ZyXEL Communications ADSL 2+ Security Gateway User Manual Download Page 411 | Manualshive

Page: 411 / 686

background image

ZyWALL 2 Plus User’s Guide

411

C

H A P T E R

24

ALG Screen

This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to
pass through the ZyWALL.

24.1 ALG Introduction

An Application Layer Gateway (ALG) manages a specific protocol (such as SIP, H.323 or
FTP) at the application layer. The ZyWALL can function as an ALG to allow certain NAT un-
friendly applications (such as SIP) to operate properly through the ZyWALL.
Some applications cannot operate through NAT (are NAT un-friendly) because they embed IP
addresses and port numbers in their packets’ data payload. The ZyWALL examines and uses
IP address and port number information embedded in the data stream. When a device behind
the ZyWALL uses an application for which the ZyWALL has ALG service enabled, the
ZyWALL translates the device’s private IP address inside the data stream to a public IP
address. It also records session port numbers and dynamically creates implicit NAT port
forwarding and firewall rules for the application’s traffic to come in from the WAN to the
LAN.

24.1.1 ALG and NAT

The ZyWALL dynamically creates an implicit NAT session for the application’s traffic from
the WAN to the LAN.
The ALG on the ZyWALL supports all NAT mapping types, including

One to One

,

Many to

One

,

Many to Many Overload

and

Many One to One

.

24.1.2 ALG and the Firewall

The ZyWALL uses the dynamic port that the session uses for data transfer in creating an
implicit temporary firewall rule for the session’s traffic. The firewall rule only allows the
session’s traffic to go through in the direction that the ZyWALL determines from its
inspection of the data payload of the application’s packets. The firewall rule is automatically
deleted after the application’s traffic has gone through.

«
...
409
410
411
412
413
...
»

Summary of Contents for ADSL 2+ Security Gateway

Page 1: ...www zyxel com ZyWALL 2 Plus Internet Security Appliance User s Guide Version 4 03 12 2007 Edition 1 ...

Page 2: ......

Page 3: ...nternet access Web Configurator Online Help Embedded web help for descriptions of individual screens and supplementary information It is recommended you use the web configurator to configure the ZyWALL Supporting Disk Refer to the included CD for support documents ZyXEL Web Site Please refer to www zyxel com for additional support documentation and product certifications User Guide Feedback Help u...

Page 4: ...stroke is denoted by square brackets and uppercase text for example ENTER means the enter or return key on your keyboard Enter means for you to type one or more characters and then press the ENTER key Select or choose means for you to use one of the predefined choices A right angle bracket within a screen name denotes a mouse click For example Maintenance Log Log Setting means you first click Main...

Page 5: ...r s Guide 5 Icons Used in Figures Figures in this User s Guide may use the following generic icons The ZyWALL icon is not an exact representation of your device ZyWALL Computer Notebook computer Server DSLAM Firewall Telephone Switch Router ...

Page 6: ...t the cables to the correct ports Place connecting cables carefully so that no one will step on them or stumble over them Always disconnect all cables from this device before servicing or disassembling Use ONLY an appropriate power adaptor or cord for your device Connect the power adaptor or cord to the right supply voltage for example 110V AC in North America or 230V AC in Europe Do NOT allow any...

Page 7: ...3 Bridge Screens 145 WAN Screens 151 DMZ Screens 171 Wireless LAN 181 Security 189 Firewall 191 Content Filtering Screens 223 Content Filtering Reports 245 IPSec VPN 253 Certificates 295 Authentication Server 323 Advanced 329 Network Address Translation NAT 331 Static Route 347 Bandwidth Management 351 DNS 365 Remote Management 377 UPnP 399 Custom Application 409 ALG Screen 411 Logs and Maintenanc...

Page 8: ...p 509 IP Static Route Setup 519 Network Address Translation NAT 521 Introducing the ZyWALL Firewall 539 Filter Configuration 541 SNMP Configuration 557 System Information Diagnosis 559 Firmware and Configuration File Maintenance 571 System Maintenance Menus 8 to 10 587 Remote Management 595 Call Scheduling 599 Troubleshooting and Specifications 603 Troubleshooting 605 Product Specifications 613 Ap...

Page 9: ...oadband Internet Access via Cable or DSL Modem 47 1 2 2 VPN Application 48 1 3 Ways to Manage the ZyWALL 48 1 4 Good Habits for Managing the ZyWALL 49 1 5 LEDs 49 Chapter 2 Introducing the Web Configurator 51 2 1 Web Configurator Overview 51 2 2 Accessing the ZyWALL Web Configurator 51 2 3 Resetting the ZyWALL 53 2 3 1 Procedure To Use The Reset Button 53 2 3 2 Uploading a Configuration File Via C...

Page 10: ...he VPN Rule 90 4 1 3 Configuring the Firewall Rules 93 4 2 Using NAT with Multiple Public IP Addresses 97 4 2 1 Example Parameters and Scenario 97 4 2 2 Configuring the WAN Connection with a Static IP Address 98 4 2 3 Public IP Address Mapping 101 4 2 4 Forwarding Traffic from the WAN to a Local Computer 105 4 2 5 Allow WAN to LAN Traffic through the Firewall 107 4 2 6 Testing the Connections 114 ...

Page 11: ...sses 134 6 3 DHCP 135 6 3 1 IP Pool Setup 135 6 4 RIP Setup 135 6 5 Multicast 135 6 6 WINS 136 6 7 LAN 136 6 8 LAN Static DHCP 139 6 9 LAN IP Alias 140 6 10 LAN Port Roles 142 Chapter 7 Bridge Screens 145 7 1 Bridge Loop 145 7 2 Spanning Tree Protocol STP 146 7 2 1 Rapid STP 146 7 2 2 STP Terminology 146 7 2 3 How STP Works 146 7 2 4 STP Port States 147 7 3 Bridge 147 7 4 Bridge Port Roles 149 Cha...

Page 12: ... Strings 169 8 12 Configuring Advanced Modem Setup 169 Chapter 9 DMZ Screens 171 9 1 DMZ 171 9 2 Configuring DMZ 171 9 3 DMZ Static DHCP 174 9 4 DMZ IP Alias 175 9 5 DMZ Public IP Address Example 177 9 6 DMZ Private and Public IP Address Example 177 9 7 DMZ Port Roles 178 Chapter 10 Wireless LAN 181 10 1 Wireless LAN Introduction 181 10 2 Configuring WLAN 181 10 3 WLAN Static DHCP 184 10 4 WLAN IP...

Page 13: ...ering Screens 223 12 1 Content Filtering Overview 223 12 1 1 Restrict Web Features 223 12 1 2 Create a Filter List 223 12 1 3 Customize Web Site Access 223 12 2 Content Filtering with an External Database 223 12 3 Content Filter General Screen 224 12 4 Content Filter Policy 227 12 5 Content Filter Policy General 229 12 6 Content Filter Policy External Database 230 12 7 Content Filter Policy Custom...

Page 14: ... Port Forwarding 278 14 9 Network Policy Move 280 14 10 IPSec SA Using Manual Keys 281 14 10 1 IPSec SA Proposal Using Manual Keys 281 14 10 2 Authentication and the Security Parameter Index SPI 281 14 11 VPN Rules Manual 281 14 12 VPN Rules Manual Edit 283 14 13 VPN SA Monitor 285 14 14 VPN Global Setting 286 14 14 1 Local and Remote IP Address Conflict Resolution 286 14 15 Telecommuter VPN IPSec...

Page 15: ...d Remote Hosts 315 15 14 Trusted Remote Host Certificate Details 316 15 15 Trusted Remote Hosts Import 319 15 16 Directory Servers 320 15 17 Directory Server Add or Edit 321 Chapter 16 Authentication Server 323 16 1 Authentication Server Overview 323 16 1 1 Local User Database 323 16 1 2 RADIUS 323 16 1 3 Types of RADIUS Messages 323 16 2 Local User Database 324 16 3 RADIUS 326 Part IV Advanced 32...

Page 16: ... Classes and Filters 351 19 3 Proportional Bandwidth Allocation 352 19 4 Application based Bandwidth Management 352 19 5 Subnet based Bandwidth Management 352 19 6 Application and Subnet based Bandwidth Management 352 19 7 Scheduler 353 19 7 1 Priority based Scheduler 353 19 7 2 Fairness based Scheduler 353 19 7 3 Maximize Bandwidth Usage 353 19 7 4 Reserving Bandwidth for Non Bandwidth Class Traf...

Page 17: ...1 1 Remote Management Overview 377 21 1 1 Remote Management Limitations 378 21 1 2 System Timeout 378 21 2 WWW HTTP and HTTPS 378 21 3 WWW Configuration 379 21 4 HTTPS Example 380 21 4 1 Internet Explorer Warning Messages 381 21 4 2 Netscape Navigator Warning Messages 381 21 4 3 Avoiding the Browser Warning Messages 382 21 4 4 Login Screen 383 21 5 SSH 385 21 6 How SSH Works 385 21 7 SSH Implement...

Page 18: ...stalling UPnP in Windows Example 402 22 4 1 Installing UPnP in Windows Me 403 22 4 2 Installing UPnP in Windows XP 404 22 5 Using UPnP in Windows XP Example 404 22 5 1 Auto discover Your UPnP enabled Network Device 405 22 5 2 Web Configurator Easy Access 406 Chapter 23 Custom Application 409 23 1 Custom Applicaton 409 23 2 Custom Applicaton Configuration 409 Chapter 24 ALG Screen 411 24 1 ALG Intr...

Page 19: ...445 Chapter 26 Maintenance 447 26 1 Maintenance Overview 447 26 2 General Setup and System Name 447 26 2 1 General Setup 447 26 3 Configuring Password 448 26 4 Time and Date 449 26 5 Pre defined NTP Time Server Pools 452 26 5 1 Resetting the Time 452 26 5 2 Time Server Synchronization 452 26 6 Introduction To Transparent Bridging 453 26 7 Transparent Firewalls 454 26 8 Configuring Device Mode Rout...

Page 20: ...Configuring Dynamic DNS 476 Chapter 29 WAN and Dial Backup Setup 481 29 1 Introduction to WAN and Dial Backup Setup 481 29 2 WAN Setup 481 29 3 Dial Backup 482 29 4 Configuring Dial Backup in Menu 2 482 29 5 Advanced WAN Setup 483 29 6 Remote Node Profile Backup ISP 485 29 7 Editing TCP IP Options 487 29 8 Editing Login Script 488 29 9 Remote Node Filter 489 Chapter 30 LAN Setup 491 30 1 Introduct...

Page 21: ...duction to Remote Node Setup 509 34 2 Remote Node Setup 509 34 3 Remote Node Profile Setup 509 34 3 1 Ethernet Encapsulation 510 34 3 2 PPPoE Encapsulation 511 34 3 3 PPTP Encapsulation 513 34 4 Edit IP 514 34 5 Remote Node Filter 516 34 6 Traffic Redirect 517 Chapter 35 IP Static Route Setup 519 35 1 IP Static Route Setup 519 Chapter 36 Network Address Translation NAT 521 36 1 Using NAT 521 36 1 ...

Page 22: ...ring a Filter Set 544 38 2 1 Configuring a Filter Rule 546 38 2 2 Configuring a TCP IP Filter Rule 546 38 2 3 Configuring a Generic Filter Rule 549 38 3 Example Filter 550 38 4 Filter Types and NAT 552 38 5 Firewall Versus Filters 552 38 5 1 Packet Filtering 552 38 5 2 Firewall 553 38 6 Applying a Filter 553 38 6 1 Applying LAN Filters 554 38 6 2 Applying DMZ Filters 554 38 6 3 Applying Remote Nod...

Page 23: ...4 1 Restore Using FTP 577 41 4 2 Restore Using FTP Session Example 578 41 4 3 Restore Via Console Port 579 41 5 Uploading Firmware and Configuration Files 579 41 5 1 Firmware File Upload 580 41 5 2 Configuration File Upload 580 41 5 3 FTP File Upload Command from the DOS Prompt Example 581 41 5 4 FTP Session Example of Firmware File Upload 582 41 5 5 TFTP File Upload 582 41 5 6 TFTP Upload Command...

Page 24: ...Ds 605 45 2 ZyWALL Access and Login 606 45 3 Internet Access 608 45 4 Wireless Router AP Troubleshooting 610 45 5 UPnP 610 Chapter 46 Product Specifications 613 46 1 General ZyWALL Specifications 613 46 2 Cable Pin Assignments 615 46 3 Wall mounting Instructions 617 Part VIII Appendices and Index 619 Appendix A Setting up Your Computer s IP Address 621 Appendix B Pop up Windows JavaScripts and Jav...

Page 25: ...Table of Contents ZyWALL 2 Plus User s Guide 25 Index 679 ...

Page 26: ...Table of Contents ZyWALL 2 Plus User s Guide 26 ...

Page 27: ...ond Screen 75 Figure 19 Internet Access Setup Complete 76 Figure 20 Internet Access Wizard Registration 77 Figure 21 Internet Access Wizard Registration in Progress 78 Figure 22 Internet Access Wizard Status 78 Figure 23 Internet Access Wizard Registration Failed 78 Figure 24 Internet Access Wizard Registered Device 79 Figure 25 Internet Access Wizard Activated Services 79 Figure 26 VPN Wizard Gat...

Page 28: ... Traffic to a Local Computer 107 Figure 60 Tutorial Example Firewall Default Rule 108 Figure 61 Tutorial Example Firewall Rule WAN to LAN 108 Figure 62 Tutorial Example Firewall Rule WAN to LAN Address Edit for Web Server 109 Figure 63 Tutorial Example Firewall Rule WAN to LAN Service Edit for Web Server 110 Figure 64 Tutorial Example Firewall Rule WAN to LAN Address Edit for Mail Server 111 Figur...

Page 29: ... Bridge Port Roles 150 Figure 101 Port Roles Change Complete 150 Figure 102 NETWORK WAN Route 152 Figure 103 NETWORK WAN WAN Ethernet Encapsulation 155 Figure 104 NETWORK WAN WAN PPPoE Encapsulation 158 Figure 105 NETWORK WAN WAN PPTP Encapsulation 161 Figure 106 Traffic Redirect WAN Setup 164 Figure 107 Traffic Redirect LAN Setup 164 Figure 108 NETWORK WAN Traffic Redirect 164 Figure 109 NETWORK ...

Page 30: ...wall Rule Example Service 217 Figure 145 My Service Firewall Rule Example Edit Custom Service 217 Figure 146 My Service Firewall Rule Example Rule Summary 218 Figure 147 My Service Firewall Rule Example Rule Edit Source and Destination Addresses 218 Figure 148 My Service Firewall Rule Example Edit Rule Service Configuration 220 Figure 149 My Service Firewall Rule Example Rule Summary Completed 221...

Page 31: ...ic VPN Rule 287 Figure 188 Overlap in IP Alias and VPN Remote Networks 287 Figure 189 SECURITY VPN Global Setting 288 Figure 190 Telecommuters Sharing One VPN Rule Example 289 Figure 191 Telecommuters Using Unique VPN Rules Example 290 Figure 192 VPN for Remote Management Example 292 Figure 193 VPN Topologies 292 Figure 194 Hub and spoke VPN Example 293 Figure 195 Certificates on Your Computer 296...

Page 32: ...9 Subnet based Bandwidth Management Example 352 Figure 230 ADVANCED BW MGMT Summary 357 Figure 231 ADVANCED BW MGMT Class Setup 358 Figure 232 ADVANCED BW MGMT Class Setup Add Sub Class 360 Figure 233 ADVANCED BW MGMT Class Setup Statistics 362 Figure 234 ADVANCED BW MGMT Monitor 363 Figure 235 Private DNS Server Example 367 Figure 236 ADVANCED DNS System DNS 367 Figure 237 ADVANCED DNS Add Addres...

Page 33: ...ownload 422 Figure 274 LOGS Log Settings 423 Figure 275 LOGS Reports 426 Figure 276 LOGS Reports Web Site Hits Example 427 Figure 277 LOGS Reports Host IP Address Example 428 Figure 278 LOGS Reports Protocol Port Example 429 Figure 279 MAINTENANCE General Setup 448 Figure 280 MAINTENANCE Password 449 Figure 281 MAINTENANCE Time and Date 450 Figure 282 Synchronization in Process 452 Figure 283 Sync...

Page 34: ...92 Figure 318 Menu 3 2 TCP IP and DHCP Ethernet Setup 493 Figure 319 Menu 3 2 1 IP Alias Setup 495 Figure 320 Menu 4 Internet Access Setup Ethernet 497 Figure 321 Internet Access Setup PPTP 499 Figure 322 Internet Access Setup PPPoE 500 Figure 323 Menu 5 DMZ Setup 501 Figure 324 Menu 5 1 DMZ Port Filter Setup 501 Figure 325 Menu 5 DMZ Setup 502 Figure 326 Menu 5 2 TCP IP and DHCP Ethernet Setup 50...

Page 35: ... 1 1 1 534 Figure 359 Example 3 Final Menu 15 1 1 535 Figure 360 Example 3 Menu 15 2 535 Figure 361 NAT Example 4 536 Figure 362 Example 4 Menu 15 1 1 1 Address Mapping Rule 536 Figure 363 Example 4 Menu 15 1 1 Address Mapping Rules 537 Figure 364 Menu 15 3 1 Trigger Port Setup 538 Figure 365 Menu 21 Filter and Firewall Setup 539 Figure 366 Menu 21 2 Firewall Setup 540 Figure 367 Outgoing Packet F...

Page 36: ...Using FTP Session Example 578 Figure 402 System Maintenance Restore Configuration 579 Figure 403 System Maintenance Starting Xmodem Download Screen 579 Figure 404 Restore Configuration Example 579 Figure 405 Successful Restoration Confirmation Screen 579 Figure 406 Telnet Into Menu 24 7 1 Upload System Firmware 580 Figure 407 Telnet Into Menu 24 7 2 System Maintenance 581 Figure 408 FTP Session Ex...

Page 37: ...633 Figure 444 Red Hat 9 0 KDE Network Configuration DNS 634 Figure 445 Red Hat 9 0 KDE Network Configuration Activate 634 Figure 446 Red Hat 9 0 Dynamic IP Address Setting in ifconfig eth0 635 Figure 447 Red Hat 9 0 Static IP Address Setting in ifconfig eth0 635 Figure 448 Red Hat 9 0 DNS Settings in resolv conf 635 Figure 449 Red Hat 9 0 Restart Ethernet Card 635 Figure 450 Red Hat 9 0 Checking ...

Page 38: ...te Example 663 Figure 474 Personal Certificate Import Wizard 1 664 Figure 475 Personal Certificate Import Wizard 2 664 Figure 476 Personal Certificate Import Wizard 3 665 Figure 477 Personal Certificate Import Wizard 4 665 Figure 478 Personal Certificate Import Wizard 5 666 Figure 479 Personal Certificate Import Wizard 6 666 Figure 480 Access the ZyWALL Via HTTPS 666 Figure 481 SSL Client Authenti...

Page 39: ...ard Gateway Setting 80 Table 16 VPN Wizard Network Setting 81 Table 17 VPN Wizard IKE Tunnel Setting 83 Table 18 VPN Wizard IPSec Setting 84 Table 19 VPN Wizard VPN Status 86 Table 20 REGISTRATION 128 Table 21 REGISTRATION Service 130 Table 22 NETWORK LAN 137 Table 23 NETWORK LAN Static DHCP 140 Table 24 NETWORK LAN IP Alias 141 Table 25 NETWORK LAN Port Roles 142 Table 26 STP Path Costs 146 Table...

Page 40: ...le 60 SECURITY CONTENT FILTER Policy Customization 238 Table 61 SECURITY CONTENT FILTER Policy Schedule 240 Table 62 SECURITY CONTENT FILTER Object 241 Table 63 SECURITY CONTENT FILTER Cache 244 Table 64 SECURITY VPN VPN Rules IKE 256 Table 65 VPN Example Matching ID Type and Content 259 Table 66 VPN Example Mismatching ID Type and Content 259 Table 67 SECURITY VPN VPN Rules IKE Edit Gateway Polic...

Page 41: ...OUTE IP Static Route 348 Table 101 ADVANCED STATIC ROUTE IP Static Route Edit 349 Table 102 Application and Subnet based Bandwidth Management Example 352 Table 103 Maximize Bandwidth Usage Example 354 Table 104 Priority based Allotment of Unused and Unbudgeted Bandwidth Example 354 Table 105 Fairness based Allotment of Unused and Unbudgeted Bandwidth Example 355 Table 106 Bandwidth Borrowing Examp...

Page 42: ...rol Logs 432 Table 143 TCP Reset Logs 433 Table 144 Packet Filter Logs 433 Table 145 ICMP Logs 433 Table 146 CDR Logs 434 Table 147 PPP Logs 434 Table 148 UPnP Logs 434 Table 149 Content Filtering Logs 435 Table 150 Attack Logs 435 Table 151 Remote Management Logs 437 Table 152 IPSec Logs 437 Table 153 IKE Logs 438 Table 154 PKI Logs 441 Table 155 Certificate Path Verification Failure Reason Codes...

Page 43: ...le 188 New Fields in Menu 4 PPTP Screen 499 Table 189 New Fields in Menu 4 PPPoE screen 500 Table 190 Menu 11 1 Remote Node Profile for Ethernet Encapsulation 510 Table 191 Fields in Menu 11 1 PPPoE Encapsulation Specific 513 Table 192 Menu 11 1 Remote Node Profile for PPTP Encapsulation 514 Table 193 Remote Node Network Layer Options Menu Fields 515 Table 194 Menu 11 1 5 Traffic Redirect Setup 51...

Page 44: ...221 Hardware Specifications 613 Table 222 Firmware Specifications 613 Table 223 Feature and Performance Specifications 615 Table 224 Console Cable Pin Assignments 616 Table 225 Dial Backup Cable Pin Assignments 616 Table 226 Ethernet Cable Pin Assignments 616 Table 227 IP Address Network Number and Host ID Example 646 Table 228 Subnet Masks 647 Table 229 Maximum Host Numbers 647 Table 230 Alternat...

Page 45: ...45 PART I Introduction and Registration Getting to Know Your ZyWALL 47 Introducing the Web Configurator 51 Wizard Setup 69 Tutorials 89 Registration 127 ...

Page 46: ...46 ...

Page 47: ...on The ZyWALL provides bandwidth management NAT port forwarding DHCP server and many other powerful features You can add an IEEE 802 11a b g compliant wireless LAN by connecting an access point AP to an Ethernet port in a WLAN port role See Chapter 46 on page 613 for a complete list of features 1 2 Applications for the ZyWALL Here are some examples of what you can do with your ZyWALL 1 2 1 Secure ...

Page 48: ... methods to manage the ZyWALL Web Configurator This is recommended for everyday management of the ZyWALL using a supported web browser Command Line Interface Line commands are mostly used for troubleshooting by service engineers SMT System Management Terminal is a text based configuration menu that you can use to configure your device FTP for firmware upgrades and configuration backup restore Chap...

Page 49: ...ngs If you backed up an earlier configuration file you would not have to totally re configure the ZyWALL You could simply restore your last configuration 1 5 LEDs Figure 3 Front Panel The following table describes the lights Table 1 Front Panel LEDs LED COLOR STATUS DESCRIPTION PWR Off The ZyWALL is turned off Green On The ZyWALL is ready and running Flashing The ZyWALL is restarting Red On The po...

Page 50: ...ready or has failed Green On The ZyWALL has a successful 10Mbps WAN connection Flashing The 10M WAN is sending or receiving packets Orange On The ZyWALL has a successful 100Mbps WAN connection Flashing The 100M WAN is sending or receiving packets Table 1 Front Panel LEDs continued LED COLOR STATUS DESCRIPTION ...

Page 51: ... Web pop up blocking is enabled by default in Windows XP SP Service Pack 2 JavaScripts enabled by default Java permissions enabled by default See Appendix B on page 637 if you want to make sure these functions are allowed in Internet Explorer or Netscape Navigator 2 2 Accessing the ZyWALL Web Configurator By default the packets from WLAN to WLAN ZyWALL are dropped and users cannot configure the Zy...

Page 52: ...reate a certificate using your ZyWALL s MAC address that will be specific to this device If you do not replace the default certificate here or in the CERTIFICATES screen this screen displays every time you access the web configurator Figure 5 Replace Certificate Screen 7 You should now see the HOME screen see Figure 8 on page 55 The management session automatically times out when the time period s...

Page 53: ...ff 3 While pressing the RESET button turn the ZyWALL on 4 Continue to hold the RESET button The PWR LED will begin to blink and flicker very quickly after about 20 seconds This indicates that the defaults have been restored and the ZyWALL is now restarting 5 Release the RESET button and wait for the ZyWALL to finish restarting 2 3 2 Uploading a Configuration File Via Console Port 1 Download the de...

Page 54: ...els Figure 7 HOME Screen As illustrated above the main screen is divided into these parts A title bar B navigation panel C main window D status bar 2 4 1 Title Bar The title bar provides some icons in the upper right corner The icons provide the following functions C D B A Table 2 Title Bar Web Configurator Icons ICON DESCRIPTION Wizard Click this icon to open one of the web configurator wizards S...

Page 55: ...eb Configurator HOME Screen in Router Mode The following table describes the labels in this screen Table 3 Web Configurator HOME Screen in Router Mode LABEL DESCRIPTION Automatic Refresh Interval Select a number of seconds or None from the drop down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics Refresh Click this but...

Page 56: ...y in megabytes The bar displays what percent of the ZyWALL s heap memory is in use The bar turns from green to red when the maximum is being approached Sessions The first number shows how many sessions are currently open on the ZyWALL This includes all sessions that are currently traversing the ZyWALL terminating at the ZyWALL or Initiated from the ZyWALL The second number is the maximum number of...

Page 57: ...e you must have another DHCP server on your LAN or else the computers must be manually configured For the dial backup port this shows N A when dial backup is disabled and IPCP client when dial backup is enabled Renew If you are using Ethernet encapsulation and the WAN port is configured to get the IP address automatically from the ISP click Renew to release the WAN port s dynamically assigned IP a...

Page 58: ...ton to update the screen s statistics immediately System Information System Name This is the System Name you enter in the MAINTENANCE General screen It is for identification purposes Click the field label to go to the screen where you can specify a name for this ZyWALL Model This is the model name of your ZyWALL Bootbase Version This is the bootbase version and the date created Firmware Version Th...

Page 59: ...he ZyWALL This includes all sessions that are currently traversing the ZyWALL terminating at the ZyWALL or initiated from the ZyWALL The second number is the maximum number of sessions that can be open at one time The bar displays what percent of the maximum number of sessions is in use The bar turns from green to red when the maximum is being approached CPU This field displays what percentage of ...

Page 60: ...the field label to go to the screen where you can update your service subscription Web Site Blocked This displays how many web site hits the ZyWALL has blocked since it last started up N A displays when the service subscription has expired Latest Alerts This table displays the five most recent alerts recorded by the ZyWALL You can see more information in the View Log screen such as the source and ...

Page 61: ...l device and network status information Use this screen to access the wizards statistics and DHCP table REGISTRATIO N Registration Use this screen to register your ZyWALL and activate the trial service subscriptions Service Use this to manage and update the service status and license information NETWORK LAN LAN Use this screen to configure LAN DHCP and TCP IP settings Static DHCP Use this screen t...

Page 62: ... this screen to change your anti probing settings Threshold Use this screen to configure the threshold for DoS attacks Service Use this screen to configure custom services CONTENT FILTER General This screen allows you to enable content filtering and block certain web features Policy Use this screen to select which categories of web pages to filter out as well as to register for external database c...

Page 63: ...ic DNS REMOTE MGMT WWW Use this screen to configure through which interface s and from which IP address es users can use HTTPS or HTTP to manage the ZyWALL SSH Use this screen to configure through which interface s and from which IP address es users can use Secure Shell to manage the ZyWALL TELNET Use this screen to configure through which interface s and from which IP address es users can use Tel...

Page 64: ...d have your ZyWALL work as a router or a bridge F W Upload Use this screen to upload firmware to your ZyWALL Backup Restore Use this screen to backup and restore the configuration or reset the factory defaults to your ZyWALL Restart This screen allows you to reboot the ZyWALL without turning the power off Diagnosis Use this screen to have the ZyWALL generate and send diagnostic files by e mail and...

Page 65: ...the number of transmitted packets on this port RxPkts This is the number of received packets on this port Collisions This is the number of collisions on this port Tx B s This displays the transmission speed in bytes per second on this port Rx B s This displays the reception speed in bytes per second on this port Up Time This is the total amount of time the line has been up System Up Time This is t...

Page 66: ...o other adapter has a similar address Reserve Select the check box in the heading row to automatically select all check boxes or select the check box es in each entry to have the ZyWALL always assign the selected entry ies s IP address es to the corresponding MAC address es and host name s You can select up to 32 entries in this table After you click Apply the MAC address and IP address also displ...

