ZyXEL Communications 2WG manuel d'utilisation

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264

Aller à la page of

Un bon manuel d’utilisation

Les règles imposent au revendeur l'obligation de fournir à l'acheteur, avec des marchandises, le manuel d’utilisation ZyXEL Communications 2WG. Le manque du manuel d’utilisation ou les informations incorrectes fournies au consommateur sont à la base d'une plainte pour non-conformité du dispositif avec le contrat. Conformément à la loi, l’inclusion du manuel d’utilisation sous une forme autre que le papier est autorisée, ce qui est souvent utilisé récemment, en incluant la forme graphique ou électronique du manuel ZyXEL Communications 2WG ou les vidéos d'instruction pour les utilisateurs. La condition est son caractère lisible et compréhensible.

Qu'est ce que le manuel d’utilisation?

Le mot vient du latin "Instructio", à savoir organiser. Ainsi, le manuel d’utilisation ZyXEL Communications 2WG décrit les étapes de la procédure. Le but du manuel d’utilisation est d’instruire, de faciliter le démarrage, l'utilisation de l'équipement ou l'exécution des actions spécifiques. Le manuel d’utilisation est une collection d'informations sur l'objet/service, une indice.

Malheureusement, peu d'utilisateurs prennent le temps de lire le manuel d’utilisation, et un bon manuel permet non seulement d’apprendre à connaître un certain nombre de fonctionnalités supplémentaires du dispositif acheté, mais aussi éviter la majorité des défaillances.

Donc, ce qui devrait contenir le manuel parfait?

Tout d'abord, le manuel d’utilisation ZyXEL Communications 2WG devrait contenir:
- informations sur les caractéristiques techniques du dispositif ZyXEL Communications 2WG
- nom du fabricant et année de fabrication ZyXEL Communications 2WG
- instructions d'utilisation, de réglage et d’entretien de l'équipement ZyXEL Communications 2WG
- signes de sécurité et attestations confirmant la conformité avec les normes pertinentes

Pourquoi nous ne lisons pas les manuels d’utilisation?

Habituellement, cela est dû au manque de temps et de certitude quant à la fonctionnalité spécifique de l'équipement acheté. Malheureusement, la connexion et le démarrage ZyXEL Communications 2WG ne suffisent pas. Le manuel d’utilisation contient un certain nombre de lignes directrices concernant les fonctionnalités spécifiques, la sécurité, les méthodes d'entretien (même les moyens qui doivent être utilisés), les défauts possibles ZyXEL Communications 2WG et les moyens de résoudre des problèmes communs lors de l'utilisation. Enfin, le manuel contient les coordonnées du service ZyXEL Communications en l'absence de l'efficacité des solutions proposées. Actuellement, les manuels d’utilisation sous la forme d'animations intéressantes et de vidéos pédagogiques qui sont meilleurs que la brochure, sont très populaires. Ce type de manuel permet à l'utilisateur de voir toute la vidéo d'instruction sans sauter les spécifications et les descriptions techniques compliquées ZyXEL Communications 2WG, comme c’est le cas pour la version papier.

Pourquoi lire le manuel d’utilisation?

Tout d'abord, il contient la réponse sur la structure, les possibilités du dispositif ZyXEL Communications 2WG, l'utilisation de divers accessoires et une gamme d'informations pour profiter pleinement de toutes les fonctionnalités et commodités.

Après un achat réussi de l’équipement/dispositif, prenez un moment pour vous familiariser avec toutes les parties du manuel d'utilisation ZyXEL Communications 2WG. À l'heure actuelle, ils sont soigneusement préparés et traduits pour qu'ils soient non seulement compréhensibles pour les utilisateurs, mais pour qu’ils remplissent leur fonction de base de l'information et d’aide.

Table des matières du manuel d’utilisation

  • Page 1

    ZyW ALL 2WG Security Appliance Support Notes V ersion 4.03 Sep. 2007[...]

  • Page 2

    ZyW ALL 2WG Support Notes 2 INDEX Application Notes ...................................................................................................... 9 Mobility Internet Access ........................................................................................9 Utilize 3G and W ireless for the Internet Access .............................[...]

  • Page 3

    ZyW ALL 2WG Support Notes 3 T o filter non-work r elated and unp roductive web surfing to mitigate spywar e and phishing threats ................................................................. 209 Centralized Management ...................................................................................216 Using V antage CNM for Management .......[...]

  • Page 4

    ZyW ALL 2WG Support Notes 4 gateway behind ZyW ALL? ..................................................................... 226 A28. How do I setup my ZyW ALL for r outing IPSec packets over NA T? ......................................................................................................... 227 A29. What is STP (Spanning T ree Protocol) /R[...]

  • Page 5

    ZyW ALL 2WG Support Notes 5 D02. In addition to r egistration, what can I do with myZyXEL.com? 235 D03. Is there anything changed on myZ yXEL.com because of the launch of ZyNOS v4.00? Which ZyW ALL models can be r egistered via myZyXEL.com? ................................................................................. 236 D04. What’ s the diff[...]

  • Page 6

    ZyW ALL 2WG Support Notes 6 E15. How many URL keywords does Z yW ALL support? .................... 240 E16. How do I keep database of Content Filtering service updated? . 241 E17. What is BlueCoat Filter list? .......................................................... 241 E18. How many ratings does the BlueCoat database con tain? ............ 241 E[...]

  • Page 7

    ZyW ALL 2WG Support Notes 7 What do I need to know? ......................................................................... 250 F18. Does ZyW ALL support dynamic secure gatew ay IP? .................. 251 F19. What VPN gateway that has been tested with ZyW ALL successfully? .........................................................................[...]

  • Page 8

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 8 G16. W ill Self-signed certificate be erased if I reset to default configuration file? .................................................................................... 259 G17. Will certificates stor ed in ZyXE L appliance be erased if I res et to d[...]

  • Page 9

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 9 Application Notes Mobility Internet Access Y ou may have the experienced a need of Internet acce ss in a location where wired connection is dif ficult to deploy , e.g. in countryside or mountain. Or you are just in a public env ironmen t without Interne[...]

  • Page 10

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 10 Utilize 3G and Wireless for the Internet Access Following we will show you how to configure it step-by-step. Utilize 3G card to g et Internet access 1). Plug the 3G card to ZyWALL 2WG's card slot before powering on the ZyWALL 2WG device. 2). Login[...]

  • Page 11

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 11 3). Then the 3G wireless card will be dialed up automatically w hen WAN1 is not available. If you check the "Nailed-up" option as shown in t he figure above, the system wil l automatically dial up the 3G Internet access even if WAN1 is availa[...]

  • Page 12

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 12 4) If dialed up successfully, you can see the GUI home page as shown below. You will get the "WAN2 connection is up" and "3G card's signal strength" messages in t he latest alerts.[...]

  • Page 13

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 13 Utilize the em bedded wireless card to provide LAN users a ccess 1). Go to GUI menu Network > WIRELESS CARD , enable it and configure the other parameters like 802.11 mode (four modes available: 802.11b only, 802.11g only, 802.11b +g, 802.11a only),[...]

  • Page 14

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 14 To configure the security and the MAC filter, go to Wireless Card > Security or Wireless Card > MAC Filter to further configure it. For example, we would like to provide the wireless access clien ts with preset MAC address filtering list. Further[...]

  • Page 15

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 15[...]

  • Page 16

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 16[...]

  • Page 17

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 17 After you have configured the Security and MAC filter profiles, you can choose them in the main page of wireless card setting as shown[...]

  • Page 18

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 18 Seamless Incorporation into your network Using T ransp arent (Bridge Mode) Firewall If user wants to insert a firewall into current network, IP set ting of hosts and server s may need to change. Following example illustrates an example of current deplo[...]

  • Page 19

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 19 Deploying a transparent mode firewa ll doesn’t require any changes of settings on the original network topology . It works as bridge/switch; therefore, all the hosts can comm unicate with each other as without firewall in between. At the same time, t[...]

  • Page 20

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 20 User can configure ZyW ALL to act as a router mode firewall or bridge (transpa rent) firewall. The default is router mode firewall. S tep1. Before changing ZyW ALL to bridge mode, if admin wants to m ake the ZyW ALL ’ s LAN PC be able to get DHCP IP [...]

