ZyXEL Communications 10~100 Series manual


A good instruction manual

The law requires the seller to give the buyer the ZyXEL Communications 10~100 Series instruction manual together with the product. A missing manual, or incorrect information given to the consumer, is grounds for a complaint that the product does not conform to the contract. The law allows the manual to be supplied in a form other than paper, which has recently become quite common: manufacturers provide a graphical manual, an electronic version of the ZyXEL Communications 10~100 Series manual, or instructional videos for users. The condition is that it be legible and understandable.

What is an instruction manual?

The name comes from the Latin word “instructio”, that is, to put in order. A ZyXEL Communications 10~100 Series manual therefore describes the steps to follow. The purpose of a manual is to teach, and to make it easier to start up or use a device or to carry out specific actions. An instruction manual is also a source of information about an object or a service; it is a hint.

Unfortunately, few users take the time to read ZyXEL Communications 10~100 Series manuals; a good manual, however, lets us not only learn about a number of additional features of the purchased device but also avoid most faults.

So what should the perfect instruction manual contain?

Above all, a ZyXEL Communications 10~100 Series instruction manual should contain:
- information about the technical specifications of the ZyXEL Communications 10~100 Series device
- the manufacturer's name and the year of manufacture of the ZyXEL Communications 10~100 Series device
- the conditions of use, configuration and maintenance of the ZyXEL Communications 10~100 Series device
- safety marks and certificates confirming conformity with the relevant standards

Why don't we read instruction manuals?

Usually it is for lack of time and lack of certainty about the specific features of the devices purchased. Unfortunately, connecting and switching on the ZyXEL Communications 10~100 Series is not enough. An instruction manual always contains a series of pointers on specific features, safety rules, maintenance advice (including which products to use), possible faults of the ZyXEL Communications 10~100 Series and ways to solve problems that may arise during use. Finally, a manual gives the details of ZyXEL Communications technical service in case the proposed solutions have not worked. Instruction manuals in the form of engaging animations or video manuals are currently popular and reach the user much better than a leaflet. This kind of manual helps the user watch the whole video without skipping the specifications and the complicated technical descriptions of the ZyXEL Communications 10~100 Series, as people tend to do with a paper version.

Why is it worth reading instruction manuals?

Above all, that is where we find answers about the construction and capabilities of the ZyXEL Communications 10~100 Series device, the use of particular accessories, and a range of information that lets us take full advantage of its functions and conveniences.

After successfully buying a piece of equipment or a device, it is worth taking a moment to become familiar with each part of the ZyXEL Communications 10~100 Series manual. Manuals are now prepared and translated with care, so that they are not only understandable to users but also fulfil their basic function of informing and helping.

Instruction manual index

  • Page 1

    ZyWALL 10~100 Series Internet Security Gateway Reference Guide Versions 3.52, 3.60 and 3.61 March 2003[...]

  • Page 2

    ZyWALL 10~100 Series Internet Security Gateway ii Copyright Copyright Copyright © 2003 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechani[...]

  • Page 3

    ZyWALL 10~100 Series Internet Security Gateway FCC iii Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: This device may not cause harmful interference. This device must accept any interference received, including interference that[...]

  • Page 4

    ZyWALL 10~100 Series Internet Security Gateway iv Information for Canadian Users Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. The Industry Canada does not guarantee that[...]

  • Page 5

    ZyWALL 10~100 Series Internet Security Gateway Warranty v ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product hav[...]

  • Page 6

    ZyWALL 10~100 Series Internet Security Gateway vi Customer Support Customer Support When you contact your customer support representative please have the following information ready: Please have the following information ready when you contact customer support. • Product model and serial number. • Information in Menu 24.2.1 – Syst[...]

  • Page 7

    ZyWALL 10~100 Series Internet Security Gateway Table of Contents vii Table of Contents Copyright ... ii Federal Communications Commission (FCC) Interference Statement ...[...]

  • Page 8

    ZyWALL 10~100 Series Internet Security Gateway viii Table of Contents Index ... A[...]

