ZyXEL Communications ZyXEL ZyWALL P1 Скачать руководство пользователя страница 123

Страница: 123 / 369

ZyWALL P1 User’s Guide

122

Chapter 7 Firewall Screens

One Minute High

This is the rate of new half-open sessions that causes the firewall to start deleting

half-open sessions. When the rate of new connection attempts rises above this

number, the ZyWALL deletes half-open sessions as required to accommodate

new connection attempts.
The numbers, say 80 in the

One Minute Low

field and 100 in this field, cause the

ZyWALL to start deleting half-open sessions when more than 100 session

establishment attempts have been detected in the last minute, and to stop

deleting half-open sessions when fewer than 80 session establishment attempts

have been detected in the last minute.

Maximum

Incomplete Low

This is the number of existing half-open sessions that causes the firewall to stop

deleting half-open sessions. The ZyWALL continues to delete half-open requests

as necessary, until the number of existing half-open sessions drops below this

number.

Maximum

Incomplete High

This is the number of existing half-open sessions that causes the firewall to start

deleting half-open sessions. When the number of existing half-open sessions

rises above this number, the ZyWALL deletes half-open sessions as required to

accommodate new connection requests. Do not set

Maximum Incomplete High

to lower than the current

Maximum

Incomplete

Low

number.

The above values, say 80 in the

Maximum Incomplete Low

field and 100 in this

field, cause the ZyWALL to start deleting half-open sessions when the number of

existing half-open sessions rises above 100, and to stop deleting half-open

sessions with the number of existing half-open sessions drops below 80.

TCP Maximum

Incomplete

This is the number of existing half-open TCP sessions with the same destination

host IP address that causes the firewall to start dropping half-open sessions to

that same destination host IP address. Enter a number between 1 and 256. As a

general rule, you should choose a smaller number for a smaller network, a slower

system or limited bandwidth.

Action taken when

the TCP Maximum

Incomplete

threshold is

reached.

Delete the oldest

half open session

when new

connection request

comes

Select this radio button to clear the oldest half open session when a new

connection request comes.

Deny new

connection request

for

Select this radio button and specify for how long the ZyWALL should block new

connection requests when

TCP Maximum Incomplete

is reached.

Enter the length of blocking time in minutes (between 1 and 256).

Apply

Click

Apply

to save your changes back to the ZyWALL.

Reset Click

Reset

to begin configuring this screen afresh.

Table 36

Firewall: Threshold (continued)

LABEL

DESCRIPTION

Содержание ZyXEL ZyWALL P1

Страница 1: ...ZyWALL P1 Internet Security Appliance User s Guide Version 3 64 8 2005...

Страница 2: ...EL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does it conv...

Страница 3: ...ccordance with the instructions may cause harmful interference to radio communications If this equipment does cause harmful interference to radio television reception which can be determined by turnin...

Страница 4: ...ly is damaged remove it from the power outlet Do NOT attempt to repair the power supply Contact your local vendor to order a new power supply Place connecting cables carefully so that no one will step...

Страница 5: ...er to the purchaser To obtain the services of this warranty contact ZyXEL s Service Center for your Return Material Authorization number RMA Products must be returned Postage Prepaid It is recommended...

Страница 6: ...ater pipes will be damaged Do NOT install nor use your device during a thunderstorm There may be a remote risk of electric shock from lightning Do NOT expose your device to dampness dust or corrosive...

Страница 7: ...5 2860 Soeborg Denmark sales zyxel dk 45 39 55 07 07 FINLAND support zyxel fi 358 9 4780 8411 www zyxel fi ZyXEL Communications Oy Malminkaari 10 00700 Helsinki Finland sales zyxel fi 358 9 4780 8448...

Страница 8: ...co uk ZyXEL Communications UK Ltd 11 The Courtyard Eastern Road Bracknell Berkshire RG12 2XB United Kingdom UK sales zyxel co uk 44 0 1344 303034 ftp zyxel co uk a is the prefix number you enter to ma...

Страница 9: ...ZyWALL P1 User s Guide 8 Customer Support...

Страница 10: ...2 Non Physical Features 32 1 3 Applications 35 1 3 1 Secure Network Access for Telecommuters 35 1 3 2 LAN Network Protection 35 1 4 ZyWALL Hardware Connection 36 1 5 Front Panel LED 36 Chapter 2 Intro...

Страница 11: ...ss 59 3 3 4 1 Dynamic Secure Gateway Address 59 3 3 5 VPN Wizard Gateway Policy Setting 59 3 3 6 VPN Wizard Network Setting 60 3 3 7 IKE Phases 62 3 3 7 1 Negotiation Mode 63 3 3 7 2 Pre Shared Key 63...

Страница 12: ...w 91 6 2 Types of Firewalls 91 6 2 1 Packet Filtering Firewalls 91 6 2 2 Application level Firewalls 91 6 2 3 Stateful Inspection Firewalls 92 6 3 Introduction to ZyXEL s Firewall 92 6 4 Denial of Ser...

Страница 13: ...7 5 Alerts 106 7 6 Configuring Firewall 107 7 6 1 Rule Summary 107 7 6 2 Configuring Firewall Rules 109 7 6 3 Configuring Custom Services 112 7 7 Example Firewall Rule 112 7 8 Predefined Services 116...

Страница 14: ...1 9 4 2 Nailed Up 131 9 5 NAT Traversal 131 9 5 1 NAT Traversal Configuration 132 9 5 2 X Auth Extended Authentication 132 9 5 3 Authentication Server 132 9 6 ID Type and Content 133 9 6 1 ID Type and...

Страница 15: ...ate Details 171 10 16 Directory Servers 174 10 17 Add or Edit a Directory Server 175 Chapter 11 Network Address Translation NAT 177 11 1 NAT Overview 177 11 1 1 NAT Definitions 177 11 1 2 What NAT Doe...

Страница 16: ...irements for Using SSH 202 13 8 Configuring SSH 202 13 9 Secure Telnet Using SSH Examples 203 13 9 1 Example 1 Microsoft Windows 203 13 9 2 Example 2 Linux 203 13 10 Secure FTP Using SSH Example 204 1...

Страница 17: ...ance 235 16 1 Maintenance Overview 235 16 1 1 General Setup and System Name 235 16 1 2 Domain Name 235 16 2 Configuring Password 236 16 3 Pre defined NTP Time Servers List 237 16 4 Configuring Time an...

Страница 18: ...Troubleshooting 257 18 1 Problems Starting Up the ZyWALL 257 18 2 Problems Accessing the ZyWALL 258 18 2 1 Pop up Windows JavaScripts and Java Permissions 258 18 2 1 1 Internet Explorer Pop up Blocker...

Страница 19: ...ng Certificates 317 Appendix I Command Interpreter 329 Appendix J Firewall Commands 331 Appendix K NetBIOS Filter Commands 337 Appendix L Certificates Commands 341 Appendix M Brute Force Password Gues...

Страница 20: ...e 14 Internet Access Wizard PPTP Encapsulation 57 Figure 15 Internet Access Wizard Complete 58 Figure 16 VPN Wizard Gateway Policy Setting 60 Figure 17 VPN Wizard Network Setting 61 Figure 18 Two Phas...

Страница 21: ...les IKE Network Policy 141 Figure 56 VPN Rule IKE VPN Activation 144 Figure 57 VPN SA Monitor 145 Figure 58 VPN Global Setting 146 Figure 59 Telecommuters Sharing One VPN Rule Example 147 Figure 60 Te...

Страница 22: ...icate 200 Figure 96 SSH Communication Example 200 Figure 97 How SSH Works 201 Figure 98 SSH 202 Figure 99 SSH Example 1 Store Host Key 203 Figure 100 SSH Example 2 Test 204 Figure 101 SSH Example 2 Lo...

Страница 23: ...re 144 Security Settings Java 264 Figure 145 Java Sun 265 Figure 146 WIndows 95 98 Me Network Configuration 270 Figure 147 Windows 95 98 Me TCP IP Properties IP Address 271 Figure 148 Windows 95 98 Me...

Страница 24: ...e 315 Figure 186 Security Certificate 317 Figure 187 Login Screen 318 Figure 188 Certificate General Information before Import 318 Figure 189 Certificate Import Wizard 1 319 Figure 190 Certificate Imp...

Страница 25: ...ZyWALL P1 User s Guide 24 List of Figures...

Страница 26: ...Table 15 VPN Wizard IKE Tunnel Setting 66 Table 16 VPN Wizard IPSec Setting 67 Table 17 VPN Wizard VPN Status 69 Table 18 LAN LAN 76 Table 19 LAN Static DHCP 78 Table 20 Example of Network Properties...

Страница 27: ...tificate My Certificate Create 156 Table 53 Certificate My Certificate Details 160 Table 54 Certificates Trusted CAs 162 Table 55 Certificates Trusted CA Import 164 Table 56 Certificates Trusted CA De...

