manualshive.com logo in svg

ZyXEL Communications ZyWALL 110 Series, User Manual, Page: 313 / 562

Share
Download
ZyXEL Communications ZyWALL 110 Series User Manual Download Page 313

 Chapter 20 IPSec VPN

ZyWALL 110/310/1100 Series User’s Guide

313

Figure 192   

VPN Example: NAT for Inbound and Outbound Traffic

Source Address in Outbound Packets (Outbound Traffic, Source NAT)

This translation lets the ZyWALL route packets from computers that are not part of the specified 
local network (local policy) through the IPSec SA. For example, in 

Figure 192 on page 313

, you 

have to configure this kind of translation if you want computer M to establish a connection with any 
computer in the remote network (B). If you do not configure it, the remote IPSec router may not 
route messages for computer M through the IPSec SA because computer M’s IP address is not part 
of its local policy.

To set up this NAT, you have to specify the following information:

• Source - the original source address; most likely, computer M’s network.
• Destination - the original destination address; the remote network (B).
• SNAT - the translated source address; the local network (A).

Source Address in Inbound Packets (Inbound Traffic, Source NAT)

You can set up this translation if you want to change the source address of computers in the remote 
network. To set up this NAT, you have to specify the following information:

• Source - the original source address; the remote network (B).
• Destination - the original destination address; the local network (A).
• SNAT - the translated source address; a different IP address (range of addresses) to hide the 

original source address.

Destination Address in Inbound Packets (Inbound Traffic, Destination NAT)

You can set up this translation if you want the ZyWALL to forward some packets from the remote 
network to a specific computer in the local network. For example, in 

Figure 192 on page 313

, you 

can configure this kind of translation if you want to forward mail from the remote network to the 
mail server in the local network (A).

Summary of Contents for ZyWALL 110 Series

Page 1: ...com ZyWALL 110 310 1100 Series VPN Firewall Version 3 10 Edition 2 02 2013 Copyright 2013 ZyXEL Communications Corporation User s Guide Default Login Details LAN Port IP Address https 192 168 1 1 Use...

Page 2: ...in this manual is accurate Related Documentation Quick Start Guide The Quick Start Guide shows how to connect the ZyWALL and access the Web Configurator wizards See the wizard real time help for infor...

Page 3: ...2 1 5 ISP Parameters 35 2 1 6 Internet Access Finish 36 Chapter 3 Hardware Introduction 37 3 1 Default Zones Interfaces and Ports 37 3 2 Stopping the ZyWALL 38 3 3 Rack mounting 38 3 4 Wall mounting...

Page 4: ...ation Provisioning Advanced Wizard Phase 1 Settings 64 4 4 7 VPN Settings for Configuration Provisioning Advanced Wizard Phase 2 65 4 4 8 VPN Settings for Configuration Provisioning Advanced Wizard Su...

Page 5: ...Object References 122 7 3 3 Add Edit DHCPv6 Request Release Options 123 7 3 4 Add Edit DHCP Extended Options 124 7 4 PPP Interfaces 125 7 4 1 PPP Interface Summary 126 7 4 2 PPP Interface Add or Edit...

Page 6: ...r 10 Routing Protocols 199 10 1 Routing Protocols Overview 199 10 1 1 What You Can Do in this Chapter 199 10 1 2 What You Need to Know 199 10 2 The RIP Screen 199 10 3 The OSPF Screen 201 10 3 1 Confi...

Page 7: ...rview 233 15 1 1 What You Can Do in this Chapter 233 15 1 2 What You Need to Know 233 15 1 3 Before You Begin 236 15 2 The ALG Screen 236 15 3 ALG Technical Reference 238 Chapter 16 IP MAC Binding 241...

Page 8: ...en 268 19 2 2 The Firewall Add Edit Screen 272 19 3 The Session Limit Screen 273 19 3 1 The Session Limit Add Edit Screen 275 19 4 Firewall Rule Configuration Example 276 19 5 Firewall Rule Example Ap...

Page 9: ...king the ZyWALL 332 22 5 Logging Out of the SSL VPN User Screens 333 22 6 SSL User Application Screen 333 22 7 SSL User File Sharing 334 22 7 1 The Main File Sharing Screen 334 22 7 2 Opening a File o...

Page 10: ...6 3 1 Configuring Active Passive Mode Device HA 363 26 4 Configuring an Active Passive Mode Monitored Interface 365 26 5 Device HA Technical Reference 366 Chapter 27 User Group 371 27 1 Overview 371 2...

Page 11: ...an Do in this Chapter 396 30 1 2 What You Need to Know 396 30 2 The Schedule Summary Screen 397 30 2 1 The One Time Schedule Add Edit Screen 398 30 2 2 The Recurring Schedule Add Edit Screen 399 Chapt...

Page 12: ...424 33 3 2 The Trusted Certificates Import Screen 427 33 4 Certificates Technical Reference 428 Chapter 34 ISP Accounts 429 34 1 Overview 429 34 1 1 What You Can Do in this Chapter 429 34 2 ISP Accoun...

Page 13: ...omain Zone Forwarder 453 37 6 8 MX Record 454 37 6 9 Adding a MX Record 454 37 6 10 Adding a DNS Service Control Rule 455 37 7 WWW Overview 456 37 7 1 Service Access Limitations 456 37 7 2 System Time...

Page 14: ...39 1 1 What You Can Do in this Chapter 499 39 1 2 What you Need to Know 499 39 2 The Configuration File Screen 501 39 3 The Firmware Package Screen 505 39 4 The Shell Script Screen 507 Chapter 40 Dia...

Page 15: ...u Need To Know 525 42 2 The Reboot Screen 525 Chapter 43 Shutdown 526 43 1 Overview 526 43 1 1 What You Need To Know 526 43 2 The Shutdown Screen 526 Chapter 44 Troubleshooting 527 44 1 Resetting the...

Page 16: ...ZyWALL 110 310 1100 Series User s Guide 16...

Page 17: ...IPv6 Ethernet PPP VLAN and bridge routing You may also create IPv6 policy routes and IPv6 objects The ZyWALL can also route IPv6 packets through IPv4 networks using different tunneling methods Figure...

Page 18: ...so he can access network resources in the same way as if he were part of the internal network Figure 3 SSL VPN With Full Tunnel Mode User Aware Access Control Set up security policies to restrict acc...

Page 19: ...ellular interfaces In either case you can balance the traffic loads between them Figure 5 Applications Multiple WAN Interfaces 1 2 Management Overview You can manage the ZyWALL in the following ways W...

Page 20: ...k 2 Enable JavaScripts Java permissions and cookies The recommended screen resolution is 1024 x 768 pixels 1 3 1 Web Configurator Access 1 Make sure your ZyWALL hardware is properly connected See the...

Page 21: ...te Admin Info screen If you change the default password the Login screen appears after you click Apply If you click Ignore the Installation Setup Wizard opens if the ZyWALL is using its default config...

Page 22: ...an overview of links to the Web Configurator screens Object Reference Click this to check which configuration items reference an object Console Click this to open a Java based console window from whic...

Page 23: ...object for which the configuration settings that use it are displayed Click the object s name to display the object s configuration screen in the main window This field is a sequential value and it is...

Page 24: ...rence Guide for information about the commands Figure 11 Console Window CLI Messages Click CLI to look at the CLI commands sent by the Web Configurator Open the pop up window and then click some menus...

Page 25: ...e arrange to suit your needs See the Web Help for details on the dashboard Monitor Menu The monitor menu screens display status and statistics information Table 6 Monitor Menu Screens Summary FOLDER O...

Page 26: ...n for an installed 3G card Tunnel Configure tunneling between IPv4 and IPv6 networks VLAN Create and manage VLAN interfaces and virtual VLAN interfaces Bridge Create and manage bridges and virtual bri...

Page 27: ...r sessions and rules to force user authentication Address Address Create and manage host range and network subnet addresses Address Group Create and manage groups of addresses Service Service Create a...

Page 28: ...ZyWALL here Log Report Email Daily Report Configure where and how to send daily reports and what reports to send Log Settings Configure the system log e mail logs and remote syslog servers Table 8 Mai...

Page 29: ...can do Sort in ascending or descending reverse alphabetical order Select which columns to display Group entries by field Show entries in groups Filter by mathematical operators or or searching for tex...

Page 30: ...ct it and click Edit to open a screen where you can modify the entry s settings In some tables you can just click a table entry and edit it directly in the table For those types of tables small red tr...

Page 31: ...list of available entries displays next to a list of selected entries you can often just double click an entry to move it from one list to the other In some lists you can also use the Shift or Ctrl k...

Page 32: ...Chapter 1 Introduction ZyWALL 110 310 1100 Series User s Guide 32...

Page 33: ...lick the double arrow in the upper right corner to display or hide the help Click Go to Dashboard to skip the installation setup wizard or click Next to start configuring for Internet access 2 1 1 Int...

Page 34: ...r the IP address of the router through which this WAN connection will send traffic the default gateway First Second DNS Server These fields display if you selected static IP address assignment The Dom...

Page 35: ...0 0 0 0 if you do not want to configure DNS servers If you do not configure a DNS server you must know the IP address of a machine in order to access it 2 1 4 Internet Access PPTP Note Enter the Inte...

Page 36: ...IP Address Enter your static public IP address Auto displays if you selected Auto as the IP Address Assignment in the previous screen First Second DNS Server These fields display if you selected stat...

Page 37: ...may use the WAN interface rather than wan1 or wan2 ge2 or ge3 An OPT optional Ethernet port can be configured as an additional WAN port LAN WLAN or DMZ port Physical Ports Interfaces Zones P7 ext wlan...

Page 38: ...ack or in a wiring closet with other equipment using a rack mounting kit Make sure the rack will safely support the combined weight of all the equipment it contains and that the position of the ZyWALL...

Page 39: ...crew the screws all the way in to the wall leave a small gap between the head of the screw and the wall The gap must be big enough for the screw heads to slide into the screw slots and the connection...

Page 40: ...contact your vendor SYS Green Off The ZyWALL is not ready or has failed On The ZyWALL is ready and running Blinking The ZyWALL is booting Red On The ZyWALL xd an error or has failed USB Green Off No...

Page 41: ...ter equipped with communications software configured to the following parameters Speed 115200 bps Data Bits 8 Parity None Stop Bit 1 Flow Control Off CF Card Slot Insert a compact flash card into this...

Page 42: ...Chapter 3 Hardware Introduction ZyWALL 110 310 1100 Series User s Guide 42...

Page 43: ...is wizard creates matching ISP account settings in the ZyWALL if you use PPPoE or PPTP See Section 4 2 on page 43 VPN SETUP Use VPN Setup to configure a VPN Virtual Private Network rule for a secure c...

Page 44: ...terface that you want to configure for a WAN connection and click Next Figure 24 Choose an Ethernet Interface 4 2 2 Select WAN Type WAN Type Selection Select the type of encapsulation this connection...

Page 45: ...ether the interface should use a fixed or dynamic IP address Figure 26 WAN Interface Setup Step 2 WAN Interface This is the interface you are configuring for Internet access Zone This is the security...

Page 46: ...ur ZyWALL accepts MSCHAP V2 only User Name Type the user name given to you by your ISP You can use alphanumeric and _ characters and it can be up to 31 characters long Password Type the password assoc...

Page 47: ...ddress This field is read only when the WAN interface uses a dynamic IP address If your WAN interface uses a static IP address enter it in this field First DNS Server Second DNS Server These fields on...

Page 48: ...service name specified in the ISP account Server IP This field only appears for a PPTP interface It displays the IP address of the PPTP server User Name This is the user name given to you by your ISP...

Page 49: ...address of the ZyWALL in the ZyWALL IPSec VPN Client to get the VPN settings automatically from the ZyWALL Figure 30 VPN Wizard Welcome 4 3 2 VPN Setup Wizard Wizard Type Choose Express to create a VP...

Page 50: ...cribes your intended VPN connection The figure on the left of the screen changes to match the scenario you select Site to site The remote IPSec device has a static IP address or a domain name This ZyW...

Page 51: ...racters Proceed a hexadecimal key with 0x You will receive a PYLD_MALFORMED payload malformed packet if the same pre shared key is not used on both ends Local Policy IP Mask Type the IP address of a c...

Page 52: ...he remote IPSec device that can use the tunnel If this field displays Any only the remote IPSec device can initiate the VPN connection Copy and paste the Configuration for Secure Gateway commands into...

Page 53: ...110 310 1100 Series User s Guide 53 Figure 35 VPN Express Wizard Finish Click Close to exit the wizard 4 3 7 VPN Advanced Wizard Scenario Click the Advanced radio button as shown in Figure 31 on page...

Page 54: ...or a domain name This ZyWALL can initiate the VPN tunnel Site to site with Dynamic Peer The remote IPSec device has a dynamic IP address Only the remote IPSec device can initiate the VPN tunnel Remote...

Page 55: ...e DES encryption algorithm uses a 56 bit key Triple DES 3DES is a variation on DES that uses a 168 bit key As a result 3DES is more secure than DES It also requires more processing power resulting in...

Page 56: ...est 5 and SHA Secure Hash Algorithm are hash algorithms used to authenticate packet data The stronger the algorithm the slower it is SA Life Time Set how often the ZyWALL renegotiates the IKE SA A sho...

Page 57: ...up the VPN tunnel Local Policy IP address and subnet mask of the computers on the network behind your ZyWALL that can use the tunnel Remote Policy IP address and subnet mask of the computers on the n...

Page 58: ...tion Provisioning Wizard Wizard Type Use VPN Settings for Configuration Provisioning to set up a VPN rule that can be retrieved with the ZyWALL IPSec VPN Client VPN rules for the ZyWALL IPSec VPN Clie...

Page 59: ...pre shared key Choose Advanced to change the default settings and or use certificates instead of a pre shared key in the VPN rule Figure 41 VPN Settings for Configuration Provisioning Express Wizard...

Page 60: ...ection and VPN gateway You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Application Scenario Only the Remote Acc...

Page 61: ...racters Proceed a hexadecimal key with 0x You will receive a PYLD_MALFORMED payload malformed packet if the same pre shared key is not used on both ends Local Policy IP Mask Type the IP address of a c...

Page 62: ...the computers on the network behind your ZyWALL that can be accessed using the tunnel Remote Policy Any displays in this field because it is not configurable in this wizard The Configuration for Secu...

Page 63: ...ress Wizard Finish Click Close to exit the wizard 4 4 5 VPN Settings for Configuration Provisioning Advanced Wizard Scenario Click the Advanced radio button as shown in the screen shown in Figure 41 o...

Page 64: ...configurable in this wizard It allows incoming connections from the ZyWALL IPSec VPN Client My Address interface Select an interface from the drop down list box to use on your ZyWALL Negotiation Mode...

Page 65: ...Wizard Phase 2 Active Protocol ESP is compatible with NAT AH is not available in this wizard Encapsulation Tunnel is compatible with NAT Transport is not Encryption Algorithm 3DES and AES use encrypt...

Page 66: ...field because it is not configurable in this wizard It allows incoming connections from the ZyWALL IPSec VPN Client Pre Shared Key VPN tunnel password Certificate The certificate the ZyWALL uses to i...

Page 67: ...r s Guide 67 VPN Connection screen Enter the IP address of the ZyWALL in the ZyWALL IPSec VPN Client to get all these VPN settings automatically from the ZyWALL Figure 50 VPN for Configuration Provisi...

Page 68: ...Chapter 4 Quick Setup Wizards ZyWALL 110 310 1100 Series User s Guide 68...

Page 69: ...76 to look at the VPN tunnels that are currently established Use the DHCP Table screen see Section 5 2 5 on page 77 to look at the IP addresses currently assigned to DHCP clients and the IP addresses...

Page 70: ...date the widget s information immediately Close Widget E Click this to close the widget Use Widget Setting to re open it Virtual Device Rear Panel Click this to view details about the ZyWALL s rear pa...

Page 71: ...field displays the model name of this ZyWALL Serial Number This field displays the serial number of this ZyWALL The serial number is used for device tracking and control MAC Address Range This field...

Page 72: ...the ZyWALL s recent memory usage Flash Usage This field displays what percentage of the ZyWALL s onboard flash memory is currently being used USB Storage Usage This field shows how much storage in th...

Page 73: ...nnect icon to have the ZyWALL try to connect a PPPoE PPTP interface If the interface cannot use one of these ways to get or to update its IP address this field displays n a Click the Disconnect icon t...

Page 74: ...y of the log Category This field displays the type of log generated Message This field displays the actual log message Source This field displays the source address if any in the packet that generated...

Page 75: ...this screen 5 2 3 The Active Sessions Screen Use this screen to look at a chart of the ZyWALL s recent traffic session usage To access this screen click Session Usage in the dashboard Table 16 Dashboa...

Page 76: ...shed To access this screen click VPN Status in System Status in the dashboard Figure 55 Dashboard System Status VPN Status Table 17 Dashboard Session Usage LABEL DESCRIPTION Sessions The y axis repres...

Page 77: ...ies the interface that assigned an IP address to a DHCP client IP Address This field displays the IP address currently assigned to a DHCP client or reserved for a specific MAC address Click the column...

Page 78: ...any entry User ID This field displays the user name of each user who is currently logged in to the ZyWALL Reauth Lease T This field displays the amount of reauthentication time remaining and the amou...

Page 79: ...domain names Use the System Status IP MAC Binding screen Section 6 7 on page 91 to view a list of devices that have received an IP address from ZyWALL interfaces with IP MAC binding enabled Use the S...

Page 80: ...the physical port number Status This field displays the current status of the physical port Down The physical port is not connected Speed Duplex The physical port is connected This field displays the...

Page 81: ...ck this to update the information in the window right away Port Selection Select the number of the physical port for which you want to display graphics Switch to Grid View Click this to display the po...

Page 82: ...ALL 110 310 1100 Series User s Guide 82 6 3 Interface Status Screen This screen lists all of the ZyWALL s interfaces and gives packet statistics for them Click Monitor System Status Interface Status t...

Page 83: ...Chapter 6 Monitor ZyWALL 110 310 1100 Series User s Guide 83 Figure 60 Monitor System Status Interface Status...

Page 84: ...s not appear in the list For PPP interfaces Connected The PPP interface is connected Disconnected The PPP interface is not connected If the PPP interface is disabled it does not appear in the list Zon...

Page 85: ...ick this to look at the status of virtual interfaces on top of this interface Port This field displays the physical port number Status This field displays the current status of each interface The poss...

Page 86: ...e IP address for the interface Click Renew to send a new DHCP request to a DHCP server Click Connect to try to connect a PPPoE PPTP interface If the interface cannot use one of these ways to get or to...

Page 87: ...on page 89 for more information The following table describes the labels in this screen Table 24 Monitor System Status Traffic Statistics LABEL DESCRIPTION Data Collection Collect Statistics Select t...

Page 88: ...e 25 on page 89 These fields are available when the Traffic Type is Service Port This field is the rank of each record The protocols and service ports are sorted by the amount of traffic Service Port...

Page 89: ...s Destination address Number of bytes received so far Number of bytes transmitted so far Duration so far You can look at all established sessions that passed through the ZyWALL by user service source...

Page 90: ...to the protocol and port of each services that is defined See Chapter 29 on page 390 for more information about services Source This field displays when View is set to all sessions Type the source IP...

Page 91: ...ZyWALL do not display in the list Figure 64 Monitor System Status IP MAC Binding Table 27 Monitor System Status DDNS Status LABEL DESCRIPTION Update Click this to have the ZyWALL update the profile t...

Page 92: ...name used to identify this device on the network the computer name The ZyWALL learns these from the DHCP client requests MAC Address This field displays the MAC address to which the IP address is cur...

Page 93: ...shown Force Logout Select a user ID and click this icon to end a user s session Refresh Click this button to update the information in the screen Table 29 Monitor System Status Login Users continued...

Page 94: ...ion Searching network The 3G device is searching for a network Get signal fail The 3G device cannot get a signal from a network Network found The 3G device found a network Apply config The ZyWALL is a...

Page 95: ...shows Limited Service if the service provider has stopped service to the 3G SIM card For example if the bill has not been paid or the account has expired Cellular System This field displays what type...

Page 96: ...ard IMSI IMSI International Mobile Subscriber Identity is a 15 digit code that identifies the SIM card Table 31 Monitor System Status More Information continued LABEL DESCRIPTION Table 32 Monitor Syst...

Page 97: ...nted by using the Remove Now button or for some reason the ZyWALL cannot mount it Click Use It to have the ZyWALL mount a connected USB storage device This button is grayed out if the file system is n...

Page 98: ...tion 6 11 1 on page 98 for more details Search Click this button to search for an IPSec SA that matches the information you specified above Disconnect Select an IPSec SA and click this button to disco...

Page 99: ...over IPSec to open the following screen Use this screen to display and manage the ZyWALL s connected L2TP VPN sessions Table 34 Monitor VPN Monitor SSL LABEL DESCRIPTION Disconnect Select a connectio...

Page 100: ...est existing log message first The maximum possible number of log messages in the ZyWALL varies by model Events that generate an alert as well as a log message display in red Regular logs display in b...

Page 101: ...clude the port in this filter Destination Address This displays when you show the filter Type the IP address of the destination of the incoming packet when the log message was generated Do not include...

Page 102: ...message It has the same range of values as the Priority field above Category This field displays the log that generated the log message It is the same value used in the Display and other Category fiel...

Page 103: ...5 for PPPoE or PPTP Internet connections Use the Cellular screens Section 7 5 on page 132 to configure settings for interfaces for Internet connections through an installed 3G card Use the Tunnel scre...

Page 104: ...software connection between Ethernet or VLAN interfaces at the layer 2 data link MAC address level Unlike port groups bridge interfaces can take advantage of some security features in the ZyWALL You...

Page 105: ...rface Relationships Between Interfaces In the ZyWALL interfaces are usually created on top of other interfaces Only Ethernet interfaces are created directly on top of the physical ports or port groups...

Page 106: ...tten as 2001 0db8 1a2f 0000 0000 0015 2001 0db8 0000 0000 1a2f 0015 2001 db8 1a2f 0 0 15 or 2001 db8 0 0 1a2f 15 Prefix and Prefix Length Similar to an IPv4 subnet mask IPv6 uses an address prefix to...

Page 107: ...ed from the ISP or a connected uplink router for its LAN The ZyWALL uses the received IPv6 prefix for example 2001 db2 48 to generate its LAN IP address Through sending Router Advertisements RAs regul...

Page 108: ...ALL s lan1 lan2 ext wlan or dmz IP address Use the appropriate lan1 lan2 ext wlan or dmz IP address to access the ZyWALL Figure 73 Configuration Network Interface Port Role 110 The physical Ethernet p...

Page 109: ...removed from the ZyWALL but you can still configure it Ethernet interfaces are similar to other types of interfaces in many ways They have an IP address subnet mask and gateway used to make routing d...

Page 110: ...lick Remove The ZyWALL confirms you want to remove it before doing so Activate To turn on an interface select it and click Activate Inactivate To turn off an interface select it and click Inactivate C...

Page 111: ...y RIP 2 packets The ZyWALL can use subnet broadcasting or multicasting With OSPF you can use Ethernet interfaces to do the following things Enable and disable OSPF in the underlying physical port or p...

Page 112: ...Chapter 7 Interfaces ZyWALL 110 310 1100 Series User s Guide 112 Figure 75 Configuration Network Interface Ethernet Edit External Type...

Page 113: ...Chapter 7 Interfaces ZyWALL 110 310 1100 Series User s Guide 113 Figure 76 Configuration Network Interface Ethernet Edit Internal Type...

Page 114: ...Chapter 7 Interfaces ZyWALL 110 310 1100 Series User s Guide 114 Figure 77 Configuration Network Interface Ethernet Edit OPT...

Page 115: ...matically adds this interface to the default WAN trunk For general the rest of the screen s options do not automatically adjust and you must manually configure a policy route to add routing and SNAT s...

Page 116: ...Gateway Enter the IPv6 address of the default outgoing gateway using colon hexadecimal notation Metric Enter the priority of the gateway if any on this interface The ZyWALL decides which gateway to us...

Page 117: ...CPv6 server use this section to configure DHCPv6 lease settings that determine what additional information to offer to the DHCPv6 clients Add Click this to create an entry in this table See Section 7...

Page 118: ...t associated with any entry IPv6 Address Prefix Length Enter the IPv6 network prefix address and the prefix length The prefix length indicates what the left most part of the IP address is the same for...

Page 119: ...y perform a TCP handshake with the gateway you specify to make sure it is still available Check Period Enter the number of seconds between connection check attempts Check Timeout Enter the number of s...

Page 120: ...ess of this interface and the ZyWALL works as a DNS relay First WINS Server Second WINS Server Type the IP address of the WINS Windows Internet Naming Service server that you want to send to the DHCP...

Page 121: ...formation about RIP Enable RIP Select this to enable RIP in this interface Direction This field is effective when RIP is enabled Select the RIP direction from the drop down list box BiDir This interfa...

Page 122: ...e either the factory assigned default MAC address a manually specified MAC address or clone the MAC address of another device or computer Use Default MAC Address Select this option to have the interfa...

Page 123: ...t Lease Options Table 42 Object References LABEL DESCRIPTION Object Name This identifies the object for which the configuration settings that use it are displayed Click the object s name to display th...

Page 124: ...characters a z A Z 0 9 and _ with no spaces allowed The first character must be alphabetical a z A Z Code This field displays the code number of the selected DHCP option If you selected User Defined i...

Page 125: ...is option is used to identify a bootfile when the file field in the DHCP header has been used for DHCP options The minimum length of the value is 1 SIP Server 120 This option carries either an IPv4 ad...

Page 126: ...PTP interface to use Each ISP account specifies the protocol PPPoE or PPTP as well as your ISP account information If you change ISPs later you only have to create a new ISP account not a new PPPoE PP...

Page 127: ...it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Connect To connect an interface select it and click Connect...

Page 128: ...Chapter 7 Interfaces ZyWALL 110 310 1100 Series User s Guide 128 Figure 83 Configuration Network Interface PPP Add...

Page 129: ...up to 60 characters long Connectivity Nailed Up Select this if the PPPoE PPTP connection should always be up Clear this to have the ZyWALL establish the PPPoE PPTP connection only when there is traffi...

Page 130: ...external interface must be a DHCPv6 client You must configure the DHCPv6 request options using a DHCPv6 request object with the type of prefix delegation Assign the prefix delegation to an internal i...

Page 131: ...Enter the maximum amount of traffic in kilobits per second the ZyWALL can receive from the network through the interface Allowed values are 0 1048576 MTU Maximum Transmission Unit Type the maximum si...

Page 132: ...work to which you are originally subscribed You can set the 3G device to connect to other networks if the signal strength of the home network is too low or it is unavailable Check this address Select...

Page 133: ...5G 3G protocol of mobile telecommunications standards that use CDMA a multiple access scheme for digital radio CDMA2000 1xRTT 1 times Radio Transmission Technology is the core CDMA2000 wireless air in...

Page 134: ...erface select it and click Connect You might use this in testing the interface or to manually establish the connection Disconnect To disconnect an interface select it and click Disconnect You might us...

Page 135: ...Chapter 7 Interfaces ZyWALL 110 310 1100 Series User s Guide 135 Figure 85 Configuration Network Interface Cellular Add...

Page 136: ...s 0 360 that elapses before the ZyWALL automatically disconnects from the ISP s server Zero disables the idle timeout ISP Settings Profile Selection Select Device to use one of the 3G device s profile...

Page 137: ...unt to access the Internet If your ISP disabled PIN code authentication enter an arbitrary number Retype to Confirm Type the PIN code again to confirm it Interface Parameters Egress Bandwidth Enter th...

Page 138: ...s Assignment Enter the cellular interface s WAN IP address in this field if you selected Use Fixed IP Address Metric Enter the priority of the gateway if any on this interface The ZyWALL decides which...

Page 139: ...ted is not available in a month such as 30th or 31st the ZyWALL resets the budget on the last day of the month Reset time and data budget counters This button is available only when you enable budget...

Page 140: ...IPv6 over IPv4 tunnel has to be used Figure 87 IPv6 over IPv4 Network On the ZyWALL you can either set up a manual IPv6 in IPv4 tunnel or an automatic 6to4 tunnel The following describes each method I...

Page 141: ...a policy route for a 6to4 tunnel Through your properly pre configuring the destination router s IP address in the IP address assignments to hosts the ZyWALL can automatically forward 6to4 packets to t...

Page 142: ...a new GRE tunnel interface Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The Z...

Page 143: ...Remote Gateway Address Tunnel Mode This is the tunnel mode of the interface GRE IPv6 in IPv4 or 6to4 This field also displays the interface s IPv4 IP address and subnet mask if it is a GRE tunnel Othe...

Page 144: ...reater or lesser number of configuration fields General Settings Enable Select this to enable this interface Clear this to disable this interface Interface Properties Interface Name This field is read...

Page 145: ...he hosts in the matched network If you enter a prefix starting with 2002 the ZyWALL will forward the matched packets to the IPv4 IP address converted from the packets destination address The IPv4 IP a...

Page 146: ...ctivity check Enable Connectivity Check Select this to turn on the connection check Check Method Select the method that the gateway allows Select icmp to have the ZyWALL regularly ping the gateway you...

Page 147: ...arate IP addresses subnet masks and gateways Each VLAN also has a unique identification number ID The ID is a 12 bit value that is stored in the MAC header The VLANs are connected to switches and the...

Page 148: ...he router and VLAN 2 Between the router and VLAN 3 VLAN Interfaces Overview In the ZyWALL each VLAN is called a VLAN interface As a router the ZyWALL routes traffic between VLAN interfaces but it does...

Page 149: ...ce To open the screen where you can create a virtual interface select an interface and click Create Virtual Interface Object References Select an entry and click Object Reference to open a screen that...

Page 150: ...settings and connectivity check for each VLAN interface To access this screen click the Create Virtual Interface icon in the VLAN Summary screen The following screen appears Apply Click Apply to save...

Page 151: ...Chapter 7 Interfaces ZyWALL 110 310 1100 Series User s Guide 151 Figure 95 Configuration Network Interface VLAN Create Virtual Interface...

Page 152: ...o the default WAN trunk For general the rest of the screen s options do not automatically adjust and you must manually configure a policy route to add routing and SNAT settings for the interface Inter...

Page 153: ...se based on this priority The lower the number the higher the priority If two or more gateways have the same priority the ZyWALL uses the one that was configured first Address from DHCPv6 Prefix Deleg...

Page 154: ...able See Section 7 3 3 on page 123 for more information Remove Select an entry and click this to change the settings Object Reference Select an entry and click this to delete it from this table This f...

Page 155: ...ion Use this table to configure the network prefix if you want to use a delegated prefix as the beginning part of the network prefix Add Click this to create an entry in this table Edit Select an entr...

Page 156: ...heck Check this address Select this to specify a domain name or IP address for the connectivity check Enter that domain name or IP address in the field next to it Check Port This field only displays w...

Page 157: ...e default router select Custom Defined and enter the IP address Lease time Specify how long each computer can use the information especially the IP address before it has to request the information aga...

Page 158: ...OSPF Setting See Section 10 3 on page 201 for more information about OSPF Area Select the area in which this interface belongs Select None to disable OSPF in this interface Priority Enter the priority...

Page 159: ...computer B Bridge X records the source address 0A 0A 0A 0A 0A 0A and port 2 in the table It also looks up 0B 0B 0B 0B 0B 0B in the table There is no entry yet so the bridge broadcasts the packet on p...

Page 160: ...m the routing table and adds the bridge interface s entries to the routing table For example this table shows the routing table before and after you create bridge interface br0 250 250 250 0 23 betwee...

Page 161: ...irtual Interface To open the screen where you can create a virtual interface select an interface and click Create Virtual Interface Object References Select an entry and click Object Reference to open...

Page 162: ...Add Edit This screen lets you configure IP address assignment interface bandwidth parameters DHCP settings and connectivity check for each bridge interface To access this screen click the Create Virt...

Page 163: ...Chapter 7 Interfaces ZyWALL 110 310 1100 Series User s Guide 163 Figure 97 Configuration Network Interface Bridge Create Virtual Interface...

Page 164: ...utomatically adds this interface to the default WAN trunk For general the rest of the screen s options do not automatically adjust and you must manually configure a policy route to add routing and SNA...

Page 165: ...ou want to use a static IP address This field is optional The prefix length indicates what the left most part of the IP address is the same for all computers in the network that is the network address...

Page 166: ...ect this to get an IPv6 IP address for this interface from the DHCP server Clear this to not get any IP address information through DHCPv6 DHCPv6 Request Options DHCPv6 Lease Options If this interface...

Page 167: ...dvertise a fixed prefix to the network Add Click this to create an IPv6 prefix address Edit Select an entry in this table and click this to modify it Remove Select an entry in this table and click thi...

Page 168: ...lay Server 2 This field is optional Enter the IP address of another DHCP server for the network These fields appear if the ZyWALL is a DHCP Server IP Pool Start Address Enter the IP address from which...

Page 169: ...e links between specific IP addresses and specific MAC addresses This stops anyone else from manually using a bound IP address on another device connected to this interface Use this to make use only t...

Page 170: ...Select the method that the gateway allows Select icmp to have the ZyWALL regularly ping the gateway you specify to make sure it is still available Select tcp to have the ZyWALL regularly perform a TC...

Page 171: ...ere You can use alphanumeric and _ characters and it can be up to 60 characters long IP Address Assignment IP Address Enter the IP address for this interface Subnet Mask Enter the subnet mask of this...

Page 172: ...For these interfaces you can only enter the IP address In many interfaces you can also let the IP address and subnet mask be assigned by an external DHCP server on the network In this case the interfa...

Page 173: ...erface from the network 2 If you set the bandwidth restrictions very high you effectively remove the restrictions The ZyWALL also restricts the size of each data packet The maximum number of bytes in...

Page 174: ...1 and subnet mask is 255 255 255 0 the starting IP address in the pool is 9 9 9 2 and the pool size is 253 Subnet mask The interface provides the same subnet mask you specify for the interface See IP...

Page 175: ...sting systems including RADIUS You can access one of several network services This makes it easier for the service provider to offer the service PPPoE does not usually require any special configuratio...

Page 176: ...Chapter 7 Interfaces ZyWALL 110 310 1100 Series User s Guide 176...

Page 177: ...terface connected to the VoIP service provider set to active and another interface connected to another ISP set to passive This way VoIP traffic goes through the interface connected to the VoIP servic...

Page 178: ...ad balancing algorithms the ZyWALL can use to decide which interface the traffic from the LAN should use for a session3 The available bandwidth you configure on the ZyWALL refers to the actual bandwid...

Page 179: ...ing on the number of queues being used This works in a looping fashion until a queue is empty The Weighted Round Robin WRR algorithm is best suited for situations when the bandwidths set for the two W...

Page 180: ...first trunk member interface uses an unlimited access Internet connection and the second is billed by usage Spillover load balancing only uses the second interface when the traffic load exceeds the th...

Page 181: ...s of the outgoing interface as the source IP address of the packets it sends out through its WAN trunks The ZyWALL automatically adds SNAT settings for traffic it routes from internal interfaces to ex...

Page 182: ...to send network traffic through the first interface in the group member list until there is enough traffic that the second interface needs to be used and so on Load Balancing Index es This field is av...

Page 183: ...face The weights of the different member interfaces form a ratio This ratio determines how much traffic the ZyWALL assigns to each member interface The higher an interface s weight is relative to the...

Page 184: ...ond interface needs to be used and so on The table lists the trunk s member interfaces This table is read only This column displays the priorities of the group s interfaces The order of the interfaces...

Page 185: ...n this spillover bandwidth limit is exceeded the ZyWALL sends new session traffic through the next interface The traffic of existing sessions still goes through the interface on which they started The...

Page 186: ...Chapter 8 Trunk ZyWALL 110 310 1100 Series User s Guide 186...

Page 187: ...route to connect to services offered by your ISP behind router R2 You create another policy route to communicate with a separate network behind another router R3 connected to the LAN Figure 107 Exampl...

Page 188: ...inistrators to have traffic received on a specified interface use a specified IP address as the source IP address Note The ZyWALL automatically uses SNAT for traffic it routes from internal interfaces...

Page 189: ...ith the DSCP mapping The DSCP value determines the forwarding behavior the PHB Per Hop Behavior that each packet gets across the DiffServ network Based on the marking rule different kinds of traffic c...

Page 190: ...n a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Activate To turn on an entry select...

Page 191: ...object The ZyWALL applies the policy route to the packets sent from the corresponding service port any means all service ports Next Hop This is the next hop to which packets are directed It helps forw...

Page 192: ...Chapter 9 Policy and Static Routes ZyWALL 110 310 1100 Series User s Guide 192 Figure 109 Configuration Network Routing Policy Route Add Edit IPv4 Configuration...

Page 193: ...ptive name of up to 31 printable ASCII characters for the policy Criteria User Select a user name or user group from which the packets are sent Incoming Select where the packets are coming from any an...

Page 194: ...N tunnel Select Trunk to route the matched packets through the interfaces in the trunk group based on the load balancing algorithm Select Interface to route the matched packets through the specified o...

Page 195: ...ckets original DSCP value Select default to have the ZyWALL set the DSCP value of the packets to 0 User Defined DSCP Code Use this field to specify a custom DSCP value Address Translation Use this sec...

Page 196: ...nnect your ZyWALL to an IPv6 network Both sections have similar fields as described below Add Click this to create a new static route Edit Double click an entry or select it and click Edit to open a s...

Page 197: ...to a single host enter the specific IP address here and use a subnet mask of 255 255 255 255 for IPv4 in the Subnet Mask field or a prefix of 128 for IPv6 in the Prefix Length field to force the netw...

Page 198: ...at is unbudgeted or unused by the policy routes depending on how many policy routes require more bandwidth and on their priority levels When only one policy route requires more bandwidth the ZyWALL gi...

Page 199: ...age 201 to configure general OSPF settings and manage OSPF areas Use the OSPF Area Add Edit screen see Section 10 3 2 on page 206 to create or edit an OSPF area 10 1 2 What You Need to Know The ZyWALL...

Page 200: ...pen the following screen Figure 114 Configuration Network Routing RIP The following table describes the labels in this screen Table 73 Configuration Network Routing Protocol RIP LABEL DESCRIPTION Auth...

Page 201: ...may be expressed as an integer or as an IP address There are several types of areas The backbone is the transit area that routes packets between other areas All other areas are connected to the backbo...

Page 202: ...and networks X and Y Area 2 is a stub area It has routing information about the OSPF AS but it depends on a default route to send information to networks X and Y Area 3 is a NSSA It has routing infor...

Page 203: ...mation with the DR and the BDR instead of exchanging information with all of the other routers in the group The DR and BDR are selected by priority if two routers have the same priority the highest ro...

Page 204: ...ea OSPF Configuration Follow these steps when you configure OSPF on the ZyWALL 1 Enable OSPF 2 Set up the OSPF areas 3 Configure the appropriate interfaces See Section 7 3 1 on page 110 4 Set up virtu...

Page 205: ...Metric Type 2 cost external cost Metric the OSPF AS cost is ignored Metric Type the external cost for routes provided by RIP The metric represents the cost of transmission for routing purposes The way...

Page 206: ...e you can modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so This field is a sequential value and it is not asso...

Page 207: ...5 authentication in the area The ID can be between 1 and 255 MD5 Authentication Key This field is available if the Authentication is MD5 Type the default password for MD5 authentication in the area Th...

Page 208: ...uthentication protects the integrity but not the confidentiality of routing updates None uses no authentication Text uses a plain text password that is sent over the network not very secure MD5 uses a...

Page 209: ...password and authentication ID MD5 is an authentication method that produces a 128 bit checksum called a message digest for each packet It also includes an authentication ID which can be set to any va...

Page 210: ...Chapter 10 Routing Protocols ZyWALL 110 310 1100 Series User s Guide 210...

Page 211: ...rface bridge interface PPPoE PPTP interface and VPN tunnel can be assigned to at most one zone Virtual interfaces are automatically assigned to the same zone as the interface on which they run Figure...

Page 212: ...ic is traffic between interfaces or VPN tunnels in different zones For example in Figure 121 on page 211 traffic between VLAN 1 and the Internet is inter zone traffic This is the normal case when zone...

Page 213: ...n create your own User Configuration zones Add Click this to create a new user configured zone Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s...

Page 214: ...cter cannot be a number This value is case sensitive Member List Available lists the interfaces and VPN tunnels that do not belong to any zone Select the interfaces and VPN tunnels that you want to ad...

Page 215: ...current IP address Note You must have a public WAN IP address to use Dynamic DNS You must set up a dynamic DNS account with a supported DNS service provider before you can use Dynamic DNS services wit...

Page 216: ...is inactive Profile Name This field displays the descriptive profile name for this entry DDNS Type This field displays which DDNS service you are using Domain Name This field displays each domain name...

Page 217: ...he screen to its last saved settings Table 81 Configuration Network DDNS continued LABEL DESCRIPTION Table 82 Configuration Network DDNS Add LABEL DESCRIPTION Show Advanced Settings Hide Advanced Sett...

Page 218: ...tween the ZyWALL and the DDNS server Note The ZyWALL may not determine the proper IP address if there is an HTTP proxy server between the ZyWALL and the DDNS server Custom If you have a static IP addr...

Page 219: ...org to the host record specified as the mail exchanger If you are using this service type the host record of your mail server here Otherwise leave the field blank See www dyndns org for more informati...

Page 220: ...Chapter 12 DDNS ZyWALL 110 310 1100 Series User s Guide 220...

Page 221: ...IP address Suppose you want to assign ports 21 25 to one FTP Telnet and SMTP server A in the example port 80 to another B in the example and assign a default server IP address of 192 168 1 35 to a th...

Page 222: ...c entry Status This icon is lit when the entry is active and dimmed when the entry is inactive Name This field displays the name of the entry Mapping Type This field displays what kind of NAT this ent...

Page 223: ...value is case sensitive Classification Select what kind of NAT this rule is to perform Virtual Server This makes computers on a private network behind the ZyWALL available to a public network outside...

Page 224: ...e IP address specified by the address object User Defined Original IP This field is available if Mapped IP is User Defined Type the translated destination IP address that this NAT rule supports Mapped...

Page 225: ...es that interface s IP address as the source address for the traffic it sends from the users to the Mapped IP device For example if you configure a NAT rule to forward traffic from the WAN to a LAN se...

Page 226: ...replies to the ZyWALL s LAN IP address and the ZyWALL changes the source address to 1 1 1 1 before sending it to the LAN user The return traffic s source matches the original destination address 1 1 1...

Page 227: ...Chapter 13 NAT ZyWALL 110 310 1100 Series User s Guide 227 Figure 131 LAN to LAN Return Traffic 192 168 1 21 LAN 192 168 1 89 Source 1 1 1 1 SMTP NAT Source 192 168 1 21 SMTP...

Page 228: ...Chapter 13 NAT ZyWALL 110 310 1100 Series User s Guide 228...

Page 229: ...oute allows it to access the Internet to get them from a server Proxy server A then forwards the response to the client Figure 132 HTTP Redirect Example 14 1 1 What You Can Do in this Chapter Use the...

Page 230: ...HTTP requests from the client to the proxy server You also need to manually configure a policy route to forward the HTTP traffic from the proxy server to the Internet To make the example in Figure 132...

Page 231: ...ou can modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Activate To turn on an entry select it and click Activ...

Page 232: ...ou may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Interface Select the interface on which the HTTP request must be...

Page 233: ...ions between SIP clients A and B and the SIP server Figure 135 SIP ALG Example The ALG feature is only needed for traffic that goes through the ZyWALL s NAT 15 1 1 What You Can Do in this Chapter Use...

Page 234: ...2 sessions between H 323 devices A and B Figure 136 H 323 ALG Example SIP ALG SIP phones can be in any zone including LAN DMZ WAN and the SIP server and SIP clients can be in the same network or diffe...

Page 235: ...s from LAN IP addresses B and C go out through WAN IP address 2 Even though only LAN IP address A can receive incoming calls from the Internet LAN IP addresses B and C can still make calls out to the...

Page 236: ...rmation 15 1 3 Before You Begin You must also configure the firewall and enable NAT in the ZyWALL to allow sessions initiated from the WAN 15 2 The ALG Screen Click Configuration Network ALG to open t...

Page 237: ...meout period Enter the SIP signaling session timeout value 1 86400 SIP Signaling Port If you are using a custom UDP port number not 5060 for SIP traffic enter it here Enable H 323 ALG Turn on the H 32...

Page 238: ...ace s connection fails the client needs to re initialize the connection through the second interface that was set to passive in order to have the connection go through the second interface VoIP client...

Page 239: ...15 ALG ZyWALL 110 310 1100 Series User s Guide 239 RTP When you make a VoIP call using H 323 or SIP the RTP Real time Transport Protocol is used to handle voice data transfer See RFC 1889 for details...

Page 240: ...Chapter 15 ALG ZyWALL 110 310 1100 Series User s Guide 240...

Page 241: ...address 192 168 1 27 and use static DHCP to assign it to Tim s computer s MAC address of 12 34 56 78 90 AB IP MAC binding drops traffic from any computer trying to use IP address 192 168 1 27 with an...

Page 242: ...tion Network IP MAC Binding Edit to open the IP MAC Binding Edit screen Use this screen to configure an interface s IP to MAC address binding settings Table 88 Configuration Network IP MAC Binding Sum...

Page 243: ...IP addresses Enable Logs for IP MAC Binding Violation Select this option to have the ZyWALL generate a log if a device connected to this interface attempts to use an IP address not assigned by the Zy...

Page 244: ...Add LABEL DESCRIPTION Interface Name This field displays the name of the interface within the ZyWALL and the interface s IP address and subnet mask IP Address Enter the IP address that the ZyWALL is...

Page 245: ...first IP address in a range of IP addresses for which the ZyWALL does not apply IP MAC binding End IP Enter the last IP address in a range of IP addresses for which the ZyWALL does not apply IP MAC bi...

Page 246: ...Chapter 16 IP MAC Binding ZyWALL 110 310 1100 Series User s Guide 246...

Page 247: ...s of 1 1 1 1 The ZyWALL receives the DNS query message and responds to it with the WAN2 s IP address 2 2 2 2 because the WAN2 has the least load at that moment Another Internet host B also sends a DNS...

Page 248: ...SCRIPTION Global Setting Enable DNS Load Balancing Select this to enable DNS load balancing Configuration Add Click this to create a new entry Edit Double click an entry or select it and click Edit to...

Page 249: ...ncing method the ZyWALL uses for this DNS load balancing rule Weighted Round Robin Each member interface is assigned a weight An interface with a larger weight gets more chances to transmit traffic th...

Page 250: ...ts to keep the DNS entry in their caches before removing it Enter 0 to have the ZyWALL not recommend this so the DNS request hosts will follow their DNS server s TTL setting Query From Setting IP Addr...

Page 251: ...ount of incoming traffic Select Least Load Total to have the ZyWALL choose the member interface which is handling the least amount of outgoing and incoming traffic Failover IP Address Enter an alterna...

Page 252: ...ress Static dynamically assigned Dynamic or obtained from a DHCP server DHCP Client as well as the IP address and subnet mask Weight This field is available if you selected Weighted Round Robin for th...

Page 253: ...thentication and the endpoint security check and is given access Local user B passes authentication but fails the endpoint security check and is denied access Figure 149 Authentication Policy Using En...

Page 254: ...licies have been configured go to the ZyWALL Login screen manually you can configure the ZyWALL to display the Login screen automatically whenever it routes HTTP traffic for anyone who has not logged...

Page 255: ...ut logging in Click Add to change the list s membership A screen appears Available services appear on the left Select any services you want users to be able to access without logging in and click the...

Page 256: ...he list The priority is important as the policies are applied in order of priority Default displays for the default authentication policy that the ZyWALL uses on traffic that does not match any except...

Page 257: ...ss group for whom this policy applies Select any if the policy is effective for every source This is any and not configurable for the default policy Destination Address Select a destination address or...

Page 258: ...n export user names from the RADIUS server to a text file then you might configure a script to create the user accounts instead 1 Click Configuration Object User Group User Click the Add icon 2 Enter...

Page 259: ...ion Object User Group Group Add 3 Repeat this process to set up the remaining user groups 18 3 3 Set Up User Authentication Using the RADIUS Server This step sets up user authentication using the RADI...

Page 260: ...ick OK Figure 156 Configuration Object Auth method Edit 3 Click Configuration Auth Policy In the Authentication Policy Summary section click the Add icon 4 Set up a default policy that forces every us...

Page 261: ...n the Login screen appears They have to log in using the user name and password in the RADIUS server 18 3 4 User Group Authentication Using the RADIUS Server The previous example showed how to have a...

Page 262: ...values are Finance Engineer Sales and Boss Select case sensitive if the RADIUS server checks user name casing Figure 159 Configuration Object AAA Server RADIUS Add 2 Now you add ext group user user ob...

Page 263: ...Chapter 18 Authentication Policy ZyWALL 110 310 1100 Series User s Guide 263...

Page 264: ...Chapter 18 Authentication Policy ZyWALL 110 310 1100 Series User s Guide 264...

Page 265: ...sion Limit screens see Section 19 3 on page 273 to limit the number of concurrent NAT firewall sessions a client can use 19 1 2 What You Need to Know Stateful Inspection The ZyWALL has a stateful insp...

Page 266: ...fic from any interface to the ZyWALL is allowed DHCPv6 and Default_Allow_ICMPv6_Group traffic from any interface to the ZyWALL is allowed From LAN to any other than the ZyWALL Traffic from the LAN to...

Page 267: ...u also apply a schedule to the firewall rule the user can only access the network at the scheduled time A user aware firewall rule is activated whenever the user logs in to the ZyWALL and will be disa...

Page 268: ...e interface See the chapter about interfaces for more information By putting LAN 1 and the alternate gateway A in the figure in different subnets all returning network traffic must pass through the Zy...

Page 269: ...page 221 for more information The ZyWALL applies NAT Destination NAT settings before applying the firewall rules So for example if you configure a NAT entry that sends WAN traffic to a LAN IP address...

Page 270: ...Chapter 19 Firewall ZyWALL 110 310 1100 Series User s Guide 270 Figure 163 Configuration Firewall...

Page 271: ...displays all the firewall rules for traffic going to the selected To Zone To any displays all the firewall rules for traffic coming from the selected From Zone From any to any displays all of the fire...

Page 272: ...the IPv4 or IPv6 destination address object to which this firewall rule applies Service This displays the service object to which this firewall rule applies Access This field displays whether the fire...

Page 273: ...ress range Source Select an IPv4 address or address group to apply an IPv4 rule to traffic coming from it Select an IPv6 address or address group to apply an IPv6 rule to traffic coming from it Select...

Page 274: ...specific users or addresses Rule Summary This table lists the rules for limiting the number of concurrent sessions hosts can have Add Click this to create a new entry Select an entry and click Add to...

Page 275: ...n to its last saved settings Table 100 Configuration Firewall Session Limit continued LABEL DESCRIPTION Table 101 Configuration Firewall Session Limit Edit LABEL DESCRIPTION Create new Object Use to c...

Page 276: ...Address to configure an address object Configure it as follows and click OK Figure 168 Firewall Example Create an Address Object 3 Click Create new Object Service to configure a service object for Doo...

Page 277: ...and enter a name for the firewall rule Select Dest_1 for the Destination and Doom as the Service Enter a description and configure the rest of the screen as follows Click OK when you are done Figure 1...

Page 278: ...s traffic from the LAN it checks it against the first rule If the traffic matches if it is IRC traffic the firewall takes the action in the rule drop and stops checking the firewall rules Any traffic...

Page 279: ...raffic from the LAN1 to go to the WAN Alternatively you configure a LAN1 to WAN rule with the CEO s user name say CEO to allow IRC traffic from any source IP address to go to any destination address Y...

Page 280: ...The rule for the CEO must come before the rule that blocks all LAN1 to WAN IRC traffic If the rule that blocks all LAN1 to WAN IRC traffic came first the CEO s IRC traffic would match that rule and t...

Page 281: ...etwork IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrity and authentication at the IP layer The ZyWALL can also combine multiple IPSec V...

Page 282: ...IPSec VPN connection policy uses which devices behind the IPSec routers can use the VPN tunnel and the IPSec SA settings phase 2 settings You can also activate or deactivate and connect or disconnect...

Page 283: ...o securely establish an IPSec SA through which the ZyWALL and remote IPSec router can send data between computers on the local network and remote network This is illustrated in the following figure Fi...

Page 284: ...ic IP address or a domain name Choose this if the remote IPSec router has a dynamic IP address You don t specify the remote IPSec router s address but you specify the remote policy the addresses of th...

Page 285: ...uthentication method specifies how the ZyWALL authenticates the remote IPSec router See Chapter 31 on page 400 In a VPN gateway the ZyWALL and remote IPSec router can use certificates to authenticate...

Page 286: ...der turned on Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it...

Page 287: ...Chapter 20 IPSec VPN ZyWALL 110 310 1100 Series User s Guide 287 Figure 179 Configuration VPN IPSec VPN VPN Connection Edit IKE...

Page 288: ...a specific number of bytes for the Maximum Segment Size MSS meaning the largest amount of data in a single TCP segment or IP datagram for this VPN connection Select Auto to have the ZyWALL automatical...

Page 289: ...WALL and remote IPSec router must use the same active protocol Encapsulation Select which type of encapsulation the IPSec SA uses Choices are Tunnel this mode encrypts the IP header information and th...

Page 290: ...on The peer must be configured to respond to the method you select Select icmp to have the ZyWALL regularly ping the address you specify to make sure traffic can still go through the connection You ma...

Page 291: ...to configure a new one This is the address that hides the original source address The size of the original source address range Source must be equal to the size of the translated source address range...

Page 292: ...y screen see Section 20 2 on page 285 click either the Add icon or an existing manual key entry s Edit icon and click Show Advanced Settings In the VPN Gateway section of the screen select Manual Key...

Page 293: ...Active Protocol Select which protocol you want to use in the IPSec SA Choices are AH RFC 2402 provides integrity authentication sequence integrity replay resistance and non repudiation but not encryp...

Page 294: ...ust have the same encryption key The ZyWALL ignores any characters above the minimum number of characters required by the algorithm For example if you enter 1234567890XYZ for a DES encryption key the...

Page 295: ...ZyWALL confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Object References Select...

Page 296: ...Chapter 20 IPSec VPN ZyWALL 110 310 1100 Series User s Guide 296 Figure 182 Configuration VPN IPSec VPN VPN Gateway Edit...

Page 297: ...ec router You can provide a second IP address or domain name for the ZyWALL to try if it cannot establish an IKE SA with the first one Fall back to Primary Peer Gateway when possible When you select t...

Page 298: ...during authentication The identity depends on the Local ID Type IP type an IP address if you type 0 0 0 0 the ZyWALL uses the IP address specified in the My Address field This is not recommended in t...

Page 299: ...ollowing situations There is a NAT router between the ZyWALL and remote IPSec router You want the remote IPSec router to be able to distinguish between IPSec SA requests that come from IPSec routers w...

Page 300: ...a similar feature The remote IPSec router must also enable NAT traversal and the NAT routers have to forward packets with UDP port 500 and UDP 4500 headers unchanged Dead Peer Detection DPD Select th...

Page 301: ...ionally maintenance for example There is also more burden on the hub router It receives VPN traffic from one spoke decrypts it inspects it to find out to which spoke to route it encrypts it and sends...

Page 302: ...splays the VPN concentrators in the ZyWALL To access this screen click Configuration VPN IPSec VPN Concentrator Figure 184 Configuration VPN IPSec VPN Concentrator Each field is discussed in the follo...

Page 303: ...on SHA512 authentication A subnet or range remote policy Table 112 VPN IPSec VPN Concentrator Edit LABEL DESCRIPTION Name Enter the name of the concentrator You may use 1 31 alphanumeric characters un...

Page 304: ...ration When you add or edit a configuration provisioning entry you are allowed to set the VPN Connection and Allowed User fields Duplicate entries are not allowed You cannot select the same VPN Connec...

Page 305: ...e an IKE SA because the ZyWALL does not know the IP address of the remote IPSec router This is often used for telecommuters Move Use Move to reorder a selected entry Select an entry click Move type th...

Page 306: ...are listed in order from weakest to strongest Data Encryption Standard DES is a widely used method of data encryption It applies a 56 bit key to each 64 bit block of data Triple DES 3DES is a variant...

Page 307: ...longer to encrypt and decrypt Authentication Before the ZyWALL and remote IPSec router establish an IKE SA they have to verify each other s identity This process is based on pre shared keys and route...

Page 308: ...ticate each other successfully In contrast in Table 115 on page 308 the ZyWALL and the remote IPSec router cannot authenticate each other and therefore cannot establish an IKE SA It is also possible t...

Page 309: ...another router A between router X and router Y Figure 190 VPN NAT Example If router A does NAT it might change the IP addresses port numbers or both If router X and router Y try to establish a VPN tu...

Page 310: ...set up the pre shared key local identity or remote identity because the certificates provide this information instead Instead of using the pre shared key the ZyWALL and remote IPSec router check the s...

Page 311: ...uter The header for the active protocol AH or ESP appears between the IP headers In transport mode the encapsulation depends on the active protocol With AH the ZyWALL includes part of the original IP...

Page 312: ...only specify one encryption algorithm and one authentication algorithm You cannot specify several proposals There is no DH key exchange so you have to provide the encryption key and the authenticatio...

Page 313: ...uter M s network Destination the original destination address the remote network B SNAT the translated source address the local network A Source Address in Inbound Packets Inbound Traffic Source NAT Y...

Page 314: ...e mail server in the local network A Mapped Port the translated destination port or range of destination ports The original port range and the mapped port range must be the same size IPSec VPN Example...

Page 315: ...ddress to create an address object for the remote network Set the Address Type to SUBNET the Network field to 172 16 1 0 and the Netmask to 255 255 255 0 2 Enable the VPN connection and name it VPN_CO...

Page 316: ...Chapter 20 IPSec VPN ZyWALL 110 310 1100 Series User s Guide 316...

Page 317: ...enter access messages or upload a custom logo to be displayed on the remote user screen 21 1 2 What You Need to Know Full Tunnel Mode In full tunnel mode a virtual connection is created for remote use...

Page 318: ...This screen lists the configured SSL access policies Figure 195 VPN SSL VPN Access Privilege Table 116 Objects OBJECT TYPE OBJECT SCREEN DESCRIPTION User Accounts User Account User Group Configure a...

Page 319: ...entry select it and click Inactivate Move To move an entry to a different number in the list click the Move icon In the field that appears specify the number to which you want to move the interface Ob...

Page 320: ...e following table describes the labels in this screen Table 118 VPN SSL VPN Access Privilege Add Edit LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to use...

Page 321: ...and click the left arrow button Note To allow access to shared files on a Windows 7 computer within Windows 7 you must enable sharing on the folder and also go to the Network and Sharing Center s Adv...

Page 322: ...list and click the right arrow button to add to the Selected Address Objects list You can select more than one network To block access to a network select the network name in the Selected Address Obj...

Page 323: ...tablished successfully You can enter up to 60 characters 0 9 a z A Z _ with spaces allowed Logout Message Specify a message to display on the screen when a user logs out and the SSL VPN connection is...

Page 324: ...ilege Add and click Create New Object Application to create an SSL application object Set the Type to Web Application the Server Type to Web Server and the URL to http info Select Web Page Encryption...

Page 325: ...nd password and click SSL VPN to establish an SSL VPN connection 4 Your computer starts establishing a secure connection to the ZyWALL after the login This may take up to two minutes If you get a mess...

Page 326: ...isplays after the connection is up In this example click the Web Server link to go to http info If the user account is not included in an SSL VPN access policy the ZyWALL redirects the user to the use...

Page 327: ...ethods Using a supported web browser Once you have successfully logged in through the ZyWALL you can access intranet sites web based applications or web based e mails using one of the supported web br...

Page 328: ...The remote user s computer establishes an HTTPS connection to the ZyWALL to access the login screen If instructed by your network administrator you must install or import a certificate provided by th...

Page 329: ...twork to access network resources Figure 202 Login Screen 4 Your computer starts establishing a secure connection to the ZyWALL after a successful login This may take up to two minutes If you get a me...

Page 330: ...wser Figure 205 SecuExtender Blocked by Internet Explorer 6 The ZyWALL tries to run the ssltun application You may need to click something to get your browser to allow this In Internet Explorer click...

Page 331: ...SecuExtender client on your computer Figure 208 Installation Warning 9 The Application screen displays showing the list of resources available to you See Figure 209 on page 332 for a screen example No...

Page 332: ...in the Name field or enter a descriptive name to identify this link Table 120 Remote User Screen Overview DESCRIPTION 1 Click on a menu tab to go to the Application or File Sharing screen 2 Click thi...

Page 333: ...ogout Prompt 22 6 SSL User Application Screen Use the Application tab s screen to access web based applications such as web sites and e mail on the network through the SSL VPN connection Which applica...

Page 334: ...ons Access a folder Open a file if your web browser cannot open the file you are prompted to download it Save a file to your computer Create a new folder Rename a file or folder Delete a file or folde...

Page 335: ...y the web browser and the associated application is installed on your computer 1 Log in as a remote user and click the File Sharing tab 2 Click on a file share icon 3 If an access user name and passwo...

Page 336: ...ick on a doc file to open the Word document Figure 215 File Sharing Open a Word File 22 7 3 Downloading a File You are prompted to download a file which cannot be opened using a web browser Follow the...

Page 337: ...the New Folder icon Specify a descriptive name for the folder You can enter up to 356 characters Then click Add Note Make sure the length of the folder name does not exceed the maximum allowed on the...

Page 338: ...Figure 219 File Sharing Rename 22 7 7 Deleting a File or Folder Click the Delete icon next to a file or folder to remove it 22 7 8 Uploading a File Follow the steps below to upload a file to the file...

Page 339: ...er 22 SSL User Screens ZyWALL 110 310 1100 Series User s Guide 339 Note Uploading a file with the same name and file extension replaces the existing file on the file server No warning message is displ...

Page 340: ...Chapter 22 SSL User Screens ZyWALL 110 310 1100 Series User s Guide 340...

Page 341: ...C remote desktop program you must have the VNC client installed on your computer 23 1 The ZyWALL SecuExtender Icon The ZyWALL SecuExtender icon color indicates the SSL VPN tunnel s connection status F...

Page 342: ...n name to its corresponding IP address and vice versa The DNS server is extremely important because without it you must know the IP address of a computer before you can access it Your computer uses th...

Page 343: ...nder Agent DETAIL Build Datetime Feb 24 2009 10 25 07 2009 03 12 13 35 50 SecuExtender Agent DEBUG rasphone pbk C Documents and Settings 11746 rasphone pbk 2009 03 12 13 35 50 SecuExtender Agent DEBUG...

Page 344: ...WALL SecuExtender ZyWALL 110 310 1100 Series User s Guide 344 Figure 224 Uninstalling the ZyWALL SecuExtender Confirmation 3 Windows uninstalls the ZyWALL SecuExtender Figure 225 ZyWALL SecuExtender U...

Page 345: ...to Know The Layer 2 Tunneling Protocol L2TP works at layer 2 the data link layer to tunnel network traffic between two peers over another network like the Internet In L2TP VPN an IPSec VPN tunnel is e...

Page 346: ...access LAN_SUBNET in the following figure Set the Destination Address to the IP address pool that the ZyWALL assigns to the remote users L2TP_POOL in the following figure Set the next hop to be the VP...

Page 347: ...e L2TP Over IPSec Use this field to turn the ZyWALL s L2TP VPN function on or off VPN Connection Select the IPSec VPN connection the ZyWALL uses for L2TP VPN All of the configured VPN connections disp...

Page 348: ...essage after waiting this long without receiving any traffic from the remote user The ZyWALL disconnects the VPN tunnel if the remote user does not respond First DNS Server Second DNS Server Specify t...

Page 349: ...anagement rules for traffic going through the ZyWALL Bandwidth management examines every TCP and UDP connection passing through the ZyWALL Then you can specify by port whether or not the ZyWALL contin...

Page 350: ...Inbound traffic comes back from the WAN device to the LAN1 device Bandwidth management is applied before sending the traffic out a LAN1 interface Figure 229 LAN1 to WAN Connection and Packet Directio...

Page 351: ...h usage enabled to borrow any unused bandwidth on the out going interface After each application gets its configured bandwidth rate the ZyWALL uses the fairness based scheduler to divide any unused ba...

Page 352: ...A gets its configured rate of 300 kbps and server B gets its configured rate of 200 kbps Then the ZyWALL divides the remaining bandwidth 1000 500 500 equally between the two 500 2 250 kbps for each T...

Page 353: ...interface destination port schedule user source destination information DSCP code and service type as criteria to create a sequence of specific conditions similar to the sequence of rules used by fire...

Page 354: ...up to which the policy applies If any displays the policy applies to all users Schedule This is the schedule that defines when the policy applies none means the policy always applies Incoming Interfac...

Page 355: ...g the first Pri value or outgoing the second Pri value traffic that matches this policy The smaller the number the higher the priority Traffic with a higher priority is given bandwidth before traffic...

Page 356: ...used elsewhere You can use alphanumeric and _ characters and it can be up to 60 characters long Criteria Use this section to configure the conditions of traffic to which this policy applies User Sele...

Page 357: ...which this policy applies any means all services DSCP Marking Set how the ZyWALL handles the DSCP value of the incoming and outgoing packets that match this policy Inbound refers to the traffic the Z...

Page 358: ...er priority The ZyWALL uses a fairness based round robin scheduler to divide bandwidth between traffic flows with the same priority The number in this field is ignored if the incoming and outgoing lim...

Page 359: ...passive mode device HA You can configure general active passive mode device HA settings view and manage the list of monitored interfaces and synchronize backup ZyWALLs 26 1 2 What You Need to Know Act...

Page 360: ...ng with a summary of the monitored interfaces Figure 236 Configuration Device HA General The following table describes the labels in this screen Table 129 Configuration Device HA General LABEL DESCRIP...

Page 361: ...tatus This tells whether the monitored interface s connection is down or up HA Status The text before the slash shows whether the device is configured as the master or the backup role This text after...

Page 362: ...ster ZyWALL Virtual Router and Management IP Addresses If a backup takes over for the master it uses the master s IP addresses These IP addresses are know as the virtual router IP addresses Each inter...

Page 363: ...rface has priority 255 Enable Preemption This field is available for a backup ZyWALL Select this if this ZyWALL should become the master ZyWALL if a lower priority ZyWALL is the master when this one i...

Page 364: ...role this field displays the ZyWALL s IP addresses and or Fully Qualified Domain Names FQDN through which ZyWALLs in backup role can get updated configuration from this ZyWALL Sync Now This displays...

Page 365: ...the interface s device HA settings and uses them again if you later remove the interface from the bridge If the bridge is later deleted or the interface is removed from it Device HA will recover the i...

Page 366: ...bridge interfaces on two ZyWALLs without device HA activated on both Doing so could cause a broadcast storm Either activate device HA before connecting the bridge interfaces or disable the bridge inte...

Page 367: ...ace on the master ZyWALL set the bridge interface as a monitored interface and activate device HA 3 Configure the bridge interface on the backup ZyWALL set the bridge interface as a monitored interfac...

Page 368: ...ple 1 In this case the ZyWALLs are already connected but the bridge faces have not been configured yet Configure a disabled bridge interface on the master ZyWALL but disable it Then set the bridge int...

Page 369: ...n only configure one set of settings for synchronization regardless of how many VRRP groups you might configure The ZyWALL uses Secure FTP on a port number you can change to synchronize but it is stil...

Page 370: ...26 Device HA ZyWALL 110 310 1100 Series User s Guide 370 The backup ZyWALL cannot be the master This refers to the actual role at the time of synchronization not the role setting in the configuration...

Page 371: ...lt settings login settings lockout settings and other user settings for the ZyWALL You can also use this screen to specify when users must log in to the ZyWALL before it routes traffic for them 27 1 2...

Page 372: ...132 on page 371 from the external server If the external server does not have the information the ZyWALL sets the user type for this session to User For the rest of the user attributes such as reauthe...

Page 373: ...2 User Summary Screen The User screen provides a summary of all user accounts To access this screen login to the Web Configurator and click Configuration Object User Group Figure 242 Configuration Ob...

Page 374: ...or an Edit icon User Type This field displays the types of user accounts the ZyWALL uses admin this user can look at and change the configuration of the ZyWALL limited admin this user can look at the...

Page 375: ...s on page 372 for more information about this type ext group user this user account is maintained in a remote server such as RADIUS or LDAP See Ext Group User Accounts on page 372 for more information...

Page 376: ...page 378 the users can select this check box on their screen as well In this case the session is automatically renewed before the lease time expires Reauthentication Time If you select Use Default Se...

Page 377: ...Configuration Object User Group Group continued LABEL DESCRIPTION Table 136 Configuration User Group Group Add LABEL DESCRIPTION Name Type the name for this user group You may use 1 31 alphanumeric c...

Page 378: ...46 Configuration Object User Group Setting The following table describes the labels in this screen Table 137 Configuration Object User Group Setting LABEL DESCRIPTION User Authentication Timeout Setti...

Page 379: ...to the ZyWALL in one session before having to log in again Unlike Lease Time the user has no opportunity to renew the session without logging out Miscellaneous Settings Allow renewing lease time autom...

Page 380: ...s account is checked Type the maximum number of simultaneous logins by each access user User Lockout Settings Enable logon retry limit Select this check box to set a limit on the number of times each...

Page 381: ...is type ext group user this user account is maintained in a remote server such as RADIUS or LDAP See Ext Group User Accounts on page 372 for more information about this type Lease Time Enter the numbe...

Page 382: ...ease time field in this screen Lease time field in the User Add Edit screen see Section 27 2 1 on page 374 Lease time field in the Setting screen see Section 27 4 on page 378 Updating lease time autom...

Page 383: ...counts you might use CLI commands instead of the Web Configurator to create the accounts Extract the user names from the LDAP or RADIUS server and create a shell script that creates the user accounts...

Page 384: ...N connection policies Please see the respective sections for more information about how address objects and address groups are used in each one Address groups are composed of address objects and addre...

Page 385: ...eld displays the configured name of each address object Type This field displays the type of each address object INTERFACE means the object uses the settings of one of the ZyWALL s interfaces IPv4 Add...

Page 386: ...RANGE SUBNET INTERFACE IP INTERFACE SUBNET and INTERFACE GATEWAY Note The ZyWALL automatically updates address objects that are based on an interface s IP address subnet or gateway if the interface s...

Page 387: ...address settings change For example if you change 1 s IP address the ZyWALL automatically updates the corresponding interface based LAN subnet address object IPv6 Address This field is only available...

Page 388: ...ve it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 7 3 2 on page 122 for an example This field is...

Page 389: ...alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Description This field displays the description of each address group if any You...

Page 390: ...ore complex Some uses are FTP HTTP SMTP and TELNET UDP is simpler and faster but is less reliable Some uses are DHCP DNS RIP and SNMP TCP creates connections between computers to exchange data Once th...

Page 391: ...for each service Service groups may consist of services and other service groups The sequence of members in the service group is not important 29 2 The Service Summary Screen The Service summary scre...

Page 392: ...t associated with a specific service Name This field displays the name of each service Content This field displays a description of each service Table 147 Configuration Object Service Service Edit LAB...

Page 393: ...els in this screen See Section 29 3 1 on page 394 for more information as well Table 148 Configuration Object Service Service Group LABEL DESCRIPTION Add Click this to create a new entry Edit Double c...

Page 394: ...types of families Supports IPv4 only Supports IPv6 only Supports both IPv4 and IPv6 Name This field displays the name of each service group By default the ZyWALL uses services starting with Default_Al...

Page 395: ...hat you want to be members and move them to the Member list You can double click a single entry to move it or use the Shift or Ctrl key to select multiple entries and use the arrow button to move them...

Page 396: ...reen Section 30 2 1 on page 398 to create or edit a one time schedule Use the Recurring Schedule Add Edit screen Section 30 2 2 on page 399 to create or edit a recurring schedule 30 1 2 What You Need...

Page 397: ...122 for an example This field is a sequential value and it is not associated with a specific schedule Name This field displays the name of the schedule which is used to refer to the schedule Start Da...

Page 398: ...r to the one time schedule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Date Time StartDate Specify the year...

Page 399: ...table describes the remaining labels in this screen Table 152 Configuration Object Schedule Edit Recurring LABEL DESCRIPTION Configuration Name Type the name used to refer to the recurring schedule Y...

Page 400: ...xt Figure 263 Example Directory Service Client and Server The following describes the user authentication procedure via an LDAP AD server 1 A user logs in with a user name and password pair 2 The ZyWA...

Page 401: ...he ASAS as a RADIUS server in the ZyWALL s Configuration Object AAA Server screens 6 Give the OTP tokens to local or remote users 31 1 4 What You Can Do in this Chapter Use the Configuration Object AA...

Page 402: ...Normally the directory structure reflects the geographical or organizational boundaries The following figure shows a basic directory structure branching from countries to organizations to organization...

Page 403: ...lowing table describes the labels in this screen 31 2 1 Adding an Active Directory or LDAP Server Click Object AAA Server Active Directory or LDAP to display the Active Directory or LDAP screen Click...

Page 404: ...alphanumerical characters for identification purposes Description Enter the description of each server if any You can use up to 60 printable ASCII characters Server Address Enter the address of the AD...

Page 405: ...hip Attribute An AD or LDAP server defines attributes for its accounts Enter the name of the attribute that the ZyWALL is to check to determine to which group a user belongs The value for this attribu...

Page 406: ...or LDAP entry or edit an existing one Table 155 Configuration Object AAA Server RADIUS LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to...

Page 407: ...ckup Server Address If the RADIUS server has a backup server enter its address here Backup Authentication Port Specify the port number on the RADIUS server to which the ZyWALL sends authentication req...

Page 408: ...ed a group identifier it determines to which group a user belongs You can add ext group user user objects to identify groups based on these group identifier values For example you could have an attrib...

Page 409: ...to create and manage authentication method objects Finding Out More 32 1 2 Before You Begin Configure AAA server objects see Chapter 31 on page 400 before you configure authentication method objects...

Page 410: ...ck Configuration Object Auth Method Table 157 Configuration Object Auth Method LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a s...

Page 411: ...arch on the second authentication server when you enter the username and password that doesn t match the one on the first authentication server Note You can NOT select two server objects of the same t...

Page 412: ...ct from the drop down list box You can create a server object in the AAA Server screen see Chapter 31 on page 400 for more information The ZyWALL authenticates the users using the databases in the loc...

Page 413: ...e openly available The other key is private and must be kept secure These keys work like a handwritten signature in fact certificates are often referred to as digital signatures Only you can write you...

Page 414: ...ublic key infrastructure Advantages of Certificates Certificates offer the following benefits The ZyWALL only has to store the certificates of the certification authorities that you decide to trust no...

Page 415: ...t More See Section 33 4 on page 428 for certificate background information 33 1 3 Verifying a Certificate Before you import a trusted certificate into the ZyWALL you should verify that you have the co...

Page 416: ...and Thumbprint fields The secure method may very based on your situation Possible examples would be over the telephone or through an HTTPS connection 33 2 The My Certificates Screen Click Configurati...

Page 417: ...erences to open a screen that shows which settings use the entry See Section 7 3 2 on page 122 for an example This field displays the certificate index number The certificates are listed in alphabetic...

Page 418: ...tion domain name or e mail address in the field provided The domain name or e mail address is for identification purposes only and can be any string A domain name can be up to 255 characters You can u...

Page 419: ...hm Select DSA to use the Digital Signature Algorithm public key algorithm Key Length Select a number from the drop down list box to determine how many bits the key should use 512 to 2048 The longer th...

Page 420: ...request Click the Refresh button to have this read only text box display the hierarchy of certification authorities that validate the certificate and the certificate itself If the issuing certificati...

Page 421: ...cate has expired none displays for a certification request Key Algorithm This field displays the type of algorithm that was used to generate the certificate s key pair the ZyWALL uses RSA encryption a...

Page 422: ...ate Only Use this button to save a copy of the certificate without its private key Click this button and then Save in the File Download screen The Save As screen opens browse to the location that you...

Page 423: ...ZyWALL Browse Click Browse to find the certificate file you want to upload Password This field only applies when you import a binary PKCS 12 format file Type the file s password that was created when...

Page 424: ...entify this certificate Subject This field displays identifying information about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Co...

Page 425: ...Chapter 33 Certificates ZyWALL 110 310 1100 Series User s Guide 425 Figure 280 Configuration Object Certificate Trusted Certificates Edit...

Page 426: ...ASCII characters from the entity maintaining the server usually a certification authority Password Type the password up to 31 ASCII characters from the entity maintaining the OCSP server usually a ce...

Page 427: ...ays for what functions the certificate s key can be used For example DigitalSignature means that the key can be used to sign certificates and KeyEncipherment means that the key can be used to encrypt...

Page 428: ...dvantages over a CRL The first is real time status information The second is a reduction in network traffic since the ZyWALL only gets information on the certificates that it needs to verify not a hug...

Page 429: ...ALL To access this screen click Configuration Object ISP Account Figure 282 Configuration Object ISP Account The following table describes the labels in this screen See the ISP Account Edit section be...

Page 430: ...y the ISP account Authentication Type This field displays the authentication type used by the ISP account User Name This field displays the user name of the ISP account Table 166 Configuration Object...

Page 431: ...dress of the PPTP server Connection ID This field is available if this ISP account uses the PPTP protocol Type your identification name for the PPTP server This field can be blank Service Name If this...

Page 432: ...Edit screen to specify the name of a folder on a Linux or Windows file server which remote users can access using a standard web browser Section 35 2 1 on page 435 35 1 2 What You Need to Know Applic...

Page 433: ...Remote Management Weblinks You can configure weblink SSL applications to allow remote users to access web sites 35 1 3 Example Specifying a Web Site for Access This example shows you how to create a...

Page 434: ...describes the labels in this screen Table 168 Configuration Object SSL Application LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to be...

Page 435: ...on in the SSL Application screen and select Web Application or File Sharing in the Type field The screen differs depending on what object type you choose Note If you are creating a file sharing SSL ap...

Page 436: ...The ZyWALL supports one OWA object Select VNC to allow users to manage LAN computers that have Virtual Network Computing remote desktop server software installed Select RDP to allow users to manage L...

Page 437: ...ou choose Web Application as the object type Select this option to prevent users from saving the web content Shared Path This field only appears when you choose File Sharing as the object type Specify...

Page 438: ...uration Object DHCPv6 Request Figure 289 Configuration Object DHCPv6 Request The following table describes the labels in this screen Table 170 Configuration Object DHCPv6 Request LABEL DESCRIPTION Con...

Page 439: ...pe This field displays the request type of each request object Interface This field displays the interface used for each request object Value This field displays the value for each request object Tabl...

Page 440: ...s to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The ZyWAL...

Page 441: ...ser Defined in the DNS Server field and enter the IP address of the DNS server in the User Defined Address field below Starting IP Address If you select Address Pool in the Lease Type field enter the...

Page 442: ...Chapter 36 DHCPv6 ZyWALL 110 310 1100 Series User s Guide 442...

Page 443: ...access the ZyWALL s command line interface You can specify which zones allow SSH access and from which IP address the access can come Use the System TELNET screen see Section 37 9 on page 476 to conf...

Page 444: ...t be read only and use the FAT16 FAT32 EXT2 or EXT3 file system Click Configuration System USB Storage to open the screen as shown next Table 174 Configuration System Host Name LABEL DESCRIPTION Syste...

Page 445: ...our local time zone and date click Configuration System Date Time The screen displays as shown You can manually set the ZyWALL s time and date or have the ZyWALL get the date and time from a time serv...

Page 446: ...gure a new time and date time zone and daylight saving at the same time the time zone and daylight saving will affect the new time and date you entered When you enter the time settings manually the Zy...

Page 447: ...ch and type 2 in the at field Daylight Saving Time starts in the European Union on the last Sunday of March All of the time zones in the European Union start using Daylight Saving Time at the same mom...

Page 448: ...time servers have been tried 37 4 2 Time Server Synchronization Click the Synchronize Now button to get the time and date from the time server you specified in the Time Server Address field When the P...

Page 449: ...sole port using a terminal emulation program See Table 2 on page 20 for default console port settings Click Configuration System Console Speed to open the Console Speed screen Figure 297 Configuration...

Page 450: ...ually enter them in the DNS server fields If your ISP dynamically assigns the DNS server IP addresses along with the ZyWALL s WAN IP address set the DNS server fields to get the DNS server address fro...

Page 451: ...e that subsequent entries move up by one when you take this action Move To change an entry s position in the numbered list select the method and click Move to display a field to type a number for wher...

Page 452: ...om which computers and zones you can send DNS queries to the ZyWALL Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click...

Page 453: ...main name 37 6 7 Adding a Domain Zone Forwarder Click the Add icon in the Domain Zone Forwarder table to add a domain zone forwarder record Table 180 Configuration System DNS Address PTR Record Edit L...

Page 454: ...corded name server IP address Enter if all domain zones are served by the specified DNS server s DNS Server Select DNS Server s from ISP if your ISP dynamically assigns DNS server information You also...

Page 455: ...ings and exit this screen Cancel Click Cancel to exit this screen without saving Table 183 Configuration System DNS Service Control Rule Add LABEL DESCRIPTION Create new Object Use this to configure a...

Page 456: ...in the allowed zone or the action is set to Deny 4 There is a firewall rule that blocks it 37 7 2 System Timeout There is a lease timeout for administrators The ZyWALL automatically logs you out if th...

Page 457: ...a certificate You must apply for a certificate for the browser from a CA that is a trusted CA on the ZyWALL Please refer to the following figure 1 HTTPS connection requests from an SSL aware web brows...

Page 458: ...check box to allow or disallow the computer with the IP address that matches the IP address es in the Service Control table to access the ZyWALL Web Configurator using secure HTTPs connections Server...

Page 459: ...e method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed This is the index number of the service control r...

Page 460: ...en instead of a number is the ZyWALL s non configurable default policy The ZyWALL applies this to traffic that does not match any other configured rule It is not an editable rule To apply other behavi...

Page 461: ...to configure any new settings objects that you need to use in this screen Address Object Select ALL to allow or deny any computer to communicate with the ZyWALL using this service Select a predefined...

Page 462: ...Chapter 37 System ZyWALL 110 310 1100 Series User s Guide 462 Figure 306 Configuration System WWW Login Page The following figures identify the parts you can customize in the login and access pages...

Page 463: ...tion You can specify colors in one of the following ways Click Color to display a screen of web safe colors from which to choose Enter the name of the desired color Logo Title Message Note Message Bac...

Page 464: ...ransfer the specified graphic file from your computer to the ZyWALL Customized Login Page Use this section to set how the Web Configurator login screen looks Title Enter the title for the top of the s...

Page 465: ...ssages When you attempt to access the ZyWALL HTTPS server a The Connection is Untrusted screen appears as shown in the following screen Click Technical Details if you want to verify more information a...

Page 466: ...icate authorities The issuing certificate authority of the ZyWALL s factory default certificate is the ZyWALL itself since the certificate is a self signed certificate For the browser to trust a self...

Page 467: ...icate Client Certificates to be active see the Certificates chapter for details Apply for a certificate from a Certification Authority CA that is trusted by the ZyWALL see the ZyWALL s Trusted CA Web...

Page 468: ...rd as shown earlier in this appendix 37 7 7 5 2 Installing Your Personal Certificate s You need a password in advance The CA may issue the password or you may have to specify it during the enrollment...

Page 469: ...cate Import Wizard 1 2 The file name and path of the certificate you double clicked should automatically appear in the File name text box Click Browse if you wish to import a different certificate Fig...

Page 470: ...rt Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location Figure 318 Person...

Page 471: ...7 7 6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS 1 Enter https ZyWALL IP Address in your browser s web address field Figure 321 A...

Page 472: ...urely access the ZyWALL s command line interface Specify which zones allow SSH access and from which IP address the access can come SSH is a secure communication protocol that combines authentication...

Page 473: ...ey with the host key and server key and sends the result back to the server The client automatically saves any new server public keys In subsequent connections the server public key is checked against...

Page 474: ...wing table describes the labels in this screen Table 187 Configuration System SSH LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the I...

Page 475: ...he selected entry Refer to Table 185 on page 461 for details on the screen that opens Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove...

Page 476: ...yWALL Type yes and press ENTER Then enter the password to log in to the ZyWALL Figure 329 SSH Example 2 Log in 3 The CLI screen displays next 37 9 Telnet You can use Telnet to access the ZyWALL s comm...

Page 477: ...ove The ZyWALL confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action Move To change an entry s position in the numbered list select the m...

Page 478: ...ice Control table to access the ZyWALL using this service TLS required Select the check box to use FTP over TLS Transport Layer Security to encrypt communication This implements TLS as a security mech...

Page 479: ...to put it and press ENTER to move the rule to the number that you typed This the index number of the service control rule The entry with a hyphen instead of a number is the ZyWALL s non configurable...

Page 480: ...P allows a manager and agents to communicate for the purpose of accessing these objects SNMP itself is a simple request response protocol based on the manager agent model The manager issues a request...

Page 481: ...ned on or an agent restarts linkDown 1 3 6 1 6 3 1 1 5 3 This trap is sent when the Ethernet link is down linkUp 1 3 6 1 6 3 1 1 5 4 This trap is sent when the Ethernet link is up authenticationFailur...

Page 482: ...station The default is private and allows all requests Trap Community Type the trap community which is the password sent with each trap to the SNMP manager The default is public and allows all reques...

Page 483: ...rule To apply other behavior configure a rule that traffic will match so the ZyWALL will not have to use the default policy Zone This is the zone on the ZyWALL the user is allowed or denied to access...

Page 484: ...TION Enable IPv6 Select this to have the ZyWALL support IPv6 and make IPv6 settings be available on the screens that the functions support such as the Configuration Network Interface Ethernet VLAN and...

Page 485: ...page 487 to specify settings for recording log messages and alerts e mailing them storing them on a connected USB storage device and sending them to remote syslog servers 38 2 Email Daily Report Use t...

Page 486: ...outgoing e mail Select Append system name to add the ZyWALL s system name to the subject Select Append date time to add the ZyWALL s system date and time to the subject Mail From Type the e mail addre...

Page 487: ...t screens to configure settings such as log categories e mail addresses and server names for any log Use the Log Category Settings screen to edit what information is included in the system log USB sto...

Page 488: ...d with a specific log Name This field displays the type of log setting entry system log logs stored on a USB storage device connected to the ZyWALL or one of the remote servers Log Format This field d...

Page 489: ...ngs The Log Settings Edit screen controls the detailed settings for each log in the system log which includes the e mail profiles Go to the Log Settings Summary screen see Section 38 3 1 on page 487 a...

Page 490: ...f it is necessary to provide a user name and password to the SMTP server User Name This box is effective when you select the SMTP Authentication check box Type the user name to provide to the SMTP ser...

Page 491: ...ation from this category the ZyWALL does not e mail debugging information however even if this setting is selected E mail Server 1 Select whether each category of events should be included in the log...

