ZyXEL Communications 110 manual

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562

Go to page of

A good user manual

The rules should oblige the seller to give the purchaser an operating instrucion of ZyXEL Communications 110, along with an item. The lack of an instruction or false information given to customer shall constitute grounds to apply for a complaint because of nonconformity of goods with the contract. In accordance with the law, a customer can receive an instruction in non-paper form; lately graphic and electronic forms of the manuals, as well as instructional videos have been majorly used. A necessary precondition for this is the unmistakable, legible character of an instruction.

What is an instruction?

The term originates from the Latin word „instructio”, which means organizing. Therefore, in an instruction of ZyXEL Communications 110 one could find a process description. An instruction's purpose is to teach, to ease the start-up and an item's use or performance of certain activities. An instruction is a compilation of information about an item/a service, it is a clue.

Unfortunately, only a few customers devote their time to read an instruction of ZyXEL Communications 110. A good user manual introduces us to a number of additional functionalities of the purchased item, and also helps us to avoid the formation of most of the defects.

What should a perfect user manual contain?

First and foremost, an user manual of ZyXEL Communications 110 should contain:
- informations concerning technical data of ZyXEL Communications 110
- name of the manufacturer and a year of construction of the ZyXEL Communications 110 item
- rules of operation, control and maintenance of the ZyXEL Communications 110 item
- safety signs and mark certificates which confirm compatibility with appropriate standards

Why don't we read the manuals?

Usually it results from the lack of time and certainty about functionalities of purchased items. Unfortunately, networking and start-up of ZyXEL Communications 110 alone are not enough. An instruction contains a number of clues concerning respective functionalities, safety rules, maintenance methods (what means should be used), eventual defects of ZyXEL Communications 110, and methods of problem resolution. Eventually, when one still can't find the answer to his problems, he will be directed to the ZyXEL Communications service. Lately animated manuals and instructional videos are quite popular among customers. These kinds of user manuals are effective; they assure that a customer will familiarize himself with the whole material, and won't skip complicated, technical information of ZyXEL Communications 110.

Why one should read the manuals?

It is mostly in the manuals where we will find the details concerning construction and possibility of the ZyXEL Communications 110 item, and its use of respective accessory, as well as information concerning all the functions and facilities.

After a successful purchase of an item one should find a moment and get to know with every part of an instruction. Currently the manuals are carefully prearranged and translated, so they could be fully understood by its users. The manuals will serve as an informational aid.

Table of contents for the manual

  • Page 1

    Quick Start Guide www .zyxel.com ZyWALL 110/310/1100 Series VPN Firewall V e rsion 3.10 Edition 2, 02/2013 Copyright © 2013 Z yXEL Communications Corpor ation User’s Guide Default Login Details LAN P ort IP Address https://192.168.1.1 User Name admin P assword 1234[...]

  • Page 2

    ZyWALL 110/310/1100 Series User’s Guide 2 IMPORT ANT! READ CAREFULL Y BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE. This is a User’s Gu ide for a series of products. Not all products support all firmware features. Screenshots and graphics in this book may differ sl ightly from your product due to differences in your product firmware o r you[...]

  • Page 3

    ZyWALL 110/310/1100 Se ries User’s Guide 3 Chapter 1 Introduction ................................................. ..................................................... ............. ...................... 17 1.1 Overview ................ ... ... ............. ... .... ... ... ............. ... ... .... ... ............. ... ... ... .... ... ...[...]

  • Page 4

    ZyWALL 110/310/1100 Series User’s Guide 4 4.3.5 VPN Express W izard - Summa ry ... ... .... ............. ... ... ... ............. ... .... ... ............. ... ... ... ............. . 51 4.3.6 VPN Express W izard - Fini sh ............................. ............. ................ ............. ............ ......... ..... 52 4.3.7 VPN Adv a[...]

  • Page 5

    ZyWALL 110/310/1100 Se ries User’s Guide 5 6.9.1 More Information .......... ... ... .... ... ... ... ... ............. .... ... ... ... .... ... ............. ... ... ... .... ... ... ....... ............ . 95 6.10 USB S torage Screen .. ............. ................ ................ ............. ................ ............. .............. .[...]

  • Page 6

    ZyWALL 110/310/1100 Series User’s Guide 6 8.2 The Trunk Summary Screen .. ................ ................ ............. ................ ................ ............. ...... ......... 180 8.2.1 Configuring a User-Defined T runk .......... ... ...... ............. ............. ................ ............. ............. . . 181 8.2.2 Configur[...]

  • Page 7

    ZyWALL 110/310/1100 Se ries User’s Guide 7 Chapter 13 NA T .......................................... ............................................................... ................... ......................... 221 13.1 NA T O verview ................... ............. ................ ............. ................ ............. ................[...]

  • Page 8

    ZyWALL 110/310/1100 Series User’s Guide 8 Chapter 18 Authentication Policy ........................................... ........... .......... .......................................... ............. 253 18.1 Overview ....... ................ ............. ................ ............. ................. ............ ............. ...... .........[...]

  • Page 9

    ZyWALL 110/310/1100 Se ries User’s Guide 9 Chapter 21 SSL VPN ........................................................................... ............................................. .................... 317 21.1 Overview ....... ................ ............. ................ ............. ................. ............ ............. ...... ...[...]

  • Page 10

    ZyWALL 110/310/1100 Series User’s Guide 10 24.1.2 What Y ou Need to Know ....... ............ ............. .......... ............. ............. ............. ............. .... .... 345 24.2 L2TP VPN Screen ...................... .... ... ... ... ... .... ............. ... ... ... .... ... ... ... ... ............. .... ... ... ... ....... ...[...]

  • Page 11

    ZyWALL 110/310/1100 Se ries User’s Guide 11 28.2.1 IPv4 Address Add/ Edit Screen ...... ................ ............. ................ ............. ................ ........... . 386 28.2.2 IPv6 Address Add/ Edit Screen ...... ................ ............. ................ ............. ................ ........... . 387 28.3 Address Group Sum[...]

  • Page 12

    ZyWALL 110/310/1100 Series User’s Guide 12 32.2 Authentication Method Ob jects ............... ............. ................ ............. ................ ............. ...... ......... 410 32.2.1 Creating an Authenticatio n Method Ob jec t .... .... ... ... ... .... ... ... ... ... .... ... ............. ... ... ... .... ... ... .. 410 Chapter[...]

  • Page 13

    ZyWALL 110/310/1100 Se ries User’s Guide 13 Chapter 37 System .............................................. ................................................................ ........... ...................... 443 37.1 Overview ....... ................ ............. ................ ............. ................. ............ ............. ......[...]

  • Page 14

    ZyWALL 110/310/1100 Series User’s Guide 14 37.12 Language Screen ............... ................ ............. ................ ................ ............. ................ ....... ........ 483 37.13 IPv6 Screen .............. ... .... ... ... ... .... ... ... ............. ... ... .... ... ... ... .... ... ............. ... ... ... .... ... [...]

  • Page 15

    ZyWALL 110/310/1100 Se ries User’s Guide 15 Chapter 42 Reboot .................................... .................................................... ................................. ...................... 525 42.1 Overview ....... ................ ............. ................ ............. ................. ............ ............. ......[...]

  • Page 16

    ZyWALL 110/310/1100 Series User’s Guide 16[...]

  • Page 17

    ZyWALL 110/310/1100 Se ries User’s Guide 17 C HAPTER 1 Introduction 1.1 Overview Note: This he lp covers the followin g ZyW A L L mo dels and refers to them all as “Z yWALL” . Featur es and interface names v ary by model. K e y fe ature di ffe re nces be tw ee n Z yWALL mod els are as follows. Other features are common to all models although [...]

  • Page 18

    Chapter 1 Introduction ZyWALL 110/310/1100 Series User’s Guide 18 Figure 2 Applications: VPN Connectivity SSL VPN Network Access SSL VPN lets remote users use their web browsers for a very easy-to-use VPN solution. A user just browses to the Z yWALL’ s web address and enters his user name and password to securely connect to the Z y W ALL’s ne[...]

  • Page 19

    Chapter 1 Introduction ZyWALL 110/310/1100 Se ries User’s Guide 19 Figure 4 Applications: User-A ware Access Control Load Balancing Set up multiple connections to the Internet on th e same port, or different ports, including cellular interfaces. In either case, you can ba lance the tr affic loads between them. Figure 5 Applications: Multiple WAN [...]

  • Page 20

    Chapter 1 Introduction ZyWALL 110/310/1100 Series User’s Guide 20 Command-Line Interface (CLI) The CLI allows you to use text -based commands to configure the Z yWALL. Access it using remote management (for example, SSH or T elnet) or via the physical or W eb Configurator console port. See the Command Reference Guide for CLI details. The default [...]

  • Page 21

    Chapter 1 Introduction ZyWALL 110/310/1100 Se ries User’s Guide 21 4 Click Login . If you logged in using the default user name and password, the Update Admin Info screen appears. Otherwise, the dashboard appears. 5 Follow the directions in the Update Admin Info screen. If you change the default password, the Login screen appears after you click [...]

  • Page 22

    Chapter 1 Introduction ZyWALL 110/310/1100 Series User’s Guide 22 The title bar icons in the upper right corner pro vide the following functions. About Click About to display basic information about the ZyWALL. Figure 8 About Site Map Click Site MAP to see an overview of links to the W eb Configur ator screens. Click a screen’ s link to go to t[...]

  • Page 23

    Chapter 1 Introduction ZyWALL 110/310/1100 Se ries User’s Guide 23 Figure 9 Site Map Object R eference Click Object Refe rence to open the Object Reference screen. Selec t the type of object and the individual object and click Refresh to show which configur ation settings reference the object. Figure 10 Object Reference The fields vary with the t[...]

  • Page 24

    Chapter 1 Introduction ZyWALL 110/310/1100 Series User’s Guide 24 Console Click Console to open a Java-based console wi ndow from which you can run C LI commands. Y ou will be prompted to enter your user name and password. See the Command Re ference Guide for information about the commands. Figure 1 1 Console Window CLI Messages Click CLI to look[...]

  • Page 25

    Chapter 1 Introduction ZyWALL 110/310/1100 Se ries User’s Guide 25 1.3.3 Navigation Panel Use the navigation panel menu item s to open status and configuratio n screens. Click the arrow in the middle of the right edge of the navigation pa nel to h ide the panel or drag to resize it. Th e following sections introduce the Z yWALL’ s navigation pa[...]

  • Page 26

    Chapter 1 Introduction ZyWALL 110/310/1100 Series User’s Guide 26 Configuration Menu Use the configur ation menu screens to configure the Z yWALL’ s features. Cellular Status Disp lays details about the ZyWALL’ s 3 G connection statu s. USB Storage Displays details about USB device connect ed to the ZyW ALL. VPN Monit or IPSec Displays and ma[...]

  • Page 27

    Chapter 1 Introduction ZyWALL 110/310/1100 Se ries User’s Guide 27 Firewall Firewall Create and manage level-3 traffic rules. Session Control Limit the number of concurrent client NA T/firewall sessions . VPN IPSec VPN VPN Connection Config ure IPSec tu nnels. VPN Gateway Confi gure IKE tunn els. Concentr ator Combine IPSec VPN con nections into [...]

  • Page 28

    Chapter 1 Introduction ZyWALL 110/310/1100 Series User’s Guide 28 Maintenance Menu Use the maintenance menu screens to manage configur ation and firmware files, run diagnostics, and reboot or shut down the Z yWALL. 1.3.4 T ables and Lists W eb Configurator tables and lists are flexible with sev eral options for how to display their entries. Click[...]

  • Page 29

    Chapter 1 Introduction ZyWALL 110/310/1100 Se ries User’s Guide 29 Figure 14 Sorting T able Entries by a Column’ s Criter ia Click the down arrow next to a column heading fo r more options about how to displa y the entries. The options av ailable vary depending on the type of fields in the column. Here are some examples of what you can do: • [...]

  • Page 30

    Chapter 1 Introduction ZyWALL 110/310/1100 Series User’s Guide 30 Figure 17 Moving Columns Use the icons and fields at the bottom of the tabl e to na vigate to different pages of entries and control how many entries displa y at a time. Figure 18 Navigating P ages of T able Entries The tables have icons for working with table entries. Y ou can oft[...]

  • Page 31

    Chapter 1 Introduction ZyWALL 110/310/1100 Se ries User’s Guide 31 Working with List s When a list of available entries displays next to a list of selected entries, you can often just double- click an entry to mov e it from one list to the other . In some lists you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use th[...]

  • Page 32

    Chapter 1 Introduction ZyWALL 110/310/1100 Series User’s Guide 32[...]

  • Page 33

    ZyWALL 110/310/1100 Se ries User’s Guide 33 C HAPTER 2 Installation Setup Wizard 2.1 Inst allation Setup Wizard Screens When you log into the W eb Configurator for the first time or when you reset the Z yWALL to its default configuration, the Installation Setup Wizard screen displays. This wizard helps you configure Internet connection settings a[...]

  • Page 34

    Chapter 2 Installation Setup Wizard ZyWALL 110/310/1100 Series User’s Guide 34 • WAN Interface : This is the interface you are configuring for Internet access. • Zone : This is the security zone to which this interface and Intern et connection belong. • IP Address Assignment : Select Auto if your ISP did not assign you a fixed IP address. S[...]

  • Page 35

    Chapter 2 Installation Setup Wizard ZyWALL 110/310/1100 Se ries User’s Guide 35 •T y p e t h e Password associated with the user name. Use up to 64 ASCII characters except the [] and ?. This field can be blank. •S e l e c t Nailed-Up if you do not w ant the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses befor[...]

  • Page 36

    Chapter 2 Installation Setup Wizard ZyWALL 110/310/1100 Series User’s Guide 36 •T y p e a Connection ID or connection name. It must follow the “c:id” and “n:name” format. F or example, C:12 or N:My ISP . This field is opti onal and depends on the requ irements of your broadband modem or router . Y ou can use alphanumeric and -_ : charac[...]

  • Page 37

    ZyWALL 110/310/1100 Se ries User’s Guide 37 C HAPTER 3 Hardware Introduction 3.1 Default Zones, Interfaces, and Port s The default configur ations for zones, interfaces, an d ports are as follows. R eferences to interfaces may be generic r ather than the specific name used in y our model. F or example, this guide may use “the WAN interface” r[...]

  • Page 38

    Chapter 3 Hardware Introduction ZyWALL 110/310/1100 Series User’s Guide 38 Note: Use an 8-wire Ethernet cable to run your Gigab it Ethernet at 1000 Mbps. Using a 4- wire Ethernet cable limits your connecti on to 100 Mbps. Note that the connection speed also depends on what the Ethernet device at the other end can support. 3.2 S topping the ZyW A [...]

  • Page 39

    Chapter 3 Hardware Introduction ZyWALL 110/310/1100 Se ries User’s Guide 39 3.4 W all-mounting See Chapter 1 on page 17 for the Z yWALL models that can be wall-mounted. Do the follow ing to attach your Z yWALL to a wall. 1 Screw two screws with 6 mm ~ 8 mm (0.24" ~ 0.3 1") wide heads into the wall 150 mm ap art (see the figure in step 2[...]

  • Page 40

    Chapter 3 Hardware Introduction ZyWALL 110/310/1100 Series User’s Guide 40 Figure 21 Zy WA L L F r on t Pa n el The following tables describe the LEDs. T a ble 10 Front Panel LEDs LED COLOR STATUS DESCRIPTION PWR Off The ZyW ALL is turned off . Green On The ZyW ALL is turned on. Red On There is a hardware component fail ur e. Shut down the device[...]

  • Page 41

    Chapter 3 Hardware Introduction ZyWALL 110/310/1100 Se ries User’s Guide 41 3.5.1 Rear Panels The following graphic shows the rear panel of the Z yWALL. Ta b l e 1 1 Rear Panel LABEL DESCRIPTION Console Y ou can use the consol e port to manage the ZyW ALL using CLI commands. Y ou will be prompted to enter your user name and pa ssword. See the Com[...]

  • Page 42

    Chapter 3 Hardware Introduction ZyWALL 110/310/1100 Series User’s Guide 42[...]

  • Page 43

    ZyWALL 110/310/1100 Se ries User’s Guide 43 C HAPTER 4 Quick Setup Wizards 4.1 Quick Setup Overview The W eb Configurator's quick setup wizards help you configure Internet and VPN connection settings. This chapter provides information on configuring the quick setup screens in the W eb Configurator . See the feature-specific chapters in this [...]

  • Page 44

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 44 Figure 23 WAN Interface Quick Setup Wizard 4.2.1 Choose an Ethernet Interface Select the Ethernet interface that you w ant to configure for a W AN connection and click Next . Figure 24 Choose an Ethernet Interface 4.2.2 Select W AN T ype WAN Type Selection : Select the type [...]

  • Page 45

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Se ries User’s Guide 45 Figure 25 WAN Interface Setup: Step 2 The screens vary depending on what encapsulation type you use. R efer to information provided by your ISP to know w hat to enter in each field. Leav e a field blank if you don’t have that information. Note: Enter the Internet access i[...]

  • Page 46

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 46 Figure 27 WAN and ISP Connection Settings: (PPTP Shown) The following table describes the labels in this screen. T a ble 12 WAN and ISP Connection Settings LABEL DESCRIPTION ISP Pa rameter This section appear s if the interface uses a PPPo E or PPTP Internet connection. Enca[...]

  • Page 47

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Se ries User’s Guide 47 4.2.5 Quick Setup Interface Wizard: Summary This screen displays the W AN interface’s settings. Figure 28 Interface Wizard: Summary WAN (PPTP Shown) Server IP T ype the IP address of the PPTP server . Connection ID Ente r the connect ion ID or connection name in this fiel[...]

  • Page 48

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 48 The following table describes the labels in this screen. 4.3 VPN Setup Wizard Click VPN Setup in the main Quick Se tup screen to open the VPN Setup Wizard Welcome screen. Figure 29 VPN Setup Wizard 4.3.1 Welcome Use wizards to create Virtual Private Network (VPN ) rules. Aft[...]

  • Page 49

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Se ries User’s Guide 49 • VPN Setup configures a VPN tunnel for a secure connection to another computer or network. • VPN Settings for Configuration Provisioning sets up a VPN rule the Z yWALL IPSec VPN Client can retrieve. Just enter a user name, password an d the IP address of th e Z yWALL i[...]

  • Page 50

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 50 4.3.3 VPN Express Wizard - Scenario Click the Express radio button as shown in Figure 31 on page 49 to display the following screen. Figure 32 VPN Express Wizard: Scenario Rule Name : T ype the name used to identify this VPN connection (and VPN gateway). Y ou may use 1-31 al[...]

  • Page 51

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Se ries User’s Guide 51 4.3.4 VPN Express Wi zard - Configuration Figure 33 VPN Express Wizard: Configuration • Secure Gateway : Any displays in this field if it is not configurable for the chosen scenario. Otherwise, enter the WAN IP address or domain name of the remote IPSec device (secure gat[...]

  • Page 52

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 52 Figure 34 VPN Express Wizard: Summary • Rule Name : Identifies the VPN gatewa y policy . • Secure Gateway : IP address or domain name of the remo te IPSec device. If this field displays Any , only the remote IPSec device can initiate the VPN connection. • Pre-Shared Ke[...]

  • Page 53

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Se ries User’s Guide 53 Figure 35 VPN Express Wizard: Finish Click Close to exit the wizard. 4.3.7 VPN Advanced Wizard - Scenario Click the Advanced radio button as shown in Figu re 31 on page 49 to display the following screen.[...]

  • Page 54

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 54 Figure 36 VPN Advanced Wizard: Scenario Rule Name : T ype the name used to identify this VPN connection (and VPN gateway). Y ou may use 1-31 alphanumeric char acters, underscores ( _ ), or dashes (-), but the first char acter cannot be a number . This value is case-sensitive[...]

  • Page 55

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Se ries User’s Guide 55 Figure 37 VPN Advanced Wizard: Phase 1 Settings • Secure Gateway : Any displays in this field if it is not configurable for the chosen scenario. Otherwise, enter the WAN IP address or domain name of the remote IPSec device (secure gateway) to identify the remote IPSec dev[...]

  • Page 56

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 56 • Dead Peer De tection (DPD) has the ZyW A LL make sure the remote IPSec device is there before transmitting data through the IKE S A. If th ere has been no tr affic for at least 15 seconds, the Z yWALL sends a message to the remote IPSec device. If it responds, the Z yWAL[...]

  • Page 57

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Se ries User’s Guide 57 4.3.10 VPN Advanced Wizard - Summary This is a read-only summary of the VPN tunnel settin gs. Figure 39 VPN Advanced Wizard: Step 5 • Rule Name : Identifies the VPN connection (and the VPN gatew ay). • Secure Gateway : IP address or domain name of the remote IPSec devic[...]

  • Page 58

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 58 Figure 40 VPN Wizard: Finish Click Close to exit the wizard. 4.4 VPN Settings for Configuration Provisioning Wizard: Wiz a rd T y p e Use VPN Setti n g s for Configura t ion Provision in g to set up a VPN rule that can be retrieved with the Z yWALL IPSec VPN Client. VPN rule[...]

  • Page 59

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Se ries User’s Guide 59 Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and to use a pre-shared key . Choose Advanced to change the default settings and/or use certificates instead of a pre-shared key i n th e V P N r u le . Figure 41 VPN Settings for Configuratio[...]

  • Page 60

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 60 Figure 42 VPN for Configuration Provision ing Express Wizard: Settings Scenario Rule Name : T ype the name used to identify this VPN connection (and VPN gateway). Y ou may use 1-31 alphanumeric char acters, underscores ( _ ), or dashes (-), but the first char acter cannot be[...]

  • Page 61

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Se ries User’s Guide 61 Figure 43 VPN for Configuration Provision ing Express Wizard: Configuration • Secure Gateway : Any displays in this field because it is no t configurable in this wizard. It allows incoming connections from the Z yWALL IPSec VPN Client. • Pre-Shared Key : T ype the passw[...]

  • Page 62

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 62 Figure 44 VPN for Configuration Provisioning Express Wizard: Sa ve • Rule Name : Identifies the VPN gatewa y policy . • Secure Gateway : Any displays in this field because it is no t configurable in this wizard. It allows incoming connections from the Z yWALL IPSec VPN C[...]

  • Page 63

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Se ries User’s Guide 63 Figure 45 VPN for Configuration Provision ing Express Wizard: Finish Click Close to exit the wizard. 4.4.5 VPN Settings for Configuratio n Provisioning Advanced Wizar d - Scenario Click the Advanced radio button as shown in the screen shown in Figure 41 on page 59 to displ [...]

  • Page 64

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 64 Rule Name : T ype the name used to identify this VPN connection (and VPN gateway). Y ou may use 1-31 alphanumeric char acters, underscores ( _ ), or dashes (-), but the first char acter cannot be a number . This value is case-sensitive. Application Scenario : Only the Remote[...]

  • Page 65

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Se ries User’s Guide 65 • Authentication Algorithm : MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. MD5 gives minimal security . SHA1 gives higher security and SHA256 gives the highest security . The stronger the alg orithm, the slowe[...]

  • Page 66

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 66 • Remote Policy (IP/Mask) : Any displays in this field because it is not configur able in this wizard. • Nailed-Up : This displays for the site-to-site and remo te access client role scenarios. Select this to have the Z yWALL automatically renegotiate the IPSec SA when t[...]

