ZyXEL Communications 10~100 Series user manual


A good user manual

The rules oblige the retailer to supply the buyer, together with the goods, with the ZyXEL Communications 10~100 Series user manual. The absence of a user manual, or incorrect information supplied to the consumer, is grounds for a complaint that the device does not conform to the contract. Under the law, the user manual may be supplied in a form other than paper, which is increasingly common, including a graphical or electronic version of the ZyXEL Communications 10~100 Series manual or instructional videos for users. The condition is that it be legible and understandable.

What is a user manual?

The word comes from the Latin "instructio", meaning to organize. A user manual for the ZyXEL Communications 10~100 Series therefore describes the steps of a procedure. The purpose of a user manual is to instruct, to make it easier to get started, to use the equipment or to carry out specific actions. The user manual is a collection of information about the product or service, a reference.

Unfortunately, few users take the time to read the user manual, yet a good manual not only lets you learn about a number of additional features of the device you bought, but also helps you avoid most failures.

So what should the perfect manual contain?

First of all, the ZyXEL Communications 10~100 Series user manual should contain:
- information on the technical characteristics of the ZyXEL Communications 10~100 Series device
- the manufacturer's name and the year of manufacture of the ZyXEL Communications 10~100 Series
- instructions for using, adjusting and maintaining the ZyXEL Communications 10~100 Series equipment
- safety markings and certificates confirming compliance with the relevant standards

Why don't we read user manuals?

Usually this is due to a lack of time and of certainty about the specific features of the equipment purchased. Unfortunately, connecting and starting up the ZyXEL Communications 10~100 Series is not enough. The user manual contains a number of guidelines on specific features, safety, maintenance methods (including which products to use), possible ZyXEL Communications 10~100 Series faults and ways of solving common problems during use. Finally, the manual contains the contact details of the ZyXEL Communications service department should the proposed solutions prove ineffective. Nowadays, user manuals in the form of engaging animations and instructional videos, which are better than a brochure, are very popular. This type of manual lets the user watch the whole instructional video without skipping the specifications and complicated technical descriptions of the ZyXEL Communications 10~100 Series, as happens with the paper version.

Why read the user manual?

First of all, it contains the answers about the structure and capabilities of the ZyXEL Communications 10~100 Series device, the use of various accessories and a range of information for making full use of all its features and conveniences.

After a successful purchase of the equipment/device, take a moment to familiarize yourself with every part of the ZyXEL Communications 10~100 Series user manual. Nowadays they are carefully prepared and translated so that they are not only understandable to users but also fulfil their basic function of informing and helping.

Table of contents of the user manual

  • Page 1

    ZyWALL 10~100 Series Internet Security Gateway Reference Guide Versions 3.52, 3.60 and 3.61 March 2003[...]

  • Page 2

    ZyWALL 10~100 Series Internet Security Gateway ii Copyright Copyright © 2003 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechani[...]

  • Page 3

    ZyWALL 10~100 Series Internet Security Gateway FCC iii Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: This device may not cause harmful interference. This device must accept any interference received, including interference that[...]

  • Page 4

    ZyWALL 10~100 Series Internet Security Gateway iv Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. The Industry Canada does not guarantee that[...]

  • Page 5

    ZyWALL 10~100 Series Internet Security Gateway Warranty v ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product hav[...]

  • Page 6

    ZyWALL 10~100 Series Internet Security Gateway vi Customer Support When you contact your customer support representative please have the following information ready: Please have the following information ready when you contact customer support. • Product model and serial number. • Information in Menu 24.2.1 – Syst[...]

  • Page 7

    ZyWALL 10~100 Series Internet Security Gateway Table of Contents vii Table of Contents Copyright ... ii Federal Communications Commission (FCC) Interference Statement ...[...]

  • Page 8

    ZyWALL 10~100 Series Internet Security Gateway viii Table of Contents Index ... A[...]

