ZyXEL Communications ZyWALL 110 Series Скачать руководство пользователя страница 310 | Manualshive

Страница: 310 / 562

ZyXEL Communications ZyWALL 110 Series Скачать руководство пользователя страница 310

Chapter 20 IPSec VPN

ZyWALL 110/310/1100 Series User’s Guide

310

Extended Authentication

Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to
connect to a single IPSec router. For example, this might be used with telecommuters.

In extended authentication, one of the routers (the ZyWALL or the remote IPSec router) provides a
user name and password to the other router, which uses a local user database and/or an external
server to verify the user name and password. If the user name or password is wrong, the routers
do not establish an IKE SA.

You can set up the ZyWALL to provide a user name and password to the remote IPSec router, or
you can set up the ZyWALL to check a user name and password that is provided by the remote
IPSec router.

If you use extended authentication, it takes four more steps to establish an IKE SA. These steps
occur at the end, regardless of the negotiation mode (steps 7-10 in main mode, steps 4-7 in
aggressive mode).

Certificates

It is possible for the ZyWALL and remote IPSec router to authenticate each other with certificates.
In this case, you do not have to set up the pre-shared key, local identity, or remote identity because
the certificates provide this information instead.

• Instead of using the pre-shared key, the ZyWALL and remote IPSec router check the signatures

on each other’s certificates. Unlike pre-shared keys, the signatures do not have to match.

• The local and peer ID type and content come from the certificates.

Note: You must set up the certificates for the ZyWALL and remote IPSec router first.

IPSec SA Overview

Once the ZyWALL and remote IPSec router have established the IKE SA, they can securely
negotiate an IPSec SA through which to send data between computers on the networks.

Note: The IPSec SA stays connected even if the underlying IKE SA is not available

anymore.

This section introduces the key components of an IPSec SA.

Local Network and Remote Network

In an IPSec SA, the local network, the one(s) connected to the ZyWALL, may be called the local
policy. Similarly, the remote network, the one(s) connected to the remote IPSec router, may be
called the remote policy.

Active Protocol

The active protocol controls the format of each packet. It also specifies how much of each packet is
protected by the encryption and authentication algorithms. IPSec VPN includes two active
protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security Payload, RFC
2406).

«
...
308
309
310
311
312
...
»

Содержание ZyWALL 110 Series

Страница 1: ...com ZyWALL 110 310 1100 Series VPN Firewall Version 3 10 Edition 2 02 2013 Copyright 2013 ZyXEL Communications Corporation User s Guide Default Login Details LAN Port IP Address https 192 168 1 1 Use...

Страница 2: ...in this manual is accurate Related Documentation Quick Start Guide The Quick Start Guide shows how to connect the ZyWALL and access the Web Configurator wizards See the wizard real time help for infor...

Страница 3: ...2 1 5 ISP Parameters 35 2 1 6 Internet Access Finish 36 Chapter 3 Hardware Introduction 37 3 1 Default Zones Interfaces and Ports 37 3 2 Stopping the ZyWALL 38 3 3 Rack mounting 38 3 4 Wall mounting...

Страница 4: ...ation Provisioning Advanced Wizard Phase 1 Settings 64 4 4 7 VPN Settings for Configuration Provisioning Advanced Wizard Phase 2 65 4 4 8 VPN Settings for Configuration Provisioning Advanced Wizard Su...

Страница 5: ...Object References 122 7 3 3 Add Edit DHCPv6 Request Release Options 123 7 3 4 Add Edit DHCP Extended Options 124 7 4 PPP Interfaces 125 7 4 1 PPP Interface Summary 126 7 4 2 PPP Interface Add or Edit...

Страница 6: ...r 10 Routing Protocols 199 10 1 Routing Protocols Overview 199 10 1 1 What You Can Do in this Chapter 199 10 1 2 What You Need to Know 199 10 2 The RIP Screen 199 10 3 The OSPF Screen 201 10 3 1 Confi...

Страница 7: ...rview 233 15 1 1 What You Can Do in this Chapter 233 15 1 2 What You Need to Know 233 15 1 3 Before You Begin 236 15 2 The ALG Screen 236 15 3 ALG Technical Reference 238 Chapter 16 IP MAC Binding 241...

Страница 8: ...en 268 19 2 2 The Firewall Add Edit Screen 272 19 3 The Session Limit Screen 273 19 3 1 The Session Limit Add Edit Screen 275 19 4 Firewall Rule Configuration Example 276 19 5 Firewall Rule Example Ap...

Страница 9: ...king the ZyWALL 332 22 5 Logging Out of the SSL VPN User Screens 333 22 6 SSL User Application Screen 333 22 7 SSL User File Sharing 334 22 7 1 The Main File Sharing Screen 334 22 7 2 Opening a File o...

Страница 10: ...6 3 1 Configuring Active Passive Mode Device HA 363 26 4 Configuring an Active Passive Mode Monitored Interface 365 26 5 Device HA Technical Reference 366 Chapter 27 User Group 371 27 1 Overview 371 2...

Страница 11: ...an Do in this Chapter 396 30 1 2 What You Need to Know 396 30 2 The Schedule Summary Screen 397 30 2 1 The One Time Schedule Add Edit Screen 398 30 2 2 The Recurring Schedule Add Edit Screen 399 Chapt...

Страница 12: ...424 33 3 2 The Trusted Certificates Import Screen 427 33 4 Certificates Technical Reference 428 Chapter 34 ISP Accounts 429 34 1 Overview 429 34 1 1 What You Can Do in this Chapter 429 34 2 ISP Accoun...

Страница 13: ...omain Zone Forwarder 453 37 6 8 MX Record 454 37 6 9 Adding a MX Record 454 37 6 10 Adding a DNS Service Control Rule 455 37 7 WWW Overview 456 37 7 1 Service Access Limitations 456 37 7 2 System Time...

Страница 14: ...39 1 1 What You Can Do in this Chapter 499 39 1 2 What you Need to Know 499 39 2 The Configuration File Screen 501 39 3 The Firmware Package Screen 505 39 4 The Shell Script Screen 507 Chapter 40 Dia...

Страница 15: ...u Need To Know 525 42 2 The Reboot Screen 525 Chapter 43 Shutdown 526 43 1 Overview 526 43 1 1 What You Need To Know 526 43 2 The Shutdown Screen 526 Chapter 44 Troubleshooting 527 44 1 Resetting the...

Страница 16: ...ZyWALL 110 310 1100 Series User s Guide 16...

Страница 17: ...IPv6 Ethernet PPP VLAN and bridge routing You may also create IPv6 policy routes and IPv6 objects The ZyWALL can also route IPv6 packets through IPv4 networks using different tunneling methods Figure...

Страница 18: ...so he can access network resources in the same way as if he were part of the internal network Figure 3 SSL VPN With Full Tunnel Mode User Aware Access Control Set up security policies to restrict acc...

Страница 19: ...ellular interfaces In either case you can balance the traffic loads between them Figure 5 Applications Multiple WAN Interfaces 1 2 Management Overview You can manage the ZyWALL in the following ways W...

Страница 20: ...k 2 Enable JavaScripts Java permissions and cookies The recommended screen resolution is 1024 x 768 pixels 1 3 1 Web Configurator Access 1 Make sure your ZyWALL hardware is properly connected See the...

Страница 21: ...te Admin Info screen If you change the default password the Login screen appears after you click Apply If you click Ignore the Installation Setup Wizard opens if the ZyWALL is using its default config...

Страница 22: ...an overview of links to the Web Configurator screens Object Reference Click this to check which configuration items reference an object Console Click this to open a Java based console window from whic...

Страница 23: ...object for which the configuration settings that use it are displayed Click the object s name to display the object s configuration screen in the main window This field is a sequential value and it is...

Страница 24: ...rence Guide for information about the commands Figure 11 Console Window CLI Messages Click CLI to look at the CLI commands sent by the Web Configurator Open the pop up window and then click some menus...

Страница 25: ...e arrange to suit your needs See the Web Help for details on the dashboard Monitor Menu The monitor menu screens display status and statistics information Table 6 Monitor Menu Screens Summary FOLDER O...

Страница 26: ...n for an installed 3G card Tunnel Configure tunneling between IPv4 and IPv6 networks VLAN Create and manage VLAN interfaces and virtual VLAN interfaces Bridge Create and manage bridges and virtual bri...

Страница 27: ...r sessions and rules to force user authentication Address Address Create and manage host range and network subnet addresses Address Group Create and manage groups of addresses Service Service Create a...

Страница 28: ...ZyWALL here Log Report Email Daily Report Configure where and how to send daily reports and what reports to send Log Settings Configure the system log e mail logs and remote syslog servers Table 8 Mai...

Страница 29: ...can do Sort in ascending or descending reverse alphabetical order Select which columns to display Group entries by field Show entries in groups Filter by mathematical operators or or searching for tex...

Страница 30: ...ct it and click Edit to open a screen where you can modify the entry s settings In some tables you can just click a table entry and edit it directly in the table For those types of tables small red tr...

Страница 31: ...list of available entries displays next to a list of selected entries you can often just double click an entry to move it from one list to the other In some lists you can also use the Shift or Ctrl k...

Страница 32: ...Chapter 1 Introduction ZyWALL 110 310 1100 Series User s Guide 32...

Страница 33: ...lick the double arrow in the upper right corner to display or hide the help Click Go to Dashboard to skip the installation setup wizard or click Next to start configuring for Internet access 2 1 1 Int...

Страница 34: ...r the IP address of the router through which this WAN connection will send traffic the default gateway First Second DNS Server These fields display if you selected static IP address assignment The Dom...

Страница 35: ...0 0 0 0 if you do not want to configure DNS servers If you do not configure a DNS server you must know the IP address of a machine in order to access it 2 1 4 Internet Access PPTP Note Enter the Inte...

Страница 36: ...IP Address Enter your static public IP address Auto displays if you selected Auto as the IP Address Assignment in the previous screen First Second DNS Server These fields display if you selected stat...

Страница 37: ...may use the WAN interface rather than wan1 or wan2 ge2 or ge3 An OPT optional Ethernet port can be configured as an additional WAN port LAN WLAN or DMZ port Physical Ports Interfaces Zones P7 ext wlan...

Страница 38: ...ack or in a wiring closet with other equipment using a rack mounting kit Make sure the rack will safely support the combined weight of all the equipment it contains and that the position of the ZyWALL...

Страница 39: ...crew the screws all the way in to the wall leave a small gap between the head of the screw and the wall The gap must be big enough for the screw heads to slide into the screw slots and the connection...

Страница 40: ...contact your vendor SYS Green Off The ZyWALL is not ready or has failed On The ZyWALL is ready and running Blinking The ZyWALL is booting Red On The ZyWALL xd an error or has failed USB Green Off No...

Страница 41: ...ter equipped with communications software configured to the following parameters Speed 115200 bps Data Bits 8 Parity None Stop Bit 1 Flow Control Off CF Card Slot Insert a compact flash card into this...

Страница 42: ...Chapter 3 Hardware Introduction ZyWALL 110 310 1100 Series User s Guide 42...

Страница 43: ...is wizard creates matching ISP account settings in the ZyWALL if you use PPPoE or PPTP See Section 4 2 on page 43 VPN SETUP Use VPN Setup to configure a VPN Virtual Private Network rule for a secure c...

Страница 44: ...terface that you want to configure for a WAN connection and click Next Figure 24 Choose an Ethernet Interface 4 2 2 Select WAN Type WAN Type Selection Select the type of encapsulation this connection...

Страница 45: ...ether the interface should use a fixed or dynamic IP address Figure 26 WAN Interface Setup Step 2 WAN Interface This is the interface you are configuring for Internet access Zone This is the security...

Страница 46: ...ur ZyWALL accepts MSCHAP V2 only User Name Type the user name given to you by your ISP You can use alphanumeric and _ characters and it can be up to 31 characters long Password Type the password assoc...

Страница 47: ...ddress This field is read only when the WAN interface uses a dynamic IP address If your WAN interface uses a static IP address enter it in this field First DNS Server Second DNS Server These fields on...

Страница 48: ...service name specified in the ISP account Server IP This field only appears for a PPTP interface It displays the IP address of the PPTP server User Name This is the user name given to you by your ISP...

Страница 49: ...address of the ZyWALL in the ZyWALL IPSec VPN Client to get the VPN settings automatically from the ZyWALL Figure 30 VPN Wizard Welcome 4 3 2 VPN Setup Wizard Wizard Type Choose Express to create a VP...

Страница 50: ...cribes your intended VPN connection The figure on the left of the screen changes to match the scenario you select Site to site The remote IPSec device has a static IP address or a domain name This ZyW...

Страница 51: ...racters Proceed a hexadecimal key with 0x You will receive a PYLD_MALFORMED payload malformed packet if the same pre shared key is not used on both ends Local Policy IP Mask Type the IP address of a c...

