Similar user manuals
- Network Card: ZyXEL Communications zyxel fiber-based (30 pages, 0.24 MB)
- Network Card: ZyXEL Communications ZyXEL ZyAIR G-500 (13 pages, 0.65 MB)
- Network Card: ZyXEL Communications G-1000 (192 pages, 6.15 MB)
- Network Card: ZyXEL Communications IEEE802.11b (39 pages, 0.82 MB)
- Network Card: ZyXEL Communications B-320 (6 pages, 0.27 MB)
- Network Card: ZyXEL Communications ZyXEL ZyWALL IDP 10 (21 pages, 0.83 MB)
- Network Card: ZyXEL Communications ZyXEL ZyWALL USG-1000 (61 pages, 4.61 MB)
- Network Card: ZyXEL Communications B-3000 (2 pages, 0.13 MB)
Table of contents for the manual
-
Page 1
www.zyxel.com ZyWALL 2 Plus Internet Security Appliance User's Guide, Version 4.03, 12/2007, Edition 1[...]
-
Page 2
[...]
-
Page 3
About This User's Guide (ZyWALL 2 Plus User's Guide). Intended Audience: This manual is intended for people who want to configure the ZyWALL using the web configurator or System Management Terminal (SMT). You should have at least a basic knowledge of TCP/IP networking concepts and topology. Related Document[...]
-
Page 4
Document Conventions. Warnings and Notes: These are how warnings and notes are shown in this User's Guide. Warnings tell you about things that could harm you or your device. Notes tell you other important information (for example, other things you may need to configure or helpful tip[...]
-
Page 5
Document Conventions. Icons Used in Figures: Figures in this User's Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL, Computer, Notebook computer, Server, DSLAM, Firewall, Telephone, Switch, Router[...]
-
Page 6
Safety Warnings. For your safety, be sure to read and follow all warning notices and instructions. • Do NOT use this product near water, for example, in a wet basement or near a swimming pool. • Do NOT expose your device to dampness, dust or corrosive liquids. • Do NOT store things on the de[...]
-
Page 7
Contents Overview. Introduction and Registration, 45; Getting to Know Your ZyWALL, 47; Introducing th[...]
-
Page 8
Contents Overview. SMT, 465; Introducing the SMT, 467; SMT Menu 1 [...]
-
Page 9
Table of Contents. About This User's Guide, 3; Document Conventions, 4; Safety Warn[...]
-
Page 10
Table of Contents. 2.4.6 Port Statistics, 64; 2.4.7 DHCP Table Screen, 65; 2.4.8 VPN Status[...]
-
Page 11
Table of Contents. Chapter 5 Registration, 127; 5.1 myZyXEL.com overview, 127; 5.1.1 Con[...]
-
Page 12
Table of Contents. 8.5 DNS Server Address Assignment, 153; 8.6 WAN MAC Address, 154; 8.7 WAN[...]
-
Page 13
Table of Contents. 11.3.2 From VPN Packet Direction, 196; 11.3.3 From VPN To VPN Packet Direction, 198; 11.4 Security Considerations[...]
-
Page 14
Table of Contents. Chapter 14 IPSec VPN, 253; 14.1 IPSec VPN Overview, 253; 14.1.1 I[...]
-
Page 15
Table of Contents. 15.3 Verifying a Certificate, 296; 15.3.1 Checking the Fingerprint of a Certificate on Your Computer, 296; 15.4 Configuration Summary[...]
-
Page 16
Table of Contents. 17.3 NAT Overview Screen, 336; 17.4 NAT Address Mapping, 337; 17.4.1 What NAT Does[...]
-
Page 17
Table of Contents. 20.1 DNS Overview, 365; 20.2 DNS Server Address Assignment, 365; 20.3 DNS Servers[...]
-
Page 18
Table of Contents. 21.14.2 SNMP Traps, 393; 21.14.3 REMOTE MANAGEMENT: SNMP, 393; 21.15 DNS[...]
-
Page 19
Table of Contents. Part V: Logs and Maintenance, 417; Chapter 25 Logs Screens, 419; 25.1 Configuring View Log[...]
-
Page 20
Table of Contents. Chapter 27 Introducing the SMT, 467; 27.1 Introduction to the SMT, 467; 27.2 Access[...]
-
Page 21
Table of Contents. 31.4 Configuring the PPPoE Client, 499; 31.5 Basic Setup Complete, 500; Chapter 32 DMZ Setup[...]
-
Page 22
Table of Contents. 36.4.2 Example 2: Internet Access with a Default Server, 532; 36.4.3 Example 3: Multiple Public IP Addresses With Inside Servers, 532; 36.4.4 Example 4: NAT Unfriendly Application Programs[...]
-
Page 23
Table of Contents. 40.4.2 Syslog Logging, 563; 40.4.3 Call-Triggering Packet, 566; 40.5 Diagnostic[...]
-
Page 24
Table of Contents. 42.2.2 Call History, 590; 42.3 Time and Date Setting, 591; Chapter 43 Rem[...]
-
Page 25
Table of Contents. Index, 679[...]
-
Page 26
[...]
-
Page 27
List of Figures. Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem, 48; Figure 2 VPN Application, 48; Figure[...]
-
Page 28
List of Figures. Figure 39 SECURITY > FIREWALL > Rule Summary: Allow, 96; Figure 40 SECURITY > FIREWALL > Default Rule: Block From VPN To LAN, 96; Figure 41 Tutorial Example: Using NAT with Stat[...]
-
Page 29
List of Figures. Figure 82 SECURITY > CONTENT FILTER > Policy, 123; Figure 83 SECURITY > CONTENT FILTER > Policy > Insert, 124; Figure 84 SECURITY > CO[...]
-
Page 30
List of Figures. Figure 125 Default Block Traffic From WAN to DMZ Example, 193; Figure 126 From LAN to VPN Example, 195; Figure 127 Block DMZ to VPN Tr[...]
-
Page 31
List of Figures. Figure 168 VPN: Example, 253; Figure 169 VPN: IKE SA and IPSec SA, 254; Figur[...]
-
Page 32
List of Figures. Figure 211 SECURITY > CERTIFICATES > Directory Servers, 320; Figure 212 SECURITY > CERTIFICATES > Directory Server > Add, 321; Figure 213 SECURITY > AUTH SERVE[...]
-
Page 33
List of Figures. Figure 254 ADVANCED > REMOTE MGMT > SSH, 387; Figure 255 SSH Example 1: Store Host Key, 388; Figure 256 SSH Example [...]
-
Page 34
List of Figures. Figure 297 MAINTENANCE > Diagnostics, 463; Figure 298 Initial Screen, 46[...]
-
Page 35
List of Figures. Figure 340 Menu 12.1: Edit IP Static Route, 520; Figure 341 Menu 4: Applying NAT for Internet Access, 522; Figure 342 Menu 11.[...]
-
Page 36
List of Figures. Figure 383 Menu 24: System Maintenance, 559; Figure 384 Menu 24.1: System Maintenance: Status, 560; Figure 385 Menu 24.2: Sy[...]
-
Page 37
List of Figures. Figure 426 Wall-mounting Example, 618; Figure 427 Masonry Plug and M4 Tap Screw, 618; Figure 42[...]
-
Page 38
List of Figures. Figure 469 Certificate Import Wizard 3, 660; Figure 470 Root Certificate Store, 660[...]
-
Page 39
List of Tables. Table 1 Front Panel LEDs, 49; Table 2 Title Bar: Web Configurator Icons[...]
-
Page 40
List of Tables. Table 39 NETWORK > DMZ > Static DHCP, 175; Table 40 NETWORK > DMZ > IP Alias, 176; Table [...]
-
Page 41
List of Tables. Table 82 SECURITY > CERTIFICATES > My Certificates > Create, 307; Table 83 SECURITY > CERTIFICATES > Trusted CAs, 311; Table 84 SECURITY > CERTIFI[...]
-
Page 42
List of Tables. Table 125 ADVANCED > REMOTE MGMT > SNMP, 394; Table 126 ADVANCED > REMOTE MGMT > DNS, 395; Table 127 ADVANCED > REMOTE M[...]
-
Page 43
List of Tables. Table 168 MAINTENANCE > Diagnostics, 463; Table 169 Main Menu Commands, 468; Table 170[...]
-
Page 44
List of Tables. Table 211 System Maintenance Menu Diagnostic, 568; Table 212 Filename Conventions, 572; Table 213 Gener[...]
-
Page 45
PART I Introduction and Registration: Getting to Know Your ZyWALL (47); Introducing the Web Configurator (51); Wizard Setup (69); Tutorials (89); Registration (127)[...]
-
Page 46
[...]
-
Page 47
CHAPTER 1 Getting to Know Your ZyWALL. This chapter introduces the main features and applications of the ZyWALL. 1.1 ZyWALL Internet Security Appliance Overview: The ZyWALL is loaded with security features including VPN, firewall, content filtering and certificates. The ZyWALL's De-Militarized Zone (DMZ) incre[...]
-
Page 48
Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem. 1.2.2 VPN Application: ZyWALL VPN is an ideal cost-effective way to connect branch offices, business partners and telecommuters over the Internet without the need (and expense) for leased lines between sites. Figu[...]
-
Page 49
1.4 Good Habits for Managing the ZyWALL: Do the following things regularly to make the ZyWALL more secure and to manage the ZyWALL more effectively. • Change the password. Use a password that's not easy to guess and that consists of different types of characters, such a[...]
-
Page 50
WAN 10/100 LED: Off: the WAN connection is not ready, or has failed. Green, on: the ZyWALL has a successful 10 Mbps WAN connection; green, flashing: the 10M WAN is sending or receiving packets. Orange, on: the ZyWALL has a successful 100 Mbps WAN connection; orange, flashing: the 100M WAN is sendin[...]
-
Page 51
CHAPTER 2 Introducing the Web Configurator. This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens. 2.1 Web Configurator Overview: The web configurator is an HTML-based management interface that allows easy ZyWALL setup and management via Internet browser. Use In[...]
-
Page 52
5 You should see a screen asking you to change your password (highly recommended) as shown next. Type a new password (and retype it to confirm) and click Apply, or click Ignore. Figure 4 Change Password Screen. 6 Click Apply in the Replace Certificate screen to create a [...]
-
Page 53
2.3 Resetting the ZyWALL: If you forget your password or cannot access the web configurator, you will need to reload the factory-default configuration file or use the RESET button on the back of the ZyWALL. Uploading this configuration file replaces the current configurat[...]
-
Page 54
2.4 Navigating the ZyWALL Web Configurator: The following summarizes how to navigate the web configurator from the HOME screen. This guide uses the ZyWALL 70 screenshots as an example. The screens may vary slightly for different ZyWALL models. Figure 7 HOME Screen. As i[...]
-
Page 55
2.4.2 Main Window: The main window shows the screen you select in the navigation panel. It is discussed in more detail in the rest of this document. Right after you log in, the HOME screen is displayed. The screen varies according to the device mode you select in the MAINTENA[...]
-
Page 56
Firmware Version: This is the ZyNOS firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design. Click the field label to go to the screen where you can upload a new firmware file. Up Time: This field displays how long the ZyW[...]
-
Page 57
2.4.4 HOME Screen: Bridge Mode: The following screen displays when the ZyWALL is set to bridge mode. In bridge mode, the ZyWALL functions as a transparent firewall (also known as a bridge firewall). The ZyWALL bridges traffic traveling between the ZyWALL's interfa[...]
-
Page 58
You can use the firewall and VPN in bridge mode. See the user's guide for a list of other features that are available in bridge mode. Figure 9 Web Configurator HOME Screen in Bridge Mode. The following table describes the labels in this screen. Table 4 Web Configurato[...]
-
Page 59
System Time: This field displays your ZyWALL's present date (in yyyy-mm-dd format) and time (in hh:mm:ss format) along with the difference from the Greenwich Mean Time (GMT) zone. The difference from GMT is based on the time zone. It is also adjusted for Daylight Saving[...]
-
Page 60
2.4.5 Navigation Panel: After you enter the password, use the sub-menus on the navigation panel to configure ZyWALL features. The following table lists the features available for each device mode. Not all ZyWALLs have all features listed in this table. Port Status: For th[...]
-
Page 61
Table Key: A Y in a mode's column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change. The following table describes the sub-menus. WLAN: Y; Firewall: Y, Y; Content Filte[...]
-
Page 62
WAN > Route: This screen allows you to configure route priority. WAN > WAN: Use this screen to configure the WAN port for Internet access. WAN > Traffic Redirect: Use this screen to configure your traffic redirect properties and parameters. WAN > Dial Backup: Use this screen to configu[...]
-
Page 63
AUTH SERVER > Local User Database: Use this screen to configure the local user account(s) on the ZyWALL. AUTH SERVER > RADIUS: Configure this screen to use an external server to authenticate wireless and/or VPN users. ADVANCED > NAT > NAT Overview: Use this screen to enable NAT. Address M[...]
-
Page 64
2.4.6 Port Statistics: Click Port Statistics in the HOME screen. Read-only information here includes port status and packet-specific statistics. The Poll Interval(s) field is configurable. Figure 10 HOME > Show Statistics. The following table describes the label[...]
-
Page 65
2.4.7 DHCP Table Screen: DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyWALL as a DHCP server or disable it. When configured as a server, the Z[...]
-
Page 66
2.4.8 VPN Status: Click VPN in the HOME screen when the ZyWALL is set to router mode. This screen displays read-only information about the active VPN connections. The Poll Interval(s) field is configurable. A Security Association (SA) is the group of security settings [...]
-
Page 67
2.4.9 Bandwidth Monitor: Click Bandwidth in the HOME screen to display the bandwidth monitor. This screen displays the device's bandwidth usage and allotments. Figure 13 Home > Bandwidth Monitor. The following table describes the labels in this screen. Encapsulation T[...]
-
Page 68
Automatic Refresh Interval: Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval, or to not update the screen statistics. Refresh: Click this button to update the screen's statistics i[...]
-
Page 69
CHAPTER 3 Wizard Setup. This chapter provides information on the Wizard Setup screens in the web configurator. The Internet access wizard is only applicable when the ZyWALL is in router mode. 3.1 Wizard Setup Overview: The web configurator's setup wizards help you configure Internet and VPN connection setting[...]
-
Page 70
3.2 Internet Access: The Internet access wizard screen has three variations depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don't have that information. 3.2.1 ISP Parameters: The ZyWALL o[...]
-
Page 71
3.2.1.2 PPPoE Encapsulation: Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an IETF (Internet Engineering Task Force) standard specifying how a host personal computer interacts with a broadband modem (for example DSL, cable, wireless, etc.) to achi[...]
-
Page 72
Figure 16 ISP Parameters: PPPoE Encapsulation. The following table describes the labels in this screen. Table 12 ISP Parameters: PPPoE Encapsulation (LABEL / DESCRIPTION). ISP Parameter for Internet Access: Encapsulation: Choose an encapsulation method from the pull-down list box. PPP over Ethernet fo[...]
-
Page 73
3.2.1.3 PPTP Encapsulation: Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables transfers of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol, and virtual[...]
-
Page 74
Figure 17 ISP Parameters: PPTP Encapsulation. The following table describes the labels in this screen. Table 13 ISP Parameters: PPTP Encapsulation (LABEL / DESCRIPTION). ISP Parameters for Internet Access: Encapsulation: Select PPTP from the drop-down list box. To configure a PPTP client, you must [...]
-
Page 75
3.2.2 Internet Access Wizard: Second Screen: Click Next to go to the screen where you can register your ZyWALL and activate the free content filtering trial application. Otherwise, click Skip to display the congratulations screen and click Close to complete the Internet access setup. Figure[...]
-
Page 76
Figure 19 Internet Access Setup Complete. 3.2.3 Internet Access Wizard: Registration: If you clicked Next in the previous screen (see Figure 18 on page 75), the following screen displays. Use this screen to register the ZyWALL with myZyXEL.com. You must register your ZyWALL before you can act[...]
-
Page 77
Figure 20 Internet Access Wizard: Registration. The following table describes the labels in this screen. After you fill in the fields and click Next, the following screen shows, indicating that the registration is in progress. Wait for the registration process to finish. Table 14 Internet Access W[...]
-
Page 78
Figure 21 Internet Access Wizard: Registration in Progress. Click Close to leave the wizard screen when the registration and activation are done. Figure 22 Internet Access Wizard: Status. The following screen appears if the registration was not successful. Click Return to go back to the Devic[...]
-
Page 79
Figure 24 Internet Access Wizard: Registered Device. Figure 25 Internet Access Wizard: Activated Services. 3.3 VPN Wizard Gateway Setting: Use this screen to name the VPN gateway policy (IKE SA) and identify the IPSec routers at either end of the VPN tunnel. Click VPN Setup in the Wizard Setup W[...]
-
Page 80
Figure 26 VPN Wizard: Gateway Setting. The following table describes the labels in this screen. 3.4 VPN Wizard Network Setting: Use this screen to name the VPN network policy (IPSec SA) and identify the devices behind the IPSec routers at either end of a VPN tunnel. Table 15 VPN Wizard: Gatew[...]
-
Page 81
Two active SAs cannot have both the local and the remote IP address(es) the same. Two active SAs can have the same local or the same remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time. Figure 27 VPN Wi[...]
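The rule above is easy to get wrong when VPN rules accumulate over time, so here is a small checker for it, added as an illustration (it is not ZyXEL code and does not talk to the device). It models each IPSec SA as a network policy with a local and a remote network and flags pairs of active policies that share both; the policy records are constructed sample input.

```python
"""Check the ZyWALL VPN wizard's rule on overlapping Security Associations.

Added illustration, not ZyXEL code. The policy records below are constructed
sample input, not exported from a real device.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class NetworkPolicy:
    """One IPSec SA (network policy) as the wizard defines it."""
    name: str
    local: str      # network behind this ZyWALL, e.g. "192.168.1.0/24"
    remote: str     # network behind the remote IPSec router
    active: bool


def find_conflicts(policies):
    """Return (name_a, name_b) pairs that violate the manual's rule.

    Two active SAs may share the local network or the remote network, but
    not both. Inactive duplicates are allowed, so of several identical SAs
    only one may be active at a time.
    """
    active = [p for p in policies if p.active]
    conflicts = []
    for i, a in enumerate(active):
        for b in active[i + 1:]:
            if a.local == b.local and a.remote == b.remote:
                conflicts.append((a.name, b.name))
    return conflicts


def can_activate(policies, name):
    """True if switching `name` to active would not create a conflicting pair."""
    trial = [replace(p, active=True) if p.name == name else p for p in policies]
    return not any(name in pair for pair in find_conflicts(trial))


# Constructed sample configuration (not from a real device).
SAMPLE_POLICIES = [
    NetworkPolicy("branch-A",     "192.168.1.0/24", "10.1.0.0/24", True),
    NetworkPolicy("branch-B",     "192.168.1.0/24", "10.2.0.0/24", True),   # same local only: allowed
    NetworkPolicy("partner-X",    "192.168.2.0/24", "10.1.0.0/24", True),   # same remote only: allowed
    NetworkPolicy("branch-A-alt", "192.168.1.0/24", "10.1.0.0/24", False),  # duplicate, but inactive: allowed
    NetworkPolicy("branch-A-dup", "192.168.1.0/24", "10.1.0.0/24", True),   # duplicate AND active: conflict
]

if __name__ == "__main__":
    for a, b in find_conflicts(SAMPLE_POLICIES):
        print(f"conflict: {a} and {b} are both active with identical local/remote networks")
    print("can activate branch-A-alt:", can_activate(SAMPLE_POLICIES, "branch-A-alt"))
```

Run it before enabling a newly added rule; `can_activate` is the check to apply when you want to swap from one SA to an alternative with the same endpoints, which the guide allows only if the old one is deactivated first.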
-
Page 82
3.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1): Use this screen to specify the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA. Figure 28 VPN Wizard: IKE Tunnel Setting. Remote Network: Remote IP addresses must be static and correspond to the remote IPSec rout[...]
-
Page 83
The following table describes the labels in this screen. 3.6 VPN Wizard IPSec Setting (IKE Phase 2): Use this screen to specify the authentication, encryption and other settings needed to negotiate a phase 2 IPSec SA. Table 17 VPN Wizard: IKE Tunnel Setting (LABEL / DESCRIPTION). Negotiation Mode: S[...]
-
Page 84
Chapter 3 Wizard Setup ZyWALL 2 Plus User’s Guide 84 Figure 29 VPN Wizard: IPSec Setting The following table describes the labels in this screen. T able 18 VPN Wizard: IPSec Setting LABEL DESCRIPTION Encapsulation Mode Tu n n e l is compatible with NA T , Tr a n s p o r t is not. T unnel mod e encapsulates the entire IP packet to transmit it secu[...]
-
Page 85
Chapter 3 Wizard Setup ZyWALL 2 Plus User’s Guide 85 3.7 VPN Wizard S t atus Summary This read-only screen shows the status of the current VPN settin g. Use the summary table to check whether what you have configured is correct. Figure 30 VPN Wizard: VPN S tatus Perfect Forward Secret (PFS) Perfect Forward Secret (PFS) is disabled ( None ) by def[...]
-
Page 86
Chapter 3 Wizard Setup ZyWALL 2 Plus User’s Guide 86 The following table describes the labels in this screen. T able 19 VPN Wizard: VPN Status LABEL DESCRIPTION Gateway Policy Property Name This i s the name of this VPN gateway policy . Gateway Policy Setting My ZyW A LL This is the W AN IP address or t he do main name of your ZyWALL in router mo[...]
-
Page 87
Chapter 3 Wizard Setup ZyWALL 2 Plus User’s Guide 87 3.8 VPN Wizard Setup Complete Congratulations! Y ou have successfully set up the VPN rule for your ZyW ALL. If you already had VPN rules config ured, the wi zard adds the new VPN rule after the last existing VPN rule. Figure 31 VPN Wizard Setup Co mplete IPSec Protocol ESP or AH are the securit[...]
-
Page 88
Chapter 3 Wizard Setup ZyWALL 2 Plus User’s Guide 88[...]
Page 89
CHAPTER 4 Tutorials This chapter describes • how to apply security settings to VPN traffic. • how to set up your ZyWALL if you have more than one fixed (static) IP address from your ISP. • how to allocate bandwidth and apply priorities to traffic that flows out through the ZyWALL’s WAN port. 4.1 Se[...]
Page 90
Figure 32 Firewall Rule for VPN 4.1.2 Configuring the VPN Rule This section shows how to configure a VPN rule on device A to let the network behind B access the FTP server. You would also have to configure a corresponding rule on device B. 1 Click Security > VPN to open the following screen[...]
Page 91
Figure 34 SECURITY > VPN > VPN Rules (IKE) > Add Gateway Policy 3 Click the Add Network Policy icon.[...]
Page 92
Figure 35 SECURITY > VPN > VPN Rules (IKE): With Gateway Policy Example 4 Use this screen to specify which computers behind the routers can use the VPN tunnel. Configure the fields that are circled as follows and click Apply. You may notice that the example does not specify the port numbe[...]
Page 93
Figure 36 SECURITY > VPN > VPN Rules (IKE) > Add Network Policy 4.1.3 Configuring the Firewall Rules Suppose you have several VPN tunnels but you only want to allow device B’s network to access the FTP server. You also only want FTP traffic to go to the FTP server, so you want to[...]
Page 94
1 Click Security > Firewall > Rule Summary. 2 Select VPN to LAN as the packet direction and click Refresh. 3 Click the insert icon. Figure 37 SECURITY > FIREWALL > Rule Summary 4 Configure the rule as follows and click Apply. The source addresses are the VPN rule’s remote netw[...]
Page 95
Figure 38 SECURITY > FIREWALL > Rule Summary > Edit: Allow 5 The rule displays in the summary list of VPN to LAN firewall rules.[...]
Page 96
Figure 39 SECURITY > FIREWALL > Rule Summary: Allow 4.1.3.2 Default Firewall Rule to Block Other Access Example Now you configure the default firewall rule to block all VPN to LAN traffic. This blocks any other types of access from VPN tunnels to the LAN FTP server. This means that you[...]
Page 97
4.2 Using NAT with Multiple Public IP Addresses This section shows you examples of how to set up your ZyWALL if you have more than one fixed (static) IP address from your ISP. 4.2.1 Example Parameters and Scenario The following table shows the public IP addresses from your ISP and your ZyWALL’s[...]
Page 98
4.2.2 Configuring the WAN Connection with a Static IP Address The following table shows the information your ISP gave you for Internet connection. Follow the steps below to configure your ZyWALL for Internet access using PPPoE in this example. Figure 42 Tutorial Example: WAN Connection with a[...]
Page 99
Figure 43 Tutorial Example: WAN Screen 6 Click ADVANCED > DNS. 7 The System screen displays. Click the Insert button to configure the IP address of the DNS server the ZyWALL can query to resolve domain names. Figure 44 Tutorial Example: DNS > System 8 Select Public DNS Server and ent[...]
Page 100
Figure 45 Tutorial Example: DNS > System Edit-1 9 Enter the rule number (2) where you want to put the second record and click the Insert button to configure the second DNS server’s IP address as follows. Click Apply. Note: To resolve a domain name, the ZyWALL checks it against the na[...]
Page 101
Figure 47 Tutorial Example: DNS > System: Done 11 Go to the Home screen to check your WAN connection status. Make sure the status is not down. Figure 48 Tutorial Example: Status 4.2.3 Public IP Address Mapping To have the local computers and servers use specific WAN IP addresses, you ne[...]
Page 102
Note: The one-to-one NAT address mapping rules are for both incoming and outgoing connections. The ZyWALL forwards traffic that is initiated from either the LAN or the WAN to the destination IP address. Note: The many-to-one or many-to-many NAT address mapping rules are for outgoing con[...]
Page 103
Figure 50 Tutorial Example: NAT > NAT Overview 3 Click the Address Mapping tab. 4 Click the first rule’s Edit icon ( ) in the Modify column to display the Address Mapping Rule screen. Figure 51 Tutorial Example: NAT > Address Mapping 5 Map a public IP address to the web server. Se[...]
Page 104
Figure 52 Tutorial Example: NAT Address Mapping Edit: One-to-One (1) 6 Click the second rule’s Edit icon ( ). 7 Map a public IP address to the mail server. Select the One-to-One type and enter 192.168.1.13 as the local start IP address and 1.2.3.6 as the global start IP address. Click App[...]
Page 105
10 After the configurations, the Address Mapping screen looks as shown. You still have one IP address (1.2.3.7) that can be assigned to another internal server when you expand your network. Figure 55 Tutorial Example: NAT Address Mapping Done Note: To allow traffic from the WAN to be fo[...]
Page 106
Figure 56 Tutorial Example: Forwarding Incoming FTP Traffic to a Local Computer 1 Click ADVANCED > NAT > Address Mapping. 2 Click the fourth rule’s Edit icon ( ) to configure a server rule. Figure 57 Tutorial Example: NAT Address Mapping Edit: Server 3 Click the Port Forwardi[...]
Page 107
Figure 58 Tutorial Example: NAT Port Forwarding 4.2.5 Allow WAN-to-LAN Traffic through the Firewall By default, the ZyWALL blocks any traffic initiated from the WAN to the LAN. To have the ZyWALL forward traffic initiated from the WAN to a local computer or server on the LAN, you need[...]
Page 108
Figure 60 Tutorial Example: Firewall Default Rule 3 Go to the Rule Summary screen. 4 Select WAN to LAN as the packet direction and click Refresh. 5 Click the insert icon to create a new firewall rule. Figure 61 Tutorial Example: Firewall Rule: WAN to LAN 6 Configure a firewall rule to allow[...]
Page 109
Figure 62 Tutorial Example: Firewall Rule: WAN to LAN Address Edit for Web Server 7 Select HTTP(TCP:80) and HTTPS(TCP:443) in the Available Services box on the left, and click >> to add them to the Selected Service(s) box on the right. Click Apply.[...]
Page 110
Figure 63 Tutorial Example: Firewall Rule: WAN to LAN Service Edit for Web Server 8 Click the insert icon to configure a firewall rule to allow traffic from the WAN to the mail server. Enter a descriptive name (W-L_Mail for example). Select Any in the Destination Address(es) box and click[...]
Page 111
Figure 64 Tutorial Example: Firewall Rule: WAN to LAN Address Edit for Mail Server 9 Select Any(All) in the Available Services box on the left, and click >> to add it to the Selected Service(s) box on the right. Click Apply. Figure 65 Tutorial Example: Firewall Rule: WAN to LAN Servi[...]
Page 112
10 Click the insert icon to configure a firewall rule to allow FTP traffic from the WAN to the FTP server. Enter a descriptive name (W-L_FTP for example). Select Any in the Destination Address(es) box and click Delete. Select Single Address as the destination address type. Enter 192.168.[...]
Page 113
Figure 67 Tutorial Example: Firewall Rule: WAN to LAN Service Edit for FTP Server 12 When you are done, the Rule Summary screen looks as shown. Figure 68 Tutorial Example: Firewall Rule Summary[...]
Page 114
4.2.6 Testing the Connections 1 Open the web browser on one of the local computers and enter any web site’s URL in the address bar. If you can access the web site, your WAN connection and NAT address mapping are configured successfully. If you cannot access it, make sure you entered the[...]
Page 115
Figure 69 Tutorial Example: NAT Address Mapping Done: Game Playing Note: To allow traffic from the WAN to be forwarded through the ZyXEL Device, you must also create a firewall rule. Refer to Section 4.2.5 on page 107 for more information. 4.4 How to Manage the ZyWALL’s Bandwidth T[...]
Page 116
Figure 70 Tutorial Example: Bandwidth Management The following table shows the example information you configure in the bandwidth management screens. 4.4.2 Configuring Bandwidth Management Rules Follow the steps below to set up bandwidth management rules for different traffic. 1 Click AD[...]
Page 117
Figure 71 Tutorial Example: Bandwidth Management Summary 7 Click the Class Setup tab. 8 Select the WAN interface and click the Add Sub-Class button to create a rule for VoIP traffic. Figure 72 Tutorial Example: Bandwidth Management Class Setup 9 Enter a descriptive name (WAN_VoIP for exam[...]
Page 118
Figure 73 Tutorial Example: Bandwidth Management Class Setup: VoIP 12 Click the Add Sub-Class button to create a rule for FTP traffic as follows. Click Apply. Figure 74 Tutorial Example: Bandwidth Management Class Setup: FTP 13 Click the Add Sub-Class button to create a rule for WWW traff[...]
Page 119
Figure 75 Tutorial Example: Bandwidth Management Class Setup: WWW 14 When you are finished, the Class Setup screen looks as shown. Figure 76 Tutorial Example: Bandwidth Management Class Setup Done 15 Use the Monitor screen to view the bandwidth usage and allotments for the WAN interface.[...]
Page 120
Figure 77 Tutorial Example: Bandwidth Management Monitor 4.5 Configuring Content Filtering You can use the ZyWALL’s content filtering policies to apply specific content filtering settings to specific users. You can even filter certain things at certain times. For example, you decide to[...]
Page 121
1 Click SECURITY > CONTENT FILTER. 2 Enable the content filter and external database content filtering. 3 Click Apply. Figure 78 SECURITY > CONTENT FILTER > General 4.5.2 Block Categories of Web Content Here is how to block access to web pages by category of content. 1 Click SECUR[...]
Page 122
Figure 79 SECURITY > CONTENT FILTER > Policy 2 Select Active. 3 Select the categories to block. 4 Click Apply. Figure 80 SECURITY > CONTENT FILTER > Policy > External Database (Default)[...]
Page 123
4.5.3 Assign Bob’s Computer a Specific IP Address You will configure a content filtering policy for traffic from Bob’s computer’s IP address. Do the following to have the ZyWALL always give Bob’s computer the same IP address (192.168.1.33 in this example). 1 Click HOME > DHCP[...]
Page 124
5 Click Apply. Figure 83 SECURITY > CONTENT FILTER > Policy > Insert 4.5.5 Set the Content Filter Schedule You want to let Bob access arts and entertainment web pages, but only during lunch. So you configure a schedule to only apply the Bob policy from 12:00 to 13:00. For the res[...]
Page 125
Figure 85 SECURITY > CONTENT FILTER > Policy > Schedule (Bob) 4.5.6 Block Categories of Web Content for Bob Now you select the categories of web pages to block Bob from accessing. 1 Click SECURITY > CONTENT FILTER > Policy and then the Bob policy’s external database icon. Fig[...]
Page 126
4 Click Apply. Figure 87 SECURITY > CONTENT FILTER > Policy > External Database (Bob)[...]
Page 127
CHAPTER 5 Registration 5.1 myZyXEL.com overview myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL. Note: You need to create an account before you can register your device and activate the services at myZyXEL.com. Y[...]
Page 128
5.2 Registration Use this screen to register your ZyWALL with myZyXEL.com and activate the content filtering service. Click REGISTRATION in the navigation panel to open the screen as shown next. Figure 88 REGISTRATION The following table describes the labels in this screen. Table 20 REGIST[...]
Page 129
Note: If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated. Use the Service screen to update your service subscription status. Figure 89 REGISTRATION: Registered Device 5.3 Service After you activate a trial, you can also use the[...]
Page 130
Figure 90 REGISTRATION > Service The following table describes the labels in this screen. Table 21 REGISTRATION > Service LABEL DESCRIPTION Service Management Service This field displays the service name available on the ZyWALL. Status This field displays whether a service is act[...]
Page 131
PART II Network LAN Screens (133) Bridge Screens (145) WAN Screens (151) DMZ Screens (171) Wireless LAN (181)[...]
Page 132
[...]
Page 133
CHAPTER 6 LAN Screens This chapter describes how to configure LAN settings. This chapter is only applicable when the ZyWALL is in router mode. 6.1 LAN, WAN and the ZyWALL A network is a shared communication system to which many computers are attached. The Local Area Network (LAN) includes the computers and[...]
Page 134
Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask. If the ISP did not explicitly give you an IP netwo[...]
Page 135
6.3 DHCP The ZyWALL can use DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) to automatically assign IP addresses, subnet masks, gateways, and some network information like the IP addresses of DNS servers to the computers on your LAN. You can alternatively have the ZyWALL r[...]
Page 136
224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 2[...]
Page 137
Figure 92 NETWORK > LAN The following table describes the labels in this screen. Table 22 NETWORK > LAN LABEL DESCRIPTION LAN TCP/IP IP Address Type the IP address of your ZyWALL in dotted decimal notation. 192.168.1.1 is the factory default. Alternatively, click the right mouse butto[...]
Page 138
Multicast Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP ver[...]
Page 139
6.8 LAN Static DHCP This table allows you to assign IP addresses on the LAN to specific individual computers based on their MAC addresses. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecim[...]
Page 140
The following table describes the labels in this screen. 6.9 LAN IP Alias IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL has a single LAN interface. Even though more than one of ports 1~4 may be in the LAN po[...]
Page 141
Figure 95 NETWORK > LAN > IP Alias The following table describes the labels in this screen. Table 24 NETWORK > LAN > IP Alias LABEL DESCRIPTION Enable IP Alias 1, 2 Select the check box to configure another LAN network for the ZyWALL. IP Address Enter the IP address of your ZyWAL[...]
Page 142
6.10 LAN Port Roles Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Ports 1~4 on the ZyWALL can be part of the LAN, DMZ or WLAN interface. Note: Do the following if you are configuring from a computer connected to a LAN, DMZ or WLAN port and changing[...]
Page 143
After you change the LAN/DMZ/WLAN port roles and click Apply, please wait for a few seconds until the following screen appears. Click Return to go back to the Port Roles screen. Figure 97 Port Roles Change Complete Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to[...]
Page 144
[...]
Page 145
CHAPTER 7 Bridge Screens This chapter describes how to configure bridge settings. This chapter is only applicable when the ZyWALL is in bridge mode. 7.1 Bridge Loop The ZyWALL can act as a bridge between a switch and a wired LAN or between two routers. Be careful to avoid bridge loops when you enable bridgin[...]
Page 146
7.2 Spanning Tree Protocol (STP) STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other STP-compliant bridges in your network to ensure that only one route exists between any two stations on the[...]
Page 147
Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello BPDU after a predefined interval (Max Age), the bridge assumes that the link to the root bridge is down[...]
Page 148
Figure 99 NETWORK > Bridge The following table describes the labels in this screen. Table 28 NETWORK > Bridge LABEL DESCRIPTION Bridge IP Address Setup IP Address Type the IP address of your ZyWALL in dotted decimal notation. Use an IP address in the same subnet as the network to[...]
Page 149
7.4 Bridge Port Roles Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Ports 1~4 on the ZyWALL can be part of the LAN, DMZ or WLAN interface. To change your ZyWALL’s port role settings, click NETWORK > BRIDGE > Port Roles. The screen appear[...]
Page 150
Figure 100 NETWORK > Bridge > Port Roles The following table describes the labels in this screen. After you change the LAN/DMZ/WLAN port roles and click Apply, please wait for a few seconds until the following screen appears. Click Return to go back to the Port Roles screen. Figure 101[...]
Page 151
CHAPTER 8 WAN Screens This chapter describes how to configure WAN settings. 8.1 WAN Overview • Use the Route screen to configure route priority for the ZyWALL. • Use the WAN screen to configure the WAN port for Internet access on the ZyWALL. • Use the Traffic Redirect screen to configure an alternativ[...]
Page 152
Figure 102 NETWORK > WAN Route The following table describes the labels in this screen. Table 30 NETWORK > WAN Route LABEL DESCRIPTION Route Priority WAN Traffic Redirect Dial Backup The default WAN connection is "1" as your broadband connection via the WAN port should alw[...]
Page 153
8.4 WAN IP Address Assignment Every computer on the Internet must have a unique IP address. If your networks are isolated from the Internet, for instance, only between your two branch offices, you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Nu[...]
Page 154
3 You can manually enter the IP addresses of other DNS servers. These servers can be public or private. A DNS server could even be behind a remote IPSec router (see Section 20.5.1 on page 366). 8.6 WAN MAC Address Every Ethernet device has a unique MAC (Media Access Control) address. Th[...]
Page 155
Figure 103 NETWORK > WAN > WAN (Ethernet Encapsulation) The following table describes the labels in this screen. Table 32 NETWORK > WAN > WAN (Ethernet Encapsulation) LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation You must choose the Ethernet option when[...]
Page 156
Relogin Every(min) (Telia Login only) The Telia server logs the ZyWALL out if the ZyWALL does not log in periodically. Type the number of minutes from 1 to 59 (30 default) for the ZyWALL to wait between logins. WAN IP Address Assignment Get automatically from ISP Select this option if y[...]
Page 157
8.7.2 PPPoE Encapsulation The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (DSL, cable, wireless, etc.) connection. The PPPoE option is for a dial-up connection u[...]
Page 158
Figure 104 NETWORK > WAN > WAN (PPPoE Encapsulation) The following table describes the labels in this screen. Table 33 NETWORK > WAN > WAN (PPPoE Encapsulation) LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation The PPPoE choice is for a dial-up connection usi[...]
Page 159
Authentication Type Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this remote node. CHAP - Your ZyWALL accepts CHAP only. PAP - Your ZyWALL accepts PAP only. N[...]
Page 160
8.7.3 PPTP Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol and virtua[...]
Page 161
Figure 105 NETWORK > WAN > WAN (PPTP Encapsulation) The following table describes the labels in this screen. Table 34 NETWORK > WAN > WAN (PPTP Encapsulation) LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a netw[...]
Page 162
Authentication Type Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this remote node. CHAP - Your ZyWALL accepts CHAP only. PAP - Your ZyWALL accepts PAP only. Nai[...]
Page 163
8.8 Traffic Redirect Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the ZyWALL still provides firewall protection for the LAN. RIP Version The RIP Ver[...]
Page 164
Figure 106 Traffic Redirect WAN Setup IP alias allows you to avoid triangle route security issues when the backup gateway is connected to the LAN or DMZ. Use IP alias to configure the LAN into two or three logical networks with the ZyWALL itself as the gateway for each LAN network. Put the[...]
Page 165
The following table describes the labels in this screen. 8.10 Configuring Dial Backup Click NETWORK > WAN > Dial Backup to display the Dial Backup screen. Use this screen to configure the backup WAN dial-up connection. Table 35 NETWORK > WAN > Traffic Redirect LABEL DESCRIPTI[...]
Page 166
Figure 109 NETWORK > WAN > Dial Backup The following table describes the labels in this screen. Table 36 NETWORK > WAN > Dial Backup LABEL DESCRIPTION Dial Backup Setup Enable Dial Backup Select this check box to turn on dial backup. Basic Settings Login Name Type the login name[...]
Page 167
Primary/Secondary Phone Number Type the first (primary) phone number from the ISP for this remote node. If the Primary Phone number is busy or does not answer, your ZyWALL dials the Secondary Phone number if available. Some areas require dialing the pound sign # before the phone nu[...]
Page 168
8.11 Advanced Modem Setup 8.11.1 AT Command Strings For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing. ATDT is the command for a switch that requires tone dialing. If your switch requires pulse dialing, change the string to ATDP. For IS[...]
Page 169
8.11.3 Response Strings The response strings tell the ZyWALL the tags, or labels, immediately preceding the various call parameters sent from the WAN device. The response strings have not been standardized; please consult the documentation of your WAN device to find the correct tags.[...]
Page 170
Drop DTR When Hang Up Select this check box to have the ZyWALL drop the DTR (Data Terminal Ready) signal after the "AT Command String: Drop" is sent out. AT Response Strings CLID Type the keyword that precedes the CLID (Calling Line Identification) in the AT response str[...]
Page 171
CHAPTER 9 DMZ Screens This chapter describes how to configure the ZyWALL’s DMZ. 9.1 DMZ The DeMilitarized Zone (DMZ) provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of[...]
Page 172
Figure 111 NETWORK > DMZ The following table describes the labels in this screen. Table 38 NETWORK > DMZ LABEL DESCRIPTION DMZ TCP/IP IP Address Type the IP address of your ZyWALL’s DMZ port in dotted decimal notation. Note: Make sure the IP addresses of the LAN, WAN, WLAN and[...]
Page 173
Multicast Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP versio[...]
Page 174
9.3 DMZ Static DHCP This table allows you to assign IP addresses on the DMZ to specific individual computers based on their MAC addresses. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadec[...]
Page 175
The following table describes the labels in this screen. 9.4 DMZ IP Alias IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL has a single DMZ interface. Even though more than one of ports 1~4 may be in the DMZ po[...]
Page 176
Figure 113 NETWORK > DMZ > IP Alias The following table describes the labels in this screen. Table 40 NETWORK > DMZ > IP Alias LABEL DESCRIPTION Enable IP Alias 1, 2 Select the check box to configure another DMZ network for the ZyWALL. IP Address Enter the IP address of your[...]
Page 177
9.5 DMZ Public IP Address Example The following figure shows a simple network set up with public IP addresses on the WAN and DMZ and private IP addresses on the LAN. Lower case letters represent public IP addresses (like a.b.c.d for example). The LAN port and connected computers (A through[...]
Page 178
Figure 115 DMZ Private and Public Address Example 9.7 DMZ Port Roles Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Ports 1~4 on the ZyWALL can be part of the LAN, DMZ or WLAN interface. Note: Do the following if you are configuring from a compute[...]
Page 179
Figure 116 NETWORK > DMZ > Port Roles The following table describes the labels in this screen. Table 41 NETWORK > DMZ > Port Roles LABEL DESCRIPTION LAN Select a port’s LAN radio button to use the port as part of the LAN. The port will use the ZyWALL’s LAN IP address and MA[...]
Page 180
[...]
-
Page 181
CHAPTER 10 Wireless LAN
This chapter discusses how to configure wireless LAN on the ZyWALL.
10.1 Wireless LAN Introduction
A wireless LAN can be as simple as two computers with wireless LAN adapters communicating in a peer-to-peer network or as complex as a number of computers with wireless LAN adapters communic[...]
Page 182
Figure 117 NETWORK > WLAN
The following table describes the labels in this screen.
Table 42 NETWORK > WLAN
WLAN TCP/IP
IP Address: Type the IP address of your ZyWALL’s WLAN interface in dotted decimal notation. Alternatively, click the right mouse button to c[...]
Page 183
Multicast: Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Management Protocol) is a network-layer protocol used to establish membership in a multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP [...]
Page 184
10.3 WLAN Static DHCP
This table allows you to assign IP addresses on the WLAN to specific individual computers based on their MAC addresses. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexa[...]
Page 185
The following table describes the labels in this screen.
10.4 WLAN IP Alias
IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL has a single WLAN interface. Even though more than one of ports 1~4 may be in the W[...]
Page 186
Figure 119 NETWORK > WLAN > IP Alias
The following table describes the labels in this screen.
Table 44 NETWORK > WLAN > IP Alias
Enable IP Alias 1, 2: Select the check box to configure another WLAN network for the ZyWALL.
IP Address: Enter the IP address of yo[...]
Page 187
10.5 WLAN Port Roles
Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Ports 1~4 on the ZyWALL can be part of the LAN, DMZ or WLAN interface. Connect wireless LAN Access Points (APs) to WLAN interfaces to extend the ZyWALL’s wireless LAN coverage. T[...]
Page 188
Figure 121 NETWORK > WLAN > Port Roles
The following table describes the labels in this screen.
After you change the LAN/DMZ/WLAN port roles and click Apply, please wait a few seconds until the following screen appears. Click Return to go back to the Port Roles screen.
Figure 122 NE[...]
Page 189
PART III Security
Firewall (191)
Content Filtering Screens (223)
Content Filtering Reports (245)
IPSec VPN (253)
Certificates (295)
Authentication Server (323)[...]
Page 191
CHAPTER 11 Firewall
This chapter shows you how to configure your ZyWALL’s firewall.
11.1 Firewall Overview
The networking term firewall refers to a system or group of systems that enforces an access-control policy between two networks. It is generally a mechanism used to protect a trusted network from an untrusted n[...]
Page 192
Your customized rules take precedence and override the ZyWALL’s default settings. The ZyWALL checks the source IP address, destination IP address and IP protocol type (and, through the rule’s service setting, the port) of network traffic against the firewall rules, in the order you list them. When the traffic matches a rule, the ZyWALL t[...]
Page 193
Packets have a source and a destination. The packet direction matrix in the lower part of the screen sets what the ZyWALL does with packets traveling in a specific direction that do not match any of the firewall rules. To have the ZyWALL silently block, by default, traffic from the WAN f[...]
Page 194
By default, the ZyWALL allows packets traveling in the following directions:
By default, the ZyWALL drops packets traveling in the following directions:
• LAN to LAN: These rules specify which computers on the LAN can manage the ZyWALL (remote management) and communicate between networks[...]
Page 195
See Chapter 4 on page 89 for information about packets traveling to or from the VPN tunnels.
11.3.1 To VPN Packet Direction
The ZyWALL can apply firewall rules to traffic before encrypting it to send through a VPN tunnel. To VPN means traffic that comes in through the selected “from”[...]
Page 196
In order to do this, you would configure the SECURITY > FIREWALL > Default Rule screen as follows.
Figure 127 Block DMZ to VPN Traffic by Default Example
11.3.2 From VPN Packet Direction
You can also apply firewall rules to traffic that comes in through the ZyWALL’s VPN tunnels. [...]
Page 197
Figure 128 From VPN to LAN Example
In order to do this, you would configure the SECURITY > FIREWALL > Default Rule screen as follows.
Figure 129 Block VPN to LAN Traffic by Default Example[...]
Page 198
11.3.3 From VPN To VPN Packet Direction
From VPN To VPN firewall rules apply to traffic that comes in through one of the ZyWALL’s VPN tunnels and terminates at the ZyWALL (like for remote management) or goes out through another of the ZyWALL’s VPN tunnels (this is called hub-and-sp[...]
Page 199
Figure 131 Block VPN to VPN Traffic by Default Example
11.4 Security Considerations
Note: Incorrectly configuring the firewall may block valid access or introduce security risks to the ZyWALL and your protected network. Use caution when creating or deleting firewall rules and test your rules[...]
Page 200
Once these questions have been answered, adding rules is simply a matter of entering the information into the correct fields in the web configurator screens.
11.5 Firewall Rules Example
Suppose that your company decides to block all of the LAN users from using IRC (Internet Relay Chat) through [...]
Page 201
Now you configure a LAN to WAN firewall rule that allows IRC traffic from the IP address of the CEO’s computer (192.168.1.7 for example) to go to any destination address. You do not need to specify a schedule since you want the firewall rule to always be in effect. The following figure sh[...]
Page 202
Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL, so that traffic is never checked by the firewall. A better solution is to use IP alias to put the ZyWALL and the backup gateway on separate subnets.
11.6.1 Asymmetrical Routes and IP Alias
You can use IP alias instead of all[...]
Page 203
Figure 135 SECURITY > FIREWALL > Default Rule (Router Mode)
The following table describes the labels in this screen.
Table 48 SECURITY > FIREWALL > Default Rule (Router Mode)
0-100%: This bar displays the percentage of the ZyWALL’s firewall rules storage s[...]
Page 204
11.8 Firewall Default Rule (Bridge Mode)
Click SECURITY > FIREWALL to open the Default Rule screen. Use this screen to configure general firewall settings when the ZyWALL is set to bridge mode. See Section 11.1 on page 191 for more information about the firewall.
From, To: The firewall r[...]
Page 205
Figure 136 SECURITY > FIREWALL > Default Rule (Bridge Mode)
The following table describes the labels in this screen.
Table 49 SECURITY > FIREWALL > Default Rule (Bridge Mode)
0-100%: This bar displays the percentage of the ZyWALL’s firewall rules storage space t[...]
Page 206
11.9 Firewall Rule Summary
Click SECURITY > FIREWALL > Rule Summary to open the screen. This screen displays a list of the configured firewall rules.
From, To: The firewall rules are grouped by the direction of packet travel. This displays the number of rules for each packet direction. [...]
Page 207
Note: The ordering of your rules is very important as rules are applied in the order that they are listed. See Section 11.1 on page 191 for more information about the firewall.
• When the ZyWALL is in bridge mode, enable the default WAN to LAN firewall rule for the BOOTP_CLIENT service t[...]
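The following Python example is added to this page and is not part of ZyXEL’s manual or firmware. It models the evaluation order described in Section 11.1 and illustrated by the IRC example of Section 11.5 and the ordering note above: rules are tried in the order listed, the first match decides, and the packet-direction default applies only when no rule matches. The direction names, the values in the default matrix and the IRC port (TCP 6667) are assumptions made for the example.

```python
# Added example, not ZyXEL's own code: a first-match firewall rule evaluator
# with a per-direction default action, reproducing the IRC rule example of
# Section 11.5 and the ordering note of Section 11.9. The direction names,
# the default matrix values and the IRC port (TCP 6667) are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int
    direction: str    # e.g. "LAN->WAN"


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    src: str = "0.0.0.0/0"        # CIDR; 0.0.0.0/0 stands for Any
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None: any protocol
    dport: Optional[int] = None   # None: any destination port
    action: str = "block"         # "permit" or "block"

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


# Assumed packet-direction matrix: LAN-originated traffic is permitted and
# WAN-originated traffic is blocked when no rule matches.
DEFAULT_ACTION = {"LAN->WAN": "permit", "LAN->LAN": "permit",
                  "WAN->LAN": "block", "WAN->WAN": "block"}


def evaluate(rules, packet):
    """Rules are tried in listed order; the first match decides. If nothing
    matches, the default action for the packet's direction applies."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.name
    return DEFAULT_ACTION.get(packet.direction, "block"), "default"


IRC = {"proto": "tcp", "dport": 6667}
CEO_PC = "192.168.1.7/32"
# Correct order: the CEO's permit rule is inserted before the block rule.
RULES_OK = [
    Rule("CEO-IRC", "LAN->WAN", src=CEO_PC, action="permit", **IRC),
    Rule("Block-IRC", "LAN->WAN", src="192.168.1.0/24", action="block", **IRC),
]
# Wrong order: the block rule comes first and shadows the CEO's rule.
RULES_SHADOWED = RULES_OK[::-1]


def irc_decision(rules, src_ip, dst_ip="203.0.113.5"):
    """Action taken for an IRC connection from src_ip on the LAN to the WAN."""
    return evaluate(rules, Packet(src_ip, dst_ip, "tcp", 6667, "LAN->WAN"))[0]


if __name__ == "__main__":
    for label, rules in (("correct order", RULES_OK), ("shadowed", RULES_SHADOWED)):
        print(label, "CEO:", irc_decision(rules, "192.168.1.7"),
              "other LAN host:", irc_decision(rules, "192.168.1.20"))
```

Running the block prints the decision for the CEO’s computer and for another LAN host under both orderings. With the block rule listed first the CEO’s permit rule never fires, which is why the procedure in this chapter has you insert the more specific rule before the others; non-IRC traffic from the LAN still falls through to the direction default.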
Page 208
11.9.1 Firewall Edit Rule
In the Rule Summary screen, click the edit icon or the insert icon to display the Firewall Edit Rule screen. Use this screen to create or edit a firewall rule. Refer to the following table for information on the labels. See Section 11.1 on page 191 for more informati[...]
Page 209
Figure 138 SECURITY > FIREWALL > Rule Summary > Edit[...]
Page 210
The following table describes the labels in this screen.
Table 51 SECURITY > FIREWALL > Rule Summary > Edit
Rule Name: Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the firewall rule. Spaces are allowed.
Edit So[...]
Page 211
11.10 Anti-Probing
Click SECURITY > FIREWALL > Anti-Probing to open the following screen. Configure this screen to help keep the ZyWALL hidden from probing attempts. You can specify which of the ZyWALL’s interfaces will respond to Ping requests and whether or not the ZyWALL i[...]
Page 212
The following table describes the labels in this screen.
11.11 Firewall Thresholds
For DoS attacks, the ZyWALL uses thresholds to determine when to start dropping sessions that do not become fully established (half-open sessions). These thresholds apply globally to all sessions. For TCP, ha[...]
Page 213
11.11.1 Threshold Values
If everything is working properly, you probably do not need to change the threshold settings as the default threshold values should work for most small offices. Tune these parameters when you believe the ZyWALL has been receiving DoS attacks that are not recorde[...]
Page 214
The following table describes the labels in this screen.
Table 53 SECURITY > FIREWALL > Threshold
Disable DoS Attack Protection on: Select the check boxes of any interfaces (or all VPN tunnels) for which you want the ZyWALL to not use the Denial of Service protection th[...]
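The following Python example is added to this page and is not ZyXEL’s code. It shows the mechanism Section 11.11 describes: half-open TCP sessions (SYN seen, handshake not completed) are counted, new unestablished sessions are dropped once a global threshold is exceeded, and a separate per-destination limit protects a single host from a flood. The threshold names and values, the high/low hysteresis and the event sequence are assumptions made for the example, not the ZyWALL’s actual defaults.

```python
# Added example, not ZyXEL's own code: a half-open (SYN seen, handshake not
# completed) session monitor with the two kinds of limit this section
# describes, a global threshold above which new unestablished sessions are
# dropped and a per-destination TCP limit. The threshold names, their
# values, the high/low hysteresis and the event sequence are assumptions.
from collections import defaultdict


class HalfOpenMonitor:
    def __init__(self, max_incomplete_high=80, max_incomplete_low=60,
                 tcp_max_incomplete_per_host=30):
        self.high = max_incomplete_high      # start dropping new half-open sessions above this
        self.low = max_incomplete_low        # stop dropping once the count falls below this
        self.per_host = tcp_max_incomplete_per_host
        self.half_open = set()               # (src, dst, dport) of unestablished sessions
        self.per_dst = defaultdict(int)      # half-open count per destination host
        self.blocking = False
        self.dropped = 0

    def on_syn(self, src, dst, dport):
        """A new SYN arrives. Returns 'accept', 'drop' or 'retransmit'."""
        key = (src, dst, dport)
        if key in self.half_open:
            return "retransmit"              # same session, does not count twice
        if self.blocking or self.per_dst[dst] >= self.per_host:
            self.dropped += 1
            return "drop"
        self.half_open.add(key)
        self.per_dst[dst] += 1
        if len(self.half_open) > self.high:
            self.blocking = True             # global threshold exceeded
        return "accept"

    def on_established(self, src, dst, dport):
        """Final ACK of the handshake seen: the session is no longer half-open."""
        self._remove((src, dst, dport))

    def on_timeout(self, src, dst, dport):
        """Handshake never completed and the session timed out."""
        self._remove((src, dst, dport))

    def _remove(self, key):
        if key in self.half_open:
            self.half_open.remove(key)
            self.per_dst[key[1]] -= 1
            if self.blocking and len(self.half_open) < self.low:
                self.blocking = False        # back under the low watermark


def simulate():
    """Constructed event sequence: a spoofed SYN flood against one server,
    then normal clients, then the flood's sessions timing out."""
    mon = HalfOpenMonitor(max_incomplete_high=10, max_incomplete_low=5,
                          tcp_max_incomplete_per_host=8)
    flood = [mon.on_syn(f"198.51.100.{i}", "10.0.0.10", 80) for i in range(12)]
    clients = [mon.on_syn(f"192.0.2.{i}", f"10.0.0.{20 + i}", 443) for i in range(3)]
    during_block = mon.on_syn("192.0.2.99", "10.0.0.50", 22)
    for i in range(8):
        mon.on_timeout(f"198.51.100.{i}", "10.0.0.10", 80)
    after_release = mon.on_syn("192.0.2.99", "10.0.0.50", 22)
    return {"flood_accepted": flood.count("accept"),
            "flood_dropped": flood.count("drop"),
            "clients": clients,
            "during_block": during_block,
            "after_release": after_release,
            "dropped_total": mon.dropped}


if __name__ == "__main__":
    print(simulate())
```

In the constructed run the per-host limit stops the flood at eight half-open sessions against the server, three legitimate clients push the global count over the high watermark, one further client is dropped while the global block is active, and once the attacker’s half-open sessions time out the count falls under the low watermark and new sessions are accepted again. This is why the manual suggests tuning thresholds only when attacks are actually being observed: set too low, the global block also costs legitimate users their connections.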
Page 215
11.13 Service
Click SECURITY > FIREWALL > Service to open the screen as shown next. Use this screen to configure custom services for use in firewall rules or view the services that are predefined in the ZyWALL. See Section 11.1 on page 191 for more information about the firewall.
Figur[...]
Page 216
11.13.1 Firewall Edit Custom Service
Click SECURITY > FIREWALL > Service > Add to display the following screen. Use this screen to configure a custom service entry that is not predefined in the ZyWALL. See Appendix D on page 653 in the user’s guide appendices for a list of commonly[...]
Page 217
11.14 My Service Firewall Rule Example
The following Internet firewall rule example allows a hypothetical My Service connection from the Internet.
1 In the Service screen, click Add to open the Edit Custom Service screen.
Figure 144 My Service Firewall Rule Example: Service
2 Configure it as [...]
Page 218
4 Click the insert icon at the top of the row to create the new firewall rule before the others.
Figure 146 My Service Firewall Rule Example: Rule Summary
5 The Edit Rule screen displays. Enter the name of the firewall rule.
6 Select Any in the Destination Address(es) box and then click Delete [...]
Page 219
Note: Custom services show up with an * before their names in the Services list boxes and the Rule Summary screen’s Service Type list box.[...]
Page 220
Figure 148 My Service Firewall Rule Example: Edit Rule: Service Configuration
Rule 1 allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.[...]
Page 221
Figure 149 My Service Firewall Rule Example: Rule Summary: Completed[...]
Page 223
CHAPTER 12 Content Filtering Screens
This chapter provides an overview of content filtering.
12.1 Content Filtering Overview
Content filtering allows you to block certain web features, such as Cookies, and/or block access to specific websites. With content filtering, you can do the following:
12.1.1 Restrict We[...]
Page 224
Figure 150 Content Filtering Lookup Procedure
1 A computer behind the ZyWALL tries to access a web site.
2 The ZyWALL looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site’s category will be in the ZyWALL[...]
Page 225
Figure 151 SECURITY > CONTENT FILTER > General
The following table describes the labels in this screen.
Table 56 SECURITY > CONTENT FILTER > General
General Setup
Enable Content Filter: Select this check box to enable the content filter.
Cont[...]
Page 226
Matched Web Pages: Select Block to prevent users from accessing web pages that match the categories that you select below. When external database content filtering blocks access to a web page, it displays the denied access message that you configured in the CONTENT FILTER[...]
Page 227
12.4 Content Filter Policy
Click SECURITY > CONTENT FILTER > Policy to display the following screen. This screen lists groups of content filtering settings called policies. Content filtering policies allow you to have different content filtering settings for different [...]
Page 228
Figure 152 SECURITY > CONTENT FILTER > Policy
The following table describes the labels in this screen.
Table 57 SECURITY > CONTENT FILTER > Policy
Content Filter Storage Space in Use: This bar displays the percentage of the ZyWALL’s content f[...]
Page 229
12.5 Content Filter Policy: General
Click SECURITY > CONTENT FILTER > Policy and use the Insert button or a policy’s general icon to display the following screen. Use this screen to restrict web features and edit the source (user) addresses or ranges of addresses to[...]
Page 230
12.6 Content Filter Policy: External Database
Click SECURITY > CONTENT FILTER > Policy and then a policy’s external database icon to display the following screen. Use this screen to edit which content categories the content filter policy blocks.
Restrict Web Features[...]
Page 231
Figure 154 SECURITY > CONTENT FILTER > Policy > External Database
The following table describes the labels in this screen.
Table 59 SECURITY > CONTENT FILTER > Policy > External Database
Policy Name: This is the name of the content filter p[...]
Page 232
Sex Education: Selecting this category excludes pages that provide information (sometimes graphic) on reproduction, sexual development, safe sex practices, sexuality, and birth control. It also includes pages that offer tips for better sex as well [...]
Page 233
Hacking: Selecting this category excludes pages that distribute, promote, or provide hacking tools and/or information which may help gain unauthorized access to computer systems and/or computerized communication systems. Hacking encompasses instructions on illegal or questio[...]
Page 234
Government/Legal: Selecting this category excludes pages sponsored by or which provide information on government, government agencies and government services such as taxation and emergency services. It also includes pages that discuss or explain laws of various governmental e[...]
Page 235
Reference: Selecting this category excludes pages containing personal, professional, or educational reference, including online dictionaries, maps, census, almanacs, library catalogues, genealogy-related pages and scientific information.
Open Image/Media Search: Selecting this c[...]
Page 236
Society/Lifestyle: Selecting this category excludes pages providing information on matters of daily life. This does not include pages relating to entertainment, sports, jobs, sex or pages promoting alternative lifestyles such as homosexuality. Personal homepages fall within th[...]
Page 237
12.7 Content Filter Policy: Customization
Click SECURITY > CONTENT FILTER > Policy and then a policy’s customization icon to display the following screen. Use this screen to select good (allowed) web site addresses for this policy and bad (blocked) web site addresses. [...]
Page 238
Figure 155 SECURITY > CONTENT FILTER > Policy > Customization
The following table describes the labels in this screen.
Table 60 SECURITY > CONTENT FILTER > Policy > Customization
Policy Name: This is the name of the content filter policy th[...]
Page 239
12.8 Content Filter Policy: Schedule
Click SECURITY > CONTENT FILTER > Policy and then a policy’s schedule icon to display the following screen. Use this screen to set for which days and times the policy applies.
Available Trusted Object: This list displays the truste[...]
Page 240
Figure 156 SECURITY > CONTENT FILTER > Policy > Schedule
The following table describes the labels in this screen.
12.9 Content Filter Object
Click SECURITY > CONTENT FILTER > Object to display the following screen. Use this screen to maintain a list of allowed web site a[...]
Page 241
Note: To use this screen’s settings in content filtering, you must use the SECURITY > CONTENT FILTER > Policy > Customization screen to add or remove specific sites or keywords for each individual policy.
Figure 157 SECURITY > CONTENT FI[...]
Page 242
12.10 Customizing Keyword Blocking URL Checking
You can use commands to set how much of a website’s URL the content filter is to check for keyword blocking. See the appendices for information on how to access and use the command interpreter.
12.10.1 Domain Name or IP Addre[...]
Page 243
12.10.2 Full Path URL Checking
Full path URL checking has the ZyWALL check the characters that come before the last slash in the URL. For example, with the URL www.zyxel.com.tw/news/pressroom.php, full path URL checking searches for keywords within www.zyxel.com.tw/news/[...]
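The following Python example is added to this page and is not ZyXEL’s code. It applies keyword blocking to the three URL scopes Section 12.10 describes (domain name or IP address only; the full path up to and including the last slash; the whole URL including the file name) and combines that check with a policy’s trusted and forbidden site lists from Section 12.7. The scope names, the policy layout and the sample keywords are assumptions made for the example; the manual’s own www.zyxel.com.tw/news/pressroom.php URL is used as input.

```python
# Added example, not ZyXEL's own code: keyword blocking applied to the three
# URL scopes this section describes (domain name or IP address only; the full
# path up to the last slash; the whole URL including the file name), combined
# with a policy's trusted and forbidden site lists from Section 12.7. The
# scope names, the policy layout and the sample keywords are assumptions.
from urllib.parse import urlsplit


def url_portion(url: str, scope: str) -> str:
    """Return the part of the URL that keyword blocking inspects under `scope`."""
    if "://" not in url:
        url = "http://" + url            # accept bare host/path as typed by a user
    parts = urlsplit(url)
    host = parts.hostname or ""          # lowercased, port and credentials removed
    path = parts.path or "/"
    if scope == "domain":
        return host
    if scope == "fullpath":
        return host + path[: path.rfind("/") + 1]   # up to and including the last slash
    if scope == "filename":
        return host + path
    raise ValueError(f"unknown scope {scope!r}")


def keyword_blocked(url: str, keywords, scope: str = "domain"):
    """Return the first keyword found in the inspected portion, or None."""
    text = url_portion(url, scope).lower()
    for keyword in keywords:
        if keyword.lower() in text:
            return keyword
    return None


def _site_matches(host: str, sites) -> bool:
    return any(host == site or host.endswith("." + site) for site in sites)


def decide(url: str, policy: dict, scope: str = "domain") -> str:
    """Trusted sites are always allowed, forbidden sites always blocked, and
    everything else is subject to keyword blocking in the configured scope."""
    host = url_portion(url, "domain")
    if _site_matches(host, policy.get("trusted", [])):
        return "allow"
    if _site_matches(host, policy.get("forbidden", [])):
        return "block:forbidden-site"
    keyword = keyword_blocked(url, policy.get("keywords", []), scope)
    return f"block:keyword={keyword}" if keyword else "allow"


if __name__ == "__main__":
    url = "www.zyxel.com.tw/news/pressroom.php"
    for scope in ("domain", "fullpath", "filename"):
        print(scope, "inspects", url_portion(url, scope))
```

The practical consequence of the scope setting is visible in the example: a keyword such as "pressroom" is only caught when the whole URL including the file name is checked, "news" is caught under full path or file name checking but not under domain checking, and a keyword in the host name is caught in every scope. Widening the scope catches more, but also raises the chance of blocking a legitimate site whose path happens to contain a keyword, which is why the trusted list is consulted first.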
Page 244
Figure 158 SECURITY > CONTENT FILTER > Cache
The following table describes the labels in this screen.
Table 63 SECURITY > CONTENT FILTER > Cache
URL Cache Setup
Maximum TTL: Type the maximum time to live (TTL) (1 to 720 hours). This sets how long [...]
Page 245
CHAPTER 13 Content Filtering Reports
This chapter describes how to view content filtering reports after you have activated the category-based content filtering subscription service. See Chapter 5 on page 127 on how to create a myZyXEL.com account, register your device and activate the subscription services using[...]
Page 246
Figure 159 myZyXEL.com: Login
3 A welcome screen displays. Click your ZyWALL’s model name and/or MAC address under Registered ZyXEL Products. You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 161 on pa[...]
Page 247
Figure 161 myZyXEL.com: Service Management
5 Enter your ZyXEL device’s MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 161 on page 247). Type your myZyXEL.com account password in the Password field.
6[...]
Page 248
Figure 163 Content Filtering Reports Main Screen
8 Select items under Global Reports or Single User Reports to view the corresponding reports.
Figure 164 Blue Coat: Report Home
9 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken fiel[...]
Page 249
Figure 165 Global Report Screen Example
11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.[...]
Page 250
Figure 166 Requested URLs Example
13.3 Web Site Submission
You may find that a web site has not been accurately categorized or that a web site’s contents have changed and the content filtering category needs to be updated. Use the following procedure to submit the web si[...]
Page 251
Figure 167 Web Page Review Process Screen
3 Type the web site’s URL in the field and click Submit to have the web site reviewed.[...]
Page 253
CHAPTER 14 IPSec VPN
This chapter explains how to set up and maintain IPSec VPNs in the ZyWALL. First, it provides an overview of IPSec VPNs. Then, it introduces each screen for IPSec VPN in the ZyWALL.
14.1 IPSec VPN Overview
A virtual private network (VPN) provides secure communications between sites without [...]
Page 254
A VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the ZyWALL and the remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the ZyWALL and remote [...]
Page 255
You can usually provide a static IP address or a domain name for the ZyWALL. Sometimes, your ZyWALL might also offer another alternative, such as using the IP address of a port or interface. You can usually provide a static IP address or a domain name for the remote IPSec router as well. So[...]
Page 256
Figure 172 SECURITY > VPN > VPN Rules (IKE)
The following table describes the labels in this screen.
Table 64 SECURITY > VPN > VPN Rules (IKE)
VPN Rules: These VPN rules define the settings for creating VPN tunnels for secure connection to other computers or netwo[...]
Page 257
14.3 IKE SA Setup
This section provides more details about IKE SAs.
14.3.1 IKE SA Proposal
The IKE SA proposal is used to identify the encryption algorithm, authentication algorithm, and Diffie-Hellman (DH) key group that the ZyWALL and remote IPSec router use in the IKE SA. In main mode, thi[...]
Page 258
Note: Both routers must use the same encryption algorithm, authentication algorithm, and DH key group. See the field descriptions for information about specific encryption algorithms, authentication algorithms, and DH key groups. See Section 14.3.1.1 on page 258 for more information about DH[...]
Page 259
Note: The ZyWALL and the remote IPSec router must use the same pre-shared key.
Router identity consists of ID type and ID content. The ID type can be IP address, domain name, or e-mail address, and the ID content is a specific IP address, domain name, or e-mail address. The ID content is o[...]
Page 260
• Instead of using the pre-shared key, the ZyWALL and remote IPSec router check each other’s certificates.
• The local ID type and ID content come from the certificate. On the ZyWALL, you simply select which certificate to use.
• If you set the peer ID type to Any, the ZyWALL au[...]
Page 261
Step 2: The remote IPSec router selects an acceptable proposal and sends it back to the ZyWALL. It also finishes the Diffie-Hellman key exchange, authenticates the ZyWALL, and sends its (unencrypted) identity to the ZyWALL for authentication.
Step 3: The ZyWALL authenticates the remote I[...]
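The following Python example is added to this page and is not ZyXEL’s code. It reduces the phase-1 decisions of Sections 14.3.1 to 14.3.4 to code: the responder accepts the first offered proposal whose encryption algorithm, authentication algorithm and DH group it also allows (both sides must agree on all three); the responder compares the initiator’s ID type and ID content against its configured peer ID (or accepts anything when the peer ID type is Any); and both sides prove they hold the same pre-shared key by computing a keyed hash that the other side can only reproduce with that key. The DH group is a toy small-prime group rather than a real IKE group, the hash construction is a simplification of the HASH_I/HASH_R of RFC 2409, and the algorithm names in the proposals are illustrative; all of these are assumptions made for readability.

```python
# Added example, not ZyXEL's own code: the phase-1 decisions described in
# Sections 14.3.1 to 14.3.4 reduced to code. The responder accepts the first
# offered proposal whose encryption algorithm, authentication algorithm and
# DH group it also allows; both sides then prove they hold the same
# pre-shared key over the initiator's ID type and ID content. The DH group is
# a toy small-prime group (not an IKE group) and the hash construction is a
# simplification of RFC 2409's HASH_I/HASH_R; both are assumptions for
# readability, as are the algorithm names used in the proposals.
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    encryption: str       # e.g. "3des", "aes128"
    authentication: str   # e.g. "md5", "sha1"
    dh_group: int         # e.g. 1, 2, 5


def select_proposal(offered, acceptable):
    """Responder side: first offered proposal that is also acceptable, else None."""
    allowed = set(acceptable)
    for proposal in offered:
        if proposal in allowed:
            return proposal
    return None


TOY_P = 2147483647   # 2^31 - 1, prime; real IKE groups use 768-bit and larger MODP primes
TOY_G = 7


def dh_keypair():
    private = secrets.randbelow(TOY_P - 2) + 1
    return private, pow(TOY_G, private, TOY_P)


def skeyid(psk: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    # RFC 2409 pre-shared-key authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return hmac.new(psk, nonce_i + nonce_r, hashlib.sha1).digest()


def auth_hash(key: bytes, shared_secret: int, id_type: str, id_content: str) -> bytes:
    # Simplified HASH: prf(SKEYID, g^xy | ID). Real IKE also covers g^xi, g^xr,
    # the cookies and the SA payload.
    body = shared_secret.to_bytes(4, "big") + f"{id_type}:{id_content}".encode()
    return hmac.new(key, body, hashlib.sha1).digest()


def phase1(offered, acceptable, psk_i, psk_r, id_i, peer_id_cfg):
    """Initiator offers `offered`; responder allows `acceptable` and expects the
    initiator to identify itself as `peer_id_cfg` (("any", "") accepts any ID).
    Returns "ok:<chosen proposal>" or a "fail:<reason>" string."""
    chosen = select_proposal(offered, acceptable)
    if chosen is None:
        return "fail:no-proposal"
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    x_i, g_xi = dh_keypair()
    x_r, g_xr = dh_keypair()
    secret_i = pow(g_xr, x_i, TOY_P)   # initiator's view of g^xy
    secret_r = pow(g_xi, x_r, TOY_P)   # responder's view of g^xy
    if peer_id_cfg != ("any", "") and peer_id_cfg != id_i:
        return "fail:peer-id"
    hash_i = auth_hash(skeyid(psk_i, nonce_i, nonce_r), secret_i, *id_i)
    expected = auth_hash(skeyid(psk_r, nonce_i, nonce_r), secret_r, *id_i)
    if not hmac.compare_digest(hash_i, expected):
        return "fail:psk"
    return f"ok:{chosen.encryption}/{chosen.authentication}/dh{chosen.dh_group}"
```

Two points the example makes concrete: a proposal mismatch fails before any key material is exchanged, so a tunnel that never comes up is most often an algorithm or DH group disagreement rather than a key problem; and a wrong pre-shared key is only detected at the authentication step, after the DH exchange, because the key never crosses the wire and each side can only check that the other side’s hash matches its own.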
Page 262
14.4.1 SA Life Time
SAs have a lifetime that specifies how long the SA lasts until it times out. When an SA times out, the ZyWALL automatically renegotiates the SA in the following situations:
• There is traffic when the SA life time expires
• The IPSec SA is configured on the ZyWALL as[...]
Page 263
Figure 177 IPSec High Availability
When setting up an IPSec high availability VPN tunnel, the remote IPSec router:
• Must have multiple WAN connections
• Only needs one corresponding IPSec rule
• Should only have IPSec high availability settings in its corresponding IPSec rule if your[...]
Page 264
14.5 VPN Rules (IKE) Gateway Policy Edit
In the VPN Rule (IKE) screen, click the add gateway policy icon or the edit icon to display the VPN-Gateway Policy-Edit screen. Use this screen to configure a VPN gateway policy. The gateway policy identifies the IPSec routers at either end o[...]
Page 265
Figure 178 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy[...]
Page 266
The following table describes the labels in this screen.
Table 67 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy
Property
Name: Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyWALL dro[...]
Page 267
Fall back to Primary Remote Gateway when possible: Select this to have the ZyWALL change back to using the primary remote gateway if the connection becomes available again.
Fall Back Check Interval*: Set how often the ZyWALL should check the connection to the primary remote gateway while con[...]
Page 268
Peer ID Type: Select from the following when you set Authentication Key to Pre-shared Key. Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name. Select E-mail to identify the remote IPSec router by an e-mail address[...]
Page 269
Server Mode: Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection. You must also configure the extended authentication clients’ usernames and passwords in the authentication server’s local user database or a RADIUS server [...]
Page 270
14.6 IPSec SA Overview
Once the ZyWALL and remote IPSec router have established the IKE SA, they can securely negotiate an IPSec SA through which to send data between computers on the networks.
Note: The IPSec SA stays connected even if the underlying IKE SA is not available anymore. This se[...]
Page 271
In most cases you should use virtual address mapping (see Section 14.6.2 on page 271) to avoid overlapping local and remote network IP addresses. See Section 14.14 on page 286 for how the ZyWALL handles overlapping local and remote network IP addresses.
14.6.2 Virtual Address Mapping
Virtu[...]
Page 272
14.6.3 Active Protocol
The active protocol controls the format of each packet. It also specifies how much of each packet is protected by the encryption and authentication algorithms. IPSec VPN includes two active protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Securit[...]
Page 273
In transport mode, the encapsulation depends on the active protocol. With AH, the ZyWALL includes part of the original IP header when it encapsulates the packet. With ESP, however, the ZyWALL does not include the IP header when it encapsulates the packet, so it is not possible to verify t[...]
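The following Python example is added to this page and is not ZyXEL’s code. It shows why transport-mode ESP cannot detect changes to the IP header while AH can: AH’s integrity check value (ICV) is computed over the IP header with its mutable fields (TTL, header checksum, TOS, flags and fragment offset) set to zero, plus the AH header and the payload, whereas ESP’s ICV covers only the ESP header, the payload and the ESP trailer. The packet model, the key and the HMAC-SHA1-96 truncation are assumptions made for the example, not ZyWALL internals.

```python
# Added example, not ZyXEL's own code: why transport-mode ESP cannot detect
# changes to the IP header while AH can. AH's integrity check value (ICV)
# covers the IP header with its mutable fields (TTL, header checksum, TOS,
# flags/fragment offset) zeroed, plus the AH header and the payload; ESP's
# ICV covers only the ESP header, the payload and the ESP trailer. The
# packet model, key and HMAC-SHA1 truncation are assumptions made for this
# example, not ZyWALL internals.
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class IPHeader:
    src: bytes       # 4 bytes
    dst: bytes       # 4 bytes
    ttl: int
    tos: int
    checksum: int
    protocol: int


def header_bytes(h: IPHeader, zero_mutable: bool) -> bytes:
    """Serialize the fields this example models; mutable fields are zeroed
    for the AH computation as RFC 2402 requires."""
    ttl = 0 if zero_mutable else h.ttl
    tos = 0 if zero_mutable else h.tos
    checksum = 0 if zero_mutable else h.checksum
    return bytes([tos, ttl, h.protocol]) + checksum.to_bytes(2, "big") + h.src + h.dst


def icv(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:12]   # HMAC-SHA1-96


def ah_icv(key: bytes, hdr: IPHeader, payload: bytes) -> bytes:
    # AH: immutable/predictable IP header fields + AH header + payload
    return icv(key, header_bytes(hdr, zero_mutable=True) + payload)


def esp_icv(key: bytes, payload: bytes) -> bytes:
    # ESP: ESP header + payload + ESP trailer only (all folded into `payload` here)
    return icv(key, payload)


def ah_verify(key: bytes, hdr: IPHeader, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(ah_icv(key, hdr, payload), tag)


def esp_verify(key: bytes, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(esp_icv(key, payload), tag)


def demo():
    """Constructed packet: a router hop legitimately changes TTL and checksum;
    an attacker rewrites the destination address."""
    key = b"example-integrity-key"
    hdr = IPHeader(src=bytes([192, 0, 2, 1]), dst=bytes([198, 51, 100, 7]),
                   ttl=64, tos=0, checksum=0x1234, protocol=51)
    payload = b"constructed transport-mode payload"
    ah_tag, esp_tag = ah_icv(key, hdr, payload), esp_icv(key, payload)
    forwarded = replace(hdr, ttl=63, checksum=0x1334)       # legitimate router changes
    rewritten = replace(hdr, dst=bytes([203, 0, 113, 9]))    # destination tampered with
    return {
        "ah_after_hop": ah_verify(key, forwarded, payload, ah_tag),
        "ah_dst_rewritten": ah_verify(key, rewritten, payload, ah_tag),
        "esp_dst_rewritten": esp_verify(key, payload, esp_tag),
        "esp_payload_tampered": esp_verify(key, payload + b"!", esp_tag),
    }


if __name__ == "__main__":
    print(demo())
```

The run shows AH still verifying after a normal router hop (only mutable fields changed) but failing when the destination address is rewritten, while ESP in transport mode accepts the packet with the rewritten header and only notices tampering with the payload itself. That is the trade-off behind the manual’s remark: ESP protects and hides the data, AH additionally binds the data to the addresses in the outer IP header.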
-
Page 274
Chapter 14 IPSec VPN ZyWALL 2 Plus User’s Guide 274 Figure 181 SECURITY > VPN > VPN Rules (I KE) > Edit Network Policy[...]
-
Page 275
The following table describes the labels in this screen. Table 68 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy. LABEL / DESCRIPTION: Active: If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel. Clear the Active check box to turn[...]
Page 276
Port Forwarding Rules: If you are configuring a Many-to-One rule, click this button to go to a screen where you can configure port forwarding for your VPN tunnels. The VPN network policy port forwarding rules let the ZyWALL forward traffic coming in through the VPN tunnel to the appropriate IP a[...]
Page 277
Ending IP Address/Subnet Mask: When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address, in a range of computers on the LAN behind your ZyWALL. When the Address Type fie[...]
Page 278
14.8 Network Policy Port Forwarding Click SECURITY > VPN and the add network policy icon in the VPN Rules (IKE) screen to display the VPN-Network Policy-Edit screen. Then, under Virtual Address Mapping Rule, select Many-to-One as the Type and click the Port Forwarding Rules button to[...]
Page 279
Figure 182 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding. The following table describes the labels in this screen. Table 69 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding. LABEL / DESCRIPTION: Default Server: In addition[...]
Page 280
14.9 Network Policy Move Click the move icon in the VPN Rules (IKE) screen to display the VPN Rules (IKE): Network Policy Move screen. A VPN (Virtual Private Network) tunnel gives you a secure connection to another computer or network. Each VPN tunnel uses a single gateway policy and one o[...]
Page 281
14.10 IPSec SA Using Manual Keys You might set up an IPSec SA using manual keys when you want to establish a VPN tunnel quickly, for example, for troubleshooting. You should only do this as a temporary solution, however, because it is not as secure as a regular IPSec SA: the keys are fixed and are never renegotiated, so a key that leaks stays valid until you change it by hand. In IPSec SAs using[...]
Page 282
Figure 184 SECURITY > VPN > VPN Rules (Manual). The following table describes the labels in this screen. Table 71 SECURITY > VPN > VPN Rules (Manual). LABEL / DESCRIPTION: #: This is the VPN policy index number. Name: This field displays the identification name for this VPN policy. Activ[...]
Page 283
14.12 VPN Rules (Manual) Edit Click the edit icon on the VPN Rules (Manual) screen to open the following screen. Use this screen to configure VPN rules that use manual keys. Manual key management is useful if you have problems with IKE key management. See Section 14.10 on page 281 for more i[...]
Page 284
Local Network: Specify the IP addresses of the devices behind the ZyWALL that can use the VPN tunnel. The local IP addresses must correspond to the remote IPSec router's configured remote IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same. Two ac[...]
Page 285
14.13 VPN SA Monitor In the web configurator, click SECURITY > VPN > SA Monitor. Use this screen to display and manage active VPN connections. A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This screen displays active VPN connections. U[...]
Page 286
Figure 186 SECURITY > VPN > SA Monitor. The following table describes the labels in this screen. 14.14 VPN Global Setting Click SECURITY > VPN > Global Setting to open the VPN Global Setting screen. Use this screen to change settings that apply to all of your VPN tunnels. 14.14.1 Lo[...]
Page 287
Figure 187 Overlap in a Dynamic VPN Rule
• Setting Local and Remote IP Address Conflict Resolution to The Local Network has the ZyWALL check if a packet's destination is also at the local network before forwarding the packet. If it is, the ZyWALL sends the traffic to the local network[...]
Page 288
Figure 189 SECURITY > VPN > Global Setting. The following table describes the labels in this screen. Table 74 SECURITY > VPN > Global Setting. LABEL / DESCRIPTION: Output Idle Timer: The ZyWALL disconnects a VPN tunnel if the remote IPSec router does not reply for this number of seconds[...]
Page 289
14.15 Telecommuter VPN/IPSec Examples The following examples show how multiple telecommuters can make VPN connections to a single ZyWALL at headquarters. The telecommuters use IPSec routers with dynamic WAN IP addresses. The ZyWALL at headquarters has a static public IP address. 14.15.1 T[...]
Page 290
14.15.2 Telecommuters Using Unique VPN Rules Example In this example the telecommuters (A, B and C in the figure) use IPSec routers with domain names that are mapped to their dynamic WAN IP addresses (use Dynamic DNS to do this). With aggressive negotiation mode (see Section 14.3.1.4 on page[...]
Page 291
14.16 VPN and Remote Management You can allow someone to use a service (like Telnet or HTTP) through a VPN tunnel to manage the ZyWALL. One of the ZyWALL's ports must be part of the VPN rule's local network. This can be the ZyWALL's LAN port if you do not want to allow remote man[...]
Page 292
Figure 192 VPN for Remote Management Example. 14.17 Hub-and-spoke VPN Hub-and-spoke VPN connects VPN tunnels to form one secure network. Figure 193 on page 292 shows some example network topologies. In the first (fully-meshed) approach, there is a VPN connection between every pair of routers.[...]
Page 293
14.17.1 Hub-and-spoke VPN Example The following figure shows a basic hub-and-spoke VPN. Branch office A uses one VPN rule to access both the headquarters (HQ) network and branch office B's network. Branch office B uses one VPN rule to access both the headquarters and branch office A'[...]
Page 294
14.17.3 Hub-and-spoke VPN Requirements and Suggestions Consider the following when implementing a hub-and-spoke VPN.
• The local IP addresses configured in the VPN rules cannot overlap.
• The hub router must have at least one separate VPN rule for each spoke. In the local IP address, specify the[...]
Page 295
CHAPTER 15 Certificates This chapter gives background information about public-key certificates and explains how to use them. 15.1 Certificates Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the[...]
Page 296
Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyWALL can check a peer's certificate against a d[...]
Page 297
Figure 196 Certificate Details. 4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connecti[...]
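The thumbprint check in step 4 above is only as good as the comparison you make. The following is an added example, not code from the ZyXEL guide: it recomputes a certificate's thumbprint from its PEM file the way the ZyWALL's Certificate Details screen (and `openssl x509 -fingerprint -noout -in cert.pem`) does, over the DER bytes, and compares it with the value read to you over the phone or copied from an HTTPS page. The placeholder DER blob is constructed for the example and is not a real X.509 certificate; the hashing and comparison logic is unchanged for a real one.

```python
import base64
import hashlib
import hmac
import re
import textwrap

# Constructed placeholder bytes standing in for a DER-encoded certificate.
# This is NOT a real X.509 certificate; the thumbprint is a hash of the raw
# DER bytes, so the check below behaves identically on a real one.
SAMPLE_DER = b"\x30\x82\x01\x00placeholder-der-bytes-not-a-real-certificate"

# PEM wrapping of the placeholder, as you would export it from the ZyWALL.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode("ascii"), 64))
    + "\n-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and decode it to DER.
    Thumbprints are always computed over the DER bytes, never over the PEM
    text, which is why re-wrapping a PEM file does not change the value."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def thumbprint(der: bytes, algorithm: str = "sha1") -> str:
    """Return the thumbprint in the colon-separated upper-case hex form that
    GUIs such as the Certificate Details screen display. The algorithm must
    match the screen's Thumbprint Algorithm field (typically MD5 or SHA1)."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(value: str) -> str:
    """Drop separators and case so '1a:2b', '1A 2B' and '1a2b' compare equal."""
    return re.sub(r"[^0-9a-fA-F]", "", value).upper()


def thumbprint_matches(der: bytes, algorithm: str, expected: str) -> bool:
    """Compare the locally computed thumbprint with the value obtained out of
    band. Constant-time comparison; a truncated or partial value is rejected
    because the lengths differ, so 'the first few bytes look right' never passes."""
    return hmac.compare_digest(_normalize(thumbprint(der, algorithm)), _normalize(expected))


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("SHA1 thumbprint:", thumbprint(der, "sha1"))
    spoken = thumbprint(der, "sha1").lower().replace(":", " ")  # as read over the phone
    print("matches value read out of band:", thumbprint_matches(der, "sha1", spoken))
```

Compare the full thumbprint, not a prefix: an attacker who can get a certificate in front of you can cheaply craft one whose first few hex digits match, and MD5 thumbprints in particular should be treated as identifiers rather than proof of identity. Where the peer's software offers SHA-256, prefer it.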
Page 298
15.5 My Certificates Click SECURITY > CERTIFICATES > My Certificates to open the My Certificates screen. This is the ZyWALL's summary list of certificates and certification requests. Certificates display in black and certification requests display in gray. Figure 198 SECURITY[...]
Page 299
Subject: This field displays identifying information about the certificate's owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information. Issuer: This field d[...]
Page 300
15.6 My Certificate Details Click SECURITY > CERTIFICATES > My Certificates to open the My Certificates screen (see Figure 198 on page 298). Click the details icon to open the My Certificate Details screen. You can use this screen to view in-depth certificate information and chan[...]
Page 301
Type: This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate's owner signed the certificate (not a certification authority). "X.509" means that this certificate was[...]
Page 302
15.7 My Certificate Export Click SECURITY > CERTIFICATES > My Certificates and then a certificate's export icon to open the My Certificate Export screen. Follow the instructions in this screen to choose the file format to use for saving the certificate from the ZyWALL to a compu[...]
Page 303
The following table describes the labels in this screen. 15.8 My Certificate Import Click SECURITY > CERTIFICATES > My Certificates and then Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate from a computer to the[...]
Page 304
• Binary PKCS#12: This is a format for transferring a certificate together with its private key. The private key in a PKCS #12 file is within a password-encrypted envelope. The file's password is independent of any other password associated with the certificate or its key pair. Exporting a PKCS #12 file c[...]
Page 305
Figure 202 SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12. The following table describes the labels in this screen. 15.9 My Certificate Create Click SECURITY > CERTIFICATES > My Certificates > Create to open the My Certificate Create screen. Use this screen[...]
Page 306
Figure 203 SECURITY > CERTIFICATES > My Certificates > Create (Basic)[...]
Page 307
Figure 204 SECURITY > CERTIFICATES > My Certificates > Create (Advanced). The following table describes the labels in this screen. Table 82 SECURITY > CERTIFICATES > My Certificates > Create. LABEL / DESCRIPTION: Certificate Name: Type up to 31 ASCII characters (not includin[...]
Page 308
Common Name: Select a radio button to identify the certificate's owner by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided. The domain name or e-mail address can be up to 31 ASCII characters[...]
Page 309
Subject Alternative Name: Select a radio button to identify the certificate's owner by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided. The domain name or e-mail address can be up to 31 ASC[...]
Page 310
After you click Apply in the My Certificate Create screen, you see a screen that tells you the ZyWALL is generating the self-signed certificate or certification request. After the ZyWALL successfully enrolls a certificate or generates a certification request or a self-signed certificate,[...]
Page 311
Figure 205 SECURITY > CERTIFICATES > Trusted CAs. The following table describes the labels in this screen. Table 83 SECURITY > CERTIFICATES > Trusted CAs. LABEL / DESCRIPTION: PKI Storage Space in Use: This bar displays the percentage of the ZyWALL's PKI storage space that is[...]
Page 312
15.11 Trusted CA Details Click SECURITY > CERTIFICATES > Trusted CAs to open the Trusted CAs screen. Click the details icon to open the Trusted CA Details screen. Use this screen to view in-depth information about the certification authority's certificate, change the certif[...]
Page 313
The following table describes the labels in this screen. Table 84 SECURITY > CERTIFICATES > Trusted CAs > Details. LABEL / DESCRIPTION: Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this ke[...]
Page 314
15.12 Trusted CA Import Click SECURITY > CERTIFICATES > Trusted CAs to open the Trusted CAs screen and then click Import to open the Trusted CA Import screen. Follow the instructions in this screen to save a trusted certification authority's certificate from a computer to th[...]
Page 315
Figure 207 SECURITY > CERTIFICATES > Trusted CAs > Import. The following table describes the labels in this screen. 15.13 Trusted Remote Hosts Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen. This screen displays a list of th[...]
Page 316
The following table describes the labels in this screen. 15.14 Trusted Remote Host Certificate Details Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen. Click the details icon to open the Trusted Remote Host Details screen. You can use[...]
Page 317
Figure 209 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details. The following table describes the labels in this screen. Table 87 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details. LABEL / DESCRIPTION: Name: This field displays the identifying name of this cert[...]
Page 318
Version: This field displays the X.509 version number. Serial Number: This field displays the certificate's identification number given by the device that created the certificate. Subject: This field displays information that identifies the owner of the certificate, such as Common Nam[...]
Page 319
15.15 Trusted Remote Hosts Import Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen. You may have peers with certificates that you want to trust, but the certificates w[...]
Page 320
15.16 Directory Servers Click SECURITY > CERTIFICATES > Directory Servers to open the Directory Servers screen. This screen displays a summary list of directory servers (that contain lists of valid and revoked certificates) that have been saved into the ZyWALL. If you decide to[...]
Page 321
15.17 Directory Server Add or Edit Click SECURITY > CERTIFICATES > Directory Servers to open the Directory Servers screen. Click Add (or the details icon) to open the Directory Server Add screen. Use this screen to configure information about a directory server that the ZyWALL can[...]
Page 322
Server Port: This field displays the default server port number of the protocol that you select in the Access Protocol field. You may change the server port number if needed, however you must use the same server port number that the directory server uses. 389 is the default server port nu[...]
Page 323
CHAPTER 16 Authentication Server This chapter discusses how to configure the ZyWALL's authentication server feature. 16.1 Authentication Server Overview A ZyWALL set to be a VPN extended authentication server can use either the local user database internal to the ZyWALL or an external RADIUS (Remote Authen[...]
Page 324
Sent by an access point requesting authentication.
• Access-Reject: Sent by a RADIUS server rejecting access.
• Access-Accept: Sent by a RADIUS server allowing access.
• Access-Challenge: Sent by a RADIUS server requesting more information in order to allow access.
The access po[...]
Page 325
Figure 213 SECURITY > AUTH SERVER > Local User Database. The following table describes the labels in this screen. Table 91 SECURITY > AUTH SERVER > Local User Database. LABEL / DESCRIPTION: Active: Select this check box to enable the user profile. User Name: Enter the user nam[...]
Page 326
16.3 RADIUS Click SECURITY > AUTH SERVER > RADIUS to open the RADIUS screen. Configure this screen to use an external RADIUS server to authenticate users. Figure 214 SECURITY > AUTH SERVER > RADIUS. The following table describes the labels in this screen. Table 92 SEC[...]
Page 327
Key: Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external accounting server and the ZyWALL. The key is not sent over the network; it is only used to hide the user's password inside the RADIUS request and to authenticate the server's replies. This key must be the same on the external accounting server and ZyWALL. Apply: Click Apply to save your c[...]
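The four RADIUS message types listed above and the shared Key described here fit together in one exchange. The following is an added example, not code from the ZyXEL guide or from any RADIUS implementation: it builds the Access-Request a RADIUS client like the ZyWALL sends, hides the User-Password attribute with the shared secret as RFC 2865 section 5.2 specifies, and then plays the server side against a constructed local user database, answering Access-Accept or Access-Reject with a Response Authenticator the client can verify. The user names, passwords and secret are made up for the example; only the packet layout and the MD5-based hiding are from the RFC.

```python
import hashlib
import secrets
import struct

# RADIUS packet codes (RFC 2865) and the two attributes used in this example.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 section 5.2): pad to 16-byte blocks and
    XOR each block with MD5(secret || previous block), seeded with the
    16-byte Request Authenticator. The secret never appears on the wire."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password. A wrong secret yields garbage, not an error,
    which is why a key mismatch shows up as 'wrong password' on the server."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ s for c, s in zip(block, stream)), block
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Type-Length-Value attribute encoding; Length counts the 2 header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_packet(packet: bytes):
    """Split a packet into (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2:
            raise ValueError("malformed attribute length")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, packet[4:20], attrs


def build_access_request(ident, username, password, secret, request_auth=None):
    """What the RADIUS client (here, the ZyWALL) sends for an extended-auth login."""
    request_auth = request_auth or secrets.token_bytes(16)
    body = encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_response(code, ident, attrs, request_auth, secret):
    """Server reply. The Response Authenticator is MD5 over the reply header,
    the request's authenticator, the reply attributes and the shared secret."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret) -> bool:
    """Client-side check that the reply came from a server holding the same key."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return secrets.compare_digest(expected, resp_auth)


def authenticate(packet, secret, user_db):
    """Minimal RADIUS server: unhide the password and check it against a
    local user database (a dict of username -> password). Returns the reply
    packet, or None for anything that is not an Access-Request."""
    code, ident, request_auth, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        return None
    a = dict(attrs)
    user = a.get(ATTR_USER_NAME, b"")
    pw = unhide_password(a.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in user_db and secrets.compare_digest(user_db[user], pw)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, [], request_auth, secret)


if __name__ == "__main__":
    secret = b"s3cret-shared-key"            # constructed example key
    users = {b"alice": b"pa55word"}          # constructed local user database
    req = build_access_request(7, b"alice", b"pa55word", secret)
    reply = authenticate(req, secret, users)
    print("code:", reply[0], "verified:", verify_response(reply, req[4:20], secret))
```

Two practical consequences follow from the code: the hiding is MD5 keyed by the shared secret, so a short or guessable Key lets anyone who captures one request recover the password offline, and a key mismatch between the ZyWALL and the server never produces an error, only rejected logins. Run RADIUS over a trusted segment or a VPN, and choose the Key like a password you will never type.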
Page 329
PART IV Advanced
• Network Address Translation (NAT) (331)
• Static Route (347)
• Bandwidth Management (351)
• DNS (365)
• Remote Management (377)
• UPnP (399)
• ALG Screen (411)[...]
Page 331
CHAPTER 17 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 17.1 NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one networ[...]
Page 332
Note: NAT never changes the IP address (either local or global) of an outside host. 17.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global addres[...]
Page 333
Figure 215 How NAT Works. 17.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end[...]
Page 334
17.1.5 Port Restricted Cone NAT ZyWALL ZyNOS version 4.00 and later uses port restricted cone NAT. Port restricted cone NAT maps all outgoing packets from an internal IP address and port to a single IP address and port on the external network. In the following exam[...]
Page 335
• Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world, although it is highly recommended that you use the DMZ port for these servers instead. Note: Port numbers do not change for One[...]
Page 336
Selecting SUA means (latent) multiple WAN-to-LAN and WAN-to-DMZ address translation. That means that computers on your DMZ with public IP addresses will still have to undergo NAT mapping if you're using SUA NAT mapping. If this is not your intention, then select[...]
Page 337
17.4 NAT Address Mapping Click ADVANCED > NAT > Address Mapping to open the following screen. 17.4.1 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the i[...]
Page 338
Figure 219 ADVANCED > NAT > Address Mapping. The following table describes the labels in this screen. Table 96 ADVANCED > NAT > Address Mapping. LABEL / DESCRIPTION: SUA Address Mapping Rules: This read-only table displays the default address mapping rules. Fu[...]
Page 339
17.4.2 NAT Address Mapping Edit Click the edit icon to display the NAT Address Mapping Edit screen. Use this screen to edit an address mapping rule. See Section 17.1 on page 331 for information on NAT and address mapping. Figure 220 ADVANCED > NAT > Addres[...]
Page 340
The following table describes the labels in this screen. 17.5 Port Forwarding A port forwarding set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though NAT makes your whole inside ne[...]
Page 341
Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. 17.5.2 Port Forwarding: Services and Port Numbers Use the Port Forwarding screen to forward in[...]
Page 342
The following example has two web servers on a LAN. Server A uses IP address 192.168.1.33 and server B uses 192.168.1.34. Both servers use port 80. The letters a.b.c.d represent the WAN port's IP address. The ZyWALL translates port 8080 of traffic received on the[...]
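The port restricted cone behaviour from Section 17.1.5, the Default Server note in Section 17.5 and the two-web-server port forwarding example above all describe how the ZyWALL decides what to do with an inbound packet. The following is an added example, not code from the ZyXEL guide: a small simulation of that decision, with outbound traffic creating one external port per inside ip:port whatever it talks to, inbound traffic to that port accepted only from an ip:port the inside host already contacted, and everything else going through the port forwarding rules and then the default server. The WAN address 203.0.113.1 stands in for the guide's a.b.c.d, the external port numbering from 40000 is an assumption of the model (the real allocation policy is not stated on the page), and mapping WAN port 8081 to server B is a hypothetical rule, since the page only shows 8080 for server A.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]

WAN_IP = "203.0.113.1"  # stands in for the guide's a.b.c.d (constructed)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortRestrictedConeNAT:
    """Model of the NAT behaviour described in this chapter.

    Outbound: each inside ip:port gets one external port, reused for every
    destination (the 'cone' part).
    Inbound to a mapped external port is accepted only from an ip:port the
    inside host already sent to (the 'port restricted' part).
    Inbound to any other port consults the port forwarding rules, then the
    default server, and is otherwise discarded, as the note in 17.5 states.
    """

    def __init__(self, wan_ip: str, forwarding: Optional[Dict[int, Endpoint]] = None,
                 default_server: Optional[str] = None, first_port: int = 40000):
        self.wan_ip = wan_ip
        self.forwarding = dict(forwarding or {})   # wan_port -> (inside_ip, inside_port)
        self.default_server = default_server
        self._next_port = first_port               # assumption: sequential allocation
        self._by_inside: Dict[Endpoint, int] = {}
        self._by_ext: Dict[int, Endpoint] = {}
        self._peers: Dict[int, Set[Endpoint]] = {}  # ext_port -> endpoints contacted

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a LAN-to-WAN packet, creating the mapping on first use."""
        inside = (pkt.src_ip, pkt.src_port)
        ext = self._by_inside.get(inside)
        if ext is None:
            ext = self._next_port
            self._next_port += 1
            self._by_inside[inside] = ext
            self._by_ext[ext] = inside
            self._peers[ext] = set()
        self._peers[ext].add((pkt.dst_ip, pkt.dst_port))
        return Packet(self.wan_ip, ext, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a WAN-to-LAN packet, or return None if the ZyWALL would drop it."""
        if pkt.dst_ip != self.wan_ip:
            return None
        inside = self._by_ext.get(pkt.dst_port)
        if inside is not None:
            # Port restricted: the exact ip:port must have been contacted first.
            if (pkt.src_ip, pkt.src_port) in self._peers[pkt.dst_port]:
                return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])
            return None
        target = self.forwarding.get(pkt.dst_port)
        if target is not None:
            return Packet(pkt.src_ip, pkt.src_port, target[0], target[1])
        if self.default_server is not None:
            return Packet(pkt.src_ip, pkt.src_port, self.default_server, pkt.dst_port)
        return None


def build_example_nat(default_server: Optional[str] = None) -> PortRestrictedConeNAT:
    """The two-web-server example: WAN 8080 -> server A, and (hypothetically) 8081 -> server B."""
    return PortRestrictedConeNAT(
        WAN_IP,
        forwarding={8080: ("192.168.1.33", 80), 8081: ("192.168.1.34", 80)},
        default_server=default_server,
    )


if __name__ == "__main__":
    nat = build_example_nat()
    out = nat.outbound(Packet("192.168.1.10", 5000, "203.0.113.5", 53))
    print("outbound mapped to", out.src_ip, out.src_port)
    print("reply from DNS server:", nat.inbound(Packet("203.0.113.5", 53, WAN_IP, out.src_port)))
    print("probe from elsewhere:", nat.inbound(Packet("192.0.2.9", 53, WAN_IP, out.src_port)))
    print("web to server A:", nat.inbound(Packet("192.0.2.9", 44444, WAN_IP, 8080)))
    print("unsolicited SSH:", nat.inbound(Packet("192.0.2.9", 44444, WAN_IP, 22)))
```

The last two lines of the demo are the security-relevant ones: with no Default Server, traffic to a port you did not forward is discarded, but as soon as you set one, every unforwarded port on the WAN address reaches that host, so the default server must be a machine you are prepared to expose completely.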
Page 343
Figure 223 ADVANCED > NAT > Port Forwarding. The following table describes the labels in this screen. Table 98 ADVANCED > NAT > Port Forwarding. LABEL / DESCRIPTION: Default Server: In addition to the servers for specified services, NAT supports a default se[...]
Page 344
17.7 Port Triggering Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in from the server on the WAN) to the I[...]
Page 345
Figure 225 ADVANCED > NAT > Port Triggering. The following table describes the labels in this screen. Table 99 ADVANCED > NAT > Port Triggering. LABEL / DESCRIPTION: #: This is the rule index number (read-only). Name: Type a unique name (up to 15 characters[...]
Page 347
CHAPTER 18 Static Route This chapter shows you how to configure static routes for your ZyWALL. 18.1 IP Static Route The ZyWALL usually uses the default gateway to route outbound traffic from local computers to the Internet. To have the ZyWALL send data to devices not reachable through the default gateway,[...]
Page 348
18.2 IP Static Route Click ADVANCED > STATIC ROUTE to open the IP Static Route screen (some of the screen's blank rows are not shown). The first static route entry is for the default WAN route. You cannot modify or delete a static default route. The default route is disabl[...]
Page 349
18.2.1 IP Static Route Edit Click the edit icon in the IP Static Route screen. The screen shown next appears. Use this screen to configure the required information for a static route. Figure 228 ADVANCED > STATIC ROUTE > IP Static Route > Edit. The following table describes the[...]
Page 351
CHAPTER 19 Bandwidth Management This chapter describes the functions and configuration of bandwidth management with multiple levels of sub-classes. 19.1 Bandwidth Management Overview Bandwidth management allows you to allocate an interface's outgoing capacity to specific types of traffic. It can also help you[...]
Page 352
19.3 Proportional Bandwidth Allocation Bandwidth management allows you to define how much bandwidth each class gets; however, the actual bandwidth allotted to each class decreases or increases in proportion to actual available bandwidth. 19.4 Application-based Bandwidth Mana[...]
Page 353
19.7 Scheduler The scheduler divides up an interface's bandwidth among the bandwidth classes. The ZyWALL has two types of scheduler: fairness-based and priority-based. 19.7.1 Priority-based Scheduler With the priority-based scheduler, the ZyWALL forwards traffic from bandwidt[...]
Page 354
2 Do not enable the interface's Maximize Bandwidth Usage option. 3 Do not enable bandwidth borrowing on the sub-classes that have the root class as their parent (see Section 19.8 on page 355). 19.7.5 Maximize Bandwidth Usage Example Here is an example of a ZyWALL that has[...]
Page 355
19.7.5.2 Fairness-based Allotment of Unused and Unbudgeted Bandwidth The following table shows the amount of bandwidth that each class gets. Suppose that all of the classes except for the administration class need more bandwidth.
• Each class gets up to its budgeted bandwidth. T[...]
Page 356
Refer to the product specifications in the appendix to see how many class levels you can configure on your ZyWALL.
• The Administration class can borrow unused bandwidth from the Root class because the Administration class has bandwidth borrowing enabled.
• The Sales class c[...]
Page 357
If you use VoIP and NetMeeting at the same time, the device allocates up to 500 Kbps of bandwidth to each of them before it allocates any bandwidth to FTP. As a result, FTP can only use bandwidth when VoIP and NetMeeting do not use all of their allocated bandwidth. Suppose you tr[...]
Page 358
19.12 Configuring Class Setup The Class Setup screen displays the configured bandwidth classes by individual interface. Select an interface and click the buttons to perform the actions described next. Click "+" to expand the class tree or click "-" to collapse the clas[...]
Page 359
The following table describes the labels in this screen. 19.12.1 Bandwidth Manager Class Configuration Configure a bandwidth management class in the Class Setup screen. You must use the Summary screen to enable bandwidth management on an interface before you can configure classes[...]
Page 360
Figure 232 ADVANCED > BW MGMT > Class Setup > Add Sub-Class. The following table describes the labels in this screen. Table 110 ADVANCED > BW MGMT > Class Setup > Add Sub-Class. LABEL / DESCRIPTION: Class Configuration: Class Name: Use the auto-generated name or ent[...]
Page 361
Service: This field simplifies bandwidth class configuration by allowing you to select a predefined application. When you select a predefined application, you do not configure the rest of the bandwidth filter fields (other than enabling or disabling the filter). FTP (File Transf[...]
Page 362
19.12.2 Bandwidth Management Statistics Click ADVANCED > BW MGMT > Class Setup > Statistics to open the Bandwidth Management Statistics screen. This screen displays the selected bandwidth class's bandwidth usage and allotments. Figure 233 ADVANCED > BW M[...]
Page 363
The following table describes the labels in this screen. 19.13 Bandwidth Manager Monitor Click ADVANCED > BW MGMT > Monitor to open the following screen. Use this screen to view the device's bandwidth usage and allotments. Figure 234 ADVANCED > BW MGMT > Monitor. Ta[...]
Page 364
The following table describes the labels in this screen. Table 113 ADVANCED > BW MGMT > Monitor. LABEL / DESCRIPTION: Interface: Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes. Class: This field displays the name of the bandwi[...]
Page 365
CHAPTER 20 DNS This chapter shows you how to configure the DNS screens. 20.1 DNS Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access i[...]
Page 366
20.4 Address Record An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where "www" is the host, "zyxel[...]
Page 367
Figure 235 Private DNS Server Example. Note: If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network. 20.6 System Screen Click ADVANCED > DNS to display the following screen. Use this scree[...]
Page 368
The following table describes the labels in this screen. 20.6.1 Adding an Address Record Click Add in the System screen to open this screen. Use this screen to add an address record. Table 114 ADVANCED > DNS > System DNS. LABEL / DESCRIPTION: Address Record: An address record specifies the mapp[...]
Page 369
An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. Configure address records about the ZyWALL itself or another device to keep a record of DNS names and addresses that people on your network may use frequently. If the ZyWALL receives a DNS query for[...]
Page 370
Chapter 20 DNS ZyWALL 2 Plus User’s Guide 370 Figure 238 ADV ANCED > DNS > Insert (Name Server Record) The following table describes the labels in this screen. T able 1 16 ADV ANCED > DNS > Insert (Name Server Record) LABEL DESCRIPTION Domain Zone This fiel d is optional. A domain zone is a fully qualifie d domain name without the hos[...]
-
Page 371
Chapter 20 DNS ZyWALL 2 Plus User’s Guide 371 20.7 DNS Cache DNS cache is the temporary storage area where a router stores responses from DNS servers. When the ZyW ALL receives a positive or negati ve response for a DNS query , it records the response in the DNS cache. A positive respon se means that the Zy W ALL received the IP address for a dom[...]
-
Page 372
Chapter 20 DNS ZyWALL 2 Plus User’s Guide 372 The following table describes the labels in this screen. 20.9 Configuring DNS DHCP Click ADV A NCED > DNS > DHCP to open the DNS DH CP screen shown next. Use this screen to configure the DNS server information that the ZyW ALL sends to its LAN, DMZ or WLAN DHCP clients. T able 1 17 ADV ANCED >[...]
-
Page 373
Chapter 20 DNS ZyWALL 2 Plus User’s Guide 373 Figure 240 ADV ANCED > DN S > DHCP The following table describes the labels in this screen. T able 1 18 ADV A NCED > DNS > DHCP LABEL DESCRIPTION DNS Servers Assigned by DHCP Serve r The ZyW ALL passes a DNS (Domain Name System) server IP address to the DHCP clients. Selected Interface Sel[...]
-
Page 374
Chapter 20 DNS ZyWALL 2 Plus User’s Guide 374 20.10 Dynamic DNS Dynamic DNS allows you to update your curre nt dynamic IP address with one or many dynamic DNS services so that anyone can c ont act you (in NetMeeting, CU-SeeMe, etc.). Y ou can also access your FTP server or W eb site on your own computer using a domain name (for instance myhost.dh[...]
-
Page 375
Chapter 20 DNS ZyWALL 2 Plus User’s Guide 375 Figure 241 ADV ANCED > DN S > DDNS The following table describes the labels in this screen. T able 1 19 ADVANCED > DN S > DDNS LABEL DESCRIPTION Account Setup Active Select this check box to use dynamic DNS. Service Provider This is the name of your Dynamic DNS servi ce provider . Username[...]
-
Page 376
Chapter 20 DNS ZyWALL 2 Plus User’s Guide 376 IP Address Update Policy Select Use W AN IP Address to have the ZyW A LL update the domain name with the W AN port's IP ad dress. Select Use User-Defined and enter the IP address if you have a static IP address. Select Let DDNS Server Auto Detect only when there are one or more NA T routers betwe[...]
-
Page 377
ZyWALL 2 Plus User’s Guide 377 C HAPTER 21 Remote Management This chapter provides information on the Remote Management screens. 21.1 Remote Management Overview Remote management allows you to determ ine which services/protocols can access which ZyW ALL interface (if any) from which computers. The following figure shows secu re and insecure manag[...]
-
Page 378
Chapter 21 Remo te Management ZyWALL 2 Plus User’s Guide 378 3 Te l n e t 4 HTTPS and HTTP 21.1.1 Remote Management Limit ations Remote management do es not work when: 1 Y o u have not enabled that service on th e interface in the corresponding remote management screen. 2 Y ou have disabled that service in one of the remote management screens. 3 [...]
-
Page 379
Chapter 21 Remote Manag ement ZyWALL 2 Plus User’s Guide 379 1 HTTPS connection requests from an SSL-aware we b browser go to port 443 (by default) on the ZyW ALL’ s WS (web server). 2 HTTP connection requests from a web browser go to port 80 (by default) on the ZyW ALL’ s WS (web server). Figure 243 HTTPS Implement ation " If you disabl[...]
-
Page 380
Chapter 21 Remo te Management ZyWALL 2 Plus User’s Guide 380 The following table describes the labels in this screen. 21.4 HTTPS Example If you haven’t changed the default HTTPS port on the ZyW ALL, then in your browser enter “https://ZyW ALL IP Address/” as the web site address where “Z yW ALL IP Address” is the IP address or domain na[...]
-
Page 381
Chapter 21 Remote Manag ement ZyWALL 2 Plus User’s Guide 381 21.4.1 Internet Explorer W arning Messages When you attempt to access the ZyW ALL HT TPS server , a W indows dialog box pops up asking if you trust the server certificate. Click V iew Cert ificate if you want to verify that the certificate is from the ZyW ALL. Y o u see the following Se[...]
-
Page 382
Chapter 21 Remo te Management ZyWALL 2 Plus User’s Guide 382 Figure 246 Security Certificate 1 (Net scape) Figure 247 Security Certificate 2 (Net scape) 21.4.3 A voiding the Browser W arn ing Messages The following describes the main reasons that your browser displays warnings about the ZyW ALL’ s HTTPS server certificate and what you can do to[...]
-
Page 383
Chapter 21 Remote Manag ement ZyWALL 2 Plus User’s Guide 383 • Click CER TIFICA TES . Find the certificate and check its Subject column. CN stands for certificate’ s common name (see Figure 250 on page 38 4 for an example). Use this procedure to ha ve the ZyW ALL use a certificate with a common name that matches the ZyW ALL’ s actual IP add[...]
-
Page 384
Chapter 21 Remo te Management ZyWALL 2 Plus User’s Guide 384 Figure 249 Replace Certificate Click Apply in the Replace Certificate scre en to create a certificate using your ZyW ALL’ s MAC address that will be spec ific to this device. Click CER TIFICA TES to open the My Certificates scree n. Y ou will see information similar to that shown in t[...]
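The two browser complaints described in 21.4.3 (an issuer the browser does not trust, and a common name that does not match the address you typed) are mechanical checks, and it helps to see exactly what "matches" means before replacing the certificate. The following is an added example, not code from the ZyXEL manual or from the device: it takes certificates in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns and decides whether the name the user typed in the URL is covered. The sample certificates are constructed; the factory certificate's common name "ZyWALL", the assumption that the Replace Certificate screen yields a self-signed certificate whose common name is the LAN IP address, the name fw.example.com and the issuer "Example Corp Internal CA" are all illustrative assumptions, not values taken from the device.

```python
import ipaddress
from typing import Iterable

# Certificate dicts use the shape returned by ssl.SSLSocket.getpeercert():
# 'subject'/'issuer' are tuples of RDNs, each RDN a tuple of (type, value) pairs,
# and 'subjectAltName' is a tuple of (kind, value) pairs such as ('DNS', 'x') or
# ('IP Address', '192.168.1.1'). A live peer certificate drops straight in.


def _rdn_values(cert: dict, name: str, attr: str = "commonName") -> list:
    """Collect e.g. every commonName from the subject or issuer name."""
    return [v for rdn in cert.get(name, ()) for k, v in rdn if k == attr]


def _san(cert: dict, kind: str) -> list:
    return [v for k, v in cert.get("subjectAltName", ()) if k == kind]


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, '*' allowed only as the whole left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        plabels, hlabels = pattern.split(".")[1:], host.split(".")
        return len(hlabels) == len(plabels) + 1 and hlabels[1:] == plabels
    return pattern == host


def cert_matches_address(cert: dict, address: str) -> bool:
    """Does the certificate name the host part of the URL the user typed?"""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal should appear as an iPAddress SAN. Falling back to a CN that
        # holds the dotted string is the legacy rule for certificates with no SAN at
        # all, which is what the device's self-generated certificate is assumed to be.
        san_ips = _san(cert, "IP Address")
        if san_ips:
            return any(ipaddress.ip_address(s) == ip for s in san_ips)
        return str(ip) in _rdn_values(cert, "subject")
    san_dns = _san(cert, "DNS")
    if san_dns:
        return any(_dns_match(p, address) for p in san_dns)
    return any(_dns_match(cn, address) for cn in _rdn_values(cert, "subject"))


def warning_reasons(cert: dict, address: str, trusted_issuer_cns: Iterable[str]) -> list:
    """The two complaints a browser raises, in the order the text lists them."""
    trusted = set(trusted_issuer_cns)
    reasons = []
    if not any(cn in trusted for cn in _rdn_values(cert, "issuer")):
        reasons.append("issuer not trusted")
    if not cert_matches_address(cert, address):
        reasons.append("name mismatch")
    return reasons


# Constructed sample certificates (not real device certificates). The factory
# certificate is assumed to be self-signed with a generic common name; the
# replacement certificate from the Replace Certificate screen is assumed to be
# self-signed with the device's LAN IP address as its common name.
FACTORY_CERT = {
    "subject": ((("commonName", "ZyWALL"),),),
    "issuer": ((("commonName", "ZyWALL"),),),
}
REPLACED_CERT = {
    "subject": ((("commonName", "192.168.1.1"),),),
    "issuer": ((("commonName", "192.168.1.1"),),),
}
CA_SIGNED_CERT = {
    "subject": ((("commonName", "fw.example.com"),),),
    "issuer": ((("commonName", "Example Corp Internal CA"),),),
    "subjectAltName": (("DNS", "fw.example.com"), ("IP Address", "192.168.1.1")),
}

if __name__ == "__main__":
    for label, cert in [("factory", FACTORY_CERT), ("replaced", REPLACED_CERT), ("ca-signed", CA_SIGNED_CERT)]:
        print(label, warning_reasons(cert, "192.168.1.1", {"Example Corp Internal CA"}))
```

Replacing the certificate removes only the name-mismatch warning; the self-signed certificate still fails the issuer check until you import it (or the CA that signed it) into the browser's trust store, which is why the text lists both reasons separately.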
Page 385
21.5 SSH
You can use SSH (Secure SHell) to securely access the ZyWALL's SMT or command line interface. Specify which interfaces allow SSH access and from which IP address the access can come. Unlike Telnet or FTP, which transmit data in plaintext (clear or unencrypted text), [...]

Page 386
The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server. (This is the SSH version 1 exchange; SSH version 2 derives the session key with a Diffie-Hellman exchange instead, and the host key only signs it.) The client automatically saves any new server[...]
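The sentence "the client automatically saves any new server host key" is the trust-on-first-use policy that OpenSSH implements with known_hosts (Figure 255 shows the same prompt in a Windows client). Its weak point is the first connection: an attacker who sits between you and the ZyWALL at that moment can present their own host key and it will be saved as genuine. The following is an added example, not code from the ZyXEL manual or from any SSH client: it implements the store and the three outcomes a client can reach (first contact, match, mismatch), plus the fix for the first-contact gap, which is checking the offered key against a fingerprint you obtained out of band, for instance over the console port. The key blobs are constructed placeholder bytes, not real SSH keys, and the hostname 192.168.1.1 is assumed.

```python
import base64
import hashlib


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a host key blob (unpadded base64)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class KnownHosts:
    """Trust-on-first-use host key store: the policy behind 'the client
    automatically saves any new server host key'."""

    def __init__(self):
        self._keys = {}  # "[host]:port" -> (key_type, key_blob)

    @staticmethod
    def _label(host: str, port: int) -> str:
        return f"[{host}]:{port}"

    def check(self, host: str, port: int, key_type: str, key_blob: bytes,
              expected_fp: str = None) -> str:
        """Returns one of:
        'rejected'  first contact, but the key does not match the fingerprint the admin supplied
        'new'       first contact, key stored (blind trust if no fingerprint was supplied)
        'match'     the key is the one stored earlier
        'mismatch'  the key differs from the stored one; refuse to send the password
        """
        label = self._label(host, port)
        offered = (key_type, key_blob)
        known = self._keys.get(label)
        if known is None:
            if expected_fp is not None and fingerprint(key_blob) != expected_fp:
                return "rejected"
            self._keys[label] = offered
            return "new"
        return "match" if known == offered else "mismatch"

    def export(self) -> str:
        """Serialise in the one-line-per-host form that known_hosts uses."""
        return "\n".join(
            f"{label} {ktype} {base64.b64encode(blob).decode('ascii')}"
            for label, (ktype, blob) in sorted(self._keys.items())
        )


# Constructed placeholder key blobs; real host keys are binary SSH wire-format structures.
GENUINE_KEY = b"constructed placeholder for the ZyWALL host key"
IMPOSTOR_KEY = b"constructed placeholder for an attacker's host key"

if __name__ == "__main__":
    store = KnownHosts()
    # Console-verified fingerprint turns the first connection from blind trust into a check.
    print(store.check("192.168.1.1", 22, "ssh-rsa", IMPOSTOR_KEY, fingerprint(GENUINE_KEY)))  # rejected
    print(store.check("192.168.1.1", 22, "ssh-rsa", GENUINE_KEY, fingerprint(GENUINE_KEY)))   # new
    print(store.check("192.168.1.1", 22, "ssh-rsa", GENUINE_KEY))                             # match
    print(store.check("192.168.1.1", 22, "ssh-rsa", IMPOSTOR_KEY))                            # mismatch
    print(store.export())
```

A "mismatch" after a firmware upload or a factory reset is expected, because the device generates a new host key; a mismatch at any other time should be treated as a possible interception and investigated before the password is typed.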
Page 387
Figure 254 ADVANCED > REMOTE MGMT > SSH
The following table describes the labels in this screen.
21.9 Secure Telnet Using SSH Examples
This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the ZyWALL. The con[...]

Page 388
Figure 255 SSH Example 1: Store Host Key
Enter the password to log in to the ZyWALL. The SMT main menu displays next.
21.9.2 Example 2: Linux
This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distributions.
1 Test whether [...]

Page 389
Figure 257 SSH Example 2: Log in
3 The SMT main menu displays next.
21.10 Secure FTP Using SSH Example
This section shows an example of file transfer using the OpenSSH client program. The configuration and connection steps are similar for other SSH client programs. Refer to your SSH c[...]

Page 390
21.11 Telnet
You can use Telnet to access the ZyWALL's SMT or command line interface. Specify which interfaces allow Telnet access and from which IP address the access can come. Telnet carries the password and the whole session in plaintext (see Section 21.5), so enable it only on trusted interfaces, restrict it to specific management addresses, and prefer SSH.
21.12 Configuring TELNET
Click ADVANCED > REMOTE MGMT > TELNET to open the following scre[...]

Page 391
21.13 FTP
You can use FTP (File Transfer Protocol) to upload and download the ZyWALL's firmware and configuration files; please see the User's Guide chapter on firmware and configuration file maintenance for details. Like Telnet, FTP sends the password and the transferred files in plaintext; Section 21.10 shows the same transfer over SSH. To use this feature, your computer must have an FTP clien[...]

Page 392
21.14 SNMP
Simple Network Management Protocol is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyW[...]

Page 393
SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:
• Get - Allows the manager to retrieve an object variable from the agent.
• GetNext - Allows t[...]

Page 394
Figure 262 ADVANCED > REMOTE MGMT > SNMP
The following table describes the labels in this screen. Community strings are the only authentication in SNMPv1 and SNMPv2c and are sent unencrypted with every request, so treat them like passwords: use values that cannot be guessed and restrict SNMP to trusted management addresses.
Table 125 ADVANCED > REMOTE MGMT > SNMP
SNMP Configuration
Get Community: Enter the Get Community, which is the password for the incoming Get and GetNext req[...]

Page 395
21.15 DNS
DNS (Domain Name System) maps a domain name to its corresponding IP address and vice versa. Refer to Chapter 8 on page 151 for more information. Click ADVANCED > REMOTE MGMT > DNS to change your ZyWALL's DNS settings. Use this screen to set from which IP address th[...]

Page 396
21.17 Configuring CNM
Vantage CNM is disabled on the device by default. Click ADVANCED > REMOTE MGMT > CNM to configure your device's Vantage CNM settings.
Figure 264 ADVANCED > REMOTE MGMT > CNM
The following table describes the labels in this screen.
Table 127 ADV[...]

Page 397
21.17.1 Additional Configuration for Vantage CNM
If you have NAT routers or firewalls between the ZyWALL and the Vantage CNM server, you must configure them to forward TCP ports 8080 (HTTP), 443 (HTTPS) and 20 and 21 (FTP). They must also forward UDP ports 1864 and 1865. Encryptio[...]
Page 399
CHAPTER 22 UPnP
This chapter introduces the Universal Plug and Play feature. This chapter is only applicable when the ZyWALL is in router mode.
22.1 Universal Plug and Play Overview
Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectiv[...]

Page 400
When a UPnP device joins a network, it announces its presence with a multicast message. For security reasons, the ZyWALL allows multicast messages on the LAN only. All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your [...]

Page 401
22.3 Displaying UPnP Port Mapping
Click ADVANCED > UPnP > Ports to display the UPnP Ports screen. Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL.
Figure 266 ADVANCED > UPnP > Ports
The following table describes the labels in this screen.
Apply: Clic[...]

Page 402
Internal Client: This field displays the DNS host name or IP address of a client on the LAN. Multiple NAT clients can use a single port simultaneously if the internal client field is set[...]
22.4 Installing UPnP in Windows Example
This section shows how to install UPnP in Windows Me and Windows XP.

Page 403
22.4.1 Installing UPnP in Windows Me
Follow the steps below to install UPnP in Windows Me.
1 Click Start, Settings and Control Panel. Double-click Add/Remove Programs.
2 Click on the Windows Setup tab and select Communication in the Components selection box. Click Details.
3 In the Co[...]

Page 404
22.4.2 Installing UPnP in Windows XP
Follow the steps below to install UPnP in Windows XP.
22.5 Using UPnP in Windows XP Example
This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL device. Make s[...]

Page 405
22.5.1 Auto-discover Your UPnP-enabled Network Device
1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.
2 Right-click the icon and select Properties.
3 In the Internet Connection Properties window, click Settings to see the port map[...]

Page 406
Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
22.5.2 Web Configurator Easy Access
With UPnP, you can access the web-based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first. T[...]

Page 407
Follow the steps below to access the web configurator.
1 Click Start and then Control Panel.
2 Double-click Network Connections.
3 Select My Network Places under Other Places.
4 An icon with the description for each UPnP-enabled device displays under Local Network.
5 Right-click the icon for[...]

Page 408
6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.[...]
Page 409
CHAPTER 23 Custom Application
This chapter covers how to set the ZyWALL to monitor custom port numbers for specific applications.
23.1 Custom Application
Use custom application to have the ZyWALL's ALG and content filtering features monitor traffic on custom ports, in addition to the default ports. By de[...]

Page 410
Figure 267 ADVANCED > Custom APP
The following table describes the labels in this screen.
Table 130 ADVANCED > Custom APP
Application: Select the application for which you want the ZyWALL to monitor specific ports. You can use the same application in more th[...]
Page 411
CHAPTER 24 ALG Screen
This chapter covers how to use the ZyWALL's ALG feature to allow certain applications to pass through the ZyWALL.
24.1 ALG Introduction
An Application Layer Gateway (ALG) manages a specific protocol (such as SIP, H.323 or FTP) at the application layer. The ZyWALL can function as an A[...]

Page 412
24.2 FTP
File Transfer Protocol (FTP) is an Internet file transfer service that operates on the Internet and over TCP/IP networks. A system running the FTP server accepts commands from a system running an FTP client. The service allows users to send commands to the server for uploading and [...]

Page 413
• The ZyWALL can also apply bandwidth management to traffic that goes through the H.323 ALG.
24.5 SIP
The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions ove[...]

Page 414
Figure 269 SIP ALG Example
24.5.3 SIP Signaling Session Timeout
Most SIP clients have an "expire" mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL. If the SIP c[...]

Page 415
Figure 270 ADVANCED > ALG
The following table describes the labels in this screen.
Table 131 ADVANCED > ALG
Enable FTP ALG: Select this check box to allow FTP sessions to pass through the ZyWALL. FTP (File Transfer Protocol) is a protocol that enables fast transfer o[...]
Page 417
PART V Logs and Maintenance
Logs Screens (419)
Maintenance (447)
Page 419
CHAPTER 25 Logs Screens
This chapter contains information about configuring general log settings and viewing the ZyWALL's logs. Refer to Section 25.5 on page 430 for example log message explanations.
25.1 Configuring View Log
The web configurator allows you to look at all of the ZyWALL's logs in one loc[...]

Page 420
The following table describes the labels in this screen.
25.2 Log Description Example
The following is an example of how a log displays in the command line interpreter and a description of the sample log. Refer to the appendices for more log message descriptions and details on using the co[...]

Page 421
25.2.1 About the Certificate Not Trusted Log
myZyXEL.com and the update server use certificates signed by VeriSign to identify themselves. If the ZyWALL does not have a CA certificate signed by VeriSign as a trusted CA, the ZyWALL will not trust the certificate from myZyXEL.com and[...]

Page 422
Figure 273 myZyXEL.com: Certificate Download
25.3 Configuring Log Settings
To change your ZyWALL's log settings, click LOGS > Log Settings. The screen appears as shown. Use the Log Settings screen to configure where the ZyWALL is to send logs; the schedule for when the ZyWALL[...]

Page 423
Figure 274 LOGS > Log Settings

Page 424
The following table describes the labels in this screen.
Table 134 LOGS > Log Settings
E-mail Log Settings
Mail Server: Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messa[...]

Page 425
25.4 Configuring Reports
The Reports screen displays which computers on the LAN, DMZ or WLAN send and receive the most traffic, what kinds of traffic are used the most and which web sites are visited the most often. The ZyWALL can record and display the following network usage deta[...]

Page 426
Figure 275 LOGS > Reports
Note: Enabling the ZyWALL's reporting function decreases the overall throughput by about 1 Mbps.
The following table describes the labels in this screen.
Table 135 LOGS > Reports
Collect Statistics: Select the check box and clic[...]

Page 427
Note: All of the recorded reports data is erased when you turn off the ZyWALL.
25.4.1 Viewing Web Site Hits
In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the ZyWALL record and display which web sites have been visited the most often [...]

Page 428
Note: Computers take turns using dynamically assigned LAN, DMZ or WLAN IP addresses. The ZyWALL continues recording the bytes sent to or from a LAN, DMZ or WLAN IP address when it is assigned to a different computer.
Figure 277 LOGS > Reports: Host IP Address Example
The following[...]

Page 429
Figure 278 LOGS > Reports: Protocol/Port Example
The following table describes the labels in this screen.
Table 138 LOGS > Reports: Protocol/Port
Protocol/Port: This column lists the protocols or service ports for which the most traffic has gone through the ZyW[...]

Page 430
25.4.4 System Reports Specifications
The following table lists detailed specifications on the reports feature.
25.5 Log Descriptions
This section provides descriptions of example log messages.
Table 139 Report Specifications
Number of web sites/protocols or ports/IP add[...]

Page 431
Time initialized by NTP server: The router got the time and date from the NTP server.
Connect to Daytime server fail: The router was not able to connect to the Daytime server.
Connect to Time server fail: The router was not able to connect to the Time server.
Connect to NTP server fail: [...]

Page 432
Table 141 System Error Logs
%s exceeds the max. number of session per host!: This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host.
setNetBIOSFilter: calloc error: The router failed to allocate m[...]

Page 433
For type and code details, see Table 157 on page 443.
Table 143 TCP Reset Logs
Under SYN flood attack, sent TCP RST: The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host).
Exceed TCP MAX in[...]

Page 434
Packet without a NAT table entry blocked: ICMP: The router blocked a packet that didn't have a corresponding NAT table entry.
Unsupported/out-of-order ICMP: ICMP: The firewall does not support this kind of ICMP packet, or the ICMP packets are out of order.
Router reply ICMP packet: ICMP: [...]

Page 435
For type and code details, see Table 157 on page 443.
Table 149 Content Filtering Logs
%s: Keyword blocking: The content of a requested web page matched a user-defined keyword.
%s: Not in trusted web list: The web site is not in a trusted domain, and the router bloc[...]

Page 436
ip spoofing - WAN [ TCP | UDP | IGMP | ESP | GRE | OSPF ]: The firewall detected an IP spoofing attack on the WAN port.
ip spoofing - WAN ICMP (type:%d, code:%d): The firewall detected an ICMP IP spoofing attack on the WAN port.
icmp echo : ICMP (type:%d, code:%d): The firewall detected an [...]

Page 437
Table 151 Remote Management Logs
Remote Management: FTP denied: Attempted use of the FTP service was blocked according to remote management settings.
Remote Management: TELNET denied: Attempted use of the TELNET service was blocked according to remote management settings[...]

Page 438
Table 153 IKE Logs
Active connection allowed exceeded: The IKE process for a new connection failed because the limit of simultaneous phase 2 SAs has been reached.
Start Phase 2: Quick Mode: Phase 2 Quick Mode has started.
Verifying Remote ID failed: The connection [...]

Page 439
Remote IP <Remote IP> / <Remote IP> conflicts: The security gateway is set to "0.0.0.0" and the router used the peer's "Local Address" as the router's "Remote Address". This information conflicted with static rule #d; thus the connection is not allowed.
Pha[...]

Page 440
Rule [%d] Phase 2 authentication algorithm mismatch: The listed rule's IKE phase 2 authentication algorithm did not match between the router and the peer.
Rule [%d] Phase 2 encapsulation mismatch: The listed rule's IKE phase 2 encapsulation did not match between the router and the peer.[...]

Page 441
Table 154 PKI Logs
Enrollment successful: The SCEP online certificate enrollment was successful. The Destination field records the certification authority server IP address and port.
Enrollment failed: The SCEP online certificate enrollment failed. The Destination f[...]

Page 442
Table 155 Certificate Path Verification Failure Reason Codes
1: Algorithm mismatch between the certificate and the search constraints.
2: Key usage mismatch between the certificate and the search constraints.
3: Certificate was not valid in the time interval.
4: (Not used)
[...]

Page 443
(L to L/ZW) LAN to LAN/ZyWALL: ACL set for packets traveling from the LAN to the LAN or the ZyWALL.
(W to W/ZW) WAN to WAN/ZyWALL: ACL set for packets traveling from the WAN to the WAN or the ZyWALL.
(D to D/ZW) DMZ to DMZ/ZyWALL: ACL set for packets traveling from the DMZ to the[...]

Page 444
(Table 157 ICMP types and codes, continued from page 443; the codes below belong to the Time Exceeded type listed on the previous page)
Code 0: Time to live exceeded in transit
Code 1: Fragment reassembly time exceeded
12 Parameter Problem / Code 0: Pointer indicates the error
13 Timestamp / Code 0: Timestamp request message
14 Timestamp Reply / Code 0: Timestamp reply message
15 Information Request / Code 0: Information request message
16 Information Reply [...]

Page 445
25.6 Syslog Logs
There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session" is terminated. A traffic[...]

Page 446
The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type.
Event Log:
<Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" ob="[...]
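The event log line above is a standard BSD syslog header (the angle-bracketed PRI value is facility times 8 plus severity) followed by key="value" pairs, so a collector can decode it without vendor tooling. The following is an added example, not code from the ZyXEL manual or from the device: a parser for that format, and a small detection pass that pulls out the "Remote Management: ... denied" events from Table 151, which are the ones worth alerting on because they are attempts to reach the management plane that the remote management rules stopped. The sample lines are constructed. Only the PRI, timestamp, hostname, src, dst and ob fields come from the format shown on this page; the msg= and cat= keys, the hostname ZyWALL2Plus and the addresses are assumptions for illustration, and the parser simply collects whatever key="value" pairs a real line carries.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY_NAMES = (
    ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
     "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + [f"local{i}" for i in range(8)]
)

# <PRI>Mon dd hh:mm:ss hostname key="value" key="value" ...
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<body>.*)$'
)
# Values are double-quoted, so a value may contain spaces but not a quote.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class EventLog:
    facility: str
    severity: str
    timestamp: str
    hostname: str
    fields: Dict[str, str] = field(default_factory=dict)

    def endpoint(self, key: str) -> Optional[Tuple[str, int]]:
        """Split src="ip:port" / dst="ip:port" into (ip, port)."""
        value = self.fields.get(key)
        if not value or ":" not in value:
            return None
        ip, _, port = value.rpartition(":")
        return ip, int(port)


def parse_event_log(line: str) -> EventLog:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a ZyWALL event log line: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    return EventLog(
        facility=FACILITY_NAMES[pri >> 3],   # Facility*8 + Severity: facility is the high bits,
        severity=SEVERITY_NAMES[pri & 7],    # severity the low three bits
        timestamp=m.group("ts"),
        hostname=m.group("host"),
        fields=dict(KV_RE.findall(m.group("body"))),
    )


def denied_remote_management(lines: List[str]) -> List[Tuple[str, str]]:
    """(source IP, message) for every 'Remote Management: ... denied' event.
    Lines that do not parse are skipped rather than aborting the whole batch."""
    hits = []
    for line in lines:
        try:
            ev = parse_event_log(line)
        except ValueError:
            continue
        msg = ev.fields.get("msg", "")
        if msg.startswith("Remote Management:") and msg.endswith("denied"):
            src = ev.endpoint("src")
            hits.append((src[0] if src else "?", msg))
    return hits


# Constructed sample lines (msg= and cat= are assumed keys; the messages are from Tables 140 and 151).
SAMPLE_LINES = [
    '<46>Mar 15 10:21:33 ZyWALL2Plus src="192.168.1.33:1045" dst="192.168.1.1:443" ob="" '
    'msg="Time initialized by NTP server" cat="System Maintenance"',
    '<132>Mar 15 10:22:07 ZyWALL2Plus src="203.0.113.7:51002" dst="198.51.100.2:23" ob="" '
    'msg="Remote Management: TELNET denied" cat="Remote Management"',
    'garbage that is not syslog',
]

if __name__ == "__main__":
    for ev in map(parse_event_log, SAMPLE_LINES[:2]):
        print(ev.facility, ev.severity, ev.hostname, ev.endpoint("src"), ev.fields.get("msg"))
    print(denied_remote_management(SAMPLE_LINES))
```

Because the timestamp carries no year and no time zone, the collector should record its own receipt time as well; and since the value is whatever the device's clock says, the NTP settings in Section 26.4 decide whether these timestamps can be correlated with anything else.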
Page 447
CHAPTER 26 Maintenance
This chapter displays information on the maintenance screens.
26.1 Maintenance Overview
The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL.
26.2 General Setup and System Name
General Setup contains administrati[...]

Page 448
Figure 279 MAINTENANCE > General Setup
The following table describes the labels in this screen.
26.3 Configuring Password
Click MAINTENANCE > Password to open the following screen. Use this screen to change the ZyWALL's management password.
Table 160 MAINTENANCE > General Setup [...]

Page 449
Figure 280 MAINTENANCE > Password
The following table describes the labels in this screen.
26.4 Time and Date
The ZyWALL's Real Time Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an exter[...]

Page 450
Figure 281 MAINTENANCE > Time and Date
The following table describes the labels in this screen.
Table 162 MAINTENANCE > Time and Date
Current Time and Date
Current Time: This field displays the ZyWALL's present time.
Current Date: This field displays the ZyWALL[...]

Page 451
Time Protocol: Select the time service protocol that your time server uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works. The main difference between them is the format. Daytime (R[...]

Page 452
26.5 Pre-defined NTP Time Server Pools
When you turn on the ZyWALL for the first time, the date and time start at 2000-01-01 00:00:00. The ZyWALL then attempts to synchronize with an NTP time server from one of the 0.pool.ntp.org, 1.pool.ntp.org or 2.pool.ntp.org NTP time server pools. Until the clock is set, certificate validity checks (reason code 3 in Table 155) and log timestamps are unreliable, so confirm that synchronization succeeded. [...]

Page 453
Figure 283 Synchronization is Successful
If the update was not successful, the following screen appears. Click Return to go back to the Time and Date screen.
Figure 284 Synchronization Fail
26.6 Introduction To Transparent Bridging
A transparent bridge is invisible to the operation of[...]

Page 454
For example, if a bridge receives a frame via port 1 from host A (MAC address 00a0c5123478), the bridge associates host A with port 1. When the bridge receives another frame on one of its ports with destination address 00a0c5123478, it forwards the frame directly through port 1 after checking[...]
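The learning and forwarding behaviour described above is short enough to write out in full, which also makes its security property visible: the bridge believes whatever source address a frame carries, so a host that forges another host's MAC address silently redirects that host's traffic to its own port. The following is an added example, not code from the ZyXEL manual or from the device's bridge implementation: a learning bridge with a per-port forwarding table, aging of stale entries, flooding for unknown and group addresses, filtering when the destination sits on the ingress segment, and a record of every "move" of a MAC address between ports, which is the event a monitor would raise on. The port numbers, the second MAC addresses and the timestamps are constructed; only host A's address 00a0c5123478 on port 1 comes from the text.

```python
class LearningBridge:
    """Transparent (learning) bridge forwarding logic: learn the source MAC on the
    ingress port, forward known unicast out of its learned port, flood everything else."""

    def __init__(self, ports, age_seconds=300):
        self.ports = sorted(ports)
        self.age_seconds = age_seconds
        self.table = {}   # mac -> (port, last_seen)
        self.moves = []   # (mac, old_port, new_port); a "move" is also what MAC spoofing looks like

    @staticmethod
    def norm(mac: str) -> str:
        """Accept 00a0c5123478, 00:a0:c5:12:34:78 or 00-a0-c5-12-34-78."""
        mac = mac.replace(":", "").replace("-", "").lower()
        if len(mac) != 12 or any(c not in "0123456789abcdef" for c in mac):
            raise ValueError(f"bad MAC {mac!r}")
        return mac

    def _port_for(self, mac: str, now: float):
        entry = self.table.get(mac)
        if entry is None:
            return None
        port, last_seen = entry
        if now - last_seen > self.age_seconds:   # stale entry: forget it rather than misdirect frames
            del self.table[mac]
            return None
        return port

    def receive(self, in_port: int, src_mac: str, dst_mac: str, now: float) -> list:
        """Process one frame; return the sorted list of ports it is forwarded to."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        src, dst = self.norm(src_mac), self.norm(dst_mac)
        previous = self._port_for(src, now)
        if previous is not None and previous != in_port:
            self.moves.append((src, previous, in_port))
        self.table[src] = (in_port, now)      # learn (or refresh) the source address
        if int(dst[:2], 16) & 1:              # group bit set: broadcast or multicast, always flood
            return [p for p in self.ports if p != in_port]
        out = self._port_for(dst, now)
        if out is None:                       # unknown destination: flood
            return [p for p in self.ports if p != in_port]
        if out == in_port:                    # destination is on the ingress segment: filter it
            return []
        return [out]


if __name__ == "__main__":
    HOST_A = "00a0c5123478"                   # the host from the text, attached to port 1
    bridge = LearningBridge(ports=[1, 2, 3])
    print(bridge.receive(1, HOST_A, "ff:ff:ff:ff:ff:ff", now=0))          # A learned on 1; flood -> [2, 3]
    print(bridge.receive(2, "00a0c5aabbcc", "00:a0:c5:12:34:78", now=1))  # known unicast -> [1]
    print(bridge.receive(1, "00a0c5000001", HOST_A, now=2))                # same segment -> []
    print(bridge.receive(3, HOST_A, "00a0c5000001", now=5))                # A "moved" to port 3
    print(bridge.moves)                                                    # [('00a0c5123478', 1, 3)]
```

The last two calls are the point: nothing in the bridge can tell a host that genuinely moved from one that is spoofing 00a0c5123478, so in bridge mode (Section 26.9) the ZyWALL's filtering and inspection, not the bridge table, is what stands between segments.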
-
Page 455
Chapter 26 Maintenance ZyWALL 2 Plus User’s Guide 455 Figure 285 MAINTENANCE > Device M ode (Router Mode) The following table describes the labels in this screen. 26.9 Configuring Device Mode (Bridge) Click MAINTENANCE > Device Mode to open the following screen. Use this screen to configure your Zy W ALL as a router o r a bridge. T able 164[...]
-
Page 456
Chapter 26 Maintenance ZyWALL 2 Plus User’s Guide 456 In bridge mode, the ZyW ALL functions as a tr ansparent firewall (also known as a bridge firewall). The ZyW ALL bridges traffic traveling between the ZyW ALL's interfaces and still filters and inspects packets. Y ou do not need to change the configuration of your existing network. In brid[...]
-
Page 457
Chapter 26 Maintenance ZyWALL 2 Plus User’s Guide 457 26.10 F/W Upload Screen Find firmware at www .zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, "zywall.bin". The upload process uses HTTP (Hypertext T ransfer Protocol) and may take up to two minutes. Afte r a successful upload, th e s[...]
-
Page 458
Chapter 26 Maintenance ZyWALL 2 Plus User’s Guide 458 The following table describes the labels in this screen. 1 Do not turn off the ZyW A LL whil e firmware upload is in progress! After you see the Firmware Upload in Pr ocess screen, wait two minutes before logging into the ZyW ALL again. Figure 288 Firmware Uplo ad In Proce ss The ZyW ALL autom[...]
-
Page 459
Chapter 26 Maintenance ZyWALL 2 Plus User’s Guide 459 Figure 290 Firmware Upload Error 26.1 1 Backup and Restore See Section 41.5 on page 579 for transferring configuration files using FTP/TFTP commands. Click MAINTENANCE > Backup & Restor e . Information related to fa ctory defaults, backup configuration, and restorin g configuration appe[...]
-
Page 460
Chapter 26 Maintenance ZyWALL 2 Plus User’s Guide 460 26.1 1.1 Backup Configuration Backup configuration allows you to back up (save) the Zy W ALL’ s current configuration to a file on your computer . Once your ZyW ALL is configured an d functioning properly , it is highly recommended that you back up your co nfiguration file before mak ing con[...]
-
Page 461
Chapter 26 Maintenance ZyWALL 2 Plus User’s Guide 461 If you uploaded the default co nfiguration file you may ne ed to change the IP address of your computer to be in the same subnet as that of the default de vice IP address (192. 168.1.1). See your Quick S tart Guide for details on how to set up your computer ’ s IP address. If the upload was [...]
-
Page 462
Chapter 26 Maintenance ZyWALL 2 Plus User’s Guide 462 Figure 296 MAINTENANCE > Restart 26.13 Diagnostics Use the Diagnostics screen to have the ZyW ALL generate and send diagnostic files by e-mail and/or the console port. The diagnostics f iles contain the ZyW ALL’ s configuration and diagnostic information. Y ou may need to genera te this f[...]
-
Page 463
Chapter 26 Maintenance ZyWALL 2 Plus User’s Guide 463 Figure 297 MAINTENANCE > Diagnostics The following table describes the labels in this screen. T able 168 MAINTENANCE > Diagnostics LABEL DESCRIPTION Enable Diagnostics Select this op tion to turn on the diagnostics feature. Perform Diagnostics Now Click this button to generate and send a[...]
-
Page 464
Chapter 26 Maintenance Day for Diagnostics Use the drop down list box to select which day of the week to generate and send diagnostic files. Time for Diagnostics Enter the time of day in 24-hour format (for example 23:00 equals 11:00 pm) to generate and send diagnostic files. Display on Console Select this opti[...]
-
Page 465
PART VI SMT Introducing the SMT (467) SMT Menu 1 - General Setup (475) WAN and Dial Backup Setup (481) LAN Setup (491) Internet Access (497) DMZ Setup (501) Remote Node Setup (509) IP Static Route Setup (519) Network Address Translation (NAT) (521) Introducing the ZyWALL Firewall (539) Filter Configuration (541) SNMP Configuration (557) Sy[...]
-
Page 466
466[...]
-
Page 467
CHAPTER 27 Introducing the SMT This chapter explains how to access the System Management Terminal and gives an overview of its menus. 27.1 Introduction to the SMT The ZyWALL’s SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console port o[...]
-
Page 468
Chapter 27 Introducing the SMT Figure 298 Initial Screen 27.2.2 Entering the Password The login screen appears after you press [ENTER], prompting you to enter the password, as shown below. For your first login, enter the default password “1234”. As you type the password, the screen displays an “X” fo[...]
-
Page 469
Chapter 27 Introducing the SMT 27.3.1 Main Menu After you enter the password, the SMT displays the ZyWALL Main Menu, as shown next. Figure 300 Main Menu (Router Mode) Move the cursor [ENTER] or [UP]/[DOWN] arrow keys Within a menu, press [ENTER] to move to the next field. You can also use the [UP]/[DOWN] [...]
-
Page 470
Chapter 27 Introducing the SMT Figure 301 Main Menu (Bridge Mode) The following table describes the fields in this menu. Copyright (c) 1994 - 2007 ZyXEL Communications Corp. ZyWALL 2 Plus Main Menu Getting Started Advanced Management 1. General Setup 21. Filter and Firewall Setup 22. SNMP Configuration 23. System [...]
-
Page 471
Chapter 27 Introducing the SMT 27.3.2 SMT Menus Overview The following table gives you an overview of your ZyWALL’s various SMT menus. Table 171 SMT Menus Overview MENUS SUB MENUS 1 General Setup 1.1 Configure Dynamic DNS 1.1.1 DDNS Host Summary 1.1.1 DDNS Edit Host 2 WAN Setup 2.1 Advanced WAN Setup 3 LA[...]
-
Page 472
Chapter 27 Introducing the SMT 27.4 Changing the System Password Change the system password by following the steps shown next. 1 Enter 23 in the main menu to open Menu 23 - System Password as shown next. Figure 302 Menu 23: System Password 2 Type your existing password and press [ENTER]. 3 Type your new system [...]
-
Page 473
Chapter 27 Introducing the SMT Note that as you type a password, the screen displays an “x” for each character you type. 27.5 Resetting the ZyWALL See Section 2.3 on page 53 for directions on resetting the ZyWALL.[...]
-
Page 474
Chapter 27 Introducing the SMT[...]
-
Page 475
CHAPTER 28 SMT Menu 1 - General Setup Menu 1 - General Setup contains administrative and system-related information. 28.1 Introduction to General Setup Menu 1 - General Setup contains administrative and system-related information. 28.2 Configuring General Setup 1 Enter 1 in the main menu to open Menu 1 - Genera[...]
-
Page 476
Chapter 28 SMT Menu 1 - General Setup Figure 304 Menu 1: General Setup (Bridge Mode) The following table describes the fields not previously discussed (see Table 172 on page 475). 28.2.1 Configuring Dynamic DNS To configure Dynamic DNS, set the ZyWALL to router mode in menu 1 or in the MAINTENANCE Device Mode [...]
-
Page 477
Chapter 28 SMT Menu 1 - General Setup Figure 305 Menu 1.1: Configure Dynamic DNS Follow the instructions in the next table to configure Dynamic DNS parameters. 28.2.1.1 Editing DDNS Host To configure a DDNS host, follow the procedure below. 1 Configure your ZyWALL as a router in menu 1 or the MAINTENANCE Devic[...]
-
Page 478
Chapter 28 SMT Menu 1 - General Setup Figure 306 Menu 1.1.1: DDNS Host Summary The following table describes the fields in this screen. 5 Select Edit in the Select Command field; type the index number of the DDNS host you want to configure in the Select Rule field and press [ENTER] to open Menu 1.1.1 - DDNS Edi[...]
-
Page 479
Chapter 28 SMT Menu 1 - General Setup Figure 307 Menu 1.1.1: DDNS Edit Host The following table describes the fields in this screen. Menu 1.1.1 - DDNS Edit Host Hostname= ZyWALL DDNS Type= DynamicDNS Enable Wildcard Option= Yes Enable Off Line Option= N/A IP Address Update Policy: Let DDNS Server Auto Detect= Yes U[...]
-
Page 480
Chapter 28 SMT Menu 1 - General Setup The IP address updates when you reconfigure menu 1 or perform DHCP client renewal. Use WAN IP Address Enter the static public IP address if you select Yes in the Use User-Defined field. When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm[...]
-
Page 481
CHAPTER 29 WAN and Dial Backup Setup This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.1 and 11.1. 29.1 Introduction to WAN and Dial Backup Setup This chapter explains how to configure settings for your WAN port and how to configure the ZyWALL for a dial backup connect[...]
-
Page 482
Chapter 29 WAN and Dial Backup Setup The following table describes the fields in this screen. 29.3 Dial Backup The Dial Backup port can be used in reserve, as a traditional dial-up connection should the broadband connection to the WAN port fail. To set up the auxiliary port (Dial Backup) for use in the event [...]
-
Page 483
Chapter 29 WAN and Dial Backup Setup Figure 309 Menu 2: Dial Backup Setup The following table describes the fields in this menu. 29.5 Advanced WAN Setup Note: Consult the manual of your WAN device connected to your Dial Backup port for specific AT commands. Menu 2 - WAN Setup MAC Address: Assigned By= Factory d[...]
-
Page 484
Chapter 29 WAN and Dial Backup Setup To edit the advanced setup for the Dial Backup port, move the cursor to the Edit Advanced Setup field in Menu 2 - WAN Setup, press the [SPACE BAR] to select Yes and then press [ENTER]. Figure 310 Menu 2.1: Advanced WAN Setup The following table describes fields in this m[...]
-
Page 485
Chapter 29 WAN and Dial Backup Setup 29.6 Remote Node Profile (Backup ISP) On the ZyWALL, enter 2 in Menu 11 - Remote Node Setup to open Menu 11.2 - Remote Node Profile (Backup ISP) and configure the setup for your Dial Backup port connection. Figure 311 Menu 11.2: Remote Node Profile (Backup ISP) Table 180 A[...]
-
Page 486
Chapter 29 WAN and Dial Backup Setup The following table describes the fields in this menu. Table 181 Menu 11.3: Remote Node Profile (Backup ISP) FIELD DESCRIPTION Rem Node Name Enter a descriptive name for the remote node. This field can be up to eight characters. Active Press [SPACE BAR] and then [ENTER] t[...]
-
Page 487
Chapter 29 WAN and Dial Backup Setup 29.7 Editing TCP/IP Options Move the cursor to the Edit IP field in menu 11.2, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.2.2 - Remote Node Network Layer Options. Figure 312 Menu 11.2.2: Remote Node Network Layer Options The following table des[...]
-
Page 488
Chapter 29 WAN and Dial Backup Setup 29.8 Editing Login Script For some remote gateways, text login is required before PPP negotiation is started. The ZyWALL provides a script facility for this purpose. The script has six programmable sets; each set is composed of an ‘Expect’ string and a ‘Send’ string.[...]
-
Page 489
Chapter 29 WAN and Dial Backup Setup after you enter the password, then you should create a third set to match the final “PPP...” but without a “Send” string. Otherwise, the ZyWALL will start PPP prematurely right after sending your password to the server. If there are errors in the script and it gets [...]
-
Page 490
Chapter 29 WAN and Dial Backup Setup Figure 314 Menu 11.2.4: Remote Node Filter Menu 11.2.4 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Call Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL:[...]
-
Page 491
CHAPTER 30 LAN Setup This chapter describes how to configure the LAN using Menu 3 - LAN Setup. 30.1 Introduction to LAN Setup This chapter describes how to configure the ZyWALL for LAN connections. 30.2 Accessing the LAN Menus From the main menu, enter 3 to open Menu 3 - LAN Setup. Figure 315 Menu 3: LAN Setup [...]
-
Page 492
Chapter 30 LAN Setup Figure 316 Menu 3.1: LAN Port Filter Setup 30.4 TCP/IP and DHCP Ethernet Setup Menu From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup. Figure 317 Menu 3: TCP/IP and DHCP Setup From menu 3, select the submenu option TCP/IP and DHCP S[...]
-
Page 493
Chapter 30 LAN Setup Figure 318 Menu 3.2: TCP/IP and DHCP Ethernet Setup Follow the instructions in the next table on how to configure the DHCP fields. Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP= Server TCP/IP Setup: Client IP Pool: Starting Address= 192.168.1.33 IP Address= 192.168.1.1 Size of Client IP Pool=[...]
-
Page 494
Chapter 30 LAN Setup Use the instructions in the following table to configure TCP/IP parameters for the LAN port. Note: LAN and DMZ IP addresses must be on separate subnets. First DNS Server Second DNS Server Third DNS Server The ZyWALL passes a DNS (Domain Name System) server IP address (in the order you sp[...]
-
Page 495
Chapter 30 LAN Setup 30.4.1 IP Alias Setup IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LAN network[...]
-
Page 496
Chapter 30 LAN Setup[...]
-
Page 497
CHAPTER 31 Internet Access This chapter shows you how to configure your ZyWALL for Internet access. 31.1 Introduction to Internet Access Setup Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet. There are three different menu 4 screens depend[...]
-
Page 498
Chapter 31 Internet Access The following table describes the fields in this menu. Table 187 Menu 4: Internet Access Setup (Ethernet) FIELD DESCRIPTION ISP’s Name This is the descriptive name of your ISP for identification purposes. Encapsulation Press [SPACE BAR] and then press [ENTER] to choose Ethernet. The[...]
-
Page 499
Chapter 31 Internet Access 31.3 Configuring the PPTP Client Note: The ZyWALL supports only one PPTP server connection at any given time. To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection. After configuring My Lo[...]
-
Page 500
Chapter 31 Internet Access Figure 322 Internet Access Setup (PPPoE) The following table contains instructions about the new fields when you choose PPPoE in the Encapsulation field in menu 4. If you need a PPPoE service name to identify and reach the PPPoE server, please go to menu 11 and enter the PPPoE service [...]
-
Page 501
CHAPTER 32 DMZ Setup This chapter describes how to configure the ZyWALL’s DMZ using Menu 5 - DMZ Setup. 32.1 Configuring DMZ Setup From the main menu, enter 5 to open Menu 5 – DMZ Setup. Figure 323 Menu 5: DMZ Setup 32.2 DMZ Port Filter Setup This menu allows you to specify the filter sets that you wish to[...]
-
Page 502
Chapter 32 DMZ Setup 32.3 TCP/IP Setup For more detailed information about RIP setup, IP multicast and IP alias, please refer to Chapter 6 on page 133. 32.3.1 IP Address From the main menu, enter 5 to open Menu 5 - DMZ Setup to configure TCP/IP (RFC 1155). Figure 325 Menu 5: DMZ Setup From menu 5, select the sub[...]
-
Page 503
Chapter 32 DMZ Setup Note: DMZ, WLAN and LAN IP addresses must be on separate subnets. You must also configure NAT for the DMZ port (see Chapter 36 on page 521) in menus 15.1 and 15.2. 32.3.2 IP Alias Setup Use menu 5.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE [...]
-
Page 504
Chapter 32 DMZ Setup[...]
-
Page 505
CHAPTER 33 Wireless Setup Use menu 7 to configure the IP address for ZyWALL’s WLAN interface, other TCP/IP and DHCP settings. 33.1 TCP/IP Setup For more detailed information about RIP setup, IP Multicast and IP alias, please refer to Chapter 6 on page 133. 33.1.1 IP Address From the main menu, enter 7 to open [...]
-
Page 506
Chapter 33 Wireless Setup Figure 329 Menu 7.2: TCP/IP and DHCP Ethernet Setup The DHCP and TCP/IP setup fields are the same as the ones in Menu 3.2 - TCP/IP and DHCP Ethernet Setup. Each public server will need a unique IP address. Refer to Section 30.4 on page 492 for information on how to configure these fields.[...]
-
Page 507
Chapter 33 Wireless Setup Figure 330 Menu 7.2.1: IP Alias Setup Refer to Table 186 on page 495 for instructions on configuring IP alias parameters. Menu 7.2.1 - IP Alias Setup IP Alias 1= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A IP Alias 2= No IP Address= N/A IP Subnet Mask= N/A [...]
-
Page 508
Chapter 33 Wireless Setup[...]
-
Page 509
CHAPTER 34 Remote Node Setup This chapter shows you how to configure a remote node. 34.1 Introduction to Remote Node Setup A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note that when you use m[...]
-
Page 510
Chapter 34 Remote Node Setup 34.3.1 Ethernet Encapsulation There are three variations of menu 11.1 depending on whether you choose Ethernet Encapsulation, PPPoE Encapsulation or PPTP Encapsulation. You must choose the Ethernet option when the WAN port is used as a regular Ethernet. The first menu 11.1 [...]
-
Page 511
Chapter 34 Remote Node Setup 34.3.2 PPPoE Encapsulation The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). You can only use PPPoE encapsulation when you’re using the ZyWALL with a DSL modem as the WAN device. If you change the Encapsulation to PPPoE, then you will see the next screen. Serve[...]
-
Page 512
Chapter 34 Remote Node Setup Figure 333 Menu 11.1: Remote Node Profile for PPPoE Encapsulation 34.3.2.1 Outgoing Authentication Protocol Generally speaking, you should employ the strongest authentication protocol possible, for obvious reasons. However, some vendors’ implementations include a specific aut[...]
-
Page 513
Chapter 34 Remote Node Setup 34.3.2.3 Metric See Section 8.2 on page 151 for details on the Metric field. 34.3.3 PPTP Encapsulation If you change the Encapsulation to PPTP in menu 11.1, then you will see the next screen. Table 191 Fields in Menu 11.1 (PPPoE Encapsulation Specific) FIELD DESCRIPTION Service Na[...]
-
Page 514
Chapter 34 Remote Node Setup Figure 334 Menu 11.1: Remote Node Profile for PPTP Encapsulation The next table shows how to configure fields in menu 11.1 not previously discussed. 34.4 Edit IP Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open M[...]
-
Page 515
Chapter 34 Remote Node Setup Figure 335 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation This menu displays the My WAN Addr field for PPPoE and PPTP encapsulations and Gateway IP Addr field for Ethernet encapsulation. The following table describes the fields in this menu. Menu 11.1.2 - Re[...]
-
Page 516
Chapter 34 Remote Node Setup 34.5 Remote Node Filter Move the cursor to the field Edit Filter Sets in menu 11.1, and then press [SPACE BAR] to set the value to Yes. Press [ENTER] to open Menu 11.1.4 - Remote Node Filter. Use menu 11.1.4 to specify the filter set(s) to apply to the incoming and outgoing tra[...]
-
Page 517
Chapter 34 Remote Node Setup Figure 337 Menu 11.1.4: Remote Node Filter (PPPoE or PPTP Encapsulation) 34.6 Traffic Redirect Configure parameters that determine when the ZyWALL will forward WAN traffic to the backup gateway using Menu 11.1.5 - Traffic Redirect Setup. Figure 338 Menu 11.1.5: Traffic Redire[...]
-
Page 518
Chapter 34 Remote Node Setup Check WAN IP Address Enter the IP address of a reliable nearby computer (for example, your ISP's DNS server address) to test your ZyWALL's WAN accessibility. The ZyWALL uses the default gateway IP address if you do not enter an IP address here. If you are using PPTP or PP[...]
-
Page 519
CHAPTER 35 IP Static Route Setup This chapter shows you how to configure static routes with your ZyWALL. 35.1 IP Static Route Setup Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.1. Note: The first static route entry is for the default W[...]
-
Page 520
Chapter 35 IP Static Route Setup Figure 340 Menu 12.1: Edit IP Static Route The following table describes the IP Static Route Menu fields. Menu 12.1 - Edit IP Static Route Route #: 3 Route Name= ? Active= No Destination IP Address= ? IP Subnet Mask= ? Gateway IP Address= ? Metric= 2 Private= No Press ENTER to CO[...]
-
Page 521
CHAPTER 36 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 36.1 Using NAT Note: You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL. 36.1.1 SUA (Single User Account) Versus NAT SU[...]
-
Page 522
Chapter 36 Network Address Translation (NAT) Figure 341 Menu 4: Applying NAT for Internet Access The following figure shows how you apply NAT to the remote node in menu 11.1. 1 Enter 11 from the main menu. 2 Enter 1 to open Menu 11.1 - Remote Node Profile. 3 Move the cursor to the Edit IP field, press [SP[...]
-
Page 523
Chapter 36 Network Address Translation (NAT) The following table describes the fields in this menu. 36.2 NAT Setup Use the address mapping sets menus and submenus to create the mapping table used to assign global addresses to computers on the LAN, WLAN and DMZ. Set 255 is used for SUA. When you select Full Fea[...]
-
Page 524
Chapter 36 Network Address Translation (NAT) Figure 344 Menu 15.1: Address Mapping Sets 36.2.1.1 SUA Address Mapping Set Enter 255 to display the next screen (see also Section 36.1.1 on page 521). The fields in this menu cannot be changed. Figure 345 Menu 15.1.255: SUA Address Mapping Rules The following table [...]
-
Page 525
Chapter 36 Network Address Translation (NAT) 36.2.1.2 User-Defined Address Mapping Sets Now look at option 1 in menu 15.1. Enter 1 to bring up this menu. Look at the differences from the previous menu. Note the extra Action and Select Rule fields mean you can configure rules in this screen. Note also that the[...]
-
Page 526
Chapter 36 Network Address Translation (NAT) Figure 346 Menu 15.1.1: First Set Note: The Type, Local and Global Start/End IPs are configured in menu 15.1.1.1 (described later) and the values are displayed here. 36.2.1.3 Ordering Your Rules Ordering your rules is important because the ZyWALL applies the rule[...]
-
Page 527
Chapter 36 Network Address Translation (NAT) Note: You must press [ENTER] at the bottom of the screen to save the whole set. You must do this again if you make any changes to the set – including deleting a rule. No changes to the set take place until this action is taken. Selecting Edit in the Action fiel[...]
-
Page 528
Chapter 36 Network Address Translation (NAT) 36.3 Configuring a Server behind NAT Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. Follow these steps to configure a server behind NAT: 1 E[...]
-
Page 529
Chapter 36 Network Address Translation (NAT) Figure 349 15.2.1: NAT Server Configuration The following table describes the fields in this screen. 4 Enter a port number in the Start Port field. To forward only one port, enter it again in the End Port field. To specify a range of ports, enter the last p[...]
-
Page 530
Chapter 36 Network Address Translation (NAT) Figure 350 Menu 15.2: NAT Server Setup You assign the private network IP addresses. The NAT network appears as a single host on the Internet. A is the FTP/Telnet/SMTP server. Figure 351 Server Behind NAT Example 36.4 General NAT Examples The following are some ex[...]
-
Page 531
Chapter 36 Network Address Translation (NAT) Figure 352 NAT Example 1 Figure 353 Menu 4: Internet Access & NAT Example From menu 4 shown above, simply choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in Section 36.4 on page 530. T[...]
-
Page 532
Chapter 36 Network Address Translation (NAT) 36.4.2 Example 2: Internet Access with a Default Server Figure 354 NAT Example 2 In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2 to specify the Default Server behind the NAT as shown in the next figure. [...]
-
Page 533
Chapter 36 Network Address Translation (NAT) 2 Map the second IGA to our second inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses). 3 Map the other outgoing LAN traffic to IGA3 (Many : 1 mapping). 4 You also map your third IGA to the web server an[...]
-
Page 534
Chapter 36 Network Address Translation (NAT) Figure 357 Example 3: Menu 11.1.2 The following figure shows how to configure the first rule. Figure 358 Example 3: Menu 15.1.1.1 Menu 11.1.2 - Remote Node Network Layer Options IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Addr= N/A Ne[...]
-
Page 535
Chapter 36 Network Address Translation (NAT) Figure 359 Example 3: Final Menu 15.1.1 Now configure the IGA3 to map to our web server and mail server on the LAN. 1 Enter 15 from the main menu. 2 Enter 2 to go to menu 15.2 and configure it as shown in Figure 360 on page 535. Figure 360 Example 3: Menu 15.2. Men[...]
-
Page 536
Chapter 36 Network Address Translation (NAT) 36.4.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-One-to-One mapping as port numbers do not change for Many-One-to-One (and One-to-One) N[...]
-
Page 537
Chapter 36 Network Address Translation (NAT) Figure 363 Example 4: Menu 15.1.1: Address Mapping Rules 36.5 Trigger Port Forwarding Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NAT t[...]
-
Page 538
Chapter 36 Network Address Translation (NAT) Note: Only one LAN computer can use a trigger port (range) at a time. Enter 3 in menu 15 to display Menu 15.3 - Trigger Port Setup and configure trigger port rules for the WAN port. Figure 364 Menu 15.3.1: Trigger Port Setup The following table describes the fields[...]
-
Page 539
CHAPTER 37 Introducing the ZyWALL Firewall This chapter shows you how to get started with the ZyWALL firewall. 37.1 Using ZyWALL SMT Menus From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next. Figure 365 Menu 21: Filter and Firewall Setup 37.1.1 A[...]
-
Page 540
Chapter 37 Introducing the ZyWALL Firewall Figure 366 Menu 21.2: Firewall Setup Note: Configure the firewall rules using the web configurator or CLI commands. Menu 21.2 - Firewall Setup The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when[...]
-
Page 541
CHAPTER 38 Filter Configuration This chapter shows you how to create and apply filters. 38.1 Introduction to Filters Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subd[...]
-
Page 542
Chapter 38 Filter Configuration 38.1.1 The Filter Structure of the ZyWALL A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The ZyWALL allows you to configure up to twelve filter sets with[...]
-
Page 543
Chapter 38 Filter Configuration Figure 368 Filter Rule Process You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.[...]
-
Page 544
Chapter 38 Filter Configuration 38.2 Configuring a Filter Set The ZyWALL includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below. 1 Enter 21 in the main menu to open menu 21. Figure 369 Menu 21: Filter and Firewall Setup 2 Enter 1 to bring up t[...]
-
Page 545
Chapter 38 Filter Configuration Figure 371 Menu 21.1.1: Filter Rules Summary This screen shows the summary of the existing rules in the filter set. The following tables contain a brief description of the abbreviations used in the previous menus. The protocol dependent filter rules abbreviations are listed as follow[...]
-
Page 546
Chapter 38 Filter Configuration Refer to the next section for information on configuring the filter rules. 38.2.1 Configuring a Filter Rule To configure a filter rule, type its number in Menu 21.1.1 - Filter Rules Summary and press [ENTER] to open menu 21.1.1.1 for the rule. To speed up filtering, all rules in[...]
-
Page 547
Chapter 38 Filter Configuration The following table describes how to configure your TCP/IP filter rule. Table 204 Menu 21.1.1.1: TCP/IP Filter Rule FIELD DESCRIPTION Active Press [SPACE BAR] and then [ENTER] to select Yes to activate the filter rule or No to deactivate it. IP Protocol Protocol refers to the u[...]
-
Page 548
Chapter 38 Filter Configuration The following figure illustrates the logic flow of an IP filter. Figure 373 Executing an IP Filter[...]
-
Page 549
Chapter 38 Filter Configuration 38.2.3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyWALL treats a packe[...]
-
Page 550
Chapter 38 Filter Configuration 38.3 Example Filter Let’s look at an example to block outside users from accessing the ZyWALL via Telnet. Please see our included disk for more example filters. Figure 375 Telnet Filter Example 1 Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup. 2 Enter [...]
-
Page 551
Chapter 38 Filter Configuration Figure 376 Example Filter: Menu 21.1.3.1 The port number for the Telnet service (TCP protocol) is 23. See RFC 1060 for port numbers of well-known services. When you press [ENTER] to confirm, you will see the following screen. Note that there is only one filter rule in this set. F[...]
-
Page 552
Chapter 38 Filter Configuration After you’ve created the filter set, you must apply it. 1 Enter 11 from the main menu to go to menu 11. 2 Enter 1 or 2 to open Menu 11.x - Remote Node Profile. 3 Go to the Edit Filter Sets field, press [SPACE BAR] to select Yes and press [ENTER]. 4 This brings you to menu 1[...]
-
Page 553
Chapter 38 Filter Configuration 38.5.1.1 When To Use Filtering 1 To block/allow LAN packets by their MAC addresses. 2 To block/allow special IP packets which are neither TCP nor UDP, nor ICMP packets. 3 To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside h[...]
-
Page 554
Chapter 38 Filter Configuration Note: If you do not activate the firewall, it is advisable to apply filters. 38.6.1 Applying LAN Filters LAN traffic filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 3.1 (shown next) and enter the number(s) of the filter [...]
-
Page 555
Chapter 38 Filter Configuration 38.6.3 Applying Remote Node Filters Go to menu 11.1.4 (shown below – note that call filter sets are only present for PPPoE encapsulation) and enter the number(s) of the filter set(s) as appropriate. You can cascade up to four filter sets by entering their numbers separated by c[...]
-
Page 556
Chapter 38 Filter Configuration[...]
-
Page 557
CHAPTER 39 SNMP Configuration This chapter explains SNMP configuration menu 22. 39.1 SNMP Configuration To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The “community” for Get, Set and Trap fields is SNMP terminology for password. Figure 382 Menu 22: S[...]
Page 558
39.2 SNMP Traps The ZyWALL will send traps to the SNMP manager when any one of the following events occurs: Destination Type the IP address of the station to send your SNMP traps to. When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC[...]
Page 559
CHAPTER 40 System Information & Diagnosis This chapter covers SMT menus 24.1 to 24.4. 40.1 Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status and log and trace capabilities. Select menu 24 in [...]
Page 560
3 There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 drops the WAN connection, 9 resets the counters and [ESC] takes you back to the previous screen. Figure 384 Menu 24.1: System Maintenance: Status The following table describes the fi[...]
Page 561
40.3 System Information and Console Port Speed This section describes your system and allows you to choose different console port speeds. To get to the System Information and Console Port Speed: 1 Enter 24 to go to Menu 24 - System Maintenance. 2 Enter 2 to open Menu[...]
Page 562
The following table describes the fields in this screen. 40.3.2 Console Port Speed You can change the speed of the console port through Menu 24.2.2 – Console Port Speed. Your ZyWALL supports 9600 (default), 19200, 38400, 57600, and 115200 bps for the console por[...]
Page 563
3 Select the first option from Menu 24.3 - System Maintenance - Log and Trace to display the error log in the system. After the ZyWALL finishes displaying, you will have the option to clear the error log. Figure 388 Menu 24.3: System Maintenance: Log and Trace Exa[...]
Page 564
You need to configure the syslog parameters described in the following table to activate syslog then choose what you want to log. Your ZyWALL sends five types of syslog messages. Some examples (not all ZyWALL specific) of these syslog messages with their message fo[...]
Page 565
2 Packet triggered 3 Filter log Packet triggered Message Format SdcmdSyslogSend( SYSLOG_PKTTRI, SYSLOG_NOTICE, String ); String = Packet trigger: Protocol=xx Data=xxxxxxxxxx…..x Protocol: (1:IP 2:IPX 3:IPXHC 4:BPDU 5:ATALK 6:IPNG) Data: We will send forty-eight[...]
Page 566
4 PPP log 5 Firewall log 40.4.3 Call-Triggering Packet Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easy readable format. Equivalent information is available in menu 24.1 in hex format. An example is shown next. PP[...]
Page 567
Figure 391 Call-Triggering Packet Example 40.5 Diagnostic The diagnostic facility allows you to test the different aspects of your ZyWALL to determine if it is working properly. Menu 24.4 allows you to choose among various types of diagnostic tests to evaluate you[...]
Page 568
Figure 392 Menu 24.4: System Maintenance: Diagnostic 40.5.1 WAN DHCP DHCP functionality can be enabled on the LAN, DMZ, WLAN or WAN as shown in Figure 393 on page 568. LAN DHCP has already been discussed. The ZyWALL can act either as a WAN DHCP client (IP Addres[...]
Page 569
WAN DHCP Renewal Enter 3 to renew your WAN DHCP settings. PPPoE/PPTP Setup Test Enter 4 to test the Internet setup. You can also test the Internet setup in Menu 4 - Internet Access. Please refer to Chapter 31 on page 497 for more details. This feature is only av[...]
Page 571
CHAPTER 41 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 41.1 Introduction Use the instructions in this chapter to change the ZyWALL’s configuration file or upgrade its firmwar[...]
Page 572
The following table is a summary. Please note that the internal filename refers to the filename on the ZyWALL and the external filename refers to the filename not on the ZyWALL, that is, on your computer, local network or FTP site and so the name (but no[...]
Page 573
Figure 394 Telnet into Menu 24.5 41.3.2 Using the FTP Command from the Command Line 1 Launch the FTP client on your computer. 2 Enter “open”, followed by a space and the IP address of your ZyWALL. 3 Press [ENTER] when prompted for a username. 4 Enter [...]
Page 574
41.3.3 Example of FTP Commands from the Command Line Figure 395 FTP Session Example 41.3.4 GUI-based FTP Clients The following table describes some of the commands that you may see in GUI-based FTP clients. 41.3.5 File Maintenance Over WAN TFTP, FTP and Te[...]
Page 575
41.3.6 Backup Configuration Using TFTP The ZyWALL supports the up/downloading of the firmware and the configuration file using TFTP (Trivial File Transfer Protocol) over LAN. Although TFTP should work over WAN as well, it is not recommended. To use TFTP[...]
Page 576
Refer to Section 41.3.5 on page 574 to read about configurations that disallow TFTP and FTP over WAN. 41.3.9 Backup Via Console Port Back up configuration via console port by following the HyperTerminal procedure shown next. Procedures using other seria[...]
Page 577
4 After a successful backup you will see the following screen. Press any key to return to the SMT menu. Figure 399 Successful Backup Confirmation Screen 41.4 Restore Configuration This section shows you how to restore a previously saved configuration. Note [...]
Page 578
Figure 400 Telnet into Menu 24.6 1 Launch the FTP client on your computer. 2 Enter “open”, followed by a space and the IP address of your ZyWALL. 3 Press [ENTER] when prompted for a username. 4 Enter your password as requested (the default is “1234”[...]
Page 579
41.4.3 Restore Via Console Port Restore configuration via console port by following the HyperTerminal procedure shown next. Procedures using other serial communications programs should be similar. 1 Display menu 24.6 and enter “y” at the following scr[...]
Page 580
WARNING! Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE YOUR ZyWALL. 41.5.1 Firmware File Upload FTP is the preferred method for uploading the firmware and configuration. To use this feature, your computer must have an [...]
Page 581
Figure 407 Telnet Into Menu 24.7.2: System Maintenance To upload the firmware and the configuration file, follow these examples 41.5.3 FTP File Upload Command from the DOS Prompt Example 1 Launch the FTP client on your computer. 2 Enter “open”, follow[...]
Page 582
41.5.4 FTP Session Example of Firmware File Upload Figure 408 FTP Session Example of Firmware File Upload More commands (found in GUI-based FTP clients) are listed earlier in this chapter. Refer to Section 41.3.5 on page 574 to read about configurations tha[...]
Page 583
41.5.6 TFTP Upload Command Example The following is an example TFTP command: tftp [-i] host put firmware.bin ras Where “i” specifies binary image transfer mode (use this mode when transferring binary files), “host” is the ZyWALL’s IP address, “[...]
Page 584
Figure 410 Example Xmodem Upload After the firmware upload process has completed, the ZyWALL will automatically restart. 41.5.10 Uploading Configuration File Via Console Port 1 Select 2 from Menu 24.7 – System Maintenance – Upload Firmware to display[...]
Page 585
41.5.11 Example Xmodem Configuration Upload Using HyperTerminal Click Transfer, then Send File to display the following screen. Figure 412 Example Xmodem Upload After the configuration upload process has completed, restart the ZyWALL by entering “atgo[...]
Page 587
CHAPTER 42 System Maintenance Menus 8 to 10 This chapter leads you through SMT menus 24.8 to 24.10. 42.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic funct[...]
Page 588
42.1.1 Command Syntax The command keywords are in courier new font. Enter the command keywords exactly as shown, do not abbreviate. The required fields in a command are enclosed in angle brackets <>. The optional fields in a command are enclosed in square bra[...]
Page 589
42.2 Call Control Support The ZyWALL provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1. The budget management function allows you [...]
Page 590
The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked. After each period, the total budget is reset. The defa[...]
Page 591
The following table describes the fields in this screen. 42.3 Time and Date Setting The ZyWALL’s Real Time Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external [...]
Page 592
Figure 419 Menu 24.10 System Maintenance: Time and Date Setting The following table describes the fields in this screen. Menu 24.10 - System Maintenance - Time and Date Setting Time Protocol= NTP (RFC-1305) Time Server Address= a.ntp.alphazed.net Current Time: 09 : 24[...]
Page 593
Start Date (mm-nth-week-hr) Configure the day and time when Daylight Saving Time starts if you selected Yes in the Daylight Saving field. The hr field uses the 24 hour format. Here are a couple of examples: Daylight Saving Time starts in most parts of the United [...]
Page 595
CHAPTER 43 Remote Management This chapter covers remote management found in SMT menu 24.11. 43.1 Remote Management Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. Note: When you configure remote management to allow management f[...]
Page 596
Figure 420 Menu 24.11 – Remote Management Control The following table describes the fields in this screen. Menu 24.11 - Remote Management Control TELNET Server: Port = 23 Access = LAN Secure Client IP = 0.0.0.0 FTP Server: Port = 21 Access = LAN+WAN+DMZ+WLAN Secure Client IP = 0.0.[...]
Page 597
43.1.1 Remote Management Limitations Remote management over LAN or WAN will not work when: 1 A filter in menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service. 2 You have disabled that service in menu 24.11. 3 The IP address in the Secure Client I[...]
Page 599
CHAPTER 44 Call Scheduling Call scheduling allows you to dictate when a remote node should be called and for how long. 44.1 Introduction to Call Scheduling The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long. This feature is simi[...]
Page 600
Note: To delete a schedule set, enter the set number and press [SPACE BAR] and then [ENTER] or [DEL] in the Edit Name field. To set up a schedule set, select the schedule set you want to setup from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as shown next. [...]
Page 601
Once your schedule sets are configured, you must then apply them to the desired remote node(s). Enter 11 from the Main Menu and then enter the target remote node index. Press [SPACE BAR] and then [ENTER] to select PPPoE in the Encapsulation field to make the schedule sets field avail[...]
Page 602
Figure 424 Applying Schedule Set(s) to a Remote Node (PPTP) Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Allocated Budget(min)= 0 Outgoing= Period(hr)= 0 My Login= Schedules= 1,2,3,4 M[...]
Page 603
PART VII Troubleshooting and Specifications Troubleshooting (605) Product Specifications (613)[...]
Page 605
CHAPTER 45 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories. • Power, Hardware Connections, and LEDs • ZyWALL Access and Login • Internet Access • Wireless Router/AP Troubleshooting • UPnP 4[...]
Page 606
45.2 ZyWALL Access and Login I forgot the IP address for the ZyWALL. 1 The default IP address is 192.168.1.1. 2 Use the console port to log in to the ZyWALL. 3 If you changed the IP address and have forgotten it, you might get the IP address of the ZyWALL by looking up the IP ad[...]
Page 607
6 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions. Advanced Suggestions • You may also need to clear your Internet browser’s cache. In Internet Explorer, click Tools and then Internet Options to open the Internet Op[...]
Page 608
See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser. I cannot use the console port to access the ZyWALL. 1 Check to see if the ZyWALL is connected to your computer's console port[...]
Page 609
The username and password apply to PPPoE and PPPoA encapsulation only. Make sure that you have entered the correct Service Type, User Name and Password (be sure to use the correct casing). Refer to the WAN setup chapter (web configurator or SMT). 2 Disconnect all the cables from your[...]
Page 610
interfering with the wireless network (for example, microwaves, other wireless networks, and so on). 3 Reboot the ZyWALL. 4 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions. Advanced Suggestions • Check the settings for ba[...]
Page 611
Restart your computer. I cannot open special applications such as white board, file transfer and video when I use the MSN messenger. 1 Wait more than three minutes. 2 Restart the applications.[...]
Page 613
CHAPTER 46 Product Specifications This chapter gives details about your ZyWALL’s hardware and firmware features. 46.1 General ZyWALL Specifications The following tables summarize the ZyWALL’s hardware and firmware features. Table 221 Hardware Specifications Dimensions (W x D x H) 181(W) x 128(D) x 36(H) [...]
Page 614
Device Management Use the web configurator to easily configure the rich range of features on the ZyWALL. Firmware Upgrade Download new firmware (when available) from the ZyXEL web site and use the web configurator, an FTP or a TFTP tool to put it on the ZyWALL. Note: Only upl[...]
Page 615
46.2 Cable Pin Assignments In a serial communications connection, generally a computer is DTE (Data Terminal Equipment) and a modem is DCE (Data Circuit-terminating Equipment). The ZyWALL is DCE when you connect a computer to the console port. The ZyWALL is DTE when you conne[...]
Page 616
Figure 425 Console/Dial Backup Cable DB-9 End Pin Layout
Table 224 Console Cable Pin Assignments
PIN DEFINITION   RJ-45 END   DB-9M (MALE) END
DSR              1           6
DTR              2           4
TX               3           3
RTS              4           7
GND              5           5
RX               6           2
CTS              7           8
DCD              8           1
N/A                          9
Table 225 Dial Backup Cable Pin Assignments PIN DEFINITION RJ-45 END[...]
Page 617
46.3 Wall-mounting Instructions Complete the following steps to hang your ZyWALL on a wall. Note: See Table 221 on page 613 for the size of screws to use and how far apart to place them. 1 Select a position free of obstructions on a sturdy wall. 2 Drill two holes for the screws[...]
Page 618
Figure 426 Wall-mounting Example The following are dimensions of an M4 tap screw and masonry plug used for wall mounting. All measurements are in millimeters (mm). Figure 427 Masonry Plug and M4 Tap Screw
Page 619
PART VIII Appendices and Index Note: The appendices provide general information. Some details may not apply to your ZyWALL. Setting up Your Computer’s IP Address (621) Pop-up Windows, JavaScripts and Java Permissions (637) IP Addresses and Subnetting (645) Common Services (653) Importing Certificates (657) Legal Information (669) Cust[...]
Page 621
APPENDIX A Setting up Your Computer’s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on you[...]
Page 622
Figure 428 Windows 95/98/Me: Network: Configuration Installing Components The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter:[...]
Page 623
Configuring 1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties. 2 Click the IP Address tab. • If your IP address is dynamic, select Obtain an IP address automatically. • If you have a static IP address[...]
Page 624
Figure 430 Windows 95/98/Me: TCP/IP Properties: DNS Configuration 4 Click the Gateway tab. • If you do not know your gateway’s IP address, remove previously installed gateways. • If you have a gateway IP address, type it in the New gateway field and click[...]
Page 625
Figure 431 Windows XP: Start Menu 2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT). Figure 432 Windows XP: Control Panel 3 Right-click Local Area Connection and then click Properties.[...]
Page 626
Figure 433 Windows XP: Control Panel: Network Connections: Properties 4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties. Figure 434 Windows XP: Local Area Connection Properties 5 The Internet Protocol TCP/IP Proper[...]
Page 627
Figure 435 Windows XP: Internet Protocol (TCP/IP) Properties 6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional I[...]
Page 628
Figure 436 Windows XP: Advanced TCP/IP Properties 7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): • Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). • If you know your DNS s[...]
Page 629
Figure 437 Windows XP: Internet Protocol (TCP/IP) Properties 8 Click OK to close the Internet Protocol (TCP/IP) Properties window. 9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window. 10 Close the Network Connections wind[...]
Page 630
Figure 438 Macintosh OS 8/9: Apple Menu 2 Select Ethernet built-in from the Connect via list. Figure 439 Macintosh OS 8/9: TCP/IP 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list. 4 For statically assigned settings, do the fol[...]
Page 631
• Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. • Type the IP address of your ZyWALL in the Router address box. 5 Close the TCP/IP Control Panel. 6 Click Save if prompted, to save changes to your configurat[...]
Page 632
Figure 441 Macintosh OS X: Network 4 For statically assigned settings, do the following: • From the Configure box, select Manually. • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. • Type the IP address [...]
Page 633
Note: Make sure you are logged in as the root administrator. Using the K Desktop Environment (KDE) Follow the steps below to configure your computer IP address using the KDE. 1 Click the Red Hat button (located on the bottom left corner), select System Setting and[...]
Page 634
• If you have a dynamic IP address, click Automatically obtain IP address settings with and select dhcp from the drop down list. • If you have a static IP address, click Statically set IP Addresses and fill in the Address, Subnet mask, and Default Gateway [...]
Page 635
Figure 446 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0 • If you have a static IP address, enter static in the BOOTPROTO= field. Type IPADDR= followed by the IP address (in dotted decimal notation) and type NETMASK= followed by the subnet mask. Th[...]
Page 636
Verifying Settings Enter ifconfig in a terminal screen to check your TCP/IP properties. Figure 450 Red Hat 9.0: Checking TCP/IP Properties [root@localhost]# ifconfig eth0 Link encap:Ethernet HWaddr 00:50:BA:72:5B:44 inet addr:172.16.19.129 Bcast:172.16.19.255 Ma[...]
Page 637
APPENDIX B Pop-up Windows, JavaScripts and Java Permissions In order to use the web configurator you need to allow: • Web browser pop-up windows from your device. • JavaScripts (enabled by default). • Java permissions (enabled by default). Note: Internet Explorer 6 screens are used here. Screens for other[...]
Page 638
2 Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled. Figure 452 Internet Options: Privacy 3 Click Apply to save this setting. Enable Pop-up Blockers with Except[...]
Page 639
Figure 453 Internet Options: Privacy 3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.167.1. 4 Click Add to move the IP address to the list of Allowed site[...]
Page 640
5 Click Close to return to the Privacy screen. 6 Click Apply to save this setting. JavaScripts If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed. 1 In Internet Explorer, click Tools, [...]
Page 641
Figure 456 Security Settings - Java Scripting Java Permissions 1 From Internet Explorer, click Tools, Internet Options and then the Security tab. 2 Click the Custom Level... button. 3 Scroll down to Microsoft VM. 4 Under Java permissions make sure t[...]
Page 642
JAVA (Sun) 1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab. 2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected. 3 Click OK to close the window. Figure 458 Java (Sun) Mozilla Firefox M[...]
Page 643
Figure 459 Mozilla Firefox: Tools > Options Click Content to show the screen below. Select the check boxes as shown in the following screen. Figure 460 Mozilla Firefox Content Security
Page 645
APPENDIX C IP Addresses and Subnetting This appendix introduces IP addresses and subnet masks. IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices a[...]
Page 646
Figure 461 Network Number and Host ID How much of the IP address is the network number and how much is the host ID varies according to the subnet mask. Subnet Masks A subnet mask is used to determine which bits are part of the network number, and which bits are part of th[...]
Page 647
Subnet masks are expressed in dotted decimal notation just like IP addresses. The following examples show the binary and decimal notation for 8-bit, 16-bit, 24-bit and 29-bit subnet masks. Network Size The size of the network number determines the maximum number of possible[...]
Page 648
Subnetting You can use subnetting to divide one network into multiple sub-networks. In the following example a network administrator creates two sub-networks to isolate a group of servers from the rest of the company network for security reasons. In this example, the compa[...]
Page 649
Figure 463 Subnetting Example: After Subnetting In a 25-bit subnet the host ID has 7 bits, so each sub-network has a maximum of 2^7 – 2 or 126 possible hosts (a host ID of all zeroes is the subnet’s address itself, all ones is the subnet’s broadcast address). 192.168.[...]
Page 650
Example: Eight Subnets Similarly, use a 27-bit mask to create eight subnets (000, 001, 010, 011, 100, 101, 110 and 111). The following table shows IP address last octet values for each subnet. Table 232 Subnet 2 IP/SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE IP[...]
Page 651
Subnet Planning The following table is a summary for subnet planning on a network with a 24-bit network number. The following table is a summary for subnet planning on a network with a 16-bit network number.
(Continuation of the eight-subnet table, last octet values: subnet, network address, first host, last host, broadcast)
5 128 129 158 159
6 160 161 190 191
7 192 193 222 223
8 224 225 25[...]
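Worked example of the subnetting arithmetic in this appendix, added here and not taken from the ZyXEL guide: it splits the 192.168.1.0/24 network with the 25-bit mask (two subnets of 126 hosts) and the 27-bit mask (eight subnets) discussed above. The network-number step is done with an explicit bitwise AND so the "which bits belong to the network" rule is visible, and Python's standard ipaddress module is used only to cross-check it.

```python
"""Subnet arithmetic for the Appendix C examples (added example, not ZyXEL code)."""
import ipaddress


def prefix_to_mask(bits):
    """Build the 32-bit mask for a /bits prefix (25 -> 0xFFFFFF80)."""
    if not 0 <= bits <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF


def mask_to_dotted(bits):
    """Dotted-decimal form of a /bits mask, e.g. 29 -> 255.255.255.248."""
    return str(ipaddress.IPv4Address(prefix_to_mask(bits)))


def network_number(addr, bits):
    """Network number of addr under a /bits mask: address AND mask."""
    a = int(ipaddress.IPv4Address(addr))
    return str(ipaddress.IPv4Address(a & prefix_to_mask(bits)))


def broadcast_address(addr, bits):
    """Broadcast address: the network number with every host bit set to one."""
    a = int(ipaddress.IPv4Address(addr))
    host_mask = prefix_to_mask(bits) ^ 0xFFFFFFFF
    return str(ipaddress.IPv4Address(a | host_mask))


def usable_hosts(bits):
    """Usable hosts per subnet: 2^(host bits) minus the network and broadcast addresses."""
    host_bits = 32 - bits
    return 2 ** host_bits - 2 if host_bits >= 2 else 0


def subnet_table(network, new_prefix):
    """Rows of (network, first host, last host, broadcast) for each subnet.

    Mirrors the appendix's 'last octet values' tables. Each row is cross-checked
    against the ipaddress module so an error in the hand-rolled bit arithmetic
    would be caught immediately.
    """
    parent = ipaddress.IPv4Network(network)
    rows = []
    for sub in parent.subnets(new_prefix=new_prefix):
        net = str(sub.network_address)
        bcast = str(sub.broadcast_address)
        assert network_number(net, new_prefix) == net
        assert broadcast_address(net, new_prefix) == bcast
        first = str(sub.network_address + 1)
        last = str(sub.broadcast_address - 1)
        rows.append((net, first, last, bcast))
    return rows


def last_octets(network, new_prefix):
    """The same table reduced to last-octet integers, as the appendix prints it."""
    return [tuple(int(ip.rsplit(".", 1)[1]) for ip in row)
            for row in subnet_table(network, new_prefix)]


if __name__ == "__main__":
    for bits in (25, 27):
        print(f"/{bits} mask {mask_to_dotted(bits)}: {usable_hosts(bits)} usable hosts per subnet")
        for i, row in enumerate(last_octets("192.168.1.0/24", bits), start=1):
            print(f"  subnet {i}: network .{row[0]} hosts .{row[1]}-.{row[2]} broadcast .{row[3]}")
```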
Page 652
Configuring IP Addresses Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask. If the [...]
Page 653
APPENDIX D Common Services The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Number Authority) web site. • Name: This is a short, descriptive n[...]
Page 654
Table 238 Commonly Used Services NAME PROTOCOL PORT(S) DESCRIPTION AH (IPSEC_TUNNEL) User-Defined 51 The IPSEC AH (Authentication Header) tunneling protocol uses this service. AIM/New-ICQ TCP 5190 AOL’s Internet Messenger service. It is also used as a listening port by ICQ. AUTH TC[...]
-
Page 655
NNTP | TCP | 119 | Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service.
PING | User-Defined | 1 | Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable.
POP3 | TCP | 110 | Post Office Protocol version[...]
Page 656
TELNET | TCP | 23 | Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems.
TFTP | UDP | 69 | Trivial File Transfer Protocol is an Internet file tr[...]
Page 657
APPENDIX E Importing Certificates
This appendix shows importing certificates examples using Internet Explorer 5.
Import ZyWALL Certificates into Netscape Navigator
In Netscape Navigator, you can permanently trust the ZyWALL's server certificate by importing it into your operating system as a trusted cert[...]
Page 658
Figure 465 Login Screen
2 Click Install Certificate to open the Install Certificate wizard.
Figure 466 Certificate General Information before Import
3 Click Next to begin the Install Certificate wizard.[...]
Page 659
Figure 467 Certificate Import Wizard 1
4 Select where you would like to store the certificate and then click Next.
Figure 468 Certificate Import Wizard 2
5 Click Finish to complete the Import Certificate wizard.[...]
Page 660
Figure 469 Certificate Import Wizard 3
6 Click Yes to add the ZyWALL certificate to the root store.
Figure 470 Root Certificate Store[...]
Page 661
Figure 471 Certificate General Information after Import
Enrolling and Importing SSL Client Certificates
The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA to the ZyWALL in order for th[...]
Page 662
Figure 472 ZyWALL Trusted CA Screen
The CA sends you a package containing the CA's trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s).
Installing the CA's Certificate
1 Double click the CA's trusted certificat[...]
Page 663
Figure 473 CA Certificate Example
2 Click Install Certificate and follow the wizard as shown earlier in this appendix.
Installing Your Personal Certificate(s)
You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. D[...]
Page 664
Figure 474 Personal Certificate Import Wizard 1
2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate.
Figure 475 Personal Certificate Import Wizard 2
3 Ent[...]
Page 665
Figure 476 Personal Certificate Import Wizard 3
4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.
Figure 477 Personal Certificate Import Wizard 4
5 Click Fini[...]
Page 666
Figure 478 Personal Certificate Import Wizard 5
6 You should see the following screen when the certificate is correctly installed on your computer.
Figure 479 Personal Certificate Import Wizard 6
Using a Certificate When Accessing the ZyWALL Example
Use the following procedure[...]
Page 667
Figure 481 SSL Client Authentication
3 You next see the ZyWALL login screen.
Figure 482 ZyWALL Secure Login Screen[...]
Page 669
APPENDIX F Legal Information
Copyright
Copyright © 2007 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanic[...]
Page 670
If this device does cause harmful interference to radio/television reception, which can be determined by turning the device off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
1 Reorient or relocate the receiving antenna.
2 [...]
Page 671
ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products will be shipped by ZyXEL to the corresponding return address, Postage Paid. This warranty gives you specific legal rights, and you may also have other rights that vary from country to cou[...]
Page 673
APPENDIX G Customer Support
Please have the following information ready when you contact customer support.
Required Information
• Product model and serial number.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.
"+"[...]
Page 674
• Regular Mail: ZyXEL Communications, Czech s.r.o., Modranská 621, 143 01 Praha 4 - Modrany, Ceská Republika
Denmark
• Support E-mail: support@zyxel.dk
• Sales E-mail: sales@zyxel.dk
• Telephone: +45-39-55-07-00
• Fax: +45-39-55-07-07
• Web: www.zyxel.dk
• Re[...]
Page 675
India
• Support E-mail: support@zyxel.in
• Sales E-mail: sales@zyxel.in
• Telephone: +91-11-30888144 to +91-11-30888153
• Fax: +91-11-30888149, +91-11-26810715
• Web: http://www.zyxel.in
• Regular Mail: India - ZyXEL Technology India Pvt Ltd., II - Floo[...]
Page 676
• Regular Mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806-2001, U.S.A.
Norway
• Support E-mail: support@zyxel.no
• Sales E-mail: sales@zyxel.no
• Telephone: +47-22-80-61-80
• Fax: +47-22-80-61-81
• Web: www.zyxel.no
• Regular Mail: ZyX[...]
Page 677
Sweden
• Support E-mail: support@zyxel.se
• Sales E-mail: sales@zyxel.se
• Telephone: +46-31-744-7700
• Fax: +46-31-744-7701
• Web: www.zyxel.se
• Regular Mail: ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden
Thailand
• Support E-mail: support@zy[...]
Page 679
Index
Numerics 9600 baud 467 A active protocol 272 AH 272 and encapsulation 272 ESP 272 Address Assignment 365 address assignment 153 AH 272 and transport mode 273 ALG 411 RTP 412 SIP 413 STUN 413 allocated budget 486, 513 alternative subnet mask notation 647 anti-probing 211 Application Layer Gateway. See[...]
Page 680
CHAP 486, 513 CNM 396 command interpreter mode 587 command line 573 commands FTP 573 computer names 136, 138 configuration backup 460, 572 TFTP 575 configuration information 462 configuration restore 460, 577 via console port 584 connection ID/name 514 console port 467, 561 configuration upload 584 data b[...]
Page 681
ESSID 610 Ethernet encapsulation 70, 497, 510 extended authentication 260 F F/W version 562 factory defaults 461 factory-default configuration file 53 FCC interference statement 669 file backup console port 576 file maintenance over WAN 574 file upload console port 583 FTP 581 TFTP 582 Xmodem 583 file[...]
Page 682
encryption algorithms 257, 263 extended authentication 260 ID content 259 ID type 259 IP address, remote IPSec router 255 IP address, ZyXEL Device 255 local identity 259 main mode 254, 260 NAT traversal 261 negotiation mode 254 password 260 peer identity 259 pre-shared key 258 proposal 257 SA life time [...]
Page 683
configuring 523 default server IP address 340 definitions 331 examples 530 how NAT works 332 in the SMT 521 inside global address 331 inside local address 331 Many to Many No Overload 334 Many to Many Overload 334 Many to One 334 mapping types 334 NAT unfriendly applications 536 One to One 334 ordering rule[...]
Page 684
limitations 378, 597 secure FTP using SSH 389 secure telnet using SSH 387 SNMP 392 SSH 385 SSH implementation 386 system timeout 378 Telnet 390 WWW 379 remote node 509 filter 489, 516 reports 425 host IP address 426, 427 protocol/port 426, 428 web site hits 426, 427 required fields 469 reset button 5[...]
Page 685
static route 347, 519 stop bit 467 STP 146 BPDU 146 Hello BPDU 147 how it works 146 Max Age 147 port states 147 STUN 413 SUA 521 subnet 645 subnet mask 133, 646 subnetting 648 subscription services 127 syntax conventions 4 syslog logging 563 system information 559 maintenance 559 name 447, 475 status 559 ti[...]
Page 686
network policy 80, 256, 273 overlap 271 pre-shared key 267 proposal 257 remote IPSec router 253 remote network 253 remote policy 270 security associations (SA) 254 security on traffic 89 skip overlap 271 virtual address mapping 275 VPN. See also IKE SA, IPSec SA. VT100 terminal emulation 467 W WAN file ma[...]