ZyWALL USG 300 Unified Security Gateway
Default Login Details: LAN Port P1, IP Address https://192.168.1.1, User Name admin, Password 1234
www.zyxel.com
Version 2.20, Edition 1, 3/2010
About This User's Guide
Intended Audience: This manual is intended for people who want to configure the ZyWALL using the Web Configurator.
How To Use This Guide
• Read Chapter 1 on page 33 for an overview of the features available on the ZyWALL.
• Read Chapter 3 on page 47 for web browser requirements and an introduction to the main components, icons and menus in the ZyWALL Web Configurator.
• Web Configurator Online Help: Click the help icon in any screen for help in configuring that screen and supplementary information.
Documentation Feedback: Send your comments, questions or suggestions to techwriters@zyxel.com.tw. Thank you! The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 30099, Taiwan.
Need More Help? More help is available at www.zyxel.com.
See http://www.zyxel.com/web/contact_us.php for contact information. Please have the following information ready when you contact an office.
• Product model and serial number.
• Warranty information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.
Document Conventions
Warnings and Notes: This is how warnings and notes are shown in this User's Guide. Warnings tell you about things that could harm you or your device. Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
Syntax Conventions
• The ZyWALL may be referred to as the "ZyWALL", the "device", the "system" or the "product" in this User's Guide.
Icons Used in Figures: Figures in this User's Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device.
Safety Warnings
• Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
• Do NOT expose your device to dampness, dust or corrosive liquids.
• Do NOT store things on the device.
• Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.
• Connect ONLY suitable accessories to the device.
• Do NOT open the device or unit.
Contents Overview (extract)
User's Guide ... 31
Introducing the ZyWALL ... 33
Features and Applications ... 39
Web Configurator
Content Filtering ... 643
Content Filter Reports ... 667
Anti-Spam ... 675
Device HA
Table of Contents (extract)
About This User's Guide ... 3
Document Conventions ... 6
Safety Warnings ... 8
Contents Overview
3.3.2 Navigation Panel ... 50
3.3.3 Main Window ... 57
3.3.4 Tables and Lists ... 59
Chapter 4 Installation Setup Wizard
6.3 Terminology in the ZyWALL ... 95
6.4 Packet Flow ... 96
6.4.1 ZLD 2.20 Packet Flow Enhancements ... 96
6.4.2 Routing Table Checking Flow Enhancements
7.1.2 Configure Zones ... 116
7.1.3 Configure Port Grouping ... 117
7.2 How to Configure a Cellular Interface ... 118
7.3 How to Configure Load Balancing
7.14.1 Create the Public IP Address Range Object ... 174
7.14.2 Configure the Policy Route ... 175
7.15 How to Use Active-Passive Device HA ... 175
7.15.1 Before You Start ... 176
10.4 The Traffic Statistics Screen ... 243
10.5 The Session Monitor Screen ... 246
10.6 The DDNS Status Screen ... 248
10.7 IP/MAC Binding Monitor
13.1 Interface Overview ... 289
13.1.1 What You Can Do in this Chapter ... 289
13.1.2 What You Need to Know ... 290
13.2 Port Grouping
15.1 Policy and Static Routes Overview ... 373
15.1.1 What You Can Do in this Chapter ... 373
15.1.2 What You Need to Know ... 374
15.2 Policy Route Screen
19.2.1 The NAT Add/Edit Screen ... 416
19.3 NAT Technical Reference ... 419
Chapter 20 HTTP Redirect ... 423
20.1 Overview
24.1.3 Firewall Rule Example Applications ... 452
24.1.4 Firewall Rule Configuration Example ... 455
24.2 The Firewall Screen ... 457
24.2.1 Configuring the Firewall Screen
27.5 Logging Out of the SSL VPN User Screens ... 526
Chapter 28 SSL User Application Screens ... 529
28.1 SSL User Application Screens Overview ... 529
28.2 The Application Screen
32.3 Application Patrol Applications ... 558
32.3.1 The Application Patrol Edit Screen ... 559
32.3.2 The Application Patrol Policy Edit Screen ... 563
32.4 The Other Applications Screen
34.8.3 Applying Custom Signatures ... 618
34.8.4 Verifying Custom Signatures ... 619
34.9 IDP Technical Reference ... 620
Chapter 35 ADP
38.1.1 What You Can Do in this Chapter ... 675
38.1.2 What You Need to Know ... 675
38.2 Before You Begin ... 677
38.3 The Anti-Spam General Screen
41.1.1 What You Can Do in this Chapter ... 731
41.1.2 What You Need To Know ... 731
41.2 Address Summary Screen ... 731
41.2.1 Address Add/Edit Screen ... 733
45.1.2 Before You Begin ... 759
45.1.3 Example: Selecting a VPN Authentication Method ... 759
45.2 Authentication Method Objects ... 760
45.2.1 Creating an Authentication Method Object
49.3 Endpoint Security Add/Edit ... 803
Chapter 50 System ... 809
50.1 Overview ... 809
50.1.1 What You Can Do in this Chapter
50.10.3 Configuring SNMP ... 851
50.11 Dial-in Management ... 853
50.11.1 Configuring Dial-in Mgmt ... 854
50.12 Vantage CNM
55.1 Overview ... 893
55.1.1 What You Need To Know ... 893
55.2 The Shutdown Screen ... 893
Chapter 56 Troubleshooting
PART I User's Guide
CHAPTER 1 Introducing the ZyWALL
This chapter gives an overview of the ZyWALL. It explains the front panel ports and LEDs, introduces the management methods, and lists the different ways to start or stop the ZyWALL.
1.1 Overview and Key Default Settings
The ZyWALL is a comprehensive security device. Its flexible configuration helps network administrators set up the network and enforce security policies efficiently.
Use a #2 Phillips screwdriver to install the screws.
Note: Failure to use the proper screws may damage the unit.
1.2.1 Rack-Mounted Installation Procedure
1 Align one bracket with the holes on one side of the ZyWALL and secure it with the included bracket screws (smaller than the rack-mounting screws).
2 Attach the other bracket in a similar fashion.
1.3 Front Panel
This section introduces the ZyWALL's front panel.
Figure 3 ZyWALL Front Panel
1.3.1 Front Panel LEDs
The following table describes the LEDs (PWR, SYS, AUX, P1, P2 ...).
Table 1 Front Panel LEDs
LED | COLOR | STATUS | DESCRIPTION
PWR | | Off | The ZyWALL is turned off.
PWR | Green | On | The ZyWALL is turned on.
PWR | Red | On | There is a hardware component failure. Shut down the device, wait for a few minutes and then restart the device (see Section 1.5 on page 36).
Web Configurator
The Web Configurator allows easy ZyWALL setup and management using an Internet browser. This User's Guide provides information about the Web Configurator.
Figure 4 Managing the ZyWALL: Web Configurator
Command-Line Interface (CLI)
The CLI allows you to use text-based commands to configure the ZyWALL. You can access it using remote management (for example, SSH or Telnet) or via the console port.
Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the ZyWALL or remove the power. Not doing so can cause the firmware to become corrupt.
Table 3 Starting and Stopping the ZyWALL
METHOD | DESCRIPTION
Turning on the power | A cold start occurs when you turn on the power to the ZyWALL. The ZyWALL powers up, checks the hardware, and starts the system processes.
CHAPTER 2 Features and Applications
This chapter introduces the main features and applications of the ZyWALL.
2.1 Features
The ZyWALL's security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and Prevention), ADP (Anomaly Detection and Protection), and certificates. It also provides bandwidth management, NAT, port forwarding, policy routing, DHCP server and many other powerful features.
Firewall
The ZyWALL's firewall is a stateful inspection firewall. It restricts access by screening packets against defined access rules, and it also tracks sessions: return traffic from one zone into another is allowed only when a computer in the receiving zone initiated that session first, so an unsolicited packet from the WAN does not reach a LAN host even though the LAN host's own replies to the same server get through.
Intrusion Detection and Prevention (IDP)
IDP can detect malicious or suspicious packets and respond immediately.
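The following added example (illustration code, not ZyXEL's firewall implementation) models the zone-based stateful behaviour described above: new sessions are screened against access rules per zone pair, and a packet that belongs to an existing session (in either direction) is allowed regardless of the rules. The zone names, the subnet used for LAN, the access rules and the packet sequence are assumptions constructed for the demonstration; the USG's own rule syntax and TCP state tracking are not modelled.

```python
"""Toy model of zone-based stateful inspection (added example, not ZyXEL code)."""
from dataclasses import dataclass
import ipaddress

# Assumed zones for illustration: one private subnet is LAN, anything else is WAN.
ZONES = {"LAN": ipaddress.ip_network("192.168.1.0/24")}

# Assumed access rules for NEW sessions: (from_zone, to_zone) -> allowed?
# No entry exists for ("WAN", "LAN"), so unsolicited inbound sessions are denied.
ACCESS_RULES = {("LAN", "WAN"): True}


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to the zone whose subnet contains it, defaulting to WAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


class StatefulFirewall:
    """Keeps a session table keyed on the 5-tuple of the packet that opened the session.

    A packet is allowed if it matches an existing session in the forward or the
    reverse direction; otherwise it is a NEW session and is allowed only if an
    access rule permits its source zone to reach its destination zone, in which
    case the session is recorded so that the reply can come back.
    """

    def __init__(self) -> None:
        self.sessions: set = set()

    @staticmethod
    def _forward(p: Packet) -> tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> tuple:
        # The reply to a session has source and destination swapped.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def inspect(self, p: Packet) -> str:
        if self._forward(p) in self.sessions or self._reverse(p) in self.sessions:
            return "allow-established"
        if ACCESS_RULES.get((zone_of(p.src), zone_of(p.dst)), False):
            self.sessions.add(self._forward(p))
            return "allow-new"
        return "drop"


def run_demo() -> list:
    """Replay a constructed packet sequence through a fresh firewall and return the verdicts."""
    fw = StatefulFirewall()
    # Constructed traffic: a LAN host opens HTTPS to a web server, the server replies,
    # a third party on the WAN probes the LAN host unprompted, and the web server
    # sends a packet to a port the LAN host never used.
    packets = [
        Packet("tcp", "192.168.1.10", 51000, "203.0.113.5", 443),   # LAN -> WAN, new session
        Packet("tcp", "203.0.113.5", 443, "192.168.1.10", 51000),   # reply to that session
        Packet("tcp", "198.51.100.7", 40000, "192.168.1.10", 445),  # unsolicited WAN -> LAN
        Packet("tcp", "203.0.113.5", 443, "192.168.1.10", 51001),   # no matching session
    ]
    return [fw.inspect(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Only the second packet is admitted because of state; the third and fourth are dropped even though they come from the same kind of source, which is the point of the session table: the access rules decide who may open a session, the table decides which replies belong to one.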
Anti-Virus Scanner
With the anti-virus packet scanner, the ZyWALL scans files transmitted through the enabled interfaces into the network. This stops threats at the network edge before they reach the local host computers.
Anti-Spam
The anti-spam feature can mark or discard spam. Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail.
2.2.1 VPN Connectivity
Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to your network. You can also set up additional connections to the Internet to provide better service.
Figure 5 Applications: VPN Connectivity
2.2.2 SSL VPN Network Access
You can configure the ZyWALL to provide SSL VPN network access to remote users. There are two SSL VPN network access modes: reverse proxy and full tunnel.
You do not have to install additional client software on the remote user computers for access.
Figure 6 Network Access Mode: Reverse Proxy (labels: https://, LAN 192.168.1.X, Web Mail, File Share, Web-based Application)
2.2.2.2 Full Tunnel Mode
In full tunnel mode, a virtual connection is created for remote users with private IP addresses in the same subnet as the local network.
2.2.3 User-Aware Access Control
Set up security policies that restrict access to sensitive information and shared resources based on the user who is trying to access it.
Figure 8 Applications: User-Aware Access Control
2.2.4 Multiple WAN Interfaces
Set up multiple connections to the Internet on the same port, or set up multiple connections on different ports. In either case, you can balance the loads between them.
2.2.5 Device HA
Set up an additional ZyWALL as a backup gateway to ensure the default gateway is always available for the network.
CHAPTER 3 Web Configurator
The ZyWALL Web Configurator allows easy ZyWALL setup and management using an Internet browser.
3.1 Web Configurator Requirements
In order to use the Web Configurator, you must
• Use Internet Explorer 7 or later, or Firefox 1.5 or later
• Allow pop-up windows (blocked by default in Windows XP Service Pack 2)
• Enable JavaScript (enabled by default)
• Enable Java permissions (enabled by default)
• Enable cookies
The recommended screen resolution is 1024 x 768 pixels.
2 Open your web browser, and go to http://192.168.1.1. By default, the ZyWALL redirects this request to its HTTPS server; keep this setting so that the login credentials are never sent in cleartext. The Login screen appears.
Figure 11 Login Screen
3 Type the user name (default: "admin") and password (default: "1234"). These defaults are printed in this guide and are publicly known, so change the admin password the first time you log in (the ZyWALL prompts you to do so, see step 5). If your account is configured to use an ASAS authentication server, use the OTP (One-Time Password) token to generate a number and enter it in the One-Time Password field.
5 The screen above appears every time you log in with the default user name and default password. Once you change the password for the default user account, this screen no longer appears. Follow the directions in this screen. If you change the default password, the Login screen (Figure 11 on page 48) appears after you click Apply.
3.3.1 Title Bar
The title bar provides some icons in the upper right corner.
Figure 14 Title Bar
The icons provide the following functions.
Table 4 Title Bar: Web Configurator Icons
LABEL | DESCRIPTION
Logout | Click this to log out of the Web Configurator.
Help | Click this to open the help page for the current screen.
About | Click this to display basic information about the ZyWALL.
Site Map | Click this to see an overview of links to the Web Configurator screens.
hide the navigation panel menus or drag it to resize them. The following sections introduce the ZyWALL's navigation panel menus and their screens.
Figure 15 Navigation Panel
3.3.2.1 Dashboard
The dashboard displays general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re-arrange to suit your needs. See Chapter 9 on page 221 for details on the dashboard.
Table 5 Monitor Menu Screens Summary (continued)
FOLDER OR LINK | TAB | FUNCTION
Cellular Status | | Displays details about the ZyWALL's 3G connection status.
AppPatrol Statistics | | Displays bandwidth and protocol statistics.
VPN Monitor | IPSec | Displays and manages the active IPSec SAs.
VPN Monitor | SSL | Lists users currently logged into the VPN SSL client portal. You can also log out individual users and delete related session information.
Table 6 Configuration Menu Screens Summary (continued)
FOLDER OR LINK | TAB | FUNCTION
Interface | Port Grouping | Configure physical port groups.
Interface | Ethernet | Manage Ethernet interfaces and virtual Ethernet interfaces.
Interface | PPP | Create and manage PPPoE and PPTP interfaces.
Interface | Cellular | Configure a cellular Internet connection for an installed 3G card.
Interface | WLAN | Configure settings for an installed wireless LAN card.
Interface | VLAN | Create and manage VLAN interfaces and virtual VLAN interfaces.
SSL VPN | Access Privilege | Configure SSL VPN access rights for users and groups.
SSL VPN | Global Setting | Configure the ZyWALL's SSL VPN settings that apply to all connections.
L2TP VPN | L2TP VPN | Configure L2TP over IPSec VPN settings.
AppPatrol | General | Enable or disable traffic management by application and see registration and signature information.
Device HA | General | Configure device HA global settings, and see the status of each interface monitored by device HA.
Device HA | Active-Passive Mode | Configure active-passive mode device HA.
Device HA | Legacy Mode | Configure legacy mode device HA for use with ZyWALLs that already have device HA set up using a firmware version earlier than 2.10.
User | | Create and manage users.
Console Speed | | Set the console speed.
DNS | | Configure the DNS server and address records for the ZyWALL.
WWW | Service Control | Configure HTTP, HTTPS, and general authentication.
WWW | Login Page | Configure how the login and access user screens look.
SSH | | Configure SSH server and SSH service settings.
TELNET | | Configure telnet server settings for the ZyWALL.
FTP | | Configure FTP server settings.
3.3.3 Main Window
The main window shows the screen you select in the navigation panel. The main window screens are discussed in the rest of this document. Right after you log in, the Dashboard screen is displayed. See Chapter 9 on page 221 for more information about the Dashboard screen.
3.3.3.1 Warning Messages
Warning messages, such as those resulting from misconfiguration, display in a popup window.
Figure 16 Warning Message
settings reference the object. The following example shows which configuration settings reference the ldap-users user object (in this case the first firewall rule).
Figure 18 Object Reference
The fields vary with the type of object. The following table describes labels that can appear in this screen.
Table 8 Object References
LABEL | DESCRIPTION
Object Name | This identifies the object for which the configuration settings that use it are displayed.
3.3.3.4 CLI Messages
Click CLI to look at the CLI commands sent by the Web Configurator. These commands appear in a popup window, such as the following.
Figure 19 CLI Messages
Click Clear to remove the currently displayed information. See the Command Reference Guide for information about the commands.
3.3.4 Tables and Lists
The Web Configurator tables and lists are quite flexible and provide several options for how to display their entries.
• Sort in ascending alphabetical order
• Sort in descending (reverse) alphabetical order
• Select which columns to display
• Group entries by field
• Show entries in groups
• Filter by mathematical operators (<, >, or =) or by searching for text
Figure 21 Common Table Column Options
3 Select a column heading cell's right border and drag to re-size the column.
4 Select a column heading and drag and drop it to change the column order. A green check mark displays next to the column's title when you drag the column to a valid new location.
Figure 23 Changing the Column Order
5 Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time.
Figure 24 Navigating Pages of Table Entries
Here are descriptions for the most common table icons.
Table 9 Common Table Icons
LABEL | DESCRIPTION
Add | Click this to create a new entry. For features where the entry's position in the numbered list is important (features where the ZyWALL applies the table's entries in order, like the firewall), you can select an entry and click Add to create a new entry after the selected entry.
CHAPTER 4 Installation Setup Wizard 4.1 Installation Setup Wizard Screens If you log into the Web Configurator when the ZyWALL is using its default configuration, the first Installation Setup Wizard screen displays. This wizard helps you configure Internet connection settings and activate subscription services. This chapter provides information on configuring the Web Configurator's installation setup wizard. See the feature-specific chapters in this User’s Guide for background information.
4.1.1 Internet Access Setup - WAN Interface
Use this screen to set how many WAN interfaces to configure and the first WAN interface's type of encapsulation and method of IP address assignment. The screens vary depending on the encapsulation type. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don't have that information.
Note: Enter the Internet access information exactly as your ISP gave it to you.
Note: Enter the Internet access information exactly as given to you by your ISP.
Figure 29 Internet Access: Ethernet Encapsulation
• Encapsulation: This displays the type of Internet connection you are configuring.
• First WAN Interface: This is the number of the interface that will connect with your ISP.
• Zone: This is the security zone to which this interface and Internet connection will belong.
• IP Address: Enter your (static) public IP address.
4.1.3 Internet Access: PPPoE
Note: Enter the Internet access information exactly as given to you by your ISP.
Figure 30 Internet Access: PPPoE Encapsulation
4.1.3.1 ISP Parameters
• Type the PPPoE Service Name from your service provider. PPPoE uses a service name to identify and reach the PPPoE server. You can use alphanumeric and _@$./ characters, and it can be up to 64 characters long.
4.1.3.2 WAN IP Address Assignments
• WAN Interface: This is the name of the interface that will connect with your ISP.
• Zone: This is the security zone to which this interface and Internet connection will belong.
• IP Address: Enter your (static) public IP address. Auto displays if you selected Auto as the IP Address Assignment in the previous screen.
• First / Second DNS Server: These fields display if you selected static IP address assignment.
• CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by the remote node.
• CHAP - Your ZyWALL accepts CHAP only.
• PAP - Your ZyWALL accepts PAP only.
• MSCHAP - Your ZyWALL accepts MSCHAP only.
• MSCHAP-V2 - Your ZyWALL accepts MSCHAP-V2 only.
• Type the User Name given to you by your ISP. You can use alphanumeric and _@$./ characters, and it can be up to 31 characters long.
• Type the Password associated with the user name.
4.1.6 Internet Access Setup - Second WAN Interface
If you selected I have two ISPs, after you configure the First WAN Interface, you can configure the Second WAN Interface. The screens for configuring the second WAN interface are similar to the first (see Section 4.1.1 on page 64).
Figure 32 Internet Access: Step 3: Second WAN Interface
4.1.7 Internet Access - Finish
You have set up your ZyWALL to access the Internet.
Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Click Next and use the following screen to perform a basic registration (see Section 4.2 on page 70). If you want to do a more detailed registration or manage your account details, click myZyXEL.com. Alternatively, close the window to exit the wizard.
4.2 Device Registration
Use this screen to register your ZyWALL with myZyXEL.com.
• Select existing myZyXEL.com account if you already have an account at myZyXEL.com and enter your user name and password in the fields below to register your ZyWALL.
• Enter a User Name for your myZyXEL.com account. Use from six to 20 alphanumeric characters (and the underscore). Spaces are not allowed. Click Check to verify that it is available.
• Password: Use six to 20 alphanumeric characters (and the underscore). Spaces are not allowed.
CHAPTER 5 Quick Setup 5.1 Quick Setup Overview The Web Configurator's quick setup wizards help you configure Internet and VPN connection settings. This chapter provides information on configuring the quick setup screens in the Web Configurator. See the feature-specific chapters in this User’s Guide for background information. In the Web Configurator, click Configuration > Quick Setup to open the first Quick Setup screen.
5.2 WAN Interface Quick Setup
Click WAN Interface in the main Quick Setup screen to open the WAN Interface Quick Setup Wizard Welcome screen. Use these screens to configure an interface to connect to the Internet. Click Next.
Figure 37 WAN Interface Quick Setup Wizard
5.2.1 Choose an Ethernet Interface
Select the Ethernet interface that you want to configure for a WAN connection and click Next.
Figure 38 Choose an Ethernet Interface
Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP.
Figure 39 WAN Interface Setup: Step 2
The screens vary depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don't have that information.
Note: Enter the Internet access information exactly as your ISP gave it to you.
• IP Address Assignment: Select Auto if your ISP did not assign you a fixed IP address. Select Static if the ISP assigned a fixed IP address.
5.2.4 WAN and ISP Connection Settings
Use this screen to configure the ISP and WAN interface settings. This screen is read-only if you set the IP Address Assignment to Static.
Note: Enter the Internet access information exactly as your ISP gave it to you.
Table 10 WAN and ISP Connection Settings (continued)
LABEL | DESCRIPTION
Authentication Type | Use the drop-down list box to select an authentication protocol for outgoing calls. Options are:
CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this remote node.
CHAP - Your ZyWALL accepts CHAP only.
PAP - Your ZyWALL accepts PAP only.
MSCHAP - Your ZyWALL accepts MSCHAP only.
MSCHAP-V2 - Your ZyWALL accepts MSCHAP-V2 only.
Table 10 WAN and ISP Connection Settings (continued)
First DNS Server / Second DNS Server: These fields only display for an interface with a static IP address. Enter the DNS server IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
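The authentication protocols in Table 10 differ mainly in what an eavesdropper on the PPP link can see. The Python below is an added illustration written for this page, not ZyXEL code; it models PAP (RFC 1334), where the password itself is sent, and MD5 CHAP (RFC 1994), where only a digest of a fresh challenge is sent. The user name, secret and challenge bytes are constructed.

```python
import hashlib
import hmac
import os

# Added example for this page, not ZyXEL code. Models PPP PAP (RFC 1334) and
# MD5 CHAP (RFC 1994) so the difference in what crosses the link is visible.
# Secrets, names and challenge bytes below are constructed.

def pap_authenticate_request(user: str, secret: bytes) -> bytes:
    """PAP: the peer sends its user name and password as-is in the
    Authenticate-Request; anyone who can read the link learns the password."""
    return user.encode() + b"\x00" + secret


def chap_challenge(length: int = 16) -> bytes:
    """CHAP: the authenticator (the ISP) issues a fresh random challenge each time."""
    return os.urandom(length)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994 section 4): MD5(Identifier || secret || Challenge).
    The secret never leaves the peer; only this 16-byte digest does."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is one octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """The authenticator recomputes the digest from its stored copy of the secret,
    which is also why CHAP needs the server to keep the secret in recoverable form."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def on_the_wire(auth_type: str, user: str, secret: bytes,
                challenge: bytes = b"", identifier: int = 1) -> bytes:
    """Bytes an on-path observer sees in the peer's authentication reply."""
    if auth_type == "PAP":
        return pap_authenticate_request(user, secret)
    if auth_type == "CHAP":
        return user.encode() + b"\x00" + chap_response(identifier, secret, challenge)
    raise ValueError("only PAP and CHAP are modelled here")


def secret_visible_on_link(auth_type: str, user: str, secret: bytes, challenge: bytes = b"") -> bool:
    """True if the raw secret appears in what crosses the link."""
    return secret in on_the_wire(auth_type, user, secret, challenge)


if __name__ == "__main__":
    secret = b"isp-account-secret"            # constructed
    challenge = chap_challenge()
    resp = chap_response(7, secret, challenge)
    print("PAP leaks secret:", secret_visible_on_link("PAP", "user@isp", secret))
    print("CHAP leaks secret:", secret_visible_on_link("CHAP", "user@isp", secret, challenge))
    print("CHAP response valid:", chap_verify(7, secret, challenge, resp))
    print("Replay under a new challenge:", chap_verify(7, secret, chap_challenge(), resp))
```

A captured CHAP response is useless against a later challenge, which is the property PAP lacks. MD5 CHAP still lets an eavesdropper mount an offline dictionary attack on the digest, so a long ISP secret matters either way.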
Table 11 Interface Wizard: Summary WAN
Server IP: This field only appears for a PPTP interface. It displays the IP address of the PPTP server.
User Name: This is the user name given to you by your ISP.
Nailed-Up: Yes means the ZyWALL keeps the connection up permanently and does not apply the idle timeout. No means the ZyWALL disconnects after the Idle Timeout.
Idle Timeout: This is how many seconds the connection can be idle before the router automatically disconnects from the PPPoE server. 0 means no timeout.
5.4 VPN Setup Wizard: Wizard Type A VPN (Virtual Private Network) tunnel is a secure connection to another computer or network. Use this screen to select which type of VPN connection you want to configure. Figure 44 VPN Setup Wizard: Wizard Type Express: Use this wizard to create a VPN connection with another ZLD-based ZyWALL using a pre-shared key and default security settings. Advanced: Use this wizard to configure detailed VPN security settings such as using certificates.
5.5 VPN Express Wizard - Scenario Click the Express radio button as shown in Figure 44 on page 80 to display the following screen. Figure 45 VPN Express Wizard: Step 2 Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Select the scenario that best describes your intended VPN connection.
5.5.1 VPN Express Wizard - Configuration Figure 46 VPN Express Wizard: Step 3 • Secure Gateway: If Any displays in this field, it is not configurable for the chosen scenario. If this field is configurable, enter the WAN IP address or domain name of the remote IPSec device (secure gateway) to identify the remote IPSec router by its IP address or a domain name. Use 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address. • Pre-Shared Key: Type the pre-shared key. Both IPSec routers must be configured with the same value; since this is what authenticates the peers in IKE phase 1, use a long, random key rather than a short password.
5.5.2 VPN Express Wizard - Summary This screen provides a read-only summary of the VPN tunnel’s configuration and also commands that you can copy and paste into another ZLD-based ZyWALL’s command line interface to configure it. Figure 47 VPN Express Wizard: Step 4 • Rule Name: Identifies the VPN gateway policy. • Secure Gateway: IP address or domain name of the remote IPSec device. If this field displays Any, only the remote IPSec device can initiate the VPN connection.
5.5.3 VPN Express Wizard - Finish Now you can use the VPN tunnel. Figure 48 VPN Express Wizard: Step 6 Note: If you have not already done so, use the myZyXEL.com link and register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Click Close to exit the wizard.
5.5.4 VPN Advanced Wizard - Scenario Click the Advanced radio button as shown in Figure 44 on page 80 to display the following screen. Figure 49 VPN Advanced Wizard: Scenario Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Select the scenario that best describes your intended VPN connection.
• Remote Access (Client Role) - Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel. 5.5.5 VPN Advanced Wizard - Phase 1 Settings There are two phases to every IKE (Internet Key Exchange) negotiation: phase 1 (Authentication), which authenticates the two peers (with the pre-shared key or certificates) and establishes an IKE SA (Security Association), and phase 2 (Key Exchange), which uses that IKE SA to negotiate the keys and IPSec SAs that protect the tunnel traffic.
that uses a 168-bit key. As a result, 3DES is more secure than DES (its effective strength is about 112 bits because of meet-in-the-middle attacks). It also requires more processing power, resulting in increased latency and decreased throughput. AES128 uses a 128-bit key and is faster than 3DES. AES192 uses a 192-bit key and AES256 uses a 256-bit key. • Authentication Algorithm: MD5 gives minimal security. SHA-1 gives higher security. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used, as keyed HMACs, to authenticate packet data.
5.5.6 VPN Advanced Wizard - Phase 2 Phase 2 in an IKE negotiation uses the SA that was established in phase 1 to negotiate SAs for IPSec. Figure 51 VPN Advanced Wizard: Step 4 • Active Protocol: ESP is compatible with NAT, AH is not (AH authenticates the outer IP header, including the addresses that NAT rewrites). • Encapsulation: Tunnel is compatible with NAT, Transport is not. • Encryption Algorithm: 3DES and AES encrypt the packet payload. The longer the AES key, the higher the security (this may affect throughput). Null uses no encryption: the tunnel then only authenticates traffic, so do not select it for data that must stay confidential.
• Nailed-Up: This displays for the site-to-site and remote access client role scenarios. Select this to have the ZyWALL automatically renegotiate the IPSec SA when the SA life time expires. 5.5.7 VPN Advanced Wizard - Summary This is a read-only summary of the VPN tunnel settings. Figure 52 VPN Advanced Wizard: Step 5 • Rule Name: Identifies the VPN connection (and the VPN gateway). • Secure Gateway: IP address or domain name of the remote IPSec device.
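Returning to the Active Protocol choice in the Phase 2 settings: the reason ESP works through NAT and AH does not is what each protocol's integrity check value (ICV) covers. The Python below is an added illustration written for this page, not ZyWALL code. It models both ICVs with HMAC-SHA1-96 over a constructed key and packet, leaves the ESP payload unencrypted because only integrity coverage matters here, and shows a NAT source-address rewrite breaking AH verification while ESP still verifies.

```python
import hashlib
import hmac
import struct

# Added example for this page, not ZyWALL code. The key is constructed; on a real
# tunnel IKE phase 2 derives it. Encryption of the ESP payload is omitted on purpose.
AUTH_KEY = b"constructed-phase2-integrity-key"


def _addr(a: str) -> bytes:
    """Dotted-quad IPv4 address to 4 bytes."""
    return bytes(int(o) for o in a.split("."))


def _icv(data: bytes) -> bytes:
    """HMAC-SHA1-96: SHA-1 HMAC truncated to 96 bits, as IPSec uses for AH and ESP."""
    return hmac.new(AUTH_KEY, data, hashlib.sha1).digest()[:12]


def send_ah(src: str, dst: str, payload: bytes) -> dict:
    """AH: the ICV covers the outer IP header's immutable fields, addresses included,
    plus the payload. Anything that rewrites those addresses invalidates it."""
    return {"src": src, "dst": dst, "payload": payload,
            "icv": _icv(_addr(src) + _addr(dst) + payload)}


def verify_ah(pkt: dict) -> bool:
    expected = _icv(_addr(pkt["src"]) + _addr(pkt["dst"]) + pkt["payload"])
    return hmac.compare_digest(pkt["icv"], expected)


def send_esp(src: str, dst: str, payload: bytes, spi: int, seq: int) -> dict:
    """ESP: the ICV covers only the ESP header (SPI, sequence number) and the
    protected payload; the outer IP header is not authenticated at all."""
    return {"src": src, "dst": dst, "spi": spi, "seq": seq, "payload": payload,
            "icv": _icv(struct.pack("!II", spi, seq) + payload)}


def verify_esp(pkt: dict) -> bool:
    expected = _icv(struct.pack("!II", pkt["spi"], pkt["seq"]) + pkt["payload"])
    return hmac.compare_digest(pkt["icv"], expected)


def nat_rewrite_source(pkt: dict, new_src: str) -> dict:
    """A NAT device between the peers replaces the outer source address and
    cannot recompute either ICV because it does not hold the key."""
    out = dict(pkt)
    out["src"] = new_src
    return out


if __name__ == "__main__":
    ah = send_ah("192.168.1.10", "172.16.1.5", b"constructed payload")
    esp = send_esp("192.168.1.10", "172.16.1.5", b"constructed payload", spi=0x1234, seq=1)
    print("AH before NAT:", verify_ah(ah), " after NAT:", verify_ah(nat_rewrite_source(ah, "10.0.0.1")))
    print("ESP before NAT:", verify_esp(esp), " after NAT:", verify_esp(nat_rewrite_source(esp, "10.0.0.1")))
```

The same coverage difference is why a NAT device can only pass ESP, and why NAT traversal wraps ESP in UDP port 4500 so the NAT has ports to rewrite; ESP's own header carries no port numbers.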
5.5.8 VPN Advanced Wizard - Finish Now you can use the VPN tunnel. Figure 53 VPN Wizard: Step 6: Advanced Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Click Close to exit the wizard.
CHAPTER 6 Configuration Basics This information is provided to help you configure the ZyWALL effectively. Some of it is helpful when you are just getting started. Some of it is provided for your reference when you configure various features in the ZyWALL. • Section 6.1 on page 91 introduces the ZyWALL’s object-based configuration. • Section 6.2 on page 92 introduces zones, interfaces, and port groups. • Section 6.
objects whenever the interface’s IP address settings change. For example, if you change an Ethernet interface’s IP address, the ZyWALL automatically updates the rules or settings that use the interface-based, LAN subnet address object. You can use the Configuration > Objects screens to create objects before you configure features that use them. If you are in a screen that uses objects, you can also usually select Create new Object to be able to configure a new object.
6.2.1 Interface Types There are many types of interfaces in the ZyWALL. In addition to being used in various features, interfaces also describe the network that is directly connected to the ZyWALL. • Ethernet interfaces are the foundation for defining other interfaces and network policies. You also configure RIP and OSPF in these interfaces. • Port groups create a hardware connection between physical ports at layer 2 (the data link, MAC address level).
6.2.2 Default Interface and Zone Configuration This section introduces the ZyWALL’s default zone member physical interfaces and the default configuration of those interfaces. The following figure uses letters to denote public IP addresses or part of a private IP address. Figure 55 Default Network Topology
Table 13 Default Port, Interface, and Zone Configuration
PORT | INTERFACE | ZONE | IP ADDRESS AND DHCP SETTINGS | SUGGESTED USE WITH DEFAULT SETTINGS
1 | ge1 | LAN | 192.168.1.
• The WAN zone contains the ge2 and ge3 interfaces (physical ports 2 and 3). They use public IP addresses to connect to the Internet. • The DMZ zone contains the ge4 and ge5 interfaces (physical ports 4 and 5). The DMZ zone has servers that are available to the public. These interfaces use the private IP addresses 192.168.2.1 and 192.168.3.1. • The WLAN zone contains the ge6 interface (physical port P6). This is a second protected zone for connecting wireless access points.
6.4 Packet Flow Here is the order in which the ZyWALL applies its features and checks. Figure 56 Packet Flow 6.4.1 ZLD 2.20 Packet Flow Enhancements ZLD version 2.20 has been enhanced to simplify configuration. The packet flow has been changed as follows: • Automatic SNAT and WAN trunk routing for traffic going from internal to external interfaces (you don’t need to configure anything to allow LAN to WAN or WLAN to WAN traffic).
• You do not need to set up policy routes for 1:1 NAT entries. • You can create Many 1:1 NAT entries to translate a range of private network addresses to a range of public IP addresses. • Static and dynamic routes have their own category. Even with these changes, you can still use an existing configuration file from the previous version. 6.4.2 Routing Table Checking Flow Enhancements When the ZyWALL receives packets it defragments them and applies destination NAT.
2 Policy Routes: These are the user-configured policy routes. Configure policy routes to send packets through the appropriate interface or VPN tunnel. See Chapter 15 on page 373 for more on policy routes. 3 1 to 1 and Many 1 to 1 NAT: These are the 1 to 1 NAT and many 1 to 1 NAT rules.
ZyWALL stops checking the packets against the NAT table and moves on to bandwidth management. Figure 58 NAT Table Checking Flow 1 SNAT defined in the policy routes. This was already in ZLD 2.1x. 2 1 to 1 SNAT (including Many 1 to 1) is also included in the NAT table. 3 NAT loopback is now included in the NAT table instead of requiring a separate policy route. 4 SNAT is also now performed by default and included in the NAT table. 6.
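To make the ordering above concrete, here is a toy evaluator written for this page in Python; it is not ZyWALL code. It walks the routing-table checks in the order this chapter lists them (directly connected networks, policy routes, 1:1 and many 1:1 NAT, static routes, the default WAN trunk) and then the NAT table (policy-route SNAT, 1:1 SNAT, the 2.20 default SNAT). The tables it consults are constructed; the interface names and the 192.168.1.0/24 LAN follow the default topology in Section 6.2.2, and the first step for directly connected networks, which is not visible on this page, is assumed.

```python
import ipaddress

# Added example for this page, not ZyWALL code. Constructed tables; interface names and the
# 192.168.1.0/24 LAN follow the default topology in Section 6.2.2, everything else is assumed.
DIRECT_CONNECT = {                      # interface -> directly connected network
    "ge1": ipaddress.ip_network("192.168.1.0/24"),
    "ge2": ipaddress.ip_network("10.0.0.0/24"),
}
POLICY_ROUTES = [                       # (source, destination, next hop, SNAT address or None)
    (ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("172.16.1.0/24"),
     "VPN_CONN_EXAMPLE", None),
]
ONE_TO_ONE_NAT = [                      # (private host, public address, WAN interface)
    (ipaddress.ip_address("192.168.1.56"), ipaddress.ip_address("10.0.0.8"), "ge2"),
]
STATIC_ROUTES = [(ipaddress.ip_network("10.10.0.0/16"), "ge3")]
DEFAULT_WAN_TRUNK = ("ge2", "ge3")
WAN_ADDRESSES = {"ge2": ipaddress.ip_address("10.0.0.1"), "ge3": ipaddress.ip_address("10.0.1.1")}
INTERNAL_INTERFACES = {"ge1"}


def route_packet(src: str, dst: str, ingress: str) -> dict:
    """Apply the ZLD 2.20 routing-table checks in order, then the NAT table.
    Returns which stage matched, the egress interface or tunnel, and the SNAT address."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    stage = egress = snat = None

    # 1. Directly connected networks (assumed first step; not visible on this page)
    for iface, net in DIRECT_CONNECT.items():
        if d in net:
            stage, egress = "direct-connect", iface
            break
    # 2. Policy routes, in configured order; a policy route may carry its own SNAT
    if stage is None:
        for psrc, pdst, hop, psnat in POLICY_ROUTES:
            if s in psrc and d in pdst:
                stage, egress, snat = "policy-route", hop, psnat
                break
    # 3. 1:1 and many 1:1 NAT: traffic from a mapped private host leaves via the
    #    WAN interface of its public address and is SNATed to that address
    if stage is None:
        for private, public, wan in ONE_TO_ONE_NAT:
            if s == private:
                stage, egress, snat = "1to1-nat", wan, public
                break
    # 4. Static (and dynamic) routes, their own category in 2.20
    if stage is None:
        for net, iface in STATIC_ROUTES:
            if d in net:
                stage, egress = "static-route", iface
                break
    # 5. Default WAN trunk (the trunk's load balancing picks the member; first one here)
    if stage is None:
        stage, egress = "default-wan-trunk", DEFAULT_WAN_TRUNK[0]

    # NAT table: policy-route SNAT and 1:1 SNAT are already set above. Otherwise the
    # 2.20 default SNAT rewrites internal->external traffic to the egress WAN address
    # without any rule; VPN tunnels and internal egress are left untouched.
    if snat is None and ingress in INTERNAL_INTERFACES and egress in WAN_ADDRESSES:
        snat = WAN_ADDRESSES[egress]
    return {"stage": stage, "egress": egress, "snat": None if snat is None else str(snat)}


if __name__ == "__main__":
    for src, dst in [("192.168.1.10", "192.168.1.20"), ("192.168.1.10", "172.16.1.5"),
                     ("192.168.1.56", "203.0.113.5"), ("192.168.1.10", "10.10.5.5"),
                     ("192.168.1.10", "203.0.113.5")]:
        print(src, "->", dst, route_packet(src, dst, "ge1"))
```

The useful observation is the second case: traffic that a policy route sends into a VPN tunnel never reaches the default SNAT, which is why LAN-to-remote-site traffic keeps its private source address while LAN-to-Internet traffic is translated without any rule.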
6.5.1 Feature This provides a brief description. See the appropriate chapter(s) in this User’s Guide for more information about any feature. MENU ITEM(S): This shows you the sequence of menu items and tabs you should click to find the main screen(s) for this feature. See the web help or the related User’s Guide chapter for information about each screen. PREREQUISITES: These are other features you should configure before you configure the main screen(s) for this feature.
subscription to update the anti-virus and IDP/application patrol signatures. You must have Internet access to myZyXEL.com. MENU ITEM(S): Configuration > Licensing > Registration; Configuration > Licensing > Update (for anti-virus and IDP/application patrol). PREREQUISITES: Internet access to myZyXEL.com. 6.5.4 Interface See Section 6.2 on page 92 for background information. Note: When you create an interface, there is no security applied on it until you assign it to a zone.
and general NAT on the source address. You have to set up the criteria, next-hops, and NAT settings first.
6.5.7 Static Routes Use static routes to tell the ZyWALL about networks not directly connected to the ZyWALL. MENU ITEM(S) Configuration > Network > Routing > Static Route PREREQUISITES Interfaces 6.5.8 Zones See Section 6.2 on page 92 for background information. A zone is a group of interfaces and VPN tunnels. The ZyWALL uses zones, not interfaces, in many security settings, such as firewall rules and remote management. Zones cannot overlap.
The ZyWALL only checks regular (through-ZyWALL) firewall rules for packets that are redirected by NAT; it does not check the to-ZyWALL firewall rules. MENU ITEM(S) Configuration > Network > NAT PREREQUISITES Interfaces, addresses (HOST) Example: Suppose you have an FTP server with a private IP address connected to a DMZ port. You could configure a NAT rule to forward FTP sessions from the WAN to the DMZ. 1 Click Configuration > Network > NAT to configure the NAT entry.
3 Name the entry. 4 Select the interface from which you want to redirect incoming HTTP requests (ge1). 5 Specify the IP address of the HTTP proxy server. 6 Specify the port number to use for the HTTP traffic that you forward to the proxy server. 6.5.12 ALG The ZyWALL’s Application Layer Gateway (ALG) allows VoIP and FTP applications to go through NAT on the ZyWALL. You can also specify additional signaling port numbers. MENU ITEM(S) Configuration > Network > ALG 6.
Example: Suppose you have a SIP proxy server connected to the DMZ zone for VoIP calls. You could configure a firewall rule to allow VoIP sessions from the SIP proxy server on DMZ to the LAN so VoIP users on the LAN can receive calls. 1 Create a VoIP service object for UDP port 5060 traffic (Configuration > Object > Service). 2 Create an address object for the VoIP server (Configuration > Object > Address).
WHERE USED Policy routes, zones Example: See Chapter 7 on page 115. 6.5.17 L2TP VPN Use L2TP VPN to let remote users use the L2TP and IPSec client software included with their computers’ operating systems to securely connect to the network behind the ZyWALL.
Note: With this example, Bob would have to log in using his account. If you do not want him to have to log in, you might create an exception policy with Bob’s computer IP address as the source. 6.5.19 Anti-Virus Use anti-virus to detect and take action on viruses. You must subscribe to use anti-virus. You can subscribe using the Licensing > Registration screens or one of the wizards. MENU ITEM(S) Configuration > Anti-X > AV PREREQUISITES Registration, zones 6.5.
1 Create a user account for Bill if you have not done so already (Configuration > Object > User/Group). 2 Create a schedule for the work day (Configuration > Object > Schedule). 3 Click Configuration > Anti-X > Content Filter > Filter Profile. Click the Add icon to go to the screen where you can configure a category-based profile. 4 Name the profile and enable it. 5 Enable the external web filter service.
6.6 Objects Objects store information and are referenced by other features. If you update this information in response to changes, the ZyWALL automatically propagates the change through the features that use the object. Move your cursor over a configuration object that has a magnifying-glass icon (such as a user group, address, address group, service, service group, zone, or schedule) to display basic information about the object. The following table introduces the objects.
Table 19 User Types
guest: Access network services.
ext-user: The same as a user or a guest except the ZyWALL looks for the specific type in an external authentication server. If the type is not available, the ZyWALL applies default settings.
ext-group-user: External group user account.
If you want to force users to log in to the ZyWALL before the ZyWALL routes traffic for them, you might have to configure prerequisites first.
2 Create an address object for the administrator’s computer (Configuration > Object > Address). 3 Click Configuration > System > WWW to configure the HTTP management access. Enable HTTPS and add an administrator service control entry. • Select the address object for the administrator’s computer. • Select the WAN zone. • Set the action to Accept. 6.7.
Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the ZyWALL or remove the power. Not doing so can cause the firmware to become corrupt.
CHAPTER 7 Tutorials Here are examples of using the Web Configurator to set up features in the ZyWALL. See also Chapter 8 on page 183 for an example of configuring L2TP VPN. Note: The tutorials featured here require a basic understanding of connecting to and using the Web Configurator, see Chapter 3 on page 47 for details. For field descriptions of individual screens, see Technical Reference on page 219. 7.
• You want to be able to apply security settings specifically for all VPN tunnels so you create a new VPN zone. Figure 59 Ethernet Interface, Port Grouping, and Zone Configuration Example 7.1.1 Configure a WAN Ethernet Interface You need to assign the ZyWALL’s ge2 interface a static IP address of 1.2.3.4. Click Configuration > Network > Interface > Ethernet and double-click the ge2 interface’s entry.
1 Click Configuration > Network > Zone and then the Add icon. 2 Enter VPN as the name, select Default_L2TP_VPN_Connection and move it to the Member box and click OK. Figure 61 Configuration > Network > Zone > WAN Edit 7.1.3 Configure Port Grouping Here is how to combine physical ports P4 and P5 into the ge4 interface port group. 1 Click Configuration > Network > Interface > Port Grouping.
2 Drag physical port 5 onto representative interface ge4 and click Apply. Figure 62 Configuration > Network > Interface > Port Grouping Example 3 Click Dashboard, and look at the Interface Status Summary. Ethernet interface ge4 has a status of Port Group Up if it is connected or Port Group Down if it is not connected. Ethernet interface ge5 has a Status of Port Group Inactive. Figure 63 Dashboard: Interface Status Summary After Port Grouping 7.
3 Click Configuration > Network > Interface > Cellular. Select the 3G device’s entry and click Edit. Figure 64 Configuration > Network > Interface > Cellular 4 Enable the interface and add it to a zone. It is highly recommended that you set the Zone to WAN to apply your WAN zone security settings to this 3G connection. If you leave Zone set to none, the ZyWALL applies no security settings (no firewall rules, IDP, and so on) to the 3G connection.
5 Go to the Dashboard. The Interface Status Summary section should contain a “cellular” entry. When its connection status is Connected you can use the 3G connection to access the Internet. Figure 66 Status 6 The ZyWALL automatically adds the cellular interface to the system default WAN trunk. If the ZyWALL is using a user-configured trunk as its default trunk and you want this cellular interface to be part of it, use the Trunk screens to add it.
You do not have to change many of the ZyWALL’s settings from the defaults to set up this trunk. You only have to set up the outgoing bandwidth on each of the WAN interfaces and configure the WAN_TRUNK trunk’s load balancing settings. 7.3.1 Set Up Available Bandwidth on Ethernet Interfaces Here is how to set a limit on how much traffic the ZyWALL tries to send out through each WAN interface. 1 Click Configuration > Network > Interface > Ethernet and double-click the ge2 entry.
7.3.2 Configure the WAN Trunk 1 Click Configuration > Network > Interface > Trunk. Click the Add icon. 2 Name the trunk and set the Load Balancing Algorithm field to Weighted Round Robin. Add ge2 and enter 2 in the Weight column. Add ge3 and enter 1 in the Weight column. Click OK.
3 Select the trunk as the default trunk and click Apply. Figure 70 Configuration > Network > Interface > Trunk 7.4 How to Set Up a Wireless LAN You can install a wireless LAN card (IEEE 802.11b/g) in the PCMCIA slot (see Table 264 on page 915 for the supported cards). You can configure different interfaces to use on the wireless LAN card. This lets you have different wireless LAN networks using different SSIDs.
1 Click Configuration > Object > User/Group > User and the Add icon. 2 Set the User Name to wlan_user. Enter (and re-enter) the user’s password. Click OK. Figure 71 Configuration > Object > User/Group > User > Add 3 Use the Add icon in the Configuration > Object > User/Group > User screen to set up the remaining user accounts in similar fashion. 7.4.2 Create the WLAN Interface 1 Click Configuration > Network > Interface > WLAN > Add to open the WLAN Add screen.
2 Edit this screen as follows. A (internal) name for the WLAN interface displays. You can modify it if you want to. The ZyWALL’s security settings are configured by zones. Select to which security zone you want the WLAN interface to belong (the WLAN zone in this example). This determines which security settings the ZyWALL applies to the WLAN interface. Configure the SSID (ZYXEL_WPA in this example).
Figure 72 Configuration > Network > Interface > WLAN > Add
3 Turn on the wireless LAN and click Apply. Figure 73 Configuration > Network > Interface > WLAN 7.4.3 Set Up the Wireless Clients to Use the WLAN Interface The following sections show you how to have a wireless client (not included with the ZyWALL) use the wireless network. 7.4.3.1 Configure the ZyXEL Wireless Client Utility This example covers how to configure ZyXEL’s wireless client utility (not included with the ZyWALL) to use the WLAN interface. See Section 7.4.3.
1 Open the wireless client utility and click Profile. Figure 74 ZyXEL Wireless Client 2 Add a new profile. This example uses “ZYXEL_WPA” as the name. It is also the SSID (name) of the wireless network. Select Infrastructure and click Next.
3 Select WPA2 as the security type and click Next. Figure 76 ZyXEL Wireless Client > Profile: Security Type 4 Set the encryption type to TKIP and the EAP type to TTLS. Configure wlan_user as the Login Name and enter the account’s password (also wlan_user in this example). In TTLS Protocol, select PAP. Click Next.
5 Confirm your settings and click Save. Figure 78 ZyXEL Wireless Client > Profile: Save 6 Click Activate Now.
7 The ZYXEL_WPA profile displays in your list of profiles. Figure 80 ZyXEL Wireless Client > Profile: Activate Since the ZyXEL utility does not have the wireless client validate the ZyWALL’s certificate, you can go to Section 7.4.3.4 on page 139. Note that without server certificate validation the client cannot tell the ZyWALL from a rogue access point presenting its own certificate, and the TTLS/PAP password would be handed to the impostor; prefer a client that validates the certificate (see the Odyssey example) where you can. 7.4.3.2 Configure the Funk Odyssey Wireless Client This example shows how to configure Funk’s Odyssey Access Client Manager wireless client software (not included with the ZyWALL) to use the WLAN interface.
2 Name the profile (this example uses ZYXEL_WPA). In the User Info tab, configure wlan_user as the Login name. In the Password sub-tab, select Prompt for login name and password. Figure 82 Odyssey Access Client Manager > Profiles > User Info 3 Click the Authentication tab and select Validate server certificate.
4 Click the TTLS tab and select PAP. Then click OK. Figure 84 Odyssey Access Client Manager > Profiles > Authentication 5 Click Networks > Add.
6 Enter the name of the wireless network (“ZYXEL_WPA” in this example) or click Scan to look for it. Then select Authenticate using profile and select the profile you configured (“ZYXEL_WPA” in this example). Click OK. Figure 86 Odyssey Access Client Manager > Networks > Add Use the next section to import the ZyWALL’s certificate into the wireless client. 7.4.3.
1 In Internet Explorer, click Tools > Internet Options > Content and click the Certificates button. Figure 87 Internet Explorer: Tools > Internet Options > Content 2 Click Import.
3 Use the wizard screens to import the certificate. You may need to change the Files of Type setting to All Files in order to see the certificate file. Figure 89 Internet Explorer Certificate Import Wizard File Open Screen 4 When you get to the Certificate Store screen, select the option to automatically select the certificate store based on the type of certificate.
5 If you get a security warning screen, click Yes to proceed. (The warning appears because you are adding a new trusted root; confirm the thumbprint it shows against the ZyWALL’s My Certificates screen before accepting.)
6 The Internet Explorer Certificates screen remains open after the import is done. You can see the newly imported certificate listed in the Trusted Root Certification Authorities tab. The values in the Issued To and Issued By fields should match those in the ZyWALL’s My Certificates screen’s Subject and Issuer fields (respectively).
7.4.3.4 Wireless Clients Use the WLAN Interface A login screen displays when the wireless client attempts to connect to the wireless interface. Enter the username and password and click OK. Figure 94 Funk Odyssey Access Wireless Client Login Example 7.5 How to Set Up an IPSec VPN Tunnel This example shows how to use the IPSec VPN configuration screens to create the following VPN tunnel, see Section 5.4 on page 80 for details on the VPN quick setup wizard.
7.5.1 Set Up the VPN Gateway The VPN gateway manages the IKE SA. You do not have to set up any other objects before you configure the VPN gateway because this VPN tunnel does not use any certificates or extended authentication. 1 Click Configuration > VPN > IPSec VPN > VPN Gateway, and then click the Add icon. 2 Enable the VPN gateway and name it (“VPN_GW_EXAMPLE”). For My Address, select Interface and ge2. For the Peer Gateway Address, select Static Address and enter 2.2.2.
1 Click Configuration > Object > Address. Click the Add icon. 2 Give the new address object a name (“VPN_REMOTE_SUBNET”), change the Address Type to SUBNET. Set up the Network field to 172.16.1.0 and the Netmask to 255.255.255.0. Click OK. Figure 97 Configuration > Object > Address > Add 3 Click Configuration > VPN > IPSec VPN > VPN Connection. Click the Add icon. 4 Enable the VPN connection and name it (“VPN_CONN_EXAMPLE”).
7.5.3 Configure Security Policies for the VPN Tunnel You configure security policies based on zones. Assign the new VPN connection to a zone to be able to apply security policies (firewall rules, IDP, and so on) to the VPN connection. Make sure all firewalls between the ZyWALL and remote IPSec router allow UDP port 500 (IKE) and IP protocol 50 (ESP) or 51 (AH), depending on the active protocol you chose. If you enable NAT traversal, all firewalls between the ZyWALL and remote IPSec router must also allow UDP port 4500, since ESP is carried inside UDP on that port once NAT is detected. 7.
• My Address: 10.0.0.2
• Primary Remote Gateway: 10.0.0.1
Network Policy (Phase 2)
• Local Network: 192.168.167.0/255.255.255.0
• Remote Network: 192.168.168.0~192.168.169.255
Headquarters (ZyWALL USG):
VPN Gateway (VPN Tunnel 1):
• My Address: 10.0.0.1
• Peer Gateway Address: 10.0.0.2
VPN Connection (VPN Tunnel 1):
• Local Policy: 192.168.168.0~192.168.169.255
• Remote Policy: 192.168.167.0/255.255.255.0
• Disable Policy Enforcement
VPN Gateway (VPN Tunnel 2):
• My Address: 10.0.0.
7.6.0.1 Hub-and-spoke VPN Requirements and Suggestions Consider the following when implementing a hub-and-spoke VPN. • This example uses a wide range for the ZyNOS-based ZyWALL’s remote network, to use a narrower range, see Section 25.4.1 on page 491 for an example of configuring a VPN concentrator. • The local IP addresses configured in the VPN rules should not overlap. • The hub router must have at least one separate VPN rule for each spoke.
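The checks in the list above can be scripted before the rules are typed into two different GUIs. The Python below is an added example written for this page, not ZyXEL code. It converts ZyNOS-style address ranges and ZLD-style subnets into a common form, checks the site networks for overlap, checks that the hub has a rule whose remote policy covers each spoke, and checks that a spoke's wide remote range really reaches the other sites. The HQ and Branch A addresses come from the Section 7.6 configuration; Branch B (192.168.169.0/24) and the hub's second tunnel rule are assumptions, since that part of the configuration is cut off on this page.

```python
import ipaddress
from itertools import combinations

# Added example for this page, not ZyXEL code. HQ and Branch A come from the
# Section 7.6 configuration; Branch B and the hub's second tunnel are assumptions.
SITES = {
    "HQ": ipaddress.ip_network("192.168.168.0/24"),
    "Branch A (ZyNOS)": ipaddress.ip_network("192.168.167.0/24"),
    "Branch B (assumed)": ipaddress.ip_network("192.168.169.0/24"),
}
HUB_RULES = {  # hub VPN connection name -> (local policy, remote policy) as typed in the GUI
    "VPN Tunnel 1": ("192.168.168.0~192.168.169.255", "192.168.167.0/255.255.255.0"),
    "VPN Tunnel 2 (assumed)": ("192.168.167.0~192.168.168.255", "192.168.169.0/255.255.255.0"),
}
BAD_SITES = {**SITES, "Branch C (constructed clash)": ipaddress.ip_network("192.168.167.128/25")}


def policy_to_networks(spec: str) -> list:
    """Parse a policy written as a subnet ('a.b.c.d/255.255.255.0' or '/24') or as a
    ZyNOS-style range ('a.b.c.d~w.x.y.z') into a list of ip_network objects."""
    if "~" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("~", 1))
        if first > last:
            raise ValueError(f"range start after end: {spec}")
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(spec.strip(), strict=True)]


def policy_networks_str(spec: str) -> list:
    return [str(n) for n in policy_to_networks(spec)]


def covers(spec: str, net: ipaddress.IPv4Network) -> bool:
    """True if the policy contains the whole network."""
    return any(net.subnet_of(p) for p in policy_to_networks(spec))


def overlapping_sites(sites: dict) -> list:
    """Site LANs in a hub-and-spoke VPN must be disjoint; return the pairs that are not."""
    return [(a, b) for (a, na), (b, nb) in combinations(sites.items(), 2) if na.overlaps(nb)]


def spokes_missing_hub_rule(hub_rules: dict, sites: dict, hub: str) -> list:
    """Each spoke needs at least one hub rule whose remote policy covers that spoke's LAN."""
    return [name for name, net in sites.items()
            if name != hub and not any(covers(remote, net) for _, remote in hub_rules.values())]


def sites_unreachable_from_spoke(spoke_remote_policy: str, sites: dict, spoke: str) -> list:
    """A spoke's single rule must reach the hub and every other spoke through its remote policy."""
    return [name for name, net in sites.items()
            if name != spoke and not covers(spoke_remote_policy, net)]


if __name__ == "__main__":
    print("range 192.168.168.0~192.168.169.255 =", policy_networks_str("192.168.168.0~192.168.169.255"))
    print("overlapping site LANs:", overlapping_sites(SITES), overlapping_sites(BAD_SITES))
    print("spokes without a hub rule:", spokes_missing_hub_rule(HUB_RULES, SITES, "HQ"))
    print("sites Branch A cannot reach:",
          sites_unreachable_from_spoke("192.168.168.0~192.168.169.255", SITES, "Branch A (ZyNOS)"))
```

The range-to-subnet conversion is worth keeping on hand: the ZyNOS spoke takes ranges while the USG takes subnets, and a range that does not fall on a subnet boundary (192.168.167.0~192.168.168.255, for instance) becomes two subnets rather than one.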
Table 20 User-aware Access Control Example (continued)
GROUP (USER) | WEB SURFING | WEB BANDWIDTH | MSN | LAN-TO-DMZ ACCESS
Guest (guest) | Yes | 50K | No | No
Others | No | --- | No | No
The users are authenticated by an external RADIUS server at 192.168.1.200. First, set up the user accounts and user groups in the ZyWALL. Then, set up user authentication using the RADIUS server. Finally, set up the policies in the table above. The ZyWALL has its default settings. 7.7.
7.7.2 Set Up User Groups Set up the user groups and assign the users to the user groups. 1 Click Configuration > Object > User/Group > Group. Click the Add icon. 2 Enter the name of the group that is used in Table 20 on page 144. In this example, it is “Finance”. Then, select User/Leo and click the right arrow to move him to the Member list. This example only has one member in this group, so click OK. Of course you could add more members later.
1 Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Configure the RADIUS server’s address, authentication port (1812 if you were not told otherwise), and key (the shared secret; use a long random value and make sure it matches the server’s entry for the ZyWALL), and click Apply. Figure 102 Configuration > Object > AAA Server > RADIUS > Add 2 Click Configuration > Object > Auth. method. Double-click the default entry. Click the Add icon. Select group radius because the ZyWALL should use the specified RADIUS server for authentication. Click OK.
Note: The users will have to log in using the Web Configurator login screen before they can use HTTP or MSN. Figure 104 Configuration > Object > User/Group > Setting > Add (Force User Authentication Policy) When the users try to browse the web (or use any HTTP/HTTPS application), the Login screen appears. They have to log in using the user name and password in the RADIUS server. 7.7.
1 Click Configuration > AppPatrol. If application patrol and bandwidth management are not enabled, enable them, and click Apply. Figure 105 Configuration > AppPatrol > General 2 Click the Common tab and double-click the http entry.
3 Double-click the Default policy. Figure 107 Configuration > AppPatrol > Common > http 4 Change the access to Drop because you do not want anyone except authorized user groups to browse the web. Click OK.
5 Click the Add icon in the policy list. In the new policy, select one of the user groups that is allowed to browse the web and set the corresponding bandwidth restriction in the Inbound and Outbound fields. Click OK. Repeat this process to add exceptions for all the other user groups that are allowed to browse the web. Figure 109 Configuration > AppPatrol > Common> http > Edit Default 7.7.
2 Give the schedule a descriptive name. Set up the days (Monday through Friday) and the times (8:30 - 18:00) when Sales is allowed to use MSN. Click OK. Figure 110 Configuration > Object > Schedule > Add (Recurring) 3 Follow the steps in Section 7.7.4 on page 148 to set up the appropriate policies for MSN in application patrol. Make sure to specify the schedule when you configure the policy for the Sales group’s MSN access. 7.7.
2 Click the Add icon again and create a rule for one of the user groups that is allowed to access the DMZ. Figure 112 Configuration > Firewall > Add 3 Repeat this process to set up firewall rules for the other user groups that are allowed to access the DMZ. 7.8 How to Use a RADIUS Server to Authenticate User Accounts based on Groups The previous example showed how to have a RADIUS server authenticate individual user accounts.
1 Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Besides configuring the RADIUS server’s address, authentication port, and key; set the Group Membership Attribute field to the attribute that the ZyWALL is to check to determine to which group a user belongs. This example uses Class. This attribute’s value is called a group identifier; it determines to which group a user belongs. In this example the values are Finance, Engineer, Sales, and Boss.
2 Now you add ext-group-user user objects to identify groups based on the group identifier values. Set up one user account for each group of user accounts in the RADIUS server. Click Configuration > Object > User/Group > User. Click the Add icon. Enter a user name and set the User Type to ext-group-user. In the Group Identifier field, enter Finance, Engineer, Sales, or Boss and set the Associated AAA Server Object to radius.
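As an added illustration (not ZyXEL or RADIUS-server code) of the group-membership lookup the two steps above set up, the Python below encodes and decodes RADIUS attributes in their RFC 2865 type/length/value form, pulls the Class attribute (type 25) out of a constructed Access-Accept, and maps its value to the ext-group-user objects by Group Identifier. The attribute bytes, user names and object names are constructed.

```python
import struct

# Added example for this page, not ZyXEL or RADIUS-server code. Attribute bytes,
# user names and object names are constructed.
RADIUS_USER_NAME = 1   # RFC 2865 section 5.1
RADIUS_CLASS = 25      # RFC 2865 section 5.25; the Group Membership Attribute used here

EXT_GROUP_USERS = {    # ZyWALL ext-group-user objects: Group Identifier -> object name
    "Finance": "radius_finance",
    "Engineer": "radius_engineer",
    "Sales": "radius_sales",
    "Boss": "radius_boss",
}


def build_attributes(attrs) -> bytes:
    """Encode (type, value) pairs as RADIUS attributes: 1-byte Type, 1-byte Length
    (covering Type and Length), then Value; Value is 1..253 bytes."""
    out = bytearray()
    for attr_type, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return bytes(out)


def parse_attributes(data: bytes) -> list:
    """Decode the attribute section of a RADIUS packet into (type, value) pairs,
    rejecting truncated or impossible lengths instead of reading past the buffer."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad attribute length {length} at offset {i}")
        attrs.append((attr_type, bytes(data[i + 2:i + length])))
        i += length
    return attrs


def group_for_accept(attr_bytes: bytes, membership_attr: int = RADIUS_CLASS):
    """Mimic the ZyWALL's lookup: take the User-Name and the first Group Membership
    Attribute value that matches an ext-group-user object's Group Identifier.
    Returns (user, object name or None)."""
    user, group_object = None, None
    for attr_type, value in parse_attributes(attr_bytes):
        if attr_type == RADIUS_USER_NAME:
            user = value.decode("utf-8", errors="replace")
        elif attr_type == membership_attr and group_object is None:
            group_object = EXT_GROUP_USERS.get(value.decode("utf-8", errors="replace"))
    return user, group_object


if __name__ == "__main__":
    accept = build_attributes([(RADIUS_USER_NAME, b"leo"), (RADIUS_CLASS, b"Finance")])
    print(accept.hex(), "->", group_for_accept(accept))
    print(group_for_accept(build_attributes([(RADIUS_USER_NAME, b"temp"), (RADIUS_CLASS, b"Intern")])))
```

A user whose Class value matches none of the ext-group-user objects gets no group and therefore falls under the table's "Others" row, which is the safe default; check the RADIUS server's Class values against the Group Identifier fields character for character, since the comparison is exact.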
• Select Endpoint must have Personal Firewall installed and move the Kaspersky Internet Security entries to the allowed list (you can double-click an entry to move it). • Select Endpoint must have Anti-Virus software installed and move the Kaspersky Internet Security and Kaspersky Anti-Virus anti-virus software entries to the allowed list. The following figure shows the configuration screen example.
Chapter 7 Tutorials Repeat as needed to create endpoint security objects for other Windows operating system versions. 7.9.2 Configure the Authentication Policy Click Configuration > Auth. Policy > Add to open the Endpoint Security Edit screen. Use this screen to configure an authentication policy to use endpoint security objects. • Enable the policy and name it.
Chapter 7 Tutorials 4 Turn on authentication policy and click Apply. Figure 117 Configuration > Auth. Policy The following figure shows an error message example when a user’s computer does not meet an endpoint security object’s requirements. Click Close to return to the login screen. Figure 118 Example: Endpoint Security Error Message 7.
Chapter 7 Tutorials user access (logging into SSL VPN for example). See Chapter 50 on page 809 for more on service control. The To-ZyWALL firewall rules apply to any kind of HTTP or HTTPS connection to the ZyWALL. They do not distinguish between administrator management access and user access. If you configure service control to allow management or user HTTP or HTTPS access, make sure the firewall is not configured to block that access. 7.10.
4 Select the new rule and click the Add icon.
Figure 121 Configuration > System > WWW (First Example Admin Service Rule Configured)
5 In the Zone field select ALL and set the Action to Deny. Click OK.
6 Click Apply.
Figure 123 Configuration > System > WWW (Second Example Admin Service Rule Configured)
Now administrator access to the Web Configurator can only come from the LAN zone. Admin service rules are matched in order, so keep the ALL / Deny rule below the LAN rule that allows access; if the deny rule is moved above it, administrators are locked out from the LAN as well. Non-admin users can still use HTTPS to log into the ZyWALL from any of the ZyWALL's zones (to use SSL VPN for example).
7.11 How to Allow Incoming H.323 Peer-to-peer Calls
Suppose you have an H.323 device on the LAN for VoIP calls and you want it to be able to receive peer-to-peer calls from the WAN.
for ge2 IP address 10.0.0.8 to an H.323 device located on the LAN and using IP address 192.168.1.56.
Figure 124 WAN to LAN H.323 Peer-to-peer Calls Example (WAN IP 10.0.0.8, LAN H.323 device 192.168.1.56)
7.11.1 Turn On the ALG
Click Configuration > Network > ALG. Select Enable H.323 ALG and Enable H.323 transformations and click Apply.
Figure 125 Configuration > Network > ALG
7.11.2 Set Up a NAT Policy For H.323
In this example, you need a NAT policy to forward H.
1 Use Configuration > Object > Address > Add to create an address object for the public WAN IP address (called WAN_IP-for-H323 here). Then use it again to create an address object for the H.323 device's private LAN IP address (called LAN_H323 here).
2 Click Configuration > Network > NAT > Add. Configure a name for the rule (WAN-LAN_H323 here). You want the LAN H.323 device to receive peer-to-peer calls from the WAN and also be able to initiate calls to the WAN, so set the Classification to NAT 1:1. Set the Incoming Interface to ge2. Set the Original IP to the WAN address object (WAN_IP-for-H323). Set the Mapped IP to the H.323 device's LAN IP address object (LAN_H323).
1 Click Configuration > Firewall > Add. In the From field select WAN. In the To field select LAN. Configure a name for the rule (WAN-to-LAN_H323 here). Set the Destination to the H.323 device's LAN IP address object (LAN_H323). LAN_H323 is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule. Set the Service to H.323. Click OK.
Figure 128 Configuration > Firewall > Add
7.
7.12.1 Create the Address Objects
Use Configuration > Object > Address > Add to create the address objects.
1 Create a host address object named DMZ_HTTP for the HTTP server's private IP address of 192.168.3.7.
Figure 130 Creating the Address Object for the HTTP Server's Private IP Address
2 Create a host address object named Public_HTTP_Server_IP for the public WAN IP address 1.1.1.1.
Figure 131 Creating the Address Object for the Public IP Address
7.12.
• Keep Enable NAT Loopback selected to allow users connected to other interfaces to access the HTTP server (see NAT Loopback on page 419 for details).
Figure 132 Creating the NAT Entry
7.12.3 Set Up a Firewall Rule
The firewall blocks traffic from the WAN zone to the DMZ zone by default so you need to create a firewall rule to allow the public to send HTTP traffic to IP address 1.1.1.1 in order to access the HTTP server. If a domain name is registered for IP address 1.1.1.
1 Click Configuration > Firewall > Add. Set the From field as WAN and the To field as DMZ. Set the Destination to the HTTP server's DMZ IP address object (DMZ_HTTP). DMZ_HTTP is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule. Set the Access field to allow and the Service to HTTP, and click OK.
Figure 133 Configuration > Firewall > Add
7.
address 1.1.1.2 that you will use on the WAN interface (ge2, the Incoming Interface of the NAT rule below) and map to the IPPBX's private DMZ IP address of 192.168.3.9. The local SIP clients are on the LAN.
7.13.1 Turn On the ALG
Click Configuration > Network > ALG. Select Enable SIP ALG and Enable SIP Transformations and click Apply.
Figure 135 Configuration > Network > ALG
7.13.2 Create the Address Objects
Use Configuration > Object > Address > Add to create the address objects.
1 Create a host address object named IPPBX-DMZ for the IPPBX's private DMZ IP address of 192.168.3.9.
2 Create a host address object named IPPBX-Public for the public WAN IP address 1.1.1.2.
Figure 137 Creating the Public IP Address Object
7.13.3 Set Up a NAT Policy for the IPPBX
Click Configuration > Network > NAT > Add.
• Configure a name for the rule (WAN-DMZ_IPPBX here).
• You want the IPPBX to receive calls from the WAN and also be able to send calls to the WAN, so set the Classification to NAT 1:1.
• Set the Incoming Interface to ge2.
• Click OK.
Figure 138 Configuration > Network > NAT > Add
7.13.4 Set Up a WAN to DMZ Firewall Rule for SIP
The firewall blocks traffic from the WAN zone to the DMZ zone by default so you need to create a firewall rule to allow the public to send SIP traffic to the IPPBX. If a domain name is registered for IP address 1.1.1.2, users can use it to connect for making SIP calls.
1 Click Configuration > Firewall > Add. Set the From field as WAN and the To field as DMZ. Set the Destination to the IPPBX's DMZ IP address object (IPPBX-DMZ). IPPBX-DMZ is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule. Set the Access field to allow and click OK. Restricting the Service to SIP, as the H.323 rule in Section 7.11 does for H.323, limits what the public can reach on the IPPBX to the call signaling port.
Figure 139 Configuration > Firewall > Add
7.13.
1 Click Configuration > Firewall > Add. Set the From field as DMZ and the To field as LAN. Set the Source to the IPPBX's DMZ IP address object (IPPBX-DMZ); in this rule the IPPBX is the sender, so it belongs in the Source field rather than the Destination field. Leave the Access field at allow and click OK.
Figure 140 Configuration > Firewall > Add
7.
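The processing order the firewall steps in Sections 7.11 to 7.13 depend on (NAT is applied first, so the firewall rule's Destination must be the private address object) is easy to get wrong. The following is an added example, not ZyXEL code, that models that order for the HTTP server and IPPBX addresses from Sections 7.12 and 7.13 and shows that a WAN-to-DMZ rule written against the public address never matches. The zone-to-subnet mapping, the service port table, the HTTP NAT rule's name and the first-match evaluation are simplifying assumptions for this example, not a description of the device's actual implementation; 203.0.113.5 is a documentation address standing in for an Internet client.

```python
"""Added example (not ZyXEL code): NAT 1:1 applied before the firewall rule.

Addresses and object names follow Sections 7.12 and 7.13; the zone mapping,
service table and first-match evaluation are assumptions for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Assumed zone layout from the tutorial addresses; anything else is WAN.
ZONE_SUBNETS = {
    "LAN": ip_network("192.168.1.0/24"),
    "DMZ": ip_network("192.168.3.0/24"),
}

# Assumed service definitions: (protocol, destination port).
SERVICES = {"HTTP": ("tcp", 80), "SIP": ("udp", 5060), "H.323": ("tcp", 1720)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Nat11:
    """Classification NAT 1:1: Original IP (public) <-> Mapped IP (private)."""
    name: str
    original: str
    mapped: str


@dataclass(frozen=True)
class FwRule:
    name: str
    from_zone: str
    to_zone: str
    destination: Optional[str]   # address object value; None means any
    service: str                 # "any" or a key of SERVICES
    action: str                  # "allow" or "deny"


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for zone, net in ZONE_SUBNETS.items():
        if addr in net:
            return zone
    return "WAN"


def apply_inbound_nat(pkt: Packet, nat_rules: List[Nat11]) -> Tuple[Packet, Optional[str]]:
    """Rewrite the destination of a packet addressed to a NAT 1:1 Original IP."""
    for rule in nat_rules:
        if pkt.dst == rule.original:
            return Packet(pkt.src, rule.mapped, pkt.proto, pkt.dport), rule.name
    return pkt, None


def firewall_decision(pkt: Packet, rules: List[FwRule]) -> Tuple[str, str]:
    """First matching rule wins; unmatched traffic is denied, which is the
    tutorial's 'WAN to DMZ is blocked by default'."""
    from_zone, to_zone = zone_of(pkt.src), zone_of(pkt.dst)
    for rule in rules:
        if (rule.from_zone, rule.to_zone) != (from_zone, to_zone):
            continue
        if rule.destination is not None and rule.destination != pkt.dst:
            continue
        if rule.service != "any" and SERVICES[rule.service] != (pkt.proto, pkt.dport):
            continue
        return rule.action, rule.name
    return "deny", "default"


def process(pkt: Packet, nat_rules: List[Nat11], fw_rules: List[FwRule]) -> Dict[str, Optional[str]]:
    """NAT first; the firewall then sees the translated (private) destination."""
    translated, nat_name = apply_inbound_nat(pkt, nat_rules)
    action, rule_name = firewall_decision(translated, fw_rules)
    return {"nat": nat_name, "dst_after_nat": translated.dst, "action": action, "rule": rule_name}


# Objects from the tutorial (the HTTP NAT rule name is assumed).
NAT_RULES = [
    Nat11("WAN-DMZ_HTTP", original="1.1.1.1", mapped="192.168.3.7"),   # Section 7.12
    Nat11("WAN-DMZ_IPPBX", original="1.1.1.2", mapped="192.168.3.9"),  # Section 7.13
]
FW_RULES = [
    FwRule("WAN-to-DMZ_HTTP", "WAN", "DMZ", "192.168.3.7", "HTTP", "allow"),  # DMZ_HTTP
    FwRule("WAN-to-DMZ_SIP", "WAN", "DMZ", "192.168.3.9", "SIP", "allow"),    # IPPBX-DMZ
]
# The common mistake: naming the public address object in the firewall rule.
WRONG_RULES = [FwRule("WAN-to-DMZ_HTTP_wrong", "WAN", "DMZ", "1.1.1.1", "HTTP", "allow")]

if __name__ == "__main__":
    print(process(Packet("203.0.113.5", "1.1.1.1", "tcp", 80), NAT_RULES, FW_RULES))    # allow
    print(process(Packet("203.0.113.5", "1.1.1.1", "tcp", 80), NAT_RULES, WRONG_RULES))  # deny
```

The second call shows why a rule whose Destination is Public_HTTP_Server_IP or IPPBX-Public silently drops the traffic: by the time the rule is evaluated the destination is already 192.168.3.7 or 192.168.3.9, so nothing matches and the default deny applies.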
7.14.2 Configure the Policy Route
Now you need to configure a policy route that has the ZyWALL use the range of public IP addresses as the source address for LAN to WAN traffic. Click Configuration > Network > Routing > Add. Although adding a description is optional, it is recommended. This example uses LAN-to-WAN-Range. Specifying a Source Address is also optional although recommended. This example uses LAN_SUBNET. Set the Source Network Address Translation to Public-IPs and click OK.
An Ethernet switch connects both ZyWALLs' ge1 interfaces to the LAN. Whichever ZyWALL is functioning as the master uses the default gateway IP address of the LAN computers (192.168.1.1) for its ge1 interface and the static public IP address (1.1.1.1) for its ge2 interface. If ZyWALL A recovers (has both its ge1 and ge2 interfaces connected), it resumes its role as the master and takes over all of its functions again.
Figure 143 Device HA: Master Fails and Backup Takes Over
7.15.2 Configure Device HA on the Master ZyWALL
1 Log into ZyWALL A (the master) and click Configuration > Device HA > Active-Passive Mode. Double-click ge1's entry.
2 Configure 192.168.1.3 as the Management IP and 255.255.255.0 as the Manage IP Subnet Mask. Click OK.
3 Set the Device Role to Master. This example focuses on the connection from the LAN (ge1) to the Internet through the ge2 interface, so select the ge1 and ge2 interfaces and click Activate. Enter a Synchronization Password ("mySyncPassword" in this example) and click Apply. The synchronization password protects the transfer of the whole configuration to the backup, so use a strong value rather than this example.
Figure 146 Configuration > Device HA > Active-Passive Mode: Master ZyWALL Example
4 Click the General tab. Turn on device HA and click Apply.
7.15.3 Configure the Backup ZyWALL
1 Connect a computer to ZyWALL B's ge1 interface and log into its Web Configurator. Connect ZyWALL B to the Internet and subscribe it to the same subscription services (like content filtering and anti-virus) to which ZyWALL A is subscribed. See Chapter 11 on page 277 for more on the subscription services.
2 In ZyWALL B click Configuration > Device HA > Active-Passive Mode. Click ge1's Edit icon.
3 Configure 192.168.1.
4 Set the Device Role to Backup. Activate monitoring for the ge1 and ge2 interfaces. Set the Synchronization Server Address to 192.168.1.1, the Port to 21, and the Password to "mySyncPassword". Select Auto Synchronize and set the Interval to 60. Click Apply.
Figure 149 Configuration > Device HA > Active-Passive Mode: Backup ZyWALL Example
5 Click the General tab. Turn on device HA and click Apply.
7.15.4 Deploy the Backup ZyWALL
Connect ZyWALL B's ge1 interface to the LAN network. Connect ZyWALL B's ge2 interface to the same router that ZyWALL A's ge2 interface uses for Internet access. ZyWALL B copies A's configuration (and re-synchronizes with A every hour). If ZyWALL A fails or loses its ge1 or ge2 connection, ZyWALL B functions as the master.
7.15.
CHAPTER 8 L2TP VPN Example
Here is how to create a basic L2TP VPN tunnel.
8.1 L2TP VPN Example
This example uses the following settings in creating a basic L2TP VPN tunnel.
Figure 151 L2TP VPN Example (ZyWALL ge2: 172.16.1.2; L2TP_POOL: 192.168.10.10~192.168.10.20; LAN_SUBNET: 192.168.1.x)
• The ZyWALL has a static IP address of 172.16.1.2 for the ge2 interface.
• The remote user has a dynamic public IP address and connects through the Internet.
• Configure the My Address setting. This example uses interface ge2 with static IP address 172.16.1.2.
Note: If it is possible that the remote user's public IP address could be in the same subnet as the specified My Address, click Configuration > Network > Routing > Policy Route > Show Advanced Settings and select Use Policy Route to Override Direct Route.
• Select Pre-Shared Key and configure a password. This example uses topsecret; outside of this example use a long, random value, since the same key is shared by every remote client. Click OK.
8.3 Configuring the Default L2TP VPN Connection Example
1 Click Configuration > VPN > IPSec VPN to open the screen that lists the VPN connections. Double-click the Default_L2TP_VPN_Connection entry.
2 Click the Show Advanced Settings button. Configure and enforce the local and remote policies.
• Create an address object that uses host type and contains the My Address IP address that you configured in the Default_L2TP_VPN_GW.
3 Select the Default_L2TP_VPN_Connection entry and click Activate and then Apply to turn on the entry.
Figure 155 Configuration > VPN > IPSec VPN > VPN Connection (Enable)
8.4 Configuring the L2TP VPN Settings Example
1 Click Configuration > VPN > L2TP VPN and configure the following.
• Configure an IP address pool for the range of 192.168.10.10 to 192.168.10.20. It is called L2TP_POOL here.
• Enable the connection.
• Set the VPN Connection to the Default_L2TP_VPN_Connection.
• The other fields are left at the defaults in this example; click Apply.
Figure 156 Configuration > VPN > L2TP VPN Example
8.5 Configuring L2TP VPN in Windows Vista, XP, or 2000
The following sections cover how to configure L2TP in remote user computers using Windows Vista, XP, and 2000. The example settings in these sections go along with the L2TP VPN configuration example in Section 8.1 on page 183.
2 Select Connect to a workplace and click Next.
Figure 157 Set up a connection or network: Choose a connection type
3 Select Use my Internet connection (VPN).
4 Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN (172.16.1.2 in this example). For the Destination Name, enter L2TP to ZyWALL. Select Don't connect now, just set it up so I can connect later and click Next.
Figure 159 Connect to a workplace: Type the Internet address to connect to
5 Enter the user name and password of a user account that can use the L2TP VPN connection and click Next.
6 Click Close.
Figure 161 Connect to a workplace: The connection is ready to use
7 In the Network and Sharing Center screen, click Connect to a network. Right-click the L2TP VPN connection and select Properties.
8 Click Security, select Advanced (custom settings) and click Settings.
Figure 163 Connect L2TP to ZyWALL: Security
9 Set Data encryption to Optional encryption (connect even if no encryption) and select the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK.
Figure 164 Connect ZyWALL L2TP: Security > Advanced
10 Click Yes.
inside it. The L2TP tunnel itself does not need encryption since it is inside the encrypted IPSec VPN tunnel. This is only safe because the Type of VPN is set to L2TP IPSec VPN in step 11, so the client does not send the L2TP tunnel, and the PAP user name and password inside it, without IPSec; do not reuse these settings for a connection that is not protected by IPSec.
Figure 165 Connect ZyWALL L2TP: Security > Advanced > Warning
11 Click Networking. Set the Type of VPN to L2TP IPSec VPN and click IPSec Settings.
13 Select the L2TP VPN connection and click Connect.
Figure 168 L2TP to ZyWALL Properties: Networking
14 Enter the user name and password of your ZyWALL user account. Click Connect.
15 A window appears while the user name and password are verified and notifies you when the connection is established.
Figure 170 Connecting to L2TP to ZyWALL
16 If a window appears asking you to select a location for the network, you can select Work if you want your computer to be discoverable by computers behind the ZyWALL.
17 After the network location has been set, click Close.
Figure 172 Set Network Location Successful
18 After the connection is up a connection icon displays in your system tray. Click it and then the L2TP connection to open a status screen.
19 Click the L2TP connection's View status link to open a status screen.
Figure 174 Network and Sharing Center
20 Click Details to see that the address you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20).
Figure 175 ZyWALL-L2TP Status: Details
21 Access a server or other network resource behind the ZyWALL to make sure your access works.
8.5.2 Configuring L2TP in Windows XP
In Windows XP do the following to establish an L2TP VPN connection.
1 Click Start > Control Panel > Network Connections > New Connection Wizard.
2 Click Next in the Welcome screen.
3 Select Connect to the network at my workplace and click Next.
Figure 176 New Connection Wizard: Network Connection Type
4 Select Virtual Private Network connection and click Next.
5 Type L2TP to ZyWALL as the Company Name.
Figure 178 New Connection Wizard: Connection Name
6 Select Do not dial the initial connection and click Next.
7 Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN (172.16.1.2 in this example).
Figure 180 New Connection Wizard: VPN Server Selection
8 Click Finish.
9 The Connect L2TP to ZyWALL screen appears. Click Properties > Security.
10 Click Security, select Advanced (custom settings) and click Settings.
Figure 182 Connect L2TP to ZyWALL: Security
11 Select Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK.
12 Click IPSec Settings.
Figure 184 L2TP to ZyWALL Properties > Security
13 Select the Use pre-shared key for authentication check box and enter the pre-shared key used in the VPN gateway configuration that the ZyWALL is using for L2TP VPN. Click OK.
14 Click Networking. Select L2TP IPSec VPN as the Type of VPN. Click OK.
Figure 186 L2TP to ZyWALL Properties: Networking
15 Enter the user name and password of your ZyWALL account. Click Connect.
Figure 187 Connect L2TP to ZyWALL
16 A window appears while the user name and password are verified.
17 A ZyWALL-L2TP icon displays in your system tray. Double-click it to open a status screen.
18 Click Details to see that the address you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20).
Figure 189 ZyWALL-L2TP Status: Details
19 Access a server or other network resource behind the ZyWALL to make sure your access works.
8.5.3 Configuring L2TP in Windows 2000
Windows 2000 does not support using pre-shared keys by default. Use the following procedures to edit the registry and then configure the computer to use the L2TP client.
8.
3 Select HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters.
Figure 191 Registry Key
4 Right-click Parameters and select New > DWORD Value.
Figure 192 New DWORD Value
5 Enter ProhibitIpSec as the name and set its value data to 1. This stops Windows 2000 from creating its automatic, certificate-based L2TP/IPSec policy, so the pre-shared key IPSec policy you configure in the next section is used instead.
Figure 193 ProhibitIpSec DWORD Value
6 Restart the computer and continue with the next section.
8.5.3.2 Configure the Windows 2000 IPSec Policy
After you have created the registry entry and restarted the computer, use these directions to configure an IPSec policy for the computer to use.
1 Click Start > Run. Type mmc and click OK.
Figure 194 Run mmc
2 Click Console > Add/Remove Snap-in.
3 Click Add > IP Security Policy Management > Add > Finish. Click Close > OK.
Figure 196 Add > IP Security Policy Management > Finish
4 Right-click IP Security Policies on Local Machine and click Create IP Security Policy. Click Next in the welcome screen.
5 Name the IP security policy L2TP to ZyWALL, and click Next.
Figure 198 IP Security Policy: Name
6 Clear the Activate the default response rule check box and click Next.
7 Leave the Edit Properties check box selected and click Finish.
Figure 200 IP Security Policy: Completing the IP Security Policy Wizard
8 In the properties dialog box, click Add > Next.
9 Select This rule does not specify a tunnel and click Next.
Figure 202 IP Security Policy Properties: Tunnel Endpoint
10 Select All network connections and click Next.
11 Select Use this string to protect the key exchange (preshared key), type the pre-shared key configured in the ZyWALL's VPN gateway (topsecret in this example) in the text box, and click Next.
Figure 204 IP Security Policy Properties: Authentication Method
12 Click Add.
13 Type ZyWALL WAN_IP in the Name field. Clear the Use Add Wizard check box and click Add.
Figure 206 IP Security Policy Properties: IP Filter List > Add
14 Configure the following in the Addressing tab. Select My IP Address in the Source address drop-down list box. Select A specific IP Address in the Destination address drop-down list box and type the ZyWALL's WAN IP address (172.16.1.2 in this example) in the IP Address field. Make certain the Mirrored check box is selected.
15 Configure the following in the Filter Properties window's Protocol tab. Set the protocol type to UDP from port 1701. Select To any port. Click Apply, OK, and then Close.
Figure 208 Filter Properties: Protocol
16 Select ZyWALL WAN_IP and click Next.
17 Select Require Security and click Next. Then click Finish and Close.
Figure 210 IP Security Policy Properties: IP Filter List
18 In the Console window, right-click L2TP to ZyWALL and select Assign.
Figure 211 Console: L2TP to ZyWALL Assign
8.5.3.3 Configure the Windows 2000 Network Connection
After you have configured the IPSec policy, use these directions to create a network connection.
1 Click Start > Settings > Network and Dial-up connections > Make New Connection. In the wizard welcome screen, click Next.
Figure 212 Start New Connection Wizard
2 Select Connect to a private network through the Internet and click Next.
Figure 213 New Connection Wizard: Network Connection Type
3 Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN. Click Next.
4 Select For all users and click Next.
Figure 215 New Connection Wizard: Connection Availability
5 Name the connection L2TP to ZyWALL and click Finish.
Figure 216 New Connection Wizard: Naming the Connection
6 Click Properties.
7 Click Security and select Advanced (custom settings) and click Settings.
Figure 218 Connect L2TP to ZyWALL: Security
8 Select Optional encryption allowed (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK. Click Yes if a screen pops up.
9 Click Networking and select Layer 2 Tunneling Protocol (L2TP) from the drop-down list box. Click OK.
Figure 220 Connect L2TP to ZyWALL: Networking
10 Enter your user name and password and click Connect. It may take up to one minute to establish the connection and register on the network.
Figure 221 Connect L2TP to ZyWALL
11 A ZyWALL-L2TP icon displays in your system tray. Double-click it to open a status screen.
12 Click Details and scroll down to see that the address you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20).
Figure 223 L2TP to ZyWALL Status: Details
13 Access a server or other network resource behind the ZyWALL to make sure your access works.
PART II Technical Reference
CHAPTER 9 Dashboard
9.1 Overview
Use the Dashboard screens to check status information about the ZyWALL.
9.1.1 What You Can Do in this Chapter
Use the Dashboard screens for the following.
• Use the main Dashboard screen (see Section 9.2 on page 221) to see the ZyWALL's general device information, system status, system resource usage, licensed service status, and interface status. You can also display other status screens for more information.
• Use the VPN status screen (see Section 9.2.
interface status in widgets that you can re-arrange to suit your needs. You can also collapse, refresh, and close individual widgets.
Figure 224 Dashboard (callouts A to E)
The following table describes the labels in this screen.
Table 21 Dashboard
Widget Setting (A): Use this link to re-open closed widgets. Widgets that are already open appear grayed out.
Up Arrow (B): Click this to collapse a widget.
The following front and rear panel labels display when you hover your cursor over a connected interface or slot.
Name: This field displays the name of each interface.
Slot: This field displays the name of each extension slot.
Device: This field displays the name of the device connected to the extension slot (or none if no device is detected).
Device: This identifies a device installed in one of the ZyWALL's extension slots or USB ports.
Device Information
System Name: This field displays the name used to identify the ZyWALL on any network. Click the icon to open the screen where you can change it. See Section 50.2 on page 810.
Model Name: This field displays the model name of this ZyWALL.
Serial Number: This field displays the serial number of this ZyWALL.
Status: This field displays the current status of each interface. The possible values depend on what type of interface it is. For Ethernet interfaces: Inactive - The Ethernet interface is disabled. Down - The Ethernet interface is enabled but not connected. Speed / Duplex - The Ethernet interface is enabled and connected. This field displays the port speed and duplex setting (Full or Half).
Action: Use this field to get or to update the IP address for the interface. Click Renew to send a new DHCP request to a DHCP server. Click the Connect icon to have the ZyWALL try to connect a PPPoE/PPTP interface or the auxiliary interface. If the interface cannot use one of these ways to get or to update its IP address, this field displays n/a. Click the Disconnect icon to stop a PPPoE/PPTP or auxiliary interface's connection.
Boot Status: This field displays details about the ZyWALL's startup state. OK - The ZyWALL started up successfully. Firmware update OK - A firmware update was successful. Problematic configuration after firmware update - The application of the configuration failed after a firmware upgrade. System default configuration - The ZyWALL successfully applied the system default configuration.
Signature Name: The signature name identifies a specific intrusion pattern.
Type: This column displays when you display the entries by Signature Name. It shows the categories of intrusions. See Table 162 on page 600 for more information.
Severity: This is the level of threat that the intrusions may pose.
Occurrence: This is how many times the ZyWALL has detected the event described in the entry.
9.2.
9.2.2 The Memory Usage Screen
Use this screen to look at a chart of the ZyWALL's recent memory (RAM) usage. To access this screen, click Memory Usage in the dashboard.
Figure 226 Dashboard > Memory Usage
The following table describes the labels in this screen.
Table 23 Dashboard > Memory Usage
The y-axis represents the percentage of RAM usage.
9.2.3 The Session Usage Screen
Use this screen to look at a chart of the ZyWALL's recent traffic session usage. To access this screen, click Session Usage in the dashboard.
Figure 227 Dashboard > Session Usage
The following table describes the labels in this screen.
Table 24 Dashboard > Session Usage
Sessions: The y-axis represents the number of sessions.
9.2.4 The VPN Status Screen
Use this screen to look at the VPN tunnels that are currently established. To access this screen, click VPN Status in the dashboard.
Figure 228 Dashboard > VPN Status
The following table describes the labels in this screen.
Table 25 Dashboard > VPN Status
#: This field is a sequential value, and it is not associated with a specific SA.
Name: This field displays the name of the IPSec SA.
The following table describes the labels in this screen.
Table 26 Dashboard > DHCP Table
#: This field is a sequential value, and it is not associated with a specific entry.
Interface: This field identifies the interface that assigned an IP address to a DHCP client.
IP Address: This field displays the IP address currently assigned to a DHCP client or reserved for a specific MAC address. Click the column's heading cell to sort the table entries by IP address.
The following table describes the labels in this screen.
Table 27 Dashboard > Number of Login Users
#: This field is a sequential value and is not associated with any entry.
User ID: This field displays the user name of each user who is currently logged in to the ZyWALL.
Reauth Lease T.: This field displays the amount of reauthentication time remaining and the amount of lease time remaining for each user. See Chapter 40 on page 715.
CHAPTER 10 Monitor
10.1 Overview
Use the Monitor screens to check status and statistics information.
10.1.1 What You Can Do in this Chapter
Use the Monitor screens for the following.
• Use the System Status > Port Statistics screen (see Section 10.2 on page 236) to look at packet statistics for each physical port.
• Use the System Status > Port Statistics Graph screen (see Section 10.2.1) to look at a line graph of packet statistics for each physical port.
Chapter 10 Monitor • Use the VPN Monitor > SSL screen (see Section 10.13 on page 261) to list the users currently logged into the VPN SSL client portal. You can also log out individual users and delete related session information. • Use the VPN Monitor > L2TP over IPSec screen (see Section 10.14 on page 262) to display and manage the ZyWALL’s connected L2TP VPN sessions. • Use the Anti-X Statistics > Anti-Virus screen (see Section 10.
Chapter 10 Monitor The following table describes the labels in this screen. Table 28 Monitor > System Status > Port Statistics LABEL DESCRIPTION Poll Interval Enter how often you want this window to be updated automatically, and click Set Interval. Set Interval Click this to set the Poll Interval the screen uses. Stop Click this to stop the window from updating automatically. You can start it again by setting the Poll Interval and clicking Set Interval.
Chapter 10 Monitor 10.2.1 The Port Statistics Graph Screen Use this screen to look at a line graph of packet statistics for each physical port. To access this screen, click Port Statistics in the Status screen and then the Switch to Graphic View Button. Figure 232 Monitor > System Status > Port Statistics > Switch to Graphic View The following table describes the labels in this screen.
Chapter 10 Monitor Table 29 Monitor > System Status > Port Statistics > Switch to Graphic View LABEL DESCRIPTION Last Update This field displays the date and time the information in the window was last updated. System Up Time This field displays how long the ZyWALL has been running since it last restarted or was turned on. 10.3 Interface Status Screen This screen lists all of the ZyWALL’s interfaces and gives packet statistics for them.
Chapter 10 Monitor Each field is described in the following table. Table 30 Monitor > System Status > Interface Status 240 LABEL DESCRIPTION Interface Status If an Ethernet interface does not have any physical ports associated with it, its entry is displayed in light gray text. Expand/Close Click this button to show or hide statistics for all the virtual interfaces on top of the Ethernet interfaces. Name This field displays the name of each interface.
Chapter 10 Monitor Table 30 Monitor > System Status > Interface Status (continued) LABEL DESCRIPTION Status This field displays the current status of each interface. The possible values depend on what type of interface it is. For Ethernet interfaces: Inactive - The Ethernet interface is disabled. Down - The Ethernet interface is enabled but not connected. Speed / Duplex - The Ethernet interface is enabled and connected. This field displays the port speed and duplex setting (Full or Half).
Chapter 10 Monitor Table 30 Monitor > System Status > Interface Status (continued) LABEL DESCRIPTION Zone This field displays the zone to which the interface is assigned. IP Addr/ Netmask This field displays the current IP address and subnet mask assigned to the interface. If the IP address and subnet mask are 0.0.0.0, the interface is disabled or did not receive an IP address and subnet mask via DHCP.
10.4 The Traffic Statistics Screen

Click Monitor > System Status > Traffic Statistics to display the Traffic Statistics screen. This screen provides basic information such as the following:
• Most-visited web sites and the number of times each one was visited. This count may not be accurate in some cases because the ZyWALL counts HTTP GET packets, and a single page view can involve several GET requests. Please see Table 31 on page 244 for more information.

There is a limit on the number of records shown in the report. Please see Table 32 on page 245 for more information. The following table describes the labels in this screen.

Table 31 Monitor > System Status > Traffic Statistics
Data Collection
Collect Statistics: Select this to have the ZyWALL collect data for the report. If the ZyWALL has already been collecting data, the collection period displays to the right.
The following fields are available when the Traffic Type is Service/Port.
#: The rank of each record. The protocols and service ports are sorted by the amount of traffic.
Service/Port: The service and port in this record. The maximum number of services and service ports in this report is indicated in Table 32 on page 245.
10.5 The Session Monitor Screen

The Session Monitor screen displays information about active sessions for debugging or statistical analysis. It is not possible to manage sessions in this screen. The following information is displayed.

The following table describes the labels in this screen.

Table 33 Monitor > System Status > Session Monitor
View: Select how you want the information to be displayed.
Service: The protocol used in each active session. If you are looking at the sessions-by-services report, click + or - to display or hide details about a protocol's sessions.
Source: The source IP address and port in each active session.
Table 34 Monitor > System Status > DDNS Status (continued)
Last Update Status: Whether the last attempt to resolve the IP address for the domain name was successful or not. Updating means the ZyWALL is currently attempting to resolve the IP address for the domain name.
Last Update Time: When the last attempt to resolve the IP address for the domain name occurred (in year-month-day hour:minute:second format).

Table 35 Monitor > System Status > IP/MAC Binding (continued)
Last Access: When the device last established a session with the ZyWALL through this interface.
Refresh: Click this button to update the information in the screen.

10.8 The Login Users Screen

Use this screen to look at a list of the users currently logged into the ZyWALL. To access this screen, click Monitor > System Status > Login Users.
10.9 WLAN Interface Station Monitor Screen

The station monitor displays the connection status of the wireless clients connected to (or trying to connect to) an IEEE 802.11b/g card installed in the ZyWALL. To open the station monitor, click Monitor > System Status > WLAN Status. The screen appears as shown.

Figure 239 Monitor > System Status > WLAN Status

The following table describes the labels in this menu.

10.10 Cellular Status Screen

This screen displays your 3G connection status. Click Monitor > System Status > Cellular Status to display this screen.

Figure 240 Monitor > System Status > Cellular Status

The following table describes the labels in this screen.

Table 38 Monitor > System Status > Cellular Status
Refresh: Click this button to update the information in the screen.
#: A sequential value, not associated with any interface.
Status:
  No device - no 3G device is connected to the ZyWALL.
  Device detected - displays when you connect a 3G device.
  Device error - a 3G device is connected but there is an error.
  Probe device fail - the ZyWALL's test of the 3G device failed.
  Probe device ok - the ZyWALL's test of the 3G device succeeded.
  Init device fail - the ZyWALL was not able to initialize the 3G device.
Signal Quality: The strength of the signal. The signal strength mainly depends on the antenna output power and the distance between your ZyWALL and the service provider's base station.
More Info.: Other details about the 3G connection.

10.11 Application Patrol Statistics

This screen displays a bandwidth usage graph and statistics for selected protocols.
10.11.2 Application Patrol Statistics: Bandwidth Statistics

The middle of the Monitor > AppPatrol Statistics screen displays a bandwidth usage line graph for the selected protocols.

Figure 242 Monitor > AppPatrol Statistics: Bandwidth Statistics
• The y-axis represents the amount of bandwidth used.
• The x-axis shows the time period over which the bandwidth usage occurred.
• A solid line represents a protocol's incoming bandwidth usage.

10.11.3 Application Patrol Statistics: Protocol Statistics

The bottom of the Monitor > AppPatrol Statistics screen displays statistics for each of the selected protocols.

Figure 243 Monitor > AppPatrol Statistics: Protocol Statistics

The following table describes the labels in this screen.

Table 40 Monitor > AppPatrol Statistics: Protocol Statistics
Service: The protocol.
Rule: The protocol's rule.
Inbound Kbps: The incoming bandwidth usage for traffic that matched this protocol rule, in kilobits per second. This is the protocol's traffic that the ZyWALL sends to the initiator of the connection. So for a connection initiated from the LAN to the WAN, the traffic sent from the WAN to the LAN is the inbound traffic.

The following table describes the labels in this screen.

Table 41 Monitor > AppPatrol Statistics > Service
Service Name: The application.
Rule Statistics: This table displays the statistics for each of the service's application patrol rules.
#: A sequential value, not associated with a specific rule.
Inbound Kbps: The incoming bandwidth usage for traffic that matched this protocol rule, in kilobits per second.
screen appears. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order.

Figure 245 Monitor > VPN Monitor > IPSec

Each field is described in the following table.

Table 42 Monitor > VPN Monitor > IPSec
Name: Enter the name of an IPSec SA here and click Search to find it (if it is associated). You can use a keyword or regular expression. Use up to 30 alphanumeric and _+-.
Encapsulation: How the IPSec SA is encapsulated.
Policy: The content of the local and remote policies for this IPSec SA. The IP addresses, not the address objects, are displayed.
Algorithm: The encryption and authentication algorithms used in the SA.
Up Time: How many seconds the IPSec SA has been active.

10.13 The SSL Connection Monitor Screen

The ZyWALL keeps track of the users who are currently logged into the VPN SSL client portal. Click Monitor > VPN Monitor > SSL to display the user list. Use this screen to do the following:
• View a list of active SSL VPN connections.
• Log out individual users and delete related session information. Once a user logs out, the corresponding entry is removed from the Connection Monitor screen.

10.14 L2TP over IPSec Session Monitor Screen

Click Monitor > VPN Monitor > L2TP over IPSec to open the following screen. Use this screen to display and manage the ZyWALL's connected L2TP VPN sessions.

Figure 247 Monitor > VPN Monitor > L2TP over IPSec

The following table describes the fields in this screen.

Table 44 Monitor > VPN Monitor > L2TP over IPSec
Disconnect: Select a connection and click this button to disconnect it.
10.15 The Anti-Virus Statistics Screen

Click Monitor > Anti-X Statistics > Anti-Virus to display the following screen. This screen displays anti-virus statistics.

Figure 248 Monitor > Anti-X Statistics > Anti-Virus: Virus Name

The following table describes the labels in this screen.

Table 45 Monitor > Anti-X Statistics > Anti-Virus
Collect Statistics: Select this check box to have the ZyWALL collect anti-virus statistics.
Top Entry By: Use this field to have the following (read-only) table display the top anti-virus entries by Virus Name, Source IP or Destination IP. Select Virus Name to list the most common viruses that the ZyWALL has detected. Select Source IP to list the source IP addresses from which the ZyWALL has detected the most virus-infected files.

10.16 The IDP Statistics Screen

Click Monitor > Anti-X Statistics > IDP to display the following screen. This screen displays IDP (Intrusion Detection and Prevention) statistics.

Figure 251 Monitor > Anti-X Statistics > IDP: Signature Name

The following table describes the labels in this screen.

Table 46 Monitor > Anti-X Statistics > IDP
Collect Statistics: Select this check box to have the ZyWALL collect IDP statistics.
Table 46 Monitor > Anti-X Statistics > IDP (continued)
Top Entry By: Use this field to have the following (read-only) table display the top IDP entries by Signature Name, Source or Destination. Select Signature Name to list the most common signatures that the ZyWALL has detected. Select Source to list the source IP addresses from which the ZyWALL has detected the most intrusion attempts.

10.17 The Content Filter Statistics Screen

Click Monitor > Anti-X Statistics > Content Filter to display the following screen. This screen displays content filter statistics.

Figure 254 Monitor > Anti-X Statistics > Content Filter

The following table describes the labels in this screen.

Table 47 Monitor > Anti-X Statistics > Content Filter
Collect Statistics: Select this check box to have the ZyWALL collect content filtering statistics.
Web Pages Warned by Category Service: The number of web pages that matched an external database content filtering category selected in the ZyWALL and for which the ZyWALL displayed a warning before allowing users access.
You can remove individual entries from the cache. When you do this, the ZyWALL queries the external content filtering database the next time someone tries to access that web site. This allows you to check whether a web site's category has been changed. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order.

Figure 255 Anti-X > Content Filter > Cache

The following table describes the labels in this screen.

Table 48 Anti-X > Content Filter > Cache (continued)
Category: This field shows whether access to the web site's URL was blocked or allowed. Click the column heading to sort the entries. Point the triangle up to display the blocked URLs before the URLs to which access was allowed. Point the triangle down to display the URLs to which access was allowed before the blocked URLs.
10.19 The Anti-Spam Statistics Screen

Click Monitor > Anti-X Statistics > Anti-Spam to display the following screen. This screen displays spam statistics.

Figure 256 Monitor > Anti-X Statistics > Anti-Spam

The following table describes the labels in this screen.

Table 49 Monitor > Anti-X Statistics > Anti-Spam
Collect Statistics: Select this check box to have the ZyWALL collect anti-spam statistics.
Apply: Click Apply to save your changes back to the ZyWALL.
Spam Mails: The number of e-mails that the ZyWALL has determined to be spam.
Spam Mails Detected by Black List: The number of e-mails that matched an entry in the ZyWALL's anti-spam black list.
Spam Mails Detected by DNSBL: The ZyWALL can check the sender and relay IP addresses in an e-mail's header against DNS (Domain Name Service)-based spam Black Lists (DNSBLs).

10.20 The Anti-Spam Status Screen

Click Monitor > Anti-X Statistics > Anti-Spam > Status to display the Anti-Spam Status screen. Use the Anti-Spam Status screen to see how many e-mail sessions the anti-spam feature is scanning and statistics for the DNSBLs.

Figure 257 Monitor > Anti-X Statistics > Anti-Spam > Status

The following table describes the labels in this screen.
10.21 Log Screen

Log messages are stored in two separate logs, one for regular log messages and one for debugging messages. In the regular log, you can look at all the log messages by selecting All Logs, or you can select a specific category of log messages (for example, firewall or user). You can also look at the debugging log by selecting Debug Log. All debugging messages have the same priority. To access this screen, click Monitor > Log. The log is displayed in the following screen.

The following table describes the labels in this screen.

Table 51 Monitor > Log
Show Filter / Hide Filter: Click this button to show or hide the filter settings. If the filter settings are hidden, the Display, Email Log Now, Refresh, and Clear Log fields are available. If the filter settings are shown, the Display, Priority, Source Address, Destination Address, Service, Keyword, and Search fields are available.
Priority: The priority of the log message. It has the same range of values as the Priority field above.
Category: The log that generated the log message. It is the same value used in the Display and (other) Category fields.
Message: The reason the log message was generated.
CHAPTER 11 Registration

11.1 Overview

Use the Configuration > Licensing > Registration screens to register your ZyWALL and manage its service subscriptions.

11.1.1 What You Can Do in this Chapter
• Use the Registration screen (see Section 11.2 on page 279) to register your ZyWALL with myZyXEL.com and activate a service, such as content filtering.
• Use the Service screen (see Section 11.3 on page 281) to display the status of your service registrations and upgrade licenses.

Subscription Services Available on the ZyWALL

You can have the ZyWALL use anti-virus, IDP/AppPatrol (Intrusion Detection and Prevention and application patrol), and content filtering subscription services. You can also purchase and enter a license key to have the ZyWALL use more SSL VPN tunnels. See the respective User's Guide chapters for more information about these features.
11.2 The Registration Screen

Use this screen to register your ZyWALL with myZyXEL.com and activate a service, such as content filtering. Click Configuration > Licensing > Registration in the navigation panel to open the screen as shown next.

Figure 259 Configuration > Licensing > Registration

The following table describes the labels in this screen.

Table 52 Configuration > Licensing > Registration
General Setup: If you select existing myZyXEL.
Confirm Password: Enter the password again for confirmation.
E-Mail Address: Enter your e-mail address. You can use up to 80 alphanumeric characters (periods and the underscore are also allowed) without spaces.
Country: Select your country from the drop-down list.
Trial Service Activation: Select the check box to activate a trial service subscription.

Note: If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated (if any). You can still select the unchecked trial service(s) to activate them after registration. Use the Service screen to update your service subscription status.

Figure 260 Configuration > Licensing > Registration: Registered Device

11.3 The Service Screen

Use this screen to display the status of your service registrations and upgrade licenses.

The following table describes the labels in this screen.

Table 53 Configuration > Licensing > Registration > Service
License Status
#: The entry's position in the list.
Service: The services that are available on the ZyWALL.
Status: Whether a service is activated (Licensed), not activated (Not Licensed) or expired (Expired).
CHAPTER 12 Signature Update

12.1 Overview

This chapter shows you how to update the ZyWALL's signature packages.

12.1.1 What You Can Do in this Chapter
• Use the Configuration > Licensing > Update > Anti-virus screen (Section 12.2 on page 284) to update the anti-virus signatures. See Chapter 33 on page 573 for details on anti-virus.
• Use the Configuration > Licensing > Update > IDP/AppPatrol screen (Section 12.3 on page 285) to update the signatures used for IDP and application patrol.

12.2 The Antivirus Update Screen

Click Configuration > Licensing > Update > Anti-Virus to display the following screen.

Figure 262 Configuration > Licensing > Update > Anti-Virus

The following table describes the labels in this screen.

Signature Information: The following fields display information on the current signature set that the ZyWALL is using.
Signature Update: Use these fields to have the ZyWALL check for new signatures at myZyXEL.com. If new signatures are found, they are then downloaded to the ZyWALL.
Update Now: Click this button to have the ZyWALL check for new signatures immediately. If there are new ones, the ZyWALL will then download them.
Auto Update: Select this check box to have the ZyWALL automatically check for new signatures regularly at the time and day specified.
signatures from myZyXEL.com (see the Registration screens). Use the Update IDP/AppPatrol screen to schedule or immediately download IDP signatures.

Figure 263 Configuration > Licensing > Update > IDP/AppPatrol

The following table describes the fields in this screen.

Table 54 Configuration > Licensing > Update > IDP/AppPatrol
Signature Information: The following fields display information on the current signature set that the ZyWALL is using.
Daily: Select this option to have the ZyWALL check for new IDP signatures every day at the specified time. The time format is the 24-hour clock, so '23' means 11 PM, for example.
Weekly: Select this option to have the ZyWALL check for new IDP signatures once a week on the day and at the time specified.
Apply: Click this button to save your changes to the ZyWALL.

The following table describes the fields in this screen.

Table 55 Configuration > Licensing > Update > System Protect
Signature Information: The following fields display information on the current signature set that the ZyWALL is using.
Current Version: The system protect signature and anomaly rule set version number. This number gets larger as the set is enhanced.
CHAPTER 13 Interfaces

13.1 Interface Overview

Use the Interface screens to configure the ZyWALL's interfaces. You can also create interfaces on top of other interfaces.
• Ports are the physical ports to which you connect cables.
• Interfaces are used within the system operationally. You use them in configuring various features. An interface also describes a network that is directly connected to the ZyWALL. For example, you connect the LAN network to the ge1 interface.

• Use the Virtual Interface screen (Section 13.11 on page 356) to create virtual interfaces on top of Ethernet interfaces to tell the ZyWALL where to route packets. You can create virtual Ethernet interfaces, virtual VLAN interfaces, and virtual bridge interfaces.
• Use the Trunks screens (Chapter 14 on page 363) to configure load balancing.

• Trunks manage load balancing between interfaces.

Port groups, trunks, and the auxiliary interface have many characteristics that are specific to each type of interface. See Section 13.2 on page 293, Chapter 14 on page 363, and Section 13.10 on page 354 for details. The other types of interfaces (Ethernet, PPP, cellular, VLAN, bridge, and virtual) have many characteristics in common. These characteristics are listed in the following table and discussed in more detail below.

Table 57 Relationships Between Different Types of Interfaces (continued)
INTERFACE: REQUIRED PORT / INTERFACE
VLAN interface: Ethernet interface
bridge interface: Ethernet interface*, VLAN interface*
PPP interface: Ethernet interface*, VLAN interface*, bridge interface
virtual interface (virtual Ethernet interface, virtual VLAN interface, virtual bridge interface): Ethernet interface*, VLAN interface*, bridge interface
trunk: Ethernet interface, Cellular interface, VLAN interface, brid
13.2 Port Grouping

This section introduces port groups and then explains the screen for port groups.

13.2.1 Port Grouping Overview

Use port grouping to create port groups and to assign physical ports and port groups to Ethernet interfaces. Each physical port is assigned to one Ethernet interface. In port grouping, the Ethernet interfaces are called representative interfaces. If you assign more than one physical port to a representative interface, you create a port group.

Each section in this screen is described below.

Table 58 Configuration > Network > Interface > Port Grouping
Representative Interface (ge1, ge2, ge3, ge4, ge5, ge6): These are Ethernet interfaces. To add a physical port to a representative interface, drag the physical port onto the corresponding representative interface.
Physical Port (1, 2, 3, 4, 5, 6): These are the physical ports as they appear on the front panel of the ZyWALL.

Figure 266 Configuration > Network > Interface > Ethernet

Each field is described in the following table.

Table 59 Configuration > Network > Interface > Ethernet
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: To remove a virtual interface, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.
13.3.1 Ethernet Edit

The Ethernet Edit screen lets you configure IP address assignment, interface parameters, RIP settings, OSPF settings, DHCP settings, connectivity check, and MAC address settings. To access this screen, click an Edit icon in the Ethernet Summary screen. (See Section 13.3 on page 294.)

Figure 267 Configuration > Network > Interface > Ethernet > Edit
This screen's fields are described in the table below.

Table 60 Configuration > Network > Interface > Ethernet > Edit
Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
General Settings
Enable Interface: Select this to enable this interface. Clear this to disable this interface.
Interface Properties
Interface Type: Select the type of network to which you will connect this interface.
Use Fixed IP Address: This option appears when Interface Properties is External or General. Select this if you want to specify the IP address, subnet mask, and gateway manually.
IP Address: Enter the IP address for this interface.
Subnet Mask: Enter the subnet mask of this interface in dotted decimal notation.
Check Period: Enter the number of seconds between connection check attempts.
Check Timeout: Enter the number of seconds to wait for a response before the attempt is counted as a failure.
Check Fail Tolerance: Enter the number of consecutive failures before the ZyWALL stops routing through the gateway.
Check Default Gateway: Select this to use the default gateway for the connectivity check.
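The three connectivity-check fields interact: a probe runs every Check Period seconds, each probe waits at most Check Timeout seconds, and the gateway is only taken out of service after Check Fail Tolerance consecutive failures. The following is an added example, not ZyWALL code, that models those semantics as a small state machine so the values can be reasoned about before they are typed into the screen. The probe results it consumes are constructed; a real monitor would send ICMP or TCP probes to the gateway on each period.

```python
"""Added example (not ZyXEL code): the Check Period / Check Timeout /
Check Fail Tolerance semantics of the connectivity check, as a state machine.
The probe results fed in are constructed test data."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class GatewayCheck:
    period: int = 30            # Check Period: seconds between probes
    timeout: int = 5            # Check Timeout: seconds to wait for a reply
    fail_tolerance: int = 5     # Check Fail Tolerance: consecutive failures
    consecutive_failures: int = 0
    routing_enabled: bool = True
    # (probe time, probe succeeded, routing still enabled) for each probe
    history: List[Tuple[int, bool, bool]] = field(default_factory=list)

    def observe(self, t: int, rtt: Optional[float]) -> bool:
        """Record one probe. rtt is the reply time in seconds, or None if no
        reply arrived. A reply slower than the timeout also counts as a
        failure. Only consecutive failures count: one success resets the
        counter and re-enables routing through the gateway."""
        ok = rtt is not None and rtt <= self.timeout
        if ok:
            self.consecutive_failures = 0
            self.routing_enabled = True
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.fail_tolerance:
                self.routing_enabled = False
        self.history.append((t, ok, self.routing_enabled))
        return self.routing_enabled


def run_schedule(check: GatewayCheck, rtts: List[Optional[float]]) -> List[bool]:
    """Feed one probe result per period; return the routing state after each."""
    return [check.observe(i * check.period, rtt) for i, rtt in enumerate(rtts)]


def time_to_failover(check: GatewayCheck) -> int:
    """Approximate worst-case seconds from the first lost reply until the
    gateway is declared down: the tolerance must be exhausted one period at
    a time, and the last probe must still time out. Useful for checking the
    three fields against the outage you are willing to tolerate."""
    return (check.fail_tolerance - 1) * check.period + check.timeout


if __name__ == "__main__":
    c = GatewayCheck(period=30, timeout=5, fail_tolerance=3)
    # constructed probe RTTs: two isolated failures, a recovery, then three in a row
    print(run_schedule(c, [0.01, None, 9.0, 0.02, None, None, None, 0.01]))
    print("worst-case failover delay:", time_to_failover(c), "s")
```

With the defaults in the block a gateway that stops answering is not abandoned until roughly two minutes have passed; tighten Check Period and Check Fail Tolerance together, since a low tolerance with a long period still fails over slowly, and a very short period with a low tolerance can flap on a single lost packet.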
Table 60 Configuration > Network > Interface > Ethernet > Edit (continued)
Pool Size: Enter the number of IP addresses to allocate. This number must be at least one and is limited by the interface's Subnet Mask. For example, if the Subnet Mask is 255.255.255.0 and IP Pool Start Address is 10.10.10.10, the ZyWALL can allocate 10.10.10.10 to 10.10.10.254, or 245 IP addresses. If this field is blank, the IP Pool Start Address must also be blank.
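The Pool Size bound is simply the number of host addresses from IP Pool Start Address up to, but not including, the subnet's broadcast address. The following added example, not ZyWALL code, computes that bound and validates a pool the way the screen's rules describe; it also rejects a pool that would hand out the interface's own address, a sanity check this example adds on its own (the text above does not mention it).

```python
"""Added example (not ZyXEL code): the DHCP Pool Size bound from the text,
plus a pool validator. The interface-address check is an addition."""
import ipaddress
from typing import Optional


def max_pool_size(interface_ip: str, netmask: str, pool_start: str) -> int:
    """Largest Pool Size the given start address allows within the subnet.
    Usable addresses run from pool_start to broadcast - 1 inclusive, so a
    /24 pool starting at .10 yields 245 (.10 through .254)."""
    net = ipaddress.IPv4Network(f"{interface_ip}/{netmask}", strict=False)
    start = ipaddress.IPv4Address(pool_start)
    if (start not in net or start == net.network_address
            or start == net.broadcast_address):
        raise ValueError(f"{pool_start} is not a usable host address in {net}")
    return int(net.broadcast_address) - int(start)


def validate_pool(interface_ip: str, netmask: str,
                  pool_start: Optional[str], pool_size: Optional[int]) -> Optional[str]:
    """Return None if the DHCP pool settings are consistent, otherwise a
    one-line description of the problem. Rules from the screen: size >= 1,
    size limited by the subnet mask, start and size both blank or both set."""
    if pool_start is None or pool_size is None:
        if pool_start is None and pool_size is None:
            return None  # both blank: no pool configured on this interface
        return "IP Pool Start Address and Pool Size must both be blank or both be set"
    try:
        limit = max_pool_size(interface_ip, netmask, pool_start)
    except ValueError as err:
        return str(err)
    if pool_size < 1:
        return "Pool Size must be at least 1"
    if pool_size > limit:
        return f"Pool Size {pool_size} exceeds the {limit} addresses available from {pool_start}"
    # Added check: never lease the interface's own address to a client.
    first = int(ipaddress.IPv4Address(pool_start))
    own = int(ipaddress.IPv4Address(interface_ip))
    if first <= own <= first + pool_size - 1:
        return f"pool {pool_start} (+{pool_size}) contains the interface address {interface_ip}"
    return None


if __name__ == "__main__":
    print(max_pool_size("10.10.10.1", "255.255.255.0", "10.10.10.10"))   # 245
    print(validate_pool("10.10.10.1", "255.255.255.0", "10.10.10.10", 246))
```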
Table 60 Configuration > Network > Interface > Ethernet > Edit (continued)
IP Address: Enter the IP address to assign to a device with this entry's MAC address.
MAC Address: Enter the MAC address to which to assign this entry's IP address.
Description: Enter a description to help identify this static DHCP entry. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
RIP Setting: See Section 16.
Text Authentication Key: This field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to eight characters long.
MD5 Authentication ID: This field is available if the Authentication is MD5. Type the ID for MD5 authentication. The ID can be between 1 and 255.
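The limits on these two fields (an eight-character Text key, an MD5 ID from 1 to 255) match the OSPFv2 authentication formats in RFC 2328, Appendix D, so the example below assumes these are the OSPF settings of the interface. It is an added example, not ZyWALL code, and shows why MD5 is the only option worth enabling on an interface that an untrusted host could reach: Text authentication places the password itself in the 64-bit Authentication field of every packet, whereas MD5 authentication sends only a Key ID and a sequence number and appends an MD5 digest of the packet plus the secret. The packet layout follows RFC 2328; the header checksum is left at zero for brevity and the key is zero-padded to 16 bytes, which is how common implementations treat short keys (an assumption of this example).

```python
"""Added example (not ZyXEL code): OSPFv2 Text versus MD5 authentication
per RFC 2328 Appendix D. Checksum is left zero; short keys are zero-padded
to 16 bytes (assumption). Packets below are constructed test data."""
import hashlib
import hmac
import struct
from typing import Dict

OSPF_VERSION = 2
HELLO = 1
AUTYPE_SIMPLE, AUTYPE_MD5 = 1, 2
# version, type, length, router ID, area ID, checksum, AuType, 8-byte auth field
HDR = "!BBH4s4sHH8s"


def _header(length: int, router_id: bytes, area_id: bytes, autype: int, auth: bytes) -> bytes:
    return struct.pack(HDR, OSPF_VERSION, HELLO, length, router_id, area_id, 0, autype, auth)


def simple_password_packet(body: bytes, router_id: bytes, area_id: bytes, password: bytes) -> bytes:
    """Text authentication: the password rides in the clear, zero-padded to 8 bytes."""
    if len(password) > 8:
        raise ValueError("simple password is at most 8 bytes")
    return _header(24 + len(body), router_id, area_id, AUTYPE_SIMPLE,
                   password.ljust(8, b"\0")) + body


def md5_auth_packet(body: bytes, router_id: bytes, area_id: bytes,
                    key_id: int, key: bytes, seq: int) -> bytes:
    """Cryptographic authentication: auth field = 0, Key ID, digest length 16,
    32-bit sequence number; MD5(packet || key) is appended after the packet
    and is not counted in the length field."""
    if not 1 <= key_id <= 255:
        raise ValueError("Key ID must be 1..255")
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = _header(24 + len(body), router_id, area_id, AUTYPE_MD5, auth) + body
    digest = hashlib.md5(pkt + key.ljust(16, b"\0")[:16]).digest()
    return pkt + digest


def verify_md5(packet: bytes, keys: Dict[int, bytes], last_seq: Dict[bytes, int]) -> bool:
    """Receiver side: select the key by ID, recompute the digest and compare
    in constant time, and reject a sequence number lower than the last one
    accepted from this router (replay protection)."""
    if len(packet) < 24:
        return False
    _, _, length, router_id, _, _, autype, auth = struct.unpack(HDR, packet[:24])
    if autype != AUTYPE_MD5:
        return False
    _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
    if auth_len != 16 or key_id not in keys or len(packet) != length + 16:
        return False
    pkt, digest = packet[:length], packet[length:]
    expected = hashlib.md5(pkt + keys[key_id].ljust(16, b"\0")[:16]).digest()
    if not hmac.compare_digest(expected, digest):
        return False
    if seq < last_seq.get(router_id, 0):
        return False
    last_seq[router_id] = seq
    return True


if __name__ == "__main__":
    rid, aid, body = bytes([10, 0, 0, 1]), bytes(4), bytes(20)
    print(b"zywall" in simple_password_packet(body, rid, aid, b"zywall"))  # True: on the wire
    keys, seen = {1: b"k3y"}, {}
    print(verify_md5(md5_auth_packet(body, rid, aid, 1, b"k3y", 100), keys, seen))
```

Two consequences for the screen: the MD5 ID is what lets neighbours roll to a new key (configure the new ID and key on both sides before removing the old one), and since the digest covers the whole packet, any change to the Hello or LSA body invalidates it, which a Text key cannot do.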
Figure 268 Object References

The following table describes labels that can appear in this screen.

Table 61 Object References
Object Name: This identifies the object for which the configuration settings that use it are displayed. Click the object's name to display the object's configuration screen in the main window.
#: A sequential value, not associated with any entry.
Figure 269 Example: PPPoE/PPTP Interfaces

PPPoE/PPTP interfaces are similar to other interfaces in some ways. They have an IP address, subnet mask, and gateway used to make routing decisions; they restrict bandwidth and packet size; and they can verify the gateway is available. There are two main differences between PPPoE/PPTP interfaces and other interfaces.
• You must also configure an ISP account object for the PPPoE/PPTP interface to use.

Figure 270 Configuration > Network > Interface > PPP

Each field is described in the table below.

Table 62 Configuration > Network > Interface > PPP
User Configuration / System Default: The ZyWALL comes with the (non-removable) System Default PPP interfaces pre-configured. You can create (and delete) User Configuration PPP interfaces.
Add: Click this to create a new user-configured PPP interface.
Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. The connect icon is lit when the interface is connected and dimmed when it is disconnected.
Name: The name of the interface.
Base Interface: The interface on top of which the PPPoE/PPTP interface is built.
Figure 271 Configuration > Network > Interface > PPP > Add

Each field is explained in the following table.

Table 63 Configuration > Network > Interface > PPP > Add
Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
Enable Interface: Select this to enable this interface. Clear this to disable this interface.
Interface Properties
Interface Name: Specify a name for the interface. It can use alphanumeric characters, hyphens, and underscores, and it can be up to 11 characters long.
Base Interface: Select the interface upon which this PPP interface is built.
Interface Parameters
Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 - 1048576.
Ingress Bandwidth: This is reserved for future use.
MTU: Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface.
OK: Click OK to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving.

13.5 Cellular Configuration Screen (3G)

3G (Third Generation) is a digital, packet-switched wireless technology. Bandwidth usage is optimized as multiple users share the same channel and bandwidth is only allocated to users when they send data.
If the signal strength of a 3G network is too low, the 3G card may switch to an available 2.5G or 2.75G network. See the following table for a comparison of 2G, 2.5G, 2.75G and 3G wireless technologies.

Table 64 2G, 2.5G, 2.75G, 3G and 3.5G Wireless Technologies
Columns: Name; Type; Mobile phone and data standards (GSM-based, CDMA-based); Data speed
2G: Circuit-switched. GSM-based standards: GSM (Global System for Mobile Communications), Personal Handy-phone System (PHS), etc.
Figure 272 Configuration > Network > Interface > Cellular

The following table describes the labels in this screen.

Table 65 Configuration > Network > Interface > Cellular
Add: Click this to create a new cellular interface.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.

Figure 273 Configuration > Network > Interface > Cellular > Add
The following table describes the labels in this screen.

Table 66 Configuration > Network > Interface > Cellular > Add
Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
General Settings
Enable Interface: Select this option to turn on this interface.
Interface Properties
Interface Name: Select a name for the interface.
Dial String: Enter the dial string if your ISP provides a string, which would include the APN, to initialize the 3G card. You can enter up to 63 ASCII printable characters. Spaces are allowed. This field is available only when you insert a GSM 3G card.
Authentication Type: The ZyWALL supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol).
Chapter 13 Interfaces Table 66 Configuration > Network > Interface > Cellular > Add (continued) LABEL DESCRIPTION Egress Bandwidth Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 - 1048576. This setting is used in WAN load balancing and bandwidth management. Ingress Bandwidth This is reserved for future use. MTU Maximum Transmission Unit.
Chapter 13 Interfaces Table 66 Configuration > Network > Interface > Cellular > Add (continued) LABEL DESCRIPTION Get Automatically Select this option If your ISP did not assign you a fixed IP address. This is the default selection. Use Fixed IP Address Select this option If the ISP assigned a fixed IP address. IP Address Enter the cellular interface’s WAN IP address in this field if you selected Use Fixed IP Address. Metric Enter the priority of the gateway (if any) on this interface.
Chapter 13 Interfaces Table 66 Configuration > Network > Interface > Cellular > Add (continued) LABEL DESCRIPTION Data Budget Select this and specify how much downstream and/or upstream data (in Mega bytes) can be transmitted via the 3G connection within one month. Select Download to set a limit on the downstream traffic (from the ISP to the ZyWALL). Select Upload to set a limit on the upstream traffic (from the ZyWALL to the ISP).
Chapter 13 Interfaces Table 66 Configuration > Network > Interface > Cellular > Add (continued) LABEL DESCRIPTION OK Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. 13.6 WLAN Interface General Screen The following figure provides an example of a wireless network. The wireless network is in the blue circle. Wireless clients (A and B) connect to an access point (AP) to access other devices (such as the printer) or the Internet.
Chapter 13 Interfaces Click Configuration > Network > Interface > WLAN to open the following screen. See Appendix E on page 1019 for more details on wireless LANs. Figure 275 Configuration > Network > Interface > WLAN The following table describes the labels in this screen. Table 67 Configuration > Network > Interface > WLAN LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields.
Chapter 13 Interfaces Table 67 Configuration > Network > Interface > WLAN LABEL DESCRIPTION 802.11 Band Select whether you will let wireless clients connect to the ZyWALL using IEEE 802.11b, IEEE 802.11g, or both. Select b Only to allow only IEEE 802.11b compliant WLAN devices to associate with the ZyWALL. Select g Only to allow only IEEE 802.11g compliant WLAN devices to associate with the ZyWALL. Select b+g to allow both IEEE802.11b and IEEE802.11g compliant WLAN devices to associate with the ZyWALL.
Chapter 13 Interfaces Table 67 Configuration > Network > Interface > WLAN LABEL DESCRIPTION IP Address This field displays the current IP address of the WLAN interface. If the IP address is 0.0.0.0, the interface does not have an IP address yet. This screen also shows whether the IP address is a static IP address (STATIC) or dynamically assigned (DHCP). IP addresses are always static in virtual interfaces. Mask This field displays the interface’s subnet mask in dot decimal notation.
Figure 276 Configuration > Network > Interface > WLAN > Add (No Security)
The following table describes the general wireless LAN labels in this screen.
Table 69 Configuration > Network > Interface > WLAN > Add (No Security)
Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
General Settings
Enable Interface: Select this option to turn on the wireless LAN interface.
IP Address: Enter the IP address for this interface.
Subnet Mask: Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network.
Interface Parameters
Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network.
Pool Size: Enter the number of IP addresses to allocate. This number must be at least one and is limited by the interface’s Subnet Mask. For example, if the Subnet Mask is 255.255.255.0 and IP Pool Start Address is 10.10.10.10, the ZyWALL can allocate 10.10.10.10 to 10.10.10.254, or 245 IP addresses.
Direction: This field is effective when RIP is enabled. Select the RIP direction from the drop-down list box.
BiDir - This interface sends and receives routing information.
In-Only - This interface receives routing information.
Out-Only - This interface sends routing information.
Send Version: This field is effective when RIP is enabled. Select the RIP version(s) used for sending RIP packets.
OK: Click OK to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving.
13.6.2 WLAN Add/Edit: WEP Security
WEP provides a mechanism for encrypting data using encryption keys. Both the ZyWALL and the wireless stations must use the same WEP key to encrypt and decrypt data.
Note: WEP's RC4-based encryption is cryptographically weak and recoverable from captured traffic; prefer WPA2 wherever the wireless clients support it.
The following table describes the WEP-related wireless LAN security labels. See Table 69 on page 325 for information on the 802.1x fields.
Table 70 Configuration > Network > Interface > WLAN > Add (WEP Security)
WEP Encryption: WEP (Wired Equivalent Privacy) provides data encryption to prevent unauthorized wireless stations from accessing data transmitted over the wireless network. Select 64-bit WEP or 128-bit WEP to enable data encryption.
The following table describes the WPA-PSK/WPA2-PSK-related wireless LAN security labels.
Table 71 Configuration > Network > Interface > WLAN > Add (WPA-PSK, WPA2-PSK, or WPA/WPA2-PSK Security)
Pre Shared Key: The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that WPA-PSK uses a simple common password, instead of user-specific credentials.
Figure 279 Configuration > Network > Interface > WLAN > Add (WPA/WPA2 Security)
The following table describes the WPA/WPA2-related wireless LAN security labels.
Table 72 Configuration > Network > Interface > WLAN > Add (WPA/WPA2 Security)
Authentication Type: Select what the ZyWALL uses to authenticate the wireless clients. Select Auth Method to be able to specify an authentication method object that you have already configured.
Radius Server Port: Enter the RADIUS server’s listening port number (the default is 1812).
Radius Server Secret: Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the ZyWALL. The key is not sent over the network. This key must be the same on the external authentication server and the ZyWALL.
Figure 280 Network > Interface > WLAN > MAC Filter
The following table describes the labels in this screen.
Table 73 Configuration > Network > Interface > WLAN > MAC Filter
Enable MAC Filter: Select or clear the check box to enable or disable MAC address filtering.
Association: Define the filter action for the list of MAC addresses in the MAC address filter table.
13.8 VLAN Interfaces
A Virtual Local Area Network (VLAN) divides a physical network into multiple logical networks. The standard is defined in IEEE 802.1q.
Figure 281 Example: Before VLAN
In this example, there are two physical networks and three departments A, B, and C. The physical networks are connected to hubs, and the hubs are connected to the router. Alternatively, you can divide the physical networks into three VLANs.
• Traffic inside each VLAN is layer-2 communication (data link layer, MAC addresses). It is handled by the switches. As a result, the new switch is required to handle traffic inside VLAN 2. Traffic is only broadcast inside each VLAN, not each physical network.
• Traffic between VLANs (or between a VLAN and another type of network) is layer-3 communication (network layer, IP addresses). It is handled by the router.
This approach provides a few advantages.
13.8.1 VLAN Summary Screen
This screen lists every VLAN interface and virtual interface created on top of VLAN interfaces. To access this screen, click Configuration > Network > Interface > VLAN.
Figure 283 Configuration > Network > Interface > VLAN
Each field is explained in the following table.
Table 74 Configuration > Network > Interface > VLAN
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Mask: This field displays the interface’s subnet mask in dot decimal notation.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to return the screen to its last-saved settings.
13.8.2 VLAN Add/Edit
This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each VLAN interface.
Figure 284 Configuration > Network > Interface > VLAN > Edit
Each field is explained in the following table.
Table 75 Configuration > Network > Interface > VLAN > Edit
Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
General Settings
Enable Interface: Select this to turn this interface on. Clear this to disable this interface.
Interface Properties
Interface Name: This field is read-only if you are editing an existing VLAN interface.
Metric: Enter the priority of the gateway (if any) on this interface. The ZyWALL decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the ZyWALL uses the one that was configured first.
DHCP: Select what type of DHCP service the ZyWALL provides to the network. Choices are:
None - the ZyWALL does not provide any DHCP services. There is already a DHCP server on the network.
DHCP Relay - the ZyWALL routes DHCP requests to one or more DHCP servers you specify. The DHCP server(s) may be on another network.
Lease time: Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are:
infinite - select this if IP addresses never expire.
days, hours, and minutes - select this to enter how long IP addresses are valid.
OSPF Setting: See Section 16.3 on page 391 for more information about OSPF.
Area: Select the area in which this interface belongs. Select None to disable OSPF on this interface.
Priority: Enter the priority (between 0 and 255) of this interface when the area is looking for a Designated Router (DR) or Backup Designated Router (BDR).
13.9 Bridge Interfaces
This section introduces bridges and bridge interfaces and then explains the screens for bridge interfaces.
Bridge Overview
A bridge creates a connection between two or more network segments at the layer-2 (MAC address) level. In the following example, bridge X connects four network segments. When the bridge receives a packet, the bridge records the source MAC address and the port on which it was received in a table.
If computer B responds to computer A, bridge X records the source address 0B:0B:0B:0B:0B:0B and port 4 in the table. It also looks up 0A:0A:0A:0A:0A:0A in the table and sends the packet to port 2 accordingly.
Table 77 Example: Bridge Table After Computer B Responds to Computer A
MAC ADDRESS | PORT
0A:0A:0A:0A:0A:0A | 2
0B:0B:0B:0B:0B:0B | 4
Bridge Interface Overview
A bridge interface creates a software bridge between the members of the bridge interface.
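A learning-bridge forwarder that replays the bridge X exchange above, as an added Python example that is not part of the guide or ZyXEL's firmware; the port numbering and the flooding of frames to unknown or broadcast destinations (standard transparent-bridge behaviour) are assumptions.

```python
BROADCAST = "FF:FF:FF:FF:FF:FF"


class LearningBridge:
    """Transparent (learning) bridge: one MAC-address-to-port table, no VLANs.

    Every received frame teaches the bridge where its source lives; the
    destination is then looked up in the same table, as the bridge X example
    describes. Flooding of unknown and broadcast destinations is standard
    bridge behaviour and is an assumption of this example.
    """

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}  # MAC address -> port it was last seen on

    def forward(self, src_mac, dst_mac, in_port):
        """Learn src_mac on in_port and return the ports the frame leaves on."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        src, dst = src_mac.upper(), dst_mac.upper()
        # Learning: (re)record the source address and its ingress port. A host
        # that moves to another segment is relearned on the next frame it sends.
        self.table[src] = in_port
        out_port = self.table.get(dst)
        # Broadcast or still-unknown destination: flood to every other port.
        if dst == BROADCAST or out_port is None:
            return [p for p in self.ports if p != in_port]
        # Destination sits on the segment the frame came from: filter it.
        if out_port == in_port:
            return []
        return [out_port]

    def snapshot(self):
        """The bridge table as a sorted list of (MAC address, port) rows."""
        return sorted(self.table.items())


def bridge_x_example():
    """Replay the two frames from the guide's example on a four-port bridge."""
    bridge = LearningBridge(ports=[1, 2, 3, 4])
    a, b = "0A:0A:0A:0A:0A:0A", "0B:0B:0B:0B:0B:0B"
    first = bridge.forward(a, b, in_port=2)   # A -> B: B unknown, so flooded
    second = bridge.forward(b, a, in_port=4)  # B -> A: A known, port 2 only
    return first, second, bridge.snapshot()


if __name__ == "__main__":
    print(bridge_x_example())
```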
13.9.1 Bridge Summary
This screen lists every bridge interface and virtual interface created on top of bridge interfaces. To access this screen, click Configuration > Network > Interface > Bridge.
Figure 285 Configuration > Network > Interface > Bridge
Each field is described in the following table.
Table 79 Configuration > Network > Interface > Bridge
Add: Click this to create a new entry.
13.9.2 Bridge Add/Edit
This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each bridge interface. To access this screen, click the Add icon at the top of the Add column in the Bridge Summary screen, or click an Edit icon in the Bridge Summary screen. The following screen appears.
Figure 286 Configuration > Network > Interface > Bridge > Add
Each field is described in the table below.
Table 80 Configuration > Network > Interface > Bridge > Edit
Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
General Settings
Enable Interface: Select this to enable this interface. Clear this to disable this interface.
Interface Properties
Interface Name: This field is read-only if you are editing the interface.
Gateway: This field is enabled if you select Use Fixed IP Address. Enter the IP address of the gateway. The ZyWALL sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface.
Metric: Enter the priority of the gateway (if any) on this interface.
IP Pool Start Address: Enter the IP address from which the ZyWALL begins allocating IP addresses. If you want to assign a static IP address to a specific computer, click Add Static DHCP. If this field is blank, the Pool Size must also be blank.
Add: Click this to create a new entry.
Edit: Select an entry and click this to be able to modify it.
Remove: Select an entry and click this to delete it.
#: This field is a sequential value, and it is not associated with a specific entry.
IP Address: Enter the IP address to assign to a device with this entry’s MAC address.
13.10 Auxiliary Interface
This section introduces the auxiliary interface and then explains the screen for it.
13.10.1 Auxiliary Interface Overview
Use the auxiliary interface to dial out from the ZyWALL’s auxiliary port. For example, you might use this interface as a backup WAN interface. You have to connect an external modem to the ZyWALL’s auxiliary port to use the auxiliary interface.
Note: You have to connect an external modem to the auxiliary port.
Figure 287 Configuration > Network > Interface > Auxiliary
Each field is described in the table below.
Table 81 Configuration > Network > Interface > Auxiliary
General Settings
Enable Interface: Select this to turn on the auxiliary dial-up interface. The interface does not dial out, however, unless it is part of a trunk and load balancing conditions are satisfied.
Phone Number: Enter the phone number to dial here. You can use 1-20 digits, commas (,), or plus signs (+). Use a comma to pause during dialing. Use a plus sign to tell the external modem to make an international call.
User Name: Enter the user name required for authentication.
Password: Enter the password required for authentication.
cannot change the MTU. The virtual interface uses the same MTU that the underlying interface uses. Unlike other interfaces, virtual interfaces do not provide DHCP services, and they do not verify that the gateway is available.
13.11.1 Virtual Interfaces Add/Edit
This screen lets you configure IP address assignment and interface parameters for virtual interfaces.
Table 82 Configuration > Network > Interface > Add (continued)
Metric: Enter the priority of the gateway (if any) on this interface. The ZyWALL decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the ZyWALL uses the one that was configured first.
For example, if the ZyWALL gets a packet with a destination address of 100.100.25.25, it routes the packet to interface ge1. If the ZyWALL gets a packet with a destination address of 200.200.200.200, it routes the packet to interface ge2. In most interfaces, you can enter the IP address and subnet mask manually. In PPPoE/PPTP interfaces, however, the subnet mask is always 255.255.255.255 because it is a point-to-point interface. For these interfaces, you can only enter the IP address.
• Egress bandwidth sets the amount of traffic the ZyWALL sends out through the interface to the network.
• Ingress bandwidth sets the amount of traffic the ZyWALL allows in through the interface from the network.
If you set the bandwidth restrictions very high, you effectively remove the restrictions. The ZyWALL also restricts the size of each data packet. The maximum number of bytes in each packet is called the maximum transmission unit (MTU).
• IP address - If the DHCP client’s MAC address is in the ZyWALL’s static DHCP table, the interface assigns the corresponding IP address. If not, the interface assigns IP addresses from a pool, defined by the starting address of the pool and the pool size.
Table 85 Example: Assigning IP Addresses from a Pool
START IP ADDRESS | POOL SIZE | RANGE OF ASSIGNED IP ADDRESS
50.50.50.33 | 5 | 50.50.50.33 - 50.50.50.37
75.75.75.1 | 200 | 75.75.75.1 - 75.75.75.200
99.99.1.1 | 1023 | 99.99.1.1 - 99.
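The pool arithmetic from Table 85 and from the Pool Size description in Table 69 (a pool clipped by the subnet mask to 245 addresses), together with the static-table-first assignment order just described, as an added Python example that is not the guide's or ZyXEL's code; the sample MAC addresses and the static DHCP table are constructed.

```python
import ipaddress


def pool_range(start, pool_size, subnet_mask=None):
    """Return (first, last, count) for a DHCP pool of pool_size addresses.

    The pool begins at the IP Pool Start Address. When a subnet mask is given
    the pool is clipped to the last usable host address of that subnet (the
    broadcast address is never handed out), which is how the guide arrives at
    245 addresses for start 10.10.10.10 with mask 255.255.255.0.
    """
    if pool_size < 1:
        raise ValueError("pool size must be at least one")
    first = ipaddress.IPv4Address(start)
    last = first + (pool_size - 1)
    if subnet_mask is not None:
        net = ipaddress.IPv4Network(f"{start}/{subnet_mask}", strict=False)
        if first in (net.network_address, net.broadcast_address):
            raise ValueError("pool start must be a host address in the subnet")
        last = min(last, net.broadcast_address - 1)
    return str(first), str(last), int(last) - int(first) + 1


def max_pool_size(start, subnet_mask):
    """Largest Pool Size the subnet mask allows from this start address."""
    net = ipaddress.IPv4Network(f"{start}/{subnet_mask}", strict=False)
    return int(net.broadcast_address) - int(ipaddress.IPv4Address(start))


def assign_address(mac, static_table, pool, leases):
    """Pick a client's address in the order the guide gives: a static DHCP
    entry for the MAC wins, otherwise the next free address in the pool.

    static_table and leases map MAC -> IP string; leases is updated in place
    and a renewing client keeps its lease. Returns None when the pool is full.
    """
    mac = mac.upper()
    if mac in static_table:
        return static_table[mac]
    if mac in leases:
        return leases[mac]
    first, last, _ = pool
    taken = set(static_table.values()) | set(leases.values())
    addr, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    while addr <= end:
        if str(addr) not in taken:
            leases[mac] = str(addr)
            return str(addr)
        addr += 1
    return None


if __name__ == "__main__":
    # Constructed sample: the first Table 85 pool plus one static reservation.
    pool = pool_range("50.50.50.33", 5)
    static = {"00:11:22:33:44:55": "50.50.50.34"}
    leases = {}
    for client in ("AA:00:00:00:00:01", "00:11:22:33:44:55", "AA:00:00:00:00:02"):
        print(client, "->", assign_address(client, static, pool, leases))
```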
PPPoE/PPTP Overview
Point-to-Point Protocol over Ethernet (PPPoE, RFC 2516) and Point-to-Point Tunneling Protocol (PPTP, RFC 2637) are usually used to connect two computers over phone lines or broadband connections. PPPoE is often used with cable modems and DSL connections. It provides the following advantages:
• The access and authentication method works with existing systems, including RADIUS.
• You can access one of several network services.
CHAPTER 14 Trunks
14.1 Overview
Use trunks for WAN traffic load balancing to increase overall network throughput and reliability. Load balancing divides traffic loads between multiple interfaces. This allows you to improve quality of service and maximize bandwidth utilization for multiple ISP links. Maybe you have two Internet connections with different bandwidths.
14.1.2 What You Need to Know
• Add WAN interfaces to trunks to have multiple connections share the traffic load.
• If one WAN interface’s connection goes down, the ZyWALL sends traffic through another member of the trunk.
• For example, you connect one WAN interface to one ISP and connect a second WAN interface to a second ISP. The ZyWALL balances the WAN traffic load between the connections.
2 The ZyWALL is using active/active load balancing. So when LAN user A tries to access something on the server, the request goes out through ge3.
3 The server finds that the request comes from ge3’s IP address instead of ge2’s IP address and rejects the request. If link sticking had been configured, the ZyWALL would have still used ge2 to send LAN user A’s request to the server and the server would have given user A access.
Since WAN 2 has a smaller load balancing index (meaning that it is less utilized than WAN 1), the ZyWALL will send the subsequent new session traffic through WAN 2.
Table 86 Least Load First Example
OUTBOUND INTERFACE | AVAILABLE (A) | MEASURED (M) | LOAD BALANCING INDEX (M/A)
WAN 1 | 512 K | 412 K | 0.8
WAN 2 | 256 K | 198 K | 0.77
Weighted Round Robin
The Weighted Round Robin (WRR) algorithm is best suited for situations when the bandwidths set for the two WAN interfaces are different.
interface. This fully utilizes the bandwidth of the first interface to reduce Internet usage fees and avoid overloading the interface. In this example figure, the upper threshold of the first interface is set to 800K. The ZyWALL sends network traffic of new sessions that exceed this limit to the secondary WAN interface.
Figure 293 Spillover Algorithm Example
Finding Out More
• See Section 6.5.5 on page 101 for related information on the Trunk screens.
• See Section 7.
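The three trunk algorithms (least load first with the Table 86 index, weighted round robin with 1~10 weights, spillover with an 800K threshold) plus link sticking, as an added Python example that is not ZyXEL's implementation; the member names, the chooser interface and the (source, destination) key used for sticking are assumptions.

```python
from dataclasses import dataclass, field


def load_index(available_kbps, measured_kbps):
    """Load balancing index M/A from Table 86: measured over available bandwidth."""
    if available_kbps <= 0:
        raise ValueError("available bandwidth must be positive")
    return measured_kbps / available_kbps


def least_load_first(members):
    """members: {name: (available_kbps, measured_kbps)}; the lowest index wins."""
    return min(members, key=lambda name: load_index(*members[name]))


def weighted_round_robin(weights, sessions):
    """Interface chosen for each of `sessions` new sessions.

    Weights (1~10, Table 88) form a ratio: weights 3 and 1 send three sessions
    through the first member for every one through the second.
    """
    for name, weight in weights.items():
        if not 1 <= weight <= 10:
            raise ValueError(f"weight for {name} must be 1~10")
    order = [name for name, weight in weights.items() for _ in range(weight)]
    return [order[i % len(order)] for i in range(sessions)]


def spillover(primary, secondary, primary_measured_kbps, threshold_kbps):
    """New sessions stay on the primary until its load reaches the threshold;
    only then do they spill to the secondary interface."""
    return primary if primary_measured_kbps < threshold_kbps else secondary


@dataclass
class StickyTrunk:
    """Link sticking layered over any chooser: the first interface picked for a
    (source, destination) pair is reused for that pair's later sessions, so a
    server that checks the source address keeps seeing the same WAN IP."""
    chooser: object
    bindings: dict = field(default_factory=dict)

    def select(self, src, dst, members):
        key = (src, dst)
        if key not in self.bindings:
            self.bindings[key] = self.chooser(members)
        return self.bindings[key]


if __name__ == "__main__":
    table_86 = {"WAN 1": (512, 412), "WAN 2": (256, 198)}
    print("least load first ->", least_load_first(table_86))
    print("WRR 3:1 ->", weighted_round_robin({"ge2": 3, "ge3": 1}, 8))
    print("spillover at 900K of 800K ->", spillover("ge2", "ge3", 900, 800))
```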
14.2 The Trunk Summary Screen
Click Configuration > Network > Interface > Trunk to open the Trunk screen. This screen lists the configured trunks and the load balancing algorithm that each is configured to use.
Figure 294 Configuration > Network > Interface > Trunk
The following table describes the items in this screen.
Table 87 Configuration > Network > Interface > Trunk (continued)
Enable Default SNAT: Select this to have the ZyWALL use the IP address of the outgoing interface as the source IP address of the packets it sends out through its WAN trunks. The ZyWALL automatically adds SNAT settings for traffic it routes from internal interfaces to external interfaces.
Each field is described in the table below.
Table 88 Configuration > Network > Interface > Trunk > Add (or Edit)
Name: This is read-only if you are editing an existing trunk. When adding a new trunk, enter a descriptive name for this trunk. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Weight: This field displays with the weighted round robin load balancing algorithm. Specify the weight (1~10) for the interface. The weights of the different member interfaces form a ratio. This ratio determines how much traffic the ZyWALL sends through each member interface.
CHAPTER 15 Policy and Static Routes
15.1 Policy and Static Routes Overview
Use policy routes and static routes to override the ZyWALL’s default routing behavior in order to send packets through the appropriate interface or VPN tunnel. For example, the next figure shows a computer (A) connected to the ZyWALL’s LAN interface. The ZyWALL routes most traffic from A to the Internet through the ZyWALL’s default gateway (R1).
• Use the Static Route screens (see Section 15.3 on page 383) to list and configure static routes.
15.1.2 What You Need to Know
Policy Routing
Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator.
Policy Routes Versus Static Routes
• Policy routes are more flexible than static routes. You can select more criteria for the traffic to match and can also use schedules, NAT, and bandwidth management.
• Policy routes are only used within the ZyWALL itself. Static routes can be propagated to other routers using RIP or OSPF.
• Policy routes take priority over static routes.
Finding Out More
• See Section 6.5.6 on page 101 for related information on the policy route screens.
• See Section 7.14 on page 174 for an example of creating a policy route for using multiple static public WAN IP addresses for LAN to WAN traffic.
• See Section 15.4 on page 385 for more background information on policy routing.
15.2 Policy Route Screen
Click Configuration > Network > Routing to open the Policy Route screen.
The following table describes the labels in this screen.
Table 89 Configuration > Network > Routing > Policy Route
Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
Enable BWM: This is a global setting for enabling or disabling bandwidth management on the ZyWALL.
DSCP Code: This is the DSCP value of incoming packets to which this policy route applies. any means all DSCP values or no DSCP marker. default means traffic with a DSCP value of 0. This is usually best effort traffic. The “af” entries stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences.
15.2.1 Policy Route Edit Screen
Click Configuration > Network > Routing to open the Policy Route screen. Then click the Add or Edit icon to open the Policy Route Edit screen. Use this screen to configure or edit a policy route.
Figure 298 Configuration > Network > Routing > Policy Route > Add
The following table describes the labels in this screen.
Table 90 Configuration > Network > Routing > Policy Route > Edit (continued)
Incoming: Select where the packets are coming from: any, an interface, a tunnel, an SSL VPN, or the ZyWALL itself. For an interface, a tunnel, or an SSL VPN, you also need to select the individual interface, VPN tunnel, or SSL VPN connection.
Source Address: Select a source IP address object from which the packets are sent.
VPN Tunnel: This field displays when you select VPN Tunnel in the Type field. Select a VPN tunnel through which the packets are sent to the remote network that is connected to the ZyWALL directly.
Auto Destination Address: This field displays when you select VPN Tunnel in the Type field.
Source Network Address Translation: Select none to not use NAT for the route. Select outgoing-interface to use the IP address of the outgoing interface as the source IP address of the packets that match this route. If you select outgoing-interface, you can also configure port trigger settings for this interface.
Maximum Bandwidth: Specify the maximum bandwidth (from 1 to 1048576) allowed for the route in kbps. If you enter 0 here, there is no bandwidth limitation for the route. If the sum of the bandwidths for routes using the same next hop is higher than the actual transmission speed, lower priority traffic may not be sent if higher priority traffic uses all of the actual bandwidth.
The following table describes the labels in this screen.
Table 91 Configuration > Network > Routing > Static Route
Add: Click this to create a new static route.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.
#: This is the number of an individual static route.
Table 92 Configuration > Network > Routing > Static Route > Add (continued)
Gateway IP: Select the radio button and enter the IP address of the next-hop gateway. The gateway is a router or switch on the same segment as your ZyWALL's interface(s). The gateway helps forward packets to their destinations.
Interface: Select the radio button and a predefined interface through which the traffic is sent.
following twelve DSCP encodings from AF11 through AF43. The decimal equivalent is listed in brackets.
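The AF11 through AF43 encodings referred to above and the DSCP Code matching semantics of the policy route screen (any, default, afXY), as an added Python example that is not the guide's or ZyXEL's code; the decimal values follow the RFC 2597 layout (DSCP = 8 x class + 2 x drop precedence), and the rule-matching function is an assumption about how such a field would be evaluated.

```python
AF_CLASSES = (1, 2, 3, 4)        # AF1x .. AF4x
AF_DROP_PRECEDENCES = (1, 2, 3)  # low, medium, high drop precedence


def af_to_dscp(name):
    """'af31' -> 26. RFC 2597 lays the AF code points out as
    DSCP = 8 * class + 2 * drop_precedence (binary cccdd0)."""
    name = name.lower()
    if len(name) != 4 or not name.startswith("af") or not name[2:].isdigit():
        raise ValueError(f"not an AF code point name: {name!r}")
    cls, drop = int(name[2]), int(name[3])
    if cls not in AF_CLASSES or drop not in AF_DROP_PRECEDENCES:
        raise ValueError(f"not an AF code point name: {name!r}")
    return 8 * cls + 2 * drop


def dscp_to_af(dscp):
    """26 -> 'af31'; None for a DSCP that is not one of the twelve AF values
    (for example EF, 46, or best effort, 0)."""
    cls, rem = divmod(dscp, 8)
    drop, odd_bit = divmod(rem, 2)
    if odd_bit == 0 and cls in AF_CLASSES and drop in AF_DROP_PRECEDENCES:
        return f"af{cls}{drop}"
    return None


def af_table():
    """All twelve AF encodings, AF11 through AF43, with their decimal values."""
    return {f"af{c}{d}": 8 * c + 2 * d
            for c in AF_CLASSES for d in AF_DROP_PRECEDENCES}


def dscp_from_tos(tos_byte):
    """DSCP is the upper six bits of the IPv4 TOS / IPv6 traffic class byte;
    the low two bits are ECN and are not part of the code point."""
    return (tos_byte >> 2) & 0x3F


def route_dscp_matches(rule, packet_dscp):
    """Evaluate a policy route's DSCP Code field against a packet's DSCP:
    'any' matches everything (marked or not), 'default' matches DSCP 0,
    and 'afXY' matches exactly that AF code point."""
    if rule == "any":
        return True
    if rule == "default":
        return packet_dscp == 0
    return af_to_dscp(rule) == packet_dscp


if __name__ == "__main__":
    for name, value in af_table().items():
        print(f"{name.upper()} [{value}]")
```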
3 Computer A and game server 1 are connected to each other until the connection is closed or times out. Any other computers (such as B or C) cannot connect to remote server 1 using the same port triggering rule as computer A unless they are using a different next hop (gateway, outgoing interface, VPN tunnel or trunk) from computer A or until the connection is closed or times out.
CHAPTER 16 Routing Protocols

16.1 Routing Protocols Overview

Routing protocols give the ZyWALL routing information about the network from other routers. The ZyWALL stores this routing information in the routing table it uses to make routing decisions. In turn, the ZyWALL can also use routing protocols to propagate routing information to other routers. See Section 6.6 on page 110 for related information on the RIP and OSPF screens.

16.2 The RIP Screen

RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a device to exchange routing information with other routers. RIP is a vector-space routing protocol, and, like most such protocols, it uses hop count to decide which route is the shortest. Unfortunately, it also broadcasts its routes asynchronously to the network and converges slowly. Therefore, RIP is more suitable for small networks (up to 15 routers).

The following table describes the labels in this screen.

Table 95 Configuration > Network > Routing Protocol > RIP
Authentication
Authentication - Select the authentication method used in the RIP network. This authentication protects the integrity, but not the confidentiality, of routing updates. None uses no authentication. Text uses a plain text password that is sent over the network (not very secure).

System (AS). OSPF offers some advantages over vector-space routing protocols like RIP.
• OSPF supports variable-length subnet masks, which can be set up to use available IP addresses more efficiently.
• OSPF filters and summarizes routing information, which reduces the size of routing tables throughout the network.
• OSPF responds to changes in the network, such as the loss of a router, more quickly.

Each type of area is illustrated in the following figure.

Figure 303 OSPF: Types of Areas

This OSPF AS consists of four areas, areas 0-3. Area 0 is always the backbone. In this example, areas 1, 2, and 3 are all connected to it. Area 1 is a normal area. It has routing information about the OSPF AS and networks X and Y. Area 2 is a stub area. It has routing information about the OSPF AS, but it depends on a default route to send information to networks X and Y.

• An Autonomous System Boundary Router (ASBR) exchanges routing information with routers in networks outside the OSPF AS. This is called redistribution in OSPF.

Table 96 OSPF: Redistribution from Other Sources to Each Type of Area
SOURCE         NORMAL   NSSA   STUB
Static routes  Yes      Yes    No
RIP            Yes      Yes    Yes

• A backbone router (BR) has at least one interface with area 0. By default, every router in area 0 is a backbone router, and so is every ABR.

to logically connect the area to the backbone. This is illustrated in the following example.

Figure 305 OSPF: Virtual Link

In this example, area 100 does not have a direct connection to the backbone. As a result, you should set up a virtual link on both ABRs in area 10. The virtual link becomes the connection between area 100 and the backbone. You cannot create a virtual link to a router in a different area.

Click Configuration > Network > Routing > OSPF to open the following screen.

Figure 306 Configuration > Network > Routing > OSPF

The following table describes the labels in this screen. See Section 16.3.2 on page 398 for more information as well.

Table 97 Configuration > Network > Routing Protocol > OSPF
OSPF Router ID - Select the 32-bit ID the ZyWALL uses in the OSPF AS.

Table 97 Configuration > Network > Routing Protocol > OSPF (continued)
Type - Select how OSPF calculates the cost associated with routing information from static routes. Choices are Type 1 and Type 2. Type 1: cost = OSPF AS cost + external cost (Metric). Type 2: cost = external cost (Metric); the OSPF AS cost is ignored.
Metric - Type the external cost for routes provided by static routes.
Area

16.3.2 OSPF Area Add/Edit Screen

The OSPF Area Add/Edit screen allows you to create a new area or edit an existing one. To access this screen, go to the OSPF summary screen (see Section 16.3 on page 391), and click either the Add icon or an Edit icon.

Figure 307 Configuration > Network > Routing > OSPF > Add

The following table describes the labels in this screen.

Table 98 Configuration > Network > Routing > OSPF > Add (continued)
Text Authentication Key - This field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to 8 characters long.
MD5 Authentication ID - This field is available if the Authentication is MD5. Type the default ID for MD5 authentication in the area.

398) has the Type set to Normal, a Virtual Link table displays. Click either the Add icon or an entry and the Edit icon to display a screen like the following.

Figure 308 Configuration > Network > Routing > OSPF > Add > Add

The following table describes the labels in this screen.

Table 99 Configuration > Network > Routing > OSPF > Add > Add
Peer Router ID - Enter the 32-bit ID (in IP address format) of the other ABR in the virtual link.

Authentication Types

Authentication is used to guarantee the integrity, but not the confidentiality, of routing updates. The transmitting router uses its key to transform the original message into a smaller message (a keyed digest), and the smaller message is transmitted with the original message. The receiving router uses its key to transform the received message the same way and then verifies that the result matches the smaller message sent with it.
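As an added example (not code from the ZyWALL guide), the keyed-digest scheme described above, modelled on the MD5 authentication of OSPF (RFC 2328 Appendix D) and RIPv2 (RFC 2082): the key is never transmitted, a tampered update or a mismatched key fails verification, and the update body itself stays readable. The packet layout, key and routing update are constructed for illustration and simplify the real wire format.

```python
import hashlib
import hmac

# Constructed model of keyed-MD5 routing authentication (OSPF RFC 2328
# Appendix D / RIPv2 RFC 2082): the authentication key is zero-padded to
# 16 octets, appended to the update, and MD5 of the whole is sent as the
# trailing 16-byte digest. The packet layout is simplified for illustration.
KEY_OCTETS = 16
DIGEST_OCTETS = 16


def _padded_key(key: bytes) -> bytes:
    """Pad (or reject) the key to exactly 16 octets, as the MD5 schemes do."""
    if not key or len(key) > KEY_OCTETS:
        raise ValueError("authentication key must be 1 to 16 octets")
    return key.ljust(KEY_OCTETS, b"\x00")


def sign_update(update: bytes, key: bytes) -> bytes:
    """Transmitter side: append the 'smaller message' (the digest) to the update."""
    digest = hashlib.md5(update + _padded_key(key)).digest()
    return update + digest


def verify_update(packet: bytes, key: bytes) -> bool:
    """Receiver side: recompute the digest over the body and compare it."""
    if len(packet) <= DIGEST_OCTETS:
        return False
    body, received = packet[:-DIGEST_OCTETS], packet[-DIGEST_OCTETS:]
    expected = hashlib.md5(body + _padded_key(key)).digest()
    # Constant-time compare so a forged digest cannot be guessed byte by byte.
    return hmac.compare_digest(expected, received)


def text_auth_update(update: bytes, password: bytes) -> bytes:
    """The 'Text' option: the password itself travels in the packet in the clear."""
    return password.ljust(8, b"\x00") + update


def demo() -> dict:
    """Exercise the integrity-only property on a constructed routing update."""
    key = b"area0-key"                    # constructed; never sent on the wire
    update = b"LSA net=10.10.0.0/16 nexthop=192.0.2.1 metric=10"
    packet = sign_update(update, key)

    # Flip the metric in transit: the digest no longer matches the body.
    tampered = packet.replace(b"metric=10", b"metric=1")
    # A neighbour configured with a different key is rejected.
    wrong_key = verify_update(packet, b"wrong-key")
    # The body is not encrypted: anyone on the segment can read the route.
    readable = packet.startswith(update)

    return {
        "valid": verify_update(packet, key),
        "tampered_accepted": verify_update(tampered, key),
        "wrong_key_accepted": wrong_key,
        "body_readable": readable,
        "text_password_exposed": b"secret" in text_auth_update(update, b"secret"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```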
CHAPTER 17 Zones

17.1 Zones Overview

Set up zones to configure network security and network policies in the ZyWALL. A zone is a group of interfaces and/or VPN tunnels. The ZyWALL uses zones instead of interfaces in many security and policy settings, such as firewall rules, Anti-X, and remote management. Zones cannot overlap. Each Ethernet interface, VLAN interface, bridge interface, PPPoE/PPTP interface, auxiliary interface, and VPN tunnel can be assigned to at most one zone.

17.1.2 What You Need to Know

Effects of Zones on Different Types of Traffic

Zones effectively divide traffic into three types (intra-zone traffic, inter-zone traffic, and extra-zone traffic), which are affected differently by zone-based security and policy settings.

Intra-zone Traffic
• Intra-zone traffic is traffic between interfaces or VPN tunnels in the same zone. For example, in Figure 309 on page 403, traffic between VLAN 2 and the Ethernet is intra-zone traffic.

17.2 The Zone Screen

The Zone screen provides a summary of all zones. In addition, this screen allows you to add, edit, and remove zones. To access this screen, click Configuration > Network > Zone.

Figure 310 Configuration > Network > Zone

The following table describes the labels in this screen.

Table 100 Configuration > Network > Zone
User Configuration / System Default - The ZyWALL comes with pre-configured System Default zones that you cannot delete.

17.3 Zone Edit

The Zone Edit screen allows you to add or edit a zone. To access this screen, go to the Zone screen (see Section 17.2 on page 405), and click the Add icon or an Edit icon.

Figure 311 Network > Zone > Add

The following table describes the labels in this screen.

Table 101 Network > Zone > Edit
Name - For a system default zone, the name is read only. For a user-configured zone, type the name used to refer to the zone.
CHAPTER 18 DDNS

18.1 DDNS Overview

Dynamic DNS (DDNS) services let you use a domain name with a dynamic IP address.

18.1.1 What You Can Do in this Chapter
• Use the DDNS screen (see Section 18.2 on page 408) to view a list of the configured DDNS domain names and their details.
• Use the DDNS Add/Edit screen (see Section 18.2.1 on page 410) to add a domain name to the ZyWALL or to edit the configuration of an existing domain name.

18.1.

Note: Record your DDNS account's user name, password, and domain name to use to configure the ZyWALL.

After you configure the ZyWALL, it automatically sends updated IP addresses to the DDNS service provider, which helps redirect traffic accordingly.

Finding Out More

See Section 6.5.9 on page 103 for related information on these screens.

18.2 The DDNS Screen

The DDNS screen provides a summary of all DDNS domain names and their configuration.

Table 103 Configuration > Network > DDNS (continued)
Primary Interface/IP - This field displays the interface to use for updating the IP address mapped to the domain name, followed by how the ZyWALL determines the IP address for the domain name. from interface - The IP address comes from the specified interface. auto detected - The DDNS server checks the source IP address of the packets from the ZyWALL for the IP address to use for the domain name.

18.2.1 The Dynamic DNS Add/Edit Screen

The DDNS Add/Edit screen allows you to add a domain name to the ZyWALL or to edit the configuration of an existing domain name. Click Configuration > Network > DDNS and then an Add or Edit icon to open this screen.

Figure 313 Configuration > Network > DDNS > Add

The following table describes the labels in this screen.

Table 104 Configuration > Network > DDNS > Add (continued)
Username - Type the user name used when you registered your domain name. You can use up to 31 alphanumeric characters and the underscore. Spaces are not allowed. For a Dynu DDNS entry, this user name is the one you use for logging into the service, not the name recorded in your personal information on the Dynu website.
Password - Type the password provided by the DDNS provider.

Table 104 Configuration > Network > DDNS > Add (continued)
IP Address - The options available in this field vary by DDNS provider. Interface - The ZyWALL uses the IP address of the specified interface. This option appears when you select a specific interface in the Backup Binding Address Interface field. Auto - The DDNS server checks the source IP address of the packets from the ZyWALL for the IP address to use for the domain name.
CHAPTER 19 NAT

19.1 NAT Overview

NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network, is changed to a different IP address known within another network. Use Network Address Translation (NAT) to make computers on a private network behind the ZyWALL available outside the private network.

19.1.2 What You Need to Know

NAT is also known as virtual server, port forwarding, or port translation.

Finding Out More
• See Section 6.5.10 on page 103 for related information on these screens.
• See Section 19.3 on page 419 for technical background information related to these screens.
• See Section 7.11.2 on page 162 for an example of how to configure NAT to allow H.323 traffic from the WAN to the LAN.
• See Section 7.12.

Table 105 Configuration > Network > NAT (continued)
Remove - To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.
Activate - To turn on an entry, select it and click Activate.
Inactivate - To turn off an entry, select it and click Inactivate.
# - This field is a sequential value, and it is not associated with a specific entry.
Status - This icon is lit when the entry is active and dimmed when the entry is inactive.

19.2.1 The NAT Add/Edit Screen

The NAT Add/Edit screen lets you create new NAT rules and edit existing ones. To open this window, open the NAT summary screen (see Section 19.2 on page 414). Then, click on an Add icon or Edit icon to open the following screen.

Figure 316 Configuration > Network > NAT > Add

The following table describes the labels in this screen.

Table 106 Configuration > Network > NAT > Add (continued)
Classification - Select what kind of NAT this rule is to perform. Virtual Server - This makes computers on a private network behind the ZyWALL available to a public network outside the ZyWALL (like the Internet).

Table 106 Configuration > Network > NAT > Add (continued)
Mapped IP Subnet/Range - This field displays for Many 1:1 NAT. Select to which translated destination IP address subnet or IP address range this NAT rule forwards packets. The original and mapped IP address subnets or ranges must have the same number of IP addresses.

Table 106 Configuration > Network > NAT > Add (continued)
Firewall - By default the firewall blocks incoming connections from external addresses. After you configure your NAT rule settings, click the Firewall link to configure a firewall rule to allow the NAT rule's traffic to come in. The ZyWALL checks NAT rules before it applies To-ZyWALL firewall rules, so To-ZyWALL firewall rules do not apply to traffic that is forwarded by NAT rules.

For example, a LAN user's computer at IP address 192.168.1.89 queries a public DNS server to resolve the SMTP server's domain name (xxx.LAN-SMTP.com in this example) and gets the SMTP server's mapped public IP address of 1.1.1.1.

Figure 317 LAN Computer Queries a Public DNS Server
(Figure labels: DNS answer xxx.LAN-SMTP.com = 1.1.1.1; LAN addresses 192.168.1.89 and 192.168.1.21.)

The LAN user's computer then sends traffic to IP address 1.1.1.1.

SMTP server replied directly to the LAN user without the traffic going through NAT, the source would not match the original destination address, which would cause the LAN user's computer to shut down the session.

Figure 319 LAN to LAN Return Traffic NAT
(Figure labels: NAT translates the SMTP server's source address 192.168.1.21 to 1.1.1.1 on the return traffic to the LAN.)
CHAPTER 20 HTTP Redirect

20.1 Overview

HTTP redirect forwards the client's HTTP request (except HTTP traffic destined for the ZyWALL) to a web proxy server. In the following example, proxy server A is connected to the DMZ interface. When a client connected to the LAN zone wants to open a web page, its HTTP request is redirected to proxy server A first. If proxy server A cannot find the web page in its cache, a policy route allows it to access the Internet to get the page from a server.

20.1.2 What You Need to Know

Web Proxy Server

A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services. A proxy server can act as a firewall or an ALG (application layer gateway) between the private network and the Internet or other networks. It also keeps hackers from knowing internal IP addresses. A client connects to a web proxy server each time he/she wants to access the Internet.

• an application patrol rule to allow HTTP traffic between ge4 and ge2.
• a policy route to forward HTTP traffic from proxy server A to the Internet.

Finding Out More

See Section 6.5.11 on page 104 for related information on these screens.

20.2 The HTTP Redirect Screen

To configure redirection of an HTTP request to a proxy server, click Configuration > Network > HTTP Redirect. This screen displays the summary of the HTTP redirect rules.

Table 107 Configuration > Network > HTTP Redirect (continued)
Port - This is the service port number used by the proxy server.
Apply - Click Apply to save your changes back to the ZyWALL.
Reset - Click Reset to return the screen to its last-saved settings.

20.2.1 The HTTP Redirect Edit Screen

Click Network > HTTP Redirect to open the HTTP Redirect screen. Then click the Add or Edit icon to open the HTTP Redirect Edit screen where you can configure the rule.
CHAPTER 21 ALG

21.1 ALG Overview

Application Layer Gateway (ALG) allows the following applications to operate properly through the ZyWALL's NAT.
• SIP - Session Initiation Protocol (SIP) - An application-layer protocol that can be used to create voice and multimedia sessions over the Internet.
• H.323 - A teleconferencing protocol suite that provides audio, data and video conferencing.
• FTP - File Transfer Protocol - an Internet file transfer service.

21.1.2 What You Need to Know

Application Layer Gateway (ALG), NAT and Firewall

The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT-unfriendly applications (such as SIP) to operate properly through the ZyWALL's NAT and firewall. The ZyWALL dynamically creates an implicit NAT session and firewall session for the application's traffic from the WAN to the LAN. The ALG on the ZyWALL supports all of the ZyWALL's NAT mapping types.

• There should be only one SIP server (total) on the ZyWALL's private networks. Any other SIP servers must be on the WAN. So, for example, you could have a Back-to-Back User Agent such as the IPPBX x6004 or an Asterisk PBX on the DMZ or on the LAN, but not on both.
• Using the SIP ALG allows you to use bandwidth management on SIP traffic.
• The SIP ALG handles SIP calls that go through NAT or that the ZyWALL routes. You can also make other SIP calls that do not go through NAT or routing.

can receive incoming calls from the Internet, LAN IP addresses B and C can still make calls out to the Internet.

Figure 325 VoIP Calls from the WAN with Multiple Outgoing Calls

VoIP with Multiple WAN IP Addresses

With multiple WAN IP addresses on the ZyWALL, you can configure different firewall and NAT (port forwarding) rules to allow incoming calls from each WAN IP address to go to a specific IP address on the LAN (or DMZ). Use policy routing to have the H.

• See Section 21.3 on page 433 for ALG background/technical information.

21.1.3 Before You Begin

You must also configure the firewall and enable NAT in the ZyWALL to allow sessions initiated from the WAN.

21.2 The ALG Screen

Click Configuration > Network > ALG to open the ALG screen. Use this screen to turn ALGs off or on, configure the port numbers to which they apply, and configure SIP ALG timeouts.

The following table describes the labels in this screen.

Table 109 Configuration > Network > ALG
Enable SIP ALG - Turn on the SIP ALG to detect SIP traffic and help build SIP sessions through the ZyWALL's NAT. Enabling the SIP ALG also allows you to use the application patrol to detect SIP traffic and manage the SIP traffic's bandwidth (see Chapter 32 on page 547).

Table 109 Configuration > Network > ALG (continued)
Enable FTP ALG - Turn on the FTP ALG to detect FTP (File Transfer Protocol) traffic and help build FTP sessions through the ZyWALL's NAT. Enabling the FTP ALG also allows you to use the application patrol to detect FTP traffic and manage the FTP traffic's bandwidth (see Chapter 32 on page 547).

connections to the second (passive) interface when the active interface's connection goes down. When the active interface's connection fails, the client needs to re-initialize the connection through the second interface (that was set to passive) in order to have the connection go through the second interface. VoIP clients usually re-register automatically at set intervals, or the users can manually force them to re-register.
CHAPTER 22 IP/MAC Binding

22.1 IP/MAC Binding Overview

IP address to MAC address binding helps ensure that only the intended devices get to use privileged IP addresses. The ZyWALL uses DHCP to assign IP addresses and records the MAC address to which it assigned each IP address. The ZyWALL then checks incoming connection attempts against this list. A user cannot manually assign another IP to his computer and use it to connect to the ZyWALL. Suppose you configure access privileges for IP address 192.168.1.

22.1.2 What You Need to Know

DHCP

IP/MAC address bindings are based on the ZyWALL's dynamic and static DHCP entries.

Interfaces Used With IP/MAC Binding

IP/MAC address bindings are grouped by interface. You can use IP/MAC binding with Ethernet, bridge, VLAN, and WLAN interfaces. You can also enable or disable IP/MAC binding and logging in an interface's configuration screen.

22.

Table 110 Configuration > Network > IP/MAC Binding > Summary (continued)
# - This field is a sequential value, and it is not associated with a specific entry.
Status - This icon is lit when the entry is active and dimmed when the entry is inactive.
Interface - This is the name of an interface that supports IP/MAC binding.

Table 111 Configuration > Network > IP/MAC Binding > Edit (continued)
Enable Logs for IP/MAC Binding Violation - Select this option to have the ZyWALL generate a log if a device connected to this interface attempts to use an IP address not assigned by the ZyWALL.
Static DHCP Bindings - This table lists the bound IP and MAC addresses. The ZyWALL checks this table when it assigns IP addresses.

The following table describes the labels in this screen.

Table 112 Configuration > Network > IP/MAC Binding > Edit > Add
Interface Name - This field displays the name of the interface within the ZyWALL and the interface's IP address and subnet mask.
IP Address - Enter the IP address that the ZyWALL is to assign to a device with the entry's MAC address.
MAC Address - Enter the MAC address of the device to which the ZyWALL assigns the entry's IP address.

Table 113 Configuration > Network > IP/MAC Binding > Exempt List (continued)
End IP - Enter the last IP address in a range of IP addresses for which the ZyWALL does not apply IP/MAC binding.
Add icon - Click the Add icon to add a new entry. Click the Remove icon to delete an entry. A window displays asking you to confirm that you want to delete it.
Apply - Click Apply to save your changes back to the ZyWALL.
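As an added example that is not the ZyWALL's own code, a model of the per-interface IP/MAC binding check described in this chapter (Sections 22.1 through the Exempt List): bindings come from dynamic and static DHCP entries, an exempt range bypasses the check, and a violation is logged when logging is enabled. The interface name, addresses and MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Tuple


def _norm_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class InterfaceBinding:
    """IP/MAC binding state for one interface (constructed model, not ZyWALL code)."""
    name: str
    enabled: bool = True
    log_violations: bool = True
    # ip -> mac, populated from dynamic and static DHCP entries
    bindings: Dict[str, str] = field(default_factory=dict)
    # inclusive (start, end) ranges the check does not apply to
    exempt: List[Tuple[IPv4Address, IPv4Address]] = field(default_factory=list)
    logs: List[str] = field(default_factory=list)

    def add_static(self, ip: str, mac: str) -> None:
        """Static DHCP binding: the address is reserved for this MAC."""
        self.bindings[ip] = _norm_mac(mac)

    def record_lease(self, ip: str, mac: str) -> None:
        """Dynamic DHCP lease: remember which MAC was handed the address."""
        self.bindings[ip] = _norm_mac(mac)

    def add_exempt(self, start: str, end: str) -> None:
        """Exempt List entry: Start IP .. End IP, inclusive."""
        lo, hi = IPv4Address(start), IPv4Address(end)
        if hi < lo:
            raise ValueError("exempt range end is before its start")
        self.exempt.append((lo, hi))

    def is_exempt(self, ip: str) -> bool:
        addr = IPv4Address(ip)
        return any(lo <= addr <= hi for lo, hi in self.exempt)

    def permit(self, ip: str, mac: str) -> bool:
        """Decide whether a connection attempt from (ip, mac) passes the check."""
        if not self.enabled or self.is_exempt(ip):
            return True
        expected = self.bindings.get(ip)
        if expected == _norm_mac(mac):
            return True
        if self.log_violations:
            self.logs.append(
                f"{self.name}: IP/MAC binding violation ip={ip} "
                f"mac={_norm_mac(mac)} bound={expected or 'unassigned'}"
            )
        return False


def demo() -> dict:
    """Constructed scenario: one static binding, one lease, one exempt range."""
    lan1 = InterfaceBinding("lan1")
    lan1.add_static("192.168.1.7", "00:11:22:33:44:55")      # constructed
    lan1.record_lease("192.168.1.33", "66-77-88-99-AA-BB")   # constructed
    lan1.add_exempt("192.168.1.200", "192.168.1.250")
    return {
        "leased_client": lan1.permit("192.168.1.33", "66:77:88:99:aa:bb"),
        # Another host manually configures the privileged address: blocked.
        "spoofed_privileged_ip": lan1.permit("192.168.1.7", "66:77:88:99:aa:bb"),
        # An address the ZyWALL never assigned: blocked.
        "self_assigned_ip": lan1.permit("192.168.1.99", "de:ad:be:ef:00:01"),
        # Inside the exempt range: the binding check is skipped.
        "exempt_range": lan1.permit("192.168.1.210", "de:ad:be:ef:00:02"),
        "violations_logged": len(lan1.logs),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```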
CHAPTER 23 Authentication Policy

23.1 Overview

Use authentication policies to control who can access the network. You can authenticate users (require them to log in) and even perform Endpoint Security (EPS) checking to make sure users' computers comply with defined corporate policies before they can access the network. After a user passes authentication, the user's computer must meet the endpoint security object's Operating System (OS) option and security requirements to gain access.

23.1.2 What You Need to Know

Authentication Policy and VPN

Authentication policies are applied based on a traffic flow's source and destination IP addresses. If VPN traffic matches an authentication policy's source and destination IP addresses, the user must pass authentication.

Multiple Endpoint Security Objects

You can set an authentication policy to use multiple endpoint security objects. This allows checking of computers with different OSs or security settings.

Click Configuration > Auth. Policy to display the screen.

Figure 334 Configuration > Auth.

The following table gives an overview of the objects you can configure.

Table 114 Configuration > Auth. Policy
Enable Authentication Policy - Select this to turn on the authentication policy feature.
Exceptional Services - Use this table to list services that users can access without logging in. Click Add to change the list's membership. A screen appears. Available services appear on the left.

Table 114 Configuration > Auth. Policy (continued)
Status - This icon is lit when the entry is active and dimmed when the entry is inactive.
Priority - This is the position of the authentication policy in the list. The priority is important as the policies are applied in order of priority. Default displays for the default authentication policy that the ZyWALL uses on traffic that does not match any exceptional service or other authentication policy.

Figure 336 Configuration > Auth. Policy > Add

The following table gives an overview of the objects you can configure.

Table 115 Configuration > Auth. Policy > Add
Create new Object - Use to configure any new settings objects that you need to use in this screen.
Enable Policy - Select this check box to activate the authentication policy. This field is available for user-configured policies.

Table 115 Configuration > Auth. Policy > Add (continued)
Schedule - Select a schedule that defines when the policy applies. Otherwise, select none and the rule is always effective. This is none and not configurable for the default policy.
Authentication - Select the authentication requirement for users when their traffic matches this policy. unnecessary - Users do not need to be authenticated. required - Users need to be authenticated.
CHAPTER 24 Firewall

24.1 Overview

Use the firewall to block or allow services that use static port numbers. Use application patrol (see Chapter 32 on page 547) to control services using flexible/dynamic port numbers. The firewall can also limit the number of user sessions.

This figure shows the ZyWALL's default firewall rules in action and demonstrates how stateful inspection works. User 1 can initiate a Telnet session from within the LAN zone and responses to this request are allowed.

24.1.2 What You Need to Know

Stateful Inspection

The ZyWALL has a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It also inspects sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.

Zones

A zone is a group of interfaces or VPN tunnels. Group the ZyWALL's interfaces into different zones based on your needs.

To-ZyWALL Rules

Rules with ZyWALL as the To Zone apply to traffic going to the ZyWALL itself. By default:
• The firewall allows only LAN, WLAN, or WAN computers to access or manage the ZyWALL.
• The ZyWALL drops most packets from the WAN zone to the ZyWALL itself, except for VRRP traffic for Device HA and ESP/AH/IKE/NATT/HTTPS services for VPN tunnels, and generates a log.

Firewall and Application Patrol

To use a service, make sure both the firewall and application patrol allow the service's packets to go through the ZyWALL. The ZyWALL checks the firewall rules before the application patrol rules for traffic going through the ZyWALL.

Firewall and VPN Traffic

After you create a VPN tunnel and add it to a zone, you can set the firewall rules applied to VPN traffic.

the firewall rule to always be in effect. The following figure shows the results of this rule.

Figure 338 Blocking All LAN to WAN IRC Traffic Example

Your firewall would have the following rules.

Table 117 Blocking All LAN to WAN IRC Traffic Example
#  USER  SOURCE  DESTINATION  SCHEDULE  SERVICE  ACTION
1  Any   Any     Any          Any       IRC      Deny
2  Any   Any     Any          Any       Any      Allow

• The first row blocks LAN access to the IRC service on the WAN.

Now you configure a LAN to WAN firewall rule that allows IRC traffic from the IP address of the CEO's computer (192.168.1.7 for example) to go to any destination address. You do not need to specify a schedule since you want the firewall rule to always be in effect. The following figure shows the results of your two custom rules.

Figure 339 Limited LAN to WAN IRC Traffic Example

Your firewall would have the following configuration.

• The first row allows any LAN computer to access the IRC service on the WAN by logging into the ZyWALL with the CEO's user name.
• The second row blocks LAN access to the IRC service on the WAN.
• The third row is the firewall's default policy of allowing all traffic from the LAN to go to the WAN.

The rule for the CEO must come before the rule that blocks all LAN to WAN IRC traffic.
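As an added example that is not part of the guide, a first-match evaluator for the LAN to WAN rule sets described above (the CEO exception followed by the blanket IRC deny and the default allow). It shows why the CEO rule must come first: with the order reversed, the deny row matches the CEO's traffic before the allow row is ever reached, and it also shows that a user-based rule only applies while that user is logged in. The rule contents, addresses and user name are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One row of a zone-pair firewall table (LAN to WAN here). Constructed model."""
    user: str          # "any", or a user name that must be logged in from the source
    source: str        # "any" or a CIDR for the source address
    destination: str   # "any" or a CIDR for the destination address
    service: str       # "any" or a service object name
    action: str        # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    """A new session seen by the firewall (constructed for the example)."""
    src: str
    dst: str
    service: str
    user: Optional[str] = None   # user logged in from src, if any


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def first_match(rules: List[Rule], flow: Flow) -> Tuple[Optional[int], str]:
    """Walk the rules top-down; the first row that matches decides (1-based index).

    A user-specific row is skipped unless that user is logged in from the
    source address, which is how the guide describes user-based rules.
    """
    for index, rule in enumerate(rules, start=1):
        if rule.user != "any" and rule.user != flow.user:
            continue
        if not _addr_match(rule.source, flow.src):
            continue
        if not _addr_match(rule.destination, flow.dst):
            continue
        if rule.service != "any" and rule.service != flow.service:
            continue
        return index, rule.action
    # Assumption for this model only: nothing matched, so fall back to deny.
    return None, "deny"


# Constructed rule sets modelled on the guide's IRC examples.
CEO_FIRST = [
    Rule("CEO", "192.168.1.7/32", "any", "IRC", "allow"),
    Rule("any", "any", "any", "IRC", "deny"),
    Rule("any", "any", "any", "any", "allow"),   # default LAN to WAN policy
]
# Same rows with the CEO exception placed after the blanket deny.
DENY_FIRST = [CEO_FIRST[1], CEO_FIRST[0], CEO_FIRST[2]]


def evaluate_examples() -> dict:
    """Return (matching row, action) for a few constructed flows."""
    ceo = Flow("192.168.1.7", "203.0.113.9", "IRC", user="CEO")
    ceo_not_logged_in = Flow("192.168.1.7", "203.0.113.9", "IRC")
    staff_irc = Flow("192.168.1.20", "203.0.113.9", "IRC")
    staff_web = Flow("192.168.1.20", "203.0.113.9", "HTTP")
    return {
        "ceo_correct_order": first_match(CEO_FIRST, ceo),
        "ceo_wrong_order": first_match(DENY_FIRST, ceo),
        "ceo_without_login": first_match(CEO_FIRST, ceo_not_logged_in),
        "staff_irc": first_match(CEO_FIRST, staff_irc),
        "staff_web": first_match(CEO_FIRST, staff_web),
    }


if __name__ == "__main__":
    for name, (row, action) in evaluate_examples().items():
        print(f"{name}: rule {row} -> {action}")
```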
5 The screen for configuring a service object opens. Configure it as follows and click OK.

Figure 342 Firewall Example: Create a Service Object

6 Select From WAN and To LAN1.
7 Enter the name of the firewall rule.
8 Select Dest_1 for the Destination and Doom as the Service. Enter a description and configure the rest of the screen as follows. Click OK when you are done.

9 The firewall rule appears in the firewall rule summary.

Figure 344 Firewall Example: Doom Rule in Summary

24.2 The Firewall Screen

Asymmetrical Routes

If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL's LAN IP address, return traffic may not go through the ZyWALL. This is called an asymmetrical or "triangle" route. This causes the ZyWALL to reset the connection, as the connection has not been acknowledged.

4 The ZyWALL then sends it to the computer on the LAN in Subnet 1.

Figure 345 Using Virtual Interfaces to Avoid Asymmetrical Routes

24.2.1 Configuring the Firewall Screen

Click Configuration > Firewall to open the Firewall screen. Use this screen to enable or disable the firewall and asymmetrical routes, set a maximum number of sessions per host, and display the configured firewall rules.

• The ordering of your rules is very important as rules are applied in sequence.

Figure 346 Configuration > Firewall

The following table describes the labels in this screen.

Table 120 Configuration > Firewall
General Settings
Enable Firewall - Select this check box to activate the firewall. The ZyWALL performs access control when the firewall is activated.

Table 120 Configuration > Firewall (continued)
From Zone / To Zone - This is the direction of travel of packets. Select from which zone the packets come and to which zone they go. Firewall rules are grouped based on the direction of travel of packets to which they apply. For example, from LAN to LAN means packets traveling from a computer or subnet on the LAN to either another computer or subnet on the LAN.

Table 120 Configuration > Firewall (continued)
Service - This displays the service object to which this firewall rule applies.
Access - This field displays whether the firewall silently discards packets (deny), discards packets and sends a TCP reset packet to the sender (reject) or permits the passage of packets (allow).
Log - This field shows you whether a log (and alert) is created when packets match this rule or not.

Table 121 Configuration > Firewall > Add (continued)
Description - Enter a descriptive name of up to 60 printable ASCII characters for the firewall rule. Spaces are allowed.
Schedule - Select a schedule that defines when the rule applies. Otherwise, select none and the rule is always effective.
User - This field is not available when you are configuring a to-ZyWALL rule. Select a user name or user group to which to apply the rule.

individual limits for specific users, addresses, or both. The individual limit takes priority if you apply both.

Figure 348 Configuration > Firewall > Session Limit

The following table describes the labels in this screen.

Table 122 Configuration > Firewall > Session Limit
General Settings
Enable Session limit - Select this check box to control the number of concurrent sessions hosts can have.

Table 122 Configuration > Firewall > Session Limit (continued)
# - This is the index number of a session limit rule. It is not associated with a specific rule.
User - This is the user name or user group name to which this session limit rule applies.
Address - This is the address object to which this session limit rule applies.
Limit - This is how many concurrent sessions this user or address is allowed to have.

Table 123 Configuration > Firewall > Session Limit > Edit (continued)
User - Select a user name or user group to which to apply the rule. The rule is activated only when the specified user logs into the system, and the rule is disabled when the user logs out. Otherwise, select any and no user login is needed.
CHAPTER 25 IPSec VPN 25.1 IPSec VPN Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport traffic over the Internet or any insecure network that uses TCP/IP for communication.
Chapter 25 IPSec VPN • Use the VPN Gateway screens (see Section 25.2.1 on page 472) to manage the ZyWALL’s VPN gateways. A VPN gateway specifies the IPSec routers at either end of a VPN tunnel and the IKE SA settings (phase 1 settings). You can also activate and deactivate each VPN gateway. • Use the VPN Concentrator screens (see Section 25.4 on page 491) to combine several IPSec VPN connections into a single secure network. 25.1.
Chapter 25 IPSec VPN Application Scenarios The ZyWALL’s application scenarios make it easier to configure your VPN connection settings. Table 124 IPSec VPN Application Scenarios SITE-TO-SITE Choose this if the remote IPSec router has a static IP address or a domain name. This ZyWALL can initiate the VPN tunnel. The remote IPSec router can also initiate the VPN tunnel if this ZyWALL has a static IP address or a domain name.
• See Section 25.5 on page 495 for IPSec VPN background information. • See Section 5.3 on page 79 for the IPSec VPN quick setup wizard. • See Section 7.5 on page 139 for an example of configuring IPSec VPN. • See Section 7.6 on page 142 for an example of how to configure a hub-and-spoke IPSec VPN without using a VPN concentrator. 25.1.3 Before You Begin This section briefly explains the relationship between VPN tunnels and other features.
Chapter 25 IPSec VPN SA). Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 352 Configuration > VPN > IPSec VPN > VPN Connection Each field is discussed in the following table. See Section 25.2.2 on page 479 and Section 25.2.1 on page 472 for more information.
Chapter 25 IPSec VPN Table 125 Configuration > VPN > IPSec VPN > VPN Connection (continued) LABEL DESCRIPTION # This field is a sequential value, and it is not associated with a specific connection. Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. The connect icon is lit when the interface is connected and dimmed when it is disconnected. Name This field displays the name of the IPSec SA.
Figure 353 Configuration > VPN > IPSec VPN > VPN Connection > Edit (IKE)
Chapter 25 IPSec VPN Each field is described in the following table. Table 126 Configuration > VPN > IPSec VPN > VPN Connection > Edit LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields. Create new Object Use to configure any new settings objects that you need to use in this screen. General Settings Connection Name Type the name used to identify this IPSec SA.
Chapter 25 IPSec VPN Table 126 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Policy Local Policy Select the address corresponding to the local network. Use Create new Object if you need to configure a new one. Remote Policy Select the address corresponding to the remote network. Use Create new Object if you need to configure a new one.
Chapter 25 IPSec VPN Table 126 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL Encryption DESCRIPTION This field is applicable when the Active Protocol is ESP. Select which key size and encryption algorithm to use in the IPSec SA.
Chapter 25 IPSec VPN Table 126 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL Check Method DESCRIPTION Select how the ZyWALL checks the connection. The peer must be configured to respond to the method you select. Select icmp to have the ZyWALL regularly ping the address you specify to make sure traffic can still go through the connection. You may need to configure the peer to respond to pings.
Table 126 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Inbound Traffic Source NAT This translation hides the source address of computers in the remote network. Source Select the address object that represents the original source address (or select Create Object to configure a new one). This is the address object for the remote network.
Chapter 25 IPSec VPN 25.2.2 The VPN Connection Add/Edit Manual Key Screen The VPN Connection Add/Edit Manual Key screen allows you to create a new VPN connection or edit an existing one using a manual key. This is useful if you have problems with IKE key management. To access this screen, go to the VPN Connection summary screen (see Section 25.2 on page 470), and click either the Add icon or an existing manual key entry’s Edit icon. In the VPN Gateway section of the screen, select Manual Key.
Table 127 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key (continued) LABEL DESCRIPTION Secure Gateway Address Type the IP address of the remote IPSec router in the IPSec SA. SPI Type a unique SPI (Security Parameter Index) between 256 and 4095. The SPI is carried in every AH or ESP header and tells the receiving router which IPSec SA (and therefore which keys and algorithms) to apply to the packet; it does not authenticate either router. The ZyWALL and remote IPSec router must use the same SPI. Encapsulation Mode Select which type of encapsulation the IPSec SA uses.
Chapter 25 IPSec VPN Table 127 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key (continued) LABEL DESCRIPTION Encryption Key This field is applicable when you select an Encryption Algorithm. Enter the encryption key, which depends on the encryption algorithm.
25.3 The VPN Gateway Screen The VPN Gateway summary screen displays the IPSec VPN gateway policies in the ZyWALL, as well as the ZyWALL’s address, the remote IPSec router’s address, and the associated VPN connections for each one. In addition, it also lets you activate and deactivate each VPN gateway. To access this screen, click Configuration > VPN > IPSec VPN > VPN Gateway. The following screen appears.
Chapter 25 IPSec VPN Table 128 Configuration > VPN > IPSec VPN > VPN Gateway (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. 25.3.1 The VPN Gateway Add/Edit Screen The VPN Gateway Add/Edit screen allows you to create a new VPN gateway policy or edit an existing one. To access this screen, go to the VPN Gateway summary screen (see Section 25.
Figure 356 Configuration > VPN > IPSec VPN > VPN Gateway > Edit
Chapter 25 IPSec VPN Each field is described in the following table. Table 129 Configuration > VPN > IPSec VPN > VPN Gateway > Edit LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields. General Settings VPN Gateway Name Type the name used to identify this VPN gateway. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Table 129 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL Pre-Shared Key DESCRIPTION Select this to have the ZyWALL and remote IPSec router use a pre-shared key (password) to identify each other when they negotiate the IKE SA. Type the pre-shared key in the field to the right. The pre-shared key can be:
• 8 - 32 alphanumeric characters or ,;|`~!@#$%^&*()_+\{}':./ <>=-".
• 8 - 32 pairs of hexadecimal (0-9, A-F) characters, preceded by “0x”.
Note: The pre-shared key is the only secret that authenticates the IKE SA, so use a long random value rather than a word or short phrase. This matters most with Aggressive negotiation mode (see Negotiation Mode in this table), where the authentication hashes are sent unencrypted.
Chapter 25 IPSec VPN Table 129 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL Content DESCRIPTION This field is read-only if the ZyWALL and remote IPSec router use certificates to identify each other. Type the identity of the ZyWALL during authentication. The identity depends on the Local ID Type. IP - type an IP address; if you type 0.0.0.0, the ZyWALL uses the IP address specified in the My Address field.
Chapter 25 IPSec VPN Table 129 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL Content DESCRIPTION This field is disabled if the Peer ID Type is Any. Type the identity of the remote IPSec router during authentication. The identity depends on the Peer ID Type. If the ZyWALL and remote IPSec router do not use certificates, IP - type an IP address; see the note at the end of this description.
Table 129 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL Negotiation Mode DESCRIPTION Select the negotiation mode to use to negotiate the IKE SA. Choices are:
• Main - this encrypts the ZyWALL’s and remote IPSec router’s identities but takes more time to establish the IKE SA.
• Aggressive - this is faster but does not encrypt the identities. With pre-shared key authentication the authentication hashes are also sent in the clear, so anyone who captures the exchange can test candidate pre-shared keys against them offline; use Aggressive mode only with a long random pre-shared key.
The ZyWALL and the remote IPSec router must use the same negotiation mode. Proposal Add Click this to create a new entry.
Table 129 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL NAT Traversal DESCRIPTION Select this if any of these conditions are satisfied.
• This IKE SA might be used to negotiate IPSec SAs that use ESP as the active protocol.
• There are one or more NAT routers between the ZyWALL and remote IPSec router, and these routers do not support IPSec pass-thru or a similar feature.
25.4 VPN Concentrator A VPN concentrator combines several IPSec VPN connections into one secure network. Figure 357 VPN Topologies (Fully Meshed and Hub and Spoke) In a fully-meshed VPN topology (1 in the figure), there is a VPN connection between every pair of routers. In a hub-and-spoke VPN topology (2 in the figure), there is a VPN connection between each spoke router (B, C, D, and E) and the hub router (A), which uses the VPN concentrator.
Chapter 25 IPSec VPN • Branch office A’s ZyWALL uses one VPN rule to access both the headquarters (HQ) network and branch office B’s network. • Branch office B’s ZyWALL uses one VPN rule to access branch office A’s network only. Branch office B is not permitted to access the headquarters network. Figure 358 IPSec VPN Concentrator Example This IPSec VPN concentrator example uses the following settings. Branch Office A (ZyNOS-based ZyWALL): VPN Gateway (VPN Tunnel 1): • My Address: 10.0.0.
VPN Connection (VPN Tunnel 1):
• Local Policy: 192.168.1.0/255.255.255.0
• Remote Policy: 192.168.11.0/255.255.255.0
• Disable Policy Enforcement
VPN Gateway (VPN Tunnel 2):
• My Address: 10.0.0.1
• Peer Gateway Address: 10.0.0.3
VPN Connection (VPN Tunnel 2):
• Local Policy: 192.168.1.0/255.255.255.0
• Remote Policy: 192.168.12.0/255.255.255.0
• Disable Policy Enforcement
Concentrator:
• Add VPN tunnel 1 and VPN tunnel 2 to an IPSec VPN concentrator.
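The following is an added example, not code from the ZyXEL guide: a small model of how a hub ZyWALL with a VPN concentrator steers spoke-to-spoke traffic, and what Disable Policy Enforcement changes. Addresses follow the concentrator example above (HQ 192.168.1.0/24, spoke networks 192.168.11.0/24 and 192.168.12.0/24, tunnel 2 peer 10.0.0.3); the tunnel 1 peer address is truncated in the source, so 10.0.0.2 is an assumption, and the hypothetical `widen_local_policy` option models the alternative of keeping enforcement on and listing every spoke network in the local policy.

```python
# Added example (not from the ZyXEL guide): how a hub with a VPN concentrator
# decides what to do with a packet that arrives from one spoke and is destined
# for another, and why the guide says to disable policy enforcement (or widen
# the local policy) on the hub's spoke tunnels. Addresses follow the guide's
# example; the tunnel-1 peer 10.0.0.2 is an assumption.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class VpnConnection:
    name: str
    peer: str                    # Peer Gateway Address
    local_policy: list           # networks allowed to enter the tunnel outbound
    remote_policy: object        # network reachable through the tunnel
    enforce_policy: bool = True  # False = "Disable Policy Enforcement" ticked


@dataclass
class Hub:
    lan: list                    # networks directly behind the hub
    conns: list                  # VpnConnection objects
    concentrator: set = field(default_factory=set)  # names grouped in the concentrator


def _covered(addr, nets):
    return any(addr in net for net in nets)


def select_tunnel(conns, dst):
    """Pick the connection whose remote policy covers the destination."""
    for c in conns:
        if dst in c.remote_policy:
            return c
    return None


def forward(hub, arrived_on, src, dst):
    """Decide what the hub does with a packet that just came out of tunnel
    `arrived_on`. Returns (verdict, outbound connection or None)."""
    src, dst = ip_address(src), ip_address(dst)
    if _covered(dst, hub.lan):
        return ("deliver-local", None)
    if arrived_on.name not in hub.concentrator:
        return ("drop", None)          # no spoke-to-spoke path without a concentrator
    peers = [c for c in hub.conns if c.name in hub.concentrator and c is not arrived_on]
    out = select_tunnel(peers, dst)
    if out is None:
        return ("drop", None)
    # Policy enforcement checks the packet against the outbound tunnel's local
    # policy. A spoke's addresses are not the hub's LAN, so with enforcement on
    # they never qualify unless the local policy was widened to include them.
    if out.enforce_policy and not _covered(src, out.local_policy):
        return ("drop-policy", out)
    return ("forward", out)


def remote_policies_disjoint(conns):
    """Spoke networks in one concentrator must not overlap, otherwise
    select_tunnel() is ambiguous (the guide's 'should not overlap' rule)."""
    nets = [c.remote_policy for c in conns]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def build_hub(enforce=True, widen_local_policy=False):
    hq = ip_network("192.168.1.0/24")
    spoke_a = ip_network("192.168.11.0/24")
    spoke_b = ip_network("192.168.12.0/24")
    local = [hq, spoke_a, spoke_b] if widen_local_policy else [hq]
    t1 = VpnConnection("VPN Tunnel 1", "10.0.0.2", local, spoke_a, enforce)  # peer assumed
    t2 = VpnConnection("VPN Tunnel 2", "10.0.0.3", local, spoke_b, enforce)
    return Hub(lan=[hq], conns=[t1, t2], concentrator={t1.name, t2.name})


if __name__ == "__main__":
    for enforce in (True, False):
        hub = build_hub(enforce=enforce)
        print(enforce, forward(hub, hub.conns[0], "192.168.11.5", "192.168.12.7")[0])
```

Run it and the same spoke-A-to-spoke-B packet is dropped by policy enforcement on tunnel 2 until enforcement is disabled, while traffic to the HQ LAN is delivered locally either way.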
• The local IP addresses configured in the VPN rules should not overlap.
• The concentrator must have at least one separate VPN rule for each spoke. In the local policy, specify the IP addresses of the networks with which the spoke is to be able to have a VPN tunnel. This may require you to use more than one VPN rule for each spoke.
• To have all Internet access from the spoke routers go through the VPN tunnel, set the VPN rules in the spoke routers to use 0.0.0.
Chapter 25 IPSec VPN Concentrator summary screen (see Section 25.4 on page 491), and click either the Add icon or an Edit icon. Figure 360 Configuration > VPN > IPSec VPN > Concentrator > Edit Each field is described in the following table. Table 131 VPN > IPSec VPN > Concentrator > Edit LABEL DESCRIPTION Name Enter the name of the concentrator. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Chapter 25 IPSec VPN IKE SA Overview The IKE SA provides a secure connection between the ZyWALL and remote IPSec router. It takes several steps to establish an IKE SA. The negotiation mode determines how many. There are two negotiation modes--main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster. Note: Both routers must use the same negotiation mode. These modes are discussed in more detail in Negotiation Mode on page 500.
Chapter 25 IPSec VPN The ZyWALL sends one or more proposals to the remote IPSec router. (In some devices, you can only set up one proposal.) Each proposal consists of an encryption algorithm, authentication algorithm, and DH key group that the ZyWALL wants to use in the IKE SA. The remote IPSec router selects an acceptable proposal and sends the accepted proposal back to the ZyWALL. If the remote IPSec router rejects all of the proposals, the ZyWALL and remote IPSec router cannot establish an IKE SA.
the longer it takes to compute the shared key. For example, DH2 keys (1024 bits) are more secure than DH1 keys (768 bits), but DH2 key exchanges take longer to compute. Both sizes are small by current standards, so use the largest DH group both routers support. Authentication Before the ZyWALL and remote IPSec router establish an IKE SA, they have to verify each other’s identity. This process is based on pre-shared keys and router identities. In main mode, the ZyWALL and remote IPSec router authenticate each other in steps 5 and 6, as illustrated below.
Chapter 25 IPSec VPN Router identity consists of ID type and content. The ID type can be domain name, IP address, or e-mail address, and the content is a (properly-formatted) domain name, IP address, or e-mail address. The content is only used for identification. Any domain name or e-mail address that you enter does not have to actually exist. Similarly, any domain name or IP address that you enter does not have to correspond to the ZyWALL’s or remote IPSec router’s properties.
Chapter 25 IPSec VPN Negotiation Mode There are two negotiation modes--main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster. Main mode takes six steps to establish an IKE SA. Steps 1 - 2: The ZyWALL sends its proposals to the remote IPSec router. The remote IPSec router selects an acceptable proposal and sends it back to the ZyWALL.
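The following is an added example, not code from the ZyXEL guide, illustrating the pre-shared key and negotiation mode points above (Pre-Shared Key format, Main versus Aggressive mode). It models the responder's HASH_R computation from RFC 2409 with pre-shared key authentication and HMAC-SHA1 as the prf, then shows what a passive eavesdropper can do with an aggressive-mode capture, where HASH_R travels unencrypted: every input except the key is visible, so candidate keys can be tested offline. In main mode the same hash is sent only after encryption is set up, so this capture is not available. All wire values are constructed here; the `g^x` values are random placeholders for real Diffie-Hellman public values, and `psk_to_bytes` is an assumed helper that applies the guide's two key formats.

```python
# Added example (not from the ZyXEL guide): IKEv1 pre-shared-key authentication
# hash (RFC 2409 section 5) and the offline dictionary test that an aggressive-
# mode capture permits. Wire values are constructed; g^x are not real DH values.
import hashlib
import hmac
import os
from dataclasses import dataclass


def psk_to_bytes(psk: str) -> bytes:
    """Accept the guide's two key forms: 8-32 printable characters, or '0x'
    followed by 8-32 pairs of hexadecimal digits (0-9, A-F)."""
    if psk.startswith("0x"):
        hexpart = psk[2:]
        if len(hexpart) % 2 or not 8 <= len(hexpart) // 2 <= 32 or hexpart.strip("0123456789ABCDEF"):
            raise ValueError("hex pre-shared key must be 0x plus 8-32 pairs of 0-9/A-F")
        return bytes.fromhex(hexpart)
    if not 8 <= len(psk) <= 32 or not psk.isascii() or not psk.isprintable():
        raise ValueError("pre-shared key must be 8-32 printable ASCII characters")
    return psk.encode("ascii")


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf when HMAC-SHA1 is the negotiated hash algorithm."""
    return hmac.new(key, data, hashlib.sha1).digest()


def hash_r(psk, ni, nr, g_xi, g_xr, cky_i, cky_r, sai_b, idir_b):
    """HASH_R as the responder computes it with pre-shared-key authentication:
    SKEYID = prf(PSK, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)"""
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, g_xr + g_xi + cky_r + cky_i + sai_b + idir_b)


@dataclass(frozen=True)
class AggressiveCapture:
    """Everything a sniffer sees in aggressive-mode messages 1 and 2."""
    ni: bytes
    nr: bytes
    g_xi: bytes
    g_xr: bytes
    cky_i: bytes
    cky_r: bytes
    sai_b: bytes
    idir_b: bytes
    hash_r: bytes


def capture_exchange(psk: bytes) -> AggressiveCapture:
    """Simulate one aggressive-mode exchange and return what was on the wire.
    IDir is an ID_IPV4_ADDR payload body (type 1, proto 0, port 0, 10.0.0.3)."""
    ni, nr = os.urandom(16), os.urandom(16)
    g_xi, g_xr = os.urandom(128), os.urandom(128)      # placeholders for DH group 2 values
    cky_i, cky_r = os.urandom(8), os.urandom(8)
    sai_b = bytes.fromhex("00000001000000010000002801010000")  # constructed SA payload body
    idir_b = b"\x01\x00\x00\x00" + bytes([10, 0, 0, 3])
    return AggressiveCapture(ni, nr, g_xi, g_xr, cky_i, cky_r, sai_b, idir_b,
                             hash_r(psk, ni, nr, g_xi, g_xr, cky_i, cky_r, sai_b, idir_b))


def crack_psk(cap: AggressiveCapture, candidates):
    """Offline test of candidate keys against the captured HASH_R."""
    for psk in candidates:
        guess = hash_r(psk, cap.ni, cap.nr, cap.g_xi, cap.g_xr,
                       cap.cky_i, cap.cky_r, cap.sai_b, cap.idir_b)
        if hmac.compare_digest(guess, cap.hash_r):
            return psk
    return None


if __name__ == "__main__":
    wordlist = [b"admin", b"letmein", b"password1", b"zyxel"]
    print(crack_psk(capture_exchange(psk_to_bytes("password1")), wordlist))
    print(crack_psk(capture_exchange(psk_to_bytes("0x9F3C7A21D4E8B05C66A1F0B39D7E2C48")), wordlist))
```

The second run returns None: a 16-byte random hex key is not in any wordlist, which is the whole defence when aggressive mode cannot be avoided.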
feature, router X and router Y can establish a VPN tunnel as long as the active protocol is ESP. (See Active Protocol on page 502 for more information about active protocols.) If router A does not have IPSec pass-thru, you can solve this problem by enabling NAT traversal. In NAT traversal, router X and router Y encapsulate the IKE SA and IPSec SA packets in an additional UDP header (UDP port 4500), which router A can translate like any other UDP traffic. NAT traversal is defined for ESP only: AH’s integrity check covers the outer IP addresses, so an AH SA cannot survive a NAT that rewrites them, whether or not NAT traversal is enabled.
Chapter 25 IPSec VPN • The local and peer ID type and content come from the certificates. Note: You must set up the certificates for the ZyWALL and remote IPSec router first. IPSec SA Overview Once the ZyWALL and remote IPSec router have established the IKE SA, they can securely negotiate an IPSec SA through which to send data between computers on the networks. Note: The IPSec SA stays connected even if the underlying IKE SA is not available anymore.
These modes are illustrated below.
Figure 365 VPN: Transport and Tunnel Mode Encapsulation
Original Packet:       IP Header | TCP Header | Data
Transport Mode Packet: IP Header | AH/ESP Header | TCP Header | Data
Tunnel Mode Packet:    IP Header | AH/ESP Header | IP Header | TCP Header | Data
In transport mode the original IP header is kept and only the payload after it is protected. In tunnel mode, the ZyWALL uses the active protocol to encapsulate the entire IP packet, including its IP header, behind a new outer IP header.
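The following is an added example, not code from the ZyXEL guide, that builds and verifies the two Figure 365 layouts for AH, the authentication-only active protocol, with HMAC-SHA1-96 per RFC 4302. It also covers two points made earlier in this chapter: the SPI is just the SA selector in the AH header (values here are within the 256-4095 range the manual-key screen accepts), and AH fails behind a NAT because its integrity check covers the outer addresses, while a plain router hop that changes the TTL is fine. Keys, SPIs, the TCP segment and the helper routers are constructed for the example.

```python
# Added example (not from the ZyXEL guide): AH transport and tunnel mode
# framing with HMAC-SHA1-96 (RFC 4302). Key, SPI and TCP bytes are constructed.
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_AH = 4, 6, 51
AH_LEN = 24          # 12 fixed bytes + 12-byte truncated HMAC-SHA1-96 ICV


def ip_checksum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def _icv_view(ip_hdr: bytes) -> bytes:
    """Zero the fields a router may legitimately change in transit (TOS,
    flags/fragment offset, TTL, checksum) so they are excluded from the ICV.
    Source and destination addresses stay covered, which is why NAT breaks AH."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def build_ah(key, spi, seq, src, dst, payload, next_header):
    ip = ipv4_header(src, dst, IPPROTO_AH, AH_LEN + len(payload))
    # AH: Next Header | Payload Len (32-bit words minus 2) | Reserved | SPI | Sequence
    ah_fixed = struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq)
    icv = hmac.new(key, _icv_view(ip) + ah_fixed + b"\x00" * 12 + payload, hashlib.sha1).digest()[:12]
    return ip + ah_fixed + icv + payload


def transport_mode(key, spi, seq, src, dst, tcp_segment):
    """IP | AH | TCP | data: the original IP header is kept."""
    return build_ah(key, spi, seq, src, dst, tcp_segment, IPPROTO_TCP)


def tunnel_mode(key, spi, seq, gw_src, gw_dst, inner_packet):
    """Outer IP | AH | inner IP | TCP | data: the whole original packet is payload."""
    return build_ah(key, spi, seq, gw_src, gw_dst, inner_packet, IPPROTO_IPIP)


def parse_ah(key, pkt):
    """Receiver side: read SPI/sequence, recompute and compare the ICV."""
    ip, rest = pkt[:20], pkt[20:]
    next_header, _, _, spi, seq = struct.unpack("!BBHII", rest[:12])
    icv, payload = rest[12:24], rest[24:]
    expected = hmac.new(key, _icv_view(ip) + rest[:12] + b"\x00" * 12 + payload, hashlib.sha1).digest()[:12]
    return {"spi": spi, "seq": seq, "next_header": next_header,
            "ok": hmac.compare_digest(icv, expected), "payload": payload}


def router_hop(pkt):
    """A plain router on the path: decrement TTL and refresh the checksum."""
    ip = bytearray(pkt[:20])
    ip[8] -= 1
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    return bytes(ip) + pkt[20:]


def nat_rewrite_src(pkt, new_src):
    """A NAT router: rewrite the source address and refresh the checksum."""
    ip = bytearray(pkt[:20])
    ip[12:16] = socket.inet_aton(new_src)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    return bytes(ip) + pkt[20:]


if __name__ == "__main__":
    key = b"constructed-example-key"
    tcp = bytes.fromhex("00501f90000000010000000050022000" + "00000000")  # constructed TCP header
    pkt = transport_mode(key, 256, 1, "10.0.0.1", "10.0.0.3", tcp)
    print("direct:", parse_ah(key, pkt)["ok"], "via router:", parse_ah(key, router_hop(pkt))["ok"],
          "via NAT:", parse_ah(key, nat_rewrite_src(pkt, "203.0.113.7"))["ok"])
```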
Chapter 25 IPSec VPN Additional Topics for IPSec SA This section provides more information about IPSec SA in your ZyWALL. IPSec SA using Manual Keys You might set up an IPSec SA using manual keys when you want to establish a VPN tunnel quickly, for example, for troubleshooting. You should only do this as a temporary solution, however, because it is not as secure as a regular IPSec SA. In IPSec SAs using manual keys, the ZyWALL and remote IPSec router do not establish an IKE SA.
Chapter 25 IPSec VPN Each kind of translation is explained below. The following example is used to help explain each one. Figure 366 VPN Example: NAT for Inbound and Outbound Traffic Source Address in Outbound Packets (Outbound Traffic, Source NAT) This translation lets the ZyWALL route packets from computers that are not part of the specified local network (local policy) through the IPSec SA.
Chapter 25 IPSec VPN • SNAT - the translated source address; a different IP address (range of addresses) to hide the original source address. Destination Address in Inbound Packets (Inbound Traffic, Destination NAT) You can set up this translation if you want the ZyWALL to forward some packets from the remote network to a specific computer in the local network.
CHAPTER 26 SSL VPN 26.1 Overview Use SSL VPN to allow users to use a web browser for secure remote user login (the remote users do not need a VPN router or VPN client software). 26.1.1 What You Can Do in this Chapter • Use the VPN > SSL VPN > Access Privilege screens (see Section 26.2 on page 510) to configure SSL access policies. • Use the VPN > SSL VPN > Global Setting screen (see Section 26.
Chapter 26 SSL VPN You do not have to install additional client software on the remote user computers for access. Figure 367 Network Access Mode: Reverse Proxy Full Tunnel Mode In full tunnel mode, a virtual connection is created for remote users with private IP addresses in the same subnet as the local network. This allows them to access network resources in the same way as if they were part of the internal network.
Chapter 26 SSL VPN changes through the SSL policies that use the object(s). When you delete an SSL policy, the objects are not removed. Table 134 Objects OBJECT TYPE OBJECT SCREEN DESCRIPTION User Accounts User Account/ User Group Configure a user account or user group to which you want to apply this SSL access policy. Endpoint Security Endpoint Security Endpoint Security (EPS) checking makes sure users’ computers comply with defined corporate policies before they can access the SSL VPN tunnel.
Chapter 26 SSL VPN 26.2 The SSL Access Privilege Screen Click VPN > SSL VPN to open the Access Privilege screen. This screen lists the configured SSL access policies. Figure 369 VPN > SSL VPN > Access Privilege The following table describes the labels in this screen. Table 135 VPN > SSL VPN > Access Privilege LABEL DESCRIPTION Add Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Chapter 26 SSL VPN Table 135 VPN > SSL VPN > Access Privilege LABEL DESCRIPTION Apply Click Apply to save the settings. Reset Click Reset to discard all changes.
Chapter 26 SSL VPN 26.2.1 The SSL Access Policy Add/Edit Screen To create a new or edit an existing SSL access policy, click the Add or Edit icon in the Access Privilege screen.
The following table describes the labels in this screen. Table 136 VPN > SSL VPN > Access Privilege > Add/Edit LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to use in this screen. Configuration Enable Policy Select this option to activate this SSL access policy. Name Enter a descriptive name to identify this policy. You can enter up to 15 characters (“a-z”, “A-Z”, “0-9”) with no spaces allowed.
Chapter 26 SSL VPN Table 136 VPN > SSL VPN > Access Privilege > Add/Edit (continued) LABEL DESCRIPTION SSL Application List (Optional) The Selectable Application Objects list displays the name(s) of the SSL application(s) you can select for this SSL access policy. To associate an SSL application to this SSL access policy, select a name and click >> to add to the Selected Application Objects list. You can select more than one application.
Chapter 26 SSL VPN on your network for full tunnel mode access, enter access messages or upload a custom logo to be displayed on the remote user screen. Figure 371 VPN > SSL VPN > Global Setting The following table describes the labels in this screen. Table 137 VPN > SSL VPN > Global Setting LABEL DESCRIPTION Global Setting Network Extension Local IP Specify the IP address of the ZyWALL (or a gateway device) for full tunnel mode SSL VPN access.
Table 137 VPN > SSL VPN > Global Setting (continued) LABEL DESCRIPTION Logout Message Specify a message to display on the screen when a user logs out and the SSL VPN connection is terminated successfully. You can enter up to 60 characters (“a-z”, “A-Z”, “0-9”) with spaces allowed. Update Client Virtual Desktop Logo You can upload a graphic logo to be displayed on the web browser on the remote user computer. The ZyXEL company logo is the default logo.
Chapter 26 SSL VPN The following shows an example logo on the remote user screen. Figure 372 Example Logo Graphic Display 26.4 Establishing an SSL VPN Connection After you have configured the SSL VPN settings on the ZyWALL, use the ZyWALL login screen’s SSL VPN button to establish an SSL VPN connection. See Section 27.2 on page 520 for details. 1 Display the ZyWALL’s login screen and enter your user account information (the user name and password). Click SSL VPN.
Chapter 26 SSL VPN 2 SSL VPN connection starts. This may take several minutes depending on your network connection. Once the connection is up, you should see the client portal screen. The following shows an example. Figure 374 SSL VPN Client Portal Screen Example If the user account is not set up for SSL VPN access, an “SSL VPN connection is not activated” message displays in the Login screen. Clear the Login to SSL VPN check box and try logging in again.
CHAPTER 27 SSL User Screens 27.1 Overview This chapter introduces the remote user SSL VPN screens. The following figure shows a network example where a remote user (A) logs into the ZyWALL from the Internet to access the web server (WWW) on the local network. Figure 375 Network Example 27.1.
System Requirements Here are the browser and computer system requirements for remote user access.
• Windows 7 (32 or 64-bit), Vista (32 or 64-bit), 2003 (32-bit), XP (32-bit), or 2000 (32-bit)
• Internet Explorer 7 and above or Firefox 1.5 and above
• Using RDP requires Internet Explorer
• Sun’s Java (Java Runtime Environment or ‘JRE’) installed and enabled with a minimum version of 1.6.
Chapter 27 SSL User Screens 1 Open a web browser and enter the web site address or IP address of the ZyWALL. For example, “http://sslvpn.mycompany.com”. Figure 376 Enter the Address in a Web Browser 2 Click OK or Yes if a security screen displays. Figure 377 Login Security Screen 3 A login screen displays. Enter the user name and password of your login account. If a token password is also required, enter it in the One-Time Password field.
5 Your computer starts establishing a secure connection to the ZyWALL after a successful login. This may take up to two minutes. If you get a message about needing Java, download and install it, restart your browser and log in again. If a certificate warning screen displays, click OK, Yes or Continue, but only if your administrator has told you to expect one (for example because the ZyWALL uses a self-signed certificate); an unexpected warning on an address that normally loads without one should be checked with your administrator before you continue. Figure 379 Java Needed Message 6 The ZyWALL tries to install the SecuExtender client.
Chapter 27 SSL User Screens 7 The ZyWALL tries to install the SecuExtender client. You may need to click a popup to get your browser to allow this. In Internet Explorer, click Install. Figure 381 SecuExtender Blocked by Internet Explorer 8 The ZyWALL tries to run the “ssltun” application. You may need to click something to get your browser to allow this. In Internet Explorer, click Run.
Chapter 27 SSL User Screens 10 If a screen like the following displays, click Continue Anyway to finish installing the SecuExtender client on your computer. Figure 384 Hardware Installation Warning 11 The Application screen displays showing the list of resources available to you. See Figure 385 on page 525 for a screen example. Note: Available resource links vary depending on the configuration your network administrator made.
27.3 The SSL VPN User Screens This section describes the main elements in the remote user screens. Figure 385 Remote User Screen The following table describes the various parts of a remote user screen. Table 138 Remote User Screen Overview # DESCRIPTION
1 Click on a menu tab to go to the Application or File Sharing screen.
2 Click this icon to create a bookmark to the SSL VPN user screen in your web browser.
Chapter 27 SSL User Screens 27.4 Bookmarking the ZyWALL You can create a bookmark of the ZyWALL by clicking the Add to Favorite icon. This allows you to access the ZyWALL using the bookmark without having to enter the address every time. 1 In any remote user screen, click the Add to Favorite icon. 2 A screen displays. Accept the default name in the Name field or enter a descriptive name to identify this link. 3 Click OK to create a bookmark in your web browser. Figure 386 Add Favorite 27.
Chapter 27 SSL User Screens 3 An information screen displays to indicate that the SSL VPN connection is about to terminate.
CHAPTER 28 SSL User Application Screens 28.1 SSL User Application Screens Overview Use the Application screen to access web-based applications (such as web sites and e-mail) on the network through the SSL VPN connection. Which applications you can access depends on the ZyWALL’s configuration. 28.2 The Application Screen Click the Application tab to display the screen. The Name field displays the descriptive name for an application.
CHAPTER 29 SSL User File Sharing 29.1 Overview The File Sharing screen lets you access files on a file server through the SSL VPN connection. 29.1.1 What You Need to Know Use the File Sharing screen to display and access shared files/folders on a file server. You can also perform the following actions: • Access a folder. • Open a file (if your web browser cannot open the file, you are prompted to download it). • Save a file to your computer. • Create a new folder. • Rename a file or folder.
29.2 The Main File Sharing Screen The first File Sharing screen displays the name(s) of the shared folder(s) available. The following figure shows an example with one file share. Figure 390 File Sharing 29.3 Opening a File or Folder You can open a file if the file extension is recognized by the web browser and the associated application is installed on your computer. 1 Log in as a remote user and click the File Sharing tab. 2 Click on a file share icon.
Chapter 29 SSL User File Sharing 3 If an access user name and password are required, a screen displays as shown in the following figure. Enter the account information and click Login to continue.
Chapter 29 SSL User File Sharing 4 A list of files/folders displays. Click on a file to open it in a separate browser window. You can also click a folder to access it. For this example, click on a .doc file to open the Word document. Figure 392 File Sharing: Open a Word File 29.3.1 Downloading a File You are prompted to download a file which cannot be opened using a web browser. Follow the on-screen instructions to download and save the file to your computer.
Chapter 29 SSL User File Sharing 29.3.2 Saving a File After you have opened a file in a web browser, you can save a copy of the file by clicking File > Save As and following the on-screen instructions. Figure 393 File Sharing: Save a Word File 29.4 Creating a New Folder To create a new folder in the file share location, click the New Folder icon. Specify a descriptive name for the folder. You can enter up to 356 characters. Then click Add.
Chapter 29 SSL User File Sharing 29.5 Renaming a File or Folder To rename a file or folder, click the Rename icon next to the file/folder. Figure 395 File Sharing: Rename A popup window displays. Specify the new name and/or file extension in the field provided. You can enter up to 356 characters. Then click Apply. Note: Make sure the length of the name does not exceed the maximum allowed on the file server. You may not be able to open a file if you change the file extension.
Chapter 29 SSL User File Sharing 29.7 Uploading a File Follow the steps below to upload a file to the file server. 1 Log into the remote user screen and click the File Sharing tab. 2 Specify the location and/or name of the file you want to upload. Or click Browse to locate it. 3 Click Upload to send the file to the file server. 4 After the file is uploaded successfully, you should see the name of the file and a message in the screen.
CHAPTER 30 ZyWALL SecuExtender The ZyWALL automatically loads the ZyWALL SecuExtender client program to your computer after a successful login. The ZyWALL SecuExtender lets you: • Access servers, remote desktops and manage files as if you were on the local network. • Use applications like e-mail, file transfer, and remote desktop programs directly without using a browser. For example, you can use Outlook for e-mail instead of the ZyWALL’s web-based e-mail.
Chapter 30 ZyWALL SecuExtender 30.2 Statistics Right-click the ZyWALL SecuExtender icon in the system tray and select Status to open the Status screen. Use this screen to view the ZyWALL SecuExtender’s statistics. Figure 399 ZyWALL SecuExtender Status The following table describes the labels in this screen.
Chapter 30 ZyWALL SecuExtender Table 139 ZyWALL SecuExtender Statistics LABEL DESCRIPTION Transmitted This is how many bytes and packets the computer has sent through the SSL VPN connection. Received This is how many bytes and packets the computer has received through the SSL VPN connection. 30.3 View Log If you have problems with the ZyWALL SecuExtender, customer support may request you to provide information from the log.
Chapter 30 ZyWALL SecuExtender connected but not send any traffic through it until you right-click the icon and resume the connection. 30.5 Stop the Connection Right-click the icon and select Stop Connection to disconnect the SSL VPN tunnel. 30.6 Uninstalling the ZyWALL SecuExtender Do the following if you need to remove the ZyWALL SecuExtender. 1 Click start > All Programs > ZyXEL > ZyWALL SecuExtender > Uninstall. 2 In the confirmation screen, click Yes.
CHAPTER 31 L2TP VPN 31.1 Overview L2TP VPN lets remote users use the L2TP and IPSec client software included with their computers’ operating systems to securely connect to the network behind the ZyWALL. The remote users do not need their own IPSec gateways or VPN client software. Figure 403 L2TP VPN Overview 31.1.1 What You Can Do in this Chapter • Use the L2TP VPN screen (see Section 31.2 on page 545) to configure the ZyWALL’s L2TP VPN settings. 31.1.
• Use transport mode.
• Not be a manual key VPN connection.
• Use Pre-Shared Key authentication.
• Use a VPN gateway with the Secure Gateway set to 0.0.0.0 if you need to allow L2TP VPN clients to connect from more than one IP address.
Using the Default L2TP VPN Connection Default_L2TP_VPN_Connection is pre-configured to be convenient to use for L2TP VPN. If you use it, edit the following. Configure the local and remote policies as follows.
Chapter 31 L2TP VPN Finding Out More • See Section 6.5.17 on page 107 for related information on these screens. • See Chapter 8 on page 183 for an example of how to create a basic L2TP VPN tunnel. 31.2 L2TP VPN Screen Click Configuration > VPN > L2TP VPN to open the following screen. Use this screen to configure the ZyWALL’s L2TP VPN settings. Note: Disconnect any existing L2TP VPN sessions before modifying L2TP VPN settings.
Table 140 Configuration > VPN > L2TP VPN (continued) LABEL DESCRIPTION VPN Connection Select the IPSec VPN connection the ZyWALL uses for L2TP VPN. All of the configured VPN connections display here, but the one you use must meet the requirements listed in IPSec Configuration Required for L2TP VPN on page 543. Note: Modifying this VPN connection (or the VPN gateway that it uses) disconnects any existing L2TP VPN sessions.
CHAPTER 32 Application Patrol 32.1 Overview Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, HTTP and FTP) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RTSP) applications. You can even control the use of a particular application’s individual features (like text messaging, voice, video conferencing, and file transfers).
Chapter 32 Application Patrol 32.1.2 What You Need to Know If you want to use a service, make sure both the firewall and application patrol allow the service’s packets to go through the ZyWALL. Note: The ZyWALL checks firewall rules before it checks application patrol rules for traffic going through the ZyWALL. Application patrol examines every TCP and UDP connection passing through the ZyWALL and identifies what application is using the connection.
Chapter 32 Application Patrol numbers for SIP traffic. Likewise, configuring the SIP ALG to use custom port numbers for SIP traffic also configures application patrol to use the same port numbers for SIP traffic. DiffServ and DSCP Marking QoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the same priority. CoS (class of service) is a way of managing traffic in a network by grouping similar types of traffic together and treating each type as a class.
Chapter 32 Application Patrol • The outbound traffic flows from the connection initiator to the connection responder. • The inbound traffic flows from the connection responder to the connection initiator. For example, a LAN to WAN connection is initiated from LAN and goes to the WAN. • Outbound traffic goes from a LAN zone device to a WAN zone device. Bandwidth management is applied before sending the packets out a WAN zone interface on the ZyWALL.
Chapter 32 Application Patrol Bandwidth Management Priority • The ZyWALL gives bandwidth to higher-priority traffic first, until it reaches its configured bandwidth rate. • Then lower-priority traffic gets bandwidth. • The ZyWALL uses a fairness-based (round-robin) scheduler to divide bandwidth among traffic flows with the same priority. • The ZyWALL automatically treats traffic with bandwidth management disabled as priority 7 (the lowest priority).
Chapter 32 Application Patrol Configured Rate Effect In the following table, the configured rates total less than the available bandwidth and maximize bandwidth usage is disabled, so both servers get their configured rate.
Table 141 Configured Rate Effect
POLICY  CONFIGURED RATE  MAX. B. U.  PRIORITY  ACTUAL RATE
A       300 kbps         No          1         300 kbps
B       200 kbps         No          1         200 kbps
Priority Effect Here the configured rates total more than the available bandwidth.
Chapter 32 Application Patrol regardless of its priority, server B gets almost no bandwidth with this configuration.
Table 144 Priority and Over Allotment of Bandwidth Effect
POLICY  CONFIGURED RATE  MAX. B. U.  PRIORITY  ACTUAL RATE
A       1000 kbps        Yes         1         999 kbps
B       1000 kbps        Yes         2         1 kbps
Finding Out More • See Section 6.5.18 on page 107 for related information on these screens. • See Section 7.7 on page 144 for an example of how to set up web surfing policies with bandwidth restrictions.
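The priority rules and the outcomes in Tables 141 and 144, as an added Python model written for this page (not ZyWALL code; the device's actual scheduler is not published, so this is a simplification). It assumes a 1000 kbps link for Table 144 and, where the device reports 999 kbps and 1 kbps, the model yields 1000 and 0.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    configured_kbps: int   # 0 means bandwidth management is disabled for this traffic
    maximize: bool         # the "Max. B. U." (maximize bandwidth usage) setting
    priority: int          # 1 = highest ... 7 = lowest


UNMANAGED_PRIORITY = 7     # the chapter: BWM-disabled traffic is treated as priority 7


def effective_priority(p: Policy) -> int:
    return UNMANAGED_PRIORITY if p.configured_kbps == 0 else p.priority


def allocate(policies, available_kbps):
    """Return {policy name: kbps} for one interface direction (constructed model)."""
    alloc = {p.name: 0 for p in policies}
    remaining = available_kbps

    # Pass 1: guaranteed rates, highest priority first.  Policies sharing a
    # priority level are served round-robin, so with steady flows they split
    # that level's budget equally until each reaches its configured rate.
    managed = [p for p in policies if p.configured_kbps > 0]
    for prio in sorted({p.priority for p in managed}):
        want = {p.name: p.configured_kbps for p in managed if p.priority == prio}
        while remaining > 0 and any(want.values()):
            active = [n for n, w in want.items() if w > 0]
            share = max(1, remaining // len(active))
            for n in active:
                give = min(share, want[n], remaining)
                alloc[n] += give
                want[n] -= give
                remaining -= give
                if remaining == 0:
                    break

    # Pass 2: whatever is left may be borrowed, highest priority first, by
    # policies with maximize bandwidth usage enabled; unmanaged traffic sits
    # at priority 7 and takes only what nobody else claimed.
    for p in sorted(policies, key=effective_priority):
        if remaining == 0:
            break
        if p.maximize or p.configured_kbps == 0:
            alloc[p.name] += remaining
            remaining = 0
    return alloc


def table_141():
    """Rates total less than the link, maximize off: both get their configured rate."""
    return allocate([Policy("A", 300, False, 1), Policy("B", 200, False, 1)], 1000)


def table_144():
    """Both over-subscribed with maximize on: priority 1 takes the whole link."""
    return allocate([Policy("A", 1000, True, 1), Policy("B", 1000, True, 2)], 1000)


if __name__ == "__main__":
    print("Table 141:", table_141())
    print("Table 144:", table_144())
    # Same-priority contention is shared round-robin rather than first-come.
    print("Shared priority:", allocate([Policy("A", 600, False, 1),
                                        Policy("B", 600, False, 1)], 1000))
```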
Chapter 32 Application Patrol • FTP traffic from the LAN to the DMZ can use more bandwidth since the interfaces support up to 1 Gbps connections, but it must be the lowest priority and limited so it does not interfere with SIP and HTTP traffic.
Figure 409 Application Patrol Bandwidth Management Example (policy settings shown in the figure)
SIP: Any to WAN: Outbound 200 Kbps, Inbound 200 Kbps, Priority 1, Max. B. U.
SIP: WAN to Any: Outbound 200 Kbps, Inbound 200 Kbps, Priority 1, Max. B. U.
Chapter 32 Application Patrol • Enable maximize bandwidth usage so the SIP traffic can borrow unused bandwidth. Figure 410 SIP Any to WAN Bandwidth Management Example (Outbound: 200 kbps, Inbound: 200 kbps) 32.1.3.3 SIP WAN to Any Bandwidth Management Example You also create a policy for calls coming in from the SIP server on the WAN. It is the same as the SIP Any to WAN policy, but with the directions reversed (WAN to Any instead of Any to WAN). 32.1.3.
Chapter 32 Application Patrol 32.1.3.5 FTP WAN to DMZ Bandwidth Management Example • ADSL supports more downstream than upstream so you allow remote users 300 kbps for uploads to the DMZ FTP server (outbound) but only 100 kbps for downloads (inbound). • Third highest priority (3). • Disable maximize bandwidth usage since you do not want to give FTP more bandwidth. Figure 412 FTP WAN to DMZ Bandwidth Management Example (Outbound: 300 kbps, Inbound: 100 kbps) 32.1.3.
Chapter 32 Application Patrol 32.2 Application Patrol General Screen Use this screen to enable and disable application patrol. It also lists the registration status and details about the signature set the ZyWALL is using. Note: You must register for the IDP/AppPatrol signature service (at least the trial) before you can use it. See Chapter 11 on page 277 for how to register. Click Configuration > App Patrol to open the following screen.
Chapter 32 Application Patrol Table 145 Configuration > App Patrol > General (continued) LABEL DESCRIPTION Enable Highest Bandwidth Priority for SIP Traffic Select this to maximize the throughput of SIP traffic to improve SIP-based VoIP call sound quality. This has the ZyWALL immediately send SIP traffic upon identifying it. Registration
Chapter 32 Application Patrol Click Configuration > App Patrol > Common to open the following screen. Figure 415 Configuration > App Patrol > Common The following table describes the labels in this screen. See Section 32.3.1 on page 559 for more information as well. Table 146 Configuration > App Patrol > Common LABEL DESCRIPTION Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Chapter 32 Application Patrol Streaming screen and click an application’s Edit icon. The screen displayed here is for the MSN instant messenger service. Figure 416 Application Edit The following table describes the labels in this screen. Table 147 Application Edit LABEL DESCRIPTION Service Enable Service Select this check box to turn on patrol for this application. Service Identification Name This field displays the name of the application.
Chapter 32 Application Patrol Table 147 Application Edit (continued) LABEL # DESCRIPTION This field is a sequential value, and it is not associated with a specific entry. Note: The ZyWALL checks ports in the order they appear in the list. While this sequence does not affect the functionality, you might improve the performance of the ZyWALL by putting more commonly used ports at the top of the list. Service Port This column lists port numbers the ZyWALL uses to identify this application.
Chapter 32 Application Patrol Table 147 Application Edit (continued) LABEL Access DESCRIPTION This field displays what the ZyWALL does with packets for this application that match this policy. forward - the ZyWALL routes the packets for this application. Drop - the ZyWALL does not route the packets for this application and does not notify the client of its decision. Reject - the ZyWALL does not route the packets for this application and notifies the client of its decision.
Chapter 32 Application Patrol Table 147 Application Edit (continued) LABEL DESCRIPTION OK Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. 32.3.2 The Application Patrol Policy Edit Screen The Application Policy Edit screen allows you to edit a group of settings for an application.
Chapter 32 Application Patrol Table 148 Application Policy Edit (continued) LABEL DESCRIPTION Schedule Select a schedule that defines when the policy applies or select Create Object to configure a new one (see Chapter 43 on page 743 for details). Otherwise, select none to make the policy always effective. User Select a user name or user group to which to apply the policy. Use Create new Object if you need to configure a new user account (see Section 40.2.1 on page 718 for details).
Chapter 32 Application Patrol Table 148 Application Policy Edit (continued) LABEL DESCRIPTION Action Block For some applications, you can select individual uses of the application that the policy will have the ZyWALL block. These fields only apply when Access is set to forward. Login - Select this option to block users from logging in to a server for this application. Message - Select this option to block users from sending or receiving instant messages.
Chapter 32 Application Patrol Table 148 Application Policy Edit (continued) LABEL Priority DESCRIPTION This field displays when the inbound or outbound bandwidth management is not set to 0. Enter a number between 1 and 7 to set the priority for this application’s traffic that matches this policy. The smaller the number, the higher the priority. The ZyWALL gives traffic of an application with higher priority bandwidth before traffic of an application with lower priority.
Chapter 32 Application Patrol Click AppPatrol > Other to open the Other (applications) screen. Figure 418 AppPatrol > Other The following table describes the labels in this screen. See Section 32.4.1 on page 569 for more information as well. Table 149 AppPatrol > Other LABEL DESCRIPTION Add Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Edit Select an entry and click this to be able to modify it.
Chapter 32 Application Patrol Table 149 AppPatrol > Other (continued) LABEL DESCRIPTION Destination This is the destination address or address group to which this policy applies. If any displays, the policy is effective for every destination. Protocol This is the protocol of the traffic to which this policy applies. Access This field displays what the ZyWALL does with packets that match this policy. forward - the ZyWALL routes the packets.
Chapter 32 Application Patrol Table 149 AppPatrol > Other (continued) LABEL DESCRIPTION Log Select whether to have the ZyWALL generate a log (log), log and alert (log alert) or neither (no) when traffic matches this policy. See Chapter 51 on page 859 for more on logs. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. 32.4.
Chapter 32 Application Patrol Table 150 AppPatrol > Other > Edit (continued) LABEL DESCRIPTION Schedule Select a schedule that defines when the policy applies or select Create Object to configure a new one (see Chapter 43 on page 743 for details). Otherwise, select any to make the policy always effective. User Select a user name or user group to which to apply the policy. Use Create new Object if you need to configure a new user account (see Section 40.2.1 on page 718 for details).
Chapter 32 Application Patrol Table 150 AppPatrol > Other > Edit (continued) LABEL Inbound kbps DESCRIPTION Type how much inbound bandwidth, in kilobits per second, this policy allows the traffic to use. Inbound refers to the traffic the ZyWALL sends to a connection’s initiator. If you enter 0 here, this policy does not apply bandwidth management for the matching traffic that the ZyWALL sends to the initiator.
Chapter 32 Application Patrol Table 150 AppPatrol > Other > Edit (continued) LABEL DESCRIPTION OK Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes.
CHAPTER 33 Anti-Virus 33.1 Overview Use the ZyWALL’s anti-virus feature to protect your connected network from virus/spyware infection. The ZyWALL checks traffic going in the direction(s) you specify for signature matches. In the following figure the ZyWALL is set to check traffic coming from the WAN zone (which includes two interfaces) to the LAN zone. Figure 420 ZyWALL Anti-Virus Example 33.1.1 What You Can Do in this Chapter • Use the General screens (Section 33.
Chapter 33 Anti-Virus 33.1.2 What You Need to Know Anti-Virus Engines Subscribe to signature files for ZyXEL’s anti-virus engine or one powered by Kaspersky. When using the trial, you can switch from one engine to the other in the Registration screen. After the trial expires, you need to purchase an iCard for the anti-virus engine you want to use and register it in the Registration > Service screen.
Chapter 33 Anti-Virus 2 If the packets are not session connection setup packets (such as SYN, ACK and FIN), the ZyWALL records the sequence of the packets. 3 The scanning engine checks the contents of the packets for viruses. 4 If a virus pattern is matched, the ZyWALL removes the infected portion of the file along with the rest of the file. The un-infected portion of the file before a virus pattern was matched still goes through.
Chapter 33 Anti-Virus 33.1.3 Before You Begin • Before using anti-virus, see Chapter 11 on page 277 for how to register for the anti-virus service. • You may need to customize the zones (in the Network > Zone screen) used for the anti-virus scanning direction. 33.2 Anti-Virus Summary Screen Click Configuration > Anti-X > Anti-Virus to display the configuration screen as shown next.
Chapter 33 Anti-Virus The following table describes the labels in this screen. Table 151 Configuration > Anti-X > Anti-Virus > General LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields. Enable AntiVirus and AntiSpyware Select this check box to check traffic for viruses and spyware. The following table lists policies that define which traffic the ZyWALL scans and the action it takes upon finding a virus.
Chapter 33 Anti-Virus Table 151 Configuration > Anti-X > Anti-Virus > General (continued) LABEL Protocol DESCRIPTION These are the protocols of traffic to scan for viruses. FTP applies to traffic using the TCP port number specified for FTP in the ALG screen. HTTP applies to traffic using TCP ports 80, 8080 and 3128. SMTP applies to traffic using TCP port 25. POP3 applies to traffic using TCP port 110. IMAP4 applies to traffic using TCP port 143.
Chapter 33 Anti-Virus 33.2.1 Anti-Virus Policy Add or Edit Screen Click the Add or Edit icon in the Configuration > Anti-X > Anti-Virus > General screen to display the configuration screen as shown next. Figure 422 Configuration > Anti-X > Anti-Virus > General > Add The following table describes the labels in this screen.
Chapter 33 Anti-Virus Table 152 Configuration > Anti-X > Anti-Virus > General > Add (continued) LABEL DESCRIPTION Actions When Matched Destroy infected file When you select this check box, if a virus pattern is matched, the ZyWALL overwrites the infected portion of the file (and the rest of the file) with zeros. The un-infected portion of the file before a virus pattern was matched goes through unmodified.
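The pass-through-then-destroy behaviour described in step 4 of the scanning procedure and in the Destroy infected file option, as an added Python model written for this page, not ZyWALL code. The virus pattern and the sample stream are constructed placeholders; the scanner forwards each packet as it arrives, as the chapter describes, so only bytes before the match go through unmodified.

```python
class StreamScanner:
    """Scan a file delivered as a sequence of packets, forwarding each one as it arrives."""

    def __init__(self, patterns, destroy=True):
        self.patterns = patterns          # {name: byte pattern} (constructed, not real signatures)
        self.destroy = destroy            # True: Destroy infected file (zero-fill); False: drop remainder
        self.carry = b""                  # tail of the previous packet, so a pattern split across packets still matches
        self.infected = None              # name of the matched pattern, once found
        self.max_len = max(len(p) for p in patterns.values())

    def scan_chunk(self, chunk: bytes) -> bytes:
        """Return what the ZyWALL forwards for this packet."""
        if self.infected is not None:
            # Everything after the match is zeroed (destroy) or dropped.
            return b"\x00" * len(chunk) if self.destroy else b""
        window = self.carry + chunk
        hit = None                        # (position in window, pattern name) of the earliest match
        for name, pat in self.patterns.items():
            pos = window.find(pat)
            if pos != -1 and (hit is None or pos < hit[0]):
                hit = (pos, name)
        if hit is None:
            # Clean so far: forward unchanged and remember the tail for the next packet.
            self.carry = window[-(self.max_len - 1):] if self.max_len > 1 else b""
            return chunk
        pos, self.infected = hit
        # Bytes of this packet ahead of the match go through unmodified; bytes
        # in an earlier packet already left, even if the match began there.
        clean = max(0, pos - len(self.carry))
        tail = len(chunk) - clean
        return chunk[:clean] + (b"\x00" * tail if self.destroy else b"")


def scan_stream(chunks, patterns, destroy=True):
    """Run a whole stream through the scanner; return (forwarded bytes, pattern name or None)."""
    scanner = StreamScanner(patterns, destroy)
    out = b"".join(scanner.scan_chunk(c) for c in chunks)
    return out, scanner.infected


# Constructed placeholder pattern, not a real virus signature.
PATTERNS = {"CONSTRUCTED-MARKER": b"\xde\xad\xbe\xef\x13\x37"}

# Constructed stream in which the marker straddles two packets.
SAMPLE_CHUNKS = [b"HEADER-", b"clean data ", b"\xde\xad\xbe", b"\xef\x13\x37 tail", b"more"]

if __name__ == "__main__":
    data, name = scan_stream(SAMPLE_CHUNKS, PATTERNS)
    print(name, data)
```

The model also shows why stream scanning cannot recall bytes already forwarded: when the marker straddles two packets, its first bytes have left before the match completes, and only the remainder is zeroed.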
Chapter 33 Anti-Virus Table 152 Configuration > Anti-X > Anti-Virus > General > Add (continued) LABEL DESCRIPTION Destroy compressed files that could not be decompressed Select this check box to have the ZyWALL delete any ZIP files that it is not able to unzip. The ZyWALL cannot unzip password protected ZIP files or a ZIP file within another ZIP file. Note: When you select this option, the ZyWALL deletes ZIP files that use password encryption.
Chapter 33 Anti-Virus The following table describes the labels in this screen. Table 153 Configuration > Anti-X > Anti-Virus > Black/White List > Black List LABEL DESCRIPTION Enable Black List Select this check box to use the black list to log and delete files with names that match the black list patterns. Add Click this to create a new entry. Edit Select an entry and click this to be able to modify it.
Chapter 33 Anti-Virus The following table describes the labels in this screen. Table 154 Configuration > Anti-X > Anti-Virus > Black/White List > Black List (or White List) > Add LABEL DESCRIPTION Enable If this is a black list entry, select this option to have the ZyWALL apply this entry when using the black list. If this is a white list entry, select this option to have the ZyWALL apply this entry when using the white list.
Chapter 33 Anti-Virus column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 425 Configuration > Anti-X > Anti-Virus > Black/White List > White List The following table describes the labels in this screen.
Chapter 33 Anti-Virus If Internet Explorer opens a warning screen about a script making Internet Explorer run slowly and the computer possibly becoming unresponsive, just click No to continue. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
Chapter 33 Anti-Virus The following table describes the labels in this screen. Table 156 Configuration > Anti-X > Anti-Virus > Signature LABEL DESCRIPTION Signatures Search Select the criteria on which to perform the search. Select By Name from the drop-down list box and type the name or part of the name of the signature(s) you want to find. This search is not case-sensitive. Select By ID from the drop-down list box and type the ID or part of the ID of the signature you want to find.
Chapter 33 Anti-Virus 33.7 Anti-Virus Technical Reference Types of Computer Viruses The following table describes some of the common computer viruses. Table 157 Common Computer Virus Types TYPE DESCRIPTION File Infector This is a small program that embeds itself in a legitimate program. A file infector is able to copy and attach itself to other programs that are executed on an infected computer.
Chapter 33 Anti-Virus A host-based anti-virus (HAV) scanner is often software installed on computers and/or servers in the network. It inspects files for virus patterns as they are moved in and out of the hard drive. However, host-based anti-virus scanners cannot eliminate all viruses for a number of reasons: • HAV scanners are slow in stopping virus threats through real-time traffic (such as from the Internet).
CHAPTER 34 IDP 34.1 Overview This chapter introduces packet inspection IDP (Intrusion Detection and Prevention), IDP profiles, binding an IDP profile to a traffic flow, custom signatures and updating signatures. An IDP system can detect malicious or suspicious packets and respond instantaneously. IDP on the ZyWALL protects against network-based intrusions. 34.1.1 What You Can Do in this Chapter • Use the Anti-X > IDP > General screen (Section 34.
Chapter 34 IDP IDP Profiles An IDP profile is a set of related IDP signatures that you can activate as a set and configure common log and action settings. You can apply IDP profiles to traffic flowing from one zone to another. For example, apply the default LAN_IDP profile to any traffic going to the LAN zone in order to protect your LAN computers. Note: You can only apply one IDP profile to one traffic flow. Base IDP Profiles Base IDP profiles are templates that you use to create new IDP profiles.
Chapter 34 IDP 34.2 The IDP General Screen Click Configuration > Anti-X > IDP > General to open this screen. Use this screen to turn IDP on or off, bind IDP profiles to traffic directions, and view registration and signature information. Note: You must register in order to use packet inspection signatures. See the Registration screens. If you try to enable IDP when the IDP service has not yet been registered, a warning screen displays and IDP is not enabled.
Chapter 34 IDP Table 158 Configuration > Anti-X > IDP > General (continued) LABEL DESCRIPTION Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate.
Chapter 34 IDP Table 158 Configuration > Anti-X > IDP > General (continued) LABEL DESCRIPTION Current Version This field displays the IDP signature set version number. This number gets larger as the set is enhanced. Signature Number This field displays the number of IDP signatures in this set. This number usually gets larger as the set is enhanced. Older signatures and rules may be removed if they are no longer applicable or have been supplanted by newer ones.
Chapter 34 IDP 34.3.1 Base Profiles The ZyWALL comes with several base profiles. You use base profiles to create new profiles. In the Configuration > Anti-X > IDP > Profile screen, click Add to display the following screen. Figure 428 Base Profiles The following table describes this screen. Table 159 Base Profiles BASE PROFILE DESCRIPTION none All signatures are disabled. No logs are generated nor actions are taken. all All signatures are enabled.
Chapter 34 IDP Table 159 Base Profiles (continued) BASE PROFILE DESCRIPTION dmz This profile is most suitable for networks containing your servers. Signatures for common services such as DNS, FTP, HTTP, ICMP, IMAP, MISC, NETBIOS, POP3, RPC, RSERVICE, SMTP, SNMP, SQL, TELNET, Oracle, MySQL are enabled. Signatures with a high or severe severity level (greater than three) generate log alerts and cause packets that trigger them to be dropped.
Chapter 34 IDP Table 160 Configuration > Anti-X > IDP > Profile (continued) LABEL DESCRIPTION Name This is the name of the profile you created. Base Profile This is the base profile from which the profile was created. 34.5 Creating New Profiles You may want to create a new profile if not all signatures in a base profile are applicable to your network. In this case you should disable non-applicable signatures so as to improve ZyWALL IDP processing efficiency.
Chapter 34 IDP 34.6 Profiles: Packet Inspection Select Configuration > Anti-X > IDP > Profile and then add a new profile or edit an existing one. Packet inspection signatures examine the contents of a packet for malicious data. They operate at layer 4 to layer 7. 34.6.
Chapter 34 IDP The following table describes the fields in this screen. Table 161 Configuration > Anti-X > IDP > Profile > Group View LABEL DESCRIPTION Name This is the name of the profile. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Chapter 34 IDP Table 161 Configuration > Anti-X > IDP > Profile > Group View (continued) LABEL DESCRIPTION Action To edit what action the ZyWALL takes when a packet matches a signature, select the signature and use the Action icon. none: Select this action on an individual signature or a complete service group to have the ZyWALL take no action when a packet matches the signature(s).
Chapter 34 IDP Table 161 Configuration > Anti-X > IDP > Profile > Group View (continued) LABEL DESCRIPTION Log These are the log options. To edit this, select an item and use the Log icon. Action This is the action the ZyWALL should take when a packet matches a signature here. To edit this, select an item and use the Action icon. OK A profile consists of three separate screens.
Chapter 34 IDP Table 162 Policy Types (continued) POLICY TYPE DESCRIPTION Scan A scan describes the action of searching a network for an exposed service. An attack may then occur once a vulnerability has been found. Scans occur on several network levels. A network scan occurs at layer-3. For example, an attacker looks for network devices such as a router or server running in an IP network. A scan on a protocol is commonly referred to as a layer-4 scan.
Chapter 34 IDP Table 163 IDP Service Groups (continued): DNS, FINGER, FTP, ICMP, IM, IMAP, MISC, MISC_BACKDOOR, MISC_DDOS, MISC_EXPLOIT, MYSQL, NETBIOS, NNTP, ORACLE, P2P, POP2, POP3, RPC, RSERVICES, SMTP, SNMP, SQL. The following figure shows the WEB_PHP service group that contains signatures related to attacks on web servers using PHP exploits. PHP (PHP: Hypertext Preprocessor) is a server-side HTML embedded scripting language that allows web developers to build dynamic websites.
Chapter 34 IDP signatures by criteria such as name, ID, severity, attack type, vulnerable attack platforms, service category, log options or actions. Figure 432 Configuration > Anti-X > IDP > Profile: Query View The following table describes the fields specific to this screen’s query view. Table 164 Configuration > Anti-X > IDP > Profile: Query View LABEL DESCRIPTION Name This is the name of the profile that you created in the IDP > Profiles > Group View screen.
Chapter 34 IDP Table 164 Configuration > Anti-X > IDP > Profile: Query View (continued) LABEL Severity DESCRIPTION Search for signatures by severity level(s). Hold down the [Ctrl] key if you want to make multiple selections. These are the severities as defined in the ZyWALL. The number in brackets is the number you use if using commands. Severe (5): These denote attacks that try to run arbitrary code or gain system privileges.
Chapter 34 IDP • Actions: Any Figure 433 Query Example Search Criteria Figure 434 Query Example Search Results
Chapter 34 IDP 34.7 Introducing IDP Custom Signatures Create custom signatures for new attacks or attacks peculiar to your network. Custom signatures can also be saved to/from your computer so as to share with others. You need some knowledge of packet headers and attack types to create your own custom signatures. 34.7.1 IP Packet Header These are the fields in an Internet Protocol (IP) version 4 packet header.
Chapter 34 IDP Table 165 IP v4 Packet Headers (continued) HEADER DESCRIPTION Time To Live This is a counter that decrements every time it passes through a router. When it reaches zero, the datagram is discarded. It is used to prevent accidental routing loops. Protocol The protocol indicates the type of transport packet being carried, for example, 1 = ICMP; 2 = IGMP; 6 = TCP; 17 = UDP.
Chapter 34 IDP Note: The ZyWALL checks all signatures and continues searching even after a match is found. If two or more rules have conflicting actions for the same packet, then the ZyWALL applies the more restrictive action (reject-both, reject-receiver or reject-sender, drop, none in this order). If a packet matches a rule for reject-receiver and it also matches a rule for reject-sender, then the ZyWALL will reject-both.
Chapter 34 IDP Table 166 Configuration > Anti-X > IDP > Custom Signatures (continued) LABEL DESCRIPTION Custom Signature Rule Importing Use this part of the screen to import custom signatures (previously saved to your computer) to the ZyWALL. Note: The name of the complete custom signature file on the ZyWALL is ‘custom.rules’. If you import a file named ‘custom.rules’, then all custom signatures on the ZyWALL are overwritten with the new file.
Chapter 34 IDP Try to write signatures that target a vulnerability, for example a certain type of traffic on certain operating systems, instead of a specific exploit.
Chapter 34 IDP The following table describes the fields in this screen. Table 167 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit LABEL DESCRIPTION Name Type the name of your custom signature. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Chapter 34 IDP Table 167 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION Fragmentation A fragmentation flag identifies whether the IP datagram should be fragmented, not fragmented or is a reserved bit. Some intrusions can be identified by this flag. Select the check box and then select the flag that the intrusion uses. Fragmentation Offset When an IP datagram is fragmented, it is reassembled at the final destination.
Chapter 34 IDP Table 167 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit (continued) LABEL Flow DESCRIPTION If selected, the signature only applies to certain directions of the traffic flow and only to clients or servers. Select Flow and then select the identifying options.
Chapter 34 IDP Table 167 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit (continued) LABEL Payload Size DESCRIPTION This field may be used to check for abnormally sized packets or for detecting buffer overflows. Select the check box, then select Equal, Smaller or Greater and then type the payload size. Stream rebuilt packets are not checked regardless of the size of the payload. Add Click this to create a new entry. Edit Select an entry and click this to be able to modify it.
Chapter 34 IDP Table 167 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION OK Click this button to save your changes to the ZyWALL and return to the summary screen. Cancel Click this button to return to the summary screen without saving any changes. 34.8.2 Custom Signature Example Before creating a custom signature, you must first clearly understand the vulnerability. 34.8.2.1 Understand the Vulnerability Check the ZyWALL logs when the attack occurs.
Chapter 34 IDP 34.8.2.2 Analyze Packets Use the packet capture screen (see Section 53.3 on page 886) and a packet analyzer (also known as a network or protocol analyzer) such as Wireshark or Ethereal to investigate some more. Figure 438 DNS Query Packet Details From the details about DNS query you see that the protocol is UDP and the port is 53. The type of DNS packet is standard query and the Flag is 0x0100 with an offset of 2. Therefore enter |010| as the first pattern.
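The conflict-resolution note earlier in this chapter (reject-both over reject-receiver/reject-sender over drop over none, all signatures checked) combined with the DNS query analysis above, as an added Python model written for this page rather than ZyWALL code. The signature fields, the packet representation and the sample DNS query are constructed; the pattern checked is the 0x0100 flags value at payload offset 2 identified in the analysis.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Restrictiveness order from the chapter's note; reject-receiver and
# reject-sender rank equally and combine into reject-both when both match.
RANK = {"none": 0, "drop": 1, "reject-sender": 2, "reject-receiver": 2, "reject-both": 3}


@dataclass
class Packet:
    protocol: str          # "tcp", "udp" or "icmp"
    dst_port: int
    payload: bytes


@dataclass
class Signature:
    sid: int               # custom signatures use SIDs 9000000 to 9999999
    name: str
    action: str
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    pattern: bytes = b""
    offset: Optional[int] = None                      # None: pattern may appear anywhere
    payload_size: Optional[Tuple[str, int]] = None    # ("equal" | "smaller" | "greater", n)


def matches(sig: Signature, pkt: Packet) -> bool:
    """Every enabled field of the signature must agree with the packet."""
    if sig.protocol is not None and sig.protocol != pkt.protocol:
        return False
    if sig.dst_port is not None and sig.dst_port != pkt.dst_port:
        return False
    if sig.pattern:
        if sig.offset is None:
            if sig.pattern not in pkt.payload:
                return False
        elif pkt.payload[sig.offset:sig.offset + len(sig.pattern)] != sig.pattern:
            return False
    if sig.payload_size is not None:
        op, n = sig.payload_size
        size = len(pkt.payload)
        if not {"equal": size == n, "smaller": size < n, "greater": size > n}[op]:
            return False
    return True


def resolve(actions) -> str:
    """Combine the actions of every matching signature into the one applied."""
    if not actions:
        return "none"
    if {"reject-receiver", "reject-sender"} <= set(actions):
        return "reject-both"
    return max(actions, key=RANK.__getitem__)


def inspect(signatures, pkt: Packet):
    """Check ALL signatures (no stop at first match) and resolve the action."""
    hits = [s for s in signatures if matches(s, pkt)]
    return sorted(s.sid for s in hits), resolve([s.action for s in hits])


def dns_standard_query() -> Packet:
    """Constructed UDP/53 standard query for example.com (A record)."""
    header = b"\x12\x34" + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3  # id, flags 0x0100, counts
    question = b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
    return Packet("udp", 53, header + question)


CUSTOM_SIGNATURES = [
    # The chapter's example: flags 0x0100 at payload offset 2 on UDP/53.
    Signature(9000001, "dns-standard-query", "reject-sender", "udp", 53, b"\x01\x00", 2),
    # Constructed companions that exercise the conflict rule.
    Signature(9000002, "dns-oversized", "reject-receiver", "udp", 53, payload_size=("greater", 20)),
    Signature(9000003, "dns-over-tcp", "drop", "tcp", 53),
]

if __name__ == "__main__":
    print(inspect(CUSTOM_SIGNATURES, dns_standard_query()))
```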
Chapter 34 IDP The final custom signature should look like as shown in the following figure. Figure 439 Example Custom Signature 34.8.3 Applying Custom Signatures After you create your custom signature, it becomes available in the IDP service group category in the Configuration > Anti-X > IDP > Profile > Edit screen. Custom signatures have an SID from 9000000 to 9999999.
Chapter 34 IDP You can activate the signature, configure what action to take when a packet matches it and if it should generate a log or alert in a profile. Then bind the profile to a zone. Figure 440 Example: Custom Signature in IDP Profile 34.8.4 Verifying Custom Signatures Configure the signature to create a log when traffic matches the signature. (You may also want to configure an alert if it is for a serious attack and needs immediate attention.
Chapter 34 IDP destination port is the service port (53 for DNS in this case) that the attack tries to exploit. Figure 441 Custom Signature Log 34.9 IDP Technical Reference This section contains some background information on IDP. Host Intrusions The goal of host-based intrusions is to infiltrate files on an individual computer or server with the goal of accessing confidential information or destroying information on a computer. You must install a host IDP directly on the system being protected.
Chapter 34 IDP Network Intrusions Network-based intrusions have the goal of bringing down a network or networks by attacking computer(s), switch(es), router(s) or modem(s). If a LAN switch is compromised for example, then the whole LAN is compromised. Host-based intrusions may be used to cause network-based intrusions when the goal of the host virus is to propagate attacks on the network, or attack computer/server operating system vulnerabilities with the goal of bringing down the computer/ server.
Chapter 34 IDP Table 168 ZyWALL - Snort Equivalent Terms (continued)
ZYWALL TERM                SNORT EQUIVALENT TERM
Same IP                    sameip
Transport Protocol: TCP
Port                       (In Snort rule header)
Flow                       flow
Flags                      flags
Sequence Number            seq
Ack Number                 ack
Window Size                window
Transport Protocol: UDP
Port                       (In Snort rule header)
Transport Protocol: ICMP   (In Snort rule header)
Type                       itype
Code                       icode
ID                         icmp_id
Sequence Number            icmp_seq
Payload Options            (Snort rule options)
Payload Size               dsize
Of
CHAPTER 35 ADP 35.1 Overview This chapter introduces ADP (Anomaly Detection and Prevention), anomaly profiles and applying an ADP profile to a traffic direction. ADP protects against anomalies based on violations of protocol standards (RFCs – Requests for Comments) and abnormal flows such as port scans. 35.1.
Chapter 35 ADP Protocol Anomalies Protocol anomalies are packets that do not comply with the relevant RFC (Request For Comments). Protocol anomaly detection includes HTTP Inspection, TCP Decoder, UDP Decoder and ICMP Decoder. Protocol anomaly rules may be updated when you upload new firmware. ADP Profile An ADP profile is a set of traffic anomaly rules and protocol anomaly rules that you can activate as a set and configure common log and action settings.
Chapter 35 ADP 35.2 The ADP General Screen Click Configuration > Anti-X > ADP > General. Use this screen to turn anomaly detection on or off and apply anomaly profiles to traffic directions. Figure 442 Configuration > Anti-X > ADP > General The following table describes the labels in this screen. Table 169 Configuration > Anti-X > ADP > General LABEL DESCRIPTION General Settings Enable Anomaly Detection Policies Select this check box to enable traffic anomaly and protocol anomaly detection.
Chapter 35 ADP Table 169 Configuration > Anti-X > ADP > General (continued) LABEL From, To DESCRIPTION This is the direction of travel of packets to which an anomaly profile is bound. Traffic direction is defined by the zone the traffic is coming from and the zone the traffic is going to. Use the From field to specify the zone from which the traffic is coming. Select ZyWALL to specify traffic coming from the ZyWALL itself. Use the To field to specify the zone to which the traffic is going.
Chapter 35 ADP 35.3.1 Base Profiles The ZyWALL comes with base profiles. You use base profiles to create new profiles. In the Configuration > Anti-X > ADP > Profile screen, click Add to display the following screen. Figure 443 Base Profiles These are the default base profiles at the time of writing. Table 170 Base Profiles BASE PROFILE DESCRIPTION none All traffic anomaly and protocol anomaly rules are disabled. No logs are generated nor actions are taken.
Chapter 35 ADP The following table describes the fields in this screen. Table 171 Anti-X > ADP > Profile LABEL DESCRIPTION Add Click this to create a new entry. Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. # This is the entry’s index number in the list. Name This is the name of the profile you created. Base Profile This is the base profile from which the profile was created. 35.3.
Chapter 35 ADP belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Traffic Anomaly tab.
Chapter 35 ADP The following table describes the fields in this screen. Table 172 Configuration > ADP > Profile > Traffic Anomaly LABEL DESCRIPTION Name This is the name of the ADP profile. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Chapter 35 ADP Table 172 Configuration > ADP > Profile > Traffic Anomaly (continued) LABEL DESCRIPTION Name This is the name of the traffic anomaly rule. Click the Name column heading to sort in ascending or descending order according to the rule name. Log These are the log options. To edit this, select an item and use the Log icon. Action This is the action the ZyWALL should take when a packet matches a rule. To edit this, select an item and use the Action icon.
Chapter 35 ADP Figure 446 Profiles: Protocol Anomaly 632 ZyWALL USG 300 User’s Guide
Chapter 35 ADP The following table describes the fields in this screen. Table 173 Configuration > ADP > Profile > Protocol Anomaly LABEL DESCRIPTION Name This is the name of the profile. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Chapter 35 ADP Table 173 Configuration > ADP > Profile > Protocol Anomaly (continued) LABEL DESCRIPTION Action To edit what action the ZyWALL takes when a packet matches a signature, select the signature and use the Action icon. original setting: Select this action to return each signature in a service group to its previously saved configuration. none: Select this action on an individual signature or a complete service group to have the ZyWALL take no action when a packet matches a rule.
Chapter 35 ADP Table 173 Configuration > ADP > Profile > Protocol Anomaly (continued) LABEL DESCRIPTION OK Click OK to save your settings to the ZyWALL, complete the profile and return to the profile summary page. Cancel Click Cancel to return to the profile summary page without saving any changes. Save Click Save to save the configuration to the ZyWALL but remain in the same page. You may then go to the another profile screen (tab) in order to complete the profile.
Chapter 35 ADP Decoy Port Scans Decoy port scans are scans where the attacker has spoofed the source address. These are some decoy scan types: • TCP Decoy Portscan • UDP Decoy Portscan • IP Decoy Portscan Distributed Port Scans Distributed port scans are many-to-one port scans. Distributed port scans occur when multiple hosts query one host for open services. This may be used to evade intrusion detection.
Chapter 35 ADP • ICMP Filtered Portsweep • TCP Filtered Distributed • UDP Filtered Portscan Distributed Portscan • IP Filtered Distributed Portscan Flood Detection Flood attacks saturate a network with useless data, use up all available bandwidth, and therefore make communications in the network impossible. ICMP Flood Attack An ICMP flood is broadcasting many pings or UDP packets so that so much data is sent to the system, that it slows it down or locks it up.
Chapter 35 ADP the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established. Figure 448 TCP Three-Way Handshake A SYN flood attack is when an attacker sends a series of SYN packets. Each packet causes the receiver to reply with a SYN-ACK response. The receiver then waits for the ACK that follows the SYN-ACK, and stores all outstanding SYN-ACK responses on a backlog queue.
Chapter 35 ADP UDP Flood Attack UDP is a connection-less protocol and it does not require any connection setup procedure to transfer data. A UDP flood attack is possible when an attacker sends a UDP packet to a random port on the victim system. When the victim system receives a UDP packet, it will determine what application is waiting on the destination port.
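The traffic anomaly classes described above (one-to-many port scan, portsweep, many-to-one distributed port scan, and the SYN flood's backlog of half-open connections) as a small detector, an added example rather than ZyWALL code. The window size, the thresholds, the packet records and the addresses are all assumptions constructed for the example; a decoy scan, which spreads one scanner's probes over spoofed sources, shows up here only through the per-destination counters, which is why both per-source and per-destination views are kept.

```python
"""Traffic-anomaly detection over packet records within a fixed time window.
Added example, not ZyWALL code; thresholds and traffic are constructed."""
from collections import defaultdict
from typing import NamedTuple


class Pkt(NamedTuple):
    ts: float
    src: str
    dst: str
    dport: int
    proto: str        # "tcp", "udp" or "icmp"
    flags: str = ""   # TCP flags as letters: "S" = SYN, "SA" = SYN-ACK, "A" = ACK


WINDOW_SECS = 10.0           # counters are kept per fixed window (assumption)
PORTSCAN_PORTS = 20          # distinct ports one source probes on one host
PORTSWEEP_HOSTS = 20         # distinct hosts one source probes on one port
DISTRIBUTED_SOURCES = 10     # distinct sources probing one host (many-to-one)
SYN_FLOOD_HALF_OPEN = 100    # SYNs to one host never completed with an ACK


def detect(packets):
    """Return a sorted list of (window, kind, key) alerts."""
    scan = defaultdict(set)        # (win, src, dst)   -> dports probed
    sweep = defaultdict(set)       # (win, src, dport) -> hosts probed
    dist_src = defaultdict(set)    # (win, dst)        -> sources seen
    dist_port = defaultdict(set)   # (win, dst)        -> ports seen
    half_open = defaultdict(set)   # (win, dst)        -> (src, dport) awaiting ACK
    for p in sorted(packets, key=lambda p: p.ts):
        win = int(p.ts // WINDOW_SECS)
        scan[(win, p.src, p.dst)].add(p.dport)
        sweep[(win, p.src, p.dport)].add(p.dst)
        dist_src[(win, p.dst)].add(p.src)
        dist_port[(win, p.dst)].add(p.dport)
        if p.proto == "tcp":
            # a client SYN opens a half-open entry, the client's ACK closes it
            if p.flags == "S":
                half_open[(win, p.dst)].add((p.src, p.dport))
            elif p.flags == "A":
                half_open[(win, p.dst)].discard((p.src, p.dport))
    alerts = set()
    for (win, src, dst), ports in scan.items():
        if len(ports) >= PORTSCAN_PORTS:
            alerts.add((win, "portscan", (src, dst)))
    for (win, src, dport), hosts in sweep.items():
        if len(hosts) >= PORTSWEEP_HOSTS:
            alerts.add((win, "portsweep", (src, dport)))
    for (win, dst), srcs in dist_src.items():
        # many sources and many ports on one host, with no single source over
        # the per-source scan threshold: the evasion the guide describes
        if (len(srcs) >= DISTRIBUTED_SOURCES
                and len(dist_port[(win, dst)]) >= PORTSCAN_PORTS
                and not any(len(scan[(win, s, dst)]) >= PORTSCAN_PORTS for s in srcs)):
            alerts.add((win, "distributed_portscan", dst))
    for (win, dst), pending in half_open.items():
        if len(pending) >= SYN_FLOOD_HALF_OPEN:
            alerts.add((win, "syn_flood", dst))
    return sorted(alerts, key=str)


def sample_traffic():
    """Constructed packets: five normal handshakes plus the four anomalies."""
    pk = []
    clock = [0.0]

    def emit(src, dst, dport, proto="tcp", flags="S"):
        clock[0] += 0.01
        pk.append(Pkt(clock[0], src, dst, dport, proto, flags))

    for i in range(5):                         # normal: SYN, SYN-ACK, ACK
        emit("10.0.0.7", "192.168.1.10", 443, flags="S")
        emit("192.168.1.10", "10.0.0.7", 50000 + i, flags="SA")
        emit("10.0.0.7", "192.168.1.10", 443, flags="A")
    for port in range(1, 31):                  # port scan: one source, 30 ports
        emit("10.0.0.5", "192.168.1.10", port)
    for h in range(100, 125):                  # portsweep: port 22 on 25 hosts
        emit("10.0.0.6", f"192.168.1.{h}", 22)
    for i in range(12):                        # distributed: 12 sources, 3 ports each
        for port in range(1000 + 3 * i, 1003 + 3 * i):
            emit(f"10.0.1.{i + 1}", "192.168.1.20", port)
    for i in range(1, 151):                    # SYN flood: 150 spoofed sources, no ACKs
        emit(f"10.9.0.{i}", "192.168.1.30", 80)
    return pk


if __name__ == "__main__":
    for alert in detect(sample_traffic()):
        print(alert)
```

The distributed scan is only recognised because the per-destination counters are kept alongside the per-source ones; each of its twelve sources touches three ports, well under the port scan threshold, which is exactly the evasion the guide describes.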
Table 174 HTTP Inspection and TCP/UDP/ICMP Decoders (continued) LABEL DESCRIPTION DOUBLE-ENCODING ATTACK This rule is IIS specific. IIS makes two passes through the request URI, decoding in each one. In the first pass, IIS decodes UTF-8 unicode, ASCII (%XX), bare byte and %u encodings. In the second pass it decodes ASCII, bare byte and %u encodings again, so a character encoded twice (for example %255c, which the first pass turns into %5c and the second into a backslash) can slip past a filter that decodes only once. IIS-BACKSLASH-EVASION ATTACK This is an IIS emulation rule that normalizes backslashes to slashes, since IIS accepts either as a path separator.
Table 174 HTTP Inspection and TCP/UDP/ICMP Decoders (continued) LABEL DESCRIPTION WEBROOT-DIRECTORY-TRAVERSAL ATTACK This is when a directory traversal goes past the web server root directory. This generates far fewer false positives than the plain directory traversal rule, because it does not alert on directory traversals that stay within the web server directory structure.
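The three HTTP inspection rules above (double encoding, backslash evasion, and traversal past the web root as opposed to traversal that stays inside it) as one URI normalizer, an added example that is neither ZyWALL nor Snort code. The two-pass decoder, the alert names and the sample URIs are assumptions made for the example; real IIS and real inspection engines have more encoding cases than this (overlong UTF-8 in particular is rejected by Python's decoder and comes out as U+FFFD here).

```python
"""HTTP inspection normalization: IIS-style double decoding, backslash
normalization and web-root-aware directory traversal detection.
Added example, not ZyWALL or Snort code."""
import re

_PCT = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def decode_pass(uri: str) -> str:
    """One decoding pass: %uXXXX and %XX become bytes, then the whole buffer
    is decoded as UTF-8; bare high bytes that form no UTF-8 become U+FFFD."""
    out = bytearray()
    pos = 0
    for m in _PCT.finditer(uri):
        out += uri[pos:m.start()].encode("utf-8")
        if m.group(1):                                   # %uXXXX
            code = int(m.group(1), 16)
            out += bytes([code]) if code < 0x80 else chr(code).encode("utf-8", "replace")
        else:                                            # %XX
            out.append(int(m.group(2), 16))
        pos = m.end()
    out += uri[pos:].encode("utf-8")
    return out.decode("utf-8", "replace")


def inspect_uri(raw: str):
    """Return (normalized_path, alerts) for a request URI path."""
    alerts = []
    first = decode_pass(raw)
    second = decode_pass(first)
    if second != first:
        # something only became a real character on the second pass
        alerts.append("DOUBLE-ENCODING")
    path = second
    if "\\" in path:
        alerts.append("IIS-BACKSLASH-EVASION")
        path = path.replace("\\", "/")
    depth = 0
    traversal = False
    for seg in path.split("/"):
        if seg == "..":
            traversal = True
            depth -= 1
            if depth < 0 and "WEBROOT-DIRECTORY-TRAVERSAL" not in alerts:
                alerts.append("WEBROOT-DIRECTORY-TRAVERSAL")   # escaped the root
        elif seg not in ("", "."):
            depth += 1
    if traversal and "WEBROOT-DIRECTORY-TRAVERSAL" not in alerts:
        alerts.append("DIRECTORY-TRAVERSAL")                   # stayed under the root
    return path, alerts


if __name__ == "__main__":
    for uri in ("/scripts/..%255c..%255cwinnt/system32/cmd.exe",
                "/images/../index.html",
                "/cgi-bin/%u002e%u002e/%2e%2e/etc/passwd",
                "/index.html"):
        print(uri, "->", inspect_uri(uri))
```

The depth counter is what separates the two traversal rules: `/images/../index.html` dips to depth 0 and is reported only by the low-severity rule, while `/scripts/../../winnt/...` reaches depth -1 and trips the web-root rule.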
Table 174 HTTP Inspection and TCP/UDP/ICMP Decoders (continued) LABEL DESCRIPTION TRUNCATED-HEADER ATTACK This is when an ICMP packet is sent whose ICMP datagram length is less than the ICMP header length. This may cause some applications to crash. TRUNCATED-TIMESTAMP-HEADER ATTACK This is when an ICMP packet is sent whose ICMP datagram length is less than the ICMP Time Stamp header length. This may cause some applications to crash.
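The two ICMP decoder checks above as code, an added example that is not ZyWALL code: it extracts the ICMP datagram from an IPv4 packet (so the "ICMP datagram length" is the IP total length minus the IP header length, bounded by what was actually captured) and compares it with the 8-byte ICMP header and the 20-byte timestamp header. The header sizes come from the ICMP RFC; the packet builder, addresses and sample datagrams are constructed for the example.

```python
"""ICMP decoder length checks (TRUNCATED-HEADER, TRUNCATED-TIMESTAMP-HEADER).
Added example, not ZyWALL code; packets are constructed inline."""
import struct

ICMP_HEADER_LEN = 8        # type, code, checksum, identifier, sequence number
ICMP_TIMESTAMP_LEN = 20    # header plus originate, receive and transmit timestamps
ICMP_TIMESTAMP_TYPES = {13, 14}   # timestamp request / reply


def icmp_datagram(pkt: bytes) -> bytes:
    """Return the ICMP datagram carried by an IPv4 packet, honouring IHL and the
    total-length field; a short capture yields a correspondingly short datagram."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 1:
        raise ValueError("IP protocol is not ICMP")
    return pkt[ihl:min(total_len, len(pkt))]


def check_icmp(datagram: bytes):
    """Return the anomaly name, or None when the header lengths are sane."""
    if len(datagram) < ICMP_HEADER_LEN:
        return "TRUNCATED-HEADER"
    if datagram[0] in ICMP_TIMESTAMP_TYPES and len(datagram) < ICMP_TIMESTAMP_LEN:
        return "TRUNCATED-TIMESTAMP-HEADER"
    return None


def build_ipv4_icmp(icmp: bytes) -> bytes:
    """Wrap an ICMP datagram in a minimal IPv4 header (constructed addresses,
    checksum left at zero since nothing here verifies it)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + icmp


if __name__ == "__main__":
    echo = bytes([8, 0, 0, 0, 0, 1, 0, 1])             # echo request, 8 bytes
    for name, dg in (("echo", echo), ("short echo", echo[:6]),
                     ("timestamp", bytes([13, 0]) + bytes(18)),
                     ("short timestamp", bytes([13, 0]) + bytes(6))):
        print(name, check_icmp(icmp_datagram(build_ipv4_icmp(dg))))
```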
CHAPTER 36 Content Filtering 36.1 Overview Use the content filtering feature to control access to specific web sites or web content. 36.1.1 What You Can Do in this Chapter • Use the General screens (Section 36.2 on page 645) to configure global content filtering settings, configure content filtering policies, and check the content filtering license status. • Use the Filter Profile screens (Section 36.4 on page 650) to set up content filtering profiles. 36.1.
Content Filtering Profiles A content filtering profile conveniently stores your custom settings for the following features. • Category-based Blocking The ZyWALL can block access to particular categories of web site content, such as pornography or racial intolerance. • Restrict Web Features The ZyWALL can disable web proxies and block web features such as ActiveX controls, Java applets and cookies.
Since the ZyWALL checks the URL's domain name (or IP address) and file path separately, it will not find keywords that span the two. For example, with the URL www.zyxel.com.tw/news/pressroom.php, the ZyWALL would find "tw" in the domain name (www.zyxel.com.tw). It would also find "news" in the file path (news/pressroom.php), but it would not find "tw/news". Finding Out More • See Section 6.5.22 on page 108 for related information on these screens. • See Section 36.
your list of content filter policies, create a denial of access message or specify a redirect URL and check your external web filtering service registration status. Figure 450 Configuration > Anti-X > Content Filter > General The following table describes the labels in this screen. Table 175 Configuration > Anti-X > Content Filter > General LABEL DESCRIPTION General Settings Enable Content Filter Select this check box to enable the content filter.
Table 175 Configuration > Anti-X > Content Filter > General (continued) LABEL DESCRIPTION Move To change an entry's position in the numbered list, select it and click Move to display a field to type a number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed. # This column lists the index numbers of the content filter policies.
Table 175 Configuration > Anti-X > Content Filter > General (continued) LABEL DESCRIPTION License Status This read-only field displays the status of your content-filtering database service registration. Not Licensed displays if you have not successfully registered and activated the service. Expired displays if your subscription to the service has expired. Licensed displays if you have successfully registered the ZyWALL and activated the service.
filter policy. A content filter policy defines which content filter profile should be applied, when it should be applied, and to whose web access it should be applied. Figure 451 Configuration > Anti-X > Content Filter > General > Add The following table describes the labels in this screen.
36.4 Content Filter Profile Screen Click Configuration > Anti-X > Content Filter > Filter Profile to open the Filter Profile screen. A content filter profile defines to which web services, web sites or web site categories access is to be allowed or denied. Figure 452 Configuration > Anti-X > Content Filter > Filter Profile The following table describes the labels in this screen.
See Chapter 37 on page 667 for how to view content filtering reports.
The following table describes the labels in this screen. Table 178 Configuration > Anti-X > Content Filter > Filter Profile > Add LABEL DESCRIPTION License Status This read-only field displays the status of your content-filtering database service registration. Not Licensed displays if you have not successfully registered and activated the service. Expired displays if your subscription to the service has expired.
Table 178 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Action for Unsafe Web Pages Select Pass to allow users to access web pages that match the unsafe categories that you select below. Select Block to prevent users from accessing web pages that match the unsafe categories that you select below.
Table 178 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Action When Category Server Is Unavailable Select Pass to allow users to access any requested web page if the external content filtering database is unavailable. Select Block to block access to any requested web page if the external content filtering database is unavailable.
Table 178 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Spyware/Malware Sources This category includes pages which distribute spyware and other malware. Spyware and malware are defined as software which takes control of your computer, modifies computer settings, collects or reports personal information, or misrepresents itself by tricking users to install, download, or enter personal information.
Table 178 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Nudity This category includes pages containing nude or seminude depictions of the human body. These depictions are not necessarily sexual in intent or effect, but may include pages containing nude paintings or photo galleries of artistic nature. This category also includes nudist or naturist pages that contain pictures of nude individuals.
Table 178 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Arts/Entertainment This category includes pages that promote and provide information about motion pictures, videos, television, music and programming guides, books, comics, movie theatres, galleries, artists or reviews on entertainment.
Table 178 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Government/Legal This category includes pages sponsored by or which provide information on government, government agencies and government services such as taxation and emergency services. It also includes pages that discuss or explain laws of various governmental entities.
Table 178 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Religion This category includes pages that promote and provide information on conventional or unconventional religious or quasi-religious subjects, as well as churches, synagogues, or other houses of worship. It does not include pages containing alternative religions such as Wicca or witchcraft or atheist beliefs (Alternative Spirituality/Occult).
Table 178 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Sports/Recreation/Hobbies This category includes pages that promote or provide information about spectator sports, recreational activities, or hobbies. This includes pages that discuss or promote camping, gardening, and collecting.
Table 178 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Alcohol Sites that promote, offer for sale, glorify, review, or in any way advocate the use or creation of alcoholic beverages, including but not limited to beer, wine, and hard liquors. Pages that sell alcohol as a subset of other products such as restaurants or grocery stores are not included.
Table 178 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Placeholders This category includes pages that are under construction, parked domains, search-bait or otherwise generally having no useful value. Test Web Site Category URL to test You can check which category a web page belongs to. Enter a web site URL in the text box.
36.6 Content Filter Customization Screen Click Configuration > Anti-X > Content Filter > Filter Profile > Add or Edit > Customization to open the Customization screen. You can create a list of good (allowed) web site addresses and a list of bad (blocked) web site addresses. You can also block web sites based on whether the web site's address contains a keyword. Use this screen to add or remove specific sites or keywords from the filter list.
Table 179 Configuration > Anti-X > Content Filter > Filter Profile > Customization LABEL DESCRIPTION Allow Web traffic for trusted web sites only When this box is selected, the ZyWALL blocks Web access to sites that are not on the Trusted Web Sites list. If the trusted sites are chosen carefully, this is the most effective way to block objectionable material. Restricted Web Features Select the check box(es) to restrict a feature.
Table 179 Configuration > Anti-X > Content Filter > Filter Profile > Customization LABEL DESCRIPTION Forbidden Web Sites This list displays the forbidden web sites already added. Enter host names such as www.bad-site.com into this text field. Do not enter the complete URL of the site; that is, do not include "http://". All subdomains are also blocked. For example, entering "bad-site.com" also blocks "www.bad-site.com", "partner.bad-site.com", "press.bad-site.com", and so on.
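The customization matching rules from this table and from the keyword discussion earlier in the chapter (domain name and file path checked separately, so "tw/news" never matches; forbidden hosts match all their subdomains; trusted-only mode blocks everything not listed) as one decision function, an added example rather than ZyWALL code. The evaluation order trusted, then forbidden, then keywords, and ignoring the query string, are assumptions for the example; the host names are the guide's own plus constructed ones.

```python
"""Content filter customization: trusted/forbidden hosts with subdomain
matching and keyword matching on domain name and file path separately.
Added example, not ZyWALL code."""
from urllib.parse import urlsplit


def host_matches(host: str, entry: str) -> bool:
    """True when host equals entry or is a subdomain of it. The label boundary
    matters: 'notbad-site.com' must not match 'bad-site.com'."""
    host, entry = host.lower().rstrip("."), entry.lower().rstrip(".")
    return host == entry or host.endswith("." + entry)


def split_url(url: str):
    """Return (domain name, file path without the leading slash)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or ""), parts.path.lstrip("/")


class Customization:
    def __init__(self, trusted=(), forbidden=(), keywords=(), trusted_only=False):
        self.trusted = list(trusted)
        self.forbidden = list(forbidden)
        self.keywords = [k.lower() for k in keywords]
        self.trusted_only = trusted_only

    def decide(self, url: str):
        """Return (action, reason) for a requested URL."""
        host, path = split_url(url)
        if any(host_matches(host, t) for t in self.trusted):
            return "allow", f"trusted web site {host}"
        if self.trusted_only:
            return "block", f"{host} is not a trusted web site"
        for f in self.forbidden:
            if host_matches(host, f):
                return "block", f"forbidden web site {f}"
        for kw in self.keywords:
            # domain name and file path are searched separately, never joined
            if kw in host:
                return "block", f"keyword {kw!r} in domain name {host}"
            if kw in path.lower():
                return "block", f"keyword {kw!r} in file path {path}"
        return "allow", "no customization rule matched"


if __name__ == "__main__":
    c = Customization(forbidden=["bad-site.com"], keywords=["news"])
    for url in ("www.zyxel.com.tw/news/pressroom.php",
                "http://partner.bad-site.com/index.html",
                "https://notbad-site.com/"):
        print(url, "->", c.decide(url))
```

Short keywords are blunt: "tw" in the guide's example also blocks any host whose name merely contains those two letters, so keyword entries deserve the same care as the trusted list.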
External Content Filter Server Lookup Procedure The content filter lookup process is described below. Figure 456 Content Filter Lookup Procedure 1 A computer behind the ZyWALL tries to access a web site. 2 The ZyWALL looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site's category will be in the ZyWALL's cache. The ZyWALL blocks, blocks and logs or just logs the request based on your configuration.
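The lookup procedure above together with the Action When Category Server Is Unavailable setting from the profile table, as a runnable model; this is an added example, not ZyWALL code. The external category server is a stub, the cache time-to-live, the category names, the hosts and the per-category actions are constructed, and the steps not shown on this page (querying the server on a cache miss and caching its answer) are assumptions.

```python
"""Category lookup with a cache and the 'category server unavailable' policy.
Added example, not ZyWALL code; the server is a stub and all data is constructed."""
import time


class ServerUnavailable(Exception):
    """Raised by the lookup client when the external category server fails."""


class StubCategoryServer:
    def __init__(self, table):
        self.table = table          # host -> category (constructed)
        self.available = True

    def __call__(self, host):
        if not self.available:
            raise ServerUnavailable(host)
        return self.table.get(host, "Uncategorized")


class CategoryFilter:
    def __init__(self, query_server, category_actions, unavailable_action="block",
                 cache_ttl=3600.0, clock=time.monotonic):
        self.query_server = query_server              # callable: host -> category
        self.category_actions = category_actions      # category -> "block"|"log"|"pass"
        self.unavailable_action = unavailable_action  # Pass or Block when server is down
        self.cache_ttl = cache_ttl
        self.clock = clock
        self.cache = {}                               # host -> (category, expires_at)
        self.server_queries = 0

    def category_of(self, host):
        """Step 2: consult the cache; on a miss or expired entry ask the server."""
        now = self.clock()
        hit = self.cache.get(host)
        if hit is not None and hit[1] > now:
            return hit[0], "cache"
        self.server_queries += 1
        try:
            category = self.query_server(host)
        except ServerUnavailable:
            return None, "unavailable"
        self.cache[host] = (category, now + self.cache_ttl)
        return category, "server"

    def decide(self, host):
        """Return (action, reason): the per-category action, or the configured
        unavailable action when no category could be obtained."""
        category, source = self.category_of(host)
        if category is None:
            return self.unavailable_action, "category server unavailable"
        return self.category_actions.get(category, "pass"), f"{category} via {source}"


if __name__ == "__main__":
    server = StubCategoryServer({"casino.example": "Gambling", "news.example": "News"})
    f = CategoryFilter(server, {"Gambling": "block", "News": "log"})
    print(f.decide("casino.example"))
    print(f.decide("casino.example"))       # second call is served from the cache
    server.available = False
    print(f.decide("news.example"))         # falls back to the unavailable action
```

The cache is what keeps a server outage from becoming a total outage: hosts seen recently are still classified from the cache, and only first-time hosts fall through to the Pass or Block setting, so the choice between the two is really a choice about unknown destinations during an outage.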
CHAPTER 37 Content Filter Reports 37.1 Overview You can view content filtering reports after you have activated the category-based content filtering subscription service. See Chapter 11 on page 277 on how to create a myZyXEL.com account, register your device and activate the subscription services. 37.2 Viewing Content Filter Reports Content filtering reports are generated statistics and charts of access attempts to web sites belonging to the categories you selected in your device content filter screen.
2 Fill in your myZyXEL.com account information and click Login. Figure 457 myZyXEL.
3 A welcome screen displays. Click your ZyWALL's model name and/or MAC address under Registered ZyXEL Products (the ZyWALL 70 is shown as an example here). You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 459 on page 670). Figure 458 myZyXEL.
4 In the Service Management screen click Content Filter in the Service Name column to open the content filter reports screens. Figure 459 myZyXEL.com: Service Management 5 In the Web Filter Home screen, click the Reports tab.
6 Select items under Global Reports to view the corresponding reports. Figure 461 Content Filter Reports: Report Home 7 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen.
8 A chart and/or list of requested web site categories displays in the lower half of the screen.
9 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.
CHAPTER 38 Anti-Spam 38.1 Overview The anti-spam feature can mark or discard spam (unsolicited commercial or junk e-mail). Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail. The ZyWALL can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers. 38.1.1 What You Can Do in this Chapter • Use the General screens (Section 38.3 on page 677) to turn anti-spam on or off and manage anti-spam policies.
Black List Configure black list entries to identify spam. The black list entries have the ZyWALL classify any e-mail that is from or forwarded by a specified IP address or uses a specified header field and header value as spam. If an e-mail does not match any of the white list entries, the ZyWALL checks it against the black list entries. The ZyWALL classifies an e-mail that matches a black list entry as spam and immediately takes the configured action for dealing with spam.
E-mail Header Buffer Size The ZyWALL has a 5 K buffer for an individual e-mail header. If an e-mail's header is longer than 5 K, the ZyWALL only checks the first 5 K. DNSBL A DNS Black List (DNSBL) is a server that hosts a list of IP addresses known or suspected of having sent or forwarded spam. A DNSBL is also known as a DNS spam blocking list.
spam policies. You can also select the action the ZyWALL takes when the mail sessions threshold is reached. Figure 464 Configuration > Anti-X > Anti-Spam > General The following table describes the labels in this screen. Table 180 Configuration > Anti-X > Anti-Spam > General LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields.
Table 180 Configuration > Anti-X > Anti-Spam > General LABEL DESCRIPTION Remove Select an entry and click this to delete it. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate. Move To change an entry's position in the numbered list, select it and click Move to display a field to type a number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed.
check, which e-mail protocols to scan, the scanning options, and the action to take on spam traffic. Figure 465 Configuration > Anti-X > Anti-Spam > General > Add The following table describes the labels in this screen. Table 181 Configuration > Anti-X > Anti-Spam > General > Add LABEL DESCRIPTION Enable Policy Select this check box to have the ZyWALL apply this anti-spam policy to check e-mail traffic for spam.
Table 181 Configuration > Anti-X > Anti-Spam > General > Add (continued) LABEL DESCRIPTION Check White List Select this check box to check e-mail against the white list. The ZyWALL classifies e-mail that matches a white list entry as legitimate (not spam). Check Black List Select this check box to check e-mail against the black list. The ZyWALL classifies e-mail that matches a black list entry as spam.
specific subject text. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order. Figure 466 Configuration > Anti-X > Anti-Spam > Black/White List > Black List The following table describes the labels in this screen.
38.4.1 The Anti-Spam Black or White List Add/Edit Screen In the anti-spam Black List or White List screen, click the Add icon or an Edit icon to display the following screen. Use this screen to configure an anti-spam black list entry to identify spam e-mail (or a white list entry to identify legitimate e-mail). You can create entries based on specific subject text, or the sender's or relay's IP address or e-mail address. You can also create entries that check for particular header fields and values.
Table 183 Configuration > Anti-X > Anti-Spam > Black/White List > Black List (or White List) > Add LABEL DESCRIPTION Sender or Mail Relay IP Address This field displays when you select the IP type. Enter an IP address in dotted decimal notation. Netmask This field displays when you select the IP type. Enter the subnet mask here, if applicable. Sender E-Mail Address This field displays when you select the E-Mail type. Enter a keyword (up to 63 ASCII characters). See Section 38.4.
38.5 The Anti-Spam White List Screen Click Configuration > Anti-X > Anti-Spam > Black/White List and then the White List tab to display the Anti-Spam White List screen. Configure the white list to identify legitimate e-mail. You can create white list entries based on the sender's or relay's IP address or e-mail address. You can also create entries that check for particular header fields and values or specific subject text.
Table 184 Configuration > Anti-X > Anti-Spam > Black/White List > White List LABEL DESCRIPTION Type This field displays whether the entry is based on the e-mail's subject, source or relay IP address, source e-mail address, or a header. Content This field displays the subject content, source or relay IP address, source e-mail address, or header value for which the entry checks. OK Click OK to save your changes.
The following table describes the labels in this screen. Table 185 Configuration > Anti-X > Anti-Spam > DNSBL LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields. Enable DNS Black List (DNSBL) Checking Select this to have the ZyWALL check the sender and relay IP addresses in e-mail headers against the DNSBL servers maintained by the DNSBL domains listed in the ZyWALL.
Table 185 Configuration > Anti-X > Anti-Spam > DNSBL (continued) LABEL DESCRIPTION Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate. Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. # This is the entry's index number in the list.
Here is an example of an e-mail classified as spam based on DNSBL replies. Figure 470 DNSBL Spam Detection Example (diagram: the ZyWALL queries DNSBL A, B and C about a.a.a.a and b.b.b.b and receives Spam replies) 1 The ZyWALL receives an e-mail that was sent from IP address a.a.a.a and relayed by an e-mail server at IP address b.b.b.b.
Here is an example of an e-mail classified as legitimate based on DNSBL replies. Figure 471 DNSBL Legitimate E-mail Detection Example (diagram: the ZyWALL queries DNSBL A, B and C about c.c.c.c and d.d.d.d and every reply is Not spam) 1 The ZyWALL receives an e-mail that was sent from IP address c.c.c.c and relayed by an e-mail server at IP address d.d.d.d.
If the ZyWALL receives conflicting DNSBL replies for an e-mail routing IP address, the ZyWALL classifies the e-mail as spam. Here is an example. Figure 472 Conflicting DNSBL Replies Example (diagram: the ZyWALL queries DNSBL A, B and C about a.b.c.d and w.x.y.z; a.b.c.d is reported as Not spam by one DNSBL and as Spam by another, so the e-mail is classified as spam) 1 The ZyWALL receives an e-mail that was sent from IP address a.b.c.d and relayed by an e-mail server at IP address w.x.y.z.
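The classification order the chapter describes (white list first, then black list, then a DNSBL query for every routing IP, with any listing, including a conflicting one, meaning spam, and only the first 5 K of the header examined) as one runnable pipeline; this is an added example, not ZyWALL code. The messages, list entries, DNSBL domain names and the resolver table are constructed for the example; the DNSBL query form (reversed octets under the list domain, an A record meaning "listed") is the conventional one and is assumed to be what the ZyWALL sends.

```python
"""Anti-spam classification: white list, black list, then DNSBL lookups.
Added example, not ZyWALL code; messages, entries and DNS data are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from email.parser import HeaderParser

HEADER_BUFFER = 5 * 1024          # only the first 5 K of the header block is checked
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Entry:
    kind: str                          # "ip", "email", "header" or "subject"
    value: str
    netmask: str = "255.255.255.255"   # used when kind == "ip"
    header: str = ""                   # field name when kind == "header"


def parse_headers(raw: str):
    """Split off the header block, keep at most HEADER_BUFFER of it, and collect
    the sender and relay IPs from the Received headers (last hop first)."""
    head = raw.split("\n\n", 1)[0][:HEADER_BUFFER]
    msg = HeaderParser().parsestr(head)
    ips = []
    for rcvd in msg.get_all("Received", []):
        ips += [ip for ip in _RECEIVED_IP.findall(rcvd) if ip not in ips]
    return msg, ips


def entry_matches(e: Entry, msg, routing_ips) -> bool:
    if e.kind == "ip":
        net = ipaddress.IPv4Network(f"{e.value}/{e.netmask}", strict=False)
        return any(ipaddress.IPv4Address(ip) in net for ip in routing_ips)
    if e.kind == "email":
        return e.value.lower() in (msg.get("From") or "").lower()
    if e.kind == "subject":
        return e.value.lower() in (msg.get("Subject") or "").lower()
    if e.kind == "header":
        return any(e.value.lower() in v.lower() for v in msg.get_all(e.header, []))
    return False


def dnsbl_listed(ip: str, domain: str, resolve) -> bool:
    """Conventional DNSBL query: reversed octets under the list domain; any
    A record means listed. `resolve` maps a name to an address or None."""
    name = ".".join(reversed(ip.split("."))) + "." + domain
    return resolve(name) is not None


def classify(raw, white, black, dnsbl_domains, resolve):
    """Return ("legitimate"|"spam", reason) following the guide's order."""
    msg, ips = parse_headers(raw)
    for e in white:
        if entry_matches(e, msg, ips):
            return "legitimate", f"white list {e.kind} {e.value}"
    for e in black:
        if entry_matches(e, msg, ips):
            return "spam", f"black list {e.kind} {e.value}"
    for ip in ips:
        verdicts = {d: dnsbl_listed(ip, d, resolve) for d in dnsbl_domains}
        if any(verdicts.values()):      # one "listed" wins, even if others disagree
            listed = ", ".join(d for d, v in verdicts.items() if v)
            return "spam", f"{ip} listed by {listed}"
    return "legitimate", "no list or DNSBL match"


# Constructed test data: dnsbl-a lists the sender, dnsbl-b lists the relay.
DNSBL_TABLE = {
    "5.113.0.203.dnsbl-a.example": "127.0.0.2",
    "9.100.51.198.dnsbl-b.example": "127.0.0.2",
}
resolve = DNSBL_TABLE.get
SPAM_MAIL = ("Received: from relay.example ([198.51.100.9]) by mx.corp.example\n"
             "Received: from sender.example ([203.0.113.5]) by relay.example\n"
             "From: deals@sender.example\nSubject: cheap watches\n\nbody\n")
CLEAN_MAIL = ("Received: from mail.partner.example ([192.0.2.7]) by mx.corp.example\n"
              "From: alice@partner.example\nSubject: Meeting notes\n\nbody\n")

if __name__ == "__main__":
    domains = ["dnsbl-a.example", "dnsbl-b.example"]
    print(classify(SPAM_MAIL, [], [], domains, resolve))
    print(classify(SPAM_MAIL, [Entry("email", "@sender.example")], [], domains, resolve))
    print(classify(CLEAN_MAIL, [], [Entry("subject", "cheap")], domains, resolve))
```

Two things worth noticing: a white list hit short-circuits everything after it, so a white list entry on a sender address is effectively a DNSBL bypass for anything that can forge that address; and the 5 K header limit means a subject or header buried behind several kilobytes of padding is never examined by the list checks.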
CHAPTER 39 Device HA 39.1 Overview Device HA lets a backup ZyWALL (B) automatically take over if the master ZyWALL (A) fails. Figure 473 Device HA Backup Taking Over for the Master A B 39.1.1 What You Can Do in this Chapter • Use the General screen (Section 39.2 on page 695) to configure device HA global settings, and see the status of each interface monitored by device HA. • Use the Active-Passive Mode screens (Section 39.3 on page 696) to use active-passive mode device HA.
Chapter 39 Device HA • Legacy mode allows for more complex relationships between the master and backup ZyWALLs, such as active-active or using different ZyWALLs as the master ZyWALL for individual interfaces. Legacy mode configuration involves a greater degree of complexity. Active-passive mode is recommended for general failover deployments. • The ZyWALLs must all support and be set to use the same device HA mode (either active-passive or legacy).
Chapter 39 Device HA 39.2 Device HA General The Configuration > Device HA General screen lets you enable or disable device HA, and displays which device HA mode the ZyWALL is set to use along with a summary of the monitored interfaces. Figure 474 Configuration > Device HA > General The following table describes the labels in this screen. Table 186 Configuration > Device HA > General LABEL DESCRIPTION Enable Device HA Turn the ZyWALL’s device HA feature on or off.
Chapter 39 Device HA Table 186 Configuration > Device HA > General (continued) LABEL DESCRIPTION HA Status The text before the slash shows whether the device is configured as the master or the backup role. This text after the slash displays the monitored interface’s status in the virtual router. Active - This interface is up and using the virtual IP address and subnet mask. Stand-By - This interface is a backup interface in the virtual router. It is not using the virtual IP address and subnet mask.
Chapter 39 Device HA B form a virtual router that uses cluster ID 1. ZyWALLs C and D form a virtual router that uses cluster ID 2. Figure 476 Cluster IDs for Multiple Virtual Routers A 1 B C D 2 Monitored Interfaces in Active-Passive Mode Device HA You can select which interfaces device HA monitors. If a monitored interface on the ZyWALL loses its connection, device HA has the backup ZyWALL take over. Enable monitoring for the same interfaces on the master and backup ZyWALLs.
Chapter 39 Device HA 192.168.1.5 and ZyWALL B has its own LAN management IP address of 192.168.1.6. These do not change when ZyWALL B becomes the master. Figure 477 Management IP Addresses A 192.168.1.1 192.168.1.5 B 192.168.1.1 192.168.1.6 39.3.1 Configuring Active-Passive Mode Device HA The Device HA Active-Passive Mode screen lets you configure general activepassive mode device HA settings, view and manage the list of monitored interfaces, and synchronize backup ZyWALLs.
Chapter 39 Device HA The following table describes the labels in this screen. See Section 39.4 on page 701 for more information as well. Table 187 Configuration > Device HA > Active-Passive Mode LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields. Device Role Select the device HA role that the ZyWALL plays in the virtual router. Choices are: Master - This ZyWALL is the master ZyWALL in the virtual router.
Chapter 39 Device HA Table 187 Configuration > Device HA > Active-Passive Mode (continued) LABEL DESCRIPTION Monitored Interface Summary This table shows the status of the device HA settings and status of the ZyWALL’s interfaces. Edit Select an entry and click this to be able to modify it. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate. # This is the entry’s index number in the list.
Chapter 39 Device HA Table 187 Configuration > Device HA > Active-Passive Mode (continued) LABEL DESCRIPTION Password Enter the password used for verification during synchronization. Every ZyWALL in the virtual router must use the same password. If you leave this field blank in the master ZyWALL, no backup ZyWALLs can synchronize from it. If you leave this field blank in a backup ZyWALL, it cannot synchronize from the master ZyWALL.
A bridge interface’s device HA settings are not retained if you delete the bridge interface.
Figure 479 Configuration > Device HA > Active-Passive Mode > Edit
The following table describes the labels in this screen.
Table 188 Configuration > Device HA > Active-Passive Mode > Edit
Enable Monitored Interface: Select this to have device HA monitor the status of this interface’s connection.
Interface Name: This identifies the interface.
39.5 The Legacy Mode Screen
Virtual Router Redundancy Protocol (VRRP)
Legacy mode device HA uses Virtual Router Redundancy Protocol (VRRP) to create redundant backup gateways to ensure that a default gateway is always available. The ZyWALL uses a custom VRRP implementation and is not compatible with standard VRRP.
39.6 Configuring the Legacy Mode Screen
The Device HA Legacy Mode screen lets you configure general legacy mode HA settings including link monitoring, configure the VRRP group and synchronize backup ZyWALLs. To access this screen, click Configuration > Device HA > Legacy Mode.
Figure 480 Configuration > Device HA > Legacy Mode
The following table describes the labels in this screen. See Table 190 on page 707 for more information as well.
Table 189 Configuration > Device HA > Legacy Mode (continued)
Remove: Select an entry and click this to delete it.
Activate: To turn on an entry, select it and click Activate. Activating a VRRP group has the ZyWALL monitor the connection of the group’s interface. Each interface must have a static IP address and be connected to the same subnet as the group’s interface on the other ZyWALL.
Inactivate: To turn off an entry, select it and click Inactivate.
Auto Synchronize: Select this to get configuration and subscription service updates automatically from the specified ZyWALL according to the specified Interval. The first synchronization begins after the specified Interval; the ZyWALL does not synchronize immediately.
Interval: This field is only available if Auto Synchronize is checked. Type the number of minutes to wait between synchronizations.
The following table describes the labels in this screen.
Table 190 Configuration > Device HA > Legacy Mode > Add
Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
Enable VRRP Group: Select this to make the specified interface part of the virtual router. Clear this to take the specified interface out of the virtual router.
VRID: Type the virtual router ID number.
Virtual Router IP (VRIP) / Subnet Mask: This is the interface’s IP address and subnet mask in the virtual router.
Authentication: Select the authentication method used in the virtual router. Every interface in a virtual router must use the same authentication method and password.
1 Make sure the bridge interfaces of the master ZyWALL (A) and the backup ZyWALL (B) are not connected.
(Figure: ZyWALL A and ZyWALL B, not connected)
2 Configure the bridge interface on the master ZyWALL, set the bridge interface as a monitored interface, and activate device HA.
(Figure: A with Br0 {ge4, ge5}, B)
3 Configure the bridge interface on the backup ZyWALL, set the bridge interface as a monitored interface, and activate device HA.
4 Connect the ZyWALLs.
(Figure: A with Br0 {ge4, ge5} connected to B with Br0 {ge4, ge5})
Second Option for Connecting the Bridge Interfaces on Two ZyWALLs
Another option is to disable the bridge interfaces, connect the bridge interfaces, activate device HA, and finally reactivate the bridge interfaces as shown in the following example.
1 In this case the ZyWALLs are already connected, but the bridge interfaces have not been configured yet. Configure a bridge interface on the master ZyWALL but leave it disabled.
2 Configure a corresponding disabled bridge interface on the backup ZyWALL. Then set the bridge interface as a monitored interface, and activate device HA.
(Figure: A with Br0 {ge4, ge5} disabled, B with Br0 {ge4, ge5} disabled)
3 Enable the bridge interface on the master ZyWALL and then on the backup ZyWALL.
(Figure: A with Br0 {ge4, ge5}, B with Br0 {ge4, ge5})
4 Connect the ZyWALLs.
Legacy Mode ZyWALL VRRP Application
In VRRP, a virtual router represents a number of ZyWALLs associated with one IP address, the IP address of the default gateway. Each virtual router is identified by a unique 8-bit identification number called a Virtual Router ID (VR ID). In the example below, ZyWALL A and ZyWALL B are part of virtual router 10 with IP address 192.168.10.254.
Figure 482 Example: VRRP, Normal Operation
The VR ID is not shown.
If ZyWALL A becomes available again, ZyWALL A preempts ZyWALL B and becomes the master again (the network returns to the state shown in Figure 482 on page 712).
Synchronization
During synchronization, the master ZyWALL sends the following information to the backup ZyWALL.
• Startup configuration file (startup-config.
CHAPTER 40 User/Group
40.1 Overview
This chapter describes how to set up user accounts, user groups, and user settings for the ZyWALL. You can also set up rules that control when users have to log in to the ZyWALL before the ZyWALL routes traffic for them.
40.1.1 What You Can Do in this Chapter
• The User screen (see Section 40.2 on page 718) provides a summary of all user accounts.
• The Group screen (see Section 40.3 on page 721) provides a summary of all user groups.
Table 191 Types of User Accounts (continued)
TYPE / ABILITIES / LOGIN METHOD(S)
limited-admin / Look at ZyWALL configuration (web, CLI); Perform basic diagnostics (CLI) / WWW, TELNET, SSH, Console, Dial-in
Access Users:
user / Access network services; Browse user-mode commands (CLI) / WWW, TELNET, SSH
guest / Access network services / WWW
ext-user / External user account / WWW
ext-group-user / External group user account / WWW
Note: The default admin account is always authenticated locally, rega
See Setting up User Attributes in an External Server on page 729 for a list of attributes and how to set up the attributes in an external server.
Ext-Group-User Accounts
Ext-Group-User accounts are similar to ext-user accounts but allow you to group users by the value of the group membership attribute configured for the AD or LDAP server. See Section 44.2.1 on page 753 for more on the group membership attribute.
40.2 User Summary Screen
The User screen provides a summary of all user accounts. To access this screen, log in to the Web Configurator, and click Configuration > Object > User/Group.
Figure 484 Configuration > Object > User/Group
The following table describes the labels in this screen.
Table 192 Configuration > Object > User/Group
Add: Click this to create a new entry.
• - [dashes]
The first character must be alphabetical (A-Z a-z), an underscore (_), or a dash (-). Other limitations on user names are:
• User names are case-sensitive. If you enter a user 'bob' but use 'BOB' when connecting via CIFS or FTP, it will use the account settings used for 'BOB' not 'bob'.
• User names have to be different from user group names.
The following table describes the labels in this screen.
Table 193 Configuration > User/Group > User > Add
User Name: Type the user name for this user account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. User names have to be different from user group names, and some words are reserved. See Section 40.2.1.1 on page 718.
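The following Python script is an added example, not part of the ZyXEL guide or the ZyWALL firmware. It checks a proposed user name against the rules stated above before the name is typed into the User Name field: the regular expression encodes the character and length rules, the exact comparisons follow from names being case-sensitive, and the page does not list the reserved words, so the function takes that list from the caller. The case-only collision warning is this example's addition, motivated by the 'bob' versus 'BOB' note about CIFS and FTP logins.

```python
import re
from dataclasses import dataclass, field

# Character rules from the User Name description: 1-31 characters drawn from
# letters, digits, underscore and dash, and the first character is not a digit.
_USER_NAME_RE = re.compile(r"[A-Za-z_-][A-Za-z0-9_-]{0,30}")


@dataclass
class NameCheck:
    ok: bool
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def check_user_name(name, existing_users=(), group_names=(), reserved=()):
    """Validate a proposed ZyWALL user name.

    existing_users: names already defined (the default 'admin' account at least).
    group_names:    user group names; a user name may not equal any of them.
    reserved:       reserved words; the guide says some exist but this page does
                    not list them, so the caller supplies them (assumption).
    """
    errors, warnings = [], []
    if not _USER_NAME_RE.fullmatch(name):
        if not 1 <= len(name) <= 31:
            errors.append("length must be 1-31 characters")
        elif name[0].isdigit():
            errors.append("first character cannot be a number")
        else:
            errors.append("only letters, digits, underscore (_) and dash (-) are allowed")
    # Exact comparisons: the manual states that user names are case-sensitive.
    if name in group_names:
        errors.append("user names have to be different from user group names")
    if name in reserved:
        errors.append(f"'{name}' is a reserved word")
    if name in existing_users:
        errors.append(f"user '{name}' already exists")
    # Added check: a name that differs from an existing one only in case is legal
    # but invites the CIFS/FTP mix-up the manual describes ('bob' vs 'BOB').
    for other in existing_users:
        if other != name and other.lower() == name.lower():
            warnings.append(f"differs only in case from existing user '{other}'")
    return NameCheck(ok=not errors, errors=errors, warnings=warnings)


if __name__ == "__main__":
    for candidate in ("bob", "1bob", "bob!", "BOB", "sales"):
        result = check_user_name(candidate, existing_users=("admin", "bob"),
                                 group_names=("sales",))
        print(candidate, result)
```

Run the script to see each candidate name with its errors and warnings; in your own tooling, feed it the current user and group lists exported from the device so the group-name and case-collision checks reflect the live configuration.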
Table 193 Configuration > User/Group > User > Add (continued)
Reauthentication Time: This field is not available if you select the ext-group-user type.
Configuration Validation: Use a user account from the group specified above to test if the configuration is correct. Enter the account’s user name in the User Name field and click Test.
OK: Click OK to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving your changes.
Table 194 Configuration > Object > User/Group > Group (continued)
#: This field is a sequential value, and it is not associated with a specific user group.
Group Name: This field displays the name of each user group.
Description: This field displays the description for each user group.
Member: This field lists the members in the user group. Each member is separated by a comma.
40.3.
Table 195 Configuration > User/Group > Group > Add (continued)
Member List: The Member list displays the names of the users and user groups that have been added to the user group. The order of members is not important. Select users and groups from the Available list that you want to be members of this group and move them to the Member list.
To access this screen, log in to the Web Configurator, and click Configuration > Object > User/Group > Setting.
Figure 488 Configuration > Object > User/Group > Setting
The following table describes the labels in this screen.
Table 196 Configuration > Object > User/Group > Setting
User Authentication Timeout Settings
Default Authentication Timeout Settings: These authentication timeout settings are used by default when you create a new user account.
User Type: These are the kinds of user account the ZyWALL supports.
Limit the number of simultaneous logons for administration account: Select this check box if you want to set a limit on the number of simultaneous logins by admin users. If you do not select this, admin users can log in as many times as they want at the same time using the same or different IP addresses.
Maximum number per administration account: This field is effective when Limit ...
To access this screen, go to the Configuration > Object > User/Group > Setting screen (see Section 40.4 on page 723), and click one of the Default Authentication Timeout Settings section’s Edit icons.
Figure 489 Configuration > Object > User/Group > Setting > Edit
The following table describes the labels in this screen.
40.4.2 User Aware Login Example
Access users cannot use the Web Configurator to browse the configuration of the ZyWALL. Instead, after access users log into the ZyWALL, the following screen appears.
Figure 490 Web Configurator for Non-Admin Users
The following table describes the labels in this screen.
Table 198 Web Configurator for Non-Admin Users
User-defined lease time (max ...
40.5 User/Group Technical Reference
This section provides some information on users who use an external authentication server in order to log in.
Setting up User Attributes in an External Server
To set up user attributes, such as reauthentication time, in LDAP or RADIUS servers, use the following keywords in the user configuration file.
Table 199 LDAP/RADIUS: Keywords for User Attributes
KEYWORD / CORRESPONDING ATTRIBUTE IN WEB CONFIGURATOR
type / User Type.
CHAPTER 41 Addresses
41.1 Overview
Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups.
41.1.1 What You Can Do in this Chapter
• The Address screen (Section 41.2 on page 731) provides a summary of all addresses in the ZyWALL. Use the Address Add/Edit screen to create a new address or edit an existing one.
• Use the Address Group summary screen (Section 41.
• RANGE - a range address is defined by a Starting IP Address and an Ending IP Address.
• SUBNET - a network address is defined by a Network IP address and Netmask subnet mask.
The Address screen provides a summary of all addresses in the ZyWALL. To access this screen, click Configuration > Object > Address > Address. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
41.2.1 Address Add/Edit Screen
The Configuration > Address Add/Edit screen allows you to create a new address or edit an existing one. To access this screen, go to the Address screen (see Section 41.2 on page 731), and click either the Add icon or an Edit icon.
Figure 494 Configuration > Object > Address > Address > Edit
The following table describes the labels in this screen.
Table 201 Configuration > Object > Address > Address > Edit (continued)
Interface: If you selected INTERFACE IP, INTERFACE SUBNET, or INTERFACE GATEWAY as the Address Type, use this field to select the interface of the network that this address object represents.
OK: Click OK to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving your changes.
41.
41.3.1 Address Group Add/Edit Screen
The Address Group Add/Edit screen allows you to create a new address group or edit an existing one. To access this screen, go to the Address Group screen (see Section 41.3 on page 734), and click either the Add icon or an Edit icon.
Figure 496 Configuration > Object > Address > Address Group > Add
The following table describes the labels in this screen.
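The following Python script is an added example, not code from the ZyXEL guide or the ZyWALL. It models the address objects described in this chapter (a RANGE from a Starting to an Ending IP Address, a SUBNET from a Network IP address and Netmask) and address groups that contain objects and other groups, and answers the question a firewall rule ultimately asks: does this IP fall inside this object or group? HOST is this example's label for the single-IP type; the INTERFACE types are left out because they resolve to the live interface address, which an offline script does not have. The object and group names are constructed sample data, and the cycle check on nested groups is this example's addition.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AddressObject:
    """HOST (single IP), RANGE (starting/ending IP) or SUBNET (network IP/netmask)."""
    name: str
    kind: str
    a: str          # IP address, Starting IP Address, or Network IP address
    b: str = ""     # Ending IP Address for RANGE, Netmask for SUBNET

    def contains(self, ip):
        ip = ipaddress.ip_address(ip)
        if self.kind == "HOST":
            return ip == ipaddress.ip_address(self.a)
        if self.kind == "RANGE":
            lo, hi = ipaddress.ip_address(self.a), ipaddress.ip_address(self.b)
            if hi < lo:
                raise ValueError(f"{self.name}: ending IP precedes starting IP")
            return lo <= ip <= hi
        if self.kind == "SUBNET":
            # strict=False accepts a Network IP that is not the lowest address
            # of the block, as a user might type it, and masks it down.
            return ip in ipaddress.ip_network(f"{self.a}/{self.b}", strict=False)
        raise ValueError(f"{self.name}: unknown address type {self.kind}")


def resolve_group(name, groups, objects, _seen=frozenset()):
    """Expand an address group (members may be objects or other groups) into the
    set of address object names it refers to. Raises on unknown members and on
    a group that directly or indirectly contains itself."""
    if name in _seen:
        raise ValueError(f"address group cycle through '{name}'")
    _seen = _seen | {name}
    leaves = set()
    for member in groups[name]:
        if member in objects:
            leaves.add(member)
        elif member in groups:
            leaves |= resolve_group(member, groups, objects, _seen)
        else:
            raise KeyError(f"{name}: unknown member '{member}'")
    return leaves


def group_contains(name, ip, groups, objects):
    return any(objects[o].contains(ip) for o in resolve_group(name, groups, objects))


def has_cycle(name, groups, objects):
    try:
        resolve_group(name, groups, objects)
        return False
    except ValueError:
        return True


# Constructed sample configuration (names and addresses are made up).
OBJECTS = {
    "LAN_SUBNET": AddressObject("LAN_SUBNET", "SUBNET", "192.168.1.0", "255.255.255.0"),
    "DMZ_RANGE": AddressObject("DMZ_RANGE", "RANGE", "10.0.2.10", "10.0.2.20"),
    "MGMT_HOST": AddressObject("MGMT_HOST", "HOST", "192.168.1.1"),
}
GROUPS = {
    "INTERNAL": ["LAN_SUBNET", "DMZ"],      # a group nesting another group
    "DMZ": ["DMZ_RANGE", "MGMT_HOST"],
    "LOOP_A": ["LOOP_B"],                   # deliberately circular
    "LOOP_B": ["LOOP_A"],
}

if __name__ == "__main__":
    for ip in ("192.168.1.77", "10.0.2.15", "10.0.3.15"):
        print(ip, "in INTERNAL:", group_contains("INTERNAL", ip, GROUPS, OBJECTS))
    print("LOOP_A has cycle:", has_cycle("LOOP_A", GROUPS, OBJECTS))
```

A group that refers back to itself cannot be built in the Web Configurator, but configurations are also edited as text and merged from other devices, so a check like resolve_group is worth running over an exported configuration before it is applied.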
CHAPTER 42 Services
42.1 Overview
Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features.
42.1.1 What You Can Do in this Chapter
• Use the Service screens (Section 42.2 on page 738) to view and configure the ZyWALL’s list of services and their definitions.
• Use the Service Group screens (Section 42.2 on page 738) to view and configure the ZyWALL’s list of service groups.
42.1.
Both TCP and UDP use ports to identify the source and destination. Each port is a 16-bit number. Some port numbers have been standardized and are used by low-level system processes; many others have no particular meaning. Unlike TCP and UDP, Internet Control Message Protocol (ICMP, IP protocol 1) is mainly used to send error messages or to investigate problems. For example, ICMP is used to send the response if a computer cannot be reached. Another use is ping.
entries by that column’s criteria. Click the heading cell again to reverse the sort order.
Figure 497 Configuration > Object > Service > Service
The following table describes the labels in this screen.
Table 204 Configuration > Object > Service > Service
Add: Click this to create a new entry.
Edit: Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove: To remove an entry, select it and click Remove.
42.2.1 The Service Add/Edit Screen
The Service Add/Edit screen allows you to create a new service or edit an existing one. To access this screen, go to the Service screen (see Section 42.2 on page 738), and click either the Add icon or an Edit icon.
Figure 498 Configuration > Object > Service > Service > Edit
The following table describes the labels in this screen.
To access this screen, log in to the Web Configurator, and click Configuration > Object > Service > Service Group.
Figure 499 Configuration > Object > Service > Service Group
The following table describes the labels in this screen. See Section 42.3.1 on page 742 for more information as well.
Table 206 Configuration > Object > Service > Service Group
Add: Click this to create a new entry.
42.3.1 The Service Group Add/Edit Screen
The Service Group Add/Edit screen allows you to create a new service group or edit an existing one. To access this screen, go to the Service Group screen (see Section 42.3 on page 740), and click either the Add icon or an Edit icon.
Figure 500 Configuration > Object > Service > Service Group > Edit
The following table describes the labels in this screen.
CHAPTER 43 Schedules
43.1 Overview
Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, application patrol, and content filtering. The ZyWALL supports one-time and recurring schedules. One-time schedules are effective only once, while recurring schedules usually repeat. Both types of schedules are based on the current date and time in the ZyWALL.
Note: Schedules are based on the ZyWALL’s current date and time.
43.1.
Finding Out More
• See Section 6.6 on page 110 for related information on these screens.
• See Section 50.3 on page 811 for information about the ZyWALL’s current date and time.
43.2 The Schedule Summary Screen
The Schedule summary screen provides a summary of all schedules in the ZyWALL. To access this screen, click Configuration > Object > Schedule.
Figure 501 Configuration > Object > Schedule
The following table describes the labels in this screen. See Section 43.2.
Table 208 Configuration > Object > Schedule (continued)
Recurring
Add: Click this to create a new entry.
Edit: Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.
Object References: Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 13.3.
Table 209 Configuration > Object > Schedule > Edit (One Time) (continued)
Date Time
StartDate: Specify the year, month, and day when the schedule begins. Year - 1900 - 2999; Month - 1 - 12; Day - 1 - 31 (it is not possible to specify illegal dates, such as February 31.); Hour - 0 - 23; Minute - 0 - 59
StartTime: Specify the hour and minute when the schedule begins. Hour - 0 - 23; Minute - 0 - 59
StopDate: Specify the year, month, and day when the schedule ends.
(see Section 43.2 on page 744), and click either the Add icon or an Edit icon in the Recurring section.
Figure 503 Configuration > Object > Schedule > Edit (Recurring)
The Year, Month, and Day columns are not used in recurring schedules and are disabled in this screen. The following table describes the remaining labels in this screen.
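The following Python script is an added example and not code from the ZyXEL guide or the device. It applies the field ranges given for one-time schedules (Year 1900-2999, Month 1-12, Day 1-31 with impossible dates such as February 31 rejected, Hour 0-23, Minute 0-59) and then evaluates whether a one-time or a recurring schedule is active at a given ZyWALL date and time, which is what a firewall rule bound to the schedule depends on. Two points are this example's assumptions, since the page does not state them: a schedule is treated as active from its start up to but not including its stop, and a recurring stop time earlier than the start time is treated as a window that runs past midnight.

```python
from datetime import datetime, time

YEAR_MIN, YEAR_MAX = 1900, 2999   # range the StartDate/StopDate Year field accepts


def _to_datetime(stamp):
    """stamp = (year, month, day, hour, minute) as typed into the Date/Time fields.
    datetime() itself rejects out-of-range months, days, hours and minutes and
    impossible dates such as February 31; the year range is checked explicitly."""
    year, month, day, hour, minute = stamp
    if not YEAR_MIN <= year <= YEAR_MAX:
        raise ValueError(f"year {year} outside {YEAR_MIN}-{YEAR_MAX}")
    return datetime(year, month, day, hour, minute)


def validate_one_time(start, stop):
    """Return (start, stop) datetimes for a one-time schedule, or raise ValueError."""
    s, e = _to_datetime(start), _to_datetime(stop)
    if e <= s:
        raise ValueError("stop date/time must be after start date/time")
    return s, e


def is_valid_one_time(start, stop):
    try:
        validate_one_time(start, stop)
        return True
    except (ValueError, TypeError):
        return False


def one_time_active(start, stop, now):
    """now is the ZyWALL's current date and time as a (y, m, d, hh, mm) tuple.
    Assumption: active from start up to, but not including, stop."""
    s, e = validate_one_time(start, stop)
    return s <= _to_datetime(now) < e


def recurring_active(start_hm, stop_hm, now):
    """start_hm/stop_hm are (hour, minute); Year, Month and Day are not used.
    Assumption: a stop time earlier than the start time runs past midnight."""
    s, e, t = time(*start_hm), time(*stop_hm), _to_datetime(now).time()
    if s == e:
        raise ValueError("start and stop time are identical")
    if s < e:
        return s <= t < e
    return t >= s or t < e


if __name__ == "__main__":
    maintenance = ((2010, 3, 1, 22, 0), (2010, 3, 2, 2, 0))   # constructed one-time window
    print("one-time active at 23:30:", one_time_active(*maintenance, (2010, 3, 1, 23, 30)))
    print("Feb 31 accepted:", is_valid_one_time((2010, 2, 31, 0, 0), (2010, 3, 1, 0, 0)))
    print("night window active at 01:15:", recurring_active((22, 0), (6, 0), (2010, 3, 2, 1, 15)))
```

Because both schedule types key off the device clock, a rule that appears to misfire is as likely a time-synchronization problem as a schedule problem; checking the ZyWALL's current date and time (Section 50.3) against the evaluation above is the quickest way to tell the two apart.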
CHAPTER 44 AAA Server
44.1 Overview
You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The AAA server can be an Active Directory, LDAP, or RADIUS server. Use the AAA Server screens to create and manage objects that contain settings for using AAA servers. You use AAA server objects in configuring ext-group-user user objects and authentication method objects (see Chapter 45 on page 759).
44.1.
44.1.2 RADIUS Server
RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external server instead of (or in addition to) an internal device user database that is limited to the memory capacity of the device. In essence, RADIUS authentication allows you to validate a large number of users from a central location.
Figure 505 RADIUS Server Network Example
44.1.
• Use the Configuration > Object > AAA Server > RADIUS screen (Section 44.3 on page 755) to configure the default external RADIUS server to use for user authentication.
44.1.5 What You Need To Know
AAA Servers Supported by the ZyWALL
The following lists the types of authentication server the ZyWALL supports.
organizational boundaries. The following figure shows a basic directory structure branching from countries to organizations to organizational units to individuals.
Figure 506 Basic Directory Structure (a tree from Root through Countries, Organizations and Organization Units down to individuals, each identified by a unique Common Name (cn))
Distinguished Name (DN)
A DN uniquely identifies an entry in a directory. A DN consists of attribute-value pairs separated by commas.
• See Section 7.8 on page 153 for an example of how to use a RADIUS server to authenticate user accounts based on groups.
44.2 Active Directory or LDAP Server Summary
Use the Active Directory or LDAP screen to manage the list of AD or LDAP servers the ZyWALL can use in authenticating users. Click Configuration > Object > AAA Server > Active Directory (or LDAP) to display the Active Directory (or LDAP) screen.
following screen. Use this screen to create a new AD or LDAP entry or edit an existing one.
Figure 508 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add
The following table describes the labels in this screen.
Table 212 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add
Name: Enter a descriptive name (up to 63 alphanumerical characters) for identification purposes.
Base DN: Specify the directory (up to 127 alphanumerical characters). For example, o=ZyXEL, c=US.
Use SSL: Select Use SSL to establish a secure connection to the AD or LDAP server(s).
Search time limit: Specify the timeout period (between 1 and 300 seconds) before the ZyWALL disconnects from the AD or LDAP server. In this case, user authentication fails.
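The following Python script is an added example, not code from the ZyXEL guide or the ZyWALL. It takes the description above literally, a DN is a list of attribute-value pairs separated by commas, and works through the cases that a naive split on commas gets wrong: a comma or other special character escaped with a backslash, a hex escape such as \2C, a multi-valued RDN joined with +, and unescaped spaces around separators. The escaping rules follow RFC 4514 (DN strings) and RFC 4515 (search filters); the filter escape is this example's addition for the value a gateway places into a search filter when it looks up an ext-user or ext-group-user name, and the Base DN o=ZyXEL, c=US is the one the table gives.

```python
# Characters RFC 4514 allows to be escaped with a single backslash in a DN value.
_DN_SPECIAL = set(' ,+"\\<>;=#')
_HEX = set("0123456789abcdefABCDEF")


def parse_dn(dn):
    """Parse a string DN into a list of RDNs, each a list of (type, value) pairs.
    Attribute types are lower-cased; values are returned with escapes resolved."""
    if not dn.strip():
        return []                        # the empty DN names the root
    rdns, rdn = [], []
    attr, buf, trail = None, bytearray(), 0   # trail = trailing unescaped spaces

    def flush():
        nonlocal attr, buf, trail
        if attr is None:
            raise ValueError("RDN without '='")
        rdn.append((attr, bytes(buf[:len(buf) - trail]).decode("utf-8")))
        attr, buf, trail = None, bytearray(), 0

    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if c == "\\":
            if i + 1 >= n:
                raise ValueError("dangling backslash")
            nxt = dn[i + 1]
            if nxt in _DN_SPECIAL:       # \, \+ \" \\ ... stand for the character itself
                buf.extend(nxt.encode("utf-8"))
                i += 2
            else:                        # \XX is one byte of the UTF-8 value
                pair = dn[i + 1:i + 3]
                if len(pair) != 2 or not set(pair) <= _HEX:
                    raise ValueError(f"bad escape \\{pair}")
                buf.append(int(pair, 16))
                i += 3
            trail = 0
        elif c == "=" and attr is None:
            attr = bytes(buf[:len(buf) - trail]).decode("utf-8").lower()
            if not attr:
                raise ValueError("empty attribute type")
            buf, trail = bytearray(), 0
            i += 1
        elif c in ",+":                  # ',' ends the RDN, '+' ends one of its values
            flush()
            if c == ",":
                rdns.append(rdn)
                rdn = []
            i += 1
        elif c == " " and not buf:       # leading unescaped space is not part of a value
            i += 1
        else:
            buf.extend(c.encode("utf-8"))
            trail = trail + 1 if c == " " else 0
            i += 1
    flush()
    rdns.append(rdn)
    return rdns


def is_valid_dn(dn):
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


def escape_dn_value(value):
    """Escape an attribute value for placement in a DN (RFC 4514 section 2.4)."""
    out, last = [], len(value) - 1
    for idx, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and idx == 0) or (ch == " " and idx in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.extend(f"\\{b:02X}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def format_dn(rdns):
    return ",".join("+".join(f"{t}={escape_dn_value(v)}" for t, v in rdn) for rdn in rdns)


def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515), e.g. a user name
    inserted into (uid=...), so that filter metacharacters stay literal."""
    return "".join(chr(b) if b < 0x80 and chr(b) not in "*()\\\x00" else f"\\{b:02x}"
                   for b in value.encode("utf-8"))


if __name__ == "__main__":
    print(parse_dn("o=ZyXEL, c=US"))
    print(parse_dn(r"cn=Smith\, John,ou=RD+o=ZyXEL"))
    print(escape_filter_value("bob)(uid=*"))
```

The filter escape is the check to keep in mind when a device or script builds its own lookup from a typed user name: a name the directory would happily store can still carry characters that change the meaning of a search filter unless they are escaped first.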
Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen.
Figure 509 Configuration > Object > AAA Server > RADIUS
The following table describes the labels in this screen.
Table 213 Configuration > Object > AAA Server > RADIUS
Add: Click this to create a new entry.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove: To remove an entry, select it and click Remove.
44.3.1 Adding a RADIUS Server
Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen. Click the Add icon or an Edit icon to display the following screen. Use this screen to create a new AD or LDAP entry or edit an existing one.
Figure 510 Configuration > Object > AAA Server > RADIUS > Add
The following table describes the labels in this screen.
Table 214 Configuration > Object > AAA Server > RADIUS > Add (continued)
Timeout: Specify the timeout period (between 1 and 300 seconds) before the ZyWALL disconnects from the RADIUS server. In this case, user authentication fails. Search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down.
CHAPTER 45 Authentication Method
45.1 Overview
Authentication method objects set how the ZyWALL authenticates wireless, HTTP/HTTPS clients, peer IPSec routers (extended authentication), and L2TP VPN clients. Configure authentication method objects to have the ZyWALL use the local user database, and/or the authentication servers and authentication server groups specified by AAA server objects. By default, user accounts created and stored on the ZyWALL are authenticated locally.
45.1.
3 Select Server Mode and select an authentication method object from the drop-down list box.
4 Click OK to save the settings.
Figure 511 Example: Using Authentication Method in VPN
45.2 Authentication Method Objects
Click Configuration > Object > Auth. Method to display the screen as shown.
Note: You can create up to 16 authentication method objects.
Figure 512 Configuration > Object > Auth. Method
The following table describes the labels in this screen.
Table 215 Configuration > Object > Auth. Method (continued)
Method List: This field displays the authentication method(s) for this entry.
Add icon: Click Add to add a new entry. Click Edit to edit the settings of an entry. Click Delete to remove an entry.
45.2.1 Creating an Authentication Method Object
Follow the steps below to create an authentication method object.
1 Click Configuration > Object > Auth. Method.
2 Click Add.
7 Click OK to save the settings or click Cancel to discard all changes and return to the previous screen.
Figure 513 Configuration > Object > Auth. Method > Add
The following table describes the labels in this screen.
Table 216 Configuration > Object > Auth. Method > Add
Name: Specify a descriptive name for identification purposes. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
Add icon: Click Add to add a new entry. Click Edit to edit the settings of an entry. Click Delete to delete an entry.
OK: Click OK to save the changes.
Cancel: Click Cancel to discard the changes.
CHAPTER 46 Certificates
46.1 Overview
The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.
46.1.1 What You Can Do in this Chapter
• Use the My Certificate screens (see Section 46.2 on page 769 to Section 46.2.
2 Tim keeps the private key and makes the public key openly available. This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not.
3 Tim uses his private key to sign the message and sends it to Jenny.
4 Jenny receives the message and uses Tim’s public key to verify it.
Factory Default Certificate
The ZyWALL generates its own unique self-signed certificate when you first turn it on. This certificate is referred to in the GUI as the factory default certificate.
Certificate File Formats
Any certificate that you want to import has to be in one of these file formats:
• Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
• PEM (Base-64) encoded X.
2 Make sure that the certificate has a “.cer” or “.crt” file name extension.
Figure 514 Remote Host Certificates
3 Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.
Figure 515 Certificate Details
4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields.
46.2 The My Certificates Screen
Click Configuration > Object > Certificate > My Certificates to open the My Certificates screen. This is the ZyWALL’s summary list of certificates and certification requests.
Figure 516 Configuration > Object > Certificate > My Certificates
The following table describes the labels in this screen.
Table 217 Configuration > Object > Certificate > My Certificates (continued)
Type: This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request. SELF represents a self-signed certificate.
ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.
The following table describes the labels in this screen.
Table 218 Configuration > Object > Certificate > My Certificates > Add
Name: Type a name to identify this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
Subject Information: Use these fields to record information that identifies the owner of the certificate.
Create a certification request and save it locally for later manual enrollment: Select this to have the ZyWALL generate and store a request for a certificate. Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority.
Table 218 Configuration > Object > Certificate > My Certificates > Add (continued)
Request Authentication: When you select Create a certification request and enroll for a certificate immediately online, the certification authority may want you to include a reference number and key to identify you when you send a certification request. Fill in both the Reference Number and the Key fields if your certification authority uses the CMP enrollment protocol.
46.2.2 The My Certificates Edit Screen
Click Configuration > Object > Certificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate’s name.
The following table describes the labels in this screen.
Table 219 Configuration > Object > Certificate > My Certificates > Edit
Name: This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
Certification Path: This field displays for a certificate, not a certification request.
Key Algorithm: This field displays the type of algorithm that was used to generate the certificate’s key pair (the ZyWALL uses RSA encryption) and the length of the key set in bits (1024 bits for example).
Subject Alternative Name: This field displays the certificate owner’s IP address (IP), domain name (DNS) or e-mail address (EMAIL).
OK: Click OK to save your changes back to the ZyWALL. You can only change the name.
Cancel: Click Cancel to quit and return to the My Certificates screen.
46.2.3 The My Certificates Import Screen
Click Configuration > Object > Certificate > My Certificates > Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the ZyWALL.
Table 220 Configuration > Object > Certificate > My Certificates > Import (continued)
Password: This field only applies when you import a binary PKCS#12 format file. Type the file’s password that was created when the PKCS #12 file was exported.
OK: Click OK to save the certificate on the ZyWALL.
Cancel: Click Cancel to quit and return to the My Certificates screen.
46.
Table 221 Configuration > Object > Certificate > Trusted Certificates (continued)
Object References: You cannot delete certificates that any of the ZyWALL’s features are configured to use. Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 13.3.2 on page 303 for an example.
#: This field displays the certificate index number. The certificates are listed in alphabetical order.
authority’s list of revoked certificates before trusting a certificate issued by the certification authority.
The following table describes the labels in this screen.
Table 222 Configuration > Object > Certificate > Trusted Certificates > Edit
Name: This field displays the identifying name of this certificate. You can change the name. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
Type: This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate’s owner signed the certificate (not a certification authority). X.509 means that this certificate was created and signed according to the ITU-T X.
SHA1 Fingerprint: This is the certificate’s message digest that the ZyWALL calculated using the SHA1 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate.
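The following Python script is an added example, not code from the ZyXEL guide or the ZyWALL; it runs offline with the standard library only. It ties together two passages of this chapter: the two import formats (Binary X.509 and PEM Base-64 encoded X.509) and the SHA1 Fingerprint shown in the Trusted Certificates Edit screen, which is the same SHA1-over-DER value Windows shows as the Thumbprint in the remote host procedure earlier in the chapter. The script accepts either file format, computes the fingerprint, and compares it in constant time against the value obtained out of band (from the certification authority over the phone, for example), tolerating differences in case, colons and spaces. The sample bytes are constructed to look like the start of a DER SEQUENCE and are not a real certificate; SHA-256 output is included as this example's addition for the case where the other party quotes a stronger digest.

```python
import base64
import hashlib
import hmac
import re

# Armor of a "PEM (Base-64) encoded X.509" file; \1 requires matching BEGIN/END labels.
_PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def pem_to_der(pem):
    """Strip the PEM armor and Base-64 decode the body into DER bytes."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    body = b"".join(m.group(2).split())           # remove line breaks
    return base64.b64decode(body, validate=True)  # reject stray characters


def der_to_pem(der, label=b"CERTIFICATE"):
    """Wrap DER bytes in PEM armor with 64-character Base-64 lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN " + label + b"-----\n" + b"\n".join(lines)
            + b"\n-----END " + label + b"-----\n")


def load_certificate_bytes(data):
    """Accept either import format the chapter lists and return the DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return pem_to_der(data)
    if not data or data[0] != 0x30:               # a DER certificate is a SEQUENCE
        raise ValueError("file is neither PEM nor binary X.509 (DER)")
    return data


def fingerprint(der, algorithm="sha1"):
    """Colon-separated upper-case digest of the DER bytes. With sha1 this is the
    ZyWALL's SHA1 Fingerprint and the Windows Thumbprint of the same certificate."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(computed, expected):
    """Compare the device's value with the one obtained out of band, ignoring
    case, colons and spaces, in constant time."""
    a = re.sub(r"[^0-9a-f]", "", computed.lower())
    b = re.sub(r"[^0-9a-f]", "", expected.lower())
    return len(a) == len(b) and hmac.compare_digest(a, b)


# Constructed sample: 48 bytes shaped like a DER SEQUENCE header, not a real certificate.
CONSTRUCTED_DER = bytes([0x30, 0x2E]) + bytes(range(46))
CONSTRUCTED_PEM = der_to_pem(CONSTRUCTED_DER)

if __name__ == "__main__":
    der = load_certificate_bytes(CONSTRUCTED_PEM)
    print("SHA1   :", fingerprint(der))
    print("SHA256 :", fingerprint(der, "sha256"))
    print("matches itself:", fingerprint_matches(fingerprint(der), fingerprint(der).lower()))
```

To use it on a real file, read the .cer or .crt file in binary mode, pass the bytes to load_certificate_bytes, and compare fingerprint() against the value the other party gives you; a match on the fingerprint is what tells you the certificate you are about to import into Trusted Certificates is theirs.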
The following table describes the labels in this screen.
Table 223 Configuration > Object > Certificate > Trusted Certificates > Import
File Path: Type in the location of the file you want to upload in this field or click Browse to find it. You cannot import a certificate with the same name as a certificate that is already in the ZyWALL.
Browse: Click Browse to find the certificate file you want to upload.
OK: Click OK to save the certificate on the ZyWALL.
Chapter 46 Certificates 786 ZyWALL USG 300 User’s Guide
CHAPTER 47 ISP Accounts 47.1 Overview Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE/PPTP interfaces. An ISP account is a profile of settings for Internet access using PPPoE or PPTP. Finding Out More • See Section 13.4 on page 304 for information about PPPoE/PPTP interfaces. • See Section 6.6 on page 110 for related information on these screens. 47.1.1 What You Can Do in this Chapter Use the Object > ISP Account screens (Section 47.
The following table describes the labels in this screen. See the ISP Account Edit section below for more information as well. Table 224 Configuration > Object > ISP Account LABEL DESCRIPTION Add Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.
The following table describes the labels in this screen. Table 225 Configuration > Object > ISP Account > Edit LABEL DESCRIPTION Profile Name This field is read-only if you are editing an existing account. Type in the profile name of the ISP account. The profile name is used to refer to the ISP account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Table 225 Configuration > Object > ISP Account > Edit (continued) LABEL DESCRIPTION Compression Select On to turn on Stac compression, or Off to turn it off. Stac compression is a data compression technique capable of compressing data by a factor of about four. Idle Timeout This value specifies the number of seconds that must elapse without outbound traffic before the ZyWALL automatically disconnects from the PPPoE/PPTP server.
CHAPTER 48 SSL Application 48.1 Overview You use SSL application objects in SSL VPN. Configure an SSL application object to specify the type of application and the address of the local computer, server, or web site SSL users are to be able to access. You can apply one or more SSL application objects in the VPN > SSL VPN screen for a user account/user group. 48.1.1 What You Can Do in this Chapter • Use the SSL Application screen (Section 48.
Remote Desktop Connections Use SSL VPN to allow remote users to manage LAN computers. Depending on the functions supported by the remote desktop software, they can install or remove software, run programs, change settings, and open, copy, create, and delete files. This is useful for troubleshooting, support, administration, and remote access to files and programs.
2 Click the Add button and select Web Application in the Type field. In the Server Type field, select Web Server. Enter a descriptive name in the Display Name field. For example, “CompanyIntranet”. In the Address field, enter “http://info”. Select Web Page Encryption to prevent users from saving the web content. Click Apply to save the settings. The configuration screen should look similar to the following figure.
The following table describes the labels in this screen. Table 226 Configuration > Object > SSL Application LABEL DESCRIPTION Add Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.
The following table describes the labels in this screen. Table 227 Configuration > Object > SSL Application > Add/Edit: Web Application LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings This displays for VNC or RDP type web application objects. Click this button to display a greater or lesser number of configuration fields. Create new Object Use this to configure any new settings objects that you need to use in this screen.
Table 227 Configuration > Object > SSL Application > Add/Edit: Web Application (continued) LABEL DESCRIPTION Server Address(es) This field displays if the Server Type is set to RDP or VNC. Specify the IP address or Fully-Qualified Domain Name (FQDN) of the computer(s) that you want to allow the remote users to manage. Starting Port This field displays if the Server Type is set to RDP or VNC.
The following table describes the labels in this screen. Table 228 Configuration > Object > SSL Application > Add/Edit: File Sharing LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen. Object Type Select File Sharing to create a file share application for SSL VPN. File Sharing Name Enter a descriptive name to identify this object. You can enter up to 31 characters (“0-9”, “a-z”, “A-Z”, “-” and “_”).
CHAPTER 49 Endpoint Security 49.1 Overview Use Endpoint Security (EPS), also known as endpoint control, to make sure users’ computers comply with defined corporate policies before they can access the network or an SSL VPN tunnel. After a successful user authentication, a user’s computer must meet the endpoint security object’s Operating System (OS) option and security requirements to gain access.
49.1.1 What You Can Do in this Chapter Use the Configuration > Object > Endpoint Security screens (Section 49.2 on page 801) to create and manage endpoint security objects. 49.1.2 What You Need to Know What Endpoint Security Can Check The settings endpoint security can check vary depending on the OS of the user’s computer.
49.2 Endpoint Security Screen The Endpoint Security screen displays the endpoint security objects you have configured on the ZyWALL. Click Configuration > Object > Endpoint Security to display the screen. Figure 531 Configuration > Object > Endpoint Security The following table gives an overview of the objects you can configure. Table 229 Configuration > Object > Endpoint Security LABEL DESCRIPTION Add Click this to create a new entry.
Table 229 Configuration > Object > Endpoint Security (continued) LABEL DESCRIPTION Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings.
49.3 Endpoint Security Add/Edit Click Configuration > Object > Endpoint Security and then the Add (or Edit) icon to open the Endpoint Security Edit screen. Use this screen to configure an endpoint security object.
Figure 532 Configuration > Object > Endpoint Security > Add
The following table gives an overview of the objects you can configure. Table 230 Configuration > Object > Endpoint Security > Add LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields. General Setup Object Name Specify a descriptive name for identification purposes. You can enter up to 31 characters (“0-9”, “a-z”, “A-Z”, “-”, “_” with no spaces allowed).
Table 230 Configuration > Object > Endpoint Security > Add (continued) LABEL DESCRIPTION Checking Item - Personal Firewall If you selected Windows as the operating system, you can select whether or not the user’s computer is required to have personal firewall software installed. Move the permitted personal firewalls from the Available list to the Allowed Personal Firewall List. Use the [Shift] and/or [Ctrl] key to select multiple entries.
Table 230 Configuration > Object > Endpoint Security > Add (continued) LABEL DESCRIPTION Checking Item - File Information If you selected Windows or Linux as the operating system, you can use this table to check details of specific files on the user’s computer.
CHAPTER 50 System 50.1 Overview Use the system screens to configure general ZyWALL settings. 50.1.1 What You Can Do in this Chapter • Use the System > Host Name screen (see Section 50.2 on page 810) to configure a unique name for the ZyWALL in your network. • Use the System > Date/Time screen (see Section 50.3 on page 811) to configure the date and time for the ZyWALL. • Use the System > Console Speed screen (see Section 50.
• Connect an external serial modem to the AUX port to provide a management connection in case the ZyWALL’s other WAN connections are down. Use the System > Dial-in Mgmt. screen (see Section 50.11 on page 853) to configure the external serial modem. • Vantage CNM (Centralized Network Management) is a browser-based global management tool that allows an administrator to manage ZyXEL devices. Use the System > Vantage CNM screen (see Section 50.
50.3 Date and Time For effective scheduling and logging (and for checking certificate validity periods), the ZyWALL system time must be accurate. The ZyWALL’s Real Time Clock (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server. To change your ZyWALL’s time based on your local time zone and date, click Configuration > System > Date/Time. The screen displays as shown.
Table 232 Configuration > System > Date and Time (continued) LABEL DESCRIPTION Manual Select this radio button to enter the time and date manually. If you configure a new time and date, time zone and daylight saving at the same time, the time zone and daylight saving will affect the new time and date you entered. When you enter the time settings manually, the ZyWALL uses the new setting once you click Apply.
Table 232 Configuration > System > Date and Time (continued) LABEL DESCRIPTION End Date Configure the day and time when Daylight Saving Time ends if you selected Enable Daylight Saving. The at field uses the 24 hour format. Here are a couple of examples: Daylight Saving Time ends in the United States on the first Sunday of November. Each time zone in the United States stops using Daylight Saving Time at 2 A.M. local time.
50.3.2 Time Server Synchronization Click the Synchronize Now button to get the time and date from the time server you specified in the Time Server Address field. When the Please Wait... screen appears, you may have to wait up to one minute. Figure 535 Synchronization in Process The Current Time and Current Date fields will display the appropriate settings if the synchronization is successful. If the synchronization was not successful, a log displays in the View Log screen.
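What Synchronize Now does on the wire, as an added example that is not ZyWALL firmware code: build the 48-byte NTP client request, decode the server’s reply, convert the 1900-based NTP timestamp to Unix time and compute the clock offset, and refuse replies that should not be trusted (not a server reply, stratum 0 kiss-o’-death, server clock unsynchronised, zero transmit timestamp). The reply is constructed with make_reply so that the example runs offline; query_time_server is the only part that touches the network and is not called automatically.

```python
"""NTP (RFC 5905) client request/reply handling (added example, not ZyXEL code)."""
import socket
import struct

NTP_EPOCH_OFFSET = 2_208_988_800              # seconds between 1900-01-01 and 1970-01-01
NTP_PACKET = struct.Struct("!BBbbIII8s8s8s8s")  # 48-byte NTP header


def ntp_timestamp(unix: float) -> bytes:
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds since 1900, 32-bit fraction)."""
    whole = int(unix)
    return struct.pack("!II", whole + NTP_EPOCH_OFFSET, int(round((unix - whole) * 2**32)))


def unix_time(ts: bytes) -> float:
    seconds, fraction = struct.unpack("!II", ts)
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def build_request(sent_at: float) -> bytes:
    """Client request: LI=0, VN=3, Mode=3; the transmit field carries our send time (t1)."""
    li_vn_mode = (0 << 6) | (3 << 3) | 3
    return NTP_PACKET.pack(li_vn_mode, 0, 0, 0, 0, 0, 0,
                           b"\0" * 8, b"\0" * 8, b"\0" * 8, ntp_timestamp(sent_at))


def make_reply(orig: float, recv: float, xmit: float, stratum: int = 2, leap: int = 0) -> bytes:
    """Constructed server reply (not captured traffic) so the example runs offline."""
    li_vn_mode = (leap << 6) | (3 << 3) | 4          # mode 4 = server
    return NTP_PACKET.pack(li_vn_mode, stratum, 6, -20, 0, 0,
                           int.from_bytes(b"GPS\0", "big"),
                           ntp_timestamp(recv), ntp_timestamp(orig),
                           ntp_timestamp(recv), ntp_timestamp(xmit))


def parse_reply(packet: bytes) -> dict:
    """Decode a reply and reject anything that must not be used to set the clock."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    (li_vn_mode, stratum, _poll, _prec, _delay, _disp, ref_id,
     _ref_ts, orig_ts, recv_ts, xmit_ts) = NTP_PACKET.unpack(packet[:48])
    leap, version, mode = li_vn_mode >> 6, (li_vn_mode >> 3) & 7, li_vn_mode & 7
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if stratum == 0:   # kiss-o'-death: reference ID holds an ASCII code such as RATE or DENY
        raise ValueError("kiss-o'-death from server: %r" % ref_id.to_bytes(4, "big"))
    if leap == 3:
        raise ValueError("server clock is not synchronised (LI=3)")
    if xmit_ts == b"\0" * 8:
        raise ValueError("zero transmit timestamp")
    return {"version": version, "stratum": stratum,
            "orig": unix_time(orig_ts), "recv": unix_time(recv_ts), "xmit": unix_time(xmit_ts)}


def clock_offset(reply: dict, received_at: float) -> tuple:
    """(offset, round-trip delay) from t1..t4 as defined in RFC 5905."""
    t1, t2, t3, t4 = reply["orig"], reply["recv"], reply["xmit"], received_at
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def reply_is_usable(packet: bytes) -> bool:
    try:
        parse_reply(packet)
        return True
    except ValueError:
        return False


def query_time_server(host: str, timeout: float = 3.0) -> tuple:
    """Live query over UDP/123 (network); returns (offset, delay) in seconds."""
    import time
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sent_at = time.time()
        sock.sendto(build_request(sent_at), (host, 123))
        data, _ = sock.recvfrom(48)
        return clock_offset(parse_reply(data), time.time())
```

A practitioner’s reason to keep the checks in parse_reply: a reply the ZyWALL would log as an unsuccessful synchronization is exactly one of those rejected cases, and silently accepting a stratum-0 or unsynchronised answer would skew every log timestamp and every certificate validity check that follows.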
5 Under Time and Date Setup, enter a Time Server Address (Table 233 on page 813). 6 Click Apply. 50.4 Console Port Speed This section shows you how to set the console port speed when you connect to the ZyWALL via the console port using a terminal emulation program. See Table 2 on page 36 for default console port settings. Click Configuration > System > Console Speed to open the Console Speed screen.
50.5.1 DNS Server Address Assignment The ZyWALL can get the DNS server addresses in the following ways. • The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, manually enter them in the DNS server fields. • If your ISP dynamically assigns the DNS server IP addresses (along with the ZyWALL’s WAN IP address), set the DNS server fields to get the DNS server address from the ISP.
The following table describes the labels in this screen. Table 235 Configuration > System > DNS LABEL DESCRIPTION Address/PTR Record This record specifies the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain.
Table 235 Configuration > System > DNS (continued) LABEL DESCRIPTION DNS Server This is the IP address of a DNS server. This field displays N/A if you have the ZyWALL get a DNS server IP address from the ISP dynamically but the specified interface is not active. Query Via This is the interface through which the ZyWALL sends DNS queries to the entry’s DNS server. If the ZyWALL connects through a VPN tunnel, tunnel displays.
50.5.3 Address Record An address record contains the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com” is the top level domain. mail.myZyXEL.com.tw is also an FQDN, where “mail” is the host, “myZyXEL” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain.
The following table describes the labels in this screen. Table 236 Configuration > System > DNS > Address/PTR Record Edit LABEL DESCRIPTION FQDN Type a Fully-Qualified Domain Name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top-level domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain.
The following table describes the labels in this screen. Table 237 Configuration > System > DNS > Domain Zone Forwarder Add LABEL DESCRIPTION Domain Zone A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. Whenever the ZyWALL needs to resolve a zyxel.com.tw domain name, it can send the query to the recorded name server IP address.
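How the settings in the DNS screen fit together, as an added example (not ZyXEL code) covering both the Address/PTR records of Section 50.5.3 and the Domain Zone Forwarder above: a query is answered from a local address record (or its PTR counterpart) first; otherwise it is forwarded to the name server of the most specific domain zone that contains the name, with “*” as the catch-all. The records, zones and server addresses are constructed. The one detail worth copying is in_zone: the zone match is made on a label boundary, so that zone example.com never captures a query for notexample.com.

```python
"""Local records first, then most-specific zone forwarder (added example, not ZyXEL code)."""
import ipaddress

# Constructed entries resembling Configuration > System > DNS (not a real deployment)
ADDRESS_RECORDS = {                      # Address/PTR records: FQDN -> IP address
    "www.example.com": "192.168.1.10",
    "mail.example.com": "192.168.1.20",
}
ZONE_FORWARDERS = [                      # (domain zone, name server, query via)
    ("corp.example.com", "10.0.0.53", "tunnel"),
    ("example.com", "192.168.1.53", "lan1"),
    ("*", "203.0.113.1", "wan1"),        # default forwarder for everything else
]


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


def zone_of(fqdn: str) -> str:
    """The domain zone is the FQDN without its host label (www.zyxel.com.tw -> zyxel.com.tw)."""
    labels = normalize(fqdn).split(".")
    return ".".join(labels[1:])


def in_zone(name: str, zone: str) -> bool:
    """Label-boundary suffix match: 'notexample.com' must not match zone 'example.com'."""
    if zone == "*":
        return True
    name, zone = normalize(name), normalize(zone)
    return name == zone or name.endswith("." + zone)


def resolve(qname: str, qtype: str = "A") -> dict:
    """Decide where a query is answered: local record, or which forwarder gets it."""
    name = normalize(qname)
    if qtype == "A":
        for fqdn, ip in ADDRESS_RECORDS.items():
            if normalize(fqdn) == name:
                return {"source": "address record", "answer": ip}
    elif qtype == "PTR":
        for fqdn, ip in ADDRESS_RECORDS.items():
            if ipaddress.ip_address(ip).reverse_pointer == name:
                return {"source": "ptr record", "answer": normalize(fqdn)}
    # Otherwise forward to the most specific matching zone; '*' is the least specific.
    best = None
    for zone, server, via in ZONE_FORWARDERS:
        if in_zone(name, zone):
            specificity = -1 if zone == "*" else len(normalize(zone))
            if best is None or specificity > best[0]:
                best = (specificity, zone, server, via)
    if best is None:
        return {"source": "none", "answer": None}
    return {"source": "zone forwarder", "zone": best[1], "forward_to": best[2], "via": best[3]}
```

The “via” value matters for security as much as the server address: a forwarder reached through a VPN tunnel keeps internal names off the WAN, while the “*” entry is what leaks every other lookup to the ISP or whichever resolver you configured there.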
50.5.9 Adding an MX Record Click the Add icon in the MX Record table to add an MX record. Figure 540 Configuration > System > DNS > MX Record Add The following table describes the labels in this screen. Table 238 Configuration > System > DNS > MX Record Add LABEL DESCRIPTION Domain Name Enter the domain name where the mail is destined for.
The following table describes the labels in this screen. Table 239 Configuration > System > DNS > Service Control Rule Add LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen. Address Object Select ALL to allow or deny any computer to send DNS queries to the ZyWALL. Select a predefined address object to just allow or deny the computer with the IP address that you specified to send DNS queries to the ZyWALL.
• See To-ZyWALL Rules on page 451 for more on To-ZyWALL firewall rules. • See Section 7.10 on page 158 for an example of configuring service control to block administrator HTTPS access from all zones except the LAN. To stop a service from accessing the ZyWALL, clear Enable in the corresponding service screen. 50.6.1 Service Access Limitations A service cannot be used to access the ZyWALL when: 1 You have disabled that service in the corresponding screen.
It relies upon certificates, public keys, and private keys (see Chapter 46 on page 765 for more information). HTTPS on the ZyWALL is used so that you can securely access the ZyWALL using the Web Configurator.
Note: Admin Service Control deals with management access (to the Web Configurator). User Service Control deals with user access to the ZyWALL (logging into SSL VPN for example). Figure 544 Configuration > System > WWW > Service Control The following table describes the labels in this screen.
Table 240 Configuration > System > WWW > Service Control (continued) LABEL DESCRIPTION Server Port The HTTPS server listens on port 443 by default. If you change the HTTPS server port to a different number on the ZyWALL, for example 8443, then you must notify people who need to access the ZyWALL Web Configurator to use “https://ZyWALL IP Address:8443” as the URL.
Table 240 Configuration > System > WWW > Service Control (continued) LABEL DESCRIPTION HTTP Enable Select the check box to allow, or clear it to disallow, computers whose IP addresses match the Service Control table to access the ZyWALL Web Configurator using HTTP connections. Server Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service to access the ZyWALL.
Table 240 Configuration > System > WWW > Service Control (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. 50.6.5 Service Control Rules Click Add or Edit in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to add a service control rule. Figure 545 Configuration > System > Service Control Rule > Edit The following table describes the labels in this screen.
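The service control rule list used by the WWW, SSH, Telnet, FTP and SNMP screens is evaluated the same way in each case: rules are tried in order, the first one whose zone and address object match the incoming connection decides, and the non-editable default policy applies only when nothing matched; a disabled service is unreachable regardless of its rules (Section 50.6.1). The following added example (not ZyXEL code) models that evaluation. Zones, address objects, ports and rule lists are constructed; the HTTPS list reproduces the Section 7.10 example of allowing administrator HTTPS from the LAN only, and Telnet and FTP are left disabled as the SSH section recommends.

```python
"""Service control rule evaluation (added example, not ZyXEL code)."""
import ipaddress
from dataclasses import dataclass

# Constructed address objects (Configuration > Object > Address): name -> networks
ADDRESS_OBJECTS = {
    "ALL": None,                                # any source address
    "LAN1_SUBNET": ["192.168.1.0/24"],
    "Admin_PC": ["192.168.1.33/32"],
}


@dataclass(frozen=True)
class Rule:
    zone: str       # "ALL" or a zone name (LAN, WAN, DMZ, ...)
    address: str    # address object name; "ALL" matches any source IP
    action: str     # "accept" or "deny"


# Constructed per-service settings; the order of each rule list is the evaluation order.
SERVICES = {
    # Section 7.10 example: administrator HTTPS from the LAN only
    "HTTPS": {"enabled": True, "port": 8443,
              "rules": [Rule("LAN", "ALL", "accept")], "default": "deny"},
    # SSH: only the admin PC on the LAN; an explicit catch-all deny precedes the default
    "SSH": {"enabled": True, "port": 22,
            "rules": [Rule("LAN", "Admin_PC", "accept"), Rule("ALL", "ALL", "deny")],
            "default": "accept"},
    # Telnet and FTP disabled entirely
    "TELNET": {"enabled": False, "port": 23, "rules": [], "default": "accept"},
    "FTP": {"enabled": False, "port": 21, "rules": [], "default": "accept"},
}


def address_matches(obj_name: str, src_ip: str) -> bool:
    nets = ADDRESS_OBJECTS[obj_name]
    if nets is None:
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def evaluate(rules, default_action: str, zone: str, src_ip: str) -> tuple:
    """First matching rule wins; the default policy applies only when no rule matches.
    Returns (action, reason)."""
    for index, rule in enumerate(rules, start=1):
        if rule.zone not in ("ALL", zone):
            continue
        if not address_matches(rule.address, src_ip):
            continue
        return rule.action, "rule %d" % index
    return default_action, "default policy"


def check_service(service: str, zone: str, src_ip: str) -> tuple:
    """Decide whether a management connection may reach the ZyWALL on this service."""
    cfg = SERVICES[service]
    if not cfg["enabled"]:
        return "deny", "service disabled"
    return evaluate(cfg["rules"], cfg["default"], zone, src_ip)


if __name__ == "__main__":
    for svc, zone, ip in [("HTTPS", "LAN", "192.168.1.50"), ("HTTPS", "WAN", "203.0.113.5"),
                          ("SSH", "LAN", "192.168.1.50"), ("TELNET", "LAN", "192.168.1.33")]:
        print(svc, zone, ip, "->", check_service(svc, zone, ip))
```

The SSH list shows the pattern to prefer when the default policy is accept: end the list with an explicit ALL/ALL deny so that the reachable set is exactly what the accept rules name, rather than relying on the default policy you cannot edit.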
also customize the page that displays after an access user logs into the Web Configurator to access network services like the Internet. See Chapter 40 on page 715 for more on access user accounts.
The following figures identify the parts you can customize in the login and access pages.
• Click Color to display a screen of web-safe colors from which to choose. • Enter the name of the desired color. • Enter a pound sign (#) followed by the six-digit hexadecimal number that represents the desired color. For example, use “#000000” for black. • Enter “rgb” followed by red, green, and blue values in parentheses, separated by commas. For example, use “rgb(0,0,0)” for black.
Table 242 Configuration > System > WWW > Login Page LABEL DESCRIPTION Note Message Enter a note to display below the title. Use up to 64 printable ASCII characters. Spaces are allowed. Window Background Set how the window’s background looks. To use a graphic, select Picture and upload a graphic. Specify the location and file name of the logo graphic or click Browse to locate it. Note: Use a GIF, JPG, or PNG of 100 kilobytes or less.
50.6.7.2 Netscape Navigator Warning Messages When you attempt to access the ZyWALL HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is from the ZyWALL. If Accept this certificate temporarily for this session is selected, then click OK to continue in Netscape.
• The issuing certificate authority of the ZyWALL’s HTTPS server certificate is not one of the browser’s trusted certificate authorities. The issuing certificate authority of the ZyWALL's factory default certificate is the ZyWALL itself since the certificate is a self-signed certificate. • For the browser to trust a self-signed certificate, import the self-signed certificate into your operating system as a trusted certificate.
Apply for a certificate from a Certification Authority (CA) that is trusted by the ZyWALL (see the ZyWALL’s Trusted CA Web Configurator screen). Figure 553 ZyWALL Trusted CA Screen The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s). 50.6.7.5.1 Installing the CA’s Certificate 1 Double click the CA’s trusted certificate to produce a screen similar to the one shown next.
50.6.7.5.2 Installing Your Personal Certificate(s) You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next. 1 Click Next to begin the wizard. Figure 555 Personal Certificate Import Wizard 1 2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box.
3 Enter the password given to you by the CA. Figure 557 Personal Certificate Import Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.
5 Click Finish to complete the wizard and begin the import process. Figure 559 Personal Certificate Import Wizard 5 6 You should see the following screen when the certificate is correctly installed on your computer. Figure 560 Personal Certificate Import Wizard 6 50.6.7.6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS. 1 Enter “https://ZyWALL IP Address/” in your browser’s web address field.
2 When Authenticate Client Certificates is selected on the ZyWALL, the following screen asks you to select a personal certificate to send to the ZyWALL. This screen displays even if you only have a single certificate as in the example. Figure 562 SSL Client Authentication 3 You next see the Web Configurator login screen. Figure 563 Secure Web Configurator Login Screen 50.7 SSH You can use SSH (Secure SHell) to securely access the ZyWALL’s command line interface.
SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. In the following figure, computer A on the Internet uses SSH to securely connect to the WAN port of the ZyWALL for a management session. Figure 564 SSH Communication Over the WAN Example 50.7.
2 Encryption Method Once the identification is verified, both the client and server must agree on the type of encryption method to use. 3 Authentication and Data Transmission After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server. The client then sends its authentication information (user name and password) to the server to log in to the server. 50.7.
Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections. Figure 566 Configuration > System > SSH The following table describes the labels in this screen. Table 243 Configuration > System > SSH LABEL DESCRIPTION Enable Select the check box to allow, or clear it to disallow, computers whose IP addresses match the Service Control table to access the ZyWALL CLI using this service.
Table 243 Configuration > System > SSH (continued) LABEL DESCRIPTION Move To change an entry’s position in the numbered list, select the entry and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed. # This is the index number of the service control rule. Zone This is the zone on the ZyWALL the user is allowed or denied to access.
Enter the password to log in to the ZyWALL. The CLI screen displays next. 50.7.5.2 Example 2: Linux This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distributions. 1 Test whether the SSH service is available on the ZyWALL. Enter “telnet 192.168.1.1 22” at a terminal prompt and press [ENTER]. The computer attempts to connect to port 22 on the ZyWALL (using the default IP address of 192.168.1.1).
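The “telnet 192.168.1.1 22” test works because the first thing an SSH server sends is a plain-text version banner; what the client does next is the host identification step described in Section 50.7, checking the server’s host key against its known_hosts file. The following added example (neither ZyXEL nor OpenSSH code) reads the banner from a byte stream as RFC 4253 section 4.2 requires, derives the two fingerprint forms clients display, and checks a host key against known_hosts entries in both the plain “name,ip” form and the hashed “|1|salt|hash” form OpenSSH writes with HashKnownHosts. The banner bytes, the host key blob and the known_hosts lines are all constructed; the key is not a real key.

```python
"""SSH banner read and known_hosts host-key check (added example, not vendor code)."""
import base64
import hashlib
import hmac
import struct

# Constructed byte stream as received after connecting to port 22; a server may
# send text lines before the version string, which must be ignored.
BANNER_STREAM = b"Welcome to ZyWALL\r\nSSH-2.0-OpenSSH_5.3\r\n\x00\x00\x01\x2c\x08\x14"


def read_banner(stream: bytes) -> str:
    """Return the first CR LF terminated line that starts with 'SSH-'."""
    for line in stream.split(b"\r\n"):
        if len(line) > 253:
            raise ValueError("banner line exceeds the 255-byte limit")
        if line.startswith(b"SSH-"):
            return line.decode("ascii")
    raise ValueError("no SSH version banner")


def protocol_version(banner: str) -> str:
    return banner.split("-", 2)[1]            # "SSH-2.0-OpenSSH_5.3" -> "2.0"


def ssh_string(data: bytes) -> bytes:
    return struct.pack("!I", len(data)) + data


# Constructed host key blob in ssh-ed25519 wire format; NOT a real key.
HOST_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
HOST_KEY_B64 = base64.b64encode(HOST_KEY_BLOB).decode()


def fingerprint_sha256(key_b64: str) -> str:
    """OpenSSH's default display form: SHA256:<unpadded base64 of the digest>."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(key_b64: str) -> str:
    """Legacy colon-separated form shown by older clients such as PuTTY."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def hash_hostname(hostname: str, salt: bytes) -> str:
    """HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_field_matches(field: str, hostname: str) -> bool:
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(hash_hostname(hostname, salt), field)
    return hostname in field.split(",")       # plain "name,ip" form


def check_host_key(known_hosts: str, hostname: str, keytype: str, key_b64: str) -> str:
    """'ok' if an entry for the host carries this key; 'changed' if the host is known
    with a different key (treat as a possible man-in-the-middle); 'unknown' otherwise."""
    status = "unknown"
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith("#"):
            continue
        hosts, ktype, key = parts[0], parts[1], parts[2]
        if ktype != keytype or not host_field_matches(hosts, hostname):
            continue
        if hmac.compare_digest(key, key_b64):
            return "ok"
        status = "changed"
    return status


# Constructed known_hosts: one plain entry and one hashed entry for the same key.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# ZyWALL management addresses",
    "192.168.1.1,zywall.lan ssh-ed25519 " + HOST_KEY_B64,
    hash_hostname("zywall.example.com", bytes(20)) + " ssh-ed25519 " + HOST_KEY_B64,
])
```

Record the ZyWALL’s host key fingerprint from the console or a first connection on the LAN, and treat “changed” as an incident rather than something to click through: the encryption negotiated in step 2 protects the session only from whoever holds the key you just accepted.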
50.8.1 Configuring Telnet Click Configuration > System > TELNET to configure your ZyWALL for remote Telnet access. Use this screen to specify from which zones Telnet can be used to manage the ZyWALL. You can also specify from which IP addresses the access can come. Figure 570 Configuration > System > TELNET The following table describes the labels in this screen.
Table 244 Configuration > System > TELNET (continued) LABEL DESCRIPTION # This is the index number of the service control rule. The entry with a hyphen (-) instead of a number is the ZyWALL’s (nonconfigurable) default policy. The ZyWALL applies this to traffic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that traffic will match so the ZyWALL will not have to use the default policy.
be used to access the ZyWALL. You can also specify from which IP addresses the access can come. Figure 571 Configuration > System > FTP The following table describes the labels in this screen. Table 245 Configuration > System > FTP LABEL DESCRIPTION Enable Select the check box to allow, or clear it to disallow, computers whose IP addresses match the Service Control table to access the ZyWALL using this service.
Table 245 Configuration > System > FTP (continued) LABEL DESCRIPTION Move To change an entry’s position in the numbered list, select the entry and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed. # This is the index number of the service control rule. The entry with a hyphen (-) instead of a number is the ZyWALL’s (nonconfigurable) default policy.
and version two (SNMPv2c). The next figure illustrates an SNMP management operation. Figure 572 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP.
• GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations. • Set - Allows the manager to set values for object variables within an agent. • Trap - Used by the agent to inform the manager of some events. 50.10.
settings, including from which zones SNMP can be used to access the ZyWALL. You can also specify from which IP addresses the access can come. Figure 573 Configuration > System > SNMP The following table describes the labels in this screen. Table 247 Configuration > System > SNMP LABEL DESCRIPTION Enable Select the check box to allow, or clear it to disallow, computers whose IP addresses match the Service Control table to access the ZyWALL using this service.
Table 247 Configuration > System > SNMP (continued) LABEL DESCRIPTION Add Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Refer to Table 241 on page 829 for details on the screen that opens. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.
Hang Up check box is selected, the ZyWALL uses this hardware signal to force the WAN device to hang up, in addition to issuing the drop command ATH. Response Strings The response strings tell the ZyWALL the tags, or labels, immediately preceding the various call parameters sent from the serial modem. The response strings have not been standardized; please consult the documentation of your serial modem to find the correct tags. 50.11.
Table 248 Configuration > System > Dial-in Mgmt (continued) LABEL DESCRIPTION Port Speed Use the drop-down list box to select the speed of the connection between the ZyWALL’s auxiliary port and the external modem. Available speeds are: 9600, 19200, 38400, 57600, or 115200 bps. Initial String Type the AT command string that the ZyWALL sends to the external serial modem connected to the ZyWALL’s auxiliary port during connection initialization.
50.12.1 Configuring Vantage CNM Vantage CNM is disabled on the device by default. Click Configuration > System > Vantage CNM to configure your device’s Vantage CNM settings. Figure 575 Configuration > System > Vantage CNM The following table describes the labels in this screen. Table 249 Configuration > System > Vantage CNM LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields.
Table 249 Configuration > System > Vantage CNM (continued) LABEL DESCRIPTION Transfer Protocol Select whether the Vantage CNM sessions should use regular HTTP connections or secure HTTPS connections. Note: HTTPS is recommended. The Vantage CNM server must use the same setting. Device Management IP Select Auto to have the ZyWALL allow Vantage CNM sessions to connect to any of the ZyWALL’s IP addresses. Custom IP Specify the ZyWALL’s IP address that allows Vantage CNM sessions.
50.13 Language Screen Click Configuration > System > Language to open the following screen. Use this screen to select a display language for the ZyWALL’s Web Configurator screens. Figure 576 Configuration > System > Language The following table describes the labels in this screen. Table 250 Configuration > System > Language LABEL DESCRIPTION Language Setting Select a display language for the ZyWALL’s Web Configurator screens.
CHAPTER 51 Log and Report 51.1 Overview Use these screens to configure daily reporting and log settings. 51.1.1 What You Can Do In this Chapter • Use the Email Daily Report screen (Section 51.2 on page 859) to configure where and how to send daily reports and what reports to send. • Use the Maintenance > Log Setting screens (Section 51.3 on page 861) to specify which log messages are e-mailed, where they are e-mailed, and how often they are e-mailed. 51.
Chapter 51 Log and Report Click Configuration > Log & Report > Email Daily Report to display the following screen. Configure this screen to have the ZyWALL e-mail you system statistics every day.
Chapter 51 Log and Report The following table describes the labels in this screen. Table 251 Configuration > Log & Report > Email Daily Report LABEL DESCRIPTION Enable Email Daily Report Select this to send reports by e-mail every day. Mail Server Type the name or IP address of the outgoing SMTP server. Mail Subject Type the subject line for the outgoing e-mail. Select Append system name to add the ZyWALL’s system name to the subject.
Chapter 51 Log and Report The Log Setting tab also controls what information is saved in each log. For the system log, you can also specify which log messages are e-mailed, where they are e-mailed, and how often they are e-mailed. For alerts, the Log Settings tab controls which events generate alerts and where alerts are e-mailed. The Log Settings Summary screen provides a summary of all the settings.
Chapter 51 Log and Report Table 252 Configuration > Log & Report > Log Setting (continued) LABEL DESCRIPTION # This field is a sequential value, and it is not associated with a specific log. Name This field displays the name of the log (system log or one of the remote servers). Log Format This field displays the format of the log. Internal - system log; you can view the log on the View Log tab. VRPT/Syslog - ZyXEL’s Vantage Report, syslog-compatible format.
Chapter 51 Log and Report Figure 579 Configuration > Log & Report > Log Setting > Edit (System Log) 864 ZyWALL USG 300 User’s Guide
The following table describes the labels in this screen.

Table 253 Configuration > Log & Report > Log Setting > Edit (System Log)
E-Mail Server 1/2
Active: Select this to send log messages and alerts according to the information in this section. You specify what kinds of log messages are included in log information and what kinds of log messages are included in alerts in the Active Log and Alert section.
Table 253 Configuration > Log & Report > Log Setting > Edit (System Log)
E-mail Server 1: Use the E-Mail Server 1 drop-down list to change the settings for e-mailing logs to e-mail server 1 for all log categories. Using the System Log drop-down list to disable all logs overrides your e-mail server 1 settings. enable normal logs (green check mark) - e-mail log messages for all categories to e-mail server 1.
Table 253 Configuration > Log & Report > Log Setting > Edit (System Log)
Active: Select this to activate log consolidation. Log consolidation aggregates multiple log messages that arrive within the specified Log Consolidation Interval. In the View Log tab, the text “[count=x]”, where x is the number of original log messages, is appended at the end of the Message field, when multiple log messages were aggregated.
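The consolidation rule above is easy to misread when you are tuning the interval, so here is an added Python model of it (not ZyXEL code). It assumes, because the page does not say, that messages are compared by exact text within a category, that the interval is measured from the first message of a run, and that the merged record keeps that first message's timestamp; the sample entries are constructed and reuse message strings from Appendix A.

```python
"""Simulate the log consolidation rule described for the System Log Edit screen.

Added example, not ZyXEL code. Assumptions not stated on the page: messages are
compared by exact text within a category, the interval is measured from the
first message of a run, and the consolidated record keeps that first message's
timestamp.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LogEntry:
    ts: int          # seconds since an arbitrary epoch (constructed sample data)
    category: str    # log category, e.g. "user"
    message: str     # message text exactly as the device would write it


def consolidate(entries, interval):
    """Merge repeats of the same message that arrive within `interval` seconds
    of the run's first message. Returns (ts, category, message) tuples; merged
    records get " [count=x]" appended, as the View Log tab displays them."""
    runs = []        # [first_ts, category, message, count] per run, in first-seen order
    open_run = {}    # (category, message) -> index in runs of the current run
    for e in sorted(entries, key=lambda x: x.ts):
        key = (e.category, e.message)
        idx = open_run.get(key)
        if idx is not None and e.ts - runs[idx][0] <= interval:
            runs[idx][3] += 1                    # still inside the consolidation window
            continue
        runs.append([e.ts, e.category, e.message, 1])   # start a new run
        open_run[key] = len(runs) - 1
    return [
        (ts, cat, msg + (f" [count={n}]" if n > 1 else ""))
        for ts, cat, msg, n in runs
    ]


# Constructed sample: three lockout hits in eight seconds, one login, and a
# fourth lockout hit after the 60-second window has closed.
LOCKOUT = "Failed login attempt to ZyWALL from 192.0.2.10 (login on a lockout address)"
SAMPLE = [
    LogEntry(0, "user", LOCKOUT),
    LogEntry(3, "user", LOCKOUT),
    LogEntry(5, "user", "admin admin from http has logged in ZyWALL"),
    LogEntry(8, "user", LOCKOUT),
    LogEntry(130, "user", LOCKOUT),
]

if __name__ == "__main__":
    for ts, cat, msg in consolidate(SAMPLE, interval=60):
        print(f"{ts:>4}s  {cat:<5}  {msg}")
```

Running it with an interval of 60 seconds collapses the first three lockout messages into one record tagged [count=3] and leaves the late repeat as a separate record, which is the behaviour to expect when you count failed logins from consolidated logs: the count lives in the message text, not in the number of rows.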
51.3.3 Edit Remote Server Log Settings

The Log Settings Edit screen controls the detailed settings for each log in the remote server (syslog). Go to the Log Settings Summary screen (see Section 51.3.1 on page 862), and click a remote server Edit icon.
The following table describes the labels in this screen.

Table 254 Configuration > Log & Report > Log Setting > Edit (Remote Server)
Log Settings for Remote Server
Active: Select this check box to send log information according to the information in this section. You specify what kinds of messages are included in log information in the Active Log section.
Log Format: This field displays the format of the log information. It is read-only.
51.3.4 Active Log Summary Screen

The Active Log Summary screen allows you to view and to edit what information is included in the system log, e-mail profiles, and remote servers at the same time. It does not let you change other log settings (for example, where and how often log information is e-mailed or remote server names). To access this screen, go to the Log Settings Summary screen (see Section 51.3.1 on page 862), and click the Active Log Summary button.
The following table describes the fields in this screen.

Table 255 Configuration > Log & Report > Log Setting > Active Log Summary
System log: Use the System Log drop-down list to change the log settings for all of the log categories. disable all logs (red X) - do not log any information for any category for the system log or e-mail any logs to e-mail server 1 or 2.
Table 255 Configuration > Log & Report > Log Setting > Active Log Summary
System log: Select which events you want to log by Log Category.
CHAPTER 52 File Manager

52.1 Overview

Configuration files define the ZyWALL’s settings. Shell scripts are files of commands that you can store on the ZyWALL and run when you need them. You can apply a configuration file or run a shell script without the ZyWALL restarting. You can store multiple configuration files and shell script files on the ZyWALL. You can edit configuration files or shell scripts in a text editor and upload them to the ZyWALL. Configuration files use a .
These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below.

Figure 582 Configuration File / Shell Script: Example

# enter configuration mode
configure terminal
# change administrator password
username admin password 4321 user-type admin
# configure ge3
interface ge3
ip address 172.23.37.240 255.255.255.0
ip gateway 172.23.37.
Your configuration files or shell scripts can use “exit” or a command line consisting of a single “!” to have the ZyWALL exit sub command mode.

Note: “exit” or “!” must follow sub commands if it is to make the ZyWALL exit sub command mode.

Line 3 in the following example exits sub command mode.

interface ge1
ip address dhcp
!

Lines 1 and 3 in the following example are comments and line 4 exits sub command mode.
Chapter 52 File Manager 52.2 The Configuration File Screen Click Maintenance > File Manager > Configuration File to open the Configuration File screen. Use the Configuration File screen to store, run, and name configuration files. You can also download configuration files from the ZyWALL to your computer and upload configuration files from your computer to the ZyWALL.
The following table describes the labels in this screen.

Table 257 Maintenance > File Manager > Configuration File
Rename: Use this button to change the label of a configuration file on the ZyWALL. You can only rename manually saved configuration files. You cannot rename the lastgood.conf, system-default.conf and startup-config.conf files. You cannot rename a configuration file to the name of another configuration file in the ZyWALL.
Table 257 Maintenance > File Manager > Configuration File (continued)
Copy: Use this button to save a duplicate of a configuration file on the ZyWALL. Click a configuration file’s row to select it and click Copy to open the Copy File screen.

Figure 585 Maintenance > File Manager > Configuration File > Copy

Specify a name for the duplicate configuration file. Use up to 25 characters (including a-zA-Z0-9;'~!@#$%^&()_+[]{}',.=-).
Table 257 Maintenance > File Manager > Configuration File (continued)
Apply: Use this button to have the ZyWALL use a specific configuration file. Click a configuration file’s row to select it and click Apply to have the ZyWALL use that configuration file. The ZyWALL does not have to restart in order to use a different configuration file, although you will need to wait for a few minutes while the system reconfigures.
Table 257 Maintenance > File Manager > Configuration File (continued)
File Name: This column displays the label that identifies a configuration file. You cannot delete the following configuration files or change their file names. The system-default.conf file contains the ZyWALL’s default settings. Select this file and click Apply to reset all of the ZyWALL settings to the factory defaults. This configuration file is included when you upload a firmware package.
Chapter 52 File Manager Note: The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it. Find the firmware package at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, “zywall.bin”.
Chapter 52 File Manager After you see the Firmware Upload in Process screen, wait two minutes before logging into the ZyWALL again. Figure 588 Firmware Upload In Process Note: The ZyWALL automatically reboots after a successful upload. The ZyWALL automatically restarts causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.
Note: You should include write commands in your scripts. If you do not use the write command, the changes will be lost when the ZyWALL restarts. You could use multiple write commands in a long script.

Figure 591 Maintenance > File Manager > Shell Script

Each field is described in the following table.

Table 259 Maintenance > File Manager > Shell Script
Rename: Use this button to change the label of a shell script file on the ZyWALL.
Table 259 Maintenance > File Manager > Shell Script (continued)
Copy: Use this button to save a duplicate of a shell script file on the ZyWALL. Click a shell script file’s row to select it and click Copy to open the Copy File screen.

Figure 593 Maintenance > File Manager > Shell Script > Copy

Specify a name for the duplicate file. Use up to 25 characters (including a-zA-Z0-9;'~!@#$%^&()_+[]{}',.=-).
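The script syntax rules in Section 52.1 ("#" comments, "exit" or a lone "!" to leave sub command mode) and the note above about including write commands are the kind of thing worth checking before a script is uploaded and run. The following Python linter is an added example, not ZyXEL code: which commands enter sub command mode is an assumption (the page only shows "interface"), the clear-text password check is an added hygiene rule the page does not describe, and both sample scripts are constructed.

```python
"""Lint a ZyWALL configuration file or shell script before uploading it.

Added example, not ZyXEL code. It checks the rules the page states: "#" starts
a comment, "exit" or a lone "!" leaves sub command mode, and a script should
contain "write" so that changes survive a restart. Which commands ENTER sub
command mode is an assumption (the page only shows "interface"); extend
BLOCK_COMMANDS for your firmware. The clear-text password check is an added
hygiene rule: scripts stored on the device or in version control are readable
by anyone who can fetch them.
"""

# Assumption: top-level commands whose following lines are sub commands.
BLOCK_COMMANDS = ("interface",)


def lint_script(text):
    """Return a list of (line_number, problem) tuples; an empty list means the
    script passed. line_number is None for whole-file problems."""
    problems = []
    depth = 0            # how many sub command blocks are currently open
    saw_write = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # blank line or comment
        if line in ("exit", "!"):
            if depth == 0:
                problems.append((lineno, "exit/! with no open sub command block"))
            else:
                depth -= 1
            continue
        tokens = line.split()
        if "password" in tokens:
            problems.append((lineno, "clear-text password; restrict who can read this script"))
        if tokens[0] in BLOCK_COMMANDS:
            depth += 1
        elif tokens[0] == "write":
            saw_write = True
    if depth > 0:
        problems.append((None, f"{depth} sub command block(s) never closed with exit or !"))
    if not saw_write:
        problems.append((None, "no write command; changes are lost when the ZyWALL restarts"))
    return problems


# Constructed samples. GOOD_SCRIPT follows the page's rules; BAD_SCRIPT leaves an
# interface block open, stores a password in clear text and never writes.
GOOD_SCRIPT = """\
# enter configuration mode
configure terminal
# configure ge3
interface ge3
ip address 172.23.37.240 255.255.255.0
!
write
"""

BAD_SCRIPT = """\
configure terminal
username admin password 4321 user-type admin
interface ge1
ip address dhcp
"""

if __name__ == "__main__":
    for name, script in (("good", GOOD_SCRIPT), ("bad", BAD_SCRIPT)):
        print(name, lint_script(script) or "OK")
```

The linter reads the script the way the ZyWALL does, line by line, so a problem is reported at the line where it appears; the whole-file problems (an unclosed block, a missing write) are reported with line number None because they only become visible at the end of the file.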
CHAPTER 53 Diagnostics

53.1 Overview

Use the diagnostics screens for troubleshooting.

53.1.1 What You Can Do in this Chapter

• Use the Maintenance > Diagnostics screen (see Section 53.2 on page 885) to generate a file containing the ZyWALL’s configuration and diagnostic information if you need to provide it to customer support during troubleshooting.
• Use the Maintenance > Diagnostics > Packet Capture screens (see Section 53.3 on page 886) to capture packets going through the ZyWALL.

53.
The following table describes the labels in this screen.

Table 260 Maintenance > Diagnostics
Filename: This is the name of the most recently created diagnostic file.
Last modified: This is the date and time that the last diagnostic file was created. The format is yyyy-mm-dd hh:mm:ss.
Size: This is the size of the most recently created diagnostic file.
Collect Now: Click this to have the ZyWALL create a new diagnostic file.
The following table describes the labels in this screen.

Table 261 Maintenance > Diagnostics > Packet Capture
Interfaces: Enabled interfaces (except for virtual interfaces) appear under Available Interfaces. Select interfaces for which to capture packets and click the right arrow button to move them to the Capture Interfaces list. Use the [Shift] and/or [Ctrl] key to select multiple objects.
IP Type: Select the protocol of traffic for which to capture packets.
Table 261 Maintenance > Diagnostics > Packet Capture (continued)
Capture: Click this button to have the ZyWALL capture packets according to the settings configured in this screen. You can configure the ZyWALL while a packet capture is in progress although you cannot modify the packet capture settings. The ZyWALL’s throughput or performance may be affected while a packet capture is in progress.
Table 262 Maintenance > Diagnostics > Packet Capture > Files (continued)
#: This column displays the number for each packet capture file entry. The total number of packet capture files that you can save depends on the file sizes and the available flash storage space.
File Name: This column displays the label that identifies the file. The file name format is interface name-file suffix.cap.
Size: This column displays the size (in bytes) of a configuration file.
CHAPTER 54 Reboot

54.1 Overview

Use this to restart the device (for example, if the device begins behaving erratically). See also Section 1.5 on page 36 for information on different ways to start and stop the ZyWALL.

54.1.1 What You Need To Know

If you applied changes in the Web Configurator, these were saved automatically and do not change when you reboot. If you made changes in the CLI, however, you have to use the write command to save the configuration before you reboot.
CHAPTER 55 Shutdown

55.1 Overview

Use this to shut down the device in preparation for disconnecting the power. See also Section 1.5 on page 36 for information on different ways to start and stop the ZyWALL. Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the ZyWALL or remove the power. Not doing so can cause the firmware to become corrupt.

55.1.1 What You Need To Know

Shutdown writes all cached data to the local storage and stops the system processes.

55.
CHAPTER 56 Troubleshooting

This chapter offers some suggestions to solve problems you might encounter.

• You can also refer to the logs (see Chapter 10 on page 274). For individual log descriptions, see Appendix A on page 923. For the order in which the ZyWALL applies its features and checks, see Section 6.4 on page 96.

None of the LEDs turn on.

Make sure that you have the power cord connected to the ZyWALL and plugged in to an appropriate power source. Make sure you have the ZyWALL turned on.
Chapter 56 Troubleshooting • If you’ve forgotten the ZyWALL’s IP address, you can use the commands through the console port to check it. Connect your computer to the CONSOLE port using a console cable. Your computer should have a terminal emulation communications program (such as HyperTerminal) set to VT100 terminal emulation, no parity, 8 data bits, 1 stop bit, no flow control and 115200 bps port speed. Clicking different links in the web help displays the same help screen.
Chapter 56 Troubleshooting I downloaded updated anti-virus or IDP/application patrol signatures. Why has the ZyWALL not re-booted yet? The ZyWALL does not have to reboot when you upload new signatures. The content filter category service is not working. • Make sure your ZyWALL has the content filter category service registered and that the license is not expired. Purchase a new license if the license is expired. • Make sure your ZyWALL is connected to the Internet.
Chapter 56 Troubleshooting • The format of interface names other than the Ethernet interface names is very strict. Each name consists of 2-4 letters (interface type), followed by a number (x, limited by the maximum number of each type of interface). For example, VLAN interfaces are vlan0, vlan1, vlan2, ...; and so on. • The names of virtual interfaces are derived from the interfaces on which they are created.
Chapter 56 Troubleshooting created a cellular interface but cannot connect through it. • Make sure you have a compatible 3G device installed or connected. See Chapter 57 on page 915 for details. • Make sure you have the cellular interface enabled. • Make sure the cellular interface has the correct user name, password, and PIN code configured with the correct casing. • If the ZyWALL has multiple WAN interfaces, make sure their IP addresses are on different subnets.
Chapter 56 Troubleshooting The ZyWALL is not applying an interface’s configured ingress bandwidth limit. At the time of writing, the ZyWALL does not support ingress bandwidth management. The ZyWALL is not applying my application patrol bandwidth management settings. Bandwidth management in policy routes has priority over application patrol bandwidth management. The ZyWALL’s performance slowed down after I configured many new application patrol entries.
Chapter 56 Troubleshooting The ZyWALL is deleting some zipped files. The anti-virus policy may be set to delete zipped files that the ZyWALL cannot unzip. The ZyWALL cannot unzip password protected ZIP files or a ZIP file within another ZIP file. There are also limits to the number of ZIP files that the ZyWALL can concurrently unzip. The ZyWALL’s performance seems slower after configuring IDP.
The ZyWALL’s performance seems slower after configuring ADP.

Depending on your network topology and traffic load, applying an anomaly profile to each and every packet direction may affect the ZyWALL’s performance.

The ZyWALL routes and applies SNAT for traffic from some interfaces but not from others.

The ZyWALL automatically uses SNAT for traffic it routes from internal interfaces to external interfaces, for example LAN to WAN traffic.
Chapter 56 Troubleshooting I cannot get the application patrol to manage SIP traffic. Make sure you have the SIP ALG enabled. I cannot get the application patrol to manage H.323 traffic. Make sure you have the H.323 ALG enabled. I cannot get the application patrol to manage FTP traffic. Make sure you have the FTP ALG enabled. The ZyWALL keeps resetting the connection.
Here are some general suggestions. See also Chapter 25 on page 467.

• The system log can often help to identify a configuration problem.
• If you enable NAT traversal, the remote IPSec device must also have NAT traversal enabled.
• The ZyWALL and remote IPSec router must use the same authentication method to establish the IKE SA.
• Both routers must use the same negotiation mode.
• Both routers must use the same encryption algorithm, authentication algorithm, and DH key group.
• If you set up a VPN tunnel across the Internet, make sure your ISP supports AH or ESP (whichever you are using).
• If you have the ZyWALL and remote IPSec router use certificates to authenticate each other, you must set up the certificates for the ZyWALL and remote IPSec router first and make sure they trust each other’s certificates. If the ZyWALL’s certificate is self-signed, import it into the remote IPsec router.
Chapter 56 Troubleshooting If you have the Configuration > VPN > IPSec VPN > VPN Connection screen’s Use Policy Route to control dynamic IPSec rules option enabled, check the routing policies to see if they are sending traffic elsewhere instead of through the VPN tunnels. I uploaded a logo to show in the SSL VPN user screens but it does not display properly. The logo graphic must be GIF, JPG, or PNG format. The graphic should use a resolution of 127 x 57 pixels to avoid distortion when displayed.
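The VPN checklist above (same authentication method, negotiation mode, encryption and authentication algorithms, DH key group, NAT traversal on both sides, and an ISP that passes the AH or ESP you chose) is easier to apply when both peers' settings are side by side. The Python below is an added example, not ZyXEL code: the dictionary keys are my own names for the items the list mentions, the two sample configurations are constructed, and the weak-algorithm check is an added hygiene rule that goes beyond the page.

```python
"""Compare two IPSec VPN peers' settings and report what will stop negotiation.

Added example, not ZyXEL code. The dictionary keys are my own names for the
items in the troubleshooting checklist; the values are constructed samples,
not a real configuration. compare_peers reports mismatches that prevent the
IKE SA or IPSec SA from being established; weak_settings is an added hygiene
check for algorithms no longer considered safe.
"""

# Settings that must be identical on both peers for the IKE SA and IPSec SA.
MUST_MATCH = (
    "auth_method",        # pre-shared key or certificate
    "negotiation_mode",   # main or aggressive
    "encryption",
    "authentication",
    "dh_group",
    "ipsec_protocol",     # AH or ESP; the ISP must also pass the one you use
    "nat_traversal",      # enabled on both sides or on neither
)

# Added hygiene rule: algorithm names a current deployment should not rely on.
WEAK = {"des", "md5", "dh1"}


def compare_peers(local, remote):
    """Return a list of mismatch descriptions; an empty list means the two
    peers agree on every setting in MUST_MATCH."""
    issues = []
    for key in MUST_MATCH:
        lv, rv = local.get(key), remote.get(key)
        if lv != rv:
            issues.append(f"{key}: ZyWALL={lv!r} remote={rv!r}")
    return issues


def weak_settings(cfg):
    """Return the names of settings whose value is in WEAK (case-insensitive)."""
    return [k for k, v in cfg.items() if str(v).lower() in WEAK]


# Constructed sample: the remote side was left in aggressive mode with a
# different DH group and without NAT traversal.
ZYWALL = {
    "auth_method": "pre-shared-key", "negotiation_mode": "main",
    "encryption": "aes128", "authentication": "sha1", "dh_group": "dh2",
    "ipsec_protocol": "esp", "nat_traversal": True,
}
REMOTE = {
    "auth_method": "pre-shared-key", "negotiation_mode": "aggressive",
    "encryption": "aes128", "authentication": "sha1", "dh_group": "dh5",
    "ipsec_protocol": "esp", "nat_traversal": False,
}

if __name__ == "__main__":
    for line in compare_peers(ZYWALL, REMOTE):
        print("mismatch:", line)
    print("weak settings on ZyWALL:", weak_settings(ZYWALL) or "none")
```

Every mismatch is printed rather than only the first one found, because an IKE failure in the log rarely says which parameter the peer rejected and fixing one at a time means a re-negotiation per attempt.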
Chapter 56 Troubleshooting option. The ZyWALL classifies the firmware package as not being able to be decompressed and deletes it. You can upload the firmware package to the ZyWALL with the option enabled, so you only need to clear the Destroy compressed files that could not be decompressed option while you download the firmware package. See Section 33.2.1 on page 579 for more on the anti-virus Destroy compressed files that could not be decompressed option.
Device HA is not working.

• You may need to disable STP (Spanning Tree Protocol).
• The master and its backups must all use the same device HA mode (either active-passive or legacy).
• Configure a static IP address for each interface that you will have device HA monitor.
• Configure a separate management IP address for each interface. You can use it to access the ZyWALL for management whether the ZyWALL is the master or a backup.
Chapter 56 Troubleshooting user, the authentication attempt will always fail. (This is related to AAA servers and authentication methods, which are discussed in Chapter 44 on page 749 and Chapter 45 on page 759, respectively.) I cannot add the admin users to a user group with access users. You cannot put access users and admin users in the same user group. I cannot add the default admin account to a user group. You cannot put the default admin account into any user group.
1 For My Certificates, you can import a certificate that matches a corresponding certification request that was generated by the ZyWALL. You can also import a certificate in PKCS#12 format, including the certificate’s public and private keys.
2 You must remove any spaces from the certificate’s filename before you can import the certificate.
3 Any certificate that you want to import has to be in one of these file formats:
• Binary X.
Chapter 56 Troubleshooting I uploaded a logo to display on the upper left corner of the Web Configurator login screen and access page but it does not display properly. Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less. I uploaded a logo to use as the screen or window background but it does not display properly. Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less. The ZyWALL’s traffic throughput rate decreased after I started collecting traffic statistics.
Chapter 56 Troubleshooting I cannot get the firmware uploaded using the commands. The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it. My packet capture captured less than I wanted or failed.
If you want to reboot the device without changing the current configuration, see Chapter 54 on page 891.

1 Make sure the SYS LED is on and not blinking.
2 Press the RESET button and hold it until the SYS LED begins to blink. (This usually takes about five seconds.)
3 Release the RESET button, and wait for the ZyWALL to restart. You should be able to access the ZyWALL using the default settings.

56.
CHAPTER 57 Product Specifications

The following specifications are subject to change without notice. See Chapter 2 on page 39 for a general overview of key features. This table provides basic device specifications.

Table 263 Default Login Information
Default IP Address (ge1): 192.168.1.1
Default Subnet Mask (ge1): 255.255.255.0 (24 bits)
Default Password: 1234

This table provides hardware specifications.
Table 264 Hardware Specifications (continued)
Storage Environment: Temperature: -30 °C to 60 °C; Humidity: 20% to 95% (non-condensing)
MTBF: Mean Time Between Failures: 180,382 hours
Dimensions: 430 (W) x 201.2 (D) x 42.0 (H) mm
Weight: 2.8 kg
Rack-mounting: Rack-mountable (rack-mount kit included)

This table gives details about the ZyWALL’s features.

Table 265 ZyWALL USG 300 Feature Specifications VERSION # V2.00 V2.11, V2.12 V2.
The following table, which is not exhaustive, lists standards referenced by ZyWALL features.

Table 266 Standards Referenced by Features
Interface-Bridge: A subset of the ANSI/IEEE 802.1d standard
Interface: RFCs 2131, 2132, 1541
Interface-PPP: RFCs 1144, 1321, 1332, 1334, 1661, 1662, 2472
Interface-PPTP: RFCs 2637, 3078
Interface-PPPOE: RFC 2516
Interface-VLAN: IEEE 802.
Chapter 57 Product Specifications 57.1 3G PCMCIA Card Installation Only insert a compatible 3G card. Slide the connector end of the card into the slot. Note: Do not force, bend or twist the card.
APPENDIX A Log Descriptions

This appendix provides descriptions of example log messages for the ZLD-based ZyWALLs. The logs do not all apply to all of the ZLD-based ZyWALLs. You will not necessarily see all of these logs in your device.

Table 267 Content Filter Logs
Content filter has been enabled
    An administrator turned the content filter on.
Content filter has been disabled
    An administrator turned the content filter off.
Table 269 Blocked Web Site Logs
%s :%s
    The rating server responded that the web site is in a specified category and access was blocked according to a content filter profile. 1st %s: website host 2nd %s: website category
%s: Unrated
    The rating server responded that the web site cannot be categorized and access was blocked according to a content filter profile.
Table 269 Blocked Web Site Logs (continued)
%s: Proxy mode is detected
    The system detected a proxy connection and blocked access according to a profile. %s: website host
%s: Forbidden Web site
    The web site is in the forbidden web site list. %s: website host
%s: Keyword blocking
    The web content matched a user defined keyword.
Table 270 Anti-Spam Logs (continued)
Black List checking has been activated.
    The anti-spam black list has been turned on.
Black List checking has been deactivated.
    The anti-spam black list has been turned off.
Black List rule %d has been added.
    The anti-spam black list rule with the specified index number (%d) has been added.
Black List rule %d has been modified.
Table 271 SSL VPN Logs
%s %s from %s has logged in SSLVPN
    A user has logged into SSL VPN. The first %s is the type of user account. The second %s is the user’s user name. The third %s is the name of the service the user is using (HTTP or HTTPS).
%s %s from %s has logged out SSLVPN
    A user has logged out of SSL VPN. The first %s is the type of user account. The second %s is the user’s user name.
Table 271 SSL VPN Logs (continued)
The %s address-object is wrong type for 'network' in SSL Policy %s.
    The listed address object (first %s) is not the right kind to be specified as a network in the listed SSL VPN policy (second %s).
The SSL VPN policy %s has been changed 'ippool' value.
    The IP pool setting has been modified in the specified SSL VPN policy (%s).
The SSL VPN policy %s has been changed '1stdns' value.
Table 271 SSL VPN Logs (continued)
%s %s is accessed. sent= rcvd=
    The listed SSL VPN access was used to send and receive the listed numbers of bytes. The first %s is the type of SSL VPN access (web application, file sharing, or network extension). The second %s is the name of the application. This is N/A for a network extension.
Table 272 L2TP Over IPSec Logs
The configuration of L2TP over IPSec has been changed.
    The L2TP over IPSec configuration has been modified.
L2TP over IPSec may not work since Crypto Map %s using Manual Key.
    L2TP over IPSec does not support manual key management. L2TP over IPSec may not work because the IPSec VPN connection it uses (Crypto Map %s) has been set to use manual key management.
The ZySH logs deal with internal system errors.

Table 273 ZySH Logs
Invalid message queue. Maybe someone starts another zysh daemon.
Table 273 ZySH Logs (continued)
Can't remove %s
    1st: zysh list name
Table OPS
%s: cannot retrieve entries from table!
    1st: zysh table name
%s: index is out of range!
    1st: zysh table name
%s: cannot set entry #%d
    1st: zysh table name, 2nd: zysh entry num
%s: table is full!
    1st: zysh table name
%s: invalid old/new index!
    1st: zysh table name
Unable to move entry #%d!
    1st: zysh entry num
%s: invalid index!
    1st: zysh table name
Unable to delete
Appendix A Log Descriptions Table 274 ADP Logs LOG MESSAGE DESCRIPTION from to [type=] , Action: , Severity: The ZyWALL detected an anomaly in traffic traveling between the specified zones. The = {scan-detection() | flooddetection() | http-inspection() | tcpdecoder()}. The gives details about the attack, although the message is dropped if the log is more than 128 characters.
Table 275 Anti-Virus Logs
Initializing Anti-Virus signature reference table has failed.
    The ZyWALL failed to initialize the anti-virus signatures due to an internal error.
Reloading Anti-Virus signature database has failed.
    The ZyWALL failed to reload the anti-virus signatures due to an internal error.
Reloading Anti-Virus signature reference table has failed.
    The ZyWALL failed to reload the anti-virus signatures due to an internal error.
Table 275 Anti-Virus Logs (continued)
AV signature update has failed. Can not update last update time.
    The anti-virus signatures update did not succeed.
AV signature update has failed. (Replacement failure)
    Anti-virus signatures update failed because the ZyWALL was not able to replace the old set of anti-virus signatures with the new one.
AV signature update has failed. (Unknown signature package).
Table 275 Anti-Virus Logs (continued)
Anti-Virus rule %d has been modified.
    The anti-virus rule of the specified number has been changed.
Anti-Virus rule %d has been inserted.
    An anti-virus rule has been inserted. %d is the number of the new rule.
Anti-Virus rule %d has been appended.
    The anti-virus rule with the listed number (%d) has been added to the end of the list.
Table 276 User Logs
%s %s from %s has logged in ZyWALL
    A user logged into the ZyWALL. 1st %s: The type of user account. 2nd %s: The user’s user name. 3rd %s: The name of the service the user is using (HTTP, HTTPS, FTP, Telnet, SSH, or console).
%s %s from %s has logged out ZyWALL
    A user logged out of the ZyWALL. 1st %s: The type of user account. 2nd %s: The user’s user name.
Table 276 User Logs (continued)
Failed login attempt to ZyWALL from %s (login on a lockout address)
    A login attempt came from an IP address that the ZyWALL has locked out.
Failed login attempt to ZyWALL from %s (reach the max. number of user)
    The ZyWALL blocked a login because the maximum login capacity for the particular service has already been reached.
Failed login attempt to ZyWALL from %s (reach the max.
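The %s and %d placeholders in these tables are printf-style, so each template can be turned mechanically into a matcher that recovers the fields (account type, user name, service, source address) from a real message. The Python below is an added example, not ZyXEL code: it uses the User Logs templates from Table 276, and the sample messages are constructed and contain only the message text because the page does not show the syslog header (date, severity, category) that precedes it on a remote server.

```python
"""Turn the User Logs message templates into matchers and count failed logins
per source address.

Added example, not ZyXEL code. The templates are copied from Table 276; the
sample messages are constructed and contain only the message text, because the
page does not show the surrounding syslog header.
"""
import re
from collections import Counter

TEMPLATES = {
    "login": "%s %s from %s has logged in ZyWALL",
    "logout": "%s %s from %s has logged out ZyWALL",
    "lockout": "Failed login attempt to ZyWALL from %s (login on a lockout address)",
    "capacity": "Failed login attempt to ZyWALL from %s (reach the max. number of user)",
}


def template_to_regex(template):
    """Compile a printf-style template into an anchored regex: %s becomes a
    non-space field, %d a run of digits, everything else is matched literally."""
    pattern = "".join(
        r"(\S+)" if part == "%s" else r"(\d+)" if part == "%d" else re.escape(part)
        for part in re.split(r"(%s|%d)", template)
    )
    return re.compile("^" + pattern + "$")


MATCHERS = {name: template_to_regex(t) for name, t in TEMPLATES.items()}


def classify(message):
    """Return (template_name, captured_fields) for a known message, else None."""
    for name, rx in MATCHERS.items():
        m = rx.match(message)
        if m:
            return name, m.groups()
    return None


def failed_logins_by_source(messages):
    """Count lockout and capacity failures per source address (the single %s
    in those two templates). Feed this from consolidated logs with care: a
    "[count=x]" suffix would stop the anchored match and hide the repeats."""
    counts = Counter()
    for msg in messages:
        hit = classify(msg)
        if hit and hit[0] in ("lockout", "capacity"):
            counts[hit[1][0]] += 1
    return counts


SAMPLE_MESSAGES = [  # constructed
    "admin admin from http has logged in ZyWALL",
    "Failed login attempt to ZyWALL from 192.0.2.10 (login on a lockout address)",
    "Failed login attempt to ZyWALL from 192.0.2.10 (login on a lockout address)",
    "Failed login attempt to ZyWALL from 198.51.100.7 (reach the max. number of user)",
    "admin admin from http has logged out ZyWALL",
    "Content filter has been enabled",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(classify(msg), "<-", msg)
    print(failed_logins_by_source(SAMPLE_MESSAGES))
```

Anchoring each regex at both ends keeps a template from matching the prefix of a longer, unrelated message; the cost is that any decoration appended by the device (such as the consolidation count) must be stripped before matching, which is the reason the helper's docstring mentions it.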
Table 277 myZyXEL.com Logs (continued)
Registration has failed. Because of lack must fields.
    The device received an incomplete response from the myZyXEL.com server and it caused a parsing error for the device.
%s:Trial service activation has failed:%s.
    Trial service activation failed for the specified service; an error message returned by the MyZyXEL.com server will be appended to this log.
Table 277 myZyXEL.com Logs (continued)
Do device register.
    The device started device registration.
Do trial service activation.
    The device started trial service activation.
Do standard service activation.
    The device started standard service activation.
Do expiration check.
    The device started the service expiration day check.
Build query message has failed.
    Some information was missing in the packets that the device sent to the MyZyXEL.
Table 277 myZyXEL.com Logs (continued)
Device has latest signature file; no need to update
    The device already has the latest version of the signature file so no update is needed.
Connect to update server has failed.
    The device cannot connect to the update server.
Wrong format for packets received.
    The device cannot parse the response returned by the server. Maybe some required fields are missing.
Server setting error. Update stop.
Table 277 myZyXEL.com Logs (continued)
Get server response has failed.
    The device sent packets to the server, but did not receive a response. The root cause may be that the connection is abnormal.
Expiration dailycheck has failed:%s.
    The daily check for service expiration failed; an error message returned by the MyZyXEL.com server will be appended to this log. %s: error message returned by myZyXEL.com server
Do expiration dailycheck has failed.
Table 277 myZyXEL.com Logs (continued)
Self signed certificate.
    Verification of a server’s certificate failed because it is self-signed.
Self signed certificate in certificate chain.
    Verification of a server’s certificate failed because there is a self-signed certificate in the server’s certificate chain.
Verify peer certificates has succeeded.
    The device verified a server’s certificate while processing an HTTPS connection.
Table 278 IDP Logs (continued)
LOG MESSAGE | DESCRIPTION
Enable IDP engine succeeded. | The device turned on the IDP engine.
Disable IDP engine succeeded. | The device turned off the IDP engine.
IDP service is not registered. IDP will not be activated. | The IDP service has not been turned on and the IDP signatures will not be updated because the IDP service is not registered.
IDP service standard license is expired. Update signature failed. |
Add custom signature error: signature is over length. | An attempt to add a custom IDP signature failed because the signature's contents were too long.
Edit custom signature error: signature is over length. | An attempt to edit a custom IDP signature failed because the signature's contents were too long.
IDP off-line update failed. File damaged. | An update attempt for the IDP signatures failed.
from to [type=] , Action: , Severity: | The ZyWALL detected an intrusion in traffic traveling between the specified zones. The type is one of scan-detection(), flooddetection(), http-inspection() or tcpdecoder(). The remaining text gives details about the attack, although the message is dropped if the log is more than 128 characters.
Duplicate sid in import file at line . | The listed signature ID is duplicated at the listed line number in the signature file.
IDP rule has been deleted. | The listed IDP rule has been removed.
IDP rule has been moved to . | The IDP rule with the specified index number (first num) was moved to the specified index number (second num).
New IDP rule has been appended. |
Table 279 Application Patrol (continued)
MESSAGE | EXPLANATION
Protocol %s has been enabled. | The listed protocol has been turned on in the application patrol.
Protocol %s has been disabled. | The listed protocol has been turned off in the application patrol.
Classification mode of protocol %s has been modified to portless. | The device will now use the portless classification mode to identify the listed protocol's traffic.
Table 280 IKE Logs
LOG MESSAGE | DESCRIPTION
Peer has not announced DPD capability | The remote IPSec router has not announced its dead peer detection (DPD) capability to this device.
[COOKIE] Invalid cookie, no sa found | Cannot find an SA matching the cookie.
[DPD] No response from peer. Using existing Phase-1 SA in %u seconds. Trying with Phase-1 rekey. | The device's DPD feature has not detected a response from the remote IPSec router. %u is the retry time.
[SA] : Tunnel [%s] Phase 1 invalid protocol | %s is the tunnel name. When negotiating Phase-1, the packet's protocol field was not ISAKMP.
[SA] : Tunnel [%s] Phase 1 invalid transform | %s is the tunnel name. When negotiating Phase-1, the transform ID was invalid.
[SA] : Tunnel [%s] Phase 1 key group mismatch | %s is the tunnel name.
Could not dial manual key tunnel "%s" | %s is the tunnel name. The manual key tunnel cannot be dialed.
DPD response with invalid ID | A DPD response with an invalid ID was received and ignored.
DPD response with no active request | A DPD response was received although there is no active request.
IKE Packet Retransmit | The device retransmitted IKE packets.
Phase 1 IKE SA process done | Phase 1 negotiation is complete.
VPN gateway %s was enabled | %s is the gateway name. An administrator enabled the VPN gateway.
XAUTH fail! My name: %s | %s is my XAUTH name. This indicates that my name is invalid.
XAUTH fail! Remote user: %s | %s is the remote XAUTH name. This indicates that a remote user's name is invalid.
XAUTH succeed! My name: %s | %s is my XAUTH name. This indicates that my name is valid.
Table 281 IPSec Logs (continued)
LOG MESSAGE | DESCRIPTION
Get outbound transform fail | When an outgoing packet needs to be transformed, the engine cannot obtain the transform context.
Inbound transform operation fail | After encryption or hardware accelerated processing, the hardware accelerator dropped a packet (resource shortage, corrupt packet, invalid MAC, and so on).
Table 282 Firewall Logs (continued)
LOG MESSAGE | DESCRIPTION
Firewall %s %s rule %d was %s. | 1st %s is the from zone, 2nd %s is the to zone, %d is the index of the rule, 3rd %s is appended/inserted/modified.
Firewall %s %s rule %d has been moved to %d. | 1st %s is the from zone, 2nd %s is the to zone, 1st %d is the old index of the rule, 2nd %d is the new index of the rule.
Firewall %s %s rule %d has been deleted. |
Table 284 Policy Route Logs (continued)
LOG MESSAGE | DESCRIPTION
The policy route %d uses empty user group! | The rule uses an empty object group. %d: the policy route rule number
The policy route %d uses empty source address group! | The rule uses an empty object group.
The policy route %d uses empty destination address group! | The rule uses an empty object group.
The policy route %d uses empty service group | The rule uses an empty object group.
Policy-route rule %d was inserted. | The rule was inserted into the system.
Table 285 Built-in Services Logs (continued)
LOG MESSAGE | DESCRIPTION
HTTPS port has been changed to port %s. | An administrator changed the port number for HTTPS.
HTTPS port has been changed to default port. | An administrator changed the port number for HTTPS back to the default (443).
HTTP port has changed to port %s. | An administrator changed the port number for HTTP.
HTTP port has changed to default port. |
Console baud has been reset to %d. | An administrator changed the console port baud rate back to the default (115200). %d is the default baud rate.
DHCP Server on Interface %s will not work due to Device HA status is Stand-By | If the interface is in stand-by mode for Device HA, the DHCP server cannot run; otherwise it would conflict with the interface in master mode.
DNS access control rule %u has been moved to %d. | An administrator moved rule %u to index %d. %u is the previous index; %d is the current index.
The default record of Zone Forwarder have reached the maximum number of 128 DNS servers. | The default record has more than 128 DNS servers.
Interface %s ping check is successful. Zone Forwarder adds DNS servers in records. | The ping check succeeded, so the DNS servers were added in bind.
Access control rule %u of %s was modified. | An access control rule was modified successfully. %u is the index of the access control rule. %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET.
Access control rule %u of %s was deleted. | An access control rule was removed successfully. %u is the index of the access control rule. %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET.
Table 286 System Logs (continued)
LOG MESSAGE | DESCRIPTION
DHCP Server executed with cautious mode disabled | The DHCP server started with cautious mode disabled.
Received packet is not an ARP response packet | A packet was received but it is not an ARP response packet.
Receive an ARP response | The device received an ARP response.
Receive ARP response from %s (%s) | The device received an ARP response from the listed source.
Device is rebooted by administrator! | An administrator restarted the device.
Insufficient memory. | Cannot allocate system memory.
Connect to dyndns server has failed. | Cannot connect to members.dyndns.org to update DDNS.
Update the profile %s has failed because of strange server response. | The profile update failed because the server response was unexpected. %s is the profile name.
Update the profile %s has failed because the feature requested is only available to donators. | The profile update failed because the feature requested is only available to donators. %s is the profile name.
Update the profile %s has failed because of error response. | The profile update failed because the response is incorrect. %s is the profile name.
The profile %s has been paused because the HA interface of VRRP status was standby. | The profile was paused by Device HA because the VRRP status of that HA interface is standby. %s is the profile name.
Update the profile %s has failed because HA interface was linkdown. | The DDNS profile cannot be updated for the HA IP address because the HA interface is link-down. %s is the profile name.
Table 287 Connectivity Check Logs
LOG MESSAGE | DESCRIPTION
Can't open link_up2 | Cannot recover the routing status of a link that is down.
Can not open %s.pid | Cannot open the connectivity check process ID file. %s: interface name
Can not open %s.arg | Cannot open the configuration file for the connectivity check process. %s: interface name
The connectivitycheck is activate for %s interface | The link status of the interface is still active after the connectivity check process has run.
Can't use MULTICAST IP for destination | The connectivity check process cannot use a multicast address to check link status.
The destination is invalid, because destination IP is broadcast IP | The connectivity check process cannot use a broadcast address to check link status.
Can't get MAC address of %s interface! | The connectivity check process cannot get the MAC address of the interface.
Table 288 Device HA Logs (continued)
LOG MESSAGE | DESCRIPTION
%s file not existed, Skip syncing it for %s | There is no file to be synchronized from the Master when syncing an object (AV/AS/IDP/Certificate/System Configuration), although there should be something on the Master for the device to synchronize with. 1st %s: the syncing object; 2nd %s: the feature name for the syncing object.
Master firmware version can not be recognized. Stop syncing from Master. |
Device HA authentication type for VRRP group %s maybe wrong. | A VRRP group's Authentication Type (MD5 or IPSec AH) configuration may not match between the Backup and the Master. %s: the name of the VRRP group.
Device HA authenticaton string of text for VRRP group %s maybe wrong. | A VRRP group's Simple String (MD5) configuration may not match between the Backup and the Master. %s: the name of the VRRP group.
Table 289 Routing Protocol Logs
LOG MESSAGE | DESCRIPTION
RIP on interface %s has been stopped because Device-HA binds this interface. | Device HA is currently running on interface %s, so all local services on it, including RIP, have to be stopped.
RIP md5 authentication id and key have been deleted. | The RIP MD5 authentication ID and key have been deleted.
RIP global version has been deleted. | The RIP global version setting has been deleted.
RIP redistribute OSPF routes has been disabled. | Redistribution of OSPF routes into RIP has been disabled.
RIP redistribute static routes has been disabled. | Redistribution of static routes into RIP has been disabled.
Invalid OSPF virtuallink %s authentication of area %s. | Virtual link %s authentication has been set to same-as-area but the area has an invalid authentication configuration. %s: Virtual-Link ID
Invalid OSPF md5 authentication on interface %s. | Invalid OSPF MD5 authentication is set on interface %s. %s: Interface Name
Invalid OSPF text authentication on interface %s. |
Table 290 NAT Logs (continued)
LOG MESSAGE | DESCRIPTION
Register SIP ALG signal port=%d failed. | The SIP ALG failed to apply the signal port. %d: Port number
Register H.323 ALG extra port=%d failed. | The H.323 ALG failed to apply the additional signal port. %d: Port number
Register H.323 ALG signal port=%d failed. | The H.323 ALG failed to apply the signal port. %d: Port number
Register FTP ALG extra port=%d failed. | The FTP ALG failed to apply the additional signal port.
Table 291 PKI Logs (continued)
LOG MESSAGE | DESCRIPTION
SCEP enrollment "%s" successfully, CA "%s", URL "%s" | The device used SCEP to enroll a certificate. 1st %s is the request name, 2nd %s is the CA name, 3rd %s is the URL.
SCEP enrollment "%s" failed, CA "%s", URL "%s" | The device was unable to use SCEP to enroll a certificate.
Export X509 certificate "%s" from "Trusted Certificate" successfully | The device exported an X.509 format certificate from Trusted Certificates. %s is the certificate request name.
Export X509 certificate "%s" from "My Certificate" failed | The device was not able to export an X.509 format certificate from My Certificates. %s is the certificate request name.
CODE | DESCRIPTION
25 | Database method failed due to timeout.
26 | Database method failed.
27 | Path was not verified.
28 | Maximum path length reached.
Table 292 Interface Logs
LOG MESSAGE | DESCRIPTION
Interface %s has been deleted. | An administrator deleted an interface. %s is the interface name.
AUX Interface dialing failed. This AUX interface is not enabled. | A user tried to dial the AUX interface, but the AUX interface is not enabled.
Interface %s is enabled. | An administrator enabled an interface. %s: interface name.
Interface %s is disabled. | An administrator disabled an interface. %s: interface name.
%s MTU > (%s MTU - 8), %s may not work correctly. |
Interface %s connect failed: MS-CHAP authentication failed. | MS-CHAP authentication failed (the server must support MS-CHAP and have rejected the authentication; this does not include cases where the server does not support MS-CHAP). %s: interface name.
Interface %s connect failed: CHAP authentication failed. |
SIM card has been successfully unlocked by PUK code on interface cellular%d. | You entered the correct PUK code and unlocked the SIM card for the cellular device associated with the listed cellular interface (%d).
Incorrect PUK code of interface cellular%d. Please check the PUK code setting. |
Cellular device [%s %s] has been removed from %s. | The cellular device (identified by its manufacturer and model) has been removed from the specified slot.
Interface cellular%d required authentication password. Please set password in cellular%d edit page. | You need to manually enter the password for the listed cellular interface (%d).
Table 293 WLAN Logs
LOG MESSAGE | DESCRIPTION
Wlan %s is enabled. |
Table 293 WLAN Logs (continued)
LOG MESSAGE | DESCRIPTION
Station association has failed. Maximum associations have reached the maximum number. Interface: %s, MAC: %s. | A wireless client with the specified MAC address (second %s) failed to connect to the specified WLAN interface (first %s) because the WLAN interface already has its maximum number of wireless clients.
WPA authentication has failed. Interface: %s, MAC: %s. |
Table 295 Port Grouping Logs
LOG MESSAGE | DESCRIPTION
Interface %s links up because of changing Port Group. Enable DHCP client. | An administrator used port grouping to assign a port to a representative interface; this representative interface is set to DHCP client and has only one member, so the DHCP client is enabled. %s: interface name.
Interface %s links down because of changing Port Group. Disable DHCP client. |
Table 297 File Manager Logs (continued)
LOG MESSAGE | DESCRIPTION
ERROR:#%s, %s | Running the script failed; this log records the failing CLI command and the error message. 1st %s is the CLI command. 2nd %s is the error message returned when applying the CLI command.
WARNING:#%s, %s | Running the script failed; this log records the failing CLI command and the warning message. 1st %s is the CLI command. 2nd %s is the warning message returned when applying the CLI command.
Resetting system... | Logged before the configuration file is applied.
Table 299 E-mail Daily Report Logs
LOG MESSAGE | DESCRIPTION
Email Daily Report has been activated. | The daily e-mail report function has been turned on. The ZyWALL will e-mail a daily report about the selected items at the scheduled time if the required settings are configured correctly.
Email Daily Report has been deactivated. | The daily e-mail report function has been turned off. The ZyWALL will not e-mail daily reports.
Email daily report has been sent successfully. |
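The following script, an added example that is not part of the ZyXEL documentation, shows how a log collector can act on the messages documented in Tables 277, 280, 282 and 285: it turns the message templates into patterns, raises an alert when the same remote XAUTH user fails repeatedly (the only trace the tables give of password guessing against the VPN), flags a self-signed certificate on the myZyXEL.com update channel, and records administrative changes to firewall rules, the HTTPS port and service access control. The (timestamp, message) input pairs are constructed for the example; the IDP pattern's placeholder layout is assumed from the skeleton shown in Table 278, and the alert names and the failure threshold are the example's own.

```python
"""Detection pass over ZyWALL log messages (example, not ZyXEL code).

Input is a list of (timestamp, message) pairs where `message` is the text
documented in the Appendix A tables; the timestamps and lines below are
constructed for this example.
"""
import re
from collections import Counter

# Message templates from Tables 277, 280, 282 and 285 as regexes;
# each %s/%d placeholder becomes a named group.
TEMPLATES = {
    "xauth_fail": re.compile(r"^XAUTH fail! Remote user: (?P<user>.+)$"),
    "cert_untrusted": re.compile(r"^Self signed certificate( in certificate chain)?\.$"),
    "fw_rule": re.compile(
        r"^Firewall (?P<src>\S+) (?P<dst>\S+) rule (?P<idx>\d+) "
        r"(?:was (?P<op>appended|inserted|modified)|has been (?P<del>deleted))\.$"),
    "https_port": re.compile(r"^HTTPS port has been changed to (?:port (?P<port>\d+)|default port)\.$"),
    "acl_rule": re.compile(
        r"^Access control rule (?P<idx>\d+) of (?P<svc>HTTP|HTTPS|SSH|SNMP|FTP|TELNET) "
        r"was (?P<op>modified|deleted)\.$"),
    # Table 278 only shows the skeleton "from ... to ... [type=...], Action: ..., Severity: ...";
    # the placeholder layout assumed here is the example's own.
    "idp": re.compile(
        r"from (?P<src>\S+) to (?P<dst>\S+) \[type=(?P<type>[^\]]+)\], "
        r"Action: (?P<action>[^,]+), Severity: (?P<sev>\S+)"),
}

ADMIN_CHANGE = {"fw_rule", "https_port", "acl_rule"}
XAUTH_THRESHOLD = 3  # repeated XAUTH failures for one user => brute-force alert (example value)


def classify(message):
    """Return (template_name, captured_fields) or (None, {}) for unmatched text."""
    for name, pattern in TEMPLATES.items():
        m = pattern.search(message)
        if m:
            return name, m.groupdict()
    return None, {}


def analyze(entries, xauth_threshold=XAUTH_THRESHOLD):
    """Walk (timestamp, message) pairs and emit (kind, timestamp, detail) alerts."""
    alerts = []
    xauth_failures = Counter()
    for ts, message in entries:
        name, fields = classify(message)
        if name == "xauth_fail":
            user = fields["user"]
            xauth_failures[user] += 1
            if xauth_failures[user] == xauth_threshold:  # fire once per user
                alerts.append(("xauth_bruteforce", ts, user))
        elif name == "cert_untrusted":
            # The registration/update server presented a self-signed chain:
            # possible interception of the myZyXEL.com or signature-update channel.
            alerts.append(("update_channel_cert_untrusted", ts, message))
        elif name in ADMIN_CHANGE:
            alerts.append(("admin_change", ts, message))
        elif name == "idp":
            detail = "{type} {src}->{dst} action={action} severity={sev}".format(**fields)
            alerts.append(("idp_detected", ts, detail))
    return alerts


def summarize(alerts):
    """Count alerts per kind."""
    return Counter(kind for kind, _, _ in alerts)


# Constructed sample input (not real device output).
SAMPLE = [
    ("2010-03-01 10:00:01", "XAUTH fail! Remote user: alice"),
    ("2010-03-01 10:00:05", "XAUTH fail! Remote user: alice"),
    ("2010-03-01 10:00:09", "XAUTH fail! Remote user: alice"),
    ("2010-03-01 10:00:12", "XAUTH succeed! My name: hq-gateway"),
    ("2010-03-01 10:03:00", "Self signed certificate."),
    ("2010-03-01 10:05:00", "HTTPS port has been changed to port 8443."),
    ("2010-03-01 10:05:30", "Firewall WAN LAN rule 3 was modified."),
    ("2010-03-01 10:06:00", "Access control rule 1 of SSH was deleted."),
    ("2010-03-01 10:07:00", "Phase 1 IKE SA process done"),
    ("2010-03-01 10:08:00", "Signature from WAN to LAN [type=scan-detection()], Action: drop, Severity: high"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
    print(summarize(analyze(SAMPLE)))
```

Run it as a script to print the alerts for the sample; in a deployment the entries would come from the device's syslog feed and the XAUTH threshold would be tuned per site.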
APPENDIX B Common Services
The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Numbers Authority) web site.
• Name: This is a short, descriptive name for the service. You can use this one or create a different one, if you like.
• Protocol: This is the type of IP protocol used by the service.
Table 302 Commonly Used Services (continued)
NAME | PROTOCOL | PORT(S) | DESCRIPTION
ESP (IPSEC_TUNNEL) | User-Defined | 50 | The IPSec ESP (Encapsulating Security Payload) tunneling protocol uses this service. 50 is the IP protocol number, not a TCP/UDP port.
FINGER | TCP | 79 | Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.
FTP | TCP | 20, 21 | File Transfer Protocol, a program to enable fast transfer of files, including large files that may not be possible by e-mail.
H.
Table 302 Commonly Used Services (continued)
NAME | PROTOCOL | PORT(S) | DESCRIPTION
PPTP | TCP | 1723 | Point-to-Point Tunneling Protocol enables transfer of data over public networks. This is the control channel. PPTP's MS-CHAPv2 authentication and MPPE encryption are known to be weak, so it should not be relied on for confidentiality.
PPTP_TUNNEL (GRE) | User-Defined | 47 | PPTP (Point-to-Point Tunneling Protocol) data channel. 47 is the IP protocol number of GRE, not a TCP/UDP port.
RCMD | TCP | 512 | Remote Command Service.
Table 302 Commonly Used Services (continued)
NAME | PROTOCOL | PORT(S) | DESCRIPTION
TFTP | UDP | 69 | Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol).
VDOLIVE | TCP | 7000 | Another videoconferencing solution.
APPENDIX C Displaying Anti-Virus Alert Messages in Windows With the anti-virus packet scan, when a virus is detected, you can have the ZyWALL display an alert message on Microsoft Windows-based computers. If the log shows that virus files are being detected but your Microsoft Windows-based computer is not displaying an alert message, use one of the following procedures to make sure your computer is set to display the messages. Note that the Messenger service these procedures turn on is disabled by default from Windows XP Service Pack 2 onward and is not present in Windows Vista and later; it also accepts unauthenticated pop-up messages from any host that can reach the computer, so enable it only on networks where that is acceptable. Windows XP 1 Click Start > Control Panel > Administrative Tools > Services.
Appendix C Displaying Anti-Virus Alert Messages in Windows 2 Select the Messenger service and click Start. Figure 601 Windows XP: Starting the Messenger Service 3 Close the window when you are done. Windows 2000 1 Click Start > Settings > Control Panel > Administrative Tools > Services.
Appendix C Displaying Anti-Virus Alert Messages in Windows 2 Select the Messenger service and click Start Service. Figure 603 Windows 2000: Starting the Messenger Service 3 Close the window when you are done. Windows 98 SE/Me For Windows 98 SE/Me, you must open the WinPopup window in order to view real-time alert messages. Click Start > Run and enter “winpopup” in the field provided and click OK. The WinPopup window displays as shown.
Appendix C Displaying Anti-Virus Alert Messages in Windows 1 Right-click on the program task bar and click Properties. Figure 605 Windows 98 SE: Program Task Bar 2 Click the Start Menu Programs tab and click Advanced ... Figure 606 Windows 98 SE: Task Bar Properties 3 Double-click Programs and click StartUp.
Appendix C Displaying Anti-Virus Alert Messages in Windows 4 Right-click in the StartUp pane and click New, Shortcut. Figure 607 Windows 98 SE: StartUp 5 A Create Shortcut window displays. Enter “winpopup” in the Command line field and click Next.
Appendix C Displaying Anti-Virus Alert Messages in Windows 6 Specify a name for the shortcut or accept the default and click Finish. Figure 609 Windows 98 SE: Startup: Select a Title for the Program 7 A shortcut is created in the StartUp pane. Restart the computer when prompted. Figure 610 Windows 98 SE: Startup: Shortcut Note: The WinPopup window displays after the computer finishes the startup process (see Figure 604 on page 989).
APPENDIX D Importing Certificates This appendix shows you how to import public key certificates into your web browser. Public key certificates are used by web browsers to ensure that a secure web site is legitimate. When a certificate authority such as VeriSign, Comodo, or Network Solutions, to name a few, receives a certificate request from a website operator, they confirm that the web domain and contact information in the request match those on public record with a domain name registrar.
Appendix D Importing Certificates 1 If your device's Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error. This is expected when the ZyWALL is using its factory self-signed certificate, but an attacker interposed on the path would produce exactly the same warning, so before continuing open the certificate details and compare its fingerprint with the fingerprint of the certificate installed on the ZyWALL, obtained over a path you already trust (for example the console port). Only install the certificate if the two match. Figure 611 Internet Explorer 7: Certification Error 2 Click Continue to this website (not recommended). Figure 612 Internet Explorer 7: Certification Error 3 In the Address Bar, click Certificate Error > View certificates.
Appendix D Importing Certificates 4 In the Certificate dialog box, click Install Certificate. Figure 614 Internet Explorer 7: Certificate 5 In the Certificate Import Wizard, click Next.
Appendix D Importing Certificates 6 If you want Internet Explorer to Automatically select certificate store based on the type of certificate, click Next again and then go to step 9. Figure 616 Internet Explorer 7: Certificate Import Wizard 7 Otherwise, select Place all certificates in the following store and then click Browse.
Appendix D Importing Certificates 8 In the Select Certificate Store dialog box, choose a location in which to save the certificate and then click OK. Figure 618 Internet Explorer 7: Select Certificate Store 9 In the Completing the Certificate Import Wizard screen, click Finish.
Appendix D Importing Certificates 10 If you are presented with another Security Warning, click Yes. Figure 620 Internet Explorer 7: Security Warning 11 Finally, click OK when presented with the successful certificate installation message. Figure 621 Internet Explorer 7: Certificate Import Wizard 12 The next time you start Internet Explorer and go to a ZyXEL Web Configurator page, a sealed padlock icon appears in the address bar. Click it to view the page’s Website Identification information.
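Before clicking through the browser's certification error, a practitioner would compare the presented certificate's fingerprint with one obtained out of band; the following added example (not ZyXEL code, standard library only) does that: it reads the certificate the Web Configurator presents, prints the fingerprint in the colon-separated form certificate dialogs use, and compares it in constant time with a value the administrator recorded from the device over a trusted path. The placeholder certificate is a PEM wrapper around a few constructed bytes so that the script runs offline; `fetch_pem` performs the live retrieval, and the device address and the expected fingerprint are assumptions for the example.

```python
"""Checking a Web Configurator certificate against a known fingerprint before
installing it (added example, not ZyXEL code; standard library only).
A browser's "Continue to this website" prompt cannot tell a factory
self-signed certificate from one injected by a man-in-the-middle; comparing
the fingerprint with one obtained out of band can."""
import hashlib
import hmac
import ssl


def fetch_pem(host, port=443):
    """Retrieve the server's certificate as PEM without validating it; the
    fingerprint check below decides whether to trust it. (Network call, not
    exercised by the offline sample.)"""
    return ssl.get_server_certificate((host, port))


def fingerprint(pem, algorithm="sha256"):
    """Hex fingerprint of the DER-encoded certificate (sha256, sha1 or md5)."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.new(algorithm, der).hexdigest()


def colon_format(hex_digest):
    """AA:BB:CC:... form used in certificate dialogs."""
    return ":".join(hex_digest[i:i + 2] for i in range(0, len(hex_digest), 2)).upper()


def matches_pin(pem, expected, algorithm="sha256"):
    """Compare the presented certificate with the recorded fingerprint,
    ignoring colons, spaces and case, in constant time."""
    got = fingerprint(pem, algorithm)
    want = expected.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(got, want)


def trust_decision(pem, expected, algorithm="sha256"):
    """What the operator should do at the browser prompt."""
    if matches_pin(pem, expected, algorithm):
        return "install"
    return "refuse: fingerprint mismatch, possible interception"


# Constructed placeholder: a PEM wrapper around the bytes b"abc", not a real
# certificate, so the example runs offline. Replace with
# fetch_pem("192.168.1.1") (assumed device address) for the live check.
PLACEHOLDER_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
# Fingerprint the administrator would have read from the device over a trusted
# path (assumed value, matching the placeholder above).
EXPECTED_SHA256 = ("BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:"
                   "B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD")

if __name__ == "__main__":
    print(colon_format(fingerprint(PLACEHOLDER_PEM)))
    print(trust_decision(PLACEHOLDER_PEM, EXPECTED_SHA256))
```

The same check applies to the Firefox, Opera and Konqueror procedures later in this appendix: whichever browser is used, the decision to trust should rest on the fingerprint match, not on the prompt.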
Appendix D Importing Certificates Installing a Stand-Alone Certificate File in Internet Explorer Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you. 1 Double-click the public key certificate file. Figure 623 Internet Explorer 7: Public Key Certificate File 2 In the security warning dialog box, click Open.
Appendix D Importing Certificates 1 Open Internet Explorer and click Tools > Internet Options. Figure 625 Internet Explorer 7: Tools Menu 2 In the Internet Options dialog box, click Content > Certificates.
Appendix D Importing Certificates 3 In the Certificates dialog box, click the Trusted Root Certification Authorities tab, select the certificate that you want to delete, and then click Remove. Figure 627 Internet Explorer 7: Certificates 4 In the Certificates confirmation, click Yes. Figure 628 Internet Explorer 7: Certificates 5 In the Root Certificate Store dialog box, click Yes.
Appendix D Importing Certificates 6 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. Firefox The following example uses Mozilla Firefox 2 on Windows XP Professional; however, the screens can also apply to Firefox 2 on all platforms. 1 If your device’s Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.
Appendix D Importing Certificates 3 The certificate is stored and you can now connect securely to the Web Configurator. A sealed padlock appears in the address bar, which you can click to open the Page Info > Security window to view the web page’s security information.
Appendix D Importing Certificates 1 Open Firefox and click Tools > Options. Figure 632 Firefox 2: Tools Menu 2 In the Options dialog box, click Advanced > Encryption > View Certificates.
Appendix D Importing Certificates 3 In the Certificate Manager dialog box, click Web Sites > Import. Figure 634 Firefox 2: Certificate Manager 4 Use the Select File dialog box to locate the certificate and then click Open. Figure 635 Firefox 2: Select File 5 The next time you visit the web site, click the padlock in the address bar to open the Page Info > Security window to see the web page's security information.
Appendix D Importing Certificates Removing a Certificate in Firefox This section shows you how to remove a public key certificate in Firefox 2. 1 Open Firefox and click Tools > Options. Figure 636 Firefox 2: Tools Menu 2 In the Options dialog box, click Advanced > Encryption > View Certificates.
Appendix D Importing Certificates 3 In the Certificate Manager dialog box, select the Web Sites tab, select the certificate that you want to remove, and then click Delete. Figure 638 Firefox 2: Certificate Manager 4 In the Delete Web Site Certificates dialog box, click OK. Figure 639 Firefox 2: Delete Web Site Certificates 5 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
Appendix D Importing Certificates 1 If your device’s Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error. 2 Click Install to accept the certificate. Figure 640 Opera 9: Certificate signer not found 3 The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page’s security details.
Appendix D Importing Certificates Installing a Stand-Alone Certificate File in Opera Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you. 1 Open Opera and click Tools > Preferences.
Appendix D Importing Certificates 2 In Preferences, click Advanced > Security > Manage certificates.
Appendix D Importing Certificates 3 In the Certificates Manager, click Authorities > Import. Certificates imported on the Authorities tab are trusted to vouch for other sites, so verify the file's fingerprint before importing it here. Figure 644 Opera 9: Certificate manager 4 Use the Import certificate dialog box to locate the certificate and then click Open.
Appendix D Importing Certificates 5 In the Install authority certificate dialog box, click Install. Figure 646 Opera 9: Install authority certificate 6 Next, click OK. Figure 647 Opera 9: Install authority certificate 7 The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page's security details. Removing a Certificate in Opera This section shows you how to remove a public key certificate in Opera 9.
Appendix D Importing Certificates 1 Open Opera and click Tools > Preferences. Figure 648 Opera 9: Tools Menu 2 In Preferences, click Advanced > Security > Manage certificates.
Appendix D Importing Certificates 3 In the Certificates manager, select the Authorities tab, select the certificate that you want to remove, and then click Delete. Figure 650 4 Opera 9: Certificate manager The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. Note: There is no confirmation when you delete a certificate authority, so be absolutely certain that you want to go through with it before clicking the button.
Appendix D Importing Certificates 2 Click Continue. Figure 651 Konqueror 3.5: Server Authentication 3 Click Forever when prompted to accept the certificate. Figure 652 Konqueror 3.5: Server Authentication 4 Click the padlock in the address bar to open the KDE SSL Information window and view the web page’s security details. Figure 653 Konqueror 3.
Appendix D Importing Certificates Installing a Stand-Alone Certificate File in Konqueror Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you. 1 Double-click the public key certificate file. Figure 654 Konqueror 3.5: Public Key Certificate File 2 In the Certificate Import Result - Kleopatra dialog box, click OK. Figure 655 Konqueror 3.
Appendix D Importing Certificates 3 The next time you visit the web site, click the padlock in the address bar to open the KDE SSL Information window to view the web page’s security details. Removing a Certificate in Konqueror This section shows you how to remove a public key certificate in Konqueror 3.5. 1 Open Konqueror and click Settings > Configure Konqueror. Figure 657 Konqueror 3.5: Settings Menu 2 In the Configure dialog box, select Crypto.
Appendix D Importing Certificates 4 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. Note: There is no confirmation when you remove a certificate authority, so be absolutely certain you want to go through with it before clicking the button.
APPENDIX E Wireless LANs Wireless LAN Topologies This section discusses ad-hoc and infrastructure wireless LAN topologies. Ad-hoc Wireless LAN Configuration The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS).
Appendix E Wireless LANs with each other. When Intra-BSS is disabled, wireless client A and B can still access the wired network but cannot communicate with each other. Figure 660 Basic Service Set ESS An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN.
Appendix E Wireless LANs An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate. Figure 661 Infrastructure WLAN Channel A channel is the radio frequency(ies) used by wireless devices to transmit and receive data. Channels available depend on your geographical area.
Appendix E Wireless LANs wireless gateway, but out-of-range of each other, so they cannot "hear" each other, that is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other. Figure 662 RTS/CTS When station A sends data to the AP, it might not know that the station B is already using the channel.
Note: Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy. Fragmentation Threshold A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the AP will fragment the packet into smaller data frames.
(and vice versa) at 11 Mbps or lower depending on range. IEEE 802.11g has several intermediate rate steps between the maximum and minimum data rates. The IEEE 802.11g data rate and modulation are as follows:
Table 303 IEEE 802.11g
DATA RATE (MBPS) | MODULATION
1 | DBPSK (Differential Binary Phase Shift Keyed)
2 | DQPSK (Differential Quadrature Phase Shift Keying)
5.
accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are: • User based identification that allows for roaming. • Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server.
The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting: • Accounting-Request Sent by the access point requesting accounting. • Accounting-Response Sent by the RADIUS server to indicate that it has started or stopped accounting. In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password they both know. The key is not sent over the network.
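The shared-secret check described above, as an added example that is not part of the ZyWALL guide: an Accounting-Request and Accounting-Response are built and verified the way RFC 2866 defines the authenticators (the guide cites the earlier RFC 2139; the construction is the same). The secret, user name and session id are constructed placeholders.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types (RFC 2865/2866).
ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
ATTR_USER_NAME = 1
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_STATUS_START = 1

HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type | Length | Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Build an Accounting-Request as the access point (NAS) would.

    Request Authenticator = MD5(Code | Identifier | Length | 16 zero octets
                                | Attributes | Shared Secret).
    The secret goes into the hash but never into the packet itself.
    """
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, HEADER_LEN + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server-side check: recompute the Request Authenticator with the local secret."""
    if len(packet) < HEADER_LEN:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(authenticator, expected)


def build_accounting_response(request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Build the Accounting-Response the RADIUS server returns.

    Response Authenticator = MD5(Code | Identifier | Length | Request Authenticator
                                 | Attributes | Shared Secret).
    Including the Request Authenticator ties the reply to this specific request.
    """
    identifier = request[1]
    request_auth = request[4:20]
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, identifier, HEADER_LEN + len(attrs))
    authenticator = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """NAS-side check: the reply must match our outstanding request and our secret."""
    if len(response) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if code != ACCOUNTING_RESPONSE or identifier != request[1] or length != len(response):
        return False
    header, authenticator, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(authenticator, expected)


# Constructed sample exchange: an AP reports the start of one wireless session.
SHARED_SECRET = b"constructed-example-secret"  # placeholder, not a real secret
SAMPLE_ATTRS = (
    attribute(ATTR_USER_NAME, b"alice")
    + attribute(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START))
    + attribute(ATTR_ACCT_SESSION_ID, b"constructed-session-0001")
)


def sample_exchange(secret: bytes = SHARED_SECRET):
    """Return (request, response) for the constructed session above."""
    request = build_accounting_request(identifier=7, attrs=SAMPLE_ATTRS, secret=secret)
    response = build_accounting_response(request, attrs=b"", secret=secret)
    return request, response


if __name__ == "__main__":
    req, resp = sample_exchange()
    print("request valid:", verify_accounting_request(req, SHARED_SECRET))
    print("response valid:", verify_accounting_response(req, resp, SHARED_SECRET))
    print("response with wrong secret:", verify_accounting_response(req, resp, b"wrong"))
```

The MD5 authenticator is not a modern MAC and the check is only as strong as the secret, so the secret configured on the ZyWALL and on the RADIUS server should be long and random rather than a dictionary word.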
authentication method does not support data encryption with dynamic session key. You must configure WEP encryption keys for data encryption. EAP-TLS (Transport Layer Security) With EAP-TLS, digital certificates are needed by both the server and the wireless clients for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server.
Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange. For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types.
use Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP) to offer stronger encryption than TKIP. TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm called Rijndael.
authentication. These two features are optional and may not be supported in all wireless devices. Key caching allows a wireless client to store the PMK it derived through a successful authentication with an AP. The wireless client uses the PMK when it tries to connect to the same AP and does not need to go through the authentication process again. Pre-authentication enables fast roaming by allowing the wireless client (already connected to an AP) to perform IEEE 802.
4 The RADIUS server distributes the PMK to the AP. The AP then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys. The keys are used to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. Figure 663 WPA(2) with RADIUS Application Example WPA(2)-PSK Application Example A WPA(2)-PSK application looks as follows.
4 The AP and wireless clients use the TKIP or AES encryption process, the PMK and information exchanged in a handshake to create temporal encryption keys. They use these keys to encrypt data exchanged between them. Figure 664 WPA(2)-PSK Authentication Security Parameters Summary Refer to this table to see what other security parameters you should configure for each authentication method or key management protocol type.
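The WPA(2)-PSK key hierarchy the two application examples describe (PMK, then temporal keys from the handshake), as an added example that is not part of the ZyWALL guide: the passphrase and SSID give the PMK by PBKDF2-HMAC-SHA1 as IEEE 802.11i specifies, and the PMK, both MAC addresses and both handshake nonces are expanded into the KCK, KEK and TK. The MAC addresses and nonces are constructed; the "password"/"IEEE" PMK is the published IEEE 802.11i test vector.

```python
import hashlib
import hmac

# Constructed values for the walk-through (not from the guide): the AP and client
# MAC addresses and the two nonces exchanged in the 4-way handshake.
AP_MAC = bytes.fromhex("001122334455")   # "AA" (authenticator address) in 802.11i terms
STA_MAC = bytes.fromhex("66778899aabb")  # "SPA" (supplicant address)
ANONCE = bytes(range(32))                # constructed; a real AP picks this at random
SNONCE = bytes(range(32, 64))            # constructed; a real client picks this at random


def psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA(2)-PSK: the 256-bit PMK is PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32).

    Every client on the network derives the same PMK from the same passphrase,
    so the passphrase alone decides how strong the whole hierarchy below it is.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, out_len: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label | 0x00 | data | i)."""
    out = b""
    for i in range((out_len + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:out_len]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               cipher: str = "AES") -> dict:
    """Expand the PMK into the pairwise transient key (PTK) and split it.

    Inputs are ordered min/max so both sides compute the same key regardless of
    role. KCK authenticates handshake frames, KEK wraps the group key, TK encrypts
    data (16 bytes for AES/CCMP; 32 for TKIP, which also carries its MIC keys).
    """
    tk_len = 16 if cipher == "AES" else 32
    data = (min(aa, spa) + max(aa, spa)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 32 + tk_len)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}


def session_keys(passphrase: str, ssid: str, aa: bytes = AP_MAC, spa: bytes = STA_MAC,
                 anonce: bytes = ANONCE, snonce: bytes = SNONCE, cipher: str = "AES"):
    """Full chain for one association: passphrase -> PMK -> (KCK, KEK, TK)."""
    pmk = psk_to_pmk(passphrase, ssid)
    return pmk, derive_ptk(pmk, aa, spa, anonce, snonce, cipher)


if __name__ == "__main__":
    pmk, ptk = session_keys("password", "IEEE")
    print("PMK:", pmk.hex())
    for name, key in ptk.items():
        print(f"{name}: {key.hex()}")
```

Because the PMK never changes while the passphrase stays the same, rotating the pre-shared key (or moving to the RADIUS-based mode) is what actually refreshes the top of this hierarchy; the handshake only refreshes the keys below it.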
Antenna Overview An antenna couples RF signals into the air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air. Positioning the antennas properly increases the range and coverage area of a wireless LAN. Antenna Characteristics Frequency An antenna in the frequency of 2.4GHz (IEEE 802.11b and IEEE 802.11g) or 5GHz (IEEE 802.
• Omni-directional antennas send the RF signal out in all directions on a horizontal plane. The coverage area is torus-shaped (like a donut) which makes these antennas ideal for a room environment. With a wide coverage area, it is possible to make circular overlapping coverage areas with multiple access points. • Directional antennas concentrate the RF signal in a beam, like a flashlight does with the light from its bulb.
APPENDIX F Open Software Announcements End-User License Agreement for “ZyWALL USG 300” WARNING: ZyXEL Communications Corp. IS WILLING TO LICENSE THE SOFTWARE TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS LICENSE AGREEMENT. PLEASE READ THE TERMS CAREFULLY BEFORE COMPLETING THE INSTALLATION PROCESS AS INSTALLING THE SOFTWARE WILL INDICATE YOUR ASSENT TO THEM.
You may not remove any proprietary notice of ZyXEL or any of its licensors from any copy of the Software or Documentation. 4. Restrictions You may not publish, display, disclose, sell, rent, lease, modify, store, loan, distribute, or create derivative works of the Software, or any part thereof. You may not assign, sublicense, convey or otherwise transfer, pledge as security or otherwise encumber the rights and licenses granted hereunder with respect to the Software.
6. No Warranty THE SOFTWARE IS PROVIDED "AS IS." TO THE MAXIMUM EXTENT PERMITTED BY LAW, ZyXEL DISCLAIMS ALL WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
9. Audit Rights ZyXEL SHALL HAVE THE RIGHT, AT ITS OWN EXPENSE, UPON REASONABLE PRIOR NOTICE, TO PERIODICALLY INSPECT AND AUDIT YOUR RECORDS TO ENSURE YOUR COMPLIANCE WITH THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT. 10. Termination This License Agreement is effective until it is terminated. You may terminate this License Agreement at any time by destroying or returning to ZyXEL all copies of the Software and Documentation in your possession or under your control.
bridge-utils 0.9.5 http://linux-net.osdl.org/index.php/Bridge
dhcpcd-1.3.22-pl4 1.3.22-pl4 http://www.phystech.com/download/
ppp-2.4.2 2.4.2 http://ppp.samba.org/ppp/index.html
pptp-1.7.0 1.7.0 http://pptpclient.sourceforge.net/
rp-pppoe-3.5 3.5 http://www.roaringpenguin.com/penguin/open_source_rp-pppoe.php
vlan-1.8 1.8 http://www.candelatech.com/~greear/
keepalived-1.1.11-p1 1.1.11-p1 http://www.keepalived.org/
libnet 1.1.2.1 http://www.
libxml2-2.6.8 2.6.8 http://www.xmlsoft.org
libgcgi-0.9.5 0.9.5 http://catchen.org/gcgi/
Linux kernel 2.4.27 http://www.kernel.org/
hostapd-0.5.7 0.5.7 http://hostap.epitest.fi/hostapd/
wireless_tools.28 28 http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Tools.html
arp-sk-0.0.16 0.0.16 http://sid.rstack.org/arp-sk/
Prototype 1.6.0 http://www.prototypejs.org/
tablekit 1.2.1 http://www.millstream.com.au/view/code/tablekit/
ipset 2.3.
PPP License Copyright (c) 1993 The Australian National University. All rights reserved. Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by the Australian National University.
All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
This Product includes expat-1.95.
• This license is compatible with The GNU General Public License, Version 2 This is just like a Simple Permissive license, but it requires that a copyright notice be maintained.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/ )" 4.
be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com). Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used.
This Product includes libevent-1.1a and xinetd-2.3.14 software under the 3-clause BSD License. A 3-clause BSD-style license. This is a Free Software License. • This license is compatible with The GNU General Public License, Version 1 • This license is compatible with The GNU General Public License, Version 2 This is the BSD license without the obnoxious advertising clause. It's also known as the "modified BSD license."
* Neither the name of [original copyright holder] nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. $Id: COPYRIGHT,v 1.6.2.2 2002/02/12 06:05:48 marka Exp $ Portions Copyright (C) 1996-2001 Nominum, Inc.
Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.
"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity.
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License.
attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.
Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS Version 1.1 Copyright (c) 1999-2003 The Apache Software Foundation. All rights reserved.
USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foundation. For more information on the Apache Software Foundation, please see . Portions of this software are based upon public domain software originally written at the National Center for Supercomputing Applications, University of Illinois, Urbana-Champaign.
guarantee your freedom to share and change free software--to make sure the software is free for all its users. This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it.
Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.
0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you".
still operates, and performs whatever part of its purpose remains meaningful. (For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.
"work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License.
version is interface-compatible with the version that the work was made with. c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.
10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License. 11.
Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. 14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this.
pcmcia-cs-3.2.8, libeeprog, mgetty-1.1.35, gmp-4.1, msmtp-1.4.12 and libqsearch 0.8 software under GPL license. GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents.
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable.
whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices.
DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12.
means a mechanism generally accepted in the software development community for the electronic transfer of data. 1.5. "Executable" means Covered Code in any form other than Source Code. 1.6. "Initial Developer" means the individual or entity identified as the Initial Developer in the Source Code notice required by Exhibit A. 1.7. "Larger Work" means a work which combines Covered Code or portions thereof with code not governed by the terms of this License. 1.8.
1.11. "Source Code" means the preferred form of the Covered Code for making modifications to it, including all modules it contains, plus any associated interface definition files, scripts used to control compilation and installation of an Executable, or source code differential comparisons against either the Original Code or another well known, available Covered Code of the Contributor's choice.
Subject to third party intellectual property claims, each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license under intellectual property rights (other than patent or trademark) Licensable by Contributor, to use, reproduce, modify, display, perform, sublicense and distribute the Modifications created by such Contributor (or portions thereof) either on an unmodified basis, with other Modifications, as Covered Code and/or as part of a Larger W
made available via Electronic Distribution Mechanism, must remain available for at least twelve (12) months after the date it initially became available, or at least six (6) months after a subsequent version of that particular Modification has been made available to such recipients. You are responsible for ensuring that the Source Code version remains available even if the Electronic Distribution Mechanism is maintained by a third party. 3.3.
You must duplicate the notice in Exhibit A in each file of the Source Code. If it is not possible to put such notice in a particular Source Code file due to its structure, then You must include such notice in a location (such as a relevant directory) where a user would be likely to look for such a notice. If You created one or more Modification(s) You may add your name as a Contributor to the notice described in Exhibit A.
regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect. Such description must be included in the legal file described in Section 3.4 and must be included with all distributions of the Source Code. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it. 5.
(not the initial developer or any other contributor) assume the cost of any necessary servicing, repair or correction. This disclaimer of warranty constitutes an essential part of this license. No use of any covered code is authorized hereunder except under this disclaimer. 8. Termination 8.1.
granted by You or any distributor hereunder prior to termination shall survive termination. 9.
As between Initial Developer and the Contributors, each party is responsible for claims and damages arising, directly or indirectly, out of its utilization of rights under this License and You agree to work with Initial Developer and Contributors to distribute such responsibility on an equitable basis. Nothing herein is intended or shall be deemed to constitute any admission of liability. 13.
NOTE: The text of this Exhibit A may differ slightly from the text of the notices in the Source Code files of the Original Code. You should use the text of this Exhibit A rather than the text found in the Original Code Source Code for Your Modifications. This Product includes libnet-1.1.2.1, net-snmp-5.1.1, libpcap-0.9.4, openssh4.3p2, unzip-5.50, zip-2.3 and tcpdump-3.6.
USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This Product includes libxml2-2.6.8, Prototype 1.6.0 and persist-js-0.1.
Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following conditions are met: 1. Redistributions in source form must retain copyright statements and notices, 2.
Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted. This Product includes gd-2.0.36RC1 software under the below License Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health.
use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation.
Copyright (C) 1999, 2000, 2002 Aladdin Enterprises. All rights reserved. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: 1.
3. This notice may not be removed or altered from any source distribution. COPYRIGHT NOTICE, DISCLAIMER, and LICENSE: * * If you modify libpng you may insert additional notices immediately following * this sentence. * * libpng versions 1.2.6, August 15, 2004, through 1.2.12, June 27, 2006, are * Copyright (c) 2004, 2006 Glenn Randers-Pehrson, and are * distributed according to the same disclaimer and license as libpng-1.2.
* There is no warranty against interference with your enjoyment of the * library or against infringement. There is no warranty that our * efforts or the library will fulfill any of your particular purposes * or needs. This library is provided with all faults, and the entire * risk of satisfactory quality, performance, accuracy, and effort is with * the user. * * libpng versions 0.97, January 1998, through 1.0.
* Greg Roelofs * Tom Tanner * * libpng versions 0.5, May 1995, through 0.88, January 1996, are * Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc. * * For the purposes of this copyright and license, "Contributing Authors" * is defined as the following set of individuals: * * Andreas Dilger * Dave Martindale * Guy Eric Schalnat * Paul Schmidt * Tim Wegner * * The PNG Reference Library is supplied "AS IS".
* to the following restrictions: * * 1. The origin of this source code must not be misrepresented. * * 2. Altered versions must be plainly marked as such and * must not be misrepresented as being the original source. * * 3. This Copyright notice may not be removed or altered from * any source or altered source distribution. * * The Contributing Authors and Group 42, Inc.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the project nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
PARTICULAR PURPOSE ARE DISCLAIMED.
APPENDIX G Legal Information Copyright Copyright © 2010 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation.
• This device may not cause harmful interference. • This device must accept any interference received, including interference that may cause undesired operations. This device has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.
Notices Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment. This Class B digital apparatus complies with Canadian ICES-003. This Class B digital apparatus complies with Canadian standard NMB-003. Viewing Certifications 1 Go to http://www.zyxel.com. 2 Select your product on the ZyXEL home page to go to that product's page.
To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at http://www.zyxel.com/web/support_warranty_info.php. Registration Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com.
Index Index Symbols Numerics 1 to 1 NAT 98 1 to 1 SNAT 99 3322 Dynamic DNS 407 3DES 497 3G 118 3G see also cellular 311 A AAA Base DN 752 Bind DN 752, 755 directory structure 751 Distinguished Name, see DN DN 752, 753, 755, 756 password 755 port 754, 757 search time limit 755 SSL 755 AAA server 749 AD 751 and users 716 directory service 749 LDAP 749, 751 local user database 751 object, where used 110 RADIUS 750, 751, 755 RADIUS group 757 see also RADIUS access 47 access control attacks 601 Access Point N
and SNMP 853 and SSH 844 and Telnet 847 and VPN connections 470 and WWW 829 HOST 731 RANGE 732 SUBNET 732 types of 731 where used 110 address record 819 admin user troubleshooting 909 admin users 715 multiple logins 726 see also users 715 ADP 623 base profiles 624, 627 configuration overview 108 false negatives 628 false positives 628 inline profile 628 monitor profile 628 port scanning 635 prerequisites 108 protocol anomaly 624 signatures 287 traffic anomaly 624, 628 updating signatures 287 Advanced
packet types 574 polymorphic virus 587 prerequisites 108 priority 577 real-time alert message 989 registration status 578 scanner types 587 signatures 584 statistics 263 trial service activation 280 troubleshooting 897, 900 troubleshooting signatures update 896 updating signatures 284 virus 574 virus types 587 white list 580, 584 Windows 98/Me requirements 989 worm 574 AP (Access Point) 320, 1021 Apache server 639, 640 Apache-whitespace attack 639 APN 315 Application Layer Gateway, see ALG application
severity of 599 spam 600 trapdoor 601 trojan 601 truncated-address-header 641 truncated-header 641, 642 truncated-options 641 truncated-timestamp-header 642 TTCP-detected 641 types of 600 u-encoding 640 undersize-len 641 undersize-offset 641 UTF-8-encoding 640 virus 574, 601 worm 601 Authenex Strong Authentication System (ASAS) 750 authentication in IPSec 476 LDAP/AD 751 server 749 authentication algorithms 401, 496, 497 and active protocol 497 and routing protocols 401 MD5 401, 497 SHA1 497 text 401
brackets 34 bridge interfaces 290, 346 and virtual interfaces of members 346 basic characteristics 291 effect on routing table 346 member interfaces 346 virtual 356 bridges 345 broadcast storm troubleshooting 908 BSS 1019 buffer overflow 601 buffer overflow attacks 601 C CA 1027 and certificates 766 CA (Certificate Authority), see certificates capturing packets 886 card installation 921 and FTP 848 and HTTPS 825 and IKE SA 501 and SSH 843 and synchronization (device HA) 713 and VPN gateways 470 and
Common Event Format (CEF) 863, 869 common services 983 compression (stac) 790 computer names 301, 327, 342, 352, 361, 546 computer virus 574 infection and prevention 587 see also virus concurrent e-mail sessions 272, 678 configuration information 885 object-based 91 overview 99 web-based SSL application example 792 configuration file troubleshooting 911 configuration files 873 at restart 876 backing up 876 downloading 877 downloading with FTP 847 editing 873 how applied 874 lastgood.
D

dashboard 49, 51, 221
Data Encryption Standard, see DES
Data Terminal Ready, see DTR
date 811
daylight savings 812
DDNS 407
  backup mail exchanger 412
  configuration overview 103
  mail exchanger 412
  prerequisites 103
  service providers 407
  status 248
  troubleshooting 902
DDoS attacks 600
Dead Peer Detection, see DPD
decompression of files (in anti-virus) 580
default
  firewall behavior 450
  interfaces and zones 94
  LAN IP address 33
  login settings 915
  port mapping 33
default SNAT 99, 369
default trunk 369
d
  file structure 751
directory traversal attack 639
directory traversals 639
disclaimer 5, 1091
Distinguished Name (DN) 752, 753, 755, 756
Distributed Denial of Service (DDoS) attacks 600
distributed port scans 636
DN 752, 753, 755, 756
DNS 327, 815
  address records 819
  domain name forwarders 820
  domain name to IP address 819
  IP address to domain name 819
  L2TP VPN 546
  Mail eXchange (MX) records 821
  p

E

EAP Authentication 1026
e-Donkey 600
EGP (Exterior Gateway Protocol) 635
egress bandwidth 317
  and transport mode 503
ESS 1020
ESSID 325

filtered port scan 636
Firefox 47
firewall 449, 450
  actions 462
  and address groups 446, 462
  and address objects 446, 462
  and ALG 427, 430
  and application patrol 548
  and H.
flood detection 637
force user authentication policies
  prerequisites 111
forcing login 442
FQDN 819
fragmentation flag 613
fragmentation offset 613
fragmentation threshold 1023
fragmenting IPSec packets 471
front panel 35
front panel ports 33
FTP 847
  additional signaling port 433
  ALG 427
  and address groups 849
  and address objects 849
  and certificates 848
  and zones 849
  signaling port 433
  troubleshooting 903
  with Transport Layer Security (TLS) 848
full tunnel mode 43, 508, 514
Fully-Qualified Domain Nam
  code 614
  datagram length 642
  decoder 631, 639
  echo 637
  flood attack 637
  portsweep 636
  sequence number 614
  Time Stamp header length 642
  type 614
  unreachables 636
identification (IP) 612
identifying
  legitimate e-mail 675
  spam 676
IDP 589
  action 599, 634
  alerts 598
  and services 738
  applying custom signatures 618
  base profiles 590, 594
  configuration overview 108
  custom signature example 616
  custom signatures 607
  false negatives 596
  false positives 596
  inline profile 596
  log options 598, 600, 631, 634
  moni
inline profile 596, 628
inspection signatures 593
installation 33
Installation Setup Wizard 63
Instant Messenger (IM) 547, 600
  managing 547
interface
  bandwidth 554
  external 96, 298
  internal 96, 298
  mapping 33
  statistics 239
  status 224, 239
  troubleshooting 897
  type 96, 298
  types 93
interfaces 33, 92, 115, 289
  and DNS servers 361
  and HTTP redirect 426
  and layer-3 virtualization 290
  and NAT 417
  and physical ports 92, 290
  and policy routes 381
  and static routes 385
  and VPN gateways 470
  and VRRP groups 703
  basic troubleshooting 903
  certificates 486
  connections 470
  connectivity check 476
  Default_L2TP_VPN_Connection 544
  Default_L2TP_VPN_Connection example 185
  Default_L2TP_VPN_GW 544
  Default_L2TP_VPN_GW example 183
  encapsulation 475
  encryption 476
  ESP 475
  established in two phases 468
  fragmentation 471
  L2TP VPN 543
  local network 467
  local policy 475
  manual key 474
  NetBIOS 474
  peer 467
  Perfect Forward Secrecy 476
  PFS 476
  phase 2 settings 475
  policy enforcement 475
  remote access 474
  remote IPSec router 467
  r
L

L2TP VPN 543
  configuration overview 107
  configuring in Windows 2000 203
  configuring in Windows Vista 187
  configuring in Windows XP 197
  Default_L2TP_VPN_Connection 544
  Default_L2TP_VPN_Connection example 185
  Default_L2TP_VPN_GW 544
  Default_L2TP_VPN_GW example 183
  DNS 546
  example 183
  IPSec configuration 543
  policy routes 544
  prerequisites 107
  remote user configuration 187
  session monitor 262
  troubleshooting 905
  where used 107
  WINS 546
LAN interface 33
  IP address 33
LAND attack 638
lastgood.
  settings 861
  syslog servers 861
  system 861
  types of 861
loose source routing 608

M

MAC address
  and VLAN 335
  Ethernet interface 298
  filter 333
  range 224
macro virus 587
mail sessions threshold 678
main routing table 98
MSCHAP (Microsoft Challenge-Handshake

monitor 261
  SA 258
monitor menu 51
monitor profile
  ADP 628
  IDP 596
monitor screens 235
monitored interfaces 697
  device HA 701
MPPE (Microsoft Point-to-Point Encryption) 789
MTU 317
multiple slash encoding 640
multiple WAN IP addresses 174
  port forwarding, see NAT
  port translation, see NAT
  port triggering 386
  port triggering, see also policy routes
  prerequisites 104
  table 98
  traversal 501
  trigger port, see also policy routes
  tutorial 165, 168
NAT loopback 99
navigation panel 50
NBNS 301, 327, 342, 352, 361, 514
NetBIOS
  Broadcast over IPSec 474
  Name Server, see NBNS.

obsolete-options attack 641
offset (patterns) 615
  backbone (BR) 394
  backup designated (BDR) 394
  designated (DR) 394
  internal (IR) 393
  link state advertisements priority 394
  types of 393
other documentation 3
OTP (One-Time Password) 750
outgoing bandwidth 317
oversize
  chunk-encoding attack 640
  len attack 641
  offs

  calls 161, 429
  managing 547
Perfect Forward Secrecy (PFS) 476
  Diffie-Hellman key group 503
performance troubleshooting 900, 901, 902
Personal Identification Number code, see PIN code
PFS (Perfect Forward Secrecy) 476, 503
phishing 654
POP2 676
POP3 676
pop-up windows 47
port forwarding, see NAT
port groups 115, 290, 293
  and Ethernet interfaces 293
  and physical ports 293
  representative interfaces 293
port mapping 33
port scan, filtered 636
port scanning 635
port speed 855
PSK

  packet inspection 597
protocol usage statistics 256, 257
protocol anomaly 624, 639
  detection 631
proxy servers 424
  web, see web proxy servers
PTR record 819
public server tutorial 165
Public-Key Infrastructure (PKI) 766
public-private key pairs 765
registration 277
  and content filtering 648, 650, 652
  configuration overview 100
  prerequisites 100
  product 1094
  subscription services, see subscription services
registration status
  anti-virus 578
  application patrol 558
  IDP 592
regular expressions 260
reject (IDP)
  both 599, 634
  receiver 599, 634
  sender 599, 634
related documentation 3
Relative Distinguished Name (RDN) 752, 753, 755, 756
remote access
  IPSec 474
Remote Authentication Dial-In User Service, see RADIUS
remote desktop connections 792
Remote D
RTS (Request To Send) 1022
  threshold 1021, 1023
service objects 737
service set 325
Service Set IDentity, See SSID.
  anti-virus 584
  IDP 589
  packet inspection 597
  updating 283
SIM card 316
Simple Certificate Enrollment Protocol (SCEP) 773
Simple Mail Transfer Protocol, see SMTP 676
Simple Network Management Protocol, see SNMP
Simple Traversal of UDP through NAT, see STUN
SIP 428, 434
  ALG 427
  and firewall 429
  and RTP 434
  media inactivity timeout 432
  signaling inactivity timeout 432
  signaling port 432
  troubleshootin

  device 915
  feature 916
  hardware 915
spillover (for load balancing) 366
spyware 655
SQL slammer 621
SSL application object 791
  file sharing 791
  file sharing application 796
  remote user screen links 791
  summary 793
  types 791
  web-based 791, 794
  web-based example 792
  where used 110
SSL policy
  add 512
  edit 512
  objects used 508
status bar 57
  warning message popup 57
stopping the ZyWALL 36, 37
streaming protocols management 547
strict source routing 608
stub area 392
STUN 429
  and ALG 429
subscription services 278
  and synchronization (device HA) 694
  AppPatrol 280
  content filtering 280
  IDP 280
  new IDP/AppP
T

T/TCP 641
tables 59
target market 33
task bar properties 990
TCP 737
  ACK (acknowledgment) 637
  ACK number 614
  attack packet 599, 634
  connections 737
  decoder 631, 639
  decoy portscan 636
  distributed portscan 636
  flag bits 614
  port numbers 738
  portscan 635
  portsweep 636
  RST 636
  SYN (synchronize) 637
  SYN flood 637
  window size 614
technical reference 219
Telnet 845
  and address groups 847
  and address objects 847
  and zones 847
  with SSH 844
Temporal Key Integrity Protocol (TKIP) 1028
terminology differences
  IDP 897, 901
  IDP signatures update 896
  interface 897
  Internet access 896, 907
  IPSec VPN 903
  L2TP VPN 905
  LEDs 895
  logo 911
  logs 911
  management access 910
  packet capture 912
  packet flow 96
  performance 900, 901, 902
  policy route 897, 907
  port triggering 902
  PPP 898
  RADIUS server 908
  routing 902
  schedules 909
  security settings 897
  shell scripts 911
  SIP 903
  SNAT 902
  SSL 906
  SSL VPN 906
  throughput rate 911
  VLAN 899
  VPN 905
  VPN concentrator 905
  WLAN 899
  zipped files 900
truncated-address-header attack 641
t
user accounts for WLAN 123

  configuration overview 110
  currently logged in 226, 232
  default lease time 725, 727
  default reauthentication time 725, 727
  default type for Ext-User 716
  ext-group-user (type) 716
  Ext-User (type) 716
  ext-user (type) 716
  groups, see user groups
  Guest (type) 716
  lease time 720
  limited-admin (type) 716
  lockout 726
  logged in 250
  prerequisites for force user authentication policies 111
  reauthentication time 721
  types of 715
  user (type) 716
  user names 718
user authentication 715
  macro 587
  mutation 587
  polymorphic 587
  scan 574
VLAN 335
  advantages 336
  and MAC address 335
  ID 335
  troubleshooting 899
VLAN interfaces 290, 336
  and Ethernet interfaces 336, 899
  basic characteristics 291
  virtual 356
VoIP pass through 434
  and firewall 430
  and NAT 430
  and policy routes 429, 430
  see also ALG 428
VPN 467
  active protocol 502
  and NAT 500
  and the firewall 452
  basic troubleshooting 903
  hub-and-spoke, see VPN concentrator
  IKE SA, see IKE SA
  IPSec 467
  IPSec SA proposal 497
  security associations
weighted round robin (for load balancing) 366
white list (anti-spam) 675, 681, 683, 685
Wi-Fi Protected Access 1028
Windows Internet Naming Service, see WINS

  vs WPA2-PSK 1029
  wireless client supplicant 1030
  with RADIUS application example 1030
WPA2-Pre-Shared Key (WPA2-PSK) 1028
WPA2-PSK 1028, 1029
  application example 1031