ZyXEL Communications 5 Series user manual - BKManuals

ZyXEL Communications 5 Series user manual


A good user manual

The rules oblige the seller to provide the buyer with the ZyXEL Communications 5 Series user manual together with the goods. A missing user manual, or incorrect information given to the consumer, is grounds for a complaint that the device does not conform to the contract. By law, the user manual may be supplied in a form other than paper, which has become common recently, including a graphic or electronic form of the ZyXEL Communications 5 Series manual or instructional videos for users. The condition is that it is legible and understandable.

What is a user manual?

The word comes from the Latin "instructio", meaning to organize. Thus, the ZyXEL Communications 5 Series user manual describes the steps of a procedure. The purpose of a user manual is to instruct and to make it easier to start up and use equipment or to carry out particular actions. The manual is a collection of information about the item/service, a guide.

Unfortunately, few users take the time to read the user manual, yet a good manual not only lets you learn about a number of additional features of the purchased device, but also helps you avoid most faults.

So what should the perfect manual contain?

First of all, the ZyXEL Communications 5 Series user manual should contain:
- information on the technical data of the ZyXEL Communications 5 Series device
- the manufacturer's name and the year of manufacture of the ZyXEL Communications 5 Series
- instructions for the use, adjustment and maintenance of the ZyXEL Communications 5 Series equipment
- safety signs and certificates confirming conformity with the relevant standards

Why don't we read user manuals?

Generally this is due to a lack of time and of certainty about the specific functionality of the purchased equipment. Unfortunately, connecting and starting the ZyXEL Communications 5 Series is not enough. This manual contains a series of guidelines on specific features, safety, maintenance methods (including the products that should be used), possible ZyXEL Communications 5 Series defects, and ways to solve the most common problems during use. Finally, the manual contains the contact details of ZyXEL Communications service in case the proposed solutions are not effective. Currently, user manuals in the form of engaging animations and instructional videos, which are better than a brochure, attract considerable interest. This type of manual lets the user watch the whole instructional video without skipping the specific and complicated technical descriptions of the ZyXEL Communications 5 Series, as happens with the paper version.

Why read the user manual?

First of all, it contains the answers about the structure and capabilities of the ZyXEL Communications 5 Series device, the use of various accessories, and a range of information for making full use of all its features and services.

After successfully purchasing the equipment/device, take a moment to familiarize yourself with every part of the ZyXEL Communications 5 Series user manual. Currently, they are carefully prepared and translated so as to be understandable not only to users, but also to fulfil their basic function of informing and helping.

Summary of the user manual

  • Page 1

    www.zyxel.com ZyWALL 5/35/70 Series Internet Security Appliance User’s Guide Version 4.04 03/2008 Edition 1 DEFAULT LOGIN IP Address http://192.168.1.1 Password 1234[...]

  • Page 2

    [...]

  • Page 3

    About This User's Guide ZyWALL 5/35/70 Series User’s Guide 3 About This User's Guide Intended Audience This manual is intended for people who want to configure the ZyWALL using the web configurator or System Management Terminal (SMT). You should have at least a basic knowledge of TCP/IP networking concepts and topology. Related[...]

  • Page 4

    Document Conventions ZyWALL 5/35/70 Series User’s Guide 4 Document Conventions Warnings and Notes These are how warnings and notes are shown in this User’s Guide. Warnings tell you about things that could harm you or your device. Notes tell you other important information (for example, other things you may need to configure or hel[...]

  • Page 5

    Document Conventions ZyWALL 5/35/70 Series User’s Guide 5 Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL Computer Notebook computer Server Firewall Telephone Switch Router[...]

  • Page 6

    Safety Warnings ZyWALL 5/35/70 Series User’s Guide 6 Safety Warnings For your safety, be sure to read and follow all warning notices and instructions. • Do NOT use this product near water, for example, in a wet basement or near a swimming pool. • Do NOT expose your device to dampness, dust or corrosive liquids. • Do NOT store things o[...]

  • Page 7

    Safety Warnings ZyWALL 5/35/70 Series User’s Guide 7 This product is recyclable. Dispose of it properly.[...]

  • Page 8

    Safety Warnings ZyWALL 5/35/70 Series User’s Guide 8[...]

  • Page 9

    Contents Overview ZyWALL 5/35/70 Series User’s Guide 9 Contents Overview Introduction ... 49 Getting to Know Your ZyWALL ...[...]

  • Page 10

    Contents Overview ZyWALL 5/35/70 Series User’s Guide 10 Reports, Logs and Maintenance ... 537 Reports Screens ... 539 Logs Screens ...[...]

  • Page 11

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 11 Table of Contents About This User's Guide ... 3 Document Conventions ... 4 Sa[...]

  • Page 12

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 12 3.2 Accessing the ZyWALL Web Configurator ... 61 3.3 Resetting the ZyWALL ...[...]

  • Page 13

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 13 5.1.5 Using the Dynamic VPN Rule for More VPN Tunnels ... 119 5.2 Security Settings for VPN Traffic ... 119 5.2.1 IDP for From [...]

  • Page 14

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 14 8.1 Overview ... 161 8.1.1 What You Can Do in the Bridge Screens ... 161 8.1[...]

  • Page 15

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 15 Chapter 11 WLAN Screens ... 219 11.1 Overview ...[...]

  • Page 16

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 16 13.7 The Firewall Thresholds Screen ... 264 13.8 The Firewall Services Screen ... 266 13.8.1 The Fir[...]

  • Page 17

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 17 16.1.1 What You Can Do in the Antispam Screens ... 313 16.1.2 What You Need to Know About Antispam ... 314 16.2 The General Screen ...[...]

  • Page 18

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 18 19.11 Telecommuter VPN/IPSec Examples ... 382 19.11.1 Telecommuters Sharing One VPN Rule Example ... 383 19.11.2 Telecommuters Using Unique VPN [...]

  • Page 19

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 19 Chapter 22 Network Address Translation (NAT) ... 435 22.1 Overview ... 435 22.1.1[...]

  • Page 20

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 20 25.2 The Summary Screen ... 467 25.2.1 Maximize Bandwidth Usage Example ... 470 25.2.2 Reserving Bandwid[...]

  • Page 21

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 21 27.9 The SNMP Screen ... 510 27.9.1 Configuring the SNMP Screen ... 512 27.10 The DNS Screen ...[...]

  • Page 22

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 22 31.2.4 System Reports Specifications ... 545 31.3 The IDP Screen ... 545 31.4 The An[...]

  • Page 23

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 23 34.3 Navigating the SMT Interface ... 606 34.3.1 Main Menu ... 607 34.3.2 SMT Menus O[...]

  • Page 24

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 24 39.1 Configuring DMZ Setup ... 645 39.2 DMZ Port Filter Setup ... 645 39.3 TCP/IP S[...]

  • Page 25

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 25 44.3 Configuring a Server behind NAT ... 681 44.4 General NAT Examples ... 683 44.4.1 In[...]

  • Page 26

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 26 48.3.2 Console Port Speed ... 716 48.4 Log and Trace ... 717 48.4.1 View[...]

  • Page 27

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 27 50.2.1 Budget Management ... 740 50.2.2 Call History ... 741 50.3 Time and Date S[...]

  • Page 28

    Table of Contents ZyWALL 5/35/70 Series User’s Guide 28 Appendix C Wireless LANs ... 787 Appendix D Windows 98 SE/Me Requirements for Anti-Virus Message Display ... 801 Appendix E Legal Information ...[...]

  • Page 29

    List of Figures ZyWALL 5/35/70 Series User’s Guide 29 List of Figures Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem ... 52 Figure 2 VPN Application ... 5[...]

  • Page 30

    List of Figures ZyWALL 5/35/70 Series User’s Guide 30 Figure 39 VPN Wizard Setup Complete ... 104 Figure 40 Anti-Spam Wizard: Email Server Location Setting ... 105 Fig[...]

  • Page 31

    List of Figures ZyWALL 5/35/70 Series User’s Guide 31 Figure 82 LAN and WAN ... 149 Figure 83 NETWORK > LAN ...[...]

  • Page 32

    List of Figures ZyWALL 5/35/70 Series User’s Guide 32 Figure 125 WLAN Port Role Example ... 226 Figure 126 NETWORK > WLAN > Port Roles ... 227 Figure 12[...]

  • Page 33

    List of Figures ZyWALL 5/35/70 Series User’s Guide 33 Figure 168 SECURITY > IDP > Signature: Query View ... 285 Figure 169 SECURITY > IDP > Signature: Query by Partial Name ... 287 Figure 170 SECURITY > IDP [...]

  • Page 34

    List of Figures ZyWALL 5/35/70 Series User’s Guide 34 Figure 211 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy ... 368 Figure 212 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding ... 373 Figure 213 SECURITY > VPN > VPN Rules (IKE)[...]

  • Page 35

    List of Figures ZyWALL 5/35/70 Series User’s Guide 35 Figure 254 Multiple Servers Behind NAT Example ... 442 Figure 255 Port Translation Example ...[...]

  • Page 36

    List of Figures ZyWALL 5/35/70 Series User’s Guide 36 Figure 297 SSL Client Authentication ... 502 Figure 298 Secure Web Configurator Login Screen ... 502 Figure [...]

  • Page 37

    List of Figures ZyWALL 5/35/70 Series User’s Guide 37 Figure 340 MAINTENANCE > General Setup ... 586 Figure 341 MAINTENANCE > Password ... 587 Figure 342 MA[...]

  • Page 38

    List of Figures ZyWALL 5/35/70 Series User’s Guide 38 Figure 383 Menu 4: Internet Access Setup (Ethernet) ... 640 Figure 384 Internet Access Setup (PPTP) ... 642 Figure 385 In[...]

  • Page 39

    List of Figures ZyWALL 5/35/70 Series User’s Guide 39 Figure 426 Example 3: Menu 11.1.2 ... 687 Figure 427 Example 3: Menu 15.1.1.1 ... 687[...]

  • Page 40

    List of Figures ZyWALL 5/35/70 Series User’s Guide 40 Figure 469 Restore Using FTP Session Example ... 732 Figure 470 System Maintenance: Restore Configuration ... 732 Figure 471 System Maint[...]

  • Page 41

    List of Tables ZyWALL 5/35/70 Series User’s Guide 41 List of Tables Table 1 ZyWALL Model Specific Features ... 52 Table 2 Front Panel Lights ...[...]

  • Page 42

    List of Tables ZyWALL 5/35/70 Series User’s Guide 42 Table 39 Load Balancing: Weighted Round Robin ... 180 Table 40 Load Balancing: Spillover ...[...]

  • Page 43

    List of Tables ZyWALL 5/35/70 Series User’s Guide 43 Table 82 SECURITY > IDP > Signature: Query View ... 285 Table 83 SECURITY > IDP > Anomaly ... 290 Ta [...]

  • Page 44

    List of Tables ZyWALL 5/35/70 Series User’s Guide 44 Table 125 SECURITY > CERTIFICATES > Directory Servers ... 425 Table 126 SECURITY > CERTIFICATES > Directory Server > Add ... 426 Table 127 SECURITY > AUTH [...]

  • Page 45

    List of Tables ZyWALL 5/35/70 Series User’s Guide 45 Table 168 REPORTS > Anti-Spam ... 549 Table 169 REPORTS > E-mail Report ... 5[...]

  • Page 46

    List of Tables ZyWALL 5/35/70 Series User’s Guide 46 Table 211 Menu 1: General Setup (Bridge Mode) ... 614 Table 212 Menu 1.1: Configure Dynamic DNS ... 615 Table 213 Menu 1.[...]

  • Page 47

    List of Tables ZyWALL 5/35/70 Series User’s Guide 47 Table 254 System Maintenance Menu Syslog Parameters ... 718 Table 255 System Maintenance Menu Diagnostic ... 724 Table 256 Filename Convention[...]

  • Page 48

    List of Tables ZyWALL 5/35/70 Series User’s Guide 48[...]

  • Page 49

    49 PART I Introduction Getting to Know Your ZyWALL (51) Hardware Installation (55) Introducing the Web Configurator (61) Wizard Setup (87) Tutorials (109) Registration Screens (141)[...]

  • Page 50

    50[...]

  • Page 51

    ZyWALL 5/35/70 Series User’s Guide 51 CHAPTER 1 Getting to Know Your ZyWALL This chapter introduces the main features and applications of the ZyWALL. 1.1 ZyWALL Internet Security Appliance Overview The ZyWALL is loaded with security features including VPN, firewall, content filtering, anti-spam, IDP (Intrusion Detection and Prevention), ant[...]

  • Page 52

    Chapter 1 Getting to Know Your ZyWALL ZyWALL 5/35/70 Series User’s Guide 52 See Chapter 55 on page 769 for a complete list of features. Table Key: A Y in a model’s column shows that the model has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change. 1.3 Appli[...]

  • Page 53

    Chapter 1 Getting to Know Your ZyWALL ZyWALL 5/35/70 Series User’s Guide 53 1.3.2 VPN Application ZyWALL VPN is an ideal cost-effective way to securely connect branch offices, business partners and telecommuters over the Internet without the need (and expense) for leased lines between sites. Figure 2 VPN Application 1.3.3 3G WAN Application ([...]

  • Page 54

    Chapter 1 Getting to Know Your ZyWALL ZyWALL 5/35/70 Series User’s Guide 54 1.4 Ways to Manage the ZyWALL Use any of the following methods to manage the ZyWALL. • Web Configurator. This is recommended for everyday management of the ZyWALL using a (supported) web browser. • Command Line Interface. Line commands are mostly used for t[...]

  • Page 55

    ZyWALL 5/35/70 Series User’s Guide 55 CHAPTER 2 Hardware Installation The ZyWALL can be placed on a desktop or rack-mounted on a standard EIA rack. Use the brackets in a rack-mounted installation. 2.1 General Installation Instructions Read all the safety warnings in the beginning of this User's Guide before you begin and make sure yo[...]

  • Page 56

    Chapter 2 Hardware Installation ZyWALL 5/35/70 Series User’s Guide 56 Figure 4 Attaching Rubber Feet Do not block the ventilation holes. Leave space between ZyWALLs when stacking. 2.3 Rack-mounted Installation Requirements The ZyWALL can be mounted on an EIA standard size, 19-inch rack or in a wiring closet with other equipment.[...]

  • Page 57

    Chapter 2 Hardware Installation ZyWALL 5/35/70 Series User’s Guide 57 2.4 Rack-Mounted Installation 1 Align one bracket with the holes on one side of the ZyWALL and secure it with the bracket screws (smaller than the rack-mounting screws). 2 Attach the other bracket in a similar fashion. Figure 5 Attaching Mounting Brackets and Screws 3 Afte[...]

  • Page 58

    Chapter 2 Hardware Installation ZyWALL 5/35/70 Series User’s Guide 58 2.5 3G Card, WLAN Card and ZyWALL Turbo Card Installation Do not insert or remove a card with the ZyWALL turned on. Make sure the ZyWALL is off before inserting or removing an 802.11b/g-compliant wireless LAN PCMCIA or CardBus card, 3G card or ZyWALL Turbo [...]

  • Page 59

    Chapter 2 Hardware Installation ZyWALL 5/35/70 Series User’s Guide 59 2.6 Front Panel Lights Figure 8 ZyWALL 70 Front Panel Figure 9 ZyWALL 35 Front Panel Figure 10 ZyWALL 5 Front Panel The following table describes the lights. Table 2 Front Panel Lights LED COLOR STATUS DESCRIPTION PWR Off The ZyWALL is turned off. Green On The ZyWALL is[...]

  • Page 60

    Chapter 2 Hardware Installation ZyWALL 5/35/70 Series User’s Guide 60 WAN1/2 10/100 or WAN 10/100 Off The WAN connection is not ready, or has failed. Green On The ZyWALL has a successful 10 Mbps WAN connection. Flashing The 10M WAN is sending or receiving packets. Orange On The ZyWALL has a successful 100 Mbps WAN connection. Fla[...]

  • Page 61

    ZyWALL 5/35/70 Series User’s Guide 61 CHAPTER 3 Introducing the Web Configurator This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens. 3.1 Web Configurator Overview The web configurator is an HTML-based management interface that allows easy ZyWALL setup and management via Internet browser[...]

  • Page 62

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 62 5 You should see a screen asking you to change your password (highly recommended) as shown next. Type a new password (and retype it to confirm) and click Apply or click Ignore. Figure 11 Change Password Screen 6 Click Apply in the Replace Certificate screen to c[...]

  • Page 63

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 63 3.3 Resetting the ZyWALL If you forget your password or cannot access the web configurator, you will need to reload the factory-default configuration file or use the RESET button on the back of the ZyWALL. Uploading this configuration file replaces the current c[...]

  • Page 64

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 64 3.4 Navigating the ZyWALL Web Configurator The following summarizes how to navigate the web configurator from the HOME screen. This guide uses the ZyWALL 70 screenshots as an example. The screens may vary slightly for different ZyWALL models. Figure 14 HOME Scre[...]

  • Page 65

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 65 3.4.2 Main Window The main window shows the screen you select in the navigation panel. It is discussed in more detail in the rest of this document. Right after you log in, the HOME screen is displayed. The screen varies according to the device mode you select in the [...]

  • Page 66

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 66 System Name This is the System Name you enter in the MAINTENANCE > General screen. It is for identification purposes. Click the field label to go to the screen where you can specify a name for this ZyWALL. Model This is the model name of your ZyWALL. Bootbase[...]

  • Page 67

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 67 Status For the LAN, DMZ and WLAN ports, this displays the port speed and duplex setting. Ethernet port connections can be in half-duplex or full-duplex mode. Full-duplex refers to a device's ability to send and receive simultaneously, while half-duplex ind[...]

  • Page 68

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 68 Virus Detected This displays how many virus-infected files the ZyWALL has detected since it last started up. It also displays the percentage of virus-infected files out of the total number of files that the ZyWALL has scanned (since it last started up). N/A di[...]

  • Page 69

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 69 Last Connection Up Time This displays how long the 3G connection has been up. Tx Bytes This displays the total number of data frames transmitted. Rx Bytes This displays the total number of data frames received. 3G Card Manufacturer This displays the manufacturer of[...]

  • Page 70

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 70 Disable budget control This field displays if you have enabled budget control but insert a 3G card with a different user account from the one for which you configured budget control. Select this option to disable budget control. If you want to enable and configure[...]

  • Pagina 71

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 71 3.4.4 HOME Screen: Bridge Mode The following screen displays when the ZyW ALL is set to bridge mode. In bridge mode, the ZyW ALL functions as a transparent firewall (als o kn ow n as a bridge firewall). The ZyW ALL bridges traffic traveling between the ZyW ALL' [...]

  • Pagina 72

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 72 Bootbase Ve r s i o n This is the bootb ase version and the date created. Firmware Ve r s i o n This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System desi gn. Click the field label to go to the screen wher[...]

  • Pagina 73

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 73 Bridge Hello Ti m e This is the interval of BPDUs (Bridge Prot ocol Data Units) from the root bridge. Bridge Max Age This is the predefined interval th at a bri dge waits to get a Hello message (BPDU) from the root bridge. Forward Delay This is the forward delay inte[...]

  • Page 74

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 74 3.4.5 Navigation Panel After you enter the password, use the sub-menus on the navigation panel to configure ZyWALL features. The following table lists the features available for each device mode. Not all ZyWALLs have all features listed in this table. Spam Mai[...]

  • Page 75

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 75 Table Key: A Y in a mode’s column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change. The following table describes the sub-menus. WAN Y DMZ Y Bridge Y WLA[...]

  • Page 76

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 76 LAN LAN Use this screen to configure LAN DHCP and TCP/IP settings. Static DHCP Use this screen to assign fixed IP addresses on the LAN. IP Alias Use this screen to partition your LAN interface into subnets. Port Roles (ZyWALL 5 and ZyWALL 35) Use this screen to [...]

  • Page 77

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 77 FIREWALL Default Rule Use this screen to activate/deactivate the firewall and the direction of network traffic to which to apply the rule. Rule Summary This screen shows a summary of the firewall rules, and allows you to edit/add a firewall rule. Anti-Probing Use t[...]

  • Page 78

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 78 CERTIFICATES My Certificates Use this screen to view a summary list of certificates and manage certificates and certification requests. Trusted CAs Use this screen to view and manage the list of the trusted CAs. Trusted Remote Hosts Use this screen to[...]

  • Page 79

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 79 REMOTE MGMT WWW Use this screen to configure through which interface(s) and from which IP address(es) users can use HTTPS or HTTP to manage the ZyWALL. SSH Use this screen to configure through which interface(s) and from which IP address(es) users can use Secure S[...]

  • Page 80

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 80 3.4.6 Port Statistics Click Port Statistics in the HOME screen. Read-only information here includes port status and packet specific statistics. The Poll Interval(s) field is configurable. Not all items described are available on all models. Figure 17 HOME[...]

  • Page 81

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 81 3.4.7 Show Statistics: Line Chart Click the icon in the Show Statistics screen. This screen shows you a line chart of each port’s throughput statistics. Figure 18 HOME > Show Statistics > Line Chart Status For the WAN interface(s) and the Dial Backup p[...]

  • Page 82

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 82 The following table describes the labels in this screen. 3.4.8 DHCP Table DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyWALL as a DHC[...]

  • Page 83

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 83 3.4.9 VPN Status Click VPN in the HOME screen. This screen displays read-only information about the active VPN connections. The Poll Interval(s) field is configurable. A Security Association (SA) is the group of security settings related to a specific VPN tunnel. [...]

  • Page 84

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 84 3.4.10 Bandwidth Monitor Click Bandwidth in the HOME screen to display the bandwidth monitor. This screen displays the device’s bandwidth usage and allotments. Figure 21 Home > Bandwidth Monitor The following table describes the labels in this screen. IPSec A[...]

  • Page 85

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 85 Automatic Refresh Interval Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics. Refresh Click this button to update the screen’s stati[...]

  • Page 86

    Chapter 3 Introducing the Web Configurator ZyWALL 5/35/70 Series User’s Guide 86[...]

  • Page 87

    ZyWALL 5/35/70 Series User’s Guide 87 CHAPTER 4 Wizard Setup This chapter provides information on the Wizard Setup screens in the web configurator. The Internet access wizard is only applicable when the ZyWALL is in router mode. 4.1 Wizard Setup Overview The web configurator's setup wizards help you configure Internet and VPN connecti[...]

  • Page 88

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 88 4.2 Internet Access The Internet access wizard screen has three variations depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information. 4.2.1 ISP Parameters The Z[...]

  • Page 89

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 89 4.2.1.2 PPPoE Encapsulation Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an IETF (Internet Engineering Task Force) standard specifying how a host personal computer interacts with a broadband modem (for example DSL, cable, wireless, etc.)[...]

  • Page 90

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 90 The following table describes the labels in this screen. 4.2.1.3 PPTP Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables transfers of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-base[...]

  • Page 91

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 91 Figure 25 ISP Parameters: PPTP Encapsulation The following table describes the labels in this screen. Table 15 ISP Parameters: PPTP Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Select PPTP from the drop-down list box. To configure a PPTP client, y[...]

  • Page 92

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 92 4.2.2 Internet Access Wizard: Second Screen Click Next to go to the screen where you can register your ZyWALL and activate the free content filtering, anti-spam, anti-virus and IDP trial applications. Otherwise, click Skip to display the congratulations screen and click Close to co[...]

  • Page 93

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 93 Figure 27 Internet Access Setup Complete 4.2.3 Internet Access Wizard: Registration If you clicked Next in the previous screen (see Figure 26 on page 92), the following screen displays. Use this screen to register the ZyWALL with myZyXEL.com. You must register your ZyWALL before yo[...]

  • Page 94

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 94 The following table describes the labels in this screen. After you fill in the fields and click Next, the following screen shows indicating the registration is in progress. Wait for the registration progress to finish. Figure 29 Internet Access Wizard: Registration in Progress 4.2.4 I[...]

  • Page 95

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 95 Figure 30 Internet Access Wizard: Status A screen similar to the following appears if the registration was not successful. Click Return to go back to the Device Registration screen and check your settings. Figure 31 Internet Access Wizard: Registration Failed 4.2.5 Internet Access W[...]

  • Page 96

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 96 Figure 33 Internet Access Wizard: Activated Services 4.3 VPN Wizard Gateway Setting Use this screen to name the VPN gateway policy (IKE SA) and identify the IPSec routers at either end of the VPN tunnel. Click VPN Setup in the Wizard Setup Welcome screen (Figure 22 on page 87) to op[...]

  • Page 97

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 97 4.4 VPN Wizard Network Setting Use this screen to name the VPN network policy (IPSec SA) and identify the devices behind the IPSec routers at either end of a VPN tunnel. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same lo[...]

  • Page 98

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 98 Figure 35 VPN Wizard: Network Setting The following table describes the labels in this screen. Table 18 VPN Wizard: Network Setting LABEL DESCRIPTION Network Policy Property Active If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel[...]

  • Page 99

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 99 4.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1) Use this screen to specify the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA. Figure 36 VPN Wizard: IKE Tunnel Setting Starting IP Address When the Remote Network field is configured to Single, ente[...]

  • Page 100

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 100 The following table describes the labels in this screen. 4.6 VPN Wizard IPSec Setting (IKE Phase 2) Use this screen to specify the authentication, encryption and other settings needed to negotiate a phase 2 IPSec SA. Table 19 VPN Wizard: IKE Tunnel Setting LABEL DESCRIPTION Negotiati[...]

  • Page 101

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 101 Figure 37 VPN Wizard: IPSec Setting The following table describes the labels in this screen. Table 20 VPN Wizard: IPSec Setting LABEL DESCRIPTION Encapsulation Mode Tunnel is compatible with NAT, Transport is not. Tunnel mode encapsulates the entire IP packet to tran[...]

  • Page 102

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 102 4.7 VPN Wizard Status Summary This read-only screen shows the status of the current VPN setting. Use the summary table to check whether what you have configured is correct. Figure 38 VPN Wizard: VPN Status Perfect Forward Secret (PFS) Perfect Forward Secrecy (PFS) is disabled (Non[...]

  • Page 103

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 103 The following table describes the labels in this screen. Table 21 VPN Wizard: VPN Status LABEL DESCRIPTION Gateway Policy Property Name This is the name of this VPN gateway policy. Gateway Policy Setting My ZyWALL This is the WAN IP address or the domain name of your ZyWALL in ro[...]

  • Page 104

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 104 4.8 VPN Wizard Setup Complete Congratulations! You have successfully set up the VPN rule for your ZyWALL. If you already had VPN rules configured, the wizard adds the new VPN rule after the last existing VPN rule. Figure 39 VPN Wizard Setup Complete 4.9 Anti-Spam Wizard: Email [...]

  • Page 105

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 105 Figure 40 Anti-Spam Wizard: Email Server Location Setting The following table describes the labels in this screen. 4.10 Anti-Spam Wizard: Direction Recommendations This screen displays recommended traffic flows to scan for spam based on the locations of your e-mail servers. Table [...]

  • Page 106

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 106 Figure 41 Anti-Spam Wizard: Direction Recommendations • For e-mail servers on the LAN, DMZ, or WLAN the ZyWALL recommends checking traffic that comes from the WAN to the zone(s) where the e-mail server is located. This is to check for spam coming to the ZyWALL’s e-mail serve[...]

  • Page 107

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 107 Figure 42 Anti-Spam Wizard: Direction Configuration The following table describes the labels in this screen. Table 23 Anti-Spam Wizard: Direction Configuration LABEL DESCRIPTION Enable Anti-Spam Select this check box to check traffic for spam SMTP (TCP port 25 and POP3 (TCP port[...]

  • Page 108

    Chapter 4 Wizard Setup ZyWALL 5/35/70 Series User’s Guide 108 4.12 Anti-Spam Wizard: Setup Complete Congratulations! You have successfully set up the directions that the anti-spam feature checks for spam. This does not enable the anti-spam feature. Go to the SECURITY > ANTI-SPAM screens to enable anti-spam. Figure 43 Anti-Spam Wizard: S[...]

  • Page 109

    ZyWALL 5/35/70 Series User’s Guide 109 CHAPTER 5 Tutorials This chapter gives examples of how to configure some of your ZyWALL’s key features. See the related chapter on a feature for more details. 5.1 Dynamic VPN Rule Configuration Dynamic VPN rules allow VPN connections from IPSec routers with dynamic WAN IP addresses. This tutorial shows[...]

  • Page 110

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 110 5.1.1 Configure Bob’s User Account This example includes extended authentication. Bob has to enter the correct username and password to use the ZyWALL tunnel. This keeps others from using Bob’s ZyWALL if it is lost or stolen. ZyWALL A needs to check the VPN tunnel requests tha [...]

  • Page 111

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 111 1 Click SECURITY > VPN > VPN Rules (IKE), and then the add gateway policy ( ) icon to display the Edit Gateway Policy screen. Use this screen to configure the VPN gateway policy that identifies the ZyWALLs. The company’s ZyWALL (A) and the telecommuter’s ZyWALL (B) ga[...]