Страница 52: ...he remote IPSec device that can use the tunnel If this field displays Any only the remote IPSec device can initiate the VPN connection Copy and paste the Configuration for Secure Gateway commands into...

Страница 53: ...110 310 1100 Series User s Guide 53 Figure 35 VPN Express Wizard Finish Click Close to exit the wizard 4 3 7 VPN Advanced Wizard Scenario Click the Advanced radio button as shown in Figure 31 on page...

Страница 54: ...or a domain name This ZyWALL can initiate the VPN tunnel Site to site with Dynamic Peer The remote IPSec device has a dynamic IP address Only the remote IPSec device can initiate the VPN tunnel Remote...

Страница 55: ...e DES encryption algorithm uses a 56 bit key Triple DES 3DES is a variation on DES that uses a 168 bit key As a result 3DES is more secure than DES It also requires more processing power resulting in...

Страница 56: ...est 5 and SHA Secure Hash Algorithm are hash algorithms used to authenticate packet data The stronger the algorithm the slower it is SA Life Time Set how often the ZyWALL renegotiates the IKE SA A sho...

Страница 57: ...up the VPN tunnel Local Policy IP address and subnet mask of the computers on the network behind your ZyWALL that can use the tunnel Remote Policy IP address and subnet mask of the computers on the n...

Страница 58: ...tion Provisioning Wizard Wizard Type Use VPN Settings for Configuration Provisioning to set up a VPN rule that can be retrieved with the ZyWALL IPSec VPN Client VPN rules for the ZyWALL IPSec VPN Clie...

Страница 59: ...pre shared key Choose Advanced to change the default settings and or use certificates instead of a pre shared key in the VPN rule Figure 41 VPN Settings for Configuration Provisioning Express Wizard...

Страница 60: ...ection and VPN gateway You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Application Scenario Only the Remote Acc...

Страница 61: ...racters Proceed a hexadecimal key with 0x You will receive a PYLD_MALFORMED payload malformed packet if the same pre shared key is not used on both ends Local Policy IP Mask Type the IP address of a c...

Страница 62: ...the computers on the network behind your ZyWALL that can be accessed using the tunnel Remote Policy Any displays in this field because it is not configurable in this wizard The Configuration for Secu...

Страница 63: ...ress Wizard Finish Click Close to exit the wizard 4 4 5 VPN Settings for Configuration Provisioning Advanced Wizard Scenario Click the Advanced radio button as shown in the screen shown in Figure 41 o...

Страница 64: ...configurable in this wizard It allows incoming connections from the ZyWALL IPSec VPN Client My Address interface Select an interface from the drop down list box to use on your ZyWALL Negotiation Mode...

Страница 65: ...Wizard Phase 2 Active Protocol ESP is compatible with NAT AH is not available in this wizard Encapsulation Tunnel is compatible with NAT Transport is not Encryption Algorithm 3DES and AES use encrypt...

Страница 66: ...field because it is not configurable in this wizard It allows incoming connections from the ZyWALL IPSec VPN Client Pre Shared Key VPN tunnel password Certificate The certificate the ZyWALL uses to i...

Страница 67: ...r s Guide 67 VPN Connection screen Enter the IP address of the ZyWALL in the ZyWALL IPSec VPN Client to get all these VPN settings automatically from the ZyWALL Figure 50 VPN for Configuration Provisi...

Страница 68: ...Chapter 4 Quick Setup Wizards ZyWALL 110 310 1100 Series User s Guide 68...

Страница 69: ...76 to look at the VPN tunnels that are currently established Use the DHCP Table screen see Section 5 2 5 on page 77 to look at the IP addresses currently assigned to DHCP clients and the IP addresses...

Страница 70: ...date the widget s information immediately Close Widget E Click this to close the widget Use Widget Setting to re open it Virtual Device Rear Panel Click this to view details about the ZyWALL s rear pa...

Страница 71: ...field displays the model name of this ZyWALL Serial Number This field displays the serial number of this ZyWALL The serial number is used for device tracking and control MAC Address Range This field...

Страница 72: ...the ZyWALL s recent memory usage Flash Usage This field displays what percentage of the ZyWALL s onboard flash memory is currently being used USB Storage Usage This field shows how much storage in th...

Страница 73: ...nnect icon to have the ZyWALL try to connect a PPPoE PPTP interface If the interface cannot use one of these ways to get or to update its IP address this field displays n a Click the Disconnect icon t...

Страница 74: ...y of the log Category This field displays the type of log generated Message This field displays the actual log message Source This field displays the source address if any in the packet that generated...

Страница 75: ...this screen 5 2 3 The Active Sessions Screen Use this screen to look at a chart of the ZyWALL s recent traffic session usage To access this screen click Session Usage in the dashboard Table 16 Dashboa...

Страница 76: ...shed To access this screen click VPN Status in System Status in the dashboard Figure 55 Dashboard System Status VPN Status Table 17 Dashboard Session Usage LABEL DESCRIPTION Sessions The y axis repres...

Страница 77: ...ies the interface that assigned an IP address to a DHCP client IP Address This field displays the IP address currently assigned to a DHCP client or reserved for a specific MAC address Click the column...

Страница 78: ...any entry User ID This field displays the user name of each user who is currently logged in to the ZyWALL Reauth Lease T This field displays the amount of reauthentication time remaining and the amou...

Страница 79: ...domain names Use the System Status IP MAC Binding screen Section 6 7 on page 91 to view a list of devices that have received an IP address from ZyWALL interfaces with IP MAC binding enabled Use the S...

Страница 80: ...the physical port number Status This field displays the current status of the physical port Down The physical port is not connected Speed Duplex The physical port is connected This field displays the...

Страница 81: ...ck this to update the information in the window right away Port Selection Select the number of the physical port for which you want to display graphics Switch to Grid View Click this to display the po...

Страница 82: ...ALL 110 310 1100 Series User s Guide 82 6 3 Interface Status Screen This screen lists all of the ZyWALL s interfaces and gives packet statistics for them Click Monitor System Status Interface Status t...

Страница 83: ...Chapter 6 Monitor ZyWALL 110 310 1100 Series User s Guide 83 Figure 60 Monitor System Status Interface Status...

Страница 84: ...s not appear in the list For PPP interfaces Connected The PPP interface is connected Disconnected The PPP interface is not connected If the PPP interface is disabled it does not appear in the list Zon...

Страница 85: ...ick this to look at the status of virtual interfaces on top of this interface Port This field displays the physical port number Status This field displays the current status of each interface The poss...

Страница 86: ...e IP address for the interface Click Renew to send a new DHCP request to a DHCP server Click Connect to try to connect a PPPoE PPTP interface If the interface cannot use one of these ways to get or to...

Страница 87: ...on page 89 for more information The following table describes the labels in this screen Table 24 Monitor System Status Traffic Statistics LABEL DESCRIPTION Data Collection Collect Statistics Select t...

Страница 88: ...e 25 on page 89 These fields are available when the Traffic Type is Service Port This field is the rank of each record The protocols and service ports are sorted by the amount of traffic Service Port...

Страница 89: ...s Destination address Number of bytes received so far Number of bytes transmitted so far Duration so far You can look at all established sessions that passed through the ZyWALL by user service source...

Страница 90: ...to the protocol and port of each services that is defined See Chapter 29 on page 390 for more information about services Source This field displays when View is set to all sessions Type the source IP...

Страница 91: ...ZyWALL do not display in the list Figure 64 Monitor System Status IP MAC Binding Table 27 Monitor System Status DDNS Status LABEL DESCRIPTION Update Click this to have the ZyWALL update the profile t...

Страница 92: ...name used to identify this device on the network the computer name The ZyWALL learns these from the DHCP client requests MAC Address This field displays the MAC address to which the IP address is cur...

Страница 93: ...shown Force Logout Select a user ID and click this icon to end a user s session Refresh Click this button to update the information in the screen Table 29 Monitor System Status Login Users continued...

Страница 94: ...ion Searching network The 3G device is searching for a network Get signal fail The 3G device cannot get a signal from a network Network found The 3G device found a network Apply config The ZyWALL is a...

Страница 95: ...shows Limited Service if the service provider has stopped service to the 3G SIM card For example if the bill has not been paid or the account has expired Cellular System This field displays what type...

Страница 96: ...ard IMSI IMSI International Mobile Subscriber Identity is a 15 digit code that identifies the SIM card Table 31 Monitor System Status More Information continued LABEL DESCRIPTION Table 32 Monitor Syst...

Страница 97: ...nted by using the Remove Now button or for some reason the ZyWALL cannot mount it Click Use It to have the ZyWALL mount a connected USB storage device This button is grayed out if the file system is n...

Страница 98: ...tion 6 11 1 on page 98 for more details Search Click this button to search for an IPSec SA that matches the information you specified above Disconnect Select an IPSec SA and click this button to disco...

Страница 99: ...over IPSec to open the following screen Use this screen to display and manage the ZyWALL s connected L2TP VPN sessions Table 34 Monitor VPN Monitor SSL LABEL DESCRIPTION Disconnect Select a connectio...

Страница 100: ...est existing log message first The maximum possible number of log messages in the ZyWALL varies by model Events that generate an alert as well as a log message display in red Regular logs display in b...

Страница 101: ...clude the port in this filter Destination Address This displays when you show the filter Type the IP address of the destination of the incoming packet when the log message was generated Do not include...

Страница 102: ...message It has the same range of values as the Priority field above Category This field displays the log that generated the log message It is the same value used in the Display and other Category fiel...

Страница 103: ...5 for PPPoE or PPTP Internet connections Use the Cellular screens Section 7 5 on page 132 to configure settings for interfaces for Internet connections through an installed 3G card Use the Tunnel scre...

Страница 104: ...software connection between Ethernet or VLAN interfaces at the layer 2 data link MAC address level Unlike port groups bridge interfaces can take advantage of some security features in the ZyWALL You...

Страница 105: ...rface Relationships Between Interfaces In the ZyWALL interfaces are usually created on top of other interfaces Only Ethernet interfaces are created directly on top of the physical ports or port groups...

Страница 106: ...tten as 2001 0db8 1a2f 0000 0000 0015 2001 0db8 0000 0000 1a2f 0015 2001 db8 1a2f 0 0 15 or 2001 db8 0 0 1a2f 15 Prefix and Prefix Length Similar to an IPv4 subnet mask IPv6 uses an address prefix to...

Страница 107: ...ed from the ISP or a connected uplink router for its LAN The ZyWALL uses the received IPv6 prefix for example 2001 db2 48 to generate its LAN IP address Through sending Router Advertisements RAs regul...

Страница 108: ...ALL s lan1 lan2 ext wlan or dmz IP address Use the appropriate lan1 lan2 ext wlan or dmz IP address to access the ZyWALL Figure 73 Configuration Network Interface Port Role 110 The physical Ethernet p...

Страница 109: ...removed from the ZyWALL but you can still configure it Ethernet interfaces are similar to other types of interfaces in many ways They have an IP address subnet mask and gateway used to make routing d...

Страница 110: ...lick Remove The ZyWALL confirms you want to remove it before doing so Activate To turn on an interface select it and click Activate Inactivate To turn off an interface select it and click Inactivate C...

Страница 111: ...y RIP 2 packets The ZyWALL can use subnet broadcasting or multicasting With OSPF you can use Ethernet interfaces to do the following things Enable and disable OSPF in the underlying physical port or p...

Страница 112: ...Chapter 7 Interfaces ZyWALL 110 310 1100 Series User s Guide 112 Figure 75 Configuration Network Interface Ethernet Edit External Type...

Страница 113: ...Chapter 7 Interfaces ZyWALL 110 310 1100 Series User s Guide 113 Figure 76 Configuration Network Interface Ethernet Edit Internal Type...

Страница 114: ...Chapter 7 Interfaces ZyWALL 110 310 1100 Series User s Guide 114 Figure 77 Configuration Network Interface Ethernet Edit OPT...

Страница 115: ...matically adds this interface to the default WAN trunk For general the rest of the screen s options do not automatically adjust and you must manually configure a policy route to add routing and SNAT s...

Страница 116: ...Gateway Enter the IPv6 address of the default outgoing gateway using colon hexadecimal notation Metric Enter the priority of the gateway if any on this interface The ZyWALL decides which gateway to us...

Страница 117: ...CPv6 server use this section to configure DHCPv6 lease settings that determine what additional information to offer to the DHCPv6 clients Add Click this to create an entry in this table See Section 7...

Страница 118: ...t associated with any entry IPv6 Address Prefix Length Enter the IPv6 network prefix address and the prefix length The prefix length indicates what the left most part of the IP address is the same for...

Страница 119: ...y perform a TCP handshake with the gateway you specify to make sure it is still available Check Period Enter the number of seconds between connection check attempts Check Timeout Enter the number of s...

Страница 120: ...ess of this interface and the ZyWALL works as a DNS relay First WINS Server Second WINS Server Type the IP address of the WINS Windows Internet Naming Service server that you want to send to the DHCP...