  • Page 9

    ZyWALL 10~100 Series Internet Security Gateway List of Diagrams ix List of Diagrams Diagram 2-1 Ideal Setup ... 2-1 Diagram 2-2 “Triangle Route” Problem ...[...]

  • Page 10

    ZyWALL 10~100 Series Internet Security Gateway x List of Charts List of Charts Chart 8-1 Classes of IP Addresses ... 8-1 Chart 8-2 Allowed IP Address Range By Class ...[...]

  • Page 11

    ZyWALL 10~100 Series Internet Security Gateway List of Charts xi Chart 13-11 Sample IPSec Logs During Packet Transmission ... 13-15 Chart 13-12 RFC-2408 ISAKMP Payload Types ... 13-16 Chart 13-1[...]

  • Page 12

    ZyWALL 10~100 Series Internet Security Gateway xii Preface Preface About Your ZyWALL Congratulations on your purchase of the ZyWALL Security Gateway. About This User's Manual This manual is designed to provide background information on some of the ZyWALL’s features. It also includes commands for use with the command interpreter. This[...]

  • Page 13

    ZyWALL 10~100 Series Internet Security Gateway Preface xiii Syntax Conventions • “Enter” means for you to type one or more characters and press the carriage return. “Select” or “Choose” means for you to use one of the predefined choices. • The SMT menu titles and labels are in Bold Times New Roman font. • The choices of a me[...]

  • Page 14

    [...]

  • Page 15

    General Information I Part I: General Information This part provides background information about setting up your computer’s IP address, triangle route, how functions are related, wireless LAN, 802.1x, PPPoE, PPTP and IP subnetting.[...]

  • Page 16

    [...]

  • Page 17

    ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-1 Chapter 1 Setting up Your Computer’s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the[...]

  • Page 18

    ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-2 The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: a. In the Network window, click Add. b. Select Adapter and[...]

  • Page 19

    ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-3 1. Click the IP Address tab. -If your IP address is dynamic, select Obtain an IP address automatically. -If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields. 2. Click the DNS[...]

  • Page 20

    ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-4 3. Click the Gateway tab. -If you do not know your gateway’s IP address, remove previously installed gateways. -If you have a gateway IP address, type it in the New gateway field and click Add. 4. Click OK to save and close the TCP/IP Properties wind[...]

  • Page 21

    ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-5 1. For Windows XP, click start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel. 2. For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections. 3. Right-click Local Area Connection a[...]

  • Page 22

    ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-6 4. Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties. 5. The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP). -If you have a dynamic IP address click Obtain an IP address automatically.[...]

  • Page 23

    ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-7 6. -If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: -In the IP Settings tab, in IP address[...]

  • Page 24

    ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-8 7. In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): -Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). -If you know your DNS server IP address(es), click Use the following DNS[...]

  • Page 25

    ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-9 1. Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. 2. Select Ethernet built-in from the Connect via list. 3. For dynamically assigned settings, select Using DHCP Server from the Configure: list.[...]

  • Page 26

    ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-10 4. For statically assigned settings, do the following: -From the Configure box, select Manually. -Type your IP address in the IP Address box. -Type your subnet mask in the Subnet mask box. -Type the IP address of your ZyWALL in the Router address box. 5. C[...]

  • Page 27

    ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-11 2. Click Network in the icon bar. - Select Automatic from the Location list. - Select Built-in Ethernet from the Show list. - Click the TCP/IP tab. 3. For dynamically assigned settings, select Using DHCP from the Configure list. 4. For statically assigne[...]

  • Page 28

    [...]

  • Page 29

    ZyWALL 10~100 Series Internet Security Gateway Triangle Route 2-1 Chapter 2 Triangle Route The Ideal Setup When the firewall is on, your ZyWALL acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyWALL to protect your LAN against attacks. Diag[...]

  • Page 30

    ZyWALL 10~100 Series Internet Security Gateway Triangle Route 2-2 Diagram 2-2 “Triangle Route” Problem The “Triangle Route” Solutions This section presents you two solutions to the “triangle route” problem. IP Aliasing IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your ZyWALL sup[...]