  • Page 112

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 112 Figure 45 VPN Gateway Policy Edit Screens 2 After you click Apply, the A-B_Gateways gateway policy displays as shown next. Click SECURITY > VPN and the A-B_Gateways’ add network policy ( ) icon. The following figure shows ZyWALL A’s screen. Remote Device (B) Company Device [...]

  • Page 113

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 113 Figure 46 SECURITY > VPN > Add Network Policy (ZyWALL A) 3 Edit the VPN-Network Policy -Edit screen to configure network policies. A network policy identifies the devices behind the IPSec routers at either end of a VPN tunnel and specifies the authentication, encryption and other[...]

  • Page 114

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 114 Figure 47 VPN Network Policy Edit Screens Company Device (A) Telecommuter Device (B)[...]

  • Page 115

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 115 4 After you click Apply, the network policy displays with the gateway policy. 5 In the ZyWALL B, select "X-Y_Networks" in the Activating VPN Rule field to activate the VPN rule. The color of "X-Y_Networks" VPN policy changes to pink. Figure 48 Activate VPN Rule[...]

  • Page 116

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 116 Figure 49 Tutorial: VPN Summary Screens Comparison Example You have configured the company’s ZyWALL (A) and the telecommuter’s ZyWALL (B). 5.1.3 Configure Zero Configuration Mode on ZyWALL B The ZyWALL P1’s zero configuration mode provides a simplified user mode for t[...]

  • Page 117

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 117 3 Select Zero Configuration Mode. 4 Click Apply. The system reboots automatically and restarts in zero configuration mode. 5.1.4 Testing Your VPN Configuration Test the VPN configuration before giving the ZyWALL P1 to Bob. 1 ZyWALL A should already be connected to the Internet u[...]

  • Page 118

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 118 3 Open a web browser (like Internet Explorer) to connect to the ZyWALL P1’s LAN IP address (http://192.168.167.1 in this example). 4 The user mode screen for VPN authentication displays. Enter the user name "SalesManager" and password "Manager1234". Click Acti[...]

  • Page 119

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 119 When you can ping IP address 10.0.0.2 from the computer with IP address 192.168.167.2 behind ZyWALL B, you know the VPN tunnel works. 5.1.5 Using the Dynamic VPN Rule for More VPN Tunnels Other remote users (like sales people and telecommuters) using IPSec routers with dynamic WAN I[...]

  • Page 120

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 120 The security settings apply to VPN traffic going to or from the ZyWALL’s VPN tunnels. They do not apply to other VPN traffic for which the ZyWALL is not one of the gateways (VPN pass-through traffic). You can turn on content filtering for all of the ZyWALL’s VPN traffic [...]

  • Page 121

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 121 Figure 54 IDP Configuration for Traffic From VPN 5.2.2 IDP for To VPN Traffic Example You can also apply security settings to the To VPN packet direction to protect the remote networks from attacks, intrusions, viruses and spam originating from your own network. For example, you can[...]

  • Page 122

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 122 1 Click SECURITY > IDP > General. 2 Select the To VPN column’s first check box (with the interface label) to select all of the To VPN packet directions. 3 Click Apply. Figure 56 IDP Configuration for To VPN Traffic 5.3 Firewall Rule for VPN Example The firewall provide[...]

  • Page 123

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 123 Figure 57 Firewall Rule for VPN 5.3.1 Configuring the VPN Rule This section shows how to configure a VPN rule on device A to let the network behind B access the FTP server. You would also have to configure a corresponding rule on device B. 1 Click Security > VPN to open the followi[...]

  • Page 124

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 124 Figure 59 SECURITY > VPN > VPN Rules (IKE) > Add Gateway Policy 3 Click the Add Network Policy icon.[...]

  • Page 125

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 125 Figure 60 SECURITY > VPN > VPN Rules (IKE): With Gateway Policy Example 4 Use this screen to specify which computers behind the routers can use the VPN tunnel. Configure the fields that are circled as follows and click Apply. You may notice that the example does not specify the p[...]

  • Page 126

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 126 Figure 61 SECURITY > VPN > VPN Rules (IKE) > Add Network Policy[...]

  • Page 127

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 127 5.3.2 Configuring the Firewall Rules Suppose you have several VPN tunnels but you only want to allow device B’s network to access the FTP server. You also only want FTP traffic to go to the FTP server, so you want to block all other traffic types (like chat, e-mail, web and so o[...]

  • Page 128

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 128 Figure 63 SECURITY > FIREWALL > Rule Summary > Edit: Allow 5 The rule displays in the summary list of VPN to LAN firewall rules.[...]

  • Page 129

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 129 Figure 64 SECURITY > FIREWALL > Rule Summary: Allow 5.3.2.2 Default Firewall Rule to Block Other Access Example Now you configure the default firewall rule to block all VPN to LAN traffic. This blocks any other types of access from VPN tunnels to the LAN FTP server. This means[...]

  • Page 130

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 130 Figure 65 SECURITY > FIREWALL > Default Rule: Block From VPN To LAN 5.4 How to Set up a 3G WAN Connection This section shows you how to configure and set up a 3G WAN connection on the ZyWALL. In this example, you have set up WAN 1 and want the ZyWALL to use both of the WAN[...]

  • Page 131

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 131 2 If you have a wireless card or Turbo card in the ZyWALL, remove it. 3 Slide the connector end of the 3G card into the slot. 4 Connect the ZyWALL’s power. 5.4.2 Configuring 3G WAN Settings You should already have an activated user account and network access information from th[...]

  • Page 132

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 132 5.4.3 Checking WAN Connections 1 Go to the web configurator’s Home screen. 2 In the network status table, make sure the status for WAN 1 and WAN 2 is not Down and there is an IP address. If the WAN 2 connection is not up, make sure you have entered the correct information in the N[...]

  • Page 133

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 133 Figure 68 Tutorial: NETWORK > WAN > General 5.6 Configuring Content Filtering You can use the ZyWALL’s content filtering policies to apply specific content filtering settings to specific users. You can even filter certain things at certain times. For example, you decide to[...]

  • Page 134

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 134 Use the REGISTRATION screens (see Chapter 6 on page 141) to create a myZyXEL.com account, register your device and activate the external content filtering service. 1 Click SECURITY > CONTENT FILTER. 2 Enable the content filter and external database content filtering. 3 Click Apply[...]

  • Page 135

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 135 Figure 70 SECURITY > CONTENT FILTER > Policy 2 Select Active. 3 Select the categories to block. 4 Click Apply. Figure 71 SECURITY > CONTENT FILTER > Policy > External Database (Default)[...]

  • Page 136

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 136 5.6.3 Assign Bob’s Computer a Specific IP Address You will configure a content filtering policy for traffic from Bob’s computer’s IP address. Do the following to have the ZyWALL always give Bob’s computer the same IP address (192.168.1.33 in this example). 1 Click HOME &g[...]

  • Page 137

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 137 Figure 74 SECURITY > CONTENT FILTER > Policy > Insert 5.6.5 Set the Content Filter Schedule You want to let Bob access arts and entertainment web pages, but only during lunch. So you configure a schedule to only apply the Bob policy from 12:00 to 13:00. For the rest of the t[...]

  • Page 138

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 138 Figure 76 SECURITY > CONTENT FILTER > Policy > Schedule (Bob) 5.6.6 Block Categories of Web Content for Bob Now you select the categories of web pages to block Bob from accessing. 1 Click SECURITY > CONTENT FILTER > Policy and then the Bob policy’s external database [...]

  • Page 139

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 139 3 Select the categories to block. This is very similar to Section 5.6.2 on page 134, except you do not select the arts and entertainment category. 4 Click Apply. Figure 78 SECURITY > CONTENT FILTER > Policy > External Database (Bob)[...]

  • Page 140

    Chapter 5 Tutorials ZyWALL 5/35/70 Series User’s Guide 140[...]

  • Page 141

    ZyWALL 5/35/70 Series User’s Guide 141 CHAPTER 6 Registration Screens 6.1 Overview The registration screens let you activate and update your account with myZyXEL.com, allowing you access to subscription services required for the ZyWALL’s security features. 6.1.1 What You Can Do in the Registration Screens • Use the Registration screen [...]

  • Page 142

    Chapter 6 Registration Screens ZyWALL 5/35/70 Series User’s Guide 142 IDP IDP allows the ZyWALL to detect malicious or suspicious packets and respond immediately. Signatures This is the pattern of code used by a particular virus. The ZyWALL compares files with a database of signatures to identify possible viruses. The ID&P and anti-vir[...]

  • Page 143

    Chapter 6 Registration Screens ZyWALL 5/35/70 Series User’s Guide 143 Figure 79 REGISTRATION > Registration The following table describes the labels in this screen. Table 25 REGISTRATION > Registration LABEL DESCRIPTION Device Registration If you select Existing myZyXEL.com account, only the User Name and Password fields are available.[...]

  • Page 144

    Chapter 6 Registration Screens ZyWALL 5/35/70 Series User’s Guide 144 If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated. Use the Service screen to update your service subscription status. Figure 80 REGISTRATION > Registration: Registered Device 6.3 The Service Screen Af[...]

  • Page 145

    Chapter 6 Registration Screens ZyWALL 5/35/70 Series User’s Guide 145 Figure 81 REGISTRATION > Service The following table describes the labels in this screen. Table 26 REGISTRATION > Service LABEL DESCRIPTION Service Management Service This field displays the service name available on the ZyWALL. Status This field displays whether [...]

  • Page 146

    Chapter 6 Registration Screens ZyWALL 5/35/70 Series User’s Guide 146[...]

  • Page 147

    147 PART II Network LAN Screens (149) Bridge Screens (161) WAN Screens (169) DMZ Screens (207) WLAN Screens (219) Wireless Screens (229)[...]

  • Page 148

    148[...]

  • Page 149

    ZyWALL 5/35/70 Series User’s Guide 149 CHAPTER 7 LAN Screens 7.1 Overview A network is a shared communication system to which many computers are attached. The Local Area Network (LAN) includes the computers and networking devices in your home or office that you connect to the ZyWALL’s LAN ports. The Wide Area Network (WAN) is another[...]

  • Page 150

    Chapter 7 LAN Screens ZyWALL 5/35/70 Series User’s Guide 150 • Use the IP Alias screen (Section 7.4 on page 156) to configure IP alias settings on the ZyWALL’s LAN ports. • Use the Port Roles screen (Section 7.5 on page 158) to configure LAN ports on the ZyWALL. The Port Roles screen is available on the ZyWALL 5 and ZyWALL 35. 7[...]

  • Page 151

    Chapter 7 LAN Screens ZyWALL 5/35/70 Series User’s Guide 151 Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Addr[...]

  • Page 152

    Chapter 7 LAN Screens ZyWALL 5/35/70 Series User’s Guide 152 Multicast Traditionally, IP packets are transmitted in one of either two ways - Unicast (1 sender - 1 recipient) or Broadcast (1 sender - everybody on the network). Multicast delivers IP packets to a group of hosts on the network - not everybody and not just 1. IGMP (Internet Group M[...]

  • Page 153

    Chapter 7 LAN Screens ZyWALL 5/35/70 Series User’s Guide 153 Figure 83 NETWORK > LAN The following table describes the labels in this screen. Table 27 NETWORK > LAN LABEL DESCRIPTION LAN TCP/IP IP Address Type the IP address of your ZyWALL in dotted decimal notation. 192.168.1.1 is the factory default. Alternatively, click the right mou[...]

  • Page 154

    Chapter 7 LAN Screens ZyWALL 5/35/70 Series User’s Guide 154 RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks[...]

  • Page 155

    Chapter 7 LAN Screens ZyWALL 5/35/70 Series User’s Guide 155 7.3 The LAN Static DHCP Screen This table allows you to assign IP addresses on the LAN to specific individual computers based on their MAC addresses. To change your ZyWALL’s static DHCP settings, click NETWORK > LAN > Static DHCP. The screen appears as shown. Windows[...]

  • Page 156

    Chapter 7 LAN Screens ZyWALL 5/35/70 Series User’s Guide 156 Figure 84 NETWORK > LAN > Static DHCP The following table describes the labels in this screen. 7.4 The LAN IP Alias Screen IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. Table 28 NETWORK > LAN > Stati[...]

  • Page 157

    Chapter 7 LAN Screens ZyWALL 5/35/70 Series User’s Guide 157 The ZyWALL has a single LAN interface. Even though more than one of ports 1~4 may be in the LAN port role, they are all still part of a single physical Ethernet interface and all use the same IP address. The ZyWALL supports three logical LAN interfaces via its single physical LAN[...]

  • Page 158

    Chapter 7 LAN Screens ZyWALL 5/35/70 Series User’s Guide 158 The following table describes the labels in this screen. 7.5 The LAN Port Roles Screen Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Ports 1~4 on the ZyWALL 5 and ZyWALL 35 ports can be part of the LAN, DMZ or WLAN interface. The ZyWALL 70 ha[...]

  • Page 159

    Chapter 7 LAN Screens ZyWALL 5/35/70 Series User’s Guide 159 The radio buttons correspond to Ethernet ports on the front panel of the ZyWALL. On the ZyWALL 70, ports 1 to 4 are all DMZ ports by default. On the ZyWALL 5 or ZyWALL 35, ports 1 to 4 are all LAN ports by default. Your changes are also reflected in the DMZ Port Roles and W[...]

  • Page 160

    Chapter 7 LAN Screens ZyWALL 5/35/70 Series User’s Guide 160[...]

  • Page 161

    ZyWALL 5/35/70 Series User’s Guide 161 CHAPTER 8 Bridge Screens 8.1 Overview The ZyWALL can act as a bridge between a switch and a wired LAN or between two routers. This chapter describes how to configure bridge settings. This chapter is only applicable when the ZyWALL is in bridge mode. In bridge mode, the ZyWALL functions as a transparen[...]

  • Page 162

    Chapter 8 Bridge Screens ZyWALL 5/35/70 Series User’s Guide 162 8.1.2 What You Need To Know About Bridging Bridge Loop Be careful to avoid bridge loops when you enable bridging in the ZyWALL. Bridge loops cause broadcast traffic to circle the network endlessly, resulting in possible throughput degradation and disruption of communicatio[...]

  • Page 163

    Chapter 8 Bridge Screens ZyWALL 5/35/70 Series User’s Guide 163 8.2 The Bridge Screen Select Bridge and click Apply in the MAINTENANCE > Device Mode screen to have the ZyWALL function as a bridge. You can use the firewall and VPN in bridge mode. See the user’s guide for a list of other features that are available in bridge mode. Click N[...]

  • Page 164

    Chapter 8 Bridge Screens ZyWALL 5/35/70 Series User’s Guide 164 8.3 The Bridge Port Roles Screen Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Ports 1~4 on the ZyWALL 5 and ZyWALL 35 ports can be part of the LAN, DMZ or WLAN interface. The ZyWALL 70 has a separate (dedicated) LAN port, so ports 1~[...]

  • Page 165

    Chapter 8 Bridge Screens ZyWALL 5/35/70 Series User’s Guide 165 The radio buttons correspond to Ethernet ports on the front panel of the ZyWALL. On the ZyWALL 70, ports 1 to 4 are all DMZ ports by default. On the ZyWALL 5 or ZyWALL 35, ports 1 to 4 are all LAN ports by default. Figure 93 NETWORK > Bridge > Port Roles The following tabl[...]

  • Page 166

    Chapter 8 Bridge Screens ZyWALL 5/35/70 Series User’s Guide 166 8.4 Bridge Technical Reference STP Terminology The root bridge is the base of the spanning tree. Path cost is the cost of transmitting a frame from the root bridge to that port. It is assigned according to the speed of the link to which a port is attached. The slower the medi[...]

  • Page 167

    Chapter 8 Bridge Screens ZyWALL 5/35/70 Series User’s Guide 167 STP Port States STP assigns five port states (see next table) to eliminate packet looping. A bridge port is not allowed to go directly from blocking state to forwarding state so as to eliminate transient loops. Table 34 STP Port States PORT STATE DESCRIPTION Disabled STP is disab[...]

  • Page 168

    Chapter 8 Bridge Screens ZyWALL 5/35/70 Series User’s Guide 168[...]

  • Page 169

    ZyWALL 5/35/70 Series User’s Guide 169 CHAPTER 9 WAN Screens 9.1 Overview This chapter discusses the ZyWALL’s WAN screens. Use these screens to configure your ZyWALL for Internet access. A WAN (Wide Area Network) connection is an outside connection to another network or the Internet. It connects your private networks (such as a LAN ([...]

  • Page 170

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 170 9.1.1 What You Can Do in the WAN Screens • Use the General screen (Section 9.2 on page 172) to configure load balancing, route priority, and connection test settings for the ZyWALL. • Use the WAN 1 and 2 screens (Section 9.3 on page 182) to configure the WAN1 and WAN2 i[...]

  • Page 171

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 171 You can use policy routing to specify the WAN interface that specific services go through. An ISP may give traffic from certain (more expensive) connections priority over the traffic from other accounts. You could route delay intolerant traffic (like voice over IP calls) throu[...]

  • Page 172

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 172 Let’s say that you have the WAN operation mode set to active/passive, meaning the ZyWALL uses the second highest priority WAN interface as a back up. The WAN 1 route has a metric of "2", the WAN 2 route has a metric of "3", the traffic-redirect route has a met[...]

  • Page 173

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 173 Figure 97 Incorrect WAN IP 1 LAN user A wants to download a file from a remote server on the Internet. The ZyWALL is using active/active load balancing and sends the request to an update server (B) through WAN 1. 2 Update server B sends a file list to LAN user A. The download [...]

  • Page 174

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 174 Figure 98 NETWORK > WAN > General[...]

  • Page 175

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 175 The following table describes the labels in this screen. Table 35 NETWORK > WAN > General LABEL DESCRIPTION Active/Passive (Fail Over) Mode Select the Active/Passive (fail over) operation mode to have the ZyWALL use the second highest priority WAN interface as a back up. This m[...]

  • Page 176

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 176 Check Fail Tolerance Type how many WAN connection checks can fail (1-10) before the connection is considered "down" (not connected). The ZyWALL still checks a "down" connection to detect if it reconnects. Check WAN1/2 Connectivity Select the check box t[...]

  • Page 177

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 177 9.2.2 Configuring Load Balancing To configure load balancing on the ZyWALL, click NETWORK > WAN in the navigation panel. The WAN General screen displays by default. Select Active/Active Mode under Operation Mode to enable load balancing on the ZyWALL. The WAN Gener[...]

  • Page 178

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 178 Since WAN 2 has a smaller load balancing index (meaning that it is less utilized than WAN 1), the ZyWALL will send the subsequent new session traffic through WAN 2. Example 2 This example uses the same network scenario as in Figure 99 on page 177, but uses both the outbound and inb[...]

  • Page 179

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 179 The following table describes the related fields in this screen. 9.2.4 Weighted Round Robin Round Robin routes traffic on a rotating basis and is activated only when a WAN interface has more traffic than the configured available bandwidth. On the ZyWALL with two WAN interfaces[...]

  • Page 180

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 180 Figure 101 Weighted Round Robin Algorithm Example To load balance using the weighted round robin method, select Weighted Round Robin in the Load Balancing Algorithm field. Figure 102 Load Balancing: Weighted Round Robin The following table describes the related fields in this scr[...]

  • Page 181

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 181 In cases where the primary WAN interface uses an unlimited access Internet connection and the secondary WAN uses a per-use timed access plan, the ZyWALL will only use the secondary WAN interface when the traffic load reaches the upper threshold on the primary WAN interface. Th[...]

  • Page 182

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 182 9.3 The WAN1 and WAN2 Screen To change your ZyWALL's WAN ISP, IP and MAC settings, click NETWORK > WAN and then the WAN > WAN 1 or WAN 2 (on a ZyWALL with two WAN Ethernet interfaces). The screen differs by the encapsulation. Note: The WAN 1 and WAN 2 IP add[...]

  • Page 183

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 183 Note: Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Add[...]

  • Page 184

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 184 Figure 105 NETWORK > WAN > WAN (Ethernet Encapsulation) The following table describes the labels in this screen. Table 42 NETWORK > WAN > WAN (Ethernet Encapsulation) LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation You must choose the Ethernet option[...]

  • Page 185

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 185 Login Server IP Address Type the authentication server IP address here if your ISP gave you one. This field is not available for Telia Login. Login Server (Telia Login only) Type the domain name of the Telia login server, for example login1.telia.com. Relogin Every(min) (Telia[...]

  • Page 186

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 186 9.3.2 PPPoE Encapsulation The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (DSL, cable, wireless, etc.) connection. The PPPoE option is for a dial-up conne[...]

  • Page 187

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 187 Figure 106 NETWORK > WAN > WAN (PPPoE Encapsulation) The following table describes the labels in this screen. Table 43 NETWORK > WAN > WAN (PPPoE Encapsulation) LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Select PPPoE for a dial-up connection usi[...]

  • Page 188

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 188 Nailed-Up Select Nailed-Up if you do not want the connection to time out. Idle Timeout This value specifies the time in seconds that elapses before the ZyWALL automatically disconnects from the PPPoE server. WAN IP Address Assignment Get automatically from ISP Select this option if[...]

  • Page 189

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 189 9.3.3 PPTP Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol a[...]

  • Page 190

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 190 Figure 107 NETWORK > WAN > WAN (PPTP Encapsulation) The following table describes the labels in this screen. Table 44 NETWORK > WAN > WAN (PPTP Encapsulation) LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Set the encapsulation method to PPTP. The [...]

  • Page 191

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 191 Authentication Type The ZyWALL supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). CHAP is more secure than PAP; however, PAP is readily available on more platforms. Use the drop-down list box to select an authentication [...]

  • Page 192

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 192 9.4 The 3G (WAN2) Screen Use this screen to configure your 3G (WAN2) settings. After you insert a 3G card in the ZyWALL 5, the 3G connection becomes WAN 2. Refer to Section 55.1 on page 773 for the type of 3G cards that you can use in the ZyWALL along with the corresponding suppo[...]

  • Page 193

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 193 Note: The actual data rate you obtain varies depending on the 3G card you use, the signal strength to the service provider’s base station, and so on. If the signal strength of a 3G network is too low, the 3G card may switch to an available 2.5G or 2.75G network. Refer to Section[...]

  • Page 194

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 194 Figure 108 NETWORK > WAN > 3G (WAN 2) The following table describes the labels in this screen. Table 45 NETWORK > WAN > 3G (WAN 2) LABEL DESCRIPTION Enable Select this option to enable WAN 2. 3G Card Configuration The fields below display only when you enable WAN 2. 3G [...]

  • Page 195

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 195 Network Type Select the type of the network (UMTS/HSDPA only, GPRS/EDGE only, GSM all or WCDMA all) to which you want the card to connect. See Table 49 on page 204 for more information. Otherwise, select Automatically to have the card connect to an available network using the d[...]

  • Page 196

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 196 Idle Timeout This value specifies the time in seconds that elapses before the ZyWALL automatically disconnects from the ISP. WAN IP Address Assignment Get automatically from ISP Select this option if your ISP did not assign you a fixed IP address. This is the default selection. Use[...]

  • Page 197

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 197 9.5 The Traffic Redirect Screen Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the ZyWALL still provides firewall protection for the LAN. Figure [...]

  • Page 198

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 198 Figure 110 Traffic Redirect LAN Setup 9.6 Configuring the Traffic Redirect Screen To change your ZyWALL’s traffic redirect settings, click NETWORK > WAN > Traffic Redirect. The screen appears as shown. Note: For the ZyWALL 5, if the traffic redirect feature does not[...]

  • Page 199

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 199 9.7 The Dial Backup Screen Click NETWORK > WAN > Dial Backup to display the Dial Backup screen. Use this screen to configure the backup WAN dial-up connection. Not all fields are available on all models. Figure 112 NETWORK > WAN > Dial Backup[...]

  • Page 200

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 200 The following table describes the labels in this screen. Table 47 NETWORK > WAN > Dial Backup LABEL DESCRIPTION Dial Backup Setup Enable Dial Backup Select this check box to turn on dial backup. Basic Settings Login Name Type the login name assigned by your ISP. Password Type[...]

  • Page 201

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 201 9.7.1 The Advanced Modem Setup Screen Click the Edit button in the Dial Backup screen to display the Advanced Setup screen. Use this screen to configure your advanced modem setup settings for the Dial Backup screen. RIP Version The RIP Version field controls the format and the bro[...]

  • Page 202

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 202 AT Command Strings For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing. ATDT is the command for a switch that requires tone dialing. If your switch requires pulse dialing, change the string to ATDP. For ISDN lines, there are many mo[...]

  • Page 203

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 203 Figure 113 NETWORK > WAN > Dial Backup > Edit The following table describes the labels in this screen. Table 48 NETWORK > WAN > Dial Backup > Edit LABEL DESCRIPTION AT Command Strings Dial Type the AT Command string to make a call. Drop Type the AT Command[...]

  • Page 204

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 204 9.8 WAN Technical Reference 3G Comparison Table See the following table for a comparison between 2G, 2.5G, 2.75G and 3G wireless technologies. Retry Interval (sec) Type a number of seconds for the ZyWALL to wait before trying another call after a call has failed. This applies be[...]

  • Page 205

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 205 A. The International Telecommunication Union (ITU) is an international organization within which governments and the private sector coordinate global telecom networks and services.[...]

  • Page 206

    Chapter 9 WAN Screens ZyWALL 5/35/70 Series User’s Guide 206[...]

  • Page 207

    ZyWALL 5/35/70 Series User’s Guide 207 CHAPTER 10 DMZ Screens 10.1 Overview The DeMilitarized Zone (DMZ) provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death). These public servers can also still b[...]

  • Page 208

    Chapter 10 DMZ Screens ZyWALL 5/35/70 Series User’s Guide 208 10.1.2 What You Need To Know About DMZ DMZ and Security It is highly recommended that you connect all of your public servers to the DMZ port(s). It is also highly recommended that you keep all sensitive information off of the public servers connected to the DMZ port. Store sens[...]

  • Page 209

    Chapter 10 DMZ Screens ZyWALL 5/35/70 Series User’s Guide 209 Figure 115 DMZ Public Address Example 10.1.4 DMZ Private and Public IP Address Example The following figure shows a network setup with both private and public IP addresses on the DMZ. Lower case letters represent public IP addresses (like a.b.c.d for example). The LAN port and conne[...]

  • Page 210

    Chapter 10 DMZ Screens ZyWALL 5/35/70 Series User’s Guide 210 Figure 116 DMZ Private and Public Address Example 10.2 The DMZ Screen Use this screen to configure TCP/IP, DHCP, IP/MAC binding and NetBIOS settings on the DMZ. The DMZ and the connected computers can have private or public IP addresses. When the DMZ uses public IP addresses, t[...]

  • Page 211

    Chapter 10 DMZ Screens ZyWALL 5/35/70 Series User’s Guide 211 Figure 117 NETWORK > DMZ The following table describes the labels in this screen. Table 50 NETWORK > DMZ LABEL DESCRIPTION DMZ TCP/IP IP Address Type the IP address of your ZyWALL’s DMZ port in dotted decimal notation. Note: Make sure the IP addresses of the LAN, WAN, WLA[...]

  • Page 212

    Chapter 10 DMZ Screens ZyWALL 5/35/70 Series User’s Guide 212 RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most netwo[...]

  • Page 213

    Chapter 10 DMZ Screens ZyWALL 5/35/70 Series User’s Guide 213 10.3 The Static DHCP Screen This table allows you to assign IP addresses on the DMZ to specific individual computers based on their MAC Addresses. To change your ZyWALL’s static DHCP settings on the DMZ, click NETWORK > DMZ > Static DHCP. The screen appears as show[...]

  • Page 214

    Chapter 10 DMZ Screens ZyWALL 5/35/70 Series User’s Guide 214 Figure 118 NETWORK > DMZ > Static DHCP The following table describes the labels in this screen. 10.4 The IP Alias Screen Configure IP alias settings to partition a physical network into different logical networks over the same Ethernet interface. See Section 7.4 on page 156[...]

  • Page 215

    Chapter 10 DMZ Screens ZyWALL 5/35/70 Series User’s Guide 215 To change your ZyWALL’s IP alias settings, click NETWORK > DMZ > IP Alias. The screen appears as shown. Figure 119 NETWORK > DMZ > IP Alias The following table describes the labels in this screen. Table 52 NETWORK > DMZ > IP Alias LABEL DESCRIPTION Enable IP [...]

  • Page 216

    Chapter 10 DMZ Screens ZyWALL 5/35/70 Series User’s Guide 216 10.5 The DMZ Port Roles Screen Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. See Section 7.5 on page 158 for more information on port roles. To change your ZyWALL’s port role settings, click NETWORK > DMZ > Port Roles. The screen[...]

  • Page 217

    Chapter 10 DMZ Screens ZyWALL 5/35/70 Series User’s Guide 217[...]

  • Page 218

    Chapter 10 DMZ Screens ZyWALL 5/35/70 Series User’s Guide 218[...]

