ZyXEL Communications 35 Series manual


A good user manual

The rules should oblige the seller to give the purchaser the operating instructions for the ZyXEL Communications 35 Series along with the item. The lack of instructions, or false information given to the customer, constitutes grounds for a complaint because of nonconformity of the goods with the contract. In accordance with the law, a customer can receive instructions in non-paper form; lately graphic and electronic forms of manuals, as well as instructional videos, have been widely used. A necessary precondition for this is that the instructions are unmistakable and legible.

What is an instruction?

The term originates from the Latin word „instructio”, which means organizing. Therefore, in an instruction of ZyXEL Communications 35 Series one could find a process description. An instruction's purpose is to teach, to ease the start-up and an item's use or performance of certain activities. An instruction is a compilation of information about an item/a service, it is a clue.

Unfortunately, only a few customers devote their time to read an instruction of ZyXEL Communications 35 Series. A good user manual introduces us to a number of additional functionalities of the purchased item, and also helps us to avoid the formation of most of the defects.

What should a perfect user manual contain?

First and foremost, a user manual of ZyXEL Communications 35 Series should contain:
- information concerning technical data of ZyXEL Communications 35 Series
- name of the manufacturer and a year of construction of the ZyXEL Communications 35 Series item
- rules of operation, control and maintenance of the ZyXEL Communications 35 Series item
- safety signs and mark certificates which confirm compatibility with appropriate standards

Why don't we read the manuals?

Usually it results from the lack of time and certainty about functionalities of purchased items. Unfortunately, networking and start-up of ZyXEL Communications 35 Series alone are not enough. An instruction contains a number of clues concerning respective functionalities, safety rules, maintenance methods (what means should be used), eventual defects of ZyXEL Communications 35 Series, and methods of problem resolution. Eventually, when one still can't find the answer to his problems, he will be directed to the ZyXEL Communications service. Lately animated manuals and instructional videos are quite popular among customers. These kinds of user manuals are effective; they assure that a customer will familiarize himself with the whole material, and won't skip complicated, technical information of ZyXEL Communications 35 Series.

Why should one read the manuals?

It is mostly in the manuals where we will find the details concerning construction and possibility of the ZyXEL Communications 35 Series item, and its use of respective accessory, as well as information concerning all the functions and facilities.

After a successful purchase of an item one should find a moment to get to know every part of the instructions. Currently the manuals are carefully prepared and translated, so they can be fully understood by their users. The manuals will serve as an informational aid.

Table of contents for the manual

  • Page 1

    ZyWALL 5/35/70 Series Internet Security Appliance User’s Guide Version 4.00 12/2005[...]

  • Page 2

    ZyWALL 5/35/70 Series User’s Guide. Copyright. Copyright © 2005 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnet[...]

  • Page 3

    ZyWALL 5/35/70 Series User’s Guide. Federal Communications Commission (FCC) Interference Statement. This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: • This device may not cause harmful interference. • This device must accept[...]

  • Page 4

    ZyWALL 5/35/70 Series User’s Guide. Federal Communications Commission (FCC) Interference Statement[...]

  • Page 5

    ZyWALL 5/35/70 Series User’s Guide. Safety Warnings. For your safety, be sure to read and follow all warning notices and instructions. • Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel can service the device. Plea[...]

  • Page 6

    ZyWALL 5/35/70 Series User’s Guide. ZyXEL Limited Warranty. ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product hav[...]

  • Page 7

    ZyWALL 5/35/70 Series User’s Guide. Customer Support. Please have the following information ready when you contact customer support. • Product model and serial number. • Warranty Information. • Date that you received your device. • Brief description of the problem and the steps you took to solve it. METHOD LOCATION[...]

  • Page 8

    ZyWALL 5/35/70 Series User’s Guide. Customer Support. POLAND info@pl.zyxel.com +48-22-5286603 www.pl.zyxel.com ZyXEL Communications ul.Emilli Plater 53 00-113 Warszawa Poland +48-22-5206701 RUSSIA http://zyxel.ru/support +7-095-542-89-29 www.zyxel.ru ZyXEL Russia Ostrovityanova 37a Str. Moscow, 117279 Russia sales@zyxel.ru +7-095-542-89-[...]

  • Page 9

    ZyWALL 5/35/70 Series User’s Guide. Customer Support[...]

  • Page 10

    ZyWALL 5/35/70 Series User’s Guide. Table of Contents. Copyright ... 2; Federal Communications Commission (FCC) Interference Statement ... 3; Safety Warnings ..[...]

  • Page 11

    ZyWALL 5/35/70 Series User’s Guide. Table of Contents. 2.4.5 Show Statistics: Line Chart ... 80; 2.4.6 DHCP Table Screen ... 81; 2.4.7 VPN Status ...[...]

  • Page 12

    ZyWALL 5/35/70 Series User’s Guide. Table of Contents. Chapter 6 Bridge Screens ... 122; 6.1 Bridge Loop ... 122; 6.2 Spanning Tree Protocol [...]

  • Page 13

    ZyWALL 5/35/70 Series User’s Guide. Table of Contents. 7.17 Configuring Advanced Modem Setup ... 159; Chapter 8 DMZ Screens ... 162; 8.1 DMZ ...[...]

  • Page 14

    ZyWALL 5/35/70 Series User’s Guide. Table of Contents. 9.16.4 IEEE 802.1x + Dynamic WEP ... 196; 9.16.5 IEEE 802.1x + Static WEP ... 197; 9.16.6 IEEE 802.1x + No WEP ...[...]

  • Page 15

    ZyWALL 5/35/70 Series User’s Guide. Table of Contents. 11.3.3.2 Service ... 217; 11.3.3.3 Source Address ... 217; 11.3.3.4 Destination Address ...[...]

  • Page 16

    ZyWALL 5/35/70 Series User’s Guide. Table of Contents. 13.3.3 Signature Actions ... 248; 13.3.4 Configuring IDP Signatures ... 249; 13.3.5 Query View ...[...]

  • Page 17

    ZyWALL 5/35/70 Series User’s Guide. Table of Contents. Chapter 16 Content Filtering Screens ... 278; 16.1 Content Filtering Overview ... 278; 16.1.1 Restrict Web Features ...[...]

  • Page 18

    ZyWALL 5/35/70 Series User’s Guide. Table of Contents. Chapter 19 VPN Screens ... 308; 19.1 VPN/IPSec Overview ... 308; 19.2 IPSec Algorithms ...[...]

  • Page 19

    ZyWALL 5/35/70 Series User’s Guide. Table of Contents. 20.5.1 Certificate File Formats ... 346; 20.6 My Certificate Create ... 347; 20.7 My Certificate Details ...[...]

  • Page 20

    ZyWALL 5/35/70 Series User’s Guide. Table of Contents. 22.7 Port Triggering ... 388; Chapter 23 Static Route ... 392; 23.1 IP Static Route ..[...]

  • Page 21

    ZyWALL 5/35/70 Series User’s Guide. Table of Contents. Chapter 26 DNS ... 418; 26.1 DNS Overview ... 418; 26.2 DNS Server Address Assi[...]

  • Page 22

    ZyWALL 5/35/70 Series User’s Guide. Table of Contents. 27.13 FTP ... 447; 27.14 SNMP ... 448; 27.14.1 Supported MIBs ...[...]

  • Page 23

    ZyWALL 5/35/70 Series User’s Guide. Table of Contents. Chapter 30 Logs Screens ... 472; 30.1 Configuring View Log ... 472; 30.2 Log Description Example ... [...]

  • Page 24

    ZyWALL 5/35/70 Series User’s Guide. Table of Contents. 32.4 Changing the System Password ... 506; 32.5 Resetting the ZyWALL ... 507; Chapter 33 SMT Menu 1 - General Setup ...[...]

  • Page 25

    ZyWALL 5/35/70 Series User’s Guide. Table of Contents. 37.3 TCP/IP Setup ... 536; 37.3.1 IP Address ... 537; 37.3.2 IP Alias Setup ...[...]

  • Page 26

    ZyWALL 5/35/70 Series User’s Guide. Table of Contents. 42.2 NAT Setup ... 564; 42.2.1 Address Mapping Sets ... 565; 42.2.1.1 SUA Address Mapping Set ...[...]

  • Page 27

    ZyWALL 5/35/70 Series User’s Guide. Table of Contents. 46.2 System Status ... 600; 46.3 System Information and Console Port Speed ... 602; 46.3.1 System Information ...[...]

  • Page 28

    ZyWALL 5/35/70 Series User’s Guide. Table of Contents. Chapter 48 System Maintenance Menus 8 to 10 ... 628; 48.1 Command Interpreter Mode ... 628; 48.1.1 Command Syntax ...[...]

  • Page 29

    ZyWALL 5/35/70 Series User’s Guide. Table of Contents. Hardware Installation ... 672; Appendix C Removing and Installing a Fuse ... 676; Appendix D Setting up Your Computer’s IP Address ...[...]

  • Page 30

    ZyWALL 5/35/70 Series User’s Guide. Table of Contents. Appendix S Log Descriptions ... 774; Index ... 798[...]

  • Page 31

    ZyWALL 5/35/70 Series User’s Guide. Table of Contents[...]

  • Page 32

    ZyWALL 5/35/70 Series User’s Guide. List of Figures. Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem ... 62; Figure 2 VPN Application ... 63; Figure 3 ZyWALL 70 Front Panel ...[...]

  • Page 33

    ZyWALL 5/35/70 Series User’s Guide. List of Figures. Figure 39 WLAN Port Role Example ... 118; Figure 40 LAN Port Roles ... 119; Figure 41 Port Roles Change C[...]

  • Page 34

    ZyWALL 5/35/70 Series User’s Guide. List of Figures. Figure 82 Wireless Card: WPA-PSK ... 194; Figure 83 Wireless Card: WPA ... 195; Figure 84 Wireless Card: 802.1x + D[...]

  • Page 35

    ZyWALL 5/35/70 Series User’s Guide. List of Figures. Figure 125 Anti-Spam: General ... 270; Figure 126 Anti-Spam: External DB ... 272; Figure 127 Anti-Spam: Lists ..[...]

  • Page 36

    ZyWALL 5/35/70 Series User’s Guide. List of Figures. Figure 168 Trusted Remote Hosts ... 360; Figure 169 Remote Host Certificates ... 361; Figure 170 Certificate Details ...[...]

  • Page 37

    ZyWALL 5/35/70 Series User’s Guide. List of Figures. Figure 211 Login Screen (Internet Explorer) ... 439; Figure 212 Login Screen (Netscape) ... 439; Figure 213 Replace Certificate ...[...]

  • Page 38

    ZyWALL 5/35/70 Series User’s Guide. List of Figures. Figure 254 Firmware Upload In Process ... 495; Figure 255 Network Temporarily Disconnected ... 496; Figure 256 Firmware Upload Error ...[...]

  • Page 39

    ZyWALL 5/35/70 Series User’s Guide. List of Figures. Figure 297 Menu 6.3: Route Failover ... 542; Figure 298 Menu 7.1: Wireless Setup ... 544; Figure 299 Menu 7.1.1: WLAN MAC Addres[...]

  • Page 40

    ZyWALL 5/35/70 Series User’s Guide. List of Figures. Figure 339 Menu 21.2: Firewall Setup ... 583; Figure 340 Outgoing Packet Filtering Process ... 584; Figure 341 Filter Rule Process ...[...]

  • Page 41

    ZyWALL 5/35/70 Series User’s Guide. List of Figures. Figure 382 Example Xmodem Upload ... 625; Figure 383 Menu 24.7.2 As Seen Using the Console Port ... 626; Figure 384 Example Xmodem Upload ...[...]

  • Page 42

    ZyWALL 5/35/70 Series User’s Guide. List of Figures. Figure 425 Windows XP: Advanced TCP/IP Properties ... 685; Figure 426 Windows XP: Internet Protocol (TCP/IP) Properties ... 686; Figure 427 Macintosh OS 8/9: Apple Menu ... [...]

  • Page 43

    ZyWALL 5/35/70 Series User’s Guide. List of Figures. Figure 468 Headquarters Network Policy Edit ... 735; Figure 469 Branch Office Network Policy Edit ... 736; Figure 470 VPN Rule Configured ... [...]

  • Page 44

    ZyWALL 5/35/70 Series User’s Guide. List of Tables. Table 1 Model Specific Features ... 54; Table 2 Front Panel LEDs ... 64; Table 3 Web[...]

  • Page 45

    ZyWALL 5/35/70 Series User’s Guide. List of Tables. Table 39 WAN: Ethernet Encapsulation ... 144; Table 40 WAN: PPPoE Encapsulation ... 148; Table 41 WAN: PPTP Encapsulation ...[...]

  • Page 46

    ZyWALL 5/35/70 Series User’s Guide. List of Tables. Table 82 Common Computer Virus Types ... 258; Table 83 Anti-Virus: General ... 262; Table 84 Anti-Virus: Update ...[...]

  • Page 47

    ZyWALL 5/35/70 Series User’s Guide. List of Tables. Table 125 NAT Mapping Types ... 378; Table 126 NAT Overview ... 379; Table 127 NAT Address[...]

  • Page 48

    ZyWALL 5/35/70 Series User’s Guide. List of Tables. Table 168 Web Site Hits Report ... 480; Table 169 Protocol/Port Report ... 481; Table 170 Host IP Address Re[...]

  • Page 49

    ZyWALL 5/35/70 Series User’s Guide. List of Tables. Table 211 Remote Node Network Layer Options Menu Fields ... 556; Table 212 Menu 11.1.5: Traffic Redirect Setup ... 559; Table 213 Menu 12.1: Edit IP Static Route ...[...]

  • Page 50

    ZyWALL 5/35/70 Series User’s Guide. List of Tables. Table 254 Classes of IP Addresses ... 694; Table 255 Allowed IP Address Range By Class ... 695; Table 256 “Natural” Masks ...[...]

  • Page 51

    ZyWALL 5/35/70 Series User’s Guide. List of Tables. Table 297 AS Logs ... 792; Table 298 Syslog Logs ... 794; Table 299 RF[...]

  • Page 52

    ZyWALL 5/35/70 Series User’s Guide. Preface. Congratulations on your purchase of the ZyWALL. Note: Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.zyxel.com for North American products. Your ZyWALL is easy to install and configure. Abou[...]

  • Page 53

    ZyWALL 5/35/70 Series User’s Guide. Preface. Syntax Conventions • “Enter” means for you to type one or more characters. “Select” or “Choose” means for you to use one of the predefined choices. • The SMT menu titles and labels are in Bold Times New Roman font. Predefined field choices are in Bold Arial font. Command and arrow keys are [...]

  • Page 54

    ZyWALL 5/35/70 Series User’s Guide. Chapter 1 Getting to Know Your ZyWALL. This chapter introduces the main features and applications of the ZyWALL. 1.1 ZyWALL Internet Security Appliance Overview The ZyWALL is loaded with security features including VPN, firewall, content filtering, anti-spam, IDP [...]

  • Page 55

    ZyWALL 5/35/70 Series User’s Guide. Chapter 1 Getting to Know Your ZyWALL. Table Key: An O in a mode’s column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change. 1.2.1 Physical Features LAN Port The 10/100 Mbps auto-negotiating Etherne[...]

  • Page 56

    ZyWALL 5/35/70 Series User’s Guide. Chapter 1 Getting to Know Your ZyWALL. Time and Date The ZyWALL allows you to get the current time and date from an external server when you turn on your ZyWALL. You can also set the time manually. The Real Time Chip (RTC) keeps track of the time and date. Reset Button Use the reset button to restor[...]

  • Page 57

    ZyWALL 5/35/70 Series User’s Guide. Chapter 1 Getting to Know Your ZyWALL. Bandwidth Management Bandwidth management allows you to allocate network resources according to defined policies. This policy-based bandwidth allocation helps your network to better handle real-time applications such as Voice-over-IP (VoIP). IPSec VPN Capabil[...]

  • Page 58

    ZyWALL 5/35/70 Series User’s Guide. Chapter 1 Getting to Know Your ZyWALL. Content Filtering The ZyWALL can block web features such as ActiveX controls, Java applets and cookies, as well as disable web proxies. The ZyWALL can block or allow access to web sites that you specify. The ZyWALL can also block access to web sites containing keywo[...]

  • Page 59

    ZyWALL 5/35/70 Series User’s Guide. Chapter 1 Getting to Know Your ZyWALL. IEEE 802.1x for Network Security The ZyWALL supports the IEEE 802.1x standard that works with the IEEE 802.11 to enhance user authentication. With the local user profile, the ZyWALL allows you to configure up to 32 user profiles without a network authentication server [...]

  • Page 60

    ZyWALL 5/35/70 Series User’s Guide. Chapter 1 Getting to Know Your ZyWALL. Dynamic DNS Support With Dynamic DNS (Domain Name System) support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet. You must register for this service with a Dynamic D[...]

  • Page 61

    ZyWALL 5/35/70 Series User’s Guide. Chapter 1 Getting to Know Your ZyWALL. Traffic Redirect Traffic Redirect forwards WAN traffic to a backup gateway on the LAN when the ZyWALL cannot connect to the Internet, thus acting as an auxiliary backup when your regular WAN connection fails. Port Forwarding Use this feature to forward incoming serv[...]

  • Page 62

    ZyWALL 5/35/70 Series User’s Guide. Chapter 1 Getting to Know Your ZyWALL. 1.3 Applications for the ZyWALL Here are some examples of what you can do with your ZyWALL. 1.3.1 Secure Broadband Internet Access via Cable or DSL Modem You can connect a cable modem, DSL or wireless modem to the ZyWALL for broadband Internet access via Ethernet [...]

  • Page 63

    ZyWALL 5/35/70 Series User’s Guide. Chapter 1 Getting to Know Your ZyWALL. Figure 2 VPN Application 1.3.3 Front Panel LEDs Figure 3 ZyWALL 70 Front Panel Figure 4 ZyWALL 35 Front Panel Figure 5 ZyWALL 5 Front Panel[...]

  • Page 64

    ZyWALL 5/35/70 Series User’s Guide. Chapter 1 Getting to Know Your ZyWALL. The following table describes the LEDs. Table 2 Front Panel LEDs LED COLOR STATUS DESCRIPTION PWR Off The ZyWALL is turned off. Green On The ZyWALL is turned on. Red On The power to the ZyWALL is too low. SYS Green Off The ZyWALL is not ready or has failed. On The Z[...]

  • Page 65

    ZyWALL 5/35/70 Series User’s Guide. Chapter 1 Getting to Know Your ZyWALL[...]

  • Page 66

    ZyWALL 5/35/70 Series User’s Guide. Chapter 2 Introducing the Web Configurator. This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens. 2.1 Web Configurator Overview The web configurator is an HTML-based management interface that allows easy Zy[...]

  • Page 67

    ZyWALL 5/35/70 Series User’s Guide. Chapter 2 Introducing the Web Configurator. Figure 6 Change Password Screen 6 Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. Note: If you do not replace the default certificate here or in the CERTIFICATES scre[...]

  • Page 68

    ZyWALL 5/35/70 Series User’s Guide. Chapter 2 Introducing the Web Configurator. 2.3.1 Procedure To Use The Reset Button Make sure the SYS LED is on (not blinking) before you begin this procedure. 1 Press the RESET button for ten seconds, and then release it. If the SYS LED begins to blink, the defaults have been restored and the ZyWALL res[...]

  • Page 69

    ZyWALL 5/35/70 Series User’s Guide. Chapter 2 Introducing the Web Configurator. Note: Follow the instructions you see in the HOME screen or click the icon. The screen varies according to the device mode you select in the MAINTENANCE Device Mode screen. 2.4.1 Router Mode The following screen displays when the ZyWALL is set to router mode. The [...]

  • Page 70

    ZyWALL 5/35/70 Series User’s Guide. Chapter 2 Introducing the Web Configurator. The following table describes the labels in this screen. Table 3 Web Configurator HOME Screen in Router Mode LABEL DESCRIPTION Wizards for WAN 1 (WAN) and VPN Quick Setup Internet Access Click Internet Access to use the initial configuration wizard. This confi[...]

  • Page 71

    ZyWALL 5/35/70 Series User’s Guide. Chapter 2 Introducing the Web Configurator. 2.4.2 Bridge Mode The following screen displays when the ZyWALL is set to bridge mode. While in bridge mode, the ZyWALL cannot get an IP address from a DHCP server. The LAN, WAN, DMZ and WLAN interfaces all have the same (static) IP address and subnet mask. Y [...]

  • Page 72

    ZyWALL 5/35/70 Series User’s Guide. Chapter 2 Introducing the Web Configurator. Figure 10 Web Configurator HOME Screen in Bridge Mode The following table describes the labels in this screen. Table 4 Web Configurator HOME Screen in Bridge Mode LABEL DESCRIPTION Wizards for VPN Quick Setup VPN Click VPN to create VPN policies. Device Informat[...]

  • Page 73

    ZyWALL 5/35/70 Series User’s Guide. Chapter 2 Introducing the Web Configurator. Firmware Version This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design. Device Mode This displays whether the ZyWALL is functioning as a router or a bridge. Firewall This displays whether or not[...]

  • Page 74

    ZyWALL 5/35/70 Series User’s Guide Chapter 2 Introducing the Web Configurator 74 2.4.3 Navigation Panel After you enter the password, use the sub-menus on the navigation panel to configure ZyWALL features. The following table lists the features available for each device mode. Not all ZyWALLs have all features listed in this table. RSTP Path [...]

  • Page 75

    ZyWALL 5/35/70 Series User’s Guide 75 Chapter 2 Introducing the Web Configurator Table Key: An O in a mode’s column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change. The following table describes the sub-menus. DNS O Remote Management [...]

  • Page 76

    ZyWALL 5/35/70 Series User’s Guide Chapter 2 Introducing the Web Configurator 76 WAN General This screen allows you to configure load balancing, route priority and traffic redirect properties. Route (ZyWALL 5 only) This screen allows you to configure route priority. WAN (ZyWALL 5 only) Use this screen to configure the WAN port for in [...]

  • Page 77

    ZyWALL 5/35/70 Series User’s Guide 77 Chapter 2 Introducing the Web Configurator IDP General Use this screen to enable IDP on the ZyWALL and choose what interface(s) you want to protect from intrusions. Signature Use these screens to view signatures by attack type or search for signatures by signature name, ID, severity, target operating system[...]

  • Page 78

    ZyWALL 5/35/70 Series User’s Guide Chapter 2 Introducing the Web Configurator 78 NAT NAT Overview Use this screen to enable NAT. Address Mapping Use this screen to configure network address translation mapping rules. Port Forwarding Use this screen to configure servers behind the ZyWALL. Port Triggering Use this screen to change your ZyWA[...]

  • Page 79

    ZyWALL 5/35/70 Series User’s Guide 79 Chapter 2 Introducing the Web Configurator 2.4.4 System Statistics Click Show Statistics in the HOME screen. Read-only information here includes port status and packet specific statistics. Also provided is "Up Time" and "poll interval(s)". The Poll Interval(s) field is configura[...]

  • Page 80

    ZyWALL 5/35/70 Series User’s Guide Chapter 2 Introducing the Web Configurator 80 2.4.5 Show Statistics: Line Chart Click the icon in the Show Statistics screen. This screen shows you the line chart of each port’s throughput statistics. Figure 12 Home : Show Statistics: Line Chart Status For the LAN and DMZ ports, this displays the port [...]

  • Page 81

    ZyWALL 5/35/70 Series User’s Guide 81 Chapter 2 Introducing the Web Configurator The following table describes the labels in this screen. 2.4.6 DHCP Table Screen DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyWALL a[...]

  • Page 82

    ZyWALL 5/35/70 Series User’s Guide Chapter 2 Introducing the Web Configurator 82 The following table describes the labels in this screen. 2.4.7 VPN Status Click VPN Status in the HOME screen when the ZyWALL is set to router mode. Read-only information here includes encapsulation mode and security protocol. The Poll Interval(s) field is con[...]

  • Page 83

    ZyWALL 5/35/70 Series User’s Guide 83 Chapter 2 Introducing the Web Configurator Figure 14 Home : VPN Status The following table describes the labels in this screen. Table 10 Home : VPN Status LABEL DESCRIPTION # This is the security association index number. Name This field displays the identification name for this VPN policy. Local Network Th[...]

  • Page 84

    ZyWALL 5/35/70 Series User’s Guide Chapter 3 Wizard Setup 84 CHAPTER 3 Wizard Setup This chapter provides information on the Wizard Setup screens in the web configurator. The Internet access wizard is only applicable when the ZyWALL is in router mode. 3.1 Wizard Setup Overview The web configurator's setup wizards help you configure WA[...]

  • Page 85

    ZyWALL 5/35/70 Series User’s Guide 85 Chapter 3 Wizard Setup Figure 15 ISP Parameters : Ethernet Encapsulation The following table describes the labels in this screen. Table 11 ISP Parameters : Ethernet Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation You must choose the Ethernet option when the WAN port is u[...]

  • Page 86

    ZyWALL 5/35/70 Series User’s Guide Chapter 3 Wizard Setup 86 3.2.1.2 PPPoE Encapsulation Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an IETF (Internet Engineering Task Force) standard specifying how a host personal computer interacts with a broadband modem (for example xDSL, cable, wireless,[...]

  • Page 87

    ZyWALL 5/35/70 Series User’s Guide 87 Chapter 3 Wizard Setup 3.2.1.3 PPTP Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables transfers of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol, a[...]

  • Page 88

    ZyWALL 5/35/70 Series User’s Guide Chapter 3 Wizard Setup 88 Figure 17 ISP Parameters: PPTP Encapsulation The following table describes the labels in this screen. Table 13 ISP Parameters : PPTP Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Select PPTP from the drop-down list box. To configure a PPTP client, [...]

  • Page 89

    ZyWALL 5/35/70 Series User’s Guide 89 Chapter 3 Wizard Setup 3.2.2 Internet Access Wizard: Second Screen Click Next to go to the screen where you can register your ZyWALL and activate the free content filtering, anti-spam, anti-virus and IDP trial applications. Otherwise, click Skip to display the congratulations screen and click Close to comp[...]

  • Page 90

    ZyWALL 5/35/70 Series User’s Guide Chapter 3 Wizard Setup 90 Figure 19 Internet Access Setup Complete 3.2.3 Internet Access Wizard: Registration If you clicked Next in the previous screen (see Figure 18 on page 89), the following screen displays. Note: If you want to activate a standard service with your iCard’s PIN number (license key), us[...]

  • Page 91

    ZyWALL 5/35/70 Series User’s Guide 91 Chapter 3 Wizard Setup The following table describes the labels in this screen. After you fill in the fields and click Next, the following screen shows indicating the registration is in progress. Wait for the registration progress to finish. Figure 21 Internet Access Wizard: Registration in Progress Click C[...]

  • Page 92

    ZyWALL 5/35/70 Series User’s Guide Chapter 3 Wizard Setup 92 Figure 22 Internet Access Wizard: Status The following screen appears if the registration was not successful. Click Return to go back to the Device Registration screen and check your settings. Figure 23 Internet Access Wizard: Registration Failed If the ZyWALL has been registered, t[...]

  • Page 93

    ZyWALL 5/35/70 Series User’s Guide 93 Chapter 3 Wizard Setup Figure 25 Internet Access Wizard: Activated Services 3.3 VPN Wizard Gateway Setting Use the VPN wizard screens to configure a VPN rule that uses a pre-shared key. If you want to set the rule to use a certificate, please go to the VPN screens for configuration. Click VPN Wizard in the [...]

  • Page 94

    ZyWALL 5/35/70 Series User’s Guide Chapter 3 Wizard Setup 94 The following table describes the labels in this screen. 3.4 VPN Wizard Network Setting Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between t[...]

  • Page 95

    ZyWALL 5/35/70 Series User’s Guide 95 Chapter 3 Wizard Setup Figure 27 VPN Wizard: Network Setting The following table describes the labels in this screen. Table 16 VPN Wizard : Network Setting LABEL DESCRIPTION Network Policy Property Active If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel. Clea[...]

  • Page 96

    ZyWALL 5/35/70 Series User’s Guide Chapter 3 Wizard Setup 96 3.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1) Figure 28 VPN Wizard: IKE Tunnel Setting Remote Network Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. Select Single for a single IP address. Select Range IP for a spec[...]

  • Page 97

    ZyWALL 5/35/70 Series User’s Guide 97 Chapter 3 Wizard Setup The following table describes the labels in this screen. Table 17 VPN Wizard: IKE Tunnel Setting LABEL DESCRIPTION Negotiation Mode Select Main Mode for identity protection. Select Aggressive Mode to allow more incoming connections from dynamic IP addresses to use separate passwords.[...]

  • Page 98

    ZyWALL 5/35/70 Series User’s Guide Chapter 3 Wizard Setup 98 3.6 VPN Wizard IPSec Setting (IKE Phase 2) Figure 29 VPN Wizard: IPSec Setting The following table describes the labels in this screen. Table 18 VPN Wizard: IPSec Setting LABEL DESCRIPTION Encapsulation Mode Tunnel is compatible with NAT, Transport is not. Tunnel mode encaps[...]

  • Page 99

    ZyWALL 5/35/70 Series User’s Guide 99 Chapter 3 Wizard Setup 3.7 VPN Wizard Status Summary This read-only screen shows the status of the current VPN setting. Use the summary table to check whether what you have configured is correct. SA Life Time (Seconds) Define the length of time before an IKE SA automatically renegotiates in this field.[...]