  • Page 67

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Se ries User’s Guide 67 VPN Connection screen. Enter the IP address of the Z yW A LL in the Z yWALL IPSec VPN Client to get all these VPN settings automatically from the Z yWALL. Figure 50 VPN for Configuration Provision ing Advanced Wizard: Finish Click Close to exit the wizard.[...]

  • Page 68

    Chapter 4 Quick Setup Wizards ZyWALL 110/310/1100 Series User’s Guide 68[...]

  • Page 69

    ZyWALL 110/310/1100 Se ries User’s Guide 69 C HAPTER 5 Dashboard 5.1 Overview Use the Dashboard screens to check status information about the Z yWALL. 5.1.1 What Y o u Can Do in this Chapter Use the Dashboard screens for the following. •U s e t h e m a i n Dashboard screen (see Section 5.2 on page 69 ) to see the ZyW ALL’s gener al device inf[...]

  • Page 70

    Chapter 5 Dashboard ZyWALL 110/310/1100 Series User’s Guide 70 Figure 51 Dashboard The following table describes the labels in this screen. T a ble 14 Dashboard LABEL DESCRIPTION Widget Setting (A) Use this link to open or cl ose widgets by select ing/clearin g the associate d che ckbox. Up Arrow (B) Cl ick this to coll apse a widget. It then bec[...]

  • Page 71

    Chapter 5 Dashboard ZyWALL 110/310/1100 Se ries User’s Guide 71 Device This field displays the name of the device connected to the USB port if one i s connected. Status This field displays the curre nt status of each interface or device installed in a slot. The possible values depend on wh at type of inte rface it is. Inactiv e - The Ethernet int[...]

  • Page 72

    Chapter 5 Dashboard ZyWALL 110/310/1100 Series User’s Guide 72 Boot Status This field di splays details about the Z yWALL’ s startup state. OK - The ZyW ALL started up su ccessfully . Firmware update OK - A firmware update w as successful. Problematic configuratio n after firmware update - The application of the configuration failed after a fir[...]

  • Page 73

    Chapter 5 Dashboard ZyWALL 110/310/1100 Se ries User’s Guide 73 Status This field displays the current stat us of ea ch interface. The possible v alues depend on what type of interface it is. For Ethernet interfaces: Inactiv e - The Ethernet interface is disabl ed. Down - The Ethe rnet interface does not have any physical ports associated with it[...]

  • Page 74

    Chapter 5 Dashboard ZyWALL 110/310/1100 Series User’s Guide 74 5.2.1 The CPU Usage Screen Use this screen to look at a chart of the Z yWALL’ s recent CPU usage. T o access this screen, click CPU Usage in the dashboard. Figure 52 Dashboard > CPU Usage The following table describes the labels in this screen. Logs This field displays whether a [...]

  • Page 75

    Chapter 5 Dashboard ZyWALL 110/310/1100 Se ries User’s Guide 75 5.2.2 The Memory Usage Screen Use this screen to look at a chart of the Z yWALL’ s recent memory (RAM) usage. T o access this screen, click Memory Usage in the dashboar d. Figure 53 Dashboard > Memory Usage The following table describes the labels in this screen. 5.2.3 The Activ[...]

  • Page 76

    Chapter 5 Dashboard ZyWALL 110/310/1100 Series User’s Guide 76 Figure 54 Dashboard > Session Usage The following table describes the labels in this screen. 5.2.4 The VPN St atus Screen Use this screen to look at the VPN tu nnels that are currently established. T o access this screen, click VPN Status in System Status in the dashboard. Figure 5[...]

  • Page 77

    Chapter 5 Dashboard ZyWALL 110/310/1100 Se ries User’s Guide 77 The following table describes the labels in this screen. 5.2.5 The DHCP T able Screen Use this screen to look at the IP addresses current ly assigned to DHCP clie nts and the IP addresses reserved for specific MAC addresses. T o access this screen, click DHCP Table in System Status i[...]

  • Page 78

    Chapter 5 Dashboard ZyWALL 110/310/1100 Series User’s Guide 78 5.2.6 The Number of Login Users Screen Use this screen to look at a list of the users currently logged into the Zy WALL. Users wh o close their browsers without logging out are still shown as logged in here. T o access this screen, click Number of Login Users in System Status in the d[...]

  • Page 79

    ZyWALL 110/310/1100 Se ries User’s Guide 79 C HAPTER 6 Monitor 6.1 Overview Use the Monitor screens to check status and statistics information. 6.1.1 What Y o u Can Do in this Chapter Use the Monitor screens for the following. •U s e t h e System Status > Port Statistics screen (see Section 6.2 on pag e 80 ) t o l oo k a t p a c ke t statist[...]

  • Page 80

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 80 6.2 The Port S t atistics Screen Use this screen to look at packet statistics for each Gigabit Ethernet port. T o access this screen, click Monitor > System St atus > Port Statistics . Figure 58 Monitor > System Status > P ort Statistics The following table describes the lab[...]

  • Page 81

    Chapter 6 Monitor ZyWALL 110/310/1100 Se ries User’s Guide 81 6.2.1 The Port S t atistics Graph Screen Use this screen to look at a line gr aph of packet statistics for each physical port. T o access this screen, click Port Statistics in the Status screen and then the Switch to Graphic View Button . Figure 59 Monitor > System Status > P ort[...]

  • Page 82

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 82 6.3 Interface S t atus Screen This screen lists all of the ZyW ALL’s interfaces and gives packet statistics for them. Click Monitor > System Status > Interface Status to access this screen.[...]

  • Page 83

    Chapter 6 Monitor ZyWALL 110/310/1100 Se ries User’s Guide 83 Figure 60 Monitor > System Status > Interface Status[...]

  • Page 84

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 84 Each field is described in the following table. T a ble 23 Monitor > System Status > Interface Status LABEL DESCRIPTION Interface Status If an Ethern et interface does not have any ph ysical ports associated with it, its entry is displayed in light gr ay text. Expand/Close Click t[...]

  • Page 85

    Chapter 6 Monitor ZyWALL 110/310/1100 Se ries User’s Guide 85 Status The activ ate (light bulb) icon is lit when the en try is active and dim med when the entry is inactive. Zone This field displays the zone to which the interfa ce i s assigned. IP Address This is the IP address o f the interface. If the interface is active (and conn ected), the [...]

  • Page 86

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 86 6.4 The T raffic St atistics Screen Click Monitor > System Status > Traffic Statist ics to display the Traffic Statistics screen. This screen provides basic information about the following for example: • Most- visited Web sites and the number of times each one was visited. This [...]

  • Page 87

    Chapter 6 Monitor ZyWALL 110/310/1100 Se ries User’s Guide 87 • LAN IP with heaviest tr affic and how much traffic has been sent to and from each one Y ou use the Traffic Statistics screen to tell the Zy W ALL when to start and when to stop collecting information for these reports. Y ou cannot schedule data collection; you have to start and sto[...]

  • Page 88

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 88 T raffic T ype Select the type of report to display . Choices are: Host IP Address/User - display s the IP addresse s or users with the most tr affic and how much traffic has been sent to and from each one. Service/Port - displays the most-used protocols or service ports and the amount [...]

  • Page 89

    Chapter 6 Monitor ZyWALL 110/310/1100 Se ries User’s Guide 89 The following table displays the maximum number of records shown in the report, the byte count limit, and the hit count limit. 6.5 The Session Monitor Screen The Session Monitor screen displays all established sessions that pass through the Z yWALL for debugging or statistical analysis[...]

  • Page 90

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 90 The following table describes the labels in this screen. T a ble 26 Monitor > System Status > Session Monitor LABEL DESCRIPTION View Select how you want the established sessions that passed through the ZyWALL to be displayed. Choices are: sessions by users - display all active ses[...]

  • Page 91

    Chapter 6 Monitor ZyWALL 110/310/1100 Se ries User’s Guide 91 6.6 The DDNS S t atus Screen The DDNS Status screen shows the status of the ZyW ALL’ s DDNS domain names. Click Monitor > System Status > DDNS St atus to open the following screen. Figure 63 Monitor > System Status > DDNS Statu s The following table describes the labels i[...]

  • Page 92

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 92 The following table describes the labels in this screen. 6.8 The Login Users Screen Use this screen to look at a list of the users curre ntly logged into the ZyW ALL. T o access this screen, click Monitor > System St at us > Login Users . Figure 65 Monitor > System Status > [...]

  • Page 93

    Chapter 6 Monitor ZyWALL 110/310/1100 Se ries User’s Guide 93 6.9 Cellular S t atus Screen This screen displays your 3G connection status. Click Monit or > System Stat us > Cellu lar Status to display this screen. Figure 66 Monitor > System Status > Cellular Status The following table describes the labels in this screen. User Info Thi[...]

  • Page 94

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 94 Status No device - no 3G device is co nnected to the Z yWALL. No Service - no 3G network is a vailable in the area; you cannot connect to the Internet. Limited Service - returned by the service provid er in cases where the SIM card is expired, the user failed to pay for the se rvice and[...]

  • Page 95

    Chapter 6 Monitor ZyWALL 110/310/1100 Se ries User’s Guide 95 6.9.1 More Information This screen displays more information on your 3G, such as the signal strength, IMEA/ESN and IMSI that helps identify your 3G device and SIM card. Cli ck Monitor > System St atus > More Information to display this screen. Note: This screen is only available [...]

  • Page 96

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 96 6.10 USB S torage Screen This screen displays information about a connected USB stor age device. Click Monitor > System Status > USB Storage to display this screen. Figure 68 Monitor > System Status > U SB Storage The following table describes the labels in this screen. Devi[...]

  • Page 97

    Chapter 6 Monitor ZyWALL 110/310/1100 Se ries User’s Guide 97 6.1 1 The IPSec Monitor Screen Y ou can use the IPSec Monitor screen to display and to manage active IPSec T o access this screen, click Monitor > VPN Monitor > IPSec . The following screen appears. SAs. Click a column’ s heading cell to sort the table entries by that column’[...]

  • Page 98

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 98 Each field is described in the following table. 6.1 1.1 Regular Expressions in Searching IPSec SAs A question mark (?) lets a single character in th e VPN connection or policy name v ary . For example, use “a?c” (without the quotation marks) to specify abc, acc and so on. Wildcards [...]

  • Page 99

    Chapter 6 Monitor ZyWALL 110/310/1100 Se ries User’s Guide 99 The whole VPN connection or policy nam e has to match if you do not use a question mark or asterisk. 6.12 The SSL Connection Monitor Screen The Z yWALL k eeps track of the users who are curre ntly logged into the VPN SSL client Click Monitor > VPN Monitor > SSL to display the use[...]

  • Page 100

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 100 Figure 71 Monitor > VPN Monitor > L2TP over IPSec The following table describes the fields in this screen. 6.14 Log Screen Log messages are stored in two separate logs, one for regular log message s and one for debugging messages. In the regular log, you can look at all the log m[...]

  • Page 101

    Chapter 6 Monitor ZyWALL 110/310/1100 Se ries User’s Guide 101 Figure 72 Monitor > Log The following table describes the labels in this screen. T a ble 36 Monitor > Log LABEL DESCRIPTION Show Filt er / Hide Filter Click this button to show or hide the filter se ttings. If the filter settings are h idden, the Display , Email Log Now , Refres[...]

  • Page 102

    Chapter 6 Monitor ZyWALL 110/310/1100 Series User’s Guide 102 The W eb Configurator saves the filter settings if y ou leave the View Log screen and return to it later . Email Log Now Clic k this button to se nd lo g message( s) t o th e Active e-mail address(es) spec ified in the Send Log To field on the Log Settings page (see Section 38.3.2 on p[...]

  • Page 103

    ZyWALL 110/310/1100 Se ries User’s Guide 103 C HAPTER 7 Interfaces 7.1 Interface Overview Use the Interface screens to configure the ZyW ALL’s interfaces. Y ou can also create interfaces on top of other interfaces. • Ports are the physical ports to which you connect cables. • Interfaces are used within the system operationally . Y ou use th[...]

  • Page 104

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 104 • An interface is a logical entity through which (lay er-3) packets pass. • An interface is bound to a physical po rt or another interface. • Many interfaces can share the same ph ysical port. • An interface belongs to at most one zone. • Many interfaces can belong to the [...]

  • Page 105

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 105 - * The format of interface names other than the Ethernet and p pp interface names is strict. Each nam e consists of 2-4 letters (interface type), followed by a number ( x ) . For most interfaces, x is limited by the maximum number of the type of interface. For VLAN interfaces, x i[...]

  • Page 106

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 106 * - Y ou cannot set up a PPP interface, virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge. Y ou also cann ot add an Ethernet interface or VLAN interface to a bridge if t he member interface has a virtual interface or PPP interfa[...]

  • Page 107

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 107 St ateless Autoconfiguration With stateless autoconfiguration in IPv6, addresse s can be uniquely and automatically generated. Unlike DHCPv6 (Dynamic Host Configuration Protocol version six) which is used in IPv6 stateful autoconfiguration, the o wner and status of addr esses don?[...]

  • Page 108

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 108 7.1.3 What Y ou Need to Do First For IPv6 settings, go to the Con figuration > System > IPv6 screen to enable IPv6 support on the Z yWA LL first. 7.2 Port Role Screen T o access this screen, click Configuration > Network > Interface > Port Role . Use the Port Role scr[...]

  • Page 109

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 109 Click Reset to change the port groups to their current configuration (last-sav ed values). 7.3 Ethernet Summary Screen This screen lists every Ethernet interface and virtual interface created on top of Ethernet interfaces. If you enabled IPv6 in the Configuration > System > I[...]

  • Page 110

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 11 0 Each field is described in the following table. 7.3.1 Ethernet Edit The Ethernet Edit scree n lets you configure IP address assignment, interface parameters, RIP settings, OSPF settings, DHCP se ttings, connectivity check, and MAC address settings. T o access this screen, click an [...]

  • Page 111

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 111 • Select which direction(s) routing information is exchanged - The Z yWALL can receive routing information, send routing information, or do both. • Select which version of RIP to support in each direction - The Z yW ALL supports RIP-1, RIP-2, and both versions. • Select the b[...]

  • Page 112

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 11 2 Figure 75 Configuration > Network > In terface > Ethernet > E dit (External T ype)[...]

  • Page 113

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 11 3 Figure 76 Configuration > Network > In terface > Ethernet > Edit (Internal T ype)[...]

  • Page 114

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 11 4 Figure 77 Configuration > Network > In terface > Ethernet > Edit (OPT)[...]

  • Page 115

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 11 5 This screen’ s fields are described in the table below. T a ble 41 Conf iguration > Networ k > Interfa ce > Ethernet > E dit LABEL DESCRIPTION IPv4/IPv 6 View / IPv4 View / IPv6 View Use this button to display bo th IPv4 and IPv6, IPv4-only , or IPv6-only configurati[...]

  • Page 116

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 11 6 Subnet Mask Enter the subnet mask of this interface in dot deci mal notation . The subnet m ask indicates what part of the IP address is the same for all computers in the network. Gateway This option appears whe n Interface Type is external or general . Enter the IP address of the [...]

  • Page 117

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 11 7 Address This fiel d displays the co mbin ed IPv6 IP address for this interface. Note: This field displays the combined address after you click OK and reopen this screen. DHCPv6 Setting DUID This field displays the DHCP Unique IDenti fier (DUID) of the in terface, which is unique a[...]

  • Page 118

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 11 8 Advertised Hosts Get Other Configur ation From DHCPv6 Select this to have t he ZyW ALL indicate to hosts to obtain DNS information through DHCPv6. Clear this to h ave the ZyW ALL indic ate to ho sts that DNS information is not av ailable i n this network. Rou t e r Prefer ence Sele[...]

  • Page 119

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 11 9 Egress Bandwidth Enter the maximum amount of tr affic, in kilobits per second, the ZyWALL can send through the interface to t he network. Allowed v alues are 0 - 1048576. Ingress Bandwidth This is reserved for future use. Enter the maximum amount of tr affic, in ki lobits per seco[...]

  • Page 120

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 120 IP Pool Start Address Enter the IP address from whic h the Z yWALL begins allocating IP addresses. If you want to assign a static IP address to a spec ific computer , use the Static DHCP Table . If this field is blank, the Pool Size must also be blank. In this case, the Z yWALL can [...]

  • Page 121

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 121 Enable IP/MAC Binding Selec t this option to have this in terface enforce l inks between spec ific IP addresses an d specific MAC addresse s. This stops any o ne else from manually using a bound IP address on another device conn ected to this inte rfa ce. Use this to make use only [...]

  • Page 122

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 122 7.3.2 Object References When a configuration screen includes an Object Reference icon, select a configuration object and click Object Re ference to open the Object References screen. This screen displays which configuration settings reference the selected object. The fields shown v [...]

  • Page 123

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 123 Figure 78 Object Referen ces The following table describes labels that can appear in this screen. 7.3.3 Add/Edit DHCPv6 Request/Release Options When you configure an interface as a DHCPv6 serv er or client, you can ad ditionally add DHCPv6 request or lease options which hav e the Z[...]

  • Page 124

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 124 Select a DHCPv6 request or lease object in the Select one object field and click OK to save it. Click Cancel to exit without saving the setting. 7.3.4 Add/Edit DHCP Extended Options When you configure an interface as a DHCPv4 se rver , you can additiona lly add DHCP extended options[...]

  • Page 125

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 125 The following table lists the available DHCP extend ed options (defined in RFCs) on the ZyW ALL. See RFCs for more information. 7.4 PPP Interfaces Use PPPoE/PPTP interfaces to connect to your ISP . This way , you do not have to install or manage PPPoE/PPTP software on each computer[...]

  • Page 126

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 126 Figure 81 Example : PPPoE/PPTP Interfaces PPPoE/PPTP interfaces are similar to other interfac es in some ways. They have an IP address, subnet mask, and gateway used to mak e routing decisions; they restrict bandwidth and packet size; and they can verify the gatewa y is availabl e. [...]

  • Page 127

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 127 Each field is described in the table below . 7.4.2 PPP Interface Add or Edit Note: Y ou have to set up an ISP account before you create a PPPoE/PPTP interface. This screen lets you configure a PPP oE or PPTP interface. If you enabled IPv6 in the Configuration > System > IPv6 [...]

  • Page 128

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 128 Figure 83 Configuration > Network > In terface > PPP > Add[...]

  • Page 129

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 129 Each field is explained in the following table. T a ble 46 Conf iguration > Netwo r k > Interf ace > PPP > Add LABEL DESCRIPTION IPv4/IPv 6 View / IPv4 View / IPv6 View Use this button to display bo th IPv4 and IPv6, IPv4-only , or IPv6-only configuration fields. Show A[...]

  • Page 130

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 130 IP Address This field is en abled if you sele ct Use Fixed IP Address . Enter the IP address for this interface. Metric Enter the priority of the gate way (the ISP) on this interfac e. The ZyW ALL decides which gateway to use based on this priority . The lo wer the number , the high[...]

  • Page 131

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 131 Enable Rapid Commit Select this to shorten the DHCPv6 me ssage exchange process from four to two steps. This function helps reduce heavy network t raffic load. Note: Make sure you also ena ble this option in th e DHCPv6 clients to make rapid commit work. Request Address Select this[...]

  • Page 132

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 132 7.5 Cellular Configuration Screen (3G) 3G (Third Generation) is a digital, packet -s witched wireless technology . Bandwidth usage is optimized as multiple users share the same channe l and bandwidth is only allocated to users when t h e y s e n d d a t a . I t a l l o w s f a st t [...]

  • Page 133

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 133 Aside from selecting the 3G network, the 3G card ma y also select an available 2.5G or 2.75G network automatically . See the following table fo r a comparison between 2G, 2.5G, 2.75G and 3G of wireless technologies. T o change your 3G WAN settings, click Configuration > Network [...]

  • Page 134

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 134 Figure 84 Configuration > Network > Interface > Cellular The following table describes the labels in this screen. 7.5.1 Cellular Add/Edit Screen T o change your 3G settings, click Configuration > Network > Interface > Cellular > Add (or Edit ). In the pop-up win[...]

  • Page 135

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 135 Figure 85 Configuration > Network > In terface > Cellular > Add[...]

  • Page 136

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 136 The following table describes the labels in this screen. T a ble 49 Co nf iguration > Net wo rk > Interface > Cellular > Add LABEL DESCRIPTION Show Adv anced Settings / Hide Adv anced S etting s Click this button to display a greater or lesser number of configuration fie[...]

  • Page 137

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 137 User Name This field displays when you se lect an authentication type other than None . This field is read-only if you selected Device in the profile se lection. If this fiel d is configur able, enter the user name for this 3G card exactly as the service provider ga ve it to you. Y[...]

  • Page 138

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 138 Check Perio d Enter the numbe r of seconds between connection chec k at tempts. Check Timeout Enter the number of seconds to wait for a response before the attempt is a fail ure. Check F ail To l e r a n c e Enter the number of consec utiv e failure s before the Z yWALL stops routin[...]

  • Page 139

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 139 Network Selection Home network is th e network to which you are originally subsc ribed. Select Home to have the 3G device connect only to the home network. If the home network is down, the ZyW AL L’s 3G Inte rnet connection is also unavailable. Select Auto (Default) to all ow the[...]

  • Page 140

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 140 7.6 T unnel Interfaces The Z yW ALL uses tunnel interfaces in Generic R out ing Encapsulation (GRE), IPv6 in IPv4, and 6to4 tunnels. GRE T unneling GRE tunnels encapsulate a wide v ariety of network lay er protocol packet types inside IP tu nnels. A GRE tunnel serves as a virtual po[...]

  • Page 141

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 141 • your Z yWALL has a public IPv4 IP address given from y our ISP , and • you want to transmit your IPv6 packets to on e and only one remote site whose LAN network is also an IPv6 network. With this mode, the Z yWALL enca psulates IPv6 packets within IPv4 packets across the Inte[...]

  • Page 142

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 142 Figure 89 6to4 T unnel 7.6.1 Configuring a T unnel This screen lists the Z yW A LL’ s configured tunn el interfaces. T o access this screen, click Network > Interface > Tunnel . Figure 90 Network > Interface > T unnel Each field is explained in the following table. Int[...]

  • Page 143

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 143 7.6.2 T unnel Add or Edit Screen This screen lets you configure a tunnel interface. Click Configuration > Net work > Inte rface > Tunnel > Add (or Edit ) to open the following screen. Status The activate (light bu lb) icon is lit wh en the en try is ac tive an d dimmed [...]

  • Page 144

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 144 Figure 91 Network > Interface > T unnel > Add/Edit Each field is explained in the following table. T a ble 51 Network > Interface > T unnel > Add/Edit LABEL DESCRIPTION Show Adv anced Settings / Hide Adv anced S etting s Click this button to display a greater or le[...]

  • Page 145

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 145 T unnel Mode Select the tunnelin g protocol of the interface ( GRE , IPv6-in-IPv4 or 6to4 ). See Section 7.6 on page 140 for more information. IP Address Assignme nt This section is av ailable if you are config uring a GRE tunnel. IP Address Enter the IP a ddress for this interface[...]

  • Page 146

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 146 Interface Para me t er s Egress Bandwidth Enter the maximum amount of tr affic, in kilobits per second, the ZyWALL can send through the interface to t he network. Allowed v alues are 0 - 1048576. This setting is used in WAN load balancin g and bandwidth management. Ingress Bandwidth[...]

