ZyXEL Communications 5 Series user manual


A good user manual

The rules oblige the seller to provide the buyer, together with the goods, with the ZyXEL Communications 5 Series user manual. A missing manual, or incorrect information given to the consumer, is grounds for a complaint that the device does not conform to the contract. By law, the manual may be supplied in a form other than paper, which has become common recently, including a graphic or electronic version of the ZyXEL Communications 5 Series manual or instructional videos for users. The condition is that it be legible and understandable.

What is a user manual?

The word comes from the Latin "instructio", meaning to organize. The ZyXEL Communications 5 Series user manual thus describes the steps of a procedure. The purpose of a user manual is to instruct and to make it easier to start up and use the equipment or to carry out specific actions. The user manual is a collection of information about the object/service, a guide.

Unfortunately, few users take the time to read the user manual, yet a good manual not only lets you discover a number of additional features of the purchased device but also helps you avoid most failures.

So what should the perfect manual contain?

First of all, the ZyXEL Communications 5 Series user manual should contain:
- information on the technical specifications of the ZyXEL Communications 5 Series device
- the manufacturer's name and the year of manufacture of the ZyXEL Communications 5 Series
- instructions for using, adjusting and maintaining the ZyXEL Communications 5 Series equipment
- safety markings and certificates confirming compliance with the relevant standards

Why don't we read user manuals?

Usually this is due to a lack of time and certainty regarding the specific functionality of the purchased equipment. Unfortunately, connecting and starting up the ZyXEL Communications 5 Series is not enough. The user manual contains a number of guidelines on specific features, safety, maintenance methods (even the products that should be used), possible faults of the ZyXEL Communications 5 Series and ways to solve common problems during use. Finally, the manual contains the contact details of ZyXEL Communications service in case the proposed solutions do not work. User manuals in the form of engaging animations and instructional videos, which are better than a brochure, are currently very popular. This type of manual lets the user watch the whole instructional video without skipping the complicated specifications and technical descriptions of the ZyXEL Communications 5 Series, as happens with the paper version.

Why read the user manual?

First of all, it contains answers about the structure and capabilities of the ZyXEL Communications 5 Series device, the use of various accessories, and a range of information for taking full advantage of all its features and conveniences.

After a successful purchase of the equipment/device, take a moment to familiarize yourself with every part of the ZyXEL Communications 5 Series user manual. Nowadays they are carefully prepared and translated so that they are not only understandable to users but also fulfil their basic function of informing and helping.

Table of contents of the user manual

  • Page 1

    www.zyxel.com ZyWALL 5/35/70 Series Internet Security Appliance User’s Guide Version 4.04 03/2008 Edition 1 DEFAULT LOGIN IP Address http://192.168.1.1 Password 1234[...]

  • Page 2

    [...]

  • Page 3

    About This User's Guide ZyWALL 5/35/70 Series User’s Guide 3 About This User's Guide Intended Audience This manual is intended for people who want to configure the ZyWALL using the web configurator or System Management Terminal (SMT). You should have at least a basic knowledge of TCP/IP networking concepts and topology. Related[...]

  • Page 4

    Document Conventions ZyWALL 5/35/70 Series User’s Guide 4 Document Conventions Warnings and Notes These are how warnings and notes are shown in this User’s Guide. 1 Warnings tell you about things that could harm you or your device. " Notes tell you other important information (for example, other things you may need to configure or hel[...]

  • Page 5

    Document Conventions ZyWALL 5/35/70 Series User’s Guide 5 Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL Computer Notebook computer Server Firewall Telephone Switch Router[...]

  • Page 6

    Safety Warnings ZyWALL 5/35/70 Series User’s Guide 6 Safety Warnings 1 For your safety, be sure to read and follow all warning notices and instructions. • Do NOT use this product near water, for example, in a wet basement or near a swimming pool. • Do NOT expose your device to dampness, dust or corrosive liquids. • Do NOT store things o[...]

  • Page 7

    Safety Warnings ZyWALL 5/35/70 Series User’s Guide 7 This product is recyclable. Dispose of it properly.[...]

  • Page 8

    Safety Warnings ZyWALL 5/35/70 Series User’s Guide 8[...]

  • Page 9

    Contents Overview ZyWALL 5/35/70 Series User’s Guide 9 Contents Overview Introduction ... 49; Getting to Know Your ZyWALL ...[...]

  • Page 10

    Contents Overview ZyWALL 5/35/70 Series User’s Guide 10 Reports, Logs and Maintenance ... 537; Reports Screens ... 539; Logs Screens ...[...]

  • Page 11

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 11 Table of Contents About This User's Guide ... 3; Document Conventions ... 4; Sa[...]

  • Page 12

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 12 3.2 Accessing the ZyWALL Web Configurator ... 61; 3.3 Resetting the ZyWALL ...[...]

  • Page 13

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 13 5.1.5 Using the Dynamic VPN Rule for More VPN Tunnels ... 119; 5.2 Security Settings for VPN Traffic ... 119; 5.2.1 IDP for From [...]

  • Page 14

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 14 8.1 Overview ... 161; 8.1.1 What You Can Do in the Bridge Screens ... 161; 8.1[...]

  • Page 15

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 15 Chapter 11 WLAN Screens ... 219; 11.1 Overview ...[...]

  • Page 16

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 16 13.7 The Firewall Thresholds Screen ... 264; 13.8 The Firewall Services Screen ... 266; 13.8.1 The Fir[...]

  • Page 17

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 17 16.1.1 What You Can Do in the Antispam Screens ... 313; 16.1.2 What You Need to Know About Antispam ... 314; 16.2 The General Screen ...[...]

  • Page 18

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 18 19.11 Telecommuter VPN/IPSec Examples ... 382; 19.11.1 Telecommuters Sharing One VPN Rule Example ... 383; 19.11.2 Telecommuters Using Unique VPN [...]

  • Page 19

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 19 Chapter 22 Network Address Translation (NAT) ... 435; 22.1 Overview ... 435; 22.1.1[...]

  • Page 20

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 20 25.2 The Summary Screen ... 467; 25.2.1 Maximize Bandwidth Usage Example ... 470; 25.2.2 Reserving Bandwid[...]

  • Page 21

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 21 27.9 The SNMP Screen ... 510; 27.9.1 Configuring the SNMP Screen ... 512; 27.10 The DNS Screen ...[...]

  • Page 22

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 22 31.2.4 System Reports Specifications ... 545; 31.3 The IDP Screen ... 545; 31.4 The An[...]

  • Page 23

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 23 34.3 Navigating the SMT Interface ... 606; 34.3.1 Main Menu ... 607; 34.3.2 SMT Menus O[...]

  • Page 24

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 24 39.1 Configuring DMZ Setup ... 645; 39.2 DMZ Port Filter Setup ... 645; 39.3 TCP/IP S[...]

  • Page 25

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 25 44.3 Configuring a Server behind NAT ... 681; 44.4 General NAT Examples ... 683; 44.4.1 In[...]

  • Page 26

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 26 48.3.2 Console Port Speed ... 716; 48.4 Log and Trace ... 717; 48.4.1 View[...]

  • Page 27

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 27 50.2.1 Budget Management ... 740; 50.2.2 Call History ... 741; 50.3 Time and Date S[...]

  • Page 28

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 28 Appendix C Wireless LANs ... 787; Appendix D Windows 98 SE/Me Requirements for Anti-Virus Message Display ... 801; Appendix E Legal Information ...[...]

  • Page 29

    List of Figures ZyWALL 5/35/70 Series User’s Guide 29 List of Figures Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem ... 52; Figure 2 VPN Application ... 5[...]

  • Page 30

    List of Figures ZyWALL 5/35/70 Series User’s Guide 30 Figure 39 VPN Wizard Setup Complete ... 104; Figure 40 Anti-Spam Wizard: Email Server Location Setting ... 105; Fig[...]

  • Page 31

    List of Figures ZyWALL 5/35/70 Series User’s Guide 31 Figure 82 LAN and WAN ... 149; Figure 83 NETWORK > LAN ...[...]

  • Page 32

    List of Figures ZyWALL 5/35/70 Series User’s Guide 32 Figure 125 WLAN Port Role Example ... 226; Figure 126 NETWORK > WLAN > Port Roles ... 227; Figure 12[...]

  • Page 33

    List of Figures ZyWALL 5/35/70 Series User’s Guide 33 Figure 168 SECURITY > IDP > Signature: Query View ... 285; Figure 169 SECURITY > IDP > Signature: Query by Partial Name ... 287; Figure 170 SECURITY > IDP [...]

  • Page 34

    List of Figures ZyWALL 5/35/70 Series User’s Guide 34 Figure 211 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy ... 368; Figure 212 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding ... 373; Figure 213 SECURITY > VPN > VPN Rules (IKE)[...]

  • Page 35

    List of Figures ZyWALL 5/35/70 Series User’s Guide 35 Figure 254 Multiple Servers Behind NAT Example ... 442; Figure 255 Port Translation Example ...[...]

  • Page 36

    List of Figures ZyWALL 5/35/70 Series User’s Guide 36 Figure 297 SSL Client Authentication ... 502; Figure 298 Secure Web Configurator Login Screen ... 502; Figure [...]

  • Page 37

    List of Figures ZyWALL 5/35/70 Series User’s Guide 37 Figure 340 MAINTENANCE > General Setup ... 586; Figure 341 MAINTENANCE > Password ... 587; Figure 342 MA[...]

  • Page 38

    List of Figures ZyWALL 5/35/70 Series User’s Guide 38 Figure 383 Menu 4: Internet Access Setup (Ethernet) ... 640; Figure 384 Internet Access Setup (PPTP) ... 642; Figure 385 In[...]

  • Page 39

    List of Figures ZyWALL 5/35/70 Series User’s Guide 39 Figure 426 Example 3: Menu 11.1.2 ... 687; Figure 427 Example 3: Menu 15.1.1.1 ... 687[...]

  • Page 40

    List of Figures ZyWALL 5/35/70 Series User’s Guide 40 Figure 469 Restore Using FTP Session Example ... 732; Figure 470 System Maintenance: Restore Configuration ... 732; Figure 471 System Maint[...]

  • Page 41

    List of Tables ZyWALL 5/35/70 Series User’s Guide 41 List of Tables Table 1 ZyWALL Model Specific Features ... 52; Table 2 Front Panel Lights ...[...]

  • Page 42

    List of Tables ZyWALL 5/35/70 Series User’s Guide 42 Table 39 Load Balancing: Weighted Round Robin ... 180; Table 40 Load Balancing: Spillover ...[...]

  • Page 43

    List of Tables ZyWALL 5/35/70 Series User’s Guide 43 Table 82 SECURITY > IDP > Signature: Query View ... 285; Table 83 SECURITY > IDP > Anomaly ... 290; Ta[...]

  • Page 44

    List of Tables ZyWALL 5/35/70 Series User’s Guide 44 Table 125 SECURITY > CERTIFICATES > Directory Servers ... 425; Table 126 SECURITY > CERTIFICATES > Directory Server > Add ... 426; Table 127 SECURITY > AUTH [...]

  • Page 45

    List of Tables ZyWALL 5/35/70 Series User’s Guide 45 Table 168 REPORTS > Anti-Spam ... 549; Table 169 REPORTS > E-mail Report ... 5[...]

  • Page 46

    List of Tables ZyWALL 5/35/70 Series User’s Guide 46 Table 211 Menu 1: General Setup (Bridge Mode) ... 614; Table 212 Menu 1.1: Configure Dynamic DNS ... 615; Table 213 Menu 1.[...]

  • Page 47

    List of Tables ZyWALL 5/35/70 Series User’s Guide 47 Table 254 System Maintenance Menu Syslog Parameters ... 718; Table 255 System Maintenance Menu Diagnostic ... 724; Table 256 Filename Convention[...]

  • Page 48

    List of Tables ZyWALL 5/35/70 Series User’s Guide 48[...]

  • Page 49

    49 PART I Introduction Getting to Know Your ZyWALL (51) Hardware Installation (55) Introducing the Web Configurator (61) Wizard Setup (87) Tutorials (109) Registration Screens (141)[...]

  • Page 50

    50[...]

  • Page 51

    ZyWALL 5/35/70 Series User’s Guide 51 CHAPTER 1 Getting to Know Your ZyWALL This chapter introduces the main features and applications of the ZyWALL. 1.1 ZyWALL Internet Security Appliance Overview The ZyWALL is loaded with security features including VPN, firewall, content filtering, anti-spam, IDP (Intrusion Detection and Prevention), ant[...]

  • Page 52

    Chapter 1 Getting to Know Your ZyWALL ZyWALL 5/35/70 Series User’s Guide 52 " See Chapter 55 on page 769 for a complete list of features. Table Key: A Y in a model’s column shows that the model has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change. 1.3 Appli[...]

  • Page 53

    Chapter 1 Getting to Know Your ZyWALL ZyWALL 5/35/70 Series User’s Guide 53 1.3.2 VPN Application ZyWALL VPN is an ideal cost-effective way to securely connect branch offices, business partners and telecommuters over the Internet without the need (and expense) for leased lines between sites. Figure 2 VPN Application 1.3.3 3G WAN Application ([...]

  • Page 54

    Chapter 1 Getting to Know Your ZyWALL ZyWALL 5/35/70 Series User’s Guide 54 1.4 Ways to Manage the ZyWALL Use any of the following methods to manage the ZyWALL. • Web Configurator. This is recommended for everyday management of the ZyWALL using a (supported) web browser. • Command Line Interface. Line commands are mostly used for t[...]

  • Page 55

    ZyWALL 5/35/70 Series User’s Guide 55 CHAPTER 2 Hardware Installation The ZyWALL can be placed on a desktop or rack-mounted on a standard EIA rack. Use the brackets in a rack-mounted installation. 2.1 General Installation Instructions Read all the safety warnings in the beginning of this User's Guide before you begin and make sure yo[...]

  • Page 56

    Chapter 2 Hardware Installation ZyWALL 5/35/70 Series User’s Guide 56 Figure 4 Attaching Rubber Feet " Do not block the ventilation holes. Leave space between ZyWALLs when stacking. 2.3 Rack-mounted Installation Requirements The ZyWALL can be mounted on an EIA standard size, 19-inch rack or in a wiring closet with other equipment.[...]

  • Page 57

    Chapter 2 Hardware Installation ZyWALL 5/35/70 Series User’s Guide 57 2.4 Rack-Mounted Installation 1 Align one bracket with the holes on one side of the ZyWALL and secure it with the bracket screws (smaller than the rack-mounting screws). 2 Attach the other bracket in a similar fashion. Figure 5 Attaching Mounting Brackets and Screws 3 Afte[...]

  • Page 58

    Chapter 2 Hardware Installation ZyWALL 5/35/70 Series User’s Guide 58 2.5 3G Card, WLAN Card and ZyWALL Turbo Card Installation " Do not insert or remove a card with the ZyWALL turned on. Make sure the ZyWALL is off before inserting or removing an 802.11b/g-compliant wireless LAN PCMCIA or CardBus card, 3G card or ZyWALL Turbo [...]

  • Page 59

    Chapter 2 Hardware Installation ZyWALL 5/35/70 Series User’s Guide 59 2.6 Front Panel Lights Figure 8 ZyWALL 70 Front Panel Figure 9 ZyWALL 35 Front Panel Figure 10 ZyWALL 5 Front Panel The following table describes the lights. Table 2 Front Panel Lights LED COLOR STATUS DESCRIPTION PWR Off The ZyWALL is turned off. Green On The ZyWALL is[...]

  • Page 60

    Chapter 2 Hardware Installation ZyWALL 5/35/70 Series User’s Guide 60 WAN1/2 10/100 or WAN 10/100 Off The WAN connection is not ready, or has failed. Green On The ZyWALL has a successful 10 Mbps WAN connection. Flashing The 10M WAN is sending or receiving packets. Orange On The ZyWALL has a successful 100 Mbps WAN connection. Fla[...]

  • Page 61

    ZyWALL 5/35/70 Series User’s Guide 61 CHAPTER 3 Introducing the Web Configurator This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens. 3.1 Web Configurator Overview The web configurator is an HTML-based management interface that allows easy ZyWALL setup and management via Internet browser[...]

  • Page 62

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 62 5 You should see a screen asking you to change your password (highly recommended) as shown next. Type a new password (and retype it to confirm) and click Apply or click Ignore. Figure 11 Change Password Screen 6 Click Apply in the Replace Certificate screen to c[...]

  • Page 63

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 63 3.3 Resetting the ZyWALL If you forget your password or cannot access the web configurator, you will need to reload the factory-default configuration file or use the RESET button on the back of the ZyWALL. Uploading this configuration file replaces the current c[...]

  • Page 64

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 64 3.4 Navigating the ZyWALL Web Configurator The following summarizes how to navigate the web configurator from the HOME screen. This guide uses the ZyWALL 70 screenshots as an example. The screens may vary slightly for different ZyWALL models. Figure 14 HOME Scre[...]

  • Page 65

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 65 3.4.2 Main Window The main window shows the screen you select in the navigation panel. It is discussed in more detail in the rest of this document. Right after you log in, the HOME screen is displayed. The screen varies according to the device mode you select in the [...]

  • Page 66

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 66 System Name This is the System Name you enter in the MAINTENANCE > General screen. It is for identification purposes. Click the field label to go to the screen where you can specify a name for this ZyWALL. Model This is the model name of your ZyWALL. Bootbase[...]

  • Page 67

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 67 Status For the LAN, DMZ and WLAN ports, this displays the port speed and duplex setting. Ethernet port connections can be in half-duplex or full-duplex mode. Full-duplex refers to a device's ability to send and receive simultaneously, while half-duplex ind[...]

  • Page 68

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 68 Virus Detected This displays how many virus-infected files the ZyWALL has detected since it last started up. It also displays the percentage of virus-infected files out of the total number of files that the ZyWALL has scanned (since it last started up). N/A di[...]

  • Page 69

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 69 Last Connection Up Time This displays how long the 3G connection has been up. Tx Bytes This displays the total number of data frames transmitted. Rx Bytes This displays the total number of data frames received. 3G Card Manufacturer This displays the manufacturer of[...]

  • Page 70

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 70 Disable budget control This field displays if you have enabled budget control but insert a 3G card with a different user account from the one for which you configured budget control. Select this option to disable budget control. If you want to enable and configure[...]

  • Page 71

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 71 3.4.4 HOME Screen: Bridge Mode The following screen displays when the ZyWALL is set to bridge mode. In bridge mode, the ZyWALL functions as a transparent firewall (also known as a bridge firewall). The ZyWALL bridges traffic traveling between the ZyWALL'[...]

  • Page 72

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 72 Bootbase Version This is the bootbase version and the date created. Firmware Version This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design. Click the field label to go to the screen wher[...]

  • Page 73

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 73 Bridge Hello Time This is the interval of BPDUs (Bridge Protocol Data Units) from the root bridge. Bridge Max Age This is the predefined interval that a bridge waits to get a Hello message (BPDU) from the root bridge. Forward Delay This is the forward delay inte[...]

  • Page 74

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 74 3.4.5 Navigation Panel After you enter the password, use the sub-menus on the navigation panel to configure ZyWALL features. The following table lists the features available for each device mode. Not all ZyWALLs have all features listed in this table. Spam Mai[...]

  • Page 75

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 75 Table Key: A Y in a mode’s column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change. The following table describes the sub-menus. WAN Y DMZ Y Bridge Y WLA[...]

  • Page 76

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 76 LAN LAN Use this screen to configure LAN DHCP and TCP/IP settings. Static DHCP Use this screen to assign fixed IP addresses on the LAN. IP Alias Use this screen to partition your LAN interface into subnets. Port Roles (ZyWALL 5 and ZyWALL 35) Use this screen to [...]

  • Page 77

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 77 FIREWALL Default Rule Use this screen to activate/deactivate the firewall and the direction of network traffic to which to apply the rule Rule Summary This screen shows a summary of the firewall rules, and allows you to edit/add a firewall rule. Anti-Probing Use t[...]

  • Page 78

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 78 CERTIFICATES My Certificates Use this screen to view a summary list of certificates and manage certificates and certification requests. Trusted CAs Use this screen to view and manage the list of the trusted CAs. Trusted Remote Hosts Use this screen to[...]

  • Page 79

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 79 REMOTE MGMT WWW Use this screen to configure through which interface(s) and from which IP address(es) users can use HTTPS or HTTP to manage the ZyWALL. SSH Use this screen to configure through which interface(s) and from which IP address(es) users can use Secure S[...]

  • Page 80

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 80 3.4.6 Port Statistics Click Port Statistics in the HOME screen. Read-only information here includes port status and packet specific statistics. The Poll Interval(s) field is configurable. Not all items described are available on all models. Figure 17 HOME[...]

  • Page 81

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 81 3.4.7 Show Statistics: Line Chart Click the icon in the Show Statistics screen. This screen shows you a line chart of each port’s throughput statistics. Figure 18 HOME > Show Statistics > Line Chart Status For the WAN interface(s) and the Dial Backup p[...]

  • Page 82

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 82 The following table describes the labels in this screen. 3.4.8 DHCP Table DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyWALL as a DHC[...]

  • Page 83

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 83 3.4.9 VPN Status Click VPN in the HOME screen. This screen displays read-only information about the active VPN connections. The Poll Interval(s) field is configurable. A Security Association (SA) is the group of security settings related to a specific VPN tunnel. [...]

  • Page 84

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 84 3.4.10 Bandwidth Monitor Click Bandwidth in the HOME screen to display the bandwidth monitor. This screen displays the device’s bandwidth usage and allotments. Figure 21 Home > Bandwidth Monitor The following table describes the labels in this screen. IPSec A[...]

  • Page 85

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 85 Automatic Refresh Interval Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics. Refresh Click this button to update the screen’s stati[...]

  • Page 86

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 86[...]

  • Page 87

    ZyWALL 5/35/70 Series User’s Guide 87 CHAPTER 4 Wizard Setup This chapter provides information on the Wizard Setup screens in the web configurator. The Internet access wizard is only applicable when the ZyWALL is in router mode. 4.1 Wizard Setup Overview The web configurator's setup wizards help you configure Internet and VPN connecti[...]

  • Page 88

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 88 4.2 Internet Access The Internet access wizard screen has three variations depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information. 4.2.1 ISP Parameters The Z[...]

  • Page 89

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 89 4.2.1.2 PPPoE Encapsulation Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an IETF (Internet Engineering Task Force) standard specifying how a host personal computer interacts with a broadband modem (for example DSL, cable, wireless, etc.)[...]

  • Page 90

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 90 The following table describes the labels in this screen. 4.2.1.3 PPTP Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables transfers of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-base[...]

  • Page 91

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 91 Figure 25 ISP Parameters: PPTP Encapsulation The following table describes the labels in this screen. Table 15 ISP Parameters: PPTP Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Select PPTP from the drop-down list box. To configure a PPTP client, y[...]

  • Page 92

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 92 4.2.2 Internet Access Wizard: Second Screen Click Next to go to the screen where you can register your ZyWALL and activate the free content filtering, anti-spam, anti-virus and IDP trial applications. Otherwise, click Skip to display the congratulations screen and click Close to co[...]

  • Page 93

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 93 Figure 27 Internet Access Setup Complete 4.2.3 Internet Access Wizard: Registration If you clicked Next in the previous screen (see Figure 26 on page 92), the following screen displays. Use this screen to register the ZyWALL with myZyXEL.com. You must register your ZyWALL before yo[...]

  • Page 94

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 94 The following table describes the labels in this screen. After you fill in the fields and click Next, the following screen shows indicating the registration is in progress. Wait for the registration progress to finish. Figure 29 Internet Access Wizard: Registration in Progress 4.2.4 I[...]

  • Page 95

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 95 Figure 30 Internet Access Wizard: Status A screen similar to the following appears if the registration was not successful. Click Return to go back to the Device Registration screen and check your settings. Figure 31 Internet Access Wizard: Registration Failed 4.2.5 Internet Access W[...]

  • Page 96

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 96 Figure 33 Internet Access Wizard: Activated Services 4.3 VPN Wizard Gateway Setting Use this screen to name the VPN gateway policy (IKE SA) and identify the IPSec routers at either end of the VPN tunnel. Click VPN Setup in the Wizard Setup Welcome screen (Figure 22 on page 87) to op[...]

  • Page 97

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 97 4.4 VPN Wizard Network Setting Use this screen to name the VPN network policy (IPSec SA) and identify the devices behind the IPSec routers at either end of a VPN tunnel. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same lo[...]

  • Page 98

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 98 Figure 35 VPN Wizard: Network Setting The following table describes the labels in this screen. Table 18 VPN Wizard: Network Setting LABEL DESCRIPTION Network Policy Property Active If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel[...]

  • Page 99

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 99 4.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1) Use this screen to specify the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA. Figure 36 VPN Wizard: IKE Tunnel Setting Starting IP Address When the Remote Network field is configured to Single, ente[...]

  • Page 100

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 100 The following table describes the labels in this screen. 4.6 VPN Wizard IPSec Setting (IKE Phase 2) Use this screen to specify the authentication, encryption and other settings needed to negotiate a phase 2 IPSec SA. Table 19 VPN Wizard: IKE Tunnel Setting LABEL DESCRIPTION Negotiati[...]

  • Page 101

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 101 Figure 37 VPN Wizard: IPSec Setting The following table describes the labels in this screen. Table 20 VPN Wizard: IPSec Setting LABEL DESCRIPTION Encapsulation Mode Tunnel is compatible with NAT, Transport is not. Tunnel mode encapsulates the entire IP packet to tran[...]

  • Page 102

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 102 4.7 VPN Wizard Status Summary This read-only screen shows the status of the current VPN setting. Use the summary table to check whether what you have configured is correct. Figure 38 VPN Wizard: VPN Status Perfect Forward Secret (PFS) Perfect Forward Secrecy (PFS) is disabled (Non[...]

  • Page 103

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 103 The following table describes the labels in this screen. Table 21 VPN Wizard: VPN Status LABEL DESCRIPTION Gateway Policy Property Name This is the name of this VPN gateway policy. Gateway Policy Setting My ZyWALL This is the WAN IP address or the domain name of your ZyWALL in ro[...]

  • Page 104

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 104 4.8 VPN Wizard Setup Complete Congratulations! You have successfully set up the VPN rule for your ZyWALL. If you already had VPN rules configured, the wizard adds the new VPN rule after the last existing VPN rule. Figure 39 VPN Wizard Setup Complete 4.9 Anti-Spam Wizard: Email [...]

  • Page 105

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 105 Figure 40 Anti-Spam Wizard: Email Server Location Setting The following table describes the labels in this screen. 4.10 Anti-Spam Wizard: Direction Recommendations This screen displays recommended traffic flows to scan for spam based on the locations of your e-mail servers. Table [...]

  • Page 106

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 106 Figure 41 Anti-Spam Wizard: Direction Recommendations • For e-mail servers on the LAN, DMZ, or WLAN the ZyWALL recommends checking traffic that comes from the WAN to the zone(s) where the e-mail server is located. This is to check for spam coming to the ZyWALL’s e-mail serve[...]

  • Page 107

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 107 Figure 42 Anti-Spam Wizard: Direction Configuration The following table describes the labels in this screen. Table 23 Anti-Spam Wizard: Direction Configuration LABEL DESCRIPTION Enable Anti-Spam Select this check box to check traffic for spam SMTP (TCP port 25 and POP3 (TCP port[...]

  • Page 108

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 108 4.12 Anti-Spam Wizard: Setup Complete Congratulations! You have successfully set up the directions that the anti-spam feature checks for spam. This does not enable the anti-spam feature. Go to the SECURITY > ANTI-SPAM screens to enable anti-spam. Figure 43 Anti-Spam Wizard: S[...]