  • Page 100

    ZyWALL 5/35/70 Series User’s Guide Chapter 3 Wizard Setup 100 Figure 30 VPN Wizard: VPN Status The following table describes the labels in this screen. Table 19 VPN Wizard: VPN Status LABEL DESCRIPTION Gateway Policy Property Name This is the name of this VPN gateway policy. Gateway Policy Setting My ZyWALL This is the WAN IP address or the [...]

  • Page 101

    ZyWALL 5/35/70 Series User’s Guide 101 Chapter 3 Wizard Setup Name This is the name of this VPN network policy. Network Policy Setting Local Network Starting IP Address This is a (static) IP address on the LAN behind your ZyWALL. Ending IP Address/ Subnet Mask When the local network is configured for a single IP address, this field is N/A. Wh[...]

  • Page 102

    ZyWALL 5/35/70 Series User’s Guide Chapter 3 Wizard Setup 102 3.8 VPN Wizard Setup Complete Congratulations! You have successfully set up the VPN rule after any existing rule(s) for your ZyWALL. Figure 31 VPN Wizard Setup Complete[...]

  • Page 103

    ZyWALL 5/35/70 Series User’s Guide 103 Chapter 3 Wizard Setup[...]

  • Page 104

    ZyWALL 5/35/70 Series User’s Guide Chapter 4 Registration 104 CHAPTER 4 Registration 4.1 myZyXEL.com overview myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL. Note: You need to create an account before you can register your device and activate the[...]

  • Page 105

    ZyWALL 5/35/70 Series User’s Guide 105 Chapter 4 Registration You will get automatic e-mail notification of new signature releases from mySecurityZone after you activate the IDP/Anti-virus service. You can also check for new signature or virus updates at http://mysecurity.zyxel.com . See the chapters about content filtering, anti-virus, ant[...]

  • Page 106

    ZyWALL 5/35/70 Series User’s Guide Chapter 4 Registration 106 The following table describes the labels in this screen. Note: If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated. Use the Service screen to update your service subscription status. Table 20 Registration LABEL DESCRIPTI[...]

  • Page 107

    ZyWALL 5/35/70 Series User’s Guide 107 Chapter 4 Registration Figure 33 Registration : Registered Device 4.3 Service After you activate a trial, you can also use the Service screen to register and enter your iCard’s PIN number (license key). Click REGISTRATION, Service to open the screen as shown next. Note: If you restore the ZyWALL to [...]

  • Page 108

    ZyWALL 5/35/70 Series User’s Guide Chapter 4 Registration 108 The following table describes the labels in this screen. Table 21 Service LABEL DESCRIPTION Service Management Service This field displays the service name available on the ZyWALL. Status This field displays whether a service is activated (Active) or not (Inactive). Registratio[...]

  • Page 109

    ZyWALL 5/35/70 Series User’s Guide 109 Chapter 4 Registration[...]

  • Page 110

    ZyWALL 5/35/70 Series User’s Guide Chapter 5 LAN Screens 110 CHAPTER 5 LAN Screens This chapter describes how to configure LAN settings. This chapter is only applicable when the ZyWALL is in router mode. The LAN Port Roles screen is available on the ZyWALL 5 and ZyWALL 35. 5.1 LAN Overview Local Area Network (LAN) is a shared communicatio[...]

  • Page 111

    ZyWALL 5/35/70 Series User’s Guide 111 Chapter 5 LAN Screens These parameters should work for the majority of installations. If your ISP gives you explicit DNS server address(es), read the embedded web configurator help regarding what fields need to be configured. 5.3.2 IP Address and Subnet Mask Similar to the way houses on a street share [...]

  • Page 112

    ZyWALL 5/35/70 Series User’s Guide Chapter 5 LAN Screens 112 Both RIP-2B and RIP-2M send routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will [...]

  • Page 113

    ZyWALL 5/35/70 Series User’s Guide 113 Chapter 5 LAN Screens Figure 35 LAN The following table describes the labels in this screen. Table 22 LAN LABEL DESCRIPTION LAN TCP/IP IP Address Type the IP address of your ZyWALL in dotted decimal notation. 192.168.1.1 is the factory default. Alternatively, click the right mouse button to copy and/or [...]

  • Page 114

    ZyWALL 5/35/70 Series User’s Guide Chapter 5 LAN Screens 114 Multicast Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGM[...]

  • Page 115

    ZyWALL 5/35/70 Series User’s Guide 115 Chapter 5 LAN Screens 5.6 LAN Static DHCP This table allows you to assign IP addresses on the LAN to specific individual computers based on their MAC Addresses. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of he[...]

  • Page 116

    ZyWALL 5/35/70 Series User’s Guide Chapter 5 LAN Screens 116 5.7 LAN IP Alias IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LAN ne[...]

  • Page 117

    ZyWALL 5/35/70 Series User’s Guide 117 Chapter 5 LAN Screens Figure 38 LAN IP Alias The following table describes the labels in this screen. Table 24 LAN IP Alias LABEL DESCRIPTION Enable IP Alias 1, 2 Select the check box to configure another LAN network for the ZyWALL. IP Address Enter the IP address of your ZyWALL in dotted decimal notation.[...]

  • Page 118

    ZyWALL 5/35/70 Series User’s Guide Chapter 5 LAN Screens 118 5.8 LAN Port Roles Use the Port Roles screen to set ports as LAN, DMZ or WLAN interfaces. The LAN port role is not available on all models. Connect wireless LAN Access Points (APs) to WLAN interfaces to extend the ZyWALL’s wireless LAN coverage. The WLAN port role allows the ZyW[...]

  • Page 119

    ZyWALL 5/35/70 Series User’s Guide 119 Chapter 5 LAN Screens To change your ZyWALL’s port role settings, click NETWORK, LAN and then the Port Roles tab. The screen appears as shown. The radio buttons on the left correspond to Ethernet ports on the front panel of the ZyWALL. Ports 1 to 4 are all LAN ports by default. The radio buttons on [...]

  • Page 120

    ZyWALL 5/35/70 Series User’s Guide Chapter 5 LAN Screens 120 After you change the LAN/DMZ/WLAN port roles and click Apply, please wait for a few seconds until the following screen appears. Click Return to go back to the Port Roles screen. Figure 41 Port Roles Change Complete Apply Click Apply to save your changes back to the ZyWALL. Reset Click R[...]

  • Page 121

    ZyWALL 5/35/70 Series User’s Guide 121 Chapter 5 LAN Screens[...]

  • Page 122

    ZyWALL 5/35/70 Series User’s Guide Chapter 6 Bridge Screens 122 CHAPTER 6 Bridge Screens This chapter describes how to configure bridge settings. This chapter is only applicable when the ZyWALL is in bridge mode. 6.1 Bridge Loop The ZyWALL can act as a bridge between a switch and a wired LAN or between two routers. Be careful to avoid bridge[...]

  • Page 123

    ZyWALL 5/35/70 Series User’s Guide 123 Chapter 6 Bridge Screens 6.2.1 Rapid STP The ZyWALL uses IEEE 802.1w RSTP (Rapid Spanning Tree Protocol) that allows faster convergence of the spanning tree (while also being backwards compatible with STP-only aware bridges). Using RSTP topology change information does not have to propagate to the root b[...]

  • Page 124

    ZyWALL 5/35/70 Series User’s Guide Chapter 6 Bridge Screens 124 Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello BPDU after a predefined interval (Max Age), the bridge assumes that the link to the root bridg[...]

  • Page 125

    ZyWALL 5/35/70 Series User’s Guide 125 Chapter 6 Bridge Screens Figure 43 Bridge The following table describes the labels in this screen. Table 28 Bridge LABEL DESCRIPTION Bridge IP Address Setup IP Address Type the IP address of your ZyWALL in dotted decimal notation. IP Subnet Mask The subnet mask specifies the network number portion of an [...]

  • Page 126

    ZyWALL 5/35/70 Series User’s Guide Chapter 6 Bridge Screens 126 6.4 Bridge Port Roles Use the Port Roles screen to set ports as LAN, DMZ or WLAN interfaces. The LAN port role is not available on all models. Connect wireless LAN Access Points (APs) to WLAN interfaces to extend the ZyWALL’s wireless LAN coverage. The WLAN port role allows t[...]

  • Page 127

    ZyWALL 5/35/70 Series User’s Guide 127 Chapter 6 Bridge Screens Figure 44 WLAN Port Role Example To change your ZyWALL’s port role settings, click NETWORK, BRIDGE and then the Port Roles tab. The screen appears as shown. The radio buttons on the left correspond to Ethernet ports on the front panel of the ZyWALL. Ports 1 to 4 are all DMZ [...]

  • Page 128

    ZyWALL 5/35/70 Series User’s Guide Chapter 6 Bridge Screens 128 After you change the LAN/DMZ/WLAN port roles and click Apply, please wait for a few seconds until the following screen appears. Click Return to go back to the Port Roles screen. Figure 46 Port Roles Change Complete WLAN When you have the wireless card set to WLAN, you can select a [...]

  • Page 129

    ZyWALL 5/35/70 Series User’s Guide 129 Chapter 6 Bridge Screens[...]

  • Page 130

    ZyWALL 5/35/70 Series User’s Guide Chapter 7 WAN Screens 130 CHAPTER 7 WAN Screens This chapter describes how to configure WAN settings. Multiple WAN and load balancing are not available on the ZyWALL 5. 7.1 WAN Overview • Use the WAN General screen to configure load balancing, route priority and traffic redirect properties for the Zy[...]

  • Page 131

    ZyWALL 5/35/70 Series User’s Guide 131 Chapter 7 WAN Screens You can select through which WAN port you want to send out traffic from UPnP-enabled applications (see Chapter 28 on page 456). The ZyWALL's DDNS lets you select which WAN interface you want to use for each individual domain name. The DDNS high availability feature lets you[...]

  • Page 132

    ZyWALL 5/35/70 Series User’s Guide Chapter 7 WAN Screens 132 7.4.1.1 Example 1 The following figure depicts an example where both the WAN ports on the ZyWALL are connected to the Internet. The configured available outbound bandwidths for WAN 1 and WAN 2 are 512K and 256K respectively. Figure 47 Least Load First Example If the outbound band[...]

  • Page 133

    ZyWALL 5/35/70 Series User’s Guide 133 Chapter 7 WAN Screens 7.4.2 Weighted Round Robin Similar to the Round Robin (RR) algorithm, the Weighted Round Robin (WRR) algorithm sets the ZyWALL to send traffic through each WAN interface in turn. In addition, the WAN interfaces are assigned weights. An interface with a larger weight gets more of [...]

  • Page 134

    ZyWALL 5/35/70 Series User’s Guide Chapter 7 WAN Screens 134 Figure 49 Spillover Algorithm Example 7.5 TCP/IP Priority (Metric) The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of co[...]

  • Page 135

    ZyWALL 5/35/70 Series User’s Guide 135 Chapter 7 WAN Screens Figure 50 WAN General[...]

  • Page 136

    ZyWALL 5/35/70 Series User’s Guide Chapter 7 WAN Screens 136 The following table describes the labels in this screen. Table 32 WAN General LABEL DESCRIPTION Active/Passive (Fail Over) Mode Select the Active/Passive (fail over) operation mode to have the ZyWALL use the second highest priority WAN port as a back up. This means that the ZyWALL [...]

  • Page 137

    ZyWALL 5/35/70 Series User’s Guide 137 Chapter 7 WAN Screens 7.7 Configuring Load Balancing To configure load balancing on the ZyWALL, click NETWORK, WAN in the navigation panel. The WAN General screen displays by default. Select Active/Active Mode under Operation Mode to enable load balancing on the ZyWALL. The WAN General sc[...]

  • Page 138

    ZyWALL 5/35/70 Series User’s Guide Chapter 7 WAN Screens 138 7.7.1 Least Load First To configure Least Load First, select Least Load First in the Load Balancing Algorithm field. Figure 51 Load Balancing: Least Load First The following table describes the related fields in this screen. Table 33 Load Balancing: Least Load First LABEL DESCRIPTIO[...]

  • Page 139

    ZyWALL 5/35/70 Series User’s Guide 139 Chapter 7 WAN Screens 7.7.2 Weighted Round Robin To load balance using the weighted round robin method, select Weighted Round Robin in the Load Balancing Algorithm field. Figure 52 Load Balancing: Weighted Round Robin The following table describes the related fields in this screen. 7.7.3 Spillover T[...]

  • Page 140

    ZyWALL 5/35/70 Series User’s Guide Chapter 7 WAN Screens 140 Figure 53 Load Balancing: Spillover The following table describes the related fields in this screen. 7.8 WAN Route Click NETWORK, WAN to open the Route screen. Use this screen to configure route priority. Table 35 Load Balancing: Spillover LABEL DESCRIPTION Active/Active Mode Sel[...]

  • Page 141

    ZyWALL 5/35/70 Series User’s Guide 141 Chapter 7 WAN Screens Figure 54 WAN Route The following table describes the labels in this screen. Table 36 WAN Route LABEL DESCRIPTION Route Priority WAN Traffic Redirect Dial Backup The default WAN connection is "1" as your broadband connection via the WAN port should always be your prefer[...]

  • Page 142

    ZyWALL 5/35/70 Series User’s Guide Chapter 7 WAN Screens 142 7.9 WAN IP Address Assignment Every computer on the Internet must have a unique IP address. If your networks are isolated from the Internet, for instance, only between your two branch offices, you can assign any IP addresses to the hosts without problems. However, the Internet Assig[...]

  • Page 143

    ZyWALL 5/35/70 Series User’s Guide 143 Chapter 7 WAN Screens 1 The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, manually enter them in the DNS server fields. 2 If your ISP dynamically assigns the DNS server IP addresses (along with the ZyWAL[...]

  • Page 144

    ZyWALL 5/35/70 Series User’s Guide Chapter 7 WAN Screens 144 Figure 55 WAN: Ethernet Encapsulation The following table describes the labels in this screen. Table 39 WAN: Ethernet Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethern[...]

  • Page 145

    ZyWALL 5/35/70 Series User’s Guide 145 Chapter 7 WAN Screens Retype to Confirm Type your password again to make sure that you have entered it correctly. Login Server IP Address Type the authentication server IP address here if your ISP gave you one. This field is not available for Telia Login. Login Server (Telia Login only) Type the dom[...]

  • Page 146

    ZyWALL 5/35/70 Series User’s Guide Chapter 7 WAN Screens 146 7.12.2 PPPoE Encapsulation The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (DSL, cable, wireless, etc.) connection. The PPPoE option is for a dial-up conn[...]

  • Page 147

    ZyWALL 5/35/70 Series User’s Guide 147 Chapter 7 WAN Screens Operationally, PPPoE saves significant effort for both you and the ISP or carrier, as it requires no specific configuration of the broadband modem at the customer site. By implementing PPPoE directly on the ZyWALL (rather than individual computers), the computers on the LAN do not [...]

  • Page 148

    ZyWALL 5/35/70 Series User’s Guide Chapter 7 WAN Screens 148 The following table describes the labels in this screen. Table 40 WAN: PPPoE Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation The PPPoE choice is for a dial-up connection using PPPoE. The router supports PPPoE (Point-to-Point Protocol over Ethernet). PPPo[...]

  • Page 149

    ZyWALL 5/35/70 Series User’s Guide 149 Chapter 7 WAN Screens RIP Direction RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, None, In Only or Out Only. When set to Both or Out Only, the ZyWALL will [...]

  • Page 150

    ZyWALL 5/35/70 Series User’s Guide Chapter 7 WAN Screens 150 7.12.3 PPTP Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol [...]

  • Page 151

    ZyWALL 5/35/70 Series User’s Guide 151 Chapter 7 WAN Screens The following table describes the labels in this screen. Table 41 WAN: PPTP Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a p[...]

  • Page 152

    ZyWALL 5/35/70 Series User’s Guide Chapter 7 WAN Screens 152 Enable NAT (Network Address Translation) Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example [...]

  • Page 153

    ZyWALL 5/35/70 Series User’s Guide 153 Chapter 7 WAN Screens 7.13 Traffic Redirect Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the ZyWALL still provides firewall protection. Figure 58 Traffic Redirect W[...]

  • Page 154

    ZyWALL 5/35/70 Series User’s Guide Chapter 7 WAN Screens 154 Figure 59 Traffic Redirect LAN Setup 7.14 Configuring Traffic Redirect To change your ZyWALL’s traffic redirect settings, click NETWORK, WAN and then the Traffic Redirect tab. The screen appears as shown. Not all fields are available on all models. Figure 60 Traffic Redirect[...]

  • Page 155

    ZyWALL 5/35/70 Series User’s Guide 155 Chapter 7 WAN Screens 7.15 Configuring Dial Backup Click NETWORK, WAN and then the Dial Backup tab to display the Dial Backup screen. Use this screen to configure the backup WAN dial-up connection. Fail Tolerance Type how many WAN connection checks can fail (1 to 10) before the connection is consi[...]

  • Page 156

    ZyWALL 5/35/70 Series User’s Guide Chapter 7 WAN Screens 156 Figure 61 Dial Backup[...]

  • Page 157

    ZyWALL 5/35/70 Series User’s Guide 157 Chapter 7 WAN Screens The following table describes the labels in this screen. Table 43 Dial Backup LABEL DESCRIPTION Dial Backup Setup Enable Dial Backup Select this check box to turn on dial backup. Basic Settings Login Name Type the login name assigned by your ISP. Password Type the password assign[...]

  • Page 158

    ZyWALL 5/35/70 Series User’s Guide Chapter 7 WAN Screens 158 Enable RIP Select this check box to turn on RIP (Routing Information Protocol), which allows a router to exchange routing information with other routers. RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends ([...]

  • Page 159

    ZyWALL 5/35/70 Series User’s Guide 159 Chapter 7 WAN Screens 7.16 Advanced Modem Setup 7.16.1 AT Command Strings For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing. ATDT is the command for a switch that requires tone dialing. If your switch requires pulse dialing, change the string to ATDP. F[...]

  • Page 160

    ZyWALL 5/35/70 Series User’s Guide Chapter 7 WAN Screens 160 Figure 62 Advanced Setup The following table describes the labels in this screen. Table 44 Advanced Setup LABEL DESCRIPTION AT Command Strings Dial Type the AT Command string to make a call. Drop Type the AT Command string to drop a call. "~" represents a one secon[...]

  • Page 161

    ZyWALL 5/35/70 Series User’s Guide 161 Chapter 7 WAN Screens Dial Timeout (sec) Type a number of seconds for the ZyWALL to try to set up an outgoing call before timing out (stopping). Retry Count Type a number of times for the ZyWALL to retry a busy or no-answer phone number before blacklisting the number. Retry Interval (sec) Type a numb[...]

  • Page 162

    ZyWALL 5/35/70 Series User’s Guide Chapter 8 DMZ Screens 162 CHAPTER 8 DMZ Screens This chapter describes how to configure the ZyWALL’s DMZ. 8.1 DMZ The DeMilitarized Zone (DMZ) provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS (Denial of Service) attacks [...]

  • Page 163

    ZyWALL 5/35/70 Series User’s Guide 163 Chapter 8 DMZ Screens Figure 63 DMZ The following table describes the labels in this screen. Table 45 DMZ LABEL DESCRIPTION DMZ TCP/IP IP Address Type the IP address of your ZyWALL’s DMZ port in dotted decimal notation. Note: Make sure the IP addresses of the LAN, WAN, WLAN and DMZ are on separate subne[...]

  • Page 164

    ZyWALL 5/35/70 Series User’s Guide Chapter 8 DMZ Screens 164 RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks[...]

  • Page 165

    8.3 DMZ Static DHCP This table allows you to assign IP addresses on the DMZ to specific individual computers based on their MAC Addresses. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of h[...]

  • Page 166

    Figure 64 DMZ Static DHCP The following table describes the labels in this screen. Table 46 DMZ Static DHCP LABEL DESCRIPTION # This is the index number of the Static IP table entry (row). MAC Address Type the MAC address of a computer on your DMZ. IP Address Type the IP address[...]

  • Page 167

    8.4 DMZ IP Alias IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL supports three logical DMZ interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each DMZ net[...]

  • Page 168

    8.5 DMZ Public IP Address Example The following figure shows a simple network setup with public IP addresses on the WAN and DMZ and private IP addresses on the LAN. Lower case letters represent public IP addresses (like a.b.c.d for example). The LAN port and connected computers (A [...]

  • Page 169

    Figure 66 DMZ Public Address Example 8.6 DMZ Private and Public IP Address Example The following figure shows a network setup with both private and public IP addresses on the DMZ. Lower case letters represent public IP addresses (like a.b.c.d for example). The LAN port and connected [...]

  • Page 170

    Figure 67 DMZ Private and Public Address Example 8.7 DMZ Port Roles Use the Port Roles screen to set ports as LAN, DMZ or WLAN interfaces. The LAN port role is not available on all models. Connect wireless LAN Access Points (APs) to WLAN interfaces to extend the ZyWALL’s wireles[...]

  • Page 171

    Figure 68 WLAN Port Role Example Note: Do the following if you are configuring from a computer connected to a LAN, DMZ or WLAN port and changing the port's role: 1. A port's IP address varies as its role changes, make sure your computer's IP address is in the same subnet[...]

  • Page 172

    Figure 69 DMZ: Port Roles The following table describes the labels in this screen. Table 48 DMZ: Port Roles LABEL DESCRIPTION LAN Select a port’s LAN radio button to use the port as part of the LAN. The port will use the LAN IP address and MAC address. DMZ Select a port’s DMZ rad[...]

  • Page 173

    ZyWALL 5/35/70 Series User’s Guide 173 Chapter 8 DMZ Screens[...]

  • Page 174

    CHAPTER 9 Wireless LAN This chapter discusses how to configure wireless LAN on the ZyWALL. 9.1 Wireless LAN Introduction A wireless LAN can be as simple as two computers with wireless LAN adapters communicating in a peer-to-peer network or as complex as a number of computers with[...]

  • Page 175

    Figure 70 WLAN The following table describes the labels in this screen. Table 49 WLAN LABEL DESCRIPTION WLAN TCP/IP IP Address Type the IP address of your ZyWALL’s WLAN interface in dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP[...]

  • Page 176

    RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most network[...]

  • Page 177

    9.3 WLAN Static DHCP This table allows you to assign IP addresses on the WLAN to specific individual computers based on their MAC addresses. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs o[...]

  • Page 178

    Figure 71 WLAN Static DHCP The following table describes the labels in this screen. 9.4 WLAN IP Alias IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL supports three logical WLAN interfaces via its sin[...]

  • Page 179

    When you use IP alias, you can also configure firewall rules to control access between the WLAN's logical networks (subnets). Note: Make sure that the subnets of the logical networks do not overlap. To change your ZyWALL’s IP alias settings, click NETWORK, WLAN and then [...]

  • Page 180

    9.5 WLAN Port Roles Use the Port Roles screen to set ports as LAN, DMZ or WLAN interfaces. The LAN port role is not available on all models. Connect wireless LAN Access Points (APs) to WLAN interfaces to extend the ZyWALL’s wireless LAN coverage. The WLAN port role allows the Z[...]

  • Page 181

    Note: Do the following if you are configuring from a computer connected to a LAN, DMZ or WLAN port and changing the port's role: 1. A port's IP address varies as its role changes, make sure your computer's IP address is in the same subnet as the ZyWALL's LAN, DMZ[...]

  • Page 182

    After you change the LAN/DMZ/WLAN port roles and click Apply, please wait for a few seconds until the following screen appears. Click Return to go back to the Port Roles screen. Figure 75 WLAN Port Roles Change Complete 9.6 Wireless Security Wireless security is vital to your network [...]

  • Page 183

    Figure 76 ZyWALL Wireless Security Levels If you do not enable any wireless security on your ZyWALL, your network is accessible to any wireless networking device that is within range. Use the ZyWALL web configurator to set up your wireless LAN security settings. Refer to the chap[...]

  • Page 184

    9.6.3 Restricted Access The MAC Filter screen allows you to configure the AP to give exclusive access to devices (Allow Association) or exclude them from accessing the AP (Deny Association). 9.6.4 Hide ZyWALL Identity If you hide the ESSID, then the ZyWALL cannot be seen when a [...]

  • Page 185

    9.9 802.1x Overview The IEEE 802.1x standard outlines enhanced security methods for both the authentication of wireless stations and encryption key management. Authentication can be done using the local user database internal to the ZyWALL (authenticate up to 32 users) or an extern[...]

  • Page 186

    Sent by the RADIUS server to indicate that it has started or stopped accounting. In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password, they both know. The key is not sent over the network. In addition to the share[...]

  • Page 187

    If this feature is enabled, it is not necessary to configure a default encryption key in the Wireless Card screen (see Section 9.16.4 on page 196). You may still configure and store keys here, but they will not be used while dynamic WEP is enabled. To use dynamic WEP, enable an[...]

  • Page 188

    TKIP regularly changes and rotates the encryption keys so that the same encryption key is never used twice. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the pair-wise key to dynamically gener[...]

  • Page 189

    Figure 78 WPA-PSK Authentication 9.13 Introduction to RADIUS The ZyWALL can use an external RADIUS server to authenticate an unlimited number of users. RADIUS is based on a client-server model that supports authentication and accounting, where access point is the client and the se[...]

  • Page 190

    Figure 79 WPA with RADIUS Application Example 9.15 Wireless Client WPA Supplicants A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicants are the[...]

  • Page 191

    Figure 80 Wireless Card: No Security The following table describes the labels in this screen. Table 54 Wireless Card: No Security LABEL DESCRIPTION Enable Wireless Card The wireless LAN is turned off by default, before you enable the wireless LAN you should configure some security b[...]

  • Page 192

    9.16.1 Static WEP Static WEP provides a mechanism for encrypting data using encryption keys. Both the AP and the wireless stations must use the same WEP key to encrypt and decrypt data. Your ZyWALL allows you to configure up to four 64-bit or 128-bit WEP keys, but only one key[...]

  • Page 193

    Figure 81 Wireless Card: Static WEP The following table describes the wireless LAN security labels in this screen. 9.16.2 WPA-PSK Click the NETWORK and WIRELESS CARD to display the Wireless Card screen. Select WPA-PSK from the Security list. Table 55 Wireless Card: Static WEP [...]

  • Page 194

    Figure 82 Wireless Card: WPA-PSK The following wireless LAN security fields become available when you select WPA-PSK in the Security drop down list-box. Table 56 Wireless Card: WPA-PSK LABEL DESCRIPTION Security Select WPA-PSK from the drop-down list. Pre-Shared Key The encryp [...]

  • Page 195

    9.16.3 WPA Click the NETWORK and WIRELESS CARD to display the Wireless Card screen. Select WPA from the Security list. Figure 83 Wireless Card: WPA The following wireless LAN security fields become available when you select WPA in the Security drop down list-box. Table 57 Wi[...]

  • Page 196

    9.16.4 IEEE 802.1x + Dynamic WEP Click the NETWORK and WIRELESS CARD to display the Wireless Card screen. Select 802.1x + Dynamic WEP from the Security list. Figure 84 Wireless Card: 802.1x + Dynamic WEP The following wireless LAN security fields become available when you select[...]

  • Page 197

    9.16.5 IEEE 802.1x + Static WEP Click the NETWORK and WIRELESS CARD to display the Wireless Card screen. Select 802.1x + Static WEP from the Security list. Figure 85 Wireless Card: 802.1x + Static WEP The following wireless LAN security fields become available when you select 8[...]

  • Page 198

    9.16.6 IEEE 802.1x + No WEP Click the NETWORK and WIRELESS CARD to display the Wireless Card screen. Select 802.1x + No WEP from the Security list. Figure 86 Wireless Card: 802.1x + No WEP ReAuthentication Timer (Seconds) Specify how often wireless stations have to resend user [...]

  • Page 199

    The following wireless LAN security fields become available when you select 802.1x + No WEP in the Security drop down list-box. 9.16.7 No Access 802.1x + Static WEP Click the NETWORK and WIRELESS CARD to display the Wireless Card screen. Select No Access 802.1x + Static WEP to[...]

  • Page 200

    The following wireless LAN security fields become available when you select No Access 802.1x + Static WEP in the Security drop down list-box. 9.16.8 No Access 802.1x + No WEP Click the NETWORK and WIRELESS CARD to display the Wireless Card screen. Select No Access 802.1x + No W[...]

  • Page 201

    Figure 88 Wireless Card: MAC Address Filter The following table describes the labels in this menu. Table 62 Wireless Card: MAC Address Filter LABEL DESCRIPTION Active Select or clear the check box to enable or disable MAC address filtering. Enable MAC address filtering to have the r[...]

  • Page 202

    CHAPTER 10 Firewalls This chapter gives some background information on firewalls and introduces the ZyWALL firewall. 10.1 Firewall Overview Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The netw[...]

  • Page 203

    1 Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems. 2 Robust authentication and logging pre-authenticates application traffic before[...]

  • Page 204

    Figure 89 ZyWALL Firewall Application 10.4 Denial of Service Denials of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network re[...]

  • Page 205

    10.4.2 Types of DoS Attacks There are four types of DoS attacks: 1 Those that exploit bugs in a TCP/IP implementation. 2 Those that exploit weaknesses in the TCP/IP specification. 3 Brute-force attacks that flood a network with useless data. 4 IP Spoofing. • "Ping of Death"[...]