  • Page 147

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 147 7.7 VLAN Interfaces A Virtual Local Area Netw ork (VLAN) divides a phys ical network into multiple logical networks. The standard is defined in IEEE 802.1q. Figure 92 Example: Bef ore VLAN In this example, there are two phys ical networks and three departments A , B , and C . The p[...]

  • Page 148

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 148 This approach provides a few adv antages. • Increased performance - In VLAN 2, the extra switch should route traffic inside the sales department faster than the router does. In addition, broadcasts are limited to smaller , more logical groups of users. • Higher security - If eac[...]

  • Page 149

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 149 Figure 94 Configuration > Network > In terface > VLAN Each field is explained in the following table. T a ble 52 Co nf iguration > Netwo r k > Interf ace > VLAN LABEL DESCRIPTION Configur atio n / IPv6 Configur atio n Use the Configuration section for IPv4 netw or[...]

  • Page 150

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 150 7.7.2 VLAN Add/Edit This screen lets you configure IP address assi gnment, interface bandwidth par amete rs, DHCP settings, and connectivity check for each VLAN interface. T o access this screen, click the Create Virtual Interface icon in the VLAN Summary screen. The following scree[...]

  • Page 151

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 151 Figure 95 Configuration > Network > In terface > VLAN > Create Virtual Interface[...]

  • Page 152

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 152 Each field is explained in the following table. T a ble 53 Conf iguration > Netwo r k > Interf ace > VLAN > Create Virtual I nterface LABEL DESCRIPTION IPv4/IPv 6 View / IPv4 View / IPv6 View Use this button to display bo th IPv4 and IPv6, IPv4-only , or IPv6-only config[...]

  • Page 153

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 153 Gateway This field is en abled if you sele ct Use Fixed IP Address . Enter the IP address of the gateway . The ZyW ALL sends packet s to the gateway wh en it d o e s n o t k n o w h ow t o r o u t e t h e p a c k e t t o i t s de stination. The gat eway should be on the same networ[...]

  • Page 154

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 154 DHCPv6 Setting DUID This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique and used for identification purposes wh en the interface is exchanging DHCPv6 messages with others. See DHCPv6 on page 107 for more i nformation. DUID as MAC Select th is to h[...]

  • Page 155

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 155 Rou t e r Prefer ence Select the router preferenc e ( Low , Mediu m or High ) for the interface. The interface sends this preference in th e router advertisements t o tel l hosts what preference th ey should use for the Z yWALL. Th is helps hosts to choo se thei r default router es[...]

  • Page 156

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 156 MTU Maximum T ransmission Uni t. T ype the m a xim um size of each data packet, i n bytes, that can move through this interface. If a la rger packet arrives, the Z yWALL divides it into smaller fr agments. Allowed v alues are 576 - 1500. Usual ly , this value is 1500. Connectivity C[...]

  • Page 157

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 157 Poo l Size Enter the number of IP addresses to al locate. This number must be at least one and is limited by the interface’ s Subne t Mask . For example, if the Subnet Mask is 255.255.255.0 and IP Pool Start Address is 10.10.10.10, the Z yWALL can allocate 10.10.10.10 to 10.10.10[...]

  • Page 158

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 158 Add Click this to cre ate a new entry . Edit Select an entry and click th is to be able to modif y it. Re move Select an entry and click th is to delete it. # This field is a sequential value, and it is not associated with a specific entry . IP Address Enter the IP address to assign[...]

  • Page 159

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 159 7.8 Bridge Interfaces This section introduces bridges and bridge interf aces and then explains the screens for bridge interfaces. Bridge Overview A bridge creates a connection between two or more network segments at the layer -2 (MAC address) lev el. In the following example, bridg[...]

  • Page 160

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 160 If computer B responds to computer A, bridge X records the source address 0B:0B:0B:0B:0B:0B and port 4 in the table. It also looks up 0A:0A:0A:0A:0A:0A in the table and sends the packet to port 2 accordingly . Bridge Interface Overview A bridge interface creates a software bridge be[...]

  • Page 161

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 161 Figure 96 Configuration > Network > In terface > Bridge Each field is described in the following table. T a ble 57 Conf iguration > Networ k > Interf a ce > Bridge LABEL DESCRIPTION Configur ation / IPv6 Configur ation Use the Configuration section for IPv4 netw o[...]

  • Page 162

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 162 7.8.2 Bridge Add/Edit This screen lets you configure IP address assi gnment, interface bandwidth par amete rs, DHCP settings, and connectivity check for each bridge interface. T o access this screen, click the Create Virtual Interface icon in the Bridge Summary screen. The following[...]

  • Page 163

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 163 Figure 97 Configuration > Network > In terface > Bridge > Create Virtual Interface[...]

  • Page 164

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 164 Each field is described in the table below . T a ble 58 Co nf iguration > Netwo r k > Interf ace > Bridge > Create Virtual Interface LABEL DESCRIPTION IPv4/IPv 6 View / IPv4 View / IPv6 View Use this button to display bo th IPv4 and IPv6, IPv4-only , or IPv6-only configu[...]

  • Page 165

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 165 IP Address This field is en abled if you sele ct Use Fixed IP Address . Enter the IP address for this interface. Subnet Mask This field is enabled if yo u se lect Use Fixed IP Address . Enter the subnet mask of th is interface in dot decimal notation. The su bnet mask indicates wha[...]

  • Page 166

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 166 Suffix Address Enter the ending part of th e IPv6 address, a slash (/), a nd th e prefix length. Th e Z yWALL will append it to the delegated prefix . For e xample, you got a dele gated prefi x of 2003: 1234:5678/4 8. Y ou want to configure an IP address of 2003:1234: 5678:1111::1 /[...]

  • Page 167

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 167 Advertised Hosts Get Network Configur ation From DHCPv6 Select this to have t he ZyW ALL indicate to ho sts to obtain ne twork settings (such as prefix and DNS settin gs) through DHCPv6. Clear this to hav e the ZyW ALL indicate to hosts that DHCPv6 is not av ailable and they should[...]

  • Page 168

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 168 Address This is the final network prefix comb ined by the selecte d de legated prefix and the suffix. Note: This field displays the combined address after you click OK and reopen this screen. Interface Para me t er s Egress Bandwidth Enter the maximum amount of tr affic, in kilobits[...]

  • Page 169

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 169 First WINS Server , Second WINS Server T ype the IP address of the WINS (Windows Internet Naming Servic e) server that y ou want to send to the DHCP cl ients. The WINS serv er keeps a mapping table of the computer names o n your network and the IP addresses th at they are currently[...]

  • Page 170

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 170 7.9 V irtual Interfaces Use virtual interfaces to tell t he Zy WALL where to route packets. Virtual interfaces can also be used in VPN gateways (see Chapter 20 on page 281 ) and VRRP groups (see Chapter 26 on page 359 ). Virtual interfaces can be created on top of Et hernet interfac[...]

  • Page 171

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 171 7.9.1 V irtual Interfaces Add/Edit This screen lets you configure IP address assignment and interface parameters for virtual interfaces. T o acce ss this screen, click the Create Virtual Interf ace icon in the Ethernet, VLAN, or bridge interface summary screen. Figure 98 Configurat[...]

  • Page 172

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 172 7.10 Interface T echnical Reference Here is more detailed information about interfaces on the ZyW ALL. IP Address Assignment Most interfaces have an IP addre ss and a subnet ma sk. This information is used to create an entry in the routing table. Figure 99 Example: Entry in the Rout[...]

  • Page 173

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 173 In the example abo v e, if the Z yW A LL gets a pac k e t with a destination address of 5.5.5 .5, it mig ht not find any entries in the routing table. In this case, the pack et is dropped. However , if there is a default router to which the ZyW ALL should send th is packet, you can[...]

  • Page 174

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 174 In the Z yW ALL, some interfaces can provide DHCP services to the network. In this case, the interface can be a DHCP relay or a DHCP server . As a DHCP relay , the interface routes DHCP requ ests to DHCP servers on different networks. Y ou can specify more than one DHCP server . If [...]

  • Page 175

    Chapter 7 Interfaces ZyWALL 110/310/1100 Se ries User’s Guide 175 PPPoE/PPTP Overview Po int-to-P oint Protocol over Ethernet (PPP oE, RFC 2516) and Point -to-Point T unneling Protocol (PPTP , RFC 26 37) are usually used to connect two computers over phone lines or broadband connections. PPP oE is often used with cable modems and DSL connections.[...]

  • Page 176

    Chapter 7 Interfaces ZyWALL 110/310/1100 Series User’s Guide 176[...]

  • Page 177

    ZyWALL 110/310/1100 Se ries User’s Guide 177 C HAPTER 8 Trunk 8.1 Overview Use trunks for WAN tr affic load balancing to increase over all network throughput and reliability . Load balancing divides traffic loads between multiple interfaces. This allows you to improve quality of service and maximize bandwidth utilization for multiple ISP links. M[...]

  • Page 178

    Chapter 8 Trunk ZyWALL 110/310/1100 Series User’s Guide 178 • If that interface’ s connection goes down, the ZyW ALL can still send its traffic through another interface. • Y ou can define multiple trunks for the same phy sical interfaces. Link Sticking Y ou can have the Z yWALL send each local computer’ s traffic that is going to the sam[...]

  • Page 179

    Chapter 8 Trunk ZyWALL 110/310/1100 Se ries User’s Guide 179 Figure 101 Least Load First Example The outbound bandwidth utilization is used as th e load balancing index. In this example, the measured (current) outbound throughput of WAN 1 is 412K and WAN 2 is 198K. The Z yWALL calculates the load balancing index as shown in the table below . Sinc[...]

  • Page 180

    Chapter 8 Trunk ZyWALL 110/310/1100 Series User’s Guide 180 Spillover The spillover load balancing algorithm sends networ k tr affic to the first interface in the trunk member list until the interface’ s maximum allowa ble load is reached, then sends the excess network traffic of new sessions to the n ext interface in the trunk member list. Thi[...]

  • Page 181

    Chapter 8 Trunk ZyWALL 110/310/1100 Se ries User’s Guide 181 The following table describes the items in this screen. 8.2.1 Configuring a User-Defined T runk Click Conf iguration > Networ k > Interface > Trunk , in the User Configuration table click the Add (or Edit ) icon to open the fo llowing screen. Use this screen to create or edit a[...]

  • Page 182

    Chapter 8 Trunk ZyWALL 110/310/1100 Series User’s Guide 182 Figure 105 Configuration > Net work > Interf ace > T runk > Add (or Edit) Each field is described in the table below . T a ble 65 Conf iguration > N e t wo rk > Interf ace > T runk > Add (or Edi t ) LABEL DESCRIPTION Name This is read-only if you are editing an ex[...]

  • Page 183

    Chapter 8 Trunk ZyWALL 110/310/1100 Se ries User’s Guide 183 8.2.2 Configuring th e System Default T runk In the Configuration > Network > Interface > Trunk screen and the System Default section, select the default trunk entry and click Edit to open the following screen. Use this screen to change the load balancing algorithm and view the[...]

  • Page 184

    Chapter 8 Trunk ZyWALL 110/310/1100 Series User’s Guide 184 Figure 106 Configuration > Network > Interface > T runk > Edit (System Default) Each field is described in the table below . T a ble 66 Configuration > Network > Interface > T runk > Edit (System Default) LABEL DESCRIPTION Name This field displa ys the name of the[...]

  • Page 185

    Chapter 8 Trunk ZyWALL 110/310/1100 Se ries User’s Guide 185 Spillover This field di spl ays with the spillove r load balancin g al gorithm. Speci fy the maxim um bandwidth of tr affic in kilobits per second ( 1~1048576) to send out through the interface before using anot her interface. When this spillover bandwidth lim it is exceeded, the ZyWALL[...]

  • Page 186

    Chapter 8 Trunk ZyWALL 110/310/1100 Series User’s Guide 186[...]

  • Page 187

    ZyWALL 110/310/1100 Se ries User’s Guide 187 C HAPTER 9 Policy and Static Routes 9.1 Policy and S t atic Routes Overview Use policy routes and static routes to override the Z yWALL’ s default routing behavior in order to send packets through the appropriate interface or VPN tunnel. For example, th e next figure shows a computer ( A ) connected [...]

  • Page 188

    Chapter 9 Policy and Stati c Routes ZyWALL 110/310/1100 Series User’s Guide 188 9.1.2 What Y ou Need to Know Policy Routing T raditionally , routing is based on the destination address only and the Z yW ALL takes the shortest path to forward a pack et. IP Policy R outing (IPPR) provides a mechanism to override the default routing behavior and alt[...]

  • Page 189

    Chapter 9 Policy and Static Routes ZyWALL 110/310/1100 Se ries User’s Guide 189 DiffServ (Differentiated Services) is a class of se rv ice (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-com pliant network devices along the route base d on the application types and traffic flow . Pack ets are mark ed wit[...]

  • Page 190

    Chapter 9 Policy and Stati c Routes ZyWALL 110/310/1100 Series User’s Guide 190 Figure 108 Configuration > Network > R outing > P olicy Route The following table describes the labels in this screen. T a ble 67 Configuration > Network > Routing > P olicy Route LABEL DESCRIPTION Show Adv anced Settings / Hide Adv anced S etting s [...]

  • Page 191

    Chapter 9 Policy and Static Routes ZyWALL 110/310/1100 Se ries User’s Guide 191 9.2.1 Policy Route Edit Screen Click Configuration > Network > Routin g to o pe n t h e Polic y Route screen. Then click the Add or Edit icon in the IPv4 Conf iguration or IPv6 Configuration section. The Add Policy Route or Policy Route Edit screen opens. Use th[...]

  • Page 192

    Chapter 9 Policy and Stati c Routes ZyWALL 110/310/1100 Series User’s Guide 192 Figure 109 Configuration > Network > R outing > P olicy Route > Add/Edit (IPv4 Configur a t ion)[...]

  • Page 193

    Chapter 9 Policy and Static Routes ZyWALL 110/310/1100 Se ries User’s Guide 193 Figure 1 10 Configuration > Network > R outing > Polic y R oute > Add/Edit (IPv6 Configuration) The following table describes the labels in this screen. T a ble 68 Configuration > Network > Routing > P olicy Route > Add/Edit LABEL DESCRIPTION S[...]

  • Page 194

    Chapter 9 Policy and Stati c Routes ZyWALL 110/310/1100 Series User’s Guide 194 DSCP Code Select a DSCP code point valu e of incoming packets to which this policy route appl ies or select User Def ine to specify another DS CP code point. The lower the num ber the higher the priority with the exception of 0 whic h is usually given only best-effort[...]

  • Page 195

    Chapter 9 Policy and Static Routes ZyWALL 110/310/1100 Se ries User’s Guide 195 9.3 IP S t atic Route Screen Click Configuration > Network > Routing > Static Route to open the Static Route screen. This screen displays the configured static routes. Co nfigure static routes to be able to use RIP or OSPF to propagate the routing information[...]

  • Page 196

    Chapter 9 Policy and Stati c Routes ZyWALL 110/310/1100 Series User’s Guide 196 The following table describes the labels in this screen. 9.3.1 St atic Route Add/Edit Screen Select a static route index number and click Add or Edit . The screen shown next appears. Use this screen to configure the required information for a static route. Figure 1 12[...]

  • Page 197

    Chapter 9 Policy and Static Routes ZyWALL 110/310/1100 Se ries User’s Guide 197 The following table describes the labels in this screen. 9.4 Policy Routing T echnical Reference Here is more detailed information about some of the features you can configure in policy routing. NA T and SNA T NA T (Network Address T ranslation - NA T , RFC 1631) is t[...]

  • Page 198

    Chapter 9 Policy and Stati c Routes ZyWALL 110/310/1100 Series User’s Guide 198 the following twelve DSCP encodings from AF11 through AF43. The decimal equivalent is listed in brackets. Maximize Bandwid th Usage The maximize bandwidth usage option allows the Z y WALL to divide up any available bandwidth on the interface (including unallocated ban[...]

  • Page 199

    ZyWALL 110/310/1100 Se ries User’s Guide 199 C HAPTER 10 Routing Protocols 10.1 Routing Protocols Overview R outing protocols give the Z yWALL routing information about the network from other routers. The Z yWALL stores this ro uting information in the routing table it uses to make routing decisions. In turn, the Z yWALL can also use routing prot[...]

  • Page 200

    Chapter 10 Routing Protoc ol s ZyWALL 110/310/1100 Series User’s Guide 200 its routes asynchronously to the network and con verges slowly . Therefore, RIP is more suitable for small networks (up to 15 routers). • In the Z yW ALL, you can configure two sets of RIP settings before you can use it in an interface. •F i r s t , t h e Authenticatio[...]

  • Page 201

    Chapter 10 Routing Protocols ZyWALL 110/310/1100 Se ries User’s Guide 201 10.3 The OSPF Screen OSPF (Open Shortest P ath First, RFC 2328) is a link -state protocol designed to distribute routing information within a group of networks, called an Autonomous System (AS). OSPF of fers some advantages ov er vector -space routing protocols like RIP . ?[...]

  • Page 202

    Chapter 10 Routing Protoc ol s ZyWALL 110/310/1100 Series User’s Guide 202 • A normal area is a group of ad jacent networks. A normal area has routing information about the OSPF AS, an y networks outside the OSPF AS to wh ich it is directly connected, and an y networks outside the OSPF AS that provide routing information to any area in th e OSP[...]

  • Page 203

    Chapter 10 Routing Protocols ZyWALL 110/310/1100 Se ries User’s Guide 203 • An Autonomous Sy stem Boundary R outer (ASBR) exch anges routing information with routers in networks outside the OSPF AS. Th is is called redistribution in OSPF . • A backbone router (BR) has at least one interface with area 0. By default, every router in area 0 is a[...]

  • Page 204

    Chapter 10 Routing Protoc ol s ZyWALL 110/310/1100 Series User’s Guide 204 Figure 1 17 OSPF: Virtual Link In this example, area 100 does not have a dire ct connection to the backbone. As a result, you should set up a virtual link on both ABR in area 10. The virtual link becomes the connection between area 100 and the backbone. Y ou cannot create [...]

  • Page 205

    Chapter 10 Routing Protocols ZyWALL 110/310/1100 Se ries User’s Guide 205 Figure 1 18 Configuration > Network > R outing > OSPF The following table describes the labels in this screen. See Section 10.3.2 on page 206 for more information as well. T a ble 75 Configuration > Network > R outing Protocol > OSPF LABEL DESCRIPTION OSPF[...]

  • Page 206

    Chapter 10 Routing Protoc ol s ZyWALL 110/310/1100 Series User’s Guide 206 10.3.2 OSPF Area Add/Edit Screen The OSPF Are a Add/Edit screen allows you to create a new area or edit an existing one. T o access this screen, go to the OSPF summary screen (see Section 10.3 on page 201 ), and click either the Add icon or an Edit icon. Figure 1 19 Config[...]

  • Page 207

    Chapter 10 Routing Protocols ZyWALL 110/310/1100 Se ries User’s Guide 207 The following table describes the labels in this screen. T a ble 76 Conf iguration > Net wo rk > Routing > OSPF > Add LABEL DESCRIPTION Area ID T ype the uniqu e, 32-bit identifi er for the area in IP address format. T ype Select the type of OSPF area. Normal - [...]

  • Page 208

    Chapter 10 Routing Protoc ol s ZyWALL 110/310/1100 Series User’s Guide 208 10.3.3 V irtual Link Add/Edit Screen The Virtual Link Add/Edit screen allows you to create a new vi rtual link or edit an existing one. When the OSPF add or edit screen (see Section 10.3 .2 on page 206 ) has the T ype set to Normal, a Virtual Link table displays. Click eit[...]

  • Page 209

    Chapter 10 Routing Protocols ZyWALL 110/310/1100 Se ries User’s Guide 209 Authentication T ypes Authentication is used to guarantee the integrit y , but not the confidentialit y , of routing updates. The transmitting router uses its key to encrypt the original message into a smaller message, and the smaller message is transmitted with the origina[...]

  • Page 210

    Chapter 10 Routing Protoc ol s ZyWALL 110/310/1100 Series User’s Guide 210[...]

  • Page 211

    ZyWALL 110/310/1100 Se ries User’s Guide 21 1 C HAPTER 11 Zones 1 1.1 Zones Overview Set up zones to configure network security and network policies in the Z yWALL. A zone is a group of interfaces and/or VPN tunnels. The ZyW ALL uses zo nes instead of interfaces in man y security and policy settings, such as firewall rules, Anti- X, and remote ma[...]

  • Page 212

    Chapter 11 Zones ZyWALL 110/310/1100 Series User’s Guide 212 Intra-zone T raffic • Intra- zone traffic is traffic between interfaces or VPN tunnels in the same zone. F or example, in Figure 121 on page 211 , traffic between VLAN 2 and the Ethernet is intr a-zone traffic. • In each zone, you can either allow or prohibit all intr a-zone tr affi[...]

  • Page 213

    Chapter 11 Zones ZyWALL 110/310/1100 Se ries User’s Guide 213 The following table describes the labels in this screen. 1 1.3 Zone Edit The Zone Edit screen allows you to add or edit a zone. T o access this screen, go to the Zone screen (see Section 11.2 on page 212 ), and click the Add icon or an Edit icon. Figure 123 Network > Z one > Add [...]

  • Page 214

    Chapter 11 Zones ZyWALL 110/310/1100 Series User’s Guide 214 The following table describes the labels in this screen. T a ble 79 Network > Zone > Add/Edit LABEL DESCRIPTION Name F or a system default zone , the name is read only . For a user -configured zone, type the name us ed to refer to the zone . Y ou may use 1-31 alphanumeric characte[...]

  • Page 215

    ZyWALL 110/310/1100 Se ries User’s Guide 215 C HAPTER 12 DDNS 12.1 DDNS Overview Dynamic DNS (DDNS) services let you use a domain n ame with a dynamic IP address. 12.1.1 What Y ou Can Do in this Chapter •U s e t h e DDNS screen (see Section 12.2 on page 216 ) to view a list of the configured DDNS domain names and their details. •U s e t h e D[...]

  • Page 216

    Chapter 12 DDNS ZyWALL 110/310/1100 Series User’s Guide 216 12.2 The DDNS Screen The DDNS screen provides a summary of all DDNS domain names and their configuration. In addition, this screen allows you to add new doma in names, edit the configuration for existing domain names, and delete domain names. Click Configuration > N etwork > DDNS t[...]

  • Page 217

    Chapter 12 DDNS ZyWALL 110/310/1100 Se ries User’s Guide 217 12.2.1 The Dynamic DNS A dd /Edit Screen The DDNS Add/Edit screen allows you to add a domain name to the Z yWALL or to edit the configuration of an existing domain name. Click Configuration > Network > DDNS and then an Add or Edit icon to open this screen. Figure 125 Configuration[...]

  • Page 218

    Chapter 12 DDNS ZyWALL 110/310/1100 Series User’s Guide 218 Username T ype the user nam e used when you registered your domain n ame. Y ou can use up to 31 alphanumeric characters and the underscore. Spaces are not allowed. For a Dynu DDNS entry , th is user name is the one you use for logging into the service, not the name recorded in your perso[...]

  • Page 219

    Chapter 12 DDNS ZyWALL 110/310/1100 Se ries User’s Guide 219 Enable Wildcard T his option is only av ailable with a DynDNS account. Enable the wildcard feature to alias subdoma ins to be aliased to the same IP address as your (dynamic ) domain name. This feature i s useful if you want to be able to use, for example, www.y ourhost.dyndn s.org and [...]

