ZyWALL 10~100 Series Internet Security Gateway Reference Guide Versions 3.52, 3.60 and 3.
Copyright

Copyright © 2003 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation.

Federal Communications Commission (FCC) Interference Statement

This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause undesired operations.
This equipment has been tested and found to comply with the limits for a CLASS B digital device pursuant to Part 15 of the FCC Rules.

Information for Canadian Users

The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. Industry Canada does not guarantee that the equipment will operate to a user's satisfaction.

ZyXEL Limited Warranty

ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase.

Customer Support

Please have the following information ready when you contact your customer support representative:
• Product model and serial number.
• Information in Menu 24.2.1 – System Information.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.
Preface

About Your ZyWALL
Congratulations on your purchase of the ZyWALL Security Gateway.

About This User's Manual
This manual is designed to provide background information on some of the ZyWALL’s features. It also includes commands for use with the command interpreter. This manual may refer to the ZyWALL Internet Security Gateway as the ZyWALL. This manual covers the ZyWALL 10 to 100 models.

Syntax Conventions
• “Enter” means for you to type one or more characters and press the carriage return.
• “Select” or “Choose” means for you to use one of the predefined choices.
• The SMT menu titles and labels are in Bold Times New Roman font.
• The choices of a menu item are in Bold Arial font.
Part I: General Information

This part provides background information about setting up your computer’s IP address, triangle route, how functions are related, wireless LAN, 802.1x, PPPoE, PPTP and IP subnetting.

Chapter 1 Setting up Your Computer’s IP Address

All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer. Windows 3.1 requires the purchase of a third-party TCP/IP application package.
The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.

If you need the adapter:
a. In the Network window, click Add.
b. Select Adapter and then click Add.
c. Select the manufacturer and model of your network adapter and then click OK.

If you need TCP/IP:
a. In the Network window, click Add.
b. Select Protocol and then click Add.
c.

1. Click the IP Address tab.
   - If your IP address is dynamic, select Obtain an IP address automatically.
   - If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields.
2. Click the DNS Configuration tab.
   - If you do not know your DNS information, select Disable DNS.
3. Click the Gateway tab.
   - If you do not know your gateway’s IP address, remove previously installed gateways.
   - If you have a gateway IP address, type it in the New gateway field and click Add.
4. Click OK to save and close the TCP/IP Properties window.
5. Click OK to close the Network window. Insert the Windows CD if prompted.
6. Turn on your ZyWALL and restart your computer when prompted.

Verifying Your Computer’s IP Address
1.

1. For Windows XP, click start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel.
2. For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections.
3. Right-click Local Area Connection and then click Properties.
4. Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties.
5. The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
   - If you have a dynamic IP address click Obtain an IP address automatically.
   - If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields. Click Advanced.
6. - If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.
   Do one or more of the following if you want to configure additional IP addresses:
   - In the IP Settings tab, in IP addresses, click Add.
   - In TCP/IP Address, type an IP address in IP address and a subnet mask in Subnet mask, and then click Add.
   - Repeat the above two steps for each IP address you want to add.
7. In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP):
   - Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
   - If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.
   If you have previously configured DNS servers, click Advanced and then the DNS tab to order them.
8.

1. Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel.
2. Select Ethernet built-in from the Connect via list.
3. For dynamically assigned settings, select Using DHCP Server from the Configure: list.
4. For statically assigned settings, do the following:
   - From the Configure box, select Manually.
   - Type your IP address in the IP Address box.
   - Type your subnet mask in the Subnet mask box.
   - Type the IP address of your ZyWALL in the Router address box.
5. Close the TCP/IP Control Panel.
6. Click Save if prompted, to save changes to your configuration.
7. Turn on your ZyWALL and restart your computer (if prompted).

2. Click Network in the icon bar.
   - Select Automatic from the Location list.
   - Select Built-in Ethernet from the Show list.
   - Click the TCP/IP tab.
3. For dynamically assigned settings, select Using DHCP from the Configure list.
4. For statically assigned settings, do the following:
   - From the Configure box, select Manually.
   - Type your IP address in the IP Address box.
   - Type your subnet mask in the Subnet mask box.
Chapter 2 Triangle Route

The Ideal Setup
When the firewall is on, your ZyWALL acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyWALL to protect your LAN against attacks.

Diagram 2-1 Ideal Setup

The “Triangle Route” Problem
A traffic route is a path for sending or receiving data packets between two Ethernet devices.

Diagram 2-2 “Triangle Route” Problem

The “Triangle Route” Solutions
This section presents two solutions to the “triangle route” problem.

IP Aliasing
IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your ZyWALL supports up to three logical LAN interfaces with the ZyWALL being the gateway for each logical network.

Gateways on the WAN Side
A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side as the following figure shows. This ensures that all incoming network traffic passes through your ZyWALL to your LAN. Therefore your LAN is protected.

Chapter 3 The Big Picture

The following figure gives an overview of how filtering, the firewall, VPN and NAT are related.
Chapter 4 Wireless LAN and IEEE 802.11

A wireless LAN (WLAN) provides a flexible data communications system that you can use to access various services (navigating the Internet, email, printer services, etc.) without the use of a cabled connection. In effect a wireless LAN environment provides you the freedom to stay connected to the network while roaming around in the coverage area. WLAN is not available on all models.

IEEE 802.11 specifies three different transmission methods for the PHY, the layer responsible for transferring data between nodes. Two of the methods use spread spectrum RF signals, Direct Sequence Spread Spectrum (DSSS) and Frequency-Hopping Spread Spectrum (FHSS), in the 2.4 to 2.4825 GHz unlicensed ISM (Industrial, Scientific and Medical) band.

Diagram 4-1 Peer-to-Peer Communication in an Ad-hoc Network

Infrastructure Wireless LAN Configuration
For Infrastructure WLANs, multiple Access Points (APs) link the WLAN to the wired network and allow users to efficiently share network resources. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood.

could be any type of network, it is almost invariably an Ethernet LAN. Mobile nodes can roam between Access Points and seamless campus-wide coverage is possible.
Chapter 5 Wireless LAN With IEEE 802.1x

As wireless networks become popular for both portable computing and corporate networks, security is now a priority.

Security Flaws with IEEE 802.11
Wireless networks based on the original IEEE 802.11 have a poor reputation for safety. The IEEE 802.11b wireless access standard, first published in 1999, was based on the MAC address.

• Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server.
• Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients.
Chapter 6 PPPoE

PPPoE in Action
An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit), which connects to a DSL Access Concentrator where the PPP session terminates (see the next figure). One PVC can support any number of PPP sessions from your LAN. PPPoE provides access control and billing functionality in a manner similar to dial-up services using PPP.

How PPPoE Works
The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC acts as an L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP. The L2TP tunnel is capable of carrying multiple PPP sessions.
Chapter 7 PPTP

What is PPTP?
PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband modem over Ethernet? A solution is to build PPTP into the ANT (ADSL Network Termination) where PPTP is used only over the short haul between the PC and the modem over Ethernet.

PPTP Protocol Overview
PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco’s Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user. The PNS is the box that hosts both the PPP and the PPTP stacks and forms one end of the PPTP tunnel. The PAC is the box that dials/answers the phone calls and relays the PPP frames to the PNS.

Diagram 7-3 Example Message Exchange between PC and an ANT

PPP Data Connection
The PPP frames are tunneled between the PNS and PAC over GRE (Generic Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.
Chapter 8 IP Subnetting

IP Addressing
Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID.

IP Classes
An IP address is made up of four octets (eight bits each), written in dotted decimal notation, for example, 192.168.1.1. IP addresses are categorized into different classes. The class of an address depends on the value of its first octet.

A class “B” address (16 host bits) can have 2^16 – 2 or 65534 hosts. A class “A” address (24 host bits) can have 2^24 – 2 hosts (approximately 16 million hosts). Since the first bit of a class “A” IP address must be “0”, the first octet of a class “A” address can have a value of 0 to 127. Similarly the first octet of a class “B” address must begin with “10”, therefore the first octet of a class “B” address has a valid range of 128 to 191.

With subnetting, the class arrangement of an IP address is ignored. For example, a class C address no longer has to have 24 bits of network number and 8 bits of host ID. With subnetting, some of the host ID bits are converted into network number bits. By convention, subnet masks always consist of a continuous sequence of ones beginning from the left most bit of the mask, followed by a continuous sequence of zeros, for a total number of 32 bits.

The first three octets of the address make up the network number (class “C”). You want to have two separate networks. Divide the network 192.168.1.0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit. The “borrowed” host ID bit can be either “0” or “1”, thus giving two subnets: 192.168.1.0 with mask 255.255.255.128 and 192.168.1.128 with mask 255.255.255.128.

192.168.1.0 with mask 255.255.255.128 is the subnet itself, and 192.168.1.127 with mask 255.255.255.128 is the directed broadcast address for the first subnet. Therefore, the lowest IP address that can be assigned to an actual host for the first subnet is 192.168.1.1 and the highest is 192.168.1.126. Similarly the host ID range for the second subnet is 192.168.1.129 to 192.168.1.254.

Subnet Address: 192.168.1.128 | Lowest Host ID: 192.168.1.129
Broadcast Address: 192.168.1.191 | Highest Host ID: 192.168.1.190

Chart 8-10 Subnet 4
 | NETWORK NUMBER | LAST OCTET BIT VALUE
IP Address | 192.168.1. | 192
IP Address (Binary) | 11000000.10101000.00000001. | 11000000
Subnet Mask (Binary) | 11111111.11111111.11111111. | 11000000
Subnet Address: 192.168.1.192 | Lowest Host ID: 192.168.1.193
Broadcast Address: 192.168.1.255 | Highest Host ID: 192.168.1.

Chart 8-12 Class C Subnet Planning
NO. “BORROWED” HOST BITS | SUBNET MASK | NO. SUBNETS | NO. HOSTS PER SUBNET
1 | 255.255.255.128 (/25) | 2 | 126
2 | 255.255.255.192 (/26) | 4 | 62
3 | 255.255.255.224 (/27) | 8 | 30
4 | 255.255.255.240 (/28) | 16 | 14
5 | 255.255.255.248 (/29) | 32 | 6
6 | 255.255.255.252 (/30) | 64 | 2
7 | 255.255.255.254 (/31) | 128 | 1

Subnetting With Class A and Class B Networks

Chart 8-13 Class B Subnet Planning
NO. “BORROWED” HOST BITS | SUBNET MASK | NO. SUBNETS | NO. HOSTS PER SUBNET
9 | 255.255.255.128 (/25) | 512 | 126
10 | 255.255.255.192 (/26) | 1024 | 62
11 | 255.255.255.224 (/27) | 2048 | 30
12 | 255.255.255.240 (/28) | 4096 | 14
13 | 255.255.255.248 (/29) | 8192 | 6
14 | 255.255.255.252 (/30) | 16384 | 2
15 | 255.255.255.
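The subnet arithmetic of this chapter, as an added example that is not part of the ZyXEL guide: it reproduces the 192.168.1.0 class C split (Charts 8-9 and 8-10) and the rows of the planning charts, using only the Python standard library; the function names are this example's own.

```python
# Added example (not from the ZyXEL guide): reproduces the chapter's
# subnet arithmetic for the 192.168.1.0 class C example and the
# "borrowed host bits" planning charts, using only the standard library.
import ipaddress


def subnet_plan(network: str, borrowed_bits: int) -> list[dict]:
    """Split `network` by borrowing `borrowed_bits` host bits.

    Returns one record per subnet with the four values the guide's
    per-subnet charts list: subnet address, lowest host, highest host
    and directed broadcast address.
    """
    net = ipaddress.ip_network(network, strict=True)
    new_prefix = net.prefixlen + borrowed_bits
    if new_prefix > 30:
        raise ValueError("leaves fewer than two usable host addresses")
    plan = []
    for sub in net.subnets(new_prefix=new_prefix):
        # hosts() excludes the subnet address and the directed broadcast
        hosts = list(sub.hosts())
        plan.append({
            "subnet": str(sub.network_address),
            "mask": str(sub.netmask),
            "lowest_host": str(hosts[0]),
            "highest_host": str(hosts[-1]),
            "broadcast": str(sub.broadcast_address),
        })
    return plan


def planning_row(class_host_bits: int, borrowed_bits: int) -> tuple[int, int]:
    """One row of a Chart 8-12 / 8-13 style planning table.

    class_host_bits is 8 for class C and 16 for class B.  Returns
    (number of subnets, usable hosts per subnet) using the 2^h - 2 rule,
    which excludes the subnet and broadcast addresses.
    """
    remaining_host_bits = class_host_bits - borrowed_bits
    return 2 ** borrowed_bits, 2 ** remaining_host_bits - 2


def to_binary(addr: str) -> str:
    """Dotted-binary form as printed in the guide's per-subnet charts."""
    return ".".join(f"{int(octet):08b}" for octet in addr.split("."))


if __name__ == "__main__":
    # Borrow two host bits from 192.168.1.0/24: four /26 subnets.
    for row in subnet_plan("192.168.1.0/24", 2):
        print(row)
    print(to_binary("192.168.1.192"))
    print(planning_row(8, 2), planning_row(16, 9))
```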
Part II: Command and Log Information

This part provides information on the command interpreter interface, firewall and NetBIOS commands and logs and password protection.

Chapter 9 Command Interpreter

The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on these commands.

Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable.

Command Syntax
The command keywords are in courier new font.
Chapter 10 Firewall Commands

The following describes the firewall commands. See the Command Interpreter appendix for information on the command structure.

Chart 10-1 Firewall Commands
FUNCTION | COMMAND | DESCRIPTION
Firewall Set-Up | config edit firewall active | This command turns the firewall on or off.
 | config retrieve firewall | This command returns the previously saved firewall settings.
 | config display firewall attack | This command shows all of the attack response settings.
 | config display firewall e-mail | This command shows all of the e-mail settings.
 | config display firewall ? | This command shows all of the available firewall sub commands.
 | config edit firewall e-mail mail-server | This command sets the IP address to which the e-mail messages are sent.
 | config edit firewall e-mail hour <0-23> | This command sets the hour when the firewall log is sent through e-mail if the ZyWALL is set to send it on an hourly, daily or weekly basis.
 | config edit firewall e-mail minute <0-59> | This command sets the minute of the hour for the firewall log to be sent via e-mail if the ZyWALL is set to send it on an hourly, daily or weekly basis.
Attack | config edit firewall attack minute-low <0-255> | This command sets the threshold of half-open sessions where the ZyWALL stops deleting half-opened sessions.
 | config edit firewall attack max-incomplete-high <0-255> | This command sets the threshold of half-open sessions where the ZyWALL starts deleting old half-opened sessions until it gets them down to the max incomplete low.
Sets | config edit firewall set connection-timeout | This command sets how long the ZyWALL waits for a TCP session to be established before dropping the session.
 | config edit firewall set fin-wait-timeout | This command sets how long the ZyWALL leaves a TCP session open after the firewall detects a FIN-exchange (indicating the end of the TCP session).
Rules | config edit firewall set rule alert | This command sets whether or not the ZyWALL sends an alert e-mail when a DoS attack or a violation of a particular rule occurs.
 | config edit firewall set rule srcaddr-single | This command sets the rule to have the ZyWALL check for traffic with this individual source address.
 | config edit firewall set rule TCP destport-single | This command sets a rule to have the ZyWALL check for TCP traffic with this destination port. You may repeat this command to enter various, non-consecutive port numbers.
 | config delete firewall set rule | This command removes the specified rule in a firewall configuration set.
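The attack thresholds in Chart 10-1 describe a high/low watermark scheme for half-open TCP sessions: once the count passes max-incomplete-high, the oldest half-open sessions are deleted until the count is back at the low threshold, and connection-timeout bounds how long any one half-open session may wait for its handshake. The following Python model is an added example, not ZyXEL firmware code; the class, the session keys and the timings are this example's own, and only the threshold semantics follow the chart's descriptions.

```python
# Added example (not ZyXEL code): a model of the half-open (SYN received,
# handshake not completed) session accounting that the "attack" thresholds
# in Chart 10-1 control.  Shedding starts above max-incomplete-high and
# continues down to the low threshold (hysteresis); connection-timeout
# expires sessions that never complete the handshake.
from collections import OrderedDict


class HalfOpenTable:
    def __init__(self, max_incomplete_high: int, max_incomplete_low: int,
                 connection_timeout: int):
        if not 0 <= max_incomplete_low <= max_incomplete_high <= 255:
            raise ValueError("thresholds must satisfy 0 <= low <= high <= 255")
        self.high = max_incomplete_high
        self.low = max_incomplete_low
        self.timeout = connection_timeout      # seconds
        self._table = OrderedDict()            # insertion order = age order
        self.deleted_by_threshold = 0
        self.deleted_by_timeout = 0

    def expire(self, now: float) -> None:
        """Drop half-open sessions older than connection-timeout seconds."""
        stale = [k for k, started in self._table.items()
                 if now - started > self.timeout]
        for k in stale:
            del self._table[k]
        self.deleted_by_timeout += len(stale)

    def syn(self, key: tuple, now: float) -> None:
        """Record a new half-open session for the 4-tuple `key`."""
        self.expire(now)
        self._table[key] = now
        if len(self._table) > self.high:
            # Hysteresis: shed the oldest entries until the low watermark.
            while len(self._table) > self.low:
                self._table.popitem(last=False)
                self.deleted_by_threshold += 1

    def established(self, key: tuple) -> bool:
        """Handshake completed: leave the half-open table.  Returns False if
        the entry was already shed, which is what a legitimate client
        experiences while a SYN flood keeps the table above the high mark."""
        return self._table.pop(key, None) is not None

    def count(self) -> int:
        return len(self._table)


def simulate_syn_burst(n: int, high: int = 100, low: int = 80,
                       timeout: int = 30) -> tuple[int, int]:
    """Feed n SYNs from distinct constructed clients at the same instant and
    return (half-open sessions left, sessions shed by the high threshold)."""
    table = HalfOpenTable(high, low, timeout)
    for i in range(n):
        # constructed sample 4-tuple: (src ip, src port, dst ip, dst port)
        table.syn((f"10.0.0.{i % 250}", 1024 + i, "192.168.1.1", 80), now=0.0)
    return table.count(), table.deleted_by_threshold


if __name__ == "__main__":
    print(simulate_syn_burst(150))   # shed in batches of (high - low)
```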
Chapter 11 NetBIOS Filter Commands

The following describes the NetBIOS packet filter commands. See the Command Interpreter appendix for information on the command structure.

Introduction
NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls.

This command gives a read-only list of the current NetBIOS filter modes for a ZyWALL that does not have DMZ.

    =============== NetBIOS Filter Status ===============
            LAN to WAN:      Forward
            WAN to LAN:      Forward
            IPSec Packets:   Forward
            Trigger Dial:    Disabled

Diagram 11-1 NetBIOS Display Filter Settings Command Without DMZ Example

Syntax: sys filter netbios disp

This command gives a read-only list of the current NetBIOS filter modes for a ZyWALL that has DMZ.

Chart 11-1 NetBIOS Filter Default Settings
NAME | DESCRIPTION | EXAMPLE
WAN to DMZ | This field displays whether NetBIOS packets are blocked or forwarded from the WAN to the DMZ. | Forward
DMZ to LAN | This field displays whether NetBIOS packets are blocked or forwarded from the DMZ to the LAN. | Forward
DMZ to WAN | This field displays whether NetBIOS packets are blocked or forwarded from the DMZ to the WAN. |

For types 0 and 1, use on to enable the filter and block NetBIOS packets. Use off to disable the filter and forward NetBIOS packets. For type 6, use on to block NetBIOS packets from being sent through a VPN connection. Use off to allow NetBIOS packets to be sent through a VPN connection. For type 7, use on to allow NetBIOS packets to initiate dial backup calls. Use off to block NetBIOS packets from initiating dial backup calls.
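As an added example (not ZyXEL code), the following Python parses the read-only output of sys filter netbios disp in the layout of Diagram 11-1 and flags settings that let NetBIOS broadcasts cross the WAN or initiate dial backup calls, the behaviour the introduction warns causes unwanted calls on PPPoE and PPTP links. The sample output is constructed, and the warning rules and function names are this example's own.

```python
# Added example (not ZyXEL code): audit the "sys filter netbios disp"
# status output.  The default example in Chart 11-1 forwards NetBIOS in
# every direction; this check reports the directions that cross the WAN
# and whether NetBIOS may trigger dial backup.
import re

# Constructed sample in the Diagram 11-1 layout (no DMZ model), with
# values chosen so that the audit has something to report.
SAMPLE_OUTPUT = """\
=============== NetBIOS Filter Status ===============
        LAN to WAN:      Forward
        WAN to LAN:      Block
        IPSec Packets:   Forward
        Trigger Dial:    Enabled
"""

# "<name>:<spaces><value>" lines; the banner line has no colon and is skipped.
STATUS_LINE = re.compile(r"^\s*(?P<name>[A-Za-z ]+?):\s+(?P<value>\S+)\s*$")

# Directions in which forwarded NetBIOS traffic leaves or enters via the WAN.
WAN_DIRECTIONS = ("LAN to WAN", "WAN to LAN", "WAN to DMZ", "DMZ to WAN")


def parse_netbios_status(text: str) -> dict[str, str]:
    """Return {field name: value} for every status line in the output."""
    status = {}
    for line in text.splitlines():
        m = STATUS_LINE.match(line)
        if m:
            status[m.group("name")] = m.group("value")
    return status


def netbios_findings(status: dict[str, str]) -> list[str]:
    """List the settings that allow NetBIOS across the WAN or into dial backup.
    Fields absent from the output (e.g. DMZ directions on a model without
    DMZ) are simply not reported."""
    findings = []
    for direction in WAN_DIRECTIONS:
        if status.get(direction) == "Forward":
            findings.append(f"{direction}: NetBIOS packets forwarded across the WAN")
    if status.get("Trigger Dial") == "Enabled":
        findings.append("Trigger Dial: NetBIOS packets may initiate dial backup calls")
    return findings


if __name__ == "__main__":
    for finding in netbios_findings(parse_netbios_status(SAMPLE_OUTPUT)):
        print(finding)
```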
Chapter 12 Boot Commands

The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware (ZyNOS) is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen.

AT | just answer OK
ATHE | print help
ATBAx | change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.
ATENx,(y)
ATSE
ATTI(h,m,s)
ATDA(y,m,d)
ATDS
ATDT
ATDUx,y
ATRBx
ATRWx
ATRLx
ATGO(x)
ATGR
ATGT
ATRTw,x,y(,z)
ATSH
ATDOx,y
ATTD
ATUR
ATLC
ATXSx
ATSR
Chapter 13 Log Descriptions

Chart 13-1 System Error Logs
LOG MESSAGE | DESCRIPTION
%s exceeds the max. number of session per host! | This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host.

Chart 13-2 System Maintenance Logs
LOG MESSAGE | DESCRIPTION
Time calibration is successful | The router has adjusted its time based on information from the time server.
TELNET Login Fail | Someone has failed to log on to the router via telnet.
FTP Login Successfully | Someone has logged on to the router via ftp.
FTP Login Fail | Someone has failed to log on to the router via ftp.
NAT Session Table is Full! | The maximum number of NAT session table entries has been exceeded and the table is full.

Chart 13-5 Attack Logs
LOG MESSAGE | DESCRIPTION
attack IGMP | The firewall detected an IGMP attack.
attack ESP | The firewall detected an ESP attack.
attack GRE | The firewall detected a GRE attack.
attack OSPF | The firewall detected an OSPF attack.
attack ICMP (type:%d, code:%d) | The firewall detected an ICMP attack; see the section on ICMP messages for type and code details.
land TCP | The firewall detected a TCP land attack.
syn flood TCP | The firewall detected a TCP syn flood attack.
ports scan TCP | The firewall detected a TCP port scan attack.
teardrop TCP | The firewall detected a TCP teardrop attack.
teardrop UDP | The firewall detected a UDP teardrop attack.
teardrop ICMP (type:%d, code:%d) | The firewall detected an ICMP teardrop attack; see the section on ICMP messages for type and code details.

Chart 13-6 Access Logs
LOG MESSAGE | DESCRIPTION
Firewall default policy: TCP (set:%d) | TCP access matched the default policy of the listed ACL set and the ZyWALL blocked or forwarded it according to the ACL set’s configuration.
Firewall default policy: UDP (set:%d) | UDP access matched the default policy of the listed ACL set and the ZyWALL blocked or forwarded it according to the ACL set’s configuration.
Firewall rule match: IGMP (set:%d, rule:%d) | IGMP access matched the listed firewall rule and the ZyWALL blocked or forwarded it according to the rule’s configuration.
Firewall rule match: ESP (set:%d, rule:%d) | ESP access matched the listed firewall rule and the ZyWALL blocked or forwarded it according to the rule’s configuration.
Firewall rule NOT match: OSPF (set:%d, rule:%d) | OSPF access did not match the listed firewall rule and the ZyWALL logged it.
Firewall rule NOT match: (set:%d, rule:%d) | Access did not match the listed firewall rule and the ZyWALL logged it.
Filter default policy DROP! | TCP access matched a default filter policy and the ZyWALL dropped the packet to block access.
Filter match DROP | ICMP access matched the listed filter rule and the ZyWALL dropped the packet to block access.
Filter match DROP | Access matched the listed filter rule and the ZyWALL dropped the packet to block access.
Filter match DROP | Access matched the listed filter rule (denied LAN IP) and the ZyWALL dropped the packet to block access.
Firewall sent TCP reset packets | The firewall sent out TCP reset packets.
Packet without a NAT table entry blocked | The router blocked a packet that did not have a corresponding NAT table entry.

Chart 13-7 ACL Setting Notes
ACL SET NUMBER | DIRECTION | DESCRIPTION
9 | DMZ to DMZ/ZyWALL | ACL set 9 for packets traveling from the DMZ to the DMZ or the ZyWALL.

Chart 13-8 ICMP Notes
TYPE | CODE | DESCRIPTION
0 |  | Echo message
11 |  | Time Exceeded
 | 0 | Time to live exceeded in transit
 | 1 | Fragment reassembly time exceeded
12 |  | Parameter Problem
 | 0 | Pointer indicates the error
13 |  | Timestamp
 | 0 | Timestamp request message
14 |  | Timestamp Reply
 | 0 | Timestamp reply message
15 |  | Information Request
 | 0 | Information request message
16 |  | Information Reply
 | 0 | Information reply message

Chart 13-9 Sys log
LOG MESSAGE
Mon dd hr:mm:ss hostname s
Index: | Date/Time: | Log:
-----------------------------------------------------------
001 | 01 Jan 08:02:22 | Send Main Mode request to <192.168.100.

The following table shows sample log messages during IKE key exchange.

Chart 13-10 Sample IKE Key Exchange Logs
LOG MESSAGE | DESCRIPTION
Send Mode request to | The ZyWALL has started negotiation with the peer.
Recv Mode request from | The ZyWALL has received an IKE negotiation request from the peer.
!! Remote IP / conflicts | If the security gateway is “0.0.0.0”, the ZyWALL will use the peer’s “Local Addr” as its “Remote Addr”. If a peer’s “Local Addr” range conflicts with other connections, then the ZyWALL will not accept VPN connection requests from this peer.
!! Active connection allowed exceeded | The ZyWALL limits the number of simultaneous Phase 2 SA negotiations.
vs. My Local | The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the local router. The log displays this router’s configured local IP address type or IP address that the incoming packet did not match.
-> | The router sent a payload type of IKE packet.
Error ID Info |

The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type.
Log Commands
Go to the command interpreter interface (the Command Interpreter Appendix explains how to access and use the commands).

Configuring What You Want the ZyWALL to Log
Use the sys logs load command to load the log setting buffer that allows you to configure which logs the ZyWALL is to record.

Use the sys logs display [log category] command to show the logs in an individual ZyWALL log category. Use the sys logs clear command to erase all of the ZyWALL’s logs.

Log Command Example
This example shows how to set the ZyWALL to record the access logs and alerts and then view the results.

    ras> sys logs load
    ras> sys logs category access 3
    ras> sys logs save
    ras> sys logs display access
    # .time notes source destination message
    0|11/11/2002 15:10:12 |172.
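Added example, not ZyXEL code: a parser for the message formats listed in Charts 13-5 and 13-6 that also decodes ICMP type/code pairs with the entries of Chart 13-8, so that lines retrieved with sys logs display can be counted by category. The sample messages are constructed from the charts' %d templates; the regular expressions, the LogEvent record and the function names are this example's own.

```python
# Added example (not ZyXEL code): classify firewall log messages in the
# formats of Charts 13-5 (attack) and 13-6 (access) and decode the ICMP
# type/code pairs using Chart 13-8.
import re
from dataclasses import dataclass
from typing import Optional

# Chart 13-8 entries: (type, code) -> description.
ICMP_NOTES = {
    (0, 0): "Echo message",
    (11, 0): "Time to live exceeded in transit",
    (11, 1): "Fragment reassembly time exceeded",
    (12, 0): "Pointer indicates the error",
    (13, 0): "Timestamp request message",
    (14, 0): "Timestamp reply message",
    (15, 0): "Information request message",
    (16, 0): "Information reply message",
}


@dataclass
class LogEvent:
    category: str                  # "attack" (Chart 13-5) or "access" (Chart 13-6)
    kind: str                      # e.g. "syn flood", "rule match", "default policy"
    protocol: Optional[str]        # None when the message carries no protocol
    acl_set: Optional[int] = None
    rule: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    icmp_note: Optional[str] = None


PATTERNS = [
    # Chart 13-5: "attack ICMP (type:%d, code:%d)", "syn flood TCP", ...
    (re.compile(r"^(?P<kind>attack|land|syn flood|ports scan|teardrop) (?P<proto>[A-Z]+)"
                r"(?: \(type:(?P<type>\d+), code:(?P<code>\d+)\))?$"), "attack"),
    # Chart 13-6: "Firewall rule match: ESP (set:%d, rule:%d)",
    # "Firewall default policy: TCP (set:%d)", "Firewall rule NOT match: (set:%d, rule:%d)"
    (re.compile(r"^Firewall (?P<kind>default policy|rule match|rule NOT match): "
                r"(?P<proto>[A-Z]+)? ?\(set:(?P<set>\d+)(?:, rule:(?P<rule>\d+))?\)$"), "access"),
]


def parse_firewall_log(message: str) -> Optional[LogEvent]:
    """Return a LogEvent for a chart-format message, or None if it matches neither chart."""
    for pattern, category in PATTERNS:
        m = pattern.match(message)
        if not m:
            continue
        g = m.groupdict()
        ev = LogEvent(category=category, kind=g["kind"], protocol=g.get("proto"))
        if g.get("set") is not None:
            ev.acl_set = int(g["set"])
        if g.get("rule") is not None:
            ev.rule = int(g["rule"])
        if g.get("type") is not None:
            ev.icmp_type, ev.icmp_code = int(g["type"]), int(g["code"])
            ev.icmp_note = ICMP_NOTES.get((ev.icmp_type, ev.icmp_code),
                                          "not listed in Chart 13-8")
        return ev
    return None


def summarise(messages: list[str]) -> dict[str, int]:
    """Count events per "category/kind"; unrecognised messages count as "unparsed"."""
    counts: dict[str, int] = {}
    for msg in messages:
        ev = parse_firewall_log(msg)
        key = f"{ev.category}/{ev.kind}" if ev else "unparsed"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample messages in the charts' formats.
SAMPLE_MESSAGES = [
    "attack ICMP (type:11, code:1)",
    "syn flood TCP",
    "syn flood TCP",
    "Firewall rule match: ESP (set:2, rule:3)",
    "Firewall default policy: UDP (set:1)",
    "Firewall rule NOT match: (set:4, rule:1)",
    "Packet without a NAT table entry blocked",
]

if __name__ == "__main__":
    print(summarise(SAMPLE_MESSAGES))
```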
Chapter 14 Brute-Force Password Guessing Protection

The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password. See the Command Interpreter appendix for information on the command structure.

Chart 14-1 Brute-Force Password Guessing Protection Commands
COMMAND | DESCRIPTION
sys pwderrtm | This command displays the brute-force guessing password protection settings.