
 www.zyxel.com

ZyWALL 2WG

Internet Security Appliance

User’s Guide

Version 4.03
12/2007
Edition 1

Summary of Contents for ZyWALL 2WG

Page 1: ...www.zyxel.com ZyWALL 2WG Internet Security Appliance User's Guide Version 4.03 12/2007 Edition 1 ...


Page 3: ...your network and configuring for Internet access. Web Configurator Online Help: Embedded web help for descriptions of individual screens and supplementary information. Supporting Disk: Refer to the included CD for support documents. ZyXEL Web Site: Please refer to www.zyxel.com for additional support documentation and product certifications. User Guide Feedback: Help us help you. Send all User Guide relate...

Page 4: ...oke is denoted by square brackets and uppercase text, for example [ENTER] means the enter or return key on your keyboard. Enter means for you to type one or more characters and then press the [ENTER] key. Select or choose means for you to use one of the predefined choices. A right angle bracket (>) within a screen name denotes a mouse click. For example, Maintenance > Log > Log Setting means you first click Mainten...

Page 5: ...s Guide 5. Icons Used in Figures: Figures in this User's Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL, Computer, Notebook computer, Server, DSLAM, Firewall, Telephone, Switch, Router ...

Page 6: ...pply voltage, for example 110V AC in North America or 230V AC in Europe. Do NOT remove the plug and connect it to a power outlet by itself; always attach the plug to the power adaptor first before connecting it to a power outlet. Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord. Do NOT use the device if the power ...

Page 7: ...vice meets ETSI and FCC certification requirements when using the included antenna(s). Only use the included antenna(s). If you wall mount your device, make sure that no electrical lines, gas or water pipes will be damaged. This product is recyclable. Dispose of it properly. ...

Page 8: ...Safety Warnings ZyWALL 2WG User s Guide 8 ...

Page 9: ...eens 159, WAN Screens 165, DMZ Screens 201, Wireless LAN 211, Security 237, Firewall 239, Content Filtering Screens 271, Content Filtering Reports 293, IPSec VPN 301, Certificates 349, Authentication Server 379, Advanced 383, Network Address Translation (NAT) 385, Static Route 401, Policy Route 405, Bandwidth Management 411, DNS 427, Remote Management 439, UPnP 461, Custom Application 471, ALG Screen 473, Logs and Maint...

Page 10: ...3 IP Static Route Setup 591, Network Address Translation (NAT) 595, Introducing the ZyWALL Firewall 615, Filter Configuration 617, SNMP Configuration 633, System Information Diagnosis 635, Firmware and Configuration File Maintenance 647, System Maintenance Menus 8 to 10 661, Remote Management 669, IP Policy Routing 673, Call Scheduling 681, Troubleshooting and Specifications 685, Troubleshooting 687, Product Spe...

Page 11: ...WALL 54, 1.4 Applications for the ZyWALL 54, 1.4.1 Secure Broadband Internet Access via Cable or DSL Modem 54, 1.4.2 VPN Application 55, 1.4.3 3G WAN Application 55, 1.4.4 Front Panel Lights 56, Chapter 2 Introducing the Web Configurator 57, 2.1 Web Configurator Overview 57, 2.2 Accessing the ZyWALL Web Configurator 57, 2.3 Resetting the ZyWALL 59, 2.3.1 Procedure To Use The Reset Button 59, 2.3.2 Uploading ...

Page 12: ...us Summary 96, 3.8 VPN Wizard Setup Complete 99, Chapter 4 Tutorial 101, 4.1 Security Settings for VPN Traffic 101, 4.1.1 Firewall Rule for VPN Example 101, 4.1.2 Configuring the VPN Rule 102, 4.1.3 Configuring the Firewall Rules 105, 4.2 Using NAT with Multiple Public IP Addresses 109, 4.2.1 Example Parameters and Scenario 109, 4.2.2 Configuring the WAN Connection with a Static IP Address 110, 4.2.3 Public...

Page 13: ...ce 143, Part II Network and Wireless 145, Chapter 6 LAN Screens 147, 6.1 LAN, WAN and the ZyWALL 147, 6.2 IP Address and Subnet Mask 147, 6.2.1 Private IP Addresses 148, 6.3 DHCP 149, 6.3.1 IP Pool Setup 149, 6.4 RIP Setup 149, 6.5 Multicast 149, 6.6 WINS 150, 6.7 LAN 150, 6.8 LAN Static DHCP 153, 6.9 LAN IP Alias 154, 6.10 LAN Port Roles 156, Chapter 7 Bridge Screens 159, 7.1 Bridge Loop 159, 7.2 Spanning Tree Pro...

Page 14: ... DNS Server Address Assignment 177, 8.11 WAN MAC Address 178, 8.12 WAN 1 178, 8.12.1 WAN Ethernet Encapsulation 178, 8.12.2 PPPoE Encapsulation 181, 8.12.3 PPTP Encapsulation 184, 8.13 WAN 2 (3G WAN) 187, 8.14 Traffic Redirect 193, 8.15 Configuring Traffic Redirect 194, 8.16 Configuring Dial Backup 195, 8.17 Advanced Modem Setup 197, 8.17.1 AT Command Strings 197, 8.17.2 DTR Signal 198, 8.17.3 Response Strings 1...

Page 15: ... 8.3 IEEE 802.1x Only 230, 10.8.4 IEEE 802.1x Static WEP 231, 10.8.5 WPA, WPA2, WPA2-MIX 232, 10.8.6 WPA-PSK, WPA2-PSK, WPA2-PSK-MIX 233, 10.9 MAC Filter 235, Part III Security 237, Chapter 11 Firewall 239, 11.1 Firewall Overview 239, 11.2 Packet Direction Matrix 240, 11.3 Packet Direction Examples 242, 11.3.1 To VPN Packet Direction 243, 11.3.2 From VPN Packet Direction 244, 11.3.3 From VPN To VPN Packet Directi...

Page 16: ... 6 Content Filter Policy External Database 278, 12.7 Content Filter Policy Customization 285, 12.8 Content Filter Policy Schedule 287, 12.9 Content Filter Object 288, 12.10 Customizing Keyword Blocking URL Checking 290, 12.10.1 Domain Name or IP Address URL Checking 290, 12.10.2 Full Path URL Checking 291, 12.10.3 File Name URL Checking 291, 12.11 Content Filtering Cache 291, Chapter 13 Content Filtering R...

Page 17: ...rameter Index (SPI) 333, 14.14 VPN Rules Manual 333, 14.15 VPN Rules Manual Edit 335, 14.16 VPN SA Monitor 338, 14.17 VPN Global Setting 338, 14.17.1 Local and Remote IP Address Conflict Resolution 338, 14.18 Telecommuter VPN/IPSec Examples 341, 14.18.1 Telecommuters Sharing One VPN Rule Example 342, 14.18.2 Telecommuters Using Unique VPN Rules Example 342, 14.19 VPN and Remote Management 344, 14.20 Hub and s...

Page 18: ...6.1 Authentication Server Overview 379, 16.1.1 Local User Database 379, 16.1.2 RADIUS 379, 16.2 Local User Database 379, 16.3 RADIUS 381, Part IV Advanced 383, Chapter 17 Network Address Translation (NAT) 385, 17.1 NAT Overview 385, 17.1.1 NAT Definitions 385, 17.1.2 What NAT Does 386, 17.1.3 How NAT Works 386, 17.1.4 NAT Application 387, 17.1.5 Port Restricted Cone NAT 388, 17.1.6 NAT Mapping Types 388, 17.2 Usi...

Page 19: ...ers 411, 20.3 Proportional Bandwidth Allocation 412, 20.4 Application-based Bandwidth Management 412, 20.5 Subnet-based Bandwidth Management 412, 20.6 Application and Subnet-based Bandwidth Management 412, 20.7 Scheduler 413, 20.7.1 Priority-based Scheduler 413, 20.7.2 Fairness-based Scheduler 413, 20.7.3 Maximize Bandwidth Usage 413, 20.7.4 Reserving Bandwidth for Non-Bandwidth Class Traffic 413, 20.7.5 Ma...

Page 20: ...iguring Dynamic DNS 437, Chapter 22 Remote Management 439, 22.1 Remote Management Overview 439, 22.1.1 Remote Management Limitations 440, 22.1.2 System Timeout 440, 22.2 WWW (HTTP and HTTPS) 440, 22.3 WWW 441, 22.4 HTTPS Example 443, 22.4.1 Internet Explorer Warning Messages 443, 22.4.2 Netscape Navigator Warning Messages 443, 22.4.3 Avoiding the Browser Warning Messages 444, 22.4.4 Login Screen 445, 22.5 SSH 4...

Page 21: ...2, 23.2 Configuring UPnP 462, 23.3 Displaying UPnP Port Mapping 463, 23.4 Installing UPnP in Windows Example 464, 23.4.1 Installing UPnP in Windows Me 465, 23.4.2 Installing UPnP in Windows XP 466, 23.5 Using UPnP in Windows XP Example 466, 23.5.1 Auto-discover Your UPnP-enabled Network Device 467, 23.5.2 Web Configurator Easy Access 468, Chapter 24 Custom Application 471, 24.1 Custom Application 471, 24.2 Cu...

Page 22: ... 4 System Reports Specifications 492, 26.5 Log Descriptions 492, 26.6 Syslog Logs 508, Chapter 27 Maintenance 511, 27.1 Maintenance Overview 511, 27.2 General Setup and System Name 511, 27.2.1 General Setup 511, 27.3 Configuring Password 512, 27.4 Time and Date 513, 27.5 Pre-defined NTP Time Server Pools 516, 27.5.1 Resetting the Time 516, 27.5.2 Time Server Synchronization 516, 27.6 Introduction To Transpare...

Page 23: ...l Setup 539, 29.1 Introduction to General Setup 539, 29.2 Configuring General Setup 539, 29.2.1 Configuring Dynamic DNS 541, Chapter 30 WAN and Dial Backup Setup 545, 30.1 Introduction to WAN, 3G WAN and Dial Backup Setup 545, 30.2 WAN Setup 545, 30.3 Dial Backup 546, 30.3.1 Configuring Dial Backup in Menu 2 546, 30.3.2 Advanced WAN Setup 547, 30.3.3 Remote Node Profile (Backup ISP) 549, 30.3.4 Editing TCP/IP O...

Page 24: ...71, 33.2 DMZ Port Filter Setup 571, 33.3 TCP/IP Setup 572, 33.3.1 IP Address 572, 33.3.2 IP Alias Setup 573, Chapter 34 Route Setup 575, 34.1 Configuring Route Setup 575, 34.2 Route Assessment 575, 34.3 Traffic Redirect 576, 34.4 Route Failover 577, Chapter 35 Wireless Setup 579, 35.1 TCP/IP Setup 579, 35.1.1 IP Address 579, 35.1.2 IP Alias Setup 580, Chapter 36 Remote Node Setup 583, 36.1 Introduction to Remote...

Page 25: ...Application Programs 610, 38.5 Trigger Port Forwarding 612, 38.5.1 Two Points To Remember About Trigger Ports 612, Chapter 39 Introducing the ZyWALL Firewall 615, 39.1 Using ZyWALL SMT Menus 615, 39.1.1 Activating the Firewall 615, Chapter 40 Filter Configuration 617, 40.1 Introduction to Filters 617, 40.1.1 The Filter Structure of the ZyWALL 618, 40.2 Configuring a Filter Set 620, 40.2.1 Configuring a Filt...

Page 26: ...ns 647, 43.3 Backup Configuration 648, 43.3.1 Backup Configuration 648, 43.3.2 Using the FTP Command from the Command Line 649, 43.3.3 Example of FTP Commands from the Command Line 649, 43.3.4 GUI-based FTP Clients 650, 43.3.5 File Maintenance Over WAN 650, 43.3.6 Backup Configuration Using TFTP 650, 43.3.7 TFTP Command Example 651, 43.3.8 GUI-based TFTP Clients 651, 43.3.9 Backup Via Console Port 651, 43.4 ...

Page 27: ...2, 44.1.2 Command Usage 662, 44.2 Call Control Support 663, 44.2.1 Budget Management 663, 44.2.2 Call History 664, 44.3 Time and Date Setting 665, Chapter 45 Remote Management 669, 45.1 Remote Management 669, 45.1.1 Remote Management Limitations 671, Chapter 46 IP Policy Routing 673, 46.1 IP Routing Policy Summary 673, 46.2 IP Routing Policy Setup 674, 46.2.1 Applying Policy to Packets 676, 46.3 IP Policy Rout...

Page 28: ...er Adaptor Specifications 699, 49.6 Cable Pin Assignments 700, Part VIII Appendices and Index 703, Appendix A Pop-up Windows, JavaScripts and Java Permissions 705, Appendix B Setting up Your Computer's IP Address 713, Appendix C IP Addresses and Subnetting 729, Appendix D Common Services 737, Appendix E Wireless LANs 741, Appendix F Importing Certificates 755, Appendix G Legal Information 765, Appendix H Cus...

Page 29: ...ure 19 ISP Parameters: PPTP Encapsulation 85, Figure 20 Internet Access Wizard Second Screen 86, Figure 21 Internet Access Setup Complete 87, Figure 22 Internet Access Wizard Registration 88, Figure 23 Internet Access Wizard Registration in Progress 89, Figure 24 Internet Access Wizard Status 89, Figure 25 Internet Access Wizard Registration Failed 89, Figure 26 Internet Access Wizard Registered Device 90...

Page 30: ...9, Figure 60 Tutorial Example: NAT Port Forwarding 120, Figure 61 Tutorial Example: Forwarding Incoming FTP Traffic to a Local Computer 120, Figure 62 Tutorial Example: Firewall Default Rule 121, Figure 63 Tutorial Example: Firewall Rule WAN1 to LAN 121, Figure 64 Tutorial Example: Firewall Rule WAN to LAN Address Edit for Web Server 122, Figure 65 Tutorial Example: Firewall Rule WAN to LAN Service Edit for W...

Page 31: ...idge Connected to Wired LAN 159, Figure 101 NETWORK Bridge 162, Figure 102 NETWORK Bridge Port Roles 164, Figure 103 Port Roles Change Complete 164, Figure 104 Least Load First Example 167, Figure 105 Weighted Round Robin Algorithm Example 168, Figure 106 Spillover Algorithm Example 168, Figure 107 Different WAN IP Addresses 169, Figure 108 NETWORK WAN General 171, Figure 109 Load Balancing: Least Load Firs...

Page 32: ...Rule (Router Mode) 240, Figure 146 Default Block Traffic From WAN1 to DMZ Example 241, Figure 147 From LAN to VPN Example 243, Figure 148 Block DMZ to VPN Traffic by Default Example 244, Figure 149 From VPN to LAN Example 245, Figure 150 Block VPN to LAN Traffic by Default Example 246, Figure 151 From VPN to VPN Example 247, Figure 152 Block VPN to VPN Traffic by Default Example 247, Figure 153 Blocking All...

Page 33: ... 186 Global Report Screen Example 297, Figure 187 Requested URLs Example 298, Figure 188 Web Page Review Process Screen 299, Figure 189 VPN Example 301, Figure 190 VPN: IKE SA and IPSec SA 302, Figure 191 Gateway and Network Policies 303, Figure 192 IPSec Fields Summary 303, Figure 193 SECURITY VPN VPN Rules (IKE) 304, Figure 194 IKE SA: Main Negotiation Mode, Steps 1-2: IKE SA Proposal 305, Figure 195 IKE SA: Ma...

Page 34: ...re 230 SECURITY CERTIFICATES My Certificates Create (Advanced) 361, Figure 231 SECURITY CERTIFICATES Trusted CAs 365, Figure 232 SECURITY CERTIFICATES Trusted CAs Details 367, Figure 233 SECURITY CERTIFICATES Trusted CAs Import 370, Figure 234 SECURITY CERTIFICATES Trusted Remote Hosts 371, Figure 235 SECURITY CERTIFICATES Trusted Remote Hosts Import 372, Figure 236 SECURITY CERTIFICATES Trusted Remote Ho...

Page 35: ...TPS Implementation 441, Figure 272 ADVANCED REMOTE MGMT WWW 442, Figure 273 Security Alert Dialog Box (Internet Explorer) 443, Figure 274 Security Certificate 1 (Netscape) 444, Figure 275 Security Certificate 2 (Netscape) 444, Figure 276 Example: Lock Denoting a Secure Connection 445, Figure 277 Replace Certificate 446, Figure 278 Device-specific Certificate 446, Figure 279 Common ZyWALL Certificate 447, Figure 2...

Page 36: ...e Mode (Router Mode) 519, Figure 316 MAINTENANCE Device Mode (Bridge Mode) 520, Figure 317 MAINTENANCE Firmware Upload 521, Figure 318 Firmware Upload In Process 522, Figure 319 Network Temporarily Disconnected 522, Figure 320 Firmware Upload Error 523, Figure 321 MAINTENANCE Backup and Restore 523, Figure 322 Configuration Upload Successful 524, Figure 323 Network Temporarily Disconnected 524, Figure 324 Conf...

Page 37: ...5, Figure 361 Menu 6.1 Route Assessment 575, Figure 362 Menu 6.2 Traffic Redirect 576, Figure 363 Menu 6.3 Route Failover 577, Figure 364 Menu 7 WLAN Setup 579, Figure 365 Menu 7.2 TCP/IP and DHCP Ethernet Setup 580, Figure 366 Menu 7.2.1 IP Alias Setup 581, Figure 367 Menu 11 Remote Node Setup 583, Figure 368 Menu 11.1 Remote Node Profile for Ethernet Encapsulation 584, Figure 369 Menu 11.1 Remote Node Pr...

Page 38: ...g Packet Filtering Process 617, Figure 404 Filter Rule Process 619, Figure 405 Menu 21 Filter and Firewall Setup 620, Figure 406 Menu 21.1 Filter Set Configuration 620, Figure 407 Menu 21.1.1.1 TCP/IP Filter Rule 622, Figure 408 Executing an IP Filter 624, Figure 409 Menu 21.1.1.1 Generic Filter Rule 625, Figure 410 Telnet Filter Example 626, Figure 411 Example Filter Menu 21.1.3.1 627, Figure 412 Example ...

Page 39: ...ile Upload 657, Figure 444 Menu 24.7.1 As Seen Using the Console Port 659, Figure 445 Example Xmodem Upload 659, Figure 446 Menu 24.7.2 As Seen Using the Console Port 660, Figure 447 Example Xmodem Upload 660, Figure 448 Command Mode in Menu 24 661, Figure 449 Valid Commands 662, Figure 450 Call Control 663, Figure 451 Budget Management 664, Figure 452 Call History 665, Figure 453 Menu 24 System Maintenance...

Page 40: ... Internet Protocol (TCP/IP) Properties 721, Figure 489 Macintosh OS 8/9: Apple Menu 722, Figure 490 Macintosh OS 8/9: TCP/IP 722, Figure 491 Macintosh OS X: Apple Menu 723, Figure 492 Macintosh OS X: Network 724, Figure 493 Red Hat 9.0: KDE Network Configuration: Devices 725, Figure 494 Red Hat 9.0: KDE Ethernet Device: General 725, Figure 495 Red Hat 9.0: KDE Network Configuration: DNS 726, Figure 496 Red Hat 9.0: KD...

Page 41: ...ation after Import 759, Figure 519 ZyWALL Trusted CA Screen 760, Figure 520 CA Certificate Example 761, Figure 521 Personal Certificate Import Wizard 1 761, Figure 522 Personal Certificate Import Wizard 2 762, Figure 523 Personal Certificate Import Wizard 3 762, Figure 524 Personal Certificate Import Wizard 4 763, Figure 525 Personal Certificate Import Wizard 5 763, Figure 526 Personal Certificate Import ...


Page 43: ...rd Registration 88, Table 16 VPN Wizard Gateway Setting 91, Table 17 VPN Wizard Network Setting 92, Table 18 VPN Wizard IKE Tunnel Setting 94, Table 19 VPN Wizard IPSec Setting 96, Table 20 VPN Wizard VPN Status 97, Table 21 REGISTRATION 142, Table 22 REGISTRATION Service 144, Table 23 NETWORK LAN 151, Table 24 NETWORK LAN Static DHCP 154, Table 25 NETWORK LAN IP Alias 156, Table 26 NETWORK LAN Port Roles 15...

Page 44: ...le 60 WIRELESS Wi-Fi Security: WEP 230, Table 61 WIRELESS Wi-Fi Security: 802.1x Only 230, Table 62 WIRELESS Wi-Fi Security: 802.1x Static WEP 231, Table 63 WIRELESS Wi-Fi Security: WPA, WPA2 or WPA2-MIX 233, Table 64 WIRELESS Wi-Fi Security: WPA(2)-PSK 234, Table 65 WIRELESS Wi-Fi MAC Filter 235, Table 66 Blocking All LAN to WAN IRC Traffic Example 249, Table 67 Limited LAN to WAN IRC Traffic Example 249, Table...

Page 45: ...rtificates Import 358, Table 101 SECURITY CERTIFICATES My Certificates Import PKCS#12 359, Table 102 SECURITY CERTIFICATES My Certificates Create 361, Table 103 SECURITY CERTIFICATES Trusted CAs 365, Table 104 SECURITY CERTIFICATES Trusted CAs Details 367, Table 105 SECURITY CERTIFICATES Trusted CAs Import 370, Table 106 SECURITY CERTIFICATES Trusted Remote Hosts 371, Table 107 SECURITY CERTIFICATES Trus...

Page 46: ... Name Server Record 433, Table 140 ADVANCED DNS Cache 434, Table 141 ADVANCED DNS DHCP 435, Table 142 ADVANCED DNS DDNS 437, Table 143 ADVANCED REMOTE MGMT WWW 442, Table 144 ADVANCED REMOTE MGMT SSH 449, Table 145 ADVANCED REMOTE MGMT Telnet 453, Table 146 ADVANCED REMOTE MGMT FTP 454, Table 147 SNMP Traps 456, Table 148 ADVANCED REMOTE MGMT SNMP 457, Table 149 ADVANCED REMOTE MGMT DNS 458, Table 150 ADVANC...

Page 47: ...Mode (Bridge Mode) 520, Table 190 MAINTENANCE Firmware Upload 522, Table 191 Restore Configuration 524, Table 192 MAINTENANCE Diagnostics 527, Table 193 Main Menu Commands 533, Table 194 Main Menu Summary 534, Table 195 SMT Menus Overview 535, Table 196 Menu 1 General Setup (Router Mode) 539, Table 197 Menu 1 General Setup (Bridge Mode) 540, Table 198 Menu 1.1 Configure Dynamic DNS 541, Table 199 Menu 1.1.1 DDNS ...

Page 48: ...04, Table 229 Menu 15.3.1 Trigger Port Setup 613, Table 230 Abbreviations Used in the Filter Rules Summary Menu 621, Table 231 Rule Abbreviations Used 621, Table 232 Menu 21.1.1.1 TCP/IP Filter Rule 622, Table 233 Generic Filter Rule Menu Fields 625, Table 234 SNMP Configuration Menu Fields 633, Table 235 SNMP Traps 634, Table 236 System Maintenance Status Menu Fields 636, Table 237 Fields in System Mainte...

Page 49: ... ID Example 730, Table 261 Subnet Masks 731, Table 262 Maximum Host Numbers 731, Table 263 Alternative Subnet Mask Notation 731, Table 264 Subnet 1 733, Table 265 Subnet 2 734, Table 266 Subnet 3 734, Table 267 Subnet 4 734, Table 268 Eight Subnets 734, Table 269 24-bit Network Number Subnet Planning 735, Table 270 16-bit Network Number Subnet Planning 735, Table 271 Commonly Used Services 737, Table 272 IEEE...


Page 51: ...51 PART I Introduction: Getting to Know Your ZyWALL 53, Introducing the Web Configurator 57, Wizard Setup 81, Tutorial 101, Registration 141 ...


Page 53: ...AT, port forwarding, policy routing, DHCP server and many other powerful features. The ZyWALL has a built-in wireless card that allows IEEE 802.11a, IEEE 802.11b or IEEE 802.11g compatible clients to securely communicate with the ZyWALL and access the wired network behind it. You can use the wireless card as part of the LAN, DMZ or WLAN. Note: Only use firmware for your ZyWALL's specific model. See Chapter ...

Page 54: ...e becomes unstable or even crashes. If you forget your password, you will have to reset the ZyWALL to its factory default settings. If you backed up an earlier configuration file, you would not have to totally re-configure the ZyWALL. You could simply restore your last configuration. 1.4 Applications for the ZyWALL: Here are some examples of what you can do with your ZyWALL. 1.4.1 Secure Broadband Interne...

Page 55: ...etween sites. Figure 2 VPN Application. 1.4.3 3G WAN Application: Insert a 3G card to have the ZyWALL in router mode wirelessly access the Internet via a 3G base station. See Section 8.13 on page 187 for more information about 3G. With both the primary WAN (physical WAN port) and 3G WAN connections enabled, you can use load balancing to improve quality of service and maximize bandwidth utilization, or set ...

Page 56: ...nection is not ready or has failed. Green On: The ZyWALL has a successful 10Mbps WAN connection. Flashing: The 10M WAN is sending or receiving packets. Orange On: The ZyWALL has a successful 100Mbps WAN connection. Flashing: The 100M WAN is sending or receiving packets. AUX Green Off: The backup port is not connected. On: The backup port is connected. Flashing: The backup port is sending or receiving packets. WL...

Page 57: ...Web pop-up blocking is enabled by default in Windows XP SP (Service Pack) 2. JavaScripts enabled by default. Java permissions enabled by default. See Appendix A on page 705 if you want to make sure these functions are allowed in Internet Explorer or Netscape Navigator. 2.2 Accessing the ZyWALL Web Configurator: By default, the packets from WLAN to WLAN/ZyWALL are dropped and users cannot configure the ZyW...

Page 58: ...ate a certificate using your ZyWALL's MAC address that will be specific to this device. If you do not replace the default certificate here or in the CERTIFICATES screen, this screen displays every time you access the web configurator. Figure 6 Replace Certificate Screen. 7 You should now see the HOME screen (see Figure 9 on page 61). The management session automatically times out when the time period set...

Page 59: ...f. 3 While pressing the RESET button, turn the ZyWALL on. 4 Continue to hold the RESET button. The PWR LED will begin to blink and flicker very quickly after about 20 seconds. This indicates that the defaults have been restored and the ZyWALL is now restarting. 5 Release the RESET button and wait for the ZyWALL to finish restarting. 2.3.2 Uploading a Configuration File Via Console Port: 1 Download the def...

Page 60: ...een is divided into these parts: A title bar, B main window, C navigation panel, D status bar. 2.4.1 Title Bar: The title bar provides some icons in the upper right corner. The icons provide the following functions. Table 2 Title Bar: Web Configurator Icons. ICON DESCRIPTION. Wizard: Click this icon to open one of the web configurator wizards. See Chapter 3 on page 81 for more information. Help: Click th...

Page 61: ...OME screen is displayed. The screen varies according to the device mode you select in the MAINTENANCE Device Mode screen. 2.4.3 HOME Screen (Router Mode): The following screen displays when the ZyWALL is set to router mode. This screen displays general status information about the ZyWALL. The ZyWALL is set to router mode by default. WAN 2 refers to the 3G card on the supported ZyWALL in router mode. Figure...

Page 62: ...eld label to go to the screen where you can modify the ZyWALL's date and time settings. Device Mode: This displays whether the ZyWALL is functioning as a router or a bridge. Click the field label to go to the screen where you can configure the ZyWALL as a router or a bridge. Firewall: This displays whether or not the ZyWALL's firewall is activated. Click the field label to go to the screen where you can...

Page 63: ...on. Static displays if the WAN port is using a manually entered static (fixed) IP address. For the LAN, WLAN or DMZ: DHCP server displays when the ZyWALL is set to automatically give IP address information to the computers connected to the LAN. DHCP relay displays when the ZyWALL is set to forward IP address assignment requests to another DHCP server. Static displays if the LAN port is using a manually en...

Page 64: ...dio signal and is in dormant state to reduce bandwidth usage. Signal Strength: This displays the signal strength of the wireless network in dBm. The status bar shows the strength of the signal. The signal strength mainly depends on the antenna output power and the distance between your ZyWALL and the service provider's base station. You can see a signal strength indication even when the ZyWALL does not...

Page 65: ... configured budget control. Select this option to have the ZyWALL do budget calculation starting from 0 but use the previous settings. Resume budget control: This field displays if you have enabled budget control but insert a 3G card with a different user account from the one for which you configured budget control. Select this option to have the ZyWALL keep the existing statistics and continue counti...

Page 66: ...dentify the ZyWALL in the wireless LAN. Bridge to: This displays whether the wireless LAN card is used as part of the LAN, DMZ or WLAN. 802.11 mode: This displays the wireless standard (802.11a, 802.11b, 802.11g or 802.11b/g) of the wireless LAN. Channel: This displays the radio channel the ZyWALL is currently using for the wireless LAN. Security mode: This shows the type of wireless security the ZyWALL is usi...

Page 67: ...n order to access the ZyWALL for management. If you connect your computer directly to the ZyWALL, you also need to assign your computer a static IP address in the same subnet as the ZyWALL's IP address in order to access the ZyWALL. You can use the firewall and VPN in bridge mode. See the user's guide for a list of other features that are available in bridge mode. Figure 10 Web Configurator HOME Screen...

Page 68: ...ivated. Click the field label to go to the screen where you can turn the firewall on or off. System Resources: Flash: The first number shows how many megabytes of the flash the ZyWALL is using. Memory: The first number shows how many megabytes of the heap memory the ZyWALL is using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running...

Page 69: ... cost of transmitting a frame from the root bridge to the corresponding port. Security Services: Content Filter Expiration Date: This is the date the category-based content filtering service subscription expires. Click the field label to go to the screen where you can update your service subscription. Web Site Blocked: This displays how many web site hits the ZyWALL has blocked since it last started up. ...

Page 70: ... to display the active VPN connections. Bandwidth: Click Bandwidth to view the ZyWALL's bandwidth usage and allotments. Table 4 Web Configurator HOME Screen in Bridge Mode (continued). LABEL DESCRIPTION. Table 5 Bridge and Router Mode Features Comparison. FEATURE, BRIDGE MODE, ROUTER MODE: Internet Access Setup Wizard Y; VPN Setup Wizard Y Y; Port Statistics Y Y; DHCP Table Y; Registration Y Y; LAN Y; WAN Y; DMZ Y ...

Page 71: ...dge: Use this screen to change the bridge settings on the ZyWALL. Port Roles: Use this screen to change the LAN/DMZ/WLAN port roles on the ZyWALL. WAN General: This screen allows you to configure load balancing, route priority and connection test. WAN1: Use this screen to configure the WAN1 connection for Internet access. 3G (WAN 2): Use this screen to configure the WAN2 connection for Internet access. Traffic...

Page 72: ...for external database content filtering and view reports. Customization: Use this screen to customize the content filter list. Cache: Use this screen to view and configure the ZyWALL's URL caching. VPN: VPN Rules (IKE): Use this screen to configure VPN connections using IKE key management and view the rule summary. VPN Rules (Manual): Use this screen to configure VPN connections using manual key management and...

Page 73: ...screen to configure through which interface(s) and from which IP address(es) users can use HTTPS or HTTP to manage the ZyWALL. SSH: Use this screen to configure through which interface(s) and from which IP address(es) users can use Secure Shell to manage the ZyWALL. TELNET: Use this screen to configure through which interface(s) and from which IP address(es) users can use Telnet to manage the ZyWALL. FTP: Use...

Page 74: ...TENANCE General: This screen contains administrative... Password: Use this screen to change your password. Time and Date: Use this screen to change your ZyWALL's time and date. Device Mode: Use this screen to configure and have your ZyWALL work as a router or a bridge. F/W Upload: Use this screen to upload firmware to your ZyWALL. Backup & Restore: Use this screen to backup and restore the configuration or reset...

Page 75: ...l if you're using PPPoE encapsulation. Dial backup is not available in bridge mode. For the LAN, DMZ and WLAN ports, this displays the port speed and duplex setting. For the WLAN card, this displays the transmission rate when WLAN is enabled or Down when WLAN is disabled. TxPkts: This is the number of transmitted packets on this port. RxPkts: This is the number of received packets on this port. Collisions: Th...

Page 76: ...r. Figure 13 HOME DHCP Table. The following table describes the labels in this screen. Table 8 HOME Show Statistics: Line Chart. LABEL DESCRIPTION. Click the icon to go back to the Show Statistics screen. Port: Select the check box(es) to display the throughput statistics of the corresponding interface(s). B/s: Specify the direction of the traffic for which you want to show throughput statistics in this table...

Page 77: ... the check box in the heading row to automatically select all check boxes, or select the check box(es) in each entry to have the ZyWALL always assign the selected entry(ies)'s IP address(es) to the corresponding MAC address(es) and host name(s). You can select up to 128 entries in this table. After you click Apply, the MAC address and IP address also display in the corresponding LAN, DMZ or WLAN Static DHCP...

Page 78: ...not update the screen statistics. Refresh: Click this button to update the screen's statistics immediately. Table 10 HOME VPN Status. LABEL DESCRIPTION. Table 11 ADVANCED BW MGMT Monitor. LABEL DESCRIPTION. Interface: Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes. Class: This field displays the name of the bandwidth class. A Default Class automatically d...

Page 79: ...cally at the end of every time interval or to not update the screen statistics. Refresh: Click this button to update the screen's statistics immediately. A. If you allocate all the root class's bandwidth to the bandwidth classes, the default class still displays a budget of 2 kbps, the minimum amount of bandwidth that can be assigned to a bandwidth class. Table 11 ADVANCED BW MGMT Monitor. LABEL DESCRIPTI...


Page 81: ...zards you can select: Internet Access Setup: Click this link to open a wizard to set up an Internet connection for WAN 1 (the WAN port on the ZyWALL in router mode). VPN Setup: Use VPN SETUP to configure a VPN connection that uses a pre-shared key. If you want to set the rule to use a certificate, please go to the VPN screens for configuration. See Section 3.3 on page 90. Figure 16 Wizard Setup Welcome. 3.2 ...

Page 82: ...t number. Choose Ethernet when the WAN port is used as a regular Ethernet. Figure 17 ISP Parameters: Ethernet Encapsulation. The following table describes the labels in this screen. Table 12 ISP Parameters: Ethernet Encapsulation. LABEL DESCRIPTION. ISP Parameters for Internet Access: Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or...

Page 83: ...dress: Enter your WAN IP address in this field. My WAN IP Subnet Mask: Enter the IP subnet mask in this field. Gateway IP Address: Enter the gateway IP address in this field. First DNS Server / Second DNS Server: Enter the DNS server's IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP ad...

Page 84: ...Type the password associated with the user name above. Retype to Confirm: Type your password again for confirmation. Nailed Up: Select Nailed Up if you do not want the connection to time out. Idle Timeout: Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server. The default time is 100 seconds. WAN IP Address Assignment: IP Address Assignment: Select Dynamic i...

Page 85: ... User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection User Name Type the user name given to you by your ISP Password Type the password associated with the User Name above Retype to Confirm Type your password again for confirmation Nailed Up Select Nailed Up if you do not want the connection to time out Idle Timeout Type the time in seconds that elapses b...

Page 86: ...N My ISP This field is optional and depends on the requirements of your xDSL modem WAN IP Address Assignment IP Address Assignment Select Dynamic If your ISP did not assign you a fixed IP address This is the default selection Select Static If the ISP assigned a fixed IP address The fields below are available only when you select Static My WAN IP Address Enter your WAN IP address in this field Firs...

Page 87: ...reen see Figure 20 on page 86 the following screen displays Use this screen to register the ZyWALL with myZyXEL com You must register your ZyWALL before you can activate trial applications of services like content filtering anti spam anti virus and IDP If you want to activate a standard service with your iCard s PIN number license key use the REGISTRATION Service screen ...

Page 88: ...om account If you already have an account at myZyXEL com select this option and enter your user name and password in the fields below to register your ZyWALL User Name Enter a user name for your myZyXEL com account The name should be from six to 20 alphanumeric characters and the underscore Spaces are not allowed Check Click this button to check with the myZyXEL com database to verify the user nam...

Page 89: ...e registration and service subscription status Click Close to leave the wizard screen when the registration and activation are done Figure 24 Internet Access Wizard Status The following screen appears if the registration was not successful Click Return to go back to the Device Registration screen and check your settings Figure 25 Internet Access Wizard Registration Failed ...

Page 90: ...lications are activated after you click Next Figure 26 Internet Access Wizard Registered Device Figure 27 Internet Access Wizard Activated Services 3 3 VPN Wizard Gateway Setting Use this screen to name the VPN gateway policy IKE SA and identify the IPSec routers at either end of the VPN tunnel Click VPN Setup in the Wizard Setup Welcome screen Figure 16 on page 81 to open the VPN configuration wi...

Page 91: ... Active Active the ZyWALL uses the IP address static or dynamic of the primary highest priority WAN interface to set up the VPN tunnel as long as the corresponding WAN1 or WAN2 connection is up If the corresponding WAN1 or WAN2 connection goes down the ZyWALL uses the IP address of the other WAN interface If both WAN connections go down the ZyWALL uses the dial backup IP address for the VPN tunnel...

Page 92: ...Table 17 VPN Wizard Network Setting LABEL DESCRIPTION Network Policy Property Active If the Active check box is selected packets for the tunnel trigger the ZyWALL to build the tunnel Clear the Active check box to turn the network policy off The ZyWALL does not apply the policy Packets for the tunnel do not trigger the tunnel Name Type up to 32 characters to identify this VPN network policy You may...

Page 93: ...tatic and correspond to the remote IPSec router s configured local IP addresses Select Single for a single IP address Select Range IP for a specific range of IP addresses Select Subnet to specify IP addresses on a network by their subnet mask Starting IP Address When the Remote Network field is configured to Single enter a static IP address on the network behind the remote IPSec router When the Re...

Page 94: ...t 3DES is more secure than DES It also requires more processing power resulting in increased latency and decreased throughput This implementation of AES uses a 128 bit key AES is faster than 3DES Authentication Algorithm MD5 Message Digest 5 and SHA1 Secure Hash Algorithm are hash algorithms used to authenticate packet data The SHA1 algorithm is generally considered stronger than MD5 but is slower...

Page 95: ...h them over a secure connection Type from 8 to 31 case sensitive ASCII characters or from 16 to 62 hexadecimal 0 9 A F characters You must precede a hexadecimal key with a 0x zero x which is not counted as part of the 16 to 62 character range for the key For example in 0x0123456789ABCDEF 0x denotes that the key is hexadecimal and 0123456789ABCDEF is the key itself Both ends of the VPN tunnel must ...
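The key-format rules quoted above (8 to 31 case-sensitive ASCII characters, or 16 to 62 hexadecimal digits behind a 0x prefix that is not counted, with both ends of the tunnel holding the same key) are easy to get wrong when keys are generated or pasted by a provisioning script. The following check is an added example written for this edit, not code from the guide or from ZyXEL: the function names `classify_psk` and `psks_match` are my own, and the requirement that an ASCII key consist of printable characters is an assumption the guide does not state.

```python
import hmac
import re

# Field limits as quoted from the guide's description of the pre-shared key.
ASCII_MIN, ASCII_MAX = 8, 31      # case-sensitive ASCII characters
HEX_MIN, HEX_MAX = 16, 62         # hex digits after the (uncounted) 0x prefix
HEX_PREFIX = "0x"                 # the guide's "0x (zero x)" marker
_HEX_DIGITS = re.compile(r"[0-9A-Fa-f]+")


def classify_psk(psk: str) -> tuple:
    """Check a candidate pre-shared key against the field rules.

    Returns (accepted, explanation). A leading 0x selects hexadecimal mode and
    is not counted toward the 16-62 digit range, exactly as the guide says.
    Assumption (not stated in the guide): an ASCII key must consist of
    printable ASCII characters, so control characters are rejected.
    """
    if psk.startswith(HEX_PREFIX):
        digits = psk[len(HEX_PREFIX):]
        if not _HEX_DIGITS.fullmatch(digits):
            return False, "hex key must contain only 0-9 and A-F after 0x"
        if not HEX_MIN <= len(digits) <= HEX_MAX:
            return False, (f"hex key needs {HEX_MIN}-{HEX_MAX} hex digits, "
                           f"got {len(digits)}")
        return True, f"hexadecimal key, {len(digits) * 4}-bit value"
    if not psk.isascii() or not psk.isprintable():
        return False, "ASCII key must consist of printable ASCII characters"
    if not ASCII_MIN <= len(psk) <= ASCII_MAX:
        return False, (f"ASCII key needs {ASCII_MIN}-{ASCII_MAX} characters, "
                       f"got {len(psk)}")
    return True, f"ASCII key, {len(psk)} characters"


def psks_match(local: str, remote: str) -> bool:
    """Both ends of the tunnel must hold the identical key. The comparison is
    done in constant time so that a configuration-audit script does not leak
    key bytes through timing differences."""
    return hmac.compare_digest(local.encode(), remote.encode())


if __name__ == "__main__":
    # Constructed sample keys: the guide's own hex example plus a few bad ones.
    for candidate in ("0x0123456789ABCDEF", "0x0123456789ABCDE",
                      "MySecretKey!", "short"):
        ok, why = classify_psk(candidate)
        print(f"{candidate!r:24} -> {'accepted' if ok else 'rejected'}: {why}")
```

Run the module directly to see each sample key classified; the second function is the check to run against both routers' configured keys before bringing the tunnel up, since a mismatch only shows up later as a failed IKE negotiation.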

Page 96: ...ication code The DES encryption algorithm uses a 56 bit key Triple DES 3DES is a variation on DES that uses a 168 bit key As a result 3DES is more secure than DES It also requires more processing power resulting in increased latency and decreased throughput This implementation of AES uses a 128 bit key AES is faster than 3DES Select NULL to set up a tunnel without encryption When you select NULL y...

Page 97: ...ame of this VPN gateway policy Gateway Policy Setting My ZyWALL This is the WAN IP address or the domain name of your ZyWALL in router mode or the ZyWALL s IP address in bridge mode Remote Gateway Address This is the IP address or the domain name used to identify the remote IPSec router Network Policy Property Active This displays whether this VPN network policy is enabled or not Name This is the ...

Page 98: ...ng through a secure gateway must have the same negotiation mode Encryption Algorithm This is the method of data encryption Options can be DES 3DES or AES Authentication Algorithm MD5 Message Digest 5 and SHA1 Secure Hash Algorithm are hash algorithms used to authenticate packet data Key Group This is the key group you chose for phase 1 IKE setup SA Life Time Seconds This is the length of time befo...

Page 99: ...3 8 VPN Wizard Setup Complete Congratulations You have successfully set up the VPN rule for your ZyWALL If you already had VPN rules configured the wizard adds the new VPN rule after the last existing VPN rule Figure 33 VPN Wizard Setup Complete ...

Page 100: ...Chapter 3 Wizard Setup ZyWALL 2WG User s Guide 100 ...

Page 101: ...n turn on content filtering for all of the ZyWALL s VPN traffic regardless of its direction of travel You can apply firewall security to VPN traffic based on its direction of travel The following examples show how you do this for the firewall 4 1 1 Firewall Rule for VPN Example The firewall provides even more fine tuned control for VPN tunnels You can configure default and custom firewall rules fo...

Page 102: ... A to let the network behind B access the FTP server You would also have to configure a corresponding rule on device B 1 Click Security VPN to open the following screen Click the Add Gateway Policy icon Figure 35 SECURITY VPN VPN Rules IKE 2 Use this screen to set up the connection between the routers Configure the fields that are circled as follows and click Apply ...

Page 103: ...Chapter 4 Tutorial ZyWALL 2WG User s Guide 103 Figure 36 SECURITY VPN VPN Rules IKE Add Gateway Policy 3 Click the Add Network Policy icon ...

Page 104: ... does not specify the port numbers This is due to the following reasons While FTP uses a control session on port 20 the port for the data session is not fixed So this example uses the firewall s FTP application layer gateway ALG to handle this instead of specifying port numbers in this VPN network policy The firewall provides better security because it operates at layer 4 and checks traffic sessio...

Page 105: ... Rules Suppose you have several VPN tunnels but you only want to allow device B s network to access the FTP server You also only want FTP traffic to go to the FTP server so you want to block all other traffic types like chat e mail web and so on The following sections show how to configure firewall rules to enforce these restrictions ...

Page 106: ...he VPN tunnel to the FTP server 1 Click Security Firewall Rule Summary 2 Select VPN to LAN as the packet direction and click Refresh 3 Click the insert icon Figure 39 SECURITY FIREWALL Rule Summary 4 Configure the rule as follows and click Apply The source addresses are the VPN rule s remote network and the destination address is the LAN FTP server ...

Page 107: ...Figure 40 SECURITY FIREWALL Rule Summary Edit Allow 5 The rule displays in the summary list of VPN to LAN firewall rules ...

Page 108: ...wall rule to block all VPN to LAN traffic This blocks any other types of access from VPN tunnels to the LAN FTP server This means that you need to configure more firewall rules if you want to allow any other VPN tunnels to access the LAN 1 Click SECURITY FIREWALL Default Rule 2 Configure the screen as follows and click Apply Figure 42 SECURITY FIREWALL Default Rule Block From VPN To LAN ...

Page 109: ...ectively for traffic in both directions Map the first public address 1 2 3 4 to outgoing traffic from other local computers Map the first public address 1 2 3 4 to incoming traffic from WAN 1 Forward FTP traffic using port 21 from WAN 1 to a specific local computer 192 168 1 39 The last public IP address 1 2 3 7 is not mapped to any device and is reserved for future use Figure 43 Tutorial Example ...

Page 110: ...E PPP over Ethernet from the Encapsulation drop down list box 3 In the ISP Parameters for Internet Access section enter the information such as the user name and password provided by your ISP If your ISP didn t give you the service name leave the field blank 4 In the WAN IP Address Assignment section select Use Fixed IP Address and enter the first fixed public IP address 1 2 3 4 in this example 5 ...

Page 111: ... ADVANCED DNS 7 The System screen displays Click the Insert button to configure the IP address of the DNS server the ZyWALL can query to resolve domain names Figure 46 Tutorial Example DNS System 8 Select Public DNS Server and enter the first DNS server s IP address given by your ISP Click Apply ...

Page 112: ...put the second record and click the Insert button to configure the second DNS server s IP address as follows Click Apply To resolve a domain name the ZyWALL checks it against the name server record entries in the order that they appear in this list Figure 48 Tutorial Example DNS System Edit 2 10 The DNS System screen should look as shown ...

Page 113: ... Done 11 Go to the Home screen to check your WAN connection status Make sure the status is not down Figure 50 Tutorial Example Status 4 2 3 Public IP Address Mapping To have the local computers and servers use specific WAN IP addresses you need to map static public IP addresses to them ...

Page 114: ... web server 192 168 1 12 and mail server 192 168 1 13 to different static public IP addresses The many to one rule maps a public IP address 1 2 3 4 that is the ZyWALL s WAN 1 IP address to outgoing LAN traffic It allows other local computers on the same subnet as the ZyWALL s LAN IP address to use this IP address to access the Internet Figure 51 Tutorial Example Mapping Multiple Public IP Addresse...

Page 115: ...Figure 52 Tutorial Example NAT NAT Overview 3 Click the Address Mapping tab 4 Select WAN 1 5 Click the first rule s Edit icon in the Modify column to display the Address Mapping Rule screen ...

Page 116: ...92 168 1 12 as the local start IP address and 1 2 3 5 as the global start IP address Click Apply Figure 54 Tutorial Example NAT Address Mapping Edit One to One 1 7 Click the second rule s Edit icon 8 Map a public IP address to the mail server Select the One to One type and enter 192 168 1 13 as the local start IP address and 1 2 3 6 as the global start IP address Click Apply ...

Page 117: ... Many to One type and enter 192 168 1 1 as the local start IP address 192 168 1 254 as the local end IP address and 1 2 3 4 as the global start IP address Click Apply Figure 56 Tutorial Example NAT Address Mapping Edit Many to One 11 After the configurations the Address Mapping screen looks as shown You still have one IP address 1 2 3 7 that can be assigned to another internal server when you expa...

Page 118: ...for more information 4 2 4 Forwarding Traffic from the WAN to a Local Computer A server NAT address mapping rule allows computers behind the NAT to be accessible to the outside world To have the ZyWALL forward incoming traffic to a specific computer on your local network you should also create a port forwarding server mapping rule In this example you want to forward FTP traffic using port 21 to the c...

Page 119: ...CED NAT Address Mapping 2 Click the fourth rule s Edit icon to configure a server rule Figure 59 Tutorial Example NAT Address Mapping Edit Server 3 Click the Port Forwarding tab 4 Select WAN 1 5 Select the Active check box enter a descriptive name FTP for example incoming port number 21 and 192 168 1 39 as the server IP address Click Apply ...

Page 120: ...raffic initiated from WAN 1 to a local computer or server on the LAN you need to configure a firewall rule to allow it In this example you create the firewall rules to allow traffic from the WAN to the following servers on the LAN Web server Mail server FTP server Figure 61 Tutorial Example Forwarding Incoming FTP Traffic to a Local Computer 1 Click SECURITY FIREWALL 2 Make sure the firewall is en...

Page 121: ...lt Rule 3 Go to the Rule Summary screen 4 Select WAN1 to LAN as the packet direction and click Refresh 5 Click the insert icon to create a new firewall rule Figure 63 Tutorial Example Firewall Rule WAN1 to LAN 6 Configure a firewall rule to allow HTTP traffic from the WAN to the web server ...

Page 122: ...nd click Delete Select Single Address as the destination address type Enter 192 168 1 12 and click Add Figure 64 Tutorial Example Firewall Rule WAN to LAN Address Edit for Web Server 7 Select HTTP TCP 80 and HTTPS TCP 443 in the Available Services box on the left and click to add them to the Selected Service s box on the right Click Apply ...

Page 123: ... for Web Server 8 Click the insert icon to configure a firewall rule to allow traffic from the WAN to the mail server Enter a descriptive name W L_Mail for example Select Any in the Destination Address es box and click Delete Select Single Address as the destination address type Enter 192 168 1 13 and click Add ...

Page 124: ...ple Firewall Rule WAN to LAN Address Edit for Mail Server 9 Select Any All in the Available Services box on the left and click to add it to the Selected Service s box on the right Click Apply Figure 67 Tutorial Example Firewall Rule WAN to LAN Service Edit for Mail Server ...

Page 125: ...TP for example Select Any in the Destination Address es box and click Delete Select Single Address as the destination address type Enter 192 168 1 39 and click Add Figure 68 Tutorial Example Firewall Rule WAN to LAN Address Edit for FTP Server 11 Select FTP TCP 20 21 in the Available Services box on the left and click to add it to the Selected Service s box on the right Click Apply ...

Page 126: ...Figure 69 Tutorial Example Firewall Rule WAN to LAN Service Edit for FTP Server 12 When you are done the Rule Summary screen looks as shown Figure 70 Tutorial Example Firewall Rule Summary ...

Page 127: ...from the outside network to send or retrieve a file If you cannot access the FTP server make sure the NAT port forwarding rule is active and there is a firewall rule to allow FTP traffic from the WAN to FTP server 4 3 Using NAT with Multiple Game Players If two users behind the ZyWALL want to connect to the same server to play online games at the same time but the server does not allow more than o...

Page 128: ... section shows you examples of how to allocate bandwidth and apply priorities to traffic that flows out through the ZyWALL s WAN port 4 4 1 Example Parameters and Scenario The following figure shows the network you want to set up in this example The WAN port has an upstream outgoing speed of 512 kbps To prevent SIP based VoIP Voice over IP traffic from getting delayed due to heavy WWW or FTP traff...

Page 129: ...management to traffic that is forwarded out through the WAN 1 port 3 Enter the WAN 1 port s upstream speed 4 Select Priority Based to have the ZyWALL give preference to bandwidth classes with higher priorities 5 Deselect the Maximize Bandwidth Usage option to reserve bandwidth for traffic that is not defined in a bandwidth class 6 Click Apply Total Bandwidth Budget WAN Upstream Speed 512 Kbps Band...

Page 130: ...xample Bandwidth Management Class Setup 9 Enter a descriptive name WAN1_VoIP for example the maximum bandwidth allowed and a priority for VoIP traffic The higher the number the higher the priority 10 Enable this filter and select the SIP service Make sure you also use the ALG screen to turn on the SIP ALG 11 Leave the IP address and subnet mask fields blank so that the filter will be applied to any ...

Page 131: ...ndwidth Management Class Setup VoIP 12 Click the Add Sub Class button to create a rule for FTP traffic as follows Click Apply Figure 76 Tutorial Example Bandwidth Management Class Setup FTP 13 Click the Add Sub Class button to create a rule for WWW traffic as follows Click Apply ...

Page 132: ...al Example Bandwidth Management Class Setup WWW 14 When you are finished the Class Setup screen looks as shown Figure 78 Tutorial Example Bandwidth Management Class Setup Done 15 Use the Monitor screen to view the bandwidth usage and allotments for the WAN interface ...

Page 133: ...he ZyWALL applies policies in the order they are listed The ZyWALL applies the content filter policies based on the source address and the schedule So for this example when the ZyWALL receives a request from the LAN for a web page it checks the request against the first policy If the traffic matches that is if it is from Bob s computer and the time is between 12 00 and 13 00 the ZyWALL applies the...

Page 134: ...lter and external database content filtering 3 Click Apply Figure 80 SECURITY CONTENT FILTER General 4 5 2 Block Categories of Web Content Here is how to block access to web pages by category of content 1 Click SECURITY CONTENT FILTER Policy and then the external database icon next to the default policy ...

Page 135: ...Figure 81 SECURITY CONTENT FILTER Policy 2 Select Active 3 Select the categories to block 4 Click Apply Figure 82 SECURITY CONTENT FILTER Policy External Database Default ...

Page 136: ...r Bob s computer and select the Reserve check box as shown next 3 Click Apply Figure 83 HOME DHCP Table 4 5 4 Create a Content Filter Policy for Bob Do the following to create a content filtering policy for traffic from Bob s computer 1 Click SECURITY CONTENT FILTER Policy and then the Insert button The ZyWALL applies the content filter policies in order so make sure you add the new policy before ...

Page 137: ...ut only during lunch So you configure a schedule to only apply the Bob policy from 12 00 to 13 00 For the rest of the time the ZyWALL applies the default content filter policy which blocks access to arts and entertainment web pages 1 Click SECURITY CONTENT FILTER Policy and then the Bob policy s schedule icon Figure 86 SECURITY CONTENT FILTER Policy 2 Select Active 3 Select Everyday and enter 12 0...

Page 138: ...y Figure 87 SECURITY CONTENT FILTER Policy Schedule Bob 4 5 6 Block Categories of Web Content for Bob Now you select the categories of web pages to block Bob from accessing 1 Click SECURITY CONTENT FILTER Policy and then the Bob policy s external database icon ...

Page 139: ...RITY CONTENT FILTER Policy 2 Select Active 3 Select the categories to block This is very similar to Section 4 5 2 on page 134 except you do not select the arts and entertainment category 4 Click Apply Figure 89 SECURITY CONTENT FILTER Policy External Database Bob ...

Page 141: ...web site s on line help for details To activate a service on a ZyWALL you need to access myZyXEL com via that ZyWALL 5 1 1 Content Filtering Subscription Service The ZyWALL can use the content filtering subscription service Content filtering allows or blocks access to web sites Subscribe to category based content filtering to block access to categories of web sites based on content Your ZyWALL acc...

Page 142: ...w to register your ZyWALL User Name Enter a user name for your myZyXEL com account The name should be from six to 20 alphanumeric characters and the underscore Spaces are not allowed Check Click this button to check with the myZyXEL com database to verify the user name you entered has not been used Password Enter a password of between six and 20 alphanumeric characters and the underscore Spaces ar...

Page 143: ...rial you can also use the Service screen to register and enter your iCard s PIN number license key Click REGISTRATION Service to open the screen as shown next If you restore the ZyWALL to the default configuration file or upload a different configuration file after you register click the Service License Refresh button to update license information Apply Click Apply to save your changes back to the...

Page 144: ...whether you applied for a trial application Trial or registered a service with your iCard s PIN number Standard Expiration Day This field displays the date your service expires License Upgrade License Key Enter your iCard s PIN number and click Update to activate or extend a standard service subscription If a standard service subscription runs out you need to buy a new iCard specific to your ZyWAL...

Page 145: ...145 PART II Network and Wireless LAN Screens 147 Bridge Screens 159 WAN Screens 165 DMZ Screens 201 Wireless LAN 211 ...

Page 147: ...office that you connect to the ZyWALL s LAN ports The Wide Area Network WAN is another network most likely the Internet that you connect to the ZyWALL s WAN port See Chapter 8 on page 165 for how to use the WAN screens to set up your WAN connection The LAN and the WAN are two separate networks The ZyWALL controls the traffic that goes between them The following graphic gives an example Figure 93 L...

Page 148: ...her device on your network is using that IP address The subnet mask specifies the network number portion of an IP address Your ZyWALL will compute the subnet mask automatically based on the IP address that you entered You don t need to change the subnet mask computed by the ZyWALL unless you are instructed to do otherwise 6 2 1 Private IP Addresses Every machine on the Internet must have a unique ...

Page 149: ... the RIP packets that the ZyWALL sends it recognizes both formats when receiving RIP 1 is universally supported but RIP 2 carries more information RIP 1 is probably adequate for most networks unless you have an unusual network topology Both RIP 2B and RIP 2M send routing data in RIP 2 format the difference being that RIP 2B uses subnet broadcasting while RIP 2M uses multicasting Multicasting can r...

Page 150: ...ect None to disable IP multicasting on these interfaces 6 6 WINS WINS Windows Internet Naming Service is a Windows implementation of NetBIOS Name Server NBNS It keeps track of NetBIOS computer names It stores a mapping table of your network s computer names and IP addresses The table is dynamically updated for IP addresses assigned by DHCP This helps reduce broadcast traffic since compu...

Page 151: ...s the subnet mask based on the IP address that you assign Unless you are implementing subnetting use the subnet mask computed by the ZyWALL RIP Direction RIP Routing Information Protocol RFC1058 and RFC 1389 allows a router to exchange routing information with other routers The RIP Direction field controls the sending and receiving of RIP packets Select the RIP direction from Both In Only Out Only...

Page 152: ...l in the IP Pool Starting Address and Pool Size fields Select Relay to have the ZyWALL forward DHCP requests to another DHCP server When set to Relay fill in the DHCP Server Address field Select None to stop the ZyWALL from acting as a DHCP server When you select None you must have another DHCP server on your LAN or else the computers must be manually configured IP Pool Starting Address This field...

Page 153: ...rule that forwards NetBIOS traffic Clear this check box to block all NetBIOS packets going from the LAN to WAN 2 and from WAN 2 to the LAN Allow between LAN and DMZ Select this check box to forward NetBIOS packets from the LAN to the DMZ and from the DMZ to the LAN If your firewall is enabled with the default policy set to block DMZ to LAN traffic you also need to enable the default DMZ to LAN fir...

Page 154: ...rnet interface Table 24 NETWORK LAN Static DHCP LABEL DESCRIPTION This is the index number of the Static IP table entry row MAC Address Type the MAC address of a computer on your LAN IP Address Type the IP address that you want to assign to the computer on your LAN Alternatively click the right mouse button to copy and or paste the IP address Apply Click Apply to save your changes back to the ZyWA...

Page 155: ...AN Ethernet interface The ZyWALL itself is the gateway for each of the logical LAN networks When you use IP alias you can also configure firewall rules to control access between the LAN s logical networks subnets Make sure that the subnets of the logical networks do not overlap The following figure shows a LAN divided into subnets A B and C Figure 96 Physical Network Partitioned Logical Networks T...
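Two rules from the LAN chapter are worth checking before a configuration is pushed: the subnet mask is derived from the address when you do not set one (page 148), and the logical networks created with IP alias must not overlap (page 155), since an overlapping alias silently breaks the per-subnet firewall rules the text describes. The following plan checker is an added example written for this edit, not ZyXEL's code: `classful_mask`, `logical_network` and `check_alias_plan` are my own names, and the assumption that the derived mask follows the classic first-octet class rules is mine; the guide only says the mask is computed from the address. The private-range test uses the RFC 1918 blocks, the successor of the RFC 1597 the guide cites.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# An interface entry as the LAN and IP alias screens take it: the ZyWALL's
# own address on that logical network plus an optional subnet mask.
Entry = Tuple[str, Optional[str]]

# RFC 1918 private blocks (the guide's page 148 "Private IP Addresses" rule).
RFC1918 = [ipaddress.IPv4Network(block)
           for block in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classful_mask(ip: str) -> str:
    """Default mask derived from the first octet (class A/B/C rules).

    Assumption: the guide only says the mask is computed "based on the IP
    address"; the classful rules are the usual way that is done."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:
        return "255.0.0.0"        # class A
    if first_octet < 192:
        return "255.255.0.0"      # class B
    if first_octet < 224:
        return "255.255.255.0"    # class C
    raise ValueError(f"{ip} is not a class A, B or C unicast address")


def logical_network(ip: str, mask: Optional[str] = None) -> ipaddress.IPv4Network:
    """The subnet an interface address belongs to, with the given or derived mask."""
    return ipaddress.IPv4Network(f"{ip}/{mask or classful_mask(ip)}", strict=False)


def is_rfc1918(net: ipaddress.IPv4Network) -> bool:
    return any(net.subnet_of(block) for block in RFC1918)


def check_alias_plan(lan: Entry, aliases: Iterable[Entry]) -> List[str]:
    """Validate a LAN plus IP alias layout.

    Returns a list of problems; an empty list means the plan satisfies the
    two rules quoted from the guide: every logical network is private, and
    no two logical networks overlap."""
    nets = [logical_network(*lan)] + [logical_network(*alias) for alias in aliases]
    problems: List[str] = []
    for i, net in enumerate(nets):
        if not is_rfc1918(net):
            problems.append(f"{net} is not an RFC 1918 private range")
        for other in nets[i + 1:]:
            if net.overlaps(other):
                problems.append(f"{net} overlaps {other}")
    return problems


if __name__ == "__main__":
    # Constructed layout: a LAN split into subnets A, B and C as in Figure 96.
    print("A/B/C plan:", check_alias_plan(("192.168.1.1", None),
                                          [("192.168.2.1", None),
                                           ("192.168.3.1", None)]) or "ok")
    # A second alias carved out of the LAN's own /24 is flagged.
    print("overlap plan:", check_alias_plan(("192.168.1.1", None),
                                            [("192.168.1.129", "255.255.255.128")]))
```

Feed it the three interface addresses you intend to type into the LAN and IP Alias screens; a non-empty result tells you which pair would collide before the firewall rules between the subnets become unpredictable.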

Page 156: ...tting use the subnet mask computed by the ZyWALL RIP Direction RIP Routing Information Protocol RFC 1058 and RFC 1389 allows a router to exchange routing information with other routers The RIP Direction field controls the sending and receiving of RIP packets Select the RIP direction from Both In Only Out Only None When set to Both or Out Only the ZyWALL will broadcast its routing table periodicall...

Page 157: ... 99 Port Roles Change Complete Table 26 NETWORK LAN Port Roles LABEL DESCRIPTION LAN Select a port s LAN radio button to use the port as part of the LAN The port will use the ZyWALL s LAN IP address and MAC address DMZ Select a port s DMZ radio button to use the port as part of the DMZ The port will use the ZyWALL s DMZ IP address and MAC address WLAN Select a port s WLAN radio button to use the p...

Page 158: ...Chapter 6 LAN Screens ZyWALL 2WG User s Guide 158 ...

Page 159: ...ffic to circle the network endlessly resulting in possible throughput degradation and disruption of communications The following example shows the network topology that can lead to this problem If your ZyWALL in bridge mode is connected to a wired LAN while communicating with another bridge or a switch that is also connected to the same wired LAN as shown next Figure 100 Bridge Loop Bridge Connect...

Page 160: ...t table On each bridge the root port is the port through which this bridge communicates with the root It is the port on this switch with the lowest path cost to the root the root path cost If there is no root port then this bridge has been accepted as the root bridge of the spanning tree network For each LAN segment a designated bridge is selected This bridge has the lowest cost to the root among ...

Page 161: ...ion as a bridge In bridge mode the ZyWALL functions as a transparent firewall also known as a bridge firewall The ZyWALL bridges traffic traveling between the ZyWALL s interfaces and still filters and inspects packets You do not need to change the configuration of your existing network You can use the firewall and VPN in bridge mode See the user s guide for a list of other features that are availa...

Page 162: ...econd Third DNS Server DNS Domain Name System is for mapping a domain name to its corresponding IP address and vice versa The DNS server is extremely important because without it you must know the IP address of a machine before you can access it The ZyWALL uses a system DNS server in the order you specify here to resolve domain names for content filtering the time server etc If you have the IP add...

Page 163: ...y for this bridge Bridge Priority determines the root bridge which in turn determines Hello Time Max Age and Forward Delay Bridge Hello Time Enter an interval between 1 and 10 in seconds that the root bridge waits before sending a hello packet Bridge Max Age Enter an interval between 6 and 40 in seconds that a bridge waits to get a Hello BPDU from the root bridge Forward Delay Enter the length of ...

Page 164: ...lick Return to go back to the Port Roles screen Figure 103 Port Roles Change Complete Table 30 NETWORK Bridge Port Roles LABEL DESCRIPTION LAN Select a port s LAN radio button to use the port as part of the LAN DMZ Select a port s DMZ radio button to use the port as part of the DMZ WLAN Select a port s WLAN radio button to use the port as part of the WLAN Apply Click Apply to save your changes bac...

Page 165: ...p to enhance network reliability The ZyWALL has one WAN port When the ZyWALL is in router mode you can optionally insert a 3G card to add a second WAN interface You can connect one interface to one ISP or network and connect the other to a second ISP or network The ZyWALL can balance the load between the two WAN interfaces see Section 8 3 on page 166 You can use policy routing to specify the WAN i...

Page 166: ...ace 8 4 Load Balancing Algorithms The ZyWALL uses three load balancing methods least load first weighted round robin and spillover to decide which WAN interface the traffic for a session from the LAN uses The following sections describe each load balancing method The available bandwidth you configure on the ZyWALL refers to the actual bandwidth provided by the ISP and the measured bandwidth refer...

Page 167: ... 4 2 Weighted Round Robin Round Robin routes traffic on a rotating basis and is activated only when a WAN interface has more traffic than the configured available bandwidth On the ZyWALL with two WAN interfaces an amount of traffic is sent through the first interface The second interface is also given an equal amount of traffic and then the same amount of traffic is sent through the first interfac...

Page 168: ...owable load is reached then the ZyWALL sends the excess network traffic of new sessions to the secondary WAN interface Configure the Route Priority metrics in the WAN General screen to determine the primary and secondary WANs In cases where the primary WAN interface uses an unlimited access Internet connection and the secondary WAN uses a per use timed access plan the ZyWALL will only use the seco...

Page 169: ...107 Different WAN IP Addresses 1 LAN user A wants to download a file from a remote server on the Internet The ZyWALL is using active active load balancing and sends the request to an update server B through WAN 1 2 Update server B sends a file list to LAN user A The download address of the desired file is a file server C At the same time update server B informs file server C that a computer locate...

Page 170: ...WAN operation mode set to active passive meaning the ZyWALL uses the second highest priority WAN interface as a back up The WAN 1 route has a metric of 2 the WAN 2 route has a metric of 3 the traffic redirect route has a metric of 14 and the dial backup route has a metric of 15 In this case the WAN 1 route acts as the primary default route If the WAN 1 route fails to connect to the Internet the ZyW...

Page 171: ...Chapter 8 WAN Screens ZyWALL 2WG User s Guide 171 Figure 108 NETWORK WAN General ...

Page 172: ...omputer s traffic through the same WAN interface for the period of time that you specify 1 to 600 seconds This is useful when a redirect server forwards a local user s request for a file and informs the file server that a particular WAN IP address is requesting the file If the user s subsequent sessions came from a different WAN IP address the file server would deny the request This field is confi...

Page 173: ... from WAN 1 to the LAN port and from the LAN port to WAN1 If your firewall is enabled with the default policy set to block WAN 1 to LAN traffic you also need to enable the default WAN1 to LAN firewall rule that forwards NetBIOS traffic Clear this check box to block all NetBIOS packets going from WAN 1 to the LAN port and from LAN port to WAN1 Allow between WAN1 and DMZ Select this check box to for...

Page 174: ...ly: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. Table 33 NETWORK WAN General (continued): LABEL, DESCRIPTION. Table 34 Load Balancing: Least Load First: LABEL, DESCRIPTION. Active/Active Mode: Select Active/Active Mode and set the related fields to enable load balancing on the ZyWALL. Load Balancing Algorithm: Set the load balancing method to Le...

Page 175: ...face. This should be the actual downstream bandwidth that your ISP provides. Available Outbound Bandwidth: This field is applicable when you select Outbound + Inbound or Outbound Only in the Load Balancing Index(es) field. Specify the outbound or upstream bandwidth in kilobits per second for the interface. This should be the actual upstream bandwidth that your ISP provides. Table 34 Load Balancing: Least ...

Page 176: ...to enable load balancing on the ZyWALL. Load Balancing Algorithm: Set the load balancing method to Spillover. WAN Interface to Local Host Mapping Timeout: Select this option to have the ZyWALL send all of a local computer's traffic through the same WAN interface for the period of time that you specify (1 to 600 seconds). This is useful when a redirect server forwards a local user's request for a file and...

Page 177: ...ss assignment, please refer to RFC 1597, Address Allocation for Private Internets, and RFC 1466, Guidelines for Management of IP Address Space. 8.10 DNS Server Address Assignment: Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa; for instance, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important because without it you must know ...

Page 178: ...pied to the rom file (ZyNOS configuration file). It will not change unless you change the setting or upload a different rom file. 8.12 WAN 1: To change your ZyWALL's WAN 1 ISP, IP and MAC settings, click NETWORK WAN WAN 1. The screen differs by the encapsulation. The WAN 1 and WAN 2 IP addresses of a ZyWALL with multiple WAN interfaces must be on different subnets. 8.12.1 WAN Ethernet Encapsulation: For ISPs...

Page 179: ...andard, Telstra (RoadRunner Telstra authentication method), RR-Manager (Roadrunner Manager authentication method), RR-Toshiba (Roadrunner Toshiba authentication method) or Telia Login. The following fields do not appear with the Standard service type. User Name: Type the user name given to you by your ISP. Password: Type the password associated with the user name above. Retype to Confirm: Type your password again...

Page 180: ...exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, None, In Only or Out Only. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, the ZyWALL will incorporate RIP information that it receives. When set to None, the ZyWALL will not send any RIP packets and will...

Page 181: ...roup Multicast Protocol) is a session-layer protocol used to establish membership in a multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112), but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236. Spoof ...

Page 182: ...eters for Internet Access. Encapsulation: Select PPPoE for a dial-up connection using PPPoE. Service Name: Type the PPPoE service name provided to you by your ISP. PPPoE uses a service name to identify and reach the PPPoE server. User Name: Type the user name given to you by your ISP. Password: Type the password associated with the user name above. Retype to Confirm: Type your password again to make sure tha...

Page 183: ...dress used on the Internet. Select this checkbox to enable NAT. For more information about NAT, see Chapter 17 on page 385. RIP Direction: RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, None, In Only or Out Only. When set to Both or Out Only, the ZyWALL will broadcast ...

Page 184: ... read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236. Spoof WAN MAC Address from LAN: You can configure the WAN port's MAC address by either using the factory-assigned default MAC address or cloning the MAC address of a computer on your LAN. By default, the ZyWALL uses the factory-assigned MAC address to identify itself on ...

Page 185: ...ion: Set the encapsulation method to PPTP. The ZyWALL supports only one PPTP server connection at any given time. To configure a PPTP client, you must configure the User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection. User Name: Type the user name given to you by your ISP. Password: Type the password associated with the user name above. Retype to Confirm: Type yo...

Page 186: ...gnment: Get automatically from ISP: Select this option if your ISP did not assign you a fixed IP address. This is the default selection. Use Fixed IP Address: Select this option if the ISP assigned a fixed IP address. My WAN IP Address: Enter your WAN IP address in this field if you selected Use Fixed IP Address. Advanced Setup: Enable NAT (Network Address Translation): Network Address Translation (NAT) allows ...

Page 187: ...roup; it is not used to carry user data. Multicast Version: Choose None (default), IGMP-V1 or IGMP-V2. IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112), but IGMP version 1 is still in wide use. If you would like to read more detailed informa...

Page 188: ...eral Packet Radio Services), High Speed Circuit Switched Data (HSCSD), etc. CDMA2000 is a hybrid 2.5G/3G protocol of mobile telecommunications standards that use CDMA, a multiple access scheme for digital radio. CDMA2000 1xRTT (1 times Radio Transmission Technology) is the core CDMA2000 wireless air interface standard. It is also known as 1x, 1xRTT or IS-2000 and considered to be a 2.5G or 2.75G technology. 2...

Page 189: ...Turn the ZyWALL off before you install or remove the 3G card. The WAN 1 and WAN 2 IP addresses of a ZyWALL with multiple WAN interfaces must be on different subnets ...

Page 190: ...5 NETWORK WAN WAN 2 (3G WAN). The following table describes the labels in this screen. Table 42 NETWORK WAN WAN 2 (3G WAN): LABEL, DESCRIPTION. WAN2 Setup: Enable: Select this option to enable WAN 2. 3G Card Configuration: The fields below display only when you enable WAN 2 ...

Page 191: ...initial string and APN if you know how to configure, or your ISP provides, a string which would include the APN to initialize the 3G card. You can enter up to 72 ASCII printable characters. Spaces are allowed. This field is available only when you insert a GSM 3G card. Authentication Type: The ZyWALL supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). CHAP i...

Page 192: ...roup Multicast Protocol) is a session-layer protocol used to establish membership in a multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112), but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236. Enable ...

Page 193: ...nutes to send the log and alert (if selected). Select Allow to permit new 3G connections or Disallow to drop (block) new 3G connections. Select Keep to maintain the existing 3G connection or Drop to disconnect it. You cannot select Allow and Drop at the same time. If you select Disallow and Keep, the ZyWALL allows you to transmit data using the current connection, but you cannot build a new connection if th...

Page 194: ...Traffic Redirect LAN Setup. 8.15 Configuring Traffic Redirect: To change your ZyWALL's traffic redirect settings, click NETWORK WAN Traffic Redirect. The screen appears as shown. Figure 118 NETWORK WAN Traffic Redirect. The following table describes the labels in this screen. Table 43 NETWORK WAN Traffic Redirect: LABEL, DESCRIPTION. Active: Select this check box to have the ZyWALL use traffic redirect if th...

Page 195: ...he Dial Backup screen. Use this screen to configure the backup WAN dial-up connection. Figure 119 NETWORK WAN Dial Backup. The following table describes the labels in this screen. Table 44 NETWORK WAN Dial Backup: LABEL, DESCRIPTION. Dial Backup Setup: Enable Dial Backup: Select this check box to turn on dial backup. Basic Settings ...

Page 196: ...this check box if your ISP assigned you a fixed IP address, then enter the IP address in the following field. My WAN IP Address: Leave the field set to 0.0.0.0 (default) to have the ISP or other remote router dynamically (automatically) assign your WAN IP address if you do not know it. Type your WAN IP address here if you know it (static). This is the address assigned to your local ZyWALL, not the remote rout...

Page 197: ...P version 2 (RFC 2236) is an improvement over version 1 (RFC 1112), but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236. Budget: Always On: Select this check box to have the dial backup connection on all of the time. Configure Budget: Select this check box to have the d...

Page 198: ...p command ATH. 8.17.3 Response Strings: The response strings tell the ZyWALL the tags, or labels, immediately preceding the various call parameters sent from the WAN device. The response strings have not been standardized; please consult the documentation of your WAN device to find the correct tags. 8.18 Configuring Advanced Modem Setup: Click the Edit button in the Dial Backup screen to display the Advan...

Page 199: ... is required for CLID authentication. Called ID: Type the keyword preceding the dialed number. Speed: Type the keyword preceding the connection speed. Call Control: Dial Timeout (sec): Type a number of seconds for the ZyWALL to try to set up an outgoing call before timing out (stopping). Retry Count: Type a number of times for the ZyWALL to retry a busy or no-answer phone number before blacklisting the number ...


Page 201: ...also highly recommended that you keep all sensitive information off of the public servers connected to the DMZ port. Store sensitive information on LAN computers. 9.2 Configuring DMZ: The DMZ and the connected computers can have private or public IP addresses. When the DMZ uses public IP addresses, the WAN and DMZ ports must use public IP addresses that are on separate subnets. See Appendix C on page 72...

Page 202: ...ask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL (255.255.255.0). RIP Direction: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both, In Only, Out Only...

Page 203: ... IP configuration for the clients. When set as a server, fill in the IP Pool Starting Address and Pool Size fields. Select Relay to have the ZyWALL forward DHCP requests to another DHCP server. When set to Relay, fill in the DHCP Server Address field. Select None to stop the ZyWALL from acting as a DHCP server. When you select None, you must have another DHCP server on your LAN or else the computers must ...

Page 204: ...kets from the DMZ to WAN 2 and from WAN 2 to the DMZ. Clear this check box to block all NetBIOS packets going from the DMZ to WAN 2 and from WAN 2 to the DMZ. Allow between DMZ and WLAN: Select this check box to forward NetBIOS packets from the WLAN to the DMZ and from the DMZ to the WLAN. If your firewall is enabled with the default policy set to block DMZ to WLAN traffic and WLAN to DMZ traffic, you ...

Page 205: ...ernet interface. Table 47 NETWORK DMZ Static DHCP: LABEL, DESCRIPTION. This is the index number of the Static IP table entry (row). MAC Address: Type the MAC address of a computer on your DMZ. IP Address: Type the IP address that you want to assign to the computer on your DMZ. Alternatively, click the right mouse button to copy and/or paste the IP address. Apply: Click Apply to save your changes back to the ZyW...

Page 206: ...T if you want to make DMZ computers with private IP addresses publicly accessible; see Chapter 17 on page 385 for more information. When you use IP alias, you can have the DMZ use both public and private IP addresses at the same time. Make sure that the subnets of the logical networks do not overlap. To change your ZyWALL's IP alias settings, click NETWORK DMZ IP Alias. The screen appears as shown. Figure...

Page 207: ...to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received. RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both forma...

Page 208: ...et. The DMZ port and server F use private IP addresses that are in one subnet. The private IP addresses of the LAN and DMZ are on separate subnets. The DMZ port and connected servers D and E use public IP addresses that are in one subnet. The public IP addresses of the DMZ and WAN are on separate subnets. Configure one subnet (either the public or the private) in the Network DMZ screen (see Figure 9.2 on ...

Page 209: ...rt and changing the port's role. 1. A port's IP address varies as its role changes; make sure your computer's IP address is in the same subnet as the ZyWALL's LAN, DMZ or WLAN IP address. 2. Use the appropriate LAN, DMZ or WLAN IP address to access the ZyWALL. To change your ZyWALL's port role settings, click NETWORK DMZ Port Roles. The screen appears as shown. The radio buttons correspond to Ethernet ports ...

Page 210: ...he LAN. The port will use the ZyWALL's LAN IP address and MAC address. DMZ: Select a port's DMZ radio button to use the port as part of the DMZ. The port will use the ZyWALL's DMZ IP address and MAC address. WLAN: Select a port's WLAN radio button to use the port as part of the WLAN. The port will use the ZyWALL's WLAN IP address and MAC address. Apply: Click Apply to save your changes back to the ZyWALL. R...

Page 211: ...s LAN adapters communicating through access points which bridge network traffic to the wired LAN. The following figure provides an example of a wireless network. Figure 127 Example of a Wireless Network. The wireless network is the part in the blue circle. In this wireless network, devices A and B are called wireless clients. The wireless clients use the access point (AP) to interact with other devices (su...

Page 212: ...zed devices from using the wireless network. It can also protect the information that is sent in the wireless network. See the WLAN appendix for more detailed information on WLANs. 10.2 Configuring WLAN: The built-in wireless card is used as part of the LAN by default. You can use the Port Roles screen (see Figure 132 on page 220) to set a port to be part of the WLAN. Then connect an access point (AP) to it...

Page 213: ... Your ZyWALL automatically calculates the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL. RIP Direction: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP ...

Page 214: ...and Pool Size fields. Select Relay to have the ZyWALL forward DHCP requests to another DHCP server. When set to Relay, fill in the DHCP Server Address field. Select None to stop the ZyWALL from acting as a DHCP server. When you select None, you must have another DHCP server on your WLAN or else the computers must be manually configured. IP Pool Starting Address: This field specifies the first of the conti...

Page 215: ...ts from the WLAN to WAN 2 and from WAN 2 to the WLAN. Clear this check box to block all NetBIOS packets going from the WLAN to WAN 2 and from WAN 2 to the WLAN. Allow between WLAN and DMZ: Select this check box to forward NetBIOS packets from the WLAN to the DMZ and from the DMZ to the WLAN. If your firewall is enabled with the default policy set to block WLAN to DMZ traffic and DMZ to WLAN traffic, yo...

Page 216: ...hernet interface. Table 51 NETWORK WLAN Static DHCP: LABEL, DESCRIPTION. This is the index number of the Static IP table entry (row). MAC Address: Type the MAC address of a computer on your WLAN. IP Address: Type the IP address that you want to assign to the computer on your WLAN. Alternatively, click the right mouse button to copy and/or paste the IP address. Apply: Click Apply to save your changes back to the...

Page 217: ...nets. Make sure that the subnets of the logical networks do not overlap. To change your ZyWALL's IP alias settings, click NETWORK WLAN IP Alias. The screen appears as shown. Figure 130 NETWORK WLAN IP Alias. The following table describes the labels in this screen. Table 52 NETWORK WLAN IP Alias: LABEL, DESCRIPTION. Enable IP Alias 1, 2: Select the check box to configure another WLAN network for the ZyWALL. IP ...

Page 218: ...ut Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received. RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when rece...

Page 219: ...our computer's IP address is in the same subnet as the ZyWALL's LAN, DMZ or WLAN IP address. 2. Use the appropriate LAN, DMZ or WLAN IP address to access the ZyWALL. To change your ZyWALL's port role settings, click NETWORK WLAN Port Roles. The screen appears as shown. The radio buttons correspond to Ethernet ports on the front panel of the ZyWALL. On the ZyWALL, ports 1 to 4 are all LAN ports by default. Yo...

Page 220: ... following sections introduce different types of wireless security you can set up in the wireless network. Table 53 NETWORK WLAN Port Roles: LABEL, DESCRIPTION. LAN: Select a port's LAN radio button to use the port as part of the LAN. The port will use the LAN IP address. DMZ: Select a port's DMZ radio button to use the port as part of the DMZ. The port will use the DMZ IP address. WLAN: Select a port's WLAN...

Page 221: ...ettings (SSID, channel and security). If a wireless client is not allowed to use the wireless network, it does not matter if it has the correct settings. This type of security does not protect the information that is sent in the wireless network. Furthermore, there are ways for unauthorized devices to get the MAC address of an authorized wireless client. Then, they can use that MAC address to use the wirele...

Page 222: ...network has a RADIUS server, you can choose WPA or WPA2. If users do not log in to the wireless network, you can choose no encryption, Static WEP, WPA-PSK or WPA2-PSK. Usually, you should set up the strongest encryption that every wireless client in the wireless network supports. For example, suppose the AP does not have a local user database and you do not have a RADIUS server. Therefore, there is no user a...

Page 223: ...t in the wireless network must have the same key. 10.6.5 Additional Installation Requirements for Using 802.1x: A computer with an IEEE 802.11a/b/g wireless LAN card. A computer equipped with a web browser (with JavaScript enabled) and/or Telnet. A wireless station must be running IEEE 802.1x-compliant software. Currently, this is offered in Windows XP. An optional network RADIUS server for remote user aut...

Page 224: ...etting MAC filters and/or 802.1x security; otherwise your wireless LAN will be vulnerable upon enabling it. Select the check box to enable the wireless LAN. Bridge to: Select LAN to use the wireless card as part of the LAN. Select DMZ to use the wireless card as part of the DMZ. Select WLAN to use the wireless card as part of the WLAN. The ZyWALL restarts after you change the wireless card setting. Note: I...

Page 225: ...ragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Enter a value between 256 and 2346. If you select Super Mode, this field is grayed out and the ZyWALL uses 2346 automatically. Output Power: Set the output power of the ZyWALL in this field. If there is a high density of APs in an area, decrease the output power to reduce interference with other APs. Select ...

Page 226: ...rofile. In the Wireless Card screen, click the edit icon next to an SSID profile to display the following screen. Figure 135 Configuring SSID. SSID: This field displays the name of the wireless profile on the network. When a wireless client scans for an AP to associate with, this is the name that is broadcast and seen in the wireless client utility. Security: This field indicates which security profile is ...

Page 227: ...r an AP will not find this SSID. Security: Select a security profile to use with this SSID profile. See Section 10.8 on page 227 for more information. RADIUS: This displays N/A if the security profile you selected does not use RADIUS authentication. See Section 10.8 on page 227 for more information. This displays Radius Configuration if you select a security profile that uses RADIUS authentication. Click ...

Page 228: ...lect this to use either WPA-PSK or WPA2-PSK, depending on which security mode the wireless client uses. Table 58 WIRELESS Wi-Fi Security: LABEL, DESCRIPTION. Security Profile Index: This is the index number of the security profile. Profile Name: This field displays a name given to a security profile in the Security configuration screen. Security Mode: This field displays the security mode this security prof...

Page 229: ...our 64-bit, 128-bit or 152-bit WEP keys, but only one key can be used at any one time. In order to configure and enable WEP encryption, click WIRELESS Wi-Fi Security Edit. Figure 138 WIRELESS Wi-Fi Security WEP. Table 59 WIRELESS Wi-Fi Security None: LABEL, DESCRIPTION. Name: Type a name (up to 32 printable 7-bit ASCII characters) to identify this security profile. Security Mode: Select None to allow wireless c...

Page 230: ...stem, the wireless clients and AP do not share a secret key for authentication) modes automatically. The default setting is Auto. Key 1 to Key 4: The WEP keys are used to encrypt data. Both the ZyWALL and the wireless clients must use the same WEP key for data transmission. If you chose 64-bit WEP in the WEP Encryption field, then enter any 5 ASCII characters or 10 hexadecimal characters (0-9, A-F) preceded ...

Page 231: ...ntials. In either case, there is usually a short delay while the wireless client logs in to the wireless network again. This value is usually smaller when the wireless network is keeping track of how much time each wireless client is connected to the wireless network (for example, using an authentication server). If the wireless network is not keeping track of this information, you can usually set this va...

Page 232: ...ALL automatically disconnects a wireless client from the wireless network after a period of inactivity. The wireless client needs to send the username and password again before it can use the wireless network again. Some wireless clients may prompt users for a username and password; other clients may use saved login credentials. In either case, there is usually a short delay while the wireless client l...

Page 233: ...is usually smaller when the wireless network is keeping track of how much time each wireless client is connected to the wireless network (for example, using an authentication server). If the wireless network is not keeping track of this information, you can usually set this value higher to reduce the number of delays caused by logging in again. Enter a time interval between 600 and 65535 seconds. Group K...

Page 234: ...network after a period of inactivity. The wireless client needs to send the username and password again before it can use the wireless network again. Some wireless clients may prompt users for a username and password; other clients may use saved login credentials. In either case, there is usually a short delay while the wireless client logs in to the wireless network again. This value is usually smaller...

Page 235: ...RELESS Wi-Fi MAC Filter. The screen appears as shown. To activate MAC filtering on a profile, select Enable from the Enable MAC Filtering drop-down list box in the Wireless Card Edit screen and click Apply. Figure 143 NETWORK WIRELESS CARD MAC Filter. The following table describes the labels in this menu. Table 65 WIRELESS Wi-Fi MAC Filter: LABEL, DESCRIPTION. Association: Define the filter action for the l...

Page 236: ... XX:XX:XX:XX:XX:XX format) of the wireless stations that are allowed or denied access to the ZyWALL in these address fields. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. Table 65 WIRELESS Wi-Fi MAC Filter: LABEL, DESCRIPTION ...

Page 237: ...237 PART III Security: Firewall (239), Content Filtering Screens (271), Content Filtering Reports (293), IPSec VPN (301), Certificates (349), Authentication Server (379) ...


Page 239: ...ewall to protect your LAN computers from attacks by hackers on the Internet and control access between the LAN, DMZ, WLAN and WAN. By default, the firewall: allows traffic that originates from your LAN computers to go to all of the networks; blocks traffic that originates on the other networks from going to the LAN; allows traffic that originates on the WLAN to go to the WAN; allows traffic that originate...

Page 240: ...l rules in the order you list them. When the traffic matches a rule, the ZyWALL takes the action specified in the rule. 11.2 Packet Direction Matrix: The ZyWALL's packet direction matrix allows you to apply certain security settings (like firewall) to traffic flowing in specific directions. For example, click SECURITY FIREWALL to open the following screen. This screen configures general firewall settings. F...

Page 241: ...o not match any of the firewall rules. To set the ZyWALL to, by default, silently block traffic from WAN 1 from going to the DMZ interfaces, you would find where the From WAN1 row and the To DMZ column intersect and set the field to Drop, as shown. Figure 146 Default Block Traffic From WAN1 to DMZ Example. A specific interface or any of the ZyWALL's VPN connections. A specific interface or any of the ZyWA...

Page 242: ...anagement settings to allow only a specific computer to manage the ZyWALL. LAN to WAN 1: These rules specify which computers on the LAN can access which computers or services connected to WAN 1. See Section 11.5 on page 248 for an example. WAN 1 to LAN: These rules specify which computers connected to WAN 1 can access which computers or services on the LAN. For example, you may create rules to: Allow cert...

Page 243: ...or example, by default the From LAN To VPN default firewall rule allows traffic from the LAN computers to go out through any of the ZyWALL's VPN tunnels. You could configure the From DMZ To VPN default rule to set the ZyWALL to silently block traffic from the DMZ computers from going out through any of the ZyWALL's VPN tunnels. Figure 147 From LAN to VPN Example. WAN to WAN: By default, the ZyWALL stops...

Page 244: ... the ZyWALL's VPN tunnels. The ZyWALL decrypts the VPN traffic and then applies the firewall rules. From VPN means traffic that came into the ZyWALL through a VPN tunnel and is going to the selected "to" interface. For example, by default the firewall allows traffic from any VPN tunnel to go to any of the ZyWALL's interfaces, the ZyWALL itself and other VPN tunnels. You could edit the From VPN To LAN defa...

Page 245: ...Chapter 11 Firewall. ZyWALL 2WG User's Guide, 245. Figure 149 From VPN to LAN Example. In order to do this, you would configure the SECURITY FIREWALL Default Rule screen as follows ...

Page 246: ...gh another of the ZyWALL's VPN tunnels (this is called hub-and-spoke VPN; see Section 14.20 on page 344 for details). The ZyWALL decrypts the traffic and applies the firewall rules before re-encrypting it or allowing the traffic to terminate at the ZyWALL. In the following example, the From VPN To VPN default firewall rule silently blocks the traffic that the ZyWALL receives from any VPN tunnel (either A...

Page 247: ...Figure 151 From VPN to VPN Example. You would configure the SECURITY FIREWALL Default Rule screen as follows. Figure 152 Block VPN to VPN Traffic by Default Example ...

Page 248: ...rs access to resources on the LAN create a security vulnerability. For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN, Internet users may be able to connect to computers with running FTP servers. 4. Does this rule conflict with any existing rules? Once these questions have been answered, adding rules is simply a matter of entering the information into the correct fields in the w...

Page 249: ...order to make sure that the CEO's computer always uses the same IP address, make sure it either has a static IP address or you configure a static DHCP entry for it so the ZyWALL always assigns it the same IP address (see Section 6.8 on page 153 for information on static DHCP). Now you configure a LAN to WAN firewall rule that allows IRC traffic from the IP address of the CEO's computer (192.168.1.7) for...

Page 250: ...set the connection as the connection has not been acknowledged. You can have the ZyWALL permit the use of asymmetrical route topology on the network (not reset the connection). Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use IP alias to put the ZyWALL and the backup gateway on separate subnets. 11.6.1 Asymme...

Page 251: ...o Solve the Triangle Route Problem. 11.7 Firewall Default Rule (Router Mode): Click SECURITY FIREWALL to open the Default Rule screen. Use this screen to configure general firewall settings when the ZyWALL is set to router mode. Figure 156 SECURITY FIREWALL Default Rule (Router Mode) ...

Page 252: ...ctivate the firewall, all current connections through the ZyWALL are dropped when you apply your changes. Allow Asymmetrical Route: If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL's LAN IP address, return traffic may not go through the ZyWALL. This is called an asymmetrical or "triangle" route. This causes the ZyWALL to reset the connection, as the connection has not b...

Page 253: ... the traffic before encrypting it. From VPN To VPN means traffic that comes in through a VPN tunnel and goes out through another VPN tunnel or terminates at the ZyWALL. This is the case when the ZyWALL is the hub in a hub-and-spoke VPN. This is also the case if you allow someone to use a service (like Telnet or HTTP) through a VPN tunnel to manage the ZyWALL. The ZyWALL applies the firewall to the traff...

Page 254: ...s firewall rules storage space that is currently in use. When the storage space is almost full, you should consider deleting unnecessary firewall rules before adding more firewall rules. Enable Firewall: Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated. Note: When you activate the firewall ...

Page 255: ...et or HTTP) through a VPN tunnel to manage the ZyWALL. The ZyWALL applies the firewall to the traffic after decrypting it. Note: The VPN connection directions apply to the traffic going to or from the ZyWALL's VPN tunnels. They do not apply to other VPN traffic for which the ZyWALL is not one of the gateways (VPN pass-through traffic). Use the drop-down list box to set the firewall's default actions based...

Page 256: ...te: The VPN connection directions apply to the traffic going to or from the ZyWALL's VPN tunnels. They do not apply to other VPN traffic for which the ZyWALL is not one of the gateways (VPN pass-through traffic). In the heading row, click to expand or to collapse the Source Address, Destination Address and Service Type drop-down lists for all of the displayed rules. Default Policy: This field displays the ...

Page 257: ...x displays the services to which this firewall rule applies. Custom services have an * before the name. See Appendix D on page 737 for a list of common services. Action: This field displays whether the firewall silently discards packets (Drop), discards packets and sends a TCP reset packet or an ICMP destination-unreachable message to the sender (Reject), or allows the passage of packets (Permit). Sch: This field...

Page 258: ...Figure 159 SECURITY > FIREWALL > Rule Summary > Edit ...

Page 259: ...t Edit Service: Available / Selected Services. Highlight a service from the Available Services box on the left, then click to add it to the Selected Service(s) box on the right. To remove a service, highlight it in the Selected Service(s) box on the right, then click. Next to the name of a service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP or ICMP). The second field in...

Page 260: ...CP reset packet or an ICMP destination-unreachable message to the sender. Select Reject to deny the packets and send a TCP reset packet (for a TCP packet) or an ICMP destination-unreachable message (for a UDP packet) to the sender. Select Permit to allow the passage of the packets. Note: You also need to configure NAT port forwarding (or full-featured NAT address mapping) rules if you want to allow computer...

Page 261: ...nd to PING on: Select the check boxes of the interfaces that you want to reply to incoming Ping requests. Clear an interface's check box to have the ZyWALL not respond to any Ping requests that come into that interface. Do not respond to requests for unauthorized services: Select this option to prevent hackers from finding the ZyWALL by probing for unused ports. If you select this option, the ZyWALL wil...

Page 262: ...your LAN network. 3 The CPU power of servers in your LAN network. 4 Network bandwidth. 5 Type of traffic for certain servers. Reduce the threshold values if your network is slower than average for any of these factors, especially if you have servers that are slow or handle many tasks and are often busy. If you often use P2P applications such as file sharing with eMule or eDonkey, it's recommended that yo...

Page 263: ...existing half-open sessions that causes the firewall to stop deleting half-open sessions. The ZyWALL continues to delete half-open requests as necessary until the number of existing half-open sessions drops below this number. Maximum Incomplete High: This is the number of existing half-open sessions that causes the firewall to start deleting half-open sessions. When the number of existing half-open se...

Page 264: ...services that are predefined in the ZyWALL. See Section 11.1 on page 239 for more information about the firewall. Figure 163 SECURITY > FIREWALL > Service. The following table describes the labels in this screen. Table 74 SECURITY > FIREWALL > Service. LABEL / DESCRIPTION. Custom Service: This table shows all configured custom services. #: This is the index number of the custom service. Service Name: This is the name of...

Page 265: ...o go to the screen where you can edit the service. Click the delete icon to remove an existing service. A window displays asking you to confirm that you want to delete the service. Note that subsequent services move up by one when you take this action. Add: Click this button to bring up the screen that you use to configure a new custom service that is not in the predefined list of services. Predefined S...

Page 266: ...rotocol (TCP, UDP, TCP/UDP, ICMP or Custom) that defines your customized service from the drop-down list box. If you select Custom, specify the protocol's number. For example, ICMP is 1, TCP is 6, UDP is 17 and so on. Port Range: Enter the port number (from 1 to 255) that defines the customized service. To specify one port only, enter the port number in the From field and enter it again in the To field. To specify ...

Page 267: ... existing firewall rules for the selected direction of travel of packets. 4 Click the insert icon at the top of the row to create the new firewall rule before the others. Figure 167 My Service Firewall Rule Example: Rule Summary. 5 The Edit Rule screen displays. Enter the name of the firewall rule. 6 Select Any in the Destination Address(es) box and then click Delete. 7 Configure the destination address f...

Page 268: ...e and Destination Addresses. 8 In the Edit Service section, use the arrows between Available Services and Selected Service(s) to configure it as follows. Click Apply when you are done. Custom services show up with an * before their names in the Services list boxes and the Rule Summary screen's Service Type list box ...

Page 269: ...Figure 169 My Service Firewall Rule Example: Edit Rule: Service Configuration. Rule 1 allows a My Service connection from WAN 1 to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN ...

Page 270: ...Figure 170 My Service Firewall Rule Example: Rule Summary Completed ...

Page 271: ...ies such as pornography or racial intolerance to block from a pre-defined list. 12.1.3 Customize Web Site Access. You can specify URLs to which the ZyWALL blocks access. You can alternatively block access to all URLs except ones that you specify. You can also have the ZyWALL block access to URLs that contain key words that you specify. 12.2 Content Filtering with an External Database. When you register ...

Page 272: ...ALL has no record of the web site, it will query the external content filtering database and simultaneously send the request to the web server. The external content filtering database may change a web site's category or categorize a previously uncategorized web site. 5 The external content filtering server sends the category information back to the ZyWALL, which then blocks and/or logs access to the w...

Page 273: ...ic that the ZyWALL sends out through a VPN tunnel or receives through a VPN tunnel. The ZyWALL applies the content filter to the traffic before encrypting it or after decrypting it. Note: The ZyWALL can apply content filtering on the traffic going to or from the ZyWALL's VPN tunnels. It does not apply to other VPN traffic for which the ZyWALL is not one of the gateways (VPN pass-through traffic). Externa...

Page 274: ...nse from the external content filtering database. This can be caused by an expired content filtering registration (external content filtering's license key is invalid). Select Log to record attempts to access web pages that occur when the external content filtering database is unavailable. Content Filter Server Unavailable Timeout: Specify a number of seconds (1 to 30) for the ZyWALL to wait for a respons...

Page 275: ...LL and activated the category-based content filtering service. Trial Active and the trial subscription expiration date display if you have registered the ZyWALL and activated the category-based content filtering service. License Inactive and the date your subscription expired display if your subscription to the category-based content filtering service has expired. Note: After you register for content ...

Page 276: ...d displays whether a content filter policy is turned on (Y) or not (N). Click the setting to change it. Group Address: This drop-down list box displays the source user addresses or ranges of addresses to which the content filter policy applies. Please note that a blank source or destination address is equivalent to Any. Modify: Click the general icon to restrict web features and edit the source user address...

Page 277: ...policy becomes number 6, and the previous content filter policy 6 (if there is one) becomes content filter policy 7. Click Insert to display the screens where you configure the content filter policy. Move: Type a content filter policy's index number and the number for where you want to put that policy. Click Move to move the policy to the number that you typed. The ordering of your policies is important, a...

Page 278: ...nd provide service based on ID. Web Proxy: A server that acts as an intermediary between a user and the Internet to provide security, administrative control and caching service. When a proxy server is located on the WAN, it is possible for LAN users to circumvent content filtering by pointing to this proxy server. Address Setup: Address Type: Do you want the policy to apply to packets from a particular si...

Page 279: ...cted pages and a web page matches more than one category you selected, you will see a log showing this page matches one category (the first matched one) only. Select All Categories: Select this check box to restrict access to all site categories listed below. Clear All Categories: Select this check box to clear the selected categories below. Adult/Mature Content: Selecting this category excludes pages that...

Page 280: ... also includes pages that provide or sell questionable educational materials, such as term papers. Note: This category includes sites identified as being malicious in any way, such as having viruses, spyware, etc. Gambling: Selecting this category excludes pages where a user can place a bet or participate in a betting pool (including lotteries) online. It also includes pages that provide information, assi...

Page 281: ... Illegal Drugs: Selecting this category excludes pages that promote, offer, sell, supply, encourage or otherwise advocate the illegal use, cultivation, manufacture or distribution of drugs, pharmaceuticals, intoxicating plants or chemicals and their related paraphernalia. Education: Selecting this category excludes pages that offer educational information, distance learning and trade school information or pro...

Page 282: ...rmation. This includes drive-by downloads, browser hijackers, dialers, intrusive advertising, any program which modifies your homepage, bookmarks or security settings, and keyloggers. It also includes any software which bundles spyware (as defined above) as part of its offering. Information collected or reported is personal if it contains uniquely identifying data, such as email addresses, name, social security...

Page 283: ... connect with others to form an online community. Typically, members describe themselves in personal web page policies and form interactive networks, linking them with other members based on common interests or acquaintances. Instant messaging, file sharing and web logs (blogs) are common features of Social Networking sites. Note: These sites may contain offensive material in the community-created content ...

Page 284: ...ne purchase of vehicles or parts. Humor/Jokes: Selecting this category excludes pages that primarily focus on comedy, jokes, fun, etc. This may include pages containing jokes of adult or mature nature. Pages containing humorous Adult/Mature content also have an Adult/Mature category rating. Software Downloads: Selecting this category excludes pages that are dedicated to the electronic download of software ...

Page 285: ...cludes pages of organizations that provide top-level domain pages, as well as web communities or hosting services. Advanced / Basic: Click Advanced to see an expanded list of categories or click Basic to see a smaller list. Test Web Site Attribute: Test if Web site is blocked: You can check whether or not the content filter policy currently blocks any given web page. Enter a web site URL in the text box. Te...

Page 286: ...idden web sites. Content filter list customization may be enabled and disabled without re-entering these site names. Disable all Web traffic except for trusted Web sites: When this box is selected, the ZyWALL only allows Web access to sites on the Trusted Web Site list. If they are chosen carefully, this is the most effective way to block objectionable material. Don't block Java/ActiveX/Cookies/Web proxy...

Page 287: ... the arrow button to move them to the Forbidden Web Sites list. Forbidden Web Sites: This list displays web sites to which this content filtering policy blocks access. Select an entry and use the arrow button to remove it from the list. Keyword Blocking: Keyword blocking allows you to block websites with URLs that contain certain keywords in the domain name or IP address. See Section 12.10 on page 290 f...

Page 288: ...erver data such as ActiveX, Java, Cookies and Web Proxy are not affected. Always: Select this option to have content filtering active all the time. Everyday from / to: Select this option to have content filtering active during the specified time interval(s) of each day. In the from and to fields, enter the time period(s) in 24-hour format during which content filtering will be enforced. Customization: Select th...

Page 289: ...re 178 SECURITY > CONTENT FILTER > Object. The following table describes the labels in this screen. Table 82 SECURITY > CONTENT FILTER > Object. LABEL / DESCRIPTION. Trusted Web Sites: These are sites to which you want to allow access regardless of their content rating; add them to this list. You can enter up to 32 entries. Add Trusted Web Site: Enter host names such as www.good-site.com into thi...

Page 290: ...d. Do not enter the complete URL of the site, that is, do not include http://. All subdomains are blocked. For example, entering bad-site.com also blocks www.bad-site.com, partner.bad-site.com, press.bad-site.com, etc. Forbidden Web Sites: This list displays the forbidden web sites already added. Add: Click this button when you have finished adding the host name in the text field above. Delete: Select a web site na...

Page 291: ...e command to extend or not extend the keyword blocking search to include the URL's complete filename. 12.11 Content Filtering Cache. Click SECURITY > CONTENT FILTER > Cache to display the CONTENT FILTER Cache screen. Use this screen to view and configure your ZyWALL's URL caching. You can also configure how long a categorized web site address remains in the cache, as well as view those web site addresses t...

Page 292: ...to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. URL Cache Entry: Flush: Click this button to clear all web site addresses from the cache manually. Refresh: Click this button to reload the cache. #: This is the index number of a categorized web site address record. Category: This field shows the site category to which requested access belongs. URL: This is a web site's address that the ...

Page 293: ...b configurator's CONTENT FILTER > Categories screen. 2 Select at least one category and click Apply. 3 Enter a valid URL or IP address of a web site in the Test if Web site is blocked field and click the Test Against Internet Server button. When content filtering is active, you should see an access blocked or access forwarded message. An error message displays if content filtering is not active. 13.2 View...

Page 294: ...odel name and/or MAC address under Registered ZyXEL Products. You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 182 on page 295). Figure 181 myZyXEL.com Welcome. 4 In the Service Management screen, click Content Filter in the Service Name field to open the Blue Coat login screen ...

Page 295: ...nter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 182 on page 295). Type your myZyXEL.com account password in the Password field. 6 Click Submit. Figure 183 Blue Coat Login. 7 In the Web Filter Home screen, click the Reports tab ...

Page 296: ...igure 185 Blue Coat Report Home. 9 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field, and a category (or enter the user name if you want to view single-user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen. 10 A chart and/or list of requested web site categories display in the lower half of ...

Page 297: ...Figure 186 Global Report Screen Example. 11 You can click a category in the Categories report, or click URLs in the Report Home screen, to see the URLs that were requested ...

Page 298: ...gorized or that a web site's contents have changed and the content filtering category needs to be updated. Use the following procedure to submit the web site for review. 1 Log into the content filtering reports web site (see Section 13.2 on page 293). 2 In the Web Filter Home screen (see Figure 184 on page 296), click Site Submissions to open the Web Page Review Process screen shown next ...

Page 299: ...Figure 188 Web Page Review Process Screen. 3 Type the web site's URL in the field and click Submit to have the web site reviewed ...

Page 301: ...rol and auditing. It is used to transport traffic over the Internet or any insecure network that uses TCP/IP for communication. Internet Protocol Security (IPSec) is a standards-based VPN that offers flexible solutions for secure data communications across a public network like the Internet. IPSec is built around a number of standardized cryptographic techniques to provide confidentiality, data integrit...

Page 302: ...rks. Between routers X and Y, the data is protected by tunneling, encryption, authentication and other security features of the IPSec SA. The IPSec SA is established securely using the IKE SA that routers X and Y established first. The rest of this section discusses IKE SA and IPSec SA in more detail. 14.1.1 IKE SA Overview. The IKE SA provides a secure connection between the ZyWALL and remote IPSec route...

Page 303: ...SA, but only the remote IPSec router can initiate an IKE SA. 14.2 VPN Rules (IKE). A VPN (Virtual Private Network) tunnel gives you a secure connection to another computer or network. A gateway policy contains the IKE SA settings. It identifies the IPSec routers at either end of a VPN tunnel. A network policy contains the IPSec SA settings. It specifies which devices behind the IPSec routers can use the VPN ...

Page 304: ...ss, domain name or dynamic domain name of your ZyWALL displays in router mode. The ZyWALL's IP address displays in bridge mode. Remote Gateway: This represents the remote secure gateway. The IP address, domain name or dynamic domain name of the remote IPSec router displays if you specify it; otherwise Dynamic displays. Click this icon to add a VPN network policy. Network Policies: The subsequent rows in a V...

Page 305: ...c router cannot establish an IKE SA. Click this icon to display a screen in which you can change the settings of a gateway or network policy. Click this icon to delete a gateway or network policy. When you delete a gateway, the ZyWALL automatically moves the associated network policy(ies) to the recycle bin. When you delete a network policy, it is just deleted. Click this icon to establish a VPN connectio...

Page 306: ...key group is a fixed number of bits long. The longer the key, the more secure the encryption keys, but also the longer it takes to encrypt and decrypt information. For example, DH2 keys (1024 bits) are more secure than DH1 keys (768 bits), but DH2 encryption keys take longer to encrypt and decrypt. 14.3.1.2 Authentication. Before the ZyWALL and remote IPSec router establish an IKE SA, they have to verify each ...

Page 307: ...ype and content match, so the ZyWALL and the remote IPSec router authenticate each other successfully. In the following example, the ID type and content do not match, so the authentication fails and the ZyWALL and the remote IPSec router cannot establish an IKE SA. It is also possible to configure the ZyWALL to ignore the identity of the remote IPSec router. In this case, you usually set the peer ID type...

Page 308: ...er name and password to the other router, which uses a local user database and/or an external server to verify the user name and password. If the user name or password is wrong, the routers do not establish an IKE SA. You can set up the ZyWALL to provide a user name and password to the remote IPSec router, or you can set up the ZyWALL to check a user name and password that is provided by the remote IPS...

Page 309: ...t establish a VPN tunnel. Most routers like router A now have an IPSec pass-through feature. This feature helps router A recognize VPN packets and route them appropriately. If router A has this feature, router X and router Y can establish a VPN tunnel as long as the active protocol is ESP. See Section 14.6.3 on page 320 for more information about active protocols. If router A does not have an IPSec pass...

Page 310: ...inutes of outbound traffic with no inbound traffic. If you set the IPSec SA to nailed up, the ZyWALL automatically renegotiates the IPSec SA when the SA life time expires, and it does not drop the IPSec SA if there is no inbound traffic. The SA life time and nailed up settings only apply if the rule identifies the remote IPSec router by a static IP address or a domain name. If the Primary Remote Gatewa...

Page 311: ... encryption algorithms for each proposal. The encryption algorithms are listed here in order from weakest to strongest. Data Encryption Standard (DES) is a widely used but breakable method of data encryption. It applies a 56-bit key to each 64-bit block of data. Triple DES (3DES) is a variant of DES. It iterates three times with three separate keys, effectively tripling the strength of DES. Advanced Encrypti...

Page 312: ...way policy icon or the edit icon to display the VPN Gateway Policy Edit screen. Use this screen to configure a VPN gateway policy. The gateway policy identifies the IPSec routers at either end of a VPN tunnel (My ZyWALL and Remote Gateway) and specifies the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA ...

Page 313: ...Figure 199 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy ...

Page 314: ... when using traffic redirect. Otherwise, you can select My Domain Name and choose one of the dynamic domain names that you have configured in the DDNS screen to have the ZyWALL use that dynamic domain name's IP address. When the ZyWALL is in bridge mode, this field is read-only and displays the ZyWALL's IP address. The VPN tunnel has to be rebuilt if the My ZyWALL IP address changes after setup. Primary...

Page 315: ...ed on both ends. Certificate: Select the Certificate radio button to identify the ZyWALL by a certificate. Use the drop-down list box to select the certificate to use for this VPN tunnel. You must have certificates already configured in the My Certificates screen. Click My Certificates to go to the My Certificates screen, where you can view the ZyWALL's list of certificates. Local ID Type: Select IP to id...

Page 316: ...n name or e-mail address by which to identify the remote IPSec router. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string. It is recommended that you type an IP address other than 0.0.0.0 or use the DNS or E-mail ID type in the following situations: 1 When there is a NAT rout...

Page 317: ...tion mode. Encryption Algorithm: Select which key size and encryption algorithm to use in the IKE SA. Choices are: DES, a 56-bit key with the DES encryption algorithm; 3DES, a 168-bit key with the DES encryption algorithm; AES, a 128-bit key with the AES encryption algorithm. The ZyWALL and the remote IPSec router must use the same algorithms and keys. Longer keys require more processing power, resulting in i...

Page 318: ...nown or there are many remote networks using one VPN rule (see Section 14.18.1 on page 342 for an example of telecommuters sharing one VPN rule). It is not recommended to set a VPN rule's local and remote network settings both to 0.0.0.0 (any). Associated Network Policies: The following table shows the policy(ies) you configure for this rule. To add a VPN policy, click the add network policy icon in the VPN...

Page 319: ...g local and remote IP addresses. You can set up virtual address mapping on both IPSec routers to allow computers on network X to access network X and network Y computers with the same IP address. You set ZyWALL A to change the source IP addresses of packets from local network X (192.168.1.2 to 192.168.1.4) to virtual IP addresses (10.0.0.2 to 10.0.0.4) before sending them through the VPN tunnel. You set ...

Page 320: ...tion between the ZyWALL and remote IPSec router (for example, for remote management), not between computers on the local and remote networks. The ZyWALL and remote IPSec router must use the same encapsulation. These modes are illustrated below. In tunnel mode, the ZyWALL uses the active protocol to encapsulate the entire IP packet. As a result, there are two IP headers. Outside header: The outside IP header c...

Page 321: ... remote IPSec router perform a DH key exchange every time an IPSec SA is established, changing the root key from which encryption keys are generated. As a result, if one encryption key is compromised, other encryption keys remain secure. If you do not enable PFS, the ZyWALL and remote IPSec router use the same root key that was generated when the IKE SA was established to generate encryption keys. The DH...

Page 322: ...Figure 202 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy ...

Page 323: ...te network and vice versa. Select this check box to send NetBIOS packets through the VPN connection. Check IPSec Tunnel Connectivity: Select the check box and configure an IP address in the Ping this Address field to have the ZyWALL periodically test the VPN tunnel to the remote IPSec router. The ZyWALL pings the IP address every minute. The ZyWALL starts the IPSec connection idle timeout timer when it...

Page 324: ...One or Many-to-One in the Type field, enter an IP address as the translated IP address. Many-to-one rules are only for traffic going to the remote network. Use port forwarding rules to allow incoming traffic from the remote network. When you select Many One-to-One in the Type field, enter the beginning IP address of a range of translated IP addresses. Virtual Ending IP Address: When you select Many One-t...

Page 325: ...the beginning static IP address in a range of computers on the network behind the remote IPSec router. When the Address Type field is configured to Subnet Address, enter a static IP address on the network behind the remote IPSec router. Ending IP Address / Subnet Mask: When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address...

Page 326: ...encryption. Choices are: NONE (disable PFS); DH1 (enable PFS and use a 768-bit random number); DH2 (enable PFS and use a 1024-bit random number). PFS changes the root key that is used to generate encryption keys for each IPSec SA. It is more secure but takes more time. Enable Replay Detection: As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can...

Page 327: ...e port forwarding server entry. Name: Enter a descriptive name for identifying purposes. Start Port: Type a port number in this field. To forward only one port, type the port number again in the End Port field. To forward a series of ports, type the start port number here and the end port number in the End Port field. End Port: Type a port number in this field. To forward only one port, type the port number i...

Page 328: ... Policy. LABEL / DESCRIPTION. Network Policy Information: The following fields display the general network settings of this VPN policy. Name: This field displays the policy name. Local Network: This field displays one or a range of IP address(es) of the computer(s) behind the ZyWALL. Remote Network: This field displays one or a range of IP address(es) of the remote network behind the remote IPSec router. Gateway...

Page 329: ...rs set up the tunnel. If you find a disconnect icon next to the rule you just created in the VPN Rules (IKE) screen, the ZyWALL automatically built the VPN tunnel. Go to the SA Monitor screen to view a list of connected VPN tunnels. See Section 14.16 on page 338 for more information. Figure 205 VPN Rule Configured. The following screen displays. Figure 206 VPN Dial. This screen displays later if the IPSec r...

Page 330: ...oth ZyXEL IPSec routers. Check the settings in each field methodically and slowly. 14.11.1 VPN Log. The system log can often help to identify a configuration problem. Use the web configurator LOGS > Log Settings screen to enable IKE and IPSec logging at both ends, clear the log and then build the tunnel. View the log via the web configurator LOGS > View Log screen, or type sys log disp from SMT Menu 24.8. See...

Page 331: ... 5.6.7.8 IKE: The cookie pair is 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA; 7 01/11/2001 18:47:21 5.6.7.8 5.1.2.3 IKE: IKE Packet Retransmit; 8 01/11/2001 18:47:21 5.6.7.8 5.1.2.3 IKE: The cookie pair is 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA; 9 01/11/2001 18:47:17 5.6.7.8 5.1.2.3 IKE: Send HASH SA NONCE ID ID; 10 01/11/2001 18:47:17 5.6.7.8 5.1.2.3 IKE: The cookie pair is 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA ...

Page 332: ...psec debug type 2 on; ras> ipsec debug level 3; ras> ipsec dial 1; get_ipsec_sa_by_policyIndex: Start dialing for tunnel rule 1; ikeStartNegotiate: saIndex 0, peerIp 5.1.2.3, protocol IPSEC_ESP(3); peer Ip 5.1.2.3, initiator type IPSEC_ESP, exch Main; initiator protocol IPSEC_ESP, exchange mode Main mode; find_ipsec_sa: find ipsec sa: Not found; Not found; isadb_is_outstanding_req: isakmp is outstanding req: SA not found...

Page 333: ...and one authentication algorithm. You cannot specify several proposals. There is no DH key exchange, so you have to provide the encryption key and the authentication key the ZyWALL and remote IPSec router use. The ZyWALL and remote IPSec router must use the same encryption key and authentication key. 14.13.2 Authentication and the Security Parameter Index (SPI). For authentication, the ZyWALL and remote IP...

Page 334: ...r(s) on the remote network behind the remote IPSec router. This field displays N/A when the Remote Gateway Address field displays 0.0.0.0. In this case, only the remote IPSec router can initiate the VPN. The same static IP address is displayed twice when the Remote Network Address Type field in the VPN Manual Key Edit screen is configured to Single Address. The beginning and ending static IP addresses i...

Page 335: ...oblems with IKE key management. See Section 14.13 on page 333 for more information about IPSec SAs using manual keys. Figure 211 SECURITY > VPN > VPN Rules (Manual) > Edit. The following table describes the labels in this screen. Table 92 SECURITY > VPN > VPN Rules (Manual) > Edit. LABEL / DESCRIPTION. Property: Active: Select this check box to activate this VPN policy. Name: Type up to 32 characters to identify this VPN pol...

Page 336: ...s N/A. When the Address Type field is configured to Range Address, enter the end static IP address in a range of computers on the LAN behind your ZyWALL. When the Address Type field is configured to Subnet Address, this is a subnet mask on the LAN behind your ZyWALL. Remote Network: Specify the IP addresses of the devices behind the remote IPSec router that can use the VPN tunnel. The remote IP addresses...

Page 337: ...you must select options from the Authentication Algorithm field described next. Encryption Algorithm: Select DES, 3DES or NULL from the drop-down list box. When DES is used for data communications, both sender and receiver must know the Encryption Key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit k...

Page 338: ... addresses (see Section 14.6.2 on page 319). For example, you usually would not configure both with 192.168.1.0. However, overlapping local and remote network IP addresses can occur with dynamic VPN rules or IP alias. Table 93 SECURITY > VPN > SA Monitor. LABEL / DESCRIPTION. #: This is the security association index number. Name: This field displays the identification name for this VPN policy. Local Network: This fiel...

Page 339: ...Figure 213 Overlap in a Dynamic VPN Rule. Setting Local and Remote IP Address Conflict Resolution to The Local Network has the ZyWALL check if a packet's destination is also at the local network before forwarding the packet. If it is, the ZyWALL sends the traffic to the local network. Setting Local and Remote IP Address Conflict Resolution to The Remote Network disables the checking for local network...

Page 340: ...ITY > VPN > Global Setting. The following table describes the labels in this screen. Table 94 SECURITY > VPN > Global Setting. LABEL / DESCRIPTION: Output Idle Timer: The ZyWALL disconnects a VPN tunnel if the remote IPSec router does not reply for this number of seconds. Input Idle Timer: When no traffic is received from a remote IPSec router after the specified time period, the ZyWALL disconnects the VPN tunnel. 0...

Page 341: ...ypts them for VPN. The ZyWALL fragments packets that are larger than a connection's MTU (Maximum Transmit Unit). In most cases you should leave this set to Auto. The ZyWALL automatically sets the Maximum Segment Size (MSS) of the TCP packets that are to be encrypted by VPN based on the encapsulation type. Select Off to not adjust the MSS for the encrypted TCP packets. If your network environment causes fra...

Page 342: ...c DNS to do this. With aggressive negotiation mode (see Section 14.3.1.4 on page 308), the ZyWALL can use the ID types and contents to distinguish between VPN rules. Telecommuters can each use a separate VPN rule to simultaneously access a ZyWALL at headquarters. They can use different IPSec parameters. The local IP addresses (or ranges of addresses) of the rules configured on the ZyWALL at headquarters ca...

Page 343: ...Telecommuter Rules | All Headquarters Rules. My ZyWALL: 0.0.0.0 | My ZyWALL: bigcompanyhq.com. Remote Gateway Address: bigcompanyhq.com. Local Network: Single IP Address 192.168.1.10 | Remote Network: Single IP Address 192.168.1.10. Local ID Type: E-mail | Peer ID Type: E-mail. Local ID Content: bob@bigcompanyhq.com | Peer ID Content: bob@bigcompanyhq.com. Telecommuter A (telecommutera.dydns.org) | Headquarters ZyWALL Rule 1...

Page 344: ...nagement must also be configured to allow HTTP access on the ZyWALL's LAN interface. Figure 218 VPN for Remote Management Example. 14.20 Hub-and-spoke VPN. Hub-and-spoke VPN connects VPN tunnels to form one secure network. Figure 219 on page 345 shows some example network topologies. In the first (fully meshed) approach, there is a VPN connection between every pair of routers. In the second (hub-and-spoke) a...

Page 345: ...e a hub-and-spoke VPN in every situation, however. The hub router is a single point of failure, so a hub-and-spoke VPN may not be appropriate if the connection between the spoke routers cannot be down occasionally (for maintenance, for example). In addition, there is a significant burden on the hub router. It receives VPN traffic from one spoke, decrypts it, inspects it to find out where to send it, encrypts...

Page 346: ...rs. Rule 1: Remote Gateway 10.0.0.2; Local IP address 192.168.168.0 - 192.168.169.255; Remote IP address 192.168.167.0 / 255.255.255.0. Rule 2: Remote Gateway 10.0.0.3; Local IP address 192.168.167.0 - 192.168.168.255; Remote IP address 192.168.169.0 / 255.255.255.0. Branch Office B: Remote Gateway 10.0.0.1; Local IP address 192.168.169.0 / 255.255.255.0; Remote IP address 192.168.167.0 - 192.168.168.255. 14.20.3 Hub-and...

Page 347: ...spoke networks with which the spoke is to be able to have a VPN tunnel. This may require you to use more than one VPN rule. If you want to have the spoke routers access the Internet through the hub-and-spoke VPN tunnel, set the VPN rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address. Make sure that your From VPN and To VPN firewall rules do not block the VPN packets. ...

Page 349: ...kept secure. Public key encryption in general works as follows. 1. Tim wants to send a private message to Jenny. Tim generates a public/private key pair. What is encrypted with one key can only be decrypted using the other. 2. Tim keeps the private key and makes the public key openly available. 3. Tim uses his private key to encrypt the message and sends it to Jenny. 4. Jenny receives the message and uses T...

Page 350: ...eys. 15.2 Self-signed Certificates. You can have the ZyWALL act as a certification authority and sign its own certificates. 15.3 Verifying a Certificate. Before you import a trusted CA or trusted remote host certificate into the ZyWALL, you should verify that you have the actual certificate. This is especially true of trusted CA certificates, since the ZyWALL also trusts any valid certificate signed by a...

Page 351: ...o manage certificates on the ZyWALL. Figure 223 Certificate Configuration Overview. Use the My Certificate screens to generate and export self-signed certificates or certification requests and import the ZyWALL's CA-signed certificates. Use the Trusted CA screens to save the certificates of trusted CAs to the ZyWALL. You can also export the certificates to a computer. Use the Trusted Remote Hosts scree...

Page 352: ...t certificate. The factory default certificate is common to all ZyWALLs that use certificates. ZyXEL recommends that you use this button to replace the factory default certificate with one that uses your ZyWALL's MAC address. This field displays the certificate index number. The certificates are listed in alphabetical order. Name: This field displays the name used to identify this certificate. It is reco...

Page 353: ...a certificate that one or more features is configured to use. Do the following to delete a certificate that shows SELF in the Type field. 1. Make sure that no other features (such as HTTPS, VPN, SSH) are configured to use the SELF certificate. 2. Click the details icon next to another self-signed certificate (see the description on the Create button if you need to create a self-signed certificate). 3. Select t...

Page 354: ...you can also set the ZyWALL to use the certificate to sign the imported trusted remote host certificates. Figure 225 SECURITY > CERTIFICATES > My Certificates > Details. The following table describes the labels in this screen. Table 98 SECURITY > CERTIFICATES > My Certificates > Details. LABEL / DESCRIPTION: Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 3...

Page 355: ...the certificate is about to expire or has already expired. Key Algorithm: This field displays the type of algorithm that was used to generate the certificate's key pair (the ZyWALL uses RSA encryption) and the length of the key set in bits (1024 bits, for example). Subject Alternative Name: This field displays the certificate owner's IP address (IP), domain name (DNS) or e-mail address (EMAIL). Key Usage: This fiel...

Page 356: ...port the file into the ZyWALL. Figure 226 SECURITY > CERTIFICATES > My Certificates > Export. The following table describes the labels in this screen. Apply: Click Apply to save your changes back to the ZyWALL. You can only change the name, except in the case of a self-signed certificate, which you can also set to be the default self-signed certificate that signs the imported trusted remote host certificates. C...

Page 357: ...ion that defines the formats for X.509 certificates. PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses 64 ASCII characters to convert a binary X.509 certificate into a printable form. Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. The ZyWALL currently allows the importation of a PKCS#7 file that contains a si...

Page 358: ...g the transfer process. It is easy for this to occur since many programs use text files by default. Figure 227 SECURITY > CERTIFICATES > My Certificates > Import. The following table describes the labels in this screen. When you import a binary PKCS#12 format certificate, another screen displays for you to enter the password. Table 100 SECURITY > CERTIFICATES > My Certificates > Import. LABEL / DESCRIPTION: File Path: T...

Page 359: ...tificate Create screen. Use this screen to have the ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request. Table 101 SECURITY > CERTIFICATES > My Certificates > Import PKCS#12. LABEL / DESCRIPTION: Password: Type the file's password that was created when the PKCS#12 file was exported. Apply: Click Apply to save the certificate on the ZyWAL...

Page 360: ...Figure 229 SECURITY > CERTIFICATES > My Certificates > Create (Basic) ...

Page 361: ...ters (not including spaces) to identify this certificate. Subject Information: Use these fields to record information that identifies the owner of the certificate. You do not have to fill in every field, but the Common Name is mandatory if you click Basic. The certification authority may add fields (such as a serial number) to the subject information when it issues a certificate. It is recommended that each...

Page 362: ...ers. O (organization): select this and enter an organization to identify the owner of the certificate. You can use up to 63 characters. DC (domain component): select this and enter the domain component of a domain to identify the owner of the certificate. For example, if the domain is zyxel.com, the domain component is zyxel or com. You can use up to 63 characters. L (locality name): select this and enter the plac...

Page 363: ...certificate immediately online to have the ZyWALL generate a request for a certificate and apply to a certification authority for a certificate. You must have the certification authority's certificate already imported in the Trusted CAs screen. When you select this option, you must select the certification authority's enrollment protocol and the certification authority's certificate from the drop-dow...

Page 364: ...select the CA's RA signing certificate from the drop-down list box. You must have the certificate already imported in the Trusted CAs screen. Click Trusted CAs to go to the Trusted CAs screen where you can view (and manage) the ZyWALL's list of certificates of trusted certification authorities. RA Encryption Certificate: If you select Enrollment via an RA, select the CA's RA encryption certificate from t...

Page 365: ...on. Issuer: This field displays identifying information about the certificate's issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field. Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includ...

Page 366: ...an in-depth list of information about the certificate. Use the export icon to save the certificate to a computer. Click the icon and then Save in the File Download screen. The Save As screen opens; browse to the location that you want to use and click Save. Click the delete icon to remove the certificate. A window displays asking you to confirm that you want to delete the certificates. Note that subseque...

Page 367: ...o change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces). Property: Check incoming certificates issued by this CA against a CRL: Select this check box to have the ZyWALL check incoming certificates that are issued by this certification authority against a Certificate Revocation List (CRL). Clear this check box to have the ZyWALL not check...

Page 368: ...certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same information as in the Subject Name field. Signature Algorithm: This field displays the type of algorithm that was used to sign the certificate. Some certification authorities use rsa-pkcs1-sha1 (RSA public/private key encryption algorithm and the SHA1 hash algorithm). O...

Page 369: ...ample) that this is actually their certificate. SHA1 Fingerprint: This is the certificate's message digest that the ZyWALL calculated using the SHA1 algorithm. You can use this value to verify with the certification authority (over the phone, for example) that this is actually their certificate. Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification req...

Page 370: ...usted CAs screen. You do not need to add any certificate that is signed by one of the certification authorities on the Trusted CAs screen, since the ZyWALL automatically accepts any valid certificate signed by a trusted certification authority as being trustworthy. Table 105 SECURITY > CERTIFICATES > Trusted CAs > Import. LABEL / DESCRIPTION: File Path: Type in the location of the file you want to upload in thi...

Page 371: ...n or company) and C (Country). It is recommended that each certificate have unique subject information. Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable. Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Ex...

Page 372: ...ties on the Trusted CAs screen, since the ZyWALL automatically accepts any valid certificate signed by a trusted certification authority as being trustworthy. The trusted remote host certificate must be a self-signed certificate, and you must remove any spaces from its filename before you can import it. Figure 235 SECURITY > CERTIFICATES > Trusted Remote Hosts > Import. The following table describes the labe...

Page 373: ...Trusted Remote Hosts to open the Trusted Remote Hosts screen. Click the details icon to open the Trusted Remote Host Details screen. You can use this screen to view in-depth information about the trusted remote host's certificate and/or change the certificate's name. Figure 236 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details ...

Page 374: ...ield displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C). Issuer: This field displays identifying information about the default self-signed certificate on the ZyWALL that the ZyWALL uses to sign the trusted remote host certificates. Signature Algorithm: This field displays the type of algorithm that the ZyWALL use...

Page 375: ...to verify a remote host's certificate before you import it into the ZyWALL. SHA1 Fingerprint: This is the certificate's message digest that the ZyWALL calculated using the SHA1 algorithm. The ZyWALL uses one of its own self-signed certificates to sign the imported trusted remote host certificates. This changes the fingerprint value displayed here, so it does not match the original. See Section 15.3 on...

Page 376: ...d or unnecessary certificates before adding more certificates. The index number of the directory server. The servers are listed in alphabetical order. Name: This field displays the name used to identify this directory server. Address: This field displays the IP address or domain name of the directory server. Port: This field displays the port number that the directory server uses. Protocol: This field displ...

Page 377: ...n dotted decimal notation or the domain name of the directory server. Server Port: This field displays the default server port number of the protocol that you select in the Access Protocol field. You may change the server port number if needed; however, you must use the same server port number that the directory server uses. 389 is the default server port number for LDAP. Login Setting: Login: The ZyWALL m...

Page 379: ...age 741 for more information about RADIUS. 16.1.1 Local User Database. By storing user profiles locally on the ZyWALL, your ZyWALL is able to authenticate users without interacting with a network RADIUS server. However, there is a limit on the number of users you may authenticate in this way. 16.1.2 RADIUS. The ZyWALL can use an external RADIUS server to authenticate an unlimited number of users. 16.2 Loc...

Page 380: ...Figure 239 SECURITY > AUTH SERVER > Local User Database ...

Page 381: ...Enter a password (up to 31 characters long) for this user profile. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. Table 112 SECURITY > AUTH SERVER > RADIUS. LABEL / DESCRIPTION: Authentication Server: Active: Select the check box to enable user authentication through an external authentication server. Clear the check box to enable user authent...

Page 382: ...of the external accounting server in dotted decimal notation. Port Number: The default port of the RADIUS server for accounting is 1813. You need not change this value unless your network administrator instructs you to do so with additional information. Key: Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external accounting server and the ZyWALL. The key is not se...

Page 383: ...PART IV Advanced. Network Address Translation (NAT) (385). Static Route (401). Policy Route (405). Bandwidth Management (411). DNS (427). Remote Management (439). UPnP (461). Custom Application (471). ALG Screen (473) ...

Page 385: ...address refers to the IP address of a host when the packet is in the local network, while the global address refers to the IP address of the host when the same packet is traveling in the WAN side. Note that inside/outside refers to the location of a host, while global/local refers to the IP address of a host used in a packet. Thus, an inside local address (ILA) is the IP address of an inside host in a pa...

Page 386: ...to the DMZ port instead. If you do not define any servers for Many-to-One and Many-to-Many Overload mapping, NAT offers the additional benefit of firewall protection. With no servers defined, your ZyWALL filters out all incoming inquiries, thus preventing intruders from probing your network. For more information on IP address translation, refer to RFC 1631, The IP Network Address Translator (NAT). 17.1.3 Ho...

Page 387: ...rks. 17.1.4 NAT Application. The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter. Figure 242 NAT Application With IP Alias ...

Page 388: ...The ZyWALL changes the server's IP address to 2 and port to B. Since 1, A has already sent packets to 3, C and 4, D, they can send packets back to 2, B and the ZyWALL will perform NAT on them and send them to the server at IP address 1, port A. Packets have not been sent from 1, A to 4, E or 5, so they cannot send packets to 1, A. Figure 243 Port Restricted Cone NAT Example. 17.1.6 NAT Mapping Types. NAT suppor...

Page 389: ...through the ZyWALL. 17.2.1 SUA (Single User Account) Versus NAT. SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping: Many-to-One and Server. The ZyWALL also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types. Select either SUA or Full Feature in NAT Overview. Table...

Page 390: ...ses on the DMZ. 17.3 NAT Overview Screen. Click ADVANCED > NAT to open the NAT Overview screen. Figure 244 ADVANCED > NAT > NAT Overview. The following table describes the labels in this screen. Table 115 ADVANCED > NAT > NAT Overview. LABEL / DESCRIPTION: Global Settings: Max Concurrent Sessions: This read-only field displays the highest number of NAT sessions that the ZyWALL will permit at one time. Max Concurrent Se...

Page 391: ...le address mapping rules are configured. The first number shows how many address mapping rules are configured on the ZyWALL. The second number shows the maximum number of address mapping rules that can be configured on the ZyWALL. Port Forwarding Rules: The bar displays how many of the ZyWALL's possible port forwarding rules are configured. The first number shows how many port forwarding rules are conf...

Page 392: ...ured rules 1 to 6 in your current set and now you configure rule number 9. In the set summary screen, the new rule will be rule 7, not 9. Now if you delete rule 4, rules 5 to 7 will be pushed up by 1 rule, so old rules 5, 6 and 7 become new rules 4, 5 and 6. Figure 245 ADVANCED > NAT > Address Mapping. The following table describes the labels in this screen. Table 116 ADVANCED > NAT > Address Mapping. LABEL / DESCRIPTI...

Page 393: ...the ending Inside Global Address (IGA). This field is N/A for One-to-One, Many-to-One and Server mapping types. Type: 1. One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-One NAT mapping type. 2. Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's S...

Page 394: ...ied in this screen. Table 117 ADVANCED > NAT > Address Mapping > Edit. LABEL / DESCRIPTION: Type: Choose the port mapping type from one of the following. 1. One-to-One: One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-One NAT mapping type. 2. Many-to-One: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to...

Page 395: ...ase refer to RFC 1700 for further information about port numbers. 17.5.3 Configuring Servers Behind Port Forwarding (Example). Let's say you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to another (B in the example) and assign a default server IP address of 192.168.1.35 to a third (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP add...

Page 396: ...world through a single WAN IP address. When you use port translation with port forwarding, multiple servers on the local network can use the same port number and still be accessible to the outside world through a single WAN IP address. The following example has two web servers on a LAN. Server A uses IP address 192.168.1.33 and server B uses 192.168.1.34. Both servers use port 80. The letters a, b, c, d r...

Page 397: ...gn a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. Refer to Figure 118 on page 395 for port numbers commonly used for particular services. The last port forwarding rule is reserved for Roadrunner services. The rule is activated only when you set the WAN Encapsulation to Ethernet and the Service Type to somet...

Page 398: ...lay the corresponding summary page of the port forwarding servers. This is the number of an individual port forwarding server entry. Active: Select this check box to enable the port forwarding server entry. Clear this check box to disallow forwarding of these ports to an inside server without having to delete the entry. Name: Enter a name to identify this port forwarding rule. Incoming Port(s): Enter a por...

Page 399: ...rotocol incoming port, the ZyWALL forwards the traffic to the LAN IP address of the computer that sent the request. After that computer's connection for that service closes, another computer on the LAN can use the service in the same manner. This way you do not need to configure a new IP address each time you want a different LAN computer to use the application. For example: Figure 250 Trigger Port Forw...

Page 400: ...a range of ports that a server on the WAN uses when it sends out a particular service. The ZyWALL forwards the traffic with this port (or range of ports) to the client computer on the LAN that requested the service. Start Port: Type a port number or the starting port number in a range of port numbers. End Port: Type a port number or the ending port number in a range of port numbers. Trigger: The trigger p...

Page 401: ...t reachable through the default gateway, use static routes. For example, the next figure shows a computer (A) connected to the ZyWALL's LAN interface. The ZyWALL routes most traffic from A to the Internet through the default gateway R1. You create one static route to connect to services offered by your ISP behind router R2. You create another static route to communicate with a separate network behind a ro...

Page 402: ...ute screen. The first two static route entries are for default WAN 1 and WAN 2 routes on a ZyWALL with multiple WAN interfaces. You cannot modify or delete a static default route. The default route is disabled after you change the static WAN IP address to a dynamic WAN IP address. Figure 253 ADVANCED > STATIC ROUTE > IP Static Route ...

Page 403: ...IP address of the gateway. The gateway is a router or switch on the same network segment as the ZyWALL's interface. The gateway helps forward packets to their destinations. Modify: Click the edit icon to go to the screen where you can set up a static route on the ZyWALL. Click the delete icon to remove a static route from the ZyWALL. A window displays asking you to confirm that you want to delete the r...

Page 404: ...orks. Enter a number that approximates the cost for this link. The number need not be precise, but it must be between 1 and 15. In practice, 2 or 3 is usually a good number. Private: This parameter determines if the ZyWALL will include this route to a remote node in its RIP broadcasts. Select this check box to keep this route private and not included in RIP broadcasts. Clear this check box to propagate thi...

Page 405: ...ble the backbone to prioritize traffic. Cost Savings: IPPR allows organizations to distribute interactive traffic on high-bandwidth, high-cost paths while using low-cost paths for batch traffic. Load Sharing: Network administrators can use IPPR to distribute traffic among multiple paths. 19.3 Routing Policy. Individual routing policies are used as part of the overall IPPR process. A policy defines the mat...

Page 406: ...IPPR follows the existing packet filtering facility of RAS in style and in implementation. 19.4 IP Routing Policy Setup. Click ADVANCED > POLICY ROUTE to open the Policy Route Summary screen. Figure 255 ADVANCED > POLICY ROUTE > Policy Route Summary ...

Page 407: ...ual policy route. Active: This field shows whether the policy is active or inactive. Source Address/Port: This is the source IP address range and/or port number range. Destination Address/Port: This is the destination IP address range and/or port number range. Gateway: Enter the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN or WAN port. The gate...

Page 408: ...IP Protocol: Select Predefined and then the IP protocol from ALL (0), ICMP (1), IGMP (2), TCP (6), UDP (17), GRE (47), ESP (50) or AH (51). Otherwise, select Custom and enter a number from 0 to 255. Type of Service: Prioritize incoming network traffic by choosing from Any, Normal, Min Delay, Max Thruput, Max Reliable or Mix Cost. Precedence: Precedence value of the incoming packet. Select a value from 0 to 7 or Any. Packet Length...

Page 409: ...UDP packets with a port 5060 destination. Note: If you select SIP, make sure you also use the ALG screen to turn on the SIP ALG. Source: Interface: Use the check box to select LAN, DMZ, WAN 1, WAN 2 and/or WLAN. Starting IP Address: Enter the source starting IP address. Ending IP Address: Enter the source ending IP address. Starting Port: Enter the source starting port number. This field is applicable only when y...

Page 410: ...ilable check box to have the ZyWALL send traffic that matches the policy route through the other WAN interface if it cannot send the traffic through the WAN interface you selected. This option is only available when you select WAN Interface. Converted Type of Service: Set the new TOS value of the outgoing packet. Prioritize incoming network traffic by choosing Don't Change, Normal, Min Delay, Max Thruput...

Page 411: ...ets at the next routing device. For example, you can set the WAN interface speed to 1024 kbps or less if the broadband device connected to the WAN port has an upstream speed of 1024 kbps. 20.2 Bandwidth Classes and Filters. Use bandwidth classes and sub-classes to allocate specific amounts of bandwidth capacity (bandwidth budgets). Configure a bandwidth filter to define a bandwidth class or sub-class bas...

Page 412: ...andwidth Management. You can create bandwidth classes based on subnets. The following figure shows LAN subnets. You could configure one bandwidth class for subnet A and another for subnet B. Figure 257 Subnet-based Bandwidth Management Example. 20.6 Application and Subnet-based Bandwidth Management. You could also create bandwidth classes based on a combination of a subnet and an application. The followi...

Page 413: ...using among the bandwidth classes that require more bandwidth. When you enable maximize bandwidth usage, the ZyWALL first makes sure that each bandwidth class gets up to its bandwidth allotment. Next, the ZyWALL divides up an interface's available bandwidth (bandwidth that is unbudgeted or unused by the classes) depending on how many bandwidth classes require more bandwidth and on their priority levels...

Page 414: ...geted Bandwidth. The following table shows the priorities of the bandwidth classes and the amount of bandwidth that each class gets. Suppose that all of the classes except for the administration class need more bandwidth. Each class gets up to its budgeted bandwidth. The administration class only uses 1024 kbps of its budgeted 2048 kbps. The sales and marketing are first to get extra bandwidth because...

Page 415: ...low the sub-class to use its parent class's unused bandwidth. A parent class's unused bandwidth is given to the highest priority sub-class first. The sub-class can also borrow bandwidth from a higher parent class (grandparent class) if the sub-class's parent class is also configured to borrow bandwidth from its parent class. This can go on for as many levels as are configured to borrow bandwidth from t...

Page 416: ...bandwidth borrowing enabled. 20.9 Maximize Bandwidth Usage With Bandwidth Borrowing. If you configure both maximize bandwidth usage on the interface and bandwidth borrowing on individual sub-classes, the ZyWALL functions as follows. 1. The ZyWALL sends traffic according to each bandwidth class's bandwidth budget. 2. The ZyWALL assigns a parent class's unused bandwidth to its sub-classes that have more tr...

Page 417: ...ps of bandwidth to each of them before it allocates any bandwidth to FTP. As a result, FTP can only use bandwidth when VoIP and NetMeeting do not use all of their allocated bandwidth. Suppose you try to browse the web too. In this case, VoIP, NetMeeting and FTP all have higher priority, so they get to use the bandwidth first. You can only browse the web when VoIP, NetMeeting and FTP do not use all 1000 Kbp...

Page 418: ...speed to match the interface's actual transmission speed. For example, set the WAN interface speed to 1000 kbps if your Internet connection has an upstream transmission speed of 1 Mbps. You can set this number higher than the interface's actual transmission speed. This will stop lower priority traffic from being sent if higher priority traffic uses all of the actual bandwidth. You can also set this num...

Page 419: ...which you want to set up bandwidth management classes. Bandwidth management controls outgoing traffic on an interface, not incoming. So in order to limit the download bandwidth of the LAN users, set the bandwidth management class on the LAN. In order to limit the upload bandwidth, set the bandwidth management class on the corresponding WAN interface. Bandwidth Management: This field displays whether band...

Page 420: ...nt class. Class Name: This is the name that identifies a bandwidth management class. Service: This is the service that this bandwidth management class is configured to manage. Destination IP Address: This is the destination IP address for connections to which this bandwidth management class applies. Destination Port: This is the destination port for connections to which this bandwidth management class app...

Page 421: ...and 7 to set the priority of this class. The higher the number, the higher the priority. The default setting is 3. Borrow bandwidth from parent class: Select this option to allow a sub-class to borrow bandwidth from its parent class if the parent class is not using up its bandwidth budget. Bandwidth borrowing is governed by the priority of the sub-classes. That is, a sub-class with the highest priority (7)...

Page 422: ...idth for SIP traffic and is useful, for example, when there is a VoIP (Voice over Internet Protocol) device on your LAN. Note: If you select SIP, make sure you also use the ALG screen to turn on the SIP ALG. Select Custom from the drop-down list box if you do not want to use a predefined application for the bandwidth class. When you select Custom, you need to configure at least one of the following fields o...

Page 423: ...me port number in both fields to specify a single port number. See Appendix D on page 737 for a table of services and port numbers. Protocol ID: Enter the protocol ID (service type) number, for example 1 for ICMP, 6 for TCP or 17 for UDP. Apply: Click Apply to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving. Table 134 Services and Port Numbers: SERVICES / PORT NUMBER...

Page 424: ...the total number of packets transmitted. Tx Bytes: This field displays the total number of bytes transmitted. Dropped Packets: This field displays the total number of packets dropped. Dropped Bytes: This field displays the total number of bytes dropped. Bandwidth Statistics for the Past 8 Seconds (t-8 to t-1): This field displays the bandwidth statistics (in bps) for the past one to eight seconds. For example ...

Page 425: ...s that is not allocated to bandwidth classes. If you do not enable maximize bandwidth usage on an interface, the ZyWALL uses the bandwidth in this default class to send traffic that does not match any of the bandwidth classes. A: If you allocate all the root class's bandwidth to the bandwidth classes, the default class still displays a budget of 2 kbps (the minimum amount of bandwidth that can be assi...

Page 426: ...Chapter 20 Bandwidth Management. ZyWALL 2WG User's Guide 426 ...

Page 427: ...you DNS server addresses manually, enter them in the DNS server fields. 2 If your ISP dynamically assigns the DNS server IP addresses (along with the ZyWALL's WAN IP address), set the DNS server fields to get the DNS server address from the ISP. 3 You can manually enter the IP addresses of other DNS servers. These servers can be public or private. A DNS server could even be behind a remote IPSec router s...

Page 428: ...d to the same IP address as yourhost.com. This feature is useful if you want to be able to use, for example, www.yourhost.com and still reach your hostname. 21.5 Name Server Record: A name server record contains a DNS server's IP address. The ZyWALL can query the DNS server to resolve domain names for features like VPN, DDNS and the time server. A domain zone may also be included. A domain zone is a fully ...

Page 429: ...specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network. 21.6 System Screen: Click ADVANCED > DNS to display the following screen. Use this screen to configure your ZyWALL's DNS address and name server records. ...

Page 430: ...omain and com.tw is the top level domain. This is the index number of the address record. FQDN: This is a host's fully qualified domain name. Wildcard: This column displays whether or not the DNS wildcard feature is enabled for this domain name. IP Address: This is the IP address of a host. Modify: Click the edit icon to go to the screen where you can edit the record. Click the delete icon to remove an exis...

Page 431: ...tes a name server record without a domain zone. The default record is grayed out. The ZyWALL uses this default record if the domain name that needs to be resolved does not match any of the other name server records. A name server record with a domain zone is always put before a record without a domain zone. This is the index number of the name server record. Domain Zone: A domain zone is a fully qualifi...

Page 432: ...dress Record. LABEL / DESCRIPTION. FQDN: Type a fully qualified domain name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top level domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where www is the host, zyxel is the second level domain and com.tw is the top level domain. IP Address: If this entry is for one of the WAN ports on a ZyWALL with ...

Page 433: ...ield blank if all domain zones are served by the specified DNS server(s). DNS Server: Select the DNS Server(s) from ISP radio button if your ISP dynamically assigns DNS server information. You also need to select an interface through which the ISP provides the DNS server IP address(es). The interface should be activated and set as a DHCP client. The fields below display the (read-only) DNS server IP address...

Page 434: ...ng negative DNS resolutions helps speed up the ZyWALL's processing of commonly queried domain names for which DNS resolution has failed, and reduces the amount of traffic that the ZyWALL sends out to the WAN. Negative Cache Period: Type the time (60 to 3600 seconds) that the ZyWALL is to allow a negative resolution entry to remain in the DNS cache before discarding it. Apply: Click Apply to save your cha...

Page 435: ...or negative DNS resolution entries. Remaining Time (sec): This is the number of seconds left before the DNS resolution entry is discarded from the cache. Modify: Click the delete icon to remove the DNS resolution entry from the cache. Table 140 ADVANCED > DNS > Cache: LABEL / DESCRIPTION. Table 141 ADVANCED > DNS > DHCP: LABEL / DESCRIPTION. DNS Servers Assigned by DHCP Server: The ZyWALL passes a DNS (Domain Name System) ...

Page 436: ...IP address. Use the drop-down list box to select a DNS server IP address that the ISP assigns in the field to the right. Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. If you chose User-Defined but leave the IP address set to 0.0.0.0, User-Defined changes to None after you click Apply. If you set a second choice to User-Defin...

Page 437: ...s the router to substitute another port's IP address for the domain name mapping. 21.11 Configuring Dynamic DNS: To change your ZyWALL's DDNS, click ADVANCED > DNS > DDNS. The screen appears as shown. Figure 269 ADVANCED > DNS > DDNS. The following table describes the labels in this screen. Table 142 ADVANCED > DNS > DDNS: LABEL / DESCRIPTION. Account Setup. Active: Select this check box to use dynamic DNS. Service Provide...

Page 438: ...and the DDNS server. This feature has the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address. Note: The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the ZyWALL and the DDNS server. HA: Select this check box to enable the high availability (HA) feature. High availability has the ZyWALL update a domai...

Page 439: ...Management From the WAN: When you configure remote management to allow management from any network except the LAN, you still need to configure a firewall rule to allow access. See Chapter 11 on page 239 for details on configuring firewall rules. You can also disable a service on the ZyWALL by not allowing access for the service/protocol through any of the ZyWALL interfaces. You may only have one remote...

Page 440: ...creen. 22.2 WWW (HTTP and HTTPS): HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol that encrypts and decrypts web pages. Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot read the transferred data), authentication (one party can identify the other party) and ...

Page 441: ...default on the ZyWALL's WS (web server). Figure 271 HTTPS Implementation. If you disable the HTTP service in the REMOTE MGMT > WWW screen, then the ZyWALL blocks all HTTP connection attempts. 22.3 WWW: Click ADVANCED > REMOTE MGMT to open the WWW screen. Use this screen to configure the ZyWALL's HTTP and HTTPS management settings. ...

Page 442: ...roxy server listens on port 443 by default. If you change the HTTPS proxy server port to a different number on the ZyWALL, for example 8443, then you must notify people who need to access the ZyWALL web configurator to use https://ZyWALL IP Address:8443 as the URL. Server Access: Select the interface(s) through which a computer may access the ZyWALL using this service. You can allow only secure web configu...

Page 443: ...Security Alert Dialog Box (Internet Explorer). 22.4.2 Netscape Navigator Warning Messages: When you attempt to access the ZyWALL HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is from the ZyWALL. Server Access: Select the interface(s) through which a computer may access...

Page 444: ...certificate and what you can do to avoid seeing the warnings. The issuing certificate authority of the ZyWALL's HTTPS server certificate is not one of the browser's trusted certificate authorities. The issuing certificate authority of the ZyWALL's factory default certificate is the ZyWALL itself, since the certificate is a self-signed certificate. For the browser to trust a self-signed certificate, imp...

Page 445: ...tches the ZyWALL's actual IP address. You cannot use this procedure if you need to access the WAN port and it uses a dynamically assigned IP address. 2a Create a new certificate for the ZyWALL that uses the IP address of the ZyWALL's port that you are trying to access as the certificate's common name. For example, to use HTTPS to access a LAN port with IP address 192.168.1.1, create a certificate that ...

Page 446: ...ZyWALL's MAC address that will be specific to this device. Click CERTIFICATES to open the My Certificates screen. You will see information similar to that shown in the following figure. Figure 278 Device-specific Certificate. Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate. You will then see this information in the My Certificates screen. ...

Page 447: ...t data in plaintext (clear or unencrypted text). SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. In the following figure, computer A on the Internet uses SSH to securely connect to the WAN port of the ZyWALL for a management session. Figure 280 SSH Communication Over the WAN Exa...

Page 448: ...on the type of encryption method to use. 3 Authentication and Data Transmission: After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server. The client then sends its authentication information (user name and password) to the server to log in to the server. 22.7 SSH Implementation on the ZyWALL: Your ZyWALL supports SSH version 1.5...

Page 449: ...screen. Click My Certificates and see Chapter 15 on page 349 for details. Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management. Server Access: Select the interface(s) through which a computer may access the ZyWALL using this service. Secure Client IP Address: A secure client is a trusted com...

Page 450: ...ccept connection using SSH version 1. 3 A window displays prompting you to store the host key in your computer. Click Yes to continue. Figure 283 SSH Example 1: Store Host Key. Enter the password to log in to the ZyWALL. The SMT main menu displays next. 22.9.2 Example 2: Linux: This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distributions. 1 Test wh...

Page 451: ...ilar for other SSH client programs. Refer to your SSH client program user's guide. 1 Enter sftp -1 192.168.1.1. This command forces your computer to connect to the ZyWALL for secure file transfer using SSH version 1. If this is the first time you are connecting to the ZyWALL using SSH, a message displays prompting you to save the host information of the ZyWALL. Type yes and press ENTER. 2 Enter the passwo...

Page 452: ...IP address the access can come. It is recommended that you disable Telnet and FTP when you configure SSH for secure connections. Figure 287 ADVANCED > REMOTE MGMT > Telnet. sftp -1 192.168.1.1 Connecting to 192.168.1.1... The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established. RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1. Are you sure you want to continue connecting (ye...

Page 453: ...onfigure SSH for secure connections. Figure 288 ADVANCED > REMOTE MGMT > FTP. Table 145 ADVANCED > REMOTE MGMT > Telnet: LABEL / DESCRIPTION. Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management. Server Access: Select the interface(s) through which a computer may access the ZyWALL using this service. Se...

Page 454: ...gured. Table 146 ADVANCED > REMOTE MGMT > FTP: LABEL / DESCRIPTION. Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management. Server Access: Select the interface(s) through which a computer may access the ZyWALL using this service. Secure Client IP Address: A secure client is a trusted computer that is ...

Page 455: ...on Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects. SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations. Get: Allows the manager to retrieve an object variable from the agent. GetNext: A...

Page 456: ...warmStart (defined in RFC 1215): A trap is sent after booting (software reboot). 4 authenticationFailure (defined in RFC 1215): A trap is sent to the manager when receiving any SNMP get or set requirements with the wrong community (password). 6 whyReboot (defined in ZYXEL-MIB): A trap is sent with the reason of restart before rebooting when the system is going to restart (warm start). 6a For intentional reboot: A t...

Page 457: ...h is the password for incoming Set requests from the management station. The default is public and allows all requests. Trap Community: Type the trap community, which is the password sent with each trap to the SNMP manager. The default is public and allows all requests. Destination: Type the IP address of the station to send your SNMP traps to. SNMP Service Port: You may change the server port number for a...

Page 458: ...ds without notifying the Vantage CNM administrator. 22.17 Configuring CNM: Vantage CNM is disabled on the device by default. Click ADVANCED > REMOTE MGMT > CNM to configure your device's Vantage CNM settings. Table 149 ADVANCED > REMOTE MGMT > DNS: LABEL / DESCRIPTION. Service Port: The DNS service port number is 53 and cannot be changed here. Service Access: Select the interface(s) through which a computer may send ...

Page 459: ...wall that does not forward packets through to the Vantage CNM server. The encryption algorithms and/or encryption keys do not match between the ZyWALL and the Vantage CNM server. Last Registration Time: This field displays the last date (year-month-date) and time (hours:minutes:seconds) that the ZyWALL registered with the Vantage CNM server. It displays all zeroes if it has not yet registered with the Van...

Page 460: ...r. Choose from None (no encryption), DES or 3DES. The Encryption Key field appears when you select DES or 3DES. The ZyWALL must use the same encryption algorithm as the Vantage CNM server. Encryption Key: Type eight alphanumeric characters (0 to 9, a to z or A to Z) when you choose the DES encryption algorithm and 24 alphanumeric characters (0 to 9, a to z or A to Z) when you choose the 3DES encryption algorith...

Page 461: ...a separate icon. Selecting the icon of a UPnP device will allow you to access the information and properties of that device. 23.1.2 NAT Traversal: UPnP NAT traversal automates the process of allowing an application to operate through NAT. UPnP network devices can automatically configure network addressing, announce their presence in the network to other UPnP devices and enable exchange of simple produc...

Page 462: ...lowing table describes the fields in this screen. Table 151 ADVANCED > UPnP: LABEL / DESCRIPTION. UPnP Setup. Device Name: This identifies the ZyXEL device in UPnP applications. Enable the Universal Plug and Play (UPnP) feature: Select this check box to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the ZyWALL's IP address (although y...

Page 463: ...ications. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. Table 151 ADVANCED > UPnP: LABEL / DESCRIPTION. Table 152 ADVANCED > UPnP > Ports: LABEL / DESCRIPTION. Reserve UPnP NAT rules in flash after system bootup: Select this check box to have the ZyWALL retain UPnP-created NAT rules even after restarting. If you use UPnP and you set a port on yo...

Page 464: ...and forwards requests on all external port numbers that are otherwise unmapped to the Internal Client. Protocol: This field displays the protocol of the NAT mapping rule (TCP or UDP). Internal Port: This field displays the port number on the Internal Client to which the ZyWALL should forward incoming connection requests. Internal Client: This field displays the DNS host name or IP address of a client on ...

Page 465: ...Panel. Double-click Add/Remove Programs. 2 Click on the Windows Setup tab and select Communication in the Components selection box. Click Details. 3 In the Communications window, select the Universal Plug and Play check box in the Components selection box. 4 Click OK to go back to the Add/Remove Programs Properties window and click Next. 5 Restart the computer when prompted. ...

Page 466: ...port of the ZyXEL device. Turn on your computer and the ZyXEL device. 1 Click Start, Settings and Control Panel. 2 Double-click Network Connections. 3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components. The Windows Optional Networking Components Wizard window displays. 4 Select Networking Service in the Components selection box and click Details. 5 ...

Page 467: ...Panel. Double-click Network Connections. An icon displays under Internet Gateway. 2 Right-click the icon and select Properties. 3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. You may edit or delete the port mappings or click Add to manually add port mappings. ...

Page 468: ...ith UPnP, you can access the web-based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first. This is helpful if you do not know the IP address of the ZyXEL device. 4 Select the Show icon in notification area when connected check box and click OK. An icon displays in the system tray. 5 Double-click the icon to display your current Internet connection status. ...

Page 469: ...k Start and then Control Panel. 2 Double-click Network Connections. 3 Select My Network Places under Other Places. 4 An icon with the description for each UPnP-enabled device displays under Local Network. 5 Right-click the icon for your ZyXEL device and select Invoke. The web configurator login screen displays. ...

Page 470: ...Chapter 23 UPnP. ZyWALL 2WG User's Guide 470. 6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device. ...

Page 471: ...to the default ports. By default, these ZyWALL features monitor traffic for the following protocols on these port numbers: FTP 21, SIP 5060, H.323 1720, SMTP 25, POP3 110, HTTP 80. Changes in the Custom APP screen do not apply to the firewall. 24.2 Custom Application Configuration: Click ADVANCED > Custom APP to open the Custom Application screen. This screen only specifies what port numbers the ZyWALL checks f...

Page 472: ...than one entry. To remove an entry, select Select a Type. Description: Enter information about the reason for monitoring custom port numbers for this protocol. Start Port: Enter the starting port for the range that the ZyWALL is to monitor for this application. If you are only entering a single port number, enter it here. End Port: Enter the ending port for the range that the ZyWALL is to monitor for this a...

Page 473: ...yWALL translates the device's private IP address inside the data stream to a public IP address. It also records session port numbers and dynamically creates implicit NAT port forwarding and firewall rules for the application's traffic to come in from the WAN to the LAN. 25.1.1 ALG and NAT: The ZyWALL dynamically creates an implicit NAT session for the application's traffic from the WAN to the LAN. The...

Page 474: ...and downloading files. The FTP ALG allows TCP packets with a port 21 destination to pass through. If the FTP server is located on the LAN, you must also configure NAT port forwarding and firewall rules if you want to allow access to the server from the WAN. 25.3 H.323: H.323 is a standard teleconferencing protocol suite that provides audio, data and video conferencing. It allows for real-time point-to-p...

Page 475: ...rwarding rules to allow LAN IP address B to receive calls through public WAN IP address 2. You configure corresponding policy routes to have calls from LAN IP address A go out through WAN IP address 1, and calls from LAN IP address B go out through WAN IP address 2. Figure 297 H.323 with Multiple WAN IP Addresses. When you configure the firewall and port forwarding to allow calls from the WAN to a spe...

Page 476: ...5.5.1 STUN: STUN (Simple Traversal of User Datagram Protocol (UDP) through Network Address Translators) allows the VoIP device to find the presence and types of NAT routers and/or firewalls between it and the public Internet. STUN also allows the VoIP device to find the public IP address that NAT assigned, so the VoIP device can embed it in the SIP data stream. See RFC 3489 for details on STUN. You do not ...

Page 477: ...ALL SIP ALG drops any incoming calls after the timeout period. 25.5.4 SIP Audio Session Timeout: If no voice packets go through the SIP ALG before the timeout period (default 5 minutes) expires, the SIP ALG does not drop the call but blocks all voice traffic and deletes the audio session. You cannot hear anything and you will need to make a new call to continue your conversation. 25.6 ALG Screen: Click AD...

Page 478: ...SIP ALG: Select this check box to allow SIP sessions to pass through the ZyWALL. SIP is a signaling protocol used in VoIP (Voice over IP), the sending of voice signals over Internet Protocol. SIP Timeout: Most SIP clients have an expire mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the Z...

Page 479: ...PART V: Logs and Maintenance. Logs Screens 481, Maintenance 511 ...

Page 481: ...screen. Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen (see Section 26.3 on page 484). Options include logs about system maintenance, system errors, access control, allowed or blocked web sites, blocked web features (such as ActiveX controls, Java and cookies), attacks (such as DoS) and IPSec. Log entries in red indicate system error logs. The log wraps aro...

Page 482: ...e time the log was recorded. See Section 27.4 on page 513 to configure the ZyWALL's time and date. Message: This field states the reason for the log. Source: This field lists the source IP address and the port number of the incoming packet. Destination: This field lists the destination IP address and the port number of the incoming packet. Note: This field displays additional information about the log entr...

Page 483: ...ult configuration file, you can download a CA certificate signed by VeriSign from myZyXEL.com and import it into the ZyWALL as a trusted CA. This will stop the ZyWALL from generating this log every time it attempts to connect with myzyxel.com and the update server. Follow the steps below to download the certificate from myZyXEL.com. 1 Go to http://www.myZyXEL.com and log in with your account. 2 Click Dow...

Page 484: ...a type of log that warrants more serious attention. They include system errors, attacks (access control) and attempted access to blocked web sites or web sites with restricted web features such as cookies, ActiveX and so on. Some categories (such as System Errors) consist of both logs and alerts. You may differentiate them by their color in the View Log screen. Alerts display in red and logs display in bl...

Page 485: ...Chapter 26 Logs Screens. ZyWALL 2WG User's Guide 485. Figure 304 LOGS > Log Settings ...

Page 486: ...ecify which day of the week the E-mail should be sent. If you select When Log is Full, an alert is sent when the log fills up. If you select None, no log messages are sent. Day for Sending Log: Use the drop-down list box to select which day of the week to send the logs. Time for Sending Log: Enter the time of the day in 24-hour format (for example, 23:00 equals 11:00 pm) to send the logs. SMTP Authentication: ...

Page 487: ...web sites that also get counted as hits. The ZyWALL records web site hits by counting the HTTP GET packets. Many web sites include HTTP GET references to other web sites and the ZyWALL may count these as hits, thus the web hit count is not yet 100% accurate. Click LOGS > Reports to display the following screen. Send Immediate Alert: Select the categories of alerts for which you want the ZyWALL to instantly...

Page 488: ...this screen afresh. Interface: Select on which interface (LAN, DMZ or WLAN) the logs will be collected. The logs on the DMZ, LAN or WLAN IP alias 1 and 2 are also recorded. Report Type: Use the drop-down list box to select the type of reports to display. Web Site Hits displays the web sites that have been visited the most often from the LAN and how many times they have been visited. Protocol/Port displays th...

Page 489: ...op-down list box to have the ZyWALL record and display the LAN, DMZ or WLAN IP addresses that the most traffic has been sent to and/or from, and how much traffic has been sent to and/or from those IP addresses. Table 159 LOGS > Reports: Web Site Hits Report: LABEL / DESCRIPTION. Web Site: This column lists the domain names of the web sites visited most often from computers on the LAN, DMZ or WLAN. The names ar...

Page 490: ...L / DESCRIPTION. IP Address: This column lists the LAN, DMZ or WLAN IP addresses to and/or from which the most traffic has been sent. The LAN, DMZ or WLAN IP addresses are listed in descending order, with the LAN, DMZ or WLAN IP address to and/or from which the most traffic was sent listed first. Direction: This field displays Incoming to denote traffic that is coming in from the WAN to the LAN, DMZ or WLAN. T...

Page 491: ...st used protocol or service port listed first. Direction: This field displays Incoming to denote traffic that is coming in from the WAN to the LAN, DMZ or WLAN. This field displays Outgoing to denote traffic that is going out from the LAN, DMZ or WLAN to the WAN. Amount: This column lists how much traffic has been sent and/or received for each protocol or service port. The measurement unit shown (bytes, Kbyt...

Page 492: ...HCP, PPPoE, PPTP or dial-up server. DHCP client IP expired: A DHCP client's IP address has expired. DHCP server assigns %s: The DHCP server assigned an IP address to a client. Successful SMT login: Someone has logged on to the router's SMT interface. SMT login failed: Someone has failed to log on to the router's SMT interface. Successful WEB login: Someone has logged on to the router's web configurator interfa...

Page 493: ...eone has failed to log on to the router's web configurator interface using HTTPS protocol. DNS server %s was not responding to last 32 consecutive queries: The specified DNS server did not respond to the last 32 consecutive queries. DDNS update IP %s host %d successfully: The device updated the IP address of the specified DDNS host name. SMTP successfully: The device sent an e-mail. myZyXEL.com registration...

Page 494: ...with the SMTP server error message included. Table 165 Access Control Logs: LOG MESSAGE / DESCRIPTION. Firewall default policy: [TCP | UDP | IGMP | ESP | GRE | OSPF] <Packet Direction>: Attempted TCP/UDP/IGMP/ESP/GRE/OSPF access matched the default policy and was blocked or forwarded according to the default policy's setting. Firewall rule NOT match: [TCP | UDP | IGMP | ESP | GRE | OSPF] <Packet Direction>, rule %d: Attempted TCP/UDP/IG...

Page 495: ...ut 10 seconds. Exceed MAX incomplete, sent TCP RST: The router sent a TCP reset packet when the number of incomplete connections (TCP and UDP) exceeded the user-configured threshold. (Incomplete count is for all TCP and UDP connections through the firewall.) Note: When the number of incomplete connections (TCP + UDP) > Maximum Incomplete High, the router sends TCP RST packets for TCP connections and destroys TOS f...

Page 496: ...PPTP or dial-up call was disconnected. Table 170 PPP Logs: LOG MESSAGE / DESCRIPTION. ppp:LCP Starting: The PPP connection's Link Control Protocol stage has started. ppp:LCP Opening: The PPP connection's Link Control Protocol stage is opening. ppp:CHAP Opening: The PPP connection's Challenge Handshake Authentication Protocol stage is opening. ppp:IPCP Starting: The PPP connection's Internet Protocol Control P...

Page 497: ...t activated. 3G Modem is locked: The internal modem on the inserted 3G card is blocked. SIM card not inserted or damaged: There is no SIM card in the inserted GSM/3G card, or the SIM card is damaged. 3G connection has been dropped: %s: The 3G connection has been dropped due to the specific reason, such as idle timeout, manual disconnection, failure to get an IP address, switching to WAN 1, ping check failure, co...

Page 498: ...t in trusted web list: The web site is not in a trusted domain and the router blocks all traffic except trusted domain sites. %s: Forbidden Web site: The web site is in the forbidden web site list. %s: Contains ActiveX: The web site contains ActiveX. %s: Contains Java applet: The web site contains a Java applet. %s: Contains cookie: The web site contains a cookie. %s: Proxy mode detected: The router detected proxy mod...

Page 499: ...fing WAN ICMP (type:%d, code:%d): The firewall detected an ICMP IP spoofing attack on the WAN port. icmp echo: ICMP (type:%d, code:%d): The firewall detected an ICMP echo attack. syn flood TCP: The firewall detected a TCP syn flood attack. ports scan TCP: The firewall detected a TCP port scan attack. teardrop TCP: The firewall detected a TCP teardrop attack. teardrop UDP: The firewall detected a UDP teardrop attack. te...

Page 500: ...nt: TELNET denied: Attempted use of TELNET service was blocked according to remote management settings. Remote Management: HTTP or UPnP denied: Attempted use of HTTP or UPnP service was blocked according to remote management settings. Remote Management: WWW denied: Attempted use of WWW service was blocked according to remote management settings. Remote Management: HTTPS denied: Attempted use of HTTPS service...

Page 501: ...ying Remote ID failed: The connection failed during IKE phase 2 because the router and the peer's Local/Remote Addresses don't match. Verifying Local ID failed: The connection failed during IKE phase 2 because the router and the peer's Local/Remote Addresses don't match. IKE Packet Retransmit: The router retransmitted the last packet sent because there was no response from the peer. Failed to send IKE P...

Page 502: ...s Remote Address. This information conflicted with static rule %d; thus the connection is not allowed. Phase 1 ID type mismatch: This router's Peer ID Type is different from the peer IPSec router's Local ID Type. Phase 1 ID content mismatch: This router's Peer ID Content is different from the peer IPSec router's Local ID Content. No known phase 1 ID type found: The router could not find a known phase 1 ID ...

Page 503: ...authentication algorithm did not match between the router and the peer. Rule %d Phase 2 encapsulation mismatch: The listed rule's IKE phase 2 encapsulation did not match between the router and the peer. Rule %d Phase 2 pfs mismatch: The listed rule's IKE phase 2 perfect forward secret (PFS) setting did not match between the router and the peer. Rule %d Phase 1 ID mismatch: The listed rule's IKE phase 1 ID di...

Page 504: ...online certificate enrollment failed because the certification authority server's address cannot be resolved. Enrollment successful: The CMP online certificate enrollment was successful. The Destination field records the certification authority server's IP address and port. Enrollment failed: The CMP online certificate enrollment failed. The Destination field records the certification authority server's...

Page 505: ...d the certificate with the listed subject name has not passed the path verification. The recorded reason codes are only approximate reasons for not trusting the certificate. Please see Table 179 on page 505 for the corresponding descriptions of the codes. Table 179 Certificate Path Verification Failure Reason Codes (CODE / DESCRIPTION): 1: Algorithm mismatch between the certificate and the search constrain...

Page 506: ...t for packets traveling from the LAN to the LAN or the ZyWALL. W to W/ZW (WAN to WAN/ZyWALL): ACL set for packets traveling from the WAN to the WAN or the ZyWALL. D to D/ZW (DMZ to DMZ/ZyWALL): ACL set for packets traveling from the DMZ to the DMZ or the ZyWALL. L to WL (LAN to WLAN): ACL set for packets traveling from the LAN to the WLAN. WL to L (WLAN to LAN): ACL set for packets traveling from the WLAN to the L...

Page 507: ...work. 5 Redirect: 0 Redirect datagrams for the Network; 1 Redirect datagrams for the Host; 2 Redirect datagrams for the Type of Service and Network; 3 Redirect datagrams for the Type of Service and Host. 8 Echo: 0 Echo message. 11 Time Exceeded: 0 Time to live exceeded in transit; 1 Fragment reassembly time exceeded. 12 Parameter Problem: 0 Pointer indicates the error. 13 Timestamp: 0 Timestamp request message ...

Page 508: ...ytes rcvd receiveBytes dir from to protoID IPProtocolID proto serviceName trans IPSec Normal. This message is sent by the device when the connection (session) is closed. The facility is defined in the Log Settings screen. The severity is the traffic log type. The message and note always display Traffic Log. The proto field lists the service name. The dir field lists the incoming and outgoing interfaces (LA...

Page 509: ...og descriptions. Event Log: Facility 8 Severity Mon dd hr mm ss hostname src srcIP srcPort dst dstIP dstPort ob 0 1 ob_mac mac address msg msg note note devID mac address cat Anti Spam 1stReIP IP. This message is sent by the device (RAS displays as the system name if you haven't configured one) at the time when this syslog is generated. The facility is defined in the web MAIN MENU LOGS Log Settings page...

Page 510: ...Chapter 26 Logs Screens ZyWALL 2WG User s Guide 510 ...

Page 511: ...ndows 95/98, click Start, Settings, Control Panel, Network. Click the Identification tab, note the entry for the Computer Name field and enter it as the System Name. In Windows 2000, click Start, Settings, Control Panel and then double-click System. Click the Network Identification tab and then the Properties button. Note the entry for the Computer name field and enter it as the System Name. In Windows XP, clic...

Page 512: ...f you leave this blank, the domain name obtained by DHCP from the ISP is used. While you must enter the host name (System Name), the domain name can be assigned from the ZyWALL via DHCP. Enter the domain name (if you know it) here. If you leave this field blank, the ISP may assign a domain name via DHCP. The domain name entered by you is given priority over the ISP-assigned domain name. Administrator Inactivi...

Page 513: ...e this screen to configure the ZyWALL's time based on your local time zone. Table 185 MAINTENANCE Password (LABEL / DESCRIPTION): Old Password: Type the default password or the existing password you use to access the system in this field. If you forget the password, you may have to use the hardware RESET button. This restores the default password of 1234. New Password: Type your new system password (up to 30 c...

Page 514: ...ing at the same time, the new time and date you entered has priority and the Time Zone and Daylight Saving settings do not affect it. New Time (hh:mm:ss): This field displays the last updated time from the time server or the last time configured manually. When you set Time and Date Setup to Manual, enter the new time in this field and then click Apply. New Date (yyyy-mm-dd): This field displays the last upda...

Page 515: ... parts of the United States on the second Sunday of March. Each time zone in the United States starts using Daylight Saving Time at 2 A.M. local time. So in the United States you would select Second, Sunday, March and type 2 in the o'clock field. Daylight Saving Time starts in the European Union on the last Sunday of March. All of the time zones in the European Union start using Daylight Saving Time at t...

Page 516: ...ime server pools, it randomly selects one pool and tries to synchronize with a server in it. If the synchronization fails, then the ZyWALL goes through the rest of the list in order from the first one tried until either it is successful or all the pre-defined NTP time server pools have been tried. 27.5.1 Resetting the Time: The ZyWALL resets the time in the following instances: When you click Synchroniz...

Page 517: ...a network in that it does not modify the frames it forwards. The bridge checks the source address of incoming frames on the port and learns MAC addresses to associate with that port. All future communications to that MAC address will only be sent on that port. The bridge gradually builds a host MAC address to port mapping table, such as in the following example, during the learning process. Table 187 MA...

Page 518: ... As it only moves frames between ports (after inspecting them), it is completely transparent. 2 Performance is improved as there's less processing overhead. 3 As a transparent bridge does not modify the frames it forwards, it is effectively stealth, as it is invisible to attackers. Bridging devices are most useful in complex environments that require a rapid or new firewall deployment. A transparent bridgi...

Page 519: ...de, there is no need to select or clear this radio button. IP Address: Click LAN, WAN, DMZ or WLAN to go to the LAN, WAN, DMZ or WLAN screen where you can view and/or change the corresponding settings. Bridge: Select this radio button and configure the following fields, then click Apply to set the ZyWALL to bridge mode. IP Address: Enter the IP address of your ZyWALL in dotted decimal notation. IP Subnet Mask ...

Page 520: ...d to assign your computer a static IP address in the same subnet as the ZyWALL's IP address in order to access the ZyWALL. You can use the firewall and VPN in bridge mode. See the user's guide for a list of other features that are available in bridge mode. Figure 316 MAINTENANCE Device Mode (Bridge Mode). The following table describes the labels in this screen. Table 189 MAINTENANCE Device Mode (Bridge Mo...

Page 521: ... stop the ZyWALL from acting as a DHCP server. When configured as a server, the ZyWALL provides TCP/IP configuration for the clients. If not, DHCP service is disabled and you must have another DHCP server on your LAN, or else the computers must be manually configured. When set as a server, fill in the rest of the DHCP setup fields. IP Pool Starting Address: This field specifies the first of the contiguous ...

Page 522: ... icon on your desktop. Figure 319 Network Temporarily Disconnected. After two minutes, log in again and check your new firmware version in the HOME screen. If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen. Table 190 MAINTENANCE Firmware Upload (LABEL / DESCRIPTION): File Path: Type in the location of the file you want to upload in this field o...

Page 523: ...ackup and Restore. See Section 43.5 on page 655 for transferring configuration files using FTP/TFTP commands. Click MAINTENANCE, Backup & Restore. Information related to factory defaults, backup configuration and restoring configuration appears as shown next. Figure 321 MAINTENANCE Backup and Restore ...

Page 524: ...o your ZyWALL. 1 Do not turn off the ZyWALL while configuration file upload is in progress. After you see a "restore configuration successful" screen, you must then wait one minute before logging into the ZyWALL again. Figure 322 Configuration Upload Successful. The ZyWALL automatically restarts in this time, causing a temporary network disconnect. In some operating systems, you may see the following icon o...

Page 525: ...ack to Factory Defaults. Click the Reset button to clear all user-entered configuration information and return the ZyWALL to its factory defaults as shown on the screen. The following warning screen appears. Figure 325 Reset Warning Message. You can also press the hardware RESET button to reset the factory defaults of your ZyWALL. Refer to Section 2.3 on page 59 for more information on the RESET button...

Page 526: ... files by e-mail and/or the console port. The diagnostics files contain the ZyWALL's configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting. Click MAINTENANCE, Diagnostics to open the following screen. The ZyWALL sends only one diagnosis mail within five minutes unless you click Perform Diagnostics Now ...

Page 527: ...han 60 seconds. Enter 0 to have the ZyWALL not generate and send diagnostic files based on CPU usage going over a specific level. Periodic Diagnostics: Use these fields to set the ZyWALL to generate and send diagnostic files at regular intervals. Even if you enable both CPU-utilization-based and periodic diagnosis, the ZyWALL only sends one diagnostic file within five minutes unless you click Perform D...

Page 528: ...ype a title that you want to be in the subject line of the diagnostic e-mail message that the ZyWALL sends. Mail Sender: Enter the e-mail address that you want to be in the from (sender) line of the diagnostic e-mail message that the ZyWALL sends. If you activate SMTP authentication, the e-mail address must be able to be authenticated by the mail server as well. Send Log to: Diagnostic files are sent to t...

Page 529: ...reless Setup (579); Remote Node Setup (583); IP Static Route Setup (591); Network Address Translation (NAT) (595); Introducing the ZyWALL Firewall (615); Filter Configuration (617); SNMP Configuration (633); System Information & Diagnosis (635); Firmware and Configuration File Maintenance (647); System Maintenance Menus 8 to 10 (661); Remote Management (669); IP Policy Routing (673); Call Scheduling (681) ...


Page 531: ... via console port, how to navigate the SMT and how to configure SMT menus. 28.2 Accessing the SMT via the Console Port: Make sure you have the physical connection properly set up as described in the Quick Start Guide. When configuring using the console port, you need a computer equipped with communications software configured to the following parameters: VT100 terminal emulation; 9600 Baud; No parity, 8 da...

Page 532: ...face. The SMT is an interface that you use to configure your ZyWALL. Copyright (c) 1994-2007 ZyXEL Communications Corp. initialize ch=0, ethernet address: 00:00:AA:77:90:79 initialize ch=1, ethernet address: 00:00:AA:77:90:7A initialize ch=2, ethernet address: 00:00:AA:77:90:7B initialize ch=3, ethernet address: 00:00:AA:77:90:79 initialize ch=4, ethernet address: 00:00:AA:77:90:7C initialize ch=5, ethernet addre...

Page 533: ...ext field. You can also use the UP/DOWN arrow keys to move to the previous and the next field, respectively. When you are at the top of a menu, press the UP arrow key to move to the bottom of a menu. Entering information: Fill in, or press SPACE BAR then press ENTER to select from choices. You need to fill in two types of fields. The first requires you to type in the appropriate information. The second allo...

Page 534: ... Node Setup; 12 Static Routing Setup; 15 NAT Setup; 99 Exit. Enter Menu Selection Number. Copyright (c) 1994-2007 ZyXEL Communications Corp. ZyWALL 2WG Main Menu. Getting Started / Advanced Management: 1 General Setup; 21 Filter and Firewall Setup; 22 SNMP Configuration; 23 System Password; 24 System Maintenance; 99 Exit. Enter Menu Selection Number. Table 194 Main Menu Summary (NO / MENU TITLE / FUNCTION): 1 General Setup...

Page 535: ...figure filters and activate/deactivate the firewall. 22 SNMP Configuration: Use this menu to configure SNMP-related parameters. 23 System Password: Change your password in this menu (recommended). 24 System Maintenance: From displaying system status to uploading firmware, this menu provides comprehensive system maintenance. 25 IP Routing Policy Setup: Configure and display policies for use in IP policy routi...

Page 536: ...mote Node Script; 11.3.4 Remote Node Filter; 12 Static Routing Setup; 12.1 Edit IP Static Route; 15 NAT Setup; 15.1 Address Mapping Sets; 15.1.x Address Mapping Rules; 15.1.x.x Address Mapping Rule; 15.2 Port Forwarding Setup; 15.2.x NAT Server Setup; 15.2.x.x NAT Server Configuration; 15.3 Trigger Port Setup; 15.3.x Trigger Port Setup; 21 Filter and Firewall Setup; 21.1 Filter Set Configuration; 21.1.x Filter R...

Page 537: ... 1 View Error Log; 24.3.2 Syslog Logging; 24.3.4 Call Triggering Packet; 24.4 Diagnostic; 24.5 Backup Configuration; 24.6 Restore Configuration; 24.7 Upload Firmware; 24.7.1 Upload System Firmware; 24.7.2 Upload System Configuration File; 24.8 Command Interpreter Mode; 24.9 Call Control; 24.9.1 Budget Management; 24.9.2 Call History; 24.10 Time and Date Setting; 24.11 Remote Management Setup; 25 IP Routing Polic...

Page 538: ...system password and press ENTER. 4 Re-type your new system password for confirmation and press ENTER. Note that as you type a password, the screen displays an x for each character you type. 28.5 Resetting the ZyWALL: See Section 2.3 on page 59 for directions on resetting the ZyWALL ...

Page 539: ... Mode: Router Mode. Edit Dynamic DNS: No. Press ENTER to Confirm or ESC to Cancel. Table 196 Menu 1 General Setup, Router Mode (FIELD / DESCRIPTION): System Name: Choose a descriptive name for identification purposes. It is recommended you enter your computer's Computer name in this field. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes (-) and underscores (_) are accepted. Dom...

Page 540: ...Name. Device Mode: Bridge Mode. IP Address: 0.0.0.0. Network Mask: 0.0.0.0. Gateway: 0.0.0.0. First System DNS Server IP Address: 0.0.0.0. Second System DNS Server IP Address: 0.0.0.0. Third System DNS Server IP Address: 0.0.0.0. Press ENTER to Confirm or ESC to Cancel. Table 197 Menu 1 General Setup, Bridge Mode (FIELD / DESCRIPTION): Device Mode: Press SPACE BAR and then ENTER to select Bridge Mode. IP Address: Enter th...

Page 541: ...ress SPACE BAR to select Yes in the Edit Dynamic DNS field. Press ENTER to display Menu 1.1 Configure Dynamic DNS. 4 Press SPACE BAR and then ENTER to select Yes in the Edit Host field. Press ENTER to display Menu 1.1.1 DDNS Host Summary. Menu 1.1 Configure Dynamic DNS: Service Provider: WWW.DynDNS.ORG. Active: No. Username. Password. Edit Host: No. Press ENTER to Confirm or ESC to Cancel. Table 198 Menu 1.1 Co...

Page 542: ...____________________________________________________ Select Command: None. Select Rule: N/A. Press ENTER to Confirm or ESC to Cancel. Table 199 Menu 1.1.1 DDNS Host Summary (FIELD / DESCRIPTION): This is the DDNS host index number. Summary: This displays the details about the DDNS host. Select Command: Press SPACE BAR to choose from None, Edit, Delete, Next Page or Previous Page and then press ENTER. You must selec...

Page 543: ...S is selected in the DDNS Type field. Press SPACE BAR and then ENTER to select Yes. When Yes is selected, http://www.dyndns.org traffic is redirected to a URL that you have previously specified (see www.dyndns.org for details). Bind WAN: Enter the WAN interface to use for updating the IP address of the domain name. HA: Press SPACE BAR and then ENTER to select Yes to enable the high availability (HA) feature. If...

Page 544: ...or more NAT routers between the ZyWALL and the DDNS server. Press SPACE BAR to select Yes and then press ENTER to have the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address. Note: The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the ZyWALL and the DDNS server. Use User Defined: Press SPACE BAR t...

Page 545: ... for your WAN interface(s), a 3G WAN connection and a dial backup connection using the SMT menus. 30.2 WAN Setup: From the main menu, enter 2 to open menu 2. Figure 338 MAC Address Cloning in WAN Setup. Menu 2 WAN Setup: WAN 1 MAC Address: Assigned By: Factory default. IP Address: N/A. Dial Backup: Active: No. Port Speed: 115200. AT Command String: Init: at&fs0=0. Edit Advanced Setup: No. 3G Modem Setup: Init: Configure A...

Page 546: ...nformation on an alternate backup WAN connection. 30.3.1 Configuring Dial Backup in Menu 2: From the main menu, enter 2 to open menu 2. Table 201 MAC Address Cloning in WAN Setup (FIELD / DESCRIPTION): WAN 1 MAC Address, Assigned By: Press SPACE BAR and then ENTER to choose one of two methods to assign a MAC Address. Choose Factory Default to select the factory assigned default MAC Address. Choose IP address a...

Page 547: ...ION: Dial Backup Active: Use this field to turn the dial backup feature on (Yes) or off (No). Port Speed: Press SPACE BAR and then press ENTER to select the speed of the connection between the Dial Backup port and the external device. Available speeds are 9600, 19200, 38400, 57600, 115200 or 230400 bps. AT Command String Init: Enter the AT command string to initialize the WAN device. Consult the manual of your WA...

Page 548: ... Commands Fields (FIELD / DESCRIPTION): AT Command Strings: Dial: Enter the AT Command string to make a call. Drop: Enter the AT Command string to drop a call. represents a one second wait, e.g. ath can be used if your modem has a slow response time. Answer: Enter the AT Command string to answer a call. Drop DTR When Hang Up: Press the SPACE BAR to choose either Yes or No. When Yes is selected (the default), the DTR ...

Page 549: ...ber. Retry Interval (sec): Enter a number of seconds for the ZyWALL to wait before trying another call after a call has failed. This applies before a phone number is blacklisted. Drop Timeout (sec): Enter a number of seconds for the ZyWALL to wait before dropping the DTR signal if it does not receive a positive disconnect confirmation. Call Back Delay (sec): Enter a number of seconds for the ZyWALL to wait bet...

Page 550: ...n. Edit Script Options: Press SPACE BAR to select Yes and press ENTER to edit the AT script for the dial backup remote node (Menu 11.3.3 Remote Node Script). See Section 30.3.5 on page 552 for more information. Telco Option, Allocated Budget: Enter the maximum number of minutes that this remote node may be called within the time period configured in the Period field. The default for this field is 0, meaning...

Page 551: ... the previous field. Rem Subnet Mask: Enter the subnet mask associated with your static IP. My WAN Addr: Leave the field set to 0.0.0.0 to have the ISP or other remote router dynamically (automatically) assign your WAN IP address if you do not know it. Enter your WAN IP address here if you know it (static). This is the address assigned to your local ZyWALL, not the remote router. Network Address Translation: N...

Page 552: ...ork Address Translation field, it displays 255 and indicates the SMT will use the pre-configured Set 255 (read only) in menu 15.1. If you select Full Feature or None in the Network Address Translation field, it displays 1, 2 or 3 and indicates the SMT will use the pre-configured Set 1 in menu 15.1 for the first WAN port, Set 2 in menu 15.1 for the second WAN port and Set 3 for the Backup port. Refer to Se...

Page 553: ... your password to the server. If there are errors in the script and it gets stuck at a set for longer than the Dial Timeout in menu 2 (default 60 seconds), the ZyWALL will timeout and drop the line. To debug a script, go to Menu 24.4 to initiate a manual call and watch the trace display to see if the sequence of messages and prompts from the server differs from what you expect. Figure 343 Menu 11.3.3 Rem...

Page 554: ...e filters. Figure 344 Menu 11.3.4 Remote Node Filter. 30.4 3G WAN: 3G (Third Generation) is a digital, packet-switched wireless technology. Bandwidth usage is optimized as multiple users share the same channel and bandwidth is only allocated to users when they send data. It allows fast transfer of voice and non-voice data and provides broadband Internet access to mobile devices. See Section 8.13 on page 18...

Page 555: ...ou select Configure directly in the field above. You can enter up to 72 ASCII printable characters. Spaces are allowed. APN: This field is available when you select Configure APN in the field above. Enter the APN (Access Point Name) provided by your service provider. Connections with different APNs may provide different services (such as Internet access or MMS (Multi-Media Messaging Service)) and charge metho...

Page 556: ...for the remote node. This field can be up to eight characters. WAN 2 denotes a 3G WAN connection, but you can change that. Active: Press SPACE BAR and then ENTER to select Yes to enable the remote node or No to disable the remote node. Outgoing, My Login: Enter the login name assigned by your ISP for this remote node. My Password: Enter the password assigned by your ISP for this remote node. Retype to Confir...

Page 557: ...he time, regardless of whether or not there is any traffic. Select No to have this connection act as a dial-up connection. Session Options, Edit Filter sets: This field leads to another hidden menu. Use SPACE BAR to select Yes and press ENTER to open menu 11.3.4 to edit the filter sets. See Section 30.3.6 on page 554 for more details. Idle Timeout: Enter the number of seconds of idle time (when there is no ...

Page 558: ...Chapter 30 WAN and Dial Backup Setup ZyWALL 2WG User s Guide 558 ...

Page 559: ... the LAN Menus: From the main menu, enter 3 to open Menu 3 LAN Setup. Figure 347 Menu 3 LAN Setup. 31.3 LAN Port Filter Setup: This menu allows you to specify the filter sets that you wish to apply to the LAN traffic. You seldom need to filter the LAN traffic; however, the filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Menu 3 LAN Setup: 1 LAN Port Filter Set...

Page 560: ...CP Setup: From menu 3, select the submenu option TCP/IP and DHCP Setup and press ENTER. The screen now displays Menu 3.2 TCP/IP and DHCP Ethernet Setup, as shown next. Not all fields are available on all models. Menu 3.1 LAN Port Filter Setup: Input Filter Sets: protocol filters, device filters. Output Filter Sets: protocol filters, device filters. Press ENTER to Confirm or ESC to Cancel. Menu 3 LAN Setup: 1 LAN...

Page 561: ...ss: N/A. Press ENTER to Confirm or ESC to Cancel. Table 210 Menu 3.2 DHCP Ethernet Setup Fields (FIELD / DESCRIPTION): DHCP: This field enables/disables the DHCP server. If set to Server, your ZyWALL will act as a DHCP server. If set to None, the DHCP server will be disabled. If set to Relay, the ZyWALL acts as a surrogate DHCP server and relays requests and responses between the remote server and the clients. Wh...

Page 562: ...third DNS server, that choice changes to None after you save your changes. Select None if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it. DHCP Server Address: If Relay is selected in the DHCP field above, then type the IP address of the actual remote DHCP server here. Table 210 Menu 3.2 DHCP Ethernet Setup Fie...

Page 563: ...Direction: N/A. Version: N/A. Incoming protocol filters: N/A. Outgoing protocol filters: N/A. Enter here to CONFIRM or ESC to CANCEL. Table 212 Menu 3.2.1 IP Alias Setup (FIELD / DESCRIPTION): IP Alias 1, 2: Choose Yes to configure the LAN network for the ZyWALL. IP Address: Enter the IP address of your ZyWALL in dotted decimal notation. IP Subnet Mask: Your ZyWALL will automatically calculate the subnet mask based o...

Page 564: ...Chapter 31 LAN Setup ZyWALL 2WG User s Guide 564 ...

Page 565: ... access the Internet. There are three different menu 4 screens, depending on whether you chose Ethernet, PPTP or PPPoE Encapsulation. Contact your ISP to determine what encapsulation type you should use. This menu configures WAN 1 on a ZyWALL with multiple WAN interfaces. Configure the WAN 2 interface in Menu 11.2 Remote Node Profile or in the WAN, WAN 2 screen via the web configurator. 32.2 Ethernet Enca...

Page 566: ...P is Time Warner's RoadRunner; otherwise choose Standard. Note: DSL users must choose the Standard option only. The My Login, My Password and Login Server fields are not applicable in this case. My Login: Enter the login name given to you by your ISP. My Password: Type your password again for confirmation. Retype to Confirm: Enter your password again to make sure that you have entered it correctly. Login Serv...

Page 567: ...e network (for example, a private IP address used in a local network) to a different IP address known within another network (for example, a public IP address used on the Internet). Choose None to disable NAT. Choose SUA Only if you have a single public IP address. SUA (Single User Account) is a subset of NAT that supports two types of mapping: Many-to-One and Server. Choose Full Feature if you have multiple p...

Page 568: ...P. Service Type: N/A. My Login. My Password. Retype to Confirm. Idle Timeout: 100. IP Address Assignment: Dynamic. IP Address: N/A. IP Subnet Mask: N/A. Gateway IP Address: N/A. Network Address Translation: SUA Only. Press ENTER to Confirm or ESC to Cancel. Table 214 New Fields in Menu 4 (PPTP) Screen (FIELD / DESCRIPTION): Encapsulation: Press SPACE BAR and then press ENTER to choose PPTP. The encapsulation method influence...

Page 569: ...e Internet. You may deactivate the firewall in menu 21.2 or via the ZyWALL embedded web configurator. You may also define additional firewall rules or modify existing ones, but please exercise extreme caution in doing so. See the chapters on firewall for more information on the firewall. Menu 4 Internet Access Setup: ISP's Name: WAN_1. Encapsulation: PPPoE. Service Type: N/A. My Login. My Password. Retype to Co...

Page 570: ...Chapter 32 Internet Access ZyWALL 2WG User s Guide 570 ...

Page 571: ... 33.2 DMZ Port Filter Setup: This menu allows you to specify the filter sets that you wish to apply to your public server(s)' traffic. Figure 356 Menu 5.1 DMZ Port Filter Setup. Menu 5 DMZ Setup: 1 DMZ Port Filter Setup; 2 TCP/IP and DHCP Setup. Enter Menu Selection Number. Menu 5.1 DMZ Port Filter Setup: Input Filter Sets: protocol filters, device filters. Output Filter Sets: protocol filters, device filters. Pr...

Page 572: ... Menu 5.2 TCP/IP and DHCP Ethernet Setup. The DHCP and TCP/IP setup fields are the same as the ones in Menu 3.2 TCP/IP and DHCP Ethernet Setup. Each public server will need a unique IP address. Refer to Section 31.4 on page 560 for information on how to configure these fields. Menu 5 DMZ Setup: 1 DMZ Port Filter Setup; 2 TCP/IP and DHCP Setup. Enter Menu Selection Number. Menu 5.2 TCP/IP and DHCP Ethernet...

Page 573: ...open Menu 5.2.1 IP Alias Setup, as shown next. Use this menu to configure the second and third networks. Figure 359 Menu 5.2.1 IP Alias Setup. Refer to Table 212 on page 563 for instructions on configuring IP alias parameters. Menu 5.2.1 IP Alias Setup: IP Alias 1: No. IP Address: N/A. IP Subnet Mask: N/A. RIP Direction: N/A. Version: N/A. Incoming protocol filters: N/A. Outgoing protocol filters: N/A. IP Alias 2: No ...

Page 574: ...Chapter 33 DMZ Setup ZyWALL 2WG User s Guide 574 ...

Page 575: ...fic redirect properties. Figure 361 Menu 6.1 Route Assessment. Menu 6 Route Setup: 1 Route Assessment; 2 Traffic Redirect; 3 Route Failover. Enter Menu Selection Number. Menu 6.1 Route Assessment: Probing WAN 1 Check Point: Yes. Use Default Gateway as Check Point: Yes. Check Point: N/A. Probing WAN 2 Check Point: Yes. Use Default Gateway as Check Point: Yes. Check Point: N/A. Probing Traffic Redirection Check Point: N...

Page 576: ...ain name or IP address of a reliable nearby computer (for example, your ISP's DNS server address) in the Check Point field, the ZyWALL will use the default gateway IP address. When you have completed this menu, press ENTER at the prompt "Press ENTER to Confirm" to save your configuration, or press ESC at any time to cancel. Menu 6.2 Traffic Redirect: Active: No. Configuration: Backup Gateway IP Address: 0.0.0.0 ...

Page 577: ...d of menu 6.1 or the default gateway. Allow more time if your destination IP address handles lots of traffic. Timeout: Type the number of seconds for your ZyWALL to wait for a ping response from the IP address in the Check Point field of menu 6.1 before it times out. The WAN connection is considered down after the ZyWALL times out the number of times specified in the Fail Tolerance field. Use a higher ...

Page 578: ...Chapter 34 Route Setup ZyWALL 2WG User s Guide 578 ...

Page 579: ...IP Multicast and IP alias, please refer to Chapter 6 on page 147. 35.1.1 IP Address: From the main menu, enter 7 to open Menu 7 WLAN Setup to configure TCP/IP (RFC 1155). Figure 364 Menu 7 WLAN Setup. From menu 7, select the submenu option 2 TCP/IP and DHCP Setup and press ENTER. The screen now displays Menu 7.2 TCP/IP and DHCP Ethernet Setup, as shown next. Menu 7 WLAN Setup: 2 TCP/IP and DHCP Setup. Enter Men...

Page 580: ... the WLAN port (see Chapter 38 on page 595) in menus 15.1 and 15.2. 35.1.2 IP Alias Setup: You must use menu 7.2 to configure the first network. Move the cursor to the Edit IP Alias field, press SPACE BAR to choose Yes and press ENTER to configure the second and third network. Pressing ENTER opens Menu 7.2.1 IP Alias Setup, as shown next. Menu 7.2 TCP/IP and DHCP Ethernet Setup: DHCP: None. TCP/IP Setup: Clien...

Page 581: ... to Table 212 on page 563 for instructions on configuring IP alias parameters. Menu 7.2.1 IP Alias Setup: IP Alias 1: No. IP Address: N/A. IP Subnet Mask: N/A. RIP Direction: N/A. Version: N/A. IP Alias 2: No. IP Address: N/A. IP Subnet Mask: N/A. RIP Direction: N/A. Version: N/A. Enter here to CONFIRM or ESC to CANCEL ...

Page 582: ...Chapter 35 Wireless Setup ZyWALL 2WG User s Guide 582 ...

Page 583: ... 4 Remote Node Filter. 36.2 Remote Node Setup: From the main menu, select menu option 11 to open Menu 11 Remote Node Setup, shown below. Enter 1 to open Menu 11.1 Remote Node Profile and configure the setup for your WAN port. Enter 2 to open Menu 11.2 Remote Node Profile (3G WAN) and configure the setup for your 3G connection. Enter 3 to open Menu 11.3 Remote Node Profile (Backup ISP) and configure the setup...

Page 584: ...Rem Node Name: Enter a descriptive name for the remote node. This field can be up to eight characters. Active: Press SPACE BAR and then ENTER to select Yes (activate remote node) or No (deactivate remote node). Encapsulation: Ethernet is the default encapsulation. Press SPACE BAR and then ENTER to change to PPPoE or PPTP encapsulation. Service Type: Press SPACE BAR and then ENTER to select from Standard, RR-Tos...

Page 585: ...at will be routed by your ZyWALL. IP is the only option for the ZyWALL. Edit IP: This field leads to a hidden menu. Press SPACE BAR to select Yes and press ENTER to go to Menu 11.1.2 Remote Node Network Layer Options. Session Options, Schedules: You can apply up to four schedule sets here. For more details, please refer to Chapter 47 on page 681. Edit Filter Sets: This field leads to another hidden menu. Use ...

Page 586: ...e Section 8.6 on page 170 for details on the Metric field. 36.3.3 PPTP Encapsulation: If you change the Encapsulation to PPTP in menu 11.1, then you will see the next screen. Table 220 Fields in Menu 11.1 (PPPoE Encapsulation Specific) (FIELD / DESCRIPTION): Service Name: If you are using PPPoE encapsulation, then type the name of your PPPoE service here. Only valid with PPPoE encapsulation. Authen: This field se...

Page 587: ...255.0. Idle Timeout (sec): 100. Server IP Addr: 10.0.0.138. Connection ID/Name. Press ENTER to Confirm or ESC to Cancel. Table 221 Menu 11.1 Remote Node Profile for PPTP Encapsulation (FIELD / DESCRIPTION): Encapsulation: Press SPACE BAR and then ENTER to select PPTP. You must also go to menu 11.3 to check the IP Address setting once you have selected the encapsulation method. My IP Addr: Enter the IP address of th...

Page 588: ...encapsulation only. Enter the gateway IP address assigned to you if you are using a static IP address. My WAN Addr: This field is applicable to PPPoE and PPTP encapsulations only. Some implementations, especially the UNIX derivatives, require the WAN link to have a separate IP network number from the LAN, and each end must have a unique address within the WAN network number. If this is the case, enter the ...

Page 589: ...rom 1 to 15 to set this route's priority among the ZyWALL's routes (see Section 8.6 on page 170). The smaller the number, the higher priority the route has. Private: This field is valid only for PPTP/PPPoE encapsulation. This parameter determines if the ZyWALL will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcast. If No, ...

Page 590: ...n Menu 11.1.4 Remote Node Filter: Input Filter Sets: protocol filters, device filters; Output Filter Sets: protocol filters, device filters. Enter here to CONFIRM or ESC to CANCEL. Menu 11.1.4 Remote Node Filter: Input Filter Sets: protocol filters, device filters; Output Filter Sets: protocol filters, device filters; Call Filter Sets: protocol filters, device filters. Enter here to CONFIRM or ESC to CANCEL ...

Page 591: ...he IP static routes as shown next to configure IP static routes in menu 12.1. The first two static route entries are for default WAN1 and WAN2 routes on a ZyWALL with multiple WAN interfaces. You cannot modify or delete a static default route. The default route is disabled after you change the static WAN IP address to a dynamic WAN IP address. The before a route name indicates the static route is inac...

Page 592: ...____ 15. ________ 30. ________ Enter selection number. Menu 12.1 Edit IP Static Route: Route 3, Route Name, Active No, Destination IP Address, IP Subnet Mask, Gateway IP Address, Metric 2, Private No. Press ENTER to CONFIRM or ESC to CANCEL. Table 223 Menu 12.1 Edit IP Static Route: FIELD / DESCRIPTION. Route: This is the index number of the static route that you chose in menu 12. Route Name: Enter a descriptive name...

Page 593: ...number from 1 to 15 to set this route's priority among the ZyWALL's routes (see Section 8.6 on page 170). The smaller the number, the higher priority the route has. Private: This parameter determines if the ZyWALL will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcast. If No, the route to this remote node will be propagat...

Page 594: ...Chapter 37 IP Static Route Setup, ZyWALL 2WG User's Guide, 594 ...

Page 595: ...ny-to-One and Server. See Section 38.2.1 on page 598 for a detailed description of the NAT set for SUA. The ZyWALL also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types. Choose SUA Only if you have just one public WAN IP address for your ZyWALL. Choose Full Feature if you have multiple public WAN IP addresses f...

Page 596: ... to the Remote Node. Menu 4 Internet Access Setup: ISP's Name ChangeMe, Encapsulation Ethernet, Service Type Standard, My Login N/A, My Password N/A, Retype to Confirm N/A, Login Server N/A, Relogin Every (min) N/A, IP Address Assignment Dynamic, IP Address N/A, IP Subnet Mask N/A, Gateway IP Address N/A, Network Address Translation SUA Only. Press ENTER to Confirm or ESC to Cancel. Menu 11.1.2 Remote Node Network ...

Page 597: ... following screen. On a ZyWALL with two WAN interfaces, you can configure port forwarding and trigger port rules for the first WAN interface and separate sets of rules for the second WAN interface. Figure 378 Menu 15 NAT Setup. Table 224 Applying NAT in Menus 4 and 11.1.2: FIELD / DESCRIPTION / OPTIONS. Network Address Translation: When you select this option, the SMT will use Address Mapping Set 1 (menu 15.1, see ...

Page 598: ...Set. Enter 255 to display the next screen (see also Section 38.1.1 on page 595). The fields in this menu cannot be changed. Figure 380 Menu 15.1.255 SUA Address Mapping Rules. The following table explains the fields in this menu. Menu 15.1 Address Mapping Sets: 1. NAT_SET 2. example ... 255. SUA (read only). Enter Menu Selection Number. Menu 15.1.255 Address Mapping Rules: Set Name SUA. Idx / Local Start IP / Local End IP...

Page 599: ...e of the set you selected in menu 15.1, or enter the name of a new set you want to create. Idx: This is the index or rule number. Local Start IP: Local Start IP is the starting local IP address (ILA). Local End IP: Local End IP is the ending local IP address (ILA). If the rule is for all local IPs, then the start IP is 0.0.0.0 and the end IP is 255.255.255.255. Global Start IP: This is the starting global IP add...

Page 600: ...umber of empty rules. For example, if you have already configured rules 1 to 6 in your current set and now you configure rule number 9, in the set summary screen the new rule will be rule 7, not 9. Now if you delete rule 4, rules 5 to 7 will be pushed up by 1 rule, so old rule 5 becomes rule 4, old rule 6 becomes rule 5 and old rule 7 becomes rule 6. Menu 15.1.1 Address Mapping Rules: Set Name NAT_SET. Id...

Page 601: ...1 Editing/Configuring an Individual Rule in a Set. Action: The default is Edit. Edit means you want to edit a selected rule (see following field). Insert Before means to insert a rule before the rule selected; the rules after the selected rule will then be moved down by one rule. Delete means to delete the selected rule, and then all the rules after the selected one will be advanced one rule. None disables...

Page 602: ...r. See Section 38.4.3 on page 607 for an example. Local IP: Only local IP fields are N/A for Server; Global IP fields MUST be set for Server. Start: Enter the starting local IP address (ILA). End: Enter the ending local IP address (ILA). If the rule is for all local IPs, then put the Start IP as 0.0.0.0 and the End IP as 255.255.255.255. This field is N/A for One-to-One and Server types. Global IP Start: Enter the...

Page 603: ...R to open Menu 15.2.x.x NAT Server Configuration (see the next figure). Figure 385 15.2.x.x NAT Server Configuration. Menu 15.2.1 NAT Server Setup: Default Server 0.0.0.0. Rule / Act / Start Port / End Port / IP Address: 001 No 0 0 0.0.0.0; 002 No 0 0 0.0.0.0; 003 No 0 0 0.0.0.0; 004 No 0 0 0.0.0.0; 005 No 0 0 0.0.0.0; 006 No 0 0 0.0.0.0; 007 No 0 0 0.0.0.0; 008 No 0 0 0.0.0.0; 009 No 0 0 0.0.0.0; 010 No 0 0 0.0.0.0. Sele...

Page 604: ...warding and trigger port rules for the first WAN port and separate sets of rules for the second WAN port. This is the WAN port server set you select in menu 15.2. Index: This is the index number of an individual port forwarding server entry. Name: Enter a name to identify this port forwarding rule. Active: Press [SPACE BAR] and then [ENTER] to select Yes to enable the NAT server entry. Start Port: Enter a port...

Page 605: ...le. 38.4 General NAT Examples: The following are some examples of NAT configuration. 38.4.1 Internet Access Only: In the following Internet access example, you only need one rule where all your ILAs (Inside Local Addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP. Figure 388 NAT Example 1 ...

Page 606: ... this case. 38.4.2 Example 2: Internet Access with a Default Server. Figure 390 NAT Example 2. In this case you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2.1 to specify the Default Server behind the NAT, as shown in the next figure. Menu 4 Internet Access Setup: ISP's Name ChangeMe, Encapsulation Ethernet, Service Type Standard, My Login N/A, My Password N/A, Re...

Page 607: ...inside FTP server for FTP traffic in both directions (1-1 mapping, giving both local and global IP addresses). 2. Map the second IGA to our second inside FTP server for FTP traffic in both directions (1-1 mapping, giving both local and global IP addresses). 3. Map the other outgoing LAN traffic to IGA3 (Many-1 mapping). 4. You also map your third IGA to the web server and mail server on the LAN. Type Server allo...

Page 608: ...ess [ENTER] to confirm. 5. Select Type as One-to-One (direct mapping for packets going both ways), and enter the local Start IP as 192.168.1.10 (the IP address of FTP Server 1) and the global Start IP as 10.132.50.1 (our first IGA). See Figure 394 on page 609. 6. Repeat the previous step for rules 2 to 4 as outlined above. 7. When finished, menu 15.1.1 should look as shown in Figure 395 on page 609. Figure 393 Exa...

Page 609: ...re the menu as shown in Figure 396 on page 610. Menu 15.1.1.1 Address Mapping Rule: Type One-to-One, Local IP Start 192.168.1.10, End N/A, Global IP Start 10.132.50.1, End N/A, Server Mapping Set N/A. Press ENTER to Confirm or ESC to Cancel. Menu 15.1.1 Address Mapping Rules: Set Name Example3. Idx / Local Start IP / Local End IP / Global Start IP / Global End IP / Type: 1. 192.168.1.10 10.132.50.1 1-1; 2. 192.168.1.11 10...

Page 610: ...numbers do not change for Many-One-to-One and One-to-One NAT mapping types. The following figure illustrates this. Figure 397 NAT Example 4. Menu 15.2.1 NAT Server Setup: Default Server 0.0.0.0. Rule / Act / Start Port / End Port / IP Address: 001 Yes 80 80 192.168.1.21; 002 Yes 25 25 192.168.1.20; 003 No 0 0 0.0.0.0; 004 No 0 0 0.0.0.0; 005 No 0 0 0.0.0.0; 006 No 0 0 0.0.0.0; 007 No 0 0 0.0.0.0; 008 No 0 0 0.0.0.0; 00...

Page 611: ...Address Mapping Rule. After you've configured your rule, you should be able to check the settings in menu 15.1.1 as shown next. Figure 399 Example 4 Menu 15.1.1 Address Mapping Rules. Menu 15.1.1.1 Address Mapping Rule: Type Many-One-to-One, Local IP Start 192.168.1.10, End 192.168.1.12, Global IP Start 10.132.50.1, End 10.132.50.3. Press ENTER to Confirm or ESC to Cancel. Menu 15.1.1 Address Mapping Rules: S...

Page 612: ...specific port number and protocol (a trigger port). When the ZyWALL's WAN port receives a response with a specific port number and protocol (incoming port), the ZyWALL forwards the traffic to the LAN IP address of the computer that sent the request. After that computer's connection for that service closes, another computer on the LAN can use the service in the same manner. This way you do not need to confi...

Page 613: ...acters are permitted, including spaces. Incoming: Incoming is a port or a range of ports that a server on the WAN uses when it sends out a particular service. The ZyWALL forwards the traffic with this port or range of ports to the client computer on the LAN that requested the service. Start Port: Enter a port number or the starting port number in a range of port numbers. End Port: Enter a port number or t...

Page 614: ...Chapter 38 Network Address Translation (NAT), ZyWALL 2WG User's Guide, 614 ...

Page 615: ...creen shown next. Figure 401 Menu 21 Filter and Firewall Setup. 39.1.1 Activating the Firewall: Enter option 2 in this menu to bring up the following screen. Press [SPACE BAR] and then [ENTER] to select Yes in the Active field to activate the firewall. The firewall must be active to protect against Denial of Service (DoS) attacks. Use the web configurator to configure firewall rules. Menu 21 Filter and Firewal...

Page 616: ...cts against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off. Refer to the User's Guide for details about the firewall default policies. You may define additional policy rules or modify existing ones, but please exercise extreme caution in doing so. Active: Yes. You can use the Web Configurator to configure the firewall. Press ENTER to ...

Page 617: ...ata filters are divided into incoming and outgoing filters, depending on the direction of the packet relative to a port. Data filtering can be applied on either the WAN side or the LAN side. Call filtering is used to determine if a packet should be allowed to trigger a call. Remote node call filtering is only applicable when using PPPoE encapsulation. Outgoing packets must undergo data filtering before...

Page 618: ... rules and protocol filter rules within the same set. You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port. Sets of factory default filter rules have been configured in menu 21 to prevent NetBIOS traffic from triggering calls and to prevent incoming telnet s...

Page 619: ...User's Guide 619. Figure 404 Filter Rule Process. You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port ...

Page 620: ...R 5. Press [ENTER] at the message "Press ENTER to confirm" to open Menu 21.1.x Filter Rules Summary. This screen shows the summary of the existing rules in the filter set. The following tables contain a brief description of the abbreviations used in the previous menus. Menu 21 Filter and Firewall Setup: 1. Filter Setup 2. Firewall Setup. Enter Menu Selection Number. Menu 21.1 Filter Set Configuration: Filter / Fi...

Page 621: ...enu: FIELD / DESCRIPTION. A (Active): Y means the rule is active; N means the rule is inactive. Type: The type of filter rule: GEN for Generic, IP for TCP/IP. Filter Rules: These parameters are displayed here. M (More): Y means there are more rules to check, which form a rule chain with the present rule. An action cannot be taken until the rule chain is complete. N means there are no more rules to check. You can specif...

Page 622: ...ne. Action Matched: Check Next Rule. Action Not Matched: Check Next Rule. Press ENTER to Confirm or ESC to Cancel. Table 232 Menu 21.1.1.1 TCP/IP Filter Rule: FIELD / DESCRIPTION. Active: Press [SPACE BAR] and then [ENTER] to select Yes to activate the filter rule or No to deactivate it. IP Protocol: Protocol refers to the upper layer protocol, e.g., TCP is 6, UDP is 17 and ICMP is 1. Type a value between 0 and 255. A v...

Page 623: ...blish a TCP connection (SYN=1 and ACK=0); if No, it is ignored. More: Press [SPACE BAR] and then [ENTER] to select Yes or No. If Yes, a matching packet is passed to the next filter rule before an action is taken; if No, the packet is disposed of according to the action fields. If More is Yes, then Action Matched and Action Not Matched will be N/A. Log: Press [SPACE BAR] and then [ENTER] to select a logging option from ...

Page 624: ...gure 408 Executing an IP Filter. 40.2.3 Configuring a Generic Filter Rule: This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly ...

Page 625: ...on Not Matched: Check Next Rule. Press ENTER to Confirm or ESC to Cancel. Table 233 Generic Filter Rule Menu Fields: FIELD / DESCRIPTION. Filter: This is the filter set, filter rule co-ordinates, i.e., 2,3 refers to the second filter set and the third rule of that set. Filter Type: Use [SPACE BAR] and then [ENTER] to select a rule type. Parameters displayed below each type will be different. TCP/IP filter rules are u...

Page 626: ...ly filter rule of this set. Make the entries in this menu as shown in the following figure. Log: Select the logging option from the following: None: No packets will be logged. Action Matched: Only packets that match the rule parameters will be logged. Action Not Matched: Only packets that do not match the rule parameters will be logged. Both: All packets will be logged. Action Matched: Select the action for a ...

Page 627: ... is to drop the packet (m=D) if the action is matched and to forward the packet immediately (n=F) if the action is not matched, no matter whether there are more rules to be checked (there aren't in this example). Menu 21.1.3.1 TCP/IP Filter Rule: Filter 3,1, Filter Type TCP/IP Filter Rule, Active Yes, IP Protocol 6, IP Source Route No, Destination IP Addr 0.0.0.0, IP Mask 0.0.0.0, Port 23, Port Comp Equal, Source I...

Page 628: ...r are replaced on a connection-by-connection basis, which makes it impossible to know the exact address and port on the wire. Therefore the ZyWALL applies the protocol filters to the native IP address and port number before NAT for outgoing packets and after NAT for incoming packets. On the other hand, the generic, or device, filters are applied to the raw packets that appear on the wire. They are applie...

Page 629: ... a nonexistent outbound request can be blocked. The firewall uses session filtering, i.e., smart rules that enhance the filtering process and control the network session rather than control individual packets in a session. The firewall provides e-mail service to notify you of routine reports and when alerts occur. 40.5.2.1 When To Use The Firewall: 1. To prevent DoS attacks and prevent hackers cracking yo...

Page 630: ... Filters: DMZ traffic filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 5.1 (shown next) and enter the number(s) of the filter set(s) that you want to apply as appropriate. You can choose up to four filter sets from twelve by entering their numbers separated by commas, e.g., 3, 4, 6, 11. Input filter sets filter incoming traffic to the ZyWALL and output ...

Page 631: ...propriate. You can cascade up to four filter sets by entering their numbers separated by commas. The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls and block incoming telnet, FTP and HTTP connections. Figure 416 Filtering Remote Node Traffic. Menu 11.1.4 Remote Node Filter Setup: Input Filter Sets: protocol filters, device filters; Output Filter Sets: protocol filters, device fil...

Page 632: ...Chapter 40 Filter Configuration, ZyWALL 2WG User's Guide, 632 ...

Page 633: ...0. Trap: Community public, Destination 0.0.0.0. Press ENTER to Confirm or ESC to Cancel. Table 234 SNMP Configuration Menu Fields: FIELD / DESCRIPTION. Get Community: Type the Get community, which is the password for the incoming Get and GetNext requests from the management station. Set Community: Type the Set community, which is the password for incoming Set requests from the management station. Trusted Host: I...

Page 634: ...CRIPTION. 0 coldStart (defined in RFC 1215): A trap is sent after booting (power on). 1 warmStart (defined in RFC 1215): A trap is sent after booting (software reboot). 4 authenticationFailure (defined in RFC 1215): A trap is sent to the manager when receiving any SNMP get or set requirements with the wrong community (password). 6 whyReboot (defined in ZYXEL-MIB): A trap is sent with the reason of restart before reboot...

Page 635: ...ur system firmware and the status and statistics of the ports, as shown in the next figure. System Status is a tool that can be used to monitor your ZyWALL. Specifically, it gives you information on your system firmware version, number of packets sent and number of packets received. To get to the System Status: 1. Enter number 24 to go to Menu 24 System Maintenance. 2. In this menu, enter 1 to open Menu 24.1...

Page 636: ...0.0.0 0.0.0.0 None; DMZ 00:00:AA:77:90:7B 192.168.100.2 255.255.255.0 Server. System up Time: 3:02:07. CARD bridged to LAN. Press Command: COMMANDS: 1,2-Drop WAN1,2 9-Reset Counters ESC-Exit. Table 236 System Maintenance Status Menu Fields: FIELD / DESCRIPTION. Port: This field identifies an interface (WAN1, WAN2, LAN, WCRD (wireless LAN card), DMZ or WLAN) on the ZyWALL. Status: For the LAN, DMZ and WLAN interfaces, thi...

Page 637: ...w. More specifically, it gives you information on your routing protocol, Ethernet address, IP address, etc. Ethernet Address: This is the MAC address of the port listed on the left. IP Address: This is the IP address of the port listed on the left. IP Mask: This is the IP mask of the port listed on the left. DHCP: This is the DHCP setting of the port listed on the left. System up Time: This is the total time the...

Page 638: ...77:90:79, IP Address 192.168.1.1, IP Mask 255.255.255.0, DHCP Server. Press ESC or RETURN to Exit. Table 237 Fields in System Maintenance Information: FIELD / DESCRIPTION. Name: This is the ZyWALL's system name and domain name assigned in menu 1. For example, System Name xxx and Domain Name baboo.mickey.com give Name xxx.baboo.mickey.com. Routing: Refers to the routing protocol used. ZyNOS F/W Version: Refers to the version ...

Page 639: ... main menu to open Menu 24 System Maintenance. 2. From menu 24, select option 3 to open Menu 24.3 System Maintenance Log and Trace. 3. Select the first option from Menu 24.3 System Maintenance Log and Trace to display the error log in the system. After the ZyWALL finishes displaying, you will have the option to clear the error log. Figure 423 Menu 24.3 System Maintenance Log and Trace. Examples of typical ...

Page 640: ... Thu Jul 1 05:54:56 2004 PP0d INFO LAN promiscuous mode 1; 58 Thu Jul 1 05:54:56 2004 PINI INFO Last errorlog repeat 1 Times; 59 Thu Jul 1 05:54:56 2004 PINI INFO main init completed; 60 Thu Jul 1 05:55:26 2004 PSSV WARN SNMP TRAP 0: cold start; 61 Thu Jul 1 05:56:56 2004 PINI INFO SMT Session Begin; 62 Thu Jul 1 07:50:58 2004 PINI INFO SMT Session End; 63 Thu Jul 1 07:53:28 2004 PINI INFO SMT Session Be...

Page 641: ...02 Jul 19 11:19:32 192.168.102.2 ZyXEL: board 0 line 0 channel 0, call 1, C02 OutCall Connected 64000 40002; Jul 19 11:20:06 192.168.102.2 ZyXEL: board 0 line 0 channel 0, call 1, C02 Call Terminated. Packet triggered Message Format: SdcmdSyslogSend(SYSLOG_PKTTRI, SYSLOG_NOTICE, String); String = Packet trigger: Protocol=xx Data=xxxxxxxxxx...x. Protocol: (1) IP (2) IPX (3) IPXHC (4) BPDU (5) ATALK (6) IPNG. Data: We will send fort...

Page 642: ...r 03 10:41:34 202.132.155.97 ZyXEL: IP Src=192.168.2.33 Dst=202.132.155.93 ICMP (S04) R01mF; Mar 03 11:59:20 202.132.155.97 ZyXEL: GEN 00a0c5f502fnord010080 (S05) R01mF; Mar 03 12:00:52 202.132.155.97 ZyXEL: GEN ffffffffffff0080 (S05) R01mF; Mar 03 12:00:57 202.132.155.97 ZyXEL: GEN 00a0c5f502010080 (S05) R01mF; Mar 03 12:01:06 202.132.155.97 ZyXEL: IP Src=192.168.2.33 Dst=202.132.155.93 TCP spo=01170 dpo=00021 (S0...

Page 643: ... Source port (empty means no source port information). Dst: Destination Address. dpo: Destination port (empty means no destination port information). prot: Protocol (TCP, UDP, ICMP, IGMP, GRE, ESP). rule: a,b where a means set number, b means rule number. Action: nothing (N), block (B), forward (F). 08-01-2000 11:48:41 Local1.Notice 192.168.10.10 RAS: FW 172.16.1.80:137 172.16.1.80:137 UDP default permit 2,0 B; 08-01-2000 11:48:41 Loca...

Page 644: ...n Menu 24.4 System Maintenance Diagnostic. IP Frame: ENET0-RECV Size: 44/44 Time: 17:02:44.262 Frame Type: IP Header: IP Version = 4, Header Length = 20, Type of Service = 0x00 (0), Total Length = 0x002C (44), Identification = 0x0002 (2), Flags = 0x00, Fragment Offset = 0x00, Time to Live = 0xFE (254), Protocol = 0x06 (TCP), Header Checksum = 0xFB20 (64288), Source IP = 0xC0A80101 (192.168.1.1), Destination IP = 0x00000000 (0.0.0.0). TCP Header: Source Po...

Page 645: ...d in menu 4 or menu 11 is Ethernet, or None when you have a static IP. The WAN Release and Renewal fields in menu 24.4 conveniently allow you to release and/or renew the assigned WAN IP address, subnet mask and default gateway in a fashion similar to winipcfg. Figure 428 WAN and LAN DHCP. The following table describes the diagnostic tests available in menu 24.4 for your ZyWALL and associated connections. Me...

Page 646: ...Internet setup. You can also test the Internet setup in Menu 4 Internet Access. Please refer to Chapter 32 on page 565 for more details. This feature is only available for a 3G connection or dial-up connections using PPPoE or PPTP encapsulation. Reboot System: Enter 11 to reboot the ZyWALL. WAN: If you entered 2, 3 or 4 in the Enter Menu Selection Number field, enter the number of the WAN interface in this...

Page 647: ... ZyWALL's performance. 43.2 Filename Conventions: The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc. It arrives from ZyXEL with a .rom filename extension. Once you have customized the ZyWALL's settings, they can be saved back to your computer under a filename of your choosing. ZyNOS (ZyXEL Network Operat...

Page 648: ...ZyWALL configuration to your computer. Backup is highly recommended once your ZyWALL is functioning properly. FTP is the preferred method for backing up your current configuration to your computer since it is faster. You can also perform backup and restore using menu 24 through the console port. Any serial communications program should work fine; however, you must use Xmodem protocol to perform the down...

Page 649: ...t. 43.3.3 Example of FTP Commands from the Command Line. Figure 430 FTP Session Example. Menu 24.5 Backup Configuration: To transfer the configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your router. Then type "root" and SMT password as requested. 3. Locate the rom-0 file. 4. Type "get rom-0" to back up the current ro...

Page 650: ... back up the configuration file, follow the procedure shown next: 1. Use telnet from your computer to connect to the ZyWALL and log in. Because TFTP does not have any security checks, the ZyWALL records the IP address of the telnet client and accepts TFTP requests only from this address. 2. Put the SMT in command interpreter (CI) mode by entering 8 in Menu 24 System Maintenance. 3. Enter command "sys stdio 0" t...

Page 651: ...name of the configuration file on the ZyWALL) to the file destination on the computer and renames it config.rom. 43.3.8 GUI-based TFTP Clients: The following table describes some of the fields that you may see in GUI-based TFTP clients. Refer to Section 43.3.5 on page 650 to read about configurations that disallow TFTP and FTP over WAN. 43.3.9 Backup Via Console Port: Back up configuration via console p...

Page 652: ...oose the Xmodem protocol. Then click Receive. 4. After a successful backup you will see the following screen. Press any key to return to the SMT menu. Figure 434 Successful Backup Confirmation Screen. 43.4 Restore Configuration: This section shows you how to restore a previously saved configuration. Note that this function erases the current configuration before restoring a previous back-up configuration ...

Page 653: ... Find the .rom file on your computer that you want to restore to your ZyWALL. 7. Use "put" to transfer files from the ZyWALL to the computer; for example, "put config.rom rom-0" transfers the configuration file config.rom on your computer to the ZyWALL. See earlier in this chapter for more information on filename conventions. Menu 24.6 System Maintenance Restore Configuration: To transfer the firmware and con...

Page 654: ...ing other serial communications programs should be similar. 1. Display menu 24.6 and enter y at the following screen. Figure 437 System Maintenance Restore Configuration. 2. The following screen indicates that the Xmodem download has started. Figure 438 System Maintenance Starting Xmodem Download Screen. 3. Run the HyperTerminal program by clicking Transfer, then Send File, as shown in the following screen ...

Page 655: ...e in Section 43.4 on page 652 or by following the instructions in Menu 24.7.2 System Maintenance Upload System Configuration File (for console port). WARNING: Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE YOUR ZyWALL. 43.5.1 Firmware File Upload: FTP is the preferred method for uploading the firmware and configuration. To use this feature, your computer must have an FTP client ...

Page 656: ... commands, please consult the documentation of your FTP client program. For details on uploading system firmware using TFTP (note that you must remain on this menu to upload system firmware using TFTP), please see your manual. Press ENTER to Exit. Menu 24.7.2 System Maintenance Upload System Configuration File: To upload the system configuration file, follow the procedure below: 1. Launch the FTP client on y...

Page 657: ...it the ftp prompt. 43.5.4 FTP Session Example of Firmware File Upload. Figure 443 FTP Session Example of Firmware File Upload. More commands (found in GUI-based FTP clients) are listed earlier in this chapter. Refer to Section 43.3.5 on page 650 to read about configurations that disallow TFTP and FTP over WAN. 43.5.5 TFTP File Upload: The ZyWALL also supports the uploading of firmware files using TFTP (Tri...

Page 658: ... TFTP Upload Command Example: The following is an example TFTP command: tftp [-i] host put firmware.bin ras, where -i specifies binary image transfer mode (use this mode when transferring binary files), host is the ZyWALL's IP address, put transfers the file source on the computer (firmware.bin, name of the firmware on the computer) to the file destination on the remote host (ras, name of the firmware on the ZyWA...

Page 659: ...are upload process has completed, the ZyWALL will automatically restart. 43.5.10 Uploading Configuration File Via Console Port: 1. Select 2 from Menu 24.7 System Maintenance Upload Firmware to display Menu 24.7.2 System Maintenance Upload System Configuration File. Follow the instructions as shown in the next screen. Menu 24.7.1 System Maintenance Upload System Firmware: To upload system firmware: 1. Enter...

Page 660: ... process has completed, restart the ZyWALL by entering atgo. Menu 24.7.2 System Maintenance Upload System Configuration File: To upload system configuration file: 1. Enter y at the prompt below to go into debug mode. 2. Enter atlc after the Enter Debug Mode message. 3. Wait for the Starting XMODEM upload message before activating Xmodem upload on your terminal. 4. After successful firmware upload, enter atgo to resta...

Page 661: ...the console port, although some commands are only available with a serial connection. See the included disk or zyxel.com for more detailed information on CI commands. Enter 8 from Menu 24 System Maintenance. Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable. Figure 448 Command Mode in Menu 24. Menu 24 System Maintenance: 1. System Status 2. System Informat...

Page 662: ...rp. ras> Valid commands are: sys ls exit ether aux config wwan wlan ip ipsec bridge bm certificates cnm 8021x radius radserv wcfg. ras> Table 243 Valid Commands: COMMAND / DESCRIPTION. sys: The system commands display device information and configure device settings. ls: The load sharing commands allow you to configure load balancing. exit: This command returns you to the SMT main menu. ether: These commands disp...

Page 663: ...going calls. To access the call control menu, select option 9 in menu 24 to go to Menu 24.9 System Maintenance Call Control, as shown in the next table. Figure 450 Call Control. 44.2.1 Budget Management: Menu 24.9.1 shows the budget management statistics for outgoing calls. Enter 1 from Menu 24.9 System Maintenance Call Control to bring up the following menu. Not all fields are available on all models (cer...

Page 664: ...ming and outgoing calls. Enter 2 from Menu 24.9 System Maintenance Call Control to bring up the following menu. Menu 24.9.1 Budget Management: Remote Node / Connection Time, Total Budget / Elapsed Time, Total Period: 1. WAN_1 No Budget No Budget; 2. WAN_2 No Budget No Budget; 3. Dial No Budget No Budget. Reset Node (0 to update screen). Table 244 Budget Management: FIELD / DESCRIPTION / EXAMPLE. Remote Node: Enter the inde...

Page 665: ...ect menu 24 in the main menu to open Menu 24 System Maintenance, as shown next. Menu 24.9.2 Call History: Phone Number / Dir / Rate / #call / Max / Min / Total: 1 2 3 4 5 6 7 8 9 10. Enter Entry to Delete (0 to exit). Table 245 Call History: FIELD / DESCRIPTION. Phone Number: The PPPoE service names are shown here. Dir: This shows whether the call was incoming or outgoing. Rate: This is the transfer rate of the call. #call: This ...

Page 666: ...e Port Speed 3. Log and Trace 4. Diagnostic 5. Backup Configuration 6. Restore Configuration 7. Upload Firmware 8. Command Interpreter Mode 9. Call Control 10. Time and Date Setting 11. Remote Management Setup. Enter Menu Selection Number. Menu 24.10 System Maintenance Time and Date Setting: Time Protocol NTP (RFC 1305), Time Server Address 0.pool.ntp.org, Current Time 08:24:26, New Time (hh:mm:ss) N/A N/A N/A, Curre...

Page 667: ...hen choose Yes. Start Date (mm-nth-week-hr): Configure the day and time when Daylight Saving Time starts if you selected Yes in the Daylight Saving field. The hr field uses the 24-hour format. Here are a couple of examples: Daylight Saving Time starts in most parts of the United States on the first Sunday of April. Each time zone in the United States starts using Daylight Saving Time at 2 A.M. local time. S...

Page 668: ...Chapter 44 System Maintenance Menus 8 to 10, ZyWALL 2WG User's Guide, 668 ...

Page 669: ... remote management to allow management from any network except the LAN, you still need to configure a firewall rule to allow access. See Chapter 11 on page 239 for details on configuring firewall rules. You can also disable a service on the ZyWALL by not allowing access for the service/protocol through any of the ZyWALL interfaces. To disable remote management of a service, select Disable in the corres...

Page 670: ...7 Menu 24 11 Remote Management Control FIELD DESCRIPTION Telnet Server FTP Server SSH Server HTTPS Server HTTP Server SNMP Service DNS Service Each of these read only labels denotes a service that you may use to remotely manage the ZyWALL Port This field shows the port number for the service or protocol You may change the port number if needed but you must use the same port number to access the Zy...

Page 671: ...management session with an equal or higher priority running You may only have one remote management session running at one time 6 There is a firewall rule that blocks it Authenticate Client Certificates Select Yes by pressing SPACE BAR then ENTER to require the SSL client to authenticate itself to the ZyWALL by sending the ZyWALL a certificate To do that the SSL client must have a CA signed certif...

Page 673: ...1 1 1 1 1 DA 2 2 2 2 2 2 2 5 SP 20 25 DP 20 25 P 6 T NM PR 0 GW 192 168 1 1 T MT PR 0 002 N _______________________________________________________ _______________________________________________________ 003 N _______________________________________________________ _______________________________________________________ 004 N _______________________________________________________ ________________...

Page 674: ... you are on the correct page When a rule is deleted subsequent rules do not move up in the page list Use Go To Rule to view the page where your desired rule is listed Select Next Page or Previous Page to view the next or previous page of rules respectively Select Rule Type the policy index number you wish to edit or delete and then press ENTER When you have completed this menu press ENTER at the p...

Page 675: ...o Cancel Table 250 Menu 25 1 IP Routing Policy Setup FIELD DESCRIPTION Rule Index This is the index number of the routing policy selected in Menu 25 IP Routing Policy Summary Active Press SPACE BAR and then ENTER to select Yes to activate the policy Criteria IP Protocol Enter a number that represents an IP layer 4 protocol for example UDP 17 TCP 6 ICMP 1 and Don t care 0 Type of Service Prioritize...

Page 676: ...The gateway must be on the same subnet as the ZyWALL if it is on the LAN otherwise the gateway must be the IP address of a remote node The default gateway is specified as 0 0 0 0 Remote Node Idx This field displays if you selected Remote Node in the Gateway Type field Type 1 for WAN port 1 or 2 for WAN port 2 Redirect Packet This field applies if you selected Remote Node in the Gateway Type field ...

Page 677: ...onfigured IP route Menu 25 1 1 IP Routing Policy Setup Apply policy to packets received from LAN No DMZ No WLAN No ALL WAN Yes Selected Remote Node index N A Press ENTER to Confirm or ESC to Cancel Table 251 Menu 25 1 1 IP Routing Policy Setup FIELD DESCRIPTION LAN DMZ WLAN ALL WAN Press SPACE BAR to select Yes or No Choose Yes and press ENTER to apply the policy to packets received on the specifi...

Page 678: ...xt Figure 460 IP Routing Policy Example 1 Menu 25 1 IP Routing Policy Setup Rule Index 1 Active Yes Criteria IP Protocol 6 Type of Service Don t Care Packet length 10 Precedence Don t Care Len Comp Equal Source addr start 192 168 1 33 end 192 168 1 64 port start 0 end N A Destination addr start 0 0 0 0 end N A port start 80 end 80 Action Matched Gateway Type IP Address Gateway addr 192 168 1 1 Red...

Page 679: ...Yes in the LAN field in menu 25 1 1 to apply the policy to packets received on the LAN port 6 Check Menu 25 IP Routing Policy Summary to see if the rule is added correctly Menu 25 1 IP Routing Policy Setup Rule Index 2 Active No Criteria IP Protocol 6 Type of Service Don t Care Packet length 10 Precedence Don t Care Len Comp Equal Source addr start 0 0 0 0 end N A port start 0 end N A Destination ...

Page 681: ...ered sets take precedence over higher numbered sets thereby avoiding scheduling conflicts For example if sets 1 2 3 and 4 are applied in the remote node then set 1 will take precedence over set 2 3 and 4 as the ZyWALL by default applies the lowest numbered set first Set 2 will take precedence over set 3 and 4 and so on You can design up to 12 schedule sets but you can only apply up to four schedul...

Page 682: ... Thursday N A Friday N A Saturday N A Start Time hh mm 00 00 Duration hh mm 00 00 Action Forced On Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Table 252 Schedule Set Setup FIELD DESCRIPTION Active Press SPACE BAR to select Yes or No Choose Yes and press ENTER to activate the schedule set How Often Should this schedule set recur weekly or be used just once only Press SPACE BAR...

Page 683: ...action configured in the Action field Enter the maximum length of time in hour minute format Action Forced On means that the connection is maintained whether or not there is a demand call on the line and will persist for the time period specified in the Duration field Forced Down means that the connection is blocked whether or not there is a demand call on the line Enable Dial On Demand means that...

Page 684: ...Active Yes Encapsulation PPTP Edit IP No Service Type Standard Telco Option Allocated Budget min 0 Outgoing Period hr 0 My Login Schedules 1 2 3 4 My Password Nailed up Connections No Retype to Confirm Authen CHAP PAP PPTP Session Options My IP Addr Edit Filter Sets No My IP Mask Idle Timeout sec 100 Server IP Addr Connection ID Name Press ENTER to Confirm or ESC to Cancel ...

Page 685: ...685 PART VII Troubleshooting and Specifications Troubleshooting 687 Product Specifications 693 ...

Page 687: ...ake sure the power adaptor is connected to the ZyWALL and plugged in to an appropriate power source Make sure the power source is turned on 4 Turn the ZyWALL off and on or disconnect and re connect the power adaptor to the ZyWALL 5 If the problem continues contact the vendor V One of the LEDs does not behave as expected 1 Make sure you understand the normal behavior of the LED See Section 1 4 4 on...

Page 688: ...ts factory defaults See Section 2 3 on page 59 V I cannot see or access the Login screen in the web configurator 1 Make sure you are using the correct IP address The default LAN IP address is 192 168 1 1 Use the ZyWALL s LAN IP address when configuring from the LAN Use the ZyWALL s WAN IP address when configuring from the WAN If you changed the LAN IP address Section 6 7 on page 150 use the new IP...

Page 689: ...pop up window select the Delete all offline content check box and click OK Click OK in the Internet Options screen to close it If you disconnect your computer from one device and connect it to another device that has the same IP address your computer s ARP Address Resolution Protocol table may contain an entry that maps the management IP address to the previous device s MAC address In Windows use ...

Page 690: ...ake sure that you have entered the correct Service Type User Name and Password be sure to use the correct casing Refer to the WAN setup chapter web configurator or SMT 2 Disconnect all the cables from your device and follow the directions in the Quick Start Guide again 3 If the problem continues contact your ISP V I cannot access the Internet 1 Check the hardware connections and make sure the LEDs...

Page 691: ... slow or intermittent 1 There might be a lot of traffic on the network Look at the LEDs and check Section 1 4 4 on page 56 If the ZyWALL is sending or receiving a lot of information try closing some programs that use the Internet especially peer to peer applications 2 Check the signal strength If the signal strength is low try moving the ZyWALL closer to the AP if possible and look around to see i...

Page 693: ... Mbps RJ 45 Ethernet port Reset Button Restores factory default settings Console RJ 45 port for RS 232 null modem connection Dial Backup RJ 45 port for RS 232 connection Extension Card Slot For installing a 3G card Antenna Two 2dBi fixed antennas Distance between the centers of the holes for wall mounting on the device s back 165 75 mm Screw size for wall mounting M4 Tap Screw see Figure 467 on pa...

Page 694: ...nfiguration Protocol Use this feature to have the ZyWALL assign IP addresses an IP default gateway and DNS servers to computers on your network Dynamic DNS Support With Dynamic DNS Domain Name System support you can use a fixed URL www zyxel com for example with a dynamic IP address You must register for this service with a Dynamic DNS service provider IP Multicast IP multicast is used to send tra...

Page 695: ... business partners and branch offices using data encryption and the Internet without the expense of leased site to site lines The ZyWALL VPN is based on the IPSec standard and is fully interoperable with other IPSec based VPN products Bandwidth Management You can efficiently manage traffic on your network by reserving bandwidth and giving priority to certain types of traffic and or to particular c...

Page 696: ...20 Radio Technology 1xEV DO Rev A HSDPA HSDPA UMTS HSDPA Maximum Speed Downstream Upstream 3 1 Mbps 1 8 Mbps 1 8Mbps 384Kbps 3 6Mbps 384Kbps 384Kbps 1 8Mbps 384Kbps Interface 32 bit CardBus Type II PC Card 16 bit PC Card 32 bit CardBus Type II PC Card 32 bit CardBus Type II PC Card 32 bit CardBus Type II PC Card SIM card authentication via the web configurator V V V V Enabling of the internal mode...

Page 697: ...e Table 253 on page 693 for the size of screws to use and how far apart to place them 1 Select a position free of obstructions on a sturdy wall 2 Drill two holes for the screws 1 Be careful to avoid damaging pipes or cables located inside the wall when drilling holes for the screws 3 Do not insert the screws all the way into the wall Leave a small gap of about 0 5 cm between the heads of the screw...

Page 698: ...ons ZyWALL 2WG User s Guide 698 Figure 466 Wall mounting Example The following are dimensions of an M4 tap screw and masonry plug used for wall mounting All measurements are in millimeters mm Figure 467 Masonry Plug and M4 Tap Screw ...

Page 699: ...ETY STANDARDS TUV CE EN 60950 1 UNITED KINGDOM PLUG STANDARDS AC POWER ADAPTOR MODEL PSA18R 120P ZK R INPUT POWER 100 240VAC 50 60HZ 0 5A OUTPUT POWER 12VDC 1 5A POWER CONSUMPTION 18 W MAX SAFETY STANDARDS TUV BS EN 60950 1 AUSTRALIA AND NEW ZEALAND PLUG STANDARDS AC POWER ADAPTOR MODEL PSA18R 120P ZS R INPUT POWER 100 240VAC 50 60HZ 0 5A OUTPUT POWER 12VDC 1 5A POWER CONSUMPTION 18 W MAX SAFETY S...

Page 700: ...onsole cable and dial backup cable each have an RJ 45 connector and a DB 9 connector The pin layout for the DB 9 connector end of the cables is as follows Figure 468 Console Dial Backup Cable DB 9 End Pin Layout OUTPUT POWER 12VDC 1 5A POWER CONSUMPTION 18 W MAX SAFETY STANDARDS CCC CHINA PLUG STANDARDS 4 Pins 2 3 and 5 are used Table 257 Console Cable Pin Assignments PIN DEFINITION RJ 45 END DB 9...

Page 701: ... A 9 Table 259 Ethernet Cable Pin Assignments WAN LAN ETHERNET CABLE PIN LAYOUT Straight through Crossover Switch Adapter Switch Switch 1 IRD 1 OTD 1 IRD 1 IRD 2 IRD 2 OTD 2 IRD 2 IRD 3 OTD 3 IRD 3 OTD 3 OTD 6 OTD 6 IRD 6 OTD 6 OTD Table 258 Console Cable Pin Assignments PIN DEFINITION RJ 45 END DB 9M MALE END ...

Page 703: ...e details may not apply to your ZyWALL Pop up Windows JavaScripts and Java Permissions 705 Setting up Your Computer s IP Address 713 IP Addresses and Subnetting 729 Common Services 737 Wireless LANs 741 Importing Certificates 755 Legal Information 765 Customer Support 769 Index 775 ...

Page 705: ...rnet Explorer Pop up Blockers You may have to disable pop up blocking to log into your device Either disable pop up blocking enabled by default in Windows XP SP Service Pack 2 or allow pop up blocking and create an exception for your device s IP address Disable Pop up Blockers 1 In Internet Explorer select Tools Pop up Blocker and then select Turn Off Pop up Blocker Figure 469 Pop up Blocker You c...

Page 706: ... web pop up blockers you may have enabled Figure 470 Internet Options Privacy 3 Click Apply to save this setting Enable Pop up Blockers with Exceptions Alternatively if you only want to allow pop up windows from your device see the following steps 1 In Internet Explorer select Tools Internet Options and then the Privacy tab 2 Select Settings to open the Pop up Blocker Settings screen ...

Page 707: ...ide 707 Figure 471 Internet Options Privacy 3 Type the IP address of your device the web page that you do not want to have blocked with the prefix http For example http 192 168 167 1 4 Click Add to move the IP address to the list of Allowed sites Figure 472 Pop up Blocker Settings ...

Page 708: ...play properly in Internet Explorer check that JavaScripts are allowed 1 In Internet Explorer click Tools Internet Options and then the Security tab Figure 473 Internet Options Security 2 Click the Custom Level button 3 Scroll down to Scripting 4 Under Active scripting make sure that Enable is selected the default 5 Under Scripting of Java applets make sure that Enable is selected the default 6 Cli...

Page 709: ...tings Java Scripting Java Permissions 1 From Internet Explorer click Tools Internet Options and then the Security tab 2 Click the Custom Level button 3 Scroll down to Microsoft VM 4 Under Java permissions make sure that a safety level is selected 5 Click OK to close the window Figure 475 Security Settings Java ...

Page 710: ...and then the Advanced tab 2 Make sure that Use Java 2 for applet under Java Sun is selected 3 Click OK to close the window Figure 476 Java Sun Mozilla Firefox Mozilla Firefox 2 0 screens are used here Screens for other versions may vary You can enable Java Javascripts and pop ups in one screen Click Tools then click Options in the screen that appears ...

Page 711: ...ripts and Java Permissions ZyWALL 2WG User s Guide 711 Figure 477 Mozilla Firefox Tools Options Click Content to show the screen below Select the check boxes as shown in the following screen Figure 478 Mozilla Firefox Content Security ...

Page 713: ...of a third party TCP IP application package TCP IP should already be installed on computers using Windows NT 2000 XP Macintosh OS 7 and later operating systems After the appropriate TCP IP components are installed configure the TCP IP settings in order to communicate with your network If you manually assign IP information instead of using dynamic assignment make sure that your computers have IP ad...

Page 714: ...hen click Add 3 Select the manufacturer and model of your network adapter and then click OK If you need TCP IP 1 In the Network window click Add 2 Select Protocol and then click Add 3 Select Microsoft from the list of manufacturers 4 Select TCP IP from the list of network protocols and then click OK If you need Client for Microsoft Networks 1 Click Add 2 Select Client and then click Add 3 Select M...

Page 715: ...select Obtain an IP address automatically If you have a static IP address select Specify an IP address and type your information into the IP Address and Subnet Mask fields Figure 480 Windows 95 98 Me TCP IP Properties IP Address 3 Click the DNS Configuration tab If you do not know your DNS information select Disable DNS If you know your DNS information select Enable DNS and type the information in...

Page 716: ...ose the TCP IP Properties window 6 Click OK to close the Network window Insert the Windows CD if prompted 7 Turn on your ZyWALL and restart your computer when prompted Verifying Settings 1 Click Start and then Run 2 In the Run window type winipcfg and then click OK to open the IP Configuration window 3 Select your network adapter You should see your computer s IP address subnet mask and default ga...

Page 717: ...2WG User s Guide 717 Figure 482 Windows XP Start Menu 2 In the Control Panel double click Network Connections Network and Dial up Connections in Windows 2000 NT Figure 483 Windows XP Control Panel 3 Right click Local Area Connection and then click Properties ...

Page 718: ...b in Win XP and then click Properties Figure 485 Windows XP Local Area Connection Properties 5 The Internet Protocol TCP IP Properties window opens the General tab in Windows XP If you have a dynamic IP address click Obtain an IP address automatically If you have a static IP address click Use the following IP Address and fill in the IP address Subnet mask and Default gateway fields Click Advanced ...

Page 719: ...dd In TCP IP Address type an IP address in IP address and a subnet mask in Subnet mask and then click Add Repeat the above two steps for each IP address you want to add Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways In TCP IP Gateway Address type the IP address of the default gateway in Gateway To manually configure a default metric the number of t...

Page 720: ...he General tab in Windows XP Click Obtain DNS server address automatically if you do not know your DNS server IP address es If you know your DNS server IP address es click Use the following DNS server addresses and type them in the Preferred DNS server and Alternate DNS server fields If you have previously configured DNS servers click Advanced and then the DNS tab to order them ...

Page 721: ...work Connections window Network and Dial up Connections in Windows 2000 NT 11 Turn on your ZyWALL and restart your computer if prompted Verifying Settings 1 Click Start All Programs Accessories and then Command Prompt 2 In the Command Prompt window type ipconfig and then press ENTER You can also open Network Connections right click a network connection click Status and then click the Support tab M...

Page 722: ...acintosh OS 8 9 Apple Menu 2 Select Ethernet built in from the Connect via list Figure 490 Macintosh OS 8 9 TCP IP 3 For dynamically assigned settings select Using DHCP Server from the Configure list 4 For statically assigned settings do the following From the Configure box select Manually ...

Page 723: ...nfiguration 7 Turn on your ZyWALL and restart your computer if prompted Verifying Settings Check your TCP IP properties in the TCP IP Control Panel window Macintosh OS X 1 Click the Apple menu and click System Preferences to open the System Preferences window Figure 491 Macintosh OS X Apple Menu 2 Click Network in the icon bar Select Automatic from the Location list Select Built in Ethernet from t...

Page 724: ...et mask in the Subnet mask box Type the IP address of your ZyWALL in the Router address box 5 Click Apply Now and close the window 6 Turn on your ZyWALL and restart your computer if prompted Verifying Settings Check your TCP IP properties in the Network window Linux This section shows you how to configure your computer s TCP IP settings in Red Hat Linux 9 0 Procedure screens and file location may ...

Page 725: ...ow to configure your computer IP address using the KDE 1 Click the Red Hat button located on the bottom left corner select System Setting and click Network Figure 493 Red Hat 9 0 KDE Network Configuration Devices 2 Double click on the profile of the network card you wish to configure The Ethernet Device General screen displays as shown Figure 494 Red Hat 9 0 KDE Ethernet Device General ...

Page 726: ... 0 KDE Network Configuration DNS 5 Click the Devices tab 6 Click the Activate button to apply the changes The following screen displays Click Yes to save the changes in all screens Figure 496 Red Hat 9 0 KDE Network Configuration Activate 7 After the network card restart process is complete make sure the Status is Active in the Network Configuration screen Using Configuration Files Follow the step...

Page 727: ...the etc directory The following figure shows an example where two DNS server IP addresses are specified Figure 499 Red Hat 9 0 DNS Settings in resolv conf 3 After you edit and save the configuration files you must restart the network card Enter network restart in the etc rc d init d directory The following figure shows an example Figure 500 Red Hat 9 0 Restart Ethernet Card DEVICE eth0 ONBOOT yes ...

Page 728: ... root localhost ifconfig eth0 Link encap Ethernet HWaddr 00 50 BA 72 5B 44 inet addr 172 23 19 129 Bcast 172 23 19 255 Mask 255 255 255 0 UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 RX packets 717 errors 0 dropped 0 overruns 0 frame 0 TX packets 13 errors 0 dropped 0 overruns 0 carrier 0 collisions 0 txqueuelen 100 RX bytes 730412 713 2 Kb TX bytes 1570 1 5 Kb Interrupt 10 Base address 0x1000...

Page 729: ...share a common street name the hosts on a network share a common network number Similarly as each house has its own house number each host on the network has its own unique identifying number the host ID Routers use the network number to send packets to the correct network while the host ID determines to which host on the network the packets are delivered Structure An IP address is made up of four...

Page 730: ...s part of the host ID The following example shows a subnet mask identifying the network number in bold text and host ID of an IP address 192 168 1 2 in decimal By convention subnet masks always consist of a continuous sequence of ones beginning from the leftmost bit of the mask followed by a continuous sequence of zeros for a total number of 32 bits Subnet masks can be referred to by the size of t...

Page 731: ...d by a continuous number of zeros for the remainder of the 32 bit mask you can simply specify the number of ones instead of writing the value of each octet This is usually specified by writing a followed by the number of bits in the mask after the address For example 192 1 1 0 25 is equivalent to saying 192 1 1 0 with subnet mask 255 255 255 128 The following table shows some possible subnet masks...

Page 732: ...hows the company network before subnetting Figure 503 Subnetting Example Before Subnetting You can borrow one of the host ID bits to divide the network 192 168 1 0 into two separate sub networks The subnet mask is now 25 bits 255 255 255 128 or 25 The borrowed host ID bit can have a value of either 0 or 1 allowing two subnets 192 168 1 0 25 and 192 168 1 128 25 The following figure shows the compa...

Page 733: ...8 1 254 Example Four Subnets The previous example illustrated using a 25 bit subnet mask to divide a 24 bit address into two subnets Similarly to divide a 24 bit address into four subnets you need to borrow two host ID bits to give four possible combinations 00 01 10 and 11 The subnet mask is 26 bits 11111111 11111111 11111111 11000000 or 255 255 255 192 Each subnet contains 6 host ID bits giving ...

Page 734: ...bnet 3 IP SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 128 IP Address Binary 11000000 10101000 00000001 10000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 128 Lowest Host ID 192 168 1 129 Broadcast Address 192 168 1 191 Highest Host ID 192 168 1 190 Table 267 Subnet 4 IP SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168...

Page 735: ...T BITS SUBNET MASK NO SUBNETS NO HOSTS PER SUBNET 1 255 255 255 128 25 2 126 2 255 255 255 192 26 4 62 3 255 255 255 224 27 8 30 4 255 255 255 240 28 16 14 5 255 255 255 248 29 32 6 6 255 255 255 252 30 64 2 7 255 255 255 254 31 128 1 Table 270 16 bit Network Number Subnet Planning NO BORROWED HOST BITS SUBNET MASK NO SUBNETS NO HOSTS PER SUBNET 1 255 255 128 0 17 2 32766 2 255 255 192 0 18 4 1638...

Page 736: ...ed You don t need to change the subnet mask computed by the ZyWALL unless you are instructed to do otherwise Private IP Addresses Every machine on the Internet must have a unique address If your networks are isolated from the Internet running only between two branch offices for example you can assign any IP addresses to the hosts without problems However the Internet Assigned Numbers Authority IAN...

Page 737: ...ocol is USER this is the IP protocol number Description This is a brief explanation of the applications that use this service or the situations in which this service is used Table 271 Commonly Used Services NAME PROTOCOL PORT S DESCRIPTION AH IPSEC_TUNNEL User Defined 51 The IPSEC AH Authentication Header tunneling protocol uses this service AIM New ICQ TCP 5190 AOL s Internet Messenger service It...

Page 738: ...ernet chat program NEWS TCP 144 A protocol for news groups NFS UDP 2049 Network File System NFS is a client server distributed file service that provides transparent file sharing for network environments NNTP TCP 119 Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service PING User Defined 1 Packet INternet Groper is a protocol that sends out ICMP echo requests t...

Page 739: ...ing mainframes midrange systems UNIX systems and network servers SSH TCP UDP 22 Secure Shell Remote Login Program STRM WORKS UDP 1558 Stream Works Protocol SYSLOG UDP 514 Syslog allows you to send system logs to a UNIX server TACACS UDP 49 Login Host Protocol used for Terminal Access Controller Access Control System TELNET TCP 23 Telnet is the login and terminal emulation protocol common on the In...

Page 741: ...pendent Basic Service Set IBSS The following diagram shows an example of notebook computers using wireless adapters to form an ad hoc wireless LAN Figure 505 Peer to Peer Communication in an Ad hoc Network BSS A Basic Service Set BSS exists when all communications between wireless clients or between a wireless client and a wired network client go through one access point AP Intra BSS traffic is tr...

Page 742: ...ired connection between APs is called a Distribution System DS This type of wireless LAN topology is called an Infrastructure WLAN The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood An ESSID ESS IDentification uniquely identifies each ESS All access points and their associated wireless clients within the s...

Page 743: ...tially overlap however To avoid interference due to overlap your AP should be on a channel at least five channels away from a channel that an adjacent AP is using For example if your region has 11 channels and an adjacent AP is using channel 1 then you need to select a channel between 6 or 11 RTS CTS A hidden node occurs when two stations are within range of the same access point but are not withi...

Page 744: ...requested transmission Stations can send frames smaller than the specified RTS CTS directly to the AP without the RTS Request To Send CTS Clear to Send handshake You should only configure RTS CTS if the possibility of hidden nodes exists on your network and the cost of resending large frames is more than the extra network overhead involved in the RTS Request To Send CTS Clear to Send handshake If ...

Page 745: ...pport it and to provide more efficient communications Use the dynamic setting to automatically use short preamble when all wireless devices on the network support it otherwise the ZyWALL uses long preamble The wireless devices MUST use the same preamble mode in order to communicate IEEE 802 11g Wireless LAN IEEE 802 11g is fully compatible with the IEEE 802 11b standard This means an IEEE 802 11b ...

Page 746: ...IEEE 802 1x are User based identification that allows for roaming Support for RADIUS Remote Authentication Dial In User Service RFC 2138 2139 for centralized user profile and accounting management on a network RADIUS server Support for EAP Extensible Authentication Protocol RFC 2486 that allows additional authentication methods to be deployed with no changes to the access point or the wireless cli...

Page 747: ...nt and the RADIUS server for user accounting Accounting Request Sent by the access point requesting accounting Accounting Response Sent by the RADIUS server to indicate that it has started or stopped accounting In order to ensure network security the access point and the RADIUS server use a shared secret key which is a password they both know The key is not sent over the network In addition to the...

Page 748: ...wireless clients for mutual authentication The server presents a certificate to the client After validating the identity of the server the client sends a different certificate to the server The exchange of certificates is done in the open before a secured tunnel is created This makes user identity vulnerable to passive attacks A digital certificate is an electronic ID card that authenticates the s...

Page 749: ... defines stronger encryption authentication and key management than WPA Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication If both an AP and the wireless clients support WPA2 and you have an external RADIUS server use WPA2 for stronger data encryption If you don t have an external RADIUS server you should use WPA2 PSK WPA2 Pre Shared Key that only requ...

Page 750: ... with and the packet is dropped By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism MIC with TKIP and AES it is more difficult to decrypt data on a Wi Fi network than WEP and difficult for an intruder to break into the network The encryption mechanisms used for WPA 2 and WPA 2 PSK are the same The only difference between the two is that W...

Page 751: ...client s authentication request to the RADIUS server 2 The RADIUS server then checks the user s identification against its database and grants or denies network access accordingly 3 A 256 bit Pairwise Master Key PMK is derived from the authentication process by the RADIUS server and the client 4 The RADIUS server distributes the PMK to the AP The AP then sets up a key hierarchy and management syst...

Page 752: ... to this table to see what other security parameters you should configure for each authentication method or key management protocol type MAC address filters are not dependent on how you configure these security features Table 275 Wireless Security Relational Matrix AUTHENTICATION METHOD KEY MANAGEMENT PROTOCOL ENCRYPTIO N METHOD ENTER MANUAL KEY IEEE 802 1X Open None No Disable Enable without Dyna...

Page 753: ...door site each 1dB increase in gain results in a range increase of approximately 5 Actual results may vary depending on the network environment Antenna gain is sometimes specified in dBi which is how much the antenna increases the signal power compared to using an isotropic antenna An isotropic antenna is a theoretical perfect antenna that sends out radio signals equally well in all directions dBi...

Page 754: ...d in a direct line of sight to each other to attain the best performance For omni directional antennas mounted on a table desk and so on point the antenna up For omni directional antennas mounted on a wall or ceiling point the antenna down For a single AP application place omni directional antennas as close to the center of the coverage area as possible For directional antennas point the antenna i...

Page 755: ...orting the ZyWALL s Certificate into Internet Explorer For Internet Explorer to trust a self signed certificate from the ZyWALL simply import the self signed certificate into your operating system as a trusted certification authority To have Internet Explorer trust a ZyWALL certificate issued by a certificate authority import the certificate authority s certificate into your operating system as a ...

Page 756: ...tes ZyWALL 2WG User s Guide 756 Figure 512 Login Screen 2 Click Install Certificate to open the Install Certificate wizard Figure 513 Certificate General Information before Import 3 Click Next to begin the Install Certificate wizard ...

Page 757: ...yWALL 2WG User s Guide 757 Figure 514 Certificate Import Wizard 1 4 Select where you would like to store the certificate and then click Next Figure 515 Certificate Import Wizard 2 5 Click Finish to complete the Import Certificate wizard ...

Page 758: ... Figure 516 Certificate Import Wizard 3. 6. Click Yes to add the ZyWALL certificate to the root store. Figure 517 Root Certificate Store. ...

Page 759: ...eds a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details). Apply for a certificate from a Certification Authority (CA) that is trusted by the ZyWALL (see the ZyWALL's Trusted CA web configurator screen). ...

Page 760: ...d CA Screen. The CA sends you a package containing the CA's trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s). Installing the CA's Certificate: 1. Double-click the CA's trusted certificate to produce a screen similar to the one shown next. ...

Page 761: ...r in this appendix. Installing Your Personal Certificate(s): You need a password in advance. The CA may issue the password, or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next. 1. Click Next to begin the wizard. Figure 521 Personal Certificate Import Wizard 1. ...

Page 762: ...t box. Click Browse if you wish to import a different certificate. Figure 522 Personal Certificate Import Wizard 2. 3. Enter the password given to you by the CA. Figure 523 Personal Certificate Import Wizard 3. 4. Have the wizard determine where the certificate should be saved on your computer, or select Place all certificates in the following store and choose a different location. ...

Page 763: ...tificate Import Wizard 4. 5. Click Finish to complete the wizard and begin the import process. Figure 525 Personal Certificate Import Wizard 5. 6. You should see the following screen when the certificate is correctly installed on your computer. Figure 526 Personal Certificate Import Wizard 6. ...

Page 764: ...r browser's web address field. Figure 527 Access the ZyWALL Via HTTPS. 2. When Authenticate Client Certificates is selected on the ZyWALL, the following screen asks you to select a personal certificate to send to the ZyWALL. This screen displays even if you only have a single certificate, as in the example. Figure 528 SSL Client Authentication. 3. You next see the ZyWALL login screen. Figure 529 ZyWALL Secu...

Page 765: ...y any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice. Your use of the ZyWALL is subject to the terms and conditions of any related service providers. Trademarks: ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Co...

Page 766: ...equipment and the receiver. 3. Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. 4. Consult the dealer or an experienced radio/TV technician for help. FCC Radiation Exposure Statement: This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter. For operation within the 5.15-5.25 GHz frequency range, it is res...

Page 767: ...r higher value and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions. Note: Repair or replacement as provided under this warranty is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any imp...

Page 769: ...mail support@zyxel.com.tw; Sales E-mail sales@zyxel.com.tw; Telephone +886-3-578-3942; Fax +886-3-578-2439; Web www.zyxel.com, www.europe.zyxel.com; FTP ftp.zyxel.com, ftp.europe.zyxel.com; Regular Mail ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan. Costa Rica: Support E-mail soporte@zyxel.co.cr; Sales E-mail sales@zyxel.co.cr; Telephone +506-2017878; Fax +506-2015098; Web www.zyxel...

Page 770: ...8448; Web www.zyxel.fi; Regular Mail ZyXEL Communications Oy, Malminkaari 10, 00700 Helsinki, Finland. France: E-mail info@zyxel.fr; Telephone +33-4-72-52-97-97; Fax +33-4-72-52-19-20; Web www.zyxel.fr; Regular Mail ZyXEL France, 1 rue des Vergers, Bat. 1/C, 69760 Limonest, France. Germany: Support E-mail support@zyxel.de; Sales E-mail sales@zyxel.de; Telephone +49-2405-6909-69; Fax +49-2405-6909-99; Web www.zyxel.de; Regul...

Page 771: ...nagawa-ku, Tokyo 141-0022, Japan. Kazakhstan: Support http://zyxel.kz/support; Sales E-mail sales@zyxel.kz; Telephone +7-3272-590-698; Fax +7-3272-590-689; Web www.zyxel.kz; Regular Mail ZyXEL Kazakhstan, 43 Dostyk Ave., Office 414, Dostyk Business Centre, 050010 Almaty, Republic of Kazakhstan. Malaysia: Support E-mail support@zyxel.com.my; Sales E-mail sales@zyxel.com.my; Telephone +603-8076-9933; Fax +603-8076-9833; Web h...

Page 772: ...Okrzei 1A, 03-715 Warszawa, Poland. Russia: Support http://zyxel.ru/support; Sales E-mail sales@zyxel.ru; Telephone +7-095-542-89-29; Fax +7-095-542-89-25; Web www.zyxel.ru; Regular Mail ZyXEL Russia, Ostrovityanova 37a Str., Moscow 117279, Russia. Singapore: Support E-mail support@zyxel.com.sg; Sales E-mail sales@zyxel.com.sg; Telephone +65-6899-6678; Fax +65-6899-8887; Web http://www.zyxel.com.sg; Regular Mail ZyXEL Singap...

Page 773: ...il ZyXEL Thailand Co., Ltd., 1/1 Moo 2, Ratchaphruk Road, Bangrak Noi, Muang, Nonthaburi 11000, Thailand. Ukraine: Support E-mail support@ua.zyxel.com; Sales E-mail sales@ua.zyxel.com; Telephone +380-44-247-69-78; Fax +380-44-494-49-32; Web www.ua.zyxel.com; Regular Mail ZyXEL Ukraine, 13 Pimonenko Str., Kiev 04050, Ukraine. United Kingdom: Support E-mail support@zyxel.co.uk; Sales E-mail sales@zyxel.co.uk; Telephone +44-13...

Page 775: ...ications 54 asymmetrical routes 250 vs virtual interfaces 250 AT command 547 648 authentication 586 authentication algorithms 305 311 and active protocol 305 Authentication Header See AH authentication protocol 550 556 586 authentication type 191 CHAP 191 PAP 191 B backup configuration 524 648 TFTP 650 bandwidth class 411 bandwidth filter 411 bandwidth management 411 address type 422 bandwidth bor...

Page 776: ...59 data bits 531 file backup 651 file upload 658 flow control 531 parity 531 restoring files 654 settings 531 speed 637 638 stop bit 531 contact information 769 content filter general 272 content filtering 271 categories 271 days and times 271 filter list 271 object 288 policy 275 restrict web features 271 URL for blocked access 275 copyright 765 cost of transmission 170 CTS Clear to Send 744 cust...

Page 777: ...thentication 308 Extended Service Set See ESS 742 F F W version 638 factory defaults 525 factory default configuration file 59 FCC interference statement 765 feature specifications 695 file backup console port 651 file maintenance over WAN 650 file upload console port 658 FTP 657 TFTP 657 Xmodem 659 filename conventions 647 filter 554 571 589 617 and NAT 628 applying 629 configuration 617 configur...

Page 778: ...hentication 308 ID content 307 ID type 307 IP address remote IPSec router 303 IP address ZyXEL device 303 local identity 307 main mode 302 308 NAT traversal 309 negotiation mode 302 password 308 peer identity 307 pre shared key 306 proposal 305 SA life time 310 user name 308 IKE SA See also VPN incoming protocol filter 563 Independent Basic Service Set See IBSS 741 initialization vector IV 750 Int...

Page 779: ...e MIB managing subscription services 141 managing the device good habits 54 using FTP See FTP using Telnet See command interface using the command interface See command interface Max Age 161 maximum incomplete high 263 maximum incomplete low 263 Media Access Control See MAC address menu overview 535 Message Integrity Check MIC 750 metric 170 404 552 586 589 593 MIB 455 MSDU see MAC service data un...

Page 780: ...haring 405 policy based routing 405 pool of IP addresses 149 152 POP3 service 395 port filter setup DMZ 571 LAN 559 port forwarding 394 port restricted cone NAT 388 port statistics 74 PPPoE client 568 encapsulation 83 181 565 569 584 585 586 idle timeout 569 PPTP 84 184 Client 567 configuring a client 567 encapsulation 84 184 586 idle timeout 568 service 395 preamble mode 745 precedence 405 pre sh...

Page 781: ...ction 149 563 version 149 563 589 route priority 170 routing 405 Routing Information Protocol See RIP routing policy 405 673 RSTP 160 RTC 513 665 RTP 474 RTS Request To Send 744 threshold 743 744 RTS CTS handshake 225 S SA life time 310 safety warnings 6 schedule 585 587 duration 682 scheduler 413 screws 697 secure FTP using SSH 451 secure Telnet using SSH 450 security associations See VPN securit...

Page 782: ... rule 622 setup 562 TCP IP priority 170 Telnet 452 Temporal Key Integrity Protocol TKIP 750 terminal emulation 531 TFTP configuration backup 650 file upload 657 GUI based clients 651 threshold 262 time 513 and date setting 665 Daylight Saving Time 515 resetting 516 synchronization with server 516 zone 515 667 Time protocol 515 time protocol 515 Daytime 515 NTP 515 Time 515 time setting 665 timeout...

Page 783: ...ance 650 WAN DHCP 645 WAN IP address 177 WAN setup 545 555 warranty 767 note 767 web configurator 57 web site hits 488 489 WEP key 229 Wi Fi Protected Access 749 Windows Internet Naming Service See WINS WINS 150 152 WINS server 152 wireless client 211 wireless client WPA supplicants 751 wireless LAN introduction 211 wireless network basic guidelines 211 channel 212 encryption 222 example 211 MAC a...

Page 784: ... X: Xmodem 659; file upload 659; protocol 648. Z: ZyNOS 638, 648; ZyWALL registration 142; ZyXEL's Network Operating System, See ZyNOS ...