  • Page 109

    ZyWALL 5/35/70 Series User’s Guide 109 CHAPTER 5 Tutorials This chapter gives examples of how to configure some of your ZyWALL’s key features. See the related chapter on a feature for more details. 5.1 Dynamic VPN Rule Configuration Dynamic VPN rules allow VPN connections from IPSec routers with dynamic WAN IP addresses. This tutorial shows[...]

  • Page 110

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 110 5.1.1 Configure Bob’s User Account This example includes extended authentication. Bob has to enter the correct username and password to use the ZyWALL tunnel. This keeps others from using Bob’s ZyWALL if it is lost or stolen. ZyWALL A needs to check the VPN tunnel requests tha[...]

  • Page 111

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 111 1 Click SECURITY > VPN > VPN Rules (IKE), and then the add gateway policy ( ) icon to display the Edit Gateway Policy screen. Use this screen to configure the VPN gateway policy that identifies the ZyWALLs. The company’s ZyWALL (A) and the telecommuter’s ZyWALL (B) ga[...]

  • Page 112

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 112 Figure 45 VPN Gateway Policy Edit Screens 2 After you click Apply, the A-B_Gateways gateway policy displays as shown next. Click SECURITY > VPN and the A-B_Gateways’ add network policy ( ) icon. The following figure shows ZyWALL A’s screen. Remote Device (B) Company Device [...]

  • Page 113

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 113 Figure 46 SECURITY > VPN > Add Network Policy (ZyWALL A) 3 Edit the VPN-Network Policy -Edit screen to configure network policies. A network policy identifies the devices behind the IPSec routers at either end of a VPN tunnel and specifies the authentication, encryption and other[...]

  • Page 114

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 114 Figure 47 VPN Network Policy Edit Screens Company Device (A) Telecommuter Device (B)[...]

  • Page 115

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 115 4 After you click Apply, the network policy displays with the gateway policy. 5 In the ZyWALL B, select "X-Y_Networks" in the Activating VPN Rule field to activate the VPN rule. The color of "X-Y_Networks" VPN policy changes to pink. Figure 48 Activate VPN Rule[...]

  • Page 116

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 116 Figure 49 Tutorial: VPN Summary Screens Comparison Example You have configured the company’s ZyWALL (A) and the telecommuter’s ZyWALL (B). 5.1.3 Configure Zero Configuration Mode on ZyWALL B The ZyWALL P1’s zero configuration mode provides a simplified user mode for t[...]

  • Page 117

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 117 3 Select Zero Configuration Mode. 4 Click Apply. The system reboots automatically and restarts in zero configuration mode. 5.1.4 Testing Your VPN Configuration Test the VPN configuration before giving the ZyWALL P1 to Bob. 1 ZyWALL A should already be connected to the Internet u[...]

  • Page 118

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 118 3 Open a web browser (like Internet Explorer) to connect to the ZyWALL P1’s LAN IP address (http://192.168.167.1 in this example). 4 The user mode screen for VPN authentication displays. Enter the user name "SalesManager" and password "Manager1234". Click Acti[...]

  • Page 119

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 119 When you can ping IP address 10.0.0.2 from the computer with IP address 192.168.167.2 behind ZyWALL B, you know the VPN tunnel works. 5.1.5 Using the Dynamic VPN Rule for More VPN Tunnels Other remote users (like sales people and telecommuters) using IPSec routers with dynamic WAN I[...]

  • Page 120

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 120 The security settings apply to VPN traffic going to or from the ZyWALL’s VPN tunnels. They do not apply to other VPN traffic for which the ZyWALL is not one of the gateways (VPN pass-through traffic). You can turn on content filtering for all of the ZyWALL’s VPN traffic [...]

  • Page 121

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 121 Figure 54 IDP Configuration for Traffic From VPN 5.2.2 IDP for To VPN Traffic Example You can also apply security settings to the To VPN packet direction to protect the remote networks from attacks, intrusions, viruses and spam originating from your own network. For example, you can[...]

  • Page 122

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 122 1 Click SECURITY > IDP > General. 2 Select the To VPN column’s first check box (with the interface label) to select all of the To VPN packet directions. 3 Click Apply. Figure 56 IDP Configuration for To VPN Traffic 5.3 Firewall Rule for VPN Example The firewall provide[...]

  • Page 123

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 123 Figure 57 Firewall Rule for VPN 5.3.1 Configuring the VPN Rule This section shows how to configure a VPN rule on device A to let the network behind B access the FTP server. You would also have to configure a corresponding rule on device B. 1 Click Security > VPN to open the followi[...]

  • Page 124

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 124 Figure 59 SECURITY > VPN > VPN Rules (IKE) > Add Gateway Policy 3 Click the Add Network Policy icon.[...]

  • Page 125

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 125 Figure 60 SECURITY > VPN > VPN Rules (IKE): With Gateway Policy Example 4 Use this screen to specify which computers behind the routers can use the VPN tunnel. Configure the fields that are circled as follows and click Apply. You may notice that the example does not specify the p[...]

  • Page 126

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 126 Figure 61 SECURITY > VPN > VPN Rules (IKE) > Add Network Policy[...]

  • Page 127

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 127 5.3.2 Configuring the Firewall Rules Suppose you have several VPN tunnels but you only want to allow device B’s network to access the FTP server. You also only want FTP traffic to go to the FTP server, so you want to block all other traffic types (like chat, e-mail, web and so o[...]

  • Page 128

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 128 Figure 63 SECURITY > FIREWALL > Rule Summary > Edit: Allow 5 The rule displays in the summary list of VPN to LAN firewall rules.[...]

  • Page 129

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 129 Figure 64 SECURITY > FIREWALL > Rule Summary: Allow 5.3.2.2 Default Firewall Rule to Block Other Access Example Now you configure the default firewall rule to block all VPN to LAN traffic. This blocks any other types of access from VPN tunnels to the LAN FTP server. This means[...]

  • Page 130

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 130 Figure 65 SECURITY > FIREWALL > Default Rule: Block From VPN To LAN 5.4 How to Set up a 3G WAN Connection This section shows you how to configure and set up a 3G WAN connection on the ZyWALL. In this example, you have set up WAN 1 and want the ZyWALL to use both of the WAN[...]

  • Page 131

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 131 2 If you have a wireless card or Turbo card in the ZyWALL, remove it. 3 Slide the connector end of the 3G card into the slot. 4 Connect the ZyWALL’s power. 5.4.2 Configuring 3G WAN Settings You should already have an activated user account and network access information from th[...]

  • Page 132

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 132 5.4.3 Checking WAN Connections 1 Go to the web configurator’s Home screen. 2 In the network status table, make sure the status for WAN 1 and WAN 2 is not Down and there is an IP address. If the WAN 2 connection is not up, make sure you have entered the correct information in the N[...]

  • Page 133

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 133 Figure 68 Tutorial: NETWORK > WAN > General 5.6 Configuring Content Filtering You can use the ZyWALL’s content filtering policies to apply specific content filtering settings to specific users. You can even filter certain things at certain times. For example, you decide to[...]

  • Page 134

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 134 Use the REGISTRATION screens (see Chapter 6 on page 141) to create a myZyXEL.com account, register your device and activate the external content filtering service. 1 Click SECURITY > CONTENT FILTER. 2 Enable the content filter and external database content filtering. 3 Click Apply[...]

  • Page 135

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 135 Figure 70 SECURITY > CONTENT FILTER > Policy 2 Select Active. 3 Select the categories to block. 4 Click Apply. Figure 71 SECURITY > CONTENT FILTER > Policy > External Database (Default)[...]

  • Page 136

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 136 5.6.3 Assign Bob’s Computer a Specific IP Address You will configure a content filtering policy for traffic from Bob’s computer’s IP address. Do the following to have the ZyWALL always give Bob’s computer the same IP address (192.168.1.33 in this example). 1 Click HOME &g[...]

  • Page 137

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 137 Figure 74 SECURITY > CONTENT FILTER > Policy > Insert 5.6.5 Set the Content Filter Schedule You want to let Bob access arts and entertainment web pages, but only during lunch. So you configure a schedule to only apply the Bob policy from 12:00 to 13:00. For the rest of the t[...]

  • Page 138

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 138 Figure 76 SECURITY > CONTENT FILTER > Policy > Schedule (Bob) 5.6.6 Block Categories of Web Content for Bob Now you select the categories of web pages to block Bob from accessing. 1 Click SECURITY > CONTENT FILTER > Policy and then the Bob policy’s external database [...]

  • Page 139

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 139 3 Select the categories to block. This is very similar to Section 5.6.2 on page 134, except you do not select the arts and entertainment category. 4 Click Apply. Figure 78 SECURITY > CONTENT FILTER > Policy > External Database (Bob)[...]

  • Page 140

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 140[...]

  • Page 141

    ZyWALL 5/35/70 Series User’s Guide 141 CHAPTER 6 Registration Screens 6.1 Overview The registration screens let you activate and update your account with myZyXEL.com, allowing you access to subscription services required for the ZyWALL’s security features. 6.1.1 What You Can Do in the Registration Screens • Use the Registration screen [...]

  • Page 142

    Chapter 6 Registration Screens ZyWALL 5/35/70 Series User’s Guide 142 IDP IDP allows the ZyWALL to detect malicious or suspicious packets and respond immediately. Signatures This is the pattern of code used by a particular virus. The ZyWALL compares files with a database of signatures to identify possible viruses. The ID&P and anti-vir[...]

  • Page 143

    Chapter 6 Registration Screens ZyWALL 5/35/70 Series User’s Guide 143 Figure 79 REGISTRATION > Registration The following table describes the labels in this screen. Table 25 REGISTRATION > Registration LABEL DESCRIPTION Device Registration If you select Existing myZyXEL.com account, only the User Name and Password fields are available.[...]

  • Page 144

    Chapter 6 Registration Screens ZyWALL 5/35/70 Series User’s Guide 144 If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated. Use the Service screen to update your service subscription status. Figure 80 REGISTRATION > Registration: Registered Device 6.3 The Service Screen Af[...]

  • Page 145

    Chapter 6 Registration Screens ZyWALL 5/35/70 Series User’s Guide 145 Figure 81 REGISTRATION > Service The following table describes the labels in this screen. Table 26 REGISTRATION > Service LABEL DESCRIPTION Service Management Service This field displays the service name available on the ZyWALL. Status This field displays whether [...]

  • Page 146

    Chapter 6 Registration Screens ZyWALL 5/35/70 Series User’s Guide 146[...]

  • Page 147

    147 PART II Network LAN Screens (149) Bridge Screens (161) WAN Screens (169) DMZ Screens (207) WLAN Screens (219) Wireless Screens (229)[...]

  • Page 148

    148[...]

  • Page 149

    ZyWALL 5/35/70 Series User’s Guide 149 CHAPTER 7 LAN Screens 7.1 Overview A network is a shared communication system to which many computers are attached. The Local Area Network (LAN) includes the computers and networking devices in your home or office that you connect to the ZyWALL’s LAN ports. The Wide Area Network (WAN) is another[...]

  • Page 150

    Chapter 7 LAN Screens ZyWALL 5/35/70 Series User’s Guide 150 • Use the IP Alias screen (Section 7.4 on page 156) to configure IP alias settings on the ZyWALL’s LAN ports. • Use the Port Roles screen (Section 7.5 on page 158) to configure LAN ports on the ZyWALL. The Port Roles screen is available on the ZyWALL 5 and ZyWALL 35. 7[...]

  • Page 151

    Chapter 7 LAN Screens ZyWALL 5/35/70 Series User’s Guide 151 Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Addr[...]

  • Page 152

    Chapter 7 LAN Screens ZyWALL 5/35/70 Series User’s Guide 152 Multicast Traditionally, IP packets are transmitted in one of either two ways - Unicast (1 sender - 1 recipient) or Broadcast (1 sender - everybody on the network). Multicast delivers IP packets to a group of hosts on the network - not everybody and not just 1. IGMP (Internet Group M[...]

  • Page 153

    Chapter 7 LAN Screens ZyWALL 5/35/70 Series User’s Guide 153 Figure 83 NETWORK > LAN The following table describes the labels in this screen. Table 27 NETWORK > LAN LABEL DESCRIPTION LAN TCP/IP IP Address Type the IP address of your ZyWALL in dotted decimal notation. 192.168.1.1 is the factory default. Alternatively, click the right mou[...]

  • Page 154

    Chapter 7 LAN Screens ZyWALL 5/35/70 Series User’s Guide 154 RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks[...]

  • Page 155

    Chapter 7 LAN Screens ZyWALL 5/35/70 Series User’s Guide 155 7.3 The LAN Static DHCP Screen This table allows you to assign IP addresses on the LAN to specific individual computers based on their MAC addresses. To change your ZyWALL’s static DHCP settings, click NETWORK > LAN > Static DHCP. The screen appears as shown. Windows[...]

  • Page 156

    Chapter 7 LAN Screens ZyWALL 5/35/70 Series User’s Guide 156 Figure 84 NETWORK > LAN > Static DHCP The following table describes the labels in this screen. 7.4 The LAN IP Alias Screen IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. Table 28 NETWORK > LAN > Stati[...]

  • Page 157

    Chapter 7 LAN Screens ZyWALL 5/35/70 Series User’s Guide 157 The ZyWALL has a single LAN interface. Even though more than one of ports 1~4 may be in the LAN port role, they are all still part of a single physical Ethernet interface and all use the same IP address. The ZyWALL supports three logical LAN interfaces via its single physical LAN[...]

  • Page 158

    Chapter 7 LAN Screens ZyWALL 5/35/70 Series User’s Guide 158 The following table describes the labels in this screen. 7.5 The LAN Port Roles Screen Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Ports 1~4 on the ZyWALL 5 and ZyWALL 35 ports can be part of the LAN, DMZ or WLAN interface. The ZyWALL 70 ha[...]

  • Page 159

    Chapter 7 LAN Screens ZyWALL 5/35/70 Series User’s Guide 159 The radio buttons correspond to Ethernet ports on the front panel of the ZyWALL. On the ZyWALL 70, ports 1 to 4 are all DMZ ports by default. On the ZyWALL 5 or ZyWALL 35, ports 1 to 4 are all LAN ports by default. Your changes are also reflected in the DMZ Port Roles and W[...]

  • Page 160

    Chapter 7 LAN Screens ZyWALL 5/35/70 Series User’s Guide 160[...]

  • Page 161

    ZyWALL 5/35/70 Series User’s Guide 161 CHAPTER 8 Bridge Screens 8.1 Overview The ZyWALL can act as a bridge between a switch and a wired LAN or between two routers. This chapter describes how to configure bridge settings. This chapter is only applicable when the ZyWALL is in bridge mode. In bridge mode, the ZyWALL functions as a transparen[...]

  • Page 162

    Chapter 8 Bridge Screens ZyWALL 5/35/70 Series User’s Guide 162 8.1.2 What You Need To Know About Bridging Bridge Loop Be careful to avoid bridge loops when you enable bridging in the ZyWALL. Bridge loops cause broadcast traffic to circle the network endlessly, resulting in possible throughput degradation and disruption of communicatio[...]

  • Page 163

    Chapter 8 Bridge Screens ZyWALL 5/35/70 Series User’s Guide 163 8.2 The Bridge Screen Select Bridge and click Apply in the MAINTENANCE > Device Mode screen to have the ZyWALL function as a bridge. You can use the firewall and VPN in bridge mode. See the user’s guide for a list of other features that are available in bridge mode. Click N[...]

  • Page 164

    Chapter 8 Bridge Screens ZyWALL 5/35/70 Series User’s Guide 164 8.3 The Bridge Port Roles Screen Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Ports 1~4 on the ZyWALL 5 and ZyWALL 35 ports can be part of the LAN, DMZ or WLAN interface. The ZyWALL 70 has a separate (dedicated) LAN port, so ports 1~[...]

  • Page 165

    Chapter 8 Bridge Screens ZyWALL 5/35/70 Series User’s Guide 165 The radio buttons correspond to Ethernet ports on the front panel of the ZyWALL. On the ZyWALL 70, ports 1 to 4 are all DMZ ports by default. On the ZyWALL 5 or ZyWALL 35, ports 1 to 4 are all LAN ports by default. Figure 93 NETWORK > Bridge > Port Roles The following tabl[...]

  • Page 166

    Chapter 8 Bridge Screens ZyWALL 5/35/70 Series User’s Guide 166 8.4 Bridge Technical Reference STP Terminology The root bridge is the base of the spanning tree. Path cost is the cost of transmitting a frame from the root bridge to that port. It is assigned according to the speed of the link to which a port is attached. The slower the medi[...]

  • Page 167

    Chapter 8 Bridge Screens ZyWALL 5/35/70 Series User’s Guide 167 STP Port States STP assigns five port states (see next table) to eliminate packet looping. A bridge port is not allowed to go directly from blocking state to forwarding state so as to eliminate transient loops. Table 34 STP Port States PORT STATE DESCRIPTION Disabled STP is disab[...]

  • Page 168

    Chapter 8 Bridge Screens ZyWALL 5/35/70 Series User’s Guide 168[...]

  • Page 169

    ZyWALL 5/35/70 Series User’s Guide 169 CHAPTER 9 WAN Screens 9.1 Overview This chapter discusses the ZyWALL’s WAN screens. Use these screens to configure your ZyWALL for Internet access. A WAN (Wide Area Network) connection is an outside connection to another network or the Internet. It connects your private networks (such as a LAN ([...]

  • Page 170

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 170 9.1.1 What You Can Do in the WAN Screens • Use the General screen (Section 9.2 on page 172) to configure load balancing, route priority, and connection test settings for the ZyWALL. • Use the WAN 1 and 2 screens (Section 9.3 on page 182) to configure the WAN1 and WAN2 i[...]

  • Page 171

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 171 You can use policy routing to specify the WAN interface that specific services go through. An ISP may give traffic from certain (more expensive) connections priority over the traffic from other accounts. You could route delay intolerant traffic (like voice over IP calls) throu[...]

  • Page 172

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 172 Let's say that you have the WAN operation mode set to active/passive, meaning the ZyWALL uses the second highest priority WAN interface as a back up. The WAN 1 route has a metric of "2", the WAN 2 route has a metric of "3", the traffic-redirect route has a met[...]

  • Page 173

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 173 Figure 97 Incorrect WAN IP 1 LAN user A wants to download a file from a remote server on the Internet. The ZyWALL is using active/active load balancing and sends the request to an update server (B) through WAN 1. 2 Update server B sends a file list to LAN user A. The download [...]

  • Page 174

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 174 Figure 98 NETWORK > WAN > General[...]

  • Page 175

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 175 The following table describes the labels in this screen. Table 35 NETWORK > WAN > General LABEL DESCRIPTION Active/Passive (Fail Over) Mode Select the Active/Passive (fail over) operation mode to have the ZyWALL use the second highest priority WAN interface as a back up. This m[...]

  • Page 176

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 176 Check Fail Tolerance Type how many WAN connection checks can fail (1-10) before the connection is considered "down" (not connected). The ZyWALL still checks a "down" connection to detect if it reconnects. Check WAN1/2 Connectivity Select the check box t[...]

  • Page 177

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 177 9.2.2 Configuring Load Balancing To configure load balancing on the ZyWALL, click NETWORK > WAN in the navigation panel. The WAN General screen displays by default. Select Active/Active Mode under Operation Mode to enable load balancing on the ZyWALL. The WAN Gener[...]

  • Page 178

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 178 Since WAN 2 has a smaller load balancing index (meaning that it is less utilized than WAN 1), the ZyWALL will send the subsequent new session traffic through WAN 2. Example 2 This example uses the same network scenario as in Figure 99 on page 177, but uses both the outbound and inb[...]

  • Page 179

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 179 The following table describes the related fields in this screen. 9.2.4 Weighted Round Robin Round Robin routes traffic on a rotating basis and is activated only when a WAN interface has more traffic than the configured available bandwidth. On the ZyWALL with two WAN interfaces[...]

  • Page 180

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 180 Figure 101 Weighted Round Robin Algorithm Example To load balance using the weighted round robin method, select Weighted Round Robin in the Load Balancing Algorithm field. Figure 102 Load Balancing: Weighted Round Robin The following table describes the related fields in this scr[...]

  • Page 181

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 181 In cases where the primary WAN interface uses an unlimited access Internet connection and the secondary WAN uses a per-use timed access plan, the ZyWALL will only use the secondary WAN interface when the traffic load reaches the upper threshold on the primary WAN interface. Th[...]

  • Page 182

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 182 9.3 The WAN1 and WAN2 Screen To change your ZyWALL's WAN ISP, IP and MAC settings, click NETWORK > WAN and then the WAN > WAN 1 or WAN 2 (on a ZyWALL with two WAN Ethernet interfaces). The screen differs by the encapsulation. " The WAN 1 and WAN 2 IP add[...]

  • Page 183

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 183 " Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Add[...]

  • Page 184

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 184 Figure 105 NETWORK > WAN > WAN (Ethernet Encapsulation) The following table describes the labels in this screen. Table 42 NETWORK > WAN > WAN (Ethernet Encapsulation) LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation You must choose the Ethernet option[...]

  • Page 185

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 185 Login Server IP Address Type the authentication server IP address here if your ISP gave you one. This field is not available for Telia Login. Login Server (Telia Login only) Type the domain name of the Telia login server, for example login1.telia.com. Relogin Every(min) (Telia[...]

  • Page 186

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 186 9.3.2 PPPoE Encapsulation The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (DSL, cable, wireless, etc.) connection. The PPPoE option is for a dial-up conne[...]

  • Page 187

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 187 Figure 106 NETWORK > WAN > WAN (PPPoE Encapsulation) The following table describes the labels in this screen. Table 43 NETWORK > WAN > WAN (PPPoE Encapsulation) LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Select PPPoE for a dial-up connection usi[...]

  • Page 188

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 188 Nailed-Up Select Nailed-Up if you do not want the connection to time out. Idle Timeout This value specifies the time in seconds that elapses before the ZyWALL automatically disconnects from the PPPoE server. WAN IP Address Assignment Get automatically from ISP Select this option If[...]

  • Page 189

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 189 9.3.3 PPTP Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol a[...]

  • Page 190

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 190 Figure 107 NETWORK > WAN > WAN (PPTP Encapsulation) The following table describes the labels in this screen. Table 44 NETWORK > WAN > WAN (PPTP Encapsulation) LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Set the encapsulation method to PPTP. The [...]

  • Page 191

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 191 Authentication Type The ZyWALL supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). CHAP is more secure than PAP; however, PAP is readily available on more platforms. Use the drop-down list box to select an authentication [...]

  • Page 192

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 192 9.4 The 3G (WAN2) Screen Use this screen to configure your 3G (WAN2) settings. After you insert a 3G card in the ZyWALL 5, the 3G connection becomes WAN 2. Refer to Section 55.1 on page 773 for the type of 3G cards that you can use in the ZyWALL along with the corresponding suppo[...]

  • Page 193

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 193 " The actual data rate you obtain varies depending on the 3G card you use, the signal strength to the service provider’s base station, and so on. If the signal strength of a 3G network is too low, the 3G card may switch to an available 2.5G or 2.75G network. Refer to Section[...]

  • Page 194

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 194 Figure 108 NETWORK > WAN > 3G (WAN 2) The following table describes the labels in this screen. Table 45 NETWORK > WAN > 3G (WAN 2) LABEL DESCRIPTION Enable Select this option to enable WAN 2. 3G Card Configuration The fields below display only when you enable WAN 2. 3G [...]

  • Page 195

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 195 Network Type Select the type of the network (UMTS/HSDPA only, GPRS/EDGE only, GSM all or WCDMA all) to which you want the card to connect. See Table 49 on page 204 for more information. Otherwise, select Automatically to have the card connect to an available network using the d[...]

  • Page 196

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 196 Idle Timeout This value specifies the time in seconds that elapses before the ZyWALL automatically disconnects from the ISP. WAN IP Address Assignment Get automatically from ISP Select this option if your ISP did not assign you a fixed IP address. This is the default selection. Use[...]

  • Page 197

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 197 9.5 The Traffic Redirect Screen Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the ZyWALL still provides firewall protection for the LAN. Figure [...]

  • Page 198

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 198 Figure 110 Traffic Redirect LAN Setup 9.6 Configuring the Traffic Redirect Screen To change your ZyWALL’s traffic redirect settings, click NETWORK > WAN > Traffic Redirect. The screen appears as shown. " For the ZyWALL 5, if the traffic redirect feature does not[...]

  • Page 199

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 199 9.7 The Dial Backup Screen Click NETWORK > WAN > Dial Backup to display the Dial Backup screen. Use this screen to configure the backup WAN dial-up connection. Not all fields are available on all models. Figure 112 NETWORK > WAN > Dial Backup[...]

  • Page 200

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 200 The following table describes the labels in this screen. Table 47 NETWORK > WAN > Dial Backup LABEL DESCRIPTION Dial Backup Setup Enable Dial Backup Select this check box to turn on dial backup. Basic Settings Login Name Type the login name assigned by your ISP. Password Type[...]

  • Page 201

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 201 9.7.1 The Advanced Modem Setup Screen Click the Edit button in the Dial Backup screen to display the Advanced Setup screen. Use this screen to configure your advanced modem setup settings for the Dial Backup screen. RIP Version The RIP Version field controls the format and the bro[...]

  • Page 202

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 202 AT Command Strings For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing. ATDT is the command for a switch that requires tone dialing. If your switch requires pulse dialing, change the string to ATDP. For ISDN lines, there are many mo[...]

  • Page 203

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 203 Figure 113 NETWORK > WAN > Dial Backup > Edit The following table describes the labels in this screen. Table 48 NETWORK > WAN > Dial Backup > Edit LABEL DESCRIPTION AT Command Strings Dial Type the AT Command string to make a call. Drop Type the AT Command[...]

  • Page 204

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 204 9.8 WAN Technical Reference 3G Comparison Table See the following table for a comparison between 2G, 2.5G, 2.75G and 3G wireless technologies. Retry Interval (sec) Type a number of seconds for the ZyWALL to wait before trying another call after a call has failed. This applies be[...]

  • Page 205

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 205 A. The International Telecommunication Union (ITU) is an international organization within which governments and the private sector coordinate global telecom networks and services.[...]

  • Page 206

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 206[...]

  • Page 207

    ZyWALL 5/35/70 Series User’s Guide 207 CHAPTER 10 DMZ Screens 10.1 Overview The DeMilitarized Zone (DMZ) provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death). These public servers can also still b[...]

  • Page 208

    Chapter 10 DMZ Screens ZyWALL 5/35/70 Series User’s Guide 208 10.1.2 What You Need To Know About DMZ DMZ and Security It is highly recommended that you connect all of your public servers to the DMZ port(s). It is also highly recommended that you keep all sensitive information off of the public servers connected to the DMZ port. Store sens[...]

  • Page 209

    Chapter 10 DMZ Screens ZyWALL 5/35/70 Series User’s Guide 209 Figure 115 DMZ Public Address Example 10.1.4 DMZ Private and Public IP Address Example The following figure shows a network setup with both private and public IP addresses on the DMZ. Lower case letters represent public IP addresses (like a.b.c.d for example). The LAN port and conne[...]

  • Page 210

    Chapter 10 DMZ Screens ZyWALL 5/35/70 Series User’s Guide 210 Figure 116 DMZ Private and Public Address Example 10.2 The DMZ Screen Use this screen to configure TCP/IP, DHCP, IP/MAC binding and NetBIOS settings on the DMZ. The DMZ and the connected computers can have private or public IP addresses. When the DMZ uses public IP addresses, t[...]