Page 67: ...d of every time interval or to not update the screen statistics Refresh Click this button to update the screen s statistics immediately Table 9 HOME VPN Status LABEL DESCRIPTION Table 10 ADVANCED BW MGMT Monitor LABEL DESCRIPTION Interface Select an interface from the drop down list box to view the bandwidth usage of its bandwidth classes Class This field displays the name of the bandwidth class A...

Page 68: ...ically at the end of every time interval or to not update the screen statistics Refresh Click this button to update the screen s statistics immediately A If you allocate all the root class s bandwidth to the bandwidth classes the default class still displays a budget of 2 kbps the minimum amount of bandwidth that can be assigned to a bandwidth class Table 10 ADVANCED BW MGMT Monitor LABEL DESCRIPT...

Page 69: ...onnection settings In the HOME screen click the wizard icon to open the Wizard Setup Welcome screen The following summarizes the wizards you can select Internet Access Setup Click this link to open a wizard to set up an Internet connection for the WAN port on the ZyWALL in router mode VPN Setup Use VPN Setup to configure a VPN connection that uses a pre shared key If you want to set the rule to us...

Page 70: ...ect in the Encapsulation field 3 2 1 1 Ethernet For ISPs such as Telstra that send UDP heartbeat packets to verify that the customer is still online please create a WAN to WAN ZyWALL firewall rule for those packets Contact your ISP to find the correct port number Choose Ethernet when the WAN port is used as a regular Ethernet Figure 15 ISP Parameters Ethernet Encapsulation The following table desc...

Page 71: ...the ISP assigned a fixed IP address The fields below are available only when you select Static My WAN IP Address Enter your WAN IP address in this field My WAN IP Subnet Mask Enter the IP subnet mask in this field Gateway IP Address Enter the gateway IP address in this field First DNS Server Second DNS Server Enter the DNS server s IP address es in the field s to the right Leave the field as 0 0 0...

Page 72: ... Name Type the user name given to you by your ISP Password Type the password associated with the user name above Retype to Confirm Type your password again for confirmation Nailed Up Select Nailed Up if you do not want the connection to time out Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server The default time is 100 seconds WAN I...

Page 73: ...et The ZyWALL supports one PPTP server connection at any given time My WAN IP Address Enter your WAN IP address in this field First DNS Server Second DNS Server Enter the DNS server s IP address es in the field s to the right Leave the field as 0 0 0 0 if you do not want to configure DNS servers If you do not configure a DNS server you must know the IP address of a machine in order to access it Ba...

Page 74: ...e User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection User Name Type the user name given to you by your ISP Password Type the password associated with the User Name above Retype to Confirm Type your password again for confirmation Nailed Up Select Nailed Up if you do not want the connection to time out Idle Timeout Type the time in seconds that elapses ...

Page 75: ...r N My ISP This field is optional and depends on the requirements of your xDSL modem WAN IP Address Assignment IP Address Assignment Select Dynamic If your ISP did not assign you a fixed IP address This is the default selection Select Static If the ISP assigned a fixed IP address The fields below are available only when you select Static My WAN IP Address Enter your WAN IP address in this field Fi...

Page 76: ...n the previous screen see Figure 18 on page 75 the following screen displays Use this screen to register the ZyWALL with myZyXEL com You must register your ZyWALL before you can activate trial application of service like content filtering If you want to activate a standard service with your iCard s PIN number license key use the REGISTRATION Service screen ...

Page 77: ... com account If you already have an account at myZyXEL com select this option and enter your user name and password in the fields below to register your ZyWALL User Name Enter a user name for your myZyXEL com account The name should be from six to 20 alphanumeric characters and the underscore Spaces are not allowed Check Click this button to check with the myZyXEL com database to verify the user n...

Page 78: ...t Access Wizard Status The following screen appears if the registration was not successful Click Return to go back to the Device Registration screen and check your settings Figure 23 Internet Access Wizard Registration Failed If the ZyWALL has been registered the Device Registration screen is read only and the Service Activation screen appears indicating what trial applications are activated after...

Page 79: ...cess Wizard Activated Services 3 3 VPN Wizard Gateway Setting Use this screen to name the VPN gateway policy IKE SA and identify the IPSec routers at either end of the VPN tunnel Click VPN Setup in the Wizard Setup Welcome screen Figure 14 on page 69 to open the VPN configuration wizard The first screen displays as shown next ...

Page 80: ...of your ZyWALL or leave the field set to 0 0 0 0 The ZyWALL uses its current WAN IP address static or dynamic in setting up the VPN tunnel if you leave this field as 0 0 0 0 If the WAN connection goes down the ZyWALL uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP address when using traffic redirect The VPN tunnel has to be rebuilt if this IP address changes...

Page 81: ...L drops trailing spaces Network Policy Setting Local Network Local IP addresses must be static and correspond to the remote IPSec router s configured remote IP addresses Select Single for a single IP address Select Range IP for a specific range of IP addresses Select Subnet to specify IP addresses on a network by their subnet mask Starting IP Address When the Local Network field is configured to S...

Page 82: ...the network behind the remote IPSec router When the Remote Network field is configured to Range IP enter the beginning static IP address in a range of computers on the network behind the remote IPSec router When the Remote Network field is configured to Subnet enter a static IP address on the network behind the remote IPSec router Ending IP Address Subnet Mask When the Remote Network field is conf...

Page 83: ... stronger than MD5 but is slower Select MD5 for minimal security and SHA 1 for maximum security Key Group You must choose a key group for phase 1 IKE setup DH1 default refers to Diffie Hellman Group 1 a 768 bit random number DH2 refers to Diffie Hellman Group 2 a 1024 bit 1Kb random number SA Life Time Seconds Define the length of time before an IKE SA automatically renegotiates in this field The ...

Page 84: ...der and receiver must know the same secret key which can be used to encrypt and decrypt the message or to generate and verify a message authentication code The DES encryption algorithm uses a 56 bit key Triple DES 3DES is a variation on DES that uses a 168 bit key As a result 3DES is more secure than DES It also requires more processing power resulting in increased latency and decreased throughput...

Page 85: ...ward Secret PFS Perfect Forward Secret PFS is disabled None by default in phase 2 IPSec SA setup This allows faster IPSec setup but is not so secure Select DH1 or DH2 to enable PFS DH1 refers to Diffie Hellman Group 1 a 768 bit random number DH2 refers to Diffie Hellman Group 2 a 1024 bit 1Kb random number more secure yet slower Back Click Back to return to the previous screen Next Click Next to c...

Page 86: ...k on the LAN behind your ZyWALL Remote Network Starting IP Address This is a static IP address on the network behind the remote IPSec router Ending IP Address Subnet Mask When the remote network is configured for a single IP address this field is N A When the remote network is configured for a range IP address this is the end static IP address in a range of computers on the network behind the remo...

Page 87: ...thod of data encryption Options can be DES 3DES AES or NULL Authentication Algorithm MD5 Message Digest 5 and SHA1 Secure Hash Algorithm are hash algorithms used to authenticate packet data SA Life Time Seconds This is the length of time before an IKE SA automatically renegotiates Perfect Forward Secret PFS Perfect Forward Secret PFS is disabled None by default in phase 2 IPSec SA setup Otherwise ...

Page 88: ...Chapter 3 Wizard Setup ZyWALL 2 Plus User s Guide 88 ...

Page 89: ... turn on content filtering for all of the ZyWALL s VPN traffic regardless of its direction of travel You can apply firewall security to VPN traffic based on its direction of travel The following examples show how you do this for the firewall 4 1 1 Firewall Rule for VPN Example The firewall provides even more fine tuned control for VPN tunnels You can configure default and custom firewall rules for...

Page 90: ...ce A to let the network behind B access the FTP server You would also have to configure a corresponding rule on device B 1 Click Security VPN to open the following screen Click the Add Gateway Policy icon Figure 33 SECURITY VPN VPN Rules IKE 2 Use this screen to set up the connection between the routers Configure the fields that are circled as follows and click Apply ...

Page 91: ...Chapter 4 Tutorials ZyWALL 2 Plus User s Guide 91 Figure 34 SECURITY VPN VPN Rules IKE Add Gateway Policy 3 Click the Add Network Policy icon ...

Page 92: ...le does not specify the port numbers This is due to the following reasons While FTP uses a control session on port 20 the port for the data session is not fixed So this example uses the firewall s FTP application layer gateway ALG to handle this instead of specifying port numbers in this VPN network policy The firewall provides better security because it operates at layer 4 and checks traffic sess...

Page 93: ...allow device B s network to access the FTP server You also only want FTP traffic to go to the FTP server so you want to block all other traffic types like chat e mail web and so on The following sections show how to configure firewall rules to enforce these restrictions 4 1 3 1 Firewall Rule to Allow Access Example Configure a firewall rule that allows FTP access from the VPN tunnel to the FTP ser...

Page 94: ...mmary 2 Select VPN to LAN as the packet direction and click Refresh 3 Click the insert icon Figure 37 SECURITY FIREWALL Rule Summary 4 Configure the rule as follows and click Apply The source addresses are the VPN rule s remote network and the destination address is the LAN FTP server ...

Page 95: ...Chapter 4 Tutorials ZyWALL 2 Plus User s Guide 95 Figure 38 SECURITY FIREWALL Rule Summary Edit Allow 5 The rule displays in the summary list of VPN to LAN firewall rules ...

Page 96: ...rewall rule to block all VPN to LAN traffic This blocks any other types of access from VPN tunnels to the LAN FTP server This means that you need to configure more firewall rules if you want to allow any other VPN tunnels to access the LAN 1 Click SECURITY FIREWALL Default Rule 2 Configure the screen as follows and click Apply Figure 40 SECURITY FIREWALL Default Rule Block From VPN To LAN ...

Page 97: ...ctively for traffic in both directions Map the first public address 1 2 3 4 to outgoing traffic from other local computers Map the first public address 1 2 3 4 to incoming traffic from the WAN Forward FTP traffic using port 21 from the WAN to a specific local computer 192 168 1 39 The last public IP address 1 2 3 7 is not mapped to any device and is reserved for future use Figure 41 Tutorial Examp...

Page 98: ...E PPP over Ethernet from the Encapsulation drop down list box 3 In the ISP Parameters for Internet Access section enter the information such as the user name and password provided by your ISP If your ISP didn t give you the service name leave the field blank 4 In the WAN IP Address Assignment section select Use Fixed IP Address and enter the first fixed public IP address 1 2 3 4 in this example 5 ...

Page 99: ... ADVANCED DNS 7 The System screen displays Click the Insert button to configure the IP address of the DNS server the ZyWALL can query to resolve domain names Figure 44 Tutorial Example DNS System 8 Select Public DNS Server and enter the first DNS server s IP address given by your ISP Click Apply ...

Page 100: ...o put the second record and click the Insert button to configure the second DNS server s IP address as follows Click Apply To resolve a domain name theZyWALL checks it against the name server record entries in the order that they appear in this list Figure 46 Tutorial Example DNS System Edit 2 10 The DNS System screen should look as shown ...

Page 101: ...em Done 11 Go to the Home screen to check your WAN connection status Make sure the status is not down Figure 48 Tutorial Example Status 4 2 3 Public IP Address Mapping To have the local computers and servers use specific WAN IP addresses you need to map static public IP addresses to them ...

Page 102: ...ap the internal web server 192 168 1 12 and mail server 192 168 1 13 to different static public IP addresses The many to one rule maps a public IP address 1 2 3 4 that is the ZyWALL s WAN IP address to outgoing LAN traffic It allows other local computers on the same subnet as the ZyWALL s LAN IP address to use this IP address to access the Internet Figure 49 Tutorial Example Mapping Multiple Publi...

Page 103: ...b 4 Click the first rule s Edit icon in the Modify column to display the Address Mapping Rule screen Figure 51 Tutorial Example NAT Address Mapping 5 Map a public IP address to the web server Select the One to One type and enter 192 168 1 12 as the local start IP address and 1 2 3 5 as the global start IP address Click Apply ...

Page 104: ...rt IP address and 1 2 3 6 as the global start IP address Click Apply Figure 53 Tutorial Example NAT Address Mapping Edit One to One 2 8 Click the third rule s Edit icon 9 Map a public IP address to other outgoing LAN traffic Select the Many to One type and enter 192 168 1 1 as the local start IP address 192 168 1 254 as the local end IP address and 1 2 3 4 as the global start IP address Click Appl...

Page 105: ...rough the ZyXEL Device you must also create a firewall rule Refer to Section 4 2 5 on page 107 for more information 4 2 4 Forwarding Traffic from the WAN to a Local Computer A server NAT address mapping rule allows computers behind the NAT be accessible to the outside world To have the ZyWALL forward incoming traffic to a specific computer on your local network you should also create a port forwar...

Page 106: ...lick ADVANCED NAT Address Mapping 2 Click the forth rule s Edit icon to configure a server rule Figure 57 Tutorial Example NAT Address Mapping Edit Server 3 Click the Port Forwarding tab 4 Select the Active check box enter a descriptive name FTP for example incoming port number 21 and 192 168 1 39 as the server IP address Click Apply ...

Page 107: ...raffic initiated from the WAN to a local computer or server on the LAN you need to configure a firewall rule to allow it In this example you create the firewall rules to allow traffic from the WAN to the following servers on the LAN Web server Mail server FTP server Figure 59 Tutorial Example Forwarding Incoming FTP Traffic to a Local Computer 1 Click SECURITY FIREWALL 2 Make sure the firewall is ...

Page 108: ...Refresh 5 Click the insert icon to create a new firewall rule Figure 61 Tutorial Example Firewall Rule WAN to LAN 6 Configure a firewall rule to allow HTTP traffic from the WAN to the web server Enter a descriptive name W L_Web for example Select Any in the Destination Address es box and click Delete Select Single Address as the destination address type Enter 192 168 1 12 and click Add ...

Page 109: ...ide 109 Figure 62 Tutorial Example Firewall Rule WAN to LAN Address Edit for Web Server 7 Select HTTP TCP 80 and HTTPS TCP 443 in the Available Services box on the left and click to add them to the Selected Service s box on the right Click Apply ...

Page 110: ...it for Web Server 8 Click the insert icon to configure a firewall rule to allow traffic from the WAN to the mail server Enter a descriptive name W L_Mail for example Select Any in the Destination Address es box and click Delete Select Single Address as the destination address type Enter 192 168 1 13 and click Add ...

Page 111: ...ample Firewall Rule WAN to LAN Address Edit for Mail Server 9 Select Any All in the Available Services box on the left and click to add it to the Selected Service s box on the right Click Apply Figure 65 Tutorial Example Firewall Rule WAN to LAN Service Edit for Mail Server ...

Page 112: ..._FTP for example Select Any in the Destination Address es box and click Delete Select Single Address as the destination address type Enter 192 168 1 39 and click Add Figure 66 Tutorial Example Firewall Rule WAN to LAN Address Edit for FTP Server 11Select FTP TCP 20 21 in the Available Services box on the left and click to add it to the Selected Service s box on the right Click Apply ...

Page 113: ...s ZyWALL 2 Plus User s Guide 113 Figure 67 Tutorial Example Firewall Rule WAN to LAN Service Edit for FTP Server 12When you are done the Rule Summary screen looks as shown Figure 68 Tutorial Example Firewall Rule Summary ...

Page 114: ...4 from the outside network to send or retrieve a file If you cannot access the FTP server make sure the NAT port forwarding rule is active and there is a firewall rule to allow FTP traffic from the WAN to FTP server 4 3 Using NAT with Multiple Game Players If two users behind the ZyWALL want to connect to the same server to play online games at the same time but the server does not allow more than...

Page 115: ...is section shows you examples of how to allocate bandwidth and apply priorities to traffic that flows out through the ZyWALL s WAN port 4 4 1 Example Parameters and Scenario The following figure shows the network you want to set up in this example The WAN port has an upstream outgoing speed of 512 kbps To prevent SIP based VoIP Voice over IP traffic from getting delayed due to heavy WWW or FTP tra...

Page 116: ...dth management to traffic that is forwarded out through the WAN port 3 Enter the WAN port s upstream speed 4 Select Priority Based to have the ZyWALL give preference to bandwidth classes with higher priorities 5 Deselect the Maximize Bandwidth Usage option to reserve bandwidth for traffic that is not defined in a bandwidth class 6 Click Apply Total Bandwidth Budget WAN Upstream Speed 512 Kbps Band...

Page 117: ...VoIP traffic Figure 72 Tutorial Example Bandwidth Management Class Setup 9 Enter a descriptive name WAN_VoIP for example the maximum bandwidth allowed and a priority for VoIP traffic The higher the number the higher the priority 10Enable this filter and select the SIP service 11Leave the IP address and subnet mask fields blank so that the filter will be applied to any outgoing traffic through the ...

Page 118: ...Bandwidth Management Class Setup VoIP 12Click the Add Sub Class button to create a rule for FTP traffic as follows Click Apply Figure 74 Tutorial Example Bandwidth Management Class Setup FTP 13Click the Add Sub Class button to create a rule for WWW traffic as follows Click Apply ...

Page 119: ...rial Example Bandwidth Management Class Setup WWW 14When you are finished the Class Setup screen looks as shown Figure 76 Tutorial Example Bandwidth Management Class Setup Done 15Use the Monitor screen to view the bandwidth usage and allotments for the WAN interface ...

Page 120: ... the ZyWALL applies policies in the order they are listed The ZyWALL applies the content filter policies based on the source address and the schedule So for this example when the ZyWALL receives a request from the LAN for a web page it checks the request against the first policy If the traffic matches that is if it is from Bob s computer and the time is between 12 00 and 13 00 the ZyWALL applies t...

Page 121: ...filter and external database content filtering 3 Click Apply Figure 78 SECURITY CONTENT FILTER General 4 5 2 Block Categories of Web Content Here is how to block access to web pages by category of content 1 Click SECURITY CONTENT FILTER Policy and then the external database icon next to the default policy ...

Page 122: ...Tutorials ZyWALL 2 Plus User s Guide 122 Figure 79 SECURITY CONTENT FILTER Policy 2 Select Active 3 Select the categories to block 4 Click Apply Figure 80 SECURITY CONTENT FILTER Policy External Database Default ...

Page 123: ...for Bob s computer and select the Reserve check box as shown next 3 Click Apply Figure 81 HOME DHCP Table 4 5 4 Create a Content Filter Policy for Bob Do the following to create a content filtering policy for traffic from Bob s computer 1 Click SECURITY CONTENT FILTER Policy and then the Insert button The ZyWALL applies the content filter policies in order so make sure you add the new policy befor...

Page 124: ...s but only during lunch So you configure a schedule to only apply the Bob policy from 12 00 to 13 00 For the rest of the time the ZyWALL applies the default content filter policy which blocks access to arts and entertainment web pages 1 Click SECURITY CONTENT FILTER Policy and then the Bob policy s schedule icon Figure 84 SECURITY CONTENT FILTER Policy 2 Select Everyday and enter 12 00 to 13 00 3 ...

Page 125: ... you select the categories of web pages to block Bob from accessing 1 Click SECURITY CONTENT FILTER Policy and then the Bob policy s external database icon Figure 86 SECURITY CONTENT FILTER Policy 2 Select Active 3 Select the categories to block This is very similar to Section 4 5 2 on page 121 except you do not select the arts and entertainment category ...

Page 126: ...Chapter 4 Tutorials ZyWALL 2 Plus User s Guide 126 4 Click Apply Figure 87 SECURITY CONTENT FILTER Policy External Database Bob ...

Page 127: ...e web site s on line help for details To activate a service on a ZyWALL you need to access myZyXEL com via that ZyWALL 5 1 1 Content Filtering Subscription Service The ZyWALL can use the content filtering subscription service Content filtering allows or blocks access to web sites Subscribe to category based content filtering to block access to categories of web sites based on content Your ZyWALL a...

Page 128: ...elect this option and enter your user name and password in the fields below to register your ZyWALL User Name Enter a user name for your myZyXEL com account The name should be from six to 20 alphanumeric characters and the underscore Spaces are not allowed Check Click this button to check with the myZyXEL com database to verify the user name you entered has not been used Password Enter a password ...

Page 129: ... your iCard s PIN number license key Click REGISTRATION Service to open the screen as shown next If you restore the ZyWALL to the default configuration file or upload a different configuration file after you register click the Service License Refresh button to update license information Content Filtering 1 month Trial Select the check box to activate a trial The trial period starts the day you act...

Page 130: ...s whether you applied for a trial application Trial or registered a service with your iCard s PIN number Standard Expiration Day This field displays the date your service expires License Upgrade License Key Enter your iCard s PIN number and click Update to activate or extend a standard service subscription If a standard service subscription runs out you need to buy a new iCard specific to your ZyW...

Page 131: ...131 PART II Network LAN Screens 133 Bridge Screens 145 WAN Screens 151 DMZ Screens 171 Wireless LAN 181 ...

Page 132: ...132 ...

Page 133: ... office that you connect to the ZyWALL s LAN ports The Wide Area Network WAN is another network most likely the Internet that you connect to the ZyWALL s WAN port See Chapter 8 on page 151 for how to use the WAN screens to set up your WAN connection The LAN and the WAN are two separate networks The ZyWALL controls the traffic that goes between them The following graphic gives an example Figure 91 ...

Page 134: ...ther device on your network is using that IP address The subnet mask specifies the network number portion of an IP address Your ZyWALL will compute the subnet mask automatically based on the IP address that you entered You don t need to change the subnet mask computed by the ZyWALL unless you are instructed to do otherwise 6 2 1 Private IP Addresses Every machine on the Internet must have a unique...

Page 135: ...of the RIP packets that the ZyWALL sends it recognizes both formats when receiving RIP 1 is universally supported but RIP 2 carries more information RIP 1 is probably adequate for most networks unless you have an unusual network topology Both RIP 2B and RIP 2M send routing data in RIP 2 format the difference being that RIP 2B uses subnet broadcasting while RIP 2M uses multicasting Multicasting can...

Page 136: ...elect None to disable IP multicasting on these interfaces 6 6 WINS WINS Windows Internet Naming Service is a Windows implementation of NetBIOS Name Server NBNS on Windows It keeps track of NetBIOS computer names It stores a mapping table of your network s computer names and IP addresses The table is dynamically updated for IP addresses assigned by DHCP This helps reduce broadcast traffic since com...

Page 137: ...y None When set to Both or Out Only the ZyWALL will broadcast its routing table periodically When set to Both or In Only it will incorporate the RIP information that it receives when set to None it will not send any RIP packets and will ignore any RIP packets received Both is the default RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the Z...

Page 138: ...ype the IP address of the WINS Windows Internet Naming Service server that you want to send to the DHCP clients The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using Windows Networking NetBIOS over TCP IP NetBIOS Network Basic Input Output System are TCP or UDP packets that enable a computer to connect to and communicate with...

Page 139: ...rs based on their MAC addresses Every Ethernet device has a unique MAC Media Access Control address The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters for example 00 A0 C5 00 00 02 To change your ZyWALL s static DHCP settings click NETWORK LAN Static DHCP The screen appears as shown Figure 93 NETWORK LAN Static DHCP ...

Page 140: ...as you can also configure firewall rules to control access between the LAN s logical networks subnets Make sure that the subnets of the logical networks do not overlap The following figure shows a LAN divided into subnets A B and C Figure 94 Physical Network Partitioned Logical Networks To change your ZyWALL s IP alias settings click NETWORK LAN IP Alias The screen appears as shown Table 23 NETWOR...

Page 141: ...ll broadcast its routing table periodically When set to Both or In Only it will incorporate the RIP information that it receives when set to None it will not send any RIP packets and will ignore any RIP packets received RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends it recognizes both formats when receiving RIP 1 is univer...

Page 142: ...ck NETWORK LAN Port Roles The screen appears as shown The radio buttons correspond to Ethernet ports on the front panel of the ZyWALL On the ZyWALL ports 1 to 4 are all LAN ports by default Your changes are also reflected in the DMZ Port Roles and WLAN Port Roles screens Figure 96 NETWORK LAN Port Roles The following table describes the labels in this screen Table 25 NETWORK LAN Port Roles LABEL D...

Page 143: ...se wait for few seconds until the following screen appears Click Return to go back to the Port Roles screen Figure 97 Port Roles Change Complete Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configuring this screen afresh Table 25 NETWORK LAN Port Roles continued LABEL DESCRIPTION ...

Page 144: ...Chapter 6 LAN Screens ZyWALL 2 Plus User s Guide 144 ...

Page 145: ...raffic to circle the network endlessly resulting in possible throughput degradation and disruption of communications The following example shows the network topology that can lead to this problem If your ZyWALL in bridge mode is connected to a wired LAN while communicating with another bridge or a switch that is also connected to the same wired LAN as shown next Figure 98 Bridge Loop Bridge Connec...

Page 146: ...ext table On each bridge the root port is the port through which this bridge communicates with the root It is the port on this switch with the lowest path cost to the root the root path cost If there is no root port then this bridge has been accepted as the root bridge of the spanning tree network For each LAN segment a designated bridge is selected This bridge has the lowest cost to the root amon...

Page 147: ... known as a bridge firewall The ZyWALL bridges traffic traveling between the ZyWALL s interfaces and still filters and inspects packets You do not need to change the configuration of your existing network You can use the firewall and VPN in bridge mode See the user s guide for a list of other features that are available in bridge mode Click NETWORK BRIDGE to display the screen shown next Use this ...

Page 148: ...work IP Subnet Mask The subnet mask specifies the network number portion of an IP address Gateway IP Address Enter the gateway IP address First Second Third DNS Server DNS Domain Name System is for mapping a domain name to its corresponding IP address and vice versa The DNS server is extremely important because without it you must know the IP address of a machine before you can access it The ZyWAL...

Page 149: ...t The lower the numeric value you assign the higher the priority for this bridge Bridge Priority determines the root bridge which in turn determines Hello Time Max Age and Forward Delay Bridge Hello Time Enter an interval between 1 and 10 in seconds that the root bridge waits before sending a hello packet Bridge Max Age Enter an interval between 6 and 40 in seconds that a bridge waits to get a Hel...

Page 150: ...Click Return to go back to the Port Roles screen Figure 101 Port Roles Change Complete Table 29 NETWORK Bridge Port Roles LABEL DESCRIPTION LAN Select a port s LAN radio button to use the port as part of the LAN DMZ Select a port s DMZ radio button to use the port as part of the DMZ WLAN Select a port s WLAN radio button to use the port as part of the WLAN Apply Click Apply to save your changes ba...

Page 151: ... 15 means the link is down The smaller the number the lower the cost 1 The metric sets the priority for the ZyWALL s routes to the Internet Each route must have a unique metric 2 The priorities of the WAN port routes must always be higher than the dial backup and traffic redirect route priorities If the WAN port route has a metric of 1 and the traffic redirect route has a metric of 2 and dial back...

Page 152: ...er TCP IP NetBIOS Network Basic Input Output System are TCP or UDP packets that enable a computer to connect to and communicate with a LAN For some dial up services such as PPPoE or PPTP NetBIOS packets cause unwanted calls Allow between WAN and LAN Select this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN If your firewall is enabled with the default poli...

Page 153: ... RFC 1597 Address Allocation for Private Internets and RFC 1466 Guidelines for Management of IP Address Space 8 5 DNS Server Address Assignment Use DNS Domain Name System to map a domain name to its corresponding IP address and vice versa for instance the IP address of www zyxel com is 204 217 0 2 The DNS server is extremely important because without it you must know the IP address of a computer b...

Page 154: ...ss by either using the factory default or cloning the MAC address from a computer on your LAN Once it is successfully configured the address will be copied to the rom file ZyNOS configuration file It will not change unless you change the setting or upload a different rom file 8 7 WAN To change your ZyWALL s WAN ISP IP and MAC settings click NETWORK WAN WAN The screen differs by the encapsulation 8...

Page 155: ...d RR Manager Roadrunner Manager authentication method RR Toshiba Roadrunner Toshiba authentication method or Telia Login The following fields do not appear with the Standard service type User Name Type the user name given to you by your ISP Password Type the password associated with the user name above Retype to Confirm Type your password again to make sure that you have entered is correctly Login...

Page 156: ...e RIP Direction field controls the sending and receiving of RIP packets Choose Both None In Only or Out Only When set to Both or Out Only the ZyWALL will broadcast its routing table periodically When set to Both or In Only the ZyWALL will incorporate RIP information that it receives When set to None the ZyWALL will not send any RIP packets and will ignore any RIP packets received By default RIP Di...

Page 157: ...wn next is for PPPoE encapsulation Multicast Version Choose None default IGMP V1 or IGMP V2 IGMP Internet Group Multicast Protocol is a session layer protocol used to establish membership in a Multicast group it is not used to carry user data IGMP version 2 RFC 2236 is an improvement over version 1 RFC 1112 but IGMP version 1 is still in wide use If you would like to read more detailed information...

Page 158: ...PPoE saves significant effort for both the end user and ISP carrier as it requires no specific configuration of the broadband modem at the customer site By implementing PPPoE directly on the router rather than individual computers the computers on the LAN do not need PPPoE software installed since the router does that part of the task Further with NAT all of the LAN s computers will have access Se...