  • Page 9

    ZyWALL 10~100 Series Internet Security Gateway List of Diagrams ix List of Diagrams Diagram 2-1 Ideal Setup ... 2-1 Diagram 2-2 “Triangle Route” Problem ...[...]

  • Page 10

    ZyWALL 10~100 Series Internet Security Gateway x List of Charts List of Charts Chart 8-1 Classes of IP Addresses ... 8-1 Chart 8-2 Allowed IP Address Range By Class ...[...]

  • Page 11

    ZyWALL 10~100 Series Internet Security Gateway List of Charts xi Chart 13-11 Sample IPSec Logs During Packet Transmission ... 13-15 Chart 13-12 RFC-2408 ISAKMP Payload Types ... 13-16 Chart 13-1[...]

  • Page 12

    ZyWALL 10~100 Series Internet Security Gateway xii Preface Preface About Your ZyWALL Congratulations on your purchase of the ZyWALL Security Gateway. About This User's Manual This manual is designed to provide background information on some of the ZyWALL’s features. It also includes commands for use with the command interpreter. This[...]

  • Page 13

    ZyWALL 10~100 Series Internet Security Gateway Preface xiii Syntax Conventions • “Enter” means for you to type one or more characters and press the carriage return. “Select” or “Choose” means for you to use one of the predefined choices. • The SMT menu titles and labels are in Bold Times New Roman font. • The choices of a me[...]

  • Page 14

    [...]

  • Page 15

    General Information I Part I: General Information This part provides background information about setting up your computer’s IP address, triangle route, how functions are related, wireless LAN, 802.1x, PPPoE, PPTP and IP subnetting.[...]

  • Page 16

    [...]

  • Page 17

    ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-1 Chapter 1 Setting up Your Computer’s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the [...]

  • Page 18

    ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-2 The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: a. In the Network window, click Add. b. Select Adapter and[...]

  • Page 19

    ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-3 1. Click the IP Address tab. -If your IP address is dynamic, select Obtain an IP address automatically. -If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields. 2. Click the DNS [...]

  • Page 20

    ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-4 3. Click the Gateway tab. -If you do not know your gateway’s IP address, remove previously installed gateways. -If you have a gateway IP address, type it in the New gateway field and click Add. 4. Click OK to save and close the TCP/IP Properties wind [...]

  • Page 21

    ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-5 1. For Windows XP, click start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel. 2. For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections. 3. Right-click Local Area Connection a[...]

  • Page 22

    ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-6 4. Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties. 5. The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP). -If you have a dynamic IP address click Obtain an IP address automatically.[...]

  • Page 23

    ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-7 6. -If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: -In the IP Settings tab, in IP address[...]

  • Page 24

    ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-8 7. In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): -Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). -If you know your DNS server IP address(es), click Use the following DNS[...]

  • Page 25

    ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-9 1. Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. 2. Select Ethernet built-in from the Connect via list. 3. For dynamically assigned settings, select Using DHCP Server from the Configure: list.[...]

  • Page 26

    ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-10 4. For statically assigned settings, do the following: -From the Configure box, select Manually. -Type your IP address in the IP Address box. -Type your subnet mask in the Subnet mask box. -Type the IP address of your ZyWALL in the Router address box. 5. C[...]

  • Page 27

    ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-11 2. Click Network in the icon bar. - Select Automatic from the Location list. - Select Built-in Ethernet from the Show list. - Click the TCP/IP tab. 3. For dynamically assigned settings, select Using DHCP from the Configure list. 4. For statically assigne[...]

  • Page 28

    [...]

  • Page 29

    ZyWALL 10~100 Series Internet Security Gateway Triangle Route 2-1 Chapter 2 Triangle Route The Ideal Setup When the firewall is on, your ZyWALL acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyWALL to protect your LAN against attacks. Diag[...]

  • Page 30

    ZyWALL 10~100 Series Internet Security Gateway Triangle Route 2-2 Diagram 2-2 “Triangle Route” Problem The “Triangle Route” Solutions This section presents you two solutions to the “triangle route” problem. IP Aliasing IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your ZyWALL sup[...]