  • Page 211

    Chapter 10 DMZ Screens ZyWALL 5/35/70 Series User’s Guide 211 Figure 117 NETWORK > DMZ The following table describes the labels in this screen. Table 50 NETWORK > DMZ LABEL DESCRIPTION DMZ TCP/IP IP Address Type the IP address of your ZyWALL’s DMZ port in dotted decimal notation. Note: Make sure the IP addresses of the LAN, WAN, WLA[...]

  • Page 212

    Chapter 10 DMZ Screens ZyWALL 5/35/70 Series User’s Guide 212 RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most netwo[...]

  • Page 213

    Chapter 10 DMZ Screens ZyWALL 5/35/70 Series User’s Guide 213 10.3 The Static DHCP Screen This table allows you to assign IP addresses on the DMZ to specific individual computers based on their MAC Addresses. To change your ZyWALL’s static DHCP settings on the DMZ, click NETWORK > DMZ > Static DHCP. The screen appears as show[...]

  • Page 214

    Chapter 10 DMZ Screens ZyWALL 5/35/70 Series User’s Guide 214 Figure 118 NETWORK > DMZ > Static DHCP The following table describes the labels in this screen. 10.4 The IP Alias Screen Configure IP alias settings to partition a physical network into different logical networks over the same Ethernet interface. See Section 7.4 on page 156[...]

  • Page 215

    Chapter 10 DMZ Screens ZyWALL 5/35/70 Series User’s Guide 215 To change your ZyWALL’s IP alias settings, click NETWORK > DMZ > IP Alias. The screen appears as shown. Figure 119 NETWORK > DMZ > IP Alias The following table describes the labels in this screen. Table 52 NETWORK > DMZ > IP Alias LABEL DESCRIPTION Enable IP [...]

  • Page 216

    Chapter 10 DMZ Screens ZyWALL 5/35/70 Series User’s Guide 216 10.5 The DMZ Port Roles Screen Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. See Section 7.5 on page 158 for more information on port roles. To change your ZyWALL’s port role settings, click NETWORK > DMZ > Port Roles. The screen[...]

  • Page 217

    Chapter 10 DMZ Screens ZyWALL 5/35/70 Series User’s Guide 217[...]

  • Page 218

    Chapter 10 DMZ Screens ZyWALL 5/35/70 Series User’s Guide 218[...]

  • Page 219

    ZyWALL 5/35/70 Series User’s Guide 219 CHAPTER 11 WLAN Screens 11.1 Overview A wireless LAN can be as simple as two computers with wireless LAN adapters communicating in a peer-to-peer network or as complex as a number of computers with wireless LAN adapters communicating through access points which bridge network traffic to the wired LAN. T [...]

  • Page 220

    Chapter 11 WLAN Screens ZyWALL 5/35/70 Series User’s Guide 220 • Use the Port Roles screen (Section 11.5 on page 226) to set a port to be part of the WLAN and connect an Access Point (AP) to the WLAN interface to extend the ZyWALL’s wireless LAN coverage. 11.1.2 What You Need to Know About WLAN DHCP See Section 7.1.2 on page 150 for [...]

  • Page 221

    Chapter 11 WLAN Screens ZyWALL 5/35/70 Series User’s Guide 221 Figure 122 NETWORK > WLAN The following table describes the labels in this screen. Table 54 NETWORK > WLAN LABEL DESCRIPTION WLAN TCP/IP IP Address Type the IP address of your ZyWALL’s WLAN interface in dotted decimal notation. Alternatively, click the right mouse button[...]

  • Page 222

    Chapter 11 WLAN Screens ZyWALL 5/35/70 Series User’s Guide 222 RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most netwo[...]

  • Page 223

    Chapter 11 WLAN Screens ZyWALL 5/35/70 Series User’s Guide 223 11.3 WLAN Static DHCP This table allows you to assign IP addresses on the WLAN to specific individual computers based on their MAC addresses. To change your ZyWALL’s WLAN static DHCP settings, click NETWORK > WLAN > Static DHCP. The screen appears as shown. Window[...]

  • Page 224

    Chapter 11 WLAN Screens ZyWALL 5/35/70 Series User’s Guide 224 Figure 123 NETWORK > WLAN > Static DHCP The following table describes the labels in this screen. 11.4 WLAN IP Alias IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. See Section 7.4 on page 156 for more in[...]

  • Page 225

    Chapter 11 WLAN Screens ZyWALL 5/35/70 Series User’s Guide 225 To change your ZyWALL’s IP alias settings, click NETWORK > WLAN > IP Alias. The screen appears as shown. Figure 124 NETWORK > WLAN > IP Alias The following table describes the labels in this screen. Table 56 NETWORK > WLAN > IP Alias LABEL DESCRIPTION Enable I[...]

  • Page 226

    Chapter 11 WLAN Screens ZyWALL 5/35/70 Series User’s Guide 226 11.5 WLAN Port Roles Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Connect wireless LAN Access Points (APs) to WLAN interfaces to extend the ZyWALL’s wireless LAN coverage. The WLAN port role allows the ZyWALL’s firewall to treat tr[...]

  • Page 227

    Chapter 11 WLAN Screens ZyWALL 5/35/70 Series User’s Guide 227 Figure 126 NETWORK > WLAN > Port Roles The following table describes the labels in this screen. After you change the LAN/DMZ/WLAN port roles and click Apply, please wait for a few seconds until the following screen appears. Click Return to go back to the Port Roles screen. Figure[...]

  • Page 228

    Chapter 11 WLAN Screens ZyWALL 5/35/70 Series User’s Guide 228[...]

  • Page 229

    ZyWALL 5/35/70 Series User’s Guide 229 CHAPTER 12 Wireless Screens 12.1 Overview In this section you can enable your wireless card and configure wireless security. You can configure the ZyWALL to use data encryption and user authentication methods to help protect data transmitted on your network and to ensure only devices with permission t[...]

  • Page 230

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 230 The figure below shows the possible wireless security levels on your ZyWALL. Figure 129 ZyWALL Wireless Security Levels If you do not enable any wireless security on your ZyWALL, your network is accessible to any wireless networking device that is within range. ESSID ESSID [...]

  • Page 231

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 231 • An optional network RADIUS server for remote user authentication and accounting. EAP Authentication EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE 802.1x transport mechanism in order to support multiple types of user [...]

  • Page 232

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 232 Finding Out More • See Section 12.4 on page 244 for technical details on wireless security. 12.2 Wireless Card The wireless card provides wireless functionality to your ZyWALL. " Turn the ZyWALL off before you install or remove the wireless LAN card. See the product[...]

  • Page 233

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 233 The following table describes the labels in this screen. Table 58 WIRELESS > Wi-Fi > Wireless Card: No Security LABEL DESCRIPTION Enable Wireless Card The wireless LAN through a wireless LAN card is turned off by default, before you enable the wireless LAN you should con[...]

  • Page 234

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 234 12.2.1 Static WEP Static WEP provides a mechanism for encrypting data using encryption keys. Both the AP and the wireless stations must use the same WEP key to encrypt and decrypt data. Your ZyWALL allows you to configure up to four 64-bit or 128-bit WEP keys, but only on[...]

  • Page 235

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 235 Figure 131 WIRELESS > Wi-Fi > Wireless Card: Static WEP The following table describes the wireless LAN security labels in this screen. 12.2.2 WPA-PSK Click WIRELESS > Wi-Fi > Wireless Card to display the Wireless Card screen. Select WPA-PSK from the Security[...]

  • Page 236

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 236 Figure 132 WIRELESS > Wi-Fi > Wireless Card: WPA-PSK The following wireless LAN security fields become available when you select WPA-PSK in the Security drop down list-box. Table 60 WIRELESS > Wi-Fi > Wireless Card: WPA-PSK LABEL DESCRIPTION Security Select WP[...]

  • Page 237

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 237 12.2.3 WPA Click WIRELESS > Wi-Fi > Wireless Card to display the Wireless Card screen. Select WPA from the Security list. Figure 133 WIRELESS > Wi-Fi > Wireless Card: WPA The following wireless LAN security fields become available when you select WPA in the [...]

  • Page 238

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 238 12.2.4 IEEE 802.1x + Dynamic WEP Click WIRELESS > Wi-Fi > Wireless Card to display the Wireless Card screen. Select 802.1x + Dynamic WEP from the Security list. Figure 134 WIRELESS > Wi-Fi > Wireless Card: 802.1x + Dynamic WEP The following wireless LAN securit[...]

  • Page 239

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 239 12.2.5 IEEE 802.1x + Static WEP Click WIRELESS > Wi-Fi > Wireless Card to display the Wireless Card screen. Select 802.1x + Static WEP from the Security list. Figure 135 WIRELESS > Wi-Fi > Wireless Card: 802.1x + Static WEP The following wireless LAN security [...]

  • Page 240

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 240 12.2.6 IEEE 802.1x + No WEP Click WIRELESS > Wi-Fi > Wireless Card to display the Wireless Card screen. Select 802.1x + No WEP from the Security list. Key 1 to Key 4 If you chose 64-bit WEP in the WEP Encryption field, then enter any 5 characters (ASCII string) or 10[...]

  • Page 241

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 241 Figure 136 WIRELESS > Wi-Fi > Wireless Card: 802.1x + No WEP The following wireless LAN security fields become available when you select 802.1x + No WEP in the Security drop down list-box. 12.2.7 No Access 802.1x + Static WEP Click WIRELESS > Wi-Fi > Wireless Car[...]

  • Page 242

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 242 Figure 137 WIRELESS > Wi-Fi > Wireless Card: No Access 802.1x + Static WEP The following wireless LAN security fields become available when you select No Access 802.1x + Static WEP in the Security drop down list-box. 12.2.8 No Access 802.1x + No WEP Click the NETWORK &[...]

  • Page 243

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 243 12.3 MAC Filter The MAC filter screen allows you to configure the ZyWALL to give exclusive access to specific devices (Allow Association) or exclude specific devices from accessing the ZyWALL (Deny Association). You need to know the MAC addresses of the devices to confi[...]

  • Page 244

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 244 12.4 Technical Reference IRADIUS RADIUS user is a simple package exchange in which your ZyWALL acts as a message relay between the wireless station and the network RADIUS server. See RFC 2138 and RFC 2139 for more on RADIUS. Types of RADIUS Messages The following types of RA[...]

  • Page 245

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 245 Figure 139 EAP Authentication The details below provide a general description of how IEEE 802.1x EAP authentication works. • The wireless station sends a start message to the ZyWALL. • The ZyWALL sends a request identity message to the wireless station for identity infor[...]

  • Page 246

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 246 The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not ma[...]

  • Page 247

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 247 2 The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly. 3 The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the[...]

  • Page 248

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 248[...]

  • Page 249

    249 PART III Security Firewall Screens (251) Intrusion Detection and Prevention (IDP) Screens (277) Anti-Virus Screens (299) Anti-Spam Screens (313) Content Filtering Screens (327) Content Filtering Reports (349) IPSec VPN (357) Certificates (399) Authentication Server Screens (427)[...]

  • Page 250

    250[...]

  • Page 251

    ZyWALL 5/35/70 Series User’s Guide 251 CHAPTER 13 Firewall Screens This chapter shows you how to configure your ZyWALL’s firewall. 13.1 Overview A firewall is a system that enforces an access-control policy between two networks. It is generally a mechanism used to protect a trusted network from an untrusted network. The ZyWALL physica[...]

  • Page 252

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 252 13.1.1 What You Can Do Using the Firewall Screens • Use the Default Rule screens (Section 13.4 on page 256) to configure general firewall settings when the ZyWALL is set to router mode or bridge mode. • Use the Rule Summary screens (Section 13.5 on page 259) to config[...]

  • Page 253

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 253 Figure 143 Blocking All LAN to WAN IRC Traffic Example Your firewall would have the following configuration. • The first row blocks LAN access to the IRC service on the WAN. • The second row is the firewall’s default policy that allows all traffic from the LAN to go to[...]

  • Page 254

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 254 Figure 144 Limited LAN to WAN IRC Traffic Example Your firewall would have the following configuration. • The first row allows the LAN computer at IP address 192.168.1.7 to access the IRC service on the WAN. • The second row blocks LAN access to the IRC service on the [...]

  • Page 255

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 255 Figure 145 SECURITY > FIREWALL > Default Rule (Router Mode) The following table describes the labels in this screen. Table 69 SECURITY > FIREWALL > Default Rule (Router Mode) LABEL DESCRIPTION 0-100% This bar displays the percentage of the ZyWALL’s firewall r[...]

  • Page 256

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 256 13.4 The Firewall Default Rule (Bridge Mode) Screen Click SECURITY > FIREWALL to open the Default Rule screen. Use this screen to configure general firewall settings when the ZyWALL is in Bridge mode. From, To The firewall rules are grouped by the direction of packet tra[...]

  • Page 257

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 257 Figure 146 SECURITY > FIREWALL > Default Rule (Bridge Mode) The following table describes the labels in this screen. Table 70 SECURITY > FIREWALL > Default Rule (Bridge Mode) LABEL DESCRIPTION 0-100% This bar displays the percentage of the ZyWALL’s firewall rul[...]

  • Page 258

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 258 From, To The firewall rules are grouped by the direction of packet travel. The number of rules for each packet direction displays. Click Edit to go to a summary screen of the rules for that packet direction. Here are some example descriptions of the directions of travel. Fro[...]

  • Page 259

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 259 13.5 The Firewall Rule Summary Screen Click SECURITY > FIREWALL > Rule Summary to open the screen. This screen displays a list of the configured firewall rules. " The ordering of your rules is very important as rules are applied in the order that they are listed. See[...]

  • Page 260

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 260 13.5.1 The Firewall Edit Rule Screen In the Rule Summary screen, click the edit icon or the insert icon to display the Firewall Edit Rule screen. Use this screen to create or edit a firewall rule. Refer to the following table for information on the labels. See Section 13.1 on[...]

  • Page 261

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 261 Figure 148 SECURITY > FIREWALL > Rule Summary > Edit[...]

  • Page 262

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 262 The following table describes the labels in this screen. Table 72 SECURITY > FIREWALL > Rule Summary > Edit LABEL DESCRIPTION Rule Name Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the firewall rule. Spaces ar[...]

  • Page 263

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 263 13.6 The Anti-Probing Screen Click SECURITY > FIREWALL > Anti-Probing to open the following screen. Configure this screen to help keep the ZyWALL hidden from probing attempts. You can specify which of the ZyWALL’s interfaces will respond to Ping requests and whet[...]

  • Page 264

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 264 The following table describes the labels in this screen. 13.7 The Firewall Thresholds Screen For DoS attacks, the ZyWALL uses thresholds to determine when to start dropping sessions that do not become fully established (half-open sessions). These thresholds apply globally to[...]

  • Page 265

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 265 The following table describes the labels in this screen. Table 74 SECURITY > FIREWALL > Threshold LABEL DESCRIPTION Disable DoS Attack Protection on Select the check boxes of any interfaces (or all VPN tunnels) for which you want the ZyWALL to not use the Denial of Serv[...]

  • Page 266

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 266 13.8 The Firewall Services Screen Click SECURITY > FIREWALL > Service to open the screen as shown next. Use this screen to configure custom services for use in firewall rules or view the services that are predefined in the ZyWALL. Figure 151 SECURITY > FIREWALL >[...]

  • Page 267

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 267 13.8.1 The Firewall Edit Custom Service Screen Click SECURITY > FIREWALL > Service > Add to display the following screen. Use this screen to configure a custom service entry that is not predefined in the ZyWALL. See Appendix B on page 783 for a list of commonly used se[...]

  • Page 268

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 268 13.8.2 My Service Firewall Rule Example The following Internet firewall rule example allows a hypothetical My Service connection from the Internet. 1 In the Service screen, click Add to open the Edit Custom Service screen. Figure 153 My Service Firewall Rule Example: Service[...]

  • Page 269

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 269 Figure 155 My Service Firewall Rule Example: Rule Summary 6 Enter the name of the firewall rule. 7 Select Any in the Destination Address(es) box and then click Delete. 8 Configure the destination address fields as follows and click Add. Figure 156 My Service Firewall Rule Examp[...]

  • Page 270

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 270 Figure 157 My Service Firewall Rule Example: Rule Configuration[...]

  • Page 271

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 271 Rule 1 allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN. Figure 158 My Service Firewall Rule Example: Rule Summary 13.9 Technical Reference This technical reference contains the following sections: • Packet Direction Examples [...]

  • Page 272

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 272 By default, the ZyWALL drops packets traveling in the following directions. See Chapter 5 on page 109 for information about packets traveling to or from the VPN tunnels. To VPN Packet Direction The ZyWALL can apply firewall rules to traffic before encrypting it to send th[...]

  • Page 273

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 273 Figure 159 From LAN to VPN Example From VPN Packet Direction You can also apply firewall rules to traffic that comes in through the ZyWALL’s VPN tunnels. The ZyWALL decrypts the VPN traffic and then applies the firewall rules. From VPN means traffic that came into the Zy[...]

  • Page 274

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 274 From VPN To VPN Packet Direction From VPN To VPN firewall rules apply to traffic that comes in through one of the ZyWALL’s VPN tunnels and terminates at the ZyWALL (like for remote management) or goes out through another of the ZyWALL’s VPN tunnels (this is called [...]

  • Page 275

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 275 3 The reply from the WAN goes to the ZyWALL. 4 The ZyWALL then sends it to the computer on the LAN in Subnet 1. Figure 162 Using IP Alias to Solve the Triangle Route Problem DoS Thresholds For TCP, half-open means that the session has not reached the established state-the [...]

  • Page 276

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 276 1 The maximum number of opened sessions. 2 The minimum capacity of server backlog in your LAN network. 3 The CPU power of servers in your LAN network. 4 Network bandwidth. 5 Type of traffic for certain servers. Reduce the threshold values if your network is slower than aver[...]

  • Page 277

    ZyWALL 5/35/70 Series User’s Guide 277 CHAPTER 14 Intrusion Detection and Prevention (IDP) Screens 14.1 Overview An IDP system can detect malicious or suspicious packets and respond instantaneously. It can detect anomalies based on violations of protocol standards (RFCs – Requests for Comments) or traffic flows and abnormal flows such as p[...]

  • Page 278

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 278 • Use the Update screen (Section 14.5 on page 291) to immediately download or schedule new signature downloads. • Use the Backup & Restore screen (Section 14.6 on page 293) to back up IDP signatures with your custom configured setting[...]

  • Page 279

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 279 Finding out More See Section 14.7 on page 294 for more detailed information on IDP. 14.1.3 Before You Begin To use IDP on the ZyWALL, you need to insert the ZyWALL Turbo Card into the rear panel slot of the ZyWALL. See the ZyWALL Turbo Card[...]

  • Page 280

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 280 The following table describes the labels in this screen. Table 77 SECURITY > IDP > General Setup LABEL DESCRIPTION General Setup Enable Intrusion Detection and Protection Select this check box to enable IDP on the ZyWALL. When this check [...]

  • Page 281

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 281 14.3 The Signatures Screen The rules that define how to identify and respond to intrusions are called “signatures”. Click SECURITY > IDP > Signatures to see the ZyWALL’s signatures. 14.3.1 Attack Types Click SECURITY > IDP >[...]

  • Page 282

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 282 14.3.2 Intrusion Severity Intrusions are assigned a severity level based on the following table. The intrusion severity level then determines the default signature action. 14.3.3 Signature Actions You can enable/disable individual signatures. You[...]

  • Page 283

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 283 14.3.4 Configuring The IDP Signatures Screen Click SECURITY > IDP > Signature to see the ZyWALL’s “group view” signature screen where you can view signatures by attack type. To search for signatures based on other criteria such as[...]

  • Page 284

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 284 14.3.5 The Query View Screen Click SECURITY > IDP > Signature to see the ZyWALL’s “group view” signature screen, then click the Switch to query view link to go to this “query view” screen. Use this screen to search for signatur[...]

  • Page 285

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 285 Figure 168 SECURITY > IDP > Signature: Query View The following table describes the fields in this screen. Table 82 SECURITY > IDP > Signature: Query View LABEL DESCRIPTION Back to group view Click this button to go to the IDP group [...]

  • Page 286

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 286 Configure Signatures The results display in a table showing the criteria as selected in the search. Click a column’s header to sort the entries by that attribute. Go To Navigate between signatures found. This field is available only if there[...]

  • Page 287

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 287 14.3.5.1 Query Example 1 1 From the “group view” signature screen, click the Switch to query view link. 1 Select Signature Search. 2 Select By Name or By ID from the list box. 3 Enter a name (complete or partial) or complete ID to display al[...]

  • Page 288

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 288 Figure 170 SECURITY > IDP > Signature: Query by Complete ID 14.3.5.2 Query Example 2 1 From the “group view” signature screen, click the Switch to query view link. 1 Select Signature Search By Attributes. 2 Select the Severity, Type [...]

  • Page 289

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 289 Figure 171 Signature Query by Attribute. 14.4 The Anomaly Screen This section introduces ADP (Anomaly Detection and Prevention). An ADP system protects against anomalies based on violations of protocol standards (RFCs – Requests for Comments) a[...]

  • Page 290

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 290 Figure 172 SECURITY > IDP > Anomaly The following table describes the labels in this screen. Table 83 SECURITY > IDP > Anomaly LABEL DESCRIPTION Protocol Anomaly HTTP Inspection/TCP Decoder/UDP Decoder/ICMP Decoder Name This is the n[...]

  • Page 291

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 291 14.5 The Update Screen The ZyWALL comes with built-in signatures. These are updated as new intrusions evolve. Use the Update screen to immediately download or schedule new signature downloads. Note: You should have already registered the ZyWA[...]

  • Page 292

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 292 14.5.2 Configuring The IDP Update Screen When scheduling signature updates, you should choose a day and time when your network is least busy so as to minimize disruption to your network. Your custom signature configurations are not over-written[...]

  • Page 293

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 293 14.6 The Backup and Restore Screen Use the Backup & Restore screen to: • Back up IDP signatures with your custom configured settings. • Restore previously saved IDP signatures (with your custom configured settings). • Revert to the factor[...]

  • Page 294

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 294 Figure 174 SECURITY > IDP > Backup & Restore To back up IDP signatures, click Backup and then choose a location and filename for the IDP configuration set. To restore previously saved IDP signatures, type in the location where the prev[...]

  • Page 295

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 295 IDS and IDP An Intrusion Detection System (IDS) can detect suspicious activity, but does not take action against attacks. On the other hand, an IDP is a proactive defense mechanism designed to detect malicious packets within normal network traffic[...]

  • Page 296

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 296 SQL Slammer Worm W32.SQLExp.Worm is a worm that targets the systems running Microsoft SQL Server 2000, as well as Microsoft Desktop Engine (MSDE) 2000. The worm sends 376 bytes to UDP port 1434, the SQL Server Resolution Service Port. The worm h[...]

  • Page 297

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 297 W32/MyDoom-A is a worm that is spread by email. When the infected attachment is launched, the worm gathers e-mail addresses from address books and from files with the following extensions: WAB, TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL. W[...]

  • Page 298

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 298[...]

  • Page 299

    ZyWALL 5/35/70 Series User’s Guide 299 CHAPTER 15 Anti-Virus Screens 15.1 Overview This section shows you how to configure the ZyWALL to scan files transmitted through the enabled interfaces into your network. As a network-based anti-virus scanner, the ZyWALL helps stop threats at the network edge before they reach the local host computers. [...]

  • Page 300

    Chapter 15 Anti-Virus Screens ZyWALL 5/35/70 Series User’s Guide 300 15.1.2 What You Need to Know About Antivirus Virus A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a self-replicating virus that resides in active memory and duplicates itself. The effect of a virus[...]

  • Page 301

    Chapter 15 Anti-Virus Screens ZyWALL 5/35/70 Series User’s Guide 301 • Simultaneous downloads of a file using multiple connections. For example, when you use FlashGet to download sections of a file simultaneously. • Encrypted traffic (such as on a VPN) or password-protected files. • Traffic through custom (non-standard) ports. • ZIP[...]

  • Page 302

    Chapter 15 Anti-Virus Screens ZyWALL 5/35/70 Series User’s Guide 302 Figure 176 SECURITY > ANTI-VIRUS > General The following table describes the labels in this screen. Table 85 SECURITY > ANTI-VIRUS > General LABEL DESCRIPTION General Setup Enable Anti-Virus Select this check box to check traffic for viruses. Enable ZIP File Sca[...]

  • Page 303

    Chapter 15 Anti-Virus Screens ZyWALL 5/35/70 Series User’s Guide 303 15.3 The Signature Screen Click SECURITY > ANTI-VIRUS > Signature to display this screen. Use this screen to locate signatures and manage how the ZyWALL uses them. Service This field displays the services for which the ZyWALL can scan traffic for viruses. Select a serv[...]

  • Page 304

    Chapter 15 Anti-Virus Screens ZyWALL 5/35/70 Series User’s Guide 304 Figure 177 SECURITY > ANTI-VIRUS > Signature: Query View The following table describes the labels in this screen. Table 86 SECURITY > ANTI-VIRUS > Signature: Query View LABEL DESCRIPTION Query Signatures Select the criteria on which to perform the search. Signat[...]

  • Page 305

    Chapter 15 Anti-Virus Screens ZyWALL 5/35/70 Series User’s Guide 305 15.3.1 Signature Search Example This example shows a search for signatures that are enabled, set to generate logs and alerts, send Windows messages and destroy the infected portion of the file. Figure 178 Query Example Search Criteria Configure Signatures The signature searc[...]

  • Page 306

    Chapter 15 Anti-Virus Screens ZyWALL 5/35/70 Series User’s Guide 306 Figure 179 Query Example Search Results 15.4 The Update Screen The ZyWALL comes with built-in signatures created by the ZyXEL Security Response Team (ZSRT). These are regularly updated as new intrusions evolve. Use the Update screen to immediately download or schedule new[...]

  • Page 307

    Chapter 15 Anti-Virus Screens ZyWALL 5/35/70 Series User’s Guide 307 15.4.1 mySecurityZone mySecurityZone is a web portal that provides all security-related information such as intrusion and anti-virus information for ZyXEL security products. You should have already registered your ZyWALL on myZyXEL.com at: http://www.myzyxel.com/myzyxel/.[...]

  • Page 308

    Chapter 15 Anti-Virus Screens ZyWALL 5/35/70 Series User’s Guide 308 The following table describes the labels in this screen. LABEL DESCRIPTION Signature Information Current Pattern Version This field displays the signatures version number currently used by the ZyWALL. This number is defined by the ZyXEL Security Response Team (ZSRT) w[...]

  • Page 309

    Chapter 15 Anti-Virus Screens ZyWALL 5/35/70 Series User’s Guide 309 15.5 The Backup and Restore Screen Click ANTI-VIRUS > Backup & Restore. The screen displays as shown next. You can change the pre-defined Active, Log, Alert, Send Windows Message and/or Destroy File settings of individual signatures. Figure 181 SECURITY > ANTI-V[...]

  • Page 310

    Chapter 15 Anti-Virus Screens ZyWALL 5/35/70 Series User’s Guide 310 15.6 Technical Reference Types of Computer Viruses The following table describes some of the common computer viruses. Computer Virus Infection and Prevention The following describes a simple life cycle of a computer virus. 1 A computer gets a copy of a virus from a source suc[...]

  • Page 311

    Chapter 15 Anti-Virus Screens ZyWALL 5/35/70 Series User’s Guide 311 A network-based anti-virus (NAV) scanner is often deployed as a dedicated security device (such as your ZyWALL) on the network edge. NAV scanners inspect real-time data traffic (such as E-mail messages or web) that tends to bypass HAV scanners. The following lists some o[...]

