User / maintenance manual for the 35 Series product from the manufacturer ZyXEL Communications
ZyWALL 5/35/70 Series Internet Security Appliance User’s Guide Version 4.00 12/2005.
Copyright
Copyright © 2005 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, tr.
Federal Communications Commission (FCC) Interference Statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: • This device may not cause harmful interference.
Safety Warnings
For your safety, be sure to read and follow all warning notices and instructions. • Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks.
ZyXEL Limited Warranty
ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase.
Customer Support
Please have the following information ready when you contact customer support. • Product model and serial number. • Warranty Information. • Date that you received your device.
POLAND info@pl.zyxel.com +48-22-5286603 www.pl.zyxel.com ZyXEL Communications ul.Emilli Plater 53 00-113 Warszawa Poland +48-22-5206701 RUSSIA http://zyxel.ru/support +7-095-542-89-29 www.zyxel.
Table of Contents
Copyright
Federal Communications Commission (FCC) Interference Statement
2.4.5 Show Statistics: Line Chart
2.4.6 DHCP Table Screen
Chapter 6 Bridge Screens
6.1 Bridge Loop
7.17 Configuring Advanced Modem Setup
Chapter 8 DMZ Screens
9.16.4 IEEE 802.1x + Dynamic WEP
9.16.5 IEEE 802.1x + Static WEP
11.3.3.2 Service
11.3.3.3 Source Address
13.3.3 Signature Actions
13.3.4 Configuring IDP Signatures
Chapter 16 Content Filtering Screens
16.1 Content Filtering Overview
Chapter 19 VPN Screens
19.1 VPN/IPSec Overview
20.5.1 Certificate File Formats
20.6 My Certificate Create
22.7 Port Triggering
Chapter 23 Static Route
Chapter 26 DNS
26.1 DNS Overview
27.13 FTP
27.14 SNMP
Chapter 30 Logs Screens
30.1 Configuring View Log
32.4 Changing the System Password
32.5 Resetting the ZyWALL
37.3 TCP/IP Setup
37.3.1 IP Address
42.2 NAT Setup
42.2.1 Address Mapping Sets
46.2 System Status
46.3 System Information and Console Port Speed
Chapter 48 System Maintenance Menus 8 to 10
48.1 Command Interpreter Mode
Hardware Installation
Appendix C Removing and Installing a Fuse
Appendix S Log Descriptions
Index
List of Figures
Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem
Figure 2 VPN Application
Figure 39 WLAN Port Role Example
Figure 40 LAN Port Roles
Figure 82 Wireless Card: WPA-PSK
Figure 83 Wireless Card: WPA
Figure 125 Anti-Spam: General
Figure 126 Anti-Spam: External DB
Figure 168 Trusted Remote Hosts
Figure 169 Remote Host Certificates
Figure 211 Login Screen (Internet Explorer)
Figure 212 Login Screen (Netscape)
Figure 254 Firmware Upload In Process
Figure 255 Network Temporarily Disconnected
Figure 297 Menu 6.3: Route Failover
Figure 298 Menu 7.1: Wireless Setup
Figure 339 Menu 21.2: Firewall Setup
Figure 340 Outgoing Packet Filtering Process
Figure 382 Example Xmodem Upload
Figure 383 Menu 24.7.2 As Seen Using the Console Port
Figure 425 Windows XP: Advanced TCP/IP Properties
Figure 426 Windows XP: Internet Protocol (TCP/IP) Properties
Figure 468 Headquarters Network Policy Edit
Figure 469 Branch Office Network Policy Edit
List of Tables
Table 1 Model Specific Features
Table 2 Front Panel LEDs
Table 39 WAN: Ethernet Encapsulation
Table 40 WAN: PPPoE Encapsulation
Table 82 Common Computer Virus Types
Table 83 Anti-Virus: General
Table 125 NAT Mapping Types
Table 126 NAT Overview
Table 168 Web Site Hits Report
Table 169 Protocol/Port Report
Table 211 Remote Node Network Layer Options Menu Fields
Table 212 Menu 11.1.5: Traffic Redirect Setup
Table 254 Classes of IP Addresses
Table 255 Allowed IP Address Range By Class
Table 297 AS Logs
Table 298 Syslog Logs
Preface
Congratulations on your purchase of the ZyWALL. Note: Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.
Syntax Conventions
• “Enter” means for you to type one or more characters. “Select” or “Choose” means for you to use one of the predefined choices. • The SMT menu titles and labels are in Bold Times New Roman font.
CHAPTER 1 Getting to Know Your ZyWALL
This chapter introduces the main features and applications of the ZyWALL.
Table Key: An O in a mode’s column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change.
Time and Date
The ZyWALL allows you to get the current time and date from an external server when you turn on your ZyWALL. You can also set the time manually. The Real Time Chip (RTC) keeps track of the time and date.
Bandwidth Management
Bandwidth management allows you to allocate network resources according to defined policies. This policy-based bandwidth allocation helps your network to better handle real-time applications such as Voice-over-IP (VoIP).
Content Filtering
The ZyWALL can block web features such as ActiveX controls, Java applets and cookies, as well as disable web proxies. The ZyWALL can block or allow access to web sites that you specify.
IEEE 802.1x for Network Security
The ZyWALL supports the IEEE 802.1x standard that works with the IEEE 802.
Dynamic DNS Support
With Dynamic DNS (Domain Name System) support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet.
Traffic Redirect
Traffic Redirect forwards WAN traffic to a backup gateway on the LAN when the ZyWALL cannot connect to the Internet, thus acting as an auxiliary backup when your regular WAN connection fails.
1.3 Applications for the ZyWALL
Here are some examples of what you can do with your ZyWALL.
Figure 2 VPN Application
1.3.3 Front Panel LEDs
Figure 3 ZyWALL 70 Front Panel
Figure 4 ZyWALL 35 Front Panel
Figure 5 Z.
The following table describes the LEDs.
Table 2 Front Panel LEDs
LED | COLOR | STATUS | DESCRIPTION
PWR | | Off | The ZyWALL is turned off.
 | Green | On | The ZyWALL is turned on.
 | Red | On | The power to the ZyWALL is too low.
CHAPTER 2 Introducing the Web Configurator
This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens.
Figure 6 Change Password Screen
6 Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device.
2.3.1 Procedure To Use The Reset Button
Make sure the SYS LED is on (not blinking) before you begin this procedure. 1 Press the RESET button for ten seconds, and then release it.
Note: Follow the instructions you see in the HOME screen or click the icon. The screen varies according to the device mode you select in the MAINTENANCE Device Mode screen.
The following table describes the labels in this screen. Table 3 Web Configurator HOME Screen in Router Mode LABEL DESCRIPTION Wizards for WAN 1 (WAN) and VPN Quick Setup Internet Access Click Internet Access to use the initial configuration wizard.
2.4.2 Bridge Mode
The following screen displays when the ZyWALL is set to bridge mode. While in bridge mode, the ZyWALL cannot get an IP address from a DHCP server.
Figure 10 Web Configurator HOME Screen in Bridge Mode
The following table describes the labels in this screen. Table 4 Web Configurator HOME Screen in Bridge Mode LABEL DESCRIPTION Wizards for VPN Quick Setup VPN Click VPN to create VPN policies.
Firmware Version This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design. Device Mode This displays whether the ZyWALL is functioning as a router or a bridge.
2.4.3 Navigation Panel
After you enter the password, use the sub-menus on the navigation panel to configure ZyWALL features. The following table lists the features available for each device mode.
Table Key: An O in a mode’s column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change.
WAN General This screen allows you to configure load balancing, route priority and traffic redirect properties. Route (ZyWALL 5 only) This screen allows you to configure route priority.
IDP General Use this screen to enable IDP on the ZyWALL and choose what interface(s) you want to protect from intrusions.
NAT NAT Overview Use this screen to enable NAT. Address Mapping Use this screen to configure network address translation mapping rules. Port Forwarding Use this screen to configure servers behind the ZyWALL.
2.4.4 System Statistics
Click Show Statistics in the HOME screen. Read-only information here includes port status and packet specific statistics. Also provided is "Up Time" and "poll interval(s)".
2.4.5 Show Statistics: Line Chart
Click the icon in the Show Statistics screen.
The following table describes the labels in this screen.
2.4.6 DHCP Table Screen
DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server.
The following table describes the labels in this screen.
2.4.7 VPN Status
Click VPN Status in the HOME screen when the ZyWALL is set to router mode. Read-only information here includes encapsulation mode and security protocol.
Figure 14 Home : VPN Status
The following table describes the labels in this screen. Table 10 Home : VPN Status LABEL DESCRIPTION # This is the security association index number.
CHAPTER 3 Wizard Setup
This chapter provides information on the Wizard Setup screens in the web configurator. The Internet access wizard is only applicable when the ZyWALL is in router mode.
Figure 15 ISP Parameters : Ethernet Encapsulation
The following table describes the labels in this screen.
3.2.1.2 PPPoE Encapsulation
Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection.
3.2.1.3 PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables transfers of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
Figure 17 ISP Parameters: PPTP Encapsulation
The following table describes the labels in this screen. Table 13 ISP Parameters : PPTP Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Select PPTP from the drop-down list box.
3.2.2 Internet Access Wizard: Second Screen
Click Next to go to the screen where you can register your ZyWALL and activate the free content filtering, anti-spam, anti-virus and IDP trial applications.
Figure 19 Internet Access Setup Complete
3.2.3 Internet Access Wizard: Registration
If you clicked Next in the previous screen (see Figure 18 on page 89), the following screen displays.
The following table describes the labels in this screen. After you fill in the fields and click Next, the following screen shows indicating the registration is in progress. Wait for the registration progress to finish.
Figure 22 Internet Access Wizard: Status
The following screen appears if the registration was not successful. Click Return to go back to the Device Registration screen and check your settings.
Figure 25 Internet Access Wizard: Activated Services
3.3 VPN Wizard Gateway Setting
Use the VPN wizard screens to configure a VPN rule that uses a pre-shared key. If you want to set the rule to use a certificate, please go to the VPN screens for configuration.
The following table describes the labels in this screen.
3.4 VPN Wizard Network Setting
Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both.
Figure 27 VPN Wizard: Network Setting
The following table describes the labels in this screen. Table 16 VPN Wizard : Network Setting LABEL DESCRIPTION Network Policy Property Active If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel.
3.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1)
Figure 28 VPN Wizard: IKE Tunnel Setting
Remote Network Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses.
The following table describes the labels in this screen. Table 17 VPN Wizard: IKE Tunnel Setting LABEL DESCRIPTION Negotiation Mode Select Main Mode for identity protection. Select Aggressive Mode to allow more incoming connections from dynamic IP addresses to use separate passwords.
3.6 VPN Wizard IPSec Setting (IKE Phase 2)
Figure 29 VPN Wizard: IPSec Setting
The following table describes the labels in this screen. Table 18 VPN Wizard: IPSec Setting LABEL DESCRIPTION Encapsulation Mode Tunnel is compatible with NAT, Transport is not.
3.7 VPN Wizard Status Summary
This read-only screen shows the status of the current VPN setting. Use the summary table to check whether what you have configured is correct. SA Life Time (Seconds) Define the length of time before an IKE SA automatically renegotiates in this field.
Figure 30 VPN Wizard: VPN Status
The following table describes the labels in this screen. Table 19 VPN Wizard: VPN Status LABEL DESCRIPTION Gateway Policy Property Name This is the name of this VPN gateway policy.
Name This is the name of this VPN network policy. Network Policy Setting Local Network Starting IP Address This is a (static) IP address on the LAN behind your ZyWALL. Ending IP Address/ Subnet Mask When the local network is configured for a single IP address, this field is N/A.
3.8 VPN Wizard Setup Complete
Congratulations! You have successfully set up the VPN rule after any existing rule(s) for your ZyWALL.
CHAPTER 4 Registration
4.1 myZyXEL.com overview
myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL.
You will get automatic e-mail notification of new signature releases from mySecurityZone after you activate the IDP/Anti-virus service. You can also check for new signature or virus updates at http://mysecurity .
The following table describes the labels in this screen. Note: If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated. Use the Service screen to update your service subscription status.
Figure 33 Registration : Registered Device
4.3 Service
After you activate a trial, you can also use the Service screen to register and enter your iCard’s PIN number (license key). Click REGISTRATION, Service to open the screen as shown next.
The following table describes the labels in this screen. Table 21 Service LABEL DESCRIPTION Service Management Service This field displays the service name available on the ZyWALL. Status This field displays whether a service is activated (Active) or not (Inactive).
CHAPTER 5 LAN Screens
This chapter describes how to configure LAN settings. This chapter is only applicable when the ZyWALL is in router mode. The LAN Port Roles screen is available on the ZyWALL 5 and ZyWALL 35.
These parameters should work for the majority of installations. If your ISP gives you explicit DNS server address(es), read the embedded web configurator help regarding what fields need to be configured.
Both RIP-2B and RIP-2M send routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting.
Figure 35 LAN
The following table describes the labels in this screen. Table 22 LAN LABEL DESCRIPTION LAN TCP/IP IP Address Type the IP address of your ZyWALL in dotted decimal notation.
Multicast Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data.
5.6 LAN Static DHCP
This table allows you to assign IP addresses on the LAN to specific individual computers based on their MAC Addresses. Every Ethernet device has a unique MAC (Media Access Control) address.
5.7 LAN IP Alias
IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface.
Figure 38 LAN IP Alias
The following table describes the labels in this screen. Table 24 LAN IP Alias LABEL DESCRIPTION Enable IP Alias 1, 2 Select the check box to configure another LAN network for the ZyWALL.
5.8 LAN Port Roles
Use the Port Roles screen to set ports as LAN, DMZ or WLAN interfaces. The LAN port role is not available on all models. Connect wireless LAN Access Points (APs) to WLAN interfaces to extend the ZyWALL’s wireless LAN coverage.
To change your ZyWALL’s port role settings, click NETWORK, LAN and then the Port Roles tab. The screen appears as shown. The radio buttons on the left correspond to Ethernet ports on the front panel of the ZyWALL.
After you change the LAN/DMZ/WLAN port roles and click Apply, please wait for a few seconds until the following screen appears. Click Return to go back to the Port Roles screen.
Figure 41 Port Roles Change Complete
Apply Click Apply to save your changes back to the ZyWALL.
ZyWALL 5/35/70 Series User’s Guide Chapter 6 Bridge Sc reens 122 C HAPTER 6 Bridge Screens This chapter describes how to configure bridge settings. This chapter is only applicable when the ZyW ALL is in bridge mode. 6.1 Bridge Loop The ZyW ALL can act as a bridge between a switch and a wired LAN o r between two routers.
ZyWALL 5/35/70 Series User’s Guide 123 Chapter 6 Bridge Screens 6.2.1 Rapid STP The ZyW ALL uses IEEE 802.1w RSTP (Rapid Spanning T ree Protocol) that allow faster convergence of the spanning tree (while al so being backwards comp atible with STP-only aware bridges).
ZyWALL 5/35/70 Series User’s Guide Chapter 6 Bridge Sc reens 124 Once a stable network topology has been esta blished, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) tr ansmitted from the root bridge.
ZyWALL 5/35/70 Series User’s Guide 125 Chapter 6 Bridge Screens Figure 43 Bridge The following table describes the labels in this screen. T able 28 Bridge LABEL DESCRIPTION Bridge IP Address Setup IP Address T ype the IP address of your ZyWALL in dotted decimal notation.
ZyWALL 5/35/70 Series User’s Guide Chapter 6 Bridge Sc reens 126 6.4 Bridge Port Roles Use the Port R oles screen to set ports as LAN , DMZ or WLAN interfaces. The LAN port role is not available on all models. Connect wireless LAN Access Points (APs) to WLAN interfaces to extend the ZyW ALL ’ s wireless LAN coverage.
Figure 44 WLAN Port Role Example
To change your ZyWALL’s port role settings, click NETWORK, BRIDGE and then the Port Roles tab. The screen appears as shown. The radio buttons on the left correspond to Ethernet ports on the front panel of the ZyWALL.
After you change the LAN/DMZ/WLAN port roles and click Apply, please wait for a few seconds until the following screen appears.
CHAPTER 7 WAN Screens
This chapter describes how to configure WAN settings. Multiple WAN and load balancing are not available on the ZyWALL 5.
You can select through which WAN port you want to send out traffic from UPnP-enabled applications (see Chapter 28 on page 456). The ZyWALL's DDNS lets you select which WAN interface you want to use for each individual domain name.
7.4.1.1 Example 1
The following figure depicts an example where both the WAN ports on the ZyWALL are connected to the Internet. The configured available outbound bandwidths for WAN 1 and WAN 2 are 512K and 256K respectively.
7.4.2 Weighted Round Robin
Similar to the Round Robin (RR) algorithm, the Weighted Round Robin (WRR) algorithm sets the ZyWALL to send traffic through each WAN interface in turn. In addition, the WAN interfaces are assigned weights.
Figure 49 Spillover Algorithm Example
7.5 TCP/IP Priority (Metric)
The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost".
Figure 50 WAN General
The following table describes the labels in this screen.
Table 32 WAN General
LABEL DESCRIPTION
Active/Passive (Fail Over) Mode: Select the Active/Passive (fail over) operation mode to have the ZyWALL use the second highest priority WAN port as a back up.
7.7 Configuring Load Balancing
To configure load balancing on the ZyWALL, click NETWORK, WAN in the navigation panel. The WAN General screen displays by default. Select Active/Active Mode under Operation Mode to enable load balancing on the ZyWALL.
7.7.1 Least Load First
To configure Least Load First, select Least Load First in the Load Balancing Algorithm field.
Figure 51 Load Balancing: Least Load First
The following table describes the related fields in this screen.
7.7.2 Weighted Round Robin
To load balance using the weighted round robin method, select Weighted Round Robin in the Load Balancing Algorithm field.
Figure 52 Load Balancing: Weighted Round Robin
The following table describes the related fields in this screen.
Figure 53 Load Balancing: Spillover
The following table describes the related fields in this screen.
7.8 WAN Route
Click NETWORK, WAN to open the Route screen. Use this screen to configure route priority.
Figure 54 WAN Route
The following table describes the labels in this screen.
Table 36 WAN Route
LABEL DESCRIPTION
Route Priority WAN .
7.9 WAN IP Address Assignment
Every computer on the Internet must have a unique IP address. If your networks are isolated from the Internet, for instance, only between your two branch offices, you can assign any IP addresses to the hosts without problems.
1 The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, manually enter them in the DNS server fields.
Figure 55 WAN: Ethernet Encapsulation
The following table describes the labels in this screen.
Retype to Confirm: Type your password again to make sure that you have entered it correctly.
Login Server IP Address: Type the authentication server IP address here if your ISP gave you one.
7.12.2 PPPoE Encapsulation
The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (DSL, cable, wireless, etc.
Operationally, PPPoE saves significant effort for both you and the ISP or carrier, as it requires no specific configuration of the broadband modem at the customer site.
The following table describes the labels in this screen.
Table 40 WAN: PPPoE Encapsulation
LABEL DESCRIPTION
ISP Parameters for Internet Access
Encapsulation: The PPPoE choice is for a dial-up connection using PPPoE.
RIP Direction: RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets.
7.12.3 PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
The following table describes the labels in this screen.
Table 41 WAN: PPTP Encapsulation
LABEL DESCRIPTION
ISP Parameters for Internet A.
Enable NAT (Network Address Translation): Network Address Translation (NAT) allows the translation of an Internet protocol address use.
7.13 Traffic Redirect
Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the ZyWALL still provides firewall protection.
Figure 59 Traffic Redirect LAN Setup
7.14 Configuring Traffic Redirect
To change your ZyWALL’s traffic redirect settings, click NETWORK, WAN and then the Traffic Redirect tab. The screen appears as shown.
7.15 Configuring Dial Backup
Click NETWORK, WAN and then the Dial Backup tab to display the Dial Backup screen.
Figure 61 Dial Backup
The following table describes the labels in this screen.
Table 43 Dial Backup
LABEL DESCRIPTION
Dial Backup Setup
Enable Dial Backup: Select this check box to turn on dial backup.
Basic Settings
Login Name: Type the login name assigned by your ISP.
Enable RIP: Select this check box to turn on RIP (Routing Information Protocol), which allows a router to exchange routing information with other routers.
7.16 Advanced Modem Setup
7.16.1 AT Command Strings
For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing. ATDT is the command for a switch that requires tone dialing.
Figure 62 Advanced Setup
The following table describes the labels in this screen.
Table 44 Advanced Setup
LABEL DESCRIPTION
AT Command Strings
Dial: Type the AT Command string to make a call.
Dial Timeout (sec): Type a number of seconds for the ZyWALL to try to set up an outgoing call before timing out (stopping).
Retry Count: Type a number of times for the ZyWALL to retry a busy or no-answer phone number before blacklisting the number.
CHAPTER 8 DMZ Screens
This chapter describes how to configure the ZyWALL’s DMZ.
8.
Figure 63 DMZ
The following table describes the labels in this screen.
Table 45 DMZ
LABEL DESCRIPTION
DMZ TCP/IP
IP Address: Type the IP address of your ZyWALL’s DMZ port in dotted decimal notation.
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information.
8.3 DMZ Static DHCP
This table allows you to assign IP addresses on the DMZ to specific individual computers based on their MAC Addresses. Every Ethernet device has a unique MAC (Media Access Control) address.
Figure 64 DMZ Static DHCP
The following table describes the labels in this screen.
Table 46 DMZ Static DHCP
LABEL DESCRIPTION
#: This is the index number of the Static IP table entry (row).
8.4 DMZ IP Alias
IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface.
8.5 DMZ Public IP Address Example
The following figure shows a simple network set up with public IP addresses on the WAN and DMZ and private IP addresses on the LAN. Lower case letters represent public IP addresses (like a.
Figure 66 DMZ Public Address Example
8.6 DMZ Private and Public IP Address Example
The following figure shows a network setup with both private and public IP addresses on the DMZ. Lower case letters represent public IP addresses (like a.
Figure 67 DMZ Private and Public Address Example
8.7 DMZ Port Roles
Use the Port Roles screen to set ports as LAN, DMZ or WLAN interfaces. The LAN port role is not available on all models.
Figure 68 WLAN Port Role Example
Note: Do the following if you are configuring from a computer connected to a LAN, DMZ or WLAN port and changing the port's role:
1.
Figure 69 DMZ: Port Roles
The following table describes the labels in this screen.
Table 48 DMZ: Port Roles
LABEL DESCRIPTION
LAN: Select a port’s LAN radio button to use the port as part of the LAN.
CHAPTER 9 Wireless LAN
This chapter discusses how to configure wireless LAN on the ZyWALL.
Figure 70 WLAN
The following table describes the labels in this screen.
Table 49 WLAN
LABEL DESCRIPTION
WLAN TCP/IP
IP Address: Type the IP address of your ZyWALL’s WLAN interface in dotted decimal notation.
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information.
9.3 WLAN Static DHCP
This table allows you to assign IP addresses on the WLAN to specific individual computers based on their MAC addresses. Every Ethernet device has a unique MAC (Media Access Control) address.
Figure 71 WLAN Static DHCP
The following table describes the labels in this screen.
9.4 WLAN IP Alias
IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface.
When you use IP alias, you can also configure firewall rules to control access between the WLAN's logical networks (subnets).
Note: Make sure that the subnets of the logical networks do not overlap.
9.5 WLAN Port Roles
Use the Port Roles screen to set ports as LAN, DMZ or WLAN interfaces. The LAN port role is not available on all models. Connect wireless LAN Access Points (APs) to WLAN interfaces to extend the ZyWALL’s wireless LAN coverage.
Note: Do the following if you are configuring from a computer connected to a LAN, DMZ or WLAN port and changing the port's role:
1.
After you change the LAN/DMZ/WLAN port roles and click Apply, please wait for a few seconds until the following screen appears. Click Return to go back to the Port Roles screen.
Figure 75 WLAN Port Roles Change Complete
9.
Figure 76 ZyWALL Wireless Security Levels
If you do not enable any wireless security on your ZyWALL, your network is accessible to any wireless networking device that is within range.
9.6.3 Restricted Access
The MAC Filter screen allows you to configure the AP to give exclusive access to devices (Allow Association) or exclude them from accessing the AP (Deny Association).
9.9 802.1x Overview
The IEEE 802.1x standard outlines enhanced security methods for both the authentication of wireless stations and encryption key management.
Sent by the RADIUS server to indicate that it has started or stopped accounting. In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password, they both know.
If this feature is enabled, it is not necessary to configure a default encryption key in the Wireless Card screen (see Section 9.16.4 on page 196). You may still configure and store keys here, but they will not be used while dynamic WEP is enabled.
TKIP regularly changes and rotates the encryption keys so that the same encryption key is never used twice.
Figure 78 WPA-PSK Authentication
9.13 Introduction to RADIUS
The ZyWALL can use an external RADIUS server to authenticate an unlimited number of users.
Figure 79 WPA with RADIUS Application Example
9.15 Wireless Client WPA Supplicants
A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA.
Figure 80 Wireless Card: No Security
The following table describes the labels in this screen.
9.16.1 Static WEP
Static WEP provides a mechanism for encrypting data using encryption keys. Both the AP and the wireless stations must use the same WEP key to encrypt and decrypt data.
Figure 81 Wireless Card: Static WEP
The following table describes the wireless LAN security labels in this screen.
9.16.2 WPA-PSK
Click the NETWORK and WIRELESS CARD to display the Wireless Card screen.
Figure 82 Wireless Card: WPA-PSK
The following wireless LAN security fields become available when you select WPA-PSK in the Security drop down list-box.
Table 56 Wireless Card: WPA-PSK
LABEL DESCRIPTION
Security: Select WPA-PSK from the drop-down list.
9.16.3 WPA
Click the NETWORK and WIRELESS CARD to display the Wireless Card screen. Select WPA from the Security list.
Figure 83 Wireless Card: WPA
The following wireless LAN security fields become available when you select WPA in the Security drop down list-box.
9.16.4 IEEE 802.1x + Dynamic WEP
Click the NETWORK and WIRELESS CARD to display the Wireless Card screen. Select 802.1x + Dynamic WEP from the Security list.
Figure 84 Wireless Card: 802.
9.16.5 IEEE 802.1x + Static WEP
Click the NETWORK and WIRELESS CARD to display the Wireless Card screen. Select 802.1x + Static WEP from the Security list.
Figure 85 Wireless Card: 802.
9.16.6 IEEE 802.1x + No WEP
Click the NETWORK and WIRELESS CARD to display the Wireless Card screen.
The following wireless LAN security fields become available when you select 802.1x + No WEP in the Security drop down list-box.
9.16.7 No Access 802.1x + Static WEP
Click the NETWORK and WIRELESS CARD to display the Wireless Card screen.
The following wireless LAN security fields become available when you select No Access 802.1x + Static WEP in the Security drop down list-box.
9.16.8 No Access 802.1x + No WEP
Click the NETWORK and WIRELESS CARD to display the Wireless Card screen.
Figure 88 Wireless Card: MAC Address Filter
The following table describes the labels in this menu.
Table 62 Wireless Card: MAC Address Filter
LABEL DESCRIPTION
Active: Select or clear the check box to enable or disable MAC address filtering.
CHAPTER 10 Firewalls
This chapter gives some background information on firewalls and introduces the ZyWALL firewall.
10.1 Firewall Overview
Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another.
1 Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems.
Figure 89 ZyWALL Firewall Application
10.4 Denial of Service
Denials of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet.
10.4.2 Types of DoS Attacks
There are four types of DoS attacks:
1 Those that exploit bugs in a TCP/IP implementation.
2 Those that exploit weaknesses in the TCP/IP specification.
3 Brute-force attacks that flood a network with useless data.
response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue.
Figure 92 Smurf Attack
10.4.2.1 ICMP Vulnerability
ICMP is an error-reporting protocol that works in concert with IP. The following ICMP types trigger an alert:
10.4.2.2 Illegal Commands (NetBIOS and SMTP)
The only legal NetBIOS commands are the following - all others are illegal.
All SMTP commands are illegal except for those displayed in the following tables.
10.4.2.3 Traceroute
Traceroute is a utility used to determine the path a packet takes between two endpoints.
Figure 93 Stateful Inspection
The previous figure shows the ZyWALL’s default firewall rules in action as well as demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed.
temporary entries might be modified, in order to permit only packets that are valid for the current state of the connection.
If an initiation packet originates on the LAN, this means that someone is trying to make a connection from the LAN to the Internet. Assuming that this is an acceptable part of the security policy (as is the case with the default policy), the connection will be allowed.
Any protocol that operates in this way must be supported on a case-by-case basis. You can use the web configurator’s Custom Services feature to do this.
10.6 Guidelines For Enhancing Security With Your Firewall
1 Change the default password via SMT or web configurator.
10.7.2 Firewall
• The firewall inspects packet contents as well as their source and destination addresses.
CHAPTER 11 Firewall Screens
This chapter shows you how to configure your ZyWALL firewall.
11.1 Access Methods
The web configurator is, by far, the most comprehensive firewall configuration tool your ZyWALL has to offer.
• WLAN to WAN
By default, the ZyWALL’s stateful packet inspection drops packets traveling in the following directions:
11.3 Rule Logic Overview
Note: Study these points carefully before configuring rules.
11.3.1 Rule Checklist
1 State the intent of the rule. For example, This restricts all IRC access from the LAN to the Internet.
11.3.3.2 Service
Select the service from the Service scrolling list box. If the service is not listed, it is necessary to first define it. See Section 11.11.2 on page 233 for more information on predefined services.
Figure 94 LAN to WAN Traffic
11.4.2 WAN To LAN Rules
The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If you wish to allow certain WAN users to have access to your LAN, you will need to create custom rules to allow it.
11.6 Firewall Default Rule (Router Mode)
Click SECURITY, FIREWALL to open the Default Rule screen. Enable (or activate) the firewall by selecting the Enable Firewall check box.
11.7 Firewall Default Rule (Bridge Mode)
Click SECURITY, FIREWALL to open the Default Rule screen. Enable (or activate) the firewall by selecting the Enable Firewall check box.
Figure 97 Default Rule (Bridge Mode)
The following table describes the labels in this screen.
Table 68 Default Rule (Bridge Mode)
LABEL DESCRIPTION
Enable Firewall: Select this check box to activate the firewall.
11.8 Firewall Rule Summary
Click SECURITY, FIREWALL, then the Rule Summary tab to open the screen. This screen displays a list of the configured firewall rules.
Note: The ordering of your rules is very important as rules are applied in turn.
11.8.1 Firewall Edit Rule
Follow these directions to create a new rule.
1 In the Rule Summary screen, type the index number for where you want to put the rule. For example, if you type 6, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.
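The effect of rule ordering and of the insertion index described above, as an added Python example that is not part of the ZyXEL manual or the ZyWALL firmware. It assumes that "applied in turn" means the first matching rule decides and that unmatched WAN to LAN traffic is dropped, as the default rule states; the `Rule` class, rule names and addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """Simplified model of one WAN to LAN rule (hypothetical, not a ZyWALL format)."""
    name: str
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    port: Optional[int]   # None means any port
    action: str           # "permit" or "drop"

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.port is None or self.port == port))

    def covers(self, other: "Rule") -> bool:
        """True if every packet that matches `other` also matches this rule."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and (self.port is None or self.port == other.port))


def insert_rule(rules: List[Rule], index: int, rule: Rule) -> List[Rule]:
    """Insert at a 1-based index; the rule previously there moves down by one."""
    if not 1 <= index <= len(rules) + 1:
        raise ValueError("index out of range")
    return rules[:index - 1] + [rule] + rules[index - 1:]


def evaluate(rules: List[Rule], src: str, dst: str, port: int,
             default: str = "drop") -> Tuple[int, str]:
    """Return (rule number, action) of the first match, or (0, default)."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(src, dst, port):
            return number, rule.action
    return 0, default


def shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """List (later, earlier) rule numbers where the earlier rule fully covers
    the later one with a different action, so the later rule never takes effect."""
    findings = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if earlier.covers(later) and earlier.action != later.action:
                findings.append((j + 1, i + 1))
                break
    return findings


# Constructed sample policy using documentation address ranges.
BASE_RULES = [
    Rule("block-partner-net", "203.0.113.0/24", "192.168.1.0/24", None, "drop"),
    Rule("allow-web", "0.0.0.0/0", "192.168.1.10/32", 80, "permit"),
]
NEW_RULE = Rule("allow-partner-ssh", "203.0.113.7/32", "192.168.1.20/32", 22, "permit")

if __name__ == "__main__":
    packet = ("203.0.113.7", "192.168.1.20", 22)
    for index in (3, 1):
        rules = insert_rule(BASE_RULES, index, NEW_RULE)
        print(f"new rule at index {index}:",
              [r.name for r in rules],
              "decision", evaluate(rules, *packet),
              "shadowed", shadowed(rules))
```

Placed last, the new permit rule is never reached because the broader drop rule above it matches first; placed at index 1, it takes effect and the former rule 1 becomes rule 2.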
Figure 99 Firewall Edit Rule
The following table describes the labels in this screen.
Table 70 Firewall Edit Rule
LABEL DESCRIPTION
Rule Name: Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the firewall rule.
11.9 Anti-Probing
If an outside user attempts to probe an unsupported port on your ZyWALL, an ICMP response packet is automatically returned. This allows the outside user to know the ZyWALL exists.
11.10 Firewall Threshold
In the Threshold screen, shown later, you may choose to generate an alert whenever an attack is detected. For DoS attacks, the ZyWALL uses thresholds to determine when to drop sessions that do not become fully established.
When the rate of new connection attempts rises above a threshold (one-minute high), the ZyWALL starts deleting half-open sessions as required to accommodate new connection requests.
Figure 101 Firewall Threshold
The following table describes the labels in this screen.
Table 72 Firewall Threshold
LABEL DESCRIPTION
Disable DoS Attack Protection on: Select the check box of an interface to which the ZyWALL does not apply the thresholds.
11.11 Service
Click SECURITY, FIREWALL, then the Service tab to open the screen as shown next. Use this screen to configure custom services for use in firewall rules or view the services that are predefined in the ZyWALL.
Figure 102 Firewall Service
The following table describes the labels in this screen.
Table 73 Firewall Service
LABEL DESCRIPTION
Custom Service: This table shows all configured custom services.
11.11.1 Firewall Edit Custom Service
Configure customized ports for services not predefined by the ZyWALL (see Section 11.11.2 on page 233 for a list of predefined services).
11.11.2 Predefined Services
The Predefined Services table in the Service screen displays all predefined services that the ZyWALL already supports. Next to the name of the service, two fields appear in brackets.
IMAP(TCP/UDP:143): Internet Message Access Protocol (IMAP) is used to access mail stored on a remote mail server over a TCP/IP connection using port 143. IMAP has shorter response times than POP3.
11.12 Example Firewall Rule
The following Internet firewall rule example allows a hypothetical My Service connection from the Internet.
1 In the Service screen, click Add to open the Edit Custom Service screen.
Figure 104 Service
2 Configure it as follows and click Apply.
Figure 105 Edit Custom Service Example
3 Click the Rule Summary tab. Select WAN to LAN from the Packet Direction drop-down list box.
Figure 106 Rule Summary
6 Enter the name of the firewall rule.
7 Select Any in the Destination Address(es) box and then click Delete.
8 Configure the destination address screen as follows and click Add.
Note: Custom services show up with an * before their names in the Services list box and the Rule Summary list box.
Figure 109 My Service Example Rule Summary
Rule 1: Allows a My Service connection from the WAN to IP addresses 10.
CHAPTER 12 Intrusion Detection and Prevention (IDP)
This chapter introduces some background information on IDP. Skip to the next chapter to see how to configure IDP on your ZyWALL.
Firewalls are usually deployed at the network edge. However, many attacks (inadvertently) are launched from within an organization.
12.1.5 Example Intrusions
The following are some examples of intrusions.
12.1.5.1 SQL Slammer Worm
W32.SQLExp.Worm is a worm that targets the systems running Microsoft SQL Server 2000, as well as Microsoft Desktop Engine (MSDE) 2000.
12.1.5.4 MyDoom
MyDoom W32.Mydoom.A@mm (also known as W32.Novarg.A) is a mass-mailing worm that arrives as an attachment with a bat, cmd, exe, pif, scr, or zip file extension.
CHAPTER 13 Configuring IDP
This chapter shows you how to configure IDP on the ZyWALL.
13.1 Overview
To use IDP on the ZyWALL, you need to insert the ZyWALL Turbo Card into the rear panel slot of the ZyWALL.
Figure 111 Applying IDP to Interfaces
13.2 General Setup
Use this screen to enable IDP on the ZyWALL and choose what interface(s) you want to protect from intrusions. Click IDP from the navigation panel.
Figure 112 IDP: General
The following table describes the labels in this screen.
13.3 IDP Signatures
The rules that define how to identify and respond to intrusions are called “signatures”.
To see signatures listed by intrusion type supported by the ZyWALL, select that type from the Attack Type list box.
Figure 113 Attack Types
The following table describes each attack type.
13.3.2 Intrusion Severity
Intrusions are assigned a severity level based on the following table. The intrusion severity level then determines the default signature action.
13.3.3 Signature Actions
You can enable/disable individual signatures.
Figure 114 Signature Actions
The following table describes signature actions.
13.3.
Figure 115 IDP: Signatures
The following table describes the labels in this screen.
Table 80 IDP Signatures: Group View
LABEL DESCRIPTION
Signature Groups
Attack Type: Select the type of signatures you want to view from the list box.
ZyWALL 5/35/70 Series User’s Guide 251 Chapter 13 Configuring IDP 13.3.5 Query View Click IDP in the navigation panel and then click the Signatures tab to see the ZyWALL’s “group view” signature screen, then click the Switch to query view link to go to this “query view” screen.
ZyWALL 5/35/70 Series User’s Guide Chapter 13 Configuring IDP 252 Note: A partial name may be searched but a complete ID number must be entered before a match can be found. For example, a search by name for “w” (in the first example) finds all intrusions that contain this letter in the name field.
ZyWALL 5/35/70 Series User’s Guide 253 Chapter 13 Configuring IDP Figure 117 Signature Query by Complete ID 13.3.5.2 Query Example 2 1 From the “group view” signature screen, click the Switch to query view link. 1 Select Signature Search By Attributes.
ZyWALL 5/35/70 Series User’s Guide Chapter 13 Configuring IDP 254 Figure 118 Signature Query by Attribute. 13.4 Update The ZyWALL comes with built-in signatures created by the ZyXEL Security Response Team (ZSRT). These are regularly updated as new intrusions evolve.
ZyWALL 5/35/70 Series User’s Guide 255 Chapter 13 Configuring IDP 13.4.2 Configuring IDP Update When scheduling signature updates, you should choose a day and time when your network is least busy so as to minimize disruption to your network. Your custom signature configurations are not over-written when you download new signatures.
ZyWALL 5/35/70 Series User’s Guide Chapter 13 Configuring IDP 256 The following table describes the labels in this screen. Table 81 Signatures Update LABEL DESCRIPTION Signature Information Current Pattern Version This field displays the signatures version number currently used by the ZyWALL.
ZyWALL 5/35/70 Series User’s Guide 257 Chapter 13 Configuring IDP 13.5 Backup and Restore You can change the pre-defined Active, Log, Alert and/or Action settings of individual signatures. Figure 120 IDP: Backup & Restore Use the Backup & Restore screen to: • Back up IDP signatures with your custom configured settings.
ZyWALL 5/35/70 Series User’s Guide Chapter 14 Anti-Virus 258 CHAPTER 14 Anti-Virus This chapter introduces and shows you how to configure the anti-virus scanner. 14.1 Anti-Virus Overview A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs.
ZyWALL 5/35/70 Series User’s Guide 259 Chapter 14 Anti-Virus 2 The virus spreads to other files and programs on the computer. 3 The infected files are unintentionally sent to another computer thus starting the spread of the virus. 4 Once the virus is spread through the network, the number of infected networked computers can grow exponentially.
ZyWALL 5/35/70 Series User’s Guide Chapter 14 Anti-Virus 260 14.2.1 How the ZyWALL Anti-Virus Scanner Works The ZyWALL checks traffic going to the interface(s) you specify for signature matches. Figure 121 ZyWALL Anti-virus Example The following describes the virus scanning process on the ZyWALL.
ZyWALL 5/35/70 Series User’s Guide 261 Chapter 14 Anti-Virus 1 The ZyWALL anti-virus scanner cannot detect polymorphic viruses. 2 The ZyWALL does not scan the following file/traffic types: • Simultaneous downloads of a file using multiple connections.
ZyWALL 5/35/70 Series User’s Guide Chapter 14 Anti-Virus 262 The following table describes the labels in this screen. 14.4 Signature Update The ZyWALL comes with built-in signatures created by the ZyXEL Security Response Team (ZSRT). These are regularly updated as new intrusions evolve.
ZyWALL 5/35/70 Series User’s Guide 263 Chapter 14 Anti-Virus Note: You should have already registered the ZyWALL at myZyXEL.com (http://www.myzyxel.com/myzyxel/) and also have either activated the trial license or standard license (iCard). If your license has expired, you will have to renew it before updates are allowed.
ZyWALL 5/35/70 Series User’s Guide Chapter 14 Anti-Virus 264 Figure 123 Anti-Virus: Update The following table describes the labels in this screen. Table 84 Anti-Virus: Update LABEL DESCRIPTION Signature Information Current Pattern Version This field displays the signatures version number currently used by the ZyWALL.
ZyWALL 5/35/70 Series User’s Guide 265 Chapter 14 Anti-Virus Update Now Click this button to begin downloading signatures from the Update Server immediately. Auto Update Select the check box to configure a schedule for automatic signature updates.
ZyWALL 5/35/70 Series User’s Guide Chapter 15 Anti-Spam 266 CHAPTER 15 Anti-Spam This chapter covers how to use the ZyWALL’s anti-spam feature to deal with junk e-mail (spam). 15.1 Anti-Spam Overview The ZyWALL’s anti-spam feature identifies unsolicited commercial or junk e-mail (spam).
ZyWALL 5/35/70 Series User’s Guide 267 Chapter 15 Anti-Spam 15.1.1.1 SpamBulk Engine The e-mail fingerprint ID that the ZyWALL generates and sends to the anti-spam external database only includes the parts of the e-mail that are the most difficult for spammers (senders of spam) to change or fake.
ZyWALL 5/35/70 Series User’s Guide Chapter 15 Anti-Spam 268 15.1.1.4 SpamTricks Engine The SpamTricks engine checks for the tactics that spammers use to minimize the expense of sending lots of e-mail and tactics that they use to bypass spam filters.
ZyWALL 5/35/70 Series User’s Guide 269 Chapter 15 Anti-Spam The anti-spam external database checks for spoofing of e-mail attributes (like the IP address) and uses statistical analysis to detect phishing. 15.1.4 Whitelist Configure whitelist entries to identify legitimate e-mail.
ZyWALL 5/35/70 Series User’s Guide Chapter 15 Anti-Spam 270 15.1.7 MIME Headers MIME (Multipurpose Internet Mail Extensions) allows varied media types to be used in e-mail.
ZyWALL 5/35/70 Series User’s Guide 271 Chapter 15 Anti-Spam The following table describes the labels in this screen. 15.3 Anti-Spam External DB Screen Click SECURITY, ANTI-SPAM, External DB to display the Anti-Spam External DB screen. Use this screen to enable or disable the use of the anti-spam external database.
ZyWALL 5/35/70 Series User’s Guide Chapter 15 Anti-Spam 272 Figure 126 Anti-Spam: External DB The following table describes the labels in this screen.
ZyWALL 5/35/70 Series User’s Guide 273 Chapter 15 Anti-Spam 15.4 Anti-Spam Lists Screen Click SECURITY, ANTI-SPAM, Lists to display the Anti-Spam Lists screen. Configure the whitelist to identify legitimate e-mail. Configure the blacklist to identify spam e-mail.
ZyWALL 5/35/70 Series User’s Guide Chapter 15 Anti-Spam 274 Figure 127 Anti-Spam: Lists The following table describes the labels in this screen. Table 87 Anti-Spam: Lists LABEL DESCRIPTION Resou.
ZyWALL 5/35/70 Series User’s Guide 275 Chapter 15 Anti-Spam 15.5 Anti-Spam Rule Edit Screen Click SECURITY, ANTI-SPAM, Lists to display the Anti-Spam Lists screen. To create a new anti-spam whitelist or blacklist entry, type the index number where you want to put the entry.
ZyWALL 5/35/70 Series User’s Guide Chapter 15 Anti-Spam 276 The following table describes the labels in this screen. Table 88 Anti-Spam Rule Edit LABEL DESCRIPTION Rule Edit Active Turn this entry on to have the ZyWALL use it as part of the whitelist or blacklist.
ZyWALL 5/35/70 Series User’s Guide 277 Chapter 15 Anti-Spam Apply Click Apply to save your settings and exit this screen. Cancel Click Cancel to exit this screen without saving.
ZyWALL 5/35/70 Series User’s Guide Chapter 16 Content Filtering Screens 278 CHAPTER 16 Content Filtering Screens This chapter provides an overview of content filtering. 16.1 Content Filtering Overview Content filtering allows you to block certain web features, such as Cookies, and/or restrict specific websites.
ZyWALL 5/35/70 Series User’s Guide 279 Chapter 16 Content Filtering Screens Figure 129 Content Filter: General The following table describes the labels in this screen. Table 89 Content Filter: General LABEL DESCRIPTION General Setup Enable Content Filter Select this check box to enable the content filter.
ZyWALL 5/35/70 Series User’s Guide Chapter 16 Content Filtering Screens 280 16.3 Content Filtering with an External Database When you register for and enable external database content filtering, your ZyWALL accesses an external database that has millions of web sites categorized based on content.
ZyWALL 5/35/70 Series User’s Guide 281 Chapter 16 Content Filtering Screens Figure 130 Content Filtering Lookup Procedure 1 A computer behind the ZyWALL tries to access a web site.
ZyWALL 5/35/70 Series User’s Guide Chapter 16 Content Filtering Screens 282 Figure 131 Content Filter: Categories The following table describes the labels in this screen.
ZyWALL 5/35/70 Series User’s Guide 283 Chapter 16 Content Filtering Screens Unrated Web Pages Select Block to prevent users from accessing web pages that the external database content filtering has not categorized.
ZyWALL 5/35/70 Series User’s Guide Chapter 16 Content Filtering Screens 284 Alcohol/Tobacco Selecting this category excludes pages that promote or offer the sale of alcohol/tobacco products, or provide the means to create them. It also includes pages that glorify, tout, or otherwise encourage the consumption of alcohol/tobacco.
ZyWALL 5/35/70 Series User’s Guide 285 Chapter 16 Content Filtering Screens Education Selecting this category excludes pages that offer educational information, distance learning and trade school information or programs. It also includes pages that are sponsored by schools, educational facilities, faculty, or alumni groups.
ZyWALL 5/35/70 Series User’s Guide Chapter 16 Content Filtering Screens 286 News/Media Selecting this category excludes pages that primarily report information or comments on current events or contemporary issues of the day. It also includes radio stations and magazines.
ZyWALL 5/35/70 Series User’s Guide 287 Chapter 16 Content Filtering Screens Humor/Jokes Selecting this category excludes pages that primarily focus on comedy, jokes, fun, etc. This may include pages containing jokes of adult or mature nature. Pages containing humorous Adult/Mature content also have an Adult/Mature category rating.
ZyWALL 5/35/70 Series User’s Guide Chapter 16 Content Filtering Screens 288 16.5 Content Filter Customization Click SECURITY, CONTENT FILTER, then the Customization tab to display the CONTENT FILTER Customization screen. You can create a list of good (allowed) web site addresses and a list of bad (blocked) web site addresses.
ZyWALL 5/35/70 Series User’s Guide 289 Chapter 16 Content Filtering Screens The following table describes the labels in this screen. Table 91 Content Filter: Customization LABEL DESCRIPTION Web Site List Customization Enable Web site customization Select this check box to allow trusted web sites and block forbidden web sites.
ZyWALL 5/35/70 Series User’s Guide Chapter 16 Content Filtering Screens 290 16.6 Customizing Keyword Blocking URL Checking You can use commands to set how much of a website’s URL the content filter is to check for keyword blocking. See the appendices for information on how to access and use the command interpreter.
ZyWALL 5/35/70 Series User’s Guide 291 Chapter 16 Content Filtering Screens Use the ip urlfilter customize actionFlags 8 [disable | enable] command to extend (or not extend) the keyword blocking search to include the URL's complete filename.
ZyWALL 5/35/70 Series User’s Guide Chapter 16 Content Filtering Screens 292 The following table describes the labels in this screen. Table 92 Content Filter: Cache LABEL DESCRIPTION URL Cache Setup Maximum TTL Type the maximum time to live (TTL) (1 to 720 hours).
ZyWALL 5/35/70 Series User’s Guide 293 Chapter 16 Content Filtering Screens.
ZyWALL 5/35/70 Series User’s Guide Chapter 17 Content Filtering Reports 294 CHAPTER 17 Content Filtering Reports This chapter describes how to view content filtering reports after you have activated the category-based content filtering subscription service.
ZyWALL 5/35/70 Series User’s Guide 295 Chapter 17 Content Filtering Reports Figure 134 myZyXEL.com: Login 3 A welcome screen displays. Click your ZyWALL’s model name and/or MAC address under Registered ZyXEL Products.
ZyWALL 5/35/70 Series User’s Guide Chapter 17 Content Filtering Reports 296 Figure 136 myZyXEL.com: Service Management 5 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 136 on page 296).
ZyWALL 5/35/70 Series User’s Guide 297 Chapter 17 Content Filtering Reports Figure 138 Content Filtering Reports Main Screen 8 Select items under Global Reports or Single User Reports to view the corresponding reports.
ZyWALL 5/35/70 Series User’s Guide Chapter 17 Content Filtering Reports 298 Figure 140 Global Report Screen Example 11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.
ZyWALL 5/35/70 Series User’s Guide 299 Chapter 17 Content Filtering Reports Figure 141 Requested URLs Example 17.3 Web Site Submission You may find that a web site has not been accurately categorized or that a web site’s contents have changed and the content filtering category needs to be updated.
ZyWALL 5/35/70 Series User’s Guide Chapter 17 Content Filtering Reports 300 Figure 142 Web Page Review Process Screen 3 Type the web site’s URL in the field and click Submit to have the web site reviewed.
ZyWALL 5/35/70 Series User’s Guide 301 Chapter 17 Content Filtering Reports.
ZyWALL 5/35/70 Series User’s Guide Chapter 18 Introduction to IPSec 302 CHAPTER 18 Introduction to IPSec This chapter introduces the basics of IPSec VPNs. 18.1 VPN Overview A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines.
ZyWALL 5/35/70 Series User’s Guide 303 Chapter 18 Introduction to IPSec Figure 143 Encryption and Decryption 18.1.3.2 Data Confidentiality The IPSec sender can encrypt packets before transmitting them across a network.
ZyWALL 5/35/70 Series User’s Guide Chapter 18 Introduction to IPSec 304 18.2 IPSec Architecture The overall IPSec architecture is shown as follows.
ZyWALL 5/35/70 Series User’s Guide 305 Chapter 18 Introduction to IPSec Figure 145 Transport and Tunnel Mode IPSec Encapsulation 18.3.1 Transport Mode Transport mode is used to protect upper layer protocols and only affects the data in the IP packet.
ZyWALL 5/35/70 Series User’s Guide Chapter 18 Introduction to IPSec 306 NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet.
ZyWALL 5/35/70 Series User’s Guide 307 Chapter 18 Introduction to IPSec.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 308 CHAPTER 19 VPN Screens This chapter introduces the VPN Web Configurator. See Chapter 30 on page 472 for information on viewing logs and Appendix S on page 774 for IPSec log descriptions.
ZyWALL 5/35/70 Series User’s Guide 309 Chapter 19 VPN Screens 19.3 My ZyWALL My ZyWALL identifies the WAN IP address or domain name of the ZyWALL (if it has one) or leave the field set to 0.0.0.0 when the ZyWALL is in router mode. This field displays the ZyWALL’s IP address when the ZyWALL is in bridge mode.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 310 If the remote secure gateway has a static WAN IP address, enter it in the Remote Gateway Address field. You may alternatively enter the remote secure gateway’s domain name (if it has one).
ZyWALL 5/35/70 Series User’s Guide 311 Chapter 19 VPN Screens Figure 146 NAT Router Between IPSec Routers Normally you cannot set up a VPN connection with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 312 between three encryption algorithms (DES, 3DES and AES), two authentication algorithms (MD5 and SHA1) and two key groups (DH1 and DH2) when you configure a VPN rule (see Section 19.12 on page 324).
ZyWALL 5/35/70 Series User’s Guide 313 Chapter 19 VPN Screens The two ZyWALLs in this example cannot complete their negotiation because ZyWALL B’s Local ID type is IP, but ZyWALL A’s Peer ID type is set to E-mail. An ID mismatched message displays in the IPSec log.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 314 • Choose an authentication algorithm. • Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2). • Set the IKE SA lifetime. This field allows you to determine how long an IKE SA should stay up before it times out.
ZyWALL 5/35/70 Series User’s Guide 315 Chapter 19 VPN Screens 19.8.3 Diffie-Hellman (DH) Key Groups Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 316 19.10 VPN Rules (IKE) Click VPN to display the VPN Rules (IKE) screen. This is a read-only menu of your IPSec rule (tunnel). To add an IPSec rule (or gateway policy), click the add gateway policy ( ) icon.
ZyWALL 5/35/70 Series User’s Guide 317 Chapter 19 VPN Screens Figure 149 Gateway and Network Policies This figure helps explain the main fields in the VPN setup. Figure 150 IPSec Fields Summary Note: Local and remote network IP addresses must be static.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 318 Note: The Recycle Bin gateway policy is a virtual placeholder for any network policy(ies) without an associated gateway policy. When there is a network policy in the Recycle Bin, the Recycle Bin gateway policy automatically displays in this screen.
ZyWALL 5/35/70 Series User’s Guide 319 Chapter 19 VPN Screens Figure 151 VPN Rules (IKE): Gateway Policy: Edit.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 320 The following table describes the labels in this screen. Table 101 VPN Rules (IKE): Gateway Policy: Edit LABEL DESCRIPTION Property Name Type up to 32 characters to identify this VPN gateway policy.
ZyWALL 5/35/70 Series User’s Guide 321 Chapter 19 VPN Screens Remote Gateway Address Type the WAN IP address or the domain name (up to 31 characters) of the IPSec router with which you're making the VPN connection. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 322 Peer ID Type Select from the following when you set Authentication Key to Pre-shared Key. • Select IP to identify the remote IPSec router by its IP address. • Select DNS to identify the remote IPSec router by a domain name.
ZyWALL 5/35/70 Series User’s Guide 323 Chapter 19 VPN Screens Server Mode Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 324 19.12 VPN Rules (IKE): Network Policy Edit Click VPN and the add network policy ( ) icon in the VPN Rules (IKE) screen to display the VPN-Network Policy -Edit screen. Use this screen to configure a network policy .
ZyWALL 5/35/70 Series User’s Guide 325 Chapter 19 VPN Screens Figure 152 VPN Rules (IKE): Network Policy Edit.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 326 The following table describes the labels in this screen. Table 102 VPN Rules (IKE): Network Policy Edit LABEL DESCRIPTION Active If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel.
ZyWALL 5/35/70 Series User’s Guide 327 Chapter 19 VPN Screens Starting IP Address When the Address Type field is configured to Single Address, enter a (static) IP address on the LAN behind your ZyWALL.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 328 19.13 VPN Rules (IKE): Network Policy Move Click the move ( ) icon in the VPN Rules (IKE) screen to display the VPN Rules (IKE): Network Policy Move screen. Use this screen to associate a network policy to a gateway rule.
ZyWALL 5/35/70 Series User’s Guide 329 Chapter 19 VPN Screens Figure 153 VPN Rules (IKE): Network Policy Move The following table describes the labels in this screen. 19.14 VPN Rules (Manual) Refer to Figure 150 on page 317 for a graphical representation of the fields in the web configurator.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 330 You may want to configure a VPN rule that uses manual key management if you are having problems with IKE key management. Refer to Table 100 on page 317 for descriptions of the icons used in this screen.
ZyWALL 5/35/70 Series User’s Guide 331 Chapter 19 VPN Screens 19.15 VPN Rules (Manual): Edit Manual key management is useful if you have problems with IKE key management. 19.15.1 Security Parameter Index (SPI) An SPI is used to distinguish different SAs terminating at the same destination and using the same IPSec protocol.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 332 Figure 155 VPN Rules (Manual): Edit The following table describes the labels in this screen. Table 105 VPN Rules (Manual) Edit LABEL DESCRIPTION Property Active Select this check box to activate this VPN policy.
ZyWALL 5/35/70 Series User’s Guide 333 Chapter 19 VPN Screens Local Network Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 334 My ZyWALL When the ZyWALL is in router mode, enter the WAN IP address or the domain name of your ZyWALL or leave the field set to 0.0.0.0. For a ZyWALL with multiple WAN ports, the following applies if the My ZyWALL field is configured as 0.
ZyWALL 5/35/70 Series User’s Guide 335 Chapter 19 VPN Screens 19.16 VPN SA Monitor In the web configurator, click VPN and the SA Monitor tab. Use this screen to display and manage active VPN connections. A Security Association (SA) is the group of security settings related to a specific VPN tunnel.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 336 19.17 VPN Global Setting Click VPN, then the Global Setting tab to open the VPN Global Setting screen. Use this screen to change your ZyWALL’s global settings. Figure 157 VPN: Global Setting The following table describes the labels in this screen.
ZyWALL 5/35/70 Series User’s Guide 337 Chapter 19 VPN Screens 19.18 Telecommuter VPN/IPSec Examples The following examples show how multiple telecommuters can make VPN connections to a single ZyWALL at headquarters. The telecommuters use IPSec routers with dynamic WAN IP addresses.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 338 Figure 158 Telecommuters Sharing One VPN Rule Example 19.18.2 Telecommuters Using Unique VPN Rules Example In this example the teleco.
ZyWALL 5/35/70 Series User’s Guide 339 Chapter 19 VPN Screens Figure 159 Telecommuters Using Unique VPN Rules Example Table 109 Telecommuters Using Unique VPN Rules Example TELECOMMUTERS HEADQUARTERS All Telecommuter Rules: All Headquarters Rules: My ZyWALL 0.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 340 19.19 VPN and Remote Management If a VPN tunnel uses Telnet, FTP, WWW, SNMP, DNS or ICMP, then you should configure remote management (REMOTE MGMT) to allow access for that service.
ZyWALL 5/35/70 Series User’s Guide 341 Chapter 19 VPN Screens.
ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 342 CHAPTER 20 Certificates This chapter gives background information about public-key certificates and explains how to use them. 20.1 Certificates Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users.
ZyWALL 5/35/70 Series User’s Guide 343 Chapter 20 Certificates Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List).
ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 344 20.4 My Certificates Click SECURITY, CERTIFICATES, My Certificates to open the My Certificates screen. This is the ZyWALL’s summary list of certificates and certification requests.
ZyWALL 5/35/70 Series User’s Guide 345 Chapter 20 Certificates Type This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate.
ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 346 20.5 My Certificate Import Click SECURITY, CERTIFICATES, My Certificates and then Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the ZyWALL.
ZyWALL 5/35/70 Series User’s Guide 347 Chapter 20 Certificates Figure 162 My Certificate Import The following table describes the labels in this screen. 20.6 My Certificate Create Click SECURITY, CERTIFICATES, My Certificates and then Create to open the My Certificate Create screen.
ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 348 Figure 163 My Certificate Create The following table describes the labels in this screen. Table 112 My Certificate Create LABEL DESCRIPTION Certificate Name Type up to 31 ASCII characters (not including spaces) to identify this certificate.
ZyWALL 5/35/70 Series User’s Guide 349 Chapter 20 Certificates Country Type up to 127 characters to identify the nation where the certificate owner is located. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 350 After you click Apply in the My Certificate Create screen, you see a screen that tells you the ZyWALL is generating the self-signed certificate or certification request.
ZyWALL 5/35/70 Series User’s Guide 351 Chapter 20 Certificates Figure 164 My Certificate Details.
ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 352 The following table describes the labels in this screen. Table 113 My Certificate Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate.
ZyWALL 5/35/70 Series User’s Guide 353 Chapter 20 Certificates 20.8 Trusted CAs Click SECURITY, CERTIFICATES, Trusted CAs to open the Trusted CAs screen. This screen displays a summary list of certificates of the certification authorities that you have set the ZyWALL to accept as trusted.
ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 354 Figure 165 Trusted CAs The following table describes the labels in this screen. Table 114 Trusted CAs LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
ZyWALL 5/35/70 Series User’s Guide 355 Chapter 20 Certificates 20.9 Trusted CA Import Click SECURITY, CERTIFICATES, Trusted CAs to open the Trusted CAs screen and then click Import to open the Trusted CA Import screen.
ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 356 The following table describes the labels in this screen. 20.10 Trusted CA Details Click SECURITY, CERTIFICATES, Trusted CAs to open the Trusted CAs screen. Click the details icon to open the Trusted CA Details screen.
ZyWALL 5/35/70 Series User’s Guide 357 Chapter 20 Certificates Figure 167 Trusted CA Details The following table describes the labels in this screen. Table 116 Trusted CA Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate.
ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 358 Certification Path Click the Refresh button to have this read-only text box display the end entity’s certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity’s certificate.
ZyWALL 5/35/70 Series User’s Guide 359 Chapter 20 Certificates 20.11 Trusted Remote Hosts Click SECURITY, CERTIFICATES, Trusted Remote Hosts to open the Trusted Remote Hosts screen.
ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 360 Figure 168 Trusted Remote Hosts The following table describes the labels in this screen. Table 117 Trusted Remote Hosts LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
ZyWALL 5/35/70 Series User’s Guide 361 Chapter 20 Certificates 20.12 Verifying a Trusted Remote Host’s Certificate Certificates issued by certification authorities have the certification authority’s signature for you to check. Self-signed certificates only have the signature of the host itself.
ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 362 Figure 170 Certificate Details Verify (over the phone for example) that the remote host has the same information in the Thumbprint Algorithm and Thumbprint fields.
ZyWALL 5/35/70 Series User’s Guide 363 Chapter 20 Certificates Figure 171 Trusted Remote Host Import The following table describes the labels in this screen. 20.14 Trusted Remote Host Certificate Details Click SECURITY, CERTIFICATES, Trusted Remote Hosts to open the Trusted Remote Hosts screen.
ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 364 Figure 172 Trusted Remote Host Details The following table describes the labels in this screen. Table 119 Trusted Remote Host Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate.
ZyWALL 5/35/70 Series User’s Guide 365 Chapter 20 Certificates Certificate Information These read-only fields display detailed information about the certificate. Type This field displays general information about the certificate. With trusted remote host certificates, this field always displays CA-signed.
ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 366 20.15 Directory Servers Click SECURITY, CERTIFICATES, Directory Servers to open the Directory Servers screen. This screen displays a summary list of directory servers (that contain lists of valid and revoked certificates) that have been saved into the ZyWALL.
ZyWALL 5/35/70 Series User’s Guide 367 Chapter 20 Certificates The following table describes the labels in this screen. 20.16 Directory Server Add or Edit Click SECURITY, CERTIFICATES, Directory Servers to open the Directory Servers screen. Click Add (or the details icon) to open the Directory Server Add screen.
ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 368 The following table describes the labels in this screen. Table 121 Directory Server Add LABEL DESCRIPTION Directory Service Setting Name Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server.
ZyWALL 5/35/70 Series User’s Guide 369 Chapter 20 Certificates.
ZyWALL 5/35/70 Series User’s Guide Chapter 21 Authentication Server 370 CHAPTER 21 Authentication Server This chapter discusses how to configure the ZyWALL’s authentication server feature.
ZyWALL 5/35/70 Series User’s Guide 371 Chapter 21 Authentication Server Figure 175 Local User Database.
ZyWALL 5/35/70 Series User’s Guide Chapter 21 Authentication Server 372 The following table describes the labels in this screen. 21.3 RADIUS Use RADIUS to authenticate users using an external server. Click SECURITY, AUTH SERVER, then the RADIUS tab to open the RADIUS screen.
ZyWALL 5/35/70 Series User’s Guide 373 Chapter 21 Au thentication Server The following table describes the labels in this screen. T able 123 RADIUS LABEL DESCRIPTION Authentication Server Active Select the check box to enable user authentication through an external authentication serve r .
ZyWALL 5/35/70 Series User’s Guide Chapter 22 Network Address Translation (NAT) 374 C HAPTER 22 Network Address T ranslation (NA T) This chapter discusses how to configure NA T on the ZyW ALL. 22.1 NA T Overview NA T (Network Address Translation - NA T , RFC 1631) is the trans lation of the IP address of a host in a packet.
ZyWALL 5/35/70 Series User’s Guide 375 Chapter 22 Network Addr ess Translation (NAT) 22.1.2 What NA T Does In the simplest form, NA T changes the sour ce IP address in a packet received from a subscriber (the inside local address) to anothe r (the inside global address) before forwarding the packet to the W AN side.
ZyWALL 5/35/70 Series User’s Guide Chapter 22 Network Address Translation (NAT) 376 Figure 177 How NA T Works 22.1.4 NA T Application The following figure illustrates a possible NA T application, wher e three inside LANs (logical LANs using IP Alias) behind the ZyW ALL can communicate with three distinct W AN networks.
ZyWALL 5/35/70 Series User’s Guide 377 Chapter 22 Network Addr ess Translation (NAT) 22.1.5 Port Restricted Cone NA T At the time of writing ZyW ALL ZyNOS version 4. 00 uses port restricted cone NA T . Port restricted cone NA T maps all outgoing packets fro m an internal IP address and port to a single IP address and port on the external network.
ZyWALL 5/35/70 Series User’s Guide Chapter 22 Network Address Translation (NAT) 378 • Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world, although it is highly recommended that you use the DMZ port for these servers instead.
ZyWALL 5/35/70 Series User’s Guide 379 Chapter 22 Network Address Translation (NAT) 22.3 NAT Overview Click ADVANCED, NAT to open the NAT Overview screen. Not all fields are available on all models. Figure 180 NAT Overview The following table describes the labels in this screen.
ZyWALL 5/35/70 Series User’s Guide Chapter 22 Network Address Translation (NAT) 380 22.4 NAT Address Mapping Ordering your rules is important because the ZyWALL applies the rules in the order that you specify. When a rule matches the current packet, the ZyWALL takes the corresponding action and the remaining rules are ignored.
ZyWALL 5/35/70 Series User’s Guide 381 Chapter 22 Network Address Translation (NAT) Figure 181 NAT Address Mapping The following table describes the labels in this screen. Table 127 NAT Address Mapping LABEL DESCRIPTION SUA Address Mapping Rules This read-only table displays the default address mapping rules.
ZyWALL 5/35/70 Series User’s Guide Chapter 22 Network Address Translation (NAT) 382 22.4.1 NAT Address Mapping Edit Click the Edit button to display the NAT Address Mapping Edit screen.
ZyWALL 5/35/70 Series User’s Guide 383 Chapter 22 Network Address Translation (NAT) The following table describes the labels in this screen. 22.5 Port Forwarding A port forwarding set is a list of .
ZyWALL 5/35/70 Series User’s Guide Chapter 22 Network Address Translation (NAT) 384 22.5.1 Default Server IP Address In addition to the servers for specified services, NAT supports a default server IP address. A default server receives packets from ports that are not specified in this screen.
ZyWALL 5/35/70 Series User’s Guide 385 Chapter 22 Network Address Translation (NAT) Figure 183 Multiple Servers Behind NAT Example 22.5.4 NAT and Multiple WAN The ZyWALL has two WAN ports. You can configure port forwarding and trigger port rule sets for the first WAN port and separate sets of rules for the second WAN port.
ZyWALL 5/35/70 Series User’s Guide Chapter 22 Network Address Translation (NAT) 386 Figure 184 Port Translation Example 22.6 Port Forwarding Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.
ZyWALL 5/35/70 Series User’s Guide 387 Chapter 22 Network Address Translation (NAT) Figure 185 Port Forwarding The following table describes the labels in this screen. Table 130 Port Forwarding LABEL DESCRIPTION WAN Interface Select the WAN port for which you want to view or configure address mapping rules.
ZyWALL 5/35/70 Series User’s Guide Chapter 22 Network Address Translation (NAT) 388 22.7 Port Triggering Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side.
ZyWALL 5/35/70 Series User’s Guide 389 Chapter 22 Network Address Translation (NAT) 4 The ZyWALL forwards the traffic to Jane’s computer IP address.
ZyWALL 5/35/70 Series User’s Guide Chapter 22 Network Address Translation (NAT) 390 Trigger The trigger port is a port (or a range of ports) that causes (or triggers) the ZyWALL to record the IP address of the LAN computer that sent the traffic to a server on the WAN.
ZyWALL 5/35/70 Series User’s Guide 391 Chapter 22 Network Address Translation (NAT).
ZyWALL 5/35/70 Series User’s Guide Chapter 23 Static Route 392 CHAPTER 23 Static Route This chapter shows you how to configure static routes for your ZyWALL. 23.1 IP Static Route Each remote node specifies only the network to which the gateway is directly connected, and the ZyWALL has no knowledge of the networks beyond.
ZyWALL 5/35/70 Series User’s Guide 393 Chapter 23 Static Route Note: The default route is disabled after you change the static WAN IP address to a dynamic WAN IP address. Figure 189 IP Static Route The following table describes the labels in this screen.
ZyWALL 5/35/70 Series User’s Guide Chapter 23 Static Route 394 23.2.1 IP Static Route Edit Select a static route index number and click Edit. The screen shown next appears. Use this screen to configure the required information for a static route.
ZyWALL 5/35/70 Series User’s Guide 395 Chapter 23 Static Route Gateway IP Address Enter the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations.
ZyWALL 5/35/70 Series User’s Guide Chapter 24 Policy Route 396 CHAPTER 24 Policy Route This chapter covers setting and applying policies used for IP routing.
ZyWALL 5/35/70 Series User’s Guide 397 Chapter 24 Policy Route IPPR follows the existing packet filtering facility of RAS in style and in implementation. 24.4 IP Routing Policy Setup Click ADVANCED, POLICY ROUTE to open the Policy Route Summary screen (some of the screen’s blank rows are not shown).
ZyWALL 5/35/70 Series User’s Guide Chapter 24 Policy Route 398 The following table describes the labels in this screen. 24.5 Policy Route Edit Click POLICY ROUTE to open the Policy Route Summary screen. Then click the edit icon to open the Edit IP Policy Route screen.
ZyWALL 5/35/70 Series User’s Guide 399 Chapter 24 Policy Route Figure 192 Edit IP Policy Route The following table describes the labels in this screen. Table 135 Edit IP Policy Route LABEL DESCRIPTION Criteria Active Select the check box to activate the policy.
ZyWALL 5/35/70 Series User’s Guide Chapter 24 Policy Route 400 Packet Length Type a length of packet (in bytes). The operators in the Len Compare field apply to incoming packets of this length. Length Comparison Choose from Equal, Not Equal, Less, Greater, Less or Equal or Greater or Equal.
ZyWALL 5/35/70 Series User’s Guide 401 Chapter 24 Policy Route.
ZyWALL 5/35/70 Series User’s Guide Chapter 25 Bandwidth Management 402 CHAPTER 25 Bandwidth Management This chapter describes the functions and configuration of bandwidth management with multiple levels of sub-classes.
ZyWALL 5/35/70 Series User’s Guide 403 Chapter 25 Bandwidth Management 25.3 Proportional Bandwidth Allocation Bandwidth management allows you to define how much bandwidth each class gets; however, the actual bandwidth allotted to each class decreases or increases in proportion to actual available bandwidth.
ZyWALL 5/35/70 Series User’s Guide Chapter 25 Bandwidth Management 404 25.6 Application and Subnet-based Bandwidth Management You could also create bandwidth classes based on a combination of a subnet and an application. The following example table shows bandwidth allocations for application specific traffic from separate LAN subnets.
ZyWALL 5/35/70 Series User’s Guide 405 Chapter 25 Bandwidth Management When you enable maximize bandwidth usage, the ZyWALL first makes sure that each bandwidth class gets up to its bandwidth allotment.
ZyWALL 5/35/70 Series User’s Guide Chapter 25 Bandwidth Management 406 25.7.5.1 Priority-based Allotment of Unused and Unbudgeted Bandwidth The following table shows the priorities of the bandwidth classes and the amount of bandwidth that each class gets.
ZyWALL 5/35/70 Series User’s Guide 407 Chapter 25 Bandwidth Management 25.8 Bandwidth Borrowing Bandwidth borrowing allows a sub-class to borrow unused bandwidth from its parent class, whereas maximize bandwidth usage allows bandwidth classes to borrow any unused or unbudgeted bandwidth on the whole interface.
ZyWALL 5/35/70 Series User’s Guide Chapter 25 Bandwidth Management 408 • The Bill class cannot borrow unused bandwidth from the Root class because the Sales class has bandwidth borrowing disabled. • The Amy class cannot borrow unused bandwidth from the Sales USA class because the Amy class has bandwidth borrowing disabled.
ZyWALL 5/35/70 Series User’s Guide 409 Chapter 25 Bandwidth Management Figure 194 Bandwidth Management: Summary The following table describes the labels in this screen. Table 141 Bandwidth Management: Summary LABEL DESCRIPTION Class These read-only labels represent the physical interfaces.
ZyWALL 5/35/70 Series User’s Guide Chapter 25 Bandwidth Management 410 25.11 Configuring Class Setup The Class Setup screen displays the configured bandwidth classes by individual interface. Select an interface and click the buttons to perform the actions described next.
ZyWALL 5/35/70 Series User’s Guide 411 Chapter 25 Bandwidth Management 25.11.1 Bandwidth Manager Class Configuration Configure a bandwidth management class in the Class Setup screen. You must use the Summary screen to enable bandwidth management on an interface before you can configure classes for that interface.
ZyWALL 5/35/70 Series User’s Guide Chapter 25 Bandwidth Management 412 Figure 196 Bandwidth Management: Edit Class The following table describes the labels in this screen.
ZyWALL 5/35/70 Series User’s Guide 413 Chapter 25 Bandwidth Management Enable Bandwidth Filter Select Enable Bandwidth Filter to have the ZyWALL use this bandwidth filter when it performs bandwidth management.
ZyWALL 5/35/70 Series User’s Guide Chapter 25 Bandwidth Management 414 25.11.2 Bandwidth Management Statistics Use the Bandwidth Management Statistics screen to view network performance information. Click the Statistics button in the Class Setup screen to open the Statistics screen.
ZyWALL 5/35/70 Series User’s Guide 415 Chapter 25 Bandwidth Management Figure 197 Bandwidth Management: Statistics The following table describes the labels in this screen. 25.12 Configuring Monitor To view the device’s bandwidth usage and allotments, click ADVANCED, BW MGMT, then the Monitor tab.
ZyWALL 5/35/70 Series User’s Guide Chapter 25 Bandwidth Management 416 Figure 198 Bandwidth Management: Monitor The following table describes the labels in this screen. Table 146 Bandwidth Management: Monitor LABEL DESCRIPTION Interface Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes.
ZyWALL 5/35/70 Series User’s Guide 417 Chapter 25 Bandwidth Management.
ZyWALL 5/35/70 Series User’s Guide Chapter 26 DNS 418 CHAPTER 26 DNS This chapter shows you how to configure the DNS screens. 26.1 DNS Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa.
ZyWALL 5/35/70 Series User’s Guide 419 Chapter 26 DNS 26.4 Address Record An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain.
ZyWALL 5/35/70 Series User’s Guide Chapter 26 DNS 420 Figure 199 Private DNS Server Example Note: If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network.
ZyWALL 5/35/70 Series User’s Guide 421 Chapter 26 DNS Figure 200 System DNS The following table describes the labels in this screen. Table 147 System DNS LABEL DESCRIPTION Address Record An address record specifies the mapping of a fully qualified domain name (FQDN) to an IP address.
ZyWALL 5/35/70 Series User’s Guide Chapter 26 DNS 422 26.6.1 Adding an Address Record Click Add in the System screen to add an address record. Figure 201 System DNS: Add Address Record Name Server Record A name server record contains a DNS server’s IP address.
ZyWALL 5/35/70 Series User’s Guide 423 Chapter 26 DNS The following table describes the labels in this screen. 26.6.2 Inserting a Name Server record Click Insert in the System screen to insert a name server record.
ZyWALL 5/35/70 Series User’s Guide Chapter 26 DNS 424 The following table describes the labels in this screen. 26.7 DNS Cache DNS cache is the temporary storage area where a router stores responses from DNS servers. When the ZyWALL receives a positive or negative response for a DNS query, it records the response in the DNS cache.
ZyWALL 5/35/70 Series User’s Guide 425 Chapter 26 DNS 26.8 Configure DNS Cache To configure your ZyWALL’s DNS caching, click ADVANCED, DNS, then the Cache tab. The screen appears as shown. Figure 203 DNS Cache The following table describes the labels in this screen.
ZyWALL 5/35/70 Series User’s Guide Chapter 26 DNS 426 26.9 Configuring DNS DHCP Click ADVANCED, DNS and then the DHCP tab to open the DNS DHCP screen shown next. Use this screen to configure the DNS server information that the ZyWALL sends to its LAN, DMZ or WLAN DHCP clients.
ZyWALL 5/35/70 Series User’s Guide 427 Chapter 26 DNS Figure 204 DNS DHCP The following table describes the labels in this screen. Table 151 DNS DHCP LABEL DESCRIPTION DNS Servers Assigned by DHCP Server The ZyWALL passes a DNS (Domain Name System) server IP address to the DHCP clients.
ZyWALL 5/35/70 Series User’s Guide Chapter 26 DNS 428 26.10 Dynamic DNS Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.
ZyWALL 5/35/70 Series User’s Guide 429 Chapter 26 DNS Figure 205 DDNS The following table describes the labels in this screen. Table 152 DDNS LABEL DESCRIPTION Account Setup Active Select this check box to use dynamic DNS. Service Provider This is the name of your Dynamic DNS service provider.
ZyWALL 5/35/70 Series User’s Guide Chapter 26 DNS 430 WAN Interface Select the WAN port to use for updating the IP address of the domain name. IP Address Update Policy Select Use WAN IP Address to have the ZyWALL update the domain name with the WAN port's IP address.
ZyWALL 5/35/70 Series User’s Guide 431 Chapter 26 DNS.
ZyWALL 5/35/70 Series User’s Guide Chapter 27 Remote Management 432 CHAPTER 27 Remote Management This chapter provides information on the Remote Management screens. 27.1 Remote Management Overview Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers.
ZyWALL 5/35/70 Series User’s Guide 433 Chapter 27 Remote Management 1 A filter in SMT menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service. 2 You have disabled that service in one of the remote management screens.
ZyWALL 5/35/70 Series User’s Guide Chapter 27 Remote Management 434 Figure 206 HTTPS Implementation Note: If you disable HTTP Server Access (Disable) in the REMOTE MGMT WWW screen, then the ZyWALL blocks all HTTP connection attempts. 27.3 WWW Click ADVANCED, REMOTE MGMT to open the WWW screen.
ZyWALL 5/35/70 Series User’s Guide 435 Chapter 27 Remote Management Figure 207 WWW The following table describes the labels in this screen. Table 153 WWW LABEL DESCRIPTION HTTPS Server Certificate Select the Server Certificate that the ZyWALL will use to identify itself.
ZyWALL 5/35/70 Series User’s Guide Chapter 27 Remote Management 436 27.4 HTTPS Example If you haven’t changed the default HTTPS port on the ZyWALL, then in your browser enter “https://ZyWALL IP Address/” as the web site address where “ZyWALL IP Address” is the IP address or domain name of the ZyWALL you wish to access.
ZyWALL 5/35/70 Series User’s Guide 437 Chapter 27 Remote Management 27.4.2 Netscape Navigator Warning Messages When you attempt to access the ZyWALL HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate.
ZyWALL 5/35/70 Series User’s Guide Chapter 27 Remote Management 438 27.4.3 Avoiding the Browser Warning Messages The following describes the main reasons that your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnings.
ZyWALL 5/35/70 Series User’s Guide 439 Chapter 27 Remote Management Figure 211 Login Screen (Internet Explorer) Figure 212 Login Screen (Netscape) Click Login and you then see the next screen. The factory default certificate is a common default certificate for all ZyWALL models.
ZyWALL 5/35/70 Series User’s Guide Chapter 27 Remote Management 440 Figure 213 Replace Certificate Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. Click CERTIFICATES to open the My Certificates screen.
ZyWALL 5/35/70 Series User’s Guide 441 Chapter 27 Remote Management Figure 215 Common ZyWALL Certificate 27.5 SSH Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a.
ZyWALL 5/35/70 Series User’s Guide Chapter 27 Remote Management 442 Figure 217 How SSH Works 1 Host Identification The SSH client sends a connection request to the SSH server.
ZyWALL 5/35/70 Series User’s Guide 443 Chapter 27 Remote Management 27.7.1 Requirements for Using SSH You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the ZyWALL over SSH.
ZyWALL 5/35/70 Series User’s Guide Chapter 27 Remote Management 444 27.9 Secure Telnet Using SSH Examples This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the ZyWALL. The configuration and connection steps are similar for most SSH client programs.
ZyWALL 5/35/70 Series User’s Guide 445 Chapter 27 Remote Management Figure 220 SSH Example 2: Test 2 Enter “ssh -1 192.168.1.1”. This command forces your computer to connect to the ZyWALL using SSH version 1.
ZyWALL 5/35/70 Series User’s Guide Chapter 27 Remote Management 446 Figure 222 Secure FTP: Firmware Upload Example 27.11 Telnet You can configure your ZyWALL for remote Telnet access as shown next. Figure 223 Telnet Configuration on a TCP/IP Network 27.
ZyWALL 5/35/70 Series User’s Guide 447 Chapter 27 Remote Management Figure 224 Telnet The following table describes the labels in this screen. 27.13 FTP You can upload and download the ZyWALL’s firmware and configuration files using FTP, please see the chapter on firmware and configuration file maintenance for details.
ZyWALL 5/35/70 Series User’s Guide Chapter 27 Remote Management 448 Figure 225 FTP The following table describes the labels in this screen. 27.14 SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices.
ZyWALL 5/35/70 Series User’s Guide 449 Chapter 27 Remote Management Figure 226 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL).
ZyWALL 5/35/70 Series User’s Guide Chapter 27 Remote Management 450 27.14.1 Supported MIBs The ZyWALL supports MIB II that is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.
ZyWALL 5/35/70 Series User’s Guide 451 Chapter 27 Remote Management Figure 227 SNMP The following table describes the labels in this screen. Table 158 SNMP LABEL DESCRIPTION SNMP Configuration Get Community Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station.
ZyWALL 5/35/70 Series User’s Guide Chapter 27 Remote Management 452 27.15 DNS Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. Refer to Chapter 7 on page 130 for more information. Click ADVANCED, REMOTE MGMT and then the DNS tab to change your ZyWALL’s DNS settings.
ZyWALL 5/35/70 Series User’s Guide 453 Chapter 27 Remote Management If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not do any configurations directly to the ZyWALL (using either the web configurator, SMT menus or commands) without notifying the Vantage CNM administrator.
ZyWALL 5/35/70 Series User’s Guide Chapter 27 Remote Management 454 Last Registration Time This field displays the last date (year-month-date) and time (hours-minutes-seconds) that the ZyWALL registered with the Vantage CNM server. It displays all zeroes if it has not yet registered with the Vantage CNM server.
ZyWALL 5/35/70 Series User’s Guide 455 Chapter 27 Remote Management.
ZyWALL 5/35/70 Series User’s Guide Chapter 28 UPnP 456 CHAPTER 28 UPnP This chapter introduces the Universal Plug and Play feature. This chapter is only applicable when the ZyWALL is in router mode.
ZyWALL 5/35/70 Series User’s Guide 457 Chapter 28 UPnP All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention. 28.1.4 UPnP and ZyXEL ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum Creates UPnP™ Implementers Corp.
ZyWALL 5/35/70 Series User’s Guide Chapter 28 UPnP 458 28.3 Displaying UPnP Port Mapping Click UPnP and then Ports to display the UPnP Ports screen. Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL. Not all fields are available on all models.
ZyWALL 5/35/70 Series User’s Guide 459 Chapter 28 UPnP The following table describes the labels in this screen. 28.4 Installing UPnP in Windows Example This section shows how to install UPnP in Windows Me and Windows XP.
ZyWALL 5/35/70 Series User’s Guide Chapter 28 UPnP 460 28.4.1 Installing UPnP in Windows Me Follow the steps below to install UPnP in Windows Me. 1 Click Start, Settings and Control Panel. Double-click Add/Remove Programs. 2 Click on the Windows Setup tab and select Communication in the Components selection box.
ZyWALL 5/35/70 Series User’s Guide 461 Chapter 28 UPnP 28.4.2 Installing UPnP in Windows XP Follow the steps below to install UPnP in Windows XP. 28.5 Using UPnP in Windows XP Example This section shows you how to use the UPnP feature in Windows XP.
ZyWALL 5/35/70 Series User’s Guide Chapter 28 UPnP 462 28.5.1 Auto-discover Your UPnP-enabled Network Device 1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway. 2 Right-click the icon and select Properties.
ZyWALL 5/35/70 Series User’s Guide 463 Chapter 28 UPnP Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
ZyWALL 5/35/70 Series User’s Guide Chapter 28 UPnP 464 Follow the steps below to access the web configurator. 1 Click Start and then Control Panel. 2 Double-click Network Connections. 3 Select My Network Places under Other Places. 4 An icon with the description for each UPnP-enabled device displays under Local Network.
ZyWALL 5/35/70 Series User’s Guide 465 Chapter 28 UPnP 6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.
ZyWALL 5/35/70 Series User’s Guide Chapter 29 ALG Screen 466 CHAPTER 29 ALG Screen This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to pass through the ZyWALL.
ZyWALL 5/35/70 Series User’s Guide 467 Chapter 29 ALG Screen If the primary WAN connection fails, the client needs to re-initialize the connection through the secondary WAN port to have the connection go through the secondary WAN port.
ZyWALL 5/35/70 Series User’s Guide Chapter 29 ALG Screen 468 Figure 232 H.323 ALG Example • With multiple WAN IP addresses on the ZyWALL, you can configure different firewall and port forwarding rules to allow incoming calls from each WAN IP address to go to a specific IP address on the LAN (or DMZ).
ZyWALL 5/35/70 Series User’s Guide 469 Chapter 29 ALG Screen Figure 234 H.323 Calls from the WAN with Multiple Outgoing Calls • The H.323 ALG operates on TCP packets with a port 1720 destination. • The ZyWALL allows H.323 audio connections.
ZyWALL 5/35/70 Series User’s Guide Chapter 29 ALG Screen 470 The following example shows SIP signaling and audio sessions between SIP clients A and B and the SIP server (1). Figure 235 SIP ALG Example 29.5.3 SIP Signaling Session Timeout Most SIP clients have an “expire” mechanism indicating the lifetime of signaling sessions.
ZyWALL 5/35/70 Series User’s Guide 471 Chapter 29 ALG Screen Figure 236 ALG The following table describes the labels in this screen. Table 163 ALG LABEL DESCRIPTION Enable FTP ALG Select this check box to allow FTP sessions to pass through the ZyWALL.
ZyWALL 5/35/70 Series User’s Guide Chapter 30 Logs Screens 472 CHAPTER 30 Logs Screens This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to Appendix S on page 774 for example log message explanations.
ZyWALL 5/35/70 Series User’s Guide 473 Chapter 30 Logs Screens The following table describes the labels in this screen. 30.2 Log Description Example The following is an example of how a log displays in the command line interpreter and a description of the sample log.
ZyWALL 5/35/70 Series User’s Guide Chapter 30 Logs Screens 474 30.2.1 Certificate Not Trusted Log Note myZyXEL.com and the update server use certificate signed by VeriSign to identify themselves. If the ZyWALL does not have a CA certificate signed by VeriSign as a trusted CA, the ZyWALL will not trust the certificate from myZyXEL.
ZyWALL 5/35/70 Series User’s Guide 475 Chapter 30 Logs Screens Figure 239 myZyXEL.com: Certificate Download 30.3 Configuring Log Settings To change your ZyWALL’s log settings, click LOGS, then the Log Settings tab. The screen appears as shown.
ZyWALL 5/35/70 Series User’s Guide Chapter 30 Logs Screens 476 Figure 240 Log Settings.
ZyWALL 5/35/70 Series User’s Guide 477 Chapter 30 Logs Screens The following table describes the labels in this screen. Table 166 Log Settings LABEL DESCRIPTION E-mail Log Settings Mail Server Enter the server name or the IP address of the mail server for the e-mail addresses specified below.
ZyWALL 5/35/70 Series User’s Guide Chapter 30 Logs Screens 478 30.4 Configuring Reports The Reports page displays which computers on the LAN send and receive the most traffic, what kinds of traffic are used the most and which web sites are visited the most often.
ZyWALL 5/35/70 Series User’s Guide 479 Chapter 30 Logs Screens Figure 241 Reports Note: Enabling the ZyWALL’s reporting function decreases the overall throughput by about 1 Mbps. The following table describes the labels in this screen. Note: All of the recorded reports data is erased when you turn off the ZyWALL.
ZyWALL 5/35/70 Series User’s Guide Chapter 30 Logs Screens 480 30.4.1 Viewing Web Site Hits In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the ZyWALL record and display which web sites have been visited the most often and how many times they have been visited.
ZyWALL 5/35/70 Series User’s Guide 481 Chapter 30 Logs Screens Figure 243 Protocol/Port Report Example The following table describes the labels in this screen. Table 169 Protocol/Port Report LABEL DESCRIPTION Protocol/Port This column lists the protocols or service ports for which the most traffic has gone through the ZyWALL.
ZyWALL 5/35/70 Series User’s Guide Chapter 30 Logs Screens 482 30.4.3 Viewing Host IP Address In the Reports screen, select Host IP Address from the Report Type drop-down list box to have the ZyW.
ZyWALL 5/35/70 Series User’s Guide 483 Chapter 30 Logs Screens 30.4.4 Reports Specifications The following table lists detailed specifications on the reports feature. Table 171 Report Specifications LABEL DESCRIPTION Number of web sites/protocols or ports/IP addresses listed: 20 Hit count limit: Up to 2^32 hits can be counted per web site.
ZyWALL 5/35/70 Series User’s Guide Chapter 31 Maintenance 484 C HAPTER 31 Maintenance This chapter displays informat ion on the maintenance screens. 31.1 Maintenance Overview The maintenanc e screens can help you view system inform a tion, upload new firmware, manage configuratio n and restart your ZyW ALL.
ZyWALL 5/35/70 Series User’s Guide 485 Chapter 31 Maintenance Figure 245 General Setup The following table describes the labels in this screen. 31.3 Configuring Password To change your ZyWALL’s password (recommended), click MAINTENANCE, then the Password tab.
ZyWALL 5/35/70 Series User’s Guide Chapter 31 Maintenance 486 Figure 246 Password Setup The following table describes the labels in this screen. 31.4 Time and Date The ZyWALL’s Real Time Chip (RTC) keeps track of the time and date.
ZyWALL 5/35/70 Series User’s Guide 487 Chapter 31 Maintenance Figure 247 Time and Date The following table describes the labels in this screen. Table 174 Time and Date LABEL DESCRIPTION Current Time and Date Current Time This field displays the ZyWALL’s present time.
ZyWALL 5/35/70 Series User’s Guide Chapter 31 Maintenance 488 Get from Time Server Select this radio button to have the ZyWALL get the time and date from the time server you specified below. Time Protocol Select the time service protocol that your time server uses.
ZyWALL 5/35/70 Series User’s Guide 489 Chapter 31 Maintenance 31.5 Pre-defined NTP Time Servers List When you turn on the ZyWALL for the first time, the date and time start at 2000-01-01 00:00:00. The ZyWALL then attempts to synchronize with one of the following pre-defined list of NTP time servers.
ZyWALL 5/35/70 Series User’s Guide Chapter 31 Maintenance 490 When the System Time and Date Synchronization in Process screen appears, wait up to one minute. Figure 248 Synchronization in Process Click the Return button to go back to the Time and Date screen after the time and date is updated successfully.
ZyWALL 5/35/70 Series User’s Guide 491 Chapter 31 Maintenance 31.6 Introduction To Transparent Bridging A transparent bridge is invisible to the operation of a network in that it does not modify the frames it forwards. The bridge checks the source address of incoming frames on the port and learns MAC addresses to associate with that port.
ZyWALL 5/35/70 Series User’s Guide Chapter 31 Maintenance 492 3 As a transparent bridge does not modify the frames it forwards, it is effectively “stealth” as it is invisible to attackers. Bridging devices are most useful in complex environments that require a rapid or new firewall deployment.
ZyWALL 5/35/70 Series User’s Guide 493 Chapter 31 Maintenance 31.9 Configuring Device Mode (Bridge) To configure and have your ZyWALL work as a router or a bridge, click MAINTENANCE, then the Device Mode tab. The following applies when the ZyWALL is in bridge mode.
ZyWALL 5/35/70 Series User’s Guide Chapter 31 Maintenance 494 31.10 F/W Upload Screen Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, "zywall.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes.
ZyWALL 5/35/70 Series User’s Guide 495 Chapter 31 Maintenance Figure 253 Firmware Upload The following table describes the labels in this screen. Note: Do not turn off the ZyWALL while firmware upload is in progress! After you see the Firmware Upload in Process screen, wait two minutes before logging into the ZyWALL again.
ZyWALL 5/35/70 Series User’s Guide Chapter 31 Maintenance 496 Figure 255 Network Temporarily Disconnected After two minutes, log in again and check your new firmware version in the HOME screen. If the upload was not successful, the following screen will appear.
ZyWALL 5/35/70 Series User’s Guide 497 Chapter 31 Maintenance Figure 257 Backup and Restore 31.11.1 Backup Configuration Backup Configuration allows you to back up (save) the ZyWALL’s current configuration to a file on your computer.
ZyWALL 5/35/70 Series User’s Guide Chapter 31 Maintenance 498 Note: Do not turn off the ZyWALL while configuration file upload is in progress. After you see a “restore configuration successful” screen, you must then wait one minute before logging into the ZyWALL again.
ZyWALL 5/35/70 Series User’s Guide 499 Chapter 31 Maintenance 31.11.3 Back to Factory Defaults Pressing the Reset button in this section clears all user-entered configuration information and returns the ZyWALL to its factory defaults as shown on the screen.
ZyWALL 5/35/70 Series User’s Guide Chapter 32 Introducing the SMT 500 CHAPTER 32 Introducing the SMT This chapter explains how to access the System Management Terminal and gives an overview of its menus.
ZyWALL 5/35/70 Series User’s Guide 501 Chapter 32 Introducing the SMT Figure 263 Initial Screen 32.2.2 Entering the Password The login screen appears after you press [ENTER], prompting you to enter the password, as shown below. For your first login, enter the default password “1234”.
ZyWALL 5/35/70 Series User’s Guide Chapter 32 Introducing the SMT 502 32.3.1 Main Menu After you enter the password, the SMT displays the ZyWALL Main Menu, as shown next. This guide uses the ZyWALL 70 menus as an example. The menus may vary slightly for different ZyWALL models.
ZyWALL 5/35/70 Series User’s Guide 503 Chapter 32 Introducing the SMT Figure 265 Main Menu (Router Mode) Figure 266 Main Menu (Bridge Mode) The following table describes the fields in this menu. Copyright (c) 1994 - 2005 ZyXEL Communications Corp.
ZyWALL 5/35/70 Series User’s Guide Chapter 32 Introducing the SMT 504 32.3.2 SMT Menus Overview The following table gives you an overview of your ZyWALL’s various SMT menus. 3 LAN Setup Use this menu to apply LAN filters, configure LAN DHCP and TCP/IP settings.
ZyWALL 5/35/70 Series User’s Guide 505 Chapter 32 Introducing the SMT 6 Route Setup (for the ZyWALL 35 and the ZyWALL 70) 6.1 Route Assessment 6.2 Traffic Redirect 6.3 Route Failover 7 Wireless Setup 7.1 Wireless Setup 7.1.1 WLAN MAC Address Filter 7.
ZyWALL 5/35/70 Series User’s Guide Chapter 32 Introducing the SMT 506 32.4 Changing the System Password Change the system password by following the steps shown next. 1 Enter 23 in the main menu to open Menu 23 - System Password as shown next. 24 System Maintenance 24.
ZyWALL 5/35/70 Series User’s Guide 507 Chapter 32 Introducing the SMT Figure 267 Menu 23: System Password 2 Type your existing password and press [ENTER]. 3 Type your new system password and press [ENTER]. 4 Re-type your new system password for confirmation and press [ENTER].
ZyWALL 5/35/70 Series User’s Guide Chapter 33 SMT Menu 1 - General Setup 508 CHAPTER 33 SMT Menu 1 - General Setup Menu 1 - General Setup contains administrative and system-related information. 33.1 Introduction to General Setup Menu 1 - General Setup contains administrative and system-related information.
ZyWALL 5/35/70 Series User’s Guide 509 Chapter 33 SMT Menu 1 - General Setup Figure 269 Menu 1: General Setup (Bridge Mode) The following table describes the fields not previously discussed (see Table 184 on page 508). Edit Dynamic DNS Press [SPACE BAR] and then [ENTER] to select Yes or No (default).
ZyWALL 5/35/70 Series User’s Guide Chapter 33 SMT Menu 1 - General Setup 510 33.2.1 Configuring Dynamic DNS To configure Dynamic DNS, set the ZyWALL to router mode in menu 1 or in the MAINTENANCE Device Mode screen and go to Menu 1 - General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field.
ZyWALL 5/35/70 Series User’s Guide 511 Chapter 33 SMT Menu 1 - General Setup Figure 271 Menu 1.1.1: DDNS Host Summary The following table describes the fields in this screen. 5 Select Edit in the Select Command field; type the index number of the DDNS host you want to configure in the Select Rule field and press [ENTER] to open Menu 1.
ZyWALL 5/35/70 Series User’s Guide Chapter 33 SMT Menu 1 - General Setup 512 Figure 272 Menu 1.1.1: DDNS Edit Host The following table describes the fields in this screen.
ZyWALL 5/35/70 Series User’s Guide 513 Chapter 33 SMT Menu 1 - General Setup The IP address updates when you reconfigure menu 1 or perform DHCP client renewal. IP Address Update Policy: You can select Yes in either the Let DDNS Server Auto Detect field (recommended) or the Use User-Defined field, but not both.
ZyWALL 5/35/70 Series User’s Guide Chapter 34 WAN and Dial Backup Setup 514 CHAPTER 34 WAN and Dial Backup Setup This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.
ZyWALL 5/35/70 Series User’s Guide 515 Chapter 34 WAN and Dial Backup Setup The following table describes the fields in this screen. 34.3 Dial Backup The Dial Backup port can be used in reserve, as a traditional dial-up connection should the broadband connection to the WAN port fail.
ZyWALL 5/35/70 Series User’s Guide Chapter 34 WAN and Dial Backup Setup 516 Figure 274 Menu 2: Dial Backup Setup The following table describes the fields in this menu. 34.5 Advanced WAN Setup Note: Consult the manual of your WAN device connected to your Dial Backup port for specific AT commands.
ZyWALL 5/35/70 Series User’s Guide 517 Chapter 34 WAN and Dial Backup Setup To edit the advanced setup for the Dial Backup port, move the cursor to the Edit Advanced Setup field in Menu 2 - WAN Setup, press the [SPACE BAR] to select Yes and then press [ENTER].
ZyWALL 5/35/70 Series User’s Guide Chapter 34 WAN and Dial Backup Setup 518 34.6 Remote Node Profile (Backup ISP) On a ZyWALL with multiple WAN ports, enter 3 in Menu 11 - Remote Node Setup to open Menu 11.3 - Remote Node Profile (Backup ISP) (shown below) and configure the setup for your Dial Backup port connection.
ZyWALL 5/35/70 Series User’s Guide 519 Chapter 34 WAN and Dial Backup Setup Figure 276 Menu 11.3: Remote Node Profile (Backup ISP) The following table describes the fields in this menu.
ZyWALL 5/35/70 Series User’s Guide Chapter 34 WAN and Dial Backup Setup 520 34.7 Editing PPP Options The ZyWALL’s dial back-up feature uses PPP. To edit the remote node PPP Options, move the cursor to the Edit PPP Options field in Menu 11.
ZyWALL 5/35/70 Series User’s Guide 521 Chapter 34 WAN and Dial Backup Setup Figure 277 Menu 11.3.1: Remote Node PPP Options This table describes the Remote Node PPP Options Menu, and contains instructions on how to configure the PPP options fields.
ZyWALL 5/35/70 Series User’s Guide Chapter 34 WAN and Dial Backup Setup 522 Figure 278 Menu 11.3.2: Remote Node Network Layer Options The following table describes the fields in this menu. Menu 11.3.2 - Remote Node Network Layer Options IP Address Assignment= Static Rem IP Addr= 0.
ZyWALL 5/35/70 Series User’s Guide 523 Chapter 34 WAN and Dial Backup Setup 34.9 Editing Login Script For some remote gateways, text login is required before PPP negotiation is started.
ZyWALL 5/35/70 Series User’s Guide Chapter 34 WAN and Dial Backup Setup 524 You can use two variables, $USERNAME and $PASSWORD (all UPPER case), to represent the actual user name and password in the script, so they will not show in the clear.
ZyWALL 5/35/70 Series User’s Guide 525 Chapter 34 WAN and Dial Backup Setup The following table describes the fields in this menu. 34.10 Remote Node Filter Move the cursor to the field Edit Filter Sets in menu 11.3, and then press [SPACE BAR] to set the value to Yes.
ZyWALL 5/35/70 Series User’s Guide Chapter 35 LAN Setup 526 CHAPTER 35 LAN Setup This chapter describes how to configure the LAN using Menu 3 - LAN Setup. 35.1 Introduction to LAN Setup This chapter describes how to configure the ZyWALL for LAN and wireless LAN connections.
ZyWALL 5/35/70 Series User’s Guide 527 Chapter 35 LAN Setup Figure 282 Menu 3.1: LAN Port Filter Setup 35.4 TCP/IP and DHCP Ethernet Setup Menu From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup.
ZyWALL 5/35/70 Series User’s Guide Chapter 35 LAN Setup 528 Figure 284 Menu 3.2: TCP/IP and DHCP Ethernet Setup Follow the instructions in the next table on how to configure the DHCP fields. Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP= Server TCP/IP Setup: Client IP Pool: Starting Address= 192.
ZyWALL 5/35/70 Series User’s Guide 529 Chapter 35 LAN Setup Use the instructions in the following table to configure TCP/IP parameters for the LAN port.
ZyWALL 5/35/70 Series User’s Guide Chapter 35 LAN Setup 530 35.4.1 IP Alias Setup IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface.
ZyWALL 5/35/70 Series User’s Guide 531 Chapter 35 LAN Setup Outgoing Protocol Filters Enter the filter set(s) you wish to apply to the outgoing traffic between this node and the ZyWALL. When you have completed this menu, press [ENTER] at the prompt [Press ENTER to Confirm…] to save your configuration, or press [ESC] at any time to cancel.
ZyWALL 5/35/70 Series User’s Guide Chapter 36 Internet Access 532 CHAPTER 36 Internet Access This chapter shows you how to configure your ZyWALL for Internet access. 36.1 Introduction to Internet Access Setup Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet.
ZyWALL 5/35/70 Series User’s Guide 533 Chapter 36 Internet Access The following table describes the fields in this menu. Table 200 Menu 4: Internet Access Setup (Ethernet) FIELD DESCRIPTION ISP’s Name This is the descriptive name of your ISP for identification purposes.
ZyWALL 5/35/70 Series User’s Guide Chapter 36 Internet Access 534 36.3 Configuring the PPTP Client Note: The ZyWALL supports only one PPTP server connection at any given time. To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
ZyWALL 5/35/70 Series User’s Guide 535 Chapter 36 Internet Access Figure 288 Internet Access Setup (PPPoE) The following table contains instructions about the new fields when you choose PPPoE in the Encapsulation field in menu 4.
ZyWALL 5/35/70 Series User’s Guide Chapter 37 DMZ Setup 536 CHAPTER 37 DMZ Setup This chapter describes how to configure the ZyWALL’s DMZ using Menu 5 - DMZ Setup. 37.1 Configuring DMZ Setup From the main menu, enter 5 to open Menu 5 – DMZ Setup.
ZyWALL 5/35/70 Series User’s Guide 537 Chapter 37 DMZ Setup 37.3.1 IP Address From the main menu, enter 5 to open Menu 5 - DMZ Setup to configure TCP/IP (RFC 1155). Figure 291 Menu 5: DMZ Setup From menu 5, select the submenu option 2. TCP/IP and DHCP Setup and press [ENTER].
ZyWALL 5/35/70 Series User’s Guide Chapter 37 DMZ Setup 538 37.3.2 IP Alias Setup You must use menu 5.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to configure the second and third network.
ZyWALL 5/35/70 Series User’s Guide 539 Chapter 37 DMZ Setup.
ZyWALL 5/35/70 Series User’s Guide Chapter 38 Route Setup 540 CHAPTER 38 Route Setup This chapter describes how to configure the ZyWALL's traffic redirect. This chapter applies to the ZyWALL 35 and ZyWALL 70. 38.1 Configuring Route Setup From the main menu, enter 6 to open Menu 6 - Route Setup.
ZyWALL 5/35/70 Series User’s Guide 541 Chapter 38 Route Setup The following table describes the fields in this menu. 38.3 Traffic Redirect To configure the parameters for traffic redirect, enter 2 in Menu 6 - Route Setup to open Menu 6.2 - Traffic Redirect as shown next.
ZyWALL 5/35/70 Series User’s Guide Chapter 38 Route Setup 542 38.4 Route Failover This menu allows you to configure how the ZyWALL uses the route assessment ping check function. Figure 297 Menu 6.3: Route Failover The following table describes the fields in this menu.
ZyWALL 5/35/70 Series User’s Guide 543 Chapter 38 Route Setup.
ZyWALL 5/35/70 Series User’s Guide Chapter 39 Wireless Setup 544 CHAPTER 39 Wireless Setup Use menu 7 to set up your ZyWALL as the wireless access point.
ZyWALL 5/35/70 Series User’s Guide 545 Chapter 39 Wireless Setup Follow the instructions in the next table on how to configure the wireless LAN parameters. Table 206 Menu 7.1: Wireless Setup FIELD DESCRIPTION Enable Wireless LAN Press [SPACE BAR] to select Yes to turn on the wireless LAN.
ZyWALL 5/35/70 Series User’s Guide Chapter 39 Wireless Setup 546 39.1.1 MAC Address Filter Setup Your ZyWALL checks the MAC address of the wireless station device against a list of allowed or denied MAC addresses. However, intruders could fake allowed MAC addresses so MAC-based authentication is less secure than EAP authentication.
ZyWALL 5/35/70 Series User’s Guide 547 Chapter 39 Wireless Setup 39.2 TCP/IP Setup For more detailed information about RIP setup, IP Multicast and IP alias, please refer to Chapter 5 on page 110. 39.2.1 IP Address From the main menu, enter 7 to open Menu 7 - WLAN Setup to configure TCP/IP (RFC 1155).
ZyWALL 5/35/70 Series User’s Guide Chapter 39 Wireless Setup 548 Figure 301 Menu 7.2: TCP/IP and DHCP Ethernet Setup The DHCP and TCP/IP setup fields are the same as the ones in Menu 3.2 - TCP/IP and DHCP Ethernet Setup. Each public server will need a unique IP address.
ZyWALL 5/35/70 Series User’s Guide 549 Chapter 39 Wireless Setup Figure 302 Menu 7.2.1: IP Alias Setup Refer to Table 199 on page 530 for instructions on configuring IP alias parameters.
ZyWALL 5/35/70 Series User’s Guide Chapter 40 Remote Node Setup 550 CHAPTER 40 Remote Node Setup This chapter shows you how to configure a remote node. 40.1 Introduction to Remote Node Setup A remote node is required for placing calls to a remote gateway.
ZyWALL 5/35/70 Series User’s Guide 551 Chapter 40 Remote Node Setup Figure 303 Menu 11: Remote Node Setup 40.3 Remote Node Profile Setup The following explains how to configure the remote node profile menu. Not all fields are available on all models.
ZyWALL 5/35/70 Series User’s Guide Chapter 40 Remote Node Setup 552 The following table describes the fields in this menu. Table 208 Menu 11.1: Remote Node Profile for Ethernet Encapsulation FIELD DESCRIPTION Rem Node Name Enter a descriptive name for the remote node.
ZyWALL 5/35/70 Series User’s Guide 553 Chapter 40 Remote Node Setup 40.3.2 PPPoE Encapsulation The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). You can only use PPPoE encapsulation when you’re using the ZyWALL with a DSL modem as the WAN device.
ZyWALL 5/35/70 Series User’s Guide Chapter 40 Remote Node Setup 554 40.3.2.3 Metric See Section 7.5 on page 134 for details on the Metric field. 40.3.3 PPTP Encapsulation If you change the Encapsulation to PPTP in menu 11.1, then you will see the next screen.
ZyWALL 5/35/70 Series User’s Guide 555 Chapter 40 Remote Node Setup Figure 306 Menu 11.1: Remote Node Profile for PPTP Encapsulation The next table shows how to configure fields in menu 11.1 not previously discussed. 40.4 Edit IP Move the cursor to the Edit IP field in menu 11.
ZyWALL 5/35/70 Series User’s Guide Chapter 40 Remote Node Setup 556 Figure 307 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation This menu displays the My WAN Addr field for PPPoE and PPTP encapsulations and Gateway IP Addr field for Ethernet encapsulation.
ZyWALL 5/35/70 Series User’s Guide 557 Chapter 40 Remote Node Setup 40.5 Remote Node Filter Move the cursor to the field Edit Filter Sets in menu 11.1, and then press [SPACE BAR] to set the value to Yes. Press [ENTER] to open Menu 11.1.4 - Remote Node Filter.
ZyWALL 5/35/70 Series User’s Guide Chapter 40 Remote Node Setup 558 Figure 308 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation) Figure 309 Menu 11.
ZyWALL 5/35/70 Series User’s Guide 559 Chapter 40 Remote Node Setup Figure 310 Menu 11.1.5: Traffic Redirect Setup The following table describes the fields in this menu. Menu 11.1.5 - Traffic Redirect Setup Active= Yes Configuration: Backup Gateway IP Address= 0.
ZyWALL 5/35/70 Series User’s Guide Chapter 41 IP Static Route Setup 560 CHAPTER 41 IP Static Route Setup This chapter shows you how to configure static routes with your ZyWALL. 41.1 IP Static Route Setup Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.
ZyWALL 5/35/70 Series User’s Guide 561 Chapter 41 IP Static Route Setup Figure 312 Menu 12.1: Edit IP Static Route The following table describes the IP Static Route Menu fields.
ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 562 CHAPTER 42 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL.
ZyWALL 5/35/70 Series User’s Guide 563 Chapter 42 Network Address Translation (NAT) Figure 313 Menu 4: Applying NAT for Internet Access The following figure shows how you apply NAT to the remote node in menu 11.1. 1 Enter 11 from the main menu.
ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 564 The following table describes the fields in this menu. 42.2 NAT Setup Use the address mapping sets menus and submenus to create the mapping table used to assign global addresses to computers on the LAN and the DMZ.
ZyWALL 5/35/70 Series User’s Guide 565 Chapter 42 Network Address Translation (NAT) 42.2.1 Address Mapping Sets Enter 1 to bring up Menu 15.1 - Address Mapping Sets. Figure 316 Menu 15.1: Address Mapping Sets 42.2.1.1 SUA Address Mapping Set Enter 255 to display the next screen (see also Section 42.
ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 566 Note: Menu 15.1.255 is read-only. 42.2.1.2 User-Defined Address Mapping Sets Now look at option 1 in menu 15.1. Enter 1 to bring up this menu. Look at the differences from the previous menu.
ZyWALL 5/35/70 Series User’s Guide 567 Chapter 42 Network Address Translation (NAT) Figure 318 Menu 15.1.1: First Set Note: The Type, Local and Global Start/End IPs are configured in menu 15.1.1.1 (described later) and the values are displayed here.
ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 568 Note: You must press [ENTER] at the bottom of the screen to save the whole set. You must do this again if you make any changes to the set – including deleting a rule.
ZyWALL 5/35/70 Series User’s Guide 569 Chapter 42 Network Address Translation (NAT) 42.3 Configuring a Server behind NAT Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.
ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 570 Figure 321 Menu 15.2.1: NAT Server Sets 4 Select Edit Rule in the Select Command field; type the index number of the NAT server you want to configure in the Select Rule field and press [ENTER] to open Menu 15.
ZyWALL 5/35/70 Series User’s Guide 571 Chapter 42 Network Address Translation (NAT) Figure 322 15.2.1.2: NAT Server Configuration The following table describes the fields in this screen. 5 Enter a port number in the Start Port field. To forward only one port, enter it again in the End Port field.
ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 572 Figure 323 Menu 15.2.1: NAT Server Setup You assign the private network IP addresses. The NAT network appears as a single host on the Internet. A is the FTP/Telnet/SMTP server.
ZyWALL 5/35/70 Series User’s Guide 573 Chapter 42 Network Address Translation (NAT) Figure 325 NAT Example 1 Figure 326 Menu 4: Internet Access & NAT Example From menu 4 shown above, simply choose the SUA Only option from the Network Address Translation field.
ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 574 42.4.2 Example 2: Internet Access with a Default Server Figure 327 NAT Example 2 In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.
ZyWALL 5/35/70 Series User’s Guide 575 Chapter 42 Network Address Translation (NAT) 1 Map the first IGA to the first inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses).
ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 576 Figure 330 Example 3: Menu 11.1.2 The following figure shows how to configure the first rule.
ZyWALL 5/35/70 Series User’s Guide 577 Chapter 42 Network Address Translation (NAT) Figure 332 Example 3: Final Menu 15.1.1 Now configure the IGA3 to map to our web server and mail server on the LAN. 1 Enter 15 from the main menu. 2 Enter 2 to go to menu 15 .
ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 578 42.4.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation.
ZyWALL 5/35/70 Series User’s Guide 579 Chapter 42 Network Address Translation (NAT) Figure 336 Example 4: Menu 15.1.1: Address Mapping Rules 42.5 Trigger Port Forwarding Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side.
ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 580 Note: Only one LAN computer can use a trigger port (range) at a time. Enter 3 in menu 15 to display Menu 15.3 - Trigger Ports. For a ZyWALL with multiple WAN ports, enter 1 or 2 from menu 15.
ZyWALL 5/35/70 Series User’s Guide 581 Chapter 42 Network Address Translation (NAT).
ZyWALL 5/35/70 Series User’s Guide Chapter 43 Introducing the ZyWALL Firewall 582 CHAPTER 43 Introducing the ZyWALL Firewall This chapter shows you how to get started with the ZyWALL firewall. 43.1 Using ZyWALL SMT Menus From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next.
ZyWALL 5/35/70 Series User’s Guide 583 Chapter 43 Introducing the ZyWALL Firewall Figure 339 Menu 21.2: Firewall Setup Note: Configure the firewall rules using the web configurator or CLI commands. Menu 21.2 - Firewall Setup The firewall protects against Denial of Service (DoS) attacks when it is active.
ZyWALL 5/35/70 Series User’s Guide Chapter 44 Filter Configuration 584 CHAPTER 44 Filter Configuration This chapter shows you how to create and apply filters. 44.1 Introduction to Filters Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call.
ZyWALL 5/35/70 Series User’s Guide 585 Chapter 44 Filter Configuration 44.1.1 The Filter Structure of the ZyWALL A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name.
ZyWALL 5/35/70 Series User’s Guide Chapter 44 Filter Configuration 586 Figure 341 Filter Rule Process You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
ZyWALL 5/35/70 Series User’s Guide 587 Chapter 44 Filter Configuration 44.2 Configuring a Filter Set The ZyWALL includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below. 1 Enter 21 in the main menu to open menu 21.
ZyWALL 5/35/70 Series User’s Guide Chapter 44 Filter Configuration 588 The protocol dependent filter rules abbreviation are listed as follows: Refer to the next section for information on configuring the filter rules. 44.2.1 Configuring a Filter Rule To configure a filter rule, type its number in Menu 21.
ZyWALL 5/35/70 Series User’s Guide 589 Chapter 44 Filter Configuration To speed up filtering, all rules in a filter set must be of the same class, i.e., protocol filters or generic filters. The class of a filter set is determined by the first rule that you create.
ZyWALL 5/35/70 Series User’s Guide Chapter 44 Filter Configuration 590 The following figure illustrates the logic flow of an IP filter. Destination IP Addr Enter the destination IP Address of the packet you wish to filter. This field is ignored if it is 0.
ZyWALL 5/35/70 Series User’s Guide 591 Chapter 44 Filter Configuration Figure 345 Executing an IP Filter 44.2.3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule.
ZyWALL 5/35/70 Series User’s Guide Chapter 44 Filter Configuration 592 to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyWALL treats a packet as a byte stream as opposed to an IP or IPX packet.
ZyWALL 5/35/70 Series User’s Guide 593 Chapter 44 Filter Configuration 44.3 Example Filter Let’s look at an example to block outside users from accessing the ZyWALL via telnet. Please see our included disk for more example filters. Figure 347 Telnet Filter Example 1 Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup.
ZyWALL 5/35/70 Series User’s Guide Chapter 44 Filter Configuration 594 Figure 348 Example Filter: Menu 21.1.3.1 The port number for the telnet service (TCP protocol) is 23. See RFC 1060 for port numbers of well-known services. When you press [ENTER] to confirm, you will see the following screen.
ZyWALL 5/35/70 Series User’s Guide 595 Chapter 44 Filter Configuration M = N means an action can be taken immediately. The action is to drop the packet (m = D) if the action is matched and to fo .
ZyWALL 5/35/70 Series User’s Guide Chapter 44 Filter Configuration 596 44.6 Applying a Filter This section shows you where to apply the filter(s) after you design it (them). The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP and HTTP connections.
ZyWALL 5/35/70 Series User’s Guide 597 Chapter 44 Filter Configuration Figure 352 Filtering DMZ Traffic 44.6.3 Applying Remote Node Filters Go to menu 11.1.4 (shown below – note that call filter sets are only present for PPPoE encapsulation) and enter the number(s) of the filter set(s) as appropriate.
ZyWALL 5/35/70 Series User’s Guide Chapter 45 SNMP Configuration 598 CHAPTER 45 SNMP Configuration This chapter explains SNMP configuration menu 22. 45.1 SNMP Configuration To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next.
ZyWALL 5/35/70 Series User’s Guide 599 Chapter 45 SNMP Configuration 45.2 SNMP Traps The ZyWALL will send traps to the SNMP manager when any one of the following events occurs: Destination Type the IP address of the station to send your SNMP traps to.
ZyWALL 5/35/70 Series User’s Guide Chapter 46 System Information & Diagnosis 600 CHAPTER 46 System Information & Diagnosis This chapter covers SMT menus 24.1 to 24.4. 46.1 Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your ZyWALL.
ZyWALL 5/35/70 Series User’s Guide 601 Chapter 46 System Information & Diagnosis 3 There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 drops the WAN connection, 9 resets the counters and [ESC] takes you back to the previous screen.
ZyWALL 5/35/70 Series User’s Guide Chapter 46 System Information & Diagnosis 602 46.3 System Information and Console Port Speed This section describes your system and allows you to choose different console port speeds. To get to the System Information and Console Port Speed: 1 Enter 24 to go to Menu 24 - System Maintenance.
ZyWALL 5/35/70 Series User’s Guide 603 Chapter 46 System Information & Diagnosis Figure 358 Menu 24.2.1: System Maintenance: Information The following table describes the fields in this screen. 46.3.2 Console Port Speed You can change the speed of the console port through Menu 24.
ZyWALL 5/35/70 Series User’s Guide Chapter 46 System Information & Diagnosis 604 Figure 359 Menu 24.2.2: System Maintenance: Change Console Port Speed 46.4 Log and Trace There are two logging facilities in the ZyWALL. The first is the error logs and trace records that are stored locally.
ZyWALL 5/35/70 Series User’s Guide 605 Chapter 46 System Information & Diagnosis Figure 361 Examples of Error and Information Messages 46.4.2 Syslog Logging The ZyWALL uses the syslog facility to log the CDR (Call Detail Record) and system messages to a syslog server.
ZyWALL 5/35/70 Series User’s Guide Chapter 46 System Information & Diagnosis 606 Your ZyWALL sends five types of syslog messages. Some examples (not all ZyWALL specific) of these syslog mes.
ZyWALL 5/35/70 Series User’s Guide 607 Chapter 46 System Information & Diagnosis 4 PPP log 5 Firewall log Filter log Message Format SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String ); String = IP[Src=xx.
ZyWALL 5/35/70 Series User’s Guide Chapter 46 System Information & Diagnosis 608 46.4.3 Call-Triggering Packet Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easy readable format. Equivalent information is available in menu 24.
ZyWALL 5/35/70 Series User’s Guide 609 Chapter 46 System Information & Diagnosis 1 From the main menu, select option 24 to open Menu 24 - System Maintenance. 2 From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagnostic.
ZyWALL 5/35/70 Series User’s Guide Chapter 46 System Information & Diagnosis 610 Table 229 System Maintenance Menu Diagnostic FIELD DESCRIPTION Ping Host Enter 1 to ping any machine (with an IP address) on your LAN or WAN. Enter its IP address in the Host IP Address field below.
ZyWALL 5/35/70 Series User’s Guide 611 Chapter 46 System Information & Diagnosis.
ZyWALL 5/35/70 Series User’s Guide Chapter 47 Firmware and Configuration File Maintenance 612 CHAPTER 47 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file.
ZyWALL 5/35/70 Series User’s Guide 613 Chapter 47 Firmware and Configuration File Maintenance The following table is a summary. Please note that the internal filename refers to the filename on .
ZyWALL 5/35/70 Series User’s Guide Chapter 47 Firmware and Configuration File Maintenance 614 Figure 366 Telnet into Menu 24.5 47.3.2 Using the FTP Command from the Command Line 1 Launch the FTP client on your computer. 2 Enter “open”, followed by a space and the IP address of your ZyWALL.
ZyWALL 5/35/70 Series User’s Guide 615 Chapter 47 Firmware and Configuration File Maintenance 47.3.3 Example of FTP Commands from the Command Line Figure 367 FTP Session Example 47.3.4 GUI-based FTP Clients The following table describes some of the commands that you may see in GUI-based FTP clients.
ZyWALL 5/35/70 Series User’s Guide Chapter 47 Firmware and Configuration File Maintenance 616 4 The IP you entered in the Secured Client IP field in menu 24.11 does not match the client IP. If it does not match, the ZyWALL will disconnect the Telnet session immediately.
ZyWALL 5/35/70 Series User’s Guide 617 Chapter 47 Firmware and Configuration File Maintenance 47.3.8 GUI-based TFTP Clients The following table describes some of the fields that you may see in GUI-based TFTP clients. Refer to Section 47.3.5 on page 615 to read about configurations that disallow TFTP and FTP over WAN.
ZyWALL 5/35/70 Series User’s Guide Chapter 47 Firmware and Configuration File Maintenance 618 Figure 370 Backup Configuration Example Type a location for storing the configuration file or click Browse to look for one. Choose the Xmodem protocol. Then click Receive.
ZyWALL 5/35/70 Series User’s Guide 619 Chapter 47 Firmware and Configuration File Maintenance Figure 372 Telnet into Menu 24.6 1 Launch the FTP client on your computer. 2 Enter “open”, followed by a space and the IP address of your ZyWALL.
ZyWALL 5/35/70 Series User’s Guide Chapter 47 Firmware and Configuration File Maintenance 620 47.4.2 Restore Using FTP Session Example Figure 373 Restore Using FTP Session Example Refer to Section 47.3.5 on page 615 to read about configurations that disallow TFTP and FTP over WAN.
ZyWALL 5/35/70 Series User’s Guide 621 Chapter 47 Firmware and Configuration File Maintenance 4 After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu. Figure 377 Successful Restoration Confirmation Screen 47.
ZyWALL 5/35/70 Series User’s Guide Chapter 47 Firmware and Configuration File Maintenance 622 Figure 378 Telnet Into Menu 24.7.1: Upload System Firmware 47.5.2 Configuration File Upload You see the following screen when you telnet into menu 24.7.
ZyWALL 5/35/70 Series User’s Guide 623 Chapter 47 Firmware and Configuration File Maintenance 47.5.3 FTP File Upload Command from the DOS Prompt Example 1 Launch the FTP client on your computer. 2 Enter “open”, followed by a space and the IP address of your ZyWALL.
ZyWALL 5/35/70 Series User’s Guide Chapter 47 Firmware and Configuration File Maintenance 624 1 Use telnet from your computer to connect to the ZyWALL and log in. Because TFTP does not have any security checks, the ZyWALL records the IP address of the telnet client and accepts TFTP requests only from this address.
ZyWALL 5/35/70 Series User’s Guide 625 Chapter 47 Firmware and Configuration File Maintenance Figure 381 Menu 24.7.1 As Seen Using the Console Port 2 After the "Starting Xmodem upload" message appears, activate the Xmodem protocol on your computer.
ZyWALL 5/35/70 Series User’s Guide Chapter 47 Firmware and Configuration File Maintenance 626 Figure 383 Menu 24.7.2 As Seen Using the Console Port 2 After the "Starting Xmodem upload" message appears, activate the Xmodem protocol on your computer.
ZyWALL 5/35/70 Series User’s Guide Chapter 48 System Maintenance Menus 8 to 10 628 CHAPTER 48 System Maintenance Menus 8 to 10 This chapter leads you through SMT menus 24.8 to 24.10. 48.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware.
ZyWALL 5/35/70 Series User’s Guide 629 Chapter 48 System Maintenance Menus 8 to 10 The required fields in a command are enclosed in angle brackets <>. The optional fields in a command are enclosed in square brackets []. The | symbol means “or”.
ZyWALL 5/35/70 Series User’s Guide Chapter 48 System Maintenance Menus 8 to 10 630 48.2 Call Control Support The ZyWALL provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.
ZyWALL 5/35/70 Series User’s Guide 631 Chapter 48 System Maintenance Menus 8 to 10 Figure 388 Budget Management The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked.
ZyWALL 5/35/70 Series User’s Guide Chapter 48 System Maintenance Menus 8 to 10 632 Figure 389 Call History The following table describes the fields in this screen. 48.3 Time and Date Setting The ZyWALL’s Real Time Chip (RTC) keeps track of the time and date.
ZyWALL 5/35/70 Series User’s Guide 633 Chapter 48 System Maintenance Menus 8 to 10 Figure 390 Menu 24: System Maintenance Enter 10 to go to Menu 24.10 - System Maintenance - Time and Date Setting to update the time and date settings of your ZyWALL as shown in the following screen.
ZyWALL 5/35/70 Series User’s Guide Chapter 48 System Maintenance Menus 8 to 10 634 Table 236 Menu 24.10 System Maintenance: Time and Date Setting FIELD DESCRIPTION Time Protocol Enter the time service protocol that your timeserver uses.
ZyWALL 5/35/70 Series User’s Guide 635 Chapter 48 System Maintenance Menus 8 to 10 End Date (mm-nth-week-hr) Configure the day and time when Daylight Saving Time ends if you selected Yes in the Daylight Saving field. The hr field uses the 24 hour format.
ZyWALL 5/35/70 Series User’s Guide Chapter 49 Remote Management 636 CHAPTER 49 Remote Management This chapter covers remote management found in SMT menu 24.11. 49.1 Remote Management Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers.
ZyWALL 5/35/70 Series User’s Guide 637 Chapter 49 Remote Management Figure 392 Menu 24.11 – Remote Management Control The following table describes the fields in this screen. Menu 24.11 - Remote Management Control TELNET Server: Port = 23 Access = ALL Secure Client IP = 0.
ZyWALL 5/35/70 Series User’s Guide Chapter 49 Remote Management 638 49.1.1 Remote Management Limitations Remote management over LAN or WAN will not work when: 1 A filter in menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service.
ZyWALL 5/35/70 Series User’s Guide Chapter 50 IP Policy Routing 640 CHAPTER 50 IP Policy Routing This chapter covers setting and applying policies used for IP routing.
ZyWALL 5/35/70 Series User’s Guide 641 Chapter 50 IP Policy Routing 50.2 IP Routing Policy Setup To set up a routing policy, perform the following procedures: Criteria/Action This displays the details about to which packets the policy applies and how the policy has the ZyWALL handle those packets.
ZyWALL 5/35/70 Series User’s Guide Chapter 50 IP Policy Routing 642 1 Type 25 in the main menu to open Menu 25 - IP Routing Policy Summary. 2 Select Edit in the Select Command field; type the index number of the rule you want to configure in the Select Rule field and press [ENTER] to open Menu 25.
ZyWALL 5/35/70 Series User’s Guide 643 Chapter 50 IP Policy Routing 50.2.1 Applying Policy to Packets To apply the policy to packets received on the selected interface(s), go to Menu 25.1: IP Routing Policy Setup and press [SPACE BAR] to select Yes in the Edit policy to packets received from field.
ZyWALL 5/35/70 Series User’s Guide Chapter 50 IP Policy Routing 644 Figure 395 Menu 25.1.1: IP Routing Policy Setup The following table describes the fields in this screen.
ZyWALL 5/35/70 Series User’s Guide 645 Chapter 50 IP Policy Routing Figure 396 Example of IP Policy Routing To force Web packets coming from clients with IP addresses of 192.168.1.33 to 192.168.1.64 to be routed to the Internet via the WAN port of the ZyWALL, follow the steps as shown next.
ZyWALL 5/35/70 Series User’s Guide Chapter 50 IP Policy Routing 646 4 Create another rule in menu 25.1 for this rule to route packets from any host (IP=0.0.0.0 means any host) with protocol TCP and port FTP access through another gateway (192.168.
ZyWALL 5/35/70 Series User’s Guide Chapter 51 Call Scheduling 648 CHAPTER 51 Call Scheduling Call scheduling allows you to dictate when a remote node should be called and for how long.
ZyWALL 5/35/70 Series User’s Guide 649 Chapter 51 Call Scheduling Figure 400 Schedule Set Setup If a connection has been already established, your ZyWALL will not drop it. Once the connection is dropped manually or it times out, then that remote node can't be triggered up until the end of the Duration.
ZyWALL 5/35/70 Series User’s Guide Chapter 51 Call Scheduling 650 Once your schedule sets are configured, you must then apply them to the desired remote node(s).
ZyWALL 5/35/70 Series User’s Guide 651 Chapter 51 Call Scheduling Figure 402 Applying Schedule Set(s) to a Remote Node (PPTP) Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Activ.
ZyWALL 5/35/70 Series User’s Guide Chapter 52 Troubleshooting 652 CHAPTER 52 Troubleshooting This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem.
ZyWALL 5/35/70 Series User’s Guide 653 Chapter 52 Troubleshooting 52.3 Problems with the DMZ Interface 52.4 Problems with the WAN Interface Table 245 Troubleshooting the DMZ Interface PROBLEM CORRECTIVE ACTION Cannot access servers on the DMZ from the LAN.
ZyWALL 5/35/70 Series User’s Guide Chapter 52 Troubleshooting 654 52.5 Problems Accessing the ZyWALL 52.5.1 Pop-up Windows, JavaScripts and Java Permissions In order to use the web configurator you need to allow: Table 247 Troubleshooting Accessing the ZyWALL PROBLEM CORRECTIVE ACTION Cannot access the ZyWALL.
ZyWALL 5/35/70 Series User’s Guide 655 Chapter 52 Troubleshooting • Web browser pop-up windows from your device. • JavaScripts (enabled by default). • Java permissions (enabled by default). Note: Internet Explorer 6 screens are used here. Screens for other Internet Explorer versions may vary.
ZyWALL 5/35/70 Series User’s Guide Chapter 52 Troubleshooting 656 Figure 404 Internet Options: Privacy 3 Click Apply to save this setting. 52.5.1.1.2 Enable pop-up Blockers with Exceptions Alternatively, if you only want to allow pop-up windows from your device, see the following steps.
ZyWALL 5/35/70 Series User’s Guide 657 Chapter 52 Troubleshooting Figure 405 Internet Options: Privacy 3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.
ZyWALL 5/35/70 Series User’s Guide Chapter 52 Troubleshooting 658 Figure 406 Pop-up Blocker Settings 5 Click Close to return to the Privacy screen. 6 Click Apply to save this setting. 52.5.1.2 JavaScripts If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.
ZyWALL 5/35/70 Series User’s Guide 659 Chapter 52 Troubleshooting Figure 407 Internet Options: Security 2 Click the Custom Level... button. 3 Scroll down to Scripting. 4 Under Active scripting make sure that Enable is selected (the default). 5 Under Scripting of Java applets make sure that Enable is selected (the default).
ZyWALL 5/35/70 Series User’s Guide Chapter 52 Troubleshooting 660 Figure 408 Security Settings - Java Scripting 52.5.1.3 Java Permissions 1 From Internet Explorer, click Tools, Internet Options and then the Security tab. 2 Click the Custom Level.
ZyWALL 5/35/70 Series User’s Guide 661 Chapter 52 Troubleshooting Figure 409 Security Settings - Java 52.5.1.3.1 JAVA (Sun) 1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab. 2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected.
ZyWALL 5/35/70 Series User’s Guide Chapter 52 Troubleshooting 662 Figure 410 Java (Sun) 52.6 Packet Flow The following is the packet check flow on the ZyWALL.
ZyWALL 5/35/70 Series User’s Guide Appendix A Product Specifications 664 APPENDIX A Product Specifications See also the Introduction chapter for a general overview of the key features. Specification Tables Table 248 Device Specifications Default IP Address 192.
ZyWALL 5/35/70 Series User’s Guide 665 Appendix A Product Specifications Operation Humidity 20% ~ 95% RH (non-condensing) Storage Humidity 20% ~ 95% RH (non-condensing) Certifications EMC: FCC.
ZyWALL 5/35/70 Series User’s Guide Appendix A Product Specifications 666 Anti-Spam Spam, Phishing detection Configurable white and black lists SMTP, POP3 support External Spam database Conte.
ZyWALL 5/35/70 Series User’s Guide 667 Appendix A Product Specifications Other Protocol Support PPP (Point-to-Point Protocol) link layer protocol. Transparent bridging for unsupported network layer protocols.
ZyWALL 5/35/70 Series User’s Guide Appendix A Product Specifications 668 Compatible ZyXEL WLAN Cards The following table lists the ZyXEL WLAN cards that you can use in the ZyWALL at the time of writing. It also shows the security features that each card supports.
ZyWALL 5/35/70 Series User’s Guide 669 Appendix A Product Specifications Figure 411 WLAN Card Installation Cable Pin Assignments In a serial communications connection, generally a computer is DTE (Data Terminal Equipment) and a modem is DCE (Data Circuit-terminating Equipment).
ZyWALL 5/35/70 Series User’s Guide Appendix A Product Specifications 670 Figure 413 Ethernet Cable Pin Assignments Table 253 Console/Dial Backup Port Pin Assignments CONSOLE Port RS-232 (Fema.
ZyWALL 5/35/70 Series User’s Guide Appendix B Hardware Installation 672 APPENDIX B Hardware Installation The ZyWALL can be placed on a desktop or rack-mounted on a standard EIA rack.
ZyWALL 5/35/70 Series User’s Guide 673 Appendix B Hardware Installation Figure 414 Attaching Rubber Feet Note: Do not block the ventilation holes. Leave space between ZyWALLs when stacking. Rack-mounted Installation Requirements The ZyWALL can be mounted on an EIA standard size, 19-inch rack or in a wiring closet with other equipment.
ZyWALL 5/35/70 Series User’s Guide Appendix B Hardware Installation 674 Figure 415 Attaching Mounting Brackets and Screws 3 After attaching both mounting brackets, position the ZyWALL in the rack by lining up the holes in the brackets with the appropriate holes on the rack.
ZyWALL 5/35/70 Series User’s Guide Appendix C Removing and Installing a Fuse 676 APPENDIX C Removing and Installing a Fuse This appendix shows you how to remove and install fuses for the ZyWALL. If you need to install a new fuse, follow the procedure below.
ZyWALL 5/35/70 Series User’s Guide Appendix D Setting up Your Computer’s IP Address 678 APPENDIX D Setting up Your Computer’s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed.
ZyWALL 5/35/70 Series User’s Guide 679 Appendix D Setting up Your Computer’s IP Address Figure 417 Windows 95/98/Me: Network: Configuration Installing Components The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.
ZyWALL 5/35/70 Series User’s Guide Appendix D Setting up Your Computer’s IP Address 680 3 Select Microsoft from the list of manufacturers. 4 Select Client for Microsoft Networks from the list of network clients and then click OK. 5 Restart your computer so the changes you made take effect.
ZyWALL 5/35/70 Series User’s Guide 681 Appendix D Setting up Your Computer’s IP Address Figure 419 Windows 95/98/Me: TCP/IP Properties: DNS Configuration 4 Click the Gateway tab. • If you do not know your gateway’s IP address, remove previously installed gateways.
ZyWALL 5/35/70 Series User’s Guide Appendix D Setting up Your Computer’s IP Address 682 Figure 420 Windows XP: Start Menu 2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT). Figure 421 Windows XP: Control Panel 3 Right-click Local Area Connection and then click Properties.
ZyWALL 5/35/70 Series User’s Guide 683 Appendix D Setting up Your Computer’s IP Address Figure 422 Windows XP: Control Panel: Network Connections: Properties 4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties.
ZyWALL 5/35/70 Series User’s Guide Appendix D Setting up Your Computer’s IP Address 684 • If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields. • Click Advanced.
ZyWALL 5/35/70 Series User’s Guide 685 Appendix D Setting up Your Computer’s IP Address Figure 425 Windows XP: Advanced TCP/IP Properties 7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): • Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
ZyWALL 5/35/70 Series User’s Guide Appendix D Setting up Your Computer’s IP Address 686 Figure 426 Windows XP: Internet Protocol (TCP/IP) Properties 8 Click OK to close the Internet Protocol (TCP/IP) Properties window. 9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window.
ZyWALL 5/35/70 Series User’s Guide 687 Appendix D Setting up Your Computer’s IP Address Figure 427 Macintosh OS 8/9: Apple Menu 2 Select Ethernet built-in from the Connect via list. Figure 428 Macintosh OS 8/9: TCP/IP 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list.
ZyWALL 5/35/70 Series User’s Guide Appendix D Setting up Your Computer’s IP Address 688 4 For statically assigned settings, do the following: • From the Configure box, select Manually. • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box.
ZyWALL 5/35/70 Series User’s Guide 689 Appendix D Setting up Your Computer’s IP Address Figure 430 Macintosh OS X: Network 4 For statically assigned settings, do the following: • From the Configure box, select Manually. • Type your IP address in the IP Address box.
ZyWALL 5/35/70 Series User’s Guide Appendix D Setting up Your Computer’s IP Address 690 Note: Make sure you are logged in as the root administrator. Using the K Desktop Environment (KDE) Follow the steps below to configure your computer IP address using the KDE.
ZyWALL 5/35/70 Series User’s Guide 691 Appendix D Setting up Your Computer’s IP Address • If you have a dynamic IP address, click Automatically obtain IP address settings with and select dhcp from the drop down list.
ZyWALL 5/35/70 Series User’s Guide Appendix D Setting up Your Computer’s IP Address 692 1 Assuming that you have only one network card on the computer, locate the ifconfig-eth0 configuration file (where eth0 is the name of the Ethernet card). Open the configuration file with any plain text editor.
ZyWALL 5/35/70 Series User’s Guide 693 Appendix D Setting up Your Computer’s IP Address Figure 438 Red Hat 9.0: Restart Ethernet Card Verifying Settings Enter ifconfig in a terminal screen to check your TCP/IP properties. Figure 439 Red Hat 9.0: Checking TCP/IP Properties [root@localhost init.
ZyWALL 5/35/70 Series User’s Guide Appendix E IP Subnetting 694 APPENDIX E IP Subnetting IP Addressing Routers “route” based on the network number.
ZyWALL 5/35/70 Series User’s Guide 695 Appendix E IP Subnetting Since the first octet of a class “A” IP address must contain a “0”, the first octet of a class “A” address can have a value of 0 to 127.
ZyWALL 5/35/70 Series User’s Guide Appendix E IP Subnetting 696 Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32 bit mask, you can simply specify the number of ones instead of writing the value of each octet.
ZyWALL 5/35/70 Series User’s Guide 697 Appendix E IP Subnetting Note: In the following charts, shaded/bolded last octet bit values indicate host ID bits “borrowed” to form network ID bits. The number of “borrowed” host ID bits determines the number of subnets you can have.
ZyWALL 5/35/70 Series User’s Guide Appendix E IP Subnetting 698 Example: Four Subnets The above example illustrated using a 25-bit subnet mask to divide a class “C” address space into two subnets.
ZyWALL 5/35/70 Series User’s Guide 699 Appendix E IP Subnetting Example Eight Subnets Similarly use a 27-bit mask to create 8 subnets (001, 010, 011, 100, 101, 110). The following table shows class C IP address last octet values for each subnet.
ZyWALL 5/35/70 Series User’s Guide Appendix E IP Subnetting 700 Subnetting With Class A and Class B Networks. For class “A” and class “B” addresses the subnet mask also determines which bits are part of the network number and which are part of the host ID.
ZyWALL 5/35/70 Series User’s Guide Appendix F PPPoE 702 APPENDIX F PPPoE PPPoE in Action An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your computer to an ATM PVC (Permanent Virtual Circuit) which connects to a DSL Access Concentrator where the PPP session terminates (see Figure 440 on page 703).
ZyWALL 5/35/70 Series User’s Guide 703 Appendix F PPPoE Figure 440 Single-Computer per Router Hardware Configuration How PPPoE Works The PPPoE driver makes the Ethernet appear as a serial link to the computer and the computer runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC).
ZyWALL 5/35/70 Series User’s Guide Appendix G PPTP 704 APPENDIX G PPTP What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames.
ZyWALL 5/35/70 Series User’s Guide 705 Appendix G PPTP PPTP Protocol Overview PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco’s Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user.
ZyWALL 5/35/70 Series User’s Guide Appendix G PPTP 706 Figure 444 Example Message Exchange between Computer and an ANT PPP Data Connection The PPP frames are tunneled between the PNS and PAC over GRE (General Routing Encapsulation, RFC 1701, 1702).
ZyWALL 5/35/70 Series User’s Guide Appendix H Wireless LANs 708 APPENDIX H Wireless LANs Wireless LAN Topologies This section discusses ad-hoc and infrastructure wireless LAN topologies.
ZyWALL 5/35/70 Series User’s Guide 709 Appendix H Wireless LANs Figure 446 Basic Service Set ESS An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network.
ZyWALL 5/35/70 Series User’s Guide Appendix H Wireless LANs 710 Figure 447 Infrastructure WLAN Channel A channel is the radio frequency(ies) used by IEEE 802.
ZyWALL 5/35/70 Series User’s Guide 711 Appendix H Wireless LANs Figure 448 RTS/CTS When station A sends data to the AP, it might not know that the station B is already using the channel.
ZyWALL 5/35/70 Series User’s Guide Appendix H Wireless LANs 712 A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference.
ZyWALL 5/35/70 Series User’s Guide 713 Appendix H Wireless LANs IEEE 802.1x In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features.
ZyWALL 5/35/70 Series User’s Guide Appendix H Wireless LANs 714 • Access-Challenge Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message.
ZyWALL 5/35/70 Series User’s Guide 715 Appendix H Wireless LANs 3 The wireless station replies with identity information, including username and password. 4 The RADIUS server checks the user information against its user profile database and determines whether or not to authenticate the wireless station.
ZyWALL 5/35/70 Series User’s Guide Appendix H Wireless LANs 716 PEAP (Protected EAP) Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity.
ZyWALL 5/35/70 Series User’s Guide 717 Appendix H Wireless LANs Figure 450 WEP Authentication Steps Open system authentication involves an unencrypted two-message procedure. A wireless station sends an open system authentication request to the AP, which will then automatically accept and connect the wireless station to the network.
ZyWALL 5/35/70 Series User’s Guide Appendix H Wireless LANs 718 Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange. For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption.
ZyWALL 5/35/70 Series User’s Guide 719 Appendix H Wireless LANs The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC.
ZyWALL 5/35/70 Series User’s Guide Appendix H Wireless LANs 720 In a network environment with multiple access points, wireless stations are able to switch from one access point to another as they move between the coverage areas.
ZyWALL 5/35/70 Series User’s Guide 721 Appendix H Wireless LANs Requirements for Roaming The following requirements must be met in order for wireless stations to roam between the coverage areas. 1 All the access points must be on the same subnet and configured with the same ESSID.
ZyWALL 5/35/70 Series User’s Guide Appendix I Triangle Route 722 APPENDIX I Triangle Route The Ideal Setup When the firewall is on, your ZyWALL acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyWALL to protect your LAN against attacks.
ZyWALL 5/35/70 Series User’s Guide 723 Appendix I Triangle Route Figure 453 “Triangle Route” Problem The “Triangle Route” Solutions This section presents you two solutions to the “triangle route” problem. IP Aliasing IP alias allows you to partition your network into logical sections over the same Ethernet interface.
ZyWALL 5/35/70 Series User’s Guide Appendix I Triangle Route 724 Figure 454 IP Alias Gateways on the WAN Side A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side as the following figure shows.
ZyWALL 5/35/70 Series User’s Guide Appendix J Windows 98 SE/Me Requirements for Anti-Virus Message Display 726 APPENDIX J Windows 98 SE/Me Requirements for Anti-Virus Message Display With the anti-virus packet scan, when a virus is detected, an alert message is displayed on Microsoft Windows-based computers.
ZyWALL 5/35/70 Series User’s Guide 727 Appendix J Windows 98 SE/Me Requirements for Anti-Virus Message Display Figure 457 Windows 98 SE: Program Task Bar 2 Click the Start Menu Programs tab and click Advanced ... Figure 458 Windows 98 SE: Task Bar Properties 3 Double-click Programs and click StartUp.
ZyWALL 5/35/70 Series User’s Guide Appendix J Windows 98 SE/Me Requirements for Anti-Virus Message Display 728 Figure 459 Windows 98 SE: StartUp 5 A Create Shortcut window displays. Enter “winpopup” in the Command line field and click Next.
ZyWALL 5/35/70 Series User’s Guide 729 Appendix J Windows 98 SE/Me Requirements for Anti-Virus Message Display Figure 461 Windows 98 SE: Startup: Select a Title for the Program 7 A shortcut is created in the StartUp pane. Restart the computer when prompted.
ZyWALL 5/35/70 Series User’s Guide Appendix K VPN Setup 730 APPENDIX K VPN Setup This appendix will help you to quickly create an IPSec/VPN connection between two ZyXEL IPSec routers. It should be considered a quick reference for experienced users.
ZyWALL 5/35/70 Series User’s Guide 731 Appendix K VPN Setup The following pages show a typical configuration that builds a tunnel between two private networks. One network is the headquarters (HQ) and the other is a branch office. Both sites have static (fixed) public addresses.
ZyWALL 5/35/70 Series User’s Guide Appendix K VPN Setup 732 Figure 464 Headquarters Gateway Policy Edit The IP address of the branch office IPSec router.
ZyWALL 5/35/70 Series User’s Guide 733 Appendix K VPN Setup Figure 465 Branch Office Gateway Policy Edit 3 Click the add network policy ( ) icon next to the BRANCH gateway policy to configure a VPN policy. The IP address of the headquarters IPSec router.
ZyWALL 5/35/70 Series User’s Guide Appendix K VPN Setup 734 Figure 466 Headquarters VPN Rule Figure 467 Branch Office VPN Rule 4 Configure the screens in the headquarters and the branch office as follows and click Apply.
ZyWALL 5/35/70 Series User’s Guide 735 Appendix K VPN Setup Figure 468 Headquarters Network Policy Edit IP addresses on different subnets. Activate the network policy.
ZyWALL 5/35/70 Series User’s Guide Appendix K VPN Setup 736 Figure 469 Branch Office Network Policy Edit Dialing the VPN Tunnel via Web Configurator To test whether the IPSec routers can build the VPN tunnel, click the dial ( ) icon in the VPN Rules (IKE) screen to have the IPSec routers set up the tunnel.
ZyWALL 5/35/70 Series User’s Guide 737 Appendix K VPN Setup Figure 470 VPN Rule Configured The following screen displays. Figure 471 VPN Dial This screen displays later if the IPSec routers can build the VPN tunnel.
ZyWALL 5/35/70 Series User’s Guide Appendix K VPN Setup 738 VPN Troubleshooting If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into the web configurators of both ZyXEL IPSec routers.
ZyWALL 5/35/70 Series User’s Guide 739 Appendix K VPN Setup Figure 473 VPN Log Example ras> sys log disp ike ipsec # .time source destination notes message 0|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE Rule [ex-1] Tunnel built successfully 1|01/11/2001 18:47:22 |5.
ZyWALL 5/35/70 Series User’s Guide Appendix K VPN Setup 740 IPSec Debug If you are having difficulty building an IPSec tunnel to a non-ZyXEL IPSec router, advanced users may wish to examine the IPSec debug feature (Menu 24.
ZyWALL 5/35/70 Series User’s Guide 741 Appendix K VPN Setup Use a VPN Tunnel A VPN tunnel gives you a secure connection to another computer or network.
APPENDIX L Importing Certificates This appendix shows examples of importing certificates using Internet Explorer 5.
Figure 476 Login Screen 2 Click Install Certificate to open the Install Certificate wizard. Figure 477 Certificate General Information before Import 3 Click Next to begin the Install Certificate wizard.
Figure 478 Certificate Import Wizard 1 4 Select where you would like to store the certificate and then click Next. Figure 479 Certificate Import Wizard 2 5 Click Finish to complete the Import Certificate wizard.
Figure 480 Certificate Import Wizard 3 6 Click Yes to add the ZyWALL certificate to the root store.
Figure 482 Certificate General Information after Import Enrolling and Importing SSL Client Certificates The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL.
Figure 483 ZyWALL Trusted CA Screen The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s).
Figure 484 CA Certificate Example 2 Click Install Certificate and follow the wizard as shown earlier in this appendix. Installing Your Personal Certificate(s) You need a password in advance.
Figure 485 Personal Certificate Import Wizard 1 2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate.
Figure 487 Personal Certificate Import Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.
Figure 489 Personal Certificate Import Wizard 5 6 You should see the following screen when the certificate is correctly installed on your computer.
Figure 492 SSL Client Authentication 3 You next see the ZyWALL login screen.
APPENDIX M Command Interpreter The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.
APPENDIX N Firewall Commands The following describes the firewall commands. See Appendix M on page 754 for information on the command structure.
E-mail config edit firewall e-mail mail-server <ip address of mail server> This command sets the IP address to which the e-mail messages are sent.
config edit firewall attack minute-high <0-255> This command sets the threshold rate of new half-open sessions per minute where the ZyWALL starts deleting old half-opened sessions until it gets them down to the minute-low threshold.
Config edit firewall set <set #> tcp-idle-timeout <seconds> This command sets how long ZyWALL lets an inactive TCP connection remain open before considering it closed.
config edit firewall set <set #> rule <rule #> destaddr-subnet <ip address> <subnet mask> This command sets a rule to have the ZyWALL check for traffic with a particular subnet destination (defined by IP address and subnet mask).
APPENDIX O NetBIOS Filter Commands The following describes the NetBIOS packet filter commands.
The filter types and their default settings are as follows. NetBIOS Filter Configuration Syntax: sys filter netbios config &.
sys filter netbios config 3 on This command blocks IPSec NetBIOS packets.
APPENDIX P Certificates Commands The following describes the certificate commands. See Appendix M on page 754 for information on the command structure. All of these commands start with certificates.
create cmp_enroll <name> <CA addr> <CA cert> <auth key> <subject> [key size] Create a certificate request and enroll for a certificate immediately online using CMP protocol.
replace_factory Create a certificate using your device MAC address that will be specific to this device. The factory default certificate is a common default certificate for all ZyWALL models.
delete <name> Delete the specified trusted remote host certificate. <name> specifies the name of the certificate to be deleted. list List all trusted remote host certificate names and basic information.
APPENDIX Q Brute-Force Password Guessing Protection Brute-force password guessing protection allows you to specify a wait-time that must expire before entering a fourth password after three incorrect passwords have been entered.
APPENDIX R Boot Commands The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware is started.
Figure 495 Boot Module Commands AT just answer OK ATHE print help ATBAx change baud rate.
APPENDIX S Log Descriptions This appendix provides descriptions of example log messages. Table 275 System Maintenance Logs LOG MESSAGE DESCRIPTION Time calibration is successful The router has adjusted its time based on information from the time server.
Configuration Change: PC = 0x%x, Task ID = 0x%x The router is saving configuration changes. Successful SSH login Someone has logged on to the router’s SSH server. SSH login failed Someone has failed to log on to the router’s SSH server.
WAN connection is down. A WAN connection is down. You cannot access the network through this interface. Dial Backup starts Dial backup started working. Dial Backup ends Dial backup stopped working.
Table 278 TCP Reset Logs LOG MESSAGE DESCRIPTION Under SYN flood attack, sent TCP RST The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host.
For type and code details, see Table 294 on page 789. Table 280 ICMP Logs LOG MESSAGE DESCRIPTION Firewall default policy: ICM.
ppp:LCP Closing The PPP connection’s Link Control Protocol stage is closing. ppp:IPCP Closing The PPP connection’s Internet Protocol Control Protocol stage is closing.
For type and code details, see Table 294 on page 789. Connecting to content filter server fail The connection to the external content filtering server failed. License key is invalid The external content filtering license key is invalid.
Firewall sent TCP packet in response to DoS attack TCP The firewall sent TCP packet in response to a DoS attack ICMP Source Quench ICMP The firewall detected an ICMP Source Quench attack.
Table 287 Wireless Logs LOG MESSAGE DESCRIPTION WLAN MAC Filter Fail The MAC filter blocked a wireless station from connecting to the device. WLAN MAC Filter Success The MAC filter allowed a wireless station to connect to the device.
Table 289 IKE Logs LOG MESSAGE DESCRIPTION Active connection allowed exceeded The IKE process for a new connection failed because the limit of simultaneous phase 2 SAs has been reached.
Remote IP <Remote IP> / <Remote IP> conflicts The security gateway is set to “0.0.0.0” and the router used the peer’s “Local Address” as the router’s “Remote Address”.
Rule [%d] Phase 2 authentication algorithm mismatch The listed rule’s IKE phase 2 authentication algorithm did not match between the router and the peer.
Table 290 PKI Logs LOG MESSAGE DESCRIPTION Enrollment successful The SCEP online certificate enrollment was successful. The Destination field records the certification authority server IP address and port.
Table 291 Certificate Path Verification Failure Reason Codes CODE DESCRIPTION 1 Algorithm mismatch between the certificate and the search constraints. 2 Key usage mismatch between the certificate and the search constraints.
Local User Database does not find user`s credential. A user was not authenticated by the local user database because the user is not listed in the local user database. RADIUS accepts user.
(L to L/ZW) LAN to LAN/ZyWALL ACL set for packets traveling from the LAN to the LAN or the ZyWALL. (W to W/ZW) WAN to WAN/ZyWALL ACL set for packets traveling from the WAN to the WAN or the ZyWALL.
11 Time Exceeded 0 Time to live exceeded in transit 1 Fragment reassembly time exceeded 12 Parameter Problem 0 Pointer indicates .
Signature update OK - New signature version: <Signature version> Release Date: <Release date>! The device updated the signature file successfully. The signature file’s version and release date are included.
The turbo card is not ready, please insert the card and reboot! The turbo card is not installed. The system is doing signature update now, please wait! The device is updating the signature file.
Remove rating server [%Rating Server IP Address%] from server list! The listed server IP address has been removed from the list of anti-spam external database servers.
Syslog Logs There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack.
The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type.
Log Commands Go to the command interpreter interface. Appendix M on page 754 explains how to access and use the commands.
• Use the sys logs clear command to erase all of the ZyWALL’s logs. Log Command Example This example shows how to set the ZyWALL to record the access logs and alerts and then view the results.
An important step after buying a device (or even before buying it) is to read the manual. There are several simple reasons to do so:
If you have not yet bought the ZyXEL Communications 35 Series, now is a good time to get familiar with the product’s basic data. First consult the opening pages of the user manual, which is found above. There you should find the most important technical data for the ZyXEL Communications 35 Series, so you can check whether the device meets your needs. By exploring the following pages of the ZyXEL Communications 35 Series user manual you will learn all the product’s features and how it works. The information on the ZyXEL Communications 35 Series will certainly help you make a purchase decision.
If you already have the ZyXEL Communications 35 Series but have not yet read the user manual, you should do so for the reasons described above. You will then know whether you have used the available functions correctly, and whether you have made mistakes that could shorten the service life of the ZyXEL Communications 35 Series.
However, one of the most important roles the user manual plays for the user is helping to solve problems with the ZyXEL Communications 35 Series. Almost always you will find a Troubleshooting section there, that is, the most frequent faults and malfunctions of the ZyXEL Communications 35 Series together with instructions on how to resolve them. Even if you cannot solve the problem yourself, the user manual will show you the next steps to take: contacting the customer service center or the nearest service point.