Страница 121: ...formation about RIP Enable RIP Select this to enable RIP in this interface Direction This field is effective when RIP is enabled Select the RIP direction from the drop down list box BiDir This interfa...

Страница 122: ...e either the factory assigned default MAC address a manually specified MAC address or clone the MAC address of another device or computer Use Default MAC Address Select this option to have the interfa...

Страница 123: ...t Lease Options Table 42 Object References LABEL DESCRIPTION Object Name This identifies the object for which the configuration settings that use it are displayed Click the object s name to display th...

Страница 124: ...characters a z A Z 0 9 and _ with no spaces allowed The first character must be alphabetical a z A Z Code This field displays the code number of the selected DHCP option If you selected User Defined i...

Страница 125: ...is option is used to identify a bootfile when the file field in the DHCP header has been used for DHCP options The minimum length of the value is 1 SIP Server 120 This option carries either an IPv4 ad...

Страница 126: ...PTP interface to use Each ISP account specifies the protocol PPPoE or PPTP as well as your ISP account information If you change ISPs later you only have to create a new ISP account not a new PPPoE PP...

Страница 127: ...it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Connect To connect an interface select it and click Connect...

Страница 128: ...Chapter 7 Interfaces ZyWALL 110 310 1100 Series User s Guide 128 Figure 83 Configuration Network Interface PPP Add...

Страница 129: ...up to 60 characters long Connectivity Nailed Up Select this if the PPPoE PPTP connection should always be up Clear this to have the ZyWALL establish the PPPoE PPTP connection only when there is traffi...

Страница 130: ...external interface must be a DHCPv6 client You must configure the DHCPv6 request options using a DHCPv6 request object with the type of prefix delegation Assign the prefix delegation to an internal i...

Страница 131: ...Enter the maximum amount of traffic in kilobits per second the ZyWALL can receive from the network through the interface Allowed values are 0 1048576 MTU Maximum Transmission Unit Type the maximum si...

Страница 132: ...work to which you are originally subscribed You can set the 3G device to connect to other networks if the signal strength of the home network is too low or it is unavailable Check this address Select...

Страница 133: ...5G 3G protocol of mobile telecommunications standards that use CDMA a multiple access scheme for digital radio CDMA2000 1xRTT 1 times Radio Transmission Technology is the core CDMA2000 wireless air in...

Страница 134: ...erface select it and click Connect You might use this in testing the interface or to manually establish the connection Disconnect To disconnect an interface select it and click Disconnect You might us...

Страница 135: ...Chapter 7 Interfaces ZyWALL 110 310 1100 Series User s Guide 135 Figure 85 Configuration Network Interface Cellular Add...

Страница 136: ...s 0 360 that elapses before the ZyWALL automatically disconnects from the ISP s server Zero disables the idle timeout ISP Settings Profile Selection Select Device to use one of the 3G device s profile...

Страница 137: ...unt to access the Internet If your ISP disabled PIN code authentication enter an arbitrary number Retype to Confirm Type the PIN code again to confirm it Interface Parameters Egress Bandwidth Enter th...

Страница 138: ...s Assignment Enter the cellular interface s WAN IP address in this field if you selected Use Fixed IP Address Metric Enter the priority of the gateway if any on this interface The ZyWALL decides which...

Страница 139: ...ted is not available in a month such as 30th or 31st the ZyWALL resets the budget on the last day of the month Reset time and data budget counters This button is available only when you enable budget...

Страница 140: ...IPv6 over IPv4 tunnel has to be used Figure 87 IPv6 over IPv4 Network On the ZyWALL you can either set up a manual IPv6 in IPv4 tunnel or an automatic 6to4 tunnel The following describes each method I...

Страница 141: ...a policy route for a 6to4 tunnel Through your properly pre configuring the destination router s IP address in the IP address assignments to hosts the ZyWALL can automatically forward 6to4 packets to t...

Страница 142: ...a new GRE tunnel interface Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The Z...

Страница 143: ...Remote Gateway Address Tunnel Mode This is the tunnel mode of the interface GRE IPv6 in IPv4 or 6to4 This field also displays the interface s IPv4 IP address and subnet mask if it is a GRE tunnel Othe...

Страница 144: ...reater or lesser number of configuration fields General Settings Enable Select this to enable this interface Clear this to disable this interface Interface Properties Interface Name This field is read...

Страница 145: ...he hosts in the matched network If you enter a prefix starting with 2002 the ZyWALL will forward the matched packets to the IPv4 IP address converted from the packets destination address The IPv4 IP a...

Страница 146: ...ctivity check Enable Connectivity Check Select this to turn on the connection check Check Method Select the method that the gateway allows Select icmp to have the ZyWALL regularly ping the gateway you...

Страница 147: ...arate IP addresses subnet masks and gateways Each VLAN also has a unique identification number ID The ID is a 12 bit value that is stored in the MAC header The VLANs are connected to switches and the...

Страница 148: ...he router and VLAN 2 Between the router and VLAN 3 VLAN Interfaces Overview In the ZyWALL each VLAN is called a VLAN interface As a router the ZyWALL routes traffic between VLAN interfaces but it does...

Страница 149: ...ce To open the screen where you can create a virtual interface select an interface and click Create Virtual Interface Object References Select an entry and click Object Reference to open a screen that...

Страница 150: ...settings and connectivity check for each VLAN interface To access this screen click the Create Virtual Interface icon in the VLAN Summary screen The following screen appears Apply Click Apply to save...

Страница 151: ...Chapter 7 Interfaces ZyWALL 110 310 1100 Series User s Guide 151 Figure 95 Configuration Network Interface VLAN Create Virtual Interface...

Страница 152: ...o the default WAN trunk For general the rest of the screen s options do not automatically adjust and you must manually configure a policy route to add routing and SNAT settings for the interface Inter...

Страница 153: ...se based on this priority The lower the number the higher the priority If two or more gateways have the same priority the ZyWALL uses the one that was configured first Address from DHCPv6 Prefix Deleg...

Страница 154: ...able See Section 7 3 3 on page 123 for more information Remove Select an entry and click this to change the settings Object Reference Select an entry and click this to delete it from this table This f...

Страница 155: ...ion Use this table to configure the network prefix if you want to use a delegated prefix as the beginning part of the network prefix Add Click this to create an entry in this table Edit Select an entr...

Страница 156: ...heck Check this address Select this to specify a domain name or IP address for the connectivity check Enter that domain name or IP address in the field next to it Check Port This field only displays w...

Страница 157: ...e default router select Custom Defined and enter the IP address Lease time Specify how long each computer can use the information especially the IP address before it has to request the information aga...

Страница 158: ...OSPF Setting See Section 10 3 on page 201 for more information about OSPF Area Select the area in which this interface belongs Select None to disable OSPF in this interface Priority Enter the priority...

Страница 159: ...computer B Bridge X records the source address 0A 0A 0A 0A 0A 0A and port 2 in the table It also looks up 0B 0B 0B 0B 0B 0B in the table There is no entry yet so the bridge broadcasts the packet on p...

Страница 160: ...m the routing table and adds the bridge interface s entries to the routing table For example this table shows the routing table before and after you create bridge interface br0 250 250 250 0 23 betwee...

Страница 161: ...irtual Interface To open the screen where you can create a virtual interface select an interface and click Create Virtual Interface Object References Select an entry and click Object Reference to open...

Страница 162: ...Add Edit This screen lets you configure IP address assignment interface bandwidth parameters DHCP settings and connectivity check for each bridge interface To access this screen click the Create Virt...

Страница 163: ...Chapter 7 Interfaces ZyWALL 110 310 1100 Series User s Guide 163 Figure 97 Configuration Network Interface Bridge Create Virtual Interface...

Страница 164: ...utomatically adds this interface to the default WAN trunk For general the rest of the screen s options do not automatically adjust and you must manually configure a policy route to add routing and SNA...

Страница 165: ...ou want to use a static IP address This field is optional The prefix length indicates what the left most part of the IP address is the same for all computers in the network that is the network address...

Страница 166: ...ect this to get an IPv6 IP address for this interface from the DHCP server Clear this to not get any IP address information through DHCPv6 DHCPv6 Request Options DHCPv6 Lease Options If this interface...

Страница 167: ...dvertise a fixed prefix to the network Add Click this to create an IPv6 prefix address Edit Select an entry in this table and click this to modify it Remove Select an entry in this table and click thi...

Страница 168: ...lay Server 2 This field is optional Enter the IP address of another DHCP server for the network These fields appear if the ZyWALL is a DHCP Server IP Pool Start Address Enter the IP address from which...

Страница 169: ...e links between specific IP addresses and specific MAC addresses This stops anyone else from manually using a bound IP address on another device connected to this interface Use this to make use only t...

Страница 170: ...Select the method that the gateway allows Select icmp to have the ZyWALL regularly ping the gateway you specify to make sure it is still available Select tcp to have the ZyWALL regularly perform a TC...

Страница 171: ...ere You can use alphanumeric and _ characters and it can be up to 60 characters long IP Address Assignment IP Address Enter the IP address for this interface Subnet Mask Enter the subnet mask of this...

Страница 172: ...For these interfaces you can only enter the IP address In many interfaces you can also let the IP address and subnet mask be assigned by an external DHCP server on the network In this case the interfa...

Страница 173: ...erface from the network 2 If you set the bandwidth restrictions very high you effectively remove the restrictions The ZyWALL also restricts the size of each data packet The maximum number of bytes in...

Страница 174: ...1 and subnet mask is 255 255 255 0 the starting IP address in the pool is 9 9 9 2 and the pool size is 253 Subnet mask The interface provides the same subnet mask you specify for the interface See IP...

Страница 175: ...sting systems including RADIUS You can access one of several network services This makes it easier for the service provider to offer the service PPPoE does not usually require any special configuratio...

Страница 176: ...Chapter 7 Interfaces ZyWALL 110 310 1100 Series User s Guide 176...

Страница 177: ...terface connected to the VoIP service provider set to active and another interface connected to another ISP set to passive This way VoIP traffic goes through the interface connected to the VoIP servic...

Страница 178: ...ad balancing algorithms the ZyWALL can use to decide which interface the traffic from the LAN should use for a session3 The available bandwidth you configure on the ZyWALL refers to the actual bandwid...

Страница 179: ...ing on the number of queues being used This works in a looping fashion until a queue is empty The Weighted Round Robin WRR algorithm is best suited for situations when the bandwidths set for the two W...

Страница 180: ...first trunk member interface uses an unlimited access Internet connection and the second is billed by usage Spillover load balancing only uses the second interface when the traffic load exceeds the th...

Страница 181: ...s of the outgoing interface as the source IP address of the packets it sends out through its WAN trunks The ZyWALL automatically adds SNAT settings for traffic it routes from internal interfaces to ex...

Страница 182: ...to send network traffic through the first interface in the group member list until there is enough traffic that the second interface needs to be used and so on Load Balancing Index es This field is av...

Страница 183: ...face The weights of the different member interfaces form a ratio This ratio determines how much traffic the ZyWALL assigns to each member interface The higher an interface s weight is relative to the...

Страница 184: ...ond interface needs to be used and so on The table lists the trunk s member interfaces This table is read only This column displays the priorities of the group s interfaces The order of the interfaces...

Страница 185: ...n this spillover bandwidth limit is exceeded the ZyWALL sends new session traffic through the next interface The traffic of existing sessions still goes through the interface on which they started The...

Страница 186: ...Chapter 8 Trunk ZyWALL 110 310 1100 Series User s Guide 186...

Страница 187: ...route to connect to services offered by your ISP behind router R2 You create another policy route to communicate with a separate network behind another router R3 connected to the LAN Figure 107 Exampl...

Страница 188: ...inistrators to have traffic received on a specified interface use a specified IP address as the source IP address Note The ZyWALL automatically uses SNAT for traffic it routes from internal interfaces...

Страница 189: ...ith the DSCP mapping The DSCP value determines the forwarding behavior the PHB Per Hop Behavior that each packet gets across the DiffServ network Based on the marking rule different kinds of traffic c...

Страница 190: ...n a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Activate To turn on an entry select...

Страница 191: ...object The ZyWALL applies the policy route to the packets sent from the corresponding service port any means all service ports Next Hop This is the next hop to which packets are directed It helps forw...

Страница 192: ...Chapter 9 Policy and Static Routes ZyWALL 110 310 1100 Series User s Guide 192 Figure 109 Configuration Network Routing Policy Route Add Edit IPv4 Configuration...

Страница 193: ...ptive name of up to 31 printable ASCII characters for the policy Criteria User Select a user name or user group from which the packets are sent Incoming Select where the packets are coming from any an...

Страница 194: ...N tunnel Select Trunk to route the matched packets through the interfaces in the trunk group based on the load balancing algorithm Select Interface to route the matched packets through the specified o...

Страница 195: ...ckets original DSCP value Select default to have the ZyWALL set the DSCP value of the packets to 0 User Defined DSCP Code Use this field to specify a custom DSCP value Address Translation Use this sec...