  • Page 312

    Chapter 15 Anti-Virus Screens ZyWALL 5/35/70 Series User’s Guide 312[...]

  • Page 313

    ZyWALL 5/35/70 Series User’s Guide 313 CHAPTER 16 Anti-Spam Screens 16.1 Overview The ZyWALL’s anti-spam feature identifies unsolicited commercial or junk e-mail (spam). You can set the ZyWALL to mark or discard spam. The ZyWALL can use an anti-spam external database to help identify spam. Use the whitelist to identify legitimate e-ma[...]

  • Page 314

    Chapter 16 Anti-Spam Screens ZyWALL 5/35/70 Series User’s Guide 314 16.1.2 What You Need to Know About Antispam MIME Headers MIME (Multipurpose Internet Mail Extensions) allows varied media types to be used in e-mail. MIME headers describe an e-mail’s content encoding and type. For example, it may show which program generated the[...]

  • Page 315

    Chapter 16 Anti-Spam Screens ZyWALL 5/35/70 Series User’s Guide 315 SpamBulk Engine The e-mail fingerprint ID that the ZyWALL generates and sends to the anti-spam external database only includes the parts of the e-mail that are the most difficult for spammers (senders of spam) to change or fake. The anti-spam external database maintains a d[...]

  • Page 316

    Chapter 16 Anti-Spam Screens ZyWALL 5/35/70 Series User’s Guide 316 The anti-spam external database checks for spoofing of e-mail attributes (like the IP address) and uses statistical analysis to detect phishing. Click SECURITY > ANTI-SPAM to open the Anti-Spam General screen. The following screen appears. Figure 183 SECURITY > ANTI-[...]

  • Page 317

    Chapter 16 Anti-Spam Screens ZyWALL 5/35/70 Series User’s Guide 317 From, To Select the directions of travel of packets that you want to check. Select or clear a row or column’s first check box (with the interface label) to select or clear the interface’s whole row or column. You could for example have the ZyWALL check packets traveling[...]

  • Page 318

    Chapter 16 Anti-Spam Screens ZyWALL 5/35/70 Series User’s Guide 318 16.3 The External DB Screen Click SECURITY > ANTI-SPAM > External DB to display the Anti-Spam External DB screen. Use this screen to enable or disable the use of the anti-spam external database. You can also configure the spam threshold and what to do when no valid[...]

  • Page 319

    Chapter 16 Anti-Spam Screens ZyWALL 5/35/70 Series User’s Guide 319 Figure 184 SECURITY > ANTI-SPAM > External DB The following table describes the labels in this screen. Table 89 SECURITY > ANTI-SPAM > External DB LABEL DESCRIPTION External Database Enable External Database Enable the anti-spam external database feature to have t[...]

  • Page 320

    Chapter 16 Anti-Spam Screens ZyWALL 5/35/70 Series User’s Guide 320 16.4 The Lists Screen Click SECURITY > ANTI-SPAM > Lists to display the Anti-Spam Lists screen. Configure the whitelist to identify legitimate e-mail. Configure the blacklist to identify spam e-mail. You can create whitelist or blacklist entries based on the sen[...]

  • Page 321

    Chapter 16 Anti-Spam Screens ZyWALL 5/35/70 Series User’s Guide 321 Figure 185 SECURITY > ANTI-SPAM > Lists The following table describes the labels in this screen. Table 90 SECURITY > ANTI-SPAM > Lists LABEL DESCRIPTION Resource Usage Whitelist & Blacklist Storage Space in Use This bar displays the percentage of the ZyWALL’[...]

  • Page 322

    Chapter 16 Anti-Spam Screens ZyWALL 5/35/70 Series User’s Guide 322 16.5 Anti-Spam Lists Edit Screen Click SECURITY > ANTI-SPAM > Lists to display the Anti-Spam Lists screen. Use this screen to configure an anti-spam whitelist entry to identify legitimate e-mail or a blacklist entry to identify spam e-mail. You can create entries b[...]

  • Page 323

    Chapter 16 Anti-Spam Screens ZyWALL 5/35/70 Series User’s Guide 323 The following table describes the labels in this screen. Table 91 SECURITY > ANTI-SPAM > Lists > Edit LABEL DESCRIPTION Rule Edit Active Turn this entry on to have the ZyWALL use it as part of the whitelist or blacklist. You must also turn on the use of the corres[...]

  • Page 324

    Chapter 16 Anti-Spam Screens ZyWALL 5/35/70 Series User’s Guide 324 16.6 Technical Reference The anti-spam external database uses the following spam detection engines in checking each e-mail. • SpamBulk: This engine identifies e-mail that has been sent in bulk or is similar to e-mail that is sent in bulk. • SpamRepute: This engine chec[...]

  • Page 325

    Chapter 16 Anti-Spam Screens ZyWALL 5/35/70 Series User’s Guide 325 SpamContent Engine The SpamContent engine examines the e-mail’s content to decide if it would generally be considered offensive. The vocabulary design, format and layout are considered as part of thousands of checks on message attributes that include the following. •T [...]

  • Page 326

    Chapter 16 Anti-Spam Screens ZyWALL 5/35/70 Series User’s Guide 326[...]

  • Page 327

    ZyWALL 5/35/70 Series User’s Guide 327 CHAPTER 17 Content Filtering Screens 17.1 Overview Content filtering allows you to block certain web features, such as cookies, and/or block access to specific websites. With content filtering, you can do the following: • Restrict web features. The ZyWALL can block web features such as ActiveX contro[...]

  • Page 328

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 328 Figure 187 Content Filtering Lookup Procedure 1 A computer behind the ZyWALL tries to access a web site. 2 The ZyWALL looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site’s category will be in th[...]

  • Page 329

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 329 Use the REGISTRATION screens (see Chapter 6 on page 141) to create a myZyXEL.com account, register your device and activate the external content filtering service. Figure 188 SECURITY > CONTENT FILTER > General The following table describes the labels in this scr[...]

  • Page 330

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 330 Matched Web Pages Select Block to prevent users from accessing web pages that match the categories that you select below. When external database content filtering blocks access to a web page, it displays the denied access message that you configured in the CONTENT [...]

  • Page 331

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 331 17.3 The Policy Screen Click SECURITY > CONTENT FILTER > Policy to display the following screen. Use this screen to configure content filtering policies on your ZyWALL. You may find that a web site has not been accurately categorized or that a web site’s c[...]

  • Page 332

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 332 The following table describes the labels in this screen. 17.4 Content Filter Policy: General Click SECURITY > CONTENT FILTER > Policy and use the Insert button or a policy’s general icon to display the following screen. Use this screen to restrict web feature[...]

  • Page 333

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 333 Figure 190 SECURITY > CONTENT FILTER > Policy > General The following table describes the labels in this screen. Table 94 SECURITY > CONTENT FILTER > Policy > General LABEL DESCRIPTION Active Select this option to turn on the content filter policy. P[...]

  • Page 334

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 334 17.5 Content Filter Policy: External Database Click SECURITY > CONTENT FILTER > Policy and then a policy’s external database icon to display the following screen. Use this screen to edit which content categories the content filter policy blocks. Figure 191 S[...]

  • Page 335

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 335 The following table describes the labels in this screen. Table 95 SECURITY > CONTENT FILTER > Policy > External Database LABEL DESCRIPTION Policy Name This is the name of the content filter policy that you are configuring. Active Select this option to apply ca[...]

  • Page 336

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 336 Gambling Selecting this category excludes pages where a user can place a bet or participate in a betting pool (including lotteries) online. It also includes pages that provide information, assistance, recommendations, or training on placing bets or participating in game[...]

  • Page 337

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 337 Education Selecting this category excludes pages that offer educational information, distance learning and trade school information or programs. It also includes pages that are sponsored by schools, educational facilities, faculty, or alumni groups. Cultural/Charitable O[...]

  • Page 338

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 338 Spyware/Malware Sources Selecting this category excludes pages which distribute spyware and other malware. Spyware is defined as software which takes control of your computer, modifies computer settings, collects or reports personal information, or misrepresents its[...]

  • Page 339

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 339 Religion Selecting this category excludes pages that promote and provide information on conventional or unconventional religious or quasi-religious subjects, as well as churches, synagogues, or other houses of worship. It does not include pages containing alternative[...]

  • Page 340

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 340 Travel Selecting this category excludes pages that promote or provide opportunity for travel planning, including finding and making travel reservations, vehicle rentals, descriptions of travel destinations, or promotions for hotels or casinos. Vehicles Selecti[...]

  • Page 341

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 341 17.6 Content Filter Policy: Customization Click SECURITY > CONTENT FILTER > Policy and then a policy’s customization icon to display the following screen. Use this screen to select good (allowed) web site addresses for this policy and bad (blocked) web site addr[...]

  • Page 342

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 342 The following table describes the labels in this screen. 17.7 Content Filter Policy: Schedule Click SECURITY > CONTENT FILTER > Policy and then a policy’s schedule icon to display the following screen. Use this screen to set for which days and times the policy [...]

  • Page 343

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 343 Figure 193 SECURITY > CONTENT FILTER > Policy > Schedule The following table describes the labels in this screen. 17.8 Content Filter Object Click SECURITY > CONTENT FILTER > Object to display the following screen. Table 97 SECURITY > CONTENT FILTE[...]

  • Page 344

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 344 Use this screen to configure a list of allowed web site addresses for this policy and a list of blocked web site addresses. You can also block web sites based on whether the web site’s address contains a keyword. Use this screen to add or remove specific sites or keyw[...]

  • Page 345

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 345 The following table describes the labels in this screen. Table 98 SECURITY > CONTENT FILTER > Object LABEL DESCRIPTION Trusted Web Sites These are sites that you want to allow access to, regardless of their content rating, can be allowed by adding them to this [...]

  • Page 346

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 346 17.9 Content Filtering Cache Click SECURITY > CONTENT FILTER > Cache to display the CONTENT FILTER Cache screen. Use this screen to view and configure your ZyWALL’s URL caching. You can also configure how long a categorized web site address remains in the c[...]

  • Page 347

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 347[...]

  • Page 348

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 348[...]

  • Page 349

    ZyWALL 5/35/70 Series User’s Guide 349 CHAPTER 18 Content Filtering Reports 18.1 Overview This chapter describes how to view content filtering reports after you have activated the category-based content filtering subscription service. See Chapter 6 on page 141 on how to create a myZyXEL.com account, register your device and activate the subscr[...]

  • Page 350

    Chapter 18 Content Filtering Reports ZyWALL 5/35/70 Series User’s Guide 350 Figure 196 myZyXEL.com: Login 3 A welcome screen displays. Click your ZyWALL’s model name and/or MAC address under Registered ZyXEL Products. You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 1[...]

  • Page 351

    Chapter 18 Content Filtering Reports ZyWALL 5/35/70 Series User’s Guide 351 Figure 198 myZyXEL.com: Service Management 5 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 198 on page 351). Type your myZyXEL.com account password in the Password [...]

  • Page 352

    Chapter 18 Content Filtering Reports ZyWALL 5/35/70 Series User’s Guide 352 Figure 200 Content Filtering Reports Main Screen 8 Select items under Global Reports or Single User Reports to view the corresponding reports. Figure 201 Blue Coat: Report Home 9 Select a time period in the Date Range field, either Allowed or Blocked in the Action Tak [...]

  • Page 353

    Chapter 18 Content Filtering Reports ZyWALL 5/35/70 Series User’s Guide 353 Figure 202 Global Report Screen Example 11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.[...]

  • Page 354

    Chapter 18 Content Filtering Reports ZyWALL 5/35/70 Series User’s Guide 354 Figure 203 Requested URLs Example 18.4 Web Site Submission You may find that a web site has not been accurately categorized or that a web site’s contents have changed and the content filtering category needs to be updated. Use the following procedure to submit the[...]

  • Page 355

    Figure 204 Web Page Review Process Screen 3 Type the web site’s URL in the field and click Submit to have the web site reviewed.[...]

  • Page 357

    CHAPTER 19 IPSec VPN 19.1 Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport traffic over the [...]

  • Page 358

    • Use the VPN Global Setting screen (see Section 19.10 on page 379) to change settings that apply to all of your VPN tunnels. 19.1.2 What You Need to Know About IPSec VPN An IPSec VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a[...]

  • Page 359

    Figure 207 Gateway and Network Policies This figure helps explain the main fields in the VPN setup. Figure 208 IPSec Fields Summary Negotiation Mode It takes several steps to establish an IKE SA. The negotiation mode determines the number of steps to use. There are two negotiation mode[...]

  • Page 360

    You can usually provide a static IP address or a domain name for the ZyWALL. Sometimes, your ZyWALL might also offer another alternative, such as using the IP address of a port or interface. You can usually provide a static IP address or a domain name for the remote IPSec router as [...]

  • Page 361

    19.3 The VPN Rules (IKE) Gateway Policy Edit Screen In the VPN Rule (IKE) screen, click the add gateway policy icon or the edit icon to display the VPN-Gateway Policy-Edit screen. Gateway Policies The first row of each VPN rule represents the gateway policy. The gateway polic[...]

  • Page 362

    Use this screen to configure a VPN gateway policy. The gateway policy identifies the IPSec routers at either end of a VPN tunnel (My ZyWALL and Remote Gateway) and specifies the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA. Figure 210 SECURITY [...]

  • Page 363

    The following table describes the labels in this screen. Table 101 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy LABEL DESCRIPTION Property Name Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyW[...]

  • Page 364

    Fall back to Primary Remote Gateway when possible Select this to have the ZyWALL change back to using the primary remote gateway if the connection becomes available again. Fall Back Check Interval* Set how often the ZyWALL should check the connection to the primary remote gateway w[...]

  • Page 365

    Peer ID Type Select from the following when you set Authentication Key to Pre-shared Key. Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name. Select E-mail to identify the remote IPSec router by an e-mail[...]

  • Page 366

    Server Mode Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection. You must also configure the extended authentication clients’ usernames and passwords in the authentication server’s local user database or a RADI[...]

  • Page 367

    19.4 The Network Policy Edit Screen Click SECURITY > VPN and the add network policy icon or a network policy’s edit icon in the VPN Rules (IKE) screen to display the VPN-Network Policy-Edit screen. Use this screen to configure a network policy. A network policy identifies[...]

  • Page 368

    Figure 211 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy[...]

  • Page 369

    The following table describes the labels in this screen. Table 102 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy LABEL DESCRIPTION Active If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel. Clear the Active check box [...]

  • Page 370

    Port Forwarding Rules If you are configuring a Many-to-One rule, click this button to go to a screen where you can configure port forwarding for your VPN tunnels. The VPN network policy port forwarding rules let the ZyWALL forward traffic coming in through the VPN tunnel to the appropr[...]

  • Page 371

    Ending IP Address/Subnet Mask When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address, in a range of computers on the LAN behind your ZyWALL. When the Address[...]

  • Page 372

    19.5 The Network Policy Edit: Port Forwarding Screen Click SECURITY > VPN and the add network policy icon in the VPN Rules (IKE) screen to display the VPN-Network Policy-Edit screen. Then, under Virtual Address Mapping Rule, select Many-to-One as the Type and click the Port[...]

  • Page 373

    Figure 212 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding The following table describes the labels in this screen. Table 103 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding LABEL DESCRIPTION Default Server In ad[...]

  • Page 374

    19.6 The Network Policy Move Screen Click the move icon in the VPN Rules (IKE) screen to display the VPN Rules (IKE): Network Policy Move screen. A VPN (Virtual Private Network) tunnel gives you a secure connection to another computer or network. Each VPN tunnel uses a single gatew[...]

  • Page 375

    19.7 The VPN Rules (Manual) Screen Refer to Figure 208 on page 359 for a graphical representation of the fields in the web configurator. Click SECURITY > VPN > VPN Rules (Manual) to open the VPN Rules (Manual) screen. Use this screen to manage the ZyWALL’s list of VPN rules [...]

  • Page 376

    19.8 The VPN Rules (Manual): Edit Screen Click the Add button or the edit icon on the VPN Rules (Manual) screen to open the following screen. Use this screen to configure VPN rules that use manual keys. Manual key management is useful if you have problems with IKE key management. Se[...]

  • Page 377

    The following table describes the labels in this screen. Table 106 SECURITY > VPN > VPN Rules (Manual) > Edit LABEL DESCRIPTION Property Active Select this check box to activate this VPN policy. Name Type up to 32 characters to identify this VPN policy. You may use any cha[...]

  • Page 378

    Ending IP Address/Subnet Mask When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address, in a range of computers on the network behind the remote IPSec router. [...]

  • Page 379

    19.9 The VPN SA Monitor Screen In the web configurator, click SECURITY > VPN > SA Monitor. Use this screen to display and manage active VPN connections. A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This screen displays activ[...]

  • Page 380

    Local and Remote IP Address Conflict Resolution Normally, you do not configure your local VPN policy rule’s IP addresses to overlap with the remote VPN policy rule’s IP addresses. For example, you usually would not configure both with 192.168.1.0. However, overlapping local a[...]

  • Page 381

    Figure 218 Overlap in IP Alias and VPN Remote Networks In this case, if you want to send packets from network A to an overlapped IP (ex. 10.1.2.241) that is in the IP alias network M, you have to set Local and Remote IP Address Conflict Resolution to The Local Network. Figure 219 SEC[...]

  • Page 382

    19.11 Telecommuter VPN/IPSec Examples The following examples show how multiple telecommuters can make VPN connections to a single ZyWALL at headquarters. The telecommuters use IPSec routers with dynamic WAN IP addresses. The ZyWALL at headquarters has a static public IP address. Ga[...]

  • Page 383

    19.11.1 Telecommuters Sharing One VPN Rule Example See the following figure and table for an example configuration that allows multiple telecommuters (A, B and C in the figure) to use one VPN rule to simultaneously access a ZyWALL at headquarters (HQ in the figure). The telecommu[...]

  • Page 384

    See the following table and figure for an example where three telecommuters each use a different VPN rule for a VPN connection with a ZyWALL located at headquarters. The ZyWALL at headquarters (HQ in the figure) identifies each incoming SA by its ID type and content and uses the app[...]

  • Page 385

    19.12 VPN and Remote Management You can allow someone to use a service (like Telnet or HTTP) through a VPN tunnel to manage the ZyWALL. One of the ZyWALL’s ports must be part of the VPN rule’s local network. This can be the ZyWALL’s LAN port if you do not want to allow rem[...]

  • Page 386

    Figure 223 VPN Topologies Hub-and-spoke VPN reduces the number of VPN connections that you have to set up and maintain in the network. Small office or telecommuter IPSec routers that support a limited number of VPN tunnels are also able to use VPN to connect to more networks. Hub[...]

  • Page 387

    Figure 224 Hub-and-spoke VPN Example 19.13.2 Hub-and-spoke Example VPN Rule Addresses The VPN rules for this hub-and-spoke example would use the following address settings. Branch Office A: • Remote Gateway: 10.0.0.1 • Local IP address: 192.168.167.0/255.255.255.0 • Remote IP a[...]

  • Page 388

    • The hub router must have at least one separate VPN rule for each spoke. In the local IP address, specify the IP addresses of the hub-and-spoke networks with which the spoke is to be able to have a VPN tunnel. This may require you to use more than one VPN rule. • If you want to [...]

  • Page 389

    Diffie-Hellman (DH) Key Exchange The ZyWALL and the remote IPSec router use a DH key exchange to establish a shared secret, which is used to generate encryption keys for IKE SA and IPSec SA. In main mode, the DH key exchange is done in steps 3 and 4, as illustrated below. Figure [...]

  • Page 390

    The ZyWALL and the remote IPSec router each has its own identity, so each one must store two sets of information, one for itself and one for the other router. Local ID type and ID content refers to the ID type and ID content that applies to the router itself, and peer ID type and ID c[...]

  • Page 391

    You must set up the certificates for the ZyWALL and remote IPSec router before you can use certificates in IKE SA. See Chapter 20 on page 399 for more information about certificates. Extended Authentication Extended authentication is often used when multiple IPSec routers use[...]

  • Page 392

    VPN, NAT, and NAT Traversal In the following example, there is another router (A) between router X and router Y. Figure 228 VPN/NAT Example If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and router Y try to establish a VPN tunnel, th[...]

  • Page 393

    You can configure a remote network as 0.0.0.0 (any) when: • Forwarding all outgoing traffic to the remote gateway. • The remote network's addresses are unknown or there are many remote networks using one VPN rule (see Section 19.11.1 on page 383 for an example of telecommut[...]

  • Page 394

    Figure 229 Virtual Mapping of Local and Remote Network IP Addresses Computers on network X use IP addresses 192.168.1.2 to 192.168.1.4 to access local network devices and IP addresses 172.21.2.2 to 172.21.2.27 to access the remote network devices. Computers on network Y use IP addre[...]

  • Page 395

    In tunnel mode, the ZyWALL uses the active protocol to encapsulate the entire IP packet. As a result, there are two IP headers: • Outside header: The outside IP header contains the IP address of the ZyWALL or remote IPSec router, whichever is the destination. • Inside header: T[...]

  • Page 396

    Additional IPSec VPN Topics This section discusses other IPSec VPN topics that apply to either IKE SAs or IPSec SAs or both. Relationships between the topics are also highlighted. SA Life Time SAs have a lifetime that specifies how long the SA lasts until it times out. When an SA time[...]

  • Page 397

    Figure 231 IPSec High Availability When setting up an IPSec high availability VPN tunnel, the remote IPSec router: • Must have multiple WAN connections • Only needs one corresponding IPSec rule • Should only have IPSec high availability settings in its corresponding IPSec rul[...]

  • Page 399

    CHAPTER 20 Certificates 20.1 Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for u[...]

  • Page 400

    The ZyWALL uses certificates based on public-key cryptology to authenticate users attempting to establish a connection. The method used to secure the data that you send through an established connection depends on the type of connection. For example, a VPN tunnel might use the t[...]

  • Page 401

    Figure 233 Certificate Details 4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS [...]

  • Page 402

    Figure 234 SECURITY > CERTIFICATES > My Certificates The following table describes the labels in this screen. Table 113 SECURITY > CERTIFICATES > My Certificates LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’s PKI stor[...]

  • Page 403

    20.2.1 The My Certificate Details Screen Click SECURITY > CERTIFICATES > My Certificates to open the My Certificates screen (see Figure 234 on page 402). Click the details icon to open the My Certificate Details screen. You can use this screen to view in-depth certificate [...]

  • Page 404

    Figure 235 SECURITY > CERTIFICATES > My Certificates > Details The following table describes the labels in this screen. Table 114 SECURITY > CERTIFICATES > My Certificates > Details LABEL DESCRIPTION Name This field displays the identifying name of this certi[...]

  • Page 405

    Issuer This field displays identifying information about the certificate’s issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same as the Subject Name field. Signature Algorithm Thi[...]

  • Page 406

    20.3 The My Certificate Export Screen Click SECURITY > CERTIFICATES > My Certificates and then a certificate’s export icon to open the My Certificate Export screen. Follow the instructions in this screen to choose the file format to use for saving the certificate from the[...]

  • Page 407

    20.4 The My Certificate Import Screen You can only import a certificate that matches a corresponding certification request that was generated by the ZyWALL (the certification request contains the private key). The certificate you import replaces the corresponding request in the M[...]

  • Page 408

    Figure 237 SECURITY > CERTIFICATES > My Certificates > Import The following table describes the labels in this screen. When you import a binary PKCS#12 format certificate, another screen displays for you to enter the password. Figure 238 SECURITY > CERTIFICATES > My [...]

  • Page 409

    20.5 The My Certificate Create Screen Click SECURITY > CERTIFICATES > My Certificates > Create to open the My Certificate Create screen. Use this screen to have the ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a[...]

  • Page 410

    Figure 240 SECURITY > CERTIFICATES > My Certificates > Create (Advanced) The following table describes the labels in this screen. Table 118 SECURITY > CERTIFICATES > My Certificates > Create LABEL DESCRIPTION Certificate Name Type up to 31 ASCII characters (no[...]

  • Page 411

    Common Name Select a radio button to identify the certificate’s owner by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided. The domain name or e-mail address can be up to 31 ASCII ch[...]

  • Page 412

    Subject Alternative Name Select a radio button to identify the certificate’s owner by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided. The domain name or e-mail address can be up t[...]

  • Page 413

    • After you click Apply in the My Certificate Create screen, you see a screen that tells you the ZyWALL is generating the self-signed certificate or certification request. • After the ZyWALL successfully enrolls a certificate or generates a certification request or a self-si[...]

  • Page 414

    Figure 241 SECURITY > CERTIFICATES > Trusted CAs The following table describes the labels in this screen. Table 119 SECURITY > CERTIFICATES > Trusted CAs LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’s PKI storage spac[...]

  • Page 415

    20.7 The Trusted CA Details Screen Click SECURITY > CERTIFICATES > Trusted CAs to open the Trusted CAs screen. Click the details icon to open the Trusted CA Details screen. Use this screen to view in-depth information about the certification authority’s certificate,[...]

  • Page 416

    Figure 242 SECURITY > CERTIFICATES > Trusted CAs > Details The following table describes the labels in this screen. Table 120 SECURITY > CERTIFICATES > Trusted CAs > Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. [...]

  • Page 417

    Certification Path Click the Refresh button to have this read-only text box display the end entity’s certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity’s certificate. If the issuin[...]

  • Page 418

    20.8 The Trusted CA Import Screen Click SECURITY > CERTIFICATES > Trusted CAs to open the Trusted CAs screen and then click Import to open the Trusted CA Import screen. Follow the instructions in this screen to save a trusted certification authority’s certificate fro[...]

  • Page 419

    Figure 243 SECURITY > CERTIFICATES > Trusted CAs > Import The following table describes the labels in this screen. 20.9 The Trusted Remote Hosts Screen Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen. This screen disp[...]

  • Page 420

    Figure 244 SECURITY > CERTIFICATES > Trusted Remote Hosts The following table describes the labels in this screen. Table 122 SECURITY > CERTIFICATES > Trusted Remote Hosts LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’[...]

  • Page 421

    20.10 The Trusted Remote Hosts Import Screen Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen. You may have peers with certificates that you want to trust, but[...]

  • Page 422

    20.11 The Trusted Remote Host Certificate Details Screen Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen. Click the details icon to open the Trusted Remote Host Details screen. You can use this screen to view in-depth inform[...]

  • Page 423

    The following table describes the labels in this screen. Table 124 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to[...]

  • Page 424

    20.12 The Directory Servers Screen Click SECURITY > CERTIFICATES > Directory Servers to open the Directory Servers screen. This screen displays a summary list of directory servers (that contain lists of valid and revoked certificates) that have been saved into the ZyWALL.[...]

  • Page 425

    The following table describes the labels in this screen. 20.13 The Directory Server Add or Edit Screen Click SECURITY > CERTIFICATES > Directory Servers to open the Directory Servers screen. Click Add (or the details icon) to open the Directory Server Add screen. Use this scre[...]

  • Page 426

    The following table describes the labels in this screen. Table 126 SECURITY > CERTIFICATES > Directory Server > Add LABEL DESCRIPTION Directory Service Setting Name Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server. Access Protoco[...]

  • Page 427

    CHAPTER 21 Authentication Server Screens 21.1 Overview This chapter discusses how to configure the ZyWALL’s authentication server feature. A ZyWALL set to be a VPN extended authentication server can use either the local user database internal to the ZyWALL or an external RADIUS server for an unlimi[...]

  • Page 428

    21.2 The Local User Database Screen Click SECURITY > AUTH SERVER to open the Local User Database screen. The local user database is a list of user profiles stored on the ZyWALL. The ZyWALL can use this list of user profiles to authenticate users. Use this [...]