  • Page 219

    ZyWALL 5/35/70 Series User’s Guide 219 CHAPTER 11 WLAN Screens 11.1 Overview A wireless LAN can be as simple as two computers with wireless LAN adapters communicating in a peer-to-peer network or as complex as a number of computers with wireless LAN adapters communicating through access points which bridge network traffic to the wired LAN. T [...]

  • Page 220

    Chapter 11 WLAN Screens ZyWALL 5/35/70 Series User’s Guide 220 • Use the Port Roles screen (Section 11.5 on page 226) to set a port to be part of the WLAN and connect an Access Point (AP) to the WLAN interface to extend the ZyWALL’s wireless LAN coverage. 11.1.2 What You Need to Know About WLAN DHCP See Section 7.1.2 on page 150 for [...]

  • Page 221

    Chapter 11 WLAN Screens ZyWALL 5/35/70 Series User’s Guide 221 Figure 122 NETWORK > WLAN The following table describes the labels in this screen. Table 54 NETWORK > WLAN LABEL DESCRIPTION WLAN TCP/IP IP Address Type the IP address of your ZyWALL’s WLAN interface in dotted decimal notation. Alternatively, click the right mouse button[...]

  • Page 222

    Chapter 11 WLAN Screens ZyWALL 5/35/70 Series User’s Guide 222 RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most netwo[...]

  • Page 223

    Chapter 11 WLAN Screens ZyWALL 5/35/70 Series User’s Guide 223 11.3 WLAN Static DHCP This table allows you to assign IP addresses on the WLAN to specific individual computers based on their MAC addresses. To change your ZyWALL’s WLAN static DHCP settings, click NETWORK > WLAN > Static DHCP. The screen appears as shown. Window[...]

  • Page 224

    Chapter 11 WLAN Screens ZyWALL 5/35/70 Series User’s Guide 224 Figure 123 NETWORK > WLAN > Static DHCP The following table describes the labels in this screen. 11.4 WLAN IP Alias IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. See Section 7.4 on page 156 for more in[...]

  • Page 225

    Chapter 11 WLAN Screens ZyWALL 5/35/70 Series User’s Guide 225 To change your ZyWALL’s IP alias settings, click NETWORK > WLAN > IP Alias. The screen appears as shown. Figure 124 NETWORK > WLAN > IP Alias The following table describes the labels in this screen. Table 56 NETWORK > WLAN > IP Alias LABEL DESCRIPTION Enable I[...]

  • Page 226

    Chapter 11 WLAN Screens ZyWALL 5/35/70 Series User’s Guide 226 11.5 WLAN Port Roles Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Connect wireless LAN Access Points (APs) to WLAN interfaces to extend the ZyWALL’s wireless LAN coverage. The WLAN port role allows the ZyWALL’s firewall to treat tr[...]

  • Page 227

    Chapter 11 WLAN Screens ZyWALL 5/35/70 Series User’s Guide 227 Figure 126 NETWORK > WLAN > Port Roles The following table describes the labels in this screen. After you change the LAN/DMZ/WLAN port roles and click Apply, please wait for a few seconds until the following screen appears. Click Return to go back to the Port Roles screen. Figure[...]

  • Page 228

    Chapter 11 WLAN Screens ZyWALL 5/35/70 Series User’s Guide 228[...]

  • Page 229

    ZyWALL 5/35/70 Series User’s Guide 229 CHAPTER 12 Wireless Screens 12.1 Overview In this section you can enable your wireless card and configure wireless security. You can configure the ZyWALL to use data encryption and user authentication methods to help protect data transmitted on your network and to ensure only devices with permission t[...]

  • Page 230

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 230 The figure below shows the possible wireless security levels on your ZyWALL. Figure 129 ZyWALL Wireless Security Levels If you do not enable any wireless security on your ZyWALL, your network is accessible to any wireless networking device that is within range. ESSID ESSID [...]

  • Page 231

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 231 • An optional network RADIUS server for remote user authentication and accounting. EAP Authentication EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE 802.1x transport mechanism in order to support multiple types of user [...]

  • Page 232

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 232 Finding Out More • See Section 12.4 on page 244 for technical details on wireless security. 12.2 Wireless Card The wireless card provides wireless functionality to your ZyWALL. Note: Turn the ZyWALL off before you install or remove the wireless LAN card. See the product[...]

  • Page 233

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 233 The following table describes the labels in this screen. Table 58 WIRELESS > Wi-Fi > Wireless Card: No Security LABEL DESCRIPTION Enable Wireless Card The wireless LAN through a wireless LAN card is turned off by default; before you enable the wireless LAN you should con[...]

  • Page 234

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 234 12.2.1 Static WEP Static WEP provides a mechanism for encrypting data using encryption keys. Both the AP and the wireless stations must use the same WEP key to encrypt and decrypt data. Your ZyWALL allows you to configure up to four 64-bit or 128-bit WEP keys, but only on[...]

  • Page 235

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 235 Figure 131 WIRELESS > Wi-Fi > Wireless Card: Static WEP The following table describes the wireless LAN security labels in this screen. 12.2.2 WPA-PSK Click WIRELESS > Wi-Fi > Wireless Card to display the Wireless Card screen. Select WPA-PSK from the Security[...]

  • Page 236

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 236 Figure 132 WIRELESS > Wi-Fi > Wireless Card: WPA-PSK The following wireless LAN security fields become available when you select WPA-PSK in the Security drop down list-box. Table 60 WIRELESS > Wi-Fi > Wireless Card: WPA-PSK LABEL DESCRIPTION Security Select WP [...]

  • Page 237

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 237 12.2.3 WPA Click WIRELESS > Wi-Fi > Wireless Card to display the Wireless Card screen. Select WPA from the Security list. Figure 133 WIRELESS > Wi-Fi > Wireless Card: WPA The following wireless LAN security fields become available when you select WPA in the [...]

  • Page 238

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 238 12.2.4 IEEE 802.1x + Dynamic WEP Click WIRELESS > Wi-Fi > Wireless Card to display the Wireless Card screen. Select 802.1x + Dynamic WEP from the Security list. Figure 134 WIRELESS > Wi-Fi > Wireless Card: 802.1x + Dynamic WEP The following wireless LAN securit[...]

  • Page 239

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 239 12.2.5 IEEE 802.1x + Static WEP Click WIRELESS > Wi-Fi > Wireless Card to display the Wireless Card screen. Select 802.1x + Static WEP from the Security list. Figure 135 WIRELESS > Wi-Fi > Wireless Card: 802.1x + Static WEP The following wireless LAN security [...]

  • Page 240

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 240 12.2.6 IEEE 802.1x + No WEP Click WIRELESS > Wi-Fi > Wireless Card to display the Wireless Card screen. Select 802.1x + No WEP from the Security list. Key 1 to Key 4 If you chose 64-bit WEP in the WEP Encryption field, then enter any 5 characters (ASCII string) or 10[...]

  • Page 241

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 241 Figure 136 WIRELESS > Wi-Fi > Wireless Card: 802.1x + No WEP The following wireless LAN security fields become available when you select 802.1x + No WEP in the Security drop down list-box. 12.2.7 No Access 802.1x + Static WEP Click WIRELESS > Wi-Fi > Wireless Car[...]

  • Page 242

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 242 Figure 137 WIRELESS > Wi-Fi > Wireless Card: No Access 802.1x + Static WEP The following wireless LAN security fields become available when you select No Access 802.1x + Static WEP in the Security drop down list-box. 12.2.8 No Access 802.1x + No WEP Click the NETWORK &[...]

  • Page 243

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 243 12.3 MAC Filter The MAC filter screen allows you to configure the ZyWALL to give exclusive access to specific devices (Allow Association) or exclude specific devices from accessing the ZyWALL (Deny Association). You need to know the MAC addresses of the devices to confi[...]

  • Page 244

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 244 12.4 Technical Reference RADIUS RADIUS user is a simple package exchange in which your ZyWALL acts as a message relay between the wireless station and the network RADIUS server. See RFC 2138 and RFC 2139 for more on RADIUS. Types of RADIUS Messages The following types of RA[...]

  • Page 245

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 245 Figure 139 EAP Authentication The details below provide a general description of how IEEE 802.1x EAP authentication works. • The wireless station sends a start message to the ZyWALL. • The ZyWALL sends a request identity message to the wireless station for identity infor[...]

  • Page 246

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 246 The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not ma[...]

  • Page 247

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 247 2 The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly. 3 The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the[...]

  • Page 248

    Chapter 12 Wireless Screens ZyWALL 5/35/70 Series User’s Guide 248[...]

  • Page 249

    249 PART III Security Firewall Screens (251) Intrusion Detection and Prevention (IDP) Screens (277) Anti-Virus Screens (299) Anti-Spam Screens (313) Content Filtering Screens (327) Content Filtering Reports (349) IPSec VPN (357) Certificates (399) Authentication Server Screens (427)[...]

  • Page 250

    250[...]

  • Page 251

    ZyWALL 5/35/70 Series User’s Guide 251 CHAPTER 13 Firewall Screens This chapter shows you how to configure your ZyWALL’s firewall. 13.1 Overview A firewall is a system that enforces an access-control policy between two networks. It is generally a mechanism used to protect a trusted network from an untrusted network. The ZyWALL physica[...]

  • Page 252

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 252 13.1.1 What You Can Do Using the Firewall Screens • Use the Default Rule screens (Section 13.4 on page 256) to configure general firewall settings when the ZyWALL is set to router mode or bridge mode. • Use the Rule Summary screens (Section 13.5 on page 259) to config[...]

  • Page 253

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 253 Figure 143 Blocking All LAN to WAN IRC Traffic Example Your firewall would have the following configuration. • The first row blocks LAN access to the IRC service on the WAN. • The second row is the firewall’s default policy that allows all traffic from the LAN to go to[...]

  • Page 254

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 254 Figure 144 Limited LAN to WAN IRC Traffic Example Your firewall would have the following configuration. • The first row allows the LAN computer at IP address 192.168.1.7 to access the IRC service on the WAN. • The second row blocks LAN access to the IRC service on the [...]

  • Page 255

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 255 Figure 145 SECURITY > FIREWALL > Default Rule (Router Mode) The following table describes the labels in this screen. Table 69 SECURITY > FIREWALL > Default Rule (Router Mode) LABEL DESCRIPTION 0-100% This bar displays the percentage of the ZyWALL’s firewall r[...]

  • Page 256

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 256 13.4 The Firewall Default Rule (Bridge Mode) Screen Click SECURITY > FIREWALL to open the Default Rule screen. Use this screen to configure general firewall settings when the ZyWALL is in Bridge mode. From, To The firewall rules are grouped by the direction of packet tra[...]

  • Page 257

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 257 Figure 146 SECURITY > FIREWALL > Default Rule (Bridge Mode) The following table describes the labels in this screen. Table 70 SECURITY > FIREWALL > Default Rule (Bridge Mode) LABEL DESCRIPTION 0-100% This bar displays the percentage of the ZyWALL’s firewall rul[...]

  • Page 258

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 258 From, To The firewall rules are grouped by the direction of packet travel. The number of rules for each packet direction displays. Click Edit to go to a summary screen of the rules for that packet direction. Here are some example descriptions of the directions of travel. Fro[...]

  • Page 259

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 259 13.5 The Firewall Rule Summary Screen Click SECURITY > FIREWALL > Rule Summary to open the screen. This screen displays a list of the configured firewall rules. Note: The ordering of your rules is very important as rules are applied in the order that they are listed. See[...]

  • Page 260

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 260 13.5.1 The Firewall Edit Rule Screen In the Rule Summary screen, click the edit icon or the insert icon to display the Firewall Edit Rule screen. Use this screen to create or edit a firewall rule. Refer to the following table for information on the labels. See Section 13.1 on[...]

  • Page 261

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 261 Figure 148 SECURITY > FIREWALL > Rule Summary > Edit[...]

  • Page 262

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 262 The following table describes the labels in this screen. Table 72 SECURITY > FIREWALL > Rule Summary > Edit LABEL DESCRIPTION Rule Name Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the firewall rule. Spaces ar[...]

  • Page 263

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 263 13.6 The Anti-Probing Screen Click SECURITY > FIREWALL > Anti-Probing to open the following screen. Configure this screen to help keep the ZyWALL hidden from probing attempts. You can specify which of the ZyWALL’s interfaces will respond to Ping requests and whet[...]

  • Page 264

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 264 The following table describes the labels in this screen. 13.7 The Firewall Thresholds Screen For DoS attacks, the ZyWALL uses thresholds to determine when to start dropping sessions that do not become fully established (half-open sessions). These thresholds apply globally to[...]

  • Page 265

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 265 The following table describes the labels in this screen. Table 74 SECURITY > FIREWALL > Threshold LABEL DESCRIPTION Disable DoS Attack Protection on Select the check boxes of any interfaces (or all VPN tunnels) for which you want the ZyWALL to not use the Denial of Serv[...]

  • Page 266

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 266 13.8 The Firewall Services Screen Click SECURITY > FIREWALL > Service to open the screen as shown next. Use this screen to configure custom services for use in firewall rules or view the services that are predefined in the ZyWALL. Figure 151 SECURITY > FIREWALL >[...]

  • Page 267

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 267 13.8.1 The Firewall Edit Custom Service Screen Click SECURITY > FIREWALL > Service > Add to display the following screen. Use this screen to configure a custom service entry that is not predefined in the ZyWALL. See Appendix B on page 783 for a list of commonly used se[...]

  • Page 268

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 268 13.8.2 My Service Firewall Rule Example The following Internet firewall rule example allows a hypothetical My Service connection from the Internet. 1 In the Service screen, click Add to open the Edit Custom Service screen. Figure 153 My Service Firewall Rule Example: Service[...]

  • Page 269

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 269 Figure 155 My Service Firewall Rule Example: Rule Summary 6 Enter the name of the firewall rule. 7 Select Any in the Destination Address(es) box and then click Delete. 8 Configure the destination address fields as follows and click Add. Figure 156 My Service Firewall Rule Examp[...]

  • Page 270

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 270 Figure 157 My Service Firewall Rule Example: Rule Configuration[...]

  • Page 271

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 271 Rule 1 allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN. Figure 158 My Service Firewall Rule Example: Rule Summary 13.9 Technical Reference This technical reference contains the following sections: • Packet Direction Examples [...]

  • Page 272

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 272 By default, the ZyWALL drops packets traveling in the following directions. See Chapter 5 on page 109 for information about packets traveling to or from the VPN tunnels. To VPN Packet Direction The ZyWALL can apply firewall rules to traffic before encrypting it to send th[...]

  • Page 273

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 273 Figure 159 From LAN to VPN Example From VPN Packet Direction You can also apply firewall rules to traffic that comes in through the ZyWALL’s VPN tunnels. The ZyWALL decrypts the VPN traffic and then applies the firewall rules. From VPN means traffic that came into the Zy[...]

  • Page 274

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 274 From VPN To VPN Packet Direction From VPN To VPN firewall rules apply to traffic that comes in through one of the ZyWALL’s VPN tunnels and terminates at the ZyWALL (like for remote management) or goes out through another of the ZyWALL’s VPN tunnels (this is called [...]

  • Page 275

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 275 3 The reply from the WAN goes to the ZyWALL. 4 The ZyWALL then sends it to the computer on the LAN in Subnet 1. Figure 162 Using IP Alias to Solve the Triangle Route Problem DoS Thresholds For TCP, half-open means that the session has not reached the established state-the [...]

  • Page 276

    Chapter 13 Firewall Screens ZyWALL 5/35/70 Series User’s Guide 276 1 The maximum number of opened sessions. 2 The minimum capacity of server backlog in your LAN network. 3 The CPU power of servers in your LAN network. 4 Network bandwidth. 5 Type of traffic for certain servers. Reduce the threshold values if your network is slower than aver[...]

  • Page 277

    ZyWALL 5/35/70 Series User’s Guide 277 CHAPTER 14 Intrusion Detection and Prevention (IDP) Screens 14.1 Overview An IDP system can detect malicious or suspicious packets and respond instantaneously. It can detect anomalies based on violations of protocol standards (RFCs – Requests for Comments) or traffic flows and abnormal flows such as p[...]

  • Page 278

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 278 • Use the Update screen (Section 14.5 on page 291) to immediately download or schedule new signature downloads. • Use the Backup & Restore screen (Section 14.6 on page 293) to back up IDP signatures with your custom configured setting[...]

  • Page 279

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 279 Finding out More See Section 14.7 on page 294 for more detailed information on IDP. 14.1.3 Before You Begin To use IDP on the ZyWALL, you need to insert the ZyWALL Turbo Card into the rear panel slot of the ZyWALL. See the ZyWALL Turbo Card[...]

  • Page 280

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 280 The following table describes the labels in this screen. Table 77 SECURITY > IDP > General Setup LABEL DESCRIPTION General Setup Enable Intrusion Detection and Protection Select this check box to enable IDP on the ZyWALL. When this check [...]

  • Page 281

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 281 14.3 The Signatures Screen The rules that define how to identify and respond to intrusions are called “signatures”. Click SECURITY > IDP > Signatures to see the ZyWALL’s signatures. 14.3.1 Attack Types Click SECURITY > IDP >[...]

  • Page 282

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 282 14.3.2 Intrusion Severity Intrusions are assigned a severity level based on the following table. The intrusion severity level then determines the default signature action. 14.3.3 Signature Actions You can enable/disable individual signatures. You[...]

  • Page 283

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 283 14.3.4 Configuring The IDP Signatures Screen Click SECURITY > IDP > Signature to see the ZyWALL’s “group view” signature screen where you can view signatures by attack type. To search for signatures based on other criteria such as[...]

  • Page 284

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 284 14.3.5 The Query View Screen Click SECURITY > IDP > Signature to see the ZyWALL’s “group view” signature screen, then click the Switch to query view link to go to this “query view” screen. Use this screen to search for signatur[...]

  • Page 285

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 285 Figure 168 SECURITY > IDP > Signature: Query View The following table describes the fields in this screen. Table 82 SECURITY > IDP > Signature: Query View LABEL DESCRIPTION Back to group view Click this button to go to the IDP group [...]

  • Page 286

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 286 Configure Signatures The results display in a table showing the criteria as selected in the search. Click a column’s header to sort the entries by that attribute. Go To Navigate between signatures found. This field is available only if there[...]

  • Page 287

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 287 14.3.5.1 Query Example 1 1 From the “group view” signature screen, click the Switch to query view link. 1 Select Signature Search. 2 Select By Name or By ID from the list box. 3 Enter a name (complete or partial) or complete ID to display al[...]

  • Page 288

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 288 Figure 170 SECURITY > IDP > Signature: Query by Complete ID 14.3.5.2 Query Example 2 1 From the “group view” signature screen, click the Switch to query view link. 1 Select Signature Search By Attributes. 2 Select the Severity, Type [...]

  • Page 289

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 289 Figure 171 Signature Query by Attribute. 14.4 The Anomaly Screen This section introduces ADP (Anomaly Detection and Prevention). An ADP system protects against anomalies based on violations of protocol standards (RFCs – Requests for Comments) a[...]

  • Page 290

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 290 Figure 172 SECURITY > IDP > Anomaly The following table describes the labels in this screen. Table 83 SECURITY > IDP > Anomaly LABEL DESCRIPTION Protocol Anomaly HTTP Inspection/TCP Decoder/UDP Decoder/ICMP Decoder Name This is the n[...]

  • Page 291

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 291 14.5 The Update Screen The ZyWALL comes with built-in signatures. These are updated as new intrusions evolve. Use the Update screen to immediately download or schedule new signature downloads. Note: You should have already registered the ZyWA[...]

  • Page 292

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 292 14.5.2 Configuring The IDP Update Screen When scheduling signature updates, you should choose a day and time when your network is least busy so as to minimize disruption to your network. Your custom signature configurations are not over-written[...]

  • Page 293

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 293 14.6 The Backup and Restore Screen Use the Backup & Restore screen to: • Back up IDP signatures with your custom configured settings. • Restore previously saved IDP signatures (with your custom configured settings). • Revert to the factor[...]

  • Page 294

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 294 Figure 174 SECURITY > IDP > Backup & Restore To back up IDP signatures, click Backup and then choose a location and filename for the IDP configuration set. To restore previously saved IDP signatures, type in the location where the prev[...]

  • Page 295

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 295 IDS and IDP An Intrusion Detection System (IDS) can detect suspicious activity, but does not take action against attacks. On the other hand, an IDP is a proactive defense mechanism designed to detect malicious packets within normal network traffic[...]

  • Page 296

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 296 SQL Slammer Worm W32.SQLExp.Worm is a worm that targets the systems running Microsoft SQL Server 2000, as well as Microsoft Desktop Engine (MSDE) 2000. The worm sends 376 bytes to UDP port 1434, the SQL Server Resolution Service Port. The worm h[...]

  • Page 297

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 297 W32/MyDoom-A is a worm that is spread by email. When the infected attachment is launched, the worm gathers e-mail addresses from address books and from files with the following extensions: WAB, TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL. W[...]

  • Page 298

    Chapter 14 Intrusion Detection and Prevention (IDP) Screens ZyWALL 5/35/70 Series User’s Guide 298[...]

  • Page 299

    ZyWALL 5/35/70 Series User’s Guide 299 CHAPTER 15 Anti-Virus Screens 15.1 Overview This section shows you how to configure the ZyWALL to scan files transmitted through the enabled interfaces into your network. As a network-based anti-virus scanner, the ZyWALL helps stop threats at the network edge before they reach the local host computers. [...]

  • Page 300

    Chapter 15 Anti-Virus Screens ZyWALL 5/35/70 Series User’s Guide 300 15.1.2 What You Need to Know About Antivirus Virus A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a self-replicating virus that resides in active memory and duplicates itself. The effect of a virus[...]

  • Page 301

    Chapter 15 Anti-Virus Screens ZyWALL 5/35/70 Series User’s Guide 301 • Simultaneous downloads of a file using multiple connections. For example, when you use FlashGet to download sections of a file simultaneously. • Encrypted traffic (such as on a VPN) or password-protected files. • Traffic through custom (non-standard) ports. • ZIP[...]

  • Page 302

    Chapter 15 Anti-Virus Screens ZyWALL 5/35/70 Series User’s Guide 302 Figure 176 SECURITY > ANTI-VIRUS > General The following table describes the labels in this screen. Table 85 SECURITY > ANTI-VIRUS > General LABEL DESCRIPTION General Setup Enable Anti-Virus Select this check box to check traffic for viruses. Enable ZIP File Sca[...]

  • Page 303

    Chapter 15 Anti-Virus Screens ZyWALL 5/35/70 Series User’s Guide 303 15.3 The Signature Screen Click SECURITY > ANTI-VIRUS > Signature to display this screen. Use this screen to locate signatures and manage how the ZyWALL uses them. Service This field displays the services for which the ZyWALL can scan traffic for viruses. Select a serv[...]

  • Page 304

    Chapter 15 Anti-Virus Screens ZyWALL 5/35/70 Series User’s Guide 304 Figure 177 SECURITY > ANTI-VIRUS > Signature: Query View The following table describes the labels in this screen. Table 86 SECURITY > ANTI-VIRUS > Signature: Query View LABEL DESCRIPTION Query Signatures Select the criteria on which to perform the search. Signat[...]

  • Page 305

    Chapter 15 Anti-Virus Screens ZyWALL 5/35/70 Series User’s Guide 305 15.3.1 Signature Search Example This example shows a search for signatures that are enabled, set to generate logs and alerts, send Windows messages and destroy the infected portion of the file. Figure 178 Query Example Search Criteria Configure Signatures The signature searc[...]

  • Page 306

    Chapter 15 Anti-Virus Screens ZyWALL 5/35/70 Series User’s Guide 306 Figure 179 Query Example Search Results 15.4 The Update Screen The ZyWALL comes with built-in signatures created by the ZyXEL Security Response Team (ZSRT). These are regularly updated as new intrusions evolve. Use the Update screen to immediately download or schedule new[...]

  • Page 307

    Chapter 15 Anti-Virus Screens ZyWALL 5/35/70 Series User’s Guide 307 15.4.1 mySecurityZone mySecurityZone is a web portal that provides all security-related information such as intrusion and anti-virus information for ZyXEL security products. You should have already registered your ZyWALL on myZyXEL.com at: http://www.myzyxel.com/myzyxel/.[...]

  • Page 308

    Chapter 15 Anti-Virus Screens ZyWALL 5/35/70 Series User’s Guide 308 The following table describes the labels in this screen. LABEL DESCRIPTION Signature Information Current Pattern Version This field displays the signatures version number currently used by the ZyWALL. This number is defined by the ZyXEL Security Response Team (ZSRT) w[...]

  • Page 309

    Chapter 15 Anti-Virus Screens ZyWALL 5/35/70 Series User’s Guide 309 15.5 The Backup and Restore Screen Click ANTI-VIRUS > Backup & Restore. The screen displays as shown next. You can change the pre-defined Active, Log, Alert, Send Windows Message and/or Destroy File settings of individual signatures. Figure 181 SECURITY > ANTI-V[...]

  • Page 310

    Chapter 15 Anti-Virus Screens ZyWALL 5/35/70 Series User’s Guide 310 15.6 Technical Reference Types of Computer Viruses The following table describes some of the common computer viruses. Computer Virus Infection and Prevention The following describes a simple life cycle of a computer virus. 1 A computer gets a copy of a virus from a source suc[...]

  • Page 311

    Chapter 15 Anti-Virus Screens ZyWALL 5/35/70 Series User’s Guide 311 A network-based anti-virus (NAV) scanner is often deployed as a dedicated security device (such as your ZyWALL) on the network edge. NAV scanners inspect real-time data traffic (such as E-mail messages or web) that tends to bypass HAV scanners. The following lists some o[...]

  • Page 312

    Chapter 15 Anti-Virus Screens ZyWALL 5/35/70 Series User’s Guide 312[...]

  • Page 313

    ZyWALL 5/35/70 Series User’s Guide 313 CHAPTER 16 Anti-Spam Screens 16.1 Overview The ZyWALL’s anti-spam feature identifies unsolicited commercial or junk e-mail (spam). You can set the ZyWALL to mark or discard spam. The ZyWALL can use an anti-spam external database to help identify spam. Use the whitelist to identify legitimate e-ma[...]

  • Page 314

    Chapter 16 Anti-Spam Screens ZyWALL 5/35/70 Series User’s Guide 314 16.1.2 What You Need to Know About Antispam MIME Headers MIME (Multipurpose Internet Mail Extensions) allows varied media types to be used in e-mail. MIME headers describe an e-mail’s content encoding and type. For example, it may show which program generated the[...]

  • Page 315

    Chapter 16 Anti-Spam Screens ZyWALL 5/35/70 Series User’s Guide 315 SpamBulk Engine The e-mail fingerprint ID that the ZyWALL generates and sends to the anti-spam external database only includes the parts of the e-mail that are the most difficult for spammers (senders of spam) to change or fake. The anti-spam external database maintains a d[...]

  • Page 316

    Chapter 16 Anti-Spam Screens ZyWALL 5/35/70 Series User’s Guide 316 The anti-spam external database checks for spoofing of e-mail attributes (like the IP address) and uses statistical analysis to detect phishing. Click SECURITY > ANTI-SPAM to open the Anti-Spam General screen. The following screen appears. Figure 183 SECURITY > ANTI-[...]

  • Page 317

    Chapter 16 Anti-Spam Screens ZyWALL 5/35/70 Series User’s Guide 317 From, To Select the directions of travel of packets that you want to check. Select or clear a row or column’s first check box (with the interface label) to select or clear the interface’s whole row or column. You could for example have the ZyWALL check packets traveling[...]

  • Page 318

    Chapter 16 Anti-Spam Screens ZyWALL 5/35/70 Series User’s Guide 318 16.3 The External DB Screen Click SECURITY > ANTI-SPAM > External DB to display the Anti-Spam External DB screen. Use this screen to enable or disable the use of the anti-spam external database. You can also configure the spam threshold and what to do when no valid[...]

  • Page 319

    Chapter 16 Anti-Spam Screens ZyWALL 5/35/70 Series User’s Guide 319 Figure 184 SECURITY > ANTI-SPAM > External DB The following table describes the labels in this screen. Table 89 SECURITY > ANTI-SPAM > External DB LABEL DESCRIPTION External Database Enable External Database Enable the anti-spam external database feature to have t[...]

  • Page 320

    Chapter 16 Anti-Spam Screens ZyWALL 5/35/70 Series User’s Guide 320 16.4 The Lists Screen Click SECURITY > ANTI-SPAM > Lists to display the Anti-Spam Lists screen. Configure the whitelist to identify legitimate e-mail. Configure the blacklist to identify spam e-mail. You can create whitelist or blacklist entries based on the sen[...]

  • Page 321

    Chapter 16 Anti-Spam Screens ZyWALL 5/35/70 Series User’s Guide 321 Figure 185 SECURITY > ANTI-SPAM > Lists The following table describes the labels in this screen. Table 90 SECURITY > ANTI-SPAM > Lists LABEL DESCRIPTION Resource Usage Whitelist & Blacklist Storage Space in Use This bar displays the percentage of the ZyWALL’[...]

