Check Point ZoneAlarm Secure Wireless Router Z100G User Guide Version 7.
COPYRIGHT & TRADEMARKS PREAMBLE Copyright © 2007 SofaWare, All Rights Reserved. No part of this document may be reproduced in any form or by any means without written permission from SofaWare. The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.
1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.
you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.
POWER ADAPTER Operate this product only from the type of power source indicated on the product’s marking label. If you are not sure of the type of power supplied to your home, consult your dealer or local power company. Use only the power supply provided with your product. Check whether the device’s set supply voltage is the same as the local supply voltage. To reduce risk of damage to the unit, remove it from the outlet by holding the power adapter rather than the cord.
Contents
About This Guide ... vii
Introduction ... 1
About Your Check Point ZoneAlarm Router ... 1
Product Features
Configuring the Internet Connection ... 55
Overview ... 55
Using the Internet Wizard ... 56
Using Internet Setup
Viewing Connections ... 160
Viewing Wireless Statistics ... 161
Setting Your Security Policy ... 167
The ZoneAlarm Firewall Security Policy
Email Filtering ... 282
Automatic and Manual Updates ... 287
Secure Remote Access ... 291
Overview
Configuring HTTPS ... 338
Setting the Time on the Router ... 341
Using Diagnostic Tools ... 344
Backing Up the ZoneAlarm Router Configuration
About This Guide
To make finding information in this manual easier, some types of information are marked with special symbols or formatting.
Boldface type is used for command and button names.
Note: Notes are denoted by indented text and preceded by the Note icon.
Warning: Warnings are denoted by indented text and preceded by the Warning icon.
Chapter 1: Introduction
This chapter introduces the Check Point ZoneAlarm Secure Wireless Router Z100G and this guide. This chapter includes the following topics:
About Your Check Point ZoneAlarm Router ... 1
Product Features ... 2
Optional Security Services
Product Features
Table 1: ZoneAlarm Z100G Features
Capacity
  Concurrent Users: 5 (upgradable to 15)
  Firewall Throughput: 70 Mbps
  VPN Throughput: 5 Mbps
  Concurrent Firewall Connections: 4,000
Hardware Features
  4-Port LAN Switch: 10/100 Mbps
  WAN Port: 10/100 Mbps
  Print Server: USB 2.0
Firewall and Networking
  Four Preset Security Policies
  Anti-spoofing
  Voice over IP (H.
  Spanning Tree Protocol (STP)
  Traffic Monitoring
  DHCP Server, Client, and Relay
  MAC Cloning
  Static NAT
  Ethernet Cable Type Recognition
Wireless
  Wireless Protocols: 802.11b (11 Mbps), 802.11g (54 Mbps), Super G* (108 Mbps)
  Wireless Security: VPN over Wireless, WEP, WPA2 (802.
Management
  Local Diagnostics Tools: Ping, WHOIS, Packet Sniffer, VPN Tunnel Monitor, Connection Table Monitor, Wireless Monitor, My Computers Display
  NTP Automatic Time Setting
  TFTP Rapid Deployment
Hardware Specifications
  Power: 100/110/120/210/220/230 VAC (linear power adapter) or 100~240 VAC (switched power adapter)
  Mounting Options: Desktop or wall mounting
  Warranty: 1 year hardware
* Super G and XR mode are only available with select wireless network adapters.
These services require an additional subscription purchase. For more information, go to www.zonelabs.com/z100g.
Software Requirements
One of the following browsers:
• Microsoft Internet Explorer 6.0 or higher
• Netscape Navigator 6.0 or higher
• Mozilla Firefox
Note: For proper operation of the ZoneAlarm Portal, disable any pop-up blockers for http://my.firewall.
Network Requirements
• 10BaseT or 100BaseT network interface card installed on each computer
• CAT 5 STP (Category 5 Shielded Twisted Pair) straight-through Ethernet cable for each attached device
• An 802.11b, 802.11g or 802.
Getting to Know Your ZoneAlarm Z100G Router
Table 2: ZoneAlarm Z100G Router Rear Panel Elements
PWR: A power jack used for supplying power to the unit. Connect the supplied power supply to this jack.
RESET: A button used for rebooting the ZoneAlarm router or resetting it to its factory defaults. You need a pointed object to press this button.
  • Short press: reboots the ZoneAlarm router.
  • Long press (7 seconds): resets the ZoneAlarm router to its factory defaults.
Note: Anyone with physical access to the unit can perform a factory reset and so discard your security settings. Keep the router in a controlled location.
Front Panel
The ZoneAlarm Z100G router includes several status LEDs that enable you to monitor the router's operation.
Figure 2: ZoneAlarm Z100G Router Front Panel
For an explanation of the ZoneAlarm Z100G router's status LEDs, see the following table.
LED        State              Explanation
LNK/ACT    Flashing           Data is being transmitted/received
VPN        Off                No VPN activity
           Flashing (green)   VPN activity
           On (green)         VPN tunnels established, no activity
USB        Off                No USB port activity
           Flashing (green)   USB port activity
WLAN       Off                No WLAN activity
           Flashing (green)   WLAN activity
Contacting Technical Support
If there is a problem with your ZoneAlarm router, see http://www.sofaware.com/support.
Chapter 2: The ZoneAlarm Firewall
This chapter introduces the ZoneAlarm firewall and its advantages. This chapter includes the following topics:
What Is a Firewall? ... 11
Security Requirements ... 12
Old Firewall Technologies
Security Requirements
In order to make control decisions for new communication attempts, it is not sufficient for the firewall to examine packets in isolation. Depending upon the communication attempt, both the communication state (derived from past communications) and the application state (derived from other applications) may be critical in the control decision.
Table 4: Packet Filter Advantages and Disadvantages
Advantages: Application independence; high performance; scalability
Disadvantages: Low security; no screening above the network layer
Application-Layer Gateways
Application-layer gateways improve security by examining all application layers, bringing context information into the decision-making process. However, the method they use to do this disrupts the client/server model, reducing scalability.
Check Point Stateful Inspection Technology
Invented by Check Point, Stateful Inspection is the industry standard for network security solutions. A powerful inspection module examines every packet, ensuring that packets do not enter a network unless they comply with the network's security policy. Stateful Inspection technology implements all necessary firewall capabilities between the data and network layers.
• Date and time of packet arrival or departure
The ZoneAlarm firewall examines IP addresses, port numbers, and any other information required. It understands the internal structures of the IP protocol family and applications, and is able to extract data from a packet's application content and store it, to provide context in cases where the application does not provide it.
Step  Channel Type  Description                                        Source      TCP Source Port  Destination  TCP Destination Port
2     CMD           Server responds with data port information         FTP server  21               FTP client   C
                    (P > 1023)
3     Data          Client initiates data connection to server         FTP client  D > 1023         FTP server   P
                    on port P
4     Data          Server acknowledges data connection                FTP server  P                FTP client   D
The following diagram demonstrates the establishment of a Passive FTP connection through a firewall.
The fact that both of the channels are established by the client presents a challenge for the firewall protecting the FTP server: while a firewall can easily be configured to identify incoming command connections over the default port 21, it must also be able to handle incoming data connections over a dynamic port that is negotiated as part of the FTP client-server communication.
Firewall Technology: Stateful Inspection Firewall
Action: A Stateful Inspection firewall examines the FTP application-layer data in an FTP session. When the client opens a command session, the firewall reads the data port negotiated over that session (from the server's PASV reply in passive mode, or from the client's PORT command in active mode). The firewall then records both the client's and the server's IP addresses and port numbers in an FTP-data pending request list, and admits a data connection only if it matches an entry in that list.
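The following is an added example, written for this guide and not taken from the ZoneAlarm router's firmware or any Check Point API. It models the behaviour described in the table and the paragraph above for passive FTP: the firewall watches the command channel on server port 21, reads the data port P from the server's "227 Entering Passive Mode" reply, records a pending entry keyed by client, server and port, and then allows exactly one inbound data connection that matches it. The IP addresses, ports and FTP reply lines are constructed for the demo; the checks that the advertised address belongs to the server already being talked to and that P > 1023 are the kind of validation a practitioner would expect, not something the guide itself describes.

```python
"""Added example: how a stateful inspection firewall tracks passive FTP.

Illustrative code written for this guide; it is not the ZoneAlarm router's
firmware or any Check Point API. All IP addresses, ports and FTP reply lines
below are constructed for the demo.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

FTP_CMD_PORT = 21

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# The data port is p1 * 256 + p2.
PASV_REPLY = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(line: str) -> Optional[Tuple[str, int]]:
    """Return (advertised_ip, data_port) from a 227 reply, or None if the
    line is not a well-formed PASV reply."""
    m = PASV_REPLY.match(line.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]


@dataclass
class StatefulInspector:
    """Minimal connection-state model: the FTP command sessions seen so far
    and the FTP-data pending request list keyed by
    (client_ip, server_ip, data_port)."""
    command_sessions: Set[Tuple[str, int, str]] = field(default_factory=set)
    pending_data: Dict[Tuple[str, str, int], bool] = field(default_factory=dict)

    def open_command_session(self, client_ip: str, client_port: int, server_ip: str) -> None:
        """Record a client -> server:21 command connection (step 1 of the table)."""
        self.command_sessions.add((client_ip, client_port, server_ip))

    def inspect_server_reply(self, client_ip: str, client_port: int,
                             server_ip: str, server_port: int, line: str) -> bool:
        """Inspect one server -> client line on the command channel (step 2).
        Returns True if a pending data-connection entry was recorded."""
        if server_port != FTP_CMD_PORT:
            return False
        if (client_ip, client_port, server_ip) not in self.command_sessions:
            return False  # no tracked command session, so nothing to trust
        parsed = parse_pasv_reply(line)
        if parsed is None:
            return False
        advertised_ip, data_port = parsed
        # Only trust a data port on the server we are already talking to,
        # and only an unprivileged one (P > 1023, as in the table).
        if advertised_ip != server_ip or data_port <= 1023:
            return False
        self.pending_data[(client_ip, server_ip, data_port)] = True
        return True

    def allow_data_connection(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """Decide on a new inbound TCP connection to the server (step 3).
        Allowed only if it matches a pending entry; the entry is consumed so
        each 227 reply permits exactly one data connection."""
        return self.pending_data.pop((src_ip, dst_ip, dst_port), None) is not None


def demo() -> Dict[str, bool]:
    """Walk through the passive FTP exchange with constructed addresses."""
    fw = StatefulInspector()
    client, server = "203.0.113.10", "198.51.100.5"
    fw.open_command_session(client, 40000, server)
    results = {}
    # Server advertises data port 195 * 256 + 80 = 50000 on itself.
    results["pasv_recorded"] = fw.inspect_server_reply(
        client, 40000, server, 21, "227 Entering Passive Mode (198,51,100,5,195,80).")
    results["data_allowed"] = fw.allow_data_connection(client, server, 50000)
    results["second_use_blocked"] = not fw.allow_data_connection(client, server, 50000)
    results["unsolicited_blocked"] = not fw.allow_data_connection(client, server, 50001)
    # A 227 reply that points at a different host is ignored.
    results["foreign_ip_ignored"] = not fw.inspect_server_reply(
        client, 40000, server, 21, "227 Entering Passive Mode (10,0,0,9,195,80).")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Run it directly to see each decision; `demo()` returns the five outcomes so they can be checked programmatically. A packet filter cannot make the `allow_data_connection` decision at all, because nothing in the inbound SYN to port 50000 says it belongs to an FTP session; the pending list built from the command channel is what supplies that context.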
Chapter 3: Installing and Setting Up ZoneAlarm
This chapter describes how to properly set up and install your ZoneAlarm router in your networking environment. This chapter includes the following topics:
Before You Install the ZoneAlarm Router ... 19
Wall Mounting the ZoneAlarm Router ... 32
Securing the ZoneAlarm Router against Theft
Before You Install the ZoneAlarm Router
Windows Vista
Checking the TCP/IP Installation
1. Click Start > Control Panel. The Control Panel window appears.
2. Under Network and Internet, click View network status and tasks. The Network Sharing Center screen appears.
3. In the Tasks pane, click Manage network connections. The Network Connections screen appears.
4. Double-click the Local Area Connection icon. The Local Area Connection Status window opens.
5. Click Properties. The Local Area Connection Properties window opens.
6. Check if Internet Protocol Version 4 (TCP/IPv4) appears in the list box and if it is properly configured with the Ethernet card installed on your computer.
TCP/IP Settings
1. In the Local Area Connection Properties window, double-click the Internet Protocol Version 4 (TCP/IPv4) component, or select it and click Properties. The Internet Protocol Version 4 (TCP/IPv4) Properties window appears.
2. Click the Obtain an IP address automatically radio button.
Note: Normally, it is not recommended to assign a static IP address to your PC but rather to obtain an IP address automatically. If for some reason you need to assign a static IP address, select Specify an IP address, type in an IP address in the range 192.168.10.129-254, enter 255.255.255.0 in the Subnet Mask field, and click OK to save the new settings. (Note that 192.168.
2. Double-click the Network and Dial-up Connections icon. The Network and Dial-up Connections window appears.
3. Right-click the Local Area Connection icon and select Properties. The Local Area Connection Properties window appears.
4. In the above window, check if TCP/IP appears in the components list and if it is properly configured with the Ethernet card installed on your computer. If TCP/IP does not appear in the Components list, you must install it as described in the next section.
Installing TCP/IP Protocol
1. In the Local Area Connection Properties window, click Install. The Select Network Component Type window appears.
2. Select Protocol and click Add. The Select Network Protocol window appears.
3. Choose Internet Protocol (TCP/IP) and click OK. TCP/IP protocol is installed on your computer.
TCP/IP Settings
1. In the Local Area Connection Properties window, double-click the Internet Protocol (TCP/IP) component, or select it and click Properties. The Internet Protocol (TCP/IP) Properties window opens.
2. Click the Obtain an IP address automatically radio button.
Note: Normally, it is not recommended to assign a static IP address to your PC but rather to obtain an IP address automatically.
Mac OS
Use the following procedure for setting up the TCP/IP protocol.
1. Choose Apple Menus -> Control Panels -> TCP/IP. The TCP/IP window appears.
2. Click the Connect via drop-down list, and select Ethernet.
3. Click the Configure drop-down list, and select Using DHCP Server.
4. Close the window and save the setup.
Mac OS X
Use the following procedure for setting up the TCP/IP protocol.
1. Choose Apple -> System Preferences. The System Preferences window appears.
2. Click Network. The Network window appears.
3. Click Configure. TCP/IP configuration fields appear.
4. Click the Configure IPv4 drop-down list, and select Using DHCP.
5. Click Apply Now.
Wall Mounting the ZoneAlarm Router
For your convenience, the ZoneAlarm router includes a wall mounting kit, which consists of two plastic conical anchors and two cross-head screws.
To mount the ZoneAlarm router on the wall
1. Decide where you want to mount your ZoneAlarm router.
2. Decide on the mounting orientation.
3. Mark two drill holes on the wall, in accordance with the following sketch:
4. Drill two 3.5 mm diameter holes, approximately 25 mm deep.
5. Insert two plastic conical anchors into the holes.
Note: The conical anchors you received with your ZoneAlarm router are suitable for concrete walls. If you want to mount the router on a plaster wall, you must use anchors that are suitable for plaster walls.
Securing the ZoneAlarm Router against Theft
The ZoneAlarm router features a security slot to the rear of the right panel, which enables you to secure your router against theft, using an anti-theft security device.
Note: Anti-theft security devices are available at most computer hardware stores.
This procedure explains how to install a looped security cable on your router. A looped security cable typically includes the parts shown in the diagram below. While these parts may differ between devices, all looped security cables include a bolt with knobs, as shown in the diagram below:
Figure 5: Looped Security Cable Bolt
The bolt has two states, Open and Closed, and is used to connect the looped security cable to the router's security slot.
To install an anti-theft device on the ZoneAlarm router
5. Thread the anti-theft device's pin through the bolt's holes, and insert the pin into the main body of the anti-theft device, as described in the documentation that came with your device.
Router Installation
Installing the ZoneAlarm Router
To install the ZoneAlarm router
1. Verify that you have the correct cable type. For information, see Network Requirements on page 7.
2. Connect the LAN cable.
Figure 6: Typical Connection Diagram
Cascading Your Router
The ZoneAlarm router protects all computers and network devices that are connected to its LAN ports. If desired, you can increase the router's port capacity by cascading hubs or switches.
To cascade the ZoneAlarm router to a hub or switch
1. Connect a standard Ethernet cable to one of the router's LAN ports. The ZoneAlarm router automatically detects cable types, so you can use either a straight-through or crossed Ethernet cable.
Connecting the Router to Network Printers
You can connect network printers to your ZoneAlarm Z100G router.
To connect network printers
1. Connect one end of a USB cable to a USB port at the back of the unit. If needed, you can use the provided USB extension cord.
2. Connect the other end to a printer or a USB 2.0 hub.
Warning: Verify that the USB devices' power requirement does not exceed the router's USB power supply capabilities.
Setting Up the ZoneAlarm Router
Logging on to the ZoneAlarm Portal and setting up your password: see Initial Login to the ZoneAlarm Portal on page 43.
Configuring an Internet connection: see Using the Internet Wizard on page 56.
Setting the time on your ZoneAlarm router: see Setting the Time on the Router on page 341.
Setting up a wireless network: see Configuring a Wireless Network on page 113.
Installing the Product Key: see Upgrading Your Software Product on page 335.
Setting up subscription services: see Connecting to a Service Center.
The Firmware page appears.
2. Click ZoneAlarm Setup Wizard. The ZoneAlarm Setup Wizard opens with the Welcome page displayed.
Chapter 4: Getting Started
This chapter contains all the information you need in order to get started using your ZoneAlarm router. This chapter includes the following topics:
Initial Login to the ZoneAlarm Portal ... 43
Logging on to the ZoneAlarm Portal ... 46
Accessing the ZoneAlarm Portal Remotely Using HTTPS ... 47
Using the ZoneAlarm Portal
Initial Login to the ZoneAlarm Portal
The initial login page appears.
2. Type a password both in the Password and the Confirm password fields.
Note: The password must be five to 25 characters (letters or numbers). Because symbols are not accepted, length and randomness are what make the password strong: use the full 25 characters rather than the five-character minimum, and do not reuse a password from another account.
Note: You can change your username and password at any time. For further information, see Changing Your Password on page 311.
3. Click OK.
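The following is an added example, written for this guide and not part of the router's firmware. It checks a candidate password against the rule stated in the note above (5 to 25 characters, letters or numbers only), shows why the minimum is weak by computing the entropy of a random password of a given length, and generates one that uses the full length. The strength figures assume each character is chosen uniformly at random from the 62 letters and digits, which holds for the generated passwords but not for human-chosen ones.

```python
"""Added example: checking a ZoneAlarm Portal password against the rule in
this guide (5 to 25 characters, letters or numbers) and generating one that
uses the full length. Illustrative code written for this guide, not part of
the router's firmware.
"""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # the 62 symbols the portal rule allows
MIN_LEN, MAX_LEN = 5, 25


def is_valid_portal_password(pw: str) -> bool:
    """True if pw meets the guide's rule: 5 to 25 characters, letters or digits only."""
    return MIN_LEN <= len(pw) <= MAX_LEN and all(c in ALPHABET for c in pw)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet_size).
    For this alphabet, 5 characters give about 30 bits and 25 about 149 bits,
    which is why the minimum length should not be used for an admin account."""
    return length * math.log2(alphabet_size)


def generate_portal_password(length: int = MAX_LEN) -> str:
    """Generate a random password within the portal's rule, using the
    operating system's CSPRNG through the secrets module (never random.*)."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    pw = generate_portal_password()
    print(pw, is_valid_portal_password(pw), round(entropy_bits(len(pw))), "bits")
```

Paste the generated value into both the Password and Confirm password fields; store it in a password manager, since a 25-character random string is not meant to be memorised.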
The ZoneAlarm Setup Wizard opens, with the Welcome page displayed.
4. Configure your Internet connection using one of the following ways:
• Internet Wizard. The Internet Wizard is the first part of the Setup Wizard, and it takes you through basic Internet connection setup, step by step. For information on using the Internet Wizard, see Using the Internet Wizard on page 56.
Logging on to the ZoneAlarm Portal
Note: By default, HTTP and HTTPS access to the ZoneAlarm Portal is not allowed from the WLAN, unless you do one of the following:
• Configure a specific firewall rule to allow access from the WLAN. See Using Rules on page 172.
Or
• Enable HTTPS access from the Internet. See Configuring HTTPS on page 338.
Of these two, the specific firewall rule is the narrower choice: enabling HTTPS access from the Internet exposes the management portal to the whole Internet, not only to your wireless clients.
To log on to the ZoneAlarm Portal
1. Do one of the following:
• Browse to http://my.firewall.
2. Type your username and password.
3. Click OK. The Welcome page appears.
Accessing the ZoneAlarm Portal Remotely Using HTTPS
You can access the ZoneAlarm Portal remotely (from the Internet) through HTTPS. HTTPS is a protocol for accessing a secure Web server: the session is encrypted, so the administration password and configuration data are not sent in clear text. If desired, you can also use HTTPS to access the ZoneAlarm Portal from your internal network.
Note: Your browser must support 128-bit cipher strength. To check your browser's cipher strength, open Internet Explorer and click Help > About Internet Explorer.
To access the ZoneAlarm Portal from your internal network
• Browse to https://my.firewall. (Note that the URL starts with "https", not "http".) The ZoneAlarm Portal appears.
To access the ZoneAlarm Portal from the Internet
• Browse to https://<your router's Internet IP address>:981.
The ZoneAlarm Portal appears.
Using the ZoneAlarm Portal
The ZoneAlarm Portal is a Web-based management interface, which enables you to manage and configure the ZoneAlarm router operation and options. The ZoneAlarm Portal consists of three major elements.
Table 8: ZoneAlarm Portal Elements
Main menu: Used for navigating between the various topics (such as Reports, Security, and Setup).
Figure 7: ZoneAlarm Portal Main Menu
The main menu includes the following submenus.
Table 9: Main Menu Submenus
Welcome: Displays general welcome information.
Reports: Provides reporting capabilities in terms of event logging, traffic monitoring, active computers, and established connections.
Security: Provides controls and options for setting the security of any computer in the network.
Antivirus: Allows you to configure VStream Antivirus settings.
Services: Allows you to control your subscription to subscription services.
Network: Allows you to manage and configure your network settings and Internet connection.
Setup: Provides a set of tools for managing your ZoneAlarm router. Allows you to upgrade your license and firmware and to configure HTTPS access to your ZoneAlarm router.
Users: Allows you to manage ZoneAlarm router users.
Status Bar
The status bar is located at the bottom of each page. It displays the fields below, as well as the date and time.
Table 10: Status Bar Fields
Internet: Your Internet connection status. The connection status may be one of the following:
• Connected. The ZoneAlarm router is connected to the Internet.
• Not Connected. The Internet connection is down.
• Establishing Connection. The ZoneAlarm router is connecting to the Internet.
Logging off
Logging off terminates your administration session. Any subsequent attempt to connect to the ZoneAlarm Portal will require re-entering the administration password.
To log off of the ZoneAlarm Portal
• If you are connected through HTTP, click Logout in the main menu. The Login page appears.
• If you are connected through HTTPS, the Logout option does not appear in the main menu. Close the browser completely, not just the tab, so that the browser does not keep the authenticated session open.
Chapter 5: Configuring the Internet Connection
This chapter describes how to configure and work with a ZoneAlarm Internet connection. This chapter includes the following topics:
Overview ... 55
Using the Internet Wizard ... 56
Using Internet Setup
Using the Internet Wizard
The Internet Wizard allows you to configure your ZoneAlarm router for Internet connection quickly and easily through its user-friendly interface.
Note: The first time you log on to the ZoneAlarm Portal, the Internet Wizard starts automatically as part of the Setup Wizard. In this case, you should skip to step 3 in the following procedure.
To configure the Internet connection using the Internet Wizard
The Internet Connection Method dialog box appears.
4. Select the Internet connection method you want to use for connecting to the Internet. If you are uncertain regarding which connection method to use, contact your xDSL provider.
Note: If you selected PPTP or PPPoE, do not use your dial-up software to connect to the Internet.
5. Click Next. If you chose PPPoE, continue at Using a PPPoE Connection on page 58. If you chose PPTP, continue at Using a PPTP Connection on page 60.
Using a PPPoE Connection
If you selected the PPPoE (PPP over Ethernet) connection method, the PPP Configuration dialog box appears.
1. Complete the fields using the information in the following table.
2. Click Next. The Confirmation screen appears.
3. Click Next. The system attempts to connect to the Internet via the specified connection. The Connecting… screen appears. At the end of the connection process the Connected screen appears.
4. Click Finish.
Table 11: PPPoE Connection Fields
Username: Type your user name.
Password: Type your password.
Confirm password: Type your password again.
Service: Type your service name. This field can be left blank.
Using a PPTP Connection
If you selected the PPTP connection method, the PPP Configuration dialog box appears.
1. Complete the fields using the information in the following table.
2. Click Next. The Confirmation screen appears.
3. Click Next. The system attempts to connect to the Internet via the specified connection. The Connecting… screen appears. At the end of the connection process the Connected screen appears.
4. Click Finish.
Table 12: PPTP Connection Fields
Username: Type your user name.
Password: Type your password.
Confirm password: Type your password again.
Service: Type your service name.
Server IP: Type the IP address of the PPTP modem.
Internal IP: Type the local IP address required for accessing the PPTP modem.
Subnet Mask: Select the subnet mask of the PPTP modem.
Using a Cable Modem Connection
No further settings are required for a cable modem connection.
Using a Static IP Connection
If you selected the Static IP connection method, the Static IP Configuration dialog box appears.
1. Complete the fields using the information in the following table.
2. Click Next. The Confirmation screen appears.
3. Click Next. The system attempts to connect to the Internet via the specified connection. The Connecting… screen appears. At the end of the connection process the Connected screen appears.
4. Click Finish.
Table 13: Static IP Connection Fields
IP Address: Type the static IP address of your ZoneAlarm router.
Subnet Mask: Select the subnet mask that applies to the static IP address of your ZoneAlarm router.
Default Gateway: Type the IP address of your ISP's default gateway.
Primary DNS Server: Type the Primary DNS server IP address.
Secondary DNS Server: Type the Secondary DNS server IP address. This field is optional.
Using Internet Setup
Internet Setup allows you to manually configure your Internet connection.
To configure the Internet connection using Internet Setup
1. Click Network in the main menu, and click the Internet tab. The Internet page appears.
2. Next to the desired Internet connection, click Edit. The Internet Setup page appears.
3. Do one of the following:
• To configure an Ethernet-based connection, continue at Configuring an Ethernet-Based Connection on page 66.
• To configure no connection, continue at Using No Connection on page 74.
Configuring an Ethernet-Based Connection
1. In the Port drop-down list, do one of the following:
• To configure an Ethernet-based connection through the WAN port, select WAN.
• To configure an Ethernet-based connection through the DMZ/WAN2 port, select WAN2.
2. In the Connection Type drop-down list, select the Internet connection type you intend to use. The display changes according to the connection type you selected.
New fields appear, depending on the check boxes you selected.
2. Click Apply. The ZoneAlarm router attempts to connect to the Internet, and the Status Bar displays the Internet status "Connecting". This may take several seconds. Once the connection is made, the Status Bar displays the Internet status "Connected".
Using a Cable Modem Connection
1. Complete the fields using the relevant information in Internet Setup Fields on page 75. New fields appear, depending on the check boxes you selected.
2. Click Apply. The ZoneAlarm router attempts to connect to the Internet, and the Status Bar displays the Internet status "Connecting". This may take several seconds. Once the connection is made, the Status Bar displays the Internet status "Connected".
Using a PPPoE Connection
1. Complete the fields using the relevant information in Internet Setup Fields on page 75. New fields appear, depending on the check boxes you selected.
2. Click Apply. The ZoneAlarm router attempts to connect to the Internet, and the Status Bar displays the Internet status "Connecting". This may take several seconds. Once the connection is made, the Status Bar displays the Internet status "Connected".
Using a PPTP Connection
1. Complete the fields using the relevant information in Internet Setup Fields on page 75. New fields appear, depending on the check boxes you selected.
2. Click Apply. The ZoneAlarm router attempts to connect to the Internet, and the Status Bar displays the Internet status "Connecting". This may take several seconds. Once the connection is made, the Status Bar displays the Internet status "Connected".
Using a Telstra (BPA) Connection
Use this Internet connection type only if you are subscribed to Telstra® BigPond™ Internet. Telstra BigPond is a trademark of Telstra Corporation Limited.
1. Complete the fields using the relevant information in Internet Setup Fields on page 75. New fields appear, depending on the check boxes you selected.
2. Click Apply. The ZoneAlarm router attempts to connect to the Internet, and the Status Bar displays the Internet status "Connecting". This may take several seconds. Once the connection is made, the Status Bar displays the Internet status "Connected".
Configuring No Connection
1. In the Port drop-down list, select None. The fields disappear.
2. Click Apply.
Table 14: Internet Setup Fields
In this field… / Do this…
PPP Settings
Username: Type your user name.
Password: Type your password.
Confirm password: Type your password.
Service: Type your service name. If your ISP has not provided you with a service name, leave this field empty.
Server IP: If you selected PPTP, type the IP address of the PPTP server as given by your ISP. If you selected Telstra (BPA), type the IP address of the Telstra authentication server as given by Telstra.
On outgoing activity: Select this option to specify that the router should only establish a connection if there is outgoing activity (that is, packets need to be transmitted to the Internet). If the connection times out, the router will disconnect.
Idle timeout: Type the amount of time (in minutes) that the connection can remain idle. Once this period of time has elapsed, the router will disconnect. The default value is 1.
Secondary DNS Server: Type the Secondary DNS server IP address.
WINS Server: Type the WINS server IP address.
Advanced
External IP: If you selected PPTP, type the IP address of the PPTP client as given by your ISP. If you selected PPPoE, this field is optional, and you do not have to fill it in unless your ISP has instructed you to do so.
MTU: This field allows you to control the maximum transmission unit size.
Cloned MAC Address: Do one of the following:
• Click This Computer to automatically "clone" the MAC address of your computer to the ZoneAlarm router.
• If the ISP requires authentication using the MAC address of a different computer, type the MAC address in this field.

Viewing Internet Connection Information
You can view information on your Internet connection(s) in terms of status, duration, and activity.
A tooltip displays the number of bytes sent and received through the connection.
3. To refresh the information on this page, click Refresh.

Table 15: Internet Page Fields
Field / Description
Status: Indicates the connection’s status.
Duration: Indicates the connection duration, if active. The duration is given in the format hh:mm:ss, where hh=hours, mm=minutes, ss=seconds.
IP Address: Your IP address.
Enabling/Disabling the Internet Connection
You can temporarily disable an Internet connection. This is useful if, for example, you are going on vacation and do not want to leave your computer connected to the Internet. The Internet connection’s Enabled/Disabled status is persistent through ZoneAlarm router reboots.
To enable/disable an Internet connection
1. Click Network in the main menu, and click the Internet tab. The Internet page appears.
2.
Chapter 6
Managing Your Network
This chapter describes how to manage and configure your network connection and settings.
This chapter includes the following topics:
Configuring Network Settings....................................................................81
Using Network Objects ..............................................................................95
Configuring Network Service Objects......................................................104
Managing Ports.......
Configuring Network Settings
The My Network page appears.
2. Click Edit in the LAN network’s row. The Edit Network Settings page for the LAN network appears.
3. In the Mode drop-down list, select Enabled. The fields are enabled.
4. If desired, change your ZoneAlarm router’s internal IP address. See Changing IP Addresses on page 83.
5. If desired, enable or disable Hide NAT. See Enabling/Disabling Hide NAT on page 85.
6. If desired, configure a DHCP server. See Configuring a DHCP Server on page 86.
7. Click Apply. A warning message appears.
8. Click OK. A success message appears.

Note: The internal network range is defined both by the ZoneAlarm router’s internal IP address and by the subnet mask. For example, if the ZoneAlarm router’s internal IP address is 192.168.100.7, and you set the subnet mask to 255.255.255.0, the network’s IP address range will be 192.168.100.1 – 192.168.100.254.
5. Click Apply. A warning message appears.
6. Click OK.
7. The ZoneAlarm router's internal IP address and/or the internal network range are changed.
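The arithmetic behind the note, as an added example that is not part of the manual: it derives the assignable host range from a router address and subnet mask with Python's standard ipaddress module, and also checks whether two such networks overlap, which matters whenever a second internal network (for example a WLAN) is added next to the LAN. The addresses used are the manual's own 192.168.100.7 / 255.255.255.0 plus constructed values.

```python
import ipaddress


def internal_network_range(router_ip: str, subnet_mask: str):
    """Return (network, first_host, last_host) for a router address and mask.

    As the manual notes, the internal range is fixed by the router's internal
    IP address together with the subnet mask: the mask decides the prefix, and
    the network and broadcast addresses are not assignable to hosts.
    """
    iface = ipaddress.IPv4Interface(f"{router_ip}/{subnet_mask}")
    net = iface.network
    if net.prefixlen >= 31:
        # /31 and /32 leave no room for the router plus at least one client.
        raise ValueError(f"{net} leaves no assignable host addresses")
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{router_ip} is the network or broadcast address of {net}")
    first = net.network_address + 1
    last = net.broadcast_address - 1
    return str(net), str(first), str(last)


def networks_overlap(a: str, b: str) -> bool:
    """True if two 'address/mask' networks share any addresses.

    Run this before adding another internal network: the manual requires a
    WLAN network not to overlap the networks already configured.
    """
    net_a = ipaddress.IPv4Network(a, strict=False)  # strict=False tolerates host bits
    net_b = ipaddress.IPv4Network(b, strict=False)
    return net_a.overlaps(net_b)


if __name__ == "__main__":
    # The manual's own example: 192.168.100.7 with mask 255.255.255.0.
    print(internal_network_range("192.168.100.7", "255.255.255.0"))
    # Constructed WLAN candidate that collides with the LAN above.
    print(networks_overlap("192.168.100.7/255.255.255.0",
                           "192.168.100.200/255.255.255.128"))
```

The overlap check accepts a host address with its mask (as entered on the Edit Network Settings page) rather than a canonical network address, which is why strict=False is passed.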
Enabling/Disabling Hide NAT
Hide Network Address Translation (Hide NAT) enables you to share a single public Internet IP address among several computers, by “hiding” the private IP addresses of the internal computers behind the ZoneAlarm router’s single Internet IP address.
Note: If Hide NAT is disabled, you must obtain a range of Internet IP addresses from your ISP.
Hide NAT is enabled by default.
Note: Static NAT and Hide NAT can be used together.

Configuring a DHCP Server
By default, the ZoneAlarm router operates as a DHCP (Dynamic Host Configuration Protocol) server. This allows the ZoneAlarm router to automatically configure all the devices on your network with their network configuration details.
Note: The DHCP server only serves computers that are configured to obtain an IP address automatically.
A warning message appears.
5. Click OK. A success message appears.
6. If your computer is configured to obtain its IP address automatically (using DHCP), and either the ZoneAlarm DHCP server or another DHCP server is enabled, restart your computer. If you enabled the DHCP server, your computer obtains an IP address in the DHCP address range.

Configuring the DHCP Address Range
By default, the ZoneAlarm DHCP server automatically sets the DHCP address range.
3. Do one of the following:
• To allow the DHCP server to set the IP address range, select the Automatic DHCP range check box.
• To set the DHCP range manually:
1) Clear the Automatic DHCP range check box. The DHCP IP range fields appear.
2) In the DHCP IP range fields, type the desired DHCP range.
4. Click Apply. A warning message appears.
5. Click OK. A success message appears.
6.
Configuring DHCP Relay
You can configure DHCP relay for internal networks.
Note: DHCP relay will not work if the router is located behind a NAT device.
To configure DHCP relay
1. Click Network in the main menu, and click the My Network tab. The My Network page appears.
2. In the desired network's row, click Edit. The Edit Network Settings page appears.
3. In the DHCP Server list, select Relay. The Automatic DHCP range check box is disabled, and new fields appear.
4.
5. In the Secondary DHCP Server IP field, type the IP address of the DHCP server to use if the primary DHCP server fails.
6. Click Apply. A warning message appears.
7. Click OK. A success message appears.
8. If your computer is configured to obtain its IP address automatically (using DHCP), and either the ZoneAlarm DHCP server or another DHCP server is enabled, restart your computer. Your computer obtains an IP address in the DHCP address range.
The DHCP Server Options page appears.
4. Complete the fields using the relevant information in the following table. New fields appear, depending on the check boxes you selected.
5. Click Apply.
6. If your computer is configured to obtain its IP address automatically (using DHCP), restart your computer. Your computer obtains an IP address in the DHCP address range.

Table 16: DHCP Server Options Fields
In this field… / Do this…
Domain Name: Type a default domain suffix that should be passed to DHCP clients. The DHCP client will automatically append the domain suffix for the resolving of non-fully qualified names. For example, if the domain suffix is set to "mydomain.com", and the client tries to resolve the name “mail”, the suffix will be automatically appended to the name, resulting in “mail.mydomain.com”.
Automatically assign default gateway: Clear this option if you do not want the DHCP server to pass the current gateway IP address to DHCP clients as the default gateway's IP address. Normally, it is recommended to leave this option selected. The Default Gateway field is enabled.
Default Gateway: Type the IP address to pass to DHCP clients as the default gateway, instead of the current gateway IP address.
Nortel IP Phone: To enable Nortel IP phones to receive their configuration, type the phone's configuration string.
Thomson IP Phone: To enable Thomson IP phones to receive their configuration, type the phone's configuration string.

Using Network Objects
You can add individual computers or networks as network objects. This enables you to configure various settings for the computer or network represented by the network object.
• Assign the network object's IP address to a MAC address
Normally, the ZoneAlarm DHCP server consistently assigns the same IP address to a specific computer. However, if the ZoneAlarm DHCP server runs out of IP addresses and the computer is down, then the DHCP server may reassign the IP address to a different computer. If you want to guarantee that a particular computer's IP address remains constant, you can reserve the IP address for use by the computer's MAC address only.
Adding and Editing Network Objects
You can add or edit network objects via:
• The Network Objects page. This page enables you to add both individual computers and networks.
• The My Computers page. This page enables you to add only individual computers as network objects. The computer's details are filled in automatically in the wizard.
To add or edit a network object via the Network Objects page
1. Click Network in the main menu, and click the Network Objects tab.
The ZoneAlarm Network Object Wizard opens, with the Step 1: Network Object Type dialog box displayed.
3. Do one of the following:
• To specify that the network object should represent a single computer or device, click Single Computer.
• To specify that the network object should represent a network, click Network.
4. Click Next. The Step 2: Computer Details dialog box appears. If you chose Single Computer, the dialog box includes the Reserve a fixed IP address for this computer option. If you chose Network, the dialog box does not include this option.
5. Complete the fields using the information in the tables below.
6. Click Next. The Step 3: Save dialog box appears.
7. Type a name for the network object in the field.
8. Click Finish.
To add or edit a network object via the My Computers page
1. Click Reports in the main menu, and click the My Computers tab. The My Computers page appears. If a computer has not yet been added as a network object, the Add button appears next to it. If a computer has already been added as a network object, the Edit button appears next to it.
2. Do one of the following:
• To add a network object, click Add next to the desired computer.
• To edit a network object, click Edit next to the desired computer.
The ZoneAlarm Network Object Wizard opens, with the Step 1: Network Object Type dialog box displayed.
4. Click Next. The Step 2: Computer Details dialog box appears. The computer's IP address and MAC address are automatically filled in.
5. Complete the fields using the information in the tables below.
6. Click Next. The Step 3: Save dialog box appears with the network object's name. If you are adding a new network object, this name is the computer's name.
7. To change the network object name, type the desired name in the field.
8. Click Finish.
External IP: Type the Internet IP address to which you want to map the local computer's IP address.
Exclude this computer from Web Filtering: Select this option to exclude this computer from the Web Filtering service and Web rule enforcement.

Table 18: Network Object Fields for a Network
In this field… / Do this…
IP Range: Type the range of local computer IP addresses in the network.

Viewing and Deleting Network Objects
To view or delete a network object
1. Click Network in the main menu, and click the Network Objects tab. The Network Objects page appears with a list of network objects.
2. To delete a network object, do the following:
a. In the desired network object's row, click the Erase icon. A confirmation message appears.
b. Click OK. The network object is deleted.
Configuring Network Service Objects
The Network Services page appears.
2. Do one of the following:
• To add a network service object, click New.
• To edit an existing network service object, click Edit next to the desired object in the list.
The ZoneAlarm Network Service Wizard opens, with the Step 1: Network Service Details dialog box displayed.
3. Complete the fields using the information in the table below.
4. Click Next. The Step 2: Network Service Name dialog box appears.
5. Type a name for the network service object in the field.
6. Click Finish.

Table 19: Network Service Fields
In this field… / Do this…
Protocol: Select the network service's IP protocol. If you select Other, the Protocol Number field appears. If you select TCP or UDP, the Port Ranges field appears.
Protocol Number: Type the number of the network service's IP protocol.
Port Ranges: Type the network service's port or port ranges. Multiple ports or port ranges must be separated by commas.
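A parser and matcher for the Port Ranges syntax in Table 19, added here as an example and not taken from the router's firmware: it turns a comma-separated list of ports and ranges into validated (low, high) pairs, builds a service object following the TCP/UDP versus Other distinction the table describes, and tests whether a given flow matches. The dictionary layout and the function names are this example's own choices.

```python
# IP protocol numbers for the two selections that expose the Port Ranges field.
PROTOCOL_NUMBERS = {"TCP": 6, "UDP": 17}


def parse_port_ranges(spec: str):
    """Parse '80, 443, 8000-8080' into a sorted list of (low, high) tuples.

    Rejects empty entries, non-numeric text, ports above 65535 and inverted
    ranges, so a mistyped object cannot silently match nothing or everything.
    """
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in port range list")
        lo_text, _, hi_text = item.partition("-")
        lo = int(lo_text)                      # int() raises on non-numeric text
        hi = int(hi_text) if hi_text else lo   # a single port is a range of one
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port range: {item!r}")
        ranges.append((lo, hi))
    return sorted(ranges)


def make_service(name: str, protocol: str, port_ranges: str = None,
                 protocol_number: int = None) -> dict:
    """Build a network service object with the rules of Table 19.

    TCP and UDP require port ranges; Other requires an IP protocol number and
    carries no ports at all.
    """
    protocol = protocol.upper()
    if protocol in PROTOCOL_NUMBERS:
        if not port_ranges:
            raise ValueError(f"{protocol} service needs at least one port or range")
        return {"name": name, "protocol": PROTOCOL_NUMBERS[protocol],
                "ports": parse_port_ranges(port_ranges)}
    if protocol == "OTHER":
        if protocol_number is None or not 0 <= protocol_number <= 255:
            raise ValueError("Other requires an IP protocol number between 0 and 255")
        return {"name": name, "protocol": protocol_number, "ports": []}
    raise ValueError(f"unknown protocol selection: {protocol!r}")


def service_matches(service: dict, ip_protocol: int, dst_port: int = None) -> bool:
    """True if a flow with this IP protocol (and port, for TCP/UDP) fits the service."""
    if service["protocol"] != ip_protocol:
        return False
    if not service["ports"]:
        return True  # protocol-only service, e.g. GRE (protocol 47)
    return dst_port is not None and any(lo <= dst_port <= hi for lo, hi in service["ports"])


if __name__ == "__main__":
    # Constructed objects, not from the manual.
    web = make_service("web", "tcp", "80, 443, 8000-8080")
    gre = make_service("gre", "Other", protocol_number=47)
    print(web, service_matches(web, 6, 8042), service_matches(web, 17, 80))
    print(gre, service_matches(gre, 47))
```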
Managing Ports
The ZoneAlarm router allows you to restrict the LAN1-4 ports and the WAN port to a specific link speed and duplex setting. If desired, you can also disable ports.
Viewing Port Statuses
You can view the status of the ZoneAlarm router's ports on the Ports page, including each Ethernet connection's duplex state. This is useful if you need to check whether the router's physical connections are working, and you can’t see the LEDs on front of the router.
To view port statuses
1.

Table 20: Ports Fields
This field… / Displays…
Assign To: The port's current assignment. For example, if the LAN1 port is not assigned to a network, the field displays "None".
Status: The port's current status. This can be any of the following:
• The detected link speed (10 Mbps or 100 Mbps) and duplex (Full Duplex or Half Duplex)
• No Link. The router does not detect anything connected to the port.
• Disabled. The port is disabled.

The Port Setup page appears.
3. In the Assign to Network drop-down list, do one of the following:
• To enable a LAN port, select LAN.
• To enable the WAN port, select Internet.
• To disable a port, select None.
4. Click Apply. A warning message appears.
5. Click OK. The port is reassigned to the specified network or purpose.

Modifying Link Configurations
By default, the ZoneAlarm router automatically detects the link speed and duplex. If desired, you can manually restrict the router's ports to a specific link speed and duplex setting.
To modify a port's link configuration
1. Click Network in the main menu, and click the Ports tab. The Ports page appears.
2. Next to the desired port, click Edit. The Port Setup page appears.
3.
4.

Resetting Ports to Defaults
You can reset the ZoneAlarm router's ports to their default link configurations ("Automatic Detection") and default assignments. The LAN1-4 ports' default assignment is "LAN".
Resetting All Ports to Defaults
To reset all ports to defaults
1. Click Network in the main menu, and click the Ports tab. The Ports page appears.
2. Click Default. A confirmation message appears.
3. Click OK.
Chapter 7
Configuring a Wireless Network
This chapter describes how to configure a wireless internal network.
This chapter includes the following topics:
Overview ..................................................................................................113
Using the Wireless Configuration Wizard................................................116
Manually Configuring a WLAN...............................................................122
Troubleshooting Wireless Connectivity .............
Overview
About the Wireless Hardware in Your ZoneAlarm Wireless Router
Your ZoneAlarm wireless router features a built-in 802.11b/g access point that is tightly integrated with the firewall and VPN. ZoneAlarm wireless routers support the latest 802.11g standard (up to 54 Mbps) and are backwards compatible with the older 802.11b standard (up to 11 Mbps), so that both new and old adapters of these standards are interoperable.

Security Protocol / Description
WEP encryption: In the WEP (Wired Equivalent Privacy) encryption security method, wireless stations must use a pre-shared key to connect to your network. This method is not recommended, due to known security flaws in the WEP protocol. It is provided for compatibility with existing wireless deployments.
Note: The router and the wireless stations must be configured with the same WEP key.
Using the Wireless Configuration Wizard
The Wireless Configuration Wizard provides a quick and simple way of setting up your basic WLAN parameters for the first time.
To configure a WLAN using the Wireless Configuration Wizard
1. Prepare the router for a wireless connection as described in Preparing the Router for a Wireless Connection on page 38.
2. Click Network in the main menu, and click the My Network tab. The My Network page appears.
3.
7. Click Next.
8. The Wireless Security dialog box appears.
9. Do one of the following:
• Click WPA-Personal to use the WPA-Personal security mode. WPA-Personal (also called WPA-PSK) uses a passphrase for authentication. This method is recommended for small, private wireless networks that want to authenticate and encrypt wireless data. Both WPA and the newer, more secure WPA2 (802.11i) will be accepted.
10. Do one of the following:
• To bridge the LAN and WLAN networks so that they appear as a single unified network, click Bridge Mode. Traffic from the WLAN to the LAN will be allowed to pass freely, and the LAN and WLAN will share a single IP address range.
Note: This option creates a bridge called "default-bridge", which includes the WLAN and the LAN.

WPA-Personal
If you chose WPA-Personal, the Wireless Configuration-WPA-Personal dialog box appears. Do the following:
1. In the text box, type the passphrase for accessing the network, or click Random to randomly generate a passphrase. This must be between 8 and 63 characters. It can contain spaces and special characters, and is case-sensitive.
2. Click Next. The Wireless Security Confirmation dialog box appears.
3. Click Next.
4. The Wireless Security Complete dialog box appears.
5. Click Finish. The wizard closes.
6. Prepare the wireless stations.

WEP
If you chose WEP, the Wireless Configuration-WEP dialog box appears. Do the following:
1. Choose a WEP key length. The possible key lengths are:
• 64 Bits - The key length is 10 hexadecimal characters.
• 128 Bits - The key length is 26 hexadecimal characters.
• 152 Bits - The key length is 32 hexadecimal characters.
Some wireless card vendors call these lengths 40/104/128, respectively.
4. Click Next. The Wireless Security Complete dialog box appears.
5. Click Finish. The wizard closes.
6. Prepare the wireless stations.

No Security
The Wireless Security Complete dialog box appears.
• Click Finish. The wizard closes.

Manually Configuring a WLAN
To manually configure a WLAN network
1. Prepare the router for a wireless connection as described in Preparing the Router for a Wireless Connection on page 38.
2.
The Edit Network Settings page appears.
4. In the Mode drop-down list, select Enabled. The fields are enabled.
5. In the IP Address field, type the IP address of the WLAN network's default gateway. The WLAN network must not overlap other networks.
6. In the Subnet Mask field, type the WLAN’s internal network range.
7. If desired, enable or disable Hide NAT. See Enabling/Disabling Hide NAT on page 85.
8. If desired, configure a DHCP server. See Configuring a DHCP Server on page 86.
9. Complete the fields using the information in Basic Wireless Settings Fields on page 126.
10. To configure advanced settings, click Show Advanced Settings and complete the fields using the information in Advanced Wireless Settings Fields on page 131. New fields appear.
11. Click Apply. A warning message appears, telling you that you are about to change your network settings.
12. Click OK. A success message appears.
Note: Some wireless cards have "Infrastructure" and "Ad-hoc" modes. These modes are also called "Access Point" and "Peer to Peer". On the wireless client, choose the "Infrastructure" or "Access Point" mode. You can set the wireless cards to either "Long Preamble" or "Short Preamble".

Table 22: Basic Wireless Settings Fields
In this field… / Do this…
Wireless Settings
Network Name: Type the network name (SSID) that identifies your wireless network.
Operation Mode: Select an operation mode:
• 802.11b (11Mbps). Operates in the 2.4 GHz range and offers a maximum theoretical rate of 11 Mbps. When using this mode, only 802.11b stations will be able to connect.
• 802.11g (54 Mbps). Operates in the 2.4 GHz range, and offers a maximum theoretical rate of 54 Mbps. When using this mode, only 802.11g stations will be able to connect.
• 802.11b/g (11/54 Mbps). Operates in the 2.
Channel: Select the radio frequency to use for the wireless connection:
• Automatic. The ZoneAlarm router automatically selects a channel. This is the default.
• A specific channel. The list of channels is dependent on the selected country and operation mode.
Note: If there is another wireless network in the vicinity, the two networks may interfere with one another.
Require WPA2 (802.11i): Specify whether you want to require wireless stations to connect using WPA2, by selecting one of the following:
• Enabled. Only wireless stations using WPA2 can access the WLAN network.
• Disabled. Wireless stations using either WPA or WPA2 can access the WLAN network. This is the default.
WPA Encryption: Select the encryption method to use for authenticating and encrypting wireless data:
• Auto.
Key 1, 2, 3, 4 length: Select the WEP key length from the drop-down list. The possible key lengths are:
• 64 Bits. The key length is 10 characters.
• 128 Bits. The key length is 26 characters.
• 152 Bits. The key length is 32 characters.
Note: Some wireless card vendors call these lengths 40/104/128, respectively.
Note: WEP is generally considered to be insecure, regardless of the selected key length.
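The two key-format rules stated in this chapter (the wizard's 8 to 63 character WPA-Personal passphrase, and the 10/26/32 hexadecimal character WEP keys above) as validation code, added as an example that is not the router's own software. It also derives the WPA-Personal pairwise master key the way 802.11i specifies (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes), which shows why the router and every station must agree on both the SSID and the passphrase. The 24-bit IV remark in the comments is standard WEP background, not something the manual states.

```python
import hashlib
import string

# Hexadecimal character count of a WEP key -> nominal key length named in the
# manual. The nominal figure counts the 24-bit IV; the secret part is only
# 40/104/128 bits, which is why some vendors quote those numbers instead.
WEP_KEY_LENGTHS = {10: 64, 26: 128, 32: 152}


def validate_wep_key(key_hex: str) -> int:
    """Return the nominal WEP key length in bits, or raise ValueError."""
    if len(key_hex) not in WEP_KEY_LENGTHS:
        raise ValueError("WEP key must be 10, 26 or 32 hexadecimal characters")
    if any(c not in string.hexdigits for c in key_hex):
        raise ValueError("WEP key must contain only hexadecimal characters")
    return WEP_KEY_LENGTHS[len(key_hex)]


def validate_wpa_passphrase(passphrase: str) -> None:
    """Enforce the wizard's rule: 8 to 63 characters, spaces allowed, case-sensitive."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-Personal passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        # 802.11i restricts the passphrase to printable ASCII.
        raise ValueError("WPA-Personal passphrase must be printable ASCII")


def wpa_pairwise_master_key(ssid: str, passphrase: str) -> str:
    """Derive the 256-bit PMK that WPA-Personal stations and the AP share.

    802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The SSID is the salt, so the same passphrase yields a different key on every
    network name; a station configured with the wrong SSID cannot authenticate
    even if its passphrase is right.
    """
    validate_wpa_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32).hex()


if __name__ == "__main__":
    print(validate_wep_key("0123456789abcdef0123456789"))   # constructed key
    # Test vector from the 802.11i standard: SSID "IEEE", passphrase "password".
    print(wpa_pairwise_master_key("IEEE", "password"))
```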
Table 23: Advanced Wireless Settings Fields
In this field… / Do this…
Advanced Security
Hide the Network Name (SSID): Specify whether you want to hide your network's SSID, by selecting one of the following:
• Yes. Hide the SSID. Only devices to which your SSID is known can connect to your network.
• No. Do not hide the SSID. Any device within range can detect your network name and attempt to connect to your network. This is the default.
Wireless Transmitter
Transmission Rate: Select the transmission rate:
• Automatic. The ZoneAlarm router automatically selects a rate. This is the default.
• A specific rate
Transmitter Power: Select the transmitter power. Setting a higher transmitter power increases the access point's range. A lower power reduces interference with other access points in the vicinity. The default value is Full.
Fragmentation Threshold: Type the smallest IP packet size (in bytes) that requires that the IP packet be split into smaller fragments. If you are experiencing significant radio interference, set the threshold to a low value (around 1000), to reduce error penalty and increase overall throughput. Otherwise, set the threshold to a high value (around 2000), to reduce overhead. The default value is 2346.
Extended Range Mode (XR): Specify whether to use Extended Range (XR) mode:
• Disabled. XR mode is disabled.
• Enabled. XR mode is enabled. XR will be automatically negotiated with XR-enabled wireless stations and used as needed. This is the default.
For more information on XR mode, see About the Wireless Hardware in Your Wireless Router on page 114.
Troubleshooting Wireless Connectivity
I cannot connect to the WLAN from a wireless station. What should I do?
• Check that the SSID configured on the station matches the ZoneAlarm router's SSID. The SSID is case-sensitive.
• Check that the encryption settings configured on the station (encryption mode and keys) match the ZoneAlarm router's encryption settings.
• Check the Transmission Power parameter in the WLAN's advanced settings.
• Make sure that you are not using two access points in close proximity and on the same frequency. For minimum interference, channel separation between nearby access points must be at least 25 MHz (5 channels).
• The ZoneAlarm router supports XR (Extended Range) technology. For best range, enable XR mode in the wireless network's advanced settings, and use XR-enabled stations.
Note: Reducing the RTS Threshold and the Fragmentation Threshold too much can have a negative impact on performance.
Note: Setting an RTS Threshold value equal to the Fragmentation Threshold value effectively disables RTS.
I am not getting the full speed. What should I do?
• The actual speed is always less than the theoretical speed, and degrades with distance.
• Read the section about reception problems. Better reception means better speed.
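The 25 MHz (5 channel) separation rule from the troubleshooting list, turned into a small planning check; this is an added example, not a feature of the router. It maps 2.4 GHz channel numbers to their centre frequencies using the IEEE 802.11 channel plan (5 MHz steps from 2412 MHz, with channel 14 at 2484 MHz), flags two access points that sit closer than 25 MHz, and picks the lowest channel that keeps the required distance from every neighbouring access point. The default set of selectable channels (1 to 11) is an assumption; as the Channel field's description says, the real list depends on the selected country and operation mode.

```python
def channel_center_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz 802.11b/g channel (IEEE 802.11 channel plan)."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel       # channel 1 = 2412 MHz, channel 13 = 2472 MHz
    if channel == 14:
        return 2484                     # 802.11b-only channel used in Japan
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def channels_interfere(a: int, b: int, min_separation_mhz: int = 25) -> bool:
    """True if access points on channels a and b are closer than the manual's
    25 MHz minimum and will interfere with one another."""
    return abs(channel_center_mhz(a) - channel_center_mhz(b)) < min_separation_mhz


def pick_channel(neighbour_channels, allowed_channels=range(1, 12)):
    """Lowest allowed channel at least 25 MHz away from every neighbouring
    access point, or None if the band is already full.

    allowed_channels defaults to 1..11 as an assumption; substitute the list
    the router offers for your country and operation mode.
    """
    for candidate in allowed_channels:
        if not any(channels_interfere(candidate, n) for n in neighbour_channels):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed survey of nearby access points (channel numbers seen in a scan).
    neighbours = [1, 11]
    print(channels_interfere(1, 6), channels_interfere(1, 5))   # False True
    print(pick_channel(neighbours))                              # 6
    print(pick_channel([1, 6, 11]))                              # None: three APs fill the band
```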
Chapter 8
Using Bridges
This chapter describes how to connect multiple network segments at the data-link layer, using a bridge.
This chapter includes the following topics:
Overview ..................................................................................................139
Workflow..................................................................................................140
Adding and Editing Bridges .....................................................................
Workflow
• If a host with an IP address outside of the allowed IP address range tries to connect from the LAN network segment, the connection will be blocked and logged as “Spoofed IP”.
• If a host with an IP address within the bridge IP address range tries to connect from a network segment other than the LAN segment, the connection will be blocked and logged as “Spoofed IP”.
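The two anti-spoofing rules above, written out as a check that can be run over a batch of packets; this is an added illustration, not the router's firewall code. It generalises the second rule slightly: an address that belongs to any protected segment's allowed range but arrives on a different segment is treated as spoofed, not only addresses from the LAN range. The segment names, allowed ranges and sample packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    """A bridged network segment. allowed_range is (first, last), or None when
    Bridge Anti-Spoofing is not enabled on that segment."""
    name: str
    allowed_range: Optional[Tuple[str, str]]


@dataclass(frozen=True)
class Packet:
    ingress: str   # name of the segment the frame arrived on
    src_ip: str    # source IP address carried in the frame


def in_range(ip: str, rng: Tuple[str, str]) -> bool:
    first, last = (ipaddress.IPv4Address(x) for x in rng)
    return first <= ipaddress.IPv4Address(ip) <= last


def anti_spoofing_verdict(packet: Packet, segments: List[Segment]) -> Tuple[str, str]:
    """Return ("accept", "") or ("block", "Spoofed IP") for one packet.

    Rule 1 (first bullet): a source address outside the ingress segment's
    allowed range is spoofed.
    Rule 2 (second bullet, generalised to every protected segment): a source
    address that belongs to another segment's allowed range but arrives
    elsewhere is spoofed.
    """
    by_name = {s.name: s for s in segments}
    ingress = by_name[packet.ingress]
    if ingress.allowed_range and not in_range(packet.src_ip, ingress.allowed_range):
        return "block", "Spoofed IP"
    for seg in segments:
        if seg.name != ingress.name and seg.allowed_range \
                and in_range(packet.src_ip, seg.allowed_range):
            return "block", "Spoofed IP"
    return "accept", ""


def blocked_count(packets: List[Packet], segments: List[Segment]) -> int:
    """Number of packets in a batch that would be logged as "Spoofed IP"."""
    return sum(1 for p in packets if anti_spoofing_verdict(p, segments)[0] == "block")


# Constructed sample topology and traffic (not from the manual).
SEGMENTS = [
    Segment("LAN", ("192.168.10.1", "192.168.10.100")),
    Segment("WLAN", ("192.168.10.101", "192.168.10.200")),
    Segment("DMZ", None),   # anti-spoofing not enabled on this segment
]
SAMPLE_PACKETS = [
    Packet("LAN", "192.168.10.5"),     # legitimate LAN host
    Packet("LAN", "192.168.10.150"),   # WLAN address seen on the LAN segment
    Packet("WLAN", "192.168.10.5"),    # LAN address arriving from the WLAN
    Packet("DMZ", "10.0.0.1"),         # unprotected segment, no range enforced
    Packet("DMZ", "192.168.10.5"),     # LAN address arriving from the DMZ
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p.ingress, p.src_ip, *anti_spoofing_verdict(p, SEGMENTS))
    print("blocked:", blocked_count(SAMPLE_PACKETS, SEGMENTS))
```

Note that the DMZ segment, with anti-spoofing off, still cannot be used to inject a LAN address: rule 2 is enforced by the ranges of the other segments, which is the property that makes the bridge's "Spoofed IP" log entries trustworthy.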
Adding and Editing Bridges
To add or edit a bridge
1. Click Network in the main menu, and click the My Network tab. The My Network page appears.
2. Do one of the following:
• To add a bridge, click Add Bridge.
• To edit a bridge, click Edit in the desired bridge's row.
The Bridge Configuration page appears.
3. Complete the fields using the following table.
4. Click Apply. A success message appears.

Table 24: Bridge Configuration Fields
In this field… / Do this…
Network Name: Type a name for the bridge.
Firewall Between Members: Specify whether the firewall should be enabled between networks on this bridge, by selecting one of the following:
• Enabled. The firewall is enabled, and it will inspect traffic between networks on the bridge, enforcing firewall rules and SmartDefense protections. This is the default value.
• Disabled.
Non IP Traffic:
Bridge Priority: Select this bridge's priority. The bridge's priority is combined with a bridged network's MAC address to create the bridge's ID. The bridge with the lowest ID is elected as the root bridge. The other bridges in the tree calculate the shortest distance to the root bridge, in order to eliminate loops in the topology and provide fault tolerance. To increase the chance of this bridge being elected as the root bridge, select a lower priority.
Adding Internal Networks to Bridges
To add an internal network to a bridge
1. Click Network in the main menu, and click the My Network tab. The My Network page appears.
2. Click Edit in the desired network's row.
3. In the Mode drop-down list, select Bridged. New fields appear.
4. Complete these fields as described below. If the assigned bridge uses STP, additional fields appear.
5. Click Apply. A warning message appears.
6. Click OK. A success message appears. In the My Network page, the internal network appears indented under the bridge.

Table 25: Bridged Network Fields
In this field… / Do this…
Assign to Bridge: Select the bridge to which the connection should be assigned.
Bridge Anti-Spoofing: Select this option to enable anti-spoofing. If anti-spoofing is enabled, only IP addresses within the Allowed IP Range can be source IP addresses for packets on this network.
Allowed IP Range: Type the range of IP addresses that should be allowed on this network.
Note: When assigning IP addresses to machines in a bridged network segment, the ZoneAlarm DHCP server allocates only addresses within the allowed IP address range.
Spanning Tree Protocol - Port Priority: Select the port's priority. The port's priority is combined with the port's logical number to create the port's ID. The port with the lowest ID is elected as the root port, which forwards frames out of the bridge. The other ports in the bridge calculate the least-cost path to the root port, in order to eliminate loops in the topology and provide fault tolerance.
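How the Bridge Priority (Table 24) and Port Priority (Table 25) values turn into the identifiers that spanning tree compares, as an added example that is not part of the manual. The bit layout follows IEEE 802.1D, which the manual describes only in words: a bridge ID is the 16-bit priority followed by the 48-bit MAC address, a port ID is the 8-bit priority followed by the 8-bit port number, and in both cases the lowest value wins. The bridge names, MAC addresses and path costs are constructed for the example; the path-cost tie-break in choose_root_port is an assumption about how ports with different costs are ordered, and is not stated on the page.

```python
def bridge_id(priority: int, mac: str) -> int:
    """802.1D bridge ID: 16-bit priority followed by the 48-bit MAC address,
    compared as one 64-bit number. Lower priority wins before the MAC is considered."""
    if not 0 <= priority <= 0xFFFF:
        raise ValueError("bridge priority must fit in 16 bits")
    mac_int = int(mac.replace(":", "").replace("-", ""), 16)
    if mac_int > 0xFFFFFFFFFFFF:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    return (priority << 48) | mac_int


def elect_root_bridge(bridges) -> str:
    """bridges: iterable of (name, priority, mac). The lowest bridge ID becomes root,
    which is why the manual says to pick a lower priority to favour a bridge."""
    return min(bridges, key=lambda b: bridge_id(b[1], b[2]))[0]


def port_id(priority: int, port_number: int) -> int:
    """802.1D port ID: 8-bit priority followed by the 8-bit logical port number."""
    if not 0 <= priority <= 0xFF:
        raise ValueError("port priority must fit in 8 bits")
    if not 1 <= port_number <= 0xFF:
        raise ValueError("port number must be 1..255")
    return (priority << 8) | port_number


def choose_root_port(ports) -> str:
    """ports: iterable of (name, priority, port_number, path_cost_to_root).

    Assumption for this example: the cheapest path to the root is preferred,
    and among equal-cost ports the lowest port ID (the manual's rule) wins.
    """
    return min(ports, key=lambda p: (p[3], port_id(p[1], p[2])))[0]


if __name__ == "__main__":
    # Constructed bridges: equal default priority on A and B, a lowered one on C.
    bridges = [("A", 32768, "00:11:22:33:44:02"),
               ("B", 32768, "00:11:22:33:44:01"),
               ("C", 4096, "00:11:22:33:44:ff")]
    print(elect_root_bridge(bridges))              # C: lowest priority wins despite its MAC
    print(elect_root_bridge(bridges[:2]))          # B: equal priority, lower MAC wins
    ports = [("p1", 128, 1, 19), ("p2", 128, 2, 4), ("p3", 16, 3, 4)]
    print(choose_root_port(ports))                 # p3: same cost as p2, lower port ID
```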
Deleting Bridges
To delete a bridge
1. Remove all internal networks from the bridge, by doing the following for each network:
a. Click Network in the main menu, and click the My Network tab. The My Network page appears.
b. Click Edit in the desired network's row.
c. In the Mode drop-down list, select Enabled.
d. Click Apply.
2. Click Network in the main menu, and click the My Network tab. The My Network page appears.
3. In the desired bridge’s row, click the Erase icon.
Chapter 9
Viewing Reports
This chapter describes the ZoneAlarm Portal reports.
This chapter includes the following topics:
Viewing the Event Log.............................................................................151
Using the Traffic Monitor ........................................................................154
Viewing Computers..................................................................................158
Viewing Connections ......................................
Viewing the Event Log An event marked in Indicates… Green Traffic accepted by the firewall. this color… By default, accepted traffic is not logged. However, such traffic may be logged if specified by a security policy downloaded from your Service Center, or if specified in user-defined rules. In addition, accepted traffic may be logged if SmartDefense protections' Action field is set to "Track" instead of "Block".
To view the event log
1. Click Reports in the main menu, and click the Event Log tab. The Event Log page appears.
2. If an event is highlighted in red, indicating a blocked attack on your network, you can display the attacker's details by clicking the IP address of the attacking machine. The ZoneAlarm router queries the Internet WHOIS server, and a window displays the name of the entity to whom the IP address is registered and their contact information.
   A standard File Download dialog box appears.
   b. Click Save. The Save As dialog box appears.
   c. Browse to a destination directory of your choice.
   d. Type a name for the configuration file and click Save. The *.xls file is created and saved to the specified directory.
5. To clear all displayed events:
   a. Click Clear. A confirmation message appears.
   b. Click OK. All events are cleared.
Using the Traffic Monitor

You can export a detailed traffic report for all enabled networks, using the procedure Exporting General Traffic Reports on page 157.

Viewing Traffic Reports
To view a traffic report
1. Click Reports in the main menu, and click the Traffic tab. The Traffic Monitor page appears.
2. In the Traffic Monitor Report drop-down list, select the network interface for which you want to view a report. The list includes all currently enabled networks.
Note: The firewall blocks broadcast packets used during the normal operation of your network. This may lead to a certain amount of traffic of the type "Traffic blocked by firewall" that appears under normal circumstances and usually does not indicate an attack.

Configuring Traffic Monitor Settings
You can configure the interval at which the ZoneAlarm router should collect traffic data for network traffic reports.
To configure Traffic Monitor settings
1.
4. Click Apply.

Exporting General Traffic Reports
You can export a general traffic report that includes information for all enabled networks to a *.csv (Comma Separated Values) file. You can open and view the file in Microsoft Excel.
To export a general traffic report
1. Click Reports in the main menu, and click the Traffic tab. The Traffic Monitor page appears.
2. Click Export. A standard File Download dialog box appears.
3. Click Save. The Save As dialog box appears.
4.
Viewing Computers

This option allows you to view the currently active computers on your network. The computers are graphically displayed, each with its name, IP address, and settings (DHCP, Static, etc.). You can also view node limit information.
To view the computers
1. Click Reports in the main menu, and click the My Computers tab. The My Computers page appears. If you enabled the wireless network, the wireless stations are shown under the WLAN.
These computers are still protected, but they are blocked from accessing the Internet through the ZoneAlarm router.
Note: Computers that did not communicate through the firewall are not counted for node limit purposes, even though they are protected by the firewall and appear in the My Computers table.
Note: To increase the number of computers allowed by your license, you can upgrade your product. For further information, see Upgrading Your Software Product on page 335.
Viewing Connections

This option allows you to view currently active connections between your networks, as well as those from your networks to the Internet.
To view the active connections
1. Click Reports in the main menu, and click the Connections tab. The Connections page appears. The page displays the information in the following table.
2. To refresh the display, click Refresh.
3. To view information on the destination machine, click its IP address.
Table 28: Connections Fields
This field… / Displays…
Protocol: The protocol used (TCP, UDP, etc.)
Source - IP Address: The source IP address
Source - Port: The source port
Destination - IP Address: The destination IP address
Destination - Port: The destination port
Options: An icon indicating further details:
• The connection is encrypted.
• The connection is being scanned by VStream Antivirus.
Viewing Wireless Statistics

   The Wireless page appears. The page displays the information in the following tables.
2. To refresh the display, click Refresh.
This field… / Displays…
Statistics for WLAN: This information is displayed for the WLAN.
To view statistics for a wireless station
1. Click Reports in the main menu, and click the My Computers tab. The My Computers page appears. The following information appears next to each wireless station:
   • The signal strength in dB
   • A series of bars representing the signal strength
2. Mouse-over the information icon next to the wireless station. A tooltip displays statistics for the wireless station, as described in the following table.
3.
Viewing Wireless Statistics This field… Displays… XR Indicates whether the wireless client supports Extended Range (XR) mode. Possible values are: • yes. The wireless client supports XR mode. • no. The wireless client does not support XR mode.
Chapter 10: Setting Your Security Policy

This chapter describes how to set up your ZoneAlarm router security policy. You can enhance your security policy by subscribing to services such as Web Filtering and Email Filtering. For information on subscribing to services, see Using Subscription Services on page 267. This chapter includes the following topics:
The ZoneAlarm Firewall Security Policy ..... 167
Default Security Policy.
Security Policy Implementation
The key to implementing a network security policy is to understand that a firewall is simply a technical tool that reflects and enforces a network security policy for accessing network resources. A rule base is an ordered set of individual network security rules, against which each attempted connection is checked. Each rule specifies the source, destination, service, and action to be taken for each connection.
• Access from the WAN to network printers is blocked.
These rules are independent of the firewall security level. You can easily override the default security policy, by creating user-defined firewall rules. For further information, see Using Rules on page 172.

Setting the Firewall Security Level
The firewall security level can be controlled using a simple lever available on the Firewall page. You can set the lever to the following states.
This level… / Does this… / Further Details
High: Enforces strict control on all incoming and outgoing connections. All inbound traffic is blocked. Restricts all outbound traffic except for the following: Web traffic (HTTP, HTTPS), email (IMAP, POP3, SMTP), FTP, newsgroups, Telnet, DNS, IPSEC IKE and VPN traffic.
Block All: Blocks all access between the Internet and all networks. All inbound traffic from the Internet and all outbound traffic to the Internet is blocked.
To change the firewall security level
1. Click Security in the main menu, and click the Firewall tab. The Firewall page appears.
2. Drag the security lever to the desired level. The ZoneAlarm router security level changes accordingly.
Using Firewall Rules

The ZoneAlarm router checks the protocol used, the port range, and the destination IP address, when deciding whether to allow or block traffic. User-defined rules have priority over the default security policy rules and provide you with greater flexibility in defining and customizing your security policy.
For example, if you want to block all outgoing FTP traffic, except traffic from a specific IP address, you can create a rule blocking all outgoing FTP traffic and move the rule down in the Rules table. Then create a rule allowing FTP traffic from the desired IP address and move this rule to a higher location in the Rules table than the first rule. In the figure below, the general rule is rule number 2, and the exception is rule number 1.
The following rule types exist:
Table 32: Firewall Rule Types
Rule / Description
Allow and Forward: This rule type enables you to do the following:
• Permit incoming traffic from the Internet to a specific service and destination IP address in your internal network and then forward all such connections to a specific computer in your network. Such rules are called NAT forwarding rules. For example, if the gateway has two public IP addresses, 62.98.112.1 and 62.98.112.
Allow: This rule type enables you to do the following:
• Permit outgoing access from your internal network to a specific service on the Internet.
• Permit incoming access from the Internet to a specific service in your internal network.
Note: You cannot use an Allow rule to permit incoming traffic, if the network or VPN uses Hide NAT. Use an "Allow and Forward" rule instead. However, you can use Allow rules for static NAT IP addresses.
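The following is an added example, not code from the guide or from the ZoneAlarm product: a first-match evaluator that models the rule ordering described above (the FTP exception placed above the general block rule) together with an Allow and Forward rule. The Rule and Connection types, the addresses and the rule numbers are assumptions made for the example.

```python
# Added example (not code from the ZoneAlarm guide): a first-match rule
# base illustrating why an exception rule must sit above the general rule.
# Addresses, rule numbers and the Rule/Connection types are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow", "block" or "allow_and_forward"
    protocol: str                 # "tcp", "udp" or "any"
    ports: Tuple[int, int]        # inclusive destination port range
    source: str                   # CIDR or "any"
    destination: str              # CIDR or "any"
    forward_to: Optional[str] = None   # internal host for allow_and_forward


@dataclass(frozen=True)
class Connection:
    protocol: str
    dst_port: int
    src_ip: str
    dst_ip: str


def _in_scope(ip: str, spec: str) -> bool:
    """A source/destination spec of "any" matches everything; otherwise the
    address must fall inside the given network (a /32 is a single host)."""
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, conn: Connection) -> bool:
    if rule.protocol != "any" and rule.protocol != conn.protocol:
        return False
    low, high = rule.ports
    if not low <= conn.dst_port <= high:
        return False
    return _in_scope(conn.src_ip, rule.source) and _in_scope(conn.dst_ip, rule.destination)


def evaluate(rules: List[Rule], conn: Connection, default: str = "allow"):
    """Walk the Rules table top-down; the first matching rule decides.
    Returns (action, forward_to, rule_number), where rule_number is the
    1-based position in the table, or None when no user-defined rule matched
    and the default policy (here assumed to be "allow") applies."""
    for number, rule in enumerate(rules, start=1):
        if rule_matches(rule, conn):
            return rule.action, rule.forward_to, number
    return default, None, None


# Constructed rule table: rule 1 is the exception, rule 2 the general rule.
FTP = (21, 21)
EXCEPTION = Rule("allow", "tcp", FTP, "192.168.10.5/32", "any")
BLOCK_FTP = Rule("block", "tcp", FTP, "any", "any")
# Allow and Forward: inbound HTTP to a public address handed to an internal host.
FORWARD_WEB = Rule("allow_and_forward", "tcp", (80, 80), "any",
                   "203.0.113.10/32", forward_to="192.168.10.20")
RULES = [EXCEPTION, BLOCK_FTP, FORWARD_WEB]

# The same two FTP rules in the wrong order: the general rule shadows the exception.
WRONG_ORDER = [BLOCK_FTP, EXCEPTION]

if __name__ == "__main__":
    allowed_host = Connection("tcp", 21, "192.168.10.5", "198.51.100.7")
    other_host = Connection("tcp", 21, "192.168.10.9", "198.51.100.7")
    inbound_web = Connection("tcp", 80, "198.51.100.7", "203.0.113.10")
    print(evaluate(RULES, allowed_host))        # ('allow', None, 1)
    print(evaluate(RULES, other_host))          # ('block', None, 2)
    print(evaluate(RULES, inbound_web))         # ('allow_and_forward', '192.168.10.20', 3)
    print(evaluate(WRONG_ORDER, allowed_host))  # ('block', None, 1): exception never reached
```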
Adding and Editing Firewall Rules
To add or edit a firewall rule
1. Click Security in the main menu, and click the Rules tab. The Rules page appears.
2. Do one of the following:
   • To add a new rule, click Add Rule.
   • To edit an existing rule, click the Edit icon next to the desired rule.
   The ZoneAlarm Firewall Rule wizard opens, with the Step 1: Rule Type dialog box displayed.
3. Select the type of rule you want to create.
4. Click Next. The Step 2: Service dialog box appears. The example below shows an Allow and Forward rule.
5. Complete the fields using the relevant information in the following table.
6. Click Next. The Step 3: Destination & Source dialog box appears.
7. To configure advanced settings, click Show Advanced Settings. New fields appear.
8. Complete the fields using the relevant information in the following table.
9. Click Next. The Step 4: Rule Options dialog box appears.
10. Complete the fields using the relevant information in the following table.
11. Click Next.
   The Step 5: Done dialog box appears.
12. If desired, type a description of the rule in the field provided.
13. Click Finish. The new rule appears in the Rules page.

Table 33: Firewall Rule Fields
In this field… / Do this…
Any Service: Click this option to specify that the rule should apply to any service.
Standard Service: Click this option to specify that the rule should apply to a specific standard service or a network service object.
Protocol: Select the protocol for which the rule should apply (ESP, GRE, TCP, UDP, ICMP, IGMP, or OSPF). To specify that the rule should apply for any protocol, select ANY. To specify a protocol by number, select Other. The Protocol Number field appears.
Port Range: To specify the port range to which the rule applies, type the start port number in the left text box, and the end port number in the right text box.
Destination: Select the destination of the connections you want to allow or block. To specify an IP address, select Specified IP and type the desired IP address in the text box. To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided. To specify the ZoneAlarm IP address, select This Gateway. To specify any destination except the ZoneAlarm Portal and network printers, select ANY.
Log accepted connections / Log blocked connections: Select this option to log the specified blocked or allowed connections. By default, accepted connections are not logged, and blocked connections are logged. You can modify this behavior by changing the check box's state.

Enabling/Disabling Firewall Rules
You can temporarily disable a user-defined rule.
To enable/disable a firewall rule
1. Click Security in the main menu, and click the Rules tab.
Changing Firewall Rules' Priority
To change a firewall rule's priority
1. Click Security in the main menu, and click the Rules tab. The Rules page appears.
2. Do one of the following:
   • Click the icon next to the desired rule, to move the rule up in the table.
   • Click the icon next to the desired rule, to move the rule down in the table.
   The rule's priority changes accordingly.

Viewing and Deleting Firewall Rules
To view or delete an existing firewall rule
1.
Configuring Servers

Note: If you do not intend to host any public Internet servers in your network (such as a Web Server, Mail Server, or an exposed host), you can skip this section.
The ZoneAlarm router enables you to configure the following types of public Internet servers:
• Servers for specific services. You can allow all incoming connections of a specific service and forward them to a particular host in your network.
To allow services to be run on a specific host
1. Click Security in the main menu, and click the Servers tab. The Servers page appears, displaying a list of services and a host IP address for each allowed service.
2. Complete the fields using the information in the following table.
3. Click Apply. A success message appears.

Table 34: Servers Page Fields
In this column… / Do this…
Allow: Select the check box next to the public server you want to configure.
Host IP: Type the IP address of the computer that will run the service (one of your network computers), or click the corresponding This Computer button to allow your computer to host the service.
VPN Only: Select this option to allow only connections made through a VPN.
To stop the forwarding of services to a specific host
1. Click Security in the main menu, and click the Servers tab. The Servers page appears.
2. In the desired server's row, click Clear.
Using Web Rules

Note: Web rules differ from the Web Filtering subscription service in the following ways:
• The Web Filtering service is subscription-based and requires a connection to the Service Center, while Web rules are included with the ZoneAlarm router.
• The Web Filtering service is centralized, extracting URLs from HTTP requests and sending the URLs to the Service Center to determine whether they should be blocked or allowed. With Web rules, HTTP requests are analyzed in the gateway itself.
For example, if you want to block all the pages of a particular Web site, except a specific page, you can create a rule blocking access to all of the Web site's pages and move the rule down in the Web Rules table. Then create a rule allowing access to the desired page and move this rule to a higher location in the Web Rules table than the first rule. In the figure below, the general rule is rule number 2, and the exception is rule number 1.
Adding and Editing Web Rules
To add or edit a Web rule
1. Click Security in the main menu, and click the Web Rules tab. The Web Rules page appears.
2. Do one of the following:
   • To add a new rule, click Add Rule.
   • To edit an existing rule, click the Edit icon next to the desired rule.
   The ZoneAlarm Web Rule Wizard opens, with the Step 1: Rule Type dialog box displayed.
3. Select the type of rule you want to create.
4. Click Next. The Step 2: Rule Location dialog box appears. The example below shows a Block rule.
5. Complete the fields using the relevant information in the following table.
6. Click Next. The Step 3: Confirm Rule dialog box appears.
7. Click Finish. The new rule appears in the Web Rules page.
Table 36: Web Rules Fields
In this field… / Do this…
Block/Allow access to the following URL: Type the URL or IP address to which the rule should apply. Wildcards (*) are supported. For example, to block all URLs that start with "http://www.casino-", set this field's value to: http://www.casino-*
Note: If you block a Web site based on its domain name (http://), the Web site is not automatically blocked when surfing to the Web server's IP address (http://).
Changing Web Rules' Priority
To change a Web rule's priority
1. Click Security in the main menu, and click the Web Rules tab. The Web Rules page appears.
2. Do one of the following:
   • Click the icon next to the desired rule, to move the rule up in the table.
   • Click the icon next to the desired rule, to move the rule down in the table.
   The rule's priority changes accordingly.

Viewing and Deleting Web Rules
To view or delete an existing Web rule
1.
Customizing the Access Denied Page
The Access Denied page appears when a user attempts to access a page that is blocked either by a Web rule or by the Web Filtering service. You can customize this page using the following procedure. For information on the Web Filtering service, see Web Filtering on page 276.
To customize the Access Denied page
1. Do one of the following:
   • Click Security in the main menu, and click the Web Rules tab. The Web Rules page appears.
   •
2.
   You can use HTML tags as needed.
4. To display the Access Denied page using HTTPS, select the Use HTTPS check box.
5. To preview the Access Denied page, click Preview. A browser window opens displaying the Access Denied page.
6. Click Apply. Your changes are saved.
Chapter 11: Using SmartDefense

This chapter explains how to use Check Point SmartDefense Services. This chapter includes the following topics:
Overview ..... 197
Configuring SmartDefense ..... 198
SmartDefense Categories ..... 205
Resetting SmartDefense to its Defaults ........
Configuring SmartDefense

You can configure SmartDefense using the following tools:
• SmartDefense Wizard. Resets all SmartDefense settings to their defaults, and then creates a SmartDefense security policy according to your network and security preferences. See Using the SmartDefense Wizard on page 198.
• SmartDefense Tree. Enables you to fine tune individual settings in the SmartDefense policy. You can use the SmartDefense tree instead of, or in addition to, the wizard.
   The SmartDefense page appears.
2. Click SmartDefense Wizard. The SmartDefense Wizard opens, with the Step 1: SmartDefense Level dialog box displayed.
3. Drag the lever to the desired level of SmartDefense enforcement.
   For information on the levels, see the following table.
4. Click Next. The Step 2: Application Intelligence Server Types dialog box appears.
5. Select the check boxes next to the types of public servers that are running on your network.
6. Click Next. The Step 3: Application Blocking dialog box appears.
7. Select the check boxes next to the types of applications you want to block from running on your network.
8. Click Next. The Step 4: Confirmation dialog box appears.
9. Click Finish. Existing SmartDefense settings are cleared, and the security policy is applied.
Table 37: SmartDefense Security Levels
This level… / Does this…
Minimal: Disables all SmartDefense protections, except those that cannot be disabled.
Normal: Enables the following:
• Teardrop
• Ping of Death
• LAND
• Packet Sanity
• Max Ping Size (set to 1500)
• Welchia
• Cisco IOS
• Null Payload
• IGMP
• Small PMTU (Log Only)
This level blocks the most common attacks.
Using the SmartDefense Tree
For convenience, SmartDefense is organized as a tree, in which each branch represents a category of settings. When a category is expanded, the settings it contains appear as nodes. For information on each category and the nodes it contains, see SmartDefense Categories on page 205. Each node represents an attack type, a sanity check, or a protocol or service that is vulnerable to attacks.
To configure a SmartDefense node
1. Click Security in the main menu, and click the SmartDefense tab. The SmartDefense page appears. The left pane displays a tree containing SmartDefense categories.
   • To expand a category, click the icon next to it.
   • To collapse a category, click the icon next to it.
2. Expand the relevant category, and click on the desired node. The right pane displays a description of the node, followed by fields.
3.
   a) Click Default. A confirmation message appears.
   b) Click OK. The fields are reset to their default values, and your changes are saved.
SmartDefense Categories

Teardrop
In a Teardrop attack, the attacker sends two IP fragments, the latter entirely contained within the former. This causes some computers to allocate too much memory and crash. You can configure how Teardrop attacks should be handled.
Table 38: Teardrop Fields
In this field… / Do this…
Action: Specify what action to take when a Teardrop attack occurs, by selecting one of the following:
• Block. Block the attack. This is the default.
• None. No action.
Track:
Ping of Death
In a Ping of Death attack, the attacker sends a fragmented PING request that exceeds the maximum IP packet size (64KB). Some operating systems are unable to handle such requests and crash. You can configure how Ping of Death attacks should be handled.
Table 39: Ping of Death Fields
In this field… / Do this…
Action: Specify what action to take when a Ping of Death attack occurs, by selecting one of the following:
• Block. Block the attack. This is the default.
Track:
LAND
In a LAND attack, the attacker sends a SYN packet, in which the source address and port are the same as the destination (the victim computer). The victim computer then tries to reply to itself and either reboots or crashes. You can configure how LAND attacks should be handled.
Table 40: LAND Fields
In this field… / Do this…
Action: Specify what action to take when a LAND attack occurs, by selecting one of the following:
• Block. Block the attack.
Track:
Non-TCP Flooding
Advanced firewalls maintain state information about connections in a State table. In Non-TCP Flooding attacks, the attacker sends high volumes of non-TCP traffic. Since such traffic is connectionless, the related state information cannot be cleared or reset, and the firewall State table is quickly filled up. This prevents the firewall from accepting new connections and results in a Denial of Service (DoS).
Max. Percent Non-TCP Traffic: Type the maximum percentage of state table capacity allowed for non-TCP connections. The default value is 10%.

DDoS Attack
In a distributed denial-of-service attack (DDoS attack), the attacker directs multiple hosts in a coordinated attack on a victim computer or network. The attacking hosts send large amounts of spurious data to the victim, so that the victim is no longer able to respond to legitimate service requests.
Table 42: Distributed Denial of Service Fields
In this field… / Do this…
Action: Specify what action to take when a DDoS attack occurs, by selecting one of the following:
• Block. Block the attack. This is the default.
• None. No action.
Track: Specify whether to log DDoS attacks, by selecting one of the following:
• Log. Log the attack. This is the default.
• None. Do not log the attack.
Packet Sanity
Packet Sanity performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags. You can configure whether logs should be issued for offending packets.
Table 43: Packet Sanity Fields
In this field… / Do this…
Action: Specify what action to take when a packet fails a sanity test, by selecting one of the following:
• Block. Block the packet. This is the default.
Track:
Disable relaxed UDP length verification: The UDP length verification sanity check measures the UDP header length and compares it to the UDP header length specified in the UDP header. If the two values differ, the packet may be corrupted. However, since different applications may measure UDP header length differently, the ZoneAlarm router relaxes the UDP length verification sanity check by default, performing the check but not dropping offending packets.
Max Ping Size
PING (ICMP echo request) is a program that uses the ICMP protocol to check whether a remote machine is up. A request is sent by the client, and the server responds with a reply echoing the client's data. An attacker can echo the client with a large amount of data, causing a buffer overflow. You can protect against such attacks by limiting the allowed size for ICMP echo requests.
Max Ping Size: Specify the maximum data size for ICMP echo response. The default value is 1500.

IP Fragments
When an IP packet is too big to be transported by a network link, it is split into several smaller IP packets and transmitted in fragments. To conceal a known attack or exploit, an attacker might imitate this common behavior and break the data section of a single packet into several fragmented packets.
Table 45: IP Fragments Fields
In this field… / Do this…
Forbid IP Fragments: Specify whether all fragmented packets should be dropped, by selecting one of the following:
• True. Drop all fragmented packets.
• False. No action. This is the default.
Under normal circumstances, it is recommended to leave this field set to False. Setting this field to True may disrupt Internet connectivity, because it does not allow any fragmented packets.
Network Quota
An attacker may try to overload a server in your network by establishing a very large number of connections per second. To protect against Denial Of Service (DoS) attacks, Network Quota enforces a limit upon the number of connections per second that are allowed from the same source IP address. You can configure how connections that exceed that limit should be handled.
Max. Connections/Second from Same Source IP: Type the maximum number of network connections allowed per second from the same source IP address. The default value is 100. Set a lower threshold for stronger protection against DoS attacks.
Note: Setting this value too low can lead to false alarms.

Welchia
The Welchia worm uses the MS DCOM vulnerability or a WebDAV vulnerability.
Table 47: Welchia Fields
In this field… / Do this…
Action: Specify what action to take when the Welchia worm is detected, by selecting one of the following:
• Block. Block the attack. This is the default.
• None. No action.
Track: Specify whether to log Welchia worm attacks, by selecting one of the following:
• Log. Log the attack. This is the default.
• None. Do not log the attack.
Table 48: Cisco IOS DOS
In this field… / Do this…
Action: Specify what action to take when a Cisco IOS DOS attack occurs, by selecting one of the following:
• Block. Block the attack. This is the default.
• None. No action.
Track: Specify whether to log Cisco IOS DOS attacks, by selecting one of the following:
• Log. Log the attack. This is the default.
• None. Do not log the attack.
Number of Hops to Protect:
Null Payload
Some worms, such as Sasser, use ICMP echo request packets with null payload to detect potentially vulnerable hosts. You can configure how null payload ping packets should be handled.
Table 49: Null Payload Fields
In this field… / Do this…
Action: Specify what action to take when null payload ping packets are detected, by selecting one of the following:
• Block. Block the packets. This is the default.
• None. No action.
Track:
Checksum Verification
SmartDefense identifies any IP, TCP, or UDP packets with incorrect checksums. You can configure how these packets should be handled.
Table 50: Checksum Verification Fields
In this field… / Do this…
Action: Specify what action to take when packets with incorrect checksums are detected, by selecting one of the following:
• Block. Block the packets. This is the default.
• None. No action.
Track:
TCP
This category allows you to configure various protections related to the TCP protocol. It includes the following:
• Flags on page 229
• Sequence Verifier on page 228
• Small PMTU on page 224
• Strict TCP on page 223
• SynDefender on page 226

Strict TCP
Out-of-state TCP packets are SYN-ACK or data packets that arrive out of order, before the TCP SYN packet.
Table 51: Strict TCP
In this field… / Do this…
Action: Specify what action to take when an out-of-state TCP packet arrives, by selecting one of the following:
• Block. Block the packets.
• None. No action. This is the default.
Track: Specify whether to log out-of-state TCP packets, by selecting one of the following:
• Log. Log the packets. This is the default.
• None. Do not log the packets.
Table 52: Small PMTU Fields
In this field… / Do this…
Action: Specify what action to take when a packet is smaller than the Minimal MTU Size threshold, by selecting one of the following:
• Block. Block the packet.
• None. No action. This is the default.
Track: Specify whether to issue logs for packets that are smaller than the Minimal MTU Size threshold, by selecting one of the following:
• Log. Issue logs. This is the default.
• None. Do not issue logs.
SynDefender
In a SYN attack, the attacker sends many SYN packets without finishing the three-way handshake. This causes the attacked host to be unable to accept new connections. You can protect against this attack by specifying a maximum amount of time for completing handshakes.
Table 53: SynDefender Fields
In this field… / Do this…
Action: Specify what action to take when a SYN attack occurs, by selecting one of the following:
• Block. Block the packet. This is the default.
Log Mode: Specify upon which events logs should be issued, by selecting one of the following:
• None. Do not issue logs.
• Log per attack. Issue logs for each SYN attack. This is the default.
• Log individual unfinished handshakes. Issue logs for each incomplete handshake.
This field is only relevant if the Track field is set to Log.
Sequence Verifier
The ZoneAlarm router examines each TCP packet's sequence number and checks whether it matches a TCP connection state. You can configure how the router handles packets that match a TCP connection in terms of the TCP session but have incorrect sequence numbers.
Table 54: Sequence Verifier
In this field… / Do this…
Action: Specify what action to take when TCP packets with incorrect sequence numbers arrive, by selecting one of the following:
• Block.
Track:
Flags
The URG flag is used to indicate that there is urgent data in the TCP stream, and that the data should be delivered with high priority. Since handling of the URG flag is inconsistent between different operating systems, an attacker can use the URG flag to conceal certain attacks. You can configure how the URG flag should be handled.
Port Scan
An attacker can perform a port scan to determine whether ports are open and vulnerable to an attack. This is most commonly done by attempting to access a port and waiting for a response. The response indicates whether or not the port is open. This category includes the following types of port scans:
• Host Port Scan. The attacker scans a specific host's ports to determine which of the ports are open.
• Sweep Scan.
SmartDefense Categories Table 56: Port Scan Fields In this field… Do this… Number of ports SmartDefense detects ports scans by measuring the number of ports accessed accessed over a period of time. The number of ports accessed must exceed the Number of ports accessed value, within the number of seconds specified by the In a period of [seconds] value, in order for SmartDefense to consider the activity a scan.
SmartDefense Categories In this field… Do this… Track Specify whether to issue logs for scans, by selecting one of the following: • Log. Issue logs. This is the default. • None. Do not issue logs. This is the default. Detect scans Specify whether to detect only scans originating from the Internet, by from Internet only selecting one of the following: • False. Do not detect only scans from the Internet. This is the default. • True. Detect only scans from the Internet.
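The following is an added example, not code from the ZoneAlarm router: a detector that applies the Table 56 rule to connection records, reporting a source once it touches more than the configured number of distinct ports on one host inside the sliding time window, and honouring the "Detect scans from Internet only" option. The log line format, the threshold of 20 ports in 10 seconds and the internal network range 192.168.0.0/16 are assumptions made for this illustration, and the log lines are constructed.

```python
"""Added example, not code from the ZoneAlarm router: a port-scan detector
implementing the Table 56 rule, i.e. a source is reported when it reaches
more than `ports_threshold` distinct ports on one host within `period`
seconds. The 'Detect scans from Internet only' option is modelled by the
`internet_only` flag with an assumed internal network of 192.168.0.0/16, and
the log lines below are constructed for this example."""
import ipaddress
from collections import defaultdict, deque

INTERNAL = ipaddress.ip_network("192.168.0.0/16")   # assumed LAN range


class PortScanDetector:
    def __init__(self, ports_threshold=20, period=10.0, internet_only=False):
        self.ports_threshold = ports_threshold    # "Number of ports accessed"
        self.period = period                      # "In a period of [seconds]"
        self.internet_only = internet_only
        self.events = defaultdict(deque)          # (src, dst) -> (time, port), oldest first
        self.alerts = []                          # (src, dst, distinct ports, time)

    def observe(self, t: float, src: str, dst: str, port: int) -> bool:
        """Record one connection attempt; return True if it completes a scan."""
        if self.internet_only and ipaddress.ip_address(src) in INTERNAL:
            return False
        q = self.events[(src, dst)]
        q.append((t, port))
        while q and t - q[0][0] > self.period:    # slide the time window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > self.ports_threshold:
            self.alerts.append((src, dst, len(distinct), t))
            q.clear()                             # one alert per burst
            return True
        return False


def parse_line(line: str) -> tuple:
    """Parse a constructed 'key=value' log line into (t, src, dst, dport)."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return float(kv["t"]), kv["src"], kv["dst"], int(kv["dport"])


SAMPLE_LOG = (
    # an Internet host touching 25 ports in 2.5 seconds: a scan
    [f"t={i * 0.1:.1f} src=203.0.113.9 dst=192.168.1.10 dport={1000 + i}" for i in range(25)]
    # a LAN host reusing a single port 30 times: not a scan
    + [f"t={i * 0.1:.1f} src=192.168.1.20 dst=192.168.1.10 dport=445" for i in range(30)]
    # a LAN host probing 25 ports over 50 seconds: too slow for the window
    + [f"t={i * 2.0:.1f} src=192.168.1.30 dst=192.168.1.10 dport={2000 + i}" for i in range(25)]
    # a LAN host scanning fast: caught unless internet_only is set
    + [f"t={i * 0.1:.1f} src=192.168.1.40 dst=192.168.1.10 dport={3000 + i}" for i in range(25)]
)


def run(internet_only: bool = False) -> list:
    """Replay the sample log and return the alerts raised."""
    det = PortScanDetector(ports_threshold=20, period=10.0, internet_only=internet_only)
    for line in SAMPLE_LOG:
        det.observe(*parse_line(line))
    return det.alerts
```

Counting distinct ports rather than connection attempts is what keeps the host that hammers port 445 from being reported, and the sliding window is what lets the slow scanner (one port every two seconds) evade this rule; lowering the threshold or widening the period trades that evasion against false positives from busy legitimate hosts.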
FTP Bounce
When connecting to an FTP server in active mode, the client sends a PORT command specifying the IP address and port to which the FTP server should connect and send data. An FTP Bounce attack is when an attacker sends a PORT command specifying the IP address of a third party instead of the attacker's own IP address. The FTP server then opens the data connection to the victim machine, so the server acts as a proxy for the attacker's traffic. You can configure how FTP bounce attacks should be handled.

Block Known Ports
You can choose to block the FTP server from connecting to well-known ports.
Note: Known ports are published ports associated with services (for example, SMTP is port 25).
This provides a second layer of protection against FTP bounce attacks, by preventing such attacks from reaching well-known ports.

Block Port Overflow
FTP clients send PORT commands when connecting to the FTP server. A PORT command consists of six comma-separated numbers between 0 and 255: the four octets of the IP address, followed by the high and low bytes of the port number. To enforce compliance with the FTP standard and prevent potential attacks against the FTP server, you can block PORT commands that contain a number greater than 255.
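The following is an added example, not code from the ZoneAlarm router: a filter for client-side FTP commands that applies the three PORT protections above (bounce, known ports, port overflow) and also a blocked-command list of the kind described in the next section. Assumptions for this illustration: the client's address is taken from the control connection, "well-known" means ports below 1024, and BLOCKED_COMMANDS is a constructed placeholder list, not the product's default.

```python
"""Added example, not code from the ZoneAlarm router: an FTP command filter
that applies the protections described above, FTP bounce, Block Known Ports
and Block Port Overflow, together with a blocked-command list. Assumptions
for this illustration: the client's address is taken from the control
connection, 'well-known' means ports below 1024, and BLOCKED_COMMANDS is a
constructed placeholder list rather than the product's default."""
import re

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
BLOCKED_COMMANDS = {"SITE", "XCWD", "XMKD"}      # constructed example list


def check_ftp_command(line: str, client_ip: str, block_known_ports: bool = True,
                      block_port_overflow: bool = True,
                      blocked: set = BLOCKED_COMMANDS) -> tuple:
    """Return ('allow' | 'block', reason) for one client-to-server command line."""
    parts = line.split(None, 1)
    verb = parts[0].upper() if parts else ""
    if verb in blocked:
        return "block", f"command {verb} is on the blocked list"
    if verb != "PORT":
        return "allow", "not a PORT command"
    m = PORT_RE.match(line)
    if not m:
        return "block", "malformed PORT command"
    nums = [int(x) for x in m.groups()]
    # RFC 959: h1,h2,h3,h4,p1,p2 are byte values; anything above 255 is not valid
    if block_port_overflow and any(n > 255 for n in nums):
        return "block", "PORT value exceeds 255 (port overflow)"
    target_ip = ".".join(str(n) for n in nums[:4])
    target_port = nums[4] * 256 + nums[5]
    # Bounce: the data connection must go back to the client itself
    if target_ip != client_ip:
        return "block", f"FTP bounce: PORT targets {target_ip}, client is {client_ip}"
    # Known ports: the server must not be told to connect to a service port
    if block_known_ports and target_port < 1024:
        return "block", f"data port {target_port} is a well-known port"
    return "allow", f"data connection to {target_ip}:{target_port}"


def demo(client_ip: str = "10.0.0.5") -> list:
    """Constructed command lines from the client at client_ip; returns the verdicts."""
    lines = [
        "PORT 10,0,0,5,156,64",        # legitimate: client's own 10.0.0.5:40000
        "PORT 192,0,2,10,0,25",        # bounce: server would connect to 192.0.2.10:25
        "PORT 10,0,0,5,0,80",          # own address, but well-known port 80
        "PORT 10,0,0,5,300,1",         # overflow: 300 is not a byte value
        "SITE EXEC id",                # on the blocked list
        "RETR report.txt",             # ordinary command
    ]
    return [check_ftp_command(l, client_ip)[0] for l in lines]
```

The bounce check alone already stops the second line; the known-ports check matters when the attacker is on the same machine as a listening service, or when the bounce check is relaxed for multi-homed clients, which is why the guide describes it as a second layer.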
Blocked FTP Commands
Some seldom-used FTP commands may compromise FTP server security and integrity. You can specify which FTP commands should be allowed to pass through the security server, and which should be blocked.

To enable FTP command blocking
• In the Action drop-down list, select Block.
The FTP commands listed in the Blocked Commands box will be blocked.
FTP command blocking is enabled by default.

To allow a specific FTP command
1. In the Blocked Commands box, select the desired FTP command.
2. Click Accept.
The FTP command appears in the Allowed Commands box.
3. Click Apply.
The FTP command will be allowed, regardless of whether FTP command blocking is enabled or disabled.

HTTP
This category allows you to configure various protections related to the HTTP protocol.
Table 60: Header Rejection Fields
In this field… Do this…
Action: Specify what action to take when an HTTP header-based exploit is detected, by selecting one of the following:
• Block. Block the attack.
• None. No action. This is the default.
Track: Specify whether to log HTTP header-based exploits, by selecting one of the following:
• Log. Log the attack.
• None. Do not log the attack. This is the default.
HTTP header values: Select the HTTP header values to detect.

Table 61: Worm Catcher Fields
In this field… Do this…
Action: Specify what action to take when an HTTP-based worm attack is detected, by selecting one of the following:
• Block. Block the attack.
• None. No action. This is the default.
Track: Specify whether to log HTTP-based worm attacks, by selecting one of the following:
• Log. Log the attack.
• None. Do not log the attack. This is the default.
HTTP-based worm patterns list: Select the worm patterns to detect.

In each node, you can configure how peer-to-peer connections of the selected type should be handled, using the following table.

Table 62: Peer to Peer Fields
In this field… Do this…
Action: Specify what action to take when a connection is attempted, by selecting one of the following:
• Block. Block the connection.
• None. No action. This is the default.
Track: Specify whether to log peer-to-peer connections, by selecting one of the following:
• Log. Log the connection.
Block masquerading over HTTP protocol: Specify whether to block use of the peer-to-peer application over HTTP, by selecting one of the following:
• Block. Block use of the application over HTTP. This is the default.
• None. Do not block use of the application over HTTP.
This field is not relevant for eMule and Winny.

Microsoft Networks
This category includes File and Print Sharing.

Table 63: File and Print Sharing Fields
In this field… Do this…
Action: Specify what action to take when a CIFS worm attack is detected, by selecting one of the following:
• Block. Block the attack.
• None. No action. This is the default.
Track: Specify whether to log CIFS worm attacks, by selecting one of the following:
• Log. Log the attack.
• None. Do not log the attack. This is the default.
CIFS worm patterns list: Select the worm patterns to detect.
IGMP
This category includes the IGMP protocol. IGMP is used by hosts and routers to dynamically register and discover multicast group membership. Attacks on the IGMP protocol usually target a vulnerability in the multicast routing software/hardware used, by sending specially crafted IGMP packets. You can configure how IGMP attacks should be handled.

In this field… Do this…
Enforce IGMP to multicast addresses: According to the IGMP specification, IGMP packets must be sent to multicast addresses. Sending IGMP packets to a unicast or broadcast address might constitute an attack; therefore the ZoneAlarm router blocks such packets. Specify whether to allow or block IGMP packets that are sent to non-multicast addresses, by selecting one of the following:
• Block. Block IGMP packets that are sent to non-multicast addresses.

Note: SmartDefense can detect instant messaging traffic regardless of the TCP port being used to initiate the session.
Note: Skype versions up to 2.0.0.103 are supported.
In each node, you can configure how instant messaging connections of the selected type should be handled, using the following table.

In this field… Do this…
Block proprietary protocol: Specify whether proprietary protocols should be blocked on all ports, by selecting one of the following:
• Block. Block the proprietary protocol on all ports. This in effect prevents all communication using this instant messenger application. This is the default.
• None. Do not block the proprietary protocol on all ports.
Chapter 12
Using VStream Antivirus
This chapter explains how to use the VStream Antivirus engine to block security threats before they reach your network.
This chapter includes the following topics:
Overview, page 247
Enabling/Disabling VStream Antivirus, page 249
Viewing VStream Antivirus Signature Database Information

Overview
Table 66: VStream Antivirus Actions
If a virus is found in this protocol… on this port… VStream Antivirus does this…

Enabling/Disabling VStream Antivirus
If you are subscribed to the VStream Antivirus subscription service, VStream Antivirus virus signatures are automatically updated, so that security is always up-to-date, and your network is always protected.

2. Drag the On/Off lever upwards or downwards.
VStream Antivirus is enabled/disabled for all internal network computers.

Viewing VStream Antivirus Signature Database Information
VStream Antivirus maintains two databases: a daily database and a main database. The daily database is updated frequently with the newest virus signatures. Periodically, the contents of the daily database are moved to the main database, leaving the daily database empty.

Configuring VStream Antivirus
You can configure VStream Antivirus in the following ways:
• Configuring the VStream Antivirus Policy on page 251
• Configuring VStream Antivirus Advanced Settings on page 261

Configuring the VStream Antivirus Policy
VStream Antivirus includes a flexible mechanism that allows the user to define exactly which traffic should be scanned, by specifying the protocol, ports, and source and destination IP addresses.
The ZoneAlarm router processes rules in order and applies the first rule that matches: it will process rule 1 first, passing outgoing SMTP traffic from the specified IP address, and only then process rule 2, scanning all other outgoing SMTP traffic. A Pass rule placed below a broader Scan rule therefore never takes effect. The following rule types exist:

Table 68: VStream Antivirus Rule Types
Rule Description
Pass: This rule type enables you to specify that VStream Antivirus should not scan traffic matching the rule.

The Antivirus Policy page appears.
2. Do one of the following:
• To add a new rule, click Add Rule.
• To edit an existing rule, click the Edit icon next to the desired rule.
The VStream Policy Rule Wizard opens, with the Step 1: Rule Type dialog box displayed.
3. Select the type of rule you want to create.
4. Click Next.
The Step 2: Service dialog box appears. The example below shows a Scan rule.
5. Complete the fields using the relevant information in the following table.
6. Click Next.
The Step 3: Destination & Source dialog box appears.
7. To configure advanced settings, click Show Advanced Settings.
New fields appear.
8. Complete the fields using the relevant information in the following table.
9. Click Next.
The Step 4: Done dialog box appears.
10. If desired, type a description of the rule in the field provided.
11. Click Finish.
The new rule appears in the Antivirus Policy page.

Table 69: VStream Antivirus Rule Fields
In this field… Do this…
Any Service: Click this option to specify that the rule should apply to any service.
Standard Service: Click this option to specify that the rule should apply to a specific standard service or network service object.
Protocol: Select the protocol (TCP, UDP, or ANY) for which the rule should apply.
Port Range: To specify the port range to which the rule applies, type the start port number in the left text box, and the end port number in the right text box.
Note: If you do not enter a port range, the rule will apply to all ports. If you enter only one port number, the range will include only that port.
Data Direction: Select the direction of connections to which the rule should apply:
• Download and Upload data. The rule applies to downloaded and uploaded data. This is the default.
• Download data. The rule applies to downloaded data, that is, data flowing from the destination of the connection to the source of the connection.
• Upload data.
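The following is an added example, not code from the ZoneAlarm router: a first-match evaluator over rules built from the Table 69 fields (rule type, protocol, port range, source, destination and data direction), which makes the ordering point from the policy introduction concrete, a Pass rule for a trusted mail relay placed above a general Scan rule for SMTP. The rule table, the connections and the "scan when nothing matches" fallback are assumptions made for this illustration.

```python
"""Added example, not code from the ZoneAlarm router: a first-match evaluator
for antivirus policy rules with the Table 69 fields (rule type, protocol,
port range, source, destination and data direction). The rule table, the
connections and the 'scan when nothing matches' fallback are assumptions
made for this illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                         # "Pass" (do not scan) or "Scan"
    protocol: str = "ANY"               # "TCP", "UDP" or "ANY"
    port_start: Optional[int] = None    # None = all ports
    port_end: Optional[int] = None      # None = only port_start
    source: str = "0.0.0.0/0"
    destination: str = "0.0.0.0/0"
    direction: str = "both"             # "download", "upload" or "both"
    description: str = ""

    def matches(self, proto: str, dport: int, src: str, dst: str, direction: str) -> bool:
        if self.protocol != "ANY" and self.protocol != proto:
            return False
        if self.port_start is not None:
            end = self.port_end if self.port_end is not None else self.port_start
            if not self.port_start <= dport <= end:
                return False
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.source):
            return False
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(self.destination):
            return False
        return self.direction in ("both", direction)


def decide(rules: list, proto: str, dport: int, src: str, dst: str, direction: str) -> tuple:
    """Evaluate rules top-down; the first match wins. Returns (action, index).
    If no rule matches, this example scans (assumed safe default)."""
    for i, rule in enumerate(rules):
        if rule.matches(proto, dport, src, dst, direction):
            return rule.action, i
    return "Scan", None


POLICY = [
    Rule("Pass", "TCP", 25, source="192.168.10.5/32", description="trusted mail relay"),
    Rule("Scan", "TCP", 25, description="scan all other outgoing SMTP"),
    Rule("Scan", "TCP", 80, 80, direction="download", description="scan HTTP downloads"),
]


def demo() -> list:
    """Constructed connections: (protocol, destination port, source, destination, direction)."""
    cases = [
        ("TCP", 25, "192.168.10.5", "203.0.113.25", "upload"),    # relay: passes by rule 1
        ("TCP", 25, "192.168.10.9", "203.0.113.25", "upload"),    # other host: scanned by rule 2
        ("TCP", 80, "192.168.10.9", "203.0.113.80", "download"),  # HTTP download: rule 3
        ("TCP", 80, "192.168.10.9", "203.0.113.80", "upload"),    # no rule matches: fallback
    ]
    return [decide(POLICY, *c) for c in cases]
```

Swapping the first two rules makes the relay's mail hit the general Scan rule first, so the Pass rule is dead; checking a policy for unreachable rules after every reorder is the practical takeaway from the first-match semantics.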
Enabling/Disabling VStream Antivirus Rules
You can temporarily disable a VStream Antivirus rule.

To enable/disable a VStream Antivirus rule
1. Click Antivirus in the main menu, and click the Policy tab.
The Antivirus Policy page appears.
2. Next to the desired rule, do one of the following:
• To enable the rule, click the enable/disable icon. The icon changes, and the rule is enabled.
• To disable the rule, click the enable/disable icon. The icon changes, and the rule is disabled.

Viewing and Deleting VStream Antivirus Rules
To view or delete an existing VStream Antivirus rule
1. Click Antivirus in the main menu, and click the Policy tab.
The Antivirus Policy page appears with a list of existing VStream Antivirus rules.
2. To view a rule's description, mouse-over the information icon in the desired rule's row.
A tooltip displays the rule's description.
3. To delete a rule, do the following.
a. In the desired rule's row, click the Erase icon.

Configuring VStream Antivirus Advanced Settings
To configure VStream Antivirus advanced settings
1. Click Antivirus in the main menu, and click the Advanced tab.
The Advanced Antivirus Settings page appears.
2. Complete the fields using the following table.
3. Click Apply.
4. To restore the default VStream Antivirus settings, do the following:
a) Click Default.
A confirmation message appears.
b) Click OK.
The VStream Antivirus settings are reset to their defaults.
Table 70: Advanced Antivirus Settings Fields
In this field… Do this…
File Types
Block potentially unsafe file types in email: Select this option to block all emails containing potentially unsafe file types in email attachments.
Pass safe file types without scanning: Select this option to accept common file types that are known to be safe, without scanning them.
Archive File Handling
Maximum Nesting Level: Type the maximum number of nested content levels that VStream Antivirus should scan. Setting a higher number increases security, because content buried deeper inside archives is still inspected. Setting a lower number prevents attackers from overloading the gateway by sending extremely nested archive files. The default value is 5 levels.
When a password-protected file is found in archive: VStream Antivirus cannot extract and scan password-protected files inside archives. Specify how VStream Antivirus should handle such files, by selecting one of the following:
• Pass file without scanning. Accept the file without scanning it. This is the default.
• Block file. Block the file.
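The following is an added example, not code from the ZoneAlarm router: a scanner for nested archives that applies the two Archive File Handling settings above, stopping at the Maximum Nesting Level and treating a password-protected entry according to the chosen policy. It builds the nested ZIP files in memory (constructed test data), marks an entry as encrypted by setting the ZIP "encrypted" flag bit, and uses a placeholder byte string in place of a real virus signature; the verdict names are assumptions for this illustration.

```python
"""Added example, not code from the ZoneAlarm router: an archive scanner that
applies the two Table 70 settings above, Maximum Nesting Level and the handling
of password-protected files inside archives. It builds nested ZIP files in
memory (constructed test data), so it runs offline; SIGNATURE is a placeholder
byte pattern standing in for a signature match, not a real signature."""
import io
import zipfile

SIGNATURE = b"EICAR-PLACEHOLDER"   # assumed marker standing in for a signature match


def build_nested_zip(depth: int, payload: bytes) -> bytes:
    """Return a ZIP inside a ZIP ... `depth` levels deep, with payload at the bottom."""
    data, name = payload, "payload.bin"
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{level}.zip"
    return data


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' general-purpose flag bit on a single-entry ZIP.
    The data is left as is; this only simulates a password-protected entry."""
    b = bytearray(zip_bytes)
    b[6] |= 0x01                                   # local file header: flags at offset 6
    cd = b.find(b"PK\x01\x02")                     # central directory header
    b[cd + 8] |= 0x01                              # flags at offset 8 of that header
    return bytes(b)


def scan(data: bytes, max_nesting: int = 5, encrypted_policy: str = "pass",
         level: int = 0) -> str:
    """Return 'clean', 'infected', 'blocked:nesting', or for encrypted entries
    'blocked:encrypted' / 'passed:encrypted' according to encrypted_policy."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "infected" if SIGNATURE in data else "clean"
    if level >= max_nesting:
        return "blocked:nesting"                   # deeper content is never inspected
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x01:              # bit 0 = entry is encrypted
                return "blocked:encrypted" if encrypted_policy == "block" else "passed:encrypted"
            verdict = scan(zf.read(info), max_nesting, encrypted_policy, level + 1)
            if verdict != "clean":
                return verdict
    return "clean"
```

With the default of 5 levels, a payload wrapped in five archives is still reached, while a sixth wrapper returns "blocked:nesting" instead of exhausting the scanner; the "pass" default for encrypted entries means such a file reaches the user unscanned, which is the trade-off the Block file option exists to close.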
Chapter 13
Using Subscription Services
This chapter explains how to start subscription services, and how to use Software Updates, Web Filtering, and Email Filtering services.
Note: Check with your reseller regarding availability of subscription services, or surf to www.sofaware.com/servicecenters to locate a Service Center in your area.
This chapter includes the following topics:
Connecting to a Service Center

Connecting to a Service Center
The Account page appears.
2. In the Service Account area, click Connect.
The ZoneAlarm Services Wizard opens, with the Service Center dialog box displayed.
3. Make sure the Connect to a Service Center check box is selected.
4. Do one of the following:
• To connect to the SofaWare Service Center, choose usercenter.sofaware.com.
• To specify a Service Center, choose Specified IP and then in the Specified IP field, enter the desired Service Center's IP address, as given to you by your system administrator.
5. Click Next.
• If the Service Center requires authentication, the Service Center Login dialog box appears. Enter your gateway ID and registration key in the appropriate fields, as given to you by your service provider, then click Next.
• The Connecting screen appears.
• The Confirmation dialog box appears with a list of services to which you are subscribed.
6. Click Next.
The Done screen appears with a success message.
7. Click Finish.
The following things happen:
• If a new firmware is available, the ZoneAlarm router may start downloading it. This may take several minutes. Once the download is complete, the ZoneAlarm router restarts using the new firmware.
• The Welcome page appears.
• The services to which you are subscribed are now available on your ZoneAlarm router and listed as such on the Account page. See Viewing Services Information on page 273 for further information.
• The Services submenu includes the services to which you are subscribed.

Viewing Services Information
The Account page displays the following information about your subscription.

Table 71: Account Page Fields
This field… Displays…
Service Center Name: The name of the Service Center to which you are connected (if known).
Gateway ID: Your gateway ID.
Subscription will end on: The date on which your subscription to services will end.
Service: The services available in your service plan.
Refreshing Your Service Center Connection
This option restarts your ZoneAlarm router's connection to the Service Center and refreshes your ZoneAlarm router's service settings.

To refresh your Service Center connection
1. Click Services in the main menu, and click the Account tab.
The Account page appears.
2. In the Service Account area, click Refresh.
The ZoneAlarm router reconnects to the Service Center. Your service settings are refreshed.

Configuring Your Account
This option allows you to access your Service Center's Web site, which may offer additional configuration options for your account. Contact your Service Center for a user ID and password.

To configure your account
1. Click Services in the main menu, and click the Account tab.
The Account page appears.
2. In the Service Account area, click Configure.
Note: If no additional settings are available from your Service Center, this button will not appear.
5. Click Finish.
The following things happen:
• You are disconnected from the Service Center.
• The services to which you were subscribed are no longer available on your ZoneAlarm router.

Web Filtering
When the Web Filtering service is enabled, access to Web content is restricted according to the categories specified under Allow Categories. If a user attempts to access a blocked page, the Access Denied page appears.
Note: The Web Filtering subscription service differs from Web rules in the following ways:
• The category-based Web Filtering service is subscription-based and requires a connection to the Service Center, while Web rules are included with the ZoneAlarm router.
• The category-based Web Filtering service is centralized, extracting URLs from HTTP requests and sending the URLs to the Service Center to determine whether they should be blocked or allowed.

The Web Filtering page appears.
2. Drag the On/Off lever upwards or downwards.
Web Filtering is enabled/disabled.

Selecting Categories for Blocking
You can define which types of Web sites should be considered appropriate for your family or office members, by selecting the categories. Categories marked as allowed will remain visible, while categories marked as blocked will be blocked and will require the administrator password for viewing.
Note: If the ZoneAlarm router is remotely managed, contact your Service Center administrator to change these settings.

This ensures that users will not gain access to undesirable Web sites, even when the Service Center is unavailable. The button changes accordingly.
• To temporarily allow all connections to the Internet, click the corresponding button. This ensures continuous access to the Internet, but no category filtering is enforced while the Service Center cannot be reached. The button changes accordingly. When the Service Center is available again, the gateway will enforce the configured Web Filtering policy.

Temporarily Disabling Web Filtering
If desired, you can temporarily disable the Web Filtering service.
• The Snooze button changes to Resume.
• The Web Filtering Off popup window opens.
3. To re-enable the service, click Resume, either in the popup window, or on the Web Filtering page.
• The service is re-enabled for all internal network computers.
• If you clicked Resume in the Web Filtering page, the button changes to Snooze.
• If you clicked Resume in the Web Filtering Off popup window, the popup window closes.

Email Filtering
There are two Email Filtering services:
• Email Antivirus
When the Email Antivirus service is enabled, your email is automatically scanned for the detection and elimination of all known viruses and vandals. If a virus is detected, it is removed and replaced with a warning message.

Enabling/Disabling Email Filtering
To enable/disable Email Filtering
1. Click Services in the main menu, and click the Email Filtering tab.
The Email Filtering page appears.
2. Next to Email Antivirus, drag the On/Off lever upwards or downwards.
Email Antivirus is enabled/disabled.

Selecting Protocols for Scanning
If you are locally managed, you can define which protocols should be scanned for viruses and spam:
• Email retrieving (POP3).
Note: If the ZoneAlarm router is remotely managed, contact your Service Center administrator to change these settings.

To enable virus and spam scanning for a protocol
1. Click Services in the main menu, and click the Email Filtering tab.
The Email Filtering page appears.
2. In the Options area, click the on/off icon next to the desired protocol.

Temporarily Disabling Email Filtering
If you are having problems sending or receiving email, you can temporarily disable the Email Filtering services. Mail that passes through while the services are snoozed is not scanned, so re-enable them as soon as the problem is resolved.

To temporarily disable Email Filtering
1. Click Services in the main menu, and click the Email Filtering tab.
The Email Filtering page appears.
2. Click Snooze.
• Email Antivirus and Email Antispam are temporarily disabled for all internal network computers.
• The Snooze button changes to Resume.
• The Email Filtering Off popup window opens.
3. To re-enable Email Antivirus and Email Antispam, click Resume, either in the popup window, or on the Email Filtering page.
• The services are re-enabled for all internal network computers.
• If you clicked Resume in the Email Filtering page, the button changes to Snooze.
• If you clicked Resume in the Email Filtering Off popup window, the popup window closes.
Automatic and Manual Updates
The Software Updates service enables you to check for new security and software updates.
Note: Software Updates are only available if you are connected to a Service Center and subscribed to this service.

Checking for Software Updates when Remotely Managed
If your ZoneAlarm router is remotely managed, it automatically checks for software updates and installs them without user intervention.

Checking for Software Updates when Locally Managed
If your ZoneAlarm router is locally managed, you can set it to automatically check for software updates, or you can set it so that software updates must be checked for manually.

To configure software updates when locally managed
1. Click Services in the main menu, and click the Software Updates tab.
The Software Updates page appears.
2.
3. To set the ZoneAlarm router so that software updates must be checked for manually, drag the Automatic/Manual lever downwards.
The ZoneAlarm router does not check for software updates automatically.
4. To manually check for software updates, click Update Now.
The system checks for new updates and installs them.
Chapter 14
Secure Remote Access
This chapter describes how to use your ZoneAlarm router as a Remote Access VPN Server.
This chapter includes the following topics:
Overview, page 291
Configuring a Remote Access VPN, page 293
Configuring the SecuRemote Remote Access VPN Server, page 294
Installing SecuRemote

Overview
ZoneAlarm allows a single VPN user to connect. If you need to allow VPN remote access to multiple users, consider purchasing a Check Point Safe@Office gateway.
Figure 8: Remote Access VPN
Note: A locally managed Remote Access VPN Server must have a static IP address. If you need a Remote Access VPN Server with a dynamic IP address, you must use SofaWare Security Management Portal (SMP) management.

Configuring a Remote Access VPN
To create a Remote Access VPN with one user
1. On the ZoneAlarm router, enable the SecuRemote Remote Access VPN Server. See Configuring the SecuRemote Remote Access VPN Server on page 294.
2. Set up remote VPN access for users. See Setting Up Remote VPN Access for Users on page 318.
3.

Configuring the SecuRemote Remote Access VPN Server
To configure the SecuRemote Remote Access VPN Server
1. Click VPN in the main menu, and click the VPN Server tab.
The VPN Server page appears.
2. Select the Allow SecuRemote users to connect from the Internet check box.
New check boxes appear.
3. To allow authenticated users connecting from the Internet to bypass NAT when connecting to your internal network, select the Bypass NAT check box.
4. To allow authenticated users connecting from the Internet to bypass the default firewall policy and access your internal network without restriction, select the Bypass default firewall policy check box. User-defined rules will still apply to the authenticated users. Note that with this option selected, anyone holding the VPN user's credentials gets unrestricted access to the internal network, so leave it cleared unless the user-defined rules limit what the VPN user can reach.
5.
Installing SecuRemote
If you configured the ZoneAlarm SecuRemote VPN Server, then authorized remote access users can connect to your network using SecureClient/SecuRemote VPN Client software. Users can download the necessary software from http://www.checkpoint.com. Alternatively, authorized ZoneAlarm users can use the following procedure to download and install SecureClient/SecuRemote software.

To install SecureClient/SecuRemote
1. Connect to the ZoneAlarm Portal using HTTPS.

Installing a Certificate
A digital certificate is a secure means of authenticating the ZoneAlarm router to Remote Access VPN Clients. The certificate is issued by the Certificate Authority (CA) to entities such as gateways, users, or computers. The entity then uses the certificate to identify itself and provide verifiable information.

Generating a Self-Signed Certificate
To generate a self-signed certificate
1. Click VPN in the main menu, and click the Certificate tab.
The Certificate page appears.
2. Click Install Certificate.
The ZoneAlarm Certificate Wizard opens, with the Certificate Wizard dialog box displayed.
3. Click Generate a self-signed security certificate for this gateway.
The Create Self-Signed Certificate dialog box appears.
4. Complete the fields using the information in the following table.
5. Click Next.
The ZoneAlarm router generates the certificate. This may take a few seconds.
The Done dialog box appears, displaying the certificate's details.
6. Click Finish.
The ZoneAlarm router installs the certificate. If a certificate is already installed, it is overwritten. The Certificate Wizard closes.
• The starting and ending dates between which the gateway's certificate and the CA's certificate are valid

Table 72: Certificate Fields
In this field… Do this…
Country: Select your country from the drop-down list.
Organization Name: Type the name of your organization.
Organizational Unit: Type the name of your division.
Gateway Name: Type the gateway's name. This name will appear on the certificate, and will be visible to remote users inspecting the certificate.
Valid Until: Use the drop-down lists to specify the month, day, and year when this certificate should expire.
Note: You must renew the certificate when it expires; VPN clients configured for certificate authentication will not be able to connect to an expired certificate.

Importing a Certificate
To import a certificate
1. Click VPN in the main menu, and click the Certificate tab.
The Certificate page appears.
2. Click Install Certificate.
The ZoneAlarm Certificate Wizard opens, with the Certificate Wizard dialog box displayed.
3.
5. Click Next.
The Import-Certificate Passphrase dialog box appears. This may take a few moments.
6. Type the pass-phrase you received from the network security administrator.
7. Click Next.
The Done dialog box appears, displaying the certificate's details.
8. Click Finish.
The ZoneAlarm router installs the certificate. If a certificate is already installed, it is overwritten. The Certificate Wizard closes.
• The starting and ending dates between which the gateway's certificate and the CA's certificate are valid

Uninstalling a Certificate
A certificate is required for the correct functioning of the VPN Server. If you uninstall the certificate, VPN Clients configured for certificate authentication will not be able to connect to the VPN Server.
Note: If you want to replace a currently-installed certificate, there is no need to uninstall the certificate first.
Viewing VPN Tunnels
You can view a list of currently established VPN tunnels.

To view VPN tunnels
1. Click Reports in the main menu, and click the VPN Tunnels tab.
The VPN Tunnels page appears with a table of open VPN tunnels. The VPN Tunnels page includes the information described in the following table.
2. To refresh the table, click Refresh.

Table 73: VPN Tunnels Page Fields
This field… Displays…
Type: The currently active security protocol (IPSEC).
Source: The IP address or address range of the entity from which the tunnel originates. The entity's type is indicated by an icon. See VPN Tunnel Icons on page 307.
Destination: The IP address or address range of the entity to which the tunnel is connected. The entity's type is indicated by an icon. See VPN Tunnel Icons on page 307.
Established: The time at which the tunnel was established.

Viewing IKE Traces for VPN Connections
If you are experiencing VPN connection problems, you can save a trace of IKE (Internet Key Exchange) negotiations to a file, and then use the free IKE View tool to view the file. The IKE View tool is available for the Windows platform.
Note: Before viewing IKE traces, it is recommended to do the following:
• The ZoneAlarm router stores traces for all recent IKE negotiations.
5. Browse to a destination directory of your choice.
6. Type a name for the *.elg file and click Save.
The *.elg file is created and saved to the specified directory. This file contains the IKE traces of all currently-established VPN tunnels.
7. Use the IKE View tool to open and view the *.elg file, or send the file to technical support.
Changing Your Login Credentials Chapter 15 Managing Users This chapter describes how to manage ZoneAlarm router users. You can define multiple users, set their passwords, and assign them various permissions. This chapter includes the following topics: Changing Your Login Credentials............................................................311 Adding and Editing Users ........................................................................313 Viewing and Deleting Users....................................
Changing Your Login Credentials The Internal Users page appears. 2. In the row of your username, click Edit. The Account Wizard opens displaying the Set User Details dialog box. 3. Edit the Username field. 4. Edit the Password and Confirm password fields.
Adding and Editing Users Note: Use 5 to 25 characters (letters or numbers) for the new password. 5. Click Next. The Set User Permissions dialog box appears. 6. Click Finish. Your changes are saved. Adding and Editing Users This procedure explains how to add and edit users. To add or edit a user 1. Click Users in the main menu, and click the Internal Users tab. The Internal Users page appears. 2. Do one of the following: • To create a new user, click New User.
Adding and Editing Users • To edit an existing user, click Edit next to the desired user. The Account Wizard opens displaying the Set User Details dialog box. 3. Complete the fields using the information in Set User Details Fields on page 315. 4. Click Next. The Set User Permissions dialog box appears.
The options that appear on the page are dependent on the software and services you are using.
5. Complete the fields using the information in Set User Permissions Fields on page 316.
6. Click Finish. The user is saved.
Table 75: Set User Details Fields
Username: Enter a username for the user.
Password: Enter a password for the user. Use 5 to 25 characters (letters or numbers).
Confirm Password: Re-enter the user's password.
Note: Five alphanumeric characters is the minimum the router accepts, not a safe length. For any account with administrative or Remote Desktop access, choose a password close to the 25-character maximum.
Table 76: Set User Permissions Fields
Administrator Level: Select the user's level of access to the ZoneAlarm Portal. The levels are:
• No Access: The user cannot access the ZoneAlarm Portal.
• Read Only: The user can log on to the ZoneAlarm Portal, but cannot modify system settings or export the router configuration via the Setup > Tools page.
Remote Desktop Access: Select this option to allow the user to log on to the my.firewall portal, view the Active Computers page, and remotely access computers' desktops, using the Remote Desktop feature.
Note: The user can perform these actions even if their Administrator Level is "No Access". Because this permission is independent of the Administrator Level, grant it as sparingly as administrative access. For information on Remote Desktop, see Using Remote Desktop on page 319.
Viewing and Deleting Users
Note: The "admin" user cannot be deleted.
To view or delete users
1.
Setting Up Remote VPN Access for Users
If you are using your ZoneAlarm router as a SecuRemote Remote Access VPN Server, you can allow users to access it remotely through their Remote Access VPN Clients (a Check Point SecureClient, Check Point SecuRemote, or a Check Point appliance with a built-in SecuRemote VPN Client).
Note: ZoneAlarm Z100G allows defining a single VPN user.
To set up remote VPN access for a user
1.
Chapter 16 Using Remote Desktop
This chapter describes how to remotely access the desktop of each of your computers, using the ZoneAlarm router's Remote Desktop feature.
This chapter includes the following topics:
Overview (page 319)
Workflow (page 320)
Configuring Remote Desktop
Workflow
To use Remote Desktop
1. Configure Remote Desktop. See Configuring Remote Desktop on page 321.
2. Enable the Remote Desktop server on computers that authorized users should be allowed to remotely access. See Configuring the Host Computer on page 324.
3. Grant Remote Desktop Access permissions to users who should be allowed to remotely access desktops. See Adding and Editing Users on page 313.
4. The authorized users can access remote computers' desktops as desired.
Configuring Remote Desktop
To configure Remote Desktop
1. Click Setup in the main menu, and click the Remote Desktop tab. The Remote Desktop page appears.
2. Do one of the following:
• To enable Remote Desktop, select the Allow remote desktop access check box.
New fields appear.
• To disable Remote Desktop, clear the Allow remote desktop access check box. The fields disappear.
3. Complete the fields using the information in the following table.
4. Click Apply.
Table 77: Remote Desktop Options
Sharing
Share local drives: Select this option to allow the host computer to access hard drives on the client computer. This enables remote users to access their local hard drives when logged on to the host computer.
Share local printers: Select this option to allow the host computer to access printers on the client computer. This enables remote users to access their local printer when logged on to the host computer.
Share local smartcards: Select this option to allow the host computer to access smartcards on the client computer. This enables remote users to access their local smartcards when logged on to the host computer.
Note: Each sharing option gives the host computer access to a resource on the client. Enable drive and smartcard sharing only for host computers you trust, since a compromised host can read the redirected drive or use the smartcard.
Configuring the Host Computer
To enable remote users to connect to a computer, you must enable the Remote Desktop server on that computer.
Note: The host computer must have one of the following operating systems installed:
• Microsoft Windows Server 2003
• Microsoft Windows XP Professional
• Microsoft Windows XP Media Center
• Microsoft Windows XP Tablet PC 2005
To enable users to remotely connect to a computer
1. Log on to the desired computer as an administrator.
The Remote tab appears.
5. Select the Allow users to connect remotely to this computer check box.
6. Click Select Remote Users. The Remote Desktop Users dialog box appears.
7. Do the following for each remote user who should be allowed to access this computer:
a. Click Add.
The Select Users dialog box appears.
b. Type the desired user's username in the text box. The Check Names button is enabled.
c. Click Check Names.
d. Click OK. The Remote Desktop Users dialog box reappears with the desired user's username.
8. Click OK.
9. Click OK.
Accessing a Remote Computer's Desktop
Note: The client computer must meet the following requirements:
• Microsoft Internet Explorer 6.0 or later
• A working Internet connection
To access a remote computer's desktop
1. Click Reports in the main menu, and click the My Computers tab. The My Computers page appears.
2. Next to the desired computer, click Remote Desktop.
The Remote Desktop Connection Security Warning dialog box appears.
3. Select the desired connection options. The available options depend on your Remote Desktop configuration. See Configuring Remote Desktop on page 321.
4. Click OK. The Log On to Windows dialog box appears.
5. Type your username and password for the remote computer. These are the credentials of the Windows account you added in Configuring the Host Computer on page 324.
6. Click OK.
Table 78: Remote Desktop Keyboard Shortcuts
ALT+INSERT: Cycles through running programs in the order that they were started.
ALT+HOME: Displays the Start menu.
CTRL+ALT+BREAK: Toggles between displaying the session in a window and on the full screen.
CTRL+ALT+END: Opens the Windows Security dialog box.
Chapter 17 Maintenance
This chapter describes the tasks required for maintenance and diagnosis of your ZoneAlarm router.
This chapter includes the following topics:
Viewing Firmware Status (page 332)
Updating the Firmware (page 333)
Upgrading Your License
Viewing Firmware Status
The firmware is the software program embedded in the ZoneAlarm router. You can view your current firmware version and additional details.
To view the firmware status
• Click Setup in the main menu, and click the Firmware tab. The Firmware page appears.
Firmware Page Fields
Installed Product: The licensed software and the number of allowed nodes. For example: ZoneAlarm Z100G (5 nodes).
Uptime: The time that elapsed from the moment the unit was turned on. For example: 01:21:15.
Hardware Type: The type of the current ZoneAlarm router hardware. For example: SBox-200.
Hardware Version: The current hardware version of the ZoneAlarm router. For example: 1.0.
Updating the Firmware
If you are subscribed to Software Updates, firmware updates are performed automatically.
The Firmware Update page appears.
3. Click Browse. A browse window appears.
4. Select the image file and click Open. The Firmware Update page reappears. The path to the firmware update image file appears in the Browse text box.
5. Click Upload. Your ZoneAlarm router firmware is updated. Updating may take a few minutes. Do not power off the router. At the end of the process the ZoneAlarm router restarts automatically.
Note: Upload only firmware images obtained from your ZoneAlarm router provider. An image from any other source replaces the software that enforces your firewall and VPN settings.
Upgrading Your License
If product upgrades are available, you can upgrade the ZoneAlarm product installed on your router, by purchasing a new license. You will receive a new Product Key that enables you to use advanced features on the same ZoneAlarm router you have today. There is no need to replace your hardware. You can also purchase node upgrades, if available.
Note: To determine whether product or node upgrades are available, contact your ZoneAlarm router provider.
4. In the Product Key field, enter the new Product Key.
5. Click Next. The Installed New Product Key dialog box appears.
6. Click Finish.
Configuring Syslog Logging
You can configure the ZoneAlarm router to send event logs to a Syslog server residing in your internal network or on the Internet. The logs detail the date and the time each event occurred.
Note: Syslog messages are sent in clear text with no authentication or integrity protection. If the server is on the Internet rather than on your internal network, anyone on the path can read or forge your event logs, so prefer an internal server or one reached through your VPN.
To configure Syslog logging
1. Click Setup in the main menu, and click the Logging tab. The Logging page appears.
2. Complete the fields using the information in the following table.
3. Click Apply.
Table 80: Logging Page Fields
Syslog Server: Type the IP address of the computer that will run the Syslog service (one of your network computers), or click This Computer to allow your computer to host the service.
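The receiving side of this setup, as an added example that is not part of the original guide or of the router's firmware: a small Python Syslog listener and parser. The guide does not document the router's exact message layout, so the parser assumes the classic BSD format (RFC 3164, "<PRI>Mmm dd hh:mm:ss host message") carried over UDP port 514, and the sample lines are constructed for illustration, not captured from a device. The function and constant names are the example's own.

```python
"""Minimal Syslog receiver and parser for router event logs.

Added example; not ZoneAlarm or SofaWare code. Assumes RFC 3164 framing
over UDP/514; the router's real message layout is not documented here.
"""
import re
import socket

# RFC 3164 facility and severity codes: PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                   # priority
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "       # e.g. "Jan  5 01:21:15"
    r"(?P<host>\S+) "                                         # sending host
    r"(?P<msg>.*)$", re.S)

# Constructed sample lines (hypothetical message text, not real router output).
SAMPLE_LINES = [
    "<134>Jan  5 01:21:15 my.firewall Block: TCP 203.0.113.7:44321 -> 192.168.10.1:23",
    "<132>Jan  5 01:21:16 my.firewall Login failed for user admin from 192.168.10.55",
    "garbage without a PRI header",
]


def parse_syslog(line):
    """Split one BSD syslog line into its fields; return None if it is malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # 23 facilities * 8 + 7 is the largest valid PRI
        return None
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "message": m.group("msg"),
    }


def summarize(lines, min_severity="warning"):
    """Keep parsed records at or above min_severity (lower index = more severe)."""
    threshold = SEVERITIES.index(min_severity)
    kept = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is not None and SEVERITIES.index(rec["severity"]) <= threshold:
            kept.append(rec)
    return kept


def serve(bind_addr="0.0.0.0", port=514):
    """Receive datagrams from the router and print each parsed event (binding 514 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (src, _) = sock.recvfrom(4096)
        rec = parse_syslog(data.decode("utf-8", "replace"))
        print(src, rec if rec is not None else data)


if __name__ == "__main__":
    for rec in summarize(SAMPLE_LINES):
        print(rec)
```

Run `serve()` on the computer whose address you entered in the Syslog Server field; because the transport carries no authentication, also restrict which source addresses may reach UDP port 514 on that computer, or the log can be polluted by anything on the network.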
Configuring HTTPS
You can enable ZoneAlarm router users to access the ZoneAlarm Portal from the Internet. To do so, you must first configure HTTPS.
Note: Configuring HTTPS is equivalent to creating a simple Allow rule, where the destination is This Gateway. To create more complex rules for HTTPS, such as allowing HTTPS connections from multiple IP address ranges, define Allow rules for TCP port 443, with the destination This Gateway. For information, see Using Rules on page 172.
Note: You can use HTTPS to access the ZoneAlarm Portal from your internal network, by surfing to https://my.firewall.
If you selected Internal Networks + IP Range, additional fields appear.
3. If you selected Internal Networks + IP Range, enter the desired IP address range in the fields provided.
4. Click Apply. The HTTPS configuration is saved.
Table 81: Access Options
Internal Networks: The internal network only. This disables remote access capability. This is the default.
Internal Networks + VPN: The internal network and your VPN.
Internal Networks + IP Range: A particular range of IP addresses. Additional fields appear, in which you can enter the desired IP address range.
ANY: Any IP address.
Disabled: Nowhere. Access via this protocol is disabled.
Note: ANY exposes the portal login page to the whole Internet. Prefer Internal Networks + VPN, or Internal Networks + IP Range limited to the addresses you administer from, and use long passwords for every account that can log on.
Setting the Time on the Router
You set the time displayed in the ZoneAlarm Portal during initial router setup. If desired, you can change the date and time using the procedure below.
To set the time
1. Click Setup in the main menu, and click the Tools tab. The Tools page appears.
2. Click Set Time. The ZoneAlarm Set Time Wizard opens displaying the Set the ZoneAlarm Time dialog box.
3. Complete the fields using the information in Set Time Wizard Fields on page 343.
4.
The following things happen in the order below:
• If you selected Specify date and time, the Specify Date and Time dialog box appears. Set the date, time, and time zone in the fields provided, then click Next.
• If you selected Use a Time Server, the Time Servers dialog box appears.
Complete the fields using the information in Time Servers Fields on page 344, then click Next.
• The Date and Time Updated screen appears.
5. Click Finish.
Table 82: Set Time Wizard Fields
Your computer's clock: Set the router time to your computer's system time. Your computer's system time is displayed to the right of this option.
Keep the current setting: Do not change the router's time.
Table 83: Time Servers Fields
Primary Server: Type the IP address of the Primary NTP server.
Secondary Server: Type the IP address of the Secondary NTP server. This field is optional.
Clear: Clear the field.
Select your time zone: Select the time zone in which you are located.
Note: Accurate time matters for more than the display: event log timestamps and the validity periods of certificates used by VPN peers are checked against the router's clock, so use time servers you trust.
Using Diagnostic Tools
The ZoneAlarm router is equipped with a set of diagnostic tools that are useful for troubleshooting Internet connectivity.
Packet Sniffer: Capture network traffic. This information is useful for troubleshooting network problems. For information, see Using Packet Sniffer on page 347.
Using IP Tools
To use an IP tool
1. Click Setup in the main menu, and click the Tools tab. The Tools page appears.
2. In the Tool drop-down list, select the desired tool.
3. In the Address field, type the IP address or DNS name for which to run the tool.
4. Click Go.
• If you selected Traceroute, the following things happen: The ZoneAlarm router connects to the specified IP address or DNS name. The IP Tools window opens and displays a list of routers used to make the connection.
• If you selected WHOIS, the following things happen: The ZoneAlarm router queries the Internet WHOIS server. A window displays the name of the entity to which the IP address or DNS name is registered and their contact information.
Using Packet Sniffer
The ZoneAlarm router includes the Packet Sniffer tool, which enables you to capture packets from any internal network or ZoneAlarm port. This is useful for troubleshooting network problems and for collecting data about network behavior. The ZoneAlarm router saves the captured packets to a file on your computer. You can use a free protocol analyzer, such as Ethereal or Wireshark, to analyze the file, or you can send it to technical support.
Note: A capture contains the full content of every packet that matched, including any passwords or other data sent in clear text on that interface. Use a filter string to capture only what you need, and protect or delete the file when you are done.
The Packet Sniffer window displays the name of the interface, the number of packets collected, and the percentage of storage space remaining on the router for storing the packets.
5. Click Stop to stop collecting packets. A standard File Download dialog box appears.
6. Click Save. The Save As dialog box appears.
7. Browse to a destination directory of your choice.
8. Type a name for the capture file and click Save. The *.
Table 85: Packet Sniffer Fields
Interface: Select the interface from which to collect packets. The list includes the primary Internet connection, the ZoneAlarm router ports, and all defined networks.
Filter String: Type the filter string to use for filtering the captured packets. Only packets that match the filter condition will be saved. For a list of basic filter string elements, see Filter String Syntax on page 350.
Filter String Syntax
The following represents a list of basic filter string elements:
• and (page 350)
• dst (page 351)
• dst port (page 351)
• ether proto (page 352)
• host (page 353)
• not (page 353)
• or (page 354)
• port (page 354)
• src (page 355)
• src port (page 355)
• tcp (page 356)
• udp (page 357)
For detailed information on filter syntax, refer to http://www.tcpdump.org.
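To make the behaviour of these elements concrete before the individual descriptions that follow, here is an added example that is not part of the original guide or of the router's firmware: a small Python evaluator for exactly this subset of the tcpdump filter language (and, or, not, host, src, dst, port, src port, dst port, tcp, udp, plus parentheses), run over constructed packet records so that each element can be checked offline. It does not implement ether proto or the rest of the tcpdump grammar, and the packet records and function names are the example's own assumptions.

```python
"""Evaluator for the Packet Sniffer filter elements listed on this page.

Added example; not ZoneAlarm, SofaWare or tcpdump code. Covers only the
documented subset (and/or/not, host, src, dst, port, src port, dst port,
tcp, udp) plus parentheses. 'ether proto' is not implemented.
"""
import re

# Constructed sample packets (not captured from a real router).
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "192.168.10.1", "sport": 51000, "dst": "10.0.0.5", "dport": 80},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 80, "dst": "192.168.10.1", "dport": 51000},
    {"proto": "udp", "src": "192.168.10.10", "sport": 53000, "dst": "192.168.10.1", "dport": 53},
    {"proto": "udp", "src": "192.168.10.1", "sport": 500, "dst": "203.0.113.7", "dport": 500},
    {"proto": "icmp", "src": "192.168.10.1", "sport": None, "dst": "10.0.0.5", "dport": None},
]

TOKEN = re.compile(r"\(|\)|&&|\|\||[^\s()]+")


def tokenize(filter_string):
    return TOKEN.findall(filter_string)


class Parser:
    """Recursive descent with tcpdump precedence: 'not' binds tightest, then 'and', then 'or'."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("filter string ended unexpectedly")
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return node

    def expr(self):            # expr := term (('or' | '||') term)*
        node = self.term()
        while self.peek() in ("or", "||"):
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):            # term := factor (('and' | '&&') factor)*
        node = self.factor()
        while self.peek() in ("and", "&&"):
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):          # factor := 'not' factor | '(' expr ')' | primitive
        if self.peek() in ("not", "!"):
            self.take()
            return ("not", self.factor())
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        return self.primitive()

    def primitive(self):
        proto, tok = None, self.take()
        if tok in ("tcp", "udp"):
            proto = tok
            if self.peek() not in ("src", "dst", "port", "host"):
                return ("proto", proto)      # bare 'tcp' is 'ip proto tcp'
            tok = self.take()                # 'tcp dst port 80': proto qualifies what follows
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
            if tok == "port":
                return ("port", direction, int(self.take()), proto)
            if tok == "host":                # 'src host 1.2.3.4' is also accepted
                tok = self.take()
            return ("host", direction, tok, proto)
        if tok == "port":
            return ("port", None, int(self.take()), proto)
        if tok == "host":
            return ("host", None, self.take(), proto)
        raise ValueError("unsupported filter element %r" % tok)


def matches(node, pkt):
    kind = node[0]
    if kind == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if kind == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    if kind == "not":
        return not matches(node[1], pkt)
    if kind == "proto":
        return pkt["proto"] == node[1]
    _, direction, value, proto = node
    if proto is not None and pkt["proto"] != proto:
        return False                         # 'udp dst port 80' never matches TCP
    if kind == "host":
        fields = {"src": ("src",), "dst": ("dst",), None: ("src", "dst")}[direction]
    else:
        fields = {"src": ("sport",), "dst": ("dport",), None: ("sport", "dport")}[direction]
    return any(pkt[f] == value for f in fields)   # no direction: either end matches


def apply_filter(filter_string, packets=SAMPLE_PACKETS):
    """Return the packets the Packet Sniffer would save for this filter string."""
    tree = Parser(tokenize(filter_string)).parse()
    return [p for p in packets if matches(tree, p)]
```

Calling `apply_filter("host 192.168.10.1")` keeps every sample packet in either direction, `apply_filter("src port 80")` keeps only the reply from 10.0.0.5, and `apply_filter("udp dst port 80")` keeps nothing, which is what the element descriptions that follow say should happen.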
EXAMPLE
The following filter string saves packets that both originate from IP address 192.168.10.1 and are destined for port 80:
src 192.168.10.1 and dst port 80
dst
PURPOSE
The dst element captures all packets with a specific destination.
SYNTAX
dst destination
PARAMETERS
destination: IP Address or String. The computer to which the packet is sent.
PARAMETERS
port: Integer. The port to which the packet is sent.
EXAMPLE
The following filter string saves packets that are destined for port 80:
dst port 80
ether proto
PURPOSE
The ether proto element is used to capture packets of a specific Ethernet protocol type.
SYNTAX
ether proto \protocol
The backslash is required because the protocol names are also filter keywords; for example, ether proto \arp.
PARAMETERS
protocol: String. The protocol type of the packet. This can be one of the following: ip, ip6, arp, rarp, atalk, aarp, decnet, sca, lat, mopdl, moprc, iso, stp, ipx, or netbeui.
host
PURPOSE
The host element captures all incoming and outgoing packets for a specific computer.
SYNTAX
host host
PARAMETERS
host: IP Address or String. The computer to/from which the packet is sent. This can be the following:
• An IP address
• A host name
EXAMPLE
The following filter string saves all packets that either originated from IP address 192.168.10.1, or are destined for that same IP address:
host 192.168.10.1
or
PURPOSE
The or element is used to alternate between string elements. The filtered packets must match at least one of the filter string elements.
SYNTAX
element or element [or element...]
element || element [|| element...]
PARAMETERS
element: String. A filter string element.
EXAMPLE
The following filter string saves packets that either originate from IP address 192.168.10.1 or IP address 192.168.10.10:
src 192.168.10.1 or src 192.168.10.10
EXAMPLE
The following filter string saves all packets that either originated from port 80, or are destined for port 80:
port 80
src
PURPOSE
The src element captures all packets with a specific source.
SYNTAX
src source
PARAMETERS
source: IP Address or String. The computer from which the packet is sent. This can be the following:
• An IP address
• A host name
EXAMPLE
The following filter string saves packets that originated from IP address 192.168.10.1:
src 192.168.10.1
PARAMETERS
port: Integer. The port from which the packet is sent.
EXAMPLE
The following filter string saves packets that originated from port 80:
src port 80
tcp
PURPOSE
The tcp element captures all TCP packets. This element can be prepended to port-related elements.
Note: When not prepended to other elements, the tcp element is the equivalent of ip proto tcp.
SYNTAX
tcp
tcp element
PARAMETERS
element: String.
EXAMPLE 1
The following filter string captures all TCP packets:
tcp
EXAMPLE 2
The following filter string captures all TCP packets destined for port 80:
tcp dst port 80
udp
PURPOSE
The udp element captures all UDP packets. This element can be prepended to port-related elements.
Note: When not prepended to other elements, the udp element is the equivalent of ip proto udp.
SYNTAX
udp
udp element
PARAMETERS
element: String.
EXAMPLE 1
The following filter string captures all UDP packets:
udp
EXAMPLE 2
The following filter string captures all UDP packets destined for port 80:
udp dst port 80
Backing Up the ZoneAlarm Router Configuration
You can export the ZoneAlarm router configuration to a *.cfg file, and use this file to backup and restore ZoneAlarm router settings, as needed. The file includes all your settings. Because it describes your firewall rules, networks and VPN configuration, store the file where only administrators can read it.
Importing the ZoneAlarm Router Configuration
In order to restore your ZoneAlarm router's configuration from a configuration file, you must import the file.
To import the ZoneAlarm router configuration
1. Click Setup in the main menu, and click the Tools tab. The Tools page appears.
2. Click Import. The Import Settings page appears.
3. Do one of the following:
• In the Import Settings field, type the full path to the configuration file.
Or
4.
The ZoneAlarm router settings are imported. The Import Settings page displays the configuration file's content and the result of implementing each configuration command.
Note: If the router's IP address changed as a result of the configuration import, your computer may be disconnected from the network; therefore you may not be able to see the results.
Resetting the ZoneAlarm Router to Defaults
You can reset the ZoneAlarm router to its default settings. When you reset your ZoneAlarm router, it reverts to the state it was originally in when you purchased it.
Warning: This operation erases all your settings and password information. You will have to set a new password and reconfigure your ZoneAlarm router for Internet connection.
A confirmation message appears.
3. To revert to the firmware version that shipped with the router, select the check box.
4. Click OK.
• The Please Wait screen appears.
• The ZoneAlarm router returns to its factory defaults.
• The ZoneAlarm router is restarted. This may take a few minutes.
• The Login page appears.
To reset the ZoneAlarm router to factory defaults using the Reset button
1. Make sure the ZoneAlarm router is powered on.
2. Using a pointed object, press the RESET button on the back of the ZoneAlarm router steadily for seven seconds and then release it.
3. Allow the ZoneAlarm router to boot-up until the system is ready.
Note: Because the Reset button erases the password, anyone with physical access to the router can take administrative control of it. Keep the router somewhere untrusted people cannot reach it.
For information on the router's front and rear panels, see the Getting to Know Your Router section in Introduction on page 1.
Running Diagnostics
You can view technical information about your ZoneAlarm router's hardware, firmware, license, network status, and Service Center. This information is useful for troubleshooting. You can export it to an *.html file and send it to technical support.
To view diagnostic information
1. Click Setup in the main menu, and click the Tools tab. The Tools page appears.
2. Click Diagnostics. Technical information about your ZoneAlarm router appears in a new window.
3.
Rebooting the ZoneAlarm Router
If your ZoneAlarm router is not functioning properly, rebooting it may solve the problem.
To reboot the ZoneAlarm router
1. Click Setup in the main menu, and click the Firmware tab. The Firmware page appears.
2. Click Restart. A confirmation message appears.
3. Click OK.
• The Please Wait screen appears.
• The ZoneAlarm router is restarted. This may take a few minutes.
• The Login page appears.
Chapter 18 Using Network Printers
This chapter describes how to set up and use network printers.
This chapter includes the following topics:
Overview (page 367)
Setting Up Network Printers (page 368)
Configuring Computers to Use Network Printers (page 371)
Viewing Network Printers
Setting Up Network Printers
To set up a network printer
1. Connect the network printer to the ZoneAlarm router. See Connecting the Router to Network Printers.
2. Turn the printer on.
3. In the ZoneAlarm Portal, click Network in the main menu, and click the Ports tab. The Ports page appears.
4. Next to USB, click Edit.
The USB Devices page appears. If the ZoneAlarm router detected the printer, the printer is listed on the page. If the printer is not listed, check that you connected the printer correctly, then click Refresh to refresh the page.
5. Next to the printer, click Edit. The Printer Setup page appears.
6. Write down the port number allocated to the printer. The port number appears in the Printer Server TCP Port field. You will need this number later, when configuring computers to use the network printer.
7. To change the port number, do the following:
a. Type the desired port number in the Printer Server TCP Port field.
Note: Printer port numbers may not overlap, and must be high ports.
b. Click Apply.
Configuring Computers to Use Network Printers
Perform the relevant procedure on each computer from which you want to enable printing via the ZoneAlarm print server to a network printer.
Windows Vista
This procedure is relevant for computers with a Windows Vista operating system.
To configure a computer to use a network printer
1.
The Printers screen appears.
4. Click Add a printer. The Add Printer wizard opens displaying the Choose a local or network printer screen.
5. Click Add a local printer.
6. Click Next.
The Choose a printer port dialog box appears.
7. Click Create a new port.
8. In the Type of port drop-down list, select Standard TCP/IP Port.
9. Click Next. The Type a printer hostname or IP address dialog box appears.
10. In the Device type drop-down list, select Autodetect.
11. In the Hostname or IP address field, type the ZoneAlarm router's LAN IP address, or "my.firewall".
12. In the Port name field, type the port name.
13. Select the Query the printer and automatically select the driver to use check box.
14. Click Next. The following things happen:
• If Windows cannot identify your printer, the Additional Port Information Required dialog box appears. Do the following:
1) Click Custom.
2) Click Settings.
The Configure Standard TCP/IP Port Monitor dialog box opens.
3) In the Protocol area, make sure that Raw is selected.
4) In the Port Number field, type the printer's port number, as shown in the Printers page.
5) Click OK.
6) Click Next.
• The Install the printer driver dialog box is displayed.
15. Do one of the following:
• Use the lists to select the printer's manufacturer and model.
• If your printer does not appear in the lists, insert the CD that came with your printer in the computer's CD-ROM drive, and click Have Disk.
16. Click Next.
17. Complete the remaining dialog boxes in the wizard as desired, and click Finish. The printer appears in the Printers window.
18. Right-click the printer and click Properties in the popup menu.
Windows 2000/XP
This procedure is relevant for computers with a Windows 2000/XP operating system.
To configure a computer to use a network printer
1. If the computer for which you want to enable printing is located on the WAN, create an Allow rule for connections from the computer to This Gateway. See Adding and Editing Rules on page 176.
2. Click Start > Settings > Control Panel. The Control Panel window opens.
3. Click Printers and Faxes.
The Local or Network Printer dialog box appears.
6. Click Local printer attached to this computer.
Note: Do not select the Automatically detect and install my Plug and Play printer check box.
7. Click Next. The Select a Printer Port dialog box appears.
8. Click Create a new port.
9. In the Type of port drop-down list, select Standard TCP/IP Port.
10. Click Next.
The Add Standard TCP/IP Port Wizard opens with the Welcome dialog box displayed.
11. Click Next. The Add Port dialog box appears.
12. In the Printer Name or IP Address field, type the ZoneAlarm router's LAN IP address, or "my.firewall". You can find the LAN IP address in the ZoneAlarm Portal, under Network > My Network. The Port Name field is filled in automatically.
13. Click Next.
The Add Standard TCP/IP Printer Port Wizard opens, with the Additional Port Information Required dialog box displayed.
14. Click Custom.
15. Click Settings. The Configure Standard TCP/IP Port Monitor dialog box opens.
16. In the Port Number field, type the printer's port number, as shown in the Printers page.
17. In the Protocol area, make sure that Raw is selected.
18. Click OK. The Add Standard TCP/IP Printer Port Wizard reappears.
19. Click Next. The Completing the Add Standard TCP/IP Printer Port Wizard dialog box appears.
20. Click Finish. The Add Printer Wizard reappears, with the Install Printer Software dialog box displayed.
21. Do one of the following:
• Use the lists to select the printer's manufacturer and model.
• If your printer does not appear in the lists, insert the CD that came with your printer in the computer's CD-ROM drive, and click Have Disk.
22. Click Next.
23. Complete the remaining dialog boxes in the wizard as desired, and click Finish. The printer appears in the Printers and Faxes window.
24. Right-click the printer and click Properties in the popup menu. The printer's Properties dialog box opens.
25. In the Ports tab, in the list box, select the port you added. The port's name is IP_.
26. Click OK.
Mac OS X
This procedure is relevant for computers with the latest version of the Mac OS X operating system.
Note: This procedure may not apply to earlier Mac OS X versions.
To configure a computer to use a network printer
1. If the computer for which you want to enable printing is located on the WAN, create an Allow rule for connections from the computer to This Gateway. See Adding and Editing Rules on page 176.
2. Choose Apple > System Preferences.
The Print & Fax window appears.
5. In the Printing tab, click Set Up Printers. The Printer List window appears.
6. Click Add.
New fields appear.
7. In the first drop-down list, select IP Printing.
8. In the Printer Type drop-down list, select Socket/HP Jet Direct.
9. In the Printer Address field, type the ZoneAlarm router's LAN IP address, or "my.firewall". You can find the LAN IP address in the ZoneAlarm Portal, under Network > My Network.
10. In the Queue Name field, type the name of the required printer queue. For example, the printer queue name for HP printers is RAW.
11.
A list of models appears.
12. In the Model Name list, select the desired model.
13. Click Add. The new printer appears in the Printer List window.
14. In the Printer List window, select the newly added printer, and click Make Default.
Viewing Network Printers
To view network printers
1. Click Network in the main menu, and click the Ports tab. The Ports page appears.
2. Next to USB, click Edit. The USB Devices page appears, displaying a list of connected printers. For each printer, the model, serial number, and status is displayed. A printer can have the following statuses:
• Initialize. The printer is initializing.
• Ready. The printer is ready.
• Not Ready. The printer is not ready.
Note: Each printer port number must be different, and must be a high port.
To change a printer's port
1. Click Network in the main menu, and click the Ports tab. The Ports page appears.
2. Next to USB, click Edit. The USB Devices page appears, displaying a list of connected printers.
3. Next to the desired printer, click Edit. The Printer Setup page appears.
4. In the printer's Printer Server TCP Port field, type the desired port number.
5. Click Apply.
Chapter 19 Troubleshooting
This chapter provides solutions to common problems you may encounter while using the ZoneAlarm router.
Note: For information on troubleshooting wireless connectivity, see Troubleshooting Wireless Connectivity on page 135.
This chapter includes the following topics:
Connectivity (page 389)
Service Center and Upgrades
• Check if you have defined firewall rules which block your Internet connectivity.
• Check with your ISP for possible service outage.
• Check whether you are exceeding the maximum number of computers allowed by your license, by viewing the My Computers page.
I cannot access my DSL broadband connection. What should I do?
DSL equipment comes in two flavors: bridges (commonly known as DSL modems) and routers. Some DSL equipment can be configured to work both ways.
Note: 192.168.10 is the default value, and it may vary if you changed it in the My Network page.

• Check your TCP/IP configuration according to Installing and Setting up the ZoneAlarm Router on page 19.
• Restart your ZoneAlarm router and your broadband modem by disconnecting the power and reconnecting after 5 seconds.
• If your Web browser is configured to use an HTTP proxy to access the Internet, add my.firewall to your proxy exceptions list.

My network seems extremely slow.
• If possible, disable NAT in the router. Refer to the router's documentation for instructions on how to do this.
• If the router has a "DMZ Computer" or "Exposed Host" option, set it to the ZoneAlarm router's external IP address.
• Open the following ports in the NAT device:
  • UDP 9281/9282
  • UDP 500
  • UDP 2746
  • TCP 256
  • TCP 264
  • ESP (IP protocol 50)
  • TCP 981

Note: Setting the ZoneAlarm router as the exposed host, or forwarding these ports to it, makes the ZoneAlarm router's external interface reachable from the Internet through the NAT device. The ZoneAlarm router's own firewall is then what filters that traffic, so confirm its security level is set as you intend before changing the NAT device.

I cannot receive audio or video calls through the ZoneAlarm router.
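For the "Open the following ports in the NAT device" list above, the following script compares the forwards already configured on the upstream NAT device against that list and emits iptables rules for whatever is missing. It is an added example, not from this guide or from Check Point/SofaWare: it assumes a hypothetical Linux-based upstream NAT device, and the interface name eth0, the address 192.0.2.10 and the EXAMPLE_CONFIGURED list are constructed for illustration.

```python
"""Check an upstream NAT device's port forwards against the list the
troubleshooting entry above requires when the ZoneAlarm router sits behind
another NAT device, and emit forwarding rules for the entries that are missing.

Added example, not from the guide or from Check Point/SofaWare. The iptables
syntax assumes a hypothetical Linux-based upstream NAT device; the caller
passes its external interface name and the ZoneAlarm router's external IP.
"""

from typing import Iterable, List, Optional, Tuple

# (protocol, port) pairs taken from the troubleshooting list above.
# ESP (IP protocol 50) carries no port, so it is forwarded as a whole
# protocol; UDP 500 is IKE. The guide does not state the roles of the
# other ports, so no role is asserted for them here.
Forward = Tuple[str, Optional[int]]

REQUIRED: Tuple[Forward, ...] = (
    ("udp", 9281),
    ("udp", 9282),
    ("udp", 500),
    ("udp", 2746),
    ("tcp", 256),
    ("tcp", 264),
    ("esp", None),
    ("tcp", 981),
)


def normalise(entry: Forward) -> Forward:
    """Lower-case the protocol name and drop any port given for ESP."""
    proto, port = entry
    proto = proto.lower()
    return (proto, None if proto == "esp" else port)


def missing_forwards(configured: Iterable[Forward]) -> List[Forward]:
    """Return the required forwards absent from `configured`, in the
    order the guide lists them."""
    have = {normalise(e) for e in configured}
    return [r for r in REQUIRED if r not in have]


def iptables_rules(ext_if: str, router_ip: str,
                   forwards: Iterable[Forward] = REQUIRED) -> List[str]:
    """Build a DNAT rule plus a matching FORWARD accept rule for each entry,
    forwarding it from the NAT device's external interface to the
    ZoneAlarm router's external IP address on the same port."""
    rules: List[str] = []
    for proto, port in forwards:
        match = f"-i {ext_if} -p {proto}"
        if port is not None:
            match += f" --dport {port}"
        # ESP has no port, so the DNAT target is the bare address.
        target = router_ip if port is None else f"{router_ip}:{port}"
        rules.append(f"iptables -t nat -A PREROUTING {match} "
                     f"-j DNAT --to-destination {target}")
        # After DNAT the destination is the router, so FORWARD matches on it.
        rules.append(f"iptables -A FORWARD {match} -d {router_ip} -j ACCEPT")
    return rules


# Constructed sample: forwards already present on the NAT device
# (mixed case and a port given for ESP, as a human might write them).
EXAMPLE_CONFIGURED: Tuple[Forward, ...] = (("UDP", 500), ("ESP", 50), ("tcp", 264))

if __name__ == "__main__":
    gaps = missing_forwards(EXAMPLE_CONFIGURED)
    print("missing forwards:", gaps)
    # Hypothetical interface name and address, not from the guide.
    for rule in iptables_rules("eth0", "192.0.2.10", gaps):
        print(rule)
```

Run it as-is to see the rules for the constructed sample, or replace EXAMPLE_CONFIGURED with what the NAT device actually forwards. The rules send every required port to the ZoneAlarm router's external interface, which is exactly the exposure the note above describes; review the ZoneAlarm router's firewall level before applying them.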
Service Center and Upgrades

I have exceeded my node limit. What does this mean? What should I do?

Your Product Key specifies the maximum number of nodes that you may connect to the ZoneAlarm router. The ZoneAlarm router tracks the cumulative number of nodes on the internal network that have communicated through the firewall.
Other Problems

I have forgotten my password. What should I do?

Reset your ZoneAlarm router to factory defaults using the Reset button as detailed in Resetting the ZoneAlarm Router to Defaults on page 361.

Note: Resetting to factory defaults erases the router's configuration. If you have a backup of the configuration, you can restore it from that backup after the reset.

Why are the date and time displayed incorrectly?

You can adjust the time on the Setup page's Tools tab. For information, see Setting the Time on the Router on page 341.

I cannot use a certain network application. What should I do?

Look at the Event Log page.
Chapter 20 Specifications

This chapter includes the following topics:
Technical Specifications (page 395)
CE Declaration of Conformity (page 398)
Federal Communications Commission Radio Frequency Interference Statement
Technical Specifications

Table 86: ZoneAlarm Attributes (ZoneAlarm Z100G, SBXWZA-166LHGE-5)

Physical Attributes
• Dimensions: 200 x 33 x 130 mm (width x height x depth) (7.87 x 1.3 x 5.12 inches) (incl. antenna connectors)
• Weight: 635 g (1.40 lbs)
• Retail Box Dimensions: 290 x 250 x 80 mm (width x height x depth) (11.42 x 9.84 x 3.15 inches)

5V Power Supply Unit
• Power Supply Nominal Input: 100~240VAC @ 0.5A
• Power Supply Nominal Output: 12VDC @ 1.5 A
• Max. Power: 6.
Applicable Standards
• Safety: cULus, CB, LVD
• Quality: ISO 9001, ISO 14001, TL9000
• EMC: CE, FCC 15B, VCCI
• Reliability: EN 300 019-1, -2, -3
• Environment: RoHS & WEEE
• RF: R&TTE, FCC 15C, TELCO

Wireless Attributes
• Operation Frequency: 2.412-2.484 GHz
• Transmission Power: 79.
CE Declaration of Conformity

SofaWare Technologies Ltd., 3 Hilazon St., Ramat-Gan Israel, hereby declares that this equipment is in conformity with the essential requirements specified in Article 3.1 (a) and 3.
ZoneAlarm Z100G SBXWZA-166LHGE-5
• EN 61000-4-8, EN 61000-4-11, ENV 50204, EN 61000-4-5, EN 61000-4-6, EN 61000-4-7, EN 61000-4-8, EN 61000-4-9, EN 61000-4-10, EN 61000-4-11, EN 61000-4-12
• Safety: EN 60950, IEC 60950

The "CE" mark is affixed to this product to demonstrate conformance to the R&TTE Directive 1999/5/EC (Radio Equipment and Telecommunications Terminal Equipment Directive) and FCC Part 15 Class B. The product has been tested in a typical configuration.
Federal Communications Commission Radio Frequency Interference Statement

This equipment complies with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.
Glossary of Terms

A

ADSL Modem
A device connecting a computer to the Internet via an existing phone line. ADSL (Asymmetric Digital Subscriber Line) modems offer a high-speed 'always-on' connection.

C

CA
The Certificate Authority (CA) issues certificates to entities such as gateways, users, or computers. The entity later uses the certificate to identify itself and provide verifiable information.
D

DHCP
Any machine requires a unique IP address to connect to the Internet using Internet Protocol. Dynamic Host Configuration Protocol (DHCP) is a communications protocol that assigns Internet Protocol (IP) addresses to computers on the network. DHCP uses the concept of a "lease", or amount of time that a given IP address will be valid for a computer.

DMZ
A DMZ (demilitarized zone) is an internal network defined in addition to the LAN network and protected by the ZoneAlarm appliance.
HTTPS
Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL. A protocol for accessing a secure Web server. It uses SSL as a sublayer under the regular HTTP application and directs messages to a secure port number (443) rather than the default Web port number (80). Public-key cryptography is used to authenticate the server and to establish the session key that then encrypts the data in transit. HTTPS is used to transfer confidential user information.

Hub
A device with multiple ports, connecting several PCs or network devices on a network.
M

MAC Address
The MAC (Media Access Control) address is the unique hardware address of a computer's network interface. When connected to the Internet from your computer, a mapping relates your IP address to your computer's physical (MAC) address on the LAN.

Mbps
Megabits per second. Measurement unit for the rate of data transmission.
PPTP
The Point-to-Point Tunneling Protocol (PPTP) allows extending a local network by establishing private "tunnels" over the Internet. This protocol is also used by some DSL providers as an alternative to PPPoE.

R

RJ-45
The RJ-45 is an eight-pin connector used for digital transmission over twisted-pair cable, such as Ethernet network cable.

Router
A router is a device that determines the next network point to which a packet should be forwarded toward its destination. The router is connected to at least two networks.
At the other end (the client program in your computer), TCP reassembles the individual packets and waits until they have arrived to forward them to you as a single file.

TCP/IP
TCP/IP (Transmission Control Protocol/Internet Protocol) is the underlying communication protocol of the Internet.

U

UDP
UDP (User Datagram Protocol) is a communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the Internet Protocol (IP).