  • Page 429

    Figure 249 SECURITY > AUTH SERVER > Local User Database[...]

  • Page 430

    The following table describes the labels in this screen. 21.3 The RADIUS Screen Click SECURITY > AUTH SERVER > RADIUS to open the RADIUS screen. Configure this screen to use an external RADIUS server to authenticate users. Figure 250 SECURITY > AUTH SERVE[...]

  • Page 431

    Key Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the ZyWALL. The key is not sent over the network. This key must be the same on the external authentication server and ZyWALL. Accoun[...]

  • Page 433

    PART IV: Advanced. Network Address Translation (NAT) (435); Static Route Screens (451); Policy Route Screens (457); Bandwidth Management Screens (465); DNS Screens (479); Remote Management Screens (491); UPnP Screens (519); Custom Application Screen (529); ALG Screen (531)[...]

  • Page 435

    CHAPTER 22 Network Address Translation (NAT) 22.1 Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network is changed to a different IP address known within anoth[...]

  • Page 436

    The following table summarizes the NAT mapping types. Port numbers do not change for One-to-One and Many-One-to-One NAT mapping types. SUA (Single User Account) Versus NAT SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that su[...]

  • Page 437

    Figure 251 ADVANCED > NAT > NAT Overview The following table describes the labels in this screen. Table 130 ADVANCED > NAT > NAT Overview LABEL DESCRIPTION Global Settings Max. Concurrent Sessions This read-only field displays the highest number[...]

  • Page 438

    22.3 The NAT Address Mapping Screen Click ADVANCED > NAT > Address Mapping to open the following screen. Use this screen to change your ZyWALL’s address mapping settings. Not all fields are available on all models. Ordering your rules is important be[...]

  • Page 439

    Figure 252 ADVANCED > NAT > Address Mapping The following table describes the labels in this screen. Table 131 ADVANCED > NAT > Address Mapping LABEL DESCRIPTION SUA Address Mapping Rules This read-only table displays the default address mapping[...]

  • Page 440

    22.3.1 NAT Address Mapping Edit Click the edit icon to display the NAT Address Mapping Edit screen. Use this screen to edit an address mapping rule. See Section 22.1 on page 435 for information on NAT and address mapping. Figure 253 ADVANCED > NAT > Ad[...]

  • Page 441

    The following table describes the labels in this screen. 22.4 The Port Forwarding Screen A port forwarding set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though NAT makes [...]

  • Page 442

    If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. 22.4.2 Port Forwarding: Services and Port Numbers The ZyWALL provides the additional saf[...]

  • Page 443

    22.4.5 Port Translation The ZyWALL can translate the destination port number or a range of port numbers of packets coming from the WAN to another destination port number or range of port numbers on the local network. When you use port forwarding without po[...]

  • Page 444

    The last port forwarding rule is reserved for Roadrunner services. The rule is activated only when you set the WAN Encapsulation to Ethernet and the Service Type to something other than Standard. Figure 256 ADVANCED > NAT > Port Forwarding The[...]

  • Page 445

    22.5 The Port Triggering Screen Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in from the server o[...]

  • Page 446

    2 Port 7070 is a “trigger” port and causes the ZyWALL to record Jane’s computer IP address. The ZyWALL associates Jane's computer IP address with the "incoming" port range of 6970-7170. 3 The Real Audio server responds using a port num[...]

  • Page 447

    Chapter 22 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 447 22.6 Technical Reference This technical reference contains the following sections: • Inside/outside and Global/local • What NAT Does • How NAT Works • NAT Application • Port Restricted Cone NAT Inside/outside and Global/local Inside/outside den[...]

  • Page 448

    Chapter 22 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 448 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT tr[...]

  • Page 449

    Chapter 22 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 449 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter. Figure [...]

  • Page 450

    Chapter 22 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 450 Figure 261 Port Restricted Cone NAT Example[...]

  • Page 451

    ZyWALL 5/35/70 Series User’s Guide 451 CHAPTER 23 Static Route Screens 23.1 Overview This chapter shows you how to configure static routes for your ZyWALL. The ZyWALL usually uses the default gateway to route outbound traffic from local computers to the Internet. To have the ZyWALL send data to devices not reachable through the default ga[...]

  • Page 452

    Chapter 23 Static Route Screens ZyWALL 5/35/70 Series User’s Guide 452 • Use the IP Static Route Edit screen (Section 23.2.1 on page 454) to configure the required information for a static route. 23.2 The IP Static Route Screen Click ADVANCED > STATIC ROUTE to open the IP Static Route screen (some of the screen’s blank rows are[...]

  • Page 453

    Chapter 23 Static Route Screens ZyWALL 5/35/70 Series User’s Guide 453 Figure 263 ADVANCED > STATIC ROUTE > IP Static Route The following table describes the labels in this screen. Table 135 ADVANCED > STATIC ROUTE > IP Static Route LABEL DESCRIPTION # This is the number of an individual static route. Name This is the name tha[...]

  • Page 454

    Chapter 23 Static Route Screens ZyWALL 5/35/70 Series User’s Guide 454 23.2.1 The IP Static Route Edit Screen Click the edit icon in the IP Static Route screen. The screen shown next appears. Use this screen to configure the required information for a static route. Figure 264 ADVANCED > STATIC ROUTE > IP Static Route > Edit The fol[...]

  • Page 455

    Chapter 23 Static Route Screens ZyWALL 5/35/70 Series User’s Guide 455 Private This parameter determines if the ZyWALL will include this route to a remote node in its RIP broadcasts. Select this check box to keep this route private and not included in RIP broadcasts. Clear this check box to propagate this route to other hosts through RIP br[...]

  • Page 456

    Chapter 23 Static Route Screens ZyWALL 5/35/70 Series User’s Guide 456[...]

  • Page 457

    ZyWALL 5/35/70 Series User’s Guide 457 CHAPTER 24 Policy Route Screens 24.1 Overview This chapter covers setting and applying policies used for IP routing. Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the[...]

  • Page 458

    Chapter 24 Policy Route Screens ZyWALL 5/35/70 Series User’s Guide 458 Routing Policy Individual routing policies are used as part of the overall IPPR process. A policy defines the matching criteria and the action to take when a packet meets the criteria. The action is taken only when all the criteria are met. The criteria include the sou[...]

  • Page 459

    Chapter 24 Policy Route Screens ZyWALL 5/35/70 Series User’s Guide 459 Figure 265 ADVANCED > POLICY ROUTE > Policy Route Summary The following table describes the labels in this screen. Table 137 ADVANCED > POLICY ROUTE > Policy Route Summary LABEL DESCRIPTION # This is the number of an individual policy route. Active This field[...]

  • Page 460

    Chapter 24 Policy Route Screens ZyWALL 5/35/70 Series User’s Guide 460 24.2.1 The Policy Route Edit Screen Click ADVANCED > POLICY ROUTE to open the Policy Route Summary screen. Then click the edit icon to open the Edit IP Policy Route screen. WAN 2 refers to either the physical WAN 2 port on the ZyWALL with multiple WAN ports or the [...]

  • Page 461

    Chapter 24 Policy Route Screens ZyWALL 5/35/70 Series User’s Guide 461 Figure 266 ADVANCED > POLICY ROUTE > Edit The following table describes the labels in this screen. Table 138 ADVANCED > POLICY ROUTE > Edit LABEL DESCRIPTION Criteria Active Select the check box to activate the policy. Rule Index This is the index number of th[...]

  • Page 462

    Chapter 24 Policy Route Screens ZyWALL 5/35/70 Series User’s Guide 462 Length Comparison Choose from Equal, Not Equal, Less, Greater, Less or Equal or Greater or Equal. Application Select a predefined application (FTP, H.323 or SIP) for the policy rule. If you do not want to use a predefined application, select Custom. You can al[...]

  • Page 463

    Chapter 24 Policy Route Screens ZyWALL 5/35/70 Series User’s Guide 463 Gateway Select User-Defined and enter the IP address of the gateway if you want to specify the IP address of the gateway. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination. The gateway must be a router on the same segment a[...]

  • Page 464

    Chapter 24 Policy Route Screens ZyWALL 5/35/70 Series User’s Guide 464[...]

  • Page 465

    ZyWALL 5/35/70 Series User’s Guide 465 CHAPTER 25 Bandwidth Management Screens 25.1 Overview Bandwidth management allows you to allocate an interface’s outgoing capacity to specific types of traffic. It can also help you make sure that the ZyWALL forwards certain types of traffic, such as Voice-over-IP (VoIP), with minimum delay. Bandwid[...]

  • Page 466

    Chapter 25 Bandwidth Management Screens ZyWALL 5/35/70 Series User’s Guide 466 Proportional Bandwidth Allocation Bandwidth management allows you to define how much bandwidth each class gets; however, the actual bandwidth allotted to each class decreases or increases in proportion to actual available bandwidth. Application-based Bandwidth [...]

  • Page 467

    Chapter 25 Bandwidth Management Screens ZyWALL 5/35/70 Series User’s Guide 467 25.1.4 Over Allotment of Bandwidth Example It is possible to set the bandwidth management speed for an interface higher than the interface’s actual transmission speed. Higher priority traffic gets to use up to its allocated bandwidth, even if it takes up a[...]

  • Page 468

    Chapter 25 Bandwidth Management Screens ZyWALL 5/35/70 Series User’s Guide 468 You can configure up to one bandwidth filter per bandwidth class. You can also configure bandwidth classes without bandwidth filters. However, it is recommended that you configure sub-classes with filters for any classes that you configure without filters. The ZyW [...]

  • Page 469

    Chapter 25 Bandwidth Management Screens ZyWALL 5/35/70 Series User’s Guide 469 The following table describes the labels in this screen. Table 141 ADVANCED > BW MGMT > Summary LABEL DESCRIPTION Class These read-only labels represent the physical interfaces. Select an interface’s check box to enable bandwidth management on that interfac[...]

  • Page 470

    Chapter 25 Bandwidth Management Screens ZyWALL 5/35/70 Series User’s Guide 470 25.2.1 Maximize Bandwidth Usage Example Here is an example of a ZyWALL that has maximize bandwidth usage enabled on an interface. The following table shows each bandwidth class’s bandwidth budget. The classes are set up based on subnets. The interface is set [...]

  • Page 471

    Chapter 25 Bandwidth Management Screens ZyWALL 5/35/70 Series User’s Guide 471 25.2.1.2 Fairness-based Allotment of Unused and Unbudgeted Bandwidth The following table shows the amount of bandwidth that each class gets. Suppose that all of the classes except for the administration class need more bandwidth. • Each class gets up to its budge[...]

  • Page 472

    Chapter 25 Bandwidth Management Screens ZyWALL 5/35/70 Series User’s Guide 472 Figure 269 ADVANCED > BW MGMT > Class Setup The following table describes the labels in this screen. Table 145 ADVANCED > BW MGMT > Class Setup LABEL DESCRIPTION Interface Select an interface for which you want to set up bandwidth management classes. [...]

  • Page 473

    Chapter 25 Bandwidth Management Screens ZyWALL 5/35/70 Series User’s Guide 473 25.4 Bandwidth Manager Class Configuration Configure a bandwidth management class in the Class Setup screen. You must use the Summary screen to enable bandwidth management on an interface before you can configure classes for that interface. Bandwidth Borrowing Ban[...]

  • Page 474

    Chapter 25 Bandwidth Management Screens ZyWALL 5/35/70 Series User’s Guide 474 Figure 270 ADVANCED > BW MGMT > Class Setup > Add Sub-Class The following table describes the labels in this screen. Table 146 ADVANCED > BW MGMT > Class Setup > Add Sub-Class LABEL DESCRIPTION Class Configuration Class Name Use the auto-generat[...]

  • Page 475

    Chapter 25 Bandwidth Management Screens ZyWALL 5/35/70 Series User’s Guide 475 Enable Bandwidth Filter Select Enable Bandwidth Filter to have the ZyWALL use this bandwidth filter when it performs bandwidth management. You must enter a value in at least one of the following fields (other than the Subnet Mask fields which are only available wh[...]

  • Page 476

    Chapter 25 Bandwidth Management Screens ZyWALL 5/35/70 Series User’s Guide 476 25.4.1 Bandwidth Borrowing Example Here is an example of bandwidth management with classes configured for bandwidth borrowing. The classes are set up based on departments and individuals within certain departments. Refer to the product specifications chapter to s[...]

  • Page 477

    Chapter 25 Bandwidth Management Screens ZyWALL 5/35/70 Series User’s Guide 477 • The Research Software and Hardware classes can both borrow unused bandwidth from the Research class because the Research Software and Hardware classes both have bandwidth borrowing enabled. • The Research Software and Hardware classes can also borrow unused b[...]

  • Page 478

    Chapter 25 Bandwidth Management Screens ZyWALL 5/35/70 Series User’s Guide 478 25.6 The Monitor Screen Click ADVANCED > BW MGMT > Monitor to open the following screen. Use this screen to view the device’s bandwidth usage and allotments. Figure 272 ADVANCED > BW MGMT > Monitor The following table describes the labels in this scre[...]

  • Page 479

    ZyWALL 5/35/70 Series User’s Guide 479 CHAPTER 26 DNS Screens 26.1 Overview This chapter shows you how to configure the DNS screens. DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you [...]

  • Page 480

    Chapter 26 DNS Screens ZyWALL 5/35/70 Series User’s Guide 480 3 You can manually enter the IP addresses of other DNS servers. These servers can be public or private. A DNS server could even be behind a remote IPSec router (see Section on page 480). Address Record An address record contains the mapping of a fully qualified domain name (FQDN[...]

  • Page 481

    Chapter 26 DNS Screens ZyWALL 5/35/70 Series User’s Guide 481 Figure 273 Private DNS Server Example Note: If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network. DDNS DDNS (Dynamic DNS) allows you to update your current dynamic IP addr[...]

  • Page 482

    Chapter 26 DNS Screens ZyWALL 5/35/70 Series User’s Guide 482 Figure 274 ADVANCED > DNS > System DNS The following table describes the labels in this screen. LABEL DESCRIPTION Address Record An address record specifies the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and i[...]

  • Page 483

    Chapter 26 DNS Screens ZyWALL 5/35/70 Series User’s Guide 483 26.2.1 The Add Address Record Screen Click Add in the System screen to open this screen. Use this screen to add an address record. An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. Configure address records about the ZyWALL itself or[...]

  • Page 484

    Chapter 26 DNS Screens ZyWALL 5/35/70 Series User’s Guide 484 The following table describes the labels in this screen. 26.2.2 The Insert Name Server Record Screen Click Insert in the System screen to open this screen. Use this screen to insert a name server record. A name server record contains a DNS server’s IP address. The ZyWALL can que[...]

  • Page 485

    Chapter 26 DNS Screens ZyWALL 5/35/70 Series User’s Guide 485 The following table describes the labels in this screen. 26.3 The DNS Cache Screen DNS cache is the temporary storage area where a router stores responses from DNS servers. When the ZyWALL receives a positive or negative response for a DNS query, it records the response in the DNS[...]

  • Page 486

    Chapter 26 DNS Screens ZyWALL 5/35/70 Series User’s Guide 486 Figure 277 ADVANCED > DNS > Cache The following table describes the labels in this screen. LABEL DESCRIPTION DNS Cache Setup Cache Positive DNS Resolutions Select the check box to record the positive DNS resolutions in the cache. Caching positive DNS resolutions helps speed u[...]

  • Page 487

    Chapter 26 DNS Screens ZyWALL 5/35/70 Series User’s Guide 487 26.4 The DHCP Screen Click ADVANCED > DNS > DHCP to open the DNS DHCP screen shown next. Use this screen to configure the DNS server information that the ZyWALL sends to its LAN, DMZ or WLAN DHCP clients. Figure 278 ADVANCED > DNS > DHCP The following table describes[...]

  • Page 488

    Chapter 26 DNS Screens ZyWALL 5/35/70 Series User’s Guide 488 26.5 The DDNS Screen First of all, you need to have registered a dynamic DNS account with www.dyndns.com. This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a domain name. The Dynamic DNS service provider will give you a password or ke[...]

  • Page 489

    Chapter 26 DNS Screens ZyWALL 5/35/70 Series User’s Guide 489 High Availability A DNS server maps a domain name to a port's IP address. If that WAN port loses its connection, high availability allows the router to substitute another port's IP address for the domain name mapping. 26.6 Configuring the Dynamic DNS Screen To change y[...]

  • Page 490

    Chapter 26 DNS Screens ZyWALL 5/35/70 Series User’s Guide 490 Domain Name 1~5 Enter the host names in these fields. DDNS Type Select the type of service that you are registered for from your Dynamic DNS service provider if you have selected WWW.DynDNS.COM. Select Dynamic if you have the Dynamic DNS service. Select Static if you have the S [...]

  • Page 491

    ZyWALL 5/35/70 Series User’s Guide 491 CHAPTER 27 Remote Management Screens 27.1 Overview This chapter provides information on the remote management screens. Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. The following figure shows secure and insecure manag[...]

  • Page 492

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 492 27.1.2 What You Need To Know About Remote Management Firewall Rules When you configure remote management to allow management from any network except the LAN, you still need to configure a firewall rule to allow access. See Chapter 13 on page 251 for details on config[...]

  • Page 493

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 493 27.2 HTTPS Example If you haven’t changed the default HTTPS port on the ZyWALL, then in your browser enter “https://ZyWALL IP Address/” as the web site address where “ZyWALL IP Address” is the IP address or domain name of the ZyWALL you wish to acc[...]

  • Page 494

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 494 Figure 282 Security Certificate 1 (Netscape) Figure 283 Security Certificate 2 (Netscape) 27.2.3 Avoiding the Browser Warning Messages The following describes the main reasons that your browser displays warnings about the ZyWALL’s HTTPS server certificate and w[...]

  • Page 495

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 495 6a Click REMOTE MGMT. Write down the name of the certificate displayed in the Server Certificate field. 6b Click CERTIFICATES. Find the certificate and check its Subject column. CN stands for certificate’s common name (see Figure 286 on page 496 for an ex[...]

  • Page 496

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 496 Figure 286 Device-specific Certificate Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate. You will then see this information in the My Certificates screen. Figure 287 Common ZyWALL Certificate 27.2.5 Enrolling and Importing SSL Cli[...]

  • Page 497

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 497 Figure 288 ZyWALL Trusted CA Screen The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s). 27.2.6 Installing the CA’s Certificate (Example) 1 Double c[...]

  • Page 498

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 498 Figure 289 CA Certificate Example 2 Click Install Certificate and follow the wizard as shown earlier in this appendix. 27.2.7 Installing Your Personal Certificate(s) (Example) You need a password in advance. The CA may issue the password or you may have to specif[...]

  • Page 499

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 499 Figure 290 Personal Certificate Import Wizard 1 2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 291 Personal Certificate I[...]

  • Page 500

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 500 Figure 292 Personal Certificate Import Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Figure 293 Personal Certificate Import Wizard 4 [...]

  • Page 501

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 501 Figure 294 Personal Certificate Import Wizard 5 6 You should see the following screen when the certificate is correctly installed on your computer. Figure 295 Personal Certificate Import Wizard 6 27.2.8 Using a Certificate When Accessing the ZyWALL (Example) [...]

  • Page 502

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 502 Figure 297 SSL Client Authentication 3 You next see the web configurator login screen. Figure 298 Secure Web Configurator Login Screen 27.2.9 Secure Telnet Using SSH Examples This section shows two examples using a command interface and a graphical interface SSH cli[...]

  • Page 503

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 503 Figure 299 SSH Example 1: Store Host Key Enter the password to log in to the ZyWALL. The SMT main menu displays next. 27.2.9.2 Example 2: Linux This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distri[...]

  • Page 504

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 504 3 The SMT main menu displays next. 27.2.9.3 Secure FTP Using SSH Example This section shows an example on file transfer using the OpenSSH client program. The configuration and connection steps are similar for other SSH client programs. Refer to your SSH client progra[...]

  • Page 505

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 505 requires it to do so (select Authenticate Client Certificates in the REMOTE MGMT > WWW screen). Authenticate Client Certificates is optional and if selected means the SSL-client must send the ZyWALL a certificate. You must apply for a certificate for the b[...]

  • Page 506

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 506 Figure 304 ADVANCED > REMOTE MGMT > WWW The following table describes the labels in this screen. Table 149 ADVANCED > REMOTE MGMT > WWW LABEL DESCRIPTION HTTPS Server Certificate Select the Server Certificate that the ZyWALL will use to identify itsel[...]

  • Page 507

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 507 27.5 The SSH Screen You can use SSH (Secure SHell) to securely access the ZyWALL’s SMT or command line interface. Specify which interfaces allow SSH access and from which IP address the access can come. Unlike Telnet or FTP, which transmit data in plai[...]

  • Page 508

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 508 Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections. Figure 306 ADVANCED > REMOTE MGMT > SSH The following table describes the labels in this screen. 27.7 The Telnet Screen You can use Telnet to access the [...]

  • Page 509

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 509 Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections. Figure 307 ADVANCED > REMOTE MGMT > Telnet The following table describes the labels in this screen. 27.8 The FTP Screen You can use FTP (File Tran[...]

  • Page 510

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 510 Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections. Figure 308 ADVANCED > REMOTE MGMT > FTP The following table describes the labels in this screen. 27.9 The SNMP Screen Simple Network Management Protocol is a[...]

  • Page 511

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 511 Figure 309 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management in[...]

  • Page 512

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 512 SNMP Traps The ZyWALL will send traps to the SNMP manager when any one of the following events occurs: 27.9.1 Configuring the SNMP Screen To change your ZyWALL’s SNMP settings, click ADVANCED > REMOTE MGMT > SNMP. The screen appears as shown. Figure 310 [...]

  • Page 513

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 513 The following table describes the labels in this screen. 27.10 The DNS Screen Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. Refer to Chapter 9 on page 169 for more information. Click ADVANCED > REMOTE MGMT &[...]

  • Page 514

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 514 Figure 311 ADVANCED > REMOTE MGMT > DNS The following table describes the labels in this screen. 27.11 The CNM Screen Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any locatio[...]

  • Page 515

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 515 Figure 312 ADVANCED > REMOTE MGMT > CNM The following table describes the labels in this screen. Table 156 ADVANCED > REMOTE MGMT > CNM LABEL DESCRIPTION Registration Information Registration Status This read only field displays Not Registered wh[...]

  • Page 516

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 516 27.13 Remote Management Technical Reference How SSH Works The following table summarizes how a secure connection is established between two remote hosts. Figure 313 How SSH Works 1 Host Identification The SSH client sends a connection request to the SSH server.[...]

  • Page 517

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 517 The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer. 2 Encryption Method Once the identification is verified, both the client and server must ag[...]

  • Page 518

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 518[...]

  • Page 519

    ZyWALL 5/35/70 Series User’s Guide 519 CHAPTER 28 UPnP Screens 28.1 Overview This chapter introduces the Universal Plug and Play feature. This chapter is only applicable when the ZyWALL is in router mode. Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity be[...]

  • Page 520

    Chapter 28 UPnP Screens ZyWALL 5/35/70 Series User’s Guide 520 Cautions with UPnP The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments.[...]

  • Page 521

    Chapter 28 UPnP Screens ZyWALL 5/35/70 Series User’s Guide 521 28.2.1.1 Installing UPnP in Windows Me Follow the steps below to install UPnP in Windows Me. 1 Click Start, Settings and Control Panel. Double-click Add/Remove Programs. 2 Click on the Windows Setup tab and select Communication in the Components selection box. Click Det[...]

  • Page 522

    Chapter 28 UPnP Screens ZyWALL 5/35/70 Series User’s Guide 522 28.2.1.2 Installing UPnP in Windows XP Follow the steps below to install UPnP in Windows XP. 28.2.2 Using UPnP in Windows XP Example This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on [...]

  • Page 523

    Chapter 28 UPnP Screens ZyWALL 5/35/70 Series User’s Guide 523 28.2.2.1 Auto-discover Your UPnP-enabled Network Device 1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway. 2 Right-click the icon and select Properties. 3 In the Internet Connection Properties window, click Settings to[...]

  • Page 524

    Chapter 28 UPnP Screens ZyWALL 5/35/70 Series User’s Guide 524 Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. 28.2.2.2 Web Configurator Easy Access With UPnP, you can access the web-based configurator on the ZyXEL device without finding out the IP address of the [...]

  • Page 525

    Chapter 28 UPnP Screens ZyWALL 5/35/70 Series User’s Guide 525 Follow the steps below to access the web configurator. 1 Click Start and then Control Panel. 2 Double-click Network Connections. 3 Select My Network Places under Other Places. 4 An icon with the description for each UPnP-enabled device displays under Local Network. 5 Right-cl[...]

  • Page 526

    Chapter 28 UPnP Screens ZyWALL 5/35/70 Series User’s Guide 526 28.3 The UPnP Screen Click ADVANCED > UPnP to display the UPnP screen. Figure 314 ADVANCED > UPnP The following table describes the fields in this screen. 6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic informati[...]

  • Page 527

    Chapter 28 UPnP Screens ZyWALL 5/35/70 Series User’s Guide 527 28.4 The Ports Screen Click ADVANCED > UPnP > Ports to display the UPnP Ports screen. Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL. Figure 315 ADVANCED > UPnP > Ports The following table describes the labels in this screen. Allo[...]

  • Page 528

    Chapter 28 UPnP Screens ZyWALL 5/35/70 Series User’s Guide 528 # This is the index number of the UPnP-created NAT mapping rule entry. Remote Host This field displays the source IP address (on the WAN) of inbound IP packets. Since this is often a wildcard, the field may be blank. When the field is blank, the ZyWALL forwards all traffi[...]

  • Page 529

    ZyWALL 5/35/70 Series User’s Guide 529 CHAPTER 29 Custom Application Screen 29.1 Overview Use custom application to have the ZyWALL’s ALG, anti-spam, anti-virus, and content filtering features monitor traffic on custom ports, in addition to the default ports. 29.1.1 What You Can Do in the Custom Application Screen Use the Custom App scre[...]

  • Page 530

    Chapter 29 Custom Application Screen ZyWALL 5/35/70 Series User’s Guide 530 Note: Changes in the Custom APP screen do not apply to the firewall. Figure 316 ADVANCED > Custom APP The following table describes the labels in this screen. Table 159 ADVANCED > Custom APP LABEL DESCRIPTION Application Select the application for which you w[...]

  • Page 531

    ZyWALL 5/35/70 Series User’s Guide 531 CHAPTER 30 ALG Screen 30.1 Overview This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to pass through the ZyWALL. An Application Layer Gateway (ALG) manages a specific protocol (such as SIP, H.323 or FTP) at the application layer. The ZyWALL can function as an AL[...]

  • Page 532

    Chapter 30 ALG Screen ZyWALL 5/35/70 Series User’s Guide 532 ALG and the Firewall The ZyWALL uses the dynamic port that the session uses for data transfer in creating an implicit temporary firewall rule for the session’s traffic. The firewall rule only allows the session’s traffic to go through in the direction that the ZyWALL determi[...]

  • Page 533

    Chapter 30 ALG Screen ZyWALL 5/35/70 Series User’s Guide 533 • You must configure the firewall and port forwarding to allow incoming (peer-to-peer) calls from the WAN to a private IP address on the LAN, DMZ or WLAN. The following example shows H.323 signaling (1) and audio (2) sessions between H.323 devices A and B. Figure 317 H.323 ALG E[...]

  • Page 534

    Chapter 30 ALG Screen ZyWALL 5/35/70 Series User’s Guide 534 Figure 319 H.323 Calls from the WAN with Multiple Outgoing Calls • The H.323 ALG operates on TCP packets with a port 1720 destination. • The ZyWALL allows H.323 audio connections. • The ZyWALL can also apply bandwidth management to traffic that goes through the H.323 ALG. [...]