Страница 28: ...ng the ZyWALL 258 Table 99 Troubleshooting the LAN Interface 265 Table 100 Troubleshooting the WAN Interface 266 Table 101 Troubleshooting Internet Access 266 Table 102 Troubleshooting the Password 26...

Страница 29: ...350 Table 129 CDR Logs 350 Table 130 PPP Logs 350 Table 131 UPnP Logs 351 Table 132 Content Filtering Logs 351 Table 133 Attack Logs 352 Table 134 IPSec Logs 353 Table 135 IKE Logs 353 Table 136 PKI...

Страница 30: ...Guide is designed to help you get up and running right away It contains a detailed easy to follow connection diagram default settings handy checklists and information on setting up your network and c...

Страница 31: ...our mouse pointer to Control Panels and then click Modem For brevity s sake we will use e g as a shorthand for for instance and i e for that is or in other words throughout this manual The ZyWALL P1 I...

Страница 32: ...solution that protects your computer In addition the embedded web configurator is easy to operate 1 2 ZyWALL Features The following sections describe ZyWALL features 1 2 1 Physical Features 10 100 Mb...

Страница 33: ...provide secure communications without the expense of leased site to site lines The ZyWALL VPN is based on the IPSec standard and is fully interoperable with other IPSec based VPN products X Auth Exte...

Страница 34: ...er of data from a remote client to a private server creating a Virtual Private Network VPN using a TCP IP based network PPTP supports on demand multi protocol and virtual private networking over publi...

Страница 35: ...nt IP address known within another network for example a public IP address used on the Internet Port Forwarding Use this feature to forward incoming service requests to a server on your local network...

Страница 36: ...ork example A telecommunter can simply connect the pre configured ZyWALL and enter the VPN account information to establish a VPN connection through the Internet to headquaters Figure 1 Application Te...

Страница 37: ...WALL Figure 2 Application LAN Network Protection 1 4 ZyWALL Hardware Connection Refer to the Quick Start Guide for information on hardware connection and basic setup 1 5 Front Panel LED The LED and po...

Страница 38: ...N connection Blinking The 100M WAN is sending or receiving packets VPN Off The ZyWALL does not have a VON connection Green On The ZyWALL has a successful VPN connection Blinking The ZyWALL is receivin...

Страница 39: ...ZyWALL P1 User s Guide 38 Chapter 1 Getting to Know Your ZyWALL...

Страница 40: ...browser pop up windows from your device Web pop up blocking is enabled by default in Windows XP SP Service Pack 2 JavaScripts enabled by default Java permissions enabled by default See the Troublesho...

Страница 41: ...some versions the default password appears automatically if this is the case click Login Figure 5 Web Configurator Login Screen 7 You should see a screen asking you to change your password highly reco...

Страница 42: ...reen see Figure 8 on page 43 Note The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires default five minutes Simply log back into...

Страница 43: ...le pressing the RESET button turn the ZyWALL on 4 Continue to hold the RESET button The PWR LED will begin to blink This indicates that the defaults have been restored Release the RESET button 5 Wait...

Страница 44: ...screen Table 3 Web Configurator HOME LABEL DESCRIPTION Wizards for Quick Setup Internet Access Click Internet Access to use the initial configuration wizard VPN Wizard Click VPN Wizard to create VPN...

Страница 45: ...rom green to red when the maximum is being approached Network Status Interface This is the port type Port types are WAN and LAN Status For the LAN port this displays the port speed and duplex setting...

Страница 46: ...obing Use this screen to change your anti probing settings Threshold Use this screen to configure the threshold for DoS attacks VPN VPN Rules IKE Use this screen to configure VPN connections using IKE...

Страница 47: ...to configure through which interface s and from which IP address es users can send DNS queries to the ZyWALL CNM Use this screen to configure your ZyWALL s CNM Central Network Management settings to a...

Страница 48: ...using the ZyWALL s DHCP server Table 5 Home Show Statistics LABEL DESCRIPTION Port This is the WAN or LAN port Status This displays the port speed and duplex setting if you re using Ethernet encapsula...

Страница 49: ...his field displays the computer host name MAC Address The MAC Media Access Control or Ethernet address on a LAN Local Area Network is unique to your computer six pairs of hexadecimal notation A networ...

Страница 50: ...ion name for this VPN policy Encapsulation This field displays Tunnel or Transport mode IPSec Algorithm This field displays the security protocols used for an SA Both AH and ESP increase ZyWALL proces...

Страница 51: ...ZyWALL P1 User s Guide 50 Chapter 2 Introducing the Web Configurator...

Страница 52: ...d blank if you don t have that information 3 2 1 ISP Parameters The ZyWALL offers three choices of encapsulation They are Ethernet PPTP or PPPoE 3 2 2 WAN and DNS The second wizard screen allows you t...

Страница 53: ...blished If this is the case it is recommended that you select a network number from 192 168 0 0 to 192 168 255 0 and you must enable the Network Address Translation NAT feature of the ZyWALL The Inter...

Страница 54: ...r address from the ISP 3 You can manually enter the IP addresses of other DNS servers These servers can be public or private A DNS server could even be behind a remote IPSec router 3 2 2 4 Ethernet Fo...

Страница 55: ...as it requires no specific configuration of the broadband modem at the subscriber s site Table 9 Internet Access Wizard Ethernet Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Enc...

Страница 56: ...E Figure 13 Internet Access Wizard PPPoE Encapsulation The following table describes the related labels in this screen Table 10 Internet Access Wizard PPPoE Encapsulation LABEL DESCRIPTION ISP Paramet...

Страница 57: ...demand multi protocol and virtual private networking over public networks such as the Internet Note Refer to Appendix D on page 291 for more information on PPTP The ZyWALL supports one PPTP server con...

Страница 58: ...m the drop down list box User Name Type the user name given to you by your ISP Password Type the password associated with the User Name above Retype Password Type your password again for confirmation...

Страница 59: ...s services used to transport traffic over the Internet or any insecure network that uses the TCP IP protocol suite for communication Use the VPN wizard screens to configure a VPN rule that use a pre s...

Страница 60: ...e gateway has a static WAN IP address enter it in the Secure Gateway Address field You may alternatively enter the remote secure gateway s domain name if it has one in the Secure Gateway Address field...

Страница 61: ...ny time Table 12 VPN Wizard Gateway Policy Setting LABEL DESCRIPTION Gateway Policy Property Name Type up to 32 characters to identify this VPN gateway policy You may use any character including space...

Страница 62: ...d is configured to Single enter a static IP address on the LAN behind your ZyWALL When the Local Network field is configured to Range IP enter the beginning static IP address in a range of computers o...

Страница 63: ...d the IPSec SA stays connected Starting IP Address When the Remote Network field is configured to Single enter a static IP address on the network behind the remote IPSec router When the Remote Network...

Страница 64: ...6 messages in three round trips SA negotiation Diffie Hellman exchange and an exchange of nonces a nonce is a random number This mode features identity protection your identity is not revealed in the...

Страница 65: ...is built from the authentication provided by the AH and ESP protocols The primary function of key management is to establish and maintain the SA between systems Once the SA is established the transpo...

Страница 66: ...oubling the strength of DES AES Advanced Encryption Standard is a newer method of data encryption that also uses a secret key This implementation of AES applies a 128 bit key to 128 bit blocks of data...

Страница 67: ...uires more processing power resulting in increased latency and decreased throughput This implementation of AES uses a 128 bit key AES is faster than 3DES Authentication Algorithm MD5 Message Digest 5...

Страница 68: ...with a 0x zero x which is not counted as part of the 16 to 62 character range for the key For example in 0x0123456789ABCDEF 0x denotes that the key is hexadecimal and 0123456789ABCDEF is the key itse...

Страница 69: ...Message Digest 5 and SHA1 Secure Hash Algorithm are hash algorithms used to authenticate packet data The SHA1 algorithm is generally considered stronger than MD5 but is slower Select MD5 for minimal s...

Страница 70: ...is not applicable When the local network is configured for a range IP address this is the end static IP address in a range of computers on the LAN behind your ZyWALL When the local network is configur...

Страница 71: ...ly renegotiates Pre Shared Key This is a pre shared key identifying a communicating party during a phase 1 IKE negotiation IPSec Setting IKE Phase 2 Encapsulation Mode This shows Tunnel mode or Transp...

Страница 72: ...ZyWALL P1 User s Guide Chapter 3 Wizard Setup 71 Figure 22 VPN Wizard Complete...

Страница 73: ...ZyWALL P1 User s Guide 72 Chapter 3 Wizard Setup...

Страница 74: ...e another DHCP server on your LAN or else the computer must be manually configured 4 2 1 IP Pool Setup The ZyWALL is pre configured to provide one IP address of 169 254 1 33 to a DHCP client This conf...

Страница 75: ...controls the sending and receiving of RIP packets When set to Both or Out Only the ZyWALL will broadcast its routing table periodically When set to Both or In Only it will incorporate the RIP informat...

Страница 76: ...ss D IP address is used to identify host groups and can be in the range 224 0 0 0 to 239 255 255 255 The address 224 0 0 0 is not assigned to any group and is used by IP multicast computers The addres...