  • Page 220

    Chapter 12 DDNS ZyWALL 110/310/1100 Series User’s Guide 220[...]

  • Page 221

    ZyWALL 110/310/1100 Se ries User’s Guide 221 C HAPTER 13 NAT 13.1 NA T Overview NA T (Network Address T ranslation - NA T , RFC 1631) is the translation of the IP address of a host in a packet. F or example, the source address of an outgoing packet, used within one network is changed to a different IP address known within another network. Use Net[...]

  • Page 222

    Chapter 13 NAT ZyWALL 110/310/1100 Series User’s Guide 222 13.2 The NA T Screen The NAT summary screen provides a summary of all NA T rules and their configuration. In addition, this screen allows you to create new NA T rules and ed it and delete existing NA T rules. T o access this screen, login to the W eb Configurator and click Configuratio n [...]

  • Page 223

    Chapter 13 NAT ZyWALL 110/310/1100 Se ries User’s Guide 223 13.2.1 The NA T Add/Edit Screen The NAT Add/Ed it screen lets you create new NA T rules and edit existing ones. T o open this window, open the NAT summary screen. (See Section 13.2 on page 222 .) Then, click on an Add icon or Edit icon to open the following screen. Figure 128 Configurati[...]

  • Page 224

    Chapter 13 NAT ZyWALL 110/310/1100 Series User’s Guide 224 Incoming Interface Select the interface on whic h packets for the NA T ru le mus t be re ceived. It can be an Ethernet, VLAN, bridge, or PPP oE/PPTP interface. Original IP Spec ify the destin ati on IP address of the pac kets received by this NA T rul e’ s specifi ed incoming interface.[...]

  • Page 225

    Chapter 13 NAT ZyWALL 110/310/1100 Se ries User’s Guide 225 13.3 NA T T echnical Reference Here is more detailed information about NA T on the Z yWALL. NA T Loopback Suppose an NA T 1:1 rule maps a public IP addre ss to the priv ate IP address of a LAN SMTP e-ma il server to give W A N users access. NA T loopback allows other users to also use th[...]

  • Page 226

    Chapter 13 NAT ZyWALL 110/310/1100 Series User’s Guide 226 Figure 129 LAN Computer Queries a Public DNS Server The LAN user ’ s computer then se nds traffic to IP address 1.1.1.1. NA T loopback uses the IP address of the Z yWALL’s LAN interface (19 2.168.1.1) as the source address of the traffic going from th e LAN users to the LAN SMTP serve[...]

  • Page 227

    Chapter 13 NAT ZyWALL 110/310/1100 Se ries User’s Guide 227 Figure 131 LAN to LAN R eturn T raffic 192.168.1.21 LAN 192.168.1.89 Source 1.1.1.1 SMTP NA T Source 192.168.1.21 SMTP[...]

  • Page 228

    Chapter 13 NAT ZyWALL 110/310/1100 Series User’s Guide 228[...]

  • Page 229

    ZyWALL 110/310/1100 Se ries User’s Guide 229 C HAPTER 14 HTTP Redirect 14.1 Overview HT TP redirect forwards the client’ s HT TP request (except HT TP traffic destined for the Z yW ALL) to a web proxy server . In the following example, proxy server A is connected to the DMZ interface. When a client connected to the LAN1 zone wants to open a web[...]

  • Page 230

    Chapter 14 HTTP Redirect ZyWALL 110/310/1100 Series User’s Guide 230 A client connects to a web proxy server each time he/she wants to access the Internet. The web proxy provides caching service to allow quick ac cess and r educe network usage. The proxy checks its local cache for the requested web r esource first. If it is not found, the proxy g[...]

  • Page 231

    Chapter 14 HTTP Redirect ZyWALL 110/310/1100 Se ries User’s Guide 231 Figure 133 Configuration > Netw ork > HT TP Redirect The following table describes the labels in this screen. 14.2.1 The HTTP Redirect Edit Screen Click Network > HTTP Redirect to open the HTTP Redir ect screen. Then click the Add or Edit icon to open the HTTP Redirect[...]

  • Page 232

    Chapter 14 HTTP Redirect ZyWALL 110/310/1100 Series User’s Guide 232 The following table describes the labels in this screen. T a ble 86 Network > HTTP R edirect > Edit LABEL DESCRIPTION Enable Use this option to turn th e HT TP redirect rule on or off . Name Enter a name to identify this rule. Y o u may use 1-31 alphanumeric characters, un[...]

  • Page 233

    ZyWALL 110/310/1100 Se ries User’s Guide 233 C HAPTER 15 ALG 15.1 ALG Overview Application Layer Gatewa y (ALG) allows the following applications to oper ate properly through the Zy W A L L ’s N AT . • SIP - Session Initiation Protocol (SIP) - An applic ation-la yer protocol that can be used to create voice and multimedia sessions over Intern[...]

  • Page 234

    Chapter 15 ALG ZyWALL 110/310/1100 Series User’s Guide 234 FTP ALG The FTP ALG allows TCP packets with a specified port destination to pass through. If the F TP server is located on the LAN, you must also configure NA T (port forwarding) and firewall rules if y ou want to allow access to the server from the W AN. H.323 ALG • The H.323 ALG suppo[...]

  • Page 235

    Chapter 15 ALG ZyWALL 110/310/1100 Se ries User’s Guide 235 Peer-to-Peer Calls and the ZyW ALL The Z yWALL ALG can allow peer-to-peer V oIP calls for both H.323 and SIP . Y ou must configure the firewall and NA T (port forwarding) to allow incoming (peer-to-peer) calls from the W AN to a private IP address on the LAN (or DMZ). V oIP Calls from th[...]

  • Page 236

    Chapter 15 ALG ZyWALL 110/310/1100 Series User’s Guide 236 Figure 138 V oIP with Multiple WAN IP Addresses •S e e Section 15.3 on page 238 for ALG back ground/technical information. 15.1.3 Before Y ou Begin Y ou must also configure the firewall and enable NA T in the ZyW ALL to allow sessions initiated from the WAN. 15.2 The ALG Screen Click Co[...]

  • Page 237

    Chapter 15 ALG ZyWALL 110/310/1100 Se ries User’s Guide 237 The following table describes the labels in this screen. T a ble 87 Co nf iguration > Ne t work > ALG LABEL DESCRIPTION Enable SIP ALG T urn on the SIP ALG to detect SIP traff i c and help build SIP sessions throu gh the Zy WA L L’s N AT . Enable SIP T ransformations S e l e c t [...]

  • Page 238

    Chapter 15 ALG ZyWALL 110/310/1100 Series User’s Guide 238 15.3 ALG T echnical Reference Here is more detailed information about the Application Layer Gatew ay . ALG Some applications cannot operate through NA T (are NA T un-friendly) because they embed IP addresses and port numbers in their packets’ da ta payload. The Z yWALL examines and uses[...]

  • Page 239

    Chapter 15 ALG ZyWALL 110/310/1100 Se ries User’s Guide 239 RTP When you make a V oIP call using H.323 or SIP , the R TP (Real time T ransport Protocol) is used to handle voice data transfer . See RFC 1889 for de tails on RTP .[...]

  • Page 240

    Chapter 15 ALG ZyWALL 110/310/1100 Series User’s Guide 240[...]

  • Page 241

    ZyWALL 110/310/1100 Se ries User’s Guide 241 C HAPTER 16 IP/MAC Binding 16.1 IP/MAC Binding Overview IP address to MAC address binding helps ensure that only the intended devices get to use privileged IP addresses. The Z yWALL uses DHCP to assign IP addresses and records the MAC address it assigned to each IP address. The Z yWALL then checks inco[...]

  • Page 242

    Chapter 16 IP/MAC Binding ZyWALL 110/310/1100 Series User’s Guide 242 Interfaces Used With IP/MAC Binding IP/MAC address bindings are grouped by inte rfac e. Y ou can use IP/MAC binding with Ethernet, bridge, VLAN interfaces. Y ou can also enable or di sable IP/MAC binding and logging in an interface’ s configuration screen. 16.2 IP/MAC Binding[...]

  • Page 243

    Chapter 16 IP/MAC Binding ZyWALL 110/310/1100 Se ries User’s Guide 243 Figure 142 Configuration > Network > IP/MAC Binding > Edit The following table describes the labels in this screen. 16.2.2 S t atic DHCP Edit Click Configuration > Network > IP/MAC Binding > Edit to open the IP/MAC Binding Edit screen. Click the Add or Edit i[...]

  • Page 244

    Chapter 16 IP/MAC Binding ZyWALL 110/310/1100 Series User’s Guide 244 Figure 143 Configuration > Network > IP /MAC Binding > Edit > Add The following table describes the labels in this screen. 16.3 IP/MAC Binding Exempt List Click Configuration > Network > IP/MAC Binding > Exempt List to open the IP/MAC Binding Exempt List sc[...]

  • Page 245

    Chapter 16 IP/MAC Binding ZyWALL 110/310/1100 Se ries User’s Guide 245 Rem ov e T o r e m o v e an e n t ry, s e l e c t i t a n d c l i ck Remov e . The ZyW ALL confirms you want to remove it before doing so. # This is the index number of the IP/MAC binding l ist entry . Name Enter a name to help identify this entry . Start IP Enter the first IP[...]

  • Page 246

    Chapter 16 IP/MAC Binding ZyWALL 110/310/1100 Series User’s Guide 246[...]

  • Page 247

    ZyWALL 110/310/1100 Se ries User’s Guide 247 C HAPTER 17 Inbound Load Balancing 17.1 Inbound Load Balancing Overview Inbound load balancing enables the Z yWALL to respond to a DNS query message with a different IP address for DNS name resolution. The Z yWALL chec ks which member interface has the least load and responds to the DNS query message w[...]

  • Page 248

    Chapter 17 Inbound Load Bal ancing ZyWALL 110/310/1100 Series User’s Guide 248 •U s e t h e Inbound LB Add/Edit screen (see Se c t io n 17 .2 . 1 on pag e 24 9 ) to add or edit a DNS load balancing rule. 17.2 The Inbound LB Screen The Inbound LB screen provides a summary of all DNS load balancing rules and the details. Y ou can also use this sc[...]

  • Page 249

    Chapter 17 Inbound Load Balancing ZyWALL 110/310/1100 Se ries User’s Guide 249 17.2.1 The Inbound LB Add/Edit Screen The Add DNS Load Balancing screen allows you to add a domain name for which the Z y WALL manages load balancing between the specified interfaces. Y ou can configure the Z yWA LL to apply DNS load balancing to some specif ic hosts o[...]

  • Page 250

    Chapter 17 Inbound Load Bal ancing ZyWALL 110/310/1100 Series User’s Guide 250 Figure 147 Configuration > Netw ork > Inbound LB > Add The following table describes the labels in this screen. T a ble 93 Conf iguration > Net wo rk > Inboun d LB > Add/Edit LABEL DESCRIPTION Create New O b ject Use this to co nfigure any new sett in[...]

  • Page 251

    Chapter 17 Inbound Load Balancing ZyWALL 110/310/1100 Se ries User’s Guide 251 17.2.2 The Inbound LB Member Add/Edit Screen The Add Load Balancing Member screen allows you to add a memb er interface for the DNS load balancing rule. Click Configuration > Network > Inbound LB > Add or Edit and then an Add or Edit icon to open this screen. [...]

  • Page 252

    Chapter 17 Inbound Load Bal ancing ZyWALL 110/310/1100 Series User’s Guide 252 Figure 148 Configuration > Network > In bound LB > Add/Edit > Add The following table describes the labels in this screen. T a ble 94 Co nf iguration > Ne t work > Inbo und LB > Ad d/Edit > A dd/Edit LABEL DESCRIPTION Member The ZyW ALL checks e[...]

  • Page 253

    ZyWALL 110/310/1100 Se ries User’s Guide 253 C HAPTER 18 Authentication Policy 18.1 Overview Use authentication policies to control who can access the network. After a user passes authentication the user’s computer must meet the endpoint security object’s Operating System (OS) option and security requirements to gain access. In the following [...]

  • Page 254

    Chapter 18 Authentication Policy ZyWALL 110/310/1100 Series User’s Guide 254 Multiple End point Security Objects Y ou can set an authentication policy to use multiple endpoint security objects. This allows checking of computers with different OSs or security setting s. When a client attemp ts to log in, the ZyW ALL checks the client’ s computer[...]

  • Page 255

    Chapter 18 Authentication Policy ZyWALL 110/310/1100 Se ries User’s Guide 255 Figure 150 Configuration > Auth. P olicy The following table gives an ov erview of the objects you can configure. T a ble 95 Configuration > Auth. Policy LABEL DESCRIPTION Enable Authentica tion Pol ic y Select this t o turn on the authenticati on policy feature. [...]

  • Page 256

    Chapter 18 Authentication Policy ZyWALL 110/310/1100 Series User’s Guide 256 18.2.1 Creating/Editing an Authentication Policy Click Configuration > Auth. Policy and then the Add (or Edit ) icon to open the Endpoint Security Edit screen. Use this screen to configure an authentication policy . Authentica tion Policy Summary Use this table to man[...]

  • Page 257

    Chapter 18 Authentication Policy ZyWALL 110/310/1100 Se ries User’s Guide 257 Figure 152 Configuration > Auth. P olicy > Add The following table gives an ov erview of the objects you can configure. T a ble 96 Configuration > Auth. Policy > Add LABEL DESCRIPTION Create n ew Object Use to configure any new settings objects that you ne e[...]

  • Page 258

    Chapter 18 Authentication Policy ZyWALL 110/310/1100 Series User’s Guide 258 18.3 User-aware A ccess Control Example Y ou can configure many policies and security settings for specific users or groups of users. Users can be authenticated locally by the Z yWALL or by an external (AD, RADIUS , or LDAP) authentication server . In this example the us[...]

  • Page 259

    Chapter 18 Authentication Policy ZyWALL 110/310/1100 Se ries User’s Guide 259 18.3.2 Set Up User Group s Set up the user groups and assign the users to the user groups. 1 Click Configuration > Object > User/Group > Group . Click the Add icon. 2 Enter the name of the group. In this example, it is “Finance” . Then, select User/Leo and [...]

  • Page 260

    Chapter 18 Authentication Policy ZyWALL 110/310/1100 Series User’s Guide 260 Figure 155 Configuration > Object > AAA Server > RADIUS > Add 2 Click Configuration > Object > A uth. Method . Double-click the default entry . Click the Add icon. Select group radius because the Z y WALL should use the specified RADIUS server for authe[...]

  • Page 261

    Chapter 18 Authentication Policy ZyWALL 110/310/1100 Se ries User’s Guide 261 Figure 157 Configuration > Auth. P olicy > Add In the Auth. Policy screen, select Enable Authentication Policy and click Apply . Figure 158 Configuration > Auth. P olicy When the users try to browse the web (or u se any HT TP/HTTPS application), the Login scree[...]

  • Page 262

    Chapter 18 Authentication Policy ZyWALL 110/310/1100 Series User’s Guide 262 1 Click Configuration > Object > AAA Server > RADIUS . Double-click the radius entry . Besides configuring the RADIUS server’s address, authentication port, and key; set the Group Membership Attribute field to the attribute that the Z yWALL is to check to dete[...]

  • Page 263

    Chapter 18 Authentication Policy ZyWALL 110/310/1100 Se ries User’s Guide 263[...]

  • Page 264

    Chapter 18 Authentication Policy ZyWALL 110/310/1100 Series User’s Guide 264[...]

  • Page 265

    ZyWALL 110/310/1100 Se ries User’s Guide 265 C HAPTER 19 Firewall 19.1 Overview Use the firewall to block or allow services that use static port numbers. This example shows the Z yW ALL’s default firew all beha vior for W AN to LAN traffic and how stateful inspection works. A LAN user can initiate a T elnet session from within the LAN zone and [...]

  • Page 266

    Chapter 19 Firewall ZyWALL 110/310/1100 Series User’s Guide 266 Note: At the time of writing the Z yWALL’ s VPN and GRE tunnels support IPv4 tr affic so IPv6 firewall rule s do not apply to IPSec, S SL VPN, and GRE tunnel tr affic. T o-ZyW ALL Rules Rul es wi th ZyWALL as the To Zone appl y to traffic going to the Z yWA LL itself . By default: [...]

  • Page 267

    Chapter 19 Firewall ZyWALL 110/310/1100 Se ries User’s Guide 267 A From Any To ZyWALL direction rule applies to traffic from an interface which is not in a zone. Global Firewall Rules Firewall rules with from any and/or to any as the packet direction are called global firewall rules. The global firewall rules are the only firew all rules that app[...]

  • Page 268

    Chapter 19 Firewall ZyWALL 110/310/1100 Series User’s Guide 268 19.2 The Firewall Screen Asymmetrical Routes If an alternate gateway on the LAN has an IP ad dress in the same subnet as the Z yWALL’s LAN IP address, return traffic ma y not go through the Z yWALL. This is called an asymmetrical or “triangle” route. This causes the Z yWALL to [...]

  • Page 269

    Chapter 19 Firewall ZyWALL 110/310/1100 Se ries User’s Guide 269 • Besides configuring the firewall, you also need to configure NA T rules to allow computers on the WAN to access LAN devices. See Chapter 13 on page 221 for more information. • The Z yWALL applies NA T (Destination NA T) settings before applying the firewall rules. So for examp[...]

  • Page 270

    Chapter 19 Firewall ZyWALL 110/310/1100 Series User’s Guide 270 Figure 163 Configuration > Firewall[...]

  • Page 271

    Chapter 19 Firewall ZyWALL 110/310/1100 Se ries User’s Guide 271 The following table describes the labels in this screen. T a ble 98 Conf iguration > Firewall LABEL DESCRIPTION General Settings Enable Firewall Select this ch eck bo x to activ ate the firewall. The Z y WALL performs access control when the firewall is activ ated. IPv4 / IPv6 Ru[...]

  • Page 272

    Chapter 19 Firewall ZyWALL 110/310/1100 Series User’s Guide 272 19.2.2 The Firewall Add/Edit Screen In the Firewall screen, click the Edit or Add icon to display the Firewall Rule Edit screen. Figure 164 Configuration > Firewall > Add The following table describes the labels in this screen. Schedule This field tells you th e sche dule objec[...]

  • Page 273

    Chapter 19 Firewall ZyWALL 110/310/1100 Se ries User’s Guide 273 19.3 The Session Limit Screen Click Configuration > Firewall > Session Limit to display the Firewall Session Limit screen. Use this screen to limit the number of concurrent NA T/firewall sessions a client can use. Y ou can apply a default limit for all users and individual lim[...]

  • Page 274

    Chapter 19 Firewall ZyWALL 110/310/1100 Series User’s Guide 274 Figure 165 Configuration > Firewall > Session Limit The following table describes the labels in this screen. T a ble 100 Configur ation > Firewall > Session Limit LABEL DESCRIPTION General Settings Enable Session limit Select this check box to control the nu mber of concu[...]

  • Page 275

    Chapter 19 Firewall ZyWALL 110/310/1100 Se ries User’s Guide 275 19.3.1 The Session Limit Add/Edit Screen Click Configuration > Firewall > Session Limit and the Add or Edit icon to display the Firewall Sessio n Limit Edit screen. Use this screen to configure rules that define a session limit for specific users or addresses. Figure 166 Confi[...]

  • Page 276

    Chapter 19 Firewall ZyWALL 110/310/1100 Series User’s Guide 276 19.4 Firewall Rule Configuration Example The following Internet firewall rule example allo ws Doom play ers from the WAN to IP addresses 192.168.1.10 through 19 2.168.1.15 (Dest_1) on the LAN1. 1 Click Configuration > Firewall . In the summary of IPv4 firewall rules click Add to c[...]

  • Page 277

    Chapter 19 Firewall ZyWALL 110/310/1100 Se ries User’s Guide 277 Figure 169 Firewall Example: Create a Service Object 4 Select From WAN and To LAN1 and enter a name for the firewall rule. Select Dest_1 for the Destination and Doom as the Service . Enter a description and configure the rest of the screen as follows. Click OK when y ou are done. Fi[...]

  • Page 278

    Chapter 19 Firewall ZyWALL 110/310/1100 Series User’s Guide 278 19.5 Firewall Rule Example Applications Suppose you decide to block LAN users from using IRC (Internet Relay Chat) through the Internet. T o do this, you would configure a LAN to WAN firewall rule that blocks IRC traffic from an y source IP address from going to any destination addre[...]

  • Page 279

    Chapter 19 Firewall ZyWALL 110/310/1100 Se ries User’s Guide 279 Now you configure a LAN1 to W AN fire wall rule that allows IRC tr affic from the IP address of the CEO’ s computer (192.168.1.7 for example) to go to any destination address. Y ou do not need to specify a schedule since you want the firewall rule to a l w a y s b e i n ef f e c t[...]

  • Page 280

    Chapter 19 Firewall ZyWALL 110/310/1100 Series User’s Guide 280 The rule for the CEO must come before the rule that blocks all LAN1 to WAN IRC traffic. If the rule that blocks all LAN1 to W AN IRC traffic came first, the CEO’s IRC traffic would match that rule and the Z yWALL would drop it and not check any other firewall rules.[...]

  • Page 281

    ZyWALL 110/310/1100 Se ries User’s Guide 281 C HAPTER 20 IPSec VPN 20.1 V irtual Private Networks (VPN) Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a co mbination of tunneling, encryption, authentication, access control and auditing. It is [...]

  • Page 282

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Series User’s Guide 282 Figure 175 SSL V PN L2TP VPN L2TP VPN uses the L2TP and IPSec client software included in remote users’ Andr oid, iOS, or Windows operating systems for secure connections to the network behind the Z yW ALL. The remote users do not need their own IPSec gateways or third-party VPN c[...]

  • Page 283

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Se ries User’s Guide 283 20.1.2 What Y ou Need to Know An IPSec VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contr act indicating what security parameters the Z yWALL and the remote IPSec router will use. The first phase establishes an In ternet K e[...]

  • Page 284

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Series User’s Guide 284 Application Scenarios The Z yWALL’ s application scenarios make it easier to configure y our VPN connection settings. Finding Out More •S e e Section 20.6 on page 305 for IPSec VPN background information. 20.1.3 Before Y ou Begin This section briefly explains the relationship be[...]

  • Page 285

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Se ries User’s Guide 285 • In any VPN connection, you ha v e to select addre ss objects to specify the local policy and remote policy . Y ou should set up the address objects first. • In a VPN gateway , you can select an Ethernet interface, virtual Ethernet interface, VLAN interface, or virtual VLAN in[...]

  • Page 286

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Series User’s Guide 286 Each field is discussed in the following table. See Section 20.2 .2 on page 292 and Section 20.2.1 on page 286 for more information. 20.2.1 The VPN Connection Add/Edit (IKE) Screen The VPN Connection Add/Edit Gateway screen allows you to create a new VPN connection policy or edit an[...]

  • Page 287

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Se ries User’s Guide 287 Figure 179 Configuration > VPN > IPSec VPN > VPN Connection > Edit (IKE)[...]

  • Page 288

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Series User’s Guide 288 Each field is described in the following table. T a ble 107 Configur ation > VPN > IPSec VPN > VPN Connection > Edit LABEL DESCRIPTION Show Adv anced Settings / Hide Adv anced S etting s Click this butto n t o display a greater or lesser nu mber of configu ration fields.[...]