  • Page 206

    response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which is set at relatively long i[...]

  • Page 207

    Figure 92 Smurf Attack 10.4.2.1 ICMP Vulnerability ICMP is an error-reporting protocol that works in concert with IP. The following ICMP types trigger an alert: 10.4.2.2 Illegal Commands (NetBIOS and SMTP) The only legal NetBIOS commands are the following - all others are illegal. Ta[...]

  • Page 208

    All SMTP commands are illegal except for those displayed in the following tables. 10.4.2.3 Traceroute Traceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes when a packet filter firewall is configured incorrectly an attacker can tracerout[...]

  • Page 209

    Figure 93 Stateful Inspection The previous figure shows the ZyWALL’s default firewall rules in action as well as demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed. However other Telnet [...]

  • Page 210

    temporary entries might be modified, in order to permit only packets that are valid for the current state of the connection. 8 Any additional inbound or outbound packets that belong to the connection are inspected to update the state table entry and to modify the temporary inbound acc[...]

  • Page 211

    If an initiation packet originates on the LAN, this means that someone is trying to make a connection from the LAN to the Internet. Assuming that this is an acceptable part of the security policy (as is the case with the default policy), the connection will be allowed. A cache entry is[...]

  • Page 212

    Any protocol that operates in this way must be supported on a case-by-case basis. You can use the web configurator’s Custom Services feature to do this. 10.6 Guidelines For Enhancing Security With Your Firewall 1 Change the default password via SMT or web configurator. 2 Think abo[...]

  • Page 213

    10.7.2 Firewall • The firewall inspects packet contents as well as their source and destination addresses. Firewalls of this type employ an inspection module, applicable to all protocols, that understands data in the packet is intended for other layers, from the network layer (IP hea[...]

  • Page 214

    CHAPTER 11 Firewall Screens This chapter shows you how to configure your ZyWALL firewall. 11.1 Access Methods The web configurator is, by far, the most comprehensive firewall configuration tool your ZyWALL has to offer. For this reason, it is recommended that you configu[...]

  • Page 215

    • WLAN to WAN By default, the ZyWALL’s stateful packet inspection drops packets traveling in the following directions: • WAN to LAN • WAN to WAN/ZyWALL This prevents computers on the WAN from using the ZyWALL as a gateway to communicate with other computer[...]

  • Page 216

    11.3 Rule Logic Overview Note: Study these points carefully before configuring rules. 11.3.1 Rule Checklist 1 State the intent of the rule. For example, This restricts all IRC access from the LAN to the Internet. Or, This allows a remote Lotus Notes server to synchroniz[...]

  • Page 217

    11.3.3.2 Service Select the service from the Service scrolling list box. If the service is not listed, it is necessary to first define it. See Section 11.11.2 on page 233 for more information on predefined services. 11.3.3.3 Source Address What is the connection’s source [...]

  • Page 218

    Figure 94 LAN to WAN Traffic 11.4.2 WAN To LAN Rules The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If you wish to allow certain WAN users to have access to your LAN, you will need to create custom rules to allow it. See the follo[...]

  • Page 219

    11.6 Firewall Default Rule (Router Mode) Click SECURITY, FIREWALL to open the Default Rule screen. Enable (or activate) the firewall by selecting the Enable Firewall check box. Use this screen to configure general firewall settings when the ZyWALL is set to router mode. Fi[...]

  • Page 220

    11.7 Firewall Default Rule (Bridge Mode) Click SECURITY, FIREWALL to open the Default Rule screen. Enable (or activate) the firewall by selecting the Enable Firewall check box. Use this screen to configure general firewall settings when the ZyWALL is set to bridge mode. P[...]

  • Page 221

    Figure 97 Default Rule (Bridge Mode) The following table describes the labels in this screen. Table 68 Default Rule (Bridge Mode) LABEL DESCRIPTION Enable Firewall Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial o[...]

  • Page 222

    11.8 Firewall Rule Summary Click SECURITY, FIREWALL, then the Rule Summary tab to open the screen. This screen displays a list of the configured firewall rules. Note: The ordering of your rules is very important as rules are applied in turn. Figure 98 Rule Summary The fo[...]

  • Page 223

    11.8.1 Firewall Edit Rule Follow these directions to create a new rule. 1 In the Rule Summary screen, type the index number for where you want to put the rule. For example, if you type 6, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7. [...]

  • Page 224

    Figure 99 Firewall Edit Rule[...]

  • Page 225

    The following table describes the labels in this screen. Table 70 Firewall Edit Rule LABEL DESCRIPTION Rule Name Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the firewall rule. Spaces are allowed. Edit Source/Destinatio[...]

  • Page 226

    11.9 Anti-Probing If an outside user attempts to probe an unsupported port on your ZyWALL, an ICMP response packet is automatically returned. This allows the outside user to know the ZyWALL exists. The ZyWALL supports anti-probing, which prevents the ICMP response packet [...]

  • Page 227

    11.10 Firewall Threshold In the Threshold screen, shown later, you may choose to generate an alert whenever an attack is detected. For DoS attacks, the ZyWALL uses thresholds to determine when to drop sessions that do not become fully established. These thresholds apply glob[...]

  • Page 228

    When the rate of new connection attempts rises above a threshold (one-minute high), the ZyWALL starts deleting half-open sessions as required to accommodate new connection requests. The ZyWALL continues to delete half-open sessions as necessary, until the rate of new c[...]

  • Page 229

    Figure 101 Firewall Threshold The following table describes the labels in this screen. Table 72 Firewall Threshold LABEL DESCRIPTION Disable DoS Attack Protection on Select the check box of an interface to which the ZyWALL does not apply the thresholds. This disables DoS protec[...]

  • Page 230

    11.11 Service Click SECURITY, FIREWALL, then the Service tab to open the screen as shown next. Use this screen to configure custom services for use in firewall rules or view the services that are predefined in the ZyWALL. Maximum Incomplete High This is the number of exist[...]

  • Page 231

    Figure 102 Firewall Service The following table describes the labels in this screen. Table 73 Firewall Service LABEL DESCRIPTION Custom Service This table shows all configured custom services. # This is the index number of the custom service. Service Name This is the name of the[...]

  • Page 232

    11.11.1 Firewall Edit Custom Service Configure customized ports for services not predefined by the ZyWALL (see Section 11.11.2 on page 233 for a list of predefined services). For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (I[...]

  • Page 233

    11.11.2 Predefined Services The Predefined Services table in the Service screen displays all predefined services that the ZyWALL already supports. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP, or I[...]

  • Page 234

    IMAP(TCP/UDP:143) Internet Message Access Protocol (IMAP) is used to access mail stored on a remote mail server over a TCP/IP connection using port 143. IMAP has shorter response times than POP3. IMAPS(TCP/UDP:993) IMAP over TLS/SSL (IMAPS) is a secure protocol (that encrypts [...]

  • Page 235

    11.12 Example Firewall Rule The following Internet firewall rule example allows a hypothetical My Service connection from the Internet. 1 In the Service screen, click Add to open the Edit Custom Service screen. SIP-V2(UDP:5060) The Session Initiation Protocol (SIP) is an appl[...]

  • Page 236

    Figure 104 Service 2 Configure it as follows and click Apply. Figure 105 Edit Custom Service Example 3 Click the Rule Summary tab. Select WAN to LAN from the Packet Direction drop-down list box. 4 In the Rule Summary screen, type the index number for where you want to pu[...]

  • Page 237

    Figure 106 Rule Summary 6 Enter the name of the firewall rule. 7 Select Any in the Destination Address(es) box and then click Delete. 8 Configure the destination address screen as follows and click Add. Figure 107 Rule Edit Example 9 In the Edit Rule screen, use the arrows betw[...]

  • Page 238

    Note: Custom services show up with an * before their names in the Services list box and the Rule Summary list box. Figure 108 My Service Rule Configuration[...]

  • Page 239

    Figure 109 My Service Example Rule Summary Rule 1: Allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.[...]

  • Page 240

    CHAPTER 12 Intrusion Detection and Prevention (IDP) This chapter introduces some background information on IDP. Skip to the next chapter to see how to configure IDP on your ZyWALL. 12.1 Introduction to IDP An IDP system can detect malicious or suspi[...]

  • Page 241

    Firewalls are usually deployed at the network edge. However, many attacks (inadvertently) are launched from within an organization. Virtual private networks (VPN), removable storage devices and wireless networks may all provide access to the interna[...]

  • Page 242

    12.1.5 Example Intrusions The following are some examples of intrusions. 12.1.5.1 SQL Slammer Worm W32.SQLExp.Worm is a worm that targets the systems running Microsoft SQL Server 2000, as well as Microsoft Desktop Engine (MSDE) 2000. The worm sends 376 [...]

  • Page 243

    12.1.5.4 MyDoom MyDoom W32.Mydoom.A@mm (also known as W32.Novarg.A) is a mass-mailing worm that arrives as an attachment with a bat, cmd, exe, pif, scr, or zip file extension. When a computer is infected, the worm sets up a back door into the system [...]

  • Page 244

    CHAPTER 13 Configuring IDP This chapter shows you how to configure IDP on the ZyWALL. 13.1 Overview To use IDP on the ZyWALL, you need to insert the ZyWALL Turbo Card into the rear panel slot of the ZyWALL. See the ZyWALL Turbo Card guide for details. Note: The ZyWALL has[...]

  • Page 245

    Figure 111 Applying IDP to Interfaces 13.2 General Setup Use this screen to enable IDP on the ZyWALL and choose what interface(s) you want to protect from intrusions. Click IDP from the navigation panel. General is the first screen as shown in the following figure.[...]

  • Page 246

    Figure 112 IDP: General The following table describes the labels in this screen. 13.3 IDP Signatures The rules that define how to identify and respond to intrusions are called “signatures”. Click IDP in the navigation panel and then click the Signatures tab to see the ZyWALL[...]

  • Page 247

    To see signatures listed by intrusion type supported by the ZyWALL, select that type from the Attack Type list box. Figure 113 Attack Types The following table describes each attack type. Table 77 Attack Types TYPE DESCRIPTION DoS/DDoS The goal of Denial of Service (DoS) [...]

  • Page 248

    13.3.2 Intrusion Severity Intrusions are assigned a severity level based on the following table. The intrusion severity level then determines the default signature action. 13.3.3 Signature Actions You can enable/disable individual signatures. You can log and/or have an alert sent[...]

  • Page 249

    Figure 114 Signature Actions The following table describes signature actions. 13.3.4 Configuring IDP Signatures Click IDP in the navigation panel and then click the Signatures tab to see the ZyWALL’s “group view” signature screen where you can view signatures by atta [...]

  • Page 250

    Figure 115 IDP: Signatures The following table describes the labels in this screen. Table 80 IDP Signatures: Group View LABEL DESCRIPTION Signature Groups Attack Type Select the type of signatures you want to view from the list box. See Section 13.3.1 on page 246 for informatio[...]

  • Page 251

    13.3.5 Query View Click IDP in the navigation panel and then click the Signatures tab to see the ZyWALL’s “group view” signature screen, then click the Switch to query view link to go to this “query view” screen. In this screen you can search for signatures based on[...]

  • Page 252

    Note: A partial name may be searched but a complete ID number must be entered before a match can be found. For example, a search by name for “w” (in the first example) finds all intrusions that contain this letter in the name field. However a search by ID for “1” would re[...]

  • Page 253

    Figure 117 Signature Query by Complete ID 13.3.5.2 Query Example 2 1 From the “group view” signature screen, click the Switch to query view link. 1 Select Signature Search By Attributes. 2 Select the Severity, Type, Platform, Active, Log, Alert and/or Action items. [...]

  • Page 254

    ZyWALL 5/35/70 Series User’s Guide Chapter 13 Configuring IDP 254 Figure 118 Signature Query by Attribute. 13.4 Update The ZyWALL comes with built-in signatures created by the ZyXEL Security Response Team (ZSRT). These are regularly updated as new intrusions evolve. Use the Update screen to immediately download or schedule new signature d[...]

  • Page 255

    ZyWALL 5/35/70 Series User’s Guide 255 Chapter 13 Configuring IDP 13.4.2 Configuring IDP Update When scheduling signature updates, you should choose a day and time when your network is least busy so as to minimize disruption to your network. Your custom signature configurations are not over-written when you download new signatures. File-bas[...]

  • Page 256

    ZyWALL 5/35/70 Series User’s Guide Chapter 13 Configuring IDP 256 The following table describes the labels in this screen. Table 81 Signatures Update LABEL DESCRIPTION Signature Information Current Pattern Version This field displays the signatures version number currently used by the ZyWALL. This number is defined by the ZyXEL Security R[...]

  • Page 257

    ZyWALL 5/35/70 Series User’s Guide 257 Chapter 13 Configuring IDP 13.5 Backup and Restore You can change the pre-defined Active, Log, Alert and/or Action settings of individual signatures. Figure 120 IDP: Backup & Restore Use the Backup & Restore screen to: • Back up IDP signatures with your custom configured settings. Click Backup a[...]

  • Page 258

    ZyWALL 5/35/70 Series User’s Guide Chapter 14 Anti-Virus 258 CHAPTER 14 Anti-Virus This chapter introduces and shows you how to configure the anti-virus scanner. 14.1 Anti-Virus Overview A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a self-replicating virus that r[...]

  • Page 259

    ZyWALL 5/35/70 Series User’s Guide 259 Chapter 14 Anti-Virus 2 The virus spreads to other files and programs on the computer. 3 The infected files are unintentionally sent to another computer thus starting the spread of the virus. 4 Once the virus is spread through the network, the number of infected networked computers can grow exponentially.[...]

  • Page 260

    ZyWALL 5/35/70 Series User’s Guide Chapter 14 Anti-Virus 260 14.2.1 How the ZyWALL Anti-Virus Scanner Works The ZyWALL checks traffic going to the interface(s) you specify for signature matches. Figure 121 ZyWALL Anti-virus Example The following describes the virus scanning process on the ZyWALL. 1 The ZyWALL first identifies SMTP, POP3,[...]

  • Page 261

    ZyWALL 5/35/70 Series User’s Guide 261 Chapter 14 Anti-Virus 1 The ZyWALL anti-virus scanner cannot detect polymorphic viruses. 2 The ZyWALL does not scan the following file/traffic types: • Simultaneous downloads of a file using multiple connections. For example, when you use FlashGet to download sections of a file simultaneously. • [...]

  • Page 262

    ZyWALL 5/35/70 Series User’s Guide Chapter 14 Anti-Virus 262 The following table describes the labels in this screen. 14.4 Signature Update The ZyWALL comes with built-in signatures created by the ZyXEL Security Response Team (ZSRT). These are regularly updated as new intrusions evolve. Use the Update screen to immediately download or sched[...]

  • Page 263

    ZyWALL 5/35/70 Series User’s Guide 263 Chapter 14 Anti-Virus Note: You should have already registered the ZyWALL at myZyXEL.com (http://www.myzyxel.com/myzyxel/) and also have either activated the trial license or standard license (iCard). If your license has expired, you will have to renew it before updates are allowed. 14.4.1 mySecurity [...]

  • Page 264

    ZyWALL 5/35/70 Series User’s Guide Chapter 14 Anti-Virus 264 Figure 123 Anti-Virus: Update The following table describes the labels in this screen. Table 84 Anti-Virus: Update LABEL DESCRIPTION Signature Information Current Pattern Version This field displays the signatures version number currently used by the ZyWALL. This number is def[...]

  • Page 265

    ZyWALL 5/35/70 Series User’s Guide 265 Chapter 14 Anti-Virus Update Now Click this button to begin downloading signatures from the Update Server immediately. Auto Update Select the check box to configure a schedule for automatic signature updates. The Hourly, Daily and Weekly fields display when the check box is selected. The ZyWALL then a[...]

  • Page 266

    ZyWALL 5/35/70 Series User’s Guide Chapter 15 Anti-Spam 266 CHAPTER 15 Anti-Spam This chapter covers how to use the ZyWALL’s anti-spam feature to deal with junk e-mail (spam). 15.1 Anti-Spam Overview The ZyWALL’s anti-spam feature identifies unsolicited commercial or junk e-mail (spam). You can set the ZyWALL to mark or disca[...]

  • Page 267

    ZyWALL 5/35/70 Series User’s Guide 267 Chapter 15 Anti-Spam 15.1.1.1 SpamBulk Engine The e-mail fingerprint ID that the ZyWALL generates and sends to the anti-spam external database only includes the parts of the e-mail that are the most difficult for spammers (senders of spam) to change or fake. The anti-spam external database maintains a [...]

  • Page 268

    ZyWALL 5/35/70 Series User’s Guide Chapter 15 Anti-Spam 268 15.1.1.4 SpamTricks Engine The SpamTricks engine checks for the tactics that spammers use to minimize the expense of sending lots of e-mail and tactics that they use to bypass spam filters. Use of relays, image-only e-mails, manipulation of mail formats and HTML obfuscation are com[...]

  • Page 269

    ZyWALL 5/35/70 Series User’s Guide 269 Chapter 15 Anti-Spam The anti-spam external database checks for spoofing of e-mail attributes (like the IP address) and uses statistical analysis to detect phishing. 15.1.4 Whitelist Configure whitelist entries to identify legitimate e-mail. The whitelist entries have the ZyWALL classify any e-mail tha[...]

  • Page 270

    ZyWALL 5/35/70 Series User’s Guide Chapter 15 Anti-Spam 270 15.1.7 MIME Headers MIME (Multipurpose Internet Mail Extensions) allows varied media types to be used in e-mail. MIME headers describe an e-mail’s content encoding and type. For example, it may show which program generated the e-mail and what type of text is used in the e-mail [...]

  • Page 271

    ZyWALL 5/35/70 Series User’s Guide 271 Chapter 15 Anti-Spam The following table describes the labels in this screen. 15.3 Anti-Spam External DB Screen Click SECURITY, ANTI-SPAM, External DB to display the Anti-Spam External DB screen. Use this screen to enable or disable the use of the anti-spam external database. You can also configure t[...]

  • Page 272

    ZyWALL 5/35/70 Series User’s Guide Chapter 15 Anti-Spam 272 Figure 126 Anti-Spam: External DB The following table describes the labels in this screen. Table 86 Anti-Spam: External DB LABEL DESCRIPTION External Database Enable External Database Enable the anti-spam external database feature to have the ZyWALL calculate a digest of an e-mail a[...]

  • Page 273

    ZyWALL 5/35/70 Series User’s Guide 273 Chapter 15 Anti-Spam 15.4 Anti-Spam Lists Screen Click SECURITY, ANTI-SPAM, Lists to display the Anti-Spam Lists screen. Configure the whitelist to identify legitimate e-mail. Configure the blacklist to identify spam e-mail. You can create whitelist or blacklist entries based on the sender’ [...]

  • Page 274

    ZyWALL 5/35/70 Series User’s Guide Chapter 15 Anti-Spam 274 Figure 127 Anti-Spam: Lists The following table describes the labels in this screen. Table 87 Anti-Spam: Lists LABEL DESCRIPTION Resource Usage Whitelist & Blacklist Storage Space in Use This bar displays the percentage of the ZyWALL’s anti-spam whitelist and blacklist stora[...]

  • Page 275

    ZyWALL 5/35/70 Series User’s Guide 275 Chapter 15 Anti-Spam 15.5 Anti-Spam Rule Edit Screen Click SECURITY, ANTI-SPAM, Lists to display the Anti-Spam Lists screen. To create a new anti-spam whitelist or blacklist entry, type the index number where you want to put the entry and click Insert to display the ANTI-SPAM Rule Edit screen. [...]

  • Page 276

    ZyWALL 5/35/70 Series User’s Guide Chapter 15 Anti-Spam 276 The following table describes the labels in this screen. Table 88 Anti-Spam Rule Edit LABEL DESCRIPTION Rule Edit Active Turn this entry on to have the ZyWALL use it as part of the whitelist or blacklist. You must also turn on the use of the corresponding list (in the Anti-Spam Cus[...]

  • Page 277

    ZyWALL 5/35/70 Series User’s Guide 277 Chapter 15 Anti-Spam Apply Click Apply to save your settings and exit this screen. Cancel Click Cancel to exit this screen without saving. Table 88 Anti-Spam Rule Edit LABEL DESCRIPTION[...]

  • Page 278

    ZyWALL 5/35/70 Series User’s Guide Chapter 16 Content Filtering Screens 278 CHAPTER 16 Content Filtering Screens This chapter provides an overview of content filtering. 16.1 Content Filtering Overview Content filtering allows you to block certain web features, such as Cookies, and/or restrict specific websites. With content filtering, you c[...]

  • Page 279

    ZyWALL 5/35/70 Series User’s Guide 279 Chapter 16 Content Filtering Screens Figure 129 Content Filter: General The following table describes the labels in this screen. Table 89 Content Filter: General LABEL DESCRIPTION General Setup Enable Content Filter Select this check box to enable the content filter. Restrict Web Features Select the c[...]

  • Page 280

    ZyWALL 5/35/70 Series User’s Guide Chapter 16 Content Filtering Screens 280 16.3 Content Filtering with an External Database When you register for and enable external database content filtering, your ZyWALL accesses an external database that has millions of web sites categorized based on content. You can have the ZyWALL block, block and/or [...]

  • Page 281

    ZyWALL 5/35/70 Series User’s Guide 281 Chapter 16 Content Filtering Screens Figure 130 Content Filtering Lookup Procedure 1 A computer behind the ZyWALL tries to access a web site. 2 The ZyWALL looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site’s category will be in the[...]

  • Page 282

    ZyWALL 5/35/70 Series User’s Guide Chapter 16 Content Filtering Screens 282 Figure 131 Content Filter: Categories The following table describes the labels in this screen. Table 90 Content Filter: Categories LABEL DESCRIPTION Auto Category Setup Enable External Database Content Filtering Enable external database content filtering to have the ZyW[...]

  • Page 283

    ZyWALL 5/35/70 Series User’s Guide 283 Chapter 16 Content Filtering Screens Unrated Web Pages Select Block to prevent users from accessing web pages that the external database content filtering has not categorized. When the external database content filtering blocks access to a web page, it displays the denied access message that you config[...]

  • Page 284

    ZyWALL 5/35/70 Series User’s Guide Chapter 16 Content Filtering Screens 284 Alcohol/Tobacco Selecting this category excludes pages that promote or offer the sale of alcohol/tobacco products, or provide the means to create them. It also includes pages that glorify, tout, or otherwise encourage the consumption of alcohol/tobacco. It does not incl[...]

  • Page 285

    ZyWALL 5/35/70 Series User’s Guide 285 Chapter 16 Content Filtering Screens Education Selecting this category excludes pages that offer educational information, distance learning and trade school information or programs. It also includes pages that are sponsored by schools, educational facilities, faculty, or alumni groups. Cultural Instit[...]

  • Page 286

    ZyWALL 5/35/70 Series User’s Guide Chapter 16 Content Filtering Screens 286 News/Media Selecting this category excludes pages that primarily report information or comments on current events or contemporary issues of the day. It also includes radio stations and magazines. It does not include pages that can be rated in other categories. Persona[...]

  • Page 287

    ZyWALL 5/35/70 Series User’s Guide 287 Chapter 16 Content Filtering Screens Humor/Jokes Selecting this category excludes pages that primarily focus on comedy, jokes, fun, etc. This may include pages containing jokes of adult or mature nature. Pages containing humorous Adult/Mature content also have an Adult/Mature category rating. Streami[...]

  • Page 288

    ZyWALL 5/35/70 Series User’s Guide Chapter 16 Content Filtering Screens 288 16.5 Content Filter Customization Click SECURITY, CONTENT FILTER, then the Customization tab to display the CONTENT FILTER Customization screen. You can create a list of good (allowed) web site addresses and a list of bad (blocked) web site addresses. You can also [...]

  • Page 289

    ZyWALL 5/35/70 Series User’s Guide 289 Chapter 16 Content Filtering Screens The following table describes the labels in this screen. Table 91 Content Filter: Customization LABEL DESCRIPTION Web Site List Customization Enable Web site customization Select this check box to allow trusted web sites and block forbidden web sites. Content filter list[...]

  • Page 290

    ZyWALL 5/35/70 Series User’s Guide Chapter 16 Content Filtering Screens 290 16.6 Customizing Keyword Blocking URL Checking You can use commands to set how much of a website’s URL the content filter is to check for keyword blocking. See the appendices for information on how to access and use the command interpreter. 16.6.1 Domain Name or IP[...]

  • Page 291

    ZyWALL 5/35/70 Series User’s Guide 291 Chapter 16 Content Filtering Screens Use the ip urlfilter customize actionFlags 8 [disable | enable] command to extend (or not extend) the keyword blocking search to include the URL's complete filename. 16.7 Content Filtering Cache Click SECURITY, CONTENT FILTER, then the Cache tab to display the [...]

  • Page 292

    ZyWALL 5/35/70 Series User’s Guide Chapter 16 Content Filtering Screens 292 The following table describes the labels in this screen. Table 92 Content Filter: Cache LABEL DESCRIPTION URL Cache Setup Maximum TTL Type the maximum time to live (TTL) (1 to 720 hours). This sets how long the ZyWALL is to allow an entry to remain in the URL cache befo[...]

  • Page 293

    ZyWALL 5/35/70 Series User’s Guide 293 Chapter 16 Content Filtering Screens[...]

  • Page 294

    ZyWALL 5/35/70 Series User’s Guide Chapter 17 Content Filtering Reports 294 CHAPTER 17 Content Filtering Reports This chapter describes how to view content filtering reports after you have activated the category-based content filtering subscription service. See Chapter 4 on page 104 on how to create a myZyXEL.com account, register your device[...]

  • Page 295

    ZyWALL 5/35/70 Series User’s Guide 295 Chapter 17 Content Filtering Reports Figure 134 myZyXEL.com: Login 3 A welcome screen displays. Click your ZyWALL’s model name and/or MAC address under Registered ZyXEL Products. You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure [...]

  • Page 296

    ZyWALL 5/35/70 Series User’s Guide Chapter 17 Content Filtering Reports 296 Figure 136 myZyXEL.com: Service Management 5 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 136 on page 296). Type your myZyXEL.com account password in the Passwo[...]

  • Page 297

    ZyWALL 5/35/70 Series User’s Guide 297 Chapter 17 Content Filtering Reports Figure 138 Content Filtering Reports Main Screen 8 Select items under Global Reports or Single User Reports to view the corresponding reports. Figure 139 Blue Coat: Report Home 9 Select a time period in the Date Range field, either Allowed or Blocked in the Action Tak [...]

  • Page 298

    ZyWALL 5/35/70 Series User’s Guide Chapter 17 Content Filtering Reports 298 Figure 140 Global Report Screen Example 11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.[...]

  • Page 299

    ZyWALL 5/35/70 Series User’s Guide 299 Chapter 17 Content Filtering Reports Figure 141 Requested URLs Example 17.3 Web Site Submission You may find that a web site has not been accurately categorized or that a web site’s contents have changed and the content filtering category needs to be updated. Use the following procedure to submit the[...]

  • Page 300

    ZyWALL 5/35/70 Series User’s Guide Chapter 17 Content Filtering Reports 300 Figure 142 Web Page Review Process Screen 3 Type the web site’s URL in the field and click Submit to have the web site reviewed.[...]

  • Page 301

    ZyWALL 5/35/70 Series User’s Guide 301 Chapter 17 Content Filtering Reports[...]

  • Page 302

    ZyWALL 5/35/70 Series User’s Guide Chapter 18 Introduction to IPSec 302 CHAPTER 18 Introduction to IPSec This chapter introduces the basics of IPSec VPNs. 18.1 VPN Overview A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling,[...]

  • Page 303

    ZyWALL 5/35/70 Series User’s Guide 303 Chapter 18 Introduction to IPSec Figure 143 Encryption and Decryption 18.1.3.2 Data Confidentiality The IPSec sender can encrypt packets before transmitting them across a network. 18.1.3.3 Data Integrity The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not bee[...]

  • Page 304

    ZyWALL 5/35/70 Series User’s Guide Chapter 18 Introduction to IPSec 304 18.2 IPSec Architecture The overall IPSec architecture is shown as follows. Figure 144 IPSec Architecture 18.2.1 IPSec Algorithms The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats a[...]

  • Page 305

    ZyWALL 5/35/70 Series User’s Guide 305 Chapter 18 Introduction to IPSec Figure 145 Transport and Tunnel Mode IPSec Encapsulation 18.3.1 Transport Mode Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP [...]

  • Page 306

    ZyWALL 5/35/70 Series User’s Guide Chapter 18 Introduction to IPSec 306 NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet. When using AH protocol, packet contents [...]

  • Page 307

    ZyWALL 5/35/70 Series User’s Guide 307 Chapter 18 Introduction to IPSec[...]

  • Page 308

    ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 308 CHAPTER 19 VPN Screens This chapter introduces the VPN Web Configurator. See Chapter 30 on page 472 for information on viewing logs and Appendix S on page 774 for IPSec log descriptions. 19.1 VPN/IPSec Overview Use the screens documented in this chapter to configure rules for VPN co[...]