Page 159: ...outing information with other routers The RIP Direction field controls the sending and receiving of RIP packets Choose Both None In Only or Out Only When set to Both or Out Only the ZyWALL will broadcast its routing table periodically When set to Both or In Only the ZyWALL will incorporate RIP information that it receives When set to None the ZyWALL will not send any RIP packets and will ignore an...

Page 160: ...e to read more detailed information about interoperability between IGMP version 2 and version 1 please see sections 4 and 5 of RFC 2236 Spoof WAN MAC Address You can use the factory assigned default MAC Address or cloning the MAC address from a computer on your LAN Otherwise select the check box next to Spoof WAN MAC Address and enter the IP address of the computer on the LAN whose MAC you are clo...

Page 161: ...r creating a Virtual Private Network VPN using TCP IP based networks PPTP supports on demand multi protocol and virtual private networking over public networks such as the Internet The ZyWALL supports only one PPTP server connection at any given time To configure a PPTP client you must configure the User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection Us...

Page 162: ...IP address This is the default selection Use Fixed IP Address Select this option If the ISP assigned a fixed IP address My WAN IP Address Enter your WAN IP address in this field if you selected Use Fixed IP Address Advanced Setup Enable NAT Network Address Translation Network Address Translation NAT allows the translation of an Internet protocol address used within one network for example a privat...

Page 163: ...s a network layer protocol used to establish membership in a Multicast group it is not used to carry user data Multicast Version Choose None default IGMP V1 or IGMP V2 IGMP Internet Group Multicast Protocol is a session layer protocol used to establish membership in a Multicast group it is not used to carry user data IGMP version 2 RFC 2236 is an improvement over version 1 RFC 1112 but IGMP versio...

Page 164: ...he gateway for each LAN network Put the protected LAN in one subnet Subnet 1 in the following figure and the backup gateway in another subnet Subnet 2 Configure a LAN to LAN ZyWALL firewall rule that forwards packets from the protected LAN Subnet 1 to the backup gateway Subnet 2 Figure 107 Traffic Redirect LAN Setup 8 9 Configuring Traffic Redirect To change your ZyWALL s traffic redirect settings...

Page 165: ...this field to test your ZyWALL s WAN accessibility Type the IP address of a reliable nearby computer for example your ISP s DNS server address Fail Tolerance Type how many WAN connection checks can fail 1 to 10 before the connection is considered down not connected The ZyWALL still checks a down connection to detect if it reconnects Period The ZyWALL tests a WAN connection by periodically sending ...

Page 166: ...kup Basic Settings Login Name Type the login name assigned by your ISP Password Type the password assigned by your ISP Retype to Confirm Type your password again to make sure that you have entered is correctly Authentication Type Use the drop down list box to select an authentication protocol for outgoing calls Options are CHAP PAP Your ZyWALL accepts either CHAP or PAP when requested by this remo...

Page 167: ...allows the translation of an Internet protocol address used within one network to a different IP address known within another network Select the check box to enable NAT Clear the check box to disable NAT so the ZyWALL does not perform any NAT mapping for the dial backup connection Enable RIP Select this check box to turn on RIP Routing Information Protocol which allows a router to exchange routing...

Page 168: ...ll in wide use If you would like to read more detailed information about interoperability between IGMP version 2 and version 1 please see sections 4 and 5 of RFC 2236 Budget Always On Select this check box to have the dial backup connection on all of the time Configure Budget Select this check box to have the dial backup connection on during the time that you select Allocated Budget Type the amoun...

Page 169: ...dit button in the Dial Backup screen to display the Advanced Setup screen Consult the manual of your WAN device connected to your dial backup port for specific AT commands Figure 110 NETWORK WAN Dial Backup Edit The following table describes the labels in this screen Table 37 NETWORK WAN Dial Backup Edit LABEL DESCRIPTION AT Command Strings Dial Type the AT Command string to make a call Drop Type ...

Page 170: ...o try to set up an outgoing call before timing out stopping Retry Count Type a number of times for the ZyWALL to retry a busy or no answer phone number before blacklisting the number Retry Interval sec Type a number of seconds for the ZyWALL to wait before trying another call after a call has failed This applies before a phone number is blacklisted Drop Timeout sec Type the number of seconds for t...

Page 171: ...s also highly recommended that you keep all sensitive information off of the public servers connected to the DMZ port Store sensitive information on LAN computers 9 2 Configuring DMZ The DMZ and the connected computers can have private or public IP addresses When the DMZ uses public IP addresses the WAN and DMZ ports must use public IP addresses that are on separate subnets See Appendix C on page ...

Page 172: ...y None When set to Both or Out Only the ZyWALL will broadcast its routing table periodically When set to Both or In Only it will incorporate the RIP information that it receives when set to None it will not send any RIP packets and will ignore any RIP packets received Both is the default RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the Z...

Page 173: ...ZyWALL to relay DHCP requests Use dotted decimal notation Alternatively click the right mouse button to copy and or paste the IP address DHCP WINS Server 1 2 Type the IP address of the WINS Windows Internet Naming Service server that you want to send to the DHCP clients The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using Wi...

Page 174: ...ed on their MAC addresses Every Ethernet device has a unique MAC Media Access Control address The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters for example 00 A0 C5 00 00 02 To change your ZyWALL s static DHCP settings on the DMZ click NETWORK DMZ Static DHCP The screen appears as shown Figure 112 NETWORK DMZ Static DHCP ...

Page 175: ...DMZ interface is set to use a private or public IP address Use NAT if you want to make DMZ computers with private IP addresses publicly accessible see Chapter 17 on page 331 for more information When you use IP alias you can have the DMZ use both public and private IP addresses at the same time Make sure that the subnets of the logical networks do not overlap To change your ZyWALL s IP alias setti...

Page 176: ...will broadcast its routing table periodically When set to Both or In Only it will incorporate the RIP information that it receives when set to None it will not send any RIP packets and will ignore any RIP packets received RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends it recognizes both formats when receiving RIP 1 is univ...

Page 177: ...wing figure shows a network setup with both private and public IP addresses on the DMZ Lower case letters represent public IP addresses like a b c d for example The LAN port and connected computers A through C use private IP addresses that are in one subnet The DMZ port and server F use private IP addresses that are in one subnet The private IP addresses of the LAN and DMZ are on separate subnets ...

Page 178: ...port and changing the port s role 1 A port s IP address varies as its role changes make sure your computer s IP address is in the same subnet as the ZyWALL s LAN DMZ or WLAN IP address 2 Use the appropriate LAN DMZ or WLAN IP address to access the ZyWALL To change your ZyWALL s port role settings click NETWORK DMZ Port Roles The screen appears as shown The radio buttons correspond to Ethernet port...

Page 179: ... the LAN The port will use the ZyWALL s LAN IP address and MAC address DMZ Select a port s DMZ radio button to use the port as part of the DMZ The port will use the ZyWALL s DMZ IP address and MAC address WLAN Select a port s WLAN radio button to use the port as part of the WLAN The port will use the ZyWALL s WLAN IP address and MAC address Apply Click Apply to save your changes back to the ZyWALL...

Page 180: ...Chapter 9 DMZ Screens ZyWALL 2 Plus User s Guide 180 ...

Page 181: ...adapters communicating through access points which bridge network traffic to the wired LAN To add a wireless network to the ZyWALL you can connect an Access Point to a port in the WLAN role 10 2 Configuring WLAN To add wireless functionality to the ZyWALL use the Port Roles screen see Figure 121 on page 188 to set a port to be part of the WLAN and connect an access point AP to the WLAN interface C...

Page 182: ... direction from Both In Only Out Only None When set to Both or Out Only the ZyWALL will broadcast its routing table periodically When set to Both or In Only it will incorporate the RIP information that it receives when set to None it will not send any RIP packets and will ignore any RIP packets received Both is the default RIP Version The RIP Version field controls the format and the broadcasting ...

Page 183: ...e button to copy and or paste the IP address DHCP WINS Server 1 2 Type the IP address of the WINS Windows Internet Naming Service server that you want to send to the DHCP clients The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using Windows Networking NetBIOS over TCP IP NetBIOS Network Basic Input Output System are TCP or UD...

Page 184: ... based on their MAC addresses Every Ethernet device has a unique MAC Media Access Control address The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters for example 00 A0 C5 00 00 02 To change your ZyWALL s WLAN static DHCP settings click NETWORK WLAN Static DHCP The screen appears as shown Figure 118 NETWORK WLAN Static DHCP ...

Page 185: ...eway for each of the logical WLAN networks When you use IP alias you can also configure firewall rules to control access between the WLAN s logical networks subnets Make sure that the subnets of the logical networks do not overlap To change your ZyWALL s IP alias settings click NETWORK WLAN IP Alias The screen appears as shown Table 43 NETWORK WLAN Static DHCP LABEL DESCRIPTION This is the index n...

Page 186: ... will broadcast its routing table periodically When set to Both or In Only it will incorporate the RIP information that it receives when set to None it will not send any RIP packets and will ignore any RIP packets received RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends it recognizes both formats when receiving RIP 1 is uni...

Page 187: ...following figure shows the ZyWALL with an AP connected to an Ethernet port in the WLAN port role Figure 120 WLAN Port Role Example Do the following if you are configuring from a computer connected to a LAN DMZ or WLAN port and changing the port s role 1 A port s IP address varies as its role changes make sure your computer s IP address is in the same subnet as the ZyWALL s LAN DMZ or WLAN IP addre...

Page 188: ...WORK WLAN Port Roles Change Complete Table 45 NETWORK WLAN Port Roles LABEL DESCRIPTION LAN Select a port s LAN radio button to use the port as part of the LAN The port will use the LAN IP address DMZ Select a port s DMZ radio button to use the port as part of the DMZ The port will use the DMZ IP address WLAN Select a port s WLAN radio button to use the port as part of the WLAN The port will use t...

Page 189: ...189 PART III Security Firewall 191 Content Filtering Screens 223 Content Filtering Reports 245 IPSec VPN 253 Certificates 295 Authentication Server 323 ...

Page 190: ...190 ...

Page 191: ...irewall to protect your LAN computers from attacks by hackers on the Internet and control access between the LAN DMZ WLAN and WAN By default the firewall allows traffic that originates from your LAN computers to go to all of the networks blocks traffic that originates on the other networks from going to the LAN allows traffic that originates on the WLAN to go to the WAN allows traffic that origina...

Page 192: ...all rules in the order you list them When the traffic matches a rule the ZyWALL takes the action specified in the rule 11 2 Packet Direction Matrix The ZyWALL s packet direction matrix allows you to apply certain security settings like firewall to traffic flowing in specific directions For example click SECURITY FIREWALL to open the following screen This screen configures general firewall settings...

Page 193: ...ng to the DMZ interfaces you would find where the From WAN row and the To DMZ column intersect and set the field to Drop as shown Figure 125 Default Block Traffic From WAN to DMZ Example 11 3 Packet Direction Examples Firewall rules are grouped based on the direction of travel of packets to which they apply This section gives some examples of why you might configure firewall rules for specific con...

Page 194: ...puters on the LAN can access which computers or services connected to the WAN See Section 11 5 on page 200 for an example WAN to LAN These rules specify which computers connected to the WAN can access which computers or services on the LAN For example you may create rules to Allow certain types of traffic such as Lotus Notes database synchronization from specific hosts on the Internet to specific ...

Page 195: ...s For example by default the From LAN To VPN default firewall rule allows traffic from the LAN computers to go out through any of the ZyWALL s VPN tunnels You could configure the From DMZ To VPN default rule to set the ZyWALL to silently block traffic from the DMZ computers from going out through any of the ZyWALL s VPN tunnels Figure 126 From LAN to VPN Example WAN to WAN By default the ZyWALL st...

Page 196: ...gh the ZyWALL s VPN tunnels The ZyWALL decrypts the VPN traffic and then applies the firewall rules From VPN means traffic that came into the ZyWALL through a VPN tunnel and is going to the selected to interface For example by default the firewall allows traffic from any VPN tunnel to go to any of the ZyWALL s interfaces the ZyWALL itself and other VPN tunnels You could edit the From VPN To LAN de...

Page 197: ...all ZyWALL 2 Plus User s Guide 197 Figure 128 From VPN to LAN Example In order to do this you would configure the SECURITY FIREWALL Default Rule screen as follows Figure 129 Block VPN to LAN Traffic by Default Example ...

Page 198: ...ion 14 17 on page 292 for details The ZyWALL decrypts the traffic and applies the firewall rules before re encrypting it or allowing the traffic to terminate at the ZyWALL In the following example the From VPN To VPN default firewall rule silently blocks the traffic that the ZyWALL receives from any VPN tunnel either A or B that is destined for the other VPN tunnel or the ZyWALL itself VPN traffic...

Page 199: ...e 1 Does this rule stop LAN users from accessing critical resources on the Internet For example if IRC is blocked are there users that require this service 2 Is it possible to modify the rule to be more specific For example if IRC is blocked for all users will a rule that blocks just certain users be more effective 3 Does a rule that allows Internet users access to resources on the LAN create a se...

Page 200: ...efault policy that allows all traffic from the LAN to go to the WAN The ZyWALL applies the firewall rules in order So for this example when the ZyWALL receives traffic from the LAN it checks it against the first rule If the traffic matches if it is IRC traffic the firewall takes the action in the rule drop and stops checking the firewall rules Any traffic that does not match the first firewall rul...

Page 201: ...wing all traffic from the LAN to go to the WAN The rule for the CEO must come before the rule that blocks all LAN to WAN IRC traffic If the rule that blocks all LAN to WAN IRC traffic came first the CEO s IRC traffic would match that rule and the ZyWALL would drop it and not check any other firewall rules 11 6 Asymmetrical Routes If an alternate gateway on the LAN has an IP address in the same sub...

Page 202: ...nd Gateway A in different subnets all returning network traffic must pass through the ZyWALL to your LAN The following steps describe such a scenario 1 A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN 2 The ZyWALL reroutes the packet to Gateway A which is in Subnet 2 3 The reply from the WAN goes to the ZyWALL 4 The ZyWALL then sends it to the c...

Page 203: ...is activated Note When you activate the firewall all current connections through the ZyWALL are dropped when you apply your changes Allow Asymmetrical Route If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL s LAN IP address return traffic may not go through the ZyWALL This is called an asymmetrical or triangle route This causes the ZyWALL to reset the connection...

Page 204: ...o the traffic before encrypting it From VPN To VPN means traffic that comes in through a VPN tunnel and goes out through another VPN tunnel or terminates at the ZyWALL This is the case when the ZyWALL is the hub in a hub and spoke VPN This is also the case if you allow someone to use a service like Telnet or HTTP through a VPN tunnel to manage the ZyWALL The ZyWALL applies the firewall to the traf...

Page 205: ...L s firewall rules storage space that is currently in use When the storage space is almost full you should consider deleting unnecessary firewall rules before adding more firewall rules Enable Firewall Select this check box to activate the firewall The ZyWALL performs access control and protects against Denial of Service DoS attacks when the firewall is activated Note When you activate the firewal...

Page 206: ...net or HTTP through a VPN tunnel to manage the ZyWALL The ZyWALL applies the firewall to the traffic after decrypting it Note The VPN connection directions apply to the traffic going to or from the ZyWALL s VPN tunnels They do not apply to other VPN traffic for which the ZyWALL is not one of the gateways VPN pass through traffic Use the drop down list box to set the firewall s default actions base...

Page 207: ...L Rule Summary The following table describes the labels in this screen Table 50 SECURITY FIREWALL Rule Summary LABEL DESCRIPTION Packet Direction Use the drop down list boxes and click Refresh to select a direction of travel of packets for which you want to display firewall rules Note The VPN connection directions apply to the traffic going to or from the ZyWALL s VPN tunnels They do not apply to ...

Page 208: ...le applies Please note that a blank source or destination address is equivalent to Any Service Type This drop down list box displays the services to which this firewall rule applies Custom services have an before the name See Appendix D on page 653 for a list of common services Action This field displays whether the firewall silently discards packets Drop discards packets and sends a TCP reset pac...

Page 209: ...Chapter 11 Firewall ZyWALL 2 Plus User s Guide 209 Figure 138 SECURITY FIREWALL Rule Summary Edit ...

Page 210: ... it Edit Service Available Selected Services Highlight a service from the Available Services box on the left then click to add it to the Selected Service s box on the right To remove a service highlight it in the Selected Service s box on the right then click Next to the name of a service two fields appear in brackets The first field indicates the IP protocol type TCP UDP or ICMP The second field ...

Page 211: ...TCP reset packet or an ICMP destination unreachable message to the sender Select Reject to deny the packets and send a TCP reset packet for a TCP packet or an ICMP destination unreachable message for a UDP packet to the sender Select Permit to allow the passage of the packets Note You also need to configure NAT port forwarding or full featured NAT address mapping rules if you want to allow compute...

Page 212: ...pond to PING on Select the check boxes of the interfaces that you want to reply to incoming Ping requests Clear an interface s check box to have the ZyWALL not respond to any Ping requests that come into that interface Do not respond to requests for unauthorized services Select this option to prevent hackers from finding the ZyWALL by probing for unused ports If you select this option the ZyWALL w...

Page 213: ...n your LAN network 3 The CPU power of servers in your LAN network 4 Network bandwidth 5 Type of traffic for certain servers Reduce the threshold values if your network is slower than average for any of these factors especially if you have servers that are slow or handle many tasks and are often busy If you often use P2P applications such as file sharing with eMule or eDonkey it s recommended that ...

Page 214: ... existing half open sessions that causes the firewall to stop deleting half open sessions The ZyWALL continues to delete half open requests as necessary until the number of existing half open sessions drops below this number Maximum Incomplete High This is the number of existing half open sessions that causes the firewall to start deleting half open sessions When the number of existing half open s...

Page 215: ... services that are predefined in the ZyWALL See Section 11 1 on page 191 for more information about the firewall Figure 142 SECURITY FIREWALL Service The following table describes the labels in this screen Table 54 SECURITY FIREWALL Service LABEL DESCRIPTION Custom Service This table shows all configured custom services This is the index number of the custom service Service Name This is the name o...

Page 216: ...s move up by one when you take this action Add Click this button to bring up the screen that you use to configure a new custom service that is not in the predefined list of services Predefined Service This table shows all the services that are already configured for use in firewall rules See Appendix D on page 653 for a list of common services This is the index number of the predefined service Ser...

Page 217: ...cted direction of travel of packets Port Range Enter the port number from 1 to 255 that defines the customized service To specify one port only enter the port number in the From field and enter it again in the To field To specify a span of ports enter the first port in the From field and enter the last port in the To field Type Code This field is available only when you select ICMP in the IP Proto...

Page 218: ...een displays Enter the name of the firewall rule 6 Select Any in the Destination Address es box and then click Delete 7 Configure the destination address fields as follows and click Add Figure 147 My Service Firewall Rule Example Rule Edit Source and Destination Addresses 8 In the Edit Service section use the arrows between Available Services and Selected Service s to configure it as follows Click...

Page 219: ...Chapter 11 Firewall ZyWALL 2 Plus User s Guide 219 Custom services show up with an before their names in the Services list boxes and the Rule Summary screen s Service Type list box ...

Page 220: ...wall ZyWALL 2 Plus User s Guide 220 Figure 148 My Service Firewall Rule Example Edit Rule Service Configuration Rule 1 allows a My Service connection from the WAN to IP addresses 10 0 0 10 through 10 0 0 15 on the LAN ...

Page 221: ...Chapter 11 Firewall ZyWALL 2 Plus User s Guide 221 Figure 149 My Service Firewall Rule Example Rule Summary Completed ...

Page 222: ...Chapter 11 Firewall ZyWALL 2 Plus User s Guide 222 ...

Page 223: ...ries such as pornography or racial intolerance to block from a pre defined list 12 1 3 Customize Web Site Access You can specify URLs to which the ZyWALL blocks access You can alternatively block access to all URLs except ones that you specify You can also have the ZyWALL block access to URLs that contain key words that you specify 12 2 Content Filtering with an External Database When you register...

Page 224: ...yWALL has no record of the web site it will query the external content filtering database and simultaneously send the request to the web server The external content filtering database may change a web site s category or categorize a previously uncategorized web site 5 The external content filtering server sends the category information back to the ZyWALL which then blocks and or logs access to the...

Page 225: ...fic that the ZyWALL sends out through a VPN tunnel or receives through a VPN tunnel The ZyWALL applies the content filter to the traffic before encrypting it or after decrypting it Note The ZyWALL can apply content filtering on the traffic going to or from the ZyWALL s VPN tunnels It does not apply to other VPN traffic for which the ZyWALL is not one of the gateways VPN pass through traffic Extern...

Page 226: ...ponse from the external content filtering database This can be caused by an expired content filtering registration External content filtering s license key is invalid Select Log to record attempts to access web pages that occur when the external content filtering database is unavailable Content Filter Server Unavailable Timeout Specify a number of seconds 1 to 30 for the ZyWALL to wait for a respo...

Page 227: ...WALL and activated the category based content filtering service Trial Active and the trial subscription expiration date display if you have registered the ZyWALL and activated the category based content filtering service License Inactive and the date your subscription expired display if your subscription to the category based content filtering service has expired Note After you register for conten...

Page 228: ...eld displays whether a content filter policy is turned on Y or not N Click the setting to change it Group Address This drop down list box displays the source user addresses or ranges of addresses to which the content filter policy applies Please note that a blank source or destination address is equivalent to Any Modify Click the general icon to restrict web features and edit the source user addre...

Page 229: ... policy becomes number 6 and the previous content filter policy 6 if there is one becomes content filter policy 7 Click Insert to display the screens where you configure the content filter policy Move Type a content filter policy s index number and the number for where you want to put that policy Click Move to move the policy to the number that you typed The ordering of your policies is important ...

Page 230: ...and provide service based on ID Web Proxy A server that acts as an intermediary between a user and the Internet to provide security administrative control and caching service When a proxy server is located on the WAN it is possible for LAN users to circumvent content filtering by pointing to this proxy server Address Setup Address Type Do you want the policy to apply to packets from a particular s...

Page 231: ...icted pages and a web page matches more than one category you selected you will see a log showing this page matches one category the first matched one only Select All Categories Select this check box to restrict access to all site categories listed below Clear All Categories Select this check box to clear the selected categories below Adult Mature Content Selecting this category excludes pages tha...

Page 232: ...t also includes pages that provide or sell questionable educational materials such as term papers Note This category includes sites identified as being malicious in any way such as having viruses spyware and etc Gambling Selecting this category excludes pages where a user can place a bet or participate in a betting pool including lotteries online It also includes pages that provide information ass...

Page 233: ...s Illegal Drugs Selecting this category excludes pages that promote offer sell supply encourage or otherwise advocate the illegal use cultivation manufacture or distribution of drugs pharmaceuticals intoxicating plants or chemicals and their related paraphernalia Education Selecting this category excludes pages that offer educational information distance learning and trade school information or pr...

Page 234: ...ormation This includes drive by downloads browser hijackers dialers intrusive advertising any program which modifies your homepage bookmarks or security settings and keyloggers It also includes any software which bundles spyware as defined above as part of its offering Information collected or reported is personal if it contains uniquely identifying data such as email addresses name social securit...

Page 235: ...to connect with others to form an online community Typically members describe themselves in personal web page policies and form interactive networks linking them with other members based on common interests or acquaintances Instant messaging file sharing and web logs blogs are common features of Social Networking sites Note These sites may contain offensive material in the community created conten...

Page 236: ...ine purchase of vehicles or parts Humor Jokes Selecting this category excludes pages that primarily focus on comedy jokes fun etc This may include pages containing jokes of adult or mature nature Pages containing humorous Adult Mature content also have an Adult Mature category rating Software Downloads Selecting this category excludes pages that are dedicated to the electronic download of software...

Page 237: ...xcludes pages of organizations that provide top level domain pages as well as web communities or hosting services Advanced Basic Click Advanced to see an expanded list of categories or click Basic to see a smaller list Test Web Site Attribute Test if Web site is blocked You can check whether or not the content filter policy currently blocks any given web page Enter a web site URL in the text box T...

Page 238: ...rbidden web sites Content filter list customization may be enabled and disabled without re entering these site names Disable all Web traffic except for trusted Web sites When this box is selected the ZyWALL only allows Web access to sites on the Trusted Web Site list If they are chosen carefully this is the most effective way to block objectionable material Don t block Java ActiveX Cookies Web pro...

Page 239: ...se the arrow button to move them to the Forbidden Web Sites list Forbidden Web Sites This list displays web sites to which this content filtering policy blocks access Select an entry and use the arrow button to remove it from the list Keyword Blocking Keyword blocking allows you to block websites with URLs that contain certain keywords in the domain name or IP address See Section 12 10 on page 242...

Page 240: ... that you are configuring Schedule Setup Content filtering scheduling applies to the filter list customized sites and keywords Restricted web server data such as ActiveX Java Cookies and Web Proxy are not affected Always Select this option to have content filtering active all the time Everyday from to Select this option to have content filtering active during the specified time interval s of each ...

Page 241: ...t to allow access to regardless of their content rating can be allowed by adding them to this list You can enter up to 32 entries Add Trusted Web Site Enter host names such as www good site com into this text field Do not enter the complete URL of the site that is do not include http All subdomains are allowed For example entering zyxel com also allows www zyxel com partner zyxel com press zyxel c...

Page 242: ...ot include http All subdomains are blocked For example entering bad site com also blocks www bad site com partner bad site com press bad site com etc Forbidden Web Sites This list displays the forbidden web sites already added Add Click this button when you have finished adding the host name in the text field above Delete Select a web site name from the Forbidden Web Site list and then click this ...

Page 243: ...ble command to extend or not extend the keyword blocking search to include the URL s complete filename 12 11 Content Filtering Cache Click SECURITY CONTENT FILTER Cache to display the CONTENT FILTER Cache screen Use this screen to view and configure your ZyWALL s URL caching You can also configure how long a categorized web site address remains in the cache as well as view those web site addresses...

Page 244: ...k to the ZyWALL Reset Click Reset to begin configuring this screen afresh URL Cache Entry Flush Click this button to clear all web site addresses from the cache manually Refresh Click this button to reload the cache This is the index number of a categorized web site address record Category This field shows the site category to which requested access belongs URL This is a web site s address that th...

Page 245: ...web configurator s CONTENT FILTER Categories screen 2 Select at least one category and click Apply 3 Enter a valid URL or IP address of a web site in the Test if Web site is blocked field and click the Test Against Internet Server button When content filtering is active you should see an access blocked or access forwarded message An error message displays if content filtering is not active 13 2 Vi...

Page 246: ... model name and or MAC address under Registered ZyXEL Products You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen see Figure 161 on page 247 Figure 160 myZyXEL com Welcome 4 In the Service Management screen click Content Filter in the Service Name field to open the Blue Coat login screen ...

Page 247: ... Enter your ZyXEL device s MAC address in lower case in the Name field You can find this MAC address in the Service Management screen Figure 161 on page 247 Type your myZyXEL com account password in the Password field 6 Click Submit Figure 162 Blue Coat Login 7 In the Web Filter Home screen click the Reports tab ...

Page 248: ...Figure 164 Blue Coat Report Home 9 Select a time period in the Date Range field either Allowed or Blocked in the Action Taken field and a category or enter the user name if you want to view single user reports and click Run Report The screens vary according to the report type you selected in the Report Home screen 10 A chart and or list of requested web site categories display in the lower half of...

Page 249: ...t Filtering Reports ZyWALL 2 Plus User s Guide 249 Figure 165 Global Report Screen Example 11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested ...

Page 250: ...tegorized or that a web site s contents have changed and the content filtering category needs to be updated Use the following procedure to submit the web site for review 1 Log into the content filtering reports web site see Section 13 2 on page 245 2 In the Web Filter Home screen see Figure 163 on page 248 click Site Submissions to open the Web Page Review Process screen shown next ...

Page 251: ...Chapter 13 Content Filtering Reports ZyWALL 2 Plus User s Guide 251 Figure 167 Web Page Review Process Screen 3 Type the web site s URL in the field and click Submit to have the web site reviewed ...

Page 252: ...Chapter 13 Content Filtering Reports ZyWALL 2 Plus User s Guide 252 ...

Page 253: ...trol and auditing It is used to transport traffic over the Internet or any insecure network that uses TCP IP for communication Internet Protocol Security IPSec is a standards based VPN that offers flexible solutions for secure data communications across a public network like the Internet IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integri...

Page 254: ...works Between routers X and Y the data is protected by tunneling encryption authentication and other security features of the IPSec SA The IPSec SA is established securely using the IKE SA that routers X and Y established first The rest of this section discusses IKE SA and IPSec SA in more detail 14 1 1 IKE SA Overview The IKE SA provides a secure connection between the ZyWALL and remote IPSec rou...