Страница 196: ...nnect your ZyWALL to an IPv6 network Both sections have similar fields as described below Add Click this to create a new static route Edit Double click an entry or select it and click Edit to open a s...

Страница 197: ...to a single host enter the specific IP address here and use a subnet mask of 255 255 255 255 for IPv4 in the Subnet Mask field or a prefix of 128 for IPv6 in the Prefix Length field to force the netw...

Страница 198: ...at is unbudgeted or unused by the policy routes depending on how many policy routes require more bandwidth and on their priority levels When only one policy route requires more bandwidth the ZyWALL gi...

Страница 199: ...age 201 to configure general OSPF settings and manage OSPF areas Use the OSPF Area Add Edit screen see Section 10 3 2 on page 206 to create or edit an OSPF area 10 1 2 What You Need to Know The ZyWALL...

Страница 200: ...pen the following screen Figure 114 Configuration Network Routing RIP The following table describes the labels in this screen Table 73 Configuration Network Routing Protocol RIP LABEL DESCRIPTION Auth...

Страница 201: ...may be expressed as an integer or as an IP address There are several types of areas The backbone is the transit area that routes packets between other areas All other areas are connected to the backbo...

Страница 202: ...and networks X and Y Area 2 is a stub area It has routing information about the OSPF AS but it depends on a default route to send information to networks X and Y Area 3 is a NSSA It has routing infor...

Страница 203: ...mation with the DR and the BDR instead of exchanging information with all of the other routers in the group The DR and BDR are selected by priority if two routers have the same priority the highest ro...

Страница 204: ...ea OSPF Configuration Follow these steps when you configure OSPF on the ZyWALL 1 Enable OSPF 2 Set up the OSPF areas 3 Configure the appropriate interfaces See Section 7 3 1 on page 110 4 Set up virtu...

Страница 205: ...Metric Type 2 cost external cost Metric the OSPF AS cost is ignored Metric Type the external cost for routes provided by RIP The metric represents the cost of transmission for routing purposes The way...

Страница 206: ...e you can modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so This field is a sequential value and it is not asso...

Страница 207: ...5 authentication in the area The ID can be between 1 and 255 MD5 Authentication Key This field is available if the Authentication is MD5 Type the default password for MD5 authentication in the area Th...

Страница 208: ...uthentication protects the integrity but not the confidentiality of routing updates None uses no authentication Text uses a plain text password that is sent over the network not very secure MD5 uses a...

Страница 209: ...password and authentication ID MD5 is an authentication method that produces a 128 bit checksum called a message digest for each packet It also includes an authentication ID which can be set to any va...

Страница 210: ...Chapter 10 Routing Protocols ZyWALL 110 310 1100 Series User s Guide 210...

Страница 211: ...rface bridge interface PPPoE PPTP interface and VPN tunnel can be assigned to at most one zone Virtual interfaces are automatically assigned to the same zone as the interface on which they run Figure...

Страница 212: ...ic is traffic between interfaces or VPN tunnels in different zones For example in Figure 121 on page 211 traffic between VLAN 1 and the Internet is inter zone traffic This is the normal case when zone...

Страница 213: ...n create your own User Configuration zones Add Click this to create a new user configured zone Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s...

Страница 214: ...cter cannot be a number This value is case sensitive Member List Available lists the interfaces and VPN tunnels that do not belong to any zone Select the interfaces and VPN tunnels that you want to ad...

Страница 215: ...current IP address Note You must have a public WAN IP address to use Dynamic DNS You must set up a dynamic DNS account with a supported DNS service provider before you can use Dynamic DNS services wit...

Страница 216: ...is inactive Profile Name This field displays the descriptive profile name for this entry DDNS Type This field displays which DDNS service you are using Domain Name This field displays each domain name...

Страница 217: ...he screen to its last saved settings Table 81 Configuration Network DDNS continued LABEL DESCRIPTION Table 82 Configuration Network DDNS Add LABEL DESCRIPTION Show Advanced Settings Hide Advanced Sett...

Страница 218: ...tween the ZyWALL and the DDNS server Note The ZyWALL may not determine the proper IP address if there is an HTTP proxy server between the ZyWALL and the DDNS server Custom If you have a static IP addr...

Страница 219: ...org to the host record specified as the mail exchanger If you are using this service type the host record of your mail server here Otherwise leave the field blank See www dyndns org for more informati...

Страница 220: ...Chapter 12 DDNS ZyWALL 110 310 1100 Series User s Guide 220...

Страница 221: ...IP address Suppose you want to assign ports 21 25 to one FTP Telnet and SMTP server A in the example port 80 to another B in the example and assign a default server IP address of 192 168 1 35 to a th...

Страница 222: ...c entry Status This icon is lit when the entry is active and dimmed when the entry is inactive Name This field displays the name of the entry Mapping Type This field displays what kind of NAT this ent...

Страница 223: ...value is case sensitive Classification Select what kind of NAT this rule is to perform Virtual Server This makes computers on a private network behind the ZyWALL available to a public network outside...

Страница 224: ...e IP address specified by the address object User Defined Original IP This field is available if Mapped IP is User Defined Type the translated destination IP address that this NAT rule supports Mapped...

Страница 225: ...es that interface s IP address as the source address for the traffic it sends from the users to the Mapped IP device For example if you configure a NAT rule to forward traffic from the WAN to a LAN se...

Страница 226: ...replies to the ZyWALL s LAN IP address and the ZyWALL changes the source address to 1 1 1 1 before sending it to the LAN user The return traffic s source matches the original destination address 1 1 1...

Страница 227: ...Chapter 13 NAT ZyWALL 110 310 1100 Series User s Guide 227 Figure 131 LAN to LAN Return Traffic 192 168 1 21 LAN 192 168 1 89 Source 1 1 1 1 SMTP NAT Source 192 168 1 21 SMTP...

Страница 228: ...Chapter 13 NAT ZyWALL 110 310 1100 Series User s Guide 228...

Страница 229: ...oute allows it to access the Internet to get them from a server Proxy server A then forwards the response to the client Figure 132 HTTP Redirect Example 14 1 1 What You Can Do in this Chapter Use the...

Страница 230: ...HTTP requests from the client to the proxy server You also need to manually configure a policy route to forward the HTTP traffic from the proxy server to the Internet To make the example in Figure 132...

Страница 231: ...ou can modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Activate To turn on an entry select it and click Activ...

Страница 232: ...ou may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Interface Select the interface on which the HTTP request must be...

Страница 233: ...ions between SIP clients A and B and the SIP server Figure 135 SIP ALG Example The ALG feature is only needed for traffic that goes through the ZyWALL s NAT 15 1 1 What You Can Do in this Chapter Use...

Страница 234: ...2 sessions between H 323 devices A and B Figure 136 H 323 ALG Example SIP ALG SIP phones can be in any zone including LAN DMZ WAN and the SIP server and SIP clients can be in the same network or diffe...

Страница 235: ...s from LAN IP addresses B and C go out through WAN IP address 2 Even though only LAN IP address A can receive incoming calls from the Internet LAN IP addresses B and C can still make calls out to the...

Страница 236: ...rmation 15 1 3 Before You Begin You must also configure the firewall and enable NAT in the ZyWALL to allow sessions initiated from the WAN 15 2 The ALG Screen Click Configuration Network ALG to open t...

Страница 237: ...meout period Enter the SIP signaling session timeout value 1 86400 SIP Signaling Port If you are using a custom UDP port number not 5060 for SIP traffic enter it here Enable H 323 ALG Turn on the H 32...

Страница 238: ...ace s connection fails the client needs to re initialize the connection through the second interface that was set to passive in order to have the connection go through the second interface VoIP client...

Страница 239: ...15 ALG ZyWALL 110 310 1100 Series User s Guide 239 RTP When you make a VoIP call using H 323 or SIP the RTP Real time Transport Protocol is used to handle voice data transfer See RFC 1889 for details...

Страница 240: ...Chapter 15 ALG ZyWALL 110 310 1100 Series User s Guide 240...

Страница 241: ...address 192 168 1 27 and use static DHCP to assign it to Tim s computer s MAC address of 12 34 56 78 90 AB IP MAC binding drops traffic from any computer trying to use IP address 192 168 1 27 with an...

Страница 242: ...tion Network IP MAC Binding Edit to open the IP MAC Binding Edit screen Use this screen to configure an interface s IP to MAC address binding settings Table 88 Configuration Network IP MAC Binding Sum...

Страница 243: ...IP addresses Enable Logs for IP MAC Binding Violation Select this option to have the ZyWALL generate a log if a device connected to this interface attempts to use an IP address not assigned by the Zy...

Страница 244: ...Add LABEL DESCRIPTION Interface Name This field displays the name of the interface within the ZyWALL and the interface s IP address and subnet mask IP Address Enter the IP address that the ZyWALL is...

Страница 245: ...first IP address in a range of IP addresses for which the ZyWALL does not apply IP MAC binding End IP Enter the last IP address in a range of IP addresses for which the ZyWALL does not apply IP MAC bi...

Страница 246: ...Chapter 16 IP MAC Binding ZyWALL 110 310 1100 Series User s Guide 246...

Страница 247: ...s of 1 1 1 1 The ZyWALL receives the DNS query message and responds to it with the WAN2 s IP address 2 2 2 2 because the WAN2 has the least load at that moment Another Internet host B also sends a DNS...

Страница 248: ...SCRIPTION Global Setting Enable DNS Load Balancing Select this to enable DNS load balancing Configuration Add Click this to create a new entry Edit Double click an entry or select it and click Edit to...

Страница 249: ...ncing method the ZyWALL uses for this DNS load balancing rule Weighted Round Robin Each member interface is assigned a weight An interface with a larger weight gets more chances to transmit traffic th...

Страница 250: ...ts to keep the DNS entry in their caches before removing it Enter 0 to have the ZyWALL not recommend this so the DNS request hosts will follow their DNS server s TTL setting Query From Setting IP Addr...

Страница 251: ...ount of incoming traffic Select Least Load Total to have the ZyWALL choose the member interface which is handling the least amount of outgoing and incoming traffic Failover IP Address Enter an alterna...

Страница 252: ...ress Static dynamically assigned Dynamic or obtained from a DHCP server DHCP Client as well as the IP address and subnet mask Weight This field is available if you selected Weighted Round Robin for th...

Страница 253: ...thentication and the endpoint security check and is given access Local user B passes authentication but fails the endpoint security check and is denied access Figure 149 Authentication Policy Using En...

Страница 254: ...licies have been configured go to the ZyWALL Login screen manually you can configure the ZyWALL to display the Login screen automatically whenever it routes HTTP traffic for anyone who has not logged...

Страница 255: ...ut logging in Click Add to change the list s membership A screen appears Available services appear on the left Select any services you want users to be able to access without logging in and click the...

Страница 256: ...he list The priority is important as the policies are applied in order of priority Default displays for the default authentication policy that the ZyWALL uses on traffic that does not match any except...

Страница 257: ...ss group for whom this policy applies Select any if the policy is effective for every source This is any and not configurable for the default policy Destination Address Select a destination address or...

Страница 258: ...n export user names from the RADIUS server to a text file then you might configure a script to create the user accounts instead 1 Click Configuration Object User Group User Click the Add icon 2 Enter...

Страница 259: ...ion Object User Group Group Add 3 Repeat this process to set up the remaining user groups 18 3 3 Set Up User Authentication Using the RADIUS Server This step sets up user authentication using the RADI...

Страница 260: ...ick OK Figure 156 Configuration Object Auth method Edit 3 Click Configuration Auth Policy In the Authentication Policy Summary section click the Add icon 4 Set up a default policy that forces every us...

Страница 261: ...n the Login screen appears They have to log in using the user name and password in the RADIUS server 18 3 4 User Group Authentication Using the RADIUS Server The previous example showed how to have a...

Страница 262: ...values are Finance Engineer Sales and Boss Select case sensitive if the RADIUS server checks user name casing Figure 159 Configuration Object AAA Server RADIUS Add 2 Now you add ext group user user ob...

Страница 263: ...Chapter 18 Authentication Policy ZyWALL 110 310 1100 Series User s Guide 263...

Страница 264: ...Chapter 18 Authentication Policy ZyWALL 110 310 1100 Series User s Guide 264...

Страница 265: ...sion Limit screens see Section 19 3 on page 273 to limit the number of concurrent NAT firewall sessions a client can use 19 1 2 What You Need to Know Stateful Inspection The ZyWALL has a stateful insp...

Страница 266: ...fic from any interface to the ZyWALL is allowed DHCPv6 and Default_Allow_ICMPv6_Group traffic from any interface to the ZyWALL is allowed From LAN to any other than the ZyWALL Traffic from the LAN to...

Страница 267: ...u also apply a schedule to the firewall rule the user can only access the network at the scheduled time A user aware firewall rule is activated whenever the user logs in to the ZyWALL and will be disa...