  • Page 31

    ZyWALL 10~100 Series Internet Security Gateway Triangle Route 2-3 Gateways on the WAN Side A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side as the following figure shows. This ensures that all incoming network traffic passes through your ZyWALL to your LAN. Therefore your LAN [...]

  • Page 32

    [...]

  • Page 33

    ZyWALL 10~100 Series Internet Security Gateway The Big Picture 3-1 Chapter 3 The Big Picture The following figure gives an overview of how filtering, the firewall, VPN and NAT are related. Diagram 3-1 Big Picture— Filtering, Firewall, VPN and NAT[...]

  • Page 34

    ZyWALL 10~100 Series Internet Security Gateway The Big Picture 3-2[...]

  • Page 35

    ZyWALL 10~100 Series Internet Security Gateway Wireless LAN and IEEE 802.11 4-1 Chapter 4 Wireless LAN and IEEE 802.11 A wireless LAN (WLAN) provides a flexible data communications system that you can use to access various services (navigating the Internet, email, printer services, etc.) without the use of a cabled connection. In effect a w[...]

  • Page 36

    ZyWALL 10~100 Series Internet Security Gateway The Big Picture 4-2 The IEEE 802.11 specifies three different transmission methods for the PHY, the layer responsible for transferring data between nodes. Two of the methods use spread spectrum RF signals, Direct Sequence Spread Spectrum (DSSS) and Frequency-Hopping Spread Spectrum (FHSS), i[...]

  • Page 37

    ZyWALL 10~100 Series Internet Security Gateway Wireless LAN and IEEE 802.11 4-3 Diagram 4-1 Peer-to-Peer Communication in an Ad-hoc Network Infrastructure Wireless LAN Configuration For Infrastructure WLANs, multiple Access Points (APs) link the WLAN to the wired network and allow users to efficiently share network resources. The Access Points[...]

  • Page 38

    ZyWALL 10~100 Series Internet Security Gateway The Big Picture 4-4 could be any type of network, it is almost invariably an Ethernet LAN. Mobile nodes can roam between Access Points and seamless campus-wide coverage is possible. Diagram 4-2 ESS Provides Campus-Wide Coverage[...]

  • Page 39

    ZyWALL 10~100 Series Internet Security Gateway Wireless LAN with IEEE 802.1x 5-1 Chapter 5 Wireless LAN With IEEE 802.1x As wireless networks become popular for both portable computing and corporate networks, security is now a priority. Security Flaws with IEEE 802.11 Wireless networks based on the original IEEE 802.11 have a poor reputat[...]

  • Page 40

    ZyWALL 10~100 Series Internet Security Gateway Wireless LAN with IEEE 802.1x 5-2 • Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server. • Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional [...]

  • Page 41

    ZyWALL 10~100 Series Internet Security Gateway PPPoE 6-1 Chapter 6 PPPoE PPPoE in Action An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit), which connects to a DSL Access Concentrator where the PPP session terminates (see the next figure). One PVC can sup[...]

  • Page 42

    ZyWALL 10~100 Series Internet Security Gateway 6-2 PPPoE How PPPoE Works The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as a L2TP (Layer 2 Tunneling Protocol) LAC (L2TP A[...]

  • Page 43

    ZyWALL 10~100 Series Internet Security Gateway PPTP 7-1 Chapter 7 PPTP What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband modem over Ethernet? A solution is to build PPTP into the ANT [...]

  • Page 44

    ZyWALL 10~100 Series Internet Security Gateway 7-2 PPTP PPTP Protocol Overview PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco’s Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user. The PNS is the box tha[...]

  • Page 45

    ZyWALL 10~100 Series Internet Security Gateway PPTP 7-3 Diagram 7-3 Example Message Exchange between PC and an ANT PPP Data Connection The PPP frames are tunneled between the PNS and PAC over GRE (General Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.[...]

  • Page 46

    [...]

  • Page 47

    ZyWALL 10~100 Series Internet Security Gateway IP Subnetting 8-1 Chapter 8 IP Subnetting IP Addressing Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID. IP Classes An IP address is made up of four octets (eight bits), written in dotted decimal notation, [...]