Page 255: ... SA but only the remote IPSec router can initiate an IKE SA 14 2 VPN Rules IKE A VPN Virtual Private Network tunnel gives you a secure connection to another computer or network A gateway policy contains the IKE SA settings It identifies the IPSec routers at either end of a VPN tunnel A network policy contains the IPSec SA settings It specifies which devices behind the IPSec routers can use the VPN...

Page 256: ...ress domain name or dynamic domain name of your ZyWALL displays in router mode The ZyWALL s IP address displays in bridge mode Remote Gateway This represents the remote secure gateway The IP address domain name or dynamic domain name of the remote IPSec router displays if you specify it otherwise Dynamic displays Click this icon to add a VPN network policy Network Policies The subsequent rows in a...

Page 257: ...Sec router cannot establish an IKE SA Click this icon to display a screen in which you can change the settings of a gateway or network policy Click this icon to delete a gateway or network policy When you delete a gateway the ZyWALL automatically moves the associated network policy ies to the recycle bin When you delete a network policy it is just deleted Click this icon to establish a VPN connect...

Page 258: ...h key group is a fixed number of bits long The longer the key the more secure the encryption keys but also the longer it takes to encrypt and decrypt information For example DH2 keys 1024 bits are more secure than DH1 keys 768 bits but DH2 encryption keys take longer to encrypt and decrypt 14 3 1 2 Authentication Before the ZyWALL and remote IPSec router establish an IKE SA they have to verify eac...

Page 259: ...type and content match so the ZyWALL and the remote IPSec router authenticate each other successfully In the following example the ID type and content do not match so the authentication fails and the ZyWALL and the remote IPSec router cannot establish an IKE SA It is also possible to configure the ZyWALL to ignore the identity of the remote IPSec router In this case you usually set the peer ID typ...

Page 260: ...ser name and password to the other router which uses a local user database and or an external server to verify the user name and password If the user name or password is wrong the routers do not establish an IKE SA You can set up the ZyWALL to provide a user name and password to the remote IPSec router or you can set up the ZyWALL to check a user name and password that is provided by the remote IP...

Page 261: ...ot establish a VPN tunnel Most routers like router A now have an IPSec pass through feature This feature helps router A recognize VPN packets and route them appropriately If router A has this feature router X and router Y can establish a VPN tunnel as long as the active protocol is ESP See Section 14 6 3 on page 272 for more information about active protocols If router A does not have an IPSec pas...

Page 262: ... minutes of outbound traffic with no inbound traffic If you set the IPSec SA to nailed up the ZyWALL automatically renegotiates the IPSec SA when the SA life time expires and it does not drop the IPSec SA if there is no inbound traffic The SA life time and nailed up settings only apply if the rule identifies the remote IPSec router by a static IP address or a domain name If the Primary Remote Gate...

Page 263: ...ng encryption algorithms for each proposal The encryption algorithms are listed here in order from weakest to strongest Data Encryption Standard DES is a widely used but breakable method of data encryption It applies a 56 bit key to each 64 bit block of data Triple DES 3DES is a variant of DES It iterates three times with three separate keys effectively tripling the strength of DES Advanced Encryp...

Page 264: ...eway policy icon or the edit icon to display the VPN Gateway Policy Edit screen Use this screen to configure a VPN gateway policy The gateway policy identifies the IPSec routers at either end of a VPN tunnel My ZyWALL and Remote Gateway and specifies the authentication encryption and other settings needed to negotiate a phase 1 IKE SA ...

Page 265: ...Chapter 14 IPSec VPN ZyWALL 2 Plus User s Guide 265 Figure 178 SECURITY VPN VPN Rules IKE Edit Gateway Policy ...

Page 266: ...s when using traffic redirect Otherwise you can select My Domain Name and choose one of the dynamic domain names that you have configured in the DDNS screen to have the ZyWALL use that dynamic domain name s IP address When the ZyWALL is in bridge mode this field is read only and displays the ZyWALL s IP address The VPN tunnel has to be rebuilt if the My ZyWALL IP address changes after setup Primar...

Page 267: ...sed on both ends Certificate Select the Certificate radio button to identify the ZyWALL by a certificate Use the drop down list box to select the certificate to use for this VPN tunnel You must have certificates already configured in the My Certificates screen Click My Certificates to go to the My Certificates screen where you can view the ZyWALL s list of certificates Local ID Type Select IP to i...

Page 268: ...ain name or e mail address by which to identify the remote IPSec router Use up to 31 ASCII characters including spaces although trailing spaces are truncated The domain name or e mail address is for identification purposes only and can be any string It is recommended that you type an IP address other than 0 0 0 0 or use the DNS or E mail ID type in the following situations 1 When there is a NAT ro...

Page 269: ...iation mode Encryption Algorithm Select which key size and encryption algorithm to use in the IKE SA Choices are DES a 56 bit key with the DES encryption algorithm 3DES a 168 bit key with the DES encryption algorithm AES a 128 bit key with the AES encryption algorithm The ZyWALL and the remote IPSec router must use the same algorithms and keys Longer keys require more processing power resulting in...

Page 270: ...e unknown or there are many remote networks using one VPN rule see Section 14 15 1 on page 289 for an example of telecommuters sharing one VPN rule It is not recommended to set a VPN rule s local and remote network settings both to 0 0 0 0 any Associated Network Policies The following table shows the policy ies you configure for this rule To add a VPN policy click the add network policy icon in th...

Page 271: ...ng local and remote IP addresses You can set up virtual address mapping on both IPSec routers to allow computers on network X to access network X and network Y computers with the same IP address You set ZyWALL A to change the source IP addresses of packets from local network X 192 168 1 2 to 192 168 1 4 to virtual IP addresses 10 0 0 2 to 10 0 0 4 before sending them through the VPN tunnel You set...

Page 272: ...cation between the ZyWALL and remote IPSec router for example for remote management not between computers on the local and remote networks The ZyWALL and remote IPSec router must use the same encapsulation These modes are illustrated below In tunnel mode the ZyWALL uses the active protocol to encapsulate the entire IP packet As a result there are two IP headers Outside header The outside IP header...

Page 273: ...nd remote IPSec router perform a DH key exchange every time an IPSec SA is established changing the root key from which encryption keys are generated As a result if one encryption key is compromised other encryption keys remain secure If you do not enable PFS the ZyWALL and remote IPSec router use the same root key that was generated when the IKE SA was established to generate encryption keys The ...

Page 274: ...Chapter 14 IPSec VPN ZyWALL 2 Plus User s Guide 274 Figure 181 SECURITY VPN VPN Rules IKE Edit Network Policy ...

Page 275: ...ote network and vice versa Select this check box to send NetBIOS packets through the VPN connection Check IPSec Tunnel Connectivity Select the check box and configure an IP address in the Ping this Address field to have the ZyWALL periodically test the VPN tunnel to the remote IPSec router The ZyWALL pings the IP address every minute The ZyWALL starts the IPSec connection idle timeout timer when i...

Page 276: ... an IP address as the translated IP address Many to one rules are only for traffic going to the remote network Use port forwarding rules to allow incoming traffic from the remote network When you select Many One to One in the Type field enter the beginning IP address of a range of translated IP addresses Virtual Ending IP Address When you select Many One to One in the Type field enter the ending s...

Page 277: ...r the beginning static IP address in a range of computers on the network behind the remote IPSec router When the Address Type field is configured to Subnet Address enter a static IP address on the network behind the remote IPSec router Ending IP Address Subnet Mask When the Address Type field is configured to Single Address this field is N A When the Address Type field is configured to Range Addre...

Page 278: ...r encryption Choices are NONE disable PFS DH1 enable PFS and use a 768 bit random number DH2 enable PFS and use a 1024 bit random number PFS changes the root key that is used to generate encryption keys for each IPSec SA It is more secure but takes more time Enable Replay Detection As a VPN setup is processing intensive the system is vulnerable to Denial of Service DOS attacks The IPSec receiver c...

Page 279: ...the port forwarding server entry Name Enter a descriptive name for identifying purposes Start Port Type a port number in this field To forward only one port type the port number again in the End Port field To forward a series of ports type the start port number here and the end port number in the End Port field End Port Type a port number in this field To forward only one port type the port number...

Page 280: ...rk Policy LABEL DESCRIPTION Network Policy Information The following fields display the general network settings of this VPN policy Name This field displays the policy name Local Network This field displays one or a range of IP address es of the computer s behind the ZyWALL Remote Network This field displays one or a range of IP address es of the remote network behind the remote IPsec router Gatew...

Page 281: ...m and one authentication algorithm You cannot specify several proposals There is no DH key exchange so you have to provide the encryption key and the authentication key the ZyWALL and remote IPSec router use The ZyWALL and remote IPSec router must use the same encryption key and authentication key 14 10 2 Authentication and the Security Parameter Index SPI For authentication the ZyWALL and remote ...

Page 282: ...ter s on the remote network behind the remote IPSec router This field displays N A when the Remote Gateway Address field displays 0 0 0 0 In this case only the remote IPSec router can initiate the VPN The same static IP address is displayed twice when the Remote Network Address Type field in the VPN Manual Key Edit screen is configured to Single Address The beginning and ending static IP addresses...

Page 283: ... VPN Rules Manual Edit LABEL DESCRIPTION Property Active Select this check box to activate this VPN policy Name Type up to 32 characters to identify this VPN policy You may use any character including spaces but the ZyWALL drops trailing spaces Allow NetBIOS Traffic Through IPSec Tunnel This field is not available when the ZyWALL is in bridge mode NetBIOS Network Basic Input Output System are TCP ...

Page 284: ... and remote IP address es both the same Two active SAs can have the same local or remote IP address but not both You can configure multiple SAs between the same local and remote IP addresses as long as only one is active at any time Address Type Use the drop down list box to choose Single Address Range Address or Subnet Address Select Single Address with a single IP address Select Range Address fo...

Page 285: ...LL from the drop down list box When DES is used for data communications both sender and receiver must know the Encryption Key which can be used to encrypt and decrypt the message or to generate and verify a message authentication code The DES encryption algorithm uses a 56 bit key Triple DES 3DES is a variation on DES that uses a 168 bit key As a result 3DES is more secure than DES It also require...

Page 286: ...24 and the remote network as any 0 0 0 0 The any includes all possible IP addresses It will forward traffic from network A to network B even if both the sender for example 192 168 1 8 and the receiver for example 192 168 1 9 are in network A Note that the remote access can still use the VPN tunnel to access computers on ZyWALL X s network Table 73 SECURITY VPN SA Monitor LABEL DESCRIPTION This is ...

Page 287: ... 1 2 IP Alias You could have an IP alias network that overlaps with the VPN remote network see Figure 188 For example you have an IP alias network M 10 1 2 0 24 in ZyWALL X s LAN For the VPN rule you configure the VPN network as follows Local IP address start 192 168 1 1 end 192 168 1 254 Remote IP address start 10 1 2 240 end 10 1 2 254 IP addresses 10 1 2 240 to 10 1 2 254 overlap Figure 188 Ove...

Page 288: ...e the ZyWALL updates the domain name and IP address mapping through a DNS server The ZyWALL rebuilds the VPN tunnel if it finds that the domain name is now using a different IP address any users of the VPN tunnel will be temporarily disconnected Enter 0 to disable this feature Adjust TCP Maximum Segment Size The TCP packets are larger after the ZyWALL encrypts them for VPN The ZyWALL fragments pac...

Page 289: ...ould not overlap Figure 190 Telecommuters Sharing One VPN Rule Example Local and Remote IP Address Conflict Resolution Select The Local Network to send packets destined for overlapping local and remote IP addresses to the local network you can access the local devices but not the remote devices Select The Remote Network via VPN Tunnel to send packets destined for overlapping local and remote IP ad...

Page 290: ...nd figure for an example where three telecommuters each use a different VPN rule for a VPN connection with a ZyWALL located at headquarters The ZyWALL at headquarters HQ in the figure identifies each incoming SA by its ID type and content and uses the appropriate VPN rule to establish the VPN connection The ZyWALL at headquarters can also initiate VPN connections to the telecommuters since it can ...

Page 291: ...dquarters Rules My ZyWALL 0 0 0 0 My ZyWALL bigcompanyhq com Remote Gateway Address bigcompanyhq com Local Network Single IP Address 192 168 1 10 Remote Network Single IP Address 192 168 1 10 Local ID Type E mail Peer ID Type E mail Local ID Content bob bigcompanyhq com Peer ID Content bob bigcompanyhq com Telecommuter A telecommutera dydns org Headquarters ZyWALL Rule 1 Local ID Type IP Peer ID T...

Page 292: ...a limited number of VPN tunnels are also able to use VPN to connect to more networks Hub and spoke VPN makes it easier for the hub router to manage the traffic between the spoke routers If you have the spoke routers access the Internet through the hub and spoke VPN tunnel the hub router can also provide content filtering protection for the spoke routers You should not use a hub and spoke VPN in ev...

Page 293: ...ddresses The VPN rules for this hub and spoke example would use the following address settings Branch Office A Remote Gateway 10 0 0 1 Local IP address 192 168 167 0 255 255 255 0 Remote IP address 192 168 168 0 192 168 169 255 Headquarters Rule 1 Remote Gateway 10 0 0 2 Local IP address 192 168 168 0 192 168 169 255 Remote IP address 192 168 167 0 255 255 255 0 Rule 2 Remote Gateway 10 0 0 3 Loca...

Page 294: ...arate VPN rule for each spoke In the local IP address specify the IP addresses of the hub and spoke networks with which the spoke is to be able to have a VPN tunnel This may require you to use more than one VPN rule If you want to have the spoke routers access the Internet through the hub and spoke VPN tunnel set the VPN rules in the spoke routers to use 0 0 0 0 any as the remote IP address Make s...

Page 295: ...e kept secure Public key encryption in general works as follows 1 Tim wants to send a private message to Jenny Tim generates a public private key pair What is encrypted with one key can only be decrypted using the other 2 Tim keeps the private key and makes the public key openly available 3 Tim uses his private key to encrypt the message and sends it to Jenny 4 Jenny receives the message and uses ...

Page 296: ... keys 15 2 Self signed Certificates You can have the ZyWALL act as a certification authority and sign its own certificates 15 3 Verifying a Certificate Before you import a trusted CA or trusted remote host certificate into the ZyWALL you should verify that you have the actual certificate This is especially true of trusted CA certificates since the ZyWALL also trusts any valid certificate signed by...

Page 297: ...to manage certificates on the ZyWALL Figure 197 Certificate Configuration Overview Use the My Certificate screens to generate and export self signed certificates or certification requests and import the ZyWALL s CA signed certificates Use the Trusted CA screens to save the certificates of trusted CAs to the ZyWALL You can also export the certificates to a computer Use the Trusted Remote Hosts scre...

Page 298: ...lt certificate The factory default certificate is common to all ZyWALLs that use certificates ZyXEL recommends that you use this button to replace the factory default certificate with one that uses your ZyWALL s MAC address This field displays the certificate index number The certificates are listed in alphabetical order Name This field displays the name used to identify this certificate It is rec...

Page 299: ...e a certificate that one or more features is configured to use Do the following to delete a certificate that shows SELF in the Type field 1 Make sure that no other features such as HTTPS VPN SSH are configured to use the SELF certificate 2 Click the details icon next to another self signed certificate see the description on the Create button if you need to create a self signed certificate 3 Select...

Page 300: ...e you can also set the ZyWALL to use the certificate to sign the imported trusted remote host certificates Figure 199 SECURITY CERTIFICATES My Certificates Details The following table describes the labels in this screen Table 78 SECURITY CERTIFICATES My Certificates Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate If you want to change the name type up to...

Page 301: ...f the certificate is about to expire or has already expired Key Algorithm This field displays the type of algorithm that was used to generate the certificate s key pair the ZyWALL uses RSA encryption and the length of the key set in bits 1024 bits for example Subject Alternative Name This field displays the certificate owner s IP address IP domain name DNS or e mail address EMAIL Key Usage This fi...

Page 302: ...y and private key certificates The private key in a PKCS 12 file is within a password encrypted envelope The file s password is not connected to your certificate s public or private passwords Exporting a PKCS 12 file creates this and you must provide it to decrypt the contents when you import the file into the ZyWALL Figure 200 SECURITY CERTIFICATES My Certificates Export Apply Click Apply to save...

Page 303: ...le form Binary PKCS 7 This is a standard that defines the general syntax for data including digital signatures that may be encrypted The ZyWALL currently allows the importation of a PKS 7 file that contains a single certificate PEM Base 64 encoded PKCS 7 This Privacy Enhanced Mail PEM format uses 64 ASCII characters to convert a binary PKCS 7 certificate into a printable form Table 79 SECURITY CER...

Page 304: ...ing the transfer process It is easy for this to occur since many programs use text files by default Figure 201 SECURITY CERTIFICATES My Certificates Import The following table describes the labels in this screen When you import a binary PKCS 12 format certificate another screen displays for you to enter the password Table 80 SECURITY CERTIFICATES My Certificates Import LABEL DESCRIPTION File Path ...

Page 305: ...ertificate Create screen Use this screen to have the ZyWALL create a self signed certificate enroll a certificate with a certification authority or generate a certification request Table 81 SECURITY CERTIFICATES My Certificates Import PKCS 12 LABEL DESCRIPTION Password Type the file s password that was created when the PKCS 12 file was exported Apply Click Apply to save the certificate on the ZyWA...

Page 306: ...Chapter 15 Certificates ZyWALL 2 Plus User s Guide 306 Figure 203 SECURITY CERTIFICATES My Certificates Create Basic ...

Page 307: ...cters not including spaces to identify this certificate Subject Information Use these fields to record information that identifies the owner of the certificate You do not have to fill in every field but the Common Name is mandatory if you click Basic The certification authority may add fields such as a serial number to the subject information when it issues a certificate It is recommended that eac...

Page 308: ...cters O organization select this and enter an organization to identify the owner of the certificate You can use up to 63 characters DC domain component select this and enter the domain component of a domain to identify the owner of the certificate For example if the domain is zyxel com the domain component is zyxel or com You can use up to 63 characters L locality name select this and enter the pl...

Page 309: ...a certificate immediately online to have the ZyWALL generate a request for a certificate and apply to a certification authority for a certificate You must have the certification authority s certificate already imported in the Trusted CAs screen When you select this option you must select the certification authority s enrollment protocol and the certification authority s certificate from the drop d...

Page 310: ...A select the CA s RA signing certificate from the drop down list box You must have the certificate already imported in the Trusted CAs screen Click Trusted CAs to go to the Trusted CAs screen where you can view and manage the ZyWALL s list of certificates of trusted certification authorities RA Encryption Certificate If you select Enrollment via an RA select the CA s RA encryption certificate from...

Page 311: ...rmation as in the Subject field Valid From This field displays the date that the certificate becomes applicable The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable Valid To This field displays the date that the certificate expires The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or ...

Page 312: ... and set whether or not you want the ZyWALL to check a certification authority s list of revoked certificates before trusting a certificate issued by the certification authority Figure 206 SECURITY CERTIFICATES Trusted CAs Details Import Click Import to open a screen where you can save the certificate of a certification authority that you trust from your computer to the ZyWALL Refresh Click this b...

Page 313: ...gned means that the certificate s owner signed the certificate not a certification authority X 509 means that this certificate was created and signed according to the ITU T X 509 recommendation that defines the formats for public key certificates Version This field displays the X 509 version number Serial Number This field displays the certificate s identification number given by the certification...

Page 314: ...lso displays the domain names or IP addresses of the servers MD5 Fingerprint This is the certificate s message digest that the ZyWALL calculated using the MD5 algorithm You can use this value to verify with the certification authority over the phone for example that this is actually their certificate SHA1 Fingerprint This is the certificate s message digest that the ZyWALL calculated using the SHA...

Page 315: ...ot need to add any certificate that is signed by one of the certification authorities on the Trusted CAs screen since the ZyWALL automatically accepts any valid certificate signed by a trusted certification authority as being trustworthy Figure 208 SECURITY CERTIFICATES Trusted Remote Hosts Table 85 SECURITY CERTIFICATES Trusted CAs Import LABEL DESCRIPTION File Path Type in the location of the fi...

Page 316: ... field displays identifying information about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate have unique subject information Valid From This field displays the date that the certificate becomes applicable The text displays in red and includes a Not Yet Valid message if the certifica...

Page 317: ... certificates in the hierarchy of certification authorities that validate a certificate s issuing certification authority For a trusted host the list consists of the end entity s own certificate and the default self signed certificate that the ZyWALL uses to sign remote host certificates Refresh Click Refresh to display the certification path Certificate Information These read only fields display ...

Page 318: ...means that the key can be used to sign certificates and KeyEncipherment means that the key can be used to encrypt text Basic Constraint This field displays general information about the certificate For example Subject Type CA means that this is a certification authority s certificate and Path Length Constraint 1 means that there can only be one certification authority in the certificate s path MD5...

Page 319: ... certificate signed by a trusted certification authority as being trustworthy The trusted remote host certificate must be a self signed certificate and you must remove any spaces from its filename before you can import it Figure 210 SECURITY CERTIFICATES Trusted Remote Hosts Import The following table describes the labels in this screen Apply Click Apply to save your changes back to the ZyWALL You...

Page 320: ... describes the labels in this screen Apply Click Apply to save the certificate on the ZyWALL Cancel Click Cancel to quit and return to the Trusted Remote Hosts screen Table 88 SECURITY CERTIFICATES Trusted Remote Hosts Import LABEL DESCRIPTION Table 89 SECURITY CERTIFICATES Directory Servers LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL s PKI storage spa...

Page 321: ... want to delete the directory server Note that subsequent certificates move up by one when you take this action Add Click Add to open a screen where you can configure information about a directory server so that the ZyWALL can access it Table 89 SECURITY CERTIFICATES Directory Servers LABEL DESCRIPTION Table 90 SECURITY CERTIFICATES Directory Server Add LABEL DESCRIPTION Directory Service Setting ...

Page 322: ...lf in order to assess the directory server Type the login name up to 31 ASCII characters from the entity maintaining the directory server usually a certification authority Password Type the password up to 31 ASCII characters from the entity maintaining the directory server usually a certification authority Apply Click Apply to save your changes back to the ZyWALL Cancel Click Cancel to quit config...

Page 323: ...mit on the number of users you may authenticate in this way 16 1 2 RADIUS The ZyWALL can use a RADIUS server to authenticate an unlimited number of users RADIUS is based on a client server model that supports authentication authorization and accounting The access point is the client and the server is the RADIUS server The RADIUS server handles the following tasks Authentication Determines the iden...

Page 324: ...ng Request Sent by the access point requesting accounting Accounting Response Sent by the RADIUS server to indicate that it has started or stopped accounting In order to ensure network security the ZyWALL and the RADIUS server use a shared secret key which is a password they both know The key is not sent over the network In addition to the shared key password information exchanged is also encrypte...

Page 325: ...creen Table 91 SECURITY AUTH SERVER Local User Database LABEL DESCRIPTION Active Select this check box to enable the user profile User Name Enter the user name of the user profile Password Enter a password up to 31 characters long for this user profile Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configuring this screen afresh ...

Page 326: ...ed decimal notation Port Number The default port of the RADIUS server for authentication is 1812 You need not change this value unless your network administrator instructs you to do so with additional information Key Enter a password up to 31 alphanumeric characters as the key to be shared between the external authentication server and the ZyWALL The key is not sent over the network This key must ...

Page 327: ...hared between the external accounting server and the ZyWALL The key is not sent over the network This key must be the same on the external accounting server and ZyWALL Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configuring this screen afresh Table 92 SECURITY AUTH SERVER RADIUS LABEL DESCRIPTION ...

Page 328: ...Chapter 16 Authentication Server ZyWALL 2 Plus User s Guide 328 ...

Page 329: ...329 PART IV Advanced Network Address Translation NAT 331 Static Route 347 Bandwidth Management 351 DNS 365 Remote Management 377 UPnP 399 ALG Screen 411 ...

Page 330: ...330 ...

Page 331: ...l address refers to the IP address of a host when the packet is in the local network while the global address refers to the IP address of the host when the same packet is traveling in the WAN side Note that inside outside refers to the location of a host while global local refers to the IP address of a host used in a packet Thus an inside local address ILA is the IP address of an inside host in a ...

Page 332: ...rs to the DMZ port instead If you do not define any servers for Many to One and Many to Many Overload mapping NAT offers the additional benefit of firewall protection With no servers defined your ZyWALL filters out all incoming inquiries thus preventing intruders from probing your network For more information on IP address translation refer to RFC 1631 The IP Network Address Translator NAT 17 1 3 ...

Page 333: ...orks 17 1 4 NAT Application The following figure illustrates a possible NAT application where three inside LANs logical LANs using IP alias behind the ZyWALL can communicate with three distinct WAN networks More examples follow at the end of this chapter Figure 216 NAT Application With IP Alias ...

Page 334: ...D The ZyWALL changes the server s IP address to 2 and port to B Since 1 A has already sent packets to 3 C and 4 D they can send packets back to 2 B and the ZyWALL will perform NAT on them and send them to the server at IP address 1 port A Packets have not been sent from 1 A to 4 E or 5 so they cannot send packets to 1 A Figure 217 Port Restricted Cone NAT Example 17 1 6 NAT Mapping Types NAT suppo...

Page 335: ...d through the ZyWALL 17 2 1 SUA Single User Account Versus NAT SUA Single User Account is a ZyNOS implementation of a subset of NAT that supports two types of mapping Many to One and Server The ZyWALL also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types Select either SUA or Full Feature in NAT Overview Tab...

Page 336: ...l permit at one time Max Concurrent Sessions Per Host Use this field to set the highest number of NAT sessions that the ZyWALL will permit a host to have at one time Enable NAT Select this check box to turn on the NAT feature for the WAN port Clear this check box to turn off the NAT feature for the WAN port Address Mapping Rules Select SUA if you have just one public WAN IP address for your ZyWALL...

Page 337: ...ere are any empty rules before your new configured rule your configured rule will be pushed up by that number of empty rules For example if you have already configured rules 1 to 6 in your current set and now you configure rule number 9 In the set summary screen the new rule will be rule 7 not 9 Now if you delete rule 4 rules 5 to 7 will be pushed up by 1 rule so old rules 5 6 and 7 become new rul...

Page 338: ... is for all local IP addresses then this field displays 0 0 0 0 as the Local Start IP address Local IP addresses are N A for Server port mapping Local End IP This is the end Inside Local Address ILA If the rule is for all local IP addresses then this field displays 255 255 255 255 as the Local End IP address This field is N A for One to One and Server mapping types Global Start IP This refers to t...

Page 339: ... Single User Account feature that previous ZyXEL routers supported only 3 Many to Many Overload mode maps multiple local IP addresses to shared global IP addresses 4 Many One to One mode maps each local IP address to unique global IP addresses 5 Server allows you to specify inside servers of different services behind the NAT to be accessible to the outside world Modify Click the edit icon to go to...

Page 340: ...ified in this screen Table 97 ADVANCED NAT Address Mapping Edit LABEL DESCRIPTION Type Choose the port mapping type from one of the following 1 One to One One to One mode maps one local IP address to one global IP address Note that port numbers do not change for One to One NAT mapping type 2 Many to One Many to One mode maps multiple local IP addresses to one global IP address This is equivalent t...

Page 341: ...s 21 25 to one FTP Telnet and SMTP server A in the example port 80 to another B in the example and assign a default server IP address of 192 168 1 35 to a third C in the example You assign the LAN IP addresses and the ISP assigns the WAN IP address The NAT network appears as a single host on the Internet Figure 221 Multiple Servers Behind NAT Example 17 5 4 Port Translation The ZyWALL can translat...

Page 342: ...P address 192 168 1 34 In this example anyone wanting to access server A from the Internet must use port 8080 Anyone wanting to access server B from the Internet must use port 8100 Figure 222 Port Translation Example 17 6 Port Forwarding Screen Click ADVANCED NAT Port Forwarding to open the Port Forwarding screen If you do not assign a Default Server IP address the ZyWALL discards all packets rece...

Page 343: ...orwarding server entry Active Select this check box to enable the port forwarding server entry Clear this check box to disallow forwarding of these ports to an inside server without having to delete the entry Name Enter a name to identify this port forwarding rule Incoming Port s Enter a port number here To forward only one port enter it again in the second field To specify a range of ports enter ...

Page 344: ...pecific port number and protocol incoming port the ZyWALL forwards the traffic to the LAN IP address of the computer that sent the request After that computer s connection for that service closes another computer on the LAN can use the service in the same manner This way you do not need to configure a new IP address each time you want a different LAN computer to use the application For example Fig...

Page 345: ...raffic with this port or range of ports to the client computer on the LAN that requested the service Start Port Type a port number or the starting port number in a range of port numbers End Port Type a port number or the ending port number in a range of port numbers Trigger The trigger port is a port or a range of ports that causes or triggers the ZyWALL to record the IP address of the LAN compute...

Page 346: ...Chapter 17 Network Address Translation NAT ZyWALL 2 Plus User s Guide 346 ...

