field is described in the table below. Table 49 Network > Interface > Ethernet > Edit LABEL DESCRIPTION Ethernet Interface Properties Enable: Select this to enable this interface. Clear this to disable this interface. Interface Name: This field is read-only.
  • Page 188 Table 49 Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Direction: This field is effective when RIP is enabled. Select the RIP direction from the drop-down list box. BiDir - This interface sends and receives routing information.
  • Page 189 Table 49 Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Relay Server 1: Enter the IP address of a DHCP server for the network. Relay Server 2: This field is optional. Enter the IP address of another DHCP server for the network.
  • Page 190: Port Grouping

    Table 49 Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Add Static DHCP: Click this if you want the ZyWALL to assign static IP addresses to computers. The Static DHCP screen appears. Figure 130 Network > Interface > Edit > Add Static DHCP The ZyWALL checks this table when it assigns IP addresses.
  • Page 191: Figure 131 Port Grouping Example: Network

    Each physical port is assigned to one Ethernet interface. In port grouping, the Ethernet interfaces are called representative interfaces. If you assign more than one physical port to a representative interface, you create a port group. Port groups have the following characteristics: •...
  • Page 192: Port Grouping Screen

    10.3.2 Port Grouping Screen You can maintain the relationship between physical ports, port groups, and Ethernet interfaces in the Port Grouping screen. To access this screen, click Network > Interface > Port Grouping. Figure 133 Network > Interface > Port Grouping Each section in this screen is described below.
  • Page 193: Vlan Overview

    10.4.1 VLAN Overview A Virtual Local Area Network (VLAN) divides a physical network into multiple logical networks. The standard is defined in IEEE 802.1Q. Figure 134 Example: Before VLAN In this example, there are two physical networks and three departments A, B, and C. The physical networks are connected to hubs, and the hubs are connected to the router.
  • Page 194: Vlan Interfaces Overview

    ZyWALL 1050 User’s Guide This approach provides a few advantages. • Increased performance - In VLAN 2, the extra switch should route traffic inside the sales department faster than the router does. In addition, broadcasts are limited to smaller, more logical groups of users.
  • Page 195: Vlan Add/Edit

    ZyWALL 1050 User’s Guide Figure 136 Network > Interface > VLAN Each field is explained in the following table. Table 51 Network > Interface > VLAN LABEL DESCRIPTION This field is a sequential value, and it is not associated with any interface.
  • Page 196: Figure 137 Network > Interface > Vlan > Edit

    ZyWALL 1050 User’s Guide Figure 137 Network > Interface > VLAN > Edit Each field is explained in the following table. Table 52 Network > Interface > VLAN > Edit LABEL DESCRIPTION VLAN Interface Properties Enable Select this to enable this interface. Clear this to disable this interface.
  • Page 197 ZyWALL 1050 User’s Guide Table 52 Network > Interface > VLAN > Edit (continued) LABEL DESCRIPTION Interface Name This field is read-only if you are editing the interface. Enter the name of the VLAN interface. The format is vlanx, where x is 0 - 31. For example, vlan0, vlan8, and so on.
  • Page 198 ZyWALL 1050 User’s Guide Table 52 Network > Interface > VLAN > Edit (continued) LABEL DESCRIPTION DHCP Select what type of DHCP service the ZyWALL provides to the network. Choices are: None - the ZyWALL does not provide any DHCP services. There is already a DHCP server on the network.
  • Page 199: Bridge Interfaces

    ZyWALL 1050 User’s Guide Table 52 Network > Interface > VLAN > Edit (continued) LABEL DESCRIPTION Add Static DHCP Click this if you want the ZyWALL to assign static IP addresses to computers. The Static DHCP screen appears. Figure 138 Network > Interface > Edit > Add Static DHCP The ZyWALL checks this table when it assigns IP addresses.
  • Page 200: Bridge Overview

    10.5.1 Bridge Overview A bridge creates a connection between two or more network segments at the layer-2 (MAC address) level. In the following example, bridge X connects four network segments. When the bridge receives a packet, the bridge records the source MAC address and the port on which it was received in a table.
  • Page 201: Bridge Interface Overview

    If computer B responds to computer A, bridge X records the source address 0B:0B:0B:0B:0B:0B and port 4 in the table. It also looks up 0A:0A:0A:0A:0A:0A in the table and sends the packet to port 2 accordingly.
  • Page 202: Bridge Add/Edit

    Figure 139 Network > Interface > Bridge Each field is described in the following table. Table 56 Network > Interface > Bridge LABEL DESCRIPTION This field is a sequential value, and it is not associated with any interface.
  • Page 203: Figure 140 Network > Interface > Bridge > Edit

    Figure 140 Network > Interface > Bridge > Edit In this example, you are creating a new bridge. If you are editing a bridge, the Interface Name field is read-only.
  • Page 204: Table 57 Network > Interface > Bridge > Edit

    Each field is described in the table below. Table 57 Network > Interface > Bridge > Edit LABEL DESCRIPTION Bridge Interface Properties Enable Select this to enable this interface. Clear this to disable this interface.
  • Page 205 Table 57 Network > Interface > Bridge > Edit (continued) LABEL DESCRIPTION MTU Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the ZyWALL divides it into smaller fragments.
  • Page 206: PPPoE/PPTP Interfaces

    Table 57 Network > Interface > Bridge > Edit (continued) LABEL DESCRIPTION Add Static DHCP Click this if you want the ZyWALL to assign static IP addresses to computers. The Static DHCP screen appears. Figure 141 Network > Interface > Edit > Add Static DHCP The ZyWALL checks this table when it assigns IP addresses.
  • Page 207: PPPoE/PPTP Overview

    10.6.1 PPPoE/PPTP Overview Point-to-Point Protocol over Ethernet (PPPoE, RFC 2516) and Point-to-Point Tunneling Protocol (PPTP, RFC 2637) are usually used to connect two computers over phone lines or broadband connections. PPPoE is often used with cable modems and DSL connections. It provides the following advantages: •...
  • Page 208: PPPoE/PPTP Interface Summary

    2 You do not set up the subnet mask or gateway. PPPoE/PPTP interfaces are interfaces between the ZyWALL and only one computer. Therefore, the subnet mask is always 255.255.255.255. In addition, the ZyWALL always treats the ISP as a gateway.
  • Page 209: PPPoE/PPTP Interface Add/Edit

    10.6.4 PPPoE/PPTP Interface Add/Edit Note: You have to set up an ISP account before you create a PPPoE/PPTP interface. This screen lets you configure new or existing PPPoE/PPTP interfaces. To access this screen, click the Add icon or an Edit icon in the PPPoE/PPTP Interface Summary screen.
  • Page 210 Table 59 Network > Interface > PPPoE/PPTP > Edit (continued) LABEL DESCRIPTION Interface Name This field is read-only if you are editing the interface. Enter the name of the PPPoE/PPTP interface. The format is pppx, where x is 0 - 11. For example, ppp0, ppp7, and so on.
  • Page 211: Auxiliary Interface

    Table 59 Network > Interface > PPPoE/PPTP > Edit (continued) LABEL DESCRIPTION Enable Select this to enable the ping check. Check Period Enter the number of seconds between ping attempts. Check Timeout Enter the number of seconds to wait for a response before the attempt is counted as a failure.
  • Page 212: Figure 145 Network > Interface > Auxiliary

    Figure 145 Network > Interface > Auxiliary Each field is described in the table below. Table 60 Network > Interface > Auxiliary LABEL DESCRIPTION Auxiliary Interface Properties Enable Select this to turn on the auxiliary dial-up interface. The interface does not dial out, however, unless it is part of a trunk and load-balancing conditions are satisfied.
  • Page 213: Virtual Interfaces

    Table 60 Network > Interface > Auxiliary (continued) LABEL DESCRIPTION Authentication Type Select the authentication protocol to use for outgoing calls. Choices are: CHAP/PAP - Your ZyWALL accepts either CHAP or PAP, as requested by the computer you are dialing.
  • Page 214: Figure 146 Network > Interface > Edit

    Figure 146 Network > Interface > Edit Each field is described in the table below. Table 61 Network > Interface > Edit LABEL DESCRIPTION Virtual Interface Properties Interface Name This field is read-only. It displays the name of the virtual interface, which is automatically derived from the underlying Ethernet interface, VLAN interface, or bridge interface.
  • Page 215: Chapter 11 Trunks

    Chapter 11 Trunks This chapter shows you how to configure trunks on your ZyWALL. See the Trunks section in the Configuration Overview chapter for related information on these screens. 11.1 Trunks Overview You can group multiple interfaces together into trunks to have multiple connections share the traffic load, increasing overall network throughput and enhancing network reliability.
  • Page 216: Load Balancing Algorithms

    Maybe you have two connections with different bandwidths. For jitter-sensitive traffic (like video, for example), you could set up a trunk group that uses spillover or weighted round robin load balancing to make sure that most of the jitter-sensitive traffic goes through the higher-bandwidth interface.
  • Page 217: Weighted Round Robin

    Since WAN 2 has a smaller load balancing index (meaning that it is less utilized than WAN 1), the ZyWALL will send the subsequent new session traffic through WAN 2. Table 62 Least Load First: Example 1...
  • Page 218: Spillover

    11.4.3 Spillover With the spillover load balancing algorithm, the ZyWALL sends network traffic to the first interface in the trunk member list until the interface’s maximum allowable load is reached; then the ZyWALL sends the excess network traffic of new sessions to the next interface in the trunk member list.
  • Page 219: Configuring a Trunk

    The following table describes the items in this screen. Table 63 Network > Interface > Trunk LABEL DESCRIPTION Name This field displays the label that you specified to identify the trunk. Algorithm This field displays the load balancing method that the trunk is set to use.
  • Page 220: Figure 152 Network > Interface > Trunk > Members Select

    Each field is described in the table below. Table 64 Network > Interface > Trunk > Members LABEL DESCRIPTION Name Enter a descriptive name for this trunk. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  • Page 221 Table 64 Network > Interface > Trunk > Members (continued) LABEL DESCRIPTION Spillover This field displays with the spillover load balancing algorithm. Specify the maximum bandwidth of traffic in kilobits per second (1~1048576) to send out through the interface before using another interface.
  • Page 223: Chapter 12 IPSec VPN

    Chapter 12 IPSec VPN This chapter explains how to set up and maintain IPSec VPNs in the ZyWALL. See the IPSec VPN section in the Configuration Overview chapter for related information on these screens.
  • Page 224: IPSec SA Overview

    Figure 154 VPN: IKE SA and IPSec SA In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks.
  • Page 225: Encapsulation

    12.1.1.3 Encapsulation There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is more secure. Transport mode is only used when the IPSec SA is used for communication between the ZyWALL and the remote IPSec router (for example, for remote management), not between computers on the local and remote networks.
  • Page 226: Additional Topics for IPSec SA

    If you enable PFS, the ZyWALL and remote IPSec router perform a DH key exchange every time an IPSec SA is established, changing the root key from which encryption keys are generated. As a result, if one encryption key is compromised, other encryption keys remain secure.
  • Page 227: Figure 156 VPN Example: NAT for Inbound and Outbound Traffic

    • Source address in outbound packets - this translation is necessary if you want the ZyWALL to route packets from computers outside the local network through the IPSec • Source address in inbound packets - this translation hides the source address of computers in the remote network.
  • Page 228: Related Configuration

    12.1.2.2.2 Source Address in Inbound Packets (Inbound Traffic, Source NAT) You can set up this translation if you want to change the source address of computers in the remote network. To set up this NAT, you have to specify the following information: •...
  • Page 229: VPN Connection Screens

    • In a VPN gateway, you can select an Ethernet interface, virtual Ethernet interface, VLAN interface, or virtual VLAN interface to specify what IP address the ZyWALL uses when it establishes the IKE SA. You should set up the interface first. See...
  • Page 230: VPN Connection Add/Edit IKE

    Figure 157 Network > IPSec VPN > VPN Connection Each field is discussed in the following table. See Section 12.3.2 on page 230 and Section 12.3.3 on page 234 for more information. Table 65 Network > IPSec VPN > VPN Connection...
  • Page 231: Figure 158 Network > IPSec VPN > VPN Connection > Edit (IKE)

    Figure 158 Network > IPSec VPN > VPN Connection > Edit (IKE) Each field is described in the following table. Table 66 Network > IPSec VPN > VPN Connection > Edit LABEL DESCRIPTION VPN Connection Connection Type the name used to identify this IPSec SA.
  • Page 232 Table 66 Network > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Active Protocol Select which protocol you want to use in the IPSec SA. Choices are: AH (RFC 2402) - provides integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not encryption.
  • Page 233 Table 66 Network > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Policy Enforcement Select this if you want the ZyWALL to drop traffic whose source and destination IP addresses do not match the local and remote policy. This makes the IPSec SA more secure.
  • Page 234: VPN Connection Add/Edit Manual Key

    Table 66 Network > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Destination NAT This translation forwards packets (for example, mail) from the remote network to a specific computer (for example, the mail server) in the local network.
  • Page 235: Figure 159 Network > IPSec VPN > VPN Connection > Manual Key > Edit

    Figure 159 Network > IPSec VPN > VPN Connection > Manual Key > Edit The following table describes the labels in this screen. Table 67 Network > IPSec VPN > VPN Connection > Manual Key > Edit...
  • Page 236 Table 67 Network > IPSec VPN > VPN Connection > Manual Key > Edit (continued) LABEL DESCRIPTION Encapsulation Mode Select which type of encapsulation the IPSec SA uses. Choices are: Tunnel - this mode encrypts the IP header information and the data. Transport - this mode only encrypts the data.
  • Page 237 Table 67 Network > IPSec VPN > VPN Connection > Manual Key > Edit (continued) LABEL DESCRIPTION Authentication Enter the authentication key, which depends on the authentication algorithm. MD5 - type a unique key 16-20 characters long. SHA1 - type a unique key 20 characters long. You can use any alphanumeric characters or ;|`~!@#$%^&*()_+\{}':./<>=-.
  • Page 238: VPN Gateway Screens

    Table 67 Network > IPSec VPN > VPN Connection > Manual Key > Edit (continued) LABEL DESCRIPTION Source Select the address object that represents the original source address. This is the address object for the remote network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT).
  • Page 239: IP Addresses of the ZyWALL and Remote IPSec Router

    It takes several steps to establish an IKE SA. The negotiation mode determines how many. There are two negotiation modes: main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster. Note: Both routers must use the same negotiation mode.
  • Page 240: Diffie-Hellman (DH) Key Exchange

    Note: Both routers must use the same encryption algorithm, authentication algorithm, and DH key group. In most ZyWALLs, you can select one of the following encryption algorithms for each proposal. The algorithms are listed in order from weakest to strongest.
  • Page 241: Authentication

    12.4.1.4 Authentication Before the ZyWALL and remote IPSec router establish an IKE SA, they have to verify each other’s identity. This process is based on pre-shared keys and router identities. In main mode, the ZyWALL and remote IPSec router authenticate each other in steps 5 and 6, as illustrated below.
  • Page 242: Additional Topics for IKE SA

    For example, in Table 68 on page 242, the ZyWALL and the remote IPSec router authenticate each other successfully. In contrast, in Table 69 on page 242, the ZyWALL and the remote IPSec router cannot authenticate each other and, therefore, cannot establish an IKE SA.
  • Page 243: VPN, NAT, and NAT Traversal

    In contrast, aggressive mode only takes three steps to establish an IKE SA. Aggressive mode does not provide as much security because the identity of the ZyWALL and the identity of the remote IPSec router are not encrypted. It is usually used in remote-access situations, where the address of the initiator is not known by the responder and both parties want to use pre-shared keys for authentication.
  • Page 244: Certificates

    In extended authentication, one of the routers (the ZyWALL or the remote IPSec router) provides a user name and password to the other router, which uses a local user database and/or an external server to verify the user name and password. If the user name or password is wrong, the routers do not establish an IKE SA.
  • Page 245: VPN Gateway Add/Edit

    Figure 164 Network > IPSec VPN > VPN Gateway Each field is discussed in the following table. See Section 12.4.4 on page 245 for more information. Table 70 Network > IPSec VPN > VPN Gateway LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific gateway.
  • Page 246: Figure 165 Network > IPSec VPN > VPN Gateway > Edit

    Figure 165 Network > IPSec VPN > VPN Gateway > Edit Each field is described in the following table. Table 71 Network > IPSec VPN > VPN Gateway > Edit LABEL DESCRIPTION VPN Gateway VPN Gateway Type the name used to identify this VPN gateway.
  • Page 247 Table 71 Network > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION Negotiation Mode Select which negotiation mode you want to use to negotiate the IKE SA. Choices are: Main - this encrypts the ZyWALL’s and remote IPSec router’s identities but takes...
  • Page 248 Table 71 Network > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION My Address Select how the IP address of the ZyWALL in the IKE SA is defined. Choices are Interface and Domain Name.
  • Page 249 Table 71 Network > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION Content This field is read-only if the ZyWALL and remote IPSec router use certificates to identify each other. Type the identity of the ZyWALL during authentication. The identity depends on the Local ID Type.
  • Page 250: VPN Concentrator

    Table 71 Network > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION Extended Authentication Enable Extended Authentication Select this if one of the routers (the ZyWALL or the remote IPSec router) verifies a user name and password from the other router using the local user database and/or an external server.
  • Page 251: VPN Concentrator Summary

    Figure 166 VPN Topologies The VPN concentrator is used in the second approach. In the first (fully-meshed) approach, there is a VPN connection between every pair of routers. In the second (hub-and-spoke) approach, there is a VPN connection between each spoke router (B, C, D, and E) and the hub router (A), which uses the VPN concentrator.
  • Page 252: VPN Concentrator Add/Edit

    Figure 167 Network > IPSec VPN > Concentrator Each field is discussed in the following table. See Section 12.5.2 on page 252 for more information. Table 72 Network > IPSec VPN > Concentrator LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific concentrator.
  • Page 253: Figure 168 Network > IPSec VPN > Concentrator > Edit

    Figure 168 Network > IPSec VPN > Concentrator > Edit Each field is described in the following table. Table 73 Network > IPSec VPN > Concentrator > Edit LABEL DESCRIPTION Name Enter the name of the concentrator. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 254: SA Monitor Screen

    12.6 SA Monitor Screen You can use the SA Monitor screen to display and to manage active IPSec SAs. To access this screen, click Configuration > Network > IPSec VPN > SA Monitor. The following screen appears.
  • Page 255: Chapter 13 Routing Protocol

    Chapter 13 Routing Protocol This chapter describes how to set up the RIP and OSPF routing protocols for the ZyWALL. First, it provides an overview of RIP and OSPF, and then it introduces the RIP and OSPF screens used to configure routing protocols.
  • Page 256: Authentication Types

    Second, the ZyWALL can also redistribute routing information from non-RIP networks, specifically OSPF networks and static routes, to the RIP network. Costs might be calculated differently, however, so you use the Metric field to specify the cost in RIP terms.
  • Page 257: Figure 171 Network > Routing Protocol > RIP

    To access this screen, log in to the web configurator. When the main screen appears, click once on Network to open the Network tree, and then click once on Routing Protocol. The RIP tab is selected by default. The following screen appears.
  • Page 258: OSPF Overview

    13.3 OSPF Overview OSPF (Open Shortest Path First, RFC 2328) is a link-state protocol designed to distribute routing information within a group of networks, called an Autonomous System (AS). OSPF offers some advantages over distance-vector routing protocols like RIP.
  • Page 259: OSPF Routers

    Figure 172 OSPF: Types of Areas This OSPF AS consists of four areas, areas 0-3. Area 0 is always the backbone. In this example, areas 1, 2, and 3 are all connected to it. Area 1 is a normal area. It has routing information about the OSPF AS and networks X and Y.
  • Page 260: Virtual Links

    • An Autonomous System Boundary Router (ASBR) exchanges routing information with routers in networks outside the OSPF AS. This is called redistribution in OSPF. Table 77 OSPF: Redistribution from Other Sources to Each Type of Area...
  • Page 261: OSPF Configuration

    Figure 174 OSPF: Virtual Link In this example, area 100 does not have a direct connection to the backbone. As a result, you should set up a virtual link on both ABRs in area 10. The virtual link becomes the connection between area 100 and the backbone.
  • Page 262: Figure 175 Network > Routing Protocol > OSPF

    Figure 175 Network > Routing Protocol > OSPF The following table describes the labels in this screen. See Section 13.4.2 on page 263 for more information as well. Table 78 Network > Routing Protocol > OSPF LABEL...
  • Page 263: OSPF Area Add/Edit

    Table 78 Network > Routing Protocol > OSPF (continued) LABEL DESCRIPTION Authentication This field displays the default authentication method in the area. Add icon This column provides icons to add, edit, and remove areas. To add an area, click the Add icon at the top of the column. The OSPF Area Add/Edit screen appears.
  • Page 264: Figure 176 Network > Routing Protocol > OSPF > Edit

    Figure 176 Network > Routing Protocol > OSPF > Edit The following table describes the labels in this screen. Table 79 Network > Routing Protocol > OSPF > Edit LABEL DESCRIPTION Area ID Type the unique, 32-bit identifier for the area in IP address format.
  • Page 265 Table 79 Network > Routing Protocol > OSPF > Edit (continued) LABEL DESCRIPTION Authentication Select which authentication method to use in the virtual link. Choices are: None, Text, MD5, and Same as Area. In this case, Same as Area refers to the Authentication settings above.
  • Page 267: Chapter 14 Zones

    Chapter 14 Zones Set up zones to configure network security and network policies in the ZyWALL. See the Zones section in the Configuration Overview chapter for related information on these screens. 14.1 Zones Overview A zone is a group of interfaces and VPN tunnels.
  • Page 268: Zone Summary

    Intra-zone traffic is traffic between interfaces or VPN tunnels in the same zone. For example, in Figure 177 on page 267, traffic between VLAN 2 and the Ethernet is intra-zone traffic. In each zone, you can either allow or prohibit all intra-zone traffic. For example, in...
  • Page 269: Zone Add/Edit

    14.3 Zone Add/Edit The Zone Add/Edit screen allows you to define a zone or edit an existing one. To access this screen, go to the Zone screen (see Section 14.2 on page 268), and click either the Add icon or an Edit icon.
  • Page 271: Chapter 15 ISP Accounts

    Chapter 15 ISP Accounts Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE/PPTP interfaces. See the Objects section in the Configuration Overview chapter for related information on these screens.
  • Page 272: ISP Account Edit

    Table 82 Network > ISP Account (continued) LABEL DESCRIPTION User Name This field displays the user name of the ISP account. Add icon This column provides icons to add, edit, and remove ISP accounts. To add information about a new ISP account, click the Add icon at the top of the column.
  • Page 273 Table 83 Network > ISP Account > Edit (continued) LABEL DESCRIPTION Encryption Method This field is available if this ISP account uses the PPTP protocol. Use the drop-down list box to select the type of Microsoft Point-to-Point Encryption (MPPE).
  • Page 275: Chapter 16 Device HA

    Virtual Router Redundancy Protocol (VRRP) allows you to create redundant backup gateways to ensure that the default gateway is always available. Note: The ZyWALL 1050 runs VRRP v2. You can only set up device HA with other ZyWALL 1050s running the same firmware version.
  • Page 276: Additional VRRP Notes

    Figure 183 Example: VRRP, Master Becomes Unavailable Router B is now using the IP address of the default gateway, and it is forwarding packets for the network. The loss of Router A has no effect on the network.
  • Page 277: VRRP Group Overview

    16.2 VRRP Group Overview In the ZyWALL, you should create a VRRP group to add one of its interfaces to a virtual router. You can add any Ethernet interface, VLAN interface, or virtual interface (created on top of Ethernet interfaces or VLAN interfaces) with a static IP address.
  • Page 278: VRRP Group Summary

    16.4 VRRP Group Summary The VRRP Group summary screen provides information about which interfaces are in virtual routers and the role and status of each interface in the virtual router. To access this screen, click Network > Device HA.
  • Page 279: VRRP Group Add/Edit

    Table 84 Network > Device HA > VRRP Group (continued) LABEL DESCRIPTION HA Status This field displays the status of the interface in the virtual router. Active - This interface is the master interface in the virtual router.
  • Page 280: Figure 186 Network > Device HA > VRRP Group > Edit

    Figure 186 Network > Device HA > VRRP Group > Edit The following table describes the labels in this screen. Table 85 Network > Device HA > VRRP Group > Edit LABEL DESCRIPTION Enable Select this to make the specified interface part of the virtual router. Clear this to take the specified interface out of the virtual router.
  • Page 281: Synchronization Overview

    Table 85 Network > Device HA > VRRP Group > Edit (continued) LABEL DESCRIPTION Priority This field is available if the selected interface is a Backup interface. Type the priority of the backup interface. The backup interface with the highest value takes over the role of the master interface if the master interface becomes unavailable.
  • Page 282: Synchronize Screen

    Backup ZyWALLs cannot get updates for services to which they have not subscribed. For example, if a backup ZyWALL has not subscribed to IDP, it does not get IDP updates from the master ZyWALL. Synchronization affects the entire device configuration. You can only configure one set of settings for synchronization, regardless of how many VRRP groups you might configure.
  • Page 283: Figure 187 Network > Device HA > Synchronize

    Figure 187 Network > Device HA > Synchronize For synchronization, every ZyWALL in a virtual router should usually have the same Password, Synchronize From, and on port values. In addition, the management IP address must be in the same subnet as the interface (in other words, the virtual router). The following table describes the labels in this screen.
  • Page 285: Chapter 17 DDNS

    Chapter 17 DDNS This chapter describes how to configure dynamic DNS (DDNS) services for the ZyWALL. First, it provides an overview, and then it introduces the screens. See the DDNS section in the Configuration Overview chapter for related information on these screens.
  • Page 286: Mail Exchanger

    17.1.3 Mail Exchanger DynDNS can route e-mail for your domain name to a specified mail server. The server is called a mail exchanger. For example, if there is e-mail for john-doe@yourhost.dyndns.org, DynDNS routes the e-mail to the IP address you specify for the mail exchanger.
  • Page 287: DDNS Summary

    17.3 DDNS Summary The DDNS screen provides a summary of all DDNS domain names and their configuration. In addition, this screen allows you to add new domain names, edit the configuration for existing domain names, and delete domain names.
  • Page 288: Dynamic DNS Add/Edit

    Table 87 Network > DDNS (continued) LABEL DESCRIPTION HA Interface This field applies when the IP Address Update Policy is iface. This field displays which alternative interface is mapped to the domain name if the WAN interface is not available.
  • Page 289 Table 88 Network > DDNS > Edit (continued) LABEL DESCRIPTION Username Type the user name used when you registered your domain name. You can use up to 31 alphanumeric characters and the underscore. Spaces are not allowed.
  • Page 291: Chapter 18 Route

    ZyWALL 1050 User’s Guide H A P T E R Route This chapter shows you how to configure policies for IP routing and static routes on your ZyWALL. See the Policy Routes section in the Configuration Overview chapter for related information on these screens.
  • Page 292: Nat And Snat

    ZyWALL 1050 User’s Guide IPPR follows the existing packet filtering facility of RAS in style and in implementation. 18.2.1 NAT and SNAT NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address in a packet in one network to a different IP address in another network. Use SNAT (Source NAT) to change the source IP address in one network to a different IP address in another network.
  • Page 293: IP Routing Policy Setup

    Figure 190 Trigger Port Forwarding Example 18.3 IP Routing Policy Setup Click Configuration > Policy > Route to open the Policy Route screen. Figure 191 Policy Route The following table describes the labels in this screen.
  • Page 294: Policy Route Edit

    Table 89 Policy Route (continued) LABEL DESCRIPTION Source This is the name of the source IP address (group) object. any means all IP addresses. Destination This is the name of the destination IP address (group) object. any means all IP addresses.
  • Page 295: Figure 192 Policy Route Edit

    Figure 192 Policy Route Edit The following table describes the labels in this screen. Table 90 Policy Route Edit LABEL DESCRIPTION Configuration Enable Select this to activate the policy. Description Enter a descriptive name of up to 31 printable ASCII characters for the policy.
  • Page 296 Table 90 Policy Route Edit (continued) LABEL DESCRIPTION Schedule Select a schedule. Service Select a service or service group from the drop-down list box. New... Click New... to add a new service. See Table 91 on page 298 for more information.
  • Page 297: Adding A New Service

    Table 90 Policy Route Edit (continued) LABEL DESCRIPTION In a numbered list, click the Move to N icon to display a field to type a number for where you want to put that rule and press [ENTER] to move the rule to the number that you typed.
  • Page 298: IP Static Routes

    The following table describes the labels in this screen. Table 91 Policy Route Edit: Service LABEL DESCRIPTION Configuration Name Enter a unique name for your customized service. You can use up to 31 alphanumeric characters and the underscore. Spaces are not allowed...
  • Page 299: Static Route Summary

    18.6 Static Route Summary Click Configuration > Policy > Route > Static Route to open the Static Route screen. Figure 195 IP Static Route The following table describes the labels in this screen. Table 92 IP Static Route...
  • Page 300: Figure 196 IP Static Route Edit

    Figure 196 IP Static Route Edit The following table describes the labels in this screen. Table 93 IP Static Route Edit LABEL DESCRIPTION Destination IP This parameter specifies the IP network address of the final destination. Routing is always based on network number.
  • Page 301: Chapter 19 Firewall

    Chapter 19 Firewall This chapter introduces the ZyWALL’s firewall and shows you how to configure your ZyWALL’s firewall. See the Firewall section in the Configuration Overview chapter for related information on these screens.
  • Page 302: Firewall Rules

    Your customized rules take precedence and override the ZyWALL’s default settings. The ZyWALL checks the schedule, user name (user’s login name on the ZyWALL), source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them).
  • Page 303: Global Through-ZyWALL Rules

    Table 94 Default Through-ZyWALL Firewall Rules FROM ZONE TO ZONE STATEFUL PACKET INSPECTION From DMZ to LAN Traffic from the DMZ to the LAN is dropped. From DMZ to WAN Traffic from the DMZ to the WAN is allowed.
  • Page 304: Firewall and VPN Traffic

    19.2.3 Firewall and VPN Traffic After you create a VPN tunnel and apply it to a zone, you can set the firewall rules applied to VPN traffic. If you add a VPN tunnel to an existing zone (the LAN zone for example), you can configure a new LAN to LAN firewall rule or use intra-zone traffic blocking to allow or block VPN traffic transmitting between the VPN tunnel and other interfaces in the LAN zone.
  • Page 305: Figure 199 Limited LAN to WAN IRC Traffic Example

    The ZyWALL applies the firewall rules in order. So for this example, when the ZyWALL receives traffic from the LAN, it checks it against the first rule. If the traffic matches (if it is IRC traffic) the firewall takes the action in the rule (drop) and stops checking the firewall rules.
  • Page 306: Alerts

    • The first row allows the LAN computer at IP address 192.168.1.7 to access the IRC service on the WAN. • The second row blocks LAN access to the IRC service on the WAN. • The third row is (still) the firewall’s default policy of allowing all traffic from the LAN to go to the WAN.
  • Page 307: Virtual Interfaces And Asymmetrical Routes

    Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets.
  • Page 308: Figure 201 Firewall: Zone Pairs

    Select Zone Pairs and specify from which zone packets come and to which zone packets travel to display only the rules specific to the selected direction. Figure 201 Firewall: Zone Pairs The following table describes the labels in this screen.
  • Page 309 Table 98 Firewall: Zone Pairs (continued) LABEL DESCRIPTION Maximum session per host Use this field to set the highest number of sessions that the ZyWALL will permit a host computer with the same IP address to have at one time.
  • Page 310: Through Firewall Rules With All Rules

    Table 98 Firewall: Zone Pairs (continued) LABEL DESCRIPTION Click the Add icon in an entry to add a rule below the current entry. Click the Remove icon to delete an existing rule from the ZyWALL. A window displays asking you to confirm that you want to delete the rule.
  • Page 311: Table 99 Firewall: All Rules

    The following table describes the labels in this screen. Table 99 Firewall: All Rules LABEL DESCRIPTION Global Setting Enable Firewall Select this check box to activate the firewall. The ZyWALL performs access control when the firewall is activated.
  • Page 312: To-ZyWALL Rules

    Table 99 Firewall: All Rules (continued) LABEL DESCRIPTION Destination This displays the destination address object to which this firewall rule applies. Service This displays the service object to which this firewall rule applies. Access This field displays whether the firewall silently discards packets (deny), discards packets and sends a TCP reset packet to the sender (reject) or permits the passage of packets (allow).
  • Page 313: Figure 203 Firewall: To-ZyWALL Rules

    Figure 203 Firewall: To-ZyWALL Rules The following table describes the labels in this screen. Table 100 Firewall: To-ZyWALL Rules LABEL DESCRIPTION Global Setting Enable Firewall Select this check box to activate the firewall. The ZyWALL performs access control when the firewall is activated.
  • Page 314 Table 100 Firewall: To-ZyWALL Rules (continued) LABEL DESCRIPTION Maximum session per host Use this field to set the highest number of sessions that the ZyWALL will permit a host computer with the same IP address to have at one time.
  • Page 315: Edit A Firewall Rule

    Table 100 Firewall: To-ZyWALL Rules (continued) LABEL DESCRIPTION Click the Remove icon to delete an existing rule from the ZyWALL. A window displays asking you to confirm that you want to delete the rule. Note that subsequent firewall rules move up by one when you take this action.
  • Page 316: Table 101 Firewall Rule Edit

    The following table describes the labels in this screen. Table 101 Firewall Rule Edit LABEL DESCRIPTION Enable Select this check box to activate the firewall rule. From For through-ZyWALL rules, these are read-only and display the direction of travel of packets to which the rule applies.
  • Page 317: Firewall Rule Configuration Example

    19.7 Firewall Rule Configuration Example The following Internet firewall rule example allows a hypothetical MyService from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 (Dest_1) on the LAN. You need to configure the service and address objects before you create a firewall rule.
  • Page 318: Figure 207 Firewall Example: Object > Address

    Figure 207 Firewall Example: Object > Address 4 Configure it as follows and click OK. Figure 208 Firewall Example: Create an Address Object 5 Click Configuration > Policy > Firewall. Select Through-ZyWALL rules and Zone Pairs and then the From WAN to LAN packet direction.
  • Page 319: Figure 209 Firewall Example: Select The Traveling Direction Of Traffic

    Figure 209 Firewall Example: Select the Traveling Direction of Traffic 7 Enter the name of the firewall rule. 8 Select Any in the Source drop-down list box, Dest_1 in the Destination drop-down list box and MyService in the Service drop-down list box to configure it as follows. Click OK when you are done.
  • Page 320: Figure 211 Firewall Example: MyService Example Rule Summary

    Figure 211 Firewall Example: MyService Example Rule Summary
  • Page 321: Chapter 20 Application Patrol

    Chapter 20 Application Patrol This chapter describes how to set up application patrol for the ZyWALL. First, it provides an overview, and, then, it introduces the screens. See the Application Patrol section in the Configuration Overview chapter for related information on these screens.
  • Page 322: Exceptions To The Default Action

    • Forward - the ZyWALL routes the packets for this application. • Drop - the ZyWALL does not route the packets for this application, and it does not notify the client of this decision. • Reject - the ZyWALL does not route the packets for this application, and it notifies the client of this decision.
  • Page 323: Configuration Summary

    20.3 Configuration Summary You can use the Configuration summary screen to enable and disable application patrol. This screen also lists every application the ZyWALL can recognize, displays the settings for each one, and lets you open the Configuration Edit screen to change the settings.
  • Page 324: Figure 212 Policy > Application Patrol > Configuration

    Figure 212 Policy > Application Patrol > Configuration The following table describes the labels in this screen. See Section 20.3.1 on page 325 for more information as well. Table 102 Policy > Application Patrol > Configuration LABEL...
  • Page 325: Configuration Edit

    Table 102 Policy > Application Patrol > Configuration (continued) LABEL DESCRIPTION Service This field displays the name of the application. Access This field displays what the ZyWALL does with packets for this application. Choices are: forward, drop, and reject.
  • Page 326: Figure 213 Policy > Application Patrol > Configuration > Edit

    Figure 213 Policy > Application Patrol > Configuration > Edit The following table describes the labels in this screen. Table 103 Policy > Application Patrol > Configuration > Edit LABEL DESCRIPTION Service Enable Select this check box to turn on patrol for this application.
  • Page 327 Table 103 Policy > Application Patrol > Configuration > Edit (continued) LABEL DESCRIPTION Default Policy Access This field controls what the ZyWALL does with packets for this application. Choices are: Forward - the ZyWALL routes the packets for this application.
  • Page 328: Other Protocol Screen

    Table 103 Policy > Application Patrol > Configuration > Edit (continued) LABEL DESCRIPTION Destination Select a destination address or address group for whom this condition applies. Select any if the condition is effective for every destination.
  • Page 329: Figure 214 Policy > Application Patrol > Other Protocol

    Figure 214 Policy > Application Patrol > Other Protocol The following table describes the labels in this screen. See Section 20.4.1 on page 330 for more information as well. Table 104 Policy > Application Patrol > Other Protocol...
  • Page 330: Other Configuration Add/Edit

    Table 104 Policy > Application Patrol > Other Protocol (continued) LABEL DESCRIPTION This field displays what kind of record the ZyWALL creates when the condition is satisfied. Choices are: no, log, and log alert. Add icon This column provides icons to add, move, and remove conditions for the exception.
  • Page 331 Table 105 Policy > Application Patrol > Other Protocol > Edit (continued) LABEL DESCRIPTION Protocol Select the protocol for which this condition applies. Choices are: TCP and UDP. Access This field controls what the ZyWALL does with packets when this condition is satisfied.
  • Page 332 Chapter 20 Application Patrol...
  • Page 333: Chapter 21 IDP

    Chapter 21 IDP This chapter introduces IDP (Intrusion Detection and Prevention), IDP profiles, binding an IDP profile to a zone, custom signatures and updating signatures. See the IDP section in the Configuration Overview chapter for related information on these screens.
  • Page 334: IDP on the ZyWALL

    21.1.3 IDP on the ZyWALL IDP on the ZyWALL protects against network-based intrusions. See Section 21.7.1 on page for a list of attacks that the ZyWALL can protect against. You can also create your own custom IDP rules.
  • Page 335: Figure 217 IDP > General

    Figure 217 IDP > General The following table describes the labels in this screen. Table 106 IDP > General LABEL DESCRIPTION General Setup Enable IDP Select this check box to enable IDP on the ZyWALL. You can enable IDP if IDP service is not registered but only traffic anomaly and protocol anomaly detection applies;...
  • Page 336: Introducing IDP Profiles

    21.4 Introducing IDP Profiles An IDP profile is a set of packet inspection signatures, traffic anomaly rules and protocol anomaly rules. • Packet inspection signatures examine packet content for malicious data. Packet inspection applies to OSI (Open System Interconnection) layer-4 to layer-7 contents. You need to subscribe for IDP service in order to be able to download new signatures.
  • Page 337: Profile Summary Screen

    These are the default base profiles at the time of writing. Table 107 Base Profiles BASE PROFILE DESCRIPTION This profile is most suitable for networks containing your servers. Signatures for common services such as DNS, FTP, HTTP, ICMP, IMAP, MISC, NETBIOS, POP3, RPC, RSERVICE, SMTP, SNMP, SQL, TELNET, Oracle, MySQL are enabled.
  • Page 338: Creating New Profiles

    Figure 219 Policy > IDP > Profile The following table describes the fields in this screen. Table 108 Policy > IDP > Profile LABEL DESCRIPTION Name This is the name of the profile you created. Base Profile This is the base profile from which the profile was created.
  • Page 339: Profiles: Packet Inspection

    4 Enable or disable individual signatures and/or rules. 5 Edit the default log options and actions. 21.7 Profiles: Packet Inspection Select Policy > IDP > Profile and then add a new profile or edit an existing one. Packet inspection (group view) is the first screen in the profile.
  • Page 340: IDP Service Groups

    Table 109 Policy Types (continued) POLICY TYPE DESCRIPTION Buffer Overflow A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. The excess information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.
  • Page 341: Profile > Packet Inspection > Group View Screen

    Logs and actions applied to a service group apply to all signatures within that group. If you select original setting for service group logs and/or actions, all signatures within that group are returned to their last-saved settings.
  • Page 342: Figure 221 Policy > IDP > Profile > Packet Inspection_Group View

    Figure 221 Policy > IDP > Profile > Packet Inspection_Group View
  • Page 343 The following table describes the fields in this screen. Table 111 Policy > IDP > Profile > Packet Inspection_Group View LABEL DESCRIPTION Name This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 344: Profile > Packet Inspection > Query View Screen

    Table 111 Policy > IDP > Profile > Packet Inspection_Group View (continued) LABEL DESCRIPTION Action Select what action the ZyWALL should take when a packet matches a signature here. original setting: Select this action to return each signature in a service group to its previously saved configuration.
  • Page 345: Figure 222 Policy > IDP > Profile > Packet Inspection_Query View

    Figure 222 Policy > IDP > Profile > Packet Inspection_Query View The following table describes the fields in this screen. Table 112 Policy > IDP > Profile > Packet Inspection_Query View LABEL DESCRIPTION Name This is the name of the profile that you created in the IDP > Profiles > Packet Inspection group view screen.
  • Page 346: Query Example

    Table 112 Policy > IDP > Profile > Packet Inspection_Query View (continued) LABEL DESCRIPTION Platform Search for signatures created to prevent intrusions targeting specific operating system(s). Hold down the [Ctrl] key if you want to make multiple selections.
  • Page 347: Figure 223 Query Example Search Criteria

    Figure 223 Query Example Search Criteria Figure 224 Query Example Search Results
  • Page 348: Profiles: Traffic Anomaly

    21.8 Profiles: Traffic Anomaly The traffic anomaly screen is the second screen in an IDP profile. Traffic anomaly detection looks for abnormal behavior such as scan or flooding attempts. Select Policy > IDP > Profile > Traffic Anomaly. If you made changes to other screens belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Traffic Anomaly tab.
  • Page 349: Port Sweeps

    21.8.1.3 Port Sweeps Many different connection attempts to the same port (service) may indicate a port sweep, that is, they are one-to-many port scans. One host scans a single port on multiple hosts. This may occur when a new exploit comes out and the attacker is looking for a specific service. These are some port sweep types: •...
  • Page 350: Smurf

    21.8.2.2 Smurf A smurf attacker (A) floods a router (B) with Internet Control Message Protocol (ICMP) echo request packets (pings) with the destination IP address of each packet as the broadcast address of the network. The router will broadcast the ICMP echo request packet to all hosts on the network.
  • Page 351: LAND Attack

    Figure 227 SYN Flood 21.8.2.4 LAND Attack In a LAND attack, hackers flood SYN packets into a network with a spoofed source IP address of the network itself. This makes it appear as if the computers in the network sent the packets to themselves, so the network is unavailable while they try to respond to themselves.
  • Page 352: Profile > Traffic Anomaly Screen

    21.8.3 Profile > Traffic Anomaly Screen Figure 228 Profiles: Traffic Anomaly
  • Page 353: Profiles: Protocol Anomaly

    The following table describes the fields in this screen. Table 113 IDP > Profile > Traffic Anomaly LABEL DESCRIPTION Name This is the name of the IDP profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  • Page 354: HTTP Inspection and TCP/UDP/ICMP Decoders

    Protocol anomaly rules may be updated when you upload new firmware. 21.9.1 HTTP Inspection and TCP/UDP/ICMP Decoders The following table gives some information on the HTTP inspection, TCP decoder, UDP decoder and ICMP decoder ZyWALL protocol anomaly rules.
  • Page 355 Table 114 HTTP Inspection and TCP/UDP/ICMP Decoders (continued) LABEL DESCRIPTION OVERSIZE-CHUNK-ENCODING ATTACK This rule is an anomaly detector for abnormally large chunk sizes. This picks up the apache chunk encoding exploits and may also be triggered on HTTP tunneling that uses chunk encoding.
  • Page 356: Protocol Anomaly Configuration

    Table 114 HTTP Inspection and TCP/UDP/ICMP Decoders (continued) LABEL DESCRIPTION OVERSIZE-LEN ATTACK This is when a UDP packet is sent which has a UDP length field of greater than the actual packet length. This may cause some applications to crash.
  • Page 357: Figure 229 Profiles: Protocol Anomaly

    Figure 229 Profiles: Protocol Anomaly
  • Page 358: Introducing IDP Custom Signatures

    The following table describes the fields in this screen. Table 115 IDP > Profile > Protocol Anomaly LABEL DESCRIPTION Name This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  • Page 359: Figure 230 IP v4 Packet Headers

    Figure 230 IP v4 Packet Headers The header fields are discussed below: Table 116 IP v4 Packet Headers HEADER DESCRIPTION Version The value 4 indicates IP version 4. IP Header Length is the number of 32 bit words forming the total length of the header (usually five).
  • Page 360: Configuring Custom Signatures

    Table 116 IP v4 Packet Headers (continued) HEADER DESCRIPTION Options IP options is a variable-length list of IP options for a datagram that define IP Security Option (security and handling restrictions for the military), IP Stream Identifier, Record Route (have each...
  • Page 361: Figure 231 Policy > IDP > Custom Signatures

    Figure 231 Policy > IDP > Custom Signatures The following table describes the fields in this screen. Table 117 Policy > IDP > Custom Signatures LABEL DESCRIPTION Creating Use this part of the screen to create, edit, delete or export (save to your computer) custom signatures.
  • Page 362: Creating Or Editing A Custom Signature

    Table 117 Policy > IDP > Custom Signatures (continued) LABEL DESCRIPTION Importing Use this part of the screen to import custom signatures (previously saved to your computer) to the ZyWALL. Note: The name of the complete custom signature file on the ZyWALL is ‘custom.rules’.
  • Page 363: Figure 232 Policy > IDP > Custom Signatures > Add/Edit

    Figure 232 Policy > IDP > Custom Signatures > Add/Edit
  • Page 364: Table 118 Policy > IDP > Custom Signatures > Add/Edit

    The following table describes the fields in this screen. Table 118 Policy > IDP > Custom Signatures > Add/Edit LABEL DESCRIPTION Name Type the name of your custom signature. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 365 Table 118 Policy > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION Time to Live Time to Live is a counter that decrements every time it passes through a router. When it reaches zero, the datagram is discarded. Usually it’s used to set an upper limit on the number of routers a datagram can pass through.
  • Page 366: Custom Signature Example

    Table 118 Policy > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION Use this field to check for a specific ICMP ID value. This is useful for covert channel programs that use static ICMP fields when they communicate.
  • Page 367: Understand The Vulnerability

    21.11.2.1 Understand the Vulnerability Check the ZyWALL logs when the attack occurs. Use web sites such as Google and SecurityFocus to get as much information about the attack as you can. The more specific your signature, the less chance it will cause false positives.
  • Page 368: Figure 234 Custom Signature Example Pattern 2

    Figure 234 Custom Signature Example Pattern 2 Figure 235 Custom Signature Example Patterns 3 and 4 Our final custom signature should look like the one shown in the following figure. If the attack occurs, check the logs for a log of your custom signature. This indicates the signature works correctly.
  • Page 369: Figure 236 Example Custom Signature

    Figure 236 Example Custom Signature
  • Page 370: Applying Custom Signatures

    21.11.3 Applying Custom Signatures After you create your custom signature, it becomes available in the IDP service group category in the IDP > Profile > Packet Inspection screen. Custom signatures have an SID from 9000000 to 9999999.
  • Page 371: Snort Signatures

    Figure 238 Custom Signature Log 21.11.5 Snort Signatures You may want to refer to open source Snort signatures when creating custom ZyWALL ones. Most Snort rules are written in a single line. Snort rules are divided into two logical sections, the rule header and the rule options as shown in the following example: alert tcp any any ->...
  • Page 372: Updating Idp Signatures

    Table 119 ZyWALL - Snort Equivalent Terms (continued) ZYWALL TERM SNORT EQUIVALENT TERM Same IP sameip Transport Protocol Transport Protocol: TCP Port (In Snort rule header) Flow flow Flags flags Sequence Number Ack Number Window Size...
  • Page 373: Figure 239 IDP Update

    Figure 239 IDP Update The following table describes the fields in this screen. Table 120 IDP Update LABEL DESCRIPTION Signature Information The following fields display information on the current signature set that the ZyWALL is using.
  • Page 374: Figure 240 Downloading IDP Signatures

    Figure 240 Downloading IDP Signatures Figure 241 Successful IDP Signature Download
  • Page 375: Content Filtering Screens

    Chapter 22 Content Filtering Screens This chapter covers how to use the content filtering feature to control web access. See the Content Filter section in the Configuration Overview chapter for related information on these screens.
  • Page 376: Customize Web Site Access

    22.1.2.3 Customize Web Site Access You can specify URLs to which the ZyWALL blocks access. You can alternatively block access to all URLs except ones that you specify. You can also have the ZyWALL block access to URLs that contain particular keywords.
  • Page 377: Figure 242 Configuration > Policy > Content Filter > General

    Figure 242 Configuration > Policy > Content Filter > General The following table describes the labels in this screen. Table 121 Configuration > Policy > Content Filter > General LABEL DESCRIPTION General Setup Enable Content Filter Select this check box to enable the content filter.
  • Page 378 Table 121 Configuration > Policy > Content Filter > General (continued) LABEL DESCRIPTION Click the Add icon at the top of the column to create a new content filtering policy at the top of the list.
  • Page 379: Content Filter Policy Screen

    Table 121 Configuration > Policy > Content Filter > General (continued) LABEL DESCRIPTION Registration Type This read-only field displays what kind of service registration you have for the content-filtering database. Not Licensed displays if you have not successfully registered and activated the service.
  • Page 380: Content Filtering Profile Screen

    Figure 243 Configuration > Policy > Content Filter > General > Add The following table describes the labels in this screen. Table 122 Configuration > Policy > Content Filter > General > Add LABEL DESCRIPTION Schedule Select a schedule to define when to apply this content filtering policy.
  • Page 381: External Web Filtering Service

    Figure 244 Configuration > Policy > Content Filter > Filtering Profile The following table describes the labels in this screen. Table 123 Configuration > Policy > Content Filter > Filtering Profile LABEL DESCRIPTION This column lists the index numbers of the content filtering profiles.
  • Page 382: Content Filter Categories Screen

    2 The ZyWALL looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site’s category will be in the ZyWALL’s cache. The ZyWALL blocks, blocks and logs or just logs the request based on your configuration.
  • Page 383: Figure 246 Configuration > Policy > Content Filtering > Filtering Profile > Add

    Figure 246 Configuration > Policy > Content Filtering > Filtering Profile > Add The following table describes the labels in this screen. Table 124 Configuration > Policy > Content Filtering > Filtering Profile > Add LABEL...
  • Page 384 Table 124 Configuration > Policy > Content Filtering > Filtering Profile > Add (continued) LABEL DESCRIPTION Enable External Web Filtering Service Enable external database content filtering to have the ZyWALL check an external database to find to which category a requested web page belongs.
  • Page 385 Table 124 Configuration > Policy > Content Filtering > Filtering Profile > Add (continued) LABEL DESCRIPTION Intimate Apparel/Swimsuit Selecting this category excludes pages that contain images or offer the sale of swimsuits or intimate apparel or other types of suggestive clothing.
  • Page 386 Table 124 Configuration > Policy > Content Filtering > Filtering Profile > Add (continued) LABEL DESCRIPTION Cult/Occult Selecting this category excludes pages that promote or offer methods, means of instruction, or other resources to affect or influence real events through the use of spells, curses, magic powers and satanic or supernatural beings.
  • Page 387 Table 124 Configuration > Policy > Content Filtering > Filtering Profile > Add (continued) LABEL DESCRIPTION Search Engines/Portals Selecting this category excludes pages that support searching the Internet, indices, and directories. Web Communications Selecting this category excludes pages that allow or offer Web-based communication via e-mail, chat, instant messaging, message boards, etc.
  • Page 388: Content Filter Customization Screen

    Table 124 Configuration > Policy > Content Filtering > Filtering Profile > Add (continued) LABEL DESCRIPTION Travel Selecting this category excludes pages that promote or provide opportunity for travel planning, including finding and making travel reservations, vehicle rentals, descriptions of travel destinations, or promotions for hotels or casinos.
  • Page 389: Figure 247 Configuration > Policy > Content Filtering > Filtering Profiles > Customization

    Figure 247 Configuration > Policy > Content Filtering > Filtering Profiles > Customization The following table describes the labels in this screen. Table 125 Configuration > Policy > Content Filtering > Filtering Profiles > Customization LABEL...
  • Page 390 Table 125 Configuration > Policy > Content Filtering > Filtering Profiles > Customization LABEL DESCRIPTION Allow Web traffic for trusted web sites only When this box is selected, the ZyWALL blocks Web access to sites that are not on the Trusted Web Sites list.
  • Page 391: Keyword Blocking Url Checking

    ZyWALL 1050 User’s Guide Table 125 Configuration > Policy > Content Filtering > Filtering Profiles > Customization LABEL DESCRIPTION Blocked URL Keywords This section allows you to block Web sites with URLs that contain certain keywords in the domain name or IP address. You can enter up to 256 keywords.
  • Page 392: Figure 248 Configuration > Policy > Content Filter > Cache

    ZyWALL 1050 User’s Guide You can remove individual entries from the cache. When you do this, the ZyWALL queries the external content filtering database the next time someone tries to access that web site. This allows you to check whether a web site’s category has been changed.
  • Page 393 ZyWALL 1050 User’s Guide Table 126 Configuration > Policy > Content Filter > Cache (continued) LABEL DESCRIPTION Maximum TTL Type the maximum time to live (TTL) (1 to 720 hours). This sets how long the ZyWALL is to keep an entry in the URL cache before discarding it.
  • Page 395: Content Filtering Reports

    CHAPTER Content Filtering Reports This chapter describes how to view content filtering reports after you have activated the category-based content filtering subscription service. See Chapter 8 on page 163 for how to create a myZyXEL.com account, register your device and activate the subscription services using the REGISTRATION screens.
  • Page 396: Figure 250 myZyXEL.com: Welcome

    ZyWALL using the Rename button in the Service Management screen (see Figure 251 on page 397). Figure 250 myZyXEL.com: Welcome 4 In the Service Management screen click Content Filter in the Service Name field to open the Blue Coat login screen.
  • Page 397: Figure 251 myZyXEL.com: Service Management

    Figure 251 myZyXEL.com: Service Management 5 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 251 on page 397). Type your myZyXEL.com account password in the Password field.
  • Page 398: Figure 253 Blue Coat Content Filtering Reports Main Screen

    Figure 253 Blue Coat Content Filtering Reports Main Screen 8 Select items under Global Reports or Single User Reports to view the corresponding reports. Figure 254 Blue Coat: Report Home 9 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report. The screens vary according to the report type you selected...
  • Page 399: Figure 255 Global Report Screen Example

    Figure 255 Global Report Screen Example 11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.
  • Page 400: Web Site Submission

    Figure 256 Requested URLs Example 23.2 Web Site Submission You may find that a web site has not been accurately categorized or that a web site’s contents have changed and the content filtering category needs to be updated. Use the following procedure to submit the web site for review.
  • Page 401: Figure 257 Web Page Review Process Screen

    Figure 257 Web Page Review Process Screen 3 Type the web site’s URL in the field and click Submit to have the web site reviewed.
  • Page 403: Chapter 24 Virtual Servers

    CHAPTER Virtual Servers This chapter describes how to set up, manage, and remove virtual servers. First, it provides an overview of virtual servers, and then it introduces the virtual server screens and commands.
  • Page 404: Virtual Server Example

    24.2 Virtual Server Example Let's say you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to another (B in the example) and assign a default server IP address of 192.168.1.35 to a third (C in the example).
  • Page 405: Virtual Server Add/Edit

    Figure 259 Policy > Virtual Server The following table describes the labels in this screen. See Section 24.4.1 on page 405 below for more information as well. Table 127 Policy > Virtual Server LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific virtual server.
  • Page 406: Figure 260 Policy > Virtual Server > Edit

    Figure 260 Policy > Virtual Server > Edit The following table describes the labels in this screen. Table 128 Policy > Virtual Server > Edit LABEL DESCRIPTION Name Type in the name of the virtual server. The name is used to refer to the virtual server.
  • Page 407 Table 128 Policy > Virtual Server > Edit (continued) LABEL DESCRIPTION Original End Port This field is available if Mapping Type is Ports. Enter the end of the range of original destination ports this virtual server supports.
  • Page 409: Chapter 25 HTTP Redirect

    CHAPTER HTTP Redirect This chapter shows you how to configure HTTP redirection on your ZyWALL. See the HTTP Redirect section in the Configuration Overview chapter for related information on these screens.
  • Page 410: Configuring HTTP Redirect

    Figure 261 HTTP Redirect Example In the example, proxy server A is connected to ge4 in the DMZ zone. When a client connected to ge1 wants to open a web page, its HTTP request is redirected to proxy server A first. If proxy server A cannot find the web page in its cache, a policy route allows it to access the Internet to get the page from a server.
  • Page 411: HTTP Redirect Edit

    Figure 262 HTTP Redirect The following table describes the labels in this screen. Table 129 HTTP Redirect LABEL DESCRIPTION Name This is the descriptive name (up to 31 printable characters) of a rule. Interface This is the interface on which the request must be received.
  • Page 412: Figure 263 HTTP Redirect Edit

    Figure 263 HTTP Redirect Edit The following table describes the labels in this screen. Table 130 HTTP Redirect Edit LABEL DESCRIPTION Name Enter a name to identify this rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 413: Chapter 26 VoIP Pass Through

    CHAPTER VoIP Pass Through This chapter covers how to use the ZyWALL’s VoIP pass through feature to allow SIP and H.323 VoIP applications to pass through the ZyWALL. See the VoIP PassThru section in the Configuration Overview chapter for related information on these screens.
  • Page 414

    You could also have a trunk with one interface set to active and a second interface set to passive. The ZyWALL does not automatically change the VoIP connection to the second (passive) interface when the active interface’s connection goes down. When the active interface’s connection fails, the VoIP client needs to re-register through the second interface...
  • Page 415: SIP

    Figure 264 H.323 ALG Example 26.1.5 SIP The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet. SIP is used in VoIP (Voice over IP), the sending of voice signals over the Internet Protocol.
  • Page 416: SIP Signaling Session Timeout

    Figure 265 SIP ALG Example 26.1.5.2 SIP Signaling Session Timeout Most SIP clients have an “expire” mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL.
  • Page 417: VoIP with Multiple WAN IP Addresses

    Figure 266 VoIP Calls from the WAN with Multiple Outgoing Calls 26.2.2 VoIP with Multiple WAN IP Addresses With multiple WAN IP addresses on the ZyWALL, you can configure different firewall and virtual server (port forwarding) rules to allow incoming calls from each WAN IP address to go to a specific IP address on the LAN (or DMZ).
  • Page 418: Figure 268 Policy > VoIP Passthru

    Figure 268 Policy > VoIP Passthru The following table describes the labels in this screen. Table 131 Policy > VoIP Passthru LABEL DESCRIPTION Enable SIP Transformations SIP is a signaling protocol used in VoIP (Voice over IP), the sending of voice signals over Internet Protocol.
  • Page 419: WAN to LAN SIP Peer-to-peer Calls Example

    26.4 WAN to LAN SIP Peer-to-peer Calls Example This example shows how to configure firewall and virtual server (port forwarding) rules to allow H.323 calls to come in through WAN IP address 10.0.0.8 to computer A at IP address 192.168.1.56 on the LAN.
  • Page 420: Figure 271 Object > Address > Add

    Figure 271 Object > Address > Add Now configure a firewall rule to allow H.323 (TCP port 1720) traffic received on the WAN_IP-for-H323 IP address to go to LAN IP address 192.168.1.56. 5 Click Policy > Firewall. In From Zone, select WAN; in To Zone, select LAN.
  • Page 421: Figure 273 Policy > Firewall > WAN > LAN > Add

    Figure 273 Policy > Firewall > WAN > LAN > Add
  • Page 423: Chapter 27 User/Group

    CHAPTER User/Group This chapter describes how to set up user accounts, user groups, and user settings for the ZyWALL. You can also set up rules that control when users have to log in to the ZyWALL before the ZyWALL routes traffic for them.
  • Page 424: Setting Up User Attributes in an External Server

    Ext-User users should be authenticated by an external server, such as LDAP or RADIUS. If the ZyWALL tries to use the local database to authenticate an Ext-User, the authentication attempt always fails. (This is related to AAA servers and authentication methods, which are...
  • Page 425: Creating a Large Number of Ext-User Accounts

    Figure 275 RADIUS Example: Keywords for User Attributes type=user;leaseTime=222;reauthTime=222 27.1.2.2 Creating a Large Number of Ext-User Accounts If you plan to create a large number of Ext-User accounts, you might use CLI commands, instead of the web configurator, to create the accounts. Extract the user names from the LDAP or RADIUS server, and create a shell script that creates the user accounts.
  • Page 426: User Summary

    The ZyWALL does not automatically route the request that prompted the login, however, so users have to make this request again. 27.2 User Summary The User screen provides a summary of all user accounts. To access this screen, log in to the web configurator, and click User/Group.
  • Page 427: Figure 277 User/Group > User > Edit

    Figure 277 User/Group > User > Edit The following table describes the labels in this screen. Table 135 User/Group > User > Edit LABEL DESCRIPTION User Name Type the user name for this user account. You may use 1-31 alphanumeric...
  • Page 428: Rules for User Names

    27.2.1.1 Rules for User Names Enter a user name from 1 to 31 characters. The user name can only contain the following characters: • Alphanumeric A-Z a-z 0-9 (there is no unicode support) • _ [underscores] • - [dashes] The first character must be alphabetical (A-Z a-z), an underscore (_), or a dash (-).
  • Page 429: Group Add/Edit

    Figure 278 User/Group > Group The following table describes the labels in this screen. See Section 27.3.1 on page 429 for more information as well. Table 137 User/Group > Group LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific user group.
  • Page 430: Figure 279 User/Group > Group > Edit

    Figure 279 User/Group > Group > Edit The following table describes the labels in this screen. Table 138 User/Group > Group > Edit LABEL DESCRIPTION Name Type the name for this user group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 431: Setting Screen

    27.4 Setting Screen The Setting screen controls default settings, login settings, lockout settings, and other user settings for the ZyWALL. You can also use this screen to specify when users must log in to the ZyWALL before it routes traffic for them.
  • Page 432 Table 139 User/Group > Setting (continued) LABEL DESCRIPTION Lease Time Select the default lease time when you create a new user account. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. You can still change the lease time for each user account.
  • Page 433: Force User Authentication Policy Add/Edit

    Table 139 User/Group > Setting (continued) LABEL DESCRIPTION Force User Authentication Policy Use this section to specify when users must log in to the ZyWALL before the ZyWALL routes HTTP traffic for them. Once users have logged in, the ZyWALL can enforce user-aware policies...
  • Page 434: Web Configurator for Non-Admin Users

    Figure 282 User/Group > Setting > Force User Authentication Policy > add/edit The following table describes the labels in this screen. Table 140 User/Group > Setting > Force User Authentication Policy > add/edit LABEL DESCRIPTION Enable Select this if you want this condition to be active.
  • Page 435: Figure 283 Web Configurator for Non-Admin Users

    Figure 283 Web Configurator for Non-Admin Users The following table describes the labels in this screen. Table 141 Web Configurator for Non-Admin Users LABEL DESCRIPTION User-defined lease time (max Access users can specify a lease time shorter than or equal to the one that you specified.
  • Page 437: Chapter 28 Addresses

    CHAPTER Addresses This chapter describes how to set up addresses and address groups for the ZyWALL. See the Objects section in the Configuration Overview chapter for related information on these screens.
  • Page 438: Address Add/Edit

    Figure 284 Object > Address > Address The following table describes the labels in this screen. See Section 28.2.2 on page 438 for more information as well. Table 142 Object > Address > Address LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific address.
  • Page 439: Address Group Screens

    Figure 285 Object > Address > Address > Edit The following table describes the labels in this screen. Table 143 Object > Address > Address > Edit LABEL DESCRIPTION Name Type the name used to refer to the address. You may use 1-31 alphanumeric...
  • Page 440: Address Group Add/Edit

    Figure 286 Object > Address > Address Group The following table describes the labels in this screen. See Section 28.3.2 on page 440 for more information as well. Table 144 Object > Address > Address Group LABEL...
  • Page 441: Figure 287 Objects > Address > Address Group > Edit

    Figure 287 Objects > Address > Address Group > Edit The following table describes the labels in this screen. Table 145 Object > Address > Address Group > Edit LABEL DESCRIPTION Name This field displays the name of each address group. You may use 1-31...
  • Page 443: Chapter 29 Services

    CHAPTER Services Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features. See the...
  • Page 444: Service Objects and Service Groups

    29.1.2 Service Objects and Service Groups Use service objects to define IP protocols. • TCP applications • UDP applications • ICMP messages • user-defined services (for other types of IP protocols) These objects are used in policy routes, firewall rules, and IDP profiles.
  • Page 445: Service Add/Edit

    Table 146 Object > Service > Service (continued) LABEL DESCRIPTION Content This field displays a description of each service. Add icon This column provides icons to add, edit, and remove services. To add a service, click the Add icon at the top of the column. The Service Add/Edit screen appears.
  • Page 446: Service Group Summary Screen

    29.3 Service Group Summary Screen The Service Group summary screen provides a summary of all service groups. In addition, this screen allows you to add, edit, and remove service groups. To access this screen, log in to the web configurator, and click Object > Service > Service Group.
  • Page 447: Figure 292 Object > Service > Service Group > Edit

    Figure 292 Object > Service > Service Group > Edit The following table describes the labels in this screen. Table 149 Object > Service > Service Group > Edit LABEL DESCRIPTION Name Enter the name of each service group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 448: Figure 293 Object > Service > Service Group > Member

    Table 149 Object > Service > Service Group > Edit (continued) LABEL DESCRIPTION Member List This field displays the name of each member in the service group. The word in front of the name indicates whether this member is a service or service group.
  • Page 449: Chapter 30 Schedules

    CHAPTER Schedules Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, application patrol, and content filtering. See the Objects section in the Configuration Overview chapter for related information on these screens.
  • Page 450: Figure 294 Configuration > Object > Schedule

    Figure 294 Configuration > Object > Schedule The following table describes the labels in this screen. See Section 30.2.2 on page 451 and Section 30.2.3 on page 452 for more information as well. Table 150 Configuration > Object > Schedule...
  • Page 451: One-Time Schedule Add/Edit

    30.2.2 One-Time Schedule Add/Edit The One-Time Schedule Add/Edit screen allows you to define a one-time schedule or edit an existing one. To access this screen, go to the Schedule screen (see Section 30.2.1 on page 449), and click either the Add icon or an Edit icon in the One Time section.
  • Page 452: Recurring Schedule Add/Edit

    30.2.3 Recurring Schedule Add/Edit The Recurring Schedule Add/Edit screen allows you to define a recurring schedule or edit an existing one. To access this screen, go to the Schedule screen (see Section 30.2.1 on page 449), and click either the Add icon or an Edit icon in the Recurring section.
  • Page 453 Table 152 Configuration > Object > Schedule > Recurring_1 (continued) LABEL DESCRIPTION Weekly Weekdays Select each day of the week the recurring schedule is effective.
  • Page 455: Chapter 31 AAA Server

    CHAPTER AAA Server This chapter introduces and shows you how to configure the ZyWALL to use external authentication servers. 31.1 AAA Server Overview You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network.
  • Page 456: LDAP Directory Structure

    Figure 297 Example: LDAP Client and Server The following describes the user authentication procedure via an LDAP server. 1 The ZyWALL is set to use LDAP authentication for user authentication. 2 A user logs in with a user name and password pair.
  • Page 457: Distinguished Name (DN)

    Figure 298 Basic LDAP Directory Structure (tree showing the Root and the Organizations (o), Organization Units (ou), Countries (c) and Common Name (cn) levels) 31.2.2 Distinguished Name (DN) A DN uniquely identifies an entry in a directory. A DN consists of attribute-value pairs separated by commas.
  • Page 458: LDAP Group Summary

    Figure 299 Objects: AAA Server: LDAP: Default The following table describes the labels in this screen. Table 153 Objects: AAA Server: LDAP: Default LABEL DESCRIPTION Host Enter the IP address (in dotted decimal notation) or the fully-qualified domain name (up to 63 alphanumerical characters) of an LDAP server.
  • Page 459: Figure 300 Objects > AAA Server > LDAP > Group

    1 Click Objects > AAA Server > LDAP > Group to display the screen. Figure 300 Objects > AAA Server > LDAP > Group The following table describes the labels in this screen. Table 154 Objects > AAA Server > LDAP > Group...
  • Page 460: Creating an LDAP Group

    31.3.1 Creating an LDAP Group Figure 301 Objects > AAA Server > LDAP > Group > Add The following table describes the labels in this screen. Table 155 Objects > AAA Server > LDAP > Group > Add...
  • Page 461: RADIUS Server

    Table 155 Objects > AAA Server > LDAP > Group > Add (continued) LABEL DESCRIPTION Members Specify the URI (Uniform Resource Identifier) of an LDAP server. You can enter the IP address (in dotted decimal notation) or the fully qualified domain name (FQDN;...
  • Page 462: Configuring a Group of RADIUS Servers

    Figure 303 Objects > AAA Server > RADIUS > Default The following table describes the labels in this screen. Table 156 Objects > AAA Server > RADIUS > Default LABEL DESCRIPTION Host Enter the IP address (in dotted decimal notation) or the domain name (up to 63 alphanumeric characters) of a RADIUS server.
  • Page 463: Figure 304 Objects > AAA Server > RADIUS > Group

    Figure 304 Objects > AAA Server > RADIUS > Group The following table describes the labels in this screen. Table 157 Objects > AAA Server > RADIUS > Group LABEL DESCRIPTION This field displays the index number.
  • Page 464: Adding a RADIUS Server Member

    31.6.1 Adding a RADIUS Server Member Figure 305 Objects > AAA Server > RADIUS > Group > Add The following table describes the labels in this screen. Table 158 Objects > AAA Server > RADIUS > Group > Add...
  • Page 465: Authentication Objects

    CHAPTER Authentication Objects This chapter shows you how to select different authentication methods for user authentication using the AAA servers or the internal user database. 32.1 Authentication Objects Overview After you have created the AAA server objects in the AAA Server screens, you can specify the authentication objects (containing the AAA server information) that the ZyWALL uses to authenticate users (using VPN or managing through HTTP/HTTPS).
  • Page 466: Creating an Authentication Object

    Table 159 Objects > Auth. Method (continued) LABEL DESCRIPTION Method List This field displays the authentication method(s) for this entry. Click to add a new entry. Click to edit the settings of an entry. Click to delete an entry.
  • Page 467: Example: Selecting a VPN Authentication Method

    Figure 307 Objects > Auth. Method > Add The following table describes the labels in this screen. Table 160 Objects > Auth. Method > Add LABEL DESCRIPTION Name Specify a descriptive name for identification purposes. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 468: Figure 308 Example: Using Authentication Method in VPN

    4 Click OK to save the settings. Figure 308 Example: Using Authentication Method in VPN
  • Page 469: Chapter 33 Certificates

    CHAPTER Certificates This chapter gives background information about public-key certificates and explains how to use the Certificates screens. See the Objects section in the Configuration Overview chapter for related information on these screens.
  • Page 470: Advantages of Certificates

    A certification path is the hierarchy of certification authority certificates that validate a certificate. The ZyWALL does not trust a certificate if any certificate on its path has expired or been revoked. Certification authorities maintain directory servers with databases of valid and revoked certificates.
  • Page 471: Certificate Configuration Screens Summary

    • Binary PKCS#12: This is a format for transferring public key and private key certificates. The private key in a PKCS #12 file is within a password-encrypted envelope. The file’s password is not connected to your certificate’s public or private passwords.
  • Page 472: My Certificates Screen

    Figure 310 Certificate Details 4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection.
  • Page 473: Figure 311 My Certificates Screen

    Figure 311 My Certificates Screen The following table describes the labels in this screen. Table 161 My Certificates Screen LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
  • Page 474: My Certificates Add Screen

    Table 161 My Certificates Screen (continued) LABEL DESCRIPTION Modify Click the Add icon to go to the screen where you can have the ZyWALL generate a certificate or a certification request. Click the Edit icon to open a screen with an in-depth list of information about the certificate.
  • Page 475: Figure 312 My Certificates Add Screen

    Figure 312 My Certificates Add Screen The following table describes the labels in this screen. Table 162 My Certificates Add Screen LABEL DESCRIPTION Name Type a name to identify this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
  • Page 476 Table 162 My Certificates Add Screen (continued) LABEL DESCRIPTION Common Name Select a radio button to identify the certificate’s owner by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided.
  • Page 477: My Certificate Edit Screen

    Table 162 My Certificates Add Screen (continued) LABEL DESCRIPTION CA Server Address This field applies when you select Create a certification request and enroll for a certificate immediately online. Enter the IP address (or URL) of the certification authority server.
  • Page 478: Figure 313 My Certificate Edit Screen

    Figure 313 My Certificate Edit Screen
  • Page 479: Table 163 My Certificate Edit Screen

    The following table describes the labels in this screen. Table 163 My Certificate Edit Screen LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
  • Page 480: My Certificate Import Screen

    Table 163 My Certificate Edit Screen (continued) LABEL DESCRIPTION Basic Constraint This field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority’s certificate and “Path Length Constraint=1” means that there can only be one certification authority in the certificate’s path.
  • Page 481: Trusted Certificates Screen

    Note: You can import a certificate that matches a corresponding certification request that was generated by the ZyWALL. You can also import a certificate in PKCS#12 format, including the certificate’s public and private keys. The certificate you import replaces the corresponding request in the My Certificates screen.
  • Page 482: OCSP

    33.7.1 OCSP OCSP (Online Certificate Status Protocol) allows an application or device to check whether a certificate is valid. With OCSP the ZyWALL checks the status of individual certificates instead of downloading a Certificate Revocation List (CRL). OCSP has two main advantages over a CRL.
  • Page 483: Trusted Certificates Edit Screen

    Table 165 Trusted Certificates Screen (continued) LABEL DESCRIPTION Valid To This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired. Modify Click the Edit icon to open a screen with an in-depth list of information about the certificate.
  • Page 484: Figure 316 Trusted Certificates Edit Screen

    Figure 316 Trusted Certificates Edit Screen
  • Page 485: Table 166 Trusted Certificates Edit Screen

    The following table describes the labels in this screen. Table 166 Trusted Certificates Edit Screen LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can change the name. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
  • Page 486 Table 166 Trusted Certificates Edit Screen (continued) LABEL DESCRIPTION Subject This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C). Issuer This field displays identifying information about the certificate’s issuing certification authority, such as Common Name, Organizational Unit, Organization and Country.
  • Page 487: Trusted Certificates Import Screen

    33.9 Trusted Certificates Import Screen Click Configuration > Object > Certificate > Trusted Certificates > Import to open the Trusted Certificates Import screen. Follow the instructions in this screen to save a trusted certificate to the ZyWALL.
  • Page 489: Chapter 34 System

    ZyWALL 1050 User’s Guide H A P T E R System This chapter provides information on the system screens. 34.1 System Overview The system screens can help you configure general ZyWALL information, the system time and the console port connection speed for a terminal emulation program. The screens also allow you to configure DNS settings and determine which services/protocols can access which ZyWALL zones (if any) from which computers.
  • Page 490: Time And Date

    34.3 Time and Date. This section shows you how: 1 To manually set the ZyWALL date and time. 2 To get the ZyWALL date and time from a time server. For effective scheduling and logging, the ZyWALL system time must be accurate; an accurate clock is also what makes the Valid To check on certificates (Chapter 33) meaningful. The ZyWALL’s Real Time Chip (RTC) keeps track of the time and date.
  • Page 491

    Table 169 System > Date and Time (continued). Manual: Select this radio button to enter the time and date manually. If you configure a new time and date, time zone and daylight saving at the same time, the time zone and daylight saving will affect the new time and date you entered.
  • Page 492: Pre-Defined Ntp Time Servers List

    Table 169 System > Date and Time (continued). Offset: Specify how much the clock changes when daylight saving begins and ends. Enter a number from 1 to 5.5 (by 0.5 increments). For example, if you set this field to 3.5, a log entry that occurred at 6 P.M. in local official time will appear as if it had occurred at 9:30 P.M. (6 P.M. plus 3.5 hours).
  • Page 493: Figure 320 Synchronization In Process

    Figure 320 Synchronization in Process. The Current Time and Current Date fields will display the appropriate settings if the synchronization is successful. If the synchronization was not successful, a log displays in the View Log screen. Try reconfiguring the Date/Time screen.
  • Page 494: Console Port Speed

    34.4 Console Port Speed. This section shows you how to set the console port speed when you connect to the ZyWALL via the console port using a terminal emulation program. See Table 2 on page 49 for default console port settings.
  • Page 495: Dns Servers

    • You can manually enter the IP addresses of other DNS servers. 34.5.2 DNS Servers: Use the DNS screen to configure the ZyWALL to use a DNS server to resolve domain names for ZyWALL system features like VPN, DDNS and the time server. You can also configure the ZyWALL to accept or discard DNS queries.
  • Page 496

    Table 172 System > DNS (continued). Click the Add icon in the heading row to open a screen where you can add a new address/PTR record. Refer to Table 173 on page 498 for information on the fields.
  • Page 497: Address Record

    Table 172 System > DNS (continued). Click the Add icon in the heading row to open a screen where you can add a new MX record. Refer to Table 175 on page 500 for information on the fields.
  • Page 498: Ptr Record

    The ZyWALL allows you to configure address records about the ZyWALL itself or another device. This way you can keep a record of DNS names and addresses that people on your network may use frequently. If the ZyWALL receives a DNS query for an FQDN for which the ZyWALL has an address record, the ZyWALL can send the IP address in a DNS response without having to query a DNS name server.
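    The behaviour just described, answering from the ZyWALL’s own address records and only otherwise turning to a DNS server, as an added example in Python; this is not ZyXEL’s code. It parses a query in DNS wire format, answers A queries for configured names and the PTR queries derived from them, and returns None for anything else, which a caller would forward to the configured DNS server or domain zone forwarder. The record names, addresses and query IDs are constructed for the example; the ZyWALL’s real record table, TTL and treatment of other record types are not documented on this page and are assumed.

```python
"""Answering DNS queries from local address records, as the ZyWALL does for
names in its Address/PTR Record table, and handing everything else off to the
configured DNS server.

Added example, not ZyXEL code. Assumed: single-question queries, class IN,
A and PTR types only; a query the local table cannot answer returns None,
which a caller would forward to the configured DNS server or zone forwarder.
"""
import ipaddress
import struct
from typing import Dict, Optional, Tuple

TYPE_A, TYPE_PTR, CLASS_IN = 1, 12, 1


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_query(txid: int, name: str, qtype: int) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def parse_query(msg: bytes) -> Tuple[int, str, int, int, int]:
    """Return (txid, lower-cased qname, qtype, qclass, end offset of question)."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount != 1:                 # QR set: a response, not a query
        raise ValueError("expected a single-question query")
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, name.lower(), qtype, qclass, off + 4


class LocalRecords:
    """Address records (name -> IPv4) plus the PTR records derived from them."""

    def __init__(self, address_records: Dict[str, str], ttl: int = 300):
        self.ttl = ttl
        self.a = {n.lower().rstrip("."): ipaddress.IPv4Address(ip)
                  for n, ip in address_records.items()}
        self.ptr = {ip.reverse_pointer: n for n, ip in self.a.items()}

    def answer(self, query: bytes) -> Optional[bytes]:
        txid, name, qtype, qclass, qend = parse_query(query)
        if qclass != CLASS_IN:
            return None
        if qtype == TYPE_A and name in self.a:
            rdata = self.a[name].packed
        elif qtype == TYPE_PTR and name in self.ptr:
            rdata = encode_name(self.ptr[name])
        else:
            return None                                # not a local record: forward it
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; 1 answer
        answer = struct.pack("!HHHIH", 0xC00C, qtype, CLASS_IN, self.ttl, len(rdata)) + rdata
        return header + query[12:qend] + answer        # echo the question, append the answer


def parse_answer(msg: bytes) -> Tuple[int, str, int, str]:
    """Return (txid, name, type, value) for a response carrying one answer."""
    txid, _, _, ancount = struct.unpack("!HHHH", msg[:8])
    if ancount != 1:
        raise ValueError("expected exactly one answer")
    _, off = decode_name(msg, 12)
    off += 4                                           # skip QTYPE/QCLASS
    name, off = decode_name(msg, off)
    rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    rdata = msg[off + 10:off + 10 + rdlen]
    value = str(ipaddress.IPv4Address(rdata)) if rtype == TYPE_A else decode_name(rdata, 0)[0]
    return txid, name, rtype, value


# Constructed record table standing in for the ZyWALL's Address/PTR Record screen.
ZYWALL_RECORDS = LocalRecords({"zywall.example.local": "192.168.1.1",
                               "intranet.example.local": "192.168.1.20"})

if __name__ == "__main__":
    for qname, qtype in [("zywall.example.local", TYPE_A),
                         ("1.1.168.192.in-addr.arpa", TYPE_PTR),
                         ("www.example.com", TYPE_A)]:
        reply = ZYWALL_RECORDS.answer(build_query(0x1234, qname, qtype))
        print(qname, parse_answer(reply) if reply else "-> forward to configured DNS server")
```

    Queries are matched case-insensitively, as DNS names are, and a packet with the QR bit set is refused rather than answered, so a reflected response cannot be mistaken for a query.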
  • Page 499: Adding A Domain Zone Forwarder

    34.5.8 Adding a Domain Zone Forwarder. Click the Add icon in the Domain Zone Forwarder table to add a domain zone forwarder record. Figure 324 System > DNS > Domain Zone Forwarder Edit. The following table describes the labels in this screen.
  • Page 500: Adding A Mx Record

    34.5.10 Adding an MX Record. Click the Add icon in the MX Record table to add an MX record. Figure 325 System > DNS > MX Record Edit. The following table describes the labels in this screen.
  • Page 501: Table 176 System > Dns > Service Control Rule Edit

    The following table describes the labels in this screen. Table 176 System > DNS > Service Control Rule Edit. Address Object: Select ALL to allow or deny any computer to send DNS queries to the ZyWALL.
  • Page 502

    Chapter 34 System...
  • Page 503: System Remote Management

    CHAPTER 35 System Remote Management. This chapter shows you how to determine what services may access what zones on the ZyWALL. 35.1 Remote Management Overview: The WWW, SSH, Telnet, FTP and SNMP screens allow you to determine which services/protocols can access which ZyWALL zones (if any) from which computers.
  • Page 504: System Timeout

    35.1.2 System Timeout. There is a lease timeout for administrators. The ZyWALL automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling, so a statistics screen left open keeps an administrator session alive indefinitely; close it or log out rather than relying on the timeout.
  • Page 505: Configuring Www

    Figure 327 HTTP/HTTPS Implementation. Note: If you disable HTTP in the WWW screen, then the ZyWALL blocks all HTTP connection attempts. 35.3 Configuring WWW: Click Configuration > System > WWW to open the WWW screen. Use this screen to change your ZyWALL’s web settings.
  • Page 506: Figure 328 System > Www

    Figure 328 System > WWW. The following table describes the labels in this screen. Table 177 System > WWW. HTTPS Enable: Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL web configurator using secure HTTPS connections.
  • Page 507

    Table 177 System > WWW (continued). Admin/User Service Control: This specifies from which computers an administrator or non-administrator can access the specified ZyWALL zones. The first column is the index number of the service control rule. Zone: This is the zone on the ZyWALL the user is allowed or denied to access.
  • Page 508: Service Control Rules

    Table 177 System > WWW (continued). Click the Add icon in the heading row to open a screen where you can add a new rule. Refer to Table 178 on page 509 for information on the fields.
  • Page 509: Https Example

    The following table describes the labels in this screen. Table 178 Edit Service Control Rule. Address Object: Select ALL to allow or deny any computer to communicate with the ZyWALL using this service. Select a predefined address object to just allow or deny the computer with the IP address that you specified to access the ZyWALL using this service.
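    The service control model behind Table 176 (DNS) and Tables 177 and 178 (WWW), which the SSH, Telnet, FTP and SNMP screens repeat, as an added Python example that is not ZyXEL’s code. It evaluates an ordered list of rules made of zone, address object and action, and it also flags rules that an earlier rule makes unreachable, the usual way an ALL / ALL / allow line near the top quietly disables every deny below it. The rule set, zone names and addresses are constructed; that the ZyWALL evaluates rules top-down with first match and denies when nothing matches is an assumption the page does not state.

```python
"""Service control rule evaluation, modelled on the ZyWALL's per-service
Service Control tables (WWW, DNS, SSH, Telnet, FTP and SNMP).

Added example, not ZyXEL's implementation. Assumptions the user's guide does
not state: rules are checked top-down and the first match decides; an address
object is a host, a subnet or a start-end range; a request matching no rule is
denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AddressObject:
    """HOST, SUBNET or RANGE address object, kept as a contiguous IPv4 range."""
    kind: str
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address

    @classmethod
    def parse(cls, text: str) -> "AddressObject":
        if "-" in text:                                  # RANGE: "a.b.c.d-a.b.c.e"
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
            return cls("RANGE", lo, hi)
        net = ipaddress.IPv4Network(text, strict=False)  # HOST (/32) or SUBNET
        kind = "HOST" if net.prefixlen == 32 else "SUBNET"
        return cls(kind, net.network_address, net.broadcast_address)

    def contains(self, ip: ipaddress.IPv4Address) -> bool:
        return self.start <= ip <= self.end


@dataclass(frozen=True)
class Rule:
    zone: str                           # "ALL" or a zone name (LAN, WAN, DMZ, ...)
    address: Optional[AddressObject]    # None stands for the ALL address object
    action: str                         # "allow" or "deny"


def evaluate(rules: List[Rule], zone: str, src_ip: str) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based index of the matching rule); no match -> ("deny", None)."""
    ip = ipaddress.IPv4Address(src_ip)
    for index, rule in enumerate(rules, start=1):
        if rule.zone not in ("ALL", zone):
            continue
        if rule.address is not None and not rule.address.contains(ip):
            continue
        return rule.action, index
    return "deny", None


def _covers(outer: Optional[AddressObject], inner: Optional[AddressObject]) -> bool:
    if outer is None:            # ALL covers every address object
        return True
    if inner is None:            # a specific object never covers ALL
        return False
    return outer.start <= inner.start and inner.end <= outer.end


def shadowed(rules: List[Rule]) -> List[int]:
    """1-based indexes of rules that can never match because an earlier rule
    already covers every source they would match (an ordering mistake)."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.zone in ("ALL", later.zone) and _covers(earlier.address, later.address):
                dead.append(i + 1)
                break
    return dead


# Constructed rule set for the WWW service: the LAN subnet and one WAN
# administrator host may manage the device, the rest of the WAN is denied,
# and remaining zones are left open.
WWW_RULES = [
    Rule("LAN", AddressObject.parse("192.168.1.0/24"), "allow"),
    Rule("WAN", AddressObject.parse("203.0.113.10"), "allow"),
    Rule("WAN", None, "deny"),
    Rule("ALL", None, "allow"),
]

if __name__ == "__main__":
    for zone, ip in [("LAN", "192.168.1.5"), ("WAN", "203.0.113.10"), ("WAN", "198.51.100.7")]:
        print(zone, ip, evaluate(WWW_RULES, zone, ip))
    print("shadowed when the ALL/ALL allow is moved above the WAN deny:",
          shadowed([WWW_RULES[3], WWW_RULES[2]]))
```

    Running shadowed() over a table before saving it catches the case the GUI does not warn about: a catch-all allow placed above a deny leaves the deny in the table but never reached.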
  • Page 510: Netscape Navigator Warning Messages

    Figure 330 Security Alert Dialog Box (Internet Explorer). 35.5.2 Netscape Navigator Warning Messages: When you attempt to access the ZyWALL HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is from the ZyWALL.
  • Page 511: Avoiding Browser Warning Messages

    Figure 332 Security Certificate 2 (Netscape). 35.5.3 Avoiding Browser Warning Messages: The following describes the main reasons that your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnings. Resolve the warning once, by importing the ZyWALL’s certificate or the authority that issued it, rather than clicking through it at every login; after that, a renewed warning is a sign that the certificate, or the device answering at that address, has changed.
  • Page 512: Figure 333 Login Screen (Internet Explorer)

    Figure 333 Login Screen (Internet Explorer). Figure 334 Login Screen (Netscape). Chapter 35 System Remote Management...
  • Page 513: Ssh

    35.6 SSH. Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network.
  • Page 514: Ssh Implementation On The Zywall

    2 Encryption Method: Once the identification is verified, both the client and server must agree on the type of encryption method to use. 3 Authentication and Data Transmission: After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server.
  • Page 515: Secure Telnet Using Ssh Examples

    The following table describes the labels in this screen. Table 179 System > SSH. Enable: Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL CLI using this service.
  • Page 516: Example 1: Microsoft Windows

    35.7.1 Example 1: Microsoft Windows. This section describes how to access the ZyWALL using the Secure Shell Client program. 1 Launch the SSH client and specify the connection information (IP address, port number) for the ZyWALL.
  • Page 517: Telnet

    ...ZyWALL using SSH, a message displays prompting you to save the host information of the ZyWALL. Before you accept, compare the host key fingerprint in that prompt with one obtained out of band; saving an unverified key defeats the host identification step described above. Type “yes” and press [ENTER]. Then enter the password to log in to the ZyWALL. Figure 340 SSH Example 2: Log in $ ssh -1 192.168.1.1... The -1 option forces SSH protocol version 1, which current OpenSSH clients no longer support; leave it out unless the device only accepts version 1.
  • Page 518: Figure 342 System > Telnet

    Figure 342 System > Telnet. The following table describes the labels in this screen. Table 180 System > Telnet. Enable: Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL CLI using this service. Telnet sends the login and everything after it in clear text (see Section 35.6), so prefer SSH and, where Telnet must stay enabled, restrict it to management hosts in the Service Control table.
  • Page 519: Configuring Ftp

    35.9 Configuring FTP. You can upload and download the ZyWALL’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. Please see Chapter 9 on page 167 for more information about firmware and configuration files.
  • Page 520: Snmp

    Table 181 System > FTP (continued). Click the Add icon in the heading row to open a screen where you can add a new rule. Refer to Table 178 on page 509 for information on the fields.
  • Page 521: Figure 344 Snmp Management Model

    Figure 344 SNMP Management Model. An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP.
  • Page 522: Supported Mibs

    35.10.1 Supported MIBs. The ZyWALL supports MIB II that is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. 35.10.2 SNMP Traps: The ZyWALL will send traps to the SNMP manager when any one of the following events occurs.
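    A minimal SNMPv1 exchange against MIB-II, as an added Python example rather than ZyXEL code: the manager’s GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0 in RFC 1213) and the agent’s GetResponse, both encoded and decoded in BER. It shows that the community string is an OCTET STRING carried in the clear in every packet, so the Service Control table on the SNMP screen, not the community string, is what keeps the agent from being polled by anyone who can reach it. SNMPv1 (version 0), the community “zywall-ro” and the reply text are assumptions or constructed values.

```python
"""SNMPv1 GetRequest / GetResponse in BER, manager and agent side.

Added example, not ZyXEL code. Assumed: SNMPv1 (version field 0) with a
community string; "zywall-ro" and the agent's sysDescr text are constructed.
"""
from typing import Any, Dict, List, Tuple

SEQUENCE, INTEGER, OCTET_STRING, NULL, OID = 0x30, 0x02, 0x04, 0x05, 0x06
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2
SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"          # MIB-II system.sysDescr.0


def _length(n: int) -> bytes:
    if n < 0x80:                                   # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body        # long form


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _length(len(payload)) + payload


def ber_int(value: int) -> bytes:
    # minimal two's-complement encoding (an extra 0x00 keeps positives positive)
    return tlv(INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def ber_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.strip(".").split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])         # first two arcs share one byte
    for arc in arcs[2:]:                           # base-128, high bit = more follows
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return tlv(OID, body)


def _pdu(pdu_tag: int, request_id: int, varbinds: List[Tuple[str, bytes]]) -> bytes:
    vbl = b"".join(tlv(SEQUENCE, ber_oid(oid) + value) for oid, value in varbinds)
    return tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(SEQUENCE, vbl))


def get_request(community: str, request_id: int, oid: str) -> bytes:
    """Manager -> agent: ask for one object; the value slot is NULL in a request."""
    pdu = _pdu(GET_REQUEST, request_id, [(oid, tlv(NULL, b""))])
    return tlv(SEQUENCE, ber_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)


def get_response(community: str, request_id: int, oid: str, text: str) -> bytes:
    """Agent -> manager: same request-id, value filled in as an OCTET STRING."""
    pdu = _pdu(GET_RESPONSE, request_id, [(oid, tlv(OCTET_STRING, text.encode()))])
    return tlv(SEQUENCE, ber_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)


def read_tlv(data: bytes, off: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, payload, offset after this element)."""
    tag, length, off = data[off], data[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(data[off:off + n], "big"), off + n
    return tag, data[off:off + length], off + length


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_message(msg: bytes) -> Dict[str, Any]:
    _, body, _ = read_tlv(msg)
    _, ver, off = read_tlv(body)
    _, community, off = read_tlv(body, off)
    pdu_tag, pdu, _ = read_tlv(body, off)
    _, rid, off = read_tlv(pdu)
    _, status, off = read_tlv(pdu, off)
    _, _, off = read_tlv(pdu, off)                 # error-index
    _, vbl, _ = read_tlv(pdu, off)
    varbinds, off = [], 0
    while off < len(vbl):
        _, vb, off = read_tlv(vbl, off)
        _, oid, o = read_tlv(vb)
        vtag, value, _ = read_tlv(vb, o)
        varbinds.append((decode_oid(oid), vtag, value))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode(), "pdu": pdu_tag,
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(status, "big", signed=True),
            "varbinds": varbinds}


if __name__ == "__main__":
    req = get_request("zywall-ro", 0x1234, SYS_DESCR_0)
    print("request :", req.hex(), "community visible:", b"zywall-ro" in req)
    resp = get_response("zywall-ro", 0x1234, SYS_DESCR_0, "ZyWALL 1050")
    print("response:", parse_message(resp))
```

    Anyone on the path, or anyone who can send to the agent, sees or guesses the community string; the example’s request carries it verbatim. Treat the SNMP Service Control rules as the access control and the community as a label.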
  • Page 523: Table 183 System > Snmp

    The following table describes the labels in this screen. Table 183 System > SNMP. Enable: Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL using this service.
  • Page 524

    Chapter 35 System Remote Management...
  • Page 525: Chapter 36 Logs

    CHAPTER 36 Logs. This chapter provides information about the ZyWALL’s logs. The following table displays the maximum number of system log messages in the ZyWALL. Table 184 Specifications: Logs. Maximum Number of Log Messages (System Log)
  • Page 526: Figure 346 Maintenance > Logs > View Log

    Figure 346 Maintenance > Logs > View Log. If an event generates log messages and alerts, it is displayed in red. Otherwise, it is displayed in black. The following table describes the labels in this screen.
  • Page 527: Log Settings Screens

    Table 185 Maintenance > Logs > View Log (continued). Priority: This field is read-only if the Category is Debug Log. Select the lowest-priority log messages you would like to see. The log will display every log message with this priority or higher.
  • Page 528: Log Settings Summary

    The ZyWALL provides a system log and supports e-mail profiles and remote syslog servers. The system log is available on the View Log tab, the e-mail profiles are used to mail log messages to the specified destinations, and the other four logs are stored on specified syslog servers.
  • Page 529: Log Settings Edit E-Mail

    Figure 347 Maintenance > Logs > Log Setting. The following table describes the labels in this screen. Table 186 Maintenance > Logs > Log Setting. The first column is a sequential value, and it is not associated with a specific log.
  • Page 530: Figure 348 Maintenance > Logs > Log Setting > E-Mail > Edit

    Figure 348 Maintenance > Logs > Log Setting > E-mail > Edit. Chapter 36 Logs...
  • Page 531: Table 187 Maintenance > Logs > Log Setting > E-Mail > Edit

    The following table describes the labels in this screen. Table 187 Maintenance > Logs > Log Setting > E-mail > Edit. E-Mail Server 1/2 Active: Select this to send log messages and alerts according to the information in this section.
  • Page 532: Log Settings Edit Syslog

    Table 187 Maintenance > Logs > Log Setting > E-mail > Edit (continued). E-mail Server 2: Select whether this category of events should be included in log messages when it is e-mailed (green checkmark) and/or in alerts (yellow exclamation point) for the e-mail settings specified in E-Mail Server 2.
  • Page 533: Figure 349 Maintenance > Logs > Log Setting > Remote Server > Edit

    Figure 349 Maintenance > Logs > Log Setting > Remote Server > Edit. The following table describes the labels in this screen. Table 188 Maintenance > Logs > Log Setting > Remote Server > Edit...
  • Page 534: Active Log Summary

    Table 188 Maintenance > Logs > Log Setting > Remote Server > Edit (continued). Log Format: This field displays the format of the log information. It is read-only. Internal - system log; you can view the log on the View Log tab.
  • Page 535: Figure 350 Active Log Summary

    Figure 350 Active Log Summary. This screen provides a different view and a different way of indicating which messages are included in each log and each alert. Please see Section 36.3.1 on page 529, where this process is discussed.
  • Page 536: Table 189 Maintenance > Logs > Log Setting > Active Log Summary

    The following table describes the fields in this screen. Table 189 Maintenance > Logs > Log Setting > Active Log Summary. Log Category: This field displays each category of messages. It is the same value used in the Display and Category fields in the View Log tab.
  • Page 537: Chapter 37 Reports

    CHAPTER 37 Reports. This chapter provides information about the report screen, active session screen, and associated commands. 37.1 Report Screen: The Report screen provides basic information about the following metrics: • Most-visited Web sites and the number of times each one was visited. This count may not be accurate in some cases because the ZyWALL counts HTTP GET packets.
  • Page 538: Figure 351 Maintenance > Report > Report

    Figure 351 Maintenance > Report > Report. There is a limit on the number of records shown in the report. Please see Table 191 on page for more information. The following table describes the labels in this screen.
  • Page 539

    Table 190 Maintenance > Report > Report (continued). Report Type: Select the type of report to display. Choices are: IP Address/User - displays the IP addresses or users with the most traffic and how much traffic has been sent to and from each one.
  • Page 540: Session Screen

    Table 190 Maintenance > Report > Report (continued). Web Site: This field displays the domain names most often visited. The ZyWALL counts each page viewed on a Web site as another hit. The maximum number of domain names...
  • Page 541: Figure 352 Maintenance > Report > Session

    Figure 352 Maintenance > Report > Session. The following table describes the labels in this screen. Table 192 Maintenance > Report > Session. View: Select how you want the information to be displayed. Choices are:...
  • Page 542

    Table 192 Maintenance > Report > Session (continued). Search: Click this button to update the information on the screen using the filter criteria in the User, Service, Source Address, and Destination Address fields. sessions per page: Select the number of active sessions displayed on each page.
  • Page 543: Chapter 38 Reboot

    CHAPTER 38 Reboot. Use this to restart the device (for example, if the device begins behaving erratically). See also Section 1.4 on page 50 for information on different ways to start and stop the ZyWALL.
  • Page 544

    Chapter 38 Reboot...
  • Page 545: Product Specifications

    Appendix A Product Specifications. The following specifications are subject to change without notice. See the Introduction chapter for a general overview of key features. This table provides basic device specifications. Table 193 Device Specifications. Default IP Address (ge1): 192.168.1.1...
  • Page 546

    Appendix A Product Specifications...
  • Page 547: Appendix B Common Services

    Appendix B Common Services. The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Numbers Authority) web site.
  • Page 548

    Table 195 Commonly Used Services (continued). HTTP: Hyper Text Transfer Protocol - a client/server protocol for the world wide web. HTTPS: HTTPS is a secured HTTP session often used in e-commerce.
  • Page 549

    Table 195 Commonly Used Services (continued). SFTP: Simple File Transfer Protocol (not the SSH File Transfer Protocol that shares the abbreviation). SMTP: Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.
  • Page 550

    Appendix B Common Services...
  • Page 551: Open Software Announcements

    No part may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, except the express written permission of ZyXEL Communications Corporation. Note: This Product includes ppp-2.4.2 software under the PPP License.
  • Page 552

    Note: This Product includes Netkit Telnet -0.17 software under the Netkit Telnet License Netkit Telnet License Copyright (c) 1989 Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1.Redistributions of source code must retain the above copyright notice, this list of conditions...
  • Page 553

    2.The name of the above contributors may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  • Page 554

    Expat License Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without...
  • Page 555

    Note: This Product includes openssl-0.9.7d software under the OpenSSL License OpenSSL TN3270 Plus and SDI FTP SSL utilize the “OpenSSL toolkit” functionality provided by “The Open SSL Project” at http://www.openssl.org. SDI Limited acknowledges all patent rights therein.”...
  • Page 556

    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).This product includes software written by Tim Hudson...
  • Page 557

    SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT...
  • Page 558

    LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  • Page 559

    Use is subject to license terms which appear in the file named ISC-LICENSE that should have accompanied this file when you received it. If a file named ISC-LICENSE did not accompany this file, or you are not sure the one you have is correct, you may obtain an applicable copy of the license at: http://www.isc.org/isc-license-1.0.html...
  • Page 560

    “Work” shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).
  • Page 561

    (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works;...
  • Page 562

    9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License.
  • Page 563

    This software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foundation. For more information on the Apache Software Foundation, please see <http://www.apache.org/>. Portions of this software are based upon public domain software originally written at the National Center for Supercomputing Applications, University of Illinois, Urbana-Champaign.
  • Page 564

    For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code.
  • Page 565

    Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library.
  • Page 566

    License. d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.
  • Page 567

    However, linking a “work that uses the Library” with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a “work that uses the library”. The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.
  • Page 568

    It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute.
  • Page 569

    through that system in reliance on consistent application of that system; it is up to the author/ donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
  • Page 570

    END OF TERMS AND CONDITIONS. Note: This Product includes bridge-utils, dhcpcd-1.3.22-pl4, rp-pppoe-3.5, vlan-1.8, keepalived-1.1.11-p1, L7 Filter, snort, dietlibc, quagga-0.99.2, ez-ipupdate- 3.0.11b7, proftpd-1.2.10, pam-0.76, tzcode2006c, iproute2, iptables-1.2.11/ netfilter(kernel), dhcp-helper, busybox, Linux kernel, and pptp-linux-1.4.0 software under GPL license.
  • Page 571

    Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.
  • Page 572

    These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works.
  • Page 573

    5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or...
  • Page 574

    10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this.
  • Page 575

    Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Neither the name of the University nor of the Laboratory may be used to endorse or promote products derived from this software without specific prior written permission.
  • Page 576

    The Public License Version 2.8, 17 August 2003 Redistribution and use of this software and associated documentation(“Software”), with or without modification, are permitted provided that the following conditions are met: 1. Redistributions in source form must retain copyright statements and notices, 2.
  • Page 577

    Note: Some components of the ZYWALL 1050 incorporate source code covered under the Apache License, GPL License, LGPL License, BSD License, Open SSL License, OpenLDAP License, X11-style License, A 3 clause BSD License, NTP License, Expat License, PPP License, Netkit-telnet License and MIT License.
  • Page 578

    You may not publish, display, disclose, sell, rent, lease, modify, store, loan, distribute, or create derivative works of the Software, or any part thereof. You may not assign, sublicense, convey or otherwise transfer, pledge as security or otherwise encumber the rights and licenses granted hereunder with respect to the Software.
  • Page 579

    AGGREGATE LIABILITY WITH RESPECT TO ITS OBLIGATIONS UNDER THIS AGREEMENT OR OTHERWISE WITH RESPECT TO THE SOFTWARE AND DOCUMENTATION OR OTHERWISE SHALL BE EQUAL TO THE PURCHASE PRICE, BUT SHALL IN NO EVENT EXCEED $1,000. BECAUSE SOME STATES/COUNTRIES...
  • Page 580

    only be effective if it is in writing and signed by both parties hereto. If any part of this License Agreement is found invalid or unenforceable by a court of competent jurisdiction, the remainder of this License Agreement shall be interpreted so as to reasonably effect the intention of the parties.
  • Page 581: Index

    Index. Numerics and content filtering 375, 376, 380 and firewall and force user authentication policies 3DES and FTP and NAT and policy routes 295, 296 and SNMP and SSH and Telnet and virtual servers AAA servers...
  • Page 582

    asymmetrical routes vs virtual interfaces asymmetrical routes (firewall) 308, 311, 313 authentication algorithms 239, 240, 256 and certificates and active protocol CE Mark and routing protocols Certificate Management Protocol (CMP) 240, 256 SHA1 Certificate Revocation List (CRL)
  • Page 583

    uploading uploading with FTP use without restart Data Encryption Standard. See DES. way the ZyWALL runs daylight savings console port speed DDNS backup contact information configuration overview content (pattern) high availability (HA) content filtering 375, 376...
  • Page 584

    and IPSec SA and logs and port triggering e-Donkey and schedules EGP (Exterior Gateway Protocol) and service groups and services 316, 444 e-Mule and SIP Encapsulating Security Payload. See ESP. and SIP (VoIP pass through) encapsulation...
  • Page 585

    prerequisites registration status trial service activation H.323 upgrading license and firewall IDP (Intrusion, Detection and Prevention) and RTP IDP policy types H.323. See also ALG. IDP profiles header checksum IDP registration status host-based intrusions IDP service group...
  • Page 586

    and VPN gateways and firewall 229, 304 and VRRP groups and to-ZyWALL firewall and zones 107, 177 authentication algorithms 239, 240 as DHCP relays authentication key (manual keys) as DHCP servers 181, 489 configuration overview auxiliary. See also auxiliary interface.
  • Page 587

    user attributes least load first (for load balancing) License Active 378, 383 292, 404 License Inactive 378, 383 address mapping. See policy routes. Lightweight Directory Access Protocol. See LDAP. ALG. See ALG. and address objects load balancing...
  • Page 588

    priority and trunks 215, 296 redistribute and user groups redistribute type (cost) and users routers. See OSPF routers. and VoIP pass through 413, 416, 417 virtual links and VPN connections 229, 295, 296 vs RIP bandwidth management...
  • Page 589

    advantages RFC 2890. See GRE. and IKE SA RFC 3261. See SIP. and PPPoE and users and Ethernet interfaces user attributes and OSPF Real-time Transport Protocol. See RTP. and static routes reboot 50, 543 and to-ZyWALL firewall...
  • Page 590

    Session Initiation Protocol. See SIP. spillover (for load balancing) sessions SQL slammer severity (IDP) 337, 343 and address groups SHA1 and address objects shell scripts and certificates and users and zones downloading client requirements editing encryption methods...
  • Page 591

    syslog servers. See logs. to-ZyWALL firewall. See also firewall. system log. See logs. trademarks system name traffic anomaly 336, 348 system reports. See reports. Transmission Control Protocol. See TCP. system uptime Transport Layer Security (TLS) system-default.conf...
  • Page 592

    user groups Virtual Router Redundancy Protocol. See VRRP. and content filtering 375, 380 virtual servers and firewall and address objects (HOST) and policy routes and firewall configuration overview and interfaces user names and to-ZyWALL firewall rules...
  • Page 593

    VRRP advertisement interval and to-ZyWALL firewall zones 108, 267 backup router and firewall 301, 309 management IP and FTP master router and IDP preempt and interfaces 107, 267 router priority and SNMP virtual router ID (VR ID)