  • Page 21

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 21 assign a management IP for ZyW ALL. The Gateway IP Address is used as next-hop of default route. ZyW ALL will restart after applying th e change. (Note: Here we suggest admin to dedicate an IP address to Z yW ALL itself at the same subnet as original o[...]

  • Page 22

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 22 S tep3. Aft er reboo ting, login ZyW ALL ’ s GUI by accessing ZyW ALL ’ s management IP address. (Accessing ZyW ALL by the PC with a st atic IP address configur ed in the same subnet or with an IP from DHCP server (refer to step1 for the pre-config[...]

  • Page 23

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 23[...]

  • Page 24

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 24 Internet Connection A typical Internet access applicati on of the ZyWALL is shown below. This section guides you how to configure ZyWALL to gain the Internet access. ZyW ALL S tep1. First of all, Select Home menu and click Internet Access W izard to co[...]

  • Page 25

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 25 Following picture is an exam ple while PPPoE is selected. Once the required information is co rrectly configured, click on the “ Finish ” button to apply the setting and then you have finished configuring Internet Access on W AN link. DHCP server/c[...]

  • Page 26

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 26 2. When choosing DHCP setting as a ‘Server ’, the LAN will automatically assign IP , subnet, gateway and DNS to the associated clients. 3. When choosing DHCP setting as a ‘Relay’, the LAN will forward the DHCP request to another DHCP server . U[...]

  • Page 27

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 27 • How NA T works If we define the local IP addre sses as the Internal Local Addre sses (ILA) and the global IP addresses as the Inside Global Address (IGA), see the following figure. The term 'inside' refers to the set of networks that are [...]

  • Page 28

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 28 5. Server In Server mode, the ZyW ALL maps multiple inside serv ers to one global IP address. This allows us to specify multiple servers of dif ferent types behind th e NA T for outside access. Note, if you want to map each server to one unique IGA ple[...]

  • Page 29

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 29 Step 1. Applying NAT in WAN Interface You can choose the NAT mapping types to either SUA Only or Full Feature in WAN setup. NETWORK -> WAN or ADVANCED -> NAT -> NAT Overview[...]

  • Page 30

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 30 Key Settings Field Options Description Full Featur e Set to 'Full Feature' if there a re multiple IP addresses given by ISP and can assigned to your clients. Routing Set to 'Routring' if you clients use Internet IP addresses and thu[...]

  • Page 31

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 31 Step 3. Using Multiple Global IP addresses for clients and serv ers (One-to-One, Many- to-One, Se rver Set mapping types) In this case we have 3 IGAs (IGA1, IGA2 and IGA3) from the ISP. We have two very busy internal FTP servers and also an internal ge[...]

  • Page 32

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 32 Rule 2 Setup: Selecting One- to -One type to map the FTP Server 2 with ILA2 (192.168.1.11) to IGA2 (200.1.1.2). Rule 3 Setup: Select Many-to-One type to map the other clients to IGA3. Rule 4 Setup: Select Server type to map our web server and mail serv[...]

  • Page 33

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 33 Now we configure all other incoming traffic to go to our web se rver and mail server in " Port Mapping" page, Please note that if you turn on ZyWALL's firewall function, the n you should add a firewall rule from WAN to LAN to forward the[...]

  • Page 34

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 34 Application for Non NAT Friendly Support Some servers providing Internet applications such as some mIRC servers do not allow users to login using the same IP address. In this case it is better to use Many One-to-O ne or One-to-One NAT mapping types, th[...]

  • Page 35

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 35 Optimize network performance & availability Using Bandwidth Ma nagement Why Bandwidth Manag ement (BWM)? Nowadays, we have many dif ferent traf fic types for In ternet applications. Some traf fic may consume high bandwidth, such as FTP (File Transf[...]

  • Page 36

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 36 How Bandwidth Management in ZyW ALL? ZyW ALL achieves BWM by classifying packets, and c ontrol when to send out the classified packets. Bandwidth Management of ZyXEL appliances operates on the IP layer . The m ajor step to configure BWM is defining fil[...]

  • Page 37

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 37 Go to ADV ANCED->BW MGMT ->Summary , activat e bandwidth m anagement on the interface you would like to manage. W e enable the BWM fu nction on W AN interface in this example. Enter the total speed for this interface that you wa nt to allocate us[...]

  • Page 38

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 38 Key Settings: Class Name Give this class a name, for exam ple, 'App' Bandwidth Budget Configure the speed you would like to allocate to this class Priority Enter a number between 0 and 7 to set the prio rity of this class. The higher the numb[...]

  • Page 39

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 39 Source IP Address Enter the IP address of source that meats this class. Note tha t for traff ic from 'LAN to W AN' , since BWM is before NA T , you shoul d use the IP address before NA T processing. Source Subnet Mask Enter the destination su[...]

  • Page 40

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 40 S tep1. Activate Bandwidth Management on th e interface on which you want to c ontrol. In this exam ple, it is LAN. Assign 2048Kbps to LAN interface. S tep2. Go to “Class Setup” and select LAN from the drop-down list of In terface. Click on Root Cl[...]

  • Page 41

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 41 S tep3. Add another service and allocate 800kbps for FT P and destined to FTP Client B. Select the Service as FTP from drop-down list. Input Client B’ s IP address as Des tination IP Address.[...]

  • Page 42

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 42 S tep4. Add another service and alloca te 800kbps for IPTV user and destined to Media traf fic to IPTV user . Select the Service as Custom from drop-down list and set Protocol IP as 17 (UDP). Input IPTV user ’ s IP address as Destination IP Address. [...]

  • Page 43

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 43 Secure Connections across the Internet Site-to-Site VPN (Intranet) Scenario A site-to-site VPN protects the netw ork resources on your protected networks from unauthorized use by users on an unprotected network, such as the public Internet. Site-to-sit[...]

  • Page 44

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 44 1) Configure the static Public IP address to W AN interface through Network-> W AN-> W AN IP Address Assignment 2) Enter the W AN IP address as My Address in Gateway Policy 3) On peer VPN gateway , use the same IP address as Remote Gateway Addres[...]

  • Page 45

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 45 address is assigned to ZyW ALL ’ s W AN interface, ZyW ALL will upda tes the related record in DDNS server . Therefore the peer VPN gateway can resolve ZyW ALL ’ s IP address to make a VPN tunnel. In following example, local VPN gateway (ZyW A LL) [...]

  • Page 46

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 46 4) Configure the DDNS entry under DNS-> DDNS and bind it to a W AN interface. 5) Under Gateway Policy menu, select the DDNS entry from drop-down list and use it as My Domain Name. 6) Configure the DDNS entry in Remote Gateway Address on peer VPN gat[...]

  • Page 47

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 47 placed behind the NA T router . For example, the NA T router has a dif ferent interface (e.g. leased line, ISDN) which are not supported by IPSec gateway . Th is example gives some guideline for configuring ZyW ALL behind NA T router . 1) UDP 500 (IKE)[...]

  • Page 48

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 48 when peer VPN entity also support N A T Traversa l function. If yes, the IPSec traf fic will be encapsulated in UDP packet to avoi d traversal problem on NA T routers. 4) Under VPN->Gateway Policy-> Gate way Policy Information configure the priva[...]

  • Page 49

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 49 The configuration goal is to achieve following two: 1) Setup VPN rule to allow PC1 to access De pt.1 through the tunnel between GW 1 & GW2 2) Setup VPN rule to allow PC2 to access De pt.2 through the tunnel between GW 1 & GW2 PC1 PC2 GW2 GW1 De[...]

  • Page 50

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 50 6) Extended Authentication (xAuth) can be enabled or not depending on your appl ication. For detailed info, you can refer to XXX. 7) Under “IKE Proposal”, select the Encryption and Authentication Algorithm. Note the configuration must be consist on[...]

  • Page 51

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 51 10) Click on the icon to add a new “Network Po licy” over the configured Gateway Policy . 11) Activate the profile and name this policy as “PC1-t o-Dept1” in this exam ple. Enable “Nailed-Up” option if you need the functionality that will a[...]

