ZyXEL Communications ZyWALL 5 Support Notes

ZyWALL 5
Security Appliance
Support Notes
Version 4.01
Jun. 2006

Summary of Contents for ZyXEL Communications ZyWALL 5

  • Page 1 ZyWALL 5 Security Appliance Support Notes Version 4.01 Jun. 2006...
  • Page 2: Table Of Contents

    FortiNet with ZyWALL VPN Tunneling (p. 183); Remote Access VPN Scenario (p. 197); Using xAuth for User Authentication (p. 198); ZyXEL VPN Client to ZyWALL Tunneling (p. 200); Flexible Wireless Connection and Security (p. 209); Deploy the ZyWALL WLAN security policy (p. 210). All contents copyright (c) 2006 ZyXEL Communications Corporation.
  • Page 3 A18. What network interface does the new ZyWALL series support? (p. 254) A19. How does the ZyWALL support TFTP? (p. 254) A20. Can the ZyWALL support TFTP over WAN? (p. 254) A21. How can I upload data to the outside Internet over a one-way cable? (p. 254)
  • Page 4 ZyWALL 70 trade-in promotion? (p. 260) B08. What is the firmware upgrade path for my current ZyWALL 5 and ZyWALL 35? (p. 260) B09. After a successful firmware upgrade to ZyNOS v4.01, what is the default setting of AV+IDP, AS and CF? (p. 260)...
  • Page 5 ZyNOS v4.01? (p. 261) B11. What is the downgrade procedure for a ZyWALL 70 running ZyNOS v4.01? (p. 261) B12. Can I downgrade a ZyWALL 5 or ZyWALL 35 running ZyNOS v4.01 back to ZyNOS v3.64 (or below)? (p. 261) C. Turbo Card FAQ (p. 261) C01.
  • Page 6 G02. Why does the ZyWALL bundle the Anti-Virus and IDP features together? (p. 274) G03. Can I subscribe to the Anti-Virus service alone or the IDP service alone? (p. 274) G04. What are the hardware requirements to run AV+IDP security
  • Page 7 I03. What happens when an email with a large attachment, e.g. 5MB, which has a virus in it is downloaded? (p. 278) I04. What happens if the virus is in the last part of the email message
  • Page 8 J18. How many ratings does the BlueCoat database contain? (p. 282) J19. How often does BlueCoat update the database? (p. 282) J20. How do I locate sites to block? (p. 283) J21. Do humans review the ratings? (p. 283)
  • Page 9 What do I need to know? (p. 292) K19. Does the ZyWALL support a dynamic secure gateway IP? (p. 293) K20. Which VPN gateways have been tested successfully with the ZyWALL? (p. 293) K21. Which VPN software has been tested successfully with the ZyWALL? (p. 293)
  • Page 10 L16. Will a self-signed certificate be erased if I reset to the default configuration file? (p. 302) L17. Will certificates stored in the ZyXEL appliance be erased if I reset to the default configuration file? (p. 302)
  • Page 11 Management class tree? And what is the max depth of a class? (p. 303) O. Wireless FAQ (p. 304) O01. Which wireless cards are supported in the ZyWALL 5/35/70? (p. 304) O02. Which wireless security option can I use with the related wireless cards? (p. 304)...
  • Page 12: Application Notes

    If a router-mode firewall is inserted into an existing network, the administrator may need to reassign the IP addresses of all servers and hosts, and the related application settings, which can be a huge task.
  • Page 13 In the following section we explain how to configure the ZyWALL as a bridge-mode firewall, so that all hosts and servers can keep the IP addresses they use on the current network.
  • Page 14 The admin can activate the rule by clicking the 'N' as shown in the following picture; the rule takes effect right away. Step 2. To change the device mode, go to MAINTENANCE >> Device Mode. Select 'Bridge' and
  • Page 15 (like 210.242.82.X/24 in this example). In this way, the admin does not need to change his PC's IP address when he wants to access the Internet and the ZyWALL's web GUI at the same time.)
  • Page 16 IP segment 210.242.82.0/24). Edit the firewall rule via Firewall >> Rule Summary with packet direction DMZ to LAN. Enter 210.242.82.2 as the source address and 210.242.82.31~34 as the destination address, then select the service and set the action for 'Matched Packet' to 'BLOCK'.
  • Page 17: Internet Connection

    ZyWALL to gain Internet access. Step 1. First of all, select the Home menu and click Internet Access Wizard to configure your WAN1 connection. Click "Internet Access" under Home >> Wizards for WAN 1 Quick Setup
  • Page 18 These fields vary depending on what you select in the Encapsulation field. Fill them in with the information exactly as given by the ISP or network administrator. The following picture is an example with PPPoE selected.
  • Page 19: Dhcp Server/Client/Relay + Flexible Port Role Configuration

    WLAN ports. Besides, since v4.0 the ZyWALL also supports flexible port role settings. With these two features, an admin can easily connect servers and clients into a ZyWALL-ready environment. The two features are described below.
  • Page 20 DHCP server (IP: 10.10.1.1) to handle all DHCP requests from LAN hosts. So the ZyWALL is configured in the relay role to pass DHCP requests from the LAN to the DHCP server. The network admin would like to configure DMZ and WLAN as independent subnets.
  • Page 21 Step 1. Insert a wireless card in the ZyWALL's PCMCIA slot before booting the ZyWALL, since we will enable the wireless network for wireless clients to associate with. Step 2. Configure the DHCP setting for LAN. Choose 'Relay' from the DHCP setting and enter the IP address of the DHCP server, '10.10.1.1'.
  • Page 22 '192.168.10.33'. Step 5. Configure Port Role from either LAN, DMZ or WLAN >> Port Roles. Configure the roles as follows, then click 'Apply' to save the setting. (1). port 1-2 for LAN
  • Page 23: Using Nat/Multi-Nat

    IP addresses. The IP addresses for the NAT can be either fixed or dynamically assigned by the ISP. In addition, you can designate servers, e.g., a web server and a telnet server, on your local network and make them
  • Page 24 (e.g., the ZyWALL router). The ZyWALL keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored. • NAT Mapping Types NAT supports five types of IP/port mapping. They are:
  • Page 25
    NAT Type                 IP Mapping
    One-to-One               ILA1<--->IGA1
    Many-to-One (SUA/PAT)    ILA1<--->IGA1, ILA2<--->IGA1
    Many-to-Many Overload    ILA1<--->IGA1, ILA2<--->IGA2, ILA3<--->IGA1, ILA4<--->IGA2
    Many One-to-One          ILA1<--->IGA1, ILA2<--->IGA2, ILA3<--->IGA3, ILA4<--->IGA4
    Server                   Server 1 IP<--->IGA1, Server 2 IP<--->IGA1
    (ILA = Inside Local Address, IGA = Inside Global Address) • SUA Versus Multi-NAT
  • Page 26 Step 1. Applying NAT on the WAN Interface. You can choose the NAT mapping type, either SUA Only or Full Feature, in WAN setup: NETWORK -> WAN or ADVANCED -> NAT -> NAT Overview
  • Page 27 Set this field to 'SUA Only' if you want all clients to share one IP to the Internet. Step 2. Configuring NAT Address Mapping. To configure NAT, go to ADVANCED -> NAT -> Address Mapping
  • Page 28 Rule 1 (One-to-One type) maps FTP Server 1 with ILA1 (192.168.1.10) to IGA1 (200.1.1.1). Rule 2 (One-to-One type) maps FTP Server 2 with ILA2 (192.168.1.11) to IGA2 (200.1.1.2).
  • Page 29 Rule 1 Setup: Select One-to-One type to map FTP Server 1 with ILA1 (192.168.1.10) to IGA1 (200.1.1.1). Rule 2 Setup: Select One-to-One type to map FTP Server 2 with ILA2 (192.168.1.11) to IGA2 (200.1.1.2). Rule 3 Setup: Select Many-to-One type to map the other clients to IGA3.
  • Page 30 Rule 4 Setup: Select Server type to map our web server and mail server with ILA3 (192.168.1.20) to IGA3. We have now configured all four rules in the rule summary page.
  • Page 31 LAN to forward the incoming connections. If you would like to allow only traffic going to the internal server, you should specify the server's private IP address in the destination IP address field.
  • Page 32 IP address. The following figure illustrates this. One rule configured with the Many One-to-One mapping type is shown below. The three rules configured with the One-to-One mapping type are shown below.
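The four address-mapping rules above, worked through as an added example (this is not ZyXEL code and not how ZyNOS is implemented internally). It models what each mapping type does to a packet in both directions and why the ZyWALL must keep a session table for Many-to-One (SUA/PAT). Values the page does not give are assumed: IGA3 is taken as 200.1.1.3, the Server rule forwards TCP 80 (web) and 25 (mail), and dynamic PAT ports start at 1024.

```python
# Added example (not ZyXEL code): a model of the Multi-NAT address-mapping rules
# from the page. Assumptions, not from the page: IGA3 = 200.1.1.3, the Server
# rule forwards ports 80 and 25, dynamic PAT ports are allocated from 1024 up.
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class OneToOne:          # one public address belongs to one host: all ports, both directions
    ila: str
    iga: str


@dataclass(frozen=True)
class ManyToOne:         # SUA/PAT: many hosts share one public address via port rewriting
    iga: str


@dataclass(frozen=True)
class Server:            # inbound only: selected public ports are forwarded to one host
    ila: str
    iga: str
    ports: tuple


class MultiNat:
    def __init__(self, rules, first_port=1024):
        self.rules = list(rules)
        self._ports = itertools.count(first_port)
        self.sessions = {}   # (iga, public_port) -> (ila, private_port): restores replies
        self.reverse = {}    # (ila, private_port) -> (iga, public_port): reuses a mapping

    def _reserved_ports(self, iga):
        return {p for r in self.rules if isinstance(r, Server) and r.iga == iga for p in r.ports}

    def _allocate_port(self, iga):
        reserved = self._reserved_ports(iga)   # never hand out a port a Server rule owns
        while True:
            port = next(self._ports)
            if port not in reserved and (iga, port) not in self.sessions:
                return port

    def outbound(self, src_ip, src_port):
        """LAN -> WAN: the (public_ip, public_port) the packet leaves with, or None."""
        for rule in self.rules:
            if isinstance(rule, OneToOne) and rule.ila == src_ip:
                return rule.iga, src_port
            if isinstance(rule, ManyToOne):
                key = (src_ip, src_port)
                if key not in self.reverse:
                    public = (rule.iga, self._allocate_port(rule.iga))
                    self.reverse[key] = public
                    self.sessions[public] = key
                return self.reverse[key]
        return None

    def inbound(self, dst_ip, dst_port):
        """WAN -> LAN: the (private_ip, private_port) to deliver to, or None to drop."""
        for rule in self.rules:
            if isinstance(rule, OneToOne) and rule.iga == dst_ip:
                return rule.ila, dst_port
            if isinstance(rule, Server) and rule.iga == dst_ip and dst_port in rule.ports:
                return rule.ila, dst_port
        # Many-to-One: only replies to an existing session can be translated back.
        return self.sessions.get((dst_ip, dst_port))


def page_example():
    """The four rules configured on pages 28-30 of the notes."""
    return MultiNat([
        OneToOne("192.168.1.10", "200.1.1.1"),                # Rule 1: FTP Server 1
        OneToOne("192.168.1.11", "200.1.1.2"),                # Rule 2: FTP Server 2
        ManyToOne("200.1.1.3"),                               # Rule 3: all other clients
        Server("192.168.1.20", "200.1.1.3", ports=(80, 25)),  # Rule 4: web + mail server
    ])


if __name__ == "__main__":
    nat = page_example()
    print(nat.outbound("192.168.1.10", 40000))   # ('200.1.1.1', 40000)
    print(nat.outbound("192.168.1.50", 5000))    # ('200.1.1.3', 1024)
    print(nat.inbound("200.1.1.3", 80))          # ('192.168.1.20', 80)
    print(nat.inbound("200.1.1.3", 2000))        # None: unsolicited, dropped
```

Note what the One-to-One rules imply: every port of 200.1.1.1 reaches 192.168.1.10, so the firewall rule on page 31 (destination set to the server's private address and the FTP service) is what actually limits exposure; the NAT rule alone does not.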
  • Page 33: Optimize Network Performance & Availability

    Additionally, you may want to grant higher bandwidth to a particular user at a specific IP address in your network. All of these are reasons why we need bandwidth management.
  • Page 34 If class A needs 300 kbps and class B needs 600 kbps, the ratio of A's and B's actual bandwidth is 1:2. So if we get 450 kbps in total, A gets 150 kbps and B gets 300 kbps.
  • Page 35 Go to ADVANCED->BW MGMT->Class Setup and select the interface on which you would like to set up the class tree. Click the radio button beside the Root Class, then press 'Add Sub-Class'
  • Page 36 Filter fields: Destination IP Address: enter the destination IP address that matches this class. Destination Subnet Mask: enter the destination subnet mask. Destination Port: enter the destination port number of the traffic.
  • Page 37 We have a 2M/512kbps ADSL link. On the DMZ side we have one FTP server and one media server. Suppose we want to restrict upload FTP traffic to 100kbps and streaming traffic to 300kbps
  • Page 38 Step 2. Go to "Class Setup". Click on Root Class and then click on "Add Sub-Class" to create and add a new class under root. We add a service and allocate 100kbps for FTP. Select the Service as FTP from the drop-down list. Specify
  • Page 39 Step 3. Add another class, Media. In this case the server IP address is 192.168.1.10 and it uses UDP for streaming. We allocate 300kbps for Media. Select the Service as Custom and set Protocol ID to 17 for UDP.
  • Page 40 Step 4. Now two services are added (FTP & Media). When you go to Monitor, one Default Class is created automatically and its bandwidth is the rest. This class applies to other kinds of traffic such as HTTP.
  • Page 41 Activate Bandwidth Management on the interface you want to control; in this example it is WAN1. Assign the bandwidth of the ADSL upstream, because Bandwidth Management only manages traffic that flows out of the router's interface.
  • Page 43 Class 2: Budget = 800kbps, Dest. IP = FTP Client B's IP, Service = FTP, Priority = 3, enable Borrow. Class 3: Budget = 800kbps, Dest. IP = IPTV Client's IP, Protocol = UDP.
  • Page 44 We add a service and allocate 400kbps for FTP destined to FTP Client A. Select the Service as FTP from the drop-down list. Input Client A's IP address as the Destination IP Address.
  • Page 45 Step 3. Add another service and allocate 800kbps for FTP destined to FTP Client B. Select the Service as FTP from the drop-down list. Input Client B's IP address as the Destination IP Address.
  • Page 46 Select the Service as Custom from the drop-down list and set Protocol ID to 17 (UDP). Input the IPTV user's IP address as the Destination IP Address. Step 5. Three classes are created for FTP Client A, B & the IPTV user as below:
  • Page 47: Secure Connections Across The Internet And Wireless Lan

    If the ZyWALL is used as the Internet gateway and a public IP address is assigned to the ZyWALL's WAN interface, the ZyWALL uses this public WAN IP address to terminate the VPN tunnels from remote VPN gateways. In the following example, the local VPN gateway (ZyWALL) uses a static public IP address.
  • Page 48: Configure Zywall With Dynamic Wan Ip Address

    ISP. Since the ZyWALL has no idea what its WAN IP address will be before it is assigned, it is difficult or impossible to use the WAN IP address as My Address in the Gateway Policy. To overcome this problem, Dynamic DNS can be used to resolve the VPN gateway. When a new IP
  • Page 49 Therefore the peer VPN gateway can resolve the ZyWALL's IP address to build a VPN tunnel. In the following example, the local VPN gateway (ZyWALL) uses a dynamic WAN IP address (PPPoE with dynamic IP assignment).
  • Page 50: Configure Zywall Behind Nat Router

    However, in some situations it is not possible to give the IPSec gateway a public IP address and it must be placed behind a NAT router. For example, the NAT router has a different interface (e.g. leased line,
  • Page 51 (IPSec pass-through) or not. With this option enabled, the ZyWALL can detect whether it is placed behind NAT when the peer VPN entity also supports NAT Traversal. If so, the IPSec traffic is encapsulated in UDP packets to avoid traversal problems on NAT routers.
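What "encapsulated in UDP" looks like on the wire, as an added example that is not part of the notes and not ZyXEL code. Standard NAT Traversal (RFC 3947/3948, the mechanism the page refers to) works in two stages: during IKE phase 1 on UDP/500 each side sends NAT-D hashes of its address and port, and if they do not match what the peer sees, both sides move to UDP/4500 and carry ESP inside UDP there. On UDP/4500 three kinds of datagram share the port: a one-byte keepalive, IKE messages prefixed by a four-byte zero "non-ESP marker", and raw ESP (whose SPI is never zero, which is what makes the marker unambiguous). The sample datagrams below are constructed; the IKE header is parsed as IKEv1 (RFC 2408), which is what ZyNOS v4.01 speaks. A practitioner troubleshooting a tunnel behind NAT should expect to see both UDP/500 and UDP/4500, and any firewall in between must allow both.

```python
# Added example (not ZyXEL code): demultiplexing the UDP/4500 NAT-T framing of
# RFC 3948. The sample datagrams are constructed for this example.
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix that tells IKE apart from ESP on UDP/4500
NAT_KEEPALIVE = b"\xff"                # one-byte datagram that keeps the NAT binding alive

IKEV1_EXCHANGES = {2: "main-mode", 4: "aggressive", 5: "informational", 32: "quick-mode"}


def classify_natt_datagram(payload: bytes) -> dict:
    """Return what a UDP/4500 payload carries: NAT keepalive, IKE or ESP."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < 28:                      # ISAKMP header is 28 bytes
            raise ValueError("truncated IKE header")
        ispi, rspi, next_payload, version, exch, flags, msg_id, length = struct.unpack_from(
            "!8s8sBBBBII", ike, 0)
        if length != len(ike):
            raise ValueError(f"IKE length field {length} != {len(ike)} bytes carried")
        return {
            "kind": "ike",
            "initiator_spi": ispi.hex(),
            "responder_spi": rspi.hex(),
            "version": f"{version >> 4}.{version & 0xF}",
            "exchange": IKEV1_EXCHANGES.get(exch, f"type-{exch}"),
            "encrypted": bool(flags & 0x01),   # IKEv1 E bit: payloads after the header are encrypted
            "message_id": msg_id,
        }
    if len(payload) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack_from("!II", payload, 0)
    if spi == 0:   # SPI 0 is reserved (RFC 4303); it would collide with the marker
        raise ValueError("ESP with SPI 0")
    return {"kind": "esp", "spi": spi, "sequence": seq, "encrypted_len": len(payload) - 8}


def ikev1_header(ispi: bytes, rspi: bytes, exch: int, flags: int = 0, msg_id: int = 0,
                 body: bytes = b"") -> bytes:
    """Build a minimal IKEv1 message (next payload = SA, version 1.0); constructed sample data."""
    return struct.pack("!8s8sBBBBII", ispi, rspi, 1, 0x10, exch, flags, msg_id, 28 + len(body)) + body


# Constructed sample datagrams as a NAT-T capable peer would send them on UDP/4500.
SAMPLE_IKE = NON_ESP_MARKER + ikev1_header(b"\x11" * 8, b"\x00" * 8, exch=2)   # main mode, first message
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + b"\xAA" * 24                 # SPI, seq, ciphertext
SAMPLE_KEEPALIVE = NAT_KEEPALIVE

if __name__ == "__main__":
    for name, frame in [("ike", SAMPLE_IKE), ("esp", SAMPLE_ESP), ("keepalive", SAMPLE_KEEPALIVE)]:
        print(name, classify_natt_datagram(frame))
```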
  • Page 52: Mapping Multiple Network Policy To Same Gateway Policy

    (figure labels: VPN tunnel 2, Dept. 2, PC 2) The configuration goal is to achieve the following two things: 1) Set up a VPN rule to allow PC1 to access Dept.1 through the tunnel between GW1 & GW2
  • Page 53 5) Under Authentication Key, "Pre-Shared Key" or "Certificate" can be used as the authentication method. For detailed usage of "Pre-Shared Key" and "Certificate", please refer to XXX. In this example, "Pre-Shared Key" is used with the string "12345678" as an example value only; a production pre-shared key should be long and randomly generated.
  • Page 54 7) Under "IKE Proposal", select the Encryption and Authentication Algorithms. Note that the configuration must be consistent on both ZyWALLs (GW1 & GW2). 8) Click on "Apply" to save the profile. 9) The IKE rule will be configured as below:
  • Page 55 If you need to change to another pre-defined Gateway Policy, you can select it from the drop-down list. 13) Under "Local Network", choose "Subnet" and input "192.168.71.0" and "255.255.255.0" for Dept1 in this example.
  • Page 56 15) Under "IPSec Proposal", select the Encryption and Authentication Algorithms. Note that the configuration must be consistent on both ZyWALLs (GW1 & GW2). 16) Click on "Apply" to save the profile. 17) The new Network Policy, PC1-to-Dept1, is added to the Gateway Policy.
  • Page 57: Using Certificate For Device Authentication

    This is usually done using security certificates and a Public Key Infrastructure (PKI). If a certificate (digital signature) is used for authentication, there are five available types of identity: IP,
  • Page 58: Using Self-Signed Certificates

    The ZyWALL can sign itself a so-called self-signed certificate, which can be imported into another ZyWALL for authentication. This feature allows users to use certificates without a CA. The certificates must be exchanged and imported into Trusted Remote Hosts before making a VPN connection.
  • Page 59 To use a self-signed certificate, go to ZyWALL CERTIFICATES->My Certificates and export the ZyWALL's certificate. 1) Press "Export" to save the ZyWALL self-signed certificate to the local computer in Binary X.509 format.
  • Page 60 Notepad) and then save it to your local computer in PEM (Base-64) encoded format. Then import the certificate into the other ZyWALL VPN gateway: go to the other ZyWALL, click the "Import" button under CERTIFICATES->Trusted Remote Hosts and select the certificate from the local computer.
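The Binary X.509 (DER) to PEM (Base-64) conversion done by hand in Notepad above, plus the check that matters when there is no CA: with self-signed certificates, nothing but an out-of-band comparison of the certificate's fingerprint ties the file you import into Trusted Remote Hosts to the real peer, so the administrator of the other ZyWALL should read the fingerprint to you over a separate channel before you import. This is an added example, not ZyXEL code; SAMPLE_DER is constructed placeholder bytes rather than a real certificate (the functions only encode and hash, so any bytes exercise them), and SHA-256 is the assumed fingerprint algorithm, so pick the algorithm that matches whatever the peer's certificate details page displays.

```python
# Added example (not ZyXEL code): DER <-> PEM conversion and the out-of-band
# fingerprint check for a peer's self-signed certificate. SAMPLE_DER is a
# constructed stand-in, not a real certificate.
import base64
import hashlib
import hmac
import textwrap

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as Base-64 in 64-column lines between the PEM armor lines."""
    body = textwrap.wrap(base64.b64encode(der).decode("ascii"), 64)
    return "\n".join([BEGIN, *body, END]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem; rejects anything that is not a single certificate block."""
    lines = [line.strip() for line in pem.strip().splitlines() if line.strip()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a PEM certificate block")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the DER encoding, as GUIs display it."""
    digest = hashlib.new(algorithm, der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def fingerprint_matches(expected: str, der: bytes, algorithm: str = "sha256") -> bool:
    """Compare a fingerprint received out of band against the file about to be imported."""
    def normalize(s: str) -> str:
        return s.replace(":", "").replace(" ", "").upper()
    # constant-time compare: not strictly needed for a public value, but costs nothing
    return hmac.compare_digest(normalize(expected), normalize(fingerprint(der, algorithm)))


# Constructed stand-in for an exported self-signed certificate (not valid DER).
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))

if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(pem)
    print("round-trip ok:", pem_to_der(pem) == SAMPLE_DER)
    print("sha256 fingerprint:", fingerprint(SAMPLE_DER))
```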
  • Page 61: Online Enroll Certificates

    This example shows how to use the PKI feature in the VPN function of a ZyXEL appliance. Through the PKI function, users can achieve peer identification during VPN/IPSec negotiation. With online enrollment, the ZyWALL first creates a certificate request locally, then sends the request to the trusted CA (Certificate Authority)
  • Page 62 The CA server's certificate will be used to protect the data. You may need to access the CA server's web interface or contact its administrator to get the CA's certificate. Then go to SECURITY->CERTIFICATES->Trusted CAs to import the downloaded certificate.
  • Page 63 6. In the "CA Server's Address" field, input the URL used to access the CA server, for example http://1.1.1.1:8080/scep/. 7. Choose the previously downloaded CA server's certificate from the drop-down list. 8. Input the user name and password if necessary. 9. Then click Apply.
  • Page 64 It may take a minute to complete the whole process. After the CA server agrees to issue the corresponding certificate, you will find the newly enrolled certificate in My Certificates. Step 3. Create a certificate request and enroll it on ZyWALL B
  • Page 65 6. In the "CA Server's Address" field, input the URL used to access the CA server, for example http://1.1.1.1:8080/scep/. 7. Choose the previously downloaded CA server's certificate from the drop-down list. 8. Input the user name and password if necessary. 9. Then click Apply.
  • Page 66 7. Authentication Key: select Certificate, and choose the certificate you enrolled for this device from the drop-down list. 8. Fill in My IP address = "192.168.1.35". 9. Peer ID type = "ANY". 10. Secure Gateway Address = "192.168.1.36". 11. Encapsulation Mode = "Tunnel". 12. Leave the other options at their defaults.
  • Page 67 13. You can check the detailed settings by clicking the Advanced button.
  • Page 68 7. Authentication Key: select Certificate, and choose the certificate you enrolled for this device from the drop-down list. 8. Fill in My IP address = "192.168.1.36". 9. Peer ID type = "ANY". 10. Secure Gateway Address = "192.168.1.35". 11. Encapsulation Mode = "Tunnel". 12. Leave the other options at their defaults.
  • Page 69 13. You can check the detailed settings by clicking the Advanced button.
  • Page 70: Offline Enroll Certificates

    Step 3. Create a certificate request on ZyWALL B. Step 4. Enroll the certificate request with Windows 2000. Step 5. Set up the VPN rule on ZyWALL A. Step 6. Set up the VPN rule on ZyWALL B.
  • Page 71 Topology: ZyWALL A has LAN 10.1.133.1 (10.1.133.0/24) and WAN 192.168.1.35; ZyWALL B has LAN 192.168.2.1 (192.168.2.0/24) and WAN 192.168.1.36. Step 1. Create a Certificate Request on ZyWALL A. 1. Go to VPN->My Certificates -> click the Create button.
  • Page 72 3. Wait 1-2 minutes until "Request Generation Successful" is displayed. During this period the ZyWALL creates the private/public key pair and the certificate request. 4. After creating the certificate request, the ZyWALL returns a Successful message.
  • Page 73 1. Copy the content of the certificate request in PEM Encoded Format by selecting all of the content, then right-clicking and selecting Copy. Keep the copy in the clipboard for a later paste.
  • Page 74 CA servers may differ; you may need to check with your CA service provider for details. For how to set up a Windows 2000 CA server, refer to http://www.microsoft.com. 2. Open the URL of the CA server and type in the User Name/Password/Domain fields.
  • Page 75 3. Select Request a Certificate, then press the Next> button.
  • Page 76 4. Choose Advanced request, then press the Next> button.
  • Page 77 5. Choose "Submit a certificate request using a base64...", then press the Next> button.
  • Page 78 6. Right-click and paste the certificate request you got in step 2.1.
  • Page 79 7. Click "Download CA certification path". 8. A file download dialog pops up; press the Save button and choose the local folder in which to store the certification path.
  • Page 80 9. Double-click the saved file, select Certificates, right-click the certificate and choose All Tasks-> Export... 10. The Certificate Export Wizard pops up; press Next>.
  • Page 81 11. Choose DER encoded binary X.509 (.CER), then press Next>. 12. Specify the path in which to store your exported certificate.
  • Page 82 13. Click Finish. 14. Go to ZyWALL WEB GUI -> VPN -> My Certificates -> click the Import button. 15. Click the Browse... button to find the location where you stored the ZyWALL's certificate, then press the Apply button.
  • Page 83 ZyWALL's certificate, such as zywall_a.cert.cert in this example, and select Certification Path to view the nearest CA server's name, and then export that CA server's certificate. Import the saved CA server's certificate: click the Browse... button and select the location.
  • Page 84 After importing the CA's certificate, you will get this display. Step 3. Create a Certificate Request on ZyWALL_B. 1. Go to VPN->My Certificates -> click the Create button.
  • Page 85 Unit, Organization and Country are optional fields; you are free to enter them or not. Finally, specify the key length and select "Create a certification request and save it locally for later manual enrollment".
  • Page 86 4. After creating the certificate request, the ZyWALL returns a Successful message. 5. In the My Certificates tab you get a new entry in grey. This is the certificate request you just created. Click Details to export the request.
  • Page 87 CA servers may differ; you may need to check with your CA service provider for details. For how to set up a Windows 2000 CA server, refer to http://www.microsoft.com. 2. Open the URL of the CA server and type in the User Name/Password/Domain fields.
  • Page 88 3. Select Request a Certificate, then press the Next> button.
  • Page 89 4. Choose Advanced request, then press the Next> button.
  • Page 90 5. Choose "Submit a certificate request using a base64...", then press the Next> button.
  • Page 91 6. Right-click and paste the certificate request you got in step 4.1.
  • Page 92 7. Click "Download CA certification path". 8. A file download dialog pops up; press the Save button and choose the local folder in which to store the certification path.
  • Page 93 9. Double-click the saved file, select Certificates, right-click the certificate and choose All Tasks-> Export... 10. The Certificate Export Wizard pops up; press Next>.
  • Page 94 11. Choose DER encoded binary X.509 (.CER), then press Next>.
  • Page 95 12. Specify the path in which to store your exported certificate.
  • Page 96 13. Click Finish. 14. Go to ZyWALL WEB GUI -> VPN -> My Certificates -> click the Import button. 15. Click the Browse... button to find the location where you stored the ZyWALL's certificate, then press the Apply button.
  • Page 97 ZyWALL's certificate, such as zywall_a.cert.cert in this example, and select Certification Path to view the nearest CA server's name, and then export that CA server's certificate. Import the saved CA server's certificate: click the Browse... button and select the location.
  • Page 98 6. Edit Remote: Address Type = "Subnet Address", Starting IP Address = "192.168.2.0", End IP Address/Subnet Mask = "255.255.255.0". 7. Authentication Key: select Certificate, and choose the certificate you enrolled for this device from the drop-down list. 8. Fill in My IP address = "192.168.1.35"
  • Page 99 9. Peer ID type = "ANY". 10. Secure Gateway Address = "192.168.1.36". 11. Encapsulation Mode = "Tunnel". 12. Leave the other options at their defaults.
  • Page 100 13. You can check the detailed settings by clicking the Advanced button.
  • Page 101 7. Authentication Key: select Certificate, and choose the certificate you enrolled for this device from the drop-down list. 8. Fill in My IP address = "192.168.1.36". 9. Peer ID type = "ANY". 10. Secure Gateway Address = "192.168.1.35". 11. Encapsulation Mode = "Tunnel". 12. Leave the other options at their defaults.
  • Page 102 13. You can check the detailed settings by clicking the Advanced button.
  • Page 103: Using Pre-Shared Key For Device Authentication

    5) When IP is selected as the ID Type, the Content must be in the format X.X.X.X (e.g. 210.242.82.70). 6) When DNS or E-mail is selected as the ID Type, the same string must be configured on both entities.
  • Page 104: Using Vpn Routing Between Branches

    VPN tunnels between branch offices are needed. In this support note we skip the detailed configuration steps for Internet access and presume that you are familiar with basic ZyNOS VPN configuration.
  • Page 105 B are contiguous, we merge them into one single rule by including both segments in the Remote section. If the two segments are not contiguous, we strongly recommend that you set up separate rules for them. 1. Go to SECURITY->VPN->Press the Add button
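A check for the merge-or-split decision above, added here as an example (not ZyXEL code; the branch subnets it uses are constructed, since this page does not give them). "Contiguous" is not enough on its own: two /24s only fold into one Remote selector when together they form an aligned block (192.168.2.0/24 and 192.168.3.0/24 make 192.168.2.0/23, but 192.168.3.0/24 and 192.168.4.0/24 do not), and widening the selector to cover them anyway makes the tunnel carry, and the peer accept, traffic for networks that are not behind the remote gateway. The second function measures exactly that excess so the administrator can see what a hand-widened rule would let through.

```python
# Added example (not ZyXEL code): decide whether branch segments can share one
# Remote selector, and measure the over-coverage of a hand-widened selector.
# Subnets used here are constructed for the example.
import ipaddress


def remote_selectors(segments):
    """Smallest set of selectors that covers exactly the given segments.

    Adjacent, aligned segments collapse into one rule; anything else stays
    as its own rule, which is the split the notes recommend.
    """
    nets = [ipaddress.ip_network(s, strict=True) for s in segments]   # strict: reject host bits
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def excess_coverage(selector, segments):
    """Address blocks that `selector` matches but no segment contains.

    A non-empty result means the single rule would route (and the peer would
    accept) traffic for networks that are not behind the remote gateway.
    """
    leftover = [ipaddress.ip_network(selector, strict=True)]
    for seg in segments:
        net = ipaddress.ip_network(seg, strict=True)
        remaining = []
        for block in leftover:
            if net.subnet_of(block):
                remaining.extend(block.address_exclude(net))   # carve the segment out
            elif not block.subnet_of(net):
                remaining.append(block)                        # untouched by this segment
            # else: block lies entirely inside the segment, so it is covered and dropped
        leftover = remaining
    return [str(n) for n in ipaddress.collapse_addresses(leftover)]


def excess_address_count(selector, segments):
    """Number of addresses the selector would wrongly pull into the tunnel."""
    return sum(ipaddress.ip_network(b).num_addresses for b in excess_coverage(selector, segments))


if __name__ == "__main__":
    print(remote_selectors(["192.168.2.0/24", "192.168.3.0/24"]))   # ['192.168.2.0/23']
    print(remote_selectors(["192.168.3.0/24", "192.168.4.0/24"]))   # two separate rules
    print(excess_coverage("192.168.0.0/21", ["192.168.3.0/24", "192.168.4.0/24"]))
    print(excess_address_count("192.168.0.0/21", ["192.168.3.0/24", "192.168.4.0/24"]))  # 1536
```

Run remote_selectors over the branch subnets before filling in the Remote section: one result means one rule; more than one means one rule per result, as the notes advise.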
  • Page 106 11. Select the Encryption Algorithm DES and the Authentication Algorithm SHA-1. These parameters are for the IKE phase 2 negotiation; you can set more detailed configuration by pressing the Advanced button. (DES is only the value used in this example; single DES is no longer considered secure, so prefer 3DES or AES where the peer supports it.) 12. Enter the key string 12345678 in the Pre-shared Key text box (an example value only; use a long random key in production) and click Apply.
  • Page 107 You can set up the IKE phase 1 and phase 2 parameters by pressing the Advanced button. Make sure that the parameters you set in this menu match all the parameters of the corresponding VPN rule at headquarters.
  • Page 108 To avoid such a situation, we need two separate rules to cover the LAN segments of branch office A and headquarters. This rule is for branch office B to access headquarters' LAN and Branch A's LAN.
  • Page 110 VPN rule at headquarters. 3. Set up VPN at Headquarters. 1. The corresponding rule for Branch_A at headquarters
  • Page 111 ZyWALL 5 Support Notes All contents copyright (c) 2006 ZyXEL Communications Corporation.
  • Page 112 ZyWALL 5 Support Notes 2. The correspondent rule for Branch_B All contents copyright (c) 2006 ZyXEL Communications Corporation.
  • Page 113 ZyWALL 5 Support Notes All contents copyright (c) 2006 ZyXEL Communications Corporation.
  • Page 114: Never Lost Your Vpn Connection (Ipsec High Availability)

    In addition, DDNS is updated to the secondary WAN connection. ZyWALL 2 Plus, as a redundant remote gateway, provides always-on Internet and VPN connectivity for network flexibility. You can configure an IP address or a domain name depending on the network deployment.
  • Page 115: How To Configure The Vpn Ha

    Enter the WAN IP address (220.123.23.7 in this example) of the ZyWALL in the My Address field. Enter the WAN address (61.79.95.3 in this example) of the remote VPN gateway in the Primary Remote Gateway IP Address field.
  • Page 116 IP Address field to set the system to automatically detect the IP address of the active WAN interface. Thus, if the primary WAN interface is down, the My Address field is the IP address of the secondary WAN interface.
  • Page 117: Access Control And Security Vpn Connection (Security Policy Enforcement Ipsec)

    ZyWALL can inspect a VPN packet before encryption or after decryption, that is, when it is sent to or received from the VPN tunnel. (Figure: IPSec Local Gateway, IPSec Tunnel and IPSec Remote Gateway, with the routing, check, encrypt and decrypt steps of a packet.)
  • Page 118: How To Configure Access Control Rule Over Vpn

    192.168.2.33 to access the local LAN subnet 192.168.1.0/24. The default VPN to LAN traffic is permitted, so we have to change the VPN to LAN access control rule in the rule summary sub-menu.
  • Page 119 Click the Insert button to insert a new rule. Edit the source and destination addresses as 192.168.2.33 and 192.168.1.0/255.255.255.0
  • Page 120 The service type is Any, to block all kinds of traffic from 192.168.2.33 to the LAN subnet, and Action for Matched Packets is Drop; then click Apply to save and activate the configuration.
  • Page 121 We can see that the new rule has been configured and is shown in the rule summary page. This achieves our goal of blocking all traffic from the VPN remote host 192.168.2.33 to the LAN subnet.
  • Page 122: How To Configure Security Policy (Av/Idp/As) Over Vpn

    ZyWALL scans the traffic from VPN to any destination. VPN to VPN traffic means that more than one tunnel is connected to one ZyWALL, and traffic that passes through one VPN tunnel into another VPN tunnel falls under the VPN to VPN traffic type.
  • Page 123 The configurable scan direction also applies to AntiVirus: ZyWALL can inspect packets either from VPN or to VPN as well. AntiSpam also has a matrix to configure the inspection direction. Thus, we can
  • Page 124: How To Configure Web Filtering Rule Over Vpn - Content Filter124

    Content filtering over VPN can only be enabled after the content filter global switch is enabled; otherwise the "enable content filter for VPN traffic" option is grayed out.
  • Page 125: Zywall Vs 3Rd Party Vpn Gateway

    Because the packets that go through the IPSec tunnel are encrypted. To set up this VPN tunnel, the required settings for ZyWALL and SonicWALL are explained in the following sections. As shown by the red pipe in the following figure, the tunneling endpoints are the ZyWALL router and the SonicWALL router.
  • Page 126 1. Using a web browser, log in to ZyWALL by entering the LAN IP address of ZyWALL in the URL field. The default LAN IP is 192.168.1.1; the default password to log in to the web configurator is 1234. 2. Go to SECURITY->VPN->Press Add button 3. Give a name for your policy, for example “ToSonicWALL”
  • Page 127 6. In Authentication Key, enter the key string 12345678 in the Pre-Shared Key text box. 7. Select Negotiation Mode to Main mode, Encryption Algorithm to DES, Authentication Algorithm to MD5, Key Group to DH1, and then press the Apply button on this page.
  • Page 128 8. You will see an IKE rule on your VPN page; press the L/R button to edit your IPSec rule. 9. Check the Active check box and give a name to this policy.
  • Page 129 12. On Remote Network, choose Subnet Address for your Address Type. Starting IP Address and Ending IP Address/Subnet are your remote site LAN IP addresses. In this example, you should type 192.168.168.0 in the Starting IP Address field and then 255.255.255.0 in the Ending IP Address/Subnet field.
  • Page 130 13. On IPSec Proposal, select Encapsulation Mode to Tunnel, Active Protocol to ESP, Encryption Algorithm to DES and Authentication Algorithm to SHA1, and then press the Apply button on this page. 14. When you have finished your settings, you will see the following page.
  • Page 131 Go to the VPN page, check the Enable VPN check box, and then press the Add button; this brings up a page where you can do your VPN settings. (Note: You could use the VPN Policy Wizard to set up your VPN rules as well.)
  • Page 132 4. Network IP Address and Subnet Mask are your remote site LAN IP addresses. In this example, you should type 192.168.1.0 in the Network text box and then 255.255.255.0 in the Subnet Mask text box, and then press the OK button.
  • Page 133 Encryption to DES and Authentication to MD5. On IPsec (Phase 2) proposal settings, select ESP Protocol, Encryption to DES and Authentication to SHA1. Then press the OK button on this page. 6. When you have finished your settings, you will see the following page.
  • Page 134: Netscreen With Zywall Vpn Tunneling

    Because the packets that go through the IPSec tunnel are encrypted. To set up this VPN tunnel, the required settings for ZyWALL and NetScreen are explained in the following sections. As shown by the red pipe in the following figure, the tunneling endpoints are the ZyWALL router and the NetScreen router.
  • Page 135 1. Using a web browser, log in to ZyWALL by entering the LAN IP address of ZyWALL in the URL field. 2. Go to SECURITY->VPN->Press Add button 3. Give a name for your policy, for example “ToNetScreen”
  • Page 136 6. In Authentication Key, enter the key string 12345678 in the Pre-Shared Key text box. 7. Select Negotiation Mode to Main mode, Encryption Algorithm to DES, Authentication Algorithm to MD5, Key Group to DH1, and then click the Apply button on this page.
  • Page 137 8. You will see an IKE rule on your VPN page; click the L/R button to edit your IPSec rule. 9. Check the Active check box and give a name to this policy.
  • Page 138 12. On Remote Network, choose Subnet Address for your Address Type. Starting IP Address and Ending IP Address/Subnet are your remote site LAN IP addresses. In this example, you should type 192.168.1.0 in the Starting IP Address field and then 255.255.255.0 in the Ending IP Address/Subnet field.
  • Page 139 13. On IPSec Proposal, select Encapsulation Mode to Tunnel, Active Protocol to ESP, Encryption Algorithm to DES and Authentication Algorithm to SHA1, and then press the Apply button on this page. 14. When you have finished your settings, you will see the following page.
  • Page 140 Click Network -> Interfaces; the trust IP/Netmask is used for LAN, the untrust IP/Netmask for WAN. Note: For these settings, refer to the NetScreen user guide for details.
  • Page 141 ZyWALL's WAN IP address. In this example, select the Static IP Address option and enter 172.22.3.89 in the text box. Enter the key string 12345678 in the Preshared Key text box, and then press the Advanced button to edit the advanced settings.
  • Page 142 Mode (Initiator). Then press the Return button, and press the OK button on the next page to save your settings. 7. When you have finished the settings, you will see an IKE rule on the page.
  • Page 143 10. On Security Level settings, choose the User Defined option, and choose the nopfs-esp-des-sha rule for Phase 2 Proposal. nopfs-esp-des-sha means no PFS, ESP protocol, DES as the encryption algorithm and SHA1 as the authentication algorithm.
  • Page 144 13. On your main page, click Policies to set up your policy rules. Choose From: Trust and To: Untrust (meaning from LAN to WAN), and then press the New button to edit your policy rules.
  • Page 145 16. Select Action to Tunnel, and select the ToZyWALLIPSecVPN rule. Check the Modify matching bidirectional VPN policy check box, which means that you create/modify the VPN policy for the opposite direction as well. Then press the OK button to save your settings.
  • Page 146 17. When you have finished the settings, you will see the policy rules on the page.
  • Page 147 18. Move your policy rules to the top, so that your device checks this rule first.
  • Page 148: Check Point With Zywall Vpn Tunneling

    ZyWALL and SonicWALL are explained in the following sections. As shown by the red pipe in the following figure, the tunneling endpoints are the ZyWALL router and a PC that runs Check Point software.
  • Page 149 1. Using a web browser, log in to ZyWALL by entering the LAN IP address of ZyWALL in the URL field. The default LAN IP is 192.168.1.1; the default password to log in to the web configurator is 1234. 2. Go to SECURITY->VPN->Press Add button 3. Give a name for your policy, for example “ToCheckPoint”
  • Page 150 6. In Authentication Key, enter the key string 12345678 in the Pre-Shared Key text box. 7. Select Negotiation Mode to Main mode, Encryption Algorithm to DES, Authentication Algorithm to MD5, Key Group to DH1, and then press the Apply button on this page.
  • Page 151 8. After you press the Apply button, you will see an IKE rule on this page; press the L/R button to edit your IPSec rule. 9. Check the Active check box and give a name to this policy. 10. On Gateway Policy Information, you should choose the ToCheckPoint IKE policy for your IPSec rule.
  • Page 152 Address/Subnet field. 13. On IPSec Proposal, select Encapsulation Mode to Tunnel, Active Protocol to ESP, Encryption Algorithm to DES and Authentication Algorithm to SHA1, and then press the Apply button on this page.
  • Page 153 14. After you press the Apply button, you will see the following page. 2. Setup CheckPoint VPN I. Setup Network Objects
  • Page 154 Host) 5. If your Check Point object is a Check Point Host, select the object, right-click it, and then choose Convert To Gateway to change its settings.
  • Page 155 6. On General Properties, the IP Address field is the WAN IP of your PC. In this example, you should type the IP address 172.22.2.58 in the text box. On Check Point Products settings, check the VPN check box here.
  • Page 156 7. On Topology settings, you should see two interfaces with IP settings here if your PC has two network cards.
  • Page 157 9. Select the 192.168.2.0 interface, and press the Edit button to check its settings. Click the Topology screen, choose Internal (leads to the local network) and Network defined by the interface IP and Net Mask for the interface, then press the OK button to save the settings.
  • Page 158 II. Setup Interoperable Device 10. On the main menu, click Manage -> Network Objects.
  • Page 159 11. You will see the network objects window; press the New button and select Interoperable Device.
  • Page 160 12. On General Properties settings, give a name and an IP address for the Interoperable Device. In this example, the IP address is ZyWALL’s WAN IP address. 13. On Topology settings, press the Add button to add a new interface.
  • Page 161 ZyWALL’s WAN port settings. 15. Click the Topology screen, and choose External (leads out to the internet) for the interface. Then press the OK button to save the settings. 16. Press the Add button to add another interface.
  • Page 162 18. Click the Topology screen, choose Internal (leads to the local network) and Network defined by the interface IP and Net Mask for the interface, then press the OK button to save the settings.
  • Page 163 19. Press the OK button to save the settings.
  • Page 164 III. Setup Networks
  • Page 165 20. Select the Networks object, right-click it, and choose New Network. 21. Give a name for your network policy, and set the network IP address to 192.168.1.0/24. Then press the OK button to save the settings.
  • Page 166 22. Add another network policy in the same way, and set the network IP address to 192.168.2.0/24. Then press the OK button to save the settings. IV. Setup VPN Communities 23. Click the VPN communities tab to do the settings. 24. On VPN communities, click New -> Site To Site -> Star
  • Page 167 25. On General settings, give a name for your VPN community, for example CheckPoint_ZyWALL. 26. On Center Gateways settings, press the Add button to add a center gateway.
  • Page 168 27. If you have completed the previous settings, you should see a central gateway here. Select the gateway, and then press the OK button. 28. On Satellite Gateways settings, press the Add button to add a remote gateway.
  • Page 169 29. If you have completed the previous settings, you should see a remote gateway here. Select the gateway, and then press the OK button.
  • Page 170 30. On VPN Properties settings, select Encryption Algorithm to DES and Authentication Algorithm to MD5 for phase 1, and select Encryption Algorithm to DES and Authentication Algorithm to SHA1 for phase 2. 31. On Tunnel Management, leave the default settings.
  • Page 171 32. On VPN routing settings, choose the option To center, or through the center to other satellites, to internet and other VPN targets. 33. On Shared Secret settings, choose the ToZyWALL option, and press the Edit button
  • Page 172 34. Enter the secret key in the text box, and then press the OK button. 35. On Advanced VPN Properties settings, choose Group 1 for the Diffie-Hellman settings.
  • Page 173 36. Press the OK button to save your settings.
  • Page 174 37. After you press the OK button, you should see a new object here. IV. Setup Security 38. Click the Security tab on the right side to do the security settings.
  • Page 175 39. Press the Add button to add a rule. 40. On the default rule, select the source field, right-click it, and then choose the Add… option to add your network objects.
  • Page 176 42. In the same way, add another network object (Net_192.168.2.0) to the source field. 43. On the destination field, use the same way to add your network objects: Net_192.168.1.0 and Net_192.168.2.0.
  • Page 177 45. On VPN Match Conditions, choose the option Only connections encrypted in specific VPN Communities, and press the Add button to add a community to your rule. 46. Choose the CheckPoint_ZyWALL object for your rule, and press the OK button.
  • Page 178 47. Click the OK button to save your settings. 48. On the action field, right-click and choose the accept option for your rule.
  • Page 179 49. On the track field, right-click and choose the Log option for your rule. 50. When you have finished the settings, you should see a rule as below.
  • Page 180 51. Press the Add button to add another rule that drops packets that do not match your VPN rule. V. Install Policy 52. On your main menu, click the Policy -> Install.. option to install your policy. 53. Select your policy rule, and press the OK button to install the policy.
  • Page 181 54. Wait a few seconds for the installation.
  • Page 182 55. If the policy is installed successfully, your VPN tunnel should work normally with your ZyWALL.
  • Page 183: Fortinet With Zywall Vpn Tunneling

    Because the packets that go through the IPSec tunnel are encrypted. To set up this VPN tunnel, the required settings for ZyWALL and FortiNet are explained in the following sections. As shown by the red pipe in the following figure, the tunneling endpoints are the ZyWALL router and the FortiNet router.
  • Page 184 3. Give a name for your policy, for example “ToFortiNet” 4. My IP Addr is the WAN IP of ZyWALL. In this example, you should type the IP address 172.22.1.147 in the My ZyWALL text box.
  • Page 185 6. In Authentication Key, enter the key string 12345678 in the Pre-Shared Key text box. 7. Select Negotiation Mode to Main mode, Encryption Algorithm to DES, Authentication Algorithm to MD5, Key Group to DH1, and then click the Apply button on this page.
  • Page 186 8. After you press the Apply button, you will see an IKE rule on this page; click the L/R button to edit your IPSec rule. 9. Check the Active check box and give a name to this policy.
  • Page 187 12. On Remote Network, choose Subnet Address for your Address Type. Starting IP Address and Ending IP Address/Subnet are your remote site LAN IP addresses. In this example, you should type 192.168.1.0 in the Starting IP Address field and then 255.255.255.0 in the Ending IP Address/Subnet field.
  • Page 188 13. On IPSec Proposal, select Encapsulation Mode to Tunnel, Active Protocol to ESP, Encryption Algorithm to DES and Authentication Algorithm to SHA1, and then press the Apply button on this page. 14. After you press the Apply button, you will see the following page.
  • Page 189 ZyWALL's WAN IP address. In this example, select the Static IP Address option and enter 172.22.1.147 in the text box. Choose Main mode, and also enter the key string 12345678 in the Preshared Key text box. Then press the Advanced button to edit the advanced settings.
  • Page 190 4. On P1 proposal settings, select Encryption to DES, Authentication to MD5, and DH Group to Group1. Then press the “-” button to delete the second P1 proposal rule. 5. Uncheck the Nat-traversal check box, and then press the OK button to save the settings.
  • Page 191 IPSec rules. 8. Give a name for your VPN, for example “ToZyWALL IPSec”, and choose the ToZyWALL policy rule for your Remote Gateway. Then press the Advanced button to edit the advanced settings.
  • Page 192 9. On P2 Proposal settings, select Encryption to DES and Authentication to SHA1, and press the “-” button to delete the second P2 proposal rule. 10. Uncheck the Enable perfect forward secrecy (PFS) check box, and then press the OK button to save the settings.
  • Page 193 11. After you press the OK button, you will see your IPSec rule (Phase 2) on this page. 12. On the main page, click Firewall -> Address, and then press the Create New button to edit your address rules.
  • Page 194 192.168.2.0/24 IP Range/Subnet for the ZyWALL network. Then press the OK button to save your settings. 16. After you have finished the settings, you should see two address rules on this page.
  • Page 195 ZyWALL network rule for your destination address rules. 20. On Action settings, choose the ENCRYPT option, and choose the ToZyWALL IPSec rule for your VPN Tunnel. Then press the OK button to save your settings.
  • Page 196 22. Click VPN -> IPSec -> Monitor; this page displays a table that lists all the VPN rules configured on the FortiNet device. You can check the link states here to know whether your VPN tunnel is up or down.
  • Page 197: Remote Access Vpn Scenario

    0.0.0.0 or domain name. If “0.0.0.0” is used as the Remote Gateway Address, ZyWALL accepts attempts from any IP address and authenticates the remote VPN device with a pre-shared key or certificate. If the remote entity passes authentication, ZyWALL and remote
  • Page 198: Using Xauth For User Authentication

    IKE authentication. Since remote users may use the same pre-shared key for device authentication, there may be a problem once the key is compromised. Otherwise, an extra authentication would be more.
  • Page 199 Policy”. Select “Server Mode” on the VPN concentrator. There are two kinds of user identification (username/password) databases that can be used for authentication: Local_User & RADIUS. (Note that Local_User is checked first, then RADIUS, if both exist.)
  • Page 200: Zyxel Vpn Client To Zywall Tunneling

    As the figure below shows, the tunnel between PC 2 and ZyWALL ensures that the packets flowing between them are secure, because the packets that go through the IPSec tunnel are encrypted. To set up this VPN tunnel, the required settings for the software and ZyWALL are explained in the following sections.
  • Page 201 202.132.171.33 WAN: 202.132.170.1 1. Setup ZyWALL VPN Client 1. Open the ZyWALL VPN Client Security Policy Editor 2. Add a new connection named 'ZyWALL' as shown below. 3. Select Connection Security to Secure
  • Page 202 4. In the ID Type option, choose the IP Address option, and enter the IP address of the remote PC (PC 2 in this case). 5. Check Connect using Secure Gateway Tunnel; also select IP Address as ID Type, and enter ZyWALL's WAN IP address in the following field.
  • Page 203 7. Click My Identity, then click the Pre-Shared Key icon on the right side of the window. 8. In the pop-up window, enter a key that you will later also need to configure in ZyWALL. In this example, we enter 12345678. See below.
  • Page 204 Security Policy Settings:
  • Page 205 10. Expand the Security Policy icon; you will see two icons, Authentication (Phase 1) and Key Exchange (Phase 2). 11. The settings shown in the following two figures for both phases are our examples. You can choose any, but they must match whatever you enter in ZyWALL.
  • Page 207 11. Select Encryption Algorithm to DES and Authentication Algorithm to SHA1, as configured in the ZyWALL VPN Client. 12. Enter the key string 12345678 in the Pre-shared Key text box, and click Apply.
  • Page 208 See the VPN rule screenshot. You can further adjust IKE Phase 1/Phase 2 parameters by pressing the Advanced button.
  • Page 209: Flexible Wireless Connection And Security

    LAN or DMZ. Thus, a separate security policy can be applied to the WLAN interface to fulfill the security requirement. We use the ZyWALL 5 UTM as an example to show how to control wireless user traffic.
  • Page 210: Deploy The Zywall Wlan Security Policy

    Switch to NETWORK > WLAN, set up the WLAN interface IP address and configure it as a DHCP server. Thus the PC associated with the AP will be assigned an IP address by ZyWALL. Click Apply to save the setting.
  • Page 211 DHCP. Select WLAN as the selected interface and configure the DNS server IP address correctly. The WLAN host can’t resolve domain names to IP addresses if the DNS server is misconfigured on this page.
  • Page 212 LAN, DMZ, WLAN and VPN interfaces. ZyWALL can also set up access control rules granularly according to the WLAN host (IP address) or packet service type (protocol types and ports). Switch to the Rule Summary page and
  • Page 213 There is a traffic direction matrix available in the IDP/AV and AS General configuration page. Use the check boxes to decide whether traffic from WLAN or to WLAN needs to be inspected by the scan engine.
  • Page 214: Threat Management

    IT resources, reduced productivity, data theft, business disruption and even financial loss in a Small and Medium Business networking environment. ZyWALL 5/35/70 UTM is engineered to deliver comprehensive protection against Internet threats in an effortless manner.
  • Page 215: To Protect Computer Networks Against Virus Intrusions And Attacks From Internet

    From the Internet, public users may need to access the servers in the DMZ. In addition to the basic access control lists deployed on ZyWALL 5 UTM, IT staff must have an additional application layer of protection. It should inspect traffic from/to these network segments to ensure that malicious activities do not take place.
  • Page 216 AV/IDP service in ZyWALL 5 UTM, it is mandatory to have a ZyWALL Turbo Card inserted in the Expansion Card Slot at the back of your ZyWALL 5 UTM. This Turbo Card guarantees that your ZyWALL 5 UTM can deliver its best performance.
  • Page 217 ZyWALL 5 UTM. In addition, the ZyWALL 5 UTM has a stream-based AV scan engine that scans all traffic as it passes through ZyWALL. This stream-based AV scan engine can precisely detect viruses/worms and then destroy the infected files before they reach intranet hosts.
  • Page 218 6. Click on the Apply button to save the settings. TIPS: Remember to make sure the AV signatures are up to date so that the ZyWALL 5 UTM AV engine stays in the best status. (The update can be done manually or automatically.)
  • Page 219 In order to protect servers (WEB/Mail/FTP/etc.) located on the DMZ of ZyWALL 5 UTM, the user can enable the IDP service on ZyWALL 5 UTM to inspect inbound traffic to these servers. A ZyWALL 5 UTM with the IDP service enabled can effectively stop hackers from intruding into these servers and also stop DoS & DDoS attacks from paralyzing the network.
  • Page 220 TIPS: The IDP/AV scan/detection engine bypasses IPSec VPN traffic, because IPSec VPN traffic is protected in a secure tunnel. IDP/AV services are not able to scan/detect any files or packets that are protected by either a password or a secure tunnel.
  • Page 221: To Control Im/P2P Applications Usage To Increase Employee Productivity

    AV/IDP service in ZyWALL 5 UTM, it is mandatory to have a ZyWALL Turbo Card inserted in the Expansion Card Slot at the back of your ZyWALL 5 UTM. This Turbo Card will guarantee your ZyWALL 5 UTM can deliver its best performance.
  • Page 222 2. To set up policies for IM applications, say MSN, use “Signature search” “By Name” with the “MSN” keyword to query all signatures related to MSN; a list of matching signatures is returned.
  • Page 223 Select Drop Packet in the Action field of all the MSN-related signatures. 1.2.1.2 Block MSN (Chat only, no File transfer) Select Drop Packet in the Action field of the MSN file-transfer-related signatures and leave the other signatures at No Action.
  • Page 224 1. In IDP->Signature, click on Switch to query view to search for the specified signatures and configure them as needed. 2. To set up policies for P2P applications, say eDonkey, use the “eDonkey” keyword to query all signatures related to eDonkey; a list of matching signatures is returned.
  • Page 225 1.2.2.1 IDP signature update To keep the ZyWALL 5 UTM IDP engine in its best state, make sure the IDP signatures are up to date (the update can be done manually or automatically).
  • Page 226: To Filter Non-Work-Related and Unproductive Web Surfing to Mitigate Spyware and Phishing Threats

    Also, non-business web surfing such as sports, financial and gambling web sites should be prevented to increase company productivity. With the ZyWALL 35 UTM Content Filter service, the network administrator can effectively allow or prevent network users from viewing different categories of web sites.
  • Page 227 As mentioned earlier, pornography websites are known to contain spyware and Trojans, thus it is recommended to use the ZyWALL 5 UTM to prevent users from accessing these types of websites. Below is an example that illustrates how to configure the ZyWALL for this purpose. 1.1 CF License Activation...
  • Page 228 1.3 Demonstrate Content Filtering by an example: When a browser is used to visit a nudity website, for example www.nudistweb.net, the request is blocked and redirected to www.zyxel.com with a “(Website Blocking)” message displayed.
  • Page 229 With the combination of the CF and AS services in the ZyWALL 5 UTM, the network administrator can dramatically lower the chance of company network users receiving phishing emails and also prevent users from accessing known phishing websites.
  • Page 230 Enter the untrusted web site in the Forbidden Web Site list. (The forbidden list is similar to a black list.) 2.2.3 Demonstrate “Customization” Content filtering by an example: When a browser is used to visit “www.phishbank.com”, the attempt is blocked (because “www.
  • Page 231 In Action taken when mail sessions threshold reached, select Forward to bypass AS inspection when the number of concurrent mail sessions exceeds 15. TIPS: the AS engine supports a maximum of 15 concurrent mail sessions. Click on the Apply button to save the settings.
  • Page 232 IT staff to judge whether the POP3/SMTP mails are phishing mails or not. TIPS: To activate the “External DB” option, the ANTI-SPAM service must be registered first.
  • Page 233 What does a PHISHING mail look like when it is received? 2.3.1 According to the above settings, if a user behind the ZyWALL 5 UTM LAN zone receives a POP3 mail that is treated as phishing, the mail will be tagged with “[PHISHING]” in the original mail subject (“Bank”...
  • Page 234 FILTER -> Categories page, select the category check boxes to specify the types of content to be filtered when a website containing these categories of content is accessed. In the figure below, “Sports/Recreation/Hobbies” and “Financial Services” are selected.
  • Page 235 Demonstrate Content Filtering by an example: When a browser is used to visit a sports website, for example www.nba.com, the request is blocked and redirected to www.zyxel.com with a “(Website Blocking)” message displayed.
  • Page 236: To Eliminate Spam Mails to Block Unwanted Messages Every Day

    Thus, for productivity, spam emails should be managed. Activating the ZyWALL 5 UTM AS service filters spam e-mail. TIPS: the AS engine does not support IMAP4; only SMTP (TCP port 25) and POP3 (TCP port 110) are supported.
  • Page 237 4. Click on Apply to save the settings. TIPS: For the SMTP protocol, the AS engine supports “Discard” or “Forward” with the specified tag text, but for the POP3 protocol only “Forward” is supported.
  • Page 238 IT staff to judge whether the POP3/SMTP mails are spam mails or not. TIPS: To activate the “External DB” option, the ANTI-SPAM service license must be activated. 2. Protect Self-hosted Mail Servers (SMTP)
  • Page 239 4. Click on Apply to save the settings. TIPS: For the SMTP protocol, the AS engine supports “Discard” or “Forward” with the specified tag text, but for the POP3 protocol only “Forward” is supported.
  • Page 240 Customize the Anti-Spam policies by using the black list to apply the policies and the white list to bypass them. The lists are added in ANTI-SPAM -> List; after adding the specified lists, click on the Apply button to save the settings.
  • Page 241: Threat Reports

    What does a SPAM mail look like when it is received? According to the above situations, if a user behind the ZyWALL 5 UTM LAN zone receives a POP3 mail that is spam, the mail will be tagged with “!!!SPAM!!!” in the original mail subject (“Hello” is the original subject) and the new subject will look like “!!!SPAM!!!Hello”...
  • Page 242 The IDP reports are categorized by Top entry: Signature name, Source and Destination. These reports help the administrator identify and control the most dangerous sources and the most affected victims in real time.
  • Page 243 The Anti-Virus reports are categorized by Top entry: Virus name, Source and Destination. These reports help the administrator identify and control the most dangerous sources and the most affected victims in real time.
  • Page 244 Source. These reports help the administrator identify and control the most dangerous sources; the administrator may report them to a spam analysis organization or block the source with a firewall rule straight away.
  • Page 245 ZyWALL 5 Support Notes The Anti-Spam report also has a Score Distribution map, which helps the administrator set a useful Spam Threshold so that spam tagging better suits the local environment.
  • Page 246: Centralized Management

    ZyWALLs through Vantage CNM, the user needs to prepare a Vantage CNM server and third-party FTP/Syslog/Telnet servers. For the detailed installation and registration process (to myZyXEL.com), please refer to the Vantage CNM Support Note.
  • Page 247 (imported) to Vantage CNM through XML files. For detailed operation, please refer to the Vantage CNM Support Note. Please check CNM Reference Guide for XML description files.pdf for a detailed description. Add device manually Step 1. Left-click on the folder (e.g. AAA) and go to Device>>Registration.
  • Page 248 2. device name 3. device's LAN MAC address The XML file can be used for mass deployment. The user can assign a device owner or leave it to the owner of folder AAA.
  • Page 249 Vantage CNM Server Address in the field. If Encryption Algorithm is enabled, you must select the same algorithm and secret key on both the device and Vantage CNM. In the following case, the Encryption Algorithm is disabled.
  • Page 250 Vantage CNM. On Vantage CNM, the device icon will turn green, the device status will change to “On” and the WAN IP of the device will be shown on the content screen.
  • Page 251: A. Product FAQ

    PPP dialer such as the 'Dial-Up Networking' user interface. PPPoE supports a broad range of existing applications and services including authentication, accounting, secure access and configuration management.
  • Page 252: A05. Does the ZyWALL Support PPPoE?

    IP from the ISP; instead, it can be recognized or pinged by another real IP on the Internet. The ZyWALL Internet Access Sharing Router works like an intelligent router that routes between the virtual IP and the real IP.
  • Page 253: A12. How Does E-Mail Work Through the ZyWALL?

    The coverage range is typically 50m~80m indoors and 150m~300m outdoors. The actual range may vary depending on the environment, such as obstacles and walls and RF interference. A17. How do I use the reset button, and moreover which parameter fields will be reset by
  • Page 254: A20. Can the ZyWALL Support TFTP over WAN?

    Currently, there are various ways that ISPs control their users. That is, the WAN IP is provided only when the user is verified as an authorized user. ISPs currently use three ways: 1. Check if the 'MAC address' is valid 2. Check if the 'Host Name' is valid, e.g., @home
  • Page 255: A23. What Is BOOTP/DHCP?

    When the ISP assigns the ZyWALL a new IP, the ZyWALL updates this IP to the DDNS server so that the server can update its IP-to-DNS entry. Once the IP-to-DNS table in the DDNS server is updated, the DNS
  • Page 256: A25. When Do I Need DDNS Service?

    For outgoing IPSec tunnels, no extra setting is required. For forwarding the inbound IPSec ESP tunnel, a 'Default' server set in menu 15 is required. This is because NAT makes your LAN appear as a single machine to
  • Page 257: A31. What Is STP (Spanning Tree Protocol)/RSTP (Rapid STP)?

    Armed with the UTM appliance, IT staff can manage emerging threats from the Internet with lower TCO and reduced management overhead. A34. What are the differences between ZyWALL UTM models and previous ZyWALL
  • Page 258: A35. What Are the Key New Features of ZyWALL UTM?

    B01. Which ZyWALL models are eligible to be upgraded to run ZyNOS v4.01? 1. ZyWALL 5, ZyWALL 35 and ZyWALL 70 can be upgraded to run ZyNOS v4.01. 2. However, for ZyWALL 70, the upgrade to v4.00 and above is conditional. Details are available in the next few questions.
  • Page 259: B04. What Happens If I Wrongfully Upgrade the Firmware of a ZyWALL 70 with Only 32MB of RAM to ZyNOS v4.01 Directly?

    B04. What happens if I wrongfully upgrade the firmware of a ZyWALL 70 with only 32MB of RAM to ZyNOS v4.01 directly? Because of the built-in protection mechanism, the upgrade will fail and you will receive an error message saying the device is not supported.
  • Page 260: B05. What Happens If I Upgrade a ZyWALL 70 Running ZyNOS v3.62/3.63/3.64 to v4.01 Directly?

    You can keep using the Content Filtering feature on your new ZyWALL 70 UTM until the end of your current CF license period. B08. What’s the firmware upgrade path for my current ZyWALL 5 and ZyWALL 35? For ZyWALL 5 running ZyNOS v3.62/v3.64 and ZyWALL 35 running ZyNOS v3.62/v3.63/v3.64, you can upgrade the firmware to ZyNOS v4.00 and above directly.
  • Page 261: Successful Firmware Upgrade to ZyNOS v4

    Always back up your current ROM file prior to any firmware operation. B12. Can I downgrade a ZyWALL 5 or ZyWALL 35 running ZyNOS v4.01 back to ZyNOS v3.64 (or below)? Yes, downgrade is supported.
  • Page 262: C02. Apart from the ZyWALL Turbo Card Being a Must When Using the AV+IDP Service, What Exactly Do I Gain from It?

    No, you can NOT insert both a ZyWALL Turbo Card and a wireless card into the ZyWALL device, since there is only one expansion slot available on the ZyWALL 5, ZyWALL 35 or ZyWALL 70. C02. Apart from the ZyWALL Turbo Card being a must when using the AV+IDP service, what exactly do I gain from it? With the ZyWALL Turbo Card inserted, customers can enjoy ZyXEL’s unique SecuASIC technology which...
  • Page 263: D03. What Are the Basic Types of Firewalls?

    3. The ZyWALL's firewall uses session filtering, i.e., smart rules that enhance the filtering process and control the network session rather than individual packets in a session.
  • Page 264: D05. Why Do You Need a Firewall When Your Router Has Packet Filtering and NAT Built-In?

    The Teardrop program creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination, some systems will crash, hang, or reboot.
  • Page 265: D09. What Is a SYN Flood Attack?

    There are two default ACLs pre-configured in the ZyWALL: one allows all connections from LAN to WAN and the other blocks all connections from WAN to LAN except for DHCP packets.
  • Page 266: D14. In the ZyWALL, Is the DMZ Behind NAT or Not?

    ZyWALL. In such a case, the network topology is the most important issue. Here is a common example of people mis-deploying LAN traffic redirect and static routes.
  • Page 267 (A) Deploying your second gateway in the IP alias segment is the better solution. In this way, your connections are always under the control of the firewall, and thus there won't be a Triangle Route problem. (B) Deploying your second gateway on the WAN side.
  • Page 268: D17. How Can I Protect Against IP Spoofing Attacks?

    Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask: For the output data filters: • Deny bounce-back packets • Allow packets that originate from us Filter rule setup: • Filter Type = TCP/IP Filter Rule • Active = Yes
  • Page 269: E. Security Service Licenses FAQ

    ZyNOS v4.01? V4.01 is a major new release of ZyNOS and it includes the following security services which require license purchase and activation: 1. Anti-Virus + IDP security service 2. Anti-Spam security service
  • Page 270: E07. If I Violate the Mappings Described Above, for Example Using a Silver iCard for a ZyWALL 35 or ZyWALL 70, What Will Happen?

    Yes, you can try the Content Filtering service for free. The free trial period is 30 days and is available to ZyWALL 2, ZyWALL 5, ZyWALL 35, ZyWALL 70, ZyWALL 5 UTM, ZyWALL 35 UTM and ZyWALL 70 UTM owners.
  • Page 271: E10. Does ZyXEL Provide Customers a Free Trial for the Anti-Spam Service? How Long Is It?

    ZyWALL security services. Instead of registering each ZyWALL product individually, with myZyXEL.com you have a single user profile where you can manage all your product registrations and service activations.
  • Page 272: Launch of ZyNOS v4.00? Which ZyWALL Models Can Be Registered via myZyXEL.com?

    F05. If I am new to myZyXEL.com, what are the required fields when I register my ZyWALL device on myZyXEL.com? The required fields include: user name, password, a valid email address and country.
  • Page 273: Registered User on myZyXEL.com

    F09. Who maintains mySecurityZone and the Update Server? They are maintained by the ZyXEL Security Response Team (ZSRT), which manages backend support from the moment an outbreak happens through attack sample collection, analysis and output as policy, and finally
  • Page 274: F10. What's the URL for These Service Portals?

    G03. Can I subscribe to the Anti-Virus service alone or the IDP service alone? No. Because the Anti-Virus and IDP services are bundled together, you cannot subscribe to either of them alone.
  • Page 275: Service

    G04. What are the hardware requirements to run AV+IDP security service? 1. For ZyWALL 5 UTM, ZyWALL 35 UTM or ZyWALL 70 UTM owners, you don’t have to acquire additional hardware accessories to activate the AV+IDP security service because the ZyWALL Turbo Card is already inside the package.
  • Page 276: H01. Why Does ZyWALL Bundle the Anti-Virus and IDP Features Together?

    H03. What are the hardware requirements to run AV+IDP security service? 1. For ZyWALL 5 UTM, ZyWALL 35 UTM or ZyWALL 70 UTM owners, you don’t have to acquire additional hardware accessories to activate the AV+IDP security service because the ZyWALL Turbo Card is already inside the package.
  • Page 277: H06. How Do I Keep the Signatures of the AV+IDP Service Updated?

    3. Outlook’s AS filter is updated monthly with Windows Update, while ZyWALL’s AS is updated in real time. Furthermore, ZyWALL’s Anti-Spam feature is complementary to client-based Anti-Spam filters. I02. A customer already has her/his own Exchange server including the Anti-Spam
  • Page 278: Her/Him to Use ZyXEL's Anti-Spam Service in Addition to the Current Solution

    1. There are two actions the ZyWALL can take against identified spam emails: block or tag. 2. Pros and Cons If you choose to block them, then you have no control over false positives.
  • Page 279: I08. How Do I Keep the Signatures of the Anti-Spam Service Updated?

    10 seconds (by default), the ZyXEL appliance will block (by default) the HTTP response to the PC. If the query response arrives, the ZyXEL appliance will drop or forward the request according to
  • Page 280: J02. How Many Entries Can the Cache of Web Site Auto Categorization Keep at Most?

    J08. What types of content filter does ZyWALL provide? ZyWALL supports three types of content filtering. • Restrict Web Data including ActiveX, Java Applet, Cookie, Web proxy • URL keywords blocking • BlueCoat filter list
  • Page 281: J09. What Are the Primary Features of ZyXEL Content Filtering?

    J12. How many policies can I create? Two. One is for all users, the other is the exempting zone. With the exempting zone, you can define a specific range of IP addresses that are exempt from the policy for all users.
  • Page 282: J13. Can I Create My Own Categories?

    BlueCoat continuously updates the ratings database, but BlueCoat's outsourced model does not require customers to update a local database. Unlike other Internet content filtering solutions, BlueCoat's outsourced solution does not require clients to
  • Page 283: J20. How Do I Locate Sites to Block?

    When you find that a web site is not categorized as you expect, you can report it to either support@zyxel.com.tw or BlueCoat Site Submissions. J23. How many and what categories do you provide? ZyXEL Content Filtering provides 52 categories.
  • Page 284 · Education · Email · Financial Services · For Kids · Games · Gay & Lesbian · Government/Legal · Health · Humor/Jokes · Job Search/Careers · Military · News & Media · Newsgroups
  • Page 285: J24. How Does ZyXEL Content Filtering Handle Dynamically Generated Sites?

    J27. How can I get a Content Filtering report? You can get a content filtering report by clicking the Register button in the ZyXEL appliance's WEB GUI; you will then be redirected to the http://myZyXEL.com web server. By clicking Content Filtering
  • Page 286: J28. Can I Change the Password for the BlueCoat Service?

    2. If your ZyWALL is using a Static (or Fixed) WAN IP address, please make sure that you have configured the DNS server's IP address for the device in "System->General->System DNS Servers" or "Maintenance->General->System DNS Server".
  • Page 287: K. IPSec FAQ

    ZyWALL counts the Network policies as VPN tunnels. In the following example, two network policies, Network_1 and Network_2, are mapped to the same gateway policy, Gateway_1. In this case, they are counted as two VPN tunnels.
  • Page 288: K03. What Is a VPN?

    Because users typically dial their local ISP for VPN, the long-distance phone charge is lower than for a direct long-distance connection to the remote office. 2) Reducing the number of access lines
  • Page 289: K05. What Are the Most Common VPN Protocols?

    The IPSec protocols (AH and ESP) can be used to protect either an entire IP payload or only the upper-layer protocols of an IP payload. Transport mode is mainly for an IP host to protect the data
  • Page 290: K10. What Is a Pre-Shared Key?

    However, in some applications the remote VPN box or client software uses an IP address dynamically assigned by the ISP, so the ZyWALL needs additional information
  • Page 291: K12. What Are Local ID and Peer ID?

    By upgrading the firmware and the configuration (romfile) to ZyNOS V3.50, the IPSec VPN capability is ready in your ZyWALL. You can then configure VPN via the web configurator. Please download the firmware from our web site.
  • Page 292: K14. How Do I Configure ZyWALL VPN?

    Source IP/Destination IP -- Please do not number the LANs (local and remote) using the exact same range of private IP addresses. This will make the VPN destination addresses and the local LAN addresses
  • Page 293: K19. Does ZyWALL Support Dynamic Secure Gateway IP?

    We have tested ZyWALL successfully with the following third-party VPN software: SafeNet Soft-PK, 3DES edition; Checkpoint Software; SSH Sentinel 1.4; SecGo IPSec for Windows; F-Secure IPSec for Windows; KAME IPSec for UNIX; Nortel IPSec for UNIX.
  • Page 294: K22. Will ZyXEL Support Secure Remote Management?

    However, if both NAT and IPSec are enabled in the ZyWALL, editing the table is necessary only if the connection is a non-secure connection. For secure connections, no NAT server settings are required, since the private IP is reachable in the VPN case. For example: host----ZyWALL(NAT)----ADSL Modem----Internet----Secure host Non-secure host
  • Page 295: Need to Know

    IP is used. For example: host----ZyWALL----NAT Router----Internet----Secure host Non-secure host K27. Where can I configure the Phase 1 ID in the ZyWALL? The Phase 1 ID can be configured in the VPN setup menu as follows.
  • Page 296: K28. How Can I Keep a Tunnel Alive?

    Anti-Spam feature in ZyWALL ZyNOS v4.0? No, VPN traffic is not inspected or scanned by the Anti-Virus, IDP and Anti-Spam modules. However, we intend to support this feature in forthcoming ZyNOS firmware.
  • Page 297: L01. Basic Cryptography Concepts

    L03. What are the security services PKI provides? PKI brings to the electronic world the security and confidentiality features provided by the physical
  • Page 298: L04. What Are the Main Elements of a PKI?

    The issuing Certification Authority's distinguished name; the user's public key; the validity period; the certificate's serial number. The issuing Certification Authority's digital signature is for verifying the information in the digital certificate.
  • Page 299: L09. How Does a PKI Ensure Data Confidentiality?

    Because Alice keeps her private key secret, Bob can be assured that, even if his message were to be intercepted, only Alice can read it.
  • Page 300: L10. What Is a Digital Signature?

    The best thing about all these encryption, decryption, verifying and authenticating processes is that special software does them all transparently, so that Bob and Alice receive the assurances they need without having to engage in the computations themselves.
  • Page 301: L12. Does ZyXEL Provide a CA Service?

    L14. How can I have a self-signed certificate for a ZyXEL appliance? Each ZyXEL appliance provides a self-signed certificate along with the default configuration file. You can check the content of the self-signed certificate in the WEB GUI.
  • Page 302: L15. Can I Create Self-Signed Certificates in Addition to the Default One?

    No, you can't reuse them. Each certificate stored in My Certificates has a corresponding private key. When you erase the configuration, the corresponding private keys are also deleted, so you can't reuse the certificates by importing them afterward. M. Dual WAN Auto Fail-over/Fail-back and Load Balance FAQ
  • Page 303: M01. How Do ZyWALLs Dispatch Outgoing Sessions to Different WAN Connections?

    The number of classes and the max depth of a class supported by ZyWALL’s Bandwidth Management are model specific. (1) Max depth of a class: ZyWALL 70: 5; ZyWALL 35: 3; ZyWALL 5: 1. (2) Number of classes: ZyWALL 70: 100; ZyWALL 35: 50; ZyWALL 5: 20.
  • Page 304: O. Wireless FAQ

    O01. Which wireless cards does it support in ZyWALL 5/35/70? (ZW1000 doesn’t support the wireless function.) The following table illustrates which wireless cards are supported by the ZyWALL. For example: B-120/G-100/G-110 are supported on the ZW70 since firmware 3.63 and later.
  • Page 305 If "802.1x+ Dynamic WEP" is selected, an external RADIUS server must be used for authentication.