  • Page 48

    ZyWALL 10~100 Series Internet Security Gateway 8-2 IP Subnetting • A class “B” address (16 host bits) can have 2^16 – 2 or 65534 hosts. A class “A” address (24 host bits) can have 2^24 – 2 hosts (approximately 16 million hosts). Since the first octet of a class “A” IP address must contain a “0”, the first octet of a clas[...]

  • Page 49

    ZyWALL 10~100 Series Internet Security Gateway IP Subnetting 8-3 With subnetting, the class arrangement of an IP address is ignored. For example, a class C address no longer has to have 24 bits of network number and 8 bits of host ID. With subnetting, some of the host ID bits are converted into network number bits. By convention, subnet masks a[...]

  • Page 50

    ZyWALL 10~100 Series Internet Security Gateway 8-4 IP Subnetting The first three octets of the address make up the network number (class “C”). You want to have two separate networks. Divide the network 192.168.1.0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit. The “borro[...]

  • Page 51

    ZyWALL 10~100 Series Internet Security Gateway IP Subnetting 8-5 192.168.1.0 with mask 255.255.255.128 is the subnet itself, and 192.168.1.127 with mask 255.255.255.128 is the directed broadcast address for the first subnet. Therefore, the lowest IP address that can be assigned to an actual host for the first subnet is 192.168.1.1 and the h[...]

  • Page 52

    ZyWALL 10~100 Series Internet Security Gateway 8-6 IP Subnetting Subnet Address: 192.168.1.128 Lowest Host ID: 192.168.1.129 Broadcast Address: 192.168.1.191 Highest Host ID: 192.168.1.190 Chart 8-10 Subnet 4 NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192.168.1. 192 IP Address (Binary) 11000000.10101000.00000001. 11000000 Subnet Mask [...]

  • Page 53

    ZyWALL 10~100 Series Internet Security Gateway IP Subnetting 8-7 Chart 8-12 Class C Subnet Planning

    | NO. “BORROWED” HOST BITS | SUBNET MASK | NO. SUBNETS | NO. HOSTS PER SUBNET |
    |---|---|---|---|
    | 1 | 255.255.255.128 (/25) | 2 | 126 |
    | 2 | 255.255.255.192 (/26) | 4 | 62 |
    | 3 | 255.255.255.224 (/27) | 8 | 30 |
    | 4 | 255.255.255.240 (/28) | 16 | 14 |
    | 5 | 255.255.255.248 (/29) | 32 | 6 |
    | 6 | 255.255.255.252 (/30) | 64 | 2 |
    | 7 [...]

  • Page 54

    ZyWALL 10~100 Series Internet Security Gateway 8-8 IP Subnetting Chart 8-13 Class B Subnet Planning

    | NO. “BORROWED” HOST BITS | SUBNET MASK | NO. SUBNETS | NO. HOSTS PER SUBNET |
    |---|---|---|---|
    | 9 | 255.255.255.128 (/25) | 512 | 126 |
    | 10 | 255.255.255.192 (/26) | 1024 | 62 |
    | 11 | 255.255.255.224 (/27) | 2048 | 30 |
    | 12 | 255.255.255.240 (/28) | 4096 | 14 |
    | 13 | 255.255.255.248 (/29) | 8192 | 6 |
    | 14 | 255.255.25[...]

  • Page 55

    Command and Log Information II Part II: Command and Log Information This part provides information on the command interpreter interface, firewall and NetBIOS commands and logs and password protection.[...]

  • Page 56

    [...]

  • Page 57

    ZyWALL 10~100 Series Internet Security Gateway Command Interpreter 9-1 Chapter 9 Command Interpreter The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed info[...]

  • Page 58

    [...]

  • Page 59

    ZyWALL 10~100 Series Internet Security Gateway Firewall Commands 10-1 Chapter 10 Firewall Commands The following describes the firewall commands. See the Command Interpreter appendix for information on the command structure. Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION Firewall Set-Up config[...]

  • Page 60

    ZyWALL 10~100 Series Internet Security Gateway 10-2 Firewall Commands Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION config display firewall attack This command shows all of the attack response settings. config display firewall e-mail This command shows all of the e-mail settings. config display firewall ? This command shows all of t[...]

  • Page 61

    ZyWALL 10~100 Series Internet Security Gateway Firewall Commands 10-3 Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION config edit firewall e-mail hour <0-23> This command sets the hour when the firewall log is sent through e-mail if the ZyWALL is set to send it on an hourly, daily or weekly basis. config edit firewall e-mail minu[...]

  • Page 62

    ZyWALL 10~100 Series Internet Security Gateway 10-4 Firewall Commands Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION config edit firewall attack minute-low <0-255> This command sets the threshold of half-open sessions where the ZyWALL stops deleting half-opened sessions. config edit firewall attack max-incomplete-high <0-255[...]

  • Page 63

    ZyWALL 10~100 Series Internet Security Gateway Firewall Commands 10-5 Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION Config edit firewall set <set #> connection-timeout <seconds> This command sets how long ZyWALL waits for a TCP session to be established before dropping the session. Config edit firewall set <set #> [...]

  • Page 64

    ZyWALL 10~100 Series Internet Security Gateway 10-6 Firewall Commands Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION Config edit firewall set <set #> rule <rule #> alert <yes | no> This command sets whether or not the ZyWALL sends an alert e-mail when a DOS attack or a violation of a particular rule occurs. config edi[...]

  • Page 65

    ZyWALL 10~100 Series Internet Security Gateway Firewall Commands 10-7 Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION config edit firewall set <set #> rule <rule #> TCP destport-single <port #> This command sets a rule to have the ZyWALL check for TCP traffic with this destination address. You may repeat this command [...]

  • Page 66

    ZyWALL 10~100 Series Internet Security Gateway 10-8 Firewall Commands Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION config delete firewall set <set #> rule <rule #> This command removes the specified rule in a firewall configuration set.[...]

  • Page 67

    ZyWALL 10~100 Series Internet Security Gateway NetBIOS Filter Commands 11-1 Chapter 11 NetBIOS Filter Commands The following describes the NetBIOS packet filter commands. See the Command Interpreter appendix for information on the command structure. Introduction NetBIOS (Network Basic Input/Output System) are TCP or UDP broadcast packets that[...]

  • Page 68

    ZyWALL 10~100 Series Internet Security Gateway 11-2 NetBIOS Filter Commands This command gives a read-only list of the current NetBIOS filter modes for a ZyWALL that does not have DMZ. Diagram 11-1 NetBIOS Display Filter Settings Command Without DMZ Example Syntax: sys filter netbios disp This command gives a read-only list of the current NetBIOS [...]

  • Page 69

    ZyWALL 10~100 Series Internet Security Gateway NetBIOS Filter Commands 11-3 Chart 11-1 NetBIOS Filter Default Settings NAME DESCRIPTION EXAMPLE WAN to DMZ This field displays whether NetBIOS packets are blocked or forwarded from the WAN to the DMZ. Forward DMZ to LAN This field displays whether NetBIOS packets are blocked or forwarded from the DMZ[...]

  • Page 70

    ZyWALL 10~100 Series Internet Security Gateway 11-4 NetBIOS Filter Commands <on|off> = For types 0 and 1, use on to enable the filter and block NetBIOS packets. Use off to disable the filter and forward NetBIOS packets. For type 6, use on to block NetBIOS packets from being sent through a VPN connection. Use off to allow NetBIOS packets [...]

  • Page 71

    ZyWALL 10~100 Series Internet Security Gateway Boot Commands 12-1 Chapter 12 Boot Commands The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware (ZyNOS) is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing[...]

  • Page 72

    ZyWALL 10~100 Series Internet Security Gateway 12-2 Boot Commands Diagram 12-2 Boot Module Commands

    AT just answer OK
    ATHE print help
    ATBAx change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
    ATENx,(y) set BootExtension Debug Flag (y=password)
    ATSE show the seed of password generator
    ATTI(h,m,s) change system time to hour:min:sec or show cu[...]

  • Page 73

    ZyWALL 10~100 Series Internet Security Gateway Log Descriptions 13-1 Chapter 13 Log Descriptions Chart 13-1 System Error Logs LOG MESSAGE DESCRIPTION %s exceeds the max. number of session per host! This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host. Chart 13-2 System Maintena[...]

  • Page 74

    ZyWALL 10~100 Series Internet Security Gateway 13-2 Log Descriptions Chart 13-2 System Maintenance Logs TELNET Login Fail Someone has failed to log on to the router via telnet. FTP Login Successfully Someone has logged on to the router via ftp. FTP Login Fail Someone has failed to log on to the router via ftp. NAT Session Table is Full! The maximu[...]

  • Page 75

    ZyWALL 10~100 Series Internet Security Gateway Log Descriptions 13-3 Chart 13-5 Attack Logs LOG MESSAGE DESCRIPTION attack IGMP The firewall detected an IGMP attack. attack ESP The firewall detected an ESP attack. attack GRE The firewall detected a GRE attack. attack OSPF The firewall detected an OSPF attack. attack ICMP (type:%d, code:%d) The fir[...]

  • Page 76

    ZyWALL 10~100 Series Internet Security Gateway 13-4 Log Descriptions Chart 13-5 Attack Logs LOG MESSAGE DESCRIPTION syn flood TCP The firewall detected a TCP syn flood attack. ports scan TCP The firewall detected a TCP port scan attack. teardrop TCP The firewall detected a TCP teardrop attack. teardrop UDP The firewall detected an UDP teardrop att[...]

  • Page 77

    ZyWALL 10~100 Series Internet Security Gateway Log Descriptions 13-5 Chart 13-6 Access Logs LOG MESSAGE DESCRIPTION Firewall default policy: TCP (set:%d) TCP access matched the default policy of the listed ACL set and the ZyWALL blocked or forwarded it according to the ACL set’s configuration. Firewall default policy: UDP (set:%d) UDP access ma[...]

  • Page 78

    ZyWALL 10~100 Series Internet Security Gateway 13-6 Log Descriptions Chart 13-6 Access Logs LOG MESSAGE DESCRIPTION Firewall rule match: IGMP (set:%d, rule:%d) IGMP access matched the listed firewall rule and the ZyWALL blocked or forwarded it according to the rule’s configuration. Firewall rule match: ESP (set:%d, rule:%d) ESP access matched the[...]

  • Page 79

    ZyWALL 10~100 Series Internet Security Gateway Log Descriptions 13-7 Chart 13-6 Access Logs LOG MESSAGE DESCRIPTION Firewall rule NOT match: OSPF (set:%d, rule:%d) OSPF access did not match the listed firewall rule and the ZyWALL logged it. Firewall rule NOT match: (set:%d, rule:%d) Access did not match the listed firewall rule and the ZyWALL log[...]

  • Page 80

    ZyWALL 10~100 Series Internet Security Gateway 13-8 Log Descriptions Chart 13-6 Access Logs LOG MESSAGE DESCRIPTION Filter match DROP <set %d/rule %d> ICMP access matched the listed filter rule and the ZyWALL dropped the packet to block access. Filter match DROP <set %d/rule %d> Access matched the listed filter rule and the ZyWALL dro[...]

  • Page 81

    ZyWALL 10~100 Series Internet Security Gateway Log Descriptions 13-9 Chart 13-6 Access Logs LOG MESSAGE DESCRIPTION Firewall sent TCP reset packets The firewall sent out TCP reset packets. Packet without a NAT table entry blocked The router blocked a packet that did not have a corresponding NAT table entry. Out of order TCP handshake packet blocke[...]

  • Page 82

    ZyWALL 10~100 Series Internet Security Gateway 13-10 Log Descriptions Chart 13-7 ACL Setting Notes ACL SET NUMBER DIRECTION DESCRIPTION 9 DMZ to DMZ/ZyWALL ACL set 9 for packets traveling from the DMZ to the DMZ or the ZyWALL. Chart 13-8 ICMP Notes TYPE CODE DESCRIPTION 0 Echo Reply 0 Echo reply message 3 Destination Unreachable 0 Net unreachable 1[...]

  • Page 83

    ZyWALL 10~100 Series Internet Security Gateway Log Descriptions 13-11 Chart 13-8 ICMP Notes TYPE CODE DESCRIPTION 0 Echo message 11 Time Exceeded 0 Time to live exceeded in transit 1 Fragment reassembly time exceeded 12 Parameter Problem 0 Pointer indicates the error 13 Timestamp 0 Timestamp request message 14 Timestamp Reply 0 Timestamp reply mess[...]

  • Page 84

    ZyWALL 10~100 Series Internet Security Gateway 13-12 Log Descriptions Diagram 13-1 Example VPN Initiator IPSec Log VPN Responder IPSec Log The following figure shows a typical log from the VPN connection peer. Diagram 13-2 Example VPN Responder IPSec Log This menu is useful for troubleshooting. A log index number, the date and time the log[...]

  • Page 85

    ZyWALL 10~100 Series Internet Security Gateway Log Descriptions 13-13 The following table shows sample log messages during IKE key exchange. Chart 13-10 Sample IKE Key Exchange Logs LOG MESSAGE DESCRIPTION Send <Symbol> Mode request to <IP> Send <Symbol> Mode request to <IP> The ZyWALL has started negotiation with the peer.[...]

  • Page 86

    ZyWALL 10~100 Series Internet Security Gateway 13-14 Log Descriptions Chart 13-10 Sample IKE Key Exchange Logs LOG MESSAGE DESCRIPTION !! Remote IP <IP start> / <IP end> conflicts If the security gateway is “0.0.0.0”, the ZyWALL will use the peer’s “Local Addr” as its “Remote Addr”. If a peer’s “Local Addr” range con[...]

  • Page 87

    ZyWALL 10~100 Series Internet Security Gateway Log Descriptions 13-15 Chart 13-10 Sample IKE Key Exchange Logs LOG MESSAGE DESCRIPTION vs. My Local <IP address> The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the local router. The log displays this router’s configu[...]

  • Page 88

    ZyWALL 10~100 Series Internet Security Gateway 13-16 Log Descriptions The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type. Chart 13-12 RFC-2408 ISAKMP Payload Types LOG DISPLAY PAYLOAD TYPE SA Security Association PROP Proposal TRANS Transform KE Key Excha[...]

  • Page 89

    ZyWALL 10~100 Series Internet Security Gateway Log Descriptions 13-17 Log Commands Go to the command interpreter interface (the Command Interpreter Appendix explains how to access and use the commands). Configuring What You Want the ZyWALL to Log Use the sys logs load command to load the log setting buffer that allows you to configure which logs[...]

  • Page 90

    ZyWALL 10~100 Series Internet Security Gateway 13-2 Log Descriptions Use the sys logs display [log category] command to show the logs in an individual ZyWALL log category. Use the sys logs clear command to erase all of the ZyWALL’s logs. Log Command Example This example shows how to set the ZyWALL to record the access logs and alerts and the[...]

  • Page 91

    ZyWALL 10~100 Series Internet Security Gateway Brute-Force Password Guessing Protection 14-1 Chapter 14 Brute-Force Password Guessing Protection The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password. See the Command Interpreter appendix for infor[...]

  • Page 92

    [...]

  • Page 93

    Index III Part III: Index This part provides an Index of key terms.[...]

  • Page 94

    [...]

  • Page 95

    ZyWALL 10~100 Series Internet Security Gateway Index A Index A Ad-hoc Configuration ... 4-2 Alternative Subnet Mask Notation ... 8-3 B Basic Service Set ... 4-2 Big Picture ... 3-1 Bold Times font ...[...]

  • Page 96

    ZyWALL 10~100 Series Internet Security Gateway B Index Infrastructure Configuration ... 4-3 IP Addressing ... 8-1 IP Classes ... 8-1 L Log Descriptions ... 13-1 N Network Topology Wit[...]