  • Page 535

    Chapter 30 ALG Screen ZyWALL 5/35/70 Series User’s Guide 535 Figure 320 SIP ALG Example SIP Signaling Session Timeout Most SIP clients have an “expire” mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL. If the SIP [...]

  • Page 536

    Chapter 30 ALG Screen ZyWALL 5/35/70 Series User’s Guide 536 Figure 321 ADVANCED > ALG The following table describes the labels in this screen. Table 160 ADVANCED > ALG LABEL DESCRIPTION Enable FTP ALG Select this check box to allow FTP sessions to pass through the ZyWALL. FTP (File Transfer Program) is a program that enables fast tra[...]

  • Page 537

    537 PART V Reports, Logs and Maintenance Reports Screens (539) Logs Screens (555) Maintenance Screens (585)[...]

  • Page 538

    538[...]

  • Page 539

    CHAPTER 31 Reports Screens 31.1 Overview The Reports screens display statistics about network usage and IDP, anti-virus and anti-spam statistics. You can also configure how reports are emailed. 31.1.1 What You Can Do in the Reports Screens • Use the Traffic Statistics screen (Section 31.2 on pa[...]

  • Page 540

    Note: The web site hit count may not be 100% accurate because sometimes when an individual web page loads, it may contain references to other web sites that also get counted as hits. Figure 322 REPORTS > Traffic Statistics Note: Enabling the ZyWALL’s reporting function[...]

  • Page 541

    Note: All of the recorded reports data is erased when you turn off the ZyWALL. 31.2.1 Viewing Web Site Hits In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the ZyWALL record and display which web sites have been visited the mo[...]

  • Page 542

    Figure 323 REPORTS > Traffic Statistics: Web Site Hits Example The following table describes the label in this screen. 31.2.2 Viewing Host IP Address In the Reports screen, select Host IP Address from the Report Type drop-down list box to have the ZyWALL record and displa [...]

  • Page 543

    Note: Computers take turns using dynamically assigned LAN, DMZ or WLAN IP addresses. The ZyWALL continues recording the bytes sent to or from a LAN, DMZ or WLAN IP address when it is assigned to a different computer. Figure 324 REPORTS > Traffic Statistics: Host IP Addr[...]

  • Page 544

    Figure 325 REPORTS > Traffic Statistics: Protocol/Port Example The following table describes the labels in this screen. Table 164 REPORTS > Traffic Statistics: Protocol/Port LABEL DESCRIPTION Protocol/Port This column lists the protocols or service ports for which t[...]

  • Page 545

    31.2.4 System Reports Specifications The following table lists detailed specifications on the reports feature. 31.3 The IDP Screen Click REPORTS > IDP to display the IDP screen. This screen displays IDP (Intrusion Detection and Prevention) statistics. Figure 326 REPORTS > I[...]

  • Page 546

    The following table describes the labels in this screen. The statistics display as follows when you display the top entries by source. Table 166 REPORTS > IDP LABEL DESCRIPTION Collect Statistics Select this check box to have the ZyWALL collect IDP statistics. The co[...]

  • Page 547

    Figure 327 REPORTS > IDP > Source The statistics display as follows when you display the top entries by destination. Figure 328 REPORTS > IDP > Destination 31.4 The Anti-Virus Screen Click REPORTS > Anti-Virus to display the Anti-Virus screen. This screen displa[...]

  • Page 548

    The following table describes the labels in this screen. The statistics display as follows when you display the top entries by source. Figure 330 REPORTS > Anti-Virus > Source The statistics display as follows when you display the top entries by destination. Table 167 REP[...]

  • Page 549

    Figure 331 REPORTS > Anti-Virus > Destination 31.5 The Anti-Spam Screen Click REPORTS > Anti-Spam to display the Anti-Spam screen. This screen displays anti-spam statistics. Figure 332 REPORTS > Anti-Spam The following table describes the labels in this screen. T [...]

  • Page 550

    The statistics display as follows when you display the top entries by source. Phishing Mail Detected This field displays the number of e-mails that the ZyWALL has classified as phishing. No Score Mail Detected This field displays the number of e-mails for which the ZyWALL did not [...]

  • Page 551

    Figure 333 REPORTS > Anti-Spam > Source The statistics display as follows when you display the score distribution. Figure 334 REPORTS > Anti-Spam > Score Distribution 31.6 The E-mail Report Screen You can configure the ZyWALL to email a report including the informa[...]

  • Page 552

    Figure 335 REPORTS > E-mail Report The following table describes the labels in this screen. Table 169 REPORTS > E-mail Report LABEL DESCRIPTION General Setup Enable E-mail Report Select this to turn on the e-mail report feature. You must then specify a valid e-mail serv[...]

  • Page 553

    Send Report Now Click this to send the report e-mail immediately. Schedule Reporting Frequency Select the frequency of the report e-mail from the drop-down box. Options are None, Hourly, Daily and Weekly. If you select Daily or Weekly, specify a time of day for the ZyWALL to g[...]

  • Page 554

    Chapter 31 Reports Screens ZyWALL 5/35/70 Series User’s Guide 554[...]

  • Page 555

    CHAPTER 32 Logs Screens 32.1 Overview In the log screens you can configure general log settings and view the ZyWALL’s logs. The logs cover categories such as system maintenance, system errors, access control, allowed or blocked web sites, blocked web features (such as ActiveX controls, java and cookies[...]

  • Page 556

    Figure 336 LOGS > View Log The following table describes the labels in this screen. 32.2.1 Log Description Example The following is an example of how a log displays in the command line interpreter and a description of the sample log. Refer to Section on page 561 for more log mess[...]

  • Page 557

    5|06/08/2004 05:58:20 |172.21.4.187:137 |172.21.255.255:137 |ACCESS BLOCK Firewall default policy: UDP (W to W/ZW) 32.2.2 About the Certificate Not Trusted Log myZyXEL.com and the update server use certificates signed by VeriSign to identify themselves. If the ZyWALL does not [...]

  • Page 558

    Figure 337 myZyXEL.com: Download Center 3 Click the link in the Certificate Download screen. Figure 338 myZyXEL.com: Certificate Download 32.3 The Log Settings Screen To change your ZyWALL’s log settings, click LOGS > Log Settings. The screen appears as shown. Use the Log S[...]

  • Page 559

    Figure 339 LOGS > Log Settings The following table describes the labels in this screen. Table 172 LOGS > Log Settings LABEL DESCRIPTION E-mail Settings Mail Server Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If [...]

  • Page 560

    Mail Subject Type a title that you want to be in the subject line of the log e-mail message that the ZyWALL sends. Mail Sender Enter the e-mail address that you want to be in the from/sender line of the log e-mail message that the ZyWALL sends. If you activate SMTP authentication[...]

  • Page 561

    32.4 Technical Reference Log Descriptions This section provides descriptions of example log messages. The variables “%d”, “%x” and “%s” respectively refer to decimal numbers, hexadecimal numbers and strings (a list of upper/lower case letters or numbers). Activ e Som[...]

  • Page 562

    Starting Connectivity Monitor Starting Connectivity Monitor. Time initialized by Daytime Server The router got the time and date from the Daytime server. Time initialized by Time server The router got the time and date from the time server. Time initialized by NTP server The route[...]

  • Page 563

    %s The myZyXEL.com service registration failed due to the error listed. If you are unable to register for services at myZYXEL.com, the error message displayed in this log may be useful when contacting customer support. Remote node is connecting. A remote user is connecting using PPP[...]

  • Page 564

    Triangle route packet forwarded: [ TCP | UDP | IGMP | ESP | GRE | OSPF ] The firewall allowed a triangle route session to pass through. Packet without a NAT table entry blocked: [ TCP | UDP | IGMP | ESP | GRE | OSPF ] The router blocked a packet that didn't have a corresponding[...]

  • Page 565

    For type and code details, see Table 192 on page 578. Firewall session time out, sent TCP RST The router sent a TCP reset packet when a dynamic firewall session timed out. The default timeout values are as follows: ICMP idle timeout: 3 minutes UDP idle timeout: 3 minutes TCP c[...]

  • Page 566

    Table 179 CDR Logs LOG MESSAGE DESCRIPTION board %d line %d channel %d, call %d, %s C01 Outgoing Call dev=%x ch=%x %s The router received the setup requirements for a call. “call” is the reference (count) number of the call. “dev” is the device type (3 is for dial-up, 6 is[...]

  • Page 567

    3G SIM authentication failed because of no response from SIM card. SIM card authentication failed because the ZyWALL received a SIM busy message three times when querying for the card status. 3G card has no response, card is restarted. The card was reset due to no response from th[...]

  • Page 568

    For type and code details, see Table 192 on page 578. Table 183 Content Filtering Logs LOG MESSAGE DESCRIPTION %s: Keyword blocking The content of a requested web page matched a user defined keyword. %s: Not in trusted web list The web site is not in a trusted domain, and the rou[...]

  • Page 569

    ip spoofing - WAN [ TCP | UDP | IGMP | ESP | GRE | OSPF ] The firewall detected an IP spoofing attack on the WAN port. ip spoofing - WAN ICMP (type:%d, code:%d) The firewall detected an ICMP IP spoofing attack on the WAN port. icmp echo : ICMP (type:%d, code:%d) The firewall dete[...]

  • Page 570

    Table 185 Remote Management Logs LOG MESSAGE DESCRIPTION Remote Management: FTP denied Attempted use of FTP service was blocked according to remote management settings. Remote Management: TELNET denied Attempted use of TELNET service was blocked according to remote management set[...]

  • Page 571

    Table 187 IPSec Logs LOG MESSAGE DESCRIPTION Discard REPLAY packet The router received and discarded a packet with an incorrect sequence number. Inbound packet authentication failed The router received a packet that has been altered. A third party may have altered or tampered with[...]

  • Page 572

    No proposal chosen Phase 1 or phase 2 parameters don’t match. Please check all protocols / settings. Ex. One device being configured for 3DES and the other being configured for DES causes the connection to fail. Local / remote IPs of incoming request conflict with rule <%d> Th[...]

  • Page 573

    ERROR !!! build_id(): Unable to obtain my DSS keys RCA encryption in phase 1 failed because the ZyWALL did not receive the DSS (Digital Signature Standard) keys. Build Phase 1 ID The router has started to build the phase 1 ID. Adjust TCP MSS to %d The router automatically chan[...]

  • Page 574

    Rule [%d] Tunnel built successfully The listed rule’s IPSec tunnel has been built successfully. Rule [%d] Peer's public key not found The listed rule’s IKE phase 1 peer’s public key was not found. Rule [%d] Verify peer's signature failed The listed rule’s IKE phase[...]

  • Page 575

    Enrollment failed The CMP online certificate enrollment failed. The Destination field records the certification authority server’s IP address and port. Failed to resolve <CMP CA server url> The CMP online certificate enrollment failed because the certification authority [...]

  • Page 576

    8 Certificate was not added to the cache. 9 Certificate decoding failed. 10 Certificate was not found (anywhere). 11 Certificate chain looped (did not find trusted root). 12 Certificate contains critical extension that was not handled. 13 Certificate issuer was not valid (CA speci[...]

  • Page 577

    User logout because of no authentication response from user. The router logged out a user from which there was no authentication response. User logout because of idle timeout expired. The router logged out a user whose idle timeout period expired. User logout because of user requ[...]

  • Page 578

    (D to WL) DMZ to WLAN ACL set for packets traveling from the DMZ to the WLAN. (WL to D) WLAN to DMZ ACL set for packets traveling from the WLAN to the DMZ. (WL to WL) WLAN to WLAN/ZyWALL ACL set for packets traveling from the WLAN to the WLAN or the ZyWALL. Table 192 ICMP Notes TY[...]

  • Page 579

    16 Information Reply 0 Information reply message Table 193 IDP Logs LOG MESSAGE DESCRIPTION The buffer size is too small! The buffer for holding IDP information such as the signature file version was too small to hold any more information. The format of the user config file is inc[...]

  • Page 580

    SMTP Virus infected - %s! The device detected a virus in a SMTP connection. The format of %s is “ID” Virus ID number, virus name, filename. For example, ID:30001,CIH.Win95,/game.exe. POP3 Virus infected - %s! The device detected a virus in a POP3 connection. The format of %s i[...]

  • Page 581

    SMTP Block. The session is over maximun ZIP sessions - %s! %PACKET_DIRECTION% The number of zip files in SMTP connections has exceeded the maximum number that can be concurrently scanned. “%s” is the name of the zip file which has exceeded the limit. POP3 Block. The session is [...]

  • Page 582

    Mail From:Email address Subject:Mail Subject! This is the source and subject of an e-mail for which the anti-spam external database query failed. Remove rating server [%Rating Server IP Address%] from server list! The listed server IP address has been removed from the list of anti- [...]

  • Page 583

    Syslog Logs There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session" is terminated. A traf [...]

  • Page 584

    The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type. Event Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" ob[...]

  • Page 585

    CHAPTER 33 Maintenance Screens 33.1 Overview This chapter displays information on the maintenance screens. The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL. 33.1.1 What You Can Do in the Maintenance Screens • Use the Gene[...]

  • Page 586

    • In Windows XP, click Start, My Computer, View system information and then click the Computer Name tab. Note the entry in the Full computer name field and enter it as the ZyWALL System Name. Click MAINTENANCE to open the General screen. Use this screen to confi[...]

  • Page 587

    Figure 341 MAINTENANCE > Password The following table describes the labels in this screen. 33.4 The Time and Date Screen The ZyWALL’s Real Time Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current [...]

  • Page 588

    When the ZyWALL uses the NTP time server pools, it randomly selects one pool and tries to synchronize with a server in it. If the synchronization fails, then the ZyWALL goes through the rest of the list in order from the first one tried until either it is successful or all t[...]

  • Page 589

    Manual Select this radio button to enter the time and date manually. If you configure a new time and date, Time Zone and Daylight Saving at the same time, the new time and date you entered has priority and the Time Zone and Daylight Saving settings do not affect it. New Ti[...]

  • Page 590

    33.4.1 Time Server Synchronization Example Click the Synchronize Now button to get the time and date from the predefined time server or the time server you specified in the Time Server Address field. When the System Time and Date Synchronization in Process screen appears,[...]

  • Page 591

    Figure 345 Synchronization Fail 33.5 The Device Mode Screen Use this screen to configure your ZyWALL as a router or a bridge. In router mode, the ZyWALL functions as a router. In bridge mode, the ZyWALL functions as a transparent firewall (also known as a bridge firewall)[...]

  • Page 592

    • If no association is found, the frame is flooded to all ports except the inbound port. Broadcasts and multicasts also are flooded in this way. • If the associated port is the same as the incoming port, then the frame is dropped (filtered). Transparent Firewalls A tra[...]

  • Page 593

    Figure 346 MAINTENANCE > Device Mode (Router Mode) The following table describes the labels in this screen. 33.7 Configuring the Device Mode Screen (Bridge) Click MAINTENANCE > Device Mode to open the following screen. Use this screen to configure your ZyWALL as a rout[...]

  • Page 594

    In bridge mode, the ZyWALL cannot get an IP address from a DHCP server. The LAN, WAN, DMZ and WLAN interfaces all have the same (static) IP address and subnet mask. You can configure the ZyWALL's IP address in order to access the ZyWALL for management. If you co[...]

  • Page 595

    33.8 The F/W Upload Screen Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, “zywall.bin”. The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful [...]

  • Page 596

    1 Do not turn off the ZyWALL while firmware upload is in progress! After you see the Firmware Upload in Process screen, wait two minutes before logging into the ZyWALL again. Figure 349 Firmware Upload In Process The ZyWALL automatically restarts in this time causing a t[...]

  • Page 597

    33.9 The Backup and Restore Screen See Section 49.5 on page 733 for transferring configuration files using FTP/TFTP commands. Click MAINTENANCE > Backup & Restore. Information related to factory defaults, backup configuration, and restoring configuration appears as s[...]

  • Page 598

    After you see a “restore configuration successful” screen, you must then wait one minute before logging into the ZyWALL again. Figure 353 Configuration Upload Successful The ZyWALL automatically restarts in this time causing a temporary network disconnect. In some op[...]

  • Page 599

    Figure 356 Reset Warning Message You can also press the hardware RESET button to reset the factory defaults of your ZyWALL. Refer to Section 3.3 on page 63 for more information on the RESET button. 33.10 The Restart Screen System restart allows you to reboot the ZyWALL[...]

  • Page 600

    Figure 358 MAINTENANCE > Diagnostics The following table describes the labels in this screen. Table 206 MAINTENANCE > Diagnostics LABEL DESCRIPTION General Setup Enable Diagnostics Select this option to turn on the diagnostics feature. Perform Diagnostics when CPU uti[...]

  • Page 601

    Send Report to Diagnostic files are sent to the e-mail address specified in this field. If this field is left blank, diagnostic files will not be sent via e-mail. SMTP Authentication SMTP (Simple Mail Transfer Protocol) is the message-exchange standard for the Internet. SMT[...]

  • Page 602

    Chapter 33 Maintenance Screens ZyWALL 5/35/70 Series User’s Guide 602[...]

  • Page 603

    603 PART VI SMT Introducing the SMT (605) SMT Menu 1 - General Setup (613) WAN and Dial Backup Setup (619) LAN Setup (633) Internet Access (639) DMZ Setup (645) Route Setup (649) Wireless Setup (653) Remote Node Setup (659) IP Static Route Setup (669) Network Address Translation (NAT) (673) Introducing the ZyWALL Firewall (693) Filter Configu[...]

  • Page 604

    604[...]

  • Page 605

    CHAPTER 34 Introducing the SMT This chapter explains how to access the System Management Terminal and gives an overview of its menus. 34.1 Introduction to the SMT The ZyWALL’s SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console[...]

  • Page 606

    Figure 359 Initial Screen 34.2.2 Entering the Password The login screen appears after you press [ENTER], prompting you to enter the password, as shown below. For your first login, enter the default password “1234”. As you type the password, the screen displays an “ [...]

  • Page 607

    34.3.1 Main Menu After you enter the password, the SMT displays the ZyWALL Main Menu, as shown next. This guide uses the ZyWALL 70 menus as an example. The menus may vary slightly for different ZyWALL models. Not all fields or menus are available on all models. Figu[...]

  • Page 608

    Figure 362 Main Menu (Bridge Mode) The following table describes the fields in this menu. Copyright (c) 1994 - 2007 ZyXEL Communications Corp. ZyWALL 70 Main Menu Getting Started Advanced Management 1. General Setup 21. Filter and Firewall Setup 22. SNMP Configuration 23. S[...]

  • Page 609

    34.3.2 SMT Menus Overview The following table gives you an overview of your ZyWALL’s various SMT menus. 26 Schedule Setup Use this menu to schedule outgoing calls. 99 Exit Use this menu to exit (necessary for remote configuration). Table 208 Main Menu Summary NO. ME[...]

  • Page 610

    34.4 Changing the System Password Change the system password by following the steps shown next. 1 Enter 23 in the main menu to open Menu 23 - System Password as shown next. 21 Filter and Firewall Setup 21.1 Filter Set Configuration 21.1.x Filter Rules Summary 21.1.x.x G[...]

  • Page 611

    Figure 363 Menu 23: System Password 2 Type your existing password and press [ENTER]. 3 Type your new system password and press [ENTER]. 4 Re-type your new system password for confirmation and press [ENTER]. Note that as you type a password, the screen displays an ?[...]

  • Page 612

    Chapter 34 Introducing the SMT ZyWALL 5/35/70 Series User’s Guide 612[...]

  • Page 613

    CHAPTER 35 SMT Menu 1 - General Setup Menu 1 - General Setup contains administrative and system-related information. 35.1 Introduction to General Setup Menu 1 - General Setup contains administrative and system-related information. 35.2 Configuring General Setup 1 Enter 1 in the main menu to open Menu 1 [...]

  • Page 614

    Figure 365 Menu 1: General Setup (Bridge Mode) The following table describes the fields not previously discussed (see Table 210 on page 613). Device Mode Press [SPACE BAR] and then [ENTER] to select Router Mode. Edit Dynamic DNS Press [SPACE BAR] and then [ENTER[...]

  • Page 615

    35.2.1 Configuring Dynamic DNS To configure Dynamic DNS, set the ZyWALL to router mode in menu 1 or in the MAINTENANCE Device Mode screen and go to Menu 1 - General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Men[...]

  • Page 616

    Figure 367 Menu 1.1.1: DDNS Host Summary The following table describes the fields in this screen. 5 Select Edit in the Select Command field; type the index number of the DDNS host you want to configure in the Select Rule field and press [ENTER] to open Menu 1.1.1 - DD[...]

  • Page 617

    Figure 368 Menu 1.1.1: DDNS Edit Host The following table describes the fields in this screen. Menu 1.1.1 - DDNS Edit Host Hostname= ZyWALL DDNS Type= DynamicDNS Enable Wildcard Option= Yes Enable Off Line Option= N/A Bind WAN= 1 HA= Yes IP Address Update Policy: Let DDN[...]

  • Page 618

    The IP address updates when you reconfigure menu 1 or perform DHCP client renewal. IP Address Update Policy: You can select Yes in either the Let DDNS Server Auto Detect field (recommended) or the Use User-Defined field, but not both. With the Let DDNS Server Auto [...]

  • Page 619

    CHAPTER 36 WAN and Dial Backup Setup This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.1 and 11.1. 36.1 Introduction to WAN and Dial Backup Setup This chapter explains how to configure settings for your, a dial back up connection using the SMT menus. 36.2 WAN Se[...]

  • Page 620

    The following table describes the fields in this screen. 36.3 Dial Backup The Dial Backup port can be used in reserve, as a traditional dial-up connection should the broadband connection to the WAN port fail. To set up the auxiliary port (Dial Backup) for use in th[...]

  • Page 621

    Figure 370 Menu 2: Dial Backup Setup The following table describes the fields in this menu. 36.3.2 Advanced WAN Setup Note: Consult the manual of your WAN device connected to your Dial Backup port for specific AT commands. Menu 2 - WAN Setup WAN 1 MAC Address: Assign[...]

  • Page 622

    To edit the advanced setup for the Dial Backup port, move the cursor to the Edit Advanced Setup field in Menu 2 - WAN Setup, press the [SPACE BAR] to select Yes and then press [ENTER]. Figure 371 Menu 2.1: Advanced WAN Setup The following table describes field[...]

  • Page 623

    36.3.3 Remote Node Profile (Backup ISP) Enter 3 in Menu 11 - Remote Node Setup to open Menu 11.3 - Remote Node Profile (Backup ISP) (shown below) and configure the setup for your Dial Backup port connection. Not all fields are available on all models. Figure 372 Menu 1[...]

  • Page 624

    The following table describes the fields in this menu. Table 219 Menu 11.3: Remote Node Profile (Backup ISP) FIELD DESCRIPTION Rem Node Name Enter a descriptive name for the remote node. This field can be up to eight characters. Active Press [SPACE BAR] and then [[...]

  • Page 625

    36.3.4 Editing TCP/IP Options Move the cursor to the Edit IP field in menu 11.3, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3.2 - Remote Node Network Layer Options. Not all fields are available on all models. Figure 373 Menu 11.3.2: Remot[...]

  • Page 626

    36.3.5 Editing Login Script For some remote gateways, text login is required before PPP negotiation is started. The ZyWALL provides a script facility for this purpose. The script has six programmable sets; each set is composed of an ‘Expect’ string and a ‘Send?[...]

  • Page 627

    To handle the first prompt, you specify “ogin: ” as the ‘Expect’ string and “myLogin” as the ‘Send’ string in set 1. The reason for leaving out the leading “L” is to avoid having to know exactly whether it is upper or lower case. Similarly, yo[...]

  • Page 628

    The following table describes the fields in this menu. 36.3.6 Remote Node Filter Move the cursor to the field Edit Filter Sets in menu 11.3, and then press [SPACE BAR] to set the value to Yes. Press [ENTER] to open Menu 11.3.4 - Remote Node Filter. Use menu 11.3[...]

  • Page 629

    Chapter 36 WAN and Dial Backup Setup ZyWALL 5/35/70 Series User’s Guide 629 36.3.7 3G Modem Setup From the main menu, enter 2 to open menu 2 on the ZyWALL that supports a 3G card. Note: It is not necessary to configure menu 2 with a Sierra Wireless AC595 3G card. Figure 376 3G Modem Setup in WAN Setup (ZyWALL 5) The following table describes [...]

  • Page 630

    Chapter 36 WAN and Dial Backup Setup ZyWALL 5/35/70 Series User’s Guide 630 36.3.8 Remote Node Profile (3G WAN) Enter 2 in Menu 11 - Remote Node Setup to open Menu 11.2 - Remote Node Profile (3G WAN) (shown below) and configure the setup for your 3G connection. Figure 377 Menu 11.2: Remote Node Profile (3G WAN) The following table describe[...]

  • Page 631

    Chapter 36 WAN and Dial Backup Setup ZyWALL 5/35/70 Series User’s Guide 631 Retype to Confirm Enter your password again to make sure that you have entered it correctly. Authen This field sets the authentication protocol used for outgoing calls. Options for this field are: CHAP/PAP - Your ZyWALL will accept either CHAP or PAP when reques[...]

  • Page 632

    Chapter 36 WAN and Dial Backup Setup ZyWALL 5/35/70 Series User’s Guide 632[...]

  • Page 633

    ZyWALL 5/35/70 Series User’s Guide 633 CHAPTER 37 LAN Setup This chapter describes how to configure the LAN using Menu 3 - LAN Setup. 37.1 Introduction to LAN Setup This chapter describes how to configure the ZyWALL for LAN and wireless LAN connections. 37.2 Accessing the LAN Menus From the main menu, enter 3 to open Menu 3 - LAN Setup. Figur[...]

  • Page 634

    Chapter 37 LAN Setup ZyWALL 5/35/70 Series User’s Guide 634 Figure 379 Menu 3.1: LAN Port Filter Setup 37.4 TCP/IP and DHCP Ethernet Setup Menu From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup. Figure 380 Menu 3: TCP/IP and DHCP Setup From menu 3, select the submenu option TCP/IP a[...]

  • Page 635

    Chapter 37 LAN Setup ZyWALL 5/35/70 Series User’s Guide 635 Figure 381 Menu 3.2: TCP/IP and DHCP Ethernet Setup Follow the instructions in the next table on how to configure the DHCP fields. Use the instructions in the following table to configure TCP/IP parameters for the LAN port. Note: LAN and DMZ IP addresses must be on separate subnets. [...]

  • Page 636

    Chapter 37 LAN Setup ZyWALL 5/35/70 Series User’s Guide 636 37.4.1 IP Alias Setup IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LA[...]

  • Page 637

    Chapter 37 LAN Setup ZyWALL 5/35/70 Series User’s Guide 637 Use the instructions in the following table to configure IP alias parameters. Table 226 Menu 3.2.1: IP Alias Setup FIELD DESCRIPTION IP Alias 1, 2 Choose Yes to configure the LAN network for the ZyWALL. IP Address Enter the IP address of your ZyWALL in dotted decimal notation[...]

  • Page 638

    Chapter 37 LAN Setup ZyWALL 5/35/70 Series User’s Guide 638[...]

  • Page 639

    ZyWALL 5/35/70 Series User’s Guide 639 CHAPTER 38 Internet Access This chapter shows you how to configure your ZyWALL for Internet access. 38.1 Introduction to Internet Access Setup Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet. There are three different menu 4 scree[...]