Страница 268: ...e interface See the chapter about interfaces for more information By putting LAN 1 and the alternate gateway A in the figure in different subnets all returning network traffic must pass through the Zy...

Страница 269: ...page 221 for more information The ZyWALL applies NAT Destination NAT settings before applying the firewall rules So for example if you configure a NAT entry that sends WAN traffic to a LAN IP address...

Страница 270: ...Chapter 19 Firewall ZyWALL 110 310 1100 Series User s Guide 270 Figure 163 Configuration Firewall...

Страница 271: ...displays all the firewall rules for traffic going to the selected To Zone To any displays all the firewall rules for traffic coming from the selected From Zone From any to any displays all of the fire...

Страница 272: ...the IPv4 or IPv6 destination address object to which this firewall rule applies Service This displays the service object to which this firewall rule applies Access This field displays whether the fire...

Страница 273: ...ress range Source Select an IPv4 address or address group to apply an IPv4 rule to traffic coming from it Select an IPv6 address or address group to apply an IPv6 rule to traffic coming from it Select...

Страница 274: ...specific users or addresses Rule Summary This table lists the rules for limiting the number of concurrent sessions hosts can have Add Click this to create a new entry Select an entry and click Add to...

Страница 275: ...n to its last saved settings Table 100 Configuration Firewall Session Limit continued LABEL DESCRIPTION Table 101 Configuration Firewall Session Limit Edit LABEL DESCRIPTION Create new Object Use to c...

Страница 276: ...Address to configure an address object Configure it as follows and click OK Figure 168 Firewall Example Create an Address Object 3 Click Create new Object Service to configure a service object for Doo...

Страница 277: ...and enter a name for the firewall rule Select Dest_1 for the Destination and Doom as the Service Enter a description and configure the rest of the screen as follows Click OK when you are done Figure 1...

Страница 278: ...s traffic from the LAN it checks it against the first rule If the traffic matches if it is IRC traffic the firewall takes the action in the rule drop and stops checking the firewall rules Any traffic...

Страница 279: ...raffic from the LAN1 to go to the WAN Alternatively you configure a LAN1 to WAN rule with the CEO s user name say CEO to allow IRC traffic from any source IP address to go to any destination address Y...

Страница 280: ...The rule for the CEO must come before the rule that blocks all LAN1 to WAN IRC traffic If the rule that blocks all LAN1 to WAN IRC traffic came first the CEO s IRC traffic would match that rule and t...

Страница 281: ...etwork IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrity and authentication at the IP layer The ZyWALL can also combine multiple IPSec V...

Страница 282: ...IPSec VPN connection policy uses which devices behind the IPSec routers can use the VPN tunnel and the IPSec SA settings phase 2 settings You can also activate or deactivate and connect or disconnect...

Страница 283: ...o securely establish an IPSec SA through which the ZyWALL and remote IPSec router can send data between computers on the local network and remote network This is illustrated in the following figure Fi...

Страница 284: ...ic IP address or a domain name Choose this if the remote IPSec router has a dynamic IP address You don t specify the remote IPSec router s address but you specify the remote policy the addresses of th...

Страница 285: ...uthentication method specifies how the ZyWALL authenticates the remote IPSec router See Chapter 31 on page 400 In a VPN gateway the ZyWALL and remote IPSec router can use certificates to authenticate...

Страница 286: ...der turned on Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it...

Страница 287: ...Chapter 20 IPSec VPN ZyWALL 110 310 1100 Series User s Guide 287 Figure 179 Configuration VPN IPSec VPN VPN Connection Edit IKE...

Страница 288: ...a specific number of bytes for the Maximum Segment Size MSS meaning the largest amount of data in a single TCP segment or IP datagram for this VPN connection Select Auto to have the ZyWALL automatical...

Страница 289: ...WALL and remote IPSec router must use the same active protocol Encapsulation Select which type of encapsulation the IPSec SA uses Choices are Tunnel this mode encrypts the IP header information and th...

Страница 290: ...on The peer must be configured to respond to the method you select Select icmp to have the ZyWALL regularly ping the address you specify to make sure traffic can still go through the connection You ma...

Страница 291: ...to configure a new one This is the address that hides the original source address The size of the original source address range Source must be equal to the size of the translated source address range...

Страница 292: ...y screen see Section 20 2 on page 285 click either the Add icon or an existing manual key entry s Edit icon and click Show Advanced Settings In the VPN Gateway section of the screen select Manual Key...

Страница 293: ...Active Protocol Select which protocol you want to use in the IPSec SA Choices are AH RFC 2402 provides integrity authentication sequence integrity replay resistance and non repudiation but not encryp...

Страница 294: ...ust have the same encryption key The ZyWALL ignores any characters above the minimum number of characters required by the algorithm For example if you enter 1234567890XYZ for a DES encryption key the...

Страница 295: ...ZyWALL confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Object References Select...

Страница 296: ...Chapter 20 IPSec VPN ZyWALL 110 310 1100 Series User s Guide 296 Figure 182 Configuration VPN IPSec VPN VPN Gateway Edit...

Страница 297: ...ec router You can provide a second IP address or domain name for the ZyWALL to try if it cannot establish an IKE SA with the first one Fall back to Primary Peer Gateway when possible When you select t...

Страница 298: ...during authentication The identity depends on the Local ID Type IP type an IP address if you type 0 0 0 0 the ZyWALL uses the IP address specified in the My Address field This is not recommended in t...

Страница 299: ...ollowing situations There is a NAT router between the ZyWALL and remote IPSec router You want the remote IPSec router to be able to distinguish between IPSec SA requests that come from IPSec routers w...

Страница 300: ...a similar feature The remote IPSec router must also enable NAT traversal and the NAT routers have to forward packets with UDP port 500 and UDP 4500 headers unchanged Dead Peer Detection DPD Select th...

Страница 301: ...ionally maintenance for example There is also more burden on the hub router It receives VPN traffic from one spoke decrypts it inspects it to find out to which spoke to route it encrypts it and sends...

Страница 302: ...splays the VPN concentrators in the ZyWALL To access this screen click Configuration VPN IPSec VPN Concentrator Figure 184 Configuration VPN IPSec VPN Concentrator Each field is discussed in the follo...

Страница 303: ...on SHA512 authentication A subnet or range remote policy Table 112 VPN IPSec VPN Concentrator Edit LABEL DESCRIPTION Name Enter the name of the concentrator You may use 1 31 alphanumeric characters un...

Страница 304: ...ration When you add or edit a configuration provisioning entry you are allowed to set the VPN Connection and Allowed User fields Duplicate entries are not allowed You cannot select the same VPN Connec...

Страница 305: ...e an IKE SA because the ZyWALL does not know the IP address of the remote IPSec router This is often used for telecommuters Move Use Move to reorder a selected entry Select an entry click Move type th...

Страница 306: ...are listed in order from weakest to strongest Data Encryption Standard DES is a widely used method of data encryption It applies a 56 bit key to each 64 bit block of data Triple DES 3DES is a variant...

Страница 307: ...longer to encrypt and decrypt Authentication Before the ZyWALL and remote IPSec router establish an IKE SA they have to verify each other s identity This process is based on pre shared keys and route...

Страница 308: ...ticate each other successfully In contrast in Table 115 on page 308 the ZyWALL and the remote IPSec router cannot authenticate each other and therefore cannot establish an IKE SA It is also possible t...

Страница 309: ...another router A between router X and router Y Figure 190 VPN NAT Example If router A does NAT it might change the IP addresses port numbers or both If router X and router Y try to establish a VPN tu...

Страница 310: ...set up the pre shared key local identity or remote identity because the certificates provide this information instead Instead of using the pre shared key the ZyWALL and remote IPSec router check the s...

Страница 311: ...uter The header for the active protocol AH or ESP appears between the IP headers In transport mode the encapsulation depends on the active protocol With AH the ZyWALL includes part of the original IP...

Страница 312: ...only specify one encryption algorithm and one authentication algorithm You cannot specify several proposals There is no DH key exchange so you have to provide the encryption key and the authenticatio...

Страница 313: ...uter M s network Destination the original destination address the remote network B SNAT the translated source address the local network A Source Address in Inbound Packets Inbound Traffic Source NAT Y...

Страница 314: ...e mail server in the local network A Mapped Port the translated destination port or range of destination ports The original port range and the mapped port range must be the same size IPSec VPN Example...

Страница 315: ...ddress to create an address object for the remote network Set the Address Type to SUBNET the Network field to 172 16 1 0 and the Netmask to 255 255 255 0 2 Enable the VPN connection and name it VPN_CO...

Страница 316: ...Chapter 20 IPSec VPN ZyWALL 110 310 1100 Series User s Guide 316...

Страница 317: ...enter access messages or upload a custom logo to be displayed on the remote user screen 21 1 2 What You Need to Know Full Tunnel Mode In full tunnel mode a virtual connection is created for remote use...

Страница 318: ...This screen lists the configured SSL access policies Figure 195 VPN SSL VPN Access Privilege Table 116 Objects OBJECT TYPE OBJECT SCREEN DESCRIPTION User Accounts User Account User Group Configure a...

Страница 319: ...entry select it and click Inactivate Move To move an entry to a different number in the list click the Move icon In the field that appears specify the number to which you want to move the interface Ob...

Страница 320: ...e following table describes the labels in this screen Table 118 VPN SSL VPN Access Privilege Add Edit LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to use...

Страница 321: ...and click the left arrow button Note To allow access to shared files on a Windows 7 computer within Windows 7 you must enable sharing on the folder and also go to the Network and Sharing Center s Adv...

Страница 322: ...list and click the right arrow button to add to the Selected Address Objects list You can select more than one network To block access to a network select the network name in the Selected Address Obj...

Страница 323: ...tablished successfully You can enter up to 60 characters 0 9 a z A Z _ with spaces allowed Logout Message Specify a message to display on the screen when a user logs out and the SSL VPN connection is...

Страница 324: ...ilege Add and click Create New Object Application to create an SSL application object Set the Type to Web Application the Server Type to Web Server and the URL to http info Select Web Page Encryption...

Страница 325: ...nd password and click SSL VPN to establish an SSL VPN connection 4 Your computer starts establishing a secure connection to the ZyWALL after the login This may take up to two minutes If you get a mess...

Страница 326: ...isplays after the connection is up In this example click the Web Server link to go to http info If the user account is not included in an SSL VPN access policy the ZyWALL redirects the user to the use...

Страница 327: ...ethods Using a supported web browser Once you have successfully logged in through the ZyWALL you can access intranet sites web based applications or web based e mails using one of the supported web br...

Страница 328: ...The remote user s computer establishes an HTTPS connection to the ZyWALL to access the login screen If instructed by your network administrator you must install or import a certificate provided by th...

Страница 329: ...twork to access network resources Figure 202 Login Screen 4 Your computer starts establishing a secure connection to the ZyWALL after a successful login This may take up to two minutes If you get a me...

Страница 330: ...wser Figure 205 SecuExtender Blocked by Internet Explorer 6 The ZyWALL tries to run the ssltun application You may need to click something to get your browser to allow this In Internet Explorer click...

Страница 331: ...SecuExtender client on your computer Figure 208 Installation Warning 9 The Application screen displays showing the list of resources available to you See Figure 209 on page 332 for a screen example No...

Страница 332: ...in the Name field or enter a descriptive name to identify this link Table 120 Remote User Screen Overview DESCRIPTION 1 Click on a menu tab to go to the Application or File Sharing screen 2 Click thi...

Страница 333: ...ogout Prompt 22 6 SSL User Application Screen Use the Application tab s screen to access web based applications such as web sites and e mail on the network through the SSL VPN connection Which applica...

Страница 334: ...ons Access a folder Open a file if your web browser cannot open the file you are prompted to download it Save a file to your computer Create a new folder Rename a file or folder Delete a file or folde...

Страница 335: ...y the web browser and the associated application is installed on your computer 1 Log in as a remote user and click the File Sharing tab 2 Click on a file share icon 3 If an access user name and passwo...

Страница 336: ...ick on a doc file to open the Word document Figure 215 File Sharing Open a Word File 22 7 3 Downloading a File You are prompted to download a file which cannot be opened using a web browser Follow the...

Страница 337: ...the New Folder icon Specify a descriptive name for the folder You can enter up to 356 characters Then click Add Note Make sure the length of the folder name does not exceed the maximum allowed on the...

Страница 338: ...Figure 219 File Sharing Rename 22 7 7 Deleting a File or Folder Click the Delete icon next to a file or folder to remove it 22 7 8 Uploading a File Follow the steps below to upload a file to the file...

Страница 339: ...er 22 SSL User Screens ZyWALL 110 310 1100 Series User s Guide 339 Note Uploading a file with the same name and file extension replaces the existing file on the file server No warning message is displ...

Страница 340: ...Chapter 22 SSL User Screens ZyWALL 110 310 1100 Series User s Guide 340...