Page 347: ...not reachable through the default gateway use static routes For example the next figure shows a computer A connected to the ZyWALL s LAN interface The ZyWALL routes most traffic from A to the Internet through the default gateway R1 You create one static route to connect to services offered by your ISP behind router R2 You create another static route to communicate with a separate network behind a ...

Page 348: ...BEL DESCRIPTION This is the number of an individual static route Name This is the name that describes or identifies this route Active This field shows whether this static route is active Yes or not No Destination This parameter specifies the IP network address of the final destination Routing is always based on network number Gateway This is the IP address of the gateway The gateway is a router or...

Page 349: ...o force the network number to be identical to the host ID IP Subnet Mask Enter the IP subnet mask here Gateway IP Address Enter the IP address of the gateway The gateway is a router or switch on the same network segment as the device s LAN or WAN port The gateway helps forward packets to their destinations Metric Metric represents the cost of transmission for routing purposes IP routing uses hop c...

Page 350: ...Chapter 18 Static Route ZyWALL 2 Plus User s Guide 350 ...

Page 351: ...ckets at the next routing device For example you can set the WAN interface speed to 1024 kbps or less if the broadband device connected to the WAN port has an upstream speed of 1024 kbps 19 2 Bandwidth Classes and Filters Use bandwidth classes and sub classes to allocate specific amounts of bandwidth capacity bandwidth budgets Configure a bandwidth filter to define a bandwidth class or sub class b...

Page 352: ...Bandwidth Management You can create bandwidth classes based on subnets The following figure shows LAN subnets You could configure one bandwidth class for subnet A and another for subnet B Figure 229 Subnet based Bandwidth Management Example 19 6 Application and Subnet based Bandwidth Management You could also create bandwidth classes based on a combination of a subnet and an application The follow...

Page 353: ... using among the bandwidth classes that require more bandwidth When you enable maximize bandwidth usage the ZyWALL first makes sure that each bandwidth class gets up to its bandwidth allotment Next the ZyWALL divides up an interface s available bandwidth bandwidth that is unbudgeted or unused by the classes depending on how many bandwidth classes require more bandwidth and on their priority levels...

Page 354: ...dgeted Bandwidth The following table shows the priorities of the bandwidth classes and the amount of bandwidth that each class gets Suppose that all of the classes except for the administration class need more bandwidth Each class gets up to its budgeted bandwidth The administration class only uses 1024 kbps of its budgeted 2048 kbps The sales and marketing are first to get extra bandwidth because...

Page 355: ...llow the sub class to use its parent class s unused bandwidth A parent class s unused bandwidth is given to the highest priority sub class first The sub class can also borrow bandwidth from a higher parent class grandparent class if the sub class s parent class is also configured to borrow bandwidth from its parent class This can go on for as many levels as are configured to borrow bandwidth from ...

Page 356: ...geted bandwidth on the interface to any class that requires it The ZyWALL gives priority to classes of higher priority and treats classes of the same level equally 4 If the bandwidth requirements of all of the traffic classes are met and there is still some unbudgeted bandwidth the ZyWALL assigns it to traffic that does not match any of the classes 19 10 Over Allotment of Bandwidth It is possible ...

Page 357: ...anagement on that interface Bandwidth management applies to all traffic flowing out of the router through the interface regardless of the traffic s source Traffic redirect or IP alias may cause LAN to LAN or DMZ to DMZ traffic to pass through the ZyWALL and be managed by bandwidth management Active Select an interface s check box to enable bandwidth management on that interface Speed kbps Enter th...

Page 358: ...ses Figure 231 ADVANCED BW MGMT Class Setup Scheduler Select either Priority Based or Fairness Based from the drop down menu to control the traffic flow Select Priority Based to give preference to bandwidth classes with higher priorities Select Fairness Based to treat all bandwidth classes equally See Section 19 7 on page 353 Maximize Bandwidth Usage Select this check box to have the ZyWALL divide...

Page 359: ...sub classes You cannot delete the root class Statistics Click Statistics to display the status of the selected class Enabled classes Search Order This list displays the interface s active bandwidth management classes the ones that have the bandwidth filter enabled The ZyWALL applies the classes in the order that they appear here Once a connection matches a bandwidth management class the ZyWALL app...

Page 360: ...is option to allow a sub class to borrow bandwidth from its parent class if the parent class is not using up its bandwidth budget Bandwidth borrowing is governed by the priority of the sub classes That is a sub class with the highest priority 7 is the first to borrow bandwidth from its parent class Do not select this for the classes directly below the root class if you want to leave bandwidth avai...

Page 361: ...e following fields other than the Subnet Mask fields which you only enter if you also enter a corresponding destination or source IP address Destination Address Type Do you want your rule to apply to packets going to a particular single IP a range of IP addresses for example 192 168 1 10 to 192 169 1 50 or a subnet Select Single Address Range Address or Subnet Address Destination IP Address Enter ...

Page 362: ...MP 6 for TCP or 17 for UDP Apply Click Apply to save your changes back to the ZyWALL Cancel Click Cancel to exit this screen without saving Table 111 Services and Port Numbers SERVICES PORT NUMBER ECHO 7 FTP File Transfer Protocol 21 SMTP Simple Mail Transfer Protocol 25 DNS Domain Name System 53 Finger 79 HTTP Hyper Text Transfer protocol or WWW Web 80 POP3 Post Office Protocol 110 NNTP Network N...

Page 363: ...tal number of packets transmitted Tx Bytes This field displays the total number of bytes transmitted Dropped Packets This field displays the total number of packets dropped Dropped Bytes This field displays the total number of bytes dropped Bandwidth Statistics for the Past 8 Seconds t 8 to t 1 This field displays the bandwidth statistics in bps for the past one to eight seconds For example t 1 me...

Page 364: ...ocated to bandwidth classes If you do not enable maximize bandwidth usage on an interface the ZyWALL uses the bandwidth in this default class to send traffic that does not match any of the bandwidth classes A A If you allocate all the root class s bandwidth to the bandwidth classes the default class still displays a budget of 2 kbps the minimum amount of bandwidth that can be assigned to a bandwid...

Page 365: ...s you DNS server addresses manually enter them in the DNS server fields 2 If your ISP dynamically assigns the DNS server IP addresses along with the ZyWALL s WAN IP address set the DNS server fields to get the DNS server address from the ISP 3 You can manually enter the IP addresses of other DNS servers These servers can be public or private A DNS server could even be behind a remote IPSec router ...

Page 366: ...ed to the same IP address as yourhost com This feature is useful if you want to be able to use for example www yourhost com and still reach your hostname 20 5 Name Server Record A name server record contains a DNS server s IP address The ZyWALL can query the DNS server to resolve domain names for features like VPN DDNS and the time server A domain zone may also be included A domain zone is a fully...

Page 367: ...anet DNS server on the remote network then the VPN host must use IP addresses to access the computers on the remote private network 20 6 System Screen Click ADVANCED DNS to display the following screen Use this screen to configure your ZyWALL s DNS address and name server records Figure 236 ADVANCED DNS System DNS ...

Page 368: ...ver s IP address The ZyWALL can query the DNS server to resolve domain names for features like VPN DDNS and the time server When the ZyWALL needs to resolve a domain name it checks it against the name server record entries in the order that they appear in this list A indicates a name server record without a domain zone The default record is grayed out The ZyWALL uses this default record if the dom...

Page 369: ... The ZyWALL can query the DNS server to resolve domain names for features like VPN DDNS and the time server A domain zone may also be included A domain zone is a fully qualified domain name without the host For example zyxel com tw is the domain zone for the www zyxel com tw fully qualified domain name Table 115 ADVANCED DNS Add Address Record LABEL DESCRIPTION FQDN Type a fully qualified domain n...

Page 370: ...ress N A displays for all of the DNS server IP address fields if the ZyWALL has a fixed WAN IP address Select Public DNS Server if you have the IP address of a DNS server The IP address must be public or a private address on your local LAN Enter the DNS server s IP address in the field to the right Public DNS Server entries with the IP address set to 0 0 0 0 are not allowed Select Private DNS Serv...

Page 371: ...d DNS timeout period A negative response means that the ZyWALL did not receive a response for a query it sent to a DNS server within the five second DNS timeout period When the ZyWALL receives DNS queries it compares them against the DNS cache before querying a DNS server If the DNS query matches a positive entry the ZyWALL responses with the IP address from the entry If the DNS query matches a ne...

Page 372: ...of commonly queried domain names for which DNS resolution has failed and reduces the amount of traffic that the ZyWALL sends out to the WAN Negative Cache Period Type the time 60 to 3600 seconds that the ZyWALL is to allow a negative resolution entry to remain in the DNS cache before discarding it Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configuring this...

Page 373: ...second choice to User Defined and enter the same IP address the second User Defined changes to None after you click Apply Select DNS Relay to have the ZyWALL act as a DNS proxy The ZyWALL s LAN DMZ or WLAN IP address displays in the field to the right read only The ZyWALL tells the DHCP clients on the LAN DMZ or WLAN that the ZyWALL itself is the DNS server When a computer on the LAN DMZ or WLAN s...

Page 374: ...S account with www dyndns org This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a domain name The Dynamic DNS service provider will give you a password or key You must go to the Dynamic DNS service provider s website and register a user account and a domain name before you can use the Dynamic DNS service with your ZyWALL 20 10 1 DYNDNS Wildcard Enabli...

Page 375: ... name above You can use up to 31 alphanumeric characters and the underscore Spaces are not allowed My Domain Names Domain Name 1 5 Enter the host names in these fields DDNS Type Select the type of service that you are registered for from your Dynamic DNS service provider Select Dynamic if you have the Dynamic DNS service Select Static if you have the Static DNS service Select Custom if you have th...

Page 376: ...here are one or more NAT routers between the ZyWALL and the DDNS server This feature has the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address Note The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the ZyWALL and the DDNS server Apply Click Apply to save your changes back to the ZyWALL Reset...

Page 377: ... Management From the WAN When you configure remote management to allow management from any network except the LAN you still need to configure a firewall rule to allow access See Chapter 11 on page 191 for details on configuring firewall rules You can also disable a service on the ZyWALL by not allowing access for the service protocol through any of the ZyWALL interfaces You may only have one remot...

Page 378: ...et the ZyWALL to use HTTP or HTTPS HTTPS adds security for web configurator sessions Specify which interfaces allow web configurator access and from which IP address the access can come HTTPS HyperText Transfer Protocol over Secure Socket Layer or HTTP over SSL is a web protocol that encrypts and decrypts web pages Secure Socket Layer SSL is an application level protocol that enables secure transa...

Page 379: ...rom a web browser go to port 80 by default on the ZyWALL s WS web server Figure 243 HTTPS Implementation If you disable the HTTP service in the REMOTE MGMT WWW screen then the ZyWALL blocks all HTTP connection attempts 21 3 WWW Configuration Click ADVANCED REMOTE MGMT to open the WWW screen Use this screen to configure the ZyWALL s HTTP and HTTPS management settings Figure 244 ADVANCED REMOTE MGMT...

Page 380: ...ed to access the ZyWALL web configurator to use https ZyWALL IP Address 8443 as the URL Server Access Select the interface s through which a computer may access the ZyWALL using this service You can allow only secure web configurator access by clearing all of the interface check boxes in the HTTP Server Access field and setting the HTTPS Server Access field to an interface s Secure Client IP Addre...

Page 381: ...ator login screen if you select No then web configurator access is blocked Figure 245 Security Alert Dialog Box Internet Explorer 21 4 2 Netscape Navigator Warning Messages When you attempt to access the ZyWALL HTTPS server a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate Click Examine Certificate if you want to verify that the certificate is fr...

Page 382: ...te is a self signed certificate For the browser to trust a self signed certificate import the self signed certificate into your operating system as a trusted certificate To have the browser trust the certificates issued by a certificate authority import the certificate authority s certificate into your operating system as a trusted certificate Refer to Appendix E on page 657 for details The actual...

Page 383: ... of the ZyWALL s port that you are trying to access as the certificate s common name For example to use HTTPS to access a LAN port with IP address 192 168 1 1 create a certificate that uses 192 168 1 1 as the common name Go to the remote management WWW screen and select the newly created certificate in the Server Certificate field Click Apply 21 4 4 Login Screen After you accept the certificate th...

Page 384: ...ess that will be specific to this device Click CERTIFICATES to open the My Certificates screen You will see information similar to that shown in the following figure Figure 250 Device specific Certificate Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate You will then see this information in the My Certificates screen Figure 251 Common ZyWALL Certificate ...

Page 385: ...text SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network In the following figure computer A on the Internet uses SSH to securely connect to the WAN port of the ZyWALL for a management session Figure 252 SSH Communication Over the WAN Example 21 6 How SSH Works The following tab...

Page 386: ...d data encryption activated a secure tunnel is established between the client and the server The client then sends its authentication information user name and password to the server to log in to the server 21 7 SSH Implementation on the ZyWALL Your ZyWALL supports SSH version 1 5 using RSA authentication and three encryption methods DES 3DES and Blowfish The SSH server is implemented on the ZyWAL...

Page 387: ...ue Table 121 ADVANCED REMOTE MGMT SSH LABEL DESCRIPTION Server Host Key Select the certificate whose corresponding private key is to be used to identify the ZyWALL for SSH connections You must have certificates already configured in the My Certificates screen Click My Certificates and see Chapter 15 on page 295 for details Server Port You may change the server port number for a service if needed h...

Page 388: ...ENTER The computer attempts to connect to port 22 on the ZyWALL using the default IP address of 192 168 1 1 A message displays indicating the SSH protocol version supported by the ZyWALL Figure 256 SSH Example 2 Test 2 Enter ssh 1 192 168 1 1 This command forces your computer to connect to the ZyWALL using SSH version 1 If this is the first time you are connecting to the ZyWALL using SSH a message...

Page 389: ... 3 Use the put command to upload a new firmware to the ZyWALL Figure 258 Secure FTP Firmware Upload Example ssh 1 192 168 1 1 The authenticity of host 192 168 1 1 192 168 1 1 can t be established RSA1 key fingerprint is 21 6c 07 25 7e f4 75 80 ec af bd d4 3d 80 53 d1 Are you sure you want to continue connecting yes no yes Warning Permanently added 192 168 1 1 RSA1 to the list of known hosts Admini...

Page 390: ...he labels in this screen Table 122 ADVANCED REMOTE MGMT TELNET LABEL DESCRIPTION Server Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Server Access Select the interface s through which a computer may access the ZyWALL using this service Secure Client IP Address A secure client is a tru...

Page 391: ...260 ADVANCED REMOTE MGMT FTP The following table describes the labels in this screen Table 123 ADVANCED REMOTE MGMT FTP LABEL DESCRIPTION Server Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Server Access Select the interface s through which a computer may access the ZyWALL using this ...

Page 392: ...o main types of component agents and a manager An agent is a management software module that resides in a managed device the ZyWALL An agent translates the local management information from the managed device into a form compatible with SNMP The manager is the console through which network administrators perform network management functions It executes applications that control and monitor managed...

Page 393: ...cal data and monitor status and performance 21 14 2 SNMP Traps The ZyWALL will send traps to the SNMP manager when any one of the following events occurs 21 14 3 REMOTE MANAGEMENT SNMP To change your ZyWALL s SNMP settings click ADVANCED REMOTE MGMT SNMP The screen appears as shown Table 124 SNMP Traps TRAP TRAP NAME DESCRIPTION 0 coldStart defined in RFC 1215 A trap is sent after booting power on...

Page 394: ...o the SNMP manager The default is public and allows all requests Destination Type the IP address of the station to send your SNMP traps to SNMP Service Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Service Access Select the interface s through which a computer may access the ZyWALL usi...

Page 395: ...ily configure manage monitor and troubleshoot ZyXEL devices located worldwide See the Vantage CNM User s Guide for details If you allow your ZyWALL to be managed by the Vantage CNM server then you should not configure the ZyWALL using either the web configurator SMT menus or commands without notifying the Vantage CNM administrator Table 126 ADVANCED REMOTE MGMT DNS LABEL DESCRIPTION Service Port T...

Page 396: ...P address is incorrect The Vantage CNM server is behind a NAT router or firewall that does not forward packets through to the Vantage CNM server The encryption algorithms and or encryption keys do not match between the ZyWALL and the Vantage CNM server Last Registration Time This field displays the last date year month date and time hours minutes seconds that the ZyWALL registered with the Vantage...

Page 397: ...ver Choose from None no encryption DES or 3DES The Encryption Key field appears when you select DES or 3DES The ZyWALL must use the same encryption algorithm as the Vantage CNM server Encryption Key Type eight alphanumeric characters 0 to 9 a to z or A to Z when you choose the DES encryption algorithm and 24 alphanumeric characters 0 to 9 a to z or A to Z when you choose the 3DES encryption algori...

Page 398: ...Chapter 21 Remote Management ZyWALL 2 Plus User s Guide 398 ...

Page 399: ... a separate icon Selecting the icon of a UPnP device will allow you to access the information and properties of that device 22 1 2 NAT Traversal UPnP NAT traversal automates the process of allowing an application to operate through NAT UPnP network devices can automatically configure network addressing announce their presence in the network to other UPnP devices and enable exchange of simple produ...

Page 400: ...This identifies the ZyXEL device in UPnP applications Enable the Universal Plug and Play UPnP feature Select this check box to activate UPnP Be aware that anyone could use a UPnP application to open the web configurator s login screen without entering the ZyWALL s IP address although you must still enter the password to access the web configurator Allow users to make configuration changes through ...

Page 401: ...WALL s NAT routing table This is the index number of the UPnP created NAT mapping rule entry Remote Host This field displays the source IP address on the WAN of inbound IP packets Since this is often a wildcard the field may be blank When the field is blank the ZyWALL forwards all traffic sent to the External Port on the WAN interface to the Internal Client on the Internal Port When this field dis...

Page 402: ...lays whether or not this UPnP created NAT mapping rule is turned on The UPnP enabled device that connected to the ZyWALL and configured the UPnP created NAT mapping rule on the ZyWALL determines whether or not the rule is enabled Description This field displays a text explanation of the NAT mapping rule Lease Duration This field displays a dynamic port mapping rule s time to live in seconds It dis...

Page 403: ...l Panel Double click Add Remove Programs 2 Click on the Windows Setup tab and select Communication in the Components selection box Click Details 3 In the Communications window select the Universal Plug and Play check box in the Components selection box 4 Click OK to go back to the Add Remove Programs Properties window and click Next 5 Restart the computer when prompted ...

Page 404: ... port of the ZyXEL device Turn on your computer and the ZyXEL device 1 Click Start Settings and Control Panel 2 Double click Network Connections 3 In the Network Connections window click Advanced in the main menu and select Optional Networking Components The Windows Optional Networking Components Wizard window displays 4 Select Networking Service in the Components selection box and click Details 5...

Page 405: ... Panel Double click Network Connections An icon displays under Internet Gateway 2 Right click the icon and select Properties 3 In the Internet Connection Properties window click Settings to see the port mappings that were automatically created You may edit or delete the port mappings or click Add to manually add port mappings ...

Page 406: ... With UPnP you can access the web based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first This is helpful if you do not know the IP address of the ZyXEL device 4 Select the Show icon in notification area when connected check box and click OK An icon displays in the system tray 5 Double click the icon to display your current Internet connection status ...

Page 407: ...ck Start and then Control Panel 2 Double click Network Connections 3 Select My Network Places under Other Places 4 An icon with the description for each UPnP enabled device displays under Local Network 5 Right click the icon for your ZyXEL device and select Invoke The web configurator login screen displays ...

Page 408: ...Chapter 22 UPnP ZyWALL 2 Plus User s Guide 408 6 Right click the icon for your ZyXEL device and select Properties A properties window displays with basic information about the ZyXEL device ...

Page 409: ...n to the default ports By default these ZyWALL features monitor traffic for the following protocols on these port numbers FTP 21 SIP 5060 H 323 1720 SMTP 25 POP3 110 HTTP 80 Changes in the Custom APP screen do not apply to the firewall 23 2 Custom Applicaton Configuration Click ADVANCED Custom APP to open the Custom Application screen This screen only specifies what port numbers the ZyWALL checks ...

Page 410: ...e than one entry To remove an entry select Select a Type Description Enter information about the reason for monitoring custom port numbers for this protocol Start Port Enter the starting port for the range that the ZyWALL is to monitor for this application If you are only entering a single port number enter it here End Port Enter the ending port for the range that the ZyWALL is to monitor for this...

Page 411: ... ZyWALL translates the device s private IP address inside the data stream to a public IP address It also records session port numbers and dynamically creates implicit NAT port forwarding and firewall rules for the application s traffic to come in from the WAN to the LAN 24 1 1 ALG and NAT The ZyWALL dynamically creates an implicit NAT session for the application s traffic from the WAN to the LAN T...

Page 412: ...aranteed quality of service NetMeeting uses H 323 24 4 RTP When you make a VoIP call using H 323 or SIP the RTP Real time Transport Protocol is used to handle voice data transfer See RFC 1889 for details on RTP 24 4 1 H 323 ALG Details The H 323 ALG supports peer to peer H 323 calls The H 323 ALG handles H 323 calls that go through NAT or that the ZyWALL routes You can also make other H 323 calls ...

Page 413: ... Translators allows the VoIP device to find the presence and types of NAT routers and or firewalls between it and the public Internet STUN also allows the VoIP device to find the public IP address that NAT assigned so the VoIP device can embed it in the SIP data stream See RFC 3489 for details on STUN You do not need to use STUN for devices behind the ZyWALL if you enable the SIP ALG 24 5 2 SIP AL...

Page 414: ...WALL SIP ALG drops any incoming calls after the timeout period 24 5 4 SIP Audio Session Timeout If no voice packets go through the SIP ALG before the timeout period default 5 minutes expires the SIP ALG does not drop the call but blocks all voice traffic and deletes the audio session You cannot hear anything and you will need to make a new call to continue your conversation 24 6 ALG Screen Click A...

Page 415: ...e SIP ALG Select this check box to allow SIP sessions to pass through the ZyWALL SIP is a signaling protocol used in VoIP Voice over IP the sending of voice signals over Internet Protocol SIP Timeout Most SIP clients have an expire mechanism indicating the lifetime of signaling sessions The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ...

Page 416: ...Chapter 24 ALG Screen ZyWALL 2 Plus User s Guide 416 ...

Page 417: ...417 PART V Logs and Maintenance Logs Screens 419 Maintenance 447 ...

Page 418: ...418 ...

Page 419: ... screen Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen see Section 25 3 on page 422 Options include logs about system maintenance system errors access control allowed or blocked web sites blocked web features such as ActiveX controls java and cookies attacks such as DoS and IPSec Log entries in red indicate system error logs The log wraps ar...

Page 420: ...g was recorded See Section 26 4 on page 449 to configure the ZyWALL s time and date Message This field states the reason for the log Source This field lists the source IP address and the port number of the incoming packet Destination This field lists the destination IP address and the port number of the incoming packet Note This field displays additional information about the log entry Email Log N...

Page 421: ...fault configuration file you can download a CA certificate signed by VeriSign from myZyXEL com and import it into the ZyWALL as a trusted CA This will stop the ZyWALL from generating this log every time it attempts to connect with myzyxel com and the update server Follow the steps below to download the certificate from myZyXEL com 1 Go to http www myZyXEL com and log in with your account 2 Click D...

Page 422: ...is a type of log that warrants more serious attention They include system errors attacks access control and attempted access to blocked web sites or web sites with restricted web features such as cookies active X and so on Some categories such as System Errors consist of both logs and alerts You may differentiate them by their color in the View Log screen Alerts display in red and logs display in ...

Page 423: ...Chapter 25 Logs Screens ZyWALL 2 Plus User s Guide 423 Figure 274 LOGS Log Settings ...

Page 424: ...specify which day of the week the E mail should be sent If you select When Log is Full an alert is sent when the log fills up If you select None no log messages are sent Day for Sending Log Use the drop down list box to select which day of the week to send the logs Time for Sending Log Enter the time of the day in 24 hour format for example 23 00 equals 11 00 pm to send the logs SMTP Authenticatio...

Page 425: ...r web sites that also get counted as hits The ZyWALL records web site hits by counting the HTTP GET packets Many web sites include HTTP GET references to other web sites and the ZyWALL may count these as hits thus the web hit count is not yet 100 accurate Click LOGS Reports to display the following screen Send Immediate Alert Select the categories of alerts for which you want the ZyWALL to instant...

Page 426: ... this screen afresh Interface Select on which interface LAN DMZ or WLAN the logs will be collected The logs on the DMZ LAN or WLAN IP alias 1 and 2 are also recorded Report Type Use the drop down list box to select the type of reports to display Web Site Hits displays the web sites that have been visited the most often from the LAN and how many times they have been visited Protocol Port displays t...

Page 427: ...rop down list box to have the ZyWALL record and display the LAN DMZ or WLAN IP addresses that the most traffic has been sent to and or from and how much traffic has been sent to and or from those IP addresses Table 136 LOGS Reports Web Site Hits Report LABEL DESCRIPTION Web Site This column lists the domain names of the web sites visited most often from computers on the LAN DMZ or WLAN The names a...

Page 428: ...BEL DESCRIPTION IP Address This column lists the LAN DMZ or WLAN IP addresses to and or from which the most traffic has been sent The LAN DMZ or WLAN IP addresses are listed in descending order with the LAN DMZ or WLAN IP address to and or from which the most traffic was sent listed first Direction This field displays Incoming to denote traffic that is coming in from the WAN to the LAN DMZ or WLAN...

Page 429: ...ost used protocol or service port listed first Direction This field displays Incoming to denote traffic that is coming in from the WAN to the LAN DMZ or WLAN This field displays Outgoing to denote traffic that is going out from the LAN DMZ or WLAN to the WAN Amount This column lists how much traffic has been sent and or received for each protocol or service port The measurement unit shown bytes Kb...

Page 430: ...DHCP PPPoE PPTP or dial up server DHCP client IP expired A DHCP client s IP address has expired DHCP server assigns s The DHCP server assigned an IP address to a client Successful SMT login Someone has logged on to the router s SMT interface SMT login failed Someone has failed to log on to the router s SMT interface Successful WEB login Someone has logged on to the router s web configurator interf...

Page 431: ...omeone has failed to log on to the router s web configurator interface using HTTPS protocol DNS server s was not responding to last 32 consecutive queries The specified DNS server did not respond to the last 32 consecutive queries DDNS update IP s host d successfully The device updated the IP address of the specified DDNS host name SMTP successfully The device sent an e mail myZyXEL com registrati...

Page 432: ...e with the SMTP server error message included Table 142 Access Control Logs LOG MESSAGE DESCRIPTION Firewall default policy TCP UDP IGMP ESP GRE OSPF Packet Direction Attempted TCP UDP IGMP ESP GRE OSPF access matched the default policy and was blocked or forwarded according to the default policy s setting Firewall rule NOT match TCP UDP IGMP ESP GRE OSPF Packet Direction rule d Attempted TCP UDP ...

Page 433: ...eout 10 seconds Exceed MAX incomplete sent TCP RST The router sent a TCP reset packet when the number of incomplete connections TCP and UDP exceeded the user configured threshold Incomplete count is for all TCP and UDP connections through the firewall Note When the number of incomplete connections TCP UDP Maximum Incomplete High the router sends TCP RST packets for TCP connections and destroys TOS...

Page 434: ...3 times board d line d channel d call d s C02 OutCall Connected d s The PPPoE PPTP or dial up call is connected board d line d channel d call d s C02 Call Terminated The PPPoE PPTP or dial up call was disconnected Table 147 PPP Logs LOG MESSAGE DESCRIPTION ppp LCP Starting The PPP connection s Link Control Protocol stage has started ppp LCP Opening The PPP connection s Link Control Protocol stage ...

Page 435: ...ow the category type s s cache hit The system detected that the web site is in blocked list from the local cache and knows the category type s Trusted Web site The web site is in a trusted domain s When the content filter is not on according to the time schedule or you didn t select the Block Matched Web Site check box the system forwards the web content Waiting content filter server timeout The e...

Page 436: ...fied an ICMP packet with no source routing entry as an IP spoofing attack vulnerability ICMP type d code d The firewall detected an ICMP vulnerability attack traceroute ICMP type d code d The firewall detected an ICMP traceroute attack ports scan UDP The firewall detected a UDP port scan attack Firewall sent TCP packet in response to DoS attack TCP The firewall sent TCP packet in response to a DoS...

Page 437: ...ervice was blocked according to remote management settings Table 152 IPSec Logs LOG MESSAGE DESCRIPTION Discard REPLAY packet The router received and discarded a packet with an incorrect sequence number Inbound packet authentication failed The router received a packet that has been altered A third party may have altered or tampered with the packet Receive IPSec packet but no corresponding tunnel e...

Page 438: ... or phase 2 parameters don t match Please check all protocols settings Ex One device being configured for 3DES and the other being configured for DES causes the connection to fail Local remote IPs of incoming request conflict with rule d The security gateway is set to 0 0 0 0 and the router used the peer s Local Address as the router s Remote Address This information conflicted with static rule d ...