  • Page 640

    Chapter 38 Internet Access ZyWALL 5/35/70 Series User’s Guide 640 Figure 383 Menu 4: Internet Access Setup (Ethernet) The following table describes the fields in this menu. Menu 4 - Internet Access Setup ISP's Name= WAN_1 Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A[...]

  • Page 641

    Chapter 38 Internet Access ZyWALL 5/35/70 Series User’s Guide 641 38.3 Configuring the PPTP Client Note: The ZyWALL supports only one PPTP server connection at any given time. To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection. After configuri[...]

  • Page 642

    Chapter 38 Internet Access ZyWALL 5/35/70 Series User’s Guide 642 Figure 384 Internet Access Setup (PPTP) The following table contains instructions about the new fields when you choose PPTP in the Encapsulation field in menu 4. 38.4 Configuring the PPPoE Client If you enable PPPoE in menu 4, you will see the next screen. Menu 4 - Internet Acc[...]

  • Page 643

    Chapter 38 Internet Access ZyWALL 5/35/70 Series User’s Guide 643 Figure 385 Internet Access Setup (PPPoE) The following table contains instructions about the new fields when you choose PPPoE in the Encapsulation field in menu 4. If you need a PPPoE service name to identify and reach the PPPoE server, please go to menu 11 and enter the PPPoE [...]

  • Page 644

    Chapter 38 Internet Access ZyWALL 5/35/70 Series User’s Guide 644[...]

  • Page 645

    ZyWALL 5/35/70 Series User’s Guide 645 CHAPTER 39 DMZ Setup This chapter describes how to configure the ZyWALL’s DMZ using Menu 5 - DMZ Setup. 39.1 Configuring DMZ Setup From the main menu, enter 5 to open Menu 5 – DMZ Setup. Figure 386 Menu 5: DMZ Setup 39.2 DMZ Port Filter Setup This menu allows you to specify the filter sets that you[...]

  • Page 646

    Chapter 39 DMZ Setup ZyWALL 5/35/70 Series User’s Guide 646 39.3 TCP/IP Setup For more detailed information about RIP setup, IP Multicast and IP alias, please refer to Chapter 7 on page 149. 39.3.1 IP Address From the main menu, enter 5 to open Menu 5 - DMZ Setup to configure TCP/IP (RFC 1155). Figure 388 Menu 5: DMZ Setup From menu 5, select[...]

  • Page 647

    Chapter 39 DMZ Setup ZyWALL 5/35/70 Series User’s Guide 647 Note: DMZ, WLAN and LAN IP addresses must be on separate subnets. You must also configure NAT for the DMZ port (see Chapter 44 on page 673) in menus 15.1 and 15.2. 39.3.2 IP Alias Setup Use menu 5.2 to configure the first network. Move the cursor to the Edit IP Alias field, press[...]

  • Page 648

    Chapter 39 DMZ Setup ZyWALL 5/35/70 Series User’s Guide 648[...]

  • Page 649

    ZyWALL 5/35/70 Series User’s Guide 649 CHAPTER 40 Route Setup This chapter describes how to configure the ZyWALL's traffic redirect. 40.1 Configuring Route Setup From the main menu, enter 6 to open Menu 6 - Route Setup. Figure 391 Menu 6: Route Setup 40.2 Route Assessment This menu allows you to configure traffic redirect properties. Fi[...]

  • Page 650

    Chapter 40 Route Setup ZyWALL 5/35/70 Series User’s Guide 650 The following table describes the fields in this menu. 40.3 Traffic Redirect To configure the parameters for traffic redirect, enter 2 in Menu 6 - Route Setup to open Menu 6.2 - Traffic Redirect as shown next. Figure 393 Menu 6.2: Traffic Redirect The following table describes the[...]

  • Page 651

    Chapter 40 Route Setup ZyWALL 5/35/70 Series User’s Guide 651 40.4 Route Failover This menu allows you to configure how the ZyWALL uses the route assessment ping check function. Figure 394 Menu 6.3: Route Failover The following table describes the fields in this menu. Menu 6.3 - Route Failover Period= 5 Timeout=: 3 Fail Tolerance= 3 Press ENTER[...]

  • Page 652

    Chapter 40 Route Setup ZyWALL 5/35/70 Series User’s Guide 652[...]

  • Page 653

    ZyWALL 5/35/70 Series User’s Guide 653 CHAPTER 41 Wireless Setup Use menu 7 to set up your ZyWALL as the wireless access point. 41.1 Wireless LAN Setup Note: If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL’s ESSID or WEP settings, you will lose your wireless connection when you pre[...]

  • Page 654

    Chapter 41 Wireless Setup ZyWALL 5/35/70 Series User’s Guide 654 Note: The settings of all client stations on the wireless LAN must match those of the ZyWALL. Follow the instructions in the next table on how to configure the wireless LAN parameters. Table 233 Menu 7.1: Wireless Setup FIELD DESCRIPTION Enable Wireless LAN Press [SPACE BAR] [...]

  • Page 655

    Chapter 41 Wireless Setup ZyWALL 5/35/70 Series User’s Guide 655 41.1.1 MAC Address Filter Setup Your ZyWALL checks the MAC address of the wireless station device against a list of allowed or denied MAC addresses. However, intruders could fake allowed MAC addresses so MAC-based authentication is less secure than EAP authentication. Follow the [...]

  • Page 656

    Chapter 41 Wireless Setup ZyWALL 5/35/70 Series User’s Guide 656 The following table describes the fields in this menu. 41.2 TCP/IP Setup For more detailed information about RIP setup, IP Multicast and IP alias, please refer to Chapter 7 on page 149. 41.2.1 IP Address From the main menu, enter 7 to open Menu 7 - WLAN Setup to configure TCP/IP ([...]

  • Page 657

    Chapter 41 Wireless Setup ZyWALL 5/35/70 Series User’s Guide 657 Figure 398 Menu 7.2: TCP/IP and DHCP Ethernet Setup The DHCP and TCP/IP setup fields are the same as the ones in Menu 3.2 - TCP/IP and DHCP Ethernet Setup. Each public server will need a unique IP address. Refer to Section 37.4 on page 634 for information on how to configure these [...]

  • Page 658

    Chapter 41 Wireless Setup ZyWALL 5/35/70 Series User’s Guide 658 Figure 399 Menu 7.2.1: IP Alias Setup Refer to Table 226 on page 637 for instructions on configuring IP alias parameters. Menu 7.2.1 - IP Alias Setup IP Alias 1= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A IP Alias 2= No IP Address= N/A IP Subnet M[...]

  • Page 659

    ZyWALL 5/35/70 Series User’s Guide 659 CHAPTER 42 Remote Node Setup This chapter shows you how to configure a remote node. 42.1 Introduction to Remote Node Setup A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note that when y[...]

  • Page 660

    Chapter 42 Remote Node Setup ZyWALL 5/35/70 Series User’s Guide 660 42.3 Remote Node Profile Setup The following explains how to configure the remote node profile menu. Not all fields are available on all models. 42.3.1 Ethernet Encapsulation There are three variations of menu 11.x depending on whether you choose Ethernet Encapsulation, [...]

  • Page 661

    Chapter 42 Remote Node Setup ZyWALL 5/35/70 Series User’s Guide 661 42.3.2 PPPoE Encapsulation The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). You can only use PPPoE encapsulation when you’re using the ZyWALL with a DSL modem as the WAN device. If you change the Encapsulation to PPPoE, then you will see the next screen[...]

  • Page 662

    Chapter 42 Remote Node Setup ZyWALL 5/35/70 Series User’s Guide 662 Figure 402 Menu 11.1: Remote Node Profile for PPPoE Encapsulation 42.3.2.1 Outgoing Authentication Protocol Generally speaking, you should employ the strongest authentication protocol possible, for obvious reasons. However, some vendor’s implementation includes a s[...]

  • Page 663

    Chapter 42 Remote Node Setup ZyWALL 5/35/70 Series User’s Guide 663 42.3.2.3 Metric See Section on page 171 for details on the Metric field. 42.3.3 PPTP Encapsulation If you change the Encapsulation to PPTP in menu 11.1, then you will see the next screen. Table 236 Fields in Menu 11.1 (PPPoE Encapsulation Specific) FIELD DESCRIPTION Service[...]

  • Page 664

    Chapter 42 Remote Node Setup ZyWALL 5/35/70 Series User’s Guide 664 Figure 403 Menu 11.1: Remote Node Profile for PPTP Encapsulation The next table shows how to configure fields in menu 11.1 not previously discussed. 42.4 Edit IP Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] t[...]

  • Page 665

    Chapter 42 Remote Node Setup ZyWALL 5/35/70 Series User’s Guide 665 Figure 404 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation This menu displays the My WAN Addr field for PPPoE and PPTP encapsulations and Gateway IP Addr field for Ethernet encapsulation. The following table describes the fields in this menu. Menu 11[...]

  • Page 666

    Chapter 42 Remote Node Setup ZyWALL 5/35/70 Series User’s Guide 666 42.5 Remote Node Filter Move the cursor to the field Edit Filter Sets in menu 11.1, and then press [SPACE BAR] to set the value to Yes. Press [ENTER] to open Menu 11.1.4 - Remote Node Filter. Use menu 11.1.4 to specify the filter set(s) to apply to the incoming and outg[...]

  • Page 667

    Chapter 42 Remote Node Setup ZyWALL 5/35/70 Series User’s Guide 667 Figure 405 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation) Figure 406 Menu 11.1.4: Remote Node Filter (PPPoE or PPTP Encapsulation) Menu 11.1.4 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filte[...]

  • Page 668

    Chapter 42 Remote Node Setup ZyWALL 5/35/70 Series User’s Guide 668[...]

  • Page 669

    ZyWALL 5/35/70 Series User’s Guide 669 CHAPTER 43 IP Static Route Setup This chapter shows you how to configure static routes with your ZyWALL. 43.1 IP Static Route Setup Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.1. Note: The first two static route entries are for[...]

  • Page 670

    Chapter 43 IP Static Route Setup ZyWALL 5/35/70 Series User’s Guide 670 Figure 407 Menu 12: IP Static Route Setup Now, enter the index number of the static route that you want to configure. Figure 408 Menu 12.1: Edit IP Static Route The following table describes the IP Static Route Menu fields. Menu 12 - IP Static Route Setup 1. Reserved 1[...]

  • Page 671

    Chapter 43 IP Static Route Setup ZyWALL 5/35/70 Series User’s Guide 671 Destination IP Address This parameter specifies the IP network address of the final destination. Routing is always based on network number. If you need to specify a route to a single host, use a subnet mask of 255.255.255.255 in the subnet mask field to force the networ[...]

  • Page 672

    Chapter 43 IP Static Route Setup ZyWALL 5/35/70 Series User’s Guide 672[...]

  • Page 673

    ZyWALL 5/35/70 Series User’s Guide 673 CHAPTER 44 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 44.1 Using NAT Note: You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL. 44.1.1 SUA (Single User Account) Versus [...]

  • Page 674

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 674 Figure 409 Menu 4: Applying NAT for Internet Access The following figure shows how you apply NAT to the remote node in menu 11.1. 1 Enter 11 from the main menu. 2 Enter 1 to open Menu 11.1 - Remote Node Profile. 3 Move the cursor to the Edit IP field, pre[...]

  • Page 675

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 675 The following table describes the fields in this menu. 44.2 NAT Setup Use the address mapping sets menus and submenus to create the mapping table used to assign global addresses to computers on the LAN, DMZ and WLAN. Set 255 is used for SUA. When you select Fu[...]

  • Page 676

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 676 Note: Configure DMZ, WLAN and LAN IP addresses in NAT menus 15.1 and 15.2. DMZ, WLAN and LAN IP addresses must be on separate subnets. 44.2.1 Address Mapping Sets Enter 1 to bring up Menu 15.1 - Address Mapping Sets. Figure 412 Menu 15.1: Address Mapping Se[...]

  • Page 677

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 677 Note: Menu 15.1.255 is read-only. 44.2.1.2 User-Defined Address Mapping Sets Now look at option 1 in menu 15.1. Enter 1 to bring up this menu. Look at the differences from the previous menu. Note the extra Action and Select Rule fields mean you can configur[...]

  • Page 678

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 678 Figure 414 Menu 15.1.1: First Set Note: The Type, Local and Global Start/End IPs are configured in menu 15.1.1.1 (described later) and the values are displayed here. 44.2.1.3 Ordering Your Rules Ordering your rules is important because the ZyWALL applies t[...]

  • Page 679

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 679 Now if you delete rule 4, rules 5 to 7 will be pushed up by 1 rule, so old rule 5 becomes rule 4, old rule 6 becomes rule 5 and old rule 7 becomes rule 6. Note: You must press [ENTER] at the bottom of the screen to save the whole set. You must do this ag[...]

  • Page 680

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 680 Figure 415 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set The following table describes the fields in this menu. Menu 15.1.1.1 Address Mapping Rule Type= One-to-One Local IP: Start= End = N/A Global IP: Start= End = N/A Server Mapping Set= N/A Pres[...]

  • Page 681

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 681 44.3 Configuring a Server behind NAT Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. Follow these steps to configure a server behind N[...]

  • Page 682

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 682 4 Select Edit Rule in the Select Command field; type the index number of the NAT server you want to configure in the Select Rule field and press [ENTER] to open Menu 15.2.x.x - NAT Server Configuration (see the next figure). Figure 418 15.2.x.x: NAT Server Conf[...]

  • Page 683

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 683 Figure 419 Menu 15.2.1: NAT Server Setup You assign the private network IP addresses. The NAT network appears as a single host on the Internet. A is the FTP/Telnet/SMTP server. Figure 420 Server Behind NAT Example 44.4 General NAT Examples The following[...]

  • Page 684

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 684 Figure 421 NAT Example 1 Figure 422 Menu 4: Internet Access & NAT Example From menu 4 shown above, simply choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in Section 44.4 on page 683 [...]

  • Page 685

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 685 44.4.2 Example 2: Internet Access with a Default Server Figure 423 NAT Example 2 In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2.1 to specify the Default Server behind the NAT as shown in the nex[...]

  • Page 686

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 686 2 Map the second IGA to our second inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses). 3 Map the other outgoing LAN traffic to IGA3 (Many : 1 mapping). 4 You also map your third IGA to the web serve[...]

  • Page 687

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 687 Figure 426 Example 3: Menu 11.1.2 The following figure shows how to configure the first rule. Figure 427 Example 3: Menu 15.1.1.1 Menu 11.1.2 - Remote Node Network Layer Options IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Add[...]

  • Page 688

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 688 Figure 428 Example 3: Final Menu 15.1.1 Now configure the IGA3 to map to our web server and mail server on the LAN. 1 Enter 15 from the main menu. 2 Enter 2 to go to menu 15.2. 3 (Enter 1 or 2 from menu 15.2 on a ZyWALL with multiple WAN ports) configure the m[...]

  • Page 689

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 689 44.4.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-One-to-One mapping as port numbers do not change for Many-One-to-One (and One-[...]

  • Page 690

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 690 Figure 432 Example 4: Menu 15.1.1: Address Mapping Rules 44.5 Trigger Port Forwarding Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NA[...]

  • Page 691

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 691 Note: Only one LAN computer can use a trigger port (range) at a time. Enter 3 in menu 15 to display Menu 15.3 - Trigger Ports. For a ZyWALL with multiple WAN interfaces, enter 1 or 2 from menu 15.3 to go to Menu 15.3.1 or Menu 15.3.2 - Trigger Port Setup[...]

  • Page 692

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 692 End Port Enter a port number or the ending port number in a range of port numbers. Press [ENTER] at the message “Press ENTER to Confirm ...” to save your configuration, or press [ESC] at any time to cancel. Table 245 Menu 15.3.1: Trigger Port Setup (conti[...]

  • Page 693

    ZyWALL 5/35/70 Series User’s Guide 693 CHAPTER 45 Introducing the ZyWALL Firewall This chapter shows you how to get started with the ZyWALL firewall. 45.1 Using ZyWALL SMT Menus From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next. Figure 434 Menu 21: Filter and Firewall Setup [...]

  • Page 694

    Chapter 45 Introducing the ZyWALL Firewall ZyWALL 5/35/70 Series User’s Guide 694 Figure 435 Menu 21.2: Firewall Setup Note: Configure the firewall rules using the web configurator or CLI commands. Menu 21.2 - Firewall Setup The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to [...]

  • Page 695

    ZyWALL 5/35/70 Series User’s Guide 695 CHAPTER 46 Filter Configuration This chapter shows you how to create and apply filters. 46.1 Introduction to Filters Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters [...]

  • Page 696

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 696 46.1.1 The Filter Structure of the ZyWALL A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The ZyWALL allows you to configure up to twelve filter s[...]

  • Page 697

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 697 Figure 437 Filter Rule Process You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.[...]

  • Page 698

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 698 46.2 Configuring a Filter Set The ZyWALL includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below. 1 Enter 21 in the main menu to open menu 21. Figure 438 Menu 21: Filter and Firewall Setup 2 Enter 1 to br[...]

  • Page 699

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 699 The protocol-dependent filter rule abbreviations are listed as follows: Refer to the next section for information on configuring the filter rules. 46.2.1 Configuring a Filter Rule To configure a filter rule, type its number in Menu 21.1.x - Filter Rules Summary and press [E[...]

  • Page 700

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 700 46.2.2 Configuring a TCP/IP Filter Rule This section shows you how to configure a TCP/IP filter rule. TCP/IP rules allow you to base the rule on the fields in the IP and the upper layer protocol, for example, UDP and TCP headers. To configure TCP/IP rules, select TCP/IP Filt[...]

  • Page 701

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 701 The following figure illustrates the logic flow of an IP filter. Port # Comp Press [SPACE BAR] and then [ENTER] to select the comparison to apply to the destination port in the packet against the value given in Destination: Port #. Options are None, Equal, Not Equal, [...]

  • Page 702

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 702 Figure 441 Executing an IP Filter 46.2.3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly.[...]

  • Page 703

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 703 For generic rules, the ZyWALL treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes. The ZyWALL applies the Mask (bit-wise ANDing) to the data porti[...]

  • Page 704

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 704 46.3 Example Filter Here is an example to block outside users from accessing the ZyWALL via telnet. Figure 443 Telnet Filter Example 1 Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup. 2 Enter 1 to open Menu 21.1 - Filter Set Configuration. 3 Ent[...]

  • Page 705

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 705 Figure 444 Example Filter: Menu 21.1.3.1 The port number for the telnet service (TCP protocol) is 23. See RFC 1060 for port numbers of well-known services. When you press [ENTER] to confirm, you will see the following screen. Note that there is only one filter rule in this[...]

  • Page 706

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 706 After you’ve created the filter set, you must apply it. 1 Enter 11 from the main menu to go to menu 11. 2 Enter 1 or 2 to open Menu 11.x - Remote Node Profile. 3 Go to the Edit Filter Sets field, press [SPACE BAR] to select Yes and press [ENTER]. 4 This brings you t[...]

  • Page 707

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 707 46.5.1.1 When To Use Filtering 1 To block/allow LAN packets by their MAC addresses. 2 To block/allow special IP packets which are neither TCP nor UDP, nor ICMP packets. 3 To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific[...]

  • Page 708

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 708 Note: If you do not activate the firewall, it is advisable to apply filters. 46.6.1 Applying LAN Filters LAN traffic filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 3.1 (shown next) and enter the number(s) of the[...]

  • Page 709

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 709 46.6.3 Applying Remote Node Filters Go to menu 11.1.4 (shown below – note that call filter sets are only present for PPPoE encapsulation) and enter the number(s) of the filter set(s) as appropriate. You can cascade up to four filter sets by entering their numbers separa[...]

  • Page 710

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 710[...]

  • Page 711

    ZyWALL 5/35/70 Series User’s Guide 711 CHAPTER 47 SNMP Configuration This chapter explains SNMP configuration menu 22. 47.1 SNMP Configuration To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The “community” for Get, Set and Trap fields is SNMP terminology for password. Figure 450 M[...]

  • Page 712

    Chapter 47 SNMP Configuration ZyWALL 5/35/70 Series User’s Guide 712 47.2 SNMP Traps The ZyWALL will send traps to the SNMP manager when any one of the following events occurs: Destination Type the IP address of the station to send your SNMP traps to. When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm[...]

  • Page 713

    ZyWALL 5/35/70 Series User’s Guide 713 CHAPTER 48 System Information & Diagnosis This chapter covers SMT menus 24.1 to 24.4. 48.1 Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status and log and trace capabilities. Select men[...]

  • Page 714

    Chapter 48 System Information & Diagnosis ZyWALL 5/35/70 Series User’s Guide 714 3 There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 or 2 drops the WAN1 or WAN2 connection, 9 resets the counters and [ESC] takes you back to the previous screen. Figure 452 Menu 24.1: System Maintenance: Status The following t[...]

  • Page 715

    Chapter 48 System Information & Diagnosis ZyWALL 5/35/70 Series User’s Guide 715 48.3 System Information and Console Port Speed This section describes your system and allows you to choose different console port speeds. To get to the System Information and Console Port Speed: 1 Enter 24 to go to Menu 24 - System Maintenance. 2 Enter 2 to o[...]

  • Page 716

    Chapter 48 System Information & Diagnosis ZyWALL 5/35/70 Series User’s Guide 716 Figure 454 Menu 24.2.1: System Maintenance: Information The following table describes the fields in this screen. 48.3.2 Console Port Speed You can change the speed of the console port through Menu 24.2.2 – Console Port Speed. Your ZyWALL supports 9600 (d[...]

  • Page 717

    Chapter 48 System Information & Diagnosis ZyWALL 5/35/70 Series User’s Guide 717 Figure 455 Menu 24.2.2: System Maintenance: Change Console Port Speed 48.4 Log and Trace There are two logging facilities in the ZyWALL. The first is the error logs and trace records that are stored locally. The second is the UNIX syslog facility for messa[...]

  • Page 718

    Chapter 48 System Information & Diagnosis ZyWALL 5/35/70 Series User’s Guide 718 Figure 457 Examples of Error and Information Messages 48.4.2 Syslog Logging The ZyWALL uses the syslog facility to log the CDR (Call Detail Record) and system messages to a syslog server. Syslog and accounting can be configured in Menu 24.3.2 - System Mainten[...]

  • Page 719

    Chapter 48 System Information & Diagnosis ZyWALL 5/35/70 Series User’s Guide 719 1 CDR 2 Packet triggered 3 Filter log CDR Message Format SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String ); String = board xx line xx channel xx, call xx, str board = the hardware board ID line = the WAN ID in a board Channel = channel ID within the WAN call[...]

  • Page 720

    Chapter 48 System Information & Diagnosis ZyWALL 5/35/70 Series User’s Guide 720 4 PPP log Filter log Message Format SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String ); String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R),[...]

  • Page 721

    Chapter 48 System Information & Diagnosis ZyWALL 5/35/70 Series User’s Guide 721 5 Firewall log 48.4.3 Call-Triggering Packet Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easily readable format. Equivalent information is available in menu 24.1 in hex format. An example is shown next. Firew[...]

  • Page 722

    Chapter 48 System Information & Diagnosis ZyWALL 5/35/70 Series User’s Guide 722 Figure 459 Call-Triggering Packet Example 48.5 Diagnostic The diagnostic facility allows you to test the different aspects of your ZyWALL to determine if it is working properly. Menu 24.4 allows you to choose among various types of diagnostic tests to evalu[...]

  • Page 723

    Chapter 48 System Information & Diagnosis ZyWALL 5/35/70 Series User’s Guide 723 Figure 460 Menu 24.4: System Maintenance: Diagnostic (ZyWALL 5) 48.5.1 WAN DHCP DHCP functionality can be enabled on the LAN or WAN as shown in Figure 461 on page 723. LAN DHCP has already been discussed. The ZyWALL can act either as a WAN DHCP client (I[...]

  • Page 724

    Chapter 48 System Information & Diagnosis ZyWALL 5/35/70 Series User’s Guide 724 Table 255 System Maintenance Menu Diagnostic FIELD DESCRIPTION Ping Host Enter 1 to ping any machine (with an IP address) on your LAN, DMZ, WLAN or WAN. Enter its IP address in the Host IP Address field below. WAN DHCP Release Enter 2 to release your WAN [...]

  • Page 725

    ZyWALL 5/35/70 Series User’s Guide 725 CHAPTER 49 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 49.1 Introduction Use the instructions in this chapter to change the ZyWALL’s configuration file or upgrade its[...]

  • Page 726

    Chapter 49 Firmware and Configuration File Maintenance ZyWALL 5/35/70 Series User’s Guide 726 The following table is a summary. Please note that the internal filename refers to the filename on the ZyWALL and the external filename refers to the filename not on the ZyWALL, that is, on your computer, local network or FTP site and so the name[...]

  • Page 727

    Chapter 49 Firmware and Configuration File Maintenance ZyWALL 5/35/70 Series User’s Guide 727 Figure 462 Telnet into Menu 24.5 49.3.2 Using the FTP Command from the Command Line 1 Launch the FTP client on your computer. 2 Enter “open”, followed by a space and the IP address of your ZyWALL. 3 Press [ENTER] when prompted for a user[...]

  • Page 728

    Chapter 49 Firmware and Configuration File Maintenance ZyWALL 5/35/70 Series User’s Guide 728 49.3.4 GUI-based FTP Clients The following table describes some of the commands that you may see in GUI-based FTP clients. 49.3.5 File Maintenance Over WAN TFTP, FTP and Telnet over the WAN will not work when: 1 The firewall is active (turn the fir[...]

  • Page 729

    Chapter 49 Firmware and Configuration File Maintenance ZyWALL 5/35/70 Series User’s Guide 729 4 Launch the TFTP client on your computer and connect to the ZyWALL. Set the transfer mode to binary before starting data transfer. 5 Use the TFTP client (see the example below) to transfer files between the ZyWALL and the computer. The fil[...]

  • Page 730

    Chapter 49 Firmware and Configuration File Maintenance ZyWALL 5/35/70 Series User’s Guide 730 Figure 464 System Maintenance: Backup Configuration 2 The following screen indicates that the Xmodem download has started. Figure 465 System Maintenance: Starting Xmodem Download Screen 3 Run the HyperTerminal program by clicking Transfer, the[...]

  • Page 731

    Chapter 49 Firmware and Configuration File Maintenance ZyWALL 5/35/70 Series User’s Guide 731 FTP is the preferred method for restoring your current computer configuration to your ZyWALL since FTP is faster. Please note that you must wait for the system to automatically restart after the file transfer is complete. " WARNING! Do not[...]

  • Page 732

    Chapter 49 Firmware and Configuration File Maintenance ZyWALL 5/35/70 Series User’s Guide 732 49.4.2 Restore Using FTP Session Example Figure 469 Restore Using FTP Session Example Refer to Section 49.3.5 on page 728 to read about configurations that disallow TFTP and FTP over WAN. 49.4.3 Restore Via Console Port Restore configuration via co[...]

  • Page 733

    Chapter 49 Firmware and Configuration File Maintenance ZyWALL 5/35/70 Series User’s Guide 733 4 After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu. Figure 473 Successful Restoration Confirmation Screen 49.5 Uploading Firmware and Configuration Files This section [...]

  • Page 734

    Chapter 49 Firmware and Configuration File Maintenance ZyWALL 5/35/70 Series User’s Guide 734 Figure 474 Telnet Into Menu 24.7.1: Upload System Firmware 49.5.2 Configuration File Upload You see the following screen when you telnet into menu 24.7.2. Figure 475 Telnet Into Menu 24.7.2: System Maintenance To upload the firmware and the config[...]