  • Page 322

    Chapter 16 Anti-Spam Screens ZyWALL 5/35/70 Series User’s Guide 322 16.5 Anti-Spam Lists Edit Screen Click SECURITY > ANTI-SPAM > Lists to display the Anti-Spam Lists screen. Use this screen to configure an anti-spam whitelist entry to identify legitimate e-mail or a blacklist entry to identify spam e-mail. You can create entries b[...]

  • Page 323

    Chapter 16 Anti-Spam Screens ZyWALL 5/35/70 Series User’s Guide 323 The following table describes the labels in this screen. Table 91 SECURITY > ANTI-SPAM > Lists > Edit LABEL DESCRIPTION Rule Edit Active Turn this entry on to have the ZyWALL use it as part of the whitelist or blacklist. You must also turn on the use of the corres[...]

  • Page 324

    Chapter 16 Anti-Spam Screens ZyWALL 5/35/70 Series User’s Guide 324 16.6 Technical Reference The anti-spam external database uses the following spam detection engines in checking each e-mail. • SpamBulk: This engine identifies e-mail that has been sent in bulk or is similar to e-mail that is sent in bulk. • SpamRepute: This engine chec[...]

  • Page 325

    Chapter 16 Anti-Spam Screens ZyWALL 5/35/70 Series User’s Guide 325 SpamContent Engine The SpamContent engine examines the e-mail’s content to decide if it would generally be considered offensive. The vocabulary design, format and layout are considered as part of thousands of checks on message attributes that include the following. • T [...]

  • Page 326

    Chapter 16 Anti-Spam Screens ZyWALL 5/35/70 Series User’s Guide 326[...]

  • Page 327

    ZyWALL 5/35/70 Series User’s Guide 327 CHAPTER 17 Content Filtering Screens 17.1 Overview Content filtering allows you to block certain web features, such as cookies, and/or block access to specific websites. With content filtering, you can do the following: • Restrict web features. The ZyWALL can block web features such as ActiveX contro[...]

  • Page 328

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 328 Figure 187 Content Filtering Lookup Procedure 1 A computer behind the ZyWALL tries to access a web site. 2 The ZyWALL looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site’s category will be in th[...]

  • Page 329

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 329 Use the REGISTRATION screens (see Chapter 6 on page 141) to create a myZyXEL.com account, register your device and activate the external content filtering service. Figure 188 SECURITY > CONTENT FILTER > General The following table describes the labels in this scr[...]

  • Page 330

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 330 Matched Web Pages Select Block to prevent users from accessing web pages that match the categories that you select below. When external database content filtering blocks access to a web page, it displays the denied access message that you configured in the CONTENT [...]

  • Page 331

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 331 17.3 The Policy Screen Click SECURITY > CONTENT FILTER > Policy to display the following screen. Use this screen to configure content filtering policies on your ZyWALL. You may find that a web site has not been accurately categorized or that a web site’s c[...]

  • Page 332

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 332 The following table describes the labels in this screen. 17.4 Content Filter Policy: General Click SECURITY > CONTENT FILTER > Policy and use the Insert button or a policy’s general icon to display the following screen. Use this screen to restrict web feature[...]

  • Page 333

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 333 Figure 190 SECURITY > CONTENT FILTER > Policy > General The following table describes the labels in this screen. Table 94 SECURITY > CONTENT FILTER > Policy > General LABEL DESCRIPTION Active Select this option to turn on the content filter policy. P[...]

  • Page 334

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 334 17.5 Content Filter Policy: External Database Click SECURITY > CONTENT FILTER > Policy and then a policy’s external database icon to display the following screen. Use this screen to edit which content categories the content filter policy blocks. Figure 191 S[...]

  • Page 335

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 335 The following table describes the labels in this screen. Table 95 SECURITY > CONTENT FILTER > Policy > External Database LABEL DESCRIPTION Policy Name This is the name of the content filter policy that you are configuring. Active Select this option to apply ca[...]

  • Page 336

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 336 Gambling Selecting this category excludes pages where a user can place a bet or participate in a betting pool (including lotteries) online. It also includes pages that provide information, assistance, recommendations, or training on placing bets or participating in game[...]

  • Page 337

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 337 Education Selecting this category excludes pages that offer educational information, distance learning and trade school information or programs. It also includes pages that are sponsored by schools, educational facilities, faculty, or alumni groups. Cultural/Charitable O[...]

  • Page 338

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 338 Spyware/Malware Sources Selecting this category excludes pages which distribute spyware and other malware. Spyware is defined as software which takes control of your computer, modifies computer settings, collects or reports personal information, or misrepresents its[...]

  • Page 339

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 339 Religion Selecting this category excludes pages that promote and provide information on conventional or unconventional religious or quasi-religious subjects, as well as churches, synagogues, or other houses of worship. It does not include pages containing alternative[...]

  • Page 340

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 340 Travel Selecting this category excludes pages that promote or provide opportunity for travel planning, including finding and making travel reservations, vehicle rentals, descriptions of travel destinations, or promotions for hotels or casinos. Vehicles Selecti[...]

  • Page 341

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 341 17.6 Content Filter Policy: Customization Click SECURITY > CONTENT FILTER > Policy and then a policy’s customization icon to display the following screen. Use this screen to select good (allowed) web site addresses for this policy and bad (blocked) web site addr[...]

  • Page 342

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 342 The following table describes the labels in this screen. 17.7 Content Filter Policy: Schedule Click SECURITY > CONTENT FILTER > Policy and then a policy’s schedule icon to display the following screen. Use this screen to set for which days and times the policy [...]

  • Page 343

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 343 Figure 193 SECURITY > CONTENT FILTER > Policy > Schedule The following table describes the labels in this screen. 17.8 Content Filter Object Click SECURITY > CONTENT FILTER > Object to display the following screen. Table 97 SECURITY > CONTENT FILTE[...]

  • Page 344

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 344 Use this screen to configure a list of allowed web site addresses for this policy and a list of blocked web site addresses. You can also block web sites based on whether the web site’s address contains a keyword. Use this screen to add or remove specific sites or keyw[...]

  • Page 345

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 345 The following table describes the labels in this screen. Table 98 SECURITY > CONTENT FILTER > Object LABEL DESCRIPTION Trusted Web Sites These are sites that you want to allow access to, regardless of their content rating, can be allowed by adding them to this [...]

  • Page 346

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 346 17.9 Content Filtering Cache Click SECURITY > CONTENT FILTER > Cache to display the CONTENT FILTER Cache screen. Use this screen to view and configure your ZyWALL’s URL caching. You can also configure how long a categorized web site address remains in the c[...]

  • Page 347

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 347[...]

  • Page 348

    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User’s Guide 348[...]

  • Page 349

    ZyWALL 5/35/70 Series User’s Guide 349 CHAPTER 18 Content Filtering Reports 18.1 Overview This chapter describes how to view content filtering reports after you have activated the category-based content filtering subscription service. See Chapter 6 on page 141 on how to create a myZyXEL.com account, register your device and activate the subscr[...]

  • Page 350

    Chapter 18 Content Filtering Reports ZyWALL 5/35/70 Series User’s Guide 350 Figure 196 myZyXEL.com: Login 3 A welcome screen displays. Click your ZyWALL’s model name and/or MAC address under Registered ZyXEL Products. You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 1[...]

  • Page 351

    Chapter 18 Content Filtering Reports ZyWALL 5/35/70 Series User’s Guide 351 Figure 198 myZyXEL.com: Service Management 5 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 198 on page 351). Type your myZyXEL.com account password in the Password [...]

  • Page 352

    Chapter 18 Content Filtering Reports ZyWALL 5/35/70 Series User’s Guide 352 Figure 200 Content Filtering Reports Main Screen 8 Select items under Global Reports or Single User Reports to view the corresponding reports. Figure 201 Blue Coat: Report Home 9 Select a time period in the Date Range field, either Allowed or Blocked in the Action Tak [...]

  • Page 353

    Chapter 18 Content Filtering Reports ZyWALL 5/35/70 Series User’s Guide 353 Figure 202 Global Report Screen Example 11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.[...]

  • Page 354

    Chapter 18 Content Filtering Reports ZyWALL 5/35/70 Series User’s Guide 354 Figure 203 Requested URLs Example 18.4 Web Site Submission You may find that a web site has not been accurately categorized or that a web site’s contents have changed and the content filtering category needs to be updated. Use the following procedure to submit the[...]

  • Page 355

    Chapter 18 Content Filtering Reports ZyWALL 5/35/70 Series User’s Guide 355 Figure 204 Web Page Review Process Screen 3 Type the web site’s URL in the field and click Submit to have the web site reviewed.[...]

  • Page 356

    Chapter 18 Content Filtering Reports ZyWALL 5/35/70 Series User’s Guide 356[...]

  • Page 357

    ZyWALL 5/35/70 Series User’s Guide 357 CHAPTER 19 IPSec VPN 19.1 Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport traffic over the [...]

  • Page 358

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 358 • Use the VPN Global Setting screen (see Section 19.10 on page 379) to change settings that apply to all of your VPN tunnels. 19.1.2 What You Need to Know About IPSec VPN An IPSec VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a[...]

  • Page 359

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 359 Figure 207 Gateway and Network Policies This figure helps explain the main fields in the VPN setup. Figure 208 IPSec Fields Summary Negotiation Mode It takes several steps to establish an IKE SA. The negotiation mode determines the number of steps to use. There are two negotiation mode[...]

  • Page 360

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 360 You can usually provide a static IP address or a domain name for the ZyWALL. Sometimes, your ZyWALL might also offer another alternative, such as using the IP address of a port or interface. You can usually provide a static IP address or a domain name for the remote IPSec router as [...]

  • Page 361

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 361 19.3 The VPN Rules (IKE) Gateway Policy Edit Screen In the VPN Rule (IKE) screen, click the add gateway policy ( ) icon or the edit ( ) icon to display the VPN-Gateway Policy-Edit screen. Gateway Policies The first row of each VPN rule represents the gateway policy. The gateway polic[...]

  • Page 362

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 362 Use this screen to configure a VPN gateway policy. The gateway policy identifies the IPSec routers at either end of a VPN tunnel (My ZyWALL and Remote Gateway) and specifies the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA. Figure 210 SECURITY [...]

  • Page 363

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 363 The following table describes the labels in this screen. Table 101 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy LABEL DESCRIPTION Property Name Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyW[...]

  • Page 364

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 364 Fall back to Primary Remote Gateway when possible Select this to have the ZyWALL change back to using the primary remote gateway if the connection becomes available again. Fall Back Check Interval* Set how often the ZyWALL should check the connection to the primary remote gateway w[...]

  • Page 365

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 365 Peer ID Type Select from the following when you set Authentication Key to Pre-shared Key. Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name. Select E-mail to identify the remote IPSec router by an e-mail[...]

  • Page 366

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 366 Server Mode Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection. You must also configure the extended authentication clients’ usernames and passwords in the authentication server’s local user database or a RADI[...]

  • Page 367

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 367 19.4 The Network Policy Edit Screen Click SECURITY > VPN and the add network policy ( ) icon or a network policy’s edit icon in the VPN Rules (IKE) screen to display the VPN-Network Policy-Edit screen. Use this screen to configure a network policy. A network policy identifies[...]

  • Page 368

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 368 Figure 211 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy[...]

  • Page 369

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 369 The following table describes the labels in this screen. Table 102 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy LABEL DESCRIPTION Active If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel. Clear the Active check box [...]

  • Page 370

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 370 Port Forwarding Rules If you are configuring a Many-to-One rule, click this button to go to a screen where you can configure port forwarding for your VPN tunnels. The VPN network policy port forwarding rules let the ZyWALL forward traffic coming in through the VPN tunnel to the appropr[...]

  • Page 371

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 371 Ending IP Address/Subnet Mask When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address, in a range of computers on the LAN behind your ZyWALL. When the Address[...]

  • Page 372

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 372 19.5 The Network Policy Edit: Port Forwarding Screen Click SECURITY > VPN and the add network policy ( ) icon in the VPN Rules (IKE) screen to display the VPN-Network Policy-Edit screen. Then, under Virtual Address Mapping Rule, select Many-to-One as the Type and click the Port[...]

  • Page 373

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 373 Figure 212 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding The following table describes the labels in this screen. Table 103 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding LABEL DESCRIPTION Default Server In ad[...]

  • Page 374

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 374 19.6 The Network Policy Move Screen Click the move ( ) icon in the VPN Rules (IKE) screen to display the VPN Rules (IKE): Network Policy Move screen. A VPN (Virtual Private Network) tunnel gives you a secure connection to another computer or network. Each VPN tunnel uses a single gatew[...]

  • Page 375

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 375 19.7 The VPN Rules (Manual) Screen Refer to Figure 208 on page 359 for a graphical representation of the fields in the web configurator. Click SECURITY > VPN > VPN Rules (Manual) to open the VPN Rules (Manual) screen. Use this screen to manage the ZyWALL’s list of VPN rules [...]

  • Page 376

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 376 19.8 The VPN Rules (Manual): Edit Screen Click the Add button or the edit icon on the VPN Rules (Manual) screen to open the following screen. Use this screen to configure VPN rules that use manual keys. Manual key management is useful if you have problems with IKE key management. Se[...]

  • Page 377

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 377 The following table describes the labels in this screen. Table 106 SECURITY > VPN > VPN Rules (Manual) > Edit LABEL DESCRIPTION Property Active Select this check box to activate this VPN policy. Name Type up to 32 characters to identify this VPN policy. You may use any cha[...]

  • Page 378

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 378 Ending IP Address/Subnet Mask When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address, in a range of computers on the network behind the remote IPSec router. [...]

  • Page 379

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 379 19.9 The VPN SA Monitor Screen In the web configurator, click SECURITY > VPN > SA Monitor. Use this screen to display and manage active VPN connections. A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This screen displays activ[...]

  • Page 380

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 380 Local and Remote IP Address Conflict Resolution Normally, you do not configure your local VPN policy rule’s IP addresses to overlap with the remote VPN policy rule’s IP addresses. For example, you usually would not configure both with 192.168.1.0. However, overlapping local a[...]

  • Page 381

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 381 Figure 218 Overlap in IP Alias and VPN Remote Networks In this case, if you want to send packets from network A to an overlapped IP (ex. 10.1.2.241) that is in the IP alias network M, you have to set Local and Remote IP Address Conflict Resolution to The Local Network. Figure 219 SEC[...]

  • Page 382

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 382 19.11 Telecommuter VPN/IPSec Examples The following examples show how multiple telecommuters can make VPN connections to a single ZyWALL at headquarters. The telecommuters use IPSec routers with dynamic WAN IP addresses. The ZyWALL at headquarters has a static public IP address. Ga[...]

  • Page 383

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 383 19.11.1 Telecommuters Sharing One VPN Rule Example See the following figure and table for an example configuration that allows multiple telecommuters (A, B and C in the figure) to use one VPN rule to simultaneously access a ZyWALL at headquarters (HQ in the figure). The telecommu[...]

  • Page 384

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 384 See the following table and figure for an example where three telecommuters each use a different VPN rule for a VPN connection with a ZyWALL located at headquarters. The ZyWALL at headquarters (HQ in the figure) identifies each incoming SA by its ID type and content and uses the app[...]

  • Page 385

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 385 19.12 VPN and Remote Management You can allow someone to use a service (like Telnet or HTTP) through a VPN tunnel to manage the ZyWALL. One of the ZyWALL’s ports must be part of the VPN rule’s local network. This can be the ZyWALL’s LAN port if you do not want to allow rem[...]

  • Page 386

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 386 Figure 223 VPN Topologies Hub-and-spoke VPN reduces the number of VPN connections that you have to set up and maintain in the network. Small office or telecommuter IPSec routers that support a limited number of VPN tunnels are also able to use VPN to connect to more networks. Hub[...]

  • Page 387

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 387 Figure 224 Hub-and-spoke VPN Example 19.13.2 Hub-and-spoke Example VPN Rule Addresses The VPN rules for this hub-and-spoke example would use the following address settings. Branch Office A: • Remote Gateway: 10.0.0.1 • Local IP address: 192.168.167.0/255.255.255.0 • Remote IP a[...]

  • Page 388

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 388 • The hub router must have at least one separate VPN rule for each spoke. In the local IP address, specify the IP addresses of the hub-and-spoke networks with which the spoke is to be able to have a VPN tunnel. This may require you to use more than one VPN rule. • If you want to [...]

  • Page 389

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 389 Diffie-Hellman (DH) Key Exchange The ZyWALL and the remote IPSec router use a DH key exchange to establish a shared secret, which is used to generate encryption keys for IKE SA and IPSec SA. In main mode, the DH key exchange is done in steps 3 and 4, as illustrated below. Figure [...]

  • Page 390

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 390 The ZyWALL and the remote IPSec router each has its own identity, so each one must store two sets of information, one for itself and one for the other router. Local ID type and ID content refers to the ID type and ID content that applies to the router itself, and peer ID type and ID c[...]

  • Page 391

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 391 You must set up the certificates for the ZyWALL and remote IPSec router before you can use certificates in IKE SA. See Chapter 20 on page 399 for more information about certificates. Extended Authentication Extended authentication is often used when multiple IPSec routers use[...]

  • Page 392

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 392 VPN, NAT, and NAT Traversal In the following example, there is another router (A) between router X and router Y. Figure 228 VPN/NAT Example If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and router Y try to establish a VPN tunnel, th[...]

  • Page 393

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 393 You can configure a remote network as 0.0.0.0 (any) when: • Forwarding all outgoing traffic to the remote gateway. • The remote network's addresses are unknown or there are many remote networks using one VPN rule (see Section 19.11.1 on page 383 for an example of telecommut[...]

  • Page 394

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 394 Figure 229 Virtual Mapping of Local and Remote Network IP Addresses Computers on network X use IP addresses 192.168.1.2 to 192.168.1.4 to access local network devices and IP addresses 172.21.2.2 to 172.21.2.27 to access the remote network devices. Computers on network Y use IP addre[...]

  • Page 395

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 395 In tunnel mode, the ZyWALL uses the active protocol to encapsulate the entire IP packet. As a result, there are two IP headers: • Outside header: The outside IP header contains the IP address of the ZyWALL or remote IPSec router, whichever is the destination. • Inside header: T[...]

  • Page 396

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 396 Additional IPSec VPN Topics This section discusses other IPSec VPN topics that apply to either IKE SAs or IPSec SAs or both. Relationships between the topics are also highlighted. SA Life Time SAs have a lifetime that specifies how long the SA lasts until it times out. When an SA time[...]

  • Page 397

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 397 Figure 231 IPSec High Availability When setting up an IPSec high availability VPN tunnel, the remote IPSec router: • Must have multiple WAN connections • Only needs one corresponding IPSec rule • Should only have IPSec high availability settings in its corresponding IPSec rul[...]

  • Page 398

    Chapter 19 IPSec VPN ZyWALL 5/35/70 Series User’s Guide 398[...]

  • Page 399

    ZyWALL 5/35/70 Series User’s Guide 399 CHAPTER 20 Certificates 20.1 Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for u[...]

  • Page 400

    Chapter 20 Certificates ZyWALL 5/35/70 Series User’s Guide 400 The ZyWALL uses certificates based on public-key cryptology to authenticate users attempting to establish a connection. The method used to secure the data that you send through an established connection depends on the type of connection. For example, a VPN tunnel might use the t[...]

  • Page 401

    Chapter 20 Certificates ZyWALL 5/35/70 Series User’s Guide 401 Figure 233 Certificate Details 4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS [...]

  • Page 402

    Chapter 20 Certificates ZyWALL 5/35/70 Series User’s Guide 402 Figure 234 SECURITY > CERTIFICATES > My Certificates The following table describes the labels in this screen. Table 113 SECURITY > CERTIFICATES > My Certificates LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’s PKI stor[...]

  • Page 403

    Chapter 20 Certificates ZyWALL 5/35/70 Series User’s Guide 403 20.2.1 The My Certificate Details Screen Click SECURITY > CERTIFICATES > My Certificates to open the My Certificates screen (see Figure 234 on page 402). Click the details icon to open the My Certificate Details screen. You can use this screen to view in-depth certificate [...]

  • Page 404

    Chapter 20 Certificates ZyWALL 5/35/70 Series User’s Guide 404 Figure 235 SECURITY > CERTIFICATES > My Certificates > Details The following table describes the labels in this screen. Table 114 SECURITY > CERTIFICATES > My Certificates > Details LABEL DESCRIPTION Name This field displays the identifying name of this certi[...]

  • Page 405

    Chapter 20 Certificates ZyWALL 5/35/70 Series User’s Guide 405 Issuer This field displays identifying information about the certificate’s issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same as the Subject Name field. Signature Algorithm Thi[...]

  • Page 406

    Chapter 20 Certificates ZyWALL 5/35/70 Series User’s Guide 406 20.3 The My Certificate Export Screen Click SECURITY > CERTIFICATES > My Certificates and then a certificate’s export icon to open the My Certificate Export screen. Follow the instructions in this screen to choose the file format to use for saving the certificate from the[...]

  • Page 407

    Chapter 20 Certificates ZyWALL 5/35/70 Series User’s Guide 407 20.4 The My Certificate Import Screen You can only import a certificate that matches a corresponding certification request that was generated by the ZyWALL (the certification request contains the private key). The certificate you import replaces the corresponding request in the M[...]

  • Page 408

    Chapter 20 Certificates ZyWALL 5/35/70 Series User’s Guide 408 Figure 237 SECURITY > CERTIFICATES > My Certificates > Import The following table describes the labels in this screen. When you import a binary PKCS#12 format certificate, another screen displays for you to enter the password. Figure 238 SECURITY > CERTIFICATES > My [...]

  • Page 409

    Chapter 20 Certificates ZyWALL 5/35/70 Series User’s Guide 409 20.5 The My Certificate Create Screen Click SECURITY > CERTIFICATES > My Certificates > Create to open the My Certificate Create screen. Use this screen to have the ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a[...]

  • Page 410

    Chapter 20 Certificates ZyWALL 5/35/70 Series User’s Guide 410 Figure 240 SECURITY > CERTIFICATES > My Certificates > Create (Advanced) The following table describes the labels in this screen. Table 118 SECURITY > CERTIFICATES > My Certificates > Create LABEL DESCRIPTION Certificate Name Type up to 31 ASCII characters (no[...]

  • Page 411

    Chapter 20 Certificates ZyWALL 5/35/70 Series User’s Guide 411 Common Name Select a radio button to identify the certificate’s owner by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided. The domain name or e-mail address can be up to 31 ASCII ch[...]

  • Page 412

    Chapter 20 Certificates ZyWALL 5/35/70 Series User’s Guide 412 Subject Alternative Name Select a radio button to identify the certificate’s owner by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided. The domain name or e-mail address can be up t[...]

  • Page 413

    Chapter 20 Certificates ZyWALL 5/35/70 Series User’s Guide 413 • After you click Apply in the My Certificate Create screen, you see a screen that tells you the ZyWALL is generating the self-signed certificate or certification request. • After the ZyWALL successfully enrolls a certificate or generates a certification request or a self-si[...]

  • Page 414

    Chapter 20 Certificates ZyWALL 5/35/70 Series User’s Guide 414 Figure 241 SECURITY > CERTIFICATES > Trusted CAs The following table describes the labels in this screen. Table 119 SECURITY > CERTIFICATES > Trusted CAs LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’s PKI storage spac[...]

  • Page 415

    Chapter 20 Certificates ZyWALL 5/35/70 Series User’s Guide 415 20.7 The Trusted CA Details Screen Click SECURITY > CERTIFICATES > Trusted CAs to open the Trusted CAs screen. Click the details icon to open the Trusted CA Details screen. Use this screen to view in-depth information about the certification authority’s certificate,[...]

  • Page 416

    Chapter 20 Certificates ZyWALL 5/35/70 Series User’s Guide 416 Figure 242 SECURITY > CERTIFICATES > Trusted CAs > Details The following table describes the labels in this screen. Table 120 SECURITY > CERTIFICATES > Trusted CAs > Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. [...]

  • Page 417

    Chapter 20 Certificates ZyWALL 5/35/70 Series User’s Guide 417 Certification Path Click the Refresh button to have this read-only text box display the end entity’s certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity’s certificate. If the issuin[...]

  • Page 418

    Chapter 20 Certificates ZyWALL 5/35/70 Series User’s Guide 418 20.8 The Trusted CA Import Screen Click SECURITY > CERTIFICATES > Trusted CAs to open the Trusted CAs screen and then click Import to open the Trusted CA Import screen. Follow the instructions in this screen to save a trusted certification authority’s certificate fro[...]

  • Page 419

    Chapter 20 Certificates ZyWALL 5/35/70 Series User’s Guide 419 Figure 243 SECURITY > CERTIFICATES > Trusted CAs > Import The following table describes the labels in this screen. 20.9 The Trusted Remote Hosts Screen Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen. This screen disp[...]

  • Page 420

    Chapter 20 Certificates ZyWALL 5/35/70 Series User’s Guide 420 Figure 244 SECURITY > CERTIFICATES > Trusted Remote Hosts The following table describes the labels in this screen. Table 122 SECURITY > CERTIFICATES > Trusted Remote Hosts LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’[...]

  • Page 421

    Chapter 20 Certificates ZyWALL 5/35/70 Series User’s Guide 421 20.10 The Trusted Remote Hosts Import Screen Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen. You may have peers with certificates that you want to trust, but[...]

  • Page 422

    Chapter 20 Certificates ZyWALL 5/35/70 Series User’s Guide 422 20.11 The Trusted Remote Host Certificate Details Screen Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen. Click the details icon to open the Trusted Remote Host Details screen. You can use this screen to view in-depth inform[...]

  • Page 423

    Chapter 20 Certificates ZyWALL 5/35/70 Series User’s Guide 423 The following table describes the labels in this screen. Table 124 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to[...]

  • Page 424

    Chapter 20 Certificates ZyWALL 5/35/70 Series User’s Guide 424 20.12 The Directory Servers Screen Click SECURITY > CERTIFICATES > Directory Servers to open the Directory Servers screen. This screen displays a summary list of directory servers (that contain lists of valid and revoked certificates) that have been saved into the ZyWALL.[...]

  • Page 425

    Chapter 20 Certificates ZyWALL 5/35/70 Series User’s Guide 425 The following table describes the labels in this screen. 20.13 The Directory Server Add or Edit Screen Click SECURITY > CERTIFICATES > Directory Servers to open the Directory Servers screen. Click Add (or the details icon) to open the Directory Server Add screen. Use this scre[...]

  • Page 426

    Chapter 20 Certificates ZyWALL 5/35/70 Series User’s Guide 426 The following table describes the labels in this screen. Table 126 SECURITY > CERTIFICATES > Directory Server > Add LABEL DESCRIPTION Directory Service Setting Name Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server. Access Protoco[...]

  • Page 427

    ZyWALL 5/35/70 Series User’s Guide 427 CHAPTER 21 Authentication Server Screens 21.1 Overview This chapter discusses how to configure the ZyWALL’s authentication server feature. A ZyWALL set to be a VPN extended authentication server can use either the local user database internal to the ZyWALL or an external RADIUS server for an unlimi[...]

  • Page 428

    Chapter 21 Authentication Server Screens ZyWALL 5/35/70 Series User’s Guide 428 21.2 The Local User Database Screen Click SECURITY > AUTH SERVER to open the Local User Database screen. The local user database is a list of user profiles stored on the ZyWALL. The ZyWALL can use this list of user profiles to authenticate users. Use this [...]

  • Page 429

    Chapter 21 Authentication Server Screens ZyWALL 5/35/70 Series User’s Guide 429 Figure 249 SECURITY > AUTH SERVER > Local User Database[...]

  • Page 430

    Chapter 21 Authentication Server Screens ZyWALL 5/35/70 Series User’s Guide 430 The following table describes the labels in this screen. 21.3 The RADIUS Screen Click SECURITY > AUTH SERVER > RADIUS to open the RADIUS screen. Configure this screen to use an external RADIUS server to authenticate users. Figure 250 SECURITY > AUTH SERVE[...]

  • Page 431

    Chapter 21 Authentication Server Screens ZyWALL 5/35/70 Series User’s Guide 431 Key Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the ZyWALL. The key is not sent over the network. This key must be the same on the external authentication server and ZyWALL. Accoun[...]

  • Page 432

    Chapter 21 Authentication Server Screens ZyWALL 5/35/70 Series User’s Guide 432[...]

  • Page 433

    433 PART IV Advanced Network Address Translation (NAT) (435) Static Route Screens (451) Policy Route Screens (457) Bandwidth Management Screens (465) DNS Screens (479) Remote Management Screens (491) UPnP Screens (519) Custom Application Screen (529) ALG Screen (531)[...]

  • Page 434

    434[...]

  • Page 435

    ZyWALL 5/35/70 Series User’s Guide 435 CHAPTER 22 Network Address Translation (NAT) 22.1 Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network is changed to a different IP address known within anoth[...]

  • Page 436

    Chapter 22 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 436 The following table summarizes the NAT mapping types. Port numbers do not change for One-to-One and Many-One-to-One NAT mapping types. SUA (Single User Account) Versus NAT SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that su[...]