  • Page 289

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Se ries User’s Guide 289 Re mot e P olicy Select the address cor responding to the rem ote ne twork . Us e Create new Object if you need to configure a new one. Policy Enforcement Clear this to allo w traffic with so urce and destination IP a ddresses that do not match the local and rem ote policy to use t[...]

  • Page 290

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Series User’s Guide 290 Authenti cation Select which hash al gorithm to use to authen ticate packe t data in the IPSec S A. Choices are SHA1 , SHA256 , SHA512 an d MD5 . SHA is generally considered stronger than MD5 , but it is also slower . The Z yWALL and the remote IPSec router mu st both hav e a propos[...]

  • Page 291

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Se ries User’s Guide 291 Source NA T This translation hides the sourc e address of computers in the lo cal network. It may also be necessary if you want the Z yWA LL to route packets from computers outsi de the local ne twork through the IPSec SA. Source Select the address object that re presents the origi[...]

  • Page 292

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Series User’s Guide 292 20.2.2 The VPN Connection Add/Edit Manual Key Screen The VPN Connection Add/Edit Manual Key screen allows you to create a new VPN connection or edit an existing one using a manual key . This is useful if you ha ve problems with IKE key management. T o access this screen, go to the V[...]

  • Page 293

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Se ries User’s Guide 293 This table describes labels specific to manual key configuration. See Section 20.2 on page 285 for descriptions of the other fields. T a ble 108 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key LABEL DESCRIPTION Manual K ey My Address T ype the IP [...]

  • Page 294

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Series User’s Guide 294 20.3 The VPN Gateway Screen The VPN Gateway summary screen displays th e IPSec VPN gateway policies in the Z yWALL, as well as the Z yWALL’ s address, remote IPSec router ’s address, and associated VPN connections for each one. In addition, it also lets you activ ate and deactiv[...]

  • Page 295

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Se ries User’s Guide 295 Figure 181 Configuration > VPN > IPSec VPN > VPN Gatewa y Each field is discussed in the following table. See Section 20.3.1 on page 295 for more information. 20.3.1 The VPN Gateway Add/Edit Screen The VPN Gateway Add/Edit screen allows you to create a new VPN gatew ay pol[...]

  • Page 296

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Series User’s Guide 296 Figure 182 Configuration > VPN > IPSec VPN > VPN Gatewa y > Edit[...]

  • Page 297

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Se ries User’s Guide 297 Each field is described in the following table. T a ble 110 Configuration > VPN > IPSec VPN > VPN Gatew ay > Edit LABEL DESCRIPTION Show Adv anced Settings / Hide Adv anced S etting s Click this button to display a greater or lesser number of co nfiguration fields. Gene[...]

  • Page 298

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Series User’s Guide 298 Certificate Select th is to have the ZyW ALL and remote IPSec router use certificates to authe nticate each other when they negotiat e the IKE SA. Then select the cert ificate the ZyWALL uses to identify itself to the remote IPsec router . This certificate is one of the certificates[...]

  • Page 299

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Se ries User’s Guide 299 Content This field is disabled if the Pee r I D Type is Any . T ype the identity of the remote IPSec router during authentication. The i dentity depen ds on the Peer ID Type . If the Z yWALL and remote IPSec router do not use certificates, IP - type an IP address; see the no te at [...]

  • Page 300

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Series User’s Guide 300 Encryption Select which k e y size and en cryption algorith m to use in the IKE S A. Choices are: DES - a 56-bit key with t he DES encrypti on algorithm 3DES - a 168-bit key with the DES e ncryption algorithm AES128 - a 128-bit key with the AES encrypt ion algorithm AES192 - a 192-b[...]

  • Page 301

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Se ries User’s Guide 301 20.4 VPN Concentrator A VPN concentrator combines se veral IPSec VPN connections into one secure network. Figure 183 VPN T opologies (Fully Meshed and Hub and Spoke) In a fully-meshed VPN topology ( 1 in the figure), there is a VPN connection between every pair of routers. In a hub[...]

  • Page 302

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Series User’s Guide 302 20.4.1 VPN Concentrator Re quirement s and Suggestions Consider the following when using the VPN concentrator . • The local IP addresses configured in the VPN rules should not ov erlap. • The concentrator must hav e at least one separate VPN rule for each spoke. In the local pol[...]

  • Page 303

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Se ries User’s Guide 303 Figure 185 Configuration > VPN > IPSec VPN > Concentrator > Edit Each field is described in the following table. 20.5 ZyW ALL IPSec VPN Client Configuration Provisioning Use the Configuration > VPN > IPSec VPN > Con figuration Provisioning screen to configure w[...]

  • Page 304

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Series User’s Guide 304 In the ZyW ALL Quick Setup wizard, y ou can use the VPN Settings for Configuration Provisioni ng wizard to create a VPN rule that will not violate these restrictions. Figure 186 Configuration > VPN > IPSec VPN > Configur ation Provisioning Each field is discussed in the fol[...]

  • Page 305

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Se ries User’s Guide 305 20.6 IPSec VPN Background Information Here is some more detailed IP Sec VPN background information. IKE SA Overview The IKE SA provides a secure connection between the ZyW A LL and remote IPSec router . It takes sever al steps to establish an IKE SA. The negotiation mode determines[...]

  • Page 306

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Series User’s Guide 306 IKE SA Proposal The IKE SA proposal is used to identify the encr yption algorithm, authentication algorithm, and Diffie-Hellman (DH) key group that the Z yW ALL and remote IPSec router use in the IKE SA. In main mode, this is done in steps 1 and 2, as illustr ated next. Figure 187 I[...]

  • Page 307

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Se ries User’s Guide 307 Diffie-Hellman (DH) Key Exchange The Z yWALL and the remote IPSec router use DH public -key cryptograph y to establish a shared secret. The shared secret is then used to generate encryption keys for the IKE SA and IPSec S A. In main mode, this is done in steps 3 and 4, as illustr a[...]

  • Page 308

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Series User’s Guide 308 Note: The Z yWALL and the remote IPSec ro uter must use the same pre-shared key . Router ide nti ty co nsi sts of ID ty pe a nd c ont ent . Th e ID typ e ca n be dom ai n na me, I P a ddr ess , or e- mail address, and the content is a (properly -fo rmatted) domain name, IP address, [...]

  • Page 309

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Se ries User’s Guide 309 Steps 1 - 2: The Z yWALL sends its proposals to the remote IPSec router . The remote IPSec router selects an acceptable proposal and sends i t back to the ZyW ALL. Steps 3 - 4: The Z yWA LL and the remote IPSec router exchange pre-shared keys for authentication and participate in a[...]

  • Page 310

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Series User’s Guide 310 Extended Authentication Extended authentication is often used when mult iple IPSec routers use the sam e VPN tunnel to connect to a single IPSec router . For exampl e, this might be u sed with telecommuters. In extended authentication, one of the routers (the Z yWALL or the remote I[...]

  • Page 311

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Se ries User’s Guide 31 1 Note: The ZyW ALL and remo te IPSec router must use the same active protocol. Usually , you should select ESP . AH does not support encryption, and ESP is more suitable with NA T . Encap sulation There are two ways to encapsulate packets. Usually , you should use tunnel mode becau[...]

  • Page 312

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Series User’s Guide 312 If you do not enable PFS, the Z yWALL and remote IPSec router use the same root key that was generated when the IKE SA was established to gener ate encryption keys. The DH key exchange is time-consum ing and may be unnecessary for data that does not require such security . Additiona[...]

  • Page 313

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Se ries User’s Guide 313 Figure 192 VPN Example: NA T for Inbound and Outbound T raffic Source Address in Outbound Packet s (Outbound T raffic, Source NA T) This translation lets the ZyW ALL route packets from computers that are not part of th e specified local network (local policy) through the IPSec SA. [...]

  • Page 314

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Series User’s Guide 314 Y ou have to specif y one or more rules when you set up this kind of NA T . The Z yWALL check s these rules similar to the way it checks rules for a fi rewall. The first part of these rules define the conditions in which the rule apply . • Original IP - the original destination ad[...]

  • Page 315

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Se ries User’s Guide 315 Set Up the VPN Connection th at Manages the IPSec SA 1 In Configuration > VPN > IPSec VPN > V PN Con nection > Add , click Create New Object > Address to create an address object for the remote network. Set the Address Type to SUBNET , the Network field to 172.16.1. [...]

  • Page 316

    Chapter 20 IPSec VPN ZyWALL 110/310/1100 Series User’s Guide 316[...]

  • Page 317

    ZyWALL 110/310/1100 Se ries User’s Guide 317 C HAPTER 21 SSL VPN 21.1 Overview Use SSL VPN to allow users to use a web browser fo r secure remote user login. The remote users do not need a VPN router or VPN client softw are. 21.1.1 What Y ou Can Do in this Chapter •U s e t h e VPN > SSL VPN > Access Privilege screens (see Section 21.2 on [...]

  • Page 318

    Chapter 21 SSL VPN ZyWALL 110/310/1100 Series User’s Guide 318 SSL Access Policy Object s The SSL access policies reference the following objects. If you update this information, in response to changes, the Z yWA LL automatically propagates the changes through the SSL policies that use the object(s). When you delete an SSL policy , the objects ar[...]

  • Page 319

    Chapter 21 SSL VPN ZyWALL 110/310/1100 Se ries User’s Guide 319 The following table describes the labels in this screen. 21.2.1 The SSL Access Policy Add/Edit Screen T o create a new or edit an existing SSL access policy , click the Add or Edi t icon in the Access Privilege screen. T a ble 117 VPN > SSL VPN > Access Privilege LABEL DESCRIPT[...]

  • Page 320

    Chapter 21 SSL VPN ZyWALL 110/310/1100 Series User’s Guide 320 Figure 196 VPN > SSL VPN > Add/Edit The following table describes the labels in this screen. T a ble 118 VPN > SSL VPN > Access Privilege > Add/Edit LABEL DESCRIPTION Create n ew Object Use to configu re any new sett ings objects that you need to us e in this screen. Co[...]

  • Page 321

    Chapter 21 SSL VPN ZyWALL 110/310/1100 Se ries User’s Guide 321 Name Enter a descriptive na me to identify this policy . Y ou ca n enter up to 31 characters (“a-z” , A- Z” , “0-9”) with no spaces allowed. Zone Se le ct the zone to which to add this SSL access policy . Y ou use zones to appl y se curity settings such as firewall and remo[...]

  • Page 322

    Chapter 21 SSL VPN ZyWALL 110/310/1100 Series User’s Guide 322 21.3 The SSL Global Setting Screen Click VPN > SSL VPN and click the Global Setting tab to display the following screen. Use this screen to set the IP address of the Z yWALL (or a gatew ay device) on y our network for full tunnel mode access, enter access messages or upload a custo[...]

  • Page 323

    Chapter 21 SSL VPN ZyWALL 110/310/1100 Se ries User’s Guide 323 21.3.1 How to Upload a Custom Logo Follow th e steps below to upload a custom logo to display on the remote user SSL VPN screens. 1 Click VPN > SSL VPN and click the Global Setting tab to display the configur ation screen. 2 Click Browse to locate the logo graphic. Make sure the f[...]

  • Page 324

    Chapter 21 SSL VPN ZyWALL 110/310/1100 Series User’s Guide 324 Figure 198 Example Logo Graphic Display 21.4 SSL VPN Example This example uses SSL VPN to let remote users securely access the internal http://info website. 1 Click Configuration > VPN > SSL VPN > Access Privilege > Add and click Create New Object > Application to creat[...]

  • Page 325

    Chapter 21 SSL VPN ZyWALL 110/310/1100 Se ries User’s Guide 325 3 Display the Z yWALL’ s login screen, enter your user account information (the user name and password), and click SSL VPN to establish an SSL VPN connection. 4 Y our computer starts establishing a secure connecti on to the ZyW ALL after the login. This may take up to two minutes. [...]

  • Page 326

    Chapter 21 SSL VPN ZyWALL 110/310/1100 Series User’s Guide 326 5 The client portal screen displays after the connection is up. In this example, click the Web Server link to go to http://info. If the user account is not included in an S SL VPN access policy , the ZyW ALL redi rects the user to the user aware screen. F or more information on user p[...]

  • Page 327

    ZyWALL 110/310/1100 Se ries User’s Guide 327 C HAPTER 22 SSL User Screens 22.1 Overview This chapter introduces the remote user SSL VPN screens. The followin g figure shows a network example where a remote user ( A ) logs into the ZyW ALL from the Internet to access the web server ( WWW ) on the local network. Figure 199 Network Example 22.1.1 Wh[...]

  • Page 328

    Chapter 22 SSL User Screens ZyWALL 110/310/1100 Series User’s Guide 328 • Using RDP requires Internet Explorer • Sun’ s Runtime Environment (JRE) v ersion 1.6 or later installed and enabled. Required Information A remote user needs the following information from the network administrator to log in and access network resources. • the domai[...]

  • Page 329

    Chapter 22 SSL User Screens ZyWALL 110/310/1100 Se ries User’s Guide 329 Figure 201 Login Security Screen 3 A login screen displays. Enter the user nam e and password of your login account. If a token password is also required, enter it in the One-Time Password field. Click SSL VPN to log in and establish an SSL VPN connection to the network to a[...]

  • Page 330

    Chapter 22 SSL User Screens ZyWALL 110/310/1100 Series User’s Guide 330 Figure 204 ActiveX Object Installation Blocked by Browser Figure 205 SecuExtender Blocked by Internet Explorer 6 The Z yWALL tries to run the “ssltun” application. Y ou may need to click somethin g to get your browser to allow this. In Internet Explorer , click Run . Figu[...]

  • Page 331

    Chapter 22 SSL User Screens ZyWALL 110/310/1100 Se ries User’s Guide 331 Figure 207 SecuExtender Progress 8 If a screen like the following displays, click Continue Anyway to finish installing the SecuExtender client on your computer . Figure 208 Installation W arning 9 The Application screen displays showing the list of resources av ailable to yo[...]

  • Page 332

    Chapter 22 SSL User Screens ZyWALL 110/310/1100 Series User’s Guide 332 Figure 209 Remote User Screen The following table describes the various parts of a remote user screen. 22.4 Bookmarking the ZyW ALL Y ou ca n cr e at e a bo o km a rk of t he ZyWAL L by cl i ck i ng th e Add to Favorite icon. This allows you to access the Z yWALL using the bo[...]

  • Page 333

    Chapter 22 SSL User Screens ZyWALL 110/310/1100 Se ries User’s Guide 333 3 Click OK to create a bookmark in your web browser . Figure 210 Add F avorite 22.5 Logging Out of th e SSL VPN User Screens T o prope rly terminate a connection, click on the Logout icon in any remote user screen. 1 Click the Logout icon in any remote user screen. 2 A promp[...]

  • Page 334

    Chapter 22 SSL User Screens ZyWALL 110/310/1100 Series User’s Guide 334 Figure 212 Application 22.7 SSL User File Sharing The File Sharing screen lets you access files on a file server through the SSL VPN connection. Use it to display and access shared files/folders on a file serv er . Y ou can also perform the following actions: • Access a fol[...]

  • Page 335

    Chapter 22 SSL User Screens ZyWALL 110/310/1100 Se ries User’s Guide 335 Figure 213 File Sharing 22.7.2 Opening a File or Folder Y ou can open a file if the file extension is re cognized by the web brow ser and the associated application is installed on your computer . 1 Log in as a remote user and click th e File Sharing tab. 2 Click on a file s[...]

  • Page 336

    Chapter 22 SSL User Screens ZyWALL 110/310/1100 Series User’s Guide 336 4 A list of files/folders displays. Double click a file to open it in a separ ate browser window or select a file and click Download to save it to your computer . Y ou can also click a folder to access it. For this example, click on a .doc file to open the W ord document. Fig[...]

  • Page 337

    Chapter 22 SSL User Screens ZyWALL 110/310/1100 Se ries User’s Guide 337 Figure 216 File Sharing: Save a W ord File 22.7.5 Creating a New Folder T o create a new folder in the file share location, click the New Folder icon. Specify a descriptive n ame for the folder . Y ou can en ter up to 356 char acters. Th en click Add . Note: Make sure the le[...]

  • Page 338

    Chapter 22 SSL User Screens ZyWALL 110/310/1100 Series User’s Guide 338 A popup window displays. Specify the new name and/ or file extension in the field provided. Y ou can enter up to 356 characters. Then click Appl y . Note: Make sure th e length of the nam e do es not exceed the maximum allowed on the file server . Y ou may not be able to open[...]

  • Page 339

    Chapter 22 SSL User Screens ZyWALL 110/310/1100 Se ries User’s Guide 339 Note: Uploading a file with the same name and file extensio n replac es the e xisti ng file on the file server . No warning message is displayed.[...]

  • Page 340

    Chapter 22 SSL User Screens ZyWALL 110/310/1100 Series User’s Guide 340[...]

  • Page 341

    ZyWALL 110/310/1100 Se ries User’s Guide 341 C HAPTER 23 ZyWALL SecuExtender The Z yWALL automatically loads the Z yWALL SecuExtender client progr am to your com puter after a successful login to an S SL VPN tunnel with ne twork extension support enabled. The ZyW ALL SecuExtender lets you: • Access servers, remote desktops and manage files as i[...]

  • Page 342

    Chapter 23 ZyWALL SecuExtender ZyWALL 110/310/1100 Series User’s Guide 342 Figure 222 ZyW ALL SecuExtender Status The following table describes the labels in this screen. 23.3 V iew Log If you hav e problems with the ZyW ALL SecuExtend er , customer sup port may request you to provide information from the log. Right-click the Z yWALL Se cuExtende[...]

  • Page 343

    Chapter 23 ZyWALL SecuExtender ZyWALL 110/310/1100 Se ries User’s Guide 343 Figure 223 ZyW ALL SecuExtend er Log Example 23.4 Suspend and Resume the Connection When the Z yWALL SecuExtender icon in the system tray is green, you can right -cli ck the icon and select Suspend Connection to keep the SSL VPN tun nel connected but not send any tr affic[...]

  • Page 344

    Chapter 23 ZyWALL SecuExtender ZyWALL 110/310/1100 Series User’s Guide 344 Figure 224 Uninstalling the ZyW A LL Secu Extender Confirmation 3 Windows uninstalls the Z yWA LL SecuExtender . Figure 225 ZyW ALL SecuExtender Uninstallation[...]

  • Page 345

    ZyWALL 110/310/1100 Se ries User’s Guide 345 C HAPTER 24 L2TP VPN 24.1 Overview L2TP VPN uses the L2TP and IPSec client software included in remote users’ Andr oid, iOS, or Windows operating systems for secure connections to the network behind the Z yW ALL. The remote users do not need their own IPSec gateways or third-party VPN client softw ar[...]

  • Page 346

    Chapter 24 L2TP VPN ZyWALL 110/310/1100 Series User’s Guide 346 Using the Default L2 TP VPN Connection The Default_L2TP_VPN_ GW gateway entry is pre-configured to be conv enient to use for L2TP VPN. Edit it as follows: •S e t My Address to the W A N interface domain name or IP address you w ant to use. • Replace the default Pre-Shared Key . C[...]

  • Page 347

    Chapter 24 L2TP VPN ZyWALL 110/310/1100 Se ries User’s Guide 347 24.2 L2TP VPN Screen Click Configuration > VPN > L2TP VPN to open the following screen. Use this screen to configure the Z yWALL’ s L2TP VPN settings. Note: Disconnect an y existing L2TP VPN sessions bef ore modifying L2TP VPN setting s. The remote users must make any needed[...]

  • Page 348

    Chapter 24 L2TP VPN ZyWALL 110/310/1100 Series User’s Guide 348 Authentica tion Server Certificate Select the c erti ficate to use to identify the ZyW ALL for L2TP VPN conne ct ions. Y ou m ust have certificates already configured in the My Certificate s screen (Click My Certificates and see Chapter 33 on page 413 for details). The cert ificate i[...]

  • Page 349

    ZyWALL 110/310/1100 Se ries User’s Guide 349 C HAPTER 25 Bandwidth Management 25.1 Overview Bandwidth management provides a con venient way to manage the use of v arious services on the network. It manages general protocols (for example, HT TP and F TP) and applies traffic prioritization to enhance the performance of delay-sensitiv e applications[...]

  • Page 350

    Chapter 25 Bandwidth Manage ment ZyWALL 110/310/1100 Series User’s Guide 350 Connection and Packet Directions Bandwidth management looks at the connection direction, that is from which interface the connection was initiated and to which interface the connection is going. A connection has outbound and inbound packet flow s. The Zy WALL controls th[...]

  • Page 351

    Chapter 25 Bandwidth Management ZyWALL 110/310/1100 Se ries User’s Guide 351 Figure 230 LAN1 to WAN, Outbound 200 kbps, Inbound 500 kbps Bandwid th Management Priority • The Z yWA LL gives bandwidth to higher-pr iority tr affic first, until it reaches its configured bandwidth rate. • Then lower-priority traffic gets bandwidth. • The Z yWALL[...]

  • Page 352

    Chapter 25 Bandwidth Manage ment ZyWALL 110/310/1100 Series User’s Guide 352 Figure 231 Bandwidth Management Behavior Configured Rate Effect In the following table the configured r ates total less than the available bandwidth and maximize bandwidth usage is disabled, both servers get their configured rate. Priority Effect Here the configured r at[...]

  • Page 353

    Chapter 25 Bandwidth Management ZyWALL 110/310/1100 Se ries User’s Guide 353 Priority and Over Allotm ent of Ban dwidth Effect Server A has a configured r ate that equals the total amount of a vailable bandwidth and a higher priority . Y ou should regard extreme over allotment of traffic with different priorities (as shown here) as a configuratio[...]

  • Page 354

    Chapter 25 Bandwidth Manage ment ZyWALL 110/310/1100 Series User’s Guide 354 The following table describes the labels in this screen. See Section 25.2.1 on page 355 for more information as well. T a ble 127 Configuration > Bandwidth Management LABEL DESCRIPTION Enable BWM Select this check bo x to activ ate management bandwidt h. Add Click thi[...]

  • Page 355

    Chapter 25 Bandwidth Management ZyWALL 110/310/1100 Se ries User’s Guide 355 25.2.1 The Bandwid th Ma nagement Add/Edit Screen The Configuration > Bandwi dth Manageme nt Add/Edit screen allows y ou to create a new condition or edit an existing one. T o access this screen, go to the Configuration > Bandwidth Management screen (see Section 25[...]

  • Page 356

    Chapter 25 Bandwidth Manage ment ZyWALL 110/310/1100 Series User’s Guide 356 Figure 234 Configuration > Bandwidth Management > Add/Edit The following table describes the labels in this screen. T a ble 128 Configuration > Bandwidth Management LABEL DESCRIPTION Create n ew Objec t Use to c onfigure any new settings obje cts that you need t[...]

  • Page 357

    Chapter 25 Bandwidth Management ZyWALL 110/310/1100 Se ries User’s Guide 357 Outgoing Interface Select the dest ination in terface of th e traffic to which this polic y applies. Source Select a source add ress or address group for whom this policy applies. Use Create new Object if you need to configure a new one. Select any if the policy is effec[...]

  • Page 358

    Chapter 25 Bandwidth Manage ment ZyWALL 110/310/1100 Series User’s Guide 358 Outbound kbps T ype how much outbound ban dwidth, in kilobits per second, this policy allows t he traffic to use. Outbound refers to the tra ffic the Z y WAL L sends out from a connec tion’ s initiator . If you enter 0 here, this pol icy does not ap ply bandwidth manag[...]