Page 439: ...TCP Maximum Segment Size value after establishing a tunnel Rule d input idle time out disconnect The tunnel for the listed rule was dropped because there was no inbound traffic within the idle timeout period XAUTH succeed Username Username The router used extended authentication to authenticate the listed username XAUTH fail Username Username The router was not able to use extended authentication ...

Page 440: ...ing IKE request IKE sent an IKE request for the listed rule Rule d Receiving IKE request IKE received an IKE request for the listed rule Swap rule to rule d The router changed to using the listed rule Rule d Phase 1 key length mismatch The listed rule s IKE phase 1 key length with the AES encryption algorithm did not match between the router and the peer Rule d phase 1 mismatch The listed rule s I...

Page 441: ...suer name as recorded from the LDAP server whose IP address and port are recorded in the Source field Rcvd ARL size issuer name The router received an ARL Authority Revocation List with size and issuer name as recorded from the LDAP server whose address and port are recorded in the Source field Failed to decode the received ca cert The router received a corrupted certification authority certificat...

Page 442: ...used 15 CRL is too old 16 CRL is not valid 17 CRL signature was not verified correctly 18 CRL was not found anywhere 19 CRL was not added to the cache 20 CRL decoding failed 21 CRL is not currently valid but in the future 22 CRL contains duplicate serial numbers 23 Time interval is not continuous 24 Time information not available 25 Database method failed due to timeout 26 Database method failed 2...

Page 443: ... for packets traveling from the WLAN to the DMZ WL to WL WLAN to WLAN ZyWALL ACL set for packets traveling from the WLAN to the WLAN or the ZyWALL Table 157 ICMP Notes TYPE CODE DESCRIPTION 0 Echo Reply 0 Echo reply message 3 Destination Unreachable 0 Net unreachable 1 Host unreachable 2 Protocol unreachable 3 Port unreachable 4 A packet that needed fragmentation was dropped because it was set to ...

Page 444: ...bly time exceeded 12 Parameter Problem 0 Pointer indicates the error 13 Timestamp 0 Timestamp request message 14 Timestamp Reply 0 Timestamp reply message 15 Information Request 0 Information request message 16 Information Reply 0 Information reply message Table 157 ICMP Notes continued TYPE CODE DESCRIPTION ...

Page 445: ...Bytes rcvd receiveBytes dir from to protoID IPProtocolID proto serviceName trans IPSec Normal This message is sent by the device when the connection session is closed The facility is defined in the Log Settings screen The severity is the traffic log type The message and note always display Traffic Log The proto field lists the service name The dir field lists the incoming and outgoing interfaces L...

Page 446: ... log descriptions Event Log Facility 8 Severity Mon dd hr mm ss hostname src srcIP srcPort dst dstIP dstPort ob 0 1 ob_mac mac address msg msg note note devID mac address cat Anti Spam 1stReIP IP This message is sent by the device RAS displays as the system name if you haven t configured one at the time when this syslog is generated The facility is defined in the web MAIN MENU LOGS Log Settings pa...

Page 447: ...indows 95 98 click Start Settings Control Panel Network Click the Identification tab note the entry for the Computer Name field and enter it as the System Name In Windows 2000 click Start Settings Control Panel and then double click System Click the Network Identification tab and then the Properties button Note the entry for the Computer name field and enter it as the System Name In Windows XP cli...

Page 448: ...If you leave this blank the domain name obtained by DHCP from the ISP is used While you must enter the host name System Name the domain name can be assigned from the ZyWALL via DHCP Enter the domain name if you know it here If you leave this field blank the ISP may assign a domain name via DHCP The domain name entered by you is given priority over the ISP assigned domain name Administrator Inactiv...

Page 449: ...se this screen to configure the ZyWALL s time based on your local time zone Table 161 MAINTENANCE Password LABEL DESCRIPTION Old Password Type the default password or the existing password you use to access the system in this field If you forget the password you may have to use the hardware RESET button This restores the default password of 1234 New Password Type your new system password up to 30 ...

Page 450: ...ving at the same time the new time and date you entered has priority and the Time Zone and Daylight Saving settings do not affect it New Time hh mm ss This field displays the last updated time from the time server or the last time configured manually When you set Time and Date Setup to Manual enter the new time in this field and then click Apply New Date yyyy mm dd This field displays the last upd...

Page 451: ...st parts of the United States on the second Sunday of March Each time zone in the United States starts using Daylight Saving Time at 2 A M local time So in the United States you would select Second Sunday March and type 2 in the o clock field Daylight Saving Time starts in the European Union on the last Sunday of March All of the time zones in the European Union start using Daylight Saving Time at...

Page 452: ... selects one pool and tries to synchronize with a server in it If the synchronization fails then the ZyWALL goes through the rest of the list in order from the first one tried until either it is successful or all the pre defined NTP time server pools have been tried 26 5 1 Resetting the Time The ZyWALL resets time and date settings from the time server under the following circumstances When the Zy...

Page 453: ...f a network in that it does not modify the frames it forwards The bridge checks the source address of incoming frames on the port and learns MAC addresses to associate with that port All future communications to that MAC address will only be sent on that port The bridge gradually builds a host MAC address to port mapping table such as in the following example during the learning process Table 163 ...

Page 454: ...g As it only moves frames between ports after inspecting them it is completely transparent 2 Performance is improved as there s less processing overhead 3 As a transparent bridge does not modify the frames it forwards it is effectively stealth as it is invisible to attackers Bridging devices are most useful in complex environments that require a rapid or new firewall deployment A transparent bridg...

Page 455: ... DMZ or WLAN to go to the LAN WAN DMZ or WLAN screen where you can view and or change the corresponding settings Bridge Select this radio button and configure the following fields then click Apply to set the ZyWALL to bridge mode IP Address Enter the IP address of your ZyWALL in dotted decimal notation Use an IP address in the same subnet as the network to which you connect the ZyWALL Make sure th...

Page 456: ...ed to assign your computer a static IP address in the same subnet as the ZyWALL s IP address in order to access the ZyWALL You can use the firewall and VPN in bridge mode See the user s guide for a list of other features that are available in bridge mode Figure 286 MAINTENANCE Device Mode Bridge Mode The following table describes the labels in this screen Table 165 MAINTENANCE Device Mode Bridge M...

Page 457: ...to stop the ZyWALL from acting as a DHCP server When configured as a server the ZyWALL provides TCP IP configuration for the clients If not DHCP service is disabled and you must have another DHCP server on your LAN or else the computers must be manually configured When set as a server fill in the rest of the DHCP setup fields IP Pool Starting Address This field specifies the first of the contiguou...

Page 458: ...ng icon on your desktop Figure 289 Network Temporarily Disconnected After two minutes log in again and check your new firmware version in the HOME screen If the upload was not successful the following screen will appear Click Return to go back to the F W Upload screen Table 166 MAINTENANCE Firmware Upload LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field...

Page 459: ...Backup and Restore See Section 41 5 on page 579 for transferring configuration files using FTP TFTP commands Click MAINTENANCE Backup Restore Information related to factory defaults backup configuration and restoring configuration appears as shown next Figure 291 MAINTENANCE Backup and Restore ...

Page 460: ...to your ZyWALL 1 Do not turn off the ZyWALL while configuration file upload is in progress After you see a restore configuration successful screen you must then wait one minute before logging into the ZyWALL again Figure 292 Configuration Upload Successful The ZyWALL automatically restarts in this time causing a temporary network disconnect In some operating systems you may see the following icon ...

Page 461: ... Back to Factory Defaults Click the Reset button to clear all user entered configuration information and return the ZyWALL to its factory defaults as shown on the screen The following warning screen appears Figure 295 Reset Warning Message You can also press the hardware RESET button to reset the factory defaults of your ZyWALL Refer to Section 2 3 on page 53 for more information on the RESET butt...

Page 462: ...ic files by e mail and or the console port The diagnostics files contain the ZyWALL s configuration and diagnostic information You may need to generate this file and send it to customer support during troubleshooting Click MAINTENANCE Diagnostics to open the following screen The ZyWALL sends only one diagnosis mail within five minutes unless you click Perform Diagnostics Now ...

Page 463: ... than 60 seconds Enter 0 to have the ZyWALL not generate and send diagnostic files based on CPU usage going over a specific level Periodic Diagnostics Use these fields to set the ZyWALL to generate and send diagnostic files at regular intervals Even if you enable both CPU utilization based and periodic diagnosis the ZyWALL only sends one diagnostic file within five minutes unless you click Perform...

Page 464: ...Type a title that you want to be in the subject line of the diagnostic e mail message that the ZyWALL sends Mail Sender Enter the e mail address that you want to be in the from sender line of the diagnostic e mail message that the ZyWALL sends If you activate SMTP authentication the e mail address must be able to be authenticated by the mail server as well Send Log to Diagnostic files are sent to ...

Page 465: ... Setup 501 Remote Node Setup 509 IP Static Route Setup 519 Network Address Translation NAT 521 Introducing the ZyWALL Firewall 539 Filter Configuration 541 SNMP Configuration 557 System Information Diagnosis 559 Firmware and Configuration File Maintenance 571 System Maintenance Menus 8 to 10 587 Remote Management 595 Call Scheduling 599 ...

Page 466: ...466 ...

Page 467: ...us via console port how to navigate the SMT and how to configure SMT menus 27 2 Accessing the SMT via the Console Port Make sure you have the physical connection properly set up as described in the Quick Start Guide When configuring using the console port you need a computer equipped with communications software configured to the following parameters VT100 terminal emulation 9600 Baud No parity 8 ...

Page 468: ...e you attempt to modify the configuration are listed in the table below Copyright c 1994 2007 ZyXEL Communications Corp initialize ch 0 ethernet address 00 A0 C5 01 23 45 initialize ch 1 ethernet address 00 A0 C5 01 23 46 initialize ch 2 ethernet address 00 A0 C5 01 23 47 initialize ch 3 ethernet address 00 A0 C5 01 23 48 initialize ch 4 ethernet address 00 00 00 00 00 00 AUX port init done Modem ...

Page 469: ...e to save the new configuration N A fields N A Some of the fields in the SMT will show a N A This symbol refers to an option that is Not Applicable Save your configuration ENTER Save your configuration by pressing ENTER at the message Press ENTER to confirm or ESC to cancel Saving the data on the screen will take you in most cases to the previous menu Make sure you save your settings in each scree...

Page 470: ...ernet access setup Internet address gateway login etc with this menu 5 DMZ Setup Use this menu to apply DMZ filters and configure DHCP and TCP IP settings for the DMZ port 7 Wireless Setup Use this menu to configure WLAN DHCP and TCP IP settings for the wireless LAN interface 11 Remote Node Setup Use this menu to configure detailed remote node settings your ISP is also a remote node as well as app...

Page 471: ... IP and DHCP Ethernet Setup 7 2 1 IP Alias Setup 11 Remote Node Setup 11 1 Remote Node Profile 11 1 2 Remote Node Network Layer Options 11 1 4 Remote Node Filter 11 1 5 Traffic Redirect Setup 11 2 Remote Node Profile Backup ISP 11 2 2 Remote Node Network Layer Options 11 2 3 Remote Node Script 11 2 4 Remote Node Filter 12 Static Routing Setup 12 1 Edit IP Static Route 15 NAT Setup 15 1 Address Map...

Page 472: ...ation and Console Port Speed 24 2 1 System Information 24 2 2 Console Port Speed 24 3 Log and Trace 24 3 1 View Error Log 24 3 2 Syslog Logging 24 3 4 Call Triggering Packet 24 4 Diagnostic 24 5 Backup Configuration 24 6 Restore Configuration 24 7 Upload Firmware 24 7 1 Upload System Firmware 24 7 2 Upload System Configuration File 24 8 Command Interpreter Mode 24 9 Call Control 24 9 1 Budget Mana...

Page 473: ...ing the SMT ZyWALL 2 Plus User s Guide 473 Note that as you type a password the screen displays an x for each character you type 27 5 Resetting the ZyWALL See Section 2 3 on page 53 for directions on resetting the ZyWALL ...

Page 474: ...Chapter 27 Introducing the SMT ZyWALL 2 Plus User s Guide 474 ...

Page 475: ...e Mode Router Mode Edit Dynamic DNS No Press ENTER to Confirm or ESC to Cancel Table 172 Menu 1 General Setup Router Mode FIELD DESCRIPTION System Name Choose a descriptive name for identification purposes It is recommended you enter your computer s Computer name in this field This name can be up to 30 alphanumeric characters long Spaces are not allowed but dashes and underscores _ are accepted Do...

Page 476: ...ENTER at the prompt Press ENTER to Confirm to save your configuration or press ESC at any time to cancel Menu 1 General Setup System Name Domain Name Device Mode Bridge Mode IP Address 192 168 1 1 Network Mask 255 255 255 0 Gateway 0 0 0 0 First System DNS Server IP Address 0 0 0 0 Second System DNS Server IP Address 0 0 0 0 Third System DNS Server IP Address 0 0 0 0 Press ENTER to Confirm or ESC ...

Page 477: ...o select Yes in the Edit Host field Press ENTER to display Menu 1 1 1 DDNS Host Summary Menu 1 1 Configure Dynamic DNS Service Provider WWW DynDNS ORG Active No Username Password Edit Host No Press ENTER to Confirm or ESC to Cancel Table 174 Menu 1 1 Configure Dynamic DNS FIELD DESCRIPTION Service Provider This is the name of your Dynamic DNS service provider Active Press SPACE BAR to select Yes a...

Page 478: ...______________________________________________________ Select Command None Select Rule N A Press ENTER to Confirm or ESC to Cancel Table 175 Menu 1 1 1 DDNS Host Summary FIELD DESCRIPTION This is the DDNS host index number Summary This displays the details about the DDNS host Select Command Press SPACE BAR to choose from None Edit Delete Next Page or Previous Page and then press ENTER You must sel...

Page 479: ...selected http www dyndns org traffic is redirected to a URL that you have previously specified see www dyndns org for details IP Address Update Policy You can select Yes in either the Let DDNS Server Auto Detect field recommended or the Use User Defined field but not both With the Let DDNS Server Auto Detect and Use User Defined fields both set to No the DDNS server automatically updates the IP ad...

Page 480: ...DHCP client renewal Use WAN IP Address Enter the static public IP address if you select Yes in the Use User Defined field When you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your configuration or press ESC at any time to cancel Table 176 Menu 1 1 1 DDNS Edit Host continued FIELD DESCRIPTION ...

Page 481: ...pter explains how to configure settings for your WAN port and how to configure the ZyWALL for a dial backup connection 29 2 WAN Setup From the main menu enter 2 to open menu 2 Figure 308 MAC Address Cloning in WAN Setup Menu 2 WAN Setup MAC Address Assigned By Factory default IP Address N A Dial Backup Active No Port Speed 115200 AT Command String Init at fs0 0 Edit Advanced Setup No Press ENTER t...

Page 482: ...direct for information on an alternate backup WAN connection 29 4 Configuring Dial Backup in Menu 2 From the main menu enter 2 to open menu 2 Table 177 MAC Address Cloning in WAN Setup FIELD DESCRIPTION MAC Address Assigned By Press SPACE BAR and then ENTER to choose one of two methods to assign a MAC Address Choose Factory Default to select the factory assigned default MAC Address Choose IP addre...

Page 483: ...ield to turn the dial backup feature on Yes or off No Port Speed Press SPACE BAR and then press ENTER to select the speed of the connection between the Dial Backup port and the external device Available speeds are 9600 19200 38400 57600 115200 or 230400 bps AT Command String Init Enter the AT command string to initialize the WAN device Consult the manual of your WAN device connected to your Dial B...

Page 484: ...AT Commands Fields FIELD DESCRIPTION AT Command Strings Dial Enter the AT Command string to make a call Drop Enter the AT Command string to drop a call represents a one second wait e g ath can be used if your modem has a slow response time Answer Enter the AT Command string to answer a call Drop DTR When Hang Up Press the SPACE BAR to choose either Yes or No When Yes is selected the default the DT...

Page 485: ...er before blacklisting the number Retry Interval sec Enter a number of seconds for the ZyWALL to wait before trying another call after a call has failed This applies before a phone number is blacklisted Drop Timeout sec Enter a number of seconds for the ZyWALL to wait before dropping the DTR signal if it does not receive a positive disconnect confirmation Call Back Delay sec Enter a number of seco...

Page 486: ...ion Edit Script Options Press SPACE BAR to select Yes and press ENTER to edit the AT script for the dial backup remote node Menu 11 2 3 Remote Node Script See Section 29 8 on page 488 for more information Telco Option Allocated Budget Enter the maximum number of minutes that this remote node may be called within the time period configured in the Period field The default for this field is 0 meaning...

Page 487: ...your ISP static IP address assignment is selected in the previous field Rem Subnet Mask Enter the subnet mask associated with your static IP My WAN Addr Leave the field set to 0 0 0 0 to have the ISP or other remote router dynamically automatically assign your WAN IP address if you do not know it Enter your WAN IP address here if you know it static This is the address assigned to your local ZyWALL...

Page 488: ...he ordering of the sets is significant i e starting from set 1 the ZyWALL will wait until the Expect string is matched before it proceeds to set 2 and so on for the rest of the script When both the Expect and the Send fields of the current set are empty the ZyWALL will terminate the script processing and start PPP negotiation This implies two things first the sets must be contiguous the sets after...

Page 489: ...t the value to Yes Press ENTER to open Menu 11 2 4 Remote Node Filter Use menu 11 2 4 to specify the filter set s to apply to the incoming and outgoing traffic between this remote node and the ZyWALL to prevent certain packets from triggering calls You can specify up to four filter sets separated by commas for example 1 5 9 12 in each filter field Note that spaces are accepted in this field Please...

Page 490: ...490 Figure 314 Menu 11 2 4 Remote Node Filter Menu 11 2 4 Remote Node Filter Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Call Filter Sets protocol filters device filters Enter here to CONFIRM or ESC to CANCEL ...

Page 491: ...N Menus From the main menu enter 3 to open Menu 3 LAN Setup Figure 315 Menu 3 LAN Setup 30 3 LAN Port Filter Setup This menu allows you to specify the filter sets that you wish to apply to the LAN traffic You seldom need to filter the LAN traffic however the filter sets may be useful to block certain packets reduce traffic and prevent security breaches Menu 3 LAN Setup 1 LAN Port Filter Setup 2 TC...

Page 492: ...HCP Setup From menu 3 select the submenu option TCP IP and DHCP Setup and press ENTER The screen now displays Menu 3 2 TCP IP and DHCP Ethernet Setup as shown next Not all fields are available on all models Menu 3 1 LAN Port Filter Setup Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Press ENTER to Confirm or ESC to Cancel Menu 3 LAN Setup 1 LA...

Page 493: ... No Third DNS Server From ISP IP Address N A DHCP Server Address N A Press ENTER to Confirm or ESC to Cancel Table 184 Menu 3 2 DHCP Ethernet Setup Fields FIELD DESCRIPTION DHCP This field enables or disables the DHCP server If set to Server your ZyWALL will act as a DHCP server If set to None the DHCP server will be disabled If set to Relay the ZyWALL acts as a surrogate DHCP server and relays re...

Page 494: ... third DNS server that choice changes to None after you save your changes Select None if you do not want to configure DNS servers If you do not configure a DNS server you must know the IP address of a machine in order to access it DHCP Server Address If Relay is selected in the DHCP field above then type the IP address of the actual remote DHCP server here Table 184 Menu 3 2 DHCP Ethernet Setup Fi...

Page 495: ...P Direction N A Version N A Incoming protocol filters N A Outgoing protocol filters N A Enter here to CONFIRM or ESC to CANCEL Table 186 Menu 3 2 1 IP Alias Setup FIELD DESCRIPTION IP Alias 1 2 Choose Yes to configure the LAN network for the ZyWALL IP Address Enter the IP address of your ZyWALL in dotted decimal notation IP Subnet Mask Your ZyWALL will automatically calculate the subnet mask based...

Page 496: ...Chapter 30 LAN Setup ZyWALL 2 Plus User s Guide 496 ...

Page 497: ...TP or PPPoE Encapsulation Contact your ISP to determine what encapsulation type you should use 31 2 Ethernet Encapsulation If you choose Ethernet in menu 4 you will see the next menu Figure 320 Menu 4 Internet Access Setup Ethernet Menu 4 Internet Access Setup ISP s Name WAN_1 Encapsulation Ethernet Service Type Standard My Login N A My Password N A Retype to Confirm N A Login Server N A Relogin E...

Page 498: ... number of minutes from 1 to 59 30 recommended for the ZyWALL to wait between logins IP Address Assignment If your ISP did not assign you a fixed IP address press SPACE BAR and then ENTER to select Dynamic otherwise select Static and enter the IP address and subnet mask in the following fields IP Address Enter the fixed IP address assigned to you by your ISP static IP address assignment is selecte...

Page 499: ...ons about the new fields when you choose PPTP in the Encapsulation field in menu 4 31 4 Configuring the PPPoE Client If you enable PPPoE in menu 4 you will see the next screen Menu 4 Internet Access Setup ISP s Name ChangeMe Encapsulation PPTP Service Type N A My Login My Password Retype to Confirm Idle Timeout 100 IP Address Assignment Dynamic IP Address N A IP Subnet Mask N A Gateway IP Address ...

Page 500: ...e Internet You may deactivate the firewall in menu 21 2 or via the ZyWALL embedded web configurator You may also define additional firewall rules or modify existing ones but please exercise extreme caution in doing so See the chapters on firewall for more information on the firewall Menu 4 Internet Access Setup ISP s Name ChangeMe Encapsulation PPPoE Service Type N A My Login My Password Retype to...

Page 501: ...p 32 2 DMZ Port Filter Setup This menu allows you to specify the filter sets that you wish to apply to your public server s traffic Figure 324 Menu 5 1 DMZ Port Filter Setup Menu 5 DMZ Setup 1 DMZ Port Filter Setup 2 TCP IP and DHCP Setup Enter Menu Selection Number Menu 5 1 DMZ Port Filter Setup Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters P...

Page 502: ... TCP IP setup fields are the same as the ones in Menu 3 2 TCP IP and DHCP Ethernet Setup Each public server will need a unique IP address Refer to Section 30 4 on page 492 for information on how to configure these fields Menu 5 DMZ Setup 1 DMZ Port Filter Setup 2 TCP IP and DHCP Setup Enter Menu Selection Number Menu 5 2 TCP IP and DHCP Ethernet Setup DHCP None TCP IP Setup Client IP Pool Starting...

Page 503: ... open Menu 5 2 1 IP Alias Setup as shown next Use this menu to configure the second and third networks Figure 327 Menu 5 2 1 IP Alias Setup Refer to Table 186 on page 495 for instructions on configuring IP alias parameters Menu 5 2 1 IP Alias Setup IP Alias 1 No IP Address N A IP Subnet Mask N A RIP Direction N A Version N A Incoming protocol filters N A Outgoing protocol filters N A IP Alias 2 No...

Page 504: ...Chapter 32 DMZ Setup ZyWALL 2 Plus User s Guide 504 ...

Page 505: ... IP Multicast and IP alias please refer to Chapter 6 on page 133 33 1 1 IP Address From the main menu enter 7 to open Menu 7 WLAN Setup to configure TCP IP RFC 1155 Figure 328 Menu 7 WLAN Setup From menu 7 select the submenu option 2 TCP IP and DHCP Setup and press ENTER The screen now displays Menu 7 2 TCP IP and DHCP Ethernet Setup as shown next Menu 7 WLAN Setup 2 TCP IP and DHCP Setup Enter Me...

Page 506: ... 1 and 15 2 33 1 2 IP Alias Setup You must use menu 7 2 to configure the first network Move the cursor to the Edit IP Alias field press SPACE BAR to choose Yes and press ENTER to configure the second and third network Pressing ENTER opens Menu 7 2 1 IP Alias Setup as shown next Menu 7 2 TCP IP and DHCP Ethernet Setup DHCP None TCP IP Setup Client IP Pool Starting Address N A IP Address 0 0 0 0 Siz...

Page 507: ...r to Table 186 on page 495 for instructions on configuring IP alias parameters Menu 7 2 1 IP Alias Setup IP Alias 1 No IP Address N A IP Subnet Mask N A RIP Direction N A Version N A IP Alias 2 No IP Address N A IP Subnet Mask N A RIP Direction N A Version N A Enter here to CONFIRM or ESC to CANCEL ...

Page 508: ...Chapter 33 Wireless Setup ZyWALL 2 Plus User s Guide 508 ...

Page 509: ... Remote Node Profile Menu 11 1 2 Remote Node Network Layer Options and Menu 11 1 4 Remote Node Filter 34 2 Remote Node Setup From the main menu select menu option 11 to open Menu 11 Remote Node Setup shown below Enter 1 to open Menu 11 1 Remote Node Profile and configure the setup for your WAN port Enter 2 to open Menu 11 2 Remote Node Profile Backup ISP and configure the setup for your Dial Backu...

Page 510: ...apsulation FIELD DESCRIPTION Rem Node Name Enter a descriptive name for the remote node This field can be up to eight characters Active Press SPACE BAR and then ENTER to select Yes activate remote node or No deactivate remote node Encapsulation Ethernet is the default encapsulation Press SPACE BAR and then ENTER to change to PPPoE or PPTP encapsulation Service Type Press SPACE BAR and then ENTER t...

Page 511: ...wait between logins Route This field refers to the protocol that will be routed by your ZyWALL IP is the only option for the ZyWALL Edit IP This field leads to a hidden menu Press SPACE BAR to select Yes and press ENTER to go to Menu 11 1 2 Remote Node Network Layer Options Session Options Schedules You can apply up to four schedule sets here For more details please refer to Chapter 44 on page 599...

Page 512: ...n is always up regardless of traffic demand The ZyWALL does two things when you specify a nailed up connection The first is that idle timeout is disabled The second is that the ZyWALL will try to bring up the connection when turned on and whenever the connection is down A nailed up connection can be very expensive for obvious reasons Do not specify a nailed up connection unless your telephone comp...

Page 513: ...Budget The field sets a ceiling for outgoing call time for this remote node The default for this field is 0 meaning no budget control Period hr This field is the time period that the budget should be reset For example if we are allowed to call this remote node for a maximum of 10 minutes every hour then the Allocated Budget is 10 minutes and the Period hr is 1 hour Schedules You can apply up to fo...

Page 514: ...My IP Mask Idle Timeout sec 100 Server IP Addr Connection ID Name Edit Traffic Redirect No Press ENTER to Confirm or ESC to Cancel Table 192 Menu 11 1 Remote Node Profile for PPTP Encapsulation FIELD DESCRIPTION Encapsulation Press SPACE BAR and then ENTER to select PPTP You must also go to menu 11 3 to check the IP Address setting once you have selected the encapsulation method My IP Addr Enter t...

Page 515: ...ation only Enter the gateway IP address assigned to you if you are using a static IP address My WAN Addr This field is applicable to PPPoE and PPTP encapsulations only Some implementations especially the UNIX derivatives require the WAN link to have a separate IP network number from the LAN and each end must have a unique address within the WAN network number If this is the case enter the IP addre...

Page 516: ...n its RIP broadcasts If set to Yes this route is kept private and not included in RIP broadcast If No the route to this remote node will be propagated to other hosts through RIP broadcasts RIP Direction Press SPACE BAR and then ENTER to select the RIP direction from Both None In Only Out Only See Chapter 6 on page 133 for more information on RIP The default for RIP on the WAN side is None It is re...

Page 517: ...Redirect Setup Active Yes Configuration Backup Gateway IP Address 0 0 0 0 Metric 14 Check WAN IP Address 0 0 0 0 Fail Tolerance 10 Period sec 300 Timeout sec 8 Press ENTER to Confirm or ESC to Cancel Table 194 Menu 11 1 5 Traffic Redirect Setup FIELD DESCRIPTION Active Press SPACE BAR and select Yes to enable or No to disable traffic redirect setup The default is No Configuration Backup Gateway IP...

Page 518: ...ed to the backup gateway Two to five is usually a good number Period sec Enter the time interval in seconds between WAN connection checks Five to 60 is usually a good number Timeout sec Enter the number of seconds the ZyWALL waits for a ping response from the IP Address in the Check WAN IP Address field before it times out The number in this field should be less than the number in the Period field...

Page 519: ...N route on the ZyWALL You cannot modify or delete a static default route The default route is disabled after you change the static WAN IP address to a dynamic WAN IP address The before a route name indicates the static route is inactive Figure 339 Menu 12 IP Static Route Setup Now enter the index number of the static route that you want to configure Menu 12 IP Static Route Setup 1 Reserved 2 test1...

Page 520: ... 255 255 in the subnet mask field to force the network number to be identical to the host ID IP Subnet Mask Enter the IP subnet mask for this destination Gateway IP Address Enter the IP address of the gateway The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination On the LAN the gateway must be a router on the same segment as your ZyWALL over the WAN the...