  • Page 309

    ZyWALL 5/35/70 Series User’s Guide 309 Chapter 19 VPN Screens 19.3 My ZyWALL My ZyWALL identifies the WAN IP address or domain name of the ZyWALL (if it has one) or leave the field set to 0.0.0.0 when the ZyWALL is in router mode. This field displays the ZyWALL’s IP address when the ZyWALL is in bridge mode. The ZyWALL has to rebuild[...]

  • Page 310

    ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 310 If the remote secure gateway has a static WAN IP address, enter it in the Remote Gateway Address field. You may alternatively enter the remote secure gateway’s domain name (if it has one). You can also enter a remote secure gateway’s domain name in the Remote Gateway Address [...]

  • Page 311

    ZyWALL 5/35/70 Series User’s Guide 311 Chapter 19 VPN Screens Figure 146 NAT Router Between IPSec Routers Normally you cannot set up a VPN connection with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet. In the previous figure, IPSec router A sends an IPSec packet in an attempt to ini[...]

  • Page 312

    ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 312 between three encryption algorithms (DES, 3DES and AES), two authentication algorithms (MD5 and SHA1) and two key groups (DH1 and DH2) when you configure a VPN rule (see Section 19.12 on page 324). The ID type and content act as an extra level of identification for incoming SAs. [...]

  • Page 313

    ZyWALL 5/35/70 Series User’s Guide 313 Chapter 19 VPN Screens The two ZyWALLs in this example cannot complete their negotiation because ZyWALL B’s Local ID type is IP, but ZyWALL A’s Peer ID type is set to E-mail. An ID mismatched message displays in the IPSec log. 19.8 IKE Phases There are two phases to every IKE (Internet Key Excha[...]

  • Page 314

    ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 314 • Choose an authentication algorithm. • Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2). • Set the IKE SA lifetime. This field allows you to determine how long an IKE SA should stay up before it times out. An IKE SA times out when the IKE SA lifetime[...]

  • Page 315

    ZyWALL 5/35/70 Series User’s Guide 315 Chapter 19 VPN Screens 19.8.3 Diffie-Hellman (DH) Key Groups Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. 768-bit (Group 1 -[...]

  • Page 316

    ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 316 19.10 VPN Rules (IKE) Click VPN to display the VPN Rules (IKE) screen. This is a read-only menu of your IPSec rule (tunnel). To add an IPSec rule (or gateway policy), click the add gateway policy ( ) icon. Edit an IPSec rule by clicking the edit ( ) icon to configure the associated[...]

  • Page 317

    ZyWALL 5/35/70 Series User’s Guide 317 Chapter 19 VPN Screens Figure 149 Gateway and Network Policies This figure helps explain the main fields in the VPN setup. Figure 150 IPSec Fields Summary Note: Local and remote network IP addresses must be static. The following table describes the icons used in the VPN screens. Table 100 VPN screen Icons [...]

  • Page 318

    ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 318 Note: The Recycle Bin gateway policy is a virtual placeholder for any network policy(ies) without an associated gateway policy. When there is a network policy in the Recycle Bin, the Recycle Bin gateway policy automatically displays in this screen. See Section 19.13 on page 328 f[...]

  • Page 319

    ZyWALL 5/35/70 Series User’s Guide 319 Chapter 19 VPN Screens Figure 151 VPN Rules (IKE): Gateway Policy: Edit[...]

  • Page 320

    ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 320 The following table describes the labels in this screen. Table 101 VPN Rules (IKE): Gateway Policy: Edit LABEL DESCRIPTION Property Name Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces[...]

  • Page 321

    ZyWALL 5/35/70 Series User’s Guide 321 Chapter 19 VPN Screens Remote Gateway Address Type the WAN IP address or the domain name (up to 31 characters) of the IPSec router with which you're making the VPN connection. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address. In order to have more than one active rule[...]

  • Page 322

    ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 322 Peer ID Type Select from the following when you set Authentication Key to Pre-shared Key. • Select IP to identify the remote IPSec router by its IP address. • Select DNS to identify the remote IPSec router by a domain name. • Select E-mail to identify the remote I[...]

  • Page 323

    ZyWALL 5/35/70 Series User’s Guide 323 Chapter 19 VPN Screens Server Mode Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection. You must also configure the extended authentication clients’ usernames and passwords in the authentication server’s local user database or a RADIUS [...]

  • Page 324

    ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 324 19.12 VPN Rules (IKE): Network Policy Edit Click VPN and the add network policy ( ) icon in the VPN Rules (IKE) screen to display the VPN-Network Policy-Edit screen. Use this screen to configure a network policy. Enable Multiple Proposals Select this check box to allow the ZyWALL to[...]

  • Page 325

    ZyWALL 5/35/70 Series User’s Guide 325 Chapter 19 VPN Screens Figure 152 VPN Rules (IKE): Network Policy Edit[...]

  • Page 326

    ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 326 The following table describes the labels in this screen. Table 102 VPN Rules (IKE): Network Policy Edit LABEL DESCRIPTION Active If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel. Clear the Active check box to turn the network policy of[...]

  • Page 327

    ZyWALL 5/35/70 Series User’s Guide 327 Chapter 19 VPN Screens Starting IP Address When the Address Type field is configured to Single Address, enter a (static) IP address on the LAN behind your ZyWALL. When the Address Type field is configured to Range Address, enter the beginning (static) IP address, in a range of computers on the LAN b[...]

  • Page 328

    ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 328 19.13 VPN Rules (IKE): Network Policy Move Click the move ( ) icon in the VPN Rules (IKE) screen to display the VPN Rules (IKE): Network Policy Move screen. Use this screen to associate a network policy to a gateway rule. Authentication Algorithm MD5 (Message Digest 5) and SHA1 (Secu[...]

  • Page 329

    ZyWALL 5/35/70 Series User’s Guide 329 Chapter 19 VPN Screens Figure 153 VPN Rules (IKE): Network Policy Move The following table describes the labels in this screen. 19.14 VPN Rules (Manual) Refer to Figure 150 on page 317 for a graphical representation of the fields in the web configurator. Click VPN and the VPN Rules (Manual) tab to open th[...]

  • Page 330

    ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 330 You may want to configure a VPN rule that uses manual key management if you are having problems with IKE key management. Refer to Table 100 on page 317 for descriptions of the icons used in this screen. Figure 154 VPN Rules (Manual) The following table describes the labels in this[...]

  • Page 331

    ZyWALL 5/35/70 Series User’s Guide 331 Chapter 19 VPN Screens 19.15 VPN Rules (Manual): Edit Manual key management is useful if you have problems with IKE key management. 19.15.1 Security Parameter Index (SPI) An SPI is used to distinguish different SAs terminating at the same destination and using the same IPSec protocol. This data allows[...]

  • Page 332

    ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 332 Figure 155 VPN Rules (Manual): Edit The following table describes the labels in this screen. Table 105 VPN Rules (Manual) Edit LABEL DESCRIPTION Property Active Select this check box to activate this VPN policy. Name Type up to 32 characters to identify this VPN policy. You may us[...]

  • Page 333

    ZyWALL 5/35/70 Series User’s Guide 333 Chapter 19 VPN Screens Local Network Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not bot[...]

  • Page 334

    ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 334 My ZyWALL When the ZyWALL is in router mode, enter the WAN IP address or the domain name of your ZyWALL or leave the field set to 0.0.0.0. For a ZyWALL with multiple WAN ports, the following applies if the My ZyWALL field is configured as 0.0.0.0: • When the WAN port operatio[...]

  • Page 335

    ZyWALL 5/35/70 Series User’s Guide 335 Chapter 19 VPN Screens 19.16 VPN SA Monitor In the web configurator, click VPN and the SA Monitor tab. Use this screen to display and manage active VPN connections. A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This screen displays active VPN connections. [...]

  • Page 336

    ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 336 19.17 VPN Global Setting Click VPN, then the Global Setting tab to open the VPN Global Setting screen. Use this screen to change your ZyWALL’s global settings. Figure 157 VPN: Global Setting The following table describes the labels in this screen. IPSec Algorithm This field disp[...]

  • Page 337

    ZyWALL 5/35/70 Series User’s Guide 337 Chapter 19 VPN Screens 19.18 Telecommuter VPN/IPSec Examples The following examples show how multiple telecommuters can make VPN connections to a single ZyWALL at headquarters. The telecommuters use IPSec routers with dynamic WAN IP addresses. The ZyWALL at headquarters has a static public IP address. 1[...]

  • Page 338

    ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 338 Figure 158 Telecommuters Sharing One VPN Rule Example 19.18.2 Telecommuters Using Unique VPN Rules Example In this example the telecommuters (A, B and C in the figure) use IPSec routers with domain names that are mapped to their dynamic WAN IP addresses (use Dynamic DNS to do this)[...]

  • Page 339

    ZyWALL 5/35/70 Series User’s Guide 339 Chapter 19 VPN Screens Figure 159 Telecommuters Using Unique VPN Rules Example Table 109 Telecommuters Using Unique VPN Rules Example TELECOMMUTERS HEADQUARTERS All Telecommuter Rules: All Headquarters Rules: My ZyWALL 0.0.0.0 My ZyWALL: bigcompanyhq.com Remote Gateway Address: bigcompanyhq.com Loca[...]

  • Page 340

    ZyWALL 5/35/70 Series User’s Guide Chapter 19 VPN Screens 340 19.19 VPN and Remote Management If a VPN tunnel uses Telnet, FTP, WWW, SNMP, DNS or ICMP, then you should configure remote management (REMOTE MGMT) to allow access for that service. Local IP Address: 192.168.4.15 Remote Gateway Address: telecommuterc.dydns.org Remote Address 1[...]

  • Page 341

    ZyWALL 5/35/70 Series User’s Guide 341 Chapter 19 VPN Screens[...]

  • Page 342

    ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 342 CHAPTER 20 Certificates This chapter gives background information about public-key certificates and explains how to use them. 20.1 Certificates Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key p[...]

  • Page 343

    ZyWALL 5/35/70 Series User’s Guide 343 Chapter 20 Certificates Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyWALL can check a peer’s certificate aga[...]

  • Page 344

    ZyWALL 5/35/70 Series User’s Guide Chapter 20 Certificates 344 20.4 My Certificates Click SECURITY, CERTIFICATES, My Certificates to open the My Certificates screen. This is the ZyWALL’s summary list of certificates and certification requests. Certificates display in black and certification requests display in gray. Figure 161 My Certi[...]

  • Page 345

    ZyWALL 5/35/70 Series User’s Guide 345 Chapter 20 Certificates Type This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the ce[...]

  • Page 346

    20.5 My Certificate Import Click SECURITY, CERTIFICATES, My Certificates and then Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the ZyWALL. Note: You can only import a certificate that matches a corres[...]

  • Page 347

    Figure 162 My Certificate Import The following table describes the labels in this screen. 20.6 My Certificate Create Click SECURITY, CERTIFICATES, My Certificates and then Create to open the My Certificate Create screen. Use this screen to have the ZyWALL create a self-signed [...]

  • Page 348

    Figure 163 My Certificate Create The following table describes the labels in this screen. Table 112 My Certificate Create LABEL DESCRIPTION Certificate Name Type up to 31 ASCII characters (not including spaces) to identify this certificate. Subject Information Use these fields[...]

  • Page 349

    Country Type up to 127 characters to identify the nation where the certificate owner is located. You may use any character, including spaces, but the ZyWALL drops trailing spaces. Key Length Select a number from the drop-down list box to determine how many bits the key should u[...]

  • Page 350

    After you click Apply in the My Certificate Create screen, you see a screen that tells you the ZyWALL is generating the self-signed certificate or certification request. After the ZyWALL successfully enrolls a certificate or generates a certification request or a self-signed cert[...]

  • Page 351

    Figure 164 My Certificate Details[...]

  • Page 352

    The following table describes the labels in this screen. Table 113 My Certificate Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You may use any chara[...]

  • Page 353

    20.8 Trusted CAs Click SECURITY, CERTIFICATES, Trusted CAs to open the Trusted CAs screen. This screen displays a summary list of certificates of the certification authorities that you have set the ZyWALL to accept as trusted. The ZyWALL accepts any valid certifi[...]

  • Page 354

    Figure 165 Trusted CAs The following table describes the labels in this screen. Table 114 Trusted CAs LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. The bar turns from green to red when t[...]

  • Page 355

    20.9 Trusted CA Import Click SECURITY, CERTIFICATES, Trusted CAs to open the Trusted CAs screen and then click Import to open the Trusted CA Import screen. Follow the instructions in this screen to save a trusted certification authority’s certificate to the ZyW[...]

  • Page 356

    The following table describes the labels in this screen. 20.10 Trusted CA Details Click SECURITY, CERTIFICATES, Trusted CAs to open the Trusted CAs screen. Click the details icon to open the Trusted CA Details screen. Use this screen to view in-depth information[...]

  • Page 357

    Figure 167 Trusted CA Details The following table describes the labels in this screen. Table 116 Trusted CA Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key ce[...]

  • Page 358

    Certification Path Click the Refresh button to have this read-only text box display the end entity’s certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity’s certificate. If the issuing [...]

  • Page 359

    20.11 Trusted Remote Hosts Click SECURITY, CERTIFICATES, Trusted Remote Hosts to open the Trusted Remote Hosts screen. This screen displays a list of the certificates of peers that you trust but which are not signed by one of the certification authorities on the Trusted[...]

  • Page 360

    Figure 168 Trusted Remote Hosts The following table describes the labels in this screen. Table 117 Trusted Remote Hosts LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. The bar turns from g[...]

  • Page 361

    20.12 Verifying a Trusted Remote Host’s Certificate Certificates issued by certification authorities have the certification authority’s signature for you to check. Self-signed certificates only have the signature of the host itself. This means that you must be very careful[...]

  • Page 362

    Figure 170 Certificate Details Verify (over the phone for example) that the remote host has the same information in the Thumbprint Algorithm and Thumbprint fields. 20.13 Trusted Remote Hosts Import Click SECURITY, CERTIFICATES, Trusted Remote Hosts to open the Trusted Remot[...]

  • Page 363

    Figure 171 Trusted Remote Host Import The following table describes the labels in this screen. 20.14 Trusted Remote Host Certificate Details Click SECURITY, CERTIFICATES, Trusted Remote Hosts to open the Trusted Remote Hosts screen. Click the details icon to open the Trusted[...]

  • Page 364

    Figure 172 Trusted Remote Host Details The following table describes the labels in this screen. Table 119 Trusted Remote Host Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to id [...]

  • Page 365

    Certificate Information These read-only fields display detailed information about the certificate. Type This field displays general information about the certificate. With trusted remote host certificates, this field always displays CA-signed. The ZyWALL is the Certification [...]

  • Page 366

    20.15 Directory Servers Click SECURITY, CERTIFICATES, Directory Servers to open the Directory Servers screen. This screen displays a summary list of directory servers (that contain lists of valid and revoked certificates) that have been saved into the ZyWALL. If you decide to [...]

  • Page 367

    The following table describes the labels in this screen. 20.16 Directory Server Add or Edit Click SECURITY, CERTIFICATES, Directory Servers to open the Directory Servers screen. Click Add (or the details icon) to open the Directory Server Add screen. Use this screen to configure [...]

  • Page 368

    The following table describes the labels in this screen. Table 121 Directory Server Add LABEL DESCRIPTION Directory Service Setting Name Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server. Access Protocol Use the drop-down list box to selec[...]

  • Page 369

    ZyWALL 5/35/70 Series User’s Guide 369 Chapter 20 Certificates[...]

  • Page 370

    CHAPTER 21 Authentication Server This chapter discusses how to configure the ZyWALL’s authentication server feature. 21.1 Authentication Server Overview A ZyWALL set to be a VPN extended authentication server can use either the local user database internal to the Zy[...]

  • Page 371

    Figure 175 Local User Database[...]

  • Page 372

    The following table describes the labels in this screen. 21.3 RADIUS Use RADIUS to authenticate users using an external server. Click SECURITY, AUTH SERVER, then the RADIUS tab to open the RADIUS screen. Use this screen to set up your ZyWALL’s RADIUS server settin[...]

  • Page 373

    The following table describes the labels in this screen. Table 123 RADIUS LABEL DESCRIPTION Authentication Server Active Select the check box to enable user authentication through an external authentication server. Clear the check box to enable user authentication using[...]

  • Page 374

    CHAPTER 22 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 22.1 NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the sourc[...]

  • Page 375

    22.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, [...]

  • Page 376

    Figure 177 How NAT Works 22.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the[...]

  • Page 377

    22.1.5 Port Restricted Cone NAT At the time of writing ZyWALL ZyNOS version 4.00 uses port restricted cone NAT. Port restricted cone NAT maps all outgoing packets from an internal IP address and port to a single IP address and port on the external network.[...]

  • Page 378

    • Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world although, it is highly recommended that you use the DMZ port for these servers instead. Note: Port numbers do not change for O[...]

  • Page 379

    22.3 NAT Overview Click ADVANCED, NAT to open the NAT Overview screen. Not all fields are available on all models. Figure 180 NAT Overview The following table describes the labels in this screen. Table 126 NAT Overview LABEL DESCRIPTION Global Settings M[...]

  • Page 380

    22.4 NAT Address Mapping Ordering your rules is important because the ZyWALL applies the rules in the order that you specify. When a rule matches the current packet, the ZyWALL takes the corresponding action and the remaining rules are ignored. If there are[...]

  • Page 381

    Figure 181 NAT Address Mapping The following table describes the labels in this screen. Table 127 NAT Address Mapping LABEL DESCRIPTION SUA Address Mapping Rules This read-only table displays the default address mapping rules. Full Feature Address Mapping Ru[...]

  • Page 382

    22.4.1 NAT Address Mapping Edit Click the Edit button to display the NAT Address Mapping Edit screen. Use this screen to edit an address mapping rule. Figure 182 NAT Address Mapping Edit Global Start IP This refers to the Inside Global IP Address (IGA), that [...]

  • Page 383

    The following table describes the labels in this screen. 22.5 Port Forwarding A port forwarding set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though NAT makes your whole [...]

  • Page 384

    22.5.1 Default Server IP Address In addition to the servers for specified services, NAT supports a default server IP address. A default server receives packets from ports that are not specified in this screen. Note: If you do not assign a Default Server IP addr[...]

  • Page 385

    Figure 183 Multiple Servers Behind NAT Example 22.5.4 NAT and Multiple WAN The ZyWALL has two WAN ports. You can configure port forwarding and trigger port rule sets for the first WAN port and separate sets of rules for the second WAN port. 22.5.5 Port T[...]

  • Page 386

    Figure 184 Port Translation Example 22.6 Port Forwarding Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. Click ADVANCED, NAT and Port[...]

  • Page 387

    Figure 185 Port Forwarding The following table describes the labels in this screen. Table 130 Port Forwarding LABEL DESCRIPTION WAN Interface Select the WAN port for which you want to view or configure address mapping rules. Default Server In addition to the[...]

  • Page 388

    22.7 Port Triggering Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in from the server on the WAN) t[...]

  • Page 389

    4 The ZyWALL forwards the traffic to Jane’s computer IP address. 5 Only Jane can connect to the Real Audio server until the connection is closed or times out. The ZyWALL times out in three minutes with UDP (User Datagram Protocol) or two hours with TCP/IP ([...]

  • Page 390

    Trigger The trigger port is a port (or a range of ports) that causes (or triggers) the ZyWALL to record the IP address of the LAN computer that sent the traffic to a server on the WAN. Start Port Type a port number or the starting port number in a[...]

  • Page 391

    ZyWALL 5/35/70 Series User’s Guide 391 Chapter 22 Network Address Translation (NAT)[...]

  • Page 392

    CHAPTER 23 Static Route This chapter shows you how to configure static routes for your ZyWALL. 23.1 IP Static Route Each remote node specifies only the network to which the gateway is directly connected, and the ZyWALL has no knowledge of the networks beyond. For instance,[...]

  • Page 393

    Note: The default route is disabled after you change the static WAN IP address to a dynamic WAN IP address. Figure 189 IP Static Route The following table describes the labels in this screen. Table 132 IP Static Route LABEL DESCRIPTION # This is the number of an individual stat[...]

  • Page 394

    23.2.1 IP Static Route Edit Select a static route index number and click Edit. The screen shown next appears. Use this screen to configure the required information for a static route. Figure 190 IP Static Route Edit The following table describes the labels in this screen. Active [...]

  • Page 395

    Gateway IP Address Enter the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations. Metric Metric represents the “cost” of transmission for routin[...]

  • Page 396

    CHAPTER 24 Policy Route This chapter covers setting and applying policies used for IP routing. This chapter applies to the ZyWALL 35 and ZyWALL 70. 24.1 Policy Route Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forwar[...]

  • Page 397

    IPPR follows the existing packet filtering facility of RAS in style and in implementation. 24.4 IP Routing Policy Setup Click ADVANCED, POLICY ROUTE to open the Policy Route Summary screen (some of the screen’s blank rows are not shown). Figure 191 Policy Route Summary[...]

  • Page 398

    The following table describes the labels in this screen. 24.5 Policy Route Edit Click POLICY ROUTE to open the Policy Route Summary screen. Then click the edit icon to open the Edit IP Policy Route screen. Table 134 Policy Route Summary LABEL DESCRIPTION # This is the number of [...]

  • Page 399

    Figure 192 Edit IP Policy Route The following table describes the labels in this screen. Table 135 Edit IP Policy Route LABEL DESCRIPTION Criteria Active Select the check box to activate the policy. Rule Index This is the index number of the policy route. IP Protocol Select Predefin[...]

  • Page 400

    Packet Length Type a length of packet (in bytes). The operators in the Len Compare field apply to incoming packets of this length. Length Comparison Choose from Equal, Not Equal, Less, Greater, Less or Equal or Greater or Equal. Source Interface Use the check box to select LAN [...]

  • Page 401

    ZyWALL 5/35/70 Series User’s Guide 401 Chapter 24 Policy Route[...]

  • Page 402

    CHAPTER 25 Bandwidth Management This chapter describes the functions and configuration of bandwidth management with multiple levels of sub-classes. 25.1 Bandwidth Management Overview Bandwidth management allows you to allocate an interface’s outgoing capacity to specif[...]

  • Page 403

    25.3 Proportional Bandwidth Allocation Bandwidth management allows you to define how much bandwidth each class gets; however, the actual bandwidth allotted to each class decreases or increases in proportion to actual available bandwidth. 25.4 Application-based Bandwid [...]

  • Page 404

    25.6 Application and Subnet-based Bandwidth Management You could also create bandwidth classes based on a combination of a subnet and an application. The following example table shows bandwidth allocations for application specific traffic from separate LAN subnets. 25.7 S[...]

  • Page 405

    When you enable maximize bandwidth usage, the ZyWALL first makes sure that each bandwidth class gets up to its bandwidth allotment. Next, the ZyWALL divides up an interface’s available bandwidth (bandwidth that is unbudgeted or unused by the classes) depending on how[...]

  • Page 406

    25.7.5.1 Priority-based Allotment of Unused and Unbudgeted Bandwidth The following table shows the priorities of the bandwidth classes and the amount of bandwidth that each class gets. Suppose that all of the classes except for the administration class need more bandwidth. ?[...]

  • Page 407

    25.8 Bandwidth Borrowing Bandwidth borrowing allows a sub-class to borrow unused bandwidth from its parent class, whereas maximize bandwidth usage allows bandwidth classes to borrow any unused or unbudgeted bandwidth on the whole interface. Enable bandwidth borrowing on a [...]

  • Page 408

    • The Bill class cannot borrow unused bandwidth from the Root class because the Sales class has bandwidth borrowing disabled. • The Amy class cannot borrow unused bandwidth from the Sales USA class because the Amy class has bandwidth borrowing disabled. • The Resea[...]

  • Page 409

    Figure 194 Bandwidth Management: Summary The following table describes the labels in this screen. Table 141 Bandwidth Management: Summary LABEL DESCRIPTION Class These read-only labels represent the physical interfaces. Select an interface’s check box to enable bandwi[...]

  • Page 410

    25.11 Configuring Class Setup The Class Setup screen displays the configured bandwidth classes by individual interface. Select an interface and click the buttons to perform the actions described next. Click “+” to expand the class tree or click “-” to collapse th [...]

  • Page 411

    25.11.1 Bandwidth Manager Class Configuration Configure a bandwidth management class in the Class Setup screen. You must use the Summary screen to enable bandwidth management on an interface before you can configure classes for that interface. To add a child class, cli[...]

  • Page 412

    Figure 196 Bandwidth Management: Edit Class The following table describes the labels in this screen. Table 143 Bandwidth Management: Edit Class LABEL DESCRIPTION Class Configuration Class Name Use the auto-generated name or enter a descriptive name of up to 20 alphanumeric ch[...]

  • Page 413

    Enable Bandwidth Filter Select Enable Bandwidth Filter to have the ZyWALL use this bandwidth filter when it performs bandwidth management. You must enter a value in at least one of the following fields (other than the Subnet Mask fields which are only available when you e[...]

  • Page 414

    25.11.2 Bandwidth Management Statistics Use the Bandwidth Management Statistics screen to view network performance information. Click the Statistics button in the Class Setup screen to open the Statistics screen. Apply Click Apply to save your changes back to the [...]

  • Page 415

    Figure 197 Bandwidth Management: Statistics The following table describes the labels in this screen. 25.12 Configuring Monitor To view the device’s bandwidth usage and allotments, click ADVANCED, BW MGMT, then the Monitor tab. The screen appears as shown. Table 145 [...]

  • Page 416

    Figure 198 Bandwidth Management: Monitor The following table describes the labels in this screen. Table 146 Bandwidth Management: Monitor LABEL DESCRIPTION Interface Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes. Class [...]

  • Page 417

    ZyWALL 5/35/70 Series User’s Guide 417 Chapter 25 Bandwidth Management[...]

  • Page 418

    CHAPTER 26 DNS This chapter shows you how to configure the DNS screens. 26.1 DNS Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine[...]

  • Page 419

    26.4 Address Record An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host,[...]

  • Page 420

    Figure 199 Private DNS Server Example Note: If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network. 26.6 System Screen To configure your ZyWALL’s DNS address and name server record[...]

  • Page 421

    Figure 200 System DNS The following table describes the labels in this screen. Table 147 System DNS LABEL DESCRIPTION Address Record An address record specifies the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the t[...]

  • Page 422

    26.6.1 Adding an Address Record Click Add in the System screen to add an address record. Figure 201 System DNS: Add Address Record Name Server Record A name server record contains a DNS server’s IP address. The ZyWALL can query the DNS server to resolve domain names for features like VPN,[...]

  • Page 423

    The following table describes the labels in this screen. 26.6.2 Inserting a Name Server record Click Insert in the System screen to insert a name server record. Figure 202 System DNS: Insert Name Server Record Table 148 System DNS: Add Address Record LABEL DESCRIPTION FQDN Type a fully quali[...]

  • Page 424

    The following table describes the labels in this screen. 26.7 DNS Cache DNS cache is the temporary storage area where a router stores responses from DNS servers. When the ZyWALL receives a positive or negative response for a DNS query, it records the response in the DNS cache. A positive r[...]

  • Page 425

    26.8 Configure DNS Cache To configure your ZyWALL’s DNS caching, click ADVANCED, DNS, then the Cache tab. The screen appears as shown. Figure 203 DNS Cache The following table describes the labels in this screen. Table 150 DNS Cache LABEL DESCRIPTION DNS Cache Setup Cache Positive DNS[...]

  • Page 426

    26.9 Configuring DNS DHCP Click ADVANCED, DNS and then the DHCP tab to open the DNS DHCP screen shown next. Use this screen to configure the DNS server information that the ZyWALL sends to its LAN, DMZ or WLAN DHCP clients. DNS Cache Entry Flush Click this button to clear the cache manu[...]

  • Page 427

    Figure 204 DNS DHCP The following table describes the labels in this screen. Table 151 DNS DHCP LABEL DESCRIPTION DNS Servers Assigned by DHCP Server The ZyWALL passes a DNS (Domain Name System) server IP address to the DHCP clients. Selected Interface Select an interface from the drop-down [...]

  • Page 428

    26.10 Dynamic DNS Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance [...]

  • Page 429

    Figure 205 DDNS The following table describes the labels in this screen. Table 152 DDNS LABEL DESCRIPTION Account Setup Active Select this check box to use dynamic DNS. Service Provider This is the name of your Dynamic DNS service provider. Username Enter your user name. You can use up to 3[...]

  • Page 430

    WAN Interface Select the WAN port to use for updating the IP address of the domain name. IP Address Update Policy Select Use WAN IP Address to have the ZyWALL update the domain name with the WAN port's IP address. Select Use User-Defined and enter the IP address if you have a static[...]

  • Page 431

    ZyWALL 5/35/70 Series User’s Guide 431 Chapter 26 DNS[...]

  • Page 432

    CHAPTER 27 Remote Management This chapter provides information on the Remote Management screens. 27.1 Remote Management Overview Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. Note: When you [...]

  • Page 433

    1 A filter in SMT menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service. 2 You have disabled that service in one of the remote management screens. 3 The IP address in the Secure Client IP Address field does not match the client IP address. I[...]

  • Page 434

    Figure 206 HTTPS Implementation Note: If you disable HTTP Server Access (Disable) in the REMOTE MGMT WWW screen, then the ZyWALL blocks all HTTP connection attempts. 27.3 WWW Click ADVANCED, REMOTE MGMT to open the WWW screen. Use this screen to change your ZyWALL’s [...]