  • Page 359

    ZyWALL 110/310/1100 Se ries User’s Guide 359 C HAPTER 26 Device HA 26.1 Overview Device HA lets a backup Zy WALL ( B ) automatically take over if the master Z yWALL ( A ) fails. Figure 235 Device HA Backup T aking Over for the Master 26.1.1 What Y ou Can Do in this Chapter •U s e t h e General screen ( Section 26.2 on page 360 ) to configure de[...]

  • Page 360

    Chapter 26 Device HA ZyWALL 110/310/1100 Series User’s Guide 360 Note: Only ZyW ALLs of the sa me model an d firmware version ca n sy nchronize. Otherwise you must manually configure the master Z yWALL’ s settings on the backup (by editing copies of the configuration files in a text editor for example). Finding Out More •S e e Section 26.5 on[...]

  • Page 361

    Chapter 26 Device HA ZyWALL 110/310/1100 Se ries User’s Guide 361 26.3 The Active-P assive Mode Screen Virtual Router The master and backup Z y WALL form a single ‘virtual router’ . In the following ex ample, master ZyW A L L A and backup ZyW ALL B form a virtual router . Figure 237 Virtual Router Cluster ID Y ou can have multiple Z yWA LL vi[...]

  • Page 362

    Chapter 26 Device HA ZyWALL 110/310/1100 Series User’s Guide 362 Figure 238 Cluster IDs for Multiple Virtual Routers Monitored Interfaces in Acti ve-Passive Mode Device HA Y ou can select which interfaces device HA monito rs. If a monitored interf ace on the Z yWALL loses its connection, device HA has the backup Z yWALL take over . Enable monitor[...]

  • Page 363

    Chapter 26 Device HA ZyWALL 110/310/1100 Se ries User’s Guide 363 26.3.1 Configuring Acti ve-Passive Mode Device HA The Device HA Active -Passive Mode screen lets you configure general active-passiv e mode device HA settings, view and manage the list of monitored interfaces, and synchronize backup Z yWALLs. T o access this screen, click Configura[...]

  • Page 364

    Chapter 26 Device HA ZyWALL 110/310/1100 Series User’s Guide 364 Inactiv ate T o turn off an entry , select it and click Inactivate . # This is the ent ry’s index number in the li st. Status The activ ate (light bulb) icon is lit when the entry is activ e and dimmed when the en try is inactive. Interface This field identifies the interface. At [...]

  • Page 365

    Chapter 26 Device HA ZyWALL 110/310/1100 Se ries User’s Guide 365 26.4 Configuring an Acti ve-Passive Mode Monitored Interface The Device HA Active -Passive Mode Monitore d Interface Edi t screen lets you enable or disable monitoring of an interface and set the in terface’ s management IP address and subnet mask. T o access this screen, click C[...]

  • Page 366

    Chapter 26 Device HA ZyWALL 110/310/1100 Series User’s Guide 366 The following table describes the labels in this screen. 26.5 Device HA T echnical Reference Active-Passive Mode Device HA with Bridge Interfaces Here are two ways to av oid a broadcast storm wh en you connect the bridge interfaces on two ZyW A L L s . First Option for Connecting th[...]

  • Page 367

    Chapter 26 Device HA ZyWALL 110/310/1100 Se ries User’s Guide 367 2 Configure the bridge interface on the master Z y WA LL, set the bridge interface as a moni tored interface, and activate device HA. 3 Configure the bridge interface on the backup Z y WALL, set the bridge interface as a monitored interface, and activate device HA. 4 Connect the Z [...]

  • Page 368

    Chapter 26 Device HA ZyWALL 110/310/1100 Series User’s Guide 368 Second Option for Connecting the Bridge Interfaces on T w o ZyW ALLs Another option is to disable the bridge interfaces, connect the bridge interfac es, activate device HA, and finally reactivate the bridge interfaces as shown in the following example. 1 In this case the Z yWALLs ar[...]

  • Page 369

    Chapter 26 Device HA ZyWALL 110/310/1100 Se ries User’s Guide 369 3 Enable the bridge interface on the master Z yWALL and then on the backup Z yWALL. 4 Connect the Z yWALLs. Synchronization During synchronization, the master Z yW A LL sends the following information to the backup Z yWALL. • Startup configuration file ( startup-config.conf ) •[...]

  • Page 370

    Chapter 26 Device HA ZyWALL 110/310/1100 Series User’s Guide 370 • The backup Z yWA LL cannot be the master . This refers to the actual role at the time of synchronization, not the role se tting in the configu ration screen.[...]

  • Page 371

    ZyWALL 110/310/1100 Se ries User’s Guide 371 C HAPTER 27 User/Group 27.1 Overview This chapter describes how to set up user account s, user groups, and use r settings for the ZyW ALL. Y ou can also set up rules that control when users have to log in to the ZyW ALL before the ZyW ALL routes traffic for them . 27.1.1 What Y ou Can Do in this Chapte[...]

  • Page 372

    Chapter 27 User/Group ZyWALL 110/310/1100 Series User’s Guide 372 Note: The de fa ult admin account i s always auth en ticated loc a lly , reg ardless of the authentication method setting. (See Chapt er 32 on page 409 for more information about authentication methods.) Ext-User Account s Set up an ext- user account if the user is authenticated by[...]

  • Page 373

    Chapter 27 User/Group ZyWALL 110/310/1100 Se ries User’s Guide 373 User A wareness By default, users do not ha ve to log into the Z y WALL to use the network services it provides. The Z yWALL automatically routes packets for everyone. If you want to restrict network services that certain users can use via the Z yWALL, you can require them to log [...]

  • Page 374

    Chapter 27 User/Group ZyWALL 110/310/1100 Series User’s Guide 374 27.2.1 User Add/Edit Screen The User Add/ Edit screen allows you to create a new user account or edit an existing one. 27.2.1.1 Rules for User Names Enter a user name from 1 to 31 char acters. The user name can only contain the following ch aracters: • Alphanum eric A-z 0-9 (ther[...]

  • Page 375

    Chapter 27 User/Group ZyWALL 110/310/1100 Se ries User’s Guide 375 Figure 243 Configuration > User/Group > User > Add The following table describes the labels in this screen. T a ble 134 Configuration > User/Group > User > Add LABEL DESCRIPTION User Name T ype the user name fo r this user account. Y ou may us e 1-31 alphanumer i[...]

  • Page 376

    Chapter 27 User/Group ZyWALL 110/310/1100 Series User’s Guide 376 27.3 User Group Summary Screen User groups consist of access users and other user groups. Y ou cannot put admin users in user groups. The Grou p screen provides a summary of all user groups. In addition, this screen allows you to add, edit, and remove user groups. T o a ccess this [...]

  • Page 377

    Chapter 27 User/Group ZyWALL 110/310/1100 Se ries User’s Guide 377 27.3.1 Group Add/Edit Screen The Group Add/Edit screen allows y ou to create a new user group or edit an existing one. T o access this screen, go to the Group screen (see Section 27.3 on page 376 ), and click either the Add icon or an Edit icon. Figure 245 Configuration > User/[...]

  • Page 378

    Chapter 27 User/Group ZyWALL 110/310/1100 Series User’s Guide 378 27.4 The User/Group Setting Screen The Setting screen controls default settings, login se ttings, lockout settings, and other user settings for the Z yWALL. Y ou can also use this screen to specify when users must log in to the Z yWALL before it routes traffic for them. T o access [...]

  • Page 379

    Chapter 27 User/Group ZyWALL 110/310/1100 Se ries User’s Guide 379 # This field is a sequential value, and it is not as so ciated with a spec ific entry . User T ype These are the kinds of us er account the Z yWALL su pports. • admin - this user can look at and ch ange the configuration of the Zy WA L L • limited -admin - this user ca n look [...]

  • Page 380

    Chapter 27 User/Group ZyWALL 110/310/1100 Series User’s Guide 380 27.4.1 Default User Authenticati on T imeout Settings Edit Screens The Default Authentication Timeout Settings Edit screen allows you to set the default authentication timeout settings for the selected ty pe of user account. These default authentication timeout settings also contro[...]

  • Page 381

    Chapter 27 User/Group ZyWALL 110/310/1100 Se ries User’s Guide 381 The following table describes the labels in this screen. 27.4.2 User A ware Login Example Access users cannot use the W eb Configurator to br owse the configuration of the Z yWALL. Instead, after access users log into the Z yWALL, the following screen appears. Figure 248 W eb C on[...]

  • Page 382

    Chapter 27 User/Group ZyWALL 110/310/1100 Series User’s Guide 382 The following table describes the labels in this screen. 27.5 User /Group T echnical Reference This section provides some information on users wh o use an external authentication server in order to log in. Setting up User Attributes in an External Server T o set up user attributes,[...]

  • Page 383

    Chapter 27 User/Group ZyWALL 110/310/1100 Se ries User’s Guide 383 Creating a Large Number of Ext-User Account s If you plan to create a large number of Ext-User accounts, you might use CLI commands, instead of the W eb Configurator , to create the accounts. Extr act the user names from the LDAP or RADIUS server , and create a shell script that c[...]

  • Page 384

    ZyWALL 110/310/1100 Se ries User’s Guide 384 C HAPTER 28 Addresses 28.1 Overview Address objects can represent a single IP address or a range of IP addre sses. Address groups are composed of address objects and other address groups. 28.1.1 What Y ou Can Do in this Chapter •T h e Address screen ( Section 28.2 on page 384 ) provides a summary of [...]

  • Page 385

    Chapter 28 Addresses ZyWALL 110/310/1100 Se ries User’s Guide 385 Figure 251 Configuration > Object > Address > Address The following table describes the labels in this screen. See Section 28.2.1 on page 386 for more information as well. T a ble 141 Configur ation > Object > Address > Address LABEL DESCRIPTION IPv4 Address Confi[...]

  • Page 386

    Chapter 28 Addresses ZyWALL 110/310/1100 Series User’s Guide 386 28.2.1 IPv4 Address Add/Edit Scre en The Configuration > IPv4 Address Add/Edit screen allows you to create a new address or edit an existing one. T o access this screen, go to the Address screen (see Section 28.2 on page 384 ), and click either the Ad d icon or an Edit icon in th[...]

  • Page 387

    Chapter 28 Addresses ZyWALL 110/310/1100 Se ries User’s Guide 387 28.2.2 IPv6 Address Add/Edit Scre en The Configuration > IPv6 Address Add/Edit screen allows you to create a new address or edit an existing one. T o access this screen, go to the Address screen (see Section 28.2 on page 384 ), and click either the Ad d icon or an Edit icon in t[...]

  • Page 388

    Chapter 28 Addresses ZyWALL 110/310/1100 Series User’s Guide 388 28.3 Address Group Summary Screen The Address Group screen provides a summary of all address groups. T o access this screen, click Configuration > Object > Address > Address Group . Click a column’ s heading cell to sort the table entries by that column’ s criteria. Cli[...]

  • Page 389

    Chapter 28 Addresses ZyWALL 110/310/1100 Se ries User’s Guide 389 28.3.1 Address Group Add/Edit Screen The Address Group Add/Edit screen allows you to create a new address group or edit an existing one. T o access this screen, go to the Address Group screen (see Section 28.3 on page 388 ), and click either the Add icon or an Edit icon in the IPv4[...]

  • Page 390

    ZyWALL 110/310/1100 Se ries User’s Guide 390 C HAPTER 29 Services 29.1 Overview Use service objects to define TCP applications, UD P applications, and ICMP messages. Y ou can also create service groups to refer to mult iple service objects in other features. 29.1.1 What Y ou Can Do in this Chapter •U s e t h e Service screens ( Section 29.2 on [...]

  • Page 391

    Chapter 29 Services ZyWALL 110/310/1100 Se ries User’s Guide 391 Service Object s and Service Group s Use service objects to define IP protocols. • TCP applications • UDP applications • ICMP messages • user-defined services (for other types of IP protocols) These objects are used in policy routes, firewall rules. Use service groups when y[...]

  • Page 392

    Chapter 29 Services ZyWALL 110/310/1100 Series User’s Guide 392 The following table describes the labels in this screen. 29.2.1 The Service Add/Edit Screen The Se rvice Add/Edit screen allows y ou to create a new service or edit an existing one. T o access this screen, go to the Service screen (see Section 29.2 on page 391 ), and click either the[...]

  • Page 393

    Chapter 29 Services ZyWALL 110/310/1100 Se ries User’s Guide 393 29.3 The Service Group Summary Screen The Service Group summary screen provides a summary of all service groups. In addition, this screen allows you to add, edit, and remove service groups. T o acce ss this screen, log in to the W eb Configur ator , and click Configuration > Obje[...]

  • Page 394

    Chapter 29 Services ZyWALL 110/310/1100 Series User’s Guide 394 29.3.1 The Service Group Add/Edit Screen The Service Group Add/Edit screen allows you to create a new service group or edit an existing one. T o access this screen, go to the Service Group screen (see Section 29.3 on page 393 ), and click either the Add icon or an Edit icon. Figure 2[...]

  • Page 395

    Chapter 29 Services ZyWALL 110/310/1100 Se ries User’s Guide 395 Member List The Member list displays the names of the servic e and service group objects that have been added to the service group. The order of members is not important. Select items from th e Available list that you want to be members and m ove them to the Member list. Y ou can do[...]

  • Page 396

    ZyWALL 110/310/1100 Se ries User’s Guide 396 C HAPTER 30 Schedules 30.1 Overview Use schedules to set up one-time and recurring schedules for policy routes, firewall rules. The Z yWALL supports one-time and recurring schedules. One-time schedules are effective only on ce, while recurring schedules usually repeat. Both types of schedules are based[...]

  • Page 397

    Chapter 30 Schedules ZyWALL 110/310/1100 Se ries User’s Guide 397 30.2 The Schedule Summary Screen The Schedule summary screen prov ides a summary o f all schedules in the Z yWALL. T o access this screen, click Configuration > Object > Schedule . Figure 260 Configuration > Object > Schedule The following table describes the labels in [...]

  • Page 398

    Chapter 30 Schedules ZyWALL 110/310/1100 Series User’s Guide 398 30.2.1 The One-T ime Schedule Add/Edit Screen The One-Time Schedule Add/Edit screen allows you to define a one-time schedule or edit an existing one. T o ac cess this screen, go to the Schedule screen (see Section 30.2 on page 397 ), and click either the Add icon or an Edit icon in [...]

  • Page 399

    Chapter 30 Schedules ZyWALL 110/310/1100 Se ries User’s Guide 399 30.2.2 The Recurring Sc hedule Add/Edit Screen The Recurring Sche dule Add/Edit screen allows you to define a recurring schedule or edit an existing one. T o ac cess this screen, go to the Schedule screen (see Section 30.2 on page 397 ), and click either the Add icon or an Edit ico[...]

  • Page 400

    ZyWALL 110/310/1100 Se ries User’s Guide 400 C HAPTER 31 AAA Server 31.1 Overview Y ou can use a AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The AAA server can be a Active Directory , LDAP , or RADIUS serv er . Use the AAA Server screens to cre ate and manage objects that contain settings for [...]

  • Page 401

    Chapter 31 AA A Server ZyWALL 110/310/1100 Se ries User’s Guide 401 Figure 264 RADIUS Server Network Example 31.1.3 ASAS ASAS (Authenex Strong Au thentication System) is a RADIUS server that works with the One- Time Password (O TP) feature. Purchase a Z yW ALL O TP pack age in order to use this feature. The package contains server softw are and p[...]

  • Page 402

    Chapter 31 AAA Server ZyWALL 110/310/1100 Series User’s Guide 402 • Directory Service (LDAP/AD) LDAP (Lightweight Directory Access Protocol)/AD (Act ive Directory) is a directory service that is both a directory and a protocol for controlling access to a network. The directory consists of a database specialized for fast information retriev al a[...]

  • Page 403

    Chapter 31 AA A Server ZyWALL 110/310/1100 Se ries User’s Guide 403 Bind DN A bind DN is used to authenticate with an LDAP/AD serv er . For example a bind DN of cn=zywallAdmin allows the Z yWALL to log into the LDAP/AD server using the user name of zywallAdmin . The bind DN is used in conjunction with a bind password. When a bind DN is not specif[...]

  • Page 404

    Chapter 31 AAA Server ZyWALL 110/310/1100 Series User’s Guide 404 Figure 267 Configuration > Object > AAA Serv er > Active Dire ctory (or LDAP) > Add The following table describes the labels in this screen. T a ble 154 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add LABEL DESCRIPTION Name Enter a des[...]

  • Page 405

    Chapter 31 AA A Server ZyWALL 110/310/1100 Se ries User’s Guide 405 Base DN Specify the directory (up to 127 al phanumerical characters) . For example, o=ZyXEL, c=US . This is only for LDAP . Use SSL Select Us e SSL to establish a secure connec tion to the AD or LDAP server(s). Search time limit Specify the timeout period (between 1 and 300 s eco[...]

  • Page 406

    Chapter 31 AAA Server ZyWALL 110/310/1100 Series User’s Guide 406 31.3 RADIUS Server Summary Use the RADIUS screen to manage the list of RADIUS servers the Z yWALL can use in authenticating users. Click Configuration > Object > AAA Server > RADIUS to display th e RADIUS screen. Figure 268 Configuration > Object > AAA Server > RA[...]

  • Page 407

    Chapter 31 AA A Server ZyWALL 110/310/1100 Se ries User’s Guide 407 Figure 269 Configuration > Object > AAA Server > RA DIUS > Add The following table describes the labels in this screen. T a ble 156 Configur ation > Object > AAA Server > RADIUS > Add LABEL DESCRIPTION Name Enter a descriptive name (up to 63 alphanum erica[...]

  • Page 408

    Chapter 31 AAA Server ZyWALL 110/310/1100 Series User’s Guide 408 Group Membership Attribu te A RADIUS server defines attributes for its accounts. S elect the name and num ber of the attribute that the Z yWALL is t o check to dete rmine to which group a user belongs. If it does not display , select user-defined and spe cify th e attribute’s num[...]

  • Page 409

    ZyWALL 110/310/1100 Se ries User’s Guide 409 C HAPTER 32 Authentication Method 32.1 Overview Authentication method objects set how the Z yWALL authenticates wireless, HT TP/HTTPS clients, and peer IPSec routers (extended authentication) c lients. Configure authentication method objects to have the ZyW ALL use the local user database, and/or the a[...]

  • Page 410

    Chapter 32 Authenticatio n Me th od ZyWALL 110/310/1100 Series User’s Guide 410 Figure 270 Example: Using Authentication Method in VPN 32.2 Authentication Method Object s Click Configuration > Object > A uth. Method to display the screen as shown. Note: Y ou can create up to 16 authentication method objects. Figure 271 Configuration > Ob[...]

  • Page 411

    Chapter 32 Authentication Method ZyWALL 110/310/1100 Se ries User’s Guide 41 1 2 Click Add . 3 Specify a descriptive name for identification purposes in the Name field. Y ou may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number . This value is case-sensitiv e. For example, “My_Device” [...]

  • Page 412

    Chapter 32 Authenticatio n Me th od ZyWALL 110/310/1100 Series User’s Guide 412 Move T o change a method’s position in the numbered lis t, select the method an d click Move to display a field to type a number for where yo u want to put it and press [ENTER] to move the rule to th e nu mber that you typed. The ordering of your me thods is importa[...]

  • Page 413

    ZyWALL 110/310/1100 Se ries User’s Guide 413 C HAPTER 33 Certificates 33.1 Overview The Z yWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate co ntains the certificate owner’s identity and public key . Certificates provide a wa y to exchange public keys fo[...]

  • Page 414

    Chapter 33 Certificat es ZyWALL 110/310/1100 Series User’s Guide 414 5 Additionally , Jenny uses her own private k ey to sign a message and Tim uses Jenny’ s public key to verify the message. The Z yWALL uses certificates based on public-k ey cryptology to authenticate users attempting to establish a connection, not to encrypt the data th at y [...]

  • Page 415

    Chapter 33 Certificates ZyWALL 110/310/1100 Se ries User’s Guide 415 • Binary PKCS#12: This is a format for tr ansferring public key and private k ey certificates. The private k ey in a PKCS #12 file is within a passw ord-encrypted envelope. The file’ s password is not connected to your certificate’ s public or private passwor ds. Exporting[...]

  • Page 416

    Chapter 33 Certificat es ZyWALL 110/310/1100 Series User’s Guide 416 Figure 274 Certificate Details 4 Use a secure method to v erify that the cert ificate owner has the sa me information in the Thumbprin t Algorith m and Thumbprint fields. The se c ure metho d may very based on yo ur situation. Possible examples would be over th e telephone or th[...]

  • Page 417

    Chapter 33 Certificates ZyWALL 110/310/1100 Se ries User’s Guide 417 The following table describes the labels in this screen. 33.2.1 The My Certificates Add Screen Click Configuration > Object > Certifi cate > My Certificates and then the Add icon to open the My Certificates Add screen. Use this screen to have the Z yWALL create a self-s[...]

  • Page 418

    Chapter 33 Certificat es ZyWALL 110/310/1100 Series User’s Guide 418 Figure 276 Configuration > Object > Certificate > My Certificates > Add The following table describes the labels in this screen. T a ble 160 Configuration > Object > Certificate > My Certificates > Add LABEL DESCRIPTION Name T ype a name to identify this [...]

  • Page 419

    Chapter 33 Certificates ZyWALL 110/310/1100 Se ries User’s Guide 419 If you configured the My Certificate Create screen to have the Z yW ALL enroll a certificate and the certificate enrollment is not successful, you see a screen with a Return button that takes you back to the My Certificate Create screen. Click Return and check your information i[...]

  • Page 420

    Chapter 33 Certificat es ZyWALL 110/310/1100 Series User’s Guide 420 Figure 277 Configuration > Object > Certificate > My Certificates > Edit The following table describes the labels in this screen. T a ble 161 Configuration > Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Name This field dis plays the ide[...]

  • Page 421

    Chapter 33 Certificates ZyWALL 110/310/1100 Se ries User’s Guide 421 Certifi cate Information These read-only fields display detail ed information about the certific ate. T ype This fiel d displays general info rmation abou t the certifi cate. CA-signed means tha t a Certification Autho rity signed the certi ficate. Self -signed means that the ce[...]

  • Page 422

    Chapter 33 Certificat es ZyWALL 110/310/1100 Series User’s Guide 422 33.2.3 The My Certif icates Import Screen Click Configuration > Object > Certifi cate > My Certificates > Import to open the My Certificate Impor t screen. F ollow the instructions in this screen to save an existing certificate to the Z y WALL. Note: Y ou can import [...]

  • Page 423

    Chapter 33 Certificates ZyWALL 110/310/1100 Se ries User’s Guide 423 The following table describes the labels in this screen. 33.3 The T rusted Cert ificates Screen Click Configuration > Object > Certifi cate > Trusted Certificates to open the Trusted Certificates screen. This screen displays a summary list of certificates that you ha ve[...]

  • Page 424

    Chapter 33 Certificat es ZyWALL 110/310/1100 Series User’s Guide 424 33.3.1 The T rusted Ce rtificates Edit Screen Click Configuration > Object > Cert ific ate > Tru sted C ertif ic ates and then a certificate’ s Edit icon to open the Trusted Certificates Edit screen. Use this screen to view in-depth information about the certificate, [...]

  • Page 425

    Chapter 33 Certificates ZyWALL 110/310/1100 Se ries User’s Guide 425 Figure 280 Configuration > Object > Certificate > T rusted Certificates > Edit[...]