Страница 77: ...oadcasting while RIP 2M uses multicasting Multicasting can reduce the load on non router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packet...

Страница 78: ...anges to None after you click Apply Select DNS Relay to have the ZyWALL act as a DNS proxy The ZyWALL s LAN IP address displays in the field to the right read only The ZyWALL tells the DHCP client on...

Страница 79: ...number of the Static IP table entry row MAC Address Type the MAC address with colons of a computer on your LAN IP Address Type the IP address that you want to assign to the computer on your LAN Alter...

Страница 80: ...en 1 and 15 a number greater than 15 means the link is down The smaller the number the lower the cost The metric sets the priority for the ZyWALL s routes to the Internet Each route must have a unique...

Страница 81: ...ic Input Output System are TCP or UDP packets that enable a computer to connect to and communicate with a LAN For some dial up services such as PPPoE or PPTP NetBIOS packets cause unwanted calls Allow...

Страница 82: ...nager authentication method RR Toshiba Roadrunner Toshiba authentication method or Telia Login The following fields do not appear with the Standard service type User Name Type the user name given to y...

Страница 83: ...ng information with other routers The RIP Direction field controls the sending and receiving of RIP packets Choose Both None In Only or Out Only When set to Both or Out Only the ZyWALL will broadcast...

Страница 84: ...hat part of the task Furthermore with NAT all of the LANs computers will have access The screen shown next is for PPPoE encapsulation Multicast Version Choose None default IGMP V1 or IGMP V2 IGMP Inte...

Страница 85: ...uter interacts with a broadband modem i e DSL cable wireless etc connection Operationally PPPoE saves significant effort for both the end user and ISP carrier as it requires no specific configuration...

Страница 86: ...g a Virtual Private Network VPN using TCP IP based networks PPTP supports on demand multi protocol and virtual private networking over public networks such as the Internet The screen shown next is for...

Страница 87: ...otocol that enables secure transfer of data from a remote client to a private server creating a Virtual Private Network VPN using TCP IP based networks PPTP supports on demand multi protocol and virtu...

Страница 88: ...vider s website and register a user account and a domain name before you can use the Dynamic DNS service with your ZyWALL 5 4 1 DYNDNS Wildcard Enabling the wildcard feature for your host causes yourh...

Страница 89: ...ype of service that you are registered for from your Dynamic DNS service provider Select Dynamic DNS if you have the Dynamic DNS service Select Static DNS if you have the Static DNS service Select Cus...

Страница 90: ...DNS server auto detect IP Address only when there are one or more NAT routers between the ZyWALL and the DDNS server This feature has the DDNS server automatically detect and use the IP address of the...

Страница 91: ...ZyWALL P1 User s Guide 90 Chapter 5 WAN Screens...

Страница 92: ...ll to guard effectively you must design and deploy it appropriately This requires integrating the firewall into a broad information security policy In addition specific policies must be implemented wi...

Страница 93: ...roxies support See Section 6 5 on page 97 for more information on Stateful Inspection Firewalls of one type or another have become an integral part of standard security solutions for enterprises 6 3 I...

Страница 94: ...xtension number called the TCP port or UDP port identifies these protocols such as HTTP Web FTP File Transfer Protocol POP3 E mail etc For example Web traffic by default uses TCP port 80 When computer...

Страница 95: ...ment looks like the original IP packet except that it contains an offset field that says for instance This fragment is carrying bytes 200 through 400 of the original non fragmented IP packet The Teard...

Страница 96: ...arget system tries to respond to itself A brute force attack such as a Smurf attack targets a feature in the IP specification known as directed or subnet broadcasting to quickly flood the target netwo...

Страница 97: ...ing ICMP types trigger an alert 6 4 2 2 Illegal Commands NetBIOS and SMTP The only legal NetBIOS commands are the following all others are illegal Table 27 ICMP Commands That Trigger Alerts 5 REDIRECT...

Страница 98: ...llowed through the router or firewall The ZyWALL blocks all IP Spoofing attempts 6 5 Stateful Inspection With stateful inspection fields of the packets are compared to packets that are already known t...

Страница 99: ...information about the state of the packet s connection This information is recorded in a new state table entry created for the new connection If there is not a firewall rule for this packet and it is...

Страница 100: ...m rules work by evaluating the network traffic s Source IP address Destination IP address IP protocol type and comparing these to rules set by the administrator Note The ability to define firewall rul...

Страница 101: ...ituation exists for ICMP except that the ZyWALL is even more restrictive Specifically only outgoing echoes will allow incoming echo replies outgoing address mask requests will allow incoming address m...

Страница 102: ...rvices to communicate only with specific peers and protect by configuring rules to block packets for the services at specific interfaces 6 Protect against IP spoofing by making sure the firewall is ac...

Страница 103: ...rk session rather than control individual packets in a session The firewall provides e mail service to notify you of routine reports and when alerts occur 6 7 2 1 When To Use The Firewall 1 To prevent...

Страница 104: ...ed based on the direction of travel of packets to which they apply By default the ZyWALL s stateful packet inspection allows packets traveling in the following directions LAN to LAN ZyWALL This allows...

Страница 105: ...nts carefully before configuring rules 7 3 1 Rule Checklist 1 State the intent of the rule For example This restricts all IRC access from the LAN to the Internet Or This allows a remote Lotus Notes se...

Страница 106: ...vice is not listed it is necessary to first define it See Section 7 8 on page 116 for more information on predefined services 7 3 3 3 Source Address What is the connection s source address is it on th...

Страница 107: ...for WAN to LAN traffic blocks all incoming connections WAN to LAN If you wish to allow certain WAN users to have access to your LAN you will need to create custom rules to allow it See the following...

Страница 108: ...ngle route topology on the network See Appendix E on page 295 for more on triangle route topology Packet Direction This is the direction of travel of packets LAN to LAN ZyWALL LAN to WAN WAN to LAN WA...

Страница 109: ...arized below take priority over the general firewall action settings above Rule This is your firewall rule number The ordering of your rules is important as rules are applied in turn Click to expand o...

Страница 110: ...Click the edit icon to go to the screen where you can edit the rule Click the delete icon to delete an existing firewall rule A window display asking you to confirm that you want to delete the firewal...

Страница 111: ...ZyWALL P1 User s Guide 110 Chapter 7 Firewall Screens Figure 39 Firewall Creating Editing A Firewall Rule The following table describes the labels in this screen...

Страница 112: ...rvice from the Available Services box on the left then click to add it to the Selected Service s box on the right To remove a service highlight it in the Selected Service s box on the right then click...

Страница 113: ...ule The following Internet firewall rule example allows a hypothetical My Service connection from the Internet Apply Click Apply to save your customized settings and exit this screen Cancel Click Canc...

Страница 114: ...ule Summary screen type the index number for where you want to put the rule For example if you type 6 your new rule becomes number 6 and the previous rule 6 if there is one becomes rule 7 3 Click Inse...

Страница 115: ...and click Apply Figure 43 Firewall Example Edit Custom Service 7 In the Edit Rule screen use the arrows between Available Services and Selected Service s to configure it as follows Click Apply when yo...

Страница 116: ...ZyWALL P1 User s Guide Chapter 7 Firewall Screens 115 Figure 44 Firewall Example My Service Rule Configuration...

Страница 117: ...that defines the service Note that there may be more than one IP protocol type For example look at the default configuration labeled DNS UDP TCP 53 means UDP port 53 and TCP port 53 Custom services m...

Страница 118: ...ble a computer to connect to and communicate with a LAN NEWS TCP 144 A protocol for news groups NFS UDP 2049 Network File System NFS is a client server distributed file service that provides transpare...

Страница 119: ...Program SNMP TRAPS TCP UDP 162 Traps for use with the SNMP RFC 1215 SQL NET TCP 1521 Structured Query Language is an interface to access data on many different types of database systems including main...

Страница 120: ...s on the LAN and WAN Do not respond to requests for unauthorized services Select this option to prevent hackers from finding the ZyWALL by probing for unused ports If you select this option the ZyWALL...

Страница 121: ...olute number or measured as the arrival rate could indicate that a Denial of Service attack is occurring The ZyWALL measures both the total number of existing half open sessions and the rate of sessio...

Страница 122: ...ection requests to the host giving the server time to handle the present connections The ZyWALL continues to block all new connection requests until the Blocking Time expires The ZyWALL also sends ale...

Страница 123: ...nnection requests Do not set Maximum Incomplete High to lower than the current Maximum Incomplete Low number The above values say 80 in the Maximum Incomplete Low field and 100 in this field cause the...

Страница 124: ...r secure data communications across a public network like the Internet IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrity and authenticat...

Страница 125: ...VPN applications 8 1 4 1 Linking Two or More Private Networks Together Connect branch offices and business partners over the Internet with significant cost savings and improved performance when compar...