  • Page 435

    Figure 207 WWW The following table describes the labels in this screen. Table 153 WWW LABEL DESCRIPTION HTTPS Server Certificate Select the Server Certificate that the ZyWALL will use to identify itself. The ZyWALL is the SSL server and must always authenticate itself to the [...]

  • Page 436

    27.4 HTTPS Example If you haven’t changed the default HTTPS port on the ZyWALL, then in your browser enter “https://ZyWALL IP Address/” as the web site address where “ZyWALL IP Address” is the IP address or domain name of the ZyWALL you wish to access. 27.4.1 Inte[...]

  • Page 437

    27.4.2 Netscape Navigator Warning Messages When you attempt to access the ZyWALL HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is fro[...]

  • Page 438

    ZyWALL 5/35/70 Series User’s Guide Chapter 27 Remote Management 438 27.4.3 Avoiding the Browser Warning Messages The following describes the main reasons that your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnings. • The issuing certificate authority of the ZyWALL ?[...]

  • Page 439

    ZyWALL 5/35/70 Series User’s Guide 439 Chapter 27 Remote Management Figure 211 Login Screen (Internet Explorer) Figure 212 Login Screen (Netscape) Click Login and you then see the next screen. The factory default certificate is a common default certificate for all ZyWALL models.[...]

  • Page 440

    ZyWALL 5/35/70 Series User’s Guide Chapter 27 Remote Management 440 Figure 213 Replace Certificate Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. Click CERTIFICATES to open the My Certificates screen. You will see information similar to that s[...]

  • Page 441

    ZyWALL 5/35/70 Series User’s Guide 441 Chapter 27 Remote Management Figure 215 Common ZyWALL Certificate 27.5 SSH Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an[...]

  • Page 442

    ZyWALL 5/35/70 Series User’s Guide Chapter 27 Remote Management 442 Figure 217 How SSH Works 1 Host Identification The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the s[...]

  • Page 443

    ZyWALL 5/35/70 Series User’s Guide 443 Chapter 27 Remote Management 27.7.1 Requirements for Using SSH You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the ZyWALL over SSH. 27.8 Configuring SSH Click ADVANCED, REMOTE MGMT and then the SSH tab to change your ZyWAL[...]

  • Page 444

    ZyWALL 5/35/70 Series User’s Guide Chapter 27 Remote Management 444 27.9 Secure Telnet Using SSH Examples This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the ZyWALL. The configuration and connection steps are similar for most SSH client programs. Refer to your SSH cli[...]

  • Page 445

    ZyWALL 5/35/70 Series User’s Guide 445 Chapter 27 Remote Management Figure 220 SSH Example 2: Test 2 Enter “ssh -1 192.168.1.1”. This command forces your computer to connect to the ZyWALL using SSH version 1. If this is the first time you are connecting to the ZyWALL using SSH, a message displays prompting you to save the host inform[...]

  • Page 446

    ZyWALL 5/35/70 Series User’s Guide Chapter 27 Remote Management 446 Figure 222 Secure FTP: Firmware Upload Example 27.11 Telnet You can configure your ZyWALL for remote Telnet access as shown next. Figure 223 Telnet Configuration on a TCP/IP Network 27.12 Configuring TELNET Click ADVANCED, REMOTE MGMT and then the TELNET tab to configu[...]

  • Page 447

    ZyWALL 5/35/70 Series User’s Guide 447 Chapter 27 Remote Management Figure 224 Telnet The following table describes the labels in this screen. 27.13 FTP You can upload and download the ZyWALL’s firmware and configuration files using FTP; please see the chapter on firmware and configuration file maintenance for details. To use this [...]

  • Page 448

    ZyWALL 5/35/70 Series User’s Guide Chapter 27 Remote Management 448 Figure 225 FTP The following table describes the labels in this screen. 27.14 SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyWALL supports SNMP ag[...]

  • Page 449

    ZyWALL 5/35/70 Series User’s Guide 449 Chapter 27 Remote Management Figure 226 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the[...]

  • Page 450

    ZyWALL 5/35/70 Series User’s Guide Chapter 27 Remote Management 450 27.14.1 Supported MIBs The ZyWALL supports MIB II that is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. 27.14.2 SNMP Traps The ZyWALL will send traps to the SNMP manager when [...]

  • Page 451

    ZyWALL 5/35/70 Series User’s Guide 451 Chapter 27 Remote Management Figure 227 SNMP The following table describes the labels in this screen. Table 158 SNMP LABEL DESCRIPTION SNMP Configuration Get Community Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is publi[...]

  • Page 452

    ZyWALL 5/35/70 Series User’s Guide Chapter 27 Remote Management 452 27.15 DNS Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. Refer to Chapter 7 on page 130 for more information. Click ADVANCED, REMOTE MGMT and then the DNS tab to change your ZyWALL’s DNS settings. Use this screen to set [...]

  • Page 453

    ZyWALL 5/35/70 Series User’s Guide 453 Chapter 27 Remote Management If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not do any configurations directly to the ZyWALL (using either the web configurator, SMT menus or commands) without notifying the Vantage CNM administrator. 27.17 Configuring CNM Vant[...]

  • Page 454

    ZyWALL 5/35/70 Series User’s Guide Chapter 27 Remote Management 454 Last Registration Time This field displays the last date (year-month-date) and time (hours-minutes-seconds) that the ZyWALL registered with the Vantage CNM server. It displays all zeroes if it has not yet registered with the Vantage CNM server. Refresh Click Refresh to[...]

  • Page 455

    ZyWALL 5/35/70 Series User’s Guide 455 Chapter 27 Remote Management[...]

  • Page 456

    ZyWALL 5/35/70 Series User’s Guide Chapter 28 UPnP 456 CHAPTER 28 UPnP This chapter introduces the Universal Plug and Play feature. This chapter is only applicable when the ZyWALL is in router mode. 28.1 Universal Plug and Play Overview Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-t[...]

  • Page 457

    ZyWALL 5/35/70 Series User’s Guide 457 Chapter 28 UPnP All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention. 28.1.4 UPnP and ZyXEL ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum Creates UPnP™ Implementers Corp. (UIC). ZyXEL&ap[...]

  • Page 458

    ZyWALL 5/35/70 Series User’s Guide Chapter 28 UPnP 458 28.3 Displaying UPnP Port Mapping Click UPnP and then Ports to display the UPnP Ports screen. Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL. Not all fields are available on all models. Figure 231 UPnP Ports Allow users to make configuration changes thro[...]

  • Page 459

    ZyWALL 5/35/70 Series User’s Guide 459 Chapter 28 UPnP The following table describes the labels in this screen. 28.4 Installing UPnP in Windows Example This section shows how to install UPnP in Windows Me and Windows XP. Table 162 UPnP Ports LABEL DESCRIPTION Reserve UPnP NAT rules in flash after system bootup Select this check box to have[...]

  • Page 460

    ZyWALL 5/35/70 Series User’s Guide Chapter 28 UPnP 460 28.4.1 Installing UPnP in Windows Me Follow the steps below to install UPnP in Windows Me. 1 Click Start, Settings and Control Panel. Double-click Add/Remove Programs. 2 Click on the Windows Setup tab and select Communication in the Components selection box. Click Details. 3[...]

  • Page 461

    ZyWALL 5/35/70 Series User’s Guide 461 Chapter 28 UPnP 28.4.2 Installing UPnP in Windows XP Follow the steps below to install UPnP in Windows XP. 28.5 Using UPnP in Windows XP Example This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL device[...]

  • Page 462

    ZyWALL 5/35/70 Series User’s Guide Chapter 28 UPnP 462 28.5.1 Auto-discover Your UPnP-enabled Network Device 1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway. 2 Right-click the icon and select Properties. 3 In the Internet Connection Properties window, click Settings to see the [...]

  • Page 463

    ZyWALL 5/35/70 Series User’s Guide 463 Chapter 28 UPnP Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. 28.5.2 Web Configurator Easy Access With UPnP, you can access the web-based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device f[...]

  • Page 464

    ZyWALL 5/35/70 Series User’s Guide Chapter 28 UPnP 464 Follow the steps below to access the web configurator. 1 Click Start and then Control Panel. 2 Double-click Network Connections. 3 Select My Network Places under Other Places. 4 An icon with the description for each UPnP-enabled device displays under Local Network. 5 Right-click the[...]

  • Page 465

    ZyWALL 5/35/70 Series User’s Guide 465 Chapter 28 UPnP 6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.[...]

  • Page 466

    ZyWALL 5/35/70 Series User’s Guide Chapter 29 ALG Screen 466 CHAPTER 29 ALG Screen This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to pass through the ZyWALL. 29.1 ALG Introduction The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT un-friendly applications (such a[...]

  • Page 467

    ZyWALL 5/35/70 Series User’s Guide 467 Chapter 29 ALG Screen If the primary WAN connection fails, the client needs to re-initialize the connection through the secondary WAN port to have the connection go through the secondary WAN port. When the ZyWALL uses both of the WAN ports at the same time, you can configure routing policies to s[...]

  • Page 468

    ZyWALL 5/35/70 Series User’s Guide Chapter 29 ALG Screen 468 Figure 232 H.323 ALG Example • With multiple WAN IP addresses on the ZyWALL, you can configure different firewall and port forwarding rules to allow incoming calls from each WAN IP address to go to a specific IP address on the LAN (or DMZ). Use policy routing to have the H.32[...]

  • Page 469

    ZyWALL 5/35/70 Series User’s Guide 469 Chapter 29 ALG Screen Figure 234 H.323 Calls from the WAN with Multiple Outgoing Calls • The H.323 ALG operates on TCP packets with a port 1720 destination. • The ZyWALL allows H.323 audio connections. • The ZyWALL can also apply bandwidth management to traffic that goes through the H.323 ALG. [...]

  • Page 470

    ZyWALL 5/35/70 Series User’s Guide Chapter 29 ALG Screen 470 The following example shows SIP signaling and audio sessions between SIP clients A and B and the SIP server (1). Figure 235 SIP ALG Example 29.5.3 SIP Signaling Session Timeout Most SIP clients have an “expire” mechanism indicating the lifetime of signaling sessions. The SIP use[...]

  • Page 471

    ZyWALL 5/35/70 Series User’s Guide 471 Chapter 29 ALG Screen Figure 236 ALG The following table describes the labels in this screen. Table 163 ALG LABEL DESCRIPTION Enable FTP ALG Select this check box to allow FTP sessions to pass through the ZyWALL. FTP (File Transfer Program) is a program that enables fast transfer of files, including lar[...]

  • Page 472

    ZyWALL 5/35/70 Series User’s Guide Chapter 30 Logs Screens 472 CHAPTER 30 Logs Screens This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to Appendix S on page 774 for example log message explanations. 30.1 Configuring View Log The web configurator allows you to look at all of[...]

  • Page 473

    ZyWALL 5/35/70 Series User’s Guide 473 Chapter 30 Logs Screens The following table describes the labels in this screen. 30.2 Log Description Example The following is an example of how a log displays in the command line interpreter and a description of the sample log. Refer to the appendices for more log message descriptions and details on usi[...]

  • Page 474

    ZyWALL 5/35/70 Series User’s Guide Chapter 30 Logs Screens 474 30.2.1 Certificate Not Trusted Log Note myZyXEL.com and the update server use certificates signed by VeriSign to identify themselves. If the ZyWALL does not have a CA certificate signed by VeriSign as a trusted CA, the ZyWALL will not trust the certificate from myZyXEL.com and[...]

  • Page 475

    ZyWALL 5/35/70 Series User’s Guide 475 Chapter 30 Logs Screens Figure 239 myZyXEL.com: Certificate Download 30.3 Configuring Log Settings To change your ZyWALL’s log settings, click LOGS, then the Log Settings tab. The screen appears as shown. Use the Log Settings screen to configure to where the ZyWALL is to send logs; the schedule fo[...]

  • Page 476

    ZyWALL 5/35/70 Series User’s Guide Chapter 30 Logs Screens 476 Figure 240 Log Settings[...]

  • Page 477

    ZyWALL 5/35/70 Series User’s Guide 477 Chapter 30 Logs Screens The following table describes the labels in this screen. Table 166 Log Settings LABEL DESCRIPTION E-mail Log Settings Mail Server Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messa[...]

  • Page 478

    ZyWALL 5/35/70 Series User’s Guide Chapter 30 Logs Screens 478 30.4 Configuring Reports The Reports page displays which computers on the LAN send and receive the most traffic, what kinds of traffic are used the most and which web sites are visited the most often. Use the Reports screen to have the ZyWALL record and display the following ne[...]

  • Page 479

    ZyWALL 5/35/70 Series User’s Guide 479 Chapter 30 Logs Screens Figure 241 Reports Note: Enabling the ZyWALL’s reporting function decreases the overall throughput by about 1 Mbps. The following table describes the labels in this screen. Note: All of the recorded reports data is erased when you turn off the ZyWALL. Table 167 Reports LAB[...]

  • Page 480

    ZyWALL 5/35/70 Series User’s Guide Chapter 30 Logs Screens 480 30.4.1 Viewing Web Site Hits In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the ZyWALL record and display which web sites have been visited the most often and how many times they have been visited. Figure 242 Web Site Hits Report [...]

  • Page 481

    ZyWALL 5/35/70 Series User’s Guide 481 Chapter 30 Logs Screens Figure 243 Protocol/Port Report Example The following table describes the labels in this screen. Table 169 Protocol/Port Report LABEL DESCRIPTION Protocol/Port This column lists the protocols or service ports for which the most traffic has gone through the ZyWALL. The protocols o[...]

  • Page 482

    ZyWALL 5/35/70 Series User’s Guide Chapter 30 Logs Screens 482 30.4.3 Viewing Host IP Address In the Reports screen, select Host IP Address from the Report Type drop-down list box to have the ZyWALL record and display the LAN, DMZ or WLAN IP addresses that the most traffic has been sent to and/or from and how much traffic has been sent to a[...]

  • Page 483

    ZyWALL 5/35/70 Series User’s Guide 483 Chapter 30 Logs Screens 30.4.4 Reports Specifications The following table lists detailed specifications on the reports feature. Table 171 Report Specifications LABEL DESCRIPTION Number of web sites/protocols or ports/IP addresses listed: 20 Hit count limit: Up to 2^32 hits can be counted per web site. T[...]

  • Page 484

    ZyWALL 5/35/70 Series User’s Guide Chapter 31 Maintenance 484 CHAPTER 31 Maintenance This chapter displays information on the maintenance screens. 31.1 Maintenance Overview The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL. 31.2 General Setup 31.2.1 General Setup[...]

  • Page 485

    ZyWALL 5/35/70 Series User’s Guide 485 Chapter 31 Maintenance Figure 245 General Setup The following table describes the labels in this screen. 31.3 Configuring Password To change your ZyWALL’s password (recommended), click MAINTENANCE, then the Password tab. The screen appears as shown. This screen allows you to change the ZyWALL’s [...]

  • Page 486

    ZyWALL 5/35/70 Series User’s Guide Chapter 31 Maintenance 486 Figure 246 Password Setup The following table describes the labels in this screen. 31.4 Time and Date The ZyWALL’s Real Time Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an exter[...]

  • Page 487

    ZyWALL 5/35/70 Series User’s Guide 487 Chapter 31 Maintenance Figure 247 Time and Date The following table describes the labels in this screen. Table 174 Time and Date LABEL DESCRIPTION Current Time and Date Current Time This field displays the ZyWALL’s present time. Current Date This field displays the ZyWALL’s present date. Time an[...]

  • Page 488

    ZyWALL 5/35/70 Series User’s Guide Chapter 31 Maintenance 488 Get from Time Server Select this radio button to have the ZyWALL get the time and date from the time server you specified below. Time Protocol Select the time service protocol that your time server uses. Not all time servers support all protocols, so you may have to check with your [...]

  • Page 489

    ZyWALL 5/35/70 Series User’s Guide 489 Chapter 31 Maintenance 31.5 Pre-defined NTP Time Servers List When you turn on the ZyWALL for the first time, the date and time start at 2000-01-01 00:00:00. The ZyWALL then attempts to synchronize with one of the following pre-defined list of NTP time servers. The ZyWALL continues to use the follow[...]

  • Page 490

    ZyWALL 5/35/70 Series User’s Guide Chapter 31 Maintenance 490 When the System Time and Date Synchronization in Process screen appears, wait up to one minute. Figure 248 Synchronization in Process Click the Return button to go back to the Time and Date screen after the time and date is updated successfully. Figure 249 Synchronization is Success[...]

  • Page 491

    ZyWALL 5/35/70 Series User’s Guide 491 Chapter 31 Maintenance 31.6 Introduction To Transparent Bridging A transparent bridge is invisible to the operation of a network in that it does not modify the frames it forwards. The bridge checks the source address of incoming frames on the port and learns MAC addresses to associate with that port. A[...]

  • Page 492

    ZyWALL 5/35/70 Series User’s Guide Chapter 31 Maintenance 492 3 As a transparent bridge does not modify the frames it forwards, it is effectively “stealth” as it is invisible to attackers. Bridging devices are most useful in complex environments that require a rapid or new firewall deployment. A transparent, bridging firewall can also be go[...]

  • Page 493

    ZyWALL 5/35/70 Series User’s Guide 493 Chapter 31 Maintenance 31.9 Configuring Device Mode (Bridge) To configure and have your ZyWALL work as a router or a bridge, click MAINTENANCE, then the Device Mode tab. The following applies when the ZyWALL is in bridge mode. Figure 252 Device Mode (Bridge Mode) The following table describes the label[...]

  • Page 494

    ZyWALL 5/35/70 Series User’s Guide Chapter 31 Maintenance 494 31.10 F/W Upload Screen Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, "zywall.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful uplo[...]

  • Page 495

    ZyWALL 5/35/70 Series User’s Guide 495 Chapter 31 Maintenance Figure 253 Firmware Upload The following table describes the labels in this screen. Note: Do not turn off the ZyWALL while firmware upload is in progress! After you see the Firmware Upload in Process screen, wait two minutes before logging into the ZyWALL again. Figure 254 Firmwar[...]

  • Page 496

    ZyWALL 5/35/70 Series User’s Guide Chapter 31 Maintenance 496 Figure 255 Network Temporarily Disconnected After two minutes, log in again and check your new firmware version in the HOME screen. If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen. Figure 256 Firmware Upload Error[...]

  • Page 497

    ZyWALL 5/35/70 Series User’s Guide 497 Chapter 31 Maintenance Figure 257 Backup and Restore 31.11.1 Backup Configuration Backup Configuration allows you to back up (save) the ZyWALL’s current configuration to a file on your computer. Once your ZyWALL is configured and functioning properly, it is highly recommended that you back up yo [...]

  • Page 498

    ZyWALL 5/35/70 Series User’s Guide Chapter 31 Maintenance 498 Note: Do not turn off the ZyWALL while configuration file upload is in progress. After you see a “restore configuration successful” screen, you must then wait one minute before logging into the ZyWALL again. Figure 258 Configuration Upload Successful The ZyWALL automatically[...]

  • Page 499

    ZyWALL 5/35/70 Series User’s Guide 499 Chapter 31 Maintenance 31.11.3 Back to Factory Defaults Pressing the Reset button in this section clears all user-entered configuration information and returns the ZyWALL to its factory defaults as shown on the screen. The following warning screen will appear. Figure 261 Reset Warning Message You can[...]

  • Page 500

    ZyWALL 5/35/70 Series User’s Guide Chapter 32 Introducing the SMT 500 CHAPTER 32 Introducing the SMT This chapter explains how to access the System Management Terminal and gives an overview of its menus. 32.1 Introduction to the SMT The ZyWALL’s SMT (System Management Terminal) is a menu-driven interface that you can access from a term[...]

  • Page 501

    ZyWALL 5/35/70 Series User’s Guide 501 Chapter 32 Introducing the SMT Figure 263 Initial Screen 32.2.2 Entering the Password The login screen appears after you press [ENTER], prompting you to enter the password, as shown below. For your first login, enter the default password “1234”. As you type the password, the screen displays an “[...]

  • Page 502

    ZyWALL 5/35/70 Series User’s Guide Chapter 32 Introducing the SMT 502 32.3.1 Main Menu After you enter the password, the SMT displays the ZyWALL Main Menu, as shown next. This guide uses the ZyWALL 70 menus as an example. The menus may vary slightly for different ZyWALL models. Not all fields or menus are available on all models. Move to a[...]

  • Page 503

    ZyWALL 5/35/70 Series User’s Guide 503 Chapter 32 Introducing the SMT Figure 265 Main Menu (Router Mode) Figure 266 Main Menu (Bridge Mode) The following table describes the fields in this menu. Copyright (c) 1994 - 2005 ZyXEL Communications Corp. ZyWALL 70 Main Menu Getting Started Advanced Management 1. General Setup 21. Filter and Firewal[...]

  • Page 504

    ZyWALL 5/35/70 Series User’s Guide Chapter 32 Introducing the SMT 504 32.3.2 SMT Menus Overview The following table gives you an overview of your ZyWALL’s various SMT menus. 3 LAN Setup Use this menu to apply LAN filters, configure LAN DHCP and TCP/IP settings. 4 Internet Access Setup Configure your Internet access setup (Internet ad[...]

  • Page 505

    ZyWALL 5/35/70 Series User’s Guide 505 Chapter 32 Introducing the SMT 6 Route Setup (for the ZyWALL 35 and the ZyWALL 70) 6.1 Route Assessment 6.2 Traffic Redirect 6.3 Route Failover 7 Wireless Setup 7.1 Wireless Setup 7.1.1 WLAN MAC Address Filter 7.2 TCP/IP and DHCP Ethernet Setup 7.2.1 IP Alias Setup 11 Remote Node Setup 11.1 Remote N[...]

  • Page 506

    ZyWALL 5/35/70 Series User’s Guide Chapter 32 Introducing the SMT 506 32.4 Changing the System Password Change the system password by following the steps shown next. 1 Enter 23 in the main menu to open Menu 23 - System Password as shown next. 24 System Maintenance 24.1 System Status 24.2 System Information and Console Port Speed 24.2.1 System [...]

  • Page 507

    ZyWALL 5/35/70 Series User’s Guide 507 Chapter 32 Introducing the SMT Figure 267 Menu 23: System Password 2 Type your existing password and press [ENTER]. 3 Type your new system password and press [ENTER]. 4 Re-type your new system password for confirmation and press [ENTER]. Note that as you type a password, the screen displays an “x?[...]

  • Page 508

    ZyWALL 5/35/70 Series User’s Guide Chapter 33 SMT Menu 1 - General Setup 508 CHAPTER 33 SMT Menu 1 - General Setup Menu 1 - General Setup contains administrative and system-related information. 33.1 Introduction to General Setup Menu 1 - General Setup contains administrative and system-related information. 33.2 Configuring General Setup 1 En[...]

  • Page 509

    ZyWALL 5/35/70 Series User’s Guide 509 Chapter 33 SMT Menu 1 - General Setup Figure 269 Menu 1: General Setup (Bridge Mode) The following table describes the fields not previously discussed (see Table 184 on page 508). Edit Dynamic DNS Press [SPACE BAR] and then [ENTER] to select Yes or No (default). Select Yes to configure Menu 1.1: Confi[...]

  • Page 510

    ZyWALL 5/35/70 Series User’s Guide Chapter 33 SMT Menu 1 - General Setup 510 33.2.1 Configuring Dynamic DNS To configure Dynamic DNS, set the ZyWALL to router mode in menu 1 or in the MAINTENANCE Device Mode screen and go to Menu 1 - General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Men[...]

  • Page 511

    ZyWALL 5/35/70 Series User’s Guide 511 Chapter 33 SMT Menu 1 - General Setup Figure 271 Menu 1.1.1: DDNS Host Summary The following table describes the fields in this screen. 5 Select Edit in the Select Command field; type the index number of the DDNS host you want to configure in the Select Rule field and press [ENTER] to open Menu 1.1.1 - DDNS[...]

  • Page 512

    ZyWALL 5/35/70 Series User’s Guide Chapter 33 SMT Menu 1 - General Setup 512 Figure 272 Menu 1.1.1: DDNS Edit Host The following table describes the fields in this screen. Menu 1.1.1 - DDNS Edit Host Hostname= ZyWALL DDNS Type= DynamicDNS Enable Wildcard Option= Yes Enable Off Line Option= N/A Bind WAN= 1 HA= Yes IP Address Update Policy: Let DDN[...]

  • Page 513

    ZyWALL 5/35/70 Series User’s Guide 513 Chapter 33 SMT Menu 1 - General Setup The IP address updates when you reconfigure menu 1 or perform DHCP client renewal. IP Address Update Policy: You can select Yes in either the Let DDNS Server Auto Detect field (recommended) or the Use User-Defined field, but not both. With the Let DDNS Server Auto Det[...]

  • Page 514

    ZyWALL 5/35/70 Series User’s Guide Chapter 34 WAN and Dial Backup Setup 514 CHAPTER 34 WAN and Dial Backup Setup This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.1 and 11.1. 34.1 Introduction to WAN and Dial Backup Setup This chapter explains how to configure settings for your WAN port and how to[...]

  • Page 515

    ZyWALL 5/35/70 Series User’s Guide 515 Chapter 34 WAN and Dial Backup Setup The following table describes the fields in this screen. 34.3 Dial Backup The Dial Backup port can be used in reserve, as a traditional dial-up connection should the broadband connection to the WAN port fail. To set up the auxiliary port (Dial Backup) for use in the[...]

  • Page 516

    ZyWALL 5/35/70 Series User’s Guide Chapter 34 WAN and Dial Backup Setup 516 Figure 274 Menu 2: Dial Backup Setup The following table describes the fields in this menu. 34.5 Advanced WAN Setup Note: Consult the manual of your WAN device connected to your Dial Backup port for specific AT commands. Menu 2 - WAN Setup WAN 1 MAC Address: Assigne[...]

  • Page 517

    ZyWALL 5/35/70 Series User’s Guide 517 Chapter 34 WAN and Dial Backup Setup To edit the advanced setup for the Dial Backup port, move the cursor to the Edit Advanced Setup field in Menu 2 - WAN Setup, press the [SPACE BAR] to select Yes and then press [ENTER]. Figure 275 Menu 2.1: Advanced WAN Setup The following table describes fields in[...]

  • Page 518

    ZyWALL 5/35/70 Series User’s Guide Chapter 34 WAN and Dial Backup Setup 518 34.6 Remote Node Profile (Backup ISP) On a ZyWALL with multiple WAN ports, enter 3 in Menu 11 - Remote Node Setup to open Menu 11.3 - Remote Node Profile (Backup ISP) (shown below) and configure the setup for your Dial Backup port connection. On a ZyWALL with a [...]

  • Page 519

    ZyWALL 5/35/70 Series User’s Guide 519 Chapter 34 WAN and Dial Backup Setup Figure 276 Menu 11.3: Remote Node Profile (Backup ISP) The following table describes the fields in this menu. Menu 11.3 - Remote Node Profile (Backup ISP) Rem Node Name= Edit PPP Options= No Active= No Edit IP= No Outgoing: Edit Script Options= No My Login= ChangeMe My[...]

  • Page 520

    ZyWALL 5/35/70 Series User’s Guide Chapter 34 WAN and Dial Backup Setup 520 34.7 Editing PPP Options The ZyWALL’s dial back-up feature uses PPP. To edit the remote node PPP Options, move the cursor to the Edit PPP Options field in Menu 11.3 - Remote Node Profile (Backup ISP), and use the space bar to select Yes. Press [Enter] to ope[...]

  • Page 521

    ZyWALL 5/35/70 Series User’s Guide 521 Chapter 34 WAN and Dial Backup Setup Figure 277 Menu 11.3.1: Remote Node PPP Options This table describes the Remote Node PPP Options Menu, and contains instructions on how to configure the PPP options fields. 34.8 Editing TCP/IP Options Move the cursor to the Edit IP field in menu 11.3, then press [SP [...]

  • Page 522

    ZyWALL 5/35/70 Series User’s Guide Chapter 34 WAN and Dial Backup Setup 522 Figure 278 Menu 11.3.2: Remote Node Network Layer Options The following table describes the fields in this menu. Menu 11.3.2 - Remote Node Network Layer Options IP Address Assignment= Static Rem IP Addr= 0.0.0.0 Rem Subnet Mask= 0.0.0.0 My WAN Addr= 0.0.0.0 Network [...]

  • Page 523

    ZyWALL 5/35/70 Series User’s Guide 523 Chapter 34 WAN and Dial Backup Setup 34.9 Editing Login Script For some remote gateways, text login is required before PPP negotiation is started. The ZyWALL provides a script facility for this purpose. The script has six programmable sets; each set is composed of an ‘Expect’ string and a ‘Send’ [...]

  • Page 524

    ZyWALL 5/35/70 Series User’s Guide Chapter 34 WAN and Dial Backup Setup 524 You can use two variables, $USERNAME and $PASSWORD (all UPPER case), to represent the actual user name and password in the script, so they will not show in the clear. They are replaced with the outgoing login name and password in the remote node when the ZyWALL s[...]

  • Page 525

    ZyWALL 5/35/70 Series User’s Guide 525 Chapter 34 WAN and Dial Backup Setup The following table describes the fields in this menu. 34.10 Remote Node Filter Move the cursor to the field Edit Filter Sets in menu 11.3, and then press [SPACE BAR] to set the value to Yes. Press [ENTER] to open Menu 11.3.4 - Remote Node Filter. Use menu 11.3.4[...]