  • Page 437

    Chapter 22 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 437 Figure 251 ADVANCED > NAT > NAT Overview The following table describes the labels in this screen. Table 130 ADVANCED > NAT > NAT Overview LABEL DESCRIPTION Global Settings Max. Concurrent Sessions This read-only field displays the highest number[...]

  • Page 438

    Chapter 22 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 438 22.3 The NAT Address Mapping Screen Click ADVANCED > NAT > Address Mapping to open the following screen. Use this screen to change your ZyWALL’s address mapping settings. Not all fields are available on all models. Ordering your rules is important be[...]

  • Page 439

    Chapter 22 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 439 Figure 252 ADVANCED > NAT > Address Mapping The following table describes the labels in this screen. Table 131 ADVANCED > NAT > Address Mapping LABEL DESCRIPTION SUA Address Mapping Rules This read-only table displays the default address mapping[...]

  • Page 440

    Chapter 22 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 440 22.3.1 NAT Address Mapping Edit Click the edit icon to display the NAT Address Mapping Edit screen. Use this screen to edit an address mapping rule. See Section 22.1 on page 435 for information on NAT and address mapping. Figure 253 ADVANCED > NAT > Ad[...]

  • Page 441

    Chapter 22 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 441 The following table describes the labels in this screen. 22.4 The Port Forwarding Screen A port forwarding set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though NAT makes [...]

  • Page 442

    Chapter 22 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 442 If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. 22.4.2 Port Forwarding: Services and Port Numbers The ZyWALL provides the additional saf[...]

  • Page 443

    Chapter 22 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 443 22.4.5 Port Translation The ZyWALL can translate the destination port number or a range of port numbers of packets coming from the WAN to another destination port number or range of port numbers on the local network. When you use port forwarding without po[...]

  • Page 444

    Chapter 22 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 444 The last port forwarding rule is reserved for Roadrunner services. The rule is activated only when you set the WAN Encapsulation to Ethernet and the Service Type to something other than Standard. Figure 256 ADVANCED > NAT > Port Forwarding The[...]

  • Pagina 445

    Chapter 22 Network Add ress Translatio n (NAT) ZyWALL 5/35/70 Series User’s Guide 445 22.5 The Port T riggering Screen Some services use a dedicated range of ports on the client side and a dedica ted range of ports on the server side. W ith regular port forwarding you set a forwarding port in NA T to forward a service (coming in from the server o[...]

  • Pagina 446

    Chapter 22 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 446 2 Port 7070 is a “trigger” port and causes th e ZyW ALL to record Jane’ s computer IP address. The ZyW ALL associates Jane's c omput er IP address with the "incoming" port range of 6970-7170. 3 The Real Audio server resp on ds using a port num[...]

  • Pagina 447

    Chapter 22 Network Add ress Translatio n (NAT) ZyWALL 5/35/70 Series User’s Guide 447 22.6 T echnical Reference This technical reference cont ains the following sections: • Inside/outside and Global/local • What NA T Does • How NA T W orks • NA T Application • Port Restricted Cone NA T Inside/out side and Global/local Inside/outside den[...]

  • Pagina 448

    Chapter 22 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 448 What NA T Does In the simplest form, NA T changes the sour ce IP address in a packet received from a subscriber (the inside local address) to anothe r (the inside global address) before forwarding the packet to the W AN side. When the respon se comes back, NA T tr[...]

  • Pagina 449

    Chapter 22 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 449 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter. Figure [...]

  • Page 450

    Chapter 22 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 450 Figure 261 Port Restricted Cone NAT Example[...]

  • Page 451

    ZyWALL 5/35/70 Series User’s Guide 451 CHAPTER 23 Static Route Screens 23.1 Overview This chapter shows you how to configure static routes for your ZyWALL. The ZyWALL usually uses the default gateway to route outbound traffic from local computers to the Internet. To have the ZyWALL send data to devices not reachable through the default ga[...]

  • Page 452

    Chapter 23 Static Route Screens ZyWALL 5/35/70 Series User’s Guide 452 • Use the IP Static Route Edit screen (Section 23.2.1 on page 454) to configure the required information for a static route. 23.2 The IP Static Route Screen Click ADVANCED > STATIC ROUTE to open the IP Static Route screen (some of the screen’s blank rows are[...]

  • Page 453

    Chapter 23 Static Route Screens ZyWALL 5/35/70 Series User’s Guide 453 Figure 263 ADVANCED > STATIC ROUTE > IP Static Route The following table describes the labels in this screen. Table 135 ADVANCED > STATIC ROUTE > IP Static Route LABEL DESCRIPTION # This is the number of an individual static route. Name This is the name tha[...]

  • Page 454

    Chapter 23 Static Route Screens ZyWALL 5/35/70 Series User’s Guide 454 23.2.1 The IP Static Route Edit Screen Click the edit icon in the IP Static Route screen. The screen shown next appears. Use this screen to configure the required information for a static route. Figure 264 ADVANCED > STATIC ROUTE > IP Static Route > Edit The fol[...]

  • Page 455

    Chapter 23 Static Route Screens ZyWALL 5/35/70 Series User’s Guide 455 Private This parameter determines if the ZyWALL will include this route to a remote node in its RIP broadcasts. Select this check box to keep this route private and not included in RIP broadcasts. Clear this check box to propagate this route to other hosts through RIP br[...]

  • Page 456

    Chapter 23 Static Route Screens ZyWALL 5/35/70 Series User’s Guide 456[...]

  • Page 457

    ZyWALL 5/35/70 Series User’s Guide 457 CHAPTER 24 Policy Route Screens 24.1 Overview This chapter covers setting and applying policies used for IP routing. Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the[...]

  • Page 458

    Chapter 24 Policy Route Screens ZyWALL 5/35/70 Series User’s Guide 458 Routing Policy Individual routing policies are used as part of the overall IPPR process. A policy defines the matching criteria and the action to take when a packet meets the criteria. The action is taken only when all the criteria are met. The criteria include the sou[...]

  • Page 459

    Chapter 24 Policy Route Screens ZyWALL 5/35/70 Series User’s Guide 459 Figure 265 ADVANCED > POLICY ROUTE > Policy Route Summary The following table describes the labels in this screen. Table 137 ADVANCED > POLICY ROUTE > Policy Route Summary LABEL DESCRIPTION # This is the number of an individual policy route. Active This field[...]

  • Page 460

    Chapter 24 Policy Route Screens ZyWALL 5/35/70 Series User’s Guide 460 24.2.1 The Policy Route Edit Screen Click ADVANCED > POLICY ROUTE to open the Policy Route Summary screen. Then click the edit icon to open the Edit IP Policy Route screen. WAN 2 refers to either the physical WAN 2 port on the ZyWALL with multiple WAN ports or the [...]

  • Page 461

    Chapter 24 Policy Route Screens ZyWALL 5/35/70 Series User’s Guide 461 Figure 266 ADVANCED > POLICY ROUTE > Edit The following table describes the labels in this screen. Table 138 ADVANCED > POLICY ROUTE > Edit LABEL DESCRIPTION Criteria Active Select the check box to activate the policy. Rule Index This is the index number of th[...]

  • Page 462

    Chapter 24 Policy Route Screens ZyWALL 5/35/70 Series User’s Guide 462 Length Comparison Choose from Equal, Not Equal, Less, Greater, Less or Equal or Greater or Equal. Application Select a predefined application (FTP, H.323 or SIP) for the policy rule. If you do not want to use a predefined application, select Custom. You can al[...]

  • Page 463

    Chapter 24 Policy Route Screens ZyWALL 5/35/70 Series User’s Guide 463 Gateway Select User-Defined and enter the IP address of the gateway if you want to specify the IP address of the gateway. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination. The gateway must be a router on the same segment a[...]

  • Page 464

    Chapter 24 Policy Route Screens ZyWALL 5/35/70 Series User’s Guide 464[...]

  • Page 465

    ZyWALL 5/35/70 Series User’s Guide 465 CHAPTER 25 Bandwidth Management Screens 25.1 Overview Bandwidth management allows you to allocate an interface’s outgoing capacity to specific types of traffic. It can also help you make sure that the ZyWALL forwards certain types of traffic, such as Voice-over-IP (VoIP), with minimum delay. Bandwid[...]

  • Page 466

    Chapter 25 Bandwidth Management Screens ZyWALL 5/35/70 Series User’s Guide 466 Proportional Bandwidth Allocation Bandwidth management allows you to define how much bandwidth each class gets; however, the actual bandwidth allotted to each class decreases or increases in proportion to actual available bandwidth. Application-based Bandwidth [...]

  • Page 467

    Chapter 25 Bandwidth Management Screens ZyWALL 5/35/70 Series User’s Guide 467 25.1.4 Over Allotment of Bandwidth Example It is possible to set the bandwidth management speed for an interface higher than the interface’s actual transmission speed. Higher priority traffic gets to use up to its allocated bandwidth, even if it takes up a[...]

  • Page 468

    Chapter 25 Bandwidth Management Screens ZyWALL 5/35/70 Series User’s Guide 468 You can configure up to one bandwidth filter per bandwidth class. You can also configure bandwidth classes without bandwidth filters. However, it is recommended that you configure sub-classes with filters for any classes that you configure without filters. The ZyW [...]

  • Page 469

    Chapter 25 Bandwidth Management Screens ZyWALL 5/35/70 Series User’s Guide 469 The following table describes the labels in this screen. Table 141 ADVANCED > BW MGMT > Summary LABEL DESCRIPTION Class These read-only labels represent the physical interfaces. Select an interface’s check box to enable bandwidth management on that interfac[...]

  • Page 470

    Chapter 25 Bandwidth Management Screens ZyWALL 5/35/70 Series User’s Guide 470 25.2.1 Maximize Bandwidth Usage Example Here is an example of a ZyWALL that has maximize bandwidth usage enabled on an interface. The following table shows each bandwidth class’s bandwidth budget. The classes are set up based on subnets. The interface is set [...]

  • Page 471

    Chapter 25 Bandwidth Management Screens ZyWALL 5/35/70 Series User’s Guide 471 25.2.1.2 Fairness-based Allotment of Unused and Unbudgeted Bandwidth The following table shows the amount of bandwidth that each class gets. Suppose that all of the classes except for the administration class need more bandwidth. • Each class gets up to its budge[...]

  • Page 472

    Chapter 25 Bandwidth Management Screens ZyWALL 5/35/70 Series User’s Guide 472 Figure 269 ADVANCED > BW MGMT > Class Setup The following table describes the labels in this screen. Table 145 ADVANCED > BW MGMT > Class Setup LABEL DESCRIPTION Interface Select an interface for which you want to set up bandwidth management classes. [...]

  • Page 473

    Chapter 25 Bandwidth Management Screens ZyWALL 5/35/70 Series User’s Guide 473 25.4 Bandwidth Manager Class Configuration Configure a bandwidth management class in the Class Setup screen. You must use the Summary screen to enable bandwidth management on an interface before you can configure classes for that interface. Bandwidth Borrowing Ban[...]

  • Page 474

    Chapter 25 Bandwidth Management Screens ZyWALL 5/35/70 Series User’s Guide 474 Figure 270 ADVANCED > BW MGMT > Class Setup > Add Sub-Class The following table describes the labels in this screen. Table 146 ADVANCED > BW MGMT > Class Setup > Add Sub-Class LABEL DESCRIPTION Class Configuration Class Name Use the auto-generat[...]

  • Page 475

    Chapter 25 Bandwidth Management Screens ZyWALL 5/35/70 Series User’s Guide 475 Enable Bandwidth Filter Select Enable Bandwidth Filter to have the ZyWALL use this bandwidth filter when it performs bandwidth management. You must enter a value in at least one of the following fields (other than the Subnet Mask fields which are only available wh[...]

  • Page 476

    Chapter 25 Bandwidth Management Screens ZyWALL 5/35/70 Series User’s Guide 476 25.4.1 Bandwidth Borrowing Example Here is an example of bandwidth management with classes configured for bandwidth borrowing. The classes are set up based on departments and individuals within certain departments. Refer to the product specifications chapter to s[...]

  • Page 477

    Chapter 25 Bandwidth Management Screens ZyWALL 5/35/70 Series User’s Guide 477 • The Research Software and Hardware classes can both borrow unused bandwidth from the Research class because the Research Software and Hardware classes both have bandwidth borrowing enabled. • The Research Software and Hardware classes can also borrow unused b[...]

  • Page 478

    Chapter 25 Bandwidth Management Screens ZyWALL 5/35/70 Series User’s Guide 478 25.6 The Monitor Screen Click ADVANCED > BW MGMT > Monitor to open the following screen. Use this screen to view the device’s bandwidth usage and allotments. Figure 272 ADVANCED > BW MGMT > Monitor The following table describes the labels in this scre[...]

  • Page 479

    ZyWALL 5/35/70 Series User’s Guide 479 CHAPTER 26 DNS Screens 26.1 Overview This chapter shows you how to configure the DNS screens. DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you [...]

  • Page 480

    Chapter 26 DNS Screens ZyWALL 5/35/70 Series User’s Guide 480 3 You can manually enter the IP addresses of other DNS servers. These servers can be public or private. A DNS server could even be behind a remote IPSec router (see Section on page 480). Address Record An address record contains the mapping of a fully qualified domain name (FQDN[...]

  • Page 481

    Chapter 26 DNS Screens ZyWALL 5/35/70 Series User’s Guide 481 Figure 273 Private DNS Server Example Note: If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network. DDNS DDNS (Dynamic DNS) allows you to update your current dynamic IP addr[...]

  • Page 482

    Chapter 26 DNS Screens ZyWALL 5/35/70 Series User’s Guide 482 Figure 274 ADVANCED > DNS > System DNS The following table describes the labels in this screen. LABEL DESCRIPTION Address Record An address record specifies the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and i[...]

  • Page 483

    Chapter 26 DNS Screens ZyWALL 5/35/70 Series User’s Guide 483 26.2.1 The Add Address Record Screen Click Add in the System screen to open this screen. Use this screen to add an address record. An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. Configure address records about the ZyWALL itself or[...]

  • Page 484

    Chapter 26 DNS Screens ZyWALL 5/35/70 Series User’s Guide 484 The following table describes the labels in this screen. 26.2.2 The Insert Name Server Record Screen Click Insert in the System screen to open this screen. Use this screen to insert a name server record. A name server record contains a DNS server’s IP address. The ZyWALL can que[...]

  • Page 485

    Chapter 26 DNS Screens ZyWALL 5/35/70 Series User’s Guide 485 The following table describes the labels in this screen. 26.3 The DNS Cache Screen DNS cache is the temporary storage area where a router stores responses from DNS servers. When the ZyWALL receives a positive or negative response for a DNS query, it records the response in the DNS[...]

  • Page 486

    Chapter 26 DNS Screens ZyWALL 5/35/70 Series User’s Guide 486 Figure 277 ADVANCED > DNS > Cache The following table describes the labels in this screen. LABEL DESCRIPTION DNS Cache Setup Cache Positive DNS Resolutions Select the check box to record the positive DNS resolutions in the cache. Caching positive DNS resolutions helps speed u[...]

  • Page 487

    Chapter 26 DNS Screens ZyWALL 5/35/70 Series User’s Guide 487 26.4 The DHCP Screen Click ADVANCED > DNS > DHCP to open the DNS DHCP screen shown next. Use this screen to configure the DNS server information that the ZyWALL sends to its LAN, DMZ or WLAN DHCP clients. Figure 278 ADVANCED > DNS > DHCP The following table describes[...]

  • Page 488

    Chapter 26 DNS Screens ZyWALL 5/35/70 Series User’s Guide 488 26.5 The DDNS Screen First of all, you need to have registered a dynamic DNS account with www.dyndns.com. This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a domain name. The Dynamic DNS service provider will give you a password or ke[...]

  • Page 489

    Chapter 26 DNS Screens ZyWALL 5/35/70 Series User’s Guide 489 High Availability A DNS server maps a domain name to a port's IP address. If that WAN port loses its connection, high availability allows the router to substitute another port's IP address for the domain name mapping. 26.6 Configuring the Dynamic DNS Screen To change y[...]

  • Page 490

    Chapter 26 DNS Screens ZyWALL 5/35/70 Series User’s Guide 490 Domain Name 1~5 Enter the host names in these fields. DDNS Type Select the type of service that you are registered for from your Dynamic DNS service provider if you have selected WWW.DynDNS.COM. Select Dynamic if you have the Dynamic DNS service. Select Static if you have the S [...]

  • Page 491

    ZyWALL 5/35/70 Series User’s Guide 491 CHAPTER 27 Remote Management Screens 27.1 Overview This chapter provides information on the remote management screens. Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. The following figure shows secure and insecure manag[...]

  • Page 492

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 492 27.1.2 What You Need To Know About Remote Management Firewall Rules When you configure remote management to allow management from any network except the LAN, you still need to configure a firewall rule to allow access. See Chapter 13 on page 251 for details on config[...]

  • Page 493

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 493 27.2 HTTPS Example If you haven’t changed the default HTTPS port on the ZyWALL, then in your browser enter “https://ZyWALL IP Address/” as the web site address where “ZyWALL IP Address” is the IP address or domain name of the ZyWALL you wish to acc[...]

  • Page 494

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 494 Figure 282 Security Certificate 1 (Netscape) Figure 283 Security Certificate 2 (Netscape) 27.2.3 Avoiding the Browser Warning Messages The following describes the main reasons that your browser displays warnings about the ZyWALL’s HTTPS server certificate and w[...]

  • Page 495

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 495 6a Click REMOTE MGMT. Write down the name of the certificate displayed in the Server Certificate field. 6b Click CERTIFICATES. Find the certificate and check its Subject column. CN stands for certificate’s common name (see Figure 286 on page 496 for an ex[...]

  • Page 496

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 496 Figure 286 Device-specific Certificate Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate. You will then see this information in the My Certificates screen. Figure 287 Common ZyWALL Certificate 27.2.5 Enrolling and Importing SSL Cli[...]

  • Page 497

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 497 Figure 288 ZyWALL Trusted CA Screen The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s). 27.2.6 Installing the CA’s Certificate (Example) 1 Double c[...]

  • Page 498

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 498 Figure 289 CA Certificate Example 2 Click Install Certificate and follow the wizard as shown earlier in this appendix. 27.2.7 Installing Your Personal Certificate(s) (Example) You need a password in advance. The CA may issue the password or you may have to specif[...]

  • Page 499

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 499 Figure 290 Personal Certificate Import Wizard 1 2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 291 Personal Certificate I[...]

  • Page 500

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 500 Figure 292 Personal Certificate Import Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Figure 293 Personal Certificate Import Wizard 4 [...]

  • Page 501

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 501 Figure 294 Personal Certificate Import Wizard 5 6 You should see the following screen when the certificate is correctly installed on your computer. Figure 295 Personal Certificate Import Wizard 6 27.2.8 Using a Certificate When Accessing the ZyWALL (Example) [...]

  • Page 502

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 502 Figure 297 SSL Client Authentication 3 You next see the web configurator login screen. Figure 298 Secure Web Configurator Login Screen 27.2.9 Secure Telnet Using SSH Examples This section shows two examples using a command interface and a graphical interface SSH cli[...]

  • Page 503

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 503 Figure 299 SSH Example 1: Store Host Key Enter the password to log in to the ZyWALL. The SMT main menu displays next. 27.2.9.2 Example 2: Linux This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distri[...]

  • Page 504

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 504 3 The SMT main menu displays next. 27.2.9.3 Secure FTP Using SSH Example This section shows an example on file transfer using the OpenSSH client program. The configuration and connection steps are similar for other SSH client programs. Refer to your SSH client progra[...]

  • Page 505

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 505 requires it to do so (select Authenticate Client Certificates in the REMOTE MGMT > WWW screen). Authenticate Client Certificates is optional and if selected means the SSL-client must send the ZyWALL a certificate. You must apply for a certificate for the b[...]

  • Page 506

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 506 Figure 304 ADVANCED > REMOTE MGMT > WWW The following table describes the labels in this screen. Table 149 ADVANCED > REMOTE MGMT > WWW LABEL DESCRIPTION HTTPS Server Certificate Select the Server Certificate that the ZyWALL will use to identify itsel[...]

  • Page 507

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 507 27.5 The SSH Screen You can use SSH (Secure SHell) to securely access the ZyWALL’s SMT or command line interface. Specify which interfaces allow SSH access and from which IP address the access can come. Unlike Telnet or FTP, which transmit data in plai[...]

  • Page 508

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 508 Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections. Figure 306 ADVANCED > REMOTE MGMT > SSH The following table describes the labels in this screen. 27.7 The Telnet Screen You can use Telnet to access the [...]

  • Page 509

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 509 Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections. Figure 307 ADVANCED > REMOTE MGMT > Telnet The following table describes the labels in this screen. 27.8 The FTP Screen You can use FTP (File Tran[...]

  • Page 510

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 510 Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections. Figure 308 ADVANCED > REMOTE MGMT > FTP The following table describes the labels in this screen. 27.9 The SNMP Screen Simple Network Management Protocol is a[...]

  • Page 511

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 511 Figure 309 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management in[...]

  • Page 512

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 512 SNMP Traps The ZyWALL will send traps to the SNMP manager when any one of the following events occurs: 27.9.1 Configuring the SNMP Screen To change your ZyWALL’s SNMP settings, click ADVANCED > REMOTE MGMT > SNMP. The screen appears as shown. Figure 310 [...]

  • Page 513

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 513 The following table describes the labels in this screen. 27.10 The DNS Screen Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. Refer to Chapter 9 on page 169 for more information. Click ADVANCED > REMOTE MGMT &[...]

  • Page 514

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 514 Figure 311 ADVANCED > REMOTE MGMT > DNS The following table describes the labels in this screen. 27.11 The CNM Screen Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any locatio[...]

  • Page 515

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 515 Figure 312 ADVANCED > REMOTE MGMT > CNM The following table describes the labels in this screen. Table 156 ADVANCED > REMOTE MGMT > CNM LABEL DESCRIPTION Registration Information Registration Status This read only field displays Not Registered wh[...]

  • Page 516

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 516 27.13 Remote Management Technical Reference How SSH Works The following table summarizes how a secure connection is established between two remote hosts. Figure 313 How SSH Works 1 Host Identification The SSH client sends a connection request to the SSH server.[...]

  • Page 517

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 517 The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer. 2 Encryption Method Once the identification is verified, both the client and server must ag[...]

  • Page 518

    Chapter 27 Remote Management Screens ZyWALL 5/35/70 Series User’s Guide 518[...]

  • Page 519

    ZyWALL 5/35/70 Series User’s Guide 519 CHAPTER 28 UPnP Screens 28.1 Overview This chapter introduces the Universal Plug and Play feature. This chapter is only applicable when the ZyWALL is in router mode. Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity be[...]

  • Page 520

    Chapter 28 UPnP Screens ZyWALL 5/35/70 Series User’s Guide 520 Cautions with UPnP The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments.[...]

  • Page 521

    Chapter 28 UPnP Screens ZyWALL 5/35/70 Series User’s Guide 521 28.2.1.1 Installing UPnP in Windows Me Follow the steps below to install UPnP in Windows Me. 1 Click Start, Settings and Control Panel. Double-click Add/Remove Programs. 2 Click on the Windows Setup tab and select Communication in the Components selection box. Click Det[...]

  • Page 522

    Chapter 28 UPnP Screens ZyWALL 5/35/70 Series User’s Guide 522 28.2.1.2 Installing UPnP in Windows XP Follow the steps below to install UPnP in Windows XP. 28.2.2 Using UPnP in Windows XP Example This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on [...]

  • Page 523

    Chapter 28 UPnP Screens ZyWALL 5/35/70 Series User’s Guide 523 28.2.2.1 Auto-discover Your UPnP-enabled Network Device 1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway. 2 Right-click the icon and select Properties. 3 In the Internet Connection Properties window, click Settings to[...]

  • Page 524

    Chapter 28 UPnP Screens ZyWALL 5/35/70 Series User’s Guide 524 Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. 28.2.2.2 Web Configurator Easy Access With UPnP, you can access the web-based configurator on the ZyXEL device without finding out the IP address of the [...]

  • Page 525

    Chapter 28 UPnP Screens ZyWALL 5/35/70 Series User’s Guide 525 Follow the steps below to access the web configurator. 1 Click Start and then Control Panel. 2 Double-click Network Connections. 3 Select My Network Places under Other Places. 4 An icon with the description for each UPnP-enabled device displays under Local Network. 5 Right-cl[...]

  • Page 526

    Chapter 28 UPnP Screens ZyWALL 5/35/70 Series User’s Guide 526 28.3 The UPnP Screen Click ADVANCED > UPnP to display the UPnP screen. Figure 314 ADVANCED > UPnP The following table describes the fields in this screen. 6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic informati[...]

  • Page 527

    Chapter 28 UPnP Screens ZyWALL 5/35/70 Series User’s Guide 527 28.4 The Ports Screen Click ADVANCED > UPnP > Ports to display the UPnP Ports screen. Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL. Figure 315 ADVANCED > UPnP > Ports The following table describes the labels in this screen. Allo[...]

  • Page 528

    Chapter 28 UPnP Screens ZyWALL 5/35/70 Series User’s Guide 528 # This is the index number of the UPnP-created NAT mapping rule entry. Remote Host This field displays the source IP address (on the WAN) of inbound IP packets. Since this is often a wildcard, the field may be blank. When the field is blank, the ZyWALL forwards all traffi[...]

  • Page 529

    ZyWALL 5/35/70 Series User’s Guide 529 C HAPTER 29 Custom Application Screen 29.1 Overview Use custom application to ha ve the ZyW ALL’ s ALG , anti-spam, anti-virus, and content filtering features monitor traf fic on custom ports, in addition to the default ports. 29.1.1 What Y ou Can Do in the Custom Application Screen Use the Custom App scre[...]

  • Pagina 530

    Chapter 29 Cust om Application Screen ZyWALL 5/35/70 Series User’s Guide 530 " Changes in the Custom APP screen do not apply to the firewall. Figure 316 ADV ANCED > Custom APP The following table describes the labels in this screen. T able 159 ADV ANCED > Custom APP LABEL DESCRIPTION Applic ation Select the application for wh ich you w[...]

  • Pagina 531

    ZyWALL 5/35/70 Series User’s Guide 531 C HAPTER 30 ALG Screen 30.1 Overview This chapter covers how to use the ZyW ALL’ s AL G feature to allow certain applications to pass through the ZyW ALL. An Application Layer Gateway (ALG) manages a specific protocol (such as SIP , H.323 or FTP) at the application layer . The ZyW ALL can function as an AL[...]

  • Pagina 532

    Chapter 30 ALG Screen ZyWALL 5/35/70 Series User’s Guide 532 ALG and the Firewall The ZyW ALL uses the dynamic port tha t the sessi on uses for data transfer in creating an implicit temporary firewall rule for the session’ s traffic. The firewall rule only allows the session’ s traffic to go thro ugh in the direction that th e ZyW ALL determi[...]

  • Pagina 533

    Chapter 30 ALG Screen ZyWALL 5/35/70 Series User’s Guide 533 • Y ou must configure the firewall and port fo rwarding to allow in coming (peer-to-peer) calls from the W AN to a private IP address on the LAN, DMZ or WLAN. The following example shows H.323 signalin g (1) and audio (2) sessions between H.323 devic es A and B. Figure 317 H.323 ALG E[...]

  • Page 534

    Chapter 30 ALG Screen ZyWALL 5/35/70 Series User’s Guide 534 Figure 319 H.323 Calls from the WAN with Multiple Outgoing Calls • The H.323 ALG operates on TCP packets with a port 1720 destination. • The ZyWALL allows H.323 audio connections. • The ZyWALL can also apply bandwidth management to traffic that goes through the H.323 ALG. [...]

  • Page 535

    Chapter 30 ALG Screen ZyWALL 5/35/70 Series User’s Guide 535 Figure 320 SIP ALG Example SIP Signaling Session Timeout Most SIP clients have an “expire” mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL. If the SIP [...]

  • Page 536

    Chapter 30 ALG Screen ZyWALL 5/35/70 Series User’s Guide 536 Figure 321 ADVANCED > ALG The following table describes the labels in this screen. Table 160 ADVANCED > ALG LABEL DESCRIPTION Enable FTP ALG Select this check box to allow FTP sessions to pass through the ZyWALL. FTP (File Transfer Program) is a program that enables fast tra[...]

  • Page 537

    537 PART V Reports, Logs and Maintenance Reports Screens (539) Logs Screens (555) Maintenance Screens (585)[...]

  • Page 538

    538[...]

  • Page 539

    ZyWALL 5/35/70 Series User’s Guide 539 CHAPTER 31 Reports Screens 31.1 Overview The Reports screens display statistics about network usage and IDP, anti-virus and anti-spam statistics. You can also configure how reports are emailed. 31.1.1 What You Can Do in the Reports Screens • Use the Traffic Statistics screen (Section 31.2 on pa[...]