Page 521: ...any to One and Server See Section 36 2 1 on page 523 for a detailed description of the NAT set for SUA The ZyWALL also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types Choose SUA Only if you have just one public WAN IP address for your ZyWALL Choose Full Feature if you have multiple public WAN IP addresses ...

Page 522: ...plying NAT to the Remote Node Menu 4 Internet Access Setup ISP s Name ChangeMe Encapsulation Ethernet Service Type Standard My Login N A My Password N A Retype to Confirm N A Login Server N A Relogin Every min N A IP Address Assignment Dynamic IP Address N A IP Subnet Mask N A Gateway IP Address N A Network Address Translation SUA Only Press ENTER to Confirm or ESC to Cancel Menu 11 1 2 Remote Nod...

Page 523: ...onfigure DMZ WLAN and LAN IP addresses in NAT menus 15 1 and 15 2 DMZ WLAN and LAN IP addresses must be on separate subnets 36 2 1 Address Mapping Sets Enter 1 to bring up Menu 15 1 Address Mapping Sets Table 196 Applying NAT in Menus 4 11 1 2 FIELD DESCRIPTION OPTIONS Network Address Translation When you select this option the SMT will use Address Mapping Set 1 menu 15 1 see Section 36 2 1 on pag...

Page 524: ...e changed Figure 345 Menu 15 1 255 SUA Address Mapping Rules The following table explains the fields in this menu Menu 15 1 255 is read only Menu 15 1 Address Mapping Sets 1 NAT_SET 255 SUA read only Enter Menu Selection Number Menu 15 1 255 Address Mapping Rules Set Name SUA Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 0 0 0 0 255 255 255 255 0 0 0 0 M 1 2 0 0 0 0 Server 3...

Page 525: ... you selected in menu 15 1 or enter the name of a new set you want to create Idx This is the index or rule number Local Start IP Local Start IP is the starting local IP address ILA Local End IP Local End IP is the ending local IP address ILA If the rule is for all local IPs then the start IP is 0 0 0 0 and the end IP is 255 255 255 255 Global Start IP This is the starting global IP address IGA If ...

Page 526: ...le 5 becomes rule 4 old rule 6 becomes rule 5 and old rule 7 becomes rule 6 Menu 15 1 1 Address Mapping Rules Set Name NAT_SET Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 0 0 0 0 255 255 255 255 0 0 0 0 M 1 2 0 0 0 0 Server 3 4 5 6 7 8 9 10 Action None Select Rule N A Press ENTER to Confirm or ESC to Cancel Table 198 Fields in Menu 15 1 1 FIELD DESCRIPTION Set Name Enter a...

Page 527: ...le describes the fields in this menu Menu 15 1 1 1 Address Mapping Rule Type Server Local IP Start N A End N A Global IP Start 10 10 1 1 End N A Press ENTER to Confirm or ESC to Cancel Table 199 Menu 15 1 1 1 Editing Configuring an Individual Rule in a Set FIELD DESCRIPTION Type Press SPACE BAR and then ENTER to select from a total of five types These are the mapping types discussed in Chapter 17 ...

Page 528: ...igure Start Enter the starting global IP address IGA If you have a dynamic IP enter 0 0 0 0 as the Global IP Start Note that Global IP Start can be set to 0 0 0 0 only if the types are Many to One or Server End Enter the ending global IP address IGA This field is N A for One to One Many to One and Server types Once you have finished configuring a rule in this menu press ENTER at the message Press ...

Page 529: ... press ESC at any time to cancel 15 2 1 NAT Server Configuration Index 1 Name test Active Yes Start port 21 End port 25 IP Address 192 168 1 33 Press ENTER to Confirm or ESC to Cancel Table 200 15 2 1 NAT Server Configuration FIELD DESCRIPTION Index This is the index number of an individual port forwarding server entry Name Enter a name to identify this port forwarding rule Active Press SPACE BAR ...

Page 530: ...6 4 1 Internet Access Only In the following Internet access example you only need one rule where all your ILAs Inside Local addresses map to one dynamic IGA Inside Global Address assigned by your ISP Menu 15 2 NAT Server Setup Default Server 0 0 0 0 Rule Act Start Port End Port IP Address 001 Yes 21 25 192 168 1 33 002 No 0 0 0 0 0 0 003 No 0 0 0 0 0 0 004 No 0 0 0 0 0 0 005 No 0 0 0 0 0 0 006 No ...

Page 531: ...on page 530 The SUA Only read only option from the Network Address Translation field in menus 4 and 11 1 2 is specifically pre configured to handle this case Menu 4 Internet Access Setup ISP s Name ChangeMe Encapsulation Ethernet Service Type Standard My Login N A My Password N A Retype to Confirm N A Login Server N A Relogin Every min N A IP Address Assignment Dynamic IP Address N A IP Subnet Mas...

Page 532: ...e IGA for each department with an FTP server and all departments use the other IGA Map the FTP servers to the first two IGAs and the other LAN traffic to the remaining IGA Map the third IGA to an inside web server and mail server Four rules need to be configured two bi directional and two uni directional as follows 1 Map the first IGA to the first inside FTP server for FTP traffic in both directio...

Page 533: ...ing Set 1 from Menu 15 1 Address Mapping Sets Therefore you must choose the Full Feature option from the Network Address Translation field in menu 4 or menu 11 3 in Figure 357 on page 534 2 Then enter 15 from the main menu 3 Enter 1 to configure the Address Mapping Sets 4 Enter 1 to begin configuring this new set Enter a Set Name choose the Edit Action and then enter 1 for the Select Rule field Pr...

Page 534: ...mote Node Network Layer Options IP Address Assignment Dynamic IP Address N A IP Subnet Mask N A Gateway IP Addr N A Network Address Translation SUA Only Metric 2 Private RIP Direction None Version N A Multicast None Enter here to CONFIRM or ESC to CANCEL Menu 15 1 1 1 Address Mapping Rule Type One to One Local IP Start 192 168 1 10 End N A Global IP Start 10 132 50 1 End N A Press ENTER to Confirm...

Page 535: ... IP Global Start IP Global End IP Type 1 192 168 1 10 10 132 50 1 1 1 2 192 168 1 11 10 132 50 2 1 1 3 0 0 0 0 255 255 255 255 10 132 50 3 M 1 4 10 132 50 3 Server 5 6 7 8 9 10 Action Edit Select Rule Press ENTER to Confirm or ESC to Cancel Menu 15 2 NAT Server Setup Default Server 0 0 0 0 Rule Act Start Port End Port IP Address 001 Yes 80 80 192 168 1 21 002 Yes 25 25 192 168 1 20 003 No 0 0 0 0 ...

Page 536: ...ch as some gaming programs are NAT unfriendly because they embed addressing information in the data stream These applications won t work through NAT even when using One to One and Many One to One mapping types Follow the steps outlined in example 3 above to configure these two menus as follows Figure 362 Example 4 Menu 15 1 1 1 Address Mapping Rule After you ve configured your rule you should be a...

Page 537: ... sends traffic to the WAN to request a service with a specific port number and protocol a trigger port When the ZyWALL s WAN port receives a response with a specific port number and protocol incoming port the ZyWALL forwards the traffic to the LAN IP address of the computer that sent the request After that computer s connection for that service closes another computer on the LAN can use the servic...

Page 538: ...for identification purposes You may enter up to 15 characters in this field All characters are permitted including spaces Incoming Incoming is a port or a range of ports that a server on the WAN uses when it sends out a particular service The ZyWALL forwards the traffic with this port or range of ports to the client computer on the LAN that requested the service Start Port Enter a port number or t...

Page 539: ...screen shown next Figure 365 Menu 21 Filter and Firewall Setup 37 1 1 Activating the Firewall Enter option 2 in this menu to bring up the following screen Press SPACE BAR and then ENTER to select Yes in the Active field to activate the firewall The firewall must be active to protect against Denial of Service DoS attacks Use the web configurator to configure firewall rules Menu 21 Filter and Firewa...

Page 540: ...ects against Denial of Service DoS attacks when it is active Your network is vulnerable to attacks when the firewall is turned off Refer to the User s Guide for details about the firewall default policies You may define additional policy rules or modify existing ones but please exercise extreme caution in doing so Active Yes You can use the Web Configurator to configure the firewall Press ENTER to...

Page 541: ...Data filters are divided into incoming and outgoing filters depending on the direction of the packet relative to a port Data filtering can be applied on either the WAN side or the LAN side Call filtering is used to determine if a packet should be allowed to trigger a call Remote node call filtering is only applicable when using PPPoE encapsulation Outgoing packets must undergo data filtering befor...

Page 542: ...r rules and protocol filter rules within the same set You can apply up to four filter sets to a particular port to block multiple types of packets With each filter set having up to six rules you can have a maximum of 24 rules active for a single port Sets of factory default filter rules have been configured in menu 21 to prevent NetBIOS traffic from triggering calls and to prevent incoming Telnet ...

Page 543: ...s User s Guide 543 Figure 368 Filter Rule Process You can apply up to four filter sets to a particular port to block multiple types of packets With each filter set having up to six rules you can have a maximum of 24 rules active for a single port ...

Page 544: ...ENTER 4 Enter a descriptive name or comment in the Edit Comments field and press ENTER 5 Press ENTER at the message Press ENTER to confirm to open Menu 21 1 1 Filter Rules Summary Menu 21 Filter and Firewall Setup 1 Filter Setup 2 Firewall Setup Enter Menu Selection Number Menu 21 1 Filter Set Configuration Filter Filter Set Comments Set Comments 1 _______________ 7 _______________ 2 _____________...

Page 545: ...Rules These parameters are displayed here M More Y means there are more rules to check which form a rule chain with the present rule An action cannot be taken until the rule chain is complete N means there are no more rules to check You can specify an action to be taken i e forward the packet drop the packet or check the next rule For the latter the next rule is independent of the rule just checke...

Page 546: ...l warn you and will not allow you to save 38 2 2 Configuring a TCP IP Filter Rule This section shows you how to configure a TCP IP filter rule TCP IP rules allow you to base the rule on the fields in the IP and the upper layer protocol for example UDP and TCP headers To configure TCP IP rules select TCP IP Filter Rule from the Filter Type field and press ENTER to open Menu 21 1 1 1 TCP IP Filter R...

Page 547: ... of the packets that you wish to filter The range of this field is 0 to 65535 This field is ignored if it is 0 Port Comp Press SPACE BAR and then ENTER to select the comparison to apply to the source port in the packet against the value given in Source Port Options are None Equal Not Equal Less and Greater TCP Estab This field is applicable only when the IP Protocol field is 6 TCP Press SPACE BAR ...

Page 548: ...Chapter 38 Filter Configuration ZyWALL 2 Plus User s Guide 548 The following figure illustrates the logic flow of an IP filter Figure 373 Executing an IP Filter ...

Page 549: ...escribes the fields in the Generic Filter Rule menu Menu 21 1 1 1 Generic Filter Rule Filter 1 1 Filter Type Generic Filter Rule Active No Offset 0 Length 0 Mask N A Value N A More No Log None Action Matched Check Next Rule Action Not Matched Check Next Rule Press ENTER to Confirm or ESC to Cancel Table 205 Generic Filter Rule Menu Fields FIELD DESCRIPTION Filter This is the filter set filter rule...

Page 550: ...ing packet is passed to the next filter rule before an action is taken else the packet is disposed of according to the action fields If More is Yes then Action Matched and Action Not Matched will be No Log Select the logging option from the following None No packets will be logged Action Matched Only packets that match the rule parameters will be logged Action Not Matched Only packets that do not ...

Page 551: ...on is to drop the packet m D if the action is matched and to forward the packet immediately n F if the action is not matched no matter whether there are more rules to be checked there aren t in this example Menu 21 1 3 1 TCP IP Filter Rule Filter 3 1 Filter Type TCP IP Filter Rule Active Yes IP Protocol 6 IP Source Route No Destination IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 23 Port Comp Equal Source...

Page 552: ...ber are replaced on a connection by connection basis which makes it impossible to know the exact address and port on the wire Therefore the ZyWALL applies the protocol filters to the native IP address and port number before NAT for outgoing packets and after NAT for incoming packets On the other hand the generic or device filters are applied to the raw packets that appear on the wire They are appl...

Page 553: ...o a nonexistent outbound request can be blocked The firewall uses session filtering i e smart rules that enhance the filtering process and control the network session rather than control individual packets in a session The firewall provides e mail service to notify you of routine reports and when alerts occur 38 5 2 1 When To Use The Firewall 1 To prevent DoS attacks and prevent hackers cracking y...

Page 554: ...MZ Filters DMZ traffic filter sets may be useful to block certain packets reduce traffic and prevent security breaches Go to menu 5 1 shown next and enter the number s of the filter set s that you want to apply as appropriate You can choose up to four filter sets from twelve by entering their numbers separated by commas e g 3 4 6 11 Input filter sets filter incoming traffic to the ZyWALL and outpu...

Page 555: ...ppropriate You can cascade up to four filter sets by entering their numbers separated by commas The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls and block incoming Telnet FTP and HTTP connections Figure 381 Filtering Remote Node Traffic Menu 11 1 4 Remote Node Filter Setup Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device fi...

Page 556: ...Chapter 38 Filter Configuration ZyWALL 2 Plus User s Guide 556 ...

Page 557: ... 0 0 Trap Community public Destination 0 0 0 0 Press ENTER to Confirm or ESC to Cancel Table 206 SNMP Configuration Menu Fields FIELD DESCRIPTION Get Community Type the Get community which is the password for the incoming Get and GetNext requests from the management station Set Community Type the Set community which is the password for incoming Set requests from the management station Trusted Host...

Page 558: ...SCRIPTION 0 coldStart defined in RFC 1215 A trap is sent after booting power on 1 warmStart defined in RFC 1215 A trap is sent after booting software reboot 4 authenticationFailure defined in RFC 1215 A trap is sent to the manager when receiving any SNMP get or set requirements with the wrong community password 6 whyReboot defined in ZYXEL MIB A trap is sent with the reason of restart before reboo...

Page 559: ...n of your system firmware and the status and statistics of the ports as shown in the next figure System Status is a tool that can be used to monitor your ZyWALL Specifically it gives you information on your system firmware version number of packets sent and number of packets received To get to the System Status 1 Enter number 24 to go to Menu 24 System Maintenance 2 In this menu enter 1 to open Sy...

Page 560: ...3 10 2 3 4 255 0 0 0 None System up Time 1 50 17 Press Command COMMANDS 1 Drop WAN 9 Reset Counters ESC Exit Table 208 System Maintenance Status Menu Fields FIELD DESCRIPTION Port This field identifies a port WAN LAN DMZ or WLAN on the ZyWALL Status For the LAN DMZ and WLAN Interfaces this displays the port speed and duplex setting For the WAN port it displays the port speed and duplex setting if ...

Page 561: ...our system as shown below More specifically it gives you information on your routing protocol Ethernet address IP address etc Figure 386 Menu 24 2 1 System Maintenance Information System up Time This is the total time the ZyWALL has been on You may enter 1 to drop the WAN connection 9 to reset the counters or ESC to return to menu 24 Table 208 System Maintenance Status Menu Fields continued FIELD ...

Page 562: ... error trace log 1 Select option 24 from the main menu to open Menu 24 System Maintenance 2 From menu 24 select option 3 to open Menu 24 3 System Maintenance Log and Trace Table 209 Fields in System Maintenance Information FIELD DESCRIPTION Name This is the ZyWALL s system name domain name assigned in menu 1 For example System Name xxx Domain Name baboo mickey com Name xxx baboo mickey com Routing...

Page 563: ...ng Menu 24 3 System Maintenance Log and Trace 1 View Error Log 2 UNIX Syslog 4 Call Triggering Packet Please enter selection 52 Thu Jul 1 05 54 53 2004 PP05 ERROR Wireless LAN init fail code 15 53 Thu Jul 1 05 54 53 2004 PINI INFO Channel 0 ok 54 Thu Jul 1 05 54 56 2004 PP05 WARN SNMP TRAP 3 interface 3 link up 55 Thu Jul 1 05 54 56 2004 PP0d INFO LAN promiscuous mode 0 57 Thu Jul 1 05 54 56 2004 ...

Page 564: ...s in the syslog server Refer to the documentation of your syslog program for more details When finished configuring this screen press ENTER to confirm or ESC to cancel CDR Message Format SdcmdSyslogSend SYSLOG_CDR SYSLOG_INFO String String board xx line xx channel xx call xx str board the hardware board ID line the WAN ID in a board Channel channel ID within the WAN call the call reference number ...

Page 565: ...12c0a86614ca849a7b0427001700195b451d143013500400007 7600000 Filter log Message Format SdcmdSyslogSend SYSLOG_FILLOG SYSLOG_NOTICE String String IP Src xx xx xx xx Dst xx xx xx xx prot spo xxxx dpo xxxx S04 R01mD IP is the packet header and S04 R01mD means filter set 4 S and rule 1 R match m drop D Src Source Address Dst Destination Address prot Protocol TCP UDP ICMP spo Source port dpo Destination...

Page 566: ...pp CCP Closing Firewall Log Message Format SdcmdSyslogSend SYSLOG_FIREWALL SYSLOG_NOTICE buf buf IP Src xx xx xx xx spo xxxx Dst xx xx xx xx dpo xxxx prot rule action Src Source Address spo Source port empty means no source port information Dst Destination Address dpo Destination port empty means no destination port information prot Protocol TCP UDP ICMP IGMP GRE ESP rule a b where a means set num...

Page 567: ...en Menu 24 4 System Maintenance Diagnostic IP Frame ENET0 RECV Size 44 44 Time 17 02 44 262 Frame Type IP Header IP Version 4 Header Length 20 Type of Service 0x00 0 Total Length 0x002C 44 Identification 0x0002 2 Flags 0x00 Fragment Offset 0x00 Time to Live 0xFE 254 Protocol 0x06 TCP Header Checksum 0xFB20 64288 Source IP 0xC0A80101 192 168 1 1 Destination IP 0x00000000 0 0 0 0 TCP Header Source P...

Page 568: ...niently allow you to release and or renew the assigned WAN IP address subnet mask and default gateway in a fashion similar to winipcfg Figure 393 WAN LAN DHCP The following table describes the diagnostic tests available in menu 24 4 for your ZyWALL and associated connections Menu 24 4 System Maintenance Diagnostic TCP IP 1 Ping Host 2 WAN DHCP Release 3 WAN DHCP Renewal 4 PPPoE PPTP Setup Test Sys...

Page 569: ... Chapter 31 on page 497 for more details This feature is only available for dial up connections using PPPoE or PPTP encapsulation Reboot System Enter 11 to reboot the ZyWALL Host IP Address If you entered 1in the Enter Menu Selection Number field then enter the IP address of the computer you want to ping in this field Enter the number of the selection you would like to perform or press ESC to canc...

Page 570: ...Chapter 40 System Information Diagnosis ZyWALL 2 Plus User s Guide 570 ...

Page 571: ...r ZyWALL s performance 41 2 Filename Conventions The configuration file often called the romfile or rom 0 contains the factory default settings in the menus such as password DHCP Setup TCP IP Setup etc It arrives from ZyXEL with a rom filename extension Once you have customized the ZyWALL s settings they can be saved back to your computer under a filename of your choosing ZyNOS ZyXEL Network Opera...

Page 572: ... ZyWALL configuration to your computer Backup is highly recommended once your ZyWALL is functioning properly FTP is the preferred method for backing up your current configuration to your computer since it is faster You can also perform backup and restore using menu 24 through the console port Any serial communications program should work fine however you must use Xmodem protocol to perform the dow...

Page 573: ... the ZyWALL to your computer and renames it config rom See earlier in this chapter for more information on filename conventions 7 Enter quit to exit the ftp prompt Menu 24 5 Backup Configuration To transfer the configuration file to your workstation follow the procedure below 1 Launch the FTP client on your workstation 2 Type open and the IP address of your router Then type root and SMT password a...

Page 574: ... session immediately 5 You have an SMT console session running 331 Enter PASS command Password 230 Logged in ftp bin 200 Type I OK ftp get rom 0 zyxel rom 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp 16384 bytes sent in 1 10Seconds 297 89Kbytes sec ftp quit Table 213 General Commands for GUI based FTP Clients COMMAND DESCRIPTION Host Address Enter the add...

Page 575: ...o transfer files between the ZyWALL and the computer The file name for the configuration file is rom 0 rom zero not capital o Note that the Telnet connection must be active and the SMT in CI mode before and during the TFTP transfer For details on TFTP commands see following example please consult the documentation of your TFTP client program For UNIX use get to transfer from the ZyWALL to the comp...

Page 576: ...ted Figure 397 System Maintenance Starting Xmodem Download Screen 3 Run the HyperTerminal program by clicking Transfer then Receive File as shown in the following screen Figure 398 Backup Configuration Example Type a location for storing the configuration file or click Browse to look for one Choose the Xmodem protocol Then click Receive Remote File This is the filename on the ZyWALL The filename f...

Page 577: ... restore unless you have a backup configuration file stored on disk FTP is the preferred method for restoring your current computer configuration to your ZyWALL since FTP is faster Please note that you must wait for the system to automatically restart after the file transfer is complete WARNING Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE YOUR ZyWALL When the Restore C...

Page 578: ...xample Refer to Section 41 3 5 on page 574 to read about configurations that disallow TFTP and FTP over WAN Menu 24 6 Restore Configuration To transfer the firmware and the configuration file follow the procedure below 1 Launch the FTP client on your workstation 2 Type open and the IP address of your router Then type root and SMT password as requested 3 Type put backupfilename rom 0 where backupfi...

Page 579: ...igure 404 Restore Configuration Example 4 After a successful restoration you will see the following screen Press any key to restart the ZyWALL and return to the SMT menu Figure 405 Successful Restoration Confirmation Screen 41 5 Uploading Firmware and Configuration Files This section shows you how to upload firmware and configuration files You can upload configuration files by following the proced...

Page 580: ...g screen when you Telnet into menu 24 7 2 Menu 24 7 1 System Maintenance Upload System Firmware To upload the system firmware follow the procedure below 1 Launch the FTP client on your workstation 2 Type open and the IP address of your system Then type root and SMT password as requested 3 Type put firmwarefilename ras where firmwarefilename is the name of your firmware upgrade file on your worksta...

Page 581: ...et rom 0 config rom transfers the configuration file on the ZyWALL to your computer and renames it config rom See earlier in this chapter for more information on filename conventions 7 Enter quit to exit the ftp prompt Menu 24 7 2 System Maintenance Upload System Configuration File To upload the system configuration file follow the procedure below 1 Launch the FTP client on your workstation 2 Type...

Page 582: ...MT in command interpreter CI mode by entering 8 in Menu 24 System Maintenance 3 Enter the command sys stdio 0 to disable the console timeout so the TFTP transfer will not be interrupted Enter command sys stdio 5 to restore the five minute console timeout default when the file transfer is complete 4 Launch the TFTP client on your computer and connect to the ZyWALL Set the transfer mode to binary be...

Page 583: ...hould work fine however you must use the Xmodem protocol to perform the download upload 41 5 8 Uploading Firmware File Via Console Port 1 Select 1 from Menu 24 7 System Maintenance Upload Firmware to display Menu 24 7 1 System Maintenance Upload System Firmware and then follow the instructions as shown in the following screen Figure 409 Menu 24 7 1 As Seen Using the Console Port 2 After the Starti...

Page 584: ... program The procedure for other serial communications programs should be similar 3 Enter atgo to restart the ZyWALL Menu 24 7 2 System Maintenance Upload System Configuration File To upload system configuration file 1 Enter y at the prompt below to go into debug mode 2 Enter atlc after Enter Debug Mode message 3 Wait for Starting XMODEM upload message before activating Xmodem upload on your termi...

Page 585: ...us User s Guide 585 41 5 11 Example Xmodem Configuration Upload Using HyperTerminal Click Transfer then Send File to display the following screen Figure 412 Example Xmodem Upload After the configuration upload process has completed restart the ZyWALL by entering atgo ...

Page 586: ...Chapter 41 Firmware and Configuration File Maintenance ZyWALL 2 Plus User s Guide 586 ...

Page 587: ...o the console port although some commands are only available with a serial connection See the included disk or zyxel com for more detailed information on CI commands Enter 8 from Menu 24 System Maintenance Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable Figure 413 Command Mode in Menu 24 Menu 24 System Maintenance 1 System Status 2 System Inform...

Page 588: ...t c 1994 2007 ZyXEL Communications Corp ras Valid commands are sys exit device ether poe pptp aux config radius ip ipsec ppp bridge bm certificates cnm radius ras Table 215 Valid Commands COMMAND DESCRIPTION sys The system commands display device information and configure device settings exit This command returns you to the SMT main menu device The device commands deal with the dial backup connect...

Page 589: ...ill be blocked Call history chronicles preceding incoming and outgoing calls To access the call control menu select option 9 in menu 24 to go to Menu 24 9 System Maintenance Call Control as shown in the next table Figure 415 Call Control 42 2 1 Budget Management Menu 24 9 1 shows the budget management statistics for outgoing calls Enter 1 from Menu 24 9 System Maintenance Call Control to bring up ...

Page 590: ...tion about past incoming and outgoing calls Enter 2 from Menu 24 9 System Maintenance Call Control to bring up the following menu Figure 417 Call History Table 216 Budget Management FIELD DESCRIPTION EXAMPLE Remote Node Enter the index number of the remote node you want to reset just one in this case 1 Connection Time Total Budget This is the total connection time that has gone by within the alloc...

Page 591: ... time and date settings of your ZyWALL as shown in the following screen Table 217 Call History FIELD DESCRIPTION Phone Number The PPPoE service names are shown here Dir This shows whether the call was incoming or outgoing Rate This is the transfer rate of the call call This is the number of calls made to or received from that telephone number Max This is the length of time of the longest telephone...

Page 592: ...ne of the server Time RFC 868 format displays a 4 byte integer giving the total number of seconds since 1970 1 1 at 0 0 0 The default NTP RFC 1305 is similar to Time RFC 868 Select Manual to enter the new time and new date manually Time Server Address Enter the IP address or domain name of your timeserver Check with your ISP network administrator if you are unsure of this information Current Time ...

Page 593: ...e hour ahead of GMT or UTC GMT 1 End Date mm nth week hr Configure the day and time when Daylight Saving Time ends if you selected Yes in the Daylight Saving field The hr field uses the 24 hour format Here are a couple of examples Daylight Saving Time ends in the United States on the last Sunday of October Each time zone in the United States stops using Daylight Saving Time at 2 A M local time So ...

Page 594: ...Chapter 42 System Maintenance Menus 8 to 10 ZyWALL 2 Plus User s Guide 594 ...

Page 595: ...e remote management to allow management from any network except the LAN you still need to configure a firewall rule to allow access See Chapter 11 on page 191 for details on configuring firewall rules You can also disable a service on the ZyWALL by not allowing access for the service protocol through any of the ZyWALL interfaces To disable remote management of a service select Disable in the corre...

Page 596: ...e Management Control FIELD DESCRIPTION Telnet Server FTP Server SSH Server HTTPS Server HTTP Server SNMP Service DNS Service Each of these read only labels denotes a service that you may use to remotely manage the ZyWALL Port This field shows the port number for the service or protocol You may change the port number if needed but you must use the same port number to access the ZyWALL Access Select...

Page 597: ...e management session with an equal or higher priority running You may only have one remote management session running at one time 6 There is a firewall rule that blocks it Authenticate Client Certificates Select Yes by pressing SPACE BAR then ENTER to require the SSL client to authenticate itself to the ZyWALL by sending the ZyWALL a certificate To do that the SSL client must have a CA signed cert...

Page 598: ...Chapter 43 Remote Management ZyWALL 2 Plus User s Guide 598 ...

Page 599: ...bered sets take precedence over higher numbered sets thereby avoiding scheduling conflicts For example if sets 1 2 3 and 4 are applied in the remote node then set 1 will take precedence over set 2 3 and 4 as the ZyWALL by default applies the lowest numbered set first Set 2 will take precedence over set 3 and 4 and so on You can design up to 12 schedule sets but you can only apply up to four schedu...

Page 600: ...A Thursday N A Friday N A Saturday N A Start Time hh mm 00 00 Duration hh mm 00 00 Action Forced On Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Table 220 Schedule Set Setup FIELD DESCRIPTION Active Press SPACE BAR to select Yes or No Choose Yes and press ENTER to activate the schedule set How Often Should this schedule set recur weekly or be used just once only Press SPACE BA...

Page 601: ...igured in the Action field Enter the maximum length of time in hour minute format Action Forced On means that the connection is maintained whether or not there is a demand call on the line and will persist for the time period specified in the Duration field Forced Down means that the connection is blocked whether or not there is a demand call on the line Enable Dial On Demand means that this sched...