  • Page 526

    ZyWALL 5/35/70 Series User’s Guide Chapter 35 LAN Setup 526 CHAPTER 35 LAN Setup This chapter describes how to configure the LAN using Menu 3 - LAN Setup. 35.1 Introduction to LAN Setup This chapter describes how to configure the ZyWALL for LAN and wireless LAN connections. 35.2 Accessing the LAN Menus From the main menu, enter 3 to open Menu[...]

  • Page 527

    ZyWALL 5/35/70 Series User’s Guide 527 Chapter 35 LAN Setup Figure 282 Menu 3.1: LAN Port Filter Setup 35.4 TCP/IP and DHCP Ethernet Setup Menu From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup. Figure 283 Menu 3: TCP/IP and DHCP Setup From menu 3, select the submenu option TCP/IP and[...]

  • Page 528

    ZyWALL 5/35/70 Series User’s Guide Chapter 35 LAN Setup 528 Figure 284 Menu 3.2: TCP/IP and DHCP Ethernet Setup Follow the instructions in the next table on how to configure the DHCP fields. Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP= Server TCP/IP Setup: Client IP Pool: Starting Address= 192.168.1.33 IP Address= 192.168.1.1 Size of Clie[...]

  • Page 529

    ZyWALL 5/35/70 Series User’s Guide 529 Chapter 35 LAN Setup Use the instructions in the following table to configure TCP/IP parameters for the LAN port. Note: LAN and DMZ IP addresses must be on separate subnets. First DNS Server Second DNS Server Third DNS Server The ZyWALL passes a DNS (Domain Name System) server IP address (in the order you [...]

  • Page 530

    ZyWALL 5/35/70 Series User’s Guide Chapter 35 LAN Setup 530 35.4.1 IP Alias Setup IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LA[...]

  • Page 531

    ZyWALL 5/35/70 Series User’s Guide 531 Chapter 35 LAN Setup Outgoing Protocol Filters Enter the filter set(s) you wish to apply to the outgoing traffic between this node and the ZyWALL. When you have completed this menu, press [ENTER] at the prompt [Press ENTER to Confirm…] to save your configuration, or press [ESC] at any time to cancel. T[...]

  • Page 532

    ZyWALL 5/35/70 Series User’s Guide Chapter 36 Internet Access 532 CHAPTER 36 Internet Access This chapter shows you how to configure your ZyWALL for Internet access. 36.1 Introduction to Internet Access Setup Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet. There are th[...]

  • Page 533

    ZyWALL 5/35/70 Series User’s Guide 533 Chapter 36 Internet Access The following table describes the fields in this menu. Table 200 Menu 4: Internet Access Setup (Ethernet) FIELD DESCRIPTION ISP’s Name This is the descriptive name of your ISP for identification purposes. Encapsulation Press [SPACE BAR] and then press [ENTER] to choose Ether[...]

  • Page 534

    ZyWALL 5/35/70 Series User’s Guide Chapter 36 Internet Access 534 36.3 Configuring the PPTP Client Note: The ZyWALL supports only one PPTP server connection at any given time. To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection. After configurin[...]

  • Page 535

    ZyWALL 5/35/70 Series User’s Guide 535 Chapter 36 Internet Access Figure 288 Internet Access Setup (PPPoE) The following table contains instructions about the new fields when you choose PPPoE in the Encapsulation field in menu 4. If you need a PPPoE service name to identify and reach the PPPoE server, please go to menu 11 and enter the PPPoE [...]

  • Page 536

    ZyWALL 5/35/70 Series User’s Guide Chapter 37 DMZ Setup 536 CHAPTER 37 DMZ Setup This chapter describes how to configure the ZyWALL’s DMZ using Menu 5 - DMZ Setup. 37.1 Configuring DMZ Setup From the main menu, enter 5 to open Menu 5 – DMZ Setup. Figure 289 Menu 5: DMZ Setup 37.2 DMZ Port Filter Setup This menu allows you to specify th[...]

  • Page 537

    ZyWALL 5/35/70 Series User’s Guide 537 Chapter 37 DMZ Setup 37.3.1 IP Address From the main menu, enter 5 to open Menu 5 - DMZ Setup to configure TCP/IP (RFC 1155). Figure 291 Menu 5: DMZ Setup From menu 5, select the submenu option 2. TCP/IP and DHCP Setup and press [ENTER]. The screen now displays Menu 5.2 - TCP/IP and DHCP Ethernet Setup[...]

  • Page 538

    ZyWALL 5/35/70 Series User’s Guide Chapter 37 DMZ Setup 538 37.3.2 IP Alias Setup You must use menu 5.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to configure the second and third network. Pressing [ENTER] opens Menu 5.2.1 - IP Alias Setup, as shown next. F[...]

  • Page 539

    ZyWALL 5/35/70 Series User’s Guide 539 Chapter 37 DMZ Setup[...]

  • Page 540

    ZyWALL 5/35/70 Series User’s Guide Chapter 38 Route Setup 540 CHAPTER 38 Route Setup This chapter describes how to configure the ZyWALL's traffic redirect. This chapter applies to the ZyWALL 35 and ZyWALL 70. 38.1 Configuring Route Setup From the main menu, enter 6 to open Menu 6 - Route Setup. Figure 294 Menu 6: Route Setup 38.2 Route[...]

  • Page 541

    ZyWALL 5/35/70 Series User’s Guide 541 Chapter 38 Route Setup The following table describes the fields in this menu. 38.3 Traffic Redirect To configure the parameters for traffic redirect, enter 2 in Menu 6 - Route Setup to open Menu 6.2 - Traffic Redirect as shown next. Figure 296 Menu 6.2: Traffic Redirect The following table describes the[...]

  • Page 542

    ZyWALL 5/35/70 Series User’s Guide Chapter 38 Route Setup 542 38.4 Route Failover This menu allows you to configure how the ZyWALL uses the route assessment ping check function. Figure 297 Menu 6.3: Route Failover The following table describes the fields in this menu. Metric This field sets this route's priority among the routes the ZyWA[...]

  • Page 543

    ZyWALL 5/35/70 Series User’s Guide 543 Chapter 38 Route Setup[...]

  • Page 544

    ZyWALL 5/35/70 Series User’s Guide Chapter 39 Wireless Setup 544 CHAPTER 39 Wireless Setup Use menu 7 to set up your ZyWALL as the wireless access point. 39.1 Wireless LAN Setup Note: If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL’s ESSID or WEP settings, you will lose your wirel[...]

  • Page 545

    ZyWALL 5/35/70 Series User’s Guide 545 Chapter 39 Wireless Setup Follow the instructions in the next table on how to configure the wireless LAN parameters. Table 206 Menu 7.1: Wireless Setup FIELD DESCRIPTION Enable Wireless LAN Press [SPACE BAR] to select Yes to turn on the wireless LAN. The wireless LAN is off by default. Configure wireless[...]

  • Page 546

    ZyWALL 5/35/70 Series User’s Guide Chapter 39 Wireless Setup 546 39.1.1 MAC Address Filter Setup Your ZyWALL checks the MAC address of the wireless station device against a list of allowed or denied MAC addresses. However, intruders could fake allowed MAC addresses so MAC-based authentication is less secure than EAP authentication. Follow t[...]

  • Page 547

    ZyWALL 5/35/70 Series User’s Guide 547 Chapter 39 Wireless Setup 39.2 TCP/IP Setup For more detailed information about RIP setup, IP Multicast and IP alias, please refer to Chapter 5 on page 110. 39.2.1 IP Address From the main menu, enter 7 to open Menu 7 - WLAN Setup to configure TCP/IP (RFC 1155). Figure 300 Menu 7: WLAN Setup From menu [...]

  • Page 548

    ZyWALL 5/35/70 Series User’s Guide Chapter 39 Wireless Setup 548 Figure 301 Menu 7.2: TCP/IP and DHCP Ethernet Setup The DHCP and TCP/IP setup fields are the same as the ones in Menu 3.2 - TCP/IP and DHCP Ethernet Setup. Each public server will need a unique IP address. Refer to Section 35.4 on page 527 for information on how to configure these[...]

  • Page 549

    ZyWALL 5/35/70 Series User’s Guide 549 Chapter 39 Wireless Setup Figure 302 Menu 7.2.1: IP Alias Setup Refer to Table 199 on page 530 for instructions on configuring IP alias parameters. Menu 7.2.1 - IP Alias Setup IP Alias 1= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A IP Alias 2= No IP Address= N/A IP Subnet Mas[...]

  • Page 550

    ZyWALL 5/35/70 Series User’s Guide Chapter 40 Remote Node Setup 550 CHAPTER 40 Remote Node Setup This chapter shows you how to configure a remote node. 40.1 Introduction to Remote Node Setup A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WA[...]

  • Page 551

    ZyWALL 5/35/70 Series User’s Guide 551 Chapter 40 Remote Node Setup Figure 303 Menu 11: Remote Node Setup 40.3 Remote Node Profile Setup The following explains how to configure the remote node profile menu. Not all fields are available on all models. 40.3.1 Ethernet Encapsulation There are three variations of menu 11.x depending on whether[...]

  • Page 552

    ZyWALL 5/35/70 Series User’s Guide Chapter 40 Remote Node Setup 552 The following table describes the fields in this menu. Table 208 Menu 11.1: Remote Node Profile for Ethernet Encapsulation FIELD DESCRIPTION Rem Node Name Enter a descriptive name for the remote node. This field can be up to eight characters. Active Press [SPACE BAR] and t[...]

  • Page 553

    ZyWALL 5/35/70 Series User’s Guide 553 Chapter 40 Remote Node Setup 40.3.2 PPPoE Encapsulation The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). You can only use PPPoE encapsulation when you’re using the ZyWALL with a DSL modem as the WAN device. If you change the Encapsulation to PPPoE, then you will see the next scree[...]

  • Page 554

    ZyWALL 5/35/70 Series User’s Guide Chapter 40 Remote Node Setup 554 40.3.2.3 Metric See Section 7.5 on page 134 for details on the Metric field. 40.3.3 PPTP Encapsulation If you change the Encapsulation to PPTP in menu 11.1, then you will see the next screen. Please see Appendix G on page 704 for information on PPTP. Table 209 Fields in [...]

  • Page 555

    ZyWALL 5/35/70 Series User’s Guide 555 Chapter 40 Remote Node Setup Figure 306 Menu 11.1: Remote Node Profile for PPTP Encapsulation The next table shows how to configure fields in menu 11.1 not previously discussed. 40.4 Edit IP Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] t[...]

  • Page 556

    ZyWALL 5/35/70 Series User’s Guide Chapter 40 Remote Node Setup 556 Figure 307 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation This menu displays the My WAN Addr field for PPPoE and PPTP encapsulations and Gateway IP Addr field for Ethernet encapsulation. The following table describes the fields in this menu. Menu 11[...]

  • Page 557

    ZyWALL 5/35/70 Series User’s Guide 557 Chapter 40 Remote Node Setup 40.5 Remote Node Filter Move the cursor to the field Edit Filter Sets in menu 11.1, and then press [SPACE BAR] to set the value to Yes. Press [ENTER] to open Menu 11.1.4 - Remote Node Filter. Use menu 11.1.4 to specify the filter set(s) to apply to the incoming and outgo[...]

  • Page 558

    ZyWALL 5/35/70 Series User’s Guide Chapter 40 Remote Node Setup 558 Figure 308 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation) Figure 309 Menu 11.1.4: Remote Node Filter (PPPoE or PPTP Encapsulation) 40.6 Traffic Redirect Configure parameters that determine when the ZyWALL will forward WAN traffic to the backup gateway using Menu[...]

  • Page 559

    ZyWALL 5/35/70 Series User’s Guide 559 Chapter 40 Remote Node Setup Figure 310 Menu 11.1.5: Traffic Redirect Setup The following table describes the fields in this menu. Menu 11.1.5 - Traffic Redirect Setup Active= Yes Configuration: Backup Gateway IP Address= 0.0.0.0 Metric= 14 Check WAN IP Address= 0.0.0.0 Fail Tolerance= 10 Period(sec)= 30[...]

  • Page 560

    ZyWALL 5/35/70 Series User’s Guide Chapter 41 IP Static Route Setup 560 CHAPTER 41 IP Static Route Setup This chapter shows you how to configure static routes with your ZyWALL. 41.1 IP Static Route Setup Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.1. Note: The firs[...]

  • Page 561

    ZyWALL 5/35/70 Series User’s Guide 561 Chapter 41 IP Static Route Setup Figure 312 Menu 12.1: Edit IP Static Route The following table describes the IP Static Route Menu fields. Menu 12.1 - Edit IP Static Route Route #: 3 Route Name= ? Active= No Destination IP Address= ? IP Subnet Mask= ? Gateway IP Address= ? Metric= 2 Private= No Press ENTE[...]

  • Page 562

    ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 562 CHAPTER 42 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 42.1 Using NAT Note: You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyW[...]

  • Page 563

    ZyWALL 5/35/70 Series User’s Guide 563 Chapter 42 Network Address Translation (NAT) Figure 313 Menu 4: Applying NAT for Internet Access The following figure shows how you apply NAT to the remote node in menu 11.1. 1 Enter 11 from the main menu. 2 Enter 1 to open Menu 11.1 - Remote Node Profile. 3 Move the cursor to the Edit IP field, pre[...]

  • Page 564

    ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 564 The following table describes the fields in this menu. 42.2 NAT Setup Use the address mapping sets menus and submenus to create the mapping table used to assign global addresses to computers on the LAN and the DMZ. Set 255 is used for SUA. When you select Full [...]

  • Page 565

    ZyWALL 5/35/70 Series User’s Guide 565 Chapter 42 Network Address Translation (NAT) 42.2.1 Address Mapping Sets Enter 1 to bring up Menu 15.1 - Address Mapping Sets. Figure 316 Menu 15.1: Address Mapping Sets 42.2.1.1 SUA Address Mapping Set Enter 255 to display the next screen (see also Section 42.1.1 on page 562). The fields in this men[...]

  • Page 566

    ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 566 Note: Menu 15.1.255 is read-only. 42.2.1.2 User-Defined Address Mapping Sets Now look at option 1 in menu 15.1. Enter 1 to bring up this menu. Look at the differences from the previous menu. Note the extra Action and Select Rule fields mean you can configure [...]

  • Page 567

    ZyWALL 5/35/70 Series User’s Guide 567 Chapter 42 Network Address Translation (NAT) Figure 318 Menu 15.1.1: First Set Note: The Type, Local and Global Start/End IPs are configured in menu 15.1.1.1 (described later) and the values are displayed here. 42.2.1.3 Ordering Your Rules Ordering your rules is important because the ZyWALL applies the[...]

  • Page 568

    ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 568 Note: You must press [ENTER] at the bottom of the screen to save the whole set. You must do this again if you make any changes to the set – including deleting a rule. No changes to the set take place until this action is taken. Selecting Edit in the Action f[...]

  • Page 569

    ZyWALL 5/35/70 Series User’s Guide 569 Chapter 42 Network Address Translation (NAT) 42.3 Configuring a Server behind NAT Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. Follow these steps to configure a server behind N[...]

  • Page 570

    ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 570 Figure 321 Menu 15.2.1: NAT Server Sets 4 Select Edit Rule in the Select Command field; type the index number of the NAT server you want to configure in the Select Rule field and press [ENTER] to open Menu 15.2.1.2 - NAT Server Configuration (see the next [...]

  • Page 571

    ZyWALL 5/35/70 Series User’s Guide 571 Chapter 42 Network Address Translation (NAT) Figure 322 15.2.1.2: NAT Server Configuration The following table describes the fields in this screen. 5 Enter a port number in the Start Port field. To forward only one port, enter it again in the End Port field. To specify a range of ports, enter the[...]

  • Page 572

    ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 572 Figure 323 Menu 15.2.1: NAT Server Setup You assign the private network IP addresses. The NAT network appears as a single host on the Internet. A is the FTP/Telnet/SMTP server. Figure 324 Server Behind NAT Example 42.4 General NAT Examples The following a[...]

  • Page 573

    ZyWALL 5/35/70 Series User’s Guide 573 Chapter 42 Network Address Translation (NAT) Figure 325 NAT Example 1 Figure 326 Menu 4: Internet Access & NAT Example From menu 4 shown above, simply choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in Section 42.4 on page 57[...]

  • Page 574

    ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 574 42.4.2 Example 2: Internet Access with a Default Server Figure 327 NAT Example 2 In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2.1 to specify the Default Server behind the NAT as shown in the ne[...]

  • Page 575

    ZyWALL 5/35/70 Series User’s Guide 575 Chapter 42 Network Address Translation (NAT) 1 Map the first IGA to the first inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses). 2 Map the second IGA to our second inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving b[...]

  • Page 576

    ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 576 Figure 330 Example 3: Menu 11.1.2 The following figure shows how to configure the first rule. Figure 331 Example 3: Menu 15.1.1.1 Menu 11.1.2 - Remote Node Network Layer Options IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Addr=[...]

  • Page 577

    ZyWALL 5/35/70 Series User’s Guide 577 Chapter 42 Network Address Translation (NAT) Figure 332 Example 3: Final Menu 15.1.1 Now configure the IGA3 to map to our web server and mail server on the LAN. 1 Enter 15 from the main menu. 2 Enter 2 to go to menu 15.2. 3 (Enter 1 or 2 from menu 15.2 on a ZyWALL with multiple WAN ports) configure the [...]

  • Page 578

    ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 578 42.4.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-One-to-One mapping as port numbers do not change for Many-One-to-One (and One-to[...]

  • Page 579

    ZyWALL 5/35/70 Series User’s Guide 579 Chapter 42 Network Address Translation (NAT) Figure 336 Example 4: Menu 15.1.1: Address Mapping Rules 42.5 Trigger Port Forwarding Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in N[...]

  • Page 580

    ZyWALL 5/35/70 Series User’s Guide Chapter 42 Network Address Translation (NAT) 580 Note: Only one LAN computer can use a trigger port (range) at a time. Enter 3 in menu 15 to display Menu 15.3 - Trigger Ports. For a ZyWALL with multiple WAN ports, enter 1 or 2 from menu 15.3 to go to Menu 15.3.1 or Menu 15.3.2 - Trigger Port Setup and con[...]

  • Page 581

    ZyWALL 5/35/70 Series User’s Guide 581 Chapter 42 Network Address Translation (NAT)[...]

  • Page 582

    ZyWALL 5/35/70 Series User’s Guide Chapter 43 Introducing the ZyWALL Firewall 582 CHAPTER 43 Introducing the ZyWALL Firewall This chapter shows you how to get started with the ZyWALL firewall. 43.1 Using ZyWALL SMT Menus From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next. Fi[...]

  • Page 583

    ZyWALL 5/35/70 Series User’s Guide 583 Chapter 43 Introducing the ZyWALL Firewall Figure 339 Menu 21.2: Firewall Setup Note: Configure the firewall rules using the web configurator or CLI commands. Menu 21.2 - Firewall Setup The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks[...]

  • Page 584

    ZyWALL 5/35/70 Series User’s Guide Chapter 44 Filter Configuration 584 CHAPTER 44 Filter Configuration This chapter shows you how to create and apply filters. 44.1 Introduction to Filters Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filt[...]

  • Page 585

    ZyWALL 5/35/70 Series User’s Guide 585 Chapter 44 Filter Configuration 44.1.1 The Filter Structure of the ZyWALL A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The ZyWALL allows you to configure up to twelve filter s[...]

  • Page 586

    ZyWALL 5/35/70 Series User’s Guide Chapter 44 Filter Configuration 586 Figure 341 Filter Rule Process You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.[...]

  • Page 587

    ZyWALL 5/35/70 Series User’s Guide 587 Chapter 44 Filter Configuration 44.2 Configuring a Filter Set The ZyWALL includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below. 1 Enter 21 in the main menu to open menu 21. Figure 342 Menu 21: Filter and Firewall Setup 2 Enter 1 to br[...]

  • Page 588

    ZyWALL 5/35/70 Series User’s Guide Chapter 44 Filter Configuration 588 The protocol dependent filter rules abbreviation are listed as follows: Refer to the next section for information on configuring the filter rules. 44.2.1 Configuring a Filter Rule To configure a filter rule, type its number in Menu 21.1.1 - Filter Rules Summary and press [[...]

  • Page 589

    ZyWALL 5/35/70 Series User’s Guide 589 Chapter 44 Filter Configuration To speed up filtering, all rules in a filter set must be of the same class, i.e., protocol filters or generic filters. The class of a filter set is determined by the first rule that you create. When applying the filter sets to a port, separate menu fields are provided for [...]

  • Page 590

    ZyWALL 5/35/70 Series User’s Guide Chapter 44 Filter Configuration 590 The following figure illustrates the logic flow of an IP filter. Destination IP Addr Enter the destination IP Address of the packet you wish to filter. This field is ignored if it is 0.0.0.0. IP Mask Enter the IP mask to apply to the Destination: IP Addr. Port # Enter t[...]

  • Page 591

    ZyWALL 5/35/70 Series User’s Guide 591 Chapter 44 Filter Configuration Figure 345 Executing an IP Filter 44.2.3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is[...]

  • Page 592

    ZyWALL 5/35/70 Series User’s Guide Chapter 44 Filter Configuration 592 to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyWALL treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) a[...]

  • Page 593

    ZyWALL 5/35/70 Series User’s Guide 593 Chapter 44 Filter Configuration 44.3 Example Filter Let’s look at an example to block outside users from accessing the ZyWALL via telnet. Please see our included disk for more example filters. Figure 347 Telnet Filter Example 1 Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup. 2[...]

  • Page 594

    ZyWALL 5/35/70 Series User’s Guide Chapter 44 Filter Configuration 594 Figure 348 Example Filter: Menu 21.1.3.1 The port number for the telnet service (TCP protocol) is 23. See RFC 1060 for port numbers of well-known services. When you press [ENTER] to confirm, you will see the following screen. Note that there is only one filter rule in this [...]

  • Page 595

    ZyWALL 5/35/70 Series User’s Guide 595 Chapter 44 Filter Configuration M = N means an action can be taken immediately. The action is to drop the packet (m = D) if the action is matched and to forward the packet immediately (n = F) if the action is not matched no matter whether there are more rules to be checked (there aren’t in this exa[...]

  • Page 596

    ZyWALL 5/35/70 Series User’s Guide Chapter 44 Filter Configuration 596 44.6 Applying a Filter This section shows you where to apply the filter(s) after you design it (them). The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP and HTTP connections. Note: If you do not activate the firew[...]

  • Page 597

    ZyWALL 5/35/70 Series User’s Guide 597 Chapter 44 Filter Configuration Figure 352 Filtering DMZ Traffic 44.6.3 Applying Remote Node Filters Go to menu 11.1.4 (shown below – note that call filter sets are only present for PPPoE encapsulation) and enter the number(s) of the filter set(s) as appropriate. You can cascade up to four filter set[...]

  • Page 598

    ZyWALL 5/35/70 Series User’s Guide Chapter 45 SNMP Configuration 598 CHAPTER 45 SNMP Configuration This chapter explains SNMP configuration menu 22. 45.1 SNMP Configuration To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The “community” for Get, Set and Trap fields is SNMP terminolo[...]

  • Page 599

    ZyWALL 5/35/70 Series User’s Guide 599 Chapter 45 SNMP Configuration 45.2 SNMP Traps The ZyWALL will send traps to the SNMP manager when any one of the following events occurs: Destination Type the IP address of the station to send your SNMP traps to. When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm[...]

  • Page 600

    ZyWALL 5/35/70 Series User’s Guide Chapter 46 System Information & Diagnosis 600 CHAPTER 46 System Information & Diagnosis This chapter covers SMT menus 24.1 to 24.4. 46.1 Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port st[...]

  • Page 601

    ZyWALL 5/35/70 Series User’s Guide 601 Chapter 46 System Information & Diagnosis 3 There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 drops the WAN connection, 9 resets the counters and [ESC] takes you back to the previous screen. Figure 356 Menu 24.1: System Maintenance: Status The following table describes[...]

  • Page 602

    ZyWALL 5/35/70 Series User’s Guide Chapter 46 System Information & Diagnosis 602 46.3 System Information and Console Port Speed This section describes your system and allows you to choose different console port speeds. To get to the System Information and Console Port Speed: 1 Enter 24 to go to Menu 24 - System Maintenance. 2 Enter 2 to [...]

  • Page 603

    ZyWALL 5/35/70 Series User’s Guide 603 Chapter 46 System Information & Diagnosis Figure 358 Menu 24.2.1: System Maintenance: Information The following table describes the fields in this screen. 46.3.2 Console Port Speed You can change the speed of the console port through Menu 24.2.2 – Console Port Speed. Your ZyWALL supports 9600 (d[...]

  • Page 604

    ZyWALL 5/35/70 Series User’s Guide Chapter 46 System Information & Diagnosis 604 Figure 359 Menu 24.2.2: System Maintenance: Change Console Port Speed 46.4 Log and Trace There are two logging facilities in the ZyWALL. The first is the error logs and trace records that are stored locally. The second is the UNIX syslog facility for messa[...]

  • Page 605

    ZyWALL 5/35/70 Series User’s Guide 605 Chapter 46 System Information & Diagnosis Figure 361 Examples of Error and Information Messages 46.4.2 Syslog Logging The ZyWALL uses the syslog facility to log the CDR (Call Detail Record) and system messages to a syslog server. Syslog and accounting can be configured in Menu 24.3.2 - System Maintena[...]

  • Page 606

    ZyWALL 5/35/70 Series User’s Guide Chapter 46 System Information & Diagnosis 606 Your ZyWALL sends five types of syslog messages. Some examples (not all ZyWALL specific) of these syslog messages with their message formats are shown next: 1 CDR 2 Packet triggered 3 Filter log CDR Message Format SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, St[...]

  • Page 607

    ZyWALL 5/35/70 Series User’s Guide 607 Chapter 46 System Information & Diagnosis 4 PPP log 5 Firewall log Filter log Message Format SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String ); String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD IP[…] is the packet header and S04>R01mD means filter set 4 (S) and ru[...]

  • Page 608

    ZyWALL 5/35/70 Series User’s Guide Chapter 46 System Information & Diagnosis 608 46.4.3 Call-Triggering Packet Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easy readable format. Equivalent information is available in menu 24.1 in hex format. An example is shown next. Figure 363 Call-Tr[...]

  • Page 609

    ZyWALL 5/35/70 Series User’s Guide 609 Chapter 46 System Information & Diagnosis 1 From the main menu, select option 24 to open Menu 24 - System Maintenance. 2 From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagnostic. Figure 364 Menu 24.4: System Maintenance: Diagnostic 46.5.1 WAN DHCP DHCP fu[...]

  • Page 610

    ZyWALL 5/35/70 Series User’s Guide Chapter 46 System Information & Diagnosis 610 Table 229 System Maintenance Menu Diagnostic FIELD DESCRIPTION Ping Host Enter 1 to ping any machine (with an IP address) on your LAN or WAN. Enter its IP address in the Host IP Address field below. WAN DHCP Release Enter 2 to release your WAN DHCP settin[...]

  • Page 611

    ZyWALL 5/35/70 Series User’s Guide 611 Chapter 46 System Information & Diagnosis[...]

  • Page 612

    ZyWALL 5/35/70 Series User’s Guide Chapter 47 Firmware and Configuration File Maintenance 612 CHAPTER 47 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 47.1 Introduction Use the instructions in this chapter to c[...]

  • Page 613

    ZyWALL 5/35/70 Series User’s Guide 613 Chapter 47 Firmware and Configuration File Maintenance The following table is a summary. Please note that the internal filename refers to the filename on the ZyWALL and the external filename refers to the filename not on the ZyWALL, that is, on your computer, local network or FTP site and so the name[...]

  • Page 614

    ZyWALL 5/35/70 Series User’s Guide Chapter 47 Firmware and Configuration File Maintenance 614 Figure 366 Telnet into Menu 24.5 47.3.2 Using the FTP Command from the Command Line 1 Launch the FTP client on your computer. 2 Enter “open”, followed by a space and the IP address of your ZyWALL. 3 Press [ENTER] when prompted for a username. 4 [...]

  • Page 615

    ZyWALL 5/35/70 Series User’s Guide 615 Chapter 47 Firmware and Configuration File Maintenance 47.3.3 Example of FTP Commands from the Command Line Figure 367 FTP Session Example 47.3.4 GUI-based FTP Clients The following table describes some of the commands that you may see in GUI-based FTP clients. 47.3.5 File Maintenance Over WAN TFTP, FT[...]

  • Page 616

    ZyWALL 5/35/70 Series User’s Guide Chapter 47 Firmware and Configuration File Maintenance 616 4 The IP you entered in the Secured Client IP field in menu 24.11 does not match the client IP. If it does not match, the ZyWALL will disconnect the Telnet session immediately. 5 You have an SMT console session running. 47.3.6 Backup Configurati[...]

  • Page 617

    ZyWALL 5/35/70 Series User’s Guide 617 Chapter 47 Firmware and Configuration File Maintenance 47.3.8 GUI-based TFTP Clients The following table describes some of the fields that you may see in GUI-based TFTP clients. Refer to Section 47.3.5 on page 615 to read about configurations that disallow TFTP and FTP over WAN. 47.3.9 Backup Via Con[...]