  • Page 735

    Chapter 49 Firmware and Configuration File Maintenance ZyWALL 5/35/70 Series User’s Guide 735 49.5.3 FTP File Upload Command from the DOS Prompt Example 1 Launch the FTP client on your computer. 2 Enter “open”, followed by a space and the IP address of your ZyWALL. 3 Press [ENTER] when prompted for a username. 4 Enter your password [...]

  • Page 736

    Chapter 49 Firmware and Configuration File Maintenance ZyWALL 5/35/70 Series User’s Guide 736 2 Put the SMT in command interpreter (CI) mode by entering 8 in Menu 24 – System Maintenance. 3 Enter the command “sys stdio 0” to disable the console timeout, so the TFTP transfer will not be interrupted. Enter command “sys stdio 5” t[...]

  • Page 737

    Chapter 49 Firmware and Configuration File Maintenance ZyWALL 5/35/70 Series User’s Guide 737 Figure 477 Menu 24.7.1 As Seen Using the Console Port 2 After the "Starting Xmodem upload" message appears, activate the Xmodem protocol on your computer. Follow the procedure as shown previously for the HyperTerminal program. The pr[...]

  • Page 738

    Chapter 49 Firmware and Configuration File Maintenance ZyWALL 5/35/70 Series User’s Guide 738 Figure 479 Menu 24.7.2 As Seen Using the Console Port 2 After the "Starting Xmodem upload" message appears, activate the Xmodem protocol on your computer. Follow the procedure as shown previously for the HyperTerminal program. The proce[...]

  • Page 739

    ZyWALL 5/35/70 Series User’s Guide 739 CHAPTER 50 System Maintenance Menus 8 to 10 This chapter leads you through SMT menus 24.8 to 24.10. 50.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnost[...]

  • Page 740

    Chapter 50 System Maintenance Menus 8 to 10 ZyWALL 5/35/70 Series User’s Guide 740 50.2 Call Control Support The ZyWALL provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1. The budget management function allow[...]

  • Page 741

    Chapter 50 System Maintenance Menus 8 to 10 ZyWALL 5/35/70 Series User’s Guide 741 The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked. After each period, the total budget is reset[...]

  • Page 742

    Chapter 50 System Maintenance Menus 8 to 10 ZyWALL 5/35/70 Series User’s Guide 742 50.3 Time and Date Setting The ZyWALL’s Real Time Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server when you turn on your ZyWALL. Menu 24.10 all[...]

  • Page 743

    Chapter 50 System Maintenance Menus 8 to 10 ZyWALL 5/35/70 Series User’s Guide 743 Figure 486 Menu 24.10 System Maintenance: Time and Date Setting The following table describes the fields in this screen. Menu 24.10 - System Maintenance - Time and Date Setting Time Protocol= NTP (RFC-1305) Time Server Address= 0.pool.ntp.org Current Time: 08[...]

  • Page 744

    Chapter 50 System Maintenance Menus 8 to 10 ZyWALL 5/35/70 Series User’s Guide 744 Start Date (mm-nth-week-hr) Configure the day and time when Daylight Saving Time starts if you selected Yes in the Daylight Saving field. The hr field uses the 24 hour format. Here are a couple of examples: Daylight Saving Time starts in most parts of the U[...]

  • Page 745

    ZyWALL 5/35/70 Series User’s Guide 745 CHAPTER 51 Remote Management This chapter covers remote management found in SMT menu 24.11. 51.1 Remote Management Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. " When you configure remote management to allow mana[...]

  • Page 746

    Chapter 51 Remote Management ZyWALL 5/35/70 Series User’s Guide 746 Figure 487 Menu 24.11 – Remote Management Control The following table describes the fields in this screen. Menu 24.11 - Remote Management Control TELNET Server: Port = 23 Access = Disable Secure Client IP = 0.0.0.0 FTP Server: Port = 21 Access = LAN+WAN1+DMZ+WLAN+WAN2[...]

  • Page 747

    Chapter 51 Remote Management ZyWALL 5/35/70 Series User’s Guide 747 51.1.1 Remote Management Limitations Remote management over LAN or WAN will not work when: 1 A filter in menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service. 2 You have disabled that service in menu 24.11. 3 The IP address in the Secure C[...]

  • Page 748

    Chapter 51 Remote Management ZyWALL 5/35/70 Series User’s Guide 748[...]

  • Page 749

    ZyWALL 5/35/70 Series User’s Guide 749 CHAPTER 52 IP Policy Routing This chapter covers setting and applying policies used for IP routing. 52.1 IP Routing Policy Summary Menu 25 shows the summary of a policy rule, including the criteria and the action of a single policy, and whether a policy is active or not. Each policy contains two lines. [...]

  • Page 750

    Chapter 52 IP Policy Routing ZyWALL 5/35/70 Series User’s Guide 750 52.2 IP Routing Policy Setup To setup a routing policy, perform the following procedures: 1 Type 25 in the main menu to open Menu 25 - IP Routing Policy Summary. Criteria/Action This displays the details about to which packets the policy applies and how the policy has the [...]

  • Page 751

    Chapter 52 IP Policy Routing ZyWALL 5/35/70 Series User’s Guide 751 2 Select Edit in the Select Command field; type the index number of the rule you want to configure in the Select Rule field and press [ENTER] to open Menu 25.1 - IP Routing Policy Setup (see the next figure). Figure 489 Menu 25.1: IP Routing Policy Setup The following table des[...]

  • Page 752

    Chapter 52 IP Policy Routing ZyWALL 5/35/70 Series User’s Guide 752 52.2.1 Applying Policy to Packets To apply the policy to packets received on the selected interface(s), go to Menu 25.1: IP Routing Policy Setup and press [SPACE BAR] to select Yes in the Edit policy to packets received from field. Press [ENTER] to display Menu 25.1.1 - IP R[...]

  • Page 753

    Chapter 52 IP Policy Routing ZyWALL 5/35/70 Series User’s Guide 753 Figure 490 Menu 25.1.1: IP Routing Policy Setup The following table describes the fields in this screen. 52.3 IP Policy Routing Example If a network has both Internet and remote node connections, you can route Web packets to the Internet using one policy and route FTP packets to[...]

  • Page 754

    Chapter 52 IP Policy Routing ZyWALL 5/35/70 Series User’s Guide 754 Figure 491 Example of IP Policy Routing To force Web packets coming from clients with IP addresses of 192.168.1.33 to 192.168.1.64 to be routed to the Internet via the WAN port of the ZyWALL, follow the steps as shown next. 1 Create a rule in Menu 25.1 - IP Routing Policy Se[...]

  • Page 755

    Chapter 52 IP Policy Routing ZyWALL 5/35/70 Series User’s Guide 755 2 Select Yes in the LAN field in menu 25.1.1 to apply the policy to packets received on the LAN port. 3 Check Menu 25 - IP Routing Policy Summary to see if the rule is added correctly. 4 Create another rule in menu 25.1 for this rule to route packets from any host (IP=0.0.0[...]

  • Page 756

    Chapter 52 IP Policy Routing ZyWALL 5/35/70 Series User’s Guide 756[...]

  • Page 757

    ZyWALL 5/35/70 Series User’s Guide 757 CHAPTER 53 Call Scheduling Call scheduling allows you to dictate when a remote node should be called and for how long. 53.1 Introduction to Call Scheduling The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long. This feature[...]

  • Page 758

    Chapter 53 Call Scheduling ZyWALL 5/35/70 Series User’s Guide 758 " To delete a schedule set, enter the set number and press [SPACE BAR] and then [ENTER] or [DEL] in the Edit Name field. To set up a schedule set, select the schedule set you want to setup from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as show[...]

  • Page 759

    Chapter 53 Call Scheduling ZyWALL 5/35/70 Series User’s Guide 759 Once your schedule sets are configured, you must then apply them to the desired remote node(s). Enter 11 from the Main Menu and then enter the target remote node index. Press [SPACE BAR] and then [ENTER] to select PPPoE in the Encapsulation field to make the schedule sets f[...]

  • Page 760

    Chapter 53 Call Scheduling ZyWALL 5/35/70 Series User’s Guide 760 Figure 497 Applying Schedule Set(s) to a Remote Node (PPTP) Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Allocated Budget(min)= 0 Outgoing= Period(hr)= 0 My Login= Schedule s[...]

  • Page 761

    761 PART VII Troubleshooting and Product Specifications Troubleshooting (763) Product Specifications (769)[...]

  • Page 762

    762[...]

  • Page 763

    ZyWALL 5/35/70 Series User’s Guide 763 CHAPTER 54 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories. • Power, Hardware Connections, and LEDs • ZyWALL Access and Login • Internet Access • Wireless Router/AP Troubleshooting ?[...]

  • Page 764

    Chapter 54 Troubleshooting ZyWALL 5/35/70 Series User’s Guide 764 54.2 ZyWALL Access and Login V I forgot the LAN IP address for the ZyWALL. 1 The default LAN IP address is 192.168.1.1. 2 Use the console port to log in to the ZyWALL. 3 If you changed the IP address and have forgotten it, you might get the IP address of the ZyWALL by l[...]

  • Page 765

    Chapter 54 Troubleshooting ZyWALL 5/35/70 Series User’s Guide 765 • If there is a DHCP server on your network, make sure your computer is using a dynamic IP address. See Appendix D on page 795. Your ZyWALL is a DHCP server by default. 6 Reset the device to its factory defaults, and try to access the ZyWALL with the default IP address. [...]

  • Page 766

    Chapter 54 Troubleshooting ZyWALL 5/35/70 Series User’s Guide 766 See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser. V I cannot use FTP to upload / download the configuration file. / I cannot use FTP to upload new firmware. See the troublesho[...]

  • Page 767

    Chapter 54 Troubleshooting ZyWALL 5/35/70 Series User’s Guide 767 V I cannot access the Internet anymore. I had access to the Internet (with the ZyWALL), but my Internet connection is not available anymore. 1 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 2.6 on page 59[...]

  • Page 768

    Chapter 54 Troubleshooting ZyWALL 5/35/70 Series User’s Guide 768 5 Check that both the ZyWALL and your wireless station are using the same wireless and wireless security settings. 6 Make sure traffic between the WLAN and the LAN is not blocked by the firewall on the ZyWALL. 7 Make sure you allow the ZyWALL to be remotely accessed throu[...]

  • Page 769

    ZyWALL 5/35/70 Series User’s Guide 769 CHAPTER 55 Product Specifications The following tables summarize the ZyWALL’s hardware and firmware features. Table 268 Hardware Specifications Dimensions ZyWALL 70: 355(L) x 200(D) x 55(H) mm ZyWALL 5 and ZyWALL 35: 242.0(W) x 175.0(D) x 35.5(H) mm Weight ZyWALL 70: 2,600g ZyWALL 5 and ZyWALL 3[...]

  • Page 770

    Chapter 55 Product Specifications ZyWALL 5/35/70 Series User’s Guide 770 Table 269 Firmware Specifications FEATURE DESCRIPTION Default IP Address 192.168.1.1 Default Subnet Mask 255.255.255.0 (24 bits) Default Password 1234 Default DHCP Pool 192.168.1.33 to 192.168.1.160 Device Management Use the web configurator to easily configure the ri[...]

  • Page 771

    Chapter 55 Product Specifications ZyWALL 5/35/70 Series User’s Guide 771 Firewall You can configure firewall on the ZyXEL Device for secure Internet access. When the firewall is on, by default, all incoming traffic from the Internet to your network is blocked unless it is initiated from your network. This means that probes from the outside [...]

  • Page 772

    Chapter 55 Product Specifications ZyWALL 5/35/70 Series User’s Guide 772 Compatible ZyXEL WLAN Cards The following table lists the ZyXEL WLAN cards that you can use in the ZyWALL at the time of writing. It also shows the security features that each card supports. " Check the product page on the www.zyxel.com website for updates on ZyXE[...]

  • Page 773

    Chapter 55 Product Specifications ZyWALL 5/35/70 Series User’s Guide 773 55.1 Compatible 3G Cards At the time of writing, you can use the following 3G wireless cards in the ZyWALL 5. The table also shows you the 3G features supported by the compatible 3G cards. Table 272 3G Features Supported By Compatible 3G Cards 3G CARD FEATURES SIERRA[...]

  • Page 774

    Chapter 55 Product Specifications ZyWALL 5/35/70 Series User’s Guide 774 Manual or automatic service provider selection via the web configurator YYY Signal strength update even when data is transmitting YYY Network type update even when data is transmitting Roaming status update even when data is transmitting Dormant status update after the con[...]

  • Page 775

    Chapter 55 Product Specifications ZyWALL 5/35/70 Series User’s Guide 775 55.2 Power Adaptor Specifications Budget Control Y Y Y Y Y Bandwidth Management Y Y Y Y Y Table 274 3G Features Supported By Additional Compatible 3G Cards 3G CARD FEATURES HUAWEI EC500 HUAWEI E220 OPTION GLOBETROTTER HSDPA 7.2 READY NOVATEL MERLIN EX720 NOVAT[...]

  • Page 776

    Chapter 55 Product Specifications ZyWALL 5/35/70 Series User’s Guide 776 Cable Pin Assignments In a serial communications connection, generally a computer is DTE (Data Terminal Equipment) and a modem is DCE (Data Circuit-terminating Equipment). The ZyWALL is DCE when you connect a computer to the console port. The ZyWALL is DTE when you co[...]

  • Page 777

    Chapter 55 Product Specifications ZyWALL 5/35/70 Series User’s Guide 777 Table 282 Ethernet Cable Pin Assignments WAN / LAN ETHERNET CABLE PIN LAYOUT Straight-through Crossover (Switch) (Adapter) (Switch) (Switch) 1 IRD + 1 OTD + 1 IRD + 1 IRD + 2 IRD - 2 OTD - 2 IRD - 2 IRD - 3 OTD + 3 IRD + 3 OTD + 3 OTD + 6 OTD - 6 IRD - 6 OTD - 6 OTD -[...]

  • Page 778

    Chapter 55 Product Specifications ZyWALL 5/35/70 Series User’s Guide 778[...]

  • Page 779

    779 PART VIII Appendices and Index Removing and Installing a Fuse (781) Common Services (783) Wireless LANs (787) Windows 98 SE/Me Requirements for Anti-Virus Message Display (801) Legal Information (805) Customer Support (809) Index (815)[...]

  • Page 780

    780[...]

  • Page 781

    ZyWALL 5/35/70 Series User’s Guide 781 APPENDIX A Removing and Installing a Fuse This appendix shows you how to remove and install fuses for the ZyWALL. If you need to install a new fuse, follow the procedure below. " If you use a fuse other than the included fuses, make sure it matches the fuse specifications in the product specifica[...]

  • Page 782

    Appendix A Removing and Installing a Fuse ZyWALL 5/35/70 Series User’s Guide 782[...]

  • Page 783

    ZyWALL 5/35/70 Series User’s Guide 783 APPENDIX B Common Services The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Number Authority) web site. • Name: This is a short, descrip[...]

  • Page 784

    Appendix B Common Services ZyWALL 5/35/70 Series User’s Guide 784 FTP TCP TCP 20 21 File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail. H.323 TCP 1720 NetMeeting uses this protocol. HTTP TCP 80 Hyper Text Transfer Protocol - a client/server protocol for the world wid[...]

  • Page 785

    Appendix B Common Services ZyWALL 5/35/70 Series User’s Guide 785 RTELNET TCP 107 Remote Telnet. RTSP TCP/UDP 554 The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet. SFTP TCP 115 Simple File Transfer Protocol. SMTP TCP 25 Simple Mail Transfer Protocol is the message-exchange standa[...]

  • Page 786

    Appendix B Common Services ZyWALL 5/35/70 Series User’s Guide 786[...]

  • Page 787

    ZyWALL 5/35/70 Series User’s Guide 787 APPENDIX C Wireless LANs Wireless LAN Topologies This section discusses ad-hoc and infrastructure wireless LAN topologies. Ad-hoc Wireless LAN Configuration The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two [...]

  • Page 788

    Appendix C Wireless LANs ZyWALL 5/35/70 Series User’s Guide 788 Figure 500 Basic Service Set ESS An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type o[...]

  • Page 789

    Appendix C Wireless LANs ZyWALL 5/35/70 Series User’s Guide 789 Figure 501 Infrastructure WLAN Channel A channel is the radio frequency(ies) used by wireless devices to transmit and receive data. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a channel different from an[...]

  • Page 790

    Appendix C Wireless LANs ZyWALL 5/35/70 Series User’s Guide 790 Figure 502 RTS/CTS When station A sends data to the AP, it might not know that the station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of me[...]

  • Page 791

    Appendix C Wireless LANs ZyWALL 5/35/70 Series User’s Guide 791 If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size. Preamble Type Preamble is used to s[...]

  • Page 792

    Appendix C Wireless LANs ZyWALL 5/35/70 Series User’s Guide 792 Wireless security methods available on the ZyWALL are data encryption, wireless client authentication, restricting access by device MAC address and hiding the ZyWALL identity. The following figure shows the relative effectiveness of these wireless security methods available on[...]

  • Page 793

    Appendix C Wireless LANs ZyWALL 5/35/70 Series User’s Guide 793 Determines the network services available to authenticated users once they are connected to the network. • Accounting Keeps track of the client’s network activity. RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the[...]

  • Page 794

    Appendix C Wireless LANs ZyWALL 5/35/70 Series User’s Guide 794 For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called digital IDs) can be used to authenticate users and a CA issues certificates and guarantees the ide[...]

  • Page 795

    Appendix C Wireless LANs ZyWALL 5/35/70 Series User’s Guide 795 Dynamic WEP Key Exchange The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed. If this feature is[...]

  • Page 796

    Appendix C Wireless LANs ZyWALL 5/35/70 Series User’s Guide 796 Encryption Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA and WPA2 use Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code P[...]

  • Page 797

    Appendix C Wireless LANs ZyWALL 5/35/70 Series User’s Guide 797 Wireless Client WPA Supplicants A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odysse[...]

  • Page 798

    Appendix C Wireless LANs ZyWALL 5/35/70 Series User’s Guide 798 3 The AP and wireless clients generate a common PMK (Pairwise Master Key). The key itself is not sent over the network, but is derived from the PSK and the SSID. 4 The AP and wireless clients use the TKIP or AES encryption process, the PMK and information exchanged in a handshake to [...]

  • Page 799

    Appendix C Wireless LANs ZyWALL 5/35/70 Series User’s Guide 799 Antenna Overview An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air. Positioning the antennas pro[...]

  • Page 800

    Appendix C Wireless LANs ZyWALL 5/35/70 Series User’s Guide 800 Positioning Antennas In general, antennas should be mounted as high as practically possible and free of obstructions. In point-to-point application, position both antennas at the same height and in a direct line of sight to each other to attain the best performance. For omni-dir[...]

  • Page 801

    ZyWALL 5/35/70 Series User’s Guide 801 APPENDIX D Windows 98 SE/Me Requirements for Anti-Virus Message Display With the anti-virus packet scan, when a virus is detected, an alert message is displayed on Microsoft Windows-based computers. For Windows 98 SE/Me, you must open the WinPopup window in order to view real-time alert messages. [...]

  • Page 802

    Appendix D Windows 98 SE/Me Requirements for Anti-Virus Message Display ZyWALL 5/35/70 Series User’s Guide 802 Figure 506 Windows 98 SE: Program Task Bar 2 Click the Start Menu Programs tab and click Advanced... Figure 507 Windows 98 SE: Task Bar Properties 3 Double-click Programs and click StartUp. 4 Right-click in the StartUp [...]

  • Page 803

    Appendix D Windows 98 SE/Me Requirements for Anti-Virus Message Display ZyWALL 5/35/70 Series User’s Guide 803 Figure 508 Windows 98 SE: StartUp 5 A Create Shortcut window displays. Enter “winpopup” in the Command line field and click Next. Figure 509 Windows 98 SE: Startup: Create Shortcut 6 Specify a name for the shortcut or accept th[...]

  • Page 804

    Appendix D Windows 98 SE/Me Requirements for Anti-Virus Message Display ZyWALL 5/35/70 Series User’s Guide 804 Figure 510 Windows 98 SE: Startup: Select a Title for the Program 7 A shortcut is created in the StartUp pane. Restart the computer when prompted. Figure 511 Windows 98 SE: Startup: Shortcut " The WinPopup window displays a[...]

  • Page 805

    ZyWALL 5/35/70 Series User’s Guide 805 APPENDIX E Legal Information Copyright Copyright © 2008 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, [...]

  • Page 806

    Appendix E Legal Information ZyWALL 5/35/70 Series User’s Guide 806 This device has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This device generates,[...]

  • Page 807

    Appendix E Legal Information ZyWALL 5/35/70 Series User’s Guide 807 Viewing Certifications 1 Go to http://www.zyxel.com. 2 Select your product on the ZyXEL home page to go to that product's page. 3 Select the certification you wish to view from this page. ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that[...]

  • Page 808

    Appendix E Legal Information ZyWALL 5/35/70 Series User’s Guide 808[...]

  • Page 809

    ZyWALL 5/35/70 Series User’s Guide 809 APPENDIX F Customer Support In the event of problems that cannot be solved by using this manual, you should contact your vendor. If you cannot contact your vendor, then contact a ZyXEL office for the region in which you bought the device. Regional offices are listed below (see also http://www.zyxel.[...]

  • Page 810

    Appendix F Customer Support ZyWALL 5/35/70 Series User’s Guide 810 • Address: 1005F, ShengGao International Tower, No.137 XianXia Rd., Shanghai • Web: http://www.zyxel.cn Costa Rica • Support E-mail: soporte@zyxel.co.cr • Sales E-mail: sales@zyxel.co.cr • Telephone: +506-2017878 • Fax: +506-2015098 • Web: www.zyxel.co[...]

  • Page 811

    Appendix F Customer Support ZyWALL 5/35/70 Series User’s Guide 811 Germany • Support E-mail: support@zyxel.de • Sales E-mail: sales@zyxel.de • Telephone: +49-2405-6909-69 • Fax: +49-2405-6909-99 • Web: www.zyxel.de • Regular Mail: ZyXEL Deutschland GmbH., Adenauerstr. 20/A2 D-52146, Wuerselen, Germany Hungary • Supp[...]

  • Page 812

    Appendix F Customer Support ZyWALL 5/35/70 Series User’s Guide 812 Malaysia • Support E-mail: support@zyxel.com.my • Sales E-mail: sales@zyxel.com.my • Telephone: +603-8076-9933 • Fax: +603-8076-9833 • Web: http://www.zyxel.com.my • Regular Mail: ZyXEL Malaysia Sdn Bhd., 1-02 & 1-03, Jalan Kenari 17F, Bandar Puchong Jaya,[...]

  • Page 813

    Appendix F Customer Support ZyWALL 5/35/70 Series User’s Guide 813 Singapore • Support E-mail: support@zyxel.com.sg • Sales E-mail: sales@zyxel.com.sg • Telephone: +65-6899-6678 • Fax: +65-6899-8887 • Web: http://www.zyxel.com.sg • Regular Mail: ZyXEL Singapore Pte Ltd., No. 2 International Business Park, The Strategy #03-28, Sing[...]

  • Page 814

    Appendix F Customer Support ZyWALL 5/35/70 Series User’s Guide 814 Turkey • Support E-mail: cso@zyxel.com.tr • Telephone: +90 212 222 55 22 • Fax: +90-212-220-2526 • Web: http:www.zyxel.com.tr • Address: Kaptanpasa Mahallesi Piyalepasa Bulvari Ortadogu Plaza N:14/13 K:6 Okmeydani/Sisli Istanbul/Turkey Ukraine • Support E-m[...]

  • Page 815

    Index ZyWALL 5/35/70 Series User’s Guide 815 Index Numerics 9600 baud 605 A access control 281 active protocol 394 AH 394 and encapsulation 394 ESP 394 Address Assignment 479 address assignment 182 ADP (Anomaly, Detection and Prevention) 277, 289 Advanced Encryption Standard See AES. AES 796 AH 394 and transport mode 395 ALG 531 RTP 532 SIP [...]

  • Page 816

    Index ZyWALL 5/35/70 Series User’s Guide 816 Bridge Protocol Data Unit. See BPDU. broadcast 152 BSS 787 budget 663 budget management 740 buffer overflow 281 C CA 399, 794 call back delay 623 call control 740 call history 741 call scheduling 757 max number of schedule sets 757 PPPoE 759 precedence 757 setting up a schedule 758 call-triggering pac[...]

  • Page 817

    Index ZyWALL 5/35/70 Series User’s Guide 817 diagnostic 722 diagnostics 599 dial timeout 623 Diffie-Hellman key group 389 Perfect Forward Secrecy (PFS) 395 digest 314 disclaimer 805 DMZ IP alias setup 647 port filter setup 645 setup 645 TCP/IP setup 646 DNS 513 DNS Server For VPN Host 480 DNS server address assignment 183 domain name 716 Domain [...]

  • Page 818

    Index ZyWALL 5/35/70 Series User’s Guide 818 one minute high 265 one minute low 265 rules 251 rules for VPN 122, 127 service type 266 SMT menus 693 stateful inspection 251 TCP maximum incomplete 265 three-way handshake 275 VPN 127 when to use 707 firmware file maintenance 725 upload 595 firmware upload 733 FTP 733 flow control 605 fragmentation[...]

  • Page 819

    Index ZyWALL 5/35/70 Series User’s Guide 819 IP address assignment 640, 665 pool 151, 154, 212, 222, 635 private 150 IP alias 636 IP alias setup 636 DMZ 647 IP policy routing 457, 749 IP protocol type 262 IP routing policy 749 IP static route 669 active 670 destination IP address 671 name 670 route number 670 IPSec 357 established in two p[...]

  • Page 820

    Index ZyWALL 5/35/70 Series User’s Guide 820 N nailed-up connection 662, 664 NAT 150, 435, 441, 442, 626, 641, 665, 666, 706 and VPN 392 application 449 configuring 675 default server IP address 441 examples 683 in the SMT 673 inside global address 447 inside local address 447 Many to Many No Overload 435 Many to Many Overload 435 M[...]

  • Page 821

    Index ZyWALL 5/35/70 Series User’s Guide 821 product registration 807 protocol filter 637 incoming 637 outgoing 637 PSK 796 Q QoS 457 Quality of Service. See QoS. query view (IDP) 284 R RADIUS 231, 244, 792 and IKE SA 391 message types 244, 793 messages 793 shared secret key 244, 793 Rapid Spanning Tree Protocol. See Rapid STP. Rapid STP 1[...]

  • Page 822

    Index ZyWALL 5/35/70 Series User’s Guide 822 scanner types 310 schedule 661, 664 duration 758 searching for IDP signatures 284 secure FTP using SSH 504 secure Telnet using SSH 502 security associations. See VPN. security settings for VPN traffic 119 server set 675 service set 230, 233 service type 266, 640, 660 services 141 Session Initiat[...]

  • Page 823

    Index ZyWALL 5/35/70 Series User’s Guide 823 time 588 and date setting 742 Daylight Saving Time 589 resetting 588 synchronization with server 590 zone 589, 744 Time protocol 589 time protocol 589 Daytime 589 NTP 589 Time 589 time setting 742 timeout system 492 TKIP 245 To VPN traffic 121 ToS 457 trace 717 trademarks 805 traffic from VPN [...]

  • Page 824

    Index ZyWALL 5/35/70 Series User’s Guide 824 warranty 807 note 807 web attack 282 web configurator 61 web site hits 541 WEP encryption 239, 242 whitelist 314, 321 Wi-Fi Protected Access 795 Wi-Fi Protected Access. See WPA. Windows Internet Naming Service. See WINS. WinPopup window 801 WINS 152, 154 WINS server 154 wireless channel 767 wirel[...]