ZyWALL 2 Plus Internet Security Appliance User’s Guide Version 4.
ZyWALL 2 Plus User’s Guide

Copyright

Copyright © 2006 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation.
Certifications

Federal Communications Commission (FCC) Interference Statement

This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause undesired operations.
This equipment has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules.
Safety Warnings

For your safety, be sure to read and follow all warning notices and instructions.
• Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel can service the device. Please contact your vendor for further information.
• Connect the power cord to the right supply voltage (110V AC in North America or 230V AC in Europe).
ZyXEL Limited Warranty

ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase.
Customer Support

Please have the following information ready when you contact customer support.
• Product model and serial number.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.

The contact table lists, for each location, the support e-mail, telephone, web site, fax, FTP site and regular mail address.

CORPORATE HEADQUARTERS (WORLDWIDE)
  Support e-mail: support@zyxel.com.tw
  Telephone: +886-3-578-3942
  Sales e-mail: sales@zyxel.
CZECH REPUBLIC
DENMARK
FINLAND
POLAND
  E-mail: info@pl.zyxel.com
  Telephone: +48 (22) 333 8250
  Web site: www.pl.zyxel.com
  Regular mail: ZyXEL Communications, ul. Okrzei 1A, 03-715 Warszawa, Poland
RUSSIA
  Web site: www.zyxel.ru
  Regular mail: ZyXEL Russia, Ostrovityanova 37a Str., Moscow, 117279, Russia
SPAIN
  Web site: www.zyxel.es
  Regular mail: ZyXEL Communications, Arte, 21 5ª planta, 28033 Madrid, Spain
SWEDEN
  Web site: www.zyxel.se
  Regular mail: ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden
UKRAINE
  Web site: www.ua.zyxel.com
  Regular mail: ZyXEL Ukraine, 13, Pimonenko Str.
Table of Contents

Copyright ..... 3
Certifications ..... 4
Safety Warnings ..... 6
ZyXEL Limited Warranty
2.4.6 VPN Status ..... 66
Chapter 3 Wizard Setup ..... 69
3.1 Wizard Setup Overview ..... 69
3.2 Internet Access
6.1.1 Bridge Loop ..... 103
6.2 Spanning Tree Protocol (STP) ..... 104
6.2.1 Rapid STP ..... 104
6.2.2 STP Terminology ..... 104
6.2.3 How STP Works
8.11 Threshold Screen ..... 145
8.12 Service ..... 146
8.12.1 Firewall Edit Custom Service ..... 148
8.13 Solving the Asymmetrical Route Problem Example ..... 149
8.14 My Service Firewall Rule Example
11.1.4.2 Encapsulation ..... 189
11.1.4.3 VPN, NAT, and NAT Traversal ..... 190
11.1.4.4 SA Life Time ..... 191
11.1.4.5 IPSec High Availability ..... 191
11.2 VPN Rules (IKE)
13.3 RADIUS ..... 243
13.3.1 Types of RADIUS Messages ..... 244
13.4 Local User Database ..... 244
13.5 RADIUS
16.7.1 Priority-based Scheduler ..... 271
16.7.2 Fairness-based Scheduler ..... 271
16.7.3 Maximize Bandwidth Usage ..... 271
16.7.4 Reserving Bandwidth for Non-Bandwidth Class Traffic ..... 272
16.7.5 Maximize Bandwidth Usage Example
18.3 WWW ..... 299
18.4 HTTPS Example ..... 300
18.4.1 Internet Explorer Warning Messages ..... 301
18.4.2 Netscape Navigator Warning Messages ..... 301
18.4.3 Avoiding the Browser Warning Messages
Chapter 20 ALG Screen ..... 333
20.1 ALG Introduction ..... 333
20.1.1 ALG and NAT ..... 333
20.1.2 ALG and the Firewall ..... 333
20.2 FTP
22.10 F/W Upload Screen ..... 361
22.11 Backup and Restore ..... 363
22.11.1 Backup Configuration ..... 364
22.11.2 Restore Configuration ..... 364
22.11.3 Back to Factory Defaults
26.3 LAN Port Filter Setup ..... 393
26.4 TCP/IP and DHCP Ethernet Setup Menu ..... 394
26.4.1 IP Alias Setup ..... 397
Chapter 27 Internet Access ..... 399
27.
30.4.1 Internet Access Only ..... 424
30.4.2 Example 2: Internet Access with a Default Server ..... 426
30.4.3 Example 3: Multiple Public IP Addresses With Inside Servers ..... 426
30.4.4 Example 4: NAT Unfriendly Application Programs ..... 430
30.5 Trigger Port Forwarding
34.3.1 System Information ..... 457
34.3.2 Console Port Speed ..... 458
34.4 Log and Trace ..... 459
34.4.1 Viewing Error Log ..... 459
34.4.2 Syslog Logging
36.1.1 Command Syntax ..... 483
36.1.2 Command Usage ..... 484
36.2 Call Control Support ..... 485
36.2.1 Budget Management ..... 485
36.2.2 Call History
Appendix G Importing Certificates ..... 557
Appendix H Command Interpreter ..... 569
Appendix I Firewall Commands ..... 571
Appendix J NetBIOS Filter Commands
List of Figures

Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem ..... 51
Figure 2 VPN Application ..... 51
Figure 3 Front Panel ..... 52
Figure 4 Change Password Screen
Figure 39 Bridge Loop: Bridge Connected to Wired LAN ..... 103
Figure 40 Bridge ..... 106
Figure 41 WAN Route ..... 110
Figure 42 WAN: Ethernet Encapsulation
Figure 82 Requested URLs Example ..... 176
Figure 83 Web Page Review Process Screen ..... 177
Figure 84 VPN: High-Level Example ..... 179
Figure 85 VPN: IKE SA and IPSec SA
Figure 125 NAT Address Mapping Edit ..... 257
Figure 126 Multiple Servers Behind NAT Example ..... 259
Figure 127 Port Translation Example ..... 259
Figure 128 Port Forwarding
Figure 168 SNMP ..... 316
Figure 169 DNS ..... 317
Figure 170 CNM ..... 318
Figure 171 UPnP
Figure 211 Menu 1.1.1: DDNS Edit Host ..... 379
Figure 212 MAC Address Cloning in WAN Setup ..... 381
Figure 213 Menu 2: Dial Backup Setup ..... 383
Figure 214 Menu 2.1: Advanced WAN Setup ..... 384
Figure 215 Menu 11.
Figure 253 NAT Example 3 ..... 427
Figure 254 Example 3: Menu 11.1.2 ..... 428
Figure 255 Example 3: Menu 15.1.1.1 ..... 428
Figure 256 Example 3: Final Menu 15.1.1
Figure 296 System Maintenance: Restore Configuration ..... 475
Figure 297 System Maintenance: Starting Xmodem Download Screen ..... 475
Figure 298 Restore Configuration Example ..... 475
Figure 299 Successful Restoration Confirmation Screen ..... 476
Figure 300 Telnet Into Menu 24.7.
Figure 339 Windows XP: Internet Protocol (TCP/IP) Properties ..... 525
Figure 340 Macintosh OS 8/9: Apple Menu ..... 526
Figure 341 Macintosh OS 8/9: TCP/IP ..... 526
Figure 342 Macintosh OS X: Apple Menu
Figure 382 SSL Client Authentication ..... 567
Figure 383 ZyWALL Secure Login Screen ..... 567
Figure 384 Option to Enter Debug Mode ..... 585
Figure 385 Boot Module Commands
List of Tables

Table 1 Front Panel Lights ..... 52
Table 2 Web Configurator HOME Screen in Router Mode ..... 56
Table 3 Web Configurator HOME Screen in Bridge Mode ..... 59
Table 4 Bridge and Router Mode Features Comparison
Table 39 Rule Summary ..... 138
Table 40 Firewall Edit Rule ..... 141
Table 41 Anti-Probing ..... 143
Table 42 Firewall Threshold
Table 82 NAT Address Mapping ..... 256
Table 83 NAT Address Mapping Edit ..... 257
Table 84 Port Forwarding ..... 261
Table 85 Port Triggering
Table 125 General Setup ..... 352
Table 126 Password Setup ..... 353
Table 127 Time and Date ..... 354
Table 128 Default Time Servers
Table 168 Menu 15.3: Trigger Port Setup ..... 433
Table 169 Abbreviations Used in the Filter Rules Summary Menu ..... 442
Table 170 Rule Abbreviations Used ..... 443
Table 171 Menu 21.1.1.1: TCP/IP Filter Rule
Table 211 Class C Subnet Planning ..... 538
Table 212 Class B Subnet Planning ..... 539
Table 213 Commonly Used Services ..... 541
Table 214 Firewall Commands
Preface

Congratulations on your purchase of the ZyWALL.

Note: Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.zyxel.com for North American products.

Your ZyWALL is easy to install and configure.

About This User's Guide

This manual is designed to guide you through the configuration of your ZyWALL for its various applications.

Syntax Conventions

• “Enter” means for you to type one or more characters. “Select” or “Choose” means for you to use one of the predefined choices.
• The SMT menu titles and labels are in Bold Times New Roman font. Predefined field choices are in Bold Arial font. Command and arrow keys are enclosed in square brackets. [ENTER] means the Enter, or carriage return, key; [ESC] means the Escape key and [SPACE BAR] means the Space Bar.
CHAPTER 1 Getting to Know Your ZyWALL

This chapter introduces the main features and applications of the ZyWALL.

1.1 ZyWALL Internet Security Appliance Overview

The ZyWALL is loaded with security features including VPN, firewall, content filtering and certificates. You can also deploy the ZyWALL as a transparent firewall in an existing network with minimal configuration. The ZyWALL provides bandwidth management, NAT, port forwarding, DHCP server and many other powerful features.

Time and Date

The ZyWALL allows you to get the current time and date from an external server when you turn on your ZyWALL. You can also set the time manually.

Reset Button

Use the reset button to restore the factory default password to 1234; IP address to 192.168.1.1, subnet mask to 255.255.255.0 and DHCP server enabled with a pool of 32 IP addresses starting at 192.168.1.33.

1.2.

X-Auth (Extended Authentication)

X-Auth provides added security for VPN by requiring each VPN client to use a user name and password.

Certificates

The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. Certificates provide a way to exchange public keys for use in authentication.
RADIUS (RFC2138, 2139)

A RADIUS (Remote Authentication Dial In User Service) server enables user authentication, authorization and accounting.

IEEE 802.1x for Network Security

The ZyWALL supports the IEEE 802.1x standard that works with IEEE 802.11 to enhance user authentication. With the local user profile, the ZyWALL allows you to configure up to 32 user profiles without a network authentication server.

IP Alias

IP Alias allows you to partition a physical network into logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet LAN interface, with the ZyWALL itself as the gateway for each network.

Central Network Management

Central Network Management (CNM) allows an enterprise or service provider network administrator to manage your ZyWALL.

Full Network Management

The embedded web configurator is an all-platform, web-based utility that allows you to easily manage and configure the ZyWALL. Most functions of the ZyWALL are also software configurable via the SMT (System Management Terminal) interface. The SMT is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection.
Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem

1.3.2 VPN Application

ZyWALL VPN is an ideal cost-effective way to connect branch offices and business partners over the Internet without the need (and expense) for leased lines between sites. In the following diagram, A is a VPN Client for secure remote management, B is a VPN client for remote access, and C is a remote IPSec router. The LAN is marked 1 and the remote network is marked 2.

1.3.3 Front Panel Lights

Figure 3 Front Panel

The following table describes the lights.

Table 1 Front Panel Lights
LED   COLOR   STATUS     DESCRIPTION
              Off        The ZyWALL is turned off.
      Green   On         The ZyWALL is turned on.
      Red     Flashing   The ZyWALL is performing system tests.
              On         The power to the ZyWALL is too low.
              Off        The backup port is not connected.
              On         The backup port is connected.
              Flashing   The backup port is sending or receiving packets.
              Off        The LAN is not connected.
CHAPTER 2 Introducing the Web Configurator

This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens.

2.1 Web Configurator Overview

The web configurator is an HTML-based management interface that allows easy ZyWALL setup and management via Internet browser. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions. The recommended screen resolution is 1024 by 768 pixels.

Figure 4 Change Password Screen

6 Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device.

Note: If you do not replace the default certificate here or in the CERTIFICATES screen, this screen displays every time you access the web configurator.

Figure 5 Replace Certificate Screen

7 You should now see the HOME screen (see Figure 7 on page 56).
2.3.1 Procedure To Use The Reset Button

Make sure the SYS LED is on (not blinking) before you begin this procedure.
1 Press the RESET button for ten seconds, and then release it. If the ZyWALL restarts with the defaults restored, the procedure is complete. Otherwise, go to step 2.
2 Turn the ZyWALL off.
3 While pressing the RESET button, turn the ZyWALL on.
4 Continue to hold the RESET button. The ZyWALL restarts with the defaults restored.
2.4.1 Router Mode

The following screen displays when the ZyWALL is set to router mode. The ZyWALL is set to router mode by default.

Figure 7 Web Configurator HOME Screen in Router Mode

Use submenus to configure ZyWALL features. Click LOGOUT at any time to exit the web configurator. The following table describes the labels in this screen.
Table 2 Web Configurator HOME Screen in Router Mode (continued)
LABEL             DESCRIPTION
Routing Protocol  This shows the routing protocol (IP) for which the ZyWALL is configured. This field is not configurable.
Device Mode       This displays whether the ZyWALL is functioning as a router or a bridge.
Firewall          This displays whether or not the ZyWALL’s firewall is activated.
Table 2 Web Configurator HOME Screen in Router Mode (continued)
LABEL   DESCRIPTION
Renew   If you are using Ethernet encapsulation and the WAN port is configured to get the IP address automatically from the ISP, click Renew to release the WAN port’s dynamically assigned IP address and get the IP address afresh. Click Dial to dial up the PPTP, PPPoE or dial backup connection.
Figure 8 Web Configurator HOME Screen in Bridge Mode

The following table describes the labels in this screen.

Table 3 Web Configurator HOME Screen in Bridge Mode
LABEL            DESCRIPTION
Wizards for VPN Quick Setup
VPN              Click VPN to configure a Virtual Private Network (VPN) policy for secure communications between sites.
Device Information
System Name      This is the System Name you enter in the MAINTENANCE General screen. It is for identification purposes.
System Time      This field displays your ZyWALL’s present date and time along with the difference from the Greenwich Mean Time (GMT) zone. The difference from GMT is based on the time zone. It is also adjusted for Daylight Saving Time if you set the ZyWALL to use it.
Memory           The first number shows how many kilobytes of the heap memory the ZyWALL is using.
Show Statistics  Click Show Statistics to see bridge performance statistics such as the number of packets sent and number of packets received for each port.
VPN Status       Click VPN Status to display the active VPN (secure) connections.

2.4.3 Navigation Panel

After you enter the password, use the sub-menus on the navigation panel to configure ZyWALL features.
Table Key: An O in a mode’s column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change.

The following table describes the sub-menus.

Table 5 Screens Summary
LINK          TAB                   FUNCTION
HOME                                This screen shows the ZyWALL’s general device and network status information. Use this screen to access the wizards, statistics and DHCP table.
CERTIFICATES  My Certificates       Use this screen to view a summary list of certificates and manage certificates and certification requests.
              Trusted CAs           Use this screen to view and manage the list of the trusted CAs.
              Trusted Remote Hosts  Use this screen to view and manage the certificates belonging to the trusted remote hosts.
AUTH SERVER
UPnP          UPnP                  Use this screen to enable UPnP on the ZyWALL.
              Ports                 Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL.
ALG           ALG                   Use this screen to allow certain applications to pass through the ZyWALL.
LOGS          View Log              Use this screen to view the logs for the categories that you selected.
              Log Settings          Use this screen to change your ZyWALL’s log settings.
The following table describes the labels in this screen.

Table 6 Home: Show Statistics
LABEL   DESCRIPTION
Port    These are the ZyWALL’s interfaces.
Status  For the LAN, this displays the port speed and duplex setting.

Figure 10 Home: DHCP Table

The following table describes the labels in this screen.

Table 7 Home: DHCP Table
LABEL       DESCRIPTION
Interface   Select an interface to show the current DHCP client information for the specified interface.
#           This is the index number of the host computer.
IP Address  This field displays the IP address relative to the # field listed above.
Host Name   This field displays the computer host name.

Figure 11 Home: VPN Status

The following table describes the labels in this screen.

Table 8 Home: VPN Status
LABEL          DESCRIPTION
#              This is the security association index number.
Name           This field displays the identification name for this VPN policy.
Local Network  This field displays the IP address of the computer using the VPN IPSec feature of your ZyWALL.
CHAPTER 3 Wizard Setup

This chapter provides information on the Wizard Setup screens in the web configurator. The Internet access wizard is only applicable when the ZyWALL is in router mode.

3.1 Wizard Setup Overview

The web configurator's setup wizards help you configure the WAN port to access the Internet and edit VPN policies and configure IKE settings to establish a VPN tunnel.

3.
Figure 12 ISP Parameters: Ethernet Encapsulation

The following table describes the labels in this screen.

Table 9 ISP Parameters: Ethernet Encapsulation
LABEL          DESCRIPTION
ISP Parameters for Internet Access
Encapsulation  You must choose the Ethernet option when the WAN port is used as a regular Ethernet connection. Otherwise, choose PPPoE or PPTP for a dial-up connection.
3.2.1.2 PPPoE Encapsulation

Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an IETF (Internet Engineering Task Force) standard specifying how a host personal computer interacts with a broadband modem (for example DSL, cable, wireless, etc.) to achieve access to high-speed data networks.

Figure 13 ISP Parameters: PPPoE Encapsulation

The following table describes the labels in this screen.
Table 10 ISP Parameters: PPPoE Encapsulation (continued)
LABEL                  DESCRIPTION
Idle Timeout           Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server. The default time is 100 seconds.
WAN IP Address Assignment
IP Address Assignment  Select Dynamic if your ISP did not assign you a fixed IP address. This is the default selection. Select Static if the ISP assigned a fixed IP address.
Note: The ZyWALL supports one PPTP server connection at any given time.

Figure 14 ISP Parameters: PPTP Encapsulation

The following table describes the labels in this screen.

Table 11 ISP Parameters: PPTP Encapsulation
LABEL               DESCRIPTION
ISP Parameters for Internet Access
Encapsulation       Select PPTP from the drop-down list box. To configure a PPTP client, you must configure the User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
PPTP Configuration
My IP Address       Type the (static) IP address assigned to you by your ISP.
My IP Subnet Mask   Type the subnet mask assigned to you by your ISP (if given).
Server IP Address   Type the IP address of the PPTP server.
Connection ID/Name  Enter the connection ID or connection name in this field. It must follow the "c:id" and "n:name" format. For example, C:12 or N:My ISP.
Figure 16 Internet Access Setup Complete
3.2.3 Internet Access Wizard: Registration
If you clicked Next in the previous screen (see Figure 15 on page 74), the following screen displays.
Note: If you want to activate a standard service with your iCard’s PIN number (license key), use the REGISTRATION Service screen.
The following table describes the labels in this screen.
Table 12 Internet Access Wizard: Registration
Device Registration: If you select Existing myZyXEL.com account, only the User Name and Password fields are available.
New myZyXEL.com account: If you haven’t created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL.
Existing myZyXEL.
Figure 19 Internet Access Wizard: Status
The following screen appears if the registration was not successful. Click Return to go back to the Device Registration screen and check your settings.
Figure 20 Internet Access Wizard: Registration Failed
If the ZyWALL has been registered, the Device Registration screen is read-only and the Service Activation screen appears indicating what trial applications are activated after you click Next.
Figure 22 Internet Access Wizard: Activated Services
3.3 VPN Wizard Gateway Setting
A VPN (Virtual Private Network) tunnel gives you a secure connection to another computer or network. A gateway policy identifies the IPSec routers at either end of a VPN tunnel. A network policy specifies which devices (behind the IPSec routers) can use the VPN tunnel.
Figure 24 IPSec Fields Summary
Use the VPN wizard screens to configure a VPN rule that uses a pre-shared key. If you want to set the rule to use a certificate, please go to the VPN screens for configuration. Click VPN Wizard in the HOME screen to open the VPN configuration wizard. The first screen displays as shown next.
Note: Your settings are not saved when you click Back.
Figure 25 VPN Wizard: Gateway Setting
The following table describes the labels in this screen.
Table 13 VPN Wizard: Gateway Setting
My ZyWALL: When the ZyWALL is in router mode, enter the WAN IP address or the domain name of your ZyWALL or leave the field set to 0.0.0.0. The ZyWALL uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0.
The following table describes the labels in this screen.
Table 14 VPN Wizard: Network Setting
Network Policy Property
Active: If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel. Clear the Active check box to turn the network policy off: the ZyWALL does not apply the policy and packets for the tunnel do not trigger the tunnel.
Name: Type up to 32 characters to identify this VPN network policy.
3.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1)
Figure 27 VPN Wizard: IKE Tunnel Setting
The following table describes the labels in this screen.
Table 15 VPN Wizard: IKE Tunnel Setting
Negotiation Mode: Select Main Mode for identity protection. Select Aggressive Mode to allow more incoming connections from dynamic IP addresses to use separate passwords.
Table 15 VPN Wizard: IKE Tunnel Setting (continued)
Pre-Shared Key: Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection. Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-9", "A-F") characters.
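As an added example (not code from this guide or from ZyXEL), the check below applies the Pre-Shared Key rules of Table 15 to a candidate key before it is typed into the wizard, and adds a rough strength estimate so that a key that only just meets the 8-character minimum is recognized as weak. The rule that an all-hex string of 16 to 62 digits is treated as the hexadecimal form is an assumption; the guide does not say how the two forms are distinguished.

```python
import math

# Limits for the wizard's Pre-Shared Key field as given in Table 15.
ASCII_MIN, ASCII_MAX = 8, 31      # case-sensitive printable ASCII form
HEX_MIN, HEX_MAX = 16, 62         # hexadecimal ("0-9", "A-F") form
HEX_DIGITS = set("0123456789ABCDEF")


def psk_form(key: str):
    """Return "hex" if the key is accepted as a hexadecimal PSK, "ascii" if it
    is accepted as an ASCII PSK, or None if the wizard's rules reject it.

    Assumption (not stated in the guide): a string made only of 0-9/A-F that
    is 16 to 62 digits long is taken to be the hexadecimal form; any other
    string is checked against the ASCII rule.
    """
    if not key or any(not 32 <= ord(c) <= 126 for c in key):
        return None                        # empty, control or non-ASCII character
    if set(key) <= HEX_DIGITS and HEX_MIN <= len(key) <= HEX_MAX:
        return "hex"
    if ASCII_MIN <= len(key) <= ASCII_MAX:
        return "ascii"
    return None


def estimated_bits(key: str) -> float:
    """Rough upper bound on key strength: characters times log2 of the size of
    the character classes actually used. Dictionary words score far lower in
    practice, so treat the result as a ceiling, not a guarantee."""
    form = psk_form(key)
    if form is None:
        return 0.0
    if form == "hex":
        return 4.0 * len(key)              # 16 hex digits = 8 bytes = 64 bits
    alphabet = 0
    if any(c.islower() for c in key):
        alphabet += 26
    if any(c.isupper() for c in key):
        alphabet += 26
    if any(c.isdigit() for c in key):
        alphabet += 10
    if any(not c.isalnum() for c in key):
        alphabet += 33                      # space and printable punctuation
    return len(key) * math.log2(alphabet)


def check_psk(key: str):
    """Return (accepted, form, estimated_bits) for one candidate key."""
    form = psk_form(key)
    return form is not None, form, estimated_bits(key)


if __name__ == "__main__":
    # Constructed sample keys, not values from the guide.
    for k in ("secret", "0123456789ABCDEF", "Tr0ub4dor&3", "DEADBEEF"):
        print(repr(k), check_psk(k))
```

Both peers must be given the identical string, so run the check on the key before it is distributed rather than after a tunnel fails to negotiate.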
The following table describes the labels in this screen.
Table 16 VPN Wizard: IPSec Setting
Encapsulation Mode: Tunnel is compatible with NAT, Transport is not. Tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel mode is required for gateway services to provide access to internal systems. Tunnel mode is fundamentally an IP tunnel with authentication and encryption.
Figure 29 VPN Wizard: VPN Status
The following table describes the labels in this screen.
Table 17 VPN Wizard: VPN Status
Gateway Policy Property
Name: This is the name of this VPN gateway policy.
Gateway Policy Setting
My ZyWALL: This is the WAN IP address or the domain name of your ZyWALL in router mode or the ZyWALL’s IP address in bridge mode.
Remote Gateway Address: This is the IP address or the domain name used to identify the remote IPSec router.
Table 17 VPN Wizard: VPN Status (continued)
Name: This is the name of this VPN network policy.
Network Policy Setting
Local Network
Starting IP Address: This is a (static) IP address on the LAN behind your ZyWALL.
Ending IP Address/Subnet Mask: When the local network is configured for a single IP address, this field is N/A.
3.8 VPN Wizard Setup Complete
Congratulations! You have successfully set up the VPN rule after any existing rule(s) for your ZyWALL.
CHAPTER 4 Registration
4.1 myZyXEL.com overview
myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL.
Note: You need to create an account before you can register your device and activate the services at myZyXEL.com.
You can directly create a myZyXEL.com account, register your ZyWALL and activate a service using the REGISTRATION screen. Alternatively, go to http://www.myZyXEL.
Figure 31 Registration
The following table describes the labels in this screen.
Table 18 Registration
Device Registration: If you select Existing myZyXEL.com account, only the User Name and Password fields are available.
New myZyXEL.com account: If you haven’t created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL.
Existing myZyXEL.
Table 18 Registration (continued)
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
Note: If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated. Use the Service screen to update your service subscription status.
Figure 32 Registration: Registered Device
4.
Figure 33 Registration: Service
The following table describes the labels in this screen.
Table 19 Service
Service Management
Service: This field displays the service name available on the ZyWALL.
Status: This field displays whether a service is activated (Active) or not (Inactive).
Registration Type: This field displays whether you applied for a trial application (Trial) or registered a service with your iCard’s PIN number (Standard).
CHAPTER 5 LAN Screens
This chapter describes how to configure LAN settings. This chapter is only applicable when the ZyWALL is in router mode.
5.1 LAN, WAN and the ZyWALL
A network is a shared communication system to which many computers are attached. The Local Area Network (LAN) includes the computers and networking devices in your home or office that you connect to the ZyWALL’s LAN ports.
If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, it is recommended that you select a network number from 192.168.0.0 to 192.168.255.0 and you must enable the Network Address Translation (NAT) feature of the ZyWALL.
5.3 DHCP
The ZyWALL can use DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) to automatically assign IP addresses, subnet masks, gateways, and some network information like the IP addresses of DNS servers to the computers on your LAN. You can alternatively have the ZyWALL relay DHCP information from another DHCP server. If you disable the ZyWALL’s DHCP service, you must have another DHCP server on your LAN, or else the computers must be manually configured.
5.3.
IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.
Figure 35 LAN
The following table describes the labels in this screen.
Table 20 LAN
LAN TCP/IP
IP Address: Type the IP address of your ZyWALL in dotted decimal notation. 192.168.1.1 is the factory default. Alternatively, click the right mouse button to copy and/or paste the IP address.
IP Subnet Mask: The subnet mask specifies the network number portion of an IP address.
Table 20 LAN (continued)
Multicast: Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use.
Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. To change your ZyWALL’s static DHCP settings, click NETWORK > LAN > Static DHCP. The screen appears as shown.
Figure 36 LAN Static DHCP
The following table describes the labels in this screen.
5.9 LAN IP Alias
IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LAN network. When you use IP alias, you can also configure firewall rules to control access between the LAN's logical networks (subnets).
Note: Make sure that the subnets of the logical networks do not overlap.
The following table describes the labels in this screen.
Table 22 LAN IP Alias
Enable IP Alias 1, 2: Select the check box to configure another LAN network for the ZyWALL.
IP Address: Enter the IP address of your ZyWALL in dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address.
IP Subnet Mask: Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign.
CHAPTER 6 Bridge Screens
This chapter describes how to configure bridge settings. This chapter is only applicable when the ZyWALL is in bridge mode.
6.1 Bridge
The ZyWALL can serve as a transparent firewall (also known as a bridge firewall) in order to provide firewall protection against denial of service attacks. You do not need to change your existing network configuration to use the ZyWALL as a bridge firewall.
6.2 Spanning Tree Protocol (STP)
STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other STP-compliant bridges in your network to ensure that only one route exists between any two stations on the network.
6.2.1 Rapid STP
The ZyWALL uses IEEE 802.
6.2.3 How STP Works
After a bridge determines the lowest-cost spanning tree with STP, it enables the root port and the ports that are the designated ports for connected LANs, and disables all other ports that participate in STP. Network packets are therefore only forwarded between enabled ports, eliminating any possible network loops. STP-aware bridges exchange Bridge Protocol Data Units (BPDUs) periodically.
Figure 40 Bridge
The following table describes the labels in this screen.
Table 25 Bridge
Bridge Setup
IP Address: Type the IP address of your ZyWALL in dotted decimal notation.
IP Subnet Mask: The subnet mask specifies the network number portion of an IP address.
Gateway IP Address: Enter the gateway IP address.
First/Second/Third DNS Server: DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa.
Table 25 Bridge (continued)
Rapid Spanning Tree Protocol Setup
Enable Rapid Spanning Tree Protocol: Select the check box to activate RSTP on the ZyWALL.
Bridge Priority: Enter a number between 0 and 61440 as the bridge priority of the ZyWALL. 0 is the highest.
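As an added example (not code from this guide or from the ZyWALL's RSTP implementation), the model below works through what Section 6.2.3 and the Bridge Priority field describe: the bridge with the lowest (priority, MAC) identifier becomes root, every other bridge keeps the port on its lowest-cost path to the root as its root port, each link gets one designated port, and any remaining port is blocked so that no loop can forward traffic. The three-bridge ring, its MAC addresses and link costs are constructed for the example; breaking equal-cost ties by the neighbour's bridge identifier is a simplification of the full STP tie-break order.

```python
import heapq
from collections import defaultdict


def bridge_id(priority: int, mac: str):
    """Bridge identity as STP compares it: lower wins, so priority 0 is the
    highest (Table 25) and the MAC only breaks ties between equal priorities."""
    if not 0 <= priority <= 61440:
        raise ValueError("bridge priority must be between 0 and 61440")
    return (priority, mac.lower())


def elect_root(bridges):
    """bridges: {name: (priority, mac)}. The bridge with the lowest ID is root."""
    return min(bridges, key=lambda n: bridge_id(*bridges[n]))


def root_path_costs(root, bridges, links):
    """Dijkstra from the root over point-to-point links [(a, b, cost), ...].
    Returns (cost, upstream): upstream[b] is the neighbour on b's lowest-cost
    path to the root, i.e. the far end of b's root port. Simplification:
    equal-cost paths are broken by the neighbour's bridge ID."""
    bid = lambda n: bridge_id(*bridges[n])
    adj = defaultdict(list)
    for a, b, c in links:
        if c <= 0:
            raise ValueError("link costs must be positive")
        adj[a].append((b, c))
        adj[b].append((a, c))
    cost, upstream = {root: 0}, {root: None}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > cost[u]:
            continue
        for v, c in adj[u]:
            nd = d + c
            if (v not in cost or nd < cost[v]
                    or (nd == cost[v] and bid(u) < bid(upstream[v]))):
                cost[v], upstream[v] = nd, u
                heapq.heappush(heap, (nd, v))
    return cost, upstream


def port_roles(bridges, links):
    """Return (root, roles); roles maps (bridge, neighbour) to "root",
    "designated" or "blocked" for that bridge's end of the link. Only root and
    designated ports forward frames, which is what removes the loops."""
    root = elect_root(bridges)
    cost, upstream = root_path_costs(root, bridges, links)
    rank = lambda n: (cost[n], bridge_id(*bridges[n]))
    roles = {}
    for a, b, _ in links:
        for me, other in ((a, b), (b, a)):
            if upstream[me] == other:
                roles[(me, other)] = "root"
            elif rank(me) < rank(other):
                roles[(me, other)] = "designated"   # lower root path cost, then lower ID
            else:
                roles[(me, other)] = "blocked"
    return root, roles


# Constructed three-bridge ring: A is given priority 0 so it must become root.
BRIDGES = {
    "A": (0, "00:A0:C5:00:00:01"),
    "B": (32768, "00:A0:C5:00:00:02"),
    "C": (32768, "00:A0:C5:00:00:03"),
}
LINKS = [("A", "B", 4), ("A", "C", 4), ("B", "C", 4)]

if __name__ == "__main__":
    root, roles = port_roles(BRIDGES, LINKS)
    print("root bridge:", root)
    for (me, other), role in sorted(roles.items()):
        print(f"{me} port towards {other}: {role}")
```

Running it shows the B-C link blocked at C's end only: B and C have the same path cost to A, so B's lower MAC makes it the designated bridge for that segment. Setting the ZyWALL's Bridge Priority lower than its neighbours' is how you decide which device wins such ties.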
CHAPTER 7 WAN Screens
This chapter describes how to configure WAN settings.
7.1 WAN Overview
• Use the WAN Route screen to configure route priority.
• Use the WAN screen to configure the WAN port for Internet access.
• Use the Traffic Redirect screen to configure your traffic redirect properties and parameters.
• Use the Dial Backup screen to configure the backup WAN dial-up connection.
7.2 TCP/IP Priority (Metric)
The metric represents the "cost of transmission".
Figure 41 WAN Route
The following table describes the labels in this screen.
Table 26 WAN Route
Route Priority
WAN, Traffic Redirect, Dial Backup: The default WAN connection is "1" as your broadband connection via the WAN port should always be your preferred method of accessing the WAN.
7.4 WAN IP Address Assignment
Every computer on the Internet must have a unique IP address. If your networks are isolated from the Internet, for instance, only between your two branch offices, you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks.
Table 27 Private IP Address Ranges
10.0.0.0 - 10.255.255.255
172.16.0.
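As an added example (not code from this guide or from ZyXEL), the check below ties together three statements from these chapters: the private blocks of Table 27 (the three RFC 1918 ranges), the advice in Section 5.1 to pick a 192.168.x.0 network with NAT when the ISP gave you no network number, and the IP alias note that the logical LAN subnets must not overlap. It takes the ZyWALL's LAN and IP alias entries as address/mask pairs and reports anything that would cause trouble. The limit of three logical LANs and the sample address plans are taken from the guide and constructed respectively.

```python
import ipaddress
from itertools import combinations

# The three private blocks reserved by IANA (Table 27, RFC 1918).
PRIVATE_BLOCKS = [ipaddress.ip_network(b) for b in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(net: ipaddress.IPv4Network) -> bool:
    """True if the whole network sits inside one of the three private blocks."""
    return any(net.subnet_of(block) for block in PRIVATE_BLOCKS)


def lan_network(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Network number of a LAN interface given the ZyWALL's address and mask."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def check_lan_plan(interfaces, max_logical=3):
    """interfaces: [(ip, mask), ...] for the LAN and its IP alias entries.
    Returns a list of problem descriptions; an empty list means the plan is
    consistent. max_logical=3 is the number of logical LAN interfaces the
    guide says the ZyWALL supports."""
    problems = []
    if len(interfaces) > max_logical:
        problems.append(f"{len(interfaces)} logical LANs configured, "
                        f"only {max_logical} supported")
    nets = []
    for ip, mask in interfaces:
        iface = ipaddress.ip_interface(f"{ip}/{mask}")
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{ip} is the network or broadcast address of {net}")
        if not is_private(net):
            problems.append(f"{net} is not a private block: use it only if "
                            "the ISP assigned it to you")
        nets.append(net)
    # Overlapping logical networks make routing and firewall rules ambiguous.
    for a, b in combinations(nets, 2):
        if a.overlaps(b):
            problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    # Constructed address plans: one clean, one with an overlapping alias.
    clean = [("192.168.1.1", "255.255.255.0"), ("192.168.2.1", "255.255.255.0"),
             ("10.0.0.1", "255.0.0.0")]
    overlapping = [("192.168.1.1", "255.255.255.0"), ("192.168.1.129", "255.255.255.128")]
    print("clean plan:", check_lan_plan(clean) or "no problems")
    print("overlapping plan:", check_lan_plan(overlapping))
```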
7.6 WAN MAC Address
Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You can configure the WAN port's MAC address by either using the factory default or cloning the MAC address from a computer on your LAN. Once it is successfully configured, the address will be copied to the "rom" file (ZyNOS configuration file).
Figure 42 WAN: Ethernet Encapsulation
The following table describes the labels in this screen.
Table 29 WAN: Ethernet Encapsulation
ISP Parameters for Internet Access
Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
Table 29 WAN: Ethernet Encapsulation (continued)
Retype to Confirm: Type your password again to make sure that you have entered it correctly.
Login Server IP Address: Type the authentication server IP address here if your ISP gave you one. This field is not available for Telia Login.
Login Server (Telia Login only): Type the domain name of the Telia login server, for example login1.telia.com.
Table 29 WAN: Ethernet Encapsulation (continued)
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
Operationally, PPPoE saves significant effort for both you and the ISP or carrier, as it requires no specific configuration of the broadband modem at the customer site. The screen shown next is for PPPoE encapsulation.
The following table describes the labels in this screen.
Table 30 WAN: PPPoE Encapsulation
ISP Parameters for Internet Access
Encapsulation: The PPPoE choice is for a dial-up connection using PPPoE. The router supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (i.e. DSL, cable, wireless, etc.) connection.
Table 30 WAN: PPPoE Encapsulation (continued)
RIP Direction: RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, None, In Only or Out Only. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, the ZyWALL will incorporate RIP information that it receives.
7.7.3 PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet. The screen shown next is for PPTP encapsulation.
The following table describes the labels in this screen.
Table 31 WAN: PPTP Encapsulation
ISP Parameters for Internet Access
Encapsulation: Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
Table 31 WAN: PPTP Encapsulation (continued)
Enable NAT (Network Address Translation): Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet). Select this checkbox to enable NAT. For more information about NAT see Chapter 14 on page 249.
7.8 Traffic Redirect
Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the ZyWALL still provides firewall protection. In the following figure, your ZyWALL is labeled A, the gateway is labeled B and the backup gateway is labeled C.
Figure 47 Traffic Redirect
The following table describes the labels in this screen.
Table 32 Traffic Redirect
Active: Select this check box to have the ZyWALL use traffic redirect if the normal WAN connection goes down.
Backup Gateway IP Address: Type the IP address of your backup gateway in dotted decimal notation. The ZyWALL automatically forwards traffic to this IP address if the ZyWALL's Internet connection terminates.
Click NETWORK > WAN > Dial Backup to display the Dial Backup screen. Use this screen to configure the backup WAN dial-up connection.
The following table describes the labels in this screen.
Table 33 Dial Backup
Dial Backup Setup
Enable Dial Backup: Select this check box to turn on dial backup.
Basic Settings
Login Name: Type the login name assigned by your ISP.
Password: Type the password assigned by your ISP.
Retype to Confirm: Type your password again to make sure that you have entered it correctly.
Table 33 Dial Backup (continued)
Enable RIP: Select this check box to turn on RIP (Routing Information Protocol), which allows a router to exchange routing information with other routers.
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported, but RIP-2 carries more information.
Table 33 Dial Backup (continued)
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
7.11 Advanced Modem Setup
7.11.1 AT Command Strings
For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing. ATDT is the command for a switch that requires tone dialing. If your switch requires pulse dialing, change the string to ATDP.
Figure 49 Advanced Setup
The following table describes the labels in this screen.
Table 34 Advanced Setup
AT Command Strings
Dial: Type the AT Command string to make a call.
Drop: Type the AT Command string to drop a call. "~" represents a one second wait, for example, "~~~+++~~ath" can be used if your modem has a slow response time.
Answer: Type the AT Command string to answer a call.
Table 34 Advanced Setup (continued)
Dial Timeout (sec): Type a number of seconds for the ZyWALL to try to set up an outgoing call before timing out (stopping).
Retry Count: Type a number of times for the ZyWALL to retry a busy or no-answer phone number before blacklisting the number.
Retry Interval (sec): Type a number of seconds for the ZyWALL to wait before trying another call after a call has failed. This applies before a phone number is blacklisted.
CHAPTER 8 Firewall Screens
This chapter shows you how to configure your ZyWALL’s firewall.
8.1 Firewall Overview
The networking term firewall is a system or group of systems that enforces an access-control policy between two networks. It is generally a mechanism used to protect a trusted network from an untrusted network.
Your customized rules take precedence and override the ZyWALL’s default settings. The ZyWALL checks the source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the ZyWALL takes the action specified in the rule.
8.2 Firewall Connection Directions
Firewall rules are grouped based on the direction of travel of packets to which they apply.
8.3 Security Considerations
Note: Incorrectly configuring the firewall may block valid access or introduce security risks to the ZyWALL and your protected network. Use caution when creating or deleting firewall rules and test your rules after you configure them.
Your firewall would have the following configuration.
Table 35 Blocking All LAN to WAN IRC Traffic Example
#        SOURCE  DESTINATION  SCHEDULE  SERVICE  ACTION
1        Any     Any          Any       IRC      Drop
Default  Any     Any          Any       Any      Allow
• The first row blocks LAN access to the IRC service on the WAN.
• The second row is the firewall’s default policy that allows all traffic from the LAN to go to the WAN.
The ZyWALL applies the firewall rules in order.
Your firewall would have the following configuration.
Table 36 Limited LAN to WAN IRC Traffic Example
#        SOURCE       DESTINATION  SCHEDULE  SERVICE  ACTION
1        192.168.1.7  Any          Any       IRC      Allow
2        Any          Any          Any       IRC      Drop
Default  Any          Any          Any       Any      Allow
• The first row allows the LAN computer at IP address 192.168.1.7 to access the IRC service on the WAN.
• The second row blocks LAN access to the IRC service on the WAN.
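As an added example (not code from this guide or from the ZyWALL's firewall), the evaluator below replays the rule sets of Table 35 and Table 36 the way Section 8.1 describes: rules are walked in listed order, the first rule whose source, destination and service all match decides, and the default policy applies when none does. It also flags rules that an earlier Any/Any rule shadows, which is what happens when the two rows of Table 36 are listed in the wrong order. The address forms it accepts (single IP, range, subnet, blank meaning Any) follow the Edit Rule screen; schedules are not modelled, and the sample packets use a constructed WAN address.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    source: str          # "Any", one IP, "first-last" range or CIDR subnet
    destination: str     # same forms as source
    service: str         # "Any" or a service name such as "IRC"
    action: str          # "Allow", "Drop" or "Reject"
    schedule: str = "Any"   # schedules are not modelled here; always "Any"


def address_matches(pattern: str, ip: str) -> bool:
    """Match an address field as the Edit Rule screen describes it: a single
    IP, a range of IPs or a subnet. A blank field is equivalent to Any."""
    if pattern.strip() in ("", "Any"):
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in pattern:
        first, last = (ipaddress.ip_address(p.strip()) for p in pattern.split("-", 1))
        return first <= addr <= last
    return addr in ipaddress.ip_network(pattern, strict=False)


def first_match(rules, default_action, src, dst, service):
    """Walk the rules in listed order; the first rule whose source, destination
    and service all match decides. Returns (action, rule_number), with
    rule_number == "Default" when the default policy decided."""
    for number, rule in enumerate(rules, start=1):
        if (address_matches(rule.source, src)
                and address_matches(rule.destination, dst)
                and rule.service in ("Any", service)):
            return rule.action, number
    return default_action, "Default"


def shadowed_rules(rules):
    """Numbers of rules that can never fire because an earlier rule with Any
    source, Any destination and the same (or Any) service catches the packet
    first: the ordering mistake the Rule Summary note warns about."""
    shadowed = []
    for later, rule in enumerate(rules, start=1):
        for earlier in rules[:later - 1]:
            if (earlier.source == "Any" and earlier.destination == "Any"
                    and earlier.service in ("Any", rule.service)):
                shadowed.append(later)
                break
    return shadowed


# Table 35: block all LAN to WAN IRC traffic (default policy: Allow)
BLOCK_ALL_IRC = [Rule("Any", "Any", "IRC", "Drop")]

# Table 36: only 192.168.1.7 may use IRC; everyone else's IRC is dropped
LIMITED_IRC = [
    Rule("192.168.1.7", "Any", "IRC", "Allow"),
    Rule("Any", "Any", "IRC", "Drop"),
]
LAN_TO_WAN_DEFAULT = "Allow"

if __name__ == "__main__":
    wan_host = "203.0.113.5"    # constructed WAN address
    for src in ("192.168.1.7", "192.168.1.8"):
        print(src, "IRC ->", first_match(LIMITED_IRC, LAN_TO_WAN_DEFAULT, src, wan_host, "IRC"))
    swapped = list(reversed(LIMITED_IRC))
    print("swapped order, 192.168.1.7 IRC ->",
          first_match(swapped, LAN_TO_WAN_DEFAULT, "192.168.1.7", wan_host, "IRC"))
    print("shadowed rule numbers:", shadowed_rules(swapped))
```

With the rows swapped, the Allow rule for 192.168.1.7 is listed second and never fires; the shadow check reports it, which is the kind of test the Security Considerations note asks you to run after editing rules.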
The following table describes the labels in this screen.
Table 37 Default Rule (Router Mode)
Enable Firewall: Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
Allow Asymmetrical Route: If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL’s LAN IP address, return traffic may not go through the ZyWALL.
Figure 54 Default Rule (Bridge Mode)
The following table describes the labels in this screen.
Table 38 Default Rule (Bridge Mode)
Enable Firewall: Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
Packet Direction: This is the direction of travel of packets.
8.7 Firewall Rule Summary
Click SECURITY > FIREWALL > Rule Summary to open the screen. This screen displays a list of the configured firewall rules.
Note: The ordering of your rules is very important as rules are applied in the order that they are listed.
Figure 55 Rule Summary
The following table describes the labels in this screen.
Table 39 Rule Summary
Destination Address: This drop-down list box displays the destination addresses or ranges of addresses to which this firewall rule applies. Please note that a blank source or destination address is equivalent to Any.
Service Type: This drop-down list box displays the services to which this firewall rule applies. See Appendix E on page 541 for a list of common services.
Figure 56 Firewall Edit Rule
The following table describes the labels in this screen.
Table 40 Firewall Edit Rule
Rule Name: Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the firewall rule. Spaces are allowed.
Edit Source/Destination Address
Address Type: Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (for example 192.168.1.10 to 192.169.1.
Table 40 Firewall Edit Rule (continued)
Action for Matched Packets: Use the drop-down list box to select what the firewall is to do with packets that match this rule. Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender. Select Reject to deny the packets and send a TCP reset packet (for a TCP packet) or an ICMP destination-unreachable message (for a UDP packet) to the sender.
The following table describes the labels in this screen.
Table 41 Anti-Probing
Respond to PING on: Select the interface that you want to reply to incoming Ping requests. Select Disable to have the ZyWALL not respond to any incoming Ping requests.
Do not respond to requests for unauthorized services: Select this option to prevent hackers from finding the ZyWALL by probing for unused ports.
8.10 Firewall Thresholds
For DoS attacks, the ZyWALL uses thresholds to determine when to start dropping sessions that do not become fully established (half-open sessions). These thresholds apply globally to all sessions. For TCP, half-open means that the session has not reached the established state: the TCP three-way handshake has not yet been completed. Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server.
If you often use P2P applications such as file sharing with eMule or eDonkey, it’s recommended that you increase the threshold values since lots of sessions will be established during a small period of time and the ZyWALL may classify them as DoS attacks.
8.11 Threshold Screen
Click SECURITY > FIREWALL > Threshold to bring up the next screen. The global values specified for the threshold and timeout apply to all TCP connections.
Table 42 Firewall Threshold (continued)
One Minute High: This is the rate of new half-open sessions per minute that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the ZyWALL deletes half-open sessions as required to accommodate new connection attempts.
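As an added example (not code from this guide or from the ZyWALL's firewall), the tracker below models the behaviour Section 8.10 and the One Minute High field describe: sessions that sent a SYN but never completed the three-way handshake are kept in a table, the rate of new half-open sessions over the last 60 seconds is measured, and once that rate exceeds the threshold each further attempt evicts the oldest half-open session. The half-open timeout name and its 30-second default, the session keys and the traffic pattern (five normal handshakes followed by 100 SYNs that never complete) are all constructed for the example. It also shows why the P2P advice above matters: a threshold set too low evicts legitimate bursts just the same.

```python
from collections import OrderedDict, deque


class HalfOpenTracker:
    """Tracks TCP sessions that sent a SYN but have not completed the
    three-way handshake and applies a One Minute High style threshold.
    `half_open_timeout` (seconds) is an assumed name for the timeout the
    guide says applies alongside the threshold."""

    def __init__(self, one_minute_high: int, half_open_timeout: float = 30.0):
        self.one_minute_high = one_minute_high
        self.half_open_timeout = half_open_timeout
        self.half_open = OrderedDict()   # session key -> SYN time, oldest first
        self.recent_syns = deque()       # times of new half-open sessions (last 60 s)
        self.deleted_by_threshold = 0
        self.timed_out = 0
        self.peak_rate = 0

    def _rate(self, now):
        """Number of new half-open sessions seen in the last 60 seconds."""
        while self.recent_syns and now - self.recent_syns[0] >= 60:
            self.recent_syns.popleft()
        return len(self.recent_syns)

    def _expire(self, now):
        """Drop half-open sessions whose handshake never completed in time."""
        for key, started in list(self.half_open.items()):
            if now - started >= self.half_open_timeout:
                del self.half_open[key]
                self.timed_out += 1

    def syn(self, now, key):
        """A new connection attempt (SYN) arrives; key identifies the 4-tuple."""
        self._expire(now)
        self.recent_syns.append(now)
        rate = self._rate(now)
        self.peak_rate = max(self.peak_rate, rate)
        if rate > self.one_minute_high and self.half_open:
            self.half_open.popitem(last=False)    # evict the oldest half-open session
            self.deleted_by_threshold += 1
        self.half_open[key] = now

    def established(self, now, key):
        """The handshake completed: the session is no longer half-open."""
        self.half_open.pop(key, None)

    def summary(self):
        return {"half_open": len(self.half_open),
                "deleted_by_threshold": self.deleted_by_threshold,
                "timed_out": self.timed_out,
                "peak_rate_per_minute": self.peak_rate}


def simulate_syn_flood(one_minute_high=50):
    """Constructed traffic: five normal handshakes that complete, then 100
    SYNs in ten seconds from many sources that never complete."""
    tracker = HalfOpenTracker(one_minute_high)
    for i in range(5):
        key = ("192.168.1.10", 40000 + i, "203.0.113.5", 80)
        tracker.syn(float(i), key)
        tracker.established(i + 0.05, key)
    for i in range(100):
        key = (f"198.51.100.{i % 250 + 1}", 5000 + i, "203.0.113.5", 80)
        tracker.syn(100 + i / 10, key)
    return tracker.summary()


if __name__ == "__main__":
    for threshold in (50, 200):
        print(f"One Minute High = {threshold}:", simulate_syn_flood(threshold))
```

With the threshold at 50, the 51st attempt within the minute starts evicting, so the table never grows past 50 entries and the completed handshakes are unaffected; with the threshold at 200 nothing is evicted and all 100 half-open sessions stay until the timeout clears them.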
Figure 61 Firewall Service
The following table describes the labels in this screen.
Table 43 Firewall Service
Custom Service: This table shows all configured custom services.
#: This is the index number of the custom service.
Service Name: This is the name of the service.
Protocol: This is the IP protocol type. If you selected Custom, this is the IP protocol value you entered.
Table 43 Firewall Service (continued)
Add: Click this button to bring up the screen that you use to configure a new custom service that is not in the predefined list of services.
Predefined Service: This table shows all the services that are already configured for use in firewall rules. See Appendix E on page 541 for a list of common services.
#: This is the index number of the predefined service.
Service Name: This is the name of the service.
Table 44 Firewall Edit Custom Service
Type/Code: This field is available only when you select ICMP in the IP Protocol field. The ICMP messages are identified by their types and in some cases codes. Enter the type number in the Type field and select the Code radio button and enter the code number if any.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.
8.
8.14 My Service Firewall Rule Example
The following Internet firewall rule example allows a hypothetical My Service connection from the Internet.
1 In the Service screen, click Add to open the Edit Custom Service screen.
Figure 64 My Service Firewall Rule Example: Service
2 Configure it as follows and click Apply.
Figure 65 My Service Firewall Rule Example: Edit Custom Service
3 Click Rule Summary. Select WAN to LAN from the Packet Direction drop-down list box.
Figure 66 My Service Firewall Rule Example: Rule Summary
6 Enter the name of the firewall rule.
7 Select Any in the Destination Address(es) box and then click Delete.
8 Configure the destination address fields as follows and click Add.
Figure 67 My Service Firewall Rule Example: Rule Edit
9 In the Edit Rule screen, use the arrows between Available Services and Selected Service(s) to configure it as follows. Click Apply when you are done.
Note: Custom services show up with an * before their names in the Services list box and the Rule Summary list box.
Rule 1 allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.
ZyWALL 2 Plus User’s Guide CHAPTER 9 Content Filtering Screens This chapter provides an overview of content filtering. 9.1 Content Filtering Overview Content filtering allows you to block web features such as ActiveX controls, Java applets and cookies and disable web proxies. The ZyWALL can block or allow access to web sites that you specify. It can also block access to web sites containing keywords that you specify.
ZyWALL 2 Plus User’s Guide Figure 70 Content Filter: General The following table describes the labels in this screen. Table 45 Content Filter: General LABEL DESCRIPTION General Setup 156 Enable Content Filter Select this check box to enable the content filter. Restrict Web Features Select the check box(es) to restrict a feature. When you download a page containing a restricted feature, that part of the web page will appear blank or grayed out.
Table 45 Content Filter: General (continued)
LABEL | DESCRIPTION
Web Proxy | A server that acts as an intermediary between a user and the Internet to provide security, administrative control, and caching service. When a proxy server is located on the WAN, it is possible for LAN users to circumvent content filtering by pointing to this proxy server.
Schedule to Block | Content filtering scheduling applies to the Filter List, Customized sites and Keywords.
Figure 71 Content Filtering Lookup Procedure
1 A computer behind the ZyWALL tries to access a web site.
2 The ZyWALL looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site’s category will be in the ZyWALL’s cache. The ZyWALL blocks, blocks and logs, or just logs the request based on your configuration.
Figure 72 Content Filter: Categories
The following table describes the labels in this screen.
Table 46 Content Filter: Categories
LABEL | DESCRIPTION
Auto Category Setup
Enable External Database Content Filtering | Enable external database content filtering to have the ZyWALL check an external database to find which category a requested web page belongs to. The ZyWALL then blocks or forwards access to the web page depending on the configuration of the rest of this page.
Table 46 Content Filter: Categories (continued)
LABEL | DESCRIPTION
Unrated Web Pages | Select Block to prevent users from accessing web pages that the external database content filtering has not categorized. When the external database content filtering blocks access to a web page, it displays the denied access message that you configured in the CONTENT FILTER General screen along with the category of the blocked web page.
Table 46 Content Filter: Categories (continued)
LABEL | DESCRIPTION
Alcohol/Tobacco | Selecting this category excludes pages that promote or offer the sale of alcohol/tobacco products, or provide the means to create them. It also includes pages that glorify, tout, or otherwise encourage the consumption of alcohol/tobacco. It does not include pages that sell alcohol or tobacco as a subset of other products.
Table 46 Content Filter: Categories (continued)
LABEL | DESCRIPTION
Education | Selecting this category excludes pages that offer educational information, distance learning and trade school information or programs. It also includes pages that are sponsored by schools, educational facilities, faculty, or alumni groups.
Table 46 Content Filter: Categories (continued)
LABEL | DESCRIPTION
News/Media | Selecting this category excludes pages that primarily report information or comments on current events or contemporary issues of the day. It also includes radio stations and magazines. It does not include pages that can be rated in other categories.
Personals/Dating | Selecting this category excludes pages that promote interpersonal relationships.
Table 46 Content Filter: Categories (continued)
LABEL | DESCRIPTION
Humor/Jokes | Selecting this category excludes pages that primarily focus on comedy, jokes, fun, etc. This may include pages containing jokes of an adult or mature nature. Pages containing humorous Adult/Mature content also have an Adult/Mature category rating.
9.5 Content Filter Customization
Click SECURITY > CONTENT FILTER > Customization to display the CONTENT FILTER Customization screen. You can create a list of good (allowed) web site addresses and a list of bad (blocked) web site addresses. You can also block web sites based on whether the web site’s address contains a keyword. Use this screen to add or remove specific sites or keywords from the filter list.
The following table describes the labels in this screen.
Table 47 Content Filter: Customization
LABEL | DESCRIPTION
Web Site List Customization
Enable Web site customization | Select this check box to allow trusted web sites and block forbidden web sites. Content filter list customization may be enabled and disabled without re-entering these site names.
Table 47 Content Filter: Customization (continued)
LABEL | DESCRIPTION
Add | Click this button when you have finished adding the keyword in the field above.
Delete | Select a keyword from the Keyword List, and then click this button to delete it from that list.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.
9.
Use the ip urlfilter customize actionFlags 8 [disable | enable] command to extend (or not extend) the keyword blocking search to include the URL's complete filename.
9.7 Content Filtering Cache
Click SECURITY > CONTENT FILTER > Cache to display the CONTENT FILTER Cache screen. Use this screen to view and configure your ZyWALL’s URL caching.
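The customization checks of Section 9.5 and the complete-filename switch above, as an added Python example (not ZyXEL's code). The precedence of the trusted list over the forbidden list and the subdomain matching rule are assumptions; the URLs are constructed.

```python
"""Added example, not from the ZyWALL guide: trusted/forbidden site lists plus
keyword blocking, with and without the complete-filename search that the
ip urlfilter customize actionFlags 8 command enables."""
from urllib.parse import urlsplit


def host_matches(host, site):
    """A listed site covers itself and its subdomains (assumed matching rule)."""
    site = site.lower().lstrip("*.")
    return host == site or host.endswith("." + site)


def customization_decision(url, trusted=(), forbidden=(), keywords=(),
                           search_complete_filename=False):
    """Return 'forward' or 'block' for one requested URL."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if any(host_matches(host, s) for s in trusted):
        return "forward"            # trusted sites are allowed (assumed to win)
    if any(host_matches(host, s) for s in forbidden):
        return "block"
    # Keyword blocking searches the web site's address. With actionFlags 8
    # enabled the search also covers the URL's complete filename (path and query).
    haystack = host
    if search_complete_filename:
        haystack += parts.path.lower()
        if parts.query:
            haystack += "?" + parts.query.lower()
    if any(k.lower() in haystack for k in keywords):
        return "block"
    return "forward"
```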
The following table describes the labels in this screen.
Table 48 Content Filter: Cache
LABEL | DESCRIPTION
URL Cache Setup
Maximum TTL | Type the maximum time to live (TTL) (1 to 720 hours). This sets how long the ZyWALL is to allow an entry to remain in the URL cache before discarding it.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.
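The lookup procedure of Figure 71 (cache first, then the external category database) together with the Maximum TTL of Table 48, as an added Python example that is not ZyXEL's code. The category database is a constructed dictionary, caching of unrated results is an assumption, and the clock is injectable so that expiry can be exercised.

```python
"""Added example, not from the ZyWALL guide: category lookup with a URL cache
whose entries expire after the configured Maximum TTL (1 to 720 hours)."""
import time

TTL_HOURS_MIN, TTL_HOURS_MAX = 1, 720          # range the Cache screen accepts


class ContentFilter:
    def __init__(self, blocked, logged, block_unrated, max_ttl_hours,
                 external_lookup, clock=time.time):
        if not TTL_HOURS_MIN <= max_ttl_hours <= TTL_HOURS_MAX:
            raise ValueError("Maximum TTL must be 1 to 720 hours")
        self.blocked = set(blocked)              # categories set to Block
        self.logged = set(logged)                # categories set to Log
        self.block_unrated = block_unrated       # Unrated Web Pages: Block?
        self.ttl = max_ttl_hours * 3600
        self.external_lookup = external_lookup   # returns category or None
        self.clock = clock
        self.cache = {}                          # host -> (category, stored_at)
        self.external_queries = 0

    def category(self, host):
        """Step 2 of Figure 71: reuse the cached category while the entry is
        younger than the maximum TTL, otherwise query the external database.
        Unrated (None) answers are cached too (assumption)."""
        now = self.clock()
        entry = self.cache.get(host)
        if entry is not None and now - entry[1] < self.ttl:
            return entry[0]
        cat = self.external_lookup(host)
        self.external_queries += 1
        self.cache[host] = (cat, now)
        return cat

    def decide(self, host):
        """Return 'forward', 'log', 'block' or 'block and log'."""
        cat = self.category(host)
        if cat is None:
            return "block" if self.block_unrated else "forward"
        block, log = cat in self.blocked, cat in self.logged
        if block and log:
            return "block and log"
        if block:
            return "block"
        return "log" if log else "forward"

    def purge_expired(self):
        """Discard entries older than the TTL; returns how many were removed."""
        now = self.clock()
        stale = [h for h, (_, t) in self.cache.items() if now - t >= self.ttl]
        for h in stale:
            del self.cache[h]
        return len(stale)


class FakeClock:
    """Injectable clock so the test can move time forward."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance_hours(self, hours):
        self.t += hours * 3600


# Constructed stand-in for the external category database.
RATINGS = {"news.example.com": "News/Media",
           "jokes.example.net": "Humor/Jokes",
           "dating.example.org": "Personals/Dating"}


def build_demo():
    """Policy: block+log Personals/Dating, log Humor/Jokes, block unrated, 24 h TTL."""
    clock = FakeClock()
    cf = ContentFilter(blocked={"Personals/Dating"},
                       logged={"Humor/Jokes", "Personals/Dating"},
                       block_unrated=True, max_ttl_hours=24,
                       external_lookup=RATINGS.get, clock=clock)
    return cf, clock
```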
CHAPTER 10 Content Filtering Reports
This chapter describes how to view content filtering reports after you have activated the category-based content filtering subscription service. See Chapter 4 on page 89 on how to create a myZyXEL.com account, register your device and activate the subscription services using the REGISTRATION screens.
10.
Figure 75 myZyXEL.com: Login
3 A welcome screen displays. Click your ZyWALL’s model name and/or MAC address under Registered ZyXEL Products. You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 77 on page 173).
Figure 76 myZyXEL.com: Welcome
4 In the Service Management screen, click Content Filter in the Service Name field to open the Blue Coat login screen.
Figure 77 myZyXEL.com: Service Management
5 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 77 on page 173). Type your myZyXEL.com account password in the Password field.
6 Click Submit.
Figure 78 Blue Coat: Login
7 In the Web Filter Home screen, click Reports.
Figure 79 Content Filtering Reports Main Screen
8 Select items under Global Reports or Single User Reports to view the corresponding reports.
Figure 80 Blue Coat: Report Home
9 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen.
Figure 81 Global Report Screen Example
11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.
Figure 82 Requested URLs Example
10.3 Web Site Submission
You may find that a web site has not been accurately categorized or that a web site’s contents have changed and the content filtering category needs to be updated. Use the following procedure to submit the web site for review.
1 Log into the content filtering reports web site (see Section 10.2 on page 171).
Figure 83 Web Page Review Process Screen
3 Type the web site’s URL in the field and click Submit to have the web site reviewed.
CHAPTER 11 IPSec VPN
This chapter explains how to set up and maintain IPSec VPNs in the ZyWALL.
11.1 IPSec VPN Overview
A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing, used to transport traffic over the Internet or any insecure network that uses TCP/IP for communication.
Figure 85 VPN: IKE SA and IPSec SA
In some situations, you might want to set up a VPN tunnel quickly and temporarily. In this case, you can create an IPSec SA using manual keys. In this kind of VPN tunnel, there is no IKE SA, and you specify the encryption and authentication keys manually. The rest of this section discusses IKE SAs, IPSec SAs, and IPSec SAs using manual keys in more detail. Then, it elaborates on more specific topics, such as encryption and authentication.
Main mode is illustrated by the example below, where the ZyWALL (X) is initiating an IKE SA.
Figure 86 IKE SA: Main Negotiation Mode
One or more proposals, each consisting of:
- encryption algorithm (see Section 11.1.4.1 on page 187)
- authentication algorithm (see Section 11.1.4.1 on page 187)
- Diffie-Hellman key group (see Section 11.1.1.2 on page 183)
1 One accepted proposal
2 Diffie-Hellman key exchange (see Section 11.1.1.
Main mode provides better security because your identity is encrypted in steps 5 and 6. The trade-off is the number of steps it takes to establish the IKE SA. In contrast, aggressive mode is faster but does not provide as much security. This mode is illustrated below.
Figure 87 IKE SA: Aggressive Negotiation Mode
One or more proposals, each consisting of:
- encryption algorithm (see Section 11.1.4.1 on page 187)
- authentication algorithm (see Section 11.1.4.
• authentication method (and extended authentication) - these characteristics control how the ZyWALL and remote IPSec router authenticate each other.
• additional properties - these characteristics include the IKE SA life time, NAT traversal, and so on. See Section 11.1.2.3 on page 186 for SA life time, Section 11.1.4.3 on page 190 for NAT traversal and each screen for the other properties.
The first three sets of characteristics are discussed below.
11.1.1.
The ZyWALL and the remote IPSec router authenticate each other using an ID type and content. The ID type can be domain name, IP address, or e-mail address, and the content is a (properly-formatted) domain name, IP address, or e-mail address. The content is only used for identification. Any such domain name or e-mail address does not have to exist, and any such domain name or IP address does not have to correspond to the ZyWALL’s or remote IPSec router’s properties.
Extended authentication is helpful when multiple IPSec routers use one VPN rule to connect to a single IPSec router. In extended authentication, one of the routers (the ZyWALL or the remote IPSec router) verifies a user name and password from the other router using the local user database or an external RADIUS server. As a result, an attacker cannot establish an IPSec SA without a valid user name and password. The ZyWALL can support either role in extended authentication.
11.1.2.2 Local and Remote Network
If IPSec SAs have overlapping local networks and overlapping remote networks, only one of these IPSec SAs can be set to active at a time. If a packet has to be routed through an overlapping (inactive) connection, it is dropped.
Note: The ZyWALL does not allow you to save multiple active IPSec SAs with overlapping local and remote IP addresses.
11.1.2.
uniquely identify a particular security association. When an IPSec SA using manual keys is established, the SPI is transmitted from the remote IPSec router to the ZyWALL. The ZyWALL then uses the network, encryption and key values that the administrator associated with the SPI to establish the IPSec SA.
Note: The current ZyXEL implementation assumes identical outgoing and incoming SPIs.
There is a relationship between the active protocol and the types of encryption and authentication algorithms that are available. This relationship is illustrated in Table 51 on page 188, where more information is also provided about each type of encryption and authentication algorithm.
Table 51 VPN: Types of Encryption and Authentication in ESP and AH
ESP | AH
Encryption
DES | Data Encryption Standard (DES) is a widely used method of data encryption using a secret key.
11.1.4.2 Encapsulation
IPSec VPNs use either transport mode or tunnel mode to encapsulate packets. These modes are illustrated below.
Table 52 VPN: Transport and Tunnel Mode Encapsulation
Original Packet | IP Header | TCP Header | Data
Transport Mode Packet | IP Header | IPSec Header | TCP Header | Data
Tunnel Mode Packet | IP Header | IPSec Header | IP Header | TCP Header | Data
Tunnel mode is the most common mode of operation.
11.1.4.3 VPN, NAT, and NAT Traversal
NAT is incompatible with the AH protocol in both transport and tunnel mode. An IPSec SA using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet, but a NAT device between the IPSec endpoints rewrites the source or destination address.
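The encapsulation layouts of Table 52 and the AH/NAT conflict described above, as an added Python example that is not ZyXEL's code. The AH and ESP headers are simplified (no encryption, HMAC-SHA1-96 integrity values, checksums left zero); the key, addresses and TCP segment are constructed. It shows that a NAT device rewriting the outer source address invalidates an AH packet but leaves an ESP tunnel-mode packet's integrity check intact (NAT traversal is still needed for a NAPT device to map the flow).

```python
"""Added example, not from the ZyWALL guide: why AH breaks behind NAT while ESP
does not. Packet layouts follow Table 52; headers are simplified models."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

KEY = b"constructed-example-key"      # in practice derived by IKE
AH_PROTO, ESP_PROTO, TCP_PROTO = 51, 50, 6
ICV_LEN = 12                          # HMAC-SHA1-96 keeps the first 96 bits


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; the checksum is left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def zero_mutable_fields(ip_hdr):
    """AH (RFC 4302) hashes the IP header with mutable fields (TOS, flags and
    fragment offset, TTL, checksum) zeroed. Source and destination addresses
    are immutable and therefore covered by the integrity check."""
    return (ip_hdr[0:1] + b"\x00" + ip_hdr[2:6] + b"\x00\x00" + b"\x00"
            + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:20])


def mac(data):
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_transport(src, dst, tcp_segment):
    """Transport mode: IP Header | AH | TCP Header | Data.
    The ICV covers the immutable IP header fields, the AH header (ICV field
    zeroed) and the whole payload."""
    # AH header: next header, payload length (32-bit words minus 2), reserved,
    # SPI, sequence number; 24 bytes in total, so the length field is 4.
    ah_no_icv = struct.pack("!BBHII", TCP_PROTO, 4, 0, 0x1234, 1)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, len(ah_no_icv) + ICV_LEN + len(tcp_segment))
    icv = mac(zero_mutable_fields(ip_hdr) + ah_no_icv + b"\x00" * ICV_LEN + tcp_segment)
    return ip_hdr + ah_no_icv + icv + tcp_segment


def ah_verify(packet):
    ip_hdr, rest = packet[:20], packet[20:]
    ah_no_icv, icv, payload = rest[:12], rest[12:24], rest[24:]
    expected = mac(zero_mutable_fields(ip_hdr) + ah_no_icv + b"\x00" * ICV_LEN + payload)
    return hmac.compare_digest(expected, icv)


def esp_tunnel(outer_src, outer_dst, inner_packet):
    """Tunnel mode: IP Header | ESP | IP Header | TCP Header | Data.
    The ESP ICV covers the ESP header and the (here unencrypted) inner packet,
    but never the outer IP header, which is what NAT rewrites."""
    esp_hdr = struct.pack("!II", 0x5678, 1)        # SPI, sequence number
    icv = mac(esp_hdr + inner_packet)
    payload = esp_hdr + inner_packet + icv
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(payload)) + payload


def esp_verify(packet):
    body = packet[20:]
    esp_hdr, inner, icv = body[:8], body[8:-ICV_LEN], body[-ICV_LEN:]
    return hmac.compare_digest(mac(esp_hdr + inner), icv)


def nat_rewrite_source(packet, new_src):
    """What a NAT device between the IPSec endpoints does to the outer header."""
    return packet[:12] + IPv4Address(new_src).packed + packet[16:]


def demo():
    """Constructed TCP segment (port 1234 -> 80) behind constructed addresses."""
    tcp = b"\x04\xd2\x00\x50" + b"\x00" * 16 + b"hello"
    ah = ah_transport("192.168.1.7", "203.0.113.10", tcp)
    inner = ipv4_header("192.168.1.7", "10.0.0.5", TCP_PROTO, len(tcp)) + tcp
    esp = esp_tunnel("192.168.1.7", "203.0.113.10", inner)
    return {
        "ah_before_nat": ah_verify(ah),
        "ah_after_nat": ah_verify(nat_rewrite_source(ah, "198.51.100.1")),
        "esp_before_nat": esp_verify(esp),
        "esp_after_nat": esp_verify(nat_rewrite_source(esp, "198.51.100.1")),
    }
```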
11.1.4.4 SA Life Time
One characteristic of SAs is the SA life time. The SA lifetime specifies how long the SA lasts until it times out. When an SA times out, the ZyWALL automatically renegotiates the SA in the following situations:
• there is traffic when the SA life time expires
• the IPSec SA is configured on the ZyWALL as nailed up (see below)
Otherwise, the ZyWALL must re-negotiate the SA the next time someone wants to send traffic.
Figure 89 IPSec High Availability
11.2 VPN Rules (IKE)
A VPN (Virtual Private Network) tunnel gives you a secure connection to another computer or network. A gateway policy identifies the IPSec routers at either end of a VPN tunnel. This is used in setting up the IKE (phase 1) security association (SA). A network policy specifies which devices (behind the IPSec routers) can use the VPN tunnel. This is used in setting up the IPSec (phase 2) SA.
Figure 91 IPSec Fields Summary
Click VPN to display the VPN Rules (IKE) screen. Use this screen to manage the ZyWALL’s list of VPN rules (tunnels) that use IKE SAs.
Figure 92 VPN Rules (IKE)
The following table describes the labels in this screen.
Table 54 VPN Rules (IKE)
LABEL | DESCRIPTION
VPN Rules | These VPN rules define the settings for creating VPN tunnels for secure connection to other computers or networks. Click this icon to add a VPN gateway policy (or IPSec rule).
Table 54 VPN Rules (IKE) (continued)
LABEL | DESCRIPTION
My ZyWALL | This represents your ZyWALL. The WAN IP address, domain name or dynamic domain name of your ZyWALL displays in router mode. The ZyWALL’s IP address displays in bridge mode.
Remote Gateway | This represents the remote secure gateway. The IP address, domain name or dynamic domain name of the remote IPSec router displays if you specify it, otherwise Dynamic displays. Click this icon to add a VPN network policy.
Figure 93 VPN Rules (IKE): Gateway Policy: Edit
The following table describes the labels in this screen.
Table 55 VPN Rules (IKE): Gateway Policy: Edit
LABEL | DESCRIPTION
Property
Name | Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
NAT Traversal | Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers.
Table 55 VPN Rules (IKE): Gateway Policy: Edit (continued)
LABEL | DESCRIPTION
Fail back to Primary Remote Gateway when possible | Select this to have the ZyWALL fall back to using the primary remote gateway if the connection becomes available again.
Fail Back Check Interval | Set how often the ZyWALL should check the connection to the primary remote gateway while connected to the redundant remote gateway.
Each gateway policy uses one or more network policies.
Table 55 VPN Rules (IKE): Gateway Policy: Edit (continued)
LABEL | DESCRIPTION
Peer ID Type | Select from the following when you set Authentication Key to Pre-shared Key.
• Select IP to identify the remote IPSec router by its IP address.
• Select DNS to identify the remote IPSec router by a domain name.
• Select E-mail to identify the remote IPSec router by an e-mail address.
Select from the following when you set Authentication Key to Certificate.
Table 55 VPN Rules (IKE): Gateway Policy: Edit (continued)
LABEL | DESCRIPTION
Server Mode | Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection. You must also configure the extended authentication clients’ user names and passwords in the authentication server’s local user database or a RADIUS server (see Chapter 13 on page 243).
Table 55 VPN Rules (IKE): Gateway Policy: Edit (continued)
LABEL | DESCRIPTION
Enable Multiple Proposals | Select this check box to allow the ZyWALL to use any of its phase 1 or phase 2 encryption and authentication algorithms when negotiating an IPSec SA.
Figure 94 VPN Rules (IKE): Network Policy Edit
The following table describes the labels in this screen.
Table 56 VPN Rules (IKE): Network Policy Edit
LABEL | DESCRIPTION
Active | If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel. Clear the Active check box to turn the network policy off. The ZyWALL does not apply the policy. Packets for the tunnel do not trigger the tunnel.
Table 56 VPN Rules (IKE): Network Policy Edit (continued)
LABEL | DESCRIPTION
Starting IP Address | When the Address Type field is configured to Single Address, enter a (static) IP address on the LAN behind your ZyWALL. When the Address Type field is configured to Range Address, enter the beginning (static) IP address in a range of computers on the LAN behind your ZyWALL.
Table 56 VPN Rules (IKE): Network Policy Edit (continued)
LABEL | DESCRIPTION
Authentication Algorithm | MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
SA Life Time (Seconds) | Define the length of time before an IPSec SA automatically renegotiates in this field.
Figure 95 VPN Rules (IKE): Network Policy Move
The following table describes the labels in this screen.
Table 57 VPN Rules (IKE): Network Policy Move
LABEL | DESCRIPTION
Network Policy Information | The following fields display the general network settings of this VPN policy.
Name | This field displays the policy name.
Local Network | This field displays one or a range of IP address(es) of the computer(s) behind the ZyWALL.
Use this screen to manage the ZyWALL’s list of VPN rules (tunnels) that use manual keys. You may want to configure a VPN rule that uses manual key management if you are having problems with IKE key management.
Figure 96 VPN Rules (Manual)
The following table describes the labels in this screen.
Table 58 VPN Rules (Manual)
LABEL | DESCRIPTION
# | This is the VPN policy index number.
Name | This field displays the identification name for this VPN policy.
Table 58 VPN Rules (Manual) (continued)
LABEL | DESCRIPTION
IPSec Algorithm | This field displays the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
Remote Gateway Address | This is the static WAN IP address or domain name of the remote IPSec router.
Modify | Click the edit icon to edit the VPN policy. Click the delete icon to remove the VPN policy.
Figure 97 VPN Rules (Manual): Edit
The following table describes the labels in this screen.
Table 59 VPN Rules (Manual) Edit
LABEL | DESCRIPTION
Property
Active | Select this check box to activate this VPN policy.
Name | Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
Allow NetBIOS Traffic Through IPSec Tunnel | This field is not available when the ZyWALL is in bridge mode.
Table 59 VPN Rules (Manual) Edit (continued)
LABEL | DESCRIPTION
Local Network | Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
Table 59 VPN Rules (Manual) Edit (continued)
LABEL | DESCRIPTION
Remote Gateway Addr | Type the WAN IP address or the domain name (up to 31 characters) of the IPSec router with which you're making the VPN connection.
Manual Proposal
SPI | Type a unique SPI (Security Parameter Index) from one to four characters long. Valid characters are "0, 1, 2, 3, 4, 5, 6, 7, 8, and 9".
Encapsulation Mode | Select Tunnel mode or Transport mode from the drop-down list box.
Figure 98 VPN: SA Monitor
The following table describes the labels in this screen.
Table 60 VPN: SA Monitor
LABEL | DESCRIPTION
# | This is the security association index number.
Name | This field displays the identification name for this VPN policy.
Local Network | This field displays the IP address of the computer using the VPN IPSec feature of your ZyWALL.
Figure 99 VPN: Global Setting
The following table describes the labels in this screen.
Table 61 VPN: Global Setting
LABEL | DESCRIPTION
Output Idle Timer | When traffic is sent to a remote IPSec router from which no reply is received after the specified time period, the ZyWALL checks the VPN connectivity. If the remote IPSec router does not reply, the ZyWALL automatically disconnects the VPN tunnel.
Table 61 VPN: Global Setting (continued)
LABEL | DESCRIPTION
VPN rules skip applying to the overlap range of local and remote IP addresses | When you configure a VPN rule, the ZyWALL checks to make sure that the IP addresses in the local and remote networks do not overlap. Select this check box to disable the check if you need to configure a VPN policy with overlapping local and remote IP addresses.
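The two overlap checks the guide describes, the per-rule local/remote check above and the active-SA rule of Section 11.1.2.2 (restated for manual rules in Table 59), as an added Python example that is not ZyXEL's code. The address spellings (single, range, subnet) follow the Network Policy screen; policy names and addresses are constructed.

```python
"""Added example, not from the ZyWALL guide: a model of the VPN overlap checks.
1. A rule's own local and remote networks may not overlap unless the Global
   Setting 'VPN rules skip applying to the overlap range' is selected.
2. Two active IPSec SAs may not have both overlapping local networks and
   overlapping remote networks (Section 11.1.2.2)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, summarize_address_range


def address_set(spec):
    """'Single Address' ('10.0.0.5'), 'Range Address' ('10.0.0.5-10.0.0.9') or
    'Subnet Address' ('10.0.0.0/24'), normalised to a list of networks."""
    if "-" in spec:
        start, end = (ip_address(p.strip()) for p in spec.split("-", 1))
        return list(summarize_address_range(start, end))
    return [ip_network(spec, strict=False)]


def overlaps(a, b):
    return any(x.overlaps(y) for x in a for y in b)


@dataclass
class NetworkPolicy:
    name: str
    local: str      # network behind this ZyWALL
    remote: str     # network behind the remote IPSec router
    active: bool = True


def check_policy(new, existing, skip_overlap_check=False):
    """Return (ok, reason) for saving `new` alongside the `existing` policies."""
    local, remote = address_set(new.local), address_set(new.remote)
    if not skip_overlap_check and overlaps(local, remote):
        return False, "local and remote networks overlap"
    if new.active:
        for other in existing:
            if not other.active or other.name == new.name:
                continue        # inactive policies never conflict
            if (overlaps(local, address_set(other.local))
                    and overlaps(remote, address_set(other.remote))):
                return False, "both networks overlap active policy %s" % other.name
    return True, "ok"
```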
Table 62 Telecommuters Sharing One VPN Rule Example
FIELDS | TELECOMMUTERS | HEADQUARTERS
My ZyWALL: | 0.0.0.0 (dynamic IP address assigned by the ISP) | Public static IP address
Remote Gateway Address: | Public static IP address | 0.0.0.0 (With this IP address only the telecommuter can initiate the IPSec tunnel.)
Local Network - Single IP Address: | Telecommuter A: 192.168.2.12; Telecommuter B: 192.168.3.2; Telecommuter C: 192.168.4.15 | 192.168.1.
Table 63 Telecommuters Using Unique VPN Rules Example
TELECOMMUTERS | HEADQUARTERS
All Telecommuter Rules: | All Headquarters Rules:
My ZyWALL: 0.0.0.0 | My ZyWALL: bigcompanyhq.com
Remote Gateway Address: bigcompanyhq.com |
Local Network - Single IP Address: 192.168.1.10 | Remote Network - Single IP Address: 192.168.1.10
Local ID Type: E-mail | Peer ID Type: E-mail
Local ID Content: bob@bigcompanyhq.com | Peer ID Content: bob@bigcompanyhq.com
Telecommuter A (telecommutera.dydns.
In the following example, the VPN rule’s local network (A) includes the ZyWALL’s LAN IP address of 192.168.1.7. Someone in the remote network (B) can use a service (like HTTP, for example) through the VPN tunnel to access the ZyWALL’s LAN interface. Remote management must also be configured to allow HTTP access on the ZyWALL’s LAN interface.
CHAPTER 12 Certificates
This chapter gives background information about public-key certificates and explains how to use them.
12.1 Certificates Overview
The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.
Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyWALL can check a peer’s certificate against a directory server’s list of revoked certificates. The framework of servers, software, procedures and policies that handles keys is called PKI (public-key infrastructure).
12.1.
12.4 My Certificates
Click SECURITY > CERTIFICATES > My Certificates to open the My Certificates screen. This is the ZyWALL’s summary list of certificates and certification requests. Certificates display in black and certification requests display in gray.
Figure 104 My Certificates
The following table describes the labels in this screen.
Table 64 My Certificates (continued)
LABEL | DESCRIPTION
Type | This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request. SELF represents a self-signed certificate.
12.5 My Certificate Import
Click SECURITY > CERTIFICATES > My Certificates > Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the ZyWALL.
Note: You can only import a certificate that matches a corresponding certification request that was generated by the ZyWALL. The certificate you import replaces the corresponding request in the My Certificates screen.
The following table describes the labels in this screen.
Table 65 My Certificate Import
LABEL | DESCRIPTION
File Path | Type in the location of the file you want to upload in this field or click Browse to find it.
Browse | Click Browse to find the certificate file you want to upload.
Apply | Click Apply to save the certificate on the ZyWALL.
Cancel | Click Cancel to quit and return to the My Certificates screen.
12.
The following table describes the labels in this screen.
Table 66 My Certificate Create
LABEL | DESCRIPTION
Certificate Name | Type up to 31 ASCII characters (not including spaces) to identify this certificate.
Subject Information | Use these fields to record information that identifies the owner of the certificate. You do not have to fill in every field, although the Common Name is mandatory.
Table 66 My Certificate Create (continued)
LABEL | DESCRIPTION
Enrollment Protocol | Select the certification authority’s enrollment protocol from the drop-down list box. Simple Certificate Enrollment Protocol (SCEP) is a TCP-based enrollment protocol that was developed by VeriSign and Cisco. Certificate Management Protocol (CMP) is a TCP-based enrollment protocol that was developed by the Public Key Infrastructure X.
Figure 107 My Certificate Details
The following table describes the labels in this screen.
Table 67 My Certificate Details
LABEL | DESCRIPTION
Name | This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You may use any character (not including spaces).
Property | Default self-signed certificate which signs the imported remote host certificates.
Table 67 My Certificate Details (continued)
LABEL | DESCRIPTION
Subject Alternative Name | This field displays the certificate owner’s IP address (IP), domain name (DNS) or e-mail address (EMAIL).
Key Usage | This field displays for what functions the certificate’s key can be used. For example, “DigitalSignature” means that the key can be used to sign certificates and “KeyEncipherment” means that the key can be used to encrypt text.
Figure 108 Trusted CAs
The following table describes the labels in this screen.
Table 68 Trusted CAs
LABEL | DESCRIPTION
PKI Storage Space in Use | This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. The bar turns from green to red when the maximum is being approached. When the bar is red, you should consider deleting expired or unnecessary certificates before adding more certificates.
Table 68 Trusted CAs (continued)
LABEL | DESCRIPTION
Modify | Click the details icon to open a screen with an in-depth list of information about the certificate. Click the delete icon to remove the certificate. A window displays asking you to confirm that you want to delete the certificate. Note that subsequent certificates move up by one when you take this action.
12.10 Trusted CA Details
Click SECURITY > CERTIFICATES > Trusted CAs to open the Trusted CAs screen. Click the details icon to open the Trusted CA Details screen. Use this screen to view in-depth information about the certification authority’s certificate, change the certificate’s name and set whether or not you want the ZyWALL to check a certification authority’s list of revoked certificates before trusting a certificate issued by the certification authority.
The following table describes the labels in this screen.
Table 70 Trusted CA Details
LABEL | DESCRIPTION
Name | This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces).
Table 70 Trusted CA Details (continued)
LABEL | DESCRIPTION
Subject Alternative Name | This field displays the certificate owner’s IP address (IP), domain name (DNS) or e-mail address (EMAIL).
Key Usage | This field displays for what functions the certificate’s key can be used. For example, “DigitalSignature” means that the key can be used to sign certificates and “KeyEncipherment” means that the key can be used to encrypt text.
Figure 111 Trusted Remote Hosts
The following table describes the labels in this screen.
Table 71 Trusted Remote Hosts
LABEL | DESCRIPTION
PKI Storage Space in Use | This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. The bar turns from green to red when the maximum is being approached. When the bar is red, you should consider deleting expired or unnecessary certificates before adding more certificates.
Table 71 Trusted Remote Hosts (continued)
LABEL | DESCRIPTION
Import | Click Import to open a screen where you can save the certificate of a remote host (which you trust) from your computer to the ZyWALL.
Refresh | Click this button to display the current validity status of the certificates.
12.12 Verifying a Trusted Remote Host’s Certificate
Certificates issued by certification authorities have the certification authority’s signature for you to check.
Figure 113 Certificate Details Verify (over the phone for example) that the remote host has the same information in the Thumbprint Algorithm and Thumbprint fields. 12.13 Trusted Remote Hosts Import Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen. Follow the instructions in this screen to save a trusted host’s certificate to the ZyWALL.
Figure 114 Trusted Remote Host Import The following table describes the labels in this screen. Table 72 Trusted Remote Host Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it. Browse Click Browse to find the certificate file you want to upload. Apply Click Apply to save the certificate on the ZyWALL. Cancel Click Cancel to quit and return to the Trusted Remote Hosts screen. 12.
Figure 115 Trusted Remote Host Details The following table describes the labels in this screen. Table 73 Trusted Remote Host Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces).
Table 73 Trusted Remote Host Details (continued) LABEL DESCRIPTION Certificate Information These read-only fields display detailed information about the certificate. Type This field displays general information about the certificate. With trusted remote host certificates, this field always displays CA-signed. The ZyWALL is the Certification Authority that signed the certificate. X.509 means that this certificate was created and signed according to the ITU-T X.
Table 73 Trusted Remote Host Details (continued) LABEL DESCRIPTION Certificate in PEM (Base-64) Encoded Format This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form.
The following table describes the labels in this screen. Table 74 Directory Servers LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. The bar turns from green to red when the maximum is being approached. When the bar is red, you should consider deleting expired or unnecessary certificates before adding more certificates. # The index number of the directory server.
The following table describes the labels in this screen. Table 75 Directory Server Add LABEL DESCRIPTION Directory Service Setting Name Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server. Access Protocol Use the drop-down list box to select the access protocol used by the directory server.
CHAPTER 13 Authentication Server This chapter discusses how to configure the ZyWALL’s authentication server feature. 13.1 Authentication Server Overview A ZyWALL set to be a VPN extended authentication server can use either the local user database internal to the ZyWALL or a RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) server for an unlimited number of users. The ZyWALL uses the local user database for VPN extended authentication. 13.
13.3.1 Types of RADIUS Messages The following types of RADIUS messages are exchanged between the ZyWALL and the RADIUS server for user authentication:
• Access-Request Sent by an access point requesting authentication.
• Access-Reject Sent by a RADIUS server rejecting access.
• Access-Accept Sent by a RADIUS server allowing access.
• Access-Challenge Sent by a RADIUS server requesting more information in order to allow access.
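To make the exchange above concrete, here is an added Python example (not ZyXEL's code) of the Access-Request and Access-Accept/Access-Reject round trip: the client hides the PAP password under the shared secret as RFC 2138 specifies, and it verifies the server's Response Authenticator so that a reply forged without the secret, or altered in transit, is discarded. The shared secret, user name and password are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2138) for the four message types listed above.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed values for the offline demonstration (not from the guide).
SHARED_SECRET = b"example-shared-secret"
LOCAL_USERS = {b"jane": b"s3cret"}   # stand-in for the local user database


def _attr(atype, value):
    # Attribute = Type (1 byte), Length (1 byte, includes this header), Value.
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(data):
    """Split the attribute area of a packet into {type: value}."""
    attrs = {}
    while len(data) >= 2:
        atype, alen = data[0], data[1]
        if alen < 2 or alen > len(data):
            break                      # malformed attribute: stop parsing
        attrs[atype] = data[2:alen]
        data = data[alen:]
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2138 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password, run by the server."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(h ^ d for h, d in zip(block, digest)), block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, authenticator=None):
    """Client side (the ZyWALL): returns (Access-Request packet, Request Authenticator).
    The authenticator must be fresh and unpredictable for every request."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username) + _attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def handle_access_request(packet, secret, users):
    """Server side: recover the PAP password, check it against `users`
    and answer with Access-Accept or Access-Reject (None if malformed)."""
    if len(packet) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:])
    username = attrs.get(ATTR_USER_NAME, b"")
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    accepted = username in users and hmac.compare_digest(users[username], password)
    return build_response(ACCESS_ACCEPT if accepted else ACCESS_REJECT,
                          identifier, request_auth, secret)


def verify_response(packet, request_authenticator, secret):
    """Client side: recompute the Response Authenticator. A mismatch means the
    reply was not built by a server holding the shared secret, or was altered
    in transit, and must be discarded."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])
```

Because the password is only XOR-masked with an MD5 stream keyed by the shared secret, the secret's strength and the freshness of the Request Authenticator are what protect the credential on the wire.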
Figure 118 Local User Database
The following table describes the labels in this screen. Table 76 Local User Database LABEL DESCRIPTION Active Select this check box to enable the user profile. User Name Enter the user name of the user profile. Password Enter a password up to 31 characters long for this user profile. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 13.
The following table describes the labels in this screen. Table 77 RADIUS LABEL DESCRIPTION Authentication Server Active Select the check box to enable user authentication through an external authentication server. Clear the check box to enable user authentication using the local user profile on the ZyWALL. Server IP Address Enter the IP address of the external authentication server in dotted decimal notation.
CHAPTER 14 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 14.1 NAT Overview NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network, is changed to a different IP address known within another network. 14.1.1 NAT Definitions Inside/outside denotes where a host is located relative to the ZyWALL.
14.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside local address before forwarding it to the original inside host.
14.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter. In this example, corporation A’s networks are labeled A, and Corporation B’s networks are labeled B. Figure 121 NAT Application With IP Alias The following table describes the routes in this example.
14.1.5 Port Restricted Cone NAT At the time of writing ZyWALL ZyNOS version 4.00 uses port restricted cone NAT. Port restricted cone NAT maps all outgoing packets from an internal IP address and port to a single IP address and port on the external network. In the following example, the ZyWALL maps the source address of all packets sent from internal IP address 1 and port A to IP address 2 and port B on the external network.
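The following added Python example (not ZyXEL's code) models the port restricted cone behaviour just described: one external port is allocated per internal IP address and port, every destination reuses that same mapping, and an incoming packet is accepted only from a remote IP address and port that the internal host has already sent to. The addresses and the external port range are constructed.

```python
from dataclasses import dataclass, field

# Constructed WAN address for the demonstration (not from the guide).
WAN_IP = "203.0.113.10"


@dataclass
class PortRestrictedConeNAT:
    """Minimal model of the NAT type described in 14.1.5."""
    wan_ip: str = WAN_IP
    next_port: int = 40000                              # first external port handed out
    outbound_map: dict = field(default_factory=dict)    # (int_ip, int_port) -> ext_port
    inbound_map: dict = field(default_factory=dict)     # ext_port -> (int_ip, int_port)
    permitted: dict = field(default_factory=dict)       # ext_port -> {(remote_ip, remote_port)}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outgoing packet; returns its new (source IP, source port)."""
        key = (src_ip, src_port)
        if key not in self.outbound_map:
            ext = self.next_port
            self.next_port += 1
            self.outbound_map[key] = ext
            self.inbound_map[ext] = key
            self.permitted[ext] = set()
        ext = self.outbound_map[key]
        # Remember exactly which remote IP:port this internal socket talked to;
        # only those peers may send back through the mapping.
        self.permitted[ext].add((dst_ip, dst_port))
        return self.wan_ip, ext

    def inbound(self, src_ip, src_port, dst_port):
        """Translate an incoming packet to (internal IP, internal port), or None if dropped."""
        if dst_port not in self.inbound_map:
            return None                                 # no mapping for this external port
        if (src_ip, src_port) not in self.permitted[dst_port]:
            return None                                 # port restriction: unsolicited peer
        return self.inbound_map[dst_port]
```

The two drop cases are why an inside server cannot be reached through the cone mapping alone and needs an explicit port forwarding or port triggering rule, as the later sections describe.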
• Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world. Note: Port numbers do not change for One-to-One and Many-One-to-One NAT mapping types. The following table summarizes these types.
14.3 NAT Overview Click ADVANCED > NAT to open the NAT Overview screen. Figure 123 NAT Overview The following table describes the labels in this screen. Table 81 NAT Overview LABEL DESCRIPTION Global Settings Max. Concurrent Sessions This read-only field displays the highest number of NAT sessions that the ZyWALL will permit at one time. Max. Concurrent Sessions Per Host Use this field to set the highest number of NAT sessions that the ZyWALL will permit a host to have at one time.
14.4 NAT Address Mapping Ordering your rules is important because the ZyWALL applies the rules in the order that you specify. When a rule matches the current packet, the ZyWALL takes the corresponding action and the remaining rules are ignored. If there are any empty rules before your new configured rule, your configured rule will be pushed up by that number of empty rules.
The following table describes the labels in this screen. Table 82 NAT Address Mapping LABEL DESCRIPTION SUA Address Mapping Rules This read-only table displays the default address mapping rules. Full Feature Address Mapping Rules # This is the rule index number. Local Start IP This refers to the Inside Local Address (ILA), which is the starting local IP address. If the rule is for all local IP addresses, then this field displays 0.0.0.0 as the Local Start IP address.
Figure 125 NAT Address Mapping Edit The following table describes the labels in this screen. Table 83 NAT Address Mapping Edit LABEL DESCRIPTION Type Choose the port mapping type from one of the following.
1. One-to-One: One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for One-to-One NAT mapping type.
2. Many-to-One: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.
14.5 Port Forwarding A port forwarding set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though NAT makes your whole inside network appear as a single computer to the outside world. You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server.
Figure 126 Multiple Servers Behind NAT Example 14.5.4 Port Translation The ZyWALL can translate the destination port number or a range of port numbers of packets coming from the WAN to another destination port number or range of port numbers on the LAN. When you use port forwarding without port translation, a single server on the LAN can use a specific port number and be accessible to the outside world through a single WAN IP address.
14.6 Port Forwarding Screen Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. Click ADVANCED > NAT > Port Forwarding to open the Port Forwarding screen. Refer to Appendix E on page 541 for port numbers commonly used for particular services. Note: The last port forwarding rule is reserved for Roadrunner services.
The following table describes the labels in this screen. Table 84 Port Forwarding LABEL DESCRIPTION Default Server In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen. If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.
Figure 129 Port Forwarding 14.8 Port Triggering Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in from the server on the WAN) to the IP address of a computer on the client side (LAN). The problem is that port forwarding only forwards a service to a single LAN IP address.
For example: Figure 130 Trigger Port Forwarding Process: Example
1 Jane’s computer, labeled J in the figure, requests a file from the Real Audio server (port 7070) labeled S in the figure.
2 Port 7070 is a “trigger” port and causes the ZyWALL to record Jane’s computer IP address. The ZyWALL associates Jane's computer IP address with the "incoming" port range of 6970-7170.
3 The Real Audio server responds using a port number ranging between 6970-7170.
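As an added Python example (not ZyXEL's code), the following model covers the three inbound cases from sections 14.5.4, 14.6 and 14.8 together: static port forwarding with optional port translation, the default server or discard fallback for unlisted ports, and a trigger rule that binds the incoming range 6970-7170 to whichever LAN host most recently contacted trigger port 7070. The order in which trigger entries and static rules are consulted, the "last trigger wins" behaviour, and all addresses are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class ForwardRule:
    """Static port forwarding: a WAN port range, the inside server that receives
    it, and optionally a different LAN start port (port translation, 14.5.4)."""
    name: str
    wan_start: int
    wan_end: int
    server_ip: str
    lan_start: int = None        # None = no translation, same port on the LAN


@dataclass
class TriggerRule:
    """Port triggering (14.8): an outgoing packet to a trigger port records the
    sender; later incoming traffic on the incoming range goes to that sender."""
    name: str
    incoming: tuple              # (start, end) ports the WAN server replies on
    trigger: tuple               # (start, end) ports the LAN client contacts first


@dataclass
class NatInbound:
    forward_rules: list
    trigger_rules: list = field(default_factory=list)
    default_server: str = None   # None = discard unmatched ports (14.6 note)
    triggered: dict = field(default_factory=dict)   # rule name -> LAN IP address

    def outbound(self, src_ip, dst_port):
        """Inspect every outgoing packet and record who fired each trigger."""
        for rule in self.trigger_rules:
            if rule.trigger[0] <= dst_port <= rule.trigger[1]:
                self.triggered[rule.name] = src_ip   # assumption: last trigger wins

    def inbound(self, dst_port):
        """Return (LAN IP, LAN port) for a packet arriving on the WAN, or None if discarded."""
        # Assumption: dynamic trigger entries are consulted before static rules.
        for rule in self.trigger_rules:
            owner = self.triggered.get(rule.name)
            if owner and rule.incoming[0] <= dst_port <= rule.incoming[1]:
                return owner, dst_port
        for rule in self.forward_rules:
            if rule.wan_start <= dst_port <= rule.wan_end:
                if rule.lan_start is None:
                    return rule.server_ip, dst_port
                return rule.server_ip, rule.lan_start + (dst_port - rule.wan_start)
        if self.default_server is not None:
            return self.default_server, dst_port
        return None
```

Note that a configured default server turns "discard" into "deliver to one host" for every otherwise unlisted port, so the default server field deserves the same scrutiny as an explicit forwarding rule.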
Figure 131 Port Triggering The following table describes the labels in this screen. Table 85 Port Triggering LABEL DESCRIPTION # This is the rule index number (read-only). Name Type a unique name (up to 15 characters) for identification purposes. All characters are permitted - including spaces. Incoming Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service.
CHAPTER 15 Static Route This chapter shows you how to configure static routes for your ZyWALL. 15.1 IP Static Route Each remote node specifies only the network to which the gateway is directly connected, and the ZyWALL has no knowledge of the networks beyond. For instance, the ZyWALL knows about network N2 in the following figure through remote node Router 1.
Figure 133 IP Static Route The following table describes the labels in this screen. Table 86 IP Static Route LABEL DESCRIPTION # This is the number of an individual static route. Name This is the name that describes or identifies this route. Active This field shows whether this static route is active (Yes) or not (No). Destination This parameter specifies the IP network address of the final destination. Routing is always based on network number.
Figure 134 IP Static Route Edit The following table describes the labels in this screen. Table 87 IP Static Route Edit LABEL DESCRIPTION Route Name Enter the name of the IP static route. Leave this field blank to delete this static route. Active This field allows you to activate/deactivate this static route. Destination IP Address This parameter specifies the IP network address of the final destination. Routing is always based on network number.
CHAPTER 16 Bandwidth Management This chapter describes the functions and configuration of bandwidth management with multiple levels of sub-classes. 16.1 Bandwidth Management Overview Bandwidth management allows you to allocate an interface’s outgoing capacity to specific types of traffic. It can also help you make sure that the ZyWALL forwards certain types of traffic (especially real-time applications) with minimum delay.
16.3 Proportional Bandwidth Allocation Bandwidth management allows you to define how much bandwidth each class gets; however, the actual bandwidth allotted to each class decreases or increases in proportion to actual available bandwidth. 16.4 Application-based Bandwidth Management You can create bandwidth classes based on individual applications (like VoIP, Web, FTP, Email and Video for example). 16.
16.6 Application and Subnet-based Bandwidth Management You could also create bandwidth classes based on a combination of a subnet and an application. The following example table shows bandwidth allocations for application specific traffic from separate LAN subnets.
When you enable maximize bandwidth usage, the ZyWALL first makes sure that each bandwidth class gets up to its bandwidth allotment. Next, the ZyWALL divides up an interface’s available bandwidth (bandwidth that is unbudgeted or unused by the classes) depending on how many bandwidth classes require more bandwidth and on their priority levels. When only one class requires more bandwidth, the ZyWALL gives extra bandwidth to that class.
16.7.5.1 Priority-based Allotment of Unused and Unbudgeted Bandwidth The following table shows the priorities of the bandwidth classes and the amount of bandwidth that each class gets.
16.8 Bandwidth Borrowing Bandwidth borrowing allows a sub-class to borrow unused bandwidth from its parent class, whereas maximize bandwidth usage allows bandwidth classes to borrow any unused or unbudgeted bandwidth on the whole interface. Enable bandwidth borrowing on a sub-class to allow the sub-class to use its parent class’s unused bandwidth. A parent class’s unused bandwidth is given to the highest priority sub-class first.
• The Bill class cannot borrow unused bandwidth from the Root class because the Sales class has bandwidth borrowing disabled.
• The Amy class cannot borrow unused bandwidth from the Sales USA class because the Amy class has bandwidth borrowing disabled.
• The Research Software and Hardware classes can both borrow unused bandwidth from the Research class because the Research Software and Hardware classes both have bandwidth borrowing enabled.
Figure 136 Bandwidth Management: Summary The following table describes the labels in this screen. Table 93 Bandwidth Management: Summary LABEL DESCRIPTION Class These read-only labels represent the physical interfaces. Select an interface’s check box to enable bandwidth management on that interface. Bandwidth management applies to all traffic flowing out of the router through the interface, regardless of the traffic’s source.
16.11 Configuring Class Setup The Class Setup screen displays the configured bandwidth classes by individual interface. Select an interface and click the buttons to perform the actions described next. Click “+” to expand the class tree or click “-” to collapse the class tree. Each interface has a permanent root class. The bandwidth budget of the root class is equal to the speed you configured on the interface (see Section 16.
Table 94 Bandwidth Management: Class Setup (continued) LABEL DESCRIPTION Edit Click Edit to configure the selected class. You cannot edit the root class. Delete Click Delete to delete the class and all its sub-classes. You cannot delete the root class. Statistics Click Statistics to display the status of the selected class. Filter List This list displays the bandwidth management filters that are configured for the classes on the selected interface.
Figure 138 Bandwidth Management: Edit Class The following table describes the labels in this screen. Table 95 Bandwidth Management: Edit Class LABEL DESCRIPTION Class Configuration Class Name Use the auto-generated name or enter a descriptive name of up to 20 alphanumeric characters, including spaces. Bandwidth Budget (kbps) Specify the maximum bandwidth allowed for the class in kbps. The recommendation is a setting between 20 kbps and 20000 kbps for an individual class.
Table 95 Bandwidth Management: Edit Class (continued) LABEL DESCRIPTION Enable Bandwidth Filter Select Enable Bandwidth Filter to have the ZyWALL use this bandwidth filter when it performs bandwidth management. You must enter a value in at least one of the following fields (other than the Subnet Mask fields which are only available when you enter the destination or source IP address).
Table 95 Bandwidth Management: Edit Class (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving.
The following table describes the labels in this screen. Table 97 Bandwidth Management: Statistics LABEL DESCRIPTION Class Name This field displays the name of the class the statistics page is showing. Budget (kbps) This field displays the amount of bandwidth allocated to the class. Tx Packets This field displays the total number of packets transmitted. Tx Bytes This field displays the total number of bytes transmitted.
The following table describes the labels in this screen. Table 98 Bandwidth Management: Monitor LABEL DESCRIPTION Interface Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes. Class This field displays the name of the bandwidth class. A Default Class automatically displays for all the bandwidth in the Root Class that is not allocated to bandwidth classes.
CHAPTER 17 DNS This chapter shows you how to configure the DNS screens. 17.1 DNS Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The ZyWALL uses a system DNS server (in the order you specify in the DNS System screen) to resolve domain names, for example, VPN, DDNS and the time server. 17.
17.4 Address Record An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com.tw” is the top level domain. mail.myZyXEL.com.tw is also an FQDN, where "mail" is the host, "myZyXEL" is the second-level domain, and "com.
Figure 141 Private DNS Server Example Note: If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network. 17.6 System Screen To configure your ZyWALL’s DNS address and name server records, click ADVANCED > DNS. The screen appears as shown.
The following table describes the labels in this screen. Table 99 System DNS LABEL DESCRIPTION Address Record An address record specifies the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com.tw” is the top level domain.
Figure 143 System DNS: Add Address Record The following table describes the labels in this screen. Table 100 System DNS: Add Address Record LABEL DESCRIPTION FQDN Type a fully qualified domain name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top-level domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com.tw” is the top level domain.
Figure 144 System DNS: Insert Name Server Record The following table describes the labels in this screen. Table 101 System DNS: Insert Name Server Record LABEL DESCRIPTION Domain Zone This field is optional. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. For example, whenever the ZyWALL needs to resolve a zyxel.com.
17.7 DNS Cache DNS cache is the temporary storage area where a router stores responses from DNS servers. When the ZyWALL receives a positive or negative response for a DNS query, it records the response in the DNS cache. A positive response means that the ZyWALL received the IP address for a domain name that it checked with a DNS server within the five second DNS timeout period.
The following table describes the labels in this screen. Table 102 DNS Cache LABEL DESCRIPTION DNS Cache Setup Cache Positive DNS Resolutions Select the check box to record the positive DNS resolutions in the cache. Caching positive DNS resolutions helps speed up the ZyWALL’s processing of commonly queried domain names and reduces the amount of traffic that the ZyWALL sends out to the WAN. Maximum TTL Type the maximum time to live (TTL) (60 to 3600 seconds).
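An added Python model (not ZyXEL's code) of the cache behaviour described in 17.7 and the table above: positive answers are stored with their TTL clamped to the configured Maximum TTL (60 to 3600 seconds), negative answers are stored separately, and expired entries fall through to a fresh query. The lifetime of a negative entry and the injectable clock are assumptions, since the page gives neither.

```python
import time

MIN_MAX_TTL, MAX_MAX_TTL = 60, 3600      # range the Maximum TTL field accepts


class DnsCache:
    """Positive and negative DNS responses with a capped time to live."""

    def __init__(self, max_ttl=3600, cache_positive=True, cache_negative=True,
                 negative_ttl=60, clock=time.monotonic):
        if not MIN_MAX_TTL <= max_ttl <= MAX_MAX_TTL:
            raise ValueError("Maximum TTL must be 60 to 3600 seconds")
        self.max_ttl = max_ttl
        self.cache_positive = cache_positive
        self.cache_negative = cache_negative
        self.negative_ttl = negative_ttl     # assumed value; the page gives none
        self.clock = clock                   # injectable so tests are deterministic
        self.entries = {}                    # name -> (ip or None, expiry time)

    @staticmethod
    def _key(name):
        return name.lower().rstrip(".")      # DNS names are case-insensitive

    def record(self, name, ip, record_ttl):
        """Store a response; ip=None is a negative response (name not found).
        Returns False when that kind of response is not being cached."""
        if ip is None:
            if not self.cache_negative:
                return False
            ttl = self.negative_ttl
        else:
            if not self.cache_positive:
                return False
            ttl = min(record_ttl, self.max_ttl)   # never outlive Maximum TTL
        self.entries[self._key(name)] = (ip, self.clock() + ttl)
        return True

    def lookup(self, name):
        """Return ('hit', ip), ('negative', None) or ('miss', None)."""
        key = self._key(name)
        entry = self.entries.get(key)
        if entry is None:
            return "miss", None
        ip, expiry = entry
        if self.clock() >= expiry:
            del self.entries[key]            # expired: query the DNS server again
            return "miss", None
        return ("hit", ip) if ip is not None else ("negative", None)
```

A short Maximum TTL limits how long a stale or wrong answer (including one planted by a spoofed response) stays in the cache, at the cost of more queries to the WAN.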
Figure 146 DNS DHCP The following table describes the labels in this screen. Table 103 DNS DHCP LABEL DESCRIPTION DNS Servers Assigned by DHCP Server The ZyWALL passes a DNS (Domain Name System) server IP address to the DHCP clients. Selected Interface Select an interface from the drop-down list box to configure the DNS servers for the specified interface. DNS These read-only labels represent the DNS servers.
17.10 Dynamic DNS Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect.
Figure 147 DDNS The following table describes the labels in this screen. Table 104 DDNS LABEL DESCRIPTION Account Setup Active Select this check box to use dynamic DNS. Service Provider This is the name of your Dynamic DNS service provider. Username Enter your user name. You can use up to 31 alphanumeric characters (and the underscore). Spaces are not allowed. Password Enter the password associated with the user name above.
Table 104 DDNS (continued) LABEL DESCRIPTION IP Address Update Policy Select Use WAN IP Address to have the ZyWALL update the domain name with the WAN port's IP address. Select Use User-Defined and enter the IP address if you have a static IP address. Select Let DDNS Server Auto Detect only when there are one or more NAT routers between the ZyWALL and the DDNS server.
CHAPTER 18 Remote Management This chapter provides information on the Remote Management screens. 18.1 Remote Management Overview Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. Note: When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access. See Chapter 8 on page 131 for details on configuring firewall rules.
2 You have disabled that service in one of the remote management screens.
3 The IP address in the Secure Client IP Address field does not match the client IP address. If it does not match, the ZyWALL will disconnect the session immediately.
4 There is already another remote management session with an equal or higher priority running. You may only have one remote management session running at one time.
5 There is a firewall rule that blocks it. 18.1.
Figure 148 HTTPS Implementation Note: If you disable HTTP Server Access (Disable) in the REMOTE MGMT WWW screen, then the ZyWALL blocks all HTTP connection attempts. 18.3 WWW Click ADVANCED > REMOTE MGMT to open the WWW screen. Use this screen to change your ZyWALL’s web settings.
The following table describes the labels in this screen. Table 105 WWW LABEL DESCRIPTION HTTPS Server Certificate Select the Server Certificate that the ZyWALL will use to identify itself. The ZyWALL is the SSL server and must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the ZyWALL).
18.4.1 Internet Explorer Warning Messages When you attempt to access the ZyWALL HTTPS server, a Windows dialog box pops up asking if you trust the server certificate. Click View Certificate if you want to verify that the certificate is from the ZyWALL. You see the following Security Alert screen in Internet Explorer. Select Yes to proceed to the web configurator login screen; if you select No, then web configurator access is blocked.
Figure 151 Security Certificate 1 (Netscape) Figure 152 Security Certificate 2 (Netscape) 18.4.3 Avoiding the Browser Warning Messages The following describes the main reasons that your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnings. • The issuing certificate authority of the ZyWALL’s HTTPS server certificate is not one of the browser’s trusted certificate authorities.
• The actual IP address of the HTTPS server (the IP address of the ZyWALL’s port that you are trying to access) does not match the common name specified in the ZyWALL’s HTTPS server certificate that your browser received. Do the following to check the common name specified in the certificate that your ZyWALL sends to HTTPS clients.
a Click REMOTE MGMT. Write down the name of the certificate displayed in the Server Certificate field.
b Click CERTIFICATES.
Figure 154 Login Screen (Netscape) Click Login and you then see the next screen. The factory default certificate is a common default certificate for all ZyWALL models. Figure 155 Replace Certificate Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. Click CERTIFICATES to open the My Certificates screen. You will see information similar to that shown in the following figure.
Figure 156 Device-specific Certificate Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate. You will then see this information in the My Certificates screen.
18.5 SSH Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. The SSH server is labeled A, and the SSH client is labeled B. Figure 158 SSH Communication Example 18.6 How SSH Works The following table summarizes how a secure connection is established between two remote hosts.
The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server. The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer.
Figure 159 SSH The following table describes the labels in this screen. Table 107 SSH LABEL DESCRIPTION Server Host Key Select the certificate whose corresponding private key is to be used to identify the ZyWALL for SSH connections. You must have certificates already configured in the My Certificates screen (Click My Certificates and see Chapter 12 on page 217 for details).
2 Configure the SSH client to accept a connection using SSH version 1.
3 A window displays prompting you to store the host key in your computer. Click Yes to continue. Figure 160 SSH Example 1: Store Host Key Enter the password to log in to the ZyWALL. The SMT main menu displays next. 18.9.2 Example 2: Linux This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distributions.
Figure 162 SSH Example 2: Log in
$ ssh -1 192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
Administrator@192.168.1.1's password:
3 The SMT main menu displays next. 18.
18.11 Telnet You can configure your ZyWALL for remote Telnet access as shown next. The computer using telnet to access the LAN is labeled A, and the arrow shows the direction of incoming traffic. Figure 164 Telnet Configuration on a TCP/IP Network 18.12 Configuring TELNET Click ADVANCED > REMOTE MGMT > TELNET to open the Telnet screen. Use this screen to configure your ZyWALL for remote Telnet access.
Table 108 Telnet (continued) LABEL DESCRIPTION Secure Client IP Address A secure client is a “trusted” computer that is allowed to communicate with the ZyWALL using this service. Select All to allow any computer to access the ZyWALL using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyWALL using this service. Apply Click Apply to save your customized settings and exit this screen.
ZyWALL 2 Plus User’s Guide Table 109 FTP LABEL DESCRIPTION Secure Client IP Address A secure client is a “trusted” computer that is allowed to communicate with the ZyWALL using this service. Select All to allow any computer to access the ZyWALL using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyWALL using this service. Apply Click Apply to save your customized settings. Reset Click Reset to begin configuring this screen afresh. 18.
An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices.

18.14.3 REMOTE MANAGEMENT: SNMP

To change your ZyWALL’s SNMP settings, click ADVANCED > REMOTE MGMT > SNMP. The screen appears as shown.

Figure 168 SNMP

The following table describes the labels in this screen.

Table 111 SNMP

SNMP Configuration
Get Community: Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests.

Table 111 SNMP (continued)

Secure Client IP Address: A secure client is a “trusted” computer that is allowed to communicate with the ZyWALL using this service. Select All to allow any computer to access the ZyWALL using this service. Choose Selected to allow only the computer with the IP address that you specify to access the ZyWALL using this service.
Apply: Click Apply to save your customized settings.
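The Telnet, FTP and SNMP screens above share the Secure Client IP Address choice, and the SNMP screen ships with the community string public. The following Python audit is an added example, not ZyXEL code: it models those settings as a dictionary (key names are hypothetical, modelled on the screen labels) and reports the combinations a reviewer would flag: a service open to All clients, a Selected setting with no valid trusted IP, default SNMP community strings, and Telnet or FTP carrying the management password in cleartext. The set_community key and the sample configuration are assumptions for illustration.

```python
from ipaddress import ip_address

# "public" is the default the manual names; "private" is the usual companion
# default for Set requests (assumption, not stated on this page).
DEFAULT_COMMUNITIES = {"public", "private"}
# Services whose login credentials cross the network unencrypted.
CLEARTEXT_SERVICES = {"TELNET", "FTP"}


def audit_service(name, cfg):
    """Return a list of findings for one remote-management service.

    cfg keys (hypothetical, modelled on the screen labels):
      enabled           bool
      secure_client     "All" or "Selected"   (Secure Client IP Address)
      secure_client_ip  the single trusted address when "Selected" is chosen
      get_community / set_community            (SNMP only)
    """
    findings = []
    if not cfg.get("enabled", False):
        return findings  # a disabled service exposes nothing

    client = cfg.get("secure_client", "All")
    if client == "All":
        findings.append(
            f"{name}: Secure Client IP Address is All, so any host that can "
            f"reach the interface may attempt to log in")
    elif client == "Selected":
        try:
            ip_address(cfg.get("secure_client_ip", ""))
        except ValueError:
            findings.append(
                f"{name}: Selected is chosen but the trusted IP address is "
                f"missing or not a valid address")
    else:
        findings.append(f"{name}: unknown Secure Client setting {client!r}")

    if name in CLEARTEXT_SERVICES:
        findings.append(
            f"{name}: the password travels in cleartext; prefer SSH (or HTTPS) "
            f"for management")

    if name == "SNMP":
        for key in ("get_community", "set_community"):
            value = cfg.get(key)
            if value is not None and value.lower() in DEFAULT_COMMUNITIES:
                findings.append(
                    f"SNMP: {key} is the well-known default {value!r}")
    return findings


def audit_remote_management(config):
    """Map each service name to its findings; clean services are omitted."""
    report = {}
    for name, cfg in config.items():
        findings = audit_service(name, cfg)
        if findings:
            report[name] = findings
    return report


# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = {
    "SSH":    {"enabled": True,  "secure_client": "Selected",
               "secure_client_ip": "192.168.1.33"},
    "TELNET": {"enabled": True,  "secure_client": "All"},
    "FTP":    {"enabled": False, "secure_client": "All"},
    "SNMP":   {"enabled": True,  "secure_client": "Selected",
               "secure_client_ip": "", "get_community": "public"},
}

if __name__ == "__main__":
    for service, findings in audit_remote_management(SAMPLE_CONFIG).items():
        for line in findings:
            print(line)
```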
Table 112 DNS

Apply: Click Apply to save your customized settings.
Reset: Click Reset to begin configuring this screen afresh.

18.16 Introducing Vantage CNM

Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for details.

The following table describes the labels in this screen.

Table 113 CNM

Registration Information
Registration Status: This read-only field displays Not Registered when Enable is not selected. It displays Registering when the ZyWALL first connects with the Vantage CNM server and then Registered after it has been successfully registered with the Vantage CNM server.
CHAPTER 19 UPnP

This chapter introduces the Universal Plug and Play feature. This chapter is only applicable when the ZyWALL is in router mode.

19.1 Universal Plug and Play Overview

Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network.

All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention.

19.1.4 UPnP and ZyXEL

ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum Creates UPnP™ Implementers Corp. (UIC). ZyXEL's UPnP implementation supports IGD 1.0 (Internet Gateway Device). At the time of writing ZyXEL's UPnP implementation supports Windows Messenger 4.6 and 4.7 while Windows Messenger 5.

Table 114 UPnP

Allow users to make configuration changes through UPnP: Select this check box to allow UPnP-enabled applications to automatically configure the ZyWALL so that they can communicate through the ZyWALL, for example by using NAT traversal. UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP-enabled device; this eliminates the need to manually configure port forwarding for the UPnP-enabled applicatio

Table 115 UPnP Ports (continued)

Remote Host: This field displays the source IP address (on the WAN) of inbound IP packets. Since this is often a wildcard, the field may be blank. When the field is blank, the ZyWALL forwards all traffic sent to the External Port on the WAN interface to the Internal Client on the Internal Port.
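A blank Remote Host means the mapping accepts traffic from any WAN source, and with configuration changes through UPnP allowed, any program on the LAN can create such mappings without logging in. The following Python review is an added example, not ZyXEL code: it renders each row of the UPnP Ports table as the firewall rule it amounts to and flags wildcard sources and mappings that expose a login or management port on a LAN host. The field names and the sample mappings are constructed for illustration.

```python
# Ports that normally carry a login or management service on the LAN host.
SENSITIVE_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 80: "HTTP",
                   161: "SNMP", 443: "HTTPS", 445: "SMB", 3389: "RDP"}


def effective_rule(mapping):
    """Render one UPnP Ports row as the forwarding rule it amounts to."""
    remote = (mapping.get("remote_host") or "").strip()
    source = remote if remote else "any WAN host"
    return (f"{mapping['protocol']} from {source} to "
            f"WAN:{mapping['external_port']} -> "
            f"{mapping['internal_client']}:{mapping['internal_port']}")


def review_mappings(mappings, config_changes_allowed):
    """Return (global_findings, rows) where rows is a list of
    (rule_text, [findings]) in table order."""
    global_findings = []
    if config_changes_allowed:
        global_findings.append(
            "'Allow users to make configuration changes through UPnP' is on: "
            "any LAN program can add or remove these mappings without "
            "authenticating to the ZyWALL")
    rows = []
    for mapping in mappings:
        findings = []
        if not (mapping.get("remote_host") or "").strip():
            findings.append(
                "Remote Host is blank, so packets from any source reach the "
                "Internal Client on this port")
        port = int(mapping["internal_port"])
        if port in SENSITIVE_PORTS:
            findings.append(
                f"internal port {port} ({SENSITIVE_PORTS[port]}) on "
                f"{mapping['internal_client']} is reachable from the WAN")
        rows.append((effective_rule(mapping), findings))
    return global_findings, rows


def hosts_open_to_any(mappings):
    """LAN hosts that have at least one wildcard-source mapping."""
    return {m["internal_client"] for m in mappings
            if not (m.get("remote_host") or "").strip()}


# Constructed sample rows in the columns the table names (not real data).
SAMPLE_MAPPINGS = [
    {"remote_host": "", "external_port": 2323, "protocol": "TCP",
     "internal_port": 23, "internal_client": "192.168.1.33"},
    {"remote_host": "203.0.113.5", "external_port": 5000, "protocol": "UDP",
     "internal_port": 5000, "internal_client": "192.168.1.40"},
]

if __name__ == "__main__":
    notes, rows = review_mappings(SAMPLE_MAPPINGS, config_changes_allowed=True)
    for note in notes:
        print(note)
    for rule, findings in rows:
        print(rule, findings)
```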
19.4.1 Installing UPnP in Windows Me

Follow the steps below to install UPnP in Windows Me.

1 Click Start > Settings > Control Panel. Double-click Add/Remove Programs.
2 Click Windows Setup and select Communication in the Components selection box. Click Details.
3 In the Communications window, select the Universal Plug and Play check box in the Components selection box.
4 Click OK to go back to the Add/Remove Programs Properties window and click Next.

19.4.2 Installing UPnP in Windows XP

Follow the steps below to install UPnP in Windows XP.

1 Click Start > Settings > Control Panel.
2 Double-click Network Connections.
3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components …. The Windows Optional Networking Components Wizard window displays.
4 Select Networking Service in the Components selection box and click Details.

19.5.1 Auto-discover Your UPnP-enabled Network Device

1 Click Start > Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.
2 Right-click the icon and select Properties.
3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. You may edit or delete the port mappings or click Add to manually add port mappings.

Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.

4 Select the Show icon in notification area when connected check box and click OK. An icon displays in the system tray.
5 Double-click the icon to display your current Internet connection status.

19.5.

Follow the steps below to access the web configurator.

1 Click Start > Control Panel.
2 Double-click Network Connections.
3 Select My Network Places under Other Places.
4 An icon with the description for each UPnP-enabled device displays under Local Network.
5 Right-click the icon for your ZyXEL device and select Invoke. The web configurator login screen displays.
6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.
CHAPTER 20 ALG Screen

This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to pass through the ZyWALL.

20.1 ALG Introduction

The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT-unfriendly applications (such as SIP) to operate properly through the ZyWALL. Some applications cannot operate through NAT (are NAT-unfriendly) because they embed IP addresses and port numbers in their packets’ data payload.

20.2 FTP

File Transfer Protocol (FTP) is an Internet file transfer service that operates on the Internet and over TCP/IP networks. A system running the FTP server accepts commands from a system running an FTP client. The service allows users to send commands to the server for uploading and downloading files. The FTP ALG allows TCP packets with a port 21 destination to pass through.
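FTP is the textbook case of the embedded-address problem described in 20.1: an active-mode client sends its own private IP address and a listening port inside the PORT command, which a plain NAT cannot see. The following Python class is an added example, not the ZyWALL's implementation, showing the two things an FTP ALG has to do on the port 21 control channel: rewrite the embedded private address and port to the public ones and open the matching pinhole for the server's data connection, while refusing a PORT command that names any address other than the client that sent it (the check that closes the classic FTP bounce). The class name, the public address and the port range are assumptions.

```python
import re

# "PORT h1,h2,h3,h4,p1,p2": four IP octets, then the port as p1*256 + p2.
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$",
    re.IGNORECASE)


def parse_port(line):
    """Return (ip, port) embedded in a PORT command, or None if malformed."""
    match = PORT_RE.match(line)
    if match is None:
        return None
    fields = [int(x) for x in match.groups()]
    if any(x > 255 for x in fields):
        return None
    ip = ".".join(str(x) for x in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def build_port(ip, port):
    """Inverse of parse_port: encode ip/port back into PORT syntax."""
    fields = ip.split(".") + [str(port // 256), str(port % 256)]
    return "PORT " + ",".join(fields) + "\r\n"


class FtpAlg:
    """Control-channel rewriter for active-mode FTP behind NAT (hypothetical)."""

    def __init__(self, public_ip, first_port=50000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (public_ip, public_port) -> (client_ip, client_port): the pinholes
        # the firewall must open for the server's inbound data connection.
        self.pinholes = {}

    def translate(self, client_ip, line):
        """Return (line_to_forward, pinhole).

        Non-PORT commands pass through untouched. A PORT command is only
        rewritten when the embedded address is the sending client's own
        and the port is not a privileged one; otherwise (None, None) is
        returned and the command is dropped.
        """
        if not line.upper().startswith("PORT "):
            return line, None
        parsed = parse_port(line)
        if parsed is None:
            return None, None
        embedded_ip, embedded_port = parsed
        if embedded_ip != client_ip or embedded_port < 1024:
            return None, None
        public_port = self.next_port
        self.next_port += 1
        pinhole = (self.public_ip, public_port)
        self.pinholes[pinhole] = (embedded_ip, embedded_port)
        return build_port(self.public_ip, public_port), pinhole


if __name__ == "__main__":
    # Constructed addresses: LAN client 192.168.1.33, WAN address 203.0.113.10.
    alg = FtpAlg("203.0.113.10")
    print(alg.translate("192.168.1.33", "PORT 192,168,1,33,4,1\r\n"))
    print(alg.translate("192.168.1.33", "PORT 10,0,0,5,4,1\r\n"))
```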
20.5 SIP

The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet. SIP is used in VoIP (Voice over IP), the sending of voice signals over the Internet Protocol. SIP signaling is separate from the media for which it handles sessions. The media that is exchanged during the session can use a different path from that of the signaling.

20.5.3 SIP Signaling Session Timeout

Most SIP clients have an “expire” mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL. If the SIP client does not have this mechanism and makes no calls during the ZyWALL SIP timeout default (60 minutes), the ZyWALL SIP ALG drops any incoming calls after the timeout period.

20.5.

The following table describes the labels in this screen.

Table 116 ALG

Enable FTP ALG: Select this check box to allow FTP sessions to pass through the ZyWALL. FTP (File Transfer Protocol) is a program that enables fast transfer of files, including large files that may not be possible by e-mail.
Enable H.323 ALG: Select this check box to allow H.323 sessions to pass through the ZyWALL. H.323 is a protocol used for audio communications over networks.
CHAPTER 21 Logs Screens

This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to Appendix N on page 587 for example log message explanations.

21.1 Configuring View Log

The web configurator allows you to look at all of the ZyWALL’s logs in one location. Click LOGS to open the View Log screen. Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen (see Section 21.

Table 117 View Log (continued)

Time: This field displays the time the log was recorded. See Section 22.4 on page 353 to configure the ZyWALL’s time and date.
Message: This field states the reason for the log.
Source: This field lists the source IP address and the port number of the incoming packet.
Destination: This field lists the destination IP address and the port number of the incoming packet.

21.2.1 Certificate Not Trusted Log

Note: myZyXEL.com and the update server use a certificate signed by VeriSign to identify themselves. The default configuration file includes a trusted CA certificate signed by VeriSign. If the ZyWALL does not have a CA certificate signed by VeriSign as a trusted CA, the ZyWALL will not trust the certificate from myZyXEL.com and the update server. The ZyWALL will generate a log like "Due to error code(11), cert not trusted: SSL/TLS peer certif...

Figure 178 myZyXEL.com: Certificate Download

21.3 Configuring Log Settings

To change your ZyWALL’s log settings, click LOGS > Log Settings. The screen appears as shown. Use the Log Settings screen to configure where the ZyWALL is to send logs, the schedule for when the ZyWALL is to send the logs, and which logs and/or immediate alerts the ZyWALL is to send. An alert is a type of log that warrants more serious attention.

Figure 179 Log Settings

The following table describes the labels in this screen.

Table 119 Log Settings

E-mail Log Settings
Mail Server: Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail.
Mail Subject: Type a title that you want to be in the subject line of the log e-mail message that the ZyWALL sends.

Table 119 Log Settings (continued)

Send Immediate Alert: Select the categories of alerts for which you want the ZyWALL to instantly e-mail alerts to the e-mail address specified in the Send Alerts To field.
Log Consolidation
Active: Some logs (such as the Attacks logs) may be so numerous that it becomes easy to ignore other important log messages. Select this check box to merge logs with identical messages into one log.
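Log consolidation, as the table describes it, merges logs with identical messages so that a burst of repeated entries does not bury the ones that matter, while immediate alerts are picked out by category. The following Python code is an added example, not the ZyWALL's own implementation: it parses constructed View Log rows in the four fields the table above names (Time, Message, Source, Destination), merges identical messages that fall within a time window, and selects the consolidated entries that belong to an alert category. The window length, the pipe-separated layout, the message texts and the alert category prefixes are assumptions made for the example.

```python
from datetime import datetime

# Constructed View Log rows (Time | Message | Source | Destination).
# Not real device output; the message texts are invented for the example.
SAMPLE_LOG = """\
2006-03-01 10:00:01 | Firewall default policy: TCP (W to L) | 203.0.113.7:4432 | 192.168.1.1:23
2006-03-01 10:00:05 | Firewall default policy: TCP (W to L) | 203.0.113.7:4433 | 192.168.1.1:23
2006-03-01 10:00:09 | Firewall default policy: TCP (W to L) | 203.0.113.7:4434 | 192.168.1.1:23
2006-03-01 10:01:30 | Successful SSH login | 192.168.1.33:51021 | 192.168.1.1:22
2006-03-01 10:06:00 | Firewall default policy: TCP (W to L) | 203.0.113.7:4490 | 192.168.1.1:23
"""


def parse_view_log(text):
    """Turn pipe-separated rows into dicts keyed by the View Log field names."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        time_s, message, source, destination = [f.strip() for f in raw.split("|")]
        entries.append({
            "time": datetime.strptime(time_s, "%Y-%m-%d %H:%M:%S"),
            "message": message,
            "source": source,
            "destination": destination,
        })
    return entries


def consolidate(entries, window_seconds=180):
    """Merge entries with an identical Message that fall within
    window_seconds of the first entry kept for that message.

    Each returned entry carries the first occurrence's fields plus
    'count', 'last_time' and the set of distinct 'sources' merged into it.
    The window length is an assumption; the text above does not give one.
    """
    open_groups = {}  # message -> index into result of the group still open
    result = []
    for entry in sorted(entries, key=lambda e: e["time"]):
        idx = open_groups.get(entry["message"])
        if idx is not None:
            group = result[idx]
            if (entry["time"] - group["time"]).total_seconds() <= window_seconds:
                group["count"] += 1
                group["last_time"] = entry["time"]
                group["sources"].add(entry["source"])
                continue
        group = dict(entry, count=1, last_time=entry["time"],
                     sources={entry["source"]})
        open_groups[entry["message"]] = len(result)
        result.append(group)
    return result


def select_alerts(groups, alert_prefixes):
    """Pick the consolidated entries whose Message starts with one of the
    configured alert categories (modelled on Send Immediate Alert)."""
    prefixes = tuple(alert_prefixes)
    return [g for g in groups if g["message"].startswith(prefixes)]


if __name__ == "__main__":
    for group in consolidate(parse_view_log(SAMPLE_LOG)):
        print(group["time"], group["count"], group["message"], sorted(group["sources"]))
```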
Figure 180 Reports

Note: Enabling the ZyWALL’s reporting function decreases the overall throughput by about 1 Mbps.

The following table describes the labels in this screen.

Table 120 Reports

Collect Statistics: Select the check box and click Apply to have the ZyWALL record report data.
Send Raw Traffic Statistics: Select the check box and click Apply to have the ZyWALL send unprocessed traffic statistics to a syslog server for analysis.

21.4.1 Viewing Web Site Hits

In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the ZyWALL record and display which web sites have been visited the most often and how many times they have been visited.

Figure 181 Web Site Hits Report Example

The following table describes the label in this screen.

Figure 182 Protocol/Port Report Example

The following table describes the labels in this screen.

Table 122 Protocol/Port Report

Protocol/Port: This column lists the protocols or service ports for which the most traffic has gone through the ZyWALL. The protocols or service ports are listed in descending order with the most used protocol or service port listed first.

Figure 183 Host IP Address Report Example

The following table describes the labels in this screen.

Table 123 Host IP Address Report

IP Address: This column lists the LAN IP addresses to and/or from which the most traffic has been sent. The LAN IP addresses are listed in descending order with the LAN IP address to and/or from which the most traffic was sent listed first.
CHAPTER 22 Maintenance

This chapter displays information on the maintenance screens.

22.1 Maintenance Overview

The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL.

22.2 General Setup

22.2.1 General Setup and System Name

General Setup contains administrative and system-related information. System Name is for identification purposes.

Figure 184 General Setup

The following table describes the labels in this screen.

Table 125 General Setup

General Setup
System Name: Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name” in this field. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes “-” and underscores "_" are accepted.
Domain Name: Enter the domain name (if you know it) here.

Figure 185 Password Setup

The following table describes the labels in this screen.

Table 126 Password Setup

Old Password: Type the default password or the existing password you use to access the system in this field.
New Password: Type your new system password (up to 30 characters). Note that as you type a password, the screen displays a (*) for each character you type.
Retype to Confirm: Type the new password again for confirmation.

Figure 186 Time and Date

The following table describes the labels in this screen.

Table 127 Time and Date

Current Time and Date
Current Time: This field displays the ZyWALL’s present time.
Current Date: This field displays the ZyWALL’s present date.
Time and Date Setup
Manual: Select this radio button to enter the time and date manually.

Table 127 Time and Date (continued)

Get from Time Server: Select this radio button to have the ZyWALL get the time and date from the time server you specified below.
Time Protocol: Select the time service protocol that your time server uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works. The main difference between them is the format.
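The time protocols differ mainly in the format of the reply, and a firewall's clock matters for certificate validity and for the timestamps in its logs. The following Python code is an added example, not ZyXEL code: it decodes the three reply formats usually offered by devices of this kind (Daytime as free text, Time as a 32-bit seconds count from 1900, and NTP as a 48-byte packet whose transmit timestamp holds 32-bit seconds plus a 32-bit fraction), refuses an NTP reply whose server reports an unsynchronized clock, and rejects any result that is not later than the 2000-01-01 clock the manual says the ZyWALL starts with. Which three protocols the ZyWALL offers, the Daytime text layout and the sample replies are assumptions; the replies are constructed, not captured.

```python
import struct
from datetime import datetime, timedelta, timezone

# Both the Time protocol (RFC 868) and NTP count seconds from this epoch.
EPOCH_1900 = datetime(1900, 1, 1, tzinfo=timezone.utc)
# The manual says the clock starts here on first power-up; a server reply
# that is not later than this cannot be a real current time.
FACTORY_START = datetime(2000, 1, 1, tzinfo=timezone.utc)


def decode_time_protocol(payload):
    """RFC 868 Time reply: one 32-bit big-endian seconds count, nothing else."""
    if len(payload) != 4:
        raise ValueError("Time reply must be exactly 4 bytes")
    (secs,) = struct.unpack("!I", payload)
    return EPOCH_1900 + timedelta(seconds=secs)


def decode_daytime(payload):
    """RFC 867 Daytime reply: free-form text. This assumes the common
    'Wed Mar  1 00:00:00 2006' layout in UTC; other servers differ."""
    text = payload.decode("ascii", errors="replace").strip()
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def decode_ntp(packet):
    """NTP/SNTP server reply: 48-byte packet; the transmit timestamp at
    bytes 40..47 is 32-bit seconds followed by a 32-bit binary fraction."""
    if len(packet) < 48:
        raise ValueError("NTP packet too short")
    leap = packet[0] >> 6          # leap indicator: 3 = clock unsynchronized
    mode = packet[0] & 0x7         # 4 = server reply
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if leap == 3:
        raise ValueError("server reports its clock is unsynchronized")
    secs, frac = struct.unpack("!II", packet[40:48])
    return EPOCH_1900 + timedelta(seconds=secs + frac / 2 ** 32)


DECODERS = {"time": decode_time_protocol, "daytime": decode_daytime, "ntp": decode_ntp}


def accept_reply(protocol, payload):
    """Decode one reply and apply the sanity check.
    Returns (datetime, "ok") or (None, reason)."""
    try:
        ts = DECODERS[protocol](payload)
    except (KeyError, ValueError) as exc:
        return None, f"undecodable {protocol} reply: {exc}"
    if ts <= FACTORY_START:
        return None, f"implausible time {ts.isoformat()} (not after factory start)"
    return ts, "ok"


# Constructed sample replies (not captured from a real server).
SAMPLE_TIME_REPLY = bytes.fromhex("c7af6280")  # 2006-03-01 00:00:00 UTC
# LI=0, VN=4, mode=4 in the first byte; transmit timestamp = same instant + 0.5 s.
SAMPLE_NTP_REPLY = bytes([0x24]) + bytes(39) + bytes.fromhex("c7af628080000000")
UNSYNC_NTP_REPLY = bytes([0xE4]) + SAMPLE_NTP_REPLY[1:]  # LI=3: unsynchronized
SAMPLE_DAYTIME_REPLY = b"Wed Mar  1 00:00:00 2006\r\n"

if __name__ == "__main__":
    for name, reply in [("time", SAMPLE_TIME_REPLY), ("ntp", SAMPLE_NTP_REPLY),
                        ("ntp", UNSYNC_NTP_REPLY), ("daytime", SAMPLE_DAYTIME_REPLY)]:
        print(name, accept_reply(name, reply))
```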
22.5 Pre-defined NTP Time Servers List

When you turn on the ZyWALL for the first time, the date and time start at 2000-01-01 00:00:00. The ZyWALL then attempts to synchronize with one of the following pre-defined list of NTP time servers. The ZyWALL continues to use the following pre-defined list of NTP time servers if you do not specify a time server or it cannot synchronize with the time server you specified.

When the System Time and Date Synchronization in Process screen appears, wait up to one minute.

Figure 187 Synchronization in Process

Click the Return button to go back to the Time and Date screen after the time and date is updated successfully.

Figure 188 Synchronization is Successful

If the update was not successful, the following screen appears. Click Return to go back to the Time and Date screen.

22.6 Introduction To Transparent Bridging

A transparent bridge is invisible to the operation of a network in that it does not modify the frames it forwards. The bridge checks the source address of incoming frames on the port and learns MAC addresses to associate with that port. All future communications to that MAC address will only be sent on that port.

3 As a transparent bridge does not modify the frames it forwards, it is effectively “stealth” as it is invisible to attackers. Bridging devices are most useful in complex environments that require a rapid or new firewall deployment. A transparent, bridging firewall can also be good for companies with several branch offices since the setups at these offices are often the same and it's likely that one design can be used for many of the networks.

Table 130 Device Mode (Router Mode) (continued)

Bridge: Select this radio button and configure the following fields, then click Apply to set the ZyWALL to bridge mode.
IP Address: Enter the IP address of your ZyWALL in dotted decimal notation.
IP Subnet Mask: Enter the IP subnet mask of the ZyWALL.
Gateway IP Address: Enter the gateway IP address.
Apply: Click Apply to save your changes back to the ZyWALL.

Table 131 Device Mode (Bridge Mode) (continued)

Device Mode Setup
Router: Select this radio button and click Apply to set the ZyWALL to router mode.
LAN Interface
IP Address: Enter the IP address of your ZyWALL’s LAN port in dotted decimal notation. 192.168.1.1 is the factory default.
LAN Interface Subnet Mask: Enter the IP subnet mask of the ZyWALL’s LAN port.

Figure 192 Firmware Upload

The following table describes the labels in this screen.

Table 132 Firmware Upload

File Path: Type in the location of the file you want to upload in this field or click Browse ... to find it.
Browse...: Click Browse... to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them.
Upload: Click Upload to begin the upload process.

Figure 194 Network Temporarily Disconnected

After two minutes, log in again and check your new firmware version in the HOME screen. If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen.

Figure 195 Firmware Upload Error

22.11 Backup and Restore

See Section 35.5 on page 476 for transferring configuration files using FTP/TFTP commands. Click MAINTENANCE > Backup & Restore.

Figure 196 Backup and Restore

22.11.1 Backup Configuration

Backup Configuration allows you to back up (save) the ZyWALL’s current configuration to a file on your computer. Once your ZyWALL is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup configuration file will be useful in case you need to return to your previous settings.

Note: Do not turn off the ZyWALL while configuration file upload is in progress.

After you see a “restore configuration successful” screen, you must then wait one minute before logging into the ZyWALL again.

Figure 197 Configuration Upload Successful

The ZyWALL automatically restarts in this time, causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.

22.11.3 Back to Factory Defaults

Pressing the Reset button in this section clears all user-entered configuration information and returns the ZyWALL to its factory defaults as shown on the screen. The following warning screen will appear.

Figure 200 Reset Warning Message

You can also press the RESET button on the rear panel to reset the factory defaults of your ZyWALL. Refer to Section 2.3 on page 54 for more information on the RESET button.

22.
CHAPTER 23 Introducing the SMT

This chapter explains how to access the System Management Terminal and gives an overview of its menus.

23.1 Introduction to the SMT

The ZyWALL’s SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection.

Figure 202 Initial Screen

Copyright (c) 1994 - 2006 ZyXEL Communications Corp.
initialize ch =0, ethernet address: 00:A0:C5:01:23:45
initialize ch =1, ethernet address: 00:A0:C5:01:23:46
AUX port init . done
Modem init . inactive
Press ENTER to continue...

23.2.2 Entering the Password

The login screen appears after you press [ENTER], prompting you to enter the password, as shown below. For your first login, enter the default password “1234”.

Table 134 Main Menu Commands

Move the cursor ([ENTER] or [UP]/[DOWN] arrow keys): Within a menu, press [ENTER] to move to the next field. You can also use the [UP]/[DOWN] arrow keys to move to the previous and the next field, respectively. When you are at the top of a menu, press the [UP] arrow key to move to the bottom of a menu.
Entering information: Fill in, or press [SPACE BAR], then press [ENTER] to select from choices.

Figure 204 Main Menu (Router Mode)

Copyright (c) 1994 - 2005 ZyXEL Communications Corp.

ZyWALL 2 Plus Main Menu

Getting Started
  1. General Setup
  2. WAN Setup
  3. LAN Setup
  4. Internet Access Setup

Advanced Management
  21. Filter and Firewall Setup
  22. SNMP Configuration
  23. System Password
  24. System Maintenance
  26. Schedule Setup

Advanced Applications
  11. Remote Node Setup
  12. Static Routing Setup
  15. NAT Setup

  99.

The following table describes the fields in this menu.

Table 135 Main Menu Summary

1 General Setup: Use this menu to set up device mode, dynamic DNS and administrative information.
2 WAN Setup: Use this menu to clone a MAC address from a computer on your LAN and configure the backup WAN dial-up connection.
3 LAN Setup: Use this menu to apply LAN filters, configure LAN DHCP and TCP/IP settings.

Table 136 SMT Menus Overview (continued)

11 Remote Node Setup
  11.1 Remote Node Profile
    11.1.2 Remote Node Network Layer Options
    11.1.4 Remote Node Filter
    11.1.5 Traffic Redirect Setup
  11.2 Remote Node Profile (Backup ISP)
    11.2.1 Remote Node PPP Options
    11.2.2 Remote Node Network Layer Options
    11.2.3 Remote Node Script
    11.2.4 Remote Node Filter
12 Static Routing Setup
  12.1 Edit Static Route Setup
15 NAT Setup
  15.1 Address Mapping Sets
    15.1.

Table 136 SMT Menus Overview (continued)

24 System Maintenance
  24.1 System Status
  24.2 System Information and Console Port Speed
    24.2.1 System Information
    24.2.2 Console Port Speed
  24.3 Log and Trace
    24.3.1 View Error Log
    24.3.2 Syslog Logging
    24.3.4 Call-Triggering Packet
  24.4 Diagnostic
  24.5 Backup Configuration
  24.6 Restore Configuration
  24.7 Upload Firmware
    24.7.1 Upload System Firmware
    24.7.2 Upload System Configuration File
  24.

3 Type your new system password and press [ENTER].
4 Re-type your new system password for confirmation and press [ENTER]. Note that as you type a password, the screen displays an “x” for each character you type.

23.5 Resetting the ZyWALL

See Section 2.3 on page 54 for directions on resetting the ZyWALL.
CHAPTER 24 SMT Menu 1 - General Setup

Menu 1 - General Setup contains administrative and system-related information.

24.1 Introduction to General Setup

Menu 1 - General Setup contains administrative and system-related information.

24.2 Configuring General Setup

1 Enter 1 in the main menu to open Menu 1 - General Setup.
2 The Menu 1 - General Setup screen appears, as shown next. Fill in the required fields.

Table 137 Menu 1: General Setup (Router Mode) (continued)

Edit Dynamic DNS: Press [SPACE BAR] and then [ENTER] to select Yes or No (default). Select Yes to configure Menu 1.1: Configure Dynamic DNS discussed next.

When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel.

24.2.1 Configuring Dynamic DNS

To configure Dynamic DNS, set the ZyWALL to router mode in menu 1 or in the MAINTENANCE Device Mode screen and go to Menu 1 - General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1 - Configure Dynamic DNS (shown next).

Figure 209 Menu 1.1: Configure Dynamic DNS

Menu 1.1 - Configure Dynamic DNS
Service Provider= WWW.DynDNS.

Figure 210 Menu 1.1.1: DDNS Host Summary

Menu 1.1.

Figure 211 Menu 1.1.1: DDNS Edit Host

Menu 1.1.1 - DDNS Edit Host

Hostname= MyDevice
DDNS Type= DynamicDNS
Enable Wildcard Option= No
Enable Off Line Option= N/A
IP Address Update Policy:
  Let DDNS Server Auto Detect= No
  Use User-Defined= No
  Use WAN IP Address= N/A

Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this screen.

Table 141 Menu 1.1.1: DDNS Edit Host

Host Name: Enter your host name in this field.

Table 141 Menu 1.1.1: DDNS Edit Host (continued)

Let DDNS Server Auto Detect: Only select this option when there are one or more NAT routers between the ZyWALL and the DDNS server. Press [SPACE BAR] to select Yes and then press [ENTER] to have the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address.
CHAPTER 25 WAN and Dial Backup Setup

This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.1 and 11.1.

25.1 Introduction to WAN and Dial Backup Setup

This chapter explains how to configure settings for your WAN port and how to configure the ZyWALL for a dial backup connection.

25.2 WAN Setup

From the main menu, enter 2 to open menu 2.

The following table describes the fields in this screen.

Table 142 MAC Address Cloning in WAN Setup

MAC Address Assigned By: Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC Address. Choose Factory Default to select the factory assigned default MAC Address. Choose IP address attached on LAN to use the MAC Address of that computer whose IP you give in the following field.

Figure 213 Menu 2: Dial Backup Setup

Menu 2 - WAN Setup

MAC Address:
  Assigned By= Factory default
  IP Address= N/A

Dial-Backup:
  Active= No
  Port Speed= 115200
  AT Command String:
    Init= at&fs0=0
  Edit Advanced Setup= Yes

Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this menu.

Table 143 Menu 2: Dial Backup Setup

Dial-Backup: Active: Use this field to turn the dial-backup feature on (Yes) or off (No).

Figure 214 Menu 2.1: Advanced WAN Setup

Menu 2.1 - Advanced WAN Setup

AT Command Strings:
  Dial= atdt
  Drop= ~~+++~~ath
  Answer= ata
  Drop DTR When Hang Up= Yes

Call Control:
  Dial Timeout(sec)= 60
  Retry Count= 0
  Retry Interval(sec)= N/A
  Drop Timeout(sec)= 20
  Call Back Delay(sec)= 15

AT Response Strings:
  CLID= NMBR =
  Called Id=
  Speed= CONNECT

Press ENTER to Confirm or ESC to Cancel:

The following table describes fields in this menu.

Table 145 Advanced WAN Port Setup: Call Control Parameters

Call Control
Dial Timeout (sec): Enter a number of seconds for the ZyWALL to keep trying to set up an outgoing call before timing out (stopping). The ZyWALL times out and stops if it cannot set up an outgoing call within the timeout value.
Retry Count: Enter a number of times for the ZyWALL to retry a busy or no-answer phone number before blacklisting the number.

Figure 215 Menu 11.2: Remote Node Profile (Backup ISP)

Menu 11.

Table 146 Menu 11.2: Remote Node Profile (Backup ISP) (continued)

Edit IP: This field leads to a “hidden” menu. Press [SPACE BAR] to select Yes and press [ENTER] to go to Menu 11.2.2 - Remote Node Network Layer Options. See Section 25.8 on page 388 for more information.
Edit Script Options: Press [SPACE BAR] to select Yes and press [ENTER] to edit the AT script for the dial backup remote node (Menu 11.2.3 - Remote Node Script). See Section 25.

Figure 216 Menu 11.2.1: Remote Node PPP Options

Menu 11.2.1 - Remote Node PPP Options

Encapsulation= Standard PPP
Compression= No

Enter here to CONFIRM or ESC to CANCEL:

This table describes the Remote Node PPP Options Menu, and contains instructions on how to configure the PPP options fields.

Table 147 Menu 11.2.

Figure 217 Menu 11.2.2: Remote Node Network Layer Options

Menu 11.2.2 - Remote Node Network Layer Options

IP Address Assignment= Static
Rem IP Addr= 0.0.0.0
Rem Subnet Mask= 0.0.0.0
My WAN Addr= 0.0.0.0
Network Address Translation= SUA Only
Metric= 15
Private= No
RIP Direction= None
  Version= N/A
Multicast= None

Enter here to CONFIRM or ESC to CANCEL:

The following table describes the fields in this menu.

Table 148 Menu 11.2.

Table 148 Menu 11.2.2: Remote Node Network Layer Options

Version: Press [SPACE BAR] and then [ENTER] to select the RIP version from RIP-1, RIP-2B and RIP-2M.
Multicast: IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group. The ZyWALL supports both IGMP version 1 (IGMPv1) and version 2 (IGMP-v2). Press the [SPACE BAR] to enable IP Multicasting or select None to disable it.

after you enter the password, then you should create a third set to match the final “PPP...” but without a “Send” string. Otherwise, the ZyWALL will start PPP prematurely right after sending your password to the server. If there are errors in the script and it gets stuck at a set for longer than the “Dial Timeout” in menu 2 (default 60 seconds), the ZyWALL will time out and drop the line. To debug a script, go to Menu 24.

Use menu 11.2.4 to specify the filter set(s) to apply to the incoming and outgoing traffic between this remote node and the ZyWALL to prevent certain packets from triggering calls. You can specify up to four filter sets separated by commas, for example, 1, 5, 9, 12, in each filter field. Note that spaces are accepted in this field. Please refer to Chapter 32 on page 437 for more information on defining the filters.

Figure 219 Menu 11.2.4: Remote Node Filter

Menu 11.2.
CHAPTER 26 LAN Setup
This chapter describes how to configure the LAN using Menu 3 - LAN Setup.
26.1 Introduction to LAN Setup
This chapter describes how to configure the ZyWALL for LAN connections.
26.2 Accessing the LAN Menus
From the main menu, enter 3 to open Menu 3 - LAN Setup.
Figure 220 Menu 3: LAN Setup
Menu 3 - LAN Setup
  1. LAN Port Filter Setup
  2. TCP/IP and DHCP Setup
  Enter Menu Selection Number:
26.

Figure 221 Menu 3.1: LAN Port Filter Setup
Menu 3.1 - LAN Port Filter Setup
  Input Filter Sets:
    protocol filters=
    device filters=
  Output Filter Sets:
    protocol filters=
    device filters=
  Press ENTER to Confirm or ESC to Cancel:
26.4 TCP/IP and DHCP Ethernet Setup Menu
From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup.
Figure 222 Menu 3: TCP/IP and DHCP Setup
Menu 3 - LAN Setup
  1. LAN Port Filter Setup
  2.

Figure 223 Menu 3.2: TCP/IP and DHCP Ethernet Setup
Menu 3.2 - TCP/IP and DHCP Ethernet Setup
  DHCP= Server
  Client IP Pool:
    Starting Address= 192.168.1.33
    Size of Client IP Pool= 128 255.255.255.0
  First DNS Server= From ISP
    IP Address= N/A
  Second DNS Server= From ISP
    IP Address= N/A
  Third DNS Server= From ISP
    IP Address= N/A
  DHCP Server Address= N/A
  TCP/IP Setup:
    IP Address= 192.168.1.

Table 150 Menu 3.2: DHCP Ethernet Setup Fields
FIELD  DESCRIPTION
First DNS Server, Second DNS Server, Third DNS Server: The ZyWALL passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients. Select From ISP if your ISP dynamically assigns DNS server information (and the ZyWALL's WAN IP address). The IP Address field below displays the (read-only) DNS server IP address that the ISP assigns.

26.4.1 IP Alias Setup
IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LAN network. You must use menu 3.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to configure the second and third network.

Table 152 Menu 3.2.1: IP Alias Setup (continued)
FIELD  DESCRIPTION
Outgoing Protocol Filters: Enter the filter set(s) you wish to apply to the outgoing traffic between this node and the ZyWALL.
When you have completed this menu, press [ENTER] at the prompt [Press ENTER to Confirm…] to save your configuration, or press [ESC] at any time to cancel.
CHAPTER 27 Internet Access
This chapter shows you how to configure your ZyWALL for Internet access.
27.1 Introduction to Internet Access Setup
Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet. There are three different menu 4 screens depending on whether you chose Ethernet, PPTP or PPPoE Encapsulation. Contact your ISP to determine what encapsulation type you should use. 27.

The following table describes the fields in this menu.
Table 153 Menu 4: Internet Access Setup (Ethernet)
FIELD  DESCRIPTION
ISP’s Name: This is the descriptive name of your ISP for identification purposes.
Encapsulation: Press [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for the IP Address field.

27.3 Configuring the PPTP Client
Note: The ZyWALL supports only one PPTP server connection at any given time.
To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection. After configuring My Login and Password for PPP connection, press [SPACE BAR] and then [ENTER] in the Encapsulation field in Menu 4 - Internet Access Setup to choose PPTP as your encapsulation option.

Figure 227 Internet Access Setup (PPPoE)
Menu 4 - Internet Access Setup
  ISP's Name= WAN_1
  Encapsulation= PPPoE
  Service Type= N/A
  My Login=
  My Password= ********
  Retype to Confirm= ********
  Idle Timeout= 100
  IP Address Assignment= Dynamic
    IP Address= N/A
    IP Subnet Mask= N/A
    Gateway IP Address= N/A
  Network Address Translation= SUA Only
  Press ENTER to Confirm or ESC to Cancel:
The following table contains instructions about the new fields when you choose PPPoE in the Encapsulation f
CHAPTER 28 Remote Node Setup
This chapter shows you how to configure a remote node.
28.1 Introduction to Remote Node Setup
A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note that when you use menu 4 to set up Internet access, you are actually configuring a remote node. The following describes how to configure Menu 11.

28.3.1 Ethernet Encapsulation
There are three variations of menu 11.x depending on whether you choose Ethernet Encapsulation, PPPoE Encapsulation or PPTP Encapsulation. You must choose the Ethernet option when the WAN port is used as a regular Ethernet. The first menu 11.x screen you see is for Ethernet encapsulation shown next.
Figure 229 Menu 11.1: Remote Node Profile for Ethernet Encapsulation Menu 11.

Table 156 Menu 11.1: Remote Node Profile for Ethernet Encapsulation (continued)
FIELD  DESCRIPTION
My Login: This field is applicable for PPPoE encapsulation only. Enter the login name assigned by your ISP when the ZyWALL calls this remote node. Some ISPs append this field to the Service Name field above (e.g., jim@poellc) to access the PPPoE server.
My Password: Enter the password assigned by your ISP when the ZyWALL calls this remote node. Valid for PPPoE encapsulation only.

Figure 230 Menu 11.1: Remote Node Profile for PPPoE Encapsulation Menu 11.

28.3.2.3 Metric
See Section 7.2 on page 109 for details on the Metric field.
Table 157 Fields in Menu 11.1 (PPPoE Encapsulation Specific)
FIELD  DESCRIPTION
Service Name: If you are using PPPoE encapsulation, then type the name of your PPPoE service here. Only valid with PPPoE encapsulation.
Authen: This field sets the authentication protocol used for outgoing calls.

Figure 231 Menu 11.1: Remote Node Profile for PPTP Encapsulation Menu 11.

Figure 232 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation Menu 11.1.

Table 159 Remote Node Network Layer Options Menu Fields (continued)
FIELD  DESCRIPTION
NAT Lookup Set: If you select SUA Only in the Network Address Translation field, it displays 255 and indicates the SMT will use the pre-configured Set 255 (read only) in menu 15.1. If you select Full Feature or None in the Network Address Translation field, it displays 1, 2 or 3 and indicates the SMT will use the pre-configured Set 1 in menu 15.1 for the first WAN port, Set 2 in menu 15.

Figure 233 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation)
Menu 11.1.4 - Remote Node Filter
  Input Filter Sets:
    protocol filters=
    device filters=
  Output Filter Sets:
    protocol filters=
    device filters=
  Enter here to CONFIRM or ESC to CANCEL:
Figure 234 Menu 11.1.4: Remote Node Filter (PPPoE or PPTP Encapsulation) Menu 11.1.

Figure 235 Menu 11.1.5: Traffic Redirect Setup
Menu 11.1.5 - Traffic Redirect Setup
  Active= Yes
  Configuration:
    Backup Gateway IP Address= 0.0.0.0
    Metric= 14
    Check WAN IP Address= 0.0.0.0
    Fail Tolerance= 10
    Period(sec)= 300
    Timeout(sec)= 8
  Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this menu. Table 160 Menu 11.1.
CHAPTER 29 IP Static Route Setup
This chapter shows you how to configure static routes with your ZyWALL.
29.1 IP Static Route Setup
Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.1.
Note: The first static route entry is for the default WAN route. You cannot modify or delete a static default route. The name of the default static route is left blank unless you configure a static WAN IP address.

Figure 237 Menu 12.1: Edit IP Static Route
Menu 12.1 - Edit IP Static Route
  Route #: 3
  Route Name= ?
  Active= No
  Destination IP Address= ?
  IP Subnet Mask= ?
  Gateway IP Address= ?
  Metric= 2
  Private= No
  Press ENTER to CONFIRM or ESC to CANCEL:
The following table describes the IP Static Route Menu fields.
Table 161 Menu 12.1: Edit IP Static Route
FIELD  DESCRIPTION
Route #: This is the index number of the static route that you chose in menu 12.
CHAPTER 30 Network Address Translation (NAT)
This chapter discusses how to configure NAT on the ZyWALL.
30.1 Using NAT
Note: You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL.
30.1.1 SUA (Single User Account) Versus NAT
SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. See Section 30.2.

Figure 238 Menu 4: Applying NAT for Internet Access
Menu 4 - Internet Access Setup
  ISP's Name= ChangeMe
  Encapsulation= Ethernet
  Service Type= Standard
  My Login= N/A
  My Password= N/A
  Retype to Confirm= N/A
  Login Server= N/A
  Relogin Every (min)= N/A
  IP Address Assignment= Dynamic
    IP Address= N/A
    IP Subnet Mask= N/A
    Gateway IP Address= N/A
  Network Address Translation= SUA Only
  Press ENTER to Confirm or ESC to Cancel:
The following figure shows how you apply NAT to the remote node i

The following table describes the fields in this menu.
Table 162 Applying NAT in Menus 4 & 11.1.2
FIELD  DESCRIPTION  OPTIONS
Network Address Translation / Full Feature: When you select this option the SMT will use Address Mapping Set 1 (menu 15.1 - see Section 30.2.1 on page 417 for further discussion). You can configure any of the mapping types described in Chapter 14 on page 249. Choose Full Feature if you have multiple public WAN IP addresses for your ZyWALL.

Figure 241 Menu 15.1: Address Mapping Sets
Menu 15.1 - Address Mapping Sets
  1. NAT_SET
  255. SUA (read only)
  Enter Menu Selection Number:
30.2.1.1 SUA Address Mapping Set
Enter 255 to display the next screen (see also Section 30.1.1 on page 415). The fields in this menu cannot be changed.
Figure 242 Menu 15.1.255: SUA Address Mapping Rules
Menu 15.1.255 - Address Mapping Rules
  Set Name= SUA
  Idx  Local Start IP
  ---  --------------
  1.   0.0.0.
  2.
  3.
  4.
  5.
  6.
  7.
  8.
  9.
  10.

Table 163 SUA Address Mapping Rules
FIELD  DESCRIPTION
Local End IP: Local End IP is the ending local IP address (ILA). If the rule is for all local IPs, then the start IP is 0.0.0.0 and the end IP is 255.255.255.255.
Global Start IP: This is the starting global IP address (IGA). If you have a dynamic IP, enter 0.0.0.0 as the Global Start IP.
Global End IP: This is the ending global IP address (IGA).
Type: These are the mapping types discussed above.

30.2.1.3 Ordering Your Rules
Ordering your rules is important because the ZyWALL applies the rules in the order that you specify. When a rule matches the current packet, the ZyWALL takes the corresponding action and the remaining rules are ignored. If there are any empty rules before your new configured rule, your configured rule will be pushed up by that number of empty rules.

Figure 244 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set
Menu 15.1.1.1 Address Mapping Rule
  Type= One-to-One
  Local IP:
    Start=
    End = N/A
  Global IP:
    Start=
    End = N/A
  Server Mapping Set= N/A
  Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this menu.
Table 165 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set
FIELD  DESCRIPTION
Type: Press [SPACE BAR] and then [ENTER] to select from a total of five types.

30.3 Configuring a Server Behind NAT
Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.
Follow these steps to configure a server behind NAT:
1 Enter 15 in the main menu to go to Menu 15 - NAT Setup.
2 Enter 2 to open Menu 15.2 - NAT Server Setup (and configure the address mapping rules for the WAN port).
Figure 245 Menu 15.2.1: NAT Server Sets Menu 15.

Figure 246 15.2.x: NAT Server Configuration
15.2.3 - NAT Server Configuration
  Index= 2
  -----------------------------------------------
  Name= 1
  Active= Yes
  Start port= 21
  End port= 25
  IP Address= 192.168.1.33
  Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this screen.
Table 166 15.2.x: NAT Server Configuration
FIELD  DESCRIPTION
Index: This is the index number of an individual port forwarding server entry.

Figure 247 Menu 15.2: NAT Server Setup
Menu 15.2 - NAT Server Setup
  Default Server: 0.0.0.0
  Rule  Act.  Start Port  End Port  IP Address
  -----------------------------------------------------
  001   No    0           0         0.0.0.0
  002   Yes   21          25        192.168.1.33
  003   No    0           0         0.0.0.0
  004   No    0           0         0.0.0.0
  005   No    0           0         0.0.0.0
  006   No    0           0         0.0.0.0
  007   No    0           0         0.0.0.0
  008   No    0           0         0.0.0.0
  009   No    0           0         0.0.0.0
  010   No    0           0         0.0.0.

Figure 249 NAT Example 1
Figure 250 Menu 4: Internet Access & NAT Example
Menu 4 - Internet Access Setup
  ISP's Name= ChangeMe
  Encapsulation= Ethernet
  Service Type= Standard
  My Login= N/A
  My Password= N/A
  Retype to Confirm= N/A
  Login Server= N/A
  Relogin Every (min)= N/A
  IP Address Assignment= Dynamic
    IP Address= N/A
    IP Subnet Mask= N/A
    Gateway IP Address= N/A
  Network Address Translation= SUA Only
  Press ENTER to Confirm or ESC to Cancel:
From menu 4 shown above, simply choose the

30.4.2 Example 2: Internet Access with a Default Server
Figure 251 NAT Example 2
In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2 to specify the Default Server behind the NAT as shown in the next figure.
Figure 252 Menu 15.2: Specifying an Inside Server
Menu 15.2 - NAT Server Setup
  Default Server: 192.168.1.10
  Rule  Act.  Start Port  End Port  IP Address
  -----------------------------------------------------
  001   No    0           0         0.

1 Map the first IGA to the first inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses).
2 Map the second IGA to our second inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses).
3 Map the other outgoing LAN traffic to IGA3 (Many : 1 mapping).
4 You also map your third IGA to the web server and mail server on the LAN.

7 When finished, menu 15.1.1 should look as shown in Figure 256 on page 429.
Figure 254 Example 3: Menu 11.1.2
Menu 11.1.2 - Remote Node Network Layer Options
  IP Address Assignment= Dynamic
  IP Address= N/A
  IP Subnet Mask= N/A
  Gateway IP Addr= N/A
  Network Address Translation= SUA Only
  Metric= 2
  Private=
  RIP Direction= None
  Version= N/A
  Multicast= None
  Enter here to CONFIRM or ESC to CANCEL:
The following figure shows how to configure the first rule.

Figure 256 Example 3: Final Menu 15.1.1
Menu 15.1.1 - Address Mapping Rules
  Set Name= Example3
  Idx  Local Start IP   Local End IP      Global Start IP  Global End IP  Type
  ---  ---------------  ---------------   ---------------  -------------  ----
  1.   192.168.1.10                       10.132.50.1                     1-1
  2.   192.168.1.11                       10.132.50.2                     1-1
  3.   0.0.0.0          255.255.255.255   10.132.50.3                     M-1
  4.                                      10.132.50.
  5.
  6.
  7.
  8.
  9.
  10.

Figure 257 Example 3: Menu 15.2
Menu 15.2 - NAT Server Setup
  Default Server: 0.0.0.0
  Rule  Act.  Start Port  End Port  IP Address
  -----------------------------------------------------
  001   Yes   80          80        192.168.1.21
  002   Yes   25          25        192.168.1.20
  003   No    0           0         0.0.0.0
  004   No    0           0         0.0.0.0
  005   No    0           0         0.0.0.0
  006   No    0           0         0.0.0.0
  007   No    0           0         0.0.0.0
  008   No    0           0         0.0.0.0
  009   No    0           0         0.0.0.0
  010   No    0           0         0.0.0.0
  Select Command= None
  Select Rule= N/A
  Press ENTER to Confirm or ESC to Cancel:
30.4.

Follow the steps outlined in example 3 above to configure these two menus as follows.
Figure 259 Example 4: Menu 15.1.1.1: Address Mapping Rule
Menu 15.1.1.1 Address Mapping Rule
  Type= Many-One-to-One
  Local IP:
    Start= 192.168.1.10
    End = 192.168.1.12
  Global IP:
    Start= 10.132.50.1
    End = 10.132.50.3
  Press ENTER to Confirm or ESC to Cancel:
After you’ve configured your rule, you should be able to check the settings in menu 15.1.1 as shown next.

Figure 260 Example 4: Menu 15.1.1: Address Mapping Rules
Menu 15.1.1 - Address Mapping Rules
  Set Name= Example4
  Idx  Local Start IP  Local End IP   Global Start IP  Global End IP  Type
  ---  --------------  -------------  ---------------  -------------  -----
  1.   192.168.1.10    192.168.1.12   10.132.50.1      10.132.50.3    M-1-1
  2.
  3.
  4.
  5.
  6.
  7.
  8.
  9.
  10.
  Action= Edit
  Select Rule=
  Press ENTER to Confirm or ESC to Cancel:
30.
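The following Python is an added illustration, not part of the guide or of ZyNOS: it models how a menu 15.1.1 address mapping set is consulted for outgoing LAN traffic (first matching rule wins, empty slots are skipped, as Section 30.2.1.3 describes) using the 1-1, M-1 and M-1-1 rules of Examples 3 and 4. The mapping semantics of each type are my reading of Table 163 and the examples; the Server rule (rule 4 of Example 3, whose ports appear in menu 15.2) is left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class MappingRule:
    """One row of Menu 15.1.1 - Address Mapping Rules (my reading of Table 163)."""
    local_start: str
    local_end: Optional[str]    # N/A (None) for a 1-1 rule, as in Figure 244
    global_start: str
    global_end: Optional[str]   # N/A (None) for 1-1 and M-1 rules
    type: str                   # "1-1", "M-1" or "M-1-1"


def _n(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _a(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def translate_outgoing(rules: List[Optional[MappingRule]], src: str) -> Optional[str]:
    """Return the global (IGA) address an outgoing packet from local address src
    is rewritten to, or None when no rule in the set matches.

    Rules are tried in index order and the first match wins (Section 30.2.1.3);
    empty slots (None) are skipped, which is why the guide warns that empty rules
    ahead of a configured one shift its effective position.
    """
    s = _n(src)
    for rule in rules:
        if rule is None:
            continue
        lo = _n(rule.local_start)
        hi = _n(rule.local_end) if rule.local_end else lo
        if not lo <= s <= hi:
            continue
        if rule.type in ("1-1", "M-1"):
            # One-to-One: a single ILA to a single IGA.
            # Many-to-One: every ILA in the range shares one IGA (SUA style).
            return rule.global_start
        if rule.type == "M-1-1":
            # Many One-to-One: the n-th local address maps to the n-th global
            # address. Assumption: a local range longer than the global range
            # leaves the excess local addresses unmapped.
            g = _n(rule.global_start) + (s - lo)
            g_hi = _n(rule.global_end) if rule.global_end else g
            return _a(g) if g <= g_hi else None
        raise ValueError(f"unsupported mapping type {rule.type!r}")
    return None


def example3_rules() -> List[Optional[MappingRule]]:
    """Rules 1-3 of Figure 256 (two FTP servers on dedicated IGAs, then a catch-all)."""
    return [
        MappingRule("192.168.1.10", None, "10.132.50.1", None, "1-1"),
        MappingRule("192.168.1.11", None, "10.132.50.2", None, "1-1"),
        MappingRule("0.0.0.0", "255.255.255.255", "10.132.50.3", None, "M-1"),
    ]


def example4_rules() -> List[Optional[MappingRule]]:
    """The single Many-One-to-One rule of Figures 259 and 260."""
    return [
        None,  # an empty slot ahead of the rule, to show it is simply skipped
        MappingRule("192.168.1.10", "192.168.1.12", "10.132.50.1", "10.132.50.3", "M-1-1"),
    ]


if __name__ == "__main__":
    for src in ("192.168.1.10", "192.168.1.11", "192.168.1.20"):
        print("Example 3:", src, "->", translate_outgoing(example3_rules(), src))
    # Same rules with the M-1 catch-all first: the FTP servers lose their own IGAs,
    # which is the ordering pitfall Section 30.2.1.3 warns about.
    print("Misordered:", translate_outgoing(list(reversed(example3_rules())), "192.168.1.10"))
    for src in ("192.168.1.10", "192.168.1.12", "192.168.1.13"):
        print("Example 4:", src, "->", translate_outgoing(example4_rules(), src))
```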
Note: Only one LAN computer can use a trigger port (range) at a time.
Enter 3 in menu 15 to display Menu 15.3 - Trigger Ports.
Figure 261 Menu 15.3: Trigger Port Setup
Menu 15.3 - Trigger Port Setup
  Rule  Name        Incoming              Trigger
                    Start Port  End Port  Start Port  End Port
  -------------------------------------------------------------
  1.    Real Audio  6970        7170      7070        7070
  2.                0           0         0           0
  3.                0           0         0           0
  4.                0           0         0           0
  5.                0           0         0           0
  6.                0           0         0           0
  7.                0           0         0           0
  8.                0           0         0           0
  9.                0           0         0           0
  10.               0           0         0           0
  11.               0           0         0           0
  12.
CHAPTER 31 Introducing the ZyWALL Firewall
This chapter shows you how to get started with the ZyWALL firewall.
31.1 Accessing the Firewall Settings
The web configurator is, by far, the most comprehensive firewall configuration tool your ZyWALL has to offer. For this reason, it is recommended that you configure your firewall using the web configurator. SMT screens allow you to activate the firewall.

Figure 263 Menu 21.2: Firewall Setup
Menu 21.2 - Firewall Setup
  The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off.
  Refer to the User's Guide for details about the firewall default policies. You may define additional policy rules or modify existing ones but please exercise extreme caution in doing so.
  Active: Yes
  You can use the Web Configurator to configure the firewall.
CHAPTER 32 Filter Configuration
This chapter shows you how to create and apply filters.
32.1 Introduction to Filters
Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later. Data filtering screens the data to determine if the packet should be allowed to pass.

32.1.1 The Filter Structure of the ZyWALL
A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The ZyWALL allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system. You cannot mix device filter rules and protocol filter rules within the same set.

Figure 265 Filter Rule Process
You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.

32.2 Packet Filtering Versus Firewall
Below are some comparisons between the ZyWALL’s filtering and firewall functions.
32.2.1 Packet Filtering
Packet filtering restricts access based on the source/destination computer network address of a packet and the type of application.
• The router filters packets as they pass through the router’s interface according to the filter rules you designed.

32.2.2.1 When To Use The Firewall
1 To prevent DoS attacks and prevent hackers cracking your network.
2 A range of source and destination IP addresses as well as port numbers can be specified within one firewall rule, making the firewall a better choice when complex rules are required.
3 To selectively block/allow inbound or outbound traffic between inside hosts/networks and outside hosts/networks.

Figure 267 Menu 21.1: Filter Set Configuration Menu 21.

The protocol dependent filter rule abbreviations are listed as follows:
Table 170 Rule Abbreviations Used
ABBREVIATION  DESCRIPTION
IP
  Pr   Protocol
  SA   Source Address
  SP   Source Port number
  DA   Destination Address
  DP   Destination Port number
GEN
  Off  Offset
  Len  Length
Refer to the next section for information on configuring the filter rules.
32.3.1 Configuring a Filter Rule
To configure a filter rule, type its number in Menu 21.1.

Figure 268 Menu 21.1.1.1: TCP/IP Filter Rule Menu 21.1.1.

Table 171 Menu 21.1.1.1: TCP/IP Filter Rule
FIELD  DESCRIPTION
Port #: Enter the source port of the packets that you wish to filter. The range of this field is 0 to 65535. This field is ignored if it is 0.
Port # Comp: Press [SPACE BAR] and then [ENTER] to select the comparison to apply to the source port in the packet against the value given in Source: Port #. Options are None, Equal, Not Equal, Less and Greater.

Figure 269 Executing an IP Filter
32.3.3 Configuring a Generic Filter Rule
This section shows you how to configure a generic filter rule.

to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyWALL treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes. The ZyWALL applies the Mask (bit-wise ANDing) to the data portion before comparing the result against the Value to determine a match.

Table 172 Generic Filter Rule Menu Fields
FIELD  DESCRIPTION
More: If Yes, a matching packet is passed to the next filter rule before an action is taken; else the packet is disposed of according to the action fields. If More is Yes, then Action Matched and Action Not Matched will be No.
Log: Select the logging option from the following: None - No packets will be logged. Action Matched - Only packets that match the rule parameters will be logged.
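As an added example (mine, not the guide's or ZyNOS code), the Python below models the generic filter rule match described above, Offset and Length selecting a window of the byte stream, Mask ANDed in, result compared with Value, together with the More chaining of Table 172 and the F/D action letters of the rule summary screen. The sample frames are constructed; the assumptions beyond the guide's text (offset 0 is the first byte of the Ethernet frame, "N" means check the next rule, a failed More chain and an exhausted set both forward the packet) are marked in the comments.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class GenericRule:
    """A generic filter rule with the field names of Table 172 / Table 170."""
    active: bool
    offset: int          # byte offset from 0 into the packet (Off)
    length: int          # number of bytes to examine (Len)
    mask: bytes          # bit-wise ANDed with the examined bytes
    value: bytes         # compared with the masked bytes
    more: bool           # More= Yes: a match continues to the next rule before any action
    action_matched: str  # summary-screen letters: "F" forward, "D" drop, "N" check next (assumed)
    action_not_matched: str


def rule_matches(rule: GenericRule, packet: bytes) -> bool:
    """(packet[Offset:Offset+Length] AND Mask) == Value."""
    window = packet[rule.offset:rule.offset + rule.length]
    if len(window) < rule.length:
        return False  # assumption: a packet too short to hold the field does not match
    masked = bytes(b & m for b, m in zip(window, rule.mask))
    return masked == rule.value


def run_filter_set(rules: List[GenericRule], packet: bytes) -> str:
    """Walk one filter set in rule order and return "forward" or "drop".

    Assumptions beyond the guide's text: "N" moves on to the next rule, a
    More= Yes rule whose condition fails ends the chain with the packet
    forwarded, and a set that runs past its last rule forwards the packet.
    """
    i = 0
    while i < len(rules):
        rule = rules[i]
        if not rule.active:
            i += 1
            continue
        matched = rule_matches(rule, packet)
        if rule.more:
            if matched:
                i += 1      # chain: the next rule's condition is ANDed with this one
                continue
            return "forward"
        action = rule.action_matched if matched else rule.action_not_matched
        if action == "F":
            return "forward"
        if action == "D":
            return "drop"
        i += 1              # "N": check the next rule
    return "forward"


# Constructed sample frames (Ethernet II header followed by payload), not from the guide.
# EtherType 0x8137 is Novell IPX and 0x0800 is IPv4; with a 14-byte Ethernet header the
# IPv4 protocol byte (offset 9 of the IP header) sits at frame offset 23.
IPX_FRAME = bytes(12) + b"\x81\x37" + bytes(40)
IP_TCP_FRAME = bytes(12) + b"\x08\x00" + bytes([0x45, 0, 0, 0x28, 0, 0, 0, 0, 64, 6]) + bytes(30)
IP_UDP_FRAME = bytes(12) + b"\x08\x00" + bytes([0x45, 0, 0, 0x28, 0, 0, 0, 0, 64, 17]) + bytes(30)

# Set A: one rule that drops IPX frames, the non-IP case generic rules exist for.
DROP_IPX = [GenericRule(True, 12, 2, b"\xff\xff", b"\x81\x37", False, "D", "F")]

# Set B: a More= Yes chain, "EtherType is IPv4" AND "IP protocol is 6 (TCP)" -> drop.
# The first rule carries no actions of its own, as Table 172 says for More= Yes.
DROP_IP_TCP = [
    GenericRule(True, 12, 2, b"\xff\xff", b"\x08\x00", True, "N", "N"),
    GenericRule(True, 23, 1, b"\xff", b"\x06", False, "D", "F"),
]

if __name__ == "__main__":
    for name, frame in (("IPX", IPX_FRAME), ("IP/TCP", IP_TCP_FRAME), ("IP/UDP", IP_UDP_FRAME)):
        print(f"{name}: set A -> {run_filter_set(DROP_IPX, frame)}, "
              f"set B -> {run_filter_set(DROP_IP_TCP, frame)}")
```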
5 Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.3 - Filter Rules Summary.
6 Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in the following figure.
Figure 272 Example Filter: Menu 21.1.3.1
Menu 21.1.3.1 - TCP/IP Filter Rule
  Filter #: 3,1
  Filter Type= TCP/IP Filter Rule
  Active= Yes
  IP Protocol= 6
  IP Source Route= No
  Destination:
    IP Addr= 0.0.0.0
    IP Mask= 0.0.0.

Figure 273 Example Filter Rules Summary: Menu 21.1.3
Menu 21.1.3 - Filter Rules Summary
  #  A  Type  Filter Rules                           M  m  n
  -  -  ----  -------------------------------------  -  -  -
  1  Y  IP    Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23    N  D  F
  2  N
  3  N
  4  N
  5  N
  6  N
  Enter Filter Rule Number (1-6) to Configure: 1
This shows you that you have configured and activated (A = Y) a TCP/IP filter rule (Type = IP, Pr = 6) for destination telnet ports (DP = 23). M = N means an action can be taken immediately.

Figure 274 Protocol and Device Filter Sets
32.6 Firewall Versus Filters
Firewall configuration is discussed in Chapter 8 on page 131. Further comparisons are also made between filtering, NAT and the firewall.
32.7 Applying a Filter
This section shows you where to apply the filter(s) after you design it (them). The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP and HTTP connections.

Figure 275 Filtering LAN Traffic
Menu 3.1 - LAN Port Filter Setup
  Input Filter Sets:
    protocol filters=
    device filters=
  Output Filter Sets:
    protocol filters=
    device filters=
  Press ENTER to Confirm or ESC to Cancel:
32.7.2 Applying Remote Node Filters
Go to menu 11.1.4 (shown below – note that call filter sets are only present for PPPoE encapsulation) and enter the number(s) of the filter set(s) as appropriate.
CHAPTER 33 SNMP Configuration
This chapter explains SNMP configuration menu 22.
33.1 SNMP Configuration
To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The “community” for Get, Set and Trap fields is SNMP terminology for password.
Figure 277 Menu 22: SNMP Configuration
Menu 22 - SNMP Configuration
  SNMP:
    Get Community= public
    Set Community= public
    Trusted Host= 0.0.0.0
  Trap:
    Community= public
    Destination= 0.0.0.

Table 173 SNMP Configuration Menu Fields (continued)
FIELD  DESCRIPTION
Destination: Type the IP address of the station to send your SNMP traps to.
When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen. 33.

CHAPTER 34 System Information & Diagnosis
This chapter covers SMT menus 24.1 to 24.4.
34.1 Introduction to System Status
This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status and log and trace capabilities. Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown below.
Figure 278 Menu 24: System Maintenance
Menu 24 - System Maintenance
  1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11.

3 There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 drops the WAN connection, 9 resets the counters and [ESC] takes you back to the previous screen.
Figure 279 Menu 24.1: System Maintenance: Status
Menu 24.1 - System Maintenance - Status
  Port  Status     TxPkts  RxPkts  Cols
  WAN   100M/Full  9521    105390  0
  LAN   100M/Full  13438   10927   0

  Port  Ethernet Address   IP Address
  WAN   00:13:49:00:00:02  172.23.23.60
  LAN   00:13:49:00:00:01  192.168.1.
  System up Time:

Table 175 System Maintenance: Status Menu Fields (continued)
FIELD  DESCRIPTION
IP Address: This is the IP address of the port listed on the left.
IP Mask: This is the IP mask of the port listed on the left.
DHCP: This is the DHCP setting of the port listed on the left.
System up Time: This is the total time the ZyWALL has been on.
Name: This is the ZyWALL's system name + domain name assigned in menu 1. For example, System Name= xxx; Domain Name= baboo.mickey.com Name= xxx.

Figure 281 Menu 24.2.1: System Maintenance: Information
Menu 24.2.1 - System Maintenance - Information
  Name:
  Routing: IP
  ZyNOS F/W Version: V4.00(WM.0)b2 | 07/25/2005
  Country Code: 255
  LAN
    Ethernet Address: 00:A0:C5:01:23:45
    IP Address: 192.168.1.1
    IP Mask: 255.255.255.0
    DHCP: Server
  Press ESC or RETURN to Exit:
The following table describes the fields in this screen.

Figure 282 Menu 24.2.2: System Maintenance: Change Console Port Speed
Menu 24.2.2 - System Maintenance - Change Console Port Speed
  Console Port Speed: 9600
  Press ENTER to Confirm or ESC to Cancel:
  Press Space Bar to Toggle.
34.4 Log and Trace
There are two logging facilities in the ZyWALL. The first is the error logs and trace records that are stored locally. The second is the UNIX syslog facility for message logging. 34.4.

Figure 284 Examples of Error and Information Messages
  53 Thu Jul 1 05:54:53 2004 PINI  INFO  Channel 0 ok
  54 Thu Jul 1 05:54:56 2004 PP05 -WARN  SNMP TRAP 3: interf
  55 Thu Jul 1 05:54:56 2004 PP0d  INFO
  57 Thu Jul 1 05:54:56 2004 PP0d  INFO
  58 Thu Jul 1 05:54:56 2004 PINI  INFO
  59 Thu Jul 1 05:54:56 2004 PINI  INFO
  60 Thu Jul 1 05:55:26 2004 PSSV -WARN
  61 Thu Jul 1 05:56:56 2004 PINI  INFO
  62 Thu Jul 1 07:50:58 2004 PINI  INFO
  63 Thu Jul 1 07:53:28 2004 PINI  INFO
  Clear Error Log (y/n):

1 CDR
CDR Message Format
  SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String );
  String = board xx line xx channel xx, call xx, str
  board = the hardware board ID
  line = the WAN ID in a board
  Channel = channel ID within the WAN
  call = the call reference number which starts from 1 and increments by 1 for each new call
  str = C01 Outgoing Call dev xx ch xx (dev:device No. ch:channel No.

Filter log Message Format
  SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String );
  String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD
  IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m) drop (D).
  Src: Source Address
  Dst: Destination Address
  prot: Protocol ("TCP","UDP","ICMP")
  spo: Source port
  dpo: Destination port
  Mar 03 10:39:43 202.132.155.97 ZyXEL: GEN[fffffffffffnordff0080] }S05>R01mF
  Mar 03 10:41:29 202.132.155.
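The filter log format above is what a syslog collector receives from the ZyWALL, so the first thing a defender wants is a parser that turns each line into set, rule, verdict and the packet header. The Python below is an added example, not from the guide: it parses both the IP[...] and GEN[...] forms, tolerates the stray "}" seen in the guide's GEN line, and tallies which (set, rule) pairs are dropping or forwarding. All sample lines except the GEN one are constructed; the syslog prefix layout ("Mar 03 10:39:43 <device> ZyXEL: ") is taken from the guide's example lines.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Syslog prefix layout as in the guide's sample lines.
PREFIX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ZyXEL: (?P<body>.*)$")
# IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx]
IP_RE = re.compile(
    r"IP\[Src=(?P<src>[\d.]+) Dst=(?P<dst>[\d.]+) (?P<prot>[A-Z]+) "
    r"spo=(?P<spo>\d+) dpo=(?P<dpo>\d+)\]")
# GEN[<bytes examined by a generic rule>]
GEN_RE = re.compile(r"GEN\[(?P<data>[^\]]+)\]")
# S04>R01mD: set 4, rule 1, "m" = matched, D = dropped / F = forwarded
VERDICT_RE = re.compile(r"S(?P<set>\d+)>R(?P<rule>\d+)(?P<m>m?)(?P<act>[DF])")

ACTIONS = {"D": "drop", "F": "forward"}


def parse_filter_log(line: str) -> Optional[Dict]:
    """Parse one filter log line into a dict, or return None if it is not one."""
    pm = PREFIX_RE.match(line.strip())
    body = pm.group("body") if pm else line.strip()
    vm = VERDICT_RE.search(body)      # search, so a stray "}" before S.. is ignored
    if not vm:
        return None
    rec = {
        "timestamp": pm.group("ts") if pm else None,
        "device": pm.group("host") if pm else None,
        "set": int(vm.group("set")),
        "rule": int(vm.group("rule")),
        "matched": vm.group("m") == "m",
        "action": ACTIONS[vm.group("act")],
    }
    im = IP_RE.search(body)
    if im:
        rec.update(kind="IP", src=im.group("src"), dst=im.group("dst"),
                   prot=im.group("prot"), spo=int(im.group("spo")), dpo=int(im.group("dpo")))
        return rec
    gm = GEN_RE.search(body)
    if gm:
        rec.update(kind="GEN", data=gm.group("data"))
        return rec
    return None


def count_by_rule(lines: List[str]) -> Dict[Tuple[int, int, str], int]:
    """How often each (set, rule, action) fired: shows which filter rules are live on a link."""
    c: Counter = Counter()
    for line in lines:
        rec = parse_filter_log(line)
        if rec:
            c[(rec["set"], rec["rule"], rec["action"])] += 1
    return dict(c)


def dropped_destinations(lines: List[str]) -> List[Tuple[str, str, int]]:
    """(src, dst, dpo) of every IP packet a rule dropped, e.g. the telnet (DP=23) block of set 3."""
    out = []
    for line in lines:
        rec = parse_filter_log(line)
        if rec and rec["kind"] == "IP" and rec["action"] == "drop":
            out.append((rec["src"], rec["dst"], rec["dpo"]))
    return out


# Constructed sample log (addresses and ports made up); the GEN line mirrors the guide's own.
# Set 3 rule 1 is the example telnet filter (Pr=6, DP=23) of Menu 21.1.3.
SAMPLE_LOG = [
    "Mar 03 10:39:43 202.132.155.97 ZyXEL: IP[Src=203.0.113.9 Dst=202.132.155.97 TCP spo=40211 dpo=23] S03>R01mD",
    "Mar 03 10:39:44 202.132.155.97 ZyXEL: IP[Src=203.0.113.9 Dst=202.132.155.97 TCP spo=40212 dpo=23] S03>R01mD",
    "Mar 03 10:39:50 202.132.155.97 ZyXEL: IP[Src=192.168.1.33 Dst=198.51.100.4 UDP spo=1028 dpo=53] S03>R01F",
    "Mar 03 10:41:29 202.132.155.97 ZyXEL: GEN[fffffffffffnordff0080] }S05>R01mF",
    "Mar 03 10:41:30 202.132.155.97 ZyXEL: PINI INFO Channel 0 ok",   # not a filter log line
]

if __name__ == "__main__":
    for key, n in sorted(count_by_rule(SAMPLE_LOG).items()):
        print(f"set {key[0]} rule {key[1]} {key[2]}: {n}")
    print("dropped:", dropped_destinations(SAMPLE_LOG))
```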
34.4.3 Call-Triggering Packet
Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easy readable format. Equivalent information is available in menu 24.1 in hex format. An example is shown next.

1 From the main menu, select option 24 to open Menu 24 - System Maintenance.
2 From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagnostic.
Figure 287 Menu 24.4: System Maintenance: Diagnostic
Menu 24.4 - System Maintenance - Diagnostic
  TCP/IP
    1. Ping Host
    2. WAN DHCP Release
    3. WAN DHCP Renewal
    4. PPPoE/PPTP Setup Test
  System
    11. Reboot System
  Enter Menu Selection Number:
  WAN=
  Host IP Address= N/A
34.5.

Table 178 System Maintenance Menu Diagnostic
FIELD  DESCRIPTION
Host IP Address: If you entered 1 in the Enter Menu Selection Number field, then enter the IP address of the computer you want to ping in this field.
Enter the number of the selection you would like to perform or press [ESC] to cancel.
CHAPTER 35 Firmware and Configuration File Maintenance

This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file.

35.1 Introduction

Use the instructions in this chapter to change the ZyWALL's configuration file or upgrade its firmware. After you configure your ZyWALL, you can back up the configuration file to a computer.

The following table is a summary. Please note that the internal filename refers to the filename on the ZyWALL and the external filename refers to the filename not on the ZyWALL, that is, on your computer, local network or FTP site, and so the name (but not the extension) may vary. After uploading new firmware, see the ZyNOS F/W Version field in Menu 24.2.1 - System Maintenance - Information to confirm that you have uploaded the correct firmware version.

Figure 288 Telnet into Menu 24.5

    Menu 24.5 - Backup Configuration

    To transfer the configuration file to your workstation, follow the procedure below:
    1. Launch the FTP client on your workstation.
    2. Type "open" and the IP address of your router. Then type "root" and SMT password as requested.
    3. Locate the 'rom-0' file.
    4. Type 'get rom-0' to back up the current router configuration to your workstation.

35.3.3 Example of FTP Commands from the Command Line

Figure 289 FTP Session Example

    331 Enter PASS command
    Password:
    230 Logged in
    ftp> bin
    200 Type I OK
    ftp> get rom-0 zyxel.rom
    200 Port command okay
    150 Opening data connection for STOR ras
    226 File received OK
    ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
    ftp> quit

35.3.4 GUI-based FTP Clients

The following table describes some of the commands that you may see in GUI-based FTP clients.
4 The IP you entered in the Secured Client IP field in menu 24.11 does not match the client IP. If it does not match, the ZyWALL will disconnect the Telnet session immediately.
5 You have an SMT console session running.

35.3.6 Backup Configuration Using TFTP

The ZyWALL supports uploading and downloading of the firmware and the configuration file using TFTP (Trivial File Transfer Protocol) over LAN. Although TFTP should work over WAN as well, it is not recommended.

35.3.8 GUI-based TFTP Clients

The following table describes some of the fields that you may see in GUI-based TFTP clients.

Table 181 General Commands for GUI-based TFTP Clients
COMMAND | DESCRIPTION
Host | Enter the IP address of the ZyWALL. 192.168.1.1 is the ZyWALL's default IP address when shipped.
Send/Fetch | Use "Send" to upload the file to the ZyWALL and "Fetch" to back up the file on your computer.
Local File | Enter the path and name of the firmware file (*.

Figure 292 Backup Configuration Example

Type a location for storing the configuration file or click Browse to look for one. Choose the Xmodem protocol. Then click Receive.
4 After a successful backup you will see the following screen. Press any key to return to the SMT menu.

Figure 293 Successful Backup Confirmation Screen

    ** Backup Configuration completed. OK.
    ### Hit any key to continue.###

35.

Figure 294 Telnet into Menu 24.6

    Menu 24.6 -- System Maintenance - Restore Configuration

    To transfer the firmware and configuration file to your workstation, follow the procedure below:
    1. Launch the FTP client on your workstation.
    2. Type "open" and the IP address of your router. Then type "root" and SMT password as requested.
    3.

35.4.2 Restore Using FTP Session Example

Figure 295 Restore Using FTP Session Example

    ftp> put config.rom rom-0
    200 Port command okay
    150 Opening data connection for STOR rom-0
    226 File received OK
    221 Goodbye for writing flash
    ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.
    ftp>quit

Refer to Section 35.3.5 on page 470 to read about configurations that disallow TFTP and FTP over WAN.

35.4.
4 After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu.

Figure 299 Successful Restoration Confirmation Screen

    Save to ROM
    Hit any key to start system reboot.

35.5 Uploading Firmware and Configuration Files

This section shows you how to upload firmware and configuration files. You can upload configuration files by following the procedure in Section 35.

Figure 300 Telnet Into Menu 24.7.1: Upload System Firmware

    Menu 24.7.1 - System Maintenance - Upload System Firmware

    To upload the system firmware, follow the procedure below:
    1. Launch the FTP client on your workstation.
    2. Type "open" and the IP address of your system. Then type "root" and SMT password as requested.
    3.

35.5.3 FTP File Upload Command from the DOS Prompt Example

1 Launch the FTP client on your computer.
2 Enter "open", followed by a space and the IP address of your ZyWALL.
3 Press [ENTER] when prompted for a user name.
4 Enter your password as requested (the default is "1234").
5 Enter "bin" to set transfer mode to binary.
6 Use "put" to transfer files from the computer to the ZyWALL, for example, "put firmware.bin ras" transfers the firmware on your computer (firmware.

1 Use telnet from your computer to connect to the ZyWALL and log in. Because TFTP does not have any security checks, the ZyWALL records the IP address of the telnet client and accepts TFTP requests only from this address.
2 Put the SMT in command interpreter (CI) mode by entering 8 in Menu 24 - System Maintenance.
3 Enter the command "sys stdio 0" to disable the console timeout, so the TFTP transfer will not be interrupted.

Figure 303 Menu 24.7.1 As Seen Using the Console Port

    Menu 24.7.1 - System Maintenance - Upload System Firmware

    To upload system firmware:
    1. Enter "y" at the prompt below to go into debug mode.
    2. Enter "atur" after "Enter Debug Mode" message.
    3. Wait for "Starting XMODEM upload" message before activating Xmodem upload on your terminal.
    4. After successful firmware upload, enter "atgo" to restart the router.

Figure 305 Menu 24.7.2 As Seen Using the Console Port

    Menu 24.7.2 - System Maintenance - Upload System Configuration File

    To upload system configuration file:
    1. Enter "y" at the prompt below to go into debug mode.
    2. Enter "atlc" after "Enter Debug Mode" message.
    3. Wait for "Starting XMODEM upload" message before activating Xmodem upload on your terminal.
    4. After successful firmware upload, enter "atgo" to restart the system.

    Warning: 1.
CHAPTER 36 System Maintenance Menus 8 to 10

This chapter leads you through SMT menus 24.8 to 24.10.

36.1 Command Interpreter Mode

The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions. Enter the CI from the SMT by selecting menu 24.8.

The required fields in a command are enclosed in angle brackets <>. The optional fields in a command are enclosed in square brackets []. The | symbol means "or". For example, sys filter netbios config means that you must specify the type of netbios filter and whether to turn it on or off.

36.1.2 Command Usage

A list of commands can be found by typing help or ? at the command prompt. Always type the full command.

36.2 Call Control Support

The ZyWALL provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1. The budget management function allows you to set a limit on the total outgoing call time of the ZyWALL within certain times. When the total outgoing call time exceeds the limit, the current call will be dropped and any future outgoing calls will be blocked.

Figure 310 Budget Management

    Menu 24.9.1 - Budget Management

    Remote Node    Connection Time/Total Budget    Elapsed Time/Total Period
    1.ChangeMe     No Budget                       No Budget
    2.Dial         No Budget                       No Budget

    Reset Node (0 to update screen):

The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked.

Figure 311 Call History

    Menu 24.9.2 - Call History

    Phone Number    Dir    Rate    #call    Max    Min    Total
    1.
    2.
    3.
    4.
    5.
    6.
    7.
    8.
    9.
    10.

    Enter Entry to Delete(0 to exit):

The following table describes the fields in this screen.

Table 184 Call History
FIELD | DESCRIPTION
Phone Number | The PPPoE service names are shown here.
Dir | This shows whether the call was incoming or outgoing.
Rate | This is the transfer rate of the call.

Figure 312 Menu 24: System Maintenance

    Menu 24 - System Maintenance

    1. System Status
    2. System Information and Console Port Speed
    3. Log and Trace
    4. Diagnostic
    5. Backup Configuration
    6. Restore Configuration
    7. Upload Firmware
    8. Command Interpreter Mode
    9. Call Control
    10. Time and Date Setting
    11. Remote Management Setup

    Enter Menu Selection Number:

Enter 10 to go to Menu 24.

Table 185 Menu 24.10 System Maintenance: Time and Date Setting
FIELD | DESCRIPTION
Time Protocol | Enter the time service protocol that your timeserver uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works. The main difference between them is the format. Daytime (RFC 867) format is day/month/year/time zone of the server.

Table 185 Menu 24.10 System Maintenance: Time and Date Setting (continued)
FIELD | DESCRIPTION
End Date (mmnth-week-hr) | Configure the day and time when Daylight Saving Time ends if you selected Yes in the Daylight Saving field. The hr field uses the 24 hour format. Here are a couple of examples: Daylight Saving Time ends in the United States on the last Sunday of October. Each time zone in the United States stops using Daylight Saving Time at 2 A.M. local time.
CHAPTER 37 Remote Management

This chapter covers remote management found in SMT menu 24.11.

37.1 Remote Management

Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. You may manage your ZyWALL from a remote location via:
• Internet (WAN only)
• ALL (LAN&WAN)
• LAN only
• Neither (Disable)

Figure 314 Menu 24.11 - Remote Management Control

    Menu 24.11 - Remote Management Control

    TELNET Server:  Port = 23   Access = ALL
                    Secure Client IP = 0.0.0.0
    FTP Server:     Port = 21   Access = ALL
                    Secure Client IP = 0.0.0.0
    SSH Server:     Certificate = auto_generated_self_signed_cert
                    Port = 22   Access = ALL
                    Secure Client IP = 0.0.0.
    HTTPS Server:
    HTTP Server:
    SNMP Service:
    DNS Service:

37.1.1 Remote Management Limitations

Remote management over LAN or WAN will not work when:
1 A filter in menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service.
2 You have disabled that service in menu 24.11.
3 The IP address in the Secure Client IP field (menu 24.11) does not match the client IP address. If it does not match, the ZyWALL will disconnect the session immediately.
4 There is an SMT console session running.
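The rules above can be checked mechanically. The following Python model of the menu 24.11 decision is an added example, not ZyXEL firmware code; it assumes the factory-default LAN 192.168.1.0/24 from Table 192 to tell LAN clients from WAN clients, and the client addresses in the comments are constructed.

```python
"""Model of the Menu 24.11 remote-management decision (added example, not ZyXEL code).

Each rule carries the fields shown in Figure 314: Port, Access (ALL / LAN / WAN /
Disable) and Secure Client IP, where 0.0.0.0 means "any client". The order of the
checks follows Section 37.1.1.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption for this example: the LAN is the factory default from Table 192.
LAN_NETWORK = ip_network("192.168.1.0/24")
ANY_CLIENT = "0.0.0.0"


@dataclass(frozen=True)
class ServiceRule:
    name: str
    port: int
    access: str                      # "ALL", "LAN", "WAN" or "Disable"
    secure_client_ip: str = ANY_CLIENT


def interface_for(client_ip: str) -> str:
    """Which ZyWALL interface a management request arrives on."""
    return "LAN" if ip_address(client_ip) in LAN_NETWORK else "WAN"


def remote_access_allowed(rule: ServiceRule, client_ip: str,
                          filter_blocks_service: bool = False,
                          console_session_active: bool = False):
    """Return (allowed, reason) for one management request.

    filter_blocks_service models limitation 1 (a menu 3.1 / 11.5 filter),
    console_session_active models limitation 4 (an SMT console session).
    """
    if filter_blocks_service:
        return False, f"{rule.name}: blocked by a LAN/WAN filter"
    if rule.access.upper() == "DISABLE":
        return False, f"{rule.name}: service disabled in menu 24.11"
    if (rule.secure_client_ip != ANY_CLIENT
            and ip_address(rule.secure_client_ip) != ip_address(client_ip)):
        return False, (f"{rule.name}: {client_ip} is not the Secure Client IP "
                       f"{rule.secure_client_ip}; session dropped")
    if console_session_active:
        return False, f"{rule.name}: an SMT console session is running"
    iface = interface_for(client_ip)
    if rule.access.upper() not in ("ALL", iface):
        return False, f"{rule.name}: Access = {rule.access} does not include {iface}"
    return True, f"{rule.name}: allowed from {client_ip} on {iface}"


def wan_exposed_services(rules):
    """Defender's review: services reachable from the WAN by any client, i.e.
    Access is ALL or WAN and no Secure Client IP is set."""
    return [r.name for r in rules
            if r.access.upper() in ("ALL", "WAN") and r.secure_client_ip == ANY_CLIENT]


if __name__ == "__main__":
    rules = [ServiceRule("TELNET", 23, "ALL"),
             ServiceRule("FTP", 21, "ALL", "192.168.1.20"),   # constructed admin host
             ServiceRule("SSH", 22, "LAN")]
    for r in rules:
        print(remote_access_allowed(r, "203.0.113.5"))       # constructed WAN client
    print("reachable from any WAN host:", wan_exposed_services(rules))
```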
CHAPTER 38 Call Scheduling

Call scheduling allows you to dictate when a remote node should be called and for how long.

38.1 Introduction to Call Scheduling

The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long. This feature is similar to the scheduler in a videocassette recorder (you can specify a time period for the VCR to record). You can apply up to 4 schedule sets in Menu 11.

Figure 316 Schedule Set Setup

    Menu 26.1 - Schedule Set Setup

    Active= Yes
    How Often= Once
    Start Date(yyyy-mm-dd) = N/A
    Once:
      Date(yyyy-mm-dd)= 2000 - 01 - 01
    Weekdays:
      Sunday= N/A
      Monday= N/A
      Tuesday= N/A
      Wednesday= N/A
      Thursday= N/A
      Friday= N/A
      Saturday= N/A
    Start Time (hh:mm)= 00 : 00
    Duration (hh:mm)= 00 : 00
    Action= Forced On

    Press ENTER to Confirm or ESC to Cancel:
    Press Space Bar to Toggle

If a connection has been already established, your ZyWALL will not drop it.

Table 187 Schedule Set Setup (continued)
FIELD | DESCRIPTION
Action | Forced On means that the connection is maintained whether or not there is a demand call on the line and will persist for the time period specified in the Duration field. Forced Down means that the connection is blocked whether or not there is a demand call on the line. Enable Dial-On-Demand means that this schedule permits a demand call on the line.

Figure 318 Applying Schedule Set(s) to a Remote Node (PPTP)

    Menu 11.
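To make the Action semantics concrete, here is an added Python model of one schedule set, not ZyXEL firmware code. It mirrors the Figure 316 fields (Active, How Often, Once date, Weekdays, Start Time, Duration, Action); the behaviour of a remote node when no set is in effect is an assumption and is marked as such.

```python
"""One Menu 26.1 schedule set evaluated against a point in time (added example,
not ZyXEL code)."""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import FrozenSet, Optional

FORCED_ON = "Forced On"
FORCED_DOWN = "Forced Down"
DIAL_ON_DEMAND = "Enable Dial-On-Demand"
# Index matches date.weekday(): Monday == 0 ... Sunday == 6
WEEKDAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")


@dataclass(frozen=True)
class ScheduleSet:
    active: bool
    how_often: str                          # "Once" or "Weekly"
    start_time: time                        # Start Time (hh:mm)
    duration: timedelta                     # Duration (hh:mm)
    action: str                             # FORCED_ON, FORCED_DOWN or DIAL_ON_DEMAND
    once_date: Optional[date] = None        # used when how_often == "Once"
    weekdays: FrozenSet[str] = frozenset()  # used when how_often == "Weekly"


def _applies_on(sched: ScheduleSet, day: date) -> bool:
    """Does the set start a window on this calendar day?"""
    if sched.how_often == "Once":
        return day == sched.once_date
    if sched.how_often == "Weekly":
        return WEEKDAYS[day.weekday()] in sched.weekdays
    raise ValueError(f"unknown How Often value: {sched.how_often!r}")


def action_at(sched: ScheduleSet, now: datetime) -> Optional[str]:
    """Return the set's Action if `now` lies inside its window, else None.

    A window may run past midnight (e.g. 23:00 for 02:00), so the window that
    started on the previous day is checked as well. A zero Duration never applies.
    """
    if not sched.active or sched.duration <= timedelta(0):
        return None
    for day in (now.date(), now.date() - timedelta(days=1)):
        if not _applies_on(sched, day):
            continue
        start = datetime.combine(day, sched.start_time)
        if start <= now < start + sched.duration:
            return sched.action
    return None


def call_permitted(action: Optional[str], demand_call: bool) -> bool:
    """Whether a call to the remote node may be up, following Table 187.

    Assumption (not stated in the guide): with no set in effect the node simply
    follows ordinary dial-on-demand, so a demand call is allowed and nothing else.
    """
    if action == FORCED_ON:
        return True
    if action == FORCED_DOWN:
        return False
    if action in (DIAL_ON_DEMAND, None):
        return demand_call
    raise ValueError(f"unknown Action value: {action!r}")


if __name__ == "__main__":
    # Constructed set: office hours, Monday to Friday, 08:00 for 9 hours, Forced On.
    office = ScheduleSet(True, "Weekly", time(8, 0), timedelta(hours=9), FORCED_ON,
                         weekdays=frozenset(WEEKDAYS[:5]))
    for when in (datetime(2024, 1, 10, 12, 0), datetime(2024, 1, 13, 12, 0)):
        act = action_at(office, when)
        print(when, act, "call permitted without demand:", call_permitted(act, False))
```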
CHAPTER 39 Troubleshooting

This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see our included disk for further information.

39.1 Problems Starting Up the ZyWALL

Table 188 Troubleshooting the Start-Up of Your ZyWALL
PROBLEM | CORRECTIVE ACTION
None of the LEDs turn on when you turn on the ZyWALL. |

39.3 Problems with the WAN Interface

Table 190 Troubleshooting the WAN Interface
PROBLEM | CORRECTIVE ACTION
Cannot get WAN IP address from the ISP. | The ISP provides the WAN IP address after authentication. Authentication may be through the user name and password, the MAC address or the host name. Use the following corrective actions to make sure the ISP can authenticate your connection. You need a user name and password if you're using PPPoE or PPTP encapsulation.

Table 191 Troubleshooting Accessing the ZyWALL
PROBLEM | CORRECTIVE ACTION
Cannot access the web configurator. | Make sure that there is not an SMT console session running. Use the ZyWALL's WAN IP address when configuring from the WAN. Refer to the instructions on checking your WAN connection. Use the ZyWALL's LAN IP address when configuring from the LAN. Refer to the instructions on checking your LAN connection. Check that you have enabled web service access.

39.4.1.1.1 Disable pop-up Blockers

1 In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker.

Figure 319 Pop-up Blocker

You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab.
1 In Internet Explorer, select Tools, Internet Options, Privacy.
2 Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled.

39.4.1.1.2 Enable pop-up Blockers with Exceptions

Alternatively, if you only want to allow pop-up windows from your device, see the following steps.
1 In Internet Explorer, select Tools > Internet Options > Privacy.
2 Select Settings… to open the Pop-up Blocker Settings screen.

Figure 321 Internet Options: Privacy

3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix "http://". For example, http://192.168.1.1.

Figure 322 Pop-up Blocker Settings

5 Click Close to return to the Privacy screen.
6 Click Apply to save this setting.

39.4.1.2 JavaScripts

If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.
1 In Internet Explorer, click Tools > Internet Options > Security.

Figure 323 Internet Options: Security

2 Click the Custom Level... button.
3 Scroll down to Scripting.
4 Under Active scripting make sure that Enable is selected (the default).
5 Under Scripting of Java applets make sure that Enable is selected (the default).
6 Click OK to close the window.

Figure 324 Security Settings - Java Scripting

39.4.1.3 Java Permissions

1 From Internet Explorer, click Tools > Internet Options > Security.
2 Click the Custom Level... button.
3 Scroll down to Microsoft VM.
4 Under Java permissions make sure that a safety level is selected.
5 Click OK to close the window.

Figure 325 Security Settings - Java

39.4.1.3.1 JAVA (Sun)

1 From Internet Explorer, click Tools > Internet Options > Advanced.
2 Make sure that Use Java 2 for

Figure 326 Java (Sun)

39.5 Packet Flow

The following is the packet check flow on the ZyWALL.
APPENDIX A Product Specifications

See also the Introduction chapter for a general overview of the key features.

Specification Tables

Table 192 Device Specifications
Default LAN IP Address | 192.168.1.1
Default Subnet Mask | 255.255.255.0 (24 bits)
Default Password | 1234
DHCP Pool | 192.168.1.33 to 192.168.1.

Table 193 Performance (continued)
CATEGORY | PERFORMANCE
Concurrent Sessions | 3000
Simultaneous IPSec VPN Connections | 2

Table 194 Firmware Features
Modes of Operation
  Routing/NAT/SUA Mode
  Transparent Mode
Firewall (ICSA Certified)
  IP Protocol/Packet Filter
  DoS and DDoS Protections
  Stateful Packet Inspection
  Real time E-mail alerts
  Reports and Logs
  Transparent Firewall
VPN (ICSA Certified)
  Manual key, IKE
  PKI (X.

Table 194 Firmware Features (continued)
Other Protocol Support
  PPP (Point-to-Point Protocol) link layer protocol.
  Transparent bridging for unsupported network layer protocols.
  DHCP Server/Client/Relay
  RIP I/RIP II
  ICMP
  SNMP v1 and v2c with MIB II support (RFC 1213)
  IP Multicasting IGMP v1 and v2
  IGMP Proxy
  UPnP
  IEEE 802.

Figure 327 Console/Dial Backup Cable DB-9 End Pin Layout

Table 196 Console Cable Pin Assignments
PIN DEFINITION | RJ-45 END | DB-9M (MALE) END
DSR | 1 | 6
DTR | 2 | 4
TX | 3 | 3
RTS | 4 | 7
GND | 5 | 5
RX | 6 | 2
CTS | 7 | 8
DCD | 8 | 1
N/A | | 9

Table 197 Console Cable Pin Assignments
PIN DEFINITION | RJ-45 END | DB-9M (MALE) END
DTR | 1 | 4
DSR | 2 | 6
RX | 3 | 2
CTS | 4 | 8
GND | 5 | 5
TX | 6 | 3
RTS | 7 | 7
DCD | 8 | 1
N/A | | 9

Figure 328 Ethernet Cable Pin Assignments

Wall Mounting Specifications

Use two M4 x 30 mm screws to wall-mount the ZyWALL. The holes for the wall-mounting screws should be 108 mm apart.

Power Adaptor Specifications

Table 198 Power Adaptor Specifications
AC Power Adapter Model | PSA18R-120P
Input Power | AC 100~240Volts/50~60Hz/0.5A
Output Power | DC 12Volts/1.
APPENDIX B Wall-mounting Instructions

Do the following to hang your ZyWALL on a wall.

Note: See the product specifications appendix for the size of screws to use and how far apart to place them.

1 Locate a high position on a wall that is free of obstructions. Use a sturdy wall.
2 Drill two holes for the screws. Make sure the distance between the centers of the holes matches what is listed in the product specifications appendix.
APPENDIX C Setting up Your Computer's IP Address

All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer. Windows 3.1 requires the purchase of a third-party TCP/IP application package.

Figure 330 Windows 95/98/Me: Network: Configuration

Installing Components

The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.

If you need the adapter:
1 In the Network window, click Add.
2 Select Adapter and then click Add.
3 Select the manufacturer and model of your network adapter and then click OK.

If you need TCP/IP:
1 In the Network window, click Add.

3 Select Microsoft from the list of manufacturers.
4 Select Client for Microsoft Networks from the list of network clients and then click OK.
5 Restart your computer so the changes you made take effect.

Configuring
1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties.
2 Click the IP Address tab.
• If your IP address is dynamic, select Obtain an IP address automatically.
•

Figure 332 Windows 95/98/Me: TCP/IP Properties: DNS Configuration

4 Click the Gateway tab.
• If you do not know your gateway's IP address, remove previously installed gateways.
• If you have a gateway IP address, type it in the New gateway field and click Add.
5 Click OK to save and close the TCP/IP Properties window.
6 Click OK to close the Network window. Insert the Windows CD if prompted.
7 Turn on your ZyWALL and restart your computer when prompted.

Figure 333 Windows XP: Start Menu

2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT).

Figure 334 Windows XP: Control Panel

3 Right-click Local Area Connection and then click Properties.

Figure 335 Windows XP: Control Panel: Network Connections: Properties

4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties.

Figure 336 Windows XP: Local Area Connection Properties

5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
• If you have a dynamic IP address click Obtain an IP address automatically.
• If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields.
• Click Advanced.

Figure 337 Windows XP: Internet Protocol (TCP/IP) Properties

6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.

Figure 338 Windows XP: Advanced TCP/IP Properties

7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP):
• Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
• If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.

Figure 339 Windows XP: Internet Protocol (TCP/IP) Properties

8 Click OK to close the Internet Protocol (TCP/IP) Properties window.
9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window.
10 Close the Network Connections window (Network and Dial-up Connections in Windows 2000/NT).
11 Turn on your ZyWALL and restart your computer (if prompted).

Verifying Settings
1 Click Start, All Programs, Accessories and then Command Prompt.

Figure 340 Macintosh OS 8/9: Apple Menu

2 Select Ethernet built-in from the Connect via list.

Figure 341 Macintosh OS 8/9: TCP/IP

3 For dynamically assigned settings, select Using DHCP Server from the Configure: list.
4 For statically assigned settings, do the following:
• From the Configure box, select Manually.
• Type your IP address in the IP Address box.
• Type your subnet mask in the Subnet mask box.
• Type the IP address of your ZyWALL in the Router address box.
5 Close the TCP/IP Control Panel.
6 Click Save if prompted, to save changes to your configuration.
7 Turn on your ZyWALL and restart your computer (if prompted).

Figure 343 Macintosh OS X: Network

4 For statically assigned settings, do the following:
• From the Configure box, select Manually.
• Type your IP address in the IP Address box.
• Type your subnet mask in the Subnet mask box.
• Type the IP address of your ZyWALL in the Router address box.
5 Click Apply Now and close the window.
6 Turn on your ZyWALL and restart your computer (if prompted).

Verifying Settings
Check your TCP/IP properties in the Network window.

Note: Make sure you are logged in as the root administrator.

Using the K Desktop Environment (KDE)

Follow the steps below to configure your computer IP address using the KDE.
1 Click the Red Hat button (located on the bottom left corner), select System Setting and click Network.

Figure 344 Red Hat 9.0: KDE: Network Configuration: Devices

2 Double-click on the profile of the network card you wish to configure. The Ethernet Device General screen displays as shown.
• If you have a dynamic IP address, click Automatically obtain IP address settings with and select dhcp from the drop down list.
• If you have a static IP address, click Statically set IP Addresses and fill in the Address, Subnet mask, and Default Gateway Address fields.
3 Click OK to save the changes and close the Ethernet Device General screen.
4 If you know your DNS server IP address(es), click the DNS tab in the Network Configuration screen.

1 Assuming that you have only one network card on the computer, locate the ifcfg-eth0 configuration file (where eth0 is the name of the Ethernet card). Open the configuration file with any plain text editor.
• If you have a dynamic IP address, enter dhcp in the BOOTPROTO= field. The following figure shows an example.

Figure 348 Red Hat 9.

Figure 351 Red Hat 9.0: Restart Ethernet Card

    [root@localhost init.d]# network restart
    Shutting down interface eth0:       [OK]
    Shutting down loopback interface:   [OK]
    Setting network parameters:         [OK]
    Bringing up loopback interface:     [OK]
    Bringing up interface eth0:         [OK]

Verifying Settings
Enter ifconfig in a terminal screen to check your TCP/IP properties.

Figure 352 Red Hat 9.
APPENDIX D IP Subnetting

IP Addressing

Routers "route" based on the network number. The router that delivers the data packet to the correct destination host uses the host ID.

IP Classes

An IP address is made up of four octets (eight bits each), written in dotted decimal notation, for example, 192.168.1.1. IP addresses are categorized into different classes. The class of an address depends on the value of its first octet.
• Class "A" addresses have a 0 in the left most bit.

Since the first octet of a class "A" IP address must begin with a "0", the first octet of a class "A" address can have a value of 0 to 127. Similarly the first octet of a class "B" address must begin with "10", therefore the first octet of a class "B" address has a valid range of 128 to 191. The first octet of a class "C" address begins with "110", and therefore has a range of 192 to 223.

Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32 bit mask, you can simply specify the number of ones instead of writing the value of each octet. This is usually specified by writing a "/" followed by the number of bits in the mask after the address. For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with mask 255.255.255.128.

Note: In the following charts, shaded/bolded last octet bit values indicate host ID bits "borrowed" to form network ID bits. The number of "borrowed" host ID bits determines the number of subnets you can have. The remaining number of host ID bits (after "borrowing") determines the number of hosts you can have on each subnet.

Table 204 Subnet 1
| NETWORK NUMBER | LAST OCTET BIT VALUE
IP Address | 192.168.1. | 0
IP Address (Binary) | 11000000.10101000.00000001. |

Example: Four Subnets

The above example illustrated using a 25-bit subnet mask to divide a class "C" address space into two subnets. Similarly, to divide a class "C" address into four subnets, you need to "borrow" two host ID bits to give four possible combinations of 00, 01, 10 and 11. The subnet mask is 26 bits (11111111.11111111.11111111.11000000) or 255.255.255.192.

Table 209 Subnet 4
| NETWORK NUMBER | LAST OCTET BIT VALUE
IP Address | 192.168.1. | 192
IP Address (Binary) | 11000000.10101000.00000001. | 11000000
Subnet Mask (Binary) | 11111111.11111111.11111111. | 11000000
Subnet Address: 192.168.1.192 | Lowest Host ID: 192.168.1.193
Broadcast Address: 192.168.1.255 | Highest Host ID: 192.168.1.254

Example: Eight Subnets

Similarly, use a 27-bit mask to create 8 subnets (001, 010, 011, 100, 101, 110).

Subnetting With Class A and Class B Networks

For class "A" and class "B" addresses the subnet mask also determines which bits are part of the network number and which are part of the host ID. A class "B" address has two host ID octets available for subnetting and a class "A" address has three host ID octets (see Table 199 on page 533) available for subnetting. The following table is a summary for class "B" subnet planning.

Table 212 Class B Subnet Planning
NO.
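The "borrowed host bits" method in this appendix can be carried out in code. The Python planner below is an added example, not part of the guide; it reproduces the Table 204 to Table 209 figures for 192.168.1.0 and, going beyond the class "C" tables above, handles any base prefix, so it also serves the class "B" planning that follows.

```python
"""Subnet planner for the 'borrowed host ID bits' method of Appendix D
(added example, not ZyXEL code). Pure integer arithmetic so the bit
manipulation the appendix describes is visible."""
from dataclasses import dataclass
from typing import List


def ip_to_int(dotted: str) -> int:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def int_to_binary_dotted(n: int) -> str:
    """The binary form used in the tables, e.g. 11000000.10101000.00000001.11000000."""
    return ".".join(format((n >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix: int) -> int:
    """Mask is `prefix` ones from the left followed by zeros (the '/' notation)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


@dataclass(frozen=True)
class Subnet:
    number: int
    subnet_address: str
    lowest_host: str
    highest_host: str
    broadcast: str
    subnet_address_binary: str


def plan_subnets(network: str, base_prefix: int, borrowed_bits: int) -> List[Subnet]:
    """Split network/base_prefix into 2**borrowed_bits subnets.

    Each subnet keeps (32 - base_prefix - borrowed_bits) host bits; the all-zero
    host value is the subnet address and the all-one value is the broadcast.
    """
    new_prefix = base_prefix + borrowed_bits
    if borrowed_bits < 0 or new_prefix > 30:
        raise ValueError("every subnet needs at least two host ID bits")
    base = ip_to_int(network) & mask_from_prefix(base_prefix)
    size = 1 << (32 - new_prefix)          # addresses per subnet
    subnets = []
    for i in range(1 << borrowed_bits):    # i is the borrowed-bit pattern 00, 01, 10, ...
        start = base + i * size
        subnets.append(Subnet(
            number=i + 1,
            subnet_address=int_to_ip(start),
            lowest_host=int_to_ip(start + 1),
            highest_host=int_to_ip(start + size - 2),
            broadcast=int_to_ip(start + size - 1),
            subnet_address_binary=int_to_binary_dotted(start),
        ))
    return subnets


def usable_hosts_per_subnet(base_prefix: int, borrowed_bits: int) -> int:
    """Hosts per subnet: 2**(remaining host bits) minus subnet and broadcast addresses."""
    return (1 << (32 - base_prefix - borrowed_bits)) - 2


if __name__ == "__main__":
    # The four-subnet example of the appendix: class C, two bits borrowed, mask /26.
    print("mask:", int_to_ip(mask_from_prefix(26)))
    for s in plan_subnets("192.168.1.0", 24, 2):
        print(f"Subnet {s.number}: {s.subnet_address} hosts {s.lowest_host}-{s.highest_host} "
              f"broadcast {s.broadcast}  ({s.subnet_address_binary})")
    print("usable hosts per subnet:", usable_hosts_per_subnet(24, 2))
```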
APPENDIX E Common Services

The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Number Authority) web site.
• Name: This is a short, descriptive name for the service. You can use this one or create a different one, if you like.
• Protocol: This is the type of IP protocol used by the service.

Table 213 Commonly Used Services (continued)
NAME | PROTOCOL | PORT(S) | DESCRIPTION
HTTP | TCP | 80 | Hyper Text Transfer Protocol - a client/server protocol for the world wide web.
HTTPS | TCP | 443 | HTTPS is a secured http session often used in e-commerce.
| User-Defined | 1 | Internet Control Message Protocol is often used for diagnostic or routing purposes.
| UDP | 4000 |
| User-Defined | 2 | Internet Group Multicast Protocol is used when sending packets to a specific group of hosts.

Table 213 Commonly Used Services (continued)
NAME | PROTOCOL | PORT(S) | DESCRIPTION
SFTP | TCP | 115 | Simple File Transfer Protocol.
SMTP | TCP | 25 | Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.
SNMP | TCP/UDP | 161 | Simple Network Management Program.
SNMP-TRAPS | TCP/UDP | 162 | Traps for use with the SNMP (RFC:1215).
ZyWALL 2 Plus User’s Guide APPENDIX F VPN Setup This appendix will help you to quickly create a IPSec/VPN connection between two ZyXEL IPSec routers. It should be considered a quick reference for experienced users. General Notes • The private networks behind the IPSec routers must be on different subnets. For example, 192.168.10.0/24 and 192.168.20.0/24.
ZyWALL 2 Plus User’s Guide The following pages show a typical configuration that builds a tunnel between two private networks. One network is the headquarters (HQ) and the other is a branch office. Both sites have static (fixed) public addresses. Replace the Remote Gateway Address and Local/ Remote Starting IP Address settings with your own values. VPN Configuration This section gives a VPN rule configuration example using the web configurator. 1 Click VPN to display the following screen.
ZyWALL 2 Plus User’s Guide Figure 354 Headquarters Gateway Policy Edit The IP address of the branch office IPSec router.
ZyWALL 2 Plus User’s Guide Figure 355 Branch Office Gateway Policy Edit The IP address of the headquarters IPSec router. 3 Click the add network policy ( configure a VPN policy.
ZyWALL 2 Plus User’s Guide Figure 356 Headquarters VPN Rule Figure 357 Branch Office VPN Rule 4 Configure the screens in the headquarters and the branch office as follows and click Apply.
ZyWALL 2 Plus User’s Guide Figure 358 Headquarters Network Policy Edit Activate the network policy. IP addresses on different subnets.
ZyWALL 2 Plus User’s Guide Figure 359 Branch Office Network Policy Edit Activate the network policy. IP addresses on different subnets. Dialing the VPN Tunnel via Web Configurator To test whether the IPSec routers can build the VPN tunnel, click the dial ( VPN Rules (IKE) screen to have the IPSec routers set up the tunnel.
ZyWALL 2 Plus User’s Guide Figure 360 VPN Rule Configured The following screen displays. Figure 361 VPN Dial This screen displays later if the IPSec routers can build the VPN tunnel.
VPN Troubleshooting
If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into the web configurators of both ZyXEL IPSec routers. Check the settings in each field methodically and slowly.
VPN Log
The system log can often help to identify a configuration problem. Use the web configurator LOGS Log Settings screen to enable IKE and IPSec logging at both ends, clear the log and then build the tunnel.
Figure 363 VPN Log Example
ras> sys log disp ike ipsec
# .time source destination message
0|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 Rule [ex-1] Tunnel built successfully
1|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
2|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 Send:[HASH]
3|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
4|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.
IPSec Debug
If you are having difficulty building an IPSec tunnel to a non-ZyXEL IPSec router, advanced users may wish to examine the IPSec debug feature (Menu 24.8).
Note: If any of your VPN rules have an active network policy set to nailed-up, using the IPSec debug feature may cause the ZyWALL to continuously display new information. Type ipsec debug level 0 and press [ENTER] to stop it.
Use a VPN Tunnel
A VPN tunnel gives you a secure connection to another computer or network. The VPN Status screen displays whether or not your VPN tunnel is connected. Example VPN tunnel uses are securely sending and retrieving files, and accessing corporate network drives, web servers and email. Services work as if you were at the office instead of connected through the Internet.
APPENDIX G Importing Certificates
This appendix shows examples of importing certificates using Internet Explorer 5.
Import ZyWALL Certificates into Netscape Navigator
In Netscape Navigator, you can permanently trust the ZyWALL’s server certificate by importing it into your operating system as a trusted certification authority. Select Accept This Certificate Permanently in the following screen to do this.
Figure 366 Login Screen
2 Click Install Certificate to open the Install Certificate wizard.
Figure 367 Certificate General Information before Import
3 Click Next to begin the Install Certificate wizard.
Figure 368 Certificate Import Wizard 1
4 Select where you would like to store the certificate and then click Next.
Figure 369 Certificate Import Wizard 2
5 Click Finish to complete the Import Certificate wizard.
Figure 370 Certificate Import Wizard 3
6 Click Yes to add the ZyWALL certificate to the root store.
Figure 372 Certificate General Information after Import
Enrolling and Importing SSL Client Certificates
The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details).
Figure 373 ZyWALL Trusted CA Screen
The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s).
Installing the CA’s Certificate
1 Double click the CA’s trusted certificate to produce a screen similar to the one shown next.
Figure 374 CA Certificate Example
2 Click Install Certificate and follow the wizard as shown earlier in this appendix.
Installing Your Personal Certificate(s)
You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next.
1 Click Next to begin the wizard.
Figure 375 Personal Certificate Import Wizard 1
2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate.
Figure 376 Personal Certificate Import Wizard 2
3 Enter the password given to you by the CA.
Figure 377 Personal Certificate Import Wizard 3
4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.
Figure 378 Personal Certificate Import Wizard 4
5 Click Finish to complete the wizard and begin the import process.
Figure 379 Personal Certificate Import Wizard 5
6 You should see the following screen when the certificate is correctly installed on your computer.
Figure 380 Personal Certificate Import Wizard 6
Using a Certificate When Accessing the ZyWALL Example
Use the following procedure to access the ZyWALL via HTTPS.
1 Enter https://ZyWALL IP Address/ in your browser’s web address field.
Figure 382 SSL Client Authentication
3 You next see the ZyWALL login screen.
APPENDIX H Command Interpreter
The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on these commands.
Note: Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable.
Command Syntax
• The command keywords are in courier new font.
APPENDIX I Firewall Commands
The following describes the firewall commands. See Appendix H on page 569 for information on the command structure.
Table 214 Firewall Commands
config edit firewall active
  This command turns the firewall on or off.
config retrieve firewall
  This command returns the previously saved firewall settings.
config save firewall
  This command saves the current firewall settings.
E-mail
config edit firewall e-mail mail-server
  This command sets the IP address to which the e-mail messages are sent.
config edit firewall e-mail return-addr
  This command sets the source e-mail address of the firewall e-mails.
config edit firewall e-mail email-to
  This command sets the e-mail address to which the firewall e-mails are sent.
Sets
config edit firewall attack minute-high <0-255>
  This command sets the threshold rate of new half-open sessions per minute where the ZyWALL starts deleting old half-opened sessions until it gets them down to the minute-low threshold.
config edit firewall attack minute-low <0-255>
  This command sets the threshold of half-open sessions where the ZyWALL stops deleting half-opened sessions.
Rules
Config edit firewall set tcp-idle-timeout
  This command sets how long ZyWALL lets an inactive TCP connection remain open before considering it closed.
Config edit firewall set log
  This command sets whether or not the ZyWALL creates logs for packets that match the firewall’s default rule set.
config edit firewall set rule destaddrsubnet
  This command sets a rule to have the ZyWALL check for traffic with a particular subnet destination (defined by IP address and subnet mask).
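To make the interaction between minute-high and minute-low concrete, here is an added model of that hysteresis (example code written for this guide, not ZyNOS firmware): the count of new half-open sessions in the trailing minute is tracked, deletion of the oldest half-open sessions starts once it exceeds minute-high, and stops only once it is back at or below minute-low. The session ids and timestamps are constructed.

```python
"""Model of the half-open session thresholds set with
'config edit firewall attack minute-high <0-255>' and 'minute-low <0-255>'.
Added example, not ZyNOS code; timestamps and session ids are constructed."""
from collections import deque

WINDOW_SECONDS = 60


class HalfOpenGuard:
    def __init__(self, minute_high, minute_low):
        if not 0 <= minute_low <= minute_high <= 255:
            raise ValueError("expect 0 <= minute-low <= minute-high <= 255")
        self.minute_high = minute_high
        self.minute_low = minute_low
        self.arrivals = deque()    # timestamps of new half-open sessions, last minute
        self.half_open = deque()   # (timestamp, session_id), oldest first
        self.deleting = False      # True after the rate crossed minute-high
        self.deleted = []          # ids of half-open sessions dropped so far

    def rate(self, now):
        """Number of new half-open sessions seen in the trailing minute."""
        while self.arrivals and now - self.arrivals[0] >= WINDOW_SECONDS:
            self.arrivals.popleft()
        return len(self.arrivals)

    def complete(self, session_id):
        """Handshake finished (final ACK seen): the session is no longer half-open."""
        self.half_open = deque(s for s in self.half_open if s[1] != session_id)

    def new_syn(self, now, session_id):
        """Register a new half-open session (a SYN with no completing ACK yet).
        Returns the id of the old half-open session deleted to make room,
        or None when nothing had to be deleted."""
        self.arrivals.append(now)
        self.half_open.append((now, session_id))
        r = self.rate(now)
        if r > self.minute_high:
            self.deleting = True      # rate above minute-high: start deleting old sessions
        elif r <= self.minute_low:
            self.deleting = False     # hysteresis: stop only once at or below minute-low
        if self.deleting and len(self.half_open) > 1:
            _, victim = self.half_open.popleft()   # oldest half-open session goes first
            self.deleted.append(victim)
            return victim
        return None


if __name__ == "__main__":
    # Constructed burst: seven SYNs in seven seconds against thresholds 5 / 2.
    guard = HalfOpenGuard(minute_high=5, minute_low=2)
    for t in range(7):
        print(t, guard.new_syn(t, f"s{t}"), "rate", guard.rate(t))
    print("quiet minute later:", guard.new_syn(70, "s7"), "deleted so far", guard.deleted)
```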
APPENDIX J NetBIOS Filter Commands
The following describes the NetBIOS packet filter commands. See Appendix H on page 569 for information on the command structure.
Introduction
NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls.
The filter types and their default settings are as follows.
Table 215 NetBIOS Filter Default Settings
NAME: Between LAN and WAN
  DESCRIPTION: This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the WAN.
  EXAMPLE: Block
NAME: IPSec Packets
  DESCRIPTION: This field displays whether NetBIOS packets sent through a VPN connection are blocked or forwarded.
  EXAMPLE: Forward
NAME: Trigger dial
  DESCRIPTION: This field displays whether NetBIOS packets are allowed to initiate calls.
  EXAMPLE: Disabled
APPENDIX K Certificates Commands
The following describes the certificate commands. See Appendix H on page 569 for information on the command structure. All of these commands start with certificates.
Table 216 Certificates Commands
my_cert create selfsigned [key size]
  Create a self-signed local host certificate. specifies a descriptive name for the generated certificate.
create cmp_enroll [key size]
  Create a certificate request and enroll for a certificate immediately online using CMP protocol. specifies a descriptive name for the enrolled certificate. specifies the CA server address. specifies the name of the CA certificate. specifies the id and key used for user authentication.
replace_factory
  Create a certificate using your device MAC address that will be specific to this device. The factory default certificate is a common default certificate for all ZyWALL models.
ca_trusted import
  Import the PEM-encoded certificate from stdin. specifies the name as which the imported CA certificate is to be saved.
delete
  Delete the specified trusted remote host certificate. specifies the name of the certificate to be deleted.
list
  List all trusted remote host certificate names and basic information.
rename
  Rename the specified trusted remote host certificate. specifies the name of the certificate to be renamed.
APPENDIX L Brute-Force Password Guessing Protection
Brute-force password guessing protection allows you to specify a wait-time that must expire before entering a fourth password after three incorrect passwords have been entered. The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password. See Appendix H on page 569 for information on the command structure.
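The mechanism described above, as an added model (example code written for this guide, not ZyNOS firmware): three wrong passwords arm a wait-time, during which every attempt, even one with the correct password, is refused until the wait expires. The password, wait-time and clock values are constructed.

```python
"""Model of brute-force password guessing protection: after three incorrect
passwords the login must wait a configured time before a fourth attempt.
Added example, not ZyNOS code; password and timings are constructed."""
import hmac

MAX_FAILURES = 3   # the third wrong password starts the wait-time


class PasswordGuard:
    def __init__(self, expected_password, wait_time_seconds):
        self._expected = expected_password.encode()
        self.wait_time = wait_time_seconds
        self.failures = 0
        self.locked_until = None   # timestamp at which the wait-time expires

    def seconds_remaining(self, now):
        """Seconds the caller must still wait; 0 when attempts are accepted."""
        if self.locked_until is None:
            return 0
        return max(0, self.locked_until - now)

    def attempt(self, now, password):
        """Returns 'ok', 'wrong' or 'wait'. 'now' is a timestamp in seconds."""
        if self.seconds_remaining(now) > 0:
            return "wait"          # refused before the password is even checked
        self.locked_until = None
        # constant-time comparison so response time does not leak matching bytes
        if hmac.compare_digest(password.encode(), self._expected):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures = 0
            self.locked_until = now + self.wait_time
        return "wrong"


if __name__ == "__main__":
    # Constructed sequence: three wrong guesses, then the real password too early.
    guard = PasswordGuard("correct-horse", wait_time_seconds=60)
    for t, pw in [(0, "a"), (1, "b"), (2, "c"), (3, "correct-horse"), (62, "correct-horse")]:
        print(t, guard.attempt(t, pw), "remaining", guard.seconds_remaining(t))
```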
APPENDIX M Boot Commands
The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen. In debug mode you have access to a series of boot module commands, for example ATUR (for uploading firmware) and ATLC (for uploading the configuration file).
Figure 385 Boot Module Commands
AT      just answer OK
ATHE    print help
ATBAx   change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.
APPENDIX N Log Descriptions
This appendix provides descriptions of example log messages.
Table 218 System Maintenance Logs
Time calibration is successful
  The router has adjusted its time based on information from the time server.
Time calibration failed
  The router failed to get information from the time server.
WAN interface gets IP: %s
  A WAN interface got a new IP address from the DHCP, PPPoE, PPTP or dial-up server.
Configuration Change: PC = 0x%x, Task ID = 0x%x
  The router is saving configuration changes.
Successful SSH login
  Someone has logged on to the router’s SSH server.
SSH login failed
  Someone has failed to log on to the router’s SSH server.
Successful HTTPS login
  Someone has logged on to the router's web configurator interface using HTTPS protocol.
Table 219 System Error Logs (continued)
DHCP Server cannot assign the static IP %S (out of range).
  The LAN subnet, LAN alias 1, or LAN alias 2 was changed and the specified static DHCP IP addresses are no longer valid.
The DHCP static IP %s is conflict.
  The static DHCP IP address conflicts with another host.
SMTP fail (%s)
  The device failed to send an e-mail (error message included).
Table 221 TCP Reset Logs (continued)
Peer TCP state out of order, sent TCP RST
  The router sent a TCP reset packet when a TCP connection state was out of order. Note: The firewall refers to RFC793 Figure 6 to check the TCP state.
Firewall session time out, sent TCP RST
  The router sent a TCP reset packet when a dynamic firewall session timed out.
Table 223 ICMP Logs (continued)
Packet without a NAT table entry blocked: ICMP
  The router blocked a packet that didn’t have a corresponding NAT table entry.
Unsupported/out-of-order ICMP: ICMP
  The firewall does not support this kind of ICMP packet or the ICMP packets are out of order.
Router reply ICMP packet: ICMP
  The router sent an ICMP reply packet to the sender.
Table 227 Content Filtering Logs
%s: Keyword blocking
  The content of a requested web page matched a user defined keyword.
%s: Not in trusted web list
  The web site is not in a trusted domain, and the router blocks all traffic except trusted domain sites.
%s: Forbidden Web site
  The web site is in the forbidden web site list.
%s: Contains ActiveX
  The web site contains ActiveX.
%s: Contains Java applet
  The web site contains a Java applet.
Table 228 Attack Logs (continued)
land [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
  The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF land attack.
land ICMP (type:%d, code:%d)
  The firewall detected an ICMP land attack.
ip spoofing - WAN [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
  The firewall detected an IP spoofing attack on the WAN port.
ip spoofing - WAN ICMP (type:%d, code:%d)
  The firewall detected an ICMP IP spoofing attack on the WAN port.
IP address in FTP port command is different from the client IP address. It maybe a bounce attack.
  The IP address in an FTP port command is different from the client IP address. It may be a bounce attack.
Fragment packet size is smaller than the MTU size of output interface.
  The fragment packet size is smaller than the MTU size of the output interface.
Table 230 IPSec Logs (continued)
Rule <%d> idle time out, disconnect
  The router dropped a connection that had outbound traffic and no inbound traffic for a certain time period. You can use the "ipsec timer chk_conn" CI command to set the time period. The default value is 2 minutes.
WAN IP changed to
  The router dropped all connections with the “MyIP” configured as “0.0.0.0” when the WAN IP address changed.
Table 231 IKE Logs (continued)
Cannot resolve Secure Gateway Addr for rule <%d>
  The router couldn’t resolve the IP address from the domain name that was used for the secure gateway address.
Peer ID: -
  The displayed ID information did not match between the two ends of the connection.
vs. My Remote
  The displayed ID information did not match between the two ends of the connection.
XAUTH fail! Username:
  The router was not able to use extended authentication to authenticate the listed user name.
Rule[%d] Phase 1 negotiation mode mismatch
  The listed rule’s IKE phase 1 negotiation mode did not match between the router and the peer.
Rule [%d] Phase 1 encryption algorithm mismatch
  The listed rule’s IKE phase 1 encryption algorithm did not match between the router and the peer.
Rule [%d] phase 2 mismatch
  The listed rule’s IKE phase 2 did not match between the router and the peer.
Rule [%d] Phase 2 key length mismatch
  The listed rule’s IKE phase 2 key lengths (with the AES encryption algorithm) did not match between the router and the peer.
Table 232 PKI Logs (continued)
Failed to decode the received user cert
  The router received a corrupted user certificate from the LDAP server whose address and port are recorded in the Source field.
Failed to decode the received CRL
  The router received a corrupted CRL (Certificate Revocation List) from the LDAP server whose address and port are recorded in the Source field.
Table 233 Certificate Path Verification Failure Reason Codes (continued)
20 CRL decoding failed.
21 CRL is not currently valid, but in the future.
22 CRL contains duplicate serial numbers.
23 Time interval is not continuous.
24 Time information not available.
25 Database method failed due to timeout.
26 Database method failed.
27 Path was not verified.
28 Maximum path length reached.
Table 234 802.
Table 234 802.1X Logs (continued)
Use Local User Database to authenticate user.
  The local user database is operating as the authentication server.
Use RADIUS to authenticate user.
  The RADIUS server is operating as the authentication server.
No Server to authenticate user.
  There is no authentication server to authenticate a user.
Local User Database does not find user`s credential.
Table 236 ICMP Notes (continued)
TYPE  CODE  DESCRIPTION
      2     Redirect datagrams for the Type of Service and Network
      3     Redirect datagrams for the Type of Service and Host
Echo  8  0
Time Exceeded  11  0  Time to live exceeded in transit
               1      Fragment reassembly time exceeded
Parameter Problem  12  0  Pointer indicates the error
Timestamp  13  0  Timestamp request message
Timestamp Reply  14  0  Timestamp reply message
Information Request  15  0  Information request message
Information
Syslog Logs
There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session" is terminated. A traffic log summarizes the session's type, when it started and stopped, the amount of traffic that was sent and received, and so on.
Table 238 RFC-2408 ISAKMP Payload Types (continued)
LOG DISPLAY  PAYLOAD TYPE
TRANS        Transform
KE           Key Exchange
ID           Identification
CER          Certificate
CER_REQ      Certificate Request
HASH         Hash
SIG          Signature
NONCE        Nonce
NOTFY        Notification
DEL          Delete
VID          Vendor ID
Log Commands
This section provides some general examples of how to use the log commands. The items that display with your device may vary but the basic function should be the same.
Figure 387 Displaying Log Parameters Example
ras> sys logs category access
Usage: [0:none/1:log/2:alert/3:both] [0:don't show debug type/1:show debug type]
4 Use sys logs category followed by a log category and a parameter to decide what to record. Use 0 to not record logs for that category, 1 to record only logs for that category, 2 to record only alerts for that category, and 3 to record both logs and alerts for that category.
Log Command Example
This example shows how to set the ZyWALL to record the access logs and alerts and then view the results.
ras> sys logs load
ras> sys logs category access 3
ras> sys logs save
ras> sys logs display access
# .time source destination message
0|06/08/2004 05:58:21 |172.21.4.154 |224.0.1.24 BLOCK Firewall default policy: IGMP (W to W/ZW)
1|06/08/2004 05:58:20 |172.21.3.56 |239.255.255.
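Both the VPN log in Figure 363 and the access log above use the same record layout (index, date and time, source, destination, message). The following added parser (example code written for this guide, not a ZyXEL tool) pulls the fields out of captured output and gives two quick triage views: blocked packets per source and which VPN rules reported a built tunnel. The sample capture is constructed after the guide's examples; the second line completes the truncated multicast address and the UDP message is invented.

```python
"""Parser for ZyNOS 'sys logs display' / 'sys log disp' output.
Added example, not ZyXEL code; SAMPLE_LOG is constructed after the guide's examples."""
import re
from collections import Counter

# Record layout: "<n>|<MM/DD/YYYY HH:MM:SS> |<source> |<destination> <message>"
LINE_RE = re.compile(
    r"^(?P<idx>\d+)\|(?P<time>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"\|(?P<src>\S+) \|(?P<dst>\S+) (?P<msg>.*)$"
)
TUNNEL_RE = re.compile(r"Rule \[(?P<rule>[^\]]+)\] Tunnel built successfully")

SAMPLE_LOG = """\
ras> sys logs display access
# .time source destination message
0|06/08/2004 05:58:21 |172.21.4.154 |224.0.1.24 BLOCK Firewall default policy: IGMP (W to W/ZW)
1|06/08/2004 05:58:20 |172.21.3.56 |239.255.255.250 BLOCK Firewall default policy: UDP (W to W/ZW)
2|06/08/2004 05:58:19 |172.21.4.154 |224.0.1.24 BLOCK Firewall default policy: IGMP (W to W/ZW)
3|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 Rule [ex-1] Tunnel built successfully
4|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 Send:[HASH]
"""


def parse_log_line(line):
    """Return a dict for one record; None for prompts, the '# .time' header and blanks."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["idx"] = int(rec["idx"])
    return rec


def parse_log(text):
    """Parse a whole capture, silently skipping non-record lines."""
    records = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec:
            records.append(rec)
    return records


def blocked_by_source(records):
    """Count firewall BLOCK records per source address (quick triage view)."""
    return Counter(r["src"] for r in records if r["msg"].startswith("BLOCK"))


def tunnels_built(records):
    """Names of VPN rules whose IKE/IPSec negotiation completed."""
    names = []
    for r in records:
        m = TUNNEL_RE.match(r["msg"])
        if m:
            names.append(m.group("rule"))
    return names


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("records:", len(recs))
    print("blocked per source:", dict(blocked_by_source(recs)))
    print("tunnels built:", tunnels_built(recs))
```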
Index Numerics B 10/100 Mbps Ethernet WAN 45 Backup 364, 468 Backup VPN Connection 191 Backup WAN 45 Bandwidth Borrowing 274 Bandwidth Class 269 Bandwidth Filter 269, 280 Bandwidth Management 46, 269 Bandwidth Management Statistics 281 Bandwidth Manager Class Configuration 278 Bandwidth Manager Class Setup 277 Bandwidth Manager Monitor 282 Bandwidth Manager Summary 275 Bridge Protocol Data Units (BPDUs) 105 Bridging 405 Budget Management 485, 486 A Action for Matched Packets
Connection ID/Name 408 Console Port 457, 458, 459 Configuration File Upload 480 File Backup 472 File Upload 479 Restoring Files 475 Contact Information 8 Content Filter Categories 158 Content Filter General 155 Content Filtering 47, 155 Customizing 165 Days and Times 155 Filter List 155 Restrict Web Features 155 Copyright 3 Customer Support 8 D DDNS Configuration 377 DDNS Type 379 Default 366 Denial of Service 131, 143, 146, 435 Denial of Services Thresholds 145 DHCP 65, 95, 96,
SMT Menus 435 When To Use 441 Firewall Threshold 145 Firmware File Maintenance 467 Flow Control 367 FTP 294, 297, 312, 469, 493 File Upload 478 GUI-based Clients 470 Restoring Files 473 FTP File Transfer 476 FTP Restrictions 297, 470, 493 FTP Server 50, 427 Full Network Management 50 G Gateway IP Addr 409 Gateway IP Address 400, 414 Gateway Policy 193, 194 General Setup 351, 375 Global 249 H Hidden Menus 368 Host 353, 379 Host IDs 533 How SSH works 306 How STP Works 105 HTTPS 4
IPSec High Availability 191 IPSec SA Active Protocol 185, 187 and NetBIOS 186 Authentication Algorithms 188 Authentication Key (for manual keys) 186 Encapsulation 185, 189 Encryption Algorithms 188 Encryption Key (for manual keys) 186 IP Addresses with Manual Keys 183 Manual Keys 186 Nail Up 191 Overlapping Policies 186 Perfect Forward Secrecy (PFS) 185 Proposal 185 Replay Detection 186 SA Life Time 191 Security Parameter Index (SPI) (for manual keys) 186 Transport Mode 189 Tunne
O R Offline 379 One Minute High 146 One Minute Low 145 One to One 252 Outgoing Protocol Filters 398 Outside 249 Packet Filtering 48, 440 PAP 386, 407 Password 352, 368, 373, 400, 453 Path cost 104 Perfect Forward Secrecy (PFS) Diffie-Hellman Key Group 185 Period(hr) 387, 407 Ping 464 Point-to-Point Tunneling Protocol 72 Point-to-Point Tunneling Protocol See PPTP 119 Port Forwarding 49 Port Restricted Cone NAT 252 Power Adaptor 513 Power Adaptor Specifications 513 PPP 387 PPPoE
Safety Warnings 6 Schedule Sets Duration 496 Scheduler 271, 276 Schedules 405, 407, 408 Screws 513 Secure FTP Using SSH Example 310 Secure Telnet Using SSH Example 308 Server 253, 355, 356, 400, 405, 417, 419, 421, 422, 424, 426, 427, 489 Server IP 405 Service Name 407 Service Type 147, 148, 400, 404 Services 258 Session Initiation Protocol 335 Set Up a Schedule 495 SIP Application Layer Gateway 46 SMT 368 SMT Menu Overview 371 SNMP 49, 313 Community 453 Configuration 453 Get 314
V ZyNOS F/W Version 458, 468 Virtual Private Network 46 Virtual Private Network. See VPN. VPN 119, 179 Active Protocol 187 and NAT 190 and Remote Management 180 Established in Two Phases 179 IKE SA. See IKE SA. IPSec 179 IPSec SA. See IPSec SA. Local Network 179 Manual Keys 180 Proposal 181 Remote IPSec Router 179 Remote Network 179 Security Association (SA) 179 VPN Application 51 VPN HA 191 VPN. See also IKE SA, IPSec SA.