  • Page 31

    ZyWALL 10~100 Series Internet Security Gateway Triangle Route 2-3 Gateways on the WAN Side A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side as the following figure shows. This ensures that all incoming network traffic passes through your ZyWALL to your LAN. Therefore your LAN[...]

  • Page 32

    [...]

  • Page 33

    ZyWALL 10~100 Series Internet Security Gateway The Big Picture 3-1 Chapter 3 The Big Picture The following figure gives an overview of how filtering, the firewall, VPN and NAT are related. Diagram 3-1 Big Picture— Filtering, Firewall, VPN and NAT[...]

  • Page 34

    ZyWALL 10~100 Series Internet Security Gateway The Big Picture 3-2[...]

  • Page 35

    ZyWALL 10~100 Series Internet Security Gateway Wireless LAN and IEEE 802.11 4-1 Chapter 4 Wireless LAN and IEEE 802.11 A wireless LAN (WLAN) provides a flexible data communications system that you can use to access various services (navigating the Internet, email, printer services, etc.) without the use of a cabled connection. In effect a w[...]

  • Page 36

    ZyWALL 10~100 Series Internet Security Gateway The Big Picture 4-2 The IEEE 802.11 specifies three different transmission methods for the PHY, the layer responsible for transferring data between nodes. Two of the methods use spread spectrum RF signals, Direct Sequence Spread Spectrum (DSSS) and Frequency-Hopping Spread Spectrum (FHSS), i[...]

  • Page 37

    ZyWALL 10~100 Series Internet Security Gateway Wireless LAN and IEEE 802.11 4-3 Diagram 4-1 Peer-to-Peer Communication in an Ad-hoc Network Infrastructure Wireless LAN Configuration For Infrastructure WLANs, multiple Access Points (APs) link the WLAN to the wired network and allow users to efficiently share network resources. The Access Points[...]

  • Page 38

    ZyWALL 10~100 Series Internet Security Gateway The Big Picture 4-4 could be any type of network, it is almost invariably an Ethernet LAN. Mobile nodes can roam between Access Points and seamless campus-wide coverage is possible. Diagram 4-2 ESS Provides Campus-Wide Coverage[...]

  • Page 39

    ZyWALL 10~100 Series Internet Security Gateway Wireless LAN with IEEE 802.1x 5-1 Chapter 5 Wireless LAN With IEEE 802.1x As wireless networks become popular for both portable computing and corporate networks, security is now a priority. Security Flaws with IEEE 802.11 Wireless networks based on the original IEEE 802.11 have a poor reputat[...]

  • Page 40

    ZyWALL 10~100 Series Internet Security Gateway Wireless LAN with IEEE 802.1x 5-2 • Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server. • Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional[...]

  • Page 41

    ZyWALL 10~100 Series Internet Security Gateway PPPoE 6-1 Chapter 6 PPPoE PPPoE in Action An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit), which connects to a DSL Access Concentrator where the PPP session terminates (see the next figure). One PVC can sup[...]

  • Page 42

    ZyWALL 10~100 Series Internet Security Gateway 6-2 PPPoE How PPPoE Works The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as a L2TP (Layer 2 Tunneling Protocol) LAC (L2TP A[...]

  • Page 43

    ZyWALL 10~100 Series Internet Security Gateway PPTP 7-1 Chapter 7 PPTP What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband modem over Ethernet? A solution is to build PPTP into the ANT[...]

  • Page 44

    ZyWALL 10~100 Series Internet Security Gateway 7-2 PPTP PPTP Protocol Overview PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco’s Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user. The PNS is the box tha[...]

  • Page 45

    ZyWALL 10~100 Series Internet Security Gateway PPTP 7-3 Diagram 7-3 Example Message Exchange between PC and an ANT PPP Data Connection The PPP frames are tunneled between the PNS and PAC over GRE (General Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.[...]

  • Page 46

    [...]