  • Page 52

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 52 14) Under “Remote Network”, choose “Single” and input “192.168.1.101” for PC1 in this example. 15) Under “IPSec Proposal”, select the Encryption and Authentication Algorithm. Note the configuration must be consist on both ZyW ALLs (GW1 [...]

  • Page 53

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 53 18) Follow the same procedures as step 10~16 to add 2 nd Network Policy , PC2-to-Dept2. Finish Using Certificate for Device Authentication IKE must authenticate the identities of the systems using the Dif fie-Hellman algorithm. This process is known as[...]

  • Page 54

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 54 DNS, E-mail, Subject Name and Any . Depending how certificates are generated, it ca n be classified into three methods: 1) Using Self-signed Certifi cates (both entities must be ZyXEL IPSec gateway) 2) Online Enroll Certificate s 3) Offline Enroll Cer [...]

  • Page 55

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 55 The factory default self-signe d certificates are the same on all ZyW ALL models. It is not secure to use the default self-signed certif icate. T o make the self -signed certificate unique fo r this device, you should replace the factory default certif[...]

  • Page 56

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 56 2) Or mark the certificate in PEM (Base-64) Encoded Format and then copy to a test editor (e.g. Notepad) and then save to you local computer in PEM (Base-64) Encoded Format. Then import the certific ate to the other ZyW ALL VPN gateway . Go to the othe[...]

  • Page 57

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 57 When you configure VPN rule with certificate, select Certificate under VPN-> Gateway Policy. Select My Certificate from the drop-down lis t. When (My) certificate is s elected, ZyWALL will show what is the Local I D Type and Content in my certifi ca[...]

  • Page 58

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 58 servers, and finally get a certificate for further usage. ZyWAL L supports both SCEP and CMP protocols as methods of online enrollment. Both SCEP and CMP online enrollme nt protocols provide secure mechanisms to transmit ZyWALL's certification req[...]

  • Page 59

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 59 Step 2. Create certificate reque st and enroll certificate reque st on ZyWALL A 1. Input a name, for this Certificat e so you can identify this Cer tificate later. 2. In Subject Information, give this certificate a Common Name by either Host IP Address[...]

  • Page 60

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 60 After pressing the Apply button, ZyWALL would create the certification request and send it to the CA server for enrollment. It may take one minutes to complete the whole p rocess. After CA server agrees to issue the corresponding certificate, you will [...]

  • Page 61

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 61 1. Input a name, for this Certificat e so you can identify this Cer tificate later. 2. In Subject Information, give this certificate a Common Name by either Host IP Address, Host Domain Name or E-Mail address. Organizational Unit, Organization, Coun tr[...]

  • Page 62

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 62 After pressing the Apply button, ZyWALL would create the certification request and send it to the CA server for enrollment. After CA server agrees to issue the correspondi ng certificate, ZyWALL will receive it automatically, and you will find a newly [...]

  • Page 63

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 63 13. You can check detailed settings by clicking Advanced button.[...]

  • Page 64

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 64 Step 5. Using Certifica e in VPN on ZyWALL B t 1. Activate the rule 2. Give this VPN rule a name " toZyWALL_A " 3. Select Key Management to " IKE " 4. Select Negotiation Mode to " Main " 5. Edit Local: Address Type=" [...]

  • Page 65

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 65 13. You can check detailed settings by clicking Advanced button.[...]

  • Page 66

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 66 Offline Enroll Certificates In this guide, we describe how ZyW ALL devices, both ZyW ALL A and ZyW ALL B as IPSec/VPN tunnel end points, authenticate each other through PKI. W e use CA (Certificate Authority) service provided by W indows 2000 server in[...]

  • Page 67

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 67 LAN 1 ZyW AL L A ZyW AL L B LAN 2 10.1.133.0/24 LAN: 10.1.133.1 WAN: 192.168.1.35 LAN: 192.168.2.1 WAN: 192.168.1.36 192.168.2.0/24 t Step 1. Create Certifi cate Reques on ZyWALL A 1. Go to VPN -> My Certificates -> Click Create but ton.[...]

  • Page 68

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 68 2. Input a name, for this Certific ate so you can identify this Certificate later. In Subject Inf ormation, give this certificate a Common Name by either Host IP Address, Host Domai n Name or E-Mail address. Organizational Unit, Organization, Country a[...]

  • Page 69

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 69 5. In My Certificat es tab, you can get a new entry in grey color. This is the Certific ate Request you just created. Click Details to export the request. Step 2. Enroll Certificate Request 1. Copy the content of Certificate in PEM Encoded Format, by s[...]

  • Page 70

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 70 In this support note, we utilize certificate enrollment service from Microsof t Window s 2000 CA server . The enrollment procedure of your CA server may be different, you ma y need to check your CA service provider for details. For how to setup Windows[...]

  • Page 71

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 71 3, Select Request a Certificate , then press Next> button.[...]

  • Page 72

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 72 4. Choose Advanced r equest , the press Next> button.[...]

  • Page 73

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 73 5. Choose " Submit a c ertificate request using a base64... ", then press Next> button.[...]

  • Page 74

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 74 6. Right click your mouse, then paste the certif icate request y ou get in step 2.1 .[...]

  • Page 75

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 75 7. Click " Download CA cer tification path " 8. A file download would pop out, press Save button, and choose the local folder you would like to store th e certification path.[...]

  • Page 76

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 76 9. Double click the saved file, Select Certificates , right click the Certificate, choose All Tasks-> Export... 10. Certificate Export Wizard would be popped up, then press Next> .[...]

  • Page 77

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 77 11. Choose DER encoded binary X.509(.CE R) , then press Nxet> , 12. Specify the path to sto re your exported Certificate.[...]

  • Page 78

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 78 13. Click Finish . 14. Go to ZyWALL WEB GUI -> VPN -> My Certificates -> click Import button. 15. Click Browse... button to find the location you st ored ZyWALL's certificate the n press Apply button.[...]

  • Page 79

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 79 16. After a while, if you see the gray entry turns to a black o ne, then it means the import of ZyWALL's certificate is successful. 17. Repeat the same procedure from 9 to 13, to export CA's cert ificate. Note that you may get more than one C[...]

  • Page 80

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 80 After import CA's certificate, you will get this display. t Step 3. Create Certifi cate Reques on ZyWALL_B 1. Go to VPN -> My Certificates -> Click Create but ton.[...]

  • Page 81

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 81 2. Input a name, for this Certific ate so you can identify this Certificate later. In Subject Inf ormation, give this certificate a Common Name by either Host IP Address, Host Domai n Name or E-Mail address. Organizational Unit, Organization, Country a[...]

  • Page 82

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 82 3. Wait for 1-2 minutes until " Request Generation Successful " displays. During this period, ZyWALL is working on creation of private, public key pair, and certificat e request. 4. After creating certificate re quest, ZyWALL woul d return Su[...]

  • Page 83

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 83 Step 4. Enroll Certificate Request on ZyWALLB 1. Copy the content of Certificate in PEM Encoded Format, by se lecting all of the content, then right click your mouse, and select Copy . Keep your copy in clipboard for later paste. In this support note, [...]

  • Page 84

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 84 3, Select Request a Certificate , then press Next> button.[...]

  • Page 85

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 85 4. Choose Advanced r equest , the press Next> button.[...]

  • Page 86

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 86 5. Choose " Submit a c ertificate request using a base64... ", then press Next> button.[...]

  • Page 87

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 87 6. Right click your mouse, then paste the certif icate request y ou get in step 4.1.[...]

  • Page 88

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 88 7. Click " Download CA cer tification path " 8. A file download would pop out, press Save button, and choose the local folder you would like to store th e certification path.[...]

  • Page 89

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 89 9. Double click the saved file, Select Certificates , right click the Certificate, choose All Tasks-> Export... 10. Certificate Export Wizard would be popped up, then press Next> .[...]

  • Page 90

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 90 11. Choose DER encoded binary X.509(.CE R) , then press Nxet> ,[...]

  • Page 91

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 91 12. Specify the path to sto re your exported Certificate.[...]