Страница 341: ...C remote desktop program you must have the VNC client installed on your computer 23 1 The ZyWALL SecuExtender Icon The ZyWALL SecuExtender icon color indicates the SSL VPN tunnel s connection status F...

Страница 342: ...n name to its corresponding IP address and vice versa The DNS server is extremely important because without it you must know the IP address of a computer before you can access it Your computer uses th...

Страница 343: ...nder Agent DETAIL Build Datetime Feb 24 2009 10 25 07 2009 03 12 13 35 50 SecuExtender Agent DEBUG rasphone pbk C Documents and Settings 11746 rasphone pbk 2009 03 12 13 35 50 SecuExtender Agent DEBUG...

Страница 344: ...WALL SecuExtender ZyWALL 110 310 1100 Series User s Guide 344 Figure 224 Uninstalling the ZyWALL SecuExtender Confirmation 3 Windows uninstalls the ZyWALL SecuExtender Figure 225 ZyWALL SecuExtender U...

Страница 345: ...to Know The Layer 2 Tunneling Protocol L2TP works at layer 2 the data link layer to tunnel network traffic between two peers over another network like the Internet In L2TP VPN an IPSec VPN tunnel is e...

Страница 346: ...access LAN_SUBNET in the following figure Set the Destination Address to the IP address pool that the ZyWALL assigns to the remote users L2TP_POOL in the following figure Set the next hop to be the VP...

Страница 347: ...e L2TP Over IPSec Use this field to turn the ZyWALL s L2TP VPN function on or off VPN Connection Select the IPSec VPN connection the ZyWALL uses for L2TP VPN All of the configured VPN connections disp...

Страница 348: ...essage after waiting this long without receiving any traffic from the remote user The ZyWALL disconnects the VPN tunnel if the remote user does not respond First DNS Server Second DNS Server Specify t...

Страница 349: ...anagement rules for traffic going through the ZyWALL Bandwidth management examines every TCP and UDP connection passing through the ZyWALL Then you can specify by port whether or not the ZyWALL contin...

Страница 350: ...Inbound traffic comes back from the WAN device to the LAN1 device Bandwidth management is applied before sending the traffic out a LAN1 interface Figure 229 LAN1 to WAN Connection and Packet Directio...

Страница 351: ...h usage enabled to borrow any unused bandwidth on the out going interface After each application gets its configured bandwidth rate the ZyWALL uses the fairness based scheduler to divide any unused ba...

Страница 352: ...A gets its configured rate of 300 kbps and server B gets its configured rate of 200 kbps Then the ZyWALL divides the remaining bandwidth 1000 500 500 equally between the two 500 2 250 kbps for each T...

Страница 353: ...interface destination port schedule user source destination information DSCP code and service type as criteria to create a sequence of specific conditions similar to the sequence of rules used by fire...

Страница 354: ...up to which the policy applies If any displays the policy applies to all users Schedule This is the schedule that defines when the policy applies none means the policy always applies Incoming Interfac...

Страница 355: ...g the first Pri value or outgoing the second Pri value traffic that matches this policy The smaller the number the higher the priority Traffic with a higher priority is given bandwidth before traffic...

Страница 356: ...used elsewhere You can use alphanumeric and _ characters and it can be up to 60 characters long Criteria Use this section to configure the conditions of traffic to which this policy applies User Sele...

Страница 357: ...which this policy applies any means all services DSCP Marking Set how the ZyWALL handles the DSCP value of the incoming and outgoing packets that match this policy Inbound refers to the traffic the Z...

Страница 358: ...er priority The ZyWALL uses a fairness based round robin scheduler to divide bandwidth between traffic flows with the same priority The number in this field is ignored if the incoming and outgoing lim...

Страница 359: ...passive mode device HA You can configure general active passive mode device HA settings view and manage the list of monitored interfaces and synchronize backup ZyWALLs 26 1 2 What You Need to Know Act...

Страница 360: ...ng with a summary of the monitored interfaces Figure 236 Configuration Device HA General The following table describes the labels in this screen Table 129 Configuration Device HA General LABEL DESCRIP...

Страница 361: ...tatus This tells whether the monitored interface s connection is down or up HA Status The text before the slash shows whether the device is configured as the master or the backup role This text after...

Страница 362: ...ster ZyWALL Virtual Router and Management IP Addresses If a backup takes over for the master it uses the master s IP addresses These IP addresses are know as the virtual router IP addresses Each inter...

Страница 363: ...rface has priority 255 Enable Preemption This field is available for a backup ZyWALL Select this if this ZyWALL should become the master ZyWALL if a lower priority ZyWALL is the master when this one i...

Страница 364: ...role this field displays the ZyWALL s IP addresses and or Fully Qualified Domain Names FQDN through which ZyWALLs in backup role can get updated configuration from this ZyWALL Sync Now This displays...

Страница 365: ...the interface s device HA settings and uses them again if you later remove the interface from the bridge If the bridge is later deleted or the interface is removed from it Device HA will recover the i...

Страница 366: ...bridge interfaces on two ZyWALLs without device HA activated on both Doing so could cause a broadcast storm Either activate device HA before connecting the bridge interfaces or disable the bridge inte...

Страница 367: ...ace on the master ZyWALL set the bridge interface as a monitored interface and activate device HA 3 Configure the bridge interface on the backup ZyWALL set the bridge interface as a monitored interfac...

Страница 368: ...ple 1 In this case the ZyWALLs are already connected but the bridge faces have not been configured yet Configure a disabled bridge interface on the master ZyWALL but disable it Then set the bridge int...

Страница 369: ...n only configure one set of settings for synchronization regardless of how many VRRP groups you might configure The ZyWALL uses Secure FTP on a port number you can change to synchronize but it is stil...

Страница 370: ...26 Device HA ZyWALL 110 310 1100 Series User s Guide 370 The backup ZyWALL cannot be the master This refers to the actual role at the time of synchronization not the role setting in the configuration...

Страница 371: ...lt settings login settings lockout settings and other user settings for the ZyWALL You can also use this screen to specify when users must log in to the ZyWALL before it routes traffic for them 27 1 2...

Страница 372: ...132 on page 371 from the external server If the external server does not have the information the ZyWALL sets the user type for this session to User For the rest of the user attributes such as reauthe...

Страница 373: ...2 User Summary Screen The User screen provides a summary of all user accounts To access this screen login to the Web Configurator and click Configuration Object User Group Figure 242 Configuration Ob...

Страница 374: ...or an Edit icon User Type This field displays the types of user accounts the ZyWALL uses admin this user can look at and change the configuration of the ZyWALL limited admin this user can look at the...

Страница 375: ...s on page 372 for more information about this type ext group user this user account is maintained in a remote server such as RADIUS or LDAP See Ext Group User Accounts on page 372 for more information...

Страница 376: ...page 378 the users can select this check box on their screen as well In this case the session is automatically renewed before the lease time expires Reauthentication Time If you select Use Default Se...

Страница 377: ...Configuration Object User Group Group continued LABEL DESCRIPTION Table 136 Configuration User Group Group Add LABEL DESCRIPTION Name Type the name for this user group You may use 1 31 alphanumeric c...

Страница 378: ...46 Configuration Object User Group Setting The following table describes the labels in this screen Table 137 Configuration Object User Group Setting LABEL DESCRIPTION User Authentication Timeout Setti...

Страница 379: ...to the ZyWALL in one session before having to log in again Unlike Lease Time the user has no opportunity to renew the session without logging out Miscellaneous Settings Allow renewing lease time autom...

Страница 380: ...s account is checked Type the maximum number of simultaneous logins by each access user User Lockout Settings Enable logon retry limit Select this check box to set a limit on the number of times each...

Страница 381: ...is type ext group user this user account is maintained in a remote server such as RADIUS or LDAP See Ext Group User Accounts on page 372 for more information about this type Lease Time Enter the numbe...

Страница 382: ...ease time field in this screen Lease time field in the User Add Edit screen see Section 27 2 1 on page 374 Lease time field in the Setting screen see Section 27 4 on page 378 Updating lease time autom...

Страница 383: ...counts you might use CLI commands instead of the Web Configurator to create the accounts Extract the user names from the LDAP or RADIUS server and create a shell script that creates the user accounts...

Страница 384: ...N connection policies Please see the respective sections for more information about how address objects and address groups are used in each one Address groups are composed of address objects and addre...

Страница 385: ...eld displays the configured name of each address object Type This field displays the type of each address object INTERFACE means the object uses the settings of one of the ZyWALL s interfaces IPv4 Add...

Страница 386: ...RANGE SUBNET INTERFACE IP INTERFACE SUBNET and INTERFACE GATEWAY Note The ZyWALL automatically updates address objects that are based on an interface s IP address subnet or gateway if the interface s...

Страница 387: ...address settings change For example if you change 1 s IP address the ZyWALL automatically updates the corresponding interface based LAN subnet address object IPv6 Address This field is only available...

Страница 388: ...ve it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 7 3 2 on page 122 for an example This field is...

Страница 389: ...alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Description This field displays the description of each address group if any You...

Страница 390: ...ore complex Some uses are FTP HTTP SMTP and TELNET UDP is simpler and faster but is less reliable Some uses are DHCP DNS RIP and SNMP TCP creates connections between computers to exchange data Once th...

Страница 391: ...for each service Service groups may consist of services and other service groups The sequence of members in the service group is not important 29 2 The Service Summary Screen The Service summary scre...

Страница 392: ...t associated with a specific service Name This field displays the name of each service Content This field displays a description of each service Table 147 Configuration Object Service Service Edit LAB...

Страница 393: ...els in this screen See Section 29 3 1 on page 394 for more information as well Table 148 Configuration Object Service Service Group LABEL DESCRIPTION Add Click this to create a new entry Edit Double c...

Страница 394: ...types of families Supports IPv4 only Supports IPv6 only Supports both IPv4 and IPv6 Name This field displays the name of each service group By default the ZyWALL uses services starting with Default_Al...

Страница 395: ...hat you want to be members and move them to the Member list You can double click a single entry to move it or use the Shift or Ctrl key to select multiple entries and use the arrow button to move them...

Страница 396: ...reen Section 30 2 1 on page 398 to create or edit a one time schedule Use the Recurring Schedule Add Edit screen Section 30 2 2 on page 399 to create or edit a recurring schedule 30 1 2 What You Need...

Страница 397: ...122 for an example This field is a sequential value and it is not associated with a specific schedule Name This field displays the name of the schedule which is used to refer to the schedule Start Da...

Страница 398: ...r to the one time schedule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Date Time StartDate Specify the year...

Страница 399: ...table describes the remaining labels in this screen Table 152 Configuration Object Schedule Edit Recurring LABEL DESCRIPTION Configuration Name Type the name used to refer to the recurring schedule Y...

Страница 400: ...xt Figure 263 Example Directory Service Client and Server The following describes the user authentication procedure via an LDAP AD server 1 A user logs in with a user name and password pair 2 The ZyWA...

Страница 401: ...he ASAS as a RADIUS server in the ZyWALL s Configuration Object AAA Server screens 6 Give the OTP tokens to local or remote users 31 1 4 What You Can Do in this Chapter Use the Configuration Object AA...

Страница 402: ...Normally the directory structure reflects the geographical or organizational boundaries The following figure shows a basic directory structure branching from countries to organizations to organization...

Страница 403: ...lowing table describes the labels in this screen 31 2 1 Adding an Active Directory or LDAP Server Click Object AAA Server Active Directory or LDAP to display the Active Directory or LDAP screen Click...

Страница 404: ...alphanumerical characters for identification purposes Description Enter the description of each server if any You can use up to 60 printable ASCII characters Server Address Enter the address of the AD...

Страница 405: ...hip Attribute An AD or LDAP server defines attributes for its accounts Enter the name of the attribute that the ZyWALL is to check to determine to which group a user belongs The value for this attribu...

Страница 406: ...or LDAP entry or edit an existing one Table 155 Configuration Object AAA Server RADIUS LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to...

Страница 407: ...ckup Server Address If the RADIUS server has a backup server enter its address here Backup Authentication Port Specify the port number on the RADIUS server to which the ZyWALL sends authentication req...

Страница 408: ...ed a group identifier it determines to which group a user belongs You can add ext group user user objects to identify groups based on these group identifier values For example you could have an attrib...

Страница 409: ...to create and manage authentication method objects Finding Out More 32 1 2 Before You Begin Configure AAA server objects see Chapter 31 on page 400 before you configure authentication method objects...

Страница 410: ...ck Configuration Object Auth Method Table 157 Configuration Object Auth Method LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a s...

Страница 411: ...arch on the second authentication server when you enter the username and password that doesn t match the one on the first authentication server Note You can NOT select two server objects of the same t...

Страница 412: ...ct from the drop down list box You can create a server object in the AAA Server screen see Chapter 31 on page 400 for more information The ZyWALL authenticates the users using the databases in the loc...

