ZyXEL ZyWALL 1100 User Manual


A Proper User Manual

Regulations oblige the seller to hand over the ZyXEL ZyWALL 1100 user manual to the buyer together with the goods. A missing manual, or incorrect information passed on to the consumer, constitutes grounds for a complaint on the basis of the device's non-conformity with the contract. The law permits supplying a user manual in a form other than paper, which has recently become very common, by including a graphical or electronic manual for the ZyXEL ZyWALL 1100 as well as instructional videos for users. The condition is that its form is legible and understandable.

What is a user manual?

The word comes from the Latin "instructio", i.e. to arrange. Accordingly, the ZyXEL ZyWALL 1100 manual contains a description of the steps of the procedures. The purpose of the manual is to instruct and to simplify starting up and using the device or carrying out particular tasks. The manual is a collection of information about an object or service, a guide.

Unfortunately, not many users devote time to the ZyXEL ZyWALL 1100 user manual. A good user manual not only lets you get to know a number of additional functions of the purchased device, but also helps to avoid many errors.

So what should an ideal user manual contain?

The ZyXEL ZyWALL 1100 user manual should contain above all the following:
- Information about the technical data of the ZyXEL ZyWALL 1100
- The name of the manufacturer and the year of manufacture of the ZyXEL ZyWALL 1100
- Principles for operating, adjusting and maintaining the ZyXEL ZyWALL 1100
- Safety marks and certificates that confirm conformity with the relevant standards

Why don't we read user manuals?

The reason is a lack of time and confidence about the particular functions of the purchased devices. Unfortunately, connecting and starting the ZyXEL ZyWALL 1100 is not enough. A manual contains a number of tips regarding particular functions, safety principles, maintenance methods (even which products to use), possible faults of the ZyXEL ZyWALL 1100 and ways of solving problems that may occur during use. Finally, the user manual gives the contact number for ZyXEL service in case the suggested solutions do not work. Currently, manuals in the form of interesting animations or video tutorials are gaining popularity, as they appeal to the user more than a brochure. This kind of manual ensures that the user watches the whole video without skipping the detailed and complicated technical descriptions of the ZyXEL ZyWALL 1100, as happens with the paper form.

Why should you read user manuals?

In the user manual we find above all answers about the construction and capabilities of the ZyXEL ZyWALL 1100, about the use of particular accessories, and a range of information that allows all functions and conveniences to be used.

After a successful purchase of the device, you should take some time to get to know every part of the ZyXEL ZyWALL 1100 manual. Nowadays manuals are carefully prepared or translated so that they are not only understandable for users but also fulfil their basic function of providing help and information.

Table of contents of the user manual

  • Page 1

    Quick Start Guide www.zyxel.com ZyWALL 110/310/1100 Series VPN Firewall Version 3.10 Edition 2, 02/2013 Copyright © 2013 ZyXEL Communications Corporation User’s Guide Default Login Details LAN Port IP Address https://192.168.1.1 User Name admin Password 1234[...]

  • Page 2

    ZyWALL 110/310/1100 Series User’s Guide 2 IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE. This is a User’s Guide for a series of products. Not all products support all firmware features. Screenshots and graphics in this book may differ slightly from your product due to differences in your product firmware or you[...]

  • Page 3

    ZyWALL 110/310/1100 Series User’s Guide 3 Chapter 1 Introduction ... 17 1.1 Overview ...[...]

  • Page 4

    ZyWALL 110/310/1100 Series User’s Guide 4 4.3.5 VPN Express Wizard - Summary ... 51 4.3.6 VPN Express Wizard - Finish ... 52 4.3.7 VPN Advanced Wiza[...]

  • Page 5

    ZyWALL 110/310/1100 Series User’s Guide 5 6.9.1 More Information ... 95 6.10 USB Storage Screen ...[...]

  • Page 6

    ZyWALL 110/310/1100 Series User’s Guide 6 8.2 The Trunk Summary Screen ... 180 8.2.1 Configuring a User-Defined Trunk ... 181 8.2.2 Configur[...]

  • Page 7

    ZyWALL 110/310/1100 Series User’s Guide 7 Chapter 13 NAT ... 221 13.1 NAT Overview ...[...]

  • Page 8

    ZyWALL 110/310/1100 Series User’s Guide 8 Chapter 18 Authentication Policy ... 253 18.1 Overview ...[...]

  • Page 9

    ZyWALL 110/310/1100 Series User’s Guide 9 Chapter 21 SSL VPN ... 317 21.1 Overview ...[...]

  • Page 10

    ZyWALL 110/310/1100 Series User’s Guide 10 24.1.2 What You Need to Know ... 345 24.2 L2TP VPN Screen ... 347 Chapt[...]

  • Page 11

    ZyWALL 110/310/1100 Series User’s Guide 11 28.2.1 IPv4 Address Add/Edit Screen ... 386 28.2.2 IPv6 Address Add/Edit Screen ... 387 28.3 Address Group Sum[...]

  • Page 12

    ZyWALL 110/310/1100 Series User’s Guide 12 32.2 Authentication Method Objects ... 410 32.2.1 Creating an Authentication Method Object ... 410 Chapter 33 Certificate[...]

  • Page 13

    ZyWALL 110/310/1100 Series User’s Guide 13 Chapter 37 System ... 443 37.1 Overview ...[...]

  • Page 14

    ZyWALL 110/310/1100 Series User’s Guide 14 37.12 Language Screen ... 483 37.13 IPv6 Screen ...[...]

  • Page 15

    ZyWALL 110/310/1100 Series User’s Guide 15 Chapter 42 Reboot ... 525 42.1 Overview ...[...]

  • Page 16

    ZyWALL 110/310/1100 Series User’s Guide 16[...]

  • Page 17

    ZyWALL 110/310/1100 Series User’s Guide 17 CHAPTER 1 Introduction 1.1 Overview Note: This help covers the following ZyWALL models and refers to them all as “ZyWALL”. Features and interface names vary by model. Key feature differences between ZyWALL models are as follows. Other features are common to all models although features[...]

  • Page 18

    Chapter 1 Introduction ZyWALL 110/310/1100 Series User’s Guide 18 Figure 2 Applications: VPN Connectivity SSL VPN Network Access SSL VPN lets remote users use their web browsers for a very easy-to-use VPN solution. A user just browses to the ZyWALL’s web address and enters his user name and password to securely connect to the ZyWALL’s ne[...]

  • Page 19

    Chapter 1 Introduction ZyWALL 110/310/1100 Series User’s Guide 19 Figure 4 Applications: User-Aware Access Control Load Balancing Set up multiple connections to the Internet on the same port, or different ports, including cellular interfaces. In either case, you can balance the traffic loads between them. Figure 5 Applications: Multiple WAN [...]

  • Page 20

    Chapter 1 Introduction ZyWALL 110/310/1100 Series User’s Guide 20 Command-Line Interface (CLI) The CLI allows you to use text-based commands to configure the ZyWALL. Access it using remote management (for example, SSH or Telnet) or via the physical or Web Configurator console port. See the Command Reference Guide for CLI details. The default[...]

  • Page 21

    Chapter 1 Introduction ZyWALL 110/310/1100 Series User’s Guide 21 4 Click Login. If you logged in using the default user name and password, the Update Admin Info screen appears. Otherwise, the dashboard appears. 5 Follow the directions in the Update Admin Info screen. If you change the default password, the Login screen appears after you click [...]

  • Page 22

    Chapter 1 Introduction ZyWALL 110/310/1100 Series User’s Guide 22 The title bar icons in the upper right corner provide the following functions. About Click About to display basic information about the ZyWALL. Figure 8 About Site Map Click Site MAP to see an overview of links to the Web Configurator screens. Click a screen’s link to go to t[...]

  • Page 23

    Chapter 1 Introduction ZyWALL 110/310/1100 Series User’s Guide 23 Figure 9 Site Map Object Reference Click Object Reference to open the Object Reference screen. Select the type of object and the individual object and click Refresh to show which configuration settings reference the object. Figure 10 Object Reference The fields vary with the ty[...]

  • Page 24

    Chapter 1 Introduction ZyWALL 110/310/1100 Series User’s Guide 24 Console Click Console to open a Java-based console window from which you can run CLI commands. You will be prompted to enter your user name and password. See the Command Reference Guide for information about the commands. Figure 11 Console Window CLI Messages Click CLI to loo[...]

  • Page 25

    Chapter 1 Introduction ZyWALL 110/310/1100 Series User’s Guide 25 1.3.3 Navigation Panel Use the navigation panel menu items to open status and configuration screens. Click the arrow in the middle of the right edge of the navigation panel to hide the panel or drag to resize it. The following sections introduce the ZyWALL’s navigation pa[...]

  • Page 26

    Chapter 1 Introduction ZyWALL 110/310/1100 Series User’s Guide 26 Configuration Menu Use the configuration menu screens to configure the ZyWALL’s features. Cellular Status Displays details about the ZyWALL’s 3G connection status. USB Storage Displays details about USB device connected to the ZyWALL. VPN Monitor IPSec Displays and ma[...]

  • Page 27

    Chapter 1 Introduction ZyWALL 110/310/1100 Series User’s Guide 27 Firewall Firewall Create and manage level-3 traffic rules. Session Control Limit the number of concurrent client NAT/firewall sessions. VPN IPSec VPN VPN Connection Configure IPSec tunnels. VPN Gateway Configure IKE tunnels. Concentrator Combine IPSec VPN connections into [...]

  • Page 28

    Chapter 1 Introduction ZyWALL 110/310/1100 Series User’s Guide 28 Maintenance Menu Use the maintenance menu screens to manage configuration and firmware files, run diagnostics, and reboot or shut down the ZyWALL. 1.3.4 Tables and Lists Web Configurator tables and lists are flexible with several options for how to display their entries. Cl[...]

  • Page 29

    Chapter 1 Introduction ZyWALL 110/310/1100 Series User’s Guide 29 Figure 14 Sorting Table Entries by a Column’s Criteria Click the down arrow next to a column heading for more options about how to display the entries. The options available vary depending on the type of fields in the column. Here are some examples of what you can do: • [...]

  • Page 30

    Chapter 1 Introduction ZyWALL 110/310/1100 Series User’s Guide 30 Figure 17 Moving Columns Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time. Figure 18 Navigating Pages of Table Entries The tables have icons for working with table entries. You can of[...]

  • Page 31

    Chapter 1 Introduction ZyWALL 110/310/1100 Series User’s Guide 31 Working with Lists When a list of available entries displays next to a list of selected entries, you can often just double-click an entry to move it from one list to the other. In some lists you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use t[...]

  • Page 32

    Chapter 1 Introduction ZyWALL 110/310/1100 Series User’s Guide 32[...]

  • Page 33

    ZyWALL 110/310/1100 Series User’s Guide 33 CHAPTER 2 Installation Setup Wizard 2.1 Installation Setup Wizard Screens When you log into the Web Configurator for the first time or when you reset the ZyWALL to its default configuration, the Installation Setup Wizard screen displays. This wizard helps you configure Internet connection settings a[...]

  • Page 34

    Chapter 2 Installation Setup Wizard ZyWALL 110/310/1100 Series User’s Guide 34 • WAN Interface: This is the interface you are configuring for Internet access. • Zone: This is the security zone to which this interface and Internet connection belong. • IP Address Assignment: Select Auto if your ISP did not assign you a fixed IP address. [...]

  • Page 35

    Chapter 2 Installation Setup Wizard ZyWALL 110/310/1100 Series User’s Guide 35 • Type the Password associated with the user name. Use up to 64 ASCII characters except the [] and ?. This field can be blank. • Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses befor[...]

  • Page 36

    Chapter 2 Installation Setup Wizard ZyWALL 110/310/1100 Series User’s Guide 36 • Type a Connection ID or connection name. It must follow the “c:id” and “n:name” format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your broadband modem or router. You can use alphanumeric and -_ : chara[...]

  • Page 37

    ZyWALL 110/310/1100 Series User’s Guide 37 CHAPTER 3 Hardware Introduction 3.1 Default Zones, Interfaces, and Ports The default configurations for zones, interfaces, and ports are as follows. References to interfaces may be generic rather than the specific name used in your model. For example, this guide may use “the WAN interface” r[...]

  • Page 38

    Chapter 3 Hardware Introduction ZyWALL 110/310/1100 Series User’s Guide 38 Note: Use an 8-wire Ethernet cable to run your Gigabit Ethernet at 1000 Mbps. Using a 4-wire Ethernet cable limits your connection to 100 Mbps. Note that the connection speed also depends on what the Ethernet device at the other end can support. 3.2 Stopping the ZyWAL[...]

  • Page 39

    Chapter 3 Hardware Introduction ZyWALL 110/310/1100 Series User’s Guide 39 3.4 Wall-mounting See Chapter 1 on page 17 for the ZyWALL models that can be wall-mounted. Do the following to attach your ZyWALL to a wall. 1 Screw two screws with 6 mm ~ 8 mm (0.24" ~ 0.31") wide heads into the wall 150 mm apart (see the figure in step [...]

  • Page 40

    Chapter 3 Hardware Introduction ZyWALL 110/310/1100 Series User’s Guide 40 Figure 21 ZyWALL Front Panel The following tables describe the LEDs. Table 10 Front Panel LEDs LED COLOR STATUS DESCRIPTION PWR Off The ZyWALL is turned off. Green On The ZyWALL is turned on. Red On There is a hardware component failure. Shut down the device,[...]

  • Page 41

    Chapter 3 Hardware Introduction ZyWALL 110/310/1100 Series User’s Guide 41 3.5.1 Rear Panels The following graphic shows the rear panel of the ZyWALL. Table 11 Rear Panel LABEL DESCRIPTION Console You can use the console port to manage the ZyWALL using CLI commands. You will be prompted to enter your user name and password. See the Co[...]

  • Page 42

    Chapter 3 Hardware Introduction ZyWALL 110/310/1100 Series User’s Guide 42[...]

  • Page 43

    ZyWALL 110/310/1100 Series User’s Guide 43 CHAPTER 4 Quick Setup Wizards 4.1 Quick Setup Overview The Web Configurator's quick setup wizards help you configure Internet and VPN connection settings. This chapter provides information on configuring the quick setup screens in the Web Configurator. See the feature-specific chapters in this[...]

  • Page 44

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 44 Figure 23 WAN Interface Quick Setup Wizard 4.2.1 Choose an Ethernet Interface Select the Ethernet interface that you want to configure for a WAN connection and click Next. Figure 24 Choose an Ethernet Interface 4.2.2 Select WAN Type WAN Type Selection: Select the type [...]

  • Page 45

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 45 Figure 25 WAN Interface Setup: Step 2 The screens vary depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information. Note: Enter the Internet access [...]

  • Page 46

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 46 Figure 27 WAN and ISP Connection Settings: (PPTP Shown) The following table describes the labels in this screen. Table 12 WAN and ISP Connection Settings LABEL DESCRIPTION ISP Parameter This section appears if the interface uses a PPPoE or PPTP Internet connection. Enca[...]

  • Page 47

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 47 4.2.5 Quick Setup Interface Wizard: Summary This screen displays the WAN interface’s settings. Figure 28 Interface Wizard: Summary WAN (PPTP Shown) Server IP Type the IP address of the PPTP server. Connection ID Enter the connection ID or connection name in this fie[...]

  • Page 48

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 48 The following table describes the labels in this screen. 4.3 VPN Setup Wizard Click VPN Setup in the main Quick Setup screen to open the VPN Setup Wizard Welcome screen. Figure 29 VPN Setup Wizard 4.3.1 Welcome Use wizards to create Virtual Private Network (VPN) rules. Afte[...]

  • Page 49

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 49 • VPN Setup configures a VPN tunnel for a secure connection to another computer or network. • VPN Settings for Configuration Provisioning sets up a VPN rule the ZyWALL IPSec VPN Client can retrieve. Just enter a user name, password and the IP address of the ZyWALL [...]

  • Page 50

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 50 4.3.3 VPN Express Wizard - Scenario Click the Express radio button as shown in Figure 31 on page 49 to display the following screen. Figure 32 VPN Express Wizard: Scenario Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 al[...]

  • Page 51

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 51 4.3.4 VPN Express Wizard - Configuration Figure 33 VPN Express Wizard: Configuration • Secure Gateway: Any displays in this field if it is not configurable for the chosen scenario. Otherwise, enter the WAN IP address or domain name of the remote IPSec device (secure ga[...]

  • Page 52

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 52 Figure 34 VPN Express Wizard: Summary • Rule Name: Identifies the VPN gateway policy. • Secure Gateway: IP address or domain name of the remote IPSec device. If this field displays Any, only the remote IPSec device can initiate the VPN connection. • Pre-Shared Ke[...]

  • Page 53

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 53 Figure 35 VPN Express Wizard: Finish Click Close to exit the wizard. 4.3.7 VPN Advanced Wizard - Scenario Click the Advanced radio button as shown in Figure 31 on page 49 to display the following screen.[...]

  • Page 54

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 54 Figure 36 VPN Advanced Wizard: Scenario Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive[...]

  • Page 55

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 55 Figure 37 VPN Advanced Wizard: Phase 1 Settings • Secure Gateway: Any displays in this field if it is not configurable for the chosen scenario. Otherwise, enter the WAN IP address or domain name of the remote IPSec device (secure gateway) to identify the remote IPSec de[...]

  • Page 56

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 56 • Dead Peer Detection (DPD) has the ZyWALL make sure the remote IPSec device is there before transmitting data through the IKE SA. If there has been no traffic for at least 15 seconds, the ZyWALL sends a message to the remote IPSec device. If it responds, the ZyWALL [...]

  • Page 57

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 57 4.3.10 VPN Advanced Wizard - Summary This is a read-only summary of the VPN tunnel settings. Figure 39 VPN Advanced Wizard: Step 5 • Rule Name: Identifies the VPN connection (and the VPN gateway). • Secure Gateway: IP address or domain name of the remote IPSec devi[...]

  • Page 58

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 58 Figure 40 VPN Wizard: Finish Click Close to exit the wizard. 4.4 VPN Settings for Configuration Provisioning Wizard: Wizard Type Use VPN Settings for Configuration Provisioning to set up a VPN rule that can be retrieved with the ZyWALL IPSec VPN Client. VPN rules for[...]

  • Page 59

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 59 Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and to use a pre-shared key. Choose Advanced to change the default settings and/or use certificates instead of a pre-shared key in the VPN rule. Figure 41 VPN Settings for Configuration[...]

  • Page 60

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 60 Figure 42 VPN for Configuration Provisioning Express Wizard: Settings Scenario Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be[...]

  • Page 61

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 61 Figure 43 VPN for Configuration Provisioning Express Wizard: Configuration • Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the ZyWALL IPSec VPN Client. • Pre-Shared Key: Type the pass[...]

  • Page 62

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 62 Figure 44 VPN for Configuration Provisioning Express Wizard: Save • Rule Name: Identifies the VPN gateway policy. • Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the ZyWALL IPSec VPN C[...]

  • Page 63

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 63 Figure 45 VPN for Configuration Provisioning Express Wizard: Finish Click Close to exit the wizard. 4.4.5 VPN Settings for Configuration Provisioning Advanced Wizard - Scenario Click the Advanced radio button as shown in the screen shown in Figure 41 on page 59 to displ[...]

  • Page 64

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 64 Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Application Scenario: Only the Remote[...]

  • Page 65

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 65 • Authentication Algorithm: MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. MD5 gives minimal security. SHA1 gives higher security and SHA256 gives the highest security. The stronger the algorithm, the slow[...]

  • Page 66

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 66 • Remote Policy (IP/Mask): Any displays in this field because it is not configurable in this wizard. • Nailed-Up: This displays for the site-to-site and remote access client role scenarios. Select this to have the ZyWALL automatically renegotiate the IPSec SA when t[...]

  • Page 67

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 67 VPN Connection screen. Enter the IP address of the ZyWALL in the ZyWALL IPSec VPN Client to get all these VPN settings automatically from the ZyWALL. Figure 50 VPN for Configuration Provisioning Advanced Wizard: Finish Click Close to exit the wizard.[...]

  • Page 68

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 68[...]

  • Seite 69

    ZyWALL 110/310/1100 Se ries User’s Guide 69 C HAPTER 5 Dashboard 5.1 Overview Use the Dashboard screens to check status information about the Z yWALL. 5.1.1 What Y ou Can Do in this Chapter Use the Dashboard screens for the following. •U s e t h e m a i n Dashboard screen (see Section 5.2 on page 69 ) to see the ZyW ALL’s gener al device info[...]

  • Seite 70

    Chapter 5 Dashboa rd ZyWALL 110/310/1100 Series User’s Guide 70 Figure 51 Dashboard The following table describes the labels in this screen. T a ble 14 Dashboard LABEL DESCRIPTION Widget Setting (A) Use this link to open or cl ose widgets by select ing/clearin g the associate d checkbox. Up Arrow (B) Click this to collapse a widget. It then becom[...]

  • Seite 71

    Chapter 5 Dashboard ZyWALL 110/310/1100 Se ries User’s Guide 71 Device This field displays the name of the device connected to the USB port if one i s connected. Status This field displays the curre nt status of each interface or device installed in a slot. The possible values depend on wh at type of inte rface it is. Inactiv e - The Ethernet int[...]

  • Seite 72

    Chapter 5 Dashboa rd ZyWALL 110/310/1100 Series User’s Guide 72 Boot Status This field di s plays details about the ZyW ALL’s startup state. OK - The ZyW ALL started up su ccessfully . Firmware update OK - A firmware update w as successful. Problematic configuratio n after firmware update - The application of the configuration failed after a fi[...]

  • Seite 73

    Chapter 5 Dashboard ZyWALL 110/310/1100 Se ries User’s Guide 73 Status This field displays the current stat us of ea ch interface. The possible v alues depend on what type of interface it is. For Ethernet interfaces: Inactiv e - The Ethernet interface is disabl ed. Down - The Ethe rnet interface does not have any ph ysical ports associated with i[...]

  • Seite 74

    Chapter 5 Dashboa rd ZyWALL 110/310/1100 Series User’s Guide 74 5.2.1 The CPU Usage Screen Use this screen to look at a chart of the Z yWALL’ s recent CPU usage. T o access this screen, click CPU Usage in the dashboard. Figure 52 Dashboard > CPU Usage The following table describes the labels in this screen. Logs This field displa ys whether [...]

  • Seite 75

    Chapter 5 Dashboard ZyWALL 110/310/1100 Se ries User’s Guide 75 5.2.2 The Memory Usage Screen Use this screen to look at a chart of the Z yWALL’ s recent memory (RAM) usage. T o access this screen, click Memory Usage in the dashboar d. Figure 53 Dashboard > Memory Usage The following table describes the labels in this screen. 5.2.3 The Activ[...]

  • Page 76

    Chapter 5 Dashboard ZyWALL 110/310/1100 Series User’s Guide 76 Figure 54 Dashboard > Session Usage The following table describes the labels in this screen. 5.2.4 The VPN Status Screen Use this screen to look at the VPN tunnels that are currently established. To access this screen, click VPN Status in System Status in the dashboard. Figure [...]

  • Page 77

    Chapter 5 Dashboard ZyWALL 110/310/1100 Series User’s Guide 77 The following table describes the labels in this screen. 5.2.5 The DHCP Table Screen Use this screen to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses. To access this screen, click DHCP Table in System Status [...]

  • Page 78

    Chapter 5 Dashboard ZyWALL 110/310/1100 Series User’s Guide 78 5.2.6 The Number of Login Users Screen Use this screen to look at a list of the users currently logged into the ZyWALL. Users who close their browsers without logging out are still shown as logged in here. To access this screen, click Number of Login Users in System Status in the [...]

  • Page 79

    ZyWALL 110/310/1100 Series User’s Guide 79 CHAPTER 6 Monitor 6.1 Overview Use the Monitor screens to check status and statistics information. 6.1.1 What You Can Do in this Chapter Use the Monitor screens for the following. • Use the System Status > Port Statistics screen (see Section 6.2 on page 80) to look at packet statisti[...]

  • Page 80

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 80 6.2 The Port Statistics Screen Use this screen to look at packet statistics for each Gigabit Ethernet port. To access this screen, click Monitor > System Status > Port Statistics. Figure 58 Monitor > System Status > Port Statistics The following table describes the lab[...]

  • Page 81

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 81 6.2.1 The Port Statistics Graph Screen Use this screen to look at a line graph of packet statistics for each physical port. To access this screen, click Port Statistics in the Status screen and then the Switch to Graphic View Button. Figure 59 Monitor > System Status > Port[...]

  • Page 82

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 82 6.3 Interface Status Screen This screen lists all of the ZyWALL’s interfaces and gives packet statistics for them. Click Monitor > System Status > Interface Status to access this screen.[...]

  • Page 83

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 83 Figure 60 Monitor > System Status > Interface Status[...]

  • Page 84

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 84 Each field is described in the following table. Table 23 Monitor > System Status > Interface Status LABEL DESCRIPTION Interface Status If an Ethernet interface does not have any physical ports associated with it, its entry is displayed in light gray text. Expand/Close Click [...]

  • Page 85

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 85 Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. Zone This field displays the zone to which the interface is assigned. IP Address This is the IP address of the interface. If the interface is active (and connected), the [...]

  • Page 86

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 86 6.4 The Traffic Statistics Screen Click Monitor > System Status > Traffic Statistics to display the Traffic Statistics screen. This screen provides basic information about the following for example: • Most-visited Web sites and the number of times each one was visited. Th[...]

  • Page 87

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 87 • LAN IP with heaviest traffic and how much traffic has been sent to and from each one You use the Traffic Statistics screen to tell the ZyWALL when to start and when to stop collecting information for these reports. You cannot schedule data collection; you have to start and stop[...]

  • Page 88

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 88 Traffic Type Select the type of report to display. Choices are: Host IP Address/User - displays the IP addresses or users with the most traffic and how much traffic has been sent to and from each one. Service/Port - displays the most-used protocols or service ports and the amoun[...]

  • Page 89

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 89 The following table displays the maximum number of records shown in the report, the byte count limit, and the hit count limit. 6.5 The Session Monitor Screen The Session Monitor screen displays all established sessions that pass through the ZyWALL for debugging or statistical analysis[...]

  • Page 90

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 90 The following table describes the labels in this screen. Table 26 Monitor > System Status > Session Monitor LABEL DESCRIPTION View Select how you want the established sessions that passed through the ZyWALL to be displayed. Choices are: sessions by users - display all active [...]

  • Page 91

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 91 6.6 The DDNS Status Screen The DDNS Status screen shows the status of the ZyWALL’s DDNS domain names. Click Monitor > System Status > DDNS Status to open the following screen. Figure 63 Monitor > System Status > DDNS Status The following table describes the labels in[...]

  • Page 92

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 92 The following table describes the labels in this screen. 6.8 The Login Users Screen Use this screen to look at a list of the users currently logged into the ZyWALL. To access this screen, click Monitor > System Status > Login Users. Figure 65 Monitor > System Status > L[...]

  • Page 93

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 93 6.9 Cellular Status Screen This screen displays your 3G connection status. Click Monitor > System Status > Cellular Status to display this screen. Figure 66 Monitor > System Status > Cellular Status The following table describes the labels in this screen. User Info Thi[...]

  • Page 94

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 94 Status No device - no 3G device is connected to the ZyWALL. No Service - no 3G network is available in the area; you cannot connect to the Internet. Limited Service - returned by the service provider in cases where the SIM card is expired, the user failed to pay for the service an[...]

  • Page 95

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 95 6.9.1 More Information This screen displays more information on your 3G, such as the signal strength, IMEA/ESN and IMSI that helps identify your 3G device and SIM card. Click Monitor > System Status > More Information to display this screen. Note: This screen is only available [...]

  • Page 96

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 96 6.10 USB Storage Screen This screen displays information about a connected USB storage device. Click Monitor > System Status > USB Storage to display this screen. Figure 68 Monitor > System Status > USB Storage The following table describes the labels in this screen. Dev[...]

  • Page 97

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 97 6.11 The IPSec Monitor Screen You can use the IPSec Monitor screen to display and to manage active IPSec SAs. To access this screen, click Monitor > VPN Monitor > IPSec. The following screen appears. Click a column’s heading cell to sort the table entries by that column’[...]

  • Page 98

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 98 Each field is described in the following table. 6.11.1 Regular Expressions in Searching IPSec SAs A question mark (?) lets a single character in the VPN connection or policy name vary. For example, use “a?c” (without the quotation marks) to specify abc, acc and so on. Wildcards[...]

  • Page 99

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 99 The whole VPN connection or policy name has to match if you do not use a question mark or asterisk. 6.12 The SSL Connection Monitor Screen The ZyWALL keeps track of the users who are currently logged into the VPN SSL client Click Monitor > VPN Monitor > SSL to display the use[...]

  • Page 100

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 100 Figure 71 Monitor > VPN Monitor > L2TP over IPSec The following table describes the fields in this screen. 6.14 Log Screen Log messages are stored in two separate logs, one for regular log messages and one for debugging messages. In the regular log, you can look at all the log [...]

  • Page 101

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 101 Figure 72 Monitor > Log The following table describes the labels in this screen. Table 36 Monitor > Log LABEL DESCRIPTION Show Filter / Hide Filter Click this button to show or hide the filter settings. If the filter settings are hidden, the Display, Email Log Now, Ref [...]

  • Page 102

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 102 The Web Configurator saves the filter settings if you leave the View Log screen and return to it later. Email Log Now Click this button to send log message(s) to the Active e-mail address(es) specified in the Send Log To field on the Log Settings page (see Section 38.3.2 on pag[...]

  • Page 103

    ZyWALL 110/310/1100 Series User’s Guide 103 CHAPTER 7 Interfaces 7.1 Interface Overview Use the Interface screens to configure the ZyWALL’s interfaces. You can also create interfaces on top of other interfaces. • Ports are the physical ports to which you connect cables. • Interfaces are used within the system operationally. You use th[...]

  • Page 104

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 104 • An interface is a logical entity through which (layer-3) packets pass. • An interface is bound to a physical port or another interface. • Many interfaces can share the same physical port. • An interface belongs to at most one zone. • Many interfaces can belong to the [...]

  • Page 105

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 105 - * The format of interface names other than the Ethernet and ppp interface names is strict. Each name consists of 2-4 letters (interface type), followed by a number (x). For most interfaces, x is limited by the maximum number of the type of interface. For VLAN interfaces, x is[...]

  • Page 106

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 106 * - You cannot set up a PPP interface, virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge. You also cannot add an Ethernet interface or VLAN interface to a bridge if the member interface has a virtual interface or PPP interfa[...]

  • Page 107

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 107 Stateless Autoconfiguration With stateless autoconfiguration in IPv6, addresses can be uniquely and automatically generated. Unlike DHCPv6 (Dynamic Host Configuration Protocol version six) which is used in IPv6 stateful autoconfiguration, the owner and status of addresses don’[...]

  • Page 108

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 108 7.1.3 What You Need to Do First For IPv6 settings, go to the Configuration > System > IPv6 screen to enable IPv6 support on the ZyWALL first. 7.2 Port Role Screen To access this screen, click Configuration > Network > Interface > Port Role. Use the Port Role scr[...]

  • Page 109

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 109 Click Reset to change the port groups to their current configuration (last-saved values). 7.3 Ethernet Summary Screen This screen lists every Ethernet interface and virtual interface created on top of Ethernet interfaces. If you enabled IPv6 in the Configuration > System > I[...]

  • Page 110

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 110 Each field is described in the following table. 7.3.1 Ethernet Edit The Ethernet Edit screen lets you configure IP address assignment, interface parameters, RIP settings, OSPF settings, DHCP settings, connectivity check, and MAC address settings. To access this screen, click an [...]

  • Page 111

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 111 • Select which direction(s) routing information is exchanged - The ZyWALL can receive routing information, send routing information, or do both. • Select which version of RIP to support in each direction - The ZyWALL supports RIP-1, RIP-2, and both versions. • Select the br[...]

  • Page 112

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 112 Figure 75 Configuration > Network > Interface > Ethernet > Edit (External Type)[...]

  • Page 113

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 113 Figure 76 Configuration > Network > Interface > Ethernet > Edit (Internal Type)[...]

  • Page 114

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 114 Figure 77 Configuration > Network > Interface > Ethernet > Edit (OPT)[...]

  • Page 115

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 115 This screen’s fields are described in the table below. Table 41 Configuration > Network > Interface > Ethernet > Edit LABEL DESCRIPTION IPv4/IPv6 View / IPv4 View / IPv6 View Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuratio[...]

  • Page 116

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 116 Subnet Mask Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network. Gateway This option appears when Interface Type is external or general. Enter the IP address of the [...]

  • Page 117

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 117 Address This field displays the combined IPv6 IP address for this interface. Note: This field displays the combined address after you click OK and reopen this screen. DHCPv6 Setting DUID This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique a[...]

  • Page 118

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 118 Advertised Hosts Get Other Configuration From DHCPv6 Select this to have the ZyWALL indicate to hosts to obtain DNS information through DHCPv6. Clear this to have the ZyWALL indicate to hosts that DNS information is not available in this network. Router Preference Sele[...]

  • Page 119

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 119 Egress Bandwidth Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 - 1048576. Ingress Bandwidth This is reserved for future use. Enter the maximum amount of traffic, in kilobits per seco[...]

  • Page 120

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 120 IP Pool Start Address Enter the IP address from which the ZyWALL begins allocating IP addresses. If you want to assign a static IP address to a specific computer, use the Static DHCP Table. If this field is blank, the Pool Size must also be blank. In this case, the ZyWALL can a[...]

  • Page 121

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 121 Enable IP/MAC Binding Select this option to have this interface enforce links between specific IP addresses and specific MAC addresses. This stops anyone else from manually using a bound IP address on another device connected to this interface. Use this to make use only th[...]

  • Page 122

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 122 7.3.2 Object References When a configuration screen includes an Object Reference icon, select a configuration object and click Object Reference to open the Object References screen. This screen displays which configuration settings reference the selected object. The fields shown v [...]

  • Page 123

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 123 Figure 78 Object References The following table describes labels that can appear in this screen. 7.3.3 Add/Edit DHCPv6 Request/Release Options When you configure an interface as a DHCPv6 server or client, you can additionally add DHCPv6 request or lease options which have the Z[...]

  • Page 124

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 124 Select a DHCPv6 request or lease object in the Select one object field and click OK to save it. Click Cancel to exit without saving the setting. 7.3.4 Add/Edit DHCP Extended Options When you configure an interface as a DHCPv4 server, you can additionally add DHCP extended option[...]

  • Page 125

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 125 The following table lists the available DHCP extended options (defined in RFCs) on the ZyWALL. See RFCs for more information. 7.4 PPP Interfaces Use PPPoE/PPTP interfaces to connect to your ISP. This way, you do not have to install or manage PPPoE/PPTP software on each compute[...]

  • Page 126

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 126 Figure 81 Example: PPPoE/PPTP Interfaces PPPoE/PPTP interfaces are similar to other interfaces in some ways. They have an IP address, subnet mask, and gateway used to make routing decisions; they restrict bandwidth and packet size; and they can verify the gateway is available. [...]

  • Page 127

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 127 Each field is described in the table below. 7.4.2 PPP Interface Add or Edit Note: You have to set up an ISP account before you create a PPPoE/PPTP interface. This screen lets you configure a PPPoE or PPTP interface. If you enabled IPv6 in the Configuration > System > IPv6 [...]

  • Page 128

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 128 Figure 83 Configuration > Network > Interface > PPP > Add[...]

  • Page 129

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 129 Each field is explained in the following table. Table 46 Configuration > Network > Interface > PPP > Add LABEL DESCRIPTION IPv4/IPv6 View / IPv4 View / IPv6 View Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields. Show Adv[...]

  • Page 130

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 130 IP Address This field is enabled if you select Use Fixed IP Address. Enter the IP address for this interface. Metric Enter the priority of the gateway (the ISP) on this interface. The ZyWALL decides which gateway to use based on this priority. The lower the number, the highe[...]

  • Page 131

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 131 Enable Rapid Commit Select this to shorten the DHCPv6 message exchange process from four to two steps. This function helps reduce heavy network traffic load. Note: Make sure you also enable this option in the DHCPv6 clients to make rapid commit work. Request Address Select thi[...]

  • Page 132

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 132 7.5 Cellular Configuration Screen (3G) 3G (Third Generation) is a digital, packet-switched wireless technology. Bandwidth usage is optimized as multiple users share the same channel and bandwidth is only allocated to users when they send data. It allows fast t [...]

  • Page 133

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 133 Aside from selecting the 3G network, the 3G card may also select an available 2.5G or 2.75G network automatically. See the following table for a comparison between 2G, 2.5G, 2.75G and 3G of wireless technologies. To change your 3G WAN settings, click Configuration > Network[...]

  • Page 134

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 134 Figure 84 Configuration > Network > Interface > Cellular The following table describes the labels in this screen. 7.5.1 Cellular Add/Edit Screen To change your 3G settings, click Configuration > Network > Interface > Cellular > Add (or Edit). In the pop-up win[...]

  • Page 135

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 135 Figure 85 Configuration > Network > Interface > Cellular > Add[...]

  • Page 136

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 136 The following table describes the labels in this screen. Table 49 Configuration > Network > Interface > Cellular > Add LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields[...]

  • Page 137

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 137 User Name This field displays when you select an authentication type other than None. This field is read-only if you selected Device in the profile selection. If this field is configurable, enter the user name for this 3G card exactly as the service provider gave it to you. Y[...]

  • Page 138

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 138 Check Period Enter the number of seconds between connection check attempts. Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure. Check Fail Tolerance Enter the number of consecutive failures before the ZyWALL stops routing th[...]

  • Page 139

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 139 Network Selection Home network is the network to which you are originally subscribed. Select Home to have the 3G device connect only to the home network. If the home network is down, the ZyWALL’s 3G Internet connection is also unavailable. Select Auto (Default) to allow the[...]

  • Page 140

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 140 7.6 Tunnel Interfaces The ZyWALL uses tunnel interfaces in Generic Routing Encapsulation (GRE), IPv6 in IPv4, and 6to4 tunnels. GRE Tunneling GRE tunnels encapsulate a wide variety of network layer protocol packet types inside IP tunnels. A GRE tunnel serves as a virtual p[...]

  • Page 141

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 141 • your ZyWALL has a public IPv4 IP address given from your ISP, and • you want to transmit your IPv6 packets to one and only one remote site whose LAN network is also an IPv6 network. With this mode, the ZyWALL encapsulates IPv6 packets within IPv4 packets across the Inte[...]

  • Page 142

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 142 Figure 89 6to4 Tunnel 7.6.1 Configuring a Tunnel This screen lists the ZyWALL’s configured tunnel interfaces. To access this screen, click Network > Interface > Tunnel. Figure 90 Network > Interface > Tunnel Each field is explained in the following table. Inter[...]

  • Page 143

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 143 7.6.2 Tunnel Add or Edit Screen This screen lets you configure a tunnel interface. Click Configuration > Network > Interface > Tunnel > Add (or Edit) to open the following screen. Status The activate (light bulb) icon is lit when the entry is active and dimmed wh[...]

  • Page 144

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 144 Figure 91 Network > Interface > Tunnel > Add/Edit Each field is explained in the following table. Table 51 Network > Interface > Tunnel > Add/Edit LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or le[...]

  • Page 145

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 145 Tunnel Mode Select the tunneling protocol of the interface (GRE, IPv6-in-IPv4 or 6to4). See Section 7.6 on page 140 for more information. IP Address Assignment This section is available if you are configuring a GRE tunnel. IP Address Enter the IP address for this interfac[...]

  • Page 146

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 146 Interface Parameters Egress Bandwidth Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 - 1048576. This setting is used in WAN load balancing and bandwidth management. Ingress Bandwidth[...]

  • Page 147

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 147 7.7 VLAN Interfaces A Virtual Local Area Network (VLAN) divides a physical network into multiple logical networks. The standard is defined in IEEE 802.1q. Figure 92 Example: Before VLAN In this example, there are two physical networks and three departments A, B, and C. The p[...]

  • Page 148

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 148 This approach provides a few advantages. • Increased performance - In VLAN 2, the extra switch should route traffic inside the sales department faster than the router does. In addition, broadcasts are limited to smaller, more logical groups of users. • Higher security - If eac[...]

  • Page 149

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 149 Figure 94 Configuration > Network > Interface > VLAN Each field is explained in the following table. Table 52 Configuration > Network > Interface > VLAN LABEL DESCRIPTION Configuration / IPv6 Configuration Use the Configuration section for IPv4 network s[...]

  • Page 150

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 150 7.7.2 VLAN Add/Edit This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each VLAN interface. To access this screen, click the Create Virtual Interface icon in the VLAN Summary screen. The following scree[...]

  • Page 151

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 151 Figure 95 Configuration > Network > Interface > VLAN > Create Virtual Interface[...]

  • Page 152

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 152 Each field is explained in the following table. Table 53 Configuration > Network > Interface > VLAN > Create Virtual Interface LABEL DESCRIPTION IPv4/IPv6 View / IPv4 View / IPv6 View Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configur[...]

  • Page 153

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 153 Gateway This field is enabled if you select Use Fixed IP Address. Enter the IP address of the gateway. The ZyWALL sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same netwo[...]

  • Page 154

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 154 DHCPv6 Setting DUID This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique and used for identification purposes when the interface is exchanging DHCPv6 messages with others. See DHCPv6 on page 107 for more information. DUID as MAC Select this to[...]

  • Page 155

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 155 Router Preference Select the router preference (Low, Medium or High) for the interface. The interface sends this preference in the router advertisements to tell hosts what preference they should use for the ZyWALL. This helps hosts to choose their default router espe[...]

  • Page 156

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 156 MTU Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the ZyWALL divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500. Connectivity Che[...]

  • Page 157

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 157 Pool Size Enter the number of IP addresses to allocate. This number must be at least one and is limited by the interface’s Subnet Mask. For example, if the Subnet Mask is 255.255.255.0 and IP Pool Start Address is 10.10.10.10, the ZyWALL can allocate 10.10.10.10 to 10.10.[...]

  • Page 158

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 158 Add Click this to create a new entry. Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. # This field is a sequential value, and it is not associated with a specific entry. IP Address Enter the IP address to assign[...]

  • Page 159

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 159 7.8 Bridge Interfaces This section introduces bridges and bridge interfaces and then explains the screens for bridge interfaces. Bridge Overview A bridge creates a connection between two or more network segments at the layer-2 (MAC address) level. In the following example, bridg[...]

  • Page 160

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 160 If computer B responds to computer A, bridge X records the source address 0B:0B:0B:0B:0B:0B and port 4 in the table. It also looks up 0A:0A:0A:0A:0A:0A in the table and sends the packet to port 2 accordingly. Bridge Interface Overview A bridge interface creates a software bridge be[...]

  • Page 161

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 161 Figure 96 Configuration > Network > Interface > Bridge Each field is described in the following table. Table 57 Configuration > Network > Interface > Bridge LABEL DESCRIPTION Configuration / IPv6 Configuration Use the Configuration section for IPv4 network[...]

  • Page 162

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 162 7.8.2 Bridge Add/Edit This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each bridge interface. To access this screen, click the Create Virtual Interface icon in the Bridge Summary screen. The following[...]

  • Page 163

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 163 Figure 97 Configuration > Network > Interface > Bridge > Create Virtual Interface[...]

  • Page 164

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 164 Each field is described in the table below. Table 58 Configuration > Network > Interface > Bridge > Create Virtual Interface LABEL DESCRIPTION IPv4/IPv6 View / IPv4 View / IPv6 View Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configurat[...]

  • Page 165

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 165 IP Address This field is enabled if you select Use Fixed IP Address. Enter the IP address for this interface. Subnet Mask This field is enabled if you select Use Fixed IP Address. Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what[...]

  • Page 166

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 166 Suffix Address Enter the ending part of the IPv6 address, a slash (/), and the prefix length. The ZyWALL will append it to the delegated prefix. For example, you got a delegated prefix of 2003:1234:5678/48. You want to configure an IP address of 2003:1234:5678:1111::1/128 fo[...]

  • Page 167

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 167 Advertised Hosts Get Network Configuration From DHCPv6 Select this to have the ZyWALL indicate to hosts to obtain network settings (such as prefix and DNS settings) through DHCPv6. Clear this to have the ZyWALL indicate to hosts that DHCPv6 is not available and they should[...]

  • Page 168

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 168 Address This is the final network prefix combined by the selected delegated prefix and the suffix. Note: This field displays the combined address after you click OK and reopen this screen. Interface Parameters Egress Bandwidth Enter the maximum amount of traffic, in kilobits [...]

  • Page 169

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 169 First WINS Server, Second WINS Server Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently[...]

  • Page 170

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 170 7.9 Virtual Interfaces Use virtual interfaces to tell the ZyWALL where to route packets. Virtual interfaces can also be used in VPN gateways (see Chapter 20 on page 281) and VRRP groups (see Chapter 26 on page 359). Virtual interfaces can be created on top of Ethernet interfac[...]

  • Page 171

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 171 7.9.1 Virtual Interfaces Add/Edit This screen lets you configure IP address assignment and interface parameters for virtual interfaces. To access this screen, click the Create Virtual Interface icon in the Ethernet, VLAN, or bridge interface summary screen. Figure 98 Configurati[...]

  • Page 172

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 172 7.10 Interface Technical Reference Here is more detailed information about interfaces on the ZyWALL. IP Address Assignment Most interfaces have an IP address and a subnet mask. This information is used to create an entry in the routing table. Figure 99 Example: Entry in the Rout[...]

  • Page 173

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 173 In the example above, if the ZyWALL gets a packet with a destination address of 5.5.5.5, it might not find any entries in the routing table. In this case, the packet is dropped. However, if there is a default router to which the ZyWALL should send this packet, you can speci[...]

  • Page 174

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 174 In the ZyWALL, some interfaces can provide DHCP services to the network. In this case, the interface can be a DHCP relay or a DHCP server. As a DHCP relay, the interface routes DHCP requests to DHCP servers on different networks. You can specify more than one DHCP server. If y[...]

  • Page 175

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 175 PPPoE/PPTP Overview Point-to-Point Protocol over Ethernet (PPPoE, RFC 2516) and Point-to-Point Tunneling Protocol (PPTP, RFC 2637) are usually used to connect two computers over phone lines or broadband connections. PPPoE is often used with cable modems and DSL connections. [...]

  • Page 176

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 176[...]

  • Page 177

    ZyWALL 110/310/1100 Series User’s Guide 177 CHAPTER 8 Trunk 8.1 Overview Use trunks for WAN traffic load balancing to increase overall network throughput and reliability. Load balancing divides traffic loads between multiple interfaces. This allows you to improve quality of service and maximize bandwidth utilization for multiple ISP links. M[...]

  • Page 178

    Chapter 8 Trunk ZyWALL 110/310/1100 Series User’s Guide 178 • If that interface’s connection goes down, the ZyWALL can still send its traffic through another interface. • You can define multiple trunks for the same physical interfaces. Link Sticking You can have the ZyWALL send each local computer’s traffic that is going to the sam[...]

  • Page 179

    Chapter 8 Trunk ZyWALL 110/310/1100 Series User’s Guide 179 Figure 101 Least Load First Example The outbound bandwidth utilization is used as the load balancing index. In this example, the measured (current) outbound throughput of WAN 1 is 412K and WAN 2 is 198K. The ZyWALL calculates the load balancing index as shown in the table below. Sinc[...]

  • Page 180

    Chapter 8 Trunk ZyWALL 110/310/1100 Series User’s Guide 180 Spillover The spillover load balancing algorithm sends network traffic to the first interface in the trunk member list until the interface’s maximum allowable load is reached, then sends the excess network traffic of new sessions to the next interface in the trunk member list. Thi[...]

  • Page 181

    Chapter 8 Trunk ZyWALL 110/310/1100 Series User’s Guide 181 The following table describes the items in this screen. 8.2.1 Configuring a User-Defined Trunk Click Configuration > Network > Interface > Trunk, in the User Configuration table click the Add (or Edit) icon to open the following screen. Use this screen to create or edit a[...]

  • Page 182

    Chapter 8 Trunk ZyWALL 110/310/1100 Series User’s Guide 182 Figure 105 Configuration > Network > Interface > Trunk > Add (or Edit) Each field is described in the table below. Table 65 Configuration > Network > Interface > Trunk > Add (or Edit) LABEL DESCRIPTION Name This is read-only if you are editing an existi[...]

  • Page 183

    Chapter 8 Trunk ZyWALL 110/310/1100 Series User’s Guide 183 8.2.2 Configuring the System Default Trunk In the Configuration > Network > Interface > Trunk screen and the System Default section, select the default trunk entry and click Edit to open the following screen. Use this screen to change the load balancing algorithm and view the[...]

  • Page 184

    Chapter 8 Trunk ZyWALL 110/310/1100 Series User’s Guide 184 Figure 106 Configuration > Network > Interface > Trunk > Edit (System Default) Each field is described in the table below. Table 66 Configuration > Network > Interface > Trunk > Edit (System Default) LABEL DESCRIPTION Name This field displays the name of th[...]

  • Page 185

    Chapter 8 Trunk ZyWALL 110/310/1100 Series User’s Guide 185 Spillover This field displays with the spillover load balancing algorithm. Specify the maximum bandwidth of traffic in kilobits per second (1~1048576) to send out through the interface before using another interface. When this spillover bandwidth limit is exceeded, the ZyWALL se[...]

  • Page 186

    Chapter 8 Trunk ZyWALL 110/310/1100 Series User’s Guide 186[...]

  • Page 187

    ZyWALL 110/310/1100 Series User’s Guide 187 CHAPTER 9 Policy and Static Routes 9.1 Policy and Static Routes Overview Use policy routes and static routes to override the ZyWALL’s default routing behavior in order to send packets through the appropriate interface or VPN tunnel. For example, the next figure shows a computer (A) connected [...]

  • Page 188

    Chapter 9 Policy and Static Routes ZyWALL 110/310/1100 Series User’s Guide 188 9.1.2 What You Need to Know Policy Routing Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and al[...]

  • Page 189

    Chapter 9 Policy and Static Routes ZyWALL 110/310/1100 Series User’s Guide 189 DiffServ (Differentiated Services) is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the application types and traffic flow. Packets are marked wit[...]

  • Page 190

    Chapter 9 Policy and Static Routes ZyWALL 110/310/1100 Series User’s Guide 190 Figure 108 Configuration > Network > Routing > Policy Route The following table describes the labels in this screen. Table 67 Configuration > Network > Routing > Policy Route LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Setting [...]

  • Page 191

    Chapter 9 Policy and Static Routes ZyWALL 110/310/1100 Series User’s Guide 191 9.2.1 Policy Route Edit Screen Click Configuration > Network > Routing to open the Policy Route screen. Then click the Add or Edit icon in the IPv4 Configuration or IPv6 Configuration section. The Add Policy Route or Policy Route Edit screen opens. Use this[...]

  • Page 192

    Chapter 9 Policy and Static Routes ZyWALL 110/310/1100 Series User’s Guide 192 Figure 109 Configuration > Network > Routing > Policy Route > Add/Edit (IPv4 Configuration)[...]

  • Page 193

    Chapter 9 Policy and Static Routes ZyWALL 110/310/1100 Series User’s Guide 193 Figure 110 Configuration > Network > Routing > Policy Route > Add/Edit (IPv6 Configuration) The following table describes the labels in this screen. Table 68 Configuration > Network > Routing > Policy Route > Add/Edit LABEL DESCRIPTION [...]

  • Page 194

    Chapter 9 Policy and Static Routes ZyWALL 110/310/1100 Series User’s Guide 194 DSCP Code Select a DSCP code point value of incoming packets to which this policy route applies or select User Define to specify another DSCP code point. The lower the number the higher the priority with the exception of 0 which is usually given only best-effo[...]

  • Page 195

    Chapter 9 Policy and Static Routes ZyWALL 110/310/1100 Series User’s Guide 195 9.3 IP Static Route Screen Click Configuration > Network > Routing > Static Route to open the Static Route screen. This screen displays the configured static routes. Configure static routes to be able to use RIP or OSPF to propagate the routing information[...]

  • Page 196

    Chapter 9 Policy and Static Routes ZyWALL 110/310/1100 Series User’s Guide 196 The following table describes the labels in this screen. 9.3.1 Static Route Add/Edit Screen Select a static route index number and click Add or Edit. The screen shown next appears. Use this screen to configure the required information for a static route. Figure 11[...]

  • Page 197

    Chapter 9 Policy and Static Routes ZyWALL 110/310/1100 Series User’s Guide 197 The following table describes the labels in this screen. 9.4 Policy Routing Technical Reference Here is more detailed information about some of the features you can configure in policy routing. NAT and SNAT NAT (Network Address Translation - NAT, RFC 1631) is t[...]

  • Page 198

    Chapter 9 Policy and Static Routes ZyWALL 110/310/1100 Series User’s Guide 198 the following twelve DSCP encodings from AF11 through AF43. The decimal equivalent is listed in brackets. Maximize Bandwidth Usage The maximize bandwidth usage option allows the ZyWALL to divide up any available bandwidth on the interface (including unallocated ba[...]

  • Page 199

    ZyWALL 110/310/1100 Series User’s Guide 199 CHAPTER 10 Routing Protocols 10.1 Routing Protocols Overview Routing protocols give the ZyWALL routing information about the network from other routers. The ZyWALL stores this routing information in the routing table it uses to make routing decisions. In turn, the ZyWALL can also use routing prot[...]

  • Page 200

    Chapter 10 Routing Protocols ZyWALL 110/310/1100 Series User’s Guide 200 its routes asynchronously to the network and converges slowly. Therefore, RIP is more suitable for small networks (up to 15 routers). • In the ZyWALL, you can configure two sets of RIP settings before you can use it in an interface. • First, the Authentication[...]

  • Page 201

    Chapter 10 Routing Protocols ZyWALL 110/310/1100 Series User’s Guide 201 10.3 The OSPF Screen OSPF (Open Shortest Path First, RFC 2328) is a link-state protocol designed to distribute routing information within a group of networks, called an Autonomous System (AS). OSPF offers some advantages over vector-space routing protocols like RIP. •[...]

  • Page 202

    Chapter 10 Routing Protocols ZyWALL 110/310/1100 Series User’s Guide 202 • A normal area is a group of adjacent networks. A normal area has routing information about the OSPF AS, any networks outside the OSPF AS to which it is directly connected, and any networks outside the OSPF AS that provide routing information to any area in the OSP[...]

  • Page 203

    Chapter 10 Routing Protocols ZyWALL 110/310/1100 Series User’s Guide 203 • An Autonomous System Boundary Router (ASBR) exchanges routing information with routers in networks outside the OSPF AS. This is called redistribution in OSPF. • A backbone router (BR) has at least one interface with area 0. By default, every router in area 0 is a[...]

  • Page 204

    Chapter 10 Routing Protocols ZyWALL 110/310/1100 Series User’s Guide 204 Figure 117 OSPF: Virtual Link In this example, area 100 does not have a direct connection to the backbone. As a result, you should set up a virtual link on both ABR in area 10. The virtual link becomes the connection between area 100 and the backbone. You cannot create [...]

  • Page 205

    Chapter 10 Routing Protocols ZyWALL 110/310/1100 Series User’s Guide 205 Figure 118 Configuration > Network > Routing > OSPF The following table describes the labels in this screen. See Section 10.3.2 on page 206 for more information as well. Table 75 Configuration > Network > Routing Protocol > OSPF LABEL DESCRIPTION OSPF[...]

  • Page 206

    Chapter 10 Routing Protocols ZyWALL 110/310/1100 Series User’s Guide 206 10.3.2 OSPF Area Add/Edit Screen The OSPF Area Add/Edit screen allows you to create a new area or edit an existing one. To access this screen, go to the OSPF summary screen (see Section 10.3 on page 201), and click either the Add icon or an Edit icon. Figure 119 Config[...]

  • Page 207

    Chapter 10 Routing Protocols ZyWALL 110/310/1100 Series User’s Guide 207 The following table describes the labels in this screen. Table 76 Configuration > Network > Routing > OSPF > Add LABEL DESCRIPTION Area ID Type the unique, 32-bit identifier for the area in IP address format. Type Select the type of OSPF area. Normal - Th[...]

  • Page 208

    Chapter 10 Routing Protocols ZyWALL 110/310/1100 Series User’s Guide 208 10.3.3 Virtual Link Add/Edit Screen The Virtual Link Add/Edit screen allows you to create a new virtual link or edit an existing one. When the OSPF add or edit screen (see Section 10.3.2 on page 206) has the Type set to Normal, a Virtual Link table displays. Click eit[...]

  • Page 209

    Chapter 10 Routing Protocols ZyWALL 110/310/1100 Series User’s Guide 209 Authentication Types Authentication is used to guarantee the integrity, but not the confidentiality, of routing updates. The transmitting router uses its key to encrypt the original message into a smaller message, and the smaller message is transmitted with the original[...]

  • Page 210

    Chapter 10 Ro uting Protocol s ZyWALL 110/310/1100 Series User’s Guide 210[...]

  • Page 211

    ZyWALL 110/310/1100 Series User’s Guide 211 CHAPTER 11 Zones 11.1 Zones Overview Set up zones to configure network security and network policies in the ZyWALL. A zone is a group of interfaces and/or VPN tunnels. The ZyWALL uses zones instead of interfaces in many security and policy settings, such as firewall rules, Anti-X, and remote ma[...]

  • Page 212

    Chapter 11 Zones ZyWALL 110/310/1100 Series User’s Guide 212 Intra-zone Traffic • Intra-zone traffic is traffic between interfaces or VPN tunnels in the same zone. For example, in Figure 121 on page 211, traffic between VLAN 2 and the Ethernet is intra-zone traffic. • In each zone, you can either allow or prohibit all intra-zone traffi[...]

  • Page 213

    Chapter 11 Zones ZyWALL 110/310/1100 Series User’s Guide 213 The following table describes the labels in this screen. 11.3 Zone Edit The Zone Edit screen allows you to add or edit a zone. To access this screen, go to the Zone screen (see Section 11.2 on page 212), and click the Add icon or an Edit icon. Figure 123 Network > Zone > Add [...]

  • Page 214

    Chapter 11 Zones ZyWALL 110/310/1100 Series User’s Guide 214 The following table describes the labels in this screen. Table 79 Network > Zone > Add/Edit LABEL DESCRIPTION Name For a system default zone, the name is read only. For a user-configured zone, type the name used to refer to the zone. You may use 1-31 alphanumeric charac[...]

  • Page 215

    ZyWALL 110/310/1100 Series User’s Guide 215 CHAPTER 12 DDNS 12.1 DDNS Overview Dynamic DNS (DDNS) services let you use a domain name with a dynamic IP address. 12.1.1 What You Can Do in this Chapter • Use the DDNS screen (see Section 12.2 on page 216) to view a list of the configured DDNS domain names and their details. • Use the D[...]

  • Page 216

    Chapter 12 DDNS ZyWALL 110/310/1100 Series User’s Guide 216 12.2 The DDNS Screen The DDNS screen provides a summary of all DDNS domain names and their configuration. In addition, this screen allows you to add new domain names, edit the configuration for existing domain names, and delete domain names. Click Configuration > Network > DDNS t[...]

  • Page 217

    Chapter 12 DDNS ZyWALL 110/310/1100 Series User’s Guide 217 12.2.1 The Dynamic DNS Add/Edit Screen The DDNS Add/Edit screen allows you to add a domain name to the ZyWALL or to edit the configuration of an existing domain name. Click Configuration > Network > DDNS and then an Add or Edit icon to open this screen. Figure 125 Configuration [...]

  • Page 218

    Chapter 12 DDNS ZyWALL 110/310/1100 Series User’s Guide 218 Username Type the user name used when you registered your domain name. You can use up to 31 alphanumeric characters and the underscore. Spaces are not allowed. For a Dynu DDNS entry, this user name is the one you use for logging into the service, not the name recorded in your perso[...]

  • Page 219

    Chapter 12 DDNS ZyWALL 110/310/1100 Series User’s Guide 219 Enable Wildcard This option is only available with a DynDNS account. Enable the wildcard feature to alias subdomains to the same IP address as your (dynamic) domain name. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and [...]

  • Page 220

    Chapter 12 DDNS ZyWALL 110/310/1100 Series User’s Guide 220[...]

  • Page 221

    ZyWALL 110/310/1100 Series User’s Guide 221 CHAPTER 13 NAT 13.1 NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network is changed to a different IP address known within another network. Use Net[...]

  • Page 222

    Chapter 13 NAT ZyWALL 110/310/1100 Series User’s Guide 222 13.2 The NAT Screen The NAT summary screen provides a summary of all NAT rules and their configuration. In addition, this screen allows you to create new NAT rules and edit and delete existing NAT rules. To access this screen, login to the Web Configurator and click Configuration [...]

  • Page 223

    Chapter 13 NAT ZyWALL 110/310/1100 Series User’s Guide 223 13.2.1 The NAT Add/Edit Screen The NAT Add/Edit screen lets you create new NAT rules and edit existing ones. To open this window, open the NAT summary screen. (See Section 13.2 on page 222.) Then, click on an Add icon or Edit icon to open the following screen. Figure 128 Configurati[...]

  • Page 224

    Chapter 13 NAT ZyWALL 110/310/1100 Series User’s Guide 224 Incoming Interface Select the interface on which packets for the NAT rule must be received. It can be an Ethernet, VLAN, bridge, or PPPoE/PPTP interface. Original IP Specify the destination IP address of the packets received by this NAT rule’s specified incoming interface. any[...]

  • Page 225

    Chapter 13 NAT ZyWALL 110/310/1100 Series User’s Guide 225 13.3 NAT Technical Reference Here is more detailed information about NAT on the ZyWALL. NAT Loopback Suppose an NAT 1:1 rule maps a public IP address to the private IP address of a LAN SMTP e-mail server to give WAN users access. NAT loopback allows other users to also use th[...]

  • Page 226

    Chapter 13 NAT ZyWALL 110/310/1100 Series User’s Guide 226 Figure 129 LAN Computer Queries a Public DNS Server The LAN user’s computer then sends traffic to IP address 1.1.1.1. NAT loopback uses the IP address of the ZyWALL’s LAN interface (192.168.1.1) as the source address of the traffic going from the LAN users to the LAN SMTP serv[...]

  • Page 227

    Chapter 13 NAT ZyWALL 110/310/1100 Series User’s Guide 227 Figure 131 LAN to LAN Return Traffic 192.168.1.21 LAN 192.168.1.89 Source 1.1.1.1 SMTP NAT Source 192.168.1.21 SMTP[...]

  • Page 228

    Chapter 13 NAT ZyWALL 110/310/1100 Series User’s Guide 228[...]

  • Page 229

    ZyWALL 110/310/1100 Series User’s Guide 229 CHAPTER 14 HTTP Redirect 14.1 Overview HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the ZyWALL) to a web proxy server. In the following example, proxy server A is connected to the DMZ interface. When a client connected to the LAN1 zone wants to open a web [...]

  • Page 230

    Chapter 14 HTTP Redirect ZyWALL 110/310/1100 Series User’s Guide 230 A client connects to a web proxy server each time he/she wants to access the Internet. The web proxy provides caching service to allow quick access and reduce network usage. The proxy checks its local cache for the requested web resource first. If it is not found, the proxy [...]

  • Page 231

    Chapter 14 HTTP Redirect ZyWALL 110/310/1100 Series User’s Guide 231 Figure 133 Configuration > Network > HTTP Redirect The following table describes the labels in this screen. 14.2.1 The HTTP Redirect Edit Screen Click Network > HTTP Redirect to open the HTTP Redirect screen. Then click the Add or Edit icon to open the HTTP Redirec[...]

  • Page 232

    Chapter 14 HTTP Redirect ZyWALL 110/310/1100 Series User’s Guide 232 The following table describes the labels in this screen. Table 86 Network > HTTP Redirect > Edit LABEL DESCRIPTION Enable Use this option to turn the HTTP redirect rule on or off. Name Enter a name to identify this rule. You may use 1-31 alphanumeric characters, u[...]

  • Page 233

    ZyWALL 110/310/1100 Series User’s Guide 233 CHAPTER 15 ALG 15.1 ALG Overview Application Layer Gateway (ALG) allows the following applications to operate properly through the ZyWALL’s NAT. • SIP - Session Initiation Protocol (SIP) - An application-layer protocol that can be used to create voice and multimedia sessions over Intern[...]

  • Page 234

    Chapter 15 ALG ZyWALL 110/310/1100 Series User’s Guide 234 FTP ALG The FTP ALG allows TCP packets with a specified port destination to pass through. If the FTP server is located on the LAN, you must also configure NAT (port forwarding) and firewall rules if you want to allow access to the server from the WAN. H.323 ALG • The H.323 ALG suppor[...]

  • Page 235

    Chapter 15 ALG ZyWALL 110/310/1100 Series User’s Guide 235 Peer-to-Peer Calls and the ZyWALL The ZyWALL ALG can allow peer-to-peer VoIP calls for both H.323 and SIP. You must configure the firewall and NAT (port forwarding) to allow incoming (peer-to-peer) calls from the WAN to a private IP address on the LAN (or DMZ). VoIP Calls from th[...]

  • Page 236

    Chapter 15 ALG ZyWALL 110/310/1100 Series User’s Guide 236 Figure 138 VoIP with Multiple WAN IP Addresses • See Section 15.3 on page 238 for ALG background/technical information. 15.1.3 Before You Begin You must also configure the firewall and enable NAT in the ZyWALL to allow sessions initiated from the WAN. 15.2 The ALG Screen Click Co[...]

  • Page 237

    Chapter 15 ALG ZyWALL 110/310/1100 Series User’s Guide 237 The following table describes the labels in this screen. Table 87 Configuration > Network > ALG LABEL DESCRIPTION Enable SIP ALG Turn on the SIP ALG to detect SIP traffic and help build SIP sessions through the ZyWALL’s NAT. Enable SIP Transformations Select t[...]

  • Page 238

    Chapter 15 ALG ZyWALL 110/310/1100 Series User’s Guide 238 15.3 ALG Technical Reference Here is more detailed information about the Application Layer Gateway. ALG Some applications cannot operate through NAT (are NAT un-friendly) because they embed IP addresses and port numbers in their packets’ data payload. The ZyWALL examines and uses[...]

  • Page 239

    Chapter 15 ALG ZyWALL 110/310/1100 Series User’s Guide 239 RTP When you make a VoIP call using H.323 or SIP, the RTP (Real time Transport Protocol) is used to handle voice data transfer. See RFC 1889 for details on RTP.[...]

  • Page 240

    Chapter 15 ALG ZyWALL 110/310/1100 Series User’s Guide 240[...]

  • Page 241

    ZyWALL 110/310/1100 Series User’s Guide 241 CHAPTER 16 IP/MAC Binding 16.1 IP/MAC Binding Overview IP address to MAC address binding helps ensure that only the intended devices get to use privileged IP addresses. The ZyWALL uses DHCP to assign IP addresses and records the MAC address it assigned to each IP address. The ZyWALL then checks inco[...]

  • Page 242

    Chapter 16 IP/MAC Binding ZyWALL 110/310/1100 Series User’s Guide 242 Interfaces Used With IP/MAC Binding IP/MAC address bindings are grouped by interface. You can use IP/MAC binding with Ethernet, bridge, VLAN interfaces. You can also enable or disable IP/MAC binding and logging in an interface’s configuration screen. 16.2 IP/MAC Bindin[...]

  • Page 243

    Chapter 16 IP/MAC Binding ZyWALL 110/310/1100 Series User’s Guide 243 Figure 142 Configuration > Network > IP/MAC Binding > Edit The following table describes the labels in this screen. 16.2.2 Static DHCP Edit Click Configuration > Network > IP/MAC Binding > Edit to open the IP/MAC Binding Edit screen. Click the Add or Edit i[...]

  • Page 244

    Chapter 16 IP/MAC Binding ZyWALL 110/310/1100 Series User’s Guide 244 Figure 143 Configuration > Network > IP/MAC Binding > Edit > Add The following table describes the labels in this screen. 16.3 IP/MAC Binding Exempt List Click Configuration > Network > IP/MAC Binding > Exempt List to open the IP/MAC Binding Exempt List s[...]

  • Page 245

    Chapter 16 IP/MAC Binding ZyWALL 110/310/1100 Series User’s Guide 245 Remove To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. # This is the index number of the IP/MAC binding list entry. Name Enter a name to help identify this entry. Start IP Enter the first IP [...]

  • Page 246

    Chapter 16 IP/M AC Binding ZyWALL 110/310/1100 Series User’s Guide 246[...]

  • Page 247

    ZyWALL 110/310/1100 Series User’s Guide 247 CHAPTER 17 Inbound Load Balancing 17.1 Inbound Load Balancing Overview Inbound load balancing enables the ZyWALL to respond to a DNS query message with a different IP address for DNS name resolution. The ZyWALL checks which member interface has the least load and responds to the DNS query message w[...]

  • Page 248

    Chapter 17 Inbound Load Balancing ZyWALL 110/310/1100 Series User’s Guide 248 • Use the Inbound LB Add/Edit screen (see Section 17.2.1 on page 249) to add or edit a DNS load balancing rule. 17.2 The Inbound LB Screen The Inbound LB screen provides a summary of all DNS load balancing rules and the details. You can also use this screen to[...]

  • Page 249

    Chapter 17 Inbound Load Balancing ZyWALL 110/310/1100 Series User’s Guide 249 17.2.1 The Inbound LB Add/Edit Screen The Add DNS Load Balancing screen allows you to add a domain name for which the ZyWALL manages load balancing between the specified interfaces. You can configure the ZyWALL to apply DNS load balancing to some specific hosts o[...]

  • Page 250

    Chapter 17 Inbound Load Balancing ZyWALL 110/310/1100 Series User’s Guide 250 Figure 147 Configuration > Network > Inbound LB > Add The following table describes the labels in this screen. Table 93 Configuration > Network > Inbound LB > Add/Edit LABEL DESCRIPTION Create New Object Use this to configure any new setting ob[...]

  • Page 251

    Chapter 17 Inbound Load Balancing ZyWALL 110/310/1100 Series User’s Guide 251 17.2.2 The Inbound LB Member Add/Edit Screen The Add Load Balancing Member screen allows you to add a member interface for the DNS load balancing rule. Click Configuration > Network > Inbound LB > Add or Edit and then an Add or Edit icon to open this screen. [...]

  • Page 252

    Chapter 17 Inbound Load Balancing ZyWALL 110/310/1100 Series User’s Guide 252 Figure 148 Configuration > Network > Inbound LB > Add/Edit > Add The following table describes the labels in this screen. Table 94 Configuration > Network > Inbound LB > Add/Edit > Add/Edit LABEL DESCRIPTION Member The ZyWALL checks each [...]

  • Page 253

    ZyWALL 110/310/1100 Series User’s Guide 253 CHAPTER 18 Authentication Policy 18.1 Overview Use authentication policies to control who can access the network. After a user passes authentication the user’s computer must meet the endpoint security object’s Operating System (OS) option and security requirements to gain access. In the following [...]

  • Page 254

    Chapter 18 Authentication Policy ZyWALL 110/310/1100 Series User’s Guide 254 Multiple Endpoint Security Objects You can set an authentication policy to use multiple endpoint security objects. This allows checking of computers with different OSs or security settings. When a client attempts to log in, the ZyWALL checks the client’s computer[...]

  • Page 255

    Chapter 18 Authentication Policy ZyWALL 110/310/1100 Series User’s Guide 255 Figure 150 Configuration > Auth. Policy The following table gives an overview of the objects you can configure. Table 95 Configuration > Auth. Policy LABEL DESCRIPTION Enable Authentication Policy Select this to turn on the authentication policy feature.[...]

  • Page 256

    Chapter 18 Authentication Policy ZyWALL 110/310/1100 Series User’s Guide 256 18.2.1 Creating/Editing an Authentication Policy Click Configuration > Auth. Policy and then the Add (or Edit) icon to open the Endpoint Security Edit screen. Use this screen to configure an authentication policy. Authentication Policy Summary Use this table to ma[...]

  • Page 257

    Chapter 18 Authentication Policy ZyWALL 110/310/1100 Series User’s Guide 257 Figure 152 Configuration > Auth. Policy > Add The following table gives an overview of the objects you can configure. Table 96 Configuration > Auth. Policy > Add LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you ne [...]

  • Page 258

    Chapter 18 Authentication Policy ZyWALL 110/310/1100 Series User’s Guide 258 18.3 User-aware Access Control Example You can configure many policies and security settings for specific users or groups of users. Users can be authenticated locally by the ZyWALL or by an external (AD, RADIUS, or LDAP) authentication server. In this example the us[...]

  • Page 259

    Chapter 18 Authentication Policy ZyWALL 110/310/1100 Series User’s Guide 259 18.3.2 Set Up User Groups Set up the user groups and assign the users to the user groups. 1 Click Configuration > Object > User/Group > Group. Click the Add icon. 2 Enter the name of the group. In this example, it is “Finance”. Then, select User/Leo and [...]

  • Page 260

    Chapter 18 Authentication Policy ZyWALL 110/310/1100 Series User’s Guide 260 Figure 155 Configuration > Object > AAA Server > RADIUS > Add 2 Click Configuration > Object > Auth. Method. Double-click the default entry. Click the Add icon. Select group radius because the ZyWALL should use the specified RADIUS server for auth[...]

  • Page 261

    Chapter 18 Authentication Policy ZyWALL 110/310/1100 Series User’s Guide 261 Figure 157 Configuration > Auth. Policy > Add In the Auth. Policy screen, select Enable Authentication Policy and click Apply. Figure 158 Configuration > Auth. Policy When the users try to browse the web (or use any HTTP/HTTPS application), the Login scree[...]

  • Page 262

    1 Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Besides configuring the RADIUS server’s address, authentication port, and key; set the Group Membership Attribute field to the attribute that the ZyWALL is to check to dete[...]

  • Page 263

    Chapter 18 Authentication Policy ZyWALL 110/310/1100 Series User’s Guide 263[...]

  • Page 264

    Chapter 18 Authentication Policy ZyWALL 110/310/1100 Series User’s Guide 264[...]

  • Page 265

    CHAPTER 19 Firewall 19.1 Overview Use the firewall to block or allow services that use static port numbers. This example shows the ZyWALL’s default firewall behavior for WAN to LAN traffic and how stateful inspection works. A LAN user can initiate a Telnet session from within the LAN zone and th[...]

  • Page 266

    Note: At the time of writing the ZyWALL’s VPN and GRE tunnels support IPv4 traffic so IPv6 firewall rules do not apply to IPSec, SSL VPN, and GRE tunnel traffic. To-ZyWALL Rules Rules with ZyWALL as the To Zone apply to traffic going to the ZyWALL itself. By default: [...]

  • Page 267

    A From Any To ZyWALL direction rule applies to traffic from an interface which is not in a zone. Global Firewall Rules Firewall rules with from any and/or to any as the packet direction are called global firewall rules. The global firewall rules are the only firewall rules that app[...]

  • Page 268

    19.2 The Firewall Screen Asymmetrical Routes If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL’s LAN IP address, return traffic may not go through the ZyWALL. This is called an asymmetrical or “triangle” route. This causes the ZyWALL to[...]

  • Page 269

    • Besides configuring the firewall, you also need to configure NAT rules to allow computers on the WAN to access LAN devices. See Chapter 13 on page 221 for more information. • The ZyWALL applies NAT (Destination NAT) settings before applying the firewall rules. So for examp[...]

  • Page 270

    Figure 163 Configuration > Firewall[...]

  • Page 271

    The following table describes the labels in this screen. Table 98 Configuration > Firewall LABEL DESCRIPTION General Settings Enable Firewall Select this check box to activate the firewall. The ZyWALL performs access control when the firewall is activated. IPv4 / IPv6 Rul[...]

  • Page 272

    19.2.2 The Firewall Add/Edit Screen In the Firewall screen, click the Edit or Add icon to display the Firewall Rule Edit screen. Figure 164 Configuration > Firewall > Add The following table describes the labels in this screen. Schedule This field tells you the schedule obje[...]

  • Page 273

    19.3 The Session Limit Screen Click Configuration > Firewall > Session Limit to display the Firewall Session Limit screen. Use this screen to limit the number of concurrent NAT/firewall sessions a client can use. You can apply a default limit for all users and individual lim[...]

  • Page 274

    Figure 165 Configuration > Firewall > Session Limit The following table describes the labels in this screen. Table 100 Configuration > Firewall > Session Limit LABEL DESCRIPTION General Settings Enable Session limit Select this check box to control the number of conc[...]

  • Page 275

    19.3.1 The Session Limit Add/Edit Screen Click Configuration > Firewall > Session Limit and the Add or Edit icon to display the Firewall Session Limit Edit screen. Use this screen to configure rules that define a session limit for specific users or addresses. Figure 166 Confi[...]

  • Page 276

    19.4 Firewall Rule Configuration Example The following Internet firewall rule example allows Doom players from the WAN to IP addresses 192.168.1.10 through 192.168.1.15 (Dest_1) on the LAN1. 1 Click Configuration > Firewall. In the summary of IPv4 firewall rules click Add to [...]

  • Page 277

    Figure 169 Firewall Example: Create a Service Object 4 Select From WAN and To LAN1 and enter a name for the firewall rule. Select Dest_1 for the Destination and Doom as the Service. Enter a description and configure the rest of the screen as follows. Click OK when you are done. Fi[...]

  • Page 278

    19.5 Firewall Rule Example Applications Suppose you decide to block LAN users from using IRC (Internet Relay Chat) through the Internet. To do this, you would configure a LAN to WAN firewall rule that blocks IRC traffic from any source IP address from going to any destination addr[...]

  • Page 279

    Now you configure a LAN1 to WAN firewall rule that allows IRC traffic from the IP address of the CEO’s computer (192.168.1.7 for example) to go to any destination address. You do not need to specify a schedule since you want the firewall rule to always be in effect[...]

  • Page 280

    The rule for the CEO must come before the rule that blocks all LAN1 to WAN IRC traffic. If the rule that blocks all LAN1 to WAN IRC traffic came first, the CEO’s IRC traffic would match that rule and the ZyWALL would drop it and not check any other firewall rules.[...]
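
The rule-order point from the IRC example above, as an added Python sketch (not from the ZyXEL guide or firmware): rules are checked top-down and the first match wins, and a shadow check flags a rule that an earlier, broader rule with a different action makes unreachable. The `Rule` model, the service object name "IRC", the rule names and the default allow for unmatched LAN1-to-WAN traffic are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    """Simplified firewall rule (hypothetical model, not the device's format)."""
    name: str
    from_zone: str
    to_zone: str
    source: ipaddress.IPv4Network
    service: str   # service object name, or "any"
    action: str    # "allow" or "deny"

    def matches(self, from_zone, to_zone, src_ip, service):
        return (self.from_zone == from_zone
                and self.to_zone == to_zone
                and ipaddress.ip_address(src_ip) in self.source
                and self.service in ("any", service))

    def covers(self, other):
        """True if every packet that matches `other` also matches this rule."""
        return (self.from_zone == other.from_zone
                and self.to_zone == other.to_zone
                and other.source.subnet_of(self.source)
                and self.service in ("any", other.service))


def evaluate(rules, from_zone, to_zone, src_ip, service, default="allow"):
    """First-match evaluation: return (action, name of the deciding rule).

    `default` stands in for the zone pair's default behavior (assumed allow).
    """
    for rule in rules:
        if rule.matches(from_zone, to_zone, src_ip, service):
            return rule.action, rule.name
    return default, "default"


def shadowed(rules):
    """List (rule, shadowing_rule) pairs where an earlier rule with a
    different action covers a later one, so the later rule never takes effect."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later) and earlier.action != later.action:
                findings.append((later.name, earlier.name))
                break
    return findings


# Constructed rule set for the CEO/IRC scenario in the text.
ALLOW_CEO = Rule("allow-ceo-irc", "LAN1", "WAN",
                 ipaddress.ip_network("192.168.1.7/32"), "IRC", "allow")
BLOCK_IRC = Rule("block-irc", "LAN1", "WAN", ANY, "IRC", "deny")

CORRECT_ORDER = [ALLOW_CEO, BLOCK_IRC]   # exception first, then the block
WRONG_ORDER = [BLOCK_IRC, ALLOW_CEO]     # block first: exception is dead

if __name__ == "__main__":
    for label, rules in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        verdict = evaluate(rules, "LAN1", "WAN", "192.168.1.7", "IRC")
        print(label, "order: CEO IRC ->", verdict, "| shadowed:", shadowed(rules))
```

Running `shadowed()` over an exported rule list before applying it is a quick audit for exceptions placed below the rule they are meant to override.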

  • Page 281

    CHAPTER 20 IPSec VPN 20.1 Virtual Private Networks (VPN) Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is [...]

  • Page 282

    Figure 175 SSL VPN L2TP VPN L2TP VPN uses the L2TP and IPSec client software included in remote users’ Android, iOS, or Windows operating systems for secure connections to the network behind the ZyWALL. The remote users do not need their own IPSec gateways or third-party VPN cl[...]

  • Page 283

    20.1.2 What You Need to Know An IPSec VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the ZyWALL and the remote IPSec router will use. The first phase establishes an Internet Ke[...]

  • Page 284

    Application Scenarios The ZyWALL’s application scenarios make it easier to configure your VPN connection settings. Finding Out More • See Section 20.6 on page 305 for IPSec VPN background information. 20.1.3 Before You Begin This section briefly explains the relationship be[...]

  • Page 285

    • In any VPN connection, you have to select address objects to specify the local policy and remote policy. You should set up the address objects first. • In a VPN gateway, you can select an Ethernet interface, virtual Ethernet interface, VLAN interface, or virtual VLAN int[...]

  • Page 286

    Each field is discussed in the following table. See Section 20.2.2 on page 292 and Section 20.2.1 on page 286 for more information. 20.2.1 The VPN Connection Add/Edit (IKE) Screen The VPN Connection Add/Edit Gateway screen allows you to create a new VPN connection policy or edit an[...]

  • Page 287

    Figure 179 Configuration > VPN > IPSec VPN > VPN Connection > Edit (IKE)[...]

  • Page 288

    Each field is described in the following table. Table 107 Configuration > VPN > IPSec VPN > VPN Connection > Edit LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields.[...]

  • Page 289

    Remote Policy Select the address corresponding to the remote network. Use Create new Object if you need to configure a new one. Policy Enforcement Clear this to allow traffic with source and destination IP addresses that do not match the local and remote policy to use the V[...]

  • Page 290

    Authentication Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1, SHA256, SHA512 and MD5. SHA is generally considered stronger than MD5, but it is also slower. The ZyWALL and the remote IPSec router must both have a proposal[...]

  • Page 291

    Source NAT This translation hides the source address of computers in the local network. It may also be necessary if you want the ZyWALL to route packets from computers outside the local network through the IPSec SA. Source Select the address object that represents the origi[...]

  • Page 292

    20.2.2 The VPN Connection Add/Edit Manual Key Screen The VPN Connection Add/Edit Manual Key screen allows you to create a new VPN connection or edit an existing one using a manual key. This is useful if you have problems with IKE key management. To access this screen, go to the V[...]

  • Page 293

    This table describes labels specific to manual key configuration. See Section 20.2 on page 285 for descriptions of the other fields. Table 108 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key LABEL DESCRIPTION Manual Key My Address Type the IP [...]

  • Page 294

    20.3 The VPN Gateway Screen The VPN Gateway summary screen displays the IPSec VPN gateway policies in the ZyWALL, as well as the ZyWALL’s address, remote IPSec router’s address, and associated VPN connections for each one. In addition, it also lets you activate and deactiv[...]

  • Page 295

    Figure 181 Configuration > VPN > IPSec VPN > VPN Gateway Each field is discussed in the following table. See Section 20.3.1 on page 295 for more information. 20.3.1 The VPN Gateway Add/Edit Screen The VPN Gateway Add/Edit screen allows you to create a new VPN gateway pol[...]

  • Page 296

    Figure 182 Configuration > VPN > IPSec VPN > VPN Gateway > Edit[...]

  • Page 297

    Each field is described in the following table. Table 110 Configuration > VPN > IPSec VPN > VPN Gateway > Edit LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields. Gen[...]

  • Page 298

    Certificate Select this to have the ZyWALL and remote IPSec router use certificates to authenticate each other when they negotiate the IKE SA. Then select the certificate the ZyWALL uses to identify itself to the remote IPsec router. This certificate is one of the certificat[...]

  • Page 299

    Content This field is disabled if the Peer ID Type is Any. Type the identity of the remote IPSec router during authentication. The identity depends on the Peer ID Type. If the ZyWALL and remote IPSec router do not use certificates, IP - type an IP address; see the note at t[...]

  • Page 300

    Encryption Select which key size and encryption algorithm to use in the IKE SA. Choices are: DES - a 56-bit key with the DES encryption algorithm 3DES - a 168-bit key with the DES encryption algorithm AES128 - a 128-bit key with the AES encryption algorithm AES192 - a 192-b[...]

  • Page 301

    20.4 VPN Concentrator A VPN concentrator combines several IPSec VPN connections into one secure network. Figure 183 VPN Topologies (Fully Meshed and Hub and Spoke) In a fully-meshed VPN topology (1 in the figure), there is a VPN connection between every pair of routers. In a hub[...]

  • Page 302

    20.4.1 VPN Concentrator Requirements and Suggestions Consider the following when using the VPN concentrator. • The local IP addresses configured in the VPN rules should not overlap. • The concentrator must have at least one separate VPN rule for each spoke. In the local pol[...]

  • Page 303

    Figure 185 Configuration > VPN > IPSec VPN > Concentrator > Edit Each field is described in the following table. 20.5 ZyWALL IPSec VPN Client Configuration Provisioning Use the Configuration > VPN > IPSec VPN > Configuration Provisioning screen to configure wh[...]

  • Page 304

    In the ZyWALL Quick Setup wizard, you can use the VPN Settings for Configuration Provisioning wizard to create a VPN rule that will not violate these restrictions. Figure 186 Configuration > VPN > IPSec VPN > Configuration Provisioning Each field is discussed in the fol[...]

  • Page 305

    20.6 IPSec VPN Background Information Here is some more detailed IPSec VPN background information. IKE SA Overview The IKE SA provides a secure connection between the ZyWALL and remote IPSec router. It takes several steps to establish an IKE SA. The negotiation mode determines[...]

  • Page 306

    IKE SA Proposal The IKE SA proposal is used to identify the encryption algorithm, authentication algorithm, and Diffie-Hellman (DH) key group that the ZyWALL and remote IPSec router use in the IKE SA. In main mode, this is done in steps 1 and 2, as illustrated next. Figure 187 IK[...]

  • Page 307

    Diffie-Hellman (DH) Key Exchange The ZyWALL and the remote IPSec router use DH public-key cryptography to establish a shared secret. The shared secret is then used to generate encryption keys for the IKE SA and IPSec SA. In main mode, this is done in steps 3 and 4, as illustrat[...]

  • Page 308

    Note: The ZyWALL and the remote IPSec router must use the same pre-shared key. Router identity consists of ID type and content. The ID type can be domain name, IP address, or e-mail address, and the content is a (properly-formatted) domain name, IP address, [...]

  • Page 309

    Steps 1 - 2: The ZyWALL sends its proposals to the remote IPSec router. The remote IPSec router selects an acceptable proposal and sends it back to the ZyWALL. Steps 3 - 4: The ZyWALL and the remote IPSec router exchange pre-shared keys for authentication and participate in a[...]

  • Page 310

    Extended Authentication Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to connect to a single IPSec router. For example, this might be used with telecommuters. In extended authentication, one of the routers (the ZyWALL or the remote IP[...]

  • Page 311

    Note: The ZyWALL and remote IPSec router must use the same active protocol. Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT. Encapsulation There are two ways to encapsulate packets. Usually, you should use tunnel mode be[...]

  • Page 312

    If you do not enable PFS, the ZyWALL and remote IPSec router use the same root key that was generated when the IKE SA was established to generate encryption keys. The DH key exchange is time-consuming and may be unnecessary for data that does not require such security. Additiona[...]

  • Page 313

    Figure 192 VPN Example: NAT for Inbound and Outbound Traffic Source Address in Outbound Packets (Outbound Traffic, Source NAT) This translation lets the ZyWALL route packets from computers that are not part of the specified local network (local policy) through the IPSec SA. [...]

  • Page 314

    You have to specify one or more rules when you set up this kind of NAT. The ZyWALL checks these rules similar to the way it checks rules for a firewall. The first part of these rules defines the conditions in which the rule applies. • Original IP - the original destination add[...]

  • Page 315

    Set Up the VPN Connection that Manages the IPSec SA 1 In Configuration > VPN > IPSec VPN > VPN Connection > Add, click Create New Object > Address to create an address object for the remote network. Set the Address Type to SUBNET, the Network field to 172.16.1.0[...]

  • Page 316

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Series User’s Guide 316[...]

  • Page 317

    CHAPTER 21 SSL VPN 21.1 Overview Use SSL VPN to allow users to use a web browser for secure remote user login. The remote users do not need a VPN router or VPN client software. 21.1.1 What You Can Do in this Chapter • Use the VPN > SSL VPN > Access Privilege screens (see Section 21.2 on [...]

  • Page 318

    SSL Access Policy Objects The SSL access policies reference the following objects. If you update this information, in response to changes, the ZyWALL automatically propagates the changes through the SSL policies that use the object(s). When you delete an SSL policy, the objects ar[...]

  • Page 319

    The following table describes the labels in this screen. 21.2.1 The SSL Access Policy Add/Edit Screen To create a new or edit an existing SSL access policy, click the Add or Edit icon in the Access Privilege screen. Table 117 VPN > SSL VPN > Access Privilege LABEL DESCRIPT[...]

  • Page 320

    Figure 196 VPN > SSL VPN > Add/Edit The following table describes the labels in this screen. Table 118 VPN > SSL VPN > Access Privilege > Add/Edit LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to use in this screen. C[...]

  • Page 321

    Name Enter a descriptive name to identify this policy. You can enter up to 31 characters (“a-z”, “A-Z”, “0-9”) with no spaces allowed. Zone Select the zone to which to add this SSL access policy. You use zones to apply security settings such as firewall and remote [...]

  • Page 322

    21.3 The SSL Global Setting Screen Click VPN > SSL VPN and click the Global Setting tab to display the following screen. Use this screen to set the IP address of the ZyWALL (or a gateway device) on your network for full tunnel mode access, enter access messages or upload a custo[...]

  • Page 323

    21.3.1 How to Upload a Custom Logo Follow the steps below to upload a custom logo to display on the remote user SSL VPN screens. 1 Click VPN > SSL VPN and click the Global Setting tab to display the configuration screen. 2 Click Browse to locate the logo graphic. Make sure the f[...]

  • Page 324

    Figure 198 Example Logo Graphic Display 21.4 SSL VPN Example This example uses SSL VPN to let remote users securely access the internal http://info website. 1 Click Configuration > VPN > SSL VPN > Access Privilege > Add and click Create New Object > Application to creat[...]

  • Page 325

    3 Display the ZyWALL’s login screen, enter your user account information (the user name and password), and click SSL VPN to establish an SSL VPN connection. 4 Your computer starts establishing a secure connection to the ZyWALL after the login. This may take up to two minutes. [...]

  • Page 326

    5 The client portal screen displays after the connection is up. In this example, click the Web Server link to go to http://info. If the user account is not included in an SSL VPN access policy, the ZyWALL redirects the user to the user aware screen. For more information on user p[...]

  • Page 327

    CHAPTER 22 SSL User Screens 22.1 Overview This chapter introduces the remote user SSL VPN screens. The following figure shows a network example where a remote user (A) logs into the ZyWALL from the Internet to access the web server (WWW) on the local network. Figure 199 Network Example 22.1.1 W[...]

  • Page 328

    • Using RDP requires Internet Explorer • Sun’s Runtime Environment (JRE) version 1.6 or later installed and enabled. Required Information A remote user needs the following information from the network administrator to log in and access network resources. • the doma[...]

  • Page 329

    Figure 201 Login Security Screen 3 A login screen displays. Enter the user name and password of your login account. If a token password is also required, enter it in the One-Time Password field. Click SSL VPN to log in and establish an SSL VPN connection to the network to a[...]

  • Page 330

    Figure 204 ActiveX Object Installation Blocked by Browser Figure 205 SecuExtender Blocked by Internet Explorer 6 The ZyWALL tries to run the “ssltun” application. You may need to click something to get your browser to allow this. In Internet Explorer, click Run. Fig[...]

  • Page 331

    Figure 207 SecuExtender Progress 8 If a screen like the following displays, click Continue Anyway to finish installing the SecuExtender client on your computer. Figure 208 Installation Warning 9 The Application screen displays showing the list of resources available to yo[...]

  • Page 332

    Figure 209 Remote User Screen The following table describes the various parts of a remote user screen. 22.4 Bookmarking the ZyWALL You can create a bookmark of the ZyWALL by clicking the Add to Favorite icon. This allows you to access the ZyWALL using[...]

  • Page 333

    3 Click OK to create a bookmark in your web browser. Figure 210 Add Favorite 22.5 Logging Out of the SSL VPN User Screens To properly terminate a connection, click on the Logout icon in any remote user screen. 1 Click the Logout icon in any remote user screen. 2 A promp[...]

  • Page 334

    Figure 212 Application 22.7 SSL User File Sharing The File Sharing screen lets you access files on a file server through the SSL VPN connection. Use it to display and access shared files/folders on a file server. You can also perform the following actions: • Access a fo[...]

  • Page 335

    Figure 213 File Sharing 22.7.2 Opening a File or Folder You can open a file if the file extension is recognized by the web browser and the associated application is installed on your computer. 1 Log in as a remote user and click the File Sharing tab. 2 Click on a file s[...]

  • Page 336

    4 A list of files/folders displays. Double click a file to open it in a separate browser window or select a file and click Download to save it to your computer. You can also click a folder to access it. For this example, click on a .doc file to open the Word document. Fig[...]

  • Page 337

    Figure 216 File Sharing: Save a Word File 22.7.5 Creating a New Folder To create a new folder in the file share location, click the New Folder icon. Specify a descriptive name for the folder. You can enter up to 356 characters. Then click Add. Note: Make sure the leng[...]

  • Page 338

    A popup window displays. Specify the new name and/or file extension in the field provided. You can enter up to 356 characters. Then click Apply. Note: Make sure the length of the name does not exceed the maximum allowed on the file server. You may not be able to ope[...]

  • Page 339

    Note: Uploading a file with the same name and file extension replaces the existing file on the file server. No warning message is displayed.[...]

  • Page 340

    Chapter 22 SSL User Screens ZyWALL 110/310/1100 Series User’s Guide 340[...]

  • Page 341

    CHAPTER 23 ZyWALL SecuExtender The ZyWALL automatically loads the ZyWALL SecuExtender client program to your computer after a successful login to an SSL VPN tunnel with network extension support enabled. The ZyWALL SecuExtender lets you: • Access servers, remote desktops and manage files as [...]

  • Page 342

    Figure 222 ZyWALL SecuExtender Status The following table describes the labels in this screen. 23.3 View Log If you have problems with the ZyWALL SecuExtender, customer support may request you to provide information from the log. Right-click the ZyWALL SecuExtend[...]

  • Page 343

    Figure 223 ZyWALL SecuExtender Log Example 23.4 Suspend and Resume the Connection When the ZyWALL SecuExtender icon in the system tray is green, you can right-click the icon and select Suspend Connection to keep the SSL VPN tunnel connected but not send any traffi[...]

  • Page 344

    Figure 224 Uninstalling the ZyWALL SecuExtender Confirmation 3 Windows uninstalls the ZyWALL SecuExtender. Figure 225 ZyWALL SecuExtender Uninstallation[...]

  • Page 345

    CHAPTER 24 L2TP VPN 24.1 Overview L2TP VPN uses the L2TP and IPSec client software included in remote users’ Android, iOS, or Windows operating systems for secure connections to the network behind the ZyWALL. The remote users do not need their own IPSec gateways or third-party VPN client software[...]

  • Page 346

    Using the Default L2TP VPN Connection The Default_L2TP_VPN_GW gateway entry is pre-configured to be convenient to use for L2TP VPN. Edit it as follows: • Set My Address to the WAN interface domain name or IP address you want to use. • Replace the default Pre-Shared Key. [...]

  • Page 347

    24.2 L2TP VPN Screen Click Configuration > VPN > L2TP VPN to open the following screen. Use this screen to configure the ZyWALL’s L2TP VPN settings. Note: Disconnect any existing L2TP VPN sessions before modifying L2TP VPN settings. The remote users must make any needed[...]

  • Page 348

    Authentication Server Certificate Select the certificate to use to identify the ZyWALL for L2TP VPN connections. You must have certificates already configured in the My Certificates screen (Click My Certificates and see Chapter 33 on page 413 for details). The certificate i[...]

  • Page 349

    CHAPTER 25 Bandwidth Management 25.1 Overview Bandwidth management provides a convenient way to manage the use of various services on the network. It manages general protocols (for example, HTTP and FTP) and applies traffic prioritization to enhance the performance of delay-sensitive applications[...]

  • Page 350

    Connection and Packet Directions Bandwidth management looks at the connection direction, that is from which interface the connection was initiated and to which interface the connection is going. A connection has outbound and inbound packet flows. The ZyWALL controls th[...]

  • Page 351

    Figure 230 LAN1 to WAN, Outbound 200 kbps, Inbound 500 kbps Bandwidth Management Priority • The ZyWALL gives bandwidth to higher-priority traffic first, until it reaches its configured bandwidth rate. • Then lower-priority traffic gets bandwidth. • The ZyWALL[...]

  • Page 352

    Figure 231 Bandwidth Management Behavior Configured Rate Effect In the following table the configured rates total less than the available bandwidth and maximize bandwidth usage is disabled, both servers get their configured rate. Priority Effect Here the configured rat[...]

  • Page 353

    Priority and Over Allotment of Bandwidth Effect Server A has a configured rate that equals the total amount of available bandwidth and a higher priority. You should regard extreme over allotment of traffic with different priorities (as shown here) as a configurat[...]

  • Page 354

    Chapter 25 Bandwidth Management ZyWALL 110/310/1100 Series User’s Guide 354 The following table describes the labels in this screen. See Section 25.2.1 on page 355 for more information as well. Table 127 Configuration > Bandwidth Management LABEL DESCRIPTION Enable BWM Select this check box to activate management bandwidth. Add Click thi[...]

  • Page 355

    Chapter 25 Bandwidth Management ZyWALL 110/310/1100 Series User’s Guide 355 25.2.1 The Bandwidth Management Add/Edit Screen The Configuration > Bandwidth Management Add/Edit screen allows you to create a new condition or edit an existing one. To access this screen, go to the Configuration > Bandwidth Management screen (see Section 25[...]

  • Page 356

    Chapter 25 Bandwidth Management ZyWALL 110/310/1100 Series User’s Guide 356 Figure 234 Configuration > Bandwidth Management > Add/Edit The following table describes the labels in this screen. Table 128 Configuration > Bandwidth Management LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need t[...]

  • Page 357

    Chapter 25 Bandwidth Management ZyWALL 110/310/1100 Series User’s Guide 357 Outgoing Interface Select the destination interface of the traffic to which this policy applies. Source Select a source address or address group for whom this policy applies. Use Create new Object if you need to configure a new one. Select any if the policy is effec[...]

  • Page 358

    Chapter 25 Bandwidth Management ZyWALL 110/310/1100 Series User’s Guide 358 Outbound kbps Type how much outbound bandwidth, in kilobits per second, this policy allows the traffic to use. Outbound refers to the traffic the ZyWALL sends out from a connection’s initiator. If you enter 0 here, this policy does not apply bandwidth manageme[...]

  • Page 359

    ZyWALL 110/310/1100 Series User’s Guide 359 CHAPTER 26 Device HA 26.1 Overview Device HA lets a backup ZyWALL (B) automatically take over if the master ZyWALL (A) fails. Figure 235 Device HA Backup Taking Over for the Master 26.1.1 What You Can Do in this Chapter • Use the General screen (Section 26.2 on page 360) to configure de[...]

  • Page 360

    Chapter 26 Device HA ZyWALL 110/310/1100 Series User’s Guide 360 Note: Only ZyWALLs of the same model and firmware version can synchronize. Otherwise you must manually configure the master ZyWALL’s settings on the backup (by editing copies of the configuration files in a text editor for example). Finding Out More • See Section 26.5 on[...]

  • Page 361

    Chapter 26 Device HA ZyWALL 110/310/1100 Series User’s Guide 361 26.3 The Active-Passive Mode Screen Virtual Router The master and backup ZyWALL form a single ‘virtual router’. In the following example, master ZyWALL A and backup ZyWALL B form a virtual router. Figure 237 Virtual Router Cluster ID You can have multiple ZyWALL virt[...]

  • Page 362

    Chapter 26 Device HA ZyWALL 110/310/1100 Series User’s Guide 362 Figure 238 Cluster IDs for Multiple Virtual Routers Monitored Interfaces in Active-Passive Mode Device HA You can select which interfaces device HA monitors. If a monitored interface on the ZyWALL loses its connection, device HA has the backup ZyWALL take over. Enable monito[...]

  • Page 363

    Chapter 26 Device HA ZyWALL 110/310/1100 Series User’s Guide 363 26.3.1 Configuring Active-Passive Mode Device HA The Device HA Active-Passive Mode screen lets you configure general active-passive mode device HA settings, view and manage the list of monitored interfaces, and synchronize backup ZyWALLs. To access this screen, click Configura[...]

  • Page 364

    Chapter 26 Device HA ZyWALL 110/310/1100 Series User’s Guide 364 Inactivate To turn off an entry, select it and click Inactivate. # This is the entry’s index number in the list. Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. Interface This field identifies the interface. At [...]

  • Page 365

    Chapter 26 Device HA ZyWALL 110/310/1100 Series User’s Guide 365 26.4 Configuring an Active-Passive Mode Monitored Interface The Device HA Active-Passive Mode Monitored Interface Edit screen lets you enable or disable monitoring of an interface and set the interface’s management IP address and subnet mask. To access this screen, click [...]

  • Page 366

    Chapter 26 Device HA ZyWALL 110/310/1100 Series User’s Guide 366 The following table describes the labels in this screen. 26.5 Device HA Technical Reference Active-Passive Mode Device HA with Bridge Interfaces Here are two ways to avoid a broadcast storm when you connect the bridge interfaces on two ZyWALLs. First Option for Connecting t[...]

  • Page 367

    Chapter 26 Device HA ZyWALL 110/310/1100 Series User’s Guide 367 2 Configure the bridge interface on the master ZyWALL, set the bridge interface as a monitored interface, and activate device HA. 3 Configure the bridge interface on the backup ZyWALL, set the bridge interface as a monitored interface, and activate device HA. 4 Connect the Z[...]

  • Page 368

    Chapter 26 Device HA ZyWALL 110/310/1100 Series User’s Guide 368 Second Option for Connecting the Bridge Interfaces on Two ZyWALLs Another option is to disable the bridge interfaces, connect the bridge interfaces, activate device HA, and finally reactivate the bridge interfaces as shown in the following example. 1 In this case the ZyWALLs a[...]

  • Page 369

    Chapter 26 Device HA ZyWALL 110/310/1100 Series User’s Guide 369 3 Enable the bridge interface on the master ZyWALL and then on the backup ZyWALL. 4 Connect the ZyWALLs. Synchronization During synchronization, the master ZyWALL sends the following information to the backup ZyWALL. • Startup configuration file (startup-config.conf) • [...]

  • Page 370

    Chapter 26 Device HA ZyWALL 110/310/1100 Series User’s Guide 370 • The backup ZyWALL cannot be the master. This refers to the actual role at the time of synchronization, not the role setting in the configuration screen.[...]

  • Page 371

    ZyWALL 110/310/1100 Series User’s Guide 371 CHAPTER 27 User/Group 27.1 Overview This chapter describes how to set up user accounts, user groups, and user settings for the ZyWALL. You can also set up rules that control when users have to log in to the ZyWALL before the ZyWALL routes traffic for them. 27.1.1 What You Can Do in this Chapte[...]

  • Page 372

    Chapter 27 User/Group ZyWALL 110/310/1100 Series User’s Guide 372 Note: The default admin account is always authenticated locally, regardless of the authentication method setting. (See Chapter 32 on page 409 for more information about authentication methods.) Ext-User Accounts Set up an ext-user account if the user is authenticated by an e[...]

  • Page 373

    Chapter 27 User/Group ZyWALL 110/310/1100 Series User’s Guide 373 User Awareness By default, users do not have to log into the ZyWALL to use the network services it provides. The ZyWALL automatically routes packets for everyone. If you want to restrict network services that certain users can use via the ZyWALL, you can require them to log [...]

  • Page 374

    Chapter 27 User/Group ZyWALL 110/310/1100 Series User’s Guide 374 27.2.1 User Add/Edit Screen The User Add/Edit screen allows you to create a new user account or edit an existing one. 27.2.1.1 Rules for User Names Enter a user name from 1 to 31 characters. The user name can only contain the following characters: • Alphanumeric A-z 0-9 (ther[...]

  • Page 375

    Chapter 27 User/Group ZyWALL 110/310/1100 Series User’s Guide 375 Figure 243 Configuration > User/Group > User > Add The following table describes the labels in this screen. Table 134 Configuration > User/Group > User > Add LABEL DESCRIPTION User Name Type the user name for this user account. You may use 1-31 alphanumeri[...]

  • Page 376

    Chapter 27 User/Group ZyWALL 110/310/1100 Series User’s Guide 376 27.3 User Group Summary Screen User groups consist of access users and other user groups. You cannot put admin users in user groups. The Group screen provides a summary of all user groups. In addition, this screen allows you to add, edit, and remove user groups. To access this [...]

  • Page 377

    Chapter 27 User/Group ZyWALL 110/310/1100 Series User’s Guide 377 27.3.1 Group Add/Edit Screen The Group Add/Edit screen allows you to create a new user group or edit an existing one. To access this screen, go to the Group screen (see Section 27.3 on page 376), and click either the Add icon or an Edit icon. Figure 245 Configuration > User/[...]

  • Page 378

    Chapter 27 User/Group ZyWALL 110/310/1100 Series User’s Guide 378 27.4 The User/Group Setting Screen The Setting screen controls default settings, login settings, lockout settings, and other user settings for the ZyWALL. You can also use this screen to specify when users must log in to the ZyWALL before it routes traffic for them. To access[...]

  • Page 379

    Chapter 27 User/Group ZyWALL 110/310/1100 Series User’s Guide 379 # This field is a sequential value, and it is not associated with a specific entry. User Type These are the kinds of user account the ZyWALL supports. • admin - this user can look at and change the configuration of the ZyWALL • limited-admin - this user can look at [...]

  • Page 380

    Chapter 27 User/Group ZyWALL 110/310/1100 Series User’s Guide 380 27.4.1 Default User Authentication Timeout Settings Edit Screens The Default Authentication Timeout Settings Edit screen allows you to set the default authentication timeout settings for the selected type of user account. These default authentication timeout settings also contro[...]

  • Page 381

    Chapter 27 User/Group ZyWALL 110/310/1100 Series User’s Guide 381 The following table describes the labels in this screen. 27.4.2 User Aware Login Example Access users cannot use the Web Configurator to browse the configuration of the ZyWALL. Instead, after access users log into the ZyWALL, the following screen appears. Figure 248 Web Con[...]

  • Page 382

    Chapter 27 User/Group ZyWALL 110/310/1100 Series User’s Guide 382 The following table describes the labels in this screen. 27.5 User/Group Technical Reference This section provides some information on users who use an external authentication server in order to log in. Setting up User Attributes in an External Server To set up user attributes,[...]

  • Page 383

    Chapter 27 User/Group ZyWALL 110/310/1100 Series User’s Guide 383 Creating a Large Number of Ext-User Accounts If you plan to create a large number of Ext-User accounts, you might use CLI commands, instead of the Web Configurator, to create the accounts. Extract the user names from the LDAP or RADIUS server, and create a shell script that c[...]

  • Page 384

    ZyWALL 110/310/1100 Series User’s Guide 384 CHAPTER 28 Addresses 28.1 Overview Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups. 28.1.1 What You Can Do in this Chapter • The Address screen (Section 28.2 on page 384) provides a summary of [...]

  • Page 385

    Chapter 28 Addresses ZyWALL 110/310/1100 Series User’s Guide 385 Figure 251 Configuration > Object > Address > Address The following table describes the labels in this screen. See Section 28.2.1 on page 386 for more information as well. Table 141 Configuration > Object > Address > Address LABEL DESCRIPTION IPv4 Address Confi[...]

  • Page 386

    Chapter 28 Addresses ZyWALL 110/310/1100 Series User’s Guide 386 28.2.1 IPv4 Address Add/Edit Screen The Configuration > IPv4 Address Add/Edit screen allows you to create a new address or edit an existing one. To access this screen, go to the Address screen (see Section 28.2 on page 384), and click either the Add icon or an Edit icon in t[...]

  • Page 387

    Chapter 28 Addresses ZyWALL 110/310/1100 Series User’s Guide 387 28.2.2 IPv6 Address Add/Edit Screen The Configuration > IPv6 Address Add/Edit screen allows you to create a new address or edit an existing one. To access this screen, go to the Address screen (see Section 28.2 on page 384), and click either the Add icon or an Edit icon in t[...]

  • Page 388

    Chapter 28 Addresses ZyWALL 110/310/1100 Series User’s Guide 388 28.3 Address Group Summary Screen The Address Group screen provides a summary of all address groups. To access this screen, click Configuration > Object > Address > Address Group. Click a column’s heading cell to sort the table entries by that column’s criteria. Cl[...]

  • Page 389

    Chapter 28 Addresses ZyWALL 110/310/1100 Series User’s Guide 389 28.3.1 Address Group Add/Edit Screen The Address Group Add/Edit screen allows you to create a new address group or edit an existing one. To access this screen, go to the Address Group screen (see Section 28.3 on page 388), and click either the Add icon or an Edit icon in the IPv4[...]

  • Page 390

    ZyWALL 110/310/1100 Series User’s Guide 390 CHAPTER 29 Services 29.1 Overview Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features. 29.1.1 What You Can Do in this Chapter • Use the Service screens (Section 29.2 on [...]

  • Page 391

    Chapter 29 Services ZyWALL 110/310/1100 Series User’s Guide 391 Service Objects and Service Groups Use service objects to define IP protocols. • TCP applications • UDP applications • ICMP messages • user-defined services (for other types of IP protocols) These objects are used in policy routes, firewall rules. Use service groups when y[...]

  • Page 392

    Chapter 29 Services ZyWALL 110/310/1100 Series User’s Guide 392 The following table describes the labels in this screen. 29.2.1 The Service Add/Edit Screen The Service Add/Edit screen allows you to create a new service or edit an existing one. To access this screen, go to the Service screen (see Section 29.2 on page 391), and click either the[...]

  • Page 393

    Chapter 29 Services ZyWALL 110/310/1100 Series User’s Guide 393 29.3 The Service Group Summary Screen The Service Group summary screen provides a summary of all service groups. In addition, this screen allows you to add, edit, and remove service groups. To access this screen, log in to the Web Configurator, and click Configuration > Object[...]

  • Page 394

    Chapter 29 Services ZyWALL 110/310/1100 Series User’s Guide 394 29.3.1 The Service Group Add/Edit Screen The Service Group Add/Edit screen allows you to create a new service group or edit an existing one. To access this screen, go to the Service Group screen (see Section 29.3 on page 393), and click either the Add icon or an Edit icon. Figure [...]

  • Page 395

    Chapter 29 Services ZyWALL 110/310/1100 Series User’s Guide 395 Member List The Member list displays the names of the service and service group objects that have been added to the service group. The order of members is not important. Select items from the Available list that you want to be members and move them to the Member list. You can do[...]

  • Page 396

    ZyWALL 110/310/1100 Series User’s Guide 396 CHAPTER 30 Schedules 30.1 Overview Use schedules to set up one-time and recurring schedules for policy routes, firewall rules. The ZyWALL supports one-time and recurring schedules. One-time schedules are effective only once, while recurring schedules usually repeat. Both types of schedules are based[...]

  • Page 397

    Chapter 30 Schedules ZyWALL 110/310/1100 Series User’s Guide 397 30.2 The Schedule Summary Screen The Schedule summary screen provides a summary of all schedules in the ZyWALL. To access this screen, click Configuration > Object > Schedule. Figure 260 Configuration > Object > Schedule The following table describes the labels in t[...]

  • Page 398

    Chapter 30 Schedules ZyWALL 110/310/1100 Series User’s Guide 398 30.2.1 The One-Time Schedule Add/Edit Screen The One-Time Schedule Add/Edit screen allows you to define a one-time schedule or edit an existing one. To access this screen, go to the Schedule screen (see Section 30.2 on page 397), and click either the Add icon or an Edit icon in [...]

  • Page 399

    Chapter 30 Schedules ZyWALL 110/310/1100 Series User’s Guide 399 30.2.2 The Recurring Schedule Add/Edit Screen The Recurring Schedule Add/Edit screen allows you to define a recurring schedule or edit an existing one. To access this screen, go to the Schedule screen (see Section 30.2 on page 397), and click either the Add icon or an Edit icon[...]

  • Page 400

    ZyWALL 110/310/1100 Series User’s Guide 400 CHAPTER 31 AAA Server 31.1 Overview You can use a AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The AAA server can be an Active Directory, LDAP, or RADIUS server. Use the AAA Server screens to create and manage objects that contain settings for [...]

  • Page 401

    Chapter 31 AAA Server ZyWALL 110/310/1100 Series User’s Guide 401 Figure 264 RADIUS Server Network Example 31.1.3 ASAS ASAS (Authenex Strong Authentication System) is a RADIUS server that works with the One-Time Password (OTP) feature. Purchase a ZyWALL OTP package in order to use this feature. The package contains server software and phys[...]

  • Page 402

    Chapter 31 AAA Server ZyWALL 110/310/1100 Series User’s Guide 402 • Directory Service (LDAP/AD) LDAP (Lightweight Directory Access Protocol)/AD (Active Directory) is a directory service that is both a directory and a protocol for controlling access to a network. The directory consists of a database specialized for fast information retrieval a[...]

  • Page 403

    Chapter 31 AAA Server ZyWALL 110/310/1100 Series User’s Guide 403 Bind DN A bind DN is used to authenticate with an LDAP/AD server. For example a bind DN of cn=zywallAdmin allows the ZyWALL to log into the LDAP/AD server using the user name of zywallAdmin. The bind DN is used in conjunction with a bind password. When a bind DN is not specifi[...]

  • Page 404

    Chapter 31 AAA Server ZyWALL 110/310/1100 Series User’s Guide 404 Figure 267 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add The following table describes the labels in this screen. Table 154 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add LABEL DESCRIPTION Name Enter a des[...]

  • Page 405

    Chapter 31 AAA Server ZyWALL 110/310/1100 Series User’s Guide 405 Base DN Specify the directory (up to 127 alphanumerical characters). For example, o=ZyXEL, c=US. This is only for LDAP. Use SSL Select Use SSL to establish a secure connection to the AD or LDAP server(s). Search time limit Specify the timeout period (between 1 and 300 second[...]

  • Page 406

    Chapter 31 AAA Server ZyWALL 110/310/1100 Series User’s Guide 406 31.3 RADIUS Server Summary Use the RADIUS screen to manage the list of RADIUS servers the ZyWALL can use in authenticating users. Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen. Figure 268 Configuration > Object > AAA Server > RA[...]

  • Page 407

    Chapter 31 AAA Server ZyWALL 110/310/1100 Series User’s Guide 407 Figure 269 Configuration > Object > AAA Server > RADIUS > Add The following table describes the labels in this screen. Table 156 Configuration > Object > AAA Server > RADIUS > Add LABEL DESCRIPTION Name Enter a descriptive name (up to 63 alphanumerical[...]

  • Page 408

    Chapter 31 AAA Server ZyWALL 110/310/1100 Series User’s Guide 408 Group Membership Attribute A RADIUS server defines attributes for its accounts. Select the name and number of the attribute that the ZyWALL is to check to determine to which group a user belongs. If it does not display, select user-defined and specify the attribute’s numb[...]

  • Page 409

    ZyWALL 110/310/1100 Series User’s Guide 409 CHAPTER 32 Authentication Method 32.1 Overview Authentication method objects set how the ZyWALL authenticates wireless, HTTP/HTTPS clients, and peer IPSec routers (extended authentication) clients. Configure authentication method objects to have the ZyWALL use the local user database, and/or the a[...]

  • Page 410

    Chapter 32 Authentication Method ZyWALL 110/310/1100 Series User’s Guide 410 Figure 270 Example: Using Authentication Method in VPN 32.2 Authentication Method Objects Click Configuration > Object > Auth. Method to display the screen as shown. Note: You can create up to 16 authentication method objects. Figure 271 Configuration > Obj[...]

  • Page 411

    Chapter 32 Authentication Method ZyWALL 110/310/1100 Series User’s Guide 411 2 Click Add. 3 Specify a descriptive name for identification purposes in the Name field. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. For example, “My_Device” [...]

  • Page 412

    Chapter 32 Authentication Method ZyWALL 110/310/1100 Series User’s Guide 412 Move To change a method’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed. The ordering of your methods is importan[...]

  • Page 413

    ZyWALL 110/310/1100 Series User’s Guide 413 CHAPTER 33 Certificates 33.1 Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys fo[...]

  • Page 414

    Chapter 33 Certificates ZyWALL 110/310/1100 Series User’s Guide 414 5 Additionally, Jenny uses her own private key to sign a message and Tim uses Jenny’s public key to verify the message. The ZyWALL uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that y[...]

  • Page 415

    Chapter 33 Certificates ZyWALL 110/310/1100 Series User’s Guide 415 • Binary PKCS#12: This is a format for transferring public key and private key certificates. The private key in a PKCS #12 file is within a password-encrypted envelope. The file’s password is not connected to your certificate’s public or private passwords. Exporting [...]

  • Page 416

    Chapter 33 Certificates ZyWALL 110/310/1100 Series User’s Guide 416 Figure 274 Certificate Details 4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or thro[...]

  • Page 417

    Chapter 33 Certificates ZyWALL 110/310/1100 Series User’s Guide 417 The following table describes the labels in this screen. 33.2.1 The My Certificates Add Screen Click Configuration > Object > Certificate > My Certificates and then the Add icon to open the My Certificates Add screen. Use this screen to have the ZyWALL create a self-s[...]

  • Page 418

    Chapter 33 Certificates ZyWALL 110/310/1100 Series User’s Guide 418 Figure 276 Configuration > Object > Certificate > My Certificates > Add The following table describes the labels in this screen. Table 160 Configuration > Object > Certificate > My Certificates > Add LABEL DESCRIPTION Name Type a name to identify this [...]

  • Page 419

    Chapter 33 Certificates ZyWALL 110/310/1100 Series User’s Guide 419 If you configured the My Certificate Create screen to have the ZyWALL enroll a certificate and the certificate enrollment is not successful, you see a screen with a Return button that takes you back to the My Certificate Create screen. Click Return and check your information in[...]

  • Page 420

    Chapter 33 Certificates ZyWALL 110/310/1100 Series User’s Guide 420 Figure 277 Configuration > Object > Certificate > My Certificates > Edit The following table describes the labels in this screen. Table 161 Configuration > Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Name This field displays the id[...]

  • Page 421

    Chapter 33 Certificates ZyWALL 110/310/1100 Series User’s Guide 421 Certificate Information These read-only fields display detailed information about the certificate. Type This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the ce[...]

  • Page 422

    Chapter 33 Certificates ZyWALL 110/310/1100 Series User’s Guide 422 33.2.3 The My Certificates Import Screen Click Configuration > Object > Certificate > My Certificates > Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the ZyWALL. Note: You can import [...]

  • Page 423

    Chapter 33 Certificates ZyWALL 110/310/1100 Series User’s Guide 423 The following table describes the labels in this screen. 33.3 The Trusted Certificates Screen Click Configuration > Object > Certificate > Trusted Certificates to open the Trusted Certificates screen. This screen displays a summary list of certificates that you have[...]

  • Page 424

    Chapter 33 Certificates ZyWALL 110/310/1100 Series User’s Guide 424 33.3.1 The Trusted Certificates Edit Screen Click Configuration > Object > Certificate > Trusted Certificates and then a certificate’s Edit icon to open the Trusted Certificates Edit screen. Use this screen to view in-depth information about the certificate, ch[...]

  • Page 425

    Chapter 33 Certificates ZyWALL 110/310/1100 Series User’s Guide 425 Figure 280 Configuration > Object > Certificate > Trusted Certificates > Edit[...]

  • Page 426

    Chapter 33 Certificates ZyWALL 110/310/1100 Series User’s Guide 426 The following table describes the labels in this screen. Table 164 Configuration > Object > Certificate > Trusted Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can change the name. You can use up [...]

  • Page 427

    Chapter 33 Certificates ZyWALL 110/310/1100 Series User’s Guide 427 33.3.2 The Trusted Certificates Import Screen Click Configuration > Object > Certificate > Trusted Certificates > Import to open the Trusted Certificates Import screen. Follow the instructions in this screen to save a trusted certificate to the ZyWALL. Issuer T[...]

  • Page 428

    Chapter 33 Certificates ZyWALL 110/310/1100 Series User’s Guide 428 Note: You must remove any spaces from the certificate’s filename before you can import the certificate. Figure 281 Configuration > Object > Certificate > Trusted Certificates > Import The following table describes the labels in this screen. 33.4 Certificates[...]

  • Page 429

    ZyWALL 110/310/1100 Series User’s Guide 429 CHAPTER 34 ISP Accounts 34.1 Overview Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE/PPTP interfaces. An ISP account is a profile of settings for Internet access using PPPoE or PPTP. Finding Out More • See Section 7.4 on page 125 for information about [...]

  • Page 430

    Chapter 34 ISP Accounts ZyWALL 110/310/1100 Series User’s Guide 430 34.2.1 ISP Account Edit The ISP Account Edit screen lets you add information about new accounts and edit information about existing accounts. To open this window, open the ISP Account screen. (See Section 34.2 on page 429.) Then, click on an Add icon or Edit icon to open th[...]

  • Page 431

    Chapter 34 ISP Accounts ZyWALL 110/310/1100 Series User’s Guide 431 Authentication Type Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this remote node. Chap - Your ZyWALL accepts CHAP only. PAP - Your ZyWALL accepts P[...]

  • Page 432

    ZyWALL 110/310/1100 Series User’s Guide 432 CHAPTER 35 SSL Application 35.1 Overview You use SSL application objects in SSL VPN. Configure an SSL application object to specify the type of application and the address of the local computer, server, or web site SSL users are to be able to access. You can apply one or more SSL application obj[...]

  • Page 433

    Chapter 35 SSL Application ZyWALL 110/310/1100 Series User’s Guide 433 The LAN computer to be managed must have VNC (Virtual Network Computing) or RDP (Remote Desktop Protocol) server software installed. The remote user’s computer does not use VNC or RDP client software. The ZyWALL works with the following remote desktop connection soft[...]

  • Page 434

    Chapter 35 SSL Application ZyWALL 110/310/1100 Series User’s Guide 434 Figure 285 Example: SSL Application: Specifying a Web Site for Access 35.2 The SSL Application Screen The main SSL Application screen displays a list of the configured SSL application objects. Click Configuration > Object > SSL Application in the navigation panel. Figu[...]

  • Page 435

    Chapter 35 SSL Application ZyWALL 110/310/1100 Series User’s Guide 435 35.2.1 Creating/Editing an SSL Application Object You can create a web-based application that allows remote users to access an application via standard web browsers. You can also create a file sharing application that specifies the name of a folder on a file server (Linux or[...]

  • Page 436

    Chapter 35 SSL Application ZyWALL 110/310/1100 Series User’s Guide 436 Figure 288 Configuration > Object > SSL Application > Add/Edit: File Sharing The following table describes the labels in this screen. Table 169 Configuration > Object > SSL Application > Add/Edit: Web Application LABEL DESCRIPTION Create new Object Use[...]

  • Page 437

    Chapter 35 SSL Application ZyWALL 110/310/1100 Series User’s Guide 437 Preview This field only appears when you choose Web Application as the object type. This field displays if the Server Type is set to Web Server, OWA or Weblink. Click Preview to access the URL you specified in a new IE web browser. Entry Point This field only appears[...]

  • Page 438

    ZyWALL 110/310/1100 Series User’s Guide 438 CHAPTER 36 DHCPv6 36.1 Overview This chapter describes how to configure DHCPv6 request type and lease type objects. 36.1.1 What You Can Do in this Chapter • The Request screen (see Section 27.2 on page 373) allows you to configure DHCPv6 request type objects. • The Lease screen (see Section [...]

  • Page 439

    Chapter 36 DHCPv6 ZyWALL 110/310/1100 Series User’s Guide 439 36.2.1 DHCPv6 Request Add/Edit Screen The Request Add/Edit screen allows you to create a new request object or edit an existing one. To access this screen, go to the Request screen (see Section 27.2 on page 373), and click either the Add icon or an Edit icon. Figure 290 Configuratio[...]

  • Page 440

    Chapter 36 DHCPv6 ZyWALL 110/310/1100 Series User’s Guide 440 Figure 291 Configuration > Object > DHCPv6 > Lease The following table describes the labels in this screen. 36.3.1 DHCPv6 Lease Add/Edit Screen The Lease Add/Edit screen allows you to create a new lease object or edit an existing one. To access this screen, go to the Lease s[...]

  • Page 441

    Chapter 36 DHCPv6 ZyWALL 110/310/1100 Series User’s Guide 441 The following table describes the labels in this screen. Table 173 Configuration > DHCPv6 > Lease > Add LABEL DESCRIPTION Name Type the name for this lease object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first chara[...]

  • Page 442

    Chapter 36 DHCPv6 ZyWALL 110/310/1100 Series User’s Guide 442[...]

  • Page 443

    ZyWALL 110/310/1100 Series User’s Guide 443 CHAPTER 37 System 37.1 Overview Use the system screens to configure general ZyWALL settings. 37.1.1 What You Can Do in this Chapter • Use the System > Host Name screen (see Section 37.2 on page 444) to configure a unique name for the ZyWALL in your network. • Use the System > USB [...]

  • Page 444

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 444 37.2 Host Name A host name is the unique name by which a device is known on a network. Click Configuration > System > Host Name to open the Host Name screen. Figure 293 Configuration > System > Host Name The following table describes the labels in this screen. 37.3 USB St[...]

  • Page 445

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 445 Figure 294 Configuration > System > USB Storage The following table describes the labels in this screen. 37.4 Date and Time For effective scheduling and logging, the ZyWALL system time must be accurate. The ZyWALL’s Real Time Chip (RTC) keeps track of the time and date[...]

  • Page 446

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 446 Figure 295 Configuration > System > Date and Time The following table describes the labels in this screen. Table 176 Configuration > System > Date and Time LABEL DESCRIPTION Current Time and Date Current Time This field displays the present time of your ZyWALL. Current D[...]

  • Page 447

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 447 Get from Time Server Select this radio button to have the ZyWALL get the time and date from the time server you specify below. The ZyWALL requests time and date settings from the time server under the following circumstances. • When the ZyWALL starts up. • When you click A[...]

  • Page 448

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 448 37.4.1 Pre-defined NTP Time Servers List When you turn on the ZyWALL for the first time, the date and time start at 2003-01-01 00:00:00. The ZyWALL then attempts to synchronize with one of the following pre-defined list of Network Time Protocol (NTP) time servers. The ZyWALL conti[...]

  • Page 449

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 449 7 Click Apply. To get the ZyWALL date and time from a time server 1 Click System > Date/Time. 2 Select Get from Time Server under Time and Date Setup. 3 Under Time Zone Setup, select your Time Zone from the list. 4 As an option you can select the Enable Daylight Saving che[...]

  • Page 450

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 450 37.6 DNS Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. 37.6.1 DNS Server Address Assignment Th[...]

  • Page 451

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 451 The following table describes the labels in this screen. Table 179 Configuration > System > DNS LABEL DESCRIPTION Address/PTR Record This record specifies the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For[...]

  • Page 452

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 452 37.6.3 Address Record An address record contains the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com is a fully qualified domain name, where “www” is the host, “zyxel” is the second-leve[...]

  • Page 453

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 453 37.6.5 Adding an Address/PTR Record Click the Add icon in the Address/PTR Record table to add an address/PTR record. Figure 299 Configuration > System > DNS > Address/PTR Record Edit The following table describes the labels in this screen. 37.6.6 Domain Zone Forwarder A dom[...]

  • Page 454

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 454 Figure 300 Configuration > System > DNS > Domain Zone Forwarder Add The following table describes the labels in this screen. 37.6.8 MX Record A MX (Mail eXchange) record indicates which host is responsible for the mail for a particular domain, that is, controls where mail is[...]

  • Page 455

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 455 Figure 301 Configuration > System > DNS > MX Record Add The following table describes the labels in this screen. 37.6.10 Adding a DNS Service Control Rule Click the Add icon in the Service Control table to add a service control rule. Figure 302 Configuration > System &g[...]

  • Page 456

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 456 37.7 WWW Overview The following figure shows secure and insecure management of the ZyWALL coming in from the WAN. HTTPS and SSH access are secure. HTTP and Telnet access are not secure. Note: To allow the ZyWALL to be accessed from a specified computer using a service, make sur[...]

  • Page 457

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 457 It relies upon certificates, public keys, and private keys (see Chapter 33 on page 413 for more information). HTTPS on the ZyWALL is used so that you can securely access the ZyWALL using the Web Configurator. The SSL protocol specifies that the HTTPS server (the ZyWALL) must a[...]

  • Page 458

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 458 Figure 304 Configuration > System > WWW > Service Control The following table describes the labels in this screen. Table 184 Configuration > System > WWW > Service Control LABEL DESCRIPTION HTTPS Enable Select the check box to allow or disallow the computer with [...]

  • Page 459

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 459 Authenticate Client Certificates Select Authenticate Client Certificates (optional) to require the SSL client to authenticate itself to the ZyWALL by sending the ZyWALL a certificate. To do that the SSL client must have a CA-signed certificate from a CA that has been importe[...]

  • Page 460

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 460 37.7.5 Service Control Rules Click Add or Edit in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to add a service control rule. Figure 305 Configuration > System > Service Control Rule > Edit Edit Double-click an entry or select it and click Edit to b[...]

  • Page 461

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 461 The following table describes the labels in this screen. 37.7.6 Customizing the WWW Login Page Click Configuration > System > WWW > Login Page to open the Login Page screen. Use this screen to customize the Web Configurator login screen. You can also customize the page that[...]

  • Page 462

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 462 Figure 306 Configuration > System > WWW > Login Page The following figures identify the parts you can customize in the login and access pages.[...]

  • Page 463

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 463 Figure 307 Login Page Customization Figure 308 Access Page Customization You can specify colors in one of the following ways: • Click Color to display a screen of web-safe colors from which to choose. • Enter the name of the desired color. Logo Title Message Note Message Back[...]

  • Page 464

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 464 • Enter a pound sign (#) followed by the six-digit hexadecimal number that represents the desired color. For example, use “#000000” for black. • Enter “rgb” followed by red, green, and blue values in parentheses and separated by commas. For example, use “rgb(0,0,0)”[...]

  • Page 465

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 465 37.7.7 HTTPS Example If you haven’t changed the default HTTPS port on the ZyWALL, then in your browser enter “https://ZyWALL IP Address/” as the web site address where “ZyWALL IP Address” is the IP address or domain name of the ZyWALL you wish to access. 37.7.7.1 Inter[...]

  • Page 466

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 466 Figure 310 Security Certificate 1 (Firefox) Figure 311 Security Certificate 2 (Firefox) 37.7.7.3 Avoiding Browser Warning Messages Here are the main reasons your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnin[...]

  • Page 467

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 467 Figure 312 Login Screen (Internet Explorer) 37.7.7.5 Enrolling and Importing SSL Client Certificates The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA to the ZyWALL in order for the Au[...]

  • Page 468

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 468 Figure 314 CA Certificate Example 2 Click Install Certificate and follow the wizard as shown earlier in this appendix. 37.7.7.5.2 Installing Your Personal Certificate(s) You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment[...]

  • Page 469

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 469 Figure 315 Personal Certificate Import Wizard 1 2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 316 Personal Certificate Import Wizard 2 3 Enter th[...]

  • Page 470

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 470 Figure 317 Personal Certificate Import Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Figure 318 Personal Certificate Import Wizard 4 5 Click Finis[...]

  • Page 471

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 471 Figure 319 Personal Certificate Import Wizard 5 6 You should see the following screen when the certificate is correctly installed on your computer. Figure 320 Personal Certificate Import Wizard 6 37.7.7.6 Using a Certificate When Accessing the ZyWALL Example Use the following pro[...]

  • Page 472

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 472 Figure 322 SSL Client Authentication 3 You next see the Web Configurator login screen. Figure 323 Secure Web Configurator Login Screen 37.8 SSH You can use SSH (Secure SHell) to securely access the ZyWALL’s command line interface. Specify which zones allow SSH access and from w[...]

  • Page 473

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 473 Figure 324 SSH Communication Over the WAN Example 37.8.1 How SSH Works The following figure is an example of how a secure connection is established between two remote hosts using SSH v1. Figure 325 How SSH v1 Works Example 1 Host Identification The SSH client sends a connection req[...]

  • Page 474

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 474 37.8.2 SSH Implementation on the ZyWALL Your ZyWALL supports SSH versions 1 and 2 using RSA authentication and four encryption methods (AES, 3DES, Archfour, and Blowfish). The SSH server is implemented on the ZyWALL for management using port 22 (by default). 37.8.3 Requirements f[...]

  • Page 475

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 475 37.8.5 Secure Telnet Using SSH Examples This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the ZyWALL. The configuration and connection steps are similar for most SSH client programs. Refer to your SSH client[...]

  • Page 476

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 476 37.8.5.2 Example 2: Linux This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distributions. 1 Test whether the SSH service is available on the ZyWALL. Enter “telnet 192.168.1.1 22” at a terminal prompt and press [ENTE[...]

  • Page 477

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 477 Figure 330 Configuration > System > TELNET The following table describes the labels in this screen. Table 188 Configuration > System > TELNET LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address[...]

  • Page 478

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 478 37.10 FTP You can upload and download the ZyWALL’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. Please see Chapter 39 on page 499 for more information about firmware and configuration files. 37.10.1 Configuring FTP T [...]

  • Page 479

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 479 37.11 SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices. Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network. The ZyWALL support[...]

  • Page 480

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 480 Figure 332 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed devi[...]

  • Page 481

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 481 statistical data and monitor status and performance. You can download the ZyWALL’s MIBs from www.zyxel.com. 37.11.2 SNMP Traps The ZyWALL will send traps to the SNMP manager when any one of the following events occurs. 37.11.3 Configuring SNMP To change your ZyWALL’s [...]

  • Page 482

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 482 Figure 333 Configuration > System > SNMP The following table describes the labels in this screen. Table 191 Configuration > System > SNMP LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) [...]

  • Page 483

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 483 37.12 Language Screen Click Configuration > System > Language to open the following screen. Use this screen to select a display language for the ZyWALL’s Web Configurator screens. Figure 334 Configuration > System > Language The following table describes the labels[...]

  • Page 484

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 484 Figure 335 Configuration > System > IPv6 The following table describes the labels in this screen. Table 193 Configuration > System > IPv6 LABEL DESCRIPTION Enable IPv6 Select this to have the ZyWALL support IPv6 and make IPv6 settings be available on the screens that t[...]

  • Page 485

    ZyWALL 110/310/1100 Series User’s Guide 485 CHAPTER 38 Log and Report 38.1 Overview Use these screens to configure daily reporting and log settings. 38.1.1 What You Can Do In this Chapter • Use the Email Daily Report screen (Section 38.2 on page 485) to configure where and how to send daily reports and what reports to send. • Use [...]

  • Page 486

    Chapter 38 Log and Report ZyWALL 110/310/1100 Series User’s Guide 486 Figure 336 Configuration > Log & Report > Email Daily Report The following table describes the labels in this screen. Table 194 Configuration > Log & Report > Email Daily Report LABEL DESCRIPTION Enable Email Daily Report Select this to send reports by[...]

  • Page 487

    Chapter 38 Log and Report ZyWALL 110/310/1100 Series User’s Guide 487 38.3 Log Setting Screens The Log Setting screens control log messages and alerts. A log message stores the information for viewing or regular e-mailing later, and an alert is e-mailed immediately. Usually, alerts are used for events that require more serious attention, such[...]

  • Page 488

    Chapter 38 Log and Report ZyWALL 110/310/1100 Series User’s Guide 488 Figure 337 Configuration > Log & Report > Log Setting The following table describes the labels in this screen. Table 195 Configuration > Log & Report > Log Setting LABEL DESCRIPTION Edit Double-click an entry or select it and click Edit to open a screen w[...]

  • Page 489

    Chapter 38 Log and Report ZyWALL 110/310/1100 Series User’s Guide 489 38.3.2 Edit System Log Settings The Log Settings Edit screen controls the detailed settings for each log in the system log (which includes the e-mail profiles). Go to the Log Settings Summary screen (see Section 38.3.1 on page 487), and click the system log Edit icon. Figure [...]

  • Page 490

    Chapter 38 Log and Report ZyWALL 110/310/1100 Series User’s Guide 490 The following table describes the labels in this screen. Table 196 Configuration > Log & Report > Log Setting > Edit (System Log) LABEL DESCRIPTION E-Mail Server 1/2 Active Select this to send log messages and alerts according to the information in this section[...]

  • Page 491

    Chapter 38 Log and Report ZyWALL 110/310/1100 Series User’s Guide 491 38.3.3 Edit Log on USB Storage Setting The Edit Log on USB Storage Setting screen controls the detailed settings for saving logs to a connected USB storage device. Go to the Log Setting Summary screen (see Section 38.3.1 on page 487), and click the USB storage Edit icon. E-[...]

  • Page 492

    Chapter 38 Log and Report ZyWALL 110/310/1100 Series User’s Guide 492 Figure 339 Configuration > Log & Report > Log Setting > Edit (USB Storage)[...]

  • Page 493

    Chapter 38 Log and Report ZyWALL 110/310/1100 Series User’s Guide 493 The following table describes the labels in this screen. 38.3.4 Edit Remote Server Log Settings The Log Settings Edit screen controls the detailed settings for each log in the remote server (syslog). Go to the Log Settings Summary screen (see Section 38.3.1 on page 487), and [...]

  • Page 494

    Chapter 38 Log and Report ZyWALL 110/310/1100 Series User’s Guide 494 Figure 340 Configuration > Log & Report > Log Setting > Edit (Remote Server)[...]

  • Page 495

    Chapter 38 Log and Report ZyWALL 110/310/1100 Series User’s Guide 495 The following table describes the labels in this screen. 38.3.5 Log Category Settings Screen The Log Category Settings screen allows you to view and to edit what information is included in the system log, USB storage, e-mail profiles, and remote servers at the same time. It d[...]

  • Page 496

    Chapter 38 Log and Report ZyWALL 110/310/1100 Series User’s Guide 496 Figure 341 Log Category Settings This screen provides a different view and a different way of indicating which messages are included in each log and each alert. Please see Section 38.3.2 on page 489, where this process is discussed. (The Default category includes debugging m[...]

  • Page 497

    Chapter 38 Log and Report ZyWALL 110/310/1100 Series User’s Guide 497 The following table describes the fields in this screen. Table 199 Configuration > Log & Report > Log Setting > Log Category Settings LABEL DESCRIPTION System Log Use the System Log drop-down list to change the log settings for all of the log categories. dis[...]

  • Page 498

    Chapter 38 Log and Report ZyWALL 110/310/1100 Series User’s Guide 498 System Log Select which events you want to log by Log Category. There are three choices: disable all logs (red X) - do not log any information from this category enable normal logs (green check mark) - create log messages and alerts from this category enable normal logs and [...]

  • Page 499

    ZyWALL 110/310/1100 Series User’s Guide 499 CHAPTER 39 File Manager 39.1 Overview Configuration files define the ZyWALL’s settings. Shell scripts are files of commands that you can store on the ZyWALL and run when you need them. You can apply a configuration file or run a shell script without the ZyWALL restarting. You can store multipl[...]

  • Page 500

    Chapter 39 File Manager ZyWALL 110/310/1100 Series User’s Guide 500 These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below. While configuration files and shell scripts have the same syntax, the ZyWALL applies configuration files differently than it runs shell scripts. Th[...]

  • Page 501

    Chapter 39 File Manager ZyWALL 110/310/1100 Series User’s Guide 501 Line 3 in the following example exits sub command mode. Lines 1 and 3 in the following example are comments and line 4 exits sub command mode. Lines 1 and 2 are comments. Line 5 exits sub command mode. Errors in Configuration Files or Shell Scripts When you apply a configurat[...]

  • Page 502

    Chapter 39 File Manager ZyWALL 110/310/1100 Series User’s Guide 502 Configuration File Flow at Restart • If there is not a startup-config.conf when you restart the ZyWALL (whether through a management interface or by physically turning the power off and back on), the ZyWALL uses the system-default.conf configuration file with the ZyWALL?[...]

  • Page 503

    Chapter 39 File Manager ZyWALL 110/310/1100 Series User’s Guide 503 The following table describes the labels in this screen. Table 201 Maintenance > File Manager > Configuration File LABEL DESCRIPTION Rename Use this button to change the label of a configuration file on the ZyWALL. You can only rename manually saved configuration [...]

  • Page 504

    Chapter 39 File Manager ZyWALL 110/310/1100 Series User’s Guide 504 Apply Use this button to have the ZyWALL use a specific configuration file. Click a configuration file’s row to select it and click Apply to have the ZyWALL use that configuration file. The ZyWALL does not have to restart in order to use a different configuration file [...]

  • Page 505

    Chapter 39 File Manager ZyWALL 110/310/1100 Series User’s Guide 505 39.3 The Firmware Package Screen Click Maintenance > File Manager > Firmware Package to open the Firmware Package screen. Use the Firmware Package screen to check your current firmware version and upload firmware to the ZyWALL. Note: The Web Configurator is the recomme[...]

  • Page 506

    Chapter 39 File Manager ZyWALL 110/310/1100 Series User’s Guide 506 Figure 347 Maintenance > File Manager > Firmware Package The following table describes the labels in this screen. After you see the Firmware Upload in Process screen, wait two minutes before logging into the ZyWALL again. Figure 348 Firmware Upload In Process Note: The [...]

  • Page 507

    Chapter 39 File Manager ZyWALL 110/310/1100 Series User’s Guide 507 Figure 350 Firmware Upload Error 39.4 The Shell Script Screen Use shell script files to have the ZyWALL use commands that you specify. Use a text editor to create the shell script files. They must use a “.zysh” filename extension. Click Maintenance > File Manager >[...]

  • Page 508

    Chapter 39 File Manager ZyWALL 110/310/1100 Series User’s Guide 508 Each field is described in the following table. Table 203 Maintenance > File Manager > Shell Script LABEL DESCRIPTION Rename Use this button to change the label of a shell script file on the ZyWALL. You cannot rename a shell script to the name of another shell scri[...]

  • Page 509

    Chapter 39 File Manager ZyWALL 110/310/1100 Series User’s Guide 509 Upload Shell Script The bottom part of the screen allows you to upload a new or previously saved shell script file from your computer to your ZyWALL. File Path Type in the location of the file you want to upload in this field or click Browse... to find it. Browse... Click[...]

  • Page 510

    ZyWALL 110/310/1100 Series User’s Guide 510 CHAPTER 40 Diagnostics 40.1 Overview Use the diagnostics screens for troubleshooting. 40.1.1 What You Can Do in this Chapter • Use the Diagnostics screen (see Section 40.2 on page 510) to generate a file containing the ZyWALL’s configuration and diagnostic information if you need to provid[...]

  • Page 511

    Chapter 40 Diagnostics ZyWALL 110/310/1100 Series User’s Guide 511 The following table describes the labels in this screen. 40.2.1 The Diagnostics Files Screen Click Maintenance > Diagnostics > Files to open the diagnostic files screen. This screen lists the files of diagnostic information the ZyWALL has collected and stored in a conne[...]

  • Page 512

    Chapter 40 Diagnostics ZyWALL 110/310/1100 Series User’s Guide 512 40.3 The Packet Capture Screen Use this screen to capture network traffic going through the ZyWALL’s interfaces. Studying these packet captures may help you identify network problems. Click Maintenance > Diagnostics > Packet Capture to open the packet capture screen. No[...]

  • Page 513

    Chapter 40 Diagnostics ZyWALL 110/310/1100 Series User’s Guide 513 The following table describes the labels in this screen. Table 206 Maintenance > Diagnostics > Packet Capture LABEL DESCRIPTION Interfaces Enabled interfaces (except for virtual interfaces) appear under Available Interfaces. Select interfaces for which to capture p[...]

  • Page 514

    Chapter 40 Diagnostics ZyWALL 110/310/1100 Series User’s Guide 514 40.3.1 The Packet Capture Files Screen Click Maintenance > Diagnostics > Packet Capture > Files to open the packet capture files screen. This screen lists the files of packet captures stored on the ZyWALL or a connected USB storage device. You can download the files to[...]

  • Page 515

    Chapter 40 Diagnostics ZyWALL 110/310/1100 Series User’s Guide 515 The following table describes the labels in this screen. 40.4 Core Dump Screen Use the Core Dump screen to have the ZyWALL save a process’s core dump to an attached USB storage device if the process terminates abnormally (crashes). You may need to send this file to customer[...]

  • Page 516

    Chapter 40 Diagnostics ZyWALL 110/310/1100 Series User’s Guide 516 40.4.1 Core Dump Files Screen Click Maintenance > Diagnostics > Core Dump > Files to open the core dump files screen. This screen lists the core dump files stored on the ZyWALL or a connected USB storage device. You may need to send these files to customer support for [...]

  • Page 517

    Chapter 40 Diagnostics ZyWALL 110/310/1100 Series User’s Guide 517 Figure 360 Maintenance > Diagnostics > System Log The following table describes the labels in this screen. Table 210 Maintenance > Diagnostics > System Log LABEL DESCRIPTION Remove Select files and click Remove to delete them from the ZyWALL. Use the [Shift] a[...]

  • Page 518

    ZyWALL 110/310/1100 Series User’s Guide 518 CHAPTER 41 Packet Flow Explore 41.1 Overview Use this to get a clear picture on how the ZyWALL determines where to forward a packet and how to change the source IP address of the packet according to your current settings. This function provides you a summary of all your routing and SNAT settings an[...]

  • Page 519

    Chapter 41 Packet Flow Explore ZyWALL 110/310/1100 Series User’s Guide 519 Figure 361 Maintenance > Packet Flow Explore > Routing Status (Direct Route) Figure 362 Maintenance > Packet Flow Explore > Routing Status (Policy Route) Figure 363 Maintenance > Packet Flow Explore > Routing Status (1-1 SNAT) Figure 364 Maintenan[...]

  • Page 520

    Chapter 41 Packet Flow Explore ZyWALL 110/310/1100 Series User’s Guide 520 Figure 365 Maintenance > Packet Flow Explore > Routing Status (Dynamic VPN) Figure 366 Maintenance > Packet Flow Explore > Routing Status (Static-Dynamic Route) Figure 367 Maintenance > Packet Flow Explore > Routing Status (Default WAN Trunk) Figu[...]

  • Page 521

    Chapter 41 Packet Flow Explore ZyWALL 110/310/1100 Series User’s Guide 521 The following table describes the labels in this screen. Table 211 Maintenance > Packet Flow Explore > Routing Status LABEL DESCRIPTION Routing Flow This section shows you the flow of how the ZyWALL determines where to route a packet. Click a function b[...]

  • Page 522

    Chapter 41 Packet Flow Explore ZyWALL 110/310/1100 Series User’s Guide 522 41.3 The SNAT Status Screen The SNAT Status screen allows you to view and quickly link to specific source NAT (SNAT) settings. Click a function box in the SNAT Flow section, the related SNAT rules (activated) will display in the SNAT Table section. To access this sc[...]

  • Page 523

    Chapter 41 Packet Flow Explore ZyWALL 110/310/1100 Series User’s Guide 523 Figure 370 Maintenance > Packet Flow Explore > SNAT Status (1-1 SNAT) Figure 371 Maintenance > Packet Flow Explore > SNAT Status (Loopback SNAT) Figure 372 Maintenance > Packet Flow Explore > SNAT Status (Default SNAT) The following table de[...]

  • Page 524

    Chapter 41 Packet Flow Explore ZyWALL 110/310/1100 Series User’s Guide 524 Destination This is the original destination IP address(es). Outgoing This is the outgoing interface that the SNAT rule uses to transmit packets. SNAT This is the source IP address(es) that the SNAT rule uses finally. The following fields are available if you clic[...]

  • Page 525

    ZyWALL 110/310/1100 Series User’s Guide 525 CHAPTER 42 Reboot 42.1 Overview Use this to restart the device (for example, if the device begins behaving erratically). See also Section on page 31 for information on different ways to start and stop the ZyWALL. 42.1.1 What You Need To Know If you applied changes in the Web configurator, these[...]

  • Page 526

    ZyWALL 110/310/1100 Series User’s Guide 526 CHAPTER 43 Shutdown 43.1 Overview Use this to shut down the device in preparation for disconnecting the power. See also Section on page 31 for information on different ways to start and stop the ZyWALL. Always use the Maintenance > Shut down > Shut down screen or the “shut down” command bef[...]

  • Page 527

    ZyWALL 110/310/1100 Series User’s Guide 527 CHAPTER 44 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. • You can also refer to the logs (see Chapter 6 on page 100). • For the order in which the ZyWALL applies its features and checks, see Chapter 41 on page 518. None of the LEDs turn on. Make [...]

  • Page 528

    Chapter 44 Troubleshooting ZyWALL 110/310/1100 Series User’s Guide 528 I configured security settings but the ZyWALL is not applying them for certain interfaces. Many security settings are usually applied to zones. Make sure you assign the interfaces to the appropriate zones. When you create an interface, there is no security applied on it u[...]

  • Page 529

    Chapter 44 Troubleshooting ZyWALL 110/310/1100 Series User’s Guide 529 The interface’s IP address may have changed. To avoid this, create an IP address object based on the interface. This way the ZyWALL automatically updates every rule or setting that uses the object whenever the interface’s IP address settings change. For example, i[...]

  • Page 530

    Chapter 44 Troubleshooting ZyWALL 110/310/1100 Series User’s Guide 530 The ZyWALL is deleting some zipped files. The ZyWALL cannot unzip password protected ZIP files or a ZIP file within another ZIP file. There are also limits to the number of ZIP files that the ZyWALL can concurrently unzip. The ZyWALL routes and applies SNAT for traffi [...]

  • Page 531

    Chapter 44 Troubleshooting ZyWALL 110/310/1100 Series User’s Guide 531 subnets. See Asymmetrical Routes on page 268 and the chapter about interfaces for more information. I cannot set up an IPSec VPN tunnel to another device. If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. [...]

  • Page 532

    Chapter 44 Troubleshooting ZyWALL 110/310/1100 Series User’s Guide 532 • Make sure regular firewall rules allow traffic between the VPN tunnel and the rest of the network. Regular firewall rules check packets the ZyWALL sends before the ZyWALL encrypts them and check packets the ZyWALL receives after the ZyWALL decrypts them. This depen[...]

  • Page 533

    Chapter 44 Troubleshooting ZyWALL 110/310/1100 Series User’s Guide 533 The default admin account is always authenticated locally, regardless of the authentication method setting. (See Chapter 31 on page 400 for more information about authentication methods.) The ZyWALL fails to authenticate the ext-user user accounts I configured. An exte[...]

  • Page 534

    Chapter 44 Troubleshooting ZyWALL 110/310/1100 Series User’s Guide 534 • PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS#7 certificate into a printable form. • Binary PKCS#12: This is a format for transferring public key and private key c[...]

  • Page 535

    Chapter 44 Troubleshooting ZyWALL 110/310/1100 Series User’s Guide 535 • Your configuration files or shell scripts can use “exit” or a command line consisting of a single “!” to have the ZyWALL exit sub command mode. • Include write commands in your scripts. Otherwise the changes will be lost when the ZyWALL restarts. Yo[...]

  • Page 536

    Chapter 44 Troubleshooting ZyWALL 110/310/1100 Series User’s Guide 536 If you want to reboot the device without changing the current configuration, see Chapter 42 on page 525. 1 Make sure the SYS LED is on and not blinking. 2 Press the RESET button and hold it until the SYS LED begins to blink. (This usually takes about five seconds.) 3 Relea[...]

  • Page 537

    ZyWALL 110/310/1100 Series User’s Guide 537 APPENDIX A Legal Information Copyright Copyright © 2013 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any langu[...]

  • Page 538

    Appendix A Legal Information ZyWALL 110/310/1100 Series User’s Guide 538 Taiwanese BSMI (Bureau of Standards, Metrology and Inspection) A Warning: Notices Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment. Cet appareil numérique de[...]

  • Page 539

    Appendix A Legal Information ZyWALL 110/310/1100 Series User’s Guide 539 • CAUTION: RISK OF EXPLOSION IF BATTERY (on the motherboard) IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS. Dispose them at the applicable collection point for the recycling of electrical and electronic equipment. F[...]

  • Page 540

    Appendix A Legal Information ZyWALL 110/310/1100 Series User’s Guide 540[...]

  • Page 541

    Index ZyWALL 110/310/1100 Series User’s Guide 541 Index Symbols Numbers 3322 Dynamic DNS 215 3DES 306 3G see also cellular 132 6in4 tunneling 140 6to4 tunneling 141 A AAA Base DN 402 Bind DN 403, 405 directory structure 402 Distinguished Name, see DN DN 402, 403, 405 password 405 port 404, 407 search time limit 405 SSL 405 AAA server 400 A[...]

  • Page 542

    Index ZyWALL 110/310/1100 Series User’s Guide 542 address record 452 admin user troubleshooting 533 admin users 371 multiple logins 379 see also users 371 Advanced Encryption Standard, see AES AES 306 AF 197 AH 289, 310 and transport mode 311 alerts 490, 491, 493, 495, 496, 497 ALG 233, 238 and firewall 233, 235 and NAT 233, 235 and[...]

  • Page 543

    Index ZyWALL 110/310/1100 Series User’s Guide 543 signal quality 94, 95 SIM card 137 status 96 system 94, 95 troubleshooting 529 certificate troubleshooting 533 Certificate Authority (CA) see certificates Certificate Revocation List (CRL) 414 vs OCSP 428 certificates 413 advantages of 414 and CA 414 and FTP 478 and HTTPS 457 and IKE SA 310 [...]

  • Page 544

    Index ZyWALL 110/310/1100 Series User’s Guide 544 access user page 461 login page 461 D Data Encryption Standard, see DES date 445 daylight savings 447 DDNS 215 backup mail exchanger 219 mail exchanger 219 service providers 215 troubleshooting 530 Dead Peer Detection, see DPD default firewall behavior 265 Default_L2TP_VPN_Connection 346 Default[...]

  • Page 545

    Index ZyWALL 110/310/1100 Series User’s Guide 545 E egress bandwidth 137, 146 e-mail daily statistics report 485 Encapsulating Security Payload, see ESP encapsulation and active protocol 311 IPSec 289 transport mode 311 tunnel mode 311 VPN 311 encryption IPSec 289 RSA 421 encryption algorithms 306 3DES 306 AES 306 and active protocol 306 [...]

  • Page 546

    Index ZyWALL 110/310/1100 Series User’s Guide 546 and address groups 479 and address objects 479 and certificates 478 and zones 479 signaling port 237 with Transport Layer Security (TLS) 478 full tunnel mode 317, 321 Fully-Qualified Domain Name, see FQDN G Generic Routing Encapsulation, see GRE. global SSL setting 322 user portal logo 323 GR[...]

  • Page 547

    Index ZyWALL 110/310/1100 Series User’s Guide 547 status 72, 84, 85 troubleshooting 528 interfaces 103 and DNS servers 174 and HTTP redirect 232 and layer-3 virtualization 104 and NAT 224 and physical ports 104 and policy routes 194 and static routes 197 and VPN gateways 285 and zones 104 as DHCP relays 174 as DHCP servers 174, 444 backup,[...]

  • Page 548

    Index ZyWALL 110/310/1100 Series User’s Guide 548 and to-ZyWALL firewall 531 authentication algorithms 306 authentication key (manual keys) 312 destination NAT for inbound traffic 313 encapsulation 311 encryption algorithms 306 encryption key (manual keys) 312 local policy 310 manual keys 312 NAT for inbound traffic 312 NAT for outbound tra[...]

  • Page 549

    Index ZyWALL 110/310/1100 Series User’s Guide 549 Lightweight Directory Access Protocol, see LDAP load balancing 177 algorithms 178, 182, 184 DNS inbound 247 least load first 178 round robin 179 see also trunks 177 session-oriented 178 spillover 180 weighted round robin 179 local user database 401 log troubleshooting 534 log messages catego[...]

  • Page 550

    Index ZyWALL 110/310/1100 Series User’s Guide 550 port translation, see NAT traversal 309 NBNS 120, 157, 169, 174, 321 NetBIOS Broadcast over IPSec 288 Name Server, see NBNS. NetBIOS Name Server, see NBNS NetMeeting 238 see also H.323 Netscape Navigator 20 network access mode 18 full tunnel 317 Network Address Translation, see NAT n[...]

  • Page 551

    Index ZyWALL 110/310/1100 Series User’s Guide 551 PIN code 137 PIN generator 401 pointer record 452 Point-to-Point Protocol over Ethernet, see PPPoE. Point-to-Point Tunneling Protocol, see PPTP policy enforcement in IPSec 289 policy route troubleshooting 528 policy routes 188 actions 189 and address objects 194 and ALG 235, 238 and HTT[...]

  • Page 552

    Index ZyWALL 110/310/1100 Series User’s Guide 552 FTP, see FTP see also service control 456 Telnet 476 to-ZyWALL firewall 266 WWW, see WWW remote network 281 remote user screen links 432 replay detection 288 reports collecting data 87 daily 485 daily e-mail 485 specifications 89 traffic statistics 86 reset 535 vs reboot 525 RESET button 5[...]

  • Page 553

    Index ZyWALL 110/310/1100 Series User’s Guide 553 SHA1 306 shell script troubleshooting 534 shell scripts 499 and users 383 downloading 508 editing 507 how applied 500 managing 507 syntax 500 uploading 509 shutdown 526 signal quality 94, 95 SIM card 137 Simple Network Management Protocol, see SNMP Simple Traversal of UDP through NAT, see [...]

  • Page 554

    Index ZyWALL 110/310/1100 Series User’s Guide 554 full tunnel mode 317 network access mode 18 remote desktop connections 432 see also SSL 317 troubleshooting 532 weblink 433 stac compression 431 startup-config.conf 505 and synchronization (device HA) 369 if errors 502 missing at restart 502 present at restart 502 startup-config-bad.conf 502 stat[...]

  • Page 555

    Index ZyWALL 110/310/1100 Series User’s Guide 555 management access 534 packet capture 535 policy route 528 PPP 529 RADIUS server 532 routing 530 schedules 533 security settings 528 shell scripts 534 SNAT 530 SSL 532 SSL VPN 532 throughput rate 534 VLAN 529 VPN 532 zipped files 529 trunks 104, 177 and ALG 238 and policy routes 177, 194 mem[...]

  • Page 556

    Index ZyWALL 110/310/1100 Series User’s Guide 556 Guest (type) 371 lease time 376 limited-admin (type) 371 lockout 380 reauthentication time 376 types of 371 user (type) 371 user names 374 V Vantage Report (VRPT) 488, 495 virtual interfaces 104, 170 basic characteristics 104 not DHCP clients 172 types of 170 vs asymmetrical rou[...]

  • Page 557

    Index ZyWALL 110/310/1100 Series User’s Guide 557 WINS server 120, 348 Wizard Setup 33, 43 WWW 457 and address groups 461 and address objects 461 and authentication method objects 460 and certificates 459 and zones 461 see also HTTP, HTTPS 457 Z zipped files troubleshooting 529 zones 211 and firewall 265, 271 and FTP 479 and interfaces 21[...]

  • Page 558

    Index ZyWALL 110/310/1100 Series User’s Guide 558[...]

  • Page 559

    Index ZyWALL 110/310/1100 Series User’s Guide 559[...]

  • Page 560

    Index ZyWALL 110/310/1100 Series User’s Guide 560[...]

  • Page 561

    Index ZyWALL 110/310/1100 Series User’s Guide 561[...]

  • Page 562

    Index ZyWALL 110/310/1100 Series User’s Guide 562[...]