ZyXEL Communications 2WE manual

A good user manual

The rules should oblige the seller to give the purchaser an operating instruction for the ZyXEL Communications 2WE, along with the item. The lack of an instruction, or false information given to the customer, constitutes grounds for a complaint on account of nonconformity of the goods with the contract. In accordance with the law, a customer can receive an instruction in non-paper form; lately graphic and electronic forms of manuals, as well as instructional videos, have been widely used. A necessary precondition for this is that the instruction be unmistakable and legible.

What is an instruction?

The term originates from the Latin word "instructio", which means organizing. Therefore, in an instruction for the ZyXEL Communications 2WE one can find a process description. An instruction's purpose is to teach, and to ease the start-up and use of an item or the performance of certain activities. An instruction is a compilation of information about an item or a service; it is a guide.

Unfortunately, only a few customers devote their time to reading the instruction for the ZyXEL Communications 2WE. A good user manual introduces us to a number of additional functionalities of the purchased item, and also helps us avoid most defects.

What should a perfect user manual contain?

First and foremost, a user manual for the ZyXEL Communications 2WE should contain:
- information concerning the technical data of the ZyXEL Communications 2WE
- the name of the manufacturer and the year of construction of the ZyXEL Communications 2WE item
- rules of operation, control and maintenance of the ZyXEL Communications 2WE item
- safety signs and certification marks which confirm compliance with the appropriate standards

Why don't we read the manuals?

Usually it results from a lack of time and of certainty about the functionalities of purchased items. Unfortunately, networking and starting up the ZyXEL Communications 2WE alone are not enough. An instruction contains a number of clues concerning respective functionalities, safety rules, maintenance methods (what means should be used), possible defects of the ZyXEL Communications 2WE, and methods of problem resolution. Eventually, when one still cannot find the answer to a problem, one will be directed to ZyXEL Communications service. Lately animated manuals and instructional videos have become quite popular among customers. These kinds of user manuals are effective; they ensure that a customer will familiarize himself with the whole material and will not skip the complicated, technical information about the ZyXEL Communications 2WE.

Why one should read the manuals?

It is mostly in the manuals that we find the details concerning the construction and capabilities of the ZyXEL Communications 2WE item, the use of its respective accessories, and information concerning all of its functions and facilities.

After a successful purchase of an item, one should find a moment to get to know every part of the instruction. Currently the manuals are carefully prepared and translated, so that they can be fully understood by their users. The manuals will serve as an informational aid.

Table of contents for the manual

  • Page 1

    ZyWALL 2/2WE Internet Security Gateway User’s Guide Version 3.60 March 2003[...]

  • Page 2

    ZyWALL 2 and ZyWALL 2WE ii Copyright Copyright Copyright © 2003 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, [...]

  • Page 3

    ZyWALL 2 and ZyWALL 2WE FCC iii Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: This device may not cause harmful interference. This device must accept any interference received, including interference that may cause undesired op[...]

  • Page 4

    ZyWALL 2 and ZyWALL 2WE iv Information for Canadian Users Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. The Industry Canada does not guarantee that the equipment will op[...]

  • Page 5

    ZyWALL 2 and ZyWALL 2WE Warranty v ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of fail[...]

  • Page 6

    ZyWALL 2 and ZyWALL 2WE vi Customer Support Customer Support When you contact your customer support representative please have the following information ready: Please have the following information ready when you contact customer support. • Product model and serial number. • Information in Menu 24.2.1 – System Information. • Wa[...]

  • Page 7

    ZyWALL 2 and ZyWALL 2WE Table of Contents vii Table of Contents Copyright .......................................... ii Federal Communications Commission (FCC) Interference Statement .......................................... iii I[...]

  • Page 8

    ZyWALL 2 and ZyWALL 2WE viii Table of Contents 3.2 Accessing the ZyWALL Web Configurator .......................................... 3-1 3.3 Web Configurator Navigation .......................................... 3-2 Chapter 4 Introducing the SMT....[...]

  • Page 9

    ZyWALL 2 and ZyWALL 2WE Table of Contents ix 8.2 Levels of Security .......................................... 8-1 8.3 Data Encryption with WEP .......................................... 8-2 8.4 Network Aut[...]

  • Page 10

    ZyWALL 2 and ZyWALL 2WE x Table of Contents 12.5 General NAT Examples .......................................... 12-17 12.6 Trigger Port Forwarding .......................................... 12-24 Firewall and Content Filters .[...]

  • Page 11

    ZyWALL 2 and ZyWALL 2WE Table of Contents xi 16.7 Creating/Editing A Custom Port .......................................... 16-14 16.8 Example Firewall Rule .......................................... 16-15 Chapter 17 Content Filtering.....[...]

  • Page 12

    ZyWALL 2 and ZyWALL 2WE xii Table of Contents 21.1 Introduction to System Status .......................................... 21-1 21.2 System Status .......................................... 21-1 21.3 System Informa[...]

  • Page 13

    ZyWALL 2 and ZyWALL 2WE Table of Contents xiii 25.1 Introduction to Call Scheduling .......................................... 25-1 25.2 Configuring Call Scheduling .......................................... 25-1 25.3 Applying Schedule Sets ....[...]

  • Page 14

    ZyWALL 2 and ZyWALL 2WE xiv Table of Contents 23.1 Problems Starting Up the ZyWALL .......................................... 28-1 28.1 Problems with a LAN Interface .......................................... 28-2 28.2 Problems with the WAN Interface .[...]

  • Page 15

    ZyWALL 2 and ZyWALL 2WE Table of Contents xv Index .......................................... A[...]

  • Page 16

    ZyWALL 2 and ZyWALL 2WE xvi List of Figures List of Figures Figure 1-1 Secure Internet Access and VPN Application .......................................... 1-6 Figure 1-2 ZyWALL 2WE Wireless LAN Application .......................................... 1-6 Figure 2-1[...]

  • Page 17

    ZyWALL 2 and ZyWALL 2WE List of Figures xvii Figure 7-7 Menu 3.2.1: IP Alias Setup .......................................... 7-9 Figure 7-8 RTS Threshold .......................................... 7[...]

  • Page 18

    ZyWALL 2 and ZyWALL 2WE xviii List of Figures Figure 12-1 How NAT Works .......................................... 12-3 Figure 12-2 NAT Application With IP Alias .......................................... 12-4 Fi[...]

  • Page 19

    ZyWALL 2 and ZyWALL 2WE List of Figures xix Figure 13-3 SYN Flood .......................................... 13-5 Figure 13-4 Smurf Attack ..........................................[...]

  • Page 20

    ZyWALL 2 and ZyWALL 2WE xx List of Figures Figure 19-3 Menu 21: Filter and Firewall Setup .......................................... 19-4 Figure 19-4 Menu 21.1: Filter Set Configuration .......................................... 19-4 Figure 19-5 Men[...]

  • Page 21

    ZyWALL 2 and ZyWALL 2WE List of Figures xxi Figure 22-4 System Maintenance: Starting Xmodem Download Screen .......................................... 22-7 Figure 22-5 Backup Configuration Example .......................................... 22-7 Figure 22-6 Successful Backup Conf[...]

  • Page 22

    ZyWALL 2 and ZyWALL 2WE xxii List of Figures Figure 25-3 Applying Schedule Set(s) to a Remote Node (PPPoE) .......................................... 25-4 Figure 25-4 Applying Schedule Set(s) to a Remote Node (PPTP) .......................................... 25-5 Figure 26-1 Encryption and Decryption ...[...]

  • Page 23

    ZyWALL 2 and ZyWALL 2WE List of Tables xxiii List of Tables Table 2-1 LED Descriptions .......................................... 2-2 Table 2-2 ZyWALL Wireless LAN Coverage .......................................... [...]

  • Page 24

    ZyWALL 2 and ZyWALL 2WE xxiv List of Tables Table 10-6 Traffic Redirect Setup .......................................... 10-12 Table 11-1 IP Static Route Menu Fields .......................................... 11-[...]

  • Page 25

    ZyWALL 2 and ZyWALL 2WE List of Tables xxv Table 18-7 Reports Specifications .......................................... 18-12 Table 19-1 Abbreviations Used in the Filter Rules Summary Menu .......................................... 19-5 Table 19-2 Rule Abbr[...]

  • Page 26

    ZyWALL 2 and ZyWALL 2WE xxvi List of Tables Table 27-8 Advanced IKE VPN Rule Setup .......................................... 27-16 Table 27-9 Manual IKE VPN Rule Setup ..........................................[...]

  • Page 27

    ZyWALL 2 and ZyWALL 2WE Preface xxvii Preface Congratulations on your purchase of the ZyWALL 2/2WE Internet Security Gateway. About This User's Manual This manual is designed to guide you through the configuration of your ZyWALL for its various applications. This manual may refer to the ZyWALL 2/2WE Internet Security Gateway as the ZyWALL.[...]

  • Page 28

    ZyWALL 2 and ZyWALL 2WE xxviii Preface • A single keystroke is in Arial font and enclosed in square brackets, for instance, [ENTER] means the Enter, or carriage return, key; [ESC] means the escape key and [SPACE BAR] means the space bar. [UP] and [DOWN] are the up and down arrow keys. • Mouse action sequences are denoted using a comm[...]

  • Page 29

    Overview I Part I: Overview This part covers Getting to Know Your ZyWALL and Hardware Installation.[...]

  • Page 30

    [...]

  • Page 31

    ZyWALL 2 and ZyWALL 2WE Getting to Know Your ZyWALL 1-1 Chapter 1 Getting to Know Your ZyWALL This chapter introduces the main features and applications of the ZyWALL. 1.1 Introducing the ZyWALL 2/2WE Internet Security Gateway The ZyWALL 2 and 2WE (Wireless LAN Embedded) are ideal secure gateways for all data passing between the Intern[...]

  • Page 32

    ZyWALL 2 and ZyWALL 2WE 1-2 Getting to Know Your ZyWALL Auxiliary Port The ZyWALL 2 and 2WE use the same port for console management and for an auxiliary WAN backup. The AUX port can be used in reserve as a traditional dial-up connection when/if ever the broadband connection to the WAN port fails. 1 Time and Date The ZyWALL allows you to ge[...]

  • Page 33

    ZyWALL 2 and ZyWALL 2WE Getting to Know Your ZyWALL 1-3 RADIUS (RFC2138, 2139) The ZyWALL 2WE uses RADIUS (Remote Authentication Dial In User Service) to have a server handle authentication, authorization and accounting for your wireless network. IEEE 802.1x for Network Security The ZyWALL 2WE supports the IEEE 802.1x standard that works w[...]

  • Page 34

    ZyWALL 2 and ZyWALL 2WE 1-4 Getting to Know Your ZyWALL PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet. The ZyWALL supports one PPTP server connection at any given time. Dynamic DNS Support With Dynamic DNS (Domain Name System) support, you can have a static hostname alia[...]

  • Page 35

    ZyWALL 2 and ZyWALL 2WE Getting to Know Your ZyWALL 1-5 DHCP (Dynamic Host Configuration Protocol) DHCP (Dynamic Host Configuration Protocol) allows the individual client computers to obtain the TCP/IP configuration at start-up from a centralized DHCP server. The ZyWALL has built-in DHCP server capability, enabled by default, which means[...]

  • Page 36

    ZyWALL 2 and ZyWALL 2WE 1-6 Getting to Know Your ZyWALL Figure 1-1 Secure Internet Access and VPN Application 1.3.2 Wireless LAN Application The ZyWALL 2WE is an ideal access solution for wireless Internet connections for a small office or home environment. A typical Internet access application is shown next. Figure 1-2 ZyWALL 2WE Wireless L[...]

  • Page 37

    ZyWALL 2 and ZyWALL 2WE Hardware Installation 2-1 Chapter 2 Hardware Installation This chapter explains the LEDs and ports as well as how to connect the hardware. The wireless LAN information applies to the ZyWALL 2WE only. 2.1 Introduction to Hardware Installation This chapter provides graphics of the front and rear panels, descriptions o[...]

  • Page 38

    ZyWALL 2 and ZyWALL 2WE 2-2 Hardware Installation Figure 2-2 ZyWALL 2 Front Panel 2.3 LED Descriptions The following table describes the LED functions. The SYS and WLAN LEDs apply to the ZyWALL 2WE. Table 2-1 LED Descriptions LED STATUS LED DESCRIPTION PWR Green Light on Light flashing Green Light off The ZyWALL is on and receiving power. Th[...]

  • Page 39

    ZyWALL 2 and ZyWALL 2WE Hardware Installation 2-3 2.4 ZyWALL Rear Panels and Connections The following figure shows the rear panels of the ZyWALL. Figure 2-3 ZyWALL 2WE Rear Panel Figure 2-4 ZyWALL 2 Rear Panel 2.5 Hardware Connections This section outlines how to connect your ZyWALL. If you want to connect a cable modem, you must connect the[...]

  • Page 40

    ZyWALL 2 and ZyWALL 2WE 2-4 Hardware Installation cable modem. Connect a DSL modem to the DSL wall jack. See the Safety Warnings and Instructions Appendix for safety instructions when making connections to the ZyWALL. 2.5.1 Connecting a Broadband Modem to the WAN Port You need a cable/DSL/wireless modem and an ISP account. Connecting[...]

  • Page 41

    ZyWALL 2 and ZyWALL 2WE Hardware Installation 2-5 2.5.6 Antennas The ZyWALL 2WE is equipped with two reverse SMA connectors and two detachable omni-directional 2dBi antennas to provide a clear radio signal between the wireless stations and the access points. Refer to the Antennas appendix for more information. The following table show[...]

  • Page 42

    [...]

  • Page 43

    Initial Setup and Configuration II Part II: Initial Setup and Configuration This part covers Introducing the Web Configurator, Introducing the SMT, SMT Menu 1 General Setup, WAN Setup, LAN Setup, Wireless LAN Security and Internet Access.[...]

  • Page 44

    [...]

  • Page 45

    ZyWALL 2 and ZyWALL 2WE Introducing the Web Configurator 3-1 Chapter 3 Introducing the Web Configurator This chapter describes how to access and navigate the ZyWALL web configurator. 3.1 Introduction to the Web Configurator The embedded web configurator is easy to navigate and use to configure the ZyWALL. The web configurator is independe[...]

  • Page 46

    ZyWALL 2 and ZyWALL 2WE 3-2 Introducing the Web Configurator The ZyWALL automatically times out after five minutes of inactivity. Simply log back into the ZyWALL if this happens to you. 3.3 Web Configurator Navigation Click a link on the navigation panel on the left to open a screen or a submenu. Figure 3-2 Web Configurator Main Menu [...]

  • Page 47

    ZyWALL 2 and ZyWALL 2WE Introducing the SMT 4-1 Chapter 4 Introducing the SMT This chapter explains how to perform the initial ZyWALL setup and gives an overview of SMT menus. 4.1 Introduction to the SMT The ZyWALL’s SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console [...]

  • Page 48

    ZyWALL 2 and ZyWALL 2WE 4-2 Introducing the SMT Please note that if there is no activity for longer than five minutes after you log in, your ZyWALL automatically logs you out and displays a blank screen. If you see a blank screen, press [ENTER] to bring up the login screen again. Figure 4-2 Password Screen 4.3 Navigating the SMT Interface T[...]

  • Page 49

    ZyWALL 2 and ZyWALL 2WE Introducing the SMT 4-3 4.3.1 Main Menu After you enter the password, the SMT displays the ZyWALL Main Menu, as shown next. Figure 4-3 Main Menu (ZyWALL 2WE) 4.3.2 System Management Terminal Interface Summary Table 4-1 Main Menu Summary NO. MENU TITLE FUNCTION 1 General Setup Use this menu to set up dynamic DNS and ad[...]

  • Page 50

    ZyWALL 2 and ZyWALL 2WE 4-4 Introducing the SMT Table 4-1 Main Menu Summary NO. MENU TITLE FUNCTION 23 System Password Change your password in this menu (recommended). 24 System Maintenance From displaying system status to uploading firmware, this menu provides comprehensive system maintenance. 26 Schedule Setup Use this menu to schedule o[...]

  • Page 51

    ZyWALL 2 and ZyWALL 2WE Introducing the SMT 4-5 Figure 4-4 Getting Started and Advanced Applications SMT Menus (ZyWALL 2WE)[...]

  • Page 52

    ZyWALL 2 and ZyWALL 2WE 4-6 Introducing the SMT Figure 4-5 Advanced Management SMT Menus[...]

  • Page 53

    ZyWALL 2 and ZyWALL 2WE Introducing the SMT 4-7 Figure 4-6 Schedule Setup and IPSec VPN Configuration SMT Menus 4.4 Changing the System Password Change the default system password by following the steps shown next. Step 1. Enter 23 in the main menu to open Menu 23 - System Password as shown next. Figure 4-7 Menu 23: System Password Step 2.[...]

  • Page 54

    ZyWALL 2 and ZyWALL 2WE 4-8 Introducing the SMT 4.5 Resetting the ZyWALL If you forget your password or cannot access the SMT menu, you will need to reload the factory-default configuration file or use the RESET button on the back of the ZyWALL. Uploading this configuration file replaces the current configuration file with the factory-default[...]

  • Page 55

    ZyWALL 2 and ZyWALL 2WE Introducing the SMT 4-9 4.5.2 Procedure To Use The Reset Button Make sure the PWR LED (ZyWALL 2) or SYS LED (ZyWALL 2WE) is on (not blinking) before you begin this procedure. Step 1. Press the RESET button for ten seconds, and then release it. If the SYS LED begins to blink, the defaults have been restored and the Zy[...]

  • Page 56

    [...]

  • Page 57

    ZyWALL 2 and ZyWALL 2WE SMT Menu 1 – General Setup 5-1 Chapter 5 SMT Menu 1 - General Setup Menu 1 - General Setup contains administrative and system-related information. 5.1 Introduction to General Setup Menu 1 - General Setup contains administrative and system-related information. Use the instructions in this chapter to configure identific[...]

  • Page 58

    ZyWALL 2 and ZyWALL 2WE 5-2 SMT Menu 1 – General Setup To use this service, you must register with the Dynamic DNS service provider. The Dynamic DNS service provider will give you a password or key. The ZyWALL supports www.dyndns.org. You can apply to this service provider for Dynamic DNS service. 5.3.1 DYNDNS Wildcard Enabling the wildcar[...]

  • Page 59

    ZyWALL 2 and ZyWALL 2WE SMT Menu 1 – General Setup 5-3 Table 5-1 General Setup Menu Field FIELD DESCRIPTION EXAMPLE When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. 5.4.1 Configuring Dynamic DNS To configure Dynamic DNS, go to Me[...]

  • Page 60

    ZyWALL 2 and ZyWALL 2WE 5-4 SMT Menu 1 – General Setup Table 5-2 Configure Dynamic DNS Menu Fields FIELD DESCRIPTION EXAMPLE DDNS Type Press [SPACE BAR] and then [ENTER] to select DynamicDNS if you have a dynamic IP address(es). Select StaticDNS if you have a static IP address(s). Select CustomDNS to have dyns.org provide DNS service for a d[...]

  • Page 61

    ZyWALL 2 and ZyWALL 2WE SMT Menu 1 – General Setup 5-5 Table 5-2 Configure Dynamic DNS Menu Fields FIELD DESCRIPTION EXAMPLE User Specified IP Addr Press [SPACE BAR] to select Yes and then press [ENTER] to update the IP address of the host name(s) to the IP address specified below. Only select Yes if the ZyWALL uses or is behind a static publ[...]

  • Page 62

    [...]

  • Page 63

    ZyWALL 2 and ZyWALL 2WE WAN Setup 6-1 Chapter 6 WAN Setup This chapter describes how to configure the WAN using menu 2. 6.1 Introduction to WAN Setup This chapter explains how to configure settings for your WAN port. 6.2 Cloning The MAC Address The MAC address field allows users to configure the WAN port's MAC address by using eith[...]

  • Page 64

    ZyWALL 2 and ZyWALL 2WE 6-2 WAN Setup Table 6-1 MAC Address Cloning in WAN Setup FIELD DESCRIPTION EXAMPLE MAC Address: Assigned By Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC Address. Choose Factory Default to select the factory assigned default MAC Address. Choose IP address attached on LAN to use the MAC[...]

  • Page 65

    ZyWALL 2 and ZyWALL 2WE LAN Setup 7-1 Chapter 7 LAN Setup This chapter describes how to configure the LAN using Menu 3: LAN Setup. 7.1 Introduction to LAN Setup This chapter describes how to configure the ZyWALL for LAN and wireless LAN connections. 7.2 Accessing the LAN Menus From the main menu, enter 3 to open Menu 3 – LAN Setup. Figur[...]

  • Page 66

    ZyWALL 2 and ZyWALL 2WE 7-2 LAN Setup Figure 7-2 Menu 3.1: LAN Port Filter Setup 7.4 TCP/IP and LAN DHCP The ZyWALL has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability. 7.4.1 Factory LAN Defaults The LAN parameters of the ZyWALL are preset in the factory with the following[...]

  • Page 67

    ZyWALL 2 and ZyWALL 2WE LAN Setup 7-3 There are two ways that an ISP disseminates the DNS server addresses. The first is for an ISP to tell a customer the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, enter them in the DNS Server fields in DHCP Setup. The[...]

  • Page 68

    ZyWALL 2 and ZyWALL 2WE 7-4 LAN Setup Table 7-2 Private IP Address Ranges 10.0.0.0 — 10.255.255.255 172.16.0.0 — 172.31.255.255 192.168.0.0 — 192.168.255.255 You can obtain your IP address from the IANA, from an ISP or have it assigned by a private network. If you belong to a small organization and your Internet access is through an I[...]

  • Page 69

    ZyWALL 2 and ZyWALL 2WE LAN Setup 7-5 information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is not assigned to any group and is used by IP multicast c[...]

  • Page 70

    ZyWALL 2 and ZyWALL 2WE 7-6 LAN Setup Figure 7-5 Menu 3: TCP/IP and DHCP Setup From menu 3, select the submenu option TCP/IP and DHCP Setup and press [ENTER]. The screen now displays Menu 3.2: TCP/IP and DHCP Ethernet Setup, as shown next. Figure 7-6 Menu 3.2: TCP/IP and DHCP Ethernet Setup Menu 3 - LAN Setup 1. LAN Port Filter Setup 2.[...]

  • Page 71

    ZyWALL 2 and ZyWALL 2WE LAN Setup 7-7 Follow the instructions in the next table on how to configure the DHCP fields. Table 7-3 DHCP Ethernet Setup Menu Fields FIELD DESCRIPTION EXAMPLE DHCP This field enables/disables the DHCP server. If set to Server, your ZyWALL will act as a DHCP server. If set to None, the DHCP server will be disabled. If[...]

  • Page 72

    ZyWALL 2 and ZyWALL 2WE 7-8 LAN Setup Table 7-4 LAN TCP/IP Setup Menu Fields FIELD DESCRIPTION EXAMPLE Version Press [SPACE BAR] and then [ENTER] to select the RIP version. Options are: RIP-1, RIP-2B or RIP-2M. RIP-1 (default) Multicast IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Mult[...]

  • Page 73

    ZyWALL 2 and ZyWALL 2WE LAN Setup 7-9 Figure 7-7 Menu 3.2.1: IP Alias Setup Use the instructions in the following table to configure IP Alias parameters. Table 7-5 IP Alias Setup Menu Fields FIELD DESCRIPTION DEFAULT IP Alias Choose Yes to configure the LAN network for the ZyWALL. Yes IP Address Enter the IP address of your ZyWALL in dotted decim[...]

  • Page 74

    ZyWALL 2 and ZyWALL 2WE 7-10 LAN Setup 7.6 Wireless LAN This section introduces the wireless LAN and some basic configuration. Wireless LANs can be as simple as two computers with wireless network interface cards (NICs) communicating in a peer-to-peer network or as complex as a number of computers with wireless NICs communicating throug[...]

  • Page 75

    ZyWALL 2 and ZyWALL 2WE LAN Setup 7-11 Figure 7-8 RTS Threshold The RTS Threshold mechanism provides a solution to prevent these data collisions. When you enable RTS Threshold on a possible hidden station, this station and its AP will use a Request to Send/Clear to Send protocol (RTS/CTS). The station sends an RTS message to the AP, informin[...]

  • Page 76

    ZyWALL 2 and ZyWALL 2WE 7-12 LAN Setup See section 8.3 for instructions on WEP and section 8.6 for instructions on configuring the MAC address filter. If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL’s ESSID or WEP settings, you will lose your wireless connection when you press [E[...]

  • Page 77

    ZyWALL 2 and ZyWALL 2WE LAN Setup 7-13 Table 7-6 Wireless LAN Setup Menu Fields FIELD DESCRIPTION EXAMPLE Hide ESSID Press [SPACE BAR] to select Yes to hide the ESSID in the outgoing beacon frame so a station cannot obtain the ESSID through passive scanning. No (default) Channel ID This allows you to set the operating frequency/channel depend[...]

  • Page 78

    [...]

  • Page 79

    ZyWALL 2 and ZyWALL 2WE Wireless LAN Security Setup 8-1 Chapter 8 Wireless LAN Security Setup This chapter describes the types of security you can enable on the ZyWALL. Wireless LAN is available on the ZyWALL 2WE. 8.1 Introduction to Wireless LAN Security Wireless security is vital to your network to protect wireless communication between wirele[...]

  • Page 80

    ZyWALL 2 and ZyWALL 2WE 8-2 Wireless LAN Security Setup 8.3 Data Encryption with WEP WEP encryption scrambles the data transmitted between the wireless clients and the access points to keep network communications private. It encrypts unicast and multicast communications in a network. Both the wireless clients and the access points must use[...]

  • Page 81

    ZyWALL 2 and ZyWALL 2WE Wireless LAN Security Setup 8-3 The following table describes the WEP related fields in this screen. For wireless LAN field descriptions refer to section 7.7. Table 8-1 Wireless LAN FIELD DESCRIPTION EXAMPLE Enable Wireless LAN Before you enable the wireless LAN you should configure some security by setting MAC filt[...]

  • Page 82

    ZyWALL 2 and ZyWALL 2WE 8-4 Wireless LAN Security Setup • Authentication Determines the identity of the users. • Authorization Determines the network services available to authenticated users once they are connected to the network. • Accounting Keeps track of the client’s network activity. RADIUS is a simple package exchange in which yo[...]

  • Page 83

    ZyWALL 2 and ZyWALL 2WE Wireless LAN Security Setup 8-5 In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password that they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from u[...]

  • Page 84

    ZyWALL 2 and ZyWALL 2WE 8-6 Wireless LAN Security Setup Figure 8-4 Wireless LAN 802.1X Authentication The following table describes the fields in this screen. Table 8-2 Wireless LAN 802.1X Authentication FIELD DESCRIPTION Authentication Control Select Force Authorized, Force UnAuthorized or Auto from the drop-down list box. Select Auto to[...]

  • Page 85

    ZyWALL 2 and ZyWALL 2WE Wireless LAN Security Setup 8-7 Figure 8-5 Authentication RADIUS The following table describes the fields in this screen. Table 8-3 Authentication RADIUS FIELD DESCRIPTION EXAMPLE Authentication Server Active Select Yes from the drop-down list box to enable user authentication through an external authentication server. [...]

  • Page 86

    ZyWALL 2 and ZyWALL 2WE 8-8 Wireless LAN Security Setup Table 8-3 Authentication RADIUS FIELD DESCRIPTION EXAMPLE Port Number The default port of the RADIUS server for authentication is 1812. You need not change this value unless your network administrator instructs you to do so with additional information. 1812 Key Enter a password (up to [...]

  • Page 87

    ZyWALL 2 and ZyWALL 2WE Wireless LAN Security Setup 8-9 Figure 8-6 Local User Database[...]

  • Page 88

    ZyWALL 2 and ZyWALL 2WE 8-10 Wireless LAN Security Setup The following table describes the fields in this screen. Table 8-4 Local User Database FIELD DESCRIPTION Active Select this check box to enable the user profile. User Name Enter the user name of the user profile. Password Enter a password up to 31 characters long for this user profile. Cli[...]

  • Page 89

    ZyWALL 2 and ZyWALL 2WE Wireless LAN Security Setup 8-11 The following table describes the fields in this menu. Table 8-5 WLAN MAC Address Filter FIELD DESCRIPTION Active Use the drop down list box to enable or disable MAC address filtering. Filter Action Define the filter action for the list of MAC addresses in the MAC address filter table. [...]

  • Page 91

    ZyWALL 2 and ZyWALL 2WE Internet Access 9-1 Chapter 9 Internet Access This chapter shows you how to configure your ZyWALL for Internet access. 9.1 Introduction to Internet Access Setup Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet. There are three different menu 4 scree[...]

  • Page 92

    ZyWALL 2 and ZyWALL 2WE 9-2 Internet Access Table 9-1 Menu 4: Internet Access Setup Menu Fields FIELD DESCRIPTION Encapsulation Press [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for the IP Address field. Service Type Press [SPACE BAR] and then [ENTER] to select Standard, RR-Toshiba (R[...]

  • Page 93

    ZyWALL 2 and ZyWALL 2WE Internet Access 9-3 The ZyWALL supports only one PPTP server connection at any given time. 9.3.1 Configuring the PPTP Client To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection. After configuring My Login and Password fo[...]

  • Page 94

    ZyWALL 2 and ZyWALL 2WE 9-4 Internet Access For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (for example Radius). PPPoE provides a login and authentication method that the existing Microsoft Dial-Up Networking software can activate, and therefore requires no n[...]

  • Page 95

    ZyWALL 2 and ZyWALL 2WE Internet Access 9-5 Table 9-3 New Fields in Menu 4 (PPPoE) screen FIELD DESCRIPTION EXAMPLE Idle Timeout This value specifies the time in seconds that elapses before the ZyWALL automatically disconnects from the PPPoE server. 100 (default) If you need a PPPoE service name to identify and reach the PPPoE server, please go[...]

  • Page 97

    Advanced Applications III Part III: Advanced Applications This part covers Remote Node Setup, IP Static Route Setup and Network Address Translation (NAT).[...]

  • Page 99

    ZyWALL 2 and ZyWALL 2WE Remote Node Setup 10-1 Chapter 10 Remote Node Setup This chapter shows you how to configure a remote node. 10.1 Introduction to Remote Node Setup A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note that[...]

  • Page 100

    ZyWALL 2 and ZyWALL 2WE 10-2 Remote Node Setup 10.3 Remote Node Profile Setup The following explains how to configure the remote node profile menu. 10.3.1 Ethernet Encapsulation There are two variations of menu 11.1 depending on whether you choose Ethernet Encapsulation or PPPoE Encapsulation. You must choose the Ethernet option when the W[...]

  • Page 101

    ZyWALL 2 and ZyWALL 2WE Remote Node Setup 10-3 Table 10-1 Fields in Menu 11.1 FIELD DESCRIPTION EXAMPLE Service Type Press [SPACE BAR] and then [ENTER] to select from Standard, RR-Toshiba (RoadRunner Toshiba authentication method) or RR-Manager (RoadRunner Manager authentication method). Choose one of the RoadRunner methods if your ISP is Tim[...]

  • Page 102

    ZyWALL 2 and ZyWALL 2WE 10-4 Remote Node Setup Encapsulation to PPPoE, then you will see the next screen. Please see the Appendices for more information on PPPoE. Figure 10-3 Menu 11.1: Remote Node Profile for PPPoE Encapsulation Outgoing Authentication Protocol Generally speaking, you should employ the strongest authentication protocol p[...]

  • Page 103

    ZyWALL 2 and ZyWALL 2WE Remote Node Setup 10-5 Metric The metric sets the priority for the ZyWALL’s routes to the Internet. If the two routes have the same metric, the ZyWALL uses the following pre-defined priorities: 1. Normal route: designated by the ISP (see Remote Node Setup chapter) or a static route (see the IP Static Route Setup cha[...]

  • Page 104

    ZyWALL 2 and ZyWALL 2WE 10-6 Remote Node Setup Table 10-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific) FIELD DESCRIPTION EXAMPLE Session Options Idle Timeout Type the length of idle time (when there is no traffic from the ZyWALL to the remote node) in seconds that can elapse before the ZyWALL automatically disconnects the PPPoE connect[...]

  • Page 105

    ZyWALL 2 and ZyWALL 2WE Remote Node Setup 10-7 Table 10-3 Fields in Menu 11.1 (PPTP Encapsulation) My IP Addr Enter the IP address of the WAN Ethernet port. 10.0.0.140 My IP Mask Enter the subnet mask of the WAN Ethernet port. 255.255.255.0 Server IP Addr Enter the IP address of the ANT modem. 10.0.0.138 Connection ID/Name Enter the connectio[...]

  • Page 106

    ZyWALL 2 and ZyWALL 2WE 10-8 Remote Node Setup Table 10-4 Remote Node Network Layer Options Menu Fields FIELD DESCRIPTION EXAMPLE IP Address Assignment If your ISP did not assign you an explicit IP address, press [SPACE BAR] and then [ENTER] to select Dynamic; otherwise select Static and enter the IP address & subnet mask in the following f[...]

  • Page 107

    ZyWALL 2 and ZyWALL 2WE Remote Node Setup 10-9 Table 10-4 Remote Node Network Layer Options Menu Fields FIELD DESCRIPTION EXAMPLE Multicast IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group. The ZyWALL supports both IGMP version 1 (IGMP-v1) and version 2 (IGMP-v2). Press [...]

  • Page 108

    ZyWALL 2 and ZyWALL 2WE 10-10 Remote Node Setup Figure 10-7 Menu 11.5: Remote Node Filter (PPPoE or PPTP Encapsulation) 10.6 Traffic Redirect Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the ZyWALL still provide[...]

  • Page 109

    ZyWALL 2 and ZyWALL 2WE Remote Node Setup 10-11 subnet (Subnet 1 in the following figure) and the backup gateway in another subnet (Subnet 2). Configure a LAN to LAN/ZyWALL firewall rule that forwards packets from the protected LAN (Subnet 1) to the backup gateway (Subnet 2). Figure 10-9 Traffic Redirect LAN Setup To configure the pa[...]

  • Page 110

    ZyWALL 2 and ZyWALL 2WE 10-12 Remote Node Setup Table 10-5 Menu 11.1: Remote Node Profile (Traffic Redirect Field) FIELD DESCRIPTION EXAMPLE Edit Traffic Redirect Press [SPACE BAR] to select Yes or No. Select No (default) if you do not want to configure this feature. Select Yes and press [ENTER] to configure Menu 11.6 - Traffic Redirect Set[...]

  • Page 111

    ZyWALL 2 and ZyWALL 2WE Remote Node Setup 10-13 Table 10-6 Traffic Redirect Setup FIELD DESCRIPTION EXAMPLE Configuration: Backup Gateway IP Address Enter the IP address of your backup gateway in dotted decimal notation. The ZyWALL automatically forwards traffic to this IP address if the ZyWALL’s Internet connection terminates. 0.0.0.0 Metric[...]

  • Page 113

    ZyWALL 2 and ZyWALL 2WE IP Static Route Setup 11-1 Chapter 11 IP Static Route Setup This chapter shows you how to configure static routes with your ZyWALL. 11.1 Introduction to Static Route Static routes tell the ZyWALL routing information that it cannot learn automatically through other means. This can arise in cases where RIP is dis[...]

  • Page 114

    ZyWALL 2 and ZyWALL 2WE 11-2 IP Static Route Setup 11.2 IP Static Route Setup Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.1. Figure 11-2 Menu 12: IP Static Route Setup Now, enter the index number of the static route that you want to configure. Menu 12 - IP Sta[...]

  • Page 115

    ZyWALL 2 and ZyWALL 2WE IP Static Route Setup 11-3 Figure 11-3 Menu 12.1: Edit IP Static Route The following table describes the IP Static Route Menu fields. Table 11-1 IP Static Route Menu Fields FIELD DESCRIPTION Route # This is the index number of the static route that you chose in menu 12. Route Name Enter a descriptive name for [...]

  • Page 116

    ZyWALL 2 and ZyWALL 2WE 11-4 IP Static Route Setup Table 11-1 IP Static Route Menu Fields FIELD DESCRIPTION Private This parameter determines if the ZyWALL will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcast. If No, the route to this remote node will[...]

  • Page 117

    ZyWALL 2 and ZyWALL 2WE NAT 12-1 Chapter 12 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 12.1 Introduction to NAT NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within [...]

  • Page 118

    ZyWALL 2 and ZyWALL 2WE 12-2 NAT NAT never changes the IP address (either local or global) of an outside host. 12.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. W[...]

  • Page 119

    ZyWALL 2 and ZyWALL 2WE NAT 12-3 Figure 12-1 How NAT Works[...]

  • Page 120

    ZyWALL 2 and ZyWALL 2WE 12-4 NAT 12.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter. Figure 12-2 NAT Application With IP Alias 12.1.5 NAT [...]

  • Page 121

    ZyWALL 2 and ZyWALL 2WE NAT 12-5 2. Many to One: In Many-to-One mode, the ZyWALL maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL’s Single User Account feature (the SUA Only option). 3. Many to Many Overload: In Many-to-Many Overload mode, the ZyWALL ma[...]

  • Page 122

    ZyWALL 2 and ZyWALL 2WE 12-6 NAT Table 12-2 NAT Mapping Types TYPE IP MAPPING SMT ABBREVIATION Server Server 1 IP ↔ IGA1 Server 2 IP ↔ IGA1 Server 3 IP ↔ IGA1 Server 12.2 Using NAT You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL. 12.2.1 SUA (Sin[...]

  • Page 123

    ZyWALL 2 and ZyWALL 2WE NAT 12-7 Figure 12-3 Menu 4: Applying NAT for Internet Access The following figure shows how you apply NAT to the remote node in menu 11.1. Step 1. Enter 11 from the main menu. Step 2. Move the cursor to the Edit IP field, press [SPACE BAR] to select Yes and then press [ENTER] to bring up Menu 11.3 - Remote Node [...]

  • Page 124

    ZyWALL 2 and ZyWALL 2WE 12-8 NAT Figure 12-4 Menu 11.3: Applying NAT to the Remote Node The following table describes the options for Network Address Translation. Table 12-3 Applying NAT in Menus 4 & 11.3 FIELD DESCRIPTION OPTIONS When you select this option the SMT will use Address Mapping Set 1 (menu 15.1 - see section 12.3.1 for further[...]

  • Page 125

    ZyWALL 2 and ZyWALL 2WE NAT 12-9 will use Set 1, which supports all mapping types as outlined in Table 12-2. When you select SUA Only, the SMT will use the pre-configured Set 255 (read only). The server set is a list of LAN servers mapped to external ports. To use this set, a server rule must be set up inside the NAT address mapping set. P[...]

  • Page 126

    ZyWALL 2 and ZyWALL 2WE 12-10 NAT Figure 12-7 Menu 15.1.255: SUA Address Mapping Rules The following table explains the fields in this screen. Menu 15.1.255 is read-only. Table 12-4 SUA Address Mapping Rules FIELD DESCRIPTION EXAMPLE Set Name This is the name of the set you selected in menu 15.1 or enter the name of a new set you want to cre[...]

  • Page 127

    ZyWALL 2 and ZyWALL 2WE NAT 12-11 Table 12-4 SUA Address Mapping Rules Once you have finished configuring a rule in this menu, press [ENTER] at the message “Press ENTER to Confirm…” to save your configuration, or press [ESC] to cancel. User-Defined Address Mapping Sets Now look at option 1 in menu 15.1. Enter 1 to bring up this menu.[...]

  • Page 128

    ZyWALL 2 and ZyWALL 2WE 12-12 NAT up by that number of empty rules. For example, if you have already configured rules 1 to 6 in your current set and now you configure rule number 9, the new rule will appear in the set summary screen as rule 7, not 9. Now if you delete rule 4, rules 5 to 7 will be pushed up by 1 rule, so old rule 5 becomes rule 4[...]

  • Page 129

    ZyWALL 2 and ZyWALL 2WE NAT 12-13 Figure 12-9 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set Table 12-6 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set FIELD DESCRIPTION EXAMPLE Type Press [SPACE BAR] and then [ENTER] to select from a total of five types. These are the mapping types discussed in Table 12-2. Se[...]

  • Page 130

    ZyWALL 2 and ZyWALL 2WE 12-14 NAT 12.4 NAT Server Sets – Port Forwarding A NAT server set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make accessible to the outside world even though NAT makes your whole inside network appear as a single machine to the outside world. Use Menu 15 - NAT Setup [...]

  • Page 131

    ZyWALL 2 and ZyWALL 2WE NAT 12-15 Table 12-7 Services & Port Numbers SERVICES PORT NUMBER POP3 (Post Office Protocol) 110 NNTP (Network News Transport Protocol) 119 SNMP (Simple Network Management Protocol) 161 SNMP trap 162 PPTP (Point-to-Point Tunneling Protocol) 1723 12.4.1 Configuring a Server behind NAT Follow these steps to configu[...]

  • Page 132

    ZyWALL 2 and ZyWALL 2WE 12-16 NAT Figure 12-10 Menu 15.2: NAT Server Setup Figure 12-11 Multiple Servers Behind NAT Example Menu 15.2 - NAT Server Setup Rule Start Port No. End Port No. IP Address --------------------------------------------------- 1. Default Default 0.0.0.0 2. 21 25 192.168.1.33 3. 0 0 0.0.0.0 4. 0 0 0.0.0.0 5. 0 0 0.0.0.0 6.[...]

  • Page 133

    ZyWALL 2 and ZyWALL 2WE NAT 12-17 12.5 General NAT Examples The following are some examples of NAT configuration. 12.5.1 Internet Access Only In the following Internet access example, you only need one rule where all your ILAs (Inside Local addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP. Figure 12-12 NA[...]

  • Page 134

    ZyWALL 2 and ZyWALL 2WE 12-18 NAT From menu 4 shown above, simply choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in section 12.5. The SUA Only read-only option from the Network Address Translation field in menus 4 and 11.3 is specifically pre-configured to handle this[...]

  • Page 135

    ZyWALL 2 and ZyWALL 2WE NAT 12-19 Figure 12-15 Menu 15.2: Specifying an Inside Server 12.5.3 Example 3: Multiple Public IP Addresses With Inside Servers In this example, there are 3 IGAs from our ISP. There are many departments but two have their own FTP server. All departments share the same router. The example will reserve one IGA for eac[...]

  • Page 136

    ZyWALL 2 and ZyWALL 2WE 12-20 NAT Figure 12-16 NAT Example 3 Step 1. In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore you must choose the Full Feature option from the Network Address Translation field (in menu 4 or menu 11.3) in Figure 12-17. Step 2. Then enter 15 from the main menu. [...]

  • Page 137

    ZyWALL 2 and ZyWALL 2WE NAT 12-21 Figure 12-17 Example 3: Menu 11.3 The following figure shows how to configure the first rule. Figure 12-18 Example 3: Menu 15.1.1.1 Menu 15.1.1.1 Address Mapping Rule Type= One-to-One Local IP: Start= 192.168.1.10 End = N/A Global IP: Start= 10.132.50.1 End = N/A Press ENTER to Confirm or ESC to Cancel: Press[...]

  • Page 138

    ZyWALL 2 and ZyWALL 2WE 12-22 NAT Figure 12-19 Example 3: Final Menu 15.1.1 Now configure the IGA3 to map to our web server and mail server on the LAN. Step 8. Enter 15 from the main menu. Step 9. Now enter 2 from this menu and configure it as shown in Figure 12-20. Figure 12-20 Example 3: Menu 15.2 Menu 15.1.1 - Address Mapping Rules S[...]

  • Page 139

    ZyWALL 2 and ZyWALL 2WE NAT 12-23 12.5.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-One-to-One mapping as port numbers do not change for Many-One-to-One (and One-to-One) NAT mapping types. The following figur[...]

  • Page 140

    ZyWALL 2 and ZyWALL 2WE 12-24 NAT Figure 12-22 Example 4: Menu 15.1.1.1: Address Mapping Rule After you’ve configured your rule, you should be able to check the settings in menu 15.1.1 as shown next. Figure 12-23 Example 4: Menu 15.1.1: Address Mapping Rules 12.6 Trigger Port Forwarding Some services use a dedicated range of ports on the [...]

  • Page 141

    ZyWALL 2 and ZyWALL 2WE NAT 12-25 the server on the WAN) to the IP address of a computer on the client side (LAN). The problem is that port forwarding only forwards a service to a single LAN IP address. In order to use the same service on a different LAN computer, you have to manually replace the LAN computer's IP address in the for[...]

  • Page 142

    ZyWALL 2 and ZyWALL 2WE 12-26 NAT 5. Only Jane can connect to the Real Audio server until the connection is closed or times out. The ZyWALL times out in three minutes with UDP (User Datagram Protocol) or two hours with TCP/IP (Transfer Control Protocol/Internet Protocol). 12.6.2 Two Points To Remember About Trigger Ports 1. Trigger eve[...]

  • Page 143

    ZyWALL 2 and ZyWALL 2WE NAT 12-27 Table 12-8 Menu 15.3—Trigger Port Setup Description FIELD DESCRIPTION EXAMPLE Rule This is the rule index number. 1 Name Enter a unique name for identification purposes. You may enter up to 15 characters in this field. All characters are permitted - including spaces. Real Audio Incoming Incoming is a por[...]

  • Page 145

    Firewall and Content Filters IV Part IV: Firewall and Content Filters This part introduces firewalls in general and the ZyWALL firewall. It also explains custom ports and gives example firewall rules and an overview of content filtering.[...]

  • Page 147

    ZyWALL 2 and ZyWALL 2WE Firewalls 13-1 Chapter 13 Firewalls This chapter gives some background information on firewalls and explains how to get started with the ZyWALL firewall. 13.1 Introduction to Firewalls Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The n[...]

  • Page 148

    ZyWALL 2 and ZyWALL 2WE 13-2 Firewalls i. Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems. ii. Robust authentication and logging pre-authenticates application traffic before it r[...]

  • Page 149

    ZyWALL 2 and ZyWALL 2WE Firewalls 13-3 Figure 13-1 ZyWALL Firewall Application 13.4 Denial of Service Denials of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. The ZyWALL is[...]

  • Page 150

    ZyWALL 2 and ZyWALL 2WE 13-4 Firewalls for use over a single port, such as Web on port 80, other ports are also active. If the person configuring or managing the computer is not careful, a hacker could attack it over an unprotected port. Some of the most common IP ports are: Table 13-1 Common IP Ports 21 FTP 53 DNS 23 Telnet 80 HTTP [...]

  • Page 151

    ZyWALL 2 and ZyWALL 2WE Firewalls 13-5 Figure 13-2 Three-Way Handshake Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this han[...]

  • Page 152

    ZyWALL 2 and ZyWALL 2WE 13-6 Firewalls 2-b In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself. 3. A brute-force attack, su[...]

  • Page 153

    ZyWALL 2 and ZyWALL 2WE Firewalls 13-7 • Illegal Commands (NetBIOS and SMTP) The only legal NetBIOS commands are the following - all others are illegal. Table 13-3 Legal NetBIOS Commands MESSAGE: REQUEST: POSITIVE: NEGATIVE: RETARGET: KEEPALIVE: All SMTP commands are illegal except for those displayed in the following tables. Table 13-4 Legal[...]

  • Page 154

    ZyWALL 2 and ZyWALL 2WE 13-8 Firewalls all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet. In summary, stateful inspection: • Allows all sessions originating from the LAN (local network) to the WAN (Internet). • Denies all sessions originating from the WAN t[...]

  • Page 155

    ZyWALL 2 and ZyWALL 2WE Firewalls 13-9 1. The packet travels from the firewall's LAN to the WAN. 2. The packet is evaluated against the interface's existing outbound access list, and the packet is permitted (a denied packet would simply be dropped at this point). 3. The packet is inspected by a firewall rule to determine and record inf[...]

  • Page 156

    ZyWALL 2 and ZyWALL 2WE 13-10 Firewalls These custom rules work by evaluating the network traffic’s Source IP address, Destination IP address, IP protocol type, and comparing these to rules set by the administrator. The ability to define firewall rules is a very powerful tool. Using custom rules, it is possible to disable all firewall prot[...]

  • Page 157

    ZyWALL 2 and ZyWALL 2WE Firewalls 13-11 A similar situation exists for ICMP, except that the ZyWALL is even more restrictive. Specifically, only outgoing echoes will allow incoming echo replies, outgoing address mask requests will allow incoming address mask replies, and outgoing timestamp requests will allow incoming timestamp replies. N[...]
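The ICMP behaviour described above (only the three request/reply pairs, and only when the LAN sent the request first) as a small stateful inspection model. This is an added example, not ZyXEL firmware or code from the manual; the 30-second state timeout, the identifier-based pairing and the addresses in the sample trace are assumptions made for the illustration.

```python
"""Stateful ICMP inspection modelled on the manual's description (added example).
Outgoing requests from the LAN are recorded; an inbound reply crosses WAN->LAN
only if it matches a recorded request, and only for the three pairs named:
echo, address mask and timestamp. Everything else inbound is blocked."""
from dataclasses import dataclass

# ICMP type numbers (RFC 792 / RFC 950): request type -> matching reply type
REQUEST_TO_REPLY = {
    8: 0,    # echo request          -> echo reply
    17: 18,  # address mask request  -> address mask reply
    13: 14,  # timestamp request     -> timestamp reply
}
REPLY_TO_REQUEST = {reply: req for req, reply in REQUEST_TO_REPLY.items()}


@dataclass(frozen=True)
class Icmp:
    direction: str   # "LAN->WAN" or "WAN->LAN"
    src: str
    dst: str
    icmp_type: int
    ident: int       # ICMP identifier used to pair a reply with its request (assumption)


class StatefulIcmpFirewall:
    def __init__(self, timeout=30):
        self.timeout = timeout   # seconds a pending request stays valid (assumption)
        self.pending = {}        # (lan_host, wan_host, request_type, ident) -> expiry

    def inspect(self, pkt, now):
        """Return "FORWARD" or "BLOCK" for one packet and update the state table."""
        self._expire(now)
        if pkt.direction == "LAN->WAN":
            # Sessions from the LAN are allowed; remember requests that expect a reply.
            if pkt.icmp_type in REQUEST_TO_REPLY:
                key = (pkt.src, pkt.dst, pkt.icmp_type, pkt.ident)
                self.pending[key] = now + self.timeout
            return "FORWARD"
        # WAN->LAN: nothing is allowed unless it answers a recorded request.
        req_type = REPLY_TO_REQUEST.get(pkt.icmp_type)
        if req_type is None:
            return "BLOCK"   # inbound request or any other ICMP type
        key = (pkt.dst, pkt.src, req_type, pkt.ident)
        if key in self.pending:
            del self.pending[key]   # one reply per request; duplicates are blocked
            return "FORWARD"
        return "BLOCK"              # unsolicited reply

    def _expire(self, now):
        self.pending = {k: t for k, t in self.pending.items() if t > now}


def run(trace):
    """Apply the firewall to a list of (time, packet) and return the actions."""
    fw = StatefulIcmpFirewall()
    return [fw.inspect(pkt, t) for t, pkt in trace]


# Constructed sample trace (times in seconds; addresses are placeholders).
SAMPLE_TRACE = [
    (0, Icmp("LAN->WAN", "192.168.1.10", "203.0.113.5", 8, 1)),    # echo request out
    (1, Icmp("WAN->LAN", "203.0.113.5", "192.168.1.10", 0, 1)),    # matching echo reply
    (2, Icmp("WAN->LAN", "203.0.113.5", "192.168.1.10", 0, 1)),    # duplicate reply
    (3, Icmp("WAN->LAN", "203.0.113.9", "192.168.1.10", 0, 7)),    # unsolicited reply
    (4, Icmp("WAN->LAN", "203.0.113.5", "192.168.1.10", 8, 2)),    # inbound echo request
    (5, Icmp("LAN->WAN", "192.168.1.10", "203.0.113.5", 13, 3)),   # timestamp request out
    (6, Icmp("WAN->LAN", "203.0.113.5", "192.168.1.10", 14, 3)),   # timestamp reply
    (7, Icmp("LAN->WAN", "192.168.1.10", "203.0.113.5", 17, 4)),   # address mask request
    (40, Icmp("WAN->LAN", "203.0.113.5", "192.168.1.10", 18, 4)),  # reply after timeout
]

if __name__ == "__main__":
    for (t, pkt), action in zip(SAMPLE_TRACE, run(SAMPLE_TRACE)):
        print(f"t={t:>2}s {pkt.direction} type={pkt.icmp_type:<2} -> {action}")
```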

  • Page 158

    ZyWALL 2 and ZyWALL 2WE 13-12 Firewalls 7. Keep the firewall in a secured (locked) room. 13.7 Packet Filtering Vs Firewall Below are some comparisons between the ZyWALL’s filtering and firewall functions. 13.7.1 Packet Filtering: • The router filters packets as they pass through the router’s interface according to the filter rules you [...]

  • Page 159

    ZyWALL 2 and ZyWALL 2WE Firewalls 13-13 When To Use The Firewall 1. To prevent DoS attacks and prevent hackers cracking your network. 2. A range of source and destination IP addresses as well as port numbers can be specified within one firewall rule making the firewall a better choice when complex rules are required. 3. To selectively block[...]

  • Page 161

    ZyWALL 2 and ZyWALL 2WE Introducing the ZyWALL Firewall 14-1 Chapter 14 Introducing the ZyWALL Firewall This chapter shows you how to get started with the ZyWALL firewall. 14.1 Introduction to the ZyWALL Firewall The ZyWALL provides a configurable stateful inspection firewall. The firewall is also sometimes referred to as Access Control and the[...]

  • Page 162

    ZyWALL 2 and ZyWALL 2WE 14-2 Introducing the ZyWALL Firewall 14.4.1 Activating the Firewall Enter option 2 in this menu to bring up the following screen. Press [SPACE BAR] and then [ENTER] to select Yes in the Active field to activate the firewall. The firewall must be active to protect against Denial of Service (DoS) attacks. Use the web configu[...]

  • Page 163

    ZyWALL 2 and ZyWALL 2WE Firewall Configuration 15-1 Chapter 15 Firewall Configuration This chapter shows you how to configure your firewall with the web configurator. 15.1 Introduction to Firewall Configuration Use the ZyWALL web configurator to configure your firewall. Refer to the Introducing the Web Configurator chapter for details on [...]

  • Page 164

    ZyWALL 2 and ZyWALL 2WE 15-2 Firewall Configuration Figure 15-1 Enabling the Firewall 15.2.1 Alerts Alerts are reports on events, such as attacks, that you may want to know about right away. You can choose to generate an alert when an attack is detected in the Attack Alert screen (Figure 15-2 - check the Generate alert when attack detected [...]

  • Page 165

    ZyWALL 2 and ZyWALL 2WE Firewall Configuration 15-3 15.3 Attack Alert Attack alerts are the first defense against DoS attacks. In the Attack Alert screen, shown later, you may choose to generate an alert whenever an attack is detected. For DoS attacks, the ZyWALL uses thresholds to determine when to drop sessions that do not become fully estab[...]

  • Page 166

    ZyWALL 2 and ZyWALL 2WE 15-4 Firewall Configuration When the rate of new connection attempts rises above a threshold (one-minute high), the ZyWALL starts deleting half-open sessions as required to accommodate new connection requests. The ZyWALL continues to delete half-open sessions as necessary, until the rate of new connection attempts [...]

  • Page 167

    ZyWALL 2 and ZyWALL 2WE Firewall Configuration 15-5 Figure 15-2 Attack Alert The following table describes the fields in this screen. Table 15-1 Attack Alert FIELD DESCRIPTION DEFAULT VALUES Generate alert when attack detected A detected attack automatically generates a log entry. Check this box to generate an alert (as well as a log) whenever an a[...]

  • Page 168

    ZyWALL 2 and ZyWALL 2WE 15-6 Firewall Configuration Table 15-1 Attack Alert FIELD DESCRIPTION DEFAULT VALUES One Minute High This is the rate of new half-open sessions that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the ZyWALL deletes half-open sessions as required to[...]

  • Page 169

    ZyWALL 2 and ZyWALL 2WE Firewall Configuration 15-7 Table 15-1 Attack Alert FIELD DESCRIPTION DEFAULT VALUES Blocking Time When TCP Maximum Incomplete is reached you can choose if the next session should be allowed or blocked. If you check Blocking Time any new sessions will be blocked for the length of time you specify in the next field (min) a[...]
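The half-open session handling described in the Attack Alert pages above (one-minute high rate threshold, TCP Maximum Incomplete, Blocking Time) as a simulation a defender can step through. This is an added example, not ZyWALL firmware; two details this page does not state are assumed: TCP Maximum Incomplete is counted per destination host, and deletion starts with the oldest half-open session.

```python
"""Half-open TCP session limiter modelled on the Attack Alert thresholds (added
example, not ZyXEL code). A session is half-open from the client's SYN until
the handshake's final ACK. Assumptions beyond the manual text: TCP Maximum
Incomplete is counted per destination host, and the oldest half-open session
is deleted first when the one-minute high rate is exceeded."""
from collections import deque


class HalfOpenLimiter:
    def __init__(self, one_minute_high, tcp_max_incomplete, blocking_time_min):
        self.one_minute_high = one_minute_high        # new attempts per minute
        self.tcp_max_incomplete = tcp_max_incomplete  # half-open sessions per dest host
        self.blocking_time = blocking_time_min * 60   # Blocking Time, in seconds
        self.half_open = {}       # (src, dst, sport, dport) -> time the SYN was seen
        self.attempts = deque()   # timestamps of new attempts within the last minute
        self.blocked_until = {}   # dst host -> time its block expires
        self.log = []             # (reason, time, detail) entries, as a log would hold

    def _rate(self, now):
        while self.attempts and self.attempts[0] <= now - 60:
            self.attempts.popleft()
        return len(self.attempts)

    def _incomplete_to(self, dst):
        return sum(1 for key in self.half_open if key[1] == dst)

    def syn(self, now, src, dst, sport, dport):
        """A new connection attempt (SYN). Returns "FORWARD" or "BLOCK"."""
        if self.blocked_until.get(dst, 0) > now:
            return "BLOCK"   # still inside Blocking Time for this host
        self.attempts.append(now)
        if self._rate(now) > self.one_minute_high:
            # Rate above one-minute high: make room by deleting the oldest half-open session.
            oldest = min(self.half_open, key=self.half_open.get, default=None)
            if oldest is not None:
                del self.half_open[oldest]
                self.log.append(("one-minute-high", now, oldest))
        if self._incomplete_to(dst) >= self.tcp_max_incomplete:
            # TCP Maximum Incomplete reached: block new sessions to this host.
            self.blocked_until[dst] = now + self.blocking_time
            self.log.append(("tcp-max-incomplete", now, dst))
            return "BLOCK"
        self.half_open[(src, dst, sport, dport)] = now
        return "FORWARD"

    def ack(self, src, dst, sport, dport):
        """Final ACK of the three-way handshake: the session is fully established."""
        self.half_open.pop((src, dst, sport, dport), None)


def simulate():
    """Constructed scenario; returns the per-SYN actions and the limiter's log."""
    fw = HalfOpenLimiter(one_minute_high=5, tcp_max_incomplete=3, blocking_time_min=5)
    actions = []
    # A legitimate client completes its handshake, so it never counts as half-open.
    actions.append(fw.syn(0, "192.168.1.10", "10.0.0.5", 40000, 80))
    fw.ack("192.168.1.10", "10.0.0.5", 40000, 80)
    # Four SYNs to one host that are never completed: the fourth hits TCP Maximum Incomplete.
    for i in range(4):
        actions.append(fw.syn(1 + i, "192.168.1.20", "10.0.0.5", 50000 + i, 80))
    # A fresh attempt to that host during Blocking Time is refused.
    actions.append(fw.syn(10, "192.168.1.30", "10.0.0.5", 40001, 80))
    # Attempts to another host push the one-minute rate above the high threshold,
    # so the oldest half-open sessions are deleted to make room.
    actions.append(fw.syn(20, "192.168.1.30", "10.0.0.6", 40002, 80))
    actions.append(fw.syn(21, "192.168.1.31", "10.0.0.6", 40003, 80))
    # After Blocking Time has elapsed the first host accepts new attempts again.
    actions.append(fw.syn(310, "192.168.1.40", "10.0.0.5", 40004, 80))
    return actions, fw.log


if __name__ == "__main__":
    acts, log = simulate()
    print(acts)
    for entry in log:
        print(entry)
```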

  • Page 171

    ZyWALL 2 and ZyWALL 2WE Creating Custom Rules 16-1 Chapter 16 Creating Custom Rules This chapter contains instructions for defining both Local Network and Internet rules. 16.1 Introduction to Custom Rules Firewall rules are grouped based on the direction of travel of packets to which they apply: • LAN to LAN/ZyWALL • WAN to LAN • LAN to WA[...]

  • Page 172

    ZyWALL 2 and ZyWALL 2WE 16-2 Creating Custom Rules ♦ Allow everyone except your competitors to access a Web server. ♦ Restrict use of certain protocols, such as Telnet, to authorized users on the LAN. These custom rules work by comparing the Source IP address, Destination IP address and IP protocol type of network traffic to rules set by[...]

  • Page 173

    ZyWALL 2 and ZyWALL 2WE Creating Custom Rules 16-3 Once these questions have been answered, adding rules is simply a matter of plugging the information into the correct fields in the web configurator screens. 16.2.3 Key Fields For Configuring Rules Action Should the action be to Block or Forward? “Block” means the firewall silently [...]

  • Page 174

    ZyWALL 2 and ZyWALL 2WE 16-4 Creating Custom Rules Figure 16-1 LAN to WAN Traffic 16.3.2 WAN to LAN Rules The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If you wish to allow certain WAN users to have access to your LAN, you will need to create custom rules to allow it. See the following figure. Figure 16-2 [...]

  • Page 175

    ZyWALL 2 and ZyWALL 2WE Creating Custom Rules 16-5 16.4 Rule Summary Click Firewall and the Summary tab to display the following screen. This screen is a summary of the existing rules. Note the order in which the rules are listed. The ordering of your rules is very important as rules are applied in turn. Figure 16-3 Firewall Rules Summary: First[...]

  • Page 176

    ZyWALL 2 and ZyWALL 2WE 16-6 Creating Custom Rules Table 16-1 Firewall Rules Summary: First Screen FIELD DESCRIPTION Bypass Triangle Route Select this check box to have the ZyWALL firewall ignore the use of triangle route topology on the network. See the appendices for more on triangle route topology. Total Configured Rules This read-only numb[...]

  • Page 177

    ZyWALL 2 and ZyWALL 2WE Creating Custom Rules 16-7 Table 16-1 Firewall Rules Summary: First Screen FIELD DESCRIPTION Log This field shows you if a log is created for packets that match the rule (Match), don't match the rule (Not Match), both (Both) or no log is created (None). Alert This field tells you whether this rule generates [...]

  • Page 178

    ZyWALL 2 and ZyWALL 2WE 16-8 Creating Custom Rules Table 16-2 Predefined Services SERVICE DESCRIPTION BOOTP_CLIENT(UDP:68) DHCP Client. BOOTP_SERVER(UDP:67) DHCP Server. CU-SEEME(TCP/UDP:7648, 24032) A popular videoconferencing solution from White Pines Software. DNS(UDP/TCP:53) Domain Name Server, a service that matches web names (e.g. www.zyxe[...]

  • Page 179

    ZyWALL 2 and ZyWALL 2WE Creating Custom Rules 16-9 Table 16-2 Predefined Services SERVICE DESCRIPTION NFS(UDP:2049) Net work File System - NFS is a client/server distribut ed file service that provides transparent file sharing for net work environments. NNTP(TCP:119) Network News Transport Protoc ol is the delivery mechanis m for the USENET newsgro[...]

  • Page 180

    ZyWALL 2 and ZyWALL 2WE 16-10 Creating Custom Rules Table 16-2 Predefined Services SERVICE DESCRIPTION STRM WORKS(UDP:1558) Stream Works Protocol. SYSLOG(UDP:514) Syslog allows you to send system logs to a UNIX server. TACACS(UDP:49) Login Host Protocol used for (Terminal Access Controller Access Control System). TELNET(T CP:23) T elnet is the logi[...]

  • Page 181

    ZyWALL 2 and ZyWALL 2WE Creating Custom Rules 16-11 Figure 16-4 Creating/Editing A Fire w all Rule Table 16-3 Creating/Editing A Fire w all Rule FIELD DESCRIPTION OPTIONS Active Check the Act i ve check box to have the ZyWALL use this rule. Leave it unchecked if yo u do not want the ZyWALL to use the rule after you apply it Packet Direction Use the[...]

  • Page 182

    ZyWALL 2 and ZyWALL 2WE 16-12 Creating Custom Rules Table 16-3 Creating/Editing A Fire w all Rule FIELD DESCRIPTION OPTIONS Source Address Click SrcAdd to add a new address, SrcEdit to edit an existing one or SrcDelete to delete one. Plea se see the next section for more information on add ing and editing source addresses. SrcAdd SrcEdit SrcDelete [...]

  • Page 183

    ZyWALL 2 and ZyWALL 2WE Creating Custom Rules 16-13 16.5.2 Source and Destination Addresses To add a ne w source or de stination a d dress, clic k SrcAdd or DestAdd from the previous screen. To edit an existing source or destination addres s, select it from the box and click SrcEdit or DestEdit from the previous screen . Either action displays the [...]

  • Page 184

    ZyWALL 2 and ZyWALL 2WE 16-14 Creating Custom Rules Table 16-4 Adding/Editing Source and Destination Addresse s FIELD DESCRIPTION OPTIONS Subnet Mask Enter the subnet mask here, if applicable. When you have finished, click Apply to save your customized settings and exit this screen, Cancel to exit this screen without saving, or Help for online HTML[...]

  • Page 185

    ZyWALL 2 and ZyWALL 2WE Creating Custom Rules 16-15 The next tabl e describes the fi elds in this screen. Table 16-5 Creating/Editing A Custo m Port FIELD DESCRIPTION OPTIONS Service Name Enter a unique name for your custom port. Service Type Choose the IP port ( TCP , UDP or Both ) that defines your customized port from the drop down list box. TCP[...]

  • Page 186

    ZyWALL 2 and ZyWALL 2WE 16-16 Creating Custom Rules Step 3. Click Insert to display the firewall rule configuration screen. Figure 16-7 Fire wall Rule Configuration Screen Example Step 4. Click Any in the Source Address box and then click ScrDelete . Step 5. Click ScrAdd under the Source Ad dress box. Step 6. Configu re the Firewall IP Config scree[...]

  • Page 187

    ZyWALL 2 and ZyWALL 2WE Creating Custom Rules 16-17 Figure 16-8 Fire wall IP Config Screen Example Step 7. In the firewall rule con figuration screen, click Add under Custom Port to open the Custom Port Configuration screen. Configure it as follows and click Apply .[...]

  • Page 188

    ZyWALL 2 and ZyWALL 2WE 16-18 Creating Custom Rules Figure 16-9 Custom Port Example Step 7. The firewall rule configuration screen dis plays, use the arrows bet ween Available Serv i ces and Selected Services to configure it as follows. Click Apply when you are done. Custom port s show up with an “*” before their names in the Services list box [...]

  • Page 189

    ZyWALL 2 and ZyWALL 2WE Creating Custom Rules 16-19 Figure 16-10 Rule Configuration Exa mple Click Ap pl y when finished. This is the address range of the “MyService” servers. This is your “ MyService” custom port.[...]

  • Page 190

    ZyWALL 2 and ZyWALL 2WE 16-20 Creating Custom Rules Step 8. On completing th e configuration procedu re for this Internet firewall rule, the Rule Summary screen should look lik e the following. Remember to click Apply whe n you have finishe d configuring your rule(s) to sav e your settings back to the ZyWA LL. Figure 16-11 Rule Summary Example Rule[...]

  • Page 191

    ZyWALL 2 and ZyWALL 2WE Content Filtering 17-1 Chapter 17 Content Filtering This chapter provides a brief overview o f content filtering using the web embedded configurator. 17.1 Introduction to Content Filtering Internet content filtering allows you to c reate and enforce Internet access policies tailored to their needs. Content filtering is the a[...]

  • Page 192

    ZyWALL 2 and ZyWALL 2WE 17-2 Content Filtering Figure 17-1Content Filter Table 17-1 Content Filter LABEL DESCRIPTION Restrict Web Features Select the box(es) to restrict a feat ure. When you do wnload a page containing a restricted feature, that part of the web page will appear blank or grayed out.[...]

  • Page 193

    ZyWALL 2 and ZyWALL 2WE Content Filtering 17-3 Table 17-1 Content Filter LABEL DESCRIPTION ActiveX A tool for building dynamic and active Web pages and d istributed object applicatio ns. When you visit an ActiveX Web site, Active X controls are downloaded to your browser, where the y remain in case you visit the site again. Java A programming langu[...]

  • Page 194

    ZyWALL 2 and ZyWALL 2WE 17-4 Content Filtering Table 17-1 Content Filter LABEL DESCRIPTION Time of Day to Block Enter the time period, in 24-hour format, during which content filtering will be enforced. Select the All Day check box to have content filtering al ways active on the days selected in Day to Block with time of day limitations not enforce[...]

  • Page 195

    Logs, Filter Configurati on, and SNMP Configuration V Part V: Logs, Filter Configuration, and SNMP Configuration This part prov ides information and configuration instructions for the logs, filters, and SNMP .[...]


  • Page 197

    ZyWALL 2 and ZyWALL 2WE Centralized Logs 18-1 Chapter 18 Centralized Logs This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to the appendices for example log message explanations and how to view the logs via the SMT command interpreter interface. 18.1 Introduction to Centralized L[...]

  • Page 198

    ZyWALL 2 and ZyWALL 2WE 18-2 Centralized Logs Log entries in red indicate system error logs. The log wraps around and deletes the old entries after it fills, so entries you may need later (for example, firewall matches from a suspected intrusion) should be forwarded to a syslog server (menu 24.3.2) or e-mailed from the Log Settings screen before they are overwritten. Click a column heading to sort the entries. A triangle indicates ascending or descending sort order. Figure 18-1 View Log Table 18-1 View Log LABEL DESCRIPTION Display The categories that [...]

  • Page 199

    ZyWALL 2 and ZyWALL 2WE Centralized Logs 18-3 Table 18-1 View Log LABEL DESCRIPTION Message This field states the reason for the log. Source This field lists the source IP address and the port number of the incoming packet. Destination This field lists the destination IP address and the port number of the incoming packet. Notes This field displ[...]

  • Page 200

    ZyWALL 2 and ZyWALL 2WE 18-4 Centralized Logs Figure 18-2 Log Settings[...]

  • Page 201

    ZyWALL 2 and ZyWALL 2WE Centralized Logs 18-5 Table 18-2 Log Settings LABEL DESCRIPTION Address Info Mail Server Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail. Mail Subject Type a title that you want to be in t[...]

  • Page 202

    ZyWALL 2 and ZyWALL 2WE 18-6 Centralized Logs Table 18-2 Log Settings LABEL DESCRIPTION Day for Sending Log Use the drop-down list box to select which day of the week to send the logs. Time for Sending Log Enter the time of the day in 24-hour format (for example 23:00 equals 11:00 pm) to send the logs. Log Select the categories of logs that y[...]

  • Page 203

    ZyWALL 2 and ZyWALL 2WE Centralized Logs 18-7 The web site hit count may not be 100% accurate because sometimes when an individual web page loads, it may contain references to other web sites that also get counted as hits. The ZyWALL records web site hits by counting the HTTP GET packets. Many web sites include HTTP GET references to other web[...]

  • Page 204

    ZyWALL 2 and ZyWALL 2WE 18-8 Centralized Logs Table 18-3 Reports LABEL DESCRIPTION Report Type Use the drop-down list box to select the type of reports to display. Web Site Hits displays the web sites that have been visited the most often from the LAN and how many times they have been visited. Protocol/Port displays the protocols or service port[...]

  • Page 205

    ZyWALL 2 and ZyWALL 2WE Centralized Logs 18-9 Figure 18-4 Web Site Hits Report Example Table 18-4 Web Site Hits Report LABEL DESCRIPTION Web Site This column lists the domain names of the web sites visited most often from computers on the LAN. The names are ranked by the number of visits to each web site and listed in descending order with the [...]

  • Page 206

    ZyWALL 2 and ZyWALL 2WE 18-10 Centralized Logs Figure 18-5 Protocol/Port Report Example Table 18-5 Protocol/Port Report LABEL DESCRIPTION Protocol/Port This column lists the protocols or service ports for which the most traffic has gone through the ZyWALL. The protocols or service ports are listed in descending order with the most used proto[...]

  • Page 207

    ZyWALL 2 and ZyWALL 2WE Centralized Logs 18-11 18.4.3 LAN IP Address In the Reports screen, select LAN IP Address from the Report Type drop-down list box to have the ZyWALL record and display the LAN IP addresses that the most traffic has been sent to and/or from and how much traffic has been sent to and/or from those IP addresses. Comp[...]

  • Page 208

    ZyWALL 2 and ZyWALL 2WE 18-12 Centralized Logs 18.4.4 Reports Specifications The following table lists detailed specifications on the reports feature. Table 18-7 Reports Specifications LABEL DESCRIPTION Number of web sites/protocols or ports/IP addresses listed: 20 Hit count limit: Up to 2^32 hits can be counted per web site. The count starts ov[...]

  • Page 209

    ZyWALL 2 and ZyWALL 2WE Filter Configuration 19-1 Chapter 19 Filter Configuration This chapter shows you how to create and apply filters. 19.1 Introduction to Filters Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering.[...]

  • Page 210

    ZyWALL 2 and ZyWALL 2WE 19-2 Filter Configuration Figure 19-1 Outgoing Packet Filtering Process For incoming packets, your ZyWALL applies data filters only. Packets are processed depending upon whether a match is found. The following sections describe how to configure filter sets. 19.1.1 The Filter Structure of the ZyWALL A filter set consis[...]

  • Page 211

    ZyWALL 2 and ZyWALL 2WE Filter Configuration 19-3 (Flowchart; only its node labels survive extraction.) Start → Fetch First Filter Set → Fetch First Filter Rule → Active? No: Fetch Next Filter Rule; Yes: Execute Filter Rule → Forward: Accept Packet; Drop: Drop Packet; Check Next Rule: Next Filter Rule Available? Yes: Fetch Next Filter Rule; No: Next Filter Set Available? Yes: Fetch Next Filter Set; No: Accept Packet. Figure 19-2[...]

  • Page 212

    ZyWALL 2 and ZyWALL 2WE 19-4 Filter Configuration You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port. 19.2 Configuring a Filter Set The ZyWALL includes filtering for NetBIOS over TCP/IP packets by d[...]

  • Page 213

    ZyWALL 2 and ZyWALL 2WE Filter Configuration 19-5 Step 3. Select the filter set you wish to configure (1-12) and press [ENTER]. Step 4. Enter a descriptive name or comment in the Edit Comments field and press [ENTER]. Step 5. Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.1 - Filter Rules Summary. This screen shows t[...]

  • Page 214

    ZyWALL 2 and ZyWALL 2WE 19-6 Filter Configuration Table 19-2 Rule Abbreviations Used ABBREVIATION DESCRIPTION IP: Pr = Protocol; SA = Source Address; SP = Source Port number; DA = Destination Address; DP = Destination Port number. GEN: Off = Offset; Len = Length. Refer to the next section for information on configuring the filter rules. 19.2.1 Configuring a Filter Ru[...]

  • Page 215

    ZyWALL 2 and ZyWALL 2WE Filter Configuration 19-7 To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.1.x.x - TCP/IP Filter Rule, as shown next. Figure 19-5 Menu 21.1.1.1: TCP/IP Filter Rule The following table describes how to configure your TCP/IP filter rule. Table 19-3 TCP/IP [...]

  • Page 216

    ZyWALL 2 and ZyWALL 2WE 19-8 Filter Configuration Table 19-3 TCP/IP Filter Rule Menu Fields FIELD DESCRIPTION OPTIONS IP Mask Enter the IP mask to apply to the Destination: IP Addr. 0.0.0.0 Port # Enter the destination port of the packets that you wish to filter. The range of this field is 0 to 65535. This field is ignored if it is 0. 0-655[...]

  • Page 217

    ZyWALL 2 and ZyWALL 2WE Filter Configuration 19-9 Table 19-3 TCP/IP Filter Rule Menu Fields FIELD DESCRIPTION OPTIONS Log Press [SPACE BAR] and then [ENTER] to select a logging option from the following: None – No packets will be logged. Action Matched - Only packets that match the rule parameters will be logged. Action Not Matched - Only packe[...]

  • Page 218

    ZyWALL 2 and ZyWALL 2WE 19-10 Filter Configuration (Flowchart; only its node labels survive extraction.) Each check in the chain ends Matched or Not Matched; Matched takes Action Matched and Not Matched takes Action Not Matched, each of which is Check Next Rule, Forward (Accept Packet) or Drop (Drop Packet); More? asks whether another check remains. The chain: Packet into IP Filter → Filter Active? → Check IP Protocol → Check Src IP Addr (Apply SrcAddrMask to Src Addr) → Chec[...]

  • Page 219

    ZyWALL 2 and ZyWALL 2WE Filter Configuration 19-11 19.2.3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyWALL treats a packet as a byte s[...]

  • Page 220

    ZyWALL 2 and ZyWALL 2WE 19-12 Filter Configuration Table 19-4 Generic Filter Rule Menu Fields FIELD DESCRIPTION OPTIONS Filter # This is the filter set, filter rule co-ordinates, i.e., 2,3 refers to the second filter set and the third rule of that set. Filter Type Use [SPACE BAR] and then [ENTER] to select a rule type. Parameters displayed below[...]

  • Page 221

    ZyWALL 2 and ZyWALL 2WE Filter Configuration 19-13 19.3 Example Filter Let’s look at an example to block outside users from accessing the ZyWALL via telnet. Please see our included disk for more example filters. Figure 19-8 Telnet Filter Example Step 1. Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup. Step 2. Enter 1 t[...]

  • Page 222

    ZyWALL 2 and ZyWALL 2WE 19-14 Filter Configuration Step 6. Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in the following figure. Figure 19-9 Example Filter: Menu 21.1.3.1 When you press [ENTER] to confirm, you will see the following screen. Note that there is only one [...]

  • Page 223

    ZyWALL 2 and ZyWALL 2WE Filter Configuration 19-15 Figure 19-10 Example Filter Rules Summary: Menu 21.1.3 After you’ve created the filter set, you must apply it. Step 1. Enter 11 from the main menu to go to menu 11. Step 2. Go to the Edit Filter Sets field, press [SPACE BAR] to select Yes and press [ENTER]. Step 3. This brings you to menu [...]
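The filter sets of this chapter and the firewall rule summary of section 16.4 share one property: rules are walked in order and the first one whose action is Forward or Drop settles the packet. The following Python model is an example added here, not ZyXEL code. It implements the walk recovered from the Figure 19-2 flowchart and the TCP/IP rule flow (an inactive rule is skipped, the IP mask is applied before the address is compared, a Port # of 0 is ignored, Check Next Rule falls through, and exhausting every set accepts the packet), then evaluates a telnet-blocking set in the spirit of the section 19.3 example beside a second set that admits one management host, in both orders. The field names, the convention that protocol 0 means "any", the second set and the sample packets (documentation addresses) are this example's own assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List

# Limits stated in section 19.1.1: four filter sets per port, six rules per set.
MAX_SETS_PER_PORT = 4
MAX_RULES_PER_SET = 6

# The three actions a TCP/IP rule can select (Action Matched / Action Not Matched).
CHECK_NEXT = "Check Next Rule"
FORWARD = "Forward"
DROP = "Drop"

TCP, UDP = 6, 17  # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class TcpIpRule:
    """One TCP/IP filter rule. Field names are this example's own; the SMT
    menu spells them IP Protocol, IP Addr, IP Mask, Port # and so on."""
    active: bool = True
    protocol: int = 0              # 0 = any protocol (assumption)
    src_addr: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"      # mask 0.0.0.0 keeps no bits, so any address matches
    src_port: int = 0              # 0 = ignored, as the manual says for Port #
    dst_addr: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    dst_port: int = 0
    action_matched: str = CHECK_NEXT
    action_not_matched: str = CHECK_NEXT

    @staticmethod
    def _in_masked(addr: str, rule_addr: str, mask: str) -> bool:
        # "Apply SrcAddrMask to Src Addr": compare only the bits the mask keeps.
        return IPv4Address(addr) in IPv4Network(f"{rule_addr}/{mask}", strict=False)

    def matches(self, p: Packet) -> bool:
        if self.protocol and p.proto != self.protocol:
            return False
        if not self._in_masked(p.src, self.src_addr, self.src_mask):
            return False
        if self.src_port and p.sport != self.src_port:
            return False
        if not self._in_masked(p.dst, self.dst_addr, self.dst_mask):
            return False
        if self.dst_port and p.dport != self.dst_port:
            return False
        return True


def apply_filter_sets(filter_sets: List[List[TcpIpRule]], p: Packet) -> str:
    """Walk sets and rules in order as in Figure 19-2: the first selected action
    that is Forward or Drop decides, Check Next Rule falls through, inactive rules
    are skipped, and a packet that exhausts every set is accepted."""
    if len(filter_sets) > MAX_SETS_PER_PORT:
        raise ValueError(f"at most {MAX_SETS_PER_PORT} filter sets per port")
    for rules in filter_sets:
        if len(rules) > MAX_RULES_PER_SET:
            raise ValueError(f"at most {MAX_RULES_PER_SET} rules per filter set")
        for rule in rules:
            if not rule.active:
                continue
            action = rule.action_matched if rule.matches(p) else rule.action_not_matched
            if action in (FORWARD, DROP):
                return action
    return FORWARD


# A set in the spirit of section 19.3: drop TCP packets to destination port 23.
BLOCK_TELNET = [TcpIpRule(protocol=TCP, dst_port=23, action_matched=DROP)]

# This example's own second set: forward telnet from one management host.
ALLOW_MGMT_TELNET = [TcpIpRule(protocol=TCP, src_addr="203.0.113.5",
                               src_mask="255.255.255.255", dst_port=23,
                               action_matched=FORWARD)]

# Constructed sample packets (documentation addresses).
TELNET_FROM_STRANGER = Packet(TCP, "198.51.100.7", 40000, "192.168.1.1", 23)
TELNET_FROM_MGMT = Packet(TCP, "203.0.113.5", 40001, "192.168.1.1", 23)
HTTP_FROM_STRANGER = Packet(TCP, "198.51.100.7", 40002, "192.168.1.1", 80)


def ordering_demo() -> dict:
    """Verdicts for the same packets under both orderings of the two sets."""
    return {
        "stranger telnet, block only": apply_filter_sets([BLOCK_TELNET], TELNET_FROM_STRANGER),
        "stranger http, block only": apply_filter_sets([BLOCK_TELNET], HTTP_FROM_STRANGER),
        "mgmt telnet, allow before block": apply_filter_sets([ALLOW_MGMT_TELNET, BLOCK_TELNET], TELNET_FROM_MGMT),
        "mgmt telnet, block before allow": apply_filter_sets([BLOCK_TELNET, ALLOW_MGMT_TELNET], TELNET_FROM_MGMT),
    }


if __name__ == "__main__":
    for name, verdict in ordering_demo().items():
        print(f"{name}: {verdict}")
```

Swapping the two sets flips the verdict for the management host: with the blocking set first, its Drop is taken before the permitting set is ever consulted. That is the point behind the ordering warning in section 16.4 and behind choosing deliberately which filter sets go into the Input and Output fields of menus 3.1 and 11.5.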

  • Page 224

    ZyWALL 2 and ZyWALL 2WE 19-16 Filter Configuration 19.4 Filter Types and SUA/NAT There are two classes of filter rules, Generic Filter (Device) rules and protocol filter (TCP/IP) rules. Generic filter rules act on the raw data from/to LAN and WAN. Protocol filter rules act on the IP packets. Generic and TCP/IP filter rules are discussed in [...]

  • Page 225

    ZyWALL 2 and ZyWALL 2WE Filter Configuration 19-17 19.6 Applying a Filter and Factory Defaults This section shows you where to apply the filter(s) after you design it (them). The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and to block incoming telnet, FTP and HTTP connections. If you do not activate the firew[...]

  • Page 226

    ZyWALL 2 and ZyWALL 2WE 19-18 Filter Configuration Figure 19-13 Filtering Remote Node Traffic
    Menu 11.5 – Remote Node Filter Setup
    Input Filter Sets:
      protocol filters=
      device filters=
    Output Filter Sets:
      protocol filters=
      device filters=
    Press ENTER to Confirm or ESC to Cancel:[...]

  • Page 227

    ZyWALL 2 and ZyWALL 2WE SNMP Configuration 20-1 Chapter 20 SNMP Configuration This chapter explains SNMP configuration menu 22. SNMP is only available if TCP/IP is configured. 20.1 Introduction to SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices. SNMP is a member of[...]

  • Page 228

    ZyWALL 2 and ZyWALL 2WE 20-2 SNMP Configuration Figure 20-1 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device in[...]

  • Page 229

    ZyWALL 2 and ZyWALL 2WE SNMP Configuration 20-3 • GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations. • Set - Allows the manager t[...]

  • Page 230

    ZyWALL 2 and ZyWALL 2WE 20-4 SNMP Configuration Table 20-1 SNMP Configuration Menu Fields FIELD DESCRIPTION EXAMPLE Set Community Type the Set community, which is the password for incoming Set requests from the management station. The example value public is the well-known default and should be changed: SNMPv1 sends the community string in cleartext, and anyone who learns the Set community can alter the ZyWALL's configuration unless a Trusted Host is also set. Public Trusted Host If you enter a trusted host, your ZyWALL will only respond to SNMP messages from this address.[...]

  • Page 231

    System Information and Diagnosis and Firmware and Configuration File Maintenance VI Part VI: System Information and Diagnosis and Firmware and Configuration File Maintenance This part provides information on system information and diagnosis and maintaining the firmware and configuration files.[...]


  • Page 233

    ZyWALL 2 and ZyWALL 2WE System Information and Diagnosis 21-1 Chapter 21 System Information & Diagnosis This chapter covers SMT menus 24.1 to 24.4. Wireless LAN applies to the ZyWALL 2WE. 21.1 Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system [...]

  • Page 234

    ZyWALL 2 and ZyWALL 2WE 21-2 System Information and Diagnosis monitor your ZyWALL. Specifically, it gives you information on your system firmware version, number of packets sent and number of packets received. To get to the System Status: Step 1. Enter number 24 to go to Menu 24 - System Maintenance. Step 2. In this menu, enter 1 to open Sy[...]

  • Page 235

    ZyWALL 2 and ZyWALL 2WE System Information and Diagnosis 21-3 Table 21-1 System Maintenance: Status Menu Fields FIELD DESCRIPTION TxPkts The number of transmitted packets on this port. RxPkts The number of received packets on this port. Cols The number of collisions on this port. Tx B/s Shows the transmission speed in Bytes per second on this p[...]

  • Page 236

    ZyWALL 2 and ZyWALL 2WE 21-4 System Information and Diagnosis Figure 21-3 Menu 24.2: System Information and Console Port Speed 21.3.1 System Information System Information gives you information about your system as shown below. More specifically, it gives you information on your routing protocol, Ethernet address, IP address, etc. Figure [...]

  • Page 237

    ZyWALL 2 and ZyWALL 2WE System Information and Diagnosis 21-5 Table 21-2 Fields in System Maintenance: Information FIELD DESCRIPTION Name This is the ZyWALL's system name + domain name assigned in menu 1. For example, System Name= xxx; Domain Name = baboo.mickey.com; Name= xxx.baboo.mickey.com Routing Refers to the routing protocol used. Z[...]

  • Page 238

    ZyWALL 2 and ZyWALL 2WE 21-6 System Information and Diagnosis 21.4 Log and Trace There are two logging facilities in the ZyWALL. The first is the error logs and trace records that are stored locally. The second is the UNIX syslog facility for message logging. 21.4.1 Viewing Error Log The first place you should look for clues when something [...]

  • Page 239

    ZyWALL 2 and ZyWALL 2WE System Information and Diagnosis 21-7 Figure 21-7 Examples of Error and Information Messages 21.4.2 UNIX Syslog The ZyWALL uses the UNIX syslog facility to log the CDR (Call Detail Record) and system messages to a syslog server. Syslog and accounting can be configured in Menu 24.3.2 - System Maintenance - Unix Syslog, as[...]

  • Page 240

    ZyWALL 2 and ZyWALL 2WE 21-8 System Information and Diagnosis You need to configure the UNIX syslog parameters described in the following table to activate syslog, then choose what you want to log. Table 21-3 System Maintenance Menu Syslog Parameters PARAMETER DESCRIPTION UNIX Syslog: Active Press [SPACE BAR] and then [ENTER] to turn syslog [...]

  • Page 241

    ZyWALL 2 and ZyWALL 2WE System Information and Diagnosis 21-9 2. Packet triggered
    Packet triggered Message Format
    SdcmdSyslogSend( SYSLOG_PKTTRI, SYSLOG_NOTICE, String );
    String = Packet trigger: Protocol=xx Data=xxxxxxxxxx…..x
    Protocol: (1:IP 2:IPX 3:IPXHC 4:BPDU 5:ATALK 6:IPNG)
    Data: We will send forty-eight Hex characters to the server
    Jul [...]

  • Page 242

    ZyWALL 2 and ZyWALL 2WE 21-10 System Information and Diagnosis 5. Firewall log
    Firewall Log Message Format
    SdcmdSyslogSend(SYSLOG_FIREWALL, SYSLOG_NOTICE, buf);
    buf = IP[Src=xx.xx.xx.xx : spo=xxxx Dst=xx.xx.xx.xx : dpo=xxxx | prot | rule | action]
    Src: Source Address
    spo: Source port (empty means no source port information)
    Dst: Destination Addre[...]
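A parser for the two message bodies quoted above, added here as an example and not ZyXEL code. It recognises the firewall body IP[Src=... : spo=... Dst=... : dpo=... | prot | rule | action], treating an empty spo or dpo as "no port information" as the manual says, and the Packet trigger body, mapping the protocol code through the list given above and checking that the Data field carries the forty-eight hex characters. The syslog header in front of each body, the spelling of the action field as forward and block, and the sample lines themselves are constructed assumptions; nothing here was captured from a device.

```python
import re
from typing import Dict, List, Optional

# Protocol codes the manual lists for "Packet trigger" messages.
PKTTRI_PROTOCOLS = {1: "IP", 2: "IPX", 3: "IPXHC", 4: "BPDU", 5: "ATALK", 6: "IPNG"}
PKTTRI_DATA_HEX_CHARS = 48  # "We will send forty-eight Hex characters"

# Firewall body from the manual:
#   IP[Src=xx.xx.xx.xx : spo=xxxx Dst=xx.xx.xx.xx : dpo=xxxx | prot | rule | action]
# spo/dpo use \d* because an empty value means "no port information".
_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
FIREWALL_RE = re.compile(
    r"IP\[Src=(?P<src>" + _IP + r")\s*:\s*spo=(?P<spo>\d*)\s+"
    r"Dst=(?P<dst>" + _IP + r")\s*:\s*dpo=(?P<dpo>\d*)\s*\|"
    r"\s*(?P<prot>[^|]*?)\s*\|\s*(?P<rule>[^|]*?)\s*\|\s*(?P<action>[^\]]*?)\s*\]"
)
PKTTRI_RE = re.compile(
    r"Packet trigger:\s*Protocol=(?P<code>\d+)\s+Data=(?P<data>[0-9A-Fa-f]+)"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Classify one syslog line. The header in front of the body (timestamp,
    host, tag) is not interpreted; the body is searched for anywhere in the line."""
    m = FIREWALL_RE.search(line)
    if m:
        g = m.groupdict()
        return {
            "kind": "firewall",
            "src": g["src"], "spo": int(g["spo"]) if g["spo"] else None,
            "dst": g["dst"], "dpo": int(g["dpo"]) if g["dpo"] else None,
            "prot": g["prot"], "rule": g["rule"], "action": g["action"],
        }
    m = PKTTRI_RE.search(line)
    if m:
        code, data = int(m.group("code")), m.group("data")
        return {
            "kind": "packet_trigger",
            "protocol": PKTTRI_PROTOCOLS.get(code, f"unknown({code})"),
            "data_hex": data,
            "complete": len(data) == PKTTRI_DATA_HEX_CHARS,
        }
    return None


def blocked_sources(lines: List[str]) -> Dict[str, int]:
    """Count, per source address, firewall entries whose action is not 'forward'.
    Assumption: a permitted packet is logged with the action spelled 'forward'."""
    counts: Dict[str, int] = {}
    for line in lines:
        rec = parse_line(line)
        if rec and rec["kind"] == "firewall" and str(rec["action"]).lower() != "forward":
            src = str(rec["src"])
            counts[src] = counts.get(src, 0) + 1
    return counts


# Constructed sample lines (documentation addresses); the header layout is assumed.
SAMPLE_LOG = [
    "Jul 19 11:22:33 zywall ZyWALL: IP[Src=198.51.100.7 : spo=40000 Dst=203.0.113.2 : dpo=23 | TCP | default | block]",
    "Jul 19 11:22:34 zywall ZyWALL: IP[Src=198.51.100.7 : spo=40001 Dst=203.0.113.2 : dpo=80 | TCP | default | block]",
    "Jul 19 11:22:35 zywall ZyWALL: IP[Src=192.168.1.33 : spo=1025 Dst=203.0.113.9 : dpo=53 | UDP | default | forward]",
    "Jul 19 11:22:36 zywall ZyWALL: IP[Src=198.51.100.9 : spo= Dst=203.0.113.2 : dpo= | ICMP | default | block]",
    "Jul 19 11:22:37 zywall ZyWALL: Packet trigger: Protocol=1 Data=" + "45000028" + "0" * 40,
    "Jul 19 11:22:38 zywall ZyWALL: unrelated message",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_line(line))
    print(blocked_sources(SAMPLE_LOG))
```

The ICMP line shows why spo and dpo are parsed as optional: the manual says an empty port field means no port information, and a parser that demands digits there would silently drop exactly the entries that lack them. Feeding a day's forwarded syslog through blocked_sources gives a first cut at which WAN addresses keep hitting the default block rule.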

  • Page 243

    ZyWALL 2 and ZyWALL 2WE System Information and Diagnosis 21-11 Figure 21-9 Call-Triggering Packet Example 21.5 Diagnostic The diagnostic facility allows you to test the different aspects of your ZyWALL to determine if it is working properly. Menu 24.4 allows you to choose among various types of diagnostic tests to evaluate your system, as [...]

  • Page 244

    ZyWALL 2 and ZyWALL 2WE 21-12 System Information and Diagnosis Step 2. From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagnostic. Figure 21-10 Menu 24.4: System Maintenance: Diagnostic 21.5.1 WAN DHCP DHCP functionality can be enabled on the LAN or WAN as shown in Figure 21-11. LAN DHCP has al[...]

  • Page 245

    ZyWALL 2 and ZyWALL 2WE System Information and Diagnosis 21-13 Figure 21-11 WAN & LAN DHCP The following table describes the diagnostic tests available in menu 24.4 for your ZyWALL and associated connections. Table 21-4 System Maintenance Menu Diagnostic FIELD DESCRIPTION Ping Host Enter 1 to ping any machine (with an IP address) on your[...]


  • Page 247

    ZyWALL 2 and ZyWALL 2WE Firmware and Configuration File Maintenance 22-1 Chapter 22 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 22.1 Filename Conventions The configuration file (often called the romfile or r[...]

  • Page 248

    ZyWALL 2 and ZyWALL 2WE 22-2 Firmware and Configuration File Maintenance local network or FTP site and so the name (but not the extension) may vary. After uploading new firmware, see the ZyNOS F/W Version field in Menu 24.2.1 - System Maintenance - Information to confirm that you have uploaded the correct firmware version. The AT command[...]

  • Page 249

    ZyWALL 2 and ZyWALL 2WE Firmware and Configuration File Maintenance 22-3 22.2.1 Backup Configuration Follow the instructions as shown in the next screen. Figure 22-1 Telnet into Menu 24.5 22.2.2 Using the FTP Command from the Command Line Step 1. Launch the FTP client on your computer. Step 2. Enter “open”, followed by a space and the IP ad[...]

  • Page 250

    ZyWALL 2 and ZyWALL 2WE 22-4 Firmware and Configuration File Maintenance Figure 22-2 FTP Session Example 22.2.4 GUI-based FTP Clients The following table describes some of the commands that you may see in GUI-based FTP clients. Table 22-2 General Commands for GUI-based FTP Clients COMMAND DESCRIPTION Host Address Enter the address of the h[...]

  • Page 251

    ZyWALL 2 and ZyWALL 2WE Firmware and Configuration File Maintenance 22-5
    1. The firewall is active (turn the firewall off in menu 21.2 or, preferably, create a firewall rule that allows access from the WAN only for the management host's address).
    2. You have disabled Telnet service in menu 24.11.
    3. You have applied a filter in menu 3.1 (LAN) or in menu 11.5 (WAN) to block Telnet service.
    4. Th[...]

  • Page 252

    ZyWALL 2 and ZyWALL 2WE 22-6 Firmware and Configuration File Maintenance 22.2.7 TFTP Command Example The following is an example TFTP command:
    tftp [-i] host get rom-0 config.rom
    Where “i” specifies binary image transfer mode (use this mode when transferring binary files), “host” is the ZyWALL IP address, “get” transfers the file [...] Note that TFTP carries no authentication at all, so the configuration file is available to any host that can reach the TFTP service; keep that path restricted to the LAN or to a specific management host with the firewall and filter rules described earlier.

  • Page 253

    ZyWALL 2 and ZyWALL 2WE Firmware and Configuration File Maintenance 22-7 Figure 22-3 System Maintenance: Backup Configuration Step 2. The following screen indicates that the Xmodem download has started. Figure 22-4 System Maintenance: Starting Xmodem Download Screen Step 3. Run the HyperTerminal program by clicking Transfer, then Recei[...]

  • Page 254

    ZyWALL 2 and ZyWALL 2WE 22-8 Firmware and Configuration File Maintenance 22.3 Restore Configuration This section shows you how to restore a previously saved configuration. Note that this function erases the current configuration before restoring a previous backup configuration; please do not attempt to restore unless you have a backu[...]

  • Page 255

    ZyWALL 2 and ZyWALL 2WE Firmware and Configuration File Maintenance 22-9 Figure 22-7 Telnet into Menu 24.6 Step 1. Launch the FTP client on your computer. Step 2. Enter “open”, followed by a space and the IP address of your ZyWALL. Step 3. Press [ENTER] when prompted for a username. Step 4. Enter your password as requested (the default is[...]

  • Page 256

    ZyWALL 2 and ZyWALL 2WE 22-10 Firmware and Configuration File Maintenance 22.3.2 Restore Using FTP Session Example Figure 22-8 Restore Using FTP Session Example Refer to section 22.2.5 to read about configurations that disallow TFTP and FTP over WAN. 22.3.3 Restore Via Console Port Restore configuration via console port by following the Hy[...]

  • Page 257

    ZyWALL 2 and ZyWALL 2WE Firmware and Configuration File Maintenance 22-11 Figure 22-11 Restore Configuration Example Step 4. After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu. Figure 22-12 Successful Restoration Confirmation Screen 22.4 Uploading Firmware and Con[...]

  • Page 258

    ZyWALL 2 and ZyWALL 2WE 22-12 Firmware and Configuration File Maintenance When you telnet into the ZyWALL, you will see the following screens for uploading firmware and the configuration file using FTP. Figure 22-13 Telnet Into Menu 24.7.1: Upload System Firmware 22.4.2 Configuration File Upload You see the following screen when you telnet int[...]

  • Page 259

    ZyWALL 2 and ZyWALL 2WE Firmware and Configuration File Maintenance 22-13 Figure 22-14 Telnet Into Menu 24.7.2: System Maintenance To upload the firmware and the configuration file, follow these examples. 22.4.3 FTP File Upload Command from the DOS Prompt Example Step 1. Launch the FTP client on your computer. Step 2. Enter “open”, followed [...]

  • Page 260

    ZyWALL 2 and ZyWALL 2WE 22-14 Firmware and Configuration File Maintenance Step 7. Enter “quit” to exit the ftp prompt. 22.4.4 FTP Session Example of Firmware File Upload Figure 22-15 FTP Session Example of Firmware File Upload More commands (found in GUI-based FTP clients) are listed earlier in this chapter. Refer to section 22.2.5 to r[...]

  • Page 261

    ZyWALL 2 and ZyWALL 2WE Firmware and Configuration File Maintenance 22-15 Step 4. Launch the TFTP client on your computer and connect to the ZyWALL. Set the transfer mode to binary before starting data transfer. Step 5. Use the TFTP client (see the example below) to transfer files between the ZyWALL and the computer. The file name for the[...]

  • Page 262

    ZyWALL 2 and ZyWALL 2WE 22-16 Firmware and Configuration File Maintenance Figure 22-16 Menu 24.7.1 as seen using the Console Port Step 2. After the "Starting Xmodem upload" message appears, activate the Xmodem protocol on your computer. Follow the procedure as shown previously for the HyperTerminal program. The procedure fo[...]

  • Page 263

    ZyWALL 2 and ZyWALL 2WE Firmware and Configuration File Maintenance 22-17 22.4.10 Uploading Configuration File Via Console Port Step 1. Select 2 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.2 - System Maintenance - Upload System Configuration File. Follow the instructions as shown in the next screen. Figure [...]

  • Page 264

    ZyWALL 2 and ZyWALL 2WE 22-18 Firmware and Configuration File Maintenance Figure 22-19 Example Xmodem Upload After the configuration upload process has completed, restart the ZyWALL by entering “atgo”. Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send.[...]

  • Page 265

    System Maintenance and Information and Remote Management VII Part VII: System Maintenance and Information and Remote Management This part provides information on the system maintenance and information functions and how to configure remote management.[...]


  • Page 267

    ZyW ALL 2 and ZyW ALL 2WE System Maintenance & Information 23-1 Chapter 23 System Maintenance & Information This chapter leads yo u through SMT menus 24.8 to 24.10. 23.1 Command Interpreter Mode The Command I nterpreter (CI) is a part o f the main rout er firm ware. The CI pr ovides much of t h e same functionality as the SMT, while adding [...]

  • Page 268

    ZyW ALL 2 and ZyW ALL 2WE 23-2 System Maintenance & Information Figure 23-2 Valid Commands 23.2 Call Control Support The ZyWALL pr ovides two cal l control func tions: budget managem ent and call history. Please not e that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in m enu 4 or menu 11. 1. The budget management fun[...]

  • Page 269

    ZyW ALL 2 and ZyW ALL 2WE System Maintenance & Information 23-3 Menu 24.9.1 shows the budget management statistics for ou tgoing calls. Enter 1 from Menu 24. 9 - System Maintenance - Call Contro l to br ing up th e fo llow ing men u. Figure 23-4 Budget Managemen t The total budget is the time limit on the accum u lated time for outgoing calls t[...]

  • Page 270

    ZyW ALL 2 and ZyW ALL 2WE 23-4 System Maintenance & Information 23.2.2 Call History This is the second option in Menu 24.9 - System Main tenance - Call Control . It displ ays information about past incom ing and outgoing calls . Enter 2 from Menu 24.9 - System M aintenance - Call Control to bring up the following menu. Figure 23-5 Call History [...]

  • Page 271

23.3 Time and Date Setting. The ZyWALL has a software mechanism to set the time manually or to get the current time and date from an external server when you turn on your ZyWALL. Menu 24.10 allows you to update the time and date settings of your ZyWALL. The real time is then displaye[...]

  • Page 272

Table 23-3 Time and Date Setting Fields. FIELD / DESCRIPTION. Enter the time service protocol that your timeserver sends when you turn on the ZyWALL. Not all timeservers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find[...]

  • Page 273

ii. When the ZyWALL starts up, if there is a timeserver configured in menu 24.10. iii. At 24-hour intervals after starting. [...]

  • Page 275

Chapter 24 Remote Management. This chapter covers remote management found in SMT menu 24.11. 24.1 Remote Management and the Firewall. When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access. See the firewall chapters for de[...]

  • Page 276

24.3 FTP. You can upload and download the ZyWALL's firmware and configuration files using FTP; please see the chapter on firmware and configuration file maintenance for details. To use this feature, your computer must have an FTP client. 24.4 Web. You can use the ZyWALL's embedded web configu[...]

  • Page 277

LAN only, or Neither (Disable). When you choose WAN only or ALL (LAN & WAN), you still need to configure a firewall rule to allow access. To disable remote management of a service, select Disable in the corresponding Server Access field. Enter 11 from menu 24 to bring up Menu 24.11 – [...]

  • Page 278

Table 24-1 Menu 24.11 – Remote Management Control. FIELD / DESCRIPTION / EXAMPLE. Secured Client IP: The default 0.0.0.0 allows any client to use this service to remotely manage the ZyWALL. Enter an IP address to restrict access to a client with a matching IP address. Example: 0.0.0.0. Once you have filled in th[...]
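The three controls described in sections 24.1 and 24.5 (the per-service Server Access setting, the Secured Client IP filter, and the separate firewall rule that WAN-side management still requires) are easy to misread in isolation. The following is an added example, not ZyXEL code and not taken from the manual: it models those three rules as the manual states them so their interaction can be checked on sample requests, and adds an audit helper that lists services reachable from the WAN by any client address. The service names, the firewall-rule representation and the well-known ports are assumptions made for the example. Note also that Secured Client IP is a source-address filter, not authentication; the password is still the only credential.

```python
"""Model of the Menu 24.11 remote-management decision (added example,
not ZyXEL code).  Field names mirror the manual; the firewall-rule model
and the service/port table are assumptions for this illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class ServiceAccess:
    name: str                            # "telnet", "ftp" or "web" (assumed names)
    server_access: str                   # "LAN", "WAN", "ALL" or "Disable"
    secured_client_ip: str = "0.0.0.0"   # manual default: 0.0.0.0 = any client


@dataclass
class FirewallPolicy:
    # Assumed representation: set of (direction, tcp_port) pairs the firewall permits.
    allowed: set = field(default_factory=set)


# Assumed well-known ports for the services chapter 24 names.
SERVICE_PORTS = {"telnet": 23, "ftp": 21, "web": 80}


def remote_management_allowed(svc, fw, ingress, src_ip):
    """Return (allowed, reason) for a management request.

    ingress is the interface the request arrived on ("LAN" or "WAN");
    src_ip is the client address as a string.
    """
    if svc.server_access == "Disable":
        return False, "service disabled in Server Access"
    if svc.server_access not in ("ALL", ingress):
        return False, f"Server Access is {svc.server_access}, request came from {ingress}"
    # Secured Client IP: 0.0.0.0 matches any client, otherwise an exact match is required.
    if svc.secured_client_ip != "0.0.0.0" and ip_address(src_ip) != ip_address(svc.secured_client_ip):
        return False, f"source {src_ip} is not the Secured Client IP {svc.secured_client_ip}"
    # Section 24.1: WAN-side management also needs a firewall rule; LAN-side does not.
    if ingress == "WAN" and ("WAN_to_ZyWALL", SERVICE_PORTS[svc.name]) not in fw.allowed:
        return False, "no firewall rule permits WAN to ZyWALL on this service's port"
    return True, "allowed"


def wide_open_services(services):
    """Audit helper: services reachable from the WAN by any client address."""
    return [s.name for s in services
            if s.server_access in ("WAN", "ALL") and s.secured_client_ip == "0.0.0.0"]


if __name__ == "__main__":
    web = ServiceAccess("web", "ALL")
    fw = FirewallPolicy({("WAN_to_ZyWALL", 80)})
    print(remote_management_allowed(web, fw, "WAN", "203.0.113.9"))
    print(wide_open_services([web, ServiceAccess("telnet", "WAN", "203.0.113.9")]))
```

The audit helper is the check worth running after any change to menu 24.11: a service listed by it is exposed to every WAN address that the firewall rule lets through, protected only by the login password and the five-minute idle timeout of section 24.9.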

  • Page 279

24.9 System Timeout. There is a system timeout of five minutes (three hundred seconds) for either the console port or telnet/web/FTP connections. Your ZyWALL automatically logs you out if you do nothing in this timeout period, except when it is continuously updating the status in menu 24.1 or w[...]

  • Page 281

Part VIII: Call Scheduling and VPN/IPSec. This part provides information on how to configure call scheduling and VPN/IPSec. [...]

  • Page 283

Chapter 25 Call Scheduling. Call scheduling allows you to dictate when a remote node should be called and for how long. 25.1 Introduction to Call Scheduling. The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long. This f[...]

  • Page 284

and 4, as the ZyWALL, by default, applies the lowest numbered set first. Set 2 will take precedence over sets 3 and 4, and so on. You can design up to 12 schedule sets but you can only apply up to four schedule sets to a remote node. To delete a schedule set, enter the set number and press [SP[...]

  • Page 285

Table 25-1 Schedule Set Setup Fields. FIELD / DESCRIPTION / OPTIONS. How Often: Should this schedule set recur weekly or be used just once? Press [SPACE BAR] and then [ENTER] to select Once or Weekly. These two options are mutually exclusive. If Once is selected, then all weekday settings are N/A. When[...]

  • Page 286

Figure 25-3 Applying Schedule Set(s) to a Remote Node (PPPoE). You can apply up to four schedule sets, separated by commas, to one remote node. Change the schedule set numbers to your preference(s). Menu 11.1 - Remote Node Profile: Rem Node Name= ChangeMe, Route= IP, Active= Yes, Encapsulation= PP[...]

  • Page 287

Figure 25-4 Applying Schedule Set(s) to a Remote Node (PPTP). Menu 11.1 - Remote Node Profile: Rem Node Name= ChangeMe, Route= IP, Active= Yes, Encapsulation= PPTP, Edit IP= No, Service Type= Standard, Telco Option: Service Name= N/A, Allocated Budget(min)= 0, Outgoing=, Period(hr)= 0, My Login=, Schedules= 1,2,3,[...]

  • Page 289

Chapter 26 Introduction to IPSec. This chapter introduces the basics of IPSec VPNs. 26.1 VPN Overview. A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, auth[...]

  • Page 290

Figure 26-1 Encryption and Decryption. • Data Confidentiality: The IPSec sender can encrypt packets before transmitting them across a network. • Data Integrity: The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmi[...]

  • Page 291

Figure 26-2 VPN Application. 26.2 IPSec Architecture. The overall IPSec architecture is shown as follows. [...]

  • Page 292

Figure 26-3 IPSec Architecture. 26.2.1 IPSec Algorithms. The ESP (Encapsulating Security Payload) protocol (RFC 2406) and the AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms). The Encry[...]

  • Page 293

26.3 Encapsulation. The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode. Figure 26-4 Transport and Tunnel Mode IPSec Encapsulation. 26.3.1 Transport Mode. Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transpo[...]

  • Page 294

A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and complain that the hash value appended to t[...]
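The paragraph above describes why AH fails behind a NAT router, and section 27.7 later introduces NAT traversal as the workaround. The following is an added example, not ZyXEL code and not from the manual, that reproduces the failure in miniature: it builds a 20-byte IPv4 header, computes an AH-style integrity check value over the header with its mutable fields zeroed (so the addresses are covered) and an ESP-style value that covers only the ESP header and payload, then applies the address rewrite a NAT router performs and lets the "receiver" verify both. The key, addresses and payload are constructed for the demonstration; HMAC-MD5 truncated to 96 bits is used as the ICV, as in Table 27-1.

```python
"""Why AH breaks behind NAT while ESP survives (added example, not ZyXEL code).
Packet bytes, key and addresses are constructed for this demonstration."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

KEY = b"constructed-demo-key"          # constructed; a real SA key comes from IKE
PAYLOAD = b"constructed inner packet"  # constructed; stands in for the tunnelled data
IPPROTO_ESP, IPPROTO_AH = 50, 51


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal IPv4 header: version/IHL, TOS, total length, ID, flags/frag,
    TTL, protocol, checksum (left 0 for the demo), source, destination."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def ah_icv(ip_hdr, payload):
    """AH integrity check value (RFC 2402): HMAC over the IP header with the
    mutable fields (TOS, flags/fragment offset, TTL, checksum) zeroed, plus the
    payload.  Source and destination addresses are immutable and ARE covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags / fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return hmac.new(KEY, bytes(h) + payload, hashlib.md5).digest()[:12]


def esp_icv(esp_packet):
    """ESP integrity check value (RFC 2406): HMAC over SPI, sequence number and
    the (encrypted) payload only; the outer IP header is not covered."""
    return hmac.new(KEY, esp_packet, hashlib.md5).digest()[:12]


def nat_rewrite_source(ip_hdr, new_src):
    """What a NAT router in the path does: replace the source address and
    decrement the TTL (a real router also recomputes the header checksum)."""
    h = bytearray(ip_hdr)
    h[12:16] = IPv4Address(new_src).packed
    h[8] -= 1
    return bytes(h)


def ah_survives_nat(src="192.168.1.10", dst="203.0.113.5", nat="198.51.100.1"):
    """Sender computes the AH ICV, NAT rewrites the source, receiver recomputes."""
    hdr = ipv4_header(src, dst, IPPROTO_AH, 20 + 24 + len(PAYLOAD))
    icv_sent = ah_icv(hdr, PAYLOAD)
    arrived = nat_rewrite_source(hdr, nat)
    return hmac.compare_digest(icv_sent, ah_icv(arrived, PAYLOAD))


def esp_survives_nat(src="192.168.1.10", dst="203.0.113.5", nat="198.51.100.1"):
    """Same path with ESP: the outer header changes, but the ICV never covered it."""
    esp = struct.pack("!II", 0x1000, 1) + PAYLOAD   # SPI, sequence number, would-be ciphertext
    hdr = ipv4_header(src, dst, IPPROTO_ESP, 20 + len(esp) + 12)
    icv_sent = esp_icv(esp)
    nat_rewrite_source(hdr, nat)                    # outer header is rewritten in transit
    return hmac.compare_digest(icv_sent, esp_icv(esp))


if __name__ == "__main__":
    print("AH verifies after NAT: ", ah_survives_nat())
    print("ESP verifies after NAT:", esp_survives_nat())
```

Running it shows AH failing and ESP passing. Calling `ah_survives_nat(nat="192.168.1.10")` (no address change, only the TTL decrement) passes, which is exactly why AH zeroes TTL and checksum before hashing: those fields are expected to change, addresses are not. In practice ESP tunnel mode plus the UDP encapsulation of section 27.7 is the configuration that works across NAT.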

  • Page 295

Chapter 27 VPN/IPSec Setup. This chapter introduces the VPN web configurator screens. See the Logs chapter and the appendices for information on IPSec logs. 27.1 VPN/IPSec Overview. Use the screens documented in this chapter to configure rules for VPN connections and to manage VPN connections. 27.2 I[...]

  • Page 296

Table 27-1 AH and ESP. ESP: DES (default). Data Encryption Standard (DES) is a widely used method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data. AH: MD5 (default). MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data. 3DES T[...]

  • Page 297

The Secure Gateway IP Address may be configured as 0.0.0.0 only when using IKE key management and not Manual key management. 27.5 Summary Screen. The following figure helps explain the main fields in the web configurator. Figure 27-1 IPSec Summary Fields. Local and remote IP addresses must be static[...]

  • Page 298

Table 27-2 VPN Summary. LABEL / DESCRIPTION. #: This field displays the VPN rule number. Active: Y signifies that this VPN rule is active. Local Addr.: This field displays the IP address of the computer using the VPN IPSec feature of your ZyWALL. Remote Addr.: This field displays the IP address (in a range) of [...]

  • Page 299

When there is outbound traffic with no inbound traffic, the ZyWALL automatically drops the tunnel after two minutes. 27.7 NAT Traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers. Figure 27-3 NAT Router Between IPSec Routers. Norm[...]

  • Page 300

addresses. Telecommuters can use separate passwords to simultaneously connect to the ZyWALL from IPSec routers with dynamic IP addresses (see section 27.16.2 for a telecommuter configuration example). With main mode (see section 27.10.1), the ID type and content are encrypted to provide iden[...]

  • Page 301

27.8.1 ID Type and Content Examples. Two IPSec routers must have matching ID type and content configuration in order to set up a VPN tunnel. The two ZyWALLs in this example can complete negotiation and establish a VPN tunnel. Table 27-5 Matching ID Type and Content Configuration Example. ZYWALL A[...]

  • Page 302

Figure 27-4 Basic IKE VPN Rule Setup. Table 27-7 Basic IKE VPN Rule Setup. LABEL / DESCRIPTION. Active: Select this check box to activate this VPN tunnel. This option determines whether a VPN rule is applied before a packet leaves the firewall. [...]

  • Page 303

Table 27-7 Basic IKE VPN Rule Setup (continued). Keep Alive: Select this check box to turn on the keep alive feature for this SA. Turn on keep alive to have the ZyWALL automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic. The remote IPSec router must also ha[...]

  • Page 304

Table 27-7 Basic IKE VPN Rule Setup (continued). My IP Address: Enter the WAN IP address of your ZyWALL. The ZyWALL uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. The VPN tunnel has to be rebuilt if this IP address changes. [...]

  • Page 305

Table 27-7 Basic IKE VPN Rule Setup (continued). Peer Content: When you select IP in the Peer ID Type field, type the IP address of the computer with which you will make the VPN connection, or leave the field blank to have the ZyWALL automatically use the address in the Secure Gateway field. When[...]

  • Page 306

Table 27-7 Basic IKE VPN Rule Setup (continued). Encryption Algorithm: Select DES, 3DES or NULL from the drop-down list box. When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and [...] Note that NULL provides integrity only (the payload travels in the clear) and that single DES's 56-bit key can be recovered by brute force with commodity hardware; of the three options offered, 3DES is the only one that still gives meaningful confidentiality.

  • Page 307

• Choose a negotiation mode. • Authenticate the connection by entering a pre-shared key. • Choose an encryption algorithm. • Choose an authentication algorithm. • Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2). • Set the IKE SA lifetime. This field allo[...]

  • Page 308

27.10.3 Diffie-Hellman (DH) Key Groups. Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. 768-bit (Group 1 - DH1) and 102[...]
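To make the DH1/DH2 choice above concrete, here is an added example (not ZyXEL code and not from the manual) that runs the Diffie-Hellman exchange of an IKE phase 1 over the two groups the ZyWALL offers. The moduli are the 768-bit and 1024-bit MODP primes from RFC 2409 section 6 with generator 2; the exponent size and the absence of the SKEYID derivation (in IKE the shared value is fed into a PRF together with the pre-shared key, not used as a key directly) are simplifications for illustration. The peer-value range check is the one any implementation must do so that a forged public value of 1 or p-1 cannot force a predictable secret. Be aware that a 768-bit group is considered too weak for current use; where both peers offer DH2, use it.

```python
"""Diffie-Hellman over the IKE groups DH1 (768-bit) and DH2 (1024-bit).
Added example, not ZyXEL code.  Primes from RFC 2409 section 6, generator 2."""
import secrets


def _modp(hex_words):
    return int(hex_words.replace(" ", "").replace("\n", ""), 16)


GROUP1_768 = _modp("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF
""")
GROUP2_1024 = _modp("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""")
GENERATOR = 2
GROUPS = {"DH1": GROUP1_768, "DH2": GROUP2_1024}   # the two choices in the IKE rule screen


def modulus_bits(group):
    """Size of the group's prime; the 'bits' the manual quotes for DH1 and DH2."""
    return GROUPS[group].bit_length()


def dh_keypair(group):
    """Pick a private value x in [2, p-2] and return (x, g^x mod p)."""
    p = GROUPS[group]
    x = secrets.randbelow(p - 3) + 2       # simplification: full-size exponent
    return x, pow(GENERATOR, x, p)


def dh_shared_secret(group, private, peer_public):
    """g^(xy) mod p, after rejecting peer values that force a trivial secret."""
    p = GROUPS[group]
    if not 2 <= peer_public <= p - 2:      # 0, 1 and p-1 give secrets 0, 1 or +-1
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, p)


def ike_phase1_keys_agree(group):
    """One IKE SA setup's DH step: both gateways derive the same shared value,
    having exchanged only their public values over the untrusted network."""
    xa, ya = dh_keypair(group)             # ZyWALL A
    xb, yb = dh_keypair(group)             # ZyWALL B
    return dh_shared_secret(group, xa, yb) == dh_shared_secret(group, xb, ya)


if __name__ == "__main__":
    for g in GROUPS:
        print(g, modulus_bits(g), "bits, peers agree:", ike_phase1_keys_agree(g))
```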

  • Page 309

Figure 27-6 Advanced IKE VPN Rule Setup [...]

  • Page 310

Table 27-8 Advanced IKE VPN Rule Setup. LABEL / DESCRIPTION. Active: Select this check box to activate this VPN/IPSec policy. Keep Alive: Select this check box to turn on the Keep Alive feature for this SA. Turn on Keep Alive to have the ZyWALL automatically reinitiate the SA after the SA lifetime times o[...]

  • Page 311

Table 27-8 Advanced IKE VPN Rule Setup (continued). Local Port End: Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field (or equal to it for configuring an individual port). Remote Address Start: Enter the beginni[...]

  • Page 312

Table 27-8 Advanced IKE VPN Rule Setup (continued). Secure Gateway Address: Type the WAN IP address or the URL (up to 31 characters) of the remote secure gateway with which you're making the VPN connection. Set this field to 0.0.0.0 if the remote secure gateway has a dynamic WAN IP addres[...]

  • Page 313

Table 27-8 Advanced IKE VPN Rule Setup (continued). SA Life Time: Define the length of time before an IKE SA automatically renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost 35 days). A short SA Life Time increases security by forcing the two VPN gateways to update [...]

  • Page 314

Table 27-8 Advanced IKE VPN Rule Setup (continued). Authentication Algorithm: Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than M[...]
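Sections 27.4, 27.8.1 and 27.10 together spell out what two IKE rules must satisfy before a tunnel can come up: Secure Gateway 0.0.0.0 only with IKE key management, an SA Life Time between 60 and 3,000,000 seconds, algorithms from the offered lists, each side's Local ID equal to the other side's Peer ID (with a blank Peer Content of type IP falling back to the Secure Gateway address), and the same phase 1 proposal and pre-shared key on both ends. The following added example, not ZyXEL code and not from the manual, encodes those constraints as a checker for a pair of rule definitions; the dictionary layout, the key names and the two sample rules (modelled on Table 27-5) are assumptions made for the example.

```python
"""Pairwise checker for ZyWALL-style IKE VPN rules (added example, not ZyXEL
code).  Key names mirror the web-configurator labels; the dict layout and the
sample rules are assumptions for this illustration."""
from ipaddress import ip_address

ENCRYPTION = {"DES", "3DES", "NULL"}
AUTHENTICATION = {"SHA1", "MD5"}
DH_GROUPS = {"DH1", "DH2"}
NEGOTIATION_MODES = {"Main", "Aggressive"}
SA_LIFETIME_SECONDS = (60, 3_000_000)
PHASE1_FIELDS = ("negotiation_mode", "encryption", "authentication", "dh_group", "pre_shared_key")

# Constructed pair: each side's Local ID is the other side's Peer ID.  ZyWALL A
# leaves Peer Content blank, so the Secure Gateway address stands in for it.
RULE_A = {
    "key_management": "IKE", "negotiation_mode": "Main",
    "my_ip": "198.51.100.2", "secure_gateway": "203.0.113.5",
    "local_id_type": "IP", "local_content": "198.51.100.2",
    "peer_id_type": "IP", "peer_content": "",
    "encryption": "3DES", "authentication": "SHA1", "dh_group": "DH2",
    "sa_lifetime": 28800, "pre_shared_key": "constructed-psk-not-for-real-use",
}
RULE_B = dict(RULE_A, my_ip="203.0.113.5", secure_gateway="198.51.100.2",
              local_content="203.0.113.5", peer_content="198.51.100.2")


def validate_rule(r):
    """Problems with a single rule, per the limits chapter 27 states ([] == OK)."""
    problems = []
    if r["key_management"] == "Manual" and r["secure_gateway"] == "0.0.0.0":
        problems.append("Secure Gateway 0.0.0.0 is only valid with IKE key management")
    if r["encryption"] not in ENCRYPTION:
        problems.append(f"unknown encryption algorithm {r['encryption']}")
    if r["authentication"] not in AUTHENTICATION:
        problems.append(f"unknown authentication algorithm {r['authentication']}")
    if r["key_management"] == "IKE":
        if r.get("negotiation_mode") not in NEGOTIATION_MODES:
            problems.append("negotiation mode must be Main or Aggressive")
        if r.get("dh_group") not in DH_GROUPS:
            problems.append("DH group must be DH1 or DH2")
        lo, hi = SA_LIFETIME_SECONDS
        if not lo <= r.get("sa_lifetime", 0) <= hi:
            problems.append(f"SA Life Time must be {lo}..{hi} seconds")
    return problems


def effective_peer_content(r):
    """Blank Peer Content with Peer ID Type IP means 'use the Secure Gateway address'."""
    if r["peer_id_type"] == "IP" and not r["peer_content"]:
        return r["secure_gateway"]
    return r["peer_content"]


def _normalise(id_type, content):
    # IP identities compare as addresses; DNS / e-mail identities as trimmed strings.
    return ip_address(content) if id_type == "IP" else content.strip()


def ids_match(a, b):
    """Section 27.8.1: A's Local ID == B's Peer ID and B's Local ID == A's Peer ID."""
    for me, other in ((a, b), (b, a)):
        if me["local_id_type"] != other["peer_id_type"]:
            return False
        mine = _normalise(me["local_id_type"], me["local_content"])
        theirs = _normalise(other["peer_id_type"], effective_peer_content(other))
        if mine != theirs:
            return False
    return True


def phase1_mismatches(a, b):
    """Phase 1 proposal fields that differ between the two rules."""
    return [f for f in PHASE1_FIELDS if a.get(f) != b.get(f)]


def can_negotiate(a, b):
    """True when both rules are valid, identities match and the proposals agree."""
    return (not validate_rule(a) and not validate_rule(b)
            and ids_match(a, b) and not phase1_mismatches(a, b))


if __name__ == "__main__":
    print("A and B can negotiate:", can_negotiate(RULE_A, RULE_B))
    print("with DH1 on B only:", phase1_mismatches(RULE_A, dict(RULE_B, dh_group="DH1")))
```

When a tunnel will not come up, running the two ends' settings through a checker like this is faster than reading IKE logs: the mismatched field is reported by name, and the Peer Content fallback (the most common surprise when one side uses 0.0.0.0 as its Secure Gateway) is made explicit.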

  • Page 315

Select Manual in the Key Management field to display the manual VPN rule setup screen. Figure 27-7 Manual IKE VPN Rule Setup. Table 27-9 Manual IKE VPN Rule Setup. LABEL / DESCRIPTION. Active: Select this check box to activate this VPN/IPSec policy. [...]

  • Page 316

Table 27-9 Manual IKE VPN Rule Setup (continued). IPSec Keying Mode: Select IKE or Manual from the drop-down list box. IKE is the preferred choice as the key is generated automatically; Manual is useful for troubleshooting. Make sure the remote gateway has the same configuration in this field. Pr[...]

  • Page 317

Table 27-9 Manual IKE VPN Rule Setup (continued). My IP Address: Enter the WAN IP address of your ZyWALL. The ZyWALL uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. The VPN tunnel has to be rebuilt if this IP address changes. [...]

  • Page 318

Table 27-9 Manual IKE VPN Rule Setup (continued). Authentication Algorithm: Select SHA1 or MD5 from the drop-down list box. The ZyWALL's authentication algorithm should be identical to the secure remote gateway's. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms [...]

  • Page 319

Figure 27-8 VPN SA Monitor. Table 27-10 VPN SA Monitor. LABEL / DESCRIPTION. #: This is the security association index number. Name: This field displays the identification name for this VPN policy. Encapsulation: This field displays Tunnel or Transport mode. IPSec Algorithm: This field displays the security[...]

  • Page 320

Table 27-10 VPN SA Monitor (continued). Next Page (if applicable): Click Next Page to view more items in the summary (if you have a summary list that exceeds this page). 27.15 Global Settings. In the web configurator, click VPN on the navigation panel and then the Global Setting tab. Use this screen[...]

  • Page 321

27.16 Telecommuter VPN/IPSec Examples. The following examples show how multiple telecommuters can make VPN connections to a single ZyWALL at headquarters from remote IPSec routers that use dynamic WAN IP addresses. 27.16.1 Telecommuters Sharing One VPN Rule Example. Multiple telecommuters can use on[...]

  • Page 322

Figure 27-10 Telecommuters Sharing One VPN Rule Example. 27.16.2 Telecommuters Using Unique VPN Rules Example. With aggressive negotiation mode (see section 27.10.1), the ZyWALL can use the ID types and contents to distinguish between VPN rules. Telecommuters can each use a separate VPN rule t[...] Keep in mind that aggressive mode sends the identities unencrypted and the pre-shared-key authentication hash early enough that anyone capturing the exchange can attack the pre-shared key offline, so every telecommuter's key must be long and random, and each telecommuter should get a different one.

  • Page 323

Figure 27-11 Telecommuters Using Unique VPN Rules Example [...]

  • Page 325

Part IX: Troubleshooting. This part provides possible remedies for potential problems. [...]

  • Page 327

Chapter 28 Troubleshooting. This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you diagnose and solve the problem. Please see the included disk for further information. 28.1 Problems Starting Up the ZyWALL. Table[...]

  • Page 328

28.2 Problems with a LAN Interface. Table 28-2 Troubleshooting the LAN Interface. PROBLEM / CORRECTIVE ACTION. Cannot access the ZyWALL from the LAN: Check your Ethernet cable type and connections. Refer to the Rear Panel and Connections section for LAN connection instructions. Make sure your Ethernet [...]

  • Page 329

28.3 Problems with Internet Access. Table 28-4 Troubleshooting Internet Access. PROBLEM / CORRECTIVE ACTION. Connect your cable/DSL modem to the ZyWALL using the appropriate cable. Check with the manufacturer of your cable/DSL device about your cable requirement because some devices may require cross[...]

  • Page 331

Part X: General Appendices. This part provides background information about setting up your computer's IP address, antennas, triangle route, how functions are related, wireless LAN, 802.1x, PPPoE, PPTP, hardware specifications, Universal Plug and Play, IP subnetting and safety warnings. [...]

  • Page 333

Appendix A Setting up Your Computer's IP Address. All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you ne[...]

  • Page 334

2. The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: a. In the Network window, click Add. b. Select Adapter and then click Add. c[...]

  • Page 335

1. Click the IP Address tab. - To have your computer assigned a dynamic IP address, select Obtain an IP address automatically. - To give your computer a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields. 2. Click t[...]

  • Page 336

3. Click the Gateway tab. - If you do not know your gateway's IP address, remove previously installed gateways. - If you have a gateway IP address, type it in the New gateway field and click Add. 4. Click OK to save and close the TCP/IP Properties window. 5. Click OK to clos[...]

  • Page 337

3. Select your network adapter. You should see your computer's (static) IP address, subnet mask and default gateway in this screen. Verify that your computer's static IP address is in the correct subnet (192.168.1.2 to 192.168.1.254 if using the default ZyWALL LAN IP addr[...]

  • Page 338

Windows 2000/NT/XP. 1. In Windows XP, click start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel. 2. In Windows XP, click Network Connections. In Windows 2000/NT, click Network and Dial-up Connections. 3. Right-click Local Area Connection and then [...]

  • Page 339

4. Select Internet Protocol (TCP/IP) (under the General tab in Windows XP) and click Properties. [...]

  • Page 340

5. The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP). - To have your computer assigned a dynamic IP address, click Obtain an IP address automatically. - If you have a static IP address, click Use the following IP Address and fill in the IP address [...]

  • Page 341

6. - If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: - In the IP Settings tab, in IP addresses, click Add. - In TCP/[...]

  • Page 342

7. In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): - Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). - If you know your DNS server IP address(es), click Use the following DNS server addresses, and [...]

  • Page 343

Macintosh OS 8/9. 1. Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. 2. Select Ethernet built-in from the Connect via list. [...]

  • Page 344

3. For dynamically assigned settings, select Using DHCP Server from the Configure: list. 4. For statically assigned settings, do the following: - From the Configure box, select Manually. - Type your IP address in the IP Address box. - Type your subnet mask in the Subnet mask box. - T[...]

  • Page 345

2. Click Network in the icon bar. - Select Automatic from the Location list. - Select Built-in Ethernet from the Show list. - Click the TCP/IP tab. 3. For dynamically assigned settings, select Using DHCP from the Configure list. 4. For statically assigned settings, do the followi[...]

  • Page 346

Appendix B Antennas. This appendix provides information about antenna selection and positioning. The access points in a wireless LAN send a radio frequency (RF) signal to the antennas, which propagate and capture the RF signal. Choosing the right antennas and positioning them properly increases the range and[...]

  • Page 347

• Directional antennas concentrate the RF signal in a beam, like a flashlight. The angle of the beam width determines the direction of the coverage pattern; it typically ranges from 20 degrees (very directional) to 90 degrees (less directional). Directional antennas are ideal for hallways and outdoor p[...]

  • Page 348

Appendix C Triangle Route. The Ideal Setup. When the firewall is on, your ZyWALL acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyWALL to protect your LAN against attacks. Diagram C-1 Ideal Setup. The “Triangle Route” Problem [...]

  • Page 349

Diagram C-2 “Triangle Route” Problem. The “Triangle Route” Solutions. This section presents two solutions to the “triangle route” problem. IP Aliasing. IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your ZyWALL supports up to three logic[...]

  • Page 350

Gateways on the WAN Side. A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side, as the following figure shows. This ensures that all incoming network traffic passes through your ZyWALL to your LAN. Therefore your LAN is protected. Diagram C-4[...]

  • Page 351

Appendix D The Big Picture. The following figure gives an overview of how filtering, the firewall, VPN and NAT are related. Diagram D-1 Big Picture: Filtering, Firewall, VPN and NAT [...]

  • Page 352

Appendix E Wireless LAN and IEEE 802.11. A wireless LAN (WLAN) provides a flexible data communications system that you can use to access various services (navigating the Internet, email, printer services, etc.) without the use of a cabled connection. In effect a wireless LAN environment [...]

  • Page 353

IEEE 802.11 specifies three different transmission methods for the PHY, the layer responsible for transferring data between nodes. Two of the methods use spread spectrum RF signals, Direct Sequence Spread Spectrum (DSSS) and Frequency-Hopping Spread Spectrum (FHSS), in the 2.4[...]

  • Page 354

Infrastructure Wireless LAN Configuration. For Infrastructure WLANs, multiple Access Points (APs) link the WLAN to the wired network and allow users to efficiently share network resources. The Access Points not only provide communication with the wired network but also mediate wireless net[...]

  • Page 355

Appendix F Wireless LAN With IEEE 802.1x. As wireless networks become popular for both portable computing and corporate networks, security is now a priority. Security Flaws with IEEE 802.11. Wireless networks based on the original IEEE 802.11 have a poor reputation for safety. The IEEE[...]

  • Page 356

• Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server. • Support for EAP (Extensible Authentication Protocol, RFC 2284) that allows additional authentication methods t[...]

  • Page 359

Appendix G PPPoE. PPPoE in Action. An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit), which connects to a DSL Access Concentrator where the PPP session terminates (see the next figure). One PVC can support any number of PPP [...]

  • Page 360

How PPPoE Works. The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as an L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and[...]

  • Page 361

Appendix H PPTP. What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband modem over Ethernet? A solution is to build PPTP into the ANT (ADSL Network Termin[...]

  • Page 362

PPTP Protocol Overview. PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco's Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user. The PNS is the box that hosts both the PPP and [...]

  • Page 363

Diagram H-3 Example Message Exchange between PC and an ANT. PPP Data Connection. The PPP frames are tunneled between the PNS and PAC over GRE (Generic Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header. [...]

  • Page 364

Appendix I Hardware Specifications. Chart I-1 General Specifications. Power Specification: I/P AC 120V / 60Hz; O/P DC 12V 1200 mA. MTBF: 100000 hrs (Mean Time Between Failures). Operation Temperature: 0º C ~ 40º C. Ethernet Specification for WAN: 10/100Mbps Half / Full Auto-negotiation. Ethernet Specific[...]

  • Page 365

Chart I-2 Console/Dial Backup Port Pin Assignments. CONSOLE Port, RS-232 (Female) DB-9F: Pin 1 = NON, Pin 2 = DCE-TXD, Pin 3 = DCE-RXD, Pin 4 = DCE-DSR, Pin 5 = GND, Pin 6 = DCE-DTR, Pin 7 = DCE-CTS, Pin 8 = DCE-RTS, Pin 9 = NON. DIAL BACKUP, RS-232 (Male) DB-9M: Pin 1 = NON, Pin 2 = DTE-RX[...]

  • Page 366

Power Adaptor Specifications. Chart I-4 North American AC Power Adaptor Specifications. AC Power Adapter model: AD48-1201200DUY. Input power: AC 120 Volts/60Hz/0.25A. Output power: DC 12 Volts/1.2A. Power consumption: 10 W. Plug: North American standards. Safety standards: UL, CUL (UL 1950, CSA C22.2 No.2[...]

  • Page 367

Chart I-5 European Union AC Power Adaptor Specifications. Safety standards: TUV, CE (EN 60950). Chart I-6 UK AC Power Adaptor Specifications. AC Power Adapter model: AD-1201200DK. Input power: AC 230 Volts/50Hz/0.2A. Output power: DC 12 Volts/1.2A. Power consumption: 10 W. Plug: United Kingdom standards [...]

  • Page 368

Appendix J Universal Plug and Play. What is Universal Plug and Play? Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabiliti[...]

  • Page 369

Are there any cautions about UPnP? The automated nature of NAT Traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments. All UPn[...]

  • Page 370

Chart J-1 UPnP. LABEL / DESCRIPTION. Enable the Universal Plug and Play (UPnP) feature: Select this checkbox to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the ZyWALL's IP address (although you must still enter the password to [...]
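The caution above (any LAN application can open firewall ports through UPnP, and the Windows steps that follow show mappings appearing without any action on the gateway) means the useful check is to list what the gateway has actually opened. The following added example, not ZyXEL code and not from the manual, builds the GetGenericPortMappingEntry request of the standard WANIPConnection:1 service, parses the response of the same action, and flags mappings that point at the gateway itself, at a management port, or that never expire. Network access is deliberately left out so it runs offline: the two responses are constructed samples, and the management-port set and the 192.168.1.1 gateway address are assumptions for the example.

```python
"""Audit of UPnP IGD port mappings (added example, not ZyXEL code).  Request and
response shapes follow the WANIPConnection:1 service; the sample responses,
the management-port list and the gateway address are constructed/assumed."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
MANAGEMENT_PORTS = {21, 23, 80}     # FTP, telnet, web: the services of chapter 24 (assumed)
GATEWAY_LAN_IP = "192.168.1.1"      # assumed default ZyWALL LAN address


def get_mapping_request(index):
    """SOAP body a UPnP client sends to read port-mapping entry `index`."""
    return (f'<?xml version="1.0"?>'
            f'<s:Envelope xmlns:s="{SOAP_NS}" '
            f's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            f'<s:Body><u:GetGenericPortMappingEntry xmlns:u="{WANIP_NS}">'
            f'<NewPortMappingIndex>{int(index)}</NewPortMappingIndex>'
            f'</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')


def parse_mapping_response(xml_bytes):
    """Extract one GetGenericPortMappingEntryResponse into a dict."""
    root = ET.fromstring(xml_bytes)
    resp = root.find(f".//{{{WANIP_NS}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        raise ValueError("not a GetGenericPortMappingEntryResponse")

    def text(tag):                 # argument elements are unqualified children
        return (resp.findtext(tag) or "").strip()

    return {
        "external_port": int(text("NewExternalPort")),
        "protocol": text("NewProtocol"),
        "internal_port": int(text("NewInternalPort")),
        "internal_client": text("NewInternalClient"),
        "enabled": text("NewEnabled") == "1",
        "description": text("NewPortMappingDescription"),
        "lease": int(text("NewLeaseDuration") or 0),   # 0 = permanent
    }


def risky_mappings(mappings):
    """Return [(mapping, [reasons])] for enabled mappings worth a second look."""
    flagged = []
    for m in mappings:
        if not m["enabled"]:
            continue
        reasons = []
        if m["internal_client"] == GATEWAY_LAN_IP:
            reasons.append("maps WAN traffic to the ZyWALL itself")
        if m["internal_port"] in MANAGEMENT_PORTS:
            reasons.append(f"internal port {m['internal_port']} is a management service")
        if m["lease"] == 0:
            reasons.append("permanent lease (never expires)")
        if reasons:
            flagged.append((m, reasons))
    return flagged


def _sample_response(**fields):
    """Constructed response in the shape a WANIPConnection:1 device returns."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in fields.items())
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_NS}">{body}'
            f'</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>').encode()


SAMPLE_RESPONSES = [   # constructed, as if returned for indexes 0 and 1
    _sample_response(NewRemoteHost="", NewExternalPort=6881, NewProtocol="TCP",
                     NewInternalPort=6881, NewInternalClient="192.168.1.33", NewEnabled=1,
                     NewPortMappingDescription="file sharing", NewLeaseDuration=3600),
    _sample_response(NewRemoteHost="", NewExternalPort=8023, NewProtocol="TCP",
                     NewInternalPort=23, NewInternalClient="192.168.1.1", NewEnabled=1,
                     NewPortMappingDescription="mgmt", NewLeaseDuration=0),
]


def audit(responses=SAMPLE_RESPONSES):
    return risky_mappings([parse_mapping_response(r) for r in responses])


if __name__ == "__main__":
    for mapping, reasons in audit():
        print(mapping["external_port"], "->", mapping["internal_client"],
              mapping["internal_port"], ";", "; ".join(reasons))
```

Against a live gateway the same two functions are used with HTTP: discover the control URL via SSDP, POST `get_mapping_request(i)` to it with a `SOAPAction` header naming the action, and increase `i` until the device returns UPnP error 713 (SpecifiedArrayIndexInvalid). The second sample mapping is the case the chart warns about: a LAN application has exposed the gateway's own telnet service to the WAN, indefinitely, with no change visible in the ZyWALL's remote-management menu.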

  • Page 371

    Step 1. Click Start and Control Panel. Double-click Add/Remove Programs. Step 2. Click the Windows Setup tab and select Communication in the Components selection box. Click Details. Step 3. In the Communications window, select the Universal Plug and Play check box in the Components selection box. Step 4. Click O[...]

  • Page 372

    Components Wizard window displays. Step 4. Select Networking Service in the Components selection box and click Details. Step 5. In the Networking Services window, select the Universal Plug and Play check box. Step 6. Click OK to go back to the Windows Optional Networking Component Wizard window and click Next.[...]

  • Page 373

    Step 1. Click start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway. Step 2. Right-click the icon and select Properties. Step 3. In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. Step 4. You may[...]

  • Page 374

    When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. Step 5. Select the Show icon in notification area when connected option and click OK. An icon displays in the system tray. Step 6. Double-click the icon to display your current Internet connection stat[...]

  • Page 375

    Step 1. Click start and then Control Panel. Step 2. Double-click Network Connections. Step 3. Select My Network Places under Other Places. Step 4. An icon with the description for each UPnP-enabled device displays under Local Network. Step 5. Right-click the icon for your ZyXEL device and select Invoke. Th[...]

  • Page 376

    Step 6. Right-click on the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.[...]

  • Page 377

    Appendix K IP Subnetting. IP Addressing: Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID. IP Classes: An IP address is made up of four octets (eight bits each), written in dotted decimal notation, for example, 192.168.1[...]

  • Page 378

    A class “B” address (16 host bits) can have 2^16 - 2 or 65534 hosts. A class “A” address (24 host bits) can have 2^24 - 2 hosts (approximately 16 million hosts). Since the first octet of a class “A” IP address must contain a “0”, the first octet of a class “A” address can hav[...]

  • Page 379

    With subnetting, the class arrangement of an IP address is ignored. For example, a class C address no longer has to have 24 bits of network number and 8 bits of host ID. With subnetting, some of the host ID bits are converted into network number bits. By convention, subnet masks always consist of a conti[...]

  • Page 380

    The first three octets of the address make up the network number (class “C”). You want to have two separate networks. Divide the network 192.168.1.0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit. The “borrowed” host ID bit can be[...]

  • Page 381

    192.168.1.0 with mask 255.255.255.128 is the subnet itself, and 192.168.1.127 with mask 255.255.255.128 is the directed broadcast address for the first subnet. Therefore, the lowest IP address that can be assigned to an actual host for the first subnet is 192.168.1.1 and the highest is 192.168.1.126[...]

  • Page 382

    Chart K-9 Subnet 3 (columns: NETWORK NUMBER | LAST OCTET BIT VALUE). IP Address: 192.168.1. | 128. IP Address (Binary): 11000000.10101000.00000001.10 | 000000. Subnet Mask (Binary): 11111111.11111111.11111111.11 | 000000. Subnet Address: 192.168.1.128. Lowest Host ID: 192.168.1.129. Broadcast Address: 192.168.1.191. Highest Ho[...]

  • Page 383

    Chart K-11 Eight Subnets (columns: SUBNET, SUBNET ADDRESS, FIRST ADDRESS, LAST ADDRESS, BROADCAST ADDRESS): 8, 224, 223, 254, 255. The following table is a summary for class “C” subnet planning. Chart K-12 Class C Subnet Planning (columns: NO. “BORROWED” HOST BITS, SUBNET MASK, NO. SUBNETS, NO. HOSTS PER SUBNET): 1, 255.255.255.128 (/[...]

  • Page 384

    Chart K-13 Class B Subnet Planning (columns: NO. “BORROWED” HOST BITS, SUBNET MASK, NO. SUBNETS, NO. HOSTS PER SUBNET): 4, 255.255.240.0 (/20), 16, 4094; 5, 255.255.248.0 (/21), 32, 2046; 6, 255.255.252.0 (/22), 64, 1022; 7, 255.255.254.0 (/23), 128, 510; 8, 255.255.255.0 (/24), 256, 254; 9, 255.255.255.128 (/25), 512, 126; 10, 255.255.255.192[...]
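    The subnet arithmetic behind Charts K-9 through K-13, as an added example that is not part of the manual: it generalizes the class C walkthrough above to any class and any number of borrowed host bits using Python's standard ipaddress module, and also checks the "contiguous ones" convention the appendix states for masks. The 192.168.1.0/24 network and the classful host-bit counts are the ones the appendix uses; everything else is the example's own.

```python
import ipaddress

# Host bits left to a classful address (Appendix K): class A 24, class B 16, class C 8.
CLASS_HOST_BITS = {"A": 24, "B": 16, "C": 8}


def mask_is_contiguous(mask: str) -> bool:
    """A subnet mask must be a run of ones followed by a run of zeros (the convention
    stated in the appendix); 255.255.0.255, for example, is not a valid mask."""
    bits = int(ipaddress.IPv4Address(mask))
    zeros = (~bits) & 0xFFFFFFFF            # the zero run, now as a run of low ones
    return (zeros & (zeros + 1)) == 0        # low run of ones + 1 is a single power of two


def subnet_plan(borrowed_bits: int, net_class: str):
    """One row of Chart K-12 / K-13: (mask, prefix length, number of subnets,
    hosts per subnet) when `borrowed_bits` host bits become network bits."""
    host_bits = CLASS_HOST_BITS[net_class.upper()]
    if not 1 <= borrowed_bits <= host_bits - 2:
        raise ValueError("a subnet needs at least two host bits (network and broadcast)")
    prefix = 32 - host_bits + borrowed_bits
    mask = str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)
    # 2^n subnets; each keeps (host_bits - n) host bits, minus network and broadcast.
    return mask, prefix, 2 ** borrowed_bits, 2 ** (host_bits - borrowed_bits) - 2


def subnet_ranges(network: str, borrowed_bits: int):
    """Per subnet, (subnet address, first host, last host, broadcast) as in Charts K-9
    and K-11; `network` is written in CIDR form, e.g. 192.168.1.0/24."""
    base = ipaddress.IPv4Network(network)
    if base.prefixlen + borrowed_bits > 30:
        raise ValueError("too many borrowed bits: no room left for hosts")
    rows = []
    for sub in base.subnets(prefixlen_diff=borrowed_bits):
        rows.append((str(sub.network_address), str(sub.network_address + 1),
                     str(sub.broadcast_address - 1), str(sub.broadcast_address)))
    return rows


if __name__ == "__main__":
    for bits in range(1, 7):                 # reproduces the class C planning chart
        print(bits, *subnet_plan(bits, "C"))
    for row in subnet_ranges("192.168.1.0/24", 3):   # the eight-subnet case of Chart K-11
        print(*row)
```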

  • Page 385

    Appendix L Safety Warnings and Instructions. 1. Be sure to read and follow all warning notices and instructions. 2. The maximum recommended ambient temperature for the ZyWALL is 40º Celsius (104º Fahrenheit). Care must be taken to allow sufficient air circulation or space between[...]


  • Page 387

    Part XI: Command and Log Appendices. This part provides information on the command line interface, firewall and NetBIOS commands, logs and password protection.[...]


  • Page 389

    Appendix M Command Interpreter. The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on these commands[...]

  • Page 390

    Appendix N Firewall Commands. The following describes the firewall commands. See the Command Interpreter appendix for information on the command structure. Chart N-1 Firewall Commands (columns: FUNCTION, COMMAND, DESCRIPTION). Firewall Set-Up: config edit firewall active <[...]

  • Page 391

    Chart N-1 Firewall Commands (columns: FUNCTION, COMMAND, DESCRIPTION). config display firewall e-mail: This command shows all of the e-mail settings. config display firewall ?: This command shows all of the available firewall sub commands. Edit E-mail: config edit firewall e-mail mail-serve[...]

  • Page 392

    Chart N-1 Firewall Commands (columns: FUNCTION, COMMAND, DESCRIPTION). Attack: config edit firewall attack send-alert <yes | no>: This command enables or disables the immediate sending of DOS attack notification e-mail messages. config edit firewall attack block <yes | no>: Set this command[...]

  • Page 393

    Chart N-1 Firewall Commands (columns: FUNCTION, COMMAND, DESCRIPTION). Sets: config edit firewall set <set #> name <desired name>: This command sets a name to identify a specified set. config edit firewall set <set #> default-permit <forward | block>: This command sets whether a packet[...]

  • Page 394

    Chart N-1 Firewall Commands (columns: FUNCTION, COMMAND, DESCRIPTION). config edit firewall set <set #> rule <rule #> active <yes | no>: This command sets whether a rule is enabled or not. config edit firewall set <set #> rule <rule #> protocol <integer protocol value>: This command[...]

  • Page 395

    Chart N-1 Firewall Commands (columns: FUNCTION, COMMAND, DESCRIPTION). config edit firewall set <set #> rule <rule #> destaddr-range <start ip address> <end ip address>: This command sets a rule to have the ZyWALL check for traffic going to this range of addresses. config edit firewall set <[...]


  • Page 397

    Appendix O NetBIOS Filter Commands. The following describes the NetBIOS packet filter commands. See the Command Interpreter appendix for information on the command structure. Introduction: NetBIOS (Network Basic Input/Output System) are TCP or UDP broadcast packets that enable a computer to con[...]

  • Page 398

    Chart O-1 NetBIOS Filter Default Settings (columns: NAME, DESCRIPTION, EXAMPLE). LAN to WAN: This field displays whether NetBIOS packets are blocked or forwarded from the LAN to the WAN. Forward. WAN to LAN: This field displays whether NetBIOS packets are blocked or forwarded from the WAN to the LAN. Forward. IPSec[...]

  • Page 399

    Command: sys filter netbios config 1 off. This command forwards WAN to LAN NetBIOS packets. Command: sys filter netbios config 6 on. This command blocks IPSec NetBIOS packets. Command: sys filter netbios config 7 off. This command stops NetBIOS commands from initiating calls.[...]

  • Page 400

    Appendix P Boot Commands. The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware (ZyNOS) is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at the prompt sho[...]

  • Page 401

    Diagram P-2 Boot Module Commands: AT just answer OK; ATHE print help; ATBAx change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k; ATENx,(y) set BootExtension Debug Flag (y=password); ATSE show the seed of password generator; ATTI(h,m,s) change system time to hour:min:sec or show current time; ATDA(y,m,d) chan[...]

  • Page 402

    Appendix Q Log Descriptions. Chart Q-1 System Error Logs (columns: LOG MESSAGE, DESCRIPTION). %s exceeds the max. number of session per host!: This attempt to create a SUA/NAT session exceeds the maximum number of SUA/NAT session table entries allowed to be created per host. Chart Q-2 System Maintenance Logs (columns: LOG MESS[...]

  • Page 403

    Chart Q-2 System Maintenance Logs. TELNET Login Fail: Someone has failed to log on to the router via telnet. FTP Login Successfully: Someone has logged on to the router via ftp. FTP Login Fail: Someone has failed to log on to the router via ftp. NAT Session Table is Full!: The maximum number of SUA/NAT sessi[...]

  • Page 404

    Chart Q-5 Attack Logs (columns: LOG MESSAGE, DESCRIPTION). attack IGMP: The firewall detected an IGMP attack. attack ESP: The firewall detected an ESP attack. attack GRE: The firewall detected a GRE attack. attack OSPF: The firewall detected an OSPF attack. attack ICMP (type:%d, code:%d): The firewall detected an ICMP att[...]

  • Page 405

    Chart Q-5 Attack Logs (columns: LOG MESSAGE, DESCRIPTION). syn flood TCP: The firewall detected a TCP syn flood attack. ports scan TCP: The firewall detected a TCP port scan attack. teardrop TCP: The firewall detected a TCP teardrop attack. teardrop UDP: The firewall detected a UDP teardrop attack. teardrop ICMP (type[...]

  • Page 406

    Chart Q-6 Access Logs (columns: LOG MESSAGE, DESCRIPTION). Firewall default policy: TCP (set:%d): TCP access matched the default policy of the listed ACL set and the ZyWALL blocked or forwarded it according to the ACL set’s configuration. Firewall default policy: UDP (set:%d): UDP access matched the default policy[...]

  • Page 407

    Chart Q-6 Access Logs (columns: LOG MESSAGE, DESCRIPTION). Firewall rule match: IGMP (set:%d, rule:%d): IGMP access matched the listed firewall rule and the ZyWALL blocked or forwarded it according to the rule’s configuration. Firewall rule match: ESP (set:%d, rule:%d): ESP access matched the listed firewall rule and[...]

  • Page 408

    Chart Q-6 Access Logs (columns: LOG MESSAGE, DESCRIPTION). Firewall rule NOT match: OSPF (set:%d, rule:%d): OSPF access did not match the listed firewall rule and the ZyWALL logged it. Firewall rule NOT match: (set:%d, rule:%d): Access did not match the listed firewall rule and the ZyWALL logged it. Filter default pol[...]

  • Page 409

    Chart Q-6 Access Logs (columns: LOG MESSAGE, DESCRIPTION). Filter match DROP <set %d/rule %d>: ICMP access matched the listed filter rule and the ZyWALL dropped the packet to block access. Filter match DROP <set %d/rule %d>: Access matched the listed filter rule and the ZyWALL dropped the packet to block[...]

  • Page 410

    Chart Q-6 Access Logs (columns: LOG MESSAGE, DESCRIPTION). Firewall sent TCP reset packets: The firewall sent out TCP reset packets. Packet without a NAT table entry blocked: The router blocked a packet that did not have a corresponding SUA/NAT table entry. Out of order TCP handshake packet blocked: The router blocked a[...]

  • Page 411

    Chart Q-8 ICMP Notes (columns: TYPE, CODE, DESCRIPTION). Type 0 Echo Reply: code 0, Echo reply message. Type 3 Destination Unreachable: code 0, Net unreachable; 1, Host unreachable; 2, Protocol unreachable; 3, Port unreachable; 4, A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF); 5, Source route failed. Type 4 So[...]

  • Page 412

    Chart Q-8 ICMP Notes (columns: TYPE, CODE, DESCRIPTION). Type 13 Timestamp: code 0, Timestamp request message. Type 14 Timestamp Reply: code 0, Timestamp reply message. Type 15 Information Request: code 0, Information request message. Type 16 Information Reply: code 0, Information reply message. Chart Q-9 Syslog (columns: LOG MESSAGE, DESCRIPTION). Mon dd hr:mm:ss hostname src="[...]

  • Page 413

    Diagram Q-1 Example VPN Initiator IPSec Log. VPN Responder IPSec Log: The following figure shows a typical log from the VPN connection peer. Diagram Q-2 Example VPN Responder IPSec Log. This menu is useful for troubleshooting. A log index number, the date and time the log was created and a log messa[...]

  • Page 414

    A PYLD_MALFORMED packet usually means that the two ends of the VPN tunnel are not using the same pre-shared key. Chart Q-10 Sample IKE Key Exchange Logs (columns: LOG MESSAGE, DESCRIPTION). Send <Symbol> Mode request to <IP>; Send <Symbol> Mode request to <IP>: The ZyWALL has started negotia[...]

  • Page 415

    Chart Q-10 Sample IKE Key Exchange Logs (columns: LOG MESSAGE, DESCRIPTION). !! Invalid IP <IP start>/<IP end>: The peer’s “Local IP Addr” range is invalid. !! Remote IP <IP start> / <IP end> conflicts: If the security gateway is “0.0.0.0”, the ZyWALL will use the peer’s “Local Add[...]

  • Page 416

    Chart Q-10 Sample IKE Key Exchange Logs (columns: LOG MESSAGE, DESCRIPTION). vs. My Local <IP address>: The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the local router. The log displays this router’s configured local IP address type[...]

  • Page 417

    The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type. Chart Q-12 RFC-2408 ISAKMP Payload Types (columns: LOG DISPLAY, PAYLOAD TYPE). SA: Security Association. PROP: Proposal. TRANS: Transform. KE: Key Exchange. ID: Identification. CE[...]

  • Page 418

    Chart Q-13 Log Categories and Available Settings (columns: LOG CATEGORIES, AVAILABLE PARAMETERS): attack 0, 1, 2, 3; error 0, 1, 2, 3; ike 0, 1, 2, 3; ipsec 0, 1, 2, 3; javablocked 0, 1, 2, 3; mten 0, 1; upnp 0, 1; urlblocked 0, 1, 2, 3; urlforward 0, 1. Use 0 to not record logs for that category, 1 to record only logs for[...]

  • Page 419

    # .time source destination notes message 0|11/11/2002 15:10:12 |172.22.3.80:137 |172.22.255.255:137 |ACCESS BLOCK Firewall default policy: UDP(set:8) 1|11/11/2002 15:10:12 |172.21.4.17:138 |172.21.255.255:138 |ACCESS BLOCK Firewall default policy: UDP(set:8) 2|11/11/2002 15:10:11 |172.17.2.1 |224.0.1.60 |[...]
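    A parser for the pipe-delimited log listing shown above, with the two summaries a defender reading a ZyWALL log usually wants first: which set/rule is doing the blocking, and which source hosts are being blocked most. This is an added example, not code from the manual or from ZyXEL; the first three sample records follow the manual's own lines, the rest of the sample (the 10.0.0.5 host, the ACCESS FORWARD note value and the set/rule numbers) are constructed assumptions for illustration.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Optional

# Constructed sample in the "#|time|source|destination|notes message" layout of the manual's
# listing. Records 0-2 mirror the manual; records 3-5 (host 10.0.0.5, the ACCESS FORWARD note,
# the set/rule numbers) are assumptions made up for this example.
SAMPLE_LOG = """\
0|11/11/2002 15:10:12 |172.22.3.80:137 |172.22.255.255:137 |ACCESS BLOCK Firewall default policy: UDP(set:8)
1|11/11/2002 15:10:12 |172.21.4.17:138 |172.21.255.255:138 |ACCESS BLOCK Firewall default policy: UDP(set:8)
2|11/11/2002 15:10:11 |172.17.2.1 |224.0.1.60 |ACCESS BLOCK Firewall default policy: IGMP(set:8)
3|11/11/2002 15:09:58 |10.0.0.5:4444 |192.168.1.1:23 |ACCESS BLOCK Firewall rule match: TCP(set:2, rule:3)
4|11/11/2002 15:09:50 |10.0.0.5:4445 |192.168.1.1:80 |ACCESS FORWARD Firewall rule match: TCP(set:2, rule:1)
5|11/11/2002 15:09:45 |10.0.0.5:4446 |192.168.1.1:21 |ACCESS BLOCK Filter match DROP <set 2/rule 4>
"""

# Note values recognised at the start of the last field (assumed list; only ACCESS BLOCK
# appears in the manual's listing).
KNOWN_NOTES = ("ACCESS BLOCK", "ACCESS FORWARD")
# "(set:8)" / "(set:2, rule:3)" from Chart Q-6 and "<set 2/rule 4>" from the filter entries.
SET_RULE_RE = re.compile(r"set:\s*(\d+)(?:,\s*rule:\s*(\d+))?|<set\s+(\d+)/rule\s+(\d+)>")


def _endpoint(field: str):
    """Split 'host[:port]' into (host, port or None); IGMP/ICMP entries carry no port."""
    host, sep, port = field.strip().rpartition(":")
    if not sep:                     # no ':' at all: rpartition puts the whole string last
        return port, None
    return host, int(port)


def parse_record(line: str) -> Optional[dict]:
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 5 or not parts[0].isdigit():
        return None                 # header line, blank line, or a shape we do not know
    src_host, src_port = _endpoint(parts[2])
    dst_host, dst_port = _endpoint(parts[3])
    note, message = "", parts[4]
    for candidate in KNOWN_NOTES:
        if parts[4].startswith(candidate):
            note, message = candidate, parts[4][len(candidate):].strip()
            break
    set_no = rule_no = None
    m = SET_RULE_RE.search(message)
    if m:
        set_no = int(m.group(1) or m.group(3))
        rule = m.group(2) or m.group(4)
        rule_no = int(rule) if rule else None
    return {"index": int(parts[0]),
            "time": datetime.strptime(parts[1], "%m/%d/%Y %H:%M:%S"),
            "src_host": src_host, "src_port": src_port,
            "dst_host": dst_host, "dst_port": dst_port,
            "note": note, "message": message, "set": set_no, "rule": rule_no}


def parse_log(text: str) -> list:
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def blocked_by_set(records) -> Counter:
    """How often each (set, rule) blocked traffic: shows which policy is doing the work."""
    return Counter((r["set"], r["rule"]) for r in records if r["note"] == "ACCESS BLOCK")


def top_blocked_sources(records, n: int = 3):
    """Sources with the most blocked entries, a first cut at spotting a noisy or probing host."""
    return Counter(r["src_host"] for r in records if r["note"] == "ACCESS BLOCK").most_common(n)
```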

  • Page 420

    Appendix R Brute-Force Password Guessing Protection. The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password. See the Command Interpreter appendix for information on the command str[...]

  • Page 421

    Part XII: Index. This part provides an Index of key terms.[...]


  • Page 423

    Index 1 10/100 Mbps Ethernet WAN ........................... 1-1 4 4-Port Switch ................................................... 1-1 A Access Point ................................................... 7-12 Action for Matched Packets ......................... 16-12 Active ..........................................[...]

  • Page 424

    Canada ................................................................ iv Caution................................................................ iv Central Network Management ......................... 1-4 Certifications ..................................................... iii Changing the Password...............[...]

  • Page 425

    DIAL BACKUP ................................................ 33 Direct Sequence Spread Spectrum .................... 21 Disclaimer ........................................................... ii Distribution System........................................... 22 DNS ................................................. 5-[...]

  • Page 426

    NAT ......................................................... 19-16 Remote Node ........................................... 19-17 Structure..................................................... 19-2 TCP/IP Rule ............................................... 19-7 Filters Executing a Filter Rule .....................[...]

  • Page 427

    Hardware Connections ..................................... 2-3 Hardware Installation ....................................... 2-1 Hidden Menus .................................................. 4-2 Hidden Node problem .................................... 7-10 Host ......................................................[...]

  • Page 428

    Destination IP Address .............................. 11-3 IP Subnet Mask .......................................... 11-3 Name.......................................................... 11-3 Route Number............................................ 11-3 IP Subnet Mask ................................................ [...]

  • Page 429

    N Nailed-up Connection .................................... 10-4 Nailed-Up Connection ................................... 10-5 Nailed-Up Connections .................................. 10-7 NAT .................................................... 10-8, 19-16 Application .............................................[...]

  • Page 430

    Protocol Filters................................................. 7-9 Incoming ...................................................... 7-9 Outgoing ...................................................... 7-9 Protocol/Port ......................................... 18-8, 18-9 Q Quick Start Guide .........................[...]

  • Page 431

    S Safety Instructions ............................................ 53 Saving the State.............................................. 13-7 Schedule Sets Duration ..................................................... 25-2 Schedules .............................................. 10-5, 10-7 Security Ramifications ......[...]

  • Page 432

    TCP/IP 7-2, 7-5, 7-7, 10-7, 13-3, 13-4, 19-6, 19-7, 19-9, 19-12, 19-16, 24-1 Setup ............................................................ 7-7 TCP/IP and DHCP Setup ................................. 7-6 TCP/IP filter rule ........................................... 19-6 Teardrop...............................[...]

  • Page 433

    V View Log ....................................................... 18-1 VPN ................................................................. 9-2 VT100 .............................................................. 4-1 W WAN DHCP ..................................... 21-12, 21-13 WAN Setup ...........................[...]