  • Page 92

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 92 13. Click Finish . 14. Go to ZyWALL WEB GUI -> VPN -> My Certificates -> click Import button. 15. Click Browse... button to find the location you st ored ZyWALL's certificate the n press Apply button.[...]

  • Page 93

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 93 16. After a while, if you see the gray entry turns to a black o ne, then it means the import of ZyWALL's certificate is successful. 17. Repeat the same procedure from 9 to 13, to export CA's cert ificate. Note that you may get more than one C[...]

  • Page 94

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 94 18. After import CA's certificate, you will get this display. Step 5. Using Certifica e in VPN on ZyWALL A t 1. Activate the rule 2. Give this VPN rule a name " toZyWALL_B " 3. Select Key Management to " IKE " 4. Select Negotia[...]

  • Page 95

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 95 9. Peer ID type= " ANY ". 10. Secure Gateway Address= " 192.168.1.36 " 11. Encapsulation Mode=" Tunnel " 12. Leave other options as default.[...]

  • Page 96

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 96 13. You can check detailed settings by clicking Advanced button.[...]

  • Page 97

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 97 Step 6. Using Certificate in VPN on ZyWALL B 1. Activate the rule 2. Give this VPN rule a name " toZyWALL_A " 3. Select Key Management to " IKE " 4. Select Negotiation Mode to " Main " 5. Edit Local: Address Type=" Su[...]

  • Page 98

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 98 13. You can check detailed settings by clicking Advanced button.[...]

  • Page 99

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 99 Using Pre-Shared Key for Device Authentication The IKE protocol also provides primary authenticati on - ver i fying the identity of the remote system before negotiating the encryption algorithm and keys. T wo kinds of authentication methods are support[...]

  • Page 100

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 100 Pre- Shared Key must be identica l on bot h e ntities Local ID Type & Content on L ocal ZyWAL L must be identical as Peer I D Type & Cont ent on Peer VP N ga teway Configuration on Peer VP N g atewa y Config uration on Lo cal ZyWALL Peer I D T[...]

  • Page 101

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 101 As the figure shown below, each branch office have a VPN tunnel to headquarter, thus PCs in branch offices can access systems in headquarter via the tunnel. Through VPN r outing, ZyWALL series now provide you a solution to let PCs in branch offices ta[...]

  • Page 102

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 102 2. check Activ e check box and give a name to this policy. 3. Give this VPN rule a name, Br anch_A . 4. Select Key Management to IKE and Negotiation Mode to Main . 5. In Local section, select Address Type to Range Address , set I P Address Start to 19[...]

  • Page 103

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 103 You can setup IKE phase 1 and phase 2 parameters by pressing Advanced button. Please make sure th at parameters you set in this menu match with all the parameters w ith the correspondent VPN rule in headquarter.[...]

  • Page 104

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 104 2. Setup VPN in branch office B Be very careful about the remote IP address in branch office B, because for systems behind branch office B want to systems behind branch office A and headquarter, we have to specify these two segments in Remote section.[...]

  • Page 105

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 105[...]

  • Page 106

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 106 Note that since Branch B's LAN is also included in remote polic y, please go to ZyWALL's SMT menu 24.8 CI command mode, and issue this command, " ipsec swSkipOverlapIp on " , so that local management traffic from Branch B's LA[...]

  • Page 107

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 107[...]

  • Page 108

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 108 2. The correspondent rule for Branch_B[...]

  • Page 109

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 109[...]

  • Page 110

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 11 0 NA T over IPSec on ZyNOS Network T opology The above is an IPSec VPN application running in tunnel mode. In the network topology shown, both the local area networks (LAN) are a ssigned with the sam e network IP/network mask 172.168.1.0/24. Without a [...]

  • Page 111

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 111 change at least one of the LAN IP addresses in or der to prevent the routi ng problem. Unfortunately, changing the entire network settin g takes extra effort in configur ation, which is never preferable. The feature enhancement named “NAT over IP Se[...]

  • Page 112

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 11 2 ZyWALL 2 (Remote) STEP 2: Create the Gateway Policy (Pha se 1) on the ZyWALL 1 and ZyWALL 2 Click Security > VPN > Add Gateway Policy in or der to add a new IPSec VPN Gateway Policy. Assign “My Address” on ZyWALL 1 with IP address 172.16.4.[...]

  • Page 113

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 11 3 Gateway Policy on ZyWALL 1 Click “Apply” in order to complete the settings. Repeat the steps for ZyWALL 2.[...]

  • Page 114

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 11 4 Gateway Policy on ZyWALL 2 Gateway Policy on ZyWALL 2 STEP 3: Create the Network Policy (Pha se 2) on the ZyWALL 1 and ZyWALL 2 After completing the settings f or the “Gateway Policy”, click “Add Ne twork Policy” to add a network[...]

  • Page 115

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 11 5 policy. Check the “Active” checkbox in the “Virtual Address Mapping Rule” bl ock to enable NAT over IPSec. You can decide the amount of IP addresses for NAT (Network Address Translation) from the “Type” drop-down menu. In this example, we[...]

  • Page 116

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 11 6 On ZyWALL 1, the remote network will be changed to 172.1 6.3.0. Click “Apply” in order to complete the setting. Repeat the steps for ZyWALL 2 in order to configure Network Policy.[...]

  • Page 117

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 11 7 On ZyWALL 2, the Virtual IP Addresses starts from 172.16.3.1 to 172.16.3.254. STEP 4: Establish the IPSec VPN Tunnel Connection[...]

  • Page 118

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 11 8 Click Security > VPN > Connect in order to establish the IPSec VPN Tunnel connection. Once the IPSec works correctly, you will see the message as it appears in the following screensho t, and click “Return” to back to VPN page. You can also [...]

  • Page 119

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 11 9 1) Ping the local gateway. 2) Ping the IPSec Remote Gateway 3) Ping the remote host with virtual IP addr ess that’s located on the remote network. Never lost your VPN connection (IPSec High Availa bility) 1. Setup ZyWALL VPN with high availability[...]

  • Page 120

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 120 The VPN high availability is design for securing VPN connection . Normally we will deploy the ZyWALL2 Plus as branch office or SOHO gateway and build up the VPN tunn el to central office. The design for IPSec HA is based on the redundant gateway optio[...]

  • Page 121

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 121 3. Give a name for your policy, for example “ Dual_GW_VPN ” 4. My IP Addr is the WAN IP of ZyWALL . In this exam ple, you should type 220.123.23.7 IP address on My ZyW ALL text box. 5. Primary Remote Gateway IP Address is the Central office's[...]

  • Page 122

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 122[...]

  • Page 123

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 123 Access control and security VPN connecti on (Security policy enforcement IPSec) Setup ZyW ALL VPN with access control - Firewall Setup ZyW ALL VPN with web filtering rule – Content Filter Normally, the traffic transmitted between VPN tunne l is trea[...]

  • Page 124

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 124 3. For example, the remote VPN policy is 192.168.2.0/24 and we want to block the traffic from 192.168.2.33 to access local LAN subnet 192.168.1.0/24. The default VPN to LAN traffic is permit and we have to change the VPN to LAN access control rule in [...]

  • Page 125

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 125 4. Click the Insert button to insert a new rule. 5. Edit the source and destination address as 192.168.2.33 and 192.168.1.0/255.255.255.0[...]

  • Page 126

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 126 6. The service type is Any to block all kind of traffi c from 192.168.2.33 to access LAN subnet and Action for Matched Packets is Drop and then click apply to save and activ ate the configuration.[...]

  • Page 127

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 127 7. We can see a new rule had been configured and showed in th e rule summary page. This will achieve our goal to block all traffic fr om VPN remote host 192.168.2.33 to access the LAN subnet.[...]

  • Page 128

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 128 How to configure Web filtering ru le over VPN – Content Filter 1. The switch to enable the content filtering over VPN traffic is available in Content Filter general configuration page. Th e content filtering over VPN can only be enabled after the co[...]

  • Page 129

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 129[...]

  • Page 130

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 130 ZyW ALL vs 3rd Party VPN Gateway SonicW ALL with ZyW ALL VPN T unneling 1. Setup ZyWALL VPN 2. Setup SonicWALL VPN This page guides us to setup a VPN connect ion between the ZyWALL a nd SonicWALL router. As the figure shown below, the tunnel between P[...]