Страница 126: ...ithms The Encryption Algorithm describes the use of encryption techniques such as DES Data Encryption Standard AES Advanced Encryption Standard and Triple DES algorithms The Authentication Algorithms...

Страница 127: ...forward into the IP header to verify the integrity of the entire packet by use of portions of the original IP header in the hashing process 8 3 2 Tunnel Mode Tunnel mode encapsulates the entire IP pa...

Страница 128: ...ESP in Tunnel mode encapsulates the entire original packet including headers in a new IP packet The new IP packet s source address is the outbound address of the sending VPN gateway and its destinati...

Страница 129: ...ZyWALL P1 User s Guide 128 Chapter 8 Introduction to IPSec...

Страница 130: ...ed for integrity authentication sequence integrity replay resistance and non repudiation but not for confidentiality for which the ESP was designed In applications where confidentiality is not require...

Страница 131: ...of data encryption using a secret key DES applies a 56 bit key to each 64 bit block of data 3DES Triple DES 3DES is a variant of DES which iterates three times with three separate keys 3 x 56 168 bits...

Страница 132: ...ress may be configured as 0 0 0 0 only when using IKE key management and not Manual key management 9 4 2 Nailed Up When you initiate an IPSec tunnel with nailed up enabled the ZyWALL automatically ren...

Страница 133: ...tunnel mode Use IKE keying mode Enable NAT traversal on both IPSec endpoints In order for IPSec router A see Figure 51 on page 132 to receive an initiating IPSec packet from IPSec router B set the NAT...

Страница 134: ...lgorithms DES 3DES and AES two authentication algorithms MD5 and SHA1 and two key groups DH1 and DH2 when you configure a VPN rule see Section 9 8 2 on page 140 The ID type and content act as an extra...

Страница 135: ...which to identify the remote IPSec router This option is available only when you set Authentication Method to Certificate The domain name or e mail address that you use in the Content field is used fo...

Страница 136: ...tic Click VPN display the VPN Rules IKE screen This is a read only menu of your IPSec rule tunnel To add a rule click the add icon Edit an IPSec rule by clicking the edit icon to configure the associa...

Страница 137: ...routers between the two IPSec routers The remote IPSec router must also have NAT traversal enabled You can use NAT traversal with ESP protocol using Transport or Tunnel mode but not with AH protocol n...

Страница 138: ...own list box to select the certificate to use for this VPN tunnel You must have certificates already configured in the My Certificates screen Click My Certificates to go to the My Certificates screen...

Страница 139: ...n name or e mail address by which to identify the remote IPSec router Use up to 31 ASCII characters including spaces although trailing spaces are truncated The domain name or e mail address is for ide...

Страница 140: ...168 bit key As a result 3DES is more secure than DES It also requires more processing power resulting in increased latency and decreased throughput This implementation of AES uses a 128 bit key AES is...

Страница 141: ...the policy name Local Network This field displays one or a range of IP address es of the computer s behind the ZyWALL Remote Network This field displays one or a range of IP address es of the remote...

Страница 142: ...IKE Add Policy LABEL DESCRIPTION Active Select this check box to activate this VPN tunnel This option determines whether a VPN rule is applied Name Type a name to identify this VPN policy You may use...

Страница 143: ...ame Two active SAs can have the same local or remote IP address but not both You can configure multiple SAs between the same local and remote IP addresses as long as only one is active at any time Add...

Страница 144: ...er must know the same secret key which can be used to encrypt and decrypt the message or to generate and verify a message authentication code The DES encryption algorithm uses a 56 bit key Triple DES...

Страница 145: ...ead only The following table describes the fields in this tab Enable Multiple Proposal Select this check box to allow the ZyWALL to use any of its phase 1 or phase 2 encryption and authentication algo...

Страница 146: ...screen appears as shown Table 46 SA Monitor LABEL DESCRIPTION This is the security association index number Name This field displays the identification name for this VPN policy Local Network This fiel...

Страница 147: ...ply with an acknowledgement the ZyWALL automatically disconnects the VPN tunnel Enter 0 to disable this feature Input Idle Timer Enter the time period between 30 and 3600 seconds to wait before the Zy...

Страница 148: ...use Dynamic DNS to do this With aggressive negotiation mode see Section 3 3 7 1 on page 63 the ZyWALL can use the ID types and contents to distinguish between VPN rules Telecommuters can each use a s...

Страница 149: ...HEADQUARTERS All Telecommuter Rules All Headquarters Rules My IP Address 0 0 0 0 My IP Address bigcompanyhq com Secure Gateway Address bigcompanyhq com Local IP Address 192 168 1 10 Remote IP Address...

Страница 150: ...low access for that service Telecommuter C telecommuterc dydns org Headquarters ZyWALL Rule 3 Local ID Type E mail Peer ID Type E mail Local ID Content myVPN myplace com Peer ID Content myVPN myplace...

Страница 151: ...ZyWALL P1 User s Guide 150 Chapter 9 VPN Screens...

Страница 152: ...ryption in general works as follows 1 Tim wants to send a private message to Jenny Tim generates a public key pair What is encrypted with one key can only be decrypted using the other 2 Tim keeps the...

Страница 153: ...ed to transmit private keys 10 2 Self signed Certificates Until public key infrastructure becomes more mature it may not be available in some areas You can have the ZyWALL act as a certification autho...

Страница 154: ...address This field displays the certificate index number The certificates are listed in alphabetical order Name This field displays the name used to identify this certificate It is recommended that yo...

Страница 155: ...certificate is about to expire or has already expired Modify Click the details icon to open a screen with an in depth list of information about the certificate Click the delete icon to remove the cer...

Страница 156: ...onding certification request that was generated by the ZyWALL The certificate you import replaces the corresponding request in the My Certificates screen You must remove any spaces from the certificat...

Страница 157: ...te The following table describes the labels in this screen Table 52 Certificate My Certificate Create LABEL DESCRIPTION Certificate Name Type up to 31 ASCII characters not including spaces to identify...

Страница 158: ...a request for a certificate Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority Copy the certification request from the My Certif...

Страница 159: ...TES and then My Certificates to open the My Certificates screen see Figure 62 on page 153 Click the details icon to open the My Certificate Details screen You can use this screen to view in depth cert...

Страница 160: ...ZyWALL P1 User s Guide Chapter 10 Certificates 159 Figure 65 Certificate My Certificate Details The following table describes the labels in this screen...

Страница 161: ...his field displays general information about the certificate CA signed means that a Certification Authority signed the certificate Self signed means that the certificate s owner signed the certificate...

Страница 162: ...WALL calculated using the MD5 algorithm SHA1 Fingerprint This is the certificate s message digest that the ZyWALL calculated using the SHA1 algorithm Certificate in PEM Base 64 Encoded Format This rea...

Страница 163: ...bject This field displays identifying information about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended th...

Страница 164: ...has issued and you have selected the Issues certificate revocation lists CRL check box in the certificate s details screen to have the ZyWALL check the CRL before trusting any certificates issued by...

Страница 165: ...ame and set whether or not you want the ZyWALL to check a certification authority s list of revoked certificates before trusting a certificate issued by the certification authority Table 55 Certificat...

Страница 166: ...name type up to 31 characters to identify this key certificate You may use any character not including spaces Property Check incoming certificates issued by this CA against a CRL Select this check box...

Страница 167: ...ing certification authority such as Common Name Organizational Unit Organization and Country With self signed certificates this is the same information as in the Subject Name field Signature Algorithm...

Страница 168: ...rtificate SHA1 Fingerprint This is the certificate s message digest that the ZyWALL calculated using the SHA1 algorithm You can use this value to verify with the certification authority over the phone...

Страница 169: ...cate on the ZyWALL that the ZyWALL uses to sign the trusted remote host certificates This field displays the certificate index number The certificates are listed in alphabetical order Name This field...

Страница 170: ...the remote host s certificate saved on your computer 2 Make sure that the certificate has a cer or crt file name extension Figure 70 Remote Host Certificates 3 Double click the certificate s icon to o...

Страница 171: ...Remote Host s Certificate Click CERTIFICATES Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen Follow the instructions in...

Страница 172: ...emote Host Details screen You can use this screen to view in depth information about the trusted remote host s certificate and or change the certificate s name Table 58 Certificates Trusted Remote Hos...

Страница 173: ...1 characters to identify this key certificate You may use any character not including spaces Certification Path Click the Refresh button to have this read only text box display the end entity s own ce...

Страница 174: ...ired message if the certificate is about to expire or has already expired Key Algorithm This field displays the type of algorithm that was used to generate the certificate s key pair the ZyWALL uses R...

Страница 175: ...e labels in this screen Certificate in PEM Base 64 Encoded Format This read only text box displays the certificate or certification request in Privacy Enhanced Mail PEM format PEM uses 64 ASCII charac...

Страница 176: ...xpired or unnecessary certificates before adding more certificates The index number of the directory server The servers are listed in alphabetical order Name This field displays the name used to ident...

Страница 177: ...decimal notation or the domain name of the directory server Server Port This field displays the default server port number of the protocol that you select in the Access Protocol field You may change...