  • Page 540

    Chapter 31 Reports Screens ZyWALL 5/35/70 Series User’s Guide 540 Note: The web site hit count may not be 100% accurate because sometimes when an individual web page loads, it may contain references to other web sites that also get counted as hits. Figure 322 REPORTS > Traffic Statistics Note: Enabling the ZyWALL’s reporting function[...]

  • Page 541

    Chapter 31 Reports Screens ZyWALL 5/35/70 Series User’s Guide 541 Note: All of the recorded reports data is erased when you turn off the ZyWALL. 31.2.1 Viewing Web Site Hits In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the ZyWALL record and display which web sites have been visited the mo[...]

  • Page 542

    Chapter 31 Reports Screens ZyWALL 5/35/70 Series User’s Guide 542 Figure 323 REPORTS > Traffic Statistics: Web Site Hits Example The following table describes the label in this screen. 31.2.2 Viewing Host IP Address In the Reports screen, select Host IP Address from the Report Type drop-down list box to have the ZyWALL record and displa [...]

  • Page 543

    Chapter 31 Reports Screens ZyWALL 5/35/70 Series User’s Guide 543 Note: Computers take turns using dynamically assigned LAN, DMZ or WLAN IP addresses. The ZyWALL continues recording the bytes sent to or from a LAN, DMZ or WLAN IP address when it is assigned to a different computer. Figure 324 REPORTS > Traffic Statistics: Host IP Addr[...]

  • Page 544

    Chapter 31 Reports Screens ZyWALL 5/35/70 Series User’s Guide 544 Figure 325 REPORTS > Traffic Statistics: Protocol/Port Example The following table describes the labels in this screen. Table 164 REPORTS > Traffic Statistics: Protocol/Port LABEL DESCRIPTION Protocol/Port This column lists the protocols or service ports for which t[...]

  • Page 545

    Chapter 31 Reports Screens ZyWALL 5/35/70 Series User’s Guide 545 31.2.4 System Reports Specifications The following table lists detailed specifications on the reports feature. 31.3 The IDP Screen Click REPORTS > IDP to display the IDP screen. This screen displays IDP (Intrusion Detection and Prevention) statistics. Figure 326 REPORTS > I[...]

  • Page 546

    Chapter 31 Reports Screens ZyWALL 5/35/70 Series User’s Guide 546 The following table describes the labels in this screen. The statistics display as follows when you display the top entries by source. Table 166 REPORTS > IDP LABEL DESCRIPTION Collect Statistics Select this check box to have the ZyWALL collect IDP statistics. The co[...]

  • Page 547

    Chapter 31 Reports Screens ZyWALL 5/35/70 Series User’s Guide 547 Figure 327 REPORTS > IDP > Source The statistics display as follows when you display the top entries by destination. Figure 328 REPORTS > IDP > Destination 31.4 The Anti-Virus Screen Click REPORTS > Anti-Virus to display the Anti-Virus screen. This screen displa[...]

  • Page 548

    Chapter 31 Reports Screens ZyWALL 5/35/70 Series User’s Guide 548 The following table describes the labels in this screen. The statistics display as follows when you display the top entries by source. Figure 330 REPORTS > Anti-Virus > Source The statistics display as follows when you display the top entries by destination. Table 167 REP[...]

  • Page 549

    Chapter 31 Reports Screens ZyWALL 5/35/70 Series User’s Guide 549 Figure 331 REPORTS > Anti-Virus > Destination 31.5 The Anti-Spam Screen Click REPORTS > Anti-Spam to display the Anti-Spam screen. This screen displays anti-spam statistics. Figure 332 REPORTS > Anti-Spam The following table describes the labels in this screen. T [...]

  • Page 550

    Chapter 31 Reports Screens ZyWALL 5/35/70 Series User’s Guide 550 The statistics display as follows when you display the top entries by source. Phishing Mail Detected This field displays the number of e-mails that the ZyWALL has classified as phishing. No Score Mail Detected This field displays the number of e-mails for which the ZyWALL did not [...]

  • Page 551

    Chapter 31 Reports Screens ZyWALL 5/35/70 Series User’s Guide 551 Figure 333 REPORTS > Anti-Spam > Source The statistics display as follows when you display the score distribution. Figure 334 REPORTS > Anti-Spam > Score Distribution 31.6 The E-mail Report Screen You can configure the ZyWALL to email a report including the informa[...]

  • Page 552

    Chapter 31 Reports Screens ZyWALL 5/35/70 Series User’s Guide 552 Figure 335 REPORTS > E-mail Report The following table describes the labels in this screen. Table 169 REPORTS > E-mail Report LABEL DESCRIPTION General Setup Enable E-mail Report Select this to turn on the e-mail report feature. You must then specify a valid e-mail serv[...]

  • Page 553

    Chapter 31 Reports Screens ZyWALL 5/35/70 Series User’s Guide 553 Send Report Now Click this to send the report e-mail immediately. Schedule Reporting Frequency Select the frequency of the report e-mail from the drop-down box. Options are None, Hourly, Daily and Weekly. If you select Daily or Weekly, specify a time of day for the ZyWALL to g[...]

  • Page 554

    Chapter 31 Reports Screens ZyWALL 5/35/70 Series User’s Guide 554[...]

  • Page 555

    ZyWALL 5/35/70 Series User’s Guide 555 CHAPTER 32 Logs Screens 32.1 Overview In the log screens you can configure general log settings and view the ZyWALL’s logs. The logs cover categories such as system maintenance, system errors, access control, allowed or blocked web sites, blocked web features (such as ActiveX controls, java and cookies[...]

  • Page 556

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 556 Figure 336 LOGS > View Log The following table describes the labels in this screen. 32.2.1 Log Description Example The following is an example of how a log displays in the command line interpreter and a description of the sample log. Refer to Section on page 561 for more log mess[...]

  • Page 557

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 557 5|06/08/2004 05:58:20 |172.21.4.187:137 |172.21.255.255:137 |ACCESS BLOCK Firewall default policy: UDP (W to W/ZW) 32.2.2 About the Certificate Not Trusted Log myZyXEL.com and the update server use certificates signed by VeriSign to identify themselves. If the ZyWALL does not [...]

  • Page 558

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 558 Figure 337 myZyXEL.com: Download Center 3 Click the link in the Certificate Download screen. Figure 338 myZyXEL.com: Certificate Download 32.3 The Log Settings Screen To change your ZyWALL’s log settings, click LOGS > Log Settings. The screen appears as shown. Use the Log S[...]

  • Page 559

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 559 Figure 339 LOGS > Log Settings The following table describes the labels in this screen. Table 172 LOGS > Log Settings LABEL DESCRIPTION E-mail Settings Mail Server Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If [...]

  • Page 560

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 560 Mail Subject Type a title that you want to be in the subject line of the log e-mail message that the ZyWALL sends. Mail Sender Enter the e-mail address that you want to be in the from/sender line of the log e-mail message that the ZyWALL sends. If you activate SMTP authentication[...]

  • Page 561

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 561 32.4 Technical Reference Log Descriptions This section provides descriptions of example log messages. The variables “%d”, “%x” and “%s” respectively refer to decimal numbers, hexadecimal numbers and strings (a list of upper/lower case letters or numbers). Active Som[...]

  • Page 562

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 562 Starting Connectivity Monitor Starting Connectivity Monitor. Time initialized by Daytime Server The router got the time and date from the Daytime server. Time initialized by Time server The router got the time and date from the time server. Time initialized by NTP server The route[...]

  • Page 563

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 563 %s The myZyXEL.com service registration failed due to the error listed. If you are unable to register for services at myZYXEL.com, the error message displayed in this log may be useful when contacting customer support. Remote node is connecting. A remote user is connecting using PPP[...]

  • Page 564

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 564 Triangle route packet forwarded: [ TCP | UDP | IGMP | ESP | GRE | OSPF ] The firewall allowed a triangle route session to pass through. Packet without a NAT table entry blocked: [ TCP | UDP | IGMP | ESP | GRE | OSPF ] The router blocked a packet that didn't have a corresponding[...]

  • Page 565

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 565 For type and code details, see Table 192 on page 578. Firewall session time out, sent TCP RST The router sent a TCP reset packet when a dynamic firewall session timed out. The default timeout values are as follows: ICMP idle timeout: 3 minutes UDP idle timeout: 3 minutes TCP c[...]

  • Page 566

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 566 Table 179 CDR Logs LOG MESSAGE DESCRIPTION board %d line %d channel %d, call %d, %s C01 Outgoing Call dev=%x ch=%x %s The router received the setup requirements for a call. “call” is the reference (count) number of the call. “dev” is the device type (3 is for dial-up, 6 is[...]

  • Page 567

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 567 3G SIM authentication failed because of no response from SIM card. SIM card authentication failed because the ZyWALL received a SIM busy message three times when querying for the card status. 3G card has no response, card is restarted. The card was reset due to no response from th[...]

  • Page 568

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 568 For type and code details, see Table 192 on page 578. Table 183 Content Filtering Logs LOG MESSAGE DESCRIPTION %s: Keyword blocking The content of a requested web page matched a user defined keyword. %s: Not in trusted web list The web site is not in a trusted domain, and the rou[...]

  • Page 569

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 569 ip spoofing - WAN [ TCP | UDP | IGMP | ESP | GRE | OSPF ] The firewall detected an IP spoofing attack on the WAN port. ip spoofing - WAN ICMP (type:%d, code:%d) The firewall detected an ICMP IP spoofing attack on the WAN port. icmp echo : ICMP (type:%d, code:%d) The firewall dete[...]

  • Page 570

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 570 Table 185 Remote Management Logs LOG MESSAGE DESCRIPTION Remote Management: FTP denied Attempted use of FTP service was blocked according to remote management settings. Remote Management: TELNET denied Attempted use of TELNET service was blocked according to remote management set[...]

  • Page 571

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 571 Table 187 IPSec Logs LOG MESSAGE DESCRIPTION Discard REPLAY packet The router received and discarded a packet with an incorrect sequence number. Inbound packet authentication failed The router received a packet that has been altered. A third party may have altered or tampered with[...]

  • Page 572

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 572 No proposal chosen Phase 1 or phase 2 parameters don’t match. Please check all protocols / settings. Ex. One device being configured for 3DES and the other being configured for DES causes the connection to fail. Local / remote IPs of incoming request conflict with rule <%d> Th[...]

  • Page 573

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 573 ERROR !!! build_id(): Unable to obtain my DSS keys RCA encryption in phase 1 failed because the ZyWALL did not receive the DSS (Digital Signature Standard) keys. Build Phase 1 ID The router has started to build the phase 1 ID. Adjust TCP MSS to %d The router automatically chan[...]

  • Page 574

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 574 Rule [%d] Tunnel built successfully The listed rule’s IPSec tunnel has been built successfully. Rule [%d] Peer's public key not found The listed rule’s IKE phase 1 peer’s public key was not found. Rule [%d] Verify peer's signature failed The listed rule’s IKE phase[...]

  • Page 575

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 575 Enrollment failed The CMP online certificate enrollment failed. The Destination field records the certification authority server’s IP address and port. Failed to resolve <CMP CA server url> The CMP online certificate enrollment failed because the certification authority [...]

  • Page 576

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 576 8 Certificate was not added to the cache. 9 Certificate decoding failed. 10 Certificate was not found (anywhere). 11 Certificate chain looped (did not find trusted root). 12 Certificate contains critical extension that was not handled. 13 Certificate issuer was not valid (CA speci[...]

  • Page 577

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 577 User logout because of no authentication response from user. The router logged out a user from which there was no authentication response. User logout because of idle timeout expired. The router logged out a user whose idle timeout period expired. User logout because of user requ[...]

  • Page 578

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 578 (D to WL) DMZ to WLAN ACL set for packets traveling from the DMZ to the WLAN. (WL to D) WLAN to DMZ ACL set for packets traveling from the WLAN to the DMZ. (WL to WL) WLAN to WLAN/ZyWALL ACL set for packets traveling from the WLAN to the WLAN or the ZyWALL. Table 192 ICMP Notes TY[...]

  • Page 579

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 579 16 Information Reply 0 Information reply message Table 193 IDP Logs LOG MESSAGE DESCRIPTION The buffer size is too small! The buffer for holding IDP information such as the signature file version was too small to hold any more information. The format of the user config file is inc[...]

  • Page 580

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 580 SMTP Virus infected - %s! The device detected a virus in a SMTP connection. The format of %s is “ID” Virus ID number, virus name, filename. For example, ID:30001,CIH.Win95,/game.exe. POP3 Virus infected - %s! The device detected a virus in a POP3 connection. The format of %s i[...]

  • Page 581

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 581 SMTP Block. The session is over maximun ZIP sessions - %s! %PACKET_DIRECTION% The number of zip files in SMTP connections has exceeded the maximum number that can be concurrently scanned. “%s” is the name of the zip file which has exceeded the limit. POP3 Block. The session is [...]

  • Page 582

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 582 Mail From:Email address Subject:Mail Subject! This is the source and subject of an e-mail for which the anti-spam external database query failed. Remove rating server [%Rating Server IP Address%] from server list! The listed server IP address has been removed from the list of anti- [...]

  • Page 583

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 583 Syslog Logs There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session" is terminated. A traf [...]

  • Page 584

    Chapter 32 Logs Screens ZyWALL 5/35/70 Series User’s Guide 584 The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type. Event Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" ob[...]

  • Page 585

    ZyWALL 5/35/70 Series User’s Guide 585 CHAPTER 33 Maintenance Screens 33.1 Overview This chapter displays information on the maintenance screens. The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL. 33.1.1 What You Can Do in the Maintenance Screens • Use the Gene[...]

  • Page 586

    Chapter 33 Maintenance Screens ZyWALL 5/35/70 Series User’s Guide 586 • In Windows XP, click Start, My Computer, View system information and then click the Computer Name tab. Note the entry in the Full computer name field and enter it as the ZyWALL System Name. Click MAINTENANCE to open the General screen. Use this screen to confi[...]

  • Page 587

    Chapter 33 Maintenance Screens ZyWALL 5/35/70 Series User’s Guide 587 Figure 341 MAINTENANCE > Password The following table describes the labels in this screen. 33.4 The Time and Date Screen The ZyWALL’s Real Time Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current [...]

  • Page 588

    Chapter 33 Maintenance Screens ZyWALL 5/35/70 Series User’s Guide 588 When the ZyWALL uses the NTP time server pools, it randomly selects one pool and tries to synchronize with a server in it. If the synchronization fails, then the ZyWALL goes through the rest of the list in order from the first one tried until either it is successful or all t[...]

  • Page 589

    Chapter 33 Maintenance Screens ZyWALL 5/35/70 Series User’s Guide 589 Manual Select this radio button to enter the time and date manually. If you configure a new time and date, Time Zone and Daylight Saving at the same time, the new time and date you entered has priority and the Time Zone and Daylight Saving settings do not affect it. New Ti[...]

  • Page 590

    Chapter 33 Maintenance Screens ZyWALL 5/35/70 Series User’s Guide 590 33.4.1 Time Server Synchronization Example Click the Synchronize Now button to get the time and date from the predefined time server or the time server you specified in the Time Server Address field. When the System Time and Date Synchronization in Process screen appears,[...]

  • Page 591

    Chapter 33 Maintenance Screens ZyWALL 5/35/70 Series User’s Guide 591 Figure 345 Synchronization Fail 33.5 The Device Mode Screen Use this screen to configure your ZyWALL as a router or a bridge. In router mode, the ZyWALL functions as a router. In bridge mode, the ZyWALL functions as a transparent firewall (also known as a bridge firewall)[...]

  • Page 592

    Chapter 33 Maintenance Screens ZyWALL 5/35/70 Series User’s Guide 592 • If no association is found, the frame is flooded to all ports except the inbound port. Broadcasts and multicasts also are flooded in this way. • If the associated port is the same as the incoming port, then the frame is dropped (filtered). Transparent Firewalls A tra[...]

  • Page 593

    Chapter 33 Maintenance Screens ZyWALL 5/35/70 Series User’s Guide 593 Figure 346 MAINTENANCE > Device Mode (Router Mode) The following table describes the labels in this screen. 33.7 Configuring the Device Mode Screen (Bridge) Click MAINTENANCE > Device Mode to open the following screen. Use this screen to configure your ZyWALL as a rout[...]

  • Page 594

    Chapter 33 Maintenance Screens ZyWALL 5/35/70 Series User’s Guide 594 In bridge mode, the ZyWALL cannot get an IP address from a DHCP server. The LAN, WAN, DMZ and WLAN interfaces all have the same (static) IP address and subnet mask. You can configure the ZyWALL's IP address in order to access the ZyWALL for management. If you co[...]

  • Page 595

    Chapter 33 Maintenance Screens ZyWALL 5/35/70 Series User’s Guide 595 33.8 The F/W Upload Screen Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, “zywall.bin”. The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful [...]

  • Page 596

    Chapter 33 Maintenance Screens ZyWALL 5/35/70 Series User’s Guide 596 Warning: Do not turn off the ZyWALL while firmware upload is in progress! After you see the Firmware Upload in Process screen, wait two minutes before logging into the ZyWALL again. Figure 349 Firmware Upload In Process The ZyWALL automatically restarts in this time causing a t[...]

  • Page 597

    Chapter 33 Maintenance Screens ZyWALL 5/35/70 Series User’s Guide 597 33.9 The Backup and Restore Screen See Section 49.5 on page 733 for transferring configuration files using FTP/TFTP commands. Click MAINTENANCE > Backup & Restore. Information related to factory defaults, backup configuration, and restoring configuration appears as s[...]

  • Page 598

    Chapter 33 Maintenance Screens ZyWALL 5/35/70 Series User’s Guide 598 After you see a “restore configuration successful” screen, you must then wait one minute before logging into the ZyWALL again. Figure 353 Configuration Upload Successful The ZyWALL automatically restarts in this time causing a temporary network disconnect. In some op[...]

  • Page 599

    Chapter 33 Maintenance Screens ZyWALL 5/35/70 Series User’s Guide 599 Figure 356 Reset Warning Message You can also press the hardware RESET button to reset the factory defaults of your ZyWALL. Refer to Section 3.3 on page 63 for more information on the RESET button. 33.10 The Restart Screen System restart allows you to reboot the ZyWALL[...]

  • Page 600

    Chapter 33 Maintenance Screens ZyWALL 5/35/70 Series User’s Guide 600 Figure 358 MAINTENANCE > Diagnostics The following table describes the labels in this screen. Table 206 MAINTENANCE > Diagnostics LABEL DESCRIPTION General Setup Enable Diagnostics Select this option to turn on the diagnostics feature. Perform Diagnostics when CPU uti[...]

  • Page 601

    Chapter 33 Maintenance Screens ZyWALL 5/35/70 Series User’s Guide 601 Send Report to Diagnostic files are sent to the e-mail address specified in this field. If this field is left blank, diagnostic files will not be sent via e-mail. SMTP Authentication SMTP (Simple Mail Transfer Protocol) is the message-exchange standard for the Internet. SMT[...]

  • Page 602

    Chapter 33 Maintenance Screens ZyWALL 5/35/70 Series User’s Guide 602[...]

  • Page 603

    603 PART VI SMT Introducing the SMT (605) SMT Menu 1 - General Setup (613) WAN and Dial Backup Setup (619) LAN Setup (633) Internet Access (639) DMZ Setup (645) Route Setup (649) Wireless Setup (653) Remote Node Setup (659) IP Static Route Setup (669) Network Address Translation (NAT) (673) Introducing the ZyWALL Firewall (693) Filter Configu[...]

  • Page 604

    604[...]

  • Page 605

    ZyWALL 5/35/70 Series User’s Guide 605 CHAPTER 34 Introducing the SMT This chapter explains how to access the System Management Terminal and gives an overview of its menus. 34.1 Introduction to the SMT The ZyWALL’s SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console[...]

  • Page 606

    Chapter 34 Introducing the SMT ZyWALL 5/35/70 Series User’s Guide 606 Figure 359 Initial Screen 34.2.2 Entering the Password The login screen appears after you press [ENTER], prompting you to enter the password, as shown below. For your first login, enter the default password “1234”. As you type the password, the screen displays an “ [...]

  • Page 607

    Chapter 34 Introducing the SMT ZyWALL 5/35/70 Series User’s Guide 607 34.3.1 Main Menu After you enter the password, the SMT displays the ZyWALL Main Menu, as shown next. This guide uses the ZyWALL 70 menus as an example. The menus may vary slightly for different ZyWALL models. Not all fields or menus are available on all models. Figu[...]

  • Page 608

    Chapter 34 Introducing the SMT ZyWALL 5/35/70 Series User’s Guide 608 Figure 362 Main Menu (Bridge Mode) The following table describes the fields in this menu. Copyright (c) 1994 - 2007 ZyXEL Communications Corp. ZyWALL 70 Main Menu Getting Started Advanced Management 1. General Setup 21. Filter and Firewall Setup 22. SNMP Configuration 23. S[...]

  • Page 609

    Chapter 34 Introducing the SMT ZyWALL 5/35/70 Series User’s Guide 609 34.3.2 SMT Menus Overview The following table gives you an overview of your ZyWALL’s various SMT menus. 26 Schedule Setup Use this menu to schedule outgoing calls. 99 Exit Use this menu to exit (necessary for remote configuration). Table 208 Main Menu Summary NO. ME[...]

  • Page 610

    Chapter 34 Introducing the SMT ZyWALL 5/35/70 Series User’s Guide 610 34.4 Changing the System Password Change the system password by following the steps shown next. 1 Enter 23 in the main menu to open Menu 23 - System Password as shown next. 21 Filter and Firewall Setup 21.1 Filter Set Configuration 21.1.x Filter Rules Summary 21.1.x.x G[...]

  • Page 611

    Chapter 34 Introducing the SMT ZyWALL 5/35/70 Series User’s Guide 611 Figure 363 Menu 23: System Password 2 Type your existing password and press [ENTER]. 3 Type your new system password and press [ENTER]. 4 Re-type your new system password for confirmation and press [ENTER]. Note that as you type a password, the screen displays an ?[...]

  • Page 612

    Chapter 34 Introducing the SMT ZyWALL 5/35/70 Series User’s Guide 612[...]

  • Page 613

    ZyWALL 5/35/70 Series User’s Guide 613 CHAPTER 35 SMT Menu 1 - General Setup Menu 1 - General Setup contains administrative and system-related information. 35.1 Introduction to General Setup Menu 1 - General Setup contains administrative and system-related information. 35.2 Configuring General Setup 1 Enter 1 in the main menu to open Menu 1 [...]

  • Page 614

    Chapter 35 SMT Menu 1 - General Setup ZyWALL 5/35/70 Series User’s Guide 614 Figure 365 Menu 1: General Setup (Bridge Mode) The following table describes the fields not previously discussed (see Table 210 on page 613). Device Mode Press [SPACE BAR] and then [ENTER] to select Router Mode. Edit Dynamic DNS Press [SPACE BAR] and then [ENTER[...]

  • Page 615

    Chapter 35 SMT Menu 1 - General Setup ZyWALL 5/35/70 Series User’s Guide 615 35.2.1 Configuring Dynamic DNS To configure Dynamic DNS, set the ZyWALL to router mode in menu 1 or in the MAINTENANCE Device Mode screen and go to Menu 1 - General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Men[...]

  • Page 616

    Chapter 35 SMT Menu 1 - General Setup ZyWALL 5/35/70 Series User’s Guide 616 Figure 367 Menu 1.1.1: DDNS Host Summary The following table describes the fields in this screen. 5 Select Edit in the Select Command field; type the index number of the DDNS host you want to configure in the Select Rule field and press [ENTER] to open Menu 1.1.1 - DD[...]

  • Page 617

    Chapter 35 SMT Menu 1 - General Setup ZyWALL 5/35/70 Series User’s Guide 617 Figure 368 Menu 1.1.1: DDNS Edit Host The following table describes the fields in this screen. Menu 1.1.1 - DDNS Edit Host Hostname= ZyWALL DDNS Type= DynamicDNS Enable Wildcard Option= Yes Enable Off Line Option= N/A Bind WAN= 1 HA= Yes IP Address Update Policy: Let DDN[...]

  • Page 618

    Chapter 35 SMT Menu 1 - General Setup ZyWALL 5/35/70 Series User’s Guide 618 The IP address updates when you reconfigure menu 1 or perform DHCP client renewal. IP Address Update Policy: You can select Yes in either the Let DDNS Server Auto Detect field (recommended) or the Use User-Defined field, but not both. With the Let DDNS Server Auto [...]

  • Page 619

    ZyWALL 5/35/70 Series User’s Guide 619 CHAPTER 36 WAN and Dial Backup Setup This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.1 and 11.1. 36.1 Introduction to WAN and Dial Backup Setup This chapter explains how to configure settings for your, a dial back up connection using the SMT menus. 36.2 WAN Se[...]

  • Page 620

    Chapter 36 WAN and Dial Backup Setup ZyWALL 5/35/70 Series User’s Guide 620 The following table describes the fields in this screen. 36.3 Dial Backup The Dial Backup port can be used in reserve, as a traditional dial-up connection should the broadband connection to the WAN port fail. To set up the auxiliary port (Dial Backup) for use in th[...]

  • Page 621

    Chapter 36 WAN and Dial Backup Setup ZyWALL 5/35/70 Series User’s Guide 621 Figure 370 Menu 2: Dial Backup Setup The following table describes the fields in this menu. 36.3.2 Advanced WAN Setup Note: Consult the manual of your WAN device connected to your Dial Backup port for specific AT commands. Menu 2 - WAN Setup WAN 1 MAC Address: Assign[...]

  • Page 622

    Chapter 36 WAN and Dial Backup Setup ZyWALL 5/35/70 Series User’s Guide 622 To edit the advanced setup for the Dial Backup port, move the cursor to the Edit Advanced Setup field in Menu 2 - WAN Setup, press the [SPACE BAR] to select Yes and then press [ENTER]. Figure 371 Menu 2.1: Advanced WAN Setup The following table describes field[...]

  • Page 623

    Chapter 36 WAN and Dial Backup Setup ZyWALL 5/35/70 Series User’s Guide 623 36.3.3 Remote Node Profile (Backup ISP) Enter 3 in Menu 11 - Remote Node Setup to open Menu 11.3 - Remote Node Profile (Backup ISP) (shown below) and configure the setup for your Dial Backup port connection. Not all fields are available on all models. Figure 372 Menu 1[...]

  • Page 624

    Chapter 36 WAN and Dial Backup Setup ZyWALL 5/35/70 Series User’s Guide 624 The following table describes the fields in this menu. Table 219 Menu 11.3: Remote Node Profile (Backup ISP) FIELD DESCRIPTION Rem Node Name Enter a descriptive name for the remote node. This field can be up to eight characters. Active Press [SPACE BAR] and then [[...]

  • Page 625

    Chapter 36 WAN and Dial Backup Setup ZyWALL 5/35/70 Series User’s Guide 625 36.3.4 Editing TCP/IP Options Move the cursor to the Edit IP field in menu 11.3, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3.2 - Remote Node Network Layer Options. Not all fields are available on all models. Figure 373 Menu 11.3.2: Remot[...]

  • Page 626

    Chapter 36 WAN and Dial Backup Setup ZyWALL 5/35/70 Series User’s Guide 626 36.3.5 Editing Login Script For some remote gateways, text login is required before PPP negotiation is started. The ZyWALL provides a script facility for this purpose. The script has six programmable sets; each set is composed of an ‘Expect’ string and a ‘Send?[...]

  • Page 627

    Chapter 36 WAN and Dial Backup Setup ZyWALL 5/35/70 Series User’s Guide 627 To handle the first prompt, you specify “ogin:” as the ‘Expect’ string and “myLogin” as the ‘Send’ string in set 1. The reason for leaving out the leading “L” is to avoid having to know exactly whether it is upper or lower case. Similarly, yo[...]

  • Page 628

    Chapter 36 WAN and Dial Backup Setup ZyWALL 5/35/70 Series User’s Guide 628 The following table describes the fields in this menu. 36.3.6 Remote Node Filter Move the cursor to the field Edit Filter Sets in menu 11.3, and then press [SPACE BAR] to set the value to Yes. Press [ENTER] to open Menu 11.3.4 - Remote Node Filter. Use menu 11.3[...]

  • Page 629

    Chapter 36 WAN and Dial Backup Setup ZyWALL 5/35/70 Series User’s Guide 629 36.3.7 3G Modem Setup From the main menu, enter 2 to open menu 2 on the ZyWALL that supports a 3G card. Note: It is not necessary to configure menu 2 with a Sierra Wireless AC595 3G card. Figure 376 3G Modem Setup in WAN Setup (ZyWALL 5) The following table describes [...]

  • Page 630

    Chapter 36 WAN and Dial Backup Setup ZyWALL 5/35/70 Series User’s Guide 630 36.3.8 Remote Node Profile (3G WAN) Enter 2 in Menu 11 - Remote Node Setup to open Menu 11.2 - Remote Node Profile (3G WAN) (shown below) and configure the setup for your 3G connection. Figure 377 Menu 11.2: Remote Node Profile (3G WAN) The following table describe[...]