  • Page 131

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 131 11. Go to SECURITY->VPN->Press Add button 12. Give a name for your policy, for example “ ToSonicWALL ” 13. My IP Addr is the WAN IP of ZyWALL . In this example, you should type 172.22.3.89 IP address on My ZyW ALL text box. 14. Secure Gatewa[...]

  • Page 132

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 132 16. Select Negotiation Mode to Main mode , Encryption Algorithm to DES , Authentication Algorithm to MD5 , Key Group to DH1 , and then press Apply button on this page. 17. You will see an IKE rule on your VPN page, press L/R button to edit your IPSec [...]

  • Page 133

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 133 18. Check Active check box and give a name to this policy. 19. On Gateway Policy Information, you should choose ToSonicWALL IKE policy for your IPSec rule.[...]

  • Page 134

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 134 20. On Local Network, choose Subnet Address for your Address Type. Starting IP Address and Ending IP Address/Subnet are your local site LAN IP addre sses. In this example, you should type 192.168.1.0 on Starting IP Address field and then type 255.255.[...]

  • Page 135

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 135 23. When you finished doing your settings, you will see the following page. 2. Setup SonicWALL VPN (We choose SonicWALL TZ150 device in this example.) 1. Using a web browser, login SonicWALL by giving th e LAN IP address of SonicWALL in URL field. Go [...]

  • Page 136

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 136 2. Click General tab, on Security Policy settings, give a name to this policy. In this example, type ToZyWALL on Name text box. IPSec Primary Gatew ay Name or Address is the ZyW ALL 's WAN IP Address (remote gateway IP address). In th is example,[...]

  • Page 137

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 137 4. Network IP Address and Subnet Mask are your remote site LAN IP addresses. In this exam ple, you should type 192.168.1.0 on Network text box and then type 255.255.255.0 on Subnet Mask text box, and then press OK button. 5. Click Proposals tab, on IK[...]

  • Page 138

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 138 6. When you finished doing your settings, you will see the following page. 7. When your VPN tunnel is up, you will see the following page.[...]

  • Page 139

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 139 NetScreen with ZyW ALL VPN T unneling 1. Setup ZyWALL VPN 2. Setup NetScreen VPN This page guides us to setup a VPN connect ion between the ZyWALL a nd NetScreen router. As the figure shown below, the tunnel between PC1 and PC2 ensures the packet flow[...]

  • Page 140

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 140 The IP addresses we use in this example are as shown below. PC 1 ZyWALL Netscreen PC2 192.168.2.33 WAN: 172.22.3.89 LAN: 192.168.2.1 WAN: 172.22.1.251 LAN: 192.168.1.1 192.168.1.36 1. Setup ZyWALL VPN 24. Using a web browser, login ZyWALL by giving th[...]

  • Page 141

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 141 6. In Authentication Key , enter the key string 12345678 in the Pre-Shared Key text box. 7. Select Negotiation Mode to Main mode , Encryption Algorithm to DES , Authentication Algorithm to MD5 , Key Group to DH1, and then click Apply button on this pa[...]

  • Page 142

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 142 8. You will see an IKE rule on your VPN page, click L/R button to edit your IPSec rule. 9. Check Active check box and give a name to this policy. 10. On Gateway Policy Information, you should choose ToNetScreen IKE policy for your IPSec rule. 11. On L[...]

  • Page 143

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 143 type 192.168.2.0 on Starting IP Address field and then type 255.255.255.0 on Ending IP Address/Subnet field. 12. On Remote Network, choose Subnet Address for your Address Type. Starting IP Address and Ending IP Address/Subnet are your remote site LAN [...]

  • Page 144

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 144 14. When you finished doing your settings, you will see the following page. 2. Setup NetScreen VPN (We choose NetScreen-5GT device in this example.) 3. Using a web browser, login NetScreen by giving th e LAN IP address of NetS creen in URL field. 4. C[...]

  • Page 145

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 145 Note: About the settings, you could reference to Ne tScreen user guide to get the d etail info. 5. If you set a static IP address for your WAN port, you should click Network -> Routing -> Routing Entries to edit your Gateway IP address. In this [...]

  • Page 146

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 146 6. On Security Level settings, you could set up phase 1 IKE rules. In this exampl e, select User Defined, and choose pre-g1-des-md5 rule . The pre-g1-des-md5 means Pre-Share Key, group1, DES for Encryption Algorithm and MD5 fo r Authentication Algorit[...]

  • Page 147

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 147 8. To edit your IPSec rule, click VPNs -> AutoKey IKE , and then press New button to edit your IPSec rules. 9. Give a name for your VPN, for example “ ToZyWALL IPSec ”. On Remote Gateway, choose Predefined option and select ToZyWALL rule. Then,[...]

  • Page 148

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 148 11. Check VPN Monitor check box, thus you can monitor your VP N tunnels. Then, press Return button, and press OK button on next pa ge to save your settings. 12. When you finished doing the settings, you will see an IPSec rule on the page. 13. On your [...]

  • Page 149

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 149 14. Give a name for your policy, for example “ ZyWALL & NetScreen ”. 15. On Source Address , you should set up Local LAN IP addresses. In this example, select New Address option, and type 192.168.1.0 / 255.255.255.0 on the text box. On Destina[...]

  • Page 150

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 150 17. When you finished doing the settings, you will see the policy rules on the page.[...]

  • Page 151

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 151 18. Move your policy rules to top, thus your device will check the rule at first. 19. Click VPNs -> Monitor Status, this page displays a table that lists all the VPN groups configured on the NetScreen device. Y ou could check the link states to kno[...]

  • Page 152

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 152 This page guides us to setup a VPN connection be tween the ZyWALL and a PC which uses Check Point software. As the figure shown below, the tunnel between PC1 and PC2 ensures the packet flows between them are secure. Because the packets go through the [...]

  • Page 153

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 153 3. Give a name for your policy, for example “ ToCheckPoint ” 4. My IP Addr is the WAN IP of ZyWALL . In this exam ple, you should type 172.22.1.236 IP address on My ZyW ALL text box. 5. Secure Gateway IP Addr is the remote PC’s I P address . In [...]

  • Page 154

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 154 7. Select Negotiation Mode to Main mode , Encryption Algorithm to DES , Authentication Algorithm to MD5 , Key Group to DH1 , and then press Apply button on this page. 8. After you press the Apply button, you will see an IKE rule on this pag e, press L[...]

  • Page 155

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 155 10. On Gateway Policy Information, you should choose ToCheckPoint IKE policy for your IPSec rule. 11. On Local Network, choose Subnet Address for your Address Type. Starting IP Address and Ending IP Address/Subnet are your local site LAN IP addre sses[...]

  • Page 156

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 156 13. On IPSec Proposal, select Encapsulation Mode to Tunnel, Active Protocol to ESP, Encryption Algorithm to DES and Authentication Algorithm to SHA1 , and then press Apply button on this page. 14. After you press the Apply button, you will see the fol[...]

  • Page 157

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 157 1. on your PC, clicking Start->Programmer->Check Point SmartConsole R60 -> Sm artDashboard 2. Enter your user name and password, then press OK button to use your Check Point. 3. On Network Objects, you must see a default check point object he[...]

  • Page 158

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 158 6. On General Properties , the IP Addrrss field is the WAN IP of your PC . In this example, you should type 172.22.2.58 IP address on the text box. On Check Point Products settings, check VPN check box here.[...]

  • Page 159

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 159 7. On Topology settings, you should see two interfaces of IP settings here if your PC has two network cards.[...]

  • Page 160

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 160 8. Selecting 172.22.2.58 interface , and press Edit button to check its settings. Clicking Topology screen, choose External (leads out to the internet) for the interface. Then, press OK button to save the settings. 9. Selecting 192.168.2.0 interface ,[...]

  • Page 161

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 161 II. Setup Interoperable Device 10. On the main menu, click Manage -> Network Objects .[...]

  • Page 162

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 162 11. You will see the network objects window, press new button and select Interoperable Device .[...]

  • Page 163

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 163 12. On General Properties settings, give a name and an IP addre ss for the Interoperable Device. In this example, the IP address is ZyWA LL’s WAN IP address. 13. On Topology settings, pressing Add button to add a new interface.[...]

  • Page 164

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 164 14. Giving a name for the interface, and assign the IP address/ subnet mask for the in terface. In this example, you should assign ZyWALL’s WAN port settings. 15. Clicking Topology screen, and choose External (leads out to the in ternet) for the int[...]

  • Page 165

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 165 17. Giving a name for the interface, and assign the IP address/ subnet mask for the in terface. In this example, you should assign ZyWALL’s LAN port settings. 18. Clicking Topology screen, choose Internal (leads to the local network) and Network def[...]

  • Page 166

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 166 19. Pressing OK button to save the settings.[...]

  • Page 167

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 167 III. Setup Networks[...]

  • Page 168

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 168 20. Selecting Networks object and click the right bu tton of your mouse, and choose New Network . 21. Give a name for your network policy, and set the network IP address to 192.168.1.0/24 . Then, press OK button to save the settings.[...]

  • Page 169

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 169 22. To add another network policy, and set the netw ork IP address 192.168.2.0/24 . Then, press OK button to save the settings. IV. Setup VPN Communities 23. Click VPN communities tab to do the settings. 24. On VPN communities, click New -> Site To[...]

  • Page 170

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 170 26. On Center Gateways settings, press Add button to add a center gateway.[...]

  • Page 171

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 171 27. If you have already done the pr evious settings, you should see a cen tral gateway here. Select the gateway, and then press OK button. 28. On Satellite Gateways settings, press Add button to add a remote gateway.[...]

  • Page 172

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 172 29. If you have already done the pr evious settings, you should see a re mote gateway here. Select the gateway, and then press OK button. 30. On VPN Properties settings , select Encryption Algorithm to DES , Authentication Algorithm to MD5 on phase 1,[...]

  • Page 173

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 173 31. On Tunnel Management , leave the settings to default settings. 32. On VPN routing settings, choose To center, or through the center to other satellites, to inte rnet and other VPN targets option.[...]

  • Page 174

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 174 33. On Shared Secret settings, choose ToZyWALL option, and press Edit button 34. Enter the secret key in th e text box, and then press OK button. 35. On Advanced VPN Properties settings, choose Group 1 for Diffie-Hellman settings.[...]

  • Page 175

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 175 36. Press OK button to save your settings.[...]

  • Page 176

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 176 37. After you press OK button, you s hould see a new object here. IV. Setup Security 38. Click Security tab on the right side to do the security settings.[...]

  • Page 177

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 177 39. Press Add button to add a rule. 40. On the default rule, select the source field, and click right button of your mouse, and then choose Add… option to add your network objects. 41. Choosing Net_192.168.1.0 network object, and press OK button to [...]

  • Page 178

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 178 42. To use the same way to add another network object ( Net_192.168.2.0 ) on the source field. 43. On the destination field, please use the same way to add your network objects: N et_192.168.1.0 and Net_192.168.2.0 .[...]

  • Page 179

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 179 44. On the VPN field, click right button of your mouse, and choose Edit Cell… option to add your VPN communities. 45. On VPN Match Conditions, choose Only connections encrypted in specific VPN Communities option, and press Add button to add communit[...]

  • Page 180

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 180 47. Clicking OK button to save your settings. 48. On action field, click right bu tton of your mouse, and choose accept option for your rule.[...]

  • Page 181

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 181 49. On the track field, click right button of your mouse, and choose Log option for your rule. 50. If you finished the settings, you should see a rule as below.[...]

  • Page 182

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 182 51. Pressing add button to add anot her rule which could drop packets if it doesn’t match your VPN rule. V. Install Policy 52. On your main menu, click Policy -> In stall.. option to Install your policy. 53. Selecting your policy rule, and press [...]

  • Page 183

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 183 54. Waiting few seconds for the installation.[...]

  • Page 184

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 184 55. If you install the policy successfully, your VPN tunnel should work norm ally with your ZyWALL.[...]

  • Page 185

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 185 FortiNet with ZyW A LL VPN T unneling 1. Setup ZyWALL VPN 2. Setup FortiNet VPN This page guides us to setup a VPN connect ion between the ZyWALL a nd FortiNet router. As the figure shown below, the tunnel between PC1 and PC2 ensures the packet flows [...]

  • Page 186

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 186 The IP addresses we use in this example are as shown below. ZyWALL FortiNet WAN: 172.22.1.147 LAN: 192.168.2.0/24 WAN: 172.22.2.138 LAN: 192.168.1.0/24 1. Setup ZyWALL VPN 1. Using a web browser, login ZyWALL by giving th e LAN IP address of ZyWALL in[...]

  • Page 187

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 187 6. In Authentication Key , enter the key string 12345678 in the Pre-Shared Key text box. 7. Select Negotiation Mode to Main mode , Encryption Algorithm to DES , Authentication Algorithm to MD5 , Key Group to DH1, and then click Apply button on this pa[...]

  • Page 188

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 188 8. After you press the Apply button, you will see an IKE rule on this page, click L/R button to edit your IPSec rule. 9. Check Active check box and give a name to this policy. 10. On Gateway Policy Information, you should choose ToFortiNEt IKE policy [...]

  • Page 189

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 189 12. On Remote Network, choose Subnet Address for your Address Type. Starting IP Address and Ending IP Address/Subnet are your remote site LAN IP addr esses. In this example, you should type 192.168.1.0 on Starting IP Address field and then type 255.25[...]

  • Page 190

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 190 14. After you press the Apply button, you will see the following page. 2. Setup FortiNet VPN (We choose FortiGate-60 device in this example.) 1. Using a web browser, login FortiNet by giving th e LAN IP address of FortiNet in URL field. 2. To edit you[...]

  • Page 191

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 191 4. On P1 proposal settings, select Encryption to DES , Authentication to MD5, and DH Group to Group1 . Then, press “-” button to delete the second P1 proposal rules. 5. To uncheck the Nat-traversal check box. And then press OK button to save the s[...]

  • Page 192

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 192 6. After you press the OK button, you will see a Phase 1 rule on this pag e. 7. To edit your IPSec rule(phase 2), click VPN -> IPSec -> Phase 2 , and then press Create New button to edit your IPSec rules. 8. Give a name for your VPN, for example[...]

  • Page 193

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 193 9. On P2 Proposal settings, select Encryption to DES , and Authentication to SHA1 , and also press “-” button to delete the second P2 proposal rules. 10. To uncheck the Enable perfect forward secrecy(PFS) check box. And then, press OK button to sa[...]

  • Page 194

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 194 11. After you press the OK button, you will see your IPSec rule(Phase2) on this page. 12. On the main page, click Firewall -> Address , and then press Create New button to edit your address rules.[...]

  • Page 195

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 195 13. To define the IP source address of the Network behind FortiNet. Givi ng a name for your address rule, for example “ Fortinet network ”, and enter the IP Range/Subnet in the text box. In this example, you should enter 192.168.1.0/24 IP Range/Su[...]

  • Page 196

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 196 17. On the main page, click Firewall -> Policy , and then press Create N ew button to edit your policy rules. 18. On Interface/Zone settings, select the interface to internal (private) network, and select the interface to external (public) networ k[...]

  • Page 197

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 197 21. After you press the OK button, you will the policy rule on this page. 22. Click VPN -> IPSec -> Monitor , this page displays a table that lists all the VPN rules configured on the FortiNet device. Y ou could check the link stat es here to kn[...]

  • Page 198

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 198 Remote Access VPN Scenario The remote access VPN scenario is to provide a remo te users secure connections to access corpo rate network over a public networking infrastructure. VPN has become the logical solution for rem ote access connectivity . The [...]

  • Page 199

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 199 existing Internet Key Exchange (IKE) Protocol featur e. Xauth allows authentication methods to perform user authentication in a separate phase after the IK E authentication phase 1 exchange. The Xauth feature is an extension to the IKE feature, and do[...]

  • Page 200

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 200 Local User RADIUS When external “RADIUS” is selecte d, please input the Service IP addre ss of the external RADIUS server and the shared Key which must be configured on the RADIUS. The default (UDP) port number for RADIUS is 1812. If RADIUS server[...]