Страница 178: ...e IP address of a host when the packet is in the local network while the global address refers to the IP address of the host when the same packet is traveling in the WAN side Note that inside outside...

Страница 179: ...ALL filters out all incoming inquiries thus preventing intruders from probing your network For more information on IP address translation refer to RFC 1631 The IP Network Address Translator NAT 11 1 3...

Страница 180: ...to a unique global IP address Server This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world Note Port numbers do not change for One...

Страница 181: ...host to have at one time Enable NAT Select this check box to turn on the NAT feature for the WAN port Clear this check box to turn off the NAT feature for the WAN port Note Your ZyWALL supports SUA w...

Страница 182: ...P accounts do not allow you to run any server processes such as a Web or FTP server from your location Your ISP may periodically check for servers and may suspend your account if it discovers any acti...

Страница 183: ...her B in the example and assign a default server IP address of 192 168 1 35 to a third C in the example You assign the LAN IP addresses and the ISP assigns the WAN IP address The NAT network appears a...

Страница 184: ...s 192 168 1 34 Both servers use port 80 The letters a b c d represent the WAN port s IP address The ZyWALL translates port 8080 of traffic received on the WAN port IP address a b c d to port 80 and se...

Страница 185: ...ers This is the number of an individual port forwarding server entry Active Select this check box to enable the port forwarding server entry Clear this check box to disallow forwarding of these ports...

Страница 186: ...nd protocol incoming port the ZyWALL forwards the traffic to the LAN IP address of the computer that sent the request After that computer s connection for that service closes another computer on the L...

Страница 187: ...articular service The ZyWALL forwards the traffic with this port or range of ports to the client computer on the LAN that requested the service Start Port Type a port number or the starting port numbe...

Страница 188: ...k N3 because it doesn t know that there is a route through the same remote node Router 1 via gateway Router 2 The static routes are for you to tell the ZyWALL about the networks beyond the remote node...

Страница 189: ...ute Active This field shows whether this static route is active Yes or not No Destination This parameter specifies the IP network address of the final destination Routing is always based on network nu...

Страница 190: ...ss Enter the IP address of the gateway The gateway is a router or switch on the same network segment as the device s LAN or WAN port The gateway helps forward packets to their destinations Metric Metr...

Страница 191: ...ZyWALL P1 User s Guide 190 Chapter 12 Static Route...

Страница 192: ...e WAN only or LAN WAN you still need to configure a firewall rule to allow access To disable remote management of a service select Disable in the corresponding Server Access field You may only have on...

Страница 193: ...r SSL is a web protocol that encrypts and decrypts web pages Secure Socket Layer SSL is an application level protocol that enables secure transactions of data by ensuring confidentiality an unauthoriz...

Страница 194: ...by default on the ZyWALL s WS web server Figure 86 HTTPS Implementation Note If you disable HTTP Server Access Disable in the REMOTE MGMT WWW screen then the ZyWALL blocks all HTTP connection attempt...

Страница 195: ...ed to access the ZyWALL web configurator to use https ZyWALL IP Address 8443 as the URL Server Access Select a ZyWALL interface from Server Access on which incoming HTTPS access is allowed You can all...

Страница 196: ...r login screen if you select No then web configurator access is blocked Figure 88 Security Alert Dialog Box Internet Explorer 13 4 2 Netscape Navigator Warning Messages When you attempt to access the...

Страница 197: ...ALL s HTTPS server certificate is not one of the browser s trusted certificate authorities The issuing certificate authority of the ZyWALL s factory default certificate is the ZyWALL itself since the...

Страница 198: ...ple Use this procedure to have the ZyWALL use a certificate with a common name that matches the ZyWALL s actual IP address You cannot use this procedure if you need to access the WAN port and it uses...

Страница 199: ...ZyWALL P1 User s Guide 198 Chapter 13 Remote Management Figure 91 Login Screen Internet Explorer Figure 92 Login Screen Netscape...

Страница 200: ...ertificate screen to create a certificate using your ZyWALL s MAC address that will be specific to this device Click CERTIFICATES to open the My Certificates screen You will see information similar to...

Страница 201: ...in clear text SSH Secure Shell is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network...

Страница 202: ...ryption Method Once the identification is verified both the client and server must agree on the type of encryption method to use 3 Authentication and Data Transmission After the identification is veri...

Страница 203: ...connections You must have certificates already configured in the My Certificates screen click My Certificates and refer to Chapter 10 on page 151 for details Server Port You may change the server port...

Страница 204: ...r or device name for the ZyWALL 2 Configure the SSH client to accept connection using SSH version 1 3 A window displays prompting you to store the host key in you computer Click Yes to continue Figure...

Страница 205: ...ur SSH client program user s guide 1 Enter sftp 1 192 168 167 1 This command forces your computer to connect to the ZyWALL for secure file transfer using SSH version 1 If this is the first time you ar...

Страница 206: ...pears as shown sftp 1 192 168 167 1 Connecting to 192 168 167 1 The authenticity of host 192 168 167 1 192 168 167 1 can t be established RSA1 key fingerprint is 21 6c 07 25 7e f4 75 80 ec af bd d4 3d...

Страница 207: ...Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Server Access Select the interface s th...

Страница 208: ...ed Note SNMP is only available if TCP IP is configured Table 73 FTP LABEL DESCRIPTION Server Port You may change the server port number for a service if needed however you must use the same port numbe...

Страница 209: ...f variables include such as number of packets received node port status etc A Management Information Base MIB is a collection of managed objects SNMP allows a manager and agents to communicate for the...

Страница 210: ...CRIPTION 0 coldStart defined in RFC 1215 A trap is sent after booting power on 1 warmStart defined in RFC 1215 A trap is sent after booting software reboot 4 authenticationFailure defined in RFC 1215...

Страница 211: ...fault is public and allows all requests Destination Type the IP address of the station to send your SNMP traps to SNMP Service Port You may change the server port number for a service if needed howeve...

Страница 212: ...that allows an administrator from any location to easily configure manage monitor and troubleshoot ZyWALL devices located worldwide See the Vantage CNM User s Guide for details Table 76 DNS LABEL DESC...

Страница 213: ...Registration Status This read only field displays Not Registered when Enable is not selected It displays Registering when the ZyWALL first connects with the Vantage CNM server and then Registered aft...

Страница 214: ...uter here and configure the NAT router to forward UDP port 1864 traffic to the Vantage CNM server If the Vantage CNM server is behind a firewall you may have to create a rule on the firewall to allow...

Страница 215: ...ZyWALL P1 User s Guide 214 Chapter 13 Remote Management...

Страница 216: ...he icon of a UPnP device will allow you to access the information and properties of that device 14 1 2 NAT Traversal UPnP NAT traversal automates the process of allowing an application to operate thro...

Страница 217: ...only sends UPnP multicasts to the LAN Please see later in this User s Guide for examples of installing UPnP in Windows XP and Windows Me as well as an example of using UPnP in Windows 14 3 Configurin...

Страница 218: ...he firewall Clear this check box to have the firewall block all UPnP application packets for example MSN packets Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin co...

Страница 219: ...ZyWALL ignores the Internal Port value and forwards requests on all external port numbers that are otherwise unmapped to the Internal Client Protocol This field displays the protocol of the NAT mappin...

Страница 220: ...anel Double click Add Remove Programs 2 Click on the Windows Setup tab and select Communication in the Components selection box Click Details 3 In the Communications window select the Universal Plug a...

Страница 221: ...rt of the ZyXEL device Turn on your computer and the ZyXEL device 1 Click Start Settings and Control Panel 2 Double click Network Connections 3 In the Network Connections window click Advanced in the...

Страница 222: ...nel Double click Network Connections An icon displays under Internet Gateway 2 Right click the icon and select Properties 3 In the Internet Connection Properties window click Settings to see the port...

Страница 223: ...is disconnected from your computer all port mappings will be deleted automatically 4 Select the Show icon in notification area when connected check box and click OK An icon displays in the system tra...

Страница 224: ...ful if you do not know the IP address of the ZyXEL device Follow the steps below to access the web configurator 1 Click Start and then Control Panel 2 Double click Network Connections 3 Select My Netw...

Страница 225: ...ZyWALL P1 User s Guide 224 Chapter 14 UPnP 6 Right click the icon for your ZyXEL device and select Properties A properties window displays with basic information about the ZyXEL device...

Страница 226: ...iew Log screen to see the logs for the categories that you selected in the Log Settings screen see Section 15 3 on page 227 Options include logs about system maintenance system errors access control a...

Страница 227: ...P address and the port number of the incoming packet Destination This field lists the destination IP address and the port number of the incoming packet Note This field displays additional information...

Страница 228: ...and so on Some categories such as System Errors consist of both logs and alerts You may differentiate them by their color in the View Log screen Alerts display in red and logs display in black Note A...

Страница 229: ...ZyWALL P1 User s Guide 228 Chapter 15 Logs Screens Figure 114 Log Settings The following table describes the labels in this screen...