  • Page 47

    ZyWALL 10~100 Series Internet Security Gateway IP Subnetting 8-1 Chapter 8 IP Subnetting IP Addressing Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID. IP Classes An IP address is made up of four octets (eight bits), written in dotted decimal notation,[...]

  • Page 48

    ZyWALL 10~100 Series Internet Security Gateway 8-2 IP Subnetting A class “B” address (16 host bits) can have 2^16 – 2 or 65534 hosts. A class “A” address (24 host bits) can have 2^24 – 2 hosts (approximately 16 million hosts). Since the first octet of a class “A” IP address must contain a “0”, the first octet of a clas[...]

  • Page 49

    ZyWALL 10~100 Series Internet Security Gateway IP Subnetting 8-3 With subnetting, the class arrangement of an IP address is ignored. For example, a class C address no longer has to have 24 bits of network number and 8 bits of host ID. With subnetting, some of the host ID bits are converted into network number bits. By convention, subnet masks a[...]

  • Page 50

    ZyWALL 10~100 Series Internet Security Gateway 8-4 IP Subnetting The first three octets of the address make up the network number (class “C”). You want to have two separate networks. Divide the network 192.168.1.0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit. The “borro[...]

  • Page 51

    ZyWALL 10~100 Series Internet Security Gateway IP Subnetting 8-5 192.168.1.0 with mask 255.255.255.128 is the subnet itself, and 192.168.1.127 with mask 255.255.255.128 is the directed broadcast address for the first subnet. Therefore, the lowest IP address that can be assigned to an actual host for the first subnet is 192.168.1.1 and the h[...]

  • Page 52

    ZyWALL 10~100 Series Internet Security Gateway 8-6 IP Subnetting Subnet Address: 192.168.1.128 Lowest Host ID: 192.168.1.129 Broadcast Address: 192.168.1.191 Highest Host ID: 192.168.1.190 Chart 8-10 Subnet 4 NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192.168.1.192 IP Address (Binary) 11000000.10101000.00000001.11000000 Subnet Mask[...]

  • Page 53

    ZyWALL 10~100 Series Internet Security Gateway IP Subnetting 8-7 Chart 8-12 Class C Subnet Planning NO. “BORROWED” HOST BITS SUBNET MASK NO. SUBNETS NO. HOSTS PER SUBNET 1 255.255.255.128 (/25) 2 126 2 255.255.255.192 (/26) 4 62 3 255.255.255.224 (/27) 8 30 4 255.255.255.240 (/28) 16 14 5 255.255.255.248 (/29) 32 6 6 255.255.255.252 (/30) 64 2 [...]

  • Page 54

    ZyWALL 10~100 Series Internet Security Gateway 8-8 IP Subnetting Chart 8-13 Class B Subnet Planning NO. “BORROWED” HOST BITS SUBNET MASK NO. SUBNETS NO. HOSTS PER SUBNET 9 255.255.255.128 (/25) 512 126 10 255.255.255.192 (/26) 1024 62 11 255.255.255.224 (/27) 2048 30 12 255.255.255.240 (/28) 4096 14 13 255.255.255.248 (/29) 8192 6 14 255.255.25[...]

  • Page 55

    Command and Log Information II Part II: Command and Log Information This part provides information on the command interpreter interface, firewall and NetBIOS commands and logs and password protection.[...]

  • Page 56

    [...]

  • Page 57

    ZyWALL 10~100 Series Internet Security Gateway Command Interpreter 9-1 Chapter 9 Command Interpreter The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed info[...]

  • Page 58

    [...]

  • Page 59

    ZyWALL 10~100 Series Internet Security Gateway Firewall Commands 10-1 Chapter 10 Firewall Commands The following describes the firewall commands. See the Command Interpreter appendix for information on the command structure. Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION Firewall Set-Up config[...]

  • Page 60

    ZyWALL 10~100 Series Internet Security Gateway 10-2 Firewall Commands Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION config display firewall attack This command shows all of the attack response settings. config display firewall e-mail This command shows all of the e-mail settings. config display firewall ? This command shows all of t[...]

  • Page 61

    ZyWALL 10~100 Series Internet Security Gateway Firewall Commands 10-3 Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION config edit firewall e-mail hour <0-23> This command sets the hour when the firewall log is sent through e-mail if the ZyWALL is set to send it on an hourly, daily or weekly basis. config edit firewall e-mail minu[...]

  • Page 62

    ZyWALL 10~100 Series Internet Security Gateway 10-4 Firewall Commands Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION config edit firewall attack minute-low <0-255> This command sets the threshold of half-open sessions where the ZyWALL stops deleting half-opened sessions. config edit firewall attack max-incomplete-high <0-255[...]

  • Page 63

    ZyWALL 10~100 Series Internet Security Gateway Firewall Commands 10-5 Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION Config edit firewall set <set #> connection-timeout <seconds> This command sets how long ZyWALL waits for a TCP session to be established before dropping the session. Config edit firewall set <set #>[...]

  • Page 64

    ZyWALL 10~100 Series Internet Security Gateway 10-6 Firewall Commands Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION Config edit firewall set <set #> rule <rule #> alert <yes | no> This command sets whether or not the ZyWALL sends an alert e-mail when a DOS attack or a violation of a particular rule occurs. config edi[...]

  • Page 65

    ZyWALL 10~100 Series Internet Security Gateway Firewall Commands 10-7 Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION config edit firewall set <set #> rule <rule #> TCP destport-single <port #> This command sets a rule to have the ZyWALL check for TCP traffic with this destination address. You may repeat this command[...]

  • Page 66

    ZyWALL 10~100 Series Internet Security Gateway 10-8 Firewall Commands Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION config delete firewall set <set #> rule <rule #> This command removes the specified rule in a firewall configuration set.[...]

  • Page 67

    ZyWALL 10~100 Series Internet Security Gateway NetBIOS Filter Commands 11-1 Chapter 11 NetBIOS Filter Commands The following describes the NetBIOS packet filter commands. See the Command Interpreter appendix for information on the command structure. Introduction NetBIOS (Network Basic Input/Output System) are TCP or UDP broadcast packets that[...]

  • Page 68

    ZyWALL 10~100 Series Internet Security Gateway 11-2 NetBIOS Filter Commands This command gives a read-only list of the current NetBIOS filter modes for a ZyWALL that does not have DMZ. Diagram 11-1 NetBIOS Display Filter Settings Command Without DMZ Example Syntax: sys filter netbios disp This command gives a read-only list of the current NetBIOS[...]

  • Page 69

    ZyWALL 10~100 Series Internet Security Gateway NetBIOS Filter Commands 11-3 Chart 11-1 NetBIOS Filter Default Settings NAME DESCRIPTION EXAMPLE WAN to DMZ This field displays whether NetBIOS packets are blocked or forwarded from the WAN to the DMZ. Forward DMZ to LAN This field displays whether NetBIOS packets are blocked or forwarded from the DMZ[...]

  • Page 70

    ZyWALL 10~100 Series Internet Security Gateway 11-4 NetBIOS Filter Commands <on|off> = For types 0 and 1, use on to enable the filter and block NetBIOS packets. Use off to disable the filter and forward NetBIOS packets. For type 6, use on to block NetBIOS packets from being sent through a VPN connection. Use off to allow NetBIOS packets[...]

  • Page 71

    ZyWALL 10~100 Series Internet Security Gateway Boot Commands 12-1 Chapter 12 Boot Commands The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware (ZyNOS) is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing[...]

  • Page 72

    ZyWALL 10~100 Series Internet Security Gateway 12-2 Boot Commands Diagram 12-2 Boot Module Commands AT just answer OK ATHE print help ATBAx change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k ATENx,(y) set BootExtension Debug Flag (y=password) ATSE show the seed of password generator ATTI(h,m,s) change system time to hour:min:sec or show cu[...]