Page 602: ...Encapsulation PPTP Edit IP No Service Type Standard Telco Option Allocated Budget min 0 Outgoing Period hr 0 My Login Schedules 1 2 3 4 My Password Nailed up Connections No Retype to Confirm Authen CHAP PAP PPTP Session Options My IP Addr Edit Filter Sets No My IP Mask Idle Timeout sec 100 Server IP Addr Connection ID Name Edit Traffic Redirect No Press ENTER to Confirm or ESC to Cancel ...

Page 603: ...603 PART VII Troubleshooting and Specifications Troubleshooting 605 Product Specifications 613 ...

Page 604: ...604 ...

Page 605: ...tor or cord included with the ZyWALL 8 Make sure the power adaptor or cord is connected to the ZyWALL and plugged in to an appropriate power source Make sure the power source is turned on 9 Disconnect and re connect the power adaptor or cord to the ZyWALL 10 If the problem continues contact the vendor V One of the LEDs does not behave as expected 1 Make sure you understand the normal behavior of t...

Page 606: ...ss the Login screen in the web configurator 1 Make sure you are using the correct IP address The default LAN IP address is 192 168 1 1 If you changed the LAN IP address Section 6 7 on page 136 enter the new one as the URL If you changed the LAN IP address and have forgotten it see the troubleshooting suggestions for I forgot the IP address for the ZyWALL Use the ZyWALL s WAN IP address when config...

Page 607: ...ote management settings firewall rules and SMT filters to find out why the ZyWALL does not respond to HTTP If your computer is connected to the WAN port or is connected wirelessly use a computer that is connected to a LAN port V I can see the Login screen but I cannot log in to the ZyWALL 1 Make sure you have entered the user name and password correctly The default user name is admin and the defau...

Page 608: ...k the 10M 100M LAN LEDs on the front panel One of these LEDs should be on If they are both off check the cables between your ZyWALL and hub or the station 2 Verify that the IP address and the subnet mask of the ZyWALL and the computers are on the same subnet V I cannot access servers on the DMZ from the LAN 1 Check your Ethernet cable type and connections Refer to the Quick Start Guide for DMZ con...

Page 609: ... cables from your device and follow the directions in the Quick Start Guide again 5 If the problem continues contact your ISP V I cannot access the Internet anymore I had access to the Internet with the ZyWALL but my Internet connection is not available anymore 1 Check the hardware connections and make sure the LEDs are behaving as expected See the Quick Start Guide and Section 1 5 on page 49 2 Ch...

Page 610: ...operly 3 Make sure the wireless adapter installed on your computer is IEEE 802 11 compatible and supports the same wireless standard as the ZyWALL 4 Make sure your computer with a wireless adapter installed is within the transmission range of the ZyWALL 5 Check that both the ZyWALL and your wireless station are using the same wireless and wireless security settings 6 Make sure traffic between the ...

Page 611: ...ing ZyWALL 2 Plus User s Guide 611 Restart your computer V I cannot open special applications such as white board file transfer and video when I use the MSN messenger 1 Wait more than three minutes 2 Restart the applications ...

Page 612: ...Chapter 45 Troubleshooting ZyWALL 2 Plus User s Guide 612 ...

Page 613: ... Restores factory default settings Console RJ 45 port for RS 232 null modem connection Dial Backup RJ 45 port for RS 232 connection Operation Temperature 0º C 50º C Storage Temperature 30º C 60º C Operation Humidity 20 95 RH non condensing Storage Humidity 20 95 RH non condensing Distance between the centers of the holes for wall mounting on the ZyWALL s back 125 mm Recommended type of screws for ...

Page 614: ...ame Ethernet interface with the ZyWALL itself as the gateway for each subnet Time and Date Get the current time and date from an external server when you turn on your ZyWALL You can also set the time manually These dates and times are then used in logs Logging and Tracing Use packet tracing and logs for troubleshooting You can send logs from the ZyWALL to an external syslog server PPPoE PPPoE mimi...

Page 615: ...of traffic and or to particular computers Remote Management This allows you to decide whether a service HTTP or FTP traffic for example from a computer on a network LAN or WAN for example can access the ZyWALL Table 223 Feature and Performance Specifications FEATURE SPECIFICATION Local User Database Entries 32 Static DHCP Table Entries 32 Static Routes 12 Port Forwarding Rules 20 Concurrent Sessio...

Page 616: ...N RJ 45 END DB 9M MALE END DSR 1 6 DTR 2 4 TX 3 3 RTS 4 7 GND 5 5 RX 6 2 CTS 7 8 DCD 8 1 N A 9 Table 225 Dial Backup Cable Pin Assignments PIN DEFINITION RJ 45 END DB 9M MALE END DTR 1 4 DSR 2 6 RX 3 2 CTS 4 8 GND 5 5 TX 6 3 RTS 7 7 DCD 8 1 N A 9 Table 226 Ethernet Cable Pin Assignments WAN LAN ETHERNET CABLE PIN LAYOUT Straight through Crossover Switch Adapter Switch Switch ...

Page 617: ...cated inside the wall when drilling holes for the screws 3 Do not insert the screws all the way into the wall Leave a small gap of about 0 5 cm between the heads of the screws and the wall 4 Make sure the screws are snugly fastened to the wall They need to hold the weight of the ZyWALL with the connection cables 5 Align the holes on the back of the ZyWALL with the screws on the wall Hang the ZyWAL...

Page 618: ...s ZyWALL 2 Plus User s Guide 618 Figure 426 Wall mounting Example The following are dimensions of an M4 tap screw and masonry plug used for wall mounting All measurements are in millimeters mm Figure 427 Masonry Plug and M4 Tap Screw ...

Page 619: ...ation Some details may not apply to your ZyWALL Setting up Your Computer s IP Address 621 Pop up Windows JavaScripts and Java Permissions 637 IP Addresses and Subnetting 645 Common Services 653 Importing Certificates 657 Legal Information 669 Customer Support 673 Index 679 ...

Page 620: ...620 ...

Page 621: ... of a third party TCP IP application package TCP IP should already be installed on computers using Windows NT 2000 XP Macintosh OS 7 and later operating systems After the appropriate TCP IP components are installed configure the TCP IP settings in order to communicate with your network If you manually assign IP information instead of using dynamic assignment make sure that your computers have IP a...

Page 622: ...then click Add 3 Select the manufacturer and model of your network adapter and then click OK If you need TCP IP 1 In the Network window click Add 2 Select Protocol and then click Add 3 Select Microsoft from the list of manufacturers 4 Select TCP IP from the list of network protocols and then click OK If you need Client for Microsoft Networks 1 Click Add 2 Select Client and then click Add 3 Select ...

Page 623: ... select Obtain an IP address automatically If you have a static IP address select Specify an IP address and type your information into the IP Address and Subnet Mask fields Figure 429 Windows 95 98 Me TCP IP Properties IP Address 3 Click the DNS Configuration tab If you do not know your DNS information select Disable DNS If you know your DNS information select Enable DNS and type the information i...

Page 624: ...close the TCP IP Properties window 6 Click OK to close the Network window Insert the Windows CD if prompted 7 Turn on your ZyWALL and restart your computer when prompted Verifying Settings 1 Click Start and then Run 2 In the Run window type winipcfg and then click OK to open the IP Configuration window 3 Select your network adapter You should see your computer s IP address subnet mask and default ...

Page 625: ...Plus User s Guide 625 Figure 431 Windows XP Start Menu 2 In the Control Panel double click Network Connections Network and Dial up Connections in Windows 2000 NT Figure 432 Windows XP Control Panel 3 Right click Local Area Connection and then click Properties ...

Page 626: ...tab in Win XP and then click Properties Figure 434 Windows XP Local Area Connection Properties 5 The Internet Protocol TCP IP Properties window opens the General tab in Windows XP If you have a dynamic IP address click Obtain an IP address automatically If you have a static IP address click Use the following IP Address and fill in the IP address Subnet mask and Default gateway fields Click Advance...

Page 627: ... Add In TCP IP Address type an IP address in IP address and a subnet mask in Subnet mask and then click Add Repeat the above two steps for each IP address you want to add Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways In TCP IP Gateway Address type the IP address of the default gateway in Gateway To manually configure a default metric the number of...

Page 628: ... the General tab in Windows XP Click Obtain DNS server address automatically if you do not know your DNS server IP address es If you know your DNS server IP address es click Use the following DNS server addresses and type them in the Preferred DNS server and Alternate DNS server fields If you have previously configured DNS servers click Advanced and then the DNS tab to order them ...

Page 629: ...twork Connections window Network and Dial up Connections in Windows 2000 NT 11 Turn on your ZyWALL and restart your computer if prompted Verifying Settings 1 Click Start All Programs Accessories and then Command Prompt 2 In the Command Prompt window type ipconfig and then press ENTER You can also open Network Connections right click a network connection click Status and then click the Support tab ...

Page 630: ... Macintosh OS 8 9 Apple Menu 2 Select Ethernet built in from the Connect via list Figure 439 Macintosh OS 8 9 TCP IP 3 For dynamically assigned settings select Using DHCP Server from the Configure list 4 For statically assigned settings do the following From the Configure box select Manually ...

Page 631: ...configuration 7 Turn on your ZyWALL and restart your computer if prompted Verifying Settings Check your TCP IP properties in the TCP IP Control Panel window Macintosh OS X 1 Click the Apple menu and click System Preferences to open the System Preferences window Figure 440 Macintosh OS X Apple Menu 2 Click Network in the icon bar Select Automatic from the Location list Select Built in Ethernet from...

Page 632: ...net mask in the Subnet mask box Type the IP address of your ZyWALL in the Router address box 5 Click Apply Now and close the window 6 Turn on your ZyWALL and restart your computer if prompted Verifying Settings Check your TCP IP properties in the Network window Linux This section shows you how to configure your computer s TCP IP settings in Red Hat Linux 9 0 Procedure screens and file location may...

Page 633: ...elow to configure your computer IP address using the KDE 1 Click the Red Hat button located on the bottom left corner select System Setting and click Network Figure 442 Red Hat 9 0 KDE Network Configuration Devices 2 Double click on the profile of the network card you wish to configure The Ethernet Device General screen displays as shown Figure 443 Red Hat 9 0 KDE Ethernet Device General ...

Page 634: ...9 0 KDE Network Configuration DNS 5 Click the Devices tab 6 Click the Activate button to apply the changes The following screen displays Click Yes to save the changes in all screens Figure 445 Red Hat 9 0 KDE Network Configuration Activate 7 After the network card restart process is complete make sure the Status is Active in the Network Configuration screen Using Configuration Files Follow the ste...

Page 635: ...n the etc directory The following figure shows an example where two DNS server IP addresses are specified Figure 448 Red Hat 9 0 DNS Settings in resolv conf 3 After you edit and save the configuration files you must restart the network card Enter network restart in the etc rc d init d directory The following figure shows an example Figure 449 Red Hat 9 0 Restart Ethernet Card DEVICE eth0 ONBOOT ye...

Page 636: ...s root localhost ifconfig eth0 Link encap Ethernet HWaddr 00 50 BA 72 5B 44 inet addr 172 16 19 129 Bcast 172 16 19 255 Mask 255 255 255 0 UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 RX packets 717 errors 0 dropped 0 overruns 0 frame 0 TX packets 13 errors 0 dropped 0 overruns 0 carrier 0 collisions 0 txqueuelen 100 RX bytes 730412 713 2 Kb TX bytes 1570 1 5 Kb Interrupt 10 Base address 0x100...

Page 637: ...ternet Explorer Pop up Blockers You may have to disable pop up blocking to log into your device Either disable pop up blocking enabled by default in Windows XP SP Service Pack 2 or allow pop up blocking and create an exception for your device s IP address Disable Pop up Blockers 1 In Internet Explorer select Tools Pop up Blocker and then select Turn Off Pop up Blocker Figure 451 Pop up Blocker You...

Page 638: ...y web pop up blockers you may have enabled Figure 452 Internet Options Privacy 3 Click Apply to save this setting Enable Pop up Blockers with Exceptions Alternatively if you only want to allow pop up windows from your device see the following steps 1 In Internet Explorer select Tools Internet Options and then the Privacy tab 2 Select Settings to open the Pop up Blocker Settings screen ...

Page 639: ...uide 639 Figure 453 Internet Options Privacy 3 Type the IP address of your device the web page that you do not want to have blocked with the prefix http For example http 192 168 167 1 4 Click Add to move the IP address to the list of Allowed sites Figure 454 Pop up Blocker Settings ...

Page 640: ...splay properly in Internet Explorer check that JavaScripts are allowed 1 In Internet Explorer click Tools Internet Options and then the Security tab Figure 455 Internet Options Security 2 Click the Custom Level button 3 Scroll down to Scripting 4 Under Active scripting make sure that Enable is selected the default 5 Under Scripting of Java applets make sure that Enable is selected the default 6 Cl...

Page 641: ...ettings Java Scripting Java Permissions 1 From Internet Explorer click Tools Internet Options and then the Security tab 2 Click the Custom Level button 3 Scroll down to Microsoft VM 4 Under Java permissions make sure that a safety level is selected 5 Click OK to close the window Figure 457 Security Settings Java ...

Page 642: ... and then the Advanced tab 2 Make sure that Use Java 2 for applet under Java Sun is selected 3 Click OK to close the window Figure 458 Java Sun Mozilla Firefox Mozilla Firefox 2 0 screens are used here Screens for other versions may vary You can enable Java Javascripts and pop ups in one screen Click Tools then click Options in the screen that appears ...

Page 643: ...pts and Java Permissions ZyWALL 2 Plus User s Guide 643 Figure 459 Mozilla Firefox Tools Options Click Content to show the screen below Select the check boxes as shown in the following screen Figure 460 Mozilla Firefox Content Security ...

Page 644: ...Appendix B Pop up Windows JavaScripts and Java Permissions ZyWALL 2 Plus User s Guide 644 ...

Page 645: ... share a common street name the hosts on a network share a common network number Similarly as each house has its own house number each host on the network has its own unique identifying number the host ID Routers use the network number to send packets to the correct network while the host ID determines to which host on the network the packets are delivered Structure An IP address is made up of fou...

Page 646: ... is part of the host ID The following example shows a subnet mask identifying the network number in bold text and host ID of an IP address 192 168 1 2 in decimal By convention subnet masks always consist of a continuous sequence of ones beginning from the leftmost bit of the mask followed by a continuous sequence of zeros for a total number of 32 bits Subnet masks can be referred to by the size of...

Page 647: ...ed by a continuous number of zeros for the remainder of the 32 bit mask you can simply specify the number of ones instead of writing the value of each octet This is usually specified by writing a followed by the number of bits in the mask after the address For example 192 1 1 0 25 is equivalent to saying 192 1 1 0 with subnet mask 255 255 255 128 The following table shows some possible subnet mask...

Page 648: ...shows the company network before subnetting Figure 462 Subnetting Example Before Subnetting You can borrow one of the host ID bits to divide the network 192 168 1 0 into two separate sub networks The subnet mask is now 25 bits 255 255 255 128 or 25 The borrowed host ID bit can have a value of either 0 or 1 allowing two subnets 192 168 1 0 25 and 192 168 1 128 25 The following figure shows the comp...

Page 649: ...168 1 254 Example Four Subnets The previous example illustrated using a 25 bit subnet mask to divide a 24 bit address into two subnets Similarly to divide a 24 bit address into four subnets you need to borrow two host ID bits to give four possible combinations 00 01 10 and 11 The subnet mask is 26 bits 11111111 11111111 11111111 11000000 or 255 255 255 192 Each subnet contains 6 host ID bits givin...

Page 650: ...Subnet 3 IP SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 128 IP Address Binary 11000000 10101000 00000001 10000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 128 Lowest Host ID 192 168 1 129 Broadcast Address 192 168 1 191 Highest Host ID 192 168 1 190 Table 234 Subnet 4 IP SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 1...

Page 651: ...OST BITS SUBNET MASK NO SUBNETS NO HOSTS PER SUBNET 1 255 255 255 128 25 2 126 2 255 255 255 192 26 4 62 3 255 255 255 224 27 8 30 4 255 255 255 240 28 16 14 5 255 255 255 248 29 32 6 6 255 255 255 252 30 64 2 7 255 255 255 254 31 128 1 Table 237 16 bit Network Number Subnet Planning NO BORROWED HOST BITS SUBNET MASK NO SUBNETS NO HOSTS PER SUBNET 1 255 255 128 0 17 2 32766 2 255 255 192 0 18 4 16...

Page 652: ...red You don t need to change the subnet mask computed by the ZyWALL unless you are instructed to do otherwise Private IP Addresses Every machine on the Internet must have a unique address If your networks are isolated from the Internet running only between two branch offices for example you can assign any IP addresses to the hosts without problems However the Internet Assigned Numbers Authority IA...

Page 653: ...ne if you like Protocol This is the type of IP protocol used by the service If this is TCP UDP then the service uses the same port number with TCP and UDP If this is USER DEFINED the Port s is the IP protocol number not the port number Port s This value depends on the Protocol Please refer to RFC 1700 for further information about port numbers If the Protocol is TCP UDP or TCP UDP this is the IP p...

Page 654: ...ogged on FTP TCP TCP 20 21 File Transfer Program a program to enable fast transfer of files including large files that may not be possible by e mail H 323 TCP 1720 NetMeeting uses this protocol HTTP TCP 80 Hyper Text Transfer Protocol a client server protocol for the world wide web HTTPS TCP 443 HTTPS is a secured http session often used in e commerce ICMP User Defined 1 Internet Control Message P...

Page 655: ...b REXEC TCP 514 Remote Execution Daemon RLOGIN TCP 513 Remote Login RTELNET TCP 107 Remote Telnet RTSP TCP UDP 554 The Real Time Streaming media control Protocol RTSP is a remote control for multimedia on the Internet SFTP TCP 115 Simple File Transfer Protocol SMTP TCP 25 Simple Mail Transfer Protocol is the message exchange standard for the Internet SMTP enables you to move messages from one e ma...

Page 656: ... IP networks Its primary function is to allow users to log into remote host systems TFTP UDP 69 Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP but uses the UDP User Datagram Protocol rather than TCP Transmission Control Protocol VDOLIVE TCP 7000 Another videoconferencing solution Table 238 Commonly Used Services continued NAME PROTOCOL PORT S DESCRIPTION ...

Page 657: ...porting the ZyWALL s Certificate into Internet Explorer For Internet Explorer to trust a self signed certificate from the ZyWALL simply import the self signed certificate into your operating system as a trusted certification authority To have Internet Explorer trust a ZyWALL certificate issued by a certificate authority import the certificate authority s certificate into your operating system as a...

Page 658: ...s ZyWALL 2 Plus User s Guide 658 Figure 465 Login Screen 2 Click Install Certificate to open the Install Certificate wizard Figure 466 Certificate General Information before Import 3 Click Next to begin the Install Certificate wizard ...

Page 659: ...WALL 2 Plus User s Guide 659 Figure 467 Certificate Import Wizard 1 4 Select where you would like to store the certificate and then click Next Figure 468 Certificate Import Wizard 2 5 Click Finish to complete the Import Certificate wizard ...

Page 660: ...Appendix E Importing Certificates ZyWALL 2 Plus User s Guide 660 Figure 469 Certificate Import Wizard 3 6 Click Yes to add the ZyWALL certificate to the root store Figure 470 Root Certificate Store ...

Page 661: ...needs a certificate if Authenticate Client Certificates is selected on the ZyWALL You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be active see the Certificates chapter for details Apply for a certificate from a Certification Authority CA that is trusted by the ZyWALL see the ZyWALL s Trusted CA web configurator screen ...

Page 662: ...ted CA Screen The CA sends you a package containing the CA s trusted certificate s your personal certificate s and a password to install the personal certificate s Installing the CA s Certificate 1 Double click the CA s trusted certificate to produce a screen similar to the one shown next ...

Page 663: ...the wizard as shown earlier in this appendix Installing Your Personal Certificate s You need a password in advance The CA may issue the password or you may have to specify it during the enrollment Double click the personal certificate given to you by the CA to produce a screen similar to the one shown next 1 Click Next to begin the wizard ...

Page 664: ...ificate Import Wizard 1 2 The file name and path of the certificate you double clicked should automatically appear in the File name text box Click Browse if you wish to import a different certificate Figure 475 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA ...

Page 665: ...mport Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location Figure 477 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process ...

Page 666: ...rd 6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS 1 Enter https ZyWALL IP Address in your browser s web address field Figure 480 Access the ZyWALL Via HTTPS 2 When Authenticate Client Certificates is selected on the ZyWALL the following screen asks you to select a personal certificate to send to the ZyWALL This screen displays eve...

Page 667: ...Appendix E Importing Certificates ZyWALL 2 Plus User s Guide 667 Figure 481 SSL Client Authentication 3 You next see the ZyWALL login screen Figure 482 ZyWALL Secure Login Screen ...

Page 668: ...Appendix E Importing Certificates ZyWALL 2 Plus User s Guide 668 ...

Page 669: ...tice Trademarks ZyNOS ZyXEL Network Operating System is a registered trademark of ZyXEL Communications Inc Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners Certifications Federal Communications Commission FCC Interference Statement The device complies with Part 15 of FCC rules Operation is subject to the follo...

Page 670: ... the date of purchase During the warranty period and upon proof of purchase should the product have indications of failure due to faulty workmanship and or materials ZyXEL will at its discretion repair or replace the defective products or components without charge for either parts or labor and to whatever extent it shall deem necessary to restore the product or components to proper operating condi...

Page 671: ...d by ZyXEL to the corresponding return address Postage Paid This warranty gives you specific legal rights and you may also have other rights that vary from country to country Registration Register your product online to receive e mail notices of firmware upgrades and information at www zyxel com for global products or at www us zyxel com for North American products ...

Page 672: ...Appendix F Legal Information ZyWALL 2 Plus User s Guide 672 ...

Page 673: ...E mail support zyxel com tw Sales E mail sales zyxel com tw Telephone 886 3 578 3942 Fax 886 3 578 2439 Web www zyxel com www europe zyxel com FTP ftp zyxel com ftp europe zyxel com Regular Mail ZyXEL Communications Corp 6 Innovation Road II Science Park Hsinchu 300 Taiwan Costa Rica Support E mail soporte zyxel co cr Sales E mail sales zyxel co cr Telephone 506 2017878 Fax 506 2015098 Web www zyx...

Page 674: ...0 8448 Web www zyxel fi Regular Mail ZyXEL Communications Oy Malminkaari 10 00700 Helsinki Finland France E mail info zyxel fr Telephone 33 4 72 52 97 97 Fax 33 4 72 52 19 20 Web www zyxel fr Regular Mail ZyXEL France 1 rue des Vergers Bat 1 C 69760 Limonest France Germany Support E mail support zyxel de Sales E mail sales zyxel de Telephone 49 2405 6909 69 Fax 49 2405 6909 99 Web www zyxel de Reg...

Page 675: ...inagawa ku Tokyo 141 0022 Japan Kazakhstan Support http zyxel kz support Sales E mail sales zyxel kz Telephone 7 3272 590 698 Fax 7 3272 590 689 Web www zyxel kz Regular Mail ZyXEL Kazakhstan 43 Dostyk Ave Office 414 Dostyk Business Centre 050010 Almaty Republic of Kazakhstan Malaysia Support E mail support zyxel com my Sales E mail sales zyxel com my Telephone 603 8076 9933 Fax 603 8076 9833 Web ...

Page 676: ... Okrzei 1A 03 715 Warszawa Poland Russia Support http zyxel ru support Sales E mail sales zyxel ru Telephone 7 095 542 89 29 Fax 7 095 542 89 25 Web www zyxel ru Regular Mail ZyXEL Russia Ostrovityanova 37a Str Moscow 117279 Russia Singapore Support E mail support zyxel com sg Sales E mail sales zyxel com sg Telephone 65 6899 6678 Fax 65 6899 8887 Web http www zyxel com sg Regular Mail ZyXEL Singa...

Page 677: ...Mail ZyXEL Thailand Co Ltd 1 1 Moo 2 Ratchaphruk Road Bangrak Noi Muang Nonthaburi 11000 Thailand Ukraine Support E mail support ua zyxel com Sales E mail sales ua zyxel com Telephone 380 44 247 69 78 Fax 380 44 494 49 32 Web www ua zyxel com Regular Mail ZyXEL Ukraine 13 Pimonenko Str Kiev 04050 Ukraine United Kingdom Support E mail support zyxel co uk Sales E mail sales zyxel co uk Telephone 44 ...

Page 678: ...Appendix G Customer Support ZyWALL 2 Plus User s Guide 678 ...

Page 679: ...andwidth management 351 address type 361 bandwidth borrowing 355 bandwidth class 351 bandwidth filter 351 360 class configuration 359 class setup 358 fairness based scheduler 353 maximize bandwidth usage 353 358 monitor 363 priority based scheduler 353 proportional allocation 352 root class 358 scheduler 353 358 statistics 362 sub class layers 358 baud 467 BPDU 146 bridge firewall 57 147 456 Bridg...

Page 680: ...col 451 DDNS configuration 476 477 host 479 offline 479 type 479 use server detected IP 479 wildcard 479 default configuration 53 default server IP address 340 default settings 461 Denial of Service See DoS device introduction 47 DHCP 65 135 136 374 493 Relay 493 Server 493 WAN 568 DHCP clients 448 DHCP table 65 diagnostic 567 diagnostics 462 dial timeout 485 Diffie Hellman key group 258 Perfect F...

Page 681: ...g rules 208 custom ports 216 DoS 214 Dos threshold 214 maximum incomplete high 214 maximum incomplete low 214 one minute high 214 one minute low 214 rules 191 rules for VPN 89 93 service type 216 SMT menus 539 stateful inspection 191 TCP maximum incomplete 214 three way handshake 212 threshold 213 VPN 93 when to use 553 firmware file maintenance 571 upload 457 firmware upload 579 FTP 580 flow cont...

Page 682: ...263 encryption key manual keys 281 local and remote network any 270 local policy 270 manual keys 281 misconfiguration 270 nail up 262 Perfect Forward Secrecy PFS 273 proposal 273 remote policy 270 SA life time 262 Security Parameter Index SPI manual keys 281 transport mode 272 tunnel mode 272 when IKE SA is disconnected 262 270 IPSec SA See also VPN IPSec See also VPN ISP parameters 70 L LAN 136 p...

Page 683: ...48 468 path cost 146 Perfect Forward Secrecy see PFS PFS 273 Diffie Hellman key group 273 PIN number 129 ping 568 Point to Point Protocol over Ethernet See PPPoE Point to Point Tunneling Protocol See PPTP pool of IP addresses 135 138 port filter setup DMZ 501 LAN 491 port forwarding 340 port restricted cone NAT 334 port statistics 64 Power Specification 613 PPPoE client 499 encapsulation 71 157 49...

Page 684: ...4 495 516 direction 135 495 version 135 495 516 Routing Information Protocol See RIP RSTP 146 RTC 449 591 RTP 412 S SA life time 262 safety warnings 6 schedule 511 514 duration 600 scheduler 353 screws 617 secure FTP using SSH 389 secure Telnet using SSH 387 security associations See VPN security settings for VPN traffic 89 server set 523 service type 216 498 510 services 127 Session Initiation Pr...

Page 685: ...l 451 Daytime 451 NTP 451 Time 451 time setting 591 timeout system 378 trace 562 trademarks 669 traffic redirect 163 transparent firewall 57 147 456 triangle routes 202 vs virtual interfaces 202 trigger port forwarding 537 Trivial File Transfer Protocol See TFTP troubleshooting 462 U unicast 135 Universal Plug and Play See UPnP upgrading firmware 457 upload 583 firmware 579 UPnP 399 400 examples 4...

Page 686: ...terminal emulation 467 W WAN file maintenance 574 WAN DHCP 568 WAN IP address 153 WAN setup 481 warranty 670 note 670 web configurator 51 web site hits 426 427 Windows Internet Naming Service See WINS WINS 136 138 WINS server 138 wireless channel 610 wireless LAN 610 wireless security 610 wizard setup 69 WLAN IP alias 506 setup 505 TCP IP setup 506 WWW 379 www dyndns org 479 X Xmodem 583 file uplo...

Reviews:

No comments

Related manuals for ADSL 2+ Security Gateway

Brand: GajShield Pages: 12

M4050 - Network Security Platform

Brand: McAfee Pages: 95

Brand: Fortinet Pages: 12

FortiGate 1000D

Brand: Fortinet Pages: 14

Brand: Fortinet Pages: 20

Brand: Fortinet Pages: 54

Brand: Fortinet Pages: 56

FortiGate 310B-LENC

Brand: Fortinet Pages: 2

SecPath F1000-AI-5 Series

Brand: H3C Pages: 70

Brand: Hillstone Pages: 50

Brand: Sophos Pages: 2

Brand: Sophos Pages: 4

Brand: Sophos Pages: 2

Brand: Sophos Pages: 8

Brand: Sophos Pages: 9

Brand: Sophos Pages: 15

Brand: Sophos Pages: 14

Brand: Sophos Pages: 28

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands