ZyXEL Communications ZyXEL ZyWALL P1 User Manual Download Page 99 | Manualshive

Page: 99 / 369

background image

ZyWALL P1 User’s Guide

98

Chapter 6 Firewalls

Figure 34

Stateful Inspection

The previous figure shows the ZyWALL’s default firewall rules in action as well as
demonstrates how stateful inspection works. User A can initiate a Telnet session from within
the LAN and responses to this request are allowed. However other Telnet traffic initiated from
the WAN is blocked.

6.5.1 Stateful Inspection Process

In this example, the following sequence of events occurs when a TCP packet leaves the LAN
network through the firewall's WAN interface. The TCP packet is the first in a session, and the
packet's application layer protocol is configured for a firewall rule inspection:

1

The packet travels from the firewall's LAN to the WAN.

2

The packet is evaluated against the interface's existing outbound access list, and the
packet is permitted (a denied packet would simply be dropped at this point).

3

The firewall inspects packets to determine and record information about the state of the
packet's connection. This information is recorded in a new state table entry created for the
new connection. If there is not a firewall rule for this packet and it is not an attack, then
the

setting in the

Firewall Default Rule

screen determines the action for this packet.

4

Based on the obtained state information, a firewall rule creates a temporary access list
entry that is inserted at the beginning of the WAN interface's inbound extended access
list. This temporary access list entry is designed to permit inbound packets of the same
connection as the outbound packet just inspected.

5

The outbound packet is forwarded out through the interface.

6

Later, an inbound packet reaches the interface. This packet is part of the connection
previously established with the outbound packet. The inbound packet is evaluated against
the inbound access list, and is permitted because of the temporary access list entry
previously created.

7

The packet is inspected by a firewall rule, and the connection's state table entry is updated
as necessary. Based on the updated state information, the inbound extended access list

«
...
97
98
99
100
101
...
»

Summary of Contents for ZyXEL ZyWALL P1

Page 1: ...ZyWALL P1 Internet Security Appliance User s Guide Version 3 64 8 2005...

Page 2: ...EL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does it conv...

Page 3: ...ccordance with the instructions may cause harmful interference to radio communications If this equipment does cause harmful interference to radio television reception which can be determined by turnin...

Page 4: ...ly is damaged remove it from the power outlet Do NOT attempt to repair the power supply Contact your local vendor to order a new power supply Place connecting cables carefully so that no one will step...

Page 5: ...er to the purchaser To obtain the services of this warranty contact ZyXEL s Service Center for your Return Material Authorization number RMA Products must be returned Postage Prepaid It is recommended...

Page 6: ...ater pipes will be damaged Do NOT install nor use your device during a thunderstorm There may be a remote risk of electric shock from lightning Do NOT expose your device to dampness dust or corrosive...

Page 7: ...5 2860 Soeborg Denmark sales zyxel dk 45 39 55 07 07 FINLAND support zyxel fi 358 9 4780 8411 www zyxel fi ZyXEL Communications Oy Malminkaari 10 00700 Helsinki Finland sales zyxel fi 358 9 4780 8448...

Page 8: ...co uk ZyXEL Communications UK Ltd 11 The Courtyard Eastern Road Bracknell Berkshire RG12 2XB United Kingdom UK sales zyxel co uk 44 0 1344 303034 ftp zyxel co uk a is the prefix number you enter to ma...

Page 9: ...ZyWALL P1 User s Guide 8 Customer Support...

Page 10: ...2 Non Physical Features 32 1 3 Applications 35 1 3 1 Secure Network Access for Telecommuters 35 1 3 2 LAN Network Protection 35 1 4 ZyWALL Hardware Connection 36 1 5 Front Panel LED 36 Chapter 2 Intro...

Page 11: ...ss 59 3 3 4 1 Dynamic Secure Gateway Address 59 3 3 5 VPN Wizard Gateway Policy Setting 59 3 3 6 VPN Wizard Network Setting 60 3 3 7 IKE Phases 62 3 3 7 1 Negotiation Mode 63 3 3 7 2 Pre Shared Key 63...

Page 12: ...w 91 6 2 Types of Firewalls 91 6 2 1 Packet Filtering Firewalls 91 6 2 2 Application level Firewalls 91 6 2 3 Stateful Inspection Firewalls 92 6 3 Introduction to ZyXEL s Firewall 92 6 4 Denial of Ser...

Page 13: ...7 5 Alerts 106 7 6 Configuring Firewall 107 7 6 1 Rule Summary 107 7 6 2 Configuring Firewall Rules 109 7 6 3 Configuring Custom Services 112 7 7 Example Firewall Rule 112 7 8 Predefined Services 116...

Page 14: ...1 9 4 2 Nailed Up 131 9 5 NAT Traversal 131 9 5 1 NAT Traversal Configuration 132 9 5 2 X Auth Extended Authentication 132 9 5 3 Authentication Server 132 9 6 ID Type and Content 133 9 6 1 ID Type and...

Page 15: ...ate Details 171 10 16 Directory Servers 174 10 17 Add or Edit a Directory Server 175 Chapter 11 Network Address Translation NAT 177 11 1 NAT Overview 177 11 1 1 NAT Definitions 177 11 1 2 What NAT Doe...

Page 16: ...irements for Using SSH 202 13 8 Configuring SSH 202 13 9 Secure Telnet Using SSH Examples 203 13 9 1 Example 1 Microsoft Windows 203 13 9 2 Example 2 Linux 203 13 10 Secure FTP Using SSH Example 204 1...

Page 17: ...ance 235 16 1 Maintenance Overview 235 16 1 1 General Setup and System Name 235 16 1 2 Domain Name 235 16 2 Configuring Password 236 16 3 Pre defined NTP Time Servers List 237 16 4 Configuring Time an...

Page 18: ...Troubleshooting 257 18 1 Problems Starting Up the ZyWALL 257 18 2 Problems Accessing the ZyWALL 258 18 2 1 Pop up Windows JavaScripts and Java Permissions 258 18 2 1 1 Internet Explorer Pop up Blocker...

Page 19: ...ng Certificates 317 Appendix I Command Interpreter 329 Appendix J Firewall Commands 331 Appendix K NetBIOS Filter Commands 337 Appendix L Certificates Commands 341 Appendix M Brute Force Password Gues...

Page 20: ...e 14 Internet Access Wizard PPTP Encapsulation 57 Figure 15 Internet Access Wizard Complete 58 Figure 16 VPN Wizard Gateway Policy Setting 60 Figure 17 VPN Wizard Network Setting 61 Figure 18 Two Phas...

Page 21: ...les IKE Network Policy 141 Figure 56 VPN Rule IKE VPN Activation 144 Figure 57 VPN SA Monitor 145 Figure 58 VPN Global Setting 146 Figure 59 Telecommuters Sharing One VPN Rule Example 147 Figure 60 Te...

Page 22: ...icate 200 Figure 96 SSH Communication Example 200 Figure 97 How SSH Works 201 Figure 98 SSH 202 Figure 99 SSH Example 1 Store Host Key 203 Figure 100 SSH Example 2 Test 204 Figure 101 SSH Example 2 Lo...

Page 23: ...re 144 Security Settings Java 264 Figure 145 Java Sun 265 Figure 146 WIndows 95 98 Me Network Configuration 270 Figure 147 Windows 95 98 Me TCP IP Properties IP Address 271 Figure 148 Windows 95 98 Me...

Page 24: ...e 315 Figure 186 Security Certificate 317 Figure 187 Login Screen 318 Figure 188 Certificate General Information before Import 318 Figure 189 Certificate Import Wizard 1 319 Figure 190 Certificate Imp...

Page 25: ...ZyWALL P1 User s Guide 24 List of Figures...

Page 26: ...Table 15 VPN Wizard IKE Tunnel Setting 66 Table 16 VPN Wizard IPSec Setting 67 Table 17 VPN Wizard VPN Status 69 Table 18 LAN LAN 76 Table 19 LAN Static DHCP 78 Table 20 Example of Network Properties...

Page 27: ...tificate My Certificate Create 156 Table 53 Certificate My Certificate Details 160 Table 54 Certificates Trusted CAs 162 Table 55 Certificates Trusted CA Import 164 Table 56 Certificates Trusted CA De...

Page 28: ...ng the ZyWALL 258 Table 99 Troubleshooting the LAN Interface 265 Table 100 Troubleshooting the WAN Interface 266 Table 101 Troubleshooting Internet Access 266 Table 102 Troubleshooting the Password 26...

Page 29: ...350 Table 129 CDR Logs 350 Table 130 PPP Logs 350 Table 131 UPnP Logs 351 Table 132 Content Filtering Logs 351 Table 133 Attack Logs 352 Table 134 IPSec Logs 353 Table 135 IKE Logs 353 Table 136 PKI...

Page 30: ...Guide is designed to help you get up and running right away It contains a detailed easy to follow connection diagram default settings handy checklists and information on setting up your network and c...

Page 31: ...our mouse pointer to Control Panels and then click Modem For brevity s sake we will use e g as a shorthand for for instance and i e for that is or in other words throughout this manual The ZyWALL P1 I...

Page 32: ...solution that protects your computer In addition the embedded web configurator is easy to operate 1 2 ZyWALL Features The following sections describe ZyWALL features 1 2 1 Physical Features 10 100 Mb...

Page 33: ...provide secure communications without the expense of leased site to site lines The ZyWALL VPN is based on the IPSec standard and is fully interoperable with other IPSec based VPN products X Auth Exte...

Page 34: ...er of data from a remote client to a private server creating a Virtual Private Network VPN using a TCP IP based network PPTP supports on demand multi protocol and virtual private networking over publi...

Page 35: ...nt IP address known within another network for example a public IP address used on the Internet Port Forwarding Use this feature to forward incoming service requests to a server on your local network...

Page 36: ...ork example A telecommunter can simply connect the pre configured ZyWALL and enter the VPN account information to establish a VPN connection through the Internet to headquaters Figure 1 Application Te...

Page 37: ...WALL Figure 2 Application LAN Network Protection 1 4 ZyWALL Hardware Connection Refer to the Quick Start Guide for information on hardware connection and basic setup 1 5 Front Panel LED The LED and po...

Page 38: ...N connection Blinking The 100M WAN is sending or receiving packets VPN Off The ZyWALL does not have a VON connection Green On The ZyWALL has a successful VPN connection Blinking The ZyWALL is receivin...

Page 39: ...ZyWALL P1 User s Guide 38 Chapter 1 Getting to Know Your ZyWALL...

Page 40: ...browser pop up windows from your device Web pop up blocking is enabled by default in Windows XP SP Service Pack 2 JavaScripts enabled by default Java permissions enabled by default See the Troublesho...

Page 41: ...some versions the default password appears automatically if this is the case click Login Figure 5 Web Configurator Login Screen 7 You should see a screen asking you to change your password highly reco...

Page 42: ...reen see Figure 8 on page 43 Note The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires default five minutes Simply log back into...

Page 43: ...le pressing the RESET button turn the ZyWALL on 4 Continue to hold the RESET button The PWR LED will begin to blink This indicates that the defaults have been restored Release the RESET button 5 Wait...

Page 44: ...screen Table 3 Web Configurator HOME LABEL DESCRIPTION Wizards for Quick Setup Internet Access Click Internet Access to use the initial configuration wizard VPN Wizard Click VPN Wizard to create VPN...

Page 45: ...rom green to red when the maximum is being approached Network Status Interface This is the port type Port types are WAN and LAN Status For the LAN port this displays the port speed and duplex setting...

Page 46: ...obing Use this screen to change your anti probing settings Threshold Use this screen to configure the threshold for DoS attacks VPN VPN Rules IKE Use this screen to configure VPN connections using IKE...

Page 47: ...to configure through which interface s and from which IP address es users can send DNS queries to the ZyWALL CNM Use this screen to configure your ZyWALL s CNM Central Network Management settings to a...

Page 48: ...using the ZyWALL s DHCP server Table 5 Home Show Statistics LABEL DESCRIPTION Port This is the WAN or LAN port Status This displays the port speed and duplex setting if you re using Ethernet encapsula...

Page 49: ...his field displays the computer host name MAC Address The MAC Media Access Control or Ethernet address on a LAN Local Area Network is unique to your computer six pairs of hexadecimal notation A networ...

Page 50: ...ion name for this VPN policy Encapsulation This field displays Tunnel or Transport mode IPSec Algorithm This field displays the security protocols used for an SA Both AH and ESP increase ZyWALL proces...

Page 51: ...ZyWALL P1 User s Guide 50 Chapter 2 Introducing the Web Configurator...

Page 52: ...d blank if you don t have that information 3 2 1 ISP Parameters The ZyWALL offers three choices of encapsulation They are Ethernet PPTP or PPPoE 3 2 2 WAN and DNS The second wizard screen allows you t...

Page 53: ...blished If this is the case it is recommended that you select a network number from 192 168 0 0 to 192 168 255 0 and you must enable the Network Address Translation NAT feature of the ZyWALL The Inter...

Page 54: ...r address from the ISP 3 You can manually enter the IP addresses of other DNS servers These servers can be public or private A DNS server could even be behind a remote IPSec router 3 2 2 4 Ethernet Fo...

Page 55: ...as it requires no specific configuration of the broadband modem at the subscriber s site Table 9 Internet Access Wizard Ethernet Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Enc...

Page 56: ...E Figure 13 Internet Access Wizard PPPoE Encapsulation The following table describes the related labels in this screen Table 10 Internet Access Wizard PPPoE Encapsulation LABEL DESCRIPTION ISP Paramet...

Page 57: ...demand multi protocol and virtual private networking over public networks such as the Internet Note Refer to Appendix D on page 291 for more information on PPTP The ZyWALL supports one PPTP server con...

Page 58: ...m the drop down list box User Name Type the user name given to you by your ISP Password Type the password associated with the User Name above Retype Password Type your password again for confirmation...

Page 59: ...s services used to transport traffic over the Internet or any insecure network that uses the TCP IP protocol suite for communication Use the VPN wizard screens to configure a VPN rule that use a pre s...

Page 60: ...e gateway has a static WAN IP address enter it in the Secure Gateway Address field You may alternatively enter the remote secure gateway s domain name if it has one in the Secure Gateway Address field...

Page 61: ...ny time Table 12 VPN Wizard Gateway Policy Setting LABEL DESCRIPTION Gateway Policy Property Name Type up to 32 characters to identify this VPN gateway policy You may use any character including space...

Page 62: ...d is configured to Single enter a static IP address on the LAN behind your ZyWALL When the Local Network field is configured to Range IP enter the beginning static IP address in a range of computers o...

Page 63: ...d the IPSec SA stays connected Starting IP Address When the Remote Network field is configured to Single enter a static IP address on the network behind the remote IPSec router When the Remote Network...

Page 64: ...6 messages in three round trips SA negotiation Diffie Hellman exchange and an exchange of nonces a nonce is a random number This mode features identity protection your identity is not revealed in the...

Page 65: ...is built from the authentication provided by the AH and ESP protocols The primary function of key management is to establish and maintain the SA between systems Once the SA is established the transpo...

Page 66: ...oubling the strength of DES AES Advanced Encryption Standard is a newer method of data encryption that also uses a secret key This implementation of AES applies a 128 bit key to 128 bit blocks of data...

Page 67: ...uires more processing power resulting in increased latency and decreased throughput This implementation of AES uses a 128 bit key AES is faster than 3DES Authentication Algorithm MD5 Message Digest 5...

Page 68: ...with a 0x zero x which is not counted as part of the 16 to 62 character range for the key For example in 0x0123456789ABCDEF 0x denotes that the key is hexadecimal and 0123456789ABCDEF is the key itse...

Page 69: ...Message Digest 5 and SHA1 Secure Hash Algorithm are hash algorithms used to authenticate packet data The SHA1 algorithm is generally considered stronger than MD5 but is slower Select MD5 for minimal s...

Page 70: ...is not applicable When the local network is configured for a range IP address this is the end static IP address in a range of computers on the LAN behind your ZyWALL When the local network is configur...

Page 71: ...ly renegotiates Pre Shared Key This is a pre shared key identifying a communicating party during a phase 1 IKE negotiation IPSec Setting IKE Phase 2 Encapsulation Mode This shows Tunnel mode or Transp...

Page 72: ...ZyWALL P1 User s Guide Chapter 3 Wizard Setup 71 Figure 22 VPN Wizard Complete...

Page 73: ...ZyWALL P1 User s Guide 72 Chapter 3 Wizard Setup...

Page 74: ...e another DHCP server on your LAN or else the computer must be manually configured 4 2 1 IP Pool Setup The ZyWALL is pre configured to provide one IP address of 169 254 1 33 to a DHCP client This conf...

Page 75: ...controls the sending and receiving of RIP packets When set to Both or Out Only the ZyWALL will broadcast its routing table periodically When set to Both or In Only it will incorporate the RIP informat...

Page 76: ...ss D IP address is used to identify host groups and can be in the range 224 0 0 0 to 239 255 255 255 The address 224 0 0 0 is not assigned to any group and is used by IP multicast computers The addres...

Page 77: ...oadcasting while RIP 2M uses multicasting Multicasting can reduce the load on non router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packet...

Page 78: ...anges to None after you click Apply Select DNS Relay to have the ZyWALL act as a DNS proxy The ZyWALL s LAN IP address displays in the field to the right read only The ZyWALL tells the DHCP client on...

Page 79: ...number of the Static IP table entry row MAC Address Type the MAC address with colons of a computer on your LAN IP Address Type the IP address that you want to assign to the computer on your LAN Alter...

Page 80: ...en 1 and 15 a number greater than 15 means the link is down The smaller the number the lower the cost The metric sets the priority for the ZyWALL s routes to the Internet Each route must have a unique...

Page 81: ...ic Input Output System are TCP or UDP packets that enable a computer to connect to and communicate with a LAN For some dial up services such as PPPoE or PPTP NetBIOS packets cause unwanted calls Allow...

Page 82: ...nager authentication method RR Toshiba Roadrunner Toshiba authentication method or Telia Login The following fields do not appear with the Standard service type User Name Type the user name given to y...

Page 83: ...ng information with other routers The RIP Direction field controls the sending and receiving of RIP packets Choose Both None In Only or Out Only When set to Both or Out Only the ZyWALL will broadcast...

Page 84: ...hat part of the task Furthermore with NAT all of the LANs computers will have access The screen shown next is for PPPoE encapsulation Multicast Version Choose None default IGMP V1 or IGMP V2 IGMP Inte...

Page 85: ...uter interacts with a broadband modem i e DSL cable wireless etc connection Operationally PPPoE saves significant effort for both the end user and ISP carrier as it requires no specific configuration...

Page 86: ...g a Virtual Private Network VPN using TCP IP based networks PPTP supports on demand multi protocol and virtual private networking over public networks such as the Internet The screen shown next is for...

Page 87: ...otocol that enables secure transfer of data from a remote client to a private server creating a Virtual Private Network VPN using TCP IP based networks PPTP supports on demand multi protocol and virtu...

Page 88: ...vider s website and register a user account and a domain name before you can use the Dynamic DNS service with your ZyWALL 5 4 1 DYNDNS Wildcard Enabling the wildcard feature for your host causes yourh...

Page 89: ...ype of service that you are registered for from your Dynamic DNS service provider Select Dynamic DNS if you have the Dynamic DNS service Select Static DNS if you have the Static DNS service Select Cus...

Page 90: ...DNS server auto detect IP Address only when there are one or more NAT routers between the ZyWALL and the DDNS server This feature has the DDNS server automatically detect and use the IP address of the...

Page 91: ...ZyWALL P1 User s Guide 90 Chapter 5 WAN Screens...

Page 92: ...ll to guard effectively you must design and deploy it appropriately This requires integrating the firewall into a broad information security policy In addition specific policies must be implemented wi...

Page 93: ...roxies support See Section 6 5 on page 97 for more information on Stateful Inspection Firewalls of one type or another have become an integral part of standard security solutions for enterprises 6 3 I...

Page 94: ...xtension number called the TCP port or UDP port identifies these protocols such as HTTP Web FTP File Transfer Protocol POP3 E mail etc For example Web traffic by default uses TCP port 80 When computer...

Page 95: ...ment looks like the original IP packet except that it contains an offset field that says for instance This fragment is carrying bytes 200 through 400 of the original non fragmented IP packet The Teard...

Page 96: ...arget system tries to respond to itself A brute force attack such as a Smurf attack targets a feature in the IP specification known as directed or subnet broadcasting to quickly flood the target netwo...

Page 97: ...ing ICMP types trigger an alert 6 4 2 2 Illegal Commands NetBIOS and SMTP The only legal NetBIOS commands are the following all others are illegal Table 27 ICMP Commands That Trigger Alerts 5 REDIRECT...

Page 98: ...llowed through the router or firewall The ZyWALL blocks all IP Spoofing attempts 6 5 Stateful Inspection With stateful inspection fields of the packets are compared to packets that are already known t...

Page 99: ...information about the state of the packet s connection This information is recorded in a new state table entry created for the new connection If there is not a firewall rule for this packet and it is...

Page 100: ...m rules work by evaluating the network traffic s Source IP address Destination IP address IP protocol type and comparing these to rules set by the administrator Note The ability to define firewall rul...

Page 101: ...ituation exists for ICMP except that the ZyWALL is even more restrictive Specifically only outgoing echoes will allow incoming echo replies outgoing address mask requests will allow incoming address m...

Page 102: ...rvices to communicate only with specific peers and protect by configuring rules to block packets for the services at specific interfaces 6 Protect against IP spoofing by making sure the firewall is ac...

Page 103: ...rk session rather than control individual packets in a session The firewall provides e mail service to notify you of routine reports and when alerts occur 6 7 2 1 When To Use The Firewall 1 To prevent...

Page 104: ...ed based on the direction of travel of packets to which they apply By default the ZyWALL s stateful packet inspection allows packets traveling in the following directions LAN to LAN ZyWALL This allows...

Page 105: ...nts carefully before configuring rules 7 3 1 Rule Checklist 1 State the intent of the rule For example This restricts all IRC access from the LAN to the Internet Or This allows a remote Lotus Notes se...

Page 106: ...vice is not listed it is necessary to first define it See Section 7 8 on page 116 for more information on predefined services 7 3 3 3 Source Address What is the connection s source address is it on th...

Page 107: ...for WAN to LAN traffic blocks all incoming connections WAN to LAN If you wish to allow certain WAN users to have access to your LAN you will need to create custom rules to allow it See the following...

Page 108: ...ngle route topology on the network See Appendix E on page 295 for more on triangle route topology Packet Direction This is the direction of travel of packets LAN to LAN ZyWALL LAN to WAN WAN to LAN WA...

Page 109: ...arized below take priority over the general firewall action settings above Rule This is your firewall rule number The ordering of your rules is important as rules are applied in turn Click to expand o...

Page 110: ...Click the edit icon to go to the screen where you can edit the rule Click the delete icon to delete an existing firewall rule A window display asking you to confirm that you want to delete the firewal...

Page 111: ...ZyWALL P1 User s Guide 110 Chapter 7 Firewall Screens Figure 39 Firewall Creating Editing A Firewall Rule The following table describes the labels in this screen...

Page 112: ...rvice from the Available Services box on the left then click to add it to the Selected Service s box on the right To remove a service highlight it in the Selected Service s box on the right then click...

Page 113: ...ule The following Internet firewall rule example allows a hypothetical My Service connection from the Internet Apply Click Apply to save your customized settings and exit this screen Cancel Click Canc...

Page 114: ...ule Summary screen type the index number for where you want to put the rule For example if you type 6 your new rule becomes number 6 and the previous rule 6 if there is one becomes rule 7 3 Click Inse...

Page 115: ...and click Apply Figure 43 Firewall Example Edit Custom Service 7 In the Edit Rule screen use the arrows between Available Services and Selected Service s to configure it as follows Click Apply when yo...

Page 116: ...ZyWALL P1 User s Guide Chapter 7 Firewall Screens 115 Figure 44 Firewall Example My Service Rule Configuration...

Page 117: ...that defines the service Note that there may be more than one IP protocol type For example look at the default configuration labeled DNS UDP TCP 53 means UDP port 53 and TCP port 53 Custom services m...

Page 118: ...ble a computer to connect to and communicate with a LAN NEWS TCP 144 A protocol for news groups NFS UDP 2049 Network File System NFS is a client server distributed file service that provides transpare...

Page 119: ...Program SNMP TRAPS TCP UDP 162 Traps for use with the SNMP RFC 1215 SQL NET TCP 1521 Structured Query Language is an interface to access data on many different types of database systems including main...

Page 120: ...s on the LAN and WAN Do not respond to requests for unauthorized services Select this option to prevent hackers from finding the ZyWALL by probing for unused ports If you select this option the ZyWALL...

Page 121: ...olute number or measured as the arrival rate could indicate that a Denial of Service attack is occurring The ZyWALL measures both the total number of existing half open sessions and the rate of sessio...

Page 122: ...ection requests to the host giving the server time to handle the present connections The ZyWALL continues to block all new connection requests until the Blocking Time expires The ZyWALL also sends ale...

Page 123: ...nnection requests Do not set Maximum Incomplete High to lower than the current Maximum Incomplete Low number The above values say 80 in the Maximum Incomplete Low field and 100 in this field cause the...

Page 124: ...r secure data communications across a public network like the Internet IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrity and authenticat...

Page 125: ...VPN applications 8 1 4 1 Linking Two or More Private Networks Together Connect branch offices and business partners over the Internet with significant cost savings and improved performance when compar...

Page 126: ...ithms The Encryption Algorithm describes the use of encryption techniques such as DES Data Encryption Standard AES Advanced Encryption Standard and Triple DES algorithms The Authentication Algorithms...

Page 127: ...forward into the IP header to verify the integrity of the entire packet by use of portions of the original IP header in the hashing process 8 3 2 Tunnel Mode Tunnel mode encapsulates the entire IP pa...

Page 128: ...ESP in Tunnel mode encapsulates the entire original packet including headers in a new IP packet The new IP packet s source address is the outbound address of the sending VPN gateway and its destinati...

Page 129: ...ZyWALL P1 User s Guide 128 Chapter 8 Introduction to IPSec...

Page 130: ...ed for integrity authentication sequence integrity replay resistance and non repudiation but not for confidentiality for which the ESP was designed In applications where confidentiality is not require...

Page 131: ...of data encryption using a secret key DES applies a 56 bit key to each 64 bit block of data 3DES Triple DES 3DES is a variant of DES which iterates three times with three separate keys 3 x 56 168 bits...

Page 132: ...ress may be configured as 0 0 0 0 only when using IKE key management and not Manual key management 9 4 2 Nailed Up When you initiate an IPSec tunnel with nailed up enabled the ZyWALL automatically ren...

Page 133: ...tunnel mode Use IKE keying mode Enable NAT traversal on both IPSec endpoints In order for IPSec router A see Figure 51 on page 132 to receive an initiating IPSec packet from IPSec router B set the NAT...

Page 134: ...lgorithms DES 3DES and AES two authentication algorithms MD5 and SHA1 and two key groups DH1 and DH2 when you configure a VPN rule see Section 9 8 2 on page 140 The ID type and content act as an extra...

Page 135: ...which to identify the remote IPSec router This option is available only when you set Authentication Method to Certificate The domain name or e mail address that you use in the Content field is used fo...

Page 136: ...tic Click VPN display the VPN Rules IKE screen This is a read only menu of your IPSec rule tunnel To add a rule click the add icon Edit an IPSec rule by clicking the edit icon to configure the associa...

Page 137: ...routers between the two IPSec routers The remote IPSec router must also have NAT traversal enabled You can use NAT traversal with ESP protocol using Transport or Tunnel mode but not with AH protocol n...

Page 138: ...own list box to select the certificate to use for this VPN tunnel You must have certificates already configured in the My Certificates screen Click My Certificates to go to the My Certificates screen...

Page 139: ...n name or e mail address by which to identify the remote IPSec router Use up to 31 ASCII characters including spaces although trailing spaces are truncated The domain name or e mail address is for ide...

Page 140: ...168 bit key As a result 3DES is more secure than DES It also requires more processing power resulting in increased latency and decreased throughput This implementation of AES uses a 128 bit key AES is...

Page 141: ...the policy name Local Network This field displays one or a range of IP address es of the computer s behind the ZyWALL Remote Network This field displays one or a range of IP address es of the remote...

Page 142: ...IKE Add Policy LABEL DESCRIPTION Active Select this check box to activate this VPN tunnel This option determines whether a VPN rule is applied Name Type a name to identify this VPN policy You may use...

Page 143: ...ame Two active SAs can have the same local or remote IP address but not both You can configure multiple SAs between the same local and remote IP addresses as long as only one is active at any time Add...

Page 144: ...er must know the same secret key which can be used to encrypt and decrypt the message or to generate and verify a message authentication code The DES encryption algorithm uses a 56 bit key Triple DES...

Page 145: ...ead only The following table describes the fields in this tab Enable Multiple Proposal Select this check box to allow the ZyWALL to use any of its phase 1 or phase 2 encryption and authentication algo...

Page 146: ...screen appears as shown Table 46 SA Monitor LABEL DESCRIPTION This is the security association index number Name This field displays the identification name for this VPN policy Local Network This fiel...

Page 147: ...ply with an acknowledgement the ZyWALL automatically disconnects the VPN tunnel Enter 0 to disable this feature Input Idle Timer Enter the time period between 30 and 3600 seconds to wait before the Zy...

Page 148: ...use Dynamic DNS to do this With aggressive negotiation mode see Section 3 3 7 1 on page 63 the ZyWALL can use the ID types and contents to distinguish between VPN rules Telecommuters can each use a s...

Page 149: ...HEADQUARTERS All Telecommuter Rules All Headquarters Rules My IP Address 0 0 0 0 My IP Address bigcompanyhq com Secure Gateway Address bigcompanyhq com Local IP Address 192 168 1 10 Remote IP Address...

Page 150: ...low access for that service Telecommuter C telecommuterc dydns org Headquarters ZyWALL Rule 3 Local ID Type E mail Peer ID Type E mail Local ID Content myVPN myplace com Peer ID Content myVPN myplace...

Page 151: ...ZyWALL P1 User s Guide 150 Chapter 9 VPN Screens...

Page 152: ...ryption in general works as follows 1 Tim wants to send a private message to Jenny Tim generates a public key pair What is encrypted with one key can only be decrypted using the other 2 Tim keeps the...

Page 153: ...ed to transmit private keys 10 2 Self signed Certificates Until public key infrastructure becomes more mature it may not be available in some areas You can have the ZyWALL act as a certification autho...

Page 154: ...address This field displays the certificate index number The certificates are listed in alphabetical order Name This field displays the name used to identify this certificate It is recommended that yo...

Page 155: ...certificate is about to expire or has already expired Modify Click the details icon to open a screen with an in depth list of information about the certificate Click the delete icon to remove the cer...

Page 156: ...onding certification request that was generated by the ZyWALL The certificate you import replaces the corresponding request in the My Certificates screen You must remove any spaces from the certificat...

Page 157: ...te The following table describes the labels in this screen Table 52 Certificate My Certificate Create LABEL DESCRIPTION Certificate Name Type up to 31 ASCII characters not including spaces to identify...

Page 158: ...a request for a certificate Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority Copy the certification request from the My Certif...

Page 159: ...TES and then My Certificates to open the My Certificates screen see Figure 62 on page 153 Click the details icon to open the My Certificate Details screen You can use this screen to view in depth cert...

Page 160: ...ZyWALL P1 User s Guide Chapter 10 Certificates 159 Figure 65 Certificate My Certificate Details The following table describes the labels in this screen...

Page 161: ...his field displays general information about the certificate CA signed means that a Certification Authority signed the certificate Self signed means that the certificate s owner signed the certificate...

Page 162: ...WALL calculated using the MD5 algorithm SHA1 Fingerprint This is the certificate s message digest that the ZyWALL calculated using the SHA1 algorithm Certificate in PEM Base 64 Encoded Format This rea...

Page 163: ...bject This field displays identifying information about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended th...

Page 164: ...has issued and you have selected the Issues certificate revocation lists CRL check box in the certificate s details screen to have the ZyWALL check the CRL before trusting any certificates issued by...

Page 165: ...ame and set whether or not you want the ZyWALL to check a certification authority s list of revoked certificates before trusting a certificate issued by the certification authority Table 55 Certificat...

Page 166: ...name type up to 31 characters to identify this key certificate You may use any character not including spaces Property Check incoming certificates issued by this CA against a CRL Select this check box...

Page 167: ...ing certification authority such as Common Name Organizational Unit Organization and Country With self signed certificates this is the same information as in the Subject Name field Signature Algorithm...

Page 168: ...rtificate SHA1 Fingerprint This is the certificate s message digest that the ZyWALL calculated using the SHA1 algorithm You can use this value to verify with the certification authority over the phone...

Page 169: ...cate on the ZyWALL that the ZyWALL uses to sign the trusted remote host certificates This field displays the certificate index number The certificates are listed in alphabetical order Name This field...

Page 170: ...the remote host s certificate saved on your computer 2 Make sure that the certificate has a cer or crt file name extension Figure 70 Remote Host Certificates 3 Double click the certificate s icon to o...

Page 171: ...Remote Host s Certificate Click CERTIFICATES Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen Follow the instructions in...

Page 172: ...emote Host Details screen You can use this screen to view in depth information about the trusted remote host s certificate and or change the certificate s name Table 58 Certificates Trusted Remote Hos...

Page 173: ...1 characters to identify this key certificate You may use any character not including spaces Certification Path Click the Refresh button to have this read only text box display the end entity s own ce...

Page 174: ...ired message if the certificate is about to expire or has already expired Key Algorithm This field displays the type of algorithm that was used to generate the certificate s key pair the ZyWALL uses R...

Page 175: ...e labels in this screen Certificate in PEM Base 64 Encoded Format This read only text box displays the certificate or certification request in Privacy Enhanced Mail PEM format PEM uses 64 ASCII charac...

Page 176: ...xpired or unnecessary certificates before adding more certificates The index number of the directory server The servers are listed in alphabetical order Name This field displays the name used to ident...

Page 177: ...decimal notation or the domain name of the directory server Server Port This field displays the default server port number of the protocol that you select in the Access Protocol field You may change...

Page 178: ...e IP address of a host when the packet is in the local network while the global address refers to the IP address of the host when the same packet is traveling in the WAN side Note that inside outside...

Page 179: ...ALL filters out all incoming inquiries thus preventing intruders from probing your network For more information on IP address translation refer to RFC 1631 The IP Network Address Translator NAT 11 1 3...

Page 180: ...to a unique global IP address Server This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world Note Port numbers do not change for One...

Page 181: ...host to have at one time Enable NAT Select this check box to turn on the NAT feature for the WAN port Clear this check box to turn off the NAT feature for the WAN port Note Your ZyWALL supports SUA w...

Page 182: ...P accounts do not allow you to run any server processes such as a Web or FTP server from your location Your ISP may periodically check for servers and may suspend your account if it discovers any acti...

Page 183: ...her B in the example and assign a default server IP address of 192 168 1 35 to a third C in the example You assign the LAN IP addresses and the ISP assigns the WAN IP address The NAT network appears a...

Page 184: ...s 192 168 1 34 Both servers use port 80 The letters a b c d represent the WAN port s IP address The ZyWALL translates port 8080 of traffic received on the WAN port IP address a b c d to port 80 and se...

Page 185: ...ers This is the number of an individual port forwarding server entry Active Select this check box to enable the port forwarding server entry Clear this check box to disallow forwarding of these ports...

Page 186: ...nd protocol incoming port the ZyWALL forwards the traffic to the LAN IP address of the computer that sent the request After that computer s connection for that service closes another computer on the L...

Page 187: ...articular service The ZyWALL forwards the traffic with this port or range of ports to the client computer on the LAN that requested the service Start Port Type a port number or the starting port numbe...

Page 188: ...k N3 because it doesn t know that there is a route through the same remote node Router 1 via gateway Router 2 The static routes are for you to tell the ZyWALL about the networks beyond the remote node...

Page 189: ...ute Active This field shows whether this static route is active Yes or not No Destination This parameter specifies the IP network address of the final destination Routing is always based on network nu...

Page 190: ...ss Enter the IP address of the gateway The gateway is a router or switch on the same network segment as the device s LAN or WAN port The gateway helps forward packets to their destinations Metric Metr...

Page 191: ...ZyWALL P1 User s Guide 190 Chapter 12 Static Route...

Page 192: ...e WAN only or LAN WAN you still need to configure a firewall rule to allow access To disable remote management of a service select Disable in the corresponding Server Access field You may only have on...

Page 193: ...r SSL is a web protocol that encrypts and decrypts web pages Secure Socket Layer SSL is an application level protocol that enables secure transactions of data by ensuring confidentiality an unauthoriz...

Page 194: ...by default on the ZyWALL s WS web server Figure 86 HTTPS Implementation Note If you disable HTTP Server Access Disable in the REMOTE MGMT WWW screen then the ZyWALL blocks all HTTP connection attempt...

Page 195: ...ed to access the ZyWALL web configurator to use https ZyWALL IP Address 8443 as the URL Server Access Select a ZyWALL interface from Server Access on which incoming HTTPS access is allowed You can all...

Page 196: ...r login screen if you select No then web configurator access is blocked Figure 88 Security Alert Dialog Box Internet Explorer 13 4 2 Netscape Navigator Warning Messages When you attempt to access the...

Page 197: ...ALL s HTTPS server certificate is not one of the browser s trusted certificate authorities The issuing certificate authority of the ZyWALL s factory default certificate is the ZyWALL itself since the...

Page 198: ...ple Use this procedure to have the ZyWALL use a certificate with a common name that matches the ZyWALL s actual IP address You cannot use this procedure if you need to access the WAN port and it uses...

Page 199: ...ZyWALL P1 User s Guide 198 Chapter 13 Remote Management Figure 91 Login Screen Internet Explorer Figure 92 Login Screen Netscape...

Page 200: ...ertificate screen to create a certificate using your ZyWALL s MAC address that will be specific to this device Click CERTIFICATES to open the My Certificates screen You will see information similar to...

Page 201: ...in clear text SSH Secure Shell is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network...

Page 202: ...ryption Method Once the identification is verified both the client and server must agree on the type of encryption method to use 3 Authentication and Data Transmission After the identification is veri...

Page 203: ...connections You must have certificates already configured in the My Certificates screen click My Certificates and refer to Chapter 10 on page 151 for details Server Port You may change the server port...

Page 204: ...r or device name for the ZyWALL 2 Configure the SSH client to accept connection using SSH version 1 3 A window displays prompting you to store the host key in you computer Click Yes to continue Figure...

Page 205: ...ur SSH client program user s guide 1 Enter sftp 1 192 168 167 1 This command forces your computer to connect to the ZyWALL for secure file transfer using SSH version 1 If this is the first time you ar...

Page 206: ...pears as shown sftp 1 192 168 167 1 Connecting to 192 168 167 1 The authenticity of host 192 168 167 1 192 168 167 1 can t be established RSA1 key fingerprint is 21 6c 07 25 7e f4 75 80 ec af bd d4 3d...

Page 207: ...Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Server Access Select the interface s th...

Page 208: ...ed Note SNMP is only available if TCP IP is configured Table 73 FTP LABEL DESCRIPTION Server Port You may change the server port number for a service if needed however you must use the same port numbe...

Page 209: ...f variables include such as number of packets received node port status etc A Management Information Base MIB is a collection of managed objects SNMP allows a manager and agents to communicate for the...

Page 210: ...CRIPTION 0 coldStart defined in RFC 1215 A trap is sent after booting power on 1 warmStart defined in RFC 1215 A trap is sent after booting software reboot 4 authenticationFailure defined in RFC 1215...

Page 211: ...fault is public and allows all requests Destination Type the IP address of the station to send your SNMP traps to SNMP Service Port You may change the server port number for a service if needed howeve...

Page 212: ...that allows an administrator from any location to easily configure manage monitor and troubleshoot ZyWALL devices located worldwide See the Vantage CNM User s Guide for details Table 76 DNS LABEL DESC...

Page 213: ...Registration Status This read only field displays Not Registered when Enable is not selected It displays Registering when the ZyWALL first connects with the Vantage CNM server and then Registered aft...

Page 214: ...uter here and configure the NAT router to forward UDP port 1864 traffic to the Vantage CNM server If the Vantage CNM server is behind a firewall you may have to create a rule on the firewall to allow...

Page 215: ...ZyWALL P1 User s Guide 214 Chapter 13 Remote Management...

Page 216: ...he icon of a UPnP device will allow you to access the information and properties of that device 14 1 2 NAT Traversal UPnP NAT traversal automates the process of allowing an application to operate thro...

Page 217: ...only sends UPnP multicasts to the LAN Please see later in this User s Guide for examples of installing UPnP in Windows XP and Windows Me as well as an example of using UPnP in Windows 14 3 Configurin...

Page 218: ...he firewall Clear this check box to have the firewall block all UPnP application packets for example MSN packets Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin co...

Page 219: ...ZyWALL ignores the Internal Port value and forwards requests on all external port numbers that are otherwise unmapped to the Internal Client Protocol This field displays the protocol of the NAT mappin...

Page 220: ...anel Double click Add Remove Programs 2 Click on the Windows Setup tab and select Communication in the Components selection box Click Details 3 In the Communications window select the Universal Plug a...

Page 221: ...rt of the ZyXEL device Turn on your computer and the ZyXEL device 1 Click Start Settings and Control Panel 2 Double click Network Connections 3 In the Network Connections window click Advanced in the...

Page 222: ...nel Double click Network Connections An icon displays under Internet Gateway 2 Right click the icon and select Properties 3 In the Internet Connection Properties window click Settings to see the port...

Page 223: ...is disconnected from your computer all port mappings will be deleted automatically 4 Select the Show icon in notification area when connected check box and click OK An icon displays in the system tra...

Page 224: ...ful if you do not know the IP address of the ZyXEL device Follow the steps below to access the web configurator 1 Click Start and then Control Panel 2 Double click Network Connections 3 Select My Netw...

Page 225: ...ZyWALL P1 User s Guide 224 Chapter 14 UPnP 6 Right click the icon for your ZyXEL device and select Properties A properties window displays with basic information about the ZyXEL device...

Page 226: ...iew Log screen to see the logs for the categories that you selected in the Log Settings screen see Section 15 3 on page 227 Options include logs about system maintenance system errors access control a...

Page 227: ...P address and the port number of the incoming packet Destination This field lists the destination IP address and the port number of the incoming packet Note This field displays additional information...

Page 228: ...and so on Some categories such as System Errors consist of both logs and alerts You may differentiate them by their color in the View Log screen Alerts display in red and logs display in black Note A...

Page 229: ...ZyWALL P1 User s Guide 228 Chapter 15 Logs Screens Figure 114 Log Settings The following table describes the labels in this screen...

Page 230: ...ay of the week to send the logs Time for Sending Log Enter the time of the day in 24 hour format for example 23 00 equals 11 00 pm to send the logs SMTP Authentication SMTP Simple Mail Transfer Protoc...

Page 231: ...when an individual web page loads it may contain references to other web sites that also get counted as hits The ZyWALL records web site hits by counting the HTTP GET packets Many web sites include H...

Page 232: ...og Settings screen Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configuring this screen afresh Report Type Use the drop down list box to select the type of repo...

Page 233: ...to have the ZyWALL record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports Table 84 Web Site Hits Report LABE...

Page 234: ...puter Table 85 Protocol Port Report LABEL DESCRIPTION Protocol Port This column lists the protocols or service ports for which the most traffic has gone through the ZyWALL The protocols or service por...

Page 235: ...m the WAN to the LAN This field displays Outgoing to denote traffic that is going out from the LAN to the WAN Amount This column displays how much traffic has gone to and from the listed LAN IP addres...

Page 236: ...tab note the entry for the Computer Name field and enter it as the System Name In Windows 2000 click Start Settings Control Panel and then double click System Click the Network Identification tab and...

Page 237: ...owed but dashes and underscores _ are accepted Domain Name Enter the domain name if you know it here If you leave this field blank the ISP may assign a domain name via DHCP The domain name entered by...

Page 238: ...servers it randomly selects one server and tries to synchronize with it If the synchronization fails then the ZyWALL goes through the rest of the list in order from the first one tried until either it...

Page 239: ...e screen appears as shown Use this screen to configure the ZyWALL s time based on your local time zone Figure 121 Time and Date The following table describes the labels in this screen tock usno navy m...

Page 240: ...ton to have the ZyWALL get the time and date from the time server you specified below Time Protocol Select the time service protocol that your time server sends when you turn on the ZyWALL Not all tim...

Page 241: ...at the same moment 1 A M GMT or UTC So in the European Union you would select Last Sunday March The time you type in the o clock field depends on your time zone In Germany for instance you would type...

Page 242: ...Fail 16 5 F W Upload Screen Find firmware at www zyxel com in a file that usually uses the system model name with a bin extension e g zywall bin The upload process may take up to two minutes After a s...

Page 243: ...ocess The ZyWALL automatically restarts in this time causing a temporary network disconnect In some operating systems you may see the following icon on your desktop Table 92 Firmware Upload LABEL DESC...

Page 244: ...was not successful the following screen will appear Click Return to go back to the F W Upload screen Figure 128 Firmware Upload Error 16 6 Configuration Screen See Section 17 5 on page 254 for transfe...

Page 245: ...in case you need to return to your previous settings Click Backup to save the ZyWALL s current configuration to your computer 16 6 2 Restore Configuration Restore Configuration allows you to upload a...

Page 246: ...a temporary network disconnect In some operating systems you may see the following icon on your desktop Figure 131 Network Temporarily Disconnected If you uploaded the default configuration file you m...

Page 247: ...screen The following warning screen will appear Figure 133 Reset Warning Message You can also press the RESET button on the rear panel to reset the factory defaults of your ZyWALL Refer to Section 2...

Page 248: ...ZyWALL P1 User s Guide Chapter 16 Maintenance 247 Figure 134 Restart Screen...

Page 249: ...ZyWALL P1 User s Guide 248 Chapter 16 Maintenance...

Page 250: ...e ZyWALL s available features and functionality You can download new firmware releases from your nearest ZyXEL FTP site to use to upgrade your ZyWALL s performance 17 2 Filename Conventions The config...

Page 251: ...to transfer from the ZyWALL to the computer while upload means from your computer to the ZyWALL 17 3 1 Using the FTP Command from the Command Line 1 Launch the FTP client on your computer 2 Enter open...

Page 252: ...word 230 Logged in ftp bin 200 Type I OK ftp get rom 0 zyxel rom 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp 16384 bytes sent in 1 10Seconds 297 89Kbytes se...

Page 253: ...to restore the five minute SMT timeout default when the file transfer is complete 4 Launch the TFTP client on your computer and connect to the ZyWALL Set the transfer mode to binary before starting da...

Page 254: ...as this may PERMANENTLY DAMAGE YOUR ZyWALL When the Restore Configuration process is complete the ZyWALL will automatically restart 17 4 1 Restore Using FTP For details about backup using T FTP please...

Page 255: ...e and Configuration Files This section shows you how to upload firmware and configuration files You can upload configuration files by following the procedure in Section 17 4 on page 253 Note WARNING D...

Page 256: ...WAN 17 5 4 TFTP File Upload The ZyWALL also supports the uploading of firmware files using TFTP Trivial File Transfer Protocol over LAN Although TFTP should work over WAN as well it is not recommende...

Page 257: ...wing example please consult the documentation of your TFTP client program For UNIX use get to transfer from the ZyWALL to the computer put the other way around and binary to set binary transfer mode 1...

Page 258: ...WALL Table 97 Troubleshooting the Start Up of Your ZyWALL PROBLEM CORRECTIVE ACTION None of the LEDs turn on when you turn on the ZyWALL If supplying power via the USB port use only the included USB c...

Page 259: ...ess the ZyWALL The username is admin The default password is 1234 The Password and Username fields are case sensitive Make sure that you enter the correct password and username using the proper casing...

Page 260: ...rivacy 2 Clear the Block pop ups check box in the Pop up Blocker section of the screen This disables any web pop up blockers you may have enabled Figure 139 Internet Options 3 Click Apply to save this...

Page 261: ...to open the Pop up Blocker Settings screen Figure 140 Internet Options 3 Type the IP address of your device the web page that you do not want to have blocked with the prefix http For example http 192...

Page 262: ...Click Close to return to the Privacy screen 6 Click Apply to save this setting 18 2 1 2 JavaScripts If pages of the web configurator do not display properly in Internet Explorer check that JavaScripts...

Page 263: ...142 Internet Options 2 Click the Custom Level button 3 Scroll down to Scripting 4 Under Active scripting make sure that Enable is selected the default 5 Under Scripting of Java applets make sure that...

Page 264: ...Java Scripting 18 2 1 3 Java Permissions 1 From Internet Explorer click Tools Internet Options and then the Security tab 2 Click the Custom Level button 3 Scroll down to Microsoft VM 4 Under Java per...

Page 265: ...bleshooting Figure 144 Security Settings Java 18 2 1 3 1 JAVA Sun 1 From Internet Explorer click Tools Internet Options and then the Advanced tab 2 make sure that Use Java 2 for applet under Java Sun...

Page 266: ...connections Refer to the Quick Start Guide for LAN connection instructions Make sure the computer s Ethernet adapter is installed and functioning properly Cannot ping any computer on the LAN Check th...

Page 267: ...ess Refer to Chapter 4 on page 65 It is recommended that you clone your computer s MAC address even if your ISP presently does not require MAC address authentication If your ISP requires host name aut...

Page 268: ...r to Section 15 1 1 on page 232 for scenarios when remote management may not be possible When NAT is enabled Use the ZyWALL s WAN IP address when configuring from the WAN Use the ZyWALL s LAN IP addre...

Page 269: ...ZyWALL P1 User s Guide 268 Chapter 18 Troubleshooting...

Page 270: ...requires the purchase of a third party TCP IP application package TCP IP should already be installed on computers using Windows NT 2000 XP Macintosh OS 7 and later operating systems After the appropr...

Page 271: ...icrosoft Networks If you need the adapter 1 In the Network window click Add 2 Select Adapter and then click Add 3 Select the manufacturer and model of your network adapter and then click OK If you nee...

Page 272: ...pter s TCP IP entry and click Properties 2 Click the IP Address tab If your IP address is dynamic select Obtain an IP address automatically If you have a static IP address select Specify an IP address...

Page 273: ...se the TCP IP Properties window 6 Click OK to close the Network window Insert the Windows CD if prompted 7 Turn on your ZyWALL and restart your computer when prompted Verifying Settings 1 Click Start...

Page 274: ...r s IP Address 273 Figure 149 Windows XP Start Menu 2 In the Control Panel double click Network Connections Network and Dial up Connections in Windows 2000 NT Figure 150 Windows XP Control Panel 3 Rig...

Page 275: ...ections Properties 4 Select Internet Protocol TCP IP under the General tab in Win XP and then click Properties Figure 152 Windows XP Local Area Connection Properties 5 The Internet Protocol TCP IP Pro...

Page 276: ...re additional IP addresses In the IP Settings tab in IP addresses click Add In TCP IP Address type an IP address in IP address and a subnet mask in Subnet mask and then click Add Repeat the above two...

Page 277: ...e General tab in Windows XP Click Obtain DNS server address automatically if you do not know your DNS server IP address es If you know your DNS server IP address es click Use the following DNS server...

Page 278: ...ork Connections window Network and Dial up Connections in Windows 2000 NT 11Turn on your ZyWALL and restart your computer if prompted Verifying Settings 1 Click Start All Programs Accessories and then...

Page 279: ...g up Your Computer s IP Address Figure 156 Macintosh OS 8 9 Apple Menu 2 Select Ethernet built in from the Connect via list Figure 157 Macintosh OS 8 9 TCP IP 3 For dynamically assigned settings selec...

Page 280: ...Save if prompted to save changes to your configuration 7 Turn on your ZyWALL and restart your computer if prompted Verifying Settings Check your TCP IP properties in the TCP IP Control Panel window M...

Page 281: ...ng From the Configure box select Manually Type your IP address in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your ZyWALL in the Router address box 5 Click A...

Page 282: ...s the first two octets make up the network number and the two remaining octets make up the host ID Class C addresses begin starting from the left with 1 1 0 In a class C address the first three octets...

Page 283: ...ost ID Subnet masks are expressed in dotted decimal notation just as IP addresses are The natural masks for class A B and C IP addresses are as follows Subnetting With subnetting the class arrangement...

Page 284: ...s 192 168 1 0 with subnet mask of 255 255 255 0 The first three octets of the address make up the network number class C You want to have two separate networks Divide the network 192 168 1 0 into two...

Page 285: ...255 255 128 is the directed broadcast address for the first subnet Therefore the lowest IP address that can be assigned to an actual host for the first subnet is 192 168 1 1 and the highest is 192 168...

Page 286: ...IP Address Binary 11000000 10101000 00000001 00000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 0 Lowest Host ID 192 168 1 1 Broadcast Address 192 168 1 63 Highe...

Page 287: ...1111111 11111111 11000000 Subnet Address 192 168 1 192 Lowest Host ID 192 168 1 193 Broadcast Address 192 168 1 255 Highest Host ID 192 168 1 254 Table 115 Eight Subnets SUBNET SUBNET ADDRESS FIRST AD...

Page 288: ...ubnetting The following table is a summary for class B subnet planning Table 117 Class B Subnet Planning NO BORROWED HOST BITS SUBNET MASK NO SUBNETS NO HOSTS PER SUBNET 1 255 255 128 0 17 2 32766 2 2...

Page 289: ...ZyWALL P1 User s Guide 288 Appendix B IP Subnetting...

Page 290: ...a manner similar to dial up services using PPP Benefits of PPPoE PPPoE offers the following benefits It provides you with a familiar dial up networking DUN user interface It lessens the burden on the...

Page 291: ...ss Concentrator and tunnels the PPP frames to the ISP The L2TP tunnel is capable of carrying multiple PPP sessions With PPPoE the VC Virtual Circuit is equivalent to the dial up connection and is betw...

Page 292: ...s that it requires one separate ATM VC per destination Figure 162 Transport PPP frames over Ethernet PPTP and the ZyWALL When the ZyWALL is deployed in such a setup it appears as a computer to the ANT...

Page 293: ...ity The phone call is between the user and the PAC and the PAC tunnels the PPP frames to the PNS The PPTP user is unaware of the tunnel between the PAC and the PNS Figure 163 PPTP Protocol Overview Mi...

Page 294: ...ssage Exchange between Computer and an ANT PPP Data Connection The PPP frames are tunneled between the PNS and PAC over GRE General Routing Encapsulation RFC 1701 1702 The individual calls within a tu...

Page 295: ...ZyWALL P1 User s Guide 294 Appendix D PPTP...

Page 296: ...ng data packets between two Ethernet devices Some companies have more than one alternate route to one or more ISPs If the LAN and ISP s are in the same subnet the triangle route problem may occur The...

Page 297: ...aces with the ZyWALL being the gateway for each logical network By putting your LAN and Gateway B in different subnets all returning network traffic must pass through the ZyWALL to your LAN The follow...

Page 298: ...his ensures that all incoming network traffic passes through your ZyWALL to your LAN Therefore your LAN is protected Figure 168 Gateways on the WAN Side How To Configure Triangle Route 1 From the SMT...

Page 299: ...ZyWALL P1 User s Guide 298 Appendix E Triangle Route...

Page 300: ...P address A complete SIP identity is called a SIP URI Uniform Resource Identifier A SIP account s URI identifies the SIP account in a way similar to the way an e mail address identifies an e mail acco...

Page 301: ...P requests A SIP server responds to the SIP requests When you use SIP to make a VoIP call it originates at a client and terminates at a server A SIP client could be a computer or a SIP phone One devic...

Page 302: ...an IP address and sends the translated IP address back to the device that sent the request Then the client device that originally sent the request can send requests to the IP address that it received...

Page 303: ...ugh NAT by examining and translating IP addresses embedded in the data stream When a VoIP device SIP client behind the SIP ALG registers with the SIP register server the SIP ALG translates the device...

Page 304: ...amically creates an implicit port forwarding rule for SIP traffic from the WAN to the LAN The SIP ALG on the ZyWALL supports all NAT mapping types including One to One Many to One Many to Many Overloa...

Page 305: ...ind the ZyWALL without STUN use the ip alg enable ALG_SIP command to activate the SIP ALG Signaling Session Timeout Most SIP clients have an expire mechanism indicating the lifetime of signaling sessi...

Page 306: ...anually create any static IP routes for the remote VPN site They are not required Dynamic IPSec Rule Create a dynamic rule by setting the Secure Gateway Address to 0 0 0 0 A single dynamic rule can su...

Page 307: ...mote IP Address Start settings with your own values VPN Configuration via Web Configurator This section gives a VPN rule configuration example using the web configurator 1 Click VPN to display the fol...

Page 308: ...ZyWALL P1 User s Guide Appendix G VPN Setup 307 Figure 174 Headquarters VPN Rule Edit IP addresses on different subnets The IP address of the branch office IPSec router...

Page 309: ...P1 User s Guide 308 Appendix G VPN Setup Figure 175 Branch Office VPN Rule Edit Dialing the VPN Tunnel via Web Configurator IP addresses on different subnets The IP address of the headquarters IPSec...

Page 310: ...e dial icon in the VPN Rules screen s Modify column to have the IPSec routers set up the tunnel 1 Figure 176 VPN Rule Configured The following screen displays Figure 177 VPN Dial This screen displays...

Page 311: ...o display the first VPN menu shown next Figure 179 Menu 27 VPN IPSec Setup 2 Type 1 in menu 27 and then press ENTER to display Menu 27 1 IPSec Summary This is a summary read only menu of your IPSec ru...

Page 312: ...Press Space Bar to Toggle Menu 27 1 1 IPSec Setup Index 1 Name BRANCH Active Yes Keep Alive Yes Nat Traversal No Local ID type E MAIL Content test example com My IP Addr 0 0 0 0 Peer ID type E MAIL Co...

Page 313: ...e same on both IPSec routers Use a simple key and or copy and paste the setting into the other IPSec router to avoid typos Menu 27 1 1 IPSec Setup Index 1 Name HQ Active Yes Keep Alive Yes Nat Travers...

Page 314: ...f the IPSec routers The following steps will help you to rapidly identify and correct configuration problems Log into the SMTs of both ZyXEL IPSec routers via telnet Position the telnet windows side b...

Page 315: ...3 43 172 21 3 185 IKE Send HASH 2 09 21 2004 05 45 08 172 21 3 43 172 21 3 185 IKE Adjust TCP MSS to 1398 3 09 21 2004 05 45 07 172 21 3 185 172 21 3 43 IKE Recv HASH SA NONCE ID ID 4 09 21 2004 05 45...

Page 316: ...le 1 Original on off 2 IKE on off 3 IPSec SPI on off 4 XAUTH on off 5 CERT on off 6 All ras ipsec debug level 0 None 1 User 2 Low 3 High ras ipsec debug type 1 on ras ipsec debug type 2 on ras ipsec d...

Page 317: ...ec router at headquarters The server s IP address 192 168 10 33 is in the subnet configured in the Local Policy fields in Figure 174 on page 307 C Documents and Settings Administrator ftp 192 168 10 3...

Page 318: ...Certificate Importing the ZyWALL s Certificate into Internet Explorer For Internet Explorer to trust a self signed certificate from the ZyWALL simply import the self signed certificate into your opera...

Page 319: ...ndix H Importing Certificates Figure 187 Login Screen 2 Click Install Certificate to open the Install Certificate wizard Figure 188 Certificate General Information before Import 3 Click Next to begin...

Page 320: ...mporting Certificates 319 Figure 189 Certificate Import Wizard 1 4 Select where you would like to store the certificate and then click Next Figure 190 Certificate Import Wizard 2 5 Click Finish to com...

Page 321: ...ZyWALL P1 User s Guide 320 Appendix H Importing Certificates Figure 191 Certificate Import Wizard 3 6 Click Yes to add the ZyWALL certificate to the root store Figure 192 Root Certificate Store...

Page 322: ...ds a certificate if Authenticate Client Certificates is selected on the ZyWALL You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be acti...

Page 323: ...CA Screen The CA sends you a package containing the CA s trusted certificate s your personal certificate s and a password to install the personal certificate s Installing the CA s Certificate 1 Doubl...

Page 324: ...wizard as shown earlier in this appendix Installing Your Personal Certificate s You need a password in advance The CA may issue the password or you may have to specify it during the enrollment Double...

Page 325: ...cate Import Wizard 1 2 The file name and path of the certificate you double clicked should automatically appear in the File name text box Click Browse if you wish to import a different certificate Fig...

Page 326: ...rt Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location Figure 199 Person...

Page 327: ...6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS 1 Enter https ZyWALL IP Address in your browser s web address field Figure 202 Access...

Page 328: ...ZyWALL P1 User s Guide Appendix H Importing Certificates 327 Figure 203 SSL Client Authentication 3 You next see the ZyWALL login screen Figure 204 ZyWALL Secure Login Screen...

Page 329: ...ZyWALL P1 User s Guide 328 Appendix H Importing Certificates...

Page 330: ...it and possibly render it unusable Command Syntax The command keywords are in courier new font Enter the command keywords exactly as shown do not abbreviate The required fields in a command are enclos...

Page 331: ...ZyWALL P1 User s Guide 330 Appendix I Command Interpreter...

Page 332: ...onfig display firewall This command shows the of all the firewall settings including e mail attack and the sets rules config display firewall set set This command shows the current configuration of a...

Page 333: ...mail hour 0 23 This command sets the hour when the firewall log is sent through e mail if the ZyWALL is set to send it on an hourly daily or weekly basis config edit firewall e mail minute 0 59 This...

Page 334: ...the same destination where the ZyWALL starts dropping half open sessions to that destination Sets config edit firewall set set name desired name This command sets a name to identify a specified set C...

Page 335: ...ommand sets the ZyWALL to log traffic that matches the rule doesn t match both or neither Config edit firewall set set rule rule alert yes no This command sets whether or not the ZyWALL sends an alert...

Page 336: ...a rule to have the ZyWALL check for TCP traffic with a destination port in this range config edit firewall set set rule rule UDP destport single port This command sets a rule to have the ZyWALL check...

Page 337: ...ZyWALL P1 User s Guide 336 Appendix J Firewall Commands...

Page 338: ...ng of NetBIOS packets from the LAN to the WAN and from the WAN to the LAN Allow or disallow the sending of NetBIOS packets from the LAN to the DMZ and from the DMZ to the LAN Allow or disallow the sen...

Page 339: ...r dial This field displays whether NetBIOS packets are allowed to initiate calls Disabled means that NetBIOS packets are blocked from initiating calls Disabled type Identify which NetBIOS filter numbe...

Page 340: ...er s Guide Appendix K NetBIOS Filter Commands 339 sys filter netbios config 3 on This command blocks IPSec NetBIOS packets sys filter netbios config 4 off This command stops NetBIOS commands from init...

Page 341: ...ZyWALL P1 User s Guide 340 Appendix K NetBIOS Filter Commands...

Page 342: ...name specifies a descriptive name for the generated certification request subject specifies a subject name required and alternative name required The format is subject name dn ip dns email value If t...

Page 343: ...ve name is not specified for the imported certificate the certificate will adopt the descriptive name of the certification request export name Export the PEM encoded certificate to stdout for user to...

Page 344: ...usted CA certificate names and basic information rename old name new name Rename the specified trusted CA certificate old name specifies the name of the certificate to be renamed new name specifies th...

Page 345: ...d if required The format is login password delete name Delete the specified directory service name specifies the name of the directory server to be deleted view name View the specified directory servi...

Page 346: ...n on the command structure Example sys pwderrtm 5 This command sets the password protection to block all access attempts for five minutes after the third time an incorrect password is entered Table 12...

Page 347: ...ZyWALL P1 User s Guide 346 Appendix M Brute Force Password Guessing Protection...

Page 348: ...sful TELNET login Someone has logged on to the router via telnet TELNET login failed Someone has failed to log on to the router via telnet Successful FTP login Someone has logged on to the router via...

Page 349: ...filter settings WAN connection is down A WAN connection is down You cannot access the network through this interface Table 125 Access Control Logs LOG MESSAGE DESCRIPTION Firewall default policy TCP...

Page 350: ...nutes UDP idle timeout 3 minutes TCP connection three way handshaking timeout 270 seconds TCP FIN wait timeout 2 MSL Maximum Segment Lifetime set in the TCP header TCP idle established timeout s 150 m...

Page 351: ...P reply packet to the sender Table 129 CDR Logs LOG MESSAGE DESCRIPTION board d line d channel d call d s C01 Outgoing Call dev x ch x s The router received the setup requirements for a call call is t...

Page 352: ...The content filter server responded that the web site is in the blocked category list but it did not return the category type s s The content filter server responded that the web site is in the block...

Page 353: ...ewall detected an ICMP echo attack For type and code details see Table 140 on page 359 syn flood TCP The firewall detected a TCP syn flood attack ports scan TCP The firewall detected a TCP port scan a...

Page 354: ...led during IKE phase 2 because the router and the peer s Local Remote Addresses don t match Verifying Local ID failed The connection failed during IKE phase 2 because the router and the peer s Local R...

Page 355: ...s Remote Address This information conflicted with static rule d thus the connection is not allowed Phase 1 ID type mismatch This router s Peer ID Type is different from the peer IPSec router s Local...

Page 356: ...router and the peer Rule d Phase 2 encapsulation mismatch The listed rule s IKE phase 2 encapsulation did not match between the router and the peer Rule d Phase 2 pfs mismatch The listed rule s IKE p...

Page 357: ...t subject name The router received a certification authority certificate with subject name as recorded from the LDAP server whose IP address and port are recorded in the Source field Rcvd user cert su...

Page 358: ...Algorithm mismatch between the certificate and the search constraints 2 Key usage mismatch between the certificate and the search constraints 3 Certificate was not valid in the time interval 4 Not us...

Page 359: ...expired User logout because of user deassociation The router logged out a user who ended the session User logout because of no authentication response from user The router logged out a user from whic...

Page 360: ...WALL ACL set for packets traveling from the WAN to the WAN or the ZyWALL D to D ZW DMZ to DMZ ZyWALL ACL set for packets traveling from the DMZ to the DM or the ZyWALL Table 140 ICMP Notes TYPE CODE D...

Page 361: ...rt dst dstIP dstPort msg msg note note devID mac address last three numbers cat category This message is sent by the system RAS displays as the system name if you haven t configured one when the route...

Page 362: ...e 3 Use sys logs category followed by a log category to display the parameters that are available for the category Figure 206 Displaying Log Parameters Example 4 Use sys logs category followed by a lo...

Page 363: ...ar command to erase all of the ZyWALL s logs Log Command Example This example shows how to set the ZyWALL to record the access logs and alerts and then view the results ras sys logs load ras sys logs...

Page 364: ...te force Attack 95 BYE Request 300 C Cable Modem 92 Cables Connecting 3 5 Central Network Management 34 certificate 137 certificates 32 Client server Protocol 300 Command Line 250 Configuration 47 73...

Page 365: ...re File Maintenance 249 firmware version 43 France Contact Information 6 FTP 73 87 182 191 206 250 File Upload 254 GUI based Clients 251 Restoring Files 253 FTP File Transfer 254 FTP Restrictions 191...

Page 366: ...l 44 Negotiation Mode 63 Aggressive Mode 63 Main Mode 63 NetBIOS Network Basic Input Output System 77 80 NetBIOS commands 96 Network Address Translation NAT 34 Network Address Translators 302 Network...

Page 367: ...rity Association 59 Safety Warnings 3 Saving the State 97 Secure FTP Using SSH Example 204 Secure Gateway Address 59 Secure Telnet Using SSH Example 203 Security Association 59 63 Security Ramificatio...

Page 368: ...hake 94 Threshold Values 120 Thunderstorm 3 5 Time and Date 32 Time Zone 238 Traceroute 97 Tracing 34 Trivial File Transfer Protocol 252 U UDP ICMP Security 100 Uniform Resource Identifier 299 Univers...

Page 369: ...ZyWALL P1 User s Guide 368 Index X X Auth 132 Z ZyNOS 250 ZyXEL Limited Warranty Note 4 ZyXEL s Firewall Introduction 92...

Reviews:

No comments

Related manuals for ZyXEL ZyWALL P1

Brand: Pace Pages: 2

Brand: ICP DAS USA Pages: 7

Brand: ICP DAS USA Pages: 4

Brand: B&B Electronics Pages: 68

Brand: Ubee Pages: 6

Brand: Eaton Pages: 2

GHP Reactor Steer-by-Wire Volvo

Brand: Garmin Pages: 6

Brand: Rath Pages: 9

SBG3500-N Series

Brand: ZyXEL Communications Pages: 10

Brand: Moxa Technologies Pages: 7

Brand: THOMSON Pages: 110

Brand: AXIOMTEK Pages: 57

Brand: DoorKing Pages: 72

Brand: DAUDIN Pages: 24

Brand: Rose Point Pages: 27

SpeedStream 5450

Brand: Siemens Pages: 83

SpeedStream 6500 Series

Brand: Siemens Pages: 98

Brand: Telos Pages: 258

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands