ZyXEL Communications 10 manual

Table of contents for the manual

  • Page 1

    ZyWALL 10/50 Internet Security Gateway User's Guide Version 3.50 May 2002[...]

  • Page 2

    ZYWALL 10/50 Internet Security Gateway ii Copyright Copyright © 2002 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magn[...]

  • Page 3

    ZYWALL 10/50 Internet Security Gateway FCC iii Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: • This device may not cause harmful interference. • This device must accept any interference received, including interference that [...]

  • Page 4

    ZYWALL 10/50 Internet Security Gateway iv Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective operation and safety requirements. The Industry Canada label does not guarantee that[...]

  • Page 5

    ZYWALL 10/50 Internet Security Gateway Declaration of Conformity v Declaration of Conformity We, the Manufacturer/Importer, ZyXEL Communications Corp. No. 6, Innovation Rd. II, Science-Based Industrial Park, Hsinchu, Taiwan, 300 R.O.C declare that the product ZYWALL 10/50 is in conformity with (reference to the specification under which conformit[...]

  • Page 6

    ZYWALL 10/50 Internet Security Gateway vi ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the produ[...]

  • Page 7

    ZYWALL 10/50 Internet Security Gateway Customer Support vii Customer Support Please have the following information ready when you contact customer support. • Product model and serial number. • Information in Menu 24.2.1 – System Information. • Warranty Information. • Date that you received your device. • Brief description of the[...]

  • Page 8

    ZYWALL 10/50 Internet Security Gateway viii Table of Contents Copyright ... ii Federal Communications Commission (FCC) Interference Statement ...[...]

  • Page 9

    ZYWALL 10/50 Internet Security Gateway Table of Contents ix 3.1 Turning On Your ZyWALL ... 3-1 3.1.1 Initial Screen ... 3-1 3.1.2 En[...]

  • Page 10

    ZYWALL 10/50 Internet Security Gateway x Table of Contents 5.3.7 IP Alias ... 5-5 5.4 TCP/IP and DHCP Ethernet Setup Menu ... 5-5 5.4.1 IP Al[...]

  • Page 11

    ZYWALL 10/50 Internet Security Gateway Table of Contents xi 9.1.5 NAT Mapping Types ... 9-4 9.2 Using NAT ... 9-6 9.2[...]

  • Page 12

    ZYWALL 10/50 Internet Security Gateway xii Table of Contents 10.5.4 UDP/ICMP Security ... 10-10 10.5.5 Upper Layer Protocols ... 10-11 10.6 Guidelin[...]

  • Page 13

    ZYWALL 10/50 Internet Security Gateway Table of Contents xiii 13.2.1 Rule Checklist ... 13-1 13.2.2 Security Ramifications ... 13-2 13.2.3 [...]

  • Page 14

    [...]

  • Page 15

    Getting Started I Part I: Getting Started This part is structured as a step-by-step guide to help you connect, install and set up your ZyWALL to operate on your network and access the Internet.[...]

  • Page 16

    [...]

  • Page 17

    ZyWALL 10/50 Internet Security Gateway Getting to Know Your ZyWALL 1-1 Chapter 1 Getting to Know Your ZyWALL This chapter introduces the main features and applications of the ZyWALL. 1.1 The ZyWALL 10/50 Internet Security Gateway The ZyWALL 10/50 is a dual Ethernet Internet security gateway integrated with a robust firewall and network manage[...]

  • Page 18

    ZyWALL 10/50 Internet Security Gateway 1-2 Getting to Know Your ZyWALL You can configure most features of the ZyWALL via SMT but we recommend you configure the firewall and Content Filters using the ZyWALL web configurator. Content Filtering The ZyWALL can block web features such as ActiveX controls, Java applets and cookies, as well a[...]

  • Page 19

    ZyWALL 10/50 Internet Security Gateway Getting to Know Your ZyWALL 1-3 Network Address Translation (NAT) NAT (Network Address Translation - NAT, RFC 1631) allows the translation of an Internet Protocol address used within one network to a different IP address known within another network. Port Forwarding Use this feature to forward i[...]

  • Page 20

    ZyWALL 10/50 Internet Security Gateway 1-4 Getting to Know Your ZyWALL 1.3 Applications 1.3.1 Secure Broadband Internet Access via Cable or DSL Modem A cable modem or xDSL modem can connect to the ZyWALL 10/50 for broadband Internet access via Ethernet port on the modem. It provides not only high speed Internet access, but secured internal n[...]

  • Page 21

    ZyWALL 10/50 Internet Security Gateway Getting to Know Your ZyWALL 1-5 1.3.2 VPN Application ZyWALL VPN is an ideal cost-effective way to connect branch offices and business partners over the Internet without the need (and expense) for leased lines between sites. Figure 1-3 VPN Application[...]

  • Page 22

    [...]

  • Page 23

    ZyWALL 10/50 Internet Security Gateway Hardware Installation 2-1 Chapter 2 Hardware Installation This chapter explains the LEDs and ports as well as how to connect the hardware and perform the initial setup. 2.1 Front Panel LEDs and Back Panel Ports 2.1.1 Front Panel LEDs The LEDs on the front panel indicate the operational status of the Zy[...]

  • Page 24

    ZyWALL 10/50 Internet Security Gateway 2-2 Hardware Installation Table 2-1 LED Descriptions LED FUNCTION COLOR STATUS MEANING Flashing The 10M LAN is sending/receiving packets. Off The 100M LAN is not connected. On The ZyWALL is connected to a 100Mbps LAN. 100M LAN LAN Orange Flashing The 100M LAN is sending/receiving packets. Off The 10M WAN [...]

  • Page 25

    ZyWALL 10/50 Internet Security Gateway Hardware Installation 2-3 Figure 2-2 ZyWALL 10 Rear Panel and Connections[...]

  • Page 26

    ZyWALL 10/50 Internet Security Gateway 2-4 Hardware Installation Figure 2-3 ZyWALL 50 Rear Panel and Connections This section outlines how to connect your ZyWALL 10/50 to the LAN and the WAN. If you want to connect a cable modem you must connect the coaxial cable from your cable service to the threaded coaxial cable connector on the back of [...]

  • Page 27

    ZyWALL 10/50 Internet Security Gateway Hardware Installation 2-5 port) of your computer. You can use an extension RS-232 cable if the enclosed one is too short. After the initial setup, you can modify the configuration remotely through telnet connections. Step 2. Connecting the ZyWALL to the Broadband Modem Step 2a. Connecting the ZyWALL t[...]

  • Page 28

    ZyWALL 10/50 Internet Security Gateway 2-6 Hardware Installation 2.3 Additional Installation Requirements In addition to the contents of your package, there are other hardware and software requirements you need before you can install and use your ZyWALL. These requirements include: 1. A computer with an Ethernet NIC (Network Interface Card) in[...]

  • Page 29

    ZyWALL 10/50 Internet Security Gateway Initial Setup 3-1 Chapter 3 Initial Setup This chapter explains how to perform initial ZyWALL setup and gives an overview of SMT menus. 3.1 Turning On Your ZyWALL At this point, you should have connected the console port, the LAN port, the WAN port and the power port to the appropriate devices or lines.[...]

  • Page 30

    ZyWALL 10/50 Internet Security Gateway 3-2 Initial Setup Figure 3-2 Password Screen 3.2 Navigating the SMT Interface The SMT (System Management Terminal) is the interface that you use to configure your ZyWALL. Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below. Table [...]

  • Page 31

    ZyWALL 10/50 Internet Security Gateway Initial Setup 3-3 3.2.1 Main Menu After you enter the password, the SMT displays the ZyWALL Main Menu, as shown next. Figure 3-3 ZyWALL Main Menu 3.2.2 System Management Terminal Interface Summary Table 3-2 Main Menu Summary NO. MENU TITLE FUNCTION 1 General Setup Use this menu to set up administrative in[...]

  • Page 32

    ZyWALL 10/50 Internet Security Gateway 3-4 Initial Setup Table 3-2 Main Menu Summary NO. MENU TITLE FUNCTION 23 System Password Change your password in this menu (recommended). 24 System Maintenance From displaying system status to uploading firmware, this menu provides comprehensive system maintenance. 26 Schedule Setup Use this menu to sch[...]

  • Page 33

    ZyWALL 10/50 Internet Security Gateway Initial Setup 3-5 3.2.3 SMT Menus at a Glance Figure 3-4 Getting Started and Advanced Applications SMT Menus[...]

  • Page 34

    ZyWALL 10/50 Internet Security Gateway 3-6 Initial Setup Figure 3-5 Advanced Management SMT Menus[...]

  • Page 35

    ZyWALL 10/50 Internet Security Gateway Initial Setup 3-7 Figure 3-6 IPSec VPN Configuration SMT Menus 3.3 Changing the System Password The first thing you should do is change the default system password by following the steps shown next. Step 1. Enter 23 in the main menu to open Menu 23 - System Password as shown below. Figure 3-7 Menu 23 ?[...]

  • Page 36

    ZyWALL 10/50 Internet Security Gateway 3-8 Initial Setup Step 4. Re-type your new system password for confirmation and press [ENTER]. Note that as you type a password, the screen displays an (X) for each character you type. 3.4 Resetting the ZyWALL If you forget your password or cannot access the ZyWALL, you will need to reload the facto[...]

  • Page 37

    ZyWALL 10/50 Internet Security Gateway Initial Setup 3-9 3.4.2 Procedure To Use The Reset Button Make sure the SYS LED is on (not blinking) before you begin this procedure. 1. Press the RESET button for ten seconds, then release it. If the SYS LED begins to blink, the defaults have been restored and the ZyWALL restarts. Otherwise, go t[...]

  • Page 38

    [...]

  • Page 39

    ZyWALL 10/50 Internet Security Gateway General and WAN Setup 4-1 Chapter 4 General and WAN Setup Menu 1 - General Setup contains administrative and system-related information. Clone a LAN computer MAC address in the Menu 2 - WAN Setup. 4.1 System Name System Name is for identification purposes. ZyXEL recommends you enter your computer?[...]

  • Page 40

    ZyWALL 10/50 Internet Security Gateway 4-2 General and WAN Setup IP address that changes each time you reconnect. Your friends or relatives will always be able to call you even if they don't know your IP address. First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is for people with a dynamic IP from[...]

  • Page 41

    ZyWALL 10/50 Internet Security Gateway General and WAN Setup 4-3 Domain Name Enter the domain name (if you know it) here. If you leave this field blank, the ISP may assign a domain name via DHCP. You can go to menu 24.8 and type "sys domain name" to see the current domain name used by your router. If you want to clear this field just [...]

  • Page 42

    ZyWALL 10/50 Internet Security Gateway 4-4 General and WAN Setup FIELD DESCRIPTION EXAMPLE Active Press [SPACE BAR] to select Yes and then press [ENTER] to make dynamic DNS active. Yes DDNS Type Press [SPACE BAR] and then [ENTER] to select DynamicDNS if you have a dynamic IP address(es). Select StaticDNS if you have a static IP address(s). Sele[...]

  • Page 43

    ZyWALL 10/50 Internet Security Gateway General and WAN Setup 4-5 If you have a private WAN IP address, then you cannot use Dynamic DNS. 4.4 WAN Setup This section describes how to configure the WAN using Menu 2 — WAN Setup. From the main menu, enter 2 to open menu 2. ZyXEL recommends you configure this menu even if your ISP does not req[...]

  • Page 44

    ZyWALL 10/50 Internet Security Gateway 4-6 General and WAN Setup FIELD DESCRIPTION EXAMPLE IP Address This field is applicable only if you choose the IP Address attached on LAN method. Enter the IP address of the computer on the LAN whose MAC you are cloning. N/A When you have completed this menu, press [ENTER] at the prompt "Press ENTER to [...]

  • Page 45

    ZyWALL 10/50 Internet Security Gateway LAN Setup 5-1 Chapter 5 LAN Setup This chapter describes how to configure the LAN using Menu 3 – LAN Setup. 5.1 Introduction This section describes how to configure the LAN using Menu 3 — LAN Setup. From the main menu, enter 3 to open menu 3. Figure 5-1 Menu 3 — LAN Setup 5.2 LAN Port Filter Setup T[...]

  • Page 46

    ZyWALL 10/50 Internet Security Gateway 5-2 LAN Setup 5.3.1 Factory LAN Defaults The LAN parameters of the ZyWALL are preset in the factory with the following values: 1. IP address of 192.168.1.1 with subnet mask of 255.255.255.0 (24 bits). 2. DHCP server enabled with 32 client IP addresses starting from 192.168.1.33. These parameters shoul[...]

  • Page 47

    ZyWALL 10/50 Internet Security Gateway LAN Setup 5-3 Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask. If the ISP did not explicitly give you an IP ne[...]

  • Page 48

    ZyWALL 10/50 Internet Security Gateway 5-4 LAN Setup Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space. 5.3.5[...]

  • Page 49

    ZyWALL 10/50 Internet Security Gateway LAN Setup 5-5 5.3.7 IP Alias IP Alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LAN network. Figure[...]

  • Page 50

    ZyWALL 10/50 Internet Security Gateway 5-6 LAN Setup Figure 5-6 Menu 3.2 — TCP/IP and DHCP Ethernet Setup Follow the instructions in the next table on how to configure the DHCP fields. Table 5-3 DHCP Ethernet Setup Menu Fields FIELD DESCRIPTION EXAMPLE DHCP This field enables/disables the DHCP server. If set to Server, your ZyWALL will act a[...]

  • Page 51

    ZyWALL 10/50 Internet Security Gateway LAN Setup 5-7 Table 5-3 DHCP Ethernet Setup Menu Fields FIELD DESCRIPTION EXAMPLE DHCP Server Address If Relay is selected in the DHCP field above, then type in the IP address of the actual, remote DHCP server here. Follow the instructions in the following table to configure TCP/IP parameters for the LAN p[...]

  • Page 52

    ZyWALL 10/50 Internet Security Gateway 5-8 LAN Setup Figure 5-7 Menu 3.2.1 — IP Alias Setup Use the instructions in the following table to configure IP Alias parameters. Table 5-5 IP Alias Setup Menu Fields FIELD DESCRIPTION EXAMPLE IP Alias Choose Yes to configure the LAN network for the ZyWALL. Yes IP Address Enter the IP address of your ZyWA[...]

  • Page 53

    ZyWALL 10/50 Internet Security Gateway Internet Access 6-1 Chapter 6 Internet Access This chapter shows you how to configure your ZyWALL for Internet access. 6.1 Internet Access Setup You will see three different menu 4 screens depending on whether you chose Ethernet, PPTP or PPPoE Encapsulation. 6.1.1 Ethernet Encapsulation You must choose th[...]

  • Page 54

    ZyWALL 10/50 Internet Security Gateway 6-2 Internet Access Table 6-1 Internet Access Setup Menu Fields FIELD DESCRIPTION Encapsulation Press [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for IP Address. Service Type Press [SPACE BAR] to select Standard, RR-Toshiba (RoadRunner Toshiba aut[...]

  • Page 55

    ZyWALL 10/50 Internet Security Gateway Internet Access 6-3 The ZyWALL 10/50 supports one PPTP server connection at any given time. 6.1.3 Configuring the PPTP Client To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection. After configuring My Login an[...]

  • Page 56

    ZyWALL 10/50 Internet Security Gateway 6-4 Internet Access For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (e.g., Radius). For the user, PPPoE provides a login & authentication method that the existing Microsoft Dial-Up Networking software can activate, and [...]

  • Page 57

    ZyWALL 10/50 Internet Security Gateway Internet Access 6-5 If you need a PPPoE service name to identify and reach the PPPoE server, please go to menu 11 and enter the PPPoE service name provided to you in the Service Name field. 6.2 Basic Setup Complete Well done! You have successfully connected, installed and set up your ZyWALL to operate on y[...]

  • Page 58

    [...]

  • Page 59

    Advanced Applications II Part II: Advanced Applications This part covers Remote Node Setup, IP Static Route Setup and Network Address Translation.[...]

  • Page 60

    [...]

  • Page 61

    ZyWALL 10/50 Internet Security Gateway Remote Node Setup 7-1 Chapter 7 Remote Node Setup This chapter shows you how to configure a remote node. A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note that when you use men[...]

  • Page 62

    ZyWALL 10/50 Internet Security Gateway 7-2 Remote Node Setup Figure 7-1 Menu 11.1 — Remote Node Profile for Ethernet Encapsulation Table 7-1 Fields in Menu 11.1 FIELD DESCRIPTION EXAMPLE Rem Node Name Enter a descriptive name for the remote node. This field can be up to eight characters. LAoffice Active Press [SPACE BAR] to select Yes (activa[...]

  • Page 63

    ZyWALL 10/50 Internet Security Gateway Remote Node Setup 7-3 Table 7-1 Fields in Menu 11.1 FIELD DESCRIPTION EXAMPLE Outgoing My Login Enter the login name assigned by your ISP when the ZyWALL calls this remote node. Some ISPs append this field to the Service Name field above (e.g., jim@poellc) to access the PPPoE server. jim My Password Enter t[...]

  • Page 64

    ZyWALL 10/50 Internet Security Gateway 7-4 Remote Node Setup Figure 7-2 Menu 11.1 — Remote Node Profile for PPPoE Encapsulation Outgoing Authentication Protocol Generally speaking, you should employ the strongest authentication protocol possible, for obvious reasons. However, some vendor's implementation includes specific authen[...]

  • Page 65

    ZyWALL 10/50 Internet Security Gateway Remote Node Setup 7-5 Table 7-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific) FIELD DESCRIPTION EXAMPLE Authen This field sets the authentication protocol used for outgoing calls. Options for this field are: CHAP / PAP - Your ZyWALL will accept either CHAP or PAP when requested by this remote node. C[...]

  • Page 66

    ZyWALL 10/50 Internet Security Gateway 7-6 Remote Node Setup Figure 7-3 Menu 11.1 — Remote Node Profile for PPTP Encapsulation The next table shows how to configure fields in menu 11.1 not previously discussed above. Table 7-3 Fields in Menu 11.1 (PPTP Encapsulation) FIELD DESCRIPTION EXAMPLE Encapsulation Toggle the space bar to choose PP[...]

  • Page 67

    ZyWALL 10/50 Internet Security Gateway Remote Node Setup 7-7 7.2 Editing TCP/IP Options (with Ethernet Encapsulation) Move the cursor to the Edit IP field in menu 11.1, press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Network Layer Options. Figure 7-4 Menu 11.3 — Remote Node Network Layer Options The next table gives you[...]

  • Page 68

    ZyWALL 10/50 Internet Security Gateway 7-8 Remote Node Setup Table 7-4 Remote Node Network Layer Options Menu Fields FIELD DESCRIPTION EXAMPLE Metric This field is valid only for PPTP/PPPoE encapsulation. The metric represents the "cost" of transmission for routing purposes. IP routing uses hop count as the measurement of cost, with a min[...]

  • Page 69

    ZyWALL 10/50 Internet Security Gateway Remote Node Setup 7-9 Figure 7-5 Menu 11.3 — Remote Node Network Layer Options The next table gives you instructions about configuring remote node network layer options. Table 7-5 Remote Node Network Layer Options Menu Fields FIELD DESCRIPTION EXAMPLE IP Address Assignment If your ISP did not assign you[...]

  • Page 70

    ZyWALL 10/50 Internet Security Gateway 7-10 Remote Node Setup Table 7-5 Remote Node Network Layer Options Menu Fields FIELD DESCRIPTION EXAMPLE Metric The metric represents the "cost" of transmission for routing purposes. IP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. Enter a numb[...]

  • Page 71

    ZyWALL 10/50 Internet Security Gateway Remote Node Setup 7-11 Use menu 11.5 to specify the filter set(s) to apply to the incoming and outgoing traffic between this remote node and the ZyWALL to prevent certain packets from triggering calls. You can specify up to 4 filter sets separated by commas, e.g., 1, 5, 9, 12, in each filter field. Note tha[...]

  • Page 72

    [...]

  • Page 73

    ZyWALL 10/50 Internet Security Gateway IP Static Route Setup 8-1 Chapter 8 IP Static Route Setup This chapter shows you how to configure static routes with your ZyWALL. Static routes tell the ZyWALL routing information that it cannot learn automatically through other means. This can arise in cases where RIP is disabled on the LAN. Each rem[...]

  • Page 74

    ZyWALL 10/50 Internet Security Gateway 8-2 IP Static Route Setup 8.1 IP Static Route Setup You configure IP static routes in menu 12.1 by selecting one of the IP static routes as shown next. Enter 12 from the main menu. Figure 8-2 Menu 12 — IP Static Route Setup Now, enter the index number of one of the static routes you want to c[...]

  • Page 75

    ZyWALL 10/50 Internet Security Gateway IP Static Route Setup 8-3 The following table describes the IP Static Route Menu fields. Table 8-1 IP Static Route Menu Fields FIELD DESCRIPTION Route # This is the index number of the static route that you chose in menu 12. Route Name Enter a descriptive name for this route. This is for identification pu[...]

  • Page 76

    [...]

  • Page 77

    ZyWALL 10/50 Internet Security Gateway NAT 9-1 Chapter 9 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 9.1 Introduction NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet, e.g., the source address of an outgoing packet, used within one ne[...]

  • Page 78

    ZyWALL 10/50 Internet Security Gateway 9-2 NAT Global This refers to the packet address (source or destination) as the packet travels on the WAN. NAT never changes the IP address (either local or global) of an outside host. 9.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the[...]

  • Page 79

    ZyWALL 10/50 Internet Security Gateway NAT 9-3 Figure 9-1 How NAT Works 9.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter.[...]

  • Page 80

    ZyWALL 10/50 Internet Security Gateway 9-4 NAT Figure 9-2 NAT Application With IP Alias 9.1.5 NAT Mapping Types NAT supports five types of IP/port mapping. They are: 1. One to One: In One-to-One mode, the ZyWALL maps one local IP address to one global IP address. 2. Many to One: In Many-to-One mode, the ZyWALL maps multiple local I[...]

  • Page 81

    ZyWALL 10/50 Internet Security Gateway NAT 9-5 3. Many to Many Overload: In Many-to-Many Overload mode, the ZyWALL maps the multiple local IP addresses to shared global IP addresses. 4. Many One to One: In Many-One-to-One mode, the ZyWALL maps each local IP address to a unique global IP address. 5. Server: This type allows you to spe[...]

  • Page 82

    ZyWALL 10/50 Internet Security Gateway 9-6 NAT 9.2 Using NAT You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL. 9.2.1 SUA (Single User Account) Versus NAT SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping,[...]

  • Page 83

    ZyWALL 10/50 Internet Security Gateway NAT 9-7 The following figure shows how you apply NAT to the remote node in menu 11.1. Step 1. Enter 11 from the main menu. Move the cursor to the Edit IP field, press [SPACE BAR] to select Yes and then press [ENTER] to bring up Menu 11.3 - Remote Node Network Layer Options. Figure 9-4 Menu 11.3 — A[...]

  • Page 84

    ZyWALL 10/50 Internet Security Gateway 9-8 NAT 9.3 NAT Setup Use the Address Mapping Sets menus and submenus to create the mapping table used to assign global addresses to computers on the LAN. You can see two NAT Address Mapping sets in menu 15.1. You can only configure Set 1. Set 255 is used for SUA. When you select Full Feature [...]

  • Page 85

    ZyWALL 10/50 Internet Security Gateway NAT 9-9 SUA Address Mapping Set Enter 255 to display the next screen (see also section 9.2.1). The fields in this menu cannot be changed. Figure 9-7 Menu 15.1.1 — SUA Address Mapping Rules The following table explains the fields in this screen. The fields in Menu 15.1.255 are read-only. Table 9-4 SUA[...]

  • Page 86

    ZyWALL 10/50 Internet Security Gateway 9-10 NAT Table 9-4 SUA Address Mapping Rules FIELD DESCRIPTION EXAMPLE Global End IP This is the ending global IP address (IGA). N/A Type These are the mapping types discussed above (see Table 9-2). Server allows us to specify multiple servers of different types behind NAT to this machine. See later for [...]

  • Page 87

    Figure 9-8 Menu 15.1.1 — First Set The Type, Local and Global Start/End IPs are configured in menu 15.1.1.1 (described later) and the values are displayed here. Ordering Your Rules Ordering your rules is important because the ZyWALL applies the rules in the order that you specify. When a rule[...]

  • Page 88

    Table 9-5 Fields in Menu 15.1.1 FIELD DESCRIPTION EXAMPLE Action The default is None. Edit means you want to edit a selected rule (see following field). Insert Before means to insert a rule before the rule selected. The rules after the selected rule will then be moved down by one rule. Delete means[...]

  • Page 89

    Table 9-6 Menu 15.1.1.1 — Editing/Configuring an Individual Rule in a Set FIELD DESCRIPTION EXAMPLE Type Press [SPACE BAR] to toggle through a total of five types. These are the mapping types discussed in Table 9-2. Server allows you to specify multiple servers of different types behind NAT [...]

  • Page 90

    In addition to the servers for specified services, NAT supports a default server. A service request that does not have a server explicitly designated for it is forwarded to the default server. If the default is not defined, the service request is simply discarded. Many residential broadband ISP acc[...]

  • Page 91

    Step 2. Enter 2 to go to Menu 15.2 - NAT Server Setup. Step 3. Enter a port number in an unused Start Port No field. To forward only one port, enter it again in the End Port No field. To specify a range of ports, enter the last port to be forwarded in the End Port No field. Step 4. Enter the i[...]

  • Page 92

    Figure 9-11 Multiple Servers Behind NAT Example[...]

  • Page 93

    9.5 General NAT Examples 9.5.1 Internet Access Only In the following Internet access example, you only need one rule where all your ILAs (Inside Local Addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP. Figure 9-12 NAT Example 1 Figure 9-13 Menu 4 — Internet Acc[...]

  • Page 94

    From menu 4 shown above, simply choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in section 9.5. The SUA Only read-only option from the Network Address Translation field in menus 4 and 11.3 is specifically pre-configured t[...]

  • Page 95

    Figure 9-15 Menu 15.2 — Specifying an Inside Server 9.5.3 Example 3: Multiple Public IP Addresses With Inside Servers In this example, there are 3 IGAs from our ISP. There are many departments but two have their own FTP server. All departments share the same router. The example will reserve[...]

  • Page 96

    The example situation looks somewhat like this: Figure 9-16 NAT Example 3 Step 1. In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore you must choose the Full Feature option from the Network Address Translation field (in menu 4 or menu 11.3[...]

  • Page 97

    Step 6. Repeat the previous step for rules 2 to 4 as outlined above. Step 7. When finished, menu 15.1.1 should look as shown in Figure 9-19. Figure 9-17 Example 3: Menu 11.3 The following figure shows how to configure the first rule. Figure 9-18 Example 3: Menu 15.1.1.1 Menu 15.1.1.1 A[...]

  • Page 98

    Figure 9-19 Example 3: Final Menu 15.1.1 Now configure the IGA3 to map to our web server and mail server on the LAN. Step 8. Enter 15 from the main menu. Step 9. Now enter 2 from this menu and configure it as shown in Figure 9-20. Figure 9-20 Example 3: Menu 15.2 Menu 15.1.1 - Address Mappin[...]

  • Page 99

    9.5.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-One-to-One mapping as port numbers do not change for Many-One-to-One (and One-to-One) NAT mapping types. The fol[...]

  • Page 100

    Figure 9-22 Example 4: Menu 15.1.1.1 — Address Mapping Rule After you’ve configured your rule, you should be able to check the settings in menu 15.1.1 as shown next. Figure 9-23 Example 4: Menu 15.1.1 — Address Mapping Rules Menu 15.1.1.1 Address Mapping Rule Type= Many-One-to-One Local IP:[...]

  • Page 101

    Part III: Firewall and Content Filters Part III introduces firewalls in general and the ZyWALL firewall. It also explains custom ports and logs and gives example firewall rules and an overview of content filtering.[...]

  • Page 102

    [...]

  • Page 103

    Chapter 10 Firewalls This chapter gives some background information on firewalls and explains how to get started with the ZyWALL firewall. 10.1 What Is a Firewall? Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to anot[...]

  • Page 104

    i. Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems. ii. Robust authentication and logging pre-authenticates application traffic b[...]

  • Page 105

    Figure 10-1 ZyWALL Firewall Application 10.4 Denial of Service Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources[...]

  • Page 106

    for use over a single port, such as Web on port 80, other ports are also active. If the person configuring or managing the computer is not careful, a hacker could attack it over an unprotected port. Some of the most common IP ports are: Table 10-1 Common IP Ports 21 FTP 53 DNS 23 Telnet[...]

  • Page 107

    Figure 10-2 Three-Way Handshake Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). A[...]

  • Page 108

    2-b In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself. 3. A brute-f[...]

  • Page 109

    Table 10-3 Legal NetBIOS Commands MESSAGE: REQUEST: POSITIVE: NEGATIVE: RETARGET: KEEPALIVE: All SMTP commands are illegal except for those displayed in the following tables. Table 10-4 Legal SMTP Commands AUTH DATA EHLO ETRN EXPN HELO HELP MAIL NOOP QUIT RCPT RSET SAML SEND SOML TURN VRFY ?[...]

  • Page 110

    • Denies all sessions originating from the WAN to the LAN. Figure 10-5 Stateful Inspection The previous figure shows the ZyWALL’s default firewall rules in action as well as demonstrating how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses t[...]

  • Page 111

    3. The packet is inspected by a firewall rule to determine and record information about the state of the packet's connection. This information is recorded in a new state table entry created for the new connection. If there is not a firewall rule for this packet and it is not an attac[...]

  • Page 112

    The ability to define firewall rules is a very powerful tool. Using custom rules, it is possible to disable all firewall protection or block all access to the Internet. Use extreme caution when creating or deleting firewall rules. Test changes after creating them to make sure they work correc[...]

  • Page 113

    little tracking information. For instance, ICMP redirect packets are never allowed in, since they could be used to reroute traffic through attacking machines. 10.5.5 Upper Layer Protocols Some higher layer protocols (such as FTP and RealAudio) utilize multiple network connections simultaneously[...]

  • Page 114

    10.6.1 Security In General You can never be too careful! Factors outside your firewall, filtering or NAT can cause security breaches. Below are some generalizations about what you can do to minimize them. 1. Encourage your company or organization to develop a comprehensive security p[...]

  • Page 115

    10.7.1 Packet Filtering: • The router filters packets as they pass through the router’s interface according to the filter rules you designed. • Packet filtering is a powerful tool, yet can be complex to configure and maintain, especially if you need a chain of rules to filter a servi[...]

  • Page 116

    3. To selectively block/allow inbound or outbound traffic between inside hosts/networks and outside hosts/networks. Remember that filters cannot distinguish traffic originating from an inside host or an outside host by IP address. 4. The firewall performs better than filtering if you need[...]

  • Page 117

    Chapter 11 Introducing the ZyWALL Firewall This chapter shows you how to get started with the ZyWALL firewall. 11.1 Remote Management and the Firewall When SMT menu 24.11 is configured to allow management from the WAN, it overrides the firewall. See the Remote Manag[...]

  • Page 118

    Figure 11-2 Menu 21.2 — Firewall Setup Configure the firewall rules using the web configurator or CLI commands. 11.3.2 Viewing the Firewall Log In menu 21, enter 3 to view the firewall log. An example of a firewall log is shown next. Figure 11-3 Example Firewall Log [...]

  • Page 119

    Table 11-1 View Firewall Log FIELD DESCRIPTION EXAMPLES # This is the index number of the firewall log. 128 entries are available numbered from 0 to 127. Once they are all used, the log will wrap around and the old logs will be lost. 23 mm:dd:yy e.g., Jan 1 00 Time This [...]

  • Page 120

    [...]

  • Page 121

    Chapter 12 Using the ZyWALL Web Configurator This chapter shows you how to configure your firewall with the web configurator. 12.1 Web Configurator Login and Main Menu Screens Use the ZyWALL web configurator to configure your firewall. To get started, follow the s[...]

  • Page 122

    12.2 Enabling the Firewall Click Advanced, Firewall, Configuration and then the Config tab. Enable (or activate) the firewall by clicking the Firewall Enabled check box as seen in the following screen. Figure 12-1 Enabling the Firewall 12.3 E-mail The E-mail screen[...]

  • Page 123

    13-4). When an event generates an alert, a message is immediately sent to an e-mail account specified by you. Enter the complete e-mail address to which alert messages will be sent in the E-mail Alerts To field and schedule times for sending alerts in the Log Tim[...]

  • Page 124

    Table 12-1 E-mail FIELD DESCRIPTION OPTIONS Address Info Mail Server Enter the IP address of your mail server in dotted decimal notation. Your Internet Service Provider (ISP) should be able to provide this information. If this field is left blank, log and alert messag[...]

  • Page 125

    12.3.3 SMTP Error Messages If there are difficulties in sending e-mail the following error messages appear. Please see the Support Notes on the included disk for information on other types of error messages. E-mail error messages appear in SMT menu 24.3.1 as "[...]

  • Page 126

    Figure 12-3 E-mail Log 12.4 Attack Alert Attack alerts are the first defense against DoS attacks. In the Attack Alert screen, shown later, you may choose to generate an alert whenever an attack is detected. For DoS attacks, the ZyWALL uses thresholds to determine [...]

  • Page 127

    2. The minimum capacity of server backlog in your LAN network. 3. The CPU power of servers in your LAN network. 4. Network bandwidth. 5. Type of traffic for certain servers. If your network is slower than average for any of these factors (especially if you have[...]

  • Page 128

    2. If the Blocking Time timeout is greater than 0, then the ZyWALL blocks all new connection requests to the host giving the server time to handle the present connections. The ZyWALL continues to block all new connection requests until the Blocking Time expires.[...]

  • Page 129

    Table 12-3 Attack Alert FIELD DESCRIPTION DEFAULT VALUES Denial of Service Thresholds One Minute Low This is the rate of new half-open sessions that causes the firewall to stop deleting half-open sessions. The ZyWALL continues to delete half-open sessions as necessary,[...]

  • Page 130

    Table 12-3 Attack Alert FIELD DESCRIPTION DEFAULT VALUES Incomplete host IP address that causes the firewall to start dropping half-open sessions to that same destination host IP address. Enter a number between 1 and 250. As a general rule, you should choose a small[...]

  • Page 131

    Chapter 13 Creating Custom Rules This chapter contains instructions for defining both Local Network and Internet rules. 13.1 Rules Overview Firewall rules are subdivided into “Local Network” and “Internet”. By default, the ZyWALL’s stateful packet inspection allows all co[...]

  • Page 132

    2. Is the intent of the rule to forward or block traffic? 3. What is the direction of the connection: from the LAN to the Internet, or from the Internet to the LAN? 4. What IP services will be affected? 5. What computers on the LAN are to be affected (if any)? 6. What computers on the[...]

  • Page 133

    Source Address What is the connection’s source address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet? Destination Address What is the connection’s destination address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet? 13.3 Connect[...]

  • Page 134

    13.3.2 WAN to LAN Rules The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If you wish to allow certain WAN users to have access to your LAN, you will need to create custom rules to allow it. See the following figure. Figure 13-2 WAN to LAN Traf[...]

  • Page 135

    Figure 13-3 Firewall Rules Summary — First Screen The following table describes the fields in this screen. Table 13-1 Firewall Rules Summary — First Screen FIELD DESCRIPTION OPTIONS General Name This is the name of the firewall rule set. Type a name to distinguish the LAN-to-WAN[...]

  • Page 136

    Table 13-1 Firewall Rules Summary — First Screen FIELD DESCRIPTION OPTIONS Default Policy Log Click this check box to log all matched rules in the ACL default set. The following fields summarize the rules you have created. Note that these fields are read only. Click the tab at[...]

  • Page 137

    13.5 Predefined Services The Available Services list box in the Rule Config(uration) screen (see Figure 13-4) displays all predefined services that the ZyWALL already supports. Next to the name of the service, two fields appear in brackets. The first field indicates the IP pro[...]

  • Page 138

    Table 13-2 Predefined Services SERVICE DESCRIPTION IPSEC_TUNNEL(ESP:0) This service is used by the IPSec ESP (Encapsulation Security Protocol) tunneling protocol. IRC(TCP/UDP:6667) This is another popular Internet chat program. MSN Messenger(TCP:1863) Microsoft Networks’ messe[...]

  • Page 139

    Table 13-2 Predefined Services SERVICE DESCRIPTION SNMP(TCP/UDP:161) Simple Network Management Program. SNMP-TRAPS(TCP/UDP:162) Traps for use with the SNMP (RFC:1215). SQL-NET(TCP:1521) Structured Query Language is an interface to access data on many different types of database sy[...]

  • Page 140

    13.5.1 Creating/Editing Firewall Rules To create a new rule, click a number (No.) then click Edit in the last screen shown to display the following screen. Figure 13-4 Creating/Editing A Firewall Rule Table 13-3 Creating/Editing A Firewall Rule FIELD DESCRIPTION OPTIONS Source[...]

  • Page 141

    Table 13-3 Creating/Editing A Firewall Rule FIELD DESCRIPTION OPTIONS Destination Address Click DestAdd to add a new address, DestEdit to edit an existing one or DestDelete to delete one. Please see the following section on adding and editing destination addresses. DestAdd Des[...]

  • Page 142

    Figure 13-5 Adding/Editing Source and Destination Addresses[...]

  • Page 143

    Table 13-4 Adding/Editing Source and Destination Addresses FIELD DESCRIPTION OPTIONS Address Type Do you want your rule to apply to packets with a particular (single) IP address, a range of IP addresses (e.g., 192.168.1.10 to 192.169.1.50), a subnet or any IP address? Select an op[...]

  • Page 144

    Figure 13-6 Timeout Screen[...]

  • Page 145

    Table 13-5 Timeout Menu FIELD DESCRIPTION DEFAULT VALUE TCP Timeout Values Connection Timeout This is the length of time the ZyWALL waits for a TCP session to reach the established state before dropping the session. 30 seconds FIN-Wait Timeout This is the length of time a TCP s[...]

  • Page 146

    [...]

  • Page 147

    Chapter 14 Custom Ports This chapter covers creating, viewing and editing custom ports. 14.1 Introduction Configure customized ports for services not predefined by the ZyWALL (see Figure 13-4). For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned N[...]

  • Page 148

    Table 14-1 Custom Ports FIELD DESCRIPTION Customized Services No. This is the number of your customized port. Status Indicates whether ports have already been configured or are still empty. Name This is the name of your customized port. Protocol This shows the IP protocol (TCP, UDP or [...]

  • Page 149

    14.2 Creating/Editing A Custom Port Click Edit in the previous screen to create a new custom port or edit an existing one. This action displays the following screen. Figure 14-2 Creating/Editing A Custom Port The next table describes the fields in this screen.[...]

  • Page 150

    Table 14-2 Creating/Editing A Custom Port FIELD DESCRIPTION OPTIONS Service Name Enter a unique name for your custom port. Service Type Choose the IP port (TCP, UDP or TCP/UDP) that defines your customized port from the drop down list box. TCP UDP TCP/UDP Port Configuration Type Click S[...]

  • Page 151

    Chapter 15 Logs This chapter contains information about using the log screen to view the results of the rules you have configured. 15.1 Log Screen When you configure a new rule you also have the option to log events that match, don’t match (or both) this rule (see Figure 13-4). Click on the [...]

  • Page 152

    Table 15-1 Log Screen FIELD DESCRIPTION EXAMPLES No. This is the index number of the firewall log. 128 entries are available numbered from 0 to 127. Once they are all used, the log will wrap around and the old logs will be lost. dd:mm:yy e.g., Jan 1 0 Time This is the time the log was recorded in t[...]

  • Page 153

    Chapter 16 Example Firewall Rules This chapter gives examples for configuring various rules for WAN to LAN and LAN to WAN. 16.1 Examples Whenever you open a hole in the firewall to forward a service from the Internet to the local network, and NAT is also enabled, you may have[...]

  • Page 154

    Step 1. Activate the firewall. You may activate the firewall through the web configurator as shown next (click Configuration, the Config tab, then click the Firewall Enabled check box) or through SMT menu 21.2. You can only configure the firewall using the web configurator [...]

  • Page 155

    Step 2. Go to the E-mail screen by clicking Advanced, Firewall, Configuration, then the E-mail tab. Configure the E-mail screen as follows. Figure 16-2 Example 1: E-Mail Screen Enter 10.100.1.2, the IP address of the mail server here. This is where the alerts will be sent. This[...]

  • Page 156

    Step 3. Configure your firewall rule as shown in the following screen. The default firewall blocks all Internet traffic entering our local network, but you want to create a hole for web service from the Internet. Click Internet and go to the Rule Summary. Configure this screen as[...]

  • Page 157

    Step 4. Click DestAdd in the previous screen to configure the destination address as the IP of your server on the LAN. Figure 16-4 Example 1: Destination Address for Traffic Originating from the Internet 10.100.1.2 is the IP of our server on the LAN (supporting FTP, HTTP, Telnet a[...]

  • Page 158

    Step 5. When you have finished configuring your rules, the Rule Summary screen should look like this. Click Apply in this screen to save your configuration back to the ZyWALL. Figure 16-5 Example 1: Rule Summary Screen 16.1.2 Example 2: Small Office With Mail, FTP and Web Serve[...]

  • Page 159

    i. A mail server with an IP of 192.168.10.2. ii. Two FTP servers. You want FTP server 1 (IP of 192.168.10.3) to be accessible from the Internet, but FTP server 2 (192.168.10.4) may only be accessed by internal users, i.e., from the local network. iii. HTTP proxy server at 192.168[...]

  • Page 160

    Step 3. Now you want to restrict access to the Internet except for the HTTP proxy server and your mail server. First you need to create a custom port for POP3. POP (Post Office Protocol) is an Internet mail server protocol that provides an incoming message storage system.[...]

  • Page 161

    Network to see the Rule Summary screen. Now click an available No. (rule number) button, then click Edit to bring up the next screen. Step 5. Click SrcAdd under the Source Address box and enter the IP address of the mail server (192.168.10.2) in the same fashion as in Figure 16-4. [...]

  • Page 162

    Step 7. The Rule Summary screen should look like Figure 16-9. Don’t forget to click Apply when you have finished configuring your rule(s) to save your settings back to the ZyWALL. Figure 16-9 Example 2: Local Network Rule Summary Step 8. Now you want an FTP server (IP of 192.[...]

  • Page 163

    screen. Now click on the DestAdd button under the Destination Address box and enter the IP of FTP server One (192.168.10.3). Step 9. On completing the procedure the Rule Summary for this Internet firewall rule should look like the following screen. Don’t forget to click Apply[...]

  • Page 164

    16.1.3 Example 3: DHCP Negotiation and Syslog Connection from the Internet The following are some Internet firewall rule examples that allow DHCP negotiation between the ISP and the ZyWALL and allow a syslog connection 1 from the Internet. Follow the procedure shown next to first [...]

  • Page 165

    Custom ports show up with an “*” before their names in the Services list box and the Rule Summary list box. Click Apply after you’ve created your custom port. Step 2. Follow the procedures outlined in the previous examples to configure all your rules. You should configur[...]

  • Page 166

    Step 3. On completing the configuration procedure for these Internet firewall rules, the Rule Summary screen should look like the following. Don’t forget to click Apply when you have finished configuring your rule(s) to save your settings back to the ZyWALL. Figure 16-13 E[...]

  • Page 167

    Chapter 17 Content Filtering This chapter provides a brief overview of content filtering using the web embedded configurator. For more detailed information, consult the embedded HTML help. Internet content filtering allows schools and businesses to create and enforce Internet access p[...]

  • Page 168

    17.4 Customizing Customize the content filter list by adding or removing specific sites from the filter list. 17.5 Keywords The ZyWALL can also be configured to block certain Web sites by using URL keywords. 17.6 Logs This screen records the results of your content filter policies[...]

  • Page 169

    Part IV: Advanced Management This part provides information on Filter Configuration, SNMP Configuration, System Information and Diagnosis, Firmware and Configuration File Maintenance, System Maintenance and Information and Remote Management.[...]

  • Page 170

    [...]

  • Page 171

    Chapter 18 Filter Configuration This chapter shows you how to create and apply filters. 18.1 About Filtering Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call fil[...]

  • Page 172

    Figure 18-1 Outgoing Packet Filtering Process For incoming packets, your ZyWALL applies data filters only. Packets are processed depending upon whether a match is found. The following sections describe how to configure filter sets. 18.1.1 The Filter Structure of the ZyWALL A f[...]

  • Page 173

    [Flow chart of the filter set process; node labels: Start, Fetch First Filter Set, Fetch First Filter Rule, Active?, Execute Filter Rule, Fetch Next Filter Rule, Next Filter Rule Available?, Fetch Next Filter Set, Next Filter Set Available?, Accept Packet, Drop Packet, Packet into filter, Filter Set, Forward, Drop, Check Next Ru[...]]

  • Page 174

    You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port. 18.2 Configuring a Filter Set To configure a filter set, follow the procedure bel[...]

  • Page 175

    Figure 18-5 Menu 21.1 — Filter Set Configuration Step 3. Select the filter set you wish to configure (1-12) and press [ENTER]. Step 4. Enter a descriptive name or comment in the Edit Comments field and press [ENTER]. Step 5. Press [ENTER] at the message [Press ENTER to confirm] [...]

  • Page 176

    18.2.1 Filter Rules Summary Menu This screen shows the summary of the existing rules in the filter set. The following tables contain a brief description of the abbreviations used in the previous menus. Table 18-1 Abbreviations Used in the Filter Rules Summary Menu FIELD DESCRIPT[...]

  • Page 177

    Table 18-2 Rule Abbreviations Used ABBREVIATION DESCRIPTION DP Destination Port number GEN Off Offset Len Length Refer to the next section for information on configuring the filter rules. 18.2.2 Configuring a Filter Rule To configure a filter rule, type its number in Menu 21.1 - Fil[...]

  • Page 178

    Figure 18-7 Menu 21.1.1.1 — TCP/IP Filter Rule The following table describes how to configure your TCP/IP filter rule. Table 18-3 TCP/IP Filter Rule Menu Fields FIELD DESCRIPTION OPTIONS Active Yes activates the filter rule and No deactivates it. Yes No IP Protocol Protocol refers[...]

  • Page 179

    ZyWALL 10/50 Internet Security Gateway Filter Configuration 18-9 Table 18-3 TCP/IP Filter Rule Menu Fields (FIELD, DESCRIPTION, OPTIONS) Port # Comp: Select the comparison to apply to the destination port in the packet against the value given in Destination: Port #. Options: None, Less, Greater, Equal, Not Equal. Source IP Address: Enter the source IP Address of th[...]

  • Page 180

    ZyWALL 10/50 Internet Security Gateway 18-10 Filter Configuration Table 18-3 TCP/IP Filter Rule Menu Fields (FIELD, DESCRIPTION, OPTIONS) Drop. Action Not Matched: Select the action for a packet not matching the rule. Options: Check Next Rule, Forward, Drop. Press [SPACE BAR] to select properties for fields that do not need to be typed in. When you have Menu 21.1.[...]

  • Page 181

    ZyWALL 10/50 Internet Security Gateway Filter Configuration 18-11 [Figure: executing an IP filter flowchart. Packet into IP Filter; Filter Active?; Check IP Protocol; Check Src IP Addr (apply SrcAddrMask to Src Addr); Matched / Not Matched; More?; Action Matched / Action Not Matched: Forward, Drop, Check Next Rule; Accept Packet; Drop Packet.][...]

  • Page 182

    ZyWALL 10/50 Internet Security Gateway 18-12 Filter Configuration 18.2.4 Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyWALL treats a packet as a byte st[...]

  • Page 183

    ZyWALL 10/50 Internet Security Gateway Filter Configuration 18-13 Table 18-4 Generic Filter Rule Menu Fields (FIELD, DESCRIPTION, OPTIONS) Filter #: This is the filter set, filter rule co-ordinates, i.e., 2,3 refers to the second filter set and the third rule of that set. Filter Type: Use [SPACE BAR] to select a rule type. Parameters displayed below ea[...]

  • Page 184

    ZyWALL 10/50 Internet Security Gateway 18-14 Filter Configuration Table 18-4 Generic Filter Rule Menu Fields (FIELD, DESCRIPTION, OPTIONS) Once you have completed filling in Menu 21.4.1.1 - Generic Filter Rule, press [ENTER] at the message "Press ENTER to Confirm" to save your configuration, or press [ESC] to cancel. This data will now be displa[...]
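    The following is an added worked example, not ZyXEL's code, that models in Python the rule and set evaluation described on pages 18-3 to 18-14: a TCP/IP rule with protocol, masked source and destination address and a destination Port # Comp; a generic rule that compares masked bytes at an offset of the raw frame; the Check Next Rule / Forward / Drop actions; the More field; and the four-sets-by-six-rules limit. Two points are my reading of the flowcharts rather than something the page states, and are marked as assumptions in the code: that Forward from one set hands the packet to the next set, and that a non-matching More=Yes rule takes its Action Not Matched. Packets and rule lists are constructed for the demonstration.

```python
"""Model of how the ZyWALL 10/50 evaluates filter sets (Figures 18-3 and 18-11,
Menu 21).  Added example, not ZyXEL code; assumptions are marked as such."""
import ipaddress
import struct
from dataclasses import dataclass

FORWARD, DROP, CHECK_NEXT = "Forward", "Drop", "Check Next Rule"
MAX_SETS_PER_PORT, MAX_RULES_PER_SET = 4, 6      # 4 x 6 = 24 rules per port

def _addr_match(pkt_addr, rule_addr, rule_mask):
    """(packet address AND mask) == (rule address AND mask); mask 0.0.0.0 matches all."""
    mask = int(ipaddress.IPv4Address(rule_mask))
    return int.from_bytes(pkt_addr, "big") & mask == int(ipaddress.IPv4Address(rule_addr)) & mask

def _port_match(comp, pkt_port, rule_port):
    """Port # Comp; a comparison on a port-less protocol such as ICMP never matches."""
    if comp == "None":
        return True
    return pkt_port is not None and {"Less": pkt_port < rule_port, "Greater": pkt_port > rule_port,
                                     "Equal": pkt_port == rule_port, "Not Equal": pkt_port != rule_port}[comp]

@dataclass
class TcpIpRule:
    """TCP/IP (protocol) filter rule, Menu 21.1.x.x."""
    active: bool = True
    protocol: int = 0                 # IP protocol number; 0 = any (assumption)
    src_addr: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    dst_addr: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    dst_port: int = 0
    dst_port_comp: str = "None"       # None / Less / Greater / Equal / Not Equal
    more: bool = False                # Yes: the packet must also match the next rule
    action_matched: str = CHECK_NEXT
    action_not_matched: str = CHECK_NEXT

    def matches(self, pkt: bytes) -> bool:
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            return False
        ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
        if self.protocol and proto != self.protocol:
            return False
        if not (_addr_match(pkt[12:16], self.src_addr, self.src_mask)
                and _addr_match(pkt[16:20], self.dst_addr, self.dst_mask)):
            return False
        dport = None
        if proto in (6, 17) and len(pkt) >= ihl + 4:   # TCP/UDP: ports follow the IP header
            dport = struct.unpack("!HH", pkt[ihl:ihl + 4])[1]
        return _port_match(self.dst_port_comp, dport, self.dst_port)

@dataclass
class GenericRule:
    """Generic (device) rule: Len bytes at Offset of the raw frame, ANDed with Mask, equal Value."""
    active: bool = True
    offset: int = 0
    length: int = 0
    mask: bytes = b""
    value: bytes = b""
    more: bool = False
    action_matched: str = CHECK_NEXT
    action_not_matched: str = CHECK_NEXT

    def matches(self, frame: bytes) -> bool:
        window = frame[self.offset:self.offset + self.length]
        if len(window) < self.length:
            return False
        return (bytes(b & m for b, m in zip(window, self.mask))
                == bytes(v & m for v, m in zip(self.value, self.mask)))

def run_filter_set(rules, data: bytes) -> str:
    """One set (Figure 18-11, my reading): a matched More=Yes rule defers to the next rule,
    Forward/Drop end the set, Check Next Rule continues; an undecided set forwards.
    Assumption: a non-matching More=Yes rule takes its Action Not Matched."""
    for rule in rules:
        if not rule.active:
            continue
        if rule.matches(data):
            if rule.more:
                continue
            action = rule.action_matched
        else:
            action = rule.action_not_matched
        if action in (FORWARD, DROP):
            return action
    return FORWARD

def filter_packet(sets, data: bytes) -> str:
    """Sets in order (Figure 18-3, my reading): Drop ends evaluation, Forward passes the
    packet on to the next set, and it is accepted after the last set."""
    if len(sets) > MAX_SETS_PER_PORT or any(len(s) > MAX_RULES_PER_SET for s in sets):
        raise ValueError("at most 4 sets of 6 rules (24 rules) per port")
    for rules in sets:
        if run_filter_set(rules, data) == DROP:
            return DROP
    return FORWARD

def make_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed test packet (no checksum), not taken from the manual."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload
```

A rule list for the factory-default idea of blocking incoming telnet and FTP is two `TcpIpRule(protocol=6, dst_port_comp="Equal", dst_port=23 or 21, action_matched=DROP)` entries in one set; a generic rule dropping IPX frames on a raw Ethernet link is `GenericRule(offset=12, length=2, mask=b"\xff\xff", value=b"\x81\x37", action_matched=DROP)`. One check worth running before applying a set: an ICMP packet never matches a rule whose Port # Comp is anything but None, so a rule meant to drop "everything to host X" must leave the comparison at None or it silently forwards ICMP.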

  • Page 185

    ZyWALL 10/50 Internet Security Gateway Filter Configuration 18-15 Step 4. Enter a descriptive name or comment in the Edit Comments field and press [ENTER]. Step 5. Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.3 - Filter Rules Summary. Step 6. Enter 1 to configure the first filter rule (the only filter rule of this set)[...]

  • Page 186

    ZyWALL 10/50 Internet Security Gateway 18-16 Filter Configuration When you press [ENTER] to confirm, you will see the following screen. Note that there is only one filter rule in this set. Figure 18-12 Example Filter Rules Summary — Menu 21.1.3 After you've created the filter set, you must apply it. Step 1. Enter 11 from the main menu to go[...]

  • Page 187

    ZyWALL 10/50 Internet Security Gateway Filter Configuration 18-17 18.4 Filter Types and NAT There are two classes of filter rules, Generic Filter (Device) rules and Protocol Filter (TCP/IP) rules. Generic Filter rules act on the raw data from/to LAN and WAN. Protocol Filter rules act on the IP packets. Generic and TCP/IP filter rules are dis[...]

  • Page 188

    ZyWALL 10/50 Internet Security Gateway 18-18 Filter Configuration 18.6 Applying a Filter and Factory Defaults This section shows you where to apply the filter(s) after you design it (them). Sets of factory default filter rules have been configured in menu 21 to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP a[...]

  • Page 189

    ZyWALL 10/50 Internet Security Gateway Filter Configuration 18-19 numbers separated by commas. See the appendix on filter commands for information on the factory default NetBIOS filter. Figure 18-15 Filtering Remote Node Traffic Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters= 1 device filters= Output Filter Sets: protocol fil[...]


  • Page 191

    ZyWALL 10/50 Internet Security Gateway SNMP 19-1 Chapter 19 SNMP Configuration This chapter discusses SNMP for network management and monitoring. 19.1 About SNMP SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your Z[...]

  • Page 192

    ZyWALL 10/50 Internet Security Gateway 19-2 SNMP Figure 19-1 SNMP Management Model An SNMP managed network consists of two main components: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form [...]

  • Page 193

    ZyWALL 10/50 Internet Security Gateway SNMP 19-3 Table 19-1 General SNMP Commands (COMMAND, DESCRIPTION) Get: Allows the manager to retrieve an object variable from the agent. GetNext: Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from[...]

  • Page 194

    ZyWALL 10/50 Internet Security Gateway 19-4 SNMP Figure 19-2 Menu 22 — SNMP Configuration The following table describes the SNMP configuration parameters. Table 19-2 SNMP Configuration Menu Fields (FIELD, DESCRIPTION, DEFAULT) Get Community: Enter the Get Community, which is the password for the incoming Get- and GetNext- requests from the manage[...]

  • Page 195

    ZyWALL 10/50 Internet Security Gateway SNMP 19-5 19.4 SNMP Traps The ZyWALL will send traps to the SNMP manager when any one of the following events occurs: Table 19-3 SNMP Traps (TRAP #, TRAP NAME, DESCRIPTION) 0 coldStart (defined in RFC-1215): A trap is sent after booting (power on). 1 warmStart (defined in RFC-1215): A trap is sent after boo[...]


  • Page 197

    ZyWALL 10/50 Internet Security Gateway System Information & Diagnosis 20-1 Chapter 20 System Information & Diagnosis This chapter covers SMT menus 24.1 to 24.4. This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status, log and trace capabilities and upgrade[...]

  • Page 198

    ZyWALL 10/50 Internet Security Gateway 20-2 System Information & Diagnosis Step 2. In this menu, enter 1 to open System Maintenance - Status. Step 3. There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 drops the WAN connection, 9 resets the counters and [ESC] takes you back to the previous screen. Figure 20-[...]

  • Page 199

    ZyWALL 10/50 Internet Security Gateway System Information & Diagnosis 20-3 Table 20-1 System Maintenance — Status Menu Fields (FIELD, DESCRIPTION) Tx B/s: Shows the transmission speed in Bytes per second on this port. Rx B/s: Shows the reception speed in Bytes per second on this port. Up Time: Total amount of time the line has been up. Ethernet [...]

  • Page 200

    ZyWALL 10/50 Internet Security Gateway 20-4 System Information & Diagnosis Figure 20-3 Menu 24.2 — System Information and Console Port Speed 20.2.1 System Information System Information gives you information about your system as shown below. More specifically, it gives you information on your routing protocol, Ethernet address, IP add[...]

  • Page 201

    ZyWALL 10/50 Internet Security Gateway System Information & Diagnosis 20-5 Table 20-2 Fields in System Maintenance — Information (FIELD, DESCRIPTION) IP Address: This is the IP address of the ZyWALL in dotted decimal notation. IP Mask: This shows the IP mask of the ZyWALL. DHCP: This field shows the DHCP setting of the ZyWALL. When finished view[...]

  • Page 202

    ZyWALL 10/50 Internet Security Gateway 20-6 System Information & Diagnosis Step 1. Select option 24 from the main menu to open Menu 24 - System Maintenance. Step 2. From menu 24, select option 3 to open Menu 24.3 - System Maintenance - Log and Trace. Step 3. Select the first option from Menu 24.3 - System Maintenance - Log and Tra[...]

  • Page 203

    ZyWALL 10/50 Internet Security Gateway System Information & Diagnosis 20-7 20.3.2 UNIX Syslog The ZyWALL uses the UNIX syslog facility to log the CDR (Call Detail Record) and system messages to a syslog server. Syslog and accounting can be configured in Menu 24.3.2 - System Maintenance - Syslog and Accounting, as shown next. Figure 20-8 [...]

  • Page 204

    ZyWALL 10/50 Internet Security Gateway 20-8 System Information & Diagnosis Table 20-3 System Maintenance Menu Syslog Parameters (PARAMETER, DESCRIPTION) Filter log: No filters are logged when this field is set to No. Filters with the individual filter Log Filter field set to Yes (Menu 21.x.x) are logged when this field is set to Yes. PPP log [...]

  • Page 205

    ZyWALL 10/50 Internet Security Gateway System Information & Diagnosis 20-9 Data=4500003c100100001f010004c0a86614ca849a7b08004a5c020001006162636465666768696a6b6c6d6e6f7071727374 Jul 19 11:28:56 192.168.102.2 ZyXEL: Packet Trigger: Protocol=1, Data=4500002c1b0140001f06b50ec0a86614ca849a7b0427001700195b3e00000000600220008cd40000020405b4 Jul [...]
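    The Packet Trigger lines above carry the first 48 bytes of the call-triggering packet as hex in the Data field. The following decoder is an added example, not ZyXEL's code: it parses such a line and recovers addresses, protocol, ports and TCP flags, which is what you need to find out which host or service keeps bringing the WAN link up. The Data hex of both sample lines is the manual's own (extraction whitespace removed); the timestamp prefix of the first sample is constructed because this page cuts it off. Note that Protocol=1 in the log is the packet family code (1 = IP), not the IP protocol number: the two samples carry ICMP and TCP respectively, and the decoder reads the real protocol from the Data bytes.

```python
"""Decoder for ZyWALL 'Packet Trigger' syslog lines (Menu 24.3.2 call-triggering
packets).  Added example, not ZyXEL code.  Data holds the first 48 bytes of the
packet in hex, so the captured part can be shorter than the IP total length."""
import ipaddress
import re
import struct
from typing import Dict, List

TRIGGER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+ZyXEL:\s+"
    r"Packet Trigger:\s+Protocol=(?P<family>\d+),\s+Data=(?P<data>[0-9A-Fa-f\s]+)$")

# Protocol= in the log is the packet family (1 = IP), not the IP protocol number:
# both sample lines below say Protocol=1 although one carries ICMP and the other TCP.
FAMILY = {1: "IP"}
IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAGS = ((0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"), (0x08, "PSH"), (0x20, "URG"))
SERVICE = {21: "ftp", 23: "telnet", 53: "dns", 80: "http",
           137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn"}

def decode_trigger(line: str) -> Dict[str, object]:
    """Parse one log line and decode the IP/TCP/UDP/ICMP header in its Data field."""
    m = TRIGGER_RE.match(line.strip())
    if not m:
        raise ValueError("not a ZyWALL Packet Trigger line")
    raw = bytes.fromhex(re.sub(r"\s+", "", m["data"]))
    fam = int(m["family"])
    out: Dict[str, object] = {"time": m["ts"], "logger": m["host"],
                              "family": FAMILY.get(fam, str(fam)), "captured_bytes": len(raw)}
    if fam != 1 or len(raw) < 20 or raw[0] >> 4 != 4:
        return out                                   # non-IP family or too short to decode
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    proto = raw[9]
    out.update(total_length=total_len, truncated=len(raw) < total_len, ttl=raw[8],
               protocol=IP_PROTO.get(proto, str(proto)),
               src=str(ipaddress.IPv4Address(raw[12:16])), dst=str(ipaddress.IPv4Address(raw[16:20])))
    l4 = raw[ihl:]
    if proto in (6, 17) and len(l4) >= 4:
        out["src_port"], out["dst_port"] = struct.unpack("!HH", l4[:4])
        out["service"] = SERVICE.get(out["dst_port"], "")
        if proto == 6 and len(l4) >= 14:             # TCP flags byte is at offset 13
            out["flags"] = [name for bit, name in TCP_FLAGS if l4[13] & bit]
    elif proto == 1 and len(l4) >= 2:
        out["icmp_type"], out["icmp_code"] = l4[0], l4[1]
    return out

def summarize(d: Dict[str, object]) -> str:
    """One-line description of what triggered the call, for eyeballing a log."""
    if "protocol" not in d:
        return "%s family=%s (%d bytes captured)" % (d["time"], d["family"], d["captured_bytes"])
    if d["protocol"] in ("TCP", "UDP"):
        who = "%s:%s -> %s:%s" % (d["src"], d["src_port"], d["dst"], d["dst_port"])
        flags = " " + "/".join(d["flags"]) if d.get("flags") else ""
        svc = " (%s)" % d["service"] if d.get("service") else ""
        return "%s %s%s %s%s" % (d["time"], d["protocol"], flags, who, svc)
    if d["protocol"] == "ICMP":
        return "%s ICMP type %d code %d %s -> %s" % (d["time"], d["icmp_type"], d["icmp_code"], d["src"], d["dst"])
    return "%s %s %s -> %s" % (d["time"], d["protocol"], d["src"], d["dst"])

# Sample lines.  The Data hex is the manual's Figure 20-9 example (whitespace removed);
# the timestamp prefix of the first line is constructed because the page cuts it off.
SAMPLE_LINES: List[str] = [
    "Jul 19 11:28:39 192.168.102.2 ZyXEL: Packet Trigger: Protocol=1, "
    "Data=4500003c100100001f010004c0a86614ca849a7b08004a5c02000100"
    "6162636465666768696a6b6c6d6e6f7071727374",
    "Jul 19 11:28:56 192.168.102.2 ZyXEL: Packet Trigger: Protocol=1, "
    "Data=4500002c1b0140001f06b50ec0a86614ca849a7b0427001700195b3e"
    "00000000600220008cd40000020405b4",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(summarize(decode_trigger(line)))
```

The second sample decodes to a TCP SYN from 192.168.102.20 to port 23 on 202.132.154.123, i.e. an outbound telnet attempt brought the link up; the first is an ICMP echo request whose 60-byte total length exceeds the 48 captured bytes, which the `truncated` flag records so you do not mistake the cut-off payload for the whole packet.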

  • Page 206

    ZyWALL 10/50 Internet Security Gateway 20-10 System Information & Diagnosis Proto = LCP / ATCP / BACP / BCP / CBCP / CCP / CHAP / PAP / IPCP / IPXCP Jul 19 11:42:44 192.168.102.2 ZyXEL: ppp:LCP Closing Jul 19 11:42:49 192.168.102.2 ZyXEL: ppp:IPCP Closing Jul 19 11:42:54 192.168.102.2 ZyXEL: ppp:CCP Closing 5. Firewall log Firewall Log Messa[...]

  • Page 207

    ZyWALL 10/50 Internet Security Gateway System Information & Diagnosis 20-11 Figure 20-9 Call-Triggering Packet Example 20.4 Diagnostic The diagnostic facility allows you to test the different aspects of your ZyWALL to determine if it is working properly. Menu 24.4 allows you to choose among various types of diagnostic tests to evaluate [...]

  • Page 208

    ZyWALL 10/50 Internet Security Gateway 20-12 System Information & Diagnosis Figure 20-10 Menu 24.4 — System Maintenance — Diagnostic Follow the procedure below to get to Menu 24.4 - System Maintenance – Diagnostic. Step 1. From the main menu, select option 24 to open Menu 24 - System Maintenance. Step 2. From this menu, select option[...]

  • Page 209

    ZyW ALL 10/50 Internet Security Gateway System Information & Diagnosis 20-13 Figure 20-11 WAN & LAN DHCP The following table describes the diagnostic tests av ailable in menu 24.4 for your ZyWALL and associa ted connections. Table 20-4 System Maintenance Men u Diagnostic FIELD DESCRIPTION Ping Host Enter 1 to ping any machine (with an IP ad[...]


  • Page 211

    ZyWALL 10/50 Internet Security Gateway Firmware and Configuration File Maintenance 21-1 Chapter 21 Firmware and Configuration Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 21.1 Filename Conventions The configuration file (often called the r[...]

  • Page 212

    ZyWALL 10/50 Internet Security Gateway 21-2 Firmware and Configuration File Maintenance you have uploaded the correct firmware version. The AT command is the command you enter after you press "y" when prompted in the SMT menu to go into debug mode. Table 21-1 Filename Conventions (FILE TYPE, INTERNAL NAME, EXTERNAL NAME, DESCRIPTION)[...]

  • Page 213

    ZyWALL 10/50 Internet Security Gateway Firmware and Configuration File Maintenance 21-3 Figure 21-1 Telnet into Menu 24.5 21.2.2 Using the FTP Command from the Command Line Step 1. Launch the FTP client on your computer. Step 2. Enter "open", followed by a space and the IP address of your ZyWALL. Step 3. Press [ENTER] when prompted for a [...]

  • Page 214

    ZyWALL 10/50 Internet Security Gateway 21-4 Firmware and Configuration File Maintenance Figure 21-2 FTP Session Example 21.2.4 GUI-Based FTP Clients The following table describes some of the commands that you may see in GUI-based FTP clients. Table 21-2 General Commands for GUI-Based FTP Clients (COMMAND, DESCRIPTION) Host Address: Enter the addr[...]

  • Page 215

    ZyWALL 10/50 Internet Security Gateway Firmware and Configuration File Maintenance 21-5 • There is an SMT console session running. • The firewall is active. The default firewall policies block all traffic from the WAN, so to enable TFTP over the WAN, you must turn the firewall off (menu 21.2) or create a firewall rule to allow TFTP fro[...]

  • Page 216

    ZyWALL 10/50 Internet Security Gateway 21-6 Firmware and Configuration File Maintenance TFTP [-i] host get rom-0 config.rom where "i" specifies binary image transfer mode (use this mode when transferring binary files), "host" is the ZyWALL IP address, "get" transfers the file source on the ZyWALL (rom-0, name of the configuration [...]

  • Page 217

    ZyWALL 10/50 Internet Security Gateway Firmware and Configuration File Maintenance 21-7 Step 2. The following screen indicates that the Xmodem download has started. Figure 21-4 System Maintenance — Starting Xmodem Download Screen Step 3. Run the HyperTerminal program by clicking Transfer, then Receive File as shown in the following scree[...]

  • Page 218

    ZyWALL 10/50 Internet Security Gateway 21-8 Firmware and Configuration File Maintenance FTP is the preferred method for restoring your current computer configuration to your ZyWALL since it is faster. Please note that you must wait for the system to automatically restart after the file transfer is complete. WARNING! DO NOT INTERRUPT [...]

  • Page 219

    ZyWALL 10/50 Internet Security Gateway Firmware and Configuration File Maintenance 21-9 Step 3. Press [ENTER] when prompted for a username. Step 4. Enter your password as requested (the default is "1234"). Step 5. Enter "bin" to set transfer mode to binary. Step 6. Find the "rom" file (on your computer) that you want to restor[...]

  • Page 220

    ZyWALL 10/50 Internet Security Gateway 21-10 Firmware and Configuration File Maintenance Figure 21-10 System Maintenance — Starting Xmodem Download Screen Step 3. Run the HyperTerminal program by clicking Transfer, then Receive File as shown in the following screen. Figure 21-11 Restore Configuration Example Step 4. After a successful res[...]

  • Page 221

    ZyWALL 10/50 Internet Security Gateway Firmware and Configuration File Maintenance 21-11 WARNING! DO NOT INTERRUPT THE FILE TRANSFER PROCESS AS THIS MAY PERMANENTLY DAMAGE YOUR ZYWALL. 21.4.1 Firmware File Upload FTP is the preferred method for uploading the firmware and configuration. To use this feature, your computer must hav[...]

  • Page 222

    ZyWALL 10/50 Internet Security Gateway 21-12 Firmware and Configuration File Maintenance Figure 21-14 Telnet into Menu 24.7.2 — System Maintenance To upload the firmware and the configuration file, follow these examples. 21.4.3 FTP File Upload Command from the Command Line Example Step 1. Launch the FTP client on your computer. Step 2. Enter [...]

  • Page 223

    ZyWALL 10/50 Internet Security Gateway Firmware and Configuration File Maintenance 21-13 Step 7. Enter "quit" to exit the FTP prompt. 21.4.4 FTP Session Example of Firmware File Upload Figure 21-15 FTP Session Example of Firmware File Upload More commands (found in GUI-based FTP clients) are listed earlier in this chapter. Refer to secti[...]

  • Page 224

    ZyWALL 10/50 Internet Security Gateway 21-14 Firmware and Configuration File Maintenance Step 4. Launch the TFTP client on your computer and connect to the ZyWALL. Set the transfer mode to binary before starting data transfer. Step 5. Use the TFTP client (see the example below) to transfer files between the ZyWALL and the computer. The file[...]

  • Page 225

    ZyWALL 10/50 Internet Security Gateway Firmware and Configuration File Maintenance 21-15 Figure 21-16 Menu 24.7.1 Using the Console Port Step 2. After the "Starting Xmodem upload" message appears, activate the Xmodem protocol on your computer. Follow the procedure as shown previously for the HyperTerminal program. The proced[...]

  • Page 226

    ZyWALL 10/50 Internet Security Gateway 21-16 Firmware and Configuration File Maintenance 21.4.10 Uploading a Configuration File Via Console Port Step 1. Select 2 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.2 - System Maintenance - Upload System Configuration File. Follow the instructions as shown in the [...]

  • Page 227

    ZyWALL 10/50 Internet Security Gateway Firmware and Configuration File Maintenance 21-17 Figure 21-19 Example Xmodem Upload After the configuration upload process has completed, restart the ZyWALL by entering "at go". Type the configuration file's location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send [...]


  • Page 229

    ZyWALL 10/50 Internet Security Gateway System Maintenance & Information 22-1 Chapter 22 System Maintenance & Information This chapter leads you through SMT menus 24.8 to 24.11. 22.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main system firmware. The CI provides much of the same functionality as the SMT, whi[...]

  • Page 230

    ZyWALL 10/50 Internet Security Gateway 22-2 System Maintenance & Information Figure 22-2 Valid Commands 22.2 Call Control Support The ZyWALL provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1. The budg[...]

  • Page 231

    ZyWALL 10/50 Internet Security Gateway System Maintenance & Information 22-3 22.2.1 Budget Management Menu 24.9.1 shows the budget management statistics for outgoing calls. Enter 1 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu. Figure 22-4 Budget Management The total budget is the time limit on the [...]

  • Page 232

    ZyWALL 10/50 Internet Security Gateway 22-4 System Maintenance & Information 22.2.2 Call History This is the second option in Menu 24.9 - System Maintenance - Call Control. It displays information about past incoming and outgoing calls. Enter 2 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu. Figure 2[...]

  • Page 233

    ZyWALL 10/50 Internet Security Gateway System Maintenance & Information 22-5 on your ZyWALL. Menu 24.10 allows you to update the time and date settings of your ZyWALL. The real time is then displayed in the ZyWALL error logs and firewall logs. Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown next. Figure 22[...]

  • Page 234

    ZyWALL 10/50 Internet Security Gateway 22-6 System Maintenance & Information Table 22-3 Time and Date Setting Fields (FIELD, DESCRIPTION) Enter the time service protocol that your time server sends when you turn on the ZyWALL. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial a[...]

  • Page 235

    ZyWALL 10/50 Internet Security Gateway System Maintenance & Information 22-7 ii. When the ZyWALL starts up, if there is a time server configured in menu 24.10. iii. 24-hour intervals after starting.[...]


  • Page 237

    ZyWALL 10/50 Internet Security Gateway Remote Management 23-1 Chapter 23 Remote Management This chapter covers remote management found in SMT menu 24.11. 23.1 Telnet The only way to configure the ZyWALL for remote management is through an SMT session using the console port. Once your ZyWALL is configured, you can use telnet to configure it [...]

  • Page 238

    ZyWALL 10/50 Internet Security Gateway 23-2 Remote Management 23.3 Web You can use the ZyWALL's embedded web configurator for configuration and file management. See the Using the ZyWALL Web Configurator chapter for an introduction to the web configurator. 23.4 Remote Management Remote management control is for managing Telnet, Web an[...]

  • Page 239

    ZyWALL 10/50 Internet Security Gateway Remote Management 23-3 Figure 23-2 Menu 24.11 – Remote Management Control Table 23-1 Menu 24.11 – Remote Management Control (FIELD, DESCRIPTION, EXAMPLE) TELNET Server, FTP Server, Web Server, SNMP Server, DNS Server: These read-only labels denote the kind of server that you may remotely manage. Server Port: Yo[...]

  • Page 240

    ZyWALL 10/50 Internet Security Gateway 23-4 Remote Management (FIELD, DESCRIPTION, EXAMPLE) Secured Client IP: The default value for Secured Client IP is 0.0.0.0, which means you don't care which host is trying to use a service (Telnet, FTP or Web). If you enter an IP address in this field, the ZyWALL will check if the client IP address matches th[...]

  • Page 241

    ZyWALL 10/50 Internet Security Gateway Remote Management 23-5 • Use the ZyWALL's LAN IP address when configuring from the LAN. 23.6 System Timeout There is a system timeout of five minutes (three hundred seconds) for either the console port or telnet/web/FTP connections. Your ZyWALL will automatically log you out if you do nothing in t[...]


  • Page 243

    Call Scheduling and VPN/IPSec V Part V: Call Scheduling and VPN/IPSec Part V provides information about Call Scheduling and VPN/IPSec.[...]


  • Page 245

    ZyWALL 10/50 Internet Security Gateway Call Scheduling 24-1 Chapter 24 Call Scheduling Call scheduling allows you to dictate when a remote node should be called and for how long. 24.1 Introduction The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long. This feat[...]

  • Page 246

    ZyWALL 10/50 Internet Security Gateway 24-2 Call Scheduling To delete a schedule set, enter the set number and press [SPACE BAR] or [DELETE] in the Edit Name field. To set up a schedule set, select the schedule set you want to set up from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as shown next. Figure 24-2 Sch[...]

  • Page 247

    ZyWALL 10/50 Internet Security Gateway Call Scheduling 24-3 Table 24-1 Schedule Set Setup Fields (FIELD, DESCRIPTION, OPTION) Once: Date: If you selected Once in the How Often field above, then enter the date the set should activate here in year-month-date format. Weekday: Day: If you selected Weekly in the How Often field above, then select the day(s) [...]

  • Page 248

    ZyWALL 10/50 Internet Security Gateway 24-4 Call Scheduling Figure 24-3 Applying Schedule Set(s) to a Remote Node (PPPoE) You can apply up to 4 schedule sets, separated by commas, for one remote node. Change the schedule set numbers to your preference(s). Figure 24-4 Applying Schedule Set(s) to a Remote Node (PPTP) Menu 11.1 - Remote Node[...]

  • Page 249

    ZyWALL 10/50 Internet Security Gateway Introduction to IPSec 25-1 Chapter 25 Introduction to IPSec This chapter introduces the basics of IPSec VPNs. 25.1 Introduction 25.1.1 VPN A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunn[...]

  • Page 250

    ZyWALL 10/50 Internet Security Gateway 25-2 Introduction to IPSec Figure 25-1 Encryption and Decryption • Data Confidentiality: The IPSec sender can encrypt packets before transmitting them across a network. • Data Integrity: The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered dur[...]

  • Page 251

    ZyWALL 10/50 Internet Security Gateway Introduction to IPSec 25-3 Figure 25-2 VPN Application 25.2 IPSec Architecture The overall IPSec architecture is shown as follows.[...]

  • Page 252

    ZyWALL 10/50 Internet Security Gateway 25-4 Introduction to IPSec Figure 25-3 IPSec Architecture 25.2.1 IPSec Algorithms The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithm[...]

  • Page 253

    ZyWALL 10/50 Internet Security Gateway Introduction to IPSec 25-5 25.3 Encapsulation The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode. Figure 25-4 Transport and Tunnel Mode IPSec Encapsulation 25.3.1 Transport Mode Transport mode is used to protect upper layer protocols and only affects the data in the IP packe[...]

  • Page 254

    ZyWALL 10/50 Internet Security Gateway 25-6 Introduction to IPSec A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and complain that the hash val[...]
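    To make the point on page 25-6 concrete, here is an added example (not ZyXEL's code) of a minimal AH transport-mode packet whose ICV is an HMAC-MD5-96 or HMAC-SHA1-96 over the immutable IP header fields, the AH header and the payload, as RFC 2402/2403/2404 specify (no IP options or fragmentation handled), followed by what a plain router hop and a NAT source rewrite each do to verification. Keys are sized as the Manual Setup menu requires (16 characters for MD5, 20 for SHA-1) but are constructed values; addresses, SPI and payload are likewise constructed. Bear in mind that single DES and MD5, the minimal options this manual offers, are not acceptable choices today.

```python
"""Why AH cannot pass through NAT (page 25-6): the AH ICV covers the IP source and
destination addresses, so a NAT rewrite makes the receiver's hash differ.
Added example, not ZyXEL code: minimal AH transport mode with HMAC-*-96 ICV."""
import hmac
import ipaddress
import struct

AH_PROTO = 51
ICV_LEN = 12                    # HMAC-MD5-96 / HMAC-SHA1-96 truncate the MAC to 96 bits
# IPv4 fields AH treats as mutable (zeroed before hashing): TOS, flags/fragment offset,
# TTL, header checksum.  The addresses are NOT in this list, which is the whole problem.
MUTABLE = ((1, 1), (6, 2), (8, 1), (10, 2))

def _immutable_view(ip_header: bytes) -> bytes:
    h = bytearray(ip_header)
    for off, n in MUTABLE:
        h[off:off + n] = b"\x00" * n
    return bytes(h)

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Constructed IPv4 header (checksum left zero; AH ignores it anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def build_ah_packet(src: str, dst: str, next_proto: int, payload: bytes,
                    spi: int, seq: int, key: bytes, algo: str = "md5") -> bytes:
    """IP | AH | payload; ICV = HMAC(key, immutable IP header + AH with zero ICV + payload)."""
    ah_words = (12 + ICV_LEN) // 4 - 2                  # AH 'payload length': 32-bit words minus 2
    ah_no_icv = struct.pack("!BBHII", next_proto, ah_words, 0, spi, seq)
    hdr = ipv4_header(src, dst, AH_PROTO, 12 + ICV_LEN + len(payload))
    icv = hmac.new(key, _immutable_view(hdr) + ah_no_icv + b"\x00" * ICV_LEN + payload,
                   algo).digest()[:ICV_LEN]
    return hdr + ah_no_icv + icv + payload

def verify_ah(pkt: bytes, key: bytes, algo: str = "md5") -> bool:
    """What the receiving VPN device does: recompute the ICV and compare in constant time."""
    hdr, ah_no_icv, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    expected = hmac.new(key, _immutable_view(hdr) + ah_no_icv + b"\x00" * ICV_LEN + payload,
                        algo).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)

def router_hop(pkt: bytes) -> bytes:
    """An ordinary router decrements TTL and refreshes the checksum: both mutable, so AH still verifies."""
    h = bytearray(pkt[:20])
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    return bytes(h) + pkt[20:]

def nat_rewrite_source(pkt: bytes, new_src: str) -> bytes:
    """A NAT device on the path replaces the source address with one of its own choosing."""
    h = bytearray(router_hop(pkt)[:20])
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(h) + pkt[20:]

# Keys sized as the Manual Setup menu requires (16 characters for MD5, 20 for SHA-1); constructed values.
KEY_MD5 = b"0123456789abcdef"
KEY_SHA1 = b"0123456789abcdefghij"

def demo() -> dict:
    """Constructed scenario: a host behind a NAT sends an AH-protected TCP segment to 203.0.113.7."""
    pkt = build_ah_packet("192.168.1.10", "203.0.113.7", 6, b"\x00\x17\x00\x50" + b"payload",
                          0x1000, 1, KEY_MD5)
    return {"direct": verify_ah(pkt, KEY_MD5),
            "after_router": verify_ah(router_hop(pkt), KEY_MD5),
            "after_nat": verify_ah(nat_rewrite_source(pkt, "198.51.100.1"), KEY_MD5)}

if __name__ == "__main__":
    print(demo())
```

Because the addresses are immutable under AH, there is no NAT-friendly variant of it; the usual remedy is ESP with UDP encapsulation (NAT traversal), which keeps the outer IP header out of the integrity check.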

  • Page 255

    ZyWALL 10/50 Internet Security Gateway VPN/IPSec Setup 26-1 Chapter 26 VPN/IPSec Setup This chapter introduces the VPN SMT menus. 26.1 VPN/IPSec Setup The VPN/IPSec main SMT menu has three main submenus. 1. Define VPN policies in menu 27.1 submenus, including security policies, endpoint IP addresses, peer IPSec router IP address and key [...]

  • Page 256

    ZyWALL 10/50 Internet Security Gateway 26-2 VPN/IPSec Setup Figure 26-2 Menu 27 — VPN/IPSec Setup 26.2 IPSec Algorithms The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN. An SA is built from the authentication provided by the AH and ESP protocols. The primary function of key manage[...]

  • Page 257

    ZyWALL 10/50 Internet Security Gateway VPN/IPSec Setup 26-3 Table 26-1 AH and ESP. ESP: Select DES for minimal security and 3DES for maximum. Select NULL to set up a tunnel without encryption. AH: Select MD5 for minimal security and SHA-1 for maximum security. DES (default): Data Encryption Standard (DES) is a widely used method of data encryption us[...]

  • Page 258

    ZyWALL 10/50 Internet Security Gateway 26-4 VPN/IPSec Setup 26.3.1 My IP Address My IP Addr is the WAN IP address of the ZyWALL. If this field is configured as 0.0.0.0, then the ZyWALL will use the current ZyWALL WAN IP address (static or dynamic) to set up the VPN tunnel. The ZyWALL has to rebuild the VPN tunnel if the My IP Addr changes a[...]

  • Page 259

    ZyWALL 10/50 Internet Security Gateway VPN/IPSec Setup 26-5 Figure 26-4 Telecommuter's ZyWALL Configuration Figure 26-5 Headquarters ZyWALL Configuration The Secure Gateway IP Address may be configured as 0.0.0.0 only when using IKE key management and not Manual key management. A ZyWALL with Secure Gateway Address set to 0.0.0.0 can rec[...]

  • Page 260

    ZyWALL 10/50 Internet Security Gateway 26-6 VPN/IPSec Setup Figure 26-6 Menu 27.1 — IPSec Summary Table 26-3 Menu 27.1 — IPSec Summary (FIELD, DESCRIPTION, EXAMPLE) #: This is the VPN policy index number. Example: 1. Name: This field displays the unique identification name for this VPN rule. The name may be up to 32 characters long but only 10 character[...]

  • Page 261

    ZyWALL 10/50 Internet Security Gateway VPN/IPSec Setup 26-7 Table 26-3 Menu 27.1 — IPSec Summary (FIELD, DESCRIPTION, EXAMPLE) Local Addr End: When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Single, this is the same (static) IP address as in the Local Addr Start field. When the Addr Type field in Menu 27.1.1 IPSec Setup is co[...]

  • Page 262

    ZyWALL 10/50 Internet Security Gateway 26-8 VPN/IPSec Setup Table 26-3 Menu 27.1 — IPSec Summary (FIELD, DESCRIPTION, EXAMPLE) field in SMT 27.1.1 to 0.0.0.0. Remote Addr End: When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Single, this is the same (static) IP address as in the Remote Addr Start field. When the Addr Type fiel[...]

  • Page 263

    ZyWALL 10/50 Internet Security Gateway VPN/IPSec Setup 26-9 26.4 IPSec Setup Select Edit in the Select Command field, type the index number of a rule in the Select Rule field and press [ENTER] to edit the VPN using the menu shown next. Figure 26-7 Menu 27.1.1 — IPSec Setup You must also configure menu 27.1.1.1 or menu 27.1.1.2 to fully conf[...]

  • Page 264

    ZyWALL 10/50 Internet Security Gateway 26-10 VPN/IPSec Setup Table 26-4 Menu 27.1.1 — IPSec Setup (FIELD, DESCRIPTION, EXAMPLE) My IP Addr: Enter the WAN IP address of your ZyWALL. The ZyWALL uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. The VPN tunnel has to be rebuilt if this [...]

  • Page 265

    ZyWALL 10/50 Internet Security Gateway VPN/IPSec Setup 26-11 Table 26-4 Menu 27.1.1 — IPSec Setup (FIELD, DESCRIPTION, EXAMPLE) Port Start: 0 is the default and signifies any port. Type a port number from 0 to 65535. Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3. Example: 0. End: Enter a port number in this f[...]

  • Page 266

    ZyWALL 10/50 Internet Security Gateway 26-12 VPN/IPSec Setup Table 26-4 Menu 27.1.1 — IPSec Setup (FIELD, DESCRIPTION, EXAMPLE) Port Start: 0 is the default and signifies any port. Type a port number from 0 to 65535. Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3. Example: 0. End: Enter a port number in this f[...]

  • Page 267

    ZyWALL 10/50 Internet Security Gateway VPN/IPSec Setup 26-13 Figure 26-8 Two Phases to set up the IPSec SA In phase 1 you must: • Choose a negotiation mode. • Authenticate the connection by entering a pre-shared key. • Choose an encryption algorithm. • Choose an authentication algorithm. • Choose a Diffie-Hellman public-key c[...]

  • Page 268

    ZyWALL 10/50 Internet Security Gateway 26-14 VPN/IPSec Setup • Aggressive Mode is quicker than Main Mode because it eliminates several steps when the communicating parties are negotiating authentication (phase 1). However, the trade-off is that faster speed limits its negotiating power and it also does not provide identity protection. It is[...]

  • Page 269

    ZyWALL 10/50 Internet Security Gateway VPN/IPSec Setup 26-15 Figure 26-9 Menu 27.1.1.1 — IKE Setup Table 26-5 Menu 27.1.1.1 — IKE Setup (FIELD, DESCRIPTION, EXAMPLE) Phase 1 Negotiation Mode: Press [SPACE BAR] to choose from Main or Aggressive and then press [ENTER]. See earlier for a discussion of these modes. Multiple SAs connecting through a s[...]

  • Page 270

    ZyWALL 10/50 Internet Security Gateway 26-16 VPN/IPSec Setup Table 26-5 Menu 27.1.1.1 — IKE Setup (FIELD, DESCRIPTION, EXAMPLE) Encryption Algorithm: When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authenticatio[...]

  • Page 271

    ZyWALL 10/50 Internet Security Gateway VPN/IPSec Setup 26-17 Table 26-5 Menu 27.1.1.1 — IKE Setup (FIELD, DESCRIPTION, EXAMPLE) Perfect Forward Secrecy (PFS): Perfect Forward Secrecy (PFS) is disabled (None) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure. Press [SPACE BAR] and choose from DH1 or DH2 to e[...]

  • Page 272

    ZyWALL 10/50 Internet Security Gateway 26-18 VPN/IPSec Setup Figure 26-10 Menu 27.1.1.2 — Manual Setup Table 26-7 Menu 27.1.1.2 — Manual Setup (FIELD, DESCRIPTION, EXAMPLE) Active Protocol: Press [SPACE BAR] to choose from ESP Tunnel, ESP Transport, AH Tunnel or AH Transport and then press [ENTER]. Choosing an ESP combination causes the AH Set[...]

  • Page 273

    Table 26-7 Menu 27.1.1.2 - Manual Setup (continued; FIELD / DESCRIPTION / EXAMPLE). Authentication Algorithm: Press [SPACE BAR] to choose from MD5 or SHA1 and then press [ENTER]. Example: MD5. Key: Enter the authentication key to be used by IPSec if applicable. The key must be unique. Enter 16 characters for MD5 a[...]


  • Page 275

    Chapter 27 SA Monitor. This chapter teaches you how to manage your SAs by using the SA Monitor in SMT menu 27.2. 27.1 Introduction. A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This menu (shown next) displays active VPN connections. When the[...]

  • Page 276

    Table 27-1 Menu 27.2 - SA Monitor (FIELD / DESCRIPTION / EXAMPLE). #: This is the security association index number. Name: This field displays the identification name for this VPN policy. This name is unique for each connection where the secure gateway IP address is a public static IP address. Whe[...]

  • Page 277

    Table 27-1 Menu 27.2 - SA Monitor (continued; FIELD / DESCRIPTION / EXAMPLE). ... configuration, or press [ESC] at any time to cancel.[...]


  • Page 279

    Chapter 28 IPSec Log. This chapter interprets common IPSec log messages. 28.1 VPN Initiator IPSec Log. To view the IPSec and IKE connection log, type 3 in menu 27 and press [ENTER] to display the IPSec log as shown next. The following figure shows a typical log from the initiator of a VPN [...]

  • Page 280

    28.2 VPN Responder IPSec Log. The following figure shows a typical log from the VPN connection peer. Figure 28-2 Example VPN Responder IPSec Log. This menu is useful for troubleshooting. A log index number, the date and time the log was created and a log message are displayed. Double exc[...]

  • Page 281

    Table 28-1 Sample IKE Key Exchange Logs (LOG MESSAGE / DESCRIPTION). Send:<Symbol><Symbol> and Recv:<Symbol><Symbol>: IKE uses the ISAKMP protocol (refer to RFC2408 - ISAKMP) to transmit data. Each ISAKMP packet contains payloads of different types that show in the log - see [...]

  • Page 282

    Table 28-1 Sample IKE Key Exchange Logs (continued; LOG MESSAGE / DESCRIPTION). !! IKE Packet Retransmit: The ZyWALL did not receive a response from the peer and so retransmits the last packet sent. !! Failed to send IKE Packet: The ZyWALL cannot send IKE packets due to a network error. !! Too many errors! Del[...]

  • Page 283

    Table 28-3 RFC-2408 ISAKMP Payload Types (LOG DISPLAY / PAYLOAD TYPE):
    TRANS    Transform
    KE       Key Exchange
    ID       Identification
    CER      Certificate
    CER_REQ  Certificate Request
    HASH     Hash
    SIG      Signature
    NONCE    Nonce
    NOTFY    Notification
    DEL      Delete
    VID      Vendor ID[...]


  • Page 285

    Part VI: Troubleshooting, Appendices and Index. This part provides Troubleshooting, followed by some Appendices and an Index.[...]


  • Page 287

    Chapter 29 Troubleshooting. This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see our included disk for further information. 29.1 Problems Starting Up [...]

  • Page 288

    29.2 Problems with the LAN Interface. Table 29-2 Troubleshooting the LAN Interface (PROBLEM / CORRECTIVE ACTION). Check the 10M/100M LEDs on the front panel. One of these LEDs should be on. If they are both off, check the cables between your ZyWALL and hub or the station. Can't ping any work[...]

  • Page 289

    Table 29-3 Troubleshooting the WAN Interface (PROBLEM / CORRECTIVE ACTION). Can't connect to a remote node or ISP: Check menu 24.1 to verify the line status. If it indicates Down, then refer to the section on the line problems. 29.4 Problems with Internet Access. Table 29-4 Troubleshooting[...]

  • Page 290

    29.6 Problems with Remote Management. Table 29-6 Troubleshooting Remote Management (PROBLEM / CORRECTIVE ACTION). Refer to the Remote Management Limitations section for scenarios when remote management may not be possible. When NAT is enabled:
    - Use the ZyWALL's WAN IP address when config[...]

  • Page 291

    Appendix A The Big Picture. The following figure gives an overview of how filtering, the firewall, VPN and NAT are related. Diagram 1 Big Picture - Filtering, Firewall, NAT and VPN[...]


  • Page 293

    Appendix B PPPoE. PPPoE in Action. An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit) that connects to a xDSL Access Concentrator where the PPP session terminates (see the next figure). One PVC can support any num[...]

  • Page 294

    How PPPoE Works. The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as a L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Conce[...]

  • Page 295

    Appendix C PPTP. What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband modem over Ethernet? A solution is to build PPTP into the ANT (ADSL Ne[...]

  • Page 296

    PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco's Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user. The PNS is the box that hosts both the PPP and the P[...]

  • Page 297

    PPP Data Connection. The PPP frames are tunneled between the PNS and PAC over GRE (General Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.[...]


  • Page 299

    Appendix D Hardware Specifications.
    Power Specification: I/P AC 120V / 60Hz; O/P DC 12V 1200 mA
    MTBF: 100000 hrs
    Operation Temperature: 0ºC ~ 40ºC
    Ethernet Specification for WAN: 10Mbit Half Duplex
    Ethernet Specification for LAN: 10/100 Mbit Half / Full Auto-negotiation
    Console Port [...]


  • Page 301

    Appendix E Important Safety Instructions. The following safety instructions apply to the ZyWALL. 1. Be sure to read and follow all warning notices and instructions. 2. The maximum recommended ambient temperature for the ZyWALL is 40º Celsius (104º Fahrenheit). Care must [...]


  • Page 303

    Appendix F Boot Commands. The BootModule AT commands execute from within the router's bootup software, when debug mode is selected before the main system firmware (ZyNOS) is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at th[...]

  • Page 304

    Diagram 8 Boot Module Commands.
    ======= Debug Command Listing =======
    AT          just answer OK
    ATHE        print help
    ATBAx       change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
    ATENx,(y)   set BootExtension Debug Flag (y=password)
    ATSE        show the seed of password generator
    ATTI(h,m,s) change system time to [...]

  • Page 305

    Appendix G Command Interpreter. The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on[...]


  • Page 307

    Appendix H Firewall Commands. The following describes the firewall commands. See the Command Interpreter appendix for information on the command structure. (FUNCTION / COMMAND / DESCRIPTION.) Firewall Set-Up: config edit firewall active <yes | no>: Thi[...]

  • Page 308

    (FUNCTION / COMMAND / DESCRIPTION.) config display firewall ?: This command shows all of the available firewall sub commands. Edit E-mail: config edit firewall e-mail mail-server <ip address of mail server>: This command sets the IP address to which the e-mail mess[...]

  • Page 309

    (FUNCTION / COMMAND / DESCRIPTION.) config edit firewall attack block <yes | no>: Set this command to yes to block new traffic after the tcp-max-incomplete threshold is exceeded. Set it to no to delete the oldest half-open session when traffic exceeds the tcp-max-incomplete threshold. config[...]

  • Page 310

    (FUNCTION / COMMAND / DESCRIPTION.) config edit firewall set <set #> icmp-timeout <seconds>: This command sets the time period to allow an ICMP session to wait for the ICMP response. config edit firewall set <set #> udp-idle-timeout <seconds>: This command sets how long a UDP[...]

  • Page 311

    (FUNCTION / COMMAND / DESCRIPTION.) config edit firewall set <set #> rule <rule #> log <none | match | not-match | both>: This command sets the ZyWALL to log traffic that matches the rule, doesn't match, both or neither. config edit firewall set <set #> rule <rule #[...]

  • Page 312

    (FUNCTION / COMMAND / DESCRIPTION.) config edit firewall set <set #> rule <rule #> TCP destport-range <start port #> <end port #>: This command sets a rule to have the ZyWALL check for TCP traffic with a destination port in this range. config edit firewall set <set #> [...]

  • Page 313

    Appendix I NetBIOS Filter Commands. The following describes the NetBIOS packet filter commands. See the Command Interpreter appendix for information on the command structure. Introduction. NetBIOS (Network Basic Input/Output System) are TCP or UDP broadcast packets that enable a co[...]

  • Page 314

    The filter types and their default settings are as follows (NAME / DESCRIPTION / DEFAULT). LAN to WAN: This field displays whether NetBIOS packets are blocked or forwarded from the LAN to the WAN. Default: Forward. LAN to DMZ: This field displays whether NetBIOS packets are blocked or forwarded from[...]

  • Page 315

    Command: sys filter netbios config 1 off. This command forwards LAN to DMZ NetBIOS packets.
    Command: sys filter netbios config 2 on. This command blocks IPSec NetBIOS packets.
    Command: sys filter netbios config 3 off. This command stops NetBIOS commands from initiating calls.[...]


  • Page 317

    Index. A: Action for Matched Packets, 13-11; Activate The Firewall, 16-3; Alert Schedule, 12-4; Application-level Firewalls, 10-1; Applications for the ZyWALL 50 [...]

  • Page 318

    Custom Ports: Creating/Editing, 14-3; Introduction, 14-1. Customer Support, vii; Customized Services, 14-2. D: DDNS Configuration [...]

  • Page 319

    Filters: Executing a Filter Rule, 18-2; Logic Flow of an IP Filter, 18-10. Firewall: Access Methods, 11-1; Activating, 11-1; Address Type [...]

  • Page 320

    Internet Access via Cable or xDSL Modem, 1-4; Internet Assigned Numbers Authority, See IANA; Internet Control Message Protocol (ICMP), 10-6; Internet Security Gateway, i; IP address, 5-3, 5-7; IP Address Assig[...]

  • Page 321

    O: One Minute High, 12-9; One Minute Low, 12-9; One-Minute High, 12-7; Online Registration, vi. P: Packet Filtering [...]

  • Page 322

    Source and Destination Addresses, 13-11; Summary, 13-4; Timeout, 13-13. S: SA Monitor, 27-1; Safety Instructions [...]

  • Page 323

    TCP Security, 10-10; TCP/IP, 5-1, 5-2, 5-5, 5-7, 7-7, 7-10, 10-3, 10-4, 18-7, 18-8, 18-10, 18-13, 18-17, 23-1; TCP/IP filter rule, 18-7; Teardrop, 10-[...]

  • Page 324

    Introduction, 10-2[...]