  • Page 618

    ZyWALL 5/35/70 Series User’s Guide Chapter 47 Firmware and Configuration File Maintenance 618 Figure 370 Backup Configuration Example Type a location for storing the configuration file or click Browse to look for one. Choose the Xmodem protocol. Then click Receive. 4 After a successful backup you will see the following screen. Press any key [...]

  • Page 619

    ZyWALL 5/35/70 Series User’s Guide 619 Chapter 47 Firmware and Configuration File Maintenance Figure 372 Telnet into Menu 24.6 1 Launch the FTP client on your computer. 2 Enter “open”, followed by a space and the IP address of your ZyWALL. 3 Press [ENTER] when prompted for a username. 4 Enter your password as requested (the default is ?[...]

  • Page 620

    ZyWALL 5/35/70 Series User’s Guide Chapter 47 Firmware and Configuration File Maintenance 620 47.4.2 Restore Using FTP Session Example Figure 373 Restore Using FTP Session Example Refer to Section 47.3.5 on page 615 to read about configurations that disallow TFTP and FTP over WAN. 47.4.3 Restore Via Console Port Restore configuration via con[...]

  • Page 621

    ZyWALL 5/35/70 Series User’s Guide 621 Chapter 47 Firmware and Configuration File Maintenance 4 After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu. Figure 377 Successful Restoration Confirmation Screen 47.5 Uploading Firmware and Configuration Files This section sh[...]

  • Page 622

    ZyWALL 5/35/70 Series User’s Guide Chapter 47 Firmware and Configuration File Maintenance 622 Figure 378 Telnet Into Menu 24.7.1: Upload System Firmware 47.5.2 Configuration File Upload You see the following screen when you telnet into menu 24.7.2. Figure 379 Telnet Into Menu 24.7.2: System Maintenance To upload the firmware and the configu[...]

  • Page 623

    ZyWALL 5/35/70 Series User’s Guide 623 Chapter 47 Firmware and Configuration File Maintenance 47.5.3 FTP File Upload Command from the DOS Prompt Example 1 Launch the FTP client on your computer. 2 Enter “open”, followed by a space and the IP address of your ZyWALL. 3 Press [ENTER] when prompted for a username. 4 Enter your password as r[...]

  • Page 624

    ZyWALL 5/35/70 Series User’s Guide Chapter 47 Firmware and Configuration File Maintenance 624 1 Use telnet from your computer to connect to the ZyWALL and log in. Because TFTP does not have any security checks, the ZyWALL records the IP address of the telnet client and accepts TFTP requests only from this address. 2 Put the SMT in command in[...]

  • Page 625

    ZyWALL 5/35/70 Series User’s Guide 625 Chapter 47 Firmware and Configuration File Maintenance Figure 381 Menu 24.7.1 As Seen Using the Console Port 2 After the "Starting Xmodem upload" message appears, activate the Xmodem protocol on your computer. Follow the procedure as shown previously for the HyperTerminal program. The proc[...]

  • Page 626

    ZyWALL 5/35/70 Series User’s Guide Chapter 47 Firmware and Configuration File Maintenance 626 Figure 383 Menu 24.7.2 As Seen Using the Console Port 2 After the "Starting Xmodem upload" message appears, activate the Xmodem protocol on your computer. Follow the procedure as shown previously for the HyperTerminal program. The proced[...]

  • Page 627

    ZyWALL 5/35/70 Series User’s Guide 627 Chapter 47 Firmware and Configuration File Maintenance[...]

  • Page 628

    ZyWALL 5/35/70 Series User’s Guide Chapter 48 System Maintenance Menus 8 to 10 628 CHAPTER 48 System Maintenance Menus 8 to 10 This chapter leads you through SMT menus 24.8 to 24.10. 48.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, whi[...]

  • Page 629

    ZyWALL 5/35/70 Series User’s Guide 629 Chapter 48 System Maintenance Menus 8 to 10 The required fields in a command are enclosed in angle brackets <>. The optional fields in a command are enclosed in square brackets []. The | symbol means “or”. For example, sys filter netbios config <type> <on|off> means that you must[...]

  • Page 630

    ZyWALL 5/35/70 Series User’s Guide Chapter 48 System Maintenance Menus 8 to 10 630 48.2 Call Control Support The ZyWALL provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1. The budget management function allow[...]

  • Page 631

    ZyWALL 5/35/70 Series User’s Guide 631 Chapter 48 System Maintenance Menus 8 to 10 Figure 388 Budget Management The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked. After each period,[...]

  • Page 632

    ZyWALL 5/35/70 Series User’s Guide Chapter 48 System Maintenance Menus 8 to 10 632 Figure 389 Call History The following table describes the fields in this screen. 48.3 Time and Date Setting The ZyWALL’s Real Time Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current [...]

  • Page 633

    ZyWALL 5/35/70 Series User’s Guide 633 Chapter 48 System Maintenance Menus 8 to 10 Figure 390 Menu 24: System Maintenance Enter 10 to go to Menu 24.10 - System Maintenance - Time and Date Setting to update the time and date settings of your ZyWALL as shown in the following screen. Figure 391 Menu 24.10 System Maintenance: Time and Date Setti[...]

  • Page 634

    ZyWALL 5/35/70 Series User’s Guide Chapter 48 System Maintenance Menus 8 to 10 634 Table 236 Menu 24.10 System Maintenance: Time and Date Setting FIELD DESCRIPTION Time Protocol Enter the time service protocol that your timeserver uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator[...]

  • Page 635

    ZyWALL 5/35/70 Series User’s Guide 635 Chapter 48 System Maintenance Menus 8 to 10 End Date (mm-nth-week-hr) Configure the day and time when Daylight Saving Time ends if you selected Yes in the Daylight Saving field. The hr field uses the 24 hour format. Here are a couple of examples: Daylight Saving Time ends in the United States on the la[...]

  • Page 636

    ZyWALL 5/35/70 Series User’s Guide Chapter 49 Remote Management 636 CHAPTER 49 Remote Management This chapter covers remote management found in SMT menu 24.11. 49.1 Remote Management Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. You may manage your ZyWALL[...]

  • Page 637

    ZyWALL 5/35/70 Series User’s Guide 637 Chapter 49 Remote Management Figure 392 Menu 24.11 – Remote Management Control The following table describes the fields in this screen. Menu 24.11 - Remote Management Control TELNET Server: Port = 23 Access = ALL Secure Client IP = 0.0.0.0 FTP Server: Port = 21 Access = ALL Secure Client IP = 0.0.0.0 [...]

  • Page 638

    ZyWALL 5/35/70 Series User’s Guide Chapter 49 Remote Management 638 49.1.1 Remote Management Limitations Remote management over LAN or WAN will not work when: 1 A filter in menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service. 2 You have disabled that service in menu 24.11. 3 The IP address in the Secure [...]

  • Page 639

    ZyWALL 5/35/70 Series User’s Guide 639 Chapter 49 Remote Management[...]

  • Page 640

    ZyWALL 5/35/70 Series User’s Guide Chapter 50 IP Policy Routing 640 CHAPTER 50 IP Policy Routing This chapter covers setting and applying policies used for IP routing. This chapter applies to the ZyWALL 35 and ZyWALL 70. 50.1 IP Routing Policy Summary Menu 25 shows the summary of a policy rule, including the criteria and the action of a sing[...]

  • Page 641

    ZyWALL 5/35/70 Series User’s Guide 641 Chapter 50 IP Policy Routing 50.2 IP Routing Policy Setup To set up a routing policy, perform the following procedures: Criteria/Action This displays the details about to which packets the policy applies and how the policy has the ZyWALL handle those packets. Refer to Table 239 on page 641 for detailed i[...]

  • Page 642

    ZyWALL 5/35/70 Series User’s Guide Chapter 50 IP Policy Routing 642 1 Type 25 in the main menu to open Menu 25 - IP Routing Policy Summary. 2 Select Edit in the Select Command field; type the index number of the rule you want to configure in the Select Rule field and press [ENTER] to open Menu 25.1 - IP Routing Policy Setup (see the next figur[...]

  • Page 643

    ZyWALL 5/35/70 Series User’s Guide 643 Chapter 50 IP Policy Routing 50.2.1 Applying Policy to Packets To apply the policy to packets received on the selected interface(s), go to Menu 25.1: IP Routing Policy Setup and press [SPACE BAR] to select Yes in the Edit policy to packets received from field. Press [ENTER] to display Menu 25.1.1 - IP [...]

  • Page 644

    ZyWALL 5/35/70 Series User’s Guide Chapter 50 IP Policy Routing 644 Figure 395 Menu 25.1.1: IP Routing Policy Setup The following table describes the fields in this screen. 50.3 IP Policy Routing Example If a network has both Internet and remote node connections, you can route Web packets to the Internet using one policy and route FTP packets to[...]

  • Page 645

    ZyWALL 5/35/70 Series User’s Guide 645 Chapter 50 IP Policy Routing Figure 396 Example of IP Policy Routing To force Web packets coming from clients with IP addresses of 192.168.1.33 to 192.168.1.64 to be routed to the Internet via the WAN port of the ZyWALL, follow the steps as shown next. 1 Create a rule in Menu 25.1 - IP Routing Policy Set[...]

  • Page 646

    ZyWALL 5/35/70 Series User’s Guide Chapter 50 IP Policy Routing 646 4 Create another rule in menu 25.1 for this rule to route packets from any host (IP= 0.0.0.0 means any host) with protocol TCP and port FTP access through another gateway (192.168.1.100). Figure 398 IP Routing Policy Example 2 5 Select Yes in the LAN field in menu 25.1.1 to ap[...]

  • Page 647

    ZyWALL 5/35/70 Series User’s Guide 647 Chapter 50 IP Policy Routing[...]

  • Page 648

    ZyWALL 5/35/70 Series User’s Guide Chapter 51 Call Scheduling 648 CHAPTER 51 Call Scheduling Call scheduling allows you to dictate when a remote node should be called and for how long. 51.1 Introduction to Call Scheduling The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and[...]

  • Page 649

    ZyWALL 5/35/70 Series User’s Guide 649 Chapter 51 Call Scheduling Figure 400 Schedule Set Setup If a connection has been already established, your ZyWALL will not drop it. Once the connection is dropped manually or it times out, then that remote node can't be triggered up until the end of the Duration. Menu 26.1 - Schedule Set Setup Act[...]

  • Page 650

    ZyWALL 5/35/70 Series User’s Guide Chapter 51 Call Scheduling 650 Once your schedule sets are configured, you must then apply them to the desired remote node(s). Enter 11 from the Main Menu and then enter the target remote node index. Press [SPACE BAR] and then [ENTER] to select PPPoE in the Encapsulation field to make the schedule sets fie[...]

  • Page 651

    ZyWALL 5/35/70 Series User’s Guide 651 Chapter 51 Call Scheduling Figure 402 Applying Schedule Set(s) to a Remote Node (PPTP) Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Allocated Budget(min)= 0 Outgoing= Period(hr)= 0 My Login= Schedules= 1[...]

  • Page 652

    ZyWALL 5/35/70 Series User’s Guide Chapter 52 Troubleshooting 652 CHAPTER 52 Troubleshooting This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see our included disk for further information. 52.1 Problems Starti[...]

  • Page 653

    ZyWALL 5/35/70 Series User’s Guide 653 Chapter 52 Troubleshooting 52.3 Problems with the DMZ Interface 52.4 Problems with the WAN Interface Table 245 Troubleshooting the DMZ Interface PROBLEM CORRECTIVE ACTION Cannot access servers on the DMZ from the LAN. Check your Ethernet cable type and connections. Refer to the Quick Start Guide for DMZ[...]

  • Page 654

    ZyWALL 5/35/70 Series User’s Guide Chapter 52 Troubleshooting 654 52.5 Problems Accessing the ZyWALL 52.5.1 Pop-up Windows, JavaScripts and Java Permissions In order to use the web configurator you need to allow: Table 247 Troubleshooting Accessing the ZyWALL PROBLEM CORRECTIVE ACTION Cannot access the ZyWALL. The default password is “1234[...]

  • Page 655

    ZyWALL 5/35/70 Series User’s Guide 655 Chapter 52 Troubleshooting • Web browser pop-up windows from your device. • JavaScripts (enabled by default). • Java permissions (enabled by default). Note: Internet Explorer 6 screens are used here. Screens for other Internet Explorer versions may vary. 52.5.1.1 Internet Explorer Pop-up Blockers[...]

  • Page 656

    ZyWALL 5/35/70 Series User’s Guide Chapter 52 Troubleshooting 656 Figure 404 Internet Options: Privacy 3 Click Apply to save this setting. 52.5.1.1.2 Enable pop-up Blockers with Exceptions Alternatively, if you only want to allow pop-up windows from your device, see the following steps. 1 In Internet Explorer, select Tools, Internet Opti[...]

  • Page 657

    ZyWALL 5/35/70 Series User’s Guide 657 Chapter 52 Troubleshooting Figure 405 Internet Options: Privacy 3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.1.1. 4 Click Add to move the IP address to the list of Allowed sites.[...]

  • Page 658

    ZyWALL 5/35/70 Series User’s Guide Chapter 52 Troubleshooting 658 Figure 406 Pop-up Blocker Settings 5 Click Close to return to the Privacy screen. 6 Click Apply to save this setting. 52.5.1.2 JavaScripts If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed. 1 In Internet Explorer, [...]

  • Page 659

    ZyWALL 5/35/70 Series User’s Guide 659 Chapter 52 Troubleshooting Figure 407 Internet Options: Security 2 Click the Custom Level... button. 3 Scroll down to Scripting. 4 Under Active scripting make sure that Enable is selected (the default). 5 Under Scripting of Java applets make sure that Enable is selected (the default). 6 Click OK to clos[...]

  • Page 660

    ZyWALL 5/35/70 Series User’s Guide Chapter 52 Troubleshooting 660 Figure 408 Security Settings - Java Scripting 52.5.1.3 Java Permissions 1 From Internet Explorer, click Tools, Internet Options and then the Security tab. 2 Click the Custom Level... button. 3 Scroll down to Microsoft VM. 4 Under Java permissions make sure that a safety lev[...]

  • Page 661

    ZyWALL 5/35/70 Series User’s Guide 661 Chapter 52 Troubleshooting Figure 409 Security Settings - Java 52.5.1.3.1 JAVA (Sun) 1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab. 2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected. 3 Click OK to close the window.[...]

  • Page 662

    ZyWALL 5/35/70 Series User’s Guide Chapter 52 Troubleshooting 662 Figure 410 Java (Sun) 52.6 Packet Flow The following is the packet check flow on the ZyWALL. LAN/DMZ/WLAN to WAN: LAN/DMZ Data and Call Filtering (in SMT menu 21) -> Firewall -> IDP -> Anti-Virus -> Anti-Spam -> Remote Node Data Filtering (in SMT menu 21) ->[...]

  • Page 663

    ZyWALL 5/35/70 Series User’s Guide 663 Chapter 52 Troubleshooting[...]

  • Page 664

    ZyWALL 5/35/70 Series User’s Guide Appendix A Product Specifications 664 APPENDIX A Product Specifications See also the Introduction chapter for a general overview of the key features. Specification Tables Table 248 Device Specifications Default IP Address 192.168.1.1 Default Subnet Mask 255.255.255.0 (24 bits) Default Password 1234 DHC[...]

  • Page 665

    ZyWALL 5/35/70 Series User’s Guide 665 Appendix A Product Specifications Operation Humidity 20% ~ 95% RH (non-condensing) Storage Humidity 20% ~ 95% RH (non-condensing) Certifications EMC: FCC Class B, CE-EMC Class B, C-Tick Class B, VCCI Class B Safety: CSA International, CE EN60950-1 MTBF (Mean Time Between Failures) (Bellcore model) Z[...]

  • Page 666

    ZyWALL 5/35/70 Series User’s Guide Appendix A Product Specifications 666 Anti-Spam Spam, Phishing detection Configurable white and black lists SMTP, POP3 support External Spam database Content Filtering Web page blocking by URL keyword IKE + PKI support External database content filtering Java/ActiveX/Cookie/News blocking Traffic Manag[...]

  • Page 667

    ZyWALL 5/35/70 Series User’s Guide 667 Appendix A Product Specifications Other Protocol Support PPP (Point-to-Point Protocol) link layer protocol. Transparent bridging for unsupported network layer protocols. DHCP Server/Client/Relay RIP I/RIP II ICMP SNMP v1 and v2c with MIB II support (RFC 1213) IP Multicasting IGMP v1 and v2 IGMP Proxy UP[...]

  • Page 668

    ZyWALL 5/35/70 Series User’s Guide Appendix A Product Specifications 668 Compatible ZyXEL WLAN Cards The following table lists the ZyXEL WLAN cards that you can use in the ZyWALL at the time of writing. It also shows the security features that each card supports. Note: Check the product page on the www.zyxel.com website for updates on ZyXE[...]

  • Page 669

    ZyWALL 5/35/70 Series User’s Guide 669 Appendix A Product Specifications Figure 411 WLAN Card Installation Cable Pin Assignments In a serial communications connection, generally a computer is DTE (Data Terminal Equipment) and a modem is DCE (Data Circuit-terminating Equipment). The ZyWALL is DCE when you connect a computer to the console p[...]

  • Page 670

    ZyWALL 5/35/70 Series User’s Guide Appendix A Product Specifications 670 Figure 413 Ethernet Cable Pin Assignments Table 253 Console/Dial Backup Port Pin Assignments CONSOLE Port RS-232 (Female) DB-9F DIAL BACKUP RS-232 (Male) DB-9M (Not on all models) Pin 1 = NON Pin 2 = DCE-TXD Pin 3 = DCE-RXD Pin 4 = DCE-DSR Pin 5 = GND Pin 6 [...]

  • Page 671

    ZyWALL 5/35/70 Series User’s Guide 671 Appendix A Product Specifications[...]

  • Page 672

    ZyWALL 5/35/70 Series User’s Guide Appendix B Hardware Installation 672 APPENDIX B Hardware Installation The ZyWALL can be placed on a desktop or rack-mounted on a standard EIA rack. Use the brackets in a rack-mounted installation. General Installation Instructions Read all the safety warnings in the beginning of this User's Guide be[...]

  • Page 673

    ZyWALL 5/35/70 Series User’s Guide 673 Appendix B Hardware Installation Figure 414 Attaching Rubber Feet Note: Do not block the ventilation holes. Leave space between ZyWALLs when stacking. Rack-mounted Installation Requirements The ZyWALL can be mounted on an EIA standard size, 19-inch rack or in a wiring closet with other equipment. Follo[...]

  • Page 674

    ZyWALL 5/35/70 Series User’s Guide Appendix B Hardware Installation 674 Figure 415 Attaching Mounting Brackets and Screws 3 After attaching both mounting brackets, position the ZyWALL in the rack by lining up the holes in the brackets with the appropriate holes on the rack. Secure the ZyWALL to the rack with the rack-mounting screws. Figu[...]

  • Page 675

    ZyWALL 5/35/70 Series User’s Guide 675 Appendix B Hardware Installation[...]

  • Page 676

    ZyWALL 5/35/70 Series User’s Guide Appendix C Removing and Installing a Fuse 676 APPENDIX C Removing and Installing a Fuse This appendix shows you how to remove and install fuses for the ZyWALL. If you need to install a new fuse, follow the procedure below. Note: If you use a fuse other than the included fuses, make sure it matches the fuse[...]

  • Page 677

    ZyWALL 5/35/70 Series User’s Guide 677 Appendix C Removing and Installing a Fuse[...]

  • Page 678

    ZyWALL 5/35/70 Series User’s Guide Appendix D Setting up Your Computer’s IP Address 678 APPENDIX D Setting up Your Computer’s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the so[...]

  • Page 679

    ZyWALL 5/35/70 Series User’s Guide 679 Appendix D Setting up Your Computer’s IP Address Figure 417 Windows 95/98/Me: Network: Configuration Installing Components The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the [...]

  • Page 680

    ZyWALL 5/35/70 Series User’s Guide Appendix D Setting up Your Computer’s IP Address 680 3 Select Microsoft from the list of manufacturers. 4 Select Client for Microsoft Networks from the list of network clients and then click OK. 5 Restart your computer so the changes you made take effect. Configuring 1 In the Network window Configuration ta[...]

  • Page 681

    ZyWALL 5/35/70 Series User’s Guide 681 Appendix D Setting up Your Computer’s IP Address Figure 419 Windows 95/98/Me: TCP/IP Properties: DNS Configuration 4 Click the Gateway tab. • If you do not know your gateway’s IP address, remove previously installed gateways. • If you have a gateway IP address, type it in the New gateway field and[...]

  • Page 682

    ZyWALL 5/35/70 Series User’s Guide Appendix D Setting up Your Computer’s IP Address 682 Figure 420 Windows XP: Start Menu 2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT). Figure 421 Windows XP: Control Panel 3 Right-click Local Area Connection and then click Properties.[...]

  • Page 683

    ZyWALL 5/35/70 Series User’s Guide 683 Appendix D Setting up Your Computer’s IP Address Figure 422 Windows XP: Control Panel: Network Connections: Properties 4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties. Figure 423 Windows XP: Local Area Connection Properties 5 The Internet Protocol TCP/I[...]

  • Page 684

    ZyWALL 5/35/70 Series User’s Guide Appendix D Setting up Your Computer’s IP Address 684 • If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields. • Click Advanced. Figure 424 Windows XP: Internet Protocol (TCP/IP) Properties 6 If you do not know your gatew[...]

  • Page 685

    ZyWALL 5/35/70 Series User’s Guide 685 Appendix D Setting up Your Computer’s IP Address Figure 425 Windows XP: Advanced TCP/IP Properties 7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): • Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). • If you know your[...]

  • Page 686

    ZyWALL 5/35/70 Series User’s Guide Appendix D Setting up Your Computer’s IP Address 686 Figure 426 Windows XP: Internet Protocol (TCP/IP) Properties 8 Click OK to close the Internet Protocol (TCP/IP) Properties window. 9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window. 10 Close the Network Connect[...]

  • Page 687

    ZyWALL 5/35/70 Series User’s Guide 687 Appendix D Setting up Your Computer’s IP Address Figure 427 Macintosh OS 8/9: Apple Menu 2 Select Ethernet built-in from the Connect via list. Figure 428 Macintosh OS 8/9: TCP/IP 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list.[...]

  • Page 688

    ZyWALL 5/35/70 Series User’s Guide Appendix D Setting up Your Computer’s IP Address 688 4 For statically assigned settings, do the following: • From the Configure box, select Manually. • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. • Type the IP address of your Prestige in the Ro[...]

  • Page 689

    ZyWALL 5/35/70 Series User’s Guide 689 Appendix D Setting up Your Computer’s IP Address Figure 430 Macintosh OS X: Network 4 For statically assigned settings, do the following: • From the Configure box, select Manually. • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. • Type the IP[...]

  • Page 690

    ZyWALL 5/35/70 Series User’s Guide Appendix D Setting up Your Computer’s IP Address 690 Note: Make sure you are logged in as the root administrator. Using the K Desktop Environment (KDE) Follow the steps below to configure your computer IP address using the KDE. 1 Click the Red Hat button (located on the bottom left corner), select System Se[...]

  • Page 691

    ZyWALL 5/35/70 Series User’s Guide 691 Appendix D Setting up Your Computer’s IP Address • If you have a dynamic IP address, click Automatically obtain IP address settings with and select dhcp from the drop down list. • If you have a static IP address, click Statically set IP Addresses and fill in the Address, Subnet mask, and Default G[...]

  • Page 692

    ZyWALL 5/35/70 Series User’s Guide Appendix D Setting up Your Computer’s IP Address 692 1 Assuming that you have only one network card on the computer, locate the ifconfig-eth0 configuration file (where eth0 is the name of the Ethernet card). Open the configuration file with any plain text editor. • If you have a dynamic IP address, ent[...]

  • Page 693

    ZyWALL 5/35/70 Series User’s Guide 693 Appendix D Setting up Your Computer’s IP Address Figure 438 Red Hat 9.0: Restart Ethernet Card Verifying Settings Enter ifconfig in a terminal screen to check your TCP/IP properties. Figure 439 Red Hat 9.0: Checking TCP/IP Properties [root@localhost init.d]# network restart Shutting down interface eth0[...]

  • Page 694

    ZyWALL 5/35/70 Series User’s Guide Appendix E IP Subnetting 694 APPENDIX E IP Subnetting IP Addressing Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID. IP Classes An IP address is made up of four octets (eight bits), written in dotted decimal notation, [...]

  • Page 695

    ZyWALL 5/35/70 Series User’s Guide 695 Appendix E IP Subnetting Since the first octet of a class “A” IP address must contain a “0”, the first octet of a class “A” address can have a value of 0 to 127. Similarly the first octet of a class “B” must begin with “10”, therefore the first octet of a class “B” address has a va[...]

  • Page 696

    ZyWALL 5/35/70 Series User’s Guide Appendix E IP Subnetting 696 Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32 bit mask, you can simply specify the number of ones instead of writing the value of each octet. This is usually specified by writing a[...]

  • Page 697

    ZyWALL 5/35/70 Series User’s Guide 697 Appendix E IP Subnetting Note: In the following charts, shaded/bolded last octet bit values indicate host ID bits “borrowed” to form network ID bits. The number of “borrowed” host ID bits determines the number of subnets you can have. The remaining number of host ID bits (after “borrowin[...]

  • Page 698

    ZyWALL 5/35/70 Series User’s Guide Appendix E IP Subnetting 698 Example: Four Subnets The above example illustrated using a 25-bit subnet mask to divide a class “C” address space into two subnets. Similarly to divide a class “C” address into four subnets, you need to “borrow” two host ID bits to give four possible combinations of 0[...]

  • Page 699

    ZyWALL 5/35/70 Series User’s Guide 699 Appendix E IP Subnetting Example Eight Subnets Similarly use a 27-bit mask to create 8 subnets (001, 010, 011, 100, 101, 110). The following table shows class C IP address last octet values for each subnet. The following table is a summary for class “C” subnet planning. Table 264 Subnet 4 NETWORK N[...]

  • Page 700

    ZyWALL 5/35/70 Series User’s Guide Appendix E IP Subnetting 700 Subnetting With Class A and Class B Networks. For class “A” and class “B” addresses the subnet mask also determines which bits are part of the network number and which are part of the host ID. A class “B” address has two host ID octets available for subnetting and a cla[...]

  • Page 701

    ZyWALL 5/35/70 Series User’s Guide 701 Appendix E IP Subnetting[...]

  • Page 702

    ZyWALL 5/35/70 Series User’s Guide Appendix F PPPoE 702 APPENDIX F PPPoE PPPoE in Action An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your computer to an ATM PVC (Permanent Virtual Circuit) which connects to a DSL Access Concentrator where the PPP session terminates (see Figure 440 on page 703). One[...]

  • Page 703

    ZyWALL 5/35/70 Series User’s Guide 703 Appendix F PPPoE Figure 440 Single-Computer per Router Hardware Configuration How PPPoE Works The PPPoE driver makes the Ethernet appear as a serial link to the computer and the computer runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an I[...]

  • Page 704

    ZyWALL 5/35/70 Series User’s Guide Appendix G PPTP 704 APPENDIX G PPTP What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a computer to a broadband modem over Ethernet? A solution is to build PPTP in[...]

  • Page 705

    ZyWALL 5/35/70 Series User’s Guide 705 Appendix G PPTP PPTP Protocol Overview PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco’s Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user. The PNS is t[...]

  • Page 706

    ZyWALL 5/35/70 Series User’s Guide Appendix G PPTP 706 Figure 444 Example Message Exchange between Computer and an ANT PPP Data Connection The PPP frames are tunneled between the PNS and PAC over GRE (General Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE head[...]

  • Page 707

    ZyWALL 5/35/70 Series User’s Guide 707 Appendix G PPTP[...]

  • Page 708

    ZyWALL 5/35/70 Series User’s Guide Appendix H Wireless LANs 708 APPENDIX H Wireless LANs Wireless LAN Topologies This section discusses ad-hoc and infrastructure wireless LAN topologies. Ad-hoc Wireless LAN Configuration The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless stations (A[...]

  • Page 709

    ZyWALL 5/35/70 Series User’s Guide 709 Appendix H Wireless LANs Figure 446 Basic Service Set ESS An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type [...]

  • Page 710

    ZyWALL 5/35/70 Series User’s Guide Appendix H Wireless LANs 710 Figure 447 Infrastructure WLAN Channel A channel is the radio frequency(ies) used by IEEE 802.11a/b/g wireless devices. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a different channel than an adjacen[...]

  • Page 711

    ZyWALL 5/35/70 Series User’s Guide 711 Appendix H Wireless LANs Figure 448 RTS/CTS When station A sends data to the AP, it might not know that the station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of[...]

  • Page 712

    ZyWALL 5/35/70 Series User’s Guide Appendix H Wireless LANs 712 A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference. If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously)[...]

  • Page 713

    ZyWALL 5/35/70 Series User’s Guide 713 Appendix H Wireless LANs IEEE 802.1x In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices. Some advantage[...]

  • Page 714

    ZyWALL 5/35/70 Series User’s Guide Appendix H Wireless LANs 714 • Access-Challenge Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message. The following types of RADIUS messages are exchanged between the access point and[...]