  • Page 426

    Chapter 33 Certificat es ZyWALL 110/310/1100 Series User’s Guide 426 The following table describes the labels in this screen. T a ble 164 Configuration > Object > Certificate > T rusted Certificate s > Edit LABEL DESCRIPTION Name This field displays the identifyi ng name of this certific ate. Y ou can change the name. Y ou can use up [...]

  • Page 427

    Chapter 33 Certificates ZyWALL 110/310/1100 Se ries User’s Guide 427 33.3.2 The T rusted Cert ificates Import Screen Click Configuration > Object > Certificat e > Trusted Certificates > Import to open the Trusted Certificates Import screen. F ollow the instructions in this screen to sav e a trusted certificate to the Z yWALL. Issuer T[...]

  • Page 428

    Chapter 33 Certificat es ZyWALL 110/310/1100 Series User’s Guide 428 Note: Y ou mus t remove any spaces from t he certificat e’ s filename before you can im port the certificate. Figure 281 Configuration > Object > Certificate > T rusted Certificates > Import The following table describes the labels in this screen. 33.4 Certificates[...]

  • Page 429

    ZyWALL 110/310/1100 Se ries User’s Guide 429 C HAPTER 34 ISP Accounts 34.1 Overview Use ISP accounts to manage Internet Service Prov ider (ISP) account info rmation for PPPoE/PPTP interfaces. An ISP account is a profile of se ttings for Internet access using PPP oE or PPTP . Finding Out More •S e e Section 7.4 on page 125 for information about [...]

  • Page 430

    Chapter 34 ISP Accounts ZyWALL 110/310/1100 Series User’s Guide 430 34.2.1 ISP Account Edit The ISP Account Edit screen lets y ou add information about new accounts and edit information about existing accounts. T o open this window, open the ISP Account screen. (See Section 34.2 on page 429 .) Then, click on an Add icon or Ed it icon to open the [...]

  • Page 431

    Chapter 34 ISP Accounts ZyWALL 110/310/1100 Se ries User’s Guide 431 Authentica tion Ty p e Use the drop-down list box to select an authe n tication protocol for outgo ing calls. Options are: CHAP/PAP - Y our ZyW ALL accepts either CHAP or PAP when requested by this remote node. Chap - Y our ZyW ALL accepts CHAP only . PAP - Y our ZyW ALL accepts[...]

  • Page 432

    ZyWALL 110/310/1100 Se ries User’s Guide 432 C HAPTER 35 SSL Application 35.1 Overview Y ou use SSL application objects in SSL VPN. Configur e an S SL application object to specify the type of application and the address of the local computer , server , or web site SSL users are to be able to access. Y ou can apply one or more SSL application obj[...]

  • Page 433

    Chapter 35 SSL Application ZyWALL 110/310/1100 Se ries User’s Guide 433 The LAN computer to be managed m ust have VNC (Virtual Network Com puting) or RDP (R emote Desktop Protocol) server software in stalled. The remote user’s computer does not use VNC or RDP client software. The Z yWALL works with the fo llowing remote desktop connection softw[...]

  • Page 434

    Chapter 35 SSL Application ZyWALL 110/310/1100 Series User’s Guide 434 Figure 285 Example: SSL Application: Specifying a W eb Site for Access 35.2 The SSL Application Screen The main SSL Application screen displays a list of the configured SSL application objects. Click Configuration > Object > SSL Application in the navigation panel. Figur[...]

  • Page 435

    Chapter 35 SSL Application ZyWALL 110/310/1100 Se ries User’s Guide 435 35.2.1 Creating/Editing an SSL Application Object Y ou can create a web-based application that allows remote users to access an application via standard web browsers. Y ou can also create a file sharing application that specify the name of a folder on a file server (Linux or [...]

  • Page 436

    Chapter 35 SSL Application ZyWALL 110/310/1100 Series User’s Guide 436 Figure 288 Configuration > Object > S SL Application > Add/Edit: File Sharing The following table describes the labels in this screen. T a ble 169 Configuration > Object > SSL App lic ation > Add/Edit: Web Application LABEL DESCRIPTION Create n ew Object Use [...]

  • Page 437

    Chapter 35 SSL Application ZyWALL 110/310/1100 Se ries User’s Guide 437 Preview This fi eld only appears when yo u choose Web Application as the object type. This field displays if the Server Type is set to Web Server , OWA or W eblink . Click Preview to access the URL you specifie d in a new IE web browser . Entry P oint This field only appe ars[...]

  • Page 438

    ZyWALL 110/310/1100 Se ries User’s Guide 438 C HAPTER 36 DHCPv6 36.1 Overview This chapter describes how to configure DHCP v6 request type and lease type objects. 36.1.1 What Y ou Can Do in this Chapter •T h e Request screen (see Section 27.2 on page 373 ) allows you to configure DHCPv6 request type objects. •T h e Le ase screen (see Section [...]

  • Page 439

    Chapter 36 DHCPv6 ZyWALL 110/310/1100 Se ries User’s Guide 439 36.2.1 DHCPv6 Request Add/Edit Screen The Request Add/Edit screen allows you to create a new request object or edit an existing one. T o access this screen, go to the Request screen (see Section 27.2 on page 373 ), and click either the Add icon or an Edit icon. Figure 290 Configuratio[...]

  • Page 440

    Chapter 36 DHCPv6 ZyWALL 110/310/1100 Series User’s Guide 440 Figure 291 Configuration > Object > DHCPv6 > Lease The following table describes the labels in this screen. 36.3.1 DHCPv6 Lease Add/Edit Screen The Lease Add/Ed it screen allows you to create a new lease object or edit an existing one. T o access this screen, go to the Lease s[...]

  • Page 441

    Chapter 36 DHCPv6 ZyWALL 110/310/1100 Se ries User’s Guide 441 The following table describes the labels in this screen. T a ble 173 Configuration > DH CP v6 > Lease > Add LABEL DESCRIPTION Name T ype the name for this lease object. Yo u m a y u s e 1 - 3 1 a l p h anumeric characters, underscores( _ ), or dashe s (-), but the fi rst char[...]

  • Page 442

    Chapter 36 DHCPv6 ZyWALL 110/310/1100 Series User’s Guide 442[...]

  • Page 443

    ZyWALL 110/310/1100 Se ries User’s Guide 443 C HAPTER 37 System 37.1 Overview Use the system screens to configure general Z yWALL settings. 37.1.1 What Y ou Can Do in this Chapter •U s e t h e System > Host Name screen (see Section 37.2 on page 444 ) to configure a unique name for the Z yWALL in you r network. •U s e t h e System > USB [...]

  • Page 444

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 444 37.2 Host Name A host name is the unique name by which a device is k nown on a network. Click Configuration > System > Host Name to open the Host Name screen. Figure 293 Configuration > System > Host Name The following table describes the labels in this screen. 37.3 USB S t[...]

  • Page 445

    Chapter 37 Sys tem ZyWALL 110/310/1100 Se ries User’s Guide 445 Figure 294 Configuration > System > USB Storage The following table describes the labels in this screen. 37.4 Date and T i me For effectiv e scheduling and logging, the Z yWALL system time must be accur ate. The ZyW ALL’ s Real Time Chip (RT C) keeps track of the time and dat[...]

  • Page 446

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 446 Figure 295 Configuration > System > Date and Time The following table describes the labels in this screen. T a ble 176 Configuration > System > Date and Time LABEL DESCRIPTION Current Time and Date Current Time This field displays the present time of your Z yWALL. Current D[...]

  • Page 447

    Chapter 37 Sys tem ZyWALL 110/310/1100 Se ries User’s Guide 447 Get from Time Serve r Select this radio button to have th e Z yWALL get the t ime and dat e from the ti me serv er you specify below . The ZyWALL requests time and date settings from the time serv er under the following circumstances. • When the ZyW ALL starts up. • When you clic[...]

  • Page 448

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 448 37.4.1 Pre-define d NTP Time Serv ers List When you turn on the Z yWALL for the first time, the date and time start at 2003-01-01 00:00:00. The Z yWALL then attempts to synchronize with one of the following pre-defined list of Network Time Protocol (NTP) time servers. The Z yWALL conti[...]

  • Page 449

    Chapter 37 Sys tem ZyWALL 110/310/1100 Se ries User’s Guide 449 7 Click Apply . T o get the ZyW ALL date and time from a time serv er 1 Click System > Date/Time . 2 Select Get from T ime Server under Time and Date Setup . 3 Under Time Zone Setup , select y our Time Zone from the list. 4 As an option you can select the Enable Daylight Saving ch[...]

  • Page 450

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 450 37.6 DNS Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, y ou must know the IP address of a machine before you can access it. 37.6.1 DNS Server Address Assignment Th[...]

  • Page 451

    Chapter 37 Sys tem ZyWALL 110/310/1100 Se ries User’s Guide 451 The following table describes the labels in this screen. T a ble 179 Configuration > System > DNS LABEL DESCRIPTION Address/PTR Rec or d This record spe cifies the ma ppin g of a Full y-Qualified Domai n Name (FQDN) to an IP address. An FQDN consists of a host and domain name. [...]

  • Page 452

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 452 37.6.3 Address Record An address record contains the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and doma in name. F or example, www.zyxel.com is a fully qualified domain name, where “www” is the host, “z yxel” is the second-leve[...]

  • Page 453

    Chapter 37 Sys tem ZyWALL 110/310/1100 Se ries User’s Guide 453 37.6.5 Adding an Address/PTR Record Click the Add icon in the Address/PTR Record table to add an address/ PTR record. Figure 299 Configuration > System > DNS > Address/PTR R ecord Edit The following table describes the labels in this screen. 37.6.6 Domain Zone Forwarder A do[...]

  • Page 454

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 454 Figure 300 Configuration > System > DNS > Domain Z one Forw arder Add The following table describes the labels in this screen. 37.6.8 MX Record A MX (Mail eXchange) record indicates which host is responsible for the mail for a particular domain, that is, controls where mail is[...]

  • Page 455

    Chapter 37 Sys tem ZyWALL 110/310/1100 Se ries User’s Guide 455 Figure 301 Configuration > System > DNS > MX R ecord Add The following table describes the labels in this screen. 37.6.10 Adding a DN S Service Control Rule Click the Add icon in the Service Contro l table to add a service control rule. Figure 302 Configuration > System &[...]

  • Page 456

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 456 37.7 WWW Overview The following figure shows secure and insecure management of the Z yWALL coming in from the W AN. HTTPS and S SH access are se cure. HTTP and T elnet access are not secure. Note: T o allow the Z yWALL to be accessed fr om a specified computer using a service, make sur[...]

  • Page 457

    Chapter 37 Sys tem ZyWALL 110/310/1100 Se ries User’s Guide 457 It relies upon certificates, public keys, and priv ate keys (see Chapter 33 on page 413 for more information). HT TPS on the Z yWALL is u sed so that you can securely access the Z yWALL using the W eb Configurator . The SSL protocol specifies that the HT TPS server (the Z yWALL) must[...]

  • Page 458

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 458 Figure 304 Configuration > System > WWW > Service Control The following table describes the labels in this screen. T a ble 184 Configuration > System > WWW > Service Control LABEL DESCRIPTION HT TPS Enable Select the check box to al low or disallow the comp uter with [...]

  • Page 459

    Chapter 37 Sys tem ZyWALL 110/310/1100 Se ries User’s Guide 459 Authenticate Cl ient Certifi cates Select Authenticate Cl ie nt Certificates (optional) to require the SSL client to authenticate it se lf to the Z yWALL by se n din g th e Z yWALL a certi fic ate . T o do that the SSL client must have a CA-signed certi f icat e from a CA that has be[...]

  • Page 460

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 460 37.7.5 Service Control Rules Click Add or Edit in the Service Cont rol table in a WWW , SSH , Telnet , FTP or SNMP screen to add a service control rule. Figure 305 Configuration > System > Service Control Rule > Edit Edit Double-click an ent ry or select it and click Edit to b[...]

  • Page 461

    Chapter 37 Sys tem ZyWALL 110/310/1100 Se ries User’s Guide 461 The following table describes the labels in this screen. 37.7.6 Customizing the WWW Login Page Click Configuration > System > WWW > Login Page to open the Login Page screen. Use this screen to customize the W eb Configurator login screen. Y ou can also customize the page tha[...]

  • Page 462

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 462 Figure 306 Configuration > System > WWW > Login Page The following figures identify the parts you can customize in the login and access pages.[...]

  • Page 463

    Chapter 37 Sys tem ZyWALL 110/310/1100 Se ries User’s Guide 463 Figure 307 Login Page Customization Figure 308 Access Page Customization Y ou can specify colors in one of the following ways: • Click Color to display a screen of web-safe colors from which to choose. • Enter the name of the desired color . Logo Ti t l e Message Note Message Bac[...]

  • Page 464

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 464 • Enter a pound sign (#) followed by the six -d igit hexadecimal number th at represents the desired color . For example, use “#000000” for black. • Enter “rgb” followed by red , green, and blue va lues in parenthesis and separate by commas. F or example, use “rgb(0,0,0)?[...]

  • Page 465

    Chapter 37 Sys tem ZyWALL 110/310/1100 Se ries User’s Guide 465 37.7.7 HTTPS Example If you haven’t changed the default HT TPS port on the ZyW ALL, then in your browser enter “https:// Z yWALL IP Address/” as the web site address where “Z yWALL IP Address” is the IP address or domain name of the ZyW ALL you wish to access. 37.7.7.1 Inte[...]

  • Page 466

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 466 Figure 310 Security Certificate 1 (Firefox) Figure 311 Security Certificate 2 (Firefox) 37.7.7.3 A voiding Browser W arning Messages Here are the main reasons your browser displa ys warnings about the Z yWALL’ s HTTPS server certificate and what you can do to av oid seeing the warnin[...]

  • Page 467

    Chapter 37 Sys tem ZyWALL 110/310/1100 Se ries User’s Guide 467 Figure 312 Login Screen (Internet Explorer) 37.7.7.5 Enrolling and Impor ting SSL Client Certifica tes The SSL client needs a certificate if Authenticate Client Certificates is selected on the Z y WALL. Y ou must have imported at least one trusted CA to the Z yWALL in order for the A[...]

  • Page 468

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 468 Figure 314 CA Certificate Example 2 Click Install Certificate and follow the wizard as shown earlier in this appendix. 37.7.7.5.2 Installing Y our Personal Certificate(s) Y ou need a password in advance. The CA may issu e the password or you may have to specify it during the enrollment[...]

  • Page 469

    Chapter 37 Sys tem ZyWALL 110/310/1100 Se ries User’s Guide 469 Figure 315 Personal Certificate Import Wizard 1 2 The file name and path of the certificate you do uble-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 316 Personal Certificate Import Wizard 2 3 Enter t[...]

  • Page 470

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 470 Figure 317 Personal Certificate Import Wizard 3 4 Have the wizard determine where the certificate should be sav ed on y our computer or select Place all cert ificates i n the fo llowing st ore and choose a different location. Figure 318 Personal Certificate Import Wizard 4 5 Click Fini[...]

  • Page 471

    Chapter 37 Sys tem ZyWALL 110/310/1100 Se ries User’s Guide 471 Figure 319 Personal Certificate Import Wizard 5 6 Y ou should see the following screen when the certificate is correctly installed on your compu ter . Figure 320 Personal Certificate Import Wizard 6 37.7.7.6 Using a Certificate Wh en Accessing the ZyW ALL Example Use the following pr[...]

  • Page 472

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 472 Figure 322 SSL Client Authentication 3 Y ou next see the W eb Configurator login screen. Figure 323 Secure W eb Configurator Login Screen 37.8 SSH Y ou can use SSH (Secure SHell) to securely access the Z yWALL’ s command line interface. Specify which zones allow SSH access and from w[...]

  • Page 473

    Chapter 37 Sys tem ZyWALL 110/310/1100 Se ries User’s Guide 473 Figure 324 SSH Communication Over the W AN Example 37.8.1 How SSH Works The following figure is an example of how a secure connection is estab lished between two remote hosts using SSH v1. Figure 325 How SSH v1 W orks Example 1 Host Identification The SSH client sends a connection re[...]

  • Page 474

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 474 37.8.2 SSH Implementation on the ZyW ALL Y our Z yW ALL supports SSH versions 1 and 2 using RSA authentication and four encryption methods (AES, 3DES, Archfour , and Blowfish). The SSH server is implemented on the ZyW ALL for management using port 22 (by default). 37.8.3 Requirement s [...]

  • Page 475

    Chapter 37 Sys tem ZyWALL 110/310/1100 Se ries User’s Guide 475 37.8.5 Secure T eln et Using SSH Examples This section shows two examples using a command interface and a gr aphical interface SSH client program to remotely access the Z yWALL. The conf iguration and connection steps are similar for most SSH client programs. R efer to your SSH clien[...]

  • Page 476

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 476 37.8.5.2 Example 2: Linux This section describes how to access the Z yWALL using the OpenSSH client progr am that comes with most Linux distributions. 1 T est whe ther the SSH service is av ailable on the Z yWALL. Enter “ telnet 192.168.1.1 22 ” at a terminal pr ompt and press [ENT[...]

  • Page 477

    Chapter 37 Sys tem ZyWALL 110/310/1100 Se ries User’s Guide 477 Figure 330 Configuration > System > TELNET The following table describes the labels in this screen. T a ble 188 Configuration > System > TELNET LABEL DESCRIPTION Enable Select the check box to allow or disall ow t he computer wit h th e IP address that m a tc hes the IP a[...]

  • Page 478

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 478 37.10 FTP Y ou can upload and download the Z y WALL’ s firmware and configuration files using FTP . T o use this feature, your computer must hav e an FTP client. Please see Chapter 39 on page 499 for more information about firmware and configuration files. 37.10.1 Configuring FTP T o[...]

  • Page 479

    Chapter 37 Sys tem ZyWALL 110/310/1100 Se ries User’s Guide 479 37.1 1 SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices. Y our Z yWALL supports SN MP agent functionality , which allows a manager station to manage and monitor the Z yWALL through the network. The Z yWALL suppor[...]

  • Page 480

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 480 Figure 332 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager . An agent is a management software module that reside s in a managed device (the ZyW A LL). An agent translates the local management information from the managed devi[...]

  • Page 481

    Chapter 37 Sys tem ZyWALL 110/310/1100 Se ries User’s Guide 481 statistical data and monitor status and performa nce. Y ou can download the Z yWALL’ s MIBs from www .zyxel.com. 37.1 1.2 SNMP T rap s The Z yWALL will send traps to the SNMP manager when any one of the following events occurs. 37.1 1.3 Configuring SNMP T o change your Z yWALL’ s[...]

  • Page 482

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 482 Figure 333 Configuration > System > SNMP The following table describes the labels in this screen. T a ble 191 Configuration > System > SNMP LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the I P address that matches the IP address( es) [...]

  • Page 483

    Chapter 37 Sys tem ZyWALL 110/310/1100 Se ries User’s Guide 483 37.12 Language Screen Click Configuration > System > Language to open the following screen. Use th is screen to select a display language for the Z yWALL’ s W eb Configurato r screens. Figure 334 Configuration > S ystem > Language The following table describes the label[...]

  • Page 484

    Chapter 37 System ZyWALL 110/310/1100 Series User’s Guide 484 Figure 335 Configuration > Sy stem > IPv6 The following table describes the labels in this screen. T a ble 193 Configuration > System > IPv6 LABEL DESCRIPTION Enable IPv6 Select this to have the Z yWALL support IPv6 and make IPv6 se ttings be available on the screens that t[...]

  • Page 485

    ZyWALL 110/310/1100 Se ries User’s Guide 485 C HAPTER 38 Log and Report 38.1 Overview Use these screens to configure daily reporting and log settings. 38.1.1 What Y ou Can Do In this Chapter •U s e t h e Email Daily Re port screen ( Section 38.2 on page 485 ) t o configure where and how t o send daily reports and what reports to send. •U s e [...]

  • Page 486

    Chapter 38 Log and Report ZyWALL 110/310/1100 Series User’s Guide 486 Figure 336 Configuration > Log & R eport > Email Daily Report The following table describes the labels in this screen. T a ble 194 Configuration > Log & Report > Email Daily R eport LABEL DESCRIPTION Enable Email Daily Report Select this to send repo rts by [...]

  • Page 487

    Chapter 38 Log and Report ZyWALL 110/310/1100 Se ries User’s Guide 487 38.3 Log Setting Screens The Log Setting screens control log messages and alerts. A log message stores the information for viewing or regular e-mailing later , and an alert is e-mailed immediately . Usually , alerts are used for events that require more serious attention, such[...]

  • Page 488

    Chapter 38 Log and Report ZyWALL 110/310/1100 Series User’s Guide 488 Figure 337 Configuration > Log & Report > Log Setting The following table describes the labels in this screen. T a ble 195 Configuration > Log & Report > Lo g Setting LABEL DESCRIPTION Edit Double-cli ck an entry or select it and click Edit to open a screen [...]

  • Page 489

    Chapter 38 Log and Report ZyWALL 110/310/1100 Se ries User’s Guide 489 38.3.2 Edit System Log Settings The Log Settings Edit screen controls the detailed settings for each log in the system log (which includes the e-mail profiles). Go to the Log Settings Summary screen (see Section 38.3.1 on page 487 ), and click the system log Edit icon. Figure [...]

  • Page 490

    Chapter 38 Log and Report ZyWALL 110/310/1100 Series User’s Guide 490 The following table describes the labels in this screen. T a ble 196 Configur ation > Log & Report > Log Setting > Edit (System Log) LABEL DESCRIPTION E-Mail Server 1/2 Active Select this to send log messages and alerts according to the information in thi s section[...]

  • Page 491

    Chapter 38 Log and Report ZyWALL 110/310/1100 Se ries User’s Guide 491 38.3.3 Edit Log on USB S torage Setting The Edit Log on USB Storage Set ting screen controls the detailed settings for saving logs to a connected USB storage device. Go to the Log Setting Summary screen (see Section 38.3.1 on page 487 ), and click the USB storage Edit icon. E-[...]

  • Page 492

    Chapter 38 Log and Report ZyWALL 110/310/1100 Series User’s Guide 492 Figure 339 Configuration > Log & Repo rt > Log Setting > Edit (USB Stor age)[...]

  • Page 493

    Chapter 38 Log and Report ZyWALL 110/310/1100 Se ries User’s Guide 493 The following table describes the labels in this screen. 38.3.4 Edit Remote Server Log Settings The Log Settings Edit screen controls the detailed settings for each log in the remote server (syslog). Go to the Log Settings Summary screen (see Section 38.3.1 on page 487 ), and [...]

  • Page 494

    Chapter 38 Log and Report ZyWALL 110/310/1100 Series User’s Guide 494 Figure 340 Configuration > Log & Report > Log Setting > Edit (R emote Server)[...]

  • Page 495

    Chapter 38 Log and Report ZyWALL 110/310/1100 Se ries User’s Guide 495 The following table describes the labels in this screen. 38.3.5 Log Category Settings Screen The Log Category Settings screen allows you to view and to edit what information is included in the system log, USB storage, e-mail profiles, and re mote servers at the same time. It d[...]

  • Page 496

    Chapter 38 Log and Report ZyWALL 110/310/1100 Series User’s Guide 496 Figure 341 Log Category Settings This screen provides a different view and a different wa y of indicating which messages are included in each log and each alert. Please see Section 38.3.2 on pag e 489 , where this process is discussed. (The Default category includes debugging m[...]