Page 492: ...Chapter 38 Log and Report ZyWALL 110 310 1100 Series User s Guide 492 Figure 339 Configuration Log Report Log Setting Edit USB Storage...

Page 493: ...ny log category enable normal logs green check mark send the remote server log messages and alerts for all log categories enable normal logs and debug logs yellow check mark send the remote server log...

Page 494: ...Chapter 38 Log and Report ZyWALL 110 310 1100 Series User s Guide 494 Figure 340 Configuration Log Report Log Setting Edit Remote Server...

Page 495: ...log facility allows you to log the messages to different files in the syslog server Please see the documentation for your syslog program for more information Active Log Selection Use the Selection dr...

Page 496: ...ry Settings This screen provides a different view and a different way of indicating which messages are included in each log and each alert Please see Section 38 3 2 on page 489 where this process is d...

Page 497: ...Use the E Mail Server 1 drop down list to change the settings for e mailing logs to e mail server 1 for all log categories Using the System Log drop down list to disable all logs overrides your e mail...

Page 498: ...es when it is e mailed green check mark and or in alerts red exclamation point for the e mail settings specified in E Mail Server 1 The ZyWALL does not e mail debugging information even if it is recor...

Page 499: ...Use the Configuration File screen see Section 39 2 on page 501 to store and name configuration files You can also download configuration files from the ZyWALL to your computer and upload configuratio...

Page 500: ...t sub command mode Note exit or must follow sub commands if it is to make the ZyWALL exit sub command mode Figure 342 Configuration File Shell Script Example enter configuration mode configure termina...

Page 501: ...in the configuration file or shell script The ZyWALL ignores any errors in the configuration file or shell script and applies all of the valid commands The ZyWALL still generates a log for any errors...

Page 502: ...file If there is an error the ZyWALL generates a log and copies the startup config conf configuration file to the startup config bad conf configuration file and tries the existing lastgood conf confi...

Page 503: ...a duplicate of the configuration file Remove Click a configuration file s row to select it and click Remove to delete it from the ZyWALL You can only delete manually saved configuration files You can...

Page 504: ...ion this gets the ZyWALL started with a fully valid configuration file as quickly as possible Ignore errors and finish applying the configuration file this applies the valid parts of the configuration...

Page 505: ...applied to this configuration file The ZyWALL applies configuration changes made in the Web Configurator to the configuration file when you click Apply or OK It applies configuration changes made via...

Page 506: ...ck your new firmware version in the Dashboard screen If the upload was not successful the following message appears in the status bar at the bottom of the screen Table 202 Maintenance File Manager Fir...

Page 507: ...ension Click Maintenance File Manager Shell Script to open the Shell Script screen Use the Shell Script screen to store name download upload and run shell script files You can store multiple shell scr...

Page 508: ...screen without deleting the shell script file Download Click a shell script file s row to select it and click Download to save the configuration to your computer Copy Use this button to save a duplic...

Page 509: ...ipt file from your computer to your ZyWALL File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the zysh file you want to...

Page 510: ...screens see Section 40 4 on page 515 to have the ZyWALL save a process s core dump to an attached USB storage device if the process terminates abnormally crashes so you can send the file to customer...

Page 511: ...is the date and time that the last diagnostic file was created The format is yyyy mm dd hh mm ss Size This is the size of the most recently created diagnostic file Copy the diagnostic file to USB sto...

Page 512: ...sting files of the same name Change the File Suffix field s setting to avoid this Figure 356 Maintenance Diagnostics Packet Capture This column displays the number for each file entry The total number...

Page 513: ...ve data to USB storage Select this to have the ZyWALL store packet capture entries only on a USB storage device connected to the ZyWALL if the ZyWALL allows this Status Unused the connected USB storag...

Page 514: ...fix cap for example vlan2 packet capture cap Number Of Bytes To Capture Per Packet Specify the maximum number of bytes to capture per packet The ZyWALL automatically truncates packets that exceed this...

Page 515: ...asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number for each packet capture file entry The tot...

Page 516: ...n comma separated value csv format You can download them to your computer and open them in a tool like Microsoft s Excel Table 209 Maintenance Diagnostics Core Dump Files LABEL DESCRIPTION Remove Sele...

Page 517: ...to select multiple files A pop up window asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number f...

Page 518: ...function s settings 41 2 The Routing Status Screen The Routing Status screen allows you to view the current routing flow and quickly link to specific routing settings Click a function box in the Rout...

Page 519: ...ure 361 Maintenance Packet Flow Explore Routing Status Direct Route Figure 362 Maintenance Packet Flow Explore Routing Status Policy Route Figure 363 Maintenance Packet Flow Explore Routing Status 1 1...

Page 520: ...5 Maintenance Packet Flow Explore Routing Status Dynamic VPN Figure 366 Maintenance Packet Flow Explore Routing Status Static Dynamic Route Figure 367 Maintenance Packet Flow Explore Routing Status De...

Page 521: ...sive route Persist This is the remaining time of a dynamically learned route The ZyWALL removes the route after this time period is counted down to zero The following fields are available if you click...

Page 522: ...is the name of an interface which transmits packets out of the ZyWALL Gateway This is the IP address of the gateway in the same network of the outgoing interface The following fields are available if...

Page 523: ...ed settings in the SNAT Table section SNAT Table The table fields in this section vary depending on the function box you select in the SNAT Flow section The following fields are available if you click...

Page 524: ...his indicates which source IP address the SNAT rule uses finally For example Outgoing Interface IP means that the ZyWALL uses the IP address of the outgoing interface as the source IP address for the...

Page 525: ...ve to use the write command to save the configuration before you reboot Otherwise the changes are lost when you reboot Reboot is different to reset see Section 44 1 on page 535 reset returns the devic...

Page 526: ...off the ZyWALL or remove the power Not doing so can cause the firmware to become corrupt 43 1 1 What You Need To Know Shutdown writes all cached data to the local storage and stops the system processe...

Page 527: ...net card is installed and functioning properly Also make sure that its IP address is in the same subnet as the ZyWALL s In the computer click Start All Programs Accessories and then Command Prompt In...

Page 528: ...ace names is very strict Each name consists of 2 4 letters interface type followed by a number x limited by the maximum number of each type of interface For example VLAN interfaces are vlan0 vlan1 vla...

Page 529: ...ted a cellular interface but cannot connect through it Make sure you have a compatible 3G device installed or connected See www zyxel com for details Make sure you have the cellular interface enabled...

Page 530: ...operly in the ZyWALL You may need to configure the DDNS entry s IP Address setting to Auto if the interface has a dynamic IP address or there are one or more NAT routers between the ZyWALL and the DDN...

Page 531: ...same pre shared key The ZyWALL s local and peer ID type and content must match the remote IPSec router s peer and local ID type and content respectively The ZyWALL and remote IPSec router must use th...

Page 532: ...s certificate Multiple SAs connecting through a secure gateway must have the same negotiation mode The VPN connection is up but VPN traffic cannot be transmitted through the VPN tunnel If you have the...

Page 533: ...not being applied at the configured times Make sure the ZyWALL s current date and time are correct I cannot get a certificate to import into the ZyWALL 1 For My Certificates you can import a certific...

Page 534: ...o the Internet Check the service control rules and to ZyWALL firewall rules I uploaded a logo to display on the upper left corner of the Web Configurator login screen and access page but it does not d...

Page 535: ...ize of all the capture files on the ZyWALL including any existing capture files and any new capture files you generate If you have existing capture files you may need to set this size larger or delete...

Page 536: ...s on and not blinking 2 Press the RESET button and hold it until the SYS LED begins to blink This usually takes about five seconds 3 Release the RESET button and wait for the ZyWALL to restart You sho...

Page 537: ...s 1 Reorient or relocate the receiving antenna 2 Increase the separation between the equipment and the receiver 3 Connect the equipment into an outlet on a circuit different from that to which the rec...

Page 538: ...purpose ZyXEL shall in no event be held liable for indirect or consequential damages of any kind to the purchaser To obtain the services of this warranty contact your vendor You may also refer to the...

Page 539: ...Direttive 2002 95 CE 2002 96 CE e 2003 108 CE relative alla riduzione dell uso di sostanze pericolose nelle apparecchiature elettriche ed elettroniche nonch allo smaltimento dei rifiuti Il simbolo del...

Page 540: ...Appendix A Legal Information ZyWALL 110 310 1100 Series User s Guide 540...

Page 541: ...cing login 254 idle timeout 379 logging in 254 multiple logins 380 see also users 371 Web Configurator 381 access users see also force user authentication policies account user 371 438 accounting serv...

Page 542: ...er 400 authentication algorithms 209 306 and active protocol 306 and routing protocols 209 MD5 209 306 SHA1 306 text 209 Authentication Header see AH authentication method objects 409 and users 372 an...

Page 543: ...Authentication Protocol CHAP 431 CHAP Challenge Handshake Authentication Protocol 431 CHAP PAP 431 CLI 20 24 button 24 messages 24 popup window 24 Reference Guide 2 client 341 cluster ID 361 commands...

Page 544: ...es 362 device High Availability see device HA 359 DHCP 173 444 and DNS servers 174 and domain name 444 and interfaces 174 client list 77 pool 174 static DHCP 174 DHCP Unique IDentifier 107 DHCPv6 438...

Page 545: ...ion files 499 shell scripts 499 file manager 499 file sharing SSL application create 435 Firefox 20 firewall 265 actions 273 and address groups 257 and address objects 257 and ALG 233 235 and H 323 AL...

Page 546: ...nts 457 avoiding warning messages 466 example 465 vs HTTP 457 with Internet Explorer 465 with Netscape Navigator 465 hub and spoke VPN see VPN concentrator HyperText Transfer Protocol over Secure Sock...

Page 547: ...Message Protocol see ICMP Internet Explorer 20 Internet Protocol Security see IPSec Internet Protocol version 6 see IPv6 IP policy routing see policy routes IP pool 321 IP protocols 390 and service ob...

Page 548: ...efix delegation 107 prefix length 106 stateless autoconfiguration 107 IPv6 tunnelings 6in4 tunneling 140 6to4 tunneling 141 IPv6 in IPv4 tunneling 140 ISP account CHAP 431 CHAP PAP 431 MPPE 431 MSCHAP...

Page 549: ...ement access troubleshooting 534 management access and device HA 359 Management Information Base MIB 480 manual key IPSec 288 MD5 306 memory usage 72 75 Message Digest 5 see MD5 messages CLI 24 metric...

Page 550: ...n method 111 autonomous system AS 201 backbone 202 configuration steps 204 direction 111 link cost 111 priority 111 redistribute 203 redistribute type cost 205 routers see OSPF routers virtual links 2...

Page 551: ...e NAT power off 526 PPP 175 troubleshooting 529 PPP interfaces subnet mask 172 PPPoE 175 and RADIUS 175 TCP port 1723 175 PPPoE PPTP interfaces 104 125 and ISP accounts 126 429 basic characteristics 1...

Page 552: ...mir and Adleman public key algorithm RSA 419 round robin 179 routing troubleshooting 530 Routing Information Protocol see RIP routing protocols 199 and authentication algorithms 209 and Ethernet inter...

Page 553: ...tificates 474 and zones 475 client requirements 474 encryption methods 474 for secure Telnet 475 how connection is established 473 versions 474 with Linux 476 with Microsoft Windows 475 SSL 317 321 45...

Page 554: ...efault conf 505 T TCP 390 connections 390 port numbers 390 Telnet 476 and address groups 477 and address objects 477 and zones 477 with SSH 475 throughput rate troubleshooting 534 TightVNC 432 time 44...

Page 555: ...3 User Datagram Protocol see UDP user group objects 371 438 user groups 371 372 438 and firewall 273 275 and policy routes 193 354 356 user name rules 374 user objects 371 438 user portal links 432 lo...

Page 556: ...e firewall 267 basic troubleshooting 531 hub and spoke see VPN concentrator IKE SA see IKE SA IPSec 281 IPSec SA proposal 306 security associations SA 283 see also IKE SA see also IPSec 281 see also I...

Page 557: ...d authentication method objects 460 and certificates 459 and zones 461 see also HTTP HTTPS 457 Z zipped files troubleshooting 529 zones 211 and firewall 265 271 and FTP 479 and interfaces 211 and SNMP...

Page 558: ...Index ZyWALL 110 310 1100 Series User s Guide 558...

Page 559: ...Index ZyWALL 110 310 1100 Series User s Guide 559...

Page 560: ...Index ZyWALL 110 310 1100 Series User s Guide 560...

Page 561: ...Index ZyWALL 110 310 1100 Series User s Guide 561...

Page 562: ...Index ZyWALL 110 310 1100 Series User s Guide 562...

Reviews:

No comments