User / maintenance manual for the ZyWALL5UTM 4.0 product from the manufacturer ZyXEL Communications
ZyWALL 5/35/70 Series Internet Security Appliance User’s Guide Version 4.00 10/2005.
ZyWALL 5/35/70 Series User’s Guide. Copyright. Copyright © 2005 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, t.
Federal Communications Commission (FCC) Interference Statement. This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: • This device may not cause harmful interference.
Safety Warnings. For your safety, be sure to read and follow all warning notices and instructions. • Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks.
ZyXEL Limited Warranty. ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase.
Customer Support. Please have the following information ready when you contact customer support. • Product model and serial number. • Warranty Information. • Date that you received your device.
Customer Support. POLAND: info@pl.zyxel.com, +48-22-5286603, www.pl.zyxel.com, ZyXEL Communications, ul.Emilli Plater 53, 00-113 Warszawa, Poland, +48-22-5206701. RUSSIA: http://zyxel.ru/support, +7-095-542-89-29, www.zyxel.
Preface. Congratulations on your purchase of the ZyWALL. Note: Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.
Syntax Conventions. • “Enter” means for you to type one or more characters. “Select” or “Choose” means for you to use one of the predefined choices. • The SMT menu titles and labels are in Bold Times New Roman font.
Chapter 1: Getting to Know Your ZyWALL. This chapter introduces the main features and applications of the ZyWALL.
Table Key: An O in a mode’s column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change.
Time and Date. The ZyWALL allows you to get the current time and date from an external server when you turn on your ZyWALL. You can also set the time manually. The Real Time Chip (RTC) keeps track of the time and date.
Bandwidth Management. Bandwidth management allows you to allocate network resources according to defined policies. This policy-based bandwidth allocation helps your network to better handle real-time applications such as Voice-over-IP (VoIP).
Content Filtering. The ZyWALL can block web features such as ActiveX controls, Java applets and cookies, as well as disable web proxies. The ZyWALL can block or allow access to web sites that you specify.
IEEE 802.1x for Network Security. The ZyWALL supports the IEEE 802.1x standard that works with the IEEE 802.
Dynamic DNS Support. With Dynamic DNS (Domain Name System) support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet.
Traffic Redirect. Traffic Redirect forwards WAN traffic to a backup gateway on the LAN when the ZyWALL cannot connect to the Internet, thus acting as an auxiliary backup when your regular WAN connection fails.
1.3 Applications for the ZyWALL. Here are some examples of what you can do with your ZyWALL.
Figure 2: VPN Application. 1.3.3 Front Panel LEDs. Figure 3: ZyWALL 70 Front Panel. Figure 4: ZyWALL 35 Front Panel. Figure 5 Z.
The following table describes the LEDs.
Table 2 Front Panel LEDs
LED | COLOR | STATUS | DESCRIPTION
PWR | | Off | The ZyWALL is turned off.
 | Green | On | The ZyWALL is turned on.
 | Red | On | The power to the ZyWALL is too low.
Chapter 2: Introducing the Web Configurator. This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens.
Figure 6: Change Password Screen. 6 Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device.
2.3.1 Procedure To Use The Reset Button. Make sure the SYS LED is on (not blinking) before you begin this procedure. 1 Press the RESET button for ten seconds, and then release it.
Note: Follow the instructions you see in the HOME screen or click the icon. The screen varies according to the device mode you select in the MAINTENANCE Device Mode screen.
The following table describes the labels in this screen. Table 3 Web Configurator HOME Screen in Router Mode. LABEL / DESCRIPTION: Wizards for WAN 1 (WAN) and VPN Quick Setup. Internet Access: Click Internet Access to use the initial configuration wizard.
2.4.2 Bridge Mode. The following screen displays when the ZyWALL is set to bridge mode. While in bridge mode, the ZyWALL cannot get an IP address from a DHCP server.
Figure 10: Web Configurator HOME Screen in Bridge Mode. The following table describes the labels in this screen. Table 4 Web Configurator HOME Screen in Bridge Mode. LABEL / DESCRIPTION: Wizards for VPN Quick Setup. VPN: Click VPN to create VPN policies.
Firmware Version: This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design. Device Mode: This displays whether the ZyWALL is functioning as a router or a bridge.
2.4.3 Navigation Panel. After you enter the password, use the sub-menus on the navigation panel to configure ZyWALL features. The following table lists the features available for each device mode.
Table Key: An O in a mode’s column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change.
WAN. General: This screen allows you to configure load balancing, route priority and traffic redirect properties. Route (ZyWALL 5 only): This screen allows you to configure route priority.
IDP. General: Use this screen to enable IDP on the ZyWALL and choose what interface(s) you want to protect from intrusions.
NAT. NAT Overview: Use this screen to enable NAT. Address Mapping: Use this screen to configure network address translation mapping rules. Port Forwarding: Use this screen to configure servers behind the ZyWALL.
2.4.4 System Statistics. Click Show Statistics in the HOME screen. Read-only information here includes port status and packet specific statistics. Also provided is "Up Time" and "poll interval(s)".
2.4.5 Show Statistics: Line Chart. Click the icon in the Show Statistics screen.
The following table describes the labels in this screen. Table 8 Home: Show Statistics: Line Chart. LABEL / DESCRIPTION: Click the icon to go back to the Show Statistics screen.
The following table describes the labels in this screen. Table 9 Home: DHCP Table. LABEL / DESCRIPTION: Interface: Select LAN, DMZ or WLAN to show the current DHCP client information for the specified interface.
Figure 14: Home: VPN Status. The following table describes the labels in this screen. Table 10 Home: VPN Status. LABEL / DESCRIPTION: #: This is the security association index number.
Chapter 3: Wizard Setup. This chapter provides information on the Wizard Setup screens in the web configurator. The Internet access wizard is only applicable when the ZyWALL is in router mode.
Figure 15: ISP Parameters: Ethernet Encapsulation. The following table describes the labels in this screen.
3.2.1.2 PPPoE Encapsulation. Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection.
3.2.1.3 PPTP Encapsulation. Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables transfers of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
Figure 17: ISP Parameters: PPTP Encapsulation. The following table describes the labels in this screen. Table 13 ISP Parameters: PPTP Encapsulation. LABEL / DESCRIPTION: ISP Parameters for Internet Access. Encapsulation: Select PPTP from the drop-down list box.
3.2.2 Internet Access Wizard: Second Screen. Click Next to go to the screen where you can register your ZyWALL and activate the free content filtering, anti-spam, anti-virus and IDP trial applications.
Figure 19: Internet Access Setup Complete. 3.2.3 Internet Access Wizard: Registration. If you clicked Next in the previous screen (see Figure 18 on page 85), the following screen displays.
The following table describes the labels in this screen. Table 14 Internet Access Wizard: Registration. LABEL / DESCRIPTION: Device Registration: If you select Existing myZyXEL.com account, only the User Name and Password fields are available.
Figure 22: Internet Access Wizard: Status. The following screen appears if the registration was not successful. Click Return to go back to the Device Registration screen and check your settings.
Figure 25: Internet Access Wizard: Activated Services. 3.3 VPN Wizard Gateway Setting. Use the VPN wizard screens to configure a VPN rule that uses a pre-shared key. If you want to set the rule to use a certificate, please go to the VPN screens for configuration.
The following table describes the labels in this screen. Table 15 VPN Wizard: Gateway Setting. LABEL / DESCRIPTION: Gateway Policy Property. Name: Type up to 32 characters to identify this VPN gateway policy.
Figure 27: VPN Wizard: Network Setting. The following table describes the labels in this screen. Table 16 VPN Wizard: Network Setting. LABEL / DESCRIPTION: Network Policy Property. Active: If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel.
3.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1). Figure 28: VPN Wizard: IKE Tunnel Setting. Remote Network: Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses.
The following table describes the labels in this screen. Table 17 VPN Wizard: IKE Tunnel Setting. LABEL / DESCRIPTION: Negotiation Mode: Select Main Mode for identity protection. Select Aggressive Mode to allow more incoming connections from dynamic IP addresses to use separate passwords.
3.6 VPN Wizard IPSec Setting (IKE Phase 2). Figure 29: VPN Wizard: IPSec Setting. The following table describes the labels in this screen. Table 18 VPN Wizard: IPSec Setting. LABEL / DESCRIPTION: Encapsulation Mode: Tunnel is compatible with NAT, Transport is not.
3.7 VPN Wizard Status Summary. This read-only screen shows the status of the current VPN setting.
Figure 30: VPN Wizard: VPN Status. The following table describes the labels in this screen. Table 19 VPN Wizard: VPN Status. LABEL / DESCRIPTION: Gateway Policy Property. Name: This is the name of this VPN gateway policy.
Name: This is the name of this VPN network policy. Network Policy Setting. Local Network. Starting IP Address: This is a (static) IP address on the LAN behind your ZyWALL. Ending IP Address/Subnet Mask: When the local network is configured for a single IP address, this field is N/A.
3.8 VPN Wizard Setup Complete. Congratulations! You have successfully set up the VPN rule after any existing rule(s) for your ZyWALL.
Chapter 4: Registration. 4.1 myZyXEL.com overview. myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL.
You will get automatic e-mail notification of new signature releases from mySecurityZone after you activate the IDP/Anti-virus service. You can also check for new signature or virus updates at http://mysecurity.
The following table describes the labels in this screen. Table 20 Registration. LABEL / DESCRIPTION: Device Registration: If you select Existing myZyXEL.com account, only the User Name and Password fields are available.
Figure 33: Registration: Registered Device. 4.3 Service. After you activate a trial, you can also use the Service screen to register and enter your iCard’s PIN number (license key). Click REGISTRATION, Service to open the screen as shown next.
The following table describes the labels in this screen. Table 21 Service. LABEL / DESCRIPTION: Service Management. Service: This field displays the service name available on the ZyWALL. Status: This field displays whether a service is activated (Active) or not (Inactive).
Chapter 5: LAN Screens. This chapter describes how to configure LAN settings. This chapter is only applicable when the ZyWALL is in router mode. The LAN Port Roles screen is available on the ZyWALL 5 and ZyWALL 35.
These parameters should work for the majority of installations. If your ISP gives you explicit DNS server address(es), read the embedded web configurator help regarding what fields need to be configured.
Both RIP-2B and RIP-2M send routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting.
Figure 35: LAN. The following table describes the labels in this screen. Table 22 LAN. LABEL / DESCRIPTION: LAN TCP/IP. IP Address: Type the IP address of your ZyWALL in dotted decimal notation.
Multicast: Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data.
5.6 LAN Static DHCP. This table allows you to assign IP addresses on the LAN to specific individual computers based on their MAC Addresses. Every Ethernet device has a unique MAC (Media Access Control) address.
5.7 LAN IP Alias. IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface.
Figure 38: LAN IP Alias. The following table describes the labels in this screen. Table 24 LAN IP Alias. LABEL / DESCRIPTION: Enable IP Alias 1, 2: Select the check box to configure another LAN network for the ZyWALL.
5.8 LAN Port Roles. Use the Port Roles screen to set ports as LAN, DMZ or WLAN interfaces. The LAN port role is not available on all models. Connect wireless LAN Access Points (APs) to WLAN interfaces to extend the ZyWALL’s wireless LAN coverage.
To change your ZyWALL’s port role settings, click NETWORK, LAN and then the Port Roles tab. The screen appears as shown. The radio buttons on the left correspond to Ethernet ports on the front panel of the ZyWALL.
After you change the LAN/DMZ/WLAN port roles and click Apply, please wait for a few seconds until the following screen appears. Click Return to go back to the Port Roles screen. Figure 41: Port Roles Change Complete. Apply: Click Apply to save your changes back to the ZyWALL.
Chapter 6: Bridge Screens. This chapter describes how to configure bridge settings. This chapter is only applicable when the ZyWALL is in bridge mode. 6.1 Bridge Loop. The ZyWALL can act as a bridge between a switch and a wired LAN or between two routers.
6.2.1 Rapid STP. The ZyWALL uses IEEE 802.1w RSTP (Rapid Spanning Tree Protocol) that allows faster convergence of the spanning tree (while also being backwards compatible with STP-only aware bridges).
Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the root bridge.
Figure 43: Bridge. The following table describes the labels in this screen. Table 28 Bridge. LABEL / DESCRIPTION: Bridge IP Address Setup. IP Address: Type the IP address of your ZyWALL in dotted decimal notation.
6.4 Bridge Port Roles. Use the Port Roles screen to set ports as LAN, DMZ or WLAN interfaces. The LAN port role is not available on all models. Connect wireless LAN Access Points (APs) to WLAN interfaces to extend the ZyWALL’s wireless LAN coverage.
Figure 44: WLAN Port Role Example. To change your ZyWALL’s port role settings, click NETWORK, BRIDGE and then the Port Roles tab. The screen appears as shown. The radio buttons on the left correspond to Ethernet ports on the front panel of the ZyWALL.
After you change the LAN/DMZ/WLAN port roles and click Apply, please wait for a few seconds until the following screen appears.
CHAPTER 7 WAN Screens
This chapter describes how to configure WAN settings. Multiple WAN and load balancing are not available on the ZyWALL 5.
You can select through which WAN port you want to send out traffic from UPnP-enabled applications (see Chapter 28 on page 452). The ZyWALL's DDNS lets you select which WAN interface you want to use for each individual domain name.
7.4.1.1 Example 1
The following figure depicts an example where both the WAN ports on the ZyWALL are connected to the Internet. The configured available outbound bandwidths for WAN 1 and WAN 2 are 512K and 256K respectively.
7.4.2 Weighted Round Robin
Similar to the Round Robin (RR) algorithm, the Weighted Round Robin (WRR) algorithm sets the ZyWALL to send traffic through each WAN interface in turn. In addition, the WAN interfaces are assigned weights.
Figure 49 Spillover Algorithm Example
7.5 TCP/IP Priority (Metric)
The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost".
Figure 50 WAN General
The following table describes the labels in this screen.
Table 32 WAN General
LABEL | DESCRIPTION
Active/Passive (Fail Over) Mode | Select the Active/Passive (fail over) operation mode to have the ZyWALL use the second highest priority WAN port as a back up.
7.7 Configuring Load Balancing
To configure load balancing on the ZyWALL, click NETWORK, WAN in the navigation panel. The WAN General screen displays by default. Select Active/Active Mode under Operation Mode to enable load balancing on the ZyWALL.
7.7.1 Least Load First
To configure Least Load First, select Least Load First in the Load Balancing Algorithm field.
Figure 51 Load Balancing: Least Load First
The following table describes the related fields in this screen.
7.7.2 Weighted Round Robin
To load balance using the weighted round robin method, select Weighted Round Robin in the Load Balancing Algorithm field.
Figure 52 Load Balancing: Weighted Round Robin
The following table describes the related fields in this screen.
Figure 53 Load Balancing: Spillover
The following table describes the related fields in this screen.
Table 35 Load Balancing: Spillover
LABEL | DESCRIPTION
Active/Active Mode | Select Active/Active Mode and set the related fields to enable load balancing on the ZyWALL.
Figure 54 WAN Route
The following table describes the labels in this screen.
Table 36 WAN Route
LABEL | DESCRIPTION
Route Priority WAN .
7.9 WAN IP Address Assignment
Every computer on the Internet must have a unique IP address. If your networks are isolated from the Internet, for instance, only between your two branch offices, you can assign any IP addresses to the hosts without problems.
1 The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, manually enter them in the DNS server fields.
Figure 55 WAN: Ethernet Encapsulation
The following table describes the labels in this screen.
Retype to Confirm | Type your password again to make sure that you have entered it correctly.
Login Server IP Address | Type the authentication server IP address here if your ISP gave you one.
7.12.2 PPPoE Encapsulation
The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (DSL, cable, wireless, etc.
Operationally, PPPoE saves significant effort for both you and the ISP or carrier, as it requires no specific configuration of the broadband modem at the customer site.
The following table describes the labels in this screen.
Table 40 WAN: PPPoE Encapsulation
LABEL | DESCRIPTION
ISP Parameters for Internet Access
Encapsulation | The PPPoE choice is for a dial-up connection using PPPoE.
RIP Direction | RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets.
7.12.3 PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
The following table describes the labels in this screen.
Table 41 WAN: PPTP Encapsulation
LABEL | DESCRIPTION
ISP Parameters for Internet A.
Enable NAT (Network Address Translation) | Network Address Translation (NAT) allows the translation of an Internet protocol address use.
7.13 Traffic Redirect
Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the ZyWALL still provides firewall protection.
Figure 59 Traffic Redirect LAN Setup
7.14 Configuring Traffic Redirect
To change your ZyWALL’s traffic redirect settings, click NETWORK, WAN and then the Traffic Redirect tab. The screen appears as shown.
7.15 Configuring Dial Backup
Click NETWORK, WAN and then the Dial Backup tab to display the Dial Backup screen.
Figure 61 Dial Backup
The following table describes the labels in this screen.
Table 43 Dial Backup
LABEL | DESCRIPTION
Dial Backup Setup
Enable Dial Backup | Select this check box to turn on dial backup.
Basic Settings
Login Name | Type the login name assigned by your ISP.
Enable RIP | Select this check box to turn on RIP (Routing Information Protocol), which allows a router to exchange routing information with other routers.
7.16 Advanced Modem Setup
7.16.1 AT Command Strings
For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing. ATDT is the command for a switch that requires tone dialing.
Figure 62 Advanced Setup
The following table describes the labels in this screen.
Table 44 Advanced Setup
LABEL | DESCRIPTION
AT Command Strings
Dial | Type the AT Command string to make a call.
Dial Timeout (sec) | Type a number of seconds for the ZyWALL to try to set up an outgoing call before timing out (stopping).
Retry Count | Type a number of times for the ZyWALL to retry a busy or no-answer phone number before blacklisting the number.
CHAPTER 8 DMZ Screens
This chapter describes how to configure the ZyWALL’s DMZ. 8.
Figure 63 DMZ
The following table describes the labels in this screen.
Table 45 DMZ
LABEL | DESCRIPTION
DMZ TCP/IP
IP Address | Type the IP address of your ZyWALL’s DMZ port in dotted decimal notation.
RIP Version | The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information.
8.3 DMZ Static DHCP
This table allows you to assign IP addresses on the DMZ to specific individual computers based on their MAC Addresses. Every Ethernet device has a unique MAC (Media Access Control) address.
Figure 64 DMZ Static DHCP
The following table describes the labels in this screen.
Table 46 DMZ Static DHCP
LABEL | DESCRIPTION
# | This is the index number of the Static IP table entry (row).
8.4 DMZ IP Alias
IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface.
8.5 DMZ Public IP Address Example
The following figure shows a simple network set up with public IP addresses on the WAN and DMZ and private IP addresses on the LAN. Lower case letters represent public IP addresses (like a.
Figure 66 DMZ Public Address Example
8.6 DMZ Private and Public IP Address Example
The following figure shows a network setup with both private and public IP addresses on the DMZ. Lower case letters represent public IP addresses (like a.
Figure 67 DMZ Private and Public Address Example
8.7 DMZ Port Roles
Use the Port Roles screen to set ports as LAN, DMZ or WLAN interfaces. The LAN port role is not available on all models.
Figure 68 WLAN Port Role Example
Note: Do the following if you are configuring from a computer connected to a LAN, DMZ or WLAN port and changing the port's role: 1.
Figure 69 DMZ: Port Roles
The following table describes the labels in this screen.
Table 48 DMZ: Port Roles
LABEL | DESCRIPTION
LAN | Select a port’s LAN radio button to use the port as part of the LAN.
CHAPTER 9 Wireless LAN
This chapter discusses how to configure wireless LAN on the ZyWALL.
Figure 70 WLAN
The following table describes the labels in this screen.
Table 49 WLAN
LABEL | DESCRIPTION
WLAN TCP/IP
IP Address | Type the IP address of your ZyWALL’s WLAN interface in dotted decimal notation.
RIP Version | The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information.
9.3 WLAN Static DHCP
This table allows you to assign IP addresses on the WLAN to specific individual computers based on their MAC addresses. Every Ethernet device has a unique MAC (Media Access Control) address.
Figure 71 WLAN Static DHCP
The following table describes the labels in this screen.
Table 50 WLAN Static DHCP
LABEL | DESCRIPTION
# | This is the index number of the Static IP table entry (row).
When you use IP alias, you can also configure firewall rules to control access between the WLAN's logical networks (subnets).
Note: Make sure that the subnets of the logical networks do not overlap.
9.5 WLAN Port Roles
Use the Port Roles screen to set ports as LAN, DMZ or WLAN interfaces. The LAN port role is not available on all models. Connect wireless LAN Access Points (APs) to WLAN interfaces to extend the ZyWALL’s wireless LAN coverage.
Note: Do the following if you are configuring from a computer connected to a LAN, DMZ or WLAN port and changing the port's role: 1.
After you change the LAN/DMZ/WLAN port roles and click Apply, please wait for a few seconds until the following screen appears. Click Return to go back to the Port Roles screen.
Figure 75 WLAN Port Roles Change Complete
9.
Figure 76 ZyWALL Wireless Security Levels
If you do not enable any wireless security on your ZyWALL, your network is accessible to any wireless networking device that is within range.
9.6.3 Restricted Access
The MAC Filter screen allows you to configure the AP to give exclusive access to devices (Allow Association) or exclude them from accessing the AP (Deny Association).
9.9 802.1x Overview
The IEEE 802.1x standard outlines enhanced security methods for both the authentication of wireless stations and encryption key management.
Sent by the RADIUS server to indicate that it has started or stopped accounting. In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password, they both know.
If this feature is enabled, it is not necessary to configure a default encryption key in the Wireless Card screen (see Section 9.16.4 on page 192). You may still configure and store keys here, but they will not be used while dynamic WEP is enabled.
TKIP regularly changes and rotates the encryption keys so that the same encryption key is never used twice.
Figure 78 WPA-PSK Authentication
9.13 Introduction to RADIUS
The ZyWALL can use an external RADIUS server to authenticate an unlimited number of users.
Figure 79 WPA with RADIUS Application Example
9.15 Wireless Client WPA Supplicants
A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA.
Figure 80 Wireless Card: No Security
The following table describes the labels in this screen.
9.16.1 Static WEP
Static WEP provides a mechanism for encrypting data using encryption keys. Both the AP and the wireless stations must use the same WEP key to encrypt and decrypt data.
Figure 81 Wireless Card: Static WEP
The following table describes the wireless LAN security labels in this screen.
Table 55 Wireless Card: Static WEP
LABEL | DESCRIPTION
Security | Select Static WEP from the drop-down list.
Figure 82 Wireless Card: WPA-PSK
The following wireless LAN security fields become available when you select WPA-PSK in the Security drop down list-box.
Table 56 Wireless Card: WPA-PSK
LABEL | DESCRIPTION
Security | Select WPA-PSK from the drop-down list.
9.16.3 WPA
Click NETWORK and WIRELESS CARD to display the Wireless Card screen. Select WPA from the Security list.
Figure 83 Wireless Card: WPA
The following wireless LAN security fields become available when you select WPA in the Security drop down list-box.
9.16.4 IEEE 802.1x + Dynamic WEP
Click NETWORK and WIRELESS CARD to display the Wireless Card screen. Select 802.1x + Dynamic WEP from the Security list.
Figure 84 Wireless Card: 802.
9.16.5 IEEE 802.1x + Static WEP
Click NETWORK and WIRELESS CARD to display the Wireless Card screen. Select 802.1x + Static WEP from the Security list.
Figure 85 Wireless Card: 802.
9.16.6 IEEE 802.1x + No WEP
Click NETWORK and WIRELESS CARD to display the Wireless Card screen.
The following wireless LAN security fields become available when you select 802.1x + No WEP in the Security drop down list-box.
Table 60 Wireless Card: 802.1x + No WEP
LABEL | DESCRIPTION
Security | Select 802.
The following wireless LAN security fields become available when you select No Access 802.1x + Static WEP in the Security drop down list-box.
Table 61 Wireless Card: No Access 802.1x + Static WEP
LABEL | DESCRIPTION
Security | Select No Access 802.
Figure 88 Wireless Card: MAC Address Filter
The following table describes the labels in this menu.
Table 62 Wireless Card: MAC Address Filter
LABEL | DESCRIPTION
Active | Select or clear the check box to enable or disable MAC address filtering.
CHAPTER 10 Firewalls
This chapter gives some background information on firewalls and introduces the ZyWALL firewall.
10.1 Firewall Overview
Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another.
1 Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems.
Figure 89 ZyWALL Firewall Application
10.4 Denial of Service
Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet.
10.4.2 Types of DoS Attacks
There are four types of DoS attacks:
1 Those that exploit bugs in a TCP/IP implementation.
2 Those that exploit weaknesses in the TCP/IP specification.
3 Brute-force attacks that flood a network with useless data.
response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue.
Figure 92 Smurf Attack
10.4.2.1 ICMP Vulnerability
ICMP is an error-reporting protocol that works in concert with IP.
All SMTP commands are illegal except for those displayed in the following tables.
Table 66 Legal SMTP Commands
AUTH DATA EHLO ETRN EXPN HELO HELP MAIL NOOP QUIT RCPT RSET SAML SEND SOML TURN VRFY
10.
Figure 93 Stateful Inspection
The previous figure shows the ZyWALL’s default firewall rules in action as well as demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed.
temporary entries might be modified, in order to permit only packets that are valid for the current state of the connection.
If an initiation packet originates on the LAN, this means that someone is trying to make a connection from the LAN to the Internet. Assuming that this is an acceptable part of the security policy (as is the case with the default policy), the connection will be allowed.
Any protocol that operates in this way must be supported on a case-by-case basis. You can use the web configurator’s Custom Services feature to do this.
10.6 Guidelines For Enhancing Security With Your Firewall
1 Change the default password via SMT or web configurator.
10.7.2 Firewall
• The firewall inspects packet contents as well as their source and destination addresses.
CHAPTER 11 Firewall Screens
This chapter shows you how to configure your ZyWALL firewall.
11.1 Access Methods
The web configurator is, by far, the most comprehensive firewall configuration tool your ZyWALL has to offer.
• WLAN to WAN
By default, the ZyWALL’s stateful packet inspection drops packets traveling in the following directions: .
11.3 Rule Logic Overview
Note: Study these points carefully before configuring rules.
11.3.1 Rule Checklist
1 State the intent of the rule. For example, This restricts all IRC access from the LAN to the Internet.
11.3.3.2 Service
Select the service from the Service scrolling list box. If the service is not listed, it is necessary to first define it. See Section 11.11.2 on page 229 for more information on predefined services.
Figure 94 LAN to WAN Traffic
11.4.2 WAN To LAN Rules
The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If you wish to allow certain WAN users to have access to your LAN, you will need to create custom rules to allow it.
11.6 Firewall Default Rule (Router Mode)
Click SECURITY, FIREWALL to open the Default Rule screen. Enable (or activate) the firewall by selecting the Enable Firewall check box.
11.7 Firewall Default Rule (Bridge Mode)
Click SECURITY, FIREWALL to open the Default Rule screen. Enable (or activate) the firewall by selecting the Enable Firewall check box.
Figure 97 Default Rule (Bridge Mode)
The following table describes the labels in this screen.
Table 68 Default Rule (Bridge Mode)
LABEL | DESCRIPTION
Enable Firewall | Select this check box to activate the firewall.
11.8 Firewall Rule Summary
Click SECURITY, FIREWALL, then the Rule Summary tab to open the screen. This screen displays a list of the configured firewall rules.
Note: The ordering of your rules is very important as rules are applied in turn.
11.8.1 Firewall Edit Rule
Follow these directions to create a new rule.
1 In the Rule Summary screen, type the index number for where you want to put the rule. For example, if you type 6, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.
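The index-based insertion and in-turn rule checking described above can be modeled as follows. This is an added Python example, not ZyXEL code: first-match evaluation, the rule fields, and every rule name, address and port are constructed assumptions. It also flags rules that can never take effect because an earlier rule already covers them.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"  # stands for "Any" in the address boxes


@dataclass(frozen=True)
class Rule:
    name: str
    source: str        # CIDR
    destination: str   # CIDR
    ports: range       # destination ports covered by the service
    action: str        # "permit" or "drop"

    def matches(self, src, dst, port):
        return (ip_address(src) in ip_network(self.source)
                and ip_address(dst) in ip_network(self.destination)
                and port in self.ports)

    def covers(self, other):
        """True if every packet that `other` matches is also matched by self."""
        return (ip_network(other.source).subnet_of(ip_network(self.source))
                and ip_network(other.destination).subnet_of(
                    ip_network(self.destination))
                and self.ports.start <= other.ports.start
                and other.ports.stop <= self.ports.stop)


def insert_rule(rules, index, rule):
    """Insert at a 1-based index: the rule previously at that index,
    and every rule after it, moves down by one."""
    if not 1 <= index <= len(rules) + 1:
        raise ValueError("index out of range")
    return rules[:index - 1] + [rule] + rules[index - 1:]


def evaluate(rules, src, dst, port, default="drop"):
    """Assumed model: rules are checked in turn and the first match decides.
    Returns (action, rule number), or (default, None) if nothing matched."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(src, dst, port):
            return rule.action, number
    return default, None


def shadowed(rules):
    """Return (rule number, covering earlier rule number) for every rule
    that can never be reached under first-match evaluation."""
    findings = []
    for later_no, later in enumerate(rules, start=1):
        for earlier_no, earlier in enumerate(rules[:later_no - 1], start=1):
            if earlier.covers(later):
                findings.append((later_no, earlier_no))
                break
    return findings


# Constructed WAN to LAN rule set and a constructed "My Service" rule.
BASE_RULES = [
    Rule("block-telnet", ANY, "10.0.0.0/24", range(23, 24), "drop"),
    Rule("block-all-to-lan", ANY, "10.0.0.0/24", range(1, 65536), "drop"),
]
MY_SERVICE = Rule("allow-my-service", ANY, "10.0.0.10/32",
                  range(8080, 8081), "permit")

if __name__ == "__main__":
    for index in (3, 2):
        rules = insert_rule(BASE_RULES, index, MY_SERVICE)
        verdict = evaluate(rules, "192.0.2.7", "10.0.0.10", 8080)
        print(f"inserted at {index}: verdict={verdict} "
              f"shadowed={shadowed(rules)}")
```

Placed at index 3, the permit rule sits behind the broad drop rule and never matches; placed at index 2, it takes effect and the broad drop rule becomes rule 3.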
Figure 99 Firewall Edit Rule
The following table describes the labels in this screen.
Table 70 Firewall Edit Rule
LABEL | DESCRIPTION
Rule Name | Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the firewall rule.
11.9 Anti-Probing
If an outside user attempts to probe an unsupported port on your ZyWALL, an ICMP response packet is automatically returned. This allows the outside user to know the ZyWALL exists.
11.10 Firewall Threshold
In the Threshold screen, shown later, you may choose to generate an alert whenever an attack is detected. For DoS attacks, the ZyWALL uses thresholds to determine when to drop sessions that do not become fully established.
When the rate of new connection attempts rises above a threshold (one-minute high), the ZyWALL starts deleting half-open sessions as required to accommodate new connection requests.
Figure 101 Firewall Threshold
The following table describes the labels in this screen.
Table 72 Firewall Threshold
LABEL | DESCRIPTION
Disable DoS Attack Protection on | Select the check box of an interface to which the ZyWALL does not apply the thresholds.
11.11 Service
Click SECURITY, FIREWALL, then the Service tab to open the screen as shown next. Use this screen to configure custom services for use in firewall rules or view the services that are predefined in the ZyWALL.
Figure 102 Firewall Service
The following table describes the labels in this screen.
Table 73 Firewall Service
LABEL | DESCRIPTION
Custom Service | This table shows all configured custom services.
11.11.1 Firewall Edit Custom Service
Configure customized ports for services not predefined by the ZyWALL (see Section 11.11.2 on page 229 for a list of predefined services).
11.11.2 Predefined Services
The Predefined Services table in the Service screen displays all predefined services that the ZyWALL already supports. Next to the name of the service, two fields appear in brackets.
IMAP(TCP/UDP:143) | Internet Message Access Protocol (IMAP) is used to access mail stored on a remote mail server over a TCP/IP connection using port 143. IMAP has shorter response times than POP3.
11.12 Example Firewall Rule
The following Internet firewall rule example allows a hypothetical My Service connection from the Internet.
1 In the Service screen, click Add to open the Edit Custom Service screen.
Figure 104 Service
2 Configure it as follows and click Apply.
Figure 105 Edit Custom Service Example
3 Click the Rule Summary tab. Select WAN to LAN from the Packet Direction drop-down list box.
Figure 106 Rule Summary
6 Enter the name of the firewall rule.
7 Select Any in the Destination Address(es) box and then click Delete.
8 Configure the destination address screen as follows and click Add.
Note: Custom services show up with an * before their names in the Services list box and the Rule Summary list box.
Figure 109 My Service Example Rule Summary
Rule 1: Allows a My Service connection from the WAN to IP addresses 10.
CHAPTER 12 Intrusion Detection and Prevention (IDP)
This chapter introduces some background information on IDP. Skip to the next chapter to see how to configure IDP on your ZyWALL.
Firewalls are usually deployed at the network edge. However, many attacks (inadvertently) are launched from within an organization.
12.1.5 Example Intrusions
The following are some examples of intrusions.
12.1.5.1 SQL Slammer Worm
W32.SQLExp.Worm is a worm that targets the systems running Microsoft SQL Server 2000, as well as Microsoft Desktop Engine (MSDE) 2000.
12.1.5.4 MyDoom
MyDoom W32.Mydoom.A@mm (also known as W32.Novarg.A) is a mass-mailing worm that arrives as an attachment with a bat, cmd, exe, pif, scr, or zip file extension.
CHAPTER 13 Configuring IDP
This chapter shows you how to configure IDP on the ZyWALL.
13.1 Overview
To use IDP on the ZyWALL, you need to insert the ZyWALL Turbo Card into the rear panel slot of the ZyWALL.
Figure 111 Applying IDP to Interfaces
13.2 General Setup
Use this screen to enable IDP on the ZyWALL and choose what interface(s) you want to protect from intrusions. Click IDP from the navigation panel.
Figure 112 IDP: General
The following table describes the labels in this screen.
Table 76 IDP: General Setup
LABEL | DESCRIPTION
General Setup
Enable Intrusion Detection and Protection | Select this check box to enable IDP on the ZyWALL.
To see signatures listed by intrusion type supported by the ZyWALL, select that type from the Attack Type list box.
Figure 113 Attack Types
The following table describes each attack type.
13.3.2 Intrusion Severity
Intrusions are assigned a severity level based on the following table.
Figure 114 Signature Actions
The following table describes signature actions.
Table 79 Signature Actions
ACTION | DESCRIPTION
No Action | The intrusion is detected but no action is taken.
Figure 115 IDP: Signatures
The following table describes the labels in this screen.
Table 80 IDP Signatures: Group View
LABEL | DESCRIPTION
Signature Groups
Attack Type | Select the type of signatures you want to view from the list box.
13.3.5 Query View
Click IDP in the navigation panel and then click the Signatures tab to see the ZyWALL’s “group view” signature screen, then click the Switch to query view link to go to this “query view” screen.
ZyWALL 5/35/70 Series User’s Guide Chapter 13 Configuring IDP 248 Note: A partial name may be searched but a complete ID number must be entered before a match can be found. For exa mple, a search by name for “w” (in the first example) finds all intrusions that cont ain this letter in the name field.
ZyWALL 5/35/70 Series User’s Guide 249 Chapter 13 Configuring IDP Figure 1 17 Signature Query by Comple te ID 13.3.5.2 Query Example 2 1 From the “group view” signature screen, click the Switch to query view link. 1 Select Signature Sear ch By Attributes .
ZyWALL 5/35/70 Series User’s Guide Chapter 13 Configuring IDP 250 Figure 1 18 Signature Query by Attribute. 13.4 Up date The ZyW ALL comes with built-in signatures cr eated by the ZyXEL Security Response T e am (ZSR T). These are regularly updated as new intrusions evolve.
ZyWALL 5/35/70 Series User’s Guide 251 Chapter 13 Configuring IDP 13.4.2 Configuring IDP Up date When scheduling signatu re updates, you shou ld choose a day and time when your network is least busy so as to minimize disru ption to your network. Y our custom signature configurations are not over-written when you download new signatures.
ZyWALL 5/35/70 Series User’s Guide Chapter 13 Configuring IDP 252 The following table describes the labels in this screen. Table 81 Signatures Update LABEL DESCRIPTION Signature Information Current Patt ern Ve r s i o n This field displays the signatures vers ion numb er currently used by the ZyWALL.
ZyWALL 5/35/70 Series User’s Guide 253 Chapter 13 Configuring IDP 13.5 Backup and Restore Y ou can change the pre-defined Active , Log , Alert and/or Action settings of individual signatures. Figure 120 IDP: Backup & Restore Use the Backup & Restore screen to: • Back up IDP signatures with your custom configured settings.
ZyWALL 5/35/70 Series User’s Guide Chapter 14 Anti-Virus 254 CHAPTER 14 Anti-Virus This chapter introduces and shows you how to configure the anti-virus scanner. 14.1 Anti-Virus Overview A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs.
ZyWALL 5/35/70 Series User’s Guide 255 Chapter 14 Anti-Virus 2 The virus spreads to other files and programs on the computer. 3 The infected files are unintentionally sent to another computer thus starting the spread of the virus. 4 Once the virus is spread through the network, the number of infected networked computers can grow exponentially.
ZyWALL 5/35/70 Series User’s Guide Chapter 14 Anti-Virus 256 14.2.1 How the ZyWALL Anti-Virus Scanner Works The ZyWALL checks traffic going to the interface(s) you specify for signature matches. Figure 121 ZyWALL Anti-virus Example The following describes the virus scanning process on the ZyWALL.
ZyWALL 5/35/70 Series User’s Guide 257 Chapter 14 Anti-Virus 1 The ZyWALL anti-virus scanner cannot detect polymorphic viruses. 2 The ZyWALL does not scan the following file/traffic types: • Simultaneous downloads of a file using multiple connections.
ZyWALL 5/35/70 Series User’s Guide Chapter 14 Anti-Virus 258 The following table describes the labels in this screen. Table 83 Anti-Virus: General LABEL DESCRIPTION General Setup Enable Anti-Virus Select Enable Anti-Virus to activate the anti-virus feature on the ZyWALL.
ZyWALL 5/35/70 Series User’s Guide 259 Chapter 14 Anti-Virus Note: You should have already registered the ZyWALL at myZyXEL.com (http://www.myzyxel.com/myzyxel/) and also have either activated the trial license or standard license (iCard). If your license has expired, you will have to renew it before updates are allowed.
ZyWALL 5/35/70 Series User’s Guide Chapter 14 Anti-Virus 260 Figure 123 Anti-Virus: Update The following table describes the labels in this screen. Table 84 Anti-Virus: Update LABEL DESCRIPTION Signature Information Current Pattern Version This field displays the signatures version number currently used by the ZyWALL.
ZyWALL 5/35/70 Series User’s Guide 261 Chapter 14 Anti-Virus Update Now Click this button to begin downloading signatures from the Update Server immediately. Auto Update Select the check box to configure a schedule for automatic signature updates.
ZyWALL 5/35/70 Series User’s Guide Chapter 15 Anti-Spam 262 CHAPTER 15 Anti-Spam This chapter covers how to use the ZyWALL’s anti-spam feature to deal with junk e-mail (spam). 15.1 Anti-Spam Overview The ZyWALL’s anti-spam feature identifies unsolicited commercial or junk e-mail (spam).
ZyWALL 5/35/70 Series User’s Guide 263 Chapter 15 Anti-Spam 15.1.1.1 SpamBulk Engine The e-mail fingerprint ID that the ZyWALL generates and sends to the anti-spam external database only includes the parts of the e-mail that are the most difficult for spammers (senders of spam) to change or fake.
ZyWALL 5/35/70 Series User’s Guide Chapter 15 Anti-Spam 264 15.1.1.4 SpamTricks Engine The SpamTricks engine checks for the tactics that spammers use to minimize the expense of sending lots of e-mail and tactics that they use to bypass spam filters.
ZyWALL 5/35/70 Series User’s Guide 265 Chapter 15 Anti-Spam The anti-spam external database checks for spoofing of e-mail attributes (like the IP address) and uses statistical analysis to detect phishing. 15.1.4 Whitelist Configure whitelist entries to identify legitimate e-mail.
ZyWALL 5/35/70 Series User’s Guide Chapter 15 Anti-Spam 266 15.1.7 MIME Headers MIME (Multipurpose Internet Mail Extensions) allows varied media types to be used in e-mail.
ZyWALL 5/35/70 Series User’s Guide 267 Chapter 15 Anti-Spam The following table describes the labels in this screen. Table 85 Anti-Spam: General LABEL DESCRIPTION General Setup Enable Anti-spam Select this check box to enable the anti-spam feature.
ZyWALL 5/35/70 Series User’s Guide Chapter 15 Anti-Spam 268 Figure 126 Anti-Spam: External DB The following table describes the labels in this screen.
ZyWALL 5/35/70 Series User’s Guide 269 Chapter 15 Anti-Spam 15.4 Anti-Spam Lists Screen Click SECURITY, ANTI-SPAM, Lists to display the Anti-Spam Lists screen. Configure the whitelist to identify legitimate e-mail. Configure the blacklist to identify spam e-mail.
ZyWALL 5/35/70 Series User’s Guide Chapter 15 Anti-Spam 270 Figure 127 Anti-Spam: Lists The following table describes the labels in this screen. Table 87 Anti-Spam: Lists LABEL DESCRIPTION Resou.
ZyWALL 5/35/70 Series User’s Guide 271 Chapter 15 Anti-Spam 15.5 Anti-Spam Rule Edit Screen Click SECURITY, ANTI-SPAM, Lists to display the Anti-Spam Lists screen. To create a new anti-spam whitelist or blacklist entry, type the index number where you want to put the entry.
ZyWALL 5/35/70 Series User’s Guide Chapter 15 Anti-Spam 272 The following table describes the labels in this screen. Table 88 Anti-Spam Rule Edit LABEL DESCRIPTION Rule Edit Active Turn this entry on to have the ZyWALL use it as part of the whitelist or blacklist.
ZyWALL 5/35/70 Series User’s Guide 273 Chapter 15 Anti-Spam Apply Click Apply to save your settings and exit this screen. Cancel Click Cancel to exit this screen without saving.
ZyWALL 5/35/70 Series User’s Guide Chapter 16 Content Filtering Screens 274 CHAPTER 16 Content Filtering Screens This chapter provides an overview of content filtering. 16.1 Content Filtering Overview Content filtering allows you to block certain web features, such as Cookies, and/or restrict specific websites.
ZyWALL 5/35/70 Series User’s Guide 275 Chapter 16 Content Filtering Screens Figure 129 Content Filter: General The following table describes the labels in this screen. Table 89 Content Filter: General LABEL DESCRIPTION General Setup Enable Content Filter Select this check box to enable the content filter.
ZyWALL 5/35/70 Series User’s Guide Chapter 16 Content Filtering Screens 276 16.3 Content Filtering with an External Database When you register for and enable external database content filtering, your ZyWALL accesses an external database that has millions of web sites categorized based on content.
ZyWALL 5/35/70 Series User’s Guide 277 Chapter 16 Content Filtering Screens Figure 130 Content Filtering Lookup Procedure 1 A computer behind the ZyWALL tries to access a web site.
ZyWALL 5/35/70 Series User’s Guide Chapter 16 Content Filtering Screens 278 Figure 131 Content Filter: Categories The following table describes the labels in this screen.
ZyWALL 5/35/70 Series User’s Guide 279 Chapter 16 Content Filtering Screens Unrated Web Pages Select Block to prevent users from accessing web pages that the external database content filtering has not categorized.
ZyWALL 5/35/70 Series User’s Guide Chapter 16 Content Filtering Screens 280 Alcohol/Tobacco Selecting this category excludes pages that promote or offer the sale of alcohol/tobacco products, or provide the means to create them. It also includes pages that glorify, tout, or otherwise encourage the consumption of alcohol/tobacco.
ZyWALL 5/35/70 Series User’s Guide 281 Chapter 16 Content Filtering Screens Education Selecting this category excludes pages that offer educational information, distance learning and trade school information or programs. It also includes pages that are sponsored by schools, educational facilities, faculty, or alumni groups.
ZyWALL 5/35/70 Series User’s Guide Chapter 16 Content Filtering Screens 282 News/Media Selecting this category excludes pages that primarily report information or comments on current events or contemporary issues of the day. It also includes radio stations and magazines.
ZyWALL 5/35/70 Series User’s Guide 283 Chapter 16 Content Filtering Screens Humor/Jokes Selecting this category excludes pages that primarily focus on comedy, jokes, fun, etc. This may include pages containing jokes of adult or mature nature. Pages containing humorous Adult/Mature content also have an Adult/Mature category rating.
ZyWALL 5/35/70 Series User’s Guide Chapter 16 Content Filtering Screens 284 16.5 Content Filter Customization Click SECURITY, CONTENT FILTER, then the Customization tab to display the CONTENT FILTER Customization screen. You can create a list of good (allowed) web site addresses and a list of bad (blocked) web site addresses.
ZyWALL 5/35/70 Series User’s Guide 285 Chapter 16 Content Filtering Screens The following table describes the labels in this screen. Table 91 Content Filter: Customization LABEL DESCRIPTION Web Site List Customization Enable Web site customization Select this check box to allow trusted web sites and block forbidden web sites.
ZyWALL 5/35/70 Series User’s Guide Chapter 16 Content Filtering Screens 286 16.6 Customizing Keyword Blocking URL Checking You can use commands to set how much of a website’s URL the content filter is to check for keyword blocking. See the appendices for information on how to access and use the command interpreter.
ZyWALL 5/35/70 Series User’s Guide 287 Chapter 16 Content Filtering Screens Use the ip urlfilter customize actionFlags 8 [disable | enable] command to extend (or not extend) the keyword blocking search to include the URL's complete filename.
ZyWALL 5/35/70 Series User’s Guide Chapter 16 Content Filtering Screens 288 The following table describes the labels in this screen. Table 92 Content Filter: Cache LABEL DESCRIPTION URL Cache Setup Maximum TTL Type the maximum time to live (TTL) (1 to 720 hours).
ZyWALL 5/35/70 Series User’s Guide Chapter 17 Content Filtering Reports 290 CHAPTER 17 Content Filtering Reports This chapter describes how to view content filtering reports after you have activated the category-based content filtering subscription service.
ZyWALL 5/35/70 Series User’s Guide 291 Chapter 17 Content Filtering Reports Figure 134 myZyXEL.com: Login 3 A welcome screen displays. Click your ZyWALL’s model name and/or MAC address under Registered ZyXEL Products.
ZyWALL 5/35/70 Series User’s Guide Chapter 17 Content Filtering Reports 292 Figure 136 myZyXEL.com: Service Management 5 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 136 on page 292).
ZyWALL 5/35/70 Series User’s Guide 293 Chapter 17 Content Filtering Reports Figure 138 Content Filtering Reports Main Screen 8 Select items under Global Reports or Single User Reports to view the corresponding reports.
ZyWALL 5/35/70 Series User’s Guide Chapter 17 Content Filtering Reports 294 Figure 140 Global Report Screen Example 11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.
ZyWALL 5/35/70 Series User’s Guide 295 Chapter 17 Content Filtering Reports Figure 141 Requested URLs Example 17.3 Web Site Submission You may find that a web site has not been accurately categorized or that a web site’s contents have changed and the content filtering category needs to be updated.
ZyWALL 5/35/70 Series User’s Guide Chapter 17 Content Filtering Reports 296 Figure 142 Web Page Review Process Screen 3 Type the web site’s URL in the field and click Submit to have the web site reviewed.
ZyWALL 5/35/70 Series User’s Guide Chapter 18 Introduction to IPSec 298 CHAPTER 18 Introduction to IPSec This chapter introduces the basics of IPSec VPNs. 18.1 VPN Overview A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines.
ZyWALL 5/35/70 Series User’s Guide 299 Chapter 18 Introduction to IPSec Figure 143 Encryption and Decryption 18.1.3.2 Data Confidentiality The IPSec sender can encrypt packets before transmitting them across a network.
ZyWALL 5/35/70 Series User’s Guide Chapter 18 Introduction to IPSec 300 18.2 IPSec Architecture The overall IPSec architecture is shown as follows.
ZyWALL 5/35/70 Series User’s Guide 301 Chapter 18 Introduction to IPSec Figure 145 Transport and Tunnel Mode IPSec Encapsulation 18.3.1 Transport Mode Transport mode is used to protect upper layer protocols and only affects the data in the IP packet.
ZyWALL 5/35/70 Series User’s Guide Chapter 18 Introduction to IPSec 302 NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet.
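The AH and NAT incompatibility described above can be reproduced with a small packet model. This is an added example, not code from the ZyXEL manual: it builds a simplified transport-mode AH packet and an ESP packet, then shows that a routed hop leaves the AH integrity check value (ICV) valid while a NAT source rewrite breaks it. The ESP contrast goes beyond the page's text; the key, addresses, SPIs and function names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"            # constructed sample integrity key
AH_PROTO, ESP_PROTO, TCP_PROTO = 51, 50, 6
ICV_LEN = 12                             # HMAC-SHA1-96 truncation


def checksum(header: bytes) -> int:
    """Internet checksum over an even-length IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def with_checksum(header: bytes) -> bytes:
    """Return the header with its checksum field recomputed."""
    blank = header[:10] + b"\x00\x00" + header[12:]
    return blank[:10] + struct.pack("!H", checksum(blank)) + blank[12:]


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header without options."""
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return with_checksum(raw)


def zero_mutable(header: bytes) -> bytes:
    """Zero the fields AH treats as mutable in transit: TOS, flags/offset, TTL, checksum."""
    b = bytearray(header)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)


def icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_build(src: str, dst: str, payload: bytes, spi: int = 0x1000, seq: int = 1) -> bytes:
    """IP header + AH header + payload; the ICV covers the IP addresses too."""
    ah_fixed = struct.pack("!BBHII", TCP_PROTO, 4, 0, spi, seq)   # 12 bytes before the ICV
    ip = ipv4_header(src, dst, AH_PROTO, len(ah_fixed) + ICV_LEN + len(payload))
    tag = icv(zero_mutable(ip) + ah_fixed + b"\x00" * ICV_LEN + payload)
    return ip + ah_fixed + tag + payload


def ah_verify(packet: bytes) -> bool:
    ip, ah_fixed, tag, payload = packet[:20], packet[20:32], packet[32:44], packet[44:]
    expected = icv(zero_mutable(ip) + ah_fixed + b"\x00" * ICV_LEN + payload)
    return hmac.compare_digest(tag, expected)


def esp_build(src: str, dst: str, ciphertext: bytes, spi: int = 0x2000, seq: int = 1) -> bytes:
    """IP header + ESP; the ICV covers only the ESP header and ciphertext."""
    esp = struct.pack("!II", spi, seq) + ciphertext   # ciphertext treated as opaque bytes
    ip = ipv4_header(src, dst, ESP_PROTO, len(esp) + ICV_LEN)
    return ip + esp + icv(esp)


def esp_verify(packet: bytes) -> bool:
    return hmac.compare_digest(packet[-ICV_LEN:], icv(packet[20:-ICV_LEN]))


def forward_hop(packet: bytes) -> bytes:
    """What an ordinary router does: decrement TTL and fix the checksum."""
    b = bytearray(packet[:20])
    b[8] -= 1
    return with_checksum(bytes(b)) + packet[20:]


def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """What a NAT router does: replace the source address and fix the checksum."""
    b = bytearray(packet[:20])
    b[12:16] = socket.inet_aton(new_src)
    return with_checksum(bytes(b)) + packet[20:]


if __name__ == "__main__":
    ah = ah_build("192.168.1.33", "203.0.113.20", b"constructed payload")
    esp = esp_build("192.168.1.33", "203.0.113.20", b"constructed ciphertext")
    print("AH after routed hop :", ah_verify(forward_hop(ah)))
    print("AH after NAT rewrite:", ah_verify(nat_rewrite_source(ah, "198.51.100.7")))
    print("ESP after NAT rewrite:", esp_verify(nat_rewrite_source(esp, "198.51.100.7")))
```

The receiver has no way to tell a NAT rewrite from tampering, so it drops the AH packet; that dropped-packet symptom is what to look for when an AH tunnel fails only on paths that cross a NAT device.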
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 304 CHAPTER 19 VPN Screens This chapter introduces the VPN Web Configurator. See Chapter 30 on page 468 for information on viewing logs and Appendix S on page 770 for IPSec log descriptions.
Table 94 ESP and AH ESP AH Encryption DES (default) Data Encryption Standard (DES) is a widely used method of data encryption using a secret key. DES applies a 56-bit key to each 64-bit block of data.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 306 If the remote secure gateway has a static WAN IP address, enter it in the Remote Gateway Address field. You may alternatively enter the remote secure gateway’s domain name (if it has one).
ZyWALL 5/35/70 Series User’s Guide 307 Chapter 19 VPN Screens Figure 146 NAT Router Between IPSec Routers Normally you cannot set up a VPN connection with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 308 between three encryption algorithms (DES, 3DES and AES), two authentication algorithms (MD5 and SHA1) and two key groups (DH1 and DH2) when you configure a VPN rule (see Section 19.12 on page 320).
ZyWALL 5/35/70 Series User’s Guide 309 Chapter 19 VPN Screens The two ZyWALLs in this example cannot complete their negotiation because ZyWALL B’s Local ID type is IP, but ZyWALL A’s Peer ID type is set to E-mail. An ID mismatched message displays in the IPSec log.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 310 • Choose an authentication algorithm. • Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2). • Set the IKE SA lifetime. This field allows you to determine how long an IKE SA should stay up before it times out.
ZyWALL 5/35/70 Series User’s Guide 311 Chapter 19 VPN Screens 19.8.3 Diffie-Hellman (DH) Key Groups Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 312 19.10 VPN Rules (IKE) Click VPN to display the VPN Rules (IKE) screen. This is a read-only menu of your IPSec rule (tunnel). To add an IPSec rule (or gateway policy), click the add gateway policy ( ) icon.
ZyWALL 5/35/70 Series User’s Guide 313 Chapter 19 VPN Screens Figure 149 Gateway and Network Policies This figure helps explain the main fields in the VPN setup. Figure 150 IPSec Fields Summary Note: Local and remote network IP addresses must be static.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 314 Note: The Recycle Bin gateway policy is a virtual placeholder for any network policy(ies) without an associated gateway policy. When there is a network policy in the Recycle Bin, the Recycle Bin gateway policy automatically displays in this screen.
ZyWALL 5/35/70 Series User’s Guide 315 Chapter 19 VPN Screens Figure 151 VPN Rules (IKE): Gateway Policy: Edit.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 316 The following table describes the labels in this screen. Table 101 VPN Rules (IKE): Gateway Policy: Edit LABEL DESCRIPTION Property Name Type up to 32 characters to identify this VPN gateway policy.
ZyWALL 5/35/70 Series User’s Guide 317 Chapter 19 VPN Screens Remote Gateway Address Type the WAN IP address or the domain name (up to 31 characters) of the IPSec router with which you're making the VPN connection. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 318 Peer ID Type Select from the following when you set Authentication Key to Pre-shared Key. • Select IP to identify the remote IPSec router by its IP address. • Select DNS to identify the remote IPSec router by a domain name.
ZyWALL 5/35/70 Series User’s Guide 319 Chapter 19 VPN Screens Server Mode Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 320 19.12 VPN Rules (IKE): Network Policy Edit Click VPN and the add network policy ( ) icon in the VPN Rules (IKE) screen to display the VPN-Network Policy-Edit screen. Use this screen to configure a network policy.
ZyWALL 5/35/70 Series User’s Guide 321 Chapter 19 VPN Screens Figure 152 VPN Rules (IKE): Network Policy Edit.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 322 The following table describes the labels in this screen. Table 102 VPN Rules (IKE): Network Policy Edit LABEL DESCRIPTION Active If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel.
ZyWALL 5/35/70 Series User’s Guide 323 Chapter 19 VPN Screens Starting IP Address When the Address Type field is configured to Single Address, enter a (static) IP address on the LAN behind your ZyWALL.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 324 19.13 VPN Rules (IKE): Network Policy Move Click the move ( ) icon in the VPN Rules (IKE) screen to display the VPN Rules (IKE): Network Policy Move screen. Use this screen to associate a network policy to a gateway rule.
ZyWALL 5/35/70 Series User’s Guide 325 Chapter 19 VPN Screens Figure 153 VPN Rules (IKE): Network Policy Move The following table describes the labels in this screen. Table 103 VPN Rules (IKE): Network Policy Move LABEL DESCRIPTION Network Policy Information The following fields display the general network settings of this VPN policy.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 326 You may want to configure a VPN rule that uses manual key management if you are having problems with IKE key management. Refer to Table 100 on page 313 for descriptions of the icons used in this screen.
ZyWALL 5/35/70 Series User’s Guide 327 Chapter 19 VPN Screens 19.15 VPN Rules (Manual): Edit Manual key management is useful if you have problems with IKE key management. 19.15.1 Security Parameter Index (SPI) An SPI is used to distinguish different SAs terminating at the same destination and using the same IPSec protocol.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 328 Figure 155 VPN Rules (Manual): Edit The following table describes the labels in this screen. Table 105 VPN Rules (Manual) Edit LABEL DESCRIPTION Property Active Select this check box to activate this VPN policy.
ZyWALL 5/35/70 Series User’s Guide 329 Chapter 19 VPN Screens Local Network Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 330 My ZyWALL When the ZyWALL is in router mode, enter the WAN IP address or the domain name of your ZyWALL or leave the field set to 0.0.0.0. For a ZyWALL with multiple WAN ports, the following applies if the My ZyWALL field is configured as 0.
ZyWALL 5/35/70 Series User’s Guide 331 Chapter 19 VPN Screens 19.16 VPN SA Monitor In the web configurator, click VPN and the SA Monitor tab. Use this screen to display and manage active VPN connections. A Security Association (SA) is the group of security settings related to a specific VPN tunnel.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 332 19.17 VPN Global Setting Click VPN, then the Global Setting tab to open the VPN Global Setting screen. Use this screen to change your ZyWALL’s global settings. Figure 157 VPN: Global Setting The following table describes the labels in this screen.
ZyWALL 5/35/70 Series User’s Guide 333 Chapter 19 VPN Screens 19.18 Telecommuter VPN/IPSec Examples The following examples show how multiple telecommuters can make VPN connections to a single ZyWALL at headquarters. The telecommuters use IPSec routers with dynamic WAN IP addresses.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 334 Figure 158 Telecommuters Sharing One VPN Rule Example Table 108 Telecommuters Sharing One VPN Rule Example FIELDS TELECOMMUTERS HEADQUARTERS My ZyWALL: 0.0.0.0 (dynamic IP address assigned by the ISP) Public static IP address Remote Gateway Address: Public static IP address 0.
ZyWALL 5/35/70 Series User’s Guide 335 Chapter 19 VPN Screens Figure 159 Telecommuters Using Unique VPN Rules Example Table 109 Telecommuters Using Unique VPN Rules Example TELECOMMUTERS HEADQUARTERS All Telecommuter Rules: All Headquarters Rules: My ZyWALL 0.
ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 336 19.19 VPN and Remote Management If a VPN tunnel uses Telnet, FTP, WWW, SNMP, DNS or ICMP, then you should configure remote management (REMOTE MGMT) to allow access for that service.
ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 338 CHAPTER 20 Certificates This chapter gives background information about public-key certificates and explains how to use them. 20.1 Certificates Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users.
ZyWALL 5/35/70 Series User’s Guide 339 Chapter 20 Certificates Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List).
ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 340 20.4 My Certificates Click SECURITY, CERTIFICATES, My Certificates to open the My Certificates screen. This is the ZyWALL’s summary list of certificates and certification requests.
ZyWALL 5/35/70 Series User’s Guide 341 Chapter 20 Certificates Type This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate.
ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 342 20.5 My Certificate Import Click SECURITY, CERTIFICATES, My Certificates and then Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the ZyWALL.
ZyWALL 5/35/70 Series User’s Guide 343 Chapter 20 Certificates Figure 162 My Certificate Import The following table describes the labels in this screen. Table 111 My Certificate Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it.
ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 344 Figure 163 My Certificate Create The following table describes the labels in this screen. Table 112 My Certificate Create LABEL DESCRIPTION Certificate Name Type up to 31 ASCII characters (not including spaces) to identify this certificate.
ZyWALL 5/35/70 Series User’s Guide 345 Chapter 20 Certificates Country Type up to 127 characters to identify the nation where the certificate owner is located. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 346 After you click Apply in the My Certificate Create screen, you see a screen that tells you the ZyWALL is generating the self-signed certificate or certification request.
ZyWALL 5/35/70 Series User’s Guide 347 Chapter 20 Certificates Figure 164 My Certificate Details.
ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 348 The following table describes the labels in this screen. Table 113 My Certificate Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate.
ZyWALL 5/35/70 Series User’s Guide 349 Chapter 20 Certificates 20.8 Trusted CAs Click SECURITY, CERTIFICATES, Trusted CAs to open the Trusted CAs screen. This screen displays a summary list of certificates of the certification authorities that you have set the ZyWALL to accept as trusted.
ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 350 Figure 165 Trusted CAs The following table describes the labels in this screen. Table 114 Trusted CAs LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
ZyWALL 5/35/70 Series User’s Guide 351 Chapter 20 Certificates 20.9 Trusted CA Import Click SECURITY, CERTIFICATES, Trusted CAs to open the Trusted CAs screen and then click Import to open the Trusted CA Import screen.
ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 352 The following table describes the labels in this screen. Table 115 Trusted CA Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it.
ZyWALL 5/35/70 Series User’s Guide 353 Chapter 20 Certificates Figure 167 Trusted CA Details The following table describes the labels in this screen. Table 116 Trusted CA Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate.
ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 354 Certification Path Click the Refresh button to have this read-only text box display the end entity’s certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity’s certificate.
ZyWALL 5/35/70 Series User’s Guide 355 Chapter 20 Certificates 20.11 Trusted Remote Hosts Click SECURITY, CERTIFICATES, Trusted Remote Hosts to open the Trusted Remote Hosts screen.
ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 356 Figure 168 Trusted Remote Hosts The following table describes the labels in this screen. Table 117 Trusted Remote Hosts LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
ZyWALL 5/35/70 Series User’s Guide 357 Chapter 20 Certificates 20.12 Verifying a Trusted Remote Host’s Certificate Certificates issued by certification authorities have the certification authority’s signature for you to check. Self-signed certificates only have the signature of the host itself.
ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 358 Figure 170 Certificate Details Verify (over the phone for example) that the remote host has the same information in the Thumbprint Algorithm and Thumbprint fields.
ZyWALL 5/35/70 Series User’s Guide 359 Chapter 20 Certificates Figure 171 Trusted Remote Host Import The following table describes the labels in this screen. Table 118 Trusted Remote Host Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it.
ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 360 Figure 172 Trusted Remote Host Details The following table describes the labels in this screen. Table 119 Trusted Remote Host Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate.
ZyWALL 5/35/70 Series User’s Guide 361 Chapter 20 Certificates Certificate Information These read-only fields display detailed information about the certificate. Type This field displays general information about the certificate. With trusted remote host certificates, this field always displays CA-signed.
ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 362 20.15 Directory Servers Click SECURITY, CERTIFICATES, Directory Servers to open the Directory Servers screen. This screen displays a summary list of directory servers (that contain lists of valid and revoked certificates) that have been saved into the ZyWALL.
ZyWALL 5/35/70 Series User’s Guide 363 Chapter 20 Certificates The following table describes the labels in this screen. Table 120 Directory Servers LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 364 The following table describes the labels in this screen. Table 121 Directory Server Add LABEL DESCRIPTION Directory Service Setting Name Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server.
ZyWALL 5/35/70 Series User’s Guide Chapter 21 Authentication Server 366 CHAPTER 21 Authentication Server This chapter discusses how to configure the ZyWALL’s authentication server feature.
ZyWALL 5/35/70 Series User’s Guide 367 Chapter 21 Authentication Server Figure 175 Local User Database.
ZyWALL 5/35/70 Series User’s Guide Chapter 21 Authentication Server 368 The following table describes the labels in this screen. Table 122 Local User Database LABEL DESCRIPTION Active Select this check box to enable the user profile. User Name Enter the user name of the user profile.
ZyWALL 5/35/70 Series User’s Guide 369 Chapter 21 Authentication Server The following table describes the labels in this screen. Table 123 RADIUS LABEL DESCRIPTION Authentication Server Active Select the check box to enable user authentication through an external authentication server.
ZyWALL 5/35/70 Series User’s Guide Chapter 22 Network Address Translation (NAT) 370 CHAPTER 22 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 22.1 NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet.
ZyWALL 5/35/70 Series User’s Guide 371 Chapter 22 Network Address Translation (NAT) 22.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side.
ZyWALL 5/35/70 Series User’s Guide Chapter 22 Network Address Translation (NAT) 372 Figure 177 How NAT Works 22.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks.
ZyWALL 5/35/70 Series User’s Guide 373 Chapter 22 Network Address Translation (NAT) 22.1.5 Port Restricted Cone NAT At the time of writing ZyWALL ZyNOS version 4.00 uses port restricted cone NAT. Port restricted cone NAT maps all outgoing packets from an internal IP address and port to a single IP address and port on the external network.
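The mapping and filtering behaviour of port restricted cone NAT can be modelled in a few lines. This is an added example, not ZyNOS code: the inbound filtering rule is the standard definition of port restricted cone NAT (RFC 3489) rather than text from this page, the two other cone modes are included only for contrast, and the class name, addresses and ports are constructed.

```python
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)


class ConeNAT:
    """Toy cone NAT model (hypothetical helper for illustration)."""

    MODES = ("full", "address-restricted", "port-restricted")

    def __init__(self, public_ip: str, mode: str = "port-restricted",
                 first_port: int = 40000) -> None:
        if mode not in self.MODES:
            raise ValueError("unknown mode: %r" % mode)
        self.public_ip = public_ip
        self.mode = mode
        self._next_port = first_port
        self._out: Dict[Endpoint, int] = {}          # internal endpoint -> public port
        self._in: Dict[int, Endpoint] = {}           # public port -> internal endpoint
        self._contacted: Dict[int, Set[Endpoint]] = {}  # public port -> remotes sent to

    def outbound(self, internal: Endpoint, remote: Endpoint) -> Endpoint:
        """Translate an outgoing packet; one mapping per internal endpoint (the 'cone')."""
        port = self._out.get(internal)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self._out[internal] = port
            self._in[port] = internal
            self._contacted[port] = set()
        self._contacted[port].add(remote)
        return (self.public_ip, port)

    def inbound(self, remote: Endpoint, public_port: int) -> Optional[Endpoint]:
        """Return the internal endpoint an incoming packet is forwarded to, or None if dropped."""
        internal = self._in.get(public_port)
        if internal is None:
            return None                       # no mapping exists for this port
        contacted = self._contacted[public_port]
        if self.mode == "full":
            allowed = True                    # any remote may use the mapping
        elif self.mode == "address-restricted":
            allowed = any(ip == remote[0] for ip, _ in contacted)
        else:                                 # port-restricted: exact IP and port
            allowed = remote in contacted
        return internal if allowed else None


def compare_modes() -> Dict[str, Dict[str, bool]]:
    """For each mode, report which constructed inbound probes reach the LAN host."""
    client = ("192.168.1.33", 5060)           # constructed LAN host
    server = ("198.51.100.10", 5060)          # constructed remote the client contacted
    probes = {
        "same host, same port": server,
        "same host, other port": ("198.51.100.10", 9999),
        "other host": ("192.0.2.77", 5060),
    }
    results = {}
    for mode in ConeNAT.MODES:
        nat = ConeNAT("203.0.113.5", mode)
        _, port = nat.outbound(client, server)
        results[mode] = {name: nat.inbound(src, port) is not None
                         for name, src in probes.items()}
    return results


if __name__ == "__main__":
    for mode, outcome in compare_modes().items():
        print(mode, outcome)
```

In port-restricted mode only the exact remote address and port that the LAN host already contacted gets a reply through, which is why unsolicited traffic from any other source is dropped without a firewall rule being involved.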
• Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world, although it is highly recommended that you use the DMZ port for these servers instead.
22.3 NAT Overview
Click ADVANCED, NAT to open the NAT Overview screen. Not all fields are available on all models.
Figure 180 NAT Overview
The following table describes the labels in this screen.
22.4 NAT Address Mapping
Ordering your rules is important because the ZyWALL applies the rules in the order that you specify. When a rule matches the current packet, the ZyWALL takes the corresponding action and the remaining rules are ignored.
Figure 181 NAT Address Mapping
The following table describes the labels in this screen.
Table 127 NAT Address Mapping
LABEL | DESCRIPTION
SUA Address Mapping Rules | This read-only table displays the default address mapping rules.
22.4.1 NAT Address Mapping Edit
Click the Edit button to display the NAT Address Mapping Edit screen.
The following table describes the labels in this screen.
Table 128 NAT Address Mapping Edit
LABEL | DESCRIPTION
Type | Choose the port mapping type from one of the following.
22.5.1 Default Server IP Address
In addition to the servers for specified services, NAT supports a default server IP address. A default server receives packets from ports that are not specified in this screen.
Figure 183 Multiple Servers Behind NAT Example
22.5.4 NAT and Multiple WAN
The ZyWALL has two WAN ports. You can configure port forwarding and trigger port rule sets for the first WAN port and separate sets of rules for the second WAN port.
Figure 184 Port Translation Example
22.6 Port Forwarding
Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.
Figure 185 Port Forwarding
The following table describes the labels in this screen.
Table 130 Port Forwarding
LABEL | DESCRIPTION
WAN Interface | Select the WAN port for which you want to view or configure address mapping rules.
22.7 Port Triggering
Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side.
4 The ZyWALL forwards the traffic to Jane’s computer IP address.
Trigger | The trigger port is a port (or a range of ports) that causes (or triggers) the ZyWALL to record the IP address of the LAN computer that sent the traffic to a server on the WAN.
CHAPTER 23 Static Route
This chapter shows you how to configure static routes for your ZyWALL.
23.1 IP Static Route
Each remote node specifies only the network to which the gateway is directly connected, and the ZyWALL has no knowledge of the networks beyond.
Note: The default route is disabled after you change the static WAN IP address to a dynamic WAN IP address.
Figure 189 IP Static Route
The following table describes the labels in this screen.
23.2.1 IP Static Route Edit
Select a static route index number and click Edit. The screen shown next appears. Use this screen to configure the required information for a static route.
Gateway IP Address | Enter the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations.
CHAPTER 24 Policy Route
This chapter covers setting and applying policies used for IP routing.
IPPR follows the existing packet filtering facility of RAS in style and in implementation.
24.4 IP Routing Policy Setup
Click ADVANCED, POLICY ROUTE to open the Policy Route Summary screen (some of the screen’s blank rows are not shown).
The following table describes the labels in this screen.
Table 134 Policy Route Summary
LABEL | DESCRIPTION
# | This is the number of an individual policy route.
Active | This field shows whether the policy is active or inactive.
Figure 192 Edit IP Policy Route
The following table describes the labels in this screen.
Table 135 Edit IP Policy Route
LABEL | DESCRIPTION
Criteria
Active | Select the check box to activate the policy.
Packet Length | Type a length of packet (in bytes). The operators in the Len Compare field apply to incoming packets of this length.
Length Comparison | Choose from Equal, Not Equal, Less, Greater, Less or Equal or Greater or Equal.
CHAPTER 25 Bandwidth Management
This chapter describes the functions and configuration of bandwidth management with multiple levels of sub-classes.
25.3 Proportional Bandwidth Allocation
Bandwidth management allows you to define how much bandwidth each class gets; however, the actual bandwidth allotted to each class decreases or increases in proportion to actual available bandwidth.
25.6 Application and Subnet-based Bandwidth Management
You could also create bandwidth classes based on a combination of a subnet and an application. The following example table shows bandwidth allocations for application specific traffic from separate LAN subnets.
When you enable maximize bandwidth usage, the ZyWALL first makes sure that each bandwidth class gets up to its bandwidth allotment.
25.7.5.1 Priority-based Allotment of Unused and Unbudgeted Bandwidth
The following table shows the priorities of the bandwidth classes and the amount of bandwidth that each class gets.
25.8 Bandwidth Borrowing
Bandwidth borrowing allows a sub-class to borrow unused bandwidth from its parent class, whereas maximize bandwidth usage allows bandwidth classes to borrow any unused or unbudgeted bandwidth on the whole interface.
• The Bill class cannot borrow unused bandwidth from the Root class because the Sales class has bandwidth borrowing disabled.
• The Amy class cannot borrow unused bandwidth from the Sales USA class because the Amy class has bandwidth borrowing disabled.
Figure 194 Bandwidth Management: Summary
The following table describes the labels in this screen.
Table 141 Bandwidth Management: Summary
LABEL | DESCRIPTION
Class | These read-only labels represent the physical interfaces.
25.11 Configuring Class Setup
The Class Setup screen displays the configured bandwidth classes by individual interface. Select an interface and click the buttons to perform the actions described next.
25.11.1 Bandwidth Manager Class Configuration
Configure a bandwidth management class in the Class Setup screen. You must use the Summary screen to enable bandwidth management on an interface before you can configure classes for that interface.
Figure 196 Bandwidth Management: Edit Class
The following table describes the labels in this screen.
Enable Bandwidth Filter | Select Enable Bandwidth Filter to have the ZyWALL use this bandwidth filter when it performs bandwidth management.
25.11.2 Bandwidth Management Statistics
Use the Bandwidth Management Statistics screen to view network performance information. Click the Statistics button in the Class Setup screen to open the Statistics screen.
Figure 197 Bandwidth Management: Statistics
The following table describes the labels in this screen.
Table 145 Bandwidth Management: Statistics
LABEL | DESCRIPTION
Class Name | This field displays the name of the class the statistics page is showing.
Figure 198 Bandwidth Management: Monitor
The following table describes the labels in this screen.
Table 146 Bandwidth Management: Monitor
LABEL | DESCRIPTION
Interface | Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes.
CHAPTER 26 DNS
This chapter shows you how to configure the DNS screens.
26.1 DNS Overview
DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa.
26.4 Address Record
An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain.
Figure 199 Private DNS Server Example
Note: If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network.
Figure 200 System DNS
The following table describes the labels in this screen.
Table 147 System DNS
LABEL | DESCRIPTION
Address Record | An address record specifies the mapping of a fully qualified domain name (FQDN) to an IP address.
26.6.1 Adding an Address Record
Click Add in the System screen to add an address record.
Figure 201 System DNS: Add Address Record
Name Server Record | A name server record contains a DNS server’s IP address.
The following table describes the labels in this screen.
Table 148 System DNS: Add Address Record
LABEL | DESCRIPTION
FQDN | Type a fully qualified domain name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top-level domain name.
The following table describes the labels in this screen.
Table 149 System DNS: Insert Name Server Record
LABEL | DESCRIPTION
Domain Zone | This field is optional. A domain zone is a fully qualified domain name without the host.
26.8 Configure DNS Cache
To configure your ZyWALL’s DNS caching, click ADVANCED, DNS, then the Cache tab. The screen appears as shown.
Figure 203 DNS Cache
The following table describes the labels in this screen.
26.9 Configuring DNS DHCP
Click ADVANCED, DNS and then the DHCP tab to open the DNS DHCP screen shown next. Use this screen to configure the DNS server information that the ZyWALL sends to its LAN, DMZ or WLAN DHCP clients.
Figure 204 DNS DHCP
The following table describes the labels in this screen.
Table 151 DNS DHCP
LABEL | DESCRIPTION
DNS Servers Assigned by DHCP Server | The ZyWALL passes a DNS (Domain Name System) server IP address to the DHCP clients.
26.10 Dynamic DNS
Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.
Figure 205 DDNS
The following table describes the labels in this screen.
Table 152 DDNS
LABEL | DESCRIPTION
Account Setup
Active | Select this check box to use dynamic DNS.
Service Provider | This is the name of your Dynamic DNS service provider.
WAN Interface | Select the WAN port to use for updating the IP address of the domain name.
IP Address Update Policy | Select Use WAN IP Address to have the ZyWALL update the domain name with the WAN port's IP address.
CHAPTER 27 Remote Management
This chapter provides information on the Remote Management screens.
27.1 Remote Management Overview
Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers.
1 A filter in SMT menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service.
2 You have disabled that service in one of the remote management screens.
Figure 206 HTTPS Implementation
Note: If you disable HTTP Server Access (Disable) in the REMOTE MGMT WWW screen, then the ZyWALL blocks all HTTP connection attempts.
27.3 WWW
Click ADVANCED, REMOTE MGMT to open the WWW screen.
Figure 207 WWW
The following table describes the labels in this screen.
Table 153 WWW
LABEL | DESCRIPTION
HTTPS
Server Certificate | Select the Server Certificate that the ZyWALL will use to identify itself.
27.4 HTTPS Example
If you haven’t changed the default HTTPS port on the ZyWALL, then in your browser enter “https://ZyWALL IP Address/” as the web site address where “ZyWALL IP Address” is the IP address or domain name of the ZyWALL you wish to access.
27.4.2 Netscape Navigator Warning Messages
When you attempt to access the ZyWALL HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate.
27.4.3 Avoiding the Browser Warning Messages
The following describes the main reasons that your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnings.
Figure 211 Login Screen (Internet Explorer)
Figure 212 Login Screen (Netscape)
Click Login and you then see the next screen. The factory default certificate is a common default certificate for all ZyWALL models.
Figure 213 Replace Certificate
Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. Click CERTIFICATES to open the My Certificates screen.
Figure 215 Common ZyWALL Certificate
27.5 SSH
Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a.
Figure 217 How SSH Works
1 Host Identification
The SSH client sends a connection request to the SSH server.
27.7.1 Requirements for Using SSH
You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the ZyWALL over SSH.
27.9 Secure Telnet Using SSH Examples
This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the ZyWALL. The configuration and connection steps are similar for most SSH client programs.
Figure 220 SSH Example 2: Test
$ telnet 192.168.1.1 22
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
SSH-1.5-1.0.0
2 Enter “ssh -1 192.
Figure 222 Secure FTP: Firmware Upload Example
$ sftp -1 192.168.1.1
Connecting to 192.168.1.1...
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
Figure 224 Telnet
The following table describes the labels in this screen.
Table 155 Telnet
LABEL | DESCRIPTION
Server Port.
Figure 225 FTP
The following table describes the labels in this screen.
Table 156 FTP
LABEL | DESCRIPTION
Server Port | You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
Figure 226 SNMP Management Model
An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL).
27.14.1 Supported MIBs
The ZyWALL supports MIB II that is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.
Figure 227 SNMP
The following table describes the labels in this screen.
Table 158 SNMP
LABEL | DESCRIPTION
SNMP Configuration
Get Community | Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station.
27.15 DNS
Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. Refer to Chapter 7 on page 126 for more information. Click ADVANCED, REMOTE MGMT and then the DNS tab to change your ZyWALL’s DNS settings.
If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not do any configurations directly to the ZyWALL (using either the web configurator, SMT menus or commands) without notifying the Vantage CNM administrator.
Last Registration Time | This field displays the last date (year-month-date) and time (hours-minutes-seconds) that the ZyWALL registered with the Vantage CNM server. It displays all zeroes if it has not yet registered with the Vantage CNM server.
CHAPTER 28 UPnP
This chapter introduces the Universal Plug and Play feature. This chapter is only applicable when the ZyWALL is in router mode.
All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention.
28.1.4 UPnP and ZyXEL
ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum Creates UPnP™ Implementers Corp.
28.3 Displaying UPnP Port Mapping
Click UPnP and then Ports to display the UPnP Ports screen. Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL. Not all fields are available on all models.
The following table describes the labels in this screen.
Table 162 UPnP Ports
LABEL | DESCRIPTION
Reserve UPnP NAT rules in flash after system bootup | Select this check box to have the ZyWALL retain UPnP created NAT rules even after restarting.
28.4.1 Installing UPnP in Windows Me
Follow the steps below to install UPnP in Windows Me.
1 Click Start, Settings and Control Panel. Double-click Add/Remove Programs.
2 Click on the Windows Setup tab and select Communication in the Components selection box.
28.4.2 Installing UPnP in Windows XP
Follow the steps below to install UPnP in Windows XP.
1 Click Start, Settings and Control Panel.
28.5.1 Auto-discover Your UPnP-enabled Network Device
1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.
2 Right-click the icon and select Properties.
Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
4 Select the Show icon in notification area when connected check box and click OK.
Follow the steps below to access the web configurator.
1 Click Start and then Control Panel.
2 Double-click Network Connections.
3 Select My Network Places under Other Places.
4 An icon with the description for each UPnP-enabled device displays under Local Network.
6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.
CHAPTER 29 ALG Screen
This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to pass through the ZyWALL.
If the primary WAN connection fails, the client needs to re-initialize the connection through the secondary WAN port to have the connection go through the secondary WAN port.
Figure 232 H.323 ALG Example
Signaling session over TCP port 1720
Audio session using RTP
• With multiple WAN IP addresses on the Z.
Figure 234 H.323 Calls from the WAN with Multiple Outgoing Calls
• The H.323 ALG operates on TCP packets with a port 1720 destination.
• The ZyWALL allows H.323 audio connections.
The following example shows SIP signaling and audio sessions between SIP clients A and B and the SIP server (1).
Figure 235 SIP ALG Example
Signaling session over UDP port 5060
Audio session using RTP
29.
Figure 236 ALG
The following table describes the labels in this screen.
Table 163 ALG
LABEL | DESCRIPTION
Enable FTP ALG | Select this check box to allow FTP sessions to pass through the ZyWALL.
CHAPTER 30 Logs Screens
This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to Appendix S on page 770 for example log message explanations.
The following table describes the labels in this screen.
Table 164 View Log
LABEL | DESCRIPTION
Display | The categories that you select in the Log Settings page (see Section 30.3 on page 471) display in the drop-down list box.
30.2.1 Certificate Not Trusted Log Note
myZyXEL.com and the update server use certificates signed by VeriSign to identify themselves. If the ZyWALL does not have a CA certificate signed by VeriSign as a trusted CA, the ZyWALL will not trust the certificate from myZyXEL.
Figure 239 myZyXEL.com: Certificate Download
30.3 Configuring Log Settings
To change your ZyWALL’s log settings, click LOGS, then the Log Settings tab. The screen appears as shown.
Figure 240 Log Settings.
The following table describes the labels in this screen.
Table 166 Log Settings
LABEL | DESCRIPTION
E-mail Log Settings
Mail Server | Enter the server name or the IP address of the mail server for the e-mail addresses specified below.
30.4 Configuring Reports
The Reports page displays which computers on the LAN send and receive the most traffic, what kinds of traffic are used the most and which web sites are visited the most often.
Figure 241 Reports
Note: Enabling the ZyWALL’s reporting function decreases the overall throughput by about 1 Mbps.
30.4.1 Viewing Web Site Hits
In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the ZyWALL record and display which web sites have been visited the most often and how many times they have been visited.
Figure 243 Protocol/Port Report Example
The following table describes the labels in this screen.
Table 169 Protocol/Port Report
LABEL | DESCRIPTION
Protocol/Port | This column lists the protocols or service ports for which the most traffic has gone through the ZyWALL.
30.4.3 Viewing Host IP Address
In the Reports screen, select Host IP Address from the Report Type drop-down list box to have the ZyW.
30.4.4 Reports Specifications
The following table lists detailed specifications on the reports feature.
Table 171 Report Specifications
LABEL | DESCRIPTION
Number of web sites/protocols or ports/IP addresses listed: | 20
Hit count limit: | Up to 2^32 hits can be counted per web site.
CHAPTER 31 Maintenance
This chapter displays information on the maintenance screens.
31.1 Maintenance Overview
The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL.
Figure 245 General Setup
The following table describes the labels in this screen.
Table 172 General Setup
LABEL | DESCRIPTION
General Setup
System Name | Choose a descriptive name for identification purposes.
Figure 246 Password Setup
The following table describes the labels in this screen.
Table 173 Password Setup
LABEL | DESCRIPTION
Old Password | Type the default password or the existing password you use to access the system in this field.
Figure 247 Time and Date
The following table describes the labels in this screen.
Table 174 Time and Date
LABEL | DESCRIPTION
Current Time and Date
Current Time | This field displays the ZyWALL’s present time.
Get from Time Server | Select this radio button to have the ZyWALL get the time and date from the time server you specified below.
Time Protocol | Select the time service protocol that your time server uses.
31.5 Pre-defined NTP Time Servers List
When you turn on the ZyWALL for the first time, the date and time start at 2000-01-01 00:00:00. The ZyWALL then attempts to synchronize with one of the following pre-defined list of NTP time servers.
When the System Time and Date Synchronization in Process screen appears, wait up to one minute.
Figure 248 Synchronization in Process
Click the Return button to go back to the Time and Date screen after the time and date is updated successfully.
31.6 Introduction To Transparent Bridging
A transparent bridge is invisible to the operation of a network in that it does not modify the frames it forwards. The bridge checks the source address of incoming frames on the port and learns MAC addresses to associate with that port.
3 As a transparent bridge does not modify the frames it forwards, it is effectively “stealth” as it is invisible to attackers. Bridging devices are most useful in complex environments that require a rapid or new firewall deployment.
31.9 Configuring Device Mode (Bridge)
To configure and have your ZyWALL work as a router or a bridge, click MAINTENANCE, then the Device Mode tab. The following applies when the ZyWALL is in bridge mode.
31.10 F/W Upload Screen
Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, "zywall.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes.
Figure 253 Firmware Upload
The following table describes the labels in this screen.
Table 179 Firmware Upload
LABEL | DESCRIPTION
File Path | Type in the location of the file you want to upload in this field or click Browse.
Figure 255 Network Temporarily Disconnected
After two minutes, log in again and check your new firmware version in the HOME screen. If the upload was not successful, the following screen will appear.
Figure 257 Backup and Restore
31.11.1 Backup Configuration
Backup Configuration allows you to back up (save) the ZyWALL’s current configuration to a file on your computer.
ZyWALL 5/35/70 Series User’s Guide Chapter 31 Maintenance 494 Note: Do not turn of f the ZyW ALL while configuration file upload is in progress. After you see a “restore configuration successf ul” scree n, you must then wait one minute before logging into the ZyW ALL again.
ZyWALL 5/35/70 Series User’s Guide 495 Chapter 31 Maintenance 31.1 1.3 Back to Factory Default s Pressing the Reset button in this section clears al l user-e ntered configuration information and returns the ZyW ALL to its factory defaults as shown on the screen.
ZyWALL 5/35/70 Series User’s Guide Chapter 32 Introducing the SMT 496 CHAPTER 32 Introducing the SMT This chapter explains how to access the System Management Terminal and gives an overview of its menus.
ZyWALL 5/35/70 Series User’s Guide 497 Chapter 32 Introducing the SMT Figure 263 Initial Screen Copyright (c) 1994 - 2004 ZyXEL Communications Corp.
ZyWALL 5/35/70 Series User’s Guide Chapter 32 Introducing the SMT 498 32.3.1 Main Menu After you enter the password, the SMT displays the ZyWALL Main Menu, as shown next. This guide uses the ZyWALL 70 menus as an example. The menus may vary slightly for different ZyWALL models.
ZyWALL 5/35/70 Series User’s Guide 499 Chapter 32 Introducing the SMT Figure 265 Main Menu (Router Mode) Copyright (c) 1994 - 2005 ZyXEL Communications Corp. ZyWALL 70 Main Menu Getting Started Advanced Management 1. General Setup 21. Filter and Firewall Setup 2.
ZyWALL 5/35/70 Series User’s Guide Chapter 32 Introducing the SMT 500 32.3.2 SMT Menus Overview The following table gives you an overview of your ZyWALL’s various SMT menus. 3 LAN Setup Use this menu to apply LAN filters, configure LAN DHCP and TCP/IP settings.
ZyWALL 5/35/70 Series User’s Guide 501 Chapter 32 Introducing the SMT 6 Route Setup (for the ZyWALL 35 and the ZyWALL 70) 6.1 Route Assessment 6.2 Traffic Redirect 6.3 Route Failover 7 Wireless Setup 7.1 Wireless Setup 7.1.1 WLAN MAC Address Filter 7.
ZyWALL 5/35/70 Series User’s Guide Chapter 32 Introducing the SMT 502 32.4 Changing the System Password Change the system password by following the steps shown next. 1 Enter 23 in the main menu to open Menu 23 - System Password as shown next. 24 System Maintenance 24.
ZyWALL 5/35/70 Series User’s Guide 503 Chapter 32 Introducing the SMT Figure 267 Menu 23: System Password Menu 23 - System Password Old Password= ? New Password= ? Retype to confirm = ? Enter here to CONFIRM or ESC to CANCEL: 2 Type your existing password and press [ENTER].
ZyWALL 5/35/70 Series User’s Guide Chapter 33 SMT Menu 1 - General Setup 504 CHAPTER 33 SMT Menu 1 - General Setup Menu 1 - General Setup contains administrative and system-related information. 33.1 Introduction to General Setup Menu 1 - General Setup contains administrative and system-related information.
ZyWALL 5/35/70 Series User’s Guide 505 Chapter 33 SMT Menu 1 - General Setup Figure 269 Menu 1: General Setup (Bridge Mode) Menu 1 - General Setup System Name= Domain Name= Device Mode= Bridge Mode IP Address= 192.168.1.1 Network Mask= 255.255.255.
ZyWALL 5/35/70 Series User’s Guide Chapter 33 SMT Menu 1 - General Setup 506 33.2.1 Configuring Dynamic DNS To configure Dynamic DNS, set the ZyWALL to router mode in menu 1 or in the MAINTENANCE Device Mode screen and go to Menu 1 - General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field.
ZyWALL 5/35/70 Series User’s Guide 507 Chapter 33 SMT Menu 1 - General Setup Figure 271 Menu 1.1.1: Menu 1.1.1 DDNS Host Summary # Summary --- - --------------------- ----------------------------.
ZyWALL 5/35/70 Series User’s Guide Chapter 33 SMT Menu 1 - General Setup 508 Figure 272 Menu 1.1.1: Menu 1.1.1 - DDNS Edit Host Hostname= ZyWALL DDNS Type= DynamicDNS Enable Wildcard Option= Yes En.
ZyWALL 5/35/70 Series User’s Guide 509 Chapter 33 SMT Menu 1 - General Setup The IP address updates when you reconfigure menu 1 or perform DHCP client renewal. IP Address Update Policy: You can select Yes in either the Let DDNS Server Auto Detect field (recommended) or the Use User-Defined field, but not both.
ZyWALL 5/35/70 Series User’s Guide Chapter 34 WAN and Dial Backup Setup 510 CHAPTER 34 WAN and Dial Backup Setup This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.
ZyWALL 5/35/70 Series User’s Guide 511 Chapter 34 WAN and Dial Backup Setup The following table describes the fields in this screen. Table 189 MAC Address Cloning in WAN Setup FIELD DESCRIPTION (WAN 1/2) MAC Address Assigned By Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC Address.
ZyWALL 5/35/70 Series User’s Guide Chapter 34 WAN and Dial Backup Setup 512 Figure 274 Menu 2: Dial Backup Setup Menu 2 - WAN Setup WAN 1 MAC Address: Assigned By= Factory default IP Address= N/A.
ZyWALL 5/35/70 Series User’s Guide 513 Chapter 34 WAN and Dial Backup Setup To edit the advanced setup for the Dial Backup port, move the cursor to the Edit Advanced Setup field in Menu 2 - WAN Setup, press the [SPACE BAR] to select Yes and then press [ENTER].
Table 192 Advanced WAN Port Setup: Call Control Parameters FIELD DESCRIPTION Call Control Dial Timeout (sec) Enter a number of seconds for the ZyWALL to keep trying to set up an outgoing call before timing out (stopping). The ZyWALL times out and stops if it cannot set up an outgoing call within the timeout value.
ZyWALL 5/35/70 Series User’s Guide 515 Chapter 34 WAN and Dial Backup Setup Figure 276 Menu 11.3: Remote Node Profile (Backup ISP) Menu 11.3 - Remote Node Profile (Backup ISP) Rem Node Name= Edit.
ZyWALL 5/35/70 Series User’s Guide Chapter 34 WAN and Dial Backup Setup 516 34.7 Editing PPP Options The ZyWALL’s dial back-up feature uses PPP. To edit the remote node PPP Options, move the cursor to the Edit PPP Options field in Menu 11.
ZyWALL 5/35/70 Series User’s Guide 517 Chapter 34 WAN and Dial Backup Setup Figure 277 Menu 11.3.1: Remote Node PPP Options Menu 11.3.1 - Remote Node PPP Options Encapsulation= Standard PPP Compre.
ZyWALL 5/35/70 Series User’s Guide Chapter 34 WAN and Dial Backup Setup 518 Figure 278 Menu 11.3.2: Remote Node Network Layer Options Menu 11.3.2 - Remote Node Network Layer Options IP Address Assignment= Static Rem IP Addr= 0.0.0.0 Rem Subnet Mask= 0 .
ZyWALL 5/35/70 Series User’s Guide 519 Chapter 34 WAN and Dial Backup Setup 34.9 Editing Login Script For some remote gateways, text login is required before PPP negotiation is started.
ZyWALL 5/35/70 Series User’s Guide Chapter 34 WAN and Dial Backup Setup 520 You can use two variables, $USERNAME and $PASSWORD (all UPPER case), to represent the actual user name and password in the script, so they will not show in the clear.
ZyWALL 5/35/70 Series User’s Guide 521 Chapter 34 WAN and Dial Backup Setup The following table describes the fields in this menu. Table 196 Menu 11.3.3: Remote Node Script FIELD DESCRIPTION Active Press [SPACE BAR] and then [ENTER] to select either Yes to enable the AT strings or No to disable them.
ZyWALL 5/35/70 Series User’s Guide Chapter 35 LAN Setup 522 CHAPTER 35 LAN Setup This chapter describes how to configure the LAN using Menu 3 - LAN Setup. 35.1 Introduction to LAN Setup This chapter describes how to configure the ZyWALL for LAN and wireless LAN connections.
ZyWALL 5/35/70 Series User’s Guide 523 Chapter 35 LAN Setup Figure 282 Menu 3.1: LAN Port Filter Setup Menu 3.1 - LAN Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: 35.
ZyWALL 5/35/70 Series User’s Guide Chapter 35 LAN Setup 524 Figure 284 Menu 3.2: TCP/IP and DHCP Ethernet Setup Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP= Server TCP/IP Setup: Client IP Pool: Starting Address= 192.168.1.33 IP Address= 192.168.
ZyWALL 5/35/70 Series User’s Guide 525 Chapter 35 LAN Setup Use the instructions in the following table to configure TCP/IP parameters for the LAN port.
ZyWALL 5/35/70 Series User’s Guide Chapter 35 LAN Setup 526 35.4.1 IP Alias Setup IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface.
ZyWALL 5/35/70 Series User’s Guide 527 Chapter 35 LAN Setup Outgoing Protocol Filters Enter the filter set(s) you wish to apply to the outgoing traffic between this node and the ZyWALL. When you have completed this menu, press [ENTER] at the prompt [Press ENTER to Confirm…] to save your configuration, or press [ESC] at any time to cancel.
ZyWALL 5/35/70 Series User’s Guide Chapter 36 Internet Access 528 CHAPTER 36 Internet Access This chapter shows you how to configure your ZyWALL for Internet access. 36.1 Introduction to Internet Access Setup Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet.
ZyWALL 5/35/70 Series User’s Guide 529 Chapter 36 Internet Access The following table describes the fields in this menu. Table 200 Menu 4: Internet Access Setup (Ethernet) FIELD DESCRIPTION ISP’s Name This is the descriptive name of your ISP for identification purposes.
ZyWALL 5/35/70 Series User’s Guide Chapter 36 Internet Access 530 36.3 Configuring the PPTP Client Note: The ZyWALL supports only one PPTP server connection at any given time. To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
ZyWALL 5/35/70 Series User’s Guide 531 Chapter 36 Internet Access Figure 288 Internet Access Setup (PPPoE) Menu 4 - Internet Access Setup ISP's Name= WAN_1 Encapsulation= PPPoE Service Type= N.
ZyWALL 5/35/70 Series User’s Guide Chapter 37 DMZ Setup 532 CHAPTER 37 DMZ Setup This chapter describes how to configure the ZyWALL’s DMZ using Menu 5 - DMZ Setup. 37.1 Configuring DMZ Setup From the main menu, enter 5 to open Menu 5 – DMZ Setup.
ZyWALL 5/35/70 Series User’s Guide 533 Chapter 37 DMZ Setup 37.3.1 IP Address From the main menu, enter 5 to open Menu 5 - DMZ Setup to configure TCP/IP (RFC 1155). Figure 291 Menu 5: DMZ Setup Menu 5 - DMZ Setup 1. DMZ Port Filter Setup 2. TCP/IP and DHCP Setup Enter Menu Selection Number: From menu 5, select the submenu option 2.
ZyWALL 5/35/70 Series User’s Guide Chapter 37 DMZ Setup 534 37.3.2 IP Alias Setup You must use menu 5.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to configure the second and third network.
ZyWALL 5/35/70 Series User’s Guide Chapter 38 Route Setup 536 CHAPTER 38 Route Setup This chapter describes how to configure the ZyWALL's traffic redirect. This chapter applies to the ZyWALL 35 and ZyWALL 70. 38.1 Configuring Route Setup From the main menu, enter 6 to open Menu 6 - Route Setup.
ZyWALL 5/35/70 Series User’s Guide 537 Chapter 38 Route Setup The following table describes the fields in this menu. Table 203 Menu 6.1: Route Assessment FIELD DESCRIPTION Probing WAN 1/2 Check Point Press [SPACE BAR] and then press [ENTER] to choose Yes to test your ZyWALL's WAN accessibility.
ZyWALL 5/35/70 Series User’s Guide Chapter 38 Route Setup 538 38.4 Route Failover This menu allows you to configure how the ZyWALL uses the route assessment ping check function.
ZyWALL 5/35/70 Series User’s Guide Chapter 39 Wireless Setup 540 CHAPTER 39 Wireless Setup Use menu 7 to set up your ZyWALL as the wireless access point.
ZyWALL 5/35/70 Series User’s Guide 541 Chapter 39 Wireless Setup Follow the instructions in the next table on how to configure the wireless LAN parameters. Table 206 Menu 7.1: Wireless Setup FIELD DESCRIPTION Enable Wireless LAN Press [SPACE BAR] to select Yes to turn on the wireless LAN.
ZyWALL 5/35/70 Series User’s Guide Chapter 39 Wireless Setup 542 39.1.1 MAC Address Filter Setup Your ZyWALL checks the MAC address of the wireless station device against a list of allowed or denied MAC addresses. However, intruders could fake allowed MAC addresses so MAC-based authentication is less secure than EAP authentication.
ZyWALL 5/35/70 Series User’s Guide 543 Chapter 39 Wireless Setup 39.2 TCP/IP Setup For more detailed information about RIP setup, IP Multicast and IP alias, please refer to Chapter 5 on page 106. 39.2.1 IP Address From the main menu, enter 7 to open Menu 7 - WLAN Setup to configure TCP/IP (RFC 1155).
ZyWALL 5/35/70 Series User’s Guide Chapter 39 Wireless Setup 544 Figure 301 Menu 7.2: TCP/IP and DHCP Ethernet Setup Menu 7.2 - TCP/IP and DHCP Ethernet Setup DHCP= None TCP/IP Setup: Client IP Pool: Starting Address= N/A IP Address= 0.0.0.0 Size of Client IP Pool= N/A IP Subnet Mask= 0.
ZyWALL 5/35/70 Series User’s Guide 545 Chapter 39 Wireless Setup Figure 302 Menu 7.2.1: IP Alias Setup Menu 7.2.1 - IP Alias Setup IP Alias 1= No IP Address= N/A IP Subnet Mask= N/A RIP Direction.
ZyWALL 5/35/70 Series User’s Guide Chapter 40 Remote Node Setup 546 CHAPTER 40 Remote Node Setup This chapter shows you how to configure a remote node. 40.1 Introduction to Remote Node Setup A remote node is required for placing calls to a remote gateway.
ZyWALL 5/35/70 Series User’s Guide 547 Chapter 40 Remote Node Setup Figure 303 Menu 11: Remote Node Setup Menu 11 - Remote Node Setup 1. WAN_1 (ISP, SUA) 2. WAN_2 (ISP, NAT) 3. -Dial (BACKUP_ISP, SUA) Enter Node # to Edit: 40.3 Remote Node Profile Setup The following explains how to configure the remote node profile menu.
ZyWALL 5/35/70 Series User’s Guide Chapter 40 Remote Node Setup 548 The following table describes the fields in this menu. Table 208 Menu 11.1: Remote Node Profile for Ethernet Encapsulation FIELD DESCRIPTION Rem Node Name Enter a descriptive name for the remote node.
ZyWALL 5/35/70 Series User’s Guide 549 Chapter 40 Remote Node Setup 40.3.2 PPPoE Encapsulation The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). You can only use PPPoE encapsulation when you’re using the ZyWALL with a DSL modem as the WAN device.
ZyWALL 5/35/70 Series User’s Guide Chapter 40 Remote Node Setup 550 40.3.2.3 Metric See Section 7.5 on page 130 for details on the Metric field. Table 209 Fields in Menu 11.1 (PPPoE Encapsulation Specific) FIELD DESCRIPTION Service Name If you are using PPPoE encapsulation, then type the name of your PPPoE service here.
ZyWALL 5/35/70 Series User’s Guide 551 Chapter 40 Remote Node Setup Figure 306 Menu 11.1: Remote Node Profile for PPTP Encapsulation Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Rou.
ZyWALL 5/35/70 Series User’s Guide Chapter 40 Remote Node Setup 552 Figure 307 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation Menu 11.
ZyWALL 5/35/70 Series User’s Guide 553 Chapter 40 Remote Node Setup 40.5 Remote Node Filter Move the cursor to the field Edit Filter Sets in menu 11.1, and then press [SPACE BAR] to set the value to Yes. Press [ENTER] to open Menu 11.1.4 - Remote Node Filter.
ZyWALL 5/35/70 Series User’s Guide Chapter 40 Remote Node Setup 554 Figure 308 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation) Menu 11.1.4 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL: Figure 309 Menu 11.
ZyWALL 5/35/70 Series User’s Guide 555 Chapter 40 Remote Node Setup Figure 310 Menu 11.1.5: Traffic Redirect Menu 11.1.5 - Traffic Redirect Setup Active= Yes Configuration: Backup Gateway IP Address= 0.0.0.0 Metric= 14 Check WAN IP Address= 0.
ZyWALL 5/35/70 Series User’s Guide Chapter 41 IP Static Route Setup 556 CHAPTER 41 IP Static Route Setup This chapter shows you how to configure static routes with your ZyWALL. 41.1 IP Static Route Setup Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.
ZyWALL 5/35/70 Series User’s Guide 557 Chapter 41 IP Static Route Setup Figure 312 Menu 12.1: Edit IP Static Route Menu 12.1 - Edit IP Static Route Route #: 3 Route Name= ? Active= No Destination.
ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 558 CHAPTER 42 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL.
ZyWALL 5/35/70 Series User’s Guide 559 Chapter 42 Network Address Translation (NAT) Figure 313 Menu 4: Applying NAT for Internet Access Menu 4 - Internet Access Setup ISP's Name= ChangeMe En.
ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 560 The following table describes the fields in this menu. Table 214 Applying NAT in Menus 4 & 11.1.2 FIELD DESCRIPTION OPTIONS Network Address Translation When you select this option the SMT will use Address Mapping Set 1 (menu 15.
ZyWALL 5/35/70 Series User’s Guide 561 Chapter 42 Network Address Translation (NAT) 42.2.1 Address Mapping Sets Enter 1 to bring up Menu 15.1 - Address Mapping Sets. Figure 316 Menu 15.1: Address Mapping Sets Menu 15.1 - Address Mapping Sets 1.
ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 562 Note: Menu 15.1.255 is read-only. Table 215 SUA Address Mapping Rules FIELD DESCRIPTION Set Name This is the name of the set you selected in menu 15.1 or enter the name of a new set you want to create.
ZyWALL 5/35/70 Series User’s Guide 563 Chapter 42 Network Address Translation (NAT) Figure 318 Menu 15.1.1: First Set Menu 15.1.1 - Address Mapping Rules Set Name= NAT_SET Idx Local Start IP Local End IP Global Start IP Global End IP Type --- --------------- --------------- --------------- --------------- -- 1.
ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 564 Note: You must press [ENTER] at the bottom of the screen to save the whole set. You must do this again if you make any changes to the set – including deleting a rule.
ZyWALL 5/35/70 Series User’s Guide 565 Chapter 42 Network Address Translation (NAT) 42.3 Configuring a Server behind NAT Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.
ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 566 Figure 321 Menu 15.2.1: NAT Server Sets Menu 15.2.1 - NAT Server Setup Default Server: 0.0.0.0 Rule Act. Start Port End Port IP Address ------------------ ------------------------------------ 001 No 0 0 0.
ZyWALL 5/35/70 Series User’s Guide 567 Chapter 42 Network Address Translation (NAT) Figure 322 15.2.1.2: NAT Server Configuration 15.2.1.2 - NAT Server Configuration Wan= 1 Index= 2 --------------------------- --------------------- Name= 1 Active= Yes Start port= 21 End port= 25 IP Address= 192.
ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 568 Figure 323 Menu 15.2.1: NAT Server Setup Menu 15.2.1 - NAT Server Setup Default Server: 0.0.0.0 Rule Act. Start Port End Port IP Address ---------------- -------------------------------------- 001 No 0 0 0.
ZyWALL 5/35/70 Series User’s Guide 569 Chapter 42 Network Address Translation (NAT) Figure 325 NAT Example 1 Figure 326 Menu 4: Internet Access & NAT Example Menu 4 - Internet Access Setup .
ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 570 42.4.2 Example 2: Internet Access with a Default Server Figure 327 NAT Example 2 In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.
ZyWALL 5/35/70 Series User’s Guide 571 Chapter 42 Network Address Translation (NAT) 1 Map the first IGA to the first inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses).
ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 572 Figure 330 Example 3: Menu 11.1.2 Menu 11.1.2 - Remote Node Network Layer Options IP Address Assignment= Dynami.
ZyWALL 5/35/70 Series User’s Guide 573 Chapter 42 Network Address Translation (NAT) Figure 332 Example 3: Final Menu 15.1.1 Menu 15.1.1 - Address Mapping Rules Set Name= Example3 Idx Local Start IP Local End IP Global Start IP Global End IP Type --- --------------- --------------- --------------- --------------- --- 1.
ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 574 42.4.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation.
ZyWALL 5/35/70 Series User’s Guide 575 Chapter 42 Network Address Translation (NAT) Figure 336 Example 4: Menu 15.1.1: Address Mapping Rules Menu 15.1.1 - Address Mapping Rules Set Name= Example4 Idx Local Start IP Local End IP Global Start IP Global End IP Type --- --------------- --------------- --------------- --------------- --- 1.
ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 576 Note: Only one LAN computer can use a trigger port (range) at a time. Enter 3 in menu 15 to display Menu 15.3 - Trigger Ports. For a ZyWALL with multiple WAN ports, enter 1 or 2 from menu 15.
ZyWALL 5/35/70 Series User’s Guide Chapter 43 Introducing the ZyWALL Firewall 578 CHAPTER 43 Introducing the ZyWALL Firewall This chapter shows you how to get started with the ZyWALL firewall. 43.1 Using ZyWALL SMT Menus From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next.
ZyWALL 5/35/70 Series User’s Guide 579 Chapter 43 Introducing the ZyWALL Firewall Figure 339 Menu 21.2: Firewall Setup Menu 21.2 - Firewall Setup The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off.
ZyWALL 5/35/70 Series User’s Guide Chapter 44 Filter Configuration 580 CHAPTER 44 Filter Configuration This chapter shows you how to create and apply filters. 44.1 Introduction to Filters Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call.
ZyWALL 5/35/70 Series User’s Guide 581 Chapter 44 Filter Configuration 44.1.1 The Filter Structure of the ZyWALL A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name.
ZyWALL 5/35/70 Series User’s Guide Chapter 44 Filter Configuration 582 Figure 341 Filter Rule Process You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
ZyWALL 5/35/70 Series User’s Guide 583 Chapter 44 Filter Configuration 44.2 Configuring a Filter Set The ZyWALL includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below. 1 Enter 21 in the main menu to open menu 21.
Table 220 Abbreviations Used in the Filter Rules Summary Menu FIELD DESCRIPTION A Active: “Y” means the rule is active. “N” means the rule is inactive. Type The type of filter rule: “GEN” for Generic, “IP” for TCP/IP. Filter Rules These parameters are displayed here.
ZyWALL 5/35/70 Series User’s Guide 585 Chapter 44 Filter Configuration To speed up filtering, all rules in a filter set must be of the same class, i.e., protocol filters or generic filters. The class of a filter set is determined by the first rule that you create.
ZyWALL 5/35/70 Series User’s Guide Chapter 44 Filter Configuration 586 The following figure illustrates the logic flow of an IP filter. Destination IP Addr Enter the destination IP Address of the packet you wish to filter. This field is ignored if it is 0.
ZyWALL 5/35/70 Series User’s Guide 587 Chapter 44 Filter Configuration Figure 345 Executing an IP Filter 44.2.3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule.
ZyWALL 5/35/70 Series User’s Guide Chapter 44 Filter Configuration 588 to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyWALL treats a packet as a byte stream as opposed to an IP or IPX packet.
ZyWALL 5/35/70 Series User’s Guide 589 Chapter 44 Filter Configuration 44.3 Example Filter Let’s look at an example to block outside users from accessing the ZyWALL via telnet. Please see our included disk for more example filters. Figure 347 Telnet Filter Example 1 Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup.
ZyWALL 5/35/70 Series User’s Guide Chapter 44 Filter Configuration 590 Figure 348 Example Filter: Menu 21.1.3.1 Menu 21.1.3.1 - TCP/IP Filter Rule Filter #: 3,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 6 IP Source Route= No Destination: IP Addr= 0.
ZyWALL 5/35/70 Series User’s Guide 591 Chapter 44 Filter Configuration M = N means an action can be taken immediately. The action is to drop the packet ( m = D ) if the action is matched and to fo.
ZyWALL 5/35/70 Series User’s Guide Chapter 44 Filter Configuration 592 44.6 Applying a Filter This section shows you where to apply the filter(s) after you design it (them). The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP and HTTP connections.
ZyWALL 5/35/70 Series User’s Guide 593 Chapter 44 Filter Configuration Figure 352 Filtering DMZ Traffic Menu 5.1 - DMZ Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: 44.
ZyWALL 5/35/70 Series User’s Guide Chapter 45 SNMP Configuration 594 CHAPTER 45 SNMP Configuration This chapter explains SNMP configuration menu 22. 45.1 SNMP Configuration To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next.
ZyWALL 5/35/70 Series User’s Guide 595 Chapter 45 SNMP Configuration 45.2 SNMP Traps The ZyWALL will send traps to the SNMP manager when any one of the following events occurs: Table 225 SNMP Traps TRAP # TRAP NAME DESCRIPTION 0 coldStart (defined in RFC-1215) A trap is sent after booting (power on).
ZyWALL 5/35/70 Series User’s Guide Chapter 46 System Information & Diagnosis 596 CHAPTER 46 System Information & Diagnosis This chapter covers SMT menus 24.1 to 24.4. 46.1 Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your ZyWALL.
ZyWALL 5/35/70 Series User’s Guide 597 Chapter 46 System Information & Diagnosis 3 There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 drops the WAN connection, 9 resets the counters and [ESC] takes you back to the previous screen.
ZyWALL 5/35/70 Series User’s Guide Chapter 46 System Information & Diagnosis 598 46.3 System Information and Console Port Speed This section describes your system and allows you to choose different console port speeds. To get to the System Information and Console Port Speed: 1 Enter 24 to go to Menu 24 - System Maintenance.
ZyWALL 5/35/70 Series User’s Guide 599 Chapter 46 System Information & Diagnosis Figure 358 Menu 24.2.1: System Maintenance: Information Menu 24.2.1 - System Maintenance - Information Name: Routing: IP ZyNOS F/W Version: V4.00 (WM.0)b2 | 07/25/2005 Country Code: 255 LAN Ethernet Address: 00:A0:C5:01:23:45 IP Address: 192.
ZyWALL 5/35/70 Series User’s Guide Chapter 46 System Information & Diagnosis 600 Figure 359 Menu 24.2.2: System Maintenance: Change Console Port Speed Menu 24.2.2 - System Maintenance - Change Console Port Speed Console Port Speed: 9600 Press ENTER to Confirm or ESC to Cancel:Press Space Bar to Toggle.
ZyWALL 5/35/70 Series User’s Guide 601 Chapter 46 System Information & Diagnosis Figure 361 Examples of Error and Information Messages 52 Thu Jul 1 05:54:53 2004 PP05 ERROR Wireless LAN init fai.
ZyWALL 5/35/70 Series User’s Guide Chapter 46 System Information & Diagnosis 602 Your ZyWALL sends five types of syslog messages. Some examples (not all ZyWALL specific) of these syslog mes.
Filter log Message Format SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String ); String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m) drop (D).
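The filter log string described above can be parsed mechanically when ZyWALL syslog output is collected on a log host. The following Python parser is an added example, not code from the manual or from ZyXEL; the syslog prefix and every sample line are constructed, the port fields are kept as raw text because this section does not state their radix, and only the m and D codes explained above are given names.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Layout from the manual: IP[Src=.. Dst=.. prot spo=xxxx dpo=xxxx] S04>R01mD
FILTER_LOG_RE = re.compile(
    r"IP\[Src=(?P<src>\S+) Dst=(?P<dst>\S+) (?P<prot>\S+) "
    r"spo=(?P<spo>\w{1,5}) dpo=(?P<dpo>\w{1,5})\] "
    r"S(?P<fset>\d{2})>R(?P<rule>\d{2})(?P<match>[A-Za-z])(?P<action>[A-Za-z])"
)

# Only the two codes this section explains are named; others stay raw.
MATCH_CODES = {"m": "match"}
ACTION_CODES = {"D": "drop"}
MAX_RULES_PER_SET = 6  # the guide: each filter set has up to six rules


@dataclass(frozen=True)
class FilterLogEntry:
    src: str
    dst: str
    protocol: str
    src_port: str   # raw text, radix not stated in this section
    dst_port: str
    filter_set: int
    rule: int
    match_code: str
    action_code: str

    @property
    def is_matched_drop(self):
        return self.match_code == "m" and self.action_code == "D"

    def describe(self):
        match = MATCH_CODES.get(self.match_code, self.match_code)
        action = ACTION_CODES.get(self.action_code, self.action_code)
        return f"filter set {self.filter_set} rule {self.rule}: {match} {action}"


def parse_filter_log(line):
    """Return a FilterLogEntry, or None when the line is not a valid filter log."""
    found = FILTER_LOG_RE.search(line)
    if not found:
        return None
    try:
        # Reject corrupted or spoofed-looking address fields early.
        src = str(ipaddress.ip_address(found["src"]))
        dst = str(ipaddress.ip_address(found["dst"]))
    except ValueError:
        return None
    rule = int(found["rule"])
    if not 1 <= rule <= MAX_RULES_PER_SET:
        return None
    return FilterLogEntry(src, dst, found["prot"], found["spo"], found["dpo"],
                          int(found["fset"]), rule, found["match"], found["action"])


def summarize_drops(lines):
    """Count matched-and-dropped packets per (filter set, rule)."""
    counts = Counter()
    for line in lines:
        entry = parse_filter_log(line)
        if entry and entry.is_matched_drop:
            counts[(entry.filter_set, entry.rule)] += 1
    return counts


# Constructed sample lines; the "Jul 1 ... ZyWALL:" prefix is an assumption.
SAMPLE_LINES = [
    "Jul  1 05:54:53 192.168.1.1 ZyWALL: IP[Src=203.0.113.7 Dst=192.168.1.1 TCP spo=0c4f dpo=0017] S03>R01mD",
    "Jul  1 05:54:58 192.168.1.1 ZyWALL: IP[Src=198.51.100.22 Dst=192.168.1.1 TCP spo=1a2b dpo=0017] S03>R01mD",
    "Jul  1 05:55:02 192.168.1.1 ZyWALL: IP[Src=192.168.1.33 Dst=192.0.2.9 UDP spo=0089 dpo=0089] S04>R02mD",
    # Codes other than m and D are not explained in this section: kept raw.
    "Jul  1 05:55:10 192.168.1.1 ZyWALL: IP[Src=192.168.1.34 Dst=192.0.2.9 TCP spo=0401 dpo=0050] S04>R01nF",
    # Malformed address and out-of-range rule number: both rejected.
    "Jul  1 05:55:11 192.168.1.1 ZyWALL: IP[Src=999.1.1.1 Dst=192.168.1.1 TCP spo=0401 dpo=0017] S03>R01mD",
    "Jul  1 05:55:12 192.168.1.1 ZyWALL: IP[Src=203.0.113.7 Dst=192.168.1.1 TCP spo=0401 dpo=0017] S03>R09mD",
]

if __name__ == "__main__":
    for (fset, rule), hits in sorted(summarize_drops(SAMPLE_LINES).items()):
        print(f"set {fset} rule {rule}: {hits} dropped")
```

A rule that suddenly accounts for most drops, or drops from a source that should never reach the device, is the kind of change this per-rule count makes visible.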
ZyWALL 5/35/70 Series User’s Guide Chapter 46 System Information & Diagnosis 604 46.4.3 Call-Triggering Packet Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easy readable format. Equivalent information is available in menu 24.
ZyWALL 5/35/70 Series User’s Guide 605 Chapter 46 System Information & Diagnosis 1 From the main menu, select option 24 to open Menu 24 - System Maintenance. 2 From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagnostic.
Table 229 System Maintenance Menu Diagnostic FIELD DESCRIPTION Ping Host Enter 1 to ping any machine (with an IP address) on your LAN or WAN. Enter its IP address in the Host IP Address field below. WAN DHCP Release Enter 2 to release your WAN DHCP settings.
ZyWALL 5/35/70 Series User’s Guide Chapter 47 Firmware and Configuration File Maintenance 608 CHAPTER 47 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file.
ZyWALL 5/35/70 Series User’s Guide 609 Chapter 47 Firmware and Configuration File Maintenance The following table is a summary. Please note that the internal filename refers to the filename on .
ZyWALL 5/35/70 Series User’s Guide Chapter 47 Firmware and Configuration File Maintenance 610 Figure 366 Telnet into Menu 24.5 Menu 24.5 - Backup Configuration To transfer the configuration file to your workstation, follow the procedure below: 1.
ZyWALL 5/35/70 Series User’s Guide 611 Chapter 47 Firmware and Configuration File Maintenance 47.3.3 Example of FTP Commands from the Command Line Figure 367 FTP Session Example 331 Enter PASS command Password: 230 Logged in ftp> bin 200 Type I OK ftp> get rom-0 zyxel.
ZyWALL 5/35/70 Series User’s Guide Chapter 47 Firmware and Configuration File Maintenance 612 4 The IP you entered in the Secured Client IP field in menu 24.11 does not match the client IP. If it does not match, the ZyWALL will disconnect the Telnet session immediately.
ZyWALL 5/35/70 Series User’s Guide 613 Chapter 47 Firmware and Configuration File Maintenance 47.3.8 GUI-based TFTP Clients The following table describes some of the fields that you may see in GUI-based TFTP clients. Table 232 General Commands for GUI-based TFTP Clients COMMAND DESCRIPTION Host Enter the IP address of the ZyWALL.
ZyWALL 5/35/70 Series User’s Guide Chapter 47 Firmware and Configuration File Maintenance 614 Figure 370 Backup Configuration Example Type a location for storing the configuration file or click Browse to look for one. Choose the Xmodem protocol.
ZyWALL 5/35/70 Series User’s Guide 615 Chapter 47 Firmware and Configuration File Maintenance Figure 372 Telnet into Menu 24.6 Menu 24.6 -- System Maintenance - Restore Configuration To transfer the firmware and configuration file to your workstation, follow the procedure below: 1.
ZyWALL 5/35/70 Series User’s Guide Chapter 47 Firmware and Configuration File Maintenance 616 47.4.2 Restore Using FTP Session Example Figure 373 Restore Using FTP Session Example ftp> put config.
ZyWALL 5/35/70 Series User’s Guide 617 Chapter 47 Firmware and Configuration File Maintenance 4 After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu. Figure 377 Successful Restoration Confirmation Screen Save to ROM Hit any key to start system reboot.
ZyWALL 5/35/70 Series User’s Guide Chapter 47 Firmware and Configuration File Maintenance 618 Figure 378 Telnet Into Menu 24.7.1: Upload System Firmware Menu 24.7.1 - System Maintenance - Upload System Firmware To upload the system firmware, follow the procedure below: 1.
ZyWALL 5/35/70 Series User’s Guide 619 Chapter 47 Firmware and Configuration File Maintenance 47.5.3 FTP File Upload Command from the DOS Prompt Example 1 Launch the FTP client on your computer. 2 Enter “open”, followed by a space and the IP address of your ZyWALL.
ZyWALL 5/35/70 Series User’s Guide Chapter 47 Firmware and Configuration File Maintenance 620 1 Use telnet from your computer to connect to the ZyWALL and log in. Because TFTP does not have any security checks, the ZyWALL records the IP address of the telnet client and accepts TFTP requests only from this address.
ZyWALL 5/35/70 Series User’s Guide 621 Chapter 47 Firmware and Configuration File Maintenance Figure 381 Menu 24.7.1 As Seen Using the Console Port Menu 24.7.1 - System Maintenance - Upload System Firmware To upload system firmware: 1. Enter "y" at the prompt below to go into debug mode.
ZyWALL 5/35/70 Series User’s Guide Chapter 47 Firmware and Configuration File Maintenance 622 Figure 383 Menu 24.7.2 As Seen Using the Console Port Menu 24.7.2 - System Maintenance - Upload System Configuration File To upload system configuration file: 1.
CHAPTER 48 System Maintenance Menus 8 to 10 This chapter leads you through SMT menus 24.8 to 24.10. 48.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware.
The required fields in a command are enclosed in angle brackets <>. The optional fields in a command are enclosed in square brackets []. The | symbol means “or”.
48.2 Call Control Support The ZyWALL provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.
Figure 388 Budget Management Menu 24.9.1 - Budget Management Remote Node Connection Time/Total Budget Elapsed Time/Total Period 1.WAN_1 No Budget No Budget 2.WAN_2 No Budget No Budget 3.
Figure 389 Call History Menu 24.9.2 - Call History Phone Number Dir Rate #call Max Min Total 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. Enter Entry to Delete(0 to exit): The following table describes the fields in this screen.
Figure 390 Menu 24: System Maintenance Menu 24 - System Maintenance 1. System Status 2. System Information and Console Port Speed 3. Log and Trace 4. Diagnostic 5. Backup Configuration 6.
Table 236 Menu 24.10 System Maintenance: Time and Date Setting FIELD DESCRIPTION Time Protocol Enter the time service protocol that your timeserver uses.
End Date (mm-nth-week-hr) Configure the day and time when Daylight Saving Time ends if you selected Yes in the Daylight Saving field. The hr field uses the 24 hour format.
CHAPTER 49 Remote Management This chapter covers remote management found in SMT menu 24.11. 49.1 Remote Management Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers.
Figure 392 Menu 24.11 – Remote Management Control Menu 24.11 - Remote Management Control TELNET Server: Port = 23 Access = ALL Secure Client IP = 0.0.0.0 FTP Server: Port = 21 Access = ALL Secure Client IP = 0.
49.1.1 Remote Management Limitations Remote management over LAN or WAN will not work when: 1 A filter in menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service.
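The Menu 24.11 screen in Figure 392 and the Secured Client IP check described in Chapter 47 can be reviewed offline from a saved copy of the menu text. The following Python sketch is an added example, not part of the ZyXEL guide: it parses the per-service Port, Access and Secure Client IP fields, models the client check, and flags services left open on all interfaces to any client. The sample text is constructed, and the reading of 0.0.0.0 as "no client restriction", the WWW row and the "LAN only" value are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the layout of Figure 392 (Menu 24.11).
# The FTP client address, the WWW row and the "LAN only" value are
# assumptions made for this example; they are not taken from the guide.
SAMPLE_MENU = """\
Menu 24.11 - Remote Management Control
  TELNET Server:  Port = 23   Access = ALL
                  Secure Client IP = 0.0.0.0
  FTP Server:     Port = 21   Access = ALL
                  Secure Client IP = 192.168.1.33
  WWW Server:     Port = 80   Access = LAN only
                  Secure Client IP = 0.0.0.0
"""

# Assumption: 0.0.0.0 in Secure Client IP means no client restriction.
ANY_CLIENT = "0.0.0.0"

# Whitespace-tolerant so it also matches a menu flattened onto one line.
ROW = re.compile(
    r"(?P<name>[A-Z]+) Server:\s*Port = (?P<port>\d+)\s+"
    r"Access = (?P<access>[A-Za-z ]+?)\s+"
    r"Secure Client IP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


@dataclass
class Service:
    name: str
    port: int
    access: str
    secure_client_ip: str


def parse_menu(text):
    """Return one Service per '<NAME> Server:' entry; incomplete entries are skipped."""
    return [
        Service(m["name"], int(m["port"]), m["access"].strip(), m["ip"])
        for m in ROW.finditer(text)
    ]


def client_allowed(svc, client_ip):
    """True if a session from client_ip passes the Secure Client IP check."""
    return svc.secure_client_ip in (ANY_CLIENT, client_ip)


def audit(services):
    """Flag services reachable on ALL interfaces with no client restriction."""
    findings = []
    for svc in services:
        if svc.access == "ALL" and svc.secure_client_ip == ANY_CLIENT:
            findings.append(
                f"{svc.name} (port {svc.port}): Access = ALL and "
                f"Secure Client IP = {ANY_CLIENT}"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(parse_menu(SAMPLE_MENU)):
        print(finding)
```
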
CHAPTER 50 IP Policy Routing This chapter covers setting and applying policies used for IP routing.
50.2 IP Routing Policy Setup To set up a routing policy, perform the following procedures: Criteria/Action This displays the details about to which packets the policy applies and how the policy has the ZyWALL handle those packets.
1 Type 25 in the main menu to open Menu 25 - IP Routing Policy Summary. 2 Select Edit in the Select Command field; type the index number of the rule you want to configure in the Select Rule field and press [ENTER] to open Menu 25.
50.2.1 Applying Policy to Packets To apply the policy to packets received on the selected interface(s), go to Menu 25.1: IP Routing Policy Setup and press [SPACE BAR] to select Yes in the Edit policy to packets received from field.
Figure 395 Menu 25.1.1: IP Routing Policy Setup Menu 25.1.1 - IP Routing Policy Setup Apply policy to packets received from: LAN=.
Figure 396 Example of IP Policy Routing To force Web packets coming from clients with IP addresses of 192.168.1.33 to 192.168.1.64 to be routed to the Internet via the WAN port of the ZyWALL, follow the steps as shown next.
4 Create another rule in menu 25.1 for this rule to route packets from any host (IP=0.0.0.0 means any host) with protocol TCP and port FTP access through another gateway (192.168.
CHAPTER 51 Call Scheduling Call scheduling allows you to dictate when a remote node should be called and for how long.
Figure 400 Schedule Set Setup Menu 26.1 - Schedule Set Setup Active= Yes How Often= Once Start Date(yyyy-mm-dd) = N/A Once: Date(yy.
Once your schedule sets are configured, you must then apply them to the desired remote node(s).
Figure 402 Applying Schedule Set(s) to a Remote Node (PPTP) Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Acti.
CHAPTER 52 Troubleshooting This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem.
52.3 Problems with the DMZ Interface Table 245 Troubleshooting the DMZ Interface PROBLEM CORRECTIVE ACTION Cannot access servers on the DMZ from the LAN. Check your Ethernet cable type and connections.
52.5 Problems Accessing the ZyWALL Table 247 Troubleshooting Accessing the ZyWALL PROBLEM CORRECTIVE ACTION Cannot access the ZyWALL. The default password is “1234”. The password field is case sensitive.
• Web browser pop-up windows from your device. • JavaScripts (enabled by default). • Java permissions (enabled by default). Note: Internet Explorer 6 screens are used here. Screens for other Internet Explorer versions may vary.
Figure 404 Internet Options: Privacy 3 Click Apply to save this setting. 52.5.1.1.2 Enable pop-up Blockers with Exceptions Alternatively, if you only want to allow pop-up windows from your device, see the following steps.
Figure 405 Internet Options: Privacy 3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.
Figure 406 Pop-up Blocker Settings 5 Click Close to return to the Privacy screen. 6 Click Apply to save this setting. 52.5.1.2 JavaScripts If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.
Figure 407 Internet Options: Security 2 Click the Custom Level... button. 3 Scroll down to Scripting. 4 Under Active scripting make sure that Enable is selected (the default). 5 Under Scripting of Java applets make sure that Enable is selected (the default).
Figure 408 Security Settings - Java Scripting 52.5.1.3 Java Permissions 1 From Internet Explorer, click Tools, Internet Options and then the Security tab. 2 Click the Custom Level.
Figure 409 Security Settings - Java 52.5.1.3.1 JAVA (Sun) 1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab. 2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected.
Figure 410 Java (Sun) 52.6 Packet Flow The following is the packet check flow on the ZyWALL.
APPENDIX A Product Specifications See also the Introduction chapter for a general overview of the key features. Specification Tables Table 248 Device Specifications Default IP Address 192.
Operation Humidity 20% ~ 95% RH (non-condensing) Storage Humidity 20% ~ 95% RH (non-condensing) Certifications EMC: FCC.
Anti-Spam Spam, Phishing detection Configurable white and black lists SMTP, POP3 support External Spam database Conte.
Table 251 Feature Specifications FEATURE SPECIFICATION ZYWALL 70 ZYWALL 35 ZYWALL 5 Number of Static DHCP Table Entries.
Compatible ZyXEL WLAN Cards The following table lists the ZyXEL WLAN cards that you can use in the ZyWALL at the time of writing. It also shows the security features that each card supports.
Figure 411 WLAN Card Installation Cable Pin Assignments In a serial communications connection, generally a computer is DTE (Data Terminal Equipment) and a modem is DCE (Data Circuit-terminating Equipment).
Table 253 Console/Dial Backup Port Pin Assignments CONSOLE Port RS – 232 (Female) DB-9F DIAL BACKUP RS – 232 (Male) DB-.
APPENDIX B Hardware Installation The ZyWALL can be placed on a desktop or rack-mounted on a standard EIA rack.
Figure 414 Attaching Rubber Feet Note: Do not block the ventilation holes. Leave space between ZyWALLs when stacking. Rack-mounted Installation Requirements The ZyWALL can be mounted on an EIA standard size, 19-inch rack or in a wiring closet with other equipment.
Figure 415 Attaching Mounting Brackets and Screws 3 After attaching both mounting brackets, position the ZyWALL in the rack by lining up the holes in the brackets with the appropriate holes on the rack.
APPENDIX C Removing and Installing a Fuse This appendix shows you how to remove and install fuses for the ZyWALL. If you need to install a new fuse, follow the procedure below.
APPENDIX D Setting up Your Computer’s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed.
Figure 417 Windows 95/98/Me: Network: Configuration Installing Components The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.
3 Select Microsoft from the list of manufacturers. 4 Select Client for Microsoft Networks from the list of network clients and then click OK. 5 Restart your computer so the changes you made take effect.
Figure 419 Windows 95/98/Me: TCP/IP Properties: DNS Configuration 4 Click the Gateway tab. • If you do not know your gateway’s IP address, remove previously installed gateways.
Figure 420 Windows XP: Start Menu 2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT). Figure 421 Windows XP: Control Panel 3 Right-click Local Area Connection and then click Properties.
Figure 422 Windows XP: Control Panel: Network Connections: Properties 4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties.
• If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields. • Click Advanced.
Figure 425 Windows XP: Advanced TCP/IP Properties 7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): • Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
Figure 426 Windows XP: Internet Protocol (TCP/IP) Properties 8 Click OK to close the Internet Protocol (TCP/IP) Properties window. 9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window.
Figure 427 Macintosh OS 8/9: Apple Menu 2 Select Ethernet built-in from the Connect via list. Figure 428 Macintosh OS 8/9: TCP/IP 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list.
4 For statically assigned settings, do the following: • From the Configure box, select Manually. • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box.
Figure 430 Macintosh OS X: Network 4 For statically assigned settings, do the following: • From the Configure box, select Manually. • Type your IP address in the IP Address box.
Note: Make sure you are logged in as the root administrator. Using the K Desktop Environment (KDE) Follow the steps below to configure your computer IP address using the KDE.
• If you have a dynamic IP address, click Automatically obtain IP address settings with and select dhcp from the drop down list.
1 Assuming that you have only one network card on the computer, locate the ifconfig-eth0 configuration file (where eth0 is the name of the Ethernet card). Open the configuration file with any plain text editor.
Figure 438 Red Hat 9.0: Restart Ethernet Card [root@localhost init.
APPENDIX E IP Subnetting IP Addressing Routers “route” based on the network number.
Since the first octet of a class “A” IP address must contain a “0”, the first octet of a class “A” address can have a value of 0 to 127.
Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32 bit mask, you can simply specify the number of ones instead of writing the value of each octet.
Note: In the following charts, shaded/bolded last octet bit values indicate host ID bits “borrowed” to form network ID bits. The number of “borrowed” host ID bits determines the number of subnets you can have.
Example: Four Subnets The above example illustrated using a 25-bit subnet mask to divide a class “C” address space into two subnets.
Table 264 Subnet 4 NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192.168.1. 192 IP Address (Binary) 11000000.10101000.00000001. 11000000 Subnet Mask (Binary) 11111111.11111111.11111111. 11000000 Subnet Address: 192.168.1.192 Lowest Host ID: 192.
Subnetting With Class A and Class B Networks. For class “A” and class “B” addresses the subnet mask also determines which bits are part of the network number and which are part of the host ID.
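The subnet tables in this appendix (two subnets from a 25-bit mask, four from a 26-bit mask, Subnet 4 starting at 192.168.1.192) follow from borrowing host ID bits beyond the class default mask. The following Python sketch is an added example, not part of the ZyXEL guide; it generalizes the class "C" case to class "A" and "B" networks, and the function names are hypothetical.

```python
import ipaddress


def classful_prefix(addr):
    """Return the default mask length implied by the address class."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:   # class A: leading bit 0
        return 8
    if first_octet < 192:   # class B: leading bits 10
        return 16
    if first_octet < 224:   # class C: leading bits 110
        return 24
    raise ValueError("class D/E addresses have no network/host split")


def subnet_plan(addr, borrowed_bits):
    """List the subnets created by borrowing host ID bits from the class mask."""
    base = classful_prefix(addr)
    new_prefix = base + borrowed_bits
    # Leave at least two host bits so each subnet has usable host IDs.
    if borrowed_bits < 1 or new_prefix > 30:
        raise ValueError("borrowed_bits out of range for this address class")
    network = ipaddress.IPv4Network((addr, base), strict=False)
    plan = []
    for net in network.subnets(new_prefix=new_prefix):
        plan.append({
            "subnet": str(net.network_address),
            "mask": str(net.netmask),
            "lowest_host": str(net.network_address + 1),
            "highest_host": str(net.broadcast_address - 1),
            "broadcast": str(net.broadcast_address),
        })
    return plan


if __name__ == "__main__":
    # Four subnets of the class C network used in the appendix's example.
    for number, row in enumerate(subnet_plan("192.168.1.0", 2), start=1):
        print(f"Subnet {number}: {row}")
```
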
APPENDIX F PPPoE PPPoE in Action An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your computer to an ATM PVC (Permanent Virtual Circuit) which connects to a DSL Access Concentrator where the PPP session terminates (see Figure 440 on page 699).
Figure 440 Single-Computer per Router Hardware Configuration How PPPoE Works The PPPoE driver makes the Ethernet appear as a serial link to the computer and the computer runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC).
APPENDIX G PPTP What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames.
PPTP Protocol Overview PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco’s Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user.
Figure 444 Example Message Exchange between Computer and an ANT PPP Data Connection The PPP frames are tunneled between the PNS and PAC over GRE (General Routing Encapsulation, RFC 1701, 1702).
APPENDIX H Wireless LANs Wireless LAN Topologies This section discusses ad-hoc and infrastructure wireless LAN topologies.
Figure 446 Basic Service Set ESS An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network.
Figure 447 Infrastructure WLAN Channel A channel is the radio frequency(ies) used by IEEE 802.
Figure 448 RTS/CTS When station A sends data to the AP, it might not know that the station B is already using the channel.
A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference.
IEEE 802.1x In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features.
• Access-Challenge Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message.
3 The wireless station replies with identity information, including username and password. 4 The RADIUS server checks the user information against its user profile database and determines whether or not to authenticate the wireless station.
PEAP (Protected EAP) Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity.
Figure 450 WEP Authentication Steps Open system authentication involves an unencrypted two-message procedure. A wireless station sends an open system authentication request to the AP, which will then automatically accept and connect the wireless station to the network.
Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption.
The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC.
In a network environment with multiple access points, wireless stations are able to switch from one access point to another as they move between the coverage areas.
Requirements for Roaming The following requirements must be met in order for wireless stations to roam between the coverage areas. 1 All the access points must be on the same subnet and configured with the same ESSID.
APPENDIX I Triangle Route The Ideal Setup When the firewall is on, your ZyWALL acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyWALL to protect your LAN against attacks.
Figure 453 “Triangle Route” Problem The “Triangle Route” Solutions This section presents two solutions to the “triangle route” problem. IP Aliasing IP alias allows you to partition your network into logical sections over the same Ethernet interface.
Figure 454 IP Alias Gateways on the WAN Side A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side as the following figure shows.
APPENDIX J Windows 98 SE/Me Requirements for Anti-Virus Message Display With the anti-virus packet scan, when a virus is detected, an alert message is displayed on Microsoft Windows-based computers.
Figure 457 Windows 98 SE: Program Task Bar 2 Click the Start Menu Programs tab and click Advanced... Figure 458 Windows 98 SE: Task Bar Properties 3 Double-click Programs and click StartUp.
Figure 459 Windows 98 SE: StartUp 5 A Create Shortcut window displays. Enter “winpopup” in the Command line field and click Next.
Figure 461 Windows 98 SE: Startup: Select a Title for the Program 7 A shortcut is created in the StartUp pane. Restart the computer when prompted.
APPENDIX K VPN Setup This appendix will help you to quickly create an IPSec/VPN connection between two ZyXEL IPSec routers. It should be considered a quick reference for experienced users.
The following pages show a typical configuration that builds a tunnel between two private networks. One network is the headquarters (HQ) and the other is a branch office. Both sites have static (fixed) public addresses.
Figure 464 Headquarters Gateway Policy Edit The IP address of the branch office IPSec router.
Figure 465 Branch Office Gateway Policy Edit The IP address of the headquarters IPSec router. 3 Click the add network policy icon next to the BRANCH gateway policy to configure a VPN policy.
Figure 466 Headquarters VPN Rule Figure 467 Branch Office VPN Rule 4 Configure the screens in the headquarters and the branch office as follows and click Apply.
Figure 468 Headquarters Network Policy Edit IP addresses on different subnets. Activate the network policy.
Figure 469 Branch Office Network Policy Edit IP addresses on different subnets. Activate the network policy. Dialing the VPN Tunnel via.
Figure 470 VPN Rule Configured The following screen displays. Figure 471 VPN Dial This screen displays later if the IPSec routers can build the VPN tunnel.
VPN Troubleshooting If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into the web configurators of both ZyXEL IPSec routers.
Figure 473 VPN Log Example ras> sys log disp ike ipsec # .time source destination notes message 0|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE Rule [ex-1] Tunnel built successfully 1|01/11/2001 18:47:22 |5.
IPSec Debug If you are having difficulty building an IPSec tunnel to a non-ZyXEL IPSec router, advanced users may wish to examine the IPSec debug feature (Menu 24.
Use a VPN Tunnel A VPN tunnel gives you a secure connection to another computer or network.
APPENDIX L Importing Certificates This appendix shows importing certificates examples using Internet Explorer 5.
Figure 476 Login Screen 2 Click Install Certificate to open the Install Certificate wizard. Figure 477 Certificate General Information before Import 3 Click Next to begin the Install Certificate wizard.
Figure 478 Certificate Import Wizard 1 4 Select where you would like to store the certificate and then click Next. Figure 479 Certificate Import Wizard 2 5 Click Finish to complete the Import Certificate wizard.
Figure 480 Certificate Import Wizard 3 6 Click Yes to add the ZyWALL certificate to the root store.
Figure 482 Certificate General Information after Import Enrolling and Importing SSL Client Certificates The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL.
Figure 483 ZyWALL Trusted CA Screen The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s).
Figure 484 CA Certificate Example 2 Click Install Certificate and follow the wizard as shown earlier in this appendix. Installing Your Personal Certificate(s) You need a password in advance.
Figure 485 Personal Certificate Import Wizard 1 2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate.
Figure 487 Personal Certificate Import Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.
Figure 489 Personal Certificate Import Wizard 5 6 You should see the following screen when the certificate is correctly installed on your computer.
Figure 492 SSL Client Authentication 3 You next see the ZyWALL login screen.
ZyWALL 5/35/70 Series User’s Guide 749 Appendix L Importing Certificates.
APPENDIX M Command Interpreter
The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.
APPENDIX N Firewall Commands
The following describes the firewall commands. See Appendix M on page 750 for information on the command structure.
E-mail
config edit firewall e-mail mail-server <ip address of mail server>
This command sets the IP address to which the e-mail messages are sent.
config edit firewall attack minute-high <0-255>
This command sets the threshold rate of new half-open sessions per minute where the ZyWALL starts deleting old half-opened sessions until it gets them down to the minute-low threshold.
Config edit firewall set <set #> tcp-idle-timeout <seconds>
This command sets how long ZyWALL lets an inactive TCP connection remain open before considering it closed.
config edit firewall set <set #> rule <rule #> destaddr-subnet <ip address> <subnet mask>
This command sets a rule to have the ZyWALL check for traffic with a particular subnet destination (defined by IP address and subnet mask).
APPENDIX O NetBIOS Filter Commands
The following describes the NetBIOS packet filter commands.
The filter types and their default settings are as follows.
Table 272 NetBIOS Filter Default Settings
NAME | DESCRIPTION | EXAMPLE
Between LAN and WAN | This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the WAN.
sys filter netbios config 3 on
This command blocks IPSec NetBIOS packets.
APPENDIX P Certificates Commands
The following describes the certificate commands. See Appendix M on page 750 for information on the command structure. All of these commands start with certificates.
create cmp_enroll <name> <CA addr> <CA cert> <auth key> <subject> [key size]
Create a certificate request and enroll for a certificate immediately online using CMP protocol.
replace_factory
Create a certificate using your device MAC address that will be specific to this device. The factory default certificate is a common default certificate for all ZyWALL models.
delete <name>
Delete the specified trusted remote host certificate. <name> specifies the name of the certificate to be deleted.
list
List all trusted remote host certificate names and basic information.
APPENDIX Q Brute-Force Password Guessing Protection
Brute-force password guessing protection allows you to specify a wait-time that must expire before entering a fourth password after three incorrect passwords have been entered.
APPENDIX R Boot Commands
The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware is started.
Figure 495 Boot Module Commands
AT just answer OK
ATHE print help
ATBAx change baudrate.
APPENDIX S Log Descriptions
This appendix provides descriptions of example log messages.
Table 275 System Maintenance Logs
LOG MESSAGE | DESCRIPTION
Time calibration is successful | The router has adjusted its time based on information from the time server.
Configuration Change: PC = 0x%x, Task ID = 0x%x | The router is saving configuration changes.
Successful SSH login | Someone has logged on to the router’s SSH server.
SSH login failed | Someone has failed to log on to the router’s SSH server.
Table 277 Access Control Logs
LOG MESSAGE | DESCRIPTION
Firewall default policy: [ TCP | UDP | IGMP | ESP | GRE | OSPF ] <Packe.
Table 278 TCP Reset Logs
LOG MESSAGE | DESCRIPTION
Under SYN flood attack, sent TCP RST | The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host.
Table 280 ICMP Logs
LOG MESSAGE | DESCRIPTION
Firewall default policy: ICMP <Packet Direction>, <type:%d>, <code:%d> | ICMP access matched the default policy and was blocked or forwarded according to the user's setting.
Table 283 UPnP Logs
LOG MESSAGE | DESCRIPTION
UPnP pass through Firewall | UPnP packets can pass through the firewall.
ppp:LCP Closing | The PPP connection’s Link Control Protocol stage is closing.
For type and code details, see Table 294 on page 785.
Connecting to content filter server fail | The connection to the external content filtering server failed.
License key is invalid | The external content filtering license key is invalid.
Firewall sent TCP packet in response to DoS attack TCP | The firewall sent TCP packet in response to a DoS attack
ICMP Source Quench ICMP | The firewall detected an ICMP Source Quench attack.
Table 287 Wireless Logs
LOG MESSAGE | DESCRIPTION
WLAN MAC Filter Fail | The MAC filter blocked a wireless station from connecting to the device.
WLAN MAC Filter Success | The MAC filter allowed a wireless station to connect to the device.
WLAN STA Association | A wireless station associated with the device.
Table 289 IKE Logs
LOG MESSAGE | DESCRIPTION
Active connection allowed exceeded | The IKE process for a new connection failed because the limit of simultaneous phase 2 SAs has been reached.
Remote IP <Remote IP> / <Remote IP> conflicts | The security gateway is set to “0.0.0.0” and the router used the peer’s “Local Address” as the router’s “Remote Address”.
Rule [%d] Phase 2 authentication algorithm mismatch | The listed rule’s IKE phase 2 authentication algorithm did not match between the router and the peer.
Table 290 PKI Logs
LOG MESSAGE | DESCRIPTION
Enrollment successful | The SCEP online certificate enrollment was successful. The Destination field records the certification authority server IP address and port.
Table 291 Certificate Path Verification Failure Reason Codes
CODE | DESCRIPTION
1 | Algorithm mismatch between the certificate and the search constraints.
2 | Key usage mismatch between the certificate and the search constraints.
Local User Database does not find user`s credential. | A user was not authenticated by the local user database because the user is not listed in the local user database.
RADIUS accepts user.
(L to L/ZW) | LAN to LAN/ZyWALL | ACL set for packets traveling from the LAN to the LAN or the ZyWALL.
(W to W/ZW) | WAN to WAN/ZyWALL | ACL set for packets traveling from the WAN to the WAN or the ZyWALL.
11 Time Exceeded
  0 Time to live exceeded in transit
  1 Fragment reassembly time exceeded
12 Parameter Problem
  0 Pointer indicates .
Signature update OK - New signature version: <Signature version> Release Date: <Release date>! | The device updated the signature file successfully. The signature file’s version and release date are included.
The turbo card is not ready, please insert the card and reboot! | The turbo card is not installed.
The system is doing signature update now, please wait! | The device is updating the signature file.
Remove rating server [%Rating Server IP Address%] from server list! | The listed server IP address has been removed from the list of anti-spam external database servers.
Syslog Logs
There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack.
The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type.
Log Commands
Go to the command interpreter interface. Appendix M on page 750 explains how to access and use the commands.
• Use the sys logs clear command to erase all of the ZyWALL’s logs.
Log Command Example
This example shows how to set the ZyWALL to record the access logs and alerts and then view the results.