  • Page 715

    ZyWALL 5/35/70 Series User’s Guide 715 Appendix H Wireless LANs 3 The wireless station replies with identity information, including username and password. 4 The RADIUS server checks the user information against its user profile database and determines whether or not to authenticate the wireless station. Types of Authentication This section d[...]

  • Page 716

    ZyWALL 5/35/70 Series User’s Guide Appendix H Wireless LANs 716 PEAP (Protected EAP) Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only support[...]

  • Page 717

    ZyWALL 5/35/70 Series User’s Guide 717 Appendix H Wireless LANs Figure 450 WEP Authentication Steps Open system authentication involves an unencrypted two-message procedure. A wireless station sends an open system authentication request to the AP, which will then automatically accept and connect the wireless station to the network. In effect[...]

  • Page 718

    ZyWALL 5/35/70 Series User’s Guide Appendix H Wireless LANs 718 Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name an[...]

  • Page 719

    ZyWALL 5/35/70 Series User’s Guide 719 Appendix H Wireless LANs The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match,[...]

  • Page 720

    ZyWALL 5/35/70 Series User’s Guide Appendix H Wireless LANs 720 In a network environment with multiple access points, wireless stations are able to switch from one access point to another as they move between the coverage areas. This is roaming. As the wireless station moves from place to place, it is responsible for choosing the most appropriat[...]

  • Page 721

    ZyWALL 5/35/70 Series User’s Guide 721 Appendix H Wireless LANs Requirements for Roaming The following requirements must be met in order for wireless stations to roam between the coverage areas. 1 All the access points must be on the same subnet and configured with the same ESSID. 2 If IEEE 802.1x user authentication is enabled and to be do[...]

  • Page 722

    ZyWALL 5/35/70 Series User’s Guide Appendix I Triangle Route 722 APPENDIX I Triangle Route The Ideal Setup When the firewall is on, your ZyWALL acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyWALL to protect your LAN against attacks. Fig[...]

  • Page 723

    ZyWALL 5/35/70 Series User’s Guide 723 Appendix I Triangle Route Figure 453 “Triangle Route” Problem The “Triangle Route” Solutions This section presents you two solutions to the “triangle route” problem. IP Aliasing IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your ZyWALL s[...]

  • Page 724

    ZyWALL 5/35/70 Series User’s Guide Appendix I Triangle Route 724 Figure 454 IP Alias Gateways on the WAN Side A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side as the following figure shows. This ensures that all incoming network traffic passes through your ZyWALL to your LAN. The re[...]

  • Page 725

    ZyWALL 5/35/70 Series User’s Guide 725 Appendix I Triangle Route[...]

  • Page 726

    ZyWALL 5/35/70 Series User’s Guide Appendix J Windows 98 SE/Me Requirements for Anti-Virus Message Display 726 APPENDIX J Windows 98 SE/Me Requirements for Anti-Virus Message Display With the anti-virus packet scan, when a virus is detected, an alert message is displayed on Microsoft Windows-based computers. For Windows 98 SE/Me, you mus[...]

  • Page 727

    ZyWALL 5/35/70 Series User’s Guide 727 Appendix J Windows 98 SE/Me Requirements for Anti-Virus Message Display Figure 457 Windows 98 SE: Program Task Bar 2 Click the Start Menu Programs tab and click Advanced... Figure 458 Windows 98 SE: Task Bar Properties 3 Double-click Programs and click StartUp. 4 Right-click in the StartUp p[...]

  • Page 728

    ZyWALL 5/35/70 Series User’s Guide Appendix J Windows 98 SE/Me Requirements for Anti-Virus Message Display 728 Figure 459 Windows 98 SE: StartUp 5 A Create Shortcut window displays. Enter “winpopup” in the Command line field and click Next. Figure 460 Windows 98 SE: Startup: Create Shortcut 6 Specify a name for the shortcut or accept th[...]

  • Page 729

    ZyWALL 5/35/70 Series User’s Guide 729 Appendix J Windows 98 SE/Me Requirements for Anti-Virus Message Display Figure 461 Windows 98 SE: Startup: Select a Title for the Program 7 A shortcut is created in the StartUp pane. Restart the computer when prompted. Figure 462 Windows 98 SE: Startup: Shortcut Note: The WinPopup window displays a[...]

  • Page 730

    ZyWALL 5/35/70 Series User’s Guide Appendix K VPN Setup 730 APPENDIX K VPN Setup This appendix will help you to quickly create an IPSec/VPN connection between two ZyXEL IPSec routers. It should be considered a quick reference for experienced users. General Notes • The private networks behind the IPSec routers must be on different subnets. Fo[...]

  • Page 731

    ZyWALL 5/35/70 Series User’s Guide 731 Appendix K VPN Setup The following pages show a typical configuration that builds a tunnel between two private networks. One network is the headquarters (HQ) and the other is a branch office. Both sites have static (fixed) public addresses. Replace the Remote Gateway Address and Local/Remote Starting I[...]

  • Page 732

    ZyWALL 5/35/70 Series User’s Guide Appendix K VPN Setup 732 Figure 464 Headquarters Gateway Policy Edit The IP address of the branch office IPSec router.[...]

  • Page 733

    ZyWALL 5/35/70 Series User’s Guide 733 Appendix K VPN Setup Figure 465 Branch Office Gateway Policy Edit 3 Click the add network policy ( ) icon next to the BRANCH gateway policy to configure a VPN policy. The IP address of the headquarters IPSec router.[...]

  • Page 734

    ZyWALL 5/35/70 Series User’s Guide Appendix K VPN Setup 734 Figure 466 Headquarters VPN Rule Figure 467 Branch Office VPN Rule 4 Configure the screens in the headquarters and the branch office as follows and click Apply.[...]

  • Page 735

    ZyWALL 5/35/70 Series User’s Guide 735 Appendix K VPN Setup Figure 468 Headquarters Network Policy Edit IP addresses on different subnets. Activate the network policy.[...]

  • Page 736

    ZyWALL 5/35/70 Series User’s Guide Appendix K VPN Setup 736 Figure 469 Branch Office Network Policy Edit Dialing the VPN Tunnel via Web Configurator To test whether the IPSec routers can build the VPN tunnel, click the dial ( ) icon in the VPN Rules (IKE) screen to have the IPSec routers set up the tunnel. IP addresses on different subnets.[...]

  • Page 737

    ZyWALL 5/35/70 Series User’s Guide 737 Appendix K VPN Setup Figure 470 VPN Rule Configured The following screen displays. Figure 471 VPN Dial This screen displays later if the IPSec routers can build the VPN tunnel. Figure 472 VPN Tunnel Established[...]

  • Page 738

    ZyWALL 5/35/70 Series User’s Guide Appendix K VPN Setup 738 VPN Troubleshooting If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into the web configurators of both ZyXEL IPSec routers. Check the settings in each field methodically and slowly. VPN Log The system log can [...]

  • Page 739

    ZyWALL 5/35/70 Series User’s Guide 739 Appendix K VPN Setup Figure 473 VPN Log Example
    ras> sys log disp ike ipsec
    # .time source destination notes message
    0|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE Rule [ex-1] Tunnel built successfully
    1|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DC[...]

  • Page 740

    ZyWALL 5/35/70 Series User’s Guide Appendix K VPN Setup 740 IPSec Debug If you are having difficulty building an IPSec tunnel to a non-ZyXEL IPSec router, advanced users may wish to examine the IPSec debug feature (Menu 24.8). Note: If any of your VPN rules have an active network policy set to nailed-up, using the IPSec debug feature may cau[...]

  • Page 741

    ZyWALL 5/35/70 Series User’s Guide 741 Appendix K VPN Setup Use a VPN Tunnel A VPN tunnel gives you a secure connection to another computer or network. The VPN Status screen displays whether or not your VPN tunnel is connected. Example VPN tunnel uses are securely sending and retrieving files, and accessing corporate network drives, we [...]

  • Page 742

    ZyWALL 5/35/70 Series User’s Guide Appendix L Importing Certificates 742 APPENDIX L Importing Certificates This appendix shows importing certificates examples using Internet Explorer 5. Import ZyWALL Certificates into Netscape Navigator In Netscape Navigator, you can permanently trust the ZyWALL’s server certificate by importing it in[...]

  • Page 743

    ZyWALL 5/35/70 Series User’s Guide 743 Appendix L Importing Certificates Figure 476 Login Screen 2 Click Install Certificate to open the Install Certificate wizard. Figure 477 Certificate General Information before Import 3 Click Next to begin the Install Certificate wizard.[...]

  • Page 744

    ZyWALL 5/35/70 Series User’s Guide Appendix L Importing Certificates 744 Figure 478 Certificate Import Wizard 1 4 Select where you would like to store the certificate and then click Next. Figure 479 Certificate Import Wizard 2 5 Click Finish to complete the Import Certificate wizard.[...]

  • Page 745

    ZyWALL 5/35/70 Series User’s Guide 745 Appendix L Importing Certificates Figure 480 Certificate Import Wizard 3 6 Click Yes to add the ZyWALL certificate to the root store. Figure 481 Root Certificate Store[...]

  • Page 746

    ZyWALL 5/35/70 Series User’s Guide Appendix L Importing Certificates 746 Figure 482 Certificate General Information after Import Enrolling and Importing SSL Client Certificates The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA to the ZyWALL in ord[...]

  • Page 747

    ZyWALL 5/35/70 Series User’s Guide 747 Appendix L Importing Certificates Figure 483 ZyWALL Trusted CA Screen The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s). Installing the CA’s Certificate 1 Double click the CA’s trusted cert[...]

  • Page 748

    ZyWALL 5/35/70 Series User’s Guide Appendix L Importing Certificates 748 Figure 484 CA Certificate Example 2 Click Install Certificate and follow the wizard as shown earlier in this appendix. Installing Your Personal Certificate(s) You need a password in advance. The CA may issue the password or you may have to specify it during the enroll[...]

  • Page 749

    ZyWALL 5/35/70 Series User’s Guide 749 Appendix L Importing Certificates Figure 485 Personal Certificate Import Wizard 1 2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 486 Personal Certificate Import Wizard 2[...]

  • Page 750

    ZyWALL 5/35/70 Series User’s Guide Appendix L Importing Certificates 750 Figure 487 Personal Certificate Import Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Figure 488 Personal Certificate Import Wizard 4 5 Cli[...]

  • Page 751

    ZyWALL 5/35/70 Series User’s Guide 751 Appendix L Importing Certificates Figure 489 Personal Certificate Import Wizard 5 6 You should see the following screen when the certificate is correctly installed on your computer. Figure 490 Personal Certificate Import Wizard 6 Using a Certificate When Accessing the ZyWALL Example Use the following pro[...]

  • Page 752

    ZyWALL 5/35/70 Series User’s Guide Appendix L Importing Certificates 752 Figure 492 SSL Client Authentication 3 You next see the ZyWALL login screen. Figure 493 ZyWALL Secure Login Screen[...]

  • Page 753

    ZyWALL 5/35/70 Series User’s Guide 753 Appendix L Importing Certificates[...]

  • Page 754

    ZyWALL 5/35/70 Series User’s Guide Appendix M Command Interpreter 754 APPENDIX M Command Interpreter The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed info[...]

  • Page 755

    ZyWALL 5/35/70 Series User’s Guide 755 Appendix M Command Interpreter[...]

  • Page 756

    ZyWALL 5/35/70 Series User’s Guide Appendix N Firewall Commands 756 APPENDIX N Firewall Commands The following describes the firewall commands. See Appendix M on page 754 for information on the command structure. Table 271 Firewall Commands FUNCTION COMMAND DESCRIPTION Firewall Set-Up config edit firewall active <yes | no> This command [...]

  • Page 757

    ZyWALL 5/35/70 Series User’s Guide 757 Appendix N Firewall Commands E-mail config edit firewall e-mail mail-server <ip address of mail server> This command sets the IP address to which the e-mail messages are sent. config edit firewall e-mail return-addr <e-mail address> This command sets the source e-mail address of the firewall e-m[...]

  • Page 758

    ZyWALL 5/35/70 Series User’s Guide Appendix N Firewall Commands 758 config edit firewall attack minute-high <0-255> This command sets the threshold rate of new half-open sessions per minute where the ZyWALL starts deleting old half-opened sessions until it gets them down to the minute-low threshold. config edit firewall attack minute-lo[...]

  • Page 759

    ZyWALL 5/35/70 Series User’s Guide 759 Appendix N Firewall Commands Config edit firewall set <set #> tcp-idle-timeout <seconds> This command sets how long ZyWALL lets an inactive TCP connection remain open before considering it closed. Config edit firewall set <set #> log <yes | no> This command sets whether or not the ZyW[...]

  • Page 760

    ZyWALL 5/35/70 Series User’s Guide Appendix N Firewall Commands 760 config edit firewall set <set #> rule <rule #> destaddr-subnet <ip address> <subnet mask> This command sets a rule to have the ZyWALL check for traffic with a particular subnet destination (defined by IP address and subnet mask). config edit firewall s[...]

  • Page 761

    ZyWALL 5/35/70 Series User’s Guide 761 Appendix N Firewall Commands[...]

  • Page 762

    ZyWALL 5/35/70 Series User’s Guide Appendix O NetBIOS Filter Commands 762 APPENDIX O NetBIOS Filter Commands The following describes the NetBIOS packet filter commands. See Appendix M on page 754 for information on the command structure. Introduction NetBIOS (Network Basic Input/Output System) are TCP or UDP broadcast packets that enable a [...]

  • Page 763

    ZyWALL 5/35/70 Series User’s Guide 763 Appendix O NetBIOS Filter Commands The filter types and their default settings are as follows. NetBIOS Filter Configuration Syntax: sys filter netbios config <type> <on|off> where Table 272 NetBIOS Filter Default Settings NAME DESCRIPTION EXAMPLE Between LAN and WAN This field displays whether N[...]

  • Page 764

    ZyWALL 5/35/70 Series User’s Guide Appendix O NetBIOS Filter Commands 764 sys filter netbios config 3 on This command blocks IPSec NetBIOS packets. sys filter netbios config 4 off This command stops NetBIOS commands from initiating calls.[...]

  • Page 765

    ZyWALL 5/35/70 Series User’s Guide 765 Appendix O NetBIOS Filter Commands[...]

  • Page 766

    ZyWALL 5/35/70 Series User’s Guide Appendix P Certificates Commands 766 APPENDIX P Certificates Commands The following describes the certificate commands. See Appendix M on page 754 for information on the command structure. All of these commands start with certificates. Table 273 Certificates Commands COMMAND DESCRIPTION my_cert create create se[...]

  • Page 767

    ZyWALL 5/35/70 Series User’s Guide 767 Appendix P Certificates Commands create cmp_enroll <name> <CA addr> <CA cert> <auth key> <subject> [key size] Create a certificate request and enroll for a certificate immediately online using CMP protocol. <name> specifies a descriptive name for the enrolled certificate. [...]

  • Page 768

    ZyWALL 5/35/70 Series User’s Guide Appendix P Certificates Commands 768 replace_factory Create a certificate using your device MAC address that will be specific to this device. The factory default certificate is a common default certificate for all ZyWALL models. ca_trusted import <name> Import the PEM-encoded certificate from stdin. <[...]

  • Page 769

    ZyWALL 5/35/70 Series User’s Guide 769 Appendix P Certificates Commands delete <name> Delete the specified trusted remote host certificate. <name> specifies the name of the certificate to be deleted. list List all trusted remote host certificate names and basic information. rename <old name> <new name> Rename the specif[...]

  • Page 770

    ZyWALL 5/35/70 Series User’s Guide Appendix Q Brute-Force Password Guessing Protection 770 APPENDIX Q Brute-Force Password Guessing Protection Brute-force password guessing protection allows you to specify a wait-time that must expire before entering a fourth password after three incorrect passwords have been entered. The following describes[...]

  • Page 771

    ZyWALL 5/35/70 Series User’s Guide 771 Appendix Q Brute-Force Password Guessing Protection[...]

  • Page 772

    ZyWALL 5/35/70 Series User’s Guide Appendix R Boot Commands 772 APPENDIX R Boot Commands The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at th [...]

  • Page 773

    ZyWALL 5/35/70 Series User’s Guide 773 Appendix R Boot Commands Figure 495 Boot Module Commands
    AT just answer OK
    ATHE print help
    ATBAx change baud rate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
    ATENx,(y) set BootExtension Debug Flag (y=password)
    ATSE show the seed of password generator
    ATTI(h,m,s) change system time to hour:min:sec or show c[...]

  • Page 774

    ZyWALL 5/35/70 Series User’s Guide Appendix S Log Descriptions 774 APPENDIX S Log Descriptions This appendix provides descriptions of example log messages. Table 275 System Maintenance Logs LOG MESSAGE DESCRIPTION Time calibration is successful The router has adjusted its time based on information from the time server. Time calibration failed[...]

  • Page 775

    ZyWALL 5/35/70 Series User’s Guide 775 Appendix S Log Descriptions Configuration Change: PC = 0x%x, Task ID = 0x%x The router is saving configuration changes. Successful SSH login Someone has logged on to the router’s SSH server. SSH login failed Someone has failed to log on to the router’s SSH server. Successful HTTPS login Someone has l[...]

  • Page 776

    ZyWALL 5/35/70 Series User’s Guide Appendix S Log Descriptions 776 WAN connection is down. A WAN connection is down. You cannot access the network through this interface. Dial Backup starts Dial backup started working. Dial Backup ends Dial backup stopped working. DHCP Server cannot assign the static IP %S (out of range). The LAN subnet, LAN a[...]

  • Page 777

    ZyWALL 5/35/70 Series User’s Guide 777 Appendix S Log Descriptions Table 278 TCP Reset Logs LOG MESSAGE DESCRIPTION Under SYN flood attack, sent TCP RST The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host.) Exceed TCP MAX incomplete, sent TCP RST The router sent a TCP re[...]

  • Page 778

    ZyWALL 5/35/70 Series User’s Guide Appendix S Log Descriptions 778 For type and code details, see Table 294 on page 789. Table 280 ICMP Logs LOG MESSAGE DESCRIPTION Firewall default policy: ICMP <Packet Direction>, <type:%d>, <code:%d> ICMP access matched the default policy and was blocked or forwarded according to the user[...]

  • Page 779

    ZyWALL 5/35/70 Series User’s Guide 779 Appendix S Log Descriptions ppp:LCP Closing The PPP connection’s Link Control Protocol stage is closing. ppp:IPCP Closing The PPP connection’s Internet Protocol Control Protocol stage is closing. Table 283 UPnP Logs LOG MESSAGE DESCRIPTION UPnP pass through Firewall UPnP packets can pass through the fir[...]

  • Page 780

    ZyWALL 5/35/70 Series User’s Guide Appendix S Log Descriptions 780 For type and code details, see Table 294 on page 789. Connecting to content filter server fail The connection to the external content filtering server failed. License key is invalid The external content filtering license key is invalid. Table 285 Attack Logs LOG MESSAGE DESC[...]

  • Page 781

    ZyWALL 5/35/70 Series User’s Guide 781 Appendix S Log Descriptions Firewall sent TCP packet in response to DoS attack TCP The firewall sent TCP packet in response to a DoS attack ICMP Source Quench ICMP The firewall detected an ICMP Source Quench attack. ICMP Time Exceed ICMP The firewall detected an ICMP Time Exceed attack. ICMP Destination U[...]

  • Page 782

    ZyWALL 5/35/70 Series User’s Guide Appendix S Log Descriptions 782 Table 287 Wireless Logs LOG MESSAGE DESCRIPTION WLAN MAC Filter Fail The MAC filter blocked a wireless station from connecting to the device. WLAN MAC Filter Success The MAC filter allowed a wireless station to connect to the device. WLAN STA Association A wireless station associ[...]

  • Page 783

    ZyWALL 5/35/70 Series User’s Guide 783 Appendix S Log Descriptions Table 289 IKE Logs LOG MESSAGE DESCRIPTION Active connection allowed exceeded The IKE process for a new connection failed because the limit of simultaneous phase 2 SAs has been reached. Start Phase 2: Quick Mode Phase 2 Quick Mode has started. Verifying Remote ID failed: The c[...]

  • Page 784

    ZyWALL 5/35/70 Series User’s Guide Appendix S Log Descriptions 784 Remote IP <Remote IP> / <Remote IP> conflicts The security gateway is set to “0.0.0.0” and the router used the peer’s “Local Address” as the router’s “Remote Address”. This information conflicted with static rule #d; thus the connection is not allowed[...]

  • Page 785

    ZyWALL 5/35/70 Series User’s Guide 785 Appendix S Log Descriptions Rule [%d] Phase 2 authentication algorithm mismatch The listed rule’s IKE phase 2 authentication algorithm did not match between the router and the peer. Rule [%d] Phase 2 encapsulation mismatch The listed rule’s IKE phase 2 encapsulation did not match between the router and[...]

  • Page 786

    ZyWALL 5/35/70 Series User’s Guide Appendix S Log Descriptions 786 Table 290 PKI Logs LOG MESSAGE DESCRIPTION Enrollment successful The SCEP online certificate enrollment was successful. The Destination field records the certification authority server IP address and port. Enrollment failed The SCEP online certificate enrollment failed. The [...]

  • Page 787

    ZyWALL 5/35/70 Series User’s Guide 787 Appendix S Log Descriptions Table 291 Certificate Path Verification Failure Reason Codes CODE DESCRIPTION 1 Algorithm mismatch between the certificate and the search constraints. 2 Key usage mismatch between the certificate and the search constraints. 3 Certificate was not valid in the time interval. 4 ([...]

  • Page 788

    ZyWALL 5/35/70 Series User’s Guide Appendix S Log Descriptions 788 Local User Database does not find user`s credential. A user was not authenticated by the local user database because the user is not listed in the local user database. RADIUS accepts user. A user was authenticated by the RADIUS Server. RADIUS rejects user. Pls check RADIUS Serve[...]

  • Page 789

    ZyWALL 5/35/70 Series User’s Guide 789 Appendix S Log Descriptions (L to L/ZW) LAN to LAN/ZyWALL ACL set for packets traveling from the LAN to the LAN or the ZyWALL. (W to W/ZW) WAN to WAN/ZyWALL ACL set for packets traveling from the WAN to the WAN or the ZyWALL. (D to D/ZW) DMZ to DMZ/ZyWALL ACL set for packets traveling from t[...]

  • Page 790

    ZyWALL 5/35/70 Series User’s Guide Appendix S Log Descriptions 790 11 Time Exceeded 0 Time to live exceeded in transit 1 Fragment reassembly time exceeded 12 Parameter Problem 0 Pointer indicates the error 13 Timestamp 0 Timestamp request message 14 Timestamp Reply 0 Timestamp reply message 15 Information Request 0 Information request messa[...]

  • Page 791

    ZyWALL 5/35/70 Series User’s Guide 791 Appendix S Log Descriptions Signature update OK - New signature version: <Signature version> Release Date: <Release date>! The device updated the signature file successfully. The signature file’s version and release date are included. The turbo card is not ready, please insert the card an[...]

  • Page 792

    ZyWALL 5/35/70 Series User’s Guide Appendix S Log Descriptions 792 The turbo card is not ready, please insert the card and reboot! The turbo card is not installed. The system is doing signature update now, please wait! The device is updating the signature file. Table 297 AS Logs LOG MESSAGE DESCRIPTION Mail is in the Black List - Mail From:%[...]

  • Page 793

    ZyWALL 5/35/70 Series User’s Guide 793 Appendix S Log Descriptions Remove rating server [%Rating Server IP Address%] from server list! The listed server IP address has been removed from the list of anti-spam external database servers. "This is a phishing mail - Spam Score:%d Mail From:%EMAIL_ADDRESS% Subject:%MAIL_SUBJECT%!" The spam s[...]

  • Page 794

    ZyWALL 5/35/70 Series User’s Guide Appendix S Log Descriptions 794 Syslog Logs There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session" is terminated. A tra[...]

  • Page 795

    ZyWALL 5/35/70 Series User’s Guide 795 Appendix S Log Descriptions The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type. Event Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>"[...]

  • Page 796

    ZyWALL 5/35/70 Series User’s Guide Appendix S Log Descriptions 796 Log Commands Go to the command interpreter interface. Appendix M on page 754 explains how to access and use the commands. Configuring What You Want the ZyWALL to Log 1 Use the sys logs load command to load the log setting buffer that allows you to configure which logs the ZyW[...]

  • Page 797

    ZyWALL 5/35/70 Series User’s Guide 797 Appendix S Log Descriptions • Use the sys logs clear command to erase all of the ZyWALL’s logs. Log Command Example This example shows how to set the ZyWALL to record the access logs and alerts and then view the results. ras> sys logs load ras> sys logs category access 3 ras> sys logs save r[...]

  • Page 798

    ZyWALL 5/35/70 Series User’s Guide Index 798 Index Numerics 10/100 Mbps Ethernet WAN 55 110V AC 5 230V AC 5 A Abnormal Working Conditions 6 AC 5 Access control 247 Access Point 545 Accessories 5 Action for Matched Packets 225 Action for No Spam Score 273 Action for Spam Mails 271 Active 519, 521, 552 Acts of God 6 Address Assignment 142,[...]

  • Page 799

    ZyWALL 5/35/70 Series User’s Guide 799 Index C CA 715 Cable Modem 203 Cables, Connecting 5 Call Back Delay 518 Call Control 630 Call History 631, 632 Call Scheduling 59, 648 Max Number of Schedule Sets 648 PPPoE 650 Precedence 648 Call-Triggering Packet 608 CardBus slot 56 Central Network Management 60 certificate 321 Certificate Authority 71[...]

  • Page 800

    ZyWALL 5/35/70 Series User’s Guide Index 800 DNS 452 DNS Server For VPN Host 419 Domain Name 142, 276, 384, 484, 603 DoS Basics 204 Types 205 DoS (Denial of Service) 57 Drop Timeout 518 DSL Modem 62, 553 DTR 159, 517 Dust 5 Dynamic DNS 428 Dynamic DNS Support 60 Dynamic WEP Key Exchange 717 DYNDNS Wildcard 419, 428 E EAP 182, 183, 1[...]

  • Page 801

    ZyWALL 5/35/70 Series User’s Guide 801 Index Firmware File Maintenance 612 Fitness 6 Flow Control 500 Fragmentation Threshold 711 Fragmentation threshold 711 France, Contact Information 7 Fraudsters 268 FTP 384, 428, 432, 447, 614, 638 File Upload 623 GUI-based Clients 615 Restoring Files 618 FTP File Transfer 621 FTP Restrictions 432,[...]

  • Page 802

    ZyWALL 5/35/70 Series User’s Guide Index 802 IP Addressing 694 IP Alias 60, 530 IP Alias Setup 530 IP Classes 694 IP Multicast 60 Internet Group Management Protocol (IGMP) 60 IP Policy Routing 60 IP Pool 114, 164, 176, 528 IP Pool Setup 110 IP Ports 204 IP Routing Policy (IPPR) 396 Benefits 396 Cost Savings 396 Criteria 396 Load Sharing 39[...]

  • Page 803

    ZyWALL 5/35/70 Series User’s Guide 803 Index MIME 273 MIME Header 276 MIME Headers 270 MIME Value 276 Modifications 3 MSDU 545 Multicast 112, 114, 176, 523, 529, 557 Multimedia 235, 469 Multipurpose Internet Mail Extensions 270 Mutation virus 258 My IP Addr 555 My Login 519, 552 My Login Name 533 My Password 519, 533, 552 My Server [...]

  • Page 804

    ZyWALL 5/35/70 Series User’s Guide Index 804 Levels 248 Policy-based Routing 396 Polymorphic virus 258 Pool 5 POP2 269 POP3 204, 269, 271, 273, 384 Port Forwarding 61 Port Restricted Cone NAT 377 port scans 240 Post Office Protocol 269 Postage Prepaid. 6 Power Cord 5 PPP 520 PPPoE 59, 84, 86, 702 PPPoE Encapsulation 532, 535, 551, 553[...]

  • Page 805

    ZyWALL 5/35/70 Series User’s Guide 805 Index Return Material Authorization (RMA) Number 6 Returned Products 6 Returns 6 RFC 1889 467 RFC 3489 469 Rights 2 Rights, Legal 6 RIP 111, 112, 523, 529, 530, 557 Direction 530 Version 530, 557 Risk 5 Risks 5 RMA 6 RoadRunner Support 61 Roaming 719 Example 720 Requirements 721 Root bridge 123 [...]

  • Page 806

    ZyWALL 5/35/70 Series User’s Guide Index 806 SSH 57, 441 SSH Implementation 442 startup 728 Stateful Inspection 57, 202, 203, 208, 209 Process 209 ZyWALL 210 Static Route 392 Storage Space 274 STP (Spanning Tree Protocol) 56 STP Port States 124 STP See Spanning Tree Protocol 122 STP Terminology 123 SUA (Single User Account) 378, 5[...]

  • Page 807

    ZyWALL 5/35/70 Series User’s Guide 807 Index Unsolicited Commercial E-mail 266 Upload Firmware 621 UPnP 58, 456 UPnP Examples 459 UPnP Port Mapping 458 Upper Layer Protocols 210, 211 Use Server Detected IP 513 User Authentication 187, 718 User Name 510 User Profiles 370 V Value 6 Vendor 5 Ventilation Slots 5 Viewing Certifications 3 Vir[...]