Страница 230: ...ay of the week to send the logs Time for Sending Log Enter the time of the day in 24 hour format for example 23 00 equals 11 00 pm to send the logs SMTP Authentication SMTP Simple Mail Transfer Protoc...

Страница 231: ...when an individual web page loads it may contain references to other web sites that also get counted as hits The ZyWALL records web site hits by counting the HTTP GET packets Many web sites include H...

Страница 232: ...og Settings screen Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configuring this screen afresh Report Type Use the drop down list box to select the type of repo...

Страница 233: ...to have the ZyWALL record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports Table 84 Web Site Hits Report LABE...

Страница 234: ...puter Table 85 Protocol Port Report LABEL DESCRIPTION Protocol Port This column lists the protocols or service ports for which the most traffic has gone through the ZyWALL The protocols or service por...

Страница 235: ...m the WAN to the LAN This field displays Outgoing to denote traffic that is going out from the LAN to the WAN Amount This column displays how much traffic has gone to and from the listed LAN IP addres...

Страница 236: ...tab note the entry for the Computer Name field and enter it as the System Name In Windows 2000 click Start Settings Control Panel and then double click System Click the Network Identification tab and...

Страница 237: ...owed but dashes and underscores _ are accepted Domain Name Enter the domain name if you know it here If you leave this field blank the ISP may assign a domain name via DHCP The domain name entered by...

Страница 238: ...servers it randomly selects one server and tries to synchronize with it If the synchronization fails then the ZyWALL goes through the rest of the list in order from the first one tried until either it...

Страница 239: ...e screen appears as shown Use this screen to configure the ZyWALL s time based on your local time zone Figure 121 Time and Date The following table describes the labels in this screen tock usno navy m...

Страница 240: ...ton to have the ZyWALL get the time and date from the time server you specified below Time Protocol Select the time service protocol that your time server sends when you turn on the ZyWALL Not all tim...

Страница 241: ...at the same moment 1 A M GMT or UTC So in the European Union you would select Last Sunday March The time you type in the o clock field depends on your time zone In Germany for instance you would type...

Страница 242: ...Fail 16 5 F W Upload Screen Find firmware at www zyxel com in a file that usually uses the system model name with a bin extension e g zywall bin The upload process may take up to two minutes After a s...

Страница 243: ...ocess The ZyWALL automatically restarts in this time causing a temporary network disconnect In some operating systems you may see the following icon on your desktop Table 92 Firmware Upload LABEL DESC...

Страница 244: ...was not successful the following screen will appear Click Return to go back to the F W Upload screen Figure 128 Firmware Upload Error 16 6 Configuration Screen See Section 17 5 on page 254 for transfe...

Страница 245: ...in case you need to return to your previous settings Click Backup to save the ZyWALL s current configuration to your computer 16 6 2 Restore Configuration Restore Configuration allows you to upload a...

Страница 246: ...a temporary network disconnect In some operating systems you may see the following icon on your desktop Figure 131 Network Temporarily Disconnected If you uploaded the default configuration file you m...

Страница 247: ...screen The following warning screen will appear Figure 133 Reset Warning Message You can also press the RESET button on the rear panel to reset the factory defaults of your ZyWALL Refer to Section 2...

Страница 248: ...ZyWALL P1 User s Guide Chapter 16 Maintenance 247 Figure 134 Restart Screen...

Страница 249: ...ZyWALL P1 User s Guide 248 Chapter 16 Maintenance...

Страница 250: ...e ZyWALL s available features and functionality You can download new firmware releases from your nearest ZyXEL FTP site to use to upgrade your ZyWALL s performance 17 2 Filename Conventions The config...

Страница 251: ...to transfer from the ZyWALL to the computer while upload means from your computer to the ZyWALL 17 3 1 Using the FTP Command from the Command Line 1 Launch the FTP client on your computer 2 Enter open...

Страница 252: ...word 230 Logged in ftp bin 200 Type I OK ftp get rom 0 zyxel rom 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp 16384 bytes sent in 1 10Seconds 297 89Kbytes se...

Страница 253: ...to restore the five minute SMT timeout default when the file transfer is complete 4 Launch the TFTP client on your computer and connect to the ZyWALL Set the transfer mode to binary before starting da...

Страница 254: ...as this may PERMANENTLY DAMAGE YOUR ZyWALL When the Restore Configuration process is complete the ZyWALL will automatically restart 17 4 1 Restore Using FTP For details about backup using T FTP please...

Страница 255: ...e and Configuration Files This section shows you how to upload firmware and configuration files You can upload configuration files by following the procedure in Section 17 4 on page 253 Note WARNING D...

Страница 256: ...WAN 17 5 4 TFTP File Upload The ZyWALL also supports the uploading of firmware files using TFTP Trivial File Transfer Protocol over LAN Although TFTP should work over WAN as well it is not recommende...

Страница 257: ...wing example please consult the documentation of your TFTP client program For UNIX use get to transfer from the ZyWALL to the computer put the other way around and binary to set binary transfer mode 1...

Страница 258: ...WALL Table 97 Troubleshooting the Start Up of Your ZyWALL PROBLEM CORRECTIVE ACTION None of the LEDs turn on when you turn on the ZyWALL If supplying power via the USB port use only the included USB c...

Страница 259: ...ess the ZyWALL The username is admin The default password is 1234 The Password and Username fields are case sensitive Make sure that you enter the correct password and username using the proper casing...

Страница 260: ...rivacy 2 Clear the Block pop ups check box in the Pop up Blocker section of the screen This disables any web pop up blockers you may have enabled Figure 139 Internet Options 3 Click Apply to save this...

Страница 261: ...to open the Pop up Blocker Settings screen Figure 140 Internet Options 3 Type the IP address of your device the web page that you do not want to have blocked with the prefix http For example http 192...

Страница 262: ...Click Close to return to the Privacy screen 6 Click Apply to save this setting 18 2 1 2 JavaScripts If pages of the web configurator do not display properly in Internet Explorer check that JavaScripts...

Страница 263: ...142 Internet Options 2 Click the Custom Level button 3 Scroll down to Scripting 4 Under Active scripting make sure that Enable is selected the default 5 Under Scripting of Java applets make sure that...

Страница 264: ...Java Scripting 18 2 1 3 Java Permissions 1 From Internet Explorer click Tools Internet Options and then the Security tab 2 Click the Custom Level button 3 Scroll down to Microsoft VM 4 Under Java per...

Страница 265: ...bleshooting Figure 144 Security Settings Java 18 2 1 3 1 JAVA Sun 1 From Internet Explorer click Tools Internet Options and then the Advanced tab 2 make sure that Use Java 2 for applet under Java Sun...

Страница 266: ...connections Refer to the Quick Start Guide for LAN connection instructions Make sure the computer s Ethernet adapter is installed and functioning properly Cannot ping any computer on the LAN Check th...

Страница 267: ...ess Refer to Chapter 4 on page 65 It is recommended that you clone your computer s MAC address even if your ISP presently does not require MAC address authentication If your ISP requires host name aut...

Страница 268: ...r to Section 15 1 1 on page 232 for scenarios when remote management may not be possible When NAT is enabled Use the ZyWALL s WAN IP address when configuring from the WAN Use the ZyWALL s LAN IP addre...

Страница 269: ...ZyWALL P1 User s Guide 268 Chapter 18 Troubleshooting...

Страница 270: ...requires the purchase of a third party TCP IP application package TCP IP should already be installed on computers using Windows NT 2000 XP Macintosh OS 7 and later operating systems After the appropr...

Страница 271: ...icrosoft Networks If you need the adapter 1 In the Network window click Add 2 Select Adapter and then click Add 3 Select the manufacturer and model of your network adapter and then click OK If you nee...

Страница 272: ...pter s TCP IP entry and click Properties 2 Click the IP Address tab If your IP address is dynamic select Obtain an IP address automatically If you have a static IP address select Specify an IP address...

Страница 273: ...se the TCP IP Properties window 6 Click OK to close the Network window Insert the Windows CD if prompted 7 Turn on your ZyWALL and restart your computer when prompted Verifying Settings 1 Click Start...

Страница 274: ...r s IP Address 273 Figure 149 Windows XP Start Menu 2 In the Control Panel double click Network Connections Network and Dial up Connections in Windows 2000 NT Figure 150 Windows XP Control Panel 3 Rig...

Страница 275: ...ections Properties 4 Select Internet Protocol TCP IP under the General tab in Win XP and then click Properties Figure 152 Windows XP Local Area Connection Properties 5 The Internet Protocol TCP IP Pro...

Страница 276: ...re additional IP addresses In the IP Settings tab in IP addresses click Add In TCP IP Address type an IP address in IP address and a subnet mask in Subnet mask and then click Add Repeat the above two...

Страница 277: ...e General tab in Windows XP Click Obtain DNS server address automatically if you do not know your DNS server IP address es If you know your DNS server IP address es click Use the following DNS server...