  • Page 201

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 201 1. Setup ZyW ALL VPN Client 2. Setup ZyW ALL This page guides us to setup a VPN connection between the VPN s oftware and ZyWALL router. There will be several devices we need to setup for this case. They are VPN so ftware and ZyWALL router. As the figu[...]

  • Page 202

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 202 Remote Party Identity a nd Addressing settings: 4. In ID Type option, please choose IP Address option, and enter the IP address of the remote PC (PC 2 in thi s case). 5. Check Connect us ing Secure Gateway Tunnel , please also select IP Address as ID [...]

  • Page 203

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 203 Pre-Share Key Sett ings: 6. Extend ZyWALL icon, you may see My Identity . 7. Click My Identity ; click the Pre-Shar ed Key icon in the right side of the window. 8. Enter a key you that later you will also need to configure in ZyWALL in the pop out win[...]

  • Page 204

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 204 Security Policy Settings: 9. Click Security Policy option to choose Main Mode as Phase 1 Negotiation Mode[...]

  • Page 205

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 205 10. Extend Security Policy icon, you will see two icons, Authentication (Phase 1) and Key Exchange (Phase 2) . 11. The settings shown in the following two figures for both Ph ases are our examples. You can choose any, but they should match whatever yo[...]

  • Page 206

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 206[...]

  • Page 207

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 207 2. Setup ZyWALL VPN 1. Using a web browser , login ZyW ALL by giving th e LAN IP address of ZyW ALL in URL field. Default LAN IP is 192.168.1.1 , default password to login web configurator is 1234 . 2. Go to SECURITY ->VPN->Press Add button 3. c[...]

  • Page 208

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 208 You can further adjust IKE Phase 1/Phase 2 parameters by pressi ng Advanced button.[...]

  • Page 209

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 209 Content Filter Application T o filter non-work related and unproductive web surfi ng to mitigate spyware and phishing threat s W eb browsing is one of the most common activity people do on daily bases. However there are lots of threats and traps that [...]

  • Page 210

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 210 1. Minimize Spywar e Attack As mentioned earlier, pornography websites are known to contain Spyware and Trojans, thus it is recommended to use ZyWALL 2 Plus to prevent users from access these ty pes of websites. Below is an example to illustrate how t[...]

  • Page 211

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 21 1 “ Violence/Hate/Racism ”, “ Gay/Lesbian ”, “ Gambling ”, “ Illegal/Questionable ”, “ Illegal Drugs ”, and “ Cult/Occult ” categories( most spyware comes from such kind of websites ) to be filtered while accessing a website whi[...]

  • Page 212

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 212 2. Proactively Prevent Phishing Phishing – T he act of sending an email to a user fal sely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering privat e inform ation that will be used for identity thef[...]

  • Page 213

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 213 2.1.2  Customize the Forbidden web sites which are known phishing w eb sites In addition to use external content filter server to do filtering policies, we can customize the filter policies as our own. Just as the settings in the CONTETN FILTER->[...]

  • Page 214

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 214 3. Prevent non-business web surfing Below is an example that demonstrates how to configure the ZyW ALL 2 Plus CF service to prevent employee from surfing websites that are not related to work. Setting up the ZyW ALL 2 Plus CF service to block the non-[...]

  • Page 215

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 215 3 . 2 Using external database content filtering If you have registered the CF service, you can en able external database content filtering in the CONTENT FILTER -> Categories page, with selecting the categories check box es to specify the types of [...]

  • Page 216

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 216 to www.zyxel.com with “ (W ebsite Blocking) ” message displayed at the moment. Centralized Management Using V ant age CNM for Management V a ntage CNM is a centralized network m anagement so lution that allows users to easily configure, manage and[...]

  • Page 217

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 217 T o manage your ZyW ALLs through V antage CNM, user needs to prepare V antage CNM server and 3rd party FTP/Syslog/T elnet servers. For the detailed in stallation & registration process (to myZyXEL.com), please refer to V antage CNM Support Note . [...]

  • Page 218

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 218 the following section, we will explain how to regi ster device m anually . Devices can be also added (imported) to V antage CNM through XML f iles. For detailed operation, please refer to V antage CNM Support Note . Please check CNM Refer ence Guide f[...]

  • Page 219

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 219 1. device type 2. device name 3. device's LAN MAC address The XML file can be used for mass deployment. User can assign a device owner or l eave it to the owner of folder AAA. Step 3. Input the MAC address of LAN interface of the device. Give thi[...]

  • Page 220

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 220 S tep 4. On the device, go to ADV ANCED->REMOTE MGMT ->CNM , enable V antage CNM and configure V antage CNM Server Address in the filed. If Encryption Algorithm is enabled, you must select the same algorithm and secret key on both device and V a[...]

  • Page 221

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 221 On V antage CNM, the device icon will turn green and the device status will chang e to “On” and the W AN IP of the device will be shown on the content screen. FA Q A. Product F AQ A01. What is the ZyW ALL Internet Access Sharing Router? The ZyW AL[...]

  • Page 222

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 222 A02. Will the Zy W ALL work wi th my Internet connection? The ZyWALL is designed to be compatible with most network envir onment (cable or xDSL modems). Most external Cable and xDSL modems u se an Ethernet port to connect to your computer so the ZyWAL[...]

  • Page 223

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 223 A08. How can I configure the ZyW ALL?  T elnet remote management- CLI command line  W eb browser- web server em bedded for easy configurations A09. What can we do w ith Zy W ALL? Browse the World Wide Web (WWW), send and receive individual e- ma[...]

  • Page 224

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 224 table. Therefore, to m ake a local server accessible to the outsider , the port nu mber and the internal IP address of the server must be configured in NA T menu. A14. What DHCP capability doe s the ZyW ALL support? The ZyW ALL supports DHCP client on[...]

  • Page 225

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 225 A20. My ZyW ALL can not get an IP address from the ISP to connect to the Internet, what can I do? Currently, there are various ways that ISPs control their users . That is, the WAN IP is provided only when the user is checked as an authorized user. Th[...]

  • Page 226

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 226 computer to be more easily accessed from various locat ions on the Internet. T o use the service, you must first apply an account from several free W eb servers such as WWW .DYNDNS.ORG . W ithout DDNS, we always tell the users to use the W A N IP of t[...]

  • Page 227

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 227 understand the ESP packet with protocol number 50, replace the source IP address of the IPSec gateway to the router's WAN IP address. However , NAT should not change the sou rce port of the UDP packets which are used for key managements. Because [...]

  • Page 228

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 228 B01. What is a network firewall? A firewall is a system or group of systems that enfo rces an access-control po licy between two networks. It may also be defined as a mechanism used to prot ect a trusted network from an un-trusted network. The firewal[...]

  • Page 229

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 229 B04. What kind of fire wall is the Zy WALL? 1. The ZyWALL's firewall inspects packets conten ts and IP headers. It is appli cable to all protocols, that understands data in the packet is intended for other layers, from network layer up to the app[...]

  • Page 230

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 230 B07. What is Ping of Death attack? Ping of Death uses a 'PING' utility to create an IP packet that exceed s the maximum 65535 bytes of data allowed by the IP specification. The oversize packet is then sent to an unsuspecting system. System s[...]

  • Page 231

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 231 B12. What is IP Spoofing attack? Many DoS attacks also use IP Spoofing as part of th eir attack. IP Spoofing may be used to break into systems, to hide the hacker's identity, or to m agni fy the effect of the DoS attack. IP Spoofing is a techniqu[...]

  • Page 232

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 232 The above figure indicates the " triangle route " topology. It works fine if you turn off firewall function on ZyWALL box. However, if you turn on firewall, your connecti on will be blocked by firewall because of the following reason. Step 1[...]

  • Page 233

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 233 (C) T o resolve this conflict, we add an option for users to allow/disallow such T riangle Route topology in both CI command and W eb configurat or . Y ou can issue this command, " sys firewall ignor e triangle all on ", to allow firewall by[...]

