Chapter 35 Object Table 299 Configuration > Object > Certificate > Trusted Certificates > Edit (continued) LABEL DESCRIPTION Signature Algorithm This field displays the type of algorithm that was used to sign the certificate. Some certification authorities use rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Other certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm).
Chapter 35 Object Figure 474 Configuration > Object > Certificate > Trusted Certificates > Import The following table describes the labels in this screen. Table 300 Configuration > Object > Certificate > Trusted Certificates > Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it. You cannot import a certificate with the same name as a certificate that is already in the Zyxel Device.
Chapter 35 Object Figure 475 Configuration > Object > ISP Account The following table describes the labels in this screen. See the ISP Account Add/Edit section below for more information as well. Table 301 Configuration > Object > ISP Account LABEL DESCRIPTION Add Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove.
Chapter 35 Object Figure 476 Configuration > Object > ISP Account > Edit The following table describes the labels in this screen. Table 302 Configuration > Object > ISP Account > Edit LABEL DESCRIPTION Profile Name This field is read-only if you are editing an existing account. Type in the profile name of the ISP account. The profile name is used to refer to the ISP account. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number.
Chapter 35 Object Table 302 Configuration > Object > ISP Account > Edit (continued) LABEL DESCRIPTION Password Type the password associated with the user name above. The password can only consist of alphanumeric characters (A-Z, a-z, 0-9). This field can be blank. Retype to Confirm Type your password again to make sure that you have entered it correctly. IP Address/FQDN Enter the IP address or Fully-Qualified Domain Name (FQDN) of the PPTP or L2TP server.
Chapter 35 Object The following table describes the labels in this screen. Table 303 Configuration > Object > DHCPv6 > Request LABEL DESCRIPTION Configuration Add Click this to create a new entry. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
Chapter 35 Object 35.13.2 The DHCPv6 Lease Screen The Lease screen allows you to add, edit, and remove DHCPv6 lease type objects. To access this screen, login to the Web Configurator, and click Configuration > Object > DHCPv6 > Lease. Figure 479 Configuration > Object > DHCPv6 > Lease The following table describes the labels in this screen. Table 305 Configuration > Object > DHCPv6 > Lease LABEL DESCRIPTION Configuration Add Click this to create a new entry.
Chapter 35 Object The following table describes the labels in this screen. Table 306 Configuration > DHCPv6 > Lease > Add/Edit LABEL DESCRIPTION Name Type the name for this lease object. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Lease Type Select the lease type for this lease object. You can choose from Prefix Delegation, DNS Server, Address, Address Pool, NTP Server, or SIP Server.
Chapter 36 Device HA 36.1 Device HA Overview Device HA lets a backup (or passive) Zyxel Device (B) automatically take over if the master (or active) Zyxel Device (A) fails. Figure 481 Device HA Backup Taking Over for the Master 36.1.1 What You Can Do in These Screens • Use the Device HA Status screen (Section 36.2 on page 717) to see the license status for Device HA Pro, and see the status of the active and passive devices. • Use the Device HA Pro screen (Section 36.
Chapter 36 Device HA Figure 482 Configuration > Device HA > Device HA Status The following table describes the labels in this screen. Table 307 Configuration > Device HA > Device HA Status LABEL DESCRIPTION Active Device Status This section displays information on the active Zyxel Device with an activated Device HA Pro license. Health Status This displays Off or On depending on whether Device HA Pro is disabled or enabled on the active Zyxel Device.
Chapter 36 Device HA Table 307 Configuration > Device HA > Device HA Status (continued) LABEL DESCRIPTION Service Status This field displays whether a service license is enabled at myZyxel (Activated) or not (Not Activated) or expired (Expired). It displays the remaining Grace Period if your license has Expired. It displays Not Licensed if there isn’t a license to be activated for this service. If you need a license or a trial license has expired, click Buy to buy a new one.
Chapter 36 Device HA After failover, the initial active Zyxel Device becomes the passive Zyxel Device after it recovers. 36.3.1 Deploying Device HA Pro 1 Register either the active or passive Zyxel Device with a Device HA Pro license at myZyxel. Check that it’s properly licensed in Licensing > Registration > Service in the active Zyxel Device. 2 Make sure the passive Zyxel Device is offline, then enable Device HA in Device HA > General in the passive Zyxel Device.
Chapter 36 Device HA Figure 484 Configuration > Device HA > Device HA Pro The following table describes the labels in this screen. Table 308 Configuration > Device HA > Device HA Pro LABEL DESCRIPTION Enable Device HA Select this to turn the Zyxel Device’s Device HA Pro feature on. Enable Configuration Provisioning From Active Device.
Chapter 36 Device HA Table 308 Configuration > Device HA > Device HA Pro (continued) LABEL DESCRIPTION Password Type a synchronization password of between 1 and 32 single-byte printable characters. You will be prompted for the password before synchronization takes place. Retype to Confirm Type the exact same synchronization password as typed above. Heartbeat Interval Type the number of seconds (1-10) allowed for absence of a heartbeat signal before a failure of the active Zyxel Device is recorded.
Chapter 36 Device HA Figure 485 Configuration > Device HA > View Log The following table describes the labels in this screen. Table 309 Configuration > Device HA > View Log LABEL DESCRIPTION Logs Active Device This displays Device HA Pro logs on the active Zyxel Device. Passive Device This displays Device HA Pro logs on the passive Zyxel Device. Refresh Click Refresh to update information in this screen.
Chapter 37 Cloud CNM 37.1 Cloud CNM Overview You need licenses to use Cloud CNM SecuManager and Cloud CNM SecuReporter. You need the SecuManager license to get a CNM ID with which you can access the SecuManager server. It is independent from the Zyxel Devices. The SecuReporter license must be activated on each Zyxel Device. 37.1.1 What You Can Do in this Chapter • Use the Cloud CNM > SecuManager screen (Section 37.
Chapter 37 Cloud CNM Figure 486 Cloud CNM SecuManager Example Network Topology Cloud CNM SecuManager features include: • Batch import of managed devices at one time using one CSV file • See an overview of all managed devices and system information in one place • Monitor and manage devices • Install firmware to multiple devices of the same model at one time • Backup and restore device configuration • View the location of managed devices on a map • Receive notification for events and alarms, such as when a
Chapter 37 Cloud CNM Figure 487 Configuration > Cloud CNM > SecuManager The following table describes the labels in this screen. Table 310 Configuration > Cloud CNM > SecuManager LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields. Enable Select this to allow management of the Zyxel Device by Cloud CNM SecuManager.
Chapter 37 Cloud CNM Table 310 Configuration > Cloud CNM > SecuManager (continued) LABEL DESCRIPTION Interval Type how often the Zyxel Device should inform the Cloud CNM SecuManager server of its presence. HTTPS Authentication Select the check box if you have an HTTPS server certificate. Server Certificate Select a certificate the HTTPS server (the Zyxel Device) uses to authenticate itself to the HTTPS client. Apply Click Apply to save your changes back to the Zyxel Device.
Chapter 37 Cloud CNM Figure 488 Cloud CNM SecuReporter Application Scenario How to activate and enable SecuReporter 1 Does Service Status display Activated in the Configuration > Cloud CNM > SecuReporter screen? If not, you have to log in to myZyxel.com and activate the SecuReporter license for this Zyxel Device. The Zyxel Device must be able to communicate with the myZyxel server.
Chapter 37 Cloud CNM Figure 489 Configuration > Licensing > Registration > Service 2 After the SecuReporter license is activated, go back to the Configuration > Cloud CNM > SecuReporter screen, and select the categories of logs that you want this Zyxel Device to send to the SecuReporter portal. 3 Select Enable SecuReporter. Do not go to the SecuReporter portal until after you have enabled SecuReporter on this Zyxel Device and applied the settings.
Chapter 37 Cloud CNM • Server Status: This is the connection status between the Zyxel Device and the SecuReporter server. This field shows Connected when the Zyxel Device can synchronize with the SecuReporter server. This field shows Timeout when the Zyxel Device can’t synchronize with the SecuReporter server. This field shows Fail when the connection between the Zyxel Device and the SecuReporter server is down. • Device Name: Enter the name of the Zyxel Device.
Chapter 37 Cloud CNM Figure 492 Configuration > Cloud CNM > SecuReporter The following table describes the labels in this screen. Table 311 Configuration > Cloud CNM > SecuReporter LABEL DESCRIPTION Enable SecuReporter Security-related logs are sent to the SecuReporter portal. Click the General Data Protection Regulation (GDPR) privacy link below to see the Zyxel privacy policy. This must be selected to have SecuReporter collect and analyze logs from this Zyxel Device.
Chapter 38 System 38.1 Overview Use the system screens to configure general Zyxel Device settings. 38.1.1 What You Can Do in this Chapter • Use the System > Host Name screen (see Section 38.2 on page 733) to configure a unique name for the Zyxel Device in your network. • Use the System > USB Storage screen (see Section 38.3 on page 733) to configure the settings for the connected USB devices. • Use the System > Date/Time screen (see Section 38.
Chapter 38 System • Use the System > IPv6 screen (see Section 38.16 on page 787) to enable or disable IPv6 support on the Zyxel Device. • Use the System > ZON screen (see Section 38.17 on page 787) to enable or disable the Zyxel One Network (ZON) utility that uses Zyxel Discovery Protocol (ZDP) for discovering and configuring ZDP-aware Zyxel devices in the same network as the computer on which ZON is installed. Note: See each section for related background information and term definitions. 38.
Chapter 38 System Click Configuration > System > USB Storage to open the screen as shown next. Figure 494 Configuration > System > USB Storage The following table describes the labels in this screen. Table 313 Configuration > System > USB Storage LABEL DESCRIPTION Activate USB storage service Select this if you want to use the connected USB device(s).
Chapter 38 System Figure 495 Configuration > System > Date and Time The following table describes the labels in this screen. Table 314 Configuration > System > Date and Time LABEL DESCRIPTION Current Time and Date Current Time This field displays the present time of your Zyxel Device. Current Date This field displays the present date of your Zyxel Device. Time and Date Setup Manual Select this radio button to enter the time and date manually.
Chapter 38 System Table 314 Configuration > System > Date and Time (continued) LABEL DESCRIPTION New Date (yyyy-mm-dd) This field displays the last updated date from the time server or the last date configured manually. When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply. Get from Time Server Select this radio button to have the Zyxel Device get the time and date from the time server you specify below.
Chapter 38 System Table 314 Configuration > System > Date and Time (continued) LABEL DESCRIPTION Offset Specify how much the clock changes when daylight saving begins and ends. Enter a number from 1 to 5.5 (by 0.5 increments). For example, if you set this field to 3.5, a log that occurred at 6 P.M. in local official time will appear as if it had occurred at 10:30 P.M. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings. 38.4.
Chapter 38 System 3 Enter the Zyxel Device’s time in the New Time field. 4 Enter the Zyxel Device’s date in the New Date field. 5 Under Time Zone Setup, select your Time Zone from the list. 6 As an option you can select the Enable Daylight Saving check box to adjust the Zyxel Device clock for daylight savings. 7 Click Apply. To get the Zyxel Device date and time from a time server 1 Click System > Date/Time. 2 Select Get from Time Server under Time and Date Setup.
Chapter 38 System The following table describes the labels in this screen. Table 316 Configuration > System > Console Speed LABEL DESCRIPTION Console Port Speed Use the drop-down list box to change the speed of the console port. Your Zyxel Device supports 9600, 19200, 38400, 57600, and 115200 bps (default) for the console port. The Console Port Speed applies to a console port connection using terminal emulation software and NOT the Console in the Zyxel Device Web Configurator Status screen.
Chapter 38 System In a DNS amplification attack, an attacker sends a DNS name lookup request to an open DNS server with the source address spoofed as the victim’s address. When the DNS server sends the DNS record response, it is sent to the victim. Attackers can request as much information as possible to maximize the amplification effect.
Chapter 38 System The following table describes the labels in this screen. Table 317 Configuration > System > DNS LABEL DESCRIPTION Address/PTR Record This record specifies the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain.
Chapter 38 System Table 317 Configuration > System > DNS (continued) LABEL DESCRIPTION Domain Zone A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. A “*” means all domain zones. Type This displays whether the DNS server IP address is assigned by the ISP dynamically through a specified interface or configured manually (User-Defined). DNS Server This is the IP address of a DNS server.
Chapter 38 System Table 317 Configuration > System > DNS (continued) LABEL DESCRIPTION # This is the index number of the service control rule. The ordering of your rules is important as rules are applied in sequence. The entry with a hyphen (-) instead of a number is the Zyxel Device’s (non-configurable) default policy. The Zyxel Device applies this to traffic that does not match any other configured rule. It is not an editable rule.
Chapter 38 System The following table describes the labels in this screen. Table 318 Configuration > System > DNS > (IPv6) Address/PTR Record Edit LABEL DESCRIPTION FQDN Type a Fully-Qualified Domain Name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top-level domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain.
Chapter 38 System The following table describes the labels in this screen. Table 319 Configuration > System > DNS > CNAME Record > Add LABEL DESCRIPTION Alias name Enter an Alias Name. Use "*." as a prefix in the Alias name for a wildcard domain name (for example, *.example.com). FQDN Type a Fully-Qualified Domain Name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top-level domain name. For example, www.zyxel.com.
Chapter 38 System The following table describes the labels in this screen. Table 320 Configuration > System > DNS > Domain Zone Forwarder Add LABEL DESCRIPTION Domain Zone A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. For example, whenever the Zyxel Device needs to resolve a zyxel.com.tw domain name, it can send a query to the recorded name server IP address.
Chapter 38 System The following table describes the labels in this screen. Table 321 Configuration > System > DNS > MX Record Add LABEL DESCRIPTION Domain Name Enter the domain name where the mail is destined for. IP Address/FQDN Enter the IP address or Fully-Qualified Domain Name (FQDN) of a mail server that handles the mail for the domain specified in the field above. OK Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving. 38.6.
Chapter 38 System The following table describes the labels in this screen. Table 322 Configuration > System > DNS > Security Option Control Edit (Customize) LABEL DESCRIPTION Name You may change the name for the customized security option control policy. The customized security option control policy is checked first and if an address object match is not found, the Default control policy is checked.
Chapter 38 System Table 323 Configuration > System > DNS > Service Control Rule Add (continued) LABEL DESCRIPTION Action Select Accept to have the Zyxel Device allow the DNS queries from the specified computer. Select Deny to have the Zyxel Device reject the DNS queries from the specified computer. OK Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving. 38.
Chapter 38 System HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol that encrypts and decrypts web pages. Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot read the transferred data), authentication (one party can identify the other party) and data integrity (you know if data has been changed). It relies upon certificates, public keys, and private keys.
Chapter 38 System Figure 506 Configuration > System > WWW > Service Control The following table describes the labels in this screen. Table 324 Configuration > System > WWW > Service Control LABEL DESCRIPTION HTTPS Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the Zyxel Device Web Configurator using secure HTTPS connections.
Chapter 38 System Table 324 Configuration > System > WWW > Service Control (continued) LABEL DESCRIPTION Server Port The HTTPS server listens on port 443 by default. If you change the HTTPS server port to a different number on the Zyxel Device, for example 8443, then you must notify people who need to access the Zyxel Device Web Configurator to use “https://Zyxel Device IP Address:8443” as the URL.
Chapter 38 System Table 324 Configuration > System > WWW > Service Control (continued) LABEL DESCRIPTION Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
Chapter 38 System Figure 507 Configuration > System > Service Control Rule > Edit The following table describes the labels in this screen. Table 325 Configuration > System > Service Control Rule > Edit LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen. Address Object Select ALL to allow or deny any computer to communicate with the Zyxel Device using this service.
Chapter 38 System Figure 508 Configuration > System > WWW > Login Page (Desktop View) ZyWALL ATP Series User’s Guide 755
Chapter 38 System Figure 509 Configuration > System > WWW > Login Page (Mobile View) The following figures identify the parts you can customize in the login and access pages.
Chapter 38 System Figure 510 Login Page Customization Logo Title Message (color of all text) Background Note Message (last line of text) Figure 511 Access Page Customization Logo Title Message (color of all text) Note Message (last line of text) Window Background You can specify colors in one of the following ways: • Click Color to display a screen of web-safe colors from which to choose. • Enter the name of the desired color.
Chapter 38 System • Enter a pound sign (#) followed by the six-digit hexadecimal number that represents the desired color. For example, use “#000000” for black. • Enter “rgb” followed by red, green, and blue values in parentheses and separated by commas. For example, use “rgb(0,0,0)” for black. Your desired color should display in the preview screen on the right after you click in another field, click Apply, or press [ENTER]. If your desired color does not display, your browser may not support it.
Chapter 38 System Table 326 Configuration > System > WWW > Login Page (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings. 38.7.
Chapter 38 System Figure 513 Security Certificate 1 (Firefox) Figure 514 Security Certificate 2 (Firefox) 38.7.7.3 Avoiding Browser Warning Messages Here are the main reasons your browser displays warnings about the Zyxel Device’s HTTPS server certificate and what you can do to avoid seeing the warnings: • The issuing certificate authority of the Zyxel Device’s HTTPS server certificate is not one of the browser’s trusted certificate authorities.
Chapter 38 System Figure 515 Login Screen (Internet Explorer) 38.7.7.5 Enrolling and Importing SSL Client Certificates The SSL client needs a certificate if Authenticate Client Certificates is selected on the Zyxel Device. You must have imported at least one trusted CA to the Zyxel Device in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details).
Chapter 38 System Figure 517 CA Certificate Example 2 Click Install Certificate and follow the wizard as shown earlier in this appendix. 38.7.7.5.2 Installing Your Personal Certificate(s) You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next. 1 Click Next to begin the wizard.
Chapter 38 System Figure 518 Personal Certificate Import Wizard 1 2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 519 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA.
Chapter 38 System Figure 520 Personal Certificate Import Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Figure 521 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process.
Chapter 38 System Figure 522 Personal Certificate Import Wizard 5 6 You should see the following screen when the certificate is correctly installed on your computer. Figure 523 Personal Certificate Import Wizard 6 38.7.7.6 Using a Certificate When Accessing the Zyxel Device Example Use the following procedure to access the Zyxel Device via HTTPS. 1 Enter ‘https://Zyxel Device IP Address/’ in your browser’s web address field.
Chapter 38 System Figure 525 SSL Client Authentication 3 You next see the Web Configurator login screen. Figure 526 Secure Web Configurator Login Screen 38.8 SSH You can use SSH (Secure SHell) to securely access the Zyxel Device’s command line interface. Specify which zones allow SSH access and from which IP address the access can come.
Chapter 38 System Figure 527 SSH Communication Over the WAN Example 38.8.1 How SSH Works The following figure is an example of how a secure connection is established between two remote hosts using SSH v1. Figure 528 How SSH v1 Works Example 1 Host Identification The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server.
Chapter 38 System 3 Authentication and Data Transmission After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server. The client then sends its authentication information (user name and password) to the server to log in to the server. 38.8.2 SSH Implementation on the Zyxel Device Your Zyxel Device supports SSH versions 1 and 2 using RSA authentication and four encryption methods (AES, 3DES, Arcfour, and Blowfish).
Chapter 38 System Table 327 Configuration > System > SSH (continued) LABEL DESCRIPTION Server Certificate Select the certificate whose corresponding private key is to be used to identify the Zyxel Device for SSH connections. You must have certificates already configured in the My Certificates screen. Service Control This specifies from which computers you can access which Zyxel Device zones. Add Click this to create a new entry.
Chapter 38 System Table 328 Configuration > System > SSH > Service Control Rule Add/Edit (continued) LABEL DESCRIPTION Action Select Accept to allow the user to access the Zyxel Device from the specified computers. Select Deny to block the user’s access to the Zyxel Device from the specified computers. OK Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving. 38.8.
Chapter 38 System Figure 532 SSH Example 2: Test

$ telnet 192.168.1.1 22
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
SSH-1.5-1.0.0

2 Enter “ssh -1 192.168.1.1”. This command forces your computer to connect to the Zyxel Device using SSH version 1. If this is the first time you are connecting to the Zyxel Device using SSH, a message displays prompting you to save the host information of the Zyxel Device. Type “yes” and press [ENTER].
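The banner returned in the test above tells an administrator which SSH protocol versions a server accepts. The following is an added example, not part of the Zyxel guide: it parses the SSH identification string and reports hosts that still accept SSH version 1. The function names and all sample banners except `SSH-1.5-1.0.0` are constructed for illustration; the `1.99` compatibility value is defined in RFC 4253.

```python
import re
import socket

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments"
BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$")

# Constructed sample data; only 192.168.1.1 / SSH-1.5-1.0.0 appears in the guide.
SAMPLE_BANNERS = {
    "192.168.1.1": b"SSH-1.5-1.0.0\n",
    "192.0.2.10": b"SSH-1.99-OpenSSH_3.9p1\r\n",
    "192.0.2.11": b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n",
    "192.0.2.12": b"220 FTP server ready\r\n",
}


def fetch_banner(host, port=22, timeout=5.0):
    """Read the first bytes a server sends, like the telnet test in the guide."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(512)


def parse_banner(raw):
    """Return (protoversion, softwareversion, comments), or None.

    A server may send other text lines before its identification string,
    so scan for the first line that starts with "SSH-".
    """
    for line in raw.split(b"\n"):
        text = line.rstrip(b"\r").decode("ascii", errors="replace")
        if text.startswith("SSH-"):
            match = BANNER_RE.match(text)
            if match is None:
                return None
            return match.group(1), match.group(2), match.group(3) or ""
    return None


def classify(raw):
    """Map a raw banner to the protocol versions the server accepts."""
    parsed = parse_banner(raw)
    if parsed is None:
        return "no-ssh-banner"
    proto = parsed[0]
    if proto == "2.0":
        return "v2-only"
    if proto == "1.99":
        # RFC 4253 section 5.1: a v2 server with v1 compatibility enabled.
        return "v1-and-v2"
    if proto.split(".")[0] == "1":
        return "v1-only"
    return "unknown"


def audit(banners):
    """Return sorted (host, classification) pairs for hosts accepting SSH v1."""
    findings = []
    for host, raw in banners.items():
        verdict = classify(raw)
        if verdict in ("v1-only", "v1-and-v2"):
            findings.append((host, verdict))
    return sorted(findings)


if __name__ == "__main__":
    # Runs offline over the constructed samples; swap in fetch_banner(host)
    # for hosts you administer.
    for host, verdict in audit(SAMPLE_BANNERS):
        print(f"{host}: accepts SSH version 1 ({verdict})")
```
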
Chapter 38 System Figure 534 Configuration > System > TELNET The following table describes the labels in this screen. Table 329 Configuration > System > TELNET LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the Zyxel Device CLI using this service.
Chapter 38 System 38.9.2 Service Control Rules Click the Add or Edit icon in the Service Control table to add a service control rule. Figure 535 Configuration > System > TELNET > Service Control Rule Add/Edit The following table describes the labels in this screen. Table 330 Configuration > System > TELNET > Service Control Rule Add/Edit LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen.
Chapter 38 System Figure 536 Configuration > System > FTP The following table describes the labels in this screen. Table 331 Configuration > System > FTP LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the Zyxel Device using this service. TLS required Select the check box to use FTP over TLS (Transport Layer Security) to encrypt communication.
Chapter 38 System Table 331 Configuration > System > FTP (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings. 38.10.2 Service Control Rules Click the Add or Edit icon in the Service Control table to add a service control rule. Figure 537 Configuration > System > FTP > Service Control Rule Add/Edit The following table describes the labels in this screen.
Chapter 38 System Figure 538 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the Zyxel Device). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions.
Chapter 38 System Security can be further enhanced by encrypting the SNMP messages sent from the managers. Encryption protects the contents of the SNMP messages. When the contents of the SNMP messages are encrypted, only the intended recipients can read them. 38.11.2 Supported MIBs The Zyxel Device supports MIB II that is defined in RFC-1213 and RFC-1215. The Zyxel Device also supports private MIBs (zywall.mib and zyxel-zywall-ZLD-Common.
Chapter 38 System Figure 539 Configuration > System > SNMP The following table describes the labels in this screen. Table 334 Configuration > System > SNMP LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the Zyxel Device using this service.
Chapter 38 System Table 334 Configuration > System > SNMP (continued) LABEL DESCRIPTION SNMPv3 Select the SNMP version for the Zyxel Device. The SNMP version on the Zyxel Device must match the version on the SNMP manager. SNMPv3 (RFCs 3413 to 3415) provides secure access by authenticating and encrypting data packets over the network. The Zyxel Device uses your login password as the SNMPv3 authentication and encryption passphrase.
Chapter 38 System 38.11.5 Add SNMPv3 User Click Add under SNMPv3 in Configuration > System > SNMP to create an SNMPv3 user for authentication with managers using SNMP v3. Use the username and password of the login accounts you specify in this screen to create accounts on the SNMP v3 manager. Figure 540 Configuration > System > SNMP(v3) > Add The following table describes the labels in this screen.
Chapter 38 System Figure 541 Configuration > System > SNMP > Service Control Rule Add/Edit The following table describes the labels in this screen. Table 336 Configuration > System > SNMP > Service Control Rule Add/Edit LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen. Address Object Select ALL to allow or deny any computer to communicate with the Zyxel Device using SNMP.
Chapter 38 System Figure 542 Configuration > System > Auth. Server The following table describes the labels in this screen. Table 337 Configuration > System > Auth. Server LABEL DESCRIPTION Enable Authentication Server Select the check box to have the Zyxel Device act as a RADIUS server. Authentication Server Certificate Select the certificate whose corresponding private key is to be used to identify the Zyxel Device to the RADIUS client.
Chapter 38 System 38.12.1 Add/Edit Trusted RADIUS Client Click Configuration > System > Auth. Server to display the Auth. Server screen. Click the Add icon or an Edit icon to display the following screen. Use this screen to create a new entry or edit an existing one. Figure 543 Configuration > System > Auth. Server > Add/Edit The following table describes the labels in this screen. Table 338 Configuration > System > Auth.
Chapter 38 System Figure 544 Configuration > System > Notification The following table describes the labels in this screen. Table 339 Configuration > System > Notification LABEL DESCRIPTION Mail Server Type the name or IP address of the outgoing SMTP server. Mail Subject Go to Configuration > Log & Report > Email Daily Report to type a subject line for outgoing email from the Zyxel Device. Append system name Select Append system name to add the Zyxel Device’s system name to the subject.
Chapter 38 System 38.14 Notification > SMS The Zyxel Device supports Short Message Service (SMS) to send short text messages to mobile phone devices. At the time of writing, the Zyxel Device uses ViaNett as the SMS gateway to help forward SMS messages. You must already have a ViaNett account in order to use the SMS service. Click Configuration > System > Notification > SMS to open the following screen. Configure the settings according to your SMS service provider’s format.
Chapter 38 System Table 340 Configuration > System > Notification > SMS (continued) LABEL DESCRIPTION Provider Domain Enter the domain name of your SMS service provider. The domain name can be of up to 252 characters. Select auto append to "Mail to" to add the domain name of your SMS service provider after the mobile phone number in the Mail To field. Mail Subject Type the subject line of up to 128 characters for outgoing e-mail from the Zyxel Device.
Chapter 38 System The following table describes the labels in this screen. Table 341 Configuration > System > Language LABEL DESCRIPTION Language Setting Select a display language for the Zyxel Device’s Web Configurator screens. You also need to open a new browser session to display the screens in the new language. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings. 38.
Chapter 38 System then displayed in the ZON Utility screen and you can perform tasks like basic configuration of the devices and batch firmware upgrade in it. You can download the ZON Utility at www.zyxel.com and install it on a computer. 38.17.1 Requirements Before installing the ZON Utility on your computer, please make sure it meets the requirements listed below.
Chapter 38 System Figure 548 Supported Devices and Versions If you want to check the supported models and firmware versions later, you can click the Show information about ZON icon in the upper right hand corner of the screen. Then select the Supported model and firmware version link. If your device is not listed here, see the device release notes for ZON utility support. The release notes are in the firmware zip file on the Zyxel web site.
Chapter 38 System Figure 550 Network Adapter 4 Click the Go button for the ZON Utility to discover all supported devices in your network. Figure 551 Discovery 5 The ZON Utility screen shows the devices discovered. Figure 552 ZON Utility Screen 6 Select a device and then use the icons to perform actions. Some functions may not be available for your devices. The following table describes the icons numbered from left to right in the ZON Utility screen.
Chapter 38 System Table 343 ZON Utility Icons ICON DESCRIPTION 3 Reboot Device Use this icon to restart the selected device(s). This may be useful when troubleshooting or upgrading new firmware. 4 Reset Configuration to Default If you forget your password or cannot access the Web Configurator, you can use this icon to reload the factory-default configuration file. This means that you will lose all configurations that you had previously.
Chapter 38 System Table 344 ZON Utility Fields LABEL DESCRIPTION Serial Number Enter the admin password of the discovered device to display its serial number. Hardware Version This field displays the hardware version of the discovered device. 38.17.3 Zyxel One Network (ZON) System Screen Enable ZDP (ZON) and Smart Connect (Ethernet Neighbor) in the System > ZON screen.
Chapter 39 Log and Report 39.1 Overview Use these screens to configure daily reporting and log settings. 39.1.1 What You Can Do In this Chapter • Use the Email Daily Report screen (Section 39.2 on page 793) to configure where and how to send daily reports and what reports to send. • Use the Log Setting screens (Section 39.3 on page 795) to specify settings for recording log messages and alerts, e-mailing them, storing them on a connected USB storage device, and sending them to remote syslog servers.
Chapter 39 Log and Report Figure 554 Configuration > Log & Report > Email Daily Report The following table describes the labels in this screen. Table 346 Configuration > Log & Report > Email Daily Report LABEL DESCRIPTION Enable Email Daily Report Select this to send reports by email every day. Mail Subject Type the subject line for outgoing email from the Zyxel Device.
Chapter 39 Log and Report Table 346 Configuration > Log & Report > Email Daily Report (continued) LABEL DESCRIPTION Mail To Type the email address (or addresses) to which the outgoing email is delivered. Send Report Now Click this button to have the Zyxel Device send the daily email report immediately. Report Items Select the information to include in the report. Types of information include System Resource Usage, Wireless Report, Interface Traffic Statistics and DHCP Table.
Chapter 39 Log and Report Figure 555 Configuration > Log & Report > Log Setting The following table describes the labels in this screen. Table 347 Configuration > Log & Report > Log Setting LABEL DESCRIPTION Edit Double-click an entry or select it and click Edit to open a screen where you can modify it. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate.
Chapter 39 Log and Report Figure 556 Configuration > Log & Report > Log Setting > Edit (System Log - E-mail Servers) Figure 557 Configuration > Log & Report > Log Setting > Edit (System Log ) ZyWALL ATP Series User’s Guide 797
Chapter 39 Log and Report Figure 558 Configuration > Log & Report > Log Setting > Edit (System Log - AP) The following table describes the labels in this screen. Table 348 Configuration > Log & Report > Log Setting > Edit (System Log) LABEL DESCRIPTION E-Mail Server 1/2 Active Select this to send log messages and alerts according to the information in this section.
Chapter 39 Log and Report Table 348 Configuration > Log & Report > Log Setting > Edit (System Log) (continued) LABEL DESCRIPTION E-mail Server 1 Use the E-Mail Server 1 drop-down list to change the settings for emailing logs to email server 1 for all log categories. Using the System Log drop-down list to disable all logs overrides your email server 1 settings. enable normal logs (green check mark) - email log messages for all categories to email server 1.
Chapter 39 Log and Report 39.3.3 Edit Log on USB Storage Setting The Edit Log on USB Storage Setting screen controls the detailed settings for saving logs to a connected USB storage device. Go to the Log Setting Summary screen (see Section 39.3.1 on page 795), and click the USB storage Edit icon. Figure 559 Configuration > Log & Report > Log Setting > Edit (USB Storage) The following table describes the labels in this screen.
Chapter 39 Log and Report Table 349 Configuration > Log & Report > Log Setting > Edit (USB Storage) (continued) LABEL DESCRIPTION Log Category This field displays each category of messages. The Default category includes debugging messages generated by open source software. Selection Select what information you want to log from each Log Category (except All Logs; see below).
Chapter 39 Log and Report Configuration > Log & Report > Log Setting > Edit (Remote Server - AP) The following table describes the labels in this screen. Table 350 Configuration > Log & Report > Log Setting > Edit (Remote Server) LABEL DESCRIPTION Log Settings for Remote Server Active Select this check box to send log information according to the information in this section. You specify what kinds of messages are included in log information in the Active Log section.
Chapter 39 Log and Report 39.3.5 Log Category Settings Screen The Log Category Settings screen allows you to view and to edit what information is included in the system log, USB storage, email profiles, and remote servers at the same time. It does not let you change other log settings (for example, where and how often log information is emailed or remote server names). To access this screen, go to the Log Settings Summary screen (see Section 39.3.1 on page 795), and click the Log Category Settings button.
Chapter 39 Log and Report The following table describes the fields in this screen. Table 351 Configuration > Log & Report > Log Setting > Log Category Settings LABEL DESCRIPTION System Log Use the System Log drop-down list to change the log settings for all of the log categories. disable all logs (red X) - do not log any information for any category for the system log or email any logs to email server 1 or 2.
Chapter 39 Log and Report Table 351 Configuration > Log & Report > Log Setting > Log Category Settings (continued) LABEL DESCRIPTION USB Storage Select which event log categories to save to a connected USB storage device.
Chapter 40 File Manager 40.1 Overview Configuration files define the Zyxel Device’s settings. Shell scripts are files of commands that you can store on the Zyxel Device and run when you need them. You can apply a configuration file or run a shell script without the Zyxel Device restarting. You can store multiple configuration files and shell script files on the Zyxel Device. You can edit configuration files or shell scripts in a text editor and upload them to the Zyxel Device.
Chapter 40 File Manager These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below.
Figure 563 Configuration File / Shell Script: Example
# enter configuration mode
configure terminal
# change administrator password
username admin password 4321 user-type admin
# configure ge3
interface ge3
ip address 172.23.37.240 255.255.255.0
ip gateway 172.23.37.
Chapter 40 File Manager Line 3 in the following example exits sub command mode.
interface ge1
ip address dhcp
!
Lines 1 and 3 in the following example are comments and line 4 exits sub command mode.
!
interface ge1
# this interface is a DHCP client
!
Lines 1 and 2 are comments. Line 5 exits sub command mode.
Chapter 40 File Manager Configuration File Flow at Restart • If there is not a startup-config.conf when you restart the Zyxel Device (whether through a management interface or by physically turning the power off and back on), the Zyxel Device uses the system-default.conf configuration file with the Zyxel Device’s default settings. • If there is a startup-config.conf, the Zyxel Device checks it for errors and applies it. If there are no errors, the Zyxel Device uses it and copies it to the lastgood.
Chapter 40 File Manager The following table describes the labels in this screen. Table 353 Maintenance > File Manager > Configuration File LABEL DESCRIPTION Rename Use this button to change the label of a configuration file on the Zyxel Device. You can only rename manually saved configuration files. You cannot rename the lastgood.conf, system-default.conf and startup-config.conf files. You cannot rename a configuration file to the name of another configuration file in the Zyxel Device.
Chapter 40 File Manager Table 353 Maintenance > File Manager > Configuration File (continued) LABEL DESCRIPTION Apply Use this button to have the Zyxel Device use a specific configuration file. Click a configuration file’s row to select it and click Apply to have the Zyxel Device use that configuration file. The Zyxel Device does not have to restart in order to use a different configuration file, although you will need to wait for a few minutes while the system reconfigures.
Chapter 40 File Manager Table 353 Maintenance > File Manager > Configuration File (continued) LABEL DESCRIPTION Size This column displays the size (in KB) of a configuration file. Last Modified This column displays the date and time that the individual configuration files were last changed or saved.
Chapter 40 File Manager Note: Go to myZyxel, create an account and register your Zyxel Device first. Then you will be able to see links to and get notifications on new firmware available. At the time of writing, the Firmware Upgrade license providing Cloud Helper new firmware notifications is free when you register your Zyxel Device. The license does not expire if you have firmware version 4.32 patch 1 and later.
Chapter 40 File Manager The following table explains the Upgrade icons in the web configurator. Table 354 Cloud Helper Firmware Icons Cloud Helper New A later firmware is available on the Cloud Helper Server. Click this icon to display a What’s New pop-up screen. You need a Firmware Upgrade license to upgrade the firmware. If you do not have a license, Upgrade Now is grayed out.
Chapter 40 File Manager Table 354 Cloud Helper Firmware Icons Cloud Helper Downloading Cloud firmware is being downloaded from the Cloud Helper Server. If you select another partition or the local firmware upgrade icon, you will see the following warning message. When firmware is downloading, you can pause, resume, stop or retry the firmware download. Local Firmware Use this if you have already downloaded the latest firmware from the Zyxel website to your computer and unzipped it.
Chapter 40 File Manager Figure 568 Maintenance > File Manager > Firmware Management The following table describes the labels in this screen. Table 355 Maintenance > File Manager > Firmware Management LABEL DESCRIPTION Firmware Status Reboot Click the Reboot icon to restart the Zyxel Device. If you applied changes in the Web configurator, these were saved automatically and do not change when you reboot.
Chapter 40 File Manager Table 355 Maintenance > File Manager > Firmware Management (continued) LABEL DESCRIPTION Upgrade A cloud helper icon displays if there is a later firmware on the Cloud Server than the firmware in the partition. Click the cloud helper icon to download a later firmware from the Cloud Helper Server. Use the local firmware icon if you have already downloaded the latest firmware from the Zyxel website to your computer and unzipped it.
Chapter 40 File Manager Figure 571 Firmware Upload Error 40.3.3 Firmware Upgrade via USB Stick In addition to uploading firmware via the web configurator or console port (see the CLI Reference Guide), you can also upload firmware directly from a USB stick connected to the Zyxel Device. 1 Create a folder on the USB stick called ‘/[ProductName_dir]/firmware’. For example, if your Zyxel Device is USG110, then create a ‘/usg110_dir/firmware/’ folder on the stick.
Note: You should include write commands in your scripts. If you do not use the write command, the changes will be lost when the Zyxel Device restarts. You could use multiple write commands in a long script. Figure 572 Maintenance > File Manager > Shell Script Each field is described in the following table. Table 356 Maintenance > File Manager > Shell Script LABEL DESCRIPTION Rename Use this button to change the label of a shell script file on the Zyxel Device.
Chapter 40 File Manager Table 356 Maintenance > File Manager > Shell Script (continued) LABEL DESCRIPTION Copy Use this button to save a duplicate of a shell script file on the Zyxel Device. Click a shell script file’s row to select it and click Copy to open the Copy File screen. Figure 574 Maintenance > File Manager > Shell Script > Copy Specify a name for the duplicate file. Use up to 63 characters (including a-zA-Z0-9;‘~!@#$%^&()_+[]{}’,.=-).
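The comment and sub command mode rules shown in the File Manager examples, together with the note about including write commands, can be checked before a script is uploaded. The following is an added example, not code from the Zyxel guide: it assumes that only interface opens sub command mode and that exit closes it like a lone "!", and the finding names are this example's own.

```python
import re
from typing import NamedTuple

# Assumption: "interface" is the only sub-command opener, because it is the
# only one the page shows. Extend this tuple for other openers you use.
SUBMODE_OPENERS = ("interface",)
CRED_RE = re.compile(r"^username\s+(\S+)\s+password\s+\S+", re.IGNORECASE)

# Constructed sample in the style of the page's Figure 563 and comment examples.
SAMPLE = """\
# enter configuration mode
configure terminal
# change administrator password
username admin password 4321 user-type admin
!
interface ge1
# this interface is a DHCP client
ip address dhcp
!
interface ge3
ip address 172.23.37.240 255.255.255.0
"""


class Line(NamedTuple):
    number: int
    text: str
    kind: str      # "comment", "command", "enter-sub" or "exit-sub"
    in_sub: bool   # sub command mode state before this line ran


class Finding(NamedTuple):
    line: int
    code: str
    message: str


def classify(script: str) -> list[Line]:
    """Label each non-blank line the way the page's examples describe."""
    out, in_sub = [], False
    for number, raw in enumerate(script.splitlines(), 1):
        text = raw.strip()
        if not text:
            continue
        before = in_sub
        # "#" always starts a comment; "!" does too, except a lone "!"
        # inside sub command mode, which exits that mode.
        if text.startswith("#") or (text.startswith("!") and (text != "!" or not in_sub)):
            kind = "comment"
        elif text == "!" or text.lower() == "exit":  # "exit" is an assumption
            kind = "exit-sub" if in_sub else "command"
            in_sub = False
        elif text.split()[0].lower() in SUBMODE_OPENERS:
            kind, in_sub = "enter-sub", True
        else:
            kind = "command"
        out.append(Line(number, text, kind, before))
    return out


def audit(script: str) -> list[Finding]:
    """Report cleartext credentials, unclosed blocks and unsaved changes."""
    findings, open_line, last_change, last_write = [], None, 0, 0
    for ln in classify(script):
        if ln.kind == "comment":
            continue
        if ln.kind == "enter-sub":
            open_line = ln.number
        elif ln.kind == "exit-sub":
            open_line = None
        m = CRED_RE.match(ln.text)
        if m:  # report the account name only, never the password itself
            findings.append(Finding(ln.number, "cleartext-credential",
                                    f"password for user '{m.group(1)}' is stored in cleartext"))
        if ln.text.split()[0].lower() == "write":
            last_write = ln.number
        elif ln.kind in ("command", "enter-sub"):
            last_change = ln.number
    if open_line is not None:
        findings.append(Finding(open_line, "unclosed-sub-mode",
                                "sub command mode opened here is never exited"))
    if last_change > last_write:
        findings.append(Finding(last_change, "no-write-after-changes",
                                "changes after the last write are lost at restart"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f.line}: {f.code}: {f.message}")
```

A script that sets a password, like the page's example, is itself a credential store, so the file needs the same handling as any other secret while it sits in an editor or on the device.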
Chapter 41 Diagnostics 41.1 Overview Use the diagnostics screens for troubleshooting. 41.1.1 What You Can Do in this Chapter • Use the Diagnostics screens (see Section 41.2 on page 821) to generate a file containing the Zyxel Device’s configuration and diagnostic information if you need to provide it to customer support during troubleshooting. • Use the Packet Capture screens (see Section 41.3 on page 825) to capture packets going through the Zyxel Device.
Chapter 41 Diagnostics 41.2.1 The Diagnostics Collect Screen When you click Collect Now, a series of commands are run to display information about the Zyxel Device. This is an example of a default script with interface diagnostic commands.
Chapter 41 Diagnostics Table 357 Maintenance > Diagnostics > Collect (continued) LABEL DESCRIPTION Copy the diagnostic file to USB storage (if ready) Select this to have the Zyxel Device create an extra copy of the diagnostic file to a connected USB storage device. Select Upload the cmd file as the customized script to display the following fields. Shell Scripts Filename This displays the names of the customized shell script you created.
Chapter 41 Diagnostics The following table describes the labels in this screen. Table 358 Maintenance > Diagnostics > Collect on AP LABEL DESCRIPTION AP General Setting Available APs This text box lists the managed APs that are connected and available. Select the managed APs that you want the Zyxel Device to generate a diagnostic file containing their configuration, and click the right arrow button to add them.
Chapter 41 Diagnostics Table 359 Maintenance > Diagnostics > Files (continued) LABEL DESCRIPTION File Name This column displays the label that identifies the file. Size This column displays the size (in bytes) of a file. Last Modified This column displays the date and time that the individual files were saved. 41.3 The Packet Capture Screen Use this screen to capture network traffic going through the Zyxel Device’s interfaces. Studying these packet captures may help you identify network problems.
Chapter 41 Diagnostics Figure 578 Maintenance > Diagnostics > Packet Capture The following table describes the labels in this screen. Table 360 Maintenance > Diagnostics > Packet Capture LABEL DESCRIPTION Interfaces Enabled interfaces (except for virtual interfaces) appear under Available Interfaces. Select interfaces for which to capture packets and click the right arrow button to move them to the Capture Interfaces list. Use the [Shift] and/or [Ctrl] key to select multiple objects.
Chapter 41 Diagnostics Table 360 Maintenance > Diagnostics > Packet Capture (continued) LABEL DESCRIPTION Host IP Select a host IP address object for which to capture packets. Select any to capture packets for all hosts. Select User Defined to be able to enter an IP address. Host Port This field is configurable when you set the IP Type to any, tcp, or udp. Specify the port number of traffic to capture.
Chapter 41 Diagnostics Table 360 Maintenance > Diagnostics > Packet Capture (continued) LABEL DESCRIPTION Save data to ftp server (available: xx MB) Select this to have the Zyxel Device store packet capture entries on the defined FTP site. The available storage size is displayed as well. Server Address Type the IP address of the FTP server. Server Port Type the port this server uses for FTP traffic. The default FTP port is 21. Name Type the login username to access the FTP server.
Figure 579 Maintenance > Diagnostics > Packet Capture > Capture on AP The following table describes the labels in this screen. Table 361 Maintenance > Diagnostics > Packet Capture > Capture on AP LABEL DESCRIPTION Select on AP This lists the managed APs that are connected and available. Select the managed AP that you want the Zyxel Device to capture network traffic going through it.
Chapter 41 Diagnostics Table 361 Maintenance > Diagnostics > Packet Capture > Capture on AP (continued) LABEL DESCRIPTION IP Version Select the version of IP for which to capture packets. Select any to capture packets for all IP versions. Protocol Type Select the protocol of traffic for which to capture packets. Select any to capture packets for all types of traffic. Host IP Select a host IP address object for which to capture packets. Select any to capture packets for all hosts.
Chapter 41 Diagnostics Table 361 Maintenance > Diagnostics > Packet Capture > Capture on AP (continued) LABEL DESCRIPTION Save data to USB storage Select this to have the Zyxel Device store packet capture entries only on a USB storage device connected to the Zyxel Device if the Zyxel Device allows this. Status: Unused - the connected USB storage device was manually unmounted by using the Remove Now button or for some reason the Zyxel Device cannot mount it. none - no USB storage device is connected.
Chapter 41 Diagnostics Figure 580 Maintenance > Diagnostics > Packet Capture > Files The following table describes the labels in this screen. Table 362 Maintenance > Diagnostics > Packet Capture > Files LABEL DESCRIPTION Remove Select files and click Remove to delete them from the Zyxel Device or the connected USB storage device. Use the [Shift] and/or [Ctrl] key to select multiple files. A pop-up window asks you to confirm that you want to delete.
Chapter 41 Diagnostics Figure 581 Maintenance > Diagnostics > CPU / Memory Status The following table describes the labels in this screen. Table 363 Maintenance > Diagnostics > CPU / Memory Status LABEL DESCRIPTION CPU Status This table displays the applications that use the most Zyxel Device CPU processing. CPUn Usage CPU usage shows how much processing power the Zyxel Device is using.
Chapter 41 Diagnostics Table 363 Maintenance > Diagnostics > CPU / Memory Status LABEL DESCRIPTION Memory This field displays the current DRAM memory utilization percentage for each application used on the Zyxel Device. Application This field displays the name of the application consuming the related memory on the Zyxel Device. CPU This field displays the current CPU utilization percentage for each application used on the Zyxel Device. Time This field displays each application’s running time.
Chapter 41 Diagnostics Figure 583 Maintenance > Diagnostics > Remote Assistance - Random Figure 584 Maintenance > Diagnostics > Remote Assistance - Manual The following table describes the labels in this screen. Table 365 Maintenance > Diagnostics > Remote Assistance LABEL DESCRIPTION General Setting Enable Remote Assistance Select this to enable an external person, such as customer support to access the Zyxel Device from a network outside the Zyxel Device local network for troubleshooting.
Chapter 41 Diagnostics Table 365 Maintenance > Diagnostics > Remote Assistance (continued) LABEL DESCRIPTION Password Type a password for the selected user/group to allow external access. SSH Port This field displays the SSH port number for external access. It should be the same port number as the one configured in Configuration > System > SSH. HTTPS Port This field displays the HTTPS port number for external access.
Figure 586 Maintenance > Diagnostics > Network Tool - Test Email Server The following table describes the labels in this screen. Table 366 Maintenance > Diagnostics > Network Tool LABEL DESCRIPTION Network Tool Select a network tool: • Select NSLOOKUP IPv4 or NSLOOKUP IPv6 to perform name server lookup for querying the Domain Name System (DNS) to get the domain name or IP address mapping. • Select PING IPv4 or PING IPv6 to ping the IP address that you entered. Domain Name or IP Address
Chapter 41 Diagnostics Table 366 Maintenance > Diagnostics > Network Tool (continued) LABEL DESCRIPTION TLS Security Select this option if the mail server uses Transport Layer Security (TLS) for encrypted communications between the mail server and the Zyxel Device. STARTTLS Select this option if the mail server uses SSL or TLS for encrypted communications between the mail server and the Zyxel Device.
Chapter 41 Diagnostics Table 367 Maintenance > Diagnostics > Routing Traces (continued) LABEL DESCRIPTION Port Enter the destination port number of traffic that you want to trace. Host Enter the IP address of a specific source or destination host whose traffic you want to trace. Port Enter the port number for particular source traffic on the host that you want to trace. Protocol Select the protocol of traffic that you want to trace. any means any protocol.
Chapter 41 Diagnostics The following table describes the labels in this screen. Table 368 Maintenance > Diagnostics > Wireless Frame Capture > Capture LABEL DESCRIPTION MON Mode APs Configure AP to MON Mode Click this to go to the Configuration > Wireless > AP Management screen, where you can set one or more APs to monitor mode. Available MON Mode APs This column displays which APs on your wireless network are currently configured for monitor mode.
Chapter 41 Diagnostics 41.9.1 The Wireless Frame Capture Files Screen Click Maintenance > Diagnostics > Wireless Frame Capture > Files to open this screen. This screen lists the files of wireless frame captures the Zyxel Device has performed. You can download the files to your computer where you can study them using a packet analyzer (also known as a network or protocol analyzer) such as Wireshark.
Chapter 42 Packet Flow Explore 42.1 Overview Use this to get a clear picture of how the Zyxel Device determines where to forward a packet and how to change the source IP address of the packet according to your current settings. This function provides you with a summary of all your routing and SNAT settings and helps troubleshoot any related problems. 42.1.1 What You Can Do in this Chapter • Use the Routing Status screen (see Section 42.
Chapter 42 Packet Flow Explore Figure 590 Maintenance > Packet Flow Explore > Routing Status (Direct Route) Figure 591 Maintenance > Packet Flow Explore > Routing Status (Dynamic VPN) Figure 592 Maintenance > Packet Flow Explore > Routing Status (Policy Route) Figure 593 Maintenance > Packet Flow Explore > Routing Status (1-1 SNAT)
Chapter 42 Packet Flow Explore Figure 594 Maintenance > Packet Flow Explore > Routing Status (SiteToSite VPN) Figure 595 Maintenance > Packet Flow Explore > Routing Status (Static-Dynamic Route) Figure 596 Maintenance > Packet Flow Explore > Routing Status (Default WAN Trunk) Figure 597 Maintenance > Packet Flow Explore > Routing Status (Main Route)
Chapter 42 Packet Flow Explore The following table describes the labels in this screen. Table 370 Maintenance > Packet Flow Explore > Routing Status LABEL DESCRIPTION Routing Flow This section shows you the flow of how the Zyxel Device determines where to route a packet. Click a function box to display the related settings in the Routing Table section. Routing Table This section shows the corresponding settings according to the function box you click in the Routing Flow section.
Chapter 42 Packet Flow Explore Table 370 Maintenance > Packet Flow Explore > Routing Status (continued) LABEL DESCRIPTION Destination This is the external destination IP address(es). Outgoing This is the outgoing interface that the SNAT rule uses to transmit packets. Gateway This is the IP address of the gateway in the same network of the outgoing interface. The following fields are available if you click Dynamic VPN or SiteToSite VPN in the Routing Flow section.
Chapter 42 Packet Flow Explore Figure 599 Maintenance > Packet Flow Explore > SNAT Status (1-1 SNAT) Figure 600 Maintenance > Packet Flow Explore > SNAT Status (Loopback SNAT) Figure 601 Maintenance > Packet Flow Explore > SNAT Status (Default SNAT) The following table describes the labels in this screen.
Chapter 42 Packet Flow Explore Table 371 Maintenance > Packet Flow Explore > SNAT Status (continued) LABEL DESCRIPTION Outgoing This is the outgoing interface that the route uses to transmit packets. SNAT This is the source IP address(es) that the SNAT rule uses finally. The following fields are available if you click 1-1 SNAT in the SNAT Flow section. # This field is a sequential value, and it is not associated with any entry. NAT Rule This is the name of an activated NAT rule which uses SNAT.
Chapter 43 Shutdown 43.1 Overview Use this to shut down the device in preparation for disconnecting the power. Always use the Maintenance > Shutdown > Shutdown screen or the “shutdown” command before you turn off the Zyxel Device or remove the power. Not doing so can cause the firmware to become corrupt. 43.1.1 What You Need To Know Shutdown writes all cached data to the local storage and stops the system processes. 43.
PART III Appendices and Troubleshooting
Chapter 44 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. • You can also refer to the logs (see Section 6.36 on page 181). • For the order in which the Zyxel Device applies its features and checks, see Chapter 42 on page 842. None of the LEDs turn on. Make sure that you have the power cord connected to the Zyxel Device and plugged in to an appropriate power source. Make sure you have the Zyxel Device turned on. Check all cable connections.
Chapter 44 Troubleshooting I cannot update the anti-malware/IDP/application patrol/botnet filter/IP reputation signatures. • Make sure your Zyxel Device has the anti-malware/IDP/application patrol service registered and that the license is not expired. Purchase a new license if the license is expired. • Make sure your Zyxel Device is connected to the Internet. I cannot update the threat intelligence machine learning (TIML) signatures.
Chapter 44 Troubleshooting The Zyxel Device is not applying the custom security policy I configured. The Zyxel Device checks the security policies in the order that they are listed. So make sure that your custom security policy comes before any other rules that the traffic would also match. I cannot enter the interface name I want. The format of interface names other than the Ethernet interface names is very strict.
Chapter 44 Troubleshooting The actual cellular data rate you obtain varies depending on the cellular device you use, the signal strength to the service provider’s base station, and so on. I created a cellular interface but cannot connect through it. • Make sure you have a compatible mobile broadband device installed or connected. See www.zyxel.com for details. • Make sure you have the cellular interface enabled.
Chapter 44 Troubleshooting The Zyxel Device’s performance slowed down after I configured many new application patrol entries. The Zyxel Device checks the ports and conditions configured in application patrol entries in the order they appear in the list. While this sequence does not affect the functionality, you might improve the performance of the Zyxel Device by putting more commonly used ports at the top of the list.
Chapter 44 Troubleshooting The threat intelligence machine learning (TIML) feature is not working. 1 Make sure you purchase the gold security pack. • Make sure you’ve registered the Zyxel Device and activated the anti-malware service on portal.myZyxel.com. • Go to the Configuration > Security Service > Anti-Malware screen and select the Enable check box to activate the TIML feature. 2 Make sure the gold security pack is not expired. If it is, renew the license.
Chapter 44 Troubleshooting The Zyxel Device’s performance seems slower after configuring ADP. Depending on your network topology and traffic load, applying an anomaly profile to each and every packet direction may affect the Zyxel Device’s performance. Some of the files I download don’t go through Sandboxing even though it is enabled. The Sandboxing feature only applies to certain file types. Check the list in File Submission Options to see if the file types you use are included.

• Make sure you recorded your DDNS account’s user name, password, and domain name and have entered them properly in the Zyxel Device.
• You may need to configure the DDNS entry’s IP Address setting to Auto if the interface has a dynamic IP address or there are one or more NAT routers between the Zyxel Device and the DDNS server.
• The Zyxel Device may not determine the proper IP address if there is an HTTP proxy server between the Zyxel Device and the DDNS server.

I cannot set up an IPSec VPN tunnel to another device.
If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into both Zyxel IPSec routers and check the settings in each field methodically and slowly. Make sure both the Zyxel Device and remote IPSec router have the same security settings for the VPN tunnel. It may help to display the settings for both routers side-by-side. Here are some general suggestions.
• If you have the Zyxel Device and remote IPSec router use certificates to authenticate each other, you must set up the certificates for the Zyxel Device and remote IPSec router first and make sure they trust each other’s certificates. If the Zyxel Device’s certificate is self-signed, import it into the remote IPSec router. If it is signed by a CA, make sure the remote IPSec router trusts that CA.

The Zyxel Device automatically updates address objects based on an interface’s IP address, subnet, or gateway if the interface’s IP address settings change. However, you need to manually edit any address objects for your LAN that are not based on the interface.

I configured application patrol to allow and manage access to a specific service but access is blocked.

The schedule I configured is not being applied at the configured times.
Make sure the Zyxel Device’s current date and time are correct.

I cannot get a certificate to import into the Zyxel Device.
1 For My Certificates, you can import a certificate that matches a corresponding certification request that was generated by the Zyxel Device. You can also import a certificate in PKCS#12 format, including the certificate’s public and private keys.

I uploaded a logo to use as the screen or window background but it does not display properly.
Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less.

The Zyxel Device’s traffic throughput rate decreased after I started collecting traffic statistics.
Data collection may decrease the Zyxel Device’s traffic throughput rate.

I can only see newer logs. Older logs are missing.

generate. If you have existing capture files you may need to set this size larger or delete existing capture files. The Zyxel Device stops the capture and generates the capture file when either the capture files reach the File Size or the time period specified in the Duration field expires.

My earlier packet capture files are missing.
New capture files overwrite existing files of the same name. Change the File Suffix field’s setting to avoid this.

44.2 Getting More Troubleshooting Help
Search for support information for your model at www.zyxel.com for more troubleshooting suggestions.
APPENDIX A Customer Support In the event of problems that cannot be solved by using this manual, you should contact your vendor. If you cannot contact your vendor, then contact a Zyxel office for the region in which you bought the device. See http://www.zyxel.com/homepage.shtml and also http://www.zyxel.com/about_zyxel/zyxel_worldwide.shtml for the latest information. Please have the following information ready when you contact an office. Required Information • Product model and serial number.
Korea • Zyxel Korea Corp. • http://www.zyxel.kr
Malaysia • Zyxel Malaysia Sdn Bhd. • http://www.zyxel.com.my
Pakistan • Zyxel Pakistan (Pvt.) Ltd. • http://www.zyxel.com.pk
Philippines • Zyxel Philippines • http://www.zyxel.com.ph
Singapore • Zyxel Singapore Pte Ltd. • http://www.zyxel.com.sg
Taiwan • Zyxel Communications Corporation • http://www.zyxel.com/tw/zh/
Thailand • Zyxel Thailand Co., Ltd • http://www.zyxel.co.
Belgium • Zyxel Communications B.V. • http://www.zyxel.com/be/nl/ • http://www.zyxel.com/be/fr/
Bulgaria • Zyxel България • http://www.zyxel.com/bg/bg/
Czech Republic • Zyxel Communications Czech s.r.o • http://www.zyxel.cz
Denmark • Zyxel Communications A/S • http://www.zyxel.dk
Estonia • Zyxel Estonia • http://www.zyxel.com/ee/et/
Finland • Zyxel Communications • http://www.zyxel.fi
France • Zyxel France • http://www.zyxel.
Latvia • Zyxel Latvia • http://www.zyxel.com/lv/lv/homepage.shtml
Lithuania • Zyxel Lithuania • http://www.zyxel.com/lt/lt/homepage.shtml
Netherlands • Zyxel Benelux • http://www.zyxel.nl
Norway • Zyxel Communications • http://www.zyxel.no
Poland • Zyxel Communications Poland • http://www.zyxel.pl
Romania • Zyxel Romania • http://www.zyxel.com/ro/ro
Russia • Zyxel Russia • http://www.zyxel.ru
Slovakia • Zyxel Communications Czech s.r.o. organizacna zlozka • http://www.
• http://www.zyxel.ch/
Turkey • Zyxel Turkey A.S. • http://www.zyxel.com.tr
UK • Zyxel Communications UK Ltd. • http://www.zyxel.co.uk
Ukraine • Zyxel Ukraine • http://www.ua.zyxel.com

Latin America
Argentina • Zyxel Communication Corporation • http://www.zyxel.com/ec/es/
Brazil • Zyxel Communications Brasil Ltda. • https://www.zyxel.com/br/pt/
Ecuador • Zyxel Communication Corporation • http://www.zyxel.

North America
USA • Zyxel Communications, Inc. - North America Headquarters • http://www.zyxel.com/us/en/

Oceania
Australia • Zyxel Communications Corporation • http://www.zyxel.com/au/en/

Africa
South Africa • Nology (Pty) Ltd. • http://www.zyxel.co.
APPENDIX B Product Features Please refer to the product datasheet for the latest product features. Version Model Name # Of MAC 4.35 ATP100 4.35 ATP200 6 7 4.35 ATP500 7 4.
Service Object 200 500 1000 1000
Service Group 50 100 200 200
Max. Service Object In One Group 64 128 128 256
Schedule Object 32 32 32 32
Schedule Group 16 16 16 16
Max. Schedule Object In One Group 24 24 24 24
Application Object 500 500 1000 1000
Application Group 100 100 200 200
Max. Application Object In One Group 128 128 128 256
ISP Account 16 (PPP+3G) 16 (PPP+3G) 32 (PPP+3G) 32
Max. LDAP Server Object # 2 8 16 16
Max.
Common Forbidden Domain Entry Number 1024 1024 1024 1024
Common Trusted Domain Entry Number 1024 1024 1024 1024

Email Security
Maximum AS Rule Number (Profile) 1 1 1 1
Maximum White List Rule Support 128 128 128 256
Maximum Black List Rule Support 128 128 128 256
Maximum DNSBL Domain Support 5 5 5 10
Concurrent Mail Session Scanning 200 200 200 200
Max. Statistics Number 500 500 500 500
Max.
APPENDIX C Legal Information Copyright Copyright © 2019 by Zyxel Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of Zyxel Communications Corporation. Published by Zyxel Communications Corporation.
EUROPEAN UNION
The following information applies if you use the product within the European Union.
Declaration of Conformity with Regard to EU Directive 2014/53/EU (Radio Equipment Directive, RED)
Model List: ATP100W
• Compliance information for 2.4GHz and/or 5GHz wireless products relevant to the EU and other Countries following the EU Directive 2014/53/EU (RED).
• Please use the provided or designated connection cables/power cables/adaptors.
• Connect it to the right supply voltage (for example, 110V AC in North America or 230V AC in Europe).
• If the power adaptor or cord is damaged, it might cause electrocution. Remove it from the device and the power source. Repairing the power adaptor or cord is prohibited. Contact your local vendor to order a new one.
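• There is a risk of explosion if an incorrect power adapter is connected.
• Do not arbitrarily replace the battery inside the product.
• There is a risk of explosion if the battery is replaced with an incorrect type. Dispose of used batteries according to the manufacturer's instructions.
• Dispose of used batteries at an appropriate electrical or electronic equipment recycling point.
• Do not disassemble the device.
• Do not block the device's ventilation holes. Insufficient airflow will damage the device.
• Plug the device into a socket that supplies the correct voltage (for example, 110V AC in North America and Taiwan, 230V AC in Europe).
• If the power adapter or its cable is damaged, unplug it from the socket. Continuing to use it while plugged in carries a risk of death by electrocution.
• Do not attempt to repair the power adapter or its cable. If it is damaged, contact the store where you bought it and purchase a new power adapter.
• Do not install this device outdoors. It is suitable for indoor use only.
• Do not dispose of the device with general waste.
• Refer to the label on the back of the product for the device's power rating.
• Refer to the product catalog or the color box for the operating temperature.
• If the product has no disconnect device, or the power cord plug is regarded as part of the disconnect device, the following warnings apply:
- For permanently connected equipment, a readily accessible disconnect device must be installed outside the equipment;
- For pluggable equipment, the socket outlet must be near the installation location and easily accessible.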
Note
Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. Zyxel shall in no event be held liable for indirect or consequential damages of any kind to the purchaser. To obtain the services of this warranty, contact your vendor.
List of National Codes
COUNTRY, ISO 3166 2 LETTER CODE    COUNTRY, ISO 3166 2 LETTER CODE
Austria AT    Liechtenstein LI
Belgium BE    Lithuania LT
Bulgaria BG    Luxembourg LU
Croatia HR    Malta MT
Cyprus CY    Netherlands NL
Czech Republic CR    Norway NO
Denmark DK    Poland PL
Estonia EE    Portugal PT
Finland FI    Romania RO
France FR    Serbia RS
Germany DE    Slovakia SK
Greece GR    Slovenia SI
Hungary HU    Spain ES
Iceland IS    Sweden SE
Ireland IE    S
Environment Statement
European Union - Disposal and Recycling Information
The symbol below means that according to local regulations your product and/or its battery shall be disposed of separately from domestic waste. If this product is end of life, take it to a recycling station designated by local authorities.
About the Symbols
Various symbols are used in this product to ensure correct usage, to prevent danger to the user and others, and to prevent property damage. The meanings of these symbols are described below.