Страница 278: ...ork Connections window Network and Dial up Connections in Windows 2000 NT 11Turn on your ZyWALL and restart your computer if prompted Verifying Settings 1 Click Start All Programs Accessories and then...

Страница 279: ...g up Your Computer s IP Address Figure 156 Macintosh OS 8 9 Apple Menu 2 Select Ethernet built in from the Connect via list Figure 157 Macintosh OS 8 9 TCP IP 3 For dynamically assigned settings selec...

Страница 280: ...Save if prompted to save changes to your configuration 7 Turn on your ZyWALL and restart your computer if prompted Verifying Settings Check your TCP IP properties in the TCP IP Control Panel window M...

Страница 281: ...ng From the Configure box select Manually Type your IP address in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your ZyWALL in the Router address box 5 Click A...

Страница 282: ...s the first two octets make up the network number and the two remaining octets make up the host ID Class C addresses begin starting from the left with 1 1 0 In a class C address the first three octets...

Страница 283: ...ost ID Subnet masks are expressed in dotted decimal notation just as IP addresses are The natural masks for class A B and C IP addresses are as follows Subnetting With subnetting the class arrangement...

Страница 284: ...s 192 168 1 0 with subnet mask of 255 255 255 0 The first three octets of the address make up the network number class C You want to have two separate networks Divide the network 192 168 1 0 into two...

Страница 285: ...255 255 128 is the directed broadcast address for the first subnet Therefore the lowest IP address that can be assigned to an actual host for the first subnet is 192 168 1 1 and the highest is 192 168...

Страница 286: ...IP Address Binary 11000000 10101000 00000001 00000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 0 Lowest Host ID 192 168 1 1 Broadcast Address 192 168 1 63 Highe...

Страница 287: ...1111111 11111111 11000000 Subnet Address 192 168 1 192 Lowest Host ID 192 168 1 193 Broadcast Address 192 168 1 255 Highest Host ID 192 168 1 254 Table 115 Eight Subnets SUBNET SUBNET ADDRESS FIRST AD...

Страница 288: ...ubnetting The following table is a summary for class B subnet planning Table 117 Class B Subnet Planning NO BORROWED HOST BITS SUBNET MASK NO SUBNETS NO HOSTS PER SUBNET 1 255 255 128 0 17 2 32766 2 2...

Страница 289: ...ZyWALL P1 User s Guide 288 Appendix B IP Subnetting...

Страница 290: ...a manner similar to dial up services using PPP Benefits of PPPoE PPPoE offers the following benefits It provides you with a familiar dial up networking DUN user interface It lessens the burden on the...

Страница 291: ...ss Concentrator and tunnels the PPP frames to the ISP The L2TP tunnel is capable of carrying multiple PPP sessions With PPPoE the VC Virtual Circuit is equivalent to the dial up connection and is betw...

Страница 292: ...s that it requires one separate ATM VC per destination Figure 162 Transport PPP frames over Ethernet PPTP and the ZyWALL When the ZyWALL is deployed in such a setup it appears as a computer to the ANT...

Страница 293: ...ity The phone call is between the user and the PAC and the PAC tunnels the PPP frames to the PNS The PPTP user is unaware of the tunnel between the PAC and the PNS Figure 163 PPTP Protocol Overview Mi...

Страница 294: ...ssage Exchange between Computer and an ANT PPP Data Connection The PPP frames are tunneled between the PNS and PAC over GRE General Routing Encapsulation RFC 1701 1702 The individual calls within a tu...

Страница 295: ...ZyWALL P1 User s Guide 294 Appendix D PPTP...

Страница 296: ...ng data packets between two Ethernet devices Some companies have more than one alternate route to one or more ISPs If the LAN and ISP s are in the same subnet the triangle route problem may occur The...

Страница 297: ...aces with the ZyWALL being the gateway for each logical network By putting your LAN and Gateway B in different subnets all returning network traffic must pass through the ZyWALL to your LAN The follow...

Страница 298: ...his ensures that all incoming network traffic passes through your ZyWALL to your LAN Therefore your LAN is protected Figure 168 Gateways on the WAN Side How To Configure Triangle Route 1 From the SMT...

Страница 299: ...ZyWALL P1 User s Guide 298 Appendix E Triangle Route...

Страница 300: ...P address A complete SIP identity is called a SIP URI Uniform Resource Identifier A SIP account s URI identifies the SIP account in a way similar to the way an e mail address identifies an e mail acco...

Страница 301: ...P requests A SIP server responds to the SIP requests When you use SIP to make a VoIP call it originates at a client and terminates at a server A SIP client could be a computer or a SIP phone One devic...

Страница 302: ...an IP address and sends the translated IP address back to the device that sent the request Then the client device that originally sent the request can send requests to the IP address that it received...

Страница 303: ...ugh NAT by examining and translating IP addresses embedded in the data stream When a VoIP device SIP client behind the SIP ALG registers with the SIP register server the SIP ALG translates the device...

Страница 304: ...amically creates an implicit port forwarding rule for SIP traffic from the WAN to the LAN The SIP ALG on the ZyWALL supports all NAT mapping types including One to One Many to One Many to Many Overloa...

Страница 305: ...ind the ZyWALL without STUN use the ip alg enable ALG_SIP command to activate the SIP ALG Signaling Session Timeout Most SIP clients have an expire mechanism indicating the lifetime of signaling sessi...

Страница 306: ...anually create any static IP routes for the remote VPN site They are not required Dynamic IPSec Rule Create a dynamic rule by setting the Secure Gateway Address to 0 0 0 0 A single dynamic rule can su...

Страница 307: ...mote IP Address Start settings with your own values VPN Configuration via Web Configurator This section gives a VPN rule configuration example using the web configurator 1 Click VPN to display the fol...

Страница 308: ...ZyWALL P1 User s Guide Appendix G VPN Setup 307 Figure 174 Headquarters VPN Rule Edit IP addresses on different subnets The IP address of the branch office IPSec router...

Страница 309: ...P1 User s Guide 308 Appendix G VPN Setup Figure 175 Branch Office VPN Rule Edit Dialing the VPN Tunnel via Web Configurator IP addresses on different subnets The IP address of the headquarters IPSec...

Страница 310: ...e dial icon in the VPN Rules screen s Modify column to have the IPSec routers set up the tunnel 1 Figure 176 VPN Rule Configured The following screen displays Figure 177 VPN Dial This screen displays...

Страница 311: ...o display the first VPN menu shown next Figure 179 Menu 27 VPN IPSec Setup 2 Type 1 in menu 27 and then press ENTER to display Menu 27 1 IPSec Summary This is a summary read only menu of your IPSec ru...

Страница 312: ...Press Space Bar to Toggle Menu 27 1 1 IPSec Setup Index 1 Name BRANCH Active Yes Keep Alive Yes Nat Traversal No Local ID type E MAIL Content test example com My IP Addr 0 0 0 0 Peer ID type E MAIL Co...

Страница 313: ...e same on both IPSec routers Use a simple key and or copy and paste the setting into the other IPSec router to avoid typos Menu 27 1 1 IPSec Setup Index 1 Name HQ Active Yes Keep Alive Yes Nat Travers...

Страница 314: ...f the IPSec routers The following steps will help you to rapidly identify and correct configuration problems Log into the SMTs of both ZyXEL IPSec routers via telnet Position the telnet windows side b...

Страница 315: ...3 43 172 21 3 185 IKE Send HASH 2 09 21 2004 05 45 08 172 21 3 43 172 21 3 185 IKE Adjust TCP MSS to 1398 3 09 21 2004 05 45 07 172 21 3 185 172 21 3 43 IKE Recv HASH SA NONCE ID ID 4 09 21 2004 05 45...

Страница 316: ...le 1 Original on off 2 IKE on off 3 IPSec SPI on off 4 XAUTH on off 5 CERT on off 6 All ras ipsec debug level 0 None 1 User 2 Low 3 High ras ipsec debug type 1 on ras ipsec debug type 2 on ras ipsec d...

Страница 317: ...ec router at headquarters The server s IP address 192 168 10 33 is in the subnet configured in the Local Policy fields in Figure 174 on page 307 C Documents and Settings Administrator ftp 192 168 10 3...

Страница 318: ...Certificate Importing the ZyWALL s Certificate into Internet Explorer For Internet Explorer to trust a self signed certificate from the ZyWALL simply import the self signed certificate into your opera...

Страница 319: ...ndix H Importing Certificates Figure 187 Login Screen 2 Click Install Certificate to open the Install Certificate wizard Figure 188 Certificate General Information before Import 3 Click Next to begin...

Страница 320: ...mporting Certificates 319 Figure 189 Certificate Import Wizard 1 4 Select where you would like to store the certificate and then click Next Figure 190 Certificate Import Wizard 2 5 Click Finish to com...

Страница 321: ...ZyWALL P1 User s Guide 320 Appendix H Importing Certificates Figure 191 Certificate Import Wizard 3 6 Click Yes to add the ZyWALL certificate to the root store Figure 192 Root Certificate Store...