  • Page 73

    ZyWALL 10~100 Series Internet Security Gateway Log Descriptions 13-1 Chapter 13 Log Descriptions Chart 13-1 System Error Logs LOG MESSAGE DESCRIPTION %s exceeds the max. number of session per host! This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host. Chart 13-2 System Maintena[...]

  • Page 74

    ZyWALL 10~100 Series Internet Security Gateway 13-2 Log Descriptions Chart 13-2 System Maintenance Logs TELNET Login Fail Someone has failed to log on to the router via telnet. FTP Login Successfully Someone has logged on to the router via ftp. FTP Login Fail Someone has failed to log on to the router via ftp. NAT Session Table is Full! The maximu[...]

  • Page 75

    ZyWALL 10~100 Series Internet Security Gateway Log Descriptions 13-3 Chart 13-5 Attack Logs LOG MESSAGE DESCRIPTION attack IGMP The firewall detected an IGMP attack. attack ESP The firewall detected an ESP attack. attack GRE The firewall detected a GRE attack. attack OSPF The firewall detected an OSPF attack. attack ICMP (type:%d, code:%d) The fir[...]

  • Page 76

    ZyWALL 10~100 Series Internet Security Gateway 13-4 Log Descriptions Chart 13-5 Attack Logs LOG MESSAGE DESCRIPTION syn flood TCP The firewall detected a TCP syn flood attack. ports scan TCP The firewall detected a TCP port scan attack. teardrop TCP The firewall detected a TCP teardrop attack. teardrop UDP The firewall detected an UDP teardrop att[...]

  • Page 77

    ZyWALL 10~100 Series Internet Security Gateway Log Descriptions 13-5 Chart 13-6 Access Logs LOG MESSAGE DESCRIPTION Firewall default policy: TCP (set:%d) TCP access matched the default policy of the listed ACL set and the ZyWALL blocked or forwarded it according to the ACL set’s configuration. Firewall default policy: UDP (set:%d) UDP access ma[...]

  • Page 78

    ZyWALL 10~100 Series Internet Security Gateway 13-6 Log Descriptions Chart 13-6 Access Logs LOG MESSAGE DESCRIPTION Firewall rule match: IGMP (set:%d, rule:%d) IGMP access matched the listed firewall rule and the ZyWALL blocked or forwarded it according to the rule’s configuration. Firewall rule match: ESP (set:%d, rule:%d) ESP access matched the[...]

  • Page 79

    ZyWALL 10~100 Series Internet Security Gateway Log Descriptions 13-7 Chart 13-6 Access Logs LOG MESSAGE DESCRIPTION Firewall rule NOT match: OSPF (set:%d, rule:%d) OSPF access did not match the listed firewall rule and the ZyWALL logged it. Firewall rule NOT match: (set:%d, rule:%d) Access did not match the listed firewall rule and the ZyWALL log[...]

  • Page 80

    ZyWALL 10~100 Series Internet Security Gateway 13-8 Log Descriptions Chart 13-6 Access Logs LOG MESSAGE DESCRIPTION Filter match DROP <set %d/rule %d> ICMP access matched the listed filter rule and the ZyWALL dropped the packet to block access. Filter match DROP <set %d/rule %d> Access matched the listed filter rule and the ZyWALL dro[...]

  • Page 81

    ZyWALL 10~100 Series Internet Security Gateway Log Descriptions 13-9 Chart 13-6 Access Logs LOG MESSAGE DESCRIPTION Firewall sent TCP reset packets The firewall sent out TCP reset packets. Packet without a NAT table entry blocked The router blocked a packet that did not have a corresponding NAT table entry. Out of order TCP handshake packet blocke[...]

  • Page 82

    ZyWALL 10~100 Series Internet Security Gateway 13-10 Log Descriptions Chart 13-7 ACL Setting Notes ACL SET NUMBER DIRECTION DESCRIPTION 9 DMZ to DMZ/ZyWALL ACL set 9 for packets traveling from the DMZ to the DMZ or the ZyWALL. Chart 13-8 ICMP Notes TYPE CODE DESCRIPTION 0 Echo Reply 0 Echo reply message 3 Destination Unreachable 0 Net unreachable 1[...]