Страница 413: ...e openly available The other key is private and must be kept secure These keys work like a handwritten signature in fact certificates are often referred to as digital signatures Only you can write you...

Страница 414: ...ublic key infrastructure Advantages of Certificates Certificates offer the following benefits The ZyWALL only has to store the certificates of the certification authorities that you decide to trust no...

Страница 415: ...t More See Section 33 4 on page 428 for certificate background information 33 1 3 Verifying a Certificate Before you import a trusted certificate into the ZyWALL you should verify that you have the co...

Страница 416: ...and Thumbprint fields The secure method may very based on your situation Possible examples would be over the telephone or through an HTTPS connection 33 2 The My Certificates Screen Click Configurati...

Страница 417: ...erences to open a screen that shows which settings use the entry See Section 7 3 2 on page 122 for an example This field displays the certificate index number The certificates are listed in alphabetic...

Страница 418: ...tion domain name or e mail address in the field provided The domain name or e mail address is for identification purposes only and can be any string A domain name can be up to 255 characters You can u...

Страница 419: ...hm Select DSA to use the Digital Signature Algorithm public key algorithm Key Length Select a number from the drop down list box to determine how many bits the key should use 512 to 2048 The longer th...

Страница 420: ...request Click the Refresh button to have this read only text box display the hierarchy of certification authorities that validate the certificate and the certificate itself If the issuing certificati...

Страница 421: ...cate has expired none displays for a certification request Key Algorithm This field displays the type of algorithm that was used to generate the certificate s key pair the ZyWALL uses RSA encryption a...

Страница 422: ...ate Only Use this button to save a copy of the certificate without its private key Click this button and then Save in the File Download screen The Save As screen opens browse to the location that you...

Страница 423: ...ZyWALL Browse Click Browse to find the certificate file you want to upload Password This field only applies when you import a binary PKCS 12 format file Type the file s password that was created when...

Страница 424: ...entify this certificate Subject This field displays identifying information about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Co...

Страница 425: ...Chapter 33 Certificates ZyWALL 110 310 1100 Series User s Guide 425 Figure 280 Configuration Object Certificate Trusted Certificates Edit...

Страница 426: ...ASCII characters from the entity maintaining the server usually a certification authority Password Type the password up to 31 ASCII characters from the entity maintaining the OCSP server usually a ce...

Страница 427: ...ays for what functions the certificate s key can be used For example DigitalSignature means that the key can be used to sign certificates and KeyEncipherment means that the key can be used to encrypt...

Страница 428: ...dvantages over a CRL The first is real time status information The second is a reduction in network traffic since the ZyWALL only gets information on the certificates that it needs to verify not a hug...

Страница 429: ...ALL To access this screen click Configuration Object ISP Account Figure 282 Configuration Object ISP Account The following table describes the labels in this screen See the ISP Account Edit section be...

Страница 430: ...y the ISP account Authentication Type This field displays the authentication type used by the ISP account User Name This field displays the user name of the ISP account Table 166 Configuration Object...

Страница 431: ...dress of the PPTP server Connection ID This field is available if this ISP account uses the PPTP protocol Type your identification name for the PPTP server This field can be blank Service Name If this...

Страница 432: ...Edit screen to specify the name of a folder on a Linux or Windows file server which remote users can access using a standard web browser Section 35 2 1 on page 435 35 1 2 What You Need to Know Applic...

Страница 433: ...Remote Management Weblinks You can configure weblink SSL applications to allow remote users to access web sites 35 1 3 Example Specifying a Web Site for Access This example shows you how to create a...

Страница 434: ...describes the labels in this screen Table 168 Configuration Object SSL Application LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to be...

Страница 435: ...on in the SSL Application screen and select Web Application or File Sharing in the Type field The screen differs depending on what object type you choose Note If you are creating a file sharing SSL ap...

Страница 436: ...The ZyWALL supports one OWA object Select VNC to allow users to manage LAN computers that have Virtual Network Computing remote desktop server software installed Select RDP to allow users to manage L...

Страница 437: ...ou choose Web Application as the object type Select this option to prevent users from saving the web content Shared Path This field only appears when you choose File Sharing as the object type Specify...

Страница 438: ...uration Object DHCPv6 Request Figure 289 Configuration Object DHCPv6 Request The following table describes the labels in this screen Table 170 Configuration Object DHCPv6 Request LABEL DESCRIPTION Con...

Страница 439: ...pe This field displays the request type of each request object Interface This field displays the interface used for each request object Value This field displays the value for each request object Tabl...

Страница 440: ...s to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The ZyWAL...

Страница 441: ...ser Defined in the DNS Server field and enter the IP address of the DNS server in the User Defined Address field below Starting IP Address If you select Address Pool in the Lease Type field enter the...

Страница 442: ...Chapter 36 DHCPv6 ZyWALL 110 310 1100 Series User s Guide 442...

Страница 443: ...access the ZyWALL s command line interface You can specify which zones allow SSH access and from which IP address the access can come Use the System TELNET screen see Section 37 9 on page 476 to conf...

Страница 444: ...t be read only and use the FAT16 FAT32 EXT2 or EXT3 file system Click Configuration System USB Storage to open the screen as shown next Table 174 Configuration System Host Name LABEL DESCRIPTION Syste...

Страница 445: ...our local time zone and date click Configuration System Date Time The screen displays as shown You can manually set the ZyWALL s time and date or have the ZyWALL get the date and time from a time serv...

Страница 446: ...gure a new time and date time zone and daylight saving at the same time the time zone and daylight saving will affect the new time and date you entered When you enter the time settings manually the Zy...

Страница 447: ...ch and type 2 in the at field Daylight Saving Time starts in the European Union on the last Sunday of March All of the time zones in the European Union start using Daylight Saving Time at the same mom...

Страница 448: ...time servers have been tried 37 4 2 Time Server Synchronization Click the Synchronize Now button to get the time and date from the time server you specified in the Time Server Address field When the P...

Страница 449: ...sole port using a terminal emulation program See Table 2 on page 20 for default console port settings Click Configuration System Console Speed to open the Console Speed screen Figure 297 Configuration...

Страница 450: ...ually enter them in the DNS server fields If your ISP dynamically assigns the DNS server IP addresses along with the ZyWALL s WAN IP address set the DNS server fields to get the DNS server address fro...

Страница 451: ...e that subsequent entries move up by one when you take this action Move To change an entry s position in the numbered list select the method and click Move to display a field to type a number for wher...

Страница 452: ...om which computers and zones you can send DNS queries to the ZyWALL Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click...

Страница 453: ...main name 37 6 7 Adding a Domain Zone Forwarder Click the Add icon in the Domain Zone Forwarder table to add a domain zone forwarder record Table 180 Configuration System DNS Address PTR Record Edit L...

Страница 454: ...corded name server IP address Enter if all domain zones are served by the specified DNS server s DNS Server Select DNS Server s from ISP if your ISP dynamically assigns DNS server information You also...

Страница 455: ...ings and exit this screen Cancel Click Cancel to exit this screen without saving Table 183 Configuration System DNS Service Control Rule Add LABEL DESCRIPTION Create new Object Use this to configure a...

Страница 456: ...in the allowed zone or the action is set to Deny 4 There is a firewall rule that blocks it 37 7 2 System Timeout There is a lease timeout for administrators The ZyWALL automatically logs you out if th...

Страница 457: ...a certificate You must apply for a certificate for the browser from a CA that is a trusted CA on the ZyWALL Please refer to the following figure 1 HTTPS connection requests from an SSL aware web brows...

Страница 458: ...check box to allow or disallow the computer with the IP address that matches the IP address es in the Service Control table to access the ZyWALL Web Configurator using secure HTTPs connections Server...

Страница 459: ...e method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed This is the index number of the service control r...

Страница 460: ...en instead of a number is the ZyWALL s non configurable default policy The ZyWALL applies this to traffic that does not match any other configured rule It is not an editable rule To apply other behavi...

Страница 461: ...to configure any new settings objects that you need to use in this screen Address Object Select ALL to allow or deny any computer to communicate with the ZyWALL using this service Select a predefined...

Страница 462: ...Chapter 37 System ZyWALL 110 310 1100 Series User s Guide 462 Figure 306 Configuration System WWW Login Page The following figures identify the parts you can customize in the login and access pages...

Страница 463: ...tion You can specify colors in one of the following ways Click Color to display a screen of web safe colors from which to choose Enter the name of the desired color Logo Title Message Note Message Bac...

Страница 464: ...ransfer the specified graphic file from your computer to the ZyWALL Customized Login Page Use this section to set how the Web Configurator login screen looks Title Enter the title for the top of the s...

Страница 465: ...ssages When you attempt to access the ZyWALL HTTPS server a The Connection is Untrusted screen appears as shown in the following screen Click Technical Details if you want to verify more information a...

Страница 466: ...icate authorities The issuing certificate authority of the ZyWALL s factory default certificate is the ZyWALL itself since the certificate is a self signed certificate For the browser to trust a self...

Страница 467: ...icate Client Certificates to be active see the Certificates chapter for details Apply for a certificate from a Certification Authority CA that is trusted by the ZyWALL see the ZyWALL s Trusted CA Web...

Страница 468: ...rd as shown earlier in this appendix 37 7 7 5 2 Installing Your Personal Certificate s You need a password in advance The CA may issue the password or you may have to specify it during the enrollment...

Страница 469: ...cate Import Wizard 1 2 The file name and path of the certificate you double clicked should automatically appear in the File name text box Click Browse if you wish to import a different certificate Fig...

Страница 470: ...rt Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location Figure 318 Person...

Страница 471: ...7 7 6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS 1 Enter https ZyWALL IP Address in your browser s web address field Figure 321 A...

Страница 472: ...urely access the ZyWALL s command line interface Specify which zones allow SSH access and from which IP address the access can come SSH is a secure communication protocol that combines authentication...

Страница 473: ...ey with the host key and server key and sends the result back to the server The client automatically saves any new server public keys In subsequent connections the server public key is checked against...

Страница 474: ...wing table describes the labels in this screen Table 187 Configuration System SSH LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the I...

Страница 475: ...he selected entry Refer to Table 185 on page 461 for details on the screen that opens Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove...

Страница 476: ...yWALL Type yes and press ENTER Then enter the password to log in to the ZyWALL Figure 329 SSH Example 2 Log in 3 The CLI screen displays next 37 9 Telnet You can use Telnet to access the ZyWALL s comm...

Страница 477: ...ove The ZyWALL confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action Move To change an entry s position in the numbered list select the m...

Страница 478: ...ice Control table to access the ZyWALL using this service TLS required Select the check box to use FTP over TLS Transport Layer Security to encrypt communication This implements TLS as a security mech...

Страница 479: ...to put it and press ENTER to move the rule to the number that you typed This the index number of the service control rule The entry with a hyphen instead of a number is the ZyWALL s non configurable...

Страница 480: ...P allows a manager and agents to communicate for the purpose of accessing these objects SNMP itself is a simple request response protocol based on the manager agent model The manager issues a request...

Страница 481: ...ned on or an agent restarts linkDown 1 3 6 1 6 3 1 1 5 3 This trap is sent when the Ethernet link is down linkUp 1 3 6 1 6 3 1 1 5 4 This trap is sent when the Ethernet link is up authenticationFailur...

Страница 482: ...station The default is private and allows all requests Trap Community Type the trap community which is the password sent with each trap to the SNMP manager The default is public and allows all reques...

Страница 483: ...rule To apply other behavior configure a rule that traffic will match so the ZyWALL will not have to use the default policy Zone This is the zone on the ZyWALL the user is allowed or denied to access...

Страница 484: ...TION Enable IPv6 Select this to have the ZyWALL support IPv6 and make IPv6 settings be available on the screens that the functions support such as the Configuration Network Interface Ethernet VLAN and...

Страница 485: ...page 487 to specify settings for recording log messages and alerts e mailing them storing them on a connected USB storage device and sending them to remote syslog servers 38 2 Email Daily Report Use t...

Страница 486: ...outgoing e mail Select Append system name to add the ZyWALL s system name to the subject Select Append date time to add the ZyWALL s system date and time to the subject Mail From Type the e mail addre...

Страница 487: ...t screens to configure settings such as log categories e mail addresses and server names for any log Use the Log Category Settings screen to edit what information is included in the system log USB sto...

Страница 488: ...d with a specific log Name This field displays the type of log setting entry system log logs stored on a USB storage device connected to the ZyWALL or one of the remote servers Log Format This field d...

Страница 489: ...ngs The Log Settings Edit screen controls the detailed settings for each log in the system log which includes the e mail profiles Go to the Log Settings Summary screen see Section 38 3 1 on page 487 a...

Страница 490: ...f it is necessary to provide a user name and password to the SMTP server User Name This box is effective when you select the SMTP Authentication check box Type the user name to provide to the SMTP ser...

Страница 491: ...ation from this category the ZyWALL does not e mail debugging information however even if this setting is selected E mail Server 1 Select whether each category of events should be included in the log...