  • Page 234

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 234 • Destination IP Mask =w.x.y.z • Action Matched =Drop • Action No Matched =Forward Where a.b.c.d is an IP address on your local network and w.x.y.z is your net mask. C. Security Service licenses F AQ C01. What is iCard? iCard is used for deliver[...]

  • Page 235

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 235 C06. What kind of iCard should I buy? It depends on the ZyW ALL m odel you have, the s ecurity service you desire and the license period you need. See the following table for those mappings. (H ere we highlight ZyW ALL 5/35/70 since they especially pr[...]

  • Page 236

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 236 In summary , myZyXEL.com delivers a convenient, central ized way to register all your ZyW ALL security appliances and security services. It eliminates th e hassle of registering indi vidual ZyW ALL appliances and upgrades to streamline the managem ent[...]

  • Page 237

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 237 D05. If I were new to my Zy XEL.com, what are the required fields when I register my ZyW ALL device on myZyXEL.com? The required fields include: user name, password, valid email address and country . D06. When using the new registration flow of myZyXE[...]

  • Page 238

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 238 D09. Who maint ains mySecurityZone & Up date Server? It’ s maintained by ZyXEL Security Response T eam (ZSR T) who manages backend support from the beginning of outbreak happen to attack sample collecti on, analyze it and output it as policy , a[...]

  • Page 239

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 239 E04. Can I decide whether to forw ard or drop the HTTP response if the query to BlueCoat dat a center is timed out? Yes, you can set the policy, drop or forward, when query is timed out. The default policy is block. E05. How to register for BlueCoat s[...]

  • Page 240

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 240 E10. Who needs ZyXEL Content Filtering? Is ZyXEL Content Filteri ng for small comp anies or for large corporations? All businesses can benefit from usi ng the ZyXEL Content Filtering solution ZyXEL Content Filtering helps organizations manage, monitor[...]

  • Page 241

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 241 E16. How do I keep database of C ontent Filtering service updated? From the current design, there is no local Conten t Filtering signature database sto red on the ZyW ALL devices. As a result, you don’t have to worry about the signatur e update of Z[...]

  • Page 242

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 242 BlueCoat uses expert Web content ra ters to train the ratings technology. Initially, category experts create a list of URLs that represent good c ontent for each category. The ratings technology then uses this in itial set of pages to recognize conten[...]

  • Page 243

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 243 · Sex Education · Violence/Hate/Racism · Weapons Potential Non-Productive Categories · Abortion · Arts/Entertainment · Auctions · Brokerage/Trading · Business & Economy · Chat/Instant Messaging · Computers/Internet · Cult/Occult · Cult[...]

  • Page 244

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 244 · Sports/Recreation/Hobbies · Streaming Media/MP3 · Travel · Vehicles · Web Advertisements · Web Communications · Web Hosting E24. How does the ZyXEL c ontent filtering handle dy namically generated sites? We use BlueCoat's Dynamic Real-Ti[...]

  • Page 245

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 245 E29. Which User Name & Password shoul d I input for Conten t Filtering report? The User Name is the smallest Ethernet MAC address of your device. To identify check the sticker in the bottom of the device as below, password is the password to login[...]

  • Page 246

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 246 policy , Gateway_1. In this case, this will be counted as two VPN tunnels. F02. What is VPN? A VPN gives users a secure link to access co rporate network over the Internet or other public or private networks without the expense of lease lines. A secur[...]

  • Page 247

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 247 company to carry the data traf fic over its Internet access lines, thus re ducing the need for som e installed lines. F04. What are most common VPN protocols? There are currently three major tunneling protocols for VPNs. They are Point-to-Point T unne[...]

  • Page 248

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 248 In this case, T ransport mode only pr otects the upper-layer protocols of IP payload (user data). T unneling mode protects the entire IP payload including user data. There is no restriction that the IPSec hosts and the security gateway m ust be separa[...]

  • Page 249

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 249 F1 1. What are Local ID and Peer ID? Local ID and Peer ID are used in IKE phase 1 ne gotiation. It’ s in FQDN(Fully Qualified Domain Name) format, IKE standard takes it as one type of Phase 1 ID. Phase 1 ID is identification for each VPN peer . The [...]

  • Page 250

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 250 F14. What VPN protocols are supported by ZyW ALL? All ZyW ALL series support ESP (protocol num ber 50) and AH (protocol number 51). F15. What types of encryp tion does ZyW ALL VPN support? ZyW ALL supports 56-bit DES and 168-bit 3DES. F16. What types [...]

  • Page 251

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 251 172.31.255.255 (these address ranges are reserved by inte rnet standard for private LAN numberings behind NA T devices). It is usually a static IP so that we can pre-c onfigure it in ZyW ALL for m aking VPN connections. If it is a dynamic IP given by [...]

  • Page 252

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 252 F21. Will ZyXEL support Secure Remote Management? Y es, we will support it and we are working on it currently . F22. Does ZyW ALL VPN support NetBIOS broadcast? Y es, the ZyW ALL does support NetBIOS broadcast over VPN. F23. Is the host behind NA T al[...]

  • Page 253

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 253 If firewall is turned on in ZyW ALL, you must forward IKE port in Internet in terface. If NA T are also enabled in ZyW ALL, NA T server is required for non-secure connections, NA T server is not required for secure connections a nd the physical privat[...]

  • Page 254

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 254 F28. Single, Range, Subnet, which typ es of IP address does ZyW ALL support in VPN/IPSec? All ZyW ALL series support single , range, and subnet configuration fo r VPN IPSec. In other words, you can specify a single PC, a range of PCs or even a network[...]

  • Page 255

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 255 cryptography as asymmetric. Symmetric cryptography , such as DES, 3DES, AES, is normally used for data transmission, since it requires less computation power than asymmetric cr yptography . The task of privately choosing a key before communicating, ho[...]

  • Page 256

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 256 Certificate Polic ies A Certification Practice S tatement. G05. What is a Certification Authority? A Certification Authority is a trusted third party that verifies the ident ity of an applicant registering for a digital certificate. Once a Certificati[...]

  • Page 257

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 257 describe the rules governing the dif f erent uses of these certificates. G09. How does a PKI ensure data confidentiality? Users' public keys are published in an accessible directory . A person wishing to send an encrypted message uses the recipie[...]

  • Page 258

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corporat ion. 258 When Bob clicks on the digital signature option on his e-mail application, special software applies a mathematical formula known as a hash function to the message, converting it to a fixed-length string of characters called a message digest. The diges[...]

  • Page 259

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 259 G12. Does ZyXEL provide CA service? No, ZyXEL doesn't maintain CA service for customers, customers need to find CA server (trusted 3rd party) in order to use PKI functionality on ZyW ALL. G13. What if customers don' t have access to CA servi[...]

  • Page 260

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 260 configuration to the local com puter . Then import them back to ZyXEL appliance. G19. If I export My Certifi cates from ZyXEL appliance, save them locally , and then import them back af ter resetting the configur ation file, can I reuse the imported M[...]

  • Page 261

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 261 b. Installation Speed and Simplicity: Installing a wireless LAN system ca n be fast and easy and can eliminate the need to pull cable through walls and ceilings. c. Installation Flexibility: Wireless technology allows the network to go where wire cann[...]

  • Page 262

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 262 at 1 1 Mbps or lower depending on range. The range at 54 Mbps is less than for 802.1 1b operating at 1 1 Mbps. H08. What is 802.1 1a? 802.1 1a the second revision of 802.1 1 that operate s in the unlicensed 5 GHz band and allows transmission rates of [...]

  • Page 263

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 263 2. Building Materials: metal door, aluminum studs. 3. Electrical devices: microwaves , m onitors, electric motors. Solution : 1.Minimizing the number of walls and ceilings 2.Antenna is positioned for best reception 3.Keep WLAN products away from el ec[...]

  • Page 264

    ZyW ALL 2WG Support Notes All contents c opyright (c) 2006 ZyXEL Comm unications Corp oration. 264 see the SSID. H17. What is 802.1x? IEEE 802.1x Port-Based Network Access Control is an IEEE (Institute of Elect rical and Electronics Engineers) standard, which specifies a standard mechanism for authen ticating, at the link layer (Layer 2), users&apo[...]