  • Page 631

    Chapter 36 WAN and Dial Backup Setup ZyWALL 5/35/70 Series User’s Guide 631 Retype to Confirm Enter your password again to make sure that you have entered it correctly. Authen This field sets the authentication protocol used for outgoing calls. Options for this field are: CHAP/PAP - Your ZyWALL will accept either CHAP or PAP when reques[...]

  • Page 632

    Chapter 36 WAN and Dial Backup Setup ZyWALL 5/35/70 Series User’s Guide 632[...]

  • Page 633

    ZyWALL 5/35/70 Series User’s Guide 633 CHAPTER 37 LAN Setup This chapter describes how to configure the LAN using Menu 3 - LAN Setup. 37.1 Introduction to LAN Setup This chapter describes how to configure the ZyWALL for LAN and wireless LAN connections. 37.2 Accessing the LAN Menus From the main menu, enter 3 to open Menu 3 - LAN Setup. Figur[...]

  • Page 634

    Chapter 37 LAN Setup ZyWALL 5/35/70 Series User’s Guide 634 Figure 379 Menu 3.1: LAN Port Filter Setup 37.4 TCP/IP and DHCP Ethernet Setup Menu From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup. Figure 380 Menu 3: TCP/IP and DHCP Setup From menu 3, select the submenu option TCP/IP a[...]

  • Page 635

    Chapter 37 LAN Setup ZyWALL 5/35/70 Series User’s Guide 635 Figure 381 Menu 3.2: TCP/IP and DHCP Ethernet Setup Follow the instructions in the next table on how to configure the DHCP fields. Use the instructions in the following table to configure TCP/IP parameters for the LAN port. Note: LAN and DMZ IP addresses must be on separate subnets. [...]

  • Page 636

    Chapter 37 LAN Setup ZyWALL 5/35/70 Series User’s Guide 636 37.4.1 IP Alias Setup IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LA[...]

  • Page 637

    Chapter 37 LAN Setup ZyWALL 5/35/70 Series User’s Guide 637 Use the instructions in the following table to configure IP alias parameters. Table 226 Menu 3.2.1: IP Alias Setup FIELD DESCRIPTION IP Alias 1, 2 Choose Yes to configure the LAN network for the ZyWALL. IP Address Enter the IP address of your ZyWALL in dotted decimal notation[...]

  • Page 638

    Chapter 37 LAN Setup ZyWALL 5/35/70 Series User’s Guide 638[...]

  • Page 639

    ZyWALL 5/35/70 Series User’s Guide 639 CHAPTER 38 Internet Access This chapter shows you how to configure your ZyWALL for Internet access. 38.1 Introduction to Internet Access Setup Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet. There are three different menu 4 scree[...]

  • Page 640

    Chapter 38 Internet Access ZyWALL 5/35/70 Series User’s Guide 640 Figure 383 Menu 4: Internet Access Setup (Ethernet) The following table describes the fields in this menu. Menu 4 - Internet Access Setup ISP's Name= WAN_1 Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A[...]

  • Page 641

    Chapter 38 Internet Access ZyWALL 5/35/70 Series User’s Guide 641 38.3 Configuring the PPTP Client Note: The ZyWALL supports only one PPTP server connection at any given time. To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection. After configuri[...]

  • Page 642

    Chapter 38 Internet Access ZyWALL 5/35/70 Series User’s Guide 642 Figure 384 Internet Access Setup (PPTP) The following table contains instructions about the new fields when you choose PPTP in the Encapsulation field in menu 4. 38.4 Configuring the PPPoE Client If you enable PPPoE in menu 4, you will see the next screen. Menu 4 - Internet Acc[...]

  • Page 643

    Chapter 38 Internet Access ZyWALL 5/35/70 Series User’s Guide 643 Figure 385 Internet Access Setup (PPPoE) The following table contains instructions about the new fields when you choose PPPoE in the Encapsulation field in menu 4. If you need a PPPoE service name to identify and reach the PPPoE server, please go to menu 11 and enter the PPPoE [...]

  • Page 644

    Chapter 38 Internet Access ZyWALL 5/35/70 Series User’s Guide 644[...]

  • Page 645

    ZyWALL 5/35/70 Series User’s Guide 645 CHAPTER 39 DMZ Setup This chapter describes how to configure the ZyWALL’s DMZ using Menu 5 - DMZ Setup. 39.1 Configuring DMZ Setup From the main menu, enter 5 to open Menu 5 – DMZ Setup. Figure 386 Menu 5: DMZ Setup 39.2 DMZ Port Filter Setup This menu allows you to specify the filter sets that you[...]

  • Page 646

    Chapter 39 DMZ Setup ZyWALL 5/35/70 Series User’s Guide 646 39.3 TCP/IP Setup For more detailed information about RIP setup, IP Multicast and IP alias, please refer to Chapter 7 on page 149. 39.3.1 IP Address From the main menu, enter 5 to open Menu 5 - DMZ Setup to configure TCP/IP (RFC 1155). Figure 388 Menu 5: DMZ Setup From menu 5, select[...]

  • Page 647

    Chapter 39 DMZ Setup ZyWALL 5/35/70 Series User’s Guide 647 Note: DMZ, WLAN and LAN IP addresses must be on separate subnets. You must also configure NAT for the DMZ port (see Chapter 44 on page 673) in menus 15.1 and 15.2. 39.3.2 IP Alias Setup Use menu 5.2 to configure the first network. Move the cursor to the Edit IP Alias field, press[...]

  • Page 648

    Chapter 39 DMZ Setup ZyWALL 5/35/70 Series User’s Guide 648[...]

  • Page 649

    ZyWALL 5/35/70 Series User’s Guide 649 CHAPTER 40 Route Setup This chapter describes how to configure the ZyWALL's traffic redirect. 40.1 Configuring Route Setup From the main menu, enter 6 to open Menu 6 - Route Setup. Figure 391 Menu 6: Route Setup 40.2 Route Assessment This menu allows you to configure traffic redirect properties. Fi[...]

  • Page 650

    Chapter 40 Route Setup ZyWALL 5/35/70 Series User’s Guide 650 The following table describes the fields in this menu. 40.3 Traffic Redirect To configure the parameters for traffic redirect, enter 2 in Menu 6 - Route Setup to open Menu 6.2 - Traffic Redirect as shown next. Figure 393 Menu 6.2: Traffic Redirect The following table describes the[...]

  • Page 651

    Chapter 40 Route Setup ZyWALL 5/35/70 Series User’s Guide 651 40.4 Route Failover This menu allows you to configure how the ZyWALL uses the route assessment ping check function. Figure 394 Menu 6.3: Route Failover The following table describes the fields in this menu. Menu 6.3 - Route Failover Period= 5 Timeout=: 3 Fail Tolerance= 3 Press ENTER[...]

  • Page 652

    Chapter 40 Route Setup ZyWALL 5/35/70 Series User’s Guide 652[...]

  • Page 653

    ZyWALL 5/35/70 Series User’s Guide 653 CHAPTER 41 Wireless Setup Use menu 7 to set up your ZyWALL as the wireless access point. 41.1 Wireless LAN Setup Note: If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL’s ESSID or WEP settings, you will lose your wireless connection when you pre[...]

  • Page 654

    Chapter 41 Wireless Setup ZyWALL 5/35/70 Series User’s Guide 654 Note: The settings of all client stations on the wireless LAN must match those of the ZyWALL. Follow the instructions in the next table on how to configure the wireless LAN parameters. Table 233 Menu 7.1: Wireless Setup FIELD DESCRIPTION Enable Wireless LAN Press [SPACE BAR] [...]

  • Page 655

    Chapter 41 Wireless Setup ZyWALL 5/35/70 Series User’s Guide 655 41.1.1 MAC Address Filter Setup Your ZyWALL checks the MAC address of the wireless station device against a list of allowed or denied MAC addresses. However, intruders could fake allowed MAC addresses so MAC-based authentication is less secure than EAP authentication. Follow the [...]

  • Page 656

    Chapter 41 Wireless Setup ZyWALL 5/35/70 Series User’s Guide 656 The following table describes the fields in this menu. 41.2 TCP/IP Setup For more detailed information about RIP setup, IP Multicast and IP alias, please refer to Chapter 7 on page 149. 41.2.1 IP Address From the main menu, enter 7 to open Menu 7 - WLAN Setup to configure TCP/IP ([...]

  • Page 657

    Chapter 41 Wireless Setup ZyWALL 5/35/70 Series User’s Guide 657 Figure 398 Menu 7.2: TCP/IP and DHCP Ethernet Setup The DHCP and TCP/IP setup fields are the same as the ones in Menu 3.2 - TCP/IP and DHCP Ethernet Setup. Each public server will need a unique IP address. Refer to Section 37.4 on page 634 for information on how to configure these [...]

  • Page 658

    Chapter 41 Wireless Setup ZyWALL 5/35/70 Series User’s Guide 658 Figure 399 Menu 7.2.1: IP Alias Setup Refer to Table 226 on page 637 for instructions on configuring IP alias parameters. Menu 7.2.1 - IP Alias Setup IP Alias 1= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A IP Alias 2= No IP Address= N/A IP Subnet M[...]

  • Page 659

    ZyWALL 5/35/70 Series User’s Guide 659 CHAPTER 42 Remote Node Setup This chapter shows you how to configure a remote node. 42.1 Introduction to Remote Node Setup A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note that when y[...]

  • Page 660

    Chapter 42 Remote Node Setup ZyWALL 5/35/70 Series User’s Guide 660 42.3 Remote Node Profile Setup The following explains how to configure the remote node profile menu. Not all fields are available on all models. 42.3.1 Ethernet Encapsulation There are three variations of menu 11.x depending on whether you choose Ethernet Encapsulation, [...]

  • Page 661

    Chapter 42 Remote Node Setup ZyWALL 5/35/70 Series User’s Guide 661 42.3.2 PPPoE Encapsulation The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). You can only use PPPoE encapsulation when you’re using the ZyWALL with a DSL modem as the WAN device. If you change the Encapsulation to PPPoE, then you will see the next screen[...]

  • Page 662

    Chapter 42 Remote Node Setup ZyWALL 5/35/70 Series User’s Guide 662 Figure 402 Menu 11.1: Remote Node Profile for PPPoE Encapsulation 42.3.2.1 Outgoing Authentication Protocol Generally speaking, you should employ the strongest authentication protocol possible, for obvious reasons. However, some vendor’s implementation includes a s[...]

  • Page 663

    Chapter 42 Remote Node Setup ZyWALL 5/35/70 Series User’s Guide 663 42.3.2.3 Metric See Section on page 171 for details on the Metric field. 42.3.3 PPTP Encapsulation If you change the Encapsulation to PPTP in menu 11.1, then you will see the next screen. Table 236 Fields in Menu 11.1 (PPPoE Encapsulation Specific) FIELD DESCRIPTION Service[...]

  • Page 664

    Chapter 42 Remote Node Setup ZyWALL 5/35/70 Series User’s Guide 664 Figure 403 Menu 11.1: Remote Node Profile for PPTP Encapsulation The next table shows how to configure fields in menu 11.1 not previously discussed. 42.4 Edit IP Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] t[...]

  • Page 665

    Chapter 42 Remote Node Setup ZyWALL 5/35/70 Series User’s Guide 665 Figure 404 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation This menu displays the My WAN Addr field for PPPoE and PPTP encapsulations and Gateway IP Addr field for Ethernet encapsulation. The following table describes the fields in this menu. Menu 11[...]

  • Page 666

    Chapter 42 Remote Node Setup ZyWALL 5/35/70 Series User’s Guide 666 42.5 Remote Node Filter Move the cursor to the field Edit Filter Sets in menu 11.1, and then press [SPACE BAR] to set the value to Yes. Press [ENTER] to open Menu 11.1.4 - Remote Node Filter. Use menu 11.1.4 to specify the filter set(s) to apply to the incoming and outg[...]

  • Page 667

    Chapter 42 Remote Node Setup ZyWALL 5/35/70 Series User’s Guide 667 Figure 405 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation) Figure 406 Menu 11.1.4: Remote Node Filter (PPPoE or PPTP Encapsulation) Menu 11.1.4 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filte[...]

  • Page 668

    Chapter 42 Remote Node Setup ZyWALL 5/35/70 Series User’s Guide 668[...]

  • Page 669

    ZyWALL 5/35/70 Series User’s Guide 669 CHAPTER 43 IP Static Route Setup This chapter shows you how to configure static routes with your ZyWALL. 43.1 IP Static Route Setup Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.1. Note: The first two static route entries are for[...]

  • Page 670

    Chapter 43 IP Static Route Setup ZyWALL 5/35/70 Series User’s Guide 670 Figure 407 Menu 12: IP Static Route Setup Now, enter the index number of the static route that you want to configure. Figure 408 Menu 12.1: Edit IP Static Route The following table describes the IP Static Route Menu fields. Menu 12 - IP Static Route Setup 1. Reserved 1[...]

  • Page 671

    Chapter 43 IP Static Route Setup ZyWALL 5/35/70 Series User’s Guide 671 Destination IP Address This parameter specifies the IP network address of the final destination. Routing is always based on network number. If you need to specify a route to a single host, use a subnet mask of 255.255.255.255 in the subnet mask field to force the networ[...]

  • Page 672

    Chapter 43 IP Static Route Setup ZyWALL 5/35/70 Series User’s Guide 672[...]

  • Page 673

    ZyWALL 5/35/70 Series User’s Guide 673 CHAPTER 44 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 44.1 Using NAT Note: You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL. 44.1.1 SUA (Single User Account) Versus [...]

  • Page 674

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 674 Figure 409 Menu 4: Applying NAT for Internet Access The following figure shows how you apply NAT to the remote node in menu 11.1. 1 Enter 11 from the main menu. 2 Enter 1 to open Menu 11.1 - Remote Node Profile. 3 Move the cursor to the Edit IP field, pre[...]

  • Page 675

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 675 The following table describes the fields in this menu. 44.2 NAT Setup Use the address mapping sets menus and submenus to create the mapping table used to assign global addresses to computers on the LAN, DMZ and WLAN. Set 255 is used for SUA. When you select Fu[...]

  • Page 676

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 676 Note: Configure DMZ, WLAN and LAN IP addresses in NAT menus 15.1 and 15.2. DMZ, WLAN and LAN IP addresses must be on separate subnets. 44.2.1 Address Mapping Sets Enter 1 to bring up Menu 15.1 - Address Mapping Sets. Figure 412 Menu 15.1: Address Mapping Se[...]

  • Page 677

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 677 Note: Menu 15.1.255 is read-only. 44.2.1.2 User-Defined Address Mapping Sets Now look at option 1 in menu 15.1. Enter 1 to bring up this menu. Look at the differences from the previous menu. Note the extra Action and Select Rule fields mean you can configur[...]

  • Page 678

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 678 Figure 414 Menu 15.1.1: First Set Note: The Type, Local and Global Start/End IPs are configured in menu 15.1.1.1 (described later) and the values are displayed here. 44.2.1.3 Ordering Your Rules Ordering your rules is important because the ZyWALL applies t[...]

  • Page 679

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 679 Now if you delete rule 4, rules 5 to 7 will be pushed up by 1 rule, so old rule 5 becomes rule 4, old rule 6 becomes rule 5 and old rule 7 becomes rule 6. Note: You must press [ENTER] at the bottom of the screen to save the whole set. You must do this ag[...]

  • Page 680

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 680 Figure 415 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set The following table describes the fields in this menu. Menu 15.1.1.1 Address Mapping Rule Type= One-to-One Local IP: Start= End = N/A Global IP: Start= End = N/A Server Mapping Set= N/A Pres[...]

  • Page 681

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 681 44.3 Configuring a Server behind NAT Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. Follow these steps to configure a server behind N[...]

  • Page 682

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 682 4 Select Edit Rule in the Select Command field; type the index number of the NAT server you want to configure in the Select Rule field and press [ENTER] to open Menu 15.2.x.x - NAT Server Configuration (see the next figure). Figure 418 15.2.x.x: NAT Server Conf[...]

  • Page 683

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 683 Figure 419 Menu 15.2.1: NAT Server Setup You assign the private network IP addresses. The NAT network appears as a single host on the Internet. A is the FTP/Telnet/SMTP server. Figure 420 Server Behind NAT Example 44.4 General NAT Examples The following[...]

  • Page 684

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 684 Figure 421 NAT Example 1 Figure 422 Menu 4: Internet Access & NAT Example From menu 4 shown above, simply choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in Section 44.4 on page 683 [...]

  • Page 685

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 685 44.4.2 Example 2: Internet Access with a Default Server Figure 423 NAT Example 2 In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2.1 to specify the Default Server behind the NAT as shown in the nex[...]

  • Page 686

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 686 2 Map the second IGA to our second inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses). 3 Map the other outgoing LAN traffic to IGA3 (Many : 1 mapping). 4 You also map your third IGA to the web serve[...]

  • Page 687

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 687 Figure 426 Example 3: Menu 11.1.2 The following figure shows how to configure the first rule. Figure 427 Example 3: Menu 15.1.1.1 Menu 11.1.2 - Remote Node Network Layer Options IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Add[...]

  • Page 688

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 688 Figure 428 Example 3: Final Menu 15.1.1 Now configure the IGA3 to map to our web server and mail server on the LAN. 1 Enter 15 from the main menu. 2 Enter 2 to go to menu 15.2. 3 (Enter 1 or 2 from menu 15.2 on a ZyWALL with multiple WAN ports) configure the m[...]

  • Page 689

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 689 44.4.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-One-to-One mapping as port numbers do not change for Many-One-to-One (and One-[...]

  • Page 690

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 690 Figure 432 Example 4: Menu 15.1.1: Address Mapping Rules 44.5 Trigger Port Forwarding Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NA[...]

  • Page 691

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 691 Note: Only one LAN computer can use a trigger port (range) at a time. Enter 3 in menu 15 to display Menu 15.3 - Trigger Ports. For a ZyWALL with multiple WAN interfaces, enter 1 or 2 from menu 15.3 to go to Menu 15.3.1 or Menu 15.3.2 - Trigger Port Setup[...]

  • Page 692

    Chapter 44 Network Address Translation (NAT) ZyWALL 5/35/70 Series User’s Guide 692 End Port Enter a port number or the ending port number in a range of port numbers. Press [ENTER] at the message “Press ENTER to Confirm ...” to save your configuration, or press [ESC] at any time to cancel. Table 245 Menu 15.3.1: Trigger Port Setup (conti[...]

  • Page 693

    ZyWALL 5/35/70 Series User’s Guide 693 CHAPTER 45 Introducing the ZyWALL Firewall This chapter shows you how to get started with the ZyWALL firewall. 45.1 Using ZyWALL SMT Menus From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next. Figure 434 Menu 21: Filter and Firewall Setup [...]

  • Page 694

    Chapter 45 Introducing the ZyWALL Firewall ZyWALL 5/35/70 Series User’s Guide 694 Figure 435 Menu 21.2: Firewall Setup Note: Configure the firewall rules using the web configurator or CLI commands. Menu 21.2 - Firewall Setup The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to [...]

  • Page 695

    ZyWALL 5/35/70 Series User’s Guide 695 CHAPTER 46 Filter Configuration This chapter shows you how to create and apply filters. 46.1 Introduction to Filters Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters [...]

  • Page 696

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 696 46.1.1 The Filter Structure of the ZyWALL A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The ZyWALL allows you to configure up to twelve filter s[...]

  • Page 697

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 697 Figure 437 Filter Rule Process You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.[...]

  • Page 698

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 698 46.2 Configuring a Filter Set The ZyWALL includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below. 1 Enter 21 in the main menu to open menu 21. Figure 438 Menu 21: Filter and Firewall Setup 2 Enter 1 to br[...]

  • Page 699

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 699 The protocol dependent filter rules abbreviations are listed as follows: Refer to the next section for information on configuring the filter rules. 46.2.1 Configuring a Filter Rule To configure a filter rule, type its number in Menu 21.1.x - Filter Rules Summary and press [E[...]

  • Page 700

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 700 46.2.2 Configuring a TCP/IP Filter Rule This section shows you how to configure a TCP/IP filter rule. TCP/IP rules allow you to base the rule on the fields in the IP and the upper layer protocol, for example, UDP and TCP headers. To configure TCP/IP rules, select TCP/IP Filt[...]

  • Page 701

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 701 The following figure illustrates the logic flow of an IP filter. Port # Comp Press [SPACE BAR] and then [ENTER] to select the comparison to apply to the destination port in the packet against the value given in Destination: Port #. Options are None, Equal, Not Equal, [...]

  • Page 702

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 702 Figure 441 Executing an IP Filter 46.2.3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly.[...]

  • Page 703

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 703 For generic rules, the ZyWALL treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes. The ZyWALL applies the Mask (bit-wise ANDing) to the data porti[...]

  • Page 704

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 704 46.3 Example Filter Here is an example to block outside users from accessing the ZyWALL via telnet. Figure 443 Telnet Filter Example 1 Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup. 2 Enter 1 to open Menu 21.1 - Filter Set Configuration. 3 Ent[...]

  • Page 705

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 705 Figure 444 Example Filter: Menu 21.1.3.1 The port number for the telnet service (TCP protocol) is 23. See RFC 1060 for port numbers of well-known services. When you press [ENTER] to confirm, you will see the following screen. Note that there is only one filter rule in this[...]

  • Page 706

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 706 After you’ve created the filter set, you must apply it. 1 Enter 11 from the main menu to go to menu 11. 2 Enter 1 or 2 to open Menu 11.x - Remote Node Profile. 3 Go to the Edit Filter Sets field, press [SPACE BAR] to select Yes and press [ENTER]. 4 This brings you t[...]

  • Page 707

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 707 46.5.1.1 When To Use Filtering 1 To block/allow LAN packets by their MAC addresses. 2 To block/allow special IP packets which are neither TCP nor UDP, nor ICMP packets. 3 To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific[...]

  • Page 708

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 708 Note: If you do not activate the firewall, it is advisable to apply filters. 46.6.1 Applying LAN Filters LAN traffic filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 3.1 (shown next) and enter the number(s) of the[...]

  • Page 709

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 709 46.6.3 Applying Remote Node Filters Go to menu 11.1.4 (shown below – note that call filter sets are only present for PPPoE encapsulation) and enter the number(s) of the filter set(s) as appropriate. You can cascade up to four filter sets by entering their numbers separa[...]

  • Page 710

    Chapter 46 Filter Configuration ZyWALL 5/35/70 Series User’s Guide 710[...]

  • Page 711

    ZyWALL 5/35/70 Series User’s Guide 711 CHAPTER 47 SNMP Configuration This chapter explains SNMP configuration menu 22. 47.1 SNMP Configuration To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The “community” for Get, Set and Trap fields is SNMP terminology for password. Figure 450 M[...]

  • Page 712

    Chapter 47 SNMP Configuration ZyWALL 5/35/70 Series User’s Guide 712 47.2 SNMP Traps The ZyWALL will send traps to the SNMP manager when any one of the following events occurs: Destination Type the IP address of the station to send your SNMP traps to. When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm[...]

  • Page 713

    ZyWALL 5/35/70 Series User’s Guide 713 CHAPTER 48 System Information & Diagnosis This chapter covers SMT menus 24.1 to 24.4. 48.1 Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status and log and trace capabilities. Select men[...]

  • Page 714

    Chapter 48 System Information & Diagnosis ZyWALL 5/35/70 Series User’s Guide 714 3 There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 or 2 drops the WAN1 or WAN2 connection, 9 resets the counters and [ESC] takes you back to the previous screen. Figure 452 Menu 24.1: System Maintenance: Status The following t[...]

  • Page 715

    Chapter 48 System Information & Diagnosis ZyWALL 5/35/70 Series User’s Guide 715 48.3 System Information and Console Port Speed This section describes your system and allows you to choose different console port speeds. To get to the System Information and Console Port Speed: 1 Enter 24 to go to Menu 24 - System Maintenance. 2 Enter 2 to o[...]

  • Page 716

    Chapter 48 System Information & Diagnosis ZyWALL 5/35/70 Series User’s Guide 716 Figure 454 Menu 24.2.1: System Maintenance: Information The following table describes the fields in this screen. 48.3.2 Console Port Speed You can change the speed of the console port through Menu 24.2.2 – Console Port Speed. Your ZyWALL supports 9600 (d[...]

  • Pagina 717

    Chapter 48 System Information & Diagnosis ZyWALL 5/35/70 Series User’s Guide 717 Figure 455 Menu 24.2.2: System Maintenance: Change Console Port Speed 48.4 Log and Trace There are two logging facilities in the ZyWALL. The first is the error logs and trace records that are stored locally. The second is the UNIX syslog facility for messa[...]

  • Page 718

    Chapter 48 System Information & Diagnosis ZyWALL 5/35/70 Series User’s Guide 718 Figure 457 Examples of Error and Information Messages 48.4.2 Syslog Logging The ZyWALL uses the syslog facility to log the CDR (Call Detail Record) and system messages to a syslog server. Syslog and accounting can be configured in Menu 24.3.2 - System Mainten[...]

  • Page 719

    Chapter 48 System Information & Diagnosis ZyWALL 5/35/70 Series User’s Guide 719 1 CDR 2 Packet triggered 3 Filter log CDR Message Format SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String ); String = board xx line xx channel xx, call xx, str board = the hardware board ID line = the WAN ID in a board Channel = channel ID within the WAN call[...]

  • Page 720

    Chapter 48 System Information & Diagnosis ZyWALL 5/35/70 Series User’s Guide 720 4 PPP log Filter log Message Format SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String ); String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R),[...]

  • Page 721

    Chapter 48 System Information & Diagnosis ZyWALL 5/35/70 Series User’s Guide 721 5 Firewall log 48.4.3 Call-Triggering Packet Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easy readable format. Equivalent information is available in menu 24.1 in hex format. An example is shown next. Firew[...]

  • Page 722

    Chapter 48 System Information & Diagnosis ZyWALL 5/35/70 Series User’s Guide 722 Figure 459 Call-Triggering Packet Example 48.5 Diagnostic The diagnostic facility allows you to test the different aspects of your ZyWALL to determine if it is working properly. Menu 24.4 allows you to choose among various types of diagnostic tests to evalu[...]

  • Page 723

    Chapter 48 System Information & Diagnosis ZyWALL 5/35/70 Series User’s Guide 723 Figure 460 Menu 24.4: System Maintenance: Diagnostic (ZyWALL 5) 48.5.1 WAN DHCP DHCP functionality can be enabled on the LAN or WAN as shown in Figure 461 on page 723. LAN DHCP has already been discussed. The ZyWALL can act either as a WAN DHCP client ( I[...]

  • Page 724

    Chapter 48 System Information & Diagnosis ZyWALL 5/35/70 Series User’s Guide 724 Table 255 System Maintenance Menu Diagnostic FIELD DESCRIPTION Ping Host Enter 1 to ping any machine (with an IP address) on your LAN, DMZ, WLAN or WAN. Enter its IP address in the Host IP Address field below. WAN DHCP Release Enter 2 to release your WAN [...]

  • Page 725

    ZyWALL 5/35/70 Series User’s Guide 725 CHAPTER 49 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 49.1 Introduction Use the instructions in this chapter to change the ZyWALL’s configuration file or upgrade its[...]

  • Page 726

    Chapter 49 Firmware and Configuration File Maintenance ZyWALL 5/35/70 Series User’s Guide 726 The following table is a summary. Please note that the internal filename refers to the filename on the ZyWALL and the external filename refers to the filename not on the ZyWALL, that is, on your computer, local network or FTP site and so the name[...]

  • Page 727

    Chapter 49 Firmware and Configuration File Maintenance ZyWALL 5/35/70 Series User’s Guide 727 Figure 462 Telnet into Menu 24.5 49.3.2 Using the FTP Command from the Command Line 1 Launch the FTP client on your computer. 2 Enter “open”, followed by a space and the IP address of your ZyWALL. 3 Press [ENTER] when prompted for a user[...]

  • Page 728

    Chapter 49 Firmware and Configuration File Maintenance ZyWALL 5/35/70 Series User’s Guide 728 49.3.4 GUI-based FTP Clients The following table describes some of the commands that you may see in GUI-based FTP clients. 49.3.5 File Maintenance Over WAN TFTP, FTP and Telnet over the WAN will not work when: 1 The firewall is active (turn the fir[...]

  • Page 729

    Chapter 49 Firmware and Configuration File Maintenance ZyWALL 5/35/70 Series User’s Guide 729 4 Launch the TFTP client on your computer and connect to the ZyWALL. Set the transfer mode to binary before starting data transfer. 5 Use the TFTP client (see the example below) to transfer files between the ZyWALL and the computer. The fil[...]

  • Page 730

    Chapter 49 Firmware and Configuration File Maintenance ZyWALL 5/35/70 Series User’s Guide 730 Figure 464 System Maintenance: Backup Configuration 2 The following screen indicates that the Xmodem download has started. Figure 465 System Maintenance: Starting Xmodem Download Screen 3 Run the HyperTerminal program by clicking Transfer, the[...]