  • Page 497

    Chapter 38 Log and Report ZyWALL 110/310/1100 Se ries User’s Guide 497 The following table describes the fields in this screen. T a ble 199 Configur ation > Log & Report > Log Setting > Log Category Settings LABEL DESCRIPTION System L og U se the System Log drop-down list to change the log se ttings for all of the log categories. dis[...]

  • Page 498

    Chapter 38 Log and Report ZyWALL 110/310/1100 Series User’s Guide 498 System Log S el ect which events you want to l og by Log Category . There are three choi ces: disable all logs (red X) - do not log any information from this category enable normal logs (green check mark) - create lo g messages and al erts from this category enable normal logs [...]

  • Page 499

    ZyWALL 110/310/1100 Se ries User’s Guide 499 C HAPTER 39 File Manager 39.1 Overview Configuration files define the Z yWALL’ s settings. Shell scripts are files of commands that you can store on the Z yW ALL and run when you need th em. Y ou can apply a configuration file or run a shell script without the Z yW ALL restarting. Y ou can store mult[...]

  • Page 500

    Chapter 39 File Manager ZyWALL 110/310/1100 Series User’s Guide 500 These files have the same syntax, which is also identical to the way y ou run CLI commands manually . An example is shown below . While configuration files and shell scripts have th e same syntax, the Z yWALL applies configuration files differently than it runs shell scripts. Thi[...]

  • Page 501

    Chapter 39 File Manager ZyWALL 110/310/1100 Se ries User’s Guide 501 Line 3 in the following exam ple exits sub command mode. Lines 1 and 3 in the following example are comments and line 4 exits sub command mode. Lines 1 and 2 are comments. Line 5 exits sub command mode. Errors in Configuration Files or Shell Script s When you apply a configur at[...]

  • Page 502

    Chapter 39 File Manager ZyWALL 110/310/1100 Series User’s Guide 502 Configuration File Flow at Rest art • If there is not a startup-config.conf when you restart the Z yWALL (whether through a management interface or by physically turning th e power off and back on), the ZyW ALL uses the system-default.conf configur ation file with the Zy WALL?[...]

  • Page 503

    Chapter 39 File Manager ZyWALL 110/310/1100 Se ries User’s Guide 503 The following table describes the labels in this screen. T a ble 201 Maintenance > File Manager > Configuration File LABEL DESCRIPTION Ren am e Use this button to chan ge the label of a configu ration file on the Z yWALL. Y ou can only rename manually saved configuratio n [...]

  • Page 504

    Chapter 39 File Manager ZyWALL 110/310/1100 Series User’s Guide 504 Apply Use this but ton to have the ZyWALL use a specific co n figuration file. Click a configuration file ’s row to select it and cl ick Apply to have the ZyWALL use that configuration file. The Z yWALL does not have to restart in order to use a different configuration file , a[...]

  • Page 505

    Chapter 39 File Manager ZyWALL 110/310/1100 Se ries User’s Guide 505 39.3 The Firmware Package Screen Click Maintenance > File Manager > Firmware Package to open the Firmware Package screen. Use the Firmware Package screen to check your current firmware v ersion and upload firmware to the Z yWALL. Note: The W eb Configur ator is the recomme[...]

  • Page 506

    Chapter 39 File Manager ZyWALL 110/310/1100 Series User’s Guide 506 Figure 347 Maintenance > File Manager > Firmware P ackage The following table describes the labels in this screen. After you see the Firmware Upload in Process screen, wait tw o minutes before logging into the Z yWALL again. Figure 348 Firmware Upload In Process Note: The Z[...]

  • Page 507

    Chapter 39 File Manager ZyWALL 110/310/1100 Se ries User’s Guide 507 Figure 350 Firmware Upload Error 39.4 The Shell Script Screen Use shell script files to have the Z yWALL use command s that you specify . Use a text editor to create the shell script files. They must use a “.zysh” filename extension. Click Maintenance > File Manager > [...]

  • Page 508

    Chapter 39 File Manager ZyWALL 110/310/1100 Series User’s Guide 508 Each field is described in the following table. T a ble 203 Maintenance > File Manager > Shell Script LABEL DESCRIPTION Ren am e Use this button to change the label of a shell script file on the Z yWALL. Y ou cannot rename a shell scri pt to the name of another shell script[...]

  • Page 509

    Chapter 39 File Manager ZyWALL 110/310/1100 Se ries User’s Guide 509 Upload Shell Script The bottom part of the screen allows you to upload a new or previously saved shell script file from your computer to your Z yWALL. File Pat h T ype in the location of the file you wa nt to upload in this field or click Browse ... to find it. Browse... Click B[...]

  • Page 510

    ZyWALL 110/310/1100 Se ries User’s Guide 510 C HAPTER 40 Diagnostics 40.1 Overview Use the diagnostics screens for troubleshooting. 40.1.1 What Y ou Can Do in this Chapter •U s e t h e Diagnostics screen (see Section 40.2 on page 510 ) to generate a file containin g the Z yWALL’ s configuration and diagnostic information if you need to provid[...]

  • Page 511

    Chapter 40 Diagnostics ZyWALL 110/310/1100 Se ries User’s Guide 51 1 The following table describes the labels in this screen. 40.2.1 The Diagnostics Files Screen Click Maintenance > Diagnostics > Files to open the diagnostic files screen. This screen lists the files of diagnostic information the Z yWALL has co llected and stored in a connec[...]

  • Page 512

    Chapter 40 Diagnostics ZyWALL 110/310/1100 Series User’s Guide 512 40.3 The Packet Capture Screen Use this screen to capture network traffic going throu gh the Z yWALL’ s interfaces. Studying these packet captures may help you identify network problems. Click Maintenance > Diagnostics > Packet Capture to open the packet capture screen. No[...]

  • Page 513

    Chapter 40 Diagnostics ZyWALL 110/310/1100 Se ries User’s Guide 513 The following table describes the labels in this screen. T a ble 206 Maintenance > Diagnostics > P acket Capture LABEL DESCRIPTION Interfaces Enabled interface s (except for virtual in terfaces) appear under Availabl e Interfaces . Select inte rfaces for which to capt ure p[...]

  • Page 514

    Chapter 40 Diagnostics ZyWALL 110/310/1100 Series User’s Guide 514 40.3.1 The Packet Capture Files Screen Click Maintenance > Diagnostics > Packet Capture > File s to open the packet capture files screen. This screen lists the files of packet captures stored on the ZyW ALL or a connected USB storage device. Y ou can download the files to[...]

  • Page 515

    Chapter 40 Diagnostics ZyWALL 110/310/1100 Se ries User’s Guide 515 The following table describes the labels in this screen. 40.4 Core Dump Screen Use the Core Dump screen to have the Z yWALL save a process’ s core dump to an attached USB storage device if the process terminates abnormally (crashes). Y ou may need to send this file to customer [...]

  • Page 516

    Chapter 40 Diagnostics ZyWALL 110/310/1100 Series User’s Guide 516 40.4.1 Core Dump Files Screen Click Maintenance > Diagnostics > Core Dump > Files to open the core dump files screen. This screen lists the core dump files stored on the Z y W ALL or a connected USB stor age device. Y ou may need to send these files to customer support fo[...]

  • Page 517

    Chapter 40 Diagnostics ZyWALL 110/310/1100 Se ries User’s Guide 517 Figure 360 Maintenance > Diagnostics > System Log The following table describes the labels in this screen. T a ble 210 Maintenance > Diagnostics > System Log LABEL DESCRIPTION Rem ov e Select files an d cli ck Remove to delete them from the ZyW ALL. Use the [Shift] an[...]

  • Page 518

    ZyWALL 110/310/1100 Se ries User’s Guide 518 C HAPTER 41 Packet Flow Explore 41.1 Overview Use this to get a clear picture on how the Z yWALL determines where to forward a packet and how to change the source IP address of the packet according to your current settings. This function provides you a summary of all y our routing and SNA T settings an[...]

  • Page 519

    Chapter 41 Packet Flow Explore ZyWALL 110/310/1100 Se ries User’s Guide 519 Figure 361 Maintenance > P acket Flow Explore > Routing Status (Direct R oute) Figure 362 Maintenance > P acket Flow Explore > Routing Status (P olicy Route) Figure 363 Maintenance > P acket Flow Explore > Routing Status (1-1 SNA T) Figure 364 Maintenanc[...]

  • Page 520

    Chapter 41 Packet Flow Exp lore ZyWALL 110/310/1100 Series User’s Guide 520 Figure 365 Maintenance > P acket Flow Explore > Routing Status (Dynamic VPN) Figure 366 Maintenance > P acket Flow Explore > Routing Status (Static -Dynamic R oute) Figure 367 Maintenance > P acket Flow Explore > Routing Status (Defau lt WAN T runk) Figu[...]

  • Page 521

    Chapter 41 Packet Flow Explore ZyWALL 110/310/1100 Se ries User’s Guide 521 The following table describes the labels in this screen. T a ble 211 Maintena nce > Packet Flow Explore > Routing Status LABEL DESCRIPTION Rou ti n g F l ow This section shows you the flow of how the Z yWALL determines wher e to route a pa cket. Click a function box[...]

  • Page 522

    Chapter 41 Packet Flow Exp lore ZyWALL 110/310/1100 Series User’s Guide 522 41.3 The SNA T St atus Screen The SNAT Status screen allows you to view and quickly link to specific source NA T (SNA T) settings. Click a function box in the SNAT Flow section, the related SNA T rules (activ ated) will display in the SNAT Table section. T o access this s[...]

  • Page 523

    Chapter 41 Packet Flow Explore ZyWALL 110/310/1100 Se ries User’s Guide 523 Figure 370 Maintenance > Pack et Flow Expl ore > SNA T Status (1-1 SNA T) Figure 371 Maintenance > P acket Flow Explor e > SNA T Status (Loopback SNA T) Figure 372 Maintenance > P acket Flow Explore > SNA T Status (Default SNA T ) The following table des[...]

  • Page 524

    Chapter 41 Packet Flow Exp lore ZyWALL 110/310/1100 Series User’s Guide 524 Destination This is the original destinat ion IP address(es). Outgoing This is the outgoing interface that the SNA T rule uses to transmit packets. SNA T This is the sou rce IP address(es ) that the SNA T rule uses finally . The following fields are a vailable if you clic[...]

  • Page 525

    ZyWALL 110/310/1100 Se ries User’s Guide 525 C HAPTER 42 Reboot 42.1 Overview Use this to restart the device (for example, if the device begins beha ving erratically). See also Section on page 31 for information on different ways to start an d stop the Z yWALL. 42.1.1 What Y ou Need T o Know If you applied changes in the W eb configurator , these[...]

  • Page 526

    ZyWALL 110/310/1100 Se ries User’s Guide 526 C HAPTER 43 Shutdown 43.1 Overview Use this to shutdown the device in preparation for disconnecting the power . See also Section on page 31 for information on different ways to start and stop the Z yWALL. Always use the Maintenance > Shut down > Shut down screen or the “shut down” command bef[...]

  • Page 527

    ZyWALL 110/310/1100 Se ries User’s Guide 527 C HAPTER 44 Troubleshooting This chapter offers some suggestions to solve problems you might encounter . • Y ou can also refer to the logs (see Chapter 6 on page 100 ). • For the order in which the Z yWALL applies its features and checks, see Chapter 41 on page 518 . None of the LEDs turn on. Make [...]

  • Page 528

    Chapter 44 Troubleshooting ZyWALL 110/310/1100 Series User’s Guide 528 I configured securi ty settings but the Z yWALL i s not applying them for certain interfaces. Many security settings are usually applied to zones. Make su re you assign the interfaces to the appropriate zones. When you create an interface, there is no security applied on it un[...]

  • Page 529

    Chapter 44 Troubleshooting ZyWALL 110/310/1100 Se ries User’s Guide 529 The interface’ s IP address may have changed. T o av oid this create an IP address object based on the interface. This way the Z yW ALL automatically upda tes every rule or setting that u ses the object whenever the interface’ s IP address settings change. For example, if[...]

  • Page 530

    Chapter 44 Troubleshooting ZyWALL 110/310/1100 Series User’s Guide 530 The Z yWALL is deleting some zi pped files. The Z yWALL cannot unzip password protected ZIP files or a ZIP file within another ZIP file. There are also limits to the number of ZIP files that the Z yWA LL can concurrently unzip. The Z yWALL routes and applies SNA T for tr affi [...]

  • Page 531

    Chapter 44 Troubleshooting ZyWALL 110/310/1100 Se ries User’s Guide 531 subnets. See Asymmetrical Routes on page 268 and the chapter about interfaces for more information. I cannot set up an IPSec VPN tunnel to anot her device. If the IPSec tunnel does not build properly , the problem is likely a configuration error at one of the IPSec routers. L[...]

  • Page 532

    Chapter 44 Troubleshooting ZyWALL 110/310/1100 Series User’s Guide 532 • Make sure regular firew all rules allow traffic betw een the VPN tunnel and the rest of the network. R egular firewall rules check packets the Z yWALL sends before the Z yWALL encrypts them and check packets the Z yWALL receives after the Z yWALL decrypts them. This depend[...]

  • Page 533

    Chapter 44 Troubleshooting ZyWALL 110/310/1100 Se ries User’s Guide 533 The default admin account is always authenticated locally , regardless of the authentication method setting. (See Chapter 31 on page 400 for more inform ation about authentication methods.) The Z yWALL fails to authentication the ext -user user accounts I configured. An exter[...]

  • Page 534

    Chapter 44 Troubleshooting ZyWALL 110/310/1100 Series User’s Guide 534 • PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS#7 certificate into a printable form. • Binary PKCS#12: This is a format for tr ansferri ng public key and private key cer[...]

  • Page 535

    Chapter 44 Troubleshooting ZyWALL 110/310/1100 Se ries User’s Guide 535 • Y our configuration files or shell scripts can use “e xit” or a command line consisting of a single “! ” to have the Z yWALL exit sub command mode. •I n c l u d e write commands in your scripts. Otherwise the changes will be lost when the Z yWALL restarts. Y ou [...]

  • Page 536

    Chapter 44 Troubleshooting ZyWALL 110/310/1100 Series User’s Guide 536 If you want to reboot the device withou t changing the current configuration, see Chapter 42 on page 525 . 1 Make sure the SYS LED is on and not blinking. 2 Press the RESET button and hold it until the SYS LED begins to blink. (This usually takes about fiv e seconds.) 3 Releas[...]

  • Page 537

    ZyWALL 110/310/1100 Se ries User’s Guide 537 A PPENDIX A Legal Information Copyright Copyright © 2013 b y ZyXEL Communi cations Corpor ation. Th e co n te n t s o f th i s p u b li ca t i on m ay n ot b e r e p ro d uc e d i n an y pa r t o r as a w ho l e, t ra ns c ri b e d, s to r ed i n a r e tr i ev al s ys t e m, t r anslated into any lang[...]

  • Page 538

    Appendix A Legal Information ZyWALL 110/310/1100 Series User’s Guide 538 T a iwanese BSMI (Bureau of St andards, Metrology and Inspectio n) A W arning: Notices Changes or modific ations not exp ressly approved by the party re sp onsible f or complianc e could vo id the user's au thority to ope r ate the equipment. Cet appareil numériqu e de[...]

  • Page 539

    Appendix A Legal Information ZyWALL 110/310/1100 Se ries User’s Guide 539 • CAUTION: RISK OF EXPLOSION IF BAT TERY (on the mother boar d) IS REPLACED BY AN INCORREC T TYPE. DISPOSE OF USED BA TTERIES ACCORDING TO T HE INSTRUCTIONS. Di spose them at the applicable collec tion point for t he recycling of el ectrical and electronic eq uipment. F o[...]

  • Page 540

    Appendix A Legal Information ZyWALL 110/310/1100 Series User’s Guide 540[...]

  • Page 541

    Index ZyWALL 110/310/1100 Se ries User’s Guide 541 Index Symbols Numbers 3322 Dynamic DNS 215 3DES 306 3G see also cellular 13 2 6in4 tunneling 140 6to4 tunneling 141 A AAA Base DN 40 2 Bind DN 403 , 405 directory structure 402 Distinguished Name, see DN DN 402 , 403 , 405 password 405 port 404 , 407 search time limit 405 SSL 405 AAA server 400 A[...]

  • Page 542

    Index ZyWALL 110/310/1100 Series User’s Guide 542 address record 452 admin user troubleshooting 533 admin users 371 multiple logins 37 9 see also users 37 1 Advanced Encryption Standard, see AES AES 306 AF 197 AH 289 , 310 and transport mode 31 1 alerts 490 , 491 , 493 , 495 , 496 , 497 ALG 233 , 23 8 and firewall 233 , 235 and NA T 233 , 235 and[...]

  • Page 543

    Index ZyWALL 110/310/1100 Se ries User’s Guide 543 signal quality 94 , 95 SIM card 137 status 96 system 94 , 95 troubleshooting 529 certificate troubleshooting 533 Certificate Authority (CA) see certificates Certificate Revocation List (CRL) 414 vs OCSP 428 certificates 413 advantages of 414 and CA 414 and FTP 478 and HT TPS 457 and IKE SA 310 an[...]

  • Page 544

    Index ZyWALL 110/310/1100 Series User’s Guide 544 access user page 461 login page 461 D Data Encryption Standard, see DES date 445 daylight savings 447 DDNS 215 backup mail exchanger 219 mail exchanger 21 9 service providers 215 troubleshooting 530 Dead Peer Detection, see DPD default firewall behavior 265 Default_L2TP_VPN_Connection 346 Default_[...]

  • Page 545

    Index ZyWALL 110/310/1100 Se ries User’s Guide 545 E egress bandwidth 137 , 146 e-mail daily statistics report 48 5 Encapsulating Security Pa yload, see ESP encapsulation and active protocol 31 1 IPSec 289 transport mode 31 1 tunnel mode 31 1 VPN 31 1 encryption IPSec 289 RSA 421 encryption algorithms 306 3DES 306 AES 306 and active protocol 306 [...]

  • Page 546

    Index ZyWALL 110/310/1100 Series User’s Guide 546 and address groups 479 and address objects 479 and certificates 478 and zones 479 signaling port 237 with T ransport Lay er Security (TLS) 478 full tunnel mode 317 , 32 1 Fully-Qualified Domain Name, see FQDN G Generic Ro uting Encapsulation, see GRE. global SSL setting 322 user portal logo 323 GR[...]

  • Page 547

    Index ZyWALL 110/310/1100 Se ries User’s Guide 547 status 72 , 84 , 85 troubleshooting 528 interfaces 103 and DNS servers 174 and HT TP redirect 232 and layer-3 virtualization 104 and NA T 224 and physical ports 104 and policy routes 194 and static routes 197 and VPN gateways 285 and zones 104 as DHCP relays 174 as DHCP servers 174 , 444 backup, [...]

  • Page 548

    Index ZyWALL 110/310/1100 Series User’s Guide 548 and to-Z yWALL firewall 531 authentication algorithms 306 authentication key (manual keys) 312 destination NA T for inbound traffic 313 encapsulation 31 1 encryption algorithms 306 encryption key (manual keys) 312 local policy 310 manual keys 312 NA T for inbound traff ic 312 NA T for outbound tra[...]

  • Page 549

    Index ZyWALL 110/310/1100 Se ries User’s Guide 549 Lightweight Directory Access Protocol, see LDAP load balancing 177 algorithms 178 , 182 , 18 4 DNS inbound 247 least load first 178 round robin 179 see also trunks 17 7 session-oriented 178 spillover 180 weighted round robin 179 local user database 401 log troubleshooting 534 log messages categor[...]

  • Page 550

    Index ZyWALL 110/310/1100 Series User’s Guide 550 port translation, see NA T tra versal 309 NBNS 120 , 157 , 169 , 174 , 321 NetBIOS Broad c ast over I PSec 288 Name Server , see NBNS. NetBIOS Name Server , see NBNS NetMeeting 238 see also H.323 Netscape Navigator 20 network access mode 18 full tunnel 317 Network Address T ranslation, see NA T ne[...]

  • Page 551

    Index ZyWALL 110/310/1100 Se ries User’s Guide 551 PIN code 137 PIN generator 401 pointer record 452 Po int-to-P oint Protocol over Ethernet, see PPP oE. Po int-to-P oint T unneling Protocol, see PPTP policy enforcement in IPSec 289 policy route troubleshooting 528 policy routes 188 actions 189 and address objects 194 and ALG 23 5 , 238 and HT TP[...]

  • Page 552

    Index ZyWALL 110/310/1100 Series User’s Guide 552 FTP , s ee FT P see also service control 456 Te l n e t 476 to-Z yWALL firewall 266 WWW , se e WWW remote network 281 remote user screen links 432 replay detection 288 reports collecting data 87 daily 485 daily e-mail 485 specifications 89 traffic statistics 86 reset 535 vs reboot 525 RESET button[...]

  • Page 553

    Index ZyWALL 110/310/1100 Se ries User’s Guide 553 SHA1 306 shell script troubleshooting 534 shell scripts 499 and users 383 downloading 508 editing 507 how applied 500 managing 507 syntax 500 uploading 509 shutdown 526 signal quality 94 , 95 SIM card 137 Simple Network Management Protocol, see SNMP Simple T rav ersal of UDP through NA T , see ST[...]

  • Page 554

    Index ZyWALL 110/310/1100 Series User’s Guide 554 full tunnel mode 317 network access mode 18 remote desktop connections 432 see also SSL 317 troubleshooting 532 weblink 433 stac compression 431 startup-config.conf 505 and synchronization (device HA) 369 if errors 502 missing at restart 502 present at restart 502 startup-config-bad.conf 502 stati[...]

  • Page 555

    Index ZyWALL 110/310/1100 Se ries User’s Guide 555 management access 534 packet capture 535 policy route 528 PPP 529 RADIUS server 532 routing 530 schedules 533 security settings 52 8 shell scripts 534 SNA T 530 SSL 532 SSL V PN 532 throughput rate 534 VLAN 529 VPN 532 zipped files 529 trunks 104 , 177 and ALG 23 8 and policy routes 177 , 194 mem[...]

  • Page 556

    Index ZyWALL 110/310/1100 Series User’s Guide 556 Guest (type) 371 lease time 376 limited-admin (type) 371 lockout 380 reauthentication time 376 types of 371 user (type) 37 1 user names 374 V Va n t a g e Re p o r t ( V R P T ) 488 , 495 virtual interfaces 104 , 17 0 basic characteristics 104 not DHCP clients 17 2 types of 170 vs asymmetrical rou[...]

  • Page 557

    Index ZyWALL 110/310/1100 Se ries User’s Guide 557 WINS server 120 , 348 Wizard Setup 33 , 43 WWW 457 and address groups 461 and address objects 461 and authentication method objects 460 and certificates 459 and zones 461 see also HTTP , HT TPS 457 Z zipped files troubleshooting 529 zones 21 1 and firewall 265 , 271 and FTP 479 and interfaces 21 [...]

  • Page 558

    Index ZyWALL 110/310/1100 Series User’s Guide 558[...]

  • Page 559

    Index ZyWALL 110/310/1100 Se ries User’s Guide 559[...]

  • Page 560

    Index ZyWALL 110/310/1100 Series User’s Guide 560[...]

  • Page 561

    Index ZyWALL 110/310/1100 Se ries User’s Guide 561[...]

  • Page 562

    Index ZyWALL 110/310/1100 Series User’s Guide 562[...]