ZyXEL 35 Series User's Manual
ZyWALL 5/35/70 Series
Internet Security Appliance
User’s Guide
Version 4.00
12/2005
ZyWALL 5/35/70 Series User’s Guide
Copyright
Copyright © 2005 by ZyXEL Communications Corporation.
The contents of this publication may not be reproduced in any part or as a whole, transcribed,
stored in a retrieval system, translated into any language, or transmitted in any form or by any
means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or
otherwise, without the prior written permission of ZyXEL Communications Corporation.
Published by ZyXEL Communications Corporation. All rights reserved.
Disclaimer
ZyXEL does not assume any liability arising out of the application or use of any products, or
software described herein. Neither does it convey any license under its patent rights nor the
patent rights of others. ZyXEL further reserves the right to make changes in any products
described herein without notice. This publication is subject to change without notice.
Trademarks
ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL
Communications, Inc. Other trademarks mentioned in this publication are used for
identification purposes only and may be properties of their respective owners.
Federal Communications
Commission (FCC) Interference
Statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two
conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause
undesired operations.
This equipment has been tested and found to comply with the limits for a Class B digital
device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable
protection against harmful interference in a commercial environment. This equipment
generates, uses, and can radiate radio frequency energy, and if not installed and used in
accordance with the instructions, may cause harmful interference to radio communications.
If this equipment does cause harmful interference to radio/television reception, which can be
determined by turning the equipment off and on, the user is encouraged to try to correct the
interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and the receiver.
• Connect the equipment into an outlet on a circuit different from that to which the receiver
is connected.
• Consult the dealer or an experienced radio/TV technician for help.
Notice 1
Changes or modifications not expressly approved by the party responsible for compliance
could void the user's authority to operate the equipment.
This Class B digital apparatus complies with Canadian ICES-003.
This Class B digital apparatus complies with Canadian standard NMB-003.
Certifications
1 Go to www.zyxel.com.
2 Select your product from the drop-down list box on the ZyXEL home page to go to that
product's page.
3 Select the certification you wish to view from this page.
Safety Warnings
For your safety, be sure to read and follow all warning notices and instructions.
• Do NOT open the device or unit. Opening or removing covers can expose you to
dangerous high voltage points or other risks. ONLY qualified service personnel can
service the device. Please contact your vendor for further information.
• Connect the power cord to the right supply voltage (110V AC in North America or 230V
AC in Europe).
• Place connecting cables carefully so that no one will step on them or stumble over them.
Do NOT allow anything to rest on the power cord and do NOT locate the product where
anyone can walk on the power cord.
• If you wall mount your device, make sure that no electrical, gas or water pipes will be
damaged.
• Do NOT install nor use your device during a thunderstorm. There may be a remote risk of
electric shock from lightning.
• Do NOT expose your device to dampness, dust or corrosive liquids.
• Do NOT use this product near water, for example, in a wet basement or near a swimming
pool.
• Make sure to connect the cables to the correct ports.
• Do NOT obstruct the device ventilation slots, as insufficient airflow may harm your
device.
• Do NOT store things on the device.
• Connect ONLY suitable accessories to the device.
ZyXEL Limited Warranty
ZyXEL warrants to the original end user (purchaser) that this product is free from any defects
in materials or workmanship for a period of up to two years from the date of purchase. During
the warranty period, and upon proof of purchase, should the product have indications of failure
due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the
defective products or components without charge for either parts or labor, and to whatever
extent it shall deem necessary to restore the product or components to proper operating
condition. Any replacement will consist of a new or re-manufactured functionally equivalent
product of equal value, and will be solely at the discretion of ZyXEL. This warranty shall not
apply if the product is modified, misused, tampered with, damaged by an act of God, or
subjected to abnormal working conditions.
Note
Repair or replacement, as provided under this warranty, is the exclusive remedy of the
purchaser. This warranty is in lieu of all other warranties, express or implied, including any
implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in
no event be held liable for indirect or consequential damages of any kind of character to the
purchaser.
To obtain the services of this warranty, contact ZyXEL's Service Center for your Return
Material Authorization number (RMA). Products must be returned Postage Prepaid. It is
recommended that the unit be insured when shipped. Any returned products without proof of
purchase or those with an out-dated warranty will be repaired or replaced (at the discretion of
ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products
will be shipped by ZyXEL to the corresponding return address, Postage Paid. This warranty
gives you specific legal rights, and you may also have other rights that vary from country to
country.
Customer Support
Please have the following information ready when you contact customer support.
• Product model and serial number.
• Warranty information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.
Contact details by location (method: support e-mail, telephone (a), web site, sales e-mail, fax, FTP site, regular mail):

CORPORATE HEADQUARTERS (WORLDWIDE)
Support e-mail: [email protected]
Telephone (a): +886-3-578-3942
Web site: www.zyxel.com, www.europe.zyxel.com
Sales e-mail: [email protected]
Fax: +886-3-578-2439
FTP site: ftp.zyxel.com, ftp.europe.zyxel.com
Regular mail: ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan

CZECH REPUBLIC
Support e-mail: [email protected]
Telephone: +420-241-091-350
Web site: www.zyxel.cz
Sales e-mail: [email protected]
Fax: +420-241-091-359
Regular mail: ZyXEL Communications Czech s.r.o., Modranská 621, 143 01 Praha 4 - Modrany, Ceská Republika

DENMARK
Support e-mail: [email protected]
Telephone: +45-39-55-07-00
Web site: www.zyxel.dk
Sales e-mail: [email protected]
Fax: +45-39-55-07-07
Regular mail: ZyXEL Communications A/S, Columbusvej, 2860 Soeborg, Denmark

FINLAND
Support e-mail: [email protected]
Telephone: +358-9-4780-8411
Web site: www.zyxel.fi
Sales e-mail: [email protected]
Fax: +358-9-4780 8448
Regular mail: ZyXEL Communications Oy, Malminkaari 10, 00700 Helsinki, Finland

FRANCE
Support e-mail: [email protected]
Telephone: +33-4-72-52-97-97
Web site: www.zyxel.fr
Fax: +33-4-72-52-19-20
Regular mail: ZyXEL France, 1 rue des Vergers, Bat. 1 / C, 69760 Limonest, France

GERMANY
Support e-mail: [email protected]
Telephone: +49-2405-6909-0
Web site: www.zyxel.de
Sales e-mail: [email protected]
Fax: +49-2405-6909-99
Regular mail: ZyXEL Deutschland GmbH., Adenauerstr. 20/A2 D-52146 Wuerselen, Germany

HUNGARY
Support e-mail: [email protected]
Telephone: +36-1-3361649
Web site: www.zyxel.hu
Sales e-mail: [email protected]
Fax: +36-1-3259100
Regular mail: ZyXEL Hungary, 48, Zoldlomb Str., H-1025, Budapest, Hungary

KAZAKHSTAN
Support: http://zyxel.kz/support
Telephone: +7-3272-590-698
Web site: www.zyxel.kz
Sales e-mail: [email protected]
Fax: +7-3272-590-689
Regular mail: ZyXEL Kazakhstan, 43, Dostyk ave., Office 414, Dostyk Business Centre, 050010, Almaty, Republic of Kazakhstan

NORTH AMERICA
Support e-mail: [email protected]
Telephone: 1-800-255-4101, +1-714-632-0882
Web site: www.us.zyxel.com
Sales e-mail: [email protected]
Fax: +1-714-632-0858
FTP site: ftp.us.zyxel.com
Regular mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806-2001, U.S.A.

NORWAY
Support e-mail: [email protected]
Telephone: +47-22-80-61-80
Web site: www.zyxel.no
Sales e-mail: [email protected]
Fax: +47-22-80-61-81
Regular mail: ZyXEL Communications A/S, Nils Hansens vei 13, 0667 Oslo, Norway

POLAND
Support e-mail: [email protected]
Telephone: +48-22-5286603
Web site: www.pl.zyxel.com
Fax: +48-22-5206701
Regular mail: ZyXEL Communications, ul. Emilli Plater 53, 00-113 Warszawa, Poland

RUSSIA
Support: http://zyxel.ru/support
Telephone: +7-095-542-89-29
Web site: www.zyxel.ru
Sales e-mail: [email protected]
Fax: +7-095-542-89-25
Regular mail: ZyXEL Russia, Ostrovityanova 37a Str., Moscow, 117279, Russia

SPAIN
Support e-mail: [email protected]
Telephone: +34-902-195-420
Web site: www.zyxel.es
Sales e-mail: [email protected]
Fax: +34-913-005-345
Regular mail: ZyXEL Communications, Alejandro Villegas 33, 1º, 28043 Madrid, Spain

SWEDEN
Support e-mail: [email protected]
Telephone: +46-31-744-7700
Web site: www.zyxel.se
Sales e-mail: [email protected]
Fax: +46-31-744-7701
Regular mail: ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden

UKRAINE
Support e-mail: [email protected]
Telephone: +380-44-247-69-78
Web site: www.ua.zyxel.com
Sales e-mail: [email protected]
Fax: +380-44-494-49-32
Regular mail: ZyXEL Ukraine, 13, Pimonenko Str., Kiev, 04050, Ukraine

UNITED KINGDOM
Support e-mail: [email protected]
Telephone: +44-1344 303044, 08707 555779 (UK only)
Web site: www.zyxel.co.uk
Sales e-mail: [email protected]
Fax: +44-1344 303034
FTP site: ftp.zyxel.co.uk
Regular mail: ZyXEL Communications UK Ltd., 11 The Courtyard, Eastern Road, Bracknell, Berkshire, RG12 2XB, United Kingdom (UK)
a. “+” is the (prefix) number you enter to make an international telephone call.
Table of Contents
Copyright .................................................................................................................. 2
Federal Communications Commission (FCC) Interference Statement ............... 3
Safety Warnings ....................................................................................................... 5
ZyXEL Limited Warranty.......................................................................................... 6
Customer Support.................................................................................................... 7
Table of Contents ................................................................................................... 10
List of Figures ........................................................................................................ 32
List of Tables .......................................................................................................... 44
Preface .................................................................................................................... 52
Chapter 1
Getting to Know Your ZyWALL ............................................................................. 54
1.1 ZyWALL Internet Security Appliance Overview ..................................................54
1.2 ZyWALL Features ..............................................................................................54
1.2.1 Physical Features .....................................................................................55
1.2.2 Non-Physical Features .............................................................................56
1.3 Applications for the ZyWALL ..............................................................................62
1.3.1 Secure Broadband Internet Access via Cable or DSL Modem .................62
1.3.2 VPN Application ........................................................................................62
1.3.3 Front Panel LEDs .....................................................................................63
Chapter 2
Introducing the Web Configurator........................................................................ 66
2.1 Web Configurator Overview ...............................................................................66
2.2 Accessing the ZyWALL Web Configurator .........................................................66
2.3 Resetting the ZyWALL .......................................................................................67
2.3.1 Procedure To Use The Reset Button ........................................................68
2.3.2 Uploading a Configuration File Via Console Port .....................................68
2.4 Navigating the ZyWALL Web Configurator ........................................................68
2.4.1 Router Mode ..............................................................................................69
2.4.2 Bridge Mode ..............................................................................................71
2.4.3 Navigation Panel .......................................................................................74
2.4.4 System Statistics........................................................................................79
2.4.5 Show Statistics: Line Chart ........................................................................80
2.4.6 DHCP Table Screen ..................................................................................81
2.4.7 VPN Status ................................................................................................82
Chapter 3
Wizard Setup .......................................................................................................... 84
3.1 Wizard Setup Overview ......................................................................................84
3.2 Internet Access .................................................................................................84
3.2.1 ISP Parameters ........................................................................................84
3.2.1.1 Ethernet ...........................................................................................84
3.2.1.2 PPPoE Encapsulation .....................................................................86
3.2.1.3 PPTP Encapsulation .......................................................................87
3.2.2 Internet Access Wizard: Second Screen ...................................................89
3.2.3 Internet Access Wizard: Registration.........................................................90
3.3 VPN Wizard Gateway Setting ............................................................................93
3.4 VPN Wizard Network Setting .............................................................................94
3.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1) .................................................96
3.6 VPN Wizard IPSec Setting (IKE Phase 2) .........................................................98
3.7 VPN Wizard Status Summary ............................................................................99
3.8 VPN Wizard Setup Complete ...........................................................................102
Chapter 4
Registration .......................................................................................................... 104
4.1 myZyXEL.com overview ...................................................................................104
4.1.1 Subscription Services Available on the ZyWALL ....................................104
4.2 Registration ......................................................................................................105
4.3 Service .............................................................................................................107
Chapter 5
LAN Screens......................................................................................................... 110
5.1 LAN Overview ..................................................................................................110
5.2 DHCP Setup .....................................................................................................110
5.2.1 IP Pool Setup ..........................................................................................110
5.3 LAN TCP/IP ......................................................................................................110
5.3.1 Factory LAN Defaults ..............................................................................110
5.3.2 IP Address and Subnet Mask ................................................................. 111
5.3.3 RIP Setup ............................................................................................... 111
5.3.4 Multicast ..................................................................................................112
5.4 DNS Servers ....................................................................................................112
5.5 LAN ..................................................................................................................112
5.6 LAN Static DHCP .............................................................................................115
5.7 LAN IP Alias .....................................................................................................116
5.8 LAN Port Roles ................................................................................................118
Chapter 6
Bridge Screens..................................................................................................... 122
6.1 Bridge Loop ......................................................................................................122
6.2 Spanning Tree Protocol (STP) .........................................................................122
6.2.1 Rapid STP ..............................................................................................123
6.2.2 STP Terminology ....................................................................................123
6.2.3 How STP Works .....................................................................................123
6.2.4 STP Port States ......................................................................................124
6.3 Bridge ...............................................................................................................124
6.4 Bridge Port Roles ............................................................................................126
Chapter 7
WAN Screens........................................................................................................ 130
7.1 WAN Overview .................................................................................................130
7.2 Multiple WAN ....................................................................................................130
7.3 Load Balancing Introduction .............................................................................131
7.4 Load Balancing Algorithms ..............................................................................131
7.4.1 Least Load First ......................................................................................131
7.4.1.1 Example 1 .....................................................................................132
7.4.1.2 Example 2 .....................................................................................132
7.4.2 Weighted Round Robin ...........................................................................133
7.4.3 Spillover ..................................................................................................133
7.5 TCP/IP Priority (Metric) ....................................................................................134
7.6 WAN General ...................................................................................................134
7.7 Configuring Load Balancing .............................................................................137
7.7.1 Least Load First ......................................................................................138
7.7.2 Weighted Round Robin ...........................................................................139
7.7.3 Spillover ..................................................................................................139
7.8 WAN Route ......................................................................................................140
7.9 WAN IP Address Assignment ...........................................................................142
7.10 DNS Server Address Assignment ..................................................................142
7.11 WAN MAC Address ........................................................................................143
7.12 WAN ...............................................................................................................143
7.12.1 WAN Ethernet Encapsulation ...............................................................143
7.12.2 PPPoE Encapsulation ...........................................................................146
7.12.3 PPTP Encapsulation .............................................................................150
7.13 Traffic Redirect ...............................................................................................153
7.14 Configuring Traffic Redirect ............................................................................154
7.15 Configuring Dial Backup .................................................................................155
7.16 Advanced Modem Setup ................................................................................159
7.16.1 AT Command Strings ............................................................................159
7.16.2 DTR Signal ...........................................................................................159
7.16.3 Response Strings ..................................................................................159
7.17 Configuring Advanced Modem Setup ............................................................159
Chapter 8
DMZ Screens ........................................................................................................ 162
8.1 DMZ .................................................................................................................162
8.2 Configuring DMZ ..............................................................................................162
8.3 DMZ Static DHCP ............................................................................................165
8.4 DMZ IP Alias ....................................................................................................167
8.5 DMZ Public IP Address Example .....................................................................168
8.6 DMZ Private and Public IP Address Example ..................................................169
8.7 DMZ Port Roles ................................................................................................170
Chapter 9
Wireless LAN ........................................................................................................ 174
9.1 Wireless LAN Introduction ................................................................................174
9.1.1 Additional Installation Requirements for Using 802.1x ...........................174
9.2 Configuring WLAN ...........................................................................................174
9.3 WLAN Static DHCP ..........................................................................................177
9.4 WLAN IP Alias ..................................................................................................178
9.5 WLAN Port Roles .............................................................................................180
9.6 Wireless Security .............................................................................................182
9.6.1 Encryption ...............................................................................................183
9.6.2 Authentication .........................................................................................183
9.6.3 Restricted Access ...................................................................................184
9.6.4 Hide ZyWALL Identity .............................................................................184
9.7 Security Parameters Summary ........................................................................184
9.8 WEP Encryption ...............................................................................................184
9.9 802.1x Overview ..............................................................................................185
9.9.1 Introduction to RADIUS ..........................................................................185
9.9.1.1 Types of RADIUS Messages .........................................................185
9.9.2 EAP Authentication Overview .................................................................186
9.10 Dynamic WEP Key Exchange ........................................................................186
9.11 Introduction to WPA ........................................................................................187
9.11.1 User Authentication ...............................................................................187
9.11.2 Encryption .............................................................................................187
9.12 WPA-PSK Application Example .....................................................................188
9.13 Introduction to RADIUS ..................................................................................189
9.14 WPA with RADIUS Application Example ........................................................189
9.15 Wireless Client WPA Supplicants ...................................................................190
9.16 Wireless Card .................................................................................................190
9.16.1 Static WEP ............................................................................................192
9.16.2 WPA-PSK .............................................................................................193
9.16.3 WPA ......................................................................................................195
9.16.4 IEEE 802.1x + Dynamic WEP ..............................................................196
9.16.5 IEEE 802.1x + Static WEP ....................................................................197
9.16.6 IEEE 802.1x + No WEP ........................................................................198
9.16.7 No Access 802.1x + Static WEP ...........................................................199
9.16.8 No Access 802.1x + No WEP ...............................................................200
9.17 MAC Filter ......................................................................................................200
Chapter 10
Firewalls................................................................................................................ 202
10.1 Firewall Overview ...........................................................................................202
10.2 Types of Firewalls ..........................................................................................202
10.2.1 Packet Filtering Firewalls ......................................................................202
10.2.2 Application-level Firewalls ....................................................................202
10.2.3 Stateful Inspection Firewalls .................................................................203
10.3 Introduction to ZyXEL’s Firewall .....................................................................203
10.4 Denial of Service ............................................................................................204
10.4.1 Basics ...................................................................................................204
10.4.2 Types of DoS Attacks ...........................................................................205
10.4.2.1 ICMP Vulnerability ......................................................................207
10.4.2.2 Illegal Commands (NetBIOS and SMTP) ....................................207
10.4.2.3 Traceroute ...................................................................................208
10.5 Stateful Inspection ..........................................................................................208
10.5.1 Stateful Inspection Process ..................................................................209
10.5.2 Stateful Inspection and the ZyWALL .....................................................210
10.5.3 TCP Security .........................................................................................210
10.5.4 UDP/ICMP Security ..............................................................................211
10.5.5 Upper Layer Protocols ..........................................................................211
10.6 Guidelines For Enhancing Security With Your Firewall ..................................212
10.7 Packet Filtering Vs Firewall ............................................................................212
10.7.1 Packet Filtering: ....................................................................................212
10.7.1.1 When To Use Filtering .................................................................212
10.7.2 Firewall .................................................................................................213
10.7.2.1 When To Use The Firewall ..........................................................213
Chapter 11
Firewall Screens................................................................................................... 214
11.1 Access Methods .............................................................................................214
11.2 Firewall Policies Overview ..............................................................................214
11.3 Rule Logic Overview ......................................................................................216
11.3.1 Rule Checklist .......................................................................................216
11.3.2 Security Ramifications ..........................................................................216
11.3.3 Key Fields For Configuring Rules .........................................................216
11.3.3.1 Action ...........................................................................................216
11.3.3.2 Service .........................................................................................217
11.3.3.3 Source Address ...........................................................................217
11.3.3.4 Destination Address ....................................................................217
11.4 Connection Direction Examples .....................................................................217
11.4.1 LAN To WAN Rules ...............................................................................217
11.4.2 WAN To LAN Rules ...............................................................................218
11.5 Alerts ..............................................................................................................218
11.6 Firewall Default Rule (Router Mode) ..............................................................219
11.7 Firewall Default Rule (Bridge Mode) ............................................................220
11.8 Firewall Rule Summary .................................................................................222
11.8.1 Firewall Edit Rule ..............................................................223
11.9 Anti-Probing ................................................................................................226
11.10 Firewall Threshold .....................................................................................227
11.10.1 Threshold Values ................................................................................227
11.10.2 Half-Open Sessions ............................................................................227
11.10.2.1 TCP Maximum Incomplete and Blocking Time ..........................228
11.11 Service .........................................................................................................230
11.11.1 Firewall Edit Custom Service ..............................................................232
11.11.2 Predefined Services ............................................................................233
11.12 Example Firewall Rule ..................................................................................235
Chapter 12
Intrusion Detection and Prevention (IDP) .......................................................... 240
12.1 Introduction to IDP .......................................................................................240
12.1.1 Firewalls and Intrusions ........................................................................240
12.1.2 IDS and IDP .........................................................................................241
12.1.3 Host IDP ..............................................................................................241
12.1.4 Network IDP .........................................................................................241
12.1.5 Example Intrusions ...............................................................................242
12.1.5.1 SQL Slammer Worm ...................................................................242
12.1.5.2 Blaster W32.Worm ......................................................................242
12.1.5.3 Nimda ..........................................................................................242
12.1.5.4 MyDoom ......................................................................................243
12.1.6 ZyWALL IDP .........................................................................................243
Chapter 13
Configuring IDP .................................................................................................... 244
13.1 Overview ........................................................................................................244
13.1.1 Interfaces ..............................................................................................244
13.2 General Setup ................................................................................................245
13.3 IDP Signatures ...............................................................................................246
13.3.1 Attack Types .........................................................................................246
13.3.2 Intrusion Severity ..................................................................................248
13.3.3 Signature Actions ..................................................................................248
13.3.4 Configuring IDP Signatures ..................................................................249
13.3.5 Query View ...........................................................................................251
13.3.5.1 Query Example 1 ........................................................................251
13.3.5.2 Query Example 2 ........................................................................253
13.4 Update ...........................................................................................................254
13.4.1 mySecurity Zone ...................................................................................254
13.4.2 Configuring IDP Update ........................................................................255
13.5 Backup and Restore .......................................................................................257
Chapter 14
Anti-Virus .............................................................................................................. 258
14.1 Anti-Virus Overview .......................................................................................258
14.1.1 Types of Computer Viruses .................................................................258
14.1.2 Computer Virus Infection and Prevention .............................................258
14.1.3 Types of Anti-Virus Scanner ................................................................259
14.2 Introduction to the ZyWALL Anti-Virus Scanner .............................................259
14.2.1 How the ZyWALL Anti-Virus Scanner Works .......................................260
14.2.2 Notes About the ZyWALL Anti-Virus .....................................................260
14.3 General Anti-Virus Setup ...............................................................................261
14.4 Signature Update .........................................................................................262
14.4.1 mySecurity Zone ...................................................................................263
14.4.2 Configuring Anti-virus Update ...............................................................263
Chapter 15
Anti-Spam ............................................................................................................. 266
15.1 Anti-Spam Overview ....................................................................................266
15.1.1 Anti-Spam External Database ...............................................................266
15.1.1.1 SpamBulk Engine ........................................................................267
15.1.1.2 SpamRepute Engine ...................................................................267
15.1.1.3 SpamContent Engine ..................................................................267
15.1.1.4 SpamTricks Engine .....................................................................268
15.1.2 Spam Threshold ....................................................................................268
15.1.3 Phishing ................................................................................................268
15.1.4 Whitelist ................................................................................................269
15.1.5 Blacklist .................................................................................................269
15.1.6 SMTP and POP3 ..................................................................................269
15.1.7 MIME Headers ......................................................................................270
15.2 Anti-Spam General Screen ............................................................................270
15.3 Anti-Spam External DB Screen .................................................................271
15.4 Anti-Spam Lists Screen .................................................................................273
15.5 Anti-Spam Rule Edit Screen .........................................................................275
Chapter 16
Content Filtering Screens ................................................................................... 278
16.1 Content Filtering Overview .............................................................................278
16.1.1 Restrict Web Features ..........................................................................278
16.1.2 Create a Filter List ................................................................................278
16.1.3 Customize Web Site Access ................................................................278
16.2 Content Filter General .................................................................................278
16.3 Content Filtering with an External Database ..................................................280
16.4 Content Filter Categories ............................................................................281
16.5 Content Filter Customization .......................................................................288
16.6 Customizing Keyword Blocking URL Checking ..............................................290
16.6.1 Domain Name or IP Address URL Checking ........................................290
16.6.2 Full Path URL Checking .......................................................................290
16.6.3 File Name URL Checking .....................................................................290
16.7 Content Filtering Cache .................................................................................291
Chapter 17
Content Filtering Reports .................................................................................... 294
17.1 Checking Content Filtering Activation ............................................................294
17.2 Viewing Content Filtering Reports ..................................................................294
17.3 Web Site Submission .....................................................................................299
Chapter 18
Introduction to IPSec ........................................................................................... 302
18.1 VPN Overview ................................................................................................302
18.1.1 IPSec ....................................................................................................302
18.1.2 Security Association .............................................................................302
18.1.3 Other Terminology ................................................................................302
18.1.3.1 Encryption ...................................................................................302
18.1.3.2 Data Confidentiality .....................................................................303
18.1.3.3 Data Integrity ...............................................................................303
18.1.3.4 Data Origin Authentication ..........................................................303
18.1.4 VPN Applications ..................................................................................303
18.1.4.1 Linking Two or More Private Networks Together .........................303
18.1.4.2 Accessing Network Resources When NAT Is Enabled ...............303
18.1.4.3 Unsupported IP Applications .......................................................303
18.2 IPSec Architecture .........................................................................................304
18.2.1 IPSec Algorithms ..................................................................................304
18.2.2 Key Management ..................................................................................304
18.3 Encapsulation .................................................................................................304
18.3.1 Transport Mode ....................................................................................305
18.3.2 Tunnel Mode .........................................................................................305
18.4 IPSec and NAT ...............................................................................................305
Chapter 19
VPN Screens......................................................................................................... 308
19.1 VPN/IPSec Overview .....................................................................................308
19.2 IPSec Algorithms ............................................................................................308
19.2.1 AH (Authentication Header) Protocol ....................................................308
19.2.2 ESP (Encapsulating Security Payload) Protocol ..................................308
19.3 My ZyWALL ....................................................................................................309
19.4 Remote Gateway Address .............................................................................309
19.4.1 Dynamic Remote Gateway Address .....................................................310
19.5 Nailed Up .......................................................................................................310
19.6 NAT Traversal ................................................................................................310
19.6.1 NAT Traversal Configuration .................................................................311
19.7 ID Type and Content ......................................................................................311
19.7.1 ID Type and Content Examples ............................................................312
19.8 IKE Phases ....................................................................................................313
19.8.1 Negotiation Mode ..................................................................................314
19.8.2 Pre-Shared Key ....................................................................................314
19.8.3 Diffie-Hellman (DH) Key Groups ...........................................................315
19.8.4 Perfect Forward Secrecy (PFS) ...........................................................315
19.9 X-Auth (Extended Authentication) ..................................................................315
19.9.1 Authentication Server ...........................................................................315
19.10 VPN Rules (IKE) .........................................................................................316
19.11 VPN Rules (IKE) Gateway Policy Edit .........................................................318
19.12 VPN Rules (IKE): Network Policy Edit ......................................................324
19.13 VPN Rules (IKE): Network Policy Move .....................................................328
19.14 VPN Rules (Manual) ...................................................................................329
19.15 VPN Rules (Manual): Edit .........................................................................331
19.15.1 Security Parameter Index (SPI) ..........................................................331
19.16 VPN SA Monitor .........................................................................................335
19.17 VPN Global Setting .....................................................................................336
19.18 Telecommuter VPN/IPSec Examples ...........................................................337
19.18.1 Telecommuters Sharing One VPN Rule Example ..............................337
19.18.2 Telecommuters Using Unique VPN Rules Example ...........................338
19.19 VPN and Remote Management ...................................................................340
Chapter 20
Certificates............................................................................................................ 342
20.1 Certificates Overview .....................................................................................342
20.1.1 Advantages of Certificates ....................................................................343
20.2 Self-signed Certificates ..................................................................................343
20.3 Configuration Summary .................................................................................343
20.4 My Certificates ..............................................................................................344
20.5 My Certificate Import ....................................................................................346
20.5.1 Certificate File Formats .........................................................................346
20.6 My Certificate Create ...................................................................................347
20.7 My Certificate Details ...................................................................................350
20.8 Trusted CAs .................................................................................................353
20.9 Trusted CA Import ........................................................................................355
20.10 Trusted CA Details ......................................................................................356
20.11 Trusted Remote Hosts ................................................................................359
20.12 Verifying a Trusted Remote Host’s Certificate ..............................................361
20.12.1 Trusted Remote Host Certificate Fingerprints .....................................361
20.13 Trusted Remote Hosts Import ....................................................................362
20.14 Trusted Remote Host Certificate Details ....................................................363
20.15 Directory Servers ........................................................................................366
20.16 Directory Server Add or Edit ......................................................................367
Chapter 21
Authentication Server .......................................................................................... 370
21.1 Authentication Server Overview .....................................................................370
21.1.1 Local User Database ............................................................................370
21.1.2 RADIUS ................................................................................................370
21.2 Local User Database ....................................................................................370
21.3 RADIUS ........................................................................................................372
Chapter 22
Network Address Translation (NAT) ................................................................... 374
22.1 NAT Overview ................................................................................................374
22.1.1 NAT Definitions .....................................................................................374
22.1.2 What NAT Does ....................................................................................375
22.1.3 How NAT Works ...................................................................................375
22.1.4 NAT Application ....................................................................................376
22.1.5 Port Restricted Cone NAT ....................................................................377
22.1.6 NAT Mapping Types .............................................................................377
22.2 Using NAT ......................................................................................................378
22.2.1 SUA (Single User Account) Versus NAT ..............................................378
22.3 NAT Overview ..............................................................................................379
22.4 NAT Address Mapping .................................................................................380
22.4.1 NAT Address Mapping Edit ..................................................................382
22.5 Port Forwarding ..............................................................................................383
22.5.1 Default Server IP Address ....................................................................384
22.5.2 Port Forwarding: Services and Port Numbers ......................................384
22.5.3 Configuring Servers Behind Port Forwarding (Example) ......................384
22.5.4 NAT and Multiple WAN .........................................................................385
22.5.5 Port Translation ....................................................................................385
22.6 Port Forwarding .............................................................................................386
22.7 Port Triggering ..............................................................................................388
Chapter 23
Static Route .......................................................................................................... 392
23.1 IP Static Route ............................................................................................392
23.2 IP Static Route ...............................................................................................392
23.2.1 IP Static Route Edit ..............................................................................394
Chapter 24
Policy Route ......................................................................................................... 396
24.1 Policy Route ..................................................................................................396
24.2 Benefits ..........................................................................................................396
24.3 Routing Policy ................................................................................................396
24.4 IP Routing Policy Setup .................................................................................397
24.5 Policy Route Edit ...........................................................................................398
Chapter 25
Bandwidth Management ...................................................................................... 402
25.1 Bandwidth Management Overview ...............................................................402
25.2 Bandwidth Classes and Filters .......................................................................402
25.3 Proportional Bandwidth Allocation .................................................................403
25.4 Application-based Bandwidth Management ...................................................403
25.5 Subnet-based Bandwidth Management .........................................................403
25.6 Application and Subnet-based Bandwidth Management ...............................404
25.7 Scheduler .......................................................................................................404
25.7.1 Priority-based Scheduler ......................................................................404
25.7.2 Fairness-based Scheduler ....................................................................404
25.7.3 Maximize Bandwidth Usage .................................................................404
25.7.4 Reserving Bandwidth for Non-Bandwidth Class Traffic ........................405
25.7.5 Maximize Bandwidth Usage Example ..................................................405
25.7.5.1 Priority-based Allotment of Unused and Unbudgeted Bandwidth 406
25.7.5.2 Fairness-based Allotment of Unused and Unbudgeted Bandwidth ... 406
25.8 Bandwidth Borrowing .....................................................................................407
25.8.1 Bandwidth Borrowing Example .............................................................407
25.9 Maximize Bandwidth Usage With Bandwidth Borrowing ................................408
25.10 Configuring Summary ..................................................................................408
25.11 Configuring Class Setup .............................................................................410
25.11.1 Bandwidth Manager Class Configuration ...........................................411
25.11.2 Bandwidth Management Statistics ...................................................414
25.12 Configuring Monitor ...................................................................................415
Chapter 26
DNS........................................................................................................................ 418
26.1 DNS Overview ..............................................................................................418
26.2 DNS Server Address Assignment ..................................................................418
26.3 DNS Servers ..................................................................................................418
26.4 Address Record .............................................................................................419
26.4.1 DNS Wildcard .......................................................................................419
26.5 Name Server Record .....................................................................................419
26.5.1 Private DNS Server ..............................................................................419
26.6 System Screen ...............................................................................................420
26.6.1 Adding an Address Record ..................................................................422
26.6.2 Inserting a Name Server Record ...........................................................423
26.7 DNS Cache ..................................................................................................424
26.8 Configure DNS Cache ....................................................................................425
26.9 Configuring DNS DHCP ...............................................................................426
26.10 Dynamic DNS .............................................................................................428
26.10.1 DYNDNS Wildcard ..............................................................................428
26.10.2 High Availability ..................................................................................428
26.11 Configuring Dynamic DNS ...........................................................................428
Chapter 27
Remote Management ........................................................................................... 432
27.1 Remote Management Overview .....................................................................432
27.1.1 Remote Management Limitations .........................................................432
27.1.2 System Timeout ....................................................................................433
27.2 Introduction to HTTPS ....................................................................................433
27.3 WWW ...........................................................................................................434
27.4 HTTPS Example ............................................................................................436
27.4.1 Internet Explorer Warning Messages ...................................................436
27.4.2 Netscape Navigator Warning Messages ...............................................437
27.4.3 Avoiding the Browser Warning Messages ............................................438
27.4.4 Login Screen .........................................................................................438
27.5 SSH .............................................................................................................441
27.6 How SSH works .............................................................................................441
27.7 SSH Implementation on the ZyWALL .............................................................442
27.7.1 Requirements for Using SSH ................................................................443
27.8 Configuring SSH ............................................................................................443
27.9 Secure Telnet Using SSH Examples ..............................................................444
27.9.1 Example 1: Microsoft Windows .............................................................444
27.9.2 Example 2: Linux ..................................................................................444
27.10 Secure FTP Using SSH Example ................................................................445
27.11 Telnet ..........................................................................................................446
27.12 Configuring TELNET ....................................................................................446
27.13 FTP ............................................................................................................447
27.14 SNMP .........................................................................................................448
27.14.1 Supported MIBs .................................................................................450
27.14.2 SNMP Traps .......................................................................................450
27.14.3 REMOTE MANAGEMENT: SNMP ......................................................450
27.15 DNS ............................................................................................................452
27.16 Introducing Vantage CNM ...........................................................................452
27.17 Configuring CNM ..........................................................................................453
Chapter 28
UPnP...................................................................................................................... 456
28.1 Universal Plug and Play Overview ...............................................................456
28.1.1 How Do I Know If I'm Using UPnP? ......................................................456
28.1.2 NAT Traversal .......................................................................................456
28.1.3 Cautions with UPnP ..............................................................................456
28.1.4 UPnP and ZyXEL ..................................................................................457
28.2 Configuring UPnP ..........................................................................................457
28.3 Displaying UPnP Port Mapping ...................................................................458
28.4 Installing UPnP in Windows Example ............................................................459
28.4.1 Installing UPnP in Windows Me ............................................................460
28.4.2 Installing UPnP in Windows XP ............................................................461
28.5 Using UPnP in Windows XP Example ...........................................................461
28.5.1 Auto-discover Your UPnP-enabled Network Device .............................462
28.5.2 Web Configurator Easy Access ............................................................463
Chapter 29
ALG Screen........................................................................................................... 466
29.1 ALG Introduction ...........................................................................................466
29.1.1 ALG and NAT ........................................................................................466
29.1.2 ALG and the Firewall ............................................................................466
29.1.3 ALG and Multiple WAN .........................................................................466
29.2 FTP ................................................................................................................467
29.3 H.323 ..............................................................................................................467
29.4 RTP ................................................................................................................467
29.4.1 H.323 ALG Details ................................................................................467
29.5 SIP .................................................................................................................469
29.5.1 STUN ....................................................................................................469
29.5.2 SIP ALG Details ....................................................................................469
29.5.3 SIP Signaling Session Timeout ............................................................470
29.5.4 SIP Audio Session Timeout ..................................................................470
29.6 ALG Screen ....................................................................................................470
Table of Contents
22
ZyWALL 5/35/70 Series User’s Guide
Chapter 30
Logs Screens........................................................................................................ 472
30.1 Configuring View Log ....................................................................................472
30.2 Log Description Example ...............................................................................473
30.2.1 Certificate Not Trusted Log Note ..........................................................474
30.3 Configuring Log Settings ...............................................................................475
30.4 Configuring Reports ......................................................................................478
30.4.1 Viewing Web Site Hits ...........................................................................480
30.4.2 Viewing Protocol/Port ...........................................................................480
30.4.3 Viewing Host IP Address ......................................................................482
30.4.4 Reports Specifications ..........................................................................483
Chapter 31
Maintenance ......................................................................................................... 484
31.1 Maintenance Overview ...................................................................................484
31.2 General Setup ................................................................................................484
31.2.1 General Setup and System Name ........................................................484
31.2.2 General Setup .......................................................................................484
31.3 Configuring Password ...................................................................................485
31.4 Time and Date ...............................................................................................486
31.5 Pre-defined NTP Time Servers List ................................................................489
31.5.1 Resetting the Time ................................................................................489
31.5.2 Time Server Synchronization ................................................................489
31.6 Introduction To Transparent Bridging .............................................................491
31.7 Transparent Firewalls .....................................................................................491
31.8 Configuring Device Mode (Router) ................................................................492
31.9 Configuring Device Mode (Bridge) ................................................................493
31.10 F/W Upload Screen .....................................................................................494
31.11 Backup and Restore ....................................................................................496
31.11.1 Backup Configuration .........................................................................497
31.11.2 Restore Configuration ........................................................................497
31.11.3 Back to Factory Defaults ....................................................................499
31.12 Restart Screen ............................................................................................499
Chapter 32
Introducing the SMT ............................................................................................ 500
32.1 Introduction to the SMT ..................................................................................500
32.2 Accessing the SMT via the Console Port .......................................................500
32.2.1 Initial Screen .........................................................................................500
32.2.2 Entering the Password ..........................................................................501
32.3 Navigating the SMT Interface .........................................................................501
32.3.1 Main Menu ............................................................................................502
32.3.2 SMT Menus Overview ..........................................................................504
32.4 Changing the System Password ....................................................................506
32.5 Resetting the ZyWALL ...................................................................................507
Chapter 33
SMT Menu 1 - General Setup............................................................................... 508
33.1 Introduction to General Setup ........................................................................508
33.2 Configuring General Setup .............................................................................508
33.2.1 Configuring Dynamic DNS ....................................................................510
33.2.1.1 Editing DDNS Host ......................................................................510
Chapter 34
WAN and Dial Backup Setup ............................................................................... 514
34.1 Introduction to WAN and Dial Backup Setup ..................................................514
34.2 WAN Setup .....................................................................................................514
34.3 Dial Backup ....................................................................................................515
34.4 Configuring Dial Backup in Menu 2 ................................................................515
34.5 Advanced WAN Setup ....................................................................................516
34.6 Remote Node Profile (Backup ISP) ................................................................518
34.7 Editing PPP Options .......................................................................................520
34.8 Editing TCP/IP Options ..................................................................................521
34.9 Editing Login Script ........................................................................................523
34.10 Remote Node Filter ......................................................................................525
Chapter 35
LAN Setup............................................................................................................. 526
35.1 Introduction to LAN Setup ..............................................................................526
35.2 Accessing the LAN Menus .............................................................................526
35.3 LAN Port Filter Setup .....................................................................................526
35.4 TCP/IP and DHCP Ethernet Setup Menu ......................................................527
35.4.1 IP Alias Setup .......................................................................................530
Chapter 36
Internet Access .................................................................................................... 532
36.1 Introduction to Internet Access Setup ............................................................532
36.2 Ethernet Encapsulation ..................................................................................532
36.3 Configuring the PPTP Client ..........................................................................534
36.4 Configuring the PPPoE Client ........................................................................534
36.5 Basic Setup Complete ....................................................................................535
Chapter 37
DMZ Setup ............................................................................................................ 536
37.1 Configuring DMZ Setup ..................................................................................536
37.2 DMZ Port Filter Setup ....................................................................................536
37.3 TCP/IP Setup .................................................................................................536
37.3.1 IP Address ............................................................................................537
37.3.2 IP Alias Setup .......................................................................................538
Chapter 38
Route Setup .......................................................................................................... 540
38.1 Configuring Route Setup ................................................................................540
38.2 Route Assessment .........................................................................................540
38.3 Traffic Redirect ...............................................................................................541
38.4 Route Failover ................................................................................................542
Chapter 39
Wireless Setup ..................................................................................................... 544
39.1 Wireless LAN Setup .......................................................................................544
39.1.1 MAC Address Filter Setup ....................................................................546
39.2 TCP/IP Setup .................................................................................................547
39.2.1 IP Address ............................................................................................547
39.2.2 IP Alias Setup .......................................................................................548
Chapter 40
Remote Node Setup ............................................................................................. 550
40.1 Introduction to Remote Node Setup ...............................................................550
40.2 Remote Node Setup .......................................................................................550
40.3 Remote Node Profile Setup ...........................................................................551
40.3.1 Ethernet Encapsulation .........................................................................551
40.3.2 PPPoE Encapsulation ...........................................................................553
40.3.2.1 Outgoing Authentication Protocol ................................................553
40.3.2.2 Nailed-Up Connection .................................................................553
40.3.2.3 Metric ..........................................................................................554
40.3.3 PPTP Encapsulation .............................................................................554
40.4 Edit IP .............................................................................................................555
40.5 Remote Node Filter ........................................................................................557
40.6 Traffic Redirect ...............................................................................................558
Chapter 41
IP Static Route Setup ........................................................................................... 560
41.1 IP Static Route Setup .....................................................................................560
Chapter 42
Network Address Translation (NAT) ................................................................... 562
42.1 Using NAT ......................................................................................................562
42.1.1 SUA (Single User Account) Versus NAT ..............................................562
42.1.2 Applying NAT ........................................................................................562
42.2 NAT Setup ......................................................................................................564
42.2.1 Address Mapping Sets ..........................................................................565
42.2.1.1 SUA Address Mapping Set .........................................................565
42.2.1.2 User-Defined Address Mapping Sets ..........................................566
42.2.1.3 Ordering Your Rules ....................................................................567
42.3 Configuring a Server behind NAT ..................................................................569
42.4 General NAT Examples ..................................................................................572
42.4.1 Internet Access Only .............................................................................572
42.4.2 Example 2: Internet Access with a Default Server ...............................574
42.4.3 Example 3: Multiple Public IP Addresses With Inside Servers .............574
42.4.4 Example 4: NAT Unfriendly Application Programs ...............................578
42.5 Trigger Port Forwarding .................................................................................579
42.5.1 Two Points To Remember About Trigger Ports .....................................579
Chapter 43
Introducing the ZyWALL Firewall ....................................................................... 582
43.1 Using ZyWALL SMT Menus ...........................................................................582
43.1.1 Activating the Firewall ...........................................................................582
Chapter 44
Filter Configuration .............................................................................................. 584
44.1 Introduction to Filters ......................................................................................584
44.1.1 The Filter Structure of the ZyWALL ......................................................585
44.2 Configuring a Filter Set ..................................................................................587
44.2.1 Configuring a Filter Rule .......................................................................588
44.2.2 Configuring a TCP/IP Filter Rule ..........................................................589
44.2.3 Configuring a Generic Filter Rule .........................................................591
44.3 Example Filter ................................................................................................593
44.4 Filter Types and NAT ......................................................................................595
44.5 Firewall Versus Filters ....................................................................................595
44.6 Applying a Filter ............................................................................................596
44.6.1 Applying LAN Filters .............................................................................596
44.6.2 Applying DMZ Filters ............................................................................596
44.6.3 Applying Remote Node Filters ..............................................................597
Chapter 45
SNMP Configuration ............................................................................................ 598
45.1 SNMP Configuration ......................................................................................598
45.2 SNMP Traps ...................................................................................................599
Chapter 46
System Information & Diagnosis ........................................................................ 600
46.1 Introduction to System Status ........................................................................600
46.2 System Status ................................................................................................600
46.3 System Information and Console Port Speed ................................................602
46.3.1 System Information ...............................................................................602
46.3.2 Console Port Speed ..............................................................................603
46.4 Log and Trace ................................................................................................604
46.4.1 Viewing Error Log .................................................................................604
46.4.2 Syslog Logging .....................................................................................605
46.4.3 Call-Triggering Packet ..........................................................................608
46.5 Diagnostic ......................................................................................................608
46.5.1 WAN DHCP ..........................................................................................609
Chapter 47
Firmware and Configuration File Maintenance ................................................. 612
47.1 Introduction ....................................................................................................612
47.2 Filename Conventions ...................................................................................612
47.3 Backup Configuration .....................................................................................613
47.3.1 Backup Configuration ...........................................................................613
47.3.2 Using the FTP Command from the Command Line ..............................614
47.3.3 Example of FTP Commands from the Command Line .........................615
47.3.4 GUI-based FTP Clients .........................................................................615
47.3.5 File Maintenance Over WAN ................................................................615
47.3.6 Backup Configuration Using TFTP .......................................................616
47.3.7 TFTP Command Example ....................................................................616
47.3.8 GUI-based TFTP Clients ......................................................................617
47.3.9 Backup Via Console Port ......................................................................617
47.4 Restore Configuration ....................................................................................618
47.4.1 Restore Using FTP ...............................................................................618
47.4.2 Restore Using FTP Session Example ..................................................620
47.4.3 Restore Via Console Port .....................................................................620
47.5 Uploading Firmware and Configuration Files .................................................621
47.5.1 Firmware File Upload ............................................................................621
47.5.2 Configuration File Upload .....................................................................622
47.5.3 FTP File Upload Command from the DOS Prompt Example ................623
47.5.4 FTP Session Example of Firmware File Upload ...................................623
47.5.5 TFTP File Upload ..................................................................................623
47.5.6 TFTP Upload Command Example ........................................................624
47.5.7 Uploading Via Console Port ..................................................................624
47.5.8 Uploading Firmware File Via Console Port ...........................................624
47.5.9 Example Xmodem Firmware Upload Using HyperTerminal ..................625
47.5.10 Uploading Configuration File Via Console Port ..................................625
47.5.11 Example Xmodem Configuration Upload Using HyperTerminal .........626
Chapter 48
System Maintenance Menus 8 to 10 ................................................................... 628
48.1 Command Interpreter Mode ...........................................................................628
48.1.1 Command Syntax .................................................................................628
48.1.2 Command Usage ..................................................................................629
48.2 Call Control Support .......................................................................................630
48.2.1 Budget Management ............................................................................630
48.2.2 Call History ...........................................................................................631
48.3 Time and Date Setting ....................................................................................632
Chapter 49
Remote Management ........................................................................................... 636
49.1 Remote Management .....................................................................................636
49.1.1 Remote Management Limitations .........................................................638
Chapter 50
IP Policy Routing.................................................................................................. 640
50.1 IP Routing Policy Summary ...........................................................................640
50.2 IP Routing Policy Setup .................................................................................641
50.2.1 Applying Policy to Packets ....................................................................643
50.3 IP Policy Routing Example .............................................................................644
Chapter 51
Call Scheduling .................................................................................................... 648
51.1 Introduction to Call Scheduling ......................................................................648
Chapter 52
Troubleshooting ................................................................................................... 652
52.1 Problems Starting Up the ZyWALL .................................................................652
52.2 Problems with the LAN Interface ....................................................................652
52.3 Problems with the DMZ Interface ...................................................................653
52.4 Problems with the WAN Interface ..................................................................653
52.5 Problems Accessing the ZyWALL ..................................................................654
52.5.1 Pop-up Windows, JavaScripts and Java Permissions ..........................654
52.5.1.1 Internet Explorer Pop-up Blockers ..............................................655
52.5.1.2 JavaScripts ..................................................................................658
52.5.1.3 Java Permissions ........................................................................660
52.6 Packet Flow ....................................................................................................662
Appendix A
Product Specifications ........................................................................................ 664
Appendix B
Hardware Installation........................................................................................... 672
Appendix C
Removing and Installing a Fuse ........................................................................ 676
Appendix D
Setting up Your Computer’s IP Address............................................................ 678
Appendix E
IP Subnetting ........................................................................................................ 694
Appendix F
PPPoE ................................................................................................................... 702
Appendix G
PPTP...................................................................................................................... 704
Appendix H
Wireless LANs ...................................................................................................... 708
Appendix I
Triangle Route ...................................................................................................... 722
Appendix J
Windows 98 SE/Me Requirements for Anti-Virus Message Display................ 726
Appendix K
VPN Setup............................................................................................................. 730
Appendix L
Importing Certificates .......................................................................................... 742
Appendix M
Command Interpreter........................................................................................... 754
Appendix N
Firewall Commands ............................................................................................. 756
Appendix O
NetBIOS Filter Commands .................................................................................. 762
Appendix P
Certificates Commands ....................................................................................... 766
Appendix Q
Brute-Force Password Guessing Protection..................................................... 770
Appendix R
Boot Commands .................................................................................................. 772
Appendix S
Log Descriptions.................................................................................................. 774
Index...................................................................................................................... 798
List of Figures
Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem ................................ 62
Figure 2 VPN Application .................................................................................................... 63
Figure 3 ZyWALL 70 Front Panel ........................................................................................ 63
Figure 4 ZyWALL 35 Front Panel ........................................................................................ 63
Figure 5 ZyWALL 5 Front Panel .......................................................................................... 63
Figure 6 Change Password Screen .................................................................................... 67
Figure 7 Replace Certificate Screen ................................................................................... 67
Figure 8 Example Xmodem Upload .................................................................................... 68
Figure 9 Web Configurator HOME Screen in Router Mode ................................................ 69
Figure 10 Web Configurator HOME Screen in Bridge Mode .............................................. 72
Figure 11 Home : Show Statistics ....................................................................................... 79
Figure 12 Home : Show Statistics: Line Chart ..................................................................... 80
Figure 13 Home : DHCP Table ............................................................................................ 81
Figure 14 Home : VPN Status ............................................................................................. 83
Figure 15 ISP Parameters : Ethernet Encapsulation .......................................................... 85
Figure 16 ISP Parameters : PPPoE Encapsulation ............................................................ 86
Figure 17 ISP Parameters: PPTP Encapsulation ................................................................ 88
Figure 18 Internet Access Wizard: Second Screen ............................................................ 89
Figure 19 Internet Access Setup Complete ........................................................................ 90
Figure 20 Internet Access Wizard: Registration .................................................................. 90
Figure 21 Internet Access Wizard: Registration in Progress ............................................... 91
Figure 22 Internet Access Wizard: Status ........................................................................... 92
Figure 23 Internet Access Wizard: Registration Failed ....................................................... 92
Figure 24 Internet Access Wizard: Registered Device ........................................................ 92
Figure 25 Internet Access Wizard: Activated Services ....................................................... 93
Figure 26 VPN Wizard: Gateway Setting ............................................................................ 93
Figure 27 VPN Wizard: Network Setting ............................................................................. 95
Figure 28 VPN Wizard: IKE Tunnel Setting ......................................................................... 96
Figure 29 VPN Wizard: IPSec Setting ................................................................................. 98
Figure 30 VPN Wizard: VPN Status .................................................................................... 100
Figure 31 VPN Wizard Setup Complete .............................................................................. 102
Figure 32 Registration ......................................................................................................... 105
Figure 33 Registration: Registered Device ......................................................................... 107
Figure 34 Registration: Service ........................................................................................... 107
Figure 35 LAN ..................................................................................................................... 113
Figure 36 LAN Static DHCP ................................................................................................ 115
Figure 37 Physical Network & Partitioned Logical Networks .............................................. 116
Figure 38 LAN IP Alias ........................................................................................................ 117
Figure 39 WLAN Port Role Example .................................................................................. 118
Figure 40 LAN Port Roles ................................................................................................... 119
Figure 41 Port Roles Change Complete ............................................................................. 120
Figure 42 Bridge Loop: Bridge Connected to Wired LAN ................................................... 122
Figure 43 Bridge .................................................................................................................. 125
Figure 44 WLAN Port Role Example .................................................................................. 127
Figure 45 Bridge Port Roles ................................................................................................ 127
Figure 46 Port Roles Change Complete ............................................................................. 128
Figure 47 Least Load First Example .................................................................................. 132
Figure 48 Weighted Round Robin Algorithm Example ........................................................ 133
Figure 49 Spillover Algorithm Example ............................................................................... 134
Figure 50 WAN General ...................................................................................................... 135
Figure 51 Load Balancing: Least Load First ....................................................................... 138
Figure 52 Load Balancing: Weighted Round Robin ............................................................ 139
Figure 53 Load Balancing: Spillover .................................................................................... 140
Figure 54 WAN Route ......................................................................................................... 141
Figure 55 WAN: Ethernet Encapsulation ............................................................................. 144
Figure 56 WAN: PPPoE Encapsulation ............................................................................... 147
Figure 57 WAN: PPTP Encapsulation ................................................................................. 150
Figure 58 Traffic Redirect WAN Setup ................................................................................ 153
Figure 59 Traffic Redirect LAN Setup ................................................................................. 154
Figure 60 Traffic Redirect .................................................................................................... 154
Figure 61 Dial Backup ......................................................................................................... 156
Figure 62 Advanced Setup .................................................................................................. 160
Figure 63 DMZ .................................................................................................................... 163
Figure 64 DMZ Static DHCP ............................................................................................... 166
Figure 65 DMZ: IP Alias ...................................................................................................... 167
Figure 66 DMZ Public Address Example ............................................................................ 169
Figure 67 DMZ Private and Public Address Example ......................................................... 170
Figure 68 WLAN Port Role Example .................................................................................. 171
Figure 69 DMZ: Port Roles ................................................................................................. 172
Figure 70 WLAN .................................................................................................................. 175
Figure 71 WLAN Static DHCP ............................................................................................. 178
Figure 72 WLAN IP Alias .................................................................................................... 179
Figure 73 WLAN Port Role Example .................................................................................. 180
Figure 74 WLAN Port Roles ................................................................................................ 181
Figure 75 WLAN Port Roles Change Complete .................................................................. 182
Figure 76 ZyWALL Wireless Security Levels ...................................................................... 183
Figure 77 EAP Authentication ............................................................................................. 186
Figure 78 WPA-PSK Authentication .................................................................................... 189
Figure 79 WPA with RADIUS Application Example ............................................................ 190
Figure 80 Wireless Card: No Security ................................................................................. 191
Figure 81 Wireless Card: Static WEP ................................................................................. 193
Figure 82 Wireless Card: WPA-PSK ................................................................................... 194
Figure 83 Wireless Card: WPA ........................................................................................... 195
Figure 84 Wireless Card: 802.1x + Dynamic WEP ............................................................. 196
Figure 85 Wireless Card: 802.1x + Static WEP ................................................................... 197
Figure 86 Wireless Card: 802.1x + No WEP ....................................................................... 198
Figure 87 Wireless Card: No Access 802.1x + Static WEP ................................................ 199
Figure 88 Wireless Card: MAC Address Filter .................................................................... 201
Figure 89 ZyWALL Firewall Application .............................................................................. 204
Figure 90 Three-Way Handshake ....................................................................................... 205
Figure 91 SYN Flood ........................................................................................................... 206
Figure 92 Smurf Attack ....................................................................................................... 207
Figure 93 Stateful Inspection ............................................................................................... 209
Figure 94 LAN to WAN Traffic ............................................................................................. 218
Figure 95 WAN to LAN Traffic ............................................................................................. 218
Figure 96 Default Rule (Router Mode) ................................................................................ 219
Figure 97 Default Rule (Bridge Mode) ................................................................................ 221
Figure 98 Rule Summary .................................................................................................... 222
Figure 99 Firewall Edit Rule ................................................................................................ 224
Figure 100 Anti-Probing ...................................................................................................... 226
Figure 101 Firewall Threshold ............................................................................................. 229
Figure 102 Firewall Service ................................................................................................. 231
Figure 103 Firewall Edit Custom Service ............................................................................ 232
Figure 104 Service .............................................................................................................. 236
Figure 105 Edit Custom Service Example .......................................................................... 236
Figure 106 Rule Summary .................................................................................................. 237
Figure 107 Rule Edit Example ............................................................................................ 237
Figure 108 My Service Rule Configuration ......................................................................... 238
Figure 109 My Service Example Rule Summary ................................................................ 239
Figure 110 Network Intrusions ........................................................................................... 240
Figure 111 Applying IDP to Interfaces ................................................................................. 245
Figure 112 IDP: General ..................................................................................................... 246
Figure 113 Attack Types ...................................................................................................... 247
Figure 114 Signature Actions .............................................................................................. 249
Figure 115 IDP: Signatures ................................................................................................. 250
Figure 116 Signature Query by Partial Name ..................................................................... 252
Figure 117 Signature Query by Complete ID ...................................................................... 253
Figure 118 Signature Query by Attribute ............................................................................. 254
Figure 119 Signatures Update ............................................................................................ 255
Figure 120 IDP: Backup & Restore ..................................................................................... 257
Figure 121 ZyWALL Anti-virus Example .......................................................................... 260
Figure 122 Anti-Virus: General ........................................................................................... 261
Figure 123 Anti-Virus: Update ............................................................................................. 264
Figure 124 Anti-spam External Database Example ............................................................ 268
Figure 125 Anti-Spam: General ........................................................................................... 270
Figure 126 Anti-Spam: External DB .................................................................................... 272
Figure 127 Anti-Spam: Lists ................................................................................................ 274
Figure 128 Anti-Spam Rule Edit ......................................................................................... 275
Figure 129 Content Filter: General ...................................................................................... 279
Figure 130 Content Filtering Lookup Procedure ................................................................. 281
Figure 131 Content Filter: Categories ................................................................................. 282
Figure 132 Content Filter: Customization ............................................................................ 288
Figure 133 Content Filter: Cache ........................................................................................ 291
Figure 134 myZyXEL.com: Login ........................................................................................ 295
Figure 135 myZyXEL.com: Welcome .................................................................................. 295
Figure 136 myZyXEL.com: Service Management ............................................................... 296
Figure 137 Blue Coat: Login ............................................................................................... 296
Figure 138 Content Filtering Reports Main Screen ............................................................. 297
Figure 139 Blue Coat: Report Home ................................................................................... 297
Figure 140 Global Report Screen Example ........................................................................ 298
Figure 141 Requested URLs Example ................................................................................ 299
Figure 142 Web Page Review Process Screen .................................................................. 300
Figure 143 Encryption and Decryption ................................................................................ 303
Figure 144 IPSec Architecture ............................................................................................ 304
Figure 145 Transport and Tunnel Mode IPSec Encapsulation ............................................ 305
Figure 146 NAT Router Between IPSec Routers ................................................................ 311
Figure 147 Two Phases to Set Up the IPSec SA ................................................................ 313
Figure 148 VPN Rules (IKE) ............................................................................................... 316
Figure 149 Gateway and Network Policies ........................................................................ 317
Figure 150 IPSec Fields Summary ................................................................................... 317
Figure 151 VPN Rules (IKE): Gateway Policy: Edit .......................................................... 319
Figure 152 VPN Rules (IKE): Network Policy Edit ............................................................. 325
Figure 153 VPN Rules (IKE): Network Policy Move ........................................................... 329
Figure 154 VPN Rules (Manual) ........................................................................................ 330
Figure 155 VPN Rules (Manual): Edit ................................................................................ 332
Figure 156 VPN: SA Monitor ............................................................................................... 335
Figure 157 VPN: Global Setting .......................................................................................... 336
Figure 158 Telecommuters Sharing One VPN Rule Example ............................................. 338
Figure 159 Telecommuters Using Unique VPN Rules Example ......................................... 339
Figure 160 Certificate Configuration Overview ................................................................... 343
Figure 161 My Certificates ................................................................................................. 344
Figure 162 My Certificate Import ......................................................................................... 347
Figure 163 My Certificate Create ........................................................................................ 348
Figure 164 My Certificate Details ........................................................................................ 351
Figure 165 Trusted CAs ...................................................................................................... 354
Figure 166 Trusted CA Import ............................................................................................. 355
Figure 167 Trusted CA Details ............................................................................................ 357
Figure 168 Trusted Remote Hosts ...................................................................................... 360
Figure 169 Remote Host Certificates .................................................................................. 361
Figure 170 Certificate Details ............................................................................................. 362
Figure 171 Trusted Remote Host Import ............................................................................. 363
Figure 172 Trusted Remote Host Details ............................................................................ 364
Figure 173 Directory Servers .............................................................................................. 366
Figure 174 Directory Server Add ......................................................................................... 367
Figure 175 Local User Database ........................................................................................ 371
Figure 176 RADIUS ............................................................................................................ 372
Figure 177 How NAT Works ................................................................................................ 376
Figure 178 NAT Application With IP Alias ........................................................................... 376
Figure 179 Port Restricted Cone NAT Example .................................................................. 377
Figure 180 NAT Overview ................................................................................................... 379
Figure 181 NAT Address Mapping ...................................................................................... 381
Figure 182 NAT Address Mapping Edit ............................................................................... 382
Figure 183 Multiple Servers Behind NAT Example ............................................................. 385
Figure 184 Port Translation Example .................................................................................. 386
Figure 185 Port Forwarding ................................................................................................ 387
Figure 186 Trigger Port Forwarding Process: Example ...................................................... 388
Figure 187 Port Triggering .................................................................................................. 389
Figure 188 Example of Static Routing Topology ................................................................. 392
Figure 189 IP Static Route .................................................................................................. 393
Figure 190 IP Static Route Edit ........................................................................................... 394
Figure 191 Policy Route Summary ..................................................................................... 397
Figure 192 Edit IP Policy Route .......................................................................................... 399
Figure 193 Subnet-based Bandwidth Management Example ............................................. 403
Figure 194 Bandwidth Management: Summary .................................................................. 409
Figure 195 Bandwidth Management: Class Setup .............................................................. 410
Figure 196 Bandwidth Management: Edit Class ................................................................. 412
Figure 197 Bandwidth Management: Statistics ................................................................... 415
Figure 198 Bandwidth Management: Monitor .................................................................... 416
Figure 199 Private DNS Server Example ............................................................................ 420
Figure 200 System DNS ..................................................................................................... 421
Figure 201 System DNS: Add Address Record .................................................................. 422
Figure 202 System DNS: Insert Name Server Record ........................................................ 423
Figure 203 DNS Cache ....................................................................................................... 425
Figure 204 DNS DHCP ....................................................................................................... 427
Figure 205 DDNS ................................................................................................................ 429
Figure 206 HTTPS Implementation ..................................................................................... 434
Figure 207 WWW ................................................................................................................ 435
Figure 208 Security Alert Dialog Box (Internet Explorer) .................................................... 436
Figure 209 Security Certificate 1 (Netscape) ...................................................................... 437
Figure 210 Security Certificate 2 (Netscape) ...................................................................... 437
Figure 211 Login Screen (Internet Explorer) ....................................................................... 439
Figure 212 Login Screen (Netscape) .................................................................................. 439
Figure 213 Replace Certificate ............................................................................................ 440
Figure 214 Device-specific Certificate ................................................................................. 440
Figure 215 Common ZyWALL Certificate ............................................................................ 441
Figure 216 SSH Communication Example .......................................................................... 441
Figure 217 How SSH Works ............................................................................................... 442
Figure 218 SSH ................................................................................................................... 443
Figure 219 SSH Example 1: Store Host Key ....................................................................... 444
Figure 220 SSH Example 2: Test ....................................................................................... 445
Figure 221 SSH Example 2: Log in ..................................................................................... 445
Figure 222 Secure FTP: Firmware Upload Example .......................................................... 446
Figure 223 Telnet Configuration on a TCP/IP Network ....................................................... 446
Figure 224 Telnet ................................................................................................................ 447
Figure 225 FTP ................................................................................................................... 448
Figure 226 SNMP Management Model ............................................................................... 449
Figure 227 SNMP ................................................................................................................ 451
Figure 228 DNS .................................................................................................................. 452
Figure 229 CNM .................................................................................................................. 453
Figure 230 UPnP ................................................................................................................. 457
Figure 231 UPnP Ports ....................................................................................................... 458
Figure 232 H.323 ALG Example ........................................................................................ 468
Figure 233 H.323 with Multiple WAN IP Addresses ........................................................... 468
Figure 234 H.323 Calls from the WAN with Multiple Outgoing Calls .................................. 469
Figure 235 SIP ALG Example ............................................................................................ 470
Figure 236 ALG .................................................................................................................. 471
Figure 237 View Log ........................................................................................................... 472
Figure 238 myZyXEL.com: Download Center ..................................................................... 474
Figure 239 myZyXEL.com: Certificate Download ............................................................... 475
Figure 240 Log Settings ...................................................................................................... 476
Figure 241 Reports ............................................................................................................. 479
Figure 242 Web Site Hits Report Example ......................................................................... 480
Figure 243 Protocol/Port Report Example .......................................................................... 481
Figure 244 Host IP Address Report Example ..................................................................... 482
Figure 245 General Setup ................................................................................................... 485
Figure 246 Password Setup ................................................................................................ 486
Figure 247 Time and Date ................................................................................................... 487
Figure 248 Synchronization in Process ............................................................................... 490
Figure 249 Synchronization is Successful .......................................................................... 490
Figure 250 Synchronization Fail .......................................................................................... 490
Figure 251 Device Mode (Router Mode) ............................................................................. 492
Figure 252 Device Mode (Bridge Mode) ............................................................................. 493
Figure 253 Firmware Upload ............................................................................................... 495
Figure 254 Firmware Upload In Process ............................................................................. 495
Figure 255 Network Temporarily Disconnected .................................................................. 496
Figure 256 Firmware Upload Error ...................................................................................... 496
Figure 257 Backup and Restore ......................................................................................... 497
Figure 258 Configuration Upload Successful ...................................................................... 498
Figure 259 Network Temporarily Disconnected .................................................................. 498
Figure 260 Configuration Upload Error ............................................................................... 498
Figure 261 Reset Warning Message ................................................................................... 499
Figure 262 Restart Screen .................................................................................................. 499
Figure 263 Initial Screen ..................................................................................................... 501
Figure 264 Password Screen ............................................................................................. 501
Figure 265 Main Menu (Router Mode) ................................................................................ 503
Figure 266 Main Menu (Bridge Mode) ................................................................................ 503
Figure 267 Menu 23: System Password ............................................................................. 507
Figure 268 Menu 1: General Setup (Router Mode) ............................................................. 508
Figure 269 Menu 1: General Setup (Bridge Mode) ............................................................. 509
Figure 270 Menu 1.1: Configure Dynamic DNS .................................................................. 510
Figure 271 Menu 1.1.1: DDNS Host Summary ................................................................... 511
Figure 272 Menu 1.1.1: DDNS Edit Host ............................................................................ 512
Figure 273 MAC Address Cloning in WAN Setup ............................................................... 514
Figure 274 Menu 2: Dial Backup Setup ............................................................................ 516
Figure 275 Menu 2.1: Advanced WAN Setup ..................................................................... 517
Figure 276 Menu 11.3: Remote Node Profile (Backup ISP) ............................................... 519
Figure 277 Menu 11.3.1: Remote Node PPP Options ........................................................ 521
Figure 278 Menu 11.3.2: Remote Node Network Layer Options ........................................ 522
Figure 279 Menu 11.3.3: Remote Node Script .................................................................... 524
Figure 280 Menu 11.3.4: Remote Node Filter ..................................................................... 525
Figure 281 Menu 3: LAN Setup ........................................................................................... 526
Figure 282 Menu 3.1: LAN Port Filter Setup ....................................................................... 527
Figure 283 Menu 3: TCP/IP and DHCP Setup ................................................................... 527
Figure 284 Menu 3.2: TCP/IP and DHCP Ethernet Setup .................................................. 528
Figure 285 Menu 3.2.1: IP Alias Setup ............................................................................... 530
Figure 286 Menu 4: Internet Access Setup (Ethernet) ........................................................ 532
Figure 287 Internet Access Setup (PPTP) .......................................................................... 534
Figure 288 Internet Access Setup (PPPoE) ........................................................................ 535
Figure 289 Menu 5: DMZ Setup ......................................................................................... 536
Figure 290 Menu 5.1: DMZ Port Filter Setup ...................................................................... 536
Figure 291 Menu 5: DMZ Setup .......................................................................................... 537
Figure 292 Menu 5.2: TCP/IP and DHCP Ethernet Setup .................................................. 537
Figure 293 Menu 5.2.1: IP Alias Setup ............................................................................... 538
Figure 294 Menu 6: Route Setup ........................................................................................ 540
Figure 295 Menu 6.1: Route Assessment ........................................................................... 540
Figure 296 Menu 6.2: Traffic Redirect ................................................................................. 541
Figure 297 Menu 6.3: Route Failover .................................................................................. 542
Figure 298 Menu 7.1: Wireless Setup ................................................................................. 544
Figure 299 Menu 7.1.1: WLAN MAC Address Filter ........................................................... 546
Figure 300 Menu 7: WLAN Setup ....................................................................................... 547
Figure 301 Menu 7.2: TCP/IP and DHCP Ethernet Setup .................................................. 548
Figure 302 Menu 7.2.1: IP Alias Setup ............................................................................... 549
Figure 303 Menu 11: Remote Node Setup .......................................................................... 551
Figure 304 Menu 11.1: Remote Node Profile for Ethernet Encapsulation ........................... 551
Figure 305 Menu 11.1: Remote Node Profile for PPPoE Encapsulation ............................. 553
Figure 306 Menu 11.1: Remote Node Profile for PPTP Encapsulation ............................... 555
Figure 307 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation ..... 556
Figure 308 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation) ............................. 558
Figure 309 Menu 11.1.4: Remote Node Filter (PPPoE or PPTP Encapsulation) ................ 558
Figure 310 Menu 11.1.5: Traffic Redirect Setup .................................................................. 559
Figure 311 Menu 12: IP Static Route Setup ....................................................................... 560
Figure 312 Menu 12.1: Edit IP Static Route ....................................................................... 561
Figure 313 Menu 4: Applying NAT for Internet Access ....................................................... 563
Figure 314 Menu 11.1.2: Applying NAT to the Remote Node ............................................. 563
Figure 315 Menu 15: NAT Setup ......................................................................................... 564
Figure 316 Menu 15.1: Address Mapping Sets ................................................................... 565
Figure 317 Menu 15.1.255: SUA Address Mapping Rules ................................................. 565
Figure 318 Menu 15.1.1: First Set ....................................................................................... 567
Figure 319 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set ........................ 568
Figure 320 Menu 15.2: NAT Server Sets ............................................................................ 569
Figure 321 Menu 15.2.1: NAT Server Sets ......................................................................... 570
Figure 322 15.2.1.2: NAT Server Configuration .................................................................. 571
Figure 323 Menu 15.2.1: NAT Server Setup ...................................................................... 572
Figure 324 Server Behind NAT Example ............................................................................ 572
Figure 325 NAT Example 1 ................................................................................................. 573
Figure 326 Menu 4: Internet Access & NAT Example ......................................................... 573
Figure 327 NAT Example 2 ................................................................................................. 574
Figure 328 Menu 15.2.1: Specifying an Inside Server ........................................................ 574
Figure 329 NAT Example 3 ................................................................................................. 575
Figure 330 Example 3: Menu 11.1.2 ................................................................................... 576
Figure 331 Example 3: Menu 15.1.1.1 ................................................................................ 576
Figure 332 Example 3: Final Menu 15.1.1 .......................................................................... 577
Figure 333 Example 3: Menu 15.2.1 ................................................................................... 577
Figure 334 NAT Example 4 ................................................................................................. 578
Figure 335 Example 4: Menu 15.1.1.1: Address Mapping Rule .......................................... 578
Figure 336 Example 4: Menu 15.1.1: Address Mapping Rules ........................................... 579
Figure 337 Menu 15.3.1: Trigger Port Setup ....................................................................... 580
Figure 338 Menu 21: Filter and Firewall Setup ................................................................... 582
Figure 339 Menu 21.2: Firewall Setup ................................................................................ 583
Figure 340 Outgoing Packet Filtering Process .................................................................... 584
Figure 341 Filter Rule Process ............................................................................................ 586
Figure 342 Menu 21: Filter and Firewall Setup ................................................................... 587
Figure 343 Menu 21.1: Filter Set Configuration .................................................................. 587
Figure 344 Menu 21.1.1.1: TCP/IP Filter Rule .................................................................... 589
Figure 345 Executing an IP Filter ........................................................................................ 591
Figure 346 Menu 21.1.1.1: Generic Filter Rule ................................................................... 592
Figure 347 Telnet Filter Example ........................................................................................ 593
Figure 348 Example Filter: Menu 21.1.3.1 .......................................................................... 594
Figure 349 Example Filter Rules Summary: Menu 21.1.3 .................................................. 594
Figure 350 Protocol and Device Filter Sets ......................................................................... 595
Figure 351 Filtering LAN Traffic .......................................................................................... 596
Figure 352 Filtering DMZ Traffic .......................................................................................... 597
Figure 353 Filtering Remote Node Traffic ........................................................................... 597
Figure 354 Menu 22: SNMP Configuration ......................................................................... 598
Figure 355 Menu 24: System Maintenance ........................................................................ 600
Figure 356 Menu 24.1: System Maintenance: Status ........................................................ 601
Figure 357 Menu 24.2: System Information and Console Port Speed ................................ 602
Figure 358 Menu 24.2.1: System Maintenance: Information ............................................ 603
Figure 359 Menu 24.2.2: System Maintenance: Change Console Port Speed ................... 604
Figure 360 Menu 24.3: System Maintenance: Log and Trace ............................................ 604
Figure 361 Examples of Error and Information Messages .................................................. 605
Figure 362 Menu 24.3.2: System Maintenance: Syslog Logging ........................................ 605
Figure 363 Call-Triggering Packet Example ........................................................................ 608
Figure 364 Menu 24.4: System Maintenance: Diagnostic ................................................... 609
Figure 365 WAN & LAN DHCP ........................................................................................... 609
Figure 366 Telnet into Menu 24.5 ........................................................................................ 614
Figure 367 FTP Session Example ...................................................................................... 615
Figure 368 System Maintenance: Backup Configuration .................................................... 617
Figure 369 System Maintenance: Starting Xmodem Download Screen ............................. 617
Figure 370 Backup Configuration Example ......................................................................... 618
Figure 371 Successful Backup Confirmation Screen .......................................................... 618
Figure 372 Telnet into Menu 24.6 ........................................................................................ 619
Figure 373 Restore Using FTP Session Example ............................................................... 620
Figure 374 System Maintenance: Restore Configuration ................................................... 620
Figure 375 System Maintenance: Starting Xmodem Download Screen ............................. 620
Figure 376 Restore Configuration Example ........................................................................ 620
Figure 377 Successful Restoration Confirmation Screen ................................................... 621
Figure 378 Telnet Into Menu 24.7.1: Upload System Firmware .......................................... 622
Figure 379 Telnet Into Menu 24.7.2: System Maintenance ................................................ 622
Figure 380 FTP Session Example of Firmware File Upload ............................................... 623
Figure 381 Menu 24.7.1 As Seen Using the Console Port ................................................. 625
Figure 382 Example Xmodem Upload ................................................................................ 625
Figure 383 Menu 24.7.2 As Seen Using the Console Port ................................................ 626
Figure 384 Example Xmodem Upload ................................................................................ 626
Figure 385 Command Mode in Menu 24 ............................................................................. 628
Figure 386 Valid Commands ............................................................................................... 629
Figure 387 Call Control ....................................................................................................... 630
Figure 388 Budget Management ......................................................................................... 631
Figure 389 Call History ........................................................................................................ 632
Figure 390 Menu 24: System Maintenance ........................................................................ 633
Figure 391 Menu 24.10 System Maintenance: Time and Date Setting ............................... 633
Figure 392 Menu 24.11 – Remote Management Control .................................................... 637
Figure 393 Menu 25: Sample IP Routing Policy Summary ................................................. 640
Figure 394 Menu 25.1: IP Routing Policy Setup ................................................................. 642
Figure 395 Menu 25.1.1: IP Routing Policy Setup .............................................................. 644
Figure 396 Example of IP Policy Routing ............................................................................ 645
Figure 397 IP Routing Policy Example 1 ............................................................................. 645
Figure 398 IP Routing Policy Example 2 ............................................................................. 646
Figure 399 Schedule Setup ................................................................................................. 648
Figure 400 Schedule Set Setup .......................................................................................... 649
Figure 401 Applying Schedule Set(s) to a Remote Node (PPPoE) .................................... 650
Figure 402 Applying Schedule Set(s) to a Remote Node (PPTP) ....................................... 651
Figure 403 Pop-up Blocker ................................................................................................. 655
Figure 404 Internet Options: Privacy ................................................................................... 656
Figure 405 Internet Options: Privacy ................................................................................... 657
Figure 406 Pop-up Blocker Settings ................................................................................... 658
Figure 407 Internet Options: Security ................................................................................. 659
Figure 408 Security Settings - Java Scripting ..................................................................... 660
Figure 409 Security Settings - Java .................................................................................... 661
Figure 410 Java (Sun) ......................................................................................................... 662
Figure 411 WLAN Card Installation ..................................................................................... 669
Figure 412 Console/Dial Backup Port Pin Layout ............................................................... 669
Figure 413 Ethernet Cable Pin Assignments ...................................................................... 670
Figure 414 Attaching Rubber Feet .................................................................................... 673
Figure 415 Attaching Mounting Brackets and Screws ........................................................ 674
Figure 416 Rack Mounting .................................................................................................. 674
Figure 417 Windows 95/98/Me: Network: Configuration ..................................................... 679
Figure 418 Windows 95/98/Me: TCP/IP Properties: IP Address ......................................... 680
Figure 419 Windows 95/98/Me: TCP/IP Properties: DNS Configuration ............................ 681
Figure 420 Windows XP: Start Menu .................................................................................. 682
Figure 421 Windows XP: Control Panel .............................................................................. 682
Figure 422 Windows XP: Control Panel: Network Connections: Properties ....................... 683
Figure 423 Windows XP: Local Area Connection Properties .............................................. 683
Figure 424 Windows XP: Internet Protocol (TCP/IP) Properties ......................................... 684
Figure 425 Windows XP: Advanced TCP/IP Properties ...................................................... 685
Figure 426 Windows XP: Internet Protocol (TCP/IP) Properties ......................................... 686
Figure 427 Macintosh OS 8/9: Apple Menu ........................................................................ 687
Figure 428 Macintosh OS 8/9: TCP/IP ................................................................................ 687
Figure 429 Macintosh OS X: Apple Menu ........................................................................... 688
Figure 430 Macintosh OS X: Network ................................................................................. 689
Figure 431 Red Hat 9.0: KDE: Network Configuration: Devices ........................................ 690
Figure 432 Red Hat 9.0: KDE: Ethernet Device: General ................................................. 690
Figure 433 Red Hat 9.0: KDE: Network Configuration: DNS ............................................. 691
Figure 434 Red Hat 9.0: KDE: Network Configuration: Activate ....................................... 691
Figure 435 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0 .............................. 692
Figure 436 Red Hat 9.0: Static IP Address Setting in ifconfig-eth0 .................................. 692
Figure 437 Red Hat 9.0: DNS Settings in resolv.conf ...................................................... 692
Figure 438 Red Hat 9.0: Restart Ethernet Card ................................................................ 693
Figure 439 Red Hat 9.0: Checking TCP/IP Properties ...................................................... 693
Figure 440 Single-Computer per Router Hardware Configuration ...................................... 703
Figure 441 ZyWALL as a PPPoE Client .............................................................................. 703
Figure 442 Transport PPP frames over Ethernet ............................................................... 704
Figure 443 PPTP Protocol Overview .................................................................................. 705
Figure 444 Example Message Exchange between Computer and an ANT ........................ 706
Figure 445 Peer-to-Peer Communication in an Ad-hoc Network ........................................ 708
Figure 446 Basic Service Set .............................................................................................. 709
Figure 447 Infrastructure WLAN ......................................................................................... 710
Figure 448 RTS/CTS ........................................................................................................... 711
Figure 449 EAP Authentication ........................................................................................... 714
Figure 450 WEP Authentication Steps ................................................................................ 717
Figure 451 Roaming Example ............................................................................................. 720
Figure 452 Ideal Setup ........................................................................................................ 722
Figure 453 “Triangle Route” Problem .................................................................................. 723
Figure 454 IP Alias .............................................................................................................. 724
Figure 455 Gateways on the WAN Side .............................................................................. 724
Figure 456 Windows 98 SE: WinPopup ............................................................................ 726
Figure 457 Windows 98 SE: Program Task Bar ................................................................ 727
Figure 458 Windows 98 SE: Task Bar Properties .......................................................... 727
Figure 459 Windows 98 SE: StartUp ................................................................................. 728
Figure 460 Windows 98 SE: Startup: Create Shortcut ..................................................... 728
Figure 461 Windows 98 SE: Startup: Select a Title for the Program ................................ 729
Figure 462 Windows 98 SE: Startup: Shortcut .................................................................. 729
Figure 463 VPN Rules ........................................................................................................ 731
Figure 464 Headquarters Gateway Policy Edit ................................................................... 732
Figure 465 Branch Office Gateway Policy Edit ................................................................... 733
Figure 466 Headquarters VPN Rule ................................................................................... 734
Figure 467 Branch Office VPN Rule ................................................................................... 734
Figure 468 Headquarters Network Policy Edit .................................................................... 735
Figure 469 Branch Office Network Policy Edit .................................................................... 736
Figure 470 VPN Rule Configured ........................................................................................ 737
Figure 471 VPN Dial ........................................................................................................... 737
Figure 472 VPN Tunnel Established ................................................................................... 737
Figure 473 VPN Log Example ............................................................................................ 739
Figure 474 IKE/IPSec Debug Example .............................................................................. 740
Figure 475 Security Certificate ............................................................................................ 742
Figure 476 Login Screen ..................................................................................................... 743
Figure 477 Certificate General Information before Import ................................................... 743
Figure 478 Certificate Import Wizard 1 ............................................................................... 744
Figure 479 Certificate Import Wizard 2 ............................................................................... 744
Figure 480 Certificate Import Wizard 3 ............................................................................... 745
Figure 481 Root Certificate Store ........................................................................................ 745
Figure 482 Certificate General Information after Import ...................................................... 746
Figure 483 ZyWALL Trusted CA Screen ............................................................................. 747
Figure 484 CA Certificate Example ..................................................................................... 748
Figure 485 Personal Certificate Import Wizard 1 ................................................................ 749
Figure 486 Personal Certificate Import Wizard 2 ................................................................ 749
Figure 487 Personal Certificate Import Wizard 3 ................................................................ 750
Figure 488 Personal Certificate Import Wizard 4 ................................................................ 750
Figure 489 Personal Certificate Import Wizard 5 ................................................................ 751
Figure 490 Personal Certificate Import Wizard 6 ................................................................ 751
Figure 491 Access the ZyWALL Via HTTPS ....................................................................... 751
Figure 492 SSL Client Authentication ................................................................................. 752
Figure 493 ZyWALL Secure Login Screen .......................................................................... 752
Figure 494 Option to Enter Debug Mode ............................................................................ 772
Figure 495 Boot Module Commands .................................................................................. 773
Figure 496 Displaying Log Categories Example ................................................................. 796
Figure 497 Displaying Log Parameters Example ................................................................ 796
List of Tables
Table 1 Model Specific Features ........................................................................................ 54
Table 2 Front Panel LEDs .................................................................................................. 64
Table 3 Web Configurator HOME Screen in Router Mode ................................................. 70
Table 4 Web Configurator HOME Screen in Bridge Mode ................................................. 72
Table 5 Bridge and Router Mode Features Comparison .................................................... 74
Table 6 Screens Summary ................................................................................................. 75
Table 7 Home: Show Statistics ........................................................................................... 79
Table 8 Home: Show Statistics: Line Chart ........................................................................ 81
Table 9 Home: DHCP Table ............................................................................................... 82
Table 10 Home: VPN Status .............................................................................................. 83
Table 11 ISP Parameters: Ethernet Encapsulation ........................................................... 85
Table 12 ISP Parameters: PPPoE Encapsulation .............................................................. 86
Table 13 ISP Parameters: PPTP Encapsulation ............................................................... 88
Table 14 Internet Access Wizard: Registration .................................................................. 91
Table 15 VPN Wizard: Gateway Setting ............................................................................. 94
Table 16 VPN Wizard: Network Setting ............................................................................. 95
Table 17 VPN Wizard: IKE Tunnel Setting ......................................................................... 97
Table 18 VPN Wizard: IPSec Setting ................................................................................. 98
Table 19 VPN Wizard: VPN Status ..................................................................................... 100
Table 20 Registration ......................................................................................................... 106
Table 21 Service ................................................................................................................. 108
Table 22 LAN ...................................................................................................................... 113
Table 23 LAN Static DHCP ................................................................................................. 115
Table 24 LAN IP Alias ........................................................................................................ 117
Table 25 LAN Port Roles .................................................................................................... 119
Table 26 STP Path Costs ................................................................................................... 123
Table 27 STP Port States ................................................................................................... 124
Table 28 Bridge .................................................................................................................. 125
Table 29 Bridge Port Roles ................................................................................................ 127
Table 30 Least Load First: Example 1 ................................................................................ 132
Table 31 Least Load First: Example 2 ................................................................................ 132
Table 32 WAN General ....................................................................................................... 136
Table 33 Load Balancing: Least Load First ........................................................................ 138
Table 34 Load Balancing: Weighted Round Robin ............................................................. 139
Table 35 Load Balancing: Spillover .................................................................................... 140
Table 36 WAN Route .......................................................................................................... 141
Table 37 Private IP Address Ranges ................................................................................. 142
Table 38 Example of Network Properties for LAN Servers with Fixed IP Addresses ......... 143
Table 39 WAN: Ethernet Encapsulation ............................................................................. 144
Table 40 WAN: PPPoE Encapsulation ............................................................................... 148
Table 41 WAN: PPTP Encapsulation ................................................................................. 151
Table 42 Traffic Redirect .................................................................................................... 154
Table 43 Dial Backup ......................................................................................................... 157
Table 44 Advanced Setup .................................................................................................. 160
Table 45 DMZ ..................................................................................................................... 163
Table 46 DMZ Static DHCP ................................................................................................ 166
Table 47 DMZ: IP Alias ....................................................................................................... 167
Table 48 DMZ: Port Roles .................................................................................................. 172
Table 49 WLAN .................................................................................................................. 175
Table 50 WLAN Static DHCP ............................................................................................. 178
Table 51 WLAN IP Alias ..................................................................................................... 179
Table 52 WLAN Port Roles ................................................................................................ 181
Table 53 Wireless Security Relational Matrix ..................................................................... 184
Table 54 Wireless Card: No Security ................................................................................. 191
Table 55 Wireless Card: Static WEP .................................................................................. 193
Table 56 Wireless Card: WPA-PSK .................................................................................... 194
Table 57 Wireless Card: WPA ............................................................................................ 195
Table 58 Wireless Card: 802.1x + Dynamic WEP .............................................................. 196
Table 59 Wireless Card: 802.1x + Static WEP ................................................................... 197
Table 60 Wireless Card: 802.1x + No WEP ....................................................................... 199
Table 61 Wireless Card: No Access 802.1x + Static WEP ................................................. 200
Table 62 Wireless Card: MAC Address Filter ..................................................................... 201
Table 63 Common IP Ports ................................................................................................ 204
Table 64 ICMP Commands That Trigger Alerts .................................................................. 207
Table 65 Legal NetBIOS Commands ................................................................................. 207
Table 66 Legal SMTP Commands ..................................................................................... 208
Table 67 Default Rule (Router Mode) ................................................................................. 219
Table 68 Default Rule (Bridge Mode) ................................................................................. 221
Table 69 Rule Summary ..................................................................................................... 222
Table 70 Firewall Edit Rule ................................................................................................. 225
Table 71 Anti-Probing ......................................................................................................... 226
Table 72 Firewall Threshold ............................................................................................... 229
Table 73 Firewall Service ................................................................................................... 231
Table 74 Firewall Edit Custom Service ............................................................................... 232
Table 75 Predefined Services ............................................................................................ 233
Table 76 IDP: General Setup ............................................................................................. 246
Table 77 Attack Types ........................................................................................................ 247
Table 78 Intrusion Severity ................................................................................................. 248
Table 79 Signature Actions ................................................................................................ 249
Table 80 IDP Signatures: Group View ................................................................................ 250
Table 81 Signatures Update ............................................................................................... 256
Table 82 Common Computer Virus Types ......................................................................... 258
Table 83 Anti-Virus: General .............................................................................................. 262
Table 84 Anti-Virus: Update ............................................................................................... 264
Table 85 Anti-Spam: General ............................................................................................. 271
Table 86 Anti-Spam: External DB ....................................................................................... 272
Table 87 Anti-Spam: Lists ................................................................................................... 274
Table 88 Anti-Spam Rule Edit ............................................................................................ 276
Table 89 Content Filter : General ....................................................................................... 279
Table 90 Content Filter: Categories .................................................................................... 282
Table 91 Content Filter: Customization .............................................................................. 289
Table 92 Content Filter: Cache ........................................................................................... 292
Table 93 VPN and NAT ...................................................................................................... 306
Table 94 ESP and AH ........................................................................................................ 309
Table 95 Local ID Type and Content Fields ....................................................................... 312
Table 96 Peer ID Type and Content Fields ........................................................................ 312
Table 97 Matching ID Type and Content Configuration Example ....................................... 312
Table 98 Mismatching ID Type and Content Configuration Example ................................. 313
Table 99 IPSec Fields Summary ........................................................................................ 316
Table 100 VPN screen Icons Key ....................................................................................... 317
Table 101 VPN Rules (IKE): Gateway Policy: Edit ............................................................. 320
Table 102 VPN Rules (IKE): Network Policy Edit ............................................................... 326
Table 103 VPN Rules (IKE): Network Policy Move ............................................................ 329
Table 104 VPN Rules (Manual) .......................................................................................... 330
Table 105 VPN Rules (Manual) Edit ................................................................................... 332
Table 106 VPN: SA Monitor ............................................................................................... 335
Table 107 VPN: Global Setting ........................................................................................... 336
Table 108 Telecommuters Sharing One VPN Rule Example ............................................. 338
Table 109 Telecommuters Using Unique VPN Rules Example .......................................... 339
Table 110 My Certificates ................................................................................................... 344
Table 111 My Certificate Import .......................................................................................... 347
Table 112 My Certificate Create ......................................................................................... 348
Table 113 My Certificate Details ......................................................................................... 352
Table 114 Trusted CAs ....................................................................................................... 354
Table 115 Trusted CA Import .............................................................................................. 356
Table 116 Trusted CA Details ............................................................................................. 357
Table 117 Trusted Remote Hosts ....................................................................................... 360
Table 118 Trusted Remote Host Import .............................................................................. 363
Table 119 Trusted Remote Host Details ............................................................................. 364
Table 120 Directory Servers ............................................................................................... 367
Table 121 Directory Server Add ......................................................................................... 368
Table 122 Local User Database ......................................................................................... 372
Table 123 RADIUS ............................................................................................................. 373
Table 124 NAT Definitions .................................................................................................. 374
Table 125 NAT Mapping Types .......................................................................................... 378
Table 126 NAT Overview .................................................................................................... 379
Table 127 NAT Address Mapping ....................................................................................... 381
Table 128 NAT Address Mapping Edit ............................................................................... 383
Table 129 Services and Port Numbers ............................................................................... 384
Table 130 Port Forwarding ................................................................................................. 387
Table 131 Port Triggering ................................................................................................... 389
Table 132 IP Static Route ................................................................................................... 393
Table 133 IP Static Route Edit ............................................................................................ 394
Table 134 Policy Route Summary ...................................................................................... 398
Table 135 Edit IP Policy Route ........................................................................................... 399
Table 136 Application and Subnet-based Bandwidth Management Example .................... 404
Table 137 Maximize Bandwidth Usage Example ............................................................... 405
Table 138 Priority-based Allotment of Unused and Unbudgeted Bandwidth Example ....... 406
Table 139 Fairness-based Allotment of Unused and Unbudgeted Bandwidth Example .... 406
Table 140 Bandwidth Borrowing Example .......................................................................... 407
Table 141 Bandwidth Management: Summary .................................................................. 409
Table 142 Bandwidth Management: Class Setup .............................................................. 410
Table 143 Bandwidth Management: Edit Class .................................................................. 412
Table 144 Services and Port Numbers ............................................................................... 414
Table 145 Bandwidth Management: Statistics .................................................................... 415
Table 146 Bandwidth Management: Monitor ...................................................................... 416
Table 147 System DNS ...................................................................................................... 421
Table 148 System DNS: Add Address Record ................................................................... 423
Table 149 System DNS: Insert Name Server Record ........................................................ 424
Table 150 DNS Cache ........................................................................................................ 425
Table 151 DNS DHCP ........................................................................................................ 427
Table 152 DDNS ................................................................................................................ 429
Table 153 WWW ................................................................................................................ 435
Table 154 SSH ................................................................................................................... 443
Table 155 Telnet ................................................................................................................. 447
Table 156 FTP .................................................................................................................... 448
Table 157 SNMP Traps ...................................................................................................... 450
Table 158 SNMP ................................................................................................................ 451
Table 159 DNS ................................................................................................................... 452
Table 160 CNM .................................................................................................................. 453
Table 161 UPnP ................................................................................................................. 457
Table 162 UPnP Ports ........................................................................................................ 459
Table 163 ALG ................................................................................................................... 471
Table 164 View Log ............................................................................................................ 473
Table 165 Example Log Description ................................................................................... 473
Table 166 Log Settings ....................................................................................................... 477
Table 167 Reports .............................................................................................................. 479
Table 168 Web Site Hits Report ......................................................................................... 480
Table 169 Protocol/ Port Report ......................................................................................... 481
Table 170 Host IP Address Report ..................................................................................... 482
Table 171 Report Specifications ......................................................................................... 483
Table 172 General Setup ................................................................................................... 485
Table 173 Password Setup ................................................................................................ 486
Table 174 Time and Date ................................................................................................... 487
Table 175 Default Time Servers ......................................................................................... 489
Table 176 MAC-address-to-port Mapping Table ................................................................. 491
Table 177 Device Mode (Router Mode) ............................................................................. 492
Table 178 Device Mode (Bridge Mode) .............................................................................. 493
Table 179 Firmware Upload ............................................................................................... 495
Table 180 Restore Configuration ........................................................................................ 497
Table 181 Main Menu Commands ..................................................................................... 501
Table 182 Main Menu Summary ........................................................................................ 503
Table 183 SMT Menus Overview ....................................................................................... 504
Table 184 Menu 1: General Setup (Router Mode) ............................................................. 508
Table 185 Menu 1: General Setup (Bridge Mode) .............................................................. 509
Table 186 Menu 1.1: Configure Dynamic DNS .................................................................. 510
Table 187 Menu 1.1.1: DDNS Host Summary .................................................................... 511
Table 188 Menu 1.1.1: DDNS Edit Host ............................................................................. 512
Table 189 MAC Address Cloning in WAN Setup ................................................................ 515
Table 190 Menu 2: Dial Backup Setup ............................................................................... 516
Table 191 Advanced WAN Port Setup: AT Commands Fields ........................................... 517
Table 192 Advanced WAN Port Setup: Call Control Parameters ....................................... 518
Table 193 Menu 11.3: Remote Node Profile (Backup ISP) ................................................ 519
Table 194 Menu 11.3.1: Remote Node PPP Options ......................................................... 521
Table 195 Menu 11.3.2: Remote Node Network Layer Options ......................................... 522
Table 196 Menu 11.3.3: Remote Node Script .................................................................... 525
Table 197 Menu 3.2: DHCP Ethernet Setup Fields ............................................................ 528
Table 198 Menu 3.2: LAN TCP/IP Setup Fields ................................................................. 529
Table 199 Menu 3.2.1: IP Alias Setup ................................................................................ 530
Table 200 Menu 4: Internet Access Setup (Ethernet) ....................................................... 533
Table 201 New Fields in Menu 4 (PPTP) Screen ............................................................... 534
Table 202 New Fields in Menu 4 (PPPoE) screen ............................................................. 535
Table 203 Menu 6.1: Route Assessment ........................................................................... 541
Table 204 Menu 6.2: Traffic Redirect ................................................................................. 541
Table 205 Menu 6.3: Route Failover .................................................................................. 542
Table 206 Menu 7.1: Wireless Setup ................................................................................. 545
Table 207 Menu 7.1.1: WLAN MAC Address Filter ............................................................ 546
Table 208 Menu 11.1: Remote Node Profile for Ethernet Encapsulation ........................... 552
Table 209 Fields in Menu 11.1 (PPPoE Encapsulation Specific) ....................................... 554
Table 210 Menu 11.1: Remote Node Profile for PPTP Encapsulation ............................... 555
Table 211 Remote Node Network Layer Options Menu Fields .......................................... 556
Table 212 Menu 11.1.5: Traffic Redirect Setup .................................................................. 559
Table 213 Menu 12.1: Edit IP Static Route ........................................................................ 561
Table 214 Applying NAT in Menus 4 & 11.1.2 .................................................................... 564
Table 215 SUA Address Mapping Rules ............................................................................ 566
Table 216 Fields in Menu 15.1.1 ........................................................................................ 567
Table 217 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set ........................ 568
Table 218 15.2.1.2: NAT Server Configuration ................................................................... 571
Table 219 Menu 15.3.1: Trigger Port Setup ....................................................................... 580
Table 220 Abbreviations Used in the Filter Rules Summary Menu .................................... 588
Table 221 Rule Abbreviations Used ................................................................................... 588
Table 222 Menu 21.1.1.1: TCP/IP Filter Rule ..................................................................... 589
Table 223 Generic Filter Rule Menu Fields ........................................................................ 592
Table 224 SNMP Configuration Menu Fields ..................................................................... 598
Table 225 SNMP Traps ...................................................................................................... 599
Table 226 System Maintenance: Status Menu Fields ........................................................ 601
Table 227 Fields in System Maintenance: Information ....................................................... 603
Table 228 System Maintenance Menu Syslog Parameters ................................................ 605
Table 229 System Maintenance Menu Diagnostic ............................................................. 610
Table 230 Filename Conventions ....................................................................................... 613
Table 231 General Commands for GUI-based FTP Clients ............................................... 615
Table 232 General Commands for GUI-based TFTP Clients ............................................. 617
Table 233 Valid Commands ............................................................................................... 629
Table 234 Budget Management ......................................................................................... 631
Table 235 Call History ........................................................................................................ 632
Table 236 Menu 24.10 System Maintenance: Time and Date Setting ............................... 634
Table 237 Menu 24.11 – Remote Management Control ..................................................... 637
Table 238 Menu 25: Sample IP Routing Policy Summary .................................................. 640
Table 239 IP Routing Policy Setup ..................................................................................... 641
Table 240 Menu 25.1: IP Routing Policy Setup .................................................................. 642
Table 241 Menu 25.1.1: IP Routing Policy Setup ............................................................... 644
Table 242 Schedule Set Setup ........................................................................................... 649
Table 243 Troubleshooting the Start-Up of Your ZyWALL .................................................. 652
Table 244 Troubleshooting the LAN Interface .................................................................... 652
Table 245 Troubleshooting the DMZ Interface ................................................................... 653
Table 246 Troubleshooting the WAN Interface ................................................................... 653
Table 247 Troubleshooting Accessing the ZyWALL ........................................................... 654
Table 248 Device Specifications ......................................................................................... 664
Table 249 Performance ...................................................................................................... 665
Table 250 Firmware Features ............................................................................................ 665
Table 251 Feature Specifications ....................................................................................... 667
Table 252 Compatible ZyXEL WLAN Cards and Security Features .................................. 668
Table 253 Console/Dial Backup Port Pin Assignments ...................................................... 670
Table 254 Classes of IP Addresses ................................................................................... 694
Table 255 Allowed IP Address Range By Class ................................................................. 695
Table 256 “Natural” Masks ................................................................................................ 695
Table 257 Alternative Subnet Mask Notation ..................................................................... 696
Table 258 Two Subnets Example ....................................................................................... 696
Table 259 Subnet 1 ............................................................................................................ 697
Table 260 Subnet 2 ............................................................................................................ 697
Table 261 Subnet 1 ............................................................................................................ 698
Table 262 Subnet 2 ............................................................................................................ 698
Table 263 Subnet 3 ............................................................................................................ 698
Table 264 Subnet 4 ............................................................................................................ 699
Table 265 Eight Subnets .................................................................................................... 699
Table 266 Class C Subnet Planning ................................................................................... 699
Table 267 Class B Subnet Planning ................................................................................... 700
Table 268 IEEE802.11g ...................................................................................................... 712
Table 269 Comparison of EAP Authentication Types ......................................................... 718
Table 270 Wireless Security Relational Matrix ................................................................... 719
Table 271 Firewall Commands ........................................................................................... 756
Table 272 NetBIOS Filter Default Settings ......................................................................... 763
Table 273 Certificates Commands ..................................................................................... 766
Table 274 Brute-Force Password Guessing Protection Commands .................................. 770
Table 275 System Maintenance Logs ................................................................................ 774
Table 276 System Error Logs ............................................................................................. 775
Table 277 Access Control Logs .......................................................................................... 776
Table 278 TCP Reset Logs ................................................................................................ 777
Table 279 Packet Filter Logs .............................................................................................. 777
Table 280 ICMP Logs ......................................................................................................... 778
Table 281 CDR Logs .......................................................................................................... 778
Table 282 PPP Logs ........................................................................................................... 778
Table 283 UPnP Logs ........................................................................................................ 779
Table 284 Content Filtering Logs ....................................................................................... 779
Table 285 Attack Logs ........................................................................................................ 780
Table 286 Remote Management Logs ............................................................................... 781
Table 287 Wireless Logs .................................................................................................... 782
Table 288 IPSec Logs ........................................................................................................ 782
Table 289 IKE Logs ............................................................................................................ 783
Table 290 PKI Logs ............................................................................................................ 786
Table 291 Certificate Path Verification Failure Reason Codes ........................................... 787
Table 292 802.1X Logs ...................................................................................................... 787
Table 293 ACL Setting Notes ............................................................................................. 788
Table 294 ICMP Notes ....................................................................................................... 789
Table 295 IDP Logs ............................................................................................................ 790
Table 296 AV Logs ............................................................................................................. 791
Table 297 AS Logs ............................................................................................................. 792
Table 298 Syslog Logs ....................................................................................................... 794
Table 299 RFC-2408 ISAKMP Payload Types ................................................................... 795
Preface
Congratulations on your purchase of the ZyWALL.
Note: Register your product online to receive e-mail notices of firmware upgrades and
information at www.zyxel.com for global products, or at www.us.zyxel.com for
North American products.
Your ZyWALL is easy to install and configure.
About This User's Guide
This manual is designed to guide you through the configuration of your ZyWALL for its
various applications. The web configurator parts of this guide contain background information
on features configurable by web configurator. The SMT parts of this guide contain
background information solely on features not configurable by web configurator.
Note: Use the web configurator, System Management Terminal (SMT) or command
interpreter interface to configure your ZyWALL. Not all features can be
configured through all interfaces.
Related Documentation
• Supporting Disk
Refer to the included CD for support documents.
• Quick Start Guide
The Quick Start Guide is designed to help you get up and running right away. It contains
a detailed easy-to-follow connection diagram, default settings, handy checklists and
information on setting up your network and configuring for Internet access.
• Web Configurator Online Help
Embedded web help for descriptions of individual screens and supplementary
information.
• ZyXEL Glossary and Web Site
Please refer to www.zyxel.com for an online glossary of networking terms and additional
support documentation.
User Guide Feedback
Help us help you. E-mail all User Guide-related comments, questions or suggestions for
improvement to [email protected] or send regular mail to The Technical Writing
Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park,
Hsinchu, 300, Taiwan. Thank you!
Syntax Conventions
• “Enter” means for you to type one or more characters. “Select” or “Choose” means for
you to use one of the predefined choices.
• The SMT menu titles and labels are in Bold Times New Roman font. Predefined field
choices are in Bold Arial font. Command and arrow keys are enclosed in square
brackets. [ENTER] means the Enter, or carriage return key; [ESC] means the Escape key
and [SPACE BAR] means the Space Bar.
• Mouse action sequences are denoted using a comma. For example, “In Windows, click
Start, Settings and then Control Panel” means first click the Start button, then point
your mouse pointer to Settings and then click Control Panel.
• “e.g.,” is a shorthand for “for instance”, and “i.e.,” means “that is” or “in other words”.
Graphics Icons Key (icon legend; the icons themselves are not reproduced here): ZyWALL,
Computer, Notebook computer, Server, DSLAM, Firewall, Telephone, Switch, Router,
Wireless Signal.
CHAPTER 1
Getting to Know Your ZyWALL
This chapter introduces the main features and applications of the ZyWALL.
1.1 ZyWALL Internet Security Appliance Overview
The ZyWALL is loaded with security features including VPN, firewall, content filtering,
anti-spam, IDP (Intrusion Detection and Prevention), anti-virus and certificates. The ZyWALL’s
De-Militarized Zone (DMZ) increases LAN security by providing separate ports for
connecting publicly accessible servers. The ZyWALL 70 and ZyWALL 35 are designed for
medium-sized businesses that need the increased throughput and reliability of dual WAN ports
and load balancing. The ZyWALL 35 and ZyWALL 5 provide the option to change port roles
from LAN to DMZ.
You can also deploy the ZyWALL as a transparent firewall in an existing network with
minimal configuration.
The ZyWALL provides bandwidth management, NAT, port forwarding, policy routing (not
available for the ZyWALL 5), DHCP server and many other powerful features.
The PCMCIA/CardBus slot allows you to add an 802.11b/g-compliant wireless LAN. You can
use the wireless card as part of the LAN, DMZ or WLAN. The ZyWALL offers highly secure
wireless connectivity to your wired network with IEEE 802.1x, WEP data encryption, WPA
(Wi-Fi Protected Access) and MAC address filtering.
1.2 ZyWALL Features
The following table lists model specific features.
Note: See the product specifications in the appendix for detailed features and
standards support.
Table 1 Model Specific Features
FEATURE                                       ZyWALL 5   ZyWALL 35   ZyWALL 70
Multiple WAN                                             O           O
Load Balancing                                           O           O
Changing Port Roles between the LAN and DMZ   O          O
Policy Route                                             O           O
Table Key: An O in a model’s column shows that the model has the specified feature.
The information in this table was correct at the time of writing, although it may be subject to
change.
1.2.1 Physical Features
LAN Port
The 10/100 Mbps auto-negotiating Ethernet LAN port allows the ZyWALL to detect the speed
of incoming transmissions and adjust appropriately without manual intervention. It allows data
transfer of either 10 Mbps or 100 Mbps in either half-duplex or full-duplex mode depending
on your Ethernet network. The port is also auto-crossover (MDI/MDI-X) meaning it
automatically adjusts to either a crossover or straight-through Ethernet cable.
DMZ Ports
Public servers (Web, FTP, etc.) attached to a DeMilitarized Zone (DMZ) port are visible to the
outside world (while still being protected from DoS (Denial of Service) attacks such as SYN
flooding and Ping of Death) and can also be accessed from the secure LAN.
The 10/100 Mbps auto-negotiating Ethernet ports allow the ZyWALL to detect the speed of
incoming transmissions and adjust appropriately without manual intervention. It allows data
transfer of either 10 Mbps or 100 Mbps in either half-duplex or full-duplex mode depending
on your Ethernet network. The ports are also auto-crossover (MDI/MDI-X) meaning they
automatically adjust to either a crossover or straight-through Ethernet cable.
WLAN Ports
You can set some of the Ethernet ports to a WLAN port role. This allows you to connect
wireless LAN Access Points (APs) to extend the ZyWALL’s wireless LAN coverage area.
Dual Auto-negotiating 10/100 Mbps Ethernet WAN (single on the ZyWALL 5)
The Ethernet WAN ports connect to the Internet via broadband modem or router. You can use
a second connection for load sharing to increase overall network throughput or as a backup to
enhance network reliability.
The 10/100 Mbps auto-negotiating Ethernet ports allow the ZyWALL to detect the speed of
incoming transmissions and adjust appropriately without manual intervention. They allow data
transfers of either 10 Mbps or 100 Mbps in either half-duplex or full-duplex mode depending
on your Ethernet network. The ports are also auto-crossover (MDI/MDI-X) meaning they
automatically adjust to either a crossover or straight-through Ethernet cable.
Dial Backup WAN
The dial backup port can be used in reserve as a traditional dial-up connection if the WAN
(or WAN 1 and WAN 2) and traffic redirect connections all fail.
Time and Date
The ZyWALL allows you to get the current time and date from an external server when you
turn on your ZyWALL. You can also set the time manually. The Real Time Chip (RTC) keeps
track of the time and date.
Reset Button
Use the reset button to restore the factory default password to 1234; IP address to 192.168.1.1,
subnet mask to 255.255.255.0 and DHCP server enabled with a pool of 32 IP addresses
starting at 192.168.1.33.
Dual PCMCIA and CardBus Slot
The dual PCMCIA and CardBus slot provides the option of a wireless LAN. You can
alternatively insert a ZyWALL Turbo Card to use the anti-virus and IDP features.
IEEE 802.11 b/g Wireless LAN
The optional wireless LAN card provides mobility and a fast network environment for small
and home offices. Users can connect to the local area network without any wiring efforts and
enjoy reliable high-speed connectivity.
1.2.2 Non-Physical Features
Load Balancing
The ZyWALL improves quality of service and maximizes bandwidth utilization by dividing
traffic loads between the two WAN interfaces (or ports).
Transparent Firewall
A transparent firewall is also known as a bridge firewall. The ZyWALL can act as a bridge and
still have the capability of filtering and inspecting the packets between a router and the LAN,
or between two routers. You do not need to make any other changes to your existing network.
SIP Passthrough
The ZyWALL includes a SIP Application Layer Gateway (ALG). It allows VoIP calls to pass
through NAT by examining and translating IP addresses embedded in the data stream. Use the
ALG screen to enable or disable the SIP ALG.
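The translation a SIP ALG performs, as the paragraph above describes it, can be seen in a short rewrite of the addresses carried inside a SIP INVITE and its SDP body. This is an added example written for this guide, not the ZyWALL’s SIP ALG implementation or any ZyXEL code; the sample INVITE, the private and public addresses and the RTP port mapping are all constructed for the demonstration.

```python
"""Added example for this guide: a minimal SIP ALG-style rewrite.
Not ZyWALL firmware or ZyXEL code. The INVITE, the addresses and the
port mapping below are constructed for the demonstration."""

PRIVATE_IP = "192.168.1.33"   # constructed: a VoIP phone on the LAN
PUBLIC_IP = "203.0.113.5"     # constructed: the firewall's public WAN address
RTP_PORT_MAP = {49170: 1024}  # constructed: NAT mapping of the phone's RTP port


def build_sample_invite() -> str:
    """Constructed SIP INVITE with an SDP body, as a LAN phone would send it."""
    body = "\r\n".join([
        "v=0",
        f"o=alice 2890844526 2890844526 IN IP4 {PRIVATE_IP}",
        "s=call",
        f"c=IN IP4 {PRIVATE_IP}",
        "t=0 0",
        "m=audio 49170 RTP/AVP 0",
    ])
    head = "\r\n".join([
        "INVITE sip:bob@example.net SIP/2.0",
        f"Via: SIP/2.0/UDP {PRIVATE_IP}:5060;branch=z9hG4bK776",
        "From: <sip:alice@example.com>;tag=1928",
        "To: <sip:bob@example.net>",
        f"Contact: <sip:alice@{PRIVATE_IP}:5060>",
        "Content-Type: application/sdp",
        f"Content-Length: {len(body.encode())}",
    ])
    return head + "\r\n\r\n" + body


def sip_alg_translate(msg: str, private_ip: str, public_ip: str, port_map: dict) -> str:
    """Rewrite the private address embedded in SIP headers and SDP to the public
    one, remap the media port, and recompute Content-Length so the message stays
    well-formed. Plain NAT never touches these fields, which is why VoIP breaks
    without an ALG: the far end would try to reach the private address."""
    head, _, body = msg.partition("\r\n\r\n")

    # SDP body: origin (o=) and connection (c=) carry the inside address,
    # the media line (m=) carries the inside RTP port
    new_body_lines = []
    for line in body.split("\r\n"):
        if line.startswith(("c=", "o=")):
            line = line.replace(private_ip, public_ip)
        elif line.startswith("m="):
            parts = line.split(" ")
            parts[1] = str(port_map.get(int(parts[1]), int(parts[1])))
            line = " ".join(parts)
        new_body_lines.append(line)
    new_body = "\r\n".join(new_body_lines)

    # Headers: Via and Contact tell the far end where responses and later
    # requests must be sent; From/To are identities and are left untouched
    new_head_lines = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name in ("via", "contact"):
            line = line.replace(private_ip, public_ip)
        elif name == "content-length":
            line = f"Content-Length: {len(new_body.encode())}"
        new_head_lines.append(line)
    return "\r\n".join(new_head_lines) + "\r\n\r\n" + new_body


def content_length_matches(msg: str) -> bool:
    """Check that the Content-Length header equals the real body length."""
    head, _, body = msg.partition("\r\n\r\n")
    for line in head.split("\r\n"):
        if line.lower().startswith("content-length:"):
            return int(line.split(":", 1)[1].strip()) == len(body.encode())
    return False


if __name__ == "__main__":
    print(sip_alg_translate(build_sample_invite(), PRIVATE_IP, PUBLIC_IP, RTP_PORT_MAP))
```

The rewrite touches only the fields a NAT device must change for the call to work; the Content-Length recomputation matters because the public address may differ in length from the private one, and a stale length would make the message unparseable at the far end.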
STP (Spanning Tree Protocol) / RSTP (Rapid STP)
When the ZyWALL is set to bridge mode, (R)STP detects and breaks network loops and
provides backup links between switches, bridges or routers. It allows a bridge to interact with
other (R)STP-compliant bridges in your network to ensure that only one path exists between
any two stations on the network.
Bandwidth Management
Bandwidth management allows you to allocate network resources according to defined
policies. This policy-based bandwidth allocation helps your network to better handle real-time
applications such as Voice-over-IP (VoIP).
IPSec VPN Capability
Establish a Virtual Private Network (VPN) to connect with business partners and branch
offices using data encryption and the Internet to provide secure communications without the
expense of leased site-to-site lines. The ZyWALL VPN is based on the IPSec standard and is
fully interoperable with other IPSec-based VPN products.
X-Auth (Extended Authentication)
X-Auth provides added security for VPN by requiring each VPN client to use a username and
password.
Certificates
The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates
are based on public-private key pairs. Certificates provide a way to exchange public keys for
use in authentication.
SSH
The ZyWALL uses the SSH (Secure Shell) secure communication protocol to provide secure
encrypted communication between two hosts over an unsecured network.
HTTPS
HyperText Transfer Protocol over Secure Sockets Layer, or HTTP over SSL, is a web protocol
that encrypts and decrypts web sessions. Use HTTPS for secure web configurator access to the
ZyWALL.
Firewall
The ZyWALL is a stateful inspection firewall with DoS (Denial of Service) protection. By
default, when the firewall is activated, all incoming traffic from the WAN to the LAN is
blocked unless it is initiated from the LAN. The ZyWALL firewall supports TCP/UDP
inspection, DoS detection and prevention, real time alerts, reports and logs.
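The default policy just described (WAN-to-LAN traffic is dropped unless it answers a session the LAN opened) and the SYN flooding protection mentioned under DMZ Ports can be illustrated with a small connection-tracking model. This is an added example written for this guide, not ZyWALL firmware or ZyXEL code; the Packet fields, the interface names, the SYN-rate threshold and the sample addresses are constructed for the demonstration and do not describe how the ZyWALL implements either feature.

```python
"""Added example for this guide: a toy stateful inspection firewall.
Not ZyWALL firmware or ZyXEL code; interfaces, thresholds and sample
traffic are constructed for the demonstration."""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrived on: "LAN" or "WAN" (assumed names)
    proto: str        # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    ts: float = 0.0   # arrival time in seconds


@dataclass
class StatefulFirewall:
    syn_limit: int = 5       # unsolicited SYNs per window from one source before alerting
    window: float = 1.0      # seconds
    sessions: set = field(default_factory=set)
    syn_log: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet):
        # the 5-tuple a reply to this packet's session would carry
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _track_syn(self, p: Packet) -> None:
        """Sliding-window count of unsolicited SYNs per source; raise an alert
        once the count exceeds the limit (the DoS detection part)."""
        q = self.syn_log.setdefault(p.src, deque())
        q.append(p.ts)
        while q and p.ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.syn_limit:
            self.alerts.append(
                f"SYN flood suspected from {p.src}: {len(q)} SYNs in {self.window}s")

    def inspect(self, p: Packet) -> str:
        """Return 'ALLOW' or 'DROP' for one packet."""
        if p.iface == "LAN":
            # LAN may initiate; remember the flow so the WAN side's replies get in
            self.sessions.add(self._key(p))
            return "ALLOW"
        if p.iface == "WAN":
            if self._reverse(p) in self.sessions:
                return "ALLOW"          # reply to a LAN-initiated session
            if p.proto == "TCP" and p.syn and not p.ack:
                self._track_syn(p)      # unsolicited connection attempt: count it
            return "DROP"               # default: WAN-to-LAN is blocked
        return "DROP"


def run_sample():
    """Constructed traffic: one LAN-initiated web session, its reply, then a
    burst of unsolicited SYNs from a WAN host. Returns (verdicts, alerts)."""
    fw = StatefulFirewall(syn_limit=3, window=1.0)
    traffic = [
        Packet("LAN", "TCP", "192.168.1.33", 40000, "203.0.113.10", 80, syn=True, ts=0.0),
        Packet("WAN", "TCP", "203.0.113.10", 80, "192.168.1.33", 40000, syn=True, ack=True, ts=0.1),
        Packet("WAN", "TCP", "198.51.100.7", 5555, "192.168.1.33", 22, syn=True, ts=0.2),
    ] + [
        Packet("WAN", "TCP", "198.51.100.7", 6000 + i, "192.168.1.33", 80, syn=True, ts=0.3 + i * 0.01)
        for i in range(5)
    ]
    verdicts = [fw.inspect(p) for p in traffic]
    return verdicts, fw.alerts


if __name__ == "__main__":
    verdicts, alerts = run_sample()
    print(verdicts)
    for a in alerts:
        print("ALERT:", a)
```

The session table is keyed on the full 5-tuple, so only a WAN packet whose addresses and ports mirror a LAN-opened flow gets through; everything else from the WAN is dropped by default, and the dropped SYNs are additionally rate-counted per source so that a flood shows up as an alert rather than only as silent drops.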
Content Filtering
The ZyWALL can block web features such as ActiveX controls, Java applets and cookies, as
well as disable web proxies. The ZyWALL can block or allow access to web sites that you
specify. The ZyWALL can also block access to web sites containing keywords that you
specify. You can define time periods and days during which content filtering is enabled and
include or exclude a range of users on the LAN from content filtering.
You can also subscribe to category-based content filtering that allows your ZyWALL to check
web sites against an external database of dynamically updated ratings of millions of web sites.
Anti-Spam
The ZyWALL’s anti-spam feature helps detect and mark or discard junk e-mail (spam). The
ZyWALL has a whitelist for identifying legitimate e-mail and a blacklist for identifying spam
e-mail. You can also subscribe to an anti-spam external database service that checks e-mail
against more than a million known spam patterns.
Anti-Virus Scanner
With the anti-virus packet scanner, your ZyWALL scans files transmitted through the enabled
interfaces into the network. The ZyWALL helps stop threats at the network edge before they
reach the local host computers.
Intrusion Detection and Prevention (IDP)
IDP can detect and take actions on malicious or suspicious packets and traffic flows.
ZyWALL Turbo Card
ZyWALL Turbo Card is a co-processor accelerator that is used in conjunction with your
ZyWALL for fast, efficient IDP (Intrusion Detection and Prevention) and AV (Anti Virus)
traffic inspection.
Universal Plug and Play (UPnP)
Using the standard TCP/IP protocol, the ZyWALL and other UPnP-enabled devices can
dynamically join a network, obtain an IP address and convey their capabilities to other devices
on the network.
RADIUS (RFC2138, 2139)
RADIUS (Remote Authentication Dial In User Service) server enables user authentication,
authorization and accounting.
IEEE 802.1x for Network Security
The ZyWALL supports the IEEE 802.1x standard, which works with IEEE 802.11 to enhance
user authentication. With the local user profile, the ZyWALL allows you to configure up to 32
user profiles without a network authentication server. In addition, centralized user and
accounting management is possible on an optional network authentication server.
Wi-Fi Protected Access
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i security specification draft.
Key differences between WPA and WEP are user authentication and improved data
encryption.
Wireless LAN MAC Address Filtering
Your ZyWALL can check the MAC addresses of wireless stations against a list of allowed or
denied MAC addresses.
WEP Encryption
WEP (Wired Equivalent Privacy) encrypts data frames before transmitting over the wireless
network to help keep network communications private.
Packet Filtering
The packet filtering mechanism blocks unwanted traffic from entering/leaving your network.
Call Scheduling
Configure call time periods to restrict and allow access for users on remote nodes.
PPPoE
PPPoE facilitates the interaction of a host with an Internet modem to achieve access to high-speed
data networks via a familiar "dial-up networking" user interface.
PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of
data from a remote client to a private server, creating a Virtual Private Network (VPN) using a
TCP/IP-based network.
PPTP supports on-demand, multi-protocol and virtual private networking over public
networks, such as the Internet. The ZyWALL supports one PPTP server connection at any
given time.
Dynamic DNS Support
With Dynamic DNS (Domain Name System) support, you can have a static hostname alias for
a dynamic IP address, allowing the host to be more easily accessible from various locations on
the Internet. You must register for this service with a Dynamic DNS service provider.
IP Multicast
Deliver IP packets to a specific group of hosts using IP multicast. IGMP (Internet Group
Management Protocol) is the protocol used to support multicast groups. The latest version is
version 2 (see RFC 2236); the ZyWALL supports both versions 1 and 2.
IP Alias
IP Alias allows you to partition a physical network into logical networks over the same
Ethernet interface. The ZyWALL supports three logical LAN, WLAN and/or DMZ interfaces
via its single physical Ethernet LAN, WLAN and/or DMZ interface with the ZyWALL itself
as the gateway for each network.
IP Policy Routing
IP Policy Routing provides a mechanism to override the default routing behavior and alter
packet forwarding based on the policies defined by the network administrator.
Central Network Management
Central Network Management (CNM) allows an enterprise or service provider network
administrator to manage your ZyWALL. The enterprise or service provider network
administrator can configure your ZyWALL, perform firmware upgrades and do
troubleshooting for you.
SNMP
SNMP (Simple Network Management Protocol) is a protocol used for exchanging
management information between network devices. SNMP is a member of the TCP/IP
protocol suite. Your ZyWALL supports SNMP agent functionality, which allows a manager
station to manage and monitor the ZyWALL through the network. The ZyWALL supports
SNMP version one (SNMPv1).
Network Address Translation (NAT)
Network Address Translation (NAT) allows the translation of an Internet protocol address
used within one network (for example a private IP address used in a local network) to a
different IP address known within another network (for example a public IP address used on
the Internet).
Traffic Redirect
Traffic Redirect forwards WAN traffic to a backup gateway on the LAN when the ZyWALL
cannot connect to the Internet, thus acting as an auxiliary backup when your regular WAN
connection fails.
Port Forwarding
Use this feature to forward incoming service requests to a server on your local network. You
may enter a single port number or a range of port numbers to be forwarded, and the local IP
address of the desired server.
DHCP (Dynamic Host Configuration Protocol)
DHCP (Dynamic Host Configuration Protocol) allows the individual client computers to
obtain the TCP/IP configuration at start-up from a centralized DHCP server. The ZyWALL has
built-in DHCP server capability, enabled by default, which means it can assign IP addresses,
an IP default gateway and DNS servers to all systems that support the DHCP client. The
ZyWALL can also act as a surrogate DHCP server (DHCP Relay), where it relays IP address
assignment from the actual DHCP server to the clients.
Full Network Management
The embedded web configurator is an all-platform web-based utility that allows you to easily
access the ZyWALL’s management settings and configure the firewall. Most functions of the
ZyWALL are also software configurable via the SMT (System Management Terminal)
interface. The SMT is a menu-driven interface that you can access from a terminal emulator
through the console port or over a telnet connection.
RoadRunner Support
In addition to standard cable modem services, the ZyWALL supports Time Warner’s
RoadRunner Service.
Logging and Tracing
Built-in message logging and packet tracing.
Syslog facility support.
Upgrade ZyWALL Firmware via LAN
The firmware of the ZyWALL can be upgraded via the LAN.
Embedded FTP and TFTP Servers
The ZyWALL’s embedded FTP and TFTP Servers enable fast firmware upgrades as well as
configuration file backups and restoration.
1.3 Applications for the ZyWALL
Here are some examples of what you can do with your ZyWALL.
1.3.1 Secure Broadband Internet Access via Cable or DSL Modem
You can connect a cable modem, DSL or wireless modem to the ZyWALL for broadband
Internet access via Ethernet or wireless port on the modem. The ZyWALL guarantees not only
high speed Internet access, but secure internal network protection and traffic management as
well.
Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem
1.3.2 VPN Application
ZyWALL VPN is an ideal cost-effective way to connect branch offices and business partners
over the Internet without the need (and expense) for leased lines between sites.
Figure 2 VPN Application
1.3.3 Front Panel LEDs
Figure 3 ZyWALL 70 Front Panel
Figure 4 ZyWALL 35 Front Panel
Figure 5 ZyWALL 5 Front Panel
The following table describes the LEDs.
Table 2 Front Panel LEDs
LED                        COLOR    STATUS     DESCRIPTION
PWR                                 Off        The ZyWALL is turned off.
                           Green    On         The ZyWALL is turned on.
                           Red      On         The power to the ZyWALL is too low.
SYS                        Green    Off        The ZyWALL is not ready or has failed.
                                    On         The ZyWALL is ready and running.
                                    Flashing   The ZyWALL is restarting.
ACT                        Green    Off        The backup port is not connected.
                                    Flashing   The backup port is sending or receiving packets.
CARD                       Green    Off        The wireless LAN is not ready, or has failed.
                                    On         The wireless LAN is ready.
                                    Flashing   The wireless LAN is sending or receiving packets.
LAN 10/100                 Green    Off        The LAN/DMZ is not connected.
(ZyWALL 70 only)                    On         The ZyWALL has a successful 10Mbps Ethernet connection.
                                    Flashing   The 10M LAN is sending or receiving packets.
                           Orange   On         The ZyWALL has a successful 100Mbps Ethernet connection.
                                    Flashing   The 100M LAN is sending or receiving packets.
WAN1/2 10/100              Green    Off        The WAN connection is not ready, or has failed.
or WAN 10/100                       On         The ZyWALL has a successful 10Mbps WAN connection.
                                    Flashing   The 10M WAN is sending or receiving packets.
                           Orange   On         The ZyWALL has a successful 100Mbps WAN connection.
                                    Flashing   The 100M WAN is sending or receiving packets.
DMZ 10/100                 Green    Off        The LAN/DMZ is not connected.
(ZyWALL 70 only)                    On         The ZyWALL has a successful 10Mbps Ethernet connection.
                                    Flashing   The 10M LAN is sending or receiving packets.
                           Orange   On         The ZyWALL has a successful 100Mbps Ethernet connection.
                                    Flashing   The 100M LAN is sending or receiving packets.
LAN/DMZ 10/100             Green    Off        The LAN/DMZ is not connected.
(ZyWALL 35 and ZyWALL 5)            On         The ZyWALL has a successful 10Mbps Ethernet connection.
                                    Flashing   The 10M LAN is sending or receiving packets.
                           Orange   On         The ZyWALL has a successful 100Mbps Ethernet connection.
                                    Flashing   The 100M LAN is sending or receiving packets.
CHAPTER 2 Introducing the Web Configurator
This chapter describes how to access the ZyWALL web configurator and provides an
overview of its screens.
2.1 Web Configurator Overview
The web configurator is an HTML-based management interface that allows easy ZyWALL
setup and management via Internet browser. Use Internet Explorer 6.0 and later or Netscape
Navigator 7.0 and later versions. The recommended screen resolution is 1024 by 768 pixels.
In order to use the web configurator you need to allow:
• Web browser pop-up windows from your device. Web pop-up blocking is enabled by
default in Windows XP SP (Service Pack) 2.
• JavaScript (enabled by default).
• Java permissions (enabled by default).
See the Troubleshooting chapter if you want to make sure these functions are allowed in
Internet Explorer or Netscape Navigator.
2.2 Accessing the ZyWALL Web Configurator
Note: By default, the packets from WLAN to WLAN/ZyWALL are dropped and users
cannot configure the ZyWALL wirelessly.
1 Make sure your ZyWALL hardware is properly connected and prepare your computer/
computer network to connect to the ZyWALL (refer to the Quick Start Guide).
2 Launch your web browser.
3 Type "192.168.1.1" as the URL.
4 Type "1234" (default) as the password and click Login. In some versions, the default
password appears automatically - if this is the case, click Login.
5 You should see a screen asking you to change your password (highly recommended) as
shown next. Type a new password (and retype it to confirm) and click Apply or click
Ignore.
Figure 6 Change Password Screen
6 Click Apply in the Replace Certificate screen to create a certificate using your
ZyWALL’s MAC address that will be specific to this device.
Note: If you do not replace the default certificate here or in the CERTIFICATES
screen, this screen displays every time you access the web configurator.
Figure 7 Replace Certificate Screen
7 You should now see the HOME screen (see Figure 9 on page 69).
Note: The management session automatically times out when the time period set in
the Administrator Inactivity Timer field expires (default five minutes). Simply
log back into the ZyWALL if this happens to you.
2.3 Resetting the ZyWALL
If you forget your password or cannot access the web configurator, you will need to reload the
factory-default configuration file or use the RESET button on the back of the ZyWALL.
Uploading this configuration file replaces the current configuration file with the factory-default
configuration file. This means that you will lose all configurations that you had
previously, and the speed of the console port will be reset to the default of 9600bps with 8 data
bits, no parity, one stop bit and flow control set to none. The password will also be reset to
1234.
2.3.1 Procedure To Use The Reset Button
Make sure the SYS LED is on (not blinking) before you begin this procedure.
1 Press the RESET button for ten seconds, and then release it. If the SYS LED begins to
blink, the defaults have been restored and the ZyWALL restarts. Otherwise, go to step 2.
2 Turn the ZyWALL off.
3 While pressing the RESET button, turn the ZyWALL on.
4 Continue to hold the RESET button. The SYS LED will begin to blink and flicker very
quickly after about 20 seconds. This indicates that the defaults have been restored and the
ZyWALL is now restarting.
5 Release the RESET button and wait for the ZyWALL to finish restarting.
2.3.2 Uploading a Configuration File Via Console Port
1 Download the default configuration file from the ZyXEL FTP site, unzip it and save it in
a folder.
2 Turn off the ZyWALL, begin a terminal emulation software session and turn on the
ZyWALL again. When you see the message "Press Any key to enter Debug Mode within
3 seconds", press any key to enter debug mode.
3 Enter "y" at the prompt below to go into debug mode.
4 Enter "atlc" after "Enter Debug Mode" message.
5 Wait for "Starting XMODEM upload" message before activating Xmodem upload on
your terminal. This is an example Xmodem configuration upload using HyperTerminal.
Figure 8 Example Xmodem Upload (callouts: type the configuration file’s location, or click
Browse to search for it; choose the Xmodem protocol; then click Send)
6 After a successful upload, enter "atgo" to restart the router.
2.4 Navigating the ZyWALL Web Configurator
The following summarizes how to navigate the web configurator from the HOME screen.
This guide uses the ZyWALL 70 screenshots as an example. The screens may vary slightly for
different ZyWALL models.
Note: Follow the instructions you see in the HOME screen or click the icon.
The screen varies according to the device mode you select in the MAINTENANCE Device
Mode screen.
2.4.1 Router Mode
The following screen displays when the ZyWALL is set to router mode. The ZyWALL is set to
router mode by default. Not all fields are available on all models.
Figure 9 Web Configurator HOME Screen in Router Mode (callouts: use submenus to
configure ZyWALL features; click LOGOUT at any time to exit the web configurator)
The following table describes the labels in this screen.
Table 3 Web Configurator HOME Screen in Router Mode
LABEL
DESCRIPTION
Wizards for WAN 1
(WAN) and VPN
Quick Setup
Internet Access
Click Internet Access to use the initial configuration wizard. This configures
WAN1 on a ZyWALL with multiple WAN ports or the WAN port on a ZyWALL with
a single WAN port.
VPN
Click VPN to create VPN policies.
Device Information
System Name
This is the System Name you enter in the MAINTENANCE General screen. It is
for identification purposes.
Firmware Version
This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's
proprietary Network Operating System design.
Routing Protocol
This shows the routing protocol - IP for which the ZyWALL is configured. This field
is not configurable.
Device Mode
This displays whether the ZyWALL is functioning as a router or a bridge.
Firewall
This displays whether or not the ZyWALL’s firewall is activated.
System Time
This field displays your ZyWALL’s present date and time along with the difference
from the Greenwich Mean Time (GMT) zone. The difference from GMT is based
on the time zone. It is also adjusted for Daylight Saving Time if you set the
ZyWALL to use it.
Memory
The first number shows how many kilobytes of the heap memory the ZyWALL is
using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL
Network Operating System) and is thus available for running processes like NAT,
VPN and the firewall.
The second number shows the ZyWALL's total heap memory (in kilobytes).
The bar displays what percent of the ZyWALL's heap memory is in use. The bar
turns from green to red when the maximum is being approached.
Sessions
The first number shows how many sessions are currently open on the ZyWALL.
This includes all sessions that are currently:
• Traversing the ZyWALL
• Terminating at the ZyWALL
• Initiated from the ZyWALL
The second number is the maximum number of sessions that can be open at one
time.
The bar displays what percent of the maximum number of sessions is in use. The
bar turns from green to red when the maximum is being approached.
Policy Routes
The first number shows how many policy routes you have configured.
The second number shows the maximum number of policy routes that you can
configure on the ZyWALL.
The bar displays what percent of the ZyWALL's possible policy routes are
configured. The bar turns from green to red when the maximum is being
approached.
Network Status
Interface
This is the port type.
Port types for a ZyWALL with multiple WAN ports are: WAN1, WAN2, Dial
Backup, LAN, WLAN and DMZ.
Port types for a ZyWALL with a single WAN port are: WAN, Dial Backup, LAN,
WLAN and DMZ.
Click "+" to expand or "-" to collapse the LAN, WLAN (when the wireless card is
part of the WLAN in the Port Roles screen), and DMZ IP alias drop-down lists.
Status
For the LAN and DMZ ports, this displays the port speed and duplex setting.
For the WAN and Dial Backup ports, it displays the port speed and duplex setting
if you’re using Ethernet encapsulation and Down (line is down or not connected),
Idle (line (ppp) idle), Dial (starting to trigger a call) or Drop (dropping a call) if
you’re using PPPoE encapsulation.
For the WLAN port, it displays the transmission rate when a wireless LAN card is
inserted and WLAN is enabled or Down when a wireless LAN card is not inserted
or WLAN is disabled.
IP Address
This shows the port’s IP address.
Subnet Mask
This shows the port’s subnet mask.
IP Assignment
This shows the WAN port’s DHCP role - DHCP Client or Static.
This shows the LAN, WLAN or DMZ port’s DHCP role - DHCP Server, DHCP
Relay or Static.
This shows N/A for the Dial Backup port and the WLAN port when you set the
wireless card to be part of the DMZ or LAN in the Port Roles screen.
Renew
If you are using Ethernet encapsulation and the WAN port is configured to get the
IP address automatically from the ISP, click Renew to release the WAN port’s
dynamically assigned IP address and get the IP address afresh. Click Dial to dial
up the PPTP, PPPoE or dial backup connection.
Show Statistics
Click Show Statistics to see router performance statistics such as the number of
packets sent and number of packets received for each port, including WAN (or
WAN1, WAN2), Dial Backup, LAN, WLAN and DMZ.
Show DHCP Table
Click Show DHCP Table to show current DHCP client information.
VPN Status
Click VPN Status to display the active VPN connections.
2.4.2 Bridge Mode
The following screen displays when the ZyWALL is set to bridge mode. While in bridge
mode, the ZyWALL cannot get an IP address from a DHCP server. The LAN, WAN, DMZ and
WLAN interfaces all have the same (static) IP address and subnet mask. You can configure the
ZyWALL's IP address in order to access the ZyWALL for management. If you connect your
computer directly to the ZyWALL, you also need to assign your computer a static IP address in
the same subnet as the ZyWALL's IP address in order to access the ZyWALL.
The ZyWALL bridges traffic traveling between the ZyWALL's interfaces.
You can use the firewall in bridge mode (refer to the firewall chapters for details on
configuring the firewall).
Figure 10 Web Configurator HOME Screen in Bridge Mode
The following table describes the labels in this screen.
Table 4 Web Configurator HOME Screen in Bridge Mode
LABEL
DESCRIPTION
Wizards for VPN
Quick Setup
VPN
Click VPN to create VPN policies.
Device
Information
System Name
This is the System Name you enter in the MAINTENANCE General screen. It is for
identification purposes.
Firmware Version
This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's
proprietary Network Operating System design.
Device Mode
This displays whether the ZyWALL is functioning as a router or a bridge.
Firewall
This displays whether or not the ZyWALL’s firewall is activated.
System Time
This field displays your ZyWALL’s present date and time along with the difference
from the Greenwich Mean Time (GMT) zone. The difference from GMT is based on
the time zone. It is also adjusted for Daylight Saving Time if you set the ZyWALL to
use it.
Memory
The first number shows how many kilobytes of the heap memory the ZyWALL is
using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL
Network Operating System) and is thus available for running processes like NAT,
VPN and the firewall.
The second number shows the ZyWALL's total heap memory (in kilobytes).
The bar displays what percent of the ZyWALL's heap memory is in use. The bar
turns from green to red when the maximum is being approached.
Sessions
The first number shows how many sessions are currently open on the ZyWALL.
This includes all sessions that are currently:
• Traversing the ZyWALL
• Terminating at the ZyWALL
• Initiated from the ZyWALL
The second number is the maximum number of sessions that can be open at one
time.
The bar displays what percent of the maximum number of sessions is in use. The
bar turns from green to red when the maximum is being approached.
Network Status
IP Address
This is the IP address of your ZyWALL in dotted decimal notation.
Subnet Mask
This is the IP subnet mask of the ZyWALL.
Gateway IP
Address
This is the gateway IP address.
Rapid Spanning
Tree Protocol
This shows whether RSTP (Rapid Spanning Tree Protocol) is active or not. The
following labels or values relative to RSTP do not apply when RSTP is disabled.
Bridge Priority
This is the bridge priority of the ZyWALL.
Bridge Hello Time
This is the interval of BPDUs (Bridge Protocol Data Units) from the root bridge.
Bridge Max Age
This is the predefined interval that a bridge waits to get a Hello message (BPDU)
from the root bridge.
Forward Delay
This is the forward delay interval.
Bridge Port
This is the port type. Port types are: WAN (or WAN1, WAN2), LAN, Wireless Card,
DMZ and WLAN Interface.
Port Status
For the WAN, LAN, DMZ, and WLAN Interfaces, this displays the port speed and
duplex setting. For the WAN port, it displays Down when the link is not ready or has
failed. For the wireless card, it displays the transmission rate when a wireless LAN
card is inserted and WLAN is enabled or Down when a wireless LAN is not inserted
or WLAN is disabled.
RSTP Status
This is the RSTP status of the corresponding port.
RSTP Active
This shows whether or not RSTP is active on the corresponding port.
RSTP Priority
This is the RSTP priority of the corresponding port.
RSTP Path Cost
This is the cost of transmitting a frame from the root bridge to the corresponding
port.
Show Statistics
Click Show Statistics to see bridge performance statistics such as the number of
packets sent and number of packets received for each port, including WAN (or
WAN1, WAN2), Dial Backup, LAN, WLAN and DMZ.
VPN Status
Click VPN Status to display the active VPN connections.
2.4.3 Navigation Panel
After you enter the password, use the sub-menus on the navigation panel to configure
ZyWALL features.
The following table lists the features available for each device mode. Not all ZyWALLs have
all features listed in this table.
Table 5 Bridge and Router Mode Features Comparison
FEATURE                    BRIDGE MODE    ROUTER MODE
Internet Access Wizard                    O
VPN Wizard                 O              O
DHCP Table                                O
System Statistics          O              O
Registration               O              O
LAN                                       O
WAN                                       O
DMZ                                       O
Bridge                     O
WLAN                                      O
Wireless Card              O              O
Firewall                   O              O
IDP                        O              O
Anti-Virus                 O              O
Anti-Spam                  O              O
Content Filter             O              O
VPN                        O              O
Certificates               O              O
Authentication Server      O              O
NAT                                       O
Static Route                              O
Policy Route                              O
Bandwidth Management       O              O
DNS                                       O
Remote Management          O              O
UPnP                       O              O
ALG                        O              O
Logs                       O              O
Maintenance                O              O
Table Key: An O in a mode’s column shows that the device mode has the specified feature.
The information in this table was correct at the time of writing, although it may be subject to
change.
The following table describes the sub-menus.
Table 6 Screens Summary
LINK / TAB: FUNCTION
HOME: This screen shows the ZyWALL’s general device and network status information. Use this screen to access the wizards, statistics and DHCP table.
REGISTRATION
  Registration: Use this screen to register your ZyWALL and activate the trial service subscriptions.
  Service: Use this screen to manage and update the service status and license information.
NETWORK / LAN
  LAN: Use this screen to configure LAN DHCP and TCP/IP settings.
  Static DHCP: Use this screen to assign fixed IP addresses on the LAN.
  IP Alias: Use this screen to partition your LAN interface into subnets.
  Port Roles (ZyWALL 5 and ZyWALL 35): Use this screen to change the LAN/DMZ/WLAN port roles.
NETWORK / BRIDGE
  Bridge: Use this screen to change the bridge settings on the ZyWALL.
  Port Roles: Use this screen to change the DMZ/WLAN port roles on the ZyWALL 70 or the LAN/DMZ/WLAN port roles on the ZyWALL 5 or ZyWALL 35.
NETWORK / WAN
  General: This screen allows you to configure load balancing, route priority and traffic redirect properties.
  Route (ZyWALL 5 only): This screen allows you to configure route priority.
  WAN (ZyWALL 5 only): Use this screen to configure the WAN port for Internet access.
  WAN1 (ZyWALL 35 and ZyWALL 70): Use this screen to configure the WAN1 port for Internet access.
  WAN2 (ZyWALL 35 and ZyWALL 70): Use this screen to configure the WAN2 port for Internet access.
  Traffic Redirect: Use this screen to configure your traffic redirect properties and parameters.
  Dial Backup: Use this screen to configure the backup WAN dial-up connection.
NETWORK / DMZ
  DMZ: Use this screen to configure your DMZ connection.
  Static DHCP: Use this screen to assign fixed IP addresses on the DMZ.
  IP Alias: Use this screen to partition your DMZ interface into subnets.
  Port Roles: Use this screen to change the DMZ/WLAN port roles on the ZyWALL 70 or the LAN/DMZ/WLAN port roles on the ZyWALL 5 or ZyWALL 35.
NETWORK / WLAN
  WLAN: Use this screen to configure your WLAN connection.
  Static DHCP: Use this screen to assign fixed IP addresses on the WLAN.
  IP Alias: Use this screen to partition your WLAN interface into subnets.
  Port Roles: Use this screen to change the DMZ/WLAN port roles on the ZyWALL 70 or the LAN/DMZ/WLAN port roles on the ZyWALL 5 or ZyWALL 35.
NETWORK / WIRELESS CARD
  Wireless Card: Use this screen to configure the wireless LAN settings and WLAN authentication/security settings.
  MAC Filter: Use this screen to change MAC filter settings on the ZyWALL.
SECURITY / FIREWALL
  Default Rule: Use this screen to activate/deactivate the firewall and set the direction of network traffic to which to apply the rule.
  Rule Summary: This screen shows a summary of the firewall rules and allows you to edit/add a firewall rule.
  Anti-Probing: Use this screen to change your anti-probing settings.
  Threshold: Use this screen to configure the threshold for DoS attacks.
SECURITY / IDP
  General: Use this screen to enable IDP on the ZyWALL and choose what interface(s) you want to protect from intrusions.
  Signature: Use these screens to view signatures by attack type or search for signatures by signature name, ID, severity, target operating system, action etc. You can also configure signature actions here.
  Update: Use this screen to download new signatures. It is important to do this as new intrusions evolve.
  Backup & Restore: Use this screen to back up, restore or revert to the default signatures’ actions.
SECURITY / ANTI-VIRUS
  General: Use this screen to activate AV scanning on the interface(s) and specify actions when a virus is detected.
  Update: Use this screen to view the version number of the current signatures and configure the signature update schedule.
SECURITY / ANTI-SPAM
  General: Use this screen to turn the anti-spam feature on or off and set how the ZyWALL treats spam.
  External DB: Use this screen to enable or disable the use of the anti-spam external database.
  Customization: Use this screen to configure the whitelist to identify legitimate e-mail and configure the blacklist to identify spam e-mail.
SECURITY / CONTENT FILTER
  General: This screen allows you to enable content filtering and block certain web features.
  Categories: Use this screen to select which categories of web pages to filter out, as well as to register for external database content filtering and view reports.
  Customization: Use this screen to customize the content filter list.
  Cache: Use this screen to view and configure the ZyWALL’s URL caching.
SECURITY / VPN
  VPN Rules (IKE): Use this screen to configure VPN connections using IKE key management and view the rule summary.
  VPN Rules (Manual): Use this screen to configure VPN connections using manual key management and view the rule summary.
  SA Monitor: Use this screen to display and manage active VPN connections.
  Global Setting: Use this screen to configure the IPSec timer settings.
SECURITY / CERTIFICATES
  My Certificates: Use this screen to view a summary list of certificates and manage certificates and certification requests.
  Trusted CAs: Use this screen to view and manage the list of the trusted CAs.
  Trusted Remote Hosts: Use this screen to view and manage the certificates belonging to the trusted remote hosts.
  Directory Servers: Use this screen to view and manage the list of the directory servers.
SECURITY / AUTH SERVER
  Local User Database: Use this screen to configure the local user account(s) on the ZyWALL.
  RADIUS: Configure this screen to use an external server to authenticate wireless and/or VPN users.
ADVANCED / NAT
  NAT Overview: Use this screen to enable NAT.
  Address Mapping: Use this screen to configure network address translation mapping rules.
  Port Forwarding: Use this screen to configure servers behind the ZyWALL.
  Port Triggering: Use this screen to change your ZyWALL’s port triggering settings.
ADVANCED / STATIC ROUTE
  IP Static Route: Use this screen to configure IP static routes.
ADVANCED / POLICY ROUTE
  Policy Route Summary: Use this screen to view a summary list of all the policies and configure policies for use in IP policy routing.
ADVANCED / BW MGMT
  Summary: Use this screen to enable bandwidth management on an interface.
  Class Setup: Use this screen to set up the bandwidth classes.
  Monitor: Use this screen to view the ZyWALL’s bandwidth usage and allotments.
ADVANCED / DNS
  System: Use this screen to configure the address and name server records.
  Cache: Use this screen to configure the DNS resolution cache.
  DHCP: Use this screen to configure LAN/DMZ/WLAN DNS information.
  DDNS: Use this screen to set up dynamic DNS.
ADVANCED / REMOTE MGMT
  WWW: Use this screen to configure through which interface(s) and from which IP address(es) users can use HTTPS or HTTP to manage the ZyWALL.
  SSH: Use this screen to configure through which interface(s) and from which IP address(es) users can use Secure Shell to manage the ZyWALL.
  TELNET: Use this screen to configure through which interface(s) and from which IP address(es) users can use Telnet to manage the ZyWALL.
  FTP: Use this screen to configure through which interface(s) and from which IP address(es) users can use FTP to access the ZyWALL.
  SNMP: Use this screen to configure your ZyWALL’s settings for Simple Network Management Protocol management.
  DNS: Use this screen to configure through which interface(s) and from which IP address(es) users can send DNS queries to the ZyWALL.
  CNM: Use this screen to configure and allow your ZyWALL to be managed by the Vantage CNM server.
ADVANCED / UPnP
  UPnP: Use this screen to enable UPnP on the ZyWALL.
  Ports: Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL.
ADVANCED / ALG
  ALG: Use this screen to allow certain applications to pass through the ZyWALL.
LOGS
  View Log: Use this screen to view the logs for the categories that you selected.
  Log Settings: Use this screen to change your ZyWALL’s log settings.
  Reports: Use this screen to have the ZyWALL record and display the network usage reports.
MAINTENANCE
  General: This screen contains administrative information.
  Password: Use this screen to change your password.
  Time and Date: Use this screen to change your ZyWALL’s time and date.
  Device Mode: Use this screen to configure and have your ZyWALL work as a router or a bridge.
  F/W Upload: Use this screen to upload firmware to your ZyWALL.
  Backup & Restore: Use this screen to back up and restore the configuration or reset your ZyWALL to the factory defaults.
  Restart: This screen allows you to reboot the ZyWALL without turning the power off.
LOGOUT: Click this label to exit the web configurator.
2.4.4 System Statistics
Click Show Statistics in the HOME screen. Read-only information here includes port status
and packet specific statistics. Also provided is "Up Time" and "poll interval(s)". The Poll
Interval(s) field is configurable. Not all fields are available on all models.
Figure 11 Home : Show Statistics
The following table describes the labels in this screen.
Table 7 Home: Show Statistics
LABEL
DESCRIPTION
Click the icon to display the chart of throughput statistics.
Port
These are the ZyWALL’s interfaces.
Status
For the LAN and DMZ ports, this displays the port speed and duplex setting.
For the WAN and Dial Backup ports, this displays the port speed and duplex setting
if you’re using Ethernet encapsulation and Down (line is down), Idle (line (ppp) idle),
Dial (starting to trigger a call) or Drop (dropping a call) if you’re using PPPoE
encapsulation.
For the WLAN port, it displays the transmission rate when a wireless LAN card is
inserted and WLAN is enabled or Down when a wireless LAN is not inserted or
WLAN is disabled.
TxPkts
This is the number of transmitted packets on this port.
RxPkts
This is the number of received packets on this port.
Tx B/s
This displays the transmission speed in bytes per second on this port.
Rx B/s
This displays the reception speed in bytes per second on this port.
Up Time
This is the total amount of time the line has been up.
System Up Time This is the total time the ZyWALL has been on.
Poll Interval(s)
Enter the time interval for refreshing statistics in this field.
Set Interval
Click this button to apply the new poll interval you entered in the Poll Interval(s)
field.
Stop
Click Stop to stop refreshing statistics.
2.4.5 Show Statistics: Line Chart
Click the icon in the Show Statistics screen. This screen shows you the line chart of each
port’s throughput statistics.
Figure 12 Home : Show Statistics: Line Chart
The following table describes the labels in this screen.
Table 8 Home: Show Statistics: Line Chart
LABEL
DESCRIPTION
Click the icon to go back to the Show Statistics screen.
Port
Select the check box(es) to display the throughput statistics of the corresponding
port(s).
B/s
Specify the direction of the traffic for which you want to show throughput statistics in
this table.
Select Tx to display transmitted traffic throughput statistics and the amount of traffic
(in bytes). Select Rx to display received traffic throughput statistics and the amount
of traffic (in bytes).
Throughput
Range
Set the range of the throughput (in B/s, KB/s or MB/s) to display.
Click Set Range to save this setting back to the ZyWALL.
2.4.6 DHCP Table Screen
DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual
clients to obtain TCP/IP configuration at start-up from a server. You can configure the
ZyWALL as a DHCP server or disable it. When configured as a server, the ZyWALL provides
the TCP/IP configuration for the clients. If DHCP service is disabled, you must have another
DHCP server on your LAN, or else the computer must be manually configured.
Click Show DHCP Table in the HOME screen when the ZyWALL is set to router mode.
Read-only information here relates to your DHCP status. The DHCP table shows current
DHCP client information (including IP Address, Host Name and MAC Address) of all
network clients using the ZyWALL’s DHCP server.
Figure 13 Home : DHCP Table
The following table describes the labels in this screen.
Table 9 Home: DHCP Table
LABEL
DESCRIPTION
Interface
Select LAN, DMZ or WLAN to show the current DHCP client information for the
specified interface.
#
This is the index number of the host computer.
IP Address
This field displays the IP address relative to the # field listed above.
Host Name
This field displays the computer host name.
MAC Address
The MAC (Media Access Control) or Ethernet address on a LAN (Local Area Network)
is unique to your computer (six pairs of hexadecimal notation).
A network interface card such as an Ethernet adapter has a hardwired address that is
assigned at the factory. This address follows an industry standard that ensures no
other adapter has a similar address.
Reserve
Select the check box in the heading row to select all check boxes at once, or select the
check box(es) of individual entries, to have the ZyWALL always assign the selected
entries’ IP address(es) to the corresponding MAC address(es) (and host name(s)). You
can select up to 128 entries in this table. After you click Apply, the MAC address and IP
address also display in the LAN Static DHCP screen (where you can edit them).
Refresh
Click Refresh to reload the DHCP table.
2.4.7 VPN Status
Click VPN Status in the HOME screen when the ZyWALL is set to router mode. Read-only
information here includes encapsulation mode and security protocol. The Poll Interval(s)
field is configurable.
Figure 14 Home : VPN Status
The following table describes the labels in this screen.
Table 10 Home : VPN Status
LABEL
DESCRIPTION
#
This is the security association index number.
Name
This field displays the identification name for this VPN policy.
Local Network
This field displays the IP address of the computer using the VPN IPSec feature of
your ZyWALL.
Remote Network
This field displays the IP address (or address range) of the computers on the remote
network behind the remote IPSec router.
Encapsulation
This field displays Tunnel or Transport mode.
IPSec Algorithm
This field displays the security protocols used for an SA.
Both AH and ESP increase ZyWALL processing requirements and communications
latency (delay).
Poll Interval(s)
Enter the time interval for refreshing statistics in this field.
Set Interval
Click this button to apply the new poll interval you entered in the Poll Interval(s)
field.
Stop
Click Stop to stop refreshing statistics.
CHAPTER 3
Wizard Setup
This chapter provides information on the Wizard Setup screens in the web configurator. The
Internet access wizard is only applicable when the ZyWALL is in router mode.
3.1 Wizard Setup Overview
The web configurator's setup wizards help you configure WAN1 on a ZyWALL with multiple
WAN ports or the WAN port on a ZyWALL with a single WAN port to access the Internet and
edit VPN policies and configure IKE settings to establish a VPN tunnel.
3.2 Internet Access
The Internet access wizard screen has three variations depending on what encapsulation type
you use. Refer to information provided by your ISP to know what to enter in each field. Leave
a field blank if you don’t have that information.
3.2.1 ISP Parameters
The ZyWALL offers three choices of encapsulation. They are Ethernet, PPTP or PPPoE.
The wizard screen varies according to the type of encapsulation that you select in the
Encapsulation field.
3.2.1.1 Ethernet
For ISPs (such as Telstra) that send UDP heartbeat packets to verify that the customer is still
online, please create a WAN-to-WAN/ZyWALL firewall rule for those packets. Contact your
ISP to find the correct port number.
Choose Ethernet when the WAN port is used as a regular Ethernet.
Figure 15 ISP Parameters : Ethernet Encapsulation
The following table describes the labels in this screen.
Table 11 ISP Parameters : Ethernet Encapsulation
LABEL
DESCRIPTION
ISP Parameters
for Internet
Access
Encapsulation
You must choose the Ethernet option when the WAN port is used as a regular
Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection.
WAN IP Address
Assignment
IP Address
Assignment
Select Dynamic if your ISP did not assign you a fixed IP address. This is the
default selection.
Select Static if the ISP assigned you a fixed IP address.
The fields below are available only when you select Static.
My WAN IP
Address
Enter your WAN IP address in this field.
My WAN IP
Subnet Mask
Enter the IP subnet mask in this field.
Gateway IP
Address
Enter the gateway IP address in this field.
First DNS Server
Second DNS
Server
Enter the DNS server's IP address(es) in the field(s) to the right.
Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not
configure a DNS server, you must know the IP address of a machine in order to
access it.
Apply
Click Apply to save your changes and go to the next screen.
3.2.1.2 PPPoE Encapsulation
Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an
IETF (Internet Engineering Task Force) standard specifying how a host personal computer
interacts with a broadband modem (for example xDSL, cable, wireless, etc.) to achieve access
to high-speed data networks.
Figure 16 ISP Parameters : PPPoE Encapsulation
The following table describes the labels in this screen.
Table 12 ISP Parameters: PPPoE Encapsulation
LABEL
DESCRIPTION
ISP Parameter for
Internet Access
Encapsulation
Choose an encapsulation method from the pull-down list box. PPP over Ethernet
forms a dial-up connection.
Service Name
Type the name of your service provider.
User Name
Type the user name given to you by your ISP.
Password
Type the password associated with the user name above.
Retype to Confirm Type your password again for confirmation.
Nailed-Up
Select Nailed-Up if you do not want the connection to time out.
Idle Timeout
Type the time in seconds that elapses before the router automatically disconnects
from the PPPoE server. The default time is 100 seconds.
WAN IP Address
Assignment
IP Address
Assignment
Select Dynamic if your ISP did not assign you a fixed IP address. This is the
default selection.
Select Static if the ISP assigned you a fixed IP address.
The fields below are available only when you select Static.
My WAN IP
Address
Enter your WAN IP address in this field.
First DNS Server
Second DNS
Server
Enter the DNS server's IP address(es) in the field(s) to the right.
Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not
configure a DNS server, you must know the IP address of a machine in order to
access it.
Apply
Click Apply to save your changes and go to the next screen.
3.2.1.3 PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables transfers of data
from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/
IP-based networks.
PPTP supports on-demand, multi-protocol, and virtual private networking over public
networks, such as the Internet.
Refer to Appendix G on page 704 for more information on PPTP.
Note: The ZyWALL supports one PPTP server connection at any given time.
Figure 17 ISP Parameters: PPTP Encapsulation
The following table describes the labels in this screen.
Table 13 ISP Parameters : PPTP Encapsulation
LABEL
DESCRIPTION
ISP Parameters for
Internet Access
Encapsulation
Select PPTP from the drop-down list box. To configure a PPTP client, you must
configure the User Name and Password fields for a PPP connection and the
PPTP parameters for a PPTP connection.
User Name
Type the user name given to you by your ISP.
Password
Type the password associated with the User Name above.
Retype to Confirm
Type your password again for confirmation.
Nailed-Up
Select Nailed-Up if you do not want the connection to time out.
Idle Timeout
Type the time in seconds that elapses before the router automatically disconnects
from the PPTP server.
PPTP Configuration
My IP Address
Type the (static) IP address assigned to you by your ISP.
My IP Subnet Mask Type the subnet mask assigned to you by your ISP (if given).
Server IP Address
Type the IP address of the PPTP server.
Connection ID/
Name
Enter the connection ID or connection name in this field. It must follow the "c:id"
and "n:name" format. For example, C:12 or N:My ISP.
This field is optional and depends on the requirements of your xDSL modem.
WAN IP Address
Assignment
IP Address
Assignment
Select Dynamic if your ISP did not assign you a fixed IP address. This is the
default selection.
Select Static if the ISP assigned you a fixed IP address.
The fields below are available only when you select Static.
My WAN IP
Address
Enter your WAN IP address in this field.
First DNS Server
Second DNS
Server
Enter the DNS server's IP address(es) in the field(s) to the right.
Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do
not configure a DNS server, you must know the IP address of a machine in order
to access it.
Apply
Click Apply to save your changes and go to the next screen.
3.2.2 Internet Access Wizard: Second Screen
Click Next to go to the screen where you can register your ZyWALL and activate the free
content filtering, anti-spam, anti-virus and IDP trial applications. Otherwise, click Skip to
display the congratulations screen and click Close to complete the Internet access setup.
Note: Make sure you have installed the ZyWALL Turbo Card before you activate the
IDP and anti-virus subscription services.
Turn the ZyWALL off before you install or remove the ZyWALL Turbo Card.
Figure 18 Internet Access Wizard: Second Screen
Figure 19 Internet Access Setup Complete
3.2.3 Internet Access Wizard: Registration
If you clicked Next in the previous screen (see Figure 18 on page 89), the following screen
displays.
Note: If you want to activate a standard service with your iCard’s PIN number (license
key), use the REGISTRATION Service screen.
Figure 20 Internet Access Wizard: Registration
The following table describes the labels in this screen.
Table 14 Internet Access Wizard: Registration
LABEL
DESCRIPTION
Device Registration
If you select Existing myZyXEL.com account, only the User Name and
Password fields are available.
New myZyXEL.com
account
If you haven’t created an account at myZyXEL.com, select this option and
configure the following fields to create an account and register your ZyWALL.
Existing myZyXEL.com
account
If you already have an account at myZyXEL.com, select this option and enter
your user name and password in the fields below to register your ZyWALL.
User Name
Enter a user name for your myZyXEL.com account. The name should be
from six to 20 alphanumeric characters (and the underscore). Spaces are not
allowed.
Check
Click this button to check with the myZyXEL.com database to verify the user
name you entered has not been used.
Password
Enter a password of between six and 20 alphanumeric characters (and the
underscore). Spaces are not allowed.
Confirm Password
Enter the password again for confirmation.
E-Mail Address
Enter your e-mail address. You can use up to 80 alphanumeric characters
(periods and the underscore are also allowed) without spaces.
Country
Select your country from the drop-down box list.
Back
Click Back to return to the previous screen.
Next
Click Next to continue.
After you fill in the fields and click Next, the following screen appears, indicating that
the registration is in progress. Wait for the registration to finish.
Figure 21 Internet Access Wizard: Registration in Progress
Click Close to leave the wizard screen when the registration and activation are done.
Figure 22 Internet Access Wizard: Status
The following screen appears if the registration was not successful. Click Return to go back to
the Device Registration screen and check your settings.
Figure 23 Internet Access Wizard: Registration Failed
If the ZyWALL has been registered, the Device Registration screen is read-only and the
Service Activation screen appears indicating what trial applications are activated after you
click Next.
Figure 24 Internet Access Wizard: Registered Device
Figure 25 Internet Access Wizard: Activated Services
3.3 VPN Wizard Gateway Setting
Use the VPN wizard screens to configure a VPN rule that uses a pre-shared key. If you want to
set the rule to use a certificate, please go to the VPN screens for configuration.
Click VPN Wizard in the HOME screen to open the VPN configuration wizard. The first
screen displays as shown next.
Figure 26 VPN Wizard: Gateway Setting
The following table describes the labels in this screen.
Table 15 VPN Wizard: Gateway Setting
LABEL
DESCRIPTION
Gateway Policy
Property
Name
Type up to 32 characters to identify this VPN gateway policy. You may use any
character, including spaces, but the ZyWALL drops trailing spaces.
My ZyWALL
When the ZyWALL is in router mode, enter the WAN IP address or the domain name
of your ZyWALL or leave the field set to 0.0.0.0.
For a ZyWALL with multiple WAN ports, the following applies if the My ZyWALL field
is configured as 0.0.0.0:
• When the WAN port operation mode is set to Active/Passive, the ZyWALL uses
the IP address (static or dynamic) of the WAN port that is in use.
• When the WAN port operation mode is set to Active/Active, the ZyWALL uses
the IP address (static or dynamic) of the primary (highest priority) WAN port to set
up the VPN tunnel as long as the corresponding WAN1 or WAN2 connection is
up. If the corresponding WAN1 or WAN2 connection goes down, the ZyWALL
uses the IP address of the other WAN port.
• If both WAN connections go down, the ZyWALL uses the dial backup IP address
for the VPN tunnel when using dial backup or the LAN IP address when using
traffic redirect. See the chapter on WAN for details on dial backup and traffic
redirect.
A ZyWALL with a single WAN port uses its current WAN IP address (static or
dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. If the WAN
connection goes down, the ZyWALL uses the dial backup IP address for the VPN
tunnel when using dial backup or the LAN IP address when using traffic redirect.
The VPN tunnel has to be rebuilt if this IP address changes.
When the ZyWALL is in bridge mode, this field is read-only and displays the
ZyWALL’s IP address.
Remote
Gateway
Address
Enter the WAN IP address or domain name of the remote IPSec router (secure
gateway) in the field below to identify the remote IPSec router by its IP address or a
domain name. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN
IP address.
Next
Click Next to continue.
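The fallback rules given above for the My ZyWALL field, worked through as an added example (not ZyXEL code): the WanPort class, the mode and backup strings, and the RFC 5737 sample addresses are constructed for this illustration.

```python
"""Source address selection for the My ZyWALL field (VPN Wizard Gateway Setting).

Added example, not ZyXEL code: it encodes the fallback rules described for the
My ZyWALL field in Table 15. WanPort, the mode/backup strings and the sample
addresses (RFC 5737 documentation ranges) are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class WanPort:
    name: str             # "WAN1" or "WAN2"
    ip: str               # current (static or dynamic) WAN IP address
    up: bool              # True while this WAN connection is up
    in_use: bool = False  # Active/Passive only: the port currently carrying traffic
    priority: int = 1     # Active/Active only: 1 = primary (highest priority)


def select_tunnel_address(my_zywall: str, mode: str, wan_ports: List[WanPort],
                          backup: str, dial_backup_ip: str, lan_ip: str) -> Optional[str]:
    """Return the address the ZyWALL uses as its own end of the VPN tunnel.

    my_zywall: the My ZyWALL field; anything other than 0.0.0.0 is used verbatim.
    mode: "Active/Passive" or "Active/Active" for a multi-WAN ZyWALL,
          "Single" for a ZyWALL with one WAN port.
    backup: "dial backup" or "traffic redirect", the configured WAN backup method.
    """
    if my_zywall != "0.0.0.0":
        return my_zywall
    up_ports = [p for p in wan_ports if p.up]
    if up_ports:
        if mode == "Active/Passive":
            # the WAN port in use; if it is down, the remaining port carries traffic
            in_use = [p for p in up_ports if p.in_use]
            return (in_use or up_ports)[0].ip
        if mode == "Active/Active":
            # primary (highest priority) port while it is up, otherwise the other one
            return min(up_ports, key=lambda p: p.priority).ip
        return up_ports[0].ip  # single WAN port: its current address
    # every WAN connection is down: fall back to dial backup or traffic redirect
    if backup == "dial backup":
        return dial_backup_ip
    if backup == "traffic redirect":
        return lan_ip
    return None


def address_history(my_zywall: str, mode: str, snapshots: List[List[WanPort]],
                    backup: str, dial_backup_ip: str,
                    lan_ip: str) -> List[Tuple[Optional[str], bool]]:
    """Walk successive WAN status snapshots. The flag is True whenever the tunnel
    address changed, which is exactly when the VPN tunnel has to be rebuilt."""
    history: List[Tuple[Optional[str], bool]] = []
    previous: Optional[str] = None
    for ports in snapshots:
        addr = select_tunnel_address(my_zywall, mode, ports, backup, dial_backup_ip, lan_ip)
        history.append((addr, previous is not None and addr != previous))
        previous = addr
    return history


# Constructed scenario: Active/Active, WAN1 primary, WAN1 fails, then both WANs fail.
SNAPSHOTS = [
    [WanPort("WAN1", "203.0.113.10", True, priority=1),
     WanPort("WAN2", "198.51.100.20", True, priority=2)],
    [WanPort("WAN1", "203.0.113.10", False, priority=1),
     WanPort("WAN2", "198.51.100.20", True, priority=2)],
    [WanPort("WAN1", "203.0.113.10", False, priority=1),
     WanPort("WAN2", "198.51.100.20", False, priority=2)],
]

if __name__ == "__main__":
    for addr, rebuilt in address_history("0.0.0.0", "Active/Active", SNAPSHOTS,
                                         "traffic redirect", "192.0.2.99", "192.168.1.1"):
        print(addr, "(tunnel rebuilt)" if rebuilt else "")
```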
3.4 VPN Wizard Network Setting
Two active SAs cannot have both the same local and the same remote IP address(es). Two
active SAs can share the same local or the same remote IP address, but not both. You can
configure multiple SAs between the same local and remote IP addresses, as long as only one
is active at any time.
Figure 27 VPN Wizard: Network Setting
The following table describes the labels in this screen.
Table 16 VPN Wizard : Network Setting
LABEL
DESCRIPTION
Network Policy
Property
Active
If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build
the tunnel.
Clear the Active check box to turn the network policy off. The ZyWALL does not apply
the policy. Packets for the tunnel do not trigger the tunnel.
Name
Type up to 32 characters to identify this VPN network policy. You may use any
character, including spaces, but the ZyWALL drops trailing spaces.
Network Policy
Setting
Local Network
Local IP addresses must be static and correspond to the remote IPSec router's
configured remote IP addresses.
Select Single for a single IP address. Select Range IP for a specific range of IP
addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
Starting IP
Address
When the Local Network field is configured to Single, enter a (static) IP address on
the LAN behind your ZyWALL. When the Local Network field is configured to Range
IP, enter the beginning (static) IP address, in a range of computers on the LAN behind
your ZyWALL. When the Local Network field is configured to Subnet, this is a (static)
IP address on the LAN behind your ZyWALL.
Ending IP
Address/
Subnet Mask
When the Local Network field is configured to Single, this field is N/A. When the
Local Network field is configured to Range IP, enter the end (static) IP address, in a
range of computers on the LAN behind your ZyWALL. When the Local Network field
is configured to Subnet, this is a subnet mask on the LAN behind your ZyWALL.
Remote
Network
Remote IP addresses must be static and correspond to the remote IPSec router's
configured local IP addresses.
Select Single for a single IP address. Select Range IP for a specific range of IP
addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
Starting IP
Address
When the Remote Network field is configured to Single, enter a (static) IP address
on the network behind the remote IPSec router. When the Remote Network field is
configured to Range IP, enter the beginning (static) IP address, in a range of
computers on the network behind the remote IPSec router. When the Remote
Network field is configured to Subnet, enter a (static) IP address on the network
behind the remote IPSec router
Ending IP
Address/
Subnet Mask
When the Remote Network field is configured to Single, this field is N/A. When the
Remote Network field is configured to Range IP, enter the end (static) IP address, in
a range of computers on the network behind the remote IPSec router. When the
Remote Network field is configured to Subnet, enter a subnet mask on the network
behind the remote IPSec router.
Back
Click Back to return to the previous screen.
Next
Click Next to continue.
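An added example (not ZyXEL code) that applies two of this chapter's rules: the section 3.4 rule that no two active SAs may have both the same local and the same remote network, with the Single, Range IP and Subnet entries of Table 16 normalized to address ranges before comparison, and the pre-shared key format rules given in the IKE Tunnel Setting table later in this chapter. The NetworkPolicy class, the function names and the sample addresses are assumptions made for this example.

```python
"""VPN wizard input checks: active-SA uniqueness and pre-shared key format.

Added example, not ZyXEL code. It applies two rules from this chapter:
  * no two ACTIVE SAs may have both the same local and the same remote network
    (section 3.4); Single / Range IP / Subnet entries from Table 16 are
    normalized to (first, last) address ranges before they are compared;
  * a pre-shared key is 8 to 31 ASCII characters, or "0x" followed by 16 to 62
    hexadecimal characters 0-9, A-F (Table 17).
NetworkPolicy, the function names and the sample addresses are constructed here.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

AddrRange = Tuple[int, int]


@dataclass
class NetworkPolicy:
    name: str
    active: bool
    local_type: str     # "Single", "Range IP" or "Subnet"
    local_start: str    # Starting IP Address
    local_end: str      # Ending IP Address / Subnet Mask ("" when N/A)
    remote_type: str
    remote_start: str
    remote_end: str


def to_range(kind: str, start: str, end: str) -> AddrRange:
    """Normalize a Single / Range IP / Subnet entry to (first, last) as integers."""
    first = int(ipaddress.IPv4Address(start))
    if kind == "Single":
        return first, first
    if kind == "Range IP":
        last = int(ipaddress.IPv4Address(end))
        if last < first:
            raise ValueError("ending IP address precedes starting IP address")
        return first, last
    if kind == "Subnet":
        # 'end' holds the subnet mask; strict=False accepts a host address as 'start'
        net = ipaddress.IPv4Network((start, end), strict=False)
        return int(net.network_address), int(net.broadcast_address)
    raise ValueError(f"unknown network type {kind!r}")


def conflicting_policies(policies: List[NetworkPolicy]) -> List[Tuple[str, str]]:
    """Return (earlier, later) name pairs of active policies whose local and remote
    networks are both identical. Inactive duplicates are permitted and skipped."""
    seen: Dict[Tuple[AddrRange, AddrRange], str] = {}
    conflicts: List[Tuple[str, str]] = []
    for p in policies:
        if not p.active:
            continue
        key = (to_range(p.local_type, p.local_start, p.local_end),
               to_range(p.remote_type, p.remote_start, p.remote_end))
        if key in seen:
            conflicts.append((seen[key], p.name))
        else:
            seen[key] = p.name
    return conflicts


HEX_KEY = re.compile(r"^0x[0-9A-F]{16,62}$")  # the 0x prefix is not counted


def validate_pre_shared_key(key: str) -> str:
    """Return "hex" or "ascii" for a well-formed key; raise ValueError otherwise."""
    if key.startswith("0x"):
        if not HEX_KEY.match(key):
            raise ValueError("hex key must be 0x followed by 16 to 62 characters 0-9, A-F")
        return "hex"
    if not 8 <= len(key) <= 31:
        raise ValueError("ASCII key must be 8 to 31 characters long")
    if not key.isascii() or not key.isprintable():
        raise ValueError("key must consist of printable ASCII characters")
    return "ascii"


def is_valid_pre_shared_key(key: str) -> bool:
    """Boolean wrapper around validate_pre_shared_key."""
    try:
        validate_pre_shared_key(key)
        return True
    except ValueError:
        return False


# Constructed sample policies. branch-A and branch-A-backup describe the same
# networks in different notations, so having both active is a conflict.
SAMPLE_POLICIES = [
    NetworkPolicy("branch-A", True, "Subnet", "192.168.1.0", "255.255.255.0",
                  "Subnet", "172.16.0.0", "255.255.255.0"),
    NetworkPolicy("branch-A-backup", True, "Range IP", "192.168.1.0", "192.168.1.255",
                  "Subnet", "172.16.0.0", "255.255.255.0"),
    NetworkPolicy("branch-A-old", False, "Subnet", "192.168.1.0", "255.255.255.0",
                  "Subnet", "172.16.0.0", "255.255.255.0"),
    NetworkPolicy("server-B", True, "Subnet", "192.168.1.0", "255.255.255.0",
                  "Single", "172.16.5.9", ""),
]

if __name__ == "__main__":
    print("conflicts:", conflicting_policies(SAMPLE_POLICIES))
    print(validate_pre_shared_key("0x0123456789ABCDEF"))  # the manual's example key
```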
3.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1)
Figure 28 VPN Wizard: IKE Tunnel Setting
The following table describes the labels in this screen.
Table 17 VPN Wizard: IKE Tunnel Setting
Negotiation Mode: Select Main Mode for identity protection. Select Aggressive Mode to allow more incoming connections from dynamic IP addresses to use separate passwords.
Note: Multiple SAs (security associations) connecting through a secure gateway must have the same negotiation mode.
Encryption Algorithm: When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES.
Authentication Algorithm: MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
Key Group: You must choose a key group for phase 1 IKE setup. DH1 (default) refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1 Kb) random number.
SA Life Time (Seconds): Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 180 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Pre-Shared Key: Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection. Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key with "0x" (zero x), which is not counted as part of the 16 to 62 character range for the key. For example, in "0x0123456789ABCDEF", 0x denotes that the key is hexadecimal and 0123456789ABCDEF is the key itself. Both ends of the VPN tunnel must use the same pre-shared key. You will receive a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is not used on both ends.
Back: Click Back to return to the previous screen.
Next: Click Next to continue.
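The pre-shared key rules above (8 to 31 case-sensitive ASCII characters, or "0x" plus 16 to 62 hexadecimal digits) are easy to get wrong on one end only, and the guide says the result is a PYLD_MALFORMED packet in phase 1. The following added example (not part of the ZyXEL guide) checks a key against those rules and compares the two ends' keys in constant time; treating every key that starts with "0x" as a hexadecimal key, and accepting only upper-case A-F as the guide lists, are assumptions of this example.

```python
import hmac
import re
from typing import List

# Added example, not from the ZyXEL guide: format checks for the wizard's
# Pre-Shared Key field and a constant-time comparison of the keys configured on
# the two ends of the tunnel.

# Guide: a hexadecimal key is "0x" followed by 16 to 62 characters 0-9/A-F; the
# "0x" itself is not counted.  Lower-case digits are rejected here because the
# guide lists only "A-F" (assumption: the device is equally strict).
HEX_KEY = re.compile(r"^0x([0-9A-F]{16,62})$")


def pre_shared_key_problems(key: str) -> List[str]:
    """Return the rules the key breaks; an empty list means it is well-formed."""
    problems = []
    if key.startswith("0x"):
        # Assumption: anything with the 0x prefix is an attempted hexadecimal key.
        if not HEX_KEY.match(key):
            problems.append("hexadecimal key needs 16 to 62 characters 0-9/A-F after 0x")
        return problems
    if not key.isascii() or not key.isprintable():
        problems.append("ASCII key may only contain printable ASCII characters")
    if not 8 <= len(key) <= 31:
        problems.append("ASCII key must be 8 to 31 characters long")
    return problems


def keys_match(local_key: str, remote_key: str) -> bool:
    """True when both ends use the same well-formed pre-shared key.

    Keys are case-sensitive, so "Secret..." and "secret..." do not match.
    hmac.compare_digest keeps the comparison time independent of where the
    keys first differ.
    """
    if pre_shared_key_problems(local_key) or pre_shared_key_problems(remote_key):
        raise ValueError("one of the keys is not a valid pre-shared key")
    return hmac.compare_digest(local_key.encode("ascii"), remote_key.encode("ascii"))


if __name__ == "__main__":
    # Constructed sample keys; the guide's own example is the hexadecimal one.
    for key in ("0x0123456789ABCDEF", "correct horse battery", "short", "0x0123"):
        print(repr(key), pre_shared_key_problems(key) or "ok")
    print(keys_match("0x0123456789ABCDEF", "0x0123456789ABCDEF"))
```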
3.6 VPN Wizard IPSec Setting (IKE Phase 2)
Figure 29 VPN Wizard: IPSec Setting
The following table describes the labels in this screen.
Table 18 VPN Wizard: IPSec Setting
Encapsulation Mode: Tunnel is compatible with NAT, Transport is not. Tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel mode is required for gateway services to provide access to internal systems. Tunnel mode is fundamentally an IP tunnel with authentication and encryption. Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
IPSec Protocol: Select the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
Encryption Algorithm: When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES. Select NULL to set up a tunnel without encryption. When you select NULL, you do not enter an encryption key.
Authentication Algorithm: MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
SA Life Time (Seconds): Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 180 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Perfect Forward Secret (PFS): Perfect Forward Secret (PFS) is disabled (None) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure. Select DH1 or DH2 to enable PFS. DH1 refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1 Kb) random number (more secure, yet slower).
Back: Click Back to return to the previous screen.
Next: Click Next to continue.
3.7 VPN Wizard Status Summary
This read-only screen shows the status of the current VPN setting. Use the summary table to
check whether what you have configured is correct.
Figure 30 VPN Wizard: VPN Status
The following table describes the labels in this screen.
Table 19 VPN Wizard: VPN Status
Gateway Policy Property
Name: This is the name of this VPN gateway policy.
Gateway Policy Setting
My ZyWALL: This is the WAN IP address or the domain name of your ZyWALL in router mode or the ZyWALL’s IP address in bridge mode.
Remote Gateway Address: This is the IP address or the domain name used to identify the remote IPSec router.
Network Policy Property
Active: This displays whether this VPN network policy is enabled or not.
Name: This is the name of this VPN network policy.
Network Policy Setting
Local Network
Starting IP Address: This is a (static) IP address on the LAN behind your ZyWALL.
Ending IP Address/Subnet Mask: When the local network is configured for a single IP address, this field is N/A. When the local network is configured for a range IP address, this is the end (static) IP address in a range of computers on the LAN behind your ZyWALL. When the local network is configured for a subnet, this is a subnet mask on the LAN behind your ZyWALL.
Remote Network
Starting IP Address: This is a (static) IP address on the network behind the remote IPSec router.
Ending IP Address/Subnet Mask: When the remote network is configured for a single IP address, this field is N/A. When the remote network is configured for a range IP address, this is the end (static) IP address in a range of computers on the network behind the remote IPSec router. When the remote network is configured for a subnet, this is a subnet mask on the network behind the remote IPSec router.
IKE Tunnel Setting (IKE Phase 1)
Negotiation Mode: This shows Main Mode or Aggressive Mode. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
Encryption Algorithm: This is the method of data encryption. Options can be DES, 3DES or AES.
Authentication Algorithm: MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data.
Key Group: This is the key group you chose for phase 1 IKE setup.
SA Life Time (Seconds): This is the length of time before an IKE SA automatically renegotiates.
Pre-Shared Key: This is a pre-shared key identifying a communicating party during a phase 1 IKE negotiation.
IPSec Setting (IKE Phase 2)
Encapsulation Mode: This shows Tunnel mode or Transport mode.
IPSec Protocol: ESP or AH are the security protocols used for an SA.
Encryption Algorithm: This is the method of data encryption. Options can be DES, 3DES, AES or NULL.
Authentication Algorithm: MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data.
SA Life Time (Seconds): This is the length of time before an IKE SA automatically renegotiates.
Perfect Forward Secret (PFS): Perfect Forward Secret (PFS) is disabled (None) by default in phase 2 IPSec SA setup. Otherwise, DH1 or DH2 are selected to enable PFS.
Back: Click Back to return to the previous screen.
Finish: Click Finish to complete and save the wizard setup.
3.8 VPN Wizard Setup Complete
Congratulations! You have successfully set up the VPN rule after any existing rule(s) for your
ZyWALL.
Figure 31 VPN Wizard Setup Complete
CHAPTER 4
Registration
4.1 myZyXEL.com overview
myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and
manage subscription services available for the ZyWALL.
Note: You need to create an account before you can register your device and activate
the services at myZyXEL.com.
You can directly create a myZyXEL.com account, register your ZyWALL and activate a
service using the REGISTRATION screen. Alternatively, go to http://www.myZyXEL.com
with the ZyWALL’s serial number and LAN MAC address to register it. Refer to the web site’s
on-line help for details.
Note: To activate a service on a ZyWALL, you need to access myZyXEL.com via that
ZyWALL.
4.1.1 Subscription Services Available on the ZyWALL
At the time of writing, the ZyWALL can use content filtering, anti-spam, anti-virus and IDP
(Intrusion Detection and Prevention) subscription services.
Content filtering allows or blocks access to web sites. Subscribe to category-based content
filtering to block access to categories of web sites based on content. Your ZyWALL accesses
an external database that has millions of web sites categorized based on content. You can have
the ZyWALL block, block and/or log access to web sites based on these categories.
Anti-spam identifies and marks or discards spam e-mail. An anti-spam subscription lets the
ZyWALL check e-mail with an external anti-spam server.
Anti-virus allows the ZyWALL to scan packets for computer viruses and deletes the infected
packets.
IDP allows the ZyWALL to detect malicious or suspicious packets and respond immediately.
The IDP and anti-virus features use the same signature files on the ZyWALL to detect and
scan for viruses. After the service is activated, the ZyWALL downloads the up-to-date
signature files from the update server (http://myupdate.zywall.zyxel.com).
You will get automatic e-mail notification of new signature releases from mySecurityZone
after you activate the IDP/Anti-virus service. You can also check for new signature or virus
updates at http://mysecurity.zyxel.com.
See the chapters about content filtering, anti-virus, anti-spam and IDP for more information.
Note: To update the signature file or use a subscription service, you have to register
and activate the corresponding service at myZyXEL.com (through the
ZyWALL).
4.2 Registration
To register your ZyWALL with myZyXEL.com and activate a service, such as content filtering,
anti-spam or anti-virus, click REGISTRATION in the navigation panel to open the screen as
shown next.
Note: Make sure you have installed the ZyWALL Turbo extension card before you
activate the IDP and anti-virus subscription services.
Turn the ZyWALL off before you install or remove the ZyWALL Turbo Card.
See the ZyWALL Turbo Card guide for more information.
Figure 32 Registration
The following table describes the labels in this screen.
Table 20 Registration
Device Registration: If you select Existing myZyXEL.com account, only the User Name and Password fields are available.
New myZyXEL.com account: If you haven’t created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL.
Existing myZyXEL.com account: If you already have an account at myZyXEL.com, select this option and enter your user name and password in the fields below to register your ZyWALL.
User Name: Enter a user name for your myZyXEL.com account. The name should be from six to 20 alphanumeric characters (and the underscore). Spaces are not allowed.
Check: Click this button to check with the myZyXEL.com database to verify that the user name you entered has not been used.
Password: Enter a password of between six and 20 alphanumeric characters (and the underscore). Spaces are not allowed.
Confirm Password: Enter the password again for confirmation.
E-Mail Address: Enter your e-mail address. You can use up to 80 alphanumeric characters (periods and the underscore are also allowed) without spaces.
Country: Select your country from the drop-down list box.
Service Activation: You can try a trial service subscription. After the trial expires, you can buy an iCard and enter the license key in the REGISTRATION Service screen to extend the service.
Content Filtering 1-month Trial: Select the check box to activate a trial. The trial period starts the day you activate the trial.
Anti Spam 3-month Trial: Select the check box to activate a trial. The trial period starts the day you activate the trial.
IDP/AV 3-month Trial: Select the check box to activate a trial. The trial period starts the day you activate the trial.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
Note: If the ZyWALL is registered already, this screen is read-only and indicates
whether trial services are activated. Use the Service screen to update your
service subscription status.
Figure 33 Registration: Registered Device
4.3 Service
After you activate a trial, you can also use the Service screen to register and enter your iCard’s
PIN number (license key). Click REGISTRATION, Service to open the screen as shown
next.
Note: If you restore the ZyWALL to the default configuration file or upload a different
configuration file after you register, click the Service License Refresh button to
update license information.
Figure 34 Registration: Service
The following table describes the labels in this screen.
Table 21 Service
Service Management
Service: This field displays the service name available on the ZyWALL.
Status: This field displays whether a service is activated (Active) or not (Inactive).
Registration Type: This field displays whether you applied for a trial application (Trial) or registered a service with your iCard’s PIN number (Standard).
Expiration Day: This field displays the date your service expires.
License Upgrade
License Key: Enter your iCard’s PIN number and click Update to activate or extend a standard service subscription. If a standard service subscription runs out, you need to buy a new iCard (specific to your ZyWALL) and enter the new PIN number to extend the service.
Service License Refresh: Click this button to renew service license information (such as the license key, registration status and expiration day).
CHAPTER 5
LAN Screens
This chapter describes how to configure LAN settings. This chapter is only applicable when
the ZyWALL is in router mode. The LAN Port Roles screen is available on the ZyWALL 5
and ZyWALL 35.
5.1 LAN Overview
Local Area Network (LAN) is a shared communication system to which many computers are
attached. The LAN screens can help you configure a LAN DHCP server, manage IP addresses,
and partition your physical network into logical networks.
5.2 DHCP Setup
DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual
clients to obtain TCP/IP configuration at start-up from a server. You can configure the
ZyWALL as a DHCP server or disable it. When configured as a server, the ZyWALL provides
the TCP/IP configuration for the clients. If DHCP service is disabled, you must have another
DHCP server on your LAN, or else the computer must be manually configured.
5.2.1 IP Pool Setup
The ZyWALL is pre-configured with a pool of IP addresses for the DHCP clients (DHCP
Pool). See the product specifications in the appendices. Do not assign static IP addresses from
the DHCP pool to your LAN computers.
5.3 LAN TCP/IP
The ZyWALL has built-in DHCP server capability that assigns IP addresses and DNS servers
to systems that support DHCP client capability.
5.3.1 Factory LAN Defaults
The LAN parameters of the ZyWALL are preset in the factory with the following values:
• IP address of 192.168.1.1 with subnet mask of 255.255.255.0 (24 bits)
• DHCP server enabled with 128 client IP addresses starting from 192.168.1.33.
These parameters should work for the majority of installations. If your ISP gives you explicit
DNS server address(es), read the embedded web configurator help regarding what fields need
to be configured.
5.3.2 IP Address and Subnet Mask
Similar to the way houses on a street share a common street name, so too do computers on a
LAN share one common network number.
Where you obtain your network number depends on your particular situation. If the ISP or
your network administrator assigns you a block of registered IP addresses, follow their
instructions in selecting the IP addresses and the subnet mask.
If the ISP did not explicitly give you an IP network number, then most likely you have a single
user account and the ISP will assign you a dynamic IP address when the connection is
established. If this is the case, it is recommended that you select a network number from
192.168.0.0 to 192.168.255.0 and you must enable the Network Address Translation (NAT)
feature of the ZyWALL. The Internet Assigned Number Authority (IANA) reserved this block
of addresses specifically for private use; please do not use any other number unless you are
told otherwise. Let's say you select 192.168.1.0 as the network number; which covers 254
individual addresses, from 192.168.1.1 to 192.168.1.254 (zero and 255 are reserved). In other
words, the first three numbers specify the network number while the last number identifies an
individual computer on that network.
Once you have decided on the network number, pick an IP address that is easy to remember,
for instance, 192.168.1.1, for your ZyWALL, but make sure that no other device on your
network is using that IP address.
The subnet mask specifies the network number portion of an IP address. Your ZyWALL will
compute the subnet mask automatically based on the IP address that you entered. You don't
need to change the subnet mask computed by the ZyWALL unless you are instructed to do
otherwise.
5.3.3 RIP Setup
RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange
routing information with other routers. RIP Direction controls the sending and receiving of
RIP packets. When set to Both or Out Only, the ZyWALL will broadcast its routing table
periodically. When set to Both or In Only, it will incorporate the RIP information that it
receives; when set to None, it will not send any RIP packets and will ignore any RIP packets
received.
RIP Version controls the format and the broadcasting method of the RIP packets that the
ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported;
but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you
have an unusual network topology.
Both RIP-2B and RIP-2M send routing data in RIP-2 format; the difference being that RIP-2B
uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the
load on non-router machines since they generally do not listen to the RIP multicast address
and so will not receive the RIP packets. However, if one router uses multicasting, then all
routers on your network must use multicasting, also.
By default, RIP Direction is set to Both and RIP Version to RIP-1.
5.3.4 Multicast
Traditionally, IP packets are transmitted in one of two ways - Unicast (1 sender - 1
recipient) or Broadcast (1 sender - everybody on the network). Multicast delivers IP packets to
a group of hosts on the network - not everybody and not just 1.
IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish
membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC
2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If
you would like to read more detailed information about interoperability between IGMP
version 2 and version 1, please see sections 4 and 5 of RFC 2236. The class D IP address is
used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255. The address
224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address
224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts
(including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP.
The address 224.0.0.2 is assigned to the multicast routers group.
The ZyWALL supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2). At
start up, the ZyWALL queries all directly connected networks to gather group membership.
After that, the ZyWALL periodically updates this information. IP multicasting can be enabled/
disabled on the ZyWALL LAN and/or WAN interfaces in the web configurator (LAN;
WAN). Select None to disable IP multicasting on these interfaces.
5.4 DNS Servers
Use the DNS LAN screen to configure the DNS server information that the ZyWALL sends to
the DHCP client devices on the LAN.
5.5 LAN
Click NETWORK, LAN to open the LAN screen. Use this screen to configure the
ZyWALL’s IP address and other LAN TCP/IP settings as well as the built-in DHCP server
capability that assigns IP addresses and DNS servers to systems that support DHCP client
capability.
Figure 35 LAN
The following table describes the labels in this screen.
Table 22 LAN
LAN TCP/IP
IP Address: Type the IP address of your ZyWALL in dotted decimal notation. 192.168.1.1 is the factory default. Alternatively, click the right mouse button to copy and/or paste the IP address.
IP Subnet Mask: The subnet mask specifies the network number portion of an IP address. Your ZyWALL automatically calculates the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
RIP Direction: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received. Both is the default.
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, RIP direction is set to Both and the Version set to RIP-1.
Multicast: Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.
DHCP Setup
DHCP: DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients (workstations) to obtain TCP/IP configuration at startup from a server. Unless you are instructed by your ISP, leave this field set to Server. When configured as a server, the ZyWALL provides TCP/IP configuration for the clients. When set as a server, fill in the IP Pool Starting Address and Pool Size fields. Select Relay to have the ZyWALL forward DHCP requests to another DHCP server. When set to Relay, fill in the DHCP Server Address field. Select None to stop the ZyWALL from acting as a DHCP server. When you select None, you must have another DHCP server on your LAN, or else the computers must be manually configured.
IP Pool Starting Address: This field specifies the first of the contiguous addresses in the IP address pool.
Pool Size: This field specifies the size, or count, of the IP address pool.
DHCP Server Address: Type the IP address of the DHCP server to which you want the ZyWALL to relay DHCP requests. Use dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address.
Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls. However, it may sometimes be necessary to allow NetBIOS packets to pass through to the WAN in order to find a computer on the WAN.
Allow between LAN and WAN: Select this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. If your firewall is enabled with the default policy set to block WAN to LAN traffic, you also need to enable the default WAN to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the LAN to the WAN and from the WAN to the LAN.
Allow between LAN and DMZ: Select this check box to forward NetBIOS packets from the LAN to the DMZ and from the DMZ to the LAN. If your firewall is enabled with the default policy set to block DMZ to LAN traffic, you also need to enable the default DMZ to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the LAN to the DMZ and from the DMZ to the LAN.
Allow between LAN and WLAN: Select this check box to forward NetBIOS packets from the LAN to the WLAN and from the WLAN to the LAN. Clear this check box to block all NetBIOS packets going from the LAN to the WLAN and from the WLAN to the LAN.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
5.6 LAN Static DHCP
This table allows you to assign IP addresses on the LAN to specific individual computers
based on their MAC Addresses.
Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address
is assigned at the factory and consists of six pairs of hexadecimal characters, for example,
00:A0:C5:00:00:02.
To change your ZyWALL’s static DHCP settings, click NETWORK, LAN and then the
Static DHCP tab. The screen appears as shown.
Figure 36 LAN Static DHCP
The following table describes the labels in this screen.
Table 23 LAN Static DHCP
#: This is the index number of the Static IP table entry (row).
MAC Address: Type the MAC address of a computer on your LAN.
IP Address: Type the IP address that you want to assign to the computer on your LAN. Alternatively, click the right mouse button to copy and/or paste the IP address.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
5.7 LAN IP Alias
IP alias allows you to partition a physical network into different logical networks over the
same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single
physical Ethernet interface with the ZyWALL itself as the gateway for each LAN network.
When you use IP alias, you can also configure firewall rules to control access between the
LAN's logical networks (subnets).
Note: Make sure that the subnets of the logical networks do not overlap.
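Two of the rules in this chapter are easy to check offline before touching the ZyWALL: the logical LAN subnets (main LAN plus IP aliases, three in total) must not overlap, and Static DHCP entries (section 5.6) must not reuse addresses from the DHCP pool. The following added example (not part of the ZyXEL guide) applies both checks to a constructed LAN plan using the factory defaults quoted in section 5.3.1; the function names and the sample table are hypothetical.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Added example, not from the ZyXEL guide: offline sanity checks for a LAN plan
# made of the main LAN, up to two IP alias networks (section 5.7), the DHCP
# pool and the Static DHCP table (section 5.6).

# A MAC address is six pairs of hexadecimal characters, e.g. 00:A0:C5:00:00:02.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Factory LAN defaults quoted from section 5.3.1.
DEFAULT_LAN = ("192.168.1.1", "255.255.255.0")
DEFAULT_POOL_START = "192.168.1.33"
DEFAULT_POOL_SIZE = 128


def logical_lans(lan: Tuple[str, str], aliases: List[Tuple[str, str]]) -> List[ipaddress.IPv4Network]:
    """Networks of the main LAN and each enabled IP alias (at most two aliases)."""
    if len(aliases) > 2:
        raise ValueError("the ZyWALL supports three logical LAN interfaces in total")
    # strict=False: the ZyWALL's own address is a host on the network, not the network number.
    return [ipaddress.IPv4Network(f"{ip}/{mask}", strict=False) for ip, mask in [lan, *aliases]]


def overlapping_lans(nets: List[ipaddress.IPv4Network]) -> List[str]:
    """Pairs of logical networks whose subnets overlap (the guide says they must not)."""
    return [f"{a} overlaps {b}" for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def dhcp_pool(start: str, size: int) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """First and last address handed out by the DHCP server (IP Pool Starting Address + Pool Size)."""
    first = ipaddress.IPv4Address(start)
    return first, first + (size - 1)


def static_dhcp_problems(entries: Dict[str, str], nets, pool) -> List[str]:
    """Check each MAC -> IP mapping of the Static DHCP table.

    An entry must use a well-formed MAC, an address inside one of the logical
    LANs, an address outside the dynamic DHCP pool and an address that no
    other entry already claims.
    """
    problems = []
    seen = {}
    pool_first, pool_last = pool
    for mac, ip in entries.items():
        if not MAC_RE.match(mac):
            problems.append(f"{mac}: not a MAC address of six hexadecimal pairs")
        addr = ipaddress.IPv4Address(ip)
        if not any(addr in net for net in nets):
            problems.append(f"{mac}: {ip} is not on any logical LAN")
        if pool_first <= addr <= pool_last:
            problems.append(f"{mac}: {ip} lies inside the DHCP pool {pool_first}-{pool_last}")
        if addr in seen:
            problems.append(f"{mac}: {ip} is already assigned to {seen[addr]}")
        seen.setdefault(addr, mac)
    return problems


if __name__ == "__main__":
    # Constructed sample configuration with two deliberate mistakes.
    nets = logical_lans(DEFAULT_LAN, [("192.168.2.1", "255.255.255.0"),
                                      ("192.168.1.129", "255.255.255.128")])
    print(overlapping_lans(nets))  # the second alias overlaps the main LAN
    table = {"00:A0:C5:00:00:02": "192.168.1.10",
             "00:A0:C5:00:00:03": "192.168.1.40",  # inside the default pool
             "00A0C5000004": "192.168.2.20"}       # malformed MAC
    print(static_dhcp_problems(table, nets, dhcp_pool(DEFAULT_POOL_START, DEFAULT_POOL_SIZE)))
```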
The following figure shows a LAN divided into subnets A, B, and C.
Figure 37 Physical Network & Partitioned Logical Networks
To change your ZyWALL’s IP alias settings, click NETWORK, LAN and then the IP Alias
tab. The screen appears as shown.
Figure 38 LAN IP Alias
The following table describes the labels in this screen.
Table 24 LAN IP Alias
Enable IP Alias 1, 2: Select the check box to configure another LAN network for the ZyWALL.
IP Address: Enter the IP address of your ZyWALL in dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address.
IP Subnet Mask: Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
RIP Direction: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received.
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, RIP direction is set to Both and the Version set to RIP-1.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
5.8 LAN Port Roles
Use the Port Roles screen to set ports as LAN, DMZ or WLAN interfaces. The LAN port role
is not available on all models.
Connect wireless LAN Access Points (APs) to WLAN interfaces to extend the ZyWALL’s
wireless LAN coverage. The WLAN port role allows the ZyWALL’s firewall to treat traffic
from connected APs as part of the ZyWALL’s WLAN. You can specify firewall rules for
traffic going to or from the WLAN. The WLAN includes the ZyWALL’s own WLAN and the
Ethernet ports in the WLAN port role.
The following figure shows the ZyWALL with a wireless card installed and an AP connected
to an Ethernet port in the WLAN port role.
Figure 39 WLAN Port Role Example
Note: Do the following if you are configuring from a computer connected to a LAN, DMZ or WLAN port and changing the port's role:
1. A port's IP address varies as its role changes, so make sure your computer's IP address is in the same subnet as the ZyWALL's LAN, DMZ or WLAN IP address.
2. Use the appropriate LAN, DMZ or WLAN IP address to access the ZyWALL.
To change your ZyWALL’s port role settings, click NETWORK, LAN and then the Port
Roles tab. The screen appears as shown.
The radio buttons on the left correspond to Ethernet ports on the front panel of the ZyWALL.
Ports 1 to 4 are all LAN ports by default. The radio buttons on the right are for the wireless
card.
Note: Your changes are also reflected in the DMZ Port Roles and WLAN Port Roles
screens.
Figure 40 LAN Port Roles
The following table describes the labels in this screen.
Table 25 LAN Port Roles
LAN: Select a port’s LAN radio button to use the port as part of the LAN. The port will use the LAN IP address and MAC address.
DMZ: Select a port’s DMZ radio button to use the port as part of the DMZ. The port will use the DMZ IP address and MAC address.
WLAN: When you have the wireless card set to WLAN, you can select a port’s WLAN radio button to use the port as part of the WLAN. The port will use the ZyWALL’s WLAN IP address and the MAC address of the WLAN card.
Note: You must install a wireless card to use the WLAN port role. See Appendix A on page 664 for how to install a WLAN card.
Wireless Card: Select LAN to use the wireless card as part of the LAN. Select DMZ to use the wireless card as part of the DMZ. Select WLAN to use the wireless card as part of the WLAN. The ZyWALL restarts after you change the wireless card setting.
Note: If you set the wireless card to be part of the LAN or DMZ, you can still use wireless access, but not the WLAN interface in the firewall. The firewall will treat the wireless card as part of the LAN or DMZ respectively.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
After you change the LAN/DMZ/WLAN port roles and click Apply, please wait a few
seconds until the following screen appears. Click Return to go back to the Port Roles screen.
Figure 41 Port Roles Change Complete
CHAPTER 6
Bridge Screens
This chapter describes how to configure bridge settings. This chapter is only applicable when
the ZyWALL is in bridge mode.
6.1 Bridge Loop
The ZyWALL can act as a bridge between a switch and a wired LAN or between two routers.
Be careful to avoid bridge loops when you enable bridging in the ZyWALL. Bridge loops
cause broadcast traffic to circle the network endlessly, resulting in possible throughput
degradation and disruption of communications. The following example shows the network
topology that can lead to this problem:
• If your ZyWALL (in bridge mode) is connected to a wired LAN while communicating
with another bridge or a switch that is also connected to the same wired LAN as shown
next.
Figure 42 Bridge Loop: Bridge Connected to Wired LAN
To prevent bridge loops, ensure that your ZyWALL is not set to bridge mode while connected
to two wired segments of the same LAN, or enable RSTP in the Bridge screen.
6.2 Spanning Tree Protocol (STP)
STP detects and breaks network loops and provides backup links between switches, bridges or
routers. It allows a bridge to interact with other STP-compliant bridges in your network to
ensure that only one route exists between any two stations on the network.
6.2.1 Rapid STP
The ZyWALL uses IEEE 802.1w RSTP (Rapid Spanning Tree Protocol), which allows faster
convergence of the spanning tree (while also being backwards compatible with STP-only
aware bridges). With RSTP, topology change information does not have to propagate to the
root bridge, and unwanted learned addresses are flushed from the filtering database. In RSTP,
the port states are Discarding, Learning, and Forwarding.
6.2.2 STP Terminology
The root bridge is the base of the spanning tree; it is the bridge with the lowest identifier value
(MAC address).
Path cost is the cost of transmitting a frame from the root bridge to that port. It is assigned
according to the speed of the link to which a port is attached. The slower the media, the higher
the cost - see the next table.
Table 26 STP Path Costs
            LINK SPEED   RECOMMENDED VALUE   RECOMMENDED RANGE   ALLOWED RANGE
Path Cost   4Mbps        250                 100 to 1000         1 to 65535
Path Cost   10Mbps       100                 50 to 600           1 to 65535
Path Cost   16Mbps       62                  40 to 400           1 to 65535
Path Cost   100Mbps      19                  10 to 60            1 to 65535
Path Cost   1Gbps        4                   3 to 10             1 to 65535
Path Cost   10Gbps       2                   1 to 5              1 to 65535
On each bridge, the root port is the port through which this bridge communicates with the root.
It is the port on this switch with the lowest path cost to the root (the root path cost). If there is
no root port, then this bridge has been accepted as the root bridge of the spanning tree network.
For each LAN segment, a designated bridge is selected. This bridge has the lowest cost to the
root among the bridges connected to the LAN.
6.2.3 How STP Works
After a bridge determines the lowest cost-spanning tree with STP, it enables the root port and
the ports that are the designated ports for connected LANs, and disables all other ports that
participate in STP. Network packets are therefore only forwarded between enabled ports,
eliminating any possible network loops.
STP-aware bridges exchange Bridge Protocol Data Units (BPDUs) periodically. When the
bridged LAN topology changes, a new spanning tree is constructed.
Once a stable network topology has been established, all bridges listen for Hello BPDUs
(Bridge Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello
BPDU after a predefined interval (Max Age), the bridge assumes that the link to the root
bridge is down. This bridge then initiates negotiations with other bridges to reconfigure the
network to re-establish a valid network topology.
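To make the terms in this section concrete, here is an added example (not ZyXEL code and not from the guide) that elects a root bridge and computes each bridge's root path cost and root port over a constructed three-bridge loop, using the recommended path costs from Table 26. The bridge identifier is formed the 802.1D way, priority first and then MAC address, so the Bridge Priority field decides before the MAC does; the topology, MAC addresses, link speeds and all function names are this example's own.

```python
"""Root bridge election and root path cost, for the STP terms in Section 6.2.2.

Added example, not ZyXEL code. Bridge identifiers are built the 802.1D way
(priority first, then MAC address), so a lower Bridge Priority wins even
against a lower MAC; the topology, MAC addresses and link speeds are
constructed for the example. Path costs come from Table 26's recommended values.
"""

import heapq

# Recommended path cost per link speed (Mbps), from Table 26.
PATH_COST = {4: 250, 10: 100, 16: 62, 100: 19, 1000: 4, 10000: 2}


def bridge_id(priority: int, mac: str) -> tuple:
    """Bridge identifier as (priority, MAC) so tuple comparison orders like 802.1D."""
    if not 0 <= priority <= 61440:
        raise ValueError("bridge priority must be between 0 and 61440")
    return (priority, int(mac.replace(":", ""), 16))


def elect_root(bridges: dict) -> str:
    """bridges maps name -> (priority, mac). The lowest identifier becomes the root."""
    return min(bridges, key=lambda n: bridge_id(*bridges[n]))


def root_path_costs(links: list, root: str) -> dict:
    """Dijkstra over (bridge_a, bridge_b, speed_mbps) links.

    Returns name -> (root path cost, neighbour reached through the root port).
    The root itself has cost 0 and no root port.
    """
    adj = {}
    for a, b, speed in links:
        cost = PATH_COST[speed]
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    best = {root: (0, None)}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue  # stale heap entry
        for nxt, c in adj.get(node, []):
            new = cost + c
            if nxt not in best or new < best[nxt][0]:
                best[nxt] = (new, node)
                heapq.heappush(heap, (new, nxt))
    return best


# Constructed topology: a ZyWALL in bridge mode plus two switches forming a loop.
BRIDGES = {
    "zywall": (32768, "00:a0:c5:00:00:10"),
    "sw1":    (4096,  "00:a0:c5:00:00:ff"),   # lowest priority -> root
    "sw2":    (32768, "00:a0:c5:00:00:01"),   # lowest MAC, but loses on priority
}
LINKS = [
    ("sw1", "zywall", 100),    # cost 19
    ("sw1", "sw2", 1000),      # cost 4
    ("sw2", "zywall", 1000),   # cost 4
]

if __name__ == "__main__":
    root = elect_root(BRIDGES)
    for name, (cost, via) in root_path_costs(LINKS, root).items():
        print(f"{name}: root path cost {cost}, root port towards {via}")
```

With the constructed topology, sw1 wins the election on priority even though sw2 has the lowest MAC address, and the ZyWALL's root port is the one facing sw2 (cost 4 + 4 = 8) rather than the direct 100 Mbps link to sw1 (cost 19). That direct link is the one left out of the tree, which is how STP breaks a loop like the one described in Section 6.1.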
6.2.4 STP Port States
STP assigns five port states (see next table) to eliminate packet looping. A bridge port is not
allowed to go directly from blocking state to forwarding state so as to eliminate transient
loops.
Table 27 STP Port States
Disabled: STP is disabled (default).
Blocking: Only configuration and management BPDUs are received and processed.
Listening: All BPDUs are received and processed.
Learning: All BPDUs are received and processed. Information frames are submitted to the learning process but not forwarded.
Forwarding: All BPDUs are received and processed. All information frames are received and forwarded.
6.3 Bridge
Select Bridge and click Apply in the MAINTENANCE Device Mode screen to have the
ZyWALL function as a bridge.
Click NETWORK, BRIDGE to display the screen shown next. Use this screen to configure
bridge and RSTP (Rapid Spanning Tree Protocol) settings.
Figure 43 Bridge
The following table describes the labels in this screen.
Table 28 Bridge
Bridge IP Address Setup
IP Address: Type the IP address of your ZyWALL in dotted decimal notation.
IP Subnet Mask: The subnet mask specifies the network number portion of an IP address.
Gateway IP Address: Enter the gateway IP address.
First/Second/Third DNS Server: DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The ZyWALL uses a system DNS server (in the order you specify here) to resolve domain names for content filtering, the time server, etc. If you have the IP address(es) of the DNS server(s), enter the DNS server's IP address(es) in the field(s) to the right.
Rapid Spanning Tree Protocol Setup
Enable Rapid Spanning Tree Protocol: Select the check box to activate RSTP on the ZyWALL.
Bridge Priority: Enter a number between 0 and 61440 as the bridge priority of the ZyWALL. 0 is the highest.
Bridge Hello Time: Enter an interval (between 1 and 10) in seconds that the root bridge waits before sending a hello packet.
Bridge Max Age: Enter an interval (between 6 and 40) in seconds that a bridge waits to get a Hello BPDU from the root bridge.
Forward Delay: Enter the length of time (between 4 and 30) in seconds that a bridge remains in the listening and learning port states. The default is 15 seconds.
Bridge Port: This is the bridge port type.
RSTP Active: Select the check box to enable RSTP on the corresponding port.
RSTP Priority 0 (Highest) ~ 240 (Lowest): Enter a number between 0 and 240 as the RSTP priority for the corresponding port. 0 is the highest.
RSTP Path Cost 1 (Lowest) ~ 65535 (Highest): Enter a number between 1 and 65535 as the RSTP path cost for the corresponding port. 65535 is the highest.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
6.4 Bridge Port Roles
Use the Port Roles screen to set ports as LAN, DMZ or WLAN interfaces. The LAN port role
is not available on all models.
Connect wireless LAN Access Points (APs) to WLAN interfaces to extend the ZyWALL’s
wireless LAN coverage. The WLAN port role allows the ZyWALL’s firewall to treat traffic
from connected APs as part of the ZyWALL’s WLAN. You can specify firewall rules for
traffic going to or from the WLAN. The WLAN includes the ZyWALL’s own WLAN and the
Ethernet ports in the WLAN port role.
The following figure shows the ZyWALL with a wireless card installed and an AP connected
to an Ethernet port in the WLAN port role.
Figure 44 WLAN Port Role Example
To change your ZyWALL’s port role settings, click NETWORK, BRIDGE and then the Port
Roles tab. The screen appears as shown.
The radio buttons on the left correspond to Ethernet ports on the front panel of the ZyWALL.
Ports 1 to 4 are all DMZ ports on the ZyWALL 70 and all LAN ports on the ZyWALL 5 or
ZyWALL 35 by default. The radio buttons on the right are for the WLAN card.
Figure 45 Bridge Port Roles
The following table describes the labels in this screen.
Table 29 Bridge Port Roles
LAN: Select a port’s LAN radio button to use the port as part of the LAN. The port will use the LAN IP address and MAC address.
DMZ: Select a port’s DMZ radio button to use the port as part of the DMZ. The port will use the DMZ IP address and MAC address.
WLAN: When you have the wireless card set to WLAN, you can select a port’s WLAN radio button to use the port as part of the WLAN. The port will use the ZyWALL’s WLAN IP address and the MAC address of the WLAN card.
Note: You must install a wireless card to use the WLAN port role. See Appendix A on page 664 for how to install a WLAN card.
Wireless Card: Select LAN to use the wireless card as part of the LAN. Select DMZ to use the wireless card as part of the DMZ. Select WLAN to use the wireless card as part of the WLAN. The ZyWALL restarts after you change the wireless card setting.
Note: If you set the wireless card to be part of the LAN or DMZ, you can still use wireless access, but not the WLAN interface in the firewall. The firewall will treat the wireless card as part of the LAN or DMZ respectively.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
After you change the LAN/DMZ/WLAN port roles and click Apply, please wait a few
seconds until the following screen appears. Click Return to go back to the Port Roles screen.
Figure 46 Port Roles Change Complete
CHAPTER 7
WAN Screens
This chapter describes how to configure WAN settings. Multiple WAN and load balancing are
not available on the ZyWALL 5.
7.1 WAN Overview
• Use the WAN General screen to configure load balancing, route priority and traffic
redirect properties for the ZyWALL 70 and ZyWALL 35.
• Use the WAN Route screen to configure route priority for the ZyWALL 5.
• Use the WAN1 screen to configure the WAN1 port for Internet access on the ZyWALL 70
and ZyWALL 35.
• Use the WAN2 screen to configure the WAN2 port for Internet access on the ZyWALL 70
and ZyWALL 35.
• Use the WAN screen to configure the WAN port for Internet access on the ZyWALL 5.
• Use the Traffic Redirect screen to configure your traffic redirect properties and
parameters.
• Use the Dial Backup screen to configure the backup WAN dial-up connection.
7.2 Multiple WAN
You can use a second connection for load sharing to increase overall network throughput or as
a backup to enhance network reliability.
The ZyWALL has two WAN ports. You can connect one port to one ISP (or network) and
connect the other to a second ISP (or network).
The ZyWALL can balance the load between the two WAN ports (see Section 7.3 on page
131).
You can use policy routing to specify the WAN port that specific services go through. An ISP
may give traffic from certain (more expensive) connections priority over the traffic from other
accounts. You could route delay intolerant traffic (like voice over IP calls) through this kind of
connection. Other traffic could be routed through a cheaper broadband Internet connection that
does not provide priority service. If one WAN port's connection goes down, the ZyWALL can
automatically send its traffic through the other WAN port. See Chapter 24 on page 396 for
details.
The ZyWALL's NAT feature allows you to configure sets of rules for one WAN port and
separate sets of rules for the other WAN port. Refer to Chapter 22 on page 374 for details.
You can select through which WAN port you want to send out traffic from UPnP-enabled
applications (see Chapter 28 on page 456).
The ZyWALL's DDNS lets you select which WAN interface you want to use for each
individual domain name. The DDNS high availability feature lets you have the ZyWALL use
the other WAN interface for a domain name if the configured WAN interface's connection
goes down. See Section 26.10.2 on page 428 for details.
When configuring a VPN rule, you have the option of selecting one of the ZyWALL's domain
names in the My Address field.
7.3 Load Balancing Introduction
On the ZyWALL, load balancing is the process of dividing traffic loads between the two WAN
interfaces (or ports). This allows you to improve quality of services and maximize bandwidth
utilization.
See also policy routing to provide quality of service by dedicating a route for a specific traffic
type and bandwidth management to specify a set amount of bandwidth for a specific traffic
type on an interface.
7.4 Load Balancing Algorithms
The ZyWALL uses three load balancing methods (Least Load First, Weighted Round Robin
and Spillover) to decide which WAN port the traffic for a session¹ (from the LAN) should
use.
The following sections describe each load balancing method. The available bandwidth you
configure on the ZyWALL refers to the actual bandwidth provided by the ISP, and the
measured bandwidth refers to the bandwidth an interface is currently using.
7.4.1 Least Load First
The least load first algorithm uses the current (or recent) outbound and/or inbound bandwidth
utilization of each WAN interface as the load balancing index(es) when making decisions
about to which WAN interface a new LAN-originated session is to be distributed. The
outbound bandwidth utilization is defined as the measured outbound throughput over the
available outbound bandwidth and the inbound bandwidth utilization is defined as the
measured inbound throughput over the available inbound bandwidth.
¹ In the load balancing section, a session may refer to normal connection-oriented, UDP and SNMP² traffic.
7.4.1.1 Example 1
The following figure depicts an example where both the WAN ports on the ZyWALL are
connected to the Internet. The configured available outbound bandwidths for WAN 1 and
WAN 2 are 512K and 256K respectively.
Figure 47 Least Load First Example
If the outbound bandwidth utilization is used as the load balancing index and the measured
outbound throughput of WAN 1 is 412K and WAN 2 is 198K, the ZyWALL calculates the
load balancing index as shown in the table below.
Since WAN 2 has a smaller load balancing index (meaning that it is less utilized than WAN 1),
the ZyWALL will send the subsequent new session traffic through WAN 2.
Table 30 Least Load First: Example 1
INTERFACE   OUTBOUND AVAILABLE (A)   OUTBOUND MEASURED (M)   LOAD BALANCING INDEX (M/A)
WAN 1       512 K                    412 K                   0.8
WAN 2       256 K                    198 K                   0.77
7.4.1.2 Example 2
This example uses the same network scenario as in Figure 47 on page 132, but uses both the
outbound and inbound bandwidth utilization in calculating the load balancing index. If the
measured inbound stream throughput for both WAN 1 and WAN 2 is 102K, the ZyWALL
calculates the average load balancing indices as shown in the table below.
Since WAN 1 has a smaller load balancing index (meaning that it is less utilized than WAN 2),
the ZyWALL will send the next new session traffic through WAN 1.
Table 31 Least Load First: Example 2
INTERFACE   OUTBOUND AVAILABLE (OA)   OUTBOUND MEASURED (OM)   INBOUND AVAILABLE (IA)   INBOUND MEASURED (IM)   AVERAGE LOAD BALANCING INDEX (OM/OA + IM/IA) / 2
WAN 1       512 K                     412 K                    256 K                    102 K                   (0.8 + 0.4) / 2 = 0.6
WAN 2       256 K                     198 K                    128 K                    102 K                   (0.77 + 0.8) / 2 = 0.79
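The arithmetic behind Examples 1 and 2, as an added example (not ZyXEL code and not from the guide): it computes the load balancing index for each of the screen's three Load Balancing Index(es) choices from the figures in Tables 30 and 31 and picks the interface for the next new session. The data class, the function names and the tie-breaking rule (first listed interface wins, which the guide does not specify) are this example's own.

```python
"""Least Load First index calculation, as described in Section 7.4.1.

Added example, not ZyXEL code: it reproduces the arithmetic of Tables 30 and 31
so the two worked examples can be checked. Bandwidth figures are in kbps as in
the tables; the class, function names and tie-breaking are this example's own.
"""

from dataclasses import dataclass
from typing import Optional


@dataclass
class WanLoad:
    name: str
    out_available: float                  # configured outbound bandwidth (kbps)
    out_measured: float                   # measured outbound throughput (kbps)
    in_available: Optional[float] = None  # configured inbound bandwidth (kbps)
    in_measured: Optional[float] = None   # measured inbound throughput (kbps)

    def outbound_index(self) -> float:
        # utilisation = measured throughput / available bandwidth
        return self.out_measured / self.out_available

    def inbound_index(self) -> float:
        if self.in_available is None or self.in_measured is None:
            raise ValueError(f"{self.name}: inbound bandwidth figures not configured")
        return self.in_measured / self.in_available


def load_index(wan: WanLoad, mode: str) -> float:
    """Load balancing index for one interface.

    mode is one of the screen's choices: "outbound" (Outbound Only),
    "inbound" (Inbound Only) or "outbound+inbound", which averages the two
    utilisations exactly as Table 31 does.
    """
    if mode == "outbound":
        return wan.outbound_index()
    if mode == "inbound":
        return wan.inbound_index()
    if mode == "outbound+inbound":
        return (wan.outbound_index() + wan.inbound_index()) / 2
    raise ValueError(f"unknown load balancing index mode: {mode}")


def least_load_first(wans, mode: str) -> str:
    """Name of the interface that receives the next new session.

    The least utilised interface wins. On a tie the interface listed first
    is chosen; the guide does not say how the ZyWALL breaks ties, so that
    part is an assumption of this example.
    """
    return min(wans, key=lambda w: load_index(w, mode)).name


# Figures from Table 30 / Table 31 (the guide's own examples).
WAN1 = WanLoad("WAN1", out_available=512, out_measured=412,
               in_available=256, in_measured=102)
WAN2 = WanLoad("WAN2", out_available=256, out_measured=198,
               in_available=128, in_measured=102)

if __name__ == "__main__":
    for mode in ("outbound", "outbound+inbound"):
        for w in (WAN1, WAN2):
            print(f"{mode:17} {w.name}: index {load_index(w, mode):.2f}")
        print(f"{mode:17} next session -> {least_load_first([WAN1, WAN2], mode)}")
```

Run stand-alone it reproduces both tables: with the outbound index alone WAN2 (0.77) beats WAN1 (0.8), and once inbound utilisation is averaged in WAN1 (0.6) beats WAN2 (0.79), so the same traffic figures can send the next session to different interfaces depending on which index you select.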
7.4.2 Weighted Round Robin
Similar to the Round Robin (RR) algorithm, the Weighted Round Robin (WRR) algorithm sets
the ZyWALL to send traffic through each WAN interface in turn. In addition, the WAN
interfaces are assigned weights. An interface with a larger weight gets more of the traffic than
an interface with a smaller weight.
This algorithm is best suited for situations when the bandwidths set for the two WAN
interfaces are different.
For example, in the figure below, the configured available bandwidth of WAN1 is 1M and
WAN2 is 512K. You can set the ZyWALL to distribute the network traffic between the two
interfaces by setting the weight of WAN1 and WAN2 to 2 and 1 respectively. The ZyWALL
assigns the traffic of two sessions to WAN1 for every session's traffic assigned to WAN2.
Figure 48 Weighted Round Robin Algorithm Example
7.4.3 Spillover
With the spillover load balancing algorithm, the ZyWALL sends network traffic to the primary
interface until the maximum allowable load is reached, then the ZyWALL sends the excess
network traffic of new sessions to the secondary WAN interface. Configure the Route
Priority metrics in the WAN General screen to determine the primary and secondary WANs.
In cases where the primary WAN interface uses an unlimited access Internet connection and
the secondary WAN uses a per-use timed access plan, the ZyWALL will only use the
secondary WAN interface when the traffic load reaches the upper threshold on the primary
WAN interface. This allows you to fully utilize the bandwidth of the primary WAN interface
while avoiding overloading it and reducing Internet connection fees at the same time.
In the following example figure, the upper threshold of the primary WAN interface is set to
800K. The ZyWALL sends network traffic of new sessions that exceeds this limit to the
secondary WAN interface.
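The session assignment described in Sections 7.4.2 and 7.4.3, as an added example (not ZyXEL code and not from the guide): one function hands out new sessions in weighted turns with the 2:1 ratio from Figure 48, the other applies the 800K spillover threshold from Figure 49 to a run of measured loads. The function names, the order in which an interface's weighted turns are taken, the treatment of a load exactly equal to the threshold, and the load measurements are this example's own assumptions.

```python
"""Weighted Round Robin and Spillover session assignment (Sections 7.4.2 and 7.4.3).

Added example, not ZyXEL code. It models how the ZyWALL hands new sessions to
the two WAN interfaces under each algorithm; the function names, the order in
which an interface's weighted turns are taken, and the constructed load
measurements are this example's own assumptions. Bandwidth figures are in kbps.
"""

from itertools import cycle


def weighted_round_robin(weights: dict, session_count: int) -> list:
    """Assign session_count new sessions to the interfaces in turn, by weight.

    weights maps interface name -> Ratio value. With WAN1=2 and WAN2=1, two
    sessions go to WAN1 for every one that goes to WAN2 (Figure 48). A weight
    of 0 means the interface never receives new sessions, as the Ratio field
    description states.
    """
    if any(not isinstance(w, int) or w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative integers")
    # Expand the weights into one cycle: all of WAN1's turns, then WAN2's.
    # (The guide does not specify the interleaving; this order is an assumption.)
    turn_order = [name for name, w in weights.items() for _ in range(w)]
    if not turn_order:
        raise ValueError("every interface has weight 0; nothing can carry traffic")
    picker = cycle(turn_order)
    return [next(picker) for _ in range(session_count)]


def spillover_decisions(primary_loads, threshold: float,
                        primary: str = "WAN1", secondary: str = "WAN2") -> list:
    """Decide, per Time Frame measurement, where a new session goes under Spillover.

    primary_loads is the sequence of measured bandwidths (kbps) on the primary
    WAN; threshold is the "Send traffic to secondary WAN when primary WAN
    bandwidth exceeds" value (800K in Figure 49). Existing sessions are never
    moved, so only the interface for the next new session is returned. A load
    exactly equal to the threshold is treated as not exceeding it (assumption).
    """
    if threshold <= 0:
        raise ValueError("threshold must be positive")
    return [secondary if load > threshold else primary for load in primary_loads]


if __name__ == "__main__":
    print(weighted_round_robin({"WAN1": 2, "WAN2": 1}, 6))
    # Constructed measurements: the primary load climbs past 800K, then drops back.
    print(spillover_decisions([300, 650, 820, 900, 700], threshold=800))
```

Note the difference in what each algorithm reacts to: Weighted Round Robin never looks at measured load, so a congested WAN1 still gets two of every three new sessions, while Spillover ignores the ratio entirely and only moves new sessions once the primary's measured bandwidth passes the threshold.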
Figure 49 Spillover Algorithm Example
7.5 TCP/IP Priority (Metric)
The metric represents the "cost of transmission". A router determines the best route for
transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the
measurement of cost, with a minimum of "1" for directly connected networks. The number
must be between "1" and "15"; a number greater than "15" means the link is down. The
smaller the number, the lower the "cost".
1. The metric sets the priority for the ZyWALL's routes to the Internet. Each route must have a unique metric.
2. The priorities of the WAN port routes must always be higher than the dial-backup and traffic redirect route priorities.
Take a ZyWALL with multiple WAN ports as an example. Let's say that you have the WAN
operation mode set to active/passive and the WAN 1 route has a metric of "2", the WAN 2
route has a metric of "3", the traffic-redirect route has a metric of "14" and the dial-backup
route has a metric of "15". In this case, the WAN 1 route acts as the primary default route. If
the WAN 1 route fails to connect to the Internet, the ZyWALL tries the WAN 2 route next. If
the WAN 2 route fails, the ZyWALL tries the traffic-redirect route. In the same manner, the
ZyWALL uses the dial-backup route if the traffic-redirect route also fails.
For a ZyWALL with a single WAN port, if the WAN port route has a metric of "1" and the
traffic-redirect route has a metric of "2" and dial-backup route has a metric of "3", then the
WAN port route acts as the primary default route. If the WAN port route fails to connect to the
Internet, the ZyWALL tries the traffic-redirect route next. In the same manner, the ZyWALL
uses the dial-backup route if the traffic-redirect route also fails.
The dial-backup or traffic redirect routes cannot take priority over the WAN (or WAN 1 and
WAN 2) routes.
7.6 WAN General
Click NETWORK, WAN to open the General screen. Use this screen to configure load
balancing, route priority and traffic redirect properties.
Figure 50 WAN General
The following table describes the labels in this screen.
Table 32 WAN General
Active/Passive (Fail Over) Mode: Select the Active/Passive (fail over) operation mode to have the ZyWALL use the second highest priority WAN port as a backup. This means that the ZyWALL will normally use the highest priority (primary) WAN port (depending on the priorities you configure in the Route Priority fields). The ZyWALL will switch to the secondary (second highest priority) WAN port when the primary WAN port's connection fails.
Fall Back to Primary WAN When Possible: This field determines the action the ZyWALL takes after the primary WAN port fails and the ZyWALL starts using the secondary WAN port. Select this check box to have the ZyWALL change back to using the primary WAN port when the ZyWALL can connect through the primary WAN port again. Clear this check box to have the ZyWALL continue using the secondary WAN port, even after the ZyWALL can connect through the primary WAN port again. The ZyWALL continues to use the secondary WAN port until its connection fails (at which time it will change back to using the primary WAN port if its connection is up).
Active/Active Mode: Select Active/Active Mode to have the ZyWALL use both of the WAN ports at the same time and allow you to enable load balancing.
Load Balancing Algorithm: Select Least Load First, Weighted Round Robin or Spillover to activate load balancing and set the related fields. Otherwise, select None. Refer to Section 7.7 on page 137 for load balancing configuration.
Route Priority (WAN1, WAN2, Traffic Redirect, Dial Backup): The default WAN connection is "1" as your broadband connection via the WAN port should always be your preferred method of accessing the WAN. The ZyWALL switches from WAN port 1 to WAN port 2 if WAN port 1's connection fails and then back to WAN port 1 when WAN port 1's connection comes back up. The default priority of the routes is WAN 1, WAN 2, Traffic Redirect and then Dial Backup. You have three choices for an auxiliary connection (WAN 2, Traffic Redirect and Dial Backup) in the event that your regular WAN connection goes down. If Dial Backup is preferred to Traffic Redirect, then type "14" in the Dial Backup Priority (metric) field (and leave the Traffic Redirect Priority (metric) at the default of "15"). The Dial Backup field is available only when you enable the corresponding dial backup feature in the Dial Backup screen.
Connectivity Check
Check Period: The ZyWALL tests a WAN connection by periodically sending a ping to either the default gateway or the address in the Ping this Address field. Type a number of seconds (5 to 300) to set the time interval between checks. Allow more time if your destination IP address handles lots of traffic.
Check Timeout: Type the number of seconds (1 to 10) for your ZyWALL to wait for a response to the ping before considering the check to have failed. This setting must be less than the Check Period. Use a higher value in this field if your network is busy or congested.
Check Fail Tolerance: Type how many WAN connection checks can fail (1-10) before the connection is considered "down" (not connected). The ZyWALL still checks a "down" connection to detect if it reconnects.
Check WAN1/2 Connectivity: Select the check box to have the ZyWALL periodically test the respective WAN port's connection. Select Ping Default Gateway to have the ZyWALL ping the WAN port's default gateway IP address. Select Ping this Address and enter a domain name or IP address of a reliable nearby computer (for example, your ISP's DNS server address) to have the ZyWALL ping that address. For a domain name, use up to 63 alphanumeric characters (hyphens, periods and the underscore are also allowed) without spaces.
Check Traffic Redirection Connectivity: Select the check box to have the ZyWALL periodically test the traffic redirect connection. Select Ping Default Gateway to have the ZyWALL ping the backup gateway's IP address. Select Ping this Address and enter a domain name or IP address of a reliable nearby computer (for example, your ISP's DNS server address) to have the ZyWALL ping that address. For a domain name, use up to 63 alphanumeric characters (hyphens, periods and the underscore are also allowed) without spaces.
Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls.
Allow between WAN and LAN: Select this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. If your firewall is enabled with the default policy set to block WAN to LAN traffic, you also need to enable the default WAN to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the LAN to the WAN and from the WAN to the LAN.
Allow between WAN and DMZ: Select this check box to forward NetBIOS packets from the WAN to the DMZ and from the DMZ to the WAN. Clear this check box to block all NetBIOS packets going from the WAN to the DMZ and from the DMZ to the WAN.
Allow between WAN and WLAN: Select this check box to forward NetBIOS packets from the WLAN to the WAN and from the WAN to the WLAN. Clear this check box to block all NetBIOS packets going from the WLAN to the WAN and from the WAN to the WLAN.
Allow Trigger Dial: Select this option to allow NetBIOS packets to initiate calls.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
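The route priority rules of Section 7.5 and the connectivity check fields above (Check Fail Tolerance, Fall Back to Primary WAN When Possible) fit together in one small model, given here as an added example that is not ZyXEL code and not from the guide. It validates a set of metrics against the rules the guide states, counts failed checks per route, and selects the default route the way the guide describes, with both settings of the fall-back option. The class and function names, the behaviour when every route is down, and the ping-result sequence in run_scenario are this example's own assumptions.

```python
"""Route priority metrics and the connectivity check (Section 7.5 and Table 32).

Added example, not ZyXEL code. It checks the metric rules the guide states
(metrics 1 to 15, unique, WAN routes ahead of Traffic Redirect and Dial
Backup), counts failed checks against Check Fail Tolerance, and chooses the
default route the way the guide describes, including the "Fall Back to Primary
WAN When Possible" option. The class names, the behaviour when every route is
down, and the ping-result sequence in run_scenario are this example's own.
"""

WAN_ROUTE_NAMES = ("WAN", "WAN1", "WAN2")


def validate_metrics(metrics: dict) -> None:
    """metrics maps route name -> metric; raises ValueError on a rule violation."""
    for name, m in metrics.items():
        if not 1 <= m <= 15:
            raise ValueError(f"{name}: metric {m} must be between 1 and 15")
    if len(set(metrics.values())) != len(metrics):
        raise ValueError("each route must have a unique metric")
    wan = [m for n, m in metrics.items() if n in WAN_ROUTE_NAMES]
    aux = [m for n, m in metrics.items() if n not in WAN_ROUTE_NAMES]
    if wan and aux and max(wan) >= min(aux):
        raise ValueError("WAN routes must have lower metrics than "
                         "Traffic Redirect and Dial Backup")


def metrics_are_valid(metrics: dict) -> bool:
    try:
        validate_metrics(metrics)
        return True
    except ValueError:
        return False


class RouteMonitor:
    """Connectivity check state for one route."""

    def __init__(self, name: str, metric: int, fail_tolerance: int):
        if not 1 <= fail_tolerance <= 10:
            raise ValueError("Check Fail Tolerance must be between 1 and 10")
        self.name, self.metric, self.fail_tolerance = name, metric, fail_tolerance
        self.failures = 0
        self.up = True

    def record_check(self, ping_ok: bool) -> None:
        """Feed one periodic ping result; a "down" route keeps being checked."""
        if ping_ok:
            self.failures, self.up = 0, True
        else:
            self.failures += 1
            if self.failures >= self.fail_tolerance:
                self.up = False


class DefaultRouteSelector:
    """Picks the default route from the monitors' up/down state by metric."""

    def __init__(self, monitors, fall_back_to_primary: bool = True):
        validate_metrics({m.name: m.metric for m in monitors})
        self.monitors = sorted(monitors, key=lambda m: m.metric)
        self.fall_back = fall_back_to_primary
        self.current = self.monitors[0].name

    def select(self) -> str:
        up = [m.name for m in self.monitors if m.up]
        if not up:
            return self.current      # nothing is up; keep the last choice (assumption)
        if self.fall_back or self.current not in up:
            self.current = up[0]     # highest-priority route that is up
        return self.current


def run_scenario(fall_back_to_primary: bool) -> list:
    """Constructed sequence: WAN1 fails three checks in a row, then recovers."""
    wan1 = RouteMonitor("WAN1", 2, fail_tolerance=3)
    wan2 = RouteMonitor("WAN2", 3, fail_tolerance=3)
    redirect = RouteMonitor("Traffic Redirect", 14, fail_tolerance=3)
    dial = RouteMonitor("Dial Backup", 15, fail_tolerance=3)
    selector = DefaultRouteSelector([wan1, wan2, redirect, dial], fall_back_to_primary)
    history = [selector.select()]
    for ping_ok in (False, False, False, True):
        wan1.record_check(ping_ok)
        history.append(selector.select())
    return history


if __name__ == "__main__":
    print("fall back on :", run_scenario(True))
    print("fall back off:", run_scenario(False))
```

The scenario uses the metrics from the Section 7.5 example (2, 3, 14, 15) and a fail tolerance of 3: two failed checks leave WAN1 in use, the third marks it down and moves traffic to WAN2, and the next successful check brings WAN1 back only when the fall-back option is on. Note that the detection delay is roughly Check Period multiplied by Check Fail Tolerance, which is the trade-off to keep in mind when tuning those two fields.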
7.7 Configuring Load Balancing
To configure load balancing on the ZyWALL, click NETWORK, WAN in the navigation
panel. The WAN General screen displays by default. Select Active/Active Mode under
Operation Mode to enable load balancing on the ZyWALL.
The WAN General screen varies depending on what you select in the Load Balancing
Algorithm field.
7.7.1 Least Load First
To configure Least Load First, select Least Load First in the Load Balancing Algorithm
field.
Figure 51 Load Balancing: Least Load First
The following table describes the related fields in this screen.
Table 33 Load Balancing: Least Load First
Active/Active Mode: Select Active/Active Mode and set the related fields to enable load balancing on the ZyWALL.
Load Balancing Algorithm: Select a load balancing method to use from the drop-down list box.
Time Frame: You can set the ZyWALL to get the measured bandwidth using the average bandwidth in the specified time interval. Enter the time interval between 10 and 600 seconds.
Load Balancing Index(es): Specify the direction of the traffic utilization you want the ZyWALL to use in calculating the load balancing index. Select Outbound Only, Inbound Only or Outbound + Inbound.
Interface: This field displays the name of the WAN interface (WAN1 and WAN2).
Available Inbound Bandwidth: This field is applicable when you select Outbound + Inbound or Inbound Only in the Load Balancing Index(es) field. Specify the inbound (or downstream) bandwidth (in kilobits per second) for the interface.
Available Outbound Bandwidth: This field is applicable when you select Outbound + Inbound or Outbound Only in the Load Balancing Index(es) field. Specify the outbound (or upstream) bandwidth (in kilobits per second) for the interface.
7.7.2 Weighted Round Robin
To load balance using the weighted round robin method, select Weighted Round Robin in the
Load Balancing Algorithm field.
Figure 52 Load Balancing: Weighted Round Robin
The following table describes the related fields in this screen.
Table 34 Load Balancing: Weighted Round Robin
Active/Active Mode: Select Active/Active Mode and set the related fields to enable load balancing on the ZyWALL.
Load Balancing Algorithm: Select a load balancing method to use from the drop-down list box.
Interface: This field displays the name of the WAN interface (WAN1 and WAN2).
Ratio: Specify the weighted ratio for the interface. Enter 0 to set the ZyWALL not to send traffic load to the interface.
7.7.3 Spillover
To load balance using the spillover method, select Spillover in the Load Balancing
Algorithm field.
Configure the Route Priority metrics in the WAN General screen to determine the primary
and secondary WANs. By default, WAN1 is the primary WAN and WAN2 is the secondary
WAN.
Figure 53 Load Balancing: Spillover
The following table describes the related fields in this screen.
Table 35 Load Balancing: Spillover
Active/Active Mode: Select Active/Active Mode and set the related fields to enable load balancing on the ZyWALL.
Load Balancing Algorithm: Select a load balancing method to use from the drop-down list box.
Time Frame: You can set the ZyWALL to get the measured bandwidth using the average bandwidth in the specified time interval. Enter the time interval between 10 and 600 seconds.
Send traffic to secondary WAN when primary WAN bandwidth exceeds: Specify the maximum allowable bandwidth on the primary WAN. Once this maximum bandwidth is reached, the ZyWALL sends the new session traffic that exceeds this limit to the secondary WAN. The ZyWALL continues to send traffic of existing sessions to the primary WAN.
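The following simulation of the two Active/Active methods above (weighted round robin from Table 34 and spillover from Table 35) is an added example and not ZyXEL's code; the session ids, the per-second traffic samples and the exact dispatch order within a round robin cycle are assumptions, since the guide only defines what each field means.

```python
"""Added example (not ZyXEL's code): a simulation of the two Active/Active
load balancing methods described in Tables 34 and 35, weighted round robin
and spillover. Session ids, traffic samples and the dispatch order are
constructed assumptions; the page only defines the fields' meaning."""
from collections import deque
import itertools


class WeightedRoundRobin:
    """Hand out new sessions in proportion to each interface's Ratio.
    An interface with Ratio 0 receives no traffic at all (Table 34)."""

    def __init__(self, ratios: dict):
        # ratios example: {"WAN1": 3, "WAN2": 1}
        if any(r < 0 for r in ratios.values()) or not any(ratios.values()):
            raise ValueError("ratios must be >= 0 and at least one must be > 0")
        # Assumed dispatch order: each interface repeated Ratio times per cycle.
        self._cycle = itertools.cycle(
            [name for name, r in ratios.items() for _ in range(r)])

    def next_interface(self) -> str:
        return next(self._cycle)


class Spillover:
    """Send new sessions to the primary WAN until its bandwidth, averaged over
    the Time Frame, reaches the configured maximum; new sessions then spill
    to the secondary WAN while existing sessions stay where they are."""

    def __init__(self, max_kbps: float, time_frame_s: int,
                 primary: str = "WAN1", secondary: str = "WAN2"):
        if not 10 <= time_frame_s <= 600:
            raise ValueError("Time Frame must be between 10 and 600 seconds")
        self.max_kbps = max_kbps
        self.window = time_frame_s
        self.primary, self.secondary = primary, secondary
        self._samples = deque()   # (second, kbits sent on the primary in that second)
        self.sessions = {}        # session id -> interface it was assigned to

    def record(self, second: int, kbits: float) -> None:
        """Account kbits sent on the primary WAN during one second and drop
        samples that have fallen out of the averaging window."""
        self._samples.append((second, kbits))
        while self._samples and self._samples[0][0] <= second - self.window:
            self._samples.popleft()

    def measured_kbps(self) -> float:
        """Average bandwidth on the primary WAN over the Time Frame."""
        return sum(k for _, k in self._samples) / self.window

    def route(self, session_id: str) -> str:
        """Return the interface for a session; only new sessions are decided."""
        if session_id in self.sessions:
            return self.sessions[session_id]
        over_limit = self.measured_kbps() >= self.max_kbps
        iface = self.secondary if over_limit else self.primary
        self.sessions[session_id] = iface
        return iface


def demo() -> dict:
    """Constructed scenario: a 10 s window with a 1000 kbps limit on WAN1."""
    wrr = WeightedRoundRobin({"WAN1": 3, "WAN2": 1})
    wrr_order = [wrr.next_interface() for _ in range(8)]

    sp = Spillover(max_kbps=1000, time_frame_s=10)
    for t in range(10):            # light load: 500 kbps average
        sp.record(t, 500)
    first = sp.route("session-a")  # below the limit, so WAN1
    for t in range(10, 20):        # heavy load: 2000 kbps average
        sp.record(t, 2000)
    return {"wrr_order": wrr_order, "first": first,
            "new_under_load": sp.route("session-b"),       # spills to WAN2
            "existing_under_load": sp.route("session-a"),  # stays on WAN1
            "measured_kbps": sp.measured_kbps()}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```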
7.8 WAN Route
Click NETWORK, WAN to open the Route screen. Use this screen to configure route
priority.
Figure 54 WAN Route
The following table describes the labels in this screen.
Table 36 WAN Route
Route Priority (WAN, Traffic Redirect, Dial Backup): The default WAN connection is "1" as your broadband connection via the WAN port should always be your preferred method of accessing the WAN. The default priority of the routes is WAN, Traffic Redirect and then Dial Backup. You have two choices for an auxiliary connection (Traffic Redirect and Dial Backup) in the event that your regular WAN connection goes down. If Dial Backup is preferred to Traffic Redirect, then type "14" in the Dial Backup Priority (metric) field (and leave the Traffic Redirect Priority (metric) at the default of "15"). The Dial Backup field is available only when you enable the corresponding dial backup feature in the Dial Backup screen.
Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls.
Allow between WAN and LAN: Select this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. If your firewall is enabled with the default policy set to block WAN to LAN traffic, you also need to enable the default WAN to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the LAN to the WAN and from the WAN to the LAN.
Allow between WAN and DMZ: Select this check box to forward NetBIOS packets from the WAN to the DMZ and from the DMZ to the WAN. Clear this check box to block all NetBIOS packets going from the WAN to the DMZ and from the DMZ to the WAN.
Allow between WAN and WLAN: Select this check box to forward NetBIOS packets from the WLAN to the WAN and from the WAN to the WLAN. Clear this check box to block all NetBIOS packets going from the WLAN to the WAN and from the WAN to the WLAN.
Allow Trigger Dial: Select this option to allow NetBIOS packets to initiate calls.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
7.9 WAN IP Address Assignment
Every computer on the Internet must have a unique IP address. If your networks are isolated
from the Internet, for instance, only between your two branch offices, you can assign any IP
addresses to the hosts without problems. However, the Internet Assigned Numbers Authority
(IANA) has reserved the following three blocks of IP addresses specifically for private
networks.
Table 37 Private IP Address Ranges
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
You can obtain your IP address from the IANA, from an ISP or have it assigned by a private
network. If you belong to a small organization and your Internet access is through an ISP, the
ISP can provide you with the Internet addresses for your local networks. On the other hand, if
you are part of a much larger organization, you should consult your network administrator for
the appropriate IP addresses.
Note: Regardless of your particular situation, do not create an arbitrary IP address;
always follow the guidelines above. For more information on address
assignment, please refer to RFC 1597, Address Allocation for Private Internets
and RFC 1466, Guidelines for Management of IP Address Space.
7.10 DNS Server Address Assignment
Use DNS (Domain Name System) to map a domain name to its corresponding IP address and
vice versa, for instance, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is
extremely important because without it, you must know the IP address of a computer before
you can access it.
The ZyWALL can get the DNS server addresses in the following ways.
1 The ISP tells you the DNS server addresses, usually in the form of an information sheet,
when you sign up. If your ISP gives you DNS server addresses, manually enter them in
the DNS server fields.
2 If your ISP dynamically assigns the DNS server IP addresses (along with the ZyWALL’s
WAN IP address), set the DNS server fields to get the DNS server address from the ISP.
3 You can manually enter the IP addresses of other DNS servers. These servers can be
public or private. A DNS server could even be behind a remote IPSec router (see Section
26.5.1 on page 419).
7.11 WAN MAC Address
Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address
is assigned at the factory and consists of six pairs of hexadecimal characters, for example,
00:A0:C5:00:00:02.
You can configure the WAN port's MAC address by either using the factory default or cloning
the MAC address from a computer on your LAN. Once it is successfully configured, the
address will be copied to the "rom" file (ZyNOS configuration file). It will not change unless
you change the setting or upload a different "rom" file.
Table 38 Example of Network Properties for LAN Servers with Fixed IP Addresses
Choose an IP address: 192.168.1.2-192.168.1.32; 192.168.1.65-192.168.1.254.
Subnet mask: 255.255.255.0
Gateway (or default route): 192.168.1.1 (ZyWALL LAN IP)
7.12 WAN
To change your ZyWALL's WAN ISP, IP and MAC settings, click NETWORK, WAN and
then the WAN, WAN1 or WAN2 tab. The screen differs by the encapsulation.
Note: The WAN1 and WAN2 IP addresses of a ZyWALL with multiple WAN ports
must be on different subnets.
7.12.1 WAN Ethernet Encapsulation
For ISPs (such as Telstra) that send UDP heartbeat packets to verify that the customer is still
online, please create a WAN-to-WAN/ZyWALL firewall rule for those packets. Contact your
ISP to find the correct port number.
The screen shown next is for Ethernet encapsulation.
Figure 55 WAN: Ethernet Encapsulation
The following table describes the labels in this screen.
Table 39 WAN: Ethernet Encapsulation
ISP Parameters for Internet Access
Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
Service Type: Choose from Standard, Telstra (RoadRunner Telstra authentication method), RR-Manager (Roadrunner Manager authentication method), RR-Toshiba (Roadrunner Toshiba authentication method) or Telia Login. The following fields do not appear with the Standard service type.
User Name: Type the user name given to you by your ISP.
Password: Type the password associated with the user name above.
Retype to Confirm: Type your password again to make sure that you have entered it correctly.
Login Server IP Address: Type the authentication server IP address here if your ISP gave you one. This field is not available for Telia Login.
Login Server (Telia Login only): Type the domain name of the Telia login server, for example login1.telia.com.
Relogin Every(min) (Telia Login only): The Telia server logs the ZyWALL out if the ZyWALL does not log in periodically. Type the number of minutes from 1 to 59 (30 default) for the ZyWALL to wait between logins.
WAN IP Address Assignment
Get automatically from ISP: Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
Use Fixed IP Address: Select this option if the ISP assigned a fixed IP address.
My WAN IP Address: Enter your WAN IP address in this field if you selected Use Fixed IP Address.
My WAN IP Subnet Mask: Enter the IP subnet mask (if your ISP gave you one) in this field if you selected Use Fixed IP Address.
Gateway IP Address: Enter the gateway IP address (if your ISP gave you one) in this field if you selected Use Fixed IP Address.
Advanced Setup
Enable NAT (Network Address Translation): Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet). Select this check box to enable NAT.
RIP Direction: RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, None, In Only or Out Only. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, the ZyWALL will incorporate RIP information that it receives. When set to None, the ZyWALL will not send any RIP packets and will ignore any RIP packets received. By default, RIP Direction is set to Both.
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, the RIP Version field is set to RIP-1.
Enable Multicast: Select this check box to turn on IGMP (Internet Group Multicast Protocol). IGMP is a network-layer protocol used to establish membership in a Multicast group; it is not used to carry user data.
Multicast Version: Choose None (default), IGMP-V1 or IGMP-V2. IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.
Spoof WAN MAC Address: You can use the factory assigned default MAC Address or clone the MAC address from a computer on your LAN. To clone, select the check box next to Spoof WAN MAC Address and enter the IP address of the computer on the LAN whose MAC you are cloning. Once it is successfully configured, the address will be copied to the rom file (ZyNOS configuration file). It will not change unless you change the setting or upload a different ROM file.
Clone the computer’s MAC address – IP Address: Enter the IP address of the computer on the LAN whose MAC you are cloning. It is recommended that you clone the MAC address prior to hooking up the WAN port.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
7.12.2 PPPoE Encapsulation
The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF
standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband
modem (DSL, cable, wireless, etc.) connection. The PPPoE option is for a dial-up connection
using PPPoE.
For the service provider, PPPoE offers an access and authentication method that works with
existing access control systems (for example RADIUS).
One of the benefits of PPPoE is the ability to let you access one of multiple network services,
a function known as dynamic service selection. This enables the service provider to easily
create and offer new IP services for individuals.
Operationally, PPPoE saves significant effort for both you and the ISP or carrier, as it requires
no specific configuration of the broadband modem at the customer site.
By implementing PPPoE directly on the ZyWALL (rather than individual computers), the
computers on the LAN do not need PPPoE software installed, since the ZyWALL does that
part of the task. Furthermore, with NAT, all of the LANs’ computers will have access.
Refer to Appendix F on page 702 for more information on PPPoE.
The screen shown next is for PPPoE encapsulation.
Figure 56 WAN: PPPoE Encapsulation
The following table describes the labels in this screen.
Table 40 WAN: PPPoE Encapsulation
ISP Parameters for Internet Access
Encapsulation: The PPPoE choice is for a dial-up connection using PPPoE. The router supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (i.e. DSL, cable, wireless, etc.) connection. Operationally, PPPoE saves significant effort for both the end user and ISP/carrier, as it requires no specific configuration of the broadband modem at the customer site. By implementing PPPoE directly on the router rather than individual computers, the computers on the LAN do not need PPPoE software installed, since the router does that part of the task. Further, with NAT, all of the LAN's computers will have access.
Service Name: Type the PPPoE service name provided to you. PPPoE uses a service name to identify and reach the PPPoE server.
User Name: Type the user name given to you by your ISP.
Password: Type the password associated with the user name above.
Retype to Confirm: Type your password again to make sure that you have entered it correctly.
Authentication Type: Use the drop-down list box to select an authentication protocol for outgoing calls. Options are:
CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this remote node.
CHAP - Your ZyWALL accepts CHAP only.
PAP - Your ZyWALL accepts PAP only.
Nailed-Up: Select Nailed-Up if you do not want the connection to time out.
Idle Timeout: This value specifies the time in seconds that elapses before the ZyWALL automatically disconnects from the PPPoE server.
WAN IP Address Assignment
Get automatically from ISP: Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
Use Fixed IP Address: Select this option if the ISP assigned a fixed IP address.
My WAN IP Address: Enter your WAN IP address in this field if you selected Use Fixed IP Address.
Advanced Setup
Enable NAT (Network Address Translation): Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet). Select this check box to enable NAT. For more information about NAT see Chapter 22 on page 374.
RIP Direction: RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, None, In Only or Out Only. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, the ZyWALL will incorporate RIP information that it receives. When set to None, the ZyWALL will not send any RIP packets and will ignore any RIP packets received. By default, RIP Direction is set to Both.
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, the RIP Version field is set to RIP-1.
Enable Multicast: Select this check box to turn on IGMP (Internet Group Multicast Protocol). IGMP is a network-layer protocol used to establish membership in a Multicast group; it is not used to carry user data.
Multicast Version: Choose None (default), IGMP-V1 or IGMP-V2. IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.
Spoof WAN MAC Address: You can use the factory assigned default MAC Address or clone the MAC address from a computer on your LAN. To clone, select the check box next to Spoof WAN MAC Address and enter the IP address of the computer on the LAN whose MAC you are cloning. Once it is successfully configured, the address will be copied to the rom file (ZyNOS configuration file). It will not change unless you change the setting or upload a different ROM file.
Clone the computer’s MAC address – IP Address: Enter the IP address of the computer on the LAN whose MAC you are cloning. It is recommended that you clone the MAC address prior to hooking up the WAN port.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
7.12.3 PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of
data from a remote client to a private server, creating a Virtual Private Network (VPN) using
TCP/IP-based networks.
PPTP supports on-demand, multi-protocol and virtual private networking over public
networks, such as the Internet. The screen shown next is for PPTP encapsulation.
Refer to Appendix G on page 704 for more information on PPTP.
Figure 57 WAN: PPTP Encapsulation
The following table describes the labels in this screen.
Table 41 WAN: PPTP Encapsulation
ISP Parameters for Internet Access
Encapsulation: Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol, and virtual private networking over public networks, such as the Internet. The ZyWALL supports only one PPTP server connection at any given time. To configure a PPTP client, you must configure the User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
User Name: Type the user name given to you by your ISP.
Password: Type the password associated with the user name above.
Retype to Confirm: Type your password again to make sure that you have entered it correctly.
Authentication Type: Use the drop-down list box to select an authentication protocol for outgoing calls. Options are:
CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this remote node.
CHAP - Your ZyWALL accepts CHAP only.
PAP - Your ZyWALL accepts PAP only.
Nailed-up: Select Nailed-Up if you do not want the connection to time out.
Idle Timeout: This value specifies the time in seconds that elapses before the ZyWALL automatically disconnects from the PPTP server.
PPTP Configuration
My IP Address: Type the (static) IP address assigned to you by your ISP.
My IP Subnet Mask: Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
Server IP Address: Type the IP address of the PPTP server.
Connection ID/Name: Type your identification name for the PPTP server.
WAN IP Address Assignment
Get automatically from ISP: Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
Use Fixed IP Address: Select this option if the ISP assigned a fixed IP address.
My WAN IP Address: Enter your WAN IP address in this field if you selected Use Fixed IP Address.
Advanced Setup
Enable NAT (Network Address Translation): Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet). Select this check box to enable NAT. For more information about NAT see Chapter 22 on page 374.
RIP Direction: RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, None, In Only or Out Only. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, the ZyWALL will incorporate RIP information that it receives. When set to None, the ZyWALL will not send any RIP packets and will ignore any RIP packets received. By default, RIP Direction is set to Both.
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, the RIP Version field is set to RIP-1.
Enable Multicast: Select this check box to turn on IGMP (Internet Group Multicast Protocol). IGMP is a network-layer protocol used to establish membership in a Multicast group; it is not used to carry user data.
Multicast Version: Choose None (default), IGMP-V1 or IGMP-V2. IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.
Spoof WAN MAC Address: You can use the factory assigned default MAC Address or clone the MAC address from a computer on your LAN. To clone, select the check box next to Spoof WAN MAC Address and enter the IP address of the computer on the LAN whose MAC you are cloning. Once it is successfully configured, the address will be copied to the rom file (ZyNOS configuration file). It will not change unless you change the setting or upload a different ROM file.
Clone the computer’s MAC address – IP Address: Enter the IP address of the computer on the LAN whose MAC you are cloning. It is recommended that you clone the MAC address prior to hooking up the WAN port.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
7.13 Traffic Redirect
Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect
to the Internet through its normal gateway. Connect the backup gateway on the WAN so that
the ZyWALL still provides firewall protection.
Figure 58 Traffic Redirect WAN Setup
The following network topology allows you to avoid triangle route security issues (see
Appendix I on page 722) when the backup gateway is connected to the LAN or DMZ. Use IP
alias to configure the LAN into two or three logical networks with the ZyWALL itself as the
gateway for each LAN network. Put the protected LAN in one subnet (Subnet 1 in the
following figure) and the backup gateway in another subnet (Subnet 2). Configure a LAN to
LAN/ZyWALL firewall rule that forwards packets from the protected LAN (Subnet 1) to the
backup gateway (Subnet 2).
Figure 59 Traffic Redirect LAN Setup
7.14 Configuring Traffic Redirect
To change your ZyWALL’s traffic redirect settings, click NETWORK, WAN and then the
Traffic Redirect tab. The screen appears as shown. Not all fields are available on all models.
Figure 60 Traffic Redirect
The following table describes the labels in this screen.
Table 42 Traffic Redirect
Active: Select this check box to have the ZyWALL use traffic redirect if the normal WAN connection goes down.
Backup Gateway IP Address: Type the IP address of your backup gateway in dotted decimal notation. The ZyWALL automatically forwards traffic to this IP address if the ZyWALL's Internet connection terminates.
Check WAN IP Address: Configuration of this field is optional. If you do not enter an IP address here, the ZyWALL will use the default gateway IP address. Configure this field to test your ZyWALL's WAN accessibility. Type the IP address of a reliable nearby computer (for example, your ISP's DNS server address).
Fail Tolerance: Type how many WAN connection checks can fail (1 to 10) before the connection is considered "down" (not connected). The ZyWALL still checks a "down" connection to detect if it reconnects.
Period: The ZyWALL tests a WAN connection by periodically sending a ping to either the default gateway or the address in the Check WAN IP Address field. Type a number of seconds (5 to 300) to set the time interval between checks. Allow more time if your destination IP address handles lots of traffic.
Timeout: Type the number of seconds (1 to 10) for your ZyWALL to wait for a response to the ping before considering the check to have failed. This setting must be less than the Period. Use a higher value in this field if your network is busy or congested.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
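The WAN check in Table 42 (Fail Tolerance, Period, Timeout, and the rule that a "down" connection is still checked) and the route priority metrics of Table 36 are simulated together below. This is an added example and not ZyXEL's code; the probe results are constructed values rather than real pings, and the auxiliary routes are assumed to be available whenever the WAN check reports the WAN down.

```python
"""Added example (not ZyXEL's code): a simulation of the traffic redirect
WAN check described in Table 42 combined with the route priority metrics
of Table 36. The probe results are constructed; no packets are sent."""
from dataclasses import dataclass
from typing import Optional


def config_error(fail_tolerance: int, period: int, timeout: int) -> Optional[str]:
    """Return a message if the Table 42 limits are violated, else None."""
    if not 1 <= fail_tolerance <= 10:
        return "Fail Tolerance must be between 1 and 10"
    if not 5 <= period <= 300:
        return "Period must be between 5 and 300 seconds"
    if not 1 <= timeout <= 10:
        return "Timeout must be between 1 and 10 seconds"
    if timeout >= period:
        return "Timeout must be less than Period"
    return None


@dataclass
class WanCheck:
    """State of the periodic ping the ZyWALL sends to the default gateway
    or to the Check WAN IP Address."""
    fail_tolerance: int   # 1..10 failed checks before the WAN counts as down
    period: int           # 5..300 seconds between checks
    timeout: int          # 1..10 seconds to wait for the reply; must be < period
    failures: int = 0     # consecutive failed checks so far
    up: bool = True

    def __post_init__(self) -> None:
        err = config_error(self.fail_tolerance, self.period, self.timeout)
        if err:
            raise ValueError(err)

    def observe(self, reply_seconds: Optional[float]) -> bool:
        """Feed one probe result: the reply delay in seconds, or None for no
        reply. Returns whether the WAN is considered up afterwards."""
        replied_in_time = reply_seconds is not None and reply_seconds <= self.timeout
        if replied_in_time:
            # A "down" WAN is still probed, so a reply brings it straight back.
            self.failures = 0
            self.up = True
        else:
            self.failures += 1
            if self.failures >= self.fail_tolerance:
                self.up = False
        return self.up


def select_route(metrics: dict, wan_up: bool) -> str:
    """Choose the route with the lowest priority metric (Table 36). The WAN
    route is skipped while its check reports it down; the auxiliary routes
    (Traffic Redirect, Dial Backup) are assumed available in this simulation."""
    candidates = {name: m for name, m in metrics.items() if wan_up or name != "WAN"}
    return min(candidates, key=candidates.get)


def run_scenario(probe_results, metrics, fail_tolerance=3, period=30, timeout=5):
    """Apply a sequence of constructed probe results and return the route
    chosen after each check."""
    check = WanCheck(fail_tolerance, period, timeout)
    return [select_route(metrics, check.observe(r)) for r in probe_results]


if __name__ == "__main__":
    # Table 36 example: Dial Backup (14) preferred over Traffic Redirect (15).
    metrics = {"WAN": 1, "Dial Backup": 14, "Traffic Redirect": 15}
    # Constructed probe results: reply delays in seconds, None = no reply.
    probes = [0.02, None, 7.0, None, None, 0.05]
    for probe, route in zip(probes, run_scenario(probes, metrics)):
        print(f"probe={probe!s:>5}  route={route}")
```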
7.15 Configuring Dial Backup
Click NETWORK, WAN and then the Dial Backup tab to display the Dial Backup screen.
Use this screen to configure the backup WAN dial-up connection.
Figure 61 Dial Backup
The following table describes the labels in this screen.
Table 43 Dial Backup
LABEL
DESCRIPTION
Dial Backup Setup
Enable Dial Backup Select this check box to turn on dial backup.
Basic Settings
Login Name
Type the login name assigned by your ISP.
Password
Type the password assigned by your ISP.
Retype to Confirm
Type your password again to make sure that you have entered is correctly.
Authentication Type Use the drop-down list box to select an authentication protocol for outgoing calls.
Options are:
CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this
remote node.
CHAP - Your ZyWALL accepts CHAP only.
PAP - Your ZyWALL accepts PAP only.
Primary/ Secondary Type the first (primary) phone number from the ISP for this remote node. If the
Phone Number
Primary Phone number is busy or does not answer, your ZyWALL dials the
Secondary Phone number if available. Some areas require dialing the pound sign
# before the phone number for local calls. Include a # symbol at the beginning of
the phone numbers as required.
Dial Backup Port
Speed
Use the drop-down list box to select the speed of the connection between the Dial
Backup port and the external device. Available speeds are: 9600, 19200, 38400,
57600, 115200 or 230400 bps.
AT Command Initial Type the AT command string to initialize the WAN device. Consult the manual of
String
your WAN device connected to your Dial Backup port for specific AT commands.
Advanced Modem
Setup
Click Edit to display the Advanced Setup screen and edit the details of your dial
backup setup.
TCP/IP Options
157
Get IP Address
Automatically from
Remote Server
Type the login name assigned by your ISP for this remote node.
Used Fixed IP
Address
Select this check box if your ISP assigned you a fixed IP address, then enter the
IP address in the following field.
My WAN IP
Address
Leave the field set to 0.0.0.0 (default) to have the ISP or other remote router
dynamically (automatically) assign your WAN IP address if you do not know it.
Type your WAN IP address here if you know it (static). This is the address
assigned to your local ZyWALL, not the remote router.
Remote IP Subnet
Mask
Leave this field set to 0.0.0.0 (default) to have the ISP or other remote router
dynamically send its subnet mask if you do not know it. Type the remote
gateway's subnet mask here if you know it (static).
Remote Node IP
Address
Leave this field set to 0.0.0.0 (default) to have the ISP or other remote router
dynamically (automatically) send its IP address if you do not know it. Type the
remote gateway's IP address here if you know it (static).
Enable NAT
(Network Address
Translation)
Network Address Translation (NAT) allows the translation of an Internet protocol
address used within one network to a different IP address known within another
network.
Select the check box to enable NAT. Clear the check box to disable NAT so the
ZyWALL does not perform any NAT mapping for the dial backup connection.
Chapter 7 WAN Screens
ZyWALL 5/35/70 Series User’s Guide
Table 43 Dial Backup (continued)
LABEL
DESCRIPTION
Enable RIP: Select this check box to turn on RIP (Routing Information Protocol), which allows a router to exchange routing information with other routers.
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also.
RIP Direction: RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, In Only or Out Only. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, the ZyWALL will incorporate RIP information that it receives.
Broadcast Dial Backup Route: Select this check box to forward the backup route broadcasts to the WAN.
Enable Multicast: Select this check box to turn on IGMP (Internet Group Multicast Protocol). IGMP is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data.
Multicast Version: Select IGMP-v1 or IGMP-v2. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.
PPP Options
PPP Encapsulation: Select CISCO PPP from the drop-down list box if your dial backup WAN device uses Cisco PPP encapsulation, otherwise select Standard PPP.
Enable Compression: Select this check box to turn on stac compression.
Budget
Always On: Select this check box to have the dial backup connection on all of the time.
Configure Budget: Select this check box to have the dial backup connection on during the time that you select.
Allocated Budget: Type the amount of time (in minutes) that the dial backup connection can be used during the time configured in the Period field. Set an amount that is less than the time period configured in the Period field.
Period: Type the time period (in hours) for how often the budget should be reset. For example, to allow calls to this remote node for a maximum of 10 minutes every hour, set the Allocated Budget to 10 (minutes) and the Period to 1 (hour).
Idle Timeout: Type the number of seconds of idle time (when there is no traffic from the ZyWALL to the remote node) for the ZyWALL to wait before it automatically disconnects the dial backup connection. This option applies only when the ZyWALL initiates the call. The dial backup connection never times out if you set this field to "0" (it is the same as selecting Always On).
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
7.16 Advanced Modem Setup
7.16.1 AT Command Strings
For regular telephone lines, the default Dial string tells the modem that the line uses tone
dialing. ATDT is the command for a switch that requires tone dialing. If your switch requires
pulse dialing, change the string to ATDP.
For ISDN lines, there are many more protocols and operational modes. Please consult the
documentation of your TA. You may need additional commands in both Dial and Init strings.
7.16.2 DTR Signal
The majority of WAN devices default to hanging up the current call when the DTR (Data
Terminal Ready) signal is dropped by the DTE. When the Drop DTR When Hang Up check
box is selected, the ZyWALL uses this hardware signal to force the WAN device to hang up, in
addition to issuing the drop command ATH.
7.16.3 Response Strings
The response strings tell the ZyWALL the tags, or labels, immediately preceding the various
call parameters sent from the WAN device. The response strings have not been standardized;
please consult the documentation of your WAN device to find the correct tags.
7.17 Configuring Advanced Modem Setup
Click the Edit button in the Dial Backup screen to display the Advanced Setup screen.
Note: Consult the manual of your WAN device connected to your dial backup port for
specific AT commands.
Figure 62 Advanced Setup
The following table describes the labels in this screen.
Table 44 Advanced Setup
AT Command Strings
Dial: Type the AT Command string to make a call.
Drop: Type the AT Command string to drop a call. "~" represents a one second wait, for example, "~~~+++~~ath" can be used if your modem has a slow response time.
Answer: Type the AT Command string to answer a call.
Drop DTR When Hang Up: Select this check box to have the ZyWALL drop the DTR (Data Terminal Ready) signal after the "AT Command String: Drop" is sent out.
AT Response Strings
CLID: Type the keyword that precedes the CLID (Calling Line Identification) in the AT response string. This lets the ZyWALL capture the CLID in the AT response string that comes from the WAN device. CLID is required for CLID authentication.
Called ID: Type the keyword preceding the dialed number.
Speed: Type the keyword preceding the connection speed.
Call Control
Dial Timeout (sec): Type a number of seconds for the ZyWALL to try to set up an outgoing call before timing out (stopping).
Retry Count: Type a number of times for the ZyWALL to retry a busy or no-answer phone number before blacklisting the number.
Retry Interval (sec): Type a number of seconds for the ZyWALL to wait before trying another call after a call has failed. This applies before a phone number is blacklisted.
Drop Timeout (sec): Type the number of seconds for the ZyWALL to wait before dropping the DTR signal if it does not receive a positive disconnect confirmation.
Call Back Delay (sec): Type a number of seconds for the ZyWALL to wait between dropping a callback request call and dialing the corresponding callback call.
Apply: Click Apply to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving.
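The following is an added example, not ZyXEL's code or the ZyWALL's implementation, that models how the Drop string from Table 44 (with "~" as a one-second wait) and the AT Response String tags are interpreted, and how a captured CLID is checked against an allow-list for CLID authentication. The tag keywords, modem output and phone numbers are constructed sample values; the real keywords come from the WAN device's documentation.

```python
"""Added example (not ZyXEL's code): interpreting two kinds of string from the
Dial Backup Advanced Setup screen.

The Drop string uses "~" for a one-second wait, so "~~~+++~~ath" means: wait
three seconds, send the "+++" escape, wait two seconds, send "ath".  The AT
Response Strings are the keywords that the WAN device prints immediately
before the CLID, the dialed number and the connection speed; the ZyWALL uses
them to pick those values out of the modem's output.  The tag keywords, the
modem output and the allowed CLIDs below are constructed sample values.
"""
import re
from typing import Dict, List, Optional, Tuple

Step = Tuple[str, object]  # ("wait", seconds) or ("send", text)


def expand_drop_string(drop: str) -> List[Step]:
    """Turn a Drop string into the sequence of sends and waits it describes."""
    steps: List[Step] = []
    pending = ""
    for ch in drop:
        if ch == "~":
            if pending:  # flush the characters typed before the pause
                steps.append(("send", pending))
                pending = ""
            if steps and steps[-1][0] == "wait":
                steps[-1] = ("wait", steps[-1][1] + 1)  # consecutive "~" add up
            else:
                steps.append(("wait", 1))
        else:
            pending += ch
    if pending:
        steps.append(("send", pending))
    return steps


def parse_response(lines: List[str], tags: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Capture the value that follows each configured tag keyword.

    tags maps a parameter name ("clid", "called_id", "speed") to the keyword the
    WAN device prints immediately before that value.  A parameter whose keyword
    never appears in the response comes back as None.
    """
    found: Dict[str, Optional[str]] = {name: None for name in tags}
    for line in lines:
        for name, keyword in tags.items():
            if found[name] is None:
                match = re.search(re.escape(keyword) + r"\s*([^\s,]+)", line)
                if match:
                    found[name] = match.group(1)
    return found


def clid_authenticated(response: Dict[str, Optional[str]], allowed_clids: List[str]) -> bool:
    """Model of CLID authentication: accept the call only if a CLID was captured
    and it is on the configured allow-list.  No captured CLID means no match."""
    clid = response.get("clid")
    return clid is not None and clid in allowed_clids


# Constructed sample configuration and modem output (hypothetical tag keywords).
SAMPLE_TAGS = {"clid": "CALLER NUMBER:", "called_id": "CALLED NUMBER:", "speed": "CARRIER"}
SAMPLE_RESPONSE = [
    "RING",
    "CALLER NUMBER: 5551234567",
    "CALLED NUMBER: 5559876543",
    "CARRIER 33600",
    "CONNECT 33600",
]
ALLOWED_CLIDS = ["5551234567"]

if __name__ == "__main__":
    print(expand_drop_string("~~~+++~~ath"))
    captured = parse_response(SAMPLE_RESPONSE, SAMPLE_TAGS)
    print(captured, "authenticated:", clid_authenticated(captured, ALLOWED_CLIDS))
```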
CHAPTER 8
DMZ Screens
This chapter describes how to configure the ZyWALL’s DMZ.
8.1 DMZ
The DeMilitarized Zone (DMZ) provides a way for public servers (Web, e-mail, FTP, etc.) to
be visible to the outside world (while still being protected from DoS (Denial of Service)
attacks such as SYN flooding and Ping of Death). These public servers can also still be
accessed from the secure LAN.
By default the firewall allows traffic between the WAN and the DMZ, traffic from the DMZ to
the LAN is denied, and traffic from the LAN to the DMZ is allowed. Internet users can have
access to host servers on the DMZ but no access to the LAN, unless special filter rules
allowing access were configured by the administrator or the user is an authorized remote user.
It is highly recommended that you connect all of your public servers to the DMZ port(s).
It is also highly recommended that you keep all sensitive information off of the public servers
connected to the DMZ port. Store sensitive information on LAN computers.
8.2 Configuring DMZ
The DMZ and the connected computers can have private or public IP addresses.
When the DMZ uses public IP addresses, the WAN and DMZ ports must use public IP
addresses that are on separate subnets. See Appendix E on page 694 for information on IP
subnetting. If you do not configure SUA NAT or any full feature NAT mapping rules for the
public IP addresses on the DMZ, the ZyWALL will route traffic to the public IP addresses on
the DMZ without performing NAT. This may be useful for hosting servers for NAT unfriendly
applications (see Chapter 22 on page 374 for more information).
If the DMZ computers use private IP addresses, use NAT if you want to make them publicly
accessible.
Like the LAN, the ZyWALL can also assign TCP/IP configuration via DHCP to computers
connected to the DMZ ports.
From the main menu, click NETWORK, DMZ to open the DMZ screen. The screen appears
as shown next.
Figure 63 DMZ
The following table describes the labels in this screen.
Table 45 DMZ
DMZ TCP/IP
IP Address: Type the IP address of your ZyWALL’s DMZ port in dotted decimal notation.
Note: Make sure the IP addresses of the LAN, WAN, WLAN and DMZ are on separate subnets.
IP Subnet Mask: The subnet mask specifies the network number portion of an IP address. Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL (255.255.255.0).
RIP Direction: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received. Both is the default.
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, RIP direction is set to Both and the Version set to RIP-1.
Multicast: Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.
DHCP Setup
DHCP: DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients (workstations) to obtain TCP/IP configuration at startup from a server. Unless you are instructed by your ISP, leave this field set to Server. When configured as a server, the ZyWALL provides TCP/IP configuration for the clients. When set as a server, fill in the IP Pool Starting Address and Pool Size fields. Select Relay to have the ZyWALL forward DHCP requests to another DHCP server. When set to Relay, fill in the DHCP Server Address field. Select None to stop the ZyWALL from acting as a DHCP server. When you select None, you must have another DHCP server on your LAN, or else the computers must be manually configured.
IP Pool Starting Address: This field specifies the first of the contiguous addresses in the IP address pool.
Pool Size: This field specifies the size, or count, of the IP address pool.
DHCP Server Address: Type the IP address of the DHCP server to which you want the ZyWALL to relay DHCP requests. Use dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address.
Windows Networking (NetBIOS over TCP/IP)
Allow between DMZ and LAN: Select this check box to forward NetBIOS packets from the LAN to the DMZ and from the DMZ to the LAN. If your firewall is enabled with the default policy set to block DMZ to LAN traffic, you also need to enable the default DMZ to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the LAN to the DMZ and from the DMZ to the LAN.
Allow between DMZ and WAN: Select this check box to forward NetBIOS packets from the WAN to the DMZ and from the DMZ to the WAN. Clear this check box to block all NetBIOS packets going from the WAN to the DMZ and from the DMZ to the WAN.
Allow between DMZ and WLAN: Select this check box to forward NetBIOS packets from the WLAN to the DMZ and from the DMZ to the WLAN. Clear this check box to block all NetBIOS packets going from the WLAN to the DMZ and from the DMZ to the WLAN.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
8.3 DMZ Static DHCP
This table allows you to assign IP addresses on the DMZ to specific individual computers
based on their MAC Addresses.
Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address
is assigned at the factory and consists of six pairs of hexadecimal characters, for example,
00:A0:C5:00:00:02.
To change your ZyWALL’s static DHCP settings on the DMZ, click NETWORK, DMZ and
then the Static DHCP tab. The screen appears as shown.
Figure 64 DMZ Static DHCP
The following table describes the labels in this screen.
Table 46 DMZ Static DHCP
#: This is the index number of the Static IP table entry (row).
MAC Address: Type the MAC address of a computer on your DMZ.
IP Address: Type the IP address that you want to assign to the computer on your DMZ. Alternatively, click the right mouse button to copy and/or paste the IP address.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
8.4 DMZ IP Alias
IP alias allows you to partition a physical network into different logical networks over the
same Ethernet interface. The ZyWALL supports three logical DMZ interfaces via its single
physical Ethernet interface with the ZyWALL itself as the gateway for each DMZ network.
The IP alias IP addresses can be either private or public regardless of whether the physical
DMZ interface is set to use a private or public IP address. Use NAT if you want to make DMZ
computers with private IP addresses publicly accessible (see Chapter 22 on page 374 for more
information). When you use IP alias, you can have the DMZ use both public and private IP
addresses at the same time.
Note: Make sure that the subnets of the logical networks do not overlap.
To change your ZyWALL’s IP alias settings, click NETWORK, DMZ and then the IP Alias
tab. The screen appears as shown.
Figure 65 DMZ: IP Alias
The following table describes the labels in this screen.
Table 47 DMZ: IP Alias
Enable IP Alias 1, 2: Select the check box to configure another DMZ network for the ZyWALL.
IP Address: Enter the IP address of your ZyWALL in dotted decimal notation.
Note: Make sure the IP addresses of the LAN, WAN, WLAN and DMZ are on separate subnets.
IP Subnet Mask: Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
RIP Direction: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received.
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, RIP direction is set to Both and the Version set to RIP-1.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
8.5 DMZ Public IP Address Example
The following figure shows a simple network setup with public IP addresses on the WAN and
DMZ and private IP addresses on the LAN. Lower case letters represent public IP addresses
(like a.b.c.d for example). The LAN port and connected computers (A through C) use private
IP addresses that are in one subnet. The DMZ port and connected servers (D through F) use
public IP addresses that are in another subnet. The public IP addresses of the DMZ and WAN
ports are in separate subnets.
Figure 66 DMZ Public Address Example
8.6 DMZ Private and Public IP Address Example
The following figure shows a network setup with both private and public IP addresses on the
DMZ. Lower case letters represent public IP addresses (like a.b.c.d for example). The LAN
port and connected computers (A through C) use private IP addresses that are in one subnet.
The DMZ port and server F use private IP addresses that are in one subnet. The private IP
addresses of the LAN and DMZ are on separate subnets. The DMZ port and connected servers
(D and E) use public IP addresses that are in one subnet. The public IP addresses of the DMZ
and WAN are on separate subnets.
Configure both DMZ and DMZ IP alias to use this kind of network setup. You also need to
configure NAT for the private DMZ IP addresses.
Figure 67 DMZ Private and Public Address Example
8.7 DMZ Port Roles
Use the Port Roles screen to set ports as LAN, DMZ or WLAN interfaces. The LAN port role
is not available on all models.
Connect wireless LAN Access Points (APs) to WLAN interfaces to extend the ZyWALL’s
wireless LAN coverage. The WLAN port role allows the ZyWALL’s firewall to treat traffic
from connected APs as part of the ZyWALL’s WLAN. You can specify firewall rules for
traffic going to or from the WLAN. The WLAN includes the ZyWALL’s own WLAN and the
Ethernet ports in the WLAN port role.
The following figure shows the ZyWALL with a wireless card installed and an AP connected
to an Ethernet port in the WLAN port role.
Figure 68 WLAN Port Role Example
Note: Do the following if you are configuring from a computer connected to a LAN,
DMZ or WLAN port and changing the port's role:
1. A port's IP address varies as its role changes, so make sure your computer's IP
address is in the same subnet as the ZyWALL's LAN, DMZ or WLAN IP
address.
2. Use the appropriate LAN, DMZ or WLAN IP address to access the ZyWALL.
To change your ZyWALL’s port role settings, click NETWORK, DMZ and then the Port
Roles tab. The screen appears as shown.
The radio buttons on the left correspond to Ethernet ports on the front panel of the ZyWALL.
Ports 1 to 4 are all DMZ ports on the ZyWALL 70 and all LAN ports on the ZyWALL 5 or
ZyWALL 35 by default. The radio buttons on the right are for the WLAN card.
Note: Your changes are also reflected in the LAN and/or WLAN Port Roles screens.
Figure 69 DMZ: Port Roles
The following table describes the labels in this screen.
Table 48 DMZ: Port Roles
LAN: Select a port’s LAN radio button to use the port as part of the LAN. The port will use the LAN IP address and MAC address.
DMZ: Select a port’s DMZ radio button to use the port as part of the DMZ. The port will use the DMZ IP address and MAC address.
WLAN: When you have the wireless card set to WLAN, you can select a port’s WLAN radio button to use the port as part of the WLAN. The port will use the ZyWALL’s WLAN IP address and the MAC address of the WLAN card.
Note: You must install a wireless card to use the WLAN port role. See Appendix A on page 664 for how to install a WLAN card.
Wireless Card: Select LAN to use the wireless card as part of the LAN. Select DMZ to use the wireless card as part of the DMZ. Select WLAN to use the wireless card as part of the WLAN. The ZyWALL restarts after you change the wireless card setting.
Note: If you set the wireless card to be part of the LAN or DMZ, you can still use wireless access, but not the WLAN interface in the firewall. The firewall will treat the wireless card as part of the LAN or DMZ respectively.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
CHAPTER 9
Wireless LAN
This chapter discusses how to configure wireless LAN on the ZyWALL.
9.1 Wireless LAN Introduction
A wireless LAN can be as simple as two computers with wireless LAN adapters
communicating in a peer-to-peer network or as complex as a number of computers with
wireless LAN adapters communicating through access points which bridge network traffic to
the wired LAN.
Note: See Appendix A on page 664 for how to install a WLAN card.
See the WLAN appendix for more detailed information on WLANs.
9.1.1 Additional Installation Requirements for Using 802.1x
• A computer with an IEEE 802.11b wireless LAN card.
• A computer equipped with a web browser (with JavaScript enabled) and/or Telnet.
• A wireless station must be running IEEE 802.1x-compliant software. Currently, this is
offered in Windows XP.
• An optional network RADIUS server for remote user authentication and accounting.
9.2 Configuring WLAN
The WLAN interface uses the ZyWALL's WLAN IP address and the MAC address of the
WLAN card. You need to insert a compatible wireless LAN card and enable the card in the
Wireless Card screen (see Figure 80 on page 191) to have wireless functionality. You can
also use the Port Roles screen to set a port to be part of the WLAN and connect an access
point (AP) to the WLAN interface to extend the ZyWALL’s wireless LAN coverage.
There is a WLAN interface in the firewall. You can specify firewall rules for traffic going to or
from the WLAN.
Click NETWORK, WLAN to open the WLAN screen to configure the IP address for
ZyWALL’s WLAN interface, other TCP/IP and DHCP settings.
Figure 70 WLAN
The following table describes the labels in this screen.
Table 49 WLAN
WLAN TCP/IP
IP Address: Type the IP address of your ZyWALL’s WLAN interface in dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address.
Note: Make sure the IP addresses of the LAN, WAN, WLAN and DMZ are on separate subnets.
IP Subnet Mask: The subnet mask specifies the network number portion of an IP address. Your ZyWALL automatically calculates the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
RIP Direction: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received. Both is the default.
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, RIP direction is set to Both and the Version set to RIP-1.
Multicast: Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.
DHCP Setup
DHCP: DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients (workstations) to obtain TCP/IP configuration at startup from a server. Unless you are instructed by your ISP, leave this field set to Server. When configured as a server, the ZyWALL provides TCP/IP configuration for the clients. When set as a server, fill in the IP Pool Starting Address and Pool Size fields. Select Relay to have the ZyWALL forward DHCP requests to another DHCP server. When set to Relay, fill in the DHCP Server Address field. Select None to stop the ZyWALL from acting as a DHCP server. When you select None, you must have another DHCP server on your LAN, or else the computers must be manually configured.
IP Pool Starting Address: This field specifies the first of the contiguous addresses in the IP address pool.
Pool Size: This field specifies the size, or count, of the IP address pool.
DHCP Server Address: Type the IP address of the DHCP server to which you want the ZyWALL to relay DHCP requests. Use dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address.
Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls. However, it may sometimes be necessary to allow NetBIOS packets to pass through to the WAN in order to find a computer on the WAN.
Allow between WLAN and LAN: Select this check box to forward NetBIOS packets from the LAN to the WLAN and from the WLAN to the LAN. If your firewall is enabled with the default policy set to block WLAN to LAN traffic, you also need to enable the default WLAN to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the LAN to the WLAN and from the WLAN to the LAN.
Allow between WLAN and WAN: Select this check box to forward NetBIOS packets from the WLAN to the WAN and from the WAN to the WLAN. Clear this check box to block all NetBIOS packets going from the WLAN to the WAN and from the WAN to the WLAN.
Allow between WLAN and DMZ: Select this check box to forward NetBIOS packets from the WLAN to the DMZ and from the DMZ to the WLAN. If your firewall is enabled with the default policy set to block DMZ to WLAN traffic, you also need to enable the default DMZ to WLAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the WLAN to the DMZ and from the DMZ to the WLAN.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
9.3 WLAN Static DHCP
This table allows you to assign IP addresses on the WLAN to specific individual computers
based on their MAC addresses.
Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address
is assigned at the factory and consists of six pairs of hexadecimal characters, for example,
00:A0:C5:00:00:02.
To change your ZyWALL’s WLAN static DHCP settings, click NETWORK, WLAN and
then the Static DHCP tab. The screen appears as shown.
Figure 71 WLAN Static DHCP
The following table describes the labels in this screen.
Table 50 WLAN Static DHCP
#: This is the index number of the Static IP table entry (row).
MAC Address: Type the MAC address of a computer on your WLAN.
IP Address: Type the IP address that you want to assign to the computer on your WLAN. Alternatively, click the right mouse button to copy and/or paste the IP address.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
9.4 WLAN IP Alias
IP alias allows you to partition a physical network into different logical networks over the
same Ethernet interface. The ZyWALL supports three logical WLAN interfaces via its single
physical Ethernet interface with the ZyWALL itself as the gateway for each WLAN network.
When you use IP alias, you can also configure firewall rules to control access between the
WLAN's logical networks (subnets).
Note: Make sure that the subnets of the logical networks do not overlap.
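The following is an added example, not ZyXEL's code or the ZyWALL's implementation, that checks an interface plan against the rules this guide repeats for the DMZ and WLAN screens (sections 8.2, 8.4, 9.2 and 9.4): LAN, WAN, WLAN and DMZ subnets, including IP alias networks, must not overlap; a DHCP pool must fit inside its interface's subnet; and private DMZ addresses need NAT to be publicly accessible. All addresses are constructed sample values, with the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges standing in for public blocks.

```python
"""Added example (not ZyXEL's code): checking an interface plan for the ZyWALL's
LAN, WAN, WLAN and DMZ screens and their IP Alias tabs.

Rules checked: every physical interface and every logical (IP alias) network
must be on its own, non-overlapping subnet; a DHCP pool (IP Pool Starting
Address + Pool Size) must lie inside its interface's subnet without reusing
the ZyWALL's own address; and DMZ hosts with private (RFC 1918) addresses are
reachable from the WAN only through a NAT mapping.  All addresses below are
constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Interface:
    name: str                          # e.g. "LAN", "DMZ", "DMZ IP Alias 1"
    address: str                       # the ZyWALL's address on this network
    netmask: str                       # dotted decimal, as typed in the screen
    dhcp_pool_start: Optional[str] = None
    dhcp_pool_size: int = 0

    @property
    def network(self) -> ipaddress.IPv4Network:
        # strict=False lets a host address plus mask describe its subnet
        return ipaddress.IPv4Network(f"{self.address}/{self.netmask}", strict=False)


def check_plan(interfaces: List[Interface]) -> List[str]:
    """Return the problems found; an empty list means the plan is consistent."""
    problems: List[str] = []

    # Rule 1: the subnets of all interfaces and alias networks must not overlap.
    for i, a in enumerate(interfaces):
        for b in interfaces[i + 1:]:
            if a.network.overlaps(b.network):
                problems.append(f"{a.name} ({a.network}) overlaps {b.name} ({b.network})")

    # Rule 2: a DHCP pool must fit inside its interface's subnet and must not
    # hand out the ZyWALL's own address.
    for itf in interfaces:
        if itf.dhcp_pool_start is None or itf.dhcp_pool_size <= 0:
            continue
        start = ipaddress.IPv4Address(itf.dhcp_pool_start)
        last = start + (itf.dhcp_pool_size - 1)
        if start not in itf.network or last not in itf.network:
            problems.append(f"{itf.name} DHCP pool {start}-{last} is not inside {itf.network}")
        elif start <= ipaddress.IPv4Address(itf.address) <= last:
            problems.append(f"{itf.name} DHCP pool {start}-{last} includes the ZyWALL address {itf.address}")
    return problems


def is_rfc1918(address: str) -> bool:
    return any(ipaddress.IPv4Address(address) in net for net in RFC1918)


def dmz_hosts_needing_nat(dmz_hosts: List[str]) -> List[str]:
    """DMZ servers with private addresses need a NAT mapping to be publicly accessible."""
    return [h for h in dmz_hosts if is_rfc1918(h)]


# Constructed plan in the shape of section 8.6: a public DMZ subnet plus a
# private DMZ IP alias network, all on separate subnets.
GOOD_PLAN = [
    Interface("LAN", "192.168.1.1", "255.255.255.0", "192.168.1.33", 32),
    Interface("WLAN", "192.168.2.1", "255.255.255.0", "192.168.2.33", 32),
    Interface("DMZ", "198.51.100.1", "255.255.255.248"),
    Interface("DMZ IP Alias 1", "192.168.3.1", "255.255.255.0"),
    Interface("WAN", "203.0.113.2", "255.255.255.252"),
]

# Constructed plan with three mistakes: the WLAN subnet sits inside the LAN
# subnet, the LAN pool starts at the ZyWALL's own address, and the DMZ pool
# runs past the end of its /29.
BAD_PLAN = [
    Interface("LAN", "192.168.1.1", "255.255.255.0", "192.168.1.1", 32),
    Interface("WLAN", "192.168.1.129", "255.255.255.128", "192.168.1.140", 8),
    Interface("DMZ", "198.51.100.1", "255.255.255.248", "198.51.100.5", 5),
    Interface("WAN", "203.0.113.2", "255.255.255.252"),
]

if __name__ == "__main__":
    for label, plan in (("good plan", GOOD_PLAN), ("bad plan", BAD_PLAN)):
        print(label, check_plan(plan) or "OK")
    print("needs NAT:", dmz_hosts_needing_nat(["198.51.100.2", "198.51.100.3", "192.168.3.10"]))
```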
To change your ZyWALL’s IP alias settings, click NETWORK, WLAN and then the IP Alias
tab. The screen appears as shown.
Figure 72 WLAN IP Alias
The following table describes the labels in this screen.
Table 51 WLAN IP Alias
Enable IP Alias 1, 2: Select the check box to configure another WLAN network for the ZyWALL.
IP Address: Enter the IP address of your ZyWALL in dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address.
IP Subnet Mask: Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
RIP Direction: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received.
RIP Version
The RIP Version field controls the format and the broadcasting method of the RIP
packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1
is universally supported but RIP-2 carries more information. RIP-1 is probably
adequate for most networks, unless you have an unusual network topology. Both
RIP-2B and RIP-2M sends the routing data in RIP-2 format; the difference being
that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting.
Multicasting can reduce the load on non-router machines since they generally do
not listen to the RIP multicast address and so will not receive the RIP packets.
However, if one router uses multicasting, then all routers on your network must use
multicasting, also. By default, RIP direction is set to Both and the Version set to
RIP-1.
Apply
Click Apply to save your changes back to the ZyWALL.
Reset
Click Reset to begin configuring this screen afresh.
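The two rules in this table that cause trouble in practice are the automatically computed subnet mask and the requirement that the logical networks do not overlap. The following Python script is an added illustration, not part of the ZyWALL or its web configurator: it checks a planned WLAN/IP alias layout before you type it in. It assumes that "automatically calculate the subnet mask" means the classful default (255.0.0.0, 255.255.0.0 or 255.255.255.0 by address class); the addresses in the sample plan are constructed.

```python
import ipaddress
from itertools import combinations
from typing import Dict, List, Optional, Tuple


def classful_prefix(ip: str) -> int:
    """Default prefix length by address class (assumption: this is the mask the
    ZyWALL computes when you leave IP Subnet Mask alone)."""
    first_octet = int(ip.split(".")[0])
    if first_octet < 128:
        return 8       # class A: 255.0.0.0
    if first_octet < 192:
        return 16      # class B: 255.255.0.0
    if first_octet < 224:
        return 24      # class C: 255.255.255.0
    raise ValueError(f"{ip}: class D/E address, not usable for an interface")


def interface_network(ip: str, mask: Optional[str] = None) -> ipaddress.IPv4Network:
    """Subnet that an interface address belongs to, using the explicit mask if one
    is given and the classful default otherwise."""
    prefix = mask if mask is not None else classful_prefix(ip)
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def check_alias_plan(plan: Dict[str, Tuple[str, Optional[str]]]) -> List[str]:
    """plan maps an interface name (WLAN, IP Alias 1, IP Alias 2) to (ip, mask).
    Returns a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    nets: Dict[str, ipaddress.IPv4Network] = {}
    for name, (ip, mask) in plan.items():
        try:
            nets[name] = interface_network(ip, mask)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    # The note in the manual: the logical networks must not overlap, otherwise
    # firewall rules written per subnet cannot tell the networks apart.
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            problems.append(f"{a} ({net_a}) overlaps {b} ({net_b})")
    return problems


if __name__ == "__main__":
    # Constructed example: leaving the mask automatic turns two "different"
    # 10.x networks into the same /8, which is exactly the overlap the note warns about.
    plan = {
        "WLAN": ("192.168.2.1", "255.255.255.0"),
        "IP Alias 1": ("10.0.1.1", None),
        "IP Alias 2": ("10.0.2.1", None),
    }
    for line in check_alias_plan(plan) or ["plan is consistent"]:
        print(line)
```

Run it with your own plan before clicking Apply; an explicit mask on each alias is the usual fix when the classful default makes two aliases collide.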
9.5 WLAN Port Roles
Use the Port Roles screen to set ports as LAN, DMZ or WLAN interfaces. The LAN port role
is not available on all models.
Connect wireless LAN Access Points (APs) to WLAN interfaces to extend the ZyWALL’s
wireless LAN coverage. The WLAN port role allows the ZyWALL’s firewall to treat traffic
from connected APs as part of the ZyWALL’s WLAN. You can specify firewall rules for
traffic going to or from the WLAN. The WLAN includes the ZyWALL’s own WLAN and the
Ethernet ports in the WLAN port role.
The following figure shows the ZyWALL with a wireless card installed and an AP connected
to an Ethernet port in the WLAN port role.
Figure 73 WLAN Port Role Example
Note: Do the following if you are configuring from a computer connected to a LAN,
DMZ or WLAN port and changing the port's role:
1. A port's IP address changes with its role, so make sure your computer's IP
address is in the same subnet as the ZyWALL's LAN, DMZ or WLAN IP
address.
2. Use the appropriate LAN, DMZ or WLAN IP address to access the ZyWALL.
To change your ZyWALL’s port role settings, click NETWORK, WLAN and then the Port
Roles tab. The screen appears as shown.
The radio buttons on the left correspond to Ethernet ports on the front panel of the ZyWALL.
Ports 1 to 4 are all DMZ ports on the ZyWALL 70 and all LAN ports on the ZyWALL 5 or
ZyWALL 35 by default. The radio buttons on the right are for the WLAN card.
Note: Your changes are also reflected in the LAN and/or DMZ Port Roles screen.
Figure 74 WLAN Port Roles
The following table describes the labels in this screen.
Table 52 WLAN Port Roles
LAN
    Select a port’s LAN radio button to use the port as part of the LAN. The port will
    use the LAN IP address and MAC address.
DMZ
    Select a port’s DMZ radio button to use the port as part of the DMZ. The port will
    use the DMZ IP address and MAC address.
WLAN
    When you have the wireless card set to WLAN, you can select a port’s WLAN
    radio button to use the port as part of the WLAN.
    The port will use the ZyWALL’s WLAN IP address and the MAC address of the
    WLAN card.
    Note: You must install a wireless card to use the WLAN port role.
    See Appendix A on page 664 for how to install a WLAN card.
Wireless Card
    Select LAN to use the wireless card as part of the LAN.
    Select DMZ to use the wireless card as part of the DMZ.
    Select WLAN to use the wireless card as part of the WLAN.
    The ZyWALL restarts after you change the wireless card setting.
    Note: If you set the wireless card to be part of the LAN or DMZ, you
    can still use wireless access, but not the WLAN interface in
    the firewall. The firewall will treat the wireless card as part of
    the LAN or DMZ respectively.
Apply
    Click Apply to save your changes back to the ZyWALL.
Reset
    Click Reset to begin configuring this screen afresh.
After you change the LAN/DMZ/WLAN port roles and click Apply, wait a few
seconds until the following screen appears. Click Return to go back to the Port Roles screen.
Figure 75 WLAN Port Roles Change Complete
9.6 Wireless Security
Wireless security is vital to your network: it protects wireless communication between wireless
stations, access points and other wireless devices.
The figure below shows the possible wireless security levels on your ZyWALL. EAP
(Extensible Authentication Protocol) is used for authentication and supports dynamic WEP key
exchange. It requires a RADIUS (Remote Authentication Dial-In User Service) server, on
either the WAN or your LAN, to provide the authentication service for wireless stations.
Figure 76 ZyWALL Wireless Security Levels
If you do not enable any wireless security on your ZyWALL, your network is accessible to any
wireless networking device that is within range.
Use the ZyWALL web configurator to set up your wireless LAN security settings. Refer to the
chapter on using the ZyWALL web configurator to see how to access the web configurator.
9.6.1 Encryption
• Use WPA security if you have WPA-aware wireless clients and a RADIUS server. WPA
has user authentication and improved data encryption over WEP.
• Use WPA-PSK if you have WPA-aware wireless clients but no RADIUS server.
• If you don’t have WPA-aware wireless clients, then use WEP encryption. A longer key is
marginally harder to attack and costs some throughput. You can use Passphrase to
automatically generate 64-bit or 128-bit WEP keys or enter 64-bit or 128-bit WEP keys
manually (see Section 9.16.1). Treat WEP as a last resort: its key can be recovered from
captured traffic whatever the key length, so it only keeps out casual eavesdroppers.
9.6.2 Authentication
Use a RADIUS server with WPA or with the IEEE 802.1x key management protocol. You can also
configure IEEE 802.1x to use the built-in database (Local User Database) to authenticate
wireless clients before they join your network.
• Use RADIUS authentication if you have a RADIUS server. See the appendices for
information on the protocols used when a client authenticates with a RADIUS server via the
ZyWALL.
• Use the Local User Database if you have up to 32 wireless clients in your network.
The ZyWALL uses EAP-MD5 (a challenge-response exchange, not encryption) when a client
authenticates with the Local User Database, so this mode cannot generate encryption keys
and does not authenticate the ZyWALL to the client.
9.6.3 Restricted Access
The MAC Filter screen allows you to configure the AP to give exclusive access to devices
(Allow Association) or exclude them from accessing the AP (Deny Association). MAC
addresses are sent in the clear in every frame and are easy to change, so use MAC filtering
only as a supplement to encryption and authentication, never instead of them.
9.6.4 Hide ZyWALL Identity
If you hide the ESSID, the ZyWALL does not advertise it in beacons, so it does not appear when
a wireless client scans for local APs. The ESSID is still sent in the clear when a client
associates, so hiding it only deters casual discovery. The trade-off for this modest gain may
be inconvenience for some valid WLAN clients.
9.7 Security Parameters Summary
Refer to this table to see what other security parameters you should configure for each
authentication method/key management protocol type. You enter manual keys when using
WEP encryption or WPA-PSK. MAC address filters are not dependent on how you configure
these security features.
Table 53 Wireless Security Relational Matrix
AUTHENTICATION METHOD/    ENCRYPTION   ENTER        IEEE 802.1X
KEY MANAGEMENT PROTOCOL   METHOD       MANUAL KEY
Open                      None         No           Disable
Open                      None         No           Enable without Dynamic WEP Key
Open                      WEP          No           Enable with Dynamic WEP Key
Open                      WEP          Yes          Enable without Dynamic WEP Key
Open                      WEP          Yes          Disable
Shared                    WEP          No           Enable with Dynamic WEP Key
Shared                    WEP          Yes          Enable without Dynamic WEP Key
Shared                    WEP          Yes          Disable
WPA                       TKIP         No           Enable
WPA-PSK                   TKIP         Yes          Enable
9.8 WEP Encryption
WEP (Wired Equivalent Privacy) as specified in the IEEE 802.11 standard provides methods
for both data encryption and wireless station authentication. WEP provides a mechanism for
encrypting data using encryption keys. Both the AP and the wireless stations must use the
same WEP key to encrypt and decrypt data. Your ZyWALL allows you to configure up to four
64-bit or 128-bit WEP keys, but only one key can be used at any one time.
Note that the "64-bit" and "128-bit" figures include the 24-bit initialization vector that is sent
in the clear with every frame; the secret part of the key is 40 or 104 bits. Because the IV space
is small and the same RC4 key is reused for every packet, a passive listener who captures
enough traffic can recover the key. Prefer WPA or WPA-PSK wherever the clients support it.
9.9 802.1x Overview
The IEEE 802.1x standard outlines enhanced security methods for both the authentication of
wireless stations and encryption key management. Authentication can be done using the local
user database internal to the ZyWALL (authenticate up to 32 users) or an external RADIUS
server for an unlimited number of users.
9.9.1 Introduction to RADIUS
RADIUS is based on a client-server model that supports authentication and accounting, where
the access point is the client and the server is the RADIUS server. The RADIUS server handles
the following tasks among others:
• Authentication
Determines the identity of the users.
• Accounting
Keeps track of the client’s network activity.
RADIUS is a simple packet exchange in which your ZyWALL acts as a message relay
between the wireless station and the network RADIUS server.
9.9.1.1 Types of RADIUS Messages
The following types of RADIUS messages are exchanged between the access point and the
RADIUS server for user authentication:
• Access-Request
Sent by an access point requesting authentication.
• Access-Reject
Sent by a RADIUS server rejecting access.
• Access-Accept
Sent by a RADIUS server allowing access.
• Access-Challenge
Sent by a RADIUS server requesting more information in order to allow access. The
access point obtains the required response from the user and sends it in another
Access-Request message.
The following types of RADIUS messages are exchanged between the access point and the
RADIUS server for user accounting:
• Accounting-Request
Sent by the access point requesting accounting.
• Accounting-Response
Sent by the RADIUS server to indicate that it has started or stopped accounting.
To protect this exchange, the access point and the RADIUS server share a secret key (a
password that both know). The secret is never sent over the network: the server proves it
holds the secret by computing the Response Authenticator of each reply from the request and
the secret, and the access point discards any reply whose authenticator does not verify.
Password information carried in an Access-Request is also hidden using the shared secret.
Choose a long random shared secret and use a different one for each access point, because an
attacker who can observe the traffic can test guesses against the authenticators offline.
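The following Python code is an added example of the exchange described above; it is not ZyXEL code and does not claim to match the ZyWALL's implementation. It builds an Access-Request the way a RADIUS client (here, the ZyWALL in the role of access point) would, hides the User-Password with the shared secret as RFC 2865 specifies, and shows the check the client must perform on the server's reply: recomputing the Response Authenticator from the original Request Authenticator and the secret. The shared secret, user name, password and NAS address are constructed values.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes, then XOR
    each block with MD5(secret + previous block), seeded with the Request
    Authenticator. This is how the password is 'hidden' with the shared secret."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def encode_attributes(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Type(1) Length(1) Value TLVs; Length counts the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_access_request(identifier: int, secret: bytes, user: bytes, password: bytes,
                         nas_ip: str, request_auth: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """What the RADIUS client sends. Returns (packet, request_auth); the client
    keeps request_auth so it can check the reply."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attributes([
        (ATTR_USER_NAME, user),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(code: int, identifier: int, request_auth: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """What the server sends back. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), so it binds the
    reply to one request and to the secret without ever transmitting the secret."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check. A reply that fails this must be dropped: without it an
    attacker on the path could spoof an Access-Accept and get onto the WLAN."""
    if len(packet) < 20:
        return False
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:]
    _code, _identifier, length = struct.unpack("!BBH", header)
    if length != len(packet):
        return False
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)
```

Both protections lean entirely on the secret: the password hiding is a stream of MD5 blocks keyed by it, and anyone with a captured request/reply pair can test candidate secrets against the Response Authenticator offline, which is why a short or shared-everywhere secret is a real weakness even though it "is not sent over the network".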
9.9.2 EAP Authentication Overview
EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the
IEEE 802.1x transport mechanism in order to support multiple types of user authentication. By
using EAP to interact with an EAP-compatible RADIUS server, the access point helps a
wireless station and a RADIUS server perform authentication.
The type of authentication you use depends on the RADIUS server or the AP.
Your ZyWALL supports EAP-MD5 (Message-Digest Algorithm 5) with the local user
database.
The following figure shows an overview of authentication when you specify a RADIUS server
on your access point.
Figure 77 EAP Authentication
The details below provide a general description of how IEEE 802.1x EAP authentication
works.
• The wireless station sends a start message to the ZyWALL.
• The ZyWALL sends a request identity message to the wireless station for identity
information.
• The wireless station replies with its identity (user name). The ZyWALL relays this and all
following EAP messages between the station and the RADIUS server; the credential
exchange itself (for example, the EAP-MD5 challenge and the hashed response) takes place
inside those relayed messages, so the password is not sent as such.
• The RADIUS server checks the user information against its user profile database and
determines whether or not to authenticate the wireless station.
9.10 Dynamic WEP Key Exchange
With dynamic WEP, each wireless station gets its own WEP key, derived from keying material
produced during EAP authentication with the RADIUS server. This key expires when the
wireless connection times out, disconnects or reauthentication times out. A new WEP key
is generated each time reauthentication is performed.
If this feature is enabled, it is not necessary to configure a default encryption key in the
Wireless Card screen (see Section 9.16.4 on page 196). You may still configure and store
keys here, but they will not be used while dynamic WEP is enabled.
To use dynamic WEP, enable and configure dynamic WEP key exchange in the Wireless
Card screen and configure RADIUS server settings in the AUTH SERVER RADIUS screen
(see Section 21.3 on page 372). Ensure that the wireless station's EAP type is configured to
one of the following:
• EAP-TLS
• EAP-TTLS
• PEAP
Note: EAP-MD5 cannot be used with dynamic WEP key exchange.
9.11 Introduction to WPA
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. Key differences
between WPA and WEP are user authentication and improved data encryption.
9.11.1 User Authentication
WPA applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate
wireless clients using an external RADIUS database. You can't use the ZyWALL's Local User
Database for WPA authentication purposes since the Local User Database uses EAP-MD5
which cannot be used to generate keys. See later in this chapter and the appendices for more
information on IEEE 802.1x, RADIUS and EAP.
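Sections 9.9.2 and 9.11.1 both come down to one property of EAP-MD5: the station proves knowledge of the password with a single MD5 over the challenge, and nothing in that exchange yields key material. The following Python code is an added example, not ZyXEL code, that builds and checks the EAP-MD5 Request/Response pair as the ZyWALL's Local User Database would, and then shows why this is a weak mode: an eavesdropper who records the pair can test password guesses offline at one MD5 per guess. The challenge, identity, password and wordlist are constructed.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Optional, Tuple

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4


def eap_md5_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 (RFC 3748 section 5.4, the CHAP construction of RFC 1994):
    Value = MD5(Identifier || password || Challenge). There is no key output,
    which is why WPA (and dynamic WEP) cannot be built on it."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_md5_challenge_request(identifier: int, challenge: bytes) -> bytes:
    """EAP-Request/MD5-Challenge as relayed by the ZyWALL to the station:
    Code, Identifier, Length, Type, Value-Size, Value."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(challenge)]) + challenge
    return bytes([EAP_REQUEST, identifier]) + (4 + len(body)).to_bytes(2, "big") + body


def build_md5_challenge_response(identifier: int, password: bytes, challenge: bytes,
                                 name: bytes) -> bytes:
    """EAP-Response/MD5-Challenge; Name carries the identity sent earlier in
    EAP-Response/Identity."""
    value = eap_md5_value(identifier, password, challenge)
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return bytes([EAP_RESPONSE, identifier]) + (4 + len(body)).to_bytes(2, "big") + body


def parse_md5_challenge(packet: bytes) -> Tuple[int, int, bytes, bytes]:
    """Returns (code, identifier, value_or_challenge, name); raises on malformed input."""
    if len(packet) < 6 or int.from_bytes(packet[2:4], "big") != len(packet):
        raise ValueError("bad EAP length")
    if packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge packet")
    size = packet[5]
    if 6 + size > len(packet):
        raise ValueError("truncated value")
    return packet[0], packet[1], packet[6:6 + size], packet[6 + size:]


def authenticator_check(challenge: bytes, response: bytes, users: Dict[bytes, bytes]) -> bool:
    """What the authenticator does with its user database: recompute the value
    for the named user and compare in constant time."""
    code, identifier, value, name = parse_md5_challenge(response)
    if code != EAP_RESPONSE or name not in users:
        return False
    expected = eap_md5_value(identifier, users[name], challenge)
    return hmac.compare_digest(expected, value)


def offline_guess(challenge: bytes, response: bytes, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """What an eavesdropper can do with one captured Request/Response pair. The
    exchange is not protected by any key it produces (with 802.1x + No WEP it is
    simply in the clear), so each candidate password costs one MD5."""
    _code, identifier, value, _name = parse_md5_challenge(response)
    for guess in wordlist:
        if eap_md5_value(identifier, guess, challenge) == value:
            return guess
    return None
```

The same capture also lets an attacker impersonate the network, since EAP-MD5 never authenticates the ZyWALL to the station; that is the second reason the manual steers WPA deployments to an external RADIUS server with a key-deriving EAP method.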
If you don't have an external RADIUS server you should use WPA-PSK (WPA Pre-Shared
Key), which only requires a single (identical) password entered into each access point, wireless
gateway and wireless client. As long as the passwords match, a client will be granted access to
the WLAN.
9.11.2 Encryption
WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP), Message
Integrity Check (MIC) and IEEE 802.1x.
Temporal Key Integrity Protocol (TKIP) uses 128-bit keys that are generated dynamically from
the master key delivered by the authentication server (or, with WPA-PSK, from the pre-shared
key). It includes a per-packet key mixing function, a Message Integrity Check (MIC) named
Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying
mechanism.
TKIP regularly changes and rotates the encryption keys so that the same encryption key is
never used twice. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP
that then sets up a key hierarchy and management system, using the pair-wise key to
dynamically generate unique data encryption keys to encrypt every data packet that is
wirelessly communicated between the AP and the wireless clients. This all happens in the
background automatically.
The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data
packets, altering them and resending them. The MIC provides a strong mathematical function
in which the receiver and the transmitter each compute and then compare the MIC. If they do
not match, it is assumed that the data has been tampered with and the packet is dropped.
By generating unique data encryption keys for every data packet and by creating an integrity
checking mechanism (MIC), TKIP makes it much more difficult to decode data on a Wi-Fi
network than WEP, making it difficult for an intruder to break into the network.
The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference
between the two is that WPA-PSK uses a simple common password, instead of user-specific
credentials. The common-password approach makes WPA-PSK susceptible to offline
password-guessing attacks against a captured handshake, so the pre-shared key must be long
and random. It is still a large improvement over WEP, and the single, consistent alphanumeric
password is easier to deploy.
9.12 WPA-PSK Application Example
A WPA-PSK application looks as follows.
1 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key
(PSK) must consist of between 8 and 63 ASCII characters (including spaces and
symbols).
2 The AP and each client prove to one another that they hold the same password (the
4-way handshake), and the AP only allows a client to join the network if that proof
succeeds.
3 The AP derives and distributes keys to the wireless clients.
4 The AP and wireless clients use the TKIP encryption process to encrypt data exchanged
between them.
Figure 78 WPA-PSK Authentication
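The steps above, carried out in code, as an added example that is not ZyXEL's and is independent of the ZyWALL's implementation. The passphrase-to-PMK mapping (PBKDF2-HMAC-SHA1 over the SSID, 4096 rounds) and the PRF-512 pairwise key expansion are the IEEE 802.11i definitions; the handshake message is a constructed WPA (descriptor 0xFE) message 2 with only the fields the MIC needs filled in, and the SSID, MAC addresses, nonces, passphrase and wordlist are constructed. The last function is the offline guessing attack the section warns about: with one captured message 2, every candidate passphrase can be tested without talking to the AP.

```python
import hashlib
import hmac
from typing import Iterable, Optional

MIC_OFFSET = 81   # offset of the 16-byte Key MIC field inside an EAPOL-Key frame


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i passphrase-to-PSK mapping: the 256-bit PMK is
    PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes). The ZyWALL's
    8..63 printable-ASCII limit on the key comes from this mapping."""
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA-PSK passphrase must be 8..63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 pairwise key expansion. The first 16 bytes of the PTK are the KCK,
    the key that authenticates the 4-way handshake messages (step 2 above)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return ptk[:64]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for key descriptor version 1 (WPA/TKIP): HMAC-MD5 over the whole
    EAPOL-Key frame with the MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.md5).digest()


def build_msg2(snonce: bytes, replay_counter: int = 1) -> bytes:
    """Constructed handshake message 2 (station -> AP): 802.1X header, WPA
    descriptor type 0xFE, key info 0x0109 (version 1, pairwise, MIC bit), key
    length 32, replay counter, SNonce, zero IV/RSC/ID, zero MIC, no key data."""
    body = (bytes([0xFE]) + (0x0109).to_bytes(2, "big") + (32).to_bytes(2, "big")
            + replay_counter.to_bytes(8, "big") + snonce + b"\x00" * 16
            + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + (0).to_bytes(2, "big"))
    return bytes([1, 3]) + len(body).to_bytes(2, "big") + body


def sign_msg2(kck: bytes, frame: bytes) -> bytes:
    """Fill in the MIC the way the station does before sending message 2."""
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def recover_passphrase(ssid: str, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
                       msg2: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on a captured handshake. Each guess costs one
    PBKDF2 (4096 HMAC-SHA1 rounds), one PRF-512 and one HMAC-MD5; the AP is
    never contacted, so lockouts and logs on the ZyWALL do not help."""
    captured_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in candidates:
        try:
            pmk = wpa_psk(candidate, ssid)
        except ValueError:
            continue
        kck = ptk_from_pmk(pmk, aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), captured_mic):
            return candidate
    return None
```

Two practical consequences follow from the code: the SSID is a salt, so precomputed tables only work per SSID (a unique ESSID is worth something), and the per-guess cost is fixed by the standard, so the only defence the ZyWALL owner controls is the length and randomness of the pre-shared key.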
9.13 Introduction to RADIUS
The ZyWALL can use an external RADIUS server to authenticate an unlimited number of
users. RADIUS is based on a client-server model that supports authentication (determining the
identity of the users) and accounting (keeping track of the client’s network activity), where the
access point is the client and the server is the RADIUS server. The ZyWALL acts as a message
relay between the wireless station and the network RADIUS server; see Section 9.9.1 for the
message types exchanged.
9.14 WPA with RADIUS Application Example
You need the IP address of the RADIUS server, its port number (default is 1812), and the
RADIUS shared secret. A WPA application example with an external RADIUS server looks as
follows. "A" is the RADIUS server. "DS" is the distribution system.
1 The AP passes the wireless client's authentication request to the RADIUS server.
2 The RADIUS server then checks the user's identification against its database and grants
or denies network access accordingly.
3 The RADIUS server delivers a Pairwise Master Key (PMK) to the AP, which then
sets up a key hierarchy and management system, using the pairwise key to dynamically
generate unique data encryption keys to encrypt every data packet that is wirelessly
communicated between the AP and the wireless clients.
Figure 79 WPA with RADIUS Application Example
9.15 Wireless Client WPA Supplicants
A wireless client supplicant is the software that runs on an operating system instructing the
wireless client how to use WPA. At the time of writing, the most widely available supplicants
are the WPA patch for Windows XP, Funk Software's Odyssey client, and Meetinghouse Data
Communications' AEGIS client.
The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in
"Zero Configuration" wireless client. However, you must run Windows XP to use it.
9.16 Wireless Card
Note: If you are configuring the ZyWALL from a computer connected to the wireless
LAN and you change the ZyWALL’s ESSID or security settings, you will lose
your wireless connection when you press Apply to confirm. You must then
change the wireless settings of your computer to match the ZyWALL’s new
settings.
Click NETWORK and WIRELESS CARD to open the Wireless Card screen. The screen
varies according to the security features you select.
Figure 80 Wireless Card: No Security
The following table describes the labels in this screen.
Table 54 Wireless Card: No Security
Enable Wireless Card
    The wireless LAN is turned off by default. Before you enable it, configure some security
    (MAC filters and/or 802.1x or WPA); otherwise your wireless LAN will be open to anyone in
    range as soon as it is enabled. Select the check box to enable the wireless LAN.
Wireless Card
    This field displays whether or not a compatible ZyXEL wireless LAN card is installed.
    You can only use the wireless LAN feature if a compatible ZyXEL wireless LAN card is
    installed.
    Note: Turn the ZyWALL off before you install or remove the wireless
    LAN card. See the product specifications appendix for a table of
    compatible ZyXEL WLAN cards (and the WLAN security
    features each card supports) and how to install a WLAN card.
ESSID
    (Extended Service Set IDentity) The ESSID identifies the Service Set with which a
    wireless station is associated. Wireless stations associating to the access point (AP)
    must have the same ESSID. Enter a descriptive name (up to 32 printable 7-bit ASCII
    characters) for the wireless LAN.
Hide ESSID
    Select to hide the ESSID in the outgoing beacon frame so a station cannot obtain the
    ESSID through scanning.
Channel ID
    This allows you to set the operating frequency/channel depending on your particular
    region. Select a channel from the drop-down list box.
RTS/CTS Threshold
    The RTS (Request To Send) threshold (number of bytes) is for enabling RTS/CTS.
    Data with its frame size larger than this value will perform the RTS/CTS handshake.
    Setting this value to be larger than the maximum MSDU (MAC service data unit) size
    turns off RTS/CTS. Setting this value to zero turns on RTS/CTS for every frame.
    Select the check box to change the default value and enter a new value between 0 and
    2432.
Fragmentation Threshold
    This is the threshold (number of bytes) for the fragmentation boundary for directed
    messages. It is the maximum data fragment size that can be sent.
    Select the check box to change the default value and enter a value between 256 and
    2432.
Security
    Choose from one of the security settings listed in the drop-down box.
    • No Security
    • Static WEP
    • WPA-PSK
    • WPA
    • 802.1x + Dynamic WEP
    • 802.1x + Static WEP
    • 802.1x + No WEP
    • No Access 802.1x + Static WEP
    • No Access 802.1x + No WEP
    Select No Security to allow wireless stations to communicate with the access points
    without any data encryption. Otherwise, select the security you need and see the
    following sections for more information.
    Note: The installed ZyXEL WLAN card may not support all of the
    WLAN security features you can configure in the ZyWALL.
    Please see the product specifications appendix for a table of
    compatible ZyXEL WLAN cards and the WLAN security features
    each card supports.
Apply
    Click Apply to save your changes back to the ZyWALL.
Reset
    Click Reset to begin configuring this screen afresh.
9.16.1 Static WEP
Static WEP provides a mechanism for encrypting data using encryption keys. Both the AP and
the wireless stations must use the same WEP key to encrypt and decrypt data. Your ZyWALL
allows you to configure up to four 64-bit or 128-bit WEP keys, but only one key can be used at
any one time.
In order to configure and enable WEP encryption, click the NETWORK and WIRELESS
CARD to display the Wireless Card screen. Select Static WEP from the Security list.
Figure 81 Wireless Card: Static WEP
The following table describes the wireless LAN security labels in this screen.
Table 55 Wireless Card: Static WEP
Security
    Select Static WEP from the drop-down list.
WEP Encryption
    WEP (Wired Equivalent Privacy) provides data encryption to prevent unauthorized
    wireless stations from accessing data transmitted over the wireless network.
    Select 64-bit WEP or 128-bit WEP to enable data encryption.
Key 1 to Key 4
    If you chose 64-bit WEP in the WEP Encryption field, then enter any 5 characters
    (ASCII string) or 10 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key.
    If you chose 128-bit WEP in the WEP Encryption field, then enter 13 characters
    (ASCII string) or 26 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key.
    There are four data encryption keys to secure your data from eavesdropping by
    unauthorized wireless users. The values for the keys must be set up exactly the same
    on the access points as they are on the wireless stations.
Apply
    Click Apply to save your changes back to the ZyWALL.
Reset
    Click Reset to begin configuring this screen afresh.
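The key-entry rules in Table 55 (and the four-key limit stated in Section 9.8) are easy to get wrong by one character, and the screen's "64-bit"/"128-bit" labels hide how much of the key is actually secret. The following Python code is an added example, not part of the ZyWALL's configurator: it parses a Key field exactly as the table describes (5 or 13 ASCII characters, or 10 or 26 hex digits after 0x), reports the secret key length, and checks the four fields as a set. The notion of a selected default key index is an assumption drawn from "only one key can be used at any one time"; the sample entries are constructed.

```python
import re
from typing import List, Optional, Tuple

# Entry lengths from the Static WEP screen: (ASCII characters, hex digits after "0x").
WEP_ENTRY_LENGTHS = {64: (5, 10), 128: (13, 26)}
WEP_IV_BITS = 24   # the part of "64" or "128" that is sent in the clear, not secret


def parse_wep_key(entry: str, strength: int) -> bytes:
    """Turn one Key field into the raw key bytes the card uses, rejecting entries
    the screen would also reject (wrong length, non-hex after 0x, non-ASCII)."""
    if strength not in WEP_ENTRY_LENGTHS:
        raise ValueError("WEP strength must be 64 or 128")
    ascii_len, hex_len = WEP_ENTRY_LENGTHS[strength]
    if entry[:2].lower() == "0x":
        digits = entry[2:]
        if len(digits) != hex_len or not re.fullmatch(r"[0-9A-Fa-f]+", digits):
            raise ValueError(f"{strength}-bit hex key needs {hex_len} hex digits after 0x")
        return bytes.fromhex(digits)
    if len(entry) != ascii_len or not entry.isascii() or not entry.isprintable():
        raise ValueError(f"{strength}-bit ASCII key needs {ascii_len} printable ASCII characters")
    return entry.encode("ascii")


def secret_bits(key: bytes) -> int:
    """Bits an attacker has to recover: 40 for '64-bit' and 104 for '128-bit' WEP."""
    return len(key) * 8


def validate_key_set(entries: List[str], strength: int,
                     default_index: int) -> Tuple[List[Optional[bytes]], List[str]]:
    """Check the four Key fields together. Returns (parsed keys, problems).
    Empty fields are allowed, but the key selected for use must be filled in
    (assumed to be chosen by a 1-based index), and keys must not repeat, since a
    repeated key gives nothing when you rotate between slots."""
    keys: List[Optional[bytes]] = []
    problems: List[str] = []
    if len(entries) != 4:
        problems.append("expected exactly four key fields")
    for n, entry in enumerate(entries, start=1):
        if not entry:
            keys.append(None)
            continue
        try:
            keys.append(parse_wep_key(entry, strength))
        except ValueError as exc:
            keys.append(None)
            problems.append(f"Key {n}: {exc}")
    if not (1 <= default_index <= len(keys)) or keys[default_index - 1] is None:
        problems.append(f"default key {default_index} is not set")
    filled = [k for k in keys if k is not None]
    if len(set(filled)) != len(filled):
        problems.append("two key fields hold the same key")
    return keys, problems
```

Note that ASCII keys are just the characters' byte values, so a "13-character" key chosen from a dictionary word or two has far less than 104 bits of entropy; use the hex form with random digits if you must use WEP at all.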
9.16.2 WPA-PSK
Click the NETWORK and WIRELESS CARD to display the Wireless Card screen. Select
WPA-PSK from the Security list.
Figure 82 Wireless Card: WPA-PSK
The following wireless LAN security fields become available when you select WPA-PSK in
the Security drop down list-box.
Table 56 Wireless Card: WPA-PSK
Security
    Select WPA-PSK from the drop-down list.
Pre-Shared Key
    The encryption mechanisms used for WPA and WPA-PSK are the same. The only
    difference between the two is that WPA-PSK uses a simple common password,
    instead of user-specific credentials.
    Type a pre-shared key from 8 to 63 case-sensitive ASCII characters (including
    spaces and symbols). Use a long, random value: anyone who captures a client's
    handshake can test passphrase guesses offline.
ReAuthentication Timer (Seconds)
    Specify how often wireless stations have to re-authenticate in order to stay
    connected. Enter a time interval between 10 and 65535 seconds.
    If wireless station authentication is done using a RADIUS server, the
    reauthentication timer on the RADIUS server has priority.
Idle Timeout (Seconds)
    The ZyWALL automatically disconnects a wireless station from the wired network
    after a period of inactivity. The wireless station needs to authenticate again
    before access to the wired network is allowed.
WPA Group Key Update Timer (Seconds)
    The WPA Group Key Update Timer is the rate at which the ZyWALL sends a new
    group key out to all clients. The re-keying process is the WPA equivalent of
    automatically changing the WEP key for an AP and all stations in a WLAN on a
    periodic basis. The group key is generated and distributed by the AP itself under
    both WPA and WPA-PSK key management, so this timer applies to both modes.
Apply
    Click Apply to save your changes back to the ZyWALL.
Reset
    Click Reset to begin configuring this screen afresh.
9.16.3 WPA
Click the NETWORK and WIRELESS CARD to display the Wireless Card screen. Select
WPA from the Security list.
Figure 83 Wireless Card: WPA
The following wireless LAN security fields become available when you select WPA in the
Security drop down list-box.
Table 57 Wireless Card: WPA
Security
    Select WPA from the drop-down list.
ReAuthentication Timer (Seconds)
    Specify how often wireless stations have to resend user names and passwords in
    order to stay connected. Enter a time interval between 10 and 65535 seconds.
    If wireless station authentication is done using a RADIUS server, the
    reauthentication timer on the RADIUS server has priority.
Idle Timeout (Seconds)
    The ZyWALL automatically disconnects a wireless station from the wired network
    after a period of inactivity. The wireless station needs to enter the user name and
    password again before access to the wired network is allowed.
Authentication Databases
    Click RADIUS to go to the RADIUS screen where you can configure the ZyWALL to
    check an external RADIUS server.
WPA Group Key Update Timer (Seconds)
    The WPA Group Key Update Timer is the rate at which the ZyWALL sends a new
    group key out to all clients. The re-keying process is the WPA equivalent of
    automatically changing the WEP key for an AP and all stations in a WLAN on a
    periodic basis. The group key is generated and distributed by the AP itself under
    both WPA and WPA-PSK key management, so this timer applies to both modes.
Apply
    Click Apply to save your changes back to the ZyWALL.
Reset
    Click Reset to begin configuring this screen afresh.
9.16.4 IEEE 802.1x + Dynamic WEP
Click the NETWORK and WIRELESS CARD to display the Wireless Card screen. Select
802.1x + Dynamic WEP from the Security list.
Figure 84 Wireless Card: 802.1x + Dynamic WEP
The following wireless LAN security fields become available when you select 802.1x +
Dynamic WEP in the Security drop down list-box.
Table 58 Wireless Card: 802.1x + Dynamic WEP
Security
    Select 802.1x + Dynamic WEP from the drop-down list.
ReAuthentication Timer (Seconds)
    Specify how often wireless stations have to resend user names and passwords in
    order to stay connected. Enter a time interval between 10 and 65535 seconds.
    If wireless station authentication is done using a RADIUS server, the
    reauthentication timer on the RADIUS server has priority.
    Because a fresh WEP key is issued at each reauthentication, a shorter interval
    limits how much traffic is ever sent under one key.
Idle Timeout (Seconds)
    The ZyWALL automatically disconnects a wireless station from the wired network
    after a period of inactivity. The wireless station needs to enter the user name and
    password again before access to the wired network is allowed.
Authentication Databases
    Click RADIUS to go to the RADIUS screen where you can configure the ZyWALL to
    check an external RADIUS server.
Dynamic WEP Key Exchange
    Select 64-bit WEP or 128-bit WEP as the length of the per-station keys that are
    generated and exchanged dynamically.
Apply
    Click Apply to save your changes back to the ZyWALL.
Reset
    Click Reset to begin configuring this screen afresh.
9.16.5 IEEE 802.1x + Static WEP
Click the NETWORK and WIRELESS CARD to display the Wireless Card screen. Select
802.1x + Static WEP from the Security list.
Figure 85 Wireless Card: 802.1x + Static WEP
The following wireless LAN security fields become available when you select 802.1x + Static
WEP in the Security drop down list-box.
Table 59 Wireless Card: 802.1x + Static WEP
Security
    Select 802.1x + Static WEP from the drop-down list.
WEP Encryption
    WEP (Wired Equivalent Privacy) provides data encryption to prevent unauthorized
    wireless stations from accessing data transmitted over the wireless network.
    Select 64-bit WEP or 128-bit WEP to enable data encryption.
Key 1 to Key 4
    If you chose 64-bit WEP in the WEP Encryption field, then enter any 5 characters
    (ASCII string) or 10 hexadecimal characters ("0-9", "A-F") preceded by 0x for each
    key.
    If you chose 128-bit WEP in the WEP Encryption field, then enter 13 characters
    (ASCII string) or 26 hexadecimal characters ("0-9", "A-F") preceded by 0x for each
    key.
    There are four data encryption keys to secure your data from eavesdropping by
    unauthorized wireless users. The values for the keys must be set up exactly the
    same on the access points as they are on the wireless stations.
ReAuthentication Timer (Seconds)
    Specify how often wireless stations have to resend user names and passwords in
    order to stay connected. Enter a time interval between 10 and 65535 seconds.
    If wireless station authentication is done using a RADIUS server, the
    reauthentication timer on the RADIUS server has priority.
Idle Timeout (Seconds)
    The ZyWALL automatically disconnects a wireless station from the wired network
    after a period of inactivity. The wireless station needs to enter the user name and
    password again before access to the wired network is allowed.
Authentication Databases
    Click Local User to go to the Local User Database screen where you can view and/
    or edit the list of users and passwords. Click RADIUS to go to the RADIUS screen
    where you can configure the ZyWALL to check an external RADIUS server.
Apply
    Click Apply to save your changes back to the ZyWALL.
Reset
    Click Reset to begin configuring this screen afresh.
9.16.6 IEEE 802.1x + No WEP
Click the NETWORK and WIRELESS CARD to display the Wireless Card screen. Select
802.1x + No WEP from the Security list. This mode authenticates stations but encrypts
nothing: all wireless traffic, and the EAP exchange itself, travels in the clear. Use it only
where you treat the wireless segment as untrusted anyway, for example a guest network
confined by firewall rules on the WLAN interface.
Figure 86 Wireless Card: 802.1x + No WEP
The following wireless LAN security fields become available when you select 802.1x + No
WEP in the Security drop down list-box.
Table 60 Wireless Card: 802.1x + No WEP
Security
    Select 802.1x + No WEP from the drop-down list.
ReAuthentication Timer (Seconds)
    Specify how often wireless stations have to resend user names and passwords in
    order to stay connected. Enter a time interval between 10 and 65535 seconds.
    If wireless station authentication is done using a RADIUS server, the
    reauthentication timer on the RADIUS server has priority.
Idle Timeout (Seconds)
    The ZyWALL automatically disconnects a wireless station from the wired network
    after a period of inactivity. The wireless station needs to enter the user name and
    password again before access to the wired network is allowed.
Authentication Databases
    Click Local User to go to the Local User Database screen where you can view and/
    or edit the list of users and passwords. Click RADIUS to go to the RADIUS screen
    where you can configure the ZyWALL to check an external RADIUS server.
Apply
    Click Apply to save your changes back to the ZyWALL.
Reset
    Click Reset to begin configuring this screen afresh.
9.16.7 No Access 802.1x + Static WEP
Click the NETWORK and WIRELESS CARD to display the Wireless Card screen. Select
No Access 802.1x + Static WEP to deny all wireless stations access to your wired network
and allow wireless stations to communicate with the ZyWALL using static WEP keys for data
encryption.
Figure 87 Wireless Card: No Access 802.1x + Static WEP
The following wireless LAN security fields become available when you select No Access
802.1x + Static WEP in the Security drop-down list box.
Table 61 Wireless Card: No Access 802.1x + Static WEP
Security
    Select No Access 802.1x + Static WEP from the drop-down list.
WEP Encryption
    WEP (Wired Equivalent Privacy) encrypts frames so that wireless stations that do not
    hold the key cannot read data transmitted over the wireless network. Select 64-bit WEP
    or 128-bit WEP to enable data encryption. Note that the WEP cipher has known weaknesses:
    an attacker who captures enough traffic can recover a static key, so change the keys
    regularly and prefer stronger security (such as WPA) where your wireless stations
    support it.
Key 1 to Key 4
    If you chose 64-bit WEP in the WEP Encryption field, enter any 5 characters (ASCII
    string) or 10 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key.
    If you chose 128-bit WEP in the WEP Encryption field, enter 13 characters (ASCII string)
    or 26 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key.
    There are four data encryption keys to secure your data from eavesdropping by
    unauthorized wireless users. The values for the keys must be set up exactly the same on
    the access points as they are on the wireless stations.
Apply
    Click Apply to save your changes back to the ZyWALL.
Reset
    Click Reset to begin configuring this screen afresh.
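The key entry format in Table 61 can be checked mechanically before it is typed into the screen or pushed by a configuration script. The following is an added example in Python; it is not part of this guide or of the ZyWALL firmware. It assumes the two setting names from the WEP Encryption field and returns the raw key bytes, rejecting entries of the wrong length or containing non-hexadecimal digits.

```python
# Added example, not code from the ZyWALL guide or firmware: validating a WEP
# key entry in the format Table 61 describes and returning the raw key bytes.
from typing import Optional

# WEP Encryption setting -> length of the secret key in bytes. The nominal
# 64/128 bits include the 24-bit per-packet IV, which is not part of the entry.
KEY_BYTES = {"64-bit WEP": 5, "128-bit WEP": 13}


def parse_wep_key(setting: str, entry: str) -> Optional[bytes]:
    """Return the key bytes for `entry`, or None if it does not fit `setting`.

    Hex form: '0x' followed by exactly 2*n hex digits. ASCII form: exactly n
    printable ASCII characters (an ASCII key therefore must not begin with 0x).
    """
    n = KEY_BYTES.get(setting)
    if n is None or not entry:
        return None
    if entry[:2].lower() == "0x":
        digits = entry[2:]
        if len(digits) != 2 * n:
            return None
        try:
            return bytes.fromhex(digits)
        except ValueError:      # a character outside 0-9, A-F
            return None
    if len(entry) != n or not entry.isascii() or not entry.isprintable():
        return None
    return entry.encode("ascii")


if __name__ == "__main__":
    # Constructed entries: two valid 64-bit keys, a valid 128-bit key, one too long.
    for setting, entry in [("64-bit WEP", "0x0102030405"), ("64-bit WEP", "abcde"),
                           ("128-bit WEP", "0x" + "ab" * 13), ("64-bit WEP", "abcdef")]:
        print(setting, repr(entry), "->", parse_wep_key(setting, entry))
```

A key that parses here is only well-formed; the same value must still be entered on every wireless station, as the table says.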
9.16.8 No Access 802.1x + No WEP
Click NETWORK and then WIRELESS CARD to display the Wireless Card screen. Select
No Access 802.1x + No WEP to deny all wireless stations access to your wired network and
to block all wireless stations from communicating with the ZyWALL.
9.17 MAC Filter
The MAC filter screen allows you to configure the ZyWALL to give exclusive access to
specific devices (Allow Association) or to exclude specific devices from accessing the
ZyWALL (Deny Association). Every Ethernet device has a unique MAC (Media Access Control)
address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal
characters, for example, 00:A0:C5:00:00:02. You need to know the MAC addresses of the
devices to configure this screen. Because a station's MAC address is transmitted in the clear
and can be changed in software, MAC filtering only keeps out casual connections; it is not a
substitute for authentication and encryption.
To change your ZyWALL’s MAC filter settings, click NETWORK, WIRELESS CARD and then
the MAC Filter tab. The screen appears as shown.
Figure 88 Wireless Card: MAC Address Filter
The following table describes the labels in this screen.
Table 62 Wireless Card: MAC Address Filter
Active
    Select or clear the check box to enable or disable MAC address filtering. Enable MAC
    address filtering to have the ZyWALL allow or deny access to wireless stations based on
    their MAC addresses. Disable it to have the ZyWALL perform no MAC filtering on the
    wireless stations.
Association
    Define the filter action for the list of MAC addresses in the MAC address filter table.
    Select Deny to block the listed MAC addresses; MAC addresses not listed will be allowed
    to access the ZyWALL. Select Allow to permit only the listed MAC addresses; MAC addresses
    not listed will be denied access to the ZyWALL.
#
    This is the index number of the MAC address.
User Name
    Enter a descriptive name for the MAC address.
MAC Address
    Enter the MAC addresses (in XX:XX:XX:XX:XX:XX format) of the wireless stations that are
    allowed or denied access to the ZyWALL in these address fields.
Apply
    Click Apply to save your changes back to the ZyWALL.
Reset
    Click Reset to begin configuring this screen afresh.
CHAPTER 10
Firewalls
This chapter gives some background information on firewalls and introduces the ZyWALL
firewall.
10.1 Firewall Overview
Originally, the term firewall referred to a construction technique designed to prevent the
spread of fire from one room to another. The networking term firewall is a system or group of
systems that enforces an access-control policy between two networks. It may also be defined
as a mechanism used to protect a trusted network from an untrusted network. Of course,
firewalls cannot solve every security problem. A firewall is one of the mechanisms used to
establish a network security perimeter in support of a network security policy. It should never
be the only mechanism or method employed. For a firewall to guard effectively, you must
design and deploy it appropriately. This requires integrating the firewall into a broad
information-security policy. In addition, specific policies must be implemented within the
firewall itself.
10.2 Types of Firewalls
There are three main types of firewalls:
1 Packet Filtering Firewalls
2 Application-level Firewalls
3 Stateful Inspection Firewalls
10.2.1 Packet Filtering Firewalls
Packet filtering firewalls restrict access based on the source and destination network
addresses of a packet and on the type of application, as indicated by the protocol and port
numbers in the packet header.
10.2.2 Application-level Firewalls
Application-level firewalls restrict access by serving as proxies for external servers. Since they
use programs written for specific Internet services, such as HTTP, FTP and telnet, they can
evaluate network packets for valid application-specific data. Application-level gateways have
a number of general advantages over the default mode of permitting application traffic directly
to internal hosts:
1 Information hiding prevents the names of internal systems from being made known via
DNS to outside systems, since the application gateway is the only host whose name must
be made known to outside systems.
2 Robust authentication and logging pre-authenticates application traffic before it reaches
internal hosts and causes it to be logged more effectively than if it were logged with
standard host logging.
3 Simpler filtering rules: the rules at the packet filtering router can be less complex
than they would be if the router needed to filter application traffic and direct it to a
number of specific systems. The router need only allow application traffic destined for
the application gateway and reject the rest.
10.2.3 Stateful Inspection Firewalls
Stateful inspection firewalls restrict access by screening data packets against defined access
rules. They make access control decisions based on IP address and protocol. They also
"inspect" the session data to assure the integrity of the connection and to adapt to dynamic
protocols. These firewalls generally provide the best speed and transparency; however, they
may lack the granular application level access control or caching that some proxies support.
See Section 10.5 on page 208 for more information on Stateful Inspection.
Firewalls, of one type or another, have become an integral part of standard security solutions
for enterprises.
10.3 Introduction to ZyXEL’s Firewall
The ZyWALL firewall is a stateful inspection firewall and is designed to protect against
Denial of Service attacks when activated (in SMT menu 21.2 or in the web configurator). The
ZyWALL’s purpose is to allow a private Local Area Network (LAN) to be securely connected
to the Internet. The ZyWALL can be used to prevent theft, destruction and modification of
data, as well as log events, which may be important to the security of your network. The
ZyWALL also has packet-filtering capabilities.
The ZyWALL is installed between the LAN and a broadband modem connecting to the
Internet. This allows it to act as a secure gateway for all data passing between the Internet and
the LAN.
The ZyWALL allows you to physically separate the network into the following areas:
• The WAN (Wide Area Network) port(s) attaches to the broadband modem (cable or
ADSL) connecting to the Internet.
• The LAN (Local Area Network) port(s) attaches to a network of computers, which needs
security from the outside world. These computers will have access to Internet services
such as e-mail, FTP, and the World Wide Web. However, inbound access will not be
allowed unless the remote host is authorized to use a specific service.
Figure 89 ZyWALL Firewall Application
10.4 Denial of Service
Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the
Internet. Their goal is not to steal information, but to disable a device or network so users no
longer have access to network resources. The ZyWALL is pre-configured to automatically
detect and thwart the DoS attacks described in this section.
10.4.1 Basics
Computers share information over the Internet using a common set of protocols called
TCP/IP. Application protocols that perform specific functions, such as HTTP (Web), FTP
(File Transfer Protocol) and POP3 (E-mail), run on top of TCP/IP, and each is identified by
a number called the "TCP port" or "UDP port". For example, Web traffic by default uses TCP
port 80.
When computers communicate on the Internet, they are using the client/server model, where
the server "listens" on a specific TCP/UDP port for information requests from remote client
computers on the network. For example, a Web server typically listens on port 80. Please note
that while a computer may be intended for use over a single port, such as Web on port 80,
other ports are often also active. If the person configuring or managing the computer is not
careful, an attacker could attack it over an unprotected port.
Some of the most common IP ports are:
Table 63 Common IP Ports
21    FTP
23    Telnet
25    SMTP
53    DNS
80    HTTP
110   POP3
10.4.2 Types of DoS Attacks
There are four types of DoS attacks:
1 Those that exploit bugs in a TCP/IP implementation.
2 Those that exploit weaknesses in the TCP/IP specification.
3 Brute-force attacks that flood a network with useless data.
4 IP Spoofing.
• "Ping of Death" and "Teardrop" attacks exploit bugs in the TCP/IP implementations of
various computer and host systems.
a Ping of Death uses a "ping" utility to create an IP packet that exceeds the maximum
65,535 bytes allowed by the IP specification. Because no single packet can be that
large, the attacker sends it as fragments whose offsets and lengths add up to more than
65,535 bytes; the bug is triggered when the target reassembles them. Systems may
crash, hang or reboot.
b Teardrop attack exploits weaknesses in the reassembly of IP packet fragments. As data
is transmitted through a network, IP packets are often broken up into smaller chunks.
Each fragment looks like the original IP packet except that it contains an offset field
that says, for instance, "This fragment is carrying bytes 200 through 400 of the
original (non fragmented) IP packet." The Teardrop program creates a series of IP
fragments with overlapping offset fields. When these fragments are reassembled at the
destination, some systems will crash, hang, or reboot.
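Both attacks above can be recognised from fragment offsets and lengths alone, before any reassembly takes place. The following added example in Python (not code from this guide or the ZyWALL firmware) screens a stream of constructed IP fragments for an oversize reassembly (Ping of Death), overlapping offsets (Teardrop) and, as a general sanity check, non-final fragments whose length is not a multiple of 8. The Fragment record and the sample fragments are this example's own constructions.

```python
# Added example, not code from the ZyWALL guide or firmware: screening IP
# fragment sets for the two reassembly attacks described above. Offsets and
# lengths are in bytes (on the wire the offset field counts 8-byte units).
from dataclasses import dataclass
from typing import Dict, List, Optional

IP_MAX_PACKET = 65535  # largest total length an IPv4 datagram may have


@dataclass(frozen=True)
class Fragment:
    ident: int     # IP identification field shared by all fragments of one datagram
    offset: int    # byte offset of this fragment's payload within the original datagram
    length: int    # payload bytes carried by this fragment
    more: bool     # More Fragments flag (False only on the last fragment)


def check_datagram(frags: List[Fragment]) -> Optional[str]:
    """Classify one datagram's fragments: 'ping-of-death', 'teardrop',
    'malformed', or None when they look like a legitimate fragment set."""
    if not frags:
        return None
    ordered = sorted(frags, key=lambda f: f.offset)
    # Ping of Death: the fragments would reassemble into more than 65,535 bytes.
    if max(f.offset + f.length for f in ordered) > IP_MAX_PACKET:
        return "ping-of-death"
    # Teardrop: a fragment begins before the previous one ends (overlapping offsets).
    prev_end = 0
    for f in ordered:
        if f.offset < prev_end:
            return "teardrop"
        prev_end = f.offset + f.length
    # Every fragment except the last must carry a multiple of 8 bytes, because
    # the offset field cannot express anything finer.
    if any(f.more and f.length % 8 for f in ordered):
        return "malformed"
    return None


def screen_fragments(stream: List[Fragment]) -> Dict[int, Optional[str]]:
    """Group a mixed fragment stream by IP identification and classify each datagram."""
    by_id: Dict[int, List[Fragment]] = {}
    for f in stream:
        by_id.setdefault(f.ident, []).append(f)
    return {ident: check_datagram(frags) for ident, frags in by_id.items()}


# Constructed sample: a normal 3-fragment datagram, a Ping of Death set whose last
# fragment ends past 65,535 bytes, and a Teardrop pair with overlapping offsets.
NORMAL = [Fragment(1, 0, 1480, True), Fragment(1, 1480, 1480, True), Fragment(1, 2960, 300, False)]
PING_OF_DEATH = [Fragment(2, 0, 1480, True), Fragment(2, 65520, 40, False)]
TEARDROP = [Fragment(3, 0, 40, True), Fragment(3, 24, 24, False)]

if __name__ == "__main__":
    for ident, verdict in screen_fragments(NORMAL + PING_OF_DEATH + TEARDROP).items():
        print(f"datagram {ident}: {verdict or 'ok'}")
```

A real inspector would also bound how long it holds partial fragment sets, since an attacker can exhaust its memory with fragments that never complete.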
• Weaknesses in the TCP/IP specification leave it open to "SYN Flood" and "LAND"
attacks. These attacks are executed during the handshake that initiates a communication
session between two applications.
Figure 90 Three-Way Handshake
Under normal circumstances, the application that initiates a session sends a SYN
(synchronize) packet to the receiving server. The receiver sends back an ACK
(acknowledgment) packet and its own SYN, and then the initiator responds with an ACK
(acknowledgment). After this handshake, a connection is established.
a SYN Attack floods a targeted system with a series of SYN packets. Each packet
causes the targeted system to issue a SYN-ACK response. While the targeted system
waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK
responses on what is known as a backlog queue. SYN-ACKs are moved off the queue
only when an ACK comes back or when an internal timer (which is set at relatively
long intervals) terminates the three-way handshake. Once the queue is full, the
system will ignore all incoming SYN requests, making the system unavailable for
legitimate users.
Figure 91 SYN Flood
b In a LAND Attack, the attacker sends one or more SYN packets whose source IP address
and source port are set to the targeted system's own address and port. This makes it
appear as if the host computer sent the packets to itself, and vulnerable systems lock
up or become unavailable while the target tries to respond to itself.
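The backlog behaviour described above is exactly what a detector has to model. The following added example in Python (not code from this guide or the ZyWALL firmware) tracks half-open connections per server from a constructed packet stream, reports a SYN flood when the backlog reaches a threshold, expires abandoned entries after a timeout, and flags LAND packets. The threshold, the timeout and the packet records are this example's own choices.

```python
# Added example, not code from the ZyWALL guide or firmware: following the
# three-way handshake to spot SYN floods and LAND packets.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

SYN, ACK = 0x02, 0x10


@dataclass(frozen=True)
class TcpPkt:
    t: float      # arrival time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def is_land(p: TcpPkt) -> bool:
    """LAND: a SYN whose source address and port equal its destination address and port."""
    return bool(p.flags & SYN) and p.src == p.dst and p.sport == p.dport


class HalfOpenTracker:
    """Models each server's backlog queue: SYNs not yet completed by the client's ACK."""

    def __init__(self, threshold: int, timeout: float) -> None:
        self.threshold = threshold    # half-open count at which a flood is reported
        self.timeout = timeout        # seconds before an unanswered SYN-ACK is abandoned
        # (dst, dport) -> {(src, sport): time the SYN arrived}
        self.pending: Dict[Tuple[str, int], Dict[Tuple[str, int], float]] = defaultdict(dict)

    def half_open(self, server: Tuple[str, int]) -> int:
        return len(self.pending.get(server, {}))

    def _expire(self, now: float) -> None:
        for queue in self.pending.values():
            for peer, t0 in list(queue.items()):
                if now - t0 > self.timeout:
                    del queue[peer]

    def observe(self, p: TcpPkt) -> List[str]:
        """Feed one packet; return the alerts it raises (usually none)."""
        self._expire(p.t)
        if is_land(p):
            return [f"LAND from {p.src}:{p.sport}"]
        syn, ack = bool(p.flags & SYN), bool(p.flags & ACK)
        server = (p.dst, p.dport)
        if syn and not ack:
            # Initiation packet from a client: one more backlog entry for the server.
            queue = self.pending[server]
            queue[(p.src, p.sport)] = p.t
            if len(queue) == self.threshold:
                return [f"SYN flood against {p.dst}:{p.dport} ({len(queue)} half-open)"]
        elif ack and not syn:
            # The client's final ACK completes the handshake and frees the entry.
            self.pending[server].pop((p.src, p.sport), None)
        # SYN-ACKs (both flags set) flow from server to client and need no bookkeeping.
        return []


# Constructed packet stream: one legitimate Telnet handshake, then 20 SYNs from
# different sources that are never completed, then a LAND packet.
SERVER = ("198.51.100.5", 23)
SAMPLE: List[TcpPkt] = [
    TcpPkt(0.00, "192.0.2.10", 40000, SERVER[0], SERVER[1], SYN),
    TcpPkt(0.01, SERVER[0], SERVER[1], "192.0.2.10", 40000, SYN | ACK),
    TcpPkt(0.02, "192.0.2.10", 40000, SERVER[0], SERVER[1], ACK),
]
SAMPLE += [TcpPkt(1.0 + i / 100, f"203.0.113.{i}", 5000 + i, SERVER[0], SERVER[1], SYN)
           for i in range(1, 21)]
SAMPLE.append(TcpPkt(2.0, SERVER[0], SERVER[1], SERVER[0], SERVER[1], SYN))


def run(packets: List[TcpPkt], threshold: int = 10, timeout: float = 30.0) -> List[str]:
    tracker = HalfOpenTracker(threshold, timeout)
    return [alert for p in packets for alert in tracker.observe(p)]


if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert)
```

Counting per server rather than per source matters because a flood normally arrives with spoofed, ever-changing source addresses; the timeout mirrors the backlog timer the text mentions, so a host that stops receiving SYNs recovers on its own.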
• A brute-force attack, such as a "Smurf" attack, targets a feature in the IP specification
known as directed or subnet broadcasting, to quickly flood the target network with
useless data. A Smurf attacker floods a router with Internet Control Message Protocol
(ICMP) echo request packets (pings). Since the destination IP address of each packet is
the broadcast address of the network, the router will broadcast the ICMP echo request
packet to all hosts on the network. If there are numerous hosts, this will create a large
amount of ICMP echo request and response traffic. If the attacker spoofs the source IP
address of the ICMP echo request packet, the resulting ICMP traffic will not only clog
up the "intermediary" network, but will also congest the network of the spoofed source
IP address, known as the "victim" network. This flood of broadcast traffic consumes all
available bandwidth, making communications impossible. A router that does not forward
directed broadcasts cannot be used as a Smurf intermediary.
Figure 92 Smurf Attack
10.4.2.1 ICMP Vulnerability
ICMP is an error-reporting protocol that works in concert with IP. The following ICMP types
trigger an alert:
Table 64 ICMP Types That Trigger Alerts
5     REDIRECT
13    TIMESTAMP_REQUEST
14    TIMESTAMP_REPLY
17    ADDRESS_MASK_REQUEST
18    ADDRESS_MASK_REPLY
10.4.2.2 Illegal Commands (NetBIOS and SMTP)
The only NetBIOS session service packet types treated as legal are the following (type codes
as defined in RFC 1002); all others are flagged as illegal.
Table 65 Legal NetBIOS Session Service Packet Types
0x00  MESSAGE (session message)
0x81  REQUEST (session request)
0x82  POSITIVE (positive session response)
0x83  NEGATIVE (negative session response)
0x84  RETARGET (retarget session response)
0x85  KEEPALIVE (session keep alive)
All SMTP commands are illegal except for those listed in the following table.
Table 66 Legal SMTP Commands
AUTH   DATA   EHLO   ETRN   EXPN   HELO   HELP   MAIL   QUIT
RCPT   RSET   SAML   SEND   SOML   TURN   VRFY   NOOP
10.4.2.3 Traceroute
Traceroute is a utility used to determine the path a packet takes between two endpoints.
Sometimes when a packet filter firewall is configured incorrectly an attacker can traceroute
the firewall gaining knowledge of the network topology inside the firewall.
Many DoS attacks also employ a technique known as "IP Spoofing" as part of their attack.
IP Spoofing may be used to break into systems, to hide the attacker's identity, or to
magnify the effect of the DoS attack. IP Spoofing is a technique used to gain unauthorized
access to computers by tricking a router or firewall into thinking that the communications are
coming from within the trusted network. To engage in IP spoofing, an attacker must modify the
packet headers so that it appears that the packets originate from a trusted host and should be
allowed through the router or firewall. When the firewall is active, the ZyWALL drops the
packets it identifies as spoofed (see also the guidelines in Section 10.6 on page 212).
10.5 Stateful Inspection
With stateful inspection, fields of the packets are compared to packets that are already known
to be trusted. For example, if you access some outside service, the firewall remembers
things about your original request, like the port number and source and destination addresses.
This remembering is called saving the state. When the outside system responds to your
request, the firewall compares the received packets with the saved state to determine if they
are allowed in. The ZyWALL uses stateful packet inspection to protect the private LAN from
hackers and vandals on the Internet. By default, the ZyWALL’s stateful inspection allows all
communications to the Internet that originate from the LAN, and blocks all traffic to the LAN
that originates from the Internet. In summary, stateful inspection:
• Allows all sessions originating from the LAN (local network) to the WAN (Internet).
• Denies all sessions originating from the WAN to the LAN.
Figure 93 Stateful Inspection
The previous figure shows the ZyWALL’s default firewall rules in action as well as
demonstrates how stateful inspection works. User A can initiate a Telnet session from within
the LAN and responses to this request are allowed. However other Telnet traffic initiated from
the WAN is blocked.
10.5.1 Stateful Inspection Process
In this example, the following sequence of events occurs when a TCP packet leaves the LAN
network through the firewall's WAN interface. The TCP packet is the first in a session, and the
packet's application layer protocol is configured for a firewall rule inspection:
1 The packet travels from the firewall's LAN to the WAN.
2 The packet is evaluated against the interface's existing outbound access list, and the
packet is permitted (a denied packet would simply be dropped at this point).
3 The firewall inspects packets to determine and record information about the state of the
packet's connection. This information is recorded in a new state table entry created for the
new connection. If there is not a firewall rule for this packet and it is not an attack, then
the setting in the Firewall Default Rule screen determines the action for this packet.
4 Based on the obtained state information, a firewall rule creates a temporary access list
entry that is inserted at the beginning of the WAN interface's inbound extended access
list. This temporary access list entry is designed to permit inbound packets of the same
connection as the outbound packet just inspected.
5 The outbound packet is forwarded out through the interface.
6 Later, an inbound packet reaches the interface. This packet is part of the connection
previously established with the outbound packet. The inbound packet is evaluated against
the inbound access list, and is permitted because of the temporary access list entry
previously created.
7 The packet is inspected by a firewall rule, and the connection's state table entry is updated
as necessary. Based on the updated state information, the inbound extended access list
temporary entries might be modified, in order to permit only packets that are valid for the
current state of the connection.
8 Any additional inbound or outbound packets that belong to the connection are inspected
to update the state table entry and to modify the temporary inbound access list entries as
required, and are forwarded through the interface.
9 When the connection terminates or times out, the connection's state table entry is deleted
and the connection's temporary inbound access list entries are deleted.
10.5.2 Stateful Inspection and the ZyWALL
Additional rules may be defined to extend or override the default rules. For example, a rule
may be created which will:
1 Block all traffic of a certain type, such as IRC (Internet Relay Chat), from the LAN to the
Internet.
2 Allow certain types of traffic from the Internet to specific hosts on the LAN.
3 Allow access to a Web server to everyone but competitors.
4 Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.
These custom rules work by evaluating the network traffic’s Source IP address, Destination IP
address, IP protocol type, and comparing these to rules set by the administrator.
Note: The ability to define firewall rules is a very powerful tool. Using custom rules, it
is possible to disable all firewall protection or block all access to the Internet.
Use extreme caution when creating or deleting firewall rules. Test changes
after creating them to make sure they work correctly.
Below is a brief technical description of how these connections are tracked. Connections may
either be defined by the upper protocols (for instance, TCP), or by the ZyWALL itself (as with
the "virtual connections" created for UDP and ICMP).
10.5.3 TCP Security
The ZyWALL uses state information embedded in TCP packets. The first packet of any new
connection has its SYN flag set and its ACK flag cleared; these are "initiation" packets. All
packets that do not have this flag structure are called "subsequent" packets, since they
represent data that occurs later in the TCP stream.
If an initiation packet originates on the WAN, this means that someone is trying to make a
connection from the Internet into the LAN. Except in a few special cases (see "Upper Layer
Protocols" shown next), these packets are dropped and logged.
If an initiation packet originates on the LAN, this means that someone is trying to make a
connection from the LAN to the Internet. Assuming that this is an acceptable part of the
security policy (as is the case with the default policy), the connection will be allowed. A cache
entry is added which includes connection information such as IP addresses, TCP ports,
sequence numbers, etc.
When the ZyWALL receives any subsequent packet (from the Internet or from the LAN), its
connection information is extracted and checked against the cache. A packet is only allowed to
pass through if it corresponds to a valid connection (that is, if it is a response to a connection
which originated on the LAN).
10.5.4 UDP/ICMP Security
UDP and ICMP do not themselves contain any connection information (such as sequence
numbers). However, at the very minimum, they contain an IP address pair (source and
destination). UDP also contains port pairs, and ICMP has type and code information. All of
this data can be analyzed in order to build "virtual connections" in the cache.
For instance, any UDP packet that originates on the LAN will create a cache entry. Its IP
address and port pairs will be stored. For a short period of time, UDP packets from the WAN
that have matching IP and UDP information will be allowed back in through the firewall.
A similar situation exists for ICMP, except that the ZyWALL is even more restrictive.
Specifically, only outgoing echoes will allow incoming echo replies, outgoing address mask
requests will allow incoming address mask replies, and outgoing timestamp requests will
allow incoming timestamp replies. No other ICMP packets are allowed in through the firewall,
simply because they are too dangerous and contain too little tracking information. For
instance, ICMP redirect packets are never allowed in, since they could be used to reroute
traffic through attacking machines.
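The following added example in Python (not code from this guide or the ZyWALL firmware) puts Sections 10.5.1, 10.5.3 and 10.5.4 into one runnable model: a state cache keyed by the LAN-side endpoints, TCP initiation packets from the LAN allowed out and cached, TCP initiation packets from the WAN dropped, "subsequent" packets forwarded only when they match a cached connection, UDP and ICMP virtual connections with short timeouts, only the matching ICMP reply type allowed back in, and ICMP redirects always dropped. The timeouts, the Pkt record and the scenario packets are this example's own constructions; TCP sequence-number checking is left out.

```python
# Added example, not code from the ZyWALL guide or firmware: a miniature
# stateful inspector following Sections 10.5.1, 10.5.3 and 10.5.4. Timeouts,
# the Pkt record and the scenario packets are this example's constructions.
from dataclasses import dataclass
from typing import Dict, List, Tuple

SYN, ACK = 0x02, 0x10
ICMP_ECHO_REPLY, ICMP_REDIRECT, ICMP_ECHO = 0, 5, 8
ICMP_TS_REQUEST, ICMP_TS_REPLY, ICMP_MASK_REQUEST, ICMP_MASK_REPLY = 13, 14, 17, 18
# Outgoing ICMP request type -> the single reply type it lets back in.
ICMP_REPLY_FOR = {ICMP_ECHO: ICMP_ECHO_REPLY, ICMP_TS_REQUEST: ICMP_TS_REPLY,
                  ICMP_MASK_REQUEST: ICMP_MASK_REPLY}


@dataclass(frozen=True)
class Pkt:
    t: float            # arrival time in seconds
    iface: str          # "LAN" or "WAN": interface the packet arrived on
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # TCP/UDP ports (unused for ICMP)
    dport: int = 0
    flags: int = 0      # TCP flags
    icmp_type: int = 0  # ICMP message type


class StatefulFirewall:
    """LAN-originated sessions are allowed and cached; a WAN packet is forwarded
    only if it belongs to a cached session (the default policy of Section 10.5)."""

    TIMEOUT = {"tcp": 3600.0, "udp": 30.0, "icmp": 10.0}   # idle seconds an entry lives

    def __init__(self) -> None:
        self.cache: Dict[tuple, float] = {}   # session key -> expiry time

    @staticmethod
    def _key(p: Pkt, from_lan: bool) -> tuple:
        """Session key written from the LAN side, so a reply maps to its request's key."""
        lan, wan = (p.src, p.dst) if from_lan else (p.dst, p.src)
        if p.proto == "icmp":
            # For a request going out, remember the reply type that may come back.
            wanted = ICMP_REPLY_FOR.get(p.icmp_type) if from_lan else p.icmp_type
            return ("icmp", lan, wan, wanted)
        lport, wport = (p.sport, p.dport) if from_lan else (p.dport, p.sport)
        return (p.proto, lan, lport, wan, wport)

    def _expire(self, now: float) -> None:
        for key in [k for k, exp in self.cache.items() if exp < now]:
            del self.cache[key]

    def decide(self, p: Pkt) -> str:
        """Return "forward" or "drop" for one packet and update the state cache."""
        self._expire(p.t)
        initiation = p.proto == "tcp" and bool(p.flags & SYN) and not (p.flags & ACK)
        if p.iface == "LAN":
            key = self._key(p, from_lan=True)
            if p.proto == "tcp" and not initiation:
                if key not in self.cache:
                    return "drop"      # "subsequent" packet of a connection never seen
            elif key[-1] is None:
                return "forward"       # ICMP that expects no reply: let out, nothing to cache
            # Initiation packet or UDP/ICMP "virtual connection": (re)create the entry.
            self.cache[key] = p.t + self.TIMEOUT[p.proto]
            return "forward"
        # Packet arriving on the WAN interface.
        if initiation:
            return "drop"              # connection attempt from the Internet: dropped and logged
        if p.proto == "icmp" and p.icmp_type == ICMP_REDIRECT:
            return "drop"              # never allowed in: could reroute traffic via an attacker
        key = self._key(p, from_lan=False)
        if key in self.cache:
            self.cache[key] = p.t + self.TIMEOUT[p.proto]
            return "forward"
        return "drop"


# Constructed scenario: a Telnet session from the LAN, a Telnet attempt and a forged
# reply from the WAN, a DNS exchange with a late duplicate reply, and ICMP traffic.
LAN_HOST, WAN_SRV, WAN_DNS = "192.168.1.33", "198.51.100.5", "198.51.100.53"
SCENARIO: List[Tuple[str, Pkt]] = [
    ("telnet syn out",       Pkt(0.0, "LAN", "tcp", LAN_HOST, WAN_SRV, 40000, 23, SYN)),
    ("telnet syn-ack in",    Pkt(0.1, "WAN", "tcp", WAN_SRV, LAN_HOST, 23, 40000, SYN | ACK)),
    ("telnet ack out",       Pkt(0.2, "LAN", "tcp", LAN_HOST, WAN_SRV, 40000, 23, ACK)),
    ("telnet syn from wan",  Pkt(1.0, "WAN", "tcp", WAN_SRV, LAN_HOST, 5555, 23, SYN)),
    ("forged reply in",      Pkt(1.1, "WAN", "tcp", WAN_SRV, LAN_HOST, 23, 40001, ACK)),
    ("dns query out",        Pkt(2.0, "LAN", "udp", LAN_HOST, WAN_DNS, 53000, 53)),
    ("dns reply in",         Pkt(2.5, "WAN", "udp", WAN_DNS, LAN_HOST, 53, 53000)),
    ("echo request out",     Pkt(3.0, "LAN", "icmp", LAN_HOST, WAN_SRV, icmp_type=ICMP_ECHO)),
    ("echo reply in",        Pkt(3.1, "WAN", "icmp", WAN_SRV, LAN_HOST, icmp_type=ICMP_ECHO_REPLY)),
    ("unsolicited ts reply", Pkt(3.2, "WAN", "icmp", WAN_SRV, LAN_HOST, icmp_type=ICMP_TS_REPLY)),
    ("redirect in",          Pkt(3.3, "WAN", "icmp", WAN_SRV, LAN_HOST, icmp_type=ICMP_REDIRECT)),
    ("late dns reply in",    Pkt(40.0, "WAN", "udp", WAN_DNS, LAN_HOST, 53, 53000)),
]


def run_scenario() -> Dict[str, str]:
    fw = StatefulFirewall()
    return {label: fw.decide(p) for label, p in SCENARIO}
```

run_scenario() returns the verdict for each labelled packet in order: the Telnet handshake and its replies are forwarded, the WAN-initiated Telnet and the forged ACK are dropped, the DNS reply is admitted only while the virtual connection is fresh, and of the ICMP traffic only the echo reply matching an outgoing echo request gets through.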
10.5.5 Upper Layer Protocols
Some higher layer protocols (such as FTP and RealAudio) utilize multiple network
connections simultaneously. In general terms, they usually have a "control connection" which
is used for sending commands between endpoints, and then "data connections" which are used
for transmitting bulk information.
Consider the FTP protocol. A user on the LAN opens a control connection to a server on the
Internet and requests a file. At this point, the remote server will open a data connection from
the Internet. For FTP to work properly, this connection must be allowed to pass through even
though a connection from the Internet would normally be rejected.
In order to achieve this, the ZyWALL inspects the application-level FTP data. Specifically, it
searches for outgoing "PORT" commands and, when it sees one, adds a cache entry for the
anticipated data connection. This can be done safely, since the PORT command carries the
client's address and port, which uniquely identify the connection the server is about to open.
Any protocol that operates in this way must be supported on a case-by-case basis. You can use
the web configurator’s Custom Services feature to do this.
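The following added example in Python (not code from this guide or the ZyWALL firmware) shows the PORT-command handling just described for FTP: it parses "PORT h1,h2,h3,h4,p1,p2" from the control connection and builds the cache entry for the data connection the server will open (from its TCP port 20, as in active-mode FTP). Refusing a PORT command that names an address other than the client's own, or a port below 1024, is this example's hardening choice against FTP bounce abuse, not a statement about the ZyWALL's behaviour.

```python
# Added example, not code from the ZyWALL guide or firmware: pre-authorising
# an FTP data connection from the client's outgoing PORT command. The
# same-address and unprivileged-port checks are this example's hardening
# choice, not a description of what the ZyWALL does.
import re
from typing import Optional, Tuple

# PORT h1,h2,h3,h4,p1,p2  ->  address h1.h2.h3.h4, port p1*256 + p2
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a PORT command line, or None if it is malformed."""
    m = _PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(x) for x in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def expected_data_connection(client_ip: str, server_ip: str, line: str) -> Optional[tuple]:
    """Build the cache entry for the inbound data connection a PORT command announces.

    Active-mode FTP servers open the data connection from TCP port 20 to the
    address and port the client advertised. Returns
    ("tcp", server_ip, 20, client_ip, client_port), or None when the command is
    malformed, names a host other than the client (FTP bounce), or uses a port
    below 1024.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return None
    ip, port = parsed
    if ip != client_ip or port < 1024:
        return None
    return ("tcp", server_ip, 20, client_ip, port)


if __name__ == "__main__":
    # Constructed control-channel lines from a LAN client talking to a WAN server.
    for line in ("PORT 192,168,1,33,156,64", "PORT 192,168,1,34,156,64", "PASV"):
        print(repr(line), "->", expected_data_connection("192.168.1.33", "198.51.100.5", line))
```

The returned tuple has the same shape as a normal LAN-originated TCP cache entry, so the inbound SYN from the server's port 20 is accepted by the ordinary state lookup even though it arrives from the WAN.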
10.6 Guidelines For Enhancing Security With Your Firewall
1 Change the default password via SMT or web configurator.
2 Think about access control before you connect a console port to the network in any way,
including attaching a modem to the port. Be aware that a break on the console port might
give unauthorized individuals total control of the firewall, even with access control
configured.
3 Limit who can telnet into your router.
4 Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled
service could present a potential security risk. A determined hacker might be able to find
creative ways to misuse the enabled services to access the firewall or the network.
5 For local services that are enabled, protect against misuse. Protect by configuring the
services to communicate only with specific peers, and protect by configuring rules to
block packets for the services at specific interfaces.
6 Protect against IP spoofing by making sure the firewall is active.
7 Keep the firewall in a secured (locked) room.
10.7 Packet Filtering Vs Firewall
Below are some comparisons between the ZyWALL’s filtering and firewall functions.
10.7.1 Packet Filtering:
• The router filters packets as they pass through the router’s interface according to the filter
rules you designed.
• Packet filtering is a powerful tool, yet can be complex to configure and maintain,
especially if you need a chain of rules to filter a service.
• Packet filtering only checks the header portion of an IP packet.
10.7.1.1 When To Use Filtering
1 To block/allow LAN packets by their MAC addresses.
2 To block/allow special IP packets which are neither TCP nor UDP, nor ICMP packets.
3 To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic
between the specific inside host/network "A" and outside host/network "B". If the filter
blocks the traffic from A to B, it also blocks the traffic from B to A. Filters cannot
distinguish traffic originating from an inside host or an outside host by IP address.
4 To block/allow IP trace route.
10.7.2 Firewall
• The firewall inspects packet contents as well as their source and destination addresses.
Firewalls of this type employ an inspection module, applicable to all protocols, that
understands the data in the packet at every layer, from the network layer (IP headers)
up to the application layer.
• The firewall performs stateful inspection. It takes into account the state of connections it
handles so that, for example, a legitimate incoming packet can be matched with the
outbound request for that packet and allowed in. Conversely, an incoming packet
masquerading as a response to a nonexistent outbound request can be blocked.
• The firewall uses session filtering, i.e., smart rules, that enhance the filtering process and
control the network session rather than control individual packets in a session.
• The firewall provides e-mail service to notify you of routine reports and when alerts
occur.
10.7.2.1 When To Use The Firewall
1 To prevent DoS attacks and to keep attackers from breaking into your network.
2 A range of source and destination IP addresses as well as port numbers can be specified
within one firewall rule making the firewall a better choice when complex rules are
required.
3 To selectively block/allow inbound or outbound traffic between inside host/networks and
outside host/networks. Remember that filters cannot distinguish traffic originating from
an inside host or an outside host by IP address.
4 The firewall performs better than filtering if you need to check many rules.
5 Use the firewall if you need routine e-mail reports about your system or need to be alerted
when attacks occur.
6 The firewall can block traffic to specific URLs before it ever occurs: the URL is saved
in an Access Control List (ACL) database and any later request to it is blocked.
CHAPTER 11
Firewall Screens
This chapter shows you how to configure your ZyWALL firewall.
11.1 Access Methods
The web configurator is, by far, the most comprehensive firewall configuration tool your
ZyWALL has to offer. For this reason, it is recommended that you configure your firewall
using the web configurator. SMT screens allow you to activate the firewall. CLI commands
provide limited configuration options and are only recommended for advanced users, please
refer to Appendix N on page 756 for firewall CLI commands.
11.2 Firewall Policies Overview
Firewall rules are grouped based on the direction of travel of packets to which they apply:
• LAN to LAN/ZyWALL
• WAN to LAN
• DMZ to LAN
• LAN to WAN
• WAN to WAN/ZyWALL
• DMZ to WAN
• LAN to DMZ
• WAN to DMZ
• DMZ to DMZ/ZyWALL
• LAN to WLAN
• WAN to WLAN
• DMZ to WLAN
• WLAN to LAN
• WLAN to WAN
• WLAN to DMZ
• WLAN to WLAN/ZyWALL
Note: You can only use the wireless LAN feature if a compatible ZyXEL wireless LAN
card is installed.
By default, the ZyWALL’s stateful packet inspection allows packets traveling in the following
directions:
• LAN to LAN/ZyWALL
This allows computers on the LAN to manage the ZyWALL and communicate between
networks or subnets connected to the LAN interface.
• LAN to WAN
• LAN to DMZ
• LAN to WLAN
• WAN to DMZ
• DMZ to WAN
• WLAN to WAN
By default, the ZyWALL’s stateful packet inspection drops packets traveling in the following
directions:
• WAN to LAN
• WAN to WAN/ZyWALL
This prevents computers on the WAN from using the ZyWALL as a gateway to
communicate with other computers on the WAN and/or managing the ZyWALL.
• WAN to WLAN
This drops any packets travelling from the WAN to the WLAN and creates a log.
• DMZ to LAN
• DMZ to DMZ/ZyWALL
This prevents computers on the DMZ from communicating between networks or subnets
connected to the DMZ interface and/or managing the ZyWALL.
• DMZ to WLAN
• WLAN to LAN
• WLAN to DMZ
• WLAN to WLAN/ZyWALL
This prevents computers on the WLAN from communicating between networks or
subnets connected to the WLAN interface and/or managing the ZyWALL.
You may define additional rules and sets or modify existing ones but please exercise extreme
caution in doing so.
Note: If you configure firewall rules without a good understanding of how they work,
you might inadvertently introduce security risks to the firewall and to the
protected network. Make sure you test your rules after you configure them.
For example, you may create rules to:
• Block certain types of traffic, such as IRC (Internet Relay Chat), from the LAN to the
Internet.
• Allow certain types of traffic, such as Lotus Notes database synchronization, from
specific hosts on the Internet to specific hosts on the LAN.
• Allow everyone except your competitors to access a Web server.
• Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.
These custom rules work by comparing the source IP address, destination IP address and IP
protocol type of network traffic to rules set by the administrator. Your customized rules take
precedence and override the ZyWALL’s default rules.
11.3 Rule Logic Overview
Note: Study these points carefully before configuring rules.
11.3.1 Rule Checklist
1 State the intent of the rule. For example, This restricts all IRC access from the LAN to the
Internet. Or, This allows a remote Lotus Notes server to synchronize over the Internet to
an inside Notes server.
2 Is the intent of the rule to forward or block traffic?
3 What direction of traffic does the rule apply to (see Section 11.2 on page 214)?
4 What IP services will be affected?
5 What computers on the LAN or DMZ are to be affected (if any)?
6 What computers on the Internet will be affected? The more specific, the better. For
example, if traffic is being allowed from the Internet to the LAN, it is better to allow only
certain machines on the Internet to access the LAN.
11.3.2 Security Ramifications
Once the logic of the rule has been defined, it is critical to consider the security ramifications
created by the rule:
1 Does this rule stop LAN users from accessing critical resources on the Internet? For
example, if IRC is blocked, are there users that require this service?
2 Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all
users, will a rule that blocks just certain users be more effective?
3 Does a rule that allows Internet users access to resources on the LAN create a security
vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the
LAN, Internet users may be able to connect to computers with running FTP servers.
4 Does this rule conflict with any existing rules?
Once these questions have been answered, adding rules is simply a matter of plugging the
information into the correct fields in the web configurator screens.
11.3.3 Key Fields For Configuring Rules
11.3.3.1 Action
Should the action be to Drop, Reject or Permit?
Note: “Drop” means the firewall silently discards the packet. “Reject” means the
firewall discards packets and sends an ICMP destination-unreachable
message to the sender.
11.3.3.2 Service
Select the service from the Service scrolling list box. If the service is not listed, it is necessary
to first define it. See Section 11.11.2 on page 233 for more information on predefined services.
11.3.3.3 Source Address
What is the connection’s source address; is it on the LAN, DMZ, WLAN or WAN? Is it a
single IP, a range of IPs or a subnet?
11.3.3.4 Destination Address
What is the connection’s destination address; is it on the LAN, DMZ, WLAN or WAN? Is it a
single IP, a range of IPs or a subnet?
11.4 Connection Direction Examples
This section describes examples for firewall rules for connections going from LAN to WAN
and from WAN to LAN. Rules for the WLAN or DMZ work in a similar fashion.
LAN to LAN/ZyWALL, WAN to WAN/ZyWALL, WLAN to WLAN/ZyWALL and DMZ to DMZ/ZyWALL rules apply to packets coming in on the associated interface (LAN, WAN, WLAN, or DMZ respectively). LAN to LAN/ZyWALL means policies for LAN-to-ZyWALL (the policies for managing the ZyWALL through the LAN interface) and policies for LAN-to-LAN (the policies that control routing between two subnets on the LAN). Similarly, WAN to WAN/ZyWALL, WLAN to WLAN/ZyWALL and DMZ to DMZ/ZyWALL policies apply in the same way to the WAN, WLAN and DMZ ports.
11.4.1 LAN To WAN Rules
The default rule for LAN to WAN traffic is that all users on the LAN are allowed unrestricted access to the WAN. When you configure a LAN to WAN rule, you in essence want to limit some or all users from accessing certain services on the WAN. See the following figure.
Figure 94 LAN to WAN Traffic
11.4.2 WAN To LAN Rules
The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If you wish to allow certain WAN users to have access to your LAN, you will need to create custom rules to allow it. See the following figure.
Figure 95 WAN to LAN Traffic
11.5 Alerts
Alerts are reports on events, such as attacks, that you may want to know about right away. You
can choose to generate an alert when a rule is matched in the Edit Rule screen (see Figure 99
on page 224). Configure the Log Settings screen to have the ZyWALL send an immediate email message to you when an event generates an alert. Refer to the chapter on logs for details.
11.6 Firewall Default Rule (Router Mode)
Click SECURITY, FIREWALL to open the Default Rule screen. Enable (or activate) the
firewall by selecting the Enable Firewall check box.
Use this screen to configure general firewall settings when the ZyWALL is set to router mode.
Figure 96 Default Rule (Router Mode)
The following table describes the labels in this screen.
Table 67 Default Rule (Router Mode)
Enable Firewall: Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
Allow Asymmetrical Route: Select this check box to have the ZyWALL firewall permit the use of triangle route topology on the network.
Note: Allowing asymmetrical routes may let traffic from the WAN go directly to a LAN computer without passing through the ZyWALL. See Appendix I on page 722 for more on triangle route topology and how to deal with this problem.
Packet Direction: This is the direction of travel of packets (LAN to LAN/ZyWALL, LAN to WAN, LAN to DMZ, LAN to WLAN, WAN to LAN, WAN to WAN/ZyWALL, WAN to DMZ, WAN to WLAN, DMZ to LAN, DMZ to WAN, DMZ to DMZ/ZyWALL, DMZ to WLAN, WLAN to LAN, WLAN to WAN, WLAN to DMZ or WLAN to WLAN/ZyWALL). Firewall rules are grouped based on the direction of travel of packets to which they apply. For example, LAN to LAN/ZyWALL means packets traveling from a computer/subnet on the LAN to either another computer/subnet on the LAN interface of the ZyWALL or the ZyWALL itself.
Default Action: Use the drop-down list boxes to select whether to Drop (silently discard), Reject (discard and send an ICMP destination-unreachable message to the sender) or Permit (allow the passage of) packets that are traveling in the selected direction.
Log: Select the check box to create a log (when the above action is taken) for packets that are traveling in the selected direction and do not match any of your customized rules.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
11.7 Firewall Default Rule (Bridge Mode)
Click SECURITY, FIREWALL to open the Default Rule screen. Enable (or activate) the
firewall by selecting the Enable Firewall check box.
Use this screen to configure general firewall settings when the ZyWALL is set to bridge mode.
Figure 97 Default Rule (Bridge Mode)
The following table describes the labels in this screen.
Table 68 Default Rule (Bridge Mode)
Enable Firewall: Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
Packet Direction: This is the direction of travel of packets (LAN to LAN/ZyWALL, LAN to WAN, LAN to DMZ, LAN to WLAN, WAN to LAN, WAN to WAN/ZyWALL, WAN to DMZ, WAN to WLAN, DMZ to LAN, DMZ to WAN, DMZ to DMZ/ZyWALL, DMZ to WLAN, WLAN to LAN, WLAN to WAN, WLAN to DMZ or WLAN to WLAN/ZyWALL). Firewall rules are grouped based on the direction of travel of packets to which they apply. For example, LAN to LAN/ZyWALL means packets traveling from a computer/subnet on the LAN to either another computer/subnet on the LAN interface of the ZyWALL or the ZyWALL itself.
Default Action: Use the drop-down list boxes to select whether to Drop (silently discard), Reject (discard and send an ICMP destination-unreachable message to the sender) or Permit (allow the passage of) packets that are traveling in the selected direction.
Log: Select the check box to create a log (when the above action is taken) for packets that are traveling in the selected direction and do not match any of your customized rules.
Log Broadcast Frame: Select the check box to create a log for any Layer 2 broadcast frames that are traveling in the selected direction.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
11.8 Firewall Rule Summary
Click SECURITY, FIREWALL, then the Rule Summary tab to open the screen. This screen
displays a list of the configured firewall rules.
Note: The ordering of your rules is very important as rules are applied in turn.
Figure 98 Rule Summary
The following table describes the labels in this screen.
Table 69 Rule Summary
Firewall Rules Storage Space in Use: This bar displays the percentage of the ZyWALL's firewall rules storage space that is currently in use. The bar turns from green to red when the maximum is being approached. When the bar is red, you should consider deleting unnecessary firewall rules before adding more firewall rules.
Packet Direction: Use the drop-down list box to select a direction of travel of packets (LAN to LAN/ZyWALL, LAN to WAN, LAN to DMZ, LAN to WLAN, WAN to LAN, WAN to WAN/ZyWALL, WAN to DMZ, WAN to WLAN, DMZ to LAN, DMZ to WAN, DMZ to DMZ/ZyWALL, DMZ to WLAN, WLAN to LAN, WLAN to WAN, WLAN to DMZ or WLAN to WLAN/ZyWALL) for which you want to configure firewall rules.
Default Policy: This field displays the default action and log policy you selected in the Default Rule screen for the packet direction shown in the field above.
The following read-only fields summarize the rules you have created that apply to traffic traveling in the selected packet direction. The firewall rules that you configure (summarized below) take priority over the general firewall action settings above.
#: This is your firewall rule number. The ordering of your rules is important as rules are applied in turn. Click + to expand or - to collapse the Source Address, Destination Address and Service Type drop down lists.
Name: This is the name of the firewall rule.
Active: This field displays whether the firewall rule is turned on (Y) or not (N).
Source Address: This drop-down list box displays the source addresses or ranges of addresses to which this firewall rule applies. Please note that a blank source or destination address is equivalent to Any.
Destination Address: This drop-down list box displays the destination addresses or ranges of addresses to which this firewall rule applies. Please note that a blank source or destination address is equivalent to Any.
Service Type: This drop-down list box displays the services to which this firewall rule applies. See Table 75 on page 233 for more information.
Action: This field displays whether the firewall silently discards packets (Drop), discards packets and sends an ICMP destination-unreachable message to the sender (Reject) or allows the passage of packets (Permit).
Sch.: This field tells you whether a schedule is specified (Yes) or not (No).
Log: This field shows you whether a log is created when packets match this rule (Yes) or not (No).
Modify: Click the edit icon to go to the screen where you can edit the rule. Click the delete icon to delete an existing firewall rule. A window displays asking you to confirm that you want to delete the firewall rule. Note that subsequent firewall rules move up by one when you take this action.
Insert: Type the index number for where you want to put a rule. For example, if you type 6, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7. Click Insert to display this screen and refer to the following table for information on the fields.
Move: Type a rule's index number and the number for where you want to put that rule. Click Move to move the rule to the number that you typed. The ordering of your rules is important as they are applied in order of their numbering.
11.8.1 Firewall Edit Rule
Follow these directions to create a new rule.
1 In the Rule Summary screen, type the index number for where you want to put the rule.
For example, if you type 6, your new rule becomes number 6 and the previous rule 6 (if
there is one) becomes rule 7.
2 Click Insert to display the Firewall Edit Rule screen and refer to the following table for
information on the labels.
Figure 99 Firewall Edit Rule
The following table describes the labels in this screen.
Table 70 Firewall Edit Rule
Rule Name: Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the firewall rule. Spaces are allowed.
Edit Source/Destination Address
Address Type: Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (for example 192.168.1.10 to 192.169.1.50), a subnet or any IP address? Select an option from the drop-down list box that includes: Single Address, Range Address, Subnet Address and Any Address. You can configure up to 20 source or destination IP address entries in a rule.
Start IP Address: Enter the single IP address or the starting IP address in a range here.
End IP Address: Enter the ending IP address in a range here.
Subnet Mask: Enter the subnet mask here, if applicable.
Add: Click Add to add a new address to the Source or Destination Address(es) box. You can add multiple addresses, ranges of addresses, and/or subnets.
Modify: To edit an existing source or destination address, select it from the box and click Modify.
Delete: Highlight an existing source or destination address from the Source or Destination Address(es) box above and click Delete to remove it.
Edit Service
Available/Selected Services: Please see Section 11.11 on page 230 for more information on services available. Highlight a service from the Available Services box on the left, then click >> to add it to the Selected Service(s) box on the right. To remove a service, highlight it in the Selected Service(s) box on the right, then click <<.
Edit Schedule
Day to Apply: Select everyday or the day(s) of the week to apply the rule.
Time of Day to Apply (24-Hour Format): Select All Day or enter the start and end times in the hour-minute format to apply the rule.
Actions When Matched
Log Packet Information When Matched: This field determines if a log for packets that match the rule is created (Yes) or not (No). Go to the Log Settings page and select the Access Control logs category to have the ZyWALL record these logs.
Send Alert Message to Administrator When Matched: Select the check box to have the ZyWALL generate an alert when the rule is matched.
Action for Matched Packets: Use the drop-down list box to select whether to discard (Drop), deny and send an ICMP destination-unreachable message to the sender of (Reject) or allow the passage of (Permit) packets that match this rule.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.
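The rule fields above (Single, Range, Subnet or Any address entries, a set of services, and a Drop/Reject/Permit action) together with the evaluation order described for the Rule Summary screen, as an added example that is not ZyXEL code: rules for a packet direction are checked in numbering order, the first match decides, and the Default Rule for that direction applies when nothing matches. Service specs are parsed from the "NAME(PROTO:port)" notation of the Predefined Services table; all addresses, rule names and the "My_Service" custom service are constructed.

```python
# Added example (not ZyXEL code): a small model of the rule evaluation this
# chapter describes. Everything here (addresses, names, services) is constructed.
from dataclasses import dataclass
import ipaddress
import re

SPEC_RE = re.compile(r"^([^(]+)\(([^:()]+):([^)]*)\)$")

def parse_service(spec):
    """'NAME(PROTO[/PROTO]:port[~port][, ...])' -> (name, protocols, ports),
    the notation of the Predefined Services table. 'ALL' or port 0 mean any."""
    m = SPEC_RE.match(spec.replace(" ", ""))
    if not m:
        raise ValueError(f"bad service spec: {spec!r}")
    name, protos, portspec = m.groups()
    ports = set()
    for part in portspec.split(","):
        lo, _, hi = part.partition("~")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return name, frozenset(protos.upper().split("/")), frozenset(ports)

# Address entries as inclusive integer ranges: the Single, Range and Subnet Address types.
def single(ip):
    n = int(ipaddress.ip_address(ip))
    return (n, n)

def ip_range(start, end):
    return (int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end)))

def subnet(ip, mask):
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return (int(net[0]), int(net[-1]))

@dataclass
class Rule:
    name: str
    direction: str      # packet direction, e.g. "WAN to LAN"
    action: str         # "Drop", "Reject" or "Permit"
    services: tuple     # parsed service specs
    src: tuple = ()     # address entries; an empty list is equivalent to Any
    dst: tuple = ()
    active: bool = True
    log: bool = False

@dataclass
class Packet:
    direction: str
    src: str
    dst: str
    proto: str
    dport: int

def addr_matches(entries, ip):
    if not entries:                 # blank source/destination address means Any
        return True
    n = int(ipaddress.ip_address(ip))
    return any(lo <= n <= hi for lo, hi in entries)

def service_matches(services, pkt):
    return any(("ALL" in protos or pkt.proto.upper() in protos)
               and (0 in ports or pkt.dport in ports)
               for _, protos, ports in services)

def evaluate(rules, default_policy, pkt):
    """Rules for the packet's direction are checked in numbering order and the
    first match decides; otherwise the Default Rule for that direction applies."""
    for rule in rules:
        if (rule.active and rule.direction == pkt.direction
                and addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)
                and service_matches(rule.services, pkt)):
            return rule.action, rule.log, rule.name
    action, log = default_policy[pkt.direction]
    return action, log, "default"

def response_to_sender(action):
    """Drop is silent, Reject answers with ICMP destination-unreachable, Permit forwards."""
    return {"Drop": None, "Reject": "ICMP destination-unreachable", "Permit": "forwarded"}[action]

# Constructed configuration: Default Rule per direction (LAN to WAN permits,
# WAN to LAN drops and logs) and two customized rules that take precedence.
DEFAULT_POLICY = {"LAN to WAN": ("Permit", False), "WAN to LAN": ("Drop", True)}
RULES = [
    Rule("allow-my-service", "WAN to LAN", "Permit", (parse_service("My_Service(TCP:8080)"),),
         src=(subnet("203.0.113.0", "255.255.255.0"),), dst=(single("192.168.1.20"),), log=True),
    Rule("block-irc", "LAN to WAN", "Reject", (parse_service("IRC(TCP/UDP:6667)"),),
         src=(ip_range("192.168.1.1", "192.168.1.100"),)),
]

def demo():
    pkts = [Packet("WAN to LAN", "203.0.113.7", "192.168.1.20", "TCP", 8080),
            Packet("WAN to LAN", "198.51.100.9", "192.168.1.20", "TCP", 8080),
            Packet("LAN to WAN", "192.168.1.5", "198.51.100.1", "TCP", 6667),
            Packet("LAN to WAN", "192.168.1.5", "198.51.100.1", "TCP", 80)]
    return [evaluate(RULES, DEFAULT_POLICY, p) for p in pkts]
```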
11.9 Anti-Probing
If an outside user attempts to probe an unsupported port on your ZyWALL, an ICMP response
packet is automatically returned. This allows the outside user to know the ZyWALL exists.
The ZyWALL supports anti-probing, which prevents the ICMP response packet from being
sent. This keeps outsiders from discovering your ZyWALL when unsupported ports are
probed.
Internet Control Message Protocol (ICMP) is a message control and error-reporting protocol
between a host server and a gateway to the Internet. ICMP uses Internet Protocol (IP)
datagrams, but the messages are processed by the TCP/IP software and directly apparent to the
application user.
Click SECURITY, FIREWALL, then the Anti-Probing tab to open the screen.
Figure 100 Anti-Probing
The following table describes the labels in this screen.
Table 71 Anti-Probing
Respond to PING on: The ZyWALL does not respond to any incoming Ping requests when Disable is selected. Select LAN to reply to incoming LAN Ping requests. Select WAN to reply to incoming WAN Ping requests. Select DMZ to reply to incoming DMZ Ping requests. Select WLAN to reply to incoming WLAN Ping requests. Otherwise select ALL to reply to incoming LAN, WAN, DMZ and WLAN Ping requests.
Do not respond to requests for unauthorized services: Select this option to prevent hackers from finding the ZyWALL by probing for unused ports. If you select this option, the ZyWALL will not respond to port request(s) for unused ports, thus leaving the unused ports and the ZyWALL unseen. By default this option is not selected and the ZyWALL will reply with an ICMP Port Unreachable packet for a port probe on its unused UDP ports, and a TCP Reset packet for a port probe on its unused TCP ports. Note that the probing packets must first traverse the ZyWALL's firewall mechanism before reaching this anti-probing mechanism. Therefore if the firewall mechanism blocks a probing packet, the ZyWALL reacts based on the corresponding firewall policy: it sends a TCP reset packet for a blocked TCP packet or an ICMP port-unreachable packet for a blocked UDP packet, or just drops the packet without sending a response packet.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
11.10 Firewall Threshold
In the Threshold screen, shown later, you may choose to generate an alert whenever an attack
is detected. For DoS attacks, the ZyWALL uses thresholds to determine when to drop sessions
that do not become fully established. These thresholds apply globally to all sessions.
You can use the default threshold values, or you can change them to values more suitable to
your security requirements.
11.10.1 Threshold Values
Tune these parameters when the ZyWALL is under DoS attacks and after you have checked
the firewall logs. These default values should work fine for normal small offices with ADSL
bandwidth. Factors influencing choices for threshold values are:
1 The maximum number of opened sessions.
2 The minimum capacity of server backlog in your LAN network.
3 The CPU power of servers in your LAN network.
4 Network bandwidth.
5 Type of traffic for certain servers.
If your network is slower than average for any of these factors (especially if you have servers
that are slow or handle many tasks and are often busy), then the default values should be
reduced.
If you use P2P applications such as file sharing with eMule or eDonkey quite often, it’s
recommended that you increase the threshold values since lots of sessions will be established
during a small period of time and the ZyWALL may take them as DoS attacks.
11.10.2 Half-Open Sessions
For TCP, half-open means that the session has not reached the established state; the TCP three-way handshake has not yet been completed (see Figure 90 on page 205). For UDP, half-open means that the firewall has detected no return traffic. An unusually high number of half-open sessions (either an absolute number or measured as the arrival rate) could indicate that a Denial of Service attack is occurring.
The ZyWALL measures both the total number of existing half-open sessions and the rate of
session establishment attempts. Both TCP and UDP half-open sessions are counted in the total
number and rate measurements. Measurements are made once a minute.
When the number of existing half-open sessions rises above a threshold (max-incomplete
high), the ZyWALL starts deleting half-open sessions as required to accommodate new
connection requests. The ZyWALL continues to delete half-open requests as necessary, until
the number of existing half-open sessions drops below another threshold (max-incomplete
low).
When the rate of new connection attempts rises above a threshold (one-minute high), the
ZyWALL starts deleting half-open sessions as required to accommodate new connection
requests. The ZyWALL continues to delete half-open sessions as necessary, until the rate of
new connection attempts drops below another threshold (one-minute low). The rate is the
number of new attempts detected in the last one-minute sample period.
11.10.2.1 TCP Maximum Incomplete and Blocking Time
An unusually high number of half-open sessions with the same destination host address could
indicate that a Denial of Service attack is being launched against the host.
Whenever the number of half-open sessions with the same destination host address rises above
a threshold (TCP Maximum Incomplete), the ZyWALL starts deleting half-open sessions
according to one of the following methods:
1 If the Blocking Time timeout is 0 (the default), then the ZyWALL deletes the oldest
existing half-open session for the host for every new connection request to the host. This
ensures that the number of half-open sessions to a given host will never exceed the
threshold.
2 If the Blocking Time timeout is greater than 0, then the ZyWALL blocks all new
connection requests to the host giving the server time to handle the present connections.
The ZyWALL continues to block all new connection requests until the Blocking Time
expires.
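The threshold behaviour of Section 11.10.2 and 11.10.2.1 as a small simulation, added here and not ZyXEL code: the once-a-minute measurement with max-incomplete high/low and one-minute high/low hysteresis, and the per-destination TCP Maximum Incomplete limit with its two actions (delete the oldest half-open session to that host, or block new requests to it until Blocking Time expires). The session scenario, host address and threshold values are constructed; the ZyWALL's internal data structures are not documented and this models only the behaviour the text describes.

```python
# Added example (not ZyXEL code): models the half-open session thresholds the
# section describes. All hosts, thresholds and traffic below are constructed.
from collections import deque

class HalfOpenGuard:
    def __init__(self, one_minute_low=80, one_minute_high=100,
                 max_incomplete_low=80, max_incomplete_high=100,
                 tcp_max_incomplete=10, blocking_time=0):
        self.one_minute_low, self.one_minute_high = one_minute_low, one_minute_high
        self.max_low, self.max_high = max_incomplete_low, max_incomplete_high
        self.tcp_max_incomplete = tcp_max_incomplete
        self.blocking_time = blocking_time      # minutes; 0 selects delete-oldest mode
        self.half_open = deque()                # (session_id, proto, dst), oldest first
        self.attempts_this_minute = 0
        self.deleting = False                   # True while a global high threshold is exceeded
        self.blocked_until = {}                 # dst host -> minute at which its block expires
        self.alerts = []                        # (minute, dst) per TCP Maximum Incomplete hit
        self._next_id = 0

    def half_open_to(self, dst):
        """Number of half-open TCP sessions with dst as destination host."""
        return sum(1 for _, proto, d in self.half_open if proto == "TCP" and d == dst)

    def sample_minute(self, minute):
        """Once-a-minute measurement: start deleting above either high threshold,
        stop only once both the rate and the count are below the low thresholds."""
        rate, count = self.attempts_this_minute, len(self.half_open)
        if rate > self.one_minute_high or count > self.max_high:
            self.deleting = True
        elif rate < self.one_minute_low and count < self.max_low:
            self.deleting = False
        self.attempts_this_minute = 0
        return rate, count, self.deleting

    def new_attempt(self, dst, proto, minute):
        """Process a new connection request; returns 'blocked' or 'accepted[...]'."""
        self.attempts_this_minute += 1
        if minute < self.blocked_until.get(dst, -1):
            return "blocked"                    # Blocking Time for this host not yet expired
        notes = []
        if self.deleting and self.half_open:
            self.half_open.popleft()            # delete as required to accommodate the new request
            notes.append("oldest half-open deleted")
        if proto == "TCP" and self.half_open_to(dst) >= self.tcp_max_incomplete:
            self.alerts.append((minute, dst))   # alert whenever the per-host limit is hit
            if self.blocking_time == 0:
                oldest = next(s for s in self.half_open if s[1] == "TCP" and s[2] == dst)
                self.half_open.remove(oldest)   # count to this host never exceeds the threshold
                notes.append("oldest half-open to host deleted")
            else:
                self.blocked_until[dst] = minute + self.blocking_time
                return "blocked"
        self._next_id += 1
        self.half_open.append((self._next_id, proto, dst))
        return "accepted" + (f" ({'; '.join(notes)})" if notes else "")

    def established(self, session_id):
        """Handshake completed (or UDP return traffic seen): no longer half-open."""
        for s in self.half_open:
            if s[0] == session_id:
                self.half_open.remove(s)
                return True
        return False

def demo():
    """Constructed scenario: a burst of TCP connection requests to one LAN host,
    first with Blocking Time 0 (delete oldest), then with a 5-minute Blocking Time."""
    server = "192.168.1.20"
    delete_mode = HalfOpenGuard(tcp_max_incomplete=3, blocking_time=0)
    results_a = [delete_mode.new_attempt(server, "TCP", 0) for _ in range(4)]
    block_mode = HalfOpenGuard(tcp_max_incomplete=3, blocking_time=5)
    results_b = [block_mode.new_attempt(server, "TCP", 0) for _ in range(4)]
    results_b.append(block_mode.new_attempt(server, "TCP", 2))  # still inside Blocking Time
    block_mode.established(1)                                    # one handshake completes
    results_b.append(block_mode.new_attempt(server, "TCP", 5))  # block expired, room again
    return results_a, delete_mode.half_open_to(server), results_b, block_mode.alerts
```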
The ZyWALL also sends alerts whenever TCP Maximum Incomplete is exceeded. The
global values specified for the threshold and timeout apply to all TCP connections. Click
SECURITY, FIREWALL and then the Threshold tab to bring up the next screen.
Figure 101 Firewall Threshold
The following table describes the labels in this screen.
Table 72 Firewall Threshold
Disable DoS Attack Protection on: Select the check box of an interface to which the ZyWALL does not apply the thresholds. This disables DoS protection on the selected interface.
Denial of Service Thresholds
One Minute Low: This is the rate of new half-open sessions that causes the firewall to stop deleting half-open sessions. The ZyWALL continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below this number.
One Minute High: This is the rate of new half-open sessions that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the ZyWALL deletes half-open sessions as required to accommodate new connection attempts. The numbers, say 80 in the One Minute Low field and 100 in this field, cause the ZyWALL to start deleting half-open sessions when more than 100 session establishment attempts have been detected in the last minute, and to stop deleting half-open sessions when fewer than 80 session establishment attempts have been detected in the last minute.
Maximum Incomplete Low: This is the number of existing half-open sessions that causes the firewall to stop deleting half-open sessions. The ZyWALL continues to delete half-open requests as necessary, until the number of existing half-open sessions drops below this number.
Maximum Incomplete High: This is the number of existing half-open sessions that causes the firewall to start deleting half-open sessions. When the number of existing half-open sessions rises above this number, the ZyWALL deletes half-open sessions as required to accommodate new connection requests. Do not set Maximum Incomplete High to lower than the current Maximum Incomplete Low number. The above values, say 80 in the Maximum Incomplete Low field and 100 in this field, cause the ZyWALL to start deleting half-open sessions when the number of existing half-open sessions rises above 100, and to stop deleting half-open sessions when the number of existing half-open sessions drops below 80.
TCP Maximum Incomplete: This is the number of existing half-open TCP sessions with the same destination host IP address that causes the firewall to start dropping half-open sessions to that same destination host IP address. Enter a number between 1 and 256. As a general rule, you should choose a smaller number for a smaller network, a slower system or limited bandwidth.
Action taken when the TCP Maximum Incomplete threshold is reached.
Delete the oldest half open session when new connection request comes: Select this radio button to clear the oldest half-open session when a new connection request comes.
Deny new connection request for: Select this radio button and specify for how long the ZyWALL should block new connection requests when TCP Maximum Incomplete is reached. Enter the length of blocking time in minutes (between 1 and 256).
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
11.11 Service
Click SECURITY, FIREWALL, then the Service tab to open the screen as shown next. Use
this screen to configure custom services for use in firewall rules or view the services that are
predefined in the ZyWALL.
Figure 102 Firewall Service
The following table describes the labels in this screen.
Table 73 Firewall Service
Custom Service: This table shows all configured custom services.
#: This is the index number of the custom service.
Service Name: This is the name of the service.
Protocol: This is the IP protocol type. If you selected Custom, this is the IP protocol value you entered.
Attribute: This is the IP port number or ICMP type and code that defines the service.
Modify: Click the edit icon to go to the screen where you can edit the service. Click the delete icon to remove an existing service. A window displays asking you to confirm that you want to delete the service. Note that subsequent services move up by one when you take this action.
Add: Click this button to bring up the screen that you use to configure a new custom service that is not in the predefined list of services.
Predefined Service: This table shows all the services that are already configured for use in firewall rules. See Section 11.11.2 on page 233 for more on the services.
#: This is the index number of the predefined service.
Service Name: This is the name of the service.
Protocol: This is the IP protocol type. There may be more than one IP protocol type.
Attribute: This is the IP port number or ICMP type and code that defines the service.
11.11.1 Firewall Edit Custom Service
Configure customized ports for services not predefined by the ZyWALL (see Section 11.11.2
on page 233 for a list of predefined services). For a comprehensive list of port numbers, ICMP
type/code numbers and services, visit the IANA (Internet Assigned Number Authority) web
site.
Click the Add button under Custom Service to configure a custom service. This displays the
following screen.
Figure 103 Firewall Edit Custom Service
The following table describes the labels in this screen.
Table 74 Firewall Edit Custom Service
Service Name: Enter a unique name for your custom service.
IP Protocol: Choose the IP protocol (TCP, UDP, TCP/UDP, ICMP or Custom) that defines your customized service from the drop down list box.
Port Range: Enter the port number (from 1 to 255) that defines the customized service. To specify one port only, enter the port number in the From field and enter it again in the To field. To specify a span of ports, enter the first port in the From field and enter the last port in the To field.
Type/Code: This field is available only when you select ICMP in the IP Protocol field. The ICMP messages are identified by their types and in some cases codes. Enter the type number in the Type field and select the Code radio button and enter the code number if any.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.
11.11.2 Predefined Services
The Predefined Services table in the Service screen displays all predefined services that the
ZyWALL already supports. Next to the name of the service, two fields appear in brackets. The
first field indicates the IP protocol type (TCP, UDP, or ICMP). The second field indicates the
IP port number that defines the service. Note that there may be more than one IP protocol type.
For example, DNS (UDP/TCP:53) means UDP port 53 and TCP port 53.
Table 75 Predefined Services
233
SERVICE
DESCRIPTION
Any_All(ALL:0)
This is for any IP protocol using any port or type.
Any_TCP(TCP:1~65535)
This is for any TCP protocol using any TCP port.
Any_UDP(UDP:1~65535)
This is for any UDP protocol using any UDP port.
Any_ICMP(ICMP:0)
This is for any ICMP protocol using any ICMP type and code.
AIM/New-ICQ(TCP:5190)
AOL’s Internet Messenger service, used as a listening port by ICQ.
AUTH(TCP:113)
Authentication protocol used by some servers.
BGP(TCP:179)
Border Gateway Protocol.
BOOTP_CLIENT(UDP:68)
DHCP Client.
BOOTP_SERVER(UDP:67)
DHCP Server.
CU-SEEME (TCP/UDP:7648,
24032)
A popular videoconferencing solution from White Pines Software.
DNS(TCP/UDP:53)
Domain Name Server, a service that matches web names (e.g.
www.zyxel.com) to IP numbers.
FINGER(TCP:79)
Finger is a UNIX or Internet related command that can be used to find
out if a user is logged on.
FTP(TCP:20.21)
File Transfer Program, a program to enable fast transfer of files,
including large files that may not be possible by e-mail.
H.323(TCP:1720)
NetMeeting uses this protocol.
HTTP(TCP:80)
Hyper Text Transfer Protocol – a client/server protocol for the world
wide web.
HTTPS(TCP:443)
HTTPS is a secured http session often used in e-commerce.
ICQ(UDP:4000)
This is a popular Internet chat program.
IKE(UDP:500)
The Internet Key Exchange algorithm is used for key distribution and
management.
Chapter 11 Firewall Screens
ZyWALL 5/35/70 Series User’s Guide
Table 75 Predefined Services (continued)
SERVICE
DESCRIPTION
IMAP(TCP/UDP:143)
Internet Message Access Protocol (IMAP) is used to access mail
stored on a remote mail server over a TCP/IP connection using port
143. IMAP has shorter response times than POP3.
IMAPS(TCP/UDP:993)
IMAP over TLS/SSL (IMAPS) is a secure protocol (that encrypts
IMAP traffic) for receiving mail using a TLS/SSL connection.
AX.25(AX.25:0)
AX.25 (Amateur X.25, an “Amateur” version of X.25) is the
communications protocol used for packet radio.
IPv6(IPv6:0)
IPv6 (Internet Protocol version 6) is a protocol designed by the IETF
to replace and solve many problems of the version 4 (IPv4).
IPSEC_ TRANSPORT /
TUNNEL(AH:0)
The IPSEC AH (Authentication Header) tunneling protocol uses this
service.
IPSEC_TUNNEL(ESP:0)
The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol
uses this service.
IRC(TCP/UDP:6667)
This is another popular Internet chat program.
MSN(TCP:1863)
Microsoft Networks’ messenger service uses this protocol.
MULTICAST(IGMP:0)
Internet Group Multicast Protocol is used when sending packets to a
specific group of hosts.
NetBIOS(TCP/UDP:137~139,
445)
NetBIOS (Network Basic Input/Output System) are TCP or UDP
broadcast packets that enable a computer to connect to and
communicate with a LAN.
NEWS(TCP:144)
A protocol for news groups.
NFS(UDP:2049)
Network File System – NFS is a client/server distributed file service
that provides transparent file sharing for network environments.
NNTP(TCP:119)
Network News Transport Protocol is the delivery mechanism for the
USENET newsgroup service.
POP3(TCP:110)
Post Office Protocol version 3 lets a client computer get e-mail from a
POP3 server through a temporary connection (TCP/IP or other).
POP3S(TCP/UDP:995)
POP3 over TLS/SSL allows users to download mail over a secure
POP3 connection using TLS/SSL.
PPTP(TCP:1723)
Point-to-Point Tunneling Protocol enables secure transfer of data
over public networks. This is the control channel.
PPTP_TUNNEL(GRE:0)
Point-to-Point Tunneling Protocol enables secure transfer of data
over public networks. This is the data channel.
RCMD(TCP:512)
Remote Command Service.
REAL_AUDIO(TCP:7070)
A streaming audio service that enables real time sound over the web.
REXEC(TCP:514)
Remote Execution Daemon.
RLOGIN(TCP:513)
Remote Login.
ROADRUNNER(TCP/
UDP:1026)
This is Time Warner’s cable modem session management protocol. It
handles authentication and dynamic addressing.
RTELNET(TCP:107)
Remote Telnet.
RTSP(TCP/UDP:554)
The Real Time Streaming (media control) Protocol (RTSP) is a
remote control for multimedia on the Internet.
SFTP(TCP:115)
Simple File Transfer Protocol.
Chapter 11 Firewall Screens
234
ZyWALL 5/35/70 Series User’s Guide
Table 75 Predefined Services (continued)
SERVICE
DESCRIPTION
SIP-V2(UDP:5060)
The Session Initiation Protocol (SIP) is an application-layer control
(signaling) protocol that handles the setting up, altering and tearing
down of voice and multimedia sessions over the Internet. SIP is used
in VoIP (Voice over IP), the sending of voice signals over the Internet
Protocol.
SMTP(TCP:25)
Simple Mail Transfer Protocol is the message-exchange standard for
the Internet. SMTP enables you to move messages from one e-mail
server to another.
SNMP(TCP/UDP:161)
Simple Network Management Protocol.
SNMP-TRAPS(TCP/UDP:162)
Traps for use with the SNMP (RFC:1215).
SQL-NET(TCP:1521)
Structured Query Language is an interface to access data on many
different types of database systems, including mainframes, midrange
systems, UNIX systems and network servers.
SSDP(UDP:1900)
Simple Service Discovery Protocol (SSDP) is a discovery service
searching for Universal Plug and Play devices on your home network
or upstream Internet gateways using UDP port 1900.
SSH(TCP/UDP:22)
Secure Shell Remote Login Program.
STRMWORKS(UDP:1558)
Stream Works Protocol.
SYSLOG(UDP:514)
Syslog allows you to send system logs to a UNIX server.
TACACS(UDP:49)
Login Host Protocol used for TACACS (Terminal Access Controller Access
Control System).
TELNET(TCP:23)
Telnet is the login and terminal emulation protocol common on the
Internet and in UNIX environments. It operates over TCP/IP networks.
Its primary function is to allow users to log into remote host systems.
TFTP(UDP:69)
Trivial File Transfer Protocol is an Internet file transfer protocol similar
to FTP, but uses the UDP (User Datagram Protocol) rather than TCP
(Transmission Control Protocol).
VDOLIVE(TCP:7000)
Another videoconferencing solution.
Microsoft RDP(TCP:3389)
Microsoft offers terminal services through RDP (Remote Desktop
Protocol) to allow RDP clients to connect to a Windows terminal
server using TCP port 3389.
VNC(TCP:5900)
Virtual Network Computing (VNC) is used for remote connection
(desktop sharing) between a VNC server and a VNC viewer on TCP
port 5900.
NTP(TCP/UDP:123)
NTP (Network Time Protocol) is commonly used to synchronize the
time with a remote time server.
11.12 Example Firewall Rule
The following Internet firewall rule example allows a hypothetical My Service connection
from the Internet.
1 In the Service screen, click Add to open the Edit Custom Service screen.
Figure 104 Service
2 Configure it as follows and click Apply.
Figure 105 Edit Custom Service Example
3 Click the Rule Summary tab. Select WAN to LAN from the Packet Direction dropdown list box.
4 In the Rule Summary screen, type the index number for where you want to put the rule.
For example, if you type 6, your new rule becomes number 6 and the previous rule 6 (if
there is one) becomes rule 7.
5 Click Insert to display the firewall rule configuration screen.
Figure 106 Rule Summary
6 Enter the name of the firewall rule.
7 Select Any in the Destination Address(es) box and then click Delete.
8 Configure the destination address screen as follows and click Add.
Figure 107 Rule Edit Example
9 In the Edit Rule screen, use the arrows between Available Services and Selected
Service(s) to configure it as follows. Click Apply when you are done.
Note: Custom services show up with an * before their names in the Services list box
and the Rule Summary list box.
Figure 108 My Service Rule Configuration
Figure 109 My Service Example Rule Summary
Rule 1: Allows a My Service connection from
the WAN to IP addresses 10.0.0.10 through
10.0.0.15 on the LAN.
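The rule the procedure above builds, modelled in Python as an added example (not ZyXEL code). The WAN to LAN direction and the 10.0.0.10 through 10.0.0.15 destination range are the guide's; the protocol and port of My Service, the pre-existing rules and the Drop default action are assumptions, since the figures that define them are not reproduced here.

```python
"""Model of the Section 11.12 firewall rule example: a rule that permits the
custom "My Service" from the WAN to LAN hosts 10.0.0.10 through 10.0.0.15.

Added illustration, not ZyXEL code.  The guide defines My Service in a figure
that is not reproduced here, so its protocol and port (TCP 8000) are assumed;
the "Existing rule" entries are constructed only to show how Insert renumbers.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str          # "TCP" or "UDP"
    port_from: int
    port_to: int
    custom: bool = False   # custom services are listed with a leading "*"

    def label(self) -> str:
        return ("*" if self.custom else "") + self.name

    def matches(self, protocol: str, port: int) -> bool:
        return protocol == self.protocol and self.port_from <= port <= self.port_to


# The "Any" destination address: the whole IPv4 range.
ANY_ADDRESS = (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255"))


@dataclass(frozen=True)
class Rule:
    name: str
    destination: Tuple[IPv4Address, IPv4Address]   # inclusive address range
    services: Tuple[Service, ...]
    action: str                                    # "Permit" or "Drop"

    def matches(self, pkt: dict) -> bool:
        lo, hi = self.destination
        if not lo <= IPv4Address(pkt["dst"]) <= hi:
            return False
        return any(s.matches(pkt["proto"], pkt["dport"]) for s in self.services)


class RuleSummary:
    """Ordered rules for one Packet Direction, e.g. WAN to LAN."""

    def __init__(self, direction: Tuple[str, str], default_action: str):
        self.direction = direction
        self.default_action = default_action
        self.rules: List[Rule] = []

    def insert(self, index: int, rule: Rule) -> None:
        # Step 4: typing 6 makes the new rule number 6 and the old rule 6 becomes 7.
        if not 1 <= index <= len(self.rules) + 1:
            raise ValueError(f"index {index} out of range")
        self.rules.insert(index - 1, rule)

    def numbered(self) -> List[Tuple[int, str]]:
        return [(i, r.name) for i, r in enumerate(self.rules, start=1)]

    def evaluate(self, pkt: dict) -> Tuple[str, Optional[int]]:
        """First matching rule decides; unmatched packets get the default action."""
        if (pkt["from"], pkt["to"]) != self.direction:
            raise ValueError("packet is not in this rule summary's direction")
        for number, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                return rule.action, number
        return self.default_action, None


MY_SERVICE = Service("My Service", "TCP", 8000, 8000, custom=True)  # assumed port
HTTP = Service("HTTP", "TCP", 80, 80)


def build_example() -> RuleSummary:
    # Assumed: WAN to LAN drops by default; rules A and B are constructed so the
    # renumbering done by Insert is visible.
    wan_to_lan = RuleSummary(("WAN", "LAN"), default_action="Drop")
    wan_to_lan.insert(1, Rule("Existing rule A", ANY_ADDRESS, (HTTP,), "Drop"))
    wan_to_lan.insert(2, Rule("Existing rule B", ANY_ADDRESS, (HTTP,), "Drop"))
    my_rule = Rule("My Service rule",
                   (IPv4Address("10.0.0.10"), IPv4Address("10.0.0.15")),
                   (MY_SERVICE,), "Permit")
    wan_to_lan.insert(1, my_rule)      # becomes rule 1, as in Figure 109
    return wan_to_lan
```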
CHAPTER 12
Intrusion Detection and Prevention (IDP)
This chapter introduces some background information on IDP. Skip to the next chapter to see
how to configure IDP on your ZyWALL.
12.1 Introduction to IDP
An IDP system can detect malicious or suspicious packets and respond instantaneously. It can
detect anomalies based on violations of protocol standards (RFCs, Requests for Comments)
and on abnormal traffic flows such as port scans.
Figure 110 on page 240 represents a typical business network consisting of a LAN, a DMZ
(DeMilitarized Zone) containing the company web, FTP, mail servers etc., a firewall and/or
NAT router connected to a broadband modem (M) for Internet access.
Figure 110 Network Intrusions
12.1.1 Firewalls and Intrusions
Firewalls are designed to block clearly suspicious traffic and forward other traffic through.
Many exploits take advantage of weaknesses in the protocols that are allowed through the
firewall, so that once an inside server has been compromised it can be used as a backdoor to
launch attacks on other servers.
Firewalls are usually deployed at the network edge. However, many attacks are launched
(sometimes inadvertently) from within an organization. Virtual private networks (VPN),
removable storage devices and wireless networks may all provide access to the internal
network without going through the firewall.
12.1.2 IDS and IDP
An Intrusion Detection System (IDS) can detect suspicious activity, but does not take action
against attacks. On the other hand, an IDP is a proactive defense mechanism designed to
detect malicious packets within normal network traffic and take an action (block, drop, log,
send an alert) against the offending traffic automatically before it does any damage. An IDS
only raises an alert after the malicious payload has been delivered. Worms such as Slammer
and Blaster have such fast proliferation speeds that by the time an alert is generated, the
damage is already done and spreading fast.
There are two main categories of IDP: Host IDP and Network IDP.
12.1.3 Host IDP
The goal of host-based intrusions is to infiltrate files on an individual computer or server in
order to access confidential information or destroy information on that computer.
You must install Host IDP directly on the system being protected. It works closely with the
operating system, monitoring and intercepting system calls to the kernel or APIs in order to
prevent attacks as well as log them.
Disadvantages of host IDPs are that you have to install them on each device (that you want to
protect) in your network and due to the necessarily tight integration with the host operating
system, future operating system upgrades could cause problems.
12.1.4 Network IDP
Network-based intrusions have the goal of bringing down a network or networks by attacking
computer(s), switch(es), router(s) or modem(s). If a LAN switch is compromised for example,
then the whole LAN is compromised, resulting in the equivalent of a LAN Denial of Service
(DoS) attack. Host-based intrusions may be used to cause network-based intrusions when the
goal of the host virus is to propagate attacks on the network, or attack computer/server
operating system vulnerabilities with the goal of bringing down the computer/server. Typical
“network-based intrusions” are SQL slammer, Blaster, Nimda, MyDoom etc.
A Network IDP has at least two network interfaces, one internal and one external. As packets
appear at an interface they are passed to the detection engine, which determines whether they
are malicious or not. If a malicious packet is detected, an action is taken. The remaining
packets that make up that particular TCP session are also discarded.
12.1.5 Example Intrusions
The following are some examples of intrusions.
12.1.5.1 SQL Slammer Worm
W32.SQLExp.Worm is a worm that targets the systems running Microsoft SQL Server 2000,
as well as Microsoft Desktop Engine (MSDE) 2000. The worm sends 376 bytes to UDP port
1434, the SQL Server Resolution Service Port. The worm has the unintended payload of
performing a Denial of Service attack due to the large number of packets it sends. Refer to
Microsoft SQL Server 2000 or MSDE 2000 vulnerabilities in Microsoft Security Bulletin
MS02-039 and Microsoft Security Bulletin MS02-061.
12.1.5.2 Blaster W32.Worm
This is a worm that exploits the DCOM RPC vulnerability (see Microsoft Security Bulletin
MS03-026 and Microsoft Security Bulletin MS03-039) using TCP port 135. The worm targets
only Windows 2000 and Windows XP machines. While Windows NT and Windows 2003
Server machines are vulnerable (if not properly patched), the worm is not coded to replicate on
those systems. This worm attempts to download the msblast.exe file to the
%WinDir%\system32 directory and then execute it. W32.Blaster.Worm does not mass mail to
other devices.
12.1.5.3 Nimda
Its name (backwards for "admin") refers to an "admin.DLL" file that, when run, continues to
propagate the virus. Nimda probes each IP address within a randomly selected range of IP
addresses, attempting to exploit weaknesses that, unless already patched, are known to exist in
computers with Microsoft's Internet Information Server. A system with an exposed IIS Web
server will read a Web page containing an embedded JavaScript that automatically executes,
causing the same JavaScript code to propagate to all Web pages on that server. As Microsoft
Internet Explorer browsers version 5.01 or earlier visit sites at the infected Web server, they
unwittingly download pages with the JavaScript code that automatically executes, causing the
virus to be sent to other computers on the Internet in a somewhat random fashion. Nimda also
can infect users within the Web server's own internal network that have been given a network
share (a portion of file space). Finally, one of the things that Nimda has an infected system do
is to send an e-mail with a "readme.exe" attachment to the addresses in the local Windows
address book. A user who opens or previews this attachment (which is a Web page with the
JavaScript) propagates the virus further.
Server administrators should get and apply the cumulative IIS patch that Microsoft has
provided for previous viruses and ensure that no one at the server opens e-mail. You should
update your Internet Explorer version to IE 5.5 SP2 or later. Scan and cleanse your system
with anti-virus software.
12.1.5.4 MyDoom
MyDoom (also known as W32.Novarg.A) is a mass-mailing worm
that arrives as an attachment with a bat, cmd, exe, pif, scr, or zip file extension. When a
computer is infected, the worm sets up a backdoor into the system by opening TCP ports 3127
through 3198, which can potentially allow an attacker to connect to the computer and use it as
a proxy to gain access to its network resources. In addition, the backdoor can download and
execute arbitrary files. Systems affected are Windows 95, Windows 98, Windows Me,
Windows NT, Windows 2000, Windows XP and Windows Server 2003.
W32/MyDoom-A is a worm that is spread by e-mail. When the infected attachment is
launched, the worm gathers e-mail addresses from address books and from files with the
following extensions: WAB, TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL.
W32/MyDoom-A creates a file called Message in the temp folder and runs Notepad to display
the contents, which are random characters. W32/MyDoom-A puts randomly chosen
e-mail addresses in the "To:" and "From:" fields as well as a randomly chosen subject line.
Attached files will have an extension of BAT, CMD, EXE, PIF, SCR or ZIP.
12.1.6 ZyWALL IDP
The ZyWALL Internet Security Appliance is designed to protect against network-based
intrusions. See Section 13.2 on page 245 for more information on how to apply IDP to
ZyWALL interfaces.
IDP is regularly updated by the ZyXEL Security Response Team (ZSRT). Regular updates are
vital as new intrusions evolve.
CHAPTER 13
Configuring IDP
This chapter shows you how to configure IDP on the ZyWALL.
13.1 Overview
To use IDP on the ZyWALL, you need to insert the ZyWALL Turbo Card into the rear panel
slot of the ZyWALL. See the ZyWALL Turbo Card guide for details.
Note: The ZyWALL has no wireless capability when ZyWALL Turbo Card is in place.
The ZyWALL Turbo Card does not have a MAC address.
IDP cannot check encrypted traffic such as VPN tunnel traffic.
13.1.1 Interfaces
The ZyWALL checks traffic going out from the ZyWALL to the interface(s) you specify for
signature matches.
If a packet matches a signature, the action specified by the signature is taken. You can change
the default signature actions in the Signatures screen.
Figure 111 Applying IDP to Interfaces
13.2 General Setup
Use this screen to enable IDP on the ZyWALL and choose what interface(s) you want to
protect from intrusions.
Click IDP from the navigation panel. General is the first screen as shown in the following
figure.
Figure 112 IDP: General
The following table describes the labels in this screen.
Table 76 IDP: General Setup
LABEL
DESCRIPTION
General Setup
Enable Intrusion Detection and Protection
Select this check box to enable IDP on the ZyWALL. When this check box is
cleared the ZyWALL is in IDP “bypass” mode and no IDP checking is done.
Turbo Card
This field displays whether or not a ZyWALL Turbo Card is installed.
Note: You cannot configure and save the IDP and Anti-Virus
screens if the ZyWALL Turbo Card is not installed.
Protected Interface
Select the Active check box to apply IDP to the corresponding interface. Traffic
going from the ZyWALL out through this interface is then checked against the
signature database for possible intrusions. For example, if you want to protect
the LAN computers from intrusions, select the LAN interface.
Apply
Click this button to save your changes back to the ZyWALL.
Reset
Click this button to begin configuring this screen afresh.
13.3 IDP Signatures
The rules that define how to identify and respond to intrusions are called “signatures”. Click
IDP in the navigation panel and then click the Signatures tab to see the ZyWALL’s
signatures.
13.3.1 Attack Types
Click IDP in the navigation panel and then select the Signatures tab. The Attack Type list
box displays all intrusion types supported by the ZyWALL. Other covers all intrusion types
not covered by other types listed.
To see signatures listed by intrusion type supported by the ZyWALL, select that type from the
Attack Type list box.
Figure 113 Attack Types
The following table describes each attack type.
Table 77 Attack Types
TYPE
DESCRIPTION
DoS/DDoS
The goal of Denial of Service (DoS) attacks is not to steal information, but to
disable a device or network on the Internet. A distributed denial-of-service (DDoS)
attack is one in which multiple compromised systems attack a single target,
thereby causing denial of service for users of the targeted system.
Buffer Overflow
A buffer overflow occurs when a program or process tries to store more data in a
buffer (temporary data storage area) than it was intended to hold. The excess
information can overflow into adjacent buffers, corrupting or overwriting the valid
data held in them.
Intruders could run code in the overflowed buffer region to obtain control of the
system, install a backdoor or use the victim to launch attacks on other devices.
Access Control
Access control refers to procedures and controls that limit or detect access. Access
control is used typically to control user access to network resources such as
servers, directories, and files.
Scan
Scan refers to all port, IP or vulnerability scans. Hackers scan ports to find targets.
They may use a TCP connect() call, SYN scanning (half-open scanning), Nmap
etc. After a target has been found, a vulnerability scanner can be used to exploit
exposures.
Trojan Horse
A Trojan horse is a harmful program that’s hidden inside apparently harmless
programs or data. It could be used to steal information or remotely control a device.
P2P
Peer-to-peer (P2P) is where computing devices link directly to each other and can
directly initiate communication with each other; they do not need an intermediary. A
device can be both the client and the server. In the ZyWALL, P2P refers to peer-to-peer
applications such as eMule, eDonkey, BitTorrent, iMesh etc.
IM
IM (Instant Messaging) refers to chat applications. Chat is real-time communication
between two or more users via networks-connected computers. After you enter a
chat (or chat room), any member can type a message that will appear on the
monitors of all the other participants.
Virus/Worm
A computer virus is a small program designed to corrupt and/or alter the operation
of other legitimate programs. A worm is a program that is designed to copy itself
from one computer to another on a network. A worm’s uncontrolled replication
consumes system resources thus slowing or stopping other tasks.
The IDP Virus/Worm category refers to network-based viruses and worms. The
Anti-Virus (AV) screen refers to file-based viruses and worms. Refer to the anti-virus
chapter for additional information on file-based anti-virus scanning in the
ZyWALL.
Porn
The ZyWALL can block web sites if their URLs contain certain pornographic words.
It cannot block web pages containing those words if the associated URL does not.
Web Attack
Web attack signatures refer to attacks on web servers such as IIS (Internet
Information Services).
SPAM
Spam is unsolicited "junk" e-mail sent to large numbers of people to promote
products or services. Refer to the anti-spam chapter for more detailed information.
Other
This category refers to signatures for attacks that do not fall into the previously
mentioned categories.
13.3.2 Intrusion Severity
Intrusions are assigned a severity level based on the following table. The intrusion severity
level then determines the default signature action.
Table 78 Intrusion Severity
SEVERITY
DESCRIPTION
Severe
These are intrusions that try to run arbitrary code or gain system privileges.
High
These are known serious vulnerabilities or intrusions that are probably not false
alarms.
Medium
These are medium threats, access control intrusions or intrusions that could be false
alarms.
Low
These are mild threats or intrusions that could be false alarms.
Very Low
These are possible intrusions caused by traffic such as Ping, trace route, ICMP
queries etc.
13.3.3 Signature Actions
You can enable/disable individual signatures. You can log and/or have an alert sent when
traffic meets a signature's criteria. You can also change the default action to be taken when a
packet or stream matches a signature. The following figure and table describe these actions.
Note that in addition to these actions, a log may be generated or an alert sent, if those check
boxes are selected and the signature is enabled.
Figure 114 Signature Actions
The following table describes signature actions.
Table 79 Signature Actions
ACTION
DESCRIPTION
No Action
The intrusion is detected but no action is taken.
Drop Packet
The packet is silently discarded.
Drop Session
When the firewall is enabled, subsequent TCP/IP packets belonging to the
same connection are dropped. Neither the sender nor the receiver is sent TCP RST
packets. If the firewall is not enabled, only the packet that matched the signature
is dropped.
Reset Sender
When the firewall is enabled, the TCP/IP connection is silently torn down. Just
the sender is sent TCP RST packets. If the firewall is not enabled only the
packet that matched the signature is dropped.
Reset Receiver
When the firewall is enabled, the TCP/IP connection is silently torn down. Just
the receiver is sent TCP RST packets. If the firewall is not enabled only the
packet that matched the signature is dropped.
Reset Both
When the firewall is enabled, the TCP/IP connection is silently torn down. Both
sender and receiver are sent TCP RST packets. If the firewall is not enabled
only the packet that matched the signature is dropped.
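The detection engine of Section 12.1.4 together with the signature actions in Table 79, modelled in Python as an added example (not ZyXEL code). The two signatures follow the worm descriptions in Section 12.1.5; the mapping from severity to default action is an assumption, as are the constructed packet records.

```python
"""Toy model of the ZyWALL network IDP (Section 12.1.4) and its signature actions
(Table 79).  Added illustration, not ZyXEL code.  Signatures follow the Section
12.1.5 worm descriptions (Slammer: 376-byte UDP datagram to port 1434; MyDoom
backdoor: TCP 3127-3198); the severity-to-default-action mapping is an assumption
and the packet records are constructed, not captured."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumed default action for each Table 78 severity level.
DEFAULT_ACTION = {"Severe": "Drop Session", "High": "Drop Session",
                  "Medium": "Drop Packet", "Low": "No Action", "Very Low": "No Action"}
# Who receives TCP RST once the firewall tears the session down (Table 79).
RST_TARGETS = {"Drop Session": (), "Reset Sender": ("sender",),
               "Reset Receiver": ("receiver",), "Reset Both": ("sender", "receiver")}


@dataclass
class Signature:
    sig_id: int
    name: str
    severity: str
    proto: str
    dport: Tuple[int, int]              # inclusive destination port range
    payload_len: Optional[int] = None   # None = any length
    active: bool = True                 # Active check box
    log: bool = True                    # Log check box
    alert: bool = False                 # Alert check box; only applies when log is set
    action: Optional[str] = None        # None = default action for the severity

    def effective_action(self) -> str:
        return self.action or DEFAULT_ACTION[self.severity]

    def matches(self, pkt: dict) -> bool:
        if not self.active or pkt["proto"] != self.proto:
            return False
        if not self.dport[0] <= pkt["dport"] <= self.dport[1]:
            return False
        return self.payload_len is None or pkt["len"] == self.payload_len


@dataclass
class Verdict:
    forwarded: bool
    sig_id: Optional[int] = None        # signature that fired, if any
    rst_to: Tuple[str, ...] = ()
    logged: bool = False
    alerted: bool = False


class IDPEngine:
    """Checks packets leaving through a protected interface against the signatures."""

    def __init__(self, signatures: List[Signature], firewall_enabled: bool = True):
        self.signatures = signatures
        self.firewall_enabled = firewall_enabled
        self.dropped_sessions: Set[tuple] = set()

    def inspect(self, pkt: dict) -> Verdict:
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key in self.dropped_sessions:
            # Section 12.1.4: the rest of a torn-down session is discarded unseen.
            return Verdict(forwarded=False)
        sig = next((s for s in self.signatures if s.matches(pkt)), None)
        if sig is None:
            return Verdict(forwarded=True)
        action = sig.effective_action()
        verdict = Verdict(forwarded=(action == "No Action"), sig_id=sig.sig_id,
                          logged=sig.log, alerted=sig.log and sig.alert)
        if action in ("No Action", "Drop Packet") or not self.firewall_enabled:
            # With the firewall disabled only the matching packet is dropped (Table 79).
            return verdict
        self.dropped_sessions.add(key)
        verdict.rst_to = RST_TARGETS[action]
        return verdict


SIGNATURES = [
    Signature(1, "SQL Slammer (W32.SQLExp.Worm)", "Severe", "UDP", (1434, 1434),
              payload_len=376, alert=True),
    Signature(2, "MyDoom backdoor connection", "High", "TCP", (3127, 3198),
              action="Reset Both"),
]

# Constructed packets: a Slammer datagram plus a second datagram in the same flow, a
# MyDoom backdoor connection (two packets), plain HTTP, and a one-byte SQL Server
# Resolution Service query that must not be mistaken for Slammer.
PACKETS = [
    dict(proto="UDP", src="192.0.2.7", sport=1030, dst="203.0.113.5", dport=1434, len=376),
    dict(proto="UDP", src="192.0.2.7", sport=1030, dst="203.0.113.5", dport=1434, len=100),
    dict(proto="TCP", src="198.51.100.9", sport=40000, dst="203.0.113.20", dport=3127, len=0),
    dict(proto="TCP", src="198.51.100.9", sport=40000, dst="203.0.113.20", dport=3127, len=60),
    dict(proto="TCP", src="198.51.100.9", sport=40001, dst="203.0.113.20", dport=80, len=200),
    dict(proto="UDP", src="192.0.2.8", sport=1031, dst="203.0.113.5", dport=1434, len=1),
]


def run_example(firewall_enabled: bool = True) -> List[Verdict]:
    engine = IDPEngine(SIGNATURES, firewall_enabled)
    return [engine.inspect(p) for p in PACKETS]
```

Running it with the firewall enabled and then disabled shows the difference Table 79 describes: the second Slammer-flow datagram is discarded only in the first case.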
13.3.4 Configuring IDP Signatures
Click IDP in the navigation panel and then click the Signatures tab to see the ZyWALL’s
“group view” signature screen where you can view signatures by attack type. To search for
signatures based on other criteria such as signature name or ID, click the Switch to query
view link to go to the “query view” screen.
You can take actions on these signatures as described in Section 13.3.3 on page 248. To revert
to the default actions or to save sets of actions, go to the Backup & Restore screen.
Figure 115 IDP: Signatures
The following table describes the labels in this screen.
Table 80 IDP Signatures: Group View
LABEL
DESCRIPTION
Signature Groups
Attack Type
Select the type of signatures you want to view from the list box. See Section 13.3.1 on
page 246 for information on types of signatures.
Switch to query view
Click this hyperlink to go to a screen where you can search for signatures based on
criteria other than attack type.
Name
The (read-only) signature name identifies a specific signature targeted at a specific
intrusion. Click the hyperlink for more detailed information on the intrusion.
ID
Each intrusion has a unique identification number. This number may be searched at
myZyXEL.com for more detailed information.
Severity
This field displays the level of threat that the intrusion may pose. See Table 78 on page
248 for more information on intrusion severity.
Platform
This field displays the operating system of the computer or network device that the
intrusion targets (the platform vulnerable to it). The icons represent a Windows operating
system, a UNIX-based operating system and a network device respectively.
Active
Select the check box in the heading row to automatically select all check boxes and
enable all signatures.
Clear it to clear all entries and disable all signatures on the current page. For example,
you could clear all check boxes for signatures that target operating systems not in
your network. This would speed up the IDP signature checking process.
Alternatively, you may select or clear individual entries. The check box becomes gray
when you select the check box.
If you edited any of the check boxes in this column on the current page, use the check
box in the heading row to switch between the settings (last partial edited, all selected
and all cleared).
Log
Select this check box to have a log generated when a match is found for a signature.
Select the check box in the heading row to automatically select all check boxes or clear
it to clear all entries on the current page.
Alternatively, you may select or clear individual entries. The check box becomes gray
when you select the check box.
If you edited any of the check boxes in this column on the current page, use the check
box in the heading row to switch between the settings (last partial edited, all selected
and all cleared).
Alert
You can only edit the Alert check box when the corresponding Log check box is
selected.
Select this check box to have an e-mail sent when a match is found for a signature.
Select the check box in the heading row to automatically select all check boxes or clear
it to clear all entries on the current page.
Alternatively, you may select or clear individual entries. The check box becomes gray
when you select the check box.
If you edited any of the check boxes in this column on the current page, use the check
box in the heading row to switch between the settings (last partial edited, all selected
and all cleared).
Action
You can change the default signature action here. See Table 79 on page 249 for more
details on actions.
Apply
Click this button to save your changes back to the ZyWALL.
Reset
Click this button to begin configuring this screen afresh.
13.3.5 Query View
Click IDP in the navigation panel and then click the Signatures tab to see the ZyWALL’s
“group view” signature screen, then click the Switch to query view link to go to this “query
view” screen.
In this screen you can search for signatures based on:
• Signature name or ID or
• Severity, category (type), target operating system and by type of signature action such as
active, log, alert and action as shown in the next two screen examples.
13.3.5.1 Query Example 1
From the “group view” signature screen, click the Switch to query view link.
1 Select Signature Search.
2 Select By Name or By ID from the list box.
3 Enter a name (complete or partial) or complete ID to display all relevant signatures in the
signature database.
Note: A partial name may be searched but a complete ID number must be entered
before a match can be found. For example, a search by name for “w” (in the
first example) finds all intrusions that contain this letter in the name field.
However a search by ID for “1” would return no match. You must enter the
complete ID as shown in the second example.
4 Click Search. If the search finds more signatures than can be displayed on one page, use
the Go to Page list box to view other pages of signatures found in the search.
5 If you change the Active, Log, Alert and/or Action signature fields in the signatures
found, then click Apply to save the changes to the ZyWALL.
Figure 116 Signature Query by Partial Name
Figure 117 Signature Query by Complete ID
13.3.5.2 Query Example 2
From the “group view” signature screen, click the Switch to query view link.
1 Select Signature Search By Attributes.
2 Select the Severity, Type, Platform, Active, Log, Alert and/or Action items. In this
example all severe DDoS type signatures that target the Windows operating system are
displayed.
3 Click Search.
If you change the Active, Log, Alert and/or Action signature fields in the signatures found,
then click Apply to save the changes to the ZyWALL.
Figure 118 Signature Query by Attribute
13.4 Update
The ZyWALL comes with built-in signatures created by the ZyXEL Security Response Team
(ZSRT). These are regularly updated as new intrusions evolve. Use the Update screen to
immediately download or schedule new signature downloads.
Note: You should have already registered the ZyWALL at myZyXEL.com
(http://www.myzyxel.com/myzyxel/) and also have either activated the trial license or
standard license (iCard). If your license has expired, you will have to renew it
before updates are allowed.
13.4.1 mySecurity Zone
mySecurityZone is a web portal that provides all security-related information such as intrusion
and anti-virus information for ZyXEL security products.
Click the intrusion ID hyperlink to go directly to information on that signature or enter
https://mysecurity.zyxel.com/mysecurity/ as the URL in your web browser.
You should have already registered your ZyWALL on myZyXEL.com at:
http://www.myzyxel.com/myzyxel/.
You can use your myZyXEL.com username and password to log into mySecurity Zone.
13.4.2 Configuring IDP Update
When scheduling signature updates, you should choose a day and time when your network is
least busy so as to minimize disruption to your network. Your custom signature configurations
are not over-written when you download new signatures.
File-based anti-virus signatures (see the anti-virus chapter) are included with IDP signatures.
When you download new signatures using the anti-virus Update screen, IDP signatures are
also downloaded. The version number changes both in the anti-virus Update screen and this
screen. Both screens also share the same Auto-Update schedule. Changes made to the
schedule in one screen are reflected in the other.
Note: The ZyWALL does not have to reboot when you upload new signatures.
Click IDP from the navigation panel and then click the Update tab.
Figure 119 Signatures Update
The following table describes the labels in this screen.
Table 81 Signatures Update
LABEL
DESCRIPTION
Signature Information
Current Pattern Version
This field displays the signatures version number currently used by the ZyWALL.
This number is defined by the ZyXEL Security Response Team (ZSRT) who
maintain and update them.
This number increments as new signatures are added, so you should refer to this
number regularly. Go to https://mysecurity.zyxel.com/mysecurity/ to see what the
latest version number is. You can also subscribe to signature update e-mail
notifications.
Release Date
This field displays the time (hour, minute, second) and date (month, date, year)
that the above signature set was created.
Last Update
This field displays the last date and time you downloaded new signatures to the
ZyWALL. It displays N/A if you have not downloaded any new signatures yet.
Current IDP Signatures
This field displays the number of IDP-related signatures.
Signature Update Service Status
This field displays License Inactive if you have not yet activated your trial or iCard
license at myZyXEL.com.
It displays License Inactive and an expiration date if your trial or iCard license has
expired (the expiration date is the date it expired).
It displays Trial Active and an expiration date when you have activated your trial
license.
It displays License Active and an expiration date when you have activated your
iCard license (the expiration date is the date it will expire).
Update Server
This is the URL of the signature server from which you download signatures. The
default server at the time of writing is displayed as shown in the screen.
Update Now
Click this button to begin downloading signatures from the Update Server
immediately.
Auto Update
Select the check box to configure a schedule for automatic signature updates. The
Hourly, Daily and Weekly fields display when the check box is selected. The
ZyWALL then automatically downloads signatures from the Update Server
regularly at the time and/or day you specify.
Hourly
Select this option to have the ZyWALL check the update server for new signatures
every hour. This may be advisable when new intrusions are currently spreading
throughout the Internet.
Daily
Select this option to have the ZyWALL check the update server for new signatures
every day at the hour you select from the list box. The ZyWALL uses a 24-hour
clock. For example, choose 15 from the O’clock list box to have the ZyWALL
check the update server for new signatures at 3 PM every day.
Weekly
Select this option to have the ZyWALL check the update server for new signatures
once a week on the day and hour you select from the list boxes. The ZyWALL uses
a 24-hour clock, so for example, choose Wednesday and 15 from the respective
list boxes to have the ZyWALL check the update server for new signatures at 3PM
every Wednesday.
Apply
Click this button to save your changes back to the ZyWALL.
Reset
Click this button to close this screen without saving any changes.
13.5 Backup and Restore
You can change the pre-defined Active, Log, Alert and/or Action settings of individual
signatures.
Figure 120 IDP: Backup & Restore
Use the Backup & Restore screen to:
• Back up IDP signatures with your custom configured settings. Click Backup and then
choose a location and filename for the IDP configuration set.
• Restore previously saved IDP signatures (with your custom configured settings). Click
Restore and choose the path and location where the previously saved file resides on your
computer.
• Revert to the original ZSRT-defined signature Active, Log, Alert and/or Action settings.
Click Reset.
CHAPTER 14
Anti-Virus
This chapter introduces and shows you how to configure the anti-virus scanner.
14.1 Anti-Virus Overview
A computer virus is a small program designed to corrupt and/or alter the operation of other
legitimate programs. A worm is a self-replicating virus that resides in active memory and
duplicates itself. The effect of a virus attack varies from doing so little damage that you are
unaware your computer is infected to wiping out the entire contents of a hard drive to
rendering your computer inoperable.
14.1.1 Types of Computer Viruses
The following table describes some of the common computer viruses.
Table 82 Common Computer Virus Types
TYPE
DESCRIPTION
File Infector
This is a small program that embeds itself in a legitimate program. A file infector is
able to copy and attach itself to other programs that are executed on an infected
computer.
Boot Sector Virus
This type of virus infects the area of a hard drive that a computer reads and
executes during startup. The virus causes computer crashes and to some extent
renders the infected computer inoperable.
Macro Virus
Macro viruses or Macros are small programs that are created to perform repetitive
actions. Macros run automatically when a file to which they are attached is
opened. Macros spread more rapidly than other types of viruses as data files are
often shared on a network.
E-mail Virus
E-mail viruses are malicious programs that spread through e-mail.
Polymorphic Virus
A polymorphic virus (also known as a mutation virus) tries to evade detection by
changing a portion of its code structure after each execution or self replication.
This makes it harder for an anti-virus scanner to detect or intercept it.
A polymorphic virus can also belong to any of the virus types discussed above.
14.1.2 Computer Virus Infection and Prevention
The following describes a simple life cycle of a computer virus.
1 A computer gets a copy of a virus from a source such as the Internet, e-mail, file sharing
or any removable storage media. The virus is harmless until the execution of an infected
program.
2 The virus spreads to other files and programs on the computer.
3 The infected files are unintentionally sent to another computer thus starting the spread of
the virus.
4 Once the virus is spread through the network, the number of infected networked
computers can grow exponentially.
14.1.3 Types of Anti-Virus Scanner
This section describes two types of anti-virus scanner: host-based and network-based.
A host-based anti-virus (HAV) scanner is often software installed on computers and/or servers
in the network. It inspects files for virus patterns as they are moved in and out of the hard
drive. However, host-based anti-virus scanners cannot eliminate all viruses for a number of
reasons:
• HAV scanners are slow in stopping virus threats through real-time traffic (such as from
the Internet).
• HAV scanners may reduce computing performance as they also share the resources (such
as CPU time) on the computer for file inspection.
• You have to update the virus signatures and/or perform virus scans on all computers in
the network regularly.
A network-based anti-virus (NAV) scanner is often deployed as a dedicated security device
(such as your ZyWALL) on the network edge. NAV scanners inspect real-time data traffic
(such as e-mail messages or web traffic) that tends to bypass HAV scanners. The following lists
some of the benefits of NAV scanners.
• NAV scanners stop virus threats at the network edge before they enter or exit a network.
• NAV scanners reduce the computing load on computers, as the real-time data traffic
inspection is done on a dedicated security device.
14.2 Introduction to the ZyWALL Anti-Virus Scanner
The ZyWALL has a built-in signature database. Setting up the ZyWALL between your local
network and the Internet allows the ZyWALL to scan files transmitted through the enabled
interfaces into your network. As a network-based anti-virus scanner, the ZyWALL helps stop
threats at the network edge before they reach the local host computers.
You can set the ZyWALL to examine files received through the following protocols:
• FTP (File Transfer Protocol)
• HTTP (Hyper Text Transfer Protocol)
• SMTP (Simple Mail Transfer Protocol)
• POP3 (Post Office Protocol version 3)
14.2.1 How the ZyWALL Anti-Virus Scanner Works
The ZyWALL checks traffic going to the interface(s) you specify for signature matches.
Figure 121 ZyWALL Anti-virus Example
The following describes the virus scanning process on the ZyWALL.
1 The ZyWALL first identifies SMTP, POP3, HTTP and FTP packets through standard
ports.
2 If the packets are not session connection setup packets (such as SYN, ACK and FIN), the
ZyWALL records the sequence of the packets.
3 The scanning engine checks the contents of the packets for virus.
4 If a virus pattern is matched, the ZyWALL “destroys” the file by removing the infected
portion of the file.
5 If the send alert message function is enabled, the ZyWALL sends an alert to the file’s
intended destination computer(s).
Note: Since the ZyWALL erases the infected portion of the file before sending it, you
may not be able to open the file.
14.2.2 Notes About the ZyWALL Anti-Virus
To use the anti-virus scanner on the ZyWALL, you need to insert the ZyWALL Turbo Card
into the rear panel slot of the ZyWALL. See the ZyWALL Turbo Card guide for details.
Note: The ZyWALL has no wireless capability when the ZyWALL Turbo Card is in
place.
The ZyWALL Turbo Card does not have a MAC address.
The following lists important notes about the anti-virus scanner:
1 The ZyWALL anti-virus scanner cannot detect polymorphic viruses.
2 The ZyWALL does not scan the following file/traffic types:
• Simultaneous downloads of a file using multiple connections. For example, when
you use FlashGet to download sections of a file simultaneously.
• Encrypted traffic (such as on a VPN) or password-protected files.
• Traffic through custom (non-standard) ports.
• ZIP file(s) within a ZIP file.
3 When a virus is detected, an alert message is displayed on Microsoft Windows
computers.²
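As an added example, not code from this guide or from ZyXEL, the following Python models the scanning rules of Section 14.2.1 and the limitations listed in Section 14.2.2: only the four services on their standard ports are inspected, a ZIP file is decompressed one level only, and a matched pattern is removed from the file. The port table, the sample signature and all function names are constructed stand-ins; a real ZSRT signature is not documented here.

```python
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

# Constructed model (this example's own code, not the ZyWALL's) of the scanning
# rules in Sections 14.2.1 and 14.2.2: traffic is identified by standard port,
# a ZIP is decompressed one level only, and a matched signature is "destroyed"
# by removing the infected portion of the file.

# Standard ports for the four scanned services (Section 14.2).
STANDARD_PORTS: Dict[int, str] = {21: "FTP", 25: "SMTP", 80: "HTTP", 110: "POP3"}

# Constructed sample signature; a real ZSRT signature is not documented here.
SIGNATURES: Dict[str, "re.Pattern[bytes]"] = {
    "EXAMPLE-SIG": re.compile(rb"CONSTRUCTED-VIRUS-PATTERN"),
}


def protocol_for_port(port: int) -> Optional[str]:
    """Step 1 of Section 14.2.1: identify the service by its standard port.
    Traffic on custom ports is not scanned at all (Section 14.2.2, note 2)."""
    return STANDARD_PORTS.get(port)


def scan_bytes(data: bytes) -> Tuple[bytes, List[str]]:
    """Steps 3-4: match every signature and strip the matched bytes."""
    matches: List[str] = []
    for name, pattern in SIGNATURES.items():
        if pattern.search(data):
            matches.append(name)
            data = pattern.sub(b"", data)  # "destroy" the infected portion
    return data, matches


def _scan_zip(protocol: str, data: bytes) -> dict:
    """Decompress one level only: a ZIP member that is itself a ZIP is passed
    through unopened and reported, mirroring the note in Section 14.2.2."""
    matches: List[str] = []
    unscanned: List[str] = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as zin, zipfile.ZipFile(out, "w") as zout:
        for info in zin.infolist():
            member = zin.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                unscanned.append(info.filename)      # ZIP within a ZIP: not opened
                zout.writestr(info.filename, member)
                continue
            clean, hits = scan_bytes(member)
            matches.extend(f"{info.filename}:{h}" for h in hits)
            zout.writestr(info.filename, clean)
    return {"scanned": True, "protocol": protocol, "data": out.getvalue(),
            "matches": matches, "unscanned_members": unscanned}


def scan_file(port: int, data: bytes) -> dict:
    """Decide what the scanner does with one file seen on the given port."""
    protocol = protocol_for_port(port)
    if protocol is None:
        return {"scanned": False, "reason": "non-standard port", "protocol": None,
                "data": data, "matches": [], "unscanned_members": []}
    if zipfile.is_zipfile(io.BytesIO(data)):
        return _scan_zip(protocol, data)
    clean, matches = scan_bytes(data)
    return {"scanned": True, "protocol": protocol, "data": clean,
            "matches": matches, "unscanned_members": []}


def make_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from a name -> content mapping (sample-input helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample traffic: HTTP download, custom-port download, nested ZIP over POP3.
    print(scan_file(80, b"hello CONSTRUCTED-VIRUS-PATTERN world")["matches"])
    print(scan_file(8080, b"CONSTRUCTED-VIRUS-PATTERN")["scanned"])
    nested = make_zip({"payload.txt": b"CONSTRUCTED-VIRUS-PATTERN"})
    outer = make_zip({"report.txt": b"CONSTRUCTED-VIRUS-PATTERN", "inner.zip": nested})
    print(scan_file(110, outer)["unscanned_members"])
```

The third call shows why host-based scanning is still needed behind the ZyWALL: the nested archive is forwarded without inspection.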
14.3 General Anti-Virus Setup
Click SECURITY, ANTI-VIRUS to display the configuration screen as shown next.
Figure 122 Anti-Virus: General
2. For Windows 98/Me, refer to Appendix J on page 726 for requirements.
The following table describes the labels in this screen.
Table 83 Anti-Virus: General
LABEL
DESCRIPTION
General Setup
Enable Anti-Virus
Select Enable Anti-Virus to activate the anti-virus feature on the ZyWALL. Clear
this check box to disable it.
Note: Before you use the anti-virus feature, you must register for
the service (refer to the chapter on registration for more
information).
Enable ZIP File Scan
Select this check box to have the ZyWALL scan a ZIP file (with the “zip” or “gzip”
file extension). The ZyWALL first decompresses the ZIP file and then scans the
contents for viruses.
Note: The ZyWALL decompresses a ZIP file once. The ZyWALL
does NOT decompress any ZIP file(s) within the ZIP file.
Turbo Card
This field displays whether or not a ZyWALL Turbo Card is installed.
Note: You cannot configure and save the IDP and Anti-Virus
screens if the ZyWALL Turbo Card is not installed.
Available Service
Service
This field displays the service names and standard port numbers that identify them.
Active
Select Active to enable the anti-virus scanner for the corresponding service.
Log
Select Log to create a log when a virus is detected.
Alert
This field is applicable only when you select Log.
Select Alert to create an alert when a virus is detected.
Protected Interface
Select the interface(s) where you want the ZyWALL to scan files for viruses.
Choices are LAN, WAN (or WAN1, WAN2) and DMZ.
Send Windows Message
Select this check box to set the ZyWALL to send a message alert to the files’ intended
user(s) on Microsoft Windows computers connected to the protected interface.
Destroy File
Select this check box to set the ZyWALL to erase the infected portion of the file
before sending it. Once destroyed, you may not be able to open the file.
Apply
Click Apply to save your changes.
Reset
Click Reset to start configuring this screen again.
14.4 Signature Update
The ZyWALL comes with built-in signatures created by the ZyXEL Security Response Team
(ZSRT). These are regularly updated as new intrusions evolve. Use the Update screen to
immediately download or schedule new signature downloads.
Note: You should have already registered the ZyWALL at myZyXEL.com (http://
www.myzyxel.com/myzyxel/) and also have either activated the trial license or
standard license (iCard). If your license has expired, you will have to renew it
before updates are allowed.
14.4.1 mySecurity Zone
mySecurity Zone is a web portal that provides all security-related information such as
intrusion and anti-virus information for ZyXEL security products.
You should have already registered your ZyWALL on myZyXEL.com at:
http://www.myzyxel.com/myzyxel/.
You can use your myZyXEL.com username and password to log into mySecurity Zone.
14.4.2 Configuring Anti-virus Update
When scheduling signature updates, you should choose a day and time when your network is
least busy so as to minimize disruption to your network. Your custom signature configurations
are not over-written when you download new signatures.
IDP signatures (see the chapters on IDP) are included with file-based anti-virus signatures.
When you download new signatures using the IDP Update screen, anti-virus signatures are
also downloaded. The version number changes both in the IDP Update screen and this screen.
Both screens also share the same Auto-Update schedule. Changes made to the schedule in one
screen are reflected in the other.
Note: The ZyWALL does not have to reboot when you upload new signatures.
Click SECURITY, ANTI-VIRUS from the navigation panel and then click the Update tab.
Figure 123 Anti-Virus: Update
The following table describes the labels in this screen.
Table 84 Anti-Virus: Update
LABEL
DESCRIPTION
Signature Information
Current Pattern Version
This field displays the signature version number currently used by the ZyWALL.
This number is defined by the ZyXEL Security Response Team (ZSRT), who
maintain and update the signatures.
This number increments as new signatures are added, so you should refer to this
number regularly. Go to https://mysecurity.zyxel.com/mysecurity/ to see what the
latest version number is. You can also subscribe to signature update e-mail
notifications.
Release Date
This field displays the time (hour, minute, second) and date (month, date, year)
that the above signature set was created.
Last Update
This field displays the last date and time you downloaded new signatures to the
ZyWALL. It displays N/A if you have not downloaded any new signatures yet.
Current Anti-Virus Signatures
This field displays the number of anti-virus related signatures.
Signature Update
Service Status
This field displays License Inactive if you have not yet activated your trial or iCard
license at myZyXEL.com.
It displays License Inactive and an expiration date if your trial or iCard license has
expired (the expiration date is the date it expired).
It displays Trial Active and an expiration date when you have activated your trial
license.
It displays License Active and an expiration date when you have activated your
iCard license (the expiration date is the date it will expire).
Update Server
This is the URL of the signature server from which you download signatures. The
default server at the time of writing is displayed as shown in the screen.
Update Now
Click this button to begin downloading signatures from the Update Server
immediately.
Auto Update
Select the check box to configure a schedule for automatic signature updates. The
Hourly, Daily and Weekly fields display when the check box is selected. The
ZyWALL then automatically downloads signatures from the Update Server
regularly at the time and/or day you specify.
Hourly
Select this option to have the ZyWALL check the update server for new signatures
every hour. This may be advisable when new viruses are currently spreading
throughout the Internet.
Daily
Select this option to have the ZyWALL check the update server for new signatures
every day at the hour you select from the list box. The ZyWALL uses a 24-hour
clock. For example, choose 15 from the O’clock list box to have the ZyWALL
check the update server for new signatures at 3 PM every day.
Weekly
Select this option to have the ZyWALL check the update server for new signatures
once a week on the day and hour you select from the list boxes. The ZyWALL uses
a 24-hour clock, so for example, choose Wednesday and 15 from the respective
list boxes to have the ZyWALL check the update server for new signatures at 3PM
every Wednesday.
Apply
Click this button to save your changes back to the ZyWALL.
Reset
Click this button to close this screen without saving any changes.
CHAPTER 15
Anti-Spam
This chapter covers how to use the ZyWALL’s anti-spam feature to deal with junk e-mail
(spam).
15.1 Anti-Spam Overview
The ZyWALL’s anti-spam feature identifies unsolicited commercial or junk e-mail (spam).
You can set the ZyWALL to mark or discard spam. The ZyWALL can use an anti-spam
external database to help identify spam. Use the whitelist to identify legitimate e-mail. Use the
blacklist to identify spam e-mail.
15.1.1 Anti-Spam External Database
If an e-mail does not match any of the whitelist or blacklist entries, the ZyWALL calculates a
digest (fingerprint ID) of the e-mail and sends it to the anti-spam external database. The
anti-spam external database checks the digest against (more than a million) known spam patterns.
The anti-spam external database uses the following spam detection engines in checking each
e-mail.
• SpamBulk: This engine identifies e-mail that has been sent in bulk or is similar to e-mail
that is sent in bulk.
• SpamRepute: This engine checks to see if most people want the e-mail.
• SpamContent: This engine checks to see if the message would generally be considered
offensive.
• SpamTricks: This engine checks to see if the e-mail is formatted to be economical for
spammers or to circumvent anti-spam rules.
The anti-spam external database then uses a proprietary Bayesian¹ statistical formula to
combine the results into one score of how likely the e-mail is to be spam and sends it to the
ZyWALL. The possible range for the spam score is 0~100. The closer the score is to 100, the
more likely the e-mail is to be spam. You must subscribe to and activate the anti-spam external
database service in order to use it (see Section 15.1.7 on page 270 for details).
1. Bayesian analysis interprets probabilities as degrees of belief rather than as proportions,
frequencies and such. Bayesian analysis frequently uses Bayes' theorem, hence the name.
15.1.1.1 SpamBulk Engine
The e-mail fingerprint ID that the ZyWALL generates and sends to the anti-spam external
database only includes the parts of the e-mail that are the most difficult for spammers (senders
of spam) to change or fake. The anti-spam external database maintains a database of e-mail
fingerprint IDs. The anti-spam external database SpamBulk engine then queries the database
in analyzing later e-mails.
The SpamBulk Engine also uses Bayesian statistical analysis to detect whether an e-mail is
fundamentally the same as a known spam message in spite of a spammer’s attempt to disguise
it.
15.1.1.2 SpamRepute Engine
The SpamRepute engine calculates the reputation of the sender (whether or not most people
want to receive the e-mail from this sender).
The SpamRepute engine checks proprietary and third-party databases of known spammer
e-mail addresses, domains and IP addresses. The SpamRepute engine also uses Bayesian
statistical analysis to detect whether an e-mail is sent from a known spammer in spite of the
spammer’s attempt to disguise the sender’s identity. The anti-spam external database combines
all of this data into a SpamRepute Index for calculating the reputation of the sender in order to
guard against foreign language spam, fraud and phishing.
15.1.1.3 SpamContent Engine
The SpamContent engine examines the e-mail’s content to decide if it would generally be
considered offensive. The vocabulary design, format and layout are considered as part of
thousands of checks on message attributes that include the following.
• To Field
• Subject Field
• Header Fields
• Email Format, Design, and Layout
• Vocabulary, Word Formatting and Word Patterns
• Foreign Language Detection
• SMTP Envelope Content and Analysis
• Country Trace
• Image Layout Classification
• Hyperlink Analysis and Comparison
• Contact Verification
The SpamContent engine parses words into pieces to detect similar vocabulary even if the
words do not match exactly. The anti-spam external database also performs Bayesian
statistical analysis on the e-mail’s content. The engine uses artificial intelligence technology to
'learn' over time, as spam changes.
15.1.1.4 SpamTricks Engine
The SpamTricks engine checks for the tactics that spammers use to minimize the expense of
sending lots of e-mail and tactics that they use to bypass spam filters.
Use of relays, image-only e-mails, manipulation of mail formats and HTML obfuscation are
common tricks for which the SpamTricks engine checks. The SpamTricks engine also checks
for “phishing” (see Section 15.1.3 on page 268 for more on phishing).
15.1.2 Spam Threshold
You can configure the threshold for what spam score is classified as spam. The ZyWALL
considers any e-mail with a spam score higher than the spam threshold to be spam. Any e-mail
with a score less than or equal to the spam threshold is treated as legitimate. The following is
an example of the ZyWALL checking e-mail with the external database.
Figure 124 Anti-spam External Database Example
1 E-mail comes into the ZyWALL from an e-mail server (A in the figure).
2 The ZyWALL calculates a digest of the e-mail and sends it to the anti-spam external
database.
3 The anti-spam external database calculates a spam score for the e-mail and sends the
score back to the ZyWALL.
4 The ZyWALL forwards the e-mail if the spam score is at or below the ZyWALL’s spam
threshold. If the spam score is higher than the spam threshold, the ZyWALL takes the
action that you configured for dealing with spam.
15.1.3 Phishing
Phishing is a scam where fraudsters send e-mail claiming to be from a well-known enterprise
in an attempt to steal private information. For example, the e-mail might appear to be from a
bank, online payment service, or even a government agency. It generally tells you to click a
link and update your identity information in order for the business or organization to verify
your account. The link directs you to a phony website that mimics the business or
organization’s website. The fraudsters then use your personal information to pretend to be you
and commit crimes like running up bills in your name (identity theft).
The anti-spam external database checks for spoofing of e-mail attributes (like the IP address)
and uses statistical analysis to detect phishing.
15.1.4 Whitelist
Configure whitelist entries to identify legitimate e-mail. The whitelist entries have the
ZyWALL classify any e-mail that is from a specified sender or uses a specified MIME
(Multipurpose Internet Mail Extensions) header or MIME header value as being legitimate
(see Section 15.1.7 on page 270 for more on MIME headers). The anti-spam feature checks an
e-mail against the whitelist entries before doing any other anti-spam checking. If the e-mail
matches a whitelist entry, the ZyWALL classifies the e-mail as legitimate and does not
perform any more anti-spam checking on that individual e-mail. A properly configured
whitelist helps keep important e-mail from being incorrectly classified as spam. The whitelist
can also increase the ZyWALL’s anti-spam speed and efficiency, since the ZyWALL does not
perform the full anti-spam checking process on legitimate e-mail.
15.1.5 Blacklist
Configure blacklist entries to identify spam. The blacklist entries have the ZyWALL classify
any e-mail that is from a specified sender or uses a specified MIME (Multipurpose Internet
Mail Extensions) header or MIME header value as being spam. If an e-mail does not match
any of the whitelist entries, the ZyWALL checks it against the blacklist entries. The ZyWALL
classifies an e-mail that matches a blacklist entry as spam and immediately takes the action
that you configured for dealing with spam. The ZyWALL does not perform any more anti-spam
checking on that individual e-mail. A properly configured blacklist helps catch spam e-mail
and increases the ZyWALL’s anti-spam speed and efficiency.
15.1.6 SMTP and POP3
Simple Mail Transfer Protocol (SMTP) is the Internet’s message transport standard. It controls
the sending of e-mail messages between servers. E-mail clients (also called e-mail
applications) then use mail server protocols such as POP (Post Office Protocol) or IMAP
(Internet Message Access Protocol) to retrieve e-mail. E-mail clients also generally use SMTP
to send messages to a mail server. The older POP2 requires SMTP for sending messages while
the newer POP3 can be used with or without it. This is why many e-mail applications require
you to specify both the SMTP server and the POP or IMAP server (even though they may
actually be the same server).
The ZyWALL’s anti-spam feature checks SMTP (TCP port 25) and POP3 (TCP port 110)
e-mails. The anti-spam feature does not check (or act upon) e-mails that use other protocols
(such as IMAP) or other port numbers.
15.1.7 MIME Headers
MIME (Multipurpose Internet Mail Extensions) allows varied media types to be used in
e-mail. MIME headers describe an e-mail’s content encoding and type. For example, it may
show which program generated the e-mail and what type of text is used in the e-mail body.
Here are some examples of MIME headers:
• X-Priority: 3 (Normal)
• X-MSMail-Priority: Normal
• Content-Type: text/plain; charset="iso-8859-1"
• Content-Transfer-Encoding: base64
In a MIME header, the part that comes before the colon (:) is the header. The part that comes
after the colon is the value. Spam often has blank header values or comments in them that are
part of an attempt to bypass spam filters.
15.2 Anti-Spam General Screen
Click SECURITY, ANTI-SPAM to open the Anti-Spam General screen. Use this screen to
turn the anti-spam feature on or off and set how the ZyWALL treats spam.
Figure 125 Anti-Spam: General
The following table describes the labels in this screen.
Table 85 Anti-Spam: General
LABEL
DESCRIPTION
General Setup
Enable Anti-spam
Select this check box to enable the anti-spam feature.
Note: The anti-spam feature checks all SMTP and POP3 e-mail going through the
ZyWALL, regardless of through which port the e-mail came in or to which
port it is going.
Action for Spam Mails
Use this section to set how the ZyWALL is to handle spam mail.
Phishing Tag
Enter a message or label (up to 16 ASCII characters) to add to the mail
subject of e-mails that the anti-spam external database classifies as phishing.
Note: You must register for and enable the anti-spam external
database feature in order for the ZyWALL to use this tag
(see Chapter 10 on page 185 for details).
Spam Tag
Enter a message or label (up to 16 ASCII characters) to add to the mail
subject of e-mails that the ZyWALL classifies as spam.
Forward SMTP & POP3 mail with tag in mail subject
Select this radio button to have the ZyWALL forward spam e-mail with the tag
that you define.
Even if you plan to use the discard option, you may want to use this initially
as a test to check how accurate your anti-spam settings are. Check the e-mail
the ZyWALL forwards to you to make sure that unwanted e-mail is marked as
spam and legitimate e-mail is not marked as spam.
Discard SMTP mail. Forward POP3 mail with tag in mail subject
Select this radio button to have the ZyWALL discard spam SMTP e-mail. The
ZyWALL will still forward spam POP3 e-mail with the tag that you define.
Action taken when mail sessions threshold is reached
The anti-spam feature limits the number of concurrent e-mail sessions. An
e-mail session is when an e-mail client and e-mail server (or two e-mail
servers) connect through the ZyWALL. Use this section to configure what the
ZyWALL does when the number of concurrent e-mail sessions goes over the
threshold (see the appendix of product specifications for the threshold).
Select Forward to have the ZyWALL allow the excess e-mail sessions
without any spam filtering.
Select Block to have the ZyWALL drop mail connections to stop the excess
e-mail sessions. The e-mail client or server will have to attempt to send or
receive e-mail later when the number of e-mail sessions is under the
threshold.
Apply
Click Apply to save your changes back to the ZyWALL.
Reset
Click Reset to begin configuring this screen afresh.
15.3 Anti-Spam External DB Screen
Click SECURITY, ANTI-SPAM, External DB to display the Anti-Spam External DB
screen. Use this screen to enable or disable the use of the anti-spam external database. You can
also configure the spam threshold and what to do when no valid spam score is received. You
must register for this service before you can use it (see Chapter 4 on page 104 for details).
Figure 126 Anti-Spam: External DB
The following table describes the labels in this screen.
Table 86 Anti-Spam: External DB
LABEL
DESCRIPTION
External Database
Enable External Database
Enable the anti-spam external database feature to have the ZyWALL calculate
a digest of an e-mail and send it to an anti-spam external database.
The anti-spam external database sends a spam score for the e-mail back to
the ZyWALL.
Spam Threshold
The anti-spam external database checks an e-mail’s digest and sends back a
score that rates how likely the e-mail is to be spam. The possible range for the
spam score is 0~100. The closer the score is to 100, the more likely the e-mail
is to be spam.
Set the spam score threshold (from 0 to 100) for considering an e-mail to be
spam. The ZyWALL classifies any e-mail with a spam score at or below the
spam threshold as not being spam and any e-mail with a spam score higher
than the spam threshold as being spam.
A lower spam threshold catches more spam e-mails, but may also classify
more legitimate e-mail as spam.
A higher spam threshold lessens the chance of classifying legitimate e-mail as
spam, but may allow more spam to get through.
Action for No Spam Score
Use this field to configure what the ZyWALL does if it does not receive a valid
response from the anti-spam external database.
If the ZyWALL does not receive a response within seven seconds, it sends the
e-mail digest a second time. If the ZyWALL still does not receive a response
after another seven seconds, it takes the action that you configure here. The
ZyWALL also takes this action if it receives an invalid response.
Here are possible reasons that would cause the ZyWALL to take this action:
1. The ZyWALL was not able to connect to the anti-spam external database.
2. The ZyWALL connected to the anti-spam external database, but there was
no HTTP response within seven seconds.
3. The ZyWALL received an error code from the anti-spam external database.
4. The ZyWALL received an invalid spam score (for example a number higher
than 100).
5. The ZyWALL received an unknown response to the anti-spam query.
Tag for No Spam Score
Enter a message or label (up to 16 ASCII characters) to add to the mail
subject of e-mails that the ZyWALL forwards if a valid spam score was not
received within ten seconds.
Forward SMTP & POP3 mail with tag in mail subject
Select this radio button to have the ZyWALL forward mail with the tag that you
define.
Discard SMTP mail. Forward POP3 mail with tag in mail subject
Select this radio button to have the ZyWALL discard SMTP mail. The ZyWALL
will still forward POP3 mail with the tag that you define.
External Database Service Status
This read-only field displays the status of your anti-spam external database
service registration and activation.
License Inactive displays if you have not successfully registered and
activated the anti-spam external database service.
License Inactive and the date your subscription expired display if your
subscription to the anti-spam external database service has expired.
License Active and the subscription expiration date display if you have
successfully registered the ZyWALL and activated the anti-spam external
database service.
Trial Active and the trial subscription expiration date display if you have
successfully registered the ZyWALL and activated the anti-spam external
database service trial subscription.
Apply
Click Apply to save your changes back to the ZyWALL.
Reset
Click Reset to begin configuring this screen afresh.
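As an added example, not code from this guide or from ZyXEL, the following Python models the order of checks described in Sections 15.1.2, 15.1.4, 15.1.5 and 15.1.7 together with the no-score handling of Table 86: a whitelist match ends checking as legitimate, a blacklist match ends it as spam, and otherwise the external database score is compared with the threshold. The entry types follow the Rule Edit screen (IP, E-Mail, MIME header); the class and function names (ListEntry, Mail, classify_mail, delivery_action) and the SHA-256 stand-in for the fingerprint ID are constructed, since the real digest format is not documented here.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed model (this example's own code, not the ZyWALL's) of the order of
# anti-spam checks in Sections 15.1.2, 15.1.4, 15.1.5 and 15.1.7 and of the
# "Action for No Spam Score" handling in Table 86.


@dataclass
class ListEntry:
    kind: str        # "ip", "email" or "mime" (the Type choices of the Rule Edit screen)
    content: str     # IP address, sender address or domain, or "Header" / "Header: value"
    active: bool = True


@dataclass
class Mail:
    src_ip: str
    sender: str
    subject: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def entry_matches(entry: ListEntry, mail: Mail) -> bool:
    """Does one whitelist/blacklist entry apply to this e-mail?"""
    if not entry.active:
        return False
    if entry.kind == "ip":
        return mail.src_ip == entry.content
    if entry.kind == "email":
        # A bare domain in the entry matches every sender at that domain.
        wanted, sender = entry.content.lower(), mail.sender.lower()
        return sender == wanted or ("@" not in wanted and sender.endswith("@" + wanted))
    if entry.kind == "mime":
        # Section 15.1.7: before the colon is the header, after it the value.
        # An entry without a value matches the header name whatever its value,
        # which is how a blank-value header (a common spam trait) can be listed.
        name, _, value = entry.content.partition(":")
        name, value = name.strip().lower(), value.strip()
        return any(h.lower() == name and (value == "" or v.strip() == value)
                   for h, v in mail.headers.items())
    raise ValueError(f"unknown entry type {entry.kind!r}")


def mail_digest(mail: Mail) -> str:
    """Constructed stand-in for the fingerprint ID; the real digest is not documented here."""
    return hashlib.sha256(mail.body.encode("utf-8")).hexdigest()


def classify_mail(mail: Mail, whitelist: List[ListEntry], blacklist: List[ListEntry],
                  score_lookup: Callable[[str], Optional[int]], threshold: int,
                  spam_tag: str = "[SPAM]", no_score_tag: str = "[NO SCORE]") -> Tuple[str, str]:
    """Return (verdict, subject); verdict is 'legit', 'spam' or 'no-score'.

    Whitelist first, then blacklist, then the external database score: a score
    at or below the threshold is legitimate, above it is spam (Section 15.1.2)."""
    if any(entry_matches(e, mail) for e in whitelist):
        return "legit", mail.subject
    if any(entry_matches(e, mail) for e in blacklist):
        return "spam", f"{spam_tag} {mail.subject}"
    score = score_lookup(mail_digest(mail))   # None models no response after the retry
    if score is None or not 0 <= score <= 100:
        # Table 86, reasons 2 and 4: no response, or a score outside 0..100.
        return "no-score", f"{no_score_tag} {mail.subject}"
    if score > threshold:
        return "spam", f"{spam_tag} {mail.subject}"
    return "legit", mail.subject


def delivery_action(verdict: str, protocol: str, discard_smtp: bool) -> str:
    """Tables 85 and 86: tagged mail is forwarded, or SMTP spam is discarded
    while POP3 spam is still forwarded with its tag."""
    if verdict == "legit":
        return "forward"
    if discard_smtp and protocol.lower() == "smtp":
        return "discard"
    return "forward-tagged"


if __name__ == "__main__":
    # Constructed sample lists and message (addresses use documentation ranges/domains).
    whitelist = [ListEntry("email", "partner.example")]
    blacklist = [ListEntry("ip", "192.0.2.10"), ListEntry("mime", "X-Empty-Header")]
    msg = Mail("198.51.100.8", "someone@other.example", "offer", body="constructed body")
    verdict, subject = classify_mail(msg, whitelist, blacklist, lambda d: 85, threshold=70)
    print(verdict, subject, delivery_action(verdict, "smtp", discard_smtp=True))
```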
15.4 Anti-Spam Lists Screen
Click SECURITY, ANTI-SPAM, Lists to display the Anti-Spam Lists screen.
Configure the whitelist to identify legitimate e-mail. Configure the blacklist to identify spam
e-mail. You can create whitelist or blacklist entries based on the sender’s IP address or e-mail
address. You can also create entries that check for particular MIME headers or MIME header
values.
Figure 127 Anti-Spam: Lists
The following table describes the labels in this screen.
Table 87 Anti-Spam: Lists
LABEL
DESCRIPTION
Resource Usage
Whitelist & Blacklist Storage Space in Use
This bar displays the percentage of the ZyWALL’s anti-spam whitelist and
blacklist storage space that is currently in use. The bar turns from green to red
when the maximum is being approached. When the bar is red, you should
consider deleting unnecessary entries before adding more.
Whitelist
Use Whitelist
Select this check box to have the ZyWALL forward e-mail that matches a
whitelist entry without doing any more anti-spam checking on that individual e-mail.
Active
This field shows whether or not an entry is turned on.
Type
This field displays whether the entry is based on the e-mail’s source IP address,
source e-mail address or a MIME header.
Content
This field displays the source IP address, source e-mail address or MIME
header for which the entry checks.
Modify
Click the Edit icon to change the entry. Click the Remove icon to delete the
entry. Click the Move icon to change the entry’s position in the list.
Insert
Type the index number where you want to put an entry. For example, if you type
6, your new entry becomes number 6 and the previous entry 6 (if there is one)
becomes entry 7.
Click Insert to display the screen where you edit an entry.
Blacklist
Use Blacklist
Select this check box to have the ZyWALL treat e-mail that matches a blacklist
entry as spam.
Active
This field shows whether or not an entry is turned on.
Type
This field displays whether the entry is based on the e-mail’s source IP address,
source e-mail address or a MIME header.
Content
This field displays the source IP address, source e-mail address or MIME
header for which the entry checks.
Modify
Click the Edit icon to change the entry. Click the Remove icon to delete the
entry. Click the Move icon to change the entry’s position in the list.
Insert
Type the index number where you want to put an entry. For example, if you type
6, your new entry becomes number 6 and the previous entry 6 (if there is one)
becomes entry 7.
Click Insert to display the screen where you edit an entry.
Apply
Click Apply to save your changes back to the ZyWALL.
Reset
Click Reset to begin configuring this screen afresh.
15.5 Anti-Spam Rule Edit Screen
Click SECURITY, ANTI-SPAM, Lists to display the Anti-Spam Lists screen. To create a
new anti-spam whitelist or blacklist entry, type the index number where you want to put the
entry and click Insert to display the ANTI-SPAM Rule Edit screen.
If you have already configured an anti-spam whitelist or blacklist entry, you can click the edit
icon to display the ANTI-SPAM Rule Edit screen.
Figure 128 Anti-Spam Rule Edit
The following table describes the labels in this screen.
Table 88 Anti-Spam Rule Edit
LABEL
DESCRIPTION
Rule Edit
Active
Turn this entry on to have the ZyWALL use it as part of the whitelist or blacklist. You
must also turn on the use of the corresponding list (in the Anti-Spam
Customization screen) and the anti-spam feature (in the Anti-Spam General
screen).
Type
Use this field to base the entry on the e-mail’s source IP address, source e-mail
address or a MIME header.
Select IP to have the ZyWALL check e-mail for a specific source IP address.
You can create whitelist IP address entries for e-mail servers on your LAN or DMZ
to speed up the ZyWALL’s processing of your outgoing e-mail.
Select E-Mail to have the ZyWALL check e-mail for a specific source e-mail
address or domain name.
You can create a whitelist entry for your company’s domain name (or e-mail
accounts) to speed up the ZyWALL’s processing of e-mail sent by your company’s
employees.
Select MIME Header to have the ZyWALL check e-mail for specific MIME headers
or values.
Configure blacklist MIME header entries to check for e-mail sent by bulk mail
programs or carrying headers and values that are commonly used in spam. You can also
configure whitelist MIME header entries to allow certain MIME headers or values
that identify the e-mail as being from a trusted source.
IP Address
This field displays when you select the IP type. Enter an IP address in dotted
decimal notation.
IP Subnet Mask
This field displays when you select the IP type. Enter the subnet mask here, if
applicable.
E-Mail Address
This field displays when you select the E-Mail type. Enter an e-mail address or
domain name (up to 63 ASCII characters).
You can enter an individual e-mail address like [email protected]
If you enter a domain name, the ZyWALL searches the source e-mail address
string after the “@” symbol to see if it matches the domain name.
For example, you configure an entry with “def.com” as the domain name:
E-mails sent from def.com e-mail addresses such as [email protected] match the
entry.
E-mails sent from mail.def.com, such as [email protected] do not match the entry
since “mail.def.com” does not match “def.com”.
Header
This field displays when you select the MIME Header type.
Type the header part of a MIME header (up to 63 ASCII characters).
In a MIME header, the header is the part that comes before the colon (:).
For example, if you want the whitelist or blacklist entry to check for the MIME
header “X-MSMail-Priority: Normal”, enter “X-MSMail-Priority” here as the MIME
header.
Value
This field displays when you select the MIME Header type.
Type the value part of a MIME header (up to 63 ASCII characters).
In a MIME header, the part that comes after the colon is the value.
For example, if you want the whitelist or blacklist entry to check for the MIME
header “X-MSMail-Priority: Normal”, enter “Normal” here as the MIME value.
Apply
Click Apply to save your settings and exit this screen.
Cancel
Click Cancel to exit this screen without saving.
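The matching rules that the Type, IP Address, IP Subnet Mask, E-Mail Address, Header and Value fields describe can be expressed compactly in code. The following is an added example written for this guide, not ZyXEL firmware code: the Entry and Mail classes, the constructed addresses and the header names are assumptions, and header values are compared exactly, which the guide does not specify. It shows the whitelist-first order described in the Lists screen (a whitelist hit forwards the message without further checks), the IP-plus-mask test, the domain rule under which mail.def.com does not match def.com, and the header/value split at the colon.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example (not ZyXEL code): models whitelist/blacklist entries of the
# three types from the Anti-Spam Rule Edit screen and how each one matches.

@dataclass
class Entry:
    kind: str                        # "IP", "E-Mail" or "MIME Header"
    content: str                     # IP address, e-mail address/domain, or header name
    mask: str = "255.255.255.255"    # IP entries only; host mask by default
    value: str = ""                  # MIME Header entries only
    active: bool = True

@dataclass
class Mail:
    source_ip: str
    sender: str
    headers: dict = field(default_factory=dict)   # constructed header name -> value

def ip_matches(entry, ip):
    """IP entries match when the source address lies inside address/mask."""
    net = ipaddress.IPv4Network((entry.content, entry.mask), strict=False)
    return ipaddress.IPv4Address(ip) in net

def email_matches(entry, sender):
    """A full address must match exactly.  A domain entry is compared with the
    whole string after '@', so abc@mail.def.com does not match def.com."""
    sender, wanted = sender.lower(), entry.content.lower()
    if "@" in wanted:
        return sender == wanted
    return sender.rpartition("@")[2] == wanted

def header_matches(entry, headers):
    """MIME Header entries: name is the part before the colon, value the part after."""
    for name, val in headers.items():
        if name.lower() == entry.content.lower() and val.strip() == entry.value:
            return True
    return False

def matches(entry, mail):
    """Inactive entries never match, as the Active field describes."""
    if not entry.active:
        return False
    if entry.kind == "IP":
        return ip_matches(entry, mail.source_ip)
    if entry.kind == "E-Mail":
        return email_matches(entry, mail.sender)
    if entry.kind == "MIME Header":
        return header_matches(entry, mail.headers)
    raise ValueError("unknown entry type: %r" % entry.kind)

def classify(mail, whitelist, blacklist, use_whitelist=True, use_blacklist=True):
    """Whitelist first: a hit forwards the message with no further anti-spam
    checks.  A blacklist hit marks it as spam.  Otherwise the remaining
    anti-spam checks run ('continue')."""
    if use_whitelist and any(matches(e, mail) for e in whitelist):
        return "forward"
    if use_blacklist and any(matches(e, mail) for e in blacklist):
        return "spam"
    return "continue"
```

A whitelist IP entry for the internal mail server's subnet and an E-Mail entry for the company domain cover the two speed-up cases the guide mentions; note that the whitelist wins even when a blacklist header entry would also match, so whitelist entries deserve the same care as firewall allow rules.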
CHAPTER 16
Content Filtering Screens
This chapter provides an overview of content filtering.
16.1 Content Filtering Overview
Content filtering allows you to block certain web features, such as Cookies, and/or restrict
specific websites. With content filtering, you can do the following:
16.1.1 Restrict Web Features
The ZyWALL can block web features such as ActiveX controls, Java applets, cookies and
disable web proxies.
16.1.2 Create a Filter List
You can select categories, such as pornography or racial intolerance, to block from a predefined list.
16.1.3 Customize Web Site Access
You can specify URLs to which the ZyWALL blocks access. You can alternatively block
access to all URLs except ones that you specify. You can also have the ZyWALL block access
to URLs that contain key words that you specify.
16.2 Content Filter General
Click SECURITY, CONTENT FILTER to open the CONTENT FILTER General screen.
Use this screen to enable content filtering, configure a schedule, and create a denial message.
You can also choose specific computers to be included in or excluded from the content
filtering configuration.
Figure 129 Content Filter : General
The following table describes the labels in this screen.
Table 89 Content Filter : General
LABEL
DESCRIPTION
General Setup
Enable Content Filter
Select this check box to enable the content filter.
Restrict Web Features
Select the check box(es) to restrict a feature. When you download a page
containing a restricted feature, that part of the web page will appear blank or
grayed out.
Block
ActiveX
ActiveX is a tool for building dynamic and active web pages and distributed
object applications. When you visit an ActiveX web site, ActiveX controls are
downloaded to your browser, where they remain in case you visit the site
again.
Java
Java is a programming language and development environment for building
downloadable Web components or Internet and intranet business
applications of all kinds.
Cookies
Cookies are files stored on a computer’s hard drive. Some web servers use
them to track usage and provide service based on ID.
Web Proxy
A server that acts as an intermediary between a user and the Internet to
provide security, administrative control, and caching service. When a proxy
server is located on the WAN it is possible for LAN users to circumvent
content filtering by pointing to this proxy server.
Schedule to Block
Content filtering scheduling applies to the Filter List, Customized sites and
Keywords. Restricted web server data, such as ActiveX, Java, Cookies and
Web Proxy are not affected.
Always Block
Click this option button to have content filtering always active with Time of
Day limitations not enforced. This is enabled by default.
Block From/To
Click this option button to have content filtering only active during the time
interval specified. In the Block From and To fields, enter the time period, in
24-hour format, during which content filtering will be enforced.
Message to display
when a site is blocked
Denied Access
Message
Enter a message to be displayed when a user tries to access a restricted web
site. The default message is Please contact your network administrator!!
Exempt Computers
Enforce content filter
policies for all
computers
Select this checkbox to have all users on your LAN follow content filter
policies (default).
Include specified
address ranges in the
content filter
enforcement
Select this checkbox to have a specific range of users on your LAN follow
content filter policies.
Exclude specified
address ranges from the
content filter
enforcement
Select this checkbox to exempt a specific range of users on your LAN from
the content filter policies.
Add Address Ranges
From
Type the beginning IP address (in dotted decimal notation) of the specific
range of users on your LAN.
To
Type the ending IP address (in dotted decimal notation) of the specific range
of users on your LAN, then click Add Range.
Address List
This text field shows the address ranges that are blocked.
Add Range
Click Add Range after you have filled in the From and To fields above.
Delete Range
Click Delete Range after you select the range of addresses you wish to
delete.
Apply
Click Apply to save your changes back to the ZyWALL.
Reset
Click Reset to begin configuring this screen afresh.
16.3 Content Filtering with an External Database
When you register for and enable external database content filtering, your ZyWALL accesses
an external database that has millions of web sites categorized based on content. You can have
the ZyWALL block, block and log, or just log access to web sites based on these categories. The
content filtering lookup process is described below.
Figure 130 Content Filtering Lookup Procedure
1 A computer behind the ZyWALL tries to access a web site.
2 The ZyWALL looks up the web site in its cache. If an attempt to access the web site was
made in the past, a record of that web site’s category will be in the ZyWALL’s cache. The
ZyWALL blocks, blocks and logs or just logs the request based on your configuration.
3 Use the CONTENT FILTER Cache screen to configure how long a web site address
remains in the cache as well as view those web site addresses (see Section 16.7 on page
291). All of the web site address records are also cleared from the local cache when the
ZyWALL restarts.
4 If the ZyWALL has no record of the web site, it will query the external content filtering
database and simultaneously send the request to the web server.
The external content filtering database may change a web site’s category or categorize a
previously uncategorized web site.
5 The external content filtering server sends the category information back to the
ZyWALL, which then blocks and/or logs access to the web site. The web site’s address
and category are then stored in the ZyWALL’s content filtering cache.
16.4 Content Filter Categories
Click SECURITY, CONTENT FILTER, and then the Categories tab to display the
CONTENT FILTER Categories screen. Use this screen to configure category-based content
filtering. You can set the ZyWALL to use external database content filtering and select which
web site categories to block and/or log. You must register for external content filtering before
you can use it. Use the REGISTRATION screens (see Chapter 4 on page 104) to create a
myZyXEL.com account, register your device and activate the external content filtering
service.
Do the following to view content filtering reports (see Chapter 17 on page 294 for details).
1 Log into myZyXEL.com and click your device’s link to open its Service Management
screen.
2 Click Content Filter in the Service Name field to open the Blue Coat login screen.
3 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find
this MAC address in the Service Management screen (Figure 136 on page 296). Type
your myZyXEL.com account password in the Password field. Click Submit.
Figure 131 Content Filter : Categories
The following table describes the labels in this screen.
Table 90 Content Filter: Categories
LABEL
DESCRIPTION
Auto Category Setup
Enable External Database
Content Filtering
Enable external database content filtering to have the ZyWALL check an
external database to find to which category a requested web page
belongs. The ZyWALL then blocks or forwards access to the web page
depending on the configuration of the rest of this page.
Matched Web Pages
Select Block to prevent users from accessing web pages that match the
categories that you select below.
When external database content filtering blocks access to a web page, it
displays the denied access message that you configured in the
CONTENT FILTER General screen along with the category of the
blocked web page.
Select Log to record attempts to access prohibited web pages.
Unrated Web Pages
Select Block to prevent users from accessing web pages that the external
database content filtering has not categorized.
When the external database content filtering blocks access to a web
page, it displays the denied access message that you configured in the
CONTENT FILTER General screen along with the category of the
blocked web page.
Select Log to record attempts to access web pages that are not
categorized.
Block When Content Filter Server
Is Unavailable
Select Block to block access to any requested web page if the external
content filtering database is unavailable. The following are possible
causes:
There is no response from the external content filtering server within
the time period specified in the Content Filter Server Unavailable
Timeout field.
The ZyWALL is not able to resolve the domain name of the external
content filtering database.
There is an error response from the external content filtering
database. This can be caused by an expired content filtering
registration (“External content filtering’s license key is invalid”).
Select Log to record attempts to access web pages that occur when the
external content filtering database is unavailable.
Content Filter Server
Unavailable Timeout
Specify a number of seconds (1 to 30) for the ZyWALL to wait for a
response from the external content filtering server. If there is still no
response by the time this period expires, the ZyWALL blocks or allows
access to the requested web page based on the setting in the Block
When Content Filter Server Is Unavailable field.
Select Categories
Select All Categories
Select this check box to restrict access to all site categories listed below.
Clear All Categories
Select this check box to clear the selected categories below.
Adult/Mature Content
Selecting this category excludes pages that contain material of adult
nature that does not necessarily contain excessive violence, sexual
content, or nudity. These pages include very profane or vulgar content
and pages that are not appropriate for children.
Pornography
Selecting this category excludes pages that contain sexually explicit
material for the purpose of arousing a sexual or prurient interest.
Sex Education
Selecting this category excludes pages that provide information
(sometimes graphic) on reproduction, sexual development, safe sex
practices, sexuality and birth control. It also
includes pages that offer tips for better sex as well as products used for
sexual enhancement.
Intimate Apparel/Swimsuit
Selecting this category excludes pages that contain images or offer the
sale of swimsuits or intimate apparel or other types of suggestive clothing.
It does not include pages selling undergarments as a subsection of other
products offered.
Nudity
Selecting this category excludes pages containing nude or seminude
depictions of the human body. These depictions are not necessarily
sexual in intent or effect, but may include pages containing nude paintings
or photo galleries of artistic nature. This category also includes nudist or
naturist pages that contain pictures of nude individuals.
Alcohol/Tobacco
Selecting this category excludes pages that promote or offer the sale of
alcohol/tobacco products, or provide the means to create them. It also
includes pages that glorify, tout, or otherwise encourage the consumption
of alcohol/tobacco. It does not include pages that sell alcohol or tobacco
as a subset of other products.
Illegal/Questionable
Selecting this category excludes pages that advocate or give advice on
performing illegal acts such as service theft, evading law enforcement,
fraud, burglary techniques and plagiarism. It also includes pages that
provide or sell questionable educational materials, such as term papers.
Note: This category includes sites identified as being
malicious in any way (such as having viruses,
spyware and etc.).
Gambling
Selecting this category excludes pages where a user can place a bet or
participate in a betting pool (including lotteries) online. It also includes
pages that provide information, assistance, recommendations, or training
on placing bets or participating in games of chance. It does not include
pages that sell gambling related products or machines. It also does not
include pages for offline casinos and hotels (as long as those pages do
not meet one of the above requirements).
Violence/Hate/Racism
Selecting this category excludes pages that depict extreme physical harm
to people or property, or that advocate or provide instructions on how to
cause such harm. It also includes pages that advocate, depict hostility or
aggression toward, or denigrate an individual or group on the basis of
race, religion, gender, nationality, ethnic origin, or other characteristics.
Weapons
Selecting this category excludes pages that sell, review, or describe
weapons such as guns, knives or martial arts devices, or provide
information on their use, accessories, or other modifications. It does not
include pages that promote collecting weapons, or groups that either
support or oppose weapons use.
Abortion
Selecting this category excludes pages that provide information or
arguments in favor of or against abortion, describe abortion procedures,
offer help in obtaining or avoiding abortion, or provide information on the
effects, or lack thereof, of abortion.
Arts/Entertainment
Selecting this category excludes pages that promote and provide
information about motion pictures, videos, television, music and
programming guides, books, comics, movie theatres, galleries, artists or
reviews on entertainment.
Business/Economy
Selecting this category excludes pages devoted to business firms,
business information, economics, marketing, business management and
entrepreneurship. This does not include pages that perform services that
are defined in another category (such as Information Technology
companies, or companies that sell travel services).
Cult/Occult
Selecting this category excludes pages that promote or offer methods,
means of instruction, or other resources to affect or influence real events
through the use of spells, curses, magic powers and satanic or
supernatural beings.
Illegal Drugs
Selecting this category excludes pages that promote, offer, sell, supply,
encourage or otherwise advocate the illegal use, cultivation, manufacture,
or distribution of drugs, pharmaceuticals, intoxicating plants or chemicals
and their related paraphernalia.
Education
Selecting this category excludes pages that offer educational information,
distance learning and trade school information or programs. It also
includes pages that are sponsored by schools, educational facilities,
faculty, or alumni groups.
Cultural Institutions
Selecting this category excludes pages sponsored by cultural institutions,
or those that provide information about museums, galleries, and theaters
(not movie theaters). It includes groups such as 4H and the Boy Scouts of
America.
Financial Services
Selecting this category excludes pages that provide or advertise banking
services (online or offline) or other types of financial information, such as
loans. It does not include pages that offer market information, brokerage
or trading services.
Brokerage/Trading
Selecting this category excludes pages that provide or advertise trading of
securities and management of investment assets (online or offline). It
also includes insurance pages, as well as pages that offer financial
investment strategies, quotes, and news.
Games
Selecting this category excludes pages that provide information and
support game playing or downloading, video games, computer games,
electronic games, tips, and advice on games or how to obtain cheat
codes. It also includes pages dedicated to selling board games as well as
journals and magazines dedicated to game playing. It includes pages that
support or host online sweepstakes and giveaways.
Government/Legal
Selecting this category excludes pages sponsored by or which provide
information on government, government agencies and government
services such as taxation and emergency services. It also includes pages
that discuss or explain laws of various governmental entities.
Military
Selecting this category excludes pages that promote or provide
information on military branches or armed services.
Political/Activist Groups
Selecting this category excludes pages sponsored by or which provide
information on political parties, special interest groups, or any
organization that promotes change or reform in public policy, public
opinion, social practice, or economic activities.
Health
Selecting this category excludes pages that provide advice and
information on general health such as fitness and well-being, personal
health or medical services, drugs, alternative and complementary
therapies, medical information about ailments, dentistry, optometry,
general psychiatry, self-help, and support organizations dedicated to a
disease or condition.
Computers/Internet
Selecting this category excludes pages that sponsor or provide
information on computers, technology, the Internet and technology-related
organizations and companies.
Hacking/Proxy Avoidance
Selecting this category excludes pages that provide information on illegal
or questionable access to or use of communications equipment/software,
or that provide information on how to bypass proxy server features or gain
access to URLs in any way that bypasses the proxy server.
Search Engines/Portals
Selecting this category excludes pages that support searching the
Internet, indices, and directories.
Web Communications
Selecting this category excludes pages that allow or offer Web-based
communication via e-mail, chat, instant messaging, message boards, etc.
Job Search/Careers
Selecting this category excludes pages that provide assistance in finding
employment, and tools for locating prospective employers.
News/Media
Selecting this category excludes pages that primarily report information or
comments on current events or contemporary issues of the day. It also
includes radio stations and magazines. It does not include pages that can
be rated in other categories.
Personals/Dating
Selecting this category excludes pages that promote interpersonal
relationships.
Reference
Selecting this category excludes pages containing personal, professional,
or educational reference, including online dictionaries, maps, census,
almanacs, library catalogues, genealogy-related pages and scientific
information.
Chat/Instant Messaging
Selecting this category excludes pages that provide chat or instant
messaging capabilities or client downloads.
Email
Selecting this category excludes pages offering web-based email
services, such as online email reading, e-cards, and mailing list services.
Newsgroups
Selecting this category excludes pages that offer access to Usenet news
groups or other messaging or bulletin board systems.
Religion
Selecting this category excludes pages that promote and provide
information on conventional or unconventional religious or quasi-religious
subjects, as well as churches, synagogues, or other houses of worship. It
does not include pages containing alternative religions such as Wicca or
witchcraft (Cult/Occult) or atheist beliefs (Political/Activist Groups).
Shopping
Selecting this category excludes pages that provide or advertise the
means to obtain goods or services. It does not include pages that can be
classified in other categories (such as vehicles or weapons).
Auctions
Selecting this category excludes pages that support the offering and
purchasing of goods between individuals. This does not include classified
advertisements.
Real Estate
Selecting this category excludes pages that provide information on
renting, buying, or selling real estate or properties.
Society/Lifestyle
Selecting this category excludes pages providing information on matters
of daily life. This does not include pages relating to entertainment, sports,
jobs, sex or pages promoting alternative lifestyles such as homosexuality.
Personal homepages fall within this category if they cannot be classified
in another category.
Gay/Lesbian
Selecting this category excludes pages that provide information, promote,
or cater to gay and lesbian lifestyles. This does not include pages that are
sexually oriented.
Restaurants/Dining/Food
Selecting this category excludes pages that list, review, discuss, advertise
and promote food, catering, dining services, cooking and recipes.
Sports/Recreation/Hobbies
Selecting this category excludes pages that promote or provide
information about spectator sports, recreational activities, or hobbies.
This includes pages that discuss or promote camping, gardening, and
collecting.
Travel
Selecting this category excludes pages that promote or provide
opportunity for travel planning, including finding and making travel
reservations, vehicle rentals, descriptions of travel destinations, or
promotions for hotels or casinos.
Vehicles
Selecting this category excludes pages that provide information on or
promote vehicles, boats, or aircraft, including pages that support online
purchase of vehicles or parts.
Humor/Jokes
Selecting this category excludes pages that primarily focus on comedy,
jokes, fun, etc. This may include pages containing jokes of adult or
mature nature. Pages containing humorous Adult/Mature content also
have an Adult/Mature category rating.
Streaming Media/MP3
Selecting this category excludes pages that sell, deliver, or stream music
or video content in any format, including pages that provide downloads for
such viewers.
Software Downloads
Selecting this category excludes pages that are dedicated to the
electronic download of software packages, whether for payment or at no
charge.
Pay to Surf
Selecting this category excludes pages that pay users in the form of cash
or prizes, for clicking on or reading specific links, email, or web pages.
For Kids
Selecting this category excludes pages designed specifically for children.
Web Advertisements
Selecting this category excludes pages that provide online
advertisements or banners. This does not include advertising servers that
serve adult-oriented advertisements.
Web Hosting
Selecting this category excludes pages of organizations that provide top-level
domain pages, as well as web communities or hosting services.
Advanced/Basic
Click Advanced to see an expanded list of categories, or click Basic to
see a smaller list.
Test Web Site Attribute
Test if Web site is blocked
You can check whether or not the content filter currently blocks any given
web page. Enter a web site URL in the text box.
Test Against Local Cache
Click this button to test whether or not the web site above is saved in the
ZyWALL’s database of restricted web pages.
Test Against Internet
Server
Click this button to test whether or not the web site above is saved in the
external content filter server’s database of restricted web pages.
Content Filter Service
Status
This read-only field displays the status of your category-based content
filtering (using an external database) service subscription.
License Inactive displays if you have not registered and activated the
category-based content filtering service.
License Active and the subscription expiration date display if you have
registered the ZyWALL and activated the category-based content filtering
service.
Trial Active and the trial subscription expiration date display if you have
registered the ZyWALL and activated the category-based content filtering
service.
License Inactive and the date your subscription expired display if your
subscription to the category-based content filtering service has expired.
Note: After you register for content filtering, you need to wait
up to five minutes for content filtering to be activated.
See Section 17.1 on page 294 for how to check the
content filtering activation.
Apply
Click Apply to save your changes back to the ZyWALL.
Reset
Click Reset to begin configuring this screen afresh.
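The lookup procedure of Section 16.3 (cache check, external query, cache store, cache cleared on restart) and the decisions driven by the Matched Web Pages, Unrated Web Pages, Block When Content Filter Server Is Unavailable and Content Filter Server Unavailable Timeout fields of this screen can be modelled together. The following is an added example written for this guide, not ZyXEL firmware code: the ContentFilter class, the ServerUnavailable exception, the lookup callback signature and the sample hosts and categories are assumptions. The external database is a caller-supplied function that returns a category name, None for an unrated page, or raises ServerUnavailable on timeout, DNS failure or an error response. The example makes two points the procedure text only implies: a failed query is never cached, so every request during an outage is decided by the unavailable setting, and a cache entry older than the configured lifetime is re-queried rather than reused.

```python
import time

# Added example (not ZyXEL code): the content filtering lookup procedure of
# Section 16.3 together with the Block/Log settings of the Categories screen.

class ServerUnavailable(Exception):
    """Raised by the lookup function when the external database cannot answer."""

class ContentFilter:
    def __init__(self, lookup, blocked_categories, *,
                 block_matched=True, log_matched=True,
                 block_unrated=False, log_unrated=True,
                 block_when_unavailable=True, log_when_unavailable=True,
                 timeout=10, cache_ttl=3600, now=time.time):
        if not 1 <= timeout <= 30:   # range given for the Unavailable Timeout field
            raise ValueError("Content Filter Server Unavailable Timeout is 1-30 seconds")
        self.lookup = lookup                    # assumed signature: lookup(host, timeout)
        self.blocked = set(blocked_categories)  # categories ticked on the screen
        self.block_matched, self.log_matched = block_matched, log_matched
        self.block_unrated, self.log_unrated = block_unrated, log_unrated
        self.block_unavail, self.log_unavail = block_when_unavailable, log_when_unavailable
        self.timeout, self.cache_ttl, self.now = timeout, cache_ttl, now
        self.cache = {}   # host -> (category or None, time stored)
        self.log = []     # (host, reason, action) tuples

    def check(self, host):
        """Steps 2 to 5 of the lookup procedure; returns 'block' or 'allow'."""
        rec = self.cache.get(host)
        if rec is not None and self.now() - rec[1] <= self.cache_ttl:
            return self._decide(host, rec[0])               # step 2: served from cache
        self.cache.pop(host, None)                           # drop an expired record
        try:
            category = self.lookup(host, self.timeout)       # step 4: query the database
        except ServerUnavailable:
            return self._decide(host, None, unavailable=True)  # nothing is cached
        self.cache[host] = (category, self.now())            # step 5: store the rating
        return self._decide(host, category)

    def _decide(self, host, category, unavailable=False):
        if unavailable:
            block, log, reason = self.block_unavail, self.log_unavail, "server unavailable"
        elif category is None:
            block, log, reason = self.block_unrated, self.log_unrated, "unrated"
        elif category in self.blocked:
            block, log, reason = self.block_matched, self.log_matched, category
        else:
            block, log, reason = False, False, category     # permitted category
        action = "block" if block else "allow"
        if log:
            self.log.append((host, reason, action))
        return action

    def restart(self):
        """All cached ratings are lost when the ZyWALL restarts."""
        self.cache.clear()
```

Leaving Block When Content Filter Server Is Unavailable selected makes the filter fail closed during an outage or after the subscription expires; clearing it keeps users browsing but means that, for the duration of the outage, category-based blocking is not applied at all, so the matching Log setting is what lets you see how long that window was.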
16.5 Content Filter Customization
Click SECURITY, CONTENT FILTER, then the Customization tab to display the
CONTENT FILTER Customization screen.
You can create a list of good (allowed) web site addresses and a list of bad (blocked) web site
addresses. You can also block web sites based on whether the web site’s address contains a
keyword. Use this screen to add or remove specific sites or keywords from the filter list.
Figure 132 Content Filter: Customization
The following table describes the labels in this screen.
Table 91 Content Filter: Customization
LABEL
DESCRIPTION
Web Site List Customization
Enable Web site
customization
Select this check box to allow trusted web sites and block forbidden web
sites. Content filter list customization may be enabled and disabled
without re-entering these site names.
Disable all Web traffic except
for trusted Web sites
When this box is selected, the ZyWALL only allows Web access to sites
on the Trusted Web Site list. If they are chosen carefully, this is the
most effective way to block objectionable material.
Don't block Java/ActiveX/
Cookies/Web proxy to trusted
Web sites
When this box is selected, the ZyWALL will permit Java, ActiveX and
Cookies from sites on the Trusted Web Site list to the LAN. In certain
cases, it may be desirable to allow Java, ActiveX or Cookies from sites
that are known and trusted.
Trusted Web Sites
Sites that you want to allow access to, regardless of their content
rating, can be allowed by adding them to this list. You can enter
up to 32 entries.
Add Trusted Web Site
Enter host names such as www.good-site.com into this text field. Do not
enter the complete URL of the site – that is, do not include “http://”. All
subdomains are allowed. For example, entering “zyxel.com” also allows
“www.zyxel.com”, “partner.zyxel.com”, “press.zyxel.com”, etc.
Trusted Web Sites
This list displays the trusted web sites already added.
Add
Click this button when you have finished adding the host name in the
text field above.
Delete
Select a web site name from the Trusted Web Site List, and then click
this button to delete it from that list.
Forbidden Web Site List
Sites that you want to block access to, regardless of their content rating,
can be blocked by adding them to this list. You can enter up to 32
entries.
Add Forbidden Web Site
Enter host names such as www.bad-site.com into this text field. Do not
enter the complete URL of the site – that is, do not include “http://”. All
subdomains are blocked. For example, entering “bad-site.com” also
blocks “www.bad-site.com”, “partner.bad-site.com”, “press.bad-site.com”, etc.
Forbidden Web Sites
This list displays the forbidden web sites already added.
Add
Click this button when you have finished adding the host name in the
text field above.
Delete
Select a web site name from the Forbidden Web Site List, and then
click this button to delete it from that list.
Keyword Blocking
Keyword Blocking allows you to block websites with URLs that contain
certain keywords in the domain name or IP address.
Note: See Section 16.6 on page 290 for how to set how
much of the URL the ZyWALL checks.
289
Block Web sites which
contain these keywords.
Select this checkbox to enable keyword blocking.
Add Keyword
Enter a keyword (up to 31 printable ASCII characters) to block. You can
also enter a numerical IP address.
Keyword List
This list displays the keywords already added.
Add: Click this button when you have finished adding the keyword in the field above.
Delete: Select a keyword from the Keyword List, and then click this button to delete it from that list.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
16.6 Customizing Keyword Blocking URL Checking
You can use commands to set how much of a website’s URL the content filter is to check for
keyword blocking. See the appendices for information on how to access and use the command
interpreter.
16.6.1 Domain Name or IP Address URL Checking
By default, the ZyWALL checks the URL’s domain name or IP address when performing
keyword blocking.
This means that the ZyWALL checks the characters that come before the first slash in the
URL.
For example, with the URL www.zyxel.com.tw/news/pressroom.php, content filtering only
searches for keywords within www.zyxel.com.tw.
16.6.2 Full Path URL Checking
Full path URL checking has the ZyWALL check the characters that come before the last slash
in the URL.
For example, with the URL www.zyxel.com.tw/news/pressroom.php, full path URL checking
searches for keywords within www.zyxel.com.tw/news/.
Use the ip urlfilter customize actionFlags 6 [disable | enable] command
to extend (or not extend) the keyword blocking search to include the URL's full path.
16.6.3 File Name URL Checking
Filename URL checking has the ZyWALL check all of the characters in the URL.
For example, filename URL checking searches for keywords within the URL
www.zyxel.com.tw/news/pressroom.php.
Use the ip urlfilter customize actionFlags 8 [disable | enable] command
to extend (or not extend) the keyword blocking search to include the URL's complete
filename.
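The host-list and keyword-blocking behaviour described in Table 91 and in Sections 16.6.1 to 16.6.3, as an added Python model. This is not ZyXEL code and does not run on the ZyWALL; it applies the documented subdomain rule for trusted and forbidden entries, the 32-entry and 31-character limits, and the three keyword-checking scopes that correspond to the default, to actionFlags 6 and to actionFlags 8. The class and function names, and the order in which the lists are consulted (trusted list, trusted-only switch, forbidden list, keywords), are this example's assumptions; the manual does not state the device's evaluation order.

```python
from dataclasses import dataclass, field
from typing import List

MAX_SITES = 32      # the trusted and forbidden lists hold up to 32 entries (Table 91)
MAX_KEYWORD = 31    # a keyword is up to 31 printable ASCII characters (Table 91)


def strip_scheme(url: str) -> str:
    """The screens want host names, not URLs; tolerate a pasted scheme anyway."""
    return url.split("://", 1)[-1]


def host_matches(entry: str, host: str) -> bool:
    """A list entry matches its own host and every subdomain:
    'zyxel.com' covers 'www.zyxel.com' and 'press.zyxel.com' but not 'zyxel.com.tw'."""
    entry = entry.lower().rstrip(".")
    host = host.lower().rstrip(".").split(":")[0]   # ignore an explicit port
    return host == entry or host.endswith("." + entry)


def checked_portion(url: str, scope: str) -> str:
    """The part of the URL that keyword blocking inspects (Section 16.6).
    'domain'   : characters before the first slash (the default)
    'fullpath' : characters before the last slash  (ip urlfilter customize actionFlags 6)
    'filename' : the complete URL                  (ip urlfilter customize actionFlags 8)"""
    url = strip_scheme(url)
    if scope == "domain":
        return url.split("/", 1)[0]
    if scope == "fullpath":
        return url[: url.rfind("/") + 1] if "/" in url else url
    if scope == "filename":
        return url
    raise ValueError(f"unknown scope {scope!r}")


@dataclass
class ContentFilter:
    trusted: List[str] = field(default_factory=list)
    forbidden: List[str] = field(default_factory=list)
    keywords: List[str] = field(default_factory=list)
    trusted_only: bool = False      # "Disable all Web traffic except for trusted Web sites"
    keyword_blocking: bool = False  # "Block Web sites which contain these keywords"
    keyword_scope: str = "domain"   # see checked_portion()

    def add_site(self, site_list: List[str], host: str) -> None:
        """Add to either list with the limits the screen enforces."""
        if "://" in host:
            raise ValueError("enter a host name, not a complete URL")
        if len(site_list) >= MAX_SITES:
            raise ValueError(f"list already holds {MAX_SITES} entries")
        site_list.append(host)

    def add_keyword(self, keyword: str) -> None:
        if not (0 < len(keyword) <= MAX_KEYWORD) or not keyword.isascii() or not keyword.isprintable():
            raise ValueError("keyword must be 1 to 31 printable ASCII characters")
        self.keywords.append(keyword)

    def decide(self, url: str) -> str:
        """Allow or block a request. The evaluation order below is this example's
        assumption; the manual does not state the device's order."""
        host = checked_portion(url, "domain")
        if any(host_matches(e, host) for e in self.trusted):
            return "allow (trusted)"
        if self.trusted_only:
            return "block (not trusted)"
        if any(host_matches(e, host) for e in self.forbidden):
            return "block (forbidden)"
        if self.keyword_blocking:
            haystack = checked_portion(url, self.keyword_scope).lower()
            for kw in self.keywords:
                if kw.lower() in haystack:
                    return f"block (keyword {kw!r})"
        return "allow"
```

With the keyword "news" and the manual's sample URL www.zyxel.com.tw/news/pressroom.php, the default domain scope allows the request (the keyword is not in the host part), while the full-path scope blocks it, which is exactly the difference the actionFlags 6 command makes.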
16.7 Content Filtering Cache
Click SECURITY, CONTENT FILTER, then the Cache tab to display the CONTENT
FILTER Cache screen. Use this screen to view and configure your ZyWALL’s URL caching.
You can also configure how long a categorized web site address remains in the cache as well
as view those web site addresses to which access has been allowed or blocked based on the
responses from the external content filtering server. The ZyWALL only queries the external
content filtering database for sites not found in the cache.
You can remove individual entries from the cache. When you do this, the ZyWALL queries
the external content filtering database the next time someone tries to access that web site. This
allows you to check whether a web site’s category has been changed.
Please see Section 17.3 on page 299 for how to submit a web site that has been incorrectly
categorized.
Figure 133 Content Filter: Cache
The following table describes the labels in this screen.
Table 92 Content Filter: Cache
URL Cache Setup
Maximum TTL: Type the maximum time to live (TTL) (1 to 720 hours). This sets how long the ZyWALL is to allow an entry to remain in the URL cache before discarding it.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
URL Cache Entry
Flush: Click this button to clear all web site addresses from the cache manually.
Refresh: Click this button to reload the cache.
#: This is the index number of a categorized web site address record.
Action: This field shows whether access to the web site’s URL was blocked or allowed. Click the column heading to sort the entries. Point the triangle up to display the blocked URLs before the URLs to which access was allowed. Point the triangle down to display the URLs to which access was allowed before the blocked URLs.
URL: This is a web site’s address that the ZyWALL previously checked with the external content filtering database.
Port: This is the service port number for which access was requested.
Remaining Time (hour): This is the number of hours left before the URL entry is discarded from the cache.
Modify: Click the delete icon to remove the URL entry from the cache.
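The caching behaviour of Section 16.7 and Table 92, as an added Python model (not ZyXEL code): entries live at most the configured Maximum TTL (1 to 720 hours), only a cache miss queries the external categorization database, a single entry can be deleted so that the next request re-queries the database, and Flush empties the cache. The external database is a constructed dictionary, the category names and host names are constructed sample values, and the class and method names are this example's own.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

MIN_TTL_HOURS, MAX_TTL_HOURS = 1, 720    # Maximum TTL range from Table 92

# Constructed stand-in for the external content filtering database (host -> category).
CATEGORY_DB: Dict[str, str] = {
    "www.example-news.test": "News",
    "www.example-games.test": "Games",
}


@dataclass
class CacheEntry:
    url: str
    port: int
    action: str         # "blocked" or "allowed", the Action column
    expires_at: float   # seconds on the cache's clock


class UrlCache:
    def __init__(self, max_ttl_hours: int, blocked_categories: Iterable[str],
                 clock: Callable[[], float] = time.time) -> None:
        if not MIN_TTL_HOURS <= max_ttl_hours <= MAX_TTL_HOURS:
            raise ValueError("Maximum TTL must be between 1 and 720 hours")
        self.ttl_seconds = max_ttl_hours * 3600
        self.blocked = set(blocked_categories)
        self.clock = clock                      # injectable so expiry can be tested
        self.entries: Dict[Tuple[str, int], CacheEntry] = {}
        self.external_queries = 0               # round trips to the external database

    def _expire(self) -> None:
        now = self.clock()
        for key in [k for k, e in self.entries.items() if e.expires_at <= now]:
            del self.entries[key]

    def lookup(self, url: str, port: int = 80) -> str:
        """Answer from the cache; only a miss queries the external database."""
        self._expire()
        key = (url, port)
        if key not in self.entries:
            self.external_queries += 1
            category = CATEGORY_DB.get(url, "Unknown")      # the external query
            action = "blocked" if category in self.blocked else "allowed"
            self.entries[key] = CacheEntry(url, port, action, self.clock() + self.ttl_seconds)
        return self.entries[key].action

    def remaining_hours(self, url: str, port: int = 80) -> Optional[float]:
        """The Remaining Time (hour) column."""
        entry = self.entries.get((url, port))
        if entry is None:
            return None
        return max(0.0, (entry.expires_at - self.clock()) / 3600)

    def delete(self, url: str, port: int = 80) -> None:
        """The Modify column's delete icon: the next request re-queries the database,
        which is how you check whether a site's category has changed."""
        self.entries.pop((url, port), None)

    def flush(self) -> None:
        self.entries.clear()

    def listing(self, blocked_first: bool = True) -> List[CacheEntry]:
        """The Action column sort: triangle up lists blocked URLs first."""
        self._expire()
        return sorted(self.entries.values(), key=lambda e: e.action == "blocked",
                      reverse=blocked_first)
```

The clock is injected so that expiry can be exercised without waiting hours; in production the default time.time is used. The external_queries counter makes the point of the cache visible: repeated requests for a cached host cost no round trip until the entry expires or is deleted.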
CHAPTER 17
Content Filtering Reports
This chapter describes how to view content filtering reports after you have activated the
category-based content filtering subscription service.
See Chapter 4 on page 104 on how to create a myZyXEL.com account, register your device
and activate the subscription services using the REGISTRATION screens.
17.1 Checking Content Filtering Activation
After you activate content filtering, you need to wait up to five minutes for content filtering to
be turned on.
Since there will be no content filtering activation notice, you can do the following to see if
content filtering is active.
1 Go to your device’s web configurator’s CONTENT FILTER Categories screen.
2 Select at least one category and click Apply.
3 Enter a valid URL or IP address of a web site in the Test if Web site is blocked field and
click the Test Against Internet Server button.
When content filtering is active, you should see an access blocked or access forwarded
message. An error message displays if content filtering is not active.
17.2 Viewing Content Filtering Reports
Content filtering reports are generated statistics and charts of access attempts to web sites
belonging to the categories you selected in your device content filter screen.
You need to register your iCard before you can view content filtering reports.
Alternatively, you can view content filtering reports during the free trial (up to 30 days).
1 Go to http://www.myZyXEL.com.
2 Fill in your myZyXEL.com account information and click Submit.
Figure 134 myZyXEL.com: Login
3 A welcome screen displays. Click your ZyWALL’s model name and/or MAC address
under Registered ZyXEL Products. You can change the descriptive name for your
ZyWALL using the Rename button in the Service Management screen (see Figure 136
on page 296).
Figure 135 myZyXEL.com: Welcome
4 In the Service Management screen click Content Filter in the Service Name field to
open the Blue Coat login screen.
Figure 136 myZyXEL.com: Service Management
5 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find
this MAC address in the Service Management screen (Figure 136 on page 296). Type
your myZyXEL.com account password in the Password field.
6 Click Submit.
Figure 137 Blue Coat: Login
7 In the Web Filter Home screen, click the Reports tab.
Figure 138 Content Filtering Reports Main Screen
8 Select items under Global Reports or Single User Reports to view the corresponding
reports.
Figure 139 Blue Coat: Report Home
9 Select a time period in the Date Range field, either Allowed or Blocked in the Action
Taken field and a category (or enter the user name if you want to view single user
reports) and click Run Report. The screens vary according to the report type you selected
in the Report Home screen.
10 A chart and/or list of requested web site categories display in the lower half of the screen.
Figure 140 Global Report Screen Example
11 You can click a category in the Categories report or click URLs in the Report Home
screen to see the URLs that were requested.
Figure 141 Requested URLs Example
17.3 Web Site Submission
You may find that a web site has not been accurately categorized or that a web site’s contents
have changed and the content filtering category needs to be updated. Use the following
procedure to submit the web site for review.
1 Log into the content filtering reports web site (see Section 17.2 on page 294).
2 In the Web Filter Home screen (see Figure 138 on page 297), click Site Submissions to
open the Web Page Review Process screen shown next.
Figure 142 Web Page Review Process Screen
3 Type the web site’s URL in the field and click Submit to have the web site reviewed.
CHAPTER 18
Introduction to IPSec
This chapter introduces the basics of IPSec VPNs.
18.1 VPN Overview
A VPN (Virtual Private Network) provides secure communications between sites without the
expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption,
authentication, access control and auditing technologies/services used to transport traffic over
the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
18.1.1 IPSec
Internet Protocol Security (IPSec) is a standards-based VPN that offers flexible solutions for
secure data communications across a public network like the Internet. IPSec is built around a
number of standardized cryptographic techniques to provide confidentiality, data integrity and
authentication at the IP layer.
18.1.2 Security Association
A Security Association (SA) is a contract between two parties indicating what security
parameters, such as keys and algorithms they will use.
18.1.3 Other Terminology
18.1.3.1 Encryption
Encryption is a mathematical operation that transforms data from "plaintext" (readable) to
"ciphertext" (scrambled text) using a "key". The key and clear text are processed by the
encryption operation, which leads to the data scrambling that makes encryption secure.
Decryption is the opposite of encryption: it is a mathematical operation that transforms
ciphertext to plaintext. Decryption also requires a key.
Figure 143 Encryption and Decryption
18.1.3.2 Data Confidentiality
The IPSec sender can encrypt packets before transmitting them across a network.
18.1.3.3 Data Integrity
The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not
been altered during transmission.
18.1.3.4 Data Origin Authentication
The IPSec receiver can verify the source of IPSec packets. This service depends on the data
integrity service.
18.1.4 VPN Applications
The ZyWALL supports the following VPN applications.
18.1.4.1 Linking Two or More Private Networks Together
Connect branch offices and business partners over the Internet with significant cost savings
and improved performance when compared to leased lines between sites.
18.1.4.2 Accessing Network Resources When NAT Is Enabled
When NAT is enabled, remote users are not able to access hosts on the LAN unless the host is
designated a public LAN server for that specific protocol. Since the VPN tunnel terminates
inside the LAN, remote users will be able to access all computers that use private IP addresses
on the LAN.
18.1.4.3 Unsupported IP Applications
A VPN tunnel may be created to add support for unsupported emerging IP applications. See
Chapter 1 on page 54 for an example of a VPN application.
18.2 IPSec Architecture
The overall IPSec architecture is shown as follows.
Figure 144 IPSec Architecture
18.2.1 IPSec Algorithms
The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication
Header) protocol (RFC 2402) describe the packet formats and the default standards for packet
structure (including implementation algorithms).
The Encryption Algorithm describes the use of encryption techniques such as DES (Data
Encryption Standard), AES (Advanced Encryption Standard) and Triple DES algorithms.
The Authentication Algorithms, HMAC-MD5 (RFC 2403) and HMAC-SHA-1 (RFC 2404),
provide an authentication mechanism for the AH and ESP protocols. Refer to Section 19.2 on
page 308 for more information.
18.2.2 Key Management
Key management allows you to determine whether to use IKE (ISAKMP) or manual key
configuration in order to set up a VPN.
18.3 Encapsulation
The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode.
Figure 145 Transport and Tunnel Mode IPSec Encapsulation
18.3.1 Transport Mode
Transport mode is used to protect upper layer protocols and only affects the data in the IP
packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located
after the original IP header and options, but before any upper layer protocols contained in the
packet (such as TCP and UDP).
With ESP, protection is applied only to the upper layer protocols contained in the packet. The
IP header information and options are not used in the authentication process. Therefore, the
originating IP address cannot be verified for integrity against the data.
With the use of AH as the security protocol, protection is extended forward into the IP header
to verify the integrity of the entire packet by use of portions of the original IP header in the
hashing process.
18.3.2 Tunnel Mode
Tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel mode is
required for gateway services to provide access to internal systems. Tunnel mode is
fundamentally an IP tunnel with authentication and encryption. This is the most common
mode of operation. Tunnel mode is required for gateway to gateway and host to gateway
communications. Tunnel mode communications have two sets of IP headers:
• Outside header: The outside IP header contains the destination IP address of the VPN
gateway.
• Inside header: The inside IP header contains the destination IP address of the final
system behind the VPN gateway. The security protocol appears after the outer IP header
and before the inside IP header.
18.4 IPSec and NAT
Read this section if you are running IPSec on a host computer behind the ZyWALL.
NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec
VPN using the AH protocol digitally signs the outbound packet, both data payload and
headers, with a hash value appended to the packet. When using AH protocol, packet contents
(the data payload) are not encrypted.
A NAT device in between the IPSec endpoints will rewrite either the source or destination
address with one of its own choosing. The VPN device at the receiving end will verify the
integrity of the incoming packet by computing its own hash value, and complain that the hash
value appended to the received packet doesn't match. The VPN device at the receiving end
doesn't know about the NAT in the middle, so it assumes that the data has been maliciously
altered.
IPSec using ESP in Tunnel mode encapsulates the entire original packet (including headers)
in a new IP packet. The new IP packet's source address is the outbound address of the sending
VPN gateway, and its destination address is the inbound address of the VPN device at the
receiving end. When using ESP protocol with authentication, the packet contents (in this case,
the entire original packet) are encrypted. The encrypted contents, but not the new headers, are
signed with a hash value appended to the packet.
Tunnel mode ESP with authentication is compatible with NAT because integrity checks are
performed over the combination of the "original header plus original payload," which is
unchanged by a NAT device. Transport mode ESP with authentication is not compatible with
NAT, although NAT traversal provides a way to use Transport mode ESP when there is a
NAT router between the IPSec endpoints (See Section 19.6 on page 310 for details).
Table 93 VPN and NAT
SECURITY PROTOCOL   MODE        NAT
AH                  Transport   N
AH                  Tunnel      N
ESP                 Transport   N
ESP                 Tunnel      Y
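The reasoning behind Table 93 and the two preceding paragraphs, as an added Python model (not ZyXEL code). Packets are simplified records, the integrity check value is an HMAC-SHA-1 computed as the text describes (AH covers the IP header and the payload, tunnel-mode ESP covers the encrypted original packet but not the new outer header), and a NAT step rewrites the outer source address. The cipher is a constructed XOR keystream for illustration only, not the DES, 3DES or AES the ZyWALL uses; keys, addresses and function names are this example's own.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

AUTH_KEY = b"constructed-sample-authentication-key"   # constructed; shared by both IPSec peers
ENC_KEY = b"constructed-sample-encryption-key"        # constructed; for the toy cipher below


@dataclass(frozen=True)
class Packet:
    src: str      # outer IP header source address
    dst: str      # outer IP header destination address
    proto: str    # "AH" or "ESP"
    body: bytes   # AH: cleartext payload; ESP tunnel: the encrypted original packet
    icv: bytes    # integrity check value (HMAC-SHA-1)


def ip_header(src: str, dst: str) -> bytes:
    """Stand-in for the IP header fields that an address-rewriting NAT changes."""
    return f"src={src};dst={dst};".encode()


def icv(data: bytes) -> bytes:
    return hmac.new(AUTH_KEY, data, hashlib.sha1).digest()


def toy_encrypt(data: bytes) -> bytes:
    """XOR with a fixed keystream, for illustration only (it is its own inverse)."""
    stream = hashlib.sha256(ENC_KEY).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))


def ah_protect(src: str, dst: str, payload: bytes) -> Packet:
    """AH: the ICV covers the IP header and the payload; nothing is encrypted."""
    return Packet(src, dst, "AH", payload, icv(ip_header(src, dst) + payload))


def ah_verify(p: Packet) -> bool:
    """The receiver recomputes the hash over the header it actually received."""
    return hmac.compare_digest(p.icv, icv(ip_header(p.src, p.dst) + p.body))


def esp_tunnel_protect(gw_src: str, gw_dst: str, inner_src: str, inner_dst: str,
                       payload: bytes) -> Packet:
    """Tunnel-mode ESP with authentication: the whole original packet is encrypted
    and the ICV covers the encrypted contents, not the new outer header."""
    original = ip_header(inner_src, inner_dst) + payload
    ciphertext = toy_encrypt(original)
    return Packet(gw_src, gw_dst, "ESP", ciphertext, icv(ciphertext))


def esp_tunnel_verify(p: Packet) -> bool:
    return hmac.compare_digest(p.icv, icv(p.body))


def esp_tunnel_decapsulate(p: Packet) -> bytes:
    """Recover the original packet (inner header + payload) after a good ICV."""
    return toy_encrypt(p.body)


def nat_rewrite_source(p: Packet, new_src: str) -> Packet:
    """What a NAT device between the endpoints does: replace the outer source address."""
    return replace(p, src=new_src)
```

The AH packet fails verification after the NAT rewrite for the same reason it fails after deliberate tampering: the receiver cannot tell the two apart. The tunnel-mode ESP packet still verifies and decapsulates to the unchanged inner header plus payload, which is the "original header plus original payload" the text refers to.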
CHAPTER 19
VPN Screens
This chapter introduces the VPN Web Configurator. See Chapter 30 on page 472 for
information on viewing logs and Appendix S on page 774 for IPSec log descriptions.
19.1 VPN/IPSec Overview
Use the screens documented in this chapter to configure rules for VPN connections and
manage VPN connections.
19.2 IPSec Algorithms
The ESP and AH protocols are necessary to create a Security Association (SA), the
foundation of an IPSec VPN. An SA is built from the authentication provided by the AH and
ESP protocols. The primary function of key management is to establish and maintain the SA
between systems. Once the SA is established, the transport of data may commence.
19.2.1 AH (Authentication Header) Protocol
AH protocol (RFC 2402) was designed for integrity, authentication, sequence integrity (replay
resistance), and non-repudiation but not for confidentiality, for which the ESP was designed.
In applications where confidentiality is not required or not sanctioned by government
encryption restrictions, an AH can be employed to ensure integrity. This type of
implementation does not protect the information from dissemination but will allow for
verification of the integrity of the information and authentication of the originator.
19.2.2 ESP (Encapsulating Security Payload) Protocol
The ESP protocol (RFC 2406) provides encryption as well as the services offered by AH. ESP
authenticating properties are limited compared to the AH due to the non-inclusion of the IP
header information during the authentication process. However, ESP is sufficient if only the
upper layer protocols need to be authenticated.
An added feature of the ESP is payload padding, which further protects communications by
concealing the size of the packet being transmitted.
Table 94 ESP and AH
Encryption
ESP:
DES (default): Data Encryption Standard (DES) is a widely used method of data encryption using a secret key. DES applies a 56-bit key to each 64-bit block of data.
3DES: Triple DES (3DES) is a variant of DES, which iterates three times with three separate keys (3 x 56 = 168 bits), effectively doubling the strength of DES.
AES: Advanced Encryption Standard is a newer method of data encryption that also uses a secret key. This implementation of AES applies a 128-bit key to 128-bit blocks of data. AES is faster than 3DES.
Select NULL to set up a phase 2 tunnel without encryption.
AH: none
Authentication
ESP and AH:
MD5 (default): MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
SHA1: SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.
Select MD5 for minimal security and SHA-1 for maximum security.
19.3 My ZyWALL
When the ZyWALL is in router mode, My ZyWALL identifies the WAN IP address or domain
name of the ZyWALL (if it has one); you may instead leave the field set to 0.0.0.0. This field
displays the ZyWALL’s IP address when the ZyWALL is in bridge mode. The ZyWALL has to
rebuild the VPN tunnel if the My ZyWALL IP address changes after setup.
19.4 Remote Gateway Address
Remote Gateway Address is the WAN IP address or domain name of the remote IPSec router
(secure gateway).
If the remote secure gateway has a static WAN IP address, enter it in the Remote Gateway
Address field. You may alternatively enter the remote secure gateway’s domain name (if it
has one).
You can also enter a remote secure gateway’s domain name in the Remote Gateway Address
field if the remote secure gateway has a dynamic WAN IP address and is using DDNS. The
ZyWALL has to rebuild the VPN tunnel each time the remote secure gateway’s WAN IP
address changes (there may be a delay until the DDNS servers are updated with the remote
gateway’s new WAN IP address).
19.4.1 Dynamic Remote Gateway Address
If the remote secure gateway has a dynamic WAN IP address and does not use DDNS, enter
0.0.0.0 as the remote gateway’s address. In this case only the remote secure gateway can
initiate SAs. This may be useful for telecommuters initiating a VPN tunnel to the company
network. See Section 19.18 on page 337 for configuration examples.
Note: The Remote Gateway Address may be configured as 0.0.0.0 only when using
IKE key management and not Manual key management.
19.5 Nailed Up
When you initiate an IPSec tunnel with nailed up enabled, the ZyWALL automatically
renegotiates the tunnel when the IPSec SA lifetime period expires (see Section 19.8 on page
313 for more on the IPSec SA lifetime). In effect, the IPSec tunnel becomes an always on
connection after you initiate it. Both IPSec routers must have a ZyWALL-compatible nailed
up feature enabled in order for this feature to work.
If the ZyWALL has its maximum number of simultaneous IPSec tunnels connected to it and
they all have nailed up enabled, then no other tunnels can take a turn connecting to the
ZyWALL because the ZyWALL never drops the tunnels that are already connected.
Note: When there is outbound traffic with no inbound traffic, the ZyWALL
automatically drops the tunnel after two minutes.
19.6 NAT Traversal
NAT traversal allows you to set up a VPN connection when there are NAT routers between
the two IPSec routers.
Figure 146 NAT Router Between IPSec Routers
Normally you cannot set up a VPN connection with a NAT router between the two IPSec
routers because the NAT router changes the header of the IPSec packet. In the previous figure,
IPSec router A sends an IPSec packet in an attempt to initiate a VPN. The NAT router changes
the IPSec packet’s header so it does not match the header for which IPSec router B is
checking. Therefore, IPSec router B does not respond and the VPN connection cannot be built.
NAT traversal solves the problem by adding a UDP port 500 header to the IPSec packet. The
NAT router forwards the IPSec packet with the UDP port 500 header unchanged. IPSec router
B checks the UDP port 500 header and responds. IPSec routers A and B build a VPN
connection.
19.6.1 NAT Traversal Configuration
For NAT traversal to work you must:
• Use ESP security protocol (in either transport or tunnel mode).
• Use IKE keying mode.
• Enable NAT traversal on both IPSec endpoints.
In order for IPSec router A (see Figure 146 on page 311) to receive an initiating IPSec packet
from IPSec router B, set the NAT router to forward UDP port 500 to IPSec router A.
19.7 ID Type and Content
With aggressive negotiation mode (see Section 19.8.1 on page 314), the ZyWALL identifies
incoming SAs by ID type and content since this identifying information is not encrypted. This
enables the ZyWALL to distinguish between multiple rules for SAs that connect from remote
IPSec routers that have dynamic WAN IP addresses. Telecommuters can use separate
passwords to simultaneously connect to the ZyWALL from IPSec routers with dynamic IP
addresses (see Section 19.18.2 on page 338 for a telecommuter configuration example).
Note: Regardless of the ID type and content configuration, the ZyWALL does not
allow you to save multiple active rules with overlapping local and remote IP
addresses.
With main mode (see Section 19.8.1 on page 314), the ID type and content are encrypted to
provide identity protection. In this case the ZyWALL can only distinguish between up to 12
different incoming SAs that connect from remote IPSec routers that have dynamic WAN IP
addresses. The ZyWALL can distinguish up to 12 incoming SAs because you can select
between three encryption algorithms (DES, 3DES and AES), two authentication algorithms
(MD5 and SHA1) and two key groups (DH1 and DH2) when you configure a VPN rule (see
Section 19.12 on page 324). The ID type and content act as an extra level of identification for
incoming SAs.
The type of ID can be a domain name, an IP address or an e-mail address. The content is the IP
address, domain name, or e-mail address.
Table 95 Local ID Type and Content Fields
LOCAL ID TYPE: CONTENT
IP: Type the IP address of your computer or leave the field blank to have the ZyWALL automatically use its own IP address.
DNS: Type a domain name (up to 31 characters) by which to identify this ZyWALL.
E-mail: Type an e-mail address (up to 31 characters) by which to identify this ZyWALL.
The domain name or e-mail address that you use in the Content field is used for identification purposes only and does not need to be a real domain name or e-mail address.
Table 96 Peer ID Type and Content Fields
PEER ID TYPE: CONTENT
IP: Type the IP address of the computer with which you will make the VPN connection or leave the field blank to have the ZyWALL automatically use the address in the Remote Gateway Address field.
DNS: Type a domain name (up to 31 characters) by which to identify the remote IPSec router.
E-mail: Type an e-mail address (up to 31 characters) by which to identify the remote IPSec router.
Subject Name: Type the subject name (up to 255 characters) by which to identify the remote IPSec router. This option is available only when you set Authentication Key to Certificate.
The domain name or e-mail address that you use in the Content field is used for identification purposes only and does not need to be a real domain name or e-mail address. The domain name also does not have to match the remote router’s IP address or what you configure in the Remote Gateway Address field below.
19.7.1 ID Type and Content Examples
Two IPSec routers must have matching ID type and content configuration in order to set up a
VPN tunnel.
The two ZyWALLs in this example can complete negotiation and establish a VPN tunnel.
Table 97 Matching ID Type and Content Configuration Example
ZYWALL A                                ZYWALL B
Local ID type: E-mail                   Local ID type: IP
Local ID content: [email protected]       Local ID content: 1.1.1.2
Peer ID type: IP                        Peer ID type: E-mail
Peer ID content: 1.1.1.2                Peer ID content: [email protected]
The two ZyWALLs in this example cannot complete their negotiation because ZyWALL B’s
Local ID type is IP, but ZyWALL A’s Peer ID type is set to E-mail. An ID mismatched
message displays in the IPSec log.
Table 98 Mismatching ID Type and Content Configuration Example
ZYWALL A                                ZYWALL B
Local ID type: IP                       Local ID type: IP
Local ID content: 1.1.1.10              Local ID content: 1.1.1.10
Peer ID type: E-mail                    Peer ID type: IP
Peer ID content: [email protected]        Peer ID content: N/A
19.8 IKE Phases
There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1
(Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA and
the second one uses that SA to negotiate SAs for IPSec.
Figure 147 Two Phases to Set Up the IPSec SA
In phase 1 you must:
• Choose a negotiation mode.
• Authenticate the connection by entering a pre-shared key.
• Choose an encryption algorithm.
• Choose an authentication algorithm.
• Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2).
• Set the IKE SA lifetime. This field allows you to determine how long an IKE SA should
stay up before it times out. An IKE SA times out when the IKE SA lifetime period
expires. If an IKE SA times out when an IPSec SA is already established, the IPSec SA
stays connected.
In phase 2 you must:
• Choose which protocol to use (ESP or AH) for the IKE key exchange.
• Choose an encryption algorithm.
• Choose an authentication algorithm.
• Choose whether to enable Perfect Forward Secrecy (PFS) using Diffie-Hellman public-key
cryptography – see Section 19.8.4 on page 315. Select None (the default) to disable PFS.
• Choose Tunnel mode or Transport mode.
• Set the IPSec SA lifetime. This field allows you to determine how long the IPSec SA
should stay up before it times out. The ZyWALL automatically renegotiates the IPSec SA
if there is traffic when the IPSec SA lifetime period expires. The ZyWALL also
automatically renegotiates the IPSec SA if both IPSec routers have keep alive enabled,
even if there is no traffic. If an IPSec SA times out, then the IPSec router must renegotiate
the SA the next time someone attempts to send traffic.
19.8.1 Negotiation Mode
The phase 1 Negotiation Mode you select determines how the Security Association (SA) will
be established for each connection through IKE negotiations.
• Main Mode ensures the highest level of security when the communicating parties are
negotiating authentication (phase 1). It uses 6 messages in three round trips: SA
negotiation, Diffie-Hellman exchange and an exchange of nonces (a nonce is a random
number). This mode features identity protection (your identity is not revealed in the
negotiation).
• Aggressive Mode is quicker than Main Mode because it eliminates several steps when
the communicating parties are negotiating authentication (phase 1). However, the trade-off
is that the faster speed limits its negotiating power and it also does not provide identity
protection. It is useful in remote access situations where the address of the initiator is not
known by the responder and both parties want to use pre-shared key authentication.
19.8.2 Pre-Shared Key
A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is
called pre-shared because you have to share it with another party before you can communicate
with them over a secure connection.
19.8.3 Diffie-Hellman (DH) Key Groups
Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish
a shared secret over an unsecured communications channel. Diffie-Hellman is used within
IKE SA setup to establish session keys. 768-bit (Group 1 - DH1) and 1024-bit (Group 2 –
DH2) Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman
exchange, the two peers have a shared secret, but the IKE SA is not authenticated. For
authentication, use pre-shared keys.
19.8.4 Perfect Forward Secrecy (PFS)
Enabling PFS means that the key is transient. The key is thrown away and replaced by a brand
new key using a new Diffie-Hellman exchange for each new IPSec SA setup. With PFS
enabled, if one key is compromised, previous and subsequent keys are not compromised,
because subsequent keys are not derived from previous keys. The (time-consuming) Diffie-
Hellman exchange is the trade-off for this extra security.
This may be unnecessary for data that does not require such security, so PFS is disabled
(None) by default in the ZyWALL. Disabling PFS means new authentication and encryption
keys are derived from the same root secret (which may have security implications in the long
run) but allows faster SA setup (by bypassing the Diffie-Hellman key exchange).
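Sections 19.8.3 and 19.8.4 together, as an added Python example (not ZyXEL code): a Diffie-Hellman exchange over the 768-bit MODP group that IKE calls Group 1 (DH1, generator 2, prime from RFC 2409 section 6.1, transcribed below), followed by phase 2 key derivation with and without PFS. The key derivation is a simplified HMAC-SHA-1 PRF construction in the spirit of IKE, not a byte-exact reproduction of RFC 2409; the nonces are constructed values and the function names are this example's own. DH2 is the 1024-bit group from the same RFC and is not reproduced here.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# 768-bit MODP prime of IKE Group 1 (DH1), RFC 2409 section 6.1; generator 2.
DH1_PRIME = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF
""".split()), 16)
GENERATOR = 2

# Constructed phase 1 nonces (in IKE they are random values exchanged in the clear).
NONCE_I, NONCE_R = b"constructed-phase1-nonce-i", b"constructed-phase1-nonce-r"


def dh_keypair(p: int = DH1_PRIME, g: int = GENERATOR) -> Tuple[int, int]:
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbits(256) | 1        # 256 random bits are ample for a 768-bit group
    return x, pow(g, x, p)


def dh_shared(own_private: int, peer_public: int, p: int = DH1_PRIME) -> int:
    """Both peers compute the same g^xy mod p from their own private and the peer's public."""
    return pow(peer_public, own_private, p)


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def int_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def phase1_root_secret(g_xy: int) -> bytes:
    """Simplified SKEYID_d: the phase 1 secret that phase 2 keys are derived from."""
    return prf(NONCE_I + NONCE_R, int_bytes(g_xy))


def phase2_key(root: bytes, nonce_i: bytes, nonce_r: bytes,
               pfs_g_xy: Optional[int] = None) -> bytes:
    """Without PFS the IPSec SA key comes from the root secret and fresh nonces only;
    with PFS a brand-new DH result for this SA is mixed in as well."""
    dh_part = b"" if pfs_g_xy is None else int_bytes(pfs_g_xy)
    return prf(root, dh_part + nonce_i + nonce_r)


def negotiate(pfs: bool, sa_count: int = 2) -> Tuple[bytes, List[bytes], List[bytes]]:
    """Run phase 1 and then sa_count phase 2 negotiations between peers A and B.
    Returns A's root secret and the per-SA keys each side derived."""
    xa, pub_a = dh_keypair()
    xb, pub_b = dh_keypair()
    root_a = phase1_root_secret(dh_shared(xa, pub_b))
    root_b = phase1_root_secret(dh_shared(xb, pub_a))
    keys_a: List[bytes] = []
    keys_b: List[bytes] = []
    for n in range(sa_count):
        ni, nr = b"sa%d-ni" % n, b"sa%d-nr" % n    # constructed phase 2 nonces
        if pfs:
            ya, ppub_a = dh_keypair()                # fresh exchange for this IPSec SA
            yb, ppub_b = dh_keypair()
            keys_a.append(phase2_key(root_a, ni, nr, dh_shared(ya, ppub_b)))
            keys_b.append(phase2_key(root_b, ni, nr, dh_shared(yb, ppub_a)))
        else:
            keys_a.append(phase2_key(root_a, ni, nr))
            keys_b.append(phase2_key(root_b, ni, nr))
    return root_a, keys_a, keys_b
```

In both modes the two peers arrive at identical per-SA keys and successive SAs get different keys. The difference the section describes is visible in the last check of the test: without PFS, anyone holding the phase 1 root secret and the public nonces can recompute every IPSec SA key, whereas with PFS the root secret alone is not enough because each SA also depends on a Diffie-Hellman result whose private exponents were discarded after use.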
19.9 X-Auth (Extended Authentication)
Extended authentication provides added security by allowing you to use usernames and passwords for VPN connections. This is especially helpful when multiple ZyWALLs use one VPN rule to connect to a single ZyWALL. An attacker cannot make a VPN connection without a valid username and password.
The extended authentication server checks the user names and passwords of the extended authentication clients before completing the IPSec connection (see Chapter 21 on page 370). A ZyWALL can be an extended authentication server for some VPN connections and an extended authentication client for other VPN connections.
19.9.1 Authentication Server
A ZyWALL set to be a VPN extended authentication server can use either the local user database internal to the ZyWALL or an external RADIUS server for an unlimited number of users. The ZyWALL uses the same local user database for VPN extended authentication and wireless LAN security.
19.10 VPN Rules (IKE)
Click VPN to display the VPN Rules (IKE) screen. This is a read-only menu of your IPSec rules (tunnels). To add an IPSec rule (or gateway policy), click the add gateway policy icon. Edit an IPSec rule by clicking the edit icon to configure the associated submenus.
Refer to Table 100 on page 317 for descriptions of the icons used in this screen.
Figure 148 VPN Rules (IKE)
The following table introduces some of the general IPSec terms used in the VPN screens.
Table 99 IPSec Fields Summary
LABEL
DESCRIPTION
VPN Tunnel
A VPN (Virtual Private Network) tunnel gives you a secure connection to another
computer or network.
Gateway Policy
A gateway policy identifies the IPSec routers at either end of a VPN tunnel and
specifies the authentication, encryption and other settings needed to negotiate a
phase 1 IKE SA.
Network Policy
A network policy identifies the devices behind the IPSec routers at either end of a
VPN tunnel and specifies the authentication, encryption and other settings
needed to negotiate a phase 2 IPSec SA.
My ZyWALL
This is the WAN IP address or the domain name of your ZyWALL in router mode
or the ZyWALL’s IP address in bridge mode.
Local Network
This is the network behind the ZyWALL.
Remote Gateway Address
This is the WAN IP address or domain name of the IPSec router with which you're
making the VPN connection.
Remote Network
This is the remote network behind the remote IPsec router.
Figure 149 Gateway and Network Policies
This figure helps explain the main fields in the VPN setup.
Figure 150 IPSec Fields Summary
Note: Local and remote network IP addresses must be static.
The following table describes the icons used in the VPN screens.
Table 100 VPN screen Icons Key
ICON
DESCRIPTION
This represents your ZyWALL.
This represents the remote secure gateway.
This represents the local network.
This represents the remote network.
Click this icon to add a VPN gateway policy (or IPSec rule).
Click this icon to add a VPN network policy.
Click this icon to display a screen in which you can associate a network policy to a gateway
policy.
Click this icon to display a screen in which you can change the settings of a gateway or
network policy.
Click this icon to delete a gateway or network policy.
When you delete a gateway policy, the ZyWALL automatically deletes the network policy(ies)
associated to that gateway policy.
Click this icon to establish a VPN connection to a remote network.
This indicates that a gateway or network policy is not active.
Note: The Recycle Bin gateway policy is a virtual placeholder for any network
policy(ies) without an associated gateway policy. When there is a network
policy in the Recycle Bin, the Recycle Bin gateway policy automatically
displays in this screen. See Section 19.13 on page 328 for more information.
19.11 VPN Rules (IKE) Gateway Policy Edit
In the VPN Rules (IKE) screen, click the add gateway policy icon or the edit icon to display the VPN-Gateway Policy -Edit screen.
Figure 151 VPN Rules (IKE): Gateway Policy: Edit
The following table describes the labels in this screen.
Table 101 VPN Rules (IKE): Gateway Policy: Edit
LABEL
DESCRIPTION
Property
Name
Type up to 32 characters to identify this VPN gateway policy. You may use any
character, including spaces, but the ZyWALL drops trailing spaces.
NAT Traversal
Select this check box to enable NAT traversal. NAT traversal allows you to set up
a VPN connection when there are NAT routers between the two IPSec routers.
Note: The remote IPSec router must also have NAT traversal
enabled. See Section 19.6 on page 310 for more
information.
You can use NAT traversal with ESP protocol using Transport or Tunnel mode,
but not with AH protocol nor with manual key management. In order for an IPSec
router behind a NAT router to receive an initiating IPSec packet, set the NAT
router to forward UDP port 500 to the IPSec router behind the NAT router.
Gateway Policy Information
My ZyWALL
When the ZyWALL is in router mode, this field identifies the WAN IP address or
domain name of the ZyWALL. You can select My Address and enter the
ZyWALL's static WAN IP address (if it has one) or leave the field set to 0.0.0.0.
For a ZyWALL with multiple WAN ports, the following applies if the My ZyWALL
field is configured as 0.0.0.0:
• When the WAN port operation mode is set to Active/Passive, the ZyWALL
uses the IP address (static or dynamic) of the WAN port that is in use.
• When the WAN port operation mode is set to Active/Active, the ZyWALL
uses the IP address (static or dynamic) of the primary (highest priority) WAN
port to set up the VPN tunnel as long as the corresponding WAN1 or WAN2
connection is up. If the corresponding WAN1 or WAN2 connection goes down,
the ZyWALL uses the IP address of the other WAN port.
• If both WAN connections go down, the ZyWALL uses the dial backup IP
address for the VPN tunnel when using dial backup or the LAN IP address
when using traffic redirect. See the chapter on WAN for details on dial backup
and traffic redirect.
A ZyWALL with a single WAN port uses its current WAN IP address (static or
dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. If the WAN
connection goes down, the ZyWALL uses the dial backup IP address for the VPN
tunnel when using dial backup or the LAN IP address when using traffic redirect.
Otherwise, you can select My Domain Name and choose one of the dynamic
domain names that you have configured (in the DDNS screen) to have the
ZyWALL use that dynamic domain name's IP address.
When the ZyWALL is in bridge mode, this field is read-only and displays the
ZyWALL’s IP address.
The VPN tunnel has to be rebuilt if the My ZyWALL IP address changes after
setup.
Remote Gateway Address
Type the WAN IP address or the domain name (up to 31 characters) of the IPSec
router with which you're making the VPN connection. Set this field to 0.0.0.0 if the
remote IPSec router has a dynamic WAN IP address.
In order to have more than one active rule with the Remote Gateway Address
field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between
rules.
If you configure an active rule with 0.0.0.0 in the Remote Gateway Address field
and the LAN’s full IP address range as the local IP address, then you cannot
configure any other active rules with the Remote Gateway Address field set to
0.0.0.0.
Authentication Key
Pre-Shared Key
Select the Pre-Shared Key radio button and type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection.
Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key with "0x" (zero x), which is not counted as part of the 16 to 62 character range for the key. For example, in "0x0123456789ABCDEF", 0x denotes that the key is hexadecimal and 0123456789ABCDEF is the key itself.
Both ends of the VPN tunnel must use the same pre-shared key. You will receive a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is not used on both ends.
Certificate
Select the Certificate radio button to identify the ZyWALL by a certificate.
Use the drop-down list box to select the certificate to use for this VPN tunnel. You
must have certificates already configured in the My Certificates screen. Click My
Certificates to go to the My Certificates screen where you can view the
ZyWALL's list of certificates.
Local ID Type
Select IP to identify this ZyWALL by its IP address.
Select DNS to identify this ZyWALL by a domain name.
Select E-mail to identify this ZyWALL by an e-mail address.
You do not configure the local ID type and content when you set Authentication
Key to Certificate. The ZyWALL takes them from the certificate you select.
Content
When you select IP in the Local ID Type field, type the IP address of your
computer in the local Content field. The ZyWALL automatically uses the IP
address in the My ZyWALL field (refer to the My ZyWALL field description) if you
configure the local Content field to 0.0.0.0 or leave it blank.
It is recommended that you type an IP address other than 0.0.0.0 in the local
Content field or use the DNS or E-mail ID type in the following situations.
• When there is a NAT router between the two IPSec routers.
• When you want the remote IPSec router to be able to distinguish between
VPN connection requests that come in from IPSec routers with dynamic WAN
IP addresses.
When you select DNS or E-mail in the Local ID Type field, type a domain name
or e-mail address by which to identify this ZyWALL in the local Content field. Use
up to 31 ASCII characters including spaces, although trailing spaces are
truncated. The domain name or e-mail address is for identification purposes only
and can be any string.
Peer ID Type
Select from the following when you set Authentication Key to Pre-shared Key.
• Select IP to identify the remote IPSec router by its IP address.
• Select DNS to identify the remote IPSec router by a domain name.
• Select E-mail to identify the remote IPSec router by an e-mail address.
Select from the following when you set Authentication Key to Certificate.
• Select IP to identify the remote IPSec router by the IP address in the subject
alternative name field of the certificate it uses for this VPN connection.
• Select DNS to identify the remote IPSec router by the domain name in the
subject alternative name field of the certificate it uses for this VPN connection.
• Select E-mail to identify the remote IPSec router by the e-mail address in the
subject alternative name field of the certificate it uses for this VPN connection.
• Select Subject Name to identify the remote IPSec router by the subject name
of the certificate it uses for this VPN connection.
• Select Any to have the ZyWALL not check the remote IPSec router's ID.
Content
The configuration of the peer content depends on the peer ID type.
Do the following when you set Authentication Key to Pre-shared Key.
• For IP, type the IP address of the computer with which you will make the VPN
connection. If you configure this field to 0.0.0.0 or leave it blank, the ZyWALL
will use the address in the Remote Gateway Address field (refer to the
Remote Gateway Address field description).
• For DNS or E-mail, type a domain name or e-mail address by which to identify
the remote IPSec router. Use up to 31 ASCII characters including spaces,
although trailing spaces are truncated. The domain name or e-mail address is
for identification purposes only and can be any string.
It is recommended that you type an IP address other than 0.0.0.0 or use the DNS
or E-mail ID type in the following situations:
• When there is a NAT router between the two IPSec routers.
• When you want the ZyWALL to distinguish between VPN connection requests
that come in from remote IPSec routers with dynamic WAN IP addresses.
Do the following when you set Authentication Key to Certificate.
• For IP, type the IP address from the subject alternative name field of the
certificate the remote IPSec router will use for this VPN connection. If you
configure this field to 0.0.0.0 or leave it blank, the ZyWALL will use the
address in the Remote Gateway Address field (refer to the Remote
Gateway Address field description).
• For DNS or E-mail, type the domain name or e-mail address from the subject
alternative name field of the certificate the remote IPSec router will use for this
VPN connection.
• For Subject Name, type the subject name of the certificate the remote IPSec router will use for this VPN connection. Use up to 255 ASCII characters including spaces.
• For Any, the peer Content field is not available.
• Regardless of how you configure the ID Type and Content fields, two active
SAs cannot have both the local and remote IP address ranges overlap
between rules.
Extended Authentication
Enable Extended Authentication
Select this check box to activate extended authentication.
Server Mode
Select Server Mode to have this ZyWALL authenticate extended authentication
clients that request this VPN connection.
You must also configure the extended authentication clients’ usernames and
passwords in the authentication server’s local user database or a RADIUS server
(see Chapter 21 on page 370).
Click Local User to go to the Local User Database screen where you can view
and/or edit the list of user names and passwords. Click RADIUS to go to the
RADIUS screen where you can configure the ZyWALL to check an external
RADIUS server.
During authentication, if the ZyWALL (in server mode) does not find the extended
authentication clients’ user name in its internal user database and an external
RADIUS server has been enabled, it attempts to authenticate the client through
the RADIUS server.
Client Mode
Select Client Mode to have your ZyWALL use a username and password when
initiating this VPN connection to the extended authentication server ZyWALL.
Only a VPN extended authentication client can initiate this VPN connection.
User Name
Enter a user name for your ZyWALL to be authenticated by the VPN peer (in
server mode). The user name can be up to 31 case-sensitive ASCII characters,
but spaces are not allowed. You must enter a user name and password when you
select client mode.
Password
Enter the corresponding password for the above user name. The password can
be up to 31 case-sensitive ASCII characters, but spaces are not allowed.
IKE Proposal
Negotiation Mode
Select Main or Aggressive from the drop-down list box. Multiple SAs connecting
through a secure gateway must have the same negotiation mode.
Encryption Algorithm
Select DES, 3DES or AES from the drop-down list box.
When you use one of these encryption algorithms for data communications, both
the sending device and the receiving device must use the same secret key, which
can be used to encrypt and decrypt the message or to generate and verify a
message authentication code. The DES encryption algorithm uses a 56-bit key.
Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result,
3DES is more secure than DES. It also requires more processing power, resulting
in increased latency and decreased throughput. This implementation of AES uses
a 128-bit key. AES is faster than 3DES.
Authentication Algorithm
Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and
SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet
data. The SHA1 algorithm is generally considered stronger than MD5, but is
slower. Select MD5 for minimal security and SHA-1 for maximum security.
SA Life Time (Seconds)
Define the length of time before an IKE SA automatically renegotiates in this field.
It may range from 180 to 3,000,000 seconds (almost 35 days).
A short SA Life Time increases security by forcing the two VPN gateways to
update the encryption and authentication keys. However, every time the VPN
tunnel renegotiates, all users accessing remote resources are temporarily
disconnected.
Key Group
You must choose a key group for phase 1 IKE setup. DH1 (default) refers to
Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to Diffie-Hellman
Group 2 a 1024 bit (1Kb) random number.
Enable Multiple Proposals
Select this check box to allow the ZyWALL to use any of its phase 1 or phase 2
encryption and authentication algorithms when negotiating an IPSec SA.
When you enable multiple proposals, the ZyWALL allows the remote IPSec router
to select which encryption and authentication algorithms to use for the VPN
tunnel, even if they are less secure than the ones you configure for the VPN rule.
Clear this check box to have the ZyWALL use only the phase 1 or phase 2
encryption and authentication algorithms configured below when negotiating an
IPSec SA.
Associated Network Policies
The following table shows the policy(ies) you configure for this rule.
To add a VPN policy, click the add network policy icon in the VPN Rules (IKE) screen (see Figure 148 on page 316). Refer to Section 19.12 on page 324 for more information.
#
This field displays the policy index number.
Name
This field displays the policy name.
Local Network
This field displays one or a range of IP address(es) of the computer(s) behind the
ZyWALL.
Remote Network
This field displays one or a range of IP address(es) of the remote network behind
the remote IPsec router.
Apply
Click Apply to save your changes back to the ZyWALL.
Cancel
Click Cancel to exit this screen without saving.
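The Pre-Shared Key row of Table 101 states the accepted key forms precisely enough to check mechanically. The block below is an added example, not ZyXEL code: it validates a key against those rules (8 to 31 case-sensitive ASCII characters, or "0x" plus 16 to 62 hexadecimal digits with the prefix not counted), generates a maximum-length random key for pasting into both gateways, and gives an upper bound on a key's entropy so the difference between a short passphrase and a full-length hex key is visible. Two assumptions not stated in the table: lowercase hex digits are accepted, and ASCII keys are limited to printable characters (0x20 to 0x7E).

```python
"""Validate and generate keys in the form the ZyWALL Pre-Shared Key field accepts.

Added example, not ZyXEL code. Rules from the field description: 8-31 case-sensitive
ASCII characters, or "0x" followed by 16-62 hexadecimal digits (prefix not counted).
Assumptions: lowercase hex digits are accepted; ASCII keys are printable 0x20-0x7E.
"""
import math
import secrets
import string

ASCII_MIN, ASCII_MAX = 8, 31
HEX_MIN, HEX_MAX = 16, 62
_HEX_DIGITS = frozenset(string.hexdigits)
_PRINTABLE_ASCII = frozenset(chr(c) for c in range(0x20, 0x7F))   # 95 characters


def classify_psk(key):
    """Return ("hex", digits) or ("ascii", key) for a valid key; raise ValueError otherwise."""
    if key.startswith("0x"):
        digits = key[2:]
        if not HEX_MIN <= len(digits) <= HEX_MAX:
            raise ValueError(f"hex key needs {HEX_MIN}-{HEX_MAX} digits after 0x, got {len(digits)}")
        if not set(digits) <= _HEX_DIGITS:
            raise ValueError("hex key contains a non-hexadecimal character")
        return "hex", digits
    if not ASCII_MIN <= len(key) <= ASCII_MAX:
        raise ValueError(f"ASCII key needs {ASCII_MIN}-{ASCII_MAX} characters, got {len(key)}")
    if not set(key) <= _PRINTABLE_ASCII:
        raise ValueError("ASCII key contains a non-printable or non-ASCII character")
    return "ascii", key


def is_valid_psk(key):
    """Boolean wrapper around classify_psk for use in configuration checks."""
    try:
        classify_psk(key)
        return True
    except ValueError:
        return False


def psk_entropy_bits(key):
    """Upper bound on key entropy: 4 bits per hex digit, or log2(95) per printable ASCII
    character if every character were chosen uniformly at random. A human-chosen
    phrase has far less than this bound."""
    kind, body = classify_psk(key)
    if kind == "hex":
        return 4 * len(body)
    return len(body) * math.log2(len(_PRINTABLE_ASCII))


def generate_psk(hex_form=True):
    """Random maximum-length key: 62 hex digits (248 bits) or 31 printable characters."""
    if hex_form:
        return "0x" + secrets.token_hex(HEX_MAX // 2).upper()   # 31 random bytes -> 62 digits
    alphabet = sorted(_PRINTABLE_ASCII - {" "})   # no spaces, so trimming cannot alter the key
    return "".join(secrets.choice(alphabet) for _ in range(ASCII_MAX))


if __name__ == "__main__":
    for candidate in ("0x0123456789ABCDEF", "summer2005", generate_psk()):
        print(candidate, is_valid_psk(candidate), round(psk_entropy_bits(candidate), 1))
```

Run stand-alone, the script prints each candidate with its validity and entropy bound; a 62-digit hex key gives 248 bits, while an 8-character ASCII key cannot exceed about 53 bits even if it were random.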
19.12 VPN Rules (IKE): Network Policy Edit
Click VPN and the add network policy icon in the VPN Rules (IKE) screen to display the VPN-Network Policy -Edit screen. Use this screen to configure a network policy.
Figure 152 VPN Rules (IKE): Network Policy Edit
The following table describes the labels in this screen.
Table 102 VPN Rules (IKE): Network Policy Edit
LABEL
DESCRIPTION
Active
If the Active check box is selected, packets for the tunnel trigger the ZyWALL to
build the tunnel.
Clear the Active check box to turn the network policy off. The ZyWALL does not
apply the policy. Packets for the tunnel do not trigger the tunnel.
If you clear the Active check box while the tunnel is up (and click Apply), you
turn off the network policy and the tunnel goes down.
Name
Type a name to identify this VPN network policy. You may use any character,
including spaces, but the ZyWALL drops trailing spaces.
Protocol
Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any
protocol.
Nailed-Up
Select this check box to turn on the nailed up feature for this SA.
Turn on nailed up to have the ZyWALL automatically reinitiate the SA after the
SA lifetime times out, even if there is no traffic. The ZyWALL also reinitiates the
SA when it restarts.
The ZyWALL also rebuilds the tunnel if it was disconnected due to the output or
input idle timer.
Allow NetBIOS Traffic Through IPSec Tunnel
This field is not available when the ZyWALL is in bridge mode.
NetBIOS (Network Basic Input/Output System) are TCP or UDP packets that
enable a computer to connect to and communicate with a LAN. It may
sometimes be necessary to allow NetBIOS packets to pass through VPN
tunnels in order to allow local computers to find computers on the remote
network and vice versa.
Select this check box to send NetBIOS packets through the VPN connection.
Check IPSec Tunnel Connectivity
Select the check box and configure an IP address in the Ping this Address field
to have the ZyWALL periodically test the VPN tunnel to the remote IPSec router.
The ZyWALL pings the IP address every minute. The ZyWALL starts the IPSec
connection idle timeout timer when it sends the ping packet. If there is no traffic
from the remote IPSec router by the time the timeout period expires, the
ZyWALL disconnects the VPN tunnel.
Log
Select this check box to set the ZyWALL to create logs when it cannot ping the
remote device.
Ping this Address
If you select Check IPSec Tunnel Connectivity, enter the IP address of a
computer at the remote IPSec network. The computer's IP address must be in
this IP policy's remote range (see the Remote Network fields).
Gateway Policy Information
Gateway Policy
Select the gateway policy with which you want to use the VPN policy.
Local Network
Local IP addresses must be static and correspond to the remote IPSec router's
configured remote IP addresses.
Two active SAs cannot have the local and remote IP address(es) both the same.
Two active SAs can have the same local or remote IP address, but not both.
You can configure multiple SAs between the same local and remote IP
addresses, as long as only one is active at any time.
Address Type
Use the drop-down list box to choose Single Address, Range Address, or
Subnet Address. Select Single Address for a single IP address. Select Range
Address for a specific range of IP addresses. Select Subnet Address to
specify IP addresses on a network by their subnet mask.
Starting IP Address
When the Address Type field is configured to Single Address, enter a (static)
IP address on the LAN behind your ZyWALL. When the Address Type field is
configured to Range Address, enter the beginning (static) IP address, in a
range of computers on the LAN behind your ZyWALL. When the Address Type
field is configured to Subnet Address, this is a (static) IP address on the LAN
behind your ZyWALL.
Ending IP Address/Subnet Mask
When the Address Type field is configured to Single Address, this field is N/A.
When the Address Type field is configured to Range Address, enter the end
(static) IP address, in a range of computers on the LAN behind your ZyWALL.
When the Address Type field is configured to Subnet Address, this is a subnet
mask on the LAN behind your ZyWALL.
Local Port
0 is the default and signifies any port. Type a port number from 0 to 65535 in the
Start and End fields. Some of the most common IP ports are: 21, FTP; 53, DNS;
23, Telnet; 80, HTTP; 25, SMTP; 110, POP3.
Remote Network
Remote IP addresses must be static and correspond to the remote IPSec
router's configured local IP addresses.
Two active SAs cannot have the local and remote IP address(es) both the same.
Two active SAs can have the same local or remote IP address, but not both.
You can configure multiple SAs between the same local and remote IP
addresses, as long as only one is active at any time.
Address Type
Use the drop-down list box to choose Single Address, Range Address, or
Subnet Address. Select Single Address with a single IP address. Select
Range Address for a specific range of IP addresses. Select Subnet Address
to specify IP addresses on a network by their subnet mask.
Starting IP Address
When the Address Type field is configured to Single Address, enter a (static)
IP address on the network behind the remote IPSec router. When the Address Type
field is configured to Range Address, enter the beginning (static) IP address, in
a range of computers on the network behind the remote IPSec router. When the
Address Type field is configured to Subnet Address, enter a (static) IP
address on the network behind the remote IPSec router.
Ending IP Address/Subnet Mask
When the Address Type field is configured to Single Address, this field is N/A.
When the Address Type field is configured to Range Address, enter the end
(static) IP address, in a range of computers on the network behind the remote
IPSec router. When the Address Type field is configured to Subnet Address,
enter a subnet mask on the network behind the remote IPSec router.
Remote Port
0 is the default and signifies any port. Type a port number from 0 to 65535 in the
Start and End fields. Some of the most common IP ports are: 21, FTP; 53, DNS;
23, Telnet; 80, HTTP; 25, SMTP; 110, POP3.
IPSec Proposal
Encapsulation Mode
Select Tunnel mode or Transport mode.
Active Protocol
Select the security protocols used for an SA.
Both AH and ESP increase processing requirements and communications
latency (delay).
Encryption Algorithm
When DES is used for data communications, both sender and receiver must
know the same secret key, which can be used to encrypt and decrypt the
message or to generate and verify a message authentication code. The DES
encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES
that uses a 168-bit key. As a result, 3DES is more secure than DES. It also
requires more processing power, resulting in increased latency and decreased
throughput. This implementation of AES uses a 128-bit key. AES is faster than
3DES. Select NULL to set up a tunnel without encryption. When you select
NULL, you do not enter an encryption key.
Authentication Algorithm
MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash
algorithms used to authenticate packet data. The SHA1 algorithm is generally
considered stronger than MD5, but is slower. Select MD5 for minimal security
and SHA-1 for maximum security.
SA Life Time (Seconds)
Define the length of time before an IKE SA automatically renegotiates in this
field. The minimum value is 180 seconds.
A short SA Life Time increases security by forcing the two VPN gateways to
update the encryption and authentication keys. However, every time the VPN
tunnel renegotiates, all users accessing remote resources are temporarily
disconnected.
Perfect Forward Secret (PFS)
Perfect Forward Secret (PFS) is disabled (NONE) by default in phase 2 IPSec
SA setup. This allows faster IPSec setup, but is not so secure.
Select DH1 or DH2 to enable PFS. DH1 refers to Diffie-Hellman Group 1 a 768
bit random number. DH2 refers to Diffie-Hellman Group 2 a 1024 bit (1Kb)
random number (more secure, yet slower).
Enable Replay Detection
As a VPN setup is processing intensive, the system is vulnerable to Denial of
Service (DOS) attacks. The IPSec receiver can detect and reject old or duplicate
packets to protect against replay attacks. Enable replay detection by selecting
this check box.
Enable Multiple Proposals
Select this check box to allow the ZyWALL to use any of its phase 1 or phase 2
encryption and authentication algorithms when negotiating an IPSec SA.
When you enable multiple proposals, the ZyWALL allows the remote IPSec
router to select which encryption and authentication algorithms to use for the
VPN tunnel, even if they are less secure than the ones you configure for the
VPN rule.
Clear this check box to have the ZyWALL use only the phase 1 or phase 2
encryption and authentication algorithms configured below when negotiating an
IPSec SA.
Apply
Click Apply to save the changes.
Cancel
Click Cancel to discard all changes and return to the main VPN screen.
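The Local Network and Remote Network rows of Table 102, and the Remote Gateway Address row of Table 101, each state a constraint on which network policies may be active at the same time. The block below is an added example, not ZyXEL code, that parses the three Address Type forms (Single Address, Range Address, Subnet Address) into address ranges and reports every pair of active policies that breaks one of the two rules: both local and remote ranges overlapping, or overlapping local ranges between rules whose Remote Gateway Address is 0.0.0.0. The policy records are constructed sample data using RFC 5737 documentation addresses for the gateways.

```python
"""Check a set of VPN network policies for the overlap conflicts the tables describe.

Added example, not ZyXEL code; the SAMPLE_POLICIES records are constructed. Rules
encoded: (1) two active SAs may not have both local and remote ranges overlap;
(2) active rules with Remote Gateway Address 0.0.0.0 may not have overlapping
local ranges at all. Inactive policies are ignored, as only one need be active.
"""
import ipaddress
from itertools import combinations


def to_range(addr_type, start, end_or_mask=None):
    """Map (Address Type, Starting IP, Ending IP or Subnet Mask) to an inclusive (lo, hi) pair."""
    if addr_type == "Single":
        a = int(ipaddress.IPv4Address(start))
        return a, a
    if addr_type == "Range":
        lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end_or_mask))
        if lo > hi:
            raise ValueError("range start is above range end")
        return lo, hi
    if addr_type == "Subnet":
        net = ipaddress.IPv4Network((start, end_or_mask), strict=False)
        return int(net.network_address), int(net.broadcast_address)
    raise ValueError(f"unknown address type {addr_type!r}")


def ranges_overlap(a, b):
    """True if the inclusive ranges a and b share at least one address."""
    return a[0] <= b[1] and b[0] <= a[1]


def find_conflicts(policies):
    """Return (name_a, name_b, reason) for each pair of active policies the rules forbid."""
    active = [p for p in policies if p["active"]]
    conflicts = []
    for a, b in combinations(active, 2):
        local = ranges_overlap(to_range(*a["local"]), to_range(*b["local"]))
        remote = ranges_overlap(to_range(*a["remote"]), to_range(*b["remote"]))
        if local and remote:
            conflicts.append((a["name"], b["name"], "both local and remote ranges overlap"))
        elif local and a["remote_gateway"] == "0.0.0.0" == b["remote_gateway"]:
            conflicts.append((a["name"], b["name"],
                              "local ranges overlap between rules with Remote Gateway Address 0.0.0.0"))
    return conflicts


# Constructed sample configuration; gateway addresses are RFC 5737 documentation ranges.
SAMPLE_POLICIES = [
    {"name": "HQ-to-Branch", "active": True, "remote_gateway": "203.0.113.5",
     "local": ("Subnet", "192.168.1.0", "255.255.255.0"),
     "remote": ("Subnet", "10.0.0.0", "255.255.255.0")},
    {"name": "HQ-to-Branch-standby", "active": False, "remote_gateway": "203.0.113.5",
     "local": ("Subnet", "192.168.1.0", "255.255.255.0"),
     "remote": ("Subnet", "10.0.0.0", "255.255.255.0")},   # inactive duplicate is allowed
    {"name": "RoadWarrior-A", "active": True, "remote_gateway": "0.0.0.0",
     "local": ("Range", "192.168.1.10", "192.168.1.20"),
     "remote": ("Subnet", "172.16.0.0", "255.255.255.0")},
    {"name": "RoadWarrior-B", "active": True, "remote_gateway": "0.0.0.0",
     "local": ("Single", "192.168.1.15"),
     "remote": ("Subnet", "172.16.1.0", "255.255.255.0")},
    {"name": "Dup-HQ-to-Branch", "active": True, "remote_gateway": "198.51.100.7",
     "local": ("Subnet", "192.168.1.0", "255.255.255.0"),
     "remote": ("Range", "10.0.0.50", "10.0.0.60")},
]

if __name__ == "__main__":
    for name_a, name_b, why in find_conflicts(SAMPLE_POLICIES):
        print(f"{name_a} <-> {name_b}: {why}")
```

On the sample data, "HQ-to-Branch" and "Dup-HQ-to-Branch" collide under rule (1) and the two road-warrior rules collide under rule (2); the standby copy of the HQ rule is inactive and therefore permitted, matching the note that multiple SAs between the same addresses may exist as long as only one is active.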
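The Enable Replay Detection row says the receiver can detect and reject old or duplicate packets; the block below is an added example, not ZyXEL code, of the sliding-window mechanism an IPSec receiver keeps per SA for that purpose, following the scheme in RFC 2401 Appendix C with a 64-packet window. A packet is rejected when its sequence number is older than the window or already marked as seen, and the window is advanced only after the packet's integrity check (ICV) has succeeded, so a forged packet cannot push the window forward and shut out legitimate traffic. The packet trace in `demo` is constructed.

```python
"""Sliding-window anti-replay check of the kind an IPSec receiver applies per SA.

Added example, not ZyXEL code. Window scheme after RFC 2401 Appendix C: a 64-bit
bitmap to the left of the highest accepted sequence number. The window is updated
only after the ICV verifies. Sequence numbers in demo() are constructed.
"""


class ReplayWindow:
    def __init__(self, size=64):
        self.size = size
        self.last_seq = 0        # highest sequence number accepted so far
        self.bitmap = 0          # bit i set  =>  last_seq - i has been accepted
        self.rejected = 0        # counter a defender would export to logs or metrics

    def check(self, seq):
        """True if seq is acceptable: not 0, not behind the window, not a duplicate."""
        if seq == 0:
            return False                         # ESP sequence numbers start at 1
        if seq > self.last_seq:
            return True                          # right of the window: a new packet
        diff = self.last_seq - seq
        if diff >= self.size:
            return False                         # too old, fell off the left edge
        return not (self.bitmap >> diff) & 1     # inside the window: reject if already seen

    def update(self, seq):
        """Mark seq as received; call only after check() passed and the ICV verified."""
        mask = (1 << self.size) - 1
        if seq > self.last_seq:
            diff = seq - self.last_seq
            self.bitmap = ((self.bitmap << diff) | 1) & mask if diff < self.size else 1
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)

    def process(self, seq, icv_ok):
        """Receiver path for one packet: window check, then ICV result, then window update."""
        if not self.check(seq) or not icv_ok:
            self.rejected += 1
            return False
        self.update(seq)
        return True


def demo():
    """Constructed trace: in-order, a replay, a jump, out-of-order inside the window, and a stale packet."""
    w = ReplayWindow()
    trace = [(1, True), (2, True), (2, True), (100, True), (40, True), (40, True), (36, True), (37, True)]
    return [w.process(seq, ok) for seq, ok in trace]


if __name__ == "__main__":
    print(demo())
```

In the trace, sequence 36 is rejected not as a duplicate but because it is exactly 64 behind the newest accepted packet, while 37 (63 behind) is still accepted; that boundary is where window size trades off against tolerance for reordering on the path.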
19.13 VPN Rules (IKE): Network Policy Move
Click the move icon in the VPN Rules (IKE) screen to display the VPN Rules (IKE): Network Policy Move screen. Use this screen to associate a network policy to a gateway rule.
Figure 153 VPN Rules (IKE): Network Policy Move
The following table describes the labels in this screen.
Table 103 VPN Rules (IKE): Network Policy Move
LABEL
DESCRIPTION
Network Policy Information
The following fields display the general network settings of this VPN policy.
Name
This field displays the policy name.
Local Network
This field displays one or a range of IP address(es) of the computer(s) behind the
ZyWALL.
Remote Network
This field displays one or a range of IP address(es) of the remote network behind
the remote IPsec router.
Gateway Policy Information
Gateway Policy
Select the name of a VPN rule (or gateway policy) to which you want to associate
this VPN network policy.
If you do not want to associate a network policy to any gateway policy, select
Recycle Bin from the drop-down list box. The Recycle Bin gateway policy is a
virtual placeholder for any network policy(ies) without an associated gateway
policy. When there is a network policy in Recycle Bin, the Recycle Bin gateway
policy automatically displays in the VPN Rules (IKE) screen.
Apply
Click Apply to save the changes.
Cancel
Click Cancel to discard all changes and return to the main VPN screen.
19.14 VPN Rules (Manual)
Refer to Figure 150 on page 317 for a graphical representation of the fields in the web
configurator.
Click VPN and the VPN Rules (Manual) tab to open the VPN Rules screen. This is a read-only menu of your IPSec rules (tunnels). Edit an IPSec rule by clicking the edit icon to configure the associated submenus.
You may want to configure a VPN rule that uses manual key management if you are having
problems with IKE key management.
Refer to Table 100 on page 317 for descriptions of the icons used in this screen.
Figure 154 VPN Rules (Manual)
The following table describes the labels in this screen.
Table 104 VPN Rules (Manual)
LABEL
DESCRIPTION
#
This is the VPN policy index number.
Name
This field displays the identification name for this VPN policy.
Active
This field displays whether the VPN policy is active or not. A Yes signifies that this
VPN policy is active. No signifies that this VPN policy is not active.
Local Network
This is the IP address(es) of computer(s) on your local network behind your
ZyWALL.
The same (static) IP address is displayed twice when the Local Network Address
Type field in the VPN - Manual Key - Edit screen is configured to Single Address.
The beginning and ending (static) IP addresses, in a range of computers are displayed when the Local Network Address Type field in the VPN - Manual Key - Edit screen is configured to Range Address.
A (static) IP address and a subnet mask are displayed when the Local Network
Address Type field in the VPN - Manual Key - Edit screen is configured to Subnet
Address.
Remote Network
This is the IP address(es) of computer(s) on the remote network behind the remote
IPSec router.
This field displays N/A when the Remote Gateway Address field displays 0.0.0.0.
In this case only the remote IPSec router can initiate the VPN.
The same (static) IP address is displayed twice when the Remote Network
Address Type field in the VPN - Manual Key - Edit screen is configured to Single
Address.
The beginning and ending (static) IP addresses, in a range of computers are
displayed when the Remote Network Address Type field in the VPN - Manual
Key - Edit screen is configured to Range Address.
A (static) IP address and a subnet mask are displayed when the Remote Network
Address Type field in the VPN - Manual Key - Edit screen is configured to Subnet
Address.
Encap.
This field displays Tunnel or Transport mode (Tunnel is the default selection).
IPSec Algorithm
This field displays the security protocols used for an SA.
Both AH and ESP increase ZyWALL processing requirements and communications
latency (delay).
Remote Gateway Address
This is the static WAN IP address or domain name of the remote IPSec router.
Modify
Click the edit icon to edit the VPN policy.
Click the delete icon to remove the VPN policy. A window displays asking you to
confirm that you want to delete the VPN rule. When a VPN policy is deleted,
subsequent policies move up in the page list.
Click the dial icon to dial up the connection manually. If a VPN tunnel has been built
and dialed up, every time you click this icon, a warning message appears in the
status bar on the bottom of the screen.
Add
Click Add to add a new VPN policy.
19.15 VPN Rules (Manual): Edit
Manual key management is useful if you have problems with IKE key management.
19.15.1 Security Parameter Index (SPI)
An SPI is used to distinguish different SAs terminating at the same destination and using the
same IPSec protocol. This data allows for the multiplexing of SAs to a single gateway. The
SPI (Security Parameter Index) along with a destination IP address uniquely identify a
particular Security Association (SA). The SPI is transmitted from the remote VPN gateway to
the local VPN gateway. The local VPN gateway then uses the network, encryption and key
values that the administrator associated with the SPI to establish the tunnel.
Note: Current ZyXEL implementation assumes identical outgoing and incoming SPIs.
Click the edit icon on the VPN Rules (Manual) screen to edit VPN rules.
Figure 155 VPN Rules (Manual): Edit
The following table describes the labels in this screen.
Table 105 VPN Rules (Manual) Edit
LABEL
DESCRIPTION
Property
Active
Select this check box to activate this VPN policy.
Name
Type up to 32 characters to identify this VPN policy. You may use any character,
including spaces, but the ZyWALL drops trailing spaces.
Allow NetBIOS Traffic Through IPSec Tunnel
This field is not available when the ZyWALL is in bridge mode.
NetBIOS (Network Basic Input/Output System) packets are TCP or UDP packets that
enable a computer to find other computers. It may sometimes be necessary to
allow NetBIOS packets to pass through VPN tunnels in order to allow local
computers to find computers on the remote network and vice versa.
Select this check box to send NetBIOS packets through the VPN connection.
Local Network
Local IP addresses must be static and correspond to the remote IPSec router's
configured remote IP addresses.
Two active SAs cannot have the local and remote IP address(es) both the same.
Two active SAs can have the same local or remote IP address, but not both. You
can configure multiple SAs between the same local and remote IP addresses, as
long as only one is active at any time.
Address Type
Use the drop-down list box to choose Single Address, Range Address, or
Subnet Address. Select Single Address for a single IP address. Select Range
Address for a specific range of IP addresses. Select Subnet Address to specify
IP addresses on a network by their subnet mask.
Starting IP Address
When the Address Type field is configured to Single Address, enter a (static) IP
address on the LAN behind your ZyWALL. When the Address Type field is
configured to Range Address, enter the beginning (static) IP address in a range
of computers on the LAN behind your ZyWALL. When the Address Type field is
configured to Subnet Address, this is a (static) IP address on the LAN behind your
ZyWALL.
Ending IP Address/Subnet Mask
When the Address Type field is configured to Single Address, this field is N/A.
When the Address Type field is configured to Range Address, enter the end
(static) IP address in a range of computers on the LAN behind your ZyWALL.
When the Address Type field is configured to Subnet Address, this is a subnet
mask on the LAN behind your ZyWALL.
Remote Network
Remote IP addresses must be static and correspond to the remote IPSec router's
configured local IP addresses.
Two active SAs cannot have the local and remote IP address(es) both the same.
Two active SAs can have the same local or remote IP address, but not both. You
can configure multiple SAs between the same local and remote IP addresses, as
long as only one is active at any time.
Address Type
Use the drop-down list box to choose Single Address, Range Address, or
Subnet Address. Select Single Address for a single IP address. Select Range
Address for a specific range of IP addresses. Select Subnet Address to specify
IP addresses on a network by their subnet mask.
Starting IP Address
When the Address Type field is configured to Single Address, enter a (static) IP
address on the network behind the remote IPSec router. When the Address Type
field is configured to Range Address, enter the beginning (static) IP address in a
range of computers on the network behind the remote IPSec router. When the
Address Type field is configured to Subnet Address, enter a (static) IP address
on the network behind the remote IPSec router.
Ending IP Address/Subnet Mask
When the Address Type field is configured to Single Address, this field is N/A.
When the Address Type field is configured to Range Address, enter the end
(static) IP address in a range of computers on the network behind the remote
IPSec router. When the Address Type field is configured to Subnet Address,
enter a subnet mask on the network behind the remote IPSec router.
Gateway Policy Information
My ZyWALL
When the ZyWALL is in router mode, enter the WAN IP address or the domain
name of your ZyWALL or leave the field set to 0.0.0.0.
For a ZyWALL with multiple WAN ports, the following applies if the My ZyWALL
field is configured as 0.0.0.0:
• When the WAN port operation mode is set to Active/Passive, the ZyWALL
uses the IP address (static or dynamic) of the WAN port that is in use.
• When the WAN port operation mode is set to Active/Active, the ZyWALL uses
the IP address (static or dynamic) of the primary (highest priority) WAN port to
set up the VPN tunnel as long as the corresponding WAN1 or WAN2
connection is up. If the corresponding WAN1 or WAN2 connection goes down,
the ZyWALL uses the IP address of the other WAN port.
• If both WAN connections go down, the ZyWALL uses the dial backup IP
address for the VPN tunnel when using dial backup or the LAN IP address
when using traffic redirect. See the chapter on WAN for details on dial backup
and traffic redirect.
A ZyWALL with a single WAN port uses its current WAN IP address (static or
dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. If the WAN
connection goes down, the ZyWALL uses the dial backup IP address for the VPN
tunnel when using dial backup or the LAN IP address when using traffic redirect.
The VPN tunnel has to be rebuilt if this IP address changes.
When the ZyWALL is in bridge mode, this field is read-only and displays the
ZyWALL’s IP address.
Remote Gateway Addr
Type the WAN IP address or the domain name (up to 31 characters) of the IPSec
router with which you're making the VPN connection.
Manual Proposal
SPI
Type a unique SPI (Security Parameter Index) from one to four characters long.
Valid characters are the digits 0 through 9.
Encapsulation Mode
Select Tunnel mode or Transport mode from the drop-down list box.
Active Protocol
Select ESP if you want to use ESP (Encapsulation Security Payload). The ESP
protocol (RFC 2406) provides encryption as well as some of the services offered
by AH. If you select ESP here, you must select options from the Encryption
Algorithm and Authentication Algorithm fields (described next).
Select AH if you want to use AH (Authentication Header Protocol). The AH protocol
(RFC 2402) was designed for integrity, authentication, sequence integrity (replay
resistance), and non-repudiation but not for confidentiality, for which the ESP was
designed. If you select AH here, you must select options from the Authentication
Algorithm field (described next).
Encryption Algorithm
Select DES, 3DES or NULL from the drop-down list box.
When DES is used for data communications, both sender and receiver must know
the Encryption Key, which can be used to encrypt and decrypt the message or to
generate and verify a message authentication code. The DES encryption algorithm
uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key.
As a result, 3DES is more secure than DES. It also requires more processing
power, resulting in increased latency and decreased throughput. Select NULL to
set up a tunnel without encryption. When you select NULL, you do not enter an
encryption key.
Authentication Algorithm
Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and
SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet
data. The SHA1 algorithm is generally considered stronger than MD5, but is
slower. Select MD5 for minimal security and SHA-1 for maximum security.
Encryption Key
This field is applicable when you select ESP in the Active Protocol field above.
With DES, type a unique key 8 characters long. With 3DES, type a unique key 24
characters long. Any characters may be used, including spaces, but trailing spaces
are truncated.
Authentication Key
Type a unique authentication key to be used by IPSec if applicable. Enter 16
characters for MD5 authentication or 20 characters for SHA-1 authentication. Any
characters may be used, including spaces, but trailing spaces are truncated.
Apply
Click Apply to save your changes back to the ZyWALL.
Cancel
Click Cancel to exit this screen without saving.
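The field rules in Table 105 and the SA identification rule in Section 19.15.1 can be checked before a manual-key rule is applied. The following is an added example and not ZyXEL code: the ManualRule fields, validate_rule(), sa_selector() and check_active_set() are assumptions, while the name and key lengths, the SPI format and the "not both local and remote the same" restriction are the ones the manual states. The sample rules are constructed.

```python
"""Field validation for a manual-key VPN rule and the cross-rule checks
that Table 105 and Section 19.15.1 describe. Added example, not ZyXEL
code: the ManualRule fields and the function names are assumptions; the
limits come from the manual."""
from dataclasses import dataclass
from typing import Optional

# Key lengths in characters, as Table 105 states them.
ENC_KEY_LEN = {"DES": 8, "3DES": 24, "NULL": 0}
AUTH_KEY_LEN = {"MD5": 16, "SHA1": 20}


@dataclass
class ManualRule:
    name: str
    local: str              # local network behind this ZyWALL (address or CIDR)
    remote: str             # remote network behind the peer IPSec router
    remote_gateway: str     # peer router's WAN address
    spi: str                # 1 to 4 decimal digits, same in both directions
    protocol: str           # "ESP" or "AH"
    auth_alg: str           # "SHA1" or "MD5"
    auth_key: str
    enc_alg: Optional[str] = None   # "DES", "3DES" or "NULL"; ESP only
    enc_key: Optional[str] = None
    active: bool = True


def validate_rule(r: ManualRule) -> list:
    """Return the list of problems with one rule; an empty list means it is acceptable."""
    problems = []
    if not 1 <= len(r.name.rstrip(" ")) <= 32:        # trailing spaces are dropped
        problems.append("name must be 1 to 32 characters")
    if not (1 <= len(r.spi) <= 4 and set(r.spi) <= set("0123456789")):
        problems.append("SPI must be 1 to 4 decimal digits")
    if r.protocol not in ("ESP", "AH"):
        problems.append("active protocol must be ESP or AH")
    if r.auth_alg not in AUTH_KEY_LEN:
        problems.append("authentication algorithm must be SHA1 or MD5")
    elif len(r.auth_key.rstrip(" ")) != AUTH_KEY_LEN[r.auth_alg]:
        problems.append(f"{r.auth_alg} key must be {AUTH_KEY_LEN[r.auth_alg]} characters")
    if r.protocol == "ESP":
        if r.enc_alg not in ENC_KEY_LEN:
            problems.append("ESP needs an encryption algorithm: DES, 3DES or NULL")
        else:
            want, got = ENC_KEY_LEN[r.enc_alg], len((r.enc_key or "").rstrip(" "))
            if got != want:
                problems.append(f"{r.enc_alg} key must be {want} characters, got {got}")
    elif r.protocol == "AH" and r.enc_alg not in (None, "NULL"):
        problems.append("AH provides no encryption; leave the encryption algorithm unset")
    return problems


def sa_selector(r: ManualRule) -> tuple:
    """Section 19.15.1: destination address, IPSec protocol and SPI identify an SA.
    For traffic this ZyWALL sends, the destination is the remote gateway."""
    return (r.remote_gateway, r.protocol, r.spi)


def check_active_set(rules) -> list:
    """Cross-rule checks over active rules only: Table 105 forbids two active
    rules with the same local and remote networks, and two rules sharing one
    SA selector would be indistinguishable to the peer (Section 19.15.1)."""
    problems, nets, selectors = [], {}, {}
    for r in rules:
        if not r.active:
            continue
        key = (r.local, r.remote)
        if key in nets:
            problems.append(f"{r.name} and {nets[key]} are both active with the same local and remote networks")
        nets.setdefault(key, r.name)
        sel = sa_selector(r)
        if sel in selectors:
            problems.append(f"{r.name} and {selectors[sel]} reuse SPI {r.spi} for {r.protocol} to {r.remote_gateway}")
        selectors.setdefault(sel, r.name)
    return problems


# Constructed sample rules (addresses from documentation ranges, keys are filler).
GOOD = ManualRule("hq-to-branch", "192.168.1.0/24", "192.168.2.0/24", "203.0.113.5",
                  "1001", "ESP", "SHA1", "s" * 20, "3DES", "e" * 24)
BAD = ManualRule("branch-test", "192.168.1.0/24", "192.168.3.0/24", "203.0.113.6",
                 "65536", "ESP", "MD5", "short", "DES", "e" * 24)
DUP_NETS = ManualRule("hq-to-branch-2", "192.168.1.0/24", "192.168.2.0/24", "203.0.113.5",
                      "1002", "ESP", "SHA1", "s" * 20, "3DES", "e" * 24)
DUP_SPI = ManualRule("hq-to-branch-3", "192.168.1.0/24", "192.168.4.0/24", "203.0.113.5",
                     "1001", "ESP", "SHA1", "s" * 20, "3DES", "e" * 24)
INACTIVE = ManualRule("standby", "192.168.1.0/24", "192.168.2.0/24", "203.0.113.5",
                      "1003", "AH", "MD5", "m" * 16, active=False)

if __name__ == "__main__":
    for rule in (GOOD, BAD):
        print(rule.name, validate_rule(rule) or "ok")
    print(check_active_set([GOOD, DUP_NETS, DUP_SPI, INACTIVE]))
```

The inactive duplicate is deliberately accepted: the manual allows several SAs between the same networks as long as only one is active at a time.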
19.16 VPN SA Monitor
In the web configurator, click VPN and the SA Monitor tab. Use this screen to display and
manage active VPN connections.
A Security Association (SA) is the group of security settings related to a specific VPN tunnel.
This screen displays active VPN connections. Use Refresh to display active VPN
connections. This screen is read-only.
Figure 156 VPN: SA Monitor
The following table describes the labels in this screen.
Table 106 VPN: SA Monitor
LABEL
DESCRIPTION
#
This is the security association index number.
Name
This field displays the identification name for this VPN policy.
Local Network
This field displays the IP address of the computer using the VPN IPSec feature of
your ZyWALL.
Remote Network
This field displays IP address (in a range) of computers on the remote network
behind the remote IPSec router.
Encapsulation
This field displays Tunnel or Transport mode.
IPSec Algorithm
This field displays the security protocols used for an SA.
Both AH and ESP increase ZyWALL processing requirements and
communications latency (delay).
Refresh
Click Refresh to display the current active VPN connection(s).
Disconnect
Select a security association index number that you want to disconnect and then
click Disconnect.
19.17 VPN Global Setting
Click VPN, then the Global Setting tab to open the VPN Global Setting screen. Use this
screen to change your ZyWALL’s global settings.
Figure 157 VPN: Global Setting
The following table describes the labels in this screen.
Table 107 VPN: Global Setting
LABEL
DESCRIPTION
Output Idle Timer
When traffic is sent to a remote IPSec router from which no reply is received
after the specified time period, the ZyWALL checks the VPN connectivity. If
the remote IPSec router does not reply, the ZyWALL automatically
disconnects the VPN tunnel.
Enter the time period (between 30 and 3600 seconds) to wait before the
ZyWALL checks all of the VPN connections to remote IPSec routers.
Enter 0 to disable this feature.
Input Idle Timer
When no traffic is received from a remote IPSec router after the specified
time period, the ZyWALL checks the VPN connectivity. If the remote IPSec
router does not reply, the ZyWALL automatically disconnects the VPN tunnel.
Enter the time period (between 30 and 3600 seconds) to wait before the
ZyWALL checks all of the VPN connections to remote IPSec routers.
Enter 0 to disable this feature.
Gateway Domain Name Update Timer
This field is applicable when you enter a domain name to identify the
ZyWALL and/or the remote secure gateway.
Enter the time period (between 2 and 60 minutes) to wait before the ZyWALL
updates the domain name and IP address mapping through a DNS server.
The ZyWALL rebuilds the VPN tunnel if it finds that the domain name is now
using a different IP address (any users of the VPN tunnel will be temporarily
disconnected).
Enter 0 to disable this feature.
Apply
Click Apply to save your changes back to the ZyWALL.
Reset
Click Reset to begin configuring this screen afresh.
19.18 Telecommuter VPN/IPSec Examples
The following examples show how multiple telecommuters can make VPN connections to a
single ZyWALL at headquarters. The telecommuters use IPSec routers with dynamic WAN IP
addresses. The ZyWALL at headquarters has a static public IP address.
19.18.1 Telecommuters Sharing One VPN Rule Example
See the following figure and table for an example configuration that allows multiple
telecommuters (A, B and C in the figure) to use one VPN rule to simultaneously access a
ZyWALL at headquarters (HQ in the figure). The telecommuters do not have domain names
mapped to the WAN IP addresses of their IPSec routers. The telecommuters must all use the
same IPSec parameters but the local IP addresses (or ranges of addresses) should not overlap.
Figure 158 Telecommuters Sharing One VPN Rule Example
Table 108 Telecommuters Sharing One VPN Rule Example
My ZyWALL:
  Telecommuters: 0.0.0.0 (dynamic IP address assigned by the ISP)
  Headquarters: Public static IP address
Remote Gateway Address:
  Telecommuters: Public static IP address
  Headquarters: 0.0.0.0 (with this IP address only the telecommuter can initiate the IPSec tunnel)
Local Network - Single IP Address:
  Telecommuters: Telecommuter A: 192.168.2.12, Telecommuter B: 192.168.3.2, Telecommuter C: 192.168.4.15
  Headquarters: 192.168.1.10
Remote Network - Single IP Address:
  Telecommuters: 192.168.1.10
  Headquarters: Not Applicable
19.18.2 Telecommuters Using Unique VPN Rules Example
In this example the telecommuters (A, B and C in the figure) use IPSec routers with domain
names that are mapped to their dynamic WAN IP addresses (use Dynamic DNS to do this).
With aggressive negotiation mode (see Section 19.8.1 on page 314), the ZyWALL can use the
ID types and contents to distinguish between VPN rules. Telecommuters can each use a
separate VPN rule to simultaneously access a ZyWALL at headquarters. They can use
different IPSec parameters. The local IP addresses (or ranges of addresses) of the rules
configured on the ZyWALL at headquarters can overlap. The local IP addresses of the rules
configured on the telecommuters’ IPSec routers should not overlap.
See the following table and figure for an example where three telecommuters each use a
different VPN rule for a VPN connection with a ZyWALL located at headquarters. The
ZyWALL at headquarters (HQ in the figure) identifies each incoming SA by its ID type and
content and uses the appropriate VPN rule to establish the VPN connection.
The ZyWALL at headquarters can also initiate VPN connections to the telecommuters since it
can find the telecommuters by resolving their domain names.
Figure 159 Telecommuters Using Unique VPN Rules Example
Table 109 Telecommuters Using Unique VPN Rules Example
All Telecommuter Rules:
  My ZyWALL: 0.0.0.0
  Remote Gateway Address: bigcompanyhq.com
  Remote Network - Single IP Address: 192.168.1.10
  Peer ID Type: E-mail
  Peer ID Content: [email protected]
All Headquarters Rules:
  My ZyWALL: bigcompanyhq.com
  Local Network - Single IP Address: 192.168.1.10
  Local ID Type: E-mail
  Local ID Content: [email protected]
Telecommuter A (telecommutera.dydns.org):
  Local ID Type: IP
  Local ID Content: 192.168.2.12
  Local IP Address: 192.168.2.12
Headquarters ZyWALL Rule 1:
  Peer ID Type: IP
  Peer ID Content: 192.168.2.12
  Remote Gateway Address: telecommutera.dydns.org
  Remote Address: 192.168.2.12
Telecommuter B (telecommuterb.dydns.org):
  Local ID Type: DNS
  Local ID Content: telecommuterb.com
  Local IP Address: 192.168.3.2
Headquarters ZyWALL Rule 2:
  Peer ID Type: DNS
  Peer ID Content: telecommuterb.com
  Remote Gateway Address: telecommuterb.dydns.org
  Remote Address: 192.168.3.2
Telecommuter C (telecommuterc.dydns.org):
  Local ID Type: E-mail
  Local ID Content: [email protected]
  Local IP Address: 192.168.4.15
Headquarters ZyWALL Rule 3:
  Peer ID Type: E-mail
  Peer ID Content: [email protected]
  Remote Gateway Address: telecommuterc.dydns.org
  Remote Address: 192.168.4.15
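Two things decide whether the setups in Sections 19.18.1 and 19.18.2 work: the headquarters ZyWALL must be able to pick exactly one rule from the ID type and content a telecommuter sends in aggressive mode, and the telecommuters' local networks must not overlap. The following is an added example, not ZyXEL code: the Rule type, select_rule() and check_no_overlap() are assumptions. The addresses and host names are those of Tables 108 and 109; the e-mail ID is a placeholder because the manual's copy redacts it, and the fourth telecommuter is constructed to show the overlap case.

```python
"""Rule selection by peer ID and the address-overlap check for the
telecommuter setups in Sections 19.18.1 and 19.18.2. Added example, not
ZyXEL code: Rule, select_rule() and check_no_overlap() are assumptions."""
import ipaddress
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Rule:
    name: str
    peer_id_type: str       # "IP", "DNS" or "E-mail", as in Table 109
    peer_id_content: str
    remote_network: str     # address or CIDR behind the telecommuter's router


def normalise_id(id_type, content):
    """Canonical form of an ID so equivalent spellings match: IP addresses are
    compared as addresses, DNS names case-insensitively, e-mail addresses with
    a case-insensitive domain part."""
    if id_type == "IP":
        return ("IP", str(ipaddress.ip_address(content)))
    if id_type == "DNS":
        return ("DNS", content.rstrip(".").lower())
    if id_type == "E-mail":
        local, _, domain = content.partition("@")
        return ("E-mail", local + "@" + domain.lower())
    raise ValueError(f"unknown ID type {id_type!r}")


def select_rule(rules, id_type, content):
    """Pick the headquarters rule whose peer ID matches the ID the telecommuter
    sends in aggressive mode (Section 19.18.2). None means no rule applies, and
    the negotiation should fail rather than fall through to another rule."""
    wanted = normalise_id(id_type, content)
    for rule in rules:
        if normalise_id(rule.peer_id_type, rule.peer_id_content) == wanted:
            return rule
    return None


def check_no_overlap(networks):
    """Return the pairs of telecommuters whose local networks overlap; both
    Sections 19.18.1 and 19.18.2 require this list to be empty."""
    parsed = {name: ipaddress.ip_network(net, strict=False) for name, net in networks.items()}
    return [(a, b) for a, b in combinations(sorted(parsed), 2)
            if parsed[a].overlaps(parsed[b])]


# Headquarters rules from Table 109; the e-mail address is a placeholder.
HQ_RULES = [
    Rule("Rule 1", "IP", "192.168.2.12", "192.168.2.12"),
    Rule("Rule 2", "DNS", "telecommuterb.com", "192.168.3.2"),
    Rule("Rule 3", "E-mail", "telecommuterc@example.com", "192.168.4.15"),
]

# Telecommuter local addresses from Table 108.
TELECOMMUTERS = {"A": "192.168.2.12", "B": "192.168.3.2", "C": "192.168.4.15"}

if __name__ == "__main__":
    hit = select_rule(HQ_RULES, "DNS", "TelecommuterB.com.")
    print("DNS ID matched:", hit.name if hit else None)
    print("overlaps:", check_no_overlap(TELECOMMUTERS))
    # A constructed fourth telecommuter whose subnet contains A's address.
    print("overlaps with D:", check_no_overlap({**TELECOMMUTERS, "D": "192.168.2.0/24"}))
```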
19.19 VPN and Remote Management
If a VPN tunnel uses Telnet, FTP, WWW, SNMP, DNS or ICMP, then you should configure
remote management (REMOTE MGMT) to allow access for that service.
CHAPTER 20
Certificates
This chapter gives background information about public-key certificates and explains how to
use them.
20.1 Certificates Overview
The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates
are based on public-private key pairs. A certificate contains the certificate owner’s identity and
public key. Certificates provide a way to exchange public keys for use in authentication.
A Certification Authority (CA) issues certificates and guarantees the identity of each
certificate owner. There are commercial certification authorities like CyberTrust or VeriSign
and government certification authorities. You can use the ZyWALL to generate certification
requests that contain identifying information and public keys and then send the certification
requests to a certification authority.
In public-key encryption and decryption, each host has two keys. One key is public and can be
made openly available; the other key is private and must be kept secure. Public-key encryption
in general works as follows.
1 Tim wants to send a private message to Jenny. Tim generates a public key pair. What is
encrypted with one key can only be decrypted using the other.
2 Tim keeps the private key and makes the public key openly available.
3 Tim uses his private key to encrypt the message and sends it to Jenny.
4 Jenny receives the message and uses Tim’s public key to decrypt it.
5 Additionally, Jenny uses her own private key to encrypt a message and Tim uses Jenny’s
public key to decrypt the message.
The ZyWALL uses certificates based on public-key cryptography to authenticate users
attempting to establish a connection, not to encrypt the data that you send after establishing a
connection. The method used to secure the data that you send through an established
connection depends on the type of connection. For example, a VPN tunnel might use the triple
DES encryption algorithm.
The certification authority uses its private key to sign certificates. Anyone can then use the
certification authority’s public key to verify the certificates.
A certification path is the hierarchy of certification authority certificates that validate a
certificate. The ZyWALL does not trust a certificate if any certificate on its path has expired or
been revoked.
Certification authorities maintain directory servers with databases of valid and revoked
certificates. A directory of certificates that have been revoked before the scheduled expiration
is called a CRL (Certificate Revocation List). The ZyWALL can check a peer’s certificate
against a directory server’s list of revoked certificates. The framework of servers, software,
procedures and policies that handles keys is called PKI (public-key infrastructure).
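The trust decision described above combines three checks: the certificate must chain to a CA in the device's trusted list, every certificate on that path must be inside its validity period, and none of them may appear in the issuer's CRL. The following is an added example, not ZyXEL code: Cert, validity_status(), build_path(), validate_path() and all sample certificates are constructed here, and the signature verification a real PKI performs at each link with the issuer's public key is left outside the model. The status strings are the ones Table 110 shows.

```python
"""Model of the certification-path checks in Section 20.1. Added example,
not ZyXEL code: the types, functions and sample certificates are
constructed; signature verification at each link is outside the model."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int           # unique per issuer, so (issuer, serial) names a certificate
    not_before: datetime
    not_after: datetime
    is_ca: bool = False


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


def validity_status(cert, now, warn_days=30):
    """The status Table 110 reports: 'Not Yet Valid!', 'Expired!', 'Expiring!' or 'OK'."""
    if now < cert.not_before:
        return "Not Yet Valid!"
    if now > cert.not_after:
        return "Expired!"
    if (cert.not_after - now).days < warn_days:
        return "Expiring!"
    return "OK"


def build_path(leaf, pool, trusted):
    """Follow issuer links from the leaf through intermediate CA certificates in
    the pool until a trusted CA certificate is reached. Returns None when the
    chain is broken or ends at a CA the device does not trust."""
    if leaf.issuer == leaf.subject and leaf.subject in trusted:
        return [leaf]                      # self-signed, imported as a trusted remote host
    ca_by_subject = {c.subject: c for c in pool if c.is_ca}
    path, cur = [leaf], leaf
    while cur.issuer not in trusted:
        nxt = ca_by_subject.get(cur.issuer)
        if nxt is None or nxt in path or len(path) >= 8:
            return None
        path.append(nxt)
        cur = nxt
    path.append(trusted[cur.issuer])
    return path


def validate_path(leaf, pool, trusted, crl, now):
    """Return (ok, reason). crl is the set of revoked (issuer, serial) pairs."""
    path = build_path(leaf, pool, trusted)
    if path is None:
        return False, "no certification path to a trusted CA"
    for c in path:
        status = validity_status(c, now)
        if status in ("Not Yet Valid!", "Expired!"):
            return False, f"{c.subject}: {status}"
        if (c.issuer, c.serial) in crl:
            return False, f"{c.subject}: revoked"
    return True, "trusted via " + " -> ".join(c.subject for c in path)


# Constructed sample certificates; dates are chosen around NOW below.
ROOT = Cert("Example Root CA", "Example Root CA", 1, utc(2004, 1, 1), utc(2014, 1, 1), is_ca=True)
INTER = Cert("Example Issuing CA", "Example Root CA", 2, utc(2005, 1, 1), utc(2010, 1, 1), is_ca=True)
SERVER = Cert("vpn.example.net", "Example Issuing CA", 10, utc(2005, 6, 1), utc(2006, 6, 1))
EXPIRING = Cert("soon.example.net", "Example Issuing CA", 11, utc(2005, 1, 1), utc(2006, 1, 1))
EXPIRED = Cert("old.example.net", "Example Issuing CA", 12, utc(2004, 1, 1), utc(2005, 1, 1))
REVOKED = Cert("lost.example.net", "Example Issuing CA", 13, utc(2005, 6, 1), utc(2006, 6, 1))
STRANGER = Cert("peer.example.org", "Other CA", 5, utc(2005, 6, 1), utc(2006, 6, 1))

TRUSTED = {ROOT.subject: ROOT}           # the Trusted CAs list
POOL = [INTER]                           # intermediates received with the peer's certificate
CRL = {("Example Issuing CA", 13)}       # revoked before its scheduled expiry
NOW = utc(2005, 12, 15)

if __name__ == "__main__":
    for cert in (SERVER, EXPIRING, EXPIRED, REVOKED, STRANGER):
        print(cert.subject, validity_status(cert, NOW), validate_path(cert, POOL, TRUSTED, CRL, NOW))
```

An "Expiring!" certificate is still accepted; it is a warning to renew, while "Expired!" and "Not Yet Valid!" reject the path, as does a revoked entry anywhere on it.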
20.1.1 Advantages of Certificates
Certificates offer the following benefits.
• The ZyWALL only has to store the certificates of the certification authorities that you
decide to trust, no matter how many devices you need to authenticate.
• Key distribution is simple and very secure since you can freely distribute public keys and
you never need to transmit private keys.
20.2 Self-signed Certificates
Until public-key infrastructure becomes more mature, it may not be available in some areas.
You can have the ZyWALL act as a certification authority and sign its own certificates.
20.3 Configuration Summary
This section summarizes how to manage certificates on the ZyWALL.
Figure 160 Certificate Configuration Overview
Use the My Certificate screens to generate and export self-signed certificates or certification
requests and import the ZyWALL’s CA-signed certificates.
Use the Trusted CA screens to save CA certificates to the ZyWALL.
Use the Trusted Remote Hosts screens to import self-signed certificates.
Use the Directory Servers screen to configure a list of addresses of directory servers (that
contain lists of valid and revoked certificates).
20.4 My Certificates
Click SECURITY, CERTIFICATES, My Certificates to open the My Certificates screen.
This is the ZyWALL’s summary list of certificates and certification requests. Certificates
display in black and certification requests display in gray.
Figure 161 My Certificates
The following table describes the labels in this screen.
Table 110 My Certificates
LABEL
DESCRIPTION
PKI Storage Space in Use
This bar displays the percentage of the ZyWALL’s PKI storage space that is
currently in use. The bar turns from green to red when the maximum is being
approached. When the bar is red, you should consider deleting expired or
unnecessary certificates before adding more certificates.
Replace
This button displays when the ZyWALL has the factory default certificate. The
factory default certificate is common to all ZyWALLs that use certificates. ZyXEL
recommends that you use this button to replace the factory default certificate with
one that uses your ZyWALL's MAC address.
#
This field displays the certificate index number. The certificates are listed in
alphabetical order.
Name
This field displays the name used to identify this certificate. It is recommended that
you give each certificate a unique name.
Type
This field displays what kind of certificate this is.
REQ represents a certification request and is not yet a valid certificate. Send a
certification request to a certification authority, which then issues a certificate. Use
the My Certificate Import screen to import the certificate and replace the request.
SELF represents a self-signed certificate.
*SELF represents the default self-signed certificate, which the ZyWALL uses to
sign imported trusted remote host certificates.
CERT represents a certificate issued by a certification authority.
Subject
This field displays identifying information about the certificate’s owner, such as CN
(Common Name), OU (Organizational Unit or department), O (Organization or
company) and C (Country). It is recommended that each certificate have unique
subject information.
Issuer
This field displays identifying information about the certificate’s issuing certification
authority, such as a common name, organizational unit or department,
organization or company and country. With self-signed certificates, this is the same
information as in the Subject field.
Valid From
This field displays the date that the certificate becomes applicable. The text
displays in red and includes a Not Yet Valid! message if the certificate has not yet
become applicable.
Valid To
This field displays the date that the certificate expires. The text displays in red and
includes an Expiring! or Expired! message if the certificate is about to expire or has
already expired.
Modify
Click the details icon to open a screen with an in-depth list of information about the
certificate.
Click the delete icon to remove the certificate. A window displays asking you to
confirm that you want to delete the certificate.
You cannot delete a certificate that one or more features is configured to use.
Do the following to delete a certificate that shows *SELF in the Type field.
1. Make sure that no other features, such as HTTPS, VPN, SSH are configured to
use the *SELF certificate.
2. Click the details icon next to another self-signed certificate (see the description
on the Create button if you need to create a self-signed certificate).
3. Select the Default self-signed certificate which signs the imported remote
host certificates check box.
4. Click Apply to save the changes and return to the My Certificates screen.
5. The certificate that originally showed *SELF displays SELF and you can delete
it now.
Note that subsequent certificates move up by one when you take this action.
Import
Click Import to open a screen where you can save the certificate that you have
enrolled from a certification authority from your computer to the ZyWALL.
Create
Click Create to go to the screen where you can have the ZyWALL generate a
certificate or a certification request.
Refresh
Click Refresh to display the current validity status of the certificates.
20.5 My Certificate Import
Click SECURITY, CERTIFICATES, My Certificates and then Import to open the My
Certificate Import screen. Follow the instructions in this screen to save an existing certificate
to the ZyWALL.
Note: You can only import a certificate that matches a corresponding certification
request that was generated by the ZyWALL.
The certificate you import replaces the corresponding request in the My
Certificates screen.
You must remove any spaces from the certificate’s filename before you can
import it.
20.5.1 Certificate File Formats
The certification authority certificate that you want to import has to be in one of these file
formats:
• Binary X.509: This is an ITU-T recommendation that defines the formats for X.509
certificates.
• PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses 64 ASCII
characters to convert a binary X.509 certificate into a printable form.
• Binary PKCS#7: This is a standard that defines the general syntax for data (including
digital signatures) that may be encrypted. The ZyWALL currently allows the import
of a PKCS#7 file that contains a single certificate.
• PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses 64
ASCII characters to convert a binary PKCS#7 certificate into a printable form.
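The four encodings differ in whether the outer layer is base-64 text and in what the first DER element inside the SEQUENCE is (a tbsCertificate SEQUENCE for X.509, a contentType OID for PKCS#7). The following is an added example, not ZyXEL code: sniff_format(), the DER helpers and the sample byte strings are constructed here, and the samples are only the opening structure of each format, not real certificates. It also applies the note in Section 20.5 that the filename must contain no spaces.

```python
"""Sniffer for the certificate file encodings listed in Section 20.5.1.
Added example, not ZyXEL code: the functions and sample bytes are
constructed here."""
import base64
import re

# A PEM block: header label, base-64 body, footer with the same label.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
PKCS7_OID_PREFIX = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07"     # 1.2.840.113549.1.7 (pkcs-7)
PEM_LABELS = {"CERTIFICATE": "X.509", "PKCS7": "PKCS#7"}


def der_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, offset of content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1                      # short form
    n = first & 0x7F                               # long form: n length bytes follow
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def der_sequence_body(buf):
    """Return the content of buf if buf is exactly one DER SEQUENCE, else None.
    Both an X.509 Certificate and a PKCS#7 ContentInfo are outer SEQUENCEs."""
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    try:
        length, start = der_length(buf, 1)
    except IndexError:
        return None
    if start + length != len(buf):
        return None
    return buf[start:]


def classify_der(der):
    """'X.509' when the SEQUENCE opens with tbsCertificate (another SEQUENCE),
    'PKCS#7' when it opens with a pkcs-7 contentType OID, otherwise None."""
    body = der_sequence_body(der)
    if not body:
        return None
    if body[0] == 0x30:
        return "X.509"
    if body[0] == 0x06 and body[2:].startswith(PKCS7_OID_PREFIX):
        return "PKCS#7"
    return None


def sniff_format(filename, data):
    """Return (format name, DER bytes), or ('unknown', None) if unrecognised."""
    if " " in filename:
        raise ValueError("remove spaces from the filename before importing")
    m = PEM_RE.search(data)
    if m:
        label = m.group(1).decode("ascii")
        try:
            der = base64.b64decode(m.group(2), validate=False)   # drops line breaks
        except ValueError:
            return "unknown", None
        kind = classify_der(der)
        if kind is None or PEM_LABELS.get(label, kind) != kind:
            return "unknown", None
        return f"PEM {kind}", der
    kind = classify_der(data)
    return (f"binary {kind}", data) if kind else ("unknown", None)


# Constructed samples: only the opening DER structure of each format.
DER_X509 = b"\x30\x05\x30\x03\x02\x01\x05"                    # SEQUENCE { SEQUENCE { INTEGER 5 } }
DER_PKCS7 = b"\x30\x0b\x06\x09" + PKCS7_OID_PREFIX + b"\x02"  # SEQUENCE { OID signedData }
PEM_X509 = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(DER_X509) + b"-----END CERTIFICATE-----\n"
PEM_PKCS7 = b"-----BEGIN PKCS7-----\n" + base64.encodebytes(DER_PKCS7) + b"-----END PKCS7-----\n"

if __name__ == "__main__":
    for name, blob in (("cert.cer", DER_X509), ("cert.pem", PEM_X509),
                       ("bundle.p7b", DER_PKCS7), ("bundle.pem", PEM_PKCS7)):
        print(name, sniff_format(name, blob)[0])
```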
Figure 162 My Certificate Import
The following table describes the labels in this screen.
Table 111 My Certificate Import
LABEL
DESCRIPTION
File Path
Type in the location of the file you want to upload in this field or click Browse to find it.
Browse
Click Browse to find the certificate file you want to upload.
Apply
Click Apply to save the certificate on the ZyWALL.
Cancel
Click Cancel to quit and return to the My Certificates screen.
20.6 My Certificate Create
Click SECURITY, CERTIFICATES, My Certificates and then Create to open the My
Certificate Create screen. Use this screen to have the ZyWALL create a self-signed
certificate, enroll a certificate with a certification authority or generate a certification request.
Figure 163 My Certificate Create
The following table describes the labels in this screen.
Table 112 My Certificate Create
LABEL
DESCRIPTION
Certificate Name
Type up to 31 ASCII characters (not including spaces) to identify this
certificate.
Subject Information
Use these fields to record information that identifies the owner of the
certificate. You do not have to fill in every field, although the Common Name is
mandatory. The certification authority may add fields (such as a serial number)
to the subject information when it issues a certificate. It is recommended that
each certificate have unique subject information.
Common Name
Select a radio button to identify the certificate’s owner by IP address, domain
name or e-mail address. Type the IP address (in dotted decimal notation),
domain name or e-mail address in the field provided. The domain name or e-mail
address can be up to 31 ASCII characters. The domain name or e-mail address is
for identification purposes only and can be any string.
Organizational Unit
Type up to 127 characters to identify the organizational unit or department to
which the certificate owner belongs. You may use any character, including
spaces, but the ZyWALL drops trailing spaces.
Organization
Type up to 127 characters to identify the company or group to which the
certificate owner belongs. You may use any character, including spaces, but
the ZyWALL drops trailing spaces.
Country
Type up to 127 characters to identify the nation where the certificate owner is
located. You may use any character, including spaces, but the ZyWALL drops
trailing spaces.
Key Length
Select a number from the drop-down list box to determine how many bits the
key should use (512 to 2048). The longer the key, the more secure it is. A
longer key also uses more PKI storage space.
Enrollment Options
These radio buttons deal with how and when the certificate is to be generated.
Create a self-signed certificate
Select Create a self-signed certificate to have the ZyWALL generate the
certificate and act as the Certification Authority (CA) itself. This way you do not
need to apply to a certification authority for certificates.
Create a certification request and save it locally for later manual enrollment
Select Create a certification request and save it locally for later manual
enrollment to have the ZyWALL generate and store a request for a certificate.
Use the My Certificate Details screen to view the certification request and
copy it to send to the certification authority.
Copy the certification request from the My Certificate Details screen (see
Section 20.7 on page 350) and then send it to the certification authority.
Create a certification request and enroll for a certificate immediately online
Select Create a certification request and enroll for a certificate
immediately online to have the ZyWALL generate a request for a certificate
and apply to a certification authority for a certificate.
You must have the certification authority’s certificate already imported in the
Trusted CAs screen.
When you select this option, you must select the certification authority’s
enrollment protocol and the certification authority’s certificate from the
drop-down list boxes and enter the certification authority’s server address. You also
need to fill in the Reference Number and Key if the certification authority
requires them.
Enrollment Protocol
Select the certification authority’s enrollment protocol from the drop-down list
box.
Simple Certificate Enrollment Protocol (SCEP) is a TCP-based enrollment
protocol that was developed by VeriSign and Cisco.
Certificate Management Protocol (CMP) is a TCP-based enrollment protocol
that was developed by the Public Key Infrastructure X.509 working group of
the Internet Engineering Task Force (IETF) and is specified in RFC 2510.
CA Server Address
Enter the IP address (or URL) of the certification authority server.
CA Certificate
Select the certification authority’s certificate from the CA Certificate drop-down list box.
You must have the certification authority’s certificate already imported in the
Trusted CAs screen. Click Trusted CAs to go to the Trusted CAs screen
where you can view (and manage) the ZyWALL's list of certificates of trusted
certification authorities.
Request Authentication
When you select Create a certification request and enroll for a certificate
immediately online, the certification authority may want you to include a
reference number and key to identify you when you send a certification
request. Fill in both the Reference Number and the Key fields if your
certification authority uses CMP enrollment protocol. Just fill in the Key field if
your certification authority uses the SCEP enrollment protocol.
Key
Type the key that the certification authority gave you.
Apply
Click Apply to begin certificate or certification request generation.
Cancel
Click Cancel to quit and return to the My Certificates screen.
Chapter 20 Certificates
After you click Apply in the My Certificate Create screen, you see a screen that tells you the
ZyWALL is generating the self-signed certificate or certification request.
After the ZyWALL successfully enrolls a certificate or generates a certification request or a
self-signed certificate, you see a screen with a Return button that takes you back to the My
Certificates screen.
If you configured the My Certificate Create screen to have the ZyWALL enroll a certificate
and the certificate enrollment is not successful, you see a screen with a Return button that
takes you back to the My Certificate Create screen. Click Return and check your
information in the My Certificate Create screen. Make sure that the certification authority
information is correct and that your Internet connection is working properly if you want the
ZyWALL to enroll a certificate online.
20.7 My Certificate Details
Click SECURITY, CERTIFICATES, and then My Certificates to open the My
Certificates screen (see Figure 161 on page 344). Click the details icon to open the My
Certificate Details screen. You can use this screen to view in-depth certificate information
and change the certificate’s name. In the case of a self-signed certificate, you can set it to be
the one that the ZyWALL uses to sign the trusted remote host certificates that you import to
the ZyWALL.
Figure 164 My Certificate Details
The following table describes the labels in this screen.
Table 113 My Certificate Details
LABEL
DESCRIPTION
Name
This field displays the identifying name of this certificate. If you want to change
the name, type up to 31 characters to identify this certificate. You may use any
character (not including spaces).
Property
Default self-signed certificate which signs the imported remote host certificates.
Select this check box to have the ZyWALL use this certificate to sign the trusted
remote host certificates that you import to the ZyWALL. This check box is only
available with self-signed certificates.
If this check box is already selected, you cannot clear it in this screen; to move
the role to another certificate, select this check box in that self-signed
certificate’s details screen. This automatically clears the check box in the details
screen of the certificate that was previously set to sign the imported trusted
remote host certificates.
Certification Path
Click the Refresh button to have this read-only text box display the hierarchy of
certification authorities that validate the certificate (and the certificate itself).
If the issuing certification authority is one that you have imported as a trusted
certification authority, it may be the only certification authority in the list (along
with the certificate itself). If the certificate is a self-signed certificate, the
certificate itself is the only one in the list. The ZyWALL does not trust the
certificate and displays “Not trusted” in this field if any certificate on the path has
expired or been revoked.
Refresh
Click Refresh to display the certification path.
Certificate Information
These read-only fields display detailed information about the certificate.
Type
This field displays general information about the certificate. CA-signed means
that a Certification Authority signed the certificate. Self-signed means that the
certificate’s owner signed the certificate (not a certification authority). “X.509”
means that this certificate was created and signed according to the ITU-T X.509
recommendation that defines the formats for public-key certificates.
Version
This field displays the X.509 version number.
Serial Number
This field displays the certificate’s identification number given by the certification
authority or generated by the ZyWALL.
Subject
This field displays information that identifies the owner of the certificate, such as
Common Name (CN), Organizational Unit (OU), Organization (O) and Country
(C).
Issuer
This field displays identifying information about the certificate’s issuing
certification authority, such as Common Name, Organizational Unit,
Organization and Country.
With self-signed certificates, this is the same as the Subject Name field.
Signature Algorithm
This field displays the type of algorithm that was used to sign the certificate. The
ZyWALL uses rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and
the SHA1 hash algorithm). Some certification authorities may use rsa-pkcs1-md5
(RSA public-private key encryption algorithm and the MD5 hash algorithm).
Valid From
This field displays the date that the certificate becomes applicable. The text
displays in red and includes a Not Yet Valid! message if the certificate has not
yet become applicable.
Valid To
This field displays the date that the certificate expires. The text displays in red
and includes an Expiring! or Expired! message if the certificate is about to expire
or has already expired.
Key Algorithm
This field displays the type of algorithm that was used to generate the
certificate’s key pair (the ZyWALL uses RSA encryption) and the length of the
key set in bits (1024 bits for example).
Subject Alternative Name
This field displays the certificate owner’s IP address (IP), domain name (DNS) or
e-mail address (EMAIL).
Key Usage
This field displays for what functions the certificate’s key can be used. For
example, “DigitalSignature” means that the key can be used to sign certificates
and “KeyEncipherment” means that the key can be used to encrypt text.
Basic Constraint
This field displays general information about the certificate. For example,
Subject Type=CA means that this is a certification authority’s certificate and
“Path Length Constraint=1” means that there can only be one certification
authority in the certificate’s path.
MD5 Fingerprint
This is the certificate’s message digest that the ZyWALL calculated using the
MD5 algorithm.
SHA1 Fingerprint
This is the certificate’s message digest that the ZyWALL calculated using the
SHA1 algorithm.
Certificate in PEM (Base-64) Encoded Format
This read-only text box displays the certificate or certification request in Privacy
Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the
binary certificate into a printable form.
You can copy and paste a certification request into a certification authority’s web
page, an e-mail that you send to the certification authority or a text editor and
save the file on a management computer for later manual enrollment.
You can copy and paste a certificate into an e-mail to send to friends or
colleagues or you can copy and paste a certificate into a text editor and save the
file on a management computer for later distribution (via floppy disk for
example).
Export
Click this button and then Save in the File Download screen. The Save As
screen opens, browse to the location that you want to use and click Save.
Apply
Click Apply to save your changes back to the ZyWALL. You can only change
the name, except in the case of a self-signed certificate, which you can also set
to be the default self-signed certificate that signs the imported trusted remote
host certificates.
Cancel
Click Cancel to quit and return to the My Certificates screen.
20.8 Trusted CAs
Click SECURITY, CERTIFICATES, Trusted CAs to open the Trusted CAs screen. This
screen displays a summary list of certificates of the certification authorities that you have set
the ZyWALL to accept as trusted. The ZyWALL accepts any valid certificate signed by a
certification authority on this list as being trustworthy; thus you do not need to import any
certificate that is signed by one of these certification authorities.
Figure 165 Trusted CAs
The following table describes the labels in this screen.
Table 114 Trusted CAs
LABEL
DESCRIPTION
PKI Storage Space in Use
This bar displays the percentage of the ZyWALL’s PKI storage space that is
currently in use. The bar turns from green to red when the maximum is being
approached. When the bar is red, you should consider deleting expired or
unnecessary certificates before adding more certificates.
#
This field displays the certificate index number. The certificates are listed in
alphabetical order.
Name
This field displays the name used to identify this certificate.
Subject
This field displays identifying information about the certificate’s owner, such as CN
(Common Name), OU (Organizational Unit or department), O (Organization or
company) and C (Country). It is recommended that each certificate have unique
subject information.
Issuer
This field displays identifying information about the certificate’s issuing certification
authority, such as a common name, organizational unit or department,
organization or company and country. With self-signed certificates, this is the same
information as in the Subject field.
Valid From
This field displays the date that the certificate becomes applicable. The text
displays in red and includes a Not Yet Valid! message if the certificate has not yet
become applicable.
Valid To
This field displays the date that the certificate expires. The text displays in red and
includes an Expiring! or Expired! message if the certificate is about to expire or has
already expired.
CRL Issuer
This field displays Yes if the certification authority issues Certificate Revocation
Lists for the certificates that it has issued and you have selected the Issues
certificate revocation lists (CRL) check box in the certificate’s details screen to
have the ZyWALL check the CRL before trusting any certificates issued by the
certification authority. Otherwise the field displays “No”.
Modify
Click the details icon to open a screen with an in-depth list of information about the
certificate.
Click the delete icon to remove the certificate. A window displays asking you to
confirm that you want to delete the certificate. Note that subsequent certificates
move up by one when you take this action.
Import
Click Import to open a screen where you can save the certificate of a certification
authority that you trust, from your computer to the ZyWALL.
Refresh
Click this button to display the current validity status of the certificates.
20.9 Trusted CA Import
Click SECURITY, CERTIFICATES, Trusted CAs to open the Trusted CAs screen and
then click Import to open the Trusted CA Import screen. Follow the instructions in this
screen to save a trusted certification authority’s certificate to the ZyWALL.
Note: You must remove any spaces from the certificate’s filename before you can
import the certificate.
Figure 166 Trusted CA Import
The following table describes the labels in this screen.
Table 115 Trusted CA Import
LABEL
DESCRIPTION
File Path
Type in the location of the file you want to upload in this field or click Browse to find it.
Browse
Click Browse to find the certificate file you want to upload.
Apply
Click Apply to save the certificate on the ZyWALL.
Cancel
Click Cancel to quit and return to the Trusted CAs screen.
20.10 Trusted CA Details
Click SECURITY, CERTIFICATES, Trusted CAs to open the Trusted CAs screen. Click
the details icon to open the Trusted CA Details screen. Use this screen to view in-depth
information about the certification authority’s certificate, change the certificate’s name and set
whether or not you want the ZyWALL to check a certification authority’s list of revoked
certificates before trusting a certificate issued by the certification authority.
Figure 167 Trusted CA Details
The following table describes the labels in this screen.
Table 116 Trusted CA Details
LABEL
DESCRIPTION
Name
This field displays the identifying name of this certificate. If you want to change
the name, type up to 31 characters to identify this key certificate. You may use
any character (not including spaces).
Property
Check incoming certificates issued by this CA against a CRL
Select this check box to have the ZyWALL check incoming certificates that are
issued by this certification authority against a Certificate Revocation List (CRL).
Clear this check box to have the ZyWALL not check incoming certificates that
are issued by this certification authority against a Certificate Revocation List
(CRL).
Certification Path
Click the Refresh button to have this read-only text box display the end entity’s
certificate and a list of certification authority certificates that shows the hierarchy
of certification authorities that validate the end entity’s certificate. If the issuing
certification authority is one that you have imported as a trusted certification
authority, it may be the only certification authority in the list (along with the end
entity’s own certificate). The ZyWALL does not trust the end entity’s certificate
and displays “Not trusted” in this field if any certificate on the path has expired or
been revoked.
Refresh
Click Refresh to display the certification path.
Certificate Information
These read-only fields display detailed information about the certificate.
Type
This field displays general information about the certificate. CA-signed means
that a Certification Authority signed the certificate. Self-signed means that the
certificate’s owner signed the certificate (not a certification authority). X.509
means that this certificate was created and signed according to the ITU-T X.509
recommendation that defines the formats for public-key certificates.
Version
This field displays the X.509 version number.
Serial Number
This field displays the certificate’s identification number given by the certification
authority.
Subject
This field displays information that identifies the owner of the certificate, such as
Common Name (CN), Organizational Unit (OU), Organization (O) and Country
(C).
Issuer
This field displays identifying information about the certificate’s issuing
certification authority, such as Common Name, Organizational Unit,
Organization and Country.
With self-signed certificates, this is the same information as in the Subject
Name field.
Signature Algorithm
This field displays the type of algorithm that was used to sign the certificate.
Some certification authorities use rsa-pkcs1-sha1 (RSA public-private key
encryption algorithm and the SHA1 hash algorithm). Other certification
authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm
and the MD5 hash algorithm).
Valid From
This field displays the date that the certificate becomes applicable. The text
displays in red and includes a Not Yet Valid! message if the certificate has not
yet become applicable.
Valid To
This field displays the date that the certificate expires. The text displays in red
and includes an Expiring! or Expired! message if the certificate is about to expire
or has already expired.
Key Algorithm
This field displays the type of algorithm that was used to generate the
certificate’s key pair (the ZyWALL uses RSA encryption) and the length of the
key set in bits (1024 bits for example).
Subject Alternative Name
This field displays the certificate owner’s IP address (IP), domain name (DNS)
or e-mail address (EMAIL).
Key Usage
This field displays for what functions the certificate’s key can be used. For
example, “DigitalSignature” means that the key can be used to sign certificates
and “KeyEncipherment” means that the key can be used to encrypt text.
Basic Constraint
This field displays general information about the certificate. For example,
Subject Type=CA means that this is a certification authority’s certificate and
“Path Length Constraint=1” means that there can only be one certification
authority in the certificate’s path.
CRL Distribution Points
This field displays how many directory servers holding lists of revoked certificates
the issuing certification authority of this certificate makes available. This field
also displays the domain names or IP addresses of those servers.
MD5 Fingerprint
This is the certificate’s message digest that the ZyWALL calculated using the
MD5 algorithm. You can use this value to verify with the certification authority
(over the phone for example) that this is actually their certificate.
SHA1 Fingerprint
This is the certificate’s message digest that the ZyWALL calculated using the
SHA1 algorithm. You can use this value to verify with the certification authority
(over the phone for example) that this is actually their certificate.
Certificate in PEM (Base-64) Encoded Format
This read-only text box displays the certificate or certification request in Privacy
Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the
binary certificate into a printable form.
You can copy and paste the certificate into an e-mail to send to friends or
colleagues or you can copy and paste the certificate into a text editor and save
the file on a management computer for later distribution (via floppy disk for
example).
Export
Click this button and then Save in the File Download screen. The Save As
screen opens, browse to the location that you want to use and click Save.
Apply
Click Apply to save your changes back to the ZyWALL. You can only change
the name and/or set whether or not you want the ZyWALL to check the CRL that
the certification authority issues before trusting a certificate issued by the
certification authority.
Cancel
Click Cancel to quit and return to the Trusted CAs screen.
20.11 Trusted Remote Hosts
Click SECURITY, CERTIFICATES, Trusted Remote Hosts to open the Trusted Remote
Hosts screen. This screen displays a list of the certificates of peers that you trust but which are
not signed by one of the certification authorities on the Trusted CAs screen.
You do not need to add any certificate that is signed by one of the certification authorities on
the Trusted CAs screen since the ZyWALL automatically accepts any valid certificate signed
by a trusted certification authority as being trustworthy.
Figure 168 Trusted Remote Hosts
The following table describes the labels in this screen.
Table 117 Trusted Remote Hosts
LABEL
DESCRIPTION
PKI Storage Space in Use
This bar displays the percentage of the ZyWALL’s PKI storage space that is
currently in use. The bar turns from green to red when the maximum is being
approached. When the bar is red, you should consider deleting expired or
unnecessary certificates before adding more certificates.
Issuer (My Default Self-signed Certificate)
This field displays identifying information about the default self-signed certificate
on the ZyWALL that the ZyWALL uses to sign the trusted remote host certificates.
#
This field displays the certificate index number. The certificates are listed in
alphabetical order.
Name
This field displays the name used to identify this certificate.
Subject
This field displays identifying information about the certificate’s owner, such as CN
(Common Name), OU (Organizational Unit or department), O (Organization or
company) and C (Country). It is recommended that each certificate have unique
subject information.
Valid From
This field displays the date that the certificate becomes applicable. The text
displays in red and includes a Not Yet Valid! message if the certificate has not yet
become applicable.
Valid To
This field displays the date that the certificate expires. The text displays in red and
includes an Expiring! or Expired! message if the certificate is about to expire or has
already expired.
Modify
Click the details icon to open a screen with an in-depth list of information about the
certificate.
Click the delete icon to remove the certificate. A window displays asking you to
confirm that you want to delete the certificate. Note that subsequent certificates
move up by one when you take this action.
Import
Click Import to open a screen where you can save the certificate of a remote host
(which you trust) from your computer to the ZyWALL.
Refresh
Click this button to display the current validity status of the certificates.
20.12 Verifying a Trusted Remote Host’s Certificate
Certificates issued by certification authorities have the certification authority’s signature for
you to check. Self-signed certificates only have the signature of the host itself. This means that
you must be very careful when deciding to import (and thereby trust) a remote host’s self-signed certificate.
20.12.1 Trusted Remote Host Certificate Fingerprints
A certificate’s fingerprints are message digests calculated using the MD5 or SHA1 algorithms.
The following procedure describes how to use a certificate’s fingerprint to verify that you have
the remote host’s actual certificate.
1 Browse to where you have the remote host’s certificate saved on your computer.
2 Make sure that the certificate has a “.cer” or “.crt” file name extension.
Figure 169 Remote Host Certificates
3 Double-click the certificate’s icon to open the Certificate window. Click the Details tab
and scroll down to the Thumbprint Algorithm and Thumbprint fields.
Figure 170 Certificate Details
Verify (over the phone for example) that the remote host has the same information in the
Thumbprint Algorithm and Thumbprint fields.
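The check in this procedure, and the MD5 Fingerprint and SHA1 Fingerprint fields of the details screens, can be reproduced on the management computer. The following Python script is an added example and is not ZyXEL code or part of this guide; it needs only the Python standard library. Its SAMPLE_PEM body is a constructed placeholder (the Base-64 text decodes to the bytes "abc", not to a real certificate), so the digests it produces are the published MD5 and SHA1 test vectors rather than a real certificate's fingerprints.

```python
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and Base-64 decode the body back to the DER bytes."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no PEM block found")
    body = "".join(match.group(2).split())  # drop the 64-column line breaks
    return base64.b64decode(body, validate=True)


def fingerprints(pem: str) -> dict:
    """Digests over the DER encoding, as in the MD5/SHA1 Fingerprint fields."""
    der = pem_to_der(pem)
    return {"MD5": hashlib.md5(der).hexdigest(), "SHA1": hashlib.sha1(der).hexdigest()}


def normalize(thumbprint: str) -> str:
    """Accept 'a9 99 3e ...', 'A9:99:3E:...' or bare hex; return lower-case hex."""
    return re.sub(r"[^0-9a-f]", "", thumbprint.lower())


def matches(pem: str, algorithm: str, thumbprint: str) -> bool:
    """True if a thumbprint obtained out of band equals the computed fingerprint."""
    expected = fingerprints(pem)[algorithm.upper()]
    return hmac.compare_digest(expected, normalize(thumbprint))


def display(hexdigest: str) -> str:
    """Colon-separated upper-case pairs, a common fingerprint display convention."""
    hexdigest = hexdigest.upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


# Constructed placeholder: the DER payload decodes to the bytes b"abc", so the
# digests are the published MD5/SHA1 test vectors; it is not a real certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for algorithm, digest in fingerprints(SAMPLE_PEM).items():
        print(f"{algorithm} Fingerprint: {display(digest)}")
```

A fingerprint is computed over the DER bytes, so re-wrapping or re-exporting the same certificate in PEM does not change it, while any change to the DER (for example a certificate re-signed by the ZyWALL, as Section 20.14 notes) produces a different value. The thumbprint read from the Certificate window or given over the phone is normalized before comparison, so spaces, colons and letter case do not matter, and the comparison itself is constant-time.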
20.13 Trusted Remote Hosts Import
Click SECURITY, CERTIFICATES, Trusted Remote Hosts to open the Trusted Remote
Hosts screen and then click Import to open the Trusted Remote Host Import screen. Follow
the instructions in this screen to save a trusted host’s certificate to the ZyWALL.
Note: The trusted remote host certificate must be a self-signed certificate; and you
must remove any spaces from its filename before you can import it.
Figure 171 Trusted Remote Host Import
The following table describes the labels in this screen.
Table 118 Trusted Remote Host Import
LABEL
DESCRIPTION
File Path
Type in the location of the file you want to upload in this field or click Browse to find it.
Browse
Click Browse to find the certificate file you want to upload.
Apply
Click Apply to save the certificate on the ZyWALL.
Cancel
Click Cancel to quit and return to the Trusted Remote Hosts screen.
20.14 Trusted Remote Host Certificate Details
Click SECURITY, CERTIFICATES, Trusted Remote Hosts to open the Trusted Remote
Hosts screen. Click the details icon to open the Trusted Remote Host Details screen. You
can use this screen to view in-depth information about the trusted remote host’s certificate
and/or change the certificate’s name.
Figure 172 Trusted Remote Host Details
The following table describes the labels in this screen.
Table 119 Trusted Remote Host Details
LABEL
DESCRIPTION
Name
This field displays the identifying name of this certificate. If you want to change
the name, type up to 31 characters to identify this key certificate. You may use
any character (not including spaces).
Certification Path
Click the Refresh button to have this read-only text box display the end entity’s
own certificate and a list of certification authority certificates in the hierarchy of
certification authorities that validate a certificate’s issuing certification authority.
For a trusted host, the list consists of the end entity’s own certificate and the
default self-signed certificate that the ZyWALL uses to sign remote host
certificates.
Refresh
Click Refresh to display the certification path.
Certificate Information
These read-only fields display detailed information about the certificate.
Type
This field displays general information about the certificate. With trusted remote
host certificates, this field always displays CA-signed. The ZyWALL is the
Certification Authority that signed the certificate. X.509 means that this
certificate was created and signed according to the ITU-T X.509
recommendation that defines the formats for public-key certificates.
Version
This field displays the X.509 version number.
Serial Number
This field displays the certificate’s identification number given by the device that
created the certificate.
Subject
This field displays information that identifies the owner of the certificate, such
as Common Name (CN), Organizational Unit (OU), Organization (O) and
Country (C).
Issuer
This field displays identifying information about the default self-signed
certificate on the ZyWALL that the ZyWALL uses to sign the trusted remote
host certificates.
Signature Algorithm
This field displays the type of algorithm that the ZyWALL used to sign the
certificate, which is rsa-pkcs1-sha1 (RSA public-private key encryption
algorithm and the SHA1 hash algorithm).
Valid From
This field displays the date that the certificate becomes applicable. The text
displays in red and includes a Not Yet Valid! message if the certificate has not
yet become applicable.
Valid To
This field displays the date that the certificate expires. The text displays in red
and includes an Expiring! or Expired! message if the certificate is about to
expire or has already expired.
Key Algorithm
This field displays the type of algorithm that was used to generate the
certificate’s key pair (the ZyWALL uses RSA encryption) and the length of the
key set in bits (1024 bits for example).
Subject Alternative Name
This field displays the certificate owner’s IP address (IP), domain name (DNS)
or e-mail address (EMAIL).
Key Usage
This field displays for what functions the certificate’s key can be used. For
example, “DigitalSignature” means that the key can be used to sign certificates
and “KeyEncipherment” means that the key can be used to encrypt text.
Basic Constraint
This field displays general information about the certificate. For example,
Subject Type=CA means that this is a certification authority’s certificate and
“Path Length Constraint=1” means that there can only be one certification
authority in the certificate’s path.
MD5 Fingerprint
This is the certificate’s message digest that the ZyWALL calculated using the
MD5 algorithm. You cannot use this value to verify that this is the remote host’s
actual certificate because the ZyWALL has signed the certificate, which makes
this value different from that of the remote host’s actual certificate. See
Section 20.12 on page 361 for how to verify a remote host’s certificate.
SHA1 Fingerprint
This is the certificate’s message digest that the ZyWALL calculated using the
SHA1 algorithm. You cannot use this value to verify that this is the remote
host’s actual certificate because the ZyWALL has signed the certificate, which
makes this value different from that of the remote host’s actual certificate.
See Section 20.12 on page 361 for how to verify a remote host’s certificate.
Certificate in PEM
(Base-64) Encoded
Format
This read-only text box displays the certificate or certification request in Privacy
Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the
binary certificate into a printable form.
You can copy and paste the certificate into an e-mail to send to friends or
colleagues or you can copy and paste the certificate into a text editor and save
the file on a management computer for later distribution (via floppy disk for
example).
Export
Click this button and then Save in the File Download screen. The Save As
screen opens, browse to the location that you want to use and click Save.
Apply
Click Apply to save your changes back to the ZyWALL. You can only change
the name of the certificate.
Cancel
Click Cancel to quit configuring this screen and return to the Trusted Remote
Hosts screen.
20.15 Directory Servers
Click SECURITY, CERTIFICATES, Directory Servers to open the Directory Servers
screen. This screen displays a summary list of directory servers (that contain lists of valid and
revoked certificates) that have been saved into the ZyWALL. If you decide to have the
ZyWALL check incoming certificates against the issuing certification authority’s list of
revoked certificates, the ZyWALL first checks the server(s) listed in the CRL Distribution
Points field of the incoming certificate. If the certificate does not list a server or the listed
server is not available, the ZyWALL checks the servers listed here.
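The ZyWALL's trust decision is described piecemeal across several screens: the certification path and the red Valid From / Valid To messages (Tables 113 and 116), the per-CA CRL check box (Table 116), the Trusted Remote Hosts list (Section 20.11) and the CRL lookup order just described. The following Python model pulls those rules into one place. It is an added example, not ZyNOS code; the Cert and TrustedCA classes, the 30-day "Expiring!" window, rejecting "Not Yet Valid!" certificates, the fail-closed behaviour when no CRL source answers, and the sample certificates and server addresses are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple
EXPIRING_WINDOW = timedelta(days=30)  # assumption: the guide gives no "Expiring!" threshold

@dataclass
class Cert:
    """Subset of the Table 113/116 fields that the trust decision uses."""
    name: str            # identifying name in the ZyWALL's lists
    subject: str
    issuer: str          # Subject of the certificate that signed this one
    serial: int
    valid_from: datetime
    valid_to: datetime
    self_signed: bool = False
    crl_distribution_points: List[str] = field(default_factory=list)

@dataclass
class TrustedCA:
    cert: Cert
    check_crl: bool = False  # the "Check incoming certificates ... against a CRL" box

def validity_status(cert: Cert, now: datetime) -> str:
    """The red message of the Valid From / Valid To fields, or "Valid"."""
    if now < cert.valid_from:
        return "Not Yet Valid!"
    if now > cert.valid_to:
        return "Expired!"
    if cert.valid_to - now <= EXPIRING_WINDOW:
        return "Expiring!"
    return "Valid"

def lookup_crl(cert: Cert, directory_servers: List[str],
               reachable: Dict[str, List[int]]) -> Optional[List[int]]:
    """Section 20.15 order: the certificate's own CRL Distribution Points first,
    then the directory servers configured on the ZyWALL. `reachable` stands in
    for the network (server address -> revoked serials) so this runs offline."""
    for server in cert.crl_distribution_points + directory_servers:
        if server in reachable:
            return reachable[server]
    return None

def evaluate(cert: Cert, now: datetime, trusted_cas: Dict[str, TrustedCA],
             trusted_hosts: List[str], directory_servers: List[str],
             reachable: Dict[str, List[int]]) -> Tuple[str, List[str]]:
    """Return (verdict, certification path as a list of certificate names)."""
    ca = None
    if cert.self_signed:
        # Self-signed peers are trusted only if imported as Trusted Remote Hosts.
        if cert.name not in trusted_hosts:
            return "Not trusted: self-signed, not an imported remote host", [cert.name]
        path = [cert]
    else:
        ca = trusted_cas.get(cert.issuer)
        if ca is None:
            return "Not trusted: issuer is not a trusted CA", [cert.name]
        path = [cert, ca.cert]
    names = [c.name for c in path]
    # An expired certificate anywhere on the path makes it "Not trusted";
    # rejecting "Not Yet Valid!" the same way is this example's assumption.
    for c in path:
        status = validity_status(c, now)
        if status in ("Expired!", "Not Yet Valid!"):
            return f"Not trusted: {c.name} is {status}", names
    if ca is not None and ca.check_crl:
        crl = lookup_crl(cert, directory_servers, reachable)
        if crl is None:  # assumption: fail closed when no CRL source answers
            return "Not trusted: no CRL source reachable", names
        if cert.serial in crl:
            return "Not trusted: certificate revoked", names
    return "Trusted", names

def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed sample data; returns name -> (validity status, verdict)."""
    now = datetime(2005, 12, 1)
    ca_cert = Cert("ExampleCA", "CN=Example CA", "CN=Example CA", 1,
                   datetime(2004, 1, 1), datetime(2014, 1, 1), self_signed=True)
    trusted_cas = {"CN=Example CA": TrustedCA(ca_cert, check_crl=True)}
    reachable = {"ldap.example.test:389": [7]}  # the CA's own CDP server is down
    cdp = ["crl.example.test:389"]
    peers = [
        Cert("branch-vpn", "CN=branch", "CN=Example CA", 5, datetime(2005, 1, 1),
             datetime(2006, 6, 1), crl_distribution_points=cdp),
        Cert("old-laptop", "CN=laptop", "CN=Example CA", 7, datetime(2005, 1, 1),
             datetime(2006, 6, 1), crl_distribution_points=cdp),
        Cert("renew-soon", "CN=renew", "CN=Example CA", 11, datetime(2005, 1, 1),
             datetime(2005, 12, 20)),
        Cert("retired", "CN=retired", "CN=Example CA", 9, datetime(2004, 1, 1),
             datetime(2005, 6, 1)),
        Cert("partner-fw", "CN=partner", "CN=partner", 1, datetime(2005, 1, 1),
             datetime(2007, 1, 1), self_signed=True),
        Cert("unknown", "CN=unknown", "CN=Other CA", 3, datetime(2005, 1, 1),
             datetime(2007, 1, 1)),
    ]
    return {c.name: (validity_status(c, now),
                     evaluate(c, now, trusted_cas, ["partner-fw"],
                              ["ldap.example.test:389"], reachable)[0]) for c in peers}
```

demo() returns one certificate of each kind: a valid CA-signed peer, a revoked one, one that is "Expiring!" but still trusted, an expired one, an imported self-signed remote host, and a peer whose issuer is not on the Trusted CAs list. The lookup order matters in this sample: the CA's own CRL Distribution Point is unreachable, so the revoked serial is only found because a server is configured on the Directory Servers screen.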
Figure 173 Directory Servers
The following table describes the labels in this screen.
Table 120 Directory Servers
LABEL
DESCRIPTION
PKI Storage Space in Use
This bar displays the percentage of the ZyWALL’s PKI storage space that is
currently in use. The bar turns from green to red when the maximum is being
approached. When the bar is red, you should consider deleting expired or
unnecessary certificates before adding more certificates.
#
The index number of the directory server. The servers are listed in alphabetical
order.
Name
This field displays the name used to identify this directory server.
Address
This field displays the IP address or domain name of the directory server.
Port
This field displays the port number that the directory server uses.
Protocol
This field displays the protocol that the directory server uses.
Modify
Click the details icon to open a screen where you can change the information
about the directory server.
Click the delete icon to remove the directory server entry. A window displays
asking you to confirm that you want to delete the directory server. Note that
subsequent entries move up by one when you take this action.
Add
Click Add to open a screen where you can configure information about a directory
server so that the ZyWALL can access it.
20.16 Directory Server Add or Edit
Click SECURITY, CERTIFICATES, Directory Servers to open the Directory Servers
screen. Click Add (or the details icon) to open the Directory Server Add screen. Use this
screen to configure information about a directory server that the ZyWALL can access.
Figure 174 Directory Server Add
The following table describes the labels in this screen.
Table 121 Directory Server Add
Directory Service Setting
Name: Type up to 31 ASCII characters (spaces are not permitted) to identify this directory
  server.
Access Protocol: Use the drop-down list box to select the access protocol used by the
  directory server. LDAP (Lightweight Directory Access Protocol) is a protocol over TCP that
  specifies how clients access directories of certificates and lists of revoked certificates.
  (At the time of writing, LDAP is the only choice of directory server access protocol.)
Server Address: Type the IP address (in dotted decimal notation) or the domain name of the
  directory server.
Server Port: This field displays the default server port number of the protocol that you
  select in the Access Protocol field. You may change the server port number if needed;
  however, you must use the same server port number that the directory server uses. 389 is
  the default server port number for LDAP.
Login Setting
Login: The ZyWALL may need to authenticate itself in order to access the directory server.
  Type the login name (up to 31 ASCII characters) from the entity maintaining the directory
  server (usually a certification authority).
Password: Type the password (up to 31 ASCII characters) from the entity maintaining the
  directory server (usually a certification authority).
Apply: Click Apply to save your changes back to the ZyWALL.
Cancel: Click Cancel to quit configuring this screen and return to the Directory Servers
  screen.
CHAPTER 21
Authentication Server
This chapter discusses how to configure the ZyWALL’s authentication server feature.
21.1 Authentication Server Overview
A ZyWALL set to be a VPN extended authentication server can use either the local user
database internal to the ZyWALL or an external RADIUS server for an unlimited number of
users. The ZyWALL uses the same local user database for VPN extended authentication and
wireless LAN security. See Section 9.14 on page 189 for more information about RADIUS.
21.1.1 Local User Database
By storing user profiles locally on the ZyWALL, your ZyWALL is able to authenticate users
without interacting with a network RADIUS server. However, there is a limit on the number of
users you may authenticate in this way.
21.1.2 RADIUS
The ZyWALL can use an external RADIUS server to authenticate an unlimited number of
users.
21.2 Local User Database
Click SECURITY and then AUTH SERVER to open the Local User Database screen. Use
this screen to change your ZyWALL’s local user list.
Figure 175 Local User Database
The following table describes the labels in this screen.
Table 122 Local User Database
Active: Select this check box to enable the user profile.
User Name: Enter the user name of the user profile.
Password: Enter a password up to 31 characters long for this user profile.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
21.3 RADIUS
Use RADIUS to authenticate users using an external server.
Click SECURITY, AUTH SERVER, then the RADIUS tab to open the RADIUS screen.
Use this screen to set up your ZyWALL’s RADIUS server settings.
Figure 176 RADIUS
The following table describes the labels in this screen.
Table 123 RADIUS
Authentication Server
Active: Select the check box to enable user authentication through an external
  authentication server. Clear the check box to enable user authentication using the local
  user profile on the ZyWALL.
Server IP Address: Enter the IP address of the external authentication server in dotted
  decimal notation.
Port Number: The default port of the RADIUS server for authentication is 1812. You need not
  change this value unless your network administrator instructs you to do so with additional
  information.
Key: Enter a password (up to 31 alphanumeric characters) as the key to be shared between the
  external authentication server and the ZyWALL. The key is not sent over the network. This
  key must be the same on the external authentication server and ZyWALL.
Accounting Server
Active: Select the check box to enable user accounting through an external authentication
  server.
Server IP Address: Enter the IP address of the external accounting server in dotted decimal
  notation.
Port Number: The default port of the RADIUS server for accounting is 1813. You need not
  change this value unless your network administrator instructs you to do so with additional
  information.
Key: Enter a password (up to 31 alphanumeric characters) as the key to be shared between the
  external accounting server and the ZyWALL. The key is not sent over the network. This key
  must be the same on the external accounting server and ZyWALL.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
CHAPTER 22
Network Address Translation (NAT)
This chapter discusses how to configure NAT on the ZyWALL.
22.1 NAT Overview
NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in
a packet. For example, the source address of an outgoing packet, used within one network, is
changed to a different IP address known within another network.
22.1.1 NAT Definitions
Inside/outside denotes where a host is located relative to the ZyWALL. For example, the
computers of your subscribers are the inside hosts, while the web servers on the Internet are
the outside hosts.
Global/local denotes the IP address of a host in a packet as the packet traverses a router. For
example, the local address refers to the IP address of a host when the packet is in the local
network, while the global address refers to the IP address of the host when the same packet is
traveling in the WAN side.
Note that inside/outside refers to the location of a host, while global/local refers to the IP
address of a host used in a packet. Thus, an inside local address (ILA) is the IP address of an
inside host in a packet when the packet is still in the local network, while an inside global
address (IGA) is the IP address of the same inside host when the packet is on the WAN side.
The following table summarizes this information.
Table 124 NAT Definitions
Inside: This refers to the host on the LAN.
Outside: This refers to the host on the WAN.
Local: This refers to the packet address (source or destination) as the packet travels on the
  LAN.
Global: This refers to the packet address (source or destination) as the packet travels on
  the WAN.
Note: NAT never changes the IP address (either local or global) of an outside host.
22.1.2 What NAT Does
In the simplest form, NAT changes the source IP address in a packet received from a
subscriber (the inside local address) to another (the inside global address) before forwarding
the packet to the WAN side. When the response comes back, NAT translates the destination
address (the inside global address) back to the inside local address before forwarding it to the
original inside host. Note that the IP address (either local or global) of an outside host is never
changed.
The global IP addresses for the inside hosts can be either static or dynamically assigned by the
ISP. In addition, you can designate servers (for example a web server and a telnet server) on
your local network and make them accessible to the outside world. Although you can make
designated servers on the LAN accessible to the outside world, it is strongly recommended
that you attach those servers to the DMZ port instead. If you do not define any servers (for
Many-to-One and Many-to-Many Overload mapping), NAT offers the additional benefit of
firewall protection. With no servers defined, your ZyWALL filters out all incoming inquiries,
thus preventing intruders from probing your network. For more information on IP address
translation, refer to RFC 1631, The IP Network Address Translator (NAT).
22.1.3 How NAT Works
Each packet has two addresses – a source address and a destination address. For outgoing
packets, the ILA (Inside Local Address) is the source address on the LAN, and the IGA (Inside
Global Address) is the source address on the WAN. For incoming packets, the ILA is the
destination address on the LAN, and the IGA is the destination address on the WAN. NAT
maps private (local) IP addresses to globally unique ones required for communication with
hosts on other networks. It replaces the original IP source address (and TCP or UDP source
port numbers for Many-to-One and Many-to-Many Overload NAT mapping) in each packet
and then forwards it to the Internet. The ZyWALL keeps track of the original addresses and
port numbers so incoming reply packets can have their original values restored. The following
figure illustrates this.
Figure 177 How NAT Works
22.1.4 NAT Application
The following figure illustrates a possible NAT application, where three inside LANs (logical
LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN
networks. More examples follow at the end of this chapter.
Figure 178 NAT Application With IP Alias
22.1.5 Port Restricted Cone NAT
At the time of writing, ZyWALL ZyNOS version 4.00 uses port restricted cone NAT. Port
restricted cone NAT maps all outgoing packets from an internal IP address and port to a single
IP address and port on the external network. In the following example, the ZyWALL maps the
source address of all packets sent from internal IP address 1 and port A to IP address 2 and
port B on the external network. A host on the external network (IP address 3 and Port C for
example) can only send packets to the internal host if the internal host has already sent a
packet to the external host’s IP address and port.
A server with IP address 1 and port A sends packets to IP address 3, port C and IP address 4,
port D. The ZyWALL changes the server’s IP address to 2 and port to B.
Since 1, A has already sent packets to 3, C and 4, D, they can send packets back to 2, B and the
ZyWALL will perform NAT on them and send them to the server at IP address 1, port A.
Packets have not been sent from 1, A to 4, E or 5, so they cannot send packets to 1, A.
Figure 179 Port Restricted Cone NAT Example
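The session-table behaviour described above, as an added illustration that is not ZyXEL's code: each inside (IP, port) gets one WAN (IP, port) for every destination, and inbound traffic is accepted only from an outside IP and port that the inside host already contacted. The addresses, the external port allocator and the class layout are constructed assumptions.

```python
"""Port restricted cone NAT session table (added example, not ZyXEL code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PortRestrictedConeNAT:
    wan_ip: str
    next_port: int = 1024          # assumption: simple sequential WAN port allocator
    # (inside local IP, port) -> (inside global IP, port)
    mapping: dict = field(default_factory=dict)
    # (inside global IP, port) -> (inside local IP, port)
    reverse: dict = field(default_factory=dict)
    # (inside global IP, port) -> set of (outside IP, port) already contacted
    contacted: dict = field(default_factory=dict)

    def outbound(self, src: tuple, dst: tuple) -> tuple:
        """Translate an outbound packet; return (src, dst) as seen on the WAN."""
        if src not in self.mapping:
            # One mapping regardless of destination: the "cone" part.
            ext = (self.wan_ip, self.next_port)
            self.next_port += 1
            self.mapping[src] = ext
            self.reverse[ext] = src
            self.contacted[ext] = set()
        ext = self.mapping[src]
        self.contacted[ext].add(dst)   # remember the exact outside IP *and* port
        return ext, dst

    def inbound(self, src: tuple, dst: tuple) -> Optional[tuple]:
        """Return (src, dst) as delivered on the LAN, or None if the packet is dropped."""
        if dst not in self.reverse:
            return None                 # nothing is mapped on that WAN port
        if src not in self.contacted[dst]:
            return None                 # "port restricted": wrong outside IP or port
        return src, self.reverse[dst]


def figure_179_example() -> dict:
    """Replay the Figure 179 scenario with constructed addresses."""
    nat = PortRestrictedConeNAT(wan_ip="203.0.113.2")        # IP address 2
    host1 = ("192.168.1.1", 5000)                             # IP address 1, port A
    nat.outbound(host1, ("198.51.100.3", 443))                # sends to 3, C
    nat.outbound(host1, ("198.51.100.4", 8443))               # sends to 4, D
    ext = nat.mapping[host1]                                  # 2, B
    return {
        "ext": ext,
        "from_3C": nat.inbound(("198.51.100.3", 443), ext),   # allowed
        "from_4D": nat.inbound(("198.51.100.4", 8443), ext),  # allowed
        "from_4E": nat.inbound(("198.51.100.4", 9000), ext),  # port E never contacted
        "from_5": nat.inbound(("198.51.100.5", 443), ext),    # host 5 never contacted
    }
```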
22.1.6 NAT Mapping Types
NAT supports five types of IP/port mapping. They are:
• One to One: In One-to-One mode, the ZyWALL maps one local IP address to one global
IP address.
• Many to One: In Many-to-One mode, the ZyWALL maps multiple local IP addresses to
one global IP address. This is equivalent to SUA (i.e., PAT, port address translation),
ZyXEL's Single User Account feature (the SUA option).
• Many to Many Overload: In Many-to-Many Overload mode, the ZyWALL maps the
multiple local IP addresses to shared global IP addresses.
• Many One to One: In Many-One-to-One mode, the ZyWALL maps each local IP
address to a unique global IP address.
• Server: This type allows you to specify inside servers of different services behind the
NAT to be accessible to the outside world although, it is highly recommended that you
use the DMZ port for these servers instead.
Note: Port numbers do not change for One-to-One and Many-One-to-One NAT
mapping types.
The following table summarizes these types.
Table 125 NAT Mapping Types (TYPE: IP MAPPING; SMT ABBREVIATION)
One-to-One: ILA1 ↔ IGA1; 1-1
Many-to-One (SUA/PAT): ILA1 ↔ IGA1, ILA2 ↔ IGA1, …; M-1
Many-to-Many Overload: ILA1 ↔ IGA1, ILA2 ↔ IGA2, ILA3 ↔ IGA1, ILA4 ↔ IGA2, …; M-M Ov
Many-One-to-One: ILA1 ↔ IGA1, ILA2 ↔ IGA2, ILA3 ↔ IGA3, …; M-1-1
Server: Server 1 IP ↔ IGA1, Server 2 IP ↔ IGA1, Server 3 IP ↔ IGA1; Server
22.2 Using NAT
Note: You must create a firewall rule in addition to setting up SUA/NAT, to allow
traffic from the WAN to be forwarded through the ZyWALL.
22.2.1 SUA (Single User Account) Versus NAT
SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two
types of mapping, Many-to-One and Server. The ZyWALL also supports Full Feature NAT
to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers
using mapping types. Select either SUA or Full Feature in NAT Overview.
Selecting SUA means (latent) multiple WAN-to-LAN and WAN-to-DMZ address translation.
That means that computers on your DMZ with public IP addresses will still have to undergo
NAT mapping if you’re using SUA NAT mapping. If this is not your intention, then select
Full Feature NAT and don’t configure NAT mapping rules to those computers with public
IP addresses on the DMZ.
22.3 NAT Overview
Click ADVANCED, NAT to open the NAT Overview screen. Not all fields are available on
all models.
Figure 180 NAT Overview
The following table describes the labels in this screen.
Table 126 NAT Overview
Global Settings
Max. Concurrent Sessions: This read-only field displays the highest number of NAT sessions
  that the ZyWALL will permit at one time.
Max. Concurrent Sessions Per Host: Use this field to set the highest number of NAT sessions
  that the ZyWALL will permit a host to have at one time.
WAN Operation Mode: This read-only field displays the operation mode of the ZyWALL's WAN
  ports.
WAN 1, 2
Enable NAT: Select this check box to turn on the NAT feature for the WAN port. Clear this
  check box to turn off the NAT feature for the WAN port.
Address Mapping Rules: Select SUA to have the ZyWALL use its permanent, pre-defined NAT
  address mapping rules. Select Full Feature to have the ZyWALL use the address mapping
  rules that you configure. This is the equivalent of what used to be called full feature
  NAT. The bar displays how many of the ZyWALL's possible address mapping rules are
  configured. The first number shows how many address mapping rules are configured on the
  ZyWALL. The second number shows the maximum number of address mapping rules that can be
  configured on the ZyWALL.
Port Forwarding Rules: The bar displays how many of the ZyWALL's possible port forwarding
  rules are configured. The first number shows how many port forwarding rules are configured
  on the ZyWALL. The second number shows the maximum number of port forwarding rules that can
  be configured on the ZyWALL.
Port Triggering Rules: The bar displays how many of the ZyWALL's possible trigger port rules
  are configured. The first number shows how many trigger port rules are configured on the
  ZyWALL. The second number shows the maximum number of trigger port rules that can be
  configured on the ZyWALL.
Copy to WAN 2 (and Copy to WAN 1): Click Copy to WAN 2 (or Copy to WAN 1) to duplicate this
  WAN port's NAT port forwarding or trigger port rules on the other WAN port.
  Note: Using the copy button overwrites the other WAN port's existing rules.
  The copy button is best suited for initial NAT configuration where you have configured NAT
  port forwarding or trigger port rules for one port and want to use similar rules for the
  other WAN port. You can use the other NAT screens to edit the NAT rules after you copy them
  from one WAN port to the other.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
22.4 NAT Address Mapping
Ordering your rules is important because the ZyWALL applies the rules in the order that you
specify. When a rule matches the current packet, the ZyWALL takes the corresponding action
and the remaining rules are ignored. If there are any empty rules before your newly configured
rule, your configured rule is pushed up by that number of empty rules. For example, if you
have already configured rules 1 to 6 in your current set and now configure rule number 9, the
new rule appears as rule 7, not 9, in the set summary screen. If you then delete rule 4, rules
5 to 7 are pushed up by one rule, so old rules 5, 6 and 7 become new rules 4, 5 and 6.
To change your ZyWALL’s address mapping settings, click ADVANCED, NAT and then the
Address Mapping tab. The screen appears as shown (some of the screen’s blank rows are not
shown). Not all fields are available on all models.
Figure 181 NAT Address Mapping
The following table describes the labels in this screen.
Table 127 NAT Address Mapping
SUA Address Mapping Rules: This read-only table displays the default address mapping rules.
Full Feature Address Mapping Rules
WAN Interface: Select the WAN port for which you want to view or configure address mapping
  rules.
Go To Page: Choose a page from the drop-down list box to display the corresponding summary
  page of address mapping rules.
#: This is the rule index number.
Local Start IP: This refers to the Inside Local Address (ILA), which is the starting local IP
  address. If the rule is for all local IP addresses, then this field displays 0.0.0.0 as the
  Local Start IP address. Local IP addresses are N/A for Server port mapping.
Local End IP: This is the end Inside Local Address (ILA). If the rule is for all local IP
  addresses, then this field displays 255.255.255.255 as the Local End IP address. This field
  is N/A for One-to-One and Server mapping types.
Global Start IP: This refers to the Inside Global IP Address (IGA), that is the starting
  global IP address. 0.0.0.0 is for a dynamic IP address from your ISP with Many-to-One and
  Server mapping types.
Global End IP: This is the ending Inside Global Address (IGA). This field is N/A for
  One-to-One, Many-to-One and Server mapping types.
Type:
  1. One-to-One mode maps one local IP address to one global IP address. Note that port
     numbers do not change for the One-to-One NAT mapping type.
  2. Many-to-One mode maps multiple local IP addresses to one global IP address. This is
     equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account
     feature that previous ZyXEL routers supported only.
  3. Many-to-Many Overload mode maps multiple local IP addresses to shared global IP
     addresses.
  4. Many One-to-One mode maps each local IP address to unique global IP addresses.
  5. Server allows you to specify inside servers of different services behind the NAT to be
     accessible to the outside world.
Modify: Click the edit icon to go to the screen where you can edit the address mapping rule.
  Click the delete icon to delete an existing address mapping rule. A window displays asking
  you to confirm that you want to delete the address mapping rule. Note that subsequent
  address mapping rules move up by one when you take this action.
Insert: Click Insert to insert a new mapping rule before an existing one.
22.4.1 NAT Address Mapping Edit
Click the Edit button to display the NAT Address Mapping Edit screen. Use this screen to
edit an address mapping rule.
Figure 182 NAT Address Mapping Edit
The following table describes the labels in this screen.
Table 128 NAT Address Mapping Edit
Type: Choose the port mapping type from one of the following.
  1. One-to-One: One-to-One mode maps one local IP address to one global IP address. Note
     that port numbers do not change for the One-to-One NAT mapping type.
  2. Many-to-One: Many-to-One mode maps multiple local IP addresses to one global IP
     address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single
     User Account feature.
  3. Many-to-Many Overload: Many-to-Many Overload mode maps multiple local IP addresses to
     shared global IP addresses.
  4. Many One-to-One: Many One-to-One mode maps each local IP address to unique global IP
     addresses.
  5. Server: This type allows you to specify inside servers of different services behind the
     NAT to be accessible to the outside world.
Local Start IP: This is the starting Inside Local IP Address (ILA). Local IP addresses are
  N/A for Server port mapping.
Local End IP: This is the end Inside Local IP Address (ILA). If your rule is for all local IP
  addresses, then enter 0.0.0.0 as the Local Start IP address and 255.255.255.255 as the
  Local End IP address. This field is N/A for One-to-One and Server mapping types.
Global Start IP: This is the starting Inside Global IP Address (IGA). Enter 0.0.0.0 here if
  you have a dynamic IP address from your ISP.
Global End IP: This is the ending Inside Global IP Address (IGA). This field is N/A for
  One-to-One, Many-to-One and Server mapping types.
Apply: Click Apply to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving.
22.5 Port Forwarding
A port forwarding set is a list of inside (behind NAT on the LAN) servers, for example, web or
FTP, that you can make visible to the outside world even though NAT makes your whole
inside network appear as a single computer to the outside world.
You may enter a single port number or a range of port numbers to be forwarded, and the local
IP address of the desired server. The port number identifies a service; for example, web
service is on port 80 and FTP on port 21. In some cases, such as for unknown services or
where one server can support more than one service (for example both FTP and web service),
it might be better to specify a range of port numbers. You can allocate a server IP address that
corresponds to a port or a range of ports.
Many residential broadband ISP accounts do not allow you to run any server processes (such
as a Web or FTP server) from your location. Your ISP may periodically check for servers and
may suspend your account if it discovers any active services at your location. If you are
unsure, refer to your ISP.
22.5.1 Default Server IP Address
In addition to the servers for specified services, NAT supports a default server IP address. A
default server receives packets from ports that are not specified in this screen.
Note: If you do not assign a Default Server IP address, the ZyWALL discards all
packets received for ports that are not specified here or in the remote
management setup.
22.5.2 Port Forwarding: Services and Port Numbers
The ZyWALL provides the additional safety of the DMZ ports for connecting your publicly
accessible servers. This makes the LAN more secure by physically separating it from your
public servers.
Use the Port Forwarding screen to forward incoming service requests to the server(s) on your
local network.
The most often used port numbers are shown in the following table. Please refer to RFC 1700
for further information about port numbers. Please also refer to the Supporting CD for more
examples and details on port forwarding and NAT.
Table 129 Services and Port Numbers (SERVICE: PORT NUMBER)
ECHO: 7
FTP (File Transfer Protocol): 21
SMTP (Simple Mail Transfer Protocol): 25
DNS (Domain Name System): 53
Finger: 79
HTTP (Hyper Text Transfer protocol or WWW, Web): 80
POP3 (Post Office Protocol): 110
NNTP (Network News Transport Protocol): 119
SNMP (Simple Network Management Protocol): 161
SNMP trap: 162
PPTP (Point-to-Point Tunneling Protocol): 1723
22.5.3 Configuring Servers Behind Port Forwarding (Example)
Let's say you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the
example), port 80 to another (B in the example) and assign a default server IP address of
192.168.1.35 to a third (C in the example). You assign the LAN IP addresses and the ISP
assigns the WAN IP address. The NAT network appears as a single host on the Internet.
Figure 183 Multiple Servers Behind NAT Example
22.5.4 NAT and Multiple WAN
The ZyWALL has two WAN ports. You can configure port forwarding and trigger port rule
sets for the first WAN port and separate sets of rules for the second WAN port.
22.5.5 Port Translation
The ZyWALL can translate the destination port number or a range of port numbers of packets
coming from the WAN to another destination port number or range of port numbers on the
LAN (or DMZ). When you use port forwarding without port translation, a single server on the
LAN or DMZ can use a specific port number and be accessible to the outside world through a
single WAN IP address. When you use port translation with port forwarding, multiple servers
on the LAN or DMZ can use the same port number and still be accessible to the outside world
through a single WAN IP address.
The following example has two web servers on a LAN. Server A uses IP address 192.168.1.33
and server B uses 192.168.1.34. Both servers use port 80. The letters a.b.c.d represent the
WAN port’s IP address. The ZyWALL translates port 8080 of traffic received on the WAN
port (IP address a.b.c.d) to port 80 and sends it to server A (IP address 192.168.1.33). The
ZyWALL also translates port 8100 of traffic received on the WAN port (also IP address
a.b.c.d) to port 80, but sends it to server B (IP address 192.168.1.34).
Note: In this example, anyone wanting to access server A from the Internet must use
port 8080. Anyone wanting to access server B from the Internet must use port
8100.
Figure 184 Port Translation Example
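The port forwarding lookup that Sections 22.5.1, 22.5.3 and 22.5.5 describe, as an added example that is not ZyXEL's code: rules are matched in order on the incoming WAN port, a translated range is derived from its first port by offset, and unmatched ports go to the default server or are discarded when none is set. The rule record layout and the server A/B addresses used for the 22.5.3 scenario are constructed assumptions; the 22.5.5 addresses and ports are the manual's own.

```python
"""Port forwarding with port translation and default server (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ForwardRule:
    name: str
    active: bool
    start_port: int                   # first incoming port
    end_port: int                     # last incoming port (equal to start_port for one port)
    translate_start: Optional[int]    # first translated port; None means no translation
    server_ip: str                    # inside server address


def forward(rules: List[ForwardRule], default_server: Optional[str],
            incoming_port: int) -> Optional[Tuple[str, int]]:
    """Return (server_ip, destination_port) for a WAN packet, or None if discarded."""
    for r in rules:
        if not r.active:
            continue                  # inactive entry is skipped without being deleted
        if r.start_port <= incoming_port <= r.end_port:
            if r.translate_start is None:
                return r.server_ip, incoming_port
            # Only the first translated port is configured; the rest follow by offset,
            # which is how the last port of the translated range is derived.
            return r.server_ip, r.translate_start + (incoming_port - r.start_port)
    if default_server is not None:
        return default_server, incoming_port   # unspecified ports go to the default server
    return None                                # no default server: packet discarded


# Figure 184 scenario: two web servers on port 80 behind one WAN address.
PORT_TRANSLATION_RULES = [
    ForwardRule("web-A", True, 8080, 8080, 80, "192.168.1.33"),
    ForwardRule("web-B", True, 8100, 8100, 80, "192.168.1.34"),
]

# Section 22.5.3 scenario; server A and B addresses are constructed, C is the manual's.
MULTI_SERVER_RULES = [
    ForwardRule("ftp-telnet-smtp-A", True, 21, 25, None, "192.168.1.33"),
    ForwardRule("web-B", True, 80, 80, None, "192.168.1.34"),
]
DEFAULT_SERVER_C = "192.168.1.35"
```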
22.6 Port Forwarding
Note: If you do not assign a Default Server IP address, the ZyWALL discards all
packets received for ports that are not specified here or in the remote
management setup.
Click ADVANCED, NAT and Port Forwarding to open the Port Forwarding screen. Not
all fields are available on all models.
Refer to Table 129 on page 384 for port numbers commonly used for particular services.
Note: The last port forwarding rule is reserved for Roadrunner services. The rule is
activated only when you set the WAN Encapsulation to Ethernet and the
Service Type to something other than Standard.
Figure 185 Port Forwarding
The following table describes the labels in this screen.
Table 130 Port Forwarding
WAN Interface: Select the WAN port for which you want to view or configure address mapping
  rules.
Default Server: In addition to the servers for specified services, NAT supports a default
  server. A default server receives packets from ports that are not specified in this screen.
  If you do not assign a Default Server IP address, the ZyWALL discards all packets received
  for ports that are not specified here or in the remote management setup.
Go To Page: Choose a page from the drop-down list box to display the corresponding summary
  page of the port forwarding servers.
#: This is the number of an individual port forwarding server entry.
Active: Select this check box to enable the port forwarding server entry. Clear this check
  box to disallow forwarding of these ports to an inside server without having to delete the
  entry.
Name: Enter a name to identify this port-forwarding rule.
Incoming Port(s): Enter a port number here. To forward only one port, enter it again in the
  second field. To specify a range of ports, enter the last port to be forwarded in the second
  field.
Port Translation: Enter the port number here to which you want the ZyWALL to translate the
  incoming port. For a range of ports, you only need to enter the first number of the range
  to which you want the incoming ports translated; the ZyWALL automatically calculates the
  last port of the translated port range.
Server IP Address: Enter the inside IP address of the server here.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
22.7 Port Triggering
Some services use a dedicated range of ports on the client side and a dedicated range of ports
on the server side. With regular port forwarding you set a forwarding port in NAT to forward a
service (coming in from the server on the WAN) to the IP address of a computer on the client
side (LAN). The problem is that port forwarding only forwards a service to a single LAN IP
address. In order to use the same service on a different LAN computer, you have to manually
replace the LAN computer's IP address in the forwarding port with another LAN computer's IP
address.
Trigger port forwarding solves this problem by allowing computers on the LAN to
dynamically take turns using the service. The ZyWALL records the IP address of a LAN
computer that sends traffic to the WAN to request a service with a specific port number and
protocol (a "trigger" port). When the ZyWALL's WAN port receives a response with a specific
port number and protocol ("incoming" port), the ZyWALL forwards the traffic to the LAN IP
address of the computer that sent the request. After that computer’s connection for that service
closes, another computer on the LAN can use the service in the same manner. This way you do
not need to configure a new IP address each time you want a different LAN computer to use
the application.
For example:
Figure 186 Trigger Port Forwarding Process: Example
1 Jane requests a file from the Real Audio server (port 7070).
2 Port 7070 is a “trigger” port and causes the ZyWALL to record Jane’s computer IP
address. The ZyWALL associates Jane's computer IP address with the "incoming" port
range of 6970-7170.
3 The Real Audio server responds using a port number ranging between 6970-7170.
4 The ZyWALL forwards the traffic to Jane’s computer IP address.
5 Only Jane can connect to the Real Audio server until the connection is closed or times
out. The ZyWALL times out in three minutes with UDP (User Datagram Protocol) or two
hours with TCP/IP (Transmission Control Protocol/Internet Protocol).
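The trigger port process above (steps 1 to 5), as an added example that is not ZyXEL's code: outbound traffic to a trigger port binds the sending LAN address to the rule's incoming range, responses in that range are forwarded to the bound host, and the binding is released when the connection closes or times out (three minutes for UDP, two hours for TCP, as stated above). LAN addresses, timestamps and the class layout are constructed assumptions; the Real Audio ports are the manual's.

```python
"""Trigger port forwarding state (added example, not ZyXEL code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

UDP_TIMEOUT = 3 * 60            # seconds, per the manual
TCP_TIMEOUT = 2 * 60 * 60


@dataclass
class TriggerRule:
    name: str
    trigger_start: int            # outbound destination ports that trigger the rule
    trigger_end: int
    incoming_start: int           # WAN response ports forwarded to the recorded host
    incoming_end: int


@dataclass
class PortTriggering:
    rules: List[TriggerRule]
    # rule name -> (LAN IP that owns the service, time the binding expires)
    bindings: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def outbound(self, lan_ip: str, dst_port: int, proto: str, now: float) -> None:
        """Record lan_ip for every rule whose trigger range matches dst_port."""
        timeout = UDP_TIMEOUT if proto == "udp" else TCP_TIMEOUT
        for r in self.rules:
            if r.trigger_start <= dst_port <= r.trigger_end:
                owner = self.bindings.get(r.name)
                if owner and owner[1] > now and owner[0] != lan_ip:
                    continue      # another LAN host still owns the service (step 5)
                self.bindings[r.name] = (lan_ip, now + timeout)

    def inbound(self, dst_port: int, now: float) -> Optional[str]:
        """Return the LAN IP a WAN response is forwarded to, or None to drop it."""
        for r in self.rules:
            if r.incoming_start <= dst_port <= r.incoming_end:
                owner = self.bindings.get(r.name)
                if owner and owner[1] > now:
                    return owner[0]
        return None               # no active binding: not forwarded

    def close(self, lan_ip: str) -> None:
        """Release every binding held by lan_ip (its connection closed)."""
        self.bindings = {n: b for n, b in self.bindings.items() if b[0] != lan_ip}


# Figure 186: trigger port 7070, incoming range 6970-7170.
REAL_AUDIO = TriggerRule("Real Audio", 7070, 7070, 6970, 7170)
```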
To change your ZyWALL’s trigger port settings, click ADVANCED, NAT and the Port
Triggering tab. The screen appears as shown. Not all fields are available on all models.
Figure 187 Port Triggering
The following table describes the labels in this screen.
Table 131 Port Triggering
WAN Interface: Select the WAN port for which you want to view or configure address mapping
  rules.
#: This is the rule index number (read-only).
Name: Type a unique name (up to 15 characters) for identification purposes. All characters
  are permitted - including spaces.
Incoming: Incoming is a port (or a range of ports) that a server on the WAN uses when it
  sends out a particular service. The ZyWALL forwards the traffic with this port (or range of
  ports) to the client computer on the LAN that requested the service.
  Start Port: Type a port number or the starting port number in a range of port numbers.
  End Port: Type a port number or the ending port number in a range of port numbers.
Trigger: The trigger port is a port (or a range of ports) that causes (or triggers) the
  ZyWALL to record the IP address of the LAN computer that sent the traffic to a server on
  the WAN.
  Start Port: Type a port number or the starting port number in a range of port numbers.
  End Port: Type a port number or the ending port number in a range of port numbers.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
CHAPTER 23
Static Route
This chapter shows you how to configure static routes for your ZyWALL.
23.1 IP Static Route
Each remote node specifies only the network to which the gateway is directly connected, and
the ZyWALL has no knowledge of the networks beyond. For instance, the ZyWALL knows
about network N2 in the following figure through remote node Router 1. However, the
ZyWALL is unable to route a packet to network N3 because it doesn't know that there is a
route through the same remote node Router 1 (via gateway Router 2). The static routes are for
you to tell the ZyWALL about the networks beyond the remote nodes.
Figure 188 Example of Static Routing Topology
23.2 IP Static Route
Click ADVANCED, STATIC ROUTE to open the IP Static Route screen (some of the
screen’s blank rows are not shown).
Note: The first two static route entries are for default WAN1 and WAN2 routes on a
ZyWALL with multiple WAN ports; the first static route entry is for the default
WAN route on a ZyWALL with a single WAN port. You cannot modify or delete
a static default route. The name of the default static route is left blank unless
you configure a static WAN IP address.
Note: The default route is disabled after you change the static WAN IP address to a
dynamic WAN IP address.
Figure 189 IP Static Route
The following table describes the labels in this screen.
Table 132 IP Static Route
#: This is the number of an individual static route.
Name: This is the name that describes or identifies this route.
Active: This field shows whether this static route is active (Yes) or not (No).
Destination: This parameter specifies the IP network address of the final destination. Routing is always based on network number.
Gateway: This is the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations.
Modify: Click the edit icon to go to the screen where you can set up a static route on the ZyWALL. Click the delete icon to remove a static route from the ZyWALL. A window displays asking you to confirm that you want to delete the route.
23.2.1 IP Static Route Edit
Select a static route index number and click Edit. The screen shown next appears. Use this
screen to configure the required information for a static route.
Figure 190 IP Static Route Edit
The following table describes the labels in this screen.
Table 133 IP Static Route Edit
Route Name: Enter the name of the IP static route. Leave this field blank to delete this static route.
Active: This field allows you to activate/deactivate this static route.
Destination IP Address: This parameter specifies the IP network address of the final destination. Routing is always based on network number. If you need to specify a route to a single host, use a subnet mask of 255.255.255.255 in the subnet mask field to force the network number to be identical to the host ID.
IP Subnet Mask: Enter the IP subnet mask here.
Gateway IP Address: Enter the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations.
Metric: Metric represents the “cost” of transmission for routing purposes. IP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. Enter a number that approximates the cost for this link. The number need not be precise, but it must be between 1 and 15. In practice, 2 or 3 is usually a good number.
Private: This parameter determines if the ZyWALL will include this route to a remote node in its RIP broadcasts. Select this check box to keep this route private and not included in RIP broadcasts. Clear this check box to propagate this route to other hosts through RIP broadcasts.
Apply: Click Apply to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving.
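An added example, not code from the manual, that puts the Section 23.1 topology and the Edit screen fields together: a static route table with longest-match lookup, showing that N3 is only reachable once a static route names Router 1 as its gateway, and how a 255.255.255.255 mask makes a single-host route. The addresses and router names are constructed.

```python
"""Added example (not ZyXEL's code): static route entries with the fields of
the IP Static Route Edit screen and a longest-match lookup. Addresses are
constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class StaticRoute:
    name: str
    destination: str   # network address typed in Destination IP Address
    subnet_mask: str   # 255.255.255.255 turns the entry into a host route
    gateway: str       # next-hop router on the ZyWALL's own LAN/WAN segment
    metric: int = 2    # hop-count cost; the screen accepts 1 to 15
    active: bool = True

    def __post_init__(self):
        if not 1 <= self.metric <= 15:
            raise ValueError("metric must be between 1 and 15")
        # strict=True rejects a destination that has host bits set under the mask
        IPv4Network(f"{self.destination}/{self.subnet_mask}", strict=True)

    @property
    def network(self) -> IPv4Network:
        return IPv4Network(f"{self.destination}/{self.subnet_mask}")


def lookup(routes, dst: str):
    """Gateway for dst: the longest matching network number wins; between
    equal-length matches the lower metric wins. None means no route."""
    addr = IPv4Address(dst)
    candidates = [r for r in routes if r.active and addr in r.network]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))
    return best.gateway


# Constructed topology (constructed addresses): Router 1 is the remote node the
# ZyWALL reaches N2 through; N3 lies behind Router 2, which is only reachable
# via Router 1, so the ZyWALL knows nothing about N3 until told.
ROUTER1 = "10.0.0.1"
ISP_GATEWAY = "203.0.113.1"


def routes_without_static():
    return [
        StaticRoute("default WAN", "0.0.0.0", "0.0.0.0", ISP_GATEWAY, metric=1),
        StaticRoute("N2 via Router 1", "192.168.2.0", "255.255.255.0", ROUTER1),
    ]


def routes_with_static():
    return routes_without_static() + [
        # The static route that tells the ZyWALL about the network beyond Router 1.
        StaticRoute("N3 via Router 1", "192.168.3.0", "255.255.255.0", ROUTER1),
        # Host route: the all-ones mask makes the network number the host ID.
        StaticRoute("one host in N3", "192.168.3.10", "255.255.255.255", "10.0.0.2"),
        # An inactive entry is ignored by the lookup.
        StaticRoute("disabled", "192.168.3.0", "255.255.255.0", "10.0.0.9", active=False),
    ]
```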
CHAPTER 24
Policy Route
This chapter covers setting and applying policies used for IP routing. This chapter applies to
the ZyWALL 35 and ZyWALL 70.
24.1 Policy Route
Traditionally, routing is based on the destination address only and the ZyWALL takes the
shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override
the default routing behavior and alter the packet forwarding based on the policy defined by the
network administrator. Policy-based routing is applied to incoming packets on a per interface
basis, prior to the normal routing.
24.2 Benefits
• Source-Based Routing – Network administrators can use policy-based routing to direct
traffic from different users through different connections.
• Quality of Service (QoS) – Organizations can differentiate traffic by setting the
precedence or ToS (Type of Service) values in the IP header at the periphery of the
network to enable the backbone to prioritize traffic.
• Cost Savings – IPPR allows organizations to distribute interactive traffic on high-bandwidth, high-cost paths while using low-cost paths for batch traffic.
• Load Sharing – Network administrators can use IPPR to distribute traffic among multiple
paths.
24.3 Routing Policy
Individual routing policies are used as part of the overall IPPR process. A policy defines the
matching criteria and the action to take when a packet meets the criteria. The action is taken
only when all the criteria are met. The criteria include the source address and port, IP protocol
(ICMP, UDP, TCP, etc.), destination address and port, ToS and precedence (fields in the IP
header) and length. The inclusion of length criterion is to differentiate between interactive and
bulk traffic. Interactive applications, e.g., telnet, tend to have short packets, while bulk traffic,
e.g., file transfer, tends to have large packets.
The actions that can be taken include:
• Routing the packet to a different gateway (and hence the outgoing interface).
• Setting the ToS and precedence fields in the IP header.
IPPR follows the existing packet filtering facility of RAS in style and in implementation.
24.4 IP Routing Policy Setup
Click ADVANCED, POLICY ROUTE to open the Policy Route Summary screen (some of
the screen’s blank rows are not shown).
Figure 191 Policy Route Summary
The following table describes the labels in this screen.
Table 134 Policy Route Summary
#: This is the number of an individual policy route.
Active: This field shows whether the policy is active or inactive.
Source Address/Port: This is the source IP address range and/or port number range.
Destination Address/Port: This is the destination IP address range and/or port number range.
Gateway: Enter the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations.
Protocol: This is the IP protocol and can be ALL(0), ICMP(1), IGMP(2), TCP(6), UDP(17), GRE(47), ESP(50) or AH(51).
Action: This field specifies whether action should be taken on criteria Matched or Not Matched.
Modify: Click the edit icon to go to the screen where you can edit the routing policy on the ZyWALL. Click the delete icon to remove an existing routing policy from the ZyWALL. A window displays asking you to confirm that you want to delete the routing policy.
Move: Type a policy route's index number and the number for where you want to put that rule. Click Move to move the rule to the number that you typed. The ordering of your rules is important as they are applied in order of their numbering.
24.5 Policy Route Edit
Click POLICY ROUTE to open the Policy Route Summary screen. Then click the edit icon
to open the Edit IP Policy Route screen.
Figure 192 Edit IP Policy Route
The following table describes the labels in this screen.
Table 135 Edit IP Policy Route
Criteria
Active: Select the check box to activate the policy.
Rule Index: This is the index number of the policy route.
IP Protocol: Select Predefined and then the IP protocol from ALL(0), ICMP(1), IGMP(2), TCP(6), UDP(17), GRE(47), ESP(50) or AH(51). Otherwise, select Custom and enter a number from 0 to 255.
Type of Service: Prioritize incoming network traffic by choosing from Any, Normal, Min Delay, Max Thruput, Max Reliable or Min Cost.
Precedence: Precedence value of the incoming packet. Select a value from 0 to 7 or Any.
Packet Length: Type a length of packet (in bytes). The operators in the Len Compare field apply to incoming packets of this length.
Length Comparison: Choose from Equal, Not Equal, Less, Greater, Less or Equal or Greater or Equal.
Source
Interface: Use the check box to select LAN, DMZ, WAN_1, WAN_2 and/or WLAN.
Starting IP Address: Enter the source starting IP address.
Ending IP Address: Enter the source ending IP address.
Starting Port: Enter the source starting port number. This field is applicable only when you select TCP or UDP in the IP Protocol field.
Ending Port: Enter the source ending port number. This field is applicable only when you select TCP or UDP in the IP Protocol field.
Destination
Starting IP Address: Enter the destination starting IP address.
Ending IP Address: Enter the destination ending IP address.
Starting Port: Enter the destination starting port number. This field is applicable only when you select TCP or UDP in the IP Protocol field.
Ending Port: Enter the destination ending port number. This field is applicable only when you select TCP or UDP in the IP Protocol field.
Action Applies to: Specifies whether action should be taken on criteria Matched or Not Matched.
Routing Action
Gateway: Select User-Defined and enter the IP address of the gateway if you want to specify the IP address of the gateway. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination. The gateway must be a router on the same segment as your ZyWALL's LAN or WAN port. Select WAN Interface to have the ZyWALL send traffic that matches the policy route through a specific WAN port. Select the WAN port from the drop-down list box. Select the Use another interface when the specified WAN interface is not available check box to have the ZyWALL send traffic that matches the policy route through the other WAN interface if it cannot send the traffic through the WAN interface you selected. This option is only available when you select WAN Interface.
Converted Type of Service: Set the new TOS value of the outgoing packet. Prioritize incoming network traffic by choosing Don’t Change, Normal, Min Delay, Max Thruput, Max Reliable or Min Cost.
Converted Precedence: Set the new outgoing packet precedence value. Values are 0 to 7 or Don’t Change.
Log: Select Yes from the drop-down list box to make an entry in the system log when a policy is executed.
Apply: Click Apply to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving.
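An added example, not code from the manual, that models the criteria and actions of Table 135 in Python: rules are tried in index order, every criterion must hold for a match, "Action Applies to" decides whether a match or a non-match triggers the action, and the packet-length comparison separates interactive from bulk traffic as Section 24.3 describes. The gateways, address ranges and packets are constructed, and treating an unset criterion as "match anything" is my assumption.

```python
"""Added example (not ZyXEL's code): evaluator for the Edit IP Policy Route
criteria and actions. Addresses, gateways and packets are constructed."""
import operator
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional

LENGTH_OPS = {"Equal": operator.eq, "Not Equal": operator.ne, "Less": operator.lt,
              "Greater": operator.gt, "Less or Equal": operator.le,
              "Greater or Equal": operator.ge}
TCP, UDP = 6, 17
ANY_IP = ("0.0.0.0", "255.255.255.255")   # assumption: unset range = any address


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    length: int                 # bytes
    src_port: int = 0
    dst_port: int = 0
    tos: str = "Normal"
    precedence: int = 0
    interface: str = "LAN"      # interface the packet arrived on


@dataclass
class PolicyRoute:
    index: int
    active: bool = True
    protocol: int = 0                          # 0 = ALL
    tos: str = "Any"
    precedence: Optional[int] = None           # None = Any
    packet_length: Optional[int] = None        # None = no length criterion
    length_compare: str = "Equal"
    src_interfaces: set = field(default_factory=lambda: {"LAN"})
    src_range: tuple = ANY_IP
    dst_range: tuple = ANY_IP
    src_ports: tuple = (0, 65535)
    dst_ports: tuple = (0, 65535)
    applies_to: str = "Matched"                # or "Not Matched"
    gateway: Optional[str] = None              # routing action
    new_tos: str = "Don't Change"
    new_precedence: Optional[int] = None       # None = Don't Change

    def criteria_match(self, p: Packet) -> bool:
        """True only when every configured criterion is met."""
        def in_range(ip, rng):
            return IPv4Address(rng[0]) <= IPv4Address(ip) <= IPv4Address(rng[1])
        if p.interface not in self.src_interfaces:
            return False
        if self.protocol != 0 and p.protocol != self.protocol:
            return False
        if not in_range(p.src, self.src_range) or not in_range(p.dst, self.dst_range):
            return False
        if self.protocol in (TCP, UDP):        # port criteria apply to TCP/UDP only
            if not self.src_ports[0] <= p.src_port <= self.src_ports[1]:
                return False
            if not self.dst_ports[0] <= p.dst_port <= self.dst_ports[1]:
                return False
        if self.tos != "Any" and p.tos != self.tos:
            return False
        if self.precedence is not None and p.precedence != self.precedence:
            return False
        if self.packet_length is not None:
            if not LENGTH_OPS[self.length_compare](p.length, self.packet_length):
                return False
        return True

    def action(self, p: Packet):
        """The routing action for p, or None when this rule does not apply."""
        if (self.applies_to == "Matched") != self.criteria_match(p):
            return None
        return {"gateway": self.gateway,
                "tos": p.tos if self.new_tos == "Don't Change" else self.new_tos,
                "precedence": p.precedence if self.new_precedence is None
                else self.new_precedence}


def route(rules, p: Packet):
    """Rules apply in index order; the first whose action applies wins.
    None means the packet takes the normal destination-based route."""
    for rule in sorted(rules, key=lambda r: r.index):
        if rule.active:
            result = rule.action(p)
            if result is not None:
                return result
    return None


# Constructed rules: rule 1 sends short (interactive) TCP packets to a low-delay
# gateway; rule 2 uses "Not Matched" to send traffic from every source OUTSIDE
# 192.168.1.100-192.168.1.200 to a second gateway.
RULES = [
    PolicyRoute(1, protocol=TCP, packet_length=128, length_compare="Less",
                gateway="10.0.0.1", new_tos="Min Delay"),
    PolicyRoute(2, src_range=("192.168.1.100", "192.168.1.200"),
                applies_to="Not Matched", gateway="10.0.0.2"),
]
```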
CHAPTER 25
Bandwidth Management
This chapter describes the functions and configuration of bandwidth management with
multiple levels of sub-classes.
25.1 Bandwidth Management Overview
Bandwidth management allows you to allocate an interface’s outgoing capacity to specific
types of traffic. It can also help you make sure that the ZyWALL forwards certain types of
traffic (especially real-time applications) with minimum delay. With the use of real-time
applications such as Voice-over-IP (VoIP) increasing, the requirement for bandwidth
allocation is also increasing.
Bandwidth management addresses questions such as:
• Who gets how much access to specific applications?
• What priority level should you give to each type of traffic?
• Which traffic must have guaranteed delivery?
• How much bandwidth should be allotted to guarantee delivery?
Bandwidth management also allows you to configure the allowed output for an interface to
match what the network can handle. This helps reduce delays and dropped packets at the next
routing device. For example, you can set the WAN interface speed to 1024 kbps (or less) if the
broadband device connected to the WAN port has an upstream speed of 1024 kbps.
25.2 Bandwidth Classes and Filters
Use bandwidth classes and sub-classes to allocate specific amounts of bandwidth capacity
(bandwidth budgets). Configure a bandwidth filter to define a bandwidth class (or sub-class)
based on a specific application and/or subnet. Use the Class Setup screen (see Section 25.11.1
on page 411) to set up a bandwidth class’s name, bandwidth allotment, and bandwidth filter.
You can configure up to one bandwidth filter per bandwidth class. You can also configure
bandwidth classes without bandwidth filters. However, it is recommended that you configure
sub-classes with filters for any classes that you configure without filters. The ZyWALL leaves
the bandwidth budget allocated and unused for a class that does not have a filter or sub-classes
with filters. View your configured bandwidth classes and sub-classes in the Class Setup
screen (see Section 25.11 on page 410 for details).
The total of the configured bandwidth budgets for sub-classes cannot exceed the configured
bandwidth budget speed of the parent class.
25.3 Proportional Bandwidth Allocation
Bandwidth management allows you to define how much bandwidth each class gets; however,
the actual bandwidth allotted to each class decreases or increases in proportion to actual
available bandwidth.
25.4 Application-based Bandwidth Management
You can create bandwidth classes based on individual applications (like VoIP, Web, FTP, E-mail and Video for example).
25.5 Subnet-based Bandwidth Management
You can create bandwidth classes based on subnets.
The following figure shows LAN subnets. You could configure one bandwidth class for
subnet A and another for subnet B.
Figure 193 Subnet-based Bandwidth Management Example
25.6 Application and Subnet-based Bandwidth Management
You could also create bandwidth classes based on a combination of a subnet and an
application. The following example table shows bandwidth allocations for application specific
traffic from separate LAN subnets.
Table 136 Application and Subnet-based Bandwidth Management Example
TRAFFIC TYPE | FROM SUBNET A | FROM SUBNET B
VoIP | 64 Kbps | 64 Kbps
Web | 64 Kbps | 64 Kbps
FTP | 64 Kbps | 64 Kbps
E-mail | 64 Kbps | 64 Kbps
Video | 64 Kbps | 64 Kbps
25.7 Scheduler
The scheduler divides up an interface’s bandwidth among the bandwidth classes. The
ZyWALL has two types of scheduler: fairness-based and priority-based.
25.7.1 Priority-based Scheduler
With the priority-based scheduler, the ZyWALL forwards traffic from bandwidth classes
according to the priorities that you assign to the bandwidth classes. The larger a bandwidth
class’s priority number is, the higher the priority. Assign real-time applications (like those
using audio or video) a higher priority number to provide smoother operation.
25.7.2 Fairness-based Scheduler
The ZyWALL divides bandwidth equally among bandwidth classes when using the fairness-based scheduler, thus preventing one bandwidth class from using all of the interface’s bandwidth.
25.7.3 Maximize Bandwidth Usage
The maximize bandwidth usage option (see Figure 194 on page 409) allows the ZyWALL to
divide up any available bandwidth on the interface (including unallocated bandwidth and any
allocated bandwidth that a class is not using) among the bandwidth classes that require more
bandwidth.
When you enable maximize bandwidth usage, the ZyWALL first makes sure that each
bandwidth class gets up to its bandwidth allotment. Next, the ZyWALL divides up an
interface’s available bandwidth (bandwidth that is unbudgeted or unused by the classes)
depending on how many bandwidth classes require more bandwidth and on their priority
levels. When only one class requires more bandwidth, the ZyWALL gives extra bandwidth to
that class.
When multiple classes require more bandwidth, the ZyWALL gives the highest priority
classes the available bandwidth first (as much as they require, if there is enough available
bandwidth), and then to lower priority classes if there is still bandwidth available. The
ZyWALL distributes the available bandwidth equally among classes with the same priority
level.
25.7.4 Reserving Bandwidth for Non-Bandwidth Class Traffic
Do the following three steps to configure the ZyWALL to allow bandwidth for traffic that is
not defined in a bandwidth filter.
1 Leave some of the interface’s bandwidth unbudgeted.
2 Do not enable the interface’s Maximize Bandwidth Usage option.
3 Do not enable bandwidth borrowing on the sub-classes that have the root class as their
parent (see Section 25.8 on page 407).
25.7.5 Maximize Bandwidth Usage Example
Here is an example of a ZyWALL that has maximize bandwidth usage enabled on an interface.
The following table shows each bandwidth class’s bandwidth budget. The classes are set up
based on subnets. The interface is set to 10240 kbps. Each subnet is allocated 2048 kbps. The
unbudgeted 2048 kbps allows traffic not defined in any of the bandwidth filters to go out when
you do not select the maximize bandwidth option.
Table 137 Maximize Bandwidth Usage Example
BANDWIDTH CLASSES AND ALLOTMENTS
Root Class: 10240 kbps
Administration: 2048 kbps
Sales: 2048 kbps
Marketing: 2048 kbps
Research: 2048 kbps
The ZyWALL divides up the unbudgeted 2048 kbps among the classes that require more
bandwidth. If the administration department only uses 1024 kbps of the budgeted 2048 kbps,
the ZyWALL also divides the remaining 1024 kbps among the classes that require more
bandwidth. Therefore, the ZyWALL divides a total of 3072 kbps of unbudgeted and unused
bandwidth among the classes that require more bandwidth.
25.7.5.1 Priority-based Allotment of Unused and Unbudgeted Bandwidth
The following table shows the priorities of the bandwidth classes and the amount of bandwidth
that each class gets.
Table 138 Priority-based Allotment of Unused and Unbudgeted Bandwidth Example
BANDWIDTH CLASSES, PRIORITIES AND ALLOTMENTS
Root Class: 10240 kbps
Administration: Priority 4, 1024 kbps
Sales: Priority 6, 3584 kbps
Marketing: Priority 6, 3584 kbps
Research: Priority 5, 2048 kbps
Suppose that all of the classes except for the administration class need more bandwidth.
• Each class gets up to its budgeted bandwidth. The administration class only uses 1024
kbps of its budgeted 2048 kbps.
• The sales and marketing are first to get extra bandwidth because they have the highest
priority (6). If they each require 1536 kbps or more of extra bandwidth, the ZyWALL
divides the total 3072 kbps total of unbudgeted and unused bandwidth equally between
the sales and marketing departments (1536 kbps extra to each for a total of 3584 kbps for
each) because they both have the highest priority level.
• Research requires more bandwidth but only gets its budgeted 2048 kbps because all of the
unbudgeted and unused bandwidth goes to the higher priority sales and marketing
classes.
25.7.5.2 Fairness-based Allotment of Unused and Unbudgeted Bandwidth
The following table shows the amount of bandwidth that each class gets.
Table 139 Fairness-based Allotment of Unused and Unbudgeted Bandwidth Example
BANDWIDTH CLASSES AND ALLOTMENTS
Root Class: 10240 kbps
Administration: 1024 kbps
Sales: 3072 kbps
Marketing: 3072 kbps
Research: 3072 kbps
Suppose that all of the classes except for the administration class need more bandwidth.
• Each class gets up to its budgeted bandwidth. The administration class only uses 1024
kbps of its budgeted 2048 kbps.
• The ZyWALL divides the total 3072 kbps total of unbudgeted and unused bandwidth
equally among the other classes. 1024 kbps extra goes to each so the other classes each
get a total of 3072 kbps.
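The two allotments above as an added example, not code from the manual: a Python routine that applies the maximize-bandwidth-usage rules of Section 25.7.3 (budget first, then spare bandwidth by priority or equally) and reproduces the figures in Tables 138 and 139. Budgets and priorities are the text's; the per-class demands, and the equal split when classes of the same priority want more than is available, are my assumptions.

```python
"""Added example (not ZyXEL's code): allotment of unused and unbudgeted
bandwidth under the priority-based and fairness-based schedulers. Class
demands are constructed; budgets and priorities are from Tables 137 and 138."""
from dataclasses import dataclass


@dataclass
class BwClass:
    name: str
    budget: int     # kbps budgeted in Class Setup
    priority: int   # 0..7; higher wins under the priority-based scheduler
    demand: int     # kbps the class's traffic currently wants (constructed)


def _water_fill(needs: dict, available: int):
    """Share `available` kbps equally among the classes in `needs`, never giving
    a class more than it needs; whatever is left over is returned."""
    grant = {}
    for i, name in enumerate(sorted(needs, key=needs.get)):   # smallest need first
        give = min(needs[name], available // (len(needs) - i))
        grant[name] = give
        available -= give
    return grant, available


def allocate(interface_kbps: int, classes: list, scheduler: str, maximize: bool = True):
    """Return (kbps per class, kbps left for traffic that matches no class)."""
    if sum(c.budget for c in classes) > interface_kbps:
        raise ValueError("sub-class budgets exceed the root class budget")
    # Step 1: every class gets up to its own budget.
    alloc = {c.name: min(c.demand, c.budget) for c in classes}
    spare = interface_kbps - sum(alloc.values())   # unbudgeted plus unused
    if not maximize:
        return alloc, spare                        # spare stays reserved for other traffic
    # Step 2: divide the spare among the classes that still want more.
    need = {c.name: c.demand - alloc[c.name] for c in classes if c.demand > alloc[c.name]}
    if scheduler == "fairness":
        extra, spare = _water_fill(need, spare)
        for name, kbps in extra.items():
            alloc[name] += kbps
    elif scheduler == "priority":
        by_prio = {}
        for c in classes:
            if c.name in need:
                by_prio.setdefault(c.priority, {})[c.name] = need[c.name]
        for prio in sorted(by_prio, reverse=True):   # highest priority first
            extra, spare = _water_fill(by_prio[prio], spare)
            for name, kbps in extra.items():
                alloc[name] += kbps
            if spare == 0:
                break
    else:
        raise ValueError("scheduler must be 'priority' or 'fairness'")
    return alloc, spare


# Table 137/138: root class 10240 kbps, 2048 kbps per department, 2048 unbudgeted.
# Administration uses only 1024 kbps; the other three want more than their budget.
EXAMPLE_CLASSES = [
    BwClass("Administration", 2048, 4, demand=1024),
    BwClass("Sales", 2048, 6, demand=4096),
    BwClass("Marketing", 2048, 6, demand=4096),
    BwClass("Research", 2048, 5, demand=4096),
]
```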
25.8 Bandwidth Borrowing
Bandwidth borrowing allows a sub-class to borrow unused bandwidth from its parent class,
whereas maximize bandwidth usage allows bandwidth classes to borrow any unused or
unbudgeted bandwidth on the whole interface.
Enable bandwidth borrowing on a sub-class to allow the sub-class to use its parent class’s
unused bandwidth. A parent class’s unused bandwidth is given to the highest priority sub-class
first. The sub-class can also borrow bandwidth from a higher parent class (grandparent class)
if the sub-class’s parent class is also configured to borrow bandwidth from its parent class.
This can go on for as many levels as are configured to borrow bandwidth from their parent
class (see Section 25.8.1 on page 407).
The total of the bandwidth allotments for sub-classes cannot exceed the bandwidth allotment
of their parent class. The ZyWALL uses the scheduler to divide a parent class’s unused
bandwidth among the sub-classes.
25.8.1 Bandwidth Borrowing Example
Here is an example of bandwidth management with classes configured for bandwidth
borrowing. The classes are set up based on departments and individuals within certain
departments.
Refer to the product specifications in the appendix to see how many class levels you can
configure on your ZyWALL.
Table 140 Bandwidth Borrowing Example
BANDWIDTH CLASSES AND BANDWIDTH BORROWING SETTINGS
Root Class:
    Administration: Borrowing Enabled
    Sales: Borrowing Disabled
        Sales USA: Borrowing Enabled
            Bill: Borrowing Enabled
            Amy: Borrowing Disabled
        Sales Asia: Borrowing Disabled
            Tina: Borrowing Enabled
            Fred: Borrowing Disabled
    Marketing: Borrowing Enabled
    Research: Borrowing Enabled
        Software: Borrowing Enabled
        Hardware: Borrowing Enabled
• The Bill class can borrow unused bandwidth from the Sales USA class because the Bill
class has bandwidth borrowing enabled.
• The Bill class can also borrow unused bandwidth from the Sales class because the Sales
USA class also has bandwidth borrowing enabled.
• The Bill class cannot borrow unused bandwidth from the Root class because the Sales
class has bandwidth borrowing disabled.
• The Amy class cannot borrow unused bandwidth from the Sales USA class because the
Amy class has bandwidth borrowing disabled.
• The Research Software and Hardware classes can both borrow unused bandwidth from
the Research class because the Research Software and Hardware classes both have
bandwidth borrowing enabled.
• The Research Software and Hardware classes can also borrow unused bandwidth from
the Root class because the Research class also has bandwidth borrowing enabled.
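The borrowing rules above as an added example, not code from the manual: the Table 140 class tree in Python with a check of which ancestors a class may borrow from, reproducing each bullet. Amy sits under Sales USA as the text states; placing Tina and Fred under Sales Asia is my assumption.

```python
"""Added example (not ZyXEL's code): the Table 140 class tree and a check of
which ancestors a sub-class may borrow unused bandwidth from."""
from dataclasses import dataclass, field


@dataclass
class ClassNode:
    name: str
    borrowing: bool = False            # "Borrow bandwidth from parent class"
    parent: "ClassNode" = field(default=None, repr=False, compare=False)
    children: list = field(default_factory=list)

    def add(self, name: str, borrowing: bool) -> "ClassNode":
        child = ClassNode(name, borrowing, parent=self)
        self.children.append(child)
        return child


def find(root: ClassNode, name: str):
    """Depth-first search for a class by name."""
    if root.name == name:
        return root
    for child in root.children:
        hit = find(child, name)
        if hit is not None:
            return hit
    return None


def can_borrow_from(sub: ClassNode, ancestor: ClassNode) -> bool:
    """A sub-class may use an ancestor's unused bandwidth only if it, and every
    class between it and that ancestor, has borrowing enabled."""
    node = sub
    while node is not None and node is not ancestor:
        if not node.borrowing:
            return False
        node = node.parent
    return node is ancestor


def borrowable_ancestors(sub: ClassNode) -> list:
    """Names of all ancestors the class can borrow from, nearest first."""
    names = []
    node = sub
    while node.parent is not None and node.borrowing:
        node = node.parent
        names.append(node.name)
    return names


def build_table_140() -> ClassNode:
    root = ClassNode("Root")
    root.add("Administration", True)
    sales = root.add("Sales", False)
    usa = sales.add("Sales USA", True)
    usa.add("Bill", True)
    usa.add("Amy", False)
    asia = sales.add("Sales Asia", False)   # assumption: Tina and Fred live here
    asia.add("Tina", True)
    asia.add("Fred", False)
    root.add("Marketing", True)
    research = root.add("Research", True)
    research.add("Software", True)
    research.add("Hardware", True)
    return root
```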
25.9 Maximize Bandwidth Usage With Bandwidth Borrowing
If you configure both maximize bandwidth usage (on the interface) and bandwidth borrowing
(on individual sub-classes), the ZyWALL functions as follows.
1 The ZyWALL sends traffic according to each bandwidth class’s bandwidth budget.
2 The ZyWALL assigns a parent class’s unused bandwidth to its sub-classes that have more
traffic than their budgets and have bandwidth borrowing enabled. The ZyWALL gives
priority to sub-classes of higher priority and treats classes of the same priority equally.
3 The ZyWALL assigns any remaining unused or unbudgeted bandwidth on the interface to
any class that requires it. The ZyWALL gives priority to classes of higher priority and
treats classes of the same level equally.
4 If the bandwidth requirements of all of the traffic classes are met and there is still some
unbudgeted bandwidth, the ZyWALL assigns it to traffic that does not match any of the
classes.
25.10 Configuring Summary
Click ADVANCED, BW MGMT to open the Summary screen.
Enable bandwidth management on an interface and set the maximum allowed bandwidth for
that interface.
Figure 194 Bandwidth Management: Summary
The following table describes the labels in this screen.
Table 141 Bandwidth Management: Summary
Class: These read-only labels represent the physical interfaces. Select an interface’s check box to enable bandwidth management on that interface. Bandwidth management applies to all traffic flowing out of the router through the interface, regardless of the traffic’s source. Traffic redirect or IP alias may cause LAN-to-LAN or DMZ-to-DMZ traffic to pass through the ZyWALL and be managed by bandwidth management.
Active: Select an interface’s check box to enable bandwidth management on that interface.
Speed (kbps): Enter the amount of bandwidth for this interface that you want to allocate using bandwidth management. This appears as the bandwidth budget of the interface’s root class (see Section 25.11 on page 410). The recommendation is to set this speed to match what the device connected to the port can handle. For example, set the WAN interface speed to 1000 kbps if the broadband device connected to the WAN port has an upstream speed of 1000 kbps.
Scheduler: Select either Priority-Based or Fairness-Based from the drop-down menu to control the traffic flow. Select Priority-Based to give preference to bandwidth classes with higher priorities. Select Fairness-Based to treat all bandwidth classes equally. See Section 25.7 on page 404.
Maximize Bandwidth Usage: Select this check box to have the ZyWALL divide up all of the interface’s unallocated and/or unused bandwidth among the bandwidth classes that require bandwidth. Do not select this if you want to reserve bandwidth for traffic that does not match a bandwidth class (see Section 25.7.4 on page 405) or you want to limit the speed of this interface (see the Speed field description).
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
25.11 Configuring Class Setup
The Class Setup screen displays the configured bandwidth classes by individual interface.
Select an interface and click the buttons to perform the actions described next. Click “+” to
expand the class tree or click “-” to collapse the class tree. Each interface has a permanent root
class. The bandwidth budget of the root class is equal to the speed you configured on the
interface (see Section 25.10 on page 408 to configure the speed of the interface). Configure
sub-class layers for the root class.
To add or delete child classes on an interface, click ADVANCED, BW MGMT, then the
Class Setup tab. The screen appears as shown (with example classes).
Figure 195 Bandwidth Management: Class Setup
The following table describes the labels in this screen.
Table 142 Bandwidth Management: Class Setup
Interface: Select an interface from the drop-down list box for which you wish to set up classes. Bandwidth management controls outgoing traffic on an interface, not incoming. So, in order to limit the download bandwidth of the LAN users, set the bandwidth management class on the LAN. In order to limit the upload bandwidth, set the bandwidth management class on the corresponding WAN interface.
Bandwidth Management: This field displays whether bandwidth management on the interface you selected in the field above is enabled (Active) or not (Inactive).
Add Sub-Class: Click Add Sub-class to add a sub-class.
Edit: Click Edit to configure the selected class. You cannot edit the root class.
Delete: Click Delete to delete the class and all its sub-classes. You cannot delete the root class.
Statistics: Click Statistics to display the status of the selected class.
Filter List: This list displays the bandwidth management filters that are configured for the classes on the selected interface. The ZyWALL applies the bandwidth management filters in the order that they appear here. Once a connection matches a bandwidth management filter, the ZyWALL applies the rules of the corresponding bandwidth management class and does not check the connection against any other bandwidth management filters.
#: This is the index number of an individual bandwidth management filter.
Filter Name: This is the name that identifies a bandwidth management filter.
Service: This is the service that this bandwidth management filter is configured to manage.
Destination IP Address: This is the destination IP address for connections to which this bandwidth management filter applies.
Destination Port: This is the destination port for connections to which this bandwidth management filter applies.
Source IP Address: This is the source IP address for connections to which this bandwidth management filter applies.
Source Port: This is the source port for connections to which this bandwidth management filter applies.
Protocol ID: This is the protocol ID (service type) number for connections to which this bandwidth management filter applies. For example: 1 for ICMP, 6 for TCP or 17 for UDP.
Move: Type a filter’s index number and the number for where you want to put that filter. Click Move to move the filter to the number that you typed. The ordering of your filters is important as they are applied in order of their numbering.
25.11.1 Bandwidth Manager Class Configuration
Configure a bandwidth management class in the Class Setup screen. You must use the
Summary screen to enable bandwidth management on an interface before you can configure
classes for that interface.
To add a child class, click ADVANCED, BW MGMT, then the Class Setup tab. Click the
Add Sub-Class button to open the following screen.
Figure 196 Bandwidth Management: Edit Class
The following table describes the labels in this screen.
Table 143 Bandwidth Management: Edit Class

Class Configuration

Class Name: Use the auto-generated name or enter a descriptive name of up to 20
alphanumeric characters, including spaces.

Bandwidth Budget (kbps): Specify the maximum bandwidth allowed for the class in kbps. The
recommendation is a setting between 20 kbps and 20000 kbps for an individual class.

Priority: Enter a number between 0 and 7 to set the priority of this class. The higher the
number, the higher the priority. The default setting is 3.

Borrow bandwidth from parent class: Select this option to allow a sub-class to borrow
bandwidth from its parent class if the parent class is not using up its bandwidth budget.
Bandwidth borrowing is governed by the priority of the sub-classes. That is, a sub-class with
the highest priority (7) is the first to borrow bandwidth from its parent class.
Do not select this for the classes directly below the root class if you want to leave bandwidth
available for other traffic types (see Section 25.7.4 on page 405) or you want to set the
interface’s speed to match what the next device in the network can handle (see the Speed
field description in Table 141 on page 409).

Filter Configuration
Enable Bandwidth Filter: Select Enable Bandwidth Filter to have the ZyWALL use this
bandwidth filter when it performs bandwidth management.
You must enter a value in at least one of the following fields (other than the Subnet Mask
fields, which are only available when you enter the destination or source IP address).

Service: This field simplifies bandwidth class configuration by allowing you to select a
predefined application. When you select a predefined application, you do not configure the
rest of the bandwidth filter fields (other than enabling or disabling the filter).
FTP (File Transfer Program) is a program to enable fast transfer of files, including large files
that may not be possible by e-mail. Select FTP from the drop-down list box to configure the
bandwidth filter for FTP traffic.
H.323 is a protocol used for multimedia communications over networks, for example
NetMeeting. Select H.323 from the drop-down list box to configure the bandwidth filter for
H.323 traffic.
Note: If you select H.323, make sure you also use the ALG screen to turn on the H.323 ALG.
SIP (Session Initiation Protocol) is a signaling protocol used in Internet telephony, instant
messaging, events notification and conferencing. The ZyWALL supports SIP traffic
pass-through. Select SIP from the drop-down list box to configure this bandwidth filter for
SIP traffic. This option makes it easier to manage bandwidth for SIP traffic and is useful for
example when there is a VoIP (Voice over Internet Protocol) device on your LAN.
Note: If you select SIP, make sure you also use the ALG screen to turn on the SIP ALG.
Select Custom from the drop-down list box if you do not want to use a predefined application
for the bandwidth class. When you select Custom, you need to configure at least one of the
following fields (other than the Subnet Mask fields, which you only enter if you also enter a
corresponding destination or source IP address).
Destination IP Address: Enter the destination IP address in dotted decimal notation.

Destination Subnet Mask: Enter the destination subnet mask. This field is N/A if you do not
specify a Destination IP Address. Refer to Appendix E on page 694 for more information on
IP subnetting.

Destination Port: Enter the port number of the destination. See Section 11.11.2 on page 233
for a table of services and port numbers.

Source IP Address: Enter the source IP address.

Source Subnet Mask: Enter the source subnet mask. This field is N/A if you do not specify a
Source IP Address. Refer to Appendix E on page 694 for more information on IP subnetting.

Source Port: Enter the port number of the source. See the following table for some common
services and port numbers.

Protocol ID: Enter the protocol ID (service type) number, for example: 1 for ICMP, 6 for TCP
or 17 for UDP.
Apply: Click Apply to save your changes back to the ZyWALL.

Cancel: Click Cancel to exit this screen without saving.
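As an added example (not ZyXEL's code; the guide does not publish the ZyWALL's scheduler), the following Python models the rules in Table 143: a custom filter needs at least one field besides the subnet masks, a mask is N/A without its IP address, and unused parent bandwidth is lent to borrowing sub-classes in priority order, highest (7) first. The class and function names, the packet fields and the allocate() algorithm are this example's own assumptions.

```python
"""Added example (not ZyXEL code): a small model of the ZyWALL bandwidth class
rules from Table 143. Names, packet fields and allocate() are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Protocol ID (service type) numbers named in the table.
PROTOCOL_ID = {"ICMP": 1, "TCP": 6, "UDP": 17}


@dataclass
class BandwidthFilter:
    """A Custom bandwidth filter; None means the field was left blank."""
    enabled: bool = True
    dst_ip: Optional[str] = None
    dst_mask: Optional[str] = None
    dst_port: Optional[int] = None
    src_ip: Optional[str] = None
    src_mask: Optional[str] = None
    src_port: Optional[int] = None
    protocol_id: Optional[int] = None

    def validate(self) -> None:
        # At least one field other than the subnet masks must be filled in.
        criteria = (self.dst_ip, self.dst_port, self.src_ip,
                    self.src_port, self.protocol_id)
        if all(c is None for c in criteria):
            raise ValueError("filter needs at least one field besides the masks")
        # A subnet mask is N/A unless its IP address is also given.
        if (self.dst_mask and not self.dst_ip) or (self.src_mask and not self.src_ip):
            raise ValueError("subnet mask given without its IP address")

    @staticmethod
    def _in_net(addr: str, ip: Optional[str], mask: Optional[str]) -> bool:
        if ip is None:
            return True          # blank field: not a criterion
        # Assumption: no mask means a single host (255.255.255.255).
        net = ipaddress.ip_network(f"{ip}/{mask or '255.255.255.255'}", strict=False)
        return ipaddress.ip_address(addr) in net

    def matches(self, src: str, sport: int, dst: str, dport: int, proto: int) -> bool:
        if not self.enabled:
            return False
        return (self._in_net(dst, self.dst_ip, self.dst_mask)
                and self._in_net(src, self.src_ip, self.src_mask)
                and (self.dst_port is None or self.dst_port == dport)
                and (self.src_port is None or self.src_port == sport)
                and (self.protocol_id is None or self.protocol_id == proto))


@dataclass
class BandwidthClass:
    name: str
    budget_kbps: int
    priority: int = 3            # 0..7, higher number = higher priority
    borrow: bool = False         # "Borrow bandwidth from parent class"
    bw_filter: Optional[BandwidthFilter] = None

    def __post_init__(self) -> None:
        if not 0 <= self.priority <= 7:
            raise ValueError("priority must be between 0 and 7")
        if self.budget_kbps < 2:  # 2 kbps is the smallest budget (Table 146 note)
            raise ValueError("budget must be at least 2 kbps")
        if self.bw_filter is not None:
            self.bw_filter.validate()


def allocate(parent_budget_kbps: int, classes: list, demand_kbps: dict) -> dict:
    """Share a parent's budget among its sub-classes for one interval.
    Each class first gets min(demand, own budget); whatever the parent has
    left is then lent to borrowing classes, highest priority first."""
    if sum(c.budget_kbps for c in classes) > parent_budget_kbps:
        raise ValueError("sub-class budgets exceed the parent budget")
    given = {c.name: min(demand_kbps.get(c.name, 0), c.budget_kbps) for c in classes}
    spare = parent_budget_kbps - sum(given.values())
    for c in sorted(classes, key=lambda k: k.priority, reverse=True):
        if not c.borrow or spare <= 0:
            continue
        extra = min(spare, demand_kbps.get(c.name, 0) - given[c.name])
        given[c.name] += extra
        spare -= extra
    return given
```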
Table 144 Services and Port Numbers

ECHO: 7
FTP (File Transfer Protocol): 21
SMTP (Simple Mail Transfer Protocol): 25
DNS (Domain Name System): 53
Finger: 79
HTTP (Hypertext Transfer Protocol or WWW, Web): 80
POP3 (Post Office Protocol): 110
NNTP (Network News Transport Protocol): 119
SNMP (Simple Network Management Protocol): 161
SNMP trap: 162
PPTP (Point-to-Point Tunneling Protocol): 1723
25.11.2 Bandwidth Management Statistics
Use the Bandwidth Management Statistics screen to view network performance
information. Click the Statistics button in the Class Setup screen to open the Statistics
screen.
Figure 197 Bandwidth Management: Statistics
The following table describes the labels in this screen.
Table 145 Bandwidth Management: Statistics

Class Name: This field displays the name of the class the statistics page is showing.

Budget (kbps): This field displays the amount of bandwidth allocated to the class.

Tx Packets: This field displays the total number of packets transmitted.

Tx Bytes: This field displays the total number of bytes transmitted.

Dropped Packets: This field displays the total number of packets dropped.

Dropped Bytes: This field displays the total number of bytes dropped.

Bandwidth Statistics for the Past 8 Seconds (t-8 to t-1): This field displays the bandwidth
statistics (in bps) for the past one to eight seconds. For example, t-1 means one second ago.

Update Period (Seconds): Enter the time interval in seconds to define how often the
information should be refreshed.

Set Interval: Click Set Interval to apply the new update period you entered in the Update
Period field above.

Stop Update: Click Stop Update to stop the browser from refreshing bandwidth management
statistics.

Clear Counter: Click Clear Counter to clear all of the bandwidth management statistics.
25.12 Configuring Monitor
To view the device’s bandwidth usage and allotments, click ADVANCED, BW MGMT, then
the Monitor tab. The screen appears as shown.
Figure 198 Bandwidth Management: Monitor
The following table describes the labels in this screen.
Table 146 Bandwidth Management: Monitor

Interface: Select an interface from the drop-down list box to view the bandwidth usage of its
bandwidth classes.

Class: This field displays the name of the bandwidth class.
A Default Class automatically displays for all the bandwidth in the Root Class that is not
allocated to bandwidth classes. If you do not enable maximize bandwidth usage on an
interface, the ZyWALL uses the bandwidth in this default class to send traffic that does not
match any of the bandwidth classes (see note a).

Budget (kbps): This field displays the amount of bandwidth allocated to the bandwidth class.

Current Usage (kbps): This field displays the amount of bandwidth that each bandwidth class
is using.

Refresh: Click Refresh to update the page.

a. If you allocate all the root class’s bandwidth to the bandwidth classes, the default class still
displays a budget of 2 kbps (the minimum amount of bandwidth that can be assigned to a
bandwidth class).
CHAPTER 26
DNS
This chapter shows you how to configure the DNS screens.
26.1 DNS Overview
DNS (Domain Name System) is for mapping a domain name to its corresponding IP address
and vice versa. The DNS server is extremely important because without it, you must know the
IP address of a machine before you can access it. The ZyWALL uses a system DNS server (in
the order you specify in the DNS System screen) to resolve domain names, for example, VPN,
DDNS and the time server.
26.2 DNS Server Address Assignment
The ZyWALL can get the DNS server addresses in the following ways.
1 The ISP tells you the DNS server addresses, usually in the form of an information sheet,
when you sign up. If your ISP gives you DNS server addresses, manually enter them in
the DNS server fields.
2 If your ISP dynamically assigns the DNS server IP addresses (along with the ZyWALL’s
WAN IP address), set the DNS server fields to get the DNS server address from the ISP.
3 You can manually enter the IP addresses of other DNS servers. These servers can be
public or private. A DNS server could even be behind a remote IPSec router (see Section
26.5.1 on page 419).
26.3 DNS Servers
There are three places where you can configure DNS setup on the ZyWALL.
1 Use the DNS System screen to configure the ZyWALL to use a DNS server to resolve
domain names for ZyWALL system features like VPN, DDNS and the time server.
2 Use the DNS DHCP screen to configure the DNS server information that the ZyWALL
sends to the DHCP client devices on the LAN, DMZ or WLAN.
3 Use the REMOTE MGMT DNS screen to configure the ZyWALL (in router mode) to
accept or discard DNS queries.
26.4 Address Record
An address record contains the mapping of a fully qualified domain name (FQDN) to an IP
address. An FQDN consists of a host and domain name and includes the top-level domain. For
example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host,
“zyxel” is the second-level domain, and “com.tw” is the top level domain.
mail.myZyXEL.com.tw is also an FQDN, where "mail" is the host, "myZyXEL" is the
second-level domain, and "com.tw" is the top level domain.
The ZyWALL allows you to configure address records about the ZyWALL itself or another
device. This way you can keep a record of DNS names and addresses that people on your
network may use frequently. If the ZyWALL receives a DNS query for an FQDN for which
the ZyWALL has an address record, the ZyWALL can send the IP address in a DNS response
without having to query a DNS name server.
26.4.1 DNS Wildcard
Enabling the wildcard feature for your host causes *.yourhost.com to be aliased to the same IP
address as yourhost.com. This feature is useful if you want to be able to use, for example,
www.yourhost.com and still reach your hostname.
26.5 Name Server Record
A name server record contains a DNS server’s IP address. The ZyWALL can query the DNS
server to resolve domain names for features like VPN, DDNS and the time server. A domain
zone may also be included. A domain zone is a fully qualified domain name without the host.
For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified
domain name.
26.5.1 Private DNS Server
In cases where you want to use domain names to access Intranet servers on a remote private
network that has a DNS server, you must identify that DNS server. You cannot use DNS
servers on the LAN or from the ISP since these DNS servers cannot resolve domain names to
private IP addresses on the remote private network.
The following figure depicts an example where three VPN tunnels are created from ZyWALL
A; one to branch office 2, one to branch office 3 and another to headquarters (HQ). In order to
access computers that use private domain names on the HQ network, the ZyWALL at branch
office 1 uses the Intranet DNS server in headquarters.
Figure 199 Private DNS Server Example
Note: If you do not specify an Intranet DNS server on the remote network, then the
VPN host must use IP addresses to access the computers on the remote
private network.
26.6 System Screen
To configure your ZyWALL’s DNS address and name server records, click ADVANCED,
DNS. The screen appears as shown.
Figure 200 System DNS
The following table describes the labels in this screen.
Table 147 System DNS

Address Record: An address record specifies the mapping of a fully qualified domain name
(FQDN) to an IP address. An FQDN consists of a host and domain name and includes the
top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where
“www” is the host, “zyxel” is the second-level domain, and “com.tw” is the top level domain.

#: This is the index number of the address record.

FQDN: This is a host’s fully qualified domain name.

Wildcard: This column displays whether or not the DNS wildcard feature is enabled for this
domain name.

IP Address: This is the IP address of a host.

Modify: Click the edit icon to go to the screen where you can edit the record.
Click the delete icon to remove an existing record. A window displays asking you to confirm
that you want to delete the record. Note that subsequent records move up by one when you
take this action.

Add: Click Add to open a screen where you can add a new address record. Refer to Table 148
on page 423 for information on the fields.
Name Server Record: A name server record contains a DNS server’s IP address. The ZyWALL
can query the DNS server to resolve domain names for features like VPN, DDNS and the
time server.
When the ZyWALL needs to resolve a domain name, it checks it against the name server
record entries in the order that they appear in this list.
A “*” indicates a name server record without a domain zone. The default record is grayed
out. The ZyWALL uses this default record if the domain name that needs to be resolved does
not match any of the other name server records.

#: This is the index number of the name server record.

Domain Zone: A domain zone is a fully qualified domain name without the host. For example,
zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.

From: This field displays whether the IP address of a DNS server is from a WAN interface
(and which it is) or specified by the user.

DNS Server: This is the IP address of a DNS server.

Modify: Click a triangle icon to move the record up or down in the list.
Click the edit icon to go to the screen where you can edit the record.
Click the delete icon to remove an existing record. A window displays asking you to confirm
that you want to delete the record. Note that subsequent records move up by one when you
take this action.

Insert: Click Insert to open a screen where you can insert a new name server record. Refer to
Table 149 on page 424 for information on the fields.
26.6.1 Adding an Address Record
Click Add in the System screen to add an address record.
Figure 201 System DNS: Add Address Record
The following table describes the labels in this screen.
Table 148 System DNS: Add Address Record

FQDN: Type a fully qualified domain name (FQDN) of a server. An FQDN starts with a host
name and continues all the way up to the top-level domain name. For example,
www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the
second-level domain, and “com.tw” is the top level domain.

IP Address: If this entry is for one of the WAN ports on a ZyWALL with multiple WAN ports,
select WAN Interface and select WAN 1 or WAN 2 from the drop-down list box.
If this entry is for the WAN port on a ZyWALL with a single WAN port, select WAN
Interface.
For entries that are not for the WAN port(s), select Custom and enter the IP address of the
host in dotted decimal notation.

Enable Wildcard: Select the check box to enable DNS wildcard.

Apply: Click Apply to save your changes back to the ZyWALL.

Cancel: Click Cancel to exit this screen without saving.
26.6.2 Inserting a Name Server record
Click Insert in the System screen to insert a name server record.
Figure 202 System DNS: Insert Name Server Record
The following table describes the labels in this screen.
Table 149 System DNS: Insert Name Server Record

Domain Zone: This field is optional.
A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw
is the domain zone for the www.zyxel.com.tw fully qualified domain name. Whenever the
ZyWALL needs to resolve a zyxel.com.tw domain name, it can send a query to the recorded
name server IP address.
Leave this field blank if all domain zones are served by the specified DNS server(s).

DNS Server: Select the DNS Server(s) from ISP radio button if your ISP dynamically assigns
DNS server information. The fields below display the (read-only) DNS server IP address(es)
that the ISP assigns. N/A displays for any DNS server IP address fields for which the ISP
does not assign an IP address. N/A displays for all of the DNS server IP address fields if the
ZyWALL has a fixed WAN IP address.
Select Public DNS Server if you have the IP address of a DNS server. The IP address must be
public or a private address on your local LAN. Enter the DNS server's IP address in the field
to the right.
Public DNS Server entries with the IP address set to 0.0.0.0 are not allowed.
Select Private DNS Server if the DNS server has a private IP address and is located behind a
VPN peer. Enter the DNS server's IP address in the field to the right.
With a private DNS server, you must also configure the first DNS server entry for the LAN,
DMZ and/or WLAN in the DNS DHCP screen to use DNS Relay.
You must also configure a VPN rule since the ZyWALL uses a VPN tunnel when it relays
DNS queries to the private DNS server. The rule must include the LAN IP address of the
ZyWALL as a local IP address and the IP address of the DNS server as a remote IP address.
Private DNS Server entries with the IP address set to 0.0.0.0 are not allowed.

Apply: Click Apply to save your changes back to the ZyWALL.

Cancel: Click Cancel to exit this screen without saving.
26.7 DNS Cache
DNS cache is the temporary storage area where a router stores responses from DNS servers.
When the ZyWALL receives a positive or negative response for a DNS query, it records the
response in the DNS cache. A positive response means that the ZyWALL received the IP
address for a domain name that it checked with a DNS server within the five second DNS
timeout period. A negative response means that the ZyWALL did not receive a response for a
query it sent to a DNS server within the five second DNS timeout period.
When the ZyWALL receives DNS queries, it compares them against the DNS cache before
querying a DNS server. If the DNS query matches a positive entry, the ZyWALL responds
with the IP address from the entry. If the DNS query matches a negative entry, the ZyWALL
replies that the DNS query failed.
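As an added example (not ZyXEL's code; the guide does not publish the ZyWALL's DNS implementation), the following Python puts together the lookup order described in Sections 26.4, 26.5, Table 147 and 26.7: local address records (with the wildcard alias) answer first, then the cache with its positive TTL cap and negative period, then the first name server record whose domain zone matches, falling back to the “*” default record. The class, the injectable clock and the query_fn callback that stands in for the actual DNS exchange are this example's assumptions; a private DNS server behind a VPN peer is modelled only as another record, the tunnel itself is out of scope.

```python
"""Added example (not ZyXEL code): resolver following the chapter's lookup order.
Class name, clock injection and query_fn are this example's assumptions."""
from typing import Callable, Optional

DNS_TIMEOUT_SECONDS = 5   # Section 26.7: no reply within 5 s = negative response


def _norm(name: str) -> str:
    return name.strip().rstrip(".").lower()


def _in_zone(name: str, zone: str) -> bool:
    # zyxel.com.tw is the domain zone for www.zyxel.com.tw (Section 26.5).
    return name == zone or name.endswith("." + zone)


class ZyWallStyleResolver:
    def __init__(self, clock: Callable[[], float], max_ttl: int = 3600,
                 negative_period: int = 60, cache_positive: bool = True,
                 cache_negative: bool = True):
        for v in (max_ttl, negative_period):
            if not 60 <= v <= 3600:          # Table 150 limits
                raise ValueError("TTL values must be 60..3600 seconds")
        self.clock, self.max_ttl, self.negative_period = clock, max_ttl, negative_period
        self.cache_positive, self.cache_negative = cache_positive, cache_negative
        self.address_records = []   # (fqdn, ip, wildcard)            Section 26.4
        self.name_servers = []      # (zone or None, server_ip), ordered  Table 147
        self.cache = {}             # name -> (ip or None, expiry)     Section 26.7

    def add_address_record(self, fqdn: str, ip: str, wildcard: bool = False) -> None:
        self.address_records.append((_norm(fqdn), ip, wildcard))

    def insert_name_server(self, server_ip: str, zone: Optional[str] = None,
                           position: Optional[int] = None) -> None:
        """zone None is the '*' record; 0.0.0.0 is rejected as on the ZyWALL."""
        if server_ip == "0.0.0.0":
            raise ValueError("0.0.0.0 is not allowed as a name server")
        entry = (_norm(zone) if zone else None, server_ip)
        idx = len(self.name_servers) if position is None else position
        self.name_servers.insert(idx, entry)

    def local_answer(self, name: str) -> Optional[str]:
        """Address records answer without any query; wildcard aliases *.fqdn."""
        for fqdn, ip, wildcard in self.address_records:
            if name == fqdn or (wildcard and name.endswith("." + fqdn)):
                return ip
        return None

    def choose_name_server(self, name: str) -> str:
        """First record whose zone matches, in list order; else the default."""
        for zone, ip in self.name_servers:
            if zone is not None and _in_zone(name, zone):
                return ip
        for zone, ip in self.name_servers:
            if zone is None:
                return ip
        raise LookupError("no name server record covers " + name)

    def resolve(self, name: str, query_fn) -> Optional[str]:
        """query_fn(server_ip, name) returns (ip, ttl) or None when no reply
        arrived within DNS_TIMEOUT_SECONDS. None here means resolution failed."""
        name = _norm(name)
        ip = self.local_answer(name)
        if ip is not None:
            return ip
        cached = self.cache.get(name)
        if cached and cached[1] > self.clock():
            return cached[0]                 # positive ip, or None if negative
        reply = query_fn(self.choose_name_server(name), name)
        if reply is None:
            if self.cache_negative:
                self.cache[name] = (None, self.clock() + self.negative_period)
            return None
        ip, ttl = reply
        if self.cache_positive:              # Maximum TTL caps the entry lifetime
            self.cache[name] = (ip, self.clock() + min(ttl, self.max_ttl))
        return ip

    def flush(self) -> None:
        self.cache.clear()
```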
26.8 Configure DNS Cache
To configure your ZyWALL’s DNS caching, click ADVANCED, DNS, then the Cache tab.
The screen appears as shown.
Figure 203 DNS Cache
The following table describes the labels in this screen.
Table 150 DNS Cache

DNS Cache Setup

Cache Positive DNS Resolutions: Select the check box to record the positive DNS resolutions
in the cache.
Caching positive DNS resolutions helps speed up the ZyWALL’s processing of commonly
queried domain names and reduces the amount of traffic that the ZyWALL sends out to the
WAN.

Maximum TTL: Type the maximum time to live (TTL) (60 to 3600 seconds). This sets how
long the ZyWALL is to allow a positive resolution entry to remain in the DNS cache before
discarding it.

Cache Negative DNS Resolutions: Caching negative DNS resolutions helps speed up the
ZyWALL’s processing of commonly queried domain names (for which DNS resolution has
failed) and reduces the amount of traffic that the ZyWALL sends out to the WAN.

Negative Cache Period: Type the time (60 to 3600 seconds) that the ZyWALL is to allow a
negative resolution entry to remain in the DNS cache before discarding it.

Apply: Click Apply to save your changes back to the ZyWALL.

Reset: Click Reset to begin configuring this screen afresh.
DNS Cache Entry

Flush: Click this button to clear the cache manually. After you flush the cache, the ZyWALL
must query the DNS servers again for any domain names that had been previously resolved.

Refresh: Click this button to reload the cache.

#: This is the index number of a record.

Cache Type: This displays whether the response for the DNS request is positive or negative.

Domain Name: This is the domain name of a host.

IP Address: This is the (resolved) IP address of a host. This field displays 0.0.0.0 for
negative DNS resolution entries.

Remaining Time (sec): This is the number of seconds left before the DNS resolution entry is
discarded from the cache.

Modify: Click the delete icon to remove the DNS resolution entry from the cache.
26.9 Configuring DNS DHCP
Click ADVANCED, DNS and then the DHCP tab to open the DNS DHCP screen shown
next. Use this screen to configure the DNS server information that the ZyWALL sends to its
LAN, DMZ or WLAN DHCP clients.
Figure 204 DNS DHCP
The following table describes the labels in this screen.
Table 151 DNS DHCP

DNS Servers Assigned by DHCP Server: The ZyWALL passes a DNS (Domain Name System)
server IP address to the DHCP clients.

Selected Interface: Select an interface from the drop-down list box to configure the DNS
servers for the specified interface.

DNS: These read-only labels represent the DNS servers.

IP: Select From ISP if your ISP dynamically assigns DNS server information (and the
ZyWALL's WAN IP address). Use the drop-down list box to select a DNS server IP address
that the ISP assigns in the field to the right.
Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP
address in the field to the right. If you chose User-Defined, but leave the IP address set to
0.0.0.0, User-Defined changes to None after you click Apply. If you set a second choice to
User-Defined, and enter the same IP address, the second User-Defined changes to None after
you click Apply.
Select DNS Relay to have the ZyWALL act as a DNS proxy. The ZyWALL's LAN, DMZ or
WLAN IP address displays in the field to the right (read-only). The ZyWALL tells the DHCP
clients on the LAN, DMZ or WLAN that the ZyWALL itself is the DNS server. When a
computer on the LAN, DMZ or WLAN sends a DNS query to the ZyWALL, the ZyWALL
forwards the query to the ZyWALL's system DNS server (configured in the DNS System
screen) and relays the response back to the computer. You can only select DNS Relay for one
of the three servers; if you select DNS Relay for a second or third DNS server, that choice
changes to None after you click Apply.
Select None if you do not want to configure DNS servers. You must have another DHCP
server on your LAN, or else the computers must have their DNS server addresses manually
configured. If you do not configure a DNS server, you must know the IP address of a
computer in order to access it.

Apply: Click Apply to save your changes back to the ZyWALL.

Reset: Click Reset to begin configuring this screen afresh.
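The Apply-time rules in the IP field of Table 151 silently turn some choices into None, which can leave DHCP clients with fewer DNS servers than the administrator intended. As an added example (not ZyXEL's code), this Python applies those rules to a set of three choices so the outcome can be checked before it reaches the clients; the function and mode names are this example's own.

```python
"""Added example (not ZyXEL code): what the ZyWALL keeps from the DNS DHCP
IP choices after Apply, per Table 151. Function and mode names are assumptions."""
from typing import List, Tuple

MODES = ("From ISP", "User-Defined", "DNS Relay", "None")
NONE_ENTRY = ("None", "0.0.0.0")


def apply_dhcp_dns(choices: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """choices: up to three (mode, ip) pairs in First/Second/Third order.
    For DNS Relay the ip is the ZyWALL's own interface address (read-only)."""
    if len(choices) > 3:
        raise ValueError("at most three DNS servers per interface")
    kept = []
    user_defined_seen = set()
    relay_taken = False
    for mode, ip in choices:
        if mode not in MODES:
            raise ValueError(f"unknown mode {mode!r}")
        if mode == "User-Defined":
            # 0.0.0.0, or a repeat of an earlier User-Defined address, becomes None.
            if ip == "0.0.0.0" or ip in user_defined_seen:
                kept.append(NONE_ENTRY)
                continue
            user_defined_seen.add(ip)
        elif mode == "DNS Relay":
            # Only one of the three entries may relay; later ones become None.
            if relay_taken:
                kept.append(NONE_ENTRY)
                continue
            relay_taken = True
        elif mode == "None":
            ip = "0.0.0.0"
        kept.append((mode, ip))
    return kept


def clients_get_dns(kept: List[Tuple[str, str]]) -> bool:
    """False when every entry ended up as None: clients must then rely on
    another DHCP server or manually configured DNS addresses (Table 151)."""
    return any(mode != "None" for mode, _ in kept)
```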
26.10 Dynamic DNS
Dynamic DNS allows you to update your current dynamic IP address with one or many
dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You
can also access your FTP server or Web site on your own computer using a domain name (for
instance myhost.dhs.org, where myhost is a name of your choice) that will never change
instead of using an IP address that changes each time you reconnect. Your friends or relatives
will always be able to call you even if they don't know your IP address.
First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is
for people with a dynamic IP from their ISP or DHCP server that would still like to have a
domain name. The Dynamic DNS service provider will give you a password or key.
Note: You must go to the Dynamic DNS service provider’s website and register a
user account and a domain name before you can use the Dynamic DNS
service with your ZyWALL.
26.10.1 DYNDNS Wildcard
Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the
same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use,
for example, www.yourhost.dyndns.org and still reach your hostname.
Note: If you have a private WAN IP address, then you cannot use Dynamic DNS.
26.10.2 High Availability
A DNS server maps a domain name to a port's IP address. If that WAN port loses its
connection, high availability allows the router to substitute another port's IP address for the
domain name mapping.
26.11 Configuring Dynamic DNS
To change your ZyWALL’s DDNS, click ADVANCED, DNS, then the DDNS tab. The
screen appears as shown. Not all fields are available on all models.
Figure 205 DDNS
The following table describes the labels in this screen.
Table 152 DDNS

Account Setup

Active: Select this check box to use dynamic DNS.

Service Provider: This is the name of your Dynamic DNS service provider.

Username: Enter your user name. You can use up to 31 alphanumeric characters (and the
underscore). Spaces are not allowed.

Password: Enter the password associated with the user name above. You can use up to 31
alphanumeric characters (and the underscore). Spaces are not allowed.

My Domain Names

Domain Name 1~5: Enter the host names in these fields.

DDNS Type: Select the type of service that you are registered for from your Dynamic DNS
service provider.
Select Dynamic if you have the Dynamic DNS service.
Select Static if you have the Static DNS service.
Select Custom if you have the Custom DNS service.

Offline: This option is available when Custom is selected in the DDNS Type field. Check
with your Dynamic DNS service provider to have traffic redirected to a URL (that you can
specify) while you are off line.

Wildcard: Select the check box to enable DYNDNS Wildcard.
WAN Interface: Select the WAN port to use for updating the IP address of the domain name.

IP Address Update Policy: Select Use WAN IP Address to have the ZyWALL update the
domain name with the WAN port's IP address.
Select Use User-Defined and enter the IP address if you have a static IP address.
Select Let DDNS Server Auto Detect only when there are one or more NAT routers between
the ZyWALL and the DDNS server. This feature has the DDNS server automatically detect
and use the IP address of the NAT router that has a public IP address.
Note: The DDNS server may not be able to detect the proper IP address if there is an HTTP
proxy server between the ZyWALL and the DDNS server.

HA: Select this check box to enable the high availability (HA) feature. High availability has
the ZyWALL update a domain name with another port’s IP address when the normal WAN
port does not have a connection.
If the WAN port specified in the WAN Interface field does not have a connection, the
ZyWALL will attempt to use the IP address of another WAN port to update the domain name.
When the WAN ports are in the active/passive operating mode, the ZyWALL will update the
domain name with the IP address of whichever WAN port has a connection, regardless of the
setting in the WAN Interface field.
Disable this feature and the ZyWALL will only update the domain name with an IP address
of the WAN port specified in the WAN Interface field. If that WAN port does not have a
connection, the ZyWALL will not update the domain name with another port’s IP address.
Note: If you enable high availability, DDNS can also function when the ZyWALL uses the
dial backup port. DDNS does not function when the ZyWALL uses traffic redirect.

Apply: Click Apply to save your changes back to the ZyWALL.

Reset: Click Reset to begin configuring this screen afresh.
CHAPTER 27
Remote Management
This chapter provides information on the Remote Management screens.
27.1 Remote Management Overview
Remote management allows you to determine which services/protocols can access which
ZyWALL interface (if any) from which computers.
Note: When you configure remote management to allow management from the WAN,
you still need to configure a firewall rule to allow access. See Chapter 11 on
page 214 for details on configuring firewall rules.
You may manage your ZyWALL from a remote location via:
• Internet (WAN only)
• ALL (LAN & WAN & DMZ & WLAN)
• LAN only
• DMZ only
• WLAN only
• Neither (Disable)
Note: When you choose DMZ only, WAN only, WLAN only or ALL (LAN & WAN & DMZ &
WLAN), you still need to configure a firewall rule to allow access.
To disable remote management of a service, select Disable in the corresponding Server
Access field.
You may only have one remote management session running at a time. The ZyWALL
automatically disconnects a remote management session of lower priority when another
remote management session of higher priority starts. The priorities for the different types of
remote management sessions are as follows.
1 Console port
2 SSH
3 Telnet
4 HTTPS and HTTP
27.1.1 Remote Management Limitations
Remote management over LAN or WAN will not work when:
1 A filter in SMT menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet,
FTP or Web service.
2 You have disabled that service in one of the remote management screens.
3 The IP address in the Secure Client IP Address field does not match the client IP
address. If it does not match, the ZyWALL will disconnect the session immediately.
4 There is already another remote management session with an equal or higher priority
running. You may only have one remote management session running at one time.
5 There is a firewall rule that blocks it.
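As an added example (not ZyXEL's code; the guide does not publish the ZyWALL's session handling), the following Python encodes the admission rules of Sections 27.1 and 27.1.1: a service must be enabled on the interface the client arrives on, the Secure Client IP Address must match, SMT filters and firewall rules must not block it, and only one session runs at a time, with a higher-priority session (console > SSH > Telnet > HTTPS/HTTP) disconnecting a lower one and an equal or lower one being refused. Class and field names, the filter_blocks set and the firewall_allows callback are this example's assumptions.

```python
"""Added example (not ZyXEL code): remote management admission per Sections
27.1 and 27.1.1. Names, filter_blocks and firewall_allows are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

# Lower number = higher priority (Section 27.1); HTTPS and HTTP share a level.
PRIORITY = {"console": 1, "ssh": 2, "telnet": 3, "https": 4, "http": 4}
INTERFACES = {"LAN", "WAN", "DMZ", "WLAN"}


@dataclass
class ServiceAccess:
    server_access: Set[str]          # interfaces allowed; empty set = Disable
    secure_client_ip: str = "All"    # "All", or the single IP of a Selected client
    port: int = 0


@dataclass
class Session:
    service: str
    client_ip: str
    interface: str


class RemoteManagement:
    def __init__(self, services: Dict[str, ServiceAccess],
                 filter_blocks: Set[Tuple[str, str]] = frozenset(),
                 firewall_allows: Callable[[str, str, str], bool] = lambda i, s, c: True):
        self.services = services                 # service name -> ServiceAccess
        self.filter_blocks = filter_blocks       # (interface, service) pairs an SMT filter blocks
        self.firewall_allows = firewall_allows   # (interface, service, client_ip) -> bool
        self.active: Optional[Session] = None

    def admit(self, service: str, interface: str, client_ip: str) -> Tuple[bool, str]:
        if service not in PRIORITY:
            raise ValueError(f"unknown service {service!r}")
        if service == "console":                 # physical port: no network checks
            return self._take_over(service, "CONSOLE", client_ip)
        if interface not in INTERFACES:
            raise ValueError(f"unknown interface {interface!r}")
        cfg = self.services.get(service)
        if cfg is None or not cfg.server_access:
            return False, f"{service} is disabled"               # limitation 2
        if interface not in cfg.server_access:
            return False, f"{service} not allowed on {interface}"
        if cfg.secure_client_ip != "All" and cfg.secure_client_ip != client_ip:
            return False, "secure client IP mismatch; disconnected"  # limitation 3
        if (interface, service) in self.filter_blocks:
            return False, "blocked by SMT filter"                # limitation 1
        if not self.firewall_allows(interface, service, client_ip):
            return False, "blocked by firewall rule"             # limitation 5
        return self._take_over(service, interface, client_ip)

    def _take_over(self, service: str, interface: str, client_ip: str) -> Tuple[bool, str]:
        if self.active is not None:
            if PRIORITY[self.active.service] <= PRIORITY[service]:   # limitation 4
                return False, f"{self.active.service} session of equal or higher priority running"
            old = self.active.service
            self.active = Session(service, client_ip, interface)
            return True, f"admitted; lower-priority {old} session disconnected"
        self.active = Session(service, client_ip, interface)
        return True, "admitted"

    def disconnect(self) -> None:
        """Session ended by the user or by the idle timeout (Section 27.1.2)."""
        self.active = None
```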
27.1.2 System Timeout
There is a default system management idle timeout of five minutes (three hundred seconds).
The ZyWALL automatically logs you out if the management session remains idle for longer
than this timeout period. The management session does not time out when a statistics screen is
polling. You can change the timeout period in the System screen.
27.2 Introduction to HTTPS
HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web
protocol that encrypts and decrypts web pages. Secure Socket Layer (SSL) is an
application-level protocol that enables secure transactions of data by ensuring confidentiality
(an unauthorized party cannot read the transferred data), authentication (one party can
identify the other party) and data integrity (you know if data has been changed).
It relies upon certificates, public keys, and private keys (see Chapter 20 on page 342 for more
information).
HTTPS on the ZyWALL is used so that you may securely access the ZyWALL using the web
configurator. The SSL protocol specifies that the SSL server (the ZyWALL) must always
authenticate itself to the SSL client (the computer which requests the HTTPS connection with
the ZyWALL), whereas the SSL client only should authenticate itself when the SSL server
requires it to do so (select Authenticate Client Certificates in the REMOTE MGMT,
WWW screen). Authenticate Client Certificates is optional and if selected means the SSL
client must send the ZyWALL a certificate. You must apply for a certificate for the browser
from a CA that is a trusted CA on the ZyWALL.
Please refer to the following figure.
1 HTTPS connection requests from an SSL-aware web browser go to port 443 (by default)
on the ZyWALL’s WS (web server).
2 HTTP connection requests from a web browser go to port 80 (by default) on the
ZyWALL’s WS (web server).
Figure 206 HTTPS Implementation
Note: If you disable HTTP Server Access (Disable) in the REMOTE MGMT WWW
screen, then the ZyWALL blocks all HTTP connection attempts.
27.3 WWW
Click ADVANCED, REMOTE MGMT to open the WWW screen. Use this screen to
change your ZyWALL’s web settings.
Figure 207 WWW
The following table describes the labels in this screen.
Table 153 WWW

HTTPS

Server Certificate: Select the Server Certificate that the ZyWALL will use to identify itself.
The ZyWALL is the SSL server and must always authenticate itself to the SSL client (the
computer which requests the HTTPS connection with the ZyWALL).

Authenticate Client Certificates: Select Authenticate Client Certificates (optional) to require
the SSL client to authenticate itself to the ZyWALL by sending the ZyWALL a certificate. To
do that the SSL client must have a CA-signed certificate from a CA that has been imported as
a trusted CA on the ZyWALL (see Appendix L on page 742 on importing certificates for
details).

Server Port: The HTTPS proxy server listens on port 443 by default. If you change the HTTPS
proxy server port to a different number on the ZyWALL, for example 8443, then you must
notify people who need to access the ZyWALL web configurator to use
“https://ZyWALL IP Address:8443” as the URL.

Server Access: Select a ZyWALL interface from Server Access on which incoming HTTPS
access is allowed.
You can allow only secure web configurator access by setting the HTTP Server Access field
to Disable and setting the HTTPS Server Access field to an interface(s).

Secure Client IP Address: A secure client is a “trusted” computer that is allowed to
communicate with the ZyWALL using this service.
Select All to allow any computer to access the ZyWALL using this service.
Choose Selected to just allow the computer with the IP address that you specify to access the
ZyWALL using this service.

HTTP
435
Chapter 27 Remote Management
ZyWALL 5/35/70 Series User’s Guide
Table 153 WWW (continued)
LABEL
DESCRIPTION
Server Port
You may change the server port number for a service if needed, however you must
use the same port number in order to use that service for remote management.
Server Access
Select the interface(s) through which a computer may access the ZyWALL using this
service.
Secure Client IP
Address
A secure client is a “trusted” computer that is allowed to communicate with the
ZyWALL using this service.
Select All to allow any computer to access the ZyWALL using this service.
Choose Selected to just allow the computer with the IP address that you specify to
access the ZyWALL using this service.
Apply
Click Apply to save your customized settings and exit this screen.
Reset
Click Reset to begin configuring this screen afresh.
27.4 HTTPS Example
If you haven’t changed the default HTTPS port on the ZyWALL, then in your browser enter
“https://ZyWALL IP Address/” as the web site address where “ZyWALL IP Address” is the IP
address or domain name of the ZyWALL you wish to access.
27.4.1 Internet Explorer Warning Messages
When you attempt to access the ZyWALL HTTPS server, a Windows dialog box pops up
asking if you trust the server certificate. Click View Certificate if you want to verify that the
certificate is from the ZyWALL.
You see the following Security Alert screen in Internet Explorer. Select Yes to proceed to the
web configurator login screen; if you select No, then web configurator access is blocked.
Figure 208 Security Alert Dialog Box (Internet Explorer)
27.4.2 Netscape Navigator Warning Messages
When you attempt to access the ZyWALL HTTPS server, a Website Certified by an
Unknown Authority screen pops up asking if you trust the server certificate. Click Examine
Certificate if you want to verify that the certificate is from the ZyWALL.
If Accept this certificate temporarily for this session is selected, then click OK to continue
in Netscape.
Select Accept this certificate permanently to import the ZyWALL’s certificate into the SSL
client.
Figure 209 Security Certificate 1 (Netscape)
Figure 210 Security Certificate 2 (Netscape)
27.4.3 Avoiding the Browser Warning Messages
The following describes the main reasons that your browser displays warnings about the
ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnings.
• The issuing certificate authority of the ZyWALL’s HTTPS server certificate is not one of
  the browser’s trusted certificate authorities. The issuing certificate authority of the
  ZyWALL's factory default certificate is the ZyWALL itself since the certificate is a
  self-signed certificate.
  • For the browser to trust a self-signed certificate, import the self-signed certificate
    into your operating system as a trusted certificate.
  • To have the browser trust the certificates issued by a certificate authority, import
    the certificate authority’s certificate into your operating system as a trusted
    certificate. Refer to Appendix L on page 742 for details.
• The actual IP address of the HTTPS server (the IP address of the ZyWALL’s port that
  you are trying to access) does not match the common name specified in the ZyWALL’s
  HTTPS server certificate that your browser received. Do the following to check the
  common name specified in the certificate that your ZyWALL sends to HTTPS clients.
  a Click REMOTE MGMT. Write down the name of the certificate displayed in the Server
    Certificate field.
  b Click CERTIFICATES. Find the certificate and check its Subject column. CN stands for
    the certificate’s common name (see Figure 214 on page 440 for an example).
  Use this procedure to have the ZyWALL use a certificate with a common name that matches
  the ZyWALL’s actual IP address. You cannot use this procedure if you need to access the
  WAN port and it uses a dynamically assigned IP address.
  a Create a new certificate for the ZyWALL that uses the IP address (of the ZyWALL’s port
    that you are trying to access) as the certificate’s common name. For example, to use
    HTTPS to access a LAN port with IP address 192.168.1.1, create a certificate that uses
    192.168.1.1 as the common name.
  b Go to the remote management WWW screen and select the newly created certificate in
    the Server Certificate field. Click Apply.
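The two warning causes above can be checked from a script as well as by eye. The following is an added example (not ZyXEL code) that works on the certificate dictionary Python's ssl module returns; the sample certificates, their names and the trusted_pem path are constructed placeholders, and it goes one step beyond the manual's CN check by also honouring subjectAltName entries, which browsers consult before the CN.

```python
"""Report why a browser would warn about an HTTPS server certificate: an issuer the
client does not trust (self-signed, like the ZyWALL factory default certificate) or a
common name that does not match the address that was connected to.

Added example, not ZyXEL code. Works on the dictionary form returned by
ssl.SSLSocket.getpeercert(); the sample certificates below are constructed."""
import socket
import ssl


def _name_attr(name, attr):
    """Pull one attribute (e.g. 'commonName') out of a getpeercert() name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def diagnose_cert(cert, address):
    """Return the list of reasons a browser would warn about cert when reached at address."""
    reasons = []
    subject = cert.get("subject", ())
    issuer = cert.get("issuer", ())
    cn = _name_attr(subject, "commonName")
    if subject == issuer:
        reasons.append("self-signed: issuer is the subject itself (%s)" % cn)
    # Names the certificate is valid for: subjectAltName entries, then the CN as fallback.
    names = [value for _kind, value in cert.get("subjectAltName", ())]
    if cn is not None and cn not in names:
        names.append(cn)
    if address not in names:
        reasons.append("name mismatch: connected to %s but certificate is for %s"
                       % (address, ", ".join(names) or "(no name)"))
    return reasons


def fetch_peer_cert(address, port=443, trusted_pem=None):
    """Connect with TLS and return the server certificate as a getpeercert() dict.

    trusted_pem (assumed path) is the ZyWALL's own certificate, or its CA's, exported from
    the CERTIFICATES screen and saved locally; loading it here is the script-side
    equivalent of importing it as a trusted certificate. Without it a self-signed
    certificate fails verification, just as in the browser. Name checking is left to
    diagnose_cert() so that a mismatch is reported rather than hidden."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # verify_mode stays CERT_REQUIRED
    if trusted_pem:
        ctx.load_verify_locations(trusted_pem)
    with socket.create_connection((address, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=address) as tls:
            return tls.getpeercert()


# Constructed sample: self-signed with a device name as CN, like the factory default
# certificate, reached at the LAN address. Both warnings apply.
FACTORY_STYLE_CERT = {
    "subject": ((("commonName", "zywall-default"),),),
    "issuer": ((("commonName", "zywall-default"),),),
}

# Constructed sample: the certificate section 27.4.3 has you create, with the LAN IP
# address as the common name. Still self-signed, so one warning remains until imported.
LAN_IP_CERT = {
    "subject": ((("commonName", "192.168.1.1"),),),
    "issuer": ((("commonName", "192.168.1.1"),),),
}

if __name__ == "__main__":
    for label, cert in (("factory style", FACTORY_STYLE_CERT), ("LAN IP CN", LAN_IP_CERT)):
        print(label, "->", diagnose_cert(cert, "192.168.1.1") or ["no warnings"])
```

To check a live device, call fetch_peer_cert("192.168.1.1", trusted_pem="zywall.pem") and pass the result to diagnose_cert.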
27.4.4 Login Screen
After you accept the certificate, the ZyWALL login screen appears. The lock displayed in the
bottom right of the browser status bar denotes a secure connection.
Figure 211 Login Screen (Internet Explorer)
Figure 212 Login Screen (Netscape)
Click Login and you then see the next screen.
The factory default certificate is a common default certificate for all ZyWALL models.
Figure 213 Replace Certificate
Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s
MAC address that will be specific to this device. Click CERTIFICATES to open the My
Certificates screen. You will see information similar to that shown in the following figure.
Figure 214 Device-specific Certificate
Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate. You
will then see this information in the My Certificates screen.
Figure 215 Common ZyWALL Certificate
27.5 SSH
Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a secure
communication protocol that combines authentication and data encryption to provide secure
encrypted communication between two hosts over an unsecured network.
Figure 216 SSH Communication Example
27.6 How SSH works
The following table summarizes how a secure connection is established between two remote
hosts.
Figure 217 How SSH Works
1 Host Identification
The SSH client sends a connection request to the SSH server. The server identifies itself
with a host key. The client encrypts a randomly generated session key with the host key
and server key and sends the result back to the server.
The client automatically saves any new server public keys. In subsequent connections,
the server public key is checked against the saved version on the client computer.
2 Encryption Method
Once the identification is verified, both the client and server must agree on the type of
encryption method to use.
3 Authentication and Data Transmission
After the identification is verified and data encryption activated, a secure tunnel is
established between the client and the server. The client then sends its authentication
information (user name and password) to the server to log in to the server.
27.7 SSH Implementation on the ZyWALL
Your ZyWALL supports SSH version 1.5 using RSA authentication and three encryption
methods (DES, 3DES and Blowfish). The SSH server is implemented on the ZyWALL for
remote SMT management and file transfer on port 22. Only one SSH connection is allowed at
a time.
27.7.1 Requirements for Using SSH
You must install an SSH client program on a client computer (Windows or Linux operating
system) that is used to connect to the ZyWALL over SSH.
27.8 Configuring SSH
Click ADVANCED, REMOTE MGMT and then the SSH tab to change your ZyWALL’s
Secure Shell settings.
Note: It is recommended that you disable Telnet and FTP when you configure SSH
for secure connections.
Figure 218 SSH
The following table describes the labels in this screen.
Table 154 SSH
LABEL: DESCRIPTION
Server Host Key: Select the certificate whose corresponding private key is to be used to
  identify the ZyWALL for SSH connections. You must have certificates already configured
  in the My Certificates screen (click My Certificates and see Chapter 20 on page 342 for
  details).
Server Port: You may change the server port number for a service if needed, however you
  must use the same port number in order to use that service for remote management.
Server Access: Select the interface(s) through which a computer may access the ZyWALL
  using this service.
Secure Client IP Address: A secure client is a “trusted” computer that is allowed to
  communicate with the ZyWALL using this service. Select All to allow any computer to
  access the ZyWALL using this service. Choose Selected to just allow the computer with
  the IP address that you specify to access the ZyWALL using this service.
Apply: Click Apply to save your customized settings and exit this screen.
Reset: Click Reset to begin configuring this screen afresh.
27.9 Secure Telnet Using SSH Examples
This section shows two examples using a command interface and a graphical interface SSH
client program to remotely access the ZyWALL. The configuration and connection steps are
similar for most SSH client programs. Refer to your SSH client program user’s guide.
27.9.1 Example 1: Microsoft Windows
This section describes how to access the ZyWALL using the Secure Shell Client program.
1 Launch the SSH client and specify the connection information (IP address, port number
or device name) for the ZyWALL.
2 Configure the SSH client to accept connection using SSH version 1.
3 A window displays prompting you to store the host key on your computer. Click Yes to
continue.
Figure 219 SSH Example 1: Store Host Key
Enter the password to log in to the ZyWALL. The SMT main menu displays next.
27.9.2 Example 2: Linux
This section describes how to access the ZyWALL using the OpenSSH client program that
comes with most Linux distributions.
1 Test whether the SSH service is available on the ZyWALL.
Enter “telnet 192.168.1.1 22” at a terminal prompt and press [ENTER]. The
computer attempts to connect to port 22 on the ZyWALL (using the default IP address of
192.168.1.1).
A message displays indicating the SSH protocol version supported by the ZyWALL.
Figure 220 SSH Example 2: Test
$ telnet 192.168.1.1 22
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
SSH-1.5-1.0.0
2 Enter “ssh -1 192.168.1.1”. This command forces your computer to connect to
the ZyWALL using SSH version 1. If this is the first time you are connecting to the
ZyWALL using SSH, a message displays prompting you to save the host information of
the ZyWALL. Type “yes” and press [ENTER].
Then enter the password to log in to the ZyWALL.
Figure 221 SSH Example 2: Log in
$ ssh -1 192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be
established.
RSA1 key fingerprint is
21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.1' (RSA1) to the list of
known hosts.
[email protected]'s password:
3 The SMT main menu displays next.
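The host key handling described in section 27.6 (the client saves a new server key, then checks later connections against the saved copy) is what the “Are you sure you want to continue connecting” prompt in Figure 221 is asking about. The following added example (not ZyXEL or OpenSSH code) models that decision over the prompt text and fingerprint shown in Figure 221; the saved-key store is an in-memory dictionary standing in for the client’s known hosts file.

```python
"""Host key trust check as described in 27.6: first contact has no saved key, so the
client asks whether to continue; afterwards the presented key must equal the saved one
and a changed key is refused. Added example, not ZyXEL or OpenSSH code."""
import re

# Matches the "RSA1 key fingerprint is xx:xx:...:xx" line the client prints. The value
# may wrap onto the next line, as it does in Figure 221, hence \s+ before it.
FINGERPRINT_RE = re.compile(
    r"\b(?P<type>RSA1|RSA|DSA|ECDSA|ED25519) key fingerprint is\s+"
    r"(?P<fp>(?:[0-9a-fA-F]{2}:){15}[0-9a-fA-F]{2})"
)

# Prompt text reproduced from Figure 221 (the fingerprint value is the one printed there).
FIGURE_221_PROMPT = (
    "The authenticity of host '192.168.1.1 (192.168.1.1)' can't be\n"
    "established.\n"
    "RSA1 key fingerprint is\n"
    "21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.\n"
    "Are you sure you want to continue connecting (yes/no)? "
)


def parse_fingerprint(prompt_text):
    """Return (key type, lowercase fingerprint) from an unknown-host prompt."""
    m = FINGERPRINT_RE.search(prompt_text)
    if m is None:
        raise ValueError("no key fingerprint line in prompt text")
    return m.group("type"), m.group("fp").lower()


class HostKeyStore:
    """Saved server keys keyed by host, playing the role of the client's known hosts."""

    def __init__(self, pinned=None):
        # pinned: {host: (key type, fingerprint)} recorded out of band, for example read
        # off the device console, so that first contact need not be taken on trust.
        self.saved = dict(pinned or {})

    def check(self, host, key_type, fingerprint):
        """'new' (never seen), 'match' (same as saved) or 'changed' (differs from saved)."""
        saved = self.saved.get(host)
        if saved is None:
            return "new"
        return "match" if saved == (key_type, fingerprint) else "changed"

    def decide(self, host, prompt_text, accept_new=False):
        """Return (action, status). accept_new=True is what typing 'yes' at the prompt
        does; leaving it False only admits hosts whose key was pinned in advance."""
        key_type, fp = parse_fingerprint(prompt_text)
        status = self.check(host, key_type, fp)
        if status == "match":
            return "continue", status
        if status == "new" and accept_new:
            # "Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts."
            self.saved[host] = (key_type, fp)
            return "continue", status
        return "refuse", status


if __name__ == "__main__":
    store = HostKeyStore()
    print(store.decide("192.168.1.1", FIGURE_221_PROMPT, accept_new=True))  # first contact
    print(store.decide("192.168.1.1", FIGURE_221_PROMPT))                   # later connection
    print(store.decide("192.168.1.1", FIGURE_221_PROMPT.replace("21:6c", "ff:ff")))
```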
27.10 Secure FTP Using SSH Example
This section shows an example on file transfer using the OpenSSH client program. The
configuration and connection steps are similar for other SSH client programs. Refer to your
SSH client program user’s guide.
1 Enter “sftp -1 192.168.1.1”. This command forces your computer to connect to
the ZyWALL for secure file transfer using SSH version 1. If this is the first time you are
connecting to the ZyWALL using SSH, a message displays prompting you to save the
host information of the ZyWALL. Type “yes” and press [ENTER].
2 Enter the password to log in to the ZyWALL.
3 Use the “put” command to upload a new firmware file to the ZyWALL.
Figure 222 Secure FTP: Firmware Upload Example
$ sftp -1 192.168.1.1
Connecting to 192.168.1.1...
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be
established.
RSA1 key fingerprint is
21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.1' (RSA1) to the list of
known hosts.
[email protected]'s password:
sftp> put firmware.bin ras
Uploading firmware.bin to /ras
Read from remote host 192.168.1.1: Connection reset by peer
Connection closed
$
27.11 Telnet
You can configure your ZyWALL for remote Telnet access as shown next.
Figure 223 Telnet Configuration on a TCP/IP Network
27.12 Configuring TELNET
Click ADVANCED, REMOTE MGMT and then the TELNET tab to configure your
ZyWALL for remote Telnet access.
Note: It is recommended that you disable Telnet and FTP when you configure SSH
for secure connections.
Figure 224 Telnet
The following table describes the labels in this screen.
Table 155 Telnet
LABEL: DESCRIPTION
Server Port: You may change the server port number for a service if needed, however you
  must use the same port number in order to use that service for remote management.
Server Access: Select the interface(s) through which a computer may access the ZyWALL
  using this service.
Secure Client IP Address: A secure client is a “trusted” computer that is allowed to
  communicate with the ZyWALL using this service. Select All to allow any computer to
  access the ZyWALL using this service. Choose Selected to just allow the computer with
  the IP address that you specify to access the ZyWALL using this service.
Apply: Click Apply to save your customized settings and exit this screen.
Reset: Click Reset to begin configuring this screen afresh.
27.13 FTP
You can upload and download the ZyWALL’s firmware and configuration files using FTP;
please see the chapter on firmware and configuration file maintenance for details. To use
this feature, your computer must have an FTP client.
To change your ZyWALL’s FTP settings, click ADVANCED, REMOTE MGMT and then
the FTP tab. The screen appears as shown.
Note: It is recommended that you disable Telnet and FTP when you configure SSH
for secure connections.
Figure 225 FTP
The following table describes the labels in this screen.
Table 156 FTP
LABEL: DESCRIPTION
Server Port: You may change the server port number for a service if needed, however you
  must use the same port number in order to use that service for remote management.
Server Access: Select the interface(s) through which a computer may access the ZyWALL
  using this service.
Secure Client IP Address: A secure client is a “trusted” computer that is allowed to
  communicate with the ZyWALL using this service. Select All to allow any computer to
  access the ZyWALL using this service. Choose Selected to just allow the computer with
  the IP address that you specify to access the ZyWALL using this service.
Apply: Click Apply to save your customized settings.
Reset: Click Reset to begin configuring this screen afresh.
27.14 SNMP
Simple Network Management Protocol is a protocol used for exchanging management
information between network devices. SNMP is a member of the TCP/IP protocol suite. Your
ZyWALL supports SNMP agent functionality, which allows a manager station to manage and
monitor the ZyWALL through the network. The ZyWALL supports SNMP version one
(SNMPv1). The next figure illustrates an SNMP management operation.
Note: SNMP is only available if TCP/IP is configured.
Figure 226 SNMP Management Model
An SNMP managed network consists of two main types of component: agents and a manager.
An agent is a management software module that resides in a managed device (the ZyWALL).
An agent translates the local management information from the managed device into a form
compatible with SNMP. The manager is the console through which network administrators
perform network management functions. It executes applications that control and monitor
managed devices.
The managed devices contain object variables/managed objects that define each piece of
information to be collected about a device. Examples of variables include the number of
packets received, node port status, etc. A Management Information Base (MIB) is a collection
of managed objects. SNMP allows a manager and agents to communicate for the purpose of
accessing these objects.
SNMP itself is a simple request/response protocol based on the manager/agent model. The
manager issues a request and the agent returns responses using the following protocol
operations:
• Get - Allows the manager to retrieve an object variable from the agent.
• GetNext - Allows the manager to retrieve the next object variable from a table or list
within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table
from an agent, it initiates a Get operation, followed by a series of GetNext operations.
• Set - Allows the manager to set values for object variables within an agent.
• Trap - Used by the agent to inform the manager of some events.
27.14.1 Supported MIBs
The ZyWALL supports MIB II that is defined in RFC-1213 and RFC-1215. The focus of the
MIBs is to let administrators collect statistical data and monitor status and performance.
27.14.2 SNMP Traps
The ZyWALL will send traps to the SNMP manager when any one of the following events
occurs:
Table 157 SNMP Traps
TRAP #  TRAP NAME: DESCRIPTION
0   coldStart (defined in RFC-1215): A trap is sent after booting (power on).
1   warmStart (defined in RFC-1215): A trap is sent after booting (software reboot).
4   authenticationFailure (defined in RFC-1215): A trap is sent to the manager when
    receiving any SNMP get or set request with the wrong community (password).
6   whyReboot (defined in ZYXEL-MIB): A trap is sent with the reason of restart before
    rebooting when the system is going to restart (warm start).
6a  For intentional reboot: A trap is sent with the message "System reboot by user!"
    if reboot is done intentionally (for example, download new files, CI command
    "sys reboot", etc.).
6b  For fatal error: A trap is sent with the message of the fatal code if the system
    reboots because of fatal errors.
27.14.3 REMOTE MANAGEMENT: SNMP
To change your ZyWALL’s SNMP settings, click ADVANCED, REMOTE MGMT and
then the SNMP tab. The screen appears as shown.
Figure 227 SNMP
The following table describes the labels in this screen.
Table 158 SNMP
LABEL: DESCRIPTION
SNMP Configuration
  Get Community: Enter the Get Community, which is the password for the incoming Get and
  GetNext requests from the management station. The default is public and allows all
  requests.
  Set Community: Enter the Set community, which is the password for incoming Set requests
  from the management station. The default is public and allows all requests.
  Trap Community: Type the trap community, which is the password sent with each trap to
  the SNMP manager. The default is public and allows all requests.
  Destination: Type the IP address of the station to send your SNMP traps to.
SNMP
  Service Port: You may change the server port number for a service if needed, however
  you must use the same port number in order to use that service for remote management.
  Service Access: Select the interface(s) through which a computer may access the ZyWALL
  using this service.
  Secure Client IP Address: A secure client is a “trusted” computer that is allowed to
  communicate with the ZyWALL using this service. Select All to allow any computer to
  access the ZyWALL using this service. Choose Selected to just allow the computer with
  the IP address that you specify to access the ZyWALL using this service.
Apply: Click Apply to save your customized settings.
Reset: Click Reset to begin configuring this screen afresh.
27.15 DNS
Use DNS (Domain Name System) to map a domain name to its corresponding IP address and
vice versa. Refer to Chapter 7 on page 130 for more information.
Click ADVANCED, REMOTE MGMT and then the DNS tab to change your ZyWALL’s
DNS settings. Use this screen to set from which IP addresses the ZyWALL will accept DNS
queries and on which interfaces it will accept them. This feature is not available when
the ZyWALL is set to bridge mode.
Figure 228 DNS
The following table describes the labels in this screen.
Table 159 DNS
LABEL: DESCRIPTION
Server Port: The DNS service port number is 53 and cannot be changed here.
Service Access: Select the interface(s) through which a computer may send DNS queries to
  the ZyWALL.
Secure Client IP Address: A secure client is a “trusted” computer that is allowed to send
  DNS queries to the ZyWALL. Select All to allow any computer to send DNS queries to the
  ZyWALL. Choose Selected to just allow the computer with the IP address that you specify
  to send DNS queries to the ZyWALL.
Apply: Click Apply to save your customized settings.
Reset: Click Reset to begin configuring this screen afresh.
27.16 Introducing Vantage CNM
Vantage CNM (Centralized Network Management) is a browser-based global management
solution that allows an administrator from any location to easily configure, manage, monitor
and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for
details.
If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not
do any configurations directly to the ZyWALL (using either the web configurator, SMT
menus or commands) without notifying the Vantage CNM administrator.
27.17 Configuring CNM
Vantage CNM is disabled on the device by default. Click ADVANCED, REMOTE MGMT
in the navigation panel and then click the CNM tab to configure your device’s Vantage CNM
settings.
Figure 229 CNM
The following table describes the labels in this screen.
Table 160 CNM
LABEL: DESCRIPTION
Registration Information
  Registration Status: This read only field displays Not Registered when Enable is not
  selected. It displays Registering when the ZyWALL first connects with the Vantage CNM
  server and then Registered after it has been successfully registered with the Vantage
  CNM server. It will continue to display Registering until it successfully registers
  with the Vantage CNM server. It will not be able to register with the Vantage CNM
  server if:
    • The Vantage CNM server is down.
    • The Vantage CNM server IP address is incorrect.
    • The Vantage CNM server is behind a NAT router or firewall that does not forward
      packets through to the Vantage CNM server.
    • The encryption algorithms and/or encryption keys do not match between the ZyWALL
      and the Vantage CNM server.
  Last Registration Time: This field displays the last date (year-month-date) and time
  (hours-minutes-seconds) that the ZyWALL registered with the Vantage CNM server. It
  displays all zeroes if it has not yet registered with the Vantage CNM server.
  Refresh: Click Refresh to update the registration status and last registration time.
Vantage CNM Setup
  Enable: Select this check box to allow Vantage CNM to manage your ZyWALL.
  Vantage CNM Server Address: If the Vantage server is on the same subnet as the ZyXEL
  device, enter the private or public IP address of the Vantage server.
  If the Vantage CNM server is on a different subnet to the ZyWALL, enter the public IP
  address of the Vantage server.
  If the Vantage CNM server is on a different subnet to the ZyWALL and is behind a NAT
  router, enter the WAN IP address of the NAT router here and configure the NAT router
  to forward UDP port 1864 traffic to the Vantage CNM server.
  If the Vantage CNM server is behind a firewall, you may have to create a rule on the
  firewall to allow UDP port 1864 traffic through to the Vantage CNM server (most (new)
  ZyXEL firewalls automatically allow this).
  Encryption Algorithm: The Encryption Algorithm field is used to encrypt communications
  between the ZyWALL and the Vantage CNM server. Choose from None (no encryption), DES or
  3DES. The Encryption Key field appears when you select DES or 3DES. The ZyWALL must use
  the same encryption algorithm as the Vantage CNM server.
  Encryption Key: Type eight alphanumeric characters ("0" to "9", "a" to "z" or "A" to
  "Z") when you choose the DES encryption algorithm and 24 alphanumeric characters ("0"
  to "9", "a" to "z" or "A" to "Z") when you choose the 3DES encryption algorithm. The
  ZyWALL must use the same encryption key as the Vantage CNM server.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
CHAPTER 28
UPnP
This chapter introduces the Universal Plug and Play feature. This chapter is only applicable
when the ZyWALL is in router mode.
28.1 Universal Plug and Play Overview
Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP
for simple peer-to-peer network connectivity between devices. A UPnP device can
dynamically join a network, obtain an IP address, convey its capabilities and learn about other
devices on the network. In turn, a device can leave a network smoothly and automatically
when it is no longer in use.
28.1.1 How Do I Know If I'm Using UPnP?
UPnP hardware is identified as an icon in the Network Connections folder (Windows XP).
Each UPnP compatible device installed on your network will appear as a separate icon.
Selecting the icon of a UPnP device will allow you to access the information and properties of
that device.
28.1.2 NAT Traversal
UPnP NAT traversal automates the process of allowing an application to operate through
NAT. UPnP network devices can automatically configure network addressing, announce their
presence in the network to other UPnP devices and enable exchange of simple product and
service descriptions. NAT traversal allows the following:
• Dynamic port mapping
• Learning public IP addresses
• Assigning lease times to mappings
Windows Messenger is an example of an application that supports NAT traversal and UPnP.
See Chapter 22 on page 374 for further information about NAT.
28.1.3 Cautions with UPnP
The automated nature of NAT traversal applications in establishing their own services and
opening firewall ports may present network security issues. Network information and
configuration may also be obtained and modified by users in some network environments.
All UPnP-enabled devices may communicate freely with each other without additional
configuration. Disable UPnP if this is not your intention.
28.1.4 UPnP and ZyXEL
ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum Creates
UPnP™ Implementers Corp. (UIC). ZyXEL's UPnP implementation supports IGD 1.0
(Internet Gateway Device). At the time of writing ZyXEL's UPnP implementation supports
Windows Messenger 4.6 and 4.7 while Windows Messenger 5.0 and Xbox are still being
tested.
The ZyWALL only sends UPnP multicasts to the LAN.
Please see later in this User’s Guide for examples of installing UPnP in Windows XP and
Windows Me as well as an example of using UPnP in Windows.
28.2 Configuring UPnP
Click UPnP to display the UPnP screen. Not all fields are available on all models.
Figure 230 UPnP
The following table describes the fields in this screen.
Table 161 UPnP
LABEL: DESCRIPTION
UPnP Setup
  Device Name: This identifies the ZyXEL device in UPnP applications.
  Enable the Universal Plug and Play (UPnP) feature: Select this checkbox to activate
  UPnP. Be aware that anyone could use a UPnP application to open the web configurator's
  login screen without entering the ZyWALL's IP address (although you must still enter
  the password to access the web configurator).
  Allow users to make configuration changes through UPnP: Select this check box to allow
  UPnP-enabled applications to automatically configure the ZyWALL so that they can
  communicate through the ZyWALL. For example, by using NAT traversal, UPnP applications
  automatically reserve a NAT forwarding port in order to communicate with another UPnP
  enabled device; this eliminates the need to manually configure port forwarding for the
  UPnP enabled application.
  Allow UPnP to pass through Firewall: Select this check box to allow traffic from
  UPnP-enabled applications to bypass the firewall. Clear this check box to have the
  firewall block all UPnP application packets (for example, MSN packets).
  Outgoing WAN Interface: Select through which WAN port you want to send out traffic from
  UPnP-enabled applications. If the WAN port you select loses its connection, the ZyWALL
  attempts to use the other WAN port. If the other WAN port also does not work, the
  ZyWALL drops outgoing packets from UPnP-enabled applications.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
28.3 Displaying UPnP Port Mapping
Click UPnP and then Ports to display the UPnP Ports screen. Use this screen to view the NAT
port mapping rules that UPnP creates on the ZyWALL. Not all fields are available on all
models.
Figure 231 UPnP Ports
The following table describes the labels in this screen.
Table 162 UPnP Ports
LABEL
DESCRIPTION
Reserve UPnP
NAT rules in flash
after system
bootup
Select this check box to have the ZyWALL retain UPnP created NAT rules even
after restarting. If you use UPnP and you set a port on your computer to be fixed for
a specific service (for example FTP for file transfers), this option allows the
ZyWALL to keep a record when your computer uses UPnP to create a NAT
forwarding rule for that service.
WAN Interface in
Use
This field displays through which WAN port the ZyWALL is currently sending out
traffic from UPnP-enabled applications. This field displays None when UPnP is
disabled or neither of the WAN ports has a connection.
The following read-only table displays information about the UPnP-created NAT mapping rule entries in
the ZyWALL’s NAT routing table.
#
This is the index number of the UPnP-created NAT mapping rule entry.
Remote Host
This field displays the source IP address (on the WAN) of inbound IP packets.
Since this is often a wildcard, the field may be blank. When the field is blank, the
ZyWALL forwards all traffic sent to the External Port on the WAN interface to the
Internal Client on the Internal Port. When this field displays an external IP
address, the NAT rule has the ZyWALL forward inbound packets to the Internal
Client from that IP address only.
External Port
This field displays the port number that the ZyWALL “listens” on (on the WAN port)
for connection requests destined for the NAT rule’s Internal Port and Internal
Client. The ZyWALL forwards incoming packets (from the WAN) with this port
number to the Internal Client on the Internal Port (on the LAN). If the field
displays “0”, the ZyWALL ignores the Internal Port value and forwards requests on
all external port numbers (that are otherwise unmapped) to the Internal Client.
Protocol
This field displays the protocol of the NAT mapping rule (TCP or UDP).
Internal Port
This field displays the port number on the Internal Client to which the ZyWALL
should forward incoming connection requests.
Internal Client
This field displays the DNS host name or IP address of a client on the LAN. Multiple
NAT clients can use a single port simultaneously if the internal client field is set to
255.255.255.255 for UDP mappings.
Enabled
This field displays whether or not this UPnP-created NAT mapping rule is turned
on. The UPnP-enabled device that connected to the ZyWALL and configured the
UPnP-created NAT mapping rule on the ZyWALL determines whether or not the
rule is enabled.
Description
This field displays a text explanation of the NAT mapping rule.
Lease Duration
This field displays a dynamic port-mapping rule’s time to live (in seconds). It
displays “0” if the port mapping is static.
Apply
Click Apply to save your changes back to the ZyWALL.
Refresh
Click Refresh to update the screen’s table.
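The fields in the table above are the ones a UPnP client sends in the IGD WANIPConnection AddPortMapping action and reads back with GetGenericPortMappingEntry. The following Python is an added example, not part of this guide or of the ZyWALL firmware: it parses constructed GetGenericPortMappingEntryResponse bodies into the fields of Table 162 and flags the mappings an administrator should review (wildcard Remote Host, External Port 0, a 255.255.255.255 shared Internal Client, a static lease, and forwarding to a service port on an assumed review list). The sample mappings, addresses and the review port list are assumptions.

```python
"""Parse UPnP IGD port-mapping entries and flag the ones worth reviewing.
Added example, not ZyWALL code; every SOAP body below is constructed."""
import xml.etree.ElementTree as ET

FIELDS = ("RemoteHost", "ExternalPort", "Protocol", "InternalPort",
          "InternalClient", "Enabled", "PortMappingDescription", "LeaseDuration")
RISKY_INTERNAL_PORTS = {22, 23, 445, 3389}   # assumed review list; adjust to local policy


def soap_entry(remote, ext, proto, int_port, client, enabled, desc, lease):
    """Build a constructed GetGenericPortMappingEntryResponse (WANIPConnection:1 element names)."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost>{remote}</NewRemoteHost>
   <NewExternalPort>{ext}</NewExternalPort>
   <NewProtocol>{proto}</NewProtocol>
   <NewInternalPort>{int_port}</NewInternalPort>
   <NewInternalClient>{client}</NewInternalClient>
   <NewEnabled>{enabled}</NewEnabled>
   <NewPortMappingDescription>{desc}</NewPortMappingDescription>
   <NewLeaseDuration>{lease}</NewLeaseDuration>
  </u:GetGenericPortMappingEntryResponse>
 </s:Body>
</s:Envelope>"""


def parse_mapping(xml_text):
    """Return one mapping as a dict keyed like the columns of the UPnP Ports screen."""
    root = ET.fromstring(xml_text)
    values = {}
    for el in root.iter():
        tag = el.tag.split("}")[-1]              # drop any XML namespace prefix
        if tag.startswith("New") and tag[3:] in FIELDS:
            values[tag[3:]] = (el.text or "").strip()
    return {
        "remote_host": values["RemoteHost"],          # blank = any WAN source
        "external_port": int(values["ExternalPort"]),
        "protocol": values["Protocol"],
        "internal_port": int(values["InternalPort"]),
        "internal_client": values["InternalClient"],
        "enabled": values["Enabled"] == "1",
        "description": values["PortMappingDescription"],
        "lease_duration": int(values["LeaseDuration"]),   # 0 = static, never expires
    }


def audit(mapping):
    """Findings for one mapping, in the order the checks run; disabled rules get none."""
    findings = []
    if not mapping["enabled"]:
        return findings
    if mapping["remote_host"] == "":
        findings.append("open to any WAN source (Remote Host wildcard)")
    if mapping["external_port"] == 0:
        findings.append("External Port 0: all otherwise unmapped external ports forwarded")
    if mapping["internal_client"] == "255.255.255.255":
        findings.append("shared mapping: any LAN client may receive this traffic")
    if mapping["lease_duration"] == 0:
        findings.append("static mapping: never expires")
    if mapping["internal_port"] in RISKY_INTERNAL_PORTS:
        findings.append(f"forwards to service port {mapping['internal_port']} on a LAN host")
    return findings


def audit_all(xml_responses):
    """(index, description, findings) for each response, mirroring the screen's rows."""
    report = []
    for i, xml_text in enumerate(xml_responses):
        m = parse_mapping(xml_text)
        report.append((i, m["description"], audit(m)))
    return report


# Constructed sample: four mappings as four GetGenericPortMappingEntry responses.
SAMPLE_MAPPINGS = [
    soap_entry("", 6881, "TCP", 6881, "192.168.1.33", 1, "file share", 0),
    soap_entry("198.51.100.7", 3389, "TCP", 3389, "192.168.1.10", 1, "remote desktop", 3600),
    soap_entry("", 5004, "UDP", 5004, "255.255.255.255", 1, "voice", 1800),
    soap_entry("", 0, "TCP", 8080, "192.168.1.20", 0, "disabled test", 0),
]

if __name__ == "__main__":
    for index, desc, findings in audit_all(SAMPLE_MAPPINGS):
        print(f"#{index} {desc}: {'; '.join(findings) or 'ok'}")
```

The checks follow the semantics in Table 162 directly: a blank Remote Host means the rule is reachable from the whole Internet, External Port 0 is a catch-all, and a zero Lease Duration survives until someone deletes it, which is exactly the kind of mapping a LAN host can quietly leave behind.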
28.4 Installing UPnP in Windows Example
This section shows how to install UPnP in Windows Me and Windows XP.
28.4.1 Installing UPnP in Windows Me
Follow the steps below to install UPnP in Windows Me.
1 Click Start, Settings and Control Panel. Double-click Add/Remove Programs.
2 Click on the Windows Setup tab and select Communication in the Components selection box. Click Details.
3 In the Communications window, select the Universal Plug and Play check box in the Components selection box.
4 Click OK to go back to the Add/Remove Programs Properties window and click Next.
5 Restart the computer when prompted.
28.4.2 Installing UPnP in Windows XP
Follow the steps below to install UPnP in Windows XP.
1 Click Start, Settings and Control Panel.
2 Double-click Network Connections.
3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components …. The Windows Optional Networking Components Wizard window displays.
4 Select Networking Service in the Components selection box and click Details.
5 In the Networking Services window, select the Universal Plug and Play check box.
6 Click OK to go back to the Windows Optional Networking Component Wizard window and click Next.
28.5 Using UPnP in Windows XP Example
This section shows you how to use the UPnP feature in Windows XP. You must already have
UPnP installed in Windows XP and UPnP activated on the ZyXEL device.
Make sure the computer is connected to a LAN port of the ZyXEL device. Turn on your
computer and the ZyXEL device.
28.5.1 Auto-discover Your UPnP-enabled Network Device
1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.
2 Right-click the icon and select Properties.
3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. You may edit or delete the port mappings or click Add to manually add port mappings.
Note: When the UPnP-enabled device is disconnected from your computer, all port
mappings will be deleted automatically.
4 Select the Show icon in notification area when connected check box and click OK. An icon displays in the system tray.
5 Double-click the icon to display your current Internet connection status.
28.5.2 Web Configurator Easy Access
With UPnP, you can access the web-based configurator on the ZyXEL device without finding
out the IP address of the ZyXEL device first. This is helpful if you do not know the IP address
of the ZyXEL device.
Follow the steps below to access the web configurator.
1 Click Start and then Control Panel.
2 Double-click Network Connections.
3 Select My Network Places under Other Places.
4 An icon with the description for each UPnP-enabled device displays under Local Network.
5 Right-click the icon for your ZyXEL device and select Invoke. The web configurator login screen displays.
6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.
CHAPTER 29
ALG Screen
This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to
pass through the ZyWALL.
29.1 ALG Introduction
The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain
NAT-unfriendly applications (such as SIP) to operate properly through the ZyWALL.
Some applications cannot operate through NAT (are NAT-unfriendly) because they embed IP
addresses and port numbers in their packets’ data payload; NAT rewrites only the IP and
transport headers, so the remote peer receives a private address it cannot reach. The
ZyWALL examines and uses the IP address and port number information embedded in the data
stream. When a device behind the ZyWALL uses an application for which the ZyWALL has the
ALG service enabled, the ZyWALL translates the device’s private IP address inside the data
stream to a public IP address. It also records the session port numbers and dynamically
creates implicit NAT port forwarding and firewall rules for the application’s traffic to
come in from the WAN to the LAN.
29.1.1 ALG and NAT
The ZyWALL dynamically creates an implicit NAT session for the application’s traffic from
the WAN to the LAN.
The ALG on the ZyWALL supports all NAT mapping types, including One to One, Many to
One, Many to Many Overload and Many One to One.
29.1.2 ALG and the Firewall
The ZyWALL uses the dynamic port that the session uses for data transfer in creating an
implicit temporary firewall rule for the session’s traffic. The firewall rule only allows the
session’s traffic to go through in the direction that the ZyWALL determines from its
inspection of the data payload of the application’s packets. The firewall rule is automatically
deleted after the application’s traffic has gone through.
29.1.3 ALG and Multiple WAN
When the ZyWALL has two WAN ports and uses the lower priority WAN port only as a
backup, the application’s traffic cannot pass through when the primary WAN port connection
fails. The ZyWALL does not automatically move the existing ALG sessions to the secondary
WAN port.
If the primary WAN connection fails, the client needs to re-initialize the connection through
the secondary WAN port to have the connection go through the secondary WAN port.
When the ZyWALL uses both of the WAN ports at the same time, you can configure routing
policies to specify the WAN port that the connection’s traffic is to use.
29.2 FTP
File Transfer Protocol (FTP) is a file transfer service that runs over TCP/IP networks,
including the Internet. A system running an FTP server accepts commands from a system
running an FTP client; the client sends commands to the server to upload and download
files. FTP uses a control connection to TCP port 21 and separate data connections whose
address and port the client and server negotiate inside the control connection’s payload
(the PORT and PASV commands), which is why it needs an ALG. The FTP ALG allows TCP packets
with a port 21 destination to pass through, rewrites the private address in that
negotiation, and opens the data connection it negotiates. If the FTP server is located on
the LAN, you must also configure NAT port forwarding and firewall rules if you want to
allow access to the server from the WAN.
29.3 H.323
H.323 is a standard teleconferencing protocol suite that provides audio, data and video
conferencing. It allows for real-time point-to-point and multipoint communication between
client computers over a packet-based network that does not provide a guaranteed quality of
service. NetMeeting uses H.323.
29.4 RTP
When you make a VoIP call using H.323 or SIP, the Real-time Transport Protocol (RTP)
carries the voice data. See RFC 1889 (since replaced by RFC 3550) for details on RTP.
29.4.1 H.323 ALG Details
• The H.323 ALG supports peer-to-peer H.323 calls.
• The H.323 ALG handles H.323 calls that go through NAT or that the ZyWALL routes.
You can also make other H.323 calls that do not go through NAT or routing. Examples
would be calls between LAN IP addresses that are on the same subnet.
• The H.323 ALG allows calls to go out through NAT. For example, you could make a call
from a private IP address on the LAN to a peer device on the WAN.
• You must configure the firewall and port forwarding to allow incoming (peer-to-peer)
calls from the WAN to a private IP address on the LAN (or DMZ). The following
example shows H.323 signaling and audio sessions between H.323 devices A and B.
Figure 232 H.323 ALG Example (signaling session over TCP port 1720)
• With multiple WAN IP addresses on the ZyWALL, you can configure different firewall
and port forwarding rules to allow incoming calls from each WAN IP address to go to a
specific IP address on the LAN (or DMZ). Use policy routing to have the H.323 calls
from each of those LAN or DMZ IP addresses go out through the same WAN IP address
that calls come in on. The policy routing lets the ZyWALL correctly forward the return
traffic for the calls initiated from the LAN IP addresses.
For example, you configure firewall and port forwarding rules to allow LAN IP address
A to receive calls through public WAN IP address 1. You configure different firewall and
port forwarding rules to allow LAN IP address B to receive calls through public WAN IP
address 2. You configure corresponding policy routes to have calls from LAN IP address
A go out through WAN IP address 1 and calls from LAN IP address B go out through
WAN IP address 2.
Figure 233 H.323 with Multiple WAN IP Addresses
• When you configure the firewall and port forwarding to allow calls from the WAN to a
specific IP address on the LAN, you can also use policy routing to have H.323 calls from
other LAN or DMZ IP addresses go out through a different WAN IP address. The policy
routing lets the ZyWALL correctly forward the return traffic for the calls initiated from
the LAN IP addresses.
For example, you configure the firewall and port forwarding to allow LAN IP address A
to receive calls from the Internet through WAN IP address 1. You also use a policy route
to have LAN IP address A make calls out through WAN IP address 1. Configure another
policy route to have H.323 calls from LAN IP addresses B and C go out through WAN IP
address 2. Even though only LAN IP address A can receive incoming calls from the
Internet, LAN IP addresses B and C can still make calls out to the Internet.
Figure 234 H.323 Calls from the WAN with Multiple Outgoing Calls
• The H.323 ALG operates on TCP packets with a port 1720 destination.
• The ZyWALL allows H.323 audio connections.
• The ZyWALL can also apply bandwidth management to traffic that goes through the
H.323 ALG.
29.5 SIP
The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that
handles the setting up, altering and tearing down of voice and multimedia sessions over the
Internet. SIP is used in VoIP (Voice over IP), the sending of voice signals over the Internet
Protocol.
SIP signaling is separate from the media for which it handles sessions. The media that is
exchanged during the session can use a different path from that of the signaling. SIP handles
telephone calls and can interface with traditional circuit-switched telephone networks.
29.5.1 STUN
STUN (Simple Traversal of UDP through NATs) lets a VoIP device discover whether NAT
routers and/or firewalls sit between it and the public Internet, and of what type. STUN
also lets the VoIP device learn the public IP address and port that NAT assigned, so it can
embed them in its SIP and SDP messages instead of its private address. See RFC 3489 for
details on STUN (RFC 5389 later replaced it). You do not need to use STUN for devices
behind the ZyWALL if you enable the SIP ALG, because the ALG rewrites the embedded
addresses itself; using both on the same client can cause the ALG to rewrite addresses the
client has already translated, so choose one of the two.
29.5.2 SIP ALG Details
• SIP clients can be connected to the LAN, WLAN or DMZ. A SIP server must be on the
WAN.
• You can make and receive calls between the LAN and the WAN, between the WLAN
and the WAN and/or between the DMZ and the WAN. You cannot make a call between
the LAN and the LAN, between the LAN and the DMZ, between the LAN and the
WLAN, between the DMZ and the DMZ, and so on.
• The SIP ALG allows UDP packets with a port 5060 destination to pass through.
• The ZyWALL allows SIP audio connections.
The following example shows SIP signaling and audio sessions between SIP clients A and B
and the SIP server (1).
Figure 235 SIP ALG Example (signaling session over UDP port 5060; audio session using RTP)
29.5.3 SIP Signaling Session Timeout
Most SIP clients have an “expire” mechanism indicating the lifetime of signaling sessions.
The SIP user agent sends registration packets to the SIP server periodically and keeps the
session alive in the ZyWALL.
If the SIP client does not have this mechanism and makes no calls during the ZyWALL SIP
timeout default (60 minutes), the ZyWALL SIP ALG drops any incoming calls after the
timeout period.
29.5.4 SIP Audio Session Timeout
If no voice packets go through the SIP ALG before the timeout period (default 5 minutes)
expires, the SIP ALG does not drop the call but blocks all voice traffic and deletes the audio
session. You cannot hear anything and you will need to make a new call to continue your
conversation.
29.6 ALG Screen
Click ADVANCED, ALG to open the ALG screen. Use the ALG screen to turn individual
ALGs off or on and set the SIP timeout.
Note: If the ZyWALL provides an ALG for a service, you must enable the ALG in order
to perform bandwidth management on that service’s traffic.
Figure 236 ALG
The following table describes the labels in this screen.
Table 163 ALG
LABEL
DESCRIPTION
Enable FTP ALG
Select this check box to allow FTP sessions to pass through the ZyWALL. FTP (File
Transfer Protocol) is a service for transferring files, including large files that may not
be practical to send by e-mail.
Enable H.323 ALG
Select this check box to allow H.323 sessions to pass through the ZyWALL. H.323 is a
protocol suite used for audio and video conferencing over packet networks.
Enable SIP ALG Select this check box to allow SIP sessions to pass through the ZyWALL. SIP is a
signaling protocol used in VoIP (Voice over IP), the sending of voice signals over
Internet Protocol.
SIP Timeout
Most SIP clients have an “expire” mechanism indicating the lifetime of signaling
sessions. The SIP user agent sends registration packets to the SIP server
periodically and keeps the session alive in the ZyWALL.
If the SIP client does not have this mechanism and makes no calls during the
ZyWALL SIP timeout (default 60 minutes), the ZyWALL SIP ALG drops any incoming
calls after the timeout period. Enter the SIP signaling session timeout value.
Apply
Click Apply to save your changes back to the ZyWALL.
Reset
Click Reset to begin configuring this screen afresh.
CHAPTER 30
Logs Screens
This chapter contains information about configuring general log settings and viewing the
ZyWALL’s logs. Refer to Appendix S on page 774 for example log message explanations.
30.1 Configuring View Log
The web configurator allows you to look at all of the ZyWALL’s logs in one location.
Click LOGS to open the View Log screen. Use the View Log screen to see the logs for the
categories that you selected in the Log Settings screen (see Section 30.3 on page 475).
Options include logs about system maintenance, system errors, access control, allowed or
blocked web sites, blocked web features (such as ActiveX controls, java and cookies), attacks
(such as DoS) and IPSec.
Log entries in red indicate system error logs. The log wraps around and deletes the old entries
after it fills. Click a column heading to sort the entries. A triangle indicates ascending or
descending sort order.
Figure 237 View Log
The following table describes the labels in this screen.
Table 164 View Log
LABEL
DESCRIPTION
Display
The categories that you select in the Log Settings page (see Section 30.3 on page
475) display in the drop-down list box.
Select a category of logs to view; select All Logs to view logs from all of the log
categories that you selected in the Log Settings page.
#
This field displays the log number.
Time
This field displays the time the log was recorded. See Section 31.4 on page 486 to
configure the ZyWALL’s time and date.
Message
This field states the reason for the log.
Source
This field lists the source IP address and the port number of the incoming packet.
Destination
This field lists the destination IP address and the port number of the incoming packet.
Note
This field displays additional information about the log entry.
Email Log Now
Click Email Log Now to send the log screen to the e-mail address specified in the
Log Settings page (make sure that you have first filled in the E-mail Log Settings
fields in Log Settings, see Section 30.3 on page 475).
Refresh
Click Refresh to renew the log screen.
Clear Log
Click Clear Log to delete all the logs.
30.2 Log Description Example
The following is an example of how a log displays in the command line interpreter and a
description of the sample log. The columns are, in order, the log number, time, source,
destination and notes, followed by the message. Refer to the appendices for more log
message descriptions and details on using the command line interpreter to display logs.
#  .time                source             destination         notes
5|06/08/2004 05:58:20 |172.21.4.187:137   |172.21.255.255:137 |ACCESS BLOCK
Firewall default policy: UDP (W to W/ZW)
Table 165 Example Log Description
LABEL
DESCRIPTION
#
This is log number five.
time
The log was generated on June 8, 2004 at 5:58 and 20 seconds AM.
source
The log was generated due to a NetBIOS packet sent from IP address 172.21.4.187 port
137.
destination The NetBIOS packet was sent to the 172.21.255.255 subnet port 137. This was a
NetBIOS UDP broadcast packet meant to discover devices on the network.
notes
The ZyWALL blocked the packet.
message
The ZyWALL blocked the packet in accordance with the firewall’s default policy of blocking
sessions that are initiated from the WAN. “UDP” means that this was a User Datagram
Protocol packet. “W to W/ZW” indicates that the packet was traveling from the WAN to the
WAN or the ZyWALL.
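The record format above is easy to parse and, once parsed, easy to run simple detections over. The Python below is an added example, not part of this guide or of ZyNOS: it parses records in the form shown in Section 30.2 (log number, time, source, destination and notes, with the message on the following line), extracts the zone pair from the “(W to W/ZW)” suffix, and reports WAN sources that were blocked while hitting several different ports on the ZyWALL itself. Only the first sample record is the one from the guide; the other records and their addresses are constructed.

```python
"""Parse ZyNOS CLI log records of the form shown in Section 30.2 and run a
simple port-sweep detection over them. Added example, not ZyWALL code."""
import re
from collections import defaultdict
from datetime import datetime

RECORD_RE = re.compile(
    r"^\s*(?P<num>\d+)\|(?P<time>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s*\|"
    r"(?P<src>\S+)\s*\|(?P<dst>\S+)\s*\|(?P<notes>.*?)\s*$")
DIRECTION_RE = re.compile(r"\((?P<from>[A-Z]+) to (?P<to>[A-Z/]+)\)")   # e.g. (W to W/ZW)

# Constructed sample. Record 5 is the guide's example; 6-8 are made up to show a sweep.
SAMPLE_LOG = """\
#  .time                source             destination         notes
5|06/08/2004 05:58:20 |172.21.4.187:137   |172.21.255.255:137 |ACCESS BLOCK
Firewall default policy: UDP (W to W/ZW)
6|06/08/2004 05:58:21 |198.51.100.7:4412  |203.0.113.10:23    |ACCESS BLOCK
Firewall default policy: TCP (W to ZW)
7|06/08/2004 05:58:21 |198.51.100.7:4413  |203.0.113.10:22    |ACCESS BLOCK
Firewall default policy: TCP (W to ZW)
8|06/08/2004 05:58:22 |198.51.100.7:4414  |203.0.113.10:80    |ACCESS BLOCK
Firewall default policy: TCP (W to ZW)
"""


def split_addr(addr):
    ip, _, port = addr.rpartition(":")
    return ip, int(port)


def parse_log(text):
    """Return one dict per record, pairing each record line with its message line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    records, i = [], 0
    while i < len(lines):
        m = RECORD_RE.match(lines[i])
        if not m:
            i += 1                                  # column header or unrecognised line
            continue
        rec = m.groupdict()
        rec["num"] = int(rec["num"])
        rec["when"] = datetime.strptime(rec["time"], "%m/%d/%Y %H:%M:%S")
        rec["src_ip"], rec["src_port"] = split_addr(rec["src"])
        rec["dst_ip"], rec["dst_port"] = split_addr(rec["dst"])
        message = ""
        if i + 1 < len(lines) and not RECORD_RE.match(lines[i + 1]):
            message = lines[i + 1].strip()          # message sits on the next line
            i += 1
        rec["message"] = message
        d = DIRECTION_RE.search(message)
        rec["from_zone"], rec["to_zone"] = (d.group("from"), d.group("to")) if d else (None, None)
        records.append(rec)
        i += 1
    return records


def port_sweeps(records, min_ports=3):
    """Sources blocked while probing at least min_ports distinct ports on the ZyWALL itself.
    The "to" zone may list alternatives separated by '/', so W/ZW includes the ZyWALL."""
    ports = defaultdict(set)
    for r in records:
        if r["notes"] == "ACCESS BLOCK" and r["to_zone"] and "ZW" in r["to_zone"].split("/"):
            ports[r["src_ip"]].add(r["dst_port"])
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["num"], r["when"], f"{r['src_ip']}:{r['src_port']}", "->",
              f"{r['dst_ip']}:{r['dst_port']}", r["notes"], "|", r["message"])
    print("possible sweeps:", port_sweeps(recs))
```

With the threshold at three ports the NetBIOS broadcast in record 5 is not reported (one port, and a broadcast destination), while the constructed 198.51.100.7 records are; tune `min_ports` to the noise level of your WAN link before treating the output as an alert.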
30.2.1 Certificate Not Trusted Log Note
myZyXEL.com and the update server use certificates signed by VeriSign to identify
themselves. If the ZyWALL does not have a CA certificate signed by VeriSign as a trusted
CA, the ZyWALL will not trust the certificate from myZyXEL.com and the update server. The
ZyWALL then generates a log like "Due to error code(11), cert not trusted: SSL/TLS peer
certif..." every time it attempts to establish an (HTTPS) connection with myZyXEL.com or
the update server. The V4.00 default configuration file includes a trusted CA certificate
signed by VeriSign. If you upgraded to ZyNOS V4.00 firmware without uploading the V4.00
default configuration file, you can download a CA certificate signed by VeriSign from
myZyXEL.com and import it into the ZyWALL as a trusted CA. This stops the ZyWALL from
generating this log every time it attempts to connect to myZyXEL.com and the update
server.
Follow the steps below to download the certificate from myZyXEL.com.
1 Go to http://www.myZyXEL.com and log in with your account.
2 Click Download Center and then Certificate Download.
Figure 238 myZyXEL.com: Download Center
3 Click the link in the Certificate Download screen.
Figure 239 myZyXEL.com: Certificate Download
30.3 Configuring Log Settings
To change your ZyWALL’s log settings, click LOGS, then the Log Settings tab. The screen
appears as shown.
Use the Log Settings screen to configure to where the ZyWALL is to send logs; the schedule
for when the ZyWALL is to send the logs and which logs and/or immediate alerts the
ZyWALL is to send.
An alert is a type of log that warrants more serious attention. Alerts include system
errors, attacks (access control) and attempted access to blocked web sites or web sites
with restricted web features such as cookies, ActiveX and so on. Some categories, such as
System Errors, consist of both logs and alerts. You can tell them apart by their color in
the View Log screen: alerts display in red and logs display in black.
Note: Alerts are e-mailed as soon as they happen. Logs may be e-mailed as soon as
the log is full (see Log Schedule). Selecting many alert and/or log categories
(especially Access Control) may result in many e-mails being sent.
Figure 240 Log Settings
The following table describes the labels in this screen.
Table 166 Log Settings
LABEL
DESCRIPTION
E-mail Log Settings
Mail Server
Enter the server name or the IP address of the mail server for the e-mail
addresses specified below. If this field is left blank, logs and alert messages will
not be sent via e-mail.
Mail Subject
Type a title that you want to be in the subject line of the log e-mail message
that the ZyWALL sends.
Mail Sender
Enter the e-mail address that you want to be in the from/sender line of the log
e-mail message that the ZyWALL sends. If you activate SMTP authentication,
the e-mail address must be able to be authenticated by the mail server as well.
Send Log To
Logs are sent to the e-mail address specified in this field. If this field is left
blank, logs will not be sent via e-mail.
Send Alerts To
Alerts are sent to the e-mail address specified in this field. If this field is left
blank, alerts will not be sent via e-mail.
Log Schedule
This drop-down menu is used to configure the frequency of log messages
being sent as E-mail:
• Daily
• Weekly
• Hourly
• When Log is Full
• None.
If you select Weekly or Daily, specify a time of day when the E-mail should be
sent. If you select Weekly, then also specify which day of the week the E-mail
should be sent. If you select When Log is Full, an alert is sent when the log
fills up. If you select None, no log messages are sent.
Day for Sending Log
Use the drop down list box to select which day of the week to send the logs.
Time for Sending Log
Enter the time of the day in 24-hour format (for example 23:00 equals 11:00
pm) to send the logs.
SMTP Authentication
SMTP (Simple Mail Transfer Protocol) is the message-exchange standard for
the Internet. SMTP enables you to move messages from one e-mail server to
another.
Select the check box to activate SMTP authentication. If the mail server requires
authentication but this feature is disabled, you will not receive the e-mail logs.
User Name
Enter the user name (up to 31 characters) (usually the user name of a mail
account).
Password
Enter the password associated with the user name above.
Syslog Logging
Syslog logging sends a log to an external syslog server used to store logs.
Active
Click Active to enable syslog logging.
Syslog Server
Enter the server name or IP address of the syslog server that will log the
selected categories of logs.
Log Facility
Select a location from the drop down list box. The log facility allows you to log
the messages to different files in the syslog server. Refer to the documentation
of your syslog program for more details.
Active Log and Alert
Log
Select the categories of logs that you want to record. Logs include alerts.
Send Immediate Alert
Select the categories of alerts for which you want the ZyWALL to instantly e-mail alerts
to the e-mail address specified in the Send Alerts To field.
Log Consolidation
Active
Some logs (such as the Attacks logs) may be so numerous that it becomes
easy to ignore other important log messages. Select this check box to merge
logs with identical messages into one log.
You can use the sys log consolidate msglist command to see what
log messages will be consolidated.
Log Consolidation
Period
Specify the time interval during which the ZyWALL merges logs with identical
messages into one log.
Apply
Click Apply to save your changes back to the ZyWALL.
Reset
Click Reset to begin configuring this screen afresh.
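Two of the settings in Table 166 are worth seeing as code: Log Consolidation merges logs with identical messages that fall within the consolidation period into one entry, and Syslog Logging tags every forwarded line with the selected Log Facility, which the syslog server uses to route the message to a file. The Python below is an added example, not ZyWALL code and not a description of how ZyNOS implements either feature: it consolidates constructed records by message within a period and keeps a count, then formats each result as an RFC 3164 syslog line whose PRI value is facility × 8 + severity. The records, host name, period and severity mapping are assumptions; only the first message text comes from Section 30.2.

```python
"""Log consolidation and syslog formatting for the behaviours configured in the
Log Settings screen. Added example, not ZyWALL code; all records are constructed."""
from datetime import datetime, timedelta

FACILITIES = {f"local{i}": 16 + i for i in range(8)}      # RFC 3164 facility codes local0..local7
SEVERITIES = {"alert": 1, "warning": 4, "notice": 5, "info": 6}   # assumed mapping of log kinds


def make_record(when, notes, message):
    return {"when": datetime.strptime(when, "%m/%d/%Y %H:%M:%S"), "notes": notes, "message": message}


def consolidate(records, period_s):
    """Merge records whose message matches one first seen within the last period_s seconds.
    The merged entry keeps the first timestamp and carries a count of merged logs."""
    merged, window = [], {}            # window: message -> index into merged
    for rec in sorted(records, key=lambda r: r["when"]):
        idx = window.get(rec["message"])
        if idx is not None and rec["when"] - merged[idx]["when"] <= timedelta(seconds=period_s):
            merged[idx]["count"] += 1
            continue
        merged.append(dict(rec, count=1))        # start a new window for this message
        window[rec["message"]] = len(merged) - 1
    return merged


def syslog_line(rec, facility="local1", severity="notice", hostname="zywall"):
    """Format one record as an RFC 3164 syslog line: <PRI>TIMESTAMP HOST MSG."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    when = rec["when"]
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"      # day is space padded per RFC 3164
    suffix = f" (x{rec['count']})" if rec.get("count", 1) > 1 else ""
    return f"<{pri}>{stamp} {hostname} {rec['notes']}: {rec['message']}{suffix}"


SAMPLE = [   # constructed; the first message text is the one from Section 30.2
    make_record("06/08/2004 05:58:20", "ACCESS BLOCK", "Firewall default policy: UDP (W to W/ZW)"),
    make_record("06/08/2004 05:58:24", "ACCESS BLOCK", "Firewall default policy: UDP (W to W/ZW)"),
    make_record("06/08/2004 05:58:27", "ACCESS BLOCK", "Firewall default policy: TCP (W to ZW)"),
    make_record("06/08/2004 05:58:35", "ACCESS BLOCK", "Firewall default policy: UDP (W to W/ZW)"),
]

if __name__ == "__main__":
    for rec in consolidate(SAMPLE, period_s=10):
        print(syslog_line(rec))
```

Consolidation keys on the message text alone, as the screen describes; if you need the source address preserved (for instance to keep per-attacker counts), include it in the key. Whatever facility you choose here must match the facility your syslog server filters on, or the lines land in the default file.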
30.4 Configuring Reports
The Reports page displays which computers on the LAN send and receive the most traffic,
what kinds of traffic are used the most and which web sites are visited the most often. Use the
Reports screen to have the ZyWALL record and display the following network usage details:
• Web sites visited the most often
• Number of times the most visited web sites were visited
• The most-used protocols or service ports
• The amount of traffic for the most used protocols or service ports
• The LAN IP addresses to and/or from which the most traffic has been sent
• How much traffic has been sent to and from the LAN IP addresses to and/or from which the most traffic has been sent
Note: The web site hit count may not be 100% accurate because sometimes when an
individual web page loads, it may contain references to other web sites that
also get counted as hits.
The ZyWALL records web site hits by counting the HTTP GET packets. Many web sites
include HTTP GET references to other web sites and the ZyWALL may count these as hits,
thus the web hit count is not (yet) 100% accurate.
To change your ZyWALL’s log reports, click LOGS, then the Reports tab. The screen
appears as shown.
Figure 241 Reports
Note: Enabling the ZyWALL’s reporting function decreases the overall throughput by
about 1 Mbps.
The following table describes the labels in this screen.
Table 167 Reports
LABEL
DESCRIPTION
Collect Statistics
Select the check box and click Apply to have the ZyWALL record report data.
Send Raw Traffic Statistics to Syslog Server for Analysis
Select the check box and click Apply to have the ZyWALL send unprocessed traffic statistics
to a syslog server for analysis. You must have the syslog server already configured in the
Log Settings screen.
Apply
Click Apply to save your changes back to the ZyWALL.
Reset
Click Reset to begin configuring this screen afresh.
Interface
Select on which interface (LAN, DMZ or WLAN) the logs will be collected. The logs
on the DMZ, LAN or WLAN IP alias 1 and 2 are also recorded.
Report Type
Use the drop-down list box to select the type of reports to display.
Web Site Hits displays the web sites that have been visited the most often from the
LAN and how many times they have been visited.
Protocol/Port displays the protocols or service ports that have been used the most
and the amount of traffic for the most used protocols or service ports.
Host IP Address displays the LAN, DMZ or WLAN IP addresses to and /or from
which the most traffic has been sent and how much traffic has been sent to and from
those IP addresses.
Refresh
Click Refresh to update the report display. The report also refreshes automatically
when you close and reopen the screen.
Flush
Click Flush to discard the old report data and update the report display.
Note: All of the recorded reports data is erased when you turn off the ZyWALL.
30.4.1 Viewing Web Site Hits
In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have
the ZyWALL record and display which web sites have been visited the most often and how
many times they have been visited.
Figure 242 Web Site Hits Report Example
The following table describes the label in this screen.
Table 168 Web Site Hits Report
LABEL
DESCRIPTION
Web Site
This column lists the domain names of the web sites visited most often from
computers on the LAN, DMZ or WLAN. The names are ranked by the number of
visits to each web site and listed in descending order with the most visited web site
listed first. The ZyWALL counts each page viewed in a web site as another hit on the
web site.
Hits
This column lists how many times each web site has been visited. The count starts
over at 0 if a web site passes the hit count limit (see Table 171 on page 483).
30.4.2 Viewing Protocol/Port
In the Reports screen, select Protocol/Port from the Report Type drop-down list box to have
the ZyWALL record and display which protocols or service ports have been used the most and
the amount of traffic for the most used protocols or service ports.
Figure 243 Protocol/Port Report Example
The following table describes the labels in this screen.
Table 169 Protocol/ Port Report
LABEL
DESCRIPTION
Protocol/Port
This column lists the protocols or service ports for which the most traffic has gone
through the ZyWALL. The protocols or service ports are listed in descending order with
the most used protocol or service port listed first.
Direction
This field displays Incoming to denote traffic that is coming in from the WAN to the
LAN, DMZ or WLAN. This field displays Outgoing to denote traffic that is going out
from the LAN, DMZ or WLAN to the WAN.
Amount
This column lists how much traffic has been sent and/or received for each protocol or
service port. The measurement unit shown (bytes, Kbytes, Mbytes or Gbytes) varies
with the amount of traffic for the particular protocol or service port. The count starts
over at 0 if a protocol or port passes the bytes count limit (see Table 171 on page 483).
30.4.3 Viewing Host IP Address
In the Reports screen, select Host IP Address from the Report Type drop-down list box to
have the ZyWALL record and display the LAN, DMZ or WLAN IP addresses that the most
traffic has been sent to and/or from and how much traffic has been sent to and/or from those IP
addresses.
Note: Computers take turns using dynamically assigned LAN, DMZ or WLAN IP
addresses. The ZyWALL continues recording the bytes sent to or from a LAN,
DMZ or WLAN IP address when it is assigned to a different computer.
Figure 244 Host IP Address Report Example
The following table describes the labels in this screen.
Table 170 Host IP Address Report
LABEL
DESCRIPTION
IP Address
This column lists the LAN, DMZ or WLAN IP addresses to and/or from which the
most traffic has been sent. The LAN, DMZ or WLAN IP addresses are listed in
descending order with the LAN, DMZ or WLAN IP address to and/or from which the
most traffic was sent listed first.
Direction
This field displays Incoming to denote traffic that is coming in from the WAN to the
LAN, DMZ or WLAN. This field displays Outgoing to denote traffic that is going out
from the LAN, DMZ or WLAN to the WAN.
Amount
This column displays how much traffic has gone to and from the listed LAN, DMZ or
WLAN IP addresses. The measurement unit shown (bytes, Kbytes, Mbytes or
Gbytes) varies with the amount of traffic sent to and from the LAN, DMZ or WLAN IP
address. The count starts over at 0 if the total traffic sent to and from a LAN, DMZ or
WLAN IP passes the bytes count limit (see Table 171 on page 483).
30.4.4 Reports Specifications
The following table lists detailed specifications on the reports feature.
Table 171 Report Specifications
LABEL
DESCRIPTION
Number of web sites/protocols or ports/IP addresses listed:
20
Hit count limit:
Up to 2^32 hits can be counted per web site. The count starts over at 0 if it passes four
billion.
Bytes count limit:
Up to 2^64 bytes can be counted per protocol/port or LAN IP address. The count starts
over at 0 if it passes 2^64 bytes.
CHAPTER 31
Maintenance
This chapter displays information on the maintenance screens.
31.1 Maintenance Overview
The maintenance screens can help you view system information, upload new firmware,
manage configuration and restart your ZyWALL.
31.2 General Setup
31.2.1 General Setup and System Name
General Setup contains administrative and system-related information. System Name is for
identification purposes. However, because some ISPs check this name, you should enter your
computer's "Computer Name".
• In Windows 95/98 click Start, Settings, Control Panel, Network. Click the
Identification tab, note the entry for the Computer Name field and enter it as the System
Name.
• In Windows 2000, click Start, Settings, Control Panel and then double-click System.
Click the Network Identification tab and then the Properties button. Note the entry for
the Computer name field and enter it as the System Name.
• In Windows XP, click Start, My Computer, View system information and then click
the Computer Name tab. Note the entry in the Full computer name field and enter it as
the ZyWALL System Name.
31.2.2 General Setup
The Domain Name entry is what is propagated to the DHCP clients on the LAN. If you leave
this blank, the domain name obtained by DHCP from the ISP is used. While you must enter
the host name (System Name), the domain name can be assigned from the ZyWALL via
DHCP.
Click MAINTENANCE to open the General screen.
Figure 245 General Setup
The following table describes the labels in this screen.
Table 172 General Setup
LABEL
DESCRIPTION
General Setup
System Name
Choose a descriptive name for identification purposes. It is recommended you enter
your computer’s “Computer name” in this field. This name can be up to 30
alphanumeric characters long. Spaces are not allowed, but dashes “-” and
underscores "_" are accepted.
Domain Name
Enter the domain name (if you know it) here. If you leave this field blank, the ISP
may assign a domain name via DHCP.
The domain name entered by you is given priority over the ISP assigned domain
name.
Administrator Inactivity Timer
Type how many minutes a management session (either via the web configurator or
SMT) can be left idle before the session times out. The default is 5 minutes. After it
times out you have to log in with your password again. Very long idle timeouts may
have security risks. A value of "0" means a management session never times out, no
matter how long it has been left idle (not recommended).
Apply
Click Apply to save your changes back to the ZyWALL.
Reset
Click Reset to begin configuring this screen afresh.
31.3 Configuring Password
To change your ZyWALL’s password (recommended), click MAINTENANCE, then the
Password tab. The screen appears as shown. This screen allows you to change the ZyWALL’s
password.
Figure 246 Password Setup
The following table describes the labels in this screen.
Table 173 Password Setup
LABEL
DESCRIPTION
Old Password
Type the default password or the existing password you use to access the system
in this field.
New Password
Type your new system password (up to 30 characters). Note that as you type a
password, the screen displays a (*) for each character you type.
Retype to Confirm
Type the new password again for confirmation.
Apply
Click Apply to save your changes back to the ZyWALL.
Reset
Click Reset to begin configuring this screen afresh.
31.4 Time and Date
The ZyWALL’s Real Time Chip (RTC) keeps track of the time and date. There is also a
software mechanism to set the time manually or get the current time and date from an external
server when you turn on your ZyWALL.
To change your ZyWALL’s time and date, click MAINTENANCE, then the Time and Date
tab. The screen appears as shown. Use this screen to configure the ZyWALL’s time based on
your local time zone.
Figure 247 Time and Date
The following table describes the labels in this screen.
Table 174 Time and Date
LABEL
DESCRIPTION
Current Time and Date
Current Time
This field displays the ZyWALL’s present time.
Current Date
This field displays the ZyWALL’s present date.
Time and Date Setup
Manual
Select this radio button to enter the time and date manually. If you configure a
new time and date, Time Zone and Daylight Saving at the same time, the new
time and date you entered has priority and the Time Zone and Daylight Saving
settings do not affect it.
New Time (hh:mm:ss)
This field displays the last updated time from the time server or the last time
configured manually.
When you set Time and Date Setup to Manual, enter the new time in this field
and then click Apply.
New Date (yyyy-mm-dd)
This field displays the last updated date from the time server or the last date
configured manually.
When you set Time and Date Setup to Manual, enter the new date in this field
and then click Apply.
Get from Time Server
Select this radio button to have the ZyWALL get the time and date from the time
server you specified below.
Time Protocol
Select the time service protocol that your time server uses. Not all time servers
support all protocols, so you may have to check with your ISP/network
administrator or use trial and error to find a protocol that works.
The main difference between them is the format.
Daytime (RFC 867) format is day/month/year/time zone of the server.
Time (RFC 868) format displays a 4-byte integer giving the total number of
seconds since 1970/1/1 at 0:0:0.
The default, NTP (RFC 1305), is similar to Time (RFC 868).
Time Server
Address
Enter the IP address or URL of your time server. Check with your ISP/network
administrator if you are unsure of this information.
Synchronize Now
Click this button to have the ZyWALL get the time and date from a time server
(see the Time Server Address field). This also saves your changes (including
the time server address).
Time Zone Setup
Time Zone
Choose the time zone of your location. This will set the time difference between
your time zone and Greenwich Mean Time (GMT).
Enable Daylight
Saving
Daylight saving is a period from late spring to early fall when many countries set
their clocks ahead of normal local time by one hour to give more daytime light in
the evening.
Select this option if you use Daylight Saving Time.
Start Date
Configure the day and time when Daylight Saving Time starts if you selected
Enable Daylight Saving. The o'clock field uses the 24 hour format. Here are a
couple of examples:
Daylight Saving Time starts in most parts of the United States on the first Sunday
of April. Each time zone in the United States starts using Daylight Saving Time at
2 A.M. local time. So in the United States you would select First, Sunday, April
and type 2 in the o'clock field.
Daylight Saving Time starts in the European Union on the last Sunday of March.
All of the time zones in the European Union start using Daylight Saving Time at
the same moment (1 A.M. GMT or UTC). So in the European Union you would
select Last, Sunday, March. The time you type in the o'clock field depends on
your time zone. In Germany for instance, you would type 2 because Germany's
time zone is one hour ahead of GMT or UTC (GMT+1).
End Date
Configure the day and time when Daylight Saving Time ends if you selected
Enable Daylight Saving. The o'clock field uses the 24 hour format. Here are a
couple of examples:
Daylight Saving Time ends in the United States on the last Sunday of October.
Each time zone in the United States stops using Daylight Saving Time at 2 A.M.
local time. So in the United States you would select Last, Sunday, October and
type 2 in the o'clock field.
Daylight Saving Time ends in the European Union on the last Sunday of October.
All of the time zones in the European Union stop using Daylight Saving Time at
the same moment (1 A.M. GMT or UTC). So in the European Union you would
select Last, Sunday, October. The time you type in the o'clock field depends on
your time zone. In Germany for instance, you would type 2 because Germany's
time zone is one hour ahead of GMT or UTC (GMT+1).
Apply
Click Apply to save your changes back to the ZyWALL.
Reset
Click Reset to begin configuring this screen afresh.
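As an added example (not ZyXEL code), the following Python works out, from Start Date or End Date settings of the form described above (First/Last, weekday, month, o'clock), the calendar date and time at which the transition falls in a given year. It also shows the table's point that European Union zones switch at the same UTC instant even though the o'clock value typed differs by time zone; the function names are hypothetical.

```python
"""Compute a Daylight Saving transition from a ZyWALL-style rule
("First"/"Last", weekday, month, o'clock) for a given year.

Added example, not ZyXEL code. Function names are hypothetical; the US and EU
rules and Germany's GMT+1 offset are the ones quoted in Table 174.
"""
import calendar
from datetime import datetime, timedelta, timezone

ORDINALS = ("First", "Second", "Third", "Fourth", "Last")
WEEKDAYS = {name: i for i, name in enumerate(calendar.day_name)}      # Monday = 0
MONTHS = {name: i for i, name in enumerate(calendar.month_name) if name}


def nth_weekday(year: int, month: int, weekday: int, ordinal: str) -> int:
    """Day of month for e.g. the First Sunday or the Last Sunday of a month."""
    if ordinal not in ORDINALS:
        raise ValueError(f"ordinal must be one of {ORDINALS}")
    days_in_month = calendar.monthrange(year, month)[1]
    matches = [d for d in range(1, days_in_month + 1)
               if calendar.weekday(year, month, d) == weekday]
    return matches[-1] if ordinal == "Last" else matches[ORDINALS.index(ordinal)]


def dst_transition(year, ordinal, weekday, month, oclock, utc_offset_hours):
    """Return (local wall-clock time, the same instant in UTC) for one rule.

    oclock is the 24-hour value typed into the o'clock field; utc_offset_hours
    is the zone's standard-time offset from GMT/UTC (Germany: 1, UK: 0).
    """
    if not 0 <= oclock <= 23:
        raise ValueError("the o'clock field uses the 24-hour format")
    month_no = MONTHS[month]
    day = nth_weekday(year, month_no, WEEKDAYS[weekday], ordinal)
    local = datetime(year, month_no, day, oclock)
    utc = (local - timedelta(hours=utc_offset_hours)).replace(tzinfo=timezone.utc)
    return local, utc


def eu_oclock(utc_offset_hours: int) -> int:
    """EU zones switch together at 1 A.M. GMT/UTC, so the o'clock value is 1 + offset."""
    return 1 + utc_offset_hours


if __name__ == "__main__":
    year = 2005  # the year this guide was published
    us_start, _ = dst_transition(year, "First", "Sunday", "April", 2, -5)
    us_end, _ = dst_transition(year, "Last", "Sunday", "October", 2, -5)
    print("US (Eastern) DST:", us_start, "->", us_end)
    # Germany (GMT+1) types 2, the UK (GMT+0) types 1: both map to 01:00 UTC.
    _, de_utc = dst_transition(year, "Last", "Sunday", "March", eu_oclock(1), 1)
    _, uk_utc = dst_transition(year, "Last", "Sunday", "March", eu_oclock(0), 0)
    print("EU start (UTC):", de_utc.isoformat(), "same instant:", de_utc == uk_utc)
```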
31.5 Pre-defined NTP Time Servers List
When you turn on the ZyWALL for the first time, the date and time start at 2000-01-01
00:00:00. The ZyWALL then attempts to synchronize with one of the following pre-defined
list of NTP time servers.
The ZyWALL continues to use the following pre-defined list of NTP time servers if you do
not specify a time server or it cannot synchronize with the time server you specified.
Note: The ZyWALL can use this pre-defined list of time servers regardless of the
Time Protocol you select.
Table 175 Default Time Servers
ntp1.cs.wisc.edu
ntp1.gbg.netnod.se
ntp2.cs.wisc.edu
tock.usno.navy.mil
ntp3.cs.wisc.edu
ntp.cs.strath.ac.uk
ntp1.sp.se
time1.stupi.se
tick.stdtime.gov.tw
tock.stdtime.gov.tw
time.stdtime.gov.tw
When the ZyWALL uses the pre-defined list of NTP time servers, it randomly selects one
server and tries to synchronize with it. If the synchronization fails, then the ZyWALL goes
through the rest of the list in order from the first one tried until either it is successful or all the
pre-defined NTP time servers have been tried.
31.5.1 Resetting the Time
The ZyWALL resets the time in the following instances:
• When you click Synchronize Now.
• On saving your changes.
• When the ZyWALL starts up.
• At 24-hour intervals after starting.
31.5.2 Time Server Synchronization
Click the Synchronize Now button to get the time and date from the predefined time server or
the time server you specified in the Time Server Address field.
When the System Time and Date Synchronization in Process screen appears, wait up to one
minute.
Figure 248 Synchronization in Process
Click the Return button to go back to the Time and Date screen after the time and date is
updated successfully.
Figure 249 Synchronization is Successful
If the update was not successful, the following screen appears. Click Return to go back to the
Time and Date screen.
Figure 250 Synchronization Fail
31.6 Introduction To Transparent Bridging
A transparent bridge is invisible to the operation of a network in that it does not modify the
frames it forwards. The bridge checks the source address of incoming frames on the port and
learns MAC addresses to associate with that port. All future communications to that MAC
address will only be sent on that port.
The bridge gradually builds a host MAC-address-to-port mapping table such as in the
following example, during the learning process.
Table 176 MAC-address-to-port Mapping Table
HOST MAC ADDRESS          PORT
00a0c5123456              3
00a0c5123478 (host A)     1
00a0c512349a              3
00a0c51234bc              2
00a0c51234de              4
For example, if a bridge receives a frame via port 1 from host A (MAC address
00a0c5123478), the bridge associates host A with port 1. When the bridge receives another
frame on one of its ports with destination address 00a0c5123478, it forwards the frame
directly through port 1 after checking the internal table.
The bridge takes one of these actions after it checks the destination address of an incoming
frame with its internal table:
• If the table contains an association between the destination address and any of the bridge's
ports aside from the one on which the frame was received, the frame is forwarded out the
associated port.
• If no association is found, the frame is flooded to all ports except the inbound port.
Broadcasts and multicasts also are flooded in this way.
• If the associated port is the same as the incoming port, then the frame is dropped
(filtered).
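The learning and forwarding rules above, worked through as an added Python example (not ZyXEL code): a small learning bridge that replays constructed frames until its table matches Table 176 and reports forward, flood or filter for each frame.

```python
"""Learning-bridge forwarding decision, as described in the transparent
bridging section (Table 176 and the three forwarding rules).

Added example, not ZyXEL code. Port numbers and MAC addresses are the ones
shown in Table 176; the frames replayed below are constructed sample input.
"""
from dataclasses import dataclass, field

BROADCAST = "ffffffffffff"


def is_group_address(mac: str) -> bool:
    """True for multicast and broadcast MACs (I/G bit of the first octet)."""
    return int(mac[:2], 16) & 0x01 == 0x01


@dataclass
class LearningBridge:
    ports: tuple
    table: dict = field(default_factory=dict)  # host MAC address -> port

    def receive(self, in_port: int, src: str, dst: str):
        """Process one frame; return (action, list of output ports).

        action is "forward" (known destination on another port), "flood"
        (unknown, broadcast or multicast destination) or "filter" (destination
        is on the port the frame arrived on, so the frame is dropped).
        """
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        # Learning step: remember which port the source address was seen on.
        # A host that moves to another port is simply re-learned.
        if not is_group_address(src):
            self.table[src] = in_port
        # Rule 2: no association (or a group address) -> flood all other ports.
        if is_group_address(dst) or dst not in self.table:
            return "flood", [p for p in self.ports if p != in_port]
        out_port = self.table[dst]
        # Rule 3: associated port equals the inbound port -> drop (filter).
        if out_port == in_port:
            return "filter", []
        # Rule 1: forward only out of the associated port.
        return "forward", [out_port]


def replay_manual_example():
    """Replay constructed frames until the bridge table matches Table 176;
    return the table and the decision taken for each frame."""
    bridge = LearningBridge(ports=(1, 2, 3, 4))
    # (inbound port, source MAC, destination MAC): constructed traffic.
    frames = [
        (3, "00a0c5123456", BROADCAST),        # broadcast: flood
        (1, "00a0c5123478", "00a0c5123456"),   # host A -> known host: forward to 3
        (3, "00a0c512349a", "00a0c5123456"),   # same segment as destination: filter
        (2, "00a0c51234bc", "00a0c51234de"),   # unknown destination: flood
        (4, "00a0c51234de", "00a0c5123478"),   # reply to host A: forward to 1
    ]
    decisions = [bridge.receive(*frame) for frame in frames]
    return bridge.table, decisions


if __name__ == "__main__":
    table, decisions = replay_manual_example()
    for mac, port in table.items():
        print(f"{mac}  port {port}")
    for frame_no, (action, out) in enumerate(decisions, 1):
        print(f"frame {frame_no}: {action} {out}")
```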
31.7 Transparent Firewalls
A transparent firewall (also known as a transparent, in-line, shadow, stealth or bridging
firewall) has the following advantages over “router firewalls”:
1 The use of a bridging firewall reduces configuration and deployment time because no
networking configuration changes to your existing network (hosts, neighboring routers
and the firewall itself) are needed. Just put it in-line with the network it is protecting. As
it only moves frames between ports (after inspecting them), it is completely transparent.
2 Performance is improved as there's less processing overhead.
3 As a transparent bridge does not modify the frames it forwards, it is effectively “stealth”
as it is invisible to attackers.
Bridging devices are most useful in complex environments that require a rapid or new firewall
deployment. A transparent, bridging firewall can also be good for companies with several
branch offices since the setups at these offices are often the same and it's likely that one design
can be used for many of the networks. A bridging firewall could be configured at HQ, sent to
the branches and then installed directly without additional configuration.
31.8 Configuring Device Mode (Router)
To configure and have your ZyWALL work as a router or a bridge, click MAINTENANCE,
then the Device Mode tab. The following applies when the ZyWALL is in router mode.
Figure 251 Device Mode (Router Mode)
The following table describes the labels in this screen.
Table 177 Device Mode (Router Mode)
LABEL
DESCRIPTION
Current Device Mode
Device Mode
This displays whether the ZyWALL is functioning as a router or a bridge.
Device Mode Setup
Router
When the ZyWALL is in router mode, there is no need to select or clear this radio
button.
IP Address
Click LAN, WAN, DMZ or WLAN to go to the LAN, WAN, DMZ or WLAN screen
where you can view and/or change the corresponding settings.
Bridge
Select this radio button and configure the following fields, then click Apply to set
the ZyWALL to bridge mode.
IP Address
Enter the IP address of your ZyWALL in dotted decimal notation.
IP Subnet Mask
Enter the IP subnet mask of the ZyWALL.
Gateway IP Address
Enter the gateway IP address.
Apply
Click Apply to save your changes back to the ZyWALL. After you click Apply,
please wait for one minute and use the IP address you configured in the IP
Address field to access the ZyWALL again.
Reset
Click Reset to begin configuring this screen afresh.
31.9 Configuring Device Mode (Bridge)
To configure and have your ZyWALL work as a router or a bridge, click MAINTENANCE,
then the Device Mode tab. The following applies when the ZyWALL is in bridge mode.
Figure 252 Device Mode (Bridge Mode)
The following table describes the labels in this screen.
Table 178 Device Mode (Bridge Mode)
LABEL
DESCRIPTION
Current Device Mode
Device Mode
This displays whether the ZyWALL is functioning as a router or a bridge.
Device Mode Setup
Router
Select this radio button and click Apply to set the ZyWALL to router mode.
LAN Interface IP Address
Enter the IP address of your ZyWALL’s LAN port in dotted decimal notation.
192.168.1.1 is the factory default.
LAN Interface Subnet Mask
Enter the IP subnet mask of the ZyWALL’s LAN port.
DHCP
DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows
individual clients (computers) to obtain TCP/IP configuration at startup from a
server. Unless you are instructed by your ISP, leave the DHCP check box
selected. Clear it to stop the ZyWALL from acting as a DHCP server. When
configured as a server, the ZyWALL provides TCP/IP configuration for the clients.
If not, DHCP service is disabled and you must have another DHCP server on
your LAN, or else the computers must be manually configured. When set as a
server, fill in the rest of the DHCP setup fields.
IP Pool Starting Address
This field specifies the first of the contiguous addresses in the IP address pool.
Pool Size
This field specifies the size, or count of the IP address pool.
Bridge
When the ZyWALL is in bridge mode, there is no need to select or clear this radio
button.
IP Address
Click Bridge to go to the Bridge screen where you can view and/or change the
bridge settings.
Apply
Click Apply to save your changes back to the ZyWALL. After you click Apply,
please wait for one minute and use the IP address you configured in the LAN
Interface IP Address field to access the ZyWALL again.
Reset
Click Reset to begin configuring this screen afresh.
31.10 F/W Upload Screen
Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a
.bin extension, for example, "zywall.bin". The upload process uses HTTP (Hypertext Transfer
Protocol) and may take up to two minutes. After a successful upload, the system will reboot.
See Section 47.5 on page 621 for upgrading firmware using FTP/TFTP commands.
Click MAINTENANCE, and then the F/W UPLOAD tab. Follow the instructions in this
screen to upload firmware to your ZyWALL.
Figure 253 Firmware Upload
The following table describes the labels in this screen.
Table 179 Firmware Upload
LABEL
DESCRIPTION
File Path
Type in the location of the file you want to upload in this field or click Browse ... to find it.
Browse...
Click Browse... to find the .bin file you want to upload. Remember that you must
decompress compressed (.zip) files before you can upload them.
Upload
Click Upload to begin the upload process. This process may take up to two minutes.
Note: Do not turn off the ZyWALL while firmware upload is in progress!
After you see the Firmware Upload in Process screen, wait two minutes before logging into
the ZyWALL again.
Figure 254 Firmware Upload In Process
The ZyWALL automatically restarts in this time causing a temporary network disconnect. In
some operating systems, you may see the following icon on your desktop.
Figure 255 Network Temporarily Disconnected
After two minutes, log in again and check your new firmware version in the HOME screen.
If the upload was not successful, the following screen will appear. Click Return to go back to
the F/W Upload screen.
Figure 256 Firmware Upload Error
31.11 Backup and Restore
See Section 47.5 on page 621 for transferring configuration files using FTP/TFTP commands.
Click MAINTENANCE, and then the Backup & Restore tab. Information related to factory
defaults, backup configuration, and restoring configuration appears as shown next.
Figure 257 Backup and Restore
31.11.1 Backup Configuration
Backup Configuration allows you to back up (save) the ZyWALL’s current configuration to a
file on your computer. Once your ZyWALL is configured and functioning properly, it is
highly recommended that you back up your configuration file before making configuration
changes. The backup configuration file will be useful in case you need to return to your
previous settings.
Click Backup to save the ZyWALL’s current configuration to your computer.
31.11.2 Restore Configuration
Restore Configuration allows you to upload a new or previously saved configuration file from
your computer to your ZyWALL.
Table 180 Restore Configuration
LABEL
DESCRIPTION
File Path
Type in the location of the file you want to upload in this field or click Browse ... to find it.
Browse...
Click Browse... to find the file you want to upload. Remember that you must decompress
compressed (.ZIP) files before you can upload them.
Upload
Click Upload to begin the upload process.
Note: Do not turn off the ZyWALL while configuration file upload is in progress.
After you see a “restore configuration successful” screen, you must then wait one minute
before logging into the ZyWALL again.
Figure 258 Configuration Upload Successful
The ZyWALL automatically restarts in this time causing a temporary network disconnect. In
some operating systems, you may see the following icon on your desktop.
Figure 259 Network Temporarily Disconnected
If you uploaded the default configuration file you may need to change the IP address of your
computer to be in the same subnet as that of the default device IP address (192.168.1.1). See
your Quick Start Guide for details on how to set up your computer’s IP address.
If the upload was not successful, the following screen will appear. Click Return to go back to
the Configuration screen.
Figure 260 Configuration Upload Error
31.11.3 Back to Factory Defaults
Pressing the Reset button in this section clears all user-entered configuration information and
returns the ZyWALL to its factory defaults as shown on the screen. The following warning
screen will appear.
Figure 261 Reset Warning Message
You can also press the RESET button on the rear panel to reset the factory defaults of your
ZyWALL. Refer to Section 2.3 on page 67 for more information on the RESET button.
31.12 Restart Screen
System restart allows you to reboot the ZyWALL without turning the power off.
Click MAINTENANCE, and then Restart. Click Restart to have the ZyWALL reboot. This
does not affect the ZyWALL's configuration.
Figure 262 Restart Screen
CHAPTER 32
Introducing the SMT
This chapter explains how to access the System Management Terminal and gives an overview
of its menus.
32.1 Introduction to the SMT
The ZyWALL’s SMT (System Management Terminal) is a menu-driven interface that you can
access from a terminal emulator through the console port or over a telnet connection. This
chapter shows you how to access the SMT (System Management Terminal) menus via console
port, how to navigate the SMT and how to configure SMT menus.
32.2 Accessing the SMT via the Console Port
Make sure you have the physical connection properly set up as described in the Quick Start
Guide.
When configuring using the console port, you need a computer equipped with
communications software configured to the following parameters:
• VT100 terminal emulation.
• 9600 Baud.
• No parity, 8 data bits, 1 stop bit, flow control set to none.
32.2.1 Initial Screen
When you turn on your ZyWALL, it performs several internal tests as well as line
initialization.
After the tests, the ZyWALL asks you to press [ENTER] to continue, as shown next.
Figure 263 Initial Screen
Copyright (c) 1994 - 2004 ZyXEL Communications Corp.
initialize ch =0, ethernet address: 00:A0:C5:01:23:45
initialize ch =1, ethernet address: 00:A0:C5:01:23:46
initialize ch =2, ethernet address: 00:A0:C5:01:23:47
initialize ch =3, ethernet address: 00:A0:C5:01:23:48
initialize ch =4, ethernet address: 00:00:00:00:00:00
AUX port init . done
Modem init . inactive
Press ENTER to continue...
32.2.2 Entering the Password
The login screen appears after you press [ENTER], prompting you to enter the password, as
shown below.
For your first login, enter the default password “1234”. As you type the password, the screen
displays an “X” for each character you type.
Please note that if there is no activity for longer than five minutes after you log in, your
ZyWALL will automatically log you out and display a blank screen. If you see a blank screen,
press [ENTER] to bring up the login screen again.
Figure 264 Password Screen
Enter Password : XXXX
32.3 Navigating the SMT Interface
The SMT is an interface that you use to configure your ZyWALL.
Several operations that you should be familiar with before you attempt to modify the
configuration are listed in the table below.
Table 181 Main Menu Commands
OPERATION
KEYSTROKES
DESCRIPTION
Move down to another menu
[ENTER]
To move forward to a submenu, type in the number of the desired submenu and press [ENTER].
Move up to a previous menu
[ESC]
Press the [ESC] key to move back to the previous menu.
Move to a “hidden” menu
Press [SPACE BAR] to change No to Yes, then press [ENTER].
Fields beginning with “Edit” lead to hidden menus and have a default setting of No. Press [SPACE BAR] to change No to Yes, and then press [ENTER] to go to a “hidden” menu.
Move the cursor
[ENTER] or [UP]/[DOWN] arrow keys
Within a menu, press [ENTER] to move to the next field. You can also use the [UP]/[DOWN] arrow keys to move to the previous and the next field, respectively.
When you are at the top of a menu, press the [UP] arrow key to move to the bottom of a menu.
Entering information
Fill in, or press [SPACE BAR], then press [ENTER] to select from choices.
You need to fill in two types of fields. The first requires you to type in the appropriate information. The second allows you to cycle through the available choices by pressing [SPACE BAR].
Required fields
<?>
All fields with the symbol <?> must be filled in order to be able to save the new configuration.
N/A fields
<N/A>
Some of the fields in the SMT will show a <N/A>. This symbol refers to an option that is Not Applicable.
Save your configuration
[ENTER]
Save your configuration by pressing [ENTER] at the message “Press ENTER to confirm or ESC to cancel”. Saving the data on the screen will take you, in most cases, to the previous menu. Make sure you save your settings in each screen that you configure.
Exit the SMT
Type 99, then press [ENTER].
Type 99 at the main menu prompt and press [ENTER] to exit the SMT interface.
32.3.1 Main Menu
After you enter the password, the SMT displays the ZyWALL Main Menu, as shown next.
This guide uses the ZyWALL 70 menus as an example. The menus may vary slightly for
different ZyWALL models. Not all fields or menus are available on all models.
Figure 265 Main Menu (Router Mode)
Copyright (c) 1994 - 2005 ZyXEL Communications Corp.
ZyWALL 70 Main Menu
Getting Started
1. General Setup
2. WAN Setup
3. LAN Setup
4. Internet Access Setup
5. DMZ Setup
6. Route Setup
7. Wireless Setup
Advanced Applications
11. Remote Node Setup
12. Static Routing Setup
15. NAT Setup
Advanced Management
21. Filter and Firewall Setup
22. SNMP Configuration
23. System Password
24. System Maintenance
25. IP Routing Policy Setup
26. Schedule Setup
99. Exit
Enter Menu Selection Number:
Figure 266 Main Menu (Bridge Mode)
Copyright (c) 1994 - 2005 ZyXEL Communications Corp.
ZyWALL 70 Main Menu
Getting Started
1. General Setup
7. Wireless Setup
Advanced Management
21. Filter and Firewall Setup
22. SNMP Configuration
23. System Password
24. System Maintenance
99. Exit
Enter Menu Selection Number:
The following table describes the fields in this menu.
Table 182 Main Menu Summary
NO. MENU TITLE
FUNCTION
1
General Setup
Use this menu to set up device mode, dynamic DNS and administrative
information.
2
WAN Setup
Use this menu to clone a MAC address from a computer on your LAN
and configure the backup WAN dial-up connection.
3
LAN Setup
Use this menu to apply LAN filters, configure LAN DHCP and TCP/IP
settings.
4
Internet Access Setup
Configure your Internet access setup (Internet address, gateway, login,
etc.) with this menu.
5
DMZ Setup
Use this menu to apply DMZ filters, and configure DHCP and TCP/IP
settings for the DMZ port.
6
Route Setup
This menu is not available on the ZyWALL 5.
Use this menu to configure your WAN route assessment, traffic redirect
properties and failover parameters.
7
Wireless Setup
Use this menu to configure wireless security, WLAN DHCP and TCP/IP
settings for the wireless LAN interface.
11
Remote Node Setup
Use this menu to configure detailed remote node settings (your ISP is
also a remote node) as well as apply WAN filters.
12
Static Routing Setup
Configure IP static routes in this menu.
15
NAT Setup
Use this menu to configure Network Address Translation.
21
Filter and Firewall Setup
Configure filters and activate/deactivate the firewall.
22
SNMP Configuration
Use this menu to configure SNMP-related parameters.
23
System Password
Change your password in this menu (recommended).
24
System Maintenance
From displaying system status to uploading firmware, this menu
provides comprehensive system maintenance.
25
IP Routing Policy Setup
This menu is not available on the ZyWALL 5.
From displaying system status to uploading firmware, this menu
provides comprehensive system maintenance.
26
Schedule Setup
Use this menu to schedule outgoing calls.
99
Exit
Use this menu to exit (necessary for remote configuration).
32.3.2 SMT Menus Overview
The following table gives you an overview of your ZyWALL’s various SMT menus.
Table 183 SMT Menus Overview
MENUS / SUB MENUS
1 General Setup
    1.1 Configure Dynamic DNS
        1.1.1 DDNS Host Summary
        1.1.1 DDNS Edit Host
2 WAN Setup
    2.1 Advanced WAN Setup
3 LAN Setup
    3.1 LAN Port Filter Setup
    3.2 TCP/IP and DHCP Ethernet Setup
        3.2.1 IP Alias Setup
4 Internet Access Setup
5 DMZ Setup
    5.1 DMZ Port Filter Setup
    5.2 TCP/IP and DHCP Ethernet Setup
        5.2.1 IP Alias Setup
6 Route Setup (for the ZyWALL 35 and the ZyWALL 70)
    6.1 Route Assessment
    6.2 Traffic Redirect
    6.3 Route Failover
7 Wireless Setup
    7.1 Wireless Setup
        7.1.1 WLAN MAC Address Filter
    7.2 TCP/IP and DHCP Ethernet Setup
        7.2.1 IP Alias Setup
11 Remote Node Setup
    11.1 Remote Node Profile
        11.1.2 Remote Node Network Layer Options
        11.1.4 Remote Node Filter
        11.1.5 Traffic Redirect Setup (for the ZyWALL 5 only)
    11.2 Remote Node Profile (for the ZyWALL 35 and the ZyWALL 70)
        11.2.2 Remote Node Network Layer Options
        11.2.4 Remote Node Filter
    11.3 Remote Node Profile (Backup ISP)
        11.3.1 Remote Node PPP Options
        11.3.2 Remote Node Network Layer Options
        11.3.3 Remote Node Script
        11.3.4 Remote Node Filter
12 Static Routing Setup
    12.1 Edit Static Route Setup
15 NAT Setup
    15.1 Address Mapping Sets
        15.1.x Address Mapping Rules
            15.1.x.x Address Mapping Rule
    15.2 NAT Server Sets
        15.2.x NAT Server Setup
            15.2.x.x NAT Server Configuration
    15.3 Trigger Ports
        15.3.x Trigger Port Setup
21 Filter and Firewall Setup
    21.1 Filter Set Configuration
        21.1.x Filter Rules Summary
            21.1.x.x Generic Filter Rule
            21.1.x.x TCP/IP Filter Rule
    21.2 Firewall Setup
23 System Password
24 System Maintenance
    24.1 System Status
    24.2 System Information and Console Port Speed
        24.2.1 System Information
        24.2.2 Console Port Speed
    24.3 Log and Trace
        24.3.1 View Error Log
        24.3.2 Syslog Logging
        24.3.4 Call-Triggering Packet
    24.4 Diagnostic
    24.5 Backup Configuration
    24.6 Restore Configuration
    24.7 Upload Firmware
        24.7.1 Upload System Firmware
        24.7.2 Upload System Configuration File
    24.8 Command Interpreter Mode
    24.9 Call Control
        24.9.1 Budget Management
        24.9.2 Call History
    24.10 Time and Date Setting
    24.11 Remote Management Setup
25 IP Routing Policy Summary (for the ZyWALL 35 and the ZyWALL 70)
    25.1 IP Routing Policy Setup
        25.1.1 IP Routing Policy Setup
26 Schedule Setup
    26.1 Schedule Set Setup
32.4 Changing the System Password
Change the system password by following the steps shown next.
1 Enter 23 in the main menu to open Menu 23 - System Password as shown next.
Figure 267 Menu 23: System Password
Menu 23 - System Password
Old Password= ?
New Password= ?
Retype to confirm= ?
Enter here to CONFIRM or ESC to CANCEL:
2 Type your existing password and press [ENTER].
3 Type your new system password and press [ENTER].
4 Re-type your new system password for confirmation and press [ENTER].
Note that as you type a password, the screen displays an “x” for each character you type.
32.5 Resetting the ZyWALL
See Section 2.3 on page 67 for directions on resetting the ZyWALL.
CHAPTER 33
SMT Menu 1 - General Setup
Menu 1 - General Setup contains administrative and system-related information.
33.1 Introduction to General Setup
Menu 1 - General Setup contains administrative and system-related information.
33.2 Configuring General Setup
1 Enter 1 in the main menu to open Menu 1 - General Setup.
2 The Menu 1 - General Setup screen appears, as shown next. Fill in the required fields.
Figure 268 Menu 1: General Setup (Router Mode)
Menu 1 - General Setup
System Name=
Domain Name=
Device Mode= Router Mode
Edit Dynamic DNS= No
Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this menu.
Table 184 Menu 1: General Setup (Router Mode)
System Name: Choose a descriptive name for identification purposes. It is recommended you enter
your computer’s “Computer name” in this field. This name can be up to 30 alphanumeric
characters long. Spaces are not allowed, but dashes “-” and underscores "_" are accepted.
Domain Name: Enter the domain name (if you know it) here. If you leave this field blank, the ISP
may assign a domain name via DHCP. You can go to menu 24.8 and type "sys domain name" to see
the current domain name used by your router.
The domain name entered by you is given priority over the ISP assigned domain name. If you
want to clear this field just press [SPACE BAR] and then [ENTER].
Device Mode: Press [SPACE BAR] and then [ENTER] to select Router Mode.
Edit Dynamic DNS: Press [SPACE BAR] and then [ENTER] to select Yes or No (default). Select Yes
to configure Menu 1.1: Configure Dynamic DNS discussed next.
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to
save your configuration, or press [ESC] at any time to cancel.
Figure 269 Menu 1: General Setup (Bridge Mode)
Menu 1 - General Setup
System Name=
Domain Name=
Device Mode= Bridge Mode
IP Address= 192.168.1.1
Network Mask= 255.255.255.0
Gateway= 0.0.0.0
First System DNS Server
IP Address= 0.0.0.0
Second System DNS Server
IP Address= 0.0.0.0
Third System DNS Server
IP Address= 0.0.0.0
Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields not previously discussed (see Table 184 on page 508).
Table 185 Menu 1: General Setup (Bridge Mode)
Device Mode: Press [SPACE BAR] and then [ENTER] to select Bridge Mode.
IP Address: Enter the IP address of your ZyWALL in dotted decimal notation.
Network Mask: Enter the subnet mask of your ZyWALL.
Gateway: Enter the gateway IP address.
First System DNS Server, Second System DNS Server, Third System DNS Server: Enter the DNS
server's IP address(es) in the IP Address field(s) if you have the IP address(es) of the DNS
server(s).
33.2.1 Configuring Dynamic DNS
To configure Dynamic DNS, set the ZyWALL to router mode in menu 1 or in the
MAINTENANCE Device Mode screen and go to Menu 1 - General Setup and press
[SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to display
Menu 1.1 - Configure Dynamic DNS (shown next).
Figure 270 Menu 1.1: Configure Dynamic DNS
Menu 1.1 - Configure Dynamic DNS
Service Provider= WWW.DynDNS.ORG
Active= No
Username=
Password= ********
Edit Host= No
Press ENTER to Confirm or ESC to Cancel:
Follow the instructions in the next table to configure Dynamic DNS parameters.
Table 186 Menu 1.1: Configure Dynamic DNS
Service Provider: This is the name of your Dynamic DNS service provider.
Active: Press [SPACE BAR] to select Yes and then press [ENTER] to make dynamic DNS active.
Username: Enter your user name.
Password: Enter the password assigned to you.
Edit Host: Press [SPACE BAR] and then [ENTER] to select Yes if you want to configure a DDNS
host.
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to
save your configuration, or press [ESC] at any time to cancel.
33.2.1.1 Editing DDNS Host
To configure a DDNS host, follow the procedure below.
1 Configure your ZyWALL as a router in menu 1 or the MAINTENANCE Device Mode
screen.
2 Enter 1 in the main menu to open Menu 1 - General Setup.
3 Press [SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to
display Menu 1.1 - Configure Dynamic DNS.
4 Press [SPACE BAR] and then [ENTER] to select Yes in the Edit Host field. Press
[ENTER] to display Menu 1.1.1 - DDNS Host Summary.
Figure 271 Menu 1.1.1: DDNS Host Summary
Menu 1.1.1 DDNS Host Summary
#   Summary
--- -------------------------------------------------------
01  Hostname=ZyWALL,
    Type=Dynamic,WC=Yes,Offline=No,Policy=DDNS Server
    Detect, WAN1, HA=Yes
02  _______________________________________________________
    _______________________________________________________
03  _______________________________________________________
    _______________________________________________________
04  _______________________________________________________
    _______________________________________________________
05  _______________________________________________________
    _______________________________________________________
Select Command= None
Select Rule= N/A
Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this screen.
Table 187 Menu 1.1.1: DDNS Host Summary
#: This is the DDNS host index number.
Summary: This displays the details about the DDNS host.
Select Command: Press [SPACE BAR] to choose from None, Edit, Delete, Next Page or Previous
Page and then press [ENTER]. You must select a DDNS host in the next field when you choose
the Edit or Delete commands.
Select None and then press [ENTER] to go to the "Press ENTER to Confirm…" prompt.
Use Edit to create or edit a rule. Use Delete to remove a rule. To edit or delete a DDNS host,
first make sure you are on the correct page. When a rule is deleted, subsequent rules do not
move up in the page list.
Select Next Page or Previous Page to view the next or previous page of DDNS hosts
(respectively).
Select Rule: Type the DDNS host index number you wish to edit or delete and then press
[ENTER].
When you have completed this menu, press [ENTER] at the prompt "Press ENTER to Confirm…" to
save your configuration, or press [ESC] at any time to cancel.
5 Select Edit in the Select Command field; type the index number of the DDNS host you
want to configure in the Select Rule field and press [ENTER] to open Menu 1.1.1 DDNS Edit Host (see the next figure).
Figure 272 Menu 1.1.1: DDNS Edit Host
Menu 1.1.1 - DDNS Edit Host
Hostname= ZyWALL
DDNS Type= DynamicDNS
Enable Wildcard Option= Yes
Enable Off Line Option= N/A
Bind WAN= 1
HA= Yes
IP Address Update Policy:
Let DDNS Server Auto Detect= Yes
Use User-Defined= N/A
Use WAN IP Address= N/A
Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this screen.
Table 188 Menu 1.1.1: DDNS Edit Host
Host Name: Enter your host name in this field.
DDNS Type: Press [SPACE BAR] and then [ENTER] to select DynamicDNS if you have the Dynamic
DNS service.
Select StaticDNS if you have the Static DNS service.
Select CustomDNS if you have the Custom DNS service.
Enable Wildcard Option: Your ZyWALL supports DYNDNS Wildcard. Press [SPACE BAR] and then
[ENTER] to select Yes or No. This field is N/A when you choose DDNS client as your service
provider.
Enable Off Line Option: This field is only available when CustomDNS is selected in the DDNS
Type field.
Press [SPACE BAR] and then [ENTER] to select Yes. When Yes is selected, http://www.dyndns.org/
traffic is redirected to a URL that you have previously specified (see www.dyndns.org for
details).
Bind WAN: Enter the WAN port to use for updating the IP address of the domain name.
HA: Press [SPACE BAR] and then [ENTER] to select Yes to enable the high availability (HA)
feature.
If the WAN port specified in the Bind WAN field does not have a connection, the ZyWALL will
attempt to use the IP address of another WAN port to update the domain name.
When the WAN ports are in the active/passive operating mode, the ZyWALL will update the
domain name with the IP address of whichever WAN port has a connection, regardless of the
setting in the Bind WAN field.
Clear this check box and the ZyWALL will not update the domain name with an IP address if the
WAN port specified in the Bind WAN field does not have a connection.
Note: If you enable high availability, DDNS can also function when the ZyWALL uses the dial
backup port. DDNS does not function when the ZyWALL uses traffic redirect.
Refer to Section 26.10.2 on page 428 for detailed information.
IP Address Update Policy: You can select Yes in either the Let DDNS Server Auto Detect field
(recommended) or the Use User-Defined field, but not both.
With the Let DDNS Server Auto Detect and Use User-Defined fields both set to No, the DDNS
server automatically updates the IP address of the host name(s) with the ZyWALL’s WAN IP
address.
DDNS does not work with a private IP address. When both fields are set to No, the ZyWALL
must have a public WAN IP address in order for DDNS to work.
Let DDNS Server Auto Detect: Only select this option when there are one or more NAT routers
between the ZyWALL and the DDNS server. Press [SPACE BAR] to select Yes and then press
[ENTER] to have the DDNS server automatically detect and use the IP address of the NAT
router that has a public IP address.
Note: The DDNS server may not be able to detect the proper IP address if there is an HTTP
proxy server between the ZyWALL and the DDNS server.
Use User-Defined: Press [SPACE BAR] to select Yes and then press [ENTER] to update the IP
address of the host name(s) to the IP address specified below.
Only select Yes if the ZyWALL uses or is behind a static public IP address.
Use WAN IP Address: Enter the static public IP address if you select Yes in the Use
User-Defined field.
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to
save your configuration, or press [ESC] at any time to cancel.
The IP address updates when you reconfigure menu 1 or perform DHCP client renewal.
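The HA, Bind WAN and IP Address Update Policy rules in Table 188 combine into one decision about what a host update carries and which WAN port supplies it. The Python model below is an added example, not ZyNOS code; the DdnsHost and WanPort names, the active_passive flag and the RFC 1918 reading of "private IP address" are assumptions, and the WAN states are constructed samples.

```python
"""Model of the Menu 1.1.1 DDNS Edit Host update decision (added example, not ZyNOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption: "private IP address" in the manual means the RFC 1918 ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass
class DdnsHost:                # hypothetical: the Menu 1.1.1 fields of one host entry
    hostname: str
    bind_wan: int              # Bind WAN
    ha: bool                   # HA (high availability)
    auto_detect: bool          # Let DDNS Server Auto Detect
    user_defined: bool         # Use User-Defined
    user_defined_ip: str = ""  # Use WAN IP Address


@dataclass
class WanPort:                 # hypothetical: state of one WAN port
    connected: bool
    ip: str


def pick_wan(host: DdnsHost, wans: Dict[int, WanPort], active_passive: bool) -> Optional[int]:
    """Choose the WAN port whose address is advertised, following the HA field rules."""
    up = [n for n in sorted(wans) if wans[n].connected]
    if host.ha and active_passive:
        # Active/passive mode: whichever port has a connection, Bind WAN is ignored.
        return up[0] if up else None
    if wans[host.bind_wan].connected:
        return host.bind_wan
    if host.ha:
        # Bound port has no connection: fall back to another connected WAN port.
        return next((n for n in up if n != host.bind_wan), None)
    return None  # HA off and bound port down: the domain name is not updated


def ddns_update(host: DdnsHost, wans: Dict[int, WanPort], active_passive: bool = False) -> dict:
    """Return what the update request would carry, or the reason none is sent."""
    if host.auto_detect and host.user_defined:
        raise ValueError("Let DDNS Server Auto Detect and Use User-Defined cannot both be Yes")
    wan = pick_wan(host, wans, active_passive)
    if wan is None:
        return {"hostname": host.hostname, "update": False, "reason": "no usable WAN port"}
    if host.auto_detect:
        # No address in the request: the DDNS server uses the public source address it
        # sees, which is what makes this setting work behind a NAT router.
        return {"hostname": host.hostname, "update": True, "wan": wan, "ip": None}
    ip = host.user_defined_ip if host.user_defined else wans[wan].ip
    if is_private(ip):
        # DDNS does not work with a private IP address.
        return {"hostname": host.hostname, "update": False, "reason": f"{ip} is private"}
    return {"hostname": host.hostname, "update": True, "wan": wan, "ip": ip}


if __name__ == "__main__":
    # Constructed sample: WAN 1 down, WAN 2 up with a documentation-range public address.
    wans = {1: WanPort(False, "203.0.113.10"), 2: WanPort(True, "198.51.100.7")}
    host = DdnsHost("ZyWALL", bind_wan=1, ha=True, auto_detect=False, user_defined=False)
    print(ddns_update(host, wans))
```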
CHAPTER 34
WAN and Dial Backup Setup
This chapter describes how to configure the WAN using menu 2 and dial-backup using menus
2.1 and 11.1.
34.1 Introduction to WAN and Dial Backup Setup
This chapter explains how to configure settings for your WAN port and how to configure the
ZyWALL for a dial backup connection.
34.2 WAN Setup
From the main menu, enter 2 to open menu 2.
Figure 273 MAC Address Cloning in WAN Setup
Menu 2 - WAN Setup
WAN 1 MAC Address:
Assigned By= Factory default
IP Address= N/A
WAN 2 MAC Address:
Assigned By= Factory default
IP Address= N/A
Dial-Backup:
Active= No
Port Speed= 115200
AT Command String:
Init= at&fs0=0
Edit Advanced Setup= No
Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this screen.
Table 189 MAC Address Cloning in WAN Setup
(WAN 1/2) MAC Address Assigned By: Press [SPACE BAR] and then [ENTER] to choose one of two
methods to assign a MAC Address. Choose Factory Default to select the factory assigned
default MAC Address. Choose IP address attached on LAN to use the MAC Address of that
computer whose IP you give in the following field.
IP Address: This field is applicable only if you choose the IP address attached on LAN method
in the Assigned By field. Enter the IP address of the computer on the LAN whose MAC you are
cloning.
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to
save your configuration, or press [ESC] at any time to cancel.
34.3 Dial Backup
The Dial Backup port can be used in reserve, as a traditional dial-up connection should the
broadband connection to the WAN port fail. To set up the auxiliary port (Dial Backup) for use
in the event that the regular WAN connection is dropped, first make sure you have set up the
switch and port connection (see the Quick Start Guide), then configure
1 Menu 2 - WAN Setup,
2 Menu 2.1 - Advanced WAN Setup and
3 Menu 11.1 - Remote Node Profile (Backup ISP) as shown next.
Refer also to the section about traffic redirect for information on an alternate backup WAN
connection.
34.4 Configuring Dial Backup in Menu 2
From the main menu, enter 2 to open menu 2.
Figure 274 Menu 2: Dial Backup Setup
Menu 2 - WAN Setup
WAN 1 MAC Address:
Assigned By= Factory default
IP Address= N/A
WAN 2 MAC Address:
Assigned By= Factory default
IP Address= N/A
Dial-Backup:
Active= No
Port Speed= 115200
AT Command String:
Init= at&fs0=0
Edit Advanced Setup= Yes
Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this menu.
Table 190 Menu 2: Dial Backup Setup
Dial-Backup: Active: Use this field to turn the dial-backup feature on (Yes) or off (No).
Port Speed: Press [SPACE BAR] and then press [ENTER] to select the speed of the connection
between the Dial Backup port and the external device.
Available speeds are:
9600, 19200, 38400, 57600, 115200 or 230400 bps.
AT Command String: Init: Enter the AT command string to initialize the WAN device. Consult
the manual of your WAN device connected to your Dial Backup port for specific AT commands.
Edit Advanced Setup: To edit the advanced setup for the Dial Backup port, move the cursor to
this field; press the [SPACE BAR] to select Yes and then press [ENTER] to go to Menu 2.1
Advanced Setup.
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to
save your configuration, or press [ESC] at any time to cancel.
34.5 Advanced WAN Setup
Note: Consult the manual of your WAN device connected to your Dial Backup port for
specific AT commands.
To edit the advanced setup for the Dial Backup port, move the cursor to the Edit Advanced
Setup field in Menu 2 - WAN Setup, press the [SPACE BAR] to select Yes and then press
[ENTER].
Figure 275 Menu 2.1: Advanced WAN Setup
Menu 2.1 - Advanced WAN Setup
AT Command Strings:
Dial= atdt
Drop= ~~+++~~ath
Answer= ata
Drop DTR When Hang Up= Yes
Call Control:
Dial Timeout(sec)= 60
Retry Count= 0
Retry Interval(sec)= N/A
Drop Timeout(sec)= 20
Call Back Delay(sec)= 15
AT Response Strings:
CLID= NMBR =
Called Id=
Speed= CONNECT
Press ENTER to Confirm or ESC to Cancel:
The following table describes fields in this menu.
Table 191 Advanced WAN Port Setup: AT Commands Fields
AT Command Strings: Dial: Enter the AT Command string to make a call.
Drop: Enter the AT Command string to drop a call. “~” represents a one second wait, e.g.,
“~~~+++~~ath” can be used if your modem has a slow response time.
Answer: Enter the AT Command string to answer a call.
Drop DTR When Hang Up: Press the [SPACE BAR] to choose either Yes or No. When Yes is selected
(the default), the DTR (Data Terminal Ready) signal is dropped after the “AT Command String:
Drop” is sent out.
AT Response Strings: CLID (Calling Line Identification): Enter the keyword that precedes the
CLID (Calling Line Identification) in the AT response string. This lets the ZyWALL capture
the CLID in the AT response string that comes from the WAN device. CLID is required for CLID
authentication.
Called Id: Enter the keyword preceding the dialed number.
Speed: Enter the keyword preceding the connection speed.
Table 192 Advanced WAN Port Setup: Call Control Parameters
Call Control: Dial Timeout (sec): Enter a number of seconds for the ZyWALL to keep trying to
set up an outgoing call before timing out (stopping). The ZyWALL times out and stops if it
cannot set up an outgoing call within the timeout value.
Retry Count: Enter a number of times for the ZyWALL to retry a busy or no-answer phone number
before blacklisting the number.
Retry Interval (sec): Enter a number of seconds for the ZyWALL to wait before trying another
call after a call has failed. This applies before a phone number is blacklisted.
Drop Timeout (sec): Enter a number of seconds for the ZyWALL to wait before dropping the DTR
signal if it does not receive a positive disconnect confirmation.
Call Back Delay (sec): Enter a number of seconds for the ZyWALL to wait between dropping a
callback request call and dialing the corresponding callback call.
34.6 Remote Node Profile (Backup ISP)
On a ZyWALL with multiple WAN ports, enter 3 in Menu 11 - Remote Node Setup to open
Menu 11.3 - Remote Node Profile (Backup ISP) (shown below) and configure the setup for
your Dial Backup port connection.
On a ZyWALL with a single WAN port, enter 2 in Menu 11 - Remote Node Setup to open
Menu 11.2 - Remote Node Profile (Backup ISP) and configure the setup for your Dial
Backup port connection.
Figure 276 Menu 11.3: Remote Node Profile (Backup ISP)
Menu 11.3 - Remote Node Profile (Backup ISP)
Rem Node Name=
Active= No
Edit PPP Options= No
Outgoing:
My Login= ChangeMe
My Password= ********
Retype to Confirm= ********
Authen= CHAP/PAP
Pri Phone #= 0
Sec Phone #=
Edit IP= No
Edit Script Options= No
Telco Option:
Allocated Budget(min)= 0
Period(hr)= 0
Schedules=
Always On= No
Session Options:
Edit Filter Sets= No
Idle Timeout(sec)= 100
Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this menu.
Table 193 Menu 11.3: Remote Node Profile (Backup ISP)
Rem Node Name: Enter a descriptive name for the remote node. This field can be up to eight
characters.
Active: Press [SPACE BAR] and then [ENTER] to select Yes to enable the remote node or No to
disable the remote node.
Outgoing: My Login: Enter the login name assigned by your ISP for this remote node.
My Password: Enter the password assigned by your ISP for this remote node.
Retype to Confirm: Enter your password again to make sure that you have entered it correctly.
Authen: This field sets the authentication protocol used for outgoing calls.
Options for this field are:
CHAP/PAP - Your ZyWALL will accept either CHAP or PAP when requested by this remote node.
CHAP - accept CHAP only.
PAP - accept PAP only.
Pri Phone #, Sec Phone #: Enter the first (primary) phone number from the ISP for this remote
node. If the Primary Phone number is busy or does not answer, your ZyWALL dials the
Secondary Phone number if available. Some areas require dialing the pound sign # before the
phone number for local calls. Include a # symbol at the beginning of the phone numbers as
required.
Edit PPP Options: Move the cursor to this field and use the space bar to select [Yes] and
press [Enter] to edit the PPP options for this remote node. This brings you to Menu 11.3.1 -
Remote Node PPP Options (see Section 34.7 on page 520).
Edit IP: This field leads to a “hidden” menu. Press [SPACE BAR] to select Yes and press
[ENTER] to go to Menu 11.3.2 - Remote Node Network Layer Options. See Section 34.8 on page
521 for more information.
Edit Script Options: Press [SPACE BAR] to select Yes and press [ENTER] to edit the AT script
for the dial backup remote node (Menu 11.3.3 - Remote Node Script). See Section 34.9 on page
523 for more information.
Telco Option: Allocated Budget: Enter the maximum number of minutes that this remote node may
be called within the time period configured in the Period field. The default for this field
is 0 meaning there is no budget control and no time limit for accessing this remote node.
Period(hr): Enter the time period (in hours) for how often the budget should be reset. For
example, to allow calls to this remote node for a maximum of 10 minutes every hour, set the
Allocated Budget to 10 (minutes) and the Period to 1 (hour).
Schedules: You can apply up to four schedule sets here. For more details please refer to
Chapter 51 on page 648.
Always On: Press [SPACE BAR] to select Yes to set this connection to be on all the time,
regardless of whether or not there is any traffic. Select No to have this connection act as a
dial-up connection.
Session Options: Edit Filter Sets: This field leads to another “hidden” menu. Use [SPACE BAR]
to select Yes and press [ENTER] to open menu 11.3.4 to edit the filter sets. See Section
34.10 on page 525 for more details.
Idle Timeout: Enter the number of seconds of idle time (when there is no traffic from the
ZyWALL to the remote node) that can elapse before the ZyWALL automatically disconnects the
PPP connection. This option only applies when the ZyWALL initiates the call.
Once you have configured this menu, press [ENTER] at the message “Press ENTER to Confirm...” to
save your configuration, or press [ESC] at any time to cancel.
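The Retry Count and Retry Interval fields of Menu 2.1 (Table 192) work together with the Pri Phone # and Sec Phone # fields of Menu 11.3 (Table 193): the secondary number is dialed when the primary is busy or unanswered, the interval is waited only while a number can still be retried, and a number that keeps failing is blacklisted. The following Python model is an added example, not ZyNOS code; the Dialer class, the constructed outcome lists and the reading of Retry Count as retries beyond the first attempt are assumptions.

```python
"""Dial retry and blacklist model for the Menu 2.1 Call Control fields and the Menu 11.3
phone number fields (added example, not ZyNOS code; semantics simplified)."""
from typing import Dict, List, Set, Tuple


class Dialer:  # hypothetical: one Backup ISP remote node's dial-out state
    def __init__(self, pri_phone: str, sec_phone: str, retry_count: int, retry_interval: int):
        # Sec Phone # may be blank, in which case only the primary number is dialed.
        self.numbers = [n for n in (pri_phone, sec_phone) if n]
        self.retry_count = retry_count        # Menu 2.1 Retry Count
        self.retry_interval = retry_interval  # Menu 2.1 Retry Interval(sec)
        self.failures: Dict[str, int] = {n: 0 for n in self.numbers}
        self.blacklist: Set[str] = set()
        self.log: List[str] = []

    def dial(self, outcomes: Dict[str, List[str]]) -> Tuple[bool, int]:
        """outcomes maps a number to constructed results ("busy", "no-answer", "connect")
        consumed in order; a number with no result left is treated as no-answer.
        Returns (connected, seconds spent waiting in retry intervals)."""
        waited = 0
        while True:
            candidates = [n for n in self.numbers if n not in self.blacklist]
            if not candidates:
                self.log.append("all numbers blacklisted; giving up")
                return False, waited
            for number in candidates:
                # Primary first; the secondary is dialed if the primary is busy or unanswered.
                result = outcomes[number].pop(0) if outcomes.get(number) else "no-answer"
                self.log.append(f"dial {number}: {result}")
                if result == "connect":
                    return True, waited
                self.failures[number] += 1
                # Assumption: Retry Count is the number of retries after the first failure.
                if self.failures[number] > self.retry_count:
                    self.blacklist.add(number)
                    self.log.append(f"blacklist {number}")
            if any(n not in self.blacklist for n in candidates):
                # Retry Interval applies only before a number is blacklisted.
                waited += self.retry_interval


if __name__ == "__main__":
    # Constructed sample: primary busy twice, secondary unanswered once then connects.
    d = Dialer("5551000", "5552000", retry_count=1, retry_interval=30)
    connected, waited = d.dial({"5551000": ["busy", "busy"], "5552000": ["no-answer", "connect"]})
    print(connected, waited)
    print("\n".join(d.log))
```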
34.7 Editing PPP Options
The ZyWALL’s dial back-up feature uses PPP. To edit the remote node PPP Options, move the
cursor to the Edit PPP Options field in Menu 11.3 - Remote Node Profile (Backup ISP),
and use the space bar to select Yes. Press [Enter] to open Menu 11.3.1 - Remote Node PPP
Options as shown next.
Figure 277 Menu 11.3.1: Remote Node PPP Options
Menu 11.3.1 - Remote Node PPP Options
Encapsulation= Standard PPP
Compression= No
Enter here to CONFIRM or ESC to CANCEL:
This table describes the Remote Node PPP Options Menu, and contains instructions on how to
configure the PPP options fields.
Table 194 Menu 11.3.1: Remote Node PPP Options
Encapsulation: Press [SPACE BAR] and then [ENTER] to select CISCO PPP if your Dial Backup WAN
device uses Cisco PPP encapsulation, otherwise select Standard PPP.
Compression: Press [SPACE BAR] and then [ENTER] to select Yes to enable or No to disable Stac
compression.
Once you have configured this menu, press [ENTER] at the message “Press ENTER to Confirm...” to
save your configuration, or press [ESC] at any time to cancel.
34.8 Editing TCP/IP Options
Move the cursor to the Edit IP field in menu 11.3, then press [SPACE BAR] to select Yes.
Press [ENTER] to open Menu 11.3.2 - Remote Node Network Layer Options. Not all fields
are available on all models.
Figure 278 Menu 11.3.2: Remote Node Network Layer Options
Menu 11.3.2 - Remote Node Network Layer Options
IP Address Assignment= Static
Rem IP Addr= 0.0.0.0
Rem Subnet Mask= 0.0.0.0
My WAN Addr= 0.0.0.0
Network Address Translation= SUA Only
NAT Lookup Set= 255
Metric= 15
Private= No
RIP Direction= None
Version= N/A
Multicast= None
Enter here to CONFIRM or ESC to CANCEL:
The following table describes the fields in this menu.
Table 195 Menu 11.3.2: Remote Node Network Layer Options
IP Address Assignment: If your ISP did not assign you a fixed IP address, press [SPACE BAR]
and then [ENTER] to select Dynamic, otherwise select Static and enter the IP address and
subnet mask in the following fields.
Rem IP Address: Enter the (fixed) IP address assigned to you by your ISP (static IP address
assignment is selected in the previous field).
Rem Subnet Mask: Enter the subnet mask associated with your static IP.
My WAN Addr: Leave the field set to 0.0.0.0 to have the ISP or other remote router
dynamically (automatically) assign your WAN IP address if you do not know it. Enter your WAN
IP address here if you know it (static).
This is the address assigned to your local ZyWALL, not the remote router.
Network Address Translation: Network Address Translation (NAT) allows the translation of an
Internet protocol address used within one network (for example a private IP address used in
a local network) to a different IP address known within another network (for example a
public IP address used on the Internet).
Press [SPACE BAR] and then [ENTER] to select either Full Feature, None or SUA Only.
Choose None to disable NAT.
Choose SUA Only if you have a single public IP address. SUA (Single User Account) is a subset
of NAT that supports two types of mapping: Many-to-One and Server.
Choose Full Feature if you have multiple public IP addresses. Full Feature mapping types
include: One-to-One, Many-to-One (SUA/PAT), Many-to-Many Overload, Many-One-to-One and
Server. When you select Full Feature you must configure at least one address mapping set.
See Chapter 22 on page 374 for a full discussion on this feature.
NAT Lookup Set: If you select SUA Only in the Network Address Translation field, it displays
255 and indicates the SMT will use the pre-configured Set 255 (read only) in menu 15.1.
If you select Full Feature or None in the Network Address Translation field, it displays 1,
2 or 3 and indicates the SMT will use the pre-configured Set 1 in menu 15.1 for the first WAN
port, Set 2 in menu 15.1 for the second WAN port and Set 3 for the Backup port.
Refer to Section 42.2 on page 564 for more information.
Metric: Enter a number from 1 to 15 to set this route’s priority among the ZyWALL’s routes.
The smaller the number, the higher priority the route has.
Private: This parameter determines if the ZyWALL will include the route to this remote node
in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP
broadcasts. If No, the route to this remote node will be propagated to other hosts through
RIP broadcasts.
RIP Direction: Press [SPACE BAR] and then [ENTER] to select the RIP Direction from Both, In
Only, Out Only and None.
Version: Press [SPACE BAR] and then [ENTER] to select the RIP version from RIP-1, RIP-2B and
RIP-2M.
Multicast: IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to
establish membership in a Multicast group. The ZyWALL supports both IGMP version 1 (IGMPv1)
and version 2 (IGMPv2). Press the [SPACE BAR] to enable IP Multicasting or select None to
disable it. See Chapter 5 on page 110 for more information on this feature.
Once you have completed filling in Menu 11.3.2 Remote Node Network Layer Options, press
[ENTER] at the message “Press ENTER to Confirm...” to save your configuration and return to menu
11.3, or press [ESC] at any time to cancel.
34.9 Editing Login Script
For some remote gateways, text login is required before PPP negotiation is started. The
ZyWALL provides a script facility for this purpose. The script has six programmable sets;
each set is composed of an ‘Expect’ string and a ‘Send’ string. After matching a message from
the server to the ‘Expect’ field, the ZyWALL returns the set’s ‘Send’ string to the server.
For instance, a typical login sequence starts with the server printing a banner, a login prompt
for you to enter the user name and a password prompt to enter the password:
Welcome to Acme, Inc.
Login: myLogin
Password:
To handle the first prompt, you specify “ogin: ” as the ‘Expect’ string and “myLogin” as
the ‘Send’ string in set 1. The reason for leaving out the leading “L” is to avoid having to know
exactly whether it is upper or lower case. Similarly, you specify “word: ” as the ‘Expect’
string and your password as the ‘Send’ string for the second prompt in set 2.
You can use two variables, $USERNAME and $PASSWORD (all UPPER case), to represent the
actual user name and password in the script, so they will not show in the clear. They are
replaced with the outgoing login name and password in the remote node when the ZyWALL
sees them in a ‘Send’ string. Please note that both variables must be entered exactly as
shown. No other characters may appear before or after, either, i.e., they must be used alone in
response to login and password prompts.
Please note that the ordering of the sets is significant, i.e., starting from set 1, the ZyWALL
will wait until the ‘Expect’ string is matched before it proceeds to set 2, and so on for the rest
of the script. When both the ‘Expect’ and the ‘Send’ fields of the current set are empty, the
ZyWALL will terminate the script processing and start PPP negotiation. This implies two
things: first, the sets must be contiguous; the sets after an empty one are ignored. Second, the
last set should match the final message sent by the server. For instance, if the server prints:
login successful.
Starting PPP...
after you enter the password, then you should create a third set to match the final “PPP...”
but without a “Send” string. Otherwise, the ZyWALL will start PPP prematurely right after
sending your password to the server.
If there are errors in the script and it gets stuck at a set for longer than the “Dial Timeout” in
menu 2 (default 60 seconds), the ZyWALL will timeout and drop the line. To debug a script,
go to Menu 24.4 to initiate a manual call and watch the trace display to see if the sequence of
messages and prompts from the server differs from what you expect.
Figure 279 Menu 11.3.3: Remote Node Script
Menu 11.3.3 - Remote Node Script
Active= No
Set 1:
Expect=
Send=
Set 2:
Expect=
Send=
Set 3:
Expect=
Send=
Set 4:
Expect=
Send=
Set 5:
Expect=
Send=
Set 6:
Expect=
Send=
Enter here to CONFIRM or ESC to CANCEL:
The following table describes the fields in this menu.
Table 196 Menu 11.3.3: Remote Node Script
Active: Press [SPACE BAR] and then [ENTER] to select either Yes to enable the AT strings or
No to disable them.
Set 1-6: Expect: Enter an Expect string to match. After matching the Expect string, the
ZyWALL returns the string in the Send field.
Set 1-6: Send: Enter a string to send out after the Expect string is matched.
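The script rules of Section 34.9 (sets processed in order, $USERNAME and $PASSWORD substituted only when used alone, processing stopped at the first empty set, a final set needed to match the server's last message, and the Dial Timeout when a set is stuck) are modelled by this added Python example, which is not ZyNOS code. FakeServer is a constructed stand-in for the remote gateway with a made-up transcript, and one read that returns no data is assumed to cost one second toward Dial Timeout.

```python
"""Expect/Send login script runner modelled on Menu 11.3.3 (added example, not ZyNOS code)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ScriptSet:  # one of the six Expect/Send sets
    expect: str = ""
    send: str = ""


def expand(send: str, username: str, password: str) -> str:
    """$USERNAME / $PASSWORD are substituted only when they form the whole Send string."""
    if send == "$USERNAME":
        return username
    if send == "$PASSWORD":
        return password
    return send


class FakeServer:
    """Constructed stand-in for the remote gateway. Chunk i of the transcript is printed
    only after i lines have been received, so prompts appear in response to our input."""

    def __init__(self, transcript: List[str]):
        self.transcript = list(transcript)
        self.received: List[str] = []
        self.pos = 0  # number of chunks the ZyWALL side has read so far

    def read(self) -> str:
        """Return the next chunk, or "" if nothing arrived during this one-second tick."""
        if self.pos < len(self.transcript) and self.pos <= len(self.received):
            chunk = self.transcript[self.pos]
            self.pos += 1
            return chunk
        return ""

    def write(self, line: str) -> None:
        self.received.append(line)


def run_script(sets: List[ScriptSet], server: FakeServer, username: str, password: str,
               dial_timeout: int = 60) -> Tuple[str, List[str]]:
    """Walk the sets in order. Returns ("ppp", lines_sent) when script processing ends and
    PPP negotiation would start, or ("timeout", lines_sent) if a set stays unmatched for
    longer than Dial Timeout (menu 2, default 60 seconds)."""
    sent: List[str] = []
    buf = ""
    for s in sets:
        if s.expect == "" and s.send == "":
            break  # an empty set ends the script; any sets after it are ignored
        idle_ticks = 0
        while s.expect not in buf:
            chunk = server.read()
            if chunk == "":
                idle_ticks += 1
                if idle_ticks >= dial_timeout:
                    return "timeout", sent  # the ZyWALL would drop the line here
            buf += chunk
        # Consume up to and including the match so the same prompt is not matched twice.
        buf = buf[buf.index(s.expect) + len(s.expect):]
        if s.send:
            line = expand(s.send, username, password)
            server.write(line)
            sent.append(line)
    return "ppp", sent


# Constructed transcript following the Acme example in the text.
TRANSCRIPT = ["Welcome to Acme, Inc.\r\nLogin: ", "Password: ",
              "login successful.\r\nStarting PPP...\r\n"]

if __name__ == "__main__":
    sets = [ScriptSet("ogin: ", "$USERNAME"), ScriptSet("word: ", "$PASSWORD"),
            ScriptSet("PPP...", "")]
    server = FakeServer(TRANSCRIPT)
    print(run_script(sets, server, "myLogin", "example-password"))
    print("server output consumed:", server.pos, "of", len(TRANSCRIPT))
```

Running the same script without the third set still returns "ppp", but server.pos stays at 2: the "Starting PPP..." message is never waited for, which is the premature PPP start the text warns about.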
34.10 Remote Node Filter
Move the cursor to the field Edit Filter Sets in menu 11.3, and then press [SPACE BAR] to
set the value to Yes. Press [ENTER] to open Menu 11.3.4 - Remote Node Filter.
Use menu 11.3.4 to specify the filter set(s) to apply to the incoming and outgoing traffic
between this remote node and the ZyWALL to prevent certain packets from triggering calls.
You can specify up to four filter sets separated by commas, for example, 1, 5, 9, 12, in each
filter field. Note that spaces are accepted in this field. Please refer to Chapter 44 on page 584
for more information on defining the filters.
Figure 280 Menu 11.3.4: Remote Node Filter
Menu 11.3.4 - Remote Node Filter
Input Filter Sets:
protocol filters=
device filters=
Output Filter Sets:
protocol filters=
device filters=
Call Filter Sets:
protocol filters=
device filters=
Enter here to CONFIRM or ESC to CANCEL:
CHAPTER 35
LAN Setup
This chapter describes how to configure the LAN using Menu 3 - LAN Setup.
35.1 Introduction to LAN Setup
This chapter describes how to configure the ZyWALL for LAN and wireless LAN
connections.
35.2 Accessing the LAN Menus
From the main menu, enter 3 to open Menu 3 - LAN Setup.
Figure 281 Menu 3: LAN Setup
Menu 3 - LAN Setup
1. LAN Port Filter Setup
2. TCP/IP and DHCP Setup
Enter Menu Selection Number:
35.3 LAN Port Filter Setup
This menu allows you to specify the filter sets that you wish to apply to the LAN traffic. You
seldom need to filter LAN traffic; however, filter sets may be useful to block certain packets,
reduce traffic and prevent security breaches.
Figure 282 Menu 3.1: LAN Port Filter Setup
Menu 3.1 - LAN Port Filter Setup
Input Filter Sets:
protocol filters=
device filters=
Output Filter Sets:
protocol filters=
device filters=
Press ENTER to Confirm or ESC to Cancel:
35.4 TCP/IP and DHCP Ethernet Setup Menu
From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155)
and DHCP Ethernet setup.
Figure 283 Menu 3: TCP/IP and DHCP Setup
Menu 3 - LAN Setup
1. LAN Port Filter Setup
2. TCP/IP and DHCP Setup
Enter Menu Selection Number:
From menu 3, select the submenu option TCP/IP and DHCP Setup and press [ENTER]. The
screen now displays Menu 3.2 - TCP/IP and DHCP Ethernet Setup, as shown next. Not all
fields are available on all models.
Figure 284 Menu 3.2: TCP/IP and DHCP Ethernet Setup
Menu 3.2 - TCP/IP and DHCP Ethernet Setup
DHCP= Server
Client IP Pool:
Starting Address= 192.168.1.33
Size of Client IP Pool= 128
TCP/IP Setup:
IP Address= 192.168.1.1
IP Subnet Mask= 255.255.255.0
RIP Direction= Both
Version= RIP-1
Multicast= None
Edit IP Alias= No
DHCP Server Address= N/A
Press ENTER to Confirm or ESC to Cancel:
Follow the instructions in the next table on how to configure the DHCP fields.
Table 197 Menu 3.2: DHCP Ethernet Setup Fields
DHCP: This field enables or disables the DHCP server. If set to Server, your ZyWALL will act as a DHCP server. If set to None, the DHCP server will be disabled. If set to Relay, the ZyWALL acts as a surrogate DHCP server and relays requests and responses between the remote server and the clients. When set to Server, the following items need to be set:
Client IP Pool, Starting Address: This field specifies the first of the contiguous addresses in the IP address pool.
Client IP Pool, Size of Client IP Pool: This field specifies the size, or count, of the IP address pool.
First DNS Server, Second DNS Server, Third DNS Server: The ZyWALL passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients.
Select From ISP if your ISP dynamically assigns DNS server information (and the ZyWALL's WAN IP address). The IP Address field below displays the (read-only) DNS server IP address that the ISP assigns.
Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the IP Address field below. If you chose User-Defined, but leave the IP address set to 0.0.0.0, User-Defined changes to None after you save your changes. If you set a second choice to User-Defined, and enter the same IP address, the second User-Defined changes to None after you save your changes.
Select DNS Relay to have the ZyWALL act as a DNS proxy. The ZyWALL's LAN IP address displays in the IP Address field below (read-only). The ZyWALL tells the DHCP clients on the LAN that the ZyWALL itself is the DNS server. When a computer on the LAN sends a DNS query to the ZyWALL, the ZyWALL forwards the query to the ZyWALL's system DNS server (configured in menu 1) and relays the response back to the computer. You can only select DNS Relay for one of the three servers; if you select DNS Relay for a second or third DNS server, that choice changes to None after you save your changes.
Select None if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
DHCP Server Address: If Relay is selected in the DHCP field above, then type the IP address of the actual, remote DHCP server here.
Use the instructions in the following table to configure TCP/IP parameters for the LAN port.
Note: LAN and DMZ IP addresses must be on separate subnets.
Table 198 Menu 3.2: LAN TCP/IP Setup Fields
TCP/IP Setup, IP Address: Enter the IP address of your ZyWALL in dotted decimal notation.
IP Subnet Mask: Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
RIP Direction: Press [SPACE BAR] and then [ENTER] to select the RIP direction. Options are: Both, In Only, Out Only or None.
Version: Press [SPACE BAR] and then [ENTER] to select the RIP version. Options are: RIP-1, RIP-2B or RIP-2M.
Multicast: IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group. The ZyWALL supports both IGMP version 1 (IGMP-v1) and version 2 (IGMP-v2). Press [SPACE BAR] and then [ENTER] to enable IP Multicasting or select None (default) to disable it.
Edit IP Alias: The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LAN network. Press [SPACE BAR] to select Yes and then press [ENTER] to display menu 3.2.1.
When you have completed this menu, press [ENTER] at the prompt [Press ENTER to Confirm…] to
save your configuration, or press [ESC] at any time to cancel.
35.4.1 IP Alias Setup
IP alias allows you to partition a physical network into different logical networks over the
same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single
physical Ethernet interface with the ZyWALL itself as the gateway for each LAN network.
You must use menu 3.2 to configure the first network. Move the cursor to the Edit IP Alias
field, press [SPACE BAR] to choose Yes and press [ENTER] to configure the second and
third network.
Press [ENTER] to open Menu 3.2.1 - IP Alias Setup, as shown next.
Figure 285 Menu 3.2.1: IP Alias Setup
Menu 3.2.1 - IP Alias Setup
IP Alias 1= Yes
IP Address= 192.168.2.1
IP Subnet Mask= 255.255.255.0
RIP Direction= None
Version= RIP-1
Incoming protocol filters=
Outgoing protocol filters=
IP Alias 2= No
IP Address= N/A
IP Subnet Mask= N/A
RIP Direction= N/A
Version= N/A
Incoming protocol filters= N/A
Outgoing protocol filters= N/A
Enter here to CONFIRM or ESC to CANCEL:
Use the instructions in the following table to configure IP alias parameters.
Table 199 Menu 3.2.1: IP Alias Setup
IP Alias 1, 2: Choose Yes to configure the LAN network for the ZyWALL.
IP Address: Enter the IP address of your ZyWALL in dotted decimal notation.
IP Subnet Mask: Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
RIP Direction: Press [SPACE BAR] and then [ENTER] to select the RIP direction. Options are Both, In Only, Out Only or None.
Version: Press [SPACE BAR] and then [ENTER] to select the RIP version. Options are RIP-1, RIP-2B or RIP-2M.
Incoming Protocol Filters: Enter the filter set(s) you wish to apply to the incoming traffic between this node and the ZyWALL.
Outgoing Protocol Filters: Enter the filter set(s) you wish to apply to the outgoing traffic between this node and the ZyWALL.
When you have completed this menu, press [ENTER] at the prompt [Press ENTER to Confirm…] to
save your configuration, or press [ESC] at any time to cancel.
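The two rules this chapter states but does not check for you are that the LAN, DMZ and WLAN networks (and any IP alias networks) must be on separate subnets, and that the DHCP client pool of Menu 3.2 is defined only by a starting address and a size, so it can silently run past the end of the LAN subnet or include the ZyWALL's own address. The following Python check is an added example and not ZyXEL firmware code; the interface names and addresses are constructed from the sample screens in this chapter and the DMZ chapter.

```python
"""Check an interface plan against the manual's notes: LAN, DMZ and WLAN
(and any IP alias networks) must each be on a separate subnet, and the DHCP
client pool of Menu 3.2 must lie inside the LAN subnet without covering the
ZyWALL's own address. Constructed addresses; not ZyXEL firmware code."""
import ipaddress
from typing import List, Optional, Tuple

Interface = Tuple[str, str, str]   # (name, IP address, subnet mask)
Pool = Tuple[str, str, int]        # (interface name, starting address, pool size)


def subnet_of(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Network that an interface address/mask pair belongs to."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def pool_bounds(start: str, size: int):
    """First and last address of a contiguous DHCP pool."""
    first = ipaddress.ip_address(start)
    return first, first + (size - 1)


def check_plan(interfaces: List[Interface], pool: Optional[Pool] = None) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    nets = [(name, subnet_of(ip, mask)) for name, ip, mask in interfaces]

    # Every pair of interfaces must be on disjoint subnets.
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            (a, anet), (b, bnet) = nets[i], nets[j]
            if anet.overlaps(bnet):
                problems.append(f"{a} {anet} overlaps {b} {bnet}")

    if pool is not None:
        name, start, size = pool
        net = dict(nets)[name]
        gateway = ipaddress.ip_address(next(ip for n, ip, _ in interfaces if n == name))
        first, last = pool_bounds(start, size)
        # The pool must stay inside the usable host range of that subnet.
        if first <= net.network_address or last >= net.broadcast_address:
            problems.append(f"{name} DHCP pool {first}-{last} leaves subnet {net}")
        # The ZyWALL's own address must never be handed out to a client.
        if first <= gateway <= last:
            problems.append(f"{name} DHCP pool {first}-{last} includes gateway {gateway}")
    return problems


# Constructed plan taken from the sample screens (Menu 3.2, 3.2.1 and 5.2).
GOOD_PLAN = [
    ("LAN", "192.168.1.1", "255.255.255.0"),
    ("DMZ", "10.10.2.1", "255.255.255.0"),
    ("IP Alias 1", "192.168.2.1", "255.255.255.0"),
]
GOOD_POOL = ("LAN", "192.168.1.33", 128)

# Constructed plan whose DMZ sits inside the LAN subnet.
BAD_PLAN = [
    ("LAN", "192.168.1.1", "255.255.255.0"),
    ("DMZ", "192.168.1.129", "255.255.255.128"),
]

if __name__ == "__main__":
    print(check_plan(GOOD_PLAN, GOOD_POOL))   # expect: no problems
    print(check_plan(BAD_PLAN))               # expect: one overlap
```

The pool check is the one worth keeping to hand: a Starting Address of 192.168.1.200 with a Size of Client IP Pool of 128 ends at 192.168.2.71, outside a /24 LAN, and a pool that starts at 192.168.1.1 hands the ZyWALL's own address to a client.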
CHAPTER 36
Internet Access
This chapter shows you how to configure your ZyWALL for Internet access.
36.1 Introduction to Internet Access Setup
Use information from your ISP along with the instructions in this chapter to set up your
ZyWALL to access the Internet. There are three different menu 4 screens depending on
whether you chose Ethernet, PPTP or PPPoE Encapsulation. Contact your ISP to
determine what encapsulation type you should use.
Note: This menu configures WAN 1 on a ZyWALL with multiple WAN ports. Configure
the WAN 2 port in Menu 11.2 - Remote Node Profile or in the WAN WAN 2
screen via the web configurator.
36.2 Ethernet Encapsulation
If you choose Ethernet in menu 4 you will see the next menu.
Figure 286 Menu 4: Internet Access Setup (Ethernet)
Menu 4 - Internet Access Setup
ISP's Name= WAN_1
Encapsulation= Ethernet
Service Type= Standard
My Login= N/A
My Password= N/A
Retype to Confirm= N/A
Login Server= N/A
Relogin Every (min)= N/A
IP Address Assignment= Dynamic
IP Address= N/A
IP Subnet Mask= N/A
Gateway IP Address= N/A
Network Address Translation= SUA Only
Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this menu.
Table 200 Menu 4: Internet Access Setup (Ethernet)
ISP's Name: This is the descriptive name of your ISP for identification purposes.
Encapsulation: Press [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for the IP Address field.
Service Type: Press [SPACE BAR] and then [ENTER] to select Standard, RR-Toshiba (RoadRunner Toshiba authentication method), RR-Manager (RoadRunner Manager authentication method), RR-Telstra or Telia Login. Choose a RoadRunner flavor if your ISP is Time Warner's RoadRunner; otherwise choose Standard.
Note: DSL users must choose the Standard option only. The My Login, My Password and Login Server fields are not applicable in this case.
My Login: Enter the login name given to you by your ISP.
My Password: Enter the password given to you by your ISP.
Retype to Confirm: Enter your password again to make sure that you have entered it correctly.
Login Server: The ZyWALL will find the RoadRunner Server IP if this field is left blank. If it does not, then you must enter the authentication server IP address.
Relogin Every (min): This field is available when you select Telia Login in the Service Type field. The Telia server logs the ZyWALL out if the ZyWALL does not log in periodically. Type the number of minutes from 1 to 59 (30 recommended) for the ZyWALL to wait between logins.
IP Address Assignment: If your ISP did not assign you a fixed IP address, press [SPACE BAR] and then [ENTER] to select Dynamic; otherwise select Static and enter the IP address and subnet mask in the following fields.
IP Address: Enter the (fixed) IP address assigned to you by your ISP (static IP address assignment is selected in the previous field).
IP Subnet Mask: Enter the subnet mask associated with your static IP.
Gateway IP Address: Enter the gateway IP address associated with your static IP.
Network Address Translation: Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet).
Choose None to disable NAT.
Choose SUA Only if you have a single public IP address. SUA (Single User Account) is a subset of NAT that supports two types of mapping: Many-to-One and Server.
Choose Full Feature if you have multiple public IP addresses. Full Feature mapping types include: One-to-One, Many-to-One (SUA/PAT), Many-to-Many Overload, Many One-to-One and Server. When you select Full Feature you must configure at least one address mapping set!
Please see Chapter 22 on page 374 for a more detailed discussion on the Network Address Translation feature.
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to
save your configuration, or press [ESC] at any time to cancel.
36.3 Configuring the PPTP Client
Note: The ZyWALL supports only one PPTP server connection at any given time.
To configure a PPTP client, you must configure the My Login and Password fields for a PPP
connection and the PPTP parameters for a PPTP connection.
After configuring My Login and Password for the PPP connection, press [SPACE BAR] and
then [ENTER] in the Encapsulation field in Menu 4 - Internet Access Setup to choose
PPTP as your encapsulation option. This brings up the following screen.
Figure 287 Internet Access Setup (PPTP)
Menu 4 - Internet Access Setup
ISP's Name= WAN_1
Encapsulation= PPTP
Service Type= N/A
My Login=
My Password= ********
Retype to Confirm= ********
Idle Timeout= 100
IP Address Assignment= Dynamic
IP Address= N/A
IP Subnet Mask= N/A
Gateway IP Address= N/A
Network Address Translation= SUA Only
Press ENTER to Confirm or ESC to Cancel:
The following table contains instructions about the new fields when you choose PPTP in the
Encapsulation field in menu 4.
Table 201 New Fields in Menu 4 (PPTP) Screen
Encapsulation: Press [SPACE BAR] and then press [ENTER] to choose PPTP. The encapsulation method influences your choices for the IP Address field.
Idle Timeout: This value specifies the time, in seconds, that elapses before the ZyWALL automatically disconnects from the PPTP server.
36.4 Configuring the PPPoE Client
If you enable PPPoE in menu 4, you will see the next screen. For more information on PPPoE,
please see Appendix F on page 702.
Figure 288 Internet Access Setup (PPPoE)
Menu 4 - Internet Access Setup
ISP's Name= WAN_1
Encapsulation= PPPoE
Service Type= N/A
My Login=
My Password= ********
Retype to Confirm= ********
Idle Timeout= 100
IP Address Assignment= Dynamic
IP Address= N/A
IP Subnet Mask= N/A
Gateway IP Address= N/A
Network Address Translation= SUA Only
Press ENTER to Confirm or ESC to Cancel:
The following table contains instructions about the new fields when you choose PPPoE in the
Encapsulation field in menu 4.
Table 202 New Fields in Menu 4 (PPPoE) Screen
Encapsulation: Press [SPACE BAR] and then press [ENTER] to choose PPPoE. The encapsulation method influences your choices in the IP Address field.
Idle Timeout: This value specifies the time, in seconds, that elapses before the ZyWALL automatically disconnects from the PPPoE server.
If you need a PPPoE service name to identify and reach the PPPoE server, please go to menu
11 and enter the PPPoE service name provided to you in the Service Name field.
36.5 Basic Setup Complete
Well done! You have successfully connected, installed and set up your ZyWALL to operate on
your network as well as access the Internet.
Note: When the firewall is activated, the default policy allows all communications to
the Internet that originate from the LAN, and blocks all traffic to the LAN that
originates from the Internet.
You may deactivate the firewall in menu 21.2 or via the ZyWALL embedded web
configurator. You may also define additional firewall rules or modify existing ones but please
exercise extreme caution in doing so. See the chapters on firewall for more information on the
firewall.
CHAPTER 37
DMZ Setup
This chapter describes how to configure the ZyWALL’s DMZ using Menu 5 - DMZ Setup.
37.1 Configuring DMZ Setup
From the main menu, enter 5 to open Menu 5 - DMZ Setup.
Figure 289 Menu 5: DMZ Setup
Menu 5 - DMZ Setup
1. DMZ Port Filter Setup
2. TCP/IP and DHCP Setup
Enter Menu Selection Number:
37.2 DMZ Port Filter Setup
This menu allows you to specify the filter sets that you wish to apply to your public server(s)
traffic.
Figure 290 Menu 5.1: DMZ Port Filter Setup
Menu 5.1 - DMZ Port Filter Setup
Input Filter Sets:
protocol filters=
device filters=
Output Filter Sets:
protocol filters=
device filters=
Press ENTER to Confirm or ESC to Cancel:
37.3 TCP/IP Setup
For more detailed information about RIP setup, IP Multicast and IP alias, please refer to
Chapter 5 on page 110.
37.3.1 IP Address
From the main menu, enter 5 to open Menu 5 - DMZ Setup to configure TCP/IP (RFC 1155).
Figure 291 Menu 5: DMZ Setup
Menu 5 - DMZ Setup
1. DMZ Port Filter Setup
2. TCP/IP and DHCP Setup
Enter Menu Selection Number:
From menu 5, select the submenu option 2. TCP/IP and DHCP Setup and press [ENTER].
The screen now displays Menu 5.2 - TCP/IP and DHCP Ethernet Setup, as shown next.
Figure 292 Menu 5.2: TCP/IP and DHCP Ethernet Setup
Menu 5.2 - TCP/IP and DHCP Ethernet Setup
DHCP= None
Client IP Pool:
Starting Address= N/A
Size of Client IP Pool= N/A
TCP/IP Setup:
IP Address= 10.10.2.1
IP Subnet Mask= 255.255.255.0
RIP Direction= None
Version= N/A
Multicast= IGMP-v2
Edit IP Alias= No
DHCP Server Address= N/A
Press ENTER to Confirm or ESC to Cancel:
The DHCP and TCP/IP setup fields are the same as the ones in Menu 3.2 - TCP/IP and
DHCP Ethernet Setup. Each public server will need a unique IP address. Refer to Section
35.4 on page 527 for information on how to configure these fields.
Note: DMZ, WLAN and LAN IP addresses must be on separate subnets. You must
also configure NAT for the DMZ port (see Chapter 42 on page 562) in menus
15.1 and 15.2.
37.3.2 IP Alias Setup
You must use menu 5.2 to configure the first network. Move the cursor to the Edit IP Alias
field, press [SPACE BAR] to choose Yes and press [ENTER] to configure the second and
third network.
Pressing [ENTER] opens Menu 5.2.1 - IP Alias Setup, as shown next.
Figure 293 Menu 5.2.1: IP Alias Setup
Menu 5.2.1 - IP Alias Setup
IP Alias 1= No
IP Address= N/A
IP Subnet Mask= N/A
RIP Direction= N/A
Version= N/A
Incoming protocol filters= N/A
Outgoing protocol filters= N/A
IP Alias 2= No
IP Address= N/A
IP Subnet Mask= N/A
RIP Direction= N/A
Version= N/A
Incoming protocol filters= N/A
Outgoing protocol filters= N/A
Enter here to CONFIRM or ESC to CANCEL:
Refer to Table 199 on page 530 for instructions on configuring IP alias parameters.
CHAPTER 38
Route Setup
This chapter describes how to configure the ZyWALL's traffic redirect. This chapter applies to
the ZyWALL 35 and ZyWALL 70.
38.1 Configuring Route Setup
From the main menu, enter 6 to open Menu 6 - Route Setup.
Figure 294 Menu 6: Route Setup
Menu 6 - Route Setup
1. Route Assessment
2. Traffic Redirect
3. Route Failover
Enter Menu Selection Number:
38.2 Route Assessment
This menu allows you to configure traffic redirect properties.
Figure 295 Menu 6.1: Route Assessment
Menu 6.1 - Route Assessment
Probing WAN 1 Check Point= Yes
Use Default Gateway as Check Point= Yes
Check Point= N/A
Probing WAN 2 Check Point= Yes
Use Default Gateway as Check Point= Yes
Check Point= N/A
Probing Traffic Redirection Check Point= No
Use Default Gateway as Check Point= N/A
Check Point= N/A
Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this menu.
Table 203 Menu 6.1: Route Assessment
Probing WAN 1/2 Check Point: Press [SPACE BAR] and then press [ENTER] to choose Yes to test your ZyWALL's WAN accessibility. The ZyWALL uses the default gateway IP address as the check point unless you select No in the Use Default Gateway as Check Point field and enter a domain name or IP address of a reliable nearby computer (for example, your ISP's DNS server address) in the Check Point field.
Probing Traffic Redirection Check Point: Press [SPACE BAR] and then press [ENTER] to choose Yes to test your ZyWALL's traffic redirect connection. The ZyWALL uses the default gateway IP address as the check point unless you select No in the Use Default Gateway as Check Point field and enter a domain name or IP address of a reliable nearby computer (for example, your ISP's DNS server address) in the Check Point field.
When you have completed this menu, press [ENTER] at the prompt "Press ENTER to Confirm…" to
save your configuration, or press [ESC] at any time to cancel.
38.3 Traffic Redirect
To configure the parameters for traffic redirect, enter 2 in Menu 6 - Route Setup to open
Menu 6.2 - Traffic Redirect as shown next.
Figure 296 Menu 6.2: Traffic Redirect
Menu 6.2 - Traffic Redirect
Active= No
Configuration:
Backup Gateway IP Address= 0.0.0.0
Metric= 14
Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this menu.
Table 204 Menu 6.2: Traffic Redirect
Active: Press [SPACE BAR] and select Yes (to enable) or No (to disable) traffic redirect setup. The default is No.
Backup Gateway IP Address: Enter the IP address of your backup gateway in dotted decimal notation. The ZyWALL automatically forwards traffic to this IP address if the ZyWALL's Internet connection terminates.
Metric: This field sets this route's priority among the routes the ZyWALL uses. Enter a number from 1 to 15 to set this route's priority among the ZyWALL's routes (see Section 7.5 on page 134). The smaller the number, the higher priority the route has.
When you have completed this menu, press [ENTER] at the prompt "Press ENTER to Confirm…" to
save your configuration, or press [ESC] at any time to cancel.
38.4 Route Failover
This menu allows you to configure how the ZyWALL uses the route assessment ping check
function.
Figure 297 Menu 6.3: Route Failover
Menu 6.3 - Route Failover
Period= 5
Timeout= 3
Fail Tolerance= 3
Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this menu.
Table 205 Menu 6.3: Route Failover
Period: Type the number of seconds for the ZyWALL to wait between checks to see if it can connect to the WAN IP address (in the Check Point field of menu 6.1) or the default gateway. Allow more time if your destination IP address handles lots of traffic.
Timeout: Type the number of seconds for your ZyWALL to wait for a ping response from the IP address in the Check Point field of menu 6.1 before it times out. The WAN connection is considered "down" after the ZyWALL times out the number of times specified in the Fail Tolerance field. Use a higher value in this field if your network is busy or congested.
Fail Tolerance: Type the number of times your ZyWALL may attempt and fail to connect to the Internet before traffic is forwarded to the backup gateway.
When you have completed this menu, press [ENTER] at the prompt "Press ENTER to Confirm…" to
save your configuration, or press [ESC] at any time to cancel.
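To see how Period, Timeout and Fail Tolerance combine into a detection delay, and how the Menu 6.2 Metric then picks the backup gateway, here is an added Python model (not ZyXEL firmware code). The probe sequence, the gateway addresses and the WAN 1 metric of 1 are constructed; the timing model (wait Period, send one ping, wait up to Timeout for the reply, count consecutive misses) is an assumption made for the example, and the manual's own text only says the connection is "down" after Fail Tolerance timeouts.

```python
"""Model the Menu 6.3 route-failover check (Period, Timeout, Fail Tolerance)
and the Menu 6.2 backup-gateway choice by metric. Added example with a
constructed probe sequence; the timing model is an assumption."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class FailoverConfig:
    period: int = 5          # seconds between checks (Menu 6.3 Period)
    timeout: int = 3         # seconds to wait for a ping reply (Timeout)
    fail_tolerance: int = 3  # consecutive misses before the WAN is "down"


@dataclass
class WanState:
    up: bool = True
    consecutive_failures: int = 0


def process_probe(state: WanState, cfg: FailoverConfig, replied: bool) -> WanState:
    """Update the WAN state with one probe result."""
    if replied:
        state.consecutive_failures = 0
        state.up = True            # assumed: a single reply restores the route
    else:
        state.consecutive_failures += 1
        if state.consecutive_failures >= cfg.fail_tolerance:
            state.up = False
    return state


def run_probes(cfg: FailoverConfig, latencies: List[Optional[float]]):
    """Feed probe reply latencies (None = no reply) through the state machine.

    Returns the final state and a list of (probe number, elapsed seconds,
    'down' | 'up') transitions, so the detection delay can be read off.
    """
    state = WanState()
    events: List[Tuple[int, float, str]] = []
    elapsed = 0.0
    for number, latency in enumerate(latencies, start=1):
        elapsed += cfg.period
        replied = latency is not None and latency <= cfg.timeout
        elapsed += latency if replied else cfg.timeout   # a miss burns the whole Timeout
        was_up = state.up
        process_probe(state, cfg, replied)
        if was_up != state.up:
            events.append((number, elapsed, "up" if state.up else "down"))
    return state, events


@dataclass
class Route:
    name: str
    gateway: str
    metric: int        # 1 to 15, lower wins (Menu 6.2 Metric)
    up: bool = True


def select_gateway(routes: List[Route]) -> Optional[str]:
    """Pick the usable route with the lowest metric; None if nothing is up."""
    usable = [r for r in routes if r.up]
    if not usable:
        return None
    return min(usable, key=lambda r: r.metric).gateway


def failover_demo(latencies: List[Optional[float]]):
    """Run the probes with the default Menu 6.3 values and report the gateway in use."""
    state, events = run_probes(FailoverConfig(), latencies)
    # Constructed routes: the WAN 1 metric of 1 is an assumption; the backup
    # route uses the Metric of 14 shown in the Menu 6.2 screen.
    routes = [
        Route("WAN_1", "203.0.113.1", 1, up=state.up),
        Route("Traffic Redirect", "192.168.1.254", 14),
    ]
    return select_gateway(routes), events


if __name__ == "__main__":
    print(failover_demo([1, None, None, None]))   # WAN down after the 4th probe
```

With the screen's defaults (Period 5, Timeout 3, Fail Tolerance 3) three consecutive misses take 3 × (5 + 3) = 24 seconds to declare the WAN down under this model; a single successful reply in between resets the count, which is why a flapping link can stay "up" far longer than Fail Tolerance suggests.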
CHAPTER 39
Wireless Setup
Use menu 7 to set up your ZyWALL as the wireless access point.
39.1 Wireless LAN Setup
Note: If you are configuring the ZyWALL from a computer connected to the wireless
LAN and you change the ZyWALL’s ESSID or WEP settings, you will lose your
wireless connection when you press [ENTER] to confirm. You must then
change the wireless settings of your computer to match the ZyWALL’s new
settings.
From the main menu, enter 7 to open Menu 7 - WLAN Setup to configure the Wireless LAN
setup. To edit the wireless LAN configuration, enter 1 to open Menu 7.1 - Wireless Setup as
shown next.
Figure 298 Menu 7.1: Wireless Setup
Menu 7.1 - Wireless Setup
Enable Wireless LAN= No
Bridge Channel= WLAN
ESSID= ZyXEL
Hide ESSID= No
Channel ID= CH06 2437MHz
RTS Threshold= 2432
Frag. Threshold= 2432
WEP= Disable
Default Key= N/A
Key1= N/A
Key2= N/A
Key3= N/A
Key4= N/A
Edit MAC Address Filter= No
Press ENTER to Confirm or ESC to Cancel:
Note: The settings of all client stations on the wireless LAN must match those of the
ZyWALL.
Follow the instructions in the next table on how to configure the wireless LAN parameters.
Table 206 Menu 7.1: Wireless Setup
Enable Wireless LAN: Press [SPACE BAR] to select Yes to turn on the wireless LAN. The wireless LAN is off by default. Configure wireless LAN security features such as MAC filters and 802.1X before you turn on the wireless LAN.
Bridge Channel: Select LAN to use the wireless card as part of the LAN. Select DMZ to use the wireless card as part of the DMZ. Select WLAN to use the wireless card as part of the WLAN. The ZyWALL restarts after you change the wireless card setting.
Note: If you set the wireless card to be part of the LAN or DMZ, you can still use wireless access, but not the WLAN interface in the firewall. The firewall will treat the wireless card as part of the LAN or DMZ respectively.
ESSID: (Extended Service Set IDentification) The ESSID identifies the AP to which the wireless stations associate. Wireless stations associating to the Access Point must have the same ESSID. Enter a descriptive name (up to 32 characters) for the wireless LAN.
Hide ESSID: Press [SPACE BAR] to select Yes to hide the ESSID in the outgoing beacon frame so a station cannot obtain the ESSID through passive scanning.
Channel ID: This allows you to set the operating frequency/channel depending on your particular region. Use the [SPACE BAR] to select a channel.
RTS Threshold: (Request To Send) The threshold (number of bytes) for enabling the RTS/CTS handshake. Data with a frame size larger than this value will perform the RTS/CTS handshake. Setting this attribute to be larger than the maximum MSDU (MAC service data unit) size turns off the RTS/CTS handshake. Setting this attribute to zero turns on the RTS/CTS handshake. Enter a value between 0 and 2432.
Frag. Threshold: The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Enter a value between 256 and 2432.
WEP: Select Disable to allow wireless stations to communicate with the access points without any data encryption. Select 64-bit WEP or 128-bit WEP to enable data encryption.
Default Key: Enter the key number (1 to 4) in this field. Only one key can be enabled at any one time. This key must be the same on the ZyWALL and the wireless stations to communicate.
Key 1 to Key 4: The WEP keys are used to encrypt data. Both the ZyWALL and the wireless stations must use the same WEP key for data transmission. If you chose 64-bit WEP in the WEP Encryption field, then enter any 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F"). If you chose 128-bit WEP in the WEP Encryption field, then enter 13 ASCII characters or 26 hexadecimal characters ("0-9", "A-F").
Note: Enter “0x” before the key to denote a hexadecimal key. Don’t enter “0x” before the key to denote an ASCII key.
Edit MAC Address Filter: Press [SPACE BAR] to select Yes and then press [ENTER] to display menu 7.1.1.
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to
save your configuration, or press [ESC] at any time to cancel.
39.1.1 MAC Address Filter Setup
Your ZyWALL checks the MAC address of the wireless station device against a list of allowed
or denied MAC addresses. However, intruders could fake allowed MAC addresses, so MAC-based
authentication is less secure than EAP authentication.
Follow the steps below to create the MAC address table on your ZyWALL.
1 From the main menu, enter 7 to open Menu 7 - WLAN Setup.
2 Enter 1 to display Menu 7.1 - Wireless Setup.
3 In the Edit MAC Address Filter field, press [SPACE BAR] to select Yes and press
[ENTER]. Menu 7.1.1 - WLAN MAC Address Filter displays as shown next.
Figure 299 Menu 7.1.1: WLAN MAC Address Filter
Menu 7.1.1 - WLAN MAC Address Filter
Active= No
Filter Action= Allowed Association
MAC Address Filter
Address 1= 00:00:00:00:00:00
Address 2= 00:00:00:00:00:00
Address 3= 00:00:00:00:00:00
Address 4= 00:00:00:00:00:00
Address 5= 00:00:00:00:00:00
Address 6= 00:00:00:00:00:00
Address 7= 00:00:00:00:00:00
Address 8= 00:00:00:00:00:00
Address 9= 00:00:00:00:00:00
Address 10= 00:00:00:00:00:00
Address 11= 00:00:00:00:00:00
Address 12= 00:00:00:00:00:00
Enter here to CONFIRM or ESC to CANCEL:
The following table describes the fields in this menu.
Table 207 Menu 7.1.1: WLAN MAC Address Filter
Active: To enable MAC address filtering, press [SPACE BAR] to select Yes and press [ENTER].
Filter Action: Define the filter action for the list of MAC addresses in the MAC address filter table. To deny access to the ZyWALL, press [SPACE BAR] to select Deny Association and press [ENTER]. MAC addresses not listed will be allowed to access the router. The default action, Allowed Association, permits association with the ZyWALL. MAC addresses not listed will be denied access to the router.
MAC Address Filter, Address 1..12: Enter the MAC addresses (in XX:XX:XX:XX:XX:XX format) of the client computers that are allowed or denied access to the ZyWALL in these address fields.
When you have completed this menu, press [ENTER] at the prompt [Press ENTER to Confirm…] to
save your configuration, or press [ESC] at any time to cancel.
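The WEP key rules of Table 206 (5 or 13 ASCII characters, or 10 or 26 hexadecimal digits after a "0x" prefix) and the two Filter Action semantics of Table 207 are easy to get backwards when a configuration is reviewed after the fact. The following Python is an added example, not ZyXEL's code, that interprets both the way the tables describe them and flags the settings a reviewer would question; the key values, MAC addresses and the dictionary layout of a saved menu are constructed, and accepting lower-case hexadecimal digits is this example's choice rather than something the manual states.

```python
"""Interpret the Menu 7.1 WEP key fields and the Menu 7.1.1 MAC address
filter as the manual's tables describe them. Added example; key values and
MAC addresses are constructed."""
import re
from typing import Iterable, List

# (ASCII characters, hexadecimal digits) accepted for each WEP length.
WEP_KEY_LENGTHS = {"64-bit WEP": (5, 10), "128-bit WEP": (13, 26)}
EMPTY_MAC = "00:00:00:00:00:00"          # unused slot in the 12-entry table
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def parse_wep_key(mode: str, key: str) -> bytes:
    """Return the raw key bytes; a "0x" prefix marks a hexadecimal key, otherwise ASCII."""
    ascii_len, hex_len = WEP_KEY_LENGTHS[mode]
    if key.startswith("0x"):
        digits = key[2:]
        if len(digits) != hex_len or not re.fullmatch(r"[0-9A-Fa-f]+", digits):
            raise ValueError(f"{mode} hex key needs {hex_len} hex digits after 0x")
        return bytes.fromhex(digits)
    if len(key) != ascii_len or not key.isascii():
        raise ValueError(f"{mode} ASCII key needs exactly {ascii_len} ASCII characters")
    return key.encode("ascii")


def normalize_mac(mac: str) -> str:
    """Validate the XX:XX:XX:XX:XX:XX form and fold case for comparison."""
    if not MAC_RE.match(mac):
        raise ValueError(f"MAC address must be XX:XX:XX:XX:XX:XX, got {mac!r}")
    return mac.upper()


def mac_filter_allows(active: bool, action: str, table: Iterable[str], station: str) -> bool:
    """Decide whether a station may associate under the filter table.

    Allowed Association: only listed addresses may associate.
    Deny Association: listed addresses are refused, all others admitted.
    An inactive filter admits everyone.
    """
    if not active:
        return True
    listed = {normalize_mac(m) for m in table if m != EMPTY_MAC}
    mac = normalize_mac(station)
    if action == "Allowed Association":
        return mac in listed
    if action == "Deny Association":
        return mac not in listed
    raise ValueError(f"unknown Filter Action {action!r}")


def review_wireless(menu: dict) -> List[str]:
    """Flag settings a reviewer would question in a saved Menu 7.1 / 7.1.1."""
    findings: List[str] = []
    if menu["Enable Wireless LAN"] == "No":
        return findings
    wep = menu["WEP"]
    if wep == "Disable":
        findings.append("WEP disabled: wireless frames are sent unencrypted")
    else:
        try:
            parse_wep_key(wep, menu["Key" + str(menu["Default Key"])])
        except ValueError as exc:
            findings.append(f"Default Key rejected: {exc}")
    if not menu["MAC Filter Active"]:
        findings.append("MAC address filter inactive: any station may try to associate")
    elif menu["Filter Action"] == "Allowed Association" and all(
        m == EMPTY_MAC for m in menu["MAC Table"]
    ):
        findings.append("Allowed Association with an empty table: every station is denied")
    return findings


# Constructed contents of Menu 7.1 / 7.1.1 for a small office.
SAMPLE_MENU = {
    "Enable Wireless LAN": "Yes",
    "WEP": "128-bit WEP",
    "Default Key": 1,
    "Key1": "0x" + "0123456789ABCDEF0123456789",
    "MAC Filter Active": True,
    "Filter Action": "Allowed Association",
    "MAC Table": ["00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"] + [EMPTY_MAC] * 10,
}

if __name__ == "__main__":
    print(review_wireless(SAMPLE_MENU))
```

Two details worth noting: an Allowed Association table with no entries denies every station, which is correct per Table 207 but usually not what was intended, and the review treats a MAC filter only as a check on configuration completeness, since the text above already says that allowed MAC addresses can be faked.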
39.2 TCP/IP Setup
For more detailed information about RIP setup, IP Multicast and IP alias, please refer to
Chapter 5 on page 110.
39.2.1 IP Address
From the main menu, enter 7 to open Menu 7 - WLAN Setup to configure TCP/IP (RFC
1155).
Figure 300 Menu 7: WLAN Setup
Menu 7 - WLAN Setup
1. Wireless Setup
2. TCP/IP and DHCP Setup
Enter Menu Selection Number:
From menu 7, select the submenu option 2. TCP/IP and DHCP Setup and press [ENTER].
The screen now displays Menu 7.2 - TCP/IP and DHCP Ethernet Setup, as shown next.
Figure 301 Menu 7.2: TCP/IP and DHCP Ethernet Setup
Menu 7.2 - TCP/IP and DHCP Ethernet Setup
DHCP= None
Client IP Pool:
Starting Address= N/A
Size of Client IP Pool= N/A
TCP/IP Setup:
IP Address= 0.0.0.0
IP Subnet Mask= 0.0.0.0
RIP Direction= None
Version= N/A
Multicast= IGMP-v2
Edit IP Alias= No
DHCP Server Address= N/A
Press ENTER to Confirm or ESC to Cancel:
The DHCP and TCP/IP setup fields are the same as the ones in Menu 3.2 - TCP/IP and
DHCP Ethernet Setup. Each public server will need a unique IP address. Refer to Section
35.4 on page 527 for information on how to configure these fields.
Note: DMZ, WLAN and LAN IP addresses must be on separate subnets. You must
also configure NAT for the WLAN port (see Chapter 42 on page 562) in menus
15.1 and 15.2.
39.2.2 IP Alias Setup
You must use menu 7.2 to configure the first network. Move the cursor to the Edit IP Alias
field, press [SPACE BAR] to choose Yes and press [ENTER] to configure the second and
third network.
Pressing [ENTER] opens Menu 7.2.1 - IP Alias Setup, as shown next.
Figure 302 Menu 7.2.1: IP Alias Setup
Menu 7.2.1 - IP Alias Setup
IP Alias 1= No
IP Address= N/A
IP Subnet Mask= N/A
RIP Direction= N/A
Version= N/A
IP Alias 2= No
IP Address= N/A
IP Subnet Mask= N/A
RIP Direction= N/A
Version= N/A
Enter here to CONFIRM or ESC to CANCEL:
Refer to Table 199 on page 530 for instructions on configuring IP alias parameters.
CHAPTER 40
Remote Node Setup
This chapter shows you how to configure a remote node.
40.1 Introduction to Remote Node Setup
A remote node is required for placing calls to a remote gateway. A remote node represents
both the remote gateway and the network behind it across a WAN connection. Note that when
you use menu 4 to set up Internet access, you are actually configuring a remote node. The
following describes how to configure Menu 11.x (where x is 1 or 2) - Remote Node Profile,
Menu 11.x.2 - Remote Node Network Layer Options and Menu 11.x.4 - Remote Node
Filter.
40.2 Remote Node Setup
From the main menu, select menu option 11 to open Menu 11 - Remote Node Setup (shown
below).
On a ZyWALL with multiple WAN ports, enter 1 or 2 to open Menu 11.x - Remote Node
Profile and configure the setup for your first or second WAN port. Enter 3 to open Menu 11.3
Remote Node Profile (Backup ISP) and configure the setup for your Dial Backup port
connection (see Chapter 34 on page 514).
On a ZyWALL with a single WAN port, enter 1 to open Menu 11.1 - Remote Node Profile
and configure the setup for your WAN port. Enter 2 to open Menu 11.2 Remote Node Profile
(Backup ISP) and configure the setup for your Dial Backup port connection.
Figure 303 Menu 11: Remote Node Setup
Menu 11 - Remote Node Setup
1. WAN_1 (ISP, SUA)
2. WAN_2 (ISP, NAT)
3. -Dial (BACKUP_ISP, SUA)
Enter Node # to Edit:
40.3 Remote Node Profile Setup
The following explains how to configure the remote node profile menu. Not all fields are
available on all models.
40.3.1 Ethernet Encapsulation
There are three variations of menu 11.x depending on whether you choose Ethernet
Encapsulation, PPPoE Encapsulation or PPTP Encapsulation. You must choose the
Ethernet option when the WAN port is used as a regular Ethernet. The first menu 11.x screen
you see is for Ethernet encapsulation shown next.
Figure 304 Menu 11.1: Remote Node Profile for Ethernet Encapsulation
Menu 11.1 - Remote Node Profile
Rem Node Name= WAN_1
Active= Yes
Route= IP
Encapsulation= Ethernet
Service Type= Standard
Edit IP= No
Session Options:
Schedules=
Edit Filter Sets= No
Outgoing:
My Login= N/A
My Password= N/A
Retype to Confirm= N/A
Server= N/A
Relogin Every (min)= N/A
Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this menu.
Table 208 Menu 11.1: Remote Node Profile for Ethernet Encapsulation
Rem Node Name: Enter a descriptive name for the remote node. This field can be up to eight characters.
Active: Press [SPACE BAR] and then [ENTER] to select Yes (activate remote node) or No (deactivate remote node).
Encapsulation: Ethernet is the default encapsulation. Press [SPACE BAR] and then [ENTER] to change to PPPoE or PPTP encapsulation.
Service Type: Press [SPACE BAR] and then [ENTER] to select from Standard, RR-Toshiba (RoadRunner Toshiba authentication method), RR-Manager (RoadRunner Manager authentication method), RR-Telstra or Telia Login. Choose one of the RoadRunner methods if your ISP is Time Warner's RoadRunner; otherwise choose Standard.
Outgoing:
  My Login: This field is applicable for PPPoE encapsulation only. Enter the login name assigned by your ISP when the ZyWALL calls this remote node. Some ISPs append this field to the Service Name field above (for example, in the form login@servicename) to access the PPPoE server.
  My Password: Enter the password assigned by your ISP when the ZyWALL calls this remote node. Valid for PPPoE encapsulation only.
  Retype to Confirm: Type your password again to make sure that you have entered it correctly.
  Server: This field is valid only when RoadRunner is selected in the Service Type field. The ZyWALL will find the RoadRunner Server IP automatically if this field is left blank. If it does not, then you must enter the authentication server IP address here.
  Relogin Every (min): This field is available when you select Telia Login in the Service Type field. The Telia server logs the ZyWALL out if the ZyWALL does not log in periodically. Type the number of minutes from 1 to 59 (30 recommended) for the ZyWALL to wait between logins.
Route: This field refers to the protocol that will be routed by your ZyWALL – IP is the only option for the ZyWALL.
Edit IP: This field leads to a “hidden” menu. Press [SPACE BAR] to select Yes and press [ENTER] to go to Menu 11.x.2 - Remote Node Network Layer Options.
Session Options:
  Schedules: You can apply up to four schedule sets here. For more details please refer to Chapter 51 on page 648.
  Edit Filter Sets: This field leads to another “hidden” menu. Use [SPACE BAR] to select Yes and press [ENTER] to open menu 11.x.4 to edit the filter sets. See Section 40.5 on page 557 for more details.
Edit Traffic Redirect: Press [SPACE BAR] to select Yes or No. Select No (default) if you do not want to configure this feature. Select Yes and press [ENTER] to configure Menu 11.1.5 - Traffic Redirect Setup.
Once you have configured this menu, press [ENTER] at the message “Press ENTER to Confirm...” to
save your configuration, or press [ESC] at any time to cancel.
40.3.2 PPPoE Encapsulation
The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). You can only use
PPPoE encapsulation when you’re using the ZyWALL with a DSL modem as the WAN
device. If you change the Encapsulation to PPPoE, then you will see the next screen. Please
see Appendix F on page 702 for more information on PPPoE.
Figure 305 Menu 11.1: Remote Node Profile for PPPoE Encapsulation
Menu 11.1 - Remote Node Profile
Rem Node Name= ChangeMe
Active= Yes
Route= IP
Encapsulation= PPPoE
Service Type= Standard
Service Name=
Outgoing:
My Login=
My Password= ********
Retype to Confirm= ********
Authen= CHAP/PAP
Edit IP= No
Telco Option:
Allocated Budget(min)= 0
Period(hr)= 0
Schedules=
Nailed-Up Connection= No
Session Options:
Edit Filter Sets= No
Idle Timeout(sec)= 100
Press ENTER to Confirm or ESC to Cancel:
40.3.2.1 Outgoing Authentication Protocol
Generally speaking, you should employ the strongest authentication protocol possible, for
obvious reasons. However, some vendors' implementations include a specific authentication
protocol in the user profile. Such an implementation disconnects if the negotiated protocol
differs from the one in the user profile, even when the negotiated protocol is stronger than
specified. If you encounter a case where the peer disconnects right after a successful
authentication, make sure that you specify the correct authentication protocol when
connecting to such an implementation.
40.3.2.2 Nailed-Up Connection
A nailed-up connection is a dial-up line where the connection is always up regardless of traffic
demand. The ZyWALL does two things when you specify a nailed-up connection. The first is
that idle timeout is disabled. The second is that the ZyWALL will try to bring up the
connection when turned on and whenever the connection is down. A nailed-up connection can
be very expensive for obvious reasons.
Do not specify a nailed-up connection unless your telephone company offers flat-rate service
or you need a constant connection and the cost is of no concern.
The following table describes the fields not already described in Table 208 on page 552.
40.3.2.3 Metric
See Section 7.5 on page 134 for details on the Metric field.
Table 209 Fields in Menu 11.1 (PPPoE Encapsulation Specific)
Service Name: If you are using PPPoE encapsulation, then type the name of your PPPoE service here. Only valid with PPPoE encapsulation.
Authen: This field sets the authentication protocol used for outgoing calls. Options for this field are:
  CHAP/PAP - Your ZyWALL will accept either CHAP or PAP when requested by this remote node.
  CHAP - accept CHAP only.
  PAP - accept PAP only.
Telco Option:
  Allocated Budget: The field sets a ceiling for outgoing call time for this remote node. The default for this field is 0, meaning no budget control.
  Period(hr): This field is the time period after which the budget is reset. For example, if you are allowed to call this remote node for a maximum of 10 minutes every hour, then the Allocated Budget is 10 (minutes) and the Period(hr) is 1 (hour).
  Schedules: You can apply up to four schedule sets here. For more details please refer to Chapter 51 on page 648.
  Nailed-Up Connection: This field specifies if you want to make the connection to this remote node a nailed-up connection. More details are given earlier in this section.
Session Options:
  Idle Timeout: Type the length of idle time (when there is no traffic from the ZyWALL to the remote node) in seconds that can elapse before the ZyWALL automatically disconnects the PPPoE connection. This option only applies when the ZyWALL initiates the call.
40.3.3 PPTP Encapsulation
If you change the Encapsulation to PPTP in menu 11.1, then you will see the next screen.
Please see Appendix G on page 704 for information on PPTP.
Figure 306 Menu 11.1: Remote Node Profile for PPTP Encapsulation
Menu 11.1 - Remote Node Profile
Rem Node Name= ChangeMe
Active= Yes
Route= IP
Encapsulation= PPTP
Service Type= Standard
Edit IP= No
Telco Option:
Allocated Budget(min)= 0
Period(hr)= 0
Schedules=
Nailed-Up Connection= No
Outgoing:
My Login=
My Password= ********
Retype to Confirm= ********
Authen= CHAP/PAP
PPTP:
My IP Addr= 10.0.0.140
My IP Mask= 255.255.255.0
Server IP Addr= 10.0.0.138
Connection ID/Name=
Session Options:
Edit Filter Sets= No
Idle Timeout(sec)= 100
Press ENTER to Confirm or ESC to Cancel:
The next table shows how to configure fields in menu 11.1 not previously discussed.
Table 210 Menu 11.1: Remote Node Profile for PPTP Encapsulation
Encapsulation: Press [SPACE BAR] and then [ENTER] to select PPTP. You must also go to menu 11.3 to check the IP Address setting once you have selected the encapsulation method.
My IP Addr: Enter the IP address of the WAN Ethernet port.
My IP Mask: Enter the subnet mask of the WAN Ethernet port.
Server IP Addr: Enter the IP address of the ANT modem.
Connection ID/Name: Enter the connection ID or connection name in the ANT. It must follow the “c:id” and “n:name” format. This field is optional and depends on the requirements of your DSL modem.
Schedules: You can apply up to four schedule sets here. For more details refer to Chapter 51 on page 648.
Nailed-Up Connection: Press [SPACE BAR] and then [ENTER] to select Yes if you want to make the connection to this remote node a nailed-up connection.
40.4 Edit IP
Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes.
Press [ENTER] to open Menu 11.1.2 - Remote Node Network Layer Options. Not all fields
are available on all models.
Figure 307 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation
Menu 11.1.2 - Remote Node Network Layer Options
IP Address Assignment= Dynamic
Rem IP Addr= N/A
Rem Subnet Mask= N/A
My WAN Addr= N/A
Network Address Translation= SUA Only
NAT Lookup Set= 255
Metric= 1
Private= No
RIP Direction= None
Version= N/A
Multicast= None
Enter here to CONFIRM or ESC to CANCEL:
This menu displays the My WAN Addr field for PPPoE and PPTP encapsulations and the
Gateway IP Addr field for Ethernet encapsulation. The following table describes the fields
in this menu.
Table 211 Remote Node Network Layer Options Menu Fields
IP Address Assignment: If your ISP did not assign you an explicit IP address, press [SPACE BAR] and then [ENTER] to select Dynamic; otherwise select Static and enter the IP address and subnet mask in the following fields.
(Rem) IP Address: If you have a static IP Assignment, enter the IP address assigned to you by your ISP.
(Rem) IP Subnet Mask: If you have a static IP Assignment, enter the subnet mask assigned to you.
Gateway IP Addr: This field is applicable to Ethernet encapsulation only. Enter the gateway IP address assigned to you if you are using a static IP address.
My WAN Addr: This field is applicable to PPPoE and PPTP encapsulations only. Some implementations, especially the UNIX derivatives, require the WAN link to have a separate IP network number from the LAN and each end must have a unique address within the WAN network number. If this is the case, enter the IP address assigned to the WAN port of your ZyWALL. Note that this is the address assigned to your local ZyWALL, not the remote router.
Network Address Translation: Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet).
  Choose None to disable NAT.
  Choose SUA Only if you have a single public IP address. SUA (Single User Account) is a subset of NAT that supports two types of mapping: Many-to-One and Server.
  Choose Full Feature if you have multiple public IP addresses. Full Feature mapping types include: One-to-One, Many-to-One (SUA/PAT), Many-to-Many Overload, Many-One-to-One and Server. When you select Full Feature you must configure at least one address mapping set.
  See Chapter 22 on page 374 for a full discussion on this feature.
NAT Lookup Set: If you select SUA Only in the Network Address Translation field, it displays 255 and indicates the SMT will use the pre-configured Set 255 (read only) in menu 15.1. If you select Full Feature or None in the Network Address Translation field, it displays 1, 2 or 3 and indicates the SMT will use the pre-configured Set 1 in menu 15.1 for the first WAN port, Set 2 in menu 15.1 for the second WAN port and Set 3 for the Backup port. Refer to Section 42.2 on page 564 for more information.
Metric: Enter a number from 1 to 15 to set this route’s priority among the ZyWALL’s routes (see Section 7.5 on page 134). The smaller the number, the higher priority the route has.
Private: This field is valid only for PPTP/PPPoE encapsulation. This parameter determines if the ZyWALL will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcasts. If No, the route to this remote node will be propagated to other hosts through RIP broadcasts.
RIP Direction: Press [SPACE BAR] and then [ENTER] to select the RIP direction from Both/None/In Only/Out Only. See Chapter 5 on page 110 for more information on RIP. The default for RIP on the WAN side is None. It is recommended that you do not change this setting.
Version: Press [SPACE BAR] and then [ENTER] to select the RIP version from RIP-1/RIP-2B/RIP-2M or None.
Multicast: IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group. The ZyWALL supports both IGMP version 1 (IGMP-v1) and version 2 (IGMP-v2). Press [SPACE BAR] to enable IP Multicasting or select None to disable it. See Chapter 5 on page 110 for more information on this feature.
Once you have completed filling in Menu 11.3 Remote Node Network Layer Options, press [ENTER]
at the message “Press ENTER to Confirm...” to save your configuration and return to menu 11, or press
[ESC] at any time to cancel.
40.5 Remote Node Filter
Move the cursor to the field Edit Filter Sets in menu 11.1, and then press [SPACE BAR] to
set the value to Yes. Press [ENTER] to open Menu 11.1.4 - Remote Node Filter.
Use menu 11.1.4 to specify the filter set(s) to apply to the incoming and outgoing traffic
between this remote node and the ZyWALL to prevent certain packets from triggering calls.
You can specify up to 4 filter sets separated by commas, for example, 1, 5, 9, 12, in each filter
field. Note that spaces are accepted in this field. For more information on defining the filters,
please refer to Chapter 44 on page 584. For PPPoE or PPTP encapsulation, you have the
additional option of specifying remote node call filter sets.
Figure 308 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation)
Menu 11.1.4 - Remote Node Filter
Input Filter Sets:
protocol filters=
device filters=
Output Filter Sets:
protocol filters=
device filters=
Enter here to CONFIRM or ESC to CANCEL:
Figure 309 Menu 11.1.4: Remote Node Filter (PPPoE or PPTP Encapsulation)
Menu 11.1.4 - Remote Node Filter
Input Filter Sets:
protocol filters=
device filters=
Output Filter Sets:
protocol filters=
device filters=
Call Filter Sets:
protocol filters=
device filters=
Enter here to CONFIRM or ESC to CANCEL:
40.6 Traffic Redirect
Configure parameters that determine when the ZyWALL will forward WAN traffic to the
backup gateway using Menu 11.1.5 - Traffic Redirect Setup. This section applies to the
ZyWALL 5.
Figure 310 Menu 11.1.5: Traffic Redirect Setup
Menu 11.1.5 - Traffic Redirect Setup
Active= Yes
Configuration:
Backup Gateway IP Address= 0.0.0.0
Metric= 14
Check WAN IP Address= 0.0.0.0
Fail Tolerance= 10
Period(sec)= 300
Timeout(sec)= 8
Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this menu.
Table 212 Menu 11.1.5: Traffic Redirect Setup
Active: Press [SPACE BAR] and select Yes (to enable) or No (to disable) traffic redirect setup. The default is No.
Configuration:
  Backup Gateway IP Address: Enter the IP address of your backup gateway in dotted decimal notation. The ZyWALL automatically forwards traffic to this IP address if the ZyWALL's Internet connection terminates.
  Metric: This field sets this route's priority among the routes the ZyWALL uses. Enter a number from 1 to 15 to set this route's priority among the ZyWALL's routes (see Section 7.2 on page 130). The smaller the number, the higher priority the route has.
  Check WAN IP Address: Enter the IP address of a reliable nearby computer (for example, your ISP's DNS server address) to test your ZyWALL's WAN accessibility. The ZyWALL uses the default gateway IP address if you do not enter an IP address here. If you are using PPTP or PPPoE Encapsulation, enter "0.0.0.0" to configure the ZyWALL to check the PVC (Permanent Virtual Circuit) or PPTP tunnel.
  Fail Tolerance: Enter the number of times your ZyWALL may attempt and fail to connect to the Internet before traffic is forwarded to the backup gateway. Two to five is usually a good number.
  Period(sec): Enter the time interval (in seconds) between WAN connection checks. Five to 60 is usually a good number.
  Timeout(sec): Enter the number of seconds the ZyWALL waits for a ping response from the IP address in the Check WAN IP Address field before it times out. The number in this field should be less than the number in the Period field. Three to 50 is usually a good number.
The WAN connection is considered "down" after the ZyWALL times out the number of times specified in the Fail Tolerance field.
When you have completed this menu, press [ENTER] at the prompt "Press ENTER to Confirm…" to
save your configuration, or press [ESC] at any time to cancel.
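The following Python model shows how the Traffic Redirect fields above interact. It is an added example, not ZyXEL code: it takes the documented fields (Check WAN IP Address, Fail Tolerance, Period, Timeout) and the rule that the WAN counts as "down" after Fail Tolerance timeouts, and runs them against constructed ping results so the behaviour can be checked offline. Two points are assumptions rather than statements of the manual: a single successful check clears the failure count and restores the primary gateway, and the probe results are supplied by the caller instead of being sent on the wire.

```python
"""Traffic-redirect WAN check, modelled on the fields of Table 212.

Added example, not ZyXEL code. Assumptions (ours, not the manual's): one good reply
restores the WAN route, and ping results are injected rather than sent.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TrafficRedirectConfig:
    active: bool = True
    backup_gateway: str = "0.0.0.0"   # constructed placeholder; set your real backup gateway
    metric: int = 14
    check_wan_ip: str = "0.0.0.0"     # 0.0.0.0 = probe the default gateway (or PPPoE/PPTP tunnel)
    fail_tolerance: int = 10
    period_sec: int = 300
    timeout_sec: int = 8

    def validate(self) -> List[str]:
        """Configuration problems to catch before pressing ENTER on the menu."""
        problems = []
        if not 1 <= self.metric <= 15:
            problems.append("Metric must be between 1 and 15")
        if self.timeout_sec >= self.period_sec:
            problems.append("Timeout(sec) must be less than Period(sec)")
        if self.fail_tolerance < 1:
            problems.append("Fail Tolerance must be at least 1")
        if self.active and self.backup_gateway == "0.0.0.0":
            problems.append("Backup Gateway IP Address is not set")
        return problems


class WanMonitor:
    """Counts consecutive timed-out probes; switches to the backup gateway at Fail Tolerance."""

    def __init__(self, cfg: TrafficRedirectConfig):
        self.cfg = cfg
        self.consecutive_failures = 0
        self.wan_up = True

    def record_check(self, reply_delay_sec: Optional[float]) -> bool:
        """Feed one probe result: None means no ping reply, otherwise the seconds until the
        reply arrived. Returns True while traffic is redirected to the backup gateway."""
        timed_out = reply_delay_sec is None or reply_delay_sec > self.cfg.timeout_sec
        if timed_out:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.cfg.fail_tolerance:
                self.wan_up = False
        else:
            self.consecutive_failures = 0
            self.wan_up = True          # assumption: one good reply restores the WAN route
        return self.redirecting()

    def redirecting(self) -> bool:
        return self.cfg.active and not self.wan_up

    def next_hop(self, primary_gateway: str) -> str:
        return self.cfg.backup_gateway if self.redirecting() else primary_gateway


def simulate(cfg: TrafficRedirectConfig,
             probe_results: List[Optional[float]]) -> List[Tuple[int, bool]]:
    """Run a sequence of probe results through the monitor, one result per Period."""
    mon = WanMonitor(cfg)
    return [(n, mon.record_check(r)) for n, r in enumerate(probe_results, 1)]


if __name__ == "__main__":
    cfg = TrafficRedirectConfig(backup_gateway="192.0.2.1", fail_tolerance=3,
                                period_sec=30, timeout_sec=5)
    # constructed probe results: two healthy replies, the link goes silent, then it recovers
    for check_no, redirected in simulate(cfg, [0.02, 0.03, None, 9.0, None, None, 0.02]):
        print(f"check {check_no}: redirect={'yes' if redirected else 'no'}")
```

With Fail Tolerance 3 and Timeout 5, the late reply at check 4 (9 seconds) counts as a timeout just like a missing reply, so redirection starts at check 5 and ends at the first healthy reply. `validate()` catches the Timeout-greater-than-Period case the table warns about before the configuration is saved.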
CHAPTER 41
IP Static Route Setup
This chapter shows you how to configure static routes with your ZyWALL.
41.1 IP Static Route Setup
Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP
static routes in menu 12.1.
Note: The first two static route entries are for default WAN1 and WAN2 routes on a
ZyWALL with multiple WAN ports; the first static route entry is for the default
WAN route on a ZyWALL with a single WAN port. You cannot modify or delete
a static default route. The name of the default static route is left blank unless
you configure a static WAN IP address.
The route name changes from “default” to “-default” after you change the static
WAN IP address to a dynamic WAN IP address, indicating the static route is
inactive.
Figure 311 Menu 12: IP Static Route Setup
Menu 12 - IP Static Route Setup
 1. Reserved    16. ________    31. ________    46. ________
 2. Reserved    17. ________    32. ________    47. ________
 3. ________    18. ________    33. ________    48. ________
 4. ________    19. ________    34. ________    49. ________
 5. ________    20. ________    35. ________    50. ________
 6. ________    21. ________    36. ________
 7. ________    22. ________    37. ________
 8. ________    23. ________    38. ________
 9. ________    24. ________    39. ________
10. ________    25. ________    40. ________
11. ________    26. ________    41. ________
12. ________    27. ________    42. ________
13. ________    28. ________    43. ________
14. ________    29. ________    44. ________
15. ________    30. ________    45. ________
Enter selection number:
Now, enter the index number of the static route that you want to configure.
Figure 312 Menu 12.1: Edit IP Static Route
Menu 12.1 - Edit IP Static Route
Route #: 3
Route Name= ?
Active= No
Destination IP Address= ?
IP Subnet Mask= ?
Gateway IP Address= ?
Metric= 2
Private= No
Press ENTER to CONFIRM or ESC to CANCEL:
The following table describes the IP Static Route Menu fields.
Table 213 Menu 12.1: Edit IP Static Route
Route #: This is the index number of the static route that you chose in menu 12.
Route Name: Enter a descriptive name for this route. This is for identification purposes only.
Active: This field allows you to activate/deactivate this static route.
Destination IP Address: This parameter specifies the IP network address of the final destination. Routing is always based on network number. If you need to specify a route to a single host, use a subnet mask of 255.255.255.255 in the subnet mask field to force the network number to be identical to the host ID.
IP Subnet Mask: Enter the IP subnet mask for this destination.
Gateway IP Address: Enter the IP address of the gateway. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your ZyWALL; over the WAN, the gateway must be the IP address of one of the remote nodes.
Metric: Enter a number from 1 to 15 to set this route’s priority among the ZyWALL’s routes (see Section 7.5 on page 134). The smaller the number, the higher priority the route has.
Private: This parameter determines if the ZyWALL will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcasts. If No, the route to this remote node will be propagated to other hosts through RIP broadcasts.
Once you have completed filling in this menu, press [ENTER] at the message “Press ENTER to
Confirm…” to save your configuration, or press [ESC] to cancel.
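The following Python example, added here and not ZyXEL code, shows how the Table 213 fields combine when a next hop is chosen for a packet: routing is by network number, a 255.255.255.255 mask turns an entry into a host route, a lower Metric wins among otherwise equal routes, and Private keeps an entry out of RIP broadcasts. The route table and addresses are constructed. Two details are assumptions because the manual does not state them: the longest matching prefix is preferred before Metric is compared, and inactive routes are ignored entirely.

```python
"""Static route selection using the fields of Menu 12.1 (Table 213).

Added example, not ZyXEL code. Assumed, not stated by the manual: longest prefix
first, then lowest Metric; routes with Active= No are skipped.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class StaticRoute:
    route_no: int           # Route # (index in menu 12)
    name: str               # Route Name
    active: bool            # Active
    destination: str        # Destination IP Address
    subnet_mask: str        # IP Subnet Mask
    gateway: str            # Gateway IP Address
    metric: int             # Metric, 1..15
    private: bool = False   # Private: Yes keeps the route out of RIP broadcasts

    @property
    def network(self) -> ipaddress.IPv4Network:
        # strict=False lets a host address plus its mask define the network number,
        # so 10.20.5.7/255.255.255.255 becomes the host route the manual describes
        return ipaddress.IPv4Network(f"{self.destination}/{self.subnet_mask}", strict=False)

    def validate(self) -> List[str]:
        """Problems a practitioner should catch before pressing ENTER."""
        problems = []
        if not 1 <= self.metric <= 15:
            problems.append(f"route {self.route_no}: Metric {self.metric} outside 1..15")
        try:
            self.network
        except ValueError as err:
            problems.append(f"route {self.route_no}: bad destination/mask ({err})")
        return problems


def select_route(routes: List[StaticRoute], dst_ip: str) -> Optional[StaticRoute]:
    """Longest matching prefix wins; among equal prefixes the lowest Metric wins."""
    ip = ipaddress.IPv4Address(dst_ip)
    candidates = [r for r in routes if r.active and ip in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric, r.route_no))


def rip_advertised(routes: List[StaticRoute]) -> List[StaticRoute]:
    """Routes the ZyWALL would include in RIP broadcasts: active and not Private."""
    return [r for r in routes if r.active and not r.private]


# Constructed sample table; documentation address ranges only.
SAMPLE_ROUTES = [
    StaticRoute(1, "default", True, "0.0.0.0", "0.0.0.0", "203.0.113.1", 1),
    StaticRoute(3, "branch", True, "10.20.0.0", "255.255.0.0", "192.168.1.254", 2),
    StaticRoute(4, "mgmt-host", True, "10.20.5.7", "255.255.255.255", "192.168.1.253", 2,
                private=True),
    StaticRoute(5, "branch-alt", True, "10.20.0.0", "255.255.0.0", "192.168.1.252", 5),
    StaticRoute(6, "old-lab", False, "10.20.5.0", "255.255.255.0", "192.168.1.250", 1),
]

if __name__ == "__main__":
    for dst in ("10.20.5.7", "10.20.5.8", "8.8.8.8"):
        chosen = select_route(SAMPLE_ROUTES, dst)
        print(dst, "->", chosen.name if chosen else "no route", chosen.gateway if chosen else "")
    print("advertised via RIP:", [r.name for r in rip_advertised(SAMPLE_ROUTES)])
```

10.20.5.7 takes the host route even though two /16 entries also cover it; 10.20.5.8 falls to "branch" because its Metric 2 beats the Metric 5 of "branch-alt", and the inactive "old-lab" /24 never takes part. The Private host route is withheld from the RIP list.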
CHAPTER 42
Network Address Translation
(NAT)
This chapter discusses how to configure NAT on the ZyWALL.
42.1 Using NAT
Note: You must create a firewall rule in addition to setting up SUA/NAT, to allow
traffic from the WAN to be forwarded through the ZyWALL.
42.1.1 SUA (Single User Account) Versus NAT
SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two
types of mapping, Many-to-One and Server. See Section 42.2.1 on page 565 for a detailed
description of the NAT set for SUA. The ZyWALL also supports Full Feature NAT to map
multiple global IP addresses to multiple private LAN IP addresses of clients or servers using
mapping types.
Note: Choose SUA Only if you have just one public WAN IP address for your
ZyWALL.
Choose Full Feature if you have multiple public WAN IP addresses for your
ZyWALL.
42.1.2 Applying NAT
You apply NAT via menus 4 or 11.1.2 as displayed next. The next figure shows you how to
apply NAT for Internet access in menu 4. Enter 4 from the main menu to go to Menu 4 - Internet Access Setup.
Figure 313 Menu 4: Applying NAT for Internet Access
Menu 4 - Internet Access Setup
ISP's Name= ChangeMe
Encapsulation= Ethernet
Service Type= Standard
My Login= N/A
My Password= N/A
Retype to Confirm= N/A
Login Server= N/A
Relogin Every (min)= N/A
IP Address Assignment= Dynamic
IP Address= N/A
IP Subnet Mask= N/A
Gateway IP Address= N/A
Network Address Translation= SUA Only
Press ENTER to Confirm or ESC to Cancel:
The following figure shows how you apply NAT to the remote node in menu 11.1.
1 Enter 11 from the main menu.
2 Enter 1 to open Menu 11.1 - Remote Node Profile.
3 Move the cursor to the Edit IP field, press [SPACE BAR] to select Yes and then press
[ENTER] to bring up Menu 11.1.2 - Remote Node Network Layer Options.
Figure 314 Menu 11.1.2: Applying NAT to the Remote Node
Menu 11.1.2 - Remote Node Network Layer Options
IP Address Assignment= Dynamic
IP Address= N/A
IP Subnet Mask= N/A
Gateway IP Addr= N/A
Network Address Translation= Full Feature
NAT Lookup Set= 1
Metric= 1
Private= N/A
RIP Direction= None
Version= N/A
Multicast= None
Enter here to CONFIRM or ESC to CANCEL:
The following table describes the fields in this menu.
Table 214 Applying NAT in Menus 4 & 11.1.2
Network Address Translation, option Full Feature: When you select this option the SMT will use Address Mapping Set 1 (menu 15.1 - see Section 42.2.1 on page 565 for further discussion). You can configure any of the mapping types described in Chapter 22 on page 374. Choose Full Feature if you have multiple public WAN IP addresses for your ZyWALL. When you select Full Feature you must configure at least one address mapping set.
Network Address Translation, option None: NAT is disabled when you select this option.
Network Address Translation, option SUA Only: When you select this option the SMT will use Address Mapping Set 255 (menu 15.1 - see Section 42.2.1 on page 565). Choose SUA Only if you have just one public WAN IP address for your ZyWALL.
42.2 NAT Setup
Use the address mapping sets menus and submenus to create the mapping table used to assign
global addresses to computers on the LAN and the DMZ. Set 255 is used for SUA. When you
select Full Feature in menu 4, menu 11.1.2 or menu 11.2.2, the SMT will use Set 1 for the
first WAN port and Set 2 for the second WAN port. When you select SUA Only, the SMT
will use the pre-configured Set 255 (read only).
The server set is a list of LAN and DMZ servers mapped to external ports. To use this set, a
server rule must be set up inside the NAT address mapping set. Please see the section on port
forwarding in Chapter 22 on page 374 for further information on these menus. To configure
NAT, enter 15 from the main menu to bring up the following screen.
Note: On a ZyWALL with two WAN ports, you can configure port forwarding and
trigger port rules for the first WAN port and separate sets of rules for the
second WAN port.
Figure 315 Menu 15: NAT Setup
Menu 15 - NAT Setup
1. Address Mapping Sets
2. Port Forwarding Setup
3. Trigger Port Setup
Enter Menu Selection Number:
Note: Configure DMZ, WLAN and LAN IP addresses in NAT menus 15.1 and 15.2.
DMZ, WLAN and LAN IP addresses must be on separate subnets.
42.2.1 Address Mapping Sets
Enter 1 to bring up Menu 15.1 - Address Mapping Sets.
Figure 316 Menu 15.1: Address Mapping Sets
Menu 15.1 - Address Mapping Sets
1. NAT_SET
2. example
255. SUA (read only)
Enter Menu Selection Number:
42.2.1.1 SUA Address Mapping Set
Enter 255 to display the next screen (see also Section 42.1.1 on page 562). The fields in this
menu cannot be changed.
Figure 317 Menu 15.1.255: SUA Address Mapping Rules
Menu 15.1.1 - Address Mapping Rules
Set Name= SUA
Idx  Local Start IP   Local End IP      Global Start IP   Global End IP     Type
---  ---------------  ---------------   ---------------   ---------------   ------
 1.  0.0.0.0          255.255.255.255   0.0.0.0                             M-1
 2.                                     0.0.0.0                             Server
 3.
 4.
 5.
 6.
 7.
 8.
 9.
10.
Press ENTER to Confirm or ESC to Cancel:
The following table explains the fields in this menu.
Note: Menu 15.1.255 is read-only.
Table 215 SUA Address Mapping Rules
Set Name: This is the name of the set you selected in menu 15.1, or enter the name of a new set you want to create.
Idx: This is the index or rule number.
Local Start IP: Local Start IP is the starting local IP address (ILA).
Local End IP: Local End IP is the ending local IP address (ILA). If the rule is for all local IPs, then the start IP is 0.0.0.0 and the end IP is 255.255.255.255.
Global Start IP: This is the starting global IP address (IGA). If you have a dynamic IP, enter 0.0.0.0 as the Global Start IP.
Global End IP: This is the ending global IP address (IGA).
Type: These are the mapping types discussed above. Server allows us to specify multiple servers of different types behind NAT to this machine. See later for some examples.
Once you have finished configuring a rule in this menu, press [ENTER] at the message “Press ENTER
to Confirm…” to save your configuration, or press [ESC] to cancel.
42.2.1.2 User-Defined Address Mapping Sets
Now look at option 1 in menu 15.1. Enter 1 to bring up this menu. Look at the differences
from the previous menu. Note the extra Action and Select Rule fields mean you can configure
rules in this screen. Note also that the [?] in the Set Name field means that this is a required
field and you must enter a name for the set.
Note: The entire set will be deleted if you leave the Set Name field blank and press
[ENTER] at the bottom of the screen.
Figure 318 Menu 15.1.1: First Set
Menu 15.1.1 - Address Mapping Rules
Set Name= NAT_SET
Idx  Local Start IP   Local End IP      Global Start IP   Global End IP     Type
---  ---------------  ---------------   ---------------   ---------------   ------
 1.  0.0.0.0          255.255.255.255   0.0.0.0                             M-1
 2.                                     0.0.0.0                             Server
 3.
 4.
 5.
 6.
 7.
 8.
 9.
10.
Action= None
Select Rule= N/A
Press ENTER to Confirm or ESC to Cancel:
Note: The Type, Local and Global Start/End IPs are configured in menu 15.1.1.1
(described later) and the values are displayed here.
42.2.1.3 Ordering Your Rules
Ordering your rules is important because the ZyWALL applies the rules in the order that you
specify. When a rule matches the current packet, the ZyWALL takes the corresponding action
and the remaining rules are ignored. If there are any empty rules before your new configured
rule, your configured rule will be pushed up by that number of empty rules. For example, if
you have already configured rules 1 to 6 in your current set and now you configure rule
number 9. In the set summary screen, the new rule will be rule 7, not 9.
Now if you delete rule 4, rules 5 to 7 will be pushed up by 1 rule, so as old rule 5 becomes rule
4, old rule 6 becomes rule 5 and old rule 7 becomes rule 6.
Table 216 Fields in Menu 15.1.1
Set Name: Enter a name for this set of rules. This is a required field. If this field is left blank, the entire set will be deleted.
Action: The default is Edit. Edit means you want to edit a selected rule (see following field). Insert Before means to insert a rule before the rule selected. The rules after the selected rule will then be moved down by one rule. Delete means to delete the selected rule and then all the rules after the selected one will be advanced one rule. None disables the Select Rule item.
Select Rule: When you choose Edit, Insert Before or Delete in the previous field the cursor jumps to this field to allow you to select the rule to apply the action in question.
Note: You must press [ENTER] at the bottom of the screen to save the whole set.
You must do this again if you make any changes to the set – including deleting
a rule. No changes to the set take place until this action is taken.
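As an added example (not ZyXEL code), the following Python model reproduces the ordering behaviour described above and the Edit and Delete actions of Table 216: a set of ten slots, compaction of a rule configured past the last used slot, shifting on delete, and first-match evaluation. The rule names and 192.168.1.x addresses are constructed.

```python
# Added example (not ZyXEL code): a model of how menu 15.1.1 orders the rules
# of an address mapping set, following the text above and Table 216.
import ipaddress

SET_SIZE = 10  # menu 15.1.1 lists rule indexes 1 to 10

class AddressMappingSet:
    def __init__(self, name):
        if not name:  # a blank Set Name deletes the whole set on [ENTER]
            raise ValueError("Set Name is a required field")
        self.name = name
        self.rules = []  # configured rules in order; list index 0 is rule 1

    def configure(self, index, rule):
        """Edit rule `index`; an empty slot appends, so earlier empty slots push the rule up."""
        if not 1 <= index <= SET_SIZE:
            raise ValueError("rule index must be 1..%d" % SET_SIZE)
        if index <= len(self.rules):
            self.rules[index - 1] = rule
        elif len(self.rules) < SET_SIZE:
            self.rules.append(rule)
        else:
            raise ValueError("set is full")
        return self.position_of(rule["name"])

    def delete(self, index):
        """Delete: remove rule `index`; every rule after it advances one slot."""
        del self.rules[index - 1]

    def position_of(self, name):
        return [r["name"] for r in self.rules].index(name) + 1  # 1-based

    def first_match(self, local_ip):
        """Rules apply in order; the first Local Start..End range holding the IP wins."""
        ip = ipaddress.ip_address(local_ip)
        for pos, rule in enumerate(self.rules, start=1):
            start = ipaddress.ip_address(rule["local_start"])
            end = ipaddress.ip_address(rule.get("local_end") or rule["local_start"])
            if start <= ip <= end:
                return pos, rule["name"]  # remaining rules are ignored

def walkthrough():
    """The text's scenario: rules 1-6 exist, rule 9 is configured, rule 4 deleted."""
    s = AddressMappingSet("NAT_SET")
    for i in range(1, 7):
        s.configure(i, {"name": "rule%d" % i, "local_start": "192.168.1.%d" % i})
    landed = s.configure(9, {"name": "catch-all", "local_start": "0.0.0.0",
                             "local_end": "255.255.255.255"})
    s.delete(4)  # old rules 5, 6 and 7 become rules 4, 5 and 6
    return landed, s.position_of("rule5"), s.position_of("catch-all")
```

walkthrough() returns (7, 4, 6): the rule configured as number 9 lands in slot 7, and after deleting rule 4 the old rule 5 and the new rule sit in slots 4 and 6.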
Selecting Edit in the Action field and then selecting a rule brings up the following menu,
Menu 15.1.1.1 - Address Mapping Rule in which you can edit an individual rule and
configure the Type, Local and Global Start/End IPs.
Note: An IP End address must be numerically greater than its corresponding IP Start
address.
Figure 319 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set
Menu 15.1.1.1 Address Mapping Rule
Type= One-to-One
Local IP:
Start=
End = N/A
Global IP:
Start=
End = N/A
Server Mapping Set= N/A
Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this menu.
Table 217 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set

FIELD        DESCRIPTION
Type         Press [SPACE BAR] and then [ENTER] to select from a total of five types. These
             are the mapping types discussed in Chapter 22 on page 374. Server allows you
             to specify multiple servers of different types behind NAT to this computer.
             See Section 42.4.3 on page 574 for an example.
Local IP     Only local IP fields are N/A for Server; Global IP fields MUST be set for
             Server.
  Start      Enter the starting local IP address (ILA).
  End        Enter the ending local IP address (ILA). If the rule is for all local IPs,
             then put the Start IP as 0.0.0.0 and the End IP as 255.255.255.255. This
             field is N/A for One-to-One and Server types.
Global IP
  Start      Enter the starting global IP address (IGA). If you have a dynamic IP, enter
             0.0.0.0 as the Global IP Start. Note that Global IP Start can be set to
             0.0.0.0 only if the type is Many-to-One or Server.
  End        Enter the ending global IP address (IGA). This field is N/A for One-to-One,
             Many-to-One and Server types.
Server Mapping Set
             This field is available only when you select Server in the Type field.
Once you have finished configuring a rule in this menu, press [ENTER] at the message “Press ENTER
to Confirm…” to save your configuration, or press [ESC] to cancel.
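Another added example (not the ZyWALL's own code): a checker that applies the Table 217 constraints and the Start/End note above to a rule expressed as a Python dict. The dict field names are assumptions, and the two Many-to-Many type names come from this guide's NAT chapter rather than from this page.

```python
# Added example (not ZyXEL code): checks one menu 15.1.1.1 address mapping rule
# against Table 217 and the Start/End note above. The two Many-to-Many type
# names come from this guide's NAT chapter, not from this page.
import ipaddress

TYPES = {"One-to-One", "Many-to-One", "Many-to-Many Overload",
         "Many-to-Many No Overload", "Server"}
NO_LOCAL_END = {"One-to-One", "Server"}                  # Local End is N/A
NO_GLOBAL_END = {"One-to-One", "Many-to-One", "Server"}  # Global End is N/A
DYNAMIC_OK = {"Many-to-One", "Server"}  # may use Global Start 0.0.0.0
ANY = ipaddress.ip_address("0.0.0.0")

def _addr(rule, field, problems):
    """Parse an IP field, recording a problem if it is missing or malformed."""
    try:
        return ipaddress.ip_address(rule[field])
    except (KeyError, ValueError):
        problems.append("%s missing or not an IP address" % field)
        return None

def _range(rule, side, needs_end, problems):
    """Check a Start/End pair: an End address must be greater than its Start."""
    start = _addr(rule, side + "_start", problems)
    if not needs_end:
        if side + "_end" in rule:
            problems.append("%s_end is N/A for type %s" % (side, rule["type"]))
        return start
    end = _addr(rule, side + "_end", problems)
    if start is not None and end is not None and end <= start:
        problems.append("%s_end must be greater than %s_start" % (side, side))
    return start

def validate_rule(rule):
    """Return the list of Table 217 violations; empty means the rule is acceptable."""
    problems = []
    t = rule.get("type")
    if t not in TYPES:
        return ["unknown type %r" % t]
    if t == "Server":
        # Server rules use no Local IP fields; the Global IP fields must be set.
        if any(k in rule for k in ("local_start", "local_end")):
            problems.append("Local IP fields are N/A for Server")
    else:
        if "server_mapping_set" in rule:
            problems.append("Server Mapping Set is available only for Server")
        _range(rule, "local", t not in NO_LOCAL_END, problems)
    gstart = _range(rule, "global", t not in NO_GLOBAL_END, problems)
    if gstart == ANY and t not in DYNAMIC_OK:
        problems.append("Global Start 0.0.0.0 is allowed only for Many-to-One or Server")
    return problems
```

The two rules shown in Figure 318 (Many-to-One over all local IPs with a dynamic global IP, and a Server rule) pass; a One-to-One rule with Global Start 0.0.0.0 or a range whose End is not greater than its Start is reported.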
42.3 Configuring a Server behind NAT
Note: If you do not assign a Default Server IP address, the ZyWALL discards all
packets received for ports that are not specified here or in the remote
management setup.
Follow these steps to configure a server behind NAT:
1 Enter 15 in the main menu to go to Menu 15 - NAT Setup.
2 Enter 2 to open menu 15.2 (and configure the address mapping rules for the WAN port on
a ZyWALL with a single WAN port).
Figure 320 Menu 15.2: NAT Server Sets
Menu 15.2 - NAT Server Sets
1. Server Set 1
2. Server Set 2
Enter Set Number to Edit:
3 Enter 1 or 2 to go to Menu 15.2.x - NAT Server Setup and configure the address
mapping rules for the WAN 1 or WAN 2 port on a ZyWALL with multiple WAN ports.
Figure 321 Menu 15.2.1: NAT Server Sets

                     Menu 15.2.1 - NAT Server Setup

          Default Server: 0.0.0.0

          Rule  Act.  Start Port  End Port  IP Address
          -----------------------------------------------------
          001   No        0          0      0.0.0.0
          002   No        0          0      0.0.0.0
          003   No        0          0      0.0.0.0
          004   No        0          0      0.0.0.0
          005   No        0          0      0.0.0.0
          006   No        0          0      0.0.0.0
          007   No        0          0      0.0.0.0
          008   No        0          0      0.0.0.0
          009   No        0          0      0.0.0.0
          010   No        0          0      0.0.0.0

                   Select Command= None
                   Select Rule= N/A

                   Press ENTER to Confirm or ESC to Cancel:
4 Select Edit Rule in the Select Command field; type the index number of the NAT server
you want to configure in the Select Rule field and press [ENTER] to open Menu 15.2.1.2
- NAT Server Configuration (see the next figure).
Figure 322 15.2.1.2: NAT Server Configuration

                   15.2.1.2 - NAT Server Configuration

          Wan= 1
          Index= 2
          -----------------------------------------------
          Name= 1
          Active= Yes
          Start port= 21
          End port= 25
          IP Address= 192.168.1.33

                   Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this screen.
Table 218 15.2.1.2: NAT Server Configuration

FIELD        DESCRIPTION
WAN          On a ZyWALL with two WAN ports, you can configure port forwarding and trigger
             port rules for the first WAN port and separate sets of rules for the second
             WAN port. This is the WAN port (server set) you select in menu 15.2.
Index        This is the index number of an individual port forwarding server entry.
Name         Enter a name to identify this port-forwarding rule.
Active       Press [SPACE BAR] and then [ENTER] to select Yes to enable the NAT server entry.
Start Port   Enter a port number in the Start Port field. To forward only one port, enter
End Port     it again in the End Port field. To specify a range of ports, enter the last
             port to be forwarded in the End Port field.
IP Address   Enter the inside IP address of the server.
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to
save your configuration, or press [ESC] at any time to cancel.
5 Enter a port number in the Start Port field. To forward only one port, enter it again in the
End Port field. To specify a range of ports, enter the last port to be forwarded in the End
Port field.
6 Enter the inside IP address of the server in the IP Address field. In the following figure,
you have a computer acting as an FTP, Telnet and SMTP server (ports 21, 23 and 25) at
192.168.1.33.
7 Press [ENTER] at the “Press ENTER to confirm …” prompt to save your configuration
after you define all the servers or press [ESC] at any time to cancel.
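Added example (not ZyXEL code) of how a NAT server set and its Default Server decide the fate of an inbound packet arriving at the WAN IP, with an audit of the active rules against the Table 218 field rules. The dict layout, the DISCARD sentinel, the first-match order and the treatment of remote management ports are assumptions; the sample set is constructed to match Figures 321 and 322.

```python
# Added example (not ZyXEL code): models how a menu 15.2.1 NAT server set
# decides where an inbound packet arriving at the WAN IP goes, and audits the
# set the way Table 218 describes its fields. The sample set is constructed to
# match Figures 321 and 322.
import ipaddress

DISCARD = None  # no matching rule and no Default Server: the packet is dropped

def audit(server_set):
    """Return problems with the active rules: ports 1..65535, End >= Start, inside IP set."""
    problems = []
    for rule in server_set["rules"]:
        if rule["active"] != "Yes":
            continue  # Figure 321 lists inactive rules as 0 / 0 / 0.0.0.0
        if not 1 <= rule["start_port"] <= rule["end_port"] <= 65535:
            problems.append("rule %03d: bad port range" % rule["index"])
        try:
            if ipaddress.ip_address(rule["ip"]) == ipaddress.ip_address("0.0.0.0"):
                raise ValueError
        except ValueError:
            problems.append("rule %03d: inside IP address not set" % rule["index"])
    return problems

def resolve(server_set, dst_port, remote_mgmt_ports=()):
    """Return the inside IP for a packet to `dst_port`, the string 'ZyWALL' for a
    port owned by remote management (assumed to be handled by the device itself, as
    the note above implies), or DISCARD when nothing matches and no Default Server is set."""
    if dst_port in remote_mgmt_ports:
        return "ZyWALL"
    for rule in server_set["rules"]:
        if rule["active"] == "Yes" and rule["start_port"] <= dst_port <= rule["end_port"]:
            return rule["ip"]  # first matching rule is used here (assumption)
    default = server_set["default_server"]
    return DISCARD if default == "0.0.0.0" else default

def sample_set(default_server="0.0.0.0"):
    """Constructed set: rule 002 is the FTP/Telnet/SMTP host from Figure 322."""
    rules = [{"index": i, "active": "No", "start_port": 0, "end_port": 0,
              "ip": "0.0.0.0"} for i in range(1, 11)]
    rules[1].update(name="1", active="Yes", start_port=21, end_port=25,
                    ip="192.168.1.33")
    return {"default_server": default_server, "rules": rules}
```

With Default Server left at 0.0.0.0, resolve() returns DISCARD for every port outside 21 to 25; setting a Default Server instead sends all of those unforwarded ports to that one inside host, which is why it should stay at 0.0.0.0 unless a host is meant to receive them.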
Figure 323 Menu 15.2.1: NAT Server Setup

                     Menu 15.2.1 - NAT Server Setup

          Default Server: 0.0.0.0

          Rule  Act.  Start Port  End Port  IP Address
          ---------------------