Страница 322: ...ds a certificate if Authenticate Client Certificates is selected on the ZyWALL You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be acti...

Страница 323: ...CA Screen The CA sends you a package containing the CA s trusted certificate s your personal certificate s and a password to install the personal certificate s Installing the CA s Certificate 1 Doubl...

Страница 324: ...wizard as shown earlier in this appendix Installing Your Personal Certificate s You need a password in advance The CA may issue the password or you may have to specify it during the enrollment Double...

Страница 325: ...cate Import Wizard 1 2 The file name and path of the certificate you double clicked should automatically appear in the File name text box Click Browse if you wish to import a different certificate Fig...

Страница 326: ...rt Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location Figure 199 Person...

Страница 327: ...6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS 1 Enter https ZyWALL IP Address in your browser s web address field Figure 202 Access...

Страница 328: ...ZyWALL P1 User s Guide Appendix H Importing Certificates 327 Figure 203 SSL Client Authentication 3 You next see the ZyWALL login screen Figure 204 ZyWALL Secure Login Screen...

Страница 329: ...ZyWALL P1 User s Guide 328 Appendix H Importing Certificates...

Страница 330: ...it and possibly render it unusable Command Syntax The command keywords are in courier new font Enter the command keywords exactly as shown do not abbreviate The required fields in a command are enclos...

Страница 331: ...ZyWALL P1 User s Guide 330 Appendix I Command Interpreter...

Страница 332: ...onfig display firewall This command shows the of all the firewall settings including e mail attack and the sets rules config display firewall set set This command shows the current configuration of a...

Страница 333: ...mail hour 0 23 This command sets the hour when the firewall log is sent through e mail if the ZyWALL is set to send it on an hourly daily or weekly basis config edit firewall e mail minute 0 59 This...

Страница 334: ...the same destination where the ZyWALL starts dropping half open sessions to that destination Sets config edit firewall set set name desired name This command sets a name to identify a specified set C...

Страница 335: ...ommand sets the ZyWALL to log traffic that matches the rule doesn t match both or neither Config edit firewall set set rule rule alert yes no This command sets whether or not the ZyWALL sends an alert...

Страница 336: ...a rule to have the ZyWALL check for TCP traffic with a destination port in this range config edit firewall set set rule rule UDP destport single port This command sets a rule to have the ZyWALL check...

Страница 337: ...ZyWALL P1 User s Guide 336 Appendix J Firewall Commands...

Страница 338: ...ng of NetBIOS packets from the LAN to the WAN and from the WAN to the LAN Allow or disallow the sending of NetBIOS packets from the LAN to the DMZ and from the DMZ to the LAN Allow or disallow the sen...

Страница 339: ...r dial This field displays whether NetBIOS packets are allowed to initiate calls Disabled means that NetBIOS packets are blocked from initiating calls Disabled type Identify which NetBIOS filter numbe...

Страница 340: ...er s Guide Appendix K NetBIOS Filter Commands 339 sys filter netbios config 3 on This command blocks IPSec NetBIOS packets sys filter netbios config 4 off This command stops NetBIOS commands from init...

Страница 341: ...ZyWALL P1 User s Guide 340 Appendix K NetBIOS Filter Commands...

Страница 342: ...name specifies a descriptive name for the generated certification request subject specifies a subject name required and alternative name required The format is subject name dn ip dns email value If t...

Страница 343: ...ve name is not specified for the imported certificate the certificate will adopt the descriptive name of the certification request export name Export the PEM encoded certificate to stdout for user to...

Страница 344: ...usted CA certificate names and basic information rename old name new name Rename the specified trusted CA certificate old name specifies the name of the certificate to be renamed new name specifies th...

Страница 345: ...d if required The format is login password delete name Delete the specified directory service name specifies the name of the directory server to be deleted view name View the specified directory servi...

Страница 346: ...n on the command structure Example sys pwderrtm 5 This command sets the password protection to block all access attempts for five minutes after the third time an incorrect password is entered Table 12...

Страница 347: ...ZyWALL P1 User s Guide 346 Appendix M Brute Force Password Guessing Protection...

Страница 348: ...sful TELNET login Someone has logged on to the router via telnet TELNET login failed Someone has failed to log on to the router via telnet Successful FTP login Someone has logged on to the router via...

Страница 349: ...filter settings WAN connection is down A WAN connection is down You cannot access the network through this interface Table 125 Access Control Logs LOG MESSAGE DESCRIPTION Firewall default policy TCP...

Страница 350: ...nutes UDP idle timeout 3 minutes TCP connection three way handshaking timeout 270 seconds TCP FIN wait timeout 2 MSL Maximum Segment Lifetime set in the TCP header TCP idle established timeout s 150 m...

Страница 351: ...P reply packet to the sender Table 129 CDR Logs LOG MESSAGE DESCRIPTION board d line d channel d call d s C01 Outgoing Call dev x ch x s The router received the setup requirements for a call call is t...

Страница 352: ...The content filter server responded that the web site is in the blocked category list but it did not return the category type s s The content filter server responded that the web site is in the block...

Страница 353: ...ewall detected an ICMP echo attack For type and code details see Table 140 on page 359 syn flood TCP The firewall detected a TCP syn flood attack ports scan TCP The firewall detected a TCP port scan a...

Страница 354: ...led during IKE phase 2 because the router and the peer s Local Remote Addresses don t match Verifying Local ID failed The connection failed during IKE phase 2 because the router and the peer s Local R...

Страница 355: ...s Remote Address This information conflicted with static rule d thus the connection is not allowed Phase 1 ID type mismatch This router s Peer ID Type is different from the peer IPSec router s Local...

Страница 356: ...router and the peer Rule d Phase 2 encapsulation mismatch The listed rule s IKE phase 2 encapsulation did not match between the router and the peer Rule d Phase 2 pfs mismatch The listed rule s IKE p...

Страница 357: ...t subject name The router received a certification authority certificate with subject name as recorded from the LDAP server whose IP address and port are recorded in the Source field Rcvd user cert su...

Страница 358: ...Algorithm mismatch between the certificate and the search constraints 2 Key usage mismatch between the certificate and the search constraints 3 Certificate was not valid in the time interval 4 Not us...

Страница 359: ...expired User logout because of user deassociation The router logged out a user who ended the session User logout because of no authentication response from user The router logged out a user from whic...

Страница 360: ...WALL ACL set for packets traveling from the WAN to the WAN or the ZyWALL D to D ZW DMZ to DMZ ZyWALL ACL set for packets traveling from the DMZ to the DM or the ZyWALL Table 140 ICMP Notes TYPE CODE D...

Страница 361: ...rt dst dstIP dstPort msg msg note note devID mac address last three numbers cat category This message is sent by the system RAS displays as the system name if you haven t configured one when the route...

Страница 362: ...e 3 Use sys logs category followed by a log category to display the parameters that are available for the category Figure 206 Displaying Log Parameters Example 4 Use sys logs category followed by a lo...

Страница 363: ...ar command to erase all of the ZyWALL s logs Log Command Example This example shows how to set the ZyWALL to record the access logs and alerts and then view the results ras sys logs load ras sys logs...

Страница 364: ...te force Attack 95 BYE Request 300 C Cable Modem 92 Cables Connecting 3 5 Central Network Management 34 certificate 137 certificates 32 Client server Protocol 300 Command Line 250 Configuration 47 73...

Страница 365: ...re File Maintenance 249 firmware version 43 France Contact Information 6 FTP 73 87 182 191 206 250 File Upload 254 GUI based Clients 251 Restoring Files 253 FTP File Transfer 254 FTP Restrictions 191...

Страница 366: ...l 44 Negotiation Mode 63 Aggressive Mode 63 Main Mode 63 NetBIOS Network Basic Input Output System 77 80 NetBIOS commands 96 Network Address Translation NAT 34 Network Address Translators 302 Network...

Страница 367: ...rity Association 59 Safety Warnings 3 Saving the State 97 Secure FTP Using SSH Example 204 Secure Gateway Address 59 Secure Telnet Using SSH Example 203 Security Association 59 63 Security Ramificatio...

Страница 368: ...hake 94 Threshold Values 120 Thunderstorm 3 5 Time and Date 32 Time Zone 238 Traceroute 97 Tracing 34 Trivial File Transfer Protocol 252 U UDP ICMP Security 100 Uniform Resource Identifier 299 Univers...

Страница 369: ...ZyWALL P1 User s Guide 368 Index X X Auth 132 Z ZyNOS 250 ZyXEL Limited Warranty Note 4 ZyXEL s Firewall Introduction 92...

Результаты поиска

Содержание ZyXEL ZyWALL P1

Отзывы:

Похожие инструкции для ZyXEL ZyWALL P1

Бренды по названию

Популярные бренды

ZyXEL Communications ZyXEL ZyWALL P1, Руководство пользователя

Результаты поиска

Содержание ZyXEL ZyWALL P1

Отзывы:

Похожие инструкции для ZyXEL ZyWALL P1

Бренды по названию

Популярные бренды