manualshive.com logo in svg

ZyXEL Communications VANTAGE CNM 2.0 -, User Manual

The ZyXEL Communications VANTAGE CNM 2.0 - User Manual is essential for harnessing the full potential of this product. Download your free manual from our website, ensuring a comprehensive understanding of its features and functionality. Explore a wealth of information to optimize your product experience, exclusively at manualshive.com.

Share
Download
background image

Vantage CNM 2.0 User’s Guide

169

Chapter 12 Configuration > Firewall

Weaknesses in the TCP/IP specification leave it open to "SYN Flood" and "LAND" attacks. 
These attacks are executed during the handshake that initiates a communication session 
between two applications. Under normal circumstances, the application that initiates a session 
sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK 
(acknowledgment) packet and its own SYN, and then the initiator responds with an ACK 
(acknowledgment). After this handshake, a connection is established. 

SYN Attack floods a targeted system with a series of SYN packets. 
Each packet causes the targeted system to issue a SYN-ACK 
response. While the targeted system waits for the ACK that follows 
the SYN-ACK, it queues up all outstanding SYN-ACK responses on 
what is known as a backlog queue. SYN-ACKs are moved off the 
queue only when an ACK comes back or when an internal timer 
(which is set at relatively long intervals) terminates the three-way 
handshake. Once the queue is full, the system will ignore all 
incoming SYN requests, making the system unavailable for 
legitimate users.

In  a  LAND Attack, hackers flood SYN packets into the network with 
a spoofed source IP address of the targeted system. This makes it 
appear as if the host computer sent the packets to itself, making the 
system unavailable while the target system tries to respond to itself. 

3

Brute-force attacks that flood a network with useless data. 

brute-force attack, such as a "Smurf" attack, targets a feature in the IP specification known 
as directed or subnet broadcasting, to quickly flood the target network with useless data. A 
Smurf hacker floods a router with Internet Control Message Protocol (ICMP) echo request 
packets (pings). Since the destination IP address of each packet is the broadcast address of the 
network, the router will broadcast the ICMP echo request packet to all hosts on the network. If 
there are numerous hosts, this will create a large amount of ICMP echo request and response 
traffic. If a hacker chooses to spoof the source IP address of the ICMP echo request packet, the 
resulting ICMP traffic will not only clog up the "intermediary" network, but will also congest 
the network of the spoofed source IP address, known as the "victim" network. This flood of 
broadcast traffic consumes all available bandwidth, making communications impossible.

ICMP Vulnerability 

ICMP is an error-reporting protocol that works in concert with IP. The following ICMP types 
trigger an alert:

• Illegal Commands (NetBIOS and SMTP)

Table 60   ICMP Commands That Trigger Alerts

13

TIMESTAMP_REQUEST

5

REDIRECT

14

TIMESTAMP_REPLY

17

ADDRESS_MASK_REQUEST

18

ADDRESS_MASK_REPLY

Summary of Contents for VANTAGE CNM 2.0 -

Page 1: ...Vantage CNM 2 0 Centralized Network Management User s Guide Version 2 0 00 81 10 2 0 00 61 10 July 2004 ...

Page 2: ...n All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does it convey any license under its patent rights nor the patent rights of others ZyXEL further reserves the right to make changes in any products described herein without notice This publication is subject to change without notice Tradema...

Page 3: ...is returned to ZyXEL with a copy of your receipt This Limited Warranty is void if failure of the SOFTWARE has resulted from accident abuse or misapplication Any replacement SOFTWARE will be warranted for the remainder of the original warranty period or thirty 30 days whichever is longer Outside Taiwan neither these remedies nor any product support services offered by ZyXEL are available without pr...

Page 4: ...ww zyxel de ZyXEL Deutschland GmbH Adenauerstr 20 A2 D 52146 Wuerselen Germany sales zyxel de 49 2405 6909 99 FRANCE info zyxel fr 33 0 4 72 52 97 97 www zyxel fr ZyXEL France 1 rue des Vergers Bat 1 C 69760 Limonest France 33 0 4 72 52 19 20 SPAIN support zyxel es 34 902 195 420 www zyxel es ZyXEL Communications Alejandro Villegas 33 1º 28043Madrid Spain sales zyxel es 34 913 005 345 DENMARK supp...

Page 5: ...Building Blocks 30 1 1 4 Multiple Domain Administration 30 1 1 5 Complete Device Configuration 30 1 1 6 Configuration Synchronization 30 1 1 7 Firewall 31 1 1 8 One Click VPN 31 1 1 9 Configuration File Management 31 1 1 10 Firmware Upgrade 31 1 1 11 Monitoring and Notifications 31 1 1 12 Logs 31 1 1 13 Data Maintenance 31 1 1 14 Vantage System Management 31 1 1 15 License Management 31 1 2 Vantag...

Page 6: ...Syntax 50 3 3 2 2 Minimum Mandatory Device Settings 51 3 4 Device Vantage Data Inconsistency Synchronize 52 3 4 1 Vantage Device Override Criteria 53 3 4 1 1 Vantage CNM Override Device 53 3 4 1 2 Device Override Vantage CNM 53 3 4 1 3 Synchronizing Device with Vantage 53 3 5 Firmware Management 53 3 5 1 Add Firmware Screen 54 3 5 2 Firmware Upgrade Select Product Line and Mode 55 3 5 3 Firmware U...

Page 7: ...77 5 6 Configuring LAN IP Alias ZyWALL 78 Chapter 6 Configuration WLAN 82 6 1 Wireless LAN Overview 82 6 1 1 Additional Installation Requirements for using 802 1x 82 6 2 Wireless LAN Basics 82 6 2 1 Channel 82 6 2 2 ESS ID 82 6 2 3 RTS CTS 83 6 2 4 Fragmentation Threshold 84 6 2 5 WEP 84 6 3 Configuring Wireless LAN 84 6 3 1 WLAN Wireless 85 6 4 Configuring MAC Filter 86 6 5 802 1x Overview 87 6 5...

Page 8: ...2 8 3 3 1 AT Command Strings 112 8 3 4 Edit Dial Backup ZyWALL 114 8 4 General WAN Prestige 116 8 4 1 Traffic Shaping 117 8 4 2 Configuring Prestige WAN Setup 117 8 4 3 WAN Backup Prestige 122 8 4 3 1 Traffic Redirect 122 8 4 4 Configuring WAN Backup Prestige 122 8 4 5 Configuring Advanced WAN Backup Prestige 125 8 4 6 Advanced Modem Setup Prestige 128 Chapter 9 Configuration NAT 130 9 1 NAT Overv...

Page 9: ...4 Data Confidentiality 148 11 1 5 Data Integrity 148 11 1 6 Data Origin Authentication 149 11 1 7 IPSec Algorithms 149 11 1 7 1 AH Authentication Header Protocol 149 11 1 7 2 ESP Encapsulating Security Payload Protocol 149 11 1 8 Key Management 150 11 1 9 Encapsulation 150 11 1 9 1 Transport Mode 150 11 1 9 2 Tunnel Mode 150 11 1 10 IPSec and NAT 151 11 1 11 Keep Alive 151 11 1 12 NAT Traversal 15...

Page 10: ...ty 172 12 4 4 UDP ICMP Security 173 12 4 5 Upper Layer Protocols 173 12 4 6 Firewall Policies Overview 173 12 4 7 Rule Checklist 175 12 4 8 Security Ramifications 175 12 4 9 Key Fields For Configuring Rules 176 12 4 9 1 Action 176 12 4 9 2 Service 176 12 4 9 3 Source Address 176 12 4 9 4 Destination Address 176 12 4 10 Alerts 176 12 4 11 Services and Port Numbers 176 12 5 Firewall Configuration Sc...

Page 11: ...tion Select 200 16 3 3 Adding a New BB 200 16 4 Configuration BBs 201 16 4 1 Adding a Configuration BB 202 16 4 2 Editing a Configuration BB 203 16 5 Component BBs 204 16 5 1 Adding a Component BB 205 16 5 1 1 Adding a Component BB IP Type 205 16 5 1 2 Adding a Component BB E mail Type 206 16 5 2 Editing a Component BB 207 Chapter 17 System Administrators 208 17 1 Introduction to Administrators 20...

Page 12: ... 226 18 5 System Maintenance 228 18 5 1 System Maintenance Management 228 18 5 2 Back Up System Maintenance 228 18 5 3 Restore System Maintenance 229 18 6 Address Book 230 18 6 1 Address Book Add Edit 231 18 7 Certificate Management Overview 232 18 7 1 Advantages of Certificates 233 18 7 2 Current Certification Information 233 18 7 3 Create a Certificate 235 18 7 4 Importing Certificates 235 18 8 ...

Page 13: ...255 Appendix B Configuring the Kiwi Syslog Daemon 258 Installing the Kiwi Syslog Daemon 258 Importing the Syslog Configuration File 259 Starting the Telnet Service 261 Setting Up the Syslog Server in Vantage 262 Appendix C FTP and syslog Server Overview 264 Introduction 264 Appendix D Java Console Debug Messages 266 Introduction 266 Appendix E IP Subnetting 270 IP Addressing 270 IP Classes 270 Sub...

Page 14: ... 802 11 292 Benefits of a Wireless LAN 292 IEEE 802 11 292 Ad hoc Wireless LAN Configuration 293 Infrastructure Wireless LAN Configuration 293 Appendix I Wireless LAN With IEEE 802 1x 296 Security Flaws with IEEE 802 11 296 Deployment Issues with IEEE 802 11 296 IEEE 802 1x 296 Advantages of the IEEE 802 1x 296 RADIUS Server Authentication Sequence 297 Appendix J Types of EAP Authentication 298 In...

Page 15: ... 316 Common Public License Version 1 0 317 Cryptix General License 321 TECHNOLOGY LICENSE FROM SUN MICROSYSTEMS INC TO DOUG LEA 322 JAVA Software Technologies 323 Apache License 325 Copyright c 2002 2003 Gargoyle Software Inc All rights reserved 330 GNU LESSER GENERAL PUBLIC LICENSE 331 GNU GENERAL PUBLIC LICENSE 338 End User License Agreement for Vantage CNM 343 Index 348 ...

Page 16: ...on Wizard Choices 48 Figure 17 Device Registration Manual Registration 49 Figure 18 Registration Wizard Configuration File 52 Figure 19 Registration XML File Devices 52 Figure 20 Registration Wizard Finish 52 Figure 21 Device Synchronize 53 Figure 22 Device Firmware Management 54 Figure 23 Device Firmware Management Add Firmware 55 Figure 24 Device Firmware Upgrade 55 Figure 25 TypeView 55 Figure ...

Page 17: ...ration WAN Dial Backup Advanced ZyWALL 113 Figure 58 Configuration WAN Dial Backup Edit ZyWALL 115 Figure 59 Example of Traffic Shaping 117 Figure 60 Configuration WAN Setup Prestige Bridge Mode 118 Figure 61 Configuration WAN Setup Prestige Routing Mode 120 Figure 62 Configuration WAN Backup Prestige 123 Figure 63 Advanced WAN Backup Prestige 126 Figure 64 Configuration NAT 133 Figure 65 Configur...

Page 18: ... BB Add 205 Figure 99 Building Block Component BB Add IP Address 206 Figure 100 Building Block Component BB Add E Mail Address 206 Figure 101 Component BBs Added 207 Figure 102 Building Block Component BB Edit 207 Figure 103 System View Administrator List 210 Figure 104 System Administrator Details 211 Figure 105 System Administrator Permissions 212 Figure 106 System Vantage Status 214 Figure 107 ...

Page 19: ...igure 140 Setup 252 Figure 141 Wizard 1 252 Figure 142 Information 253 Figure 143 Installation Type 253 Figure 144 Installation Directory 254 Figure 145 Create Directory 254 Figure 146 Begin Installation 254 Figure 147 Run WFTPD 255 Figure 148 WFTPD Main Screen 255 Figure 149 Windows Services 256 Figure 150 WFTPD Properties 256 Figure 151 WFTPD Pro Log On 257 Figure 152 Kiwi Syslog Daemon Installa...

Page 20: ...s Properties 283 Figure 172 Windows XP Local Area Connection Properties 283 Figure 173 Windows XP Advanced TCP IP Settings 284 Figure 174 Windows XP Internet Protocol TCP IP Properties 285 Figure 175 Macintosh OS 8 9 Apple Menu 286 Figure 176 Macintosh OS 8 9 TCP IP 286 Figure 177 Macintosh OS X Apple Menu 287 Figure 178 Macintosh OS X Network 288 Figure 179 Virtual Circuit Topology 290 Figure 180...

Page 21: ...guration LAN IP Prestige 76 Table 19 Configuration LAN Static DHCP ZyWALL 78 Table 20 Configuration LAN IP Alias 79 Table 21 Configuration WLAN Wireless 85 Table 22 Configuration WLAN MAC Filter 87 Table 23 Configuration WLAN 802 1x ZyWALL 88 Table 24 Configuration WLAN 802 1x Prestige 89 Table 25 Configuration WLAN Local User 91 Table 26 Configuration WLAN RADIUS 94 Table 27 Configuration DMZ 97 ...

Page 22: ... Table 57 Configuration VPN Tunnel IPSec Detail 157 Table 58 Configuration VPN Manual Tunnel IPSec Detail 162 Table 59 Configuration VPN NetBIOS 164 Table 60 ICMP Commands That Trigger Alerts 169 Table 61 Legal NetBIOS Commands 170 Table 62 Legal SMTP Commands 170 Table 63 Services and Port Numbers 176 Table 64 Configuration Firewall 178 Table 65 Configuration Firewall DoS Settings 180 Table 66 Co...

Page 23: ...able 99 System Preferences Notifications 225 Table 100 System Preferences Permissions 226 Table 101 System Preferences Permissions Add 227 Table 102 System Maintenance Management 228 Table 103 System Maintenance Backup 229 Table 104 System Maintenance Restore 230 Table 105 System Address Book 231 Table 106 System Address Book Add Edit 232 Table 107 System Certificate Management Information 234 Tab...

Page 24: ...1 Table 134 Access Control Logs 301 Table 135 TCP Reset Logs 302 Table 136 Packet Filter Logs 302 Table 137 ICMP Logs 303 Table 138 CDR Logs 303 Table 139 PPP Logs 303 Table 140 UPnP Logs 304 Table 141 Content Filtering Logs 304 Table 142 Attack Logs 305 Table 143 IPSec Logs 306 Table 144 IKE Logs 306 Table 145 PKI Logs 309 Table 146 Certificate Path Verification Failure Reason Codes 310 Table 147...

Page 25: ...Compact Guide The Compact Guide is designed to help you get up and running right away They contain connection information and instructions on getting started Web Configurator Online Help Embedded web help for descriptions of individual screens and supplementary information ZyXEL Glossary and Web Site Please refer to www zyxel com for an online glossary of networking terms and additional support do...

Page 26: ...ge version that is documented in this User s Guide Enter means for you to type one or more characters and press the carriage return Select or Choose means for you to use one of the predefined choices The choices of a menu item are in Bold Arial font Mouse action sequences are denoted using a For example click Configuration LAN IP Alias means first click Configuration then click LAN and finally cli...

Page 27: ...ly configure both existing and new devices by reusing multiple configurations a device s single configuration or a configuration component ensuring absolute consistency across devices As you use Vantage longer it will become even easier to use as you build up valuable BB repositories 1 1 4 Multiple Domain Administration Associate administrators to domains that you specify in the object tree allowi...

Page 28: ...e alarm screens to know what is going on in your management domain Alarms are warnings of hardware failure security breaches attacks or illegal Vantage login attempts You can configure Vantage to notify you by e mail in the event a device goes down or has triggered an alarm You can also configure Vantage to automatically notify device owners and other administrators when a configuration such as fi...

Page 29: ...Vantage CNM 2 0 User s Guide Chapter 1 Introducing Vantage 32 1 2 Vantage Requirements and Installation For Vantage setup requirements access and installation see the Quick Start Guide ...

Page 30: ...Vantage CNM 2 0 User s Guide 33 Chapter 1 Introducing Vantage ...

Page 31: ... user interface Figure 1 Main Screen Main Menu Components The main screen consists of two non resizable panes the object pane and the content pane 2 1 1 Object Pane The bottom of the object pane consists of an object tree view types list box where you can select a logical view of the devices The top of the object pane has a Search function where you can search for devices ...

Page 32: ...oup folders and account folders up to seven layers deep Figure 3 Details Screen Click Add in this screen to create a new custom view such as by geographic area Give the view a unique name and write a note to further describe it To edit or delete an existing view select the target view in Figure B 3 and then click Edit or Delete Click Close to close the screen 2 3 Searches Select a folder first to ...

Page 33: ...n asking you if you want to delete the root folder and un map the devices within the folder to the Add devices screen or Delete the folder and un map the devices within the folder The device is still registered with Vantage but no longer associated with the folder The latter action also disables Vantage within the device 3 Associate Links an administrator to this folder This folder and all sub fol...

Page 34: ...eric folder Group or customer folder Account where all devices within the folder belong to one customer You can configure the Account folder to display the name of the customer on the folder in the object tree see Configuration General Customer Information When you add a folder you must enter a new folder group name Figure 8 Add New Folder Group Name 5 Alarm Alarms are real time warnings of hardwa...

Page 35: ...ssword you can log in directly and configure any item You should synchronize with Vantage afterwards 2 6 Content Pane The content pane contains the configuration screen which also displays the object path the folder or device you selected in the object tree and the menu path the screen you have open 2 6 1 Object Path The Object Path shows the folder or parent folder of the device you have clicked ...

Page 36: ... For Configuring A Device The default when you first enter Vantage is the root node in the object tree and Device Status menu 1 Select a device in the object pane 2 Select an item from a drop down menu Device Configuration Building Block System or Monitor If the selected device does not have a certain configuration DMZ or wireless for example then DMZ or WLAN will appear grayed out in the Configur...

Page 37: ...e found in step 2 with the one copied in step 1 2 10 Icon Key Note It is not advisable to replace this file if other applications use the Java plug in Vantage CNM 2 0 functions normally whether the replacement is made or not Table 2 Object Tree Icons ICON DESCRIPTION This is an account folder where you can see the devices and folders inside and which contain some devices with an alarm This is an a...

Page 38: ...ce with an alarm and has firmware uploading This is a Prestige device with firmware uploading Click this icon to refresh the current topology tree Click this icon to view the topology detail information for the current user Table 3 Pop up Menus Icons ICON DESCRIPTION Click this icon to Add a new topology view Click this icon to Edit the selected topology view Click this icon to Delete the selected...

Page 39: ...n represents a Web Help link This is a checkbox that allows you to make multiple selections from a group This is a radio button allows you to make one selection from a group Type text in a text box Choose from a list of pre defined choices from a list box This is a Browse icon allowing you to select a file external to Vantage Table 5 VPN Editor Icons ICON DESCRIPTION ICON Description Add a new tun...

Page 40: ...Vantage CNM 2 0 User s Guide 43 Chapter 2 GUI Introduction ...

Page 41: ...ce Menus 3 1 Device Menus Overview The Device menus allow you to register your device synchronize devices and manage firmware and configuration files 3 1 1 Device Main Screen Device Status is the default first screen you see the default folder in the Object pane is root ...

Page 42: ... that will have a firmware upload After they are turned on Vantage will wait up to twenty minutes to upload the firmware On_Alarm_Firmware You can view all devices that have an alarm that is turned on and have firmware uploading Off_Alarm_Firmware You can view all devices that have an alarm that is turned off and will have a firmware upload Device Name This field displays the user defined name for...

Page 43: ...e using the device registration wizard Select a folder not a device in the object tree to have the new devices automatically mapped to that folder Table 7 Device Status Single Device LABEL DESCRIPTION Device Name This field displays the user defined name for example test1 Type This field displays the ZyXEL device model MAC This field displays the LAN MAC address of the ZyXEL device IP This field d...

Page 44: ... name is pre selected here Figure 15 Device Registration Owner Selection In the following screen select a radio button to either Manually add When you choose this option you must enter the information shown in Figure 1 6 for a single device at a time Import from an XML batch registration file choose this option if you want to input a batch of devices in one go Go to the XML folder within the Vanta...

Page 45: ...erface mode SMT 24 8 for devices with SMT menus 2 Type CNM encrymode X where 3 To set the encryption key on the ZyXEL device type CNM encrykey xxxxxxxxx where xxxxxxxxx is the alphanumeric encryption key 0 to 9 a to z or A to Z in the Vantage server 3 3 1 2 Configuring ZyXEL Device using Web Configurator To set the encryption mode on the ZyXEL device do the following Log into the device web config...

Page 46: ...for the ZyXEL device for identification purposes The device name cannot exceed ten characters Device Type Select the ZyXEL device type from the pull down menu Set Vantage CNM configuration to device Select this radio button to have Vantage push all current configurations from Vantage to the device The current device configuration is then reset to the configuration settings that Vantage contains Ge...

Page 47: ...r Vantage will not list that device as a device that can be imported 3 XML fields must not contain a return character For example the format below is forbidden mac 00a0c544e2fc mac You must write the field in one line like this mac 00a0c544e2fc mac 4 A field must contain the correct value type You can t write a string in a field that should contain an integer value For example the following is wro...

Page 48: ...t name type ZyWALL10W type needReset true needReset encryptMode 1 encryptMode encryptKey abcdefgh encryptKey General LAN ZWWAN ZyXELDevice ZyXEL These are the equivalent settings by using the manual device registration wizard screen After you have completed the XML file click Browse to locate it in the next screen and then click Next Note We recommend you either fill in these settings only for eac...

Page 49: ...ices that are displayed in this screen Click Finish to go to a Device Registration Finished screen showing what files you have successfully registered Figure 19 Registration XML File Devices Figure 20 Registration Wizard Finish 3 4 Device Vantage Data Inconsistency Synchronize Click Device Synchronize to have Vantage check for data inconsistencies in the selected object Data inconsistencies may oc...

Page 50: ...s the device web configurator to view discrepancy details between corresponding configurations When you understand the discrepancy you can then decide to allow Vantage to override the device configuration or vice versa Figure 21 Device Synchronize 3 5 Firmware Management Use the Firmware Management screen to download ZyXEL device firmware from the ZyXEL FTP site to Vantage After you download it to...

Page 51: ... This is the file list number FW Alias This is the firmware file name Device Type This field displays the model You must upload firmware to the correct model For example firmware for P650R 11 is not compatible with the P650R 13 model Vantage should automatically detect firmware for the device selected Uploading incorrect firmware may damage the device FW Version This field displays ZyNOS ZyXEL net...

Page 52: ...ade firmware to several homogeneous devices at the same time Vantage can upload firmware from 20 to 50 devices at a time depending on your network bandwidth You can upload firmware in the Main View or in Type View Figure 25 TypeView 3 5 2 Firmware Upgrade Select Product Line and Mode If you select a device in the object tree Figure 27 on page 56 will be shown select a folder in the object tree and...

Page 53: ...gure 9 on page 54 for field descriptions Click Upgrade to begin the device upgrade process 3 5 4 Advisory Notes on Firmware Upgrade It is advisable to upgrade firmware during periods of low network activity since each device must restart after firmware upload You should also notify device owners before you begin the upload See the System Preferences Notifications screen 3 5 5 Configuration File Us...

Page 54: ...omputer from which you re accessing Vantage Once your device is configured and functioning properly it is highly recommended that you back up your configuration file before making configuration changes The backup configuration file will be useful in case you need to return to your previous settings Table 10 Device Configuration File Management TYPE DESCRIPTION Index This displays a number assigned...

Page 55: ...ile Back Up TYPE DESCRIPTION Destination Select the radio button to give the download destination to Vantage File Path and Name Type in the location of the file you want to upload in this field Description Type a description of the file backup To Computer Select the radio button to give the download destination to your computer Back Up Click the Backup button to proceed to a dialog box where your ...

Page 56: ...r Select this radio button to upload a configuration file From Vantage File Path and Name Select a file from the drop down list box From Computer Select this radio button to upload a configuration file from your computer File Path and Name Type in the location of the file you want to upload in this field or click Browse to find it Upload Click Upload to begin the upload process ...

Page 57: ...e screen shows the current device configuration If you re unfamiliar with ZyXEL device configurations please consult your device User s Guide Configuration General can be saved as one Configuration BB 4 1 Select Device BB A device BB Building Block is a combination of configuration BBs A device s device BB varies by model type The following figures show device BBs for the ZyWALL 10W and ZyWALL 70 ...

Page 58: ...Vantage CNM 2 0 User s Guide 61 Chapter 4 Configuration Select Device BB General Figure 31 ZyWALL 10W Device BB Figure 32 ZyWALL 70 35 5 Device BB ...

Page 59: ... with a unique device BB name 4 Select the device to which you want to paste this configuration 5 Click Configuration Select Device BB to display the next screen 6 Click the Load a BB icon and select the BB you just saved 7 Click the Apply button to save that configuration to the device 8 This device configuration can then be further fine tuned using the regular configuration menus and saved as an...

Page 60: ...ered when you manually register the ZyXEL device Device Type This field displays the ZyXEL device type selected in the object tree Encryption Mode You may choose to encrypt traffic between the ZyXEL device and the Vantage server here Choose from None no encryption DES or 3DES The ZyXEL device must be set to the same encryption mode and have the same encryption key as the Vantage server You do not ...

Page 61: ...e minutes log back into the device First DNS Server Second DNS Server Third DNS Server DNS Domain Name System is for mapping a domain name to its corresponding IP address and vice versa These DNS servers refer to the device system DNS server The device uses a system DNS server in the order you specify here to resolve domain names for VPN DDNS and the timeserver Select From ISP if the ISP dynamical...

Page 62: ...d Select the check box to enable DYNDNS Wildcard Host Names 1 3 Enter the host names in the three fields provided You can specify up to two host names in each field separated by a comma Off Line This option is available when CustomDNS is selected in the DDNS Type field Check with your Dynamic DNS service provider to have traffic redirected to a URL that you can specify while you are off line Edit ...

Page 63: ...BEL DESCRIPTION Time Protocol or Use Time Server when Bootup Select the time service protocol that your timeserver sends when you turn on the device Not all time servers support all protocols so you may have to check with your ISP network administrator or use trial and error to find a protocol that works The main difference between them is the format Daytime RFC 867 format is day month year time z...

Page 64: ...light in the evening Start Date Enter the month and day that your daylight savings time starts on if you selected Daylight Savings End Date Enter the month and day that your daylight savings time ends on if you selected Daylight Savings Calibrate Prestige only Select the check box to have your Prestige use the timeserver that you configured above to set its internal system clock Apply Click Apply ...

Page 65: ...ode here Region Select the country or region from the list Telephone Number Type the customer s telephone number including country code and area code here E mail Type the customer s e mail address here or select from a previously created e mail component BB You may also save a newly entered e mail address as a new e mail component BB Apply Click Apply to create the BB This BB is then available in ...

Page 66: ...Vantage CNM 2 0 User s Guide 69 Chapter 4 Configuration Select Device BB General ...

Page 67: ...for the clients If set to None DHCP service will be disabled and you must have another DHCP server on your LAN or else the computer must be manually configured 5 2 1 IP Pool Setup The ZyXEL device is pre configured with a pool of 32 IP addresses starting from 192 168 1 33 to 192 168 1 64 This configuration leaves 31 IP addresses excluding the ZyXEL device itself in the lower range for other server...

Page 68: ...ted but RIP 2 carries more information RIP 1 is probably adequate for most networks unless you have an unusual network topology Both RIP 2B and RIP 2M send routing data in RIP 2 format the difference being that RIP 2B uses subnet broadcasting while RIP 2M uses multicasting Multicasting can reduce the load on non router machines since they generally do not listen to the RIP multicast address and so...

Page 69: ...assigned to the multicast routers group The ZyXEL device supports both IGMP version 1 IGMP v1 and IGMP version 2 IGMP v2 At start up the ZyXEL device queries all directly connected networks to gather group membership After that the ZyXEL device periodically updates this information IP multicasting can be enabled disabled on the ZyXEL device LAN and or WAN interfaces in the web configurator LAN WAN...

Page 70: ...to obtain TCP IP configuration at startup from a server When configured as a server the ZyXEL device provides TCP IP configuration for the clients If not DHCP service is disabled and you must have another DHCP server on your LAN or else the computer must be manually configured When set as a server fill in the rest of the DHCP setup fields IP Pool Starting Address This field specifies the first of ...

Page 71: ... click Apply Select None if you do not want to configure DNS servers If you do not configure a DNS server you must know the IP address of a machine in order to access it TCP IP IP Address Type the IP address of the ZyXEL device in dotted decimal notation 192 168 1 1 is the factory default IP Subnet Mask The subnet mask specifies the network number portion of an IP address The ZyXEL device automati...

Page 72: ...ity between IGMP version 2 and version 1 please see sections 4 and 5 of RFC 2236 Windows Networking NetBIOS over TCP IP NetBIOS Network Basic Input Output System are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN For some dial up services such as PPPoE or PPTP NetBIOS packets cause unwanted calls However it may sometimes be necessary to allow NetBIOS p...

Page 73: ... on the LAN that the ZyXEL device itself is the DNS server When a computer on the LAN sends a DNS query to the ZyXEL device the ZyXEL device forwards the query to the ZyXEL device s system DNS server and relays the response back to the computer You can select Relay and enter an IP Pool Starting Address The First DNS Server IP and Second DNS Server IP will appear as read only fields IP Pool Startin...

Page 74: ...oes not send any RIP packets and ignores any RIP packets received Both is the default RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyXEL device sends it recognizes both formats when receiving RIP 1 is universally supported but RIP 2 carries more information RIP 1 is probably adequate for most networks unless you have an unusual netwo...

Page 75: ... itself being the gateway for each LAN network When you use IP alias you can also configure firewall rules to control access between the LAN s logical networks subnets Select a device and then click Configuration LAN IP Alias Table 19 Configuration LAN Static DHCP ZyWALL LABEL DESCRIPTION Index This is the index number of the Static IP table entry row MAC Address This is the MAC address of a compu...

Page 76: ...nly the ZyXEL device broadcasts its routing table periodically When set to Both or In Only it incorporates the RIP information that it receives when set to None it does not send any RIP packets and ignores any RIP packets received RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyXEL device sends it recognizes both formats when receivin...

Page 77: ... Guide Chapter 5 Configuration LAN 80 Apply Click Apply to save your changes back to the ZyXEL device Reset Click Reset to begin configuring this screen afresh Table 20 Configuration LAN IP Alias continued LABEL DESCRIPTION ...

Page 78: ...Vantage CNM 2 0 User s Guide 81 Chapter 5 Configuration LAN ...

Page 79: ...authentication and accounting 6 2 Wireless LAN Basics This section provides background information on WLAN 6 2 1 Channel IEEE 802 11b wireless devices use radio frequencies called channels Choose the radio channel depending on your geographical area Adjacent Access Points APs should use different channels to reduce crosstalk Crosstalk occurs when radio signals from access points overlap and cause ...

Page 80: ...Send CTS Clear to Send handshake is invoked When a data frame exceeds the RTS CTS value you set between 0 to 2432 bytes the station that wants to transmit this frame must first send an RTS Request To Send message to the AP for permission to send it The AP then responds with a CTS Clear to Send message to all other stations within its range to notify them to defer their transmission It also reserve...

Page 81: ...end handshake will never occur as data frames will be fragmented before they reach RTS Threshold size 6 2 5 WEP WEP provides a mechanism for encrypting data using encryption keys Both the AP and the wireless stations must use the same WEP key to encrypt and decrypt data The ZyXEL device allows you to configure up to four 64 bit or 128 bit WEP keys but only one key can be enabled at any one time 6 ...

Page 82: ...ID Extended Service Set IDentification The ESSID identifies the Service Set the station is to connect to Wireless clients associating to the Access Point must have the same ESSID Enter a descriptive name up to 32 characters for the wireless LAN Hide ESSID Select to hide the ESSID in the outgoing beacon frame so a station cannot obtain the ESSID through passive scanning Choose Channel ID This allow...

Page 83: ...he RTS CTS handshake Enter a value between 0 and 2432 Fragmentation Threshold The threshold number of bytes for the fragmentation boundary for directed messages It is the maximum data fragment size that can be sent Enter a value between 256 and 2432 WEP Encryption WEP Wired Equivalent Privacy provides data encryption to prevent unauthorized wireless stations from accessing data transmitted over th...

Page 84: ... wireless stations based on MAC addresses Disable MAC address filtering to have the router not perform MAC filtering on the wireless stations Filter Action Define the filter action for the list of MAC addresses in the MAC address filter table Select Deny Association to block access to the router MAC addresses not listed will be allowed to access the router Select Allow Association to permit access...

Page 85: ...thentication Control Select Authentication Required to authenticate all wireless clients before they can access the wired network Select No Authentication Required to allow all wireless clients to access your wired network without authentication Select No Access to deny all wireless clients access to your wired network Reauthentication Timer Specify the time interval between the RADIUS server s au...

Page 86: ... deny all wireless clients access to your wired network Reauthentication Timer Specify the time interval between the RADIUS server s authentication checks of wireless users connected to the network This field is activated only when you select Authentication Required in the Authentication Type field Idle Timeout The Prestige automatically disconnects a wireless station from the wired network after ...

Page 87: ...Only to have the Prestige just check the built in user database on the Prestige for a wireless station s username and password Select RADIUS Only to have the Prestige just check the user database on the specified RADIUS server for a wireless station s username and password Select Local first then RADIUS to have the Prestige first check the user database on the Prestige for a wireless station s use...

Page 88: ...llowing tasks among others Authentication Determines the identity of the users Accounting Table 25 Configuration WLAN Local User LABEL DESCRIPTION Active Select this check box to enable the user profile Index This is the local user index number User ID Enter the user name of the user profile Password Enter a password up to 31 characters long for this user profile Next Select Next to view the next ...

Page 89: ...nged between the access point and the RADIUS server for user accounting Accounting Request Sent by the ZyXEL device requesting accounting Accounting Response Sent by the RADIUS server to indicate that it has started or stopped accounting In order to ensure network security the ZyXEL device and the RADIUS server use a shared secret key which is a password they both know The key is not sent over the...

Page 90: ...ds a start message to the ZyXEL device The ZyXEL device sends a request identity message to the wireless station for identity information The wireless station replies with identity information including username and password The RADIUS server checks the user information against its user profile database and determines whether or not to authenticate the wireless station 6 7 Configuring RADIUS Use t...

Page 91: ... notation Port The default port of the RADIUS server for authentication is 1812 You need not change this value unless your network administrator instructs you to do so with additional information Key Enter a password up to 31 alphanumeric characters as the key to be shared between the external authentication server and the access points The key is not sent over the network This key must be the sam...

Page 92: ...he external accounting server and the access points The key is not sent over the network This key must be the same on the external accounting server and ZyXEL device Apply Click Apply to save your changes back to the ZyXEL device Reset Click Reset to begin configuring this screen afresh Table 26 Configuration WLAN RADIUS continued LABEL DESCRIPTION ...

Page 93: ...ser is an authorized remote user It is highly recommended that you connect all of your public servers to the DMZ port If you have more than one public server connect a hub to the DMZ port It is also highly recommended that you keep all sensitive information off of the public servers connected to the DMZ port Store sensitive information on LAN computers 7 2 DMZ Addresses You can assign public or pr...

Page 94: ...ckets received Both is the default RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends it recognizes both formats when receiving RIP 1 is universally supported but RIP 2 carries more information RIP 1 is probably adequate for most networks unless you have an unusual network topology Both RIP 2B and RIP 2M sends the routing data...

Page 95: ...k this option to forward NetBIOS packets from the DMZ port to the LAN Allow from DMZ to WAN Click this option to forward NetBIOS packets from the DMZ port to the WAN port Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to refresh the current screen Table 27 Configuration DMZ continued LABEL DESCRIPTION ...

Page 96: ...Vantage CNM 2 0 User s Guide 99 Chapter 7 Configuration DMZ ...

Page 97: ...s have the same metric the ZyXEL device uses the following pre defined priorities Normal route designated by the ISP Traffic redirect route Traffic redirect forwards WAN traffic to a backup gateway when the ZyXEL device cannot connect to the Internet through its normal gateway Connect the backup gateway on the WAN so that the ZyXEL device still provides firewall protection Dial backup route For ex...

Page 98: ... your regular WAN connection goes down If Dial Backup is preferred to Traffic Redirect then type 14 in the Dial Backup Priority metric field and leave the Traffic Redirect Priority metric at the default of 15 Active Select this check box to have the ZyXEL device use traffic redirect if the normal WAN connection goes down Backup Gateway IP Address Type the IP address of your backup gateway in dotte...

Page 99: ...s in the Check WAN IP Address field before it times out The WAN connection is considered down after the ZyXEL device times out the number of times specified in the Fail Tolerance field Use a higher value in this field if your network is busy or congested Apply Click Apply to save your changes back to the ZyXEL device Reset Click Reset to begin configuring this screen afresh Table 28 Configuration ...

Page 100: ...soft Dial Up Networking software can activate and therefore requires no new learning or procedures for Windows users One of the benefits of PPPoE is the ability to let you access one of multiple network services a function known as dynamic service selection This enables the service provider to easily create and offer new IP services for individuals Operationally PPPoE saves significant effort for ...

Page 101: ... implementing PPPoE directly on the router rather than individual computers the computers on the LAN do not need PPPoE software installed since the router does that part of the task Further with NAT all of the LAN s computers will have access Service Name Type the PPPoE service name provided to you PPPoE uses a service name to identify and reach the PPPoE server User Name Type the user name given ...

Page 102: ...yWALL LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Point to Point Tunneling Protocol PPTP is a network protocol that enables secure transfer of data from a remote client to a private server creating a Virtual Private Network VPN using TCP IP based networks PPTP supports on demand multi protocol and virtual private networking over public networks such as the Internet The ZyXEL...

Page 103: ...My IP Address Type the static IP address assigned to you by your ISP My IP Subnet Mask The ZyXEL device will automatically calculate the subnet mask based on the IP address that you assign Unless you are implementing subnetting use the subnet mask computed by the ZyXEL device Server IP Address Type the IP address of the PPTP server Connection ID Name Type your identification name for the PPTP serv...

Page 104: ...a fixed IP address My WAN IP Address Enter your WAN IP address in this field if you selected Use Fixed IP Address My WAN IP Subnet Mask Enter the IP subnet mask if your ISP gave you one in this field if you selected Use Fixed IP Address Gateway IP Address Enter the gateway IP address if your ISP gave you one in this field if you selected Use Fixed IP Address Private This parameter determines if th...

Page 105: ... 2M uses multicasting Multicasting can reduce the load on non router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets However if one router uses multicasting then all routers on your network must use multicasting also By default the RIP Version field is set to RIP 1 Multicast Choose None default IGMP V1 or IGMP V2 IGMP Internet Group ...

Page 106: ... you to avoid triangle route security issues see ZyWALL Appendices when the backup gateway is connected to the LAN or DMZ Use IP alias to configure the LAN into two or three logical networks with the ZyWALL itself as the gateway for each LAN network Put the protected LAN in one subnet Subnet 1 in the following figure and the backup gateway in another subnet Subnet 2 Configure a LAN to LAN ZyWALL f...

Page 107: ... this screen Table 33 Configuration WAN Dial Backup ZyWALL LABEL DESCRIPTION Enable Dial Backup Select this check box to turn on dial backup Basic Settings User Name Type the user name assigned by your ISP Password Type the password assigned by your ISP Retype to confirm Password Type your password again to make sure that you have entered it correctly ...

Page 108: ... Options screen PPP Options PPP Encapsulation Select CISCO PPP from the drop down list box if your dial backup WAN device uses Cisco PPP encapsulation otherwise select Standard PPP Enable Compression Select this check box to turn on stac compression Budget Always On Select this check box to have the dial backup connection on all of the time Configure Budget Select this check box to have the dial b...

Page 109: ...ing up the current call when the DTR Data Terminal Ready signal is dropped by the DTE When the Drop DTR When Hang Up check box is selected the ZyXEL device uses this hardware signal to force the WAN device to hang up in addition to issuing the drop command ATH 8 3 3 1 2 Response Strings The response strings tell the ZyXEL device the tags or labels immediately preceding the various call parameters ...

Page 110: ...ring to answer a call ata Drop DTR When Hang Up Select this check box to have the ZyXEL device drop the DTR Data Terminal Ready signal after the AT Command String Drop is sent out AT Response Strings CLID Type the keyword that precedes the CLID Calling Line Identification in the AT response string This lets the ZyXEL device capture the CLID in the AT response string that comes from the WAN device ...

Page 111: ...all after a call has failed This applies before a phone number is blacklisted 10 Drop Timeout sec Type the number of seconds for the ZyXEL device to wait before dropping the DTR signal if it does not receive a positive disconnect confirmation 20 Call Back Delay sec Type a number of seconds for the ZyXEL device to wait between dropping a callback request call and dialing the corresponding callback ...

Page 112: ...d set to 0 0 0 0 default to have the ISP or other remote router dynamically automatically assign your WAN IP address if you do not know it Type your WAN IP address here if you know it static This is the address assigned to your local ZyXEL device not the remote router Remote Node IP Address Leave this field set to 0 0 0 0 default to have the ISP or other remote router dynamically automatically sen...

Page 113: ...n Protocol which allows a router to exchange routing information with other routers RIP Direction RIP Routing Information Protocol RFC1058 and RFC 1389 allows a router to exchange routing information with other routers The RIP Direction field controls the sending and receiving of RIP packets Select the RIP direction from Both In Only Out Only None When set to Both or Out Only the ZyXEL device broa...

Page 114: ... because it is dependent on the line speed Sustained Cell Rate SCR is the mean cell rate of each bursty traffic source It specifies the maximum average rate at which cells can be sent over the virtual connection SCR may not be greater than the PCR Maximum Burst Size MBS is the maximum number of cells that can be sent at the PCR After MBS is reached cell rates fall below SCR until cell rate average...

Page 115: ...ode Select Routing default from the drop down list box if your ISP allows multiple computers to share an Internet account Otherwise select Bridge Encapsulation Select the method of encapsulation used by your ISP from the drop down list box Choices vary depending on the mode you select in the Mode field If you select Bridge in the Mode field select either PPPoA or RFC 1483 If you select Routing in ...

Page 116: ...e SCR which must be less than the PCR Note that system default is 0 cells sec Maximum Burst Size Maximum Burst Size MBS refers to the maximum number of cells that can be sent at the peak rate Type the MBS which is less than 65535 Login Information PPPoA and PPPoE encapsulation only User Name Enter the user name exactly as your ISP assigned If assigned a name in the form user domain where domain id...

Page 117: ...et account Otherwise select Bridge Encapsulation Select the method of encapsulation used by your ISP from the drop down list box Choices vary depending on the mode you select in the Mode field If you select Bridge in the Mode field select either PPPoA or RFC 1483 If you select Routing in the Mode field select PPPoA RFC 1483 ENET ENCAP or PPPoE Multiplex Select the method of multiplexing used by yo...

Page 118: ...Client_PC PPPo E encapsulation only This field is only available when PPPoE encapsulation is selected Select the checkbox to enable PPPoE pass through In addition to the Prestige s built in PPPoE client you can enable PPPoE pass through to allow up to ten hosts on the LAN to use PPPoE client software on their computers to connect to the ISP via the Prestige Each host can have a separate account an...

Page 119: ...ettings click WAN then Backup The screen appears as shown Nailed Up Connection Select Nailed Up Connection when you want your connection up all the time The Prestige will try to bring up the connection automatically if it is disconnected Connect on Demand Select Connect on Demand when you don t want the connection up all the time and specify an idle time out in the Max Idle Timeout field Max Idle ...

Page 120: ...ect ICMP to have the Prestige periodically ping the IP addresses configured in the Check WAN IP Address type fields Check WAN IP Address1 3 Configure this field to test your Prestige s WAN accessibility Type the IP address of a reliable nearby computer for example your ISP s DNS server address If you activate either traffic redirect or dial backup you must configure at least one IP address here Wh...

Page 121: ... best route for transmission by choosing a path with the lowest cost RIP routing uses hop count as the measurement of cost with a minimum of 1 for directly connected networks The number must be between 1 and 15 a number greater than 15 means the link is down The smaller the number the lower the cost Backup Gateway Type the IP address of your backup gateway in dotted decimal notation The Prestige a...

Page 122: ... click WAN WAN Backup and then the Advanced Backup button The screen appears as shown next Advanced Backup Click this button to display the Advanced Backup screen and edit more details of your WAN backup setup Apply Click Apply to save the changes Reset Click Reset to begin configuring this screen afresh Table 38 WAN Backup Prestige continued LABEL DESCRIPTION ...

Page 123: ... this screen Table 39 Advanced WAN Backup Prestige LABEL DESCRIPTION Basic Authentication Type Use the drop down list box to select an authentication protocol for outgoing calls Options are CHAP PAP Your Prestige accepts either CHAP or PAP when requested by this remote node CHAP Your Prestige accepts CHAP only PAP Your Prestige accept PAP only ...

Page 124: ...Prestige will broadcast its routing table periodically When set to Both or In Only the Prestige will incorporate RIP information that it receives RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the Prestige sends it recognizes both formats when receiving Choose RIP 1 RIP 2B or RIP 2M RIP 1 is universally supported but RIP 2 carries more inf...

Page 125: ...out Budget The configuration in the Budget fields has priority over your Connection settings Allocated Budget Type the amount of time in minutes that the dial backup connection can be used during the time configured in the Period field Set an amount that is less than the time period configured in the Period field If you set the Allocated Budget to 0 you will not be able to use the dial backup conn...

Page 126: ...Vantage CNM 2 0 User s Guide 129 Chapter 8 Configuration WAN ...

Page 127: ... is in the local network while the global address refers to the IP address of the host when the same packet is traveling in the WAN side Note that inside outside refers to the location of a host while global local refers to the IP address of a host used in a packet Thus an inside local address ILA is the IP address of an inside host in a packet when the packet is still in the local network while a...

Page 128: ... 1631 The IP Network Address Translator NAT 9 1 3 How NAT Works Each packet has two addresses a source address and a destination address For outgoing packets the ILA Inside Local Address is the source address on the LAN and the IGA Inside Global Address is the source address on the WAN For incoming packets the ILA is the destination address on the LAN and the IGA is the destination address on the ...

Page 129: ...N to LAN and WAN to DMZ multiple address translation That means that computers on your DMZ with public IP addresses will still have to undergo NAT mapping if you re using SUA Only NAT mapping If this is not your intention then select Full Feature NAT and don t configure NAT mapping rules to those computers with public IP addresses on the DMZ 9 2 Configuring NAT You must create a firewall rule in a...

Page 130: ...ice is on port 80 and FTP on port 21 In some cases such as for unknown services or where one server can support more than one service for example both FTP and web service it might be better to specify a range of port numbers You can allocate a server IP address that corresponds to a port or a range of ports Many residential broadband ISP accounts do not allow you to run any server processes such a...

Page 131: ...e If you do not assign a Default Server IP Address the ZyXEL device discards all packets received for ports that are not specified here or in the remote management setup Note Many residential broadband ISP accounts do not allow you to run any server processes such as a Web or FTP server from your location Your ISP may periodically check for servers and may suspend your account if it discovers any ...

Page 132: ...forwarding rule To delete a SUA server entry erase the name and click Apply Default Server In addition to the servers for specified services NAT supports a default server A default server receives packets from ports that are not specified in this screen If you do not assign a default server IP address then all packets received for ports not specified in this screen or remote management will be dis...

Page 133: ...UA server entry Default Server In addition to the servers for specified services NAT supports a default server A default server receives packets from ports that are not specified in this screen If you do not assign a default server IP address then all packets received for ports not specified in this screen or remote management will be discarded Start Port End Port Type the start and end port numbe...

Page 134: ... Address Mapping screen for that rule Local Start IP This refers to the Inside Local Address ILA which is the starting local IP address Local IP addresses are N A for Server port mapping Local End IP This is the end Inside Local Address ILA If the rule is for all local IP addresses then this field displays 0 0 0 0 and 255 255 255 255 as the Local End IP address This field is N A for One to One and...

Page 135: ...dress translation ZyXEL s Single User Account feature that previous ZyXEL routers supported only 3 Many to Many Overload mode maps multiple local IP addresses to shared global IP addresses 4 Many One to One mode maps each local IP address to unique global IP addresses 5 Server allows you to specify inside servers of different services behind the NAT to be accessible to the outside world Delete Sel...

Page 136: ...ervers of different services behind the NAT to be accessible to the outside world Local Start IP This is the starting Inside Local IP Address ILA Local IP addresses are N A for Server port mapping Local End IP This is the end Inside Local IP Address ILA If your rule is for all local IP addresses then enter 0 0 0 0 as the Local Start IP address and 255 255 255 255 as the Local End IP address This f...

Page 137: ...mputer that sends traffic to the WAN to request a service with a specific port number and protocol a trigger port When the ZyXEL device s WAN port receives a response with a specific port number and protocol incoming port the ZyXEL device forwards the traffic to the LAN IP address of the computer that sent the request After that computer s connection for that service closes another computer on the...

Page 138: ...rwards the traffic with this port or range of ports to the client computer on the LAN that requested the service Start Port This field displays a port number or the starting port number in a range of port numbers End Port This field displays a port number or the ending port number in a range of port numbers Trigger The trigger port is a port or a range of ports that causes or triggers the ZyXEL de...

Page 139: ...uding spaces Incoming Incoming is a port or a range of ports that a server on the WAN uses when it sends out a particular service The ZyXEL device forwards the traffic with this port or range of ports to the client computer on the LAN that requested the service Start Port Type a port number or the starting port number in a range of port numbers End Port Type a port number or the ending port number...

Page 140: ...Vantage CNM 2 0 User s Guide 143 Chapter 9 Configuration NAT ...

Page 141: ...his chapter shows you how to configure static route 10 1 Static Route Overview Each remote node specifies only the network to which the gateway is directly connected and the ZyXEL device has no knowledge of the networks beyond 10 1 1 Static Route Summary Select a device and then click Configuration Static Route ...

Page 142: ...twork address of the final destination Routing is always based on network number Gateway This is the IP address of the gateway The gateway is an immediate neighbor of the ZyXEL device that will forward the packet to the destination On the LAN the gateway must be a router on the same segment as the ZyXEL device over the WAN the gateway must be the IP address of one of the remote nodes Next Select a...

Page 143: ...ediate neighbor of the ZyXEL device that will forward the packet to the destination On the LAN the gateway must be a router on the same segment as the ZyXEL device over the WAN the gateway must be the IP address of one of the Remote Nodes Metric Metric represents the cost of transmission for routing purposes IP routing uses hop count as the measurement of cost with a minimum of 1 for directly conn...

Page 144: ...Vantage CNM 2 0 User s Guide 147 Chapter 10 Configuration Static Route ...

Page 145: ...ardized cryptographic techniques to provide confidentiality data integrity and authentication at the IP layer 11 1 2 Security Association A Security Association SA is a contract between two parties indicating what security parameters such as keys and algorithms they will use 11 1 3 Encryption Encryption is a mathematical operation that transforms data from plaintext readable to ciphertext scramble...

Page 146: ...t protect the information from dissemination but will allow for verification of the integrity of the information and authentication of the originator 11 1 7 2 ESP Encapsulating Security Payload Protocol The ESP protocol RFC 2406 provides encryption as well as some of the services offered by AH ESP authenticating properties are limited compared to the AH due to the non inclusion of the IP header in...

Page 147: ...grity of the entire packet by use of portions of the original IP header in the hashing process 11 1 9 2 Tunnel Mode Tunnel mode encapsulates the entire IP packet to transmit it securely A Tunnel mode is required for gateway services to provide access to internal systems Tunnel mode is fundamentally an IP tunnel with authentication and encryption This is the most common mode of operation Tunnel mod...

Page 148: ...ource address is the outbound address of the sending VPN gateway and its destination address is the inbound address of the VPN device at the receiving end When using ESP protocol with authentication the packet contents in this case the entire original packet are encrypted The encrypted contents but not the new headers are signed with a hash value appended to the packet Tunnel mode ESP with authent...

Page 149: ...t 500 header to the IPSec packet The NAT router forwards the IPSec packet with the UDP port 500 header unchanged IPSec router B checks the UDP port 500 header and responds IPSec routers A and B build a VPN connection 11 1 12 1 NAT Traversal Configuration For NAT traversal to work you must Use ESP security protocol in either transport or tunnel mode Use IKE keying mode Enable NAT traversal on both ...

Page 150: ...ose an encryption algorithm Table 54 Local ID Type and Content Fields LOCAL ID TYPE CONTENT IP Type the IP address of your computer or leave the field blank to have the ZyXEL device automatically use its own IP address DNS Type a domain name up to 31 characters by which to identify this ZyXEL device E mail Type an e mail address up to 31 characters by which to identify this ZyXEL device The domain...

Page 151: ...ffic 11 1 15 Negotiation Mode The phase 1 Negotiation Mode you select determines how the Security Association SA will be established for each connection through IKE negotiations Main Mode ensures the highest level of security when the communicating parties are negotiating authentication phase 1 It uses 6 messages in three round trips SA negotiation Diffie Hellman exchange and an exchange of nonces...

Page 152: ...ult in the ZyXEL device Disabling PFS means new authentication and encryption keys are derived from the same root secret which may have security implications in the long run but allows faster SA setup by bypassing the Diffie Hellman key exchange 11 1 18 Pre Shared Key A pre shared key identifies a communicating party during a phase 1 IKE negotiation It is called pre shared because you have to shar...

Page 153: ...N tunnel terminates These fields display the device administrators at both ends of a VPN tunnel respectively If one end of the tunnel cannot be managed the device exists in another administrators domain and cannot be seen Unknown ZyXEL Device is displayed in this field If you configure a Single Side VPN tunnel then a Non ZyXEL Device is supported at the Z End Status This field displays whether the...

Page 154: ...TION Name This is a VPN name for identification purposes Enable Select this checkbox to make the VPN rule active IKE Manual Select either IKE or Manual to manage encryption keys If you select the IKE method you must configure the IKE fields Manual is useful for troubleshooting if you have problems using IKE key management DNS Address Type a domain name up to 31 characters by which to identify the ...

Page 155: ...L device because the ZyXEL A End Z End NAT Traversal Only Available in ZyWALL Select this check box to enable NAT traversal NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers The remote IPSec router must also have NAT traversal enabled You can use NAT traversal with ESP protocol using Transport or Tunnel mode but not with AH protocol nor wi...

Page 156: ...onfigured to Range A static IP address and a subnet mask are displayed when the Address Type field is configured to Subnet These addresses cannot be automatically generated by Vantage Address Start Enter the beginning IP address of the computers behind the ZyXEL device Address End Enter the ending IP address of the computers behind the ZyXEL device Port Start 0 is the default and signifies any por...

Page 157: ...security by forcing the two VPN gateways to update the encryption and authentication keys However every time the VPN tunnel renegotiates all users accessing remote resources are temporarily disconnected Key Group Diffie Hellman DH is a public key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel Diffie Hellman is used within IKE SA ...

Page 158: ...echanism for the AH and ESP protocols Select MD5 for minimal security and SHA 1 for maximum security MD5 Message Digest 5 produces a 128 bit digest to authenticate packet data SHA 1 Secure Hash Algorithm produces a 160 bit digest to authenticate packet data SA Life Time Seconds Define the length of time before an IKE Security Association automatically renegotiates in this field It may range from 6...

Page 159: ...shooting if you have problems using IKE key management DNS Address Type a domain name up to 31 characters by which to identify the local or remote IPSec router A End Z End Local Remote IP addresses must be static and correspond to the remote IPSec router s configured remote IP addresses Two active SAs cannot have the local and remote IP address es both the same Two active SAs can have the same loc...

Page 160: ... was designed If you select AH here you must select options from the Authentication Algorithm field Encapsulation Select Tunnel mode or Transport mode from the drop down list box Encryption Algorithm Select DES 3DES or NULL from the drop down list box When you use DES or 3DES both sender and receiver must know the Encryption Key which can be used to encrypt and decrypt the messages The DES encrypt...

Page 161: ...ing up the next screen Figure 76 Configuration VPN NetBIOS The following table describes the labels in this screen Apply Click Apply to save your changes back to the ZyXEL device Cancel Click Cancel to begin configuring this screen afresh Table 58 Configuration VPN Manual Tunnel IPSec Detail continued LABEL DESCRIPTION Table 59 Configuration VPN NetBIOS LABEL DESCRIPTION Windows Networking NetBIOS...

Page 162: ...Vantage CNM 2 0 User s Guide 165 Chapter 11 Configuration VPN ...

Page 163: ...ewall to guard effectively you must design and deploy it appropriately This requires integrating the firewall into a broad information security policy In addition specific policies must be implemented within the firewall itself 12 2 Types of Firewalls There are three main types of firewalls 1 Packet Filtering Firewalls 2 Application level Firewalls 3 Stateful Inspection Firewalls 12 2 1 Packet Fil...

Page 164: ...ay lack the granular application level access control or caching that some proxies support Firewalls of one type or another have become an integral part of standard security solutions for enterprises 12 3 Introduction to ZyXEL s Firewall The ZyXEL device firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated in SMT menu 21 2 or in the...

Page 165: ...e port such as Web on port 80 other ports are also active If the person configuring or managing the computer is not careful a hacker could attack it over an unprotected port Some of the most common IP ports are shown in Table 63 on page 176 12 3 3 Types of DoS Attacks There are four types of DoS attacks 1 Those that exploit bugs in a TCP IP implementation Ping of Death and Teardrop attacks exploit...

Page 166: ...argeted system This makes it appear as if the host computer sent the packets to itself making the system unavailable while the target system tries to respond to itself 3 Brute force attacks that flood a network with useless data A brute force attack such as a Smurf attack targets a feature in the IP specification known as directed or subnet broadcasting to quickly flood the target network with use...

Page 167: ...cking a router or firewall into thinking that the communications are coming from within the trusted network To engage in IP spoofing a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall The ZyXEL device blocks all IP Spoofing attempts 12 4 Stateful Inspection With stateful inspection fields of...

Page 168: ...for this packet and it is not an attack then Firewall Summary screen s Action for packets that don t match firewall rules field determines the action for this packet 4 Based on the obtained state information a firewall rule creates a temporary access list entry that is inserted at the beginning of the WAN interface s inbound extended access list This temporary access list entry is designed to perm...

Page 169: ...All packets that do not have this flag structure are called subsequent packets since they represent data that occurs later in the TCP stream If an initiation packet originates on the WAN this means that someone is trying to make a connection from the Internet into the LAN Except in a few special cases see Upper Layer Protocols shown next these packets are dropped and logged If an initiation packet...

Page 170: ...te traffic through attacking machines 12 4 5 Upper Layer Protocols Some higher layer protocols such as FTP and RealAudio utilize multiple network connections simultaneously In general terms they usually have a control connection which is used for sending commands between endpoints and then data connections which are used for transmitting bulk information Consider the FTP protocol A user on the LAN...

Page 171: ...ters on the WAN from using the ZyXEL device as a gateway to communicate with other computers on the WAN and or managing the ZyXEL device DMZ to LAN DMZ to DMZ ZyWALL This prevents computers on the DMZ from communicating between networks or subnets connected to the DMZ interface and or managing the ZyXEL device You may define additional rules and sets or modify existing ones but please exercise ext...

Page 172: ...be affected The more specific the better For example if traffic is being allowed from the Internet to the LAN it is better to allow only certain machines on the Internet to access the LAN 12 4 8 Security Ramifications Once the logic of the rule has been defined it is critical to consider the security ramifications created by the rule 1 Does this rule stop LAN users from accessing critical resource...

Page 173: ... 10 Alerts Alerts are reports on events such as attacks that you may want to know about right away You can choose to generate an alert when an attack is detected by selecting the Generate alert when attack detected checkbox Configure the Log Settings screen to have the ZyXEL device send an immediate e mail message to you when an event generates an alert Refer to the chapter on logs for details 12 ...

Page 174: ...ded to the end of the list Use the Move selected item to beginning index number textbox and Move button to put a single rule in a different place Select a device and then click Configuration Firewall HTTP Hyper Text Transfer protocol or WWW Web 80 POP3 Post Office Protocol 110 NNTP Network News Transport Protocol 119 SNMP Simple Network Management Protocol 161 SNMP trap 162 PPTP Point to Point Tun...

Page 175: ...which you want to configure firewall rules Log packets that don t match these rules Select the check box to create a log when the above action is taken for packets that are traveling in the selected direction and do not match any of the rules below Action for packets that don t match firewall rules Select whether to Block silently discard or Forward allow the passage of packets that don t match an...

Page 176: ...s you whether this rule generates an alert Yes or not No when the rule is matched Move Select a rule s Index option button and type a number for where you want to put that rule Click Move to move the rule to the number that you typed The ordering of your rules is important as they are applied in order of their numbering Apply Click Apply to save your changes back to the ZyXEL device Add Click Add ...

Page 177: ...blishment attempts have been detected in the last minute and to stop deleting half open sessions when fewer than 80 session establishment attempts have been detected in the last minute Maximum Incomplete Low This is the number of existing half open sessions that causes the firewall to stop deleting half open sessions The ZyXEL device continues to delete half open requests as necessary until the nu...

Page 178: ...lower system or limited bandwidth 10 existing half open TCP sessions Blocking Time When TCP Maximum Incomplete is reached you can choose if the next session should be allowed or blocked If you check Blocking Time any new sessions will be blocked for the length of time you specify in the next field min and all old incomplete sessions will be cleared during this period If you want strong security it...

Page 179: ... that match the rule Match don t match the rule Not Match both Both or no log is created None Go to the Log Settings page and select the Access Control logs category to have the ZyXEL device record these logs Alert Check the Alert check box to determine that this rule generates an alert when the rule is matched Source Address Click Add to add a new address Edit to edit an existing one or Delete to...

Page 180: ...s button to remove the service Apply Click Apply to save the current rule setting to the device Cancel Click Cancel to exit this screen without saving Table 66 Configuration Firewall Edit continued LABEL DESCRIPTION Table 67 Configuration Firewall IP Address LABEL DESCRIPTION Address Type Do you want your rule to apply to packets with a particular single IP a range of IP addresses e g 192 168 1 10...

Page 181: ...BEL DESCRIPTION Service Name Enter a unique name for your custom port All custom ports must begin with to identify it as such in the Available Services list box in Figure 79 on page 182 Service Type Choose the IP port TCP UDP or Both that defines your customized port from the drop down list box Port Configuration Type Click Single to specify one port only or Range to specify a span of ports that d...

Page 182: ...Vantage CNM 2 0 User s Guide 185 Chapter 12 Configuration Firewall ...

Page 183: ...ce IP address and the port number of the incoming packet Dest This field lists the destination IP address and the port number of the packet Time This field displays the time the log was recorded See the chapter on system maintenance and information to configure the ZyXEL device s time and date Content This field states the reason for the log Note This field displays a short description Retrieve Cl...

Page 184: ... blocked web sites or web sites with restricted web features such as cookies active X and so on Some categories such as System Errors consist of both logs and alerts You may differentiate them by their color in the Device screen Alerts display in red and logs display in black Alerts are e mailed as soon as they happen Logs may be e mailed as soon as the log is full see Log Schedule Selecting many ...

Page 185: ...erver for the e mail addresses specified below If this field is left blank logs and alert messages will not be sent via e mail Mail Subject Type a title that you want to be in the subject line of the log e mail message that the ZyXEL device sends Send Log To Logs are sent to the e mail address specified in this field If this field is left blank logs will not be sent via e mail Send Alerts To Alert...

Page 186: ...f log messages being sent as E mail Daily Weekly Hourly When Log is Full None If you select Weekly or Daily specify a time of day when the E mail should be sent If you select Weekly then also specify which day of the week the E mail should be sent If you select When Log is Full an alert is sent when the log fills up If you select None no log messages are sent Day for Sending Log Use the drop down ...

Page 187: ...t the checkbox and enter valid e mail address es of those who should receive a report on logs that have been purged Separate more than one E mail address by a comma Export Report Select this checkbox to send a report on logs that have been purged to the e mail addresses defined in notifications Apply Click Apply to save your customized settings and exit this screen Cancel Click Cancel to begin con...

Page 188: ...Vantage CNM 2 0 User s Guide 191 Chapter 13 Configuration Device Log ...

Page 189: ...ble with the ADSL ADSL2 ADSL2 standards Maximum data rates attainable by the Prestige for each standard are shown in the next table 14 2 Configuring ADSL Monitor Select an ADSL device and click Configuration ADSL Monitor Click a label to have the information displayed in the text box Table 72 ADSL Standards DATA RATE STANDARD UPSTREAM DOWNSTREAM ADSL 832 Kips 8Mbps ADSL2 3 5Mbps 12Mbps ADSL2 3 5Mb...

Page 190: ...oise Margin Click this button to display the upstream noise margin Downstream Noise Margin Click this button to display the downstream noise margin ADSL Line Rate Click this button to display the upstream and downstream rates of your ADSL link ADSL CRC Error Counter Click this computer to have your device perform a Cyclic Redundancy Checksum The Prestige sends a sequence of bits to every block of ...

Page 191: ...his is an alarm such as unrecoverable hardware failure Major This is an alarm such as an attack Minor This is an alarm such as a recoverable hardware error Warning This is an alarm such as an illegal Vantage login attempt Table 75 Alarm States STATE DESCRIPTION Active This is the initial state of an alarm which means this alarm is new and no one has assumed responsibility for handling it yet Ackno...

Page 192: ... the alarm see above for which you wish to view logs Select Responder Select All or root to display all of the administrators or root administrators that have responded to the cause of this alarm Other administrators see that person s name in their alarm screen and so duplicate effort in solving the same problem is avoided Index This is a number assigned to an alarm record Type The field displays ...

Page 193: ...arms Historical LABEL DESCRIPTION Select Time Period Select the time period 24 48 or 72 hours for which you wish to view logs Select Severity of Alarm Select the severity of the alarm see above for which you wish to view logs Select Responder Select All or root to display all of the administrators or root administrators that have responded to the cause of this alarm Other administrators see that p...

Page 194: ...time of response since an administrator first received the alarm Description This field displays a brief explanation of the administrator s response Retrieve Click Retrieve for Vantage to pull the selected logs from the selected device Table 77 Configuration Device Alarms Historical continued LABEL DESCRIPTION ...

Page 195: ...e a new configuration BB or save an existing configuration item as a BB and it is then available to apply to other devices of the same model type Configuration BBs may vary by model type For example you should not apply a ZyWALL 10W firewall configuration BB to a ZyWALL 70 A component BB is the template a portion of a configuration menu item such as IP address e mail address etc 16 2 BB Properties...

Page 196: ...the fields in this screen Table 78 Building Block Device BB TYPE DESCRIPTION Index This is the building block list number Name A building block should have a unique name Click this hyperlink to go to a BB info screen that allows you to edit the name and add some extra description of the BB Type This field displays the device model for example ZyWALL70 Note This field displays some extra descriptio...

Page 197: ...ancel to return to the previous screen Figure 90 Building Block Device BB Edit Configuration 16 3 3 Adding a New BB Click Add from Figure 88 on page 199 The next screen asks you what model type BB you want to add This should be the same as the model types supported by Vantage Next Click to proceed to the following screen Cancel Click to return to the previous screen Table 79 Building Block Device ...

Page 198: ...name for the building block Device Select the device model Note Type some extra description of the BB Next Click to proceed to the following screen Cancel Click to return to the previous screen Table 81 Building Block Configuration TYPE DESCRIPTION Index This is the building block list number Name A building block should have a unique name Click this hyperlink to go to a BB info screen that allows...

Page 199: ...LL 10 device Create the BB as shown in the screen Refer to the corresponding Configuration chapter for details on fields in the screen Click Apply to save BB changes you may click Reset to begin configuring the screen afresh and then click Finish to complete the BB Add Click to proceed to the next screen Delete Click to delete a selected device BB Table 81 Building Block Configuration continued TY...

Page 200: ...it this BB by clicking the Name hyperlink Figure 95 Building Block Configuration BB Added 16 4 2 Editing a Configuration BB Click the Name hyperlink in the Building Block Configuration BB screen as shown in Figure 95 on page 203 for example to edit an existing configuration What you can edit in a configuration building block depends on the configuration type and device ...

Page 201: ...ame You may change the name for this configuration building block Note You may change the description of the BB here Next Click Next to continue to edit the configuration BB details for the device type selected as shown in Figure 94 on page 203 Cancel Click Cancel to return to the previous screen Table 84 Building Block Component BB TYPE DESCRIPTION Index This is the building block list number Nam...

Page 202: ...ter your IP Type Start and End IP Subnet Mask details Add Click Add to create a new configuration BB Alternatively create new component BBs directly from the configuration menus by using the save as new BB icon Delete Click to delete a selected device BB Table 84 Building Block Component BB continued TYPE DESCRIPTION Table 85 Building Block Component Add TYPE DESCRIPTION Name Type a unique name fo...

Page 203: ... edit the BB Table 86 Building Block Component BB Add IP Address TYPE DESCRIPTION IP Type Select from Single Range or Subnet Start IP Type the IP address or the first IP address in a range End IP Subnet Mask Type the last IP address in a range or the subnet mask See the appendices for information on IP subnetting Apply Click Apply to create the BB This BB is then displayed in the component BB summ...

Page 204: ...gure 102 Building Block Component BB Edit The following table describes the fields in this screen Table 88 Building Block Component BB Edit TYPE DESCRIPTION Name You may change the name for the building block Note You may change the description of the BB Next Click Next to proceed to the next screen to edit the component BB details as shown in Figure 99 on page 206 or Figure 100 on page 206 Cancel...

Page 205: ...ild Administrators you will see a warning message You must first delete the child Administrators 17 1 1 Administrator Types There are four types of administrators root super normal and custom Only root can do everything including managing the Vantage system Super and normal are predefined administrator profiles that come with a default set of permissions You can alter normal permissions but not su...

Page 206: ...stem status and Vantage logs but cannot purge or change log options 4 Super Administrators at same management level can t disassociate each other from that management level 17 1 1 3 Normal Administrators These administrators have default permissions enabled as shown on the screen Some permissions are not allowed The Administrator who creates the Normal Administrator determines which of the enabled...

Page 207: ...d e mail address of the person who should receive a report on logs that have been purged Index This is the administrator index number Name This is the administrator name for identification purposes Login ID This is the administrator login name associated with the password that you log into Vantage with The Login ID is displayed in the object tree when you associate an administrator to a folder The...

Page 208: ...e Login ID cannot be changed after an Administrator account is created but her name can be Password Type a password associated with the Login ID above Password Retype Type the same password again here to make sure that the one you typed above was typed as intended E mail Address Type a valid e mail address for this Administrator Contact Address Type a mailing address for this Administrator Telepho...

Page 209: ...egistration deletion mapping unmapping This permission allows the Administrator to register and delete devices as well as associate and disassociate devices to a folder Administrator Management This permission allows the Administrator to create edit and delete Administrators as well as associate and disassociate Administrators to a folder Device Configuration This permission allows the Administrat...

Page 210: ...tem Management is defined as follows Vantage Upgrade License Preference Log option and purge log Maintenance Apply Click Apply to save your settings in Vantage Cancel Click Cancel to begin configuring the screen afresh Table 91 System Administrator Permissions continued LABEL DESCRIPTION ...

Page 211: ... Status LABEL DESCRIPTION Vantage CNM Server public IP This field displays the IP address of the communications server If the COM server is on the same computer as Vantage then this address is the same IP address as that of the Vantage server computer FTP server This field displays the IP address of the FTP server Click the Check button to test if the connection to the server is up Mail Server Thi...

Page 212: ...red CPU Utilization This field displays the Vantage server CPU processing power usage Heavy usage may necessitate upgrading to a more powerful CPU Memory Usage This field displays the Vantage server memory usage Heavy usage may necessitate installing more RAM Vantage CNM server disk space available This field displays the Vantage server computer hard drive free space Heavy usage may necessitate bu...

Page 213: ...uld have already downloaded the upgraded Vantage software from the ZyXEL website The next screen asks you to Browse to the location on your computer where you have previously downloaded the software upgrade file The software upgrade file has a zip extension Click Next to proceed Figure 108 System Upgrade Vantage Upgrade 3 The next screen reminds you that Vantage will restart automatically after yo...

Page 214: ...lowing table details the format of this version code The version code of the Vantage CNM 2 0 for Windows XP SP1 without a patch is 2 0 00 61 00 The version code of the Vantage CNM 2 0 for RedHat Linux 9 0 without a patch is 2 0 00 81 00 Table 93 Vantage Version Number CODE DESCRIPTION A This represents a major upgrade such as major new features or upgrade modules B This represents a non major upgr...

Page 215: ...able 94 System License License Management LABEL DESCRIPTION Number of devices allowed with this license This field displays the number of devices you are allowed to manage with this license If you want to manage more devices you need to purchase another license Current number of devices being managed This field displays the number of devices currently registered with Vantage Activation Key This ke...

Page 216: ...antage Preferences This is a read only screen Table 95 System License License Management Upgrade LABEL DESCRIPTION Activation Key Copy and paste or type the Activation Key that is generated in the myZyXEL com website Service Set Key Copy and paste or type the Service Set Key that is generated in the myZyXEL com website Apply Click Apply to begin the license upgrade process Vantage must have an Int...

Page 217: ... this screen Brute Force Password Guessing Protection is a protection mechanism to discourage brute force password guessing attacks on a device s management interface You can specify a wait time that must expire before entering a fourth password after three incorrect passwords have been entered You can also force all administrators to periodically change their passwords in this screen Table 96 Sys...

Page 218: ...ax Count of Users Online Type the maximum number of administrators allowed to log into Vantage at any one time Admin Idle Activity Timeout Type the length of time an Administrator can leave the Vantage web configurator idle before he is automatically logged out Brute Force Password Protection Configure the next two fields to apply this Allowed Attempts Before Failure Type the number of times an in...

Page 219: ...ntage if these are incorrectly configured See the User s Guide appendices for examples of setting up syslog and FTP servers The syslog server must be either a Linux syslog server or Kiwi for Windows1 Vantage communicates with a Linux syslog server using SSH so you must enable the SSH daemon on the Linux syslog server Vantage communicates with a Windows Kiwi syslog server using Telnet so you must e...

Page 220: ...fields below IP Address Type the IP address of the FTP server here User Name Type your login name to this FTP server Password Type the FTP server password associated with the login name Syslog Server The FTP server is used for Vantage logs Select the checkbox to activate the fields below IP Address Type the IP address of the syslog server here User Name Type your login name to this syslog server P...

Page 221: ...don t have to restart the computer on which Vantage CNM is installed Right click the Vantage icon in the system tray and select STOP Figure 116 Vantage Icon Stop Right click the icon again and select START Figure 117 Figure 2 5 Vantage Icon Start 5 When you register new devices with Vantage make sure the new device can ping the Vantage server the new Vantage CNM Public IP address and then set the ...

Page 222: ...n you upload firmware to a device Device Owner Select to have an e mail automatically sent to the selected device owner e mail address configured in Configuration General Owner Info E mail Select a BB or enter multiple e mail addresses separated by commas Logs Set who should receive e mailed logs Device Owner Select to have an e mail automatically sent to the selected device owner e mail address c...

Page 223: ...ssion templates here Figure 119 System Preferences User Group The following table describes the fields in this screen 18 4 5 1 Add User Group Create a new user group administrator permission template by clicking Add in the previous screen to display the next one as shown Table 100 System Preferences Permissions LABEL DESCRIPTION Index This is the template index number 1 and 2 are default templates...

Page 224: ...s the Administrator to upload device firmware and configuration files to Vantage download device firmware and configuration files as well as remove them from Vantage Monitor Management This field allows the Administrator access to the Monitor screens Device Configuration This field allows the Administrator access to all the System Configuration screens Device data synchronization This field allows...

Page 225: ...ation on the file in the Description text box Backup configuration allows you to back up save the current configuration to a file on your computer Once your device is configured and functioning properly it is highly recommended that you back up your configuration file before making configuration changes The backup configuration file will be useful in case you need to return to your previous settin...

Page 226: ... Vantage Table 103 System Maintenance Backup LABEL DESCRIPTION Destination Select the radio button to give the download destination to server To Server Select this option to back up the file to the Vantage CNM server File Name Type in the location of the file you want to upload in this field Description Type a description of the file backup To your Computer Select the radio button to give the down...

Page 227: ... screen Table 104 System Maintenance Restore LABEL DESCRIPTION Destination Select this radio button to upload a configuration file From Server From Server Select this option to restore the file from the Vantage CNM server File Name Select a file from the drop down list box From Your Computer Select this radio button to upload a configuration file From Your Computer File Name Type in the location o...

Page 228: ...erlink to edit it Table 105 System Address Book LABEL DESCRIPTION This is a number defining an address book entry Index This field displays the address book entry index number Name This field displays the person s name Email This field displays the person s e mail address Description This field displays some extra information about the person Add Click Add to create a new customer record Delete Se...

Page 229: ...of each certificate owner There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities You can use the ZyXEL device to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority Table 106 System Address Book Add Edit LABEL DESCRIPTION Name Type the ...

Page 230: ...lgorithm The certification authority uses its private key to sign certificates Anyone can then use the certification authority s public key to verify the certificates A certification path is the hierarchy of certification authority certificates that validate a certificate The ZyXEL device does not trust a certificate if any certificate on its path has expired or been revoked Certification authorit...

Page 231: ...presents a certificate issued by a certification authority Subject This field displays identifying information about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate have unique subject information Issuer This field displays identifying information about the certificate s issuing cert...

Page 232: ...plete the certificate import Table 108 System Certificate Management Create CSR LABEL DESCRIPTION Input Certificate Request Information Certificate Alias Type a name to identify the certificate Common Name Type a name to identify the certificates owner Organization Unit Type the organization unit or department in this field Organization Name Type the organization name or company in this field Loca...

Page 233: ...antage system log preferences 18 8 1 CNM Server You can view system logs for previous day the last two days or up to one week here Table 109 System Certificate Management Import Certificate LABEL DESCRIPTION Input Certificate Input Your Certificate Path Type in the location of the certificate you want to upload in this field or click Browse to find it Apply Click Apply to save these changes Back C...

Page 234: ...LABEL DESCRIPTION Select Time Period Select the time period for which you wish to view Vantage logs Source This field displays the source of the Vantage log Time This field displays the date the Vantage log occurred Content This field displays a message describing for the log Retrieve Click Retrieve for Vantage to pull the logs from the selected device Purge Select Purge to delete system logs from...

Page 235: ... Guide Chapter 18 Other System Screens 238 Figure 130 System Logging Options 18 9 About Vantage The About screen provides some basic information about Vantage as shown in the following screen Figure 131 System About Vantage ...

Page 236: ...Vantage CNM 2 0 User s Guide 239 Chapter 18 Other System Screens ...

Page 237: ...e four alarm severity classifications Table 111 Types of Alarms TYPE DESCRIPTION All This displays all types of alarms Device This is an alarm such as hardware failure or the network connection is down CNM This is an alarm such as server communication error or illegal Vantage login attempt Table 112 Alarm Severity SEVERITY DESCRIPTION All This displays all alarm severities Fatal This is an alarm s...

Page 238: ...rical after selecting Clear Table 113 Alarm States STATE DESCRIPTION Active This is the initial state of an alarm which means this alarm is new and no one has assumed responsibility for handling it yet Acknowledged This means that one administrator has decided to respond to the cause of this alarm Other administrators see that person s name in their alarm screen and so duplicate effort in solving ...

Page 239: ...Vantage CNM 2 0 User s Guide Chapter 19 Monitor Alarms 242 Figure 132 Monitor Current Alarms ...

Page 240: ...istrator has responded to Checkbox Select All Select a checkbox es and then click Clear to erase those alarms Index This is the alarm index number Type This is the type of alarm Severity This is the alarm severity Time This is the time the alarm occurred Status This is the state of the alarm Responder This is the administrator who responded to the alarm Response Time This is the time the alarm occ...

Page 241: ...Vantage CNM 2 0 User s Guide Chapter 19 Monitor Alarms 244 Figure 133 Monitor Historical Alarms 4See Table 114 on page 243 for more information on fields in this table ...

Page 242: ...Vantage CNM 2 0 User s Guide 245 Chapter 19 Monitor Alarms ...

Page 243: ... This is a real time message monitor that displays messages such as urgent alerts and when an administrator has logged in or logged out Click Monitor Status Monitor and wait for Vantage to retrieve information and display it Table 115 Monitor Firmware Upgrade Report LABEL DESCRIPTION Index This is the upgrade list number Administrator This displays the administrator who performed the upgrade Actio...

Page 244: ...ore clearly Save this view by clicking Save 2 Right click a ZyXEL device A End and select VPN in the popup menu Click the ZyXEL device again and drag you should see a red line to another ZyXEL device Z End then release the mouse button 3 You see the Tunnel IPSec Detail screen as shown next Note that information in some fields has been automatically generated for you when you configure VPN this way...

Page 245: ...ure 136 Monitor VPN Editor Tunnel IPSec Detail 4 See Table 57 on page 157 for more information on the fields in this screen Click Apply to go to a Tunnel Summary screen The Tunnel Summary shows the Name of your tunnel A End and Z End devices and the current tunnel Status ...

Page 246: ... 3 2 Graphical Tunnel Depictions A gray dashed line means that the Vantage server has not yet synchronized VPN tunnel information with both devices This may be because Vantage has not so far communicated with one of the devices A gray solid line means that the VPN tunnel is set up between the devices but the tunnel is not active yet no traffic A green solid line means an active tunnel with traffic...

Page 247: ...VPN Monitor Graphical Tunnel 20 3 3 Map Click the Map button to upload a background image such as a map Click the Map button in the IPSec Summary to upload a background gif only image Type a file and path name or browse for your required file Click Upload Figure 139 Monitor VPN Add MAP ...

Page 248: ...Vantage CNM 2 0 User s Guide 251 Chapter 20 Other Monitor Screens ...

Page 249: ...lling WFTPD 1 Download the WFTPD software from www wftpd com to where you want to install it 2 Double click setup exe to begin the wizard Figure 140 Setup 3 Click Next to begin and then follow the wizard prompts Figure 141 Wizard 1 4 Enter your details here as shown and click Next ...

Page 250: ...Vantage CNM 2 0 User s Guide 253 Figure 142 Information 5 Select the installation type and click Next Figure 143 Installation Type 6 Select where to install WFTPD Pro and click Next ...

Page 251: ...prompted to create the directory if it doesn t already exist Click Yes to create a new directory Figure 145 Create Directory 8 Click Next to begin the installation Figure 146 Begin Installation 9 WFTPD has been installed Click Run to start it Make sure the check box is selected ...

Page 252: ...ing WFTPD Figure 147 Run WFTPD 10 Click Start Service form the WFTPD main screen WFTPD main screen Figure 148 WFTPD Main Screen 11 Open Administrative Tools in the Windows Control Panel and then select Services to see the WFTPD Pro service ...

Page 253: ...ndows Services 12 Right click WFTPD Pro service and then click Properties Figure 150 WFTPD Properties 13 Click the Log On tab to configure a user name and password for this server This must be the same username and password that you use in Vantage ...

Page 254: ...Vantage CNM 2 0 User s Guide 257 Figure 151 WFTPD Pro Log On ...

Page 255: ...Syslog Daemon Follow the steps below to install the KiWi Syslog Daemon 1 Download the latest version of the KiWi Syslog Daemon from www kiwisyslog com to your computer 2 Double click on the setup program A screen displays as shown Click I Agree to accept the license agreement Figure 152 Kiwi Syslog Daemon Installation License Agreement 3 Select the installation type the default is Normal and click...

Page 256: ...tes Importing the Syslog Configuration File After installing the Kiwi Syslog Daemon follow the steps below to import the configuration file 1 Copy and save the Syslog Daemon Settings ini file to your computer 2 Start the Kiwi Syslog Daemon In the main Kiwi Syslog Daemon screen click File Setup A screen displays as shown Note You must install Kiwi in the C Program Files Syslog directory for the Van...

Page 257: ... Import Settings and Rules from INI file Figure 155 Kiwi Syslog Daemon Setup 5 Locate the ini syslog configuration file you saved to your computer in step 1 and click Open Figure 156 Kiwi Syslog Daemon Setup Import Configuration File 6 Click Yes to confirm the configuration file import ...

Page 258: ...gging on the computer you install Kiwi 1 Right click on My Computer on the desktop and click Manage Figure 158 Windows XP My Computer 2 A Computer Management screen displays as shown next Click Services under Services and Applications on the left panel 3 Search for the Telnet service on the right panel you may have to scroll down the screen Right click on Telnet and click Start to start the Telnet...

Page 259: ...arted the Telnet service on the computer configure the syslog settings in Vantage CNM 2 0 Set the syslog server username and password to be the same as the Windows username and password in the Vantage system Server screen Setting Up the Syslog Server in Vantage 1 Log in to Vantage using the root account 2 Go to System Preferences Server screen ...

Page 260: ...er s Guide 263 Figure 160 Vantage System Servers 3 Select Syslog Server then enter the IP address of the computer on which you installed the Syslog server and the user name and password that you configured 4 Click Apply ...

Page 261: ...r B This is any ZyXEL device C This is a syslog server D This is an FTP server 1 Vantage sends syslog server and FTP server information to the device when you register the device with Vantage 2 The syslog server must receive the log at local facility 2a and then writes the log file to var log vantage log 3 Vantage communicates with the syslog server using Telnet if Vantage is installed on Windows ...

Page 262: ...yslog server to an FTP server for retrieval 5 Vantage uses the FTP protocol to retrieve the vantage log ZyXEL devices logs from the FTP server a This is how it works at the time of writing Note Vantage instructs the syslog server to send the vantage log ZyXEL devices logs from the syslog server to an FTP server for retrieval once every ten minutes see footnote a Table 116 FTP and syslog Server Ove...

Page 263: ...support may ask you to find Java console debug messages This appendix shows you how to do this 1 Click Start Control Panel and double click on Java Plug in Figure 161 Control Panel Java Plug in Icon 2 Make sure that your settings match those of the Basic tab in the Java Plug in Control Panel as shown in the following screenshot ...

Page 264: ...fter successful login a Java plug in icon should appear in your Windows system tray If there is no icon present return to step 2 Figure 163 Java Plug in Icon 4 Right click on the Java plug in icon and select Open Control Panel to view the Java Console screen Figure 164 Open Control Panel 5 In the Java Console window click Copy ...

Page 265: ...Vantage CNM 2 0 User s Guide 268 Figure 165 Java Console 6 Paste this data into an e mail and send it to customer support ...

Page 266: ...Vantage CNM 2 0 User s Guide 269 ...

Page 267: ...rst two octets make up the network number and the two remaining octets make up the host ID Class C addresses begin starting from the left with 1 1 0 In a class C address the first three octets make up the network number and the last octet is the host ID Class D addresses begin with 1 1 1 0 Class D addresses are used for multicasting There is also a class E address It is reserved for future use The...

Page 268: ...the class arrangement of an IP address is ignored For example a class C address no longer has to have 24 bits of network number and 8 bits of host ID With subnetting some of the host ID bits are converted into network number bits By convention subnet masks always consist of a continuous sequence of ones beginning from the left most bit of the mask followed by a continuous sequence of zeros for a t...

Page 269: ...0 or 1 thus giving two subnets 192 168 1 0 with mask 255 255 255 128 and 192 168 1 128 with mask 255 255 255 128 Table 120 Alternative Subnet Mask Notation SUBNET MASK IP ADDRESS SUBNET MASK 1 BITS LAST OCTET BIT VALUE 255 255 255 0 24 0000 0000 255 255 255 128 25 1000 0000 255 255 255 192 26 1100 0000 255 255 255 224 27 1110 0000 255 255 255 240 28 1111 0000 255 255 255 248 29 1111 1000 255 255 2...

Page 270: ... 168 1 1 and the highest is 192 168 1 126 Similarly the host ID range for the second subnet is 192 168 1 129 to 192 168 1 254 Table 122 Subnet 1 NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 0 IP Address Binary 11000000 10101000 00000001 00000000 Subnet Mask 255 255 255 128 Subnet Mask Binary 11111111 11111111 11111111 10000000 Subnet Address 192 168 1 0 Lowest Host ID 192 168 1 1 Broad...

Page 271: ...ss Binary 11000000 10101000 00000001 00000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 0 Lowest Host ID 192 168 1 1 Broadcast Address 192 168 1 63 Highest Host ID 192 168 1 62 Table 125 Subnet 2 NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 64 IP Address Binary 11000000 10101000 00000001 01000000 Subnet Mask Binary 11111111 11111111 11111111 110000...

Page 272: ...11111111 11000000 Subnet Address 192 168 1 192 Lowest Host ID 192 168 1 193 Broadcast Address 192 168 1 255 Highest Host ID 192 168 1 254 Table 128 Eight Subnets SUBNET SUBNET ADDRESS FIRST ADDRESS LAST ADDRESS BROADCAST ADDRESS 1 0 1 30 31 2 32 33 62 63 3 64 65 94 95 4 96 97 126 127 5 128 129 158 159 6 160 161 190 191 7 192 193 222 223 8 224 223 254 255 Table 129 Class C Subnet Planning NO BORROW...

Page 273: ...following table is a summary for class B subnet planning Table 130 Class B Subnet Planning NO BORROWED HOST BITS SUBNET MASK NO SUBNETS NO HOSTS PER SUBNET 1 255 255 128 0 17 2 32766 2 255 255 192 0 18 4 16382 3 255 255 224 0 19 8 8190 4 255 255 240 0 20 16 4094 5 255 255 248 0 21 32 2046 6 255 255 252 0 22 64 1022 7 255 255 254 0 23 128 510 8 255 255 255 0 24 256 254 9 255 255 255 128 25 512 126 ...

Page 274: ...Vantage CNM 2 0 User s Guide 277 ...

Page 275: ... of a third party TCP IP application package TCP IP should already be installed on computers using Windows NT 2000 XP Macintosh OS 7 and later operating systems After the appropriate TCP IP components are installed configure the TCP IP settings in order to communicate with your network If you manually assign IP information instead of using dynamic assignment make sure that your computers have IP a...

Page 276: ... you need the adapter 1 In the Network window click Add 2 Select Adapter and then click Add 3 Select the manufacturer and model of your network adapter and then click OK If you need TCP IP 1 In the Network window click Add 2 Select Protocol and then click Add 3 Select Microsoft from the list of manufacturers 4 Select TCP IP from the list of network protocols and then click OK If you need Client fo...

Page 277: ...and click Properties 2 Click the IP Address tab If your IP address is dynamic select Obtain an IP address automatically If you have a static IP address select Specify an IP address and type your information into the IP Address and Subnet Mask fields Figure 167 Windows 95 98 Me TCP IP Properties IP Address 3 Click the DNS Configuration tab If you do not know your DNS information select Disable DNS ...

Page 278: ... TCP IP Properties window 6 Click OK to close the Network window Insert the Windows CD if prompted 7 Turn on your Prestige and restart your computer when prompted Verifying Settings 1 Click Start and then Run 2 In the Run window type winipcfg and then click OK to open the IP Configuration window 3 Select your network adapter You should see your computer s IP address subnet mask and default gateway...

Page 279: ...2 Figure 169 Windows XP Start Menu 2 For Windows XP click Network Connections For Windows 2000 NT click Network and Dial up Connections Figure 170 Windows XP Control Panel 3 Right click Local Area Connection and then click Properties ...

Page 280: ... 4 Select Internet Protocol TCP IP under the General tab in Win XP and click Properties Figure 172 Windows XP Local Area Connection Properties 5 The Internet Protocol TCP IP Properties window opens the General tab in Windows XP If you have a dynamic IP address click Obtain an IP address automatically ...

Page 281: ...lick Add In TCP IP Address type an IP address in IP address and a subnet mask in Subnet mask and then click Add Repeat the above two steps for each IP address you want to add Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways In TCP IP Gateway Address type the IP address of the default gateway in Gateway To manually configure a default metric the numbe...

Page 282: ...XP Internet Protocol TCP IP Properties 8 Click OK to close the Internet Protocol TCP IP Properties window 9 Click OK to close the Local Area Connection Properties window 10Turn on your Prestige and restart your computer if prompted Verifying Settings 1 Click Start All Programs Accessories and then Command Prompt 2 In the Command Prompt window type ipconfig and then press ENTER You can also open Ne...

Page 283: ...s Guide 286 Figure 175 Macintosh OS 8 9 Apple Menu 2 Select Ethernet built in from the Connect via list Figure 176 Macintosh OS 8 9 TCP IP 3 For dynamically assigned settings select Using DHCP Server from the Configure list ...

Page 284: ... save changes to your configuration 7 Turn on your Prestige and restart your computer if prompted Verifying Settings Check your TCP IP properties in the TCP IP Control Panel window Macintosh OS X 1 Click the Apple menu and click System Preferences to open the System Preferences window Figure 177 Macintosh OS X Apple Menu 2 Click Network in the icon bar Select Automatic from the Location list Selec...

Page 285: ...ox select Manually Type your IP address in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your Prestige in the Router address box 5 Click Apply Now and close the window 6 Turn on your Prestige and restart your computer if prompted Verifying Settings Check your TCP IP properties in the Network window ...

Page 286: ...Vantage CNM 2 0 User s Guide 289 ...

Page 287: ...end points Figure 179 Virtual Circuit Topology Think of a virtual path as a cable that contains a bundle of wires The cable connects two points and wires within the cable provide individual circuits between the two points In an ATM cell header a VPI Virtual Path Identifier identifies a link formed by a virtual path a VCI Virtual Channel Identifier identifies a channel within a virtual path The VPI...

Page 288: ...Vantage CNM 2 0 User s Guide 291 ...

Page 289: ...cess to the network as they move from meeting to meeting getting up to date access to information and the ability to communicate decisions while on the go It provides campus wide networking mobility allowing enterprises the roaming capability to set up easy to use wireless networks that cover the entire campus transparently IEEE 802 11 The 1997 completion of the IEEE 802 11 standard for wireless L...

Page 290: ... Network Infrastructure Wireless LAN Configuration For Infrastructure WLANs multiple Access Points APs link the WLAN to the wired network and allow users to efficiently share network resources The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood Multiple Access Points can provide wireless coverage for an ent...

Page 291: ...Vantage CNM 2 0 User s Guide 294 Figure 181 ESS Provides Campus Wide Coverage ...

Page 292: ...Vantage CNM 2 0 User s Guide 295 ...

Page 293: ... not provide any central user account management User access control is done through manual modification of the MAC address table on the access point Although WEP data encryption offers a form of data security you have to reset the WEP key on the clients each time you change your WEP key on the access point IEEE 802 1x In June 2001 the IEEE 802 1x standard was designed to extend the features of IE...

Page 294: ...97 RADIUS Server Authentication Sequence The following figure depicts a typical wireless network with a remote RADIUS server for user authentication using EAPOL EAP Over LAN Figure 182 Sequences for EAP MD5 Challenge Authentication ...

Page 295: ... method does not support data encryption with dynamic session key You must configure WEP encryption keys for data encryption EAP TLS Transport Layer Security With EAP TLS digital certifications are needed by both the server and the wireless stations for mutual authentication The server presents a certificate to the client After validating the identity of the server the client sends a different cer...

Page 296: ...en Card for client authentication EAP GTC is implemented only by Cisco LEAP LEAP Lightweight Extensible Authentication Protocol is a Cisco implementation of IEEE802 1x Table 131 Comparison of EAP Authentication Types EAP MD5 EAP TLS EAP TTLS PEAP LEAP Mutual Authentication No Yes Yes Yes Yes Certificate Client No Yes Optional Optional No Certificate Server No Yes Yes Yes No Dynamic Key Exchange No...

Page 297: ...g on to the router s web configurator interface Successful TELNET login Someone has logged on to the router via telnet TELNET login failed Someone has failed to log on to the router via telnet Successful FTP login Someone has logged on to the router via ftp FTP login failed Someone has failed to log on to the router via ftp NAT Session Table is Full The maximum number of NAT session table entries ...

Page 298: ...d per host setNetBIOSFilter calloc error The router failed to allocate memory for the NetBIOS filter settings readNetBIOSFilter calloc error The router failed to allocate memory for the NetBIOS filter settings WAN connection is down A WAN connection is down You cannot access the network through this interface Table 134 Access Control Logs LOG MESSAGE DESCRIPTION Firewall default policy TCP UDP IGM...

Page 299: ...ssion time out sent TCP RST The router sent a TCP reset packet when a dynamic firewall session timed out Default timeout values ICMP idle timeout s 60UDP idle timeout s 60TCP connection three way handshaking timeout s 30TCP FIN wait timeout s 60TCP idle established timeout s 3600 Exceed MAX incomplete sent TCP RST The router sent a TCP reset packet when the number of incomplete connections TCP and...

Page 300: ...sender Table 138 CDR Logs LOG MESSAGE DESCRIPTION board d line d channel d call d s C01 Outgoing Call dev x ch x s The router received the setup requirements for a call call is the reference count number of the call dev is the device type 3 is for dial up 6 is for PPPoE 10 is for PPTP channel or ch is the call channel ID For example board 0 line 0 channel 0 call 3 C01 Outgoing Call dev 6 ch 0 Mean...

Page 301: ...nt filter server responded that the web site is in the blocked category list but it did not return the category type s s The content filter server responded that the web site is in the blocked category list and returned the category type s cache hit The system detected that the web site is in the blocked list from the local cache but does not know the category type s s cache hit The system detecte...

Page 302: ...l detected an ICMP echo attack For type and code details see Table 149 syn flood TCP The firewall detected a TCP syn flood attack ports scan TCP The firewall detected a TCP port scan attack teardrop TCP The firewall detected a TCP teardrop attack teardrop UDP The firewall detected an UDP teardrop attack teardrop ICMP type d code d The firewall detected an ICMP teardrop attack For type and code det...

Page 303: ... IKE phase 2 because the router and the peer s Local Remote Addresses don t match Verifying Local ID failed The connection failed during IKE phase 2 because the router and the peer s Local Remote Addresses don t match IKE Packet Retransmit The router retransmitted the last packet sent because there was no response from the peer Failed to send IKE Packet An Ethernet error stopped the router from se...

Page 304: ...Address This information conflicted with static rule d thus the connection is not allowed Phase 1 ID type mismatch This router s Peer ID Type is different from the peer IPSec router s Local ID Type Phase 1 ID content mismatch This router s Peer ID Content is different from the peer IPSec router s Local ID Content No known phase 1 ID type found The router could not find a known phase 1 ID in the co...

Page 305: ...d the peer Rule d Phase 2 encapsulation mismatch The listed rule s IKE phase 2 encapsulation did not match between the router and the peer Rule d Phase 2 pfs mismatch The listed rule s IKE phase 2 perfect forward secret pfs setting did not match between the router and the peer Rule d Phase 1 ID mismatch The listed rule s IKE phase 1 ID did not match between the router and the peer Rule d Phase 1 h...

Page 306: ...name The router received a certification authority certificate with subject name as recorded from the LDAP server whose IP address and port are recorded in the Source field Rcvd user cert subject name The router received a user certificate with subject name as recorded from the LDAP server whose IP address and port are recorded in the Source field Rcvd CRL size issuer name The router received a CR...

Page 307: ...tch between the certificate and the search constraints 2 Key usage mismatch between the certificate and the search constraints 3 Certificate was not valid in the time interval 4 Not used 5 Certificate is not valid 6 Certificate signature was not verified correctly 7 Certificate was revoked by a CRL 8 Certificate was not added to the cache 9 Certificate decoding failed 10 Certificate was not found ...

Page 308: ...ser logout because of user deassociation The router logged out a user who ended the session User logout because of no authentication response from user The router logged out a user from which there was no authentication response User logout because of idle timeout expired The router logged out a user whose idle timeout period expired User logout because of user request A user logged out Local User...

Page 309: ...et for packets traveling from the WAN to the WAN or the ZyWALL D to D ZW DMZ to DMZ ZyWALL ACL set for packets traveling from the DMZ to the DM or the ZyWALL Table 149 ICMP Notes TYPE CODE DESCRIPTION 0 Echo Reply 0 Echo reply message 3 Destination Unreachable 0 Net unreachable 1 Host unreachable 2 Protocol unreachable 3 Port unreachable 4 A packet that needed fragmentation was dropped because it ...

Page 310: ...IP dstPort msg msg note note devID mac address last three numbers cat category This message is sent by the system RAS displays as the system name if you haven t configured one when the router generates a syslog The facility is defined in the web MAIN MENU LOGS Log Settings page The severity is the log s syslog class The definition of messages and notes are defined in the various log charts through...

Page 311: ...Vantage CNM 2 0 User s Guide 314 SIG Signature NONCE Nonce NOTFY Notification DEL Delete VID Vendor ID Table 151 RFC 2408 ISAKMP Payload Types continued LOG DISPLAY PAYLOAD TYPE ...

Page 312: ...Vantage CNM 2 0 User s Guide 315 ...

Page 313: ...ibutions must also contain a copy of this document 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 The name ExoLab must not be used to endorse or promote products derived from this Software without prior written permission of ExoLab Group For ...

Page 314: ...r the initial code and documentation distributed under this Agreement and b in the case of each subsequent Contributor i changes to the Program and ii additions to the Program where such changes and or additions to the Program originate from and are distributed by that particular Contributor A Contribution originates from a Contributor if it was added to the Program by such Contributor itself or a...

Page 315: ...ercising the rights and licenses granted hereunder each Recipient hereby assumes sole responsibility to secure any other intellectual property rights needed if any For example if a third party patent license is required to allow Recipient to distribute the Program it is Recipient s responsibility to acquire that license before distributing the Program d Each Contributor represents that to its know...

Page 316: ...ly notify the Commercial Contributor in writing of such claim and b allow the Commercial Contributor to control and cooperate with the Commercial Contributor in the defense and any related settlement negotiations The Indemnified Contributor may participate in any such claim at its own expense For example a Contributor might include the Program in a commercial product offering Product X That Contri...

Page 317: ...date such litigation is filed All Recipient s rights under this Agreement shall terminate if it fails to comply with any of the material terms or conditions of this Agreement and does not cure such failure in a reasonable period of time after becoming aware of such noncompliance If all Recipient s rights under this Agreement terminate Recipient agrees to cease use and distribution of the Program a...

Page 318: ...sclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution THIS SOFTWARE IS PROVIDED BY THE CRYPTIX FOUNDATION LIMITED AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABIL...

Page 319: ...ftware and derivative works thereof in source and binary forms as part of a larger work and to sublicense the right to use reproduce and distribute the Java Software and Doug Lea s derivative works as the part of larger works through multiple tiers of sublicensees provided that the following conditions are met Neither the name of or trademarks of Sun may be used to endorse or promote products incl...

Page 320: ...ng terms in the Binary Code License Agreement or in any license contained within the Software 1 Software Internal Use and Development License Grant Subject to the terms and conditions of this Agreement including but not limited to Section 4 Java Technology Restrictions of these Supplemental Terms Sun grants you a non exclusive non transferable limited license without fees to reproduce internally a...

Page 321: ...ent that you create an additional class and associated API s which i extends the functionality of the Java platform and ii is exposed to third party software developers for the purpose of developing additional software which invokes such additional API you must promptly publish broadly an accurate specification for such API for free use by all developers You may not create or authorize your licens...

Page 322: ...ks and Logos You acknowledge and agree as between you and Sun that Sun owns the SUN SOLARIS JAVA JINI FORTE and iPLANET trademarks and all SUN SOLARIS JAVA JINI FORTE and iPLANET related trademarks service marks logos and other brand designations Sun Marks and you agree to comply with the Sun Trademark and Logo Usage Requirements currently located at http www sun com policies trademarks Any use yo...

Page 323: ... or attached to the work an example is provided in the Appendix below Derivative Works shall mean any work whether in Source or Object form that is based on or derived from the Work and for which the editorial revisions annotations elaborations or other modifications represent as a whole an original work of authorship For the purposes of this License Derivative Works shall not include works that r...

Page 324: ...ns a You must give any other recipients of the Work or Derivative Works a copy of this License and b You must cause any modified files to carry prominent notices stating that You changed the files and c You must retain in the Source form of any Derivative Works that You distribute all copyright patent trademark and attribution notices from the Source form of the Work excluding those notices that d...

Page 325: ...o event and under no legal theory whether in tort including negligence contract or otherwise unless required by applicable law such as deliberate and grossly negligent acts or agreed to in writing shall any Contributor be liable to You for damages including any direct indirect special incidental or consequential damages of any character arising as a result of this License or out of the use or inab...

Page 326: ...ARE IS PROVIDED AS IS AND ANY EXPRESSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOO...

Page 327: ...he name Gargoyle Software must not be used to endorse or promote products derived from this software without prior written permission For written permission please contact info GargoyleSoftware com 5 Products derived from this software may not be called HtmlUnit nor may HtmlUnit appear in their name without prior written permission of Gargoyle Software Inc THIS SOFTWARE IS PROVIDED AS IS AND ANY E...

Page 328: ...ral Public License applies to some specially designated software packages typically libraries of the Free Software Foundation and other authors who decide to use it You can use it too but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case based on the explanations below When we speak of free so...

Page 329: ...libraries and is quite different from the ordinary General Public License We use this license for certain libraries in order to permit linking those libraries into non free programs When a program is linked with a library whether statically or using a shared library the combination of the two is legally speaking a combined work a derivative of the original library The ordinary General Public Licen...

Page 330: ...nguage Hereinafter translation is included without limitation in the term modification Source code for a work means the preferred form of the work for making modifications to it For a library complete source code means all the source code for all modules it contains plus any associated interface definition files plus the scripts used to control compilation and installation of the library Activitie...

Page 331: ...ary In addition mere aggregation of another work not based on the Library with the Library or with a work based on the Library on a volume of a storage or distribution medium does not bring the other work under the scope of this License 3 You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library To do this you must alter all th...

Page 332: ...he Library and its use are covered by this License You must supply a copy of this License If the work during execution displays copyright notices you must include the copyright notice for the Library among them as well as a reference directing the user to the copy of this License Also you must do one of these things a Accompany the work with the complete corresponding machine readable source code ...

Page 333: ...terminate your rights under this License However parties who have received copies or rights from you under this License will not have their licenses terminated so long as such parties remain in full compliance 9 You are not required to accept this License since you have not signed it However nothing else grants you permission to modify or distribute the Library or its derivative works These action...

Page 334: ...h revised and or new versions of the Lesser General Public License from time to time Such new versions will be similar in spirit to the present version but may differ in detail to address new problems or concerns Each version is given a distinguishing version number If the Library specifies a version number of this License which applies to it and any later version you have the option of following ...

Page 335: ...e is permitted to copy and distribute verbatim copies of this license document but changing it is not allowed Preamble The licenses for most software are designed to take away your freedom to share and change it By contrast the GNU General Public License is intended to guarantee your freedom to share and change free software to make sure the software is free for all its users This General Public L...

Page 336: ... 0 This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License The Program below refers to any such program or work and a work based on the Program means either the Program or any derivative work under copyright law that is to say a work containing the Program or a portion of it...

Page 337: ...s of who wrote it Thus it is not the intent of this section to claim rights or contest your rights to work written entirely by you rather the intent is to exercise the right to control the distribution of derivative or collective works based on the Program In addition mere aggregation of another work not based on the Program with the Program or with a work based on the Program on a volume of a sto...

Page 338: ...copy distribute or modify the Program subject to these terms and conditions You may not impose any further restrictions on the recipients exercise of the rights granted herein You are not responsible for enforcing compliance by third parties to this License 7 If as a consequence of a court judgment or allegation of patent infringement or for any other reason not limited to patent issues conditions...

Page 339: ...re Foundation write to the Free Software Foundation we sometimes make exceptions for this Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally NO WARRANTY 11 BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE THERE IS NO WARRANTY FOR THE PROGRAM TO THE EXTENT PERMITTED BY APPLICAB...

Page 340: ...the number of users specified in sales order and invoice You have the right to make one backup copy of the Software and Documentation solely for archival back up or disaster recovery purposes You shall not exceed the scope of the license granted hereunder Any rights not expressly granted by ZyXEL to you are reserved by ZyXEL and all implied licenses are disclaimed 2 Ownership You have no ownership...

Page 341: ...ation You agree to reasonably communicate the terms and conditions of this License Agreement to those persons employed by you who come into contact with the Software and to use reasonable best efforts to ensure their compliance with such terms and conditions including without limitation not knowingly permitting such persons to use any portion of the Software for the purpose of deriving the source ...

Page 342: ...XPORT THE SOFTWARE DOCUMENTATION OR INFORMATION ABOUT THE SOFTWARE AND DOCUMENTATION WITHOUT COMPLYING WITH SUCH LAWS REGULATIONS ORDERS OR OTHER RESTRICTIONS YOU AGREE TO INDEMNIFY ZyXEL AGAINST ALL CLAIMS LOSSES DAMAGES LIABILITIES COSTS AND EXPENSES INCLUDING REASONABLE ATTORNEYS FEES TO THE EXTENT SUCH CLAIMS ARISE OUT OF ANY BREACH OF THIS SECTION 8 9 Audit Rights ZyXEL SHALL HAVE THE RIGHT A...

Page 343: ...nse Agreement shall constitute the entire Agreement between the parties hereto This License Agreement the rights granted hereunder the Software and Documentation shall not be assigned by you without the prior written consent of ZyXEL Any waiver or modification of this License Agreement shall only be effective if it is in writing and signed by both parties hereto If any part of this License Agreeme...

Page 344: ... 292 Distribution System 293 DMZ 96 And the Firewall 96 Domain Name 64 DoS Basics 168 Types 168 DS 293 DSSS 292 DTR 112 E EAP Authentication 298 Enable Wireless LAN 85 Encapsulation 161 encrymode 63 Encryption Algorithm 160 161 EnterSee Syntax Conventions 29 ESS 293 ESS ID 82 Extended Service Set 293 Extended Service Set IDentification 85 F Factory LAN Defaults 70 FHSS 292 Firewall Address Type 18...

Page 345: ...col 177 Point to Point Tunneling ProtocolSee PPTP 105 POP3 168 Port Configuration 184 Port Number 176 Port Numbers 176 Public Servers 96 R RADIUS 91 Shared Secret Key 92 RADIUS Message Types 92 Read Me First 28 Related Documentation 28 RF signals 292 RIP 71 RTS Threshold 83 RTS CTS handshake 86 Rules Checklist 175 Key Fields 176 S SA Life Time 160 161 Saving the State 170 Secret Key 64 Security Ra...

Page 346: ... Index 350 U UDP ICMP Security 173 Upper Layer Protocols 172 173 User Name 65 User Profiles 90 V VPN 105 W WAN Backup 122 Web Configurator 167 173 175 WEP Encryption 86 Wireless LAN 292 WLAN 292 Z ZyXEL s Firewall Introduction 167 ...

Reviews:

No comments

Related manuals for VANTAGE CNM 2.0 -

Samsung CLX 6210FX - Color Laser - All-in-One Admin Manual preview
CLX 6210FX - Color Laser - All-in-One
Brand: Samsung Pages: 65
Samsung 4116 - SCX B/W Laser Driver Manual preview
4116 - SCX B/W Laser
Brand: Samsung Pages: 16
Garmin 010-10307-00 - MapSource Fishing Hot Spots Manual Do Usuário preview
010-10307-00 - MapSource Fishing Hot Spots
Brand: Garmin Pages: 30
Novell LINUX ENTERPRISE DESKTOP 11 - KDE Manual preview
LINUX ENTERPRISE DESKTOP 11 - KDE
Brand: Novell Pages: 102
Arturia Analog Factory S.E. User Manual preview
Analog Factory S.E.
Brand: Arturia Pages: 31
MacroSystem Digital Video DVD-Arabesk 2 User Manual preview
DVD-Arabesk 2
Brand: MacroSystem Digital Video Pages: 28
YOKOGAWA 735070 Operation Manual preview
735070
Brand: YOKOGAWA Pages: 29
Nikon View DX Reference Manual preview
View DX
Brand: Nikon Pages: 38
GRASS VALLEY EDIUS SP Datasheet preview
EDIUS SP
Brand: GRASS VALLEY Pages: 4
FieldServer FS-8700-73 Driver Manual preview
FS-8700-73
Brand: FieldServer Pages: 48
Pharos Ostia 3.x User Manual preview
Ostia 3.x
Brand: Pharos Pages: 93
ZENEC Z-EMAP50 User Manual preview
Z-EMAP50
Brand: ZENEC Pages: 80
MACROMEDIA FLASH MX 2004-DATA Tutorials Manual preview
FLASH MX 2004-DATA
Brand: MACROMEDIA Pages: 20
Xerox DocuColor 250 Online Help Manual preview
DocuColor 250
Brand: Xerox Pages: 378
NEC Storage Manager Reference preview
Storage Manager
Brand: NEC Pages: 134
Cabletron Systems SmartSwitch 9A100 Upgrade Instructions preview
SmartSwitch 9A100
Brand: Cabletron Systems Pages: 2
Novell SUSE LINUX ENTERPRISE SERVER 10 STORAGE Installation Manual preview
SUSE LINUX ENTERPRISE SERVER 10 STORAGE
Brand: Novell Pages: 7
Novell SUPPORT ADVISOR 2.0.1 Administration Manual preview
SUPPORT ADVISOR 2.0.1
Brand: Novell Pages: 22

Brands by name

Popular brands

Load more brands