  • Page 83

    ZyWALL 10~100 Series Internet Security Gateway Log Descriptions 13-11 Chart 13-8 ICMP Notes TYPE CODE DESCRIPTION 0 Echo message 11 Time Exceeded 0 Time to live exceeded in transit 1 Fragment reassembly time exceeded 12 Parameter Problem 0 Pointer indicates the error 13 Timestamp 0 Timestamp request message 14 Timestamp Reply 0 Timestamp reply mess[...]

  • Page 84

    ZyWALL 10~100 Series Internet Security Gateway 13-12 Log Descriptions Diagram 13-1 Example VPN Initiator IPSec Log VPN Responder IPSec Log The following figure shows a typical log from the VPN connection peer. Diagram 13-2 Example VPN Responder IPSec Log This menu is useful for troubleshooting. A log index number, the date and time the log[...]

  • Page 85

    ZyWALL 10~100 Series Internet Security Gateway Log Descriptions 13-13 The following table shows sample log messages during IKE key exchange. Chart 13-10 Sample IKE Key Exchange Logs LOG MESSAGE DESCRIPTION Send <Symbol> Mode request to <IP> Send <Symbol> Mode request to <IP> The ZyWALL has started negotiation with the peer.[...]

  • Page 86

    ZyWALL 10~100 Series Internet Security Gateway 13-14 Log Descriptions Chart 13-10 Sample IKE Key Exchange Logs LOG MESSAGE DESCRIPTION !! Remote IP <IP start> / <IP end> conflicts If the security gateway is “0.0.0.0”, the ZyWALL will use the peer’s “Local Addr” as its “Remote Addr”. If a peer’s “Local Addr” range con[...]

  • Page 87

    ZyWALL 10~100 Series Internet Security Gateway Log Descriptions 13-15 Chart 13-10 Sample IKE Key Exchange Logs LOG MESSAGE DESCRIPTION vs. My Local <IP address> The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the local router. The log displays this router’s configu[...]

  • Page 88

    ZyWALL 10~100 Series Internet Security Gateway 13-16 Log Descriptions The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type. Chart 13-12 RFC-2408 ISAKMP Payload Types LOG DISPLAY PAYLOAD TYPE SA Security Association PROP Proposal TRANS Transform KE Key Excha[...]

  • Page 89

    ZyWALL 10~100 Series Internet Security Gateway Log Descriptions 13-17 Log Commands Go to the command interpreter interface (the Command Interpreter Appendix explains how to access and use the commands). Configuring What You Want the ZyWALL to Log Use the sys logs load command to load the log setting buffer that allows you to configure which logs[...]

  • Page 90

    ZyWALL 10~100 Series Internet Security Gateway 13-2 Log Descriptions Use the sys logs display [log category] command to show the logs in an individual ZyWALL log category. Use the sys logs clear command to erase all of the ZyWALL’s logs. Log Command Example This example shows how to set the ZyWALL to record the access logs and alerts and the[...]

  • Page 91

    ZyWALL 10~100 Series Internet Security Gateway Brute-Force Password Guessing Protection 14-1 Chapter 14 Brute-Force Password Guessing Protection The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password. See the Command Interpreter appendix for infor[...]

  • Page 92

    [...]

  • Page 93

    Index III Part III: Index This part provides an Index of key terms.[...]

  • Page 94

    [...]

  • Page 95

    ZyWALL 10~100 Series Internet Security Gateway Index A Index A Ad-hoc Configuration ... 4-2 Alternative Subnet Mask Notation ... 8-3 B Basic Service Set ... 4-2 Big Picture ... 3-1 Bold Times font ...[...]

  • Page 96

    ZyWALL 10~100 Series Internet Security Gateway B Index Infrastructure Configuration ... 4-3 IP Addressing ... 8-1 IP Classes ... 8-1 L Log Descriptions ... 13-1 N Network Topology Wit[...]