  • Page 731

    Chapter 49 Firmware and Configuration File Maintenance ZyWALL 5/35/70 Series User’s Guide 731 FTP is the preferred method for restoring your current computer configuration to your ZyWALL since FTP is faster. Please note that you must wait for the system to automatically restart after the file transfer is complete. WARNING! Do not[...]

  • Page 732

    Chapter 49 Firmware and Configuration File Maintenance ZyWALL 5/35/70 Series User’s Guide 732 49.4.2 Restore Using FTP Session Example Figure 469 Restore Using FTP Session Example Refer to Section 49.3.5 on page 728 to read about configurations that disallow TFTP and FTP over WAN. 49.4.3 Restore Via Console Port Restore configuration via co[...]

  • Page 733

    Chapter 49 Firmware and Configuration File Maintenance ZyWALL 5/35/70 Series User’s Guide 733 4 After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu. Figure 473 Successful Restoration Confirmation Screen 49.5 Uploading Firmware and Configuration Files This section [...]

  • Page 734

    Chapter 49 Firmware and Configuration File Maintenance ZyWALL 5/35/70 Series User’s Guide 734 Figure 474 Telnet Into Menu 24.7.1: Upload System Firmware 49.5.2 Configuration File Upload You see the following screen when you telnet into menu 24.7.2. Figure 475 Telnet Into Menu 24.7.2: System Maintenance To upload the firmware and the config[...]

  • Page 735

    Chapter 49 Firmware and Configuration File Maintenance ZyWALL 5/35/70 Series User’s Guide 735 49.5.3 FTP File Upload Command from the DOS Prompt Example 1 Launch the FTP client on your computer. 2 Enter “open”, followed by a space and the IP address of your ZyWALL. 3 Press [ENTER] when prompted for a username. 4 Enter your password [...]

  • Page 736

    Chapter 49 Firmware and Configuration File Maintenance ZyWALL 5/35/70 Series User’s Guide 736 2 Put the SMT in command interpreter (CI) mode by entering 8 in Menu 24 – System Maintenance. 3 Enter the command “sys stdio 0” to disable the console timeout, so the TFTP transfer will not be interrupted. Enter “command sys stdio 5” t[...]

  • Page 737

    Chapter 49 Firmware and Configuration File Maintenance ZyWALL 5/35/70 Series User’s Guide 737 Figure 477 Menu 24.7.1 As Seen Using the Console Port 2 After the "Starting Xmodem upload" message appears, activate the Xmodem protocol on your computer. Follow the procedure as shown previously for the HyperTerminal program. The pr[...]

  • Page 738

    Chapter 49 Firmware and Configuration File Maintenance ZyWALL 5/35/70 Series User’s Guide 738 Figure 479 Menu 24.7.2 As Seen Using the Console Port 2 After the "Starting Xmodem upload" message appears, activate the Xmodem protocol on your computer. Follow the procedure as shown previously for the HyperTerminal program. The proce[...]

  • Page 739

    ZyWALL 5/35/70 Series User’s Guide 739 CHAPTER 50 System Maintenance Menus 8 to 10 This chapter leads you through SMT menus 24.8 to 24.10. 50.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnost[...]

  • Page 740

    Chapter 50 System Maintenance Menus 8 to 10 ZyWALL 5/35/70 Series User’s Guide 740 50.2 Call Control Support The ZyWALL provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1. The budget management function allow[...]

  • Page 741

    Chapter 50 System Maintenance Menus 8 to 10 ZyWALL 5/35/70 Series User’s Guide 741 The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked. After each period, the total budget is reset[...]

  • Page 742

    Chapter 50 System Maintenance Menus 8 to 10 ZyWALL 5/35/70 Series User’s Guide 742 50.3 Time and Date Setting The ZyWALL’s Real Time Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server when you turn on your ZyWALL. Menu 24.10 all[...]

  • Page 743

    Chapter 50 System Maintenance Menus 8 to 10 ZyWALL 5/35/70 Series User’s Guide 743 Figure 486 Menu 24.10 System Maintenance: Time and Date Setting The following table describes the fields in this screen. Menu 24.10 - System Maintenance - Time and Date Setting Time Protocol= NTP (RFC-1305) Time Server Address= 0.pool.ntp.org Current Time: 08[...]

  • Page 744

    Chapter 50 System Maintenance Menus 8 to 10 ZyWALL 5/35/70 Series User’s Guide 744 Start Date (mm-nth-week-hr) Configure the day and time when Daylight Saving Time starts if you selected Yes in the Daylight Saving field. The hr field uses the 24 hour format. Here are a couple of examples: Daylight Saving Time starts in most parts of the U[...]

  • Page 745

    ZyWALL 5/35/70 Series User’s Guide 745 CHAPTER 51 Remote Management This chapter covers remote management found in SMT menu 24.11. 51.1 Remote Management Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. When you configure remote management to allow mana[...]

  • Page 746

    Chapter 51 Remote Management ZyWALL 5/35/70 Series User’s Guide 746 Figure 487 Menu 24.11 – Remote Management Control The following table describes the fields in this screen. Menu 24.11 - Remote Management Control TELNET Server: Port = 23 Access = Disable Secure Client IP = 0.0.0.0 FTP Server: Port = 21 Access = LAN+WAN1+DMZ+WLAN+WAN2[...]

  • Page 747

    Chapter 51 Remote Management ZyWALL 5/35/70 Series User’s Guide 747 51.1.1 Remote Management Limitations Remote management over LAN or WAN will not work when: 1 A filter in menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service. 2 You have disabled that service in menu 24.11. 3 The IP address in the Secure C[...]

  • Page 748

    Chapter 51 Remote Management ZyWALL 5/35/70 Series User’s Guide 748[...]

  • Page 749

    ZyWALL 5/35/70 Series User’s Guide 749 CHAPTER 52 IP Policy Routing This chapter covers setting and applying policies used for IP routing. 52.1 IP Routing Policy Summary Menu 25 shows the summary of a policy rule, including the criteria and the action of a single policy, and whether a policy is active or not. Each policy contains two lines. [...]

  • Page 750

    Chapter 52 IP Policy Routing ZyWALL 5/35/70 Series User’s Guide 750 52.2 IP Routing Policy Setup To set up a routing policy, perform the following procedures: 1 Type 25 in the main menu to open Menu 25 - IP Routing Policy Summary. Criteria/Action This displays the details about to which packets the policy applies and how the policy has the [...]

  • Page 751

    Chapter 52 IP Policy Routing ZyWALL 5/35/70 Series User’s Guide 751 2 Select Edit in the Select Command field; type the index number of the rule you want to configure in the Select Rule field and press [ENTER] to open Menu 25.1 - IP Routing Policy Setup (see the next figure). Figure 489 Menu 25.1: IP Routing Policy Setup The following table des[...]

  • Page 752

    Chapter 52 IP Policy Routing ZyWALL 5/35/70 Series User’s Guide 752 52.2.1 Applying Policy to Packets To apply the policy to packets received on the selected interface(s), go to Menu 25.1: IP Routing Policy Setup and press [SPACE BAR] to select Yes in the Edit policy to packets received from field. Press [ENTER] to display Menu 25.1.1 - IP R[...]

  • Page 753

    Chapter 52 IP Policy Routing ZyWALL 5/35/70 Series User’s Guide 753 Figure 490 Menu 25.1.1: IP Routing Policy Setup The following table describes the fields in this screen. 52.3 IP Policy Routing Example If a network has both Internet and remote node connections, you can route Web packets to the Internet using one policy and route FTP packets to[...]

  • Page 754

    Chapter 52 IP Policy Routing ZyWALL 5/35/70 Series User’s Guide 754 Figure 491 Example of IP Policy Routing To force Web packets coming from clients with IP addresses of 192.168.1.33 to 192.168.1.64 to be routed to the Internet via the WAN port of the ZyWALL, follow the steps as shown next. 1 Create a rule in Menu 25.1 - IP Routing Policy Se[...]

  • Page 755

    Chapter 52 IP Policy Routing ZyWALL 5/35/70 Series User’s Guide 755 2 Select Yes in the LAN field in menu 25.1.1 to apply the policy to packets received on the LAN port. 3 Check Menu 25 - IP Routing Policy Summary to see if the rule is added correctly. 4 Create another rule in menu 25.1 for this rule to route packets from any host (IP=0.0.0[...]

  • Page 756

    Chapter 52 IP Policy Routing ZyWALL 5/35/70 Series User’s Guide 756[...]

  • Page 757

    ZyWALL 5/35/70 Series User’s Guide 757 CHAPTER 53 Call Scheduling Call scheduling allows you to dictate when a remote node should be called and for how long. 53.1 Introduction to Call Scheduling The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long. This feature[...]

  • Page 758

    Chapter 53 Call Scheduling ZyWALL 5/35/70 Series User’s Guide 758 To delete a schedule set, enter the set number and press [SPACE BAR] and then [ENTER] or [DEL] in the Edit Name field. To set up a schedule set, select the schedule set you want to set up from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as show[...]

  • Page 759

    Chapter 53 Call Scheduling ZyWALL 5/35/70 Series User’s Guide 759 Once your schedule sets are configured, you must then apply them to the desired remote node(s). Enter 11 from the Main Menu and then enter the target remote node index. Press [SPACE BAR] and then [ENTER] to select PPPoE in the Encapsulation field to make the schedule sets f[...]

  • Page 760

    Chapter 53 Call Scheduling ZyWALL 5/35/70 Series User’s Guide 760 Figure 497 Applying Schedule Set(s) to a Remote Node (PPTP) Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Allocated Budget(min)= 0 Outgoing= Period(hr)= 0 My Login= Schedule s[...]

  • Page 761

    761 PART VII Troubleshooting and Product Specifications Troubleshooting (763) Product Specifications (769)[...]

  • Page 762

    762[...]

  • Page 763

    ZyWALL 5/35/70 Series User’s Guide 763 CHAPTER 54 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories. • Power, Hardware Connections, and LEDs • ZyWALL Access and Login • Internet Access • Wireless Router/AP Troubleshooting ?[...]

  • Page 764

    Chapter 54 Troubleshooting ZyWALL 5/35/70 Series User’s Guide 764 54.2 ZyWALL Access and Login V I forgot the LAN IP address for the ZyWALL. 1 The default LAN IP address is 192.168.1.1. 2 Use the console port to log in to the ZyWALL. 3 If you changed the IP address and have forgotten it, you might get the IP address of the ZyWALL by l[...]

  • Page 765

    Chapter 54 Troubleshooting ZyWALL 5/35/70 Series User’s Guide 765 • If there is a DHCP server on your network, make sure your computer is using a dynamic IP address. See Appendix D on page 795. Your ZyWALL is a DHCP server by default. 6 Reset the device to its factory defaults, and try to access the ZyWALL with the default IP address. [...]

  • Page 766

    Chapter 54 Troubleshooting ZyWALL 5/35/70 Series User’s Guide 766 See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser. V I cannot use FTP to upload / download the configuration file. / I cannot use FTP to upload new firmware. See the troublesho[...]

  • Page 767

    Chapter 54 Troubleshooting ZyWALL 5/35/70 Series User’s Guide 767 V I cannot access the Internet anymore. I had access to the Internet (with the ZyWALL), but my Internet connection is not available anymore. 1 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 2.6 on page 59[...]

  • Page 768

    Chapter 54 Troubleshooting ZyWALL 5/35/70 Series User’s Guide 768 5 Check that both the ZyWALL and your wireless station are using the same wireless and wireless security settings. 6 Make sure traffic between the WLAN and the LAN is not blocked by the firewall on the ZyWALL. 7 Make sure you allow the ZyWALL to be remotely accessed throu[...]

  • Page 769

    ZyWALL 5/35/70 Series User’s Guide 769 CHAPTER 55 Product Specifications The following tables summarize the ZyWALL’s hardware and firmware features. Table 268 Hardware Specifications Dimensions ZyWALL 70: 355(L) x 200(D) x 55(H) mm ZyWALL 5 and ZyWALL 35: 242.0(W) x 175.0(D) x 35.5(H) mm Weight ZyWALL 70: 2,600g ZyWALL 5 and ZyWALL 3[...]

  • Page 770

    Chapter 55 Product Specifications ZyWALL 5/35/70 Series User’s Guide 770 Table 269 Firmware Specifications FEATURE DESCRIPTION Default IP Address 192.168.1.1 Default Subnet Mask 255.255.255.0 (24 bits) Default Password 1234 Default DHCP Pool 192.168.1.33 to 192.168.1.160 Device Management Use the web configurator to easily configure the ri[...]

  • Page 771

    Chapter 55 Product Specifications ZyWALL 5/35/70 Series User’s Guide 771 Firewall You can configure firewall on the ZyXEL Device for secure Internet access. When the firewall is on, by default, all incoming traffic from the Internet to your network is blocked unless it is initiated from your network. This means that probes from the outside [...]

  • Page 772

    Chapter 55 Product Specifications ZyWALL 5/35/70 Series User’s Guide 772 Compatible ZyXEL WLAN Cards The following table lists the ZyXEL WLAN cards that you can use in the ZyWALL at the time of writing. It also shows the security features that each card supports. Check the product page on the www.zyxel.com website for updates on ZyXE[...]

  • Page 773

    Chapter 55 Product Specifications ZyWALL 5/35/70 Series User’s Guide 773 55.1 Compatible 3G Cards At the time of writing, you can use the following 3G wireless cards in the ZyWALL 5. The table also shows you the 3G features supported by the compatible 3G cards. Table 272 3G Features Supported By Compatible 3G Cards 3G CARD FEATURES SIERRA[...]

  • Page 774

    Chapter 55 Product Specifications ZyWALL 5/35/70 Series User’s Guide 774 Manual or automatic service provider selection via the web configurator YYY Signal strength update even when data is transmitting YYY Network type update even when data is transmitting Roaming status update even when data is transmitting Dormant status update after the con[...]

  • Page 775

    Chapter 55 Product Specifications ZyWALL 5/35/70 Series User’s Guide 775 55.2 Power Adaptor Specifications Budget Control Y Y Y Y Y Bandwidth Management Y Y Y Y Y Table 274 3G Features Supported By Additional Compatible 3G Cards 3G CARD FEATURES HUAWEI EC500 HUAWEI E220 OPTION GLOBETROTTER HSDPA 7.2 READY NOVATEL MERLIN EX720 NOVAT[...]

  • Page 776

    Chapter 55 Product Specifications ZyWALL 5/35/70 Series User’s Guide 776 Cable Pin Assignments In a serial communications connection, generally a computer is DTE (Data Terminal Equipment) and a modem is DCE (Data Circuit-terminating Equipment). The ZyWALL is DCE when you connect a computer to the console port. The ZyWALL is DTE when you co[...]

  • Page 777

    Chapter 55 Product Specifications ZyWALL 5/35/70 Series User’s Guide 777 Table 282 Ethernet Cable Pin Assignments WAN / LAN ETHERNET CABLE PIN LAYOUT Straight-through Crossover (Switch) (Adapter) (Switch) (Switch) 1 IRD + 1 OTD + 1 IRD + 1 IRD + 2 IRD - 2 OTD - 2 IRD - 2 IRD - 3 OTD + 3 IRD + 3 OTD + 3 OTD + 6 OTD - 6 IRD - 6 OTD - 6 OTD -[...]

  • Page 778

    Chapter 55 Product Specifications ZyWALL 5/35/70 Series User’s Guide 778[...]

  • Page 779

    779 PART VIII Appendices and Index Removing and Installing a Fuse (781) Common Services (783) Wireless LANs (787) Windows 98 SE/Me Requirements for Anti-Virus Message Display (801) Legal Information (805) Customer Support (809) Index (815)[...]

  • Page 780

    780[...]

  • Page 781

    ZyWALL 5/35/70 Series User’s Guide 781 APPENDIX A Removing and Installing a Fuse This appendix shows you how to remove and install fuses for the ZyWALL. If you need to install a new fuse, follow the procedure below. If you use a fuse other than the included fuses, make sure it matches the fuse specifications in the product specifica[...]

  • Page 782

    Appendix A Removing and Installing a Fuse ZyWALL 5/35/70 Series User’s Guide 782[...]

  • Page 783

    ZyWALL 5/35/70 Series User’s Guide 783 APPENDIX B Common Services The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Number Authority) web site. • Name: This is a short, descrip[...]

  • Page 784

    Appendix B Common Services ZyWALL 5/35/70 Series User’s Guide 784 FTP TCP TCP 20 21 File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail. H.323 TCP 1720 NetMeeting uses this protocol. HTTP TCP 80 Hyper Text Transfer Protocol - a client/server protocol for the world wid[...]

  • Page 785

    Appendix B Common Services ZyWALL 5/35/70 Series User’s Guide 785 RTELNET TCP 107 Remote Telnet. RTSP TCP/UDP 554 The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet. SFTP TCP 115 Simple File Transfer Protocol. SMTP TCP 25 Simple Mail Transfer Protocol is the message-exchange standa[...]

  • Page 786

    Appendix B Common Services ZyWALL 5/35/70 Series User’s Guide 786[...]

  • Page 787

    ZyWALL 5/35/70 Series User’s Guide 787 APPENDIX C Wireless LANs Wireless LAN Topologies This section discusses ad-hoc and infrastructure wireless LAN topologies. Ad-hoc Wireless LAN Configuration The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two [...]

  • Page 788

    Appendix C Wireless LANs ZyWALL 5/35/70 Series User’s Guide 788 Figure 500 Basic Service Set ESS An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type o[...]

  • Page 789

    Appendix C Wireless LANs ZyWALL 5/35/70 Series User’s Guide 789 Figure 501 Infrastructure WLAN Channel A channel is the radio frequency(ies) used by wireless devices to transmit and receive data. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a channel different from an[...]

  • Page 790

    Appendix C Wireless LANs ZyWALL 5/35/70 Series User’s Guide 790 Figure 502 RTS/CTS When station A sends data to the AP, it might not know that the station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of me[...]

  • Page 791

    Appendix C Wireless LANs ZyWALL 5/35/70 Series User’s Guide 791 If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size. Preamble Type Preamble is used to s[...]

  • Page 792

    Appendix C Wireless LANs ZyWALL 5/35/70 Series User’s Guide 792 Wireless security methods available on the ZyWALL are data encryption, wireless client authentication, restricting access by device MAC address and hiding the ZyWALL identity. The following figure shows the relative effectiveness of these wireless security methods available on[...]

  • Page 793

    Appendix C Wireless LANs ZyWALL 5/35/70 Series User’s Guide 793 Determines the network services available to authenticated users once they are connected to the network. • Accounting Keeps track of the client’s network activity. RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the[...]

  • Page 794

    Appendix C Wireless LANs ZyWALL 5/35/70 Series User’s Guide 794 For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called digital IDs) can be used to authenticate users and a CA issues certificates and guarantees the ide[...]

  • Page 795

    Appendix C Wireless LANs ZyWALL 5/35/70 Series User’s Guide 795 Dynamic WEP Key Exchange The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed. If this feature is[...]

  • Page 796

    Appendix C Wireless LANs ZyWALL 5/35/70 Series User’s Guide 796 Encryption Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA and WPA2 use Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code P[...]

  • Page 797

    Appendix C Wireless LANs ZyWALL 5/35/70 Series User’s Guide 797 Wireless Client WPA Supplicants A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odysse[...]

  • Page 798

    Appendix C Wireless LANs ZyWALL 5/35/70 Series User’s Guide 798 3 The AP and wireless clients generate a common PMK (Pairwise Master Key). The key itself is not sent over the network, but is derived from the PSK and the SSID. 4 The AP and wireless clients use the TKIP or AES encryption process, the PMK and information exchanged in a handshake to [...]

  • Page 799

    Appendix C Wireless LANs ZyWALL 5/35/70 Series User’s Guide 799 Antenna Overview An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air. Positioning the antennas pro[...]

  • Page 800

    Appendix C Wireless LANs ZyWALL 5/35/70 Series User’s Guide 800 Positioning Antennas In general, antennas should be mounted as high as practically possible and free of obstructions. In point-to–point application, position both antennas at the same height and in a direct line of sight to each other to attain the best performance. For omni-dir[...]

  • Page 801

    ZyWALL 5/35/70 Series User’s Guide 801 APPENDIX D Windows 98 SE/Me Requirements for Anti-Virus Message Display With the anti-virus packet scan, when a virus is detected, an alert message is displayed on Microsoft Windows-based computers. For Windows 98 SE/Me, you must open the WinPopup window in order to view real-time alert messages. [...]

  • Page 802

    Appendix D Windows 98 SE/Me Requirements for Anti-Virus Message Display ZyWALL 5/35/70 Series User’s Guide 802 Figure 506 Windows 98 SE: Program Task Bar 2 Click the Start Menu Programs tab and click Advanced ... Figure 507 Windows 98 SE: Task Bar Properties 3 Double-click Programs and click StartUp. 4 Right-click in the StartUp [...]

  • Page 803

    Appendix D Windows 98 SE/Me Requirements for Anti-Virus Message Display ZyWALL 5/35/70 Series User’s Guide 803 Figure 508 Windows 98 SE: StartUp 5 A Create Shortcut window displays. Enter “winpopup” in the Command line field and click Next. Figure 509 Windows 98 SE: Startup: Create Shortcut 6 Specify a name for the shortcut or accept th[...]

  • Page 804

    Appendix D Windows 98 SE/Me Requirements for Anti-Virus Message Display ZyWALL 5/35/70 Series User’s Guide 804 Figure 510 Windows 98 SE: Startup: Select a Title for the Program 7 A shortcut is created in the StartUp pane. Restart the computer when prompted. Figure 511 Windows 98 SE: Startup: Shortcut The WinPopup window displays a[...]

  • Page 805

    ZyWALL 5/35/70 Series User’s Guide 805 APPENDIX E Legal Information Copyright Copyright © 2008 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, [...]

  • Page 806

    Appendix E Legal Information ZyWALL 5/35/70 Series User’s Guide 806 This device has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This device generates,[...]

  • Page 807

    Appendix E Legal Information ZyWALL 5/35/70 Series User’s Guide 807 Viewing Certifications 1 Go to http://www.zyxel.com. 2 Select your product on the ZyXEL home page to go to that product's page. 3 Select the certification you wish to view from this page. ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that[...]

  • Page 808

    Appendix E Legal Information ZyWALL 5/35/70 Series User’s Guide 808[...]

  • Page 809

    ZyWALL 5/35/70 Series User’s Guide 809 A PPENDIX F Customer Support In the event of problems that cannot be solved by using this manual, you should contact your vendor . If you cannot contact yo ur vendor , then contac t a ZyXEL office for the region in which you bought the dev ice. Regional of fices are listed below (see also http:// www .zyxel.[...]

  • Page 810

    Appendix F Customer Support ZyWALL 5/35/70 Series User’s Guide 810 • Address: 1005F, ShengGao International Tower, No.137 XianXia Rd., Shanghai • Web: http://www.zyxel.cn Costa Rica • Support E-mail: soporte@zyxel.co.cr • Sales E-mail: sales@zyxel.co.cr • Telephone: +506-2017878 • Fax: +506-2015098 • Web: www.zyxel.co[...]

  • Page 811

    Appendix F Customer Support ZyWALL 5/35/70 Series User’s Guide 811 Germany • Support E-mail: support@zyxel.de • Sales E-mail: sales@zyxel.de • Telephone: +49-2405-6909-69 • Fax: +49-2405-6909-99 • Web: www.zyxel.de • Regular Mail: ZyXEL Deutschland GmbH., Adenauerstr. 20/A2 D-52146, Wuerselen, Germany Hungary • Supp[...]

  • Page 812

    Appendix F Customer Support ZyWALL 5/35/70 Series User’s Guide 812 Malaysia • Support E-mail: support@zyxel.com.my • Sales E-mail: sales@zyxel.com.my • Telephone: +603-8076-9933 • Fax: +603-8076-9833 • Web: http://www.zyxel.com.my • Regular Mail: ZyXEL Malaysia Sdn Bhd., 1-02 & 1-03, Jalan Kenari 17F, Bandar Puchong Jaya,[...]

  • Page 813

    Appendix F Customer Support ZyWALL 5/35/70 Series User’s Guide 813 Singapore • Support E-mail: support@zyxel.com.sg • Sales E-mail: sales@zyxel.com.sg • Telephone: +65-6899-6678 • Fax: +65-6899-8887 • Web: http://www.zyxel.com.sg • Regular Mail: ZyXEL Singapore Pte Ltd., No. 2 International Business Park, The Strategy #03-28, Sing[...]

  • Page 814

    Appendix F Customer Support ZyWALL 5/35/70 Series User’s Guide 814 Turkey • Support E-mail: cso@zyxel.com.tr • Telephone: +90 212 222 55 22 • Fax: +90-212-220-2526 • Web: http:www.zyxel.com.tr • Address: Kaptanpasa Mahallesi Piyalepasa Bulvari Ortadogu Plaza N:14/13 K:6 Okmeydani/Sisli Istanbul/Turkey Ukraine • Support E-m[...]

  • Page 815

    Index ZyWALL 5/35/70 Series User’s Guide 815 Index Numerics 9600 baud 605 A access control 281 active protocol 394 AH 394 and encapsulation 394 ESP 394 Address Assignment 479 address assignment 182 ADP (Anomaly, Detection and Prevention) 277, 289 Advanced Encryption Standard See AES. AES 796 AH 394 and transport mode 395 ALG 531 RTP 532 SIP [...]

  • Page 816

    Index ZyWALL 5/35/70 Series User’s Guide 816 Bridge Protocol Data Unit. See BPDU. broadcast 152 BSS 787 budget 663 budget management 740 buffer overflow 281 C CA 399, 794 call back delay 623 call control 740 call history 741 call scheduling 757 max number of schedule sets 757 PPPoE 759 precedence 757 setting up a schedule 758 call-triggering pac[...]

  • Page 817

    Index ZyWALL 5/35/70 Series User’s Guide 817 diagnostic 722 diagnostics 599 dial timeout 623 Diffie-Hellman key group 389 Perfect Forward Secrecy (PFS) 395 digest 314 disclaimer 805 DMZ IP alias setup 647 port filter setup 645 setup 645 TCP/IP setup 646 DNS 513 DNS Server For VPN Host 480 DNS server address assignment 183 domain name 716 Domain [...]

  • Page 818

    Index ZyWALL 5/35/70 Series User’s Guide 818 one minute high 265 one minute low 265 rules 251 rules for VPN 122, 127 service type 266 SMT menus 693 stateful inspection 251 TCP maximum incomplete 265 three-way handshake 275 VPN 127 when to use 707 firmware file maintenance 725 upload 595 firmware upload 733 FTP 733 flow control 605 fragmentation[...]

  • Page 819

    Index ZyWALL 5/35/70 Series User’s Guide 819 IP address assignment 640, 665 pool 151, 154, 212, 222, 635 private 150 IP alias 636 IP alias setup 636 DMZ 647 IP policy routing 457, 749 IP protocol type 262 IP routing policy 749 IP static route 669 active 670 destination IP address 671 name 670 route number 670 IPSec 357 established in two p[...]

  • Page 820

    Index ZyWALL 5/35/70 Series User’s Guide 820 N nailed-up connection 662, 664 NAT 150, 435, 441, 442, 626, 641, 665, 666, 706 and VPN 392 application 449 configuring 675 default server IP address 441 examples 683 in the SMT 673 inside global address 447 inside local address 447 Many to Many No Overload 435 Many to Many Overload 435 M[...]

  • Page 821

    Index ZyWALL 5/35/70 Series User’s Guide 821 product registration 807 protocol filter 637 incoming 637 outgoing 637 PSK 796 Q QoS 457 Quality of Service. See QoS. query view (IDP) 284 R RADIUS 231, 244, 792 and IKE SA 391 message types 244, 793 messages 793 shared secret key 244, 793 Rapid Spanning Tree Protocol. See Rapid STP. Rapid STP 1[...]

  • Page 822

    Index ZyWALL 5/35/70 Series User’s Guide 822 scanner types 310 schedule 661, 664 duration 758 searching for IDP signatures 284 secure FTP using SSH 504 secure Telnet using SSH 502 security associations. See VPN. security settings for VPN traffic 119 server set 675 service set 230, 233 service type 266, 640, 660 services 141 Session Initiat[...]

  • Page 823

    Index ZyWALL 5/35/70 Series User’s Guide 823 time 588 and date setting 742 Daylight Saving Time 589 resetting 588 synchronization with server 590 zone 589, 744 Time protocol 589 time protocol 589 Daytime 589 NTP 589 Time 589 time setting 742 timeout system 492 TKIP 245 To VPN traffic 121 ToS 457 trace 717 trademarks 805 traffic from VPN [...]

  • Page 824

    Index ZyWALL 5/35/70 Series User’s Guide 824 warranty 807 note 807 web attack 282 web configurator 61 web site hits 541 WEP encryption 239, 242 whitelist 314, 321 Wi-Fi Protected Access 795 Wi-Fi Protected Access. See WPA. Windows Internet Naming Service. See WINS. WinPopup window 801 WINS 152, 154 WINS server 154 wireless channel 767 wirel[...]