Страница 492: ...Chapter 38 Log and Report ZyWALL 110 310 1100 Series User s Guide 492 Figure 339 Configuration Log Report Log Setting Edit USB Storage...

Страница 493: ...ny log category enable normal logs green check mark send the remote server log messages and alerts for all log categories enable normal logs and debug logs yellow check mark send the remote server log...

Страница 494: ...Chapter 38 Log and Report ZyWALL 110 310 1100 Series User s Guide 494 Figure 340 Configuration Log Report Log Setting Edit Remote Server...

Страница 495: ...log facility allows you to log the messages to different files in the syslog server Please see the documentation for your syslog program for more information Active Log Selection Use the Selection dr...

Страница 496: ...ry Settings This screen provides a different view and a different way of indicating which messages are included in each log and each alert Please see Section 38 3 2 on page 489 where this process is d...

Страница 497: ...Use the E Mail Server 1 drop down list to change the settings for e mailing logs to e mail server 1 for all log categories Using the System Log drop down list to disable all logs overrides your e mail...

Страница 498: ...es when it is e mailed green check mark and or in alerts red exclamation point for the e mail settings specified in E Mail Server 1 The ZyWALL does not e mail debugging information even if it is recor...

Страница 499: ...Use the Configuration File screen see Section 39 2 on page 501 to store and name configuration files You can also download configuration files from the ZyWALL to your computer and upload configuratio...

Страница 500: ...t sub command mode Note exit or must follow sub commands if it is to make the ZyWALL exit sub command mode Figure 342 Configuration File Shell Script Example enter configuration mode configure termina...

Страница 501: ...in the configuration file or shell script The ZyWALL ignores any errors in the configuration file or shell script and applies all of the valid commands The ZyWALL still generates a log for any errors...

Страница 502: ...file If there is an error the ZyWALL generates a log and copies the startup config conf configuration file to the startup config bad conf configuration file and tries the existing lastgood conf confi...

Страница 503: ...a duplicate of the configuration file Remove Click a configuration file s row to select it and click Remove to delete it from the ZyWALL You can only delete manually saved configuration files You can...

Страница 504: ...ion this gets the ZyWALL started with a fully valid configuration file as quickly as possible Ignore errors and finish applying the configuration file this applies the valid parts of the configuration...

Страница 505: ...applied to this configuration file The ZyWALL applies configuration changes made in the Web Configurator to the configuration file when you click Apply or OK It applies configuration changes made via...

Страница 506: ...ck your new firmware version in the Dashboard screen If the upload was not successful the following message appears in the status bar at the bottom of the screen Table 202 Maintenance File Manager Fir...

Страница 507: ...ension Click Maintenance File Manager Shell Script to open the Shell Script screen Use the Shell Script screen to store name download upload and run shell script files You can store multiple shell scr...

Страница 508: ...screen without deleting the shell script file Download Click a shell script file s row to select it and click Download to save the configuration to your computer Copy Use this button to save a duplic...

Страница 509: ...ipt file from your computer to your ZyWALL File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the zysh file you want to...

Страница 510: ...screens see Section 40 4 on page 515 to have the ZyWALL save a process s core dump to an attached USB storage device if the process terminates abnormally crashes so you can send the file to customer...

Страница 511: ...is the date and time that the last diagnostic file was created The format is yyyy mm dd hh mm ss Size This is the size of the most recently created diagnostic file Copy the diagnostic file to USB sto...

Страница 512: ...sting files of the same name Change the File Suffix field s setting to avoid this Figure 356 Maintenance Diagnostics Packet Capture This column displays the number for each file entry The total number...

Страница 513: ...ve data to USB storage Select this to have the ZyWALL store packet capture entries only on a USB storage device connected to the ZyWALL if the ZyWALL allows this Status Unused the connected USB storag...

Страница 514: ...fix cap for example vlan2 packet capture cap Number Of Bytes To Capture Per Packet Specify the maximum number of bytes to capture per packet The ZyWALL automatically truncates packets that exceed this...

Страница 515: ...asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number for each packet capture file entry The tot...

Страница 516: ...n comma separated value csv format You can download them to your computer and open them in a tool like Microsoft s Excel Table 209 Maintenance Diagnostics Core Dump Files LABEL DESCRIPTION Remove Sele...

Страница 517: ...to select multiple files A pop up window asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number f...

Страница 518: ...function s settings 41 2 The Routing Status Screen The Routing Status screen allows you to view the current routing flow and quickly link to specific routing settings Click a function box in the Rout...

Страница 519: ...ure 361 Maintenance Packet Flow Explore Routing Status Direct Route Figure 362 Maintenance Packet Flow Explore Routing Status Policy Route Figure 363 Maintenance Packet Flow Explore Routing Status 1 1...

Страница 520: ...5 Maintenance Packet Flow Explore Routing Status Dynamic VPN Figure 366 Maintenance Packet Flow Explore Routing Status Static Dynamic Route Figure 367 Maintenance Packet Flow Explore Routing Status De...

Страница 521: ...sive route Persist This is the remaining time of a dynamically learned route The ZyWALL removes the route after this time period is counted down to zero The following fields are available if you click...

Страница 522: ...is the name of an interface which transmits packets out of the ZyWALL Gateway This is the IP address of the gateway in the same network of the outgoing interface The following fields are available if...

Страница 523: ...ed settings in the SNAT Table section SNAT Table The table fields in this section vary depending on the function box you select in the SNAT Flow section The following fields are available if you click...

Страница 524: ...his indicates which source IP address the SNAT rule uses finally For example Outgoing Interface IP means that the ZyWALL uses the IP address of the outgoing interface as the source IP address for the...

Страница 525: ...ve to use the write command to save the configuration before you reboot Otherwise the changes are lost when you reboot Reboot is different to reset see Section 44 1 on page 535 reset returns the devic...

Страница 526: ...off the ZyWALL or remove the power Not doing so can cause the firmware to become corrupt 43 1 1 What You Need To Know Shutdown writes all cached data to the local storage and stops the system processe...

Страница 527: ...net card is installed and functioning properly Also make sure that its IP address is in the same subnet as the ZyWALL s In the computer click Start All Programs Accessories and then Command Prompt In...

Страница 528: ...ace names is very strict Each name consists of 2 4 letters interface type followed by a number x limited by the maximum number of each type of interface For example VLAN interfaces are vlan0 vlan1 vla...

Страница 529: ...ted a cellular interface but cannot connect through it Make sure you have a compatible 3G device installed or connected See www zyxel com for details Make sure you have the cellular interface enabled...

Страница 530: ...operly in the ZyWALL You may need to configure the DDNS entry s IP Address setting to Auto if the interface has a dynamic IP address or there are one or more NAT routers between the ZyWALL and the DDN...

Страница 531: ...same pre shared key The ZyWALL s local and peer ID type and content must match the remote IPSec router s peer and local ID type and content respectively The ZyWALL and remote IPSec router must use th...

Страница 532: ...s certificate Multiple SAs connecting through a secure gateway must have the same negotiation mode The VPN connection is up but VPN traffic cannot be transmitted through the VPN tunnel If you have the...

Страница 533: ...not being applied at the configured times Make sure the ZyWALL s current date and time are correct I cannot get a certificate to import into the ZyWALL 1 For My Certificates you can import a certific...

Страница 534: ...o the Internet Check the service control rules and to ZyWALL firewall rules I uploaded a logo to display on the upper left corner of the Web Configurator login screen and access page but it does not d...

Страница 535: ...ize of all the capture files on the ZyWALL including any existing capture files and any new capture files you generate If you have existing capture files you may need to set this size larger or delete...

Страница 536: ...s on and not blinking 2 Press the RESET button and hold it until the SYS LED begins to blink This usually takes about five seconds 3 Release the RESET button and wait for the ZyWALL to restart You sho...

Страница 537: ...s 1 Reorient or relocate the receiving antenna 2 Increase the separation between the equipment and the receiver 3 Connect the equipment into an outlet on a circuit different from that to which the rec...

Страница 538: ...purpose ZyXEL shall in no event be held liable for indirect or consequential damages of any kind to the purchaser To obtain the services of this warranty contact your vendor You may also refer to the...

Страница 539: ...Direttive 2002 95 CE 2002 96 CE e 2003 108 CE relative alla riduzione dell uso di sostanze pericolose nelle apparecchiature elettriche ed elettroniche nonch allo smaltimento dei rifiuti Il simbolo del...

Страница 540: ...Appendix A Legal Information ZyWALL 110 310 1100 Series User s Guide 540...

Страница 541: ...cing login 254 idle timeout 379 logging in 254 multiple logins 380 see also users 371 Web Configurator 381 access users see also force user authentication policies account user 371 438 accounting serv...

Страница 542: ...er 400 authentication algorithms 209 306 and active protocol 306 and routing protocols 209 MD5 209 306 SHA1 306 text 209 Authentication Header see AH authentication method objects 409 and users 372 an...

Страница 543: ...Authentication Protocol CHAP 431 CHAP Challenge Handshake Authentication Protocol 431 CHAP PAP 431 CLI 20 24 button 24 messages 24 popup window 24 Reference Guide 2 client 341 cluster ID 361 commands...

Страница 544: ...es 362 device High Availability see device HA 359 DHCP 173 444 and DNS servers 174 and domain name 444 and interfaces 174 client list 77 pool 174 static DHCP 174 DHCP Unique IDentifier 107 DHCPv6 438...

Страница 545: ...ion files 499 shell scripts 499 file manager 499 file sharing SSL application create 435 Firefox 20 firewall 265 actions 273 and address groups 257 and address objects 257 and ALG 233 235 and H 323 AL...

Страница 546: ...nts 457 avoiding warning messages 466 example 465 vs HTTP 457 with Internet Explorer 465 with Netscape Navigator 465 hub and spoke VPN see VPN concentrator HyperText Transfer Protocol over Secure Sock...

Страница 547: ...Message Protocol see ICMP Internet Explorer 20 Internet Protocol Security see IPSec Internet Protocol version 6 see IPv6 IP policy routing see policy routes IP pool 321 IP protocols 390 and service ob...

Страница 548: ...efix delegation 107 prefix length 106 stateless autoconfiguration 107 IPv6 tunnelings 6in4 tunneling 140 6to4 tunneling 141 IPv6 in IPv4 tunneling 140 ISP account CHAP 431 CHAP PAP 431 MPPE 431 MSCHAP...

Страница 549: ...ement access troubleshooting 534 management access and device HA 359 Management Information Base MIB 480 manual key IPSec 288 MD5 306 memory usage 72 75 Message Digest 5 see MD5 messages CLI 24 metric...

Страница 550: ...n method 111 autonomous system AS 201 backbone 202 configuration steps 204 direction 111 link cost 111 priority 111 redistribute 203 redistribute type cost 205 routers see OSPF routers virtual links 2...

Страница 551: ...e NAT power off 526 PPP 175 troubleshooting 529 PPP interfaces subnet mask 172 PPPoE 175 and RADIUS 175 TCP port 1723 175 PPPoE PPTP interfaces 104 125 and ISP accounts 126 429 basic characteristics 1...

Страница 552: ...mir and Adleman public key algorithm RSA 419 round robin 179 routing troubleshooting 530 Routing Information Protocol see RIP routing protocols 199 and authentication algorithms 209 and Ethernet inter...

Страница 553: ...tificates 474 and zones 475 client requirements 474 encryption methods 474 for secure Telnet 475 how connection is established 473 versions 474 with Linux 476 with Microsoft Windows 475 SSL 317 321 45...

Страница 554: ...efault conf 505 T TCP 390 connections 390 port numbers 390 Telnet 476 and address groups 477 and address objects 477 and zones 477 with SSH 475 throughput rate troubleshooting 534 TightVNC 432 time 44...

Страница 555: ...3 User Datagram Protocol see UDP user group objects 371 438 user groups 371 372 438 and firewall 273 275 and policy routes 193 354 356 user name rules 374 user objects 371 438 user portal links 432 lo...

Страница 556: ...e firewall 267 basic troubleshooting 531 hub and spoke see VPN concentrator IKE SA see IKE SA IPSec 281 IPSec SA proposal 306 security associations SA 283 see also IKE SA see also IPSec 281 see also I...

Страница 557: ...d authentication method objects 460 and certificates 459 and zones 461 see also HTTP HTTPS 457 Z zipped files troubleshooting 529 zones 211 and firewall 265 271 and FTP 479 and interfaces 211 and SNMP...

Страница 558: ...Index ZyWALL 110 310 1100 Series User s Guide 558...

Страница 559: ...Index ZyWALL 110 310 1100 Series User s Guide 559...

Страница 560: ...Index ZyWALL 110 310 1100 Series User s Guide 560...

Страница 561: ...Index ZyWALL 110 310 1100 Series User s Guide 561...

Страница 562: ...Index ZyWALL 110 310 1100 Series User s Guide 562...

Отзывы:

Нет отзывов