ZyXEL 5 Series User Manual

Download

ZyWALL 5/35/70 Series

Internet Security Appliance

User’s Guide

Version 4.01

7/2006

Edition 1

ZyWALL 5/35/70 Series User’s Guide

Copyright

The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation.

Disclaimer

ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice.

Trademarks

ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.

ZyWALL 5/35/70 Series User’s Guide

Federal Communications Commission (FCC) Interference Statement

The device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:

• This device may not cause harmful interference.

• This device must accept any interference received, including interference that may cause undesired operations.

This device has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a commercial environment. This device generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.

If this device does cause harmful interference to radio/television reception, which can be determined by turning the device off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

Certifications

1 Reorient or relocate the receiving antenna. 2 Increase the separation between the equipment and the receiver. 3 Connect the equipment into an outlet on a circuit different from that to which the receiver

is connected.

4 Consult the dealer or an experienced radio/TV technician for help.

Notices

Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.

This Class B digital apparatus complies with Canadian ICES-003.

Cet appareil numérique de la classe B est conforme à la norme NMB-003 du Canada.

Viewing Certifications

1 Go to http://www.zyxel.com. 2 Select your product from the drop-down list box on the ZyXEL home page to go to that

product's page.

3 Select the certification you wish to view from this page.

4 Certifications

ZyWALL 5/35/70 Series User’s Guide

Safety Warnings

For your safety, be sure to read and follow all warning notices and instructions.

• Do NOT use this product near water, for example, in a wet basement or near a swimming pool.

• Do NOT expose your device to dampness, dust or corrosive liquids.

• Do NOT store things on the device.

• Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.

• Connect ONLY suitable accessories to the device.

• Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel should service or disassemble this device. Please contact your vendor for further information.

• Make sure to connect the cables to the correct ports.

• Place connecting cables carefully so that no one will step on them or stumble over them.

• Always disconnect all cables from this device before servicing or disassembling.

• Use ONLY an appropriate power adaptor or cord for your device.

• Connect the power adaptor or cord to the right supply voltage (for example, 110V AC in North America or 230V AC in Europe).

• Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord.

• Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution.

• If the power adaptor or cord is damaged, remove it from the power outlet.

• Do NOT attempt to repair the power adaptor or cord. Contact your local vendor to order a new one.

• Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning.

• CAUTION: RISK OF EXPLOSION IF BATTER Y (on the motherboard) IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS. Dispose them at the applicable co llect ion point for the recy cli ng of electrical and electronic equipment. For detailed information about recycling of this product, please contact your local city office, your household waste disposal service or the store where you purchased the product.

• Do NOT obstruct the device ventilation slots, as insufficient airflow may harm your device.

• Fuse Warning! Replace a fuse only with a fuse of the same type and rating.

Safety Warnings 5

ZyWALL 5/35/70 Series User’s Guide

This product is recyclable. Dispose of it properly.

6 Safety Warnings

ZyWALL 5/35/70 Series User’s Guide

ZyXEL Limited Warranty

ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of fai lure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.

Note

Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind to the purchaser.

To obtain the services of this warranty, contact ZyXEL's Service Center for your Return Material Authorization number (RMA). Products must be returned Postage Prepaid. It is recommended that the unit be insured when shipped. Any returned pro du cts without proof of purchase or those with an out-dated warranty will be repaired or replaced (at the discretion of ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products will be shipped by ZyXEL to the corresponding return address, Postage Paid. This warranty gives you specific legal rights, and you may also have other rights that vary from country to country.

Registration

Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.zyxel.com for North American products.

ZyXEL Limited Warranty 7

ZyWALL 5/35/70 Series User’s Guide

Please have the following information ready when you contact customer support.

• Product model and serial number.

• Warranty Information.

• Date that you received your device.

• Brief description of the problem and the steps you took to solve it.

Customer Support

METHOD

LOCATION

CORPORATE HEADQUARTERS (WORLDWIDE)

COSTA RICA

CZECH REPUBLIC

DENMARK

FINLAND

FRANCE

GERMANY

HUNGARY

KAZAKHSTAN

NORTH AMERICA

SUPPORT E-MAIL TELEPHONE WEB SITE

SALES E-MAIL FAX FTP SITE

support@zyxel.com.tw +886-3-578-3942 www.zyxel.com

www.europe.zyxel.com

sales@zyxel.com.tw +886-3-578-2439 ftp.zyxel.com

ftp.europe.zyxel.com soporte@zyxel.co.cr +506-2017878 www.zyxel.co.cr ZyXEL Costa Rica sales@zyxel.co.cr +506-2015098 ftp.zyxel.co.cr

info@cz.zyxel.com +420-241-091-350 www.zyxel.cz ZyXEL Communications info@cz.zyxel.com +420-241-091-359

support@zyxel.dk +45-39-55-07-00 www.zyxel.dk ZyXEL Communications A/S sales@zyxel.dk +45-39-55-07-07

support@zyxel.fi +358-9-4780-8411 www.zyxel.fi ZyXEL Communications Oy sales@zyxel.fi +358-9-4780 8448

info@zyxel.fr +33-4-72-52-97-97 www.zyxel.fr ZyXEL France

+33-4-72-52-19-20

support@zyxel.de +49-2405-6909-0 www.zyxel.de ZyXEL Deutschland GmbH. sales@zyxel.de +49-2405-6909-99

support@zyxel.hu +36-1-3361649 www.zyxel.hu ZyXEL Hungary info@zyxel.hu +36-1-3259100

http://zyxel.kz/support +7-3272-590-698 www.zyxel.kz ZyXEL Kazakhstan sales@zyxel.kz +7-3272-590-689

support@zyxel.com 1-800-255-4101

+1-714-632-0882

sales@zyxel.com +1-714-632-0858 ftp.us.zyxel.com

www.us.zyxel.com ZyXEL Communications Inc.

REGULAR MAIL

ZyXEL Communications Corp. 6 Innovation Road II

Science Park Hsinchu 300 Taiwan

Plaza Roble Escazú Etapa El Patio, Tercer Piso San José, Costa Rica

Czech s.r.o. Modranská 621 143 01 Praha 4 - Modrany Ceská Republika

Columbusvej 2860 Soeborg Denmark

Malminkaari 10 00700 Helsinki Finland

1 rue des Vergers Bat. 1 / C 69760 Limonest France

Adenauerstr. 20/A2 D-52146 Wuerselen Germany

48, Zoldlomb Str. H-1025, Budapest Hungary

43, Dostyk ave.,Office 414 Dostyk Business Centre 050010, Almaty Republic of Kazakhstan

1130 N. Miller St. Anaheim CA 92806-2001 U.S.A.

8 Customer Support

ZyWALL 5/35/70 Series User’s Guide

METHOD

LOCATION

NORWAY

POLAND

RUSSIA

SPAIN

SWEDEN

UKRAINE

UNITED KINGDOM

SUPPORT E-MAIL TELEPHONE WEB SITE

SALES E-MAIL FAX FTP SITE

support@zyxel.no +47-22-80-61-80 www.zyxel.no ZyXEL Communications A/S sales@zyxel.no +47-22-80-61-81

info@pl.zyxel.com +48 (22) 333 8250 www.pl.zyxel.com ZyXEL Communications

+48 (22) 333 8251

http://zyxel.ru/support +7-095-542-89-29 www.zyxel.ru ZyXEL Russia sales@zyxel.ru +7-095-542-89-25

support@zyxel.es +34-902-195-420 www.zyxel.es ZyXEL Communications sales@zyxel.es +34-913-005-345

support@zyxel.se +46-31-744-7700 www.zyxel.se ZyXEL Communications A/S sales@zyxel.se +46-31-744-7701

support@ua.zyxel.com +380-44-247-69-78 www.ua.zyxel.com ZyXEL Ukraine sales@ua.zyxel.com +380-44-494-49-32

support@zyxel.co.uk +44-1344 303044

08707 555779 (UK only)

sales@zyxel.co.uk +44-1344 303034 ftp.zyxel.co.uk

www.zyxel.co.uk ZyXEL Communications UK

REGULAR MAIL

Nils Hansens vei 13 0667 Oslo Norway

ul. Okrzei 1A 03-715 Warszawa Poland

Ostrovityanova 37a Str. Moscow, 117279 Russia

Arte, 21 5ª planta 28033 Madrid Spain

Sjöporten 4, 41764 Göteborg Sweden

13, Pimonenko Str. Kiev, 04050 Ukraine

Ltd.,11 The Courtyard, Eastern Road, Bracknell, Berkshire, RG12 2XB, United Kingdom (UK)

+” is the (prefix) number you enter to make an international telephone call.

Customer Support 9

ZyWALL 5/35/70 Series User’s Guide

10 Customer Support

ZyWALL 5/35/70 Series User’s Guide

Copyright ..................................................................................................................3

Certifications ............................................................................................................4

Safety Warnings.......................................................................................................5

ZyXEL Limited Warranty..........................................................................................7

Customer Support....................................................................................................8

Table of Contents ...................................................................................................11

List of Figures ........................................................................................................31

List of Tables ..........................................................................................................45

Preface ....................................................................................................................53

Chapter 1

Getting to Know Your ZyWALL.............................................................................55

1.1 ZyWALL Internet Security Appliance Overview ............................. ... ... ... ... .... ... ..55

1.2 ZyWALL Features .................................................. ... ... .... ... ... ... .... .....................55

1.2.1 Physical Features ............................................................ .... ... ... ... ............56

1.2.2 Non-Physical Features .............................................................................57

1.3 Applications for the ZyWALL ..................................... ... .... ... ... ............................63

1.3.1 Secure Broadband Internet Access via Cable or DSL Modem .................63

1.3.2 VPN Application ...................................................... ... ... ... .... ... ..................63

1.3.3 Front Panel Lights ............................... .... ... ... ... .........................................64

Chapter 2

Introducing the Web Configurator........................................................................67

2.1 Web Configurator Overview ... ... ... ... .... ... .......................................................... ..67

2.2 Accessing the ZyWALL Web Configurator .........................................................67

2.3 Resetting the ZyWALL .......................................................................................68

2.3.1 Procedure To Use The Reset Button ........................................................68

2.3.2 Uploading a Configuration File Via Console Port .....................................69

2.4 Navigating the ZyWALL Web Configurator ........................................................69

2.4.1 Title Bar ........................... ... ... .... ... .......................................................... ..70

2.4.2 Main Window ................................................................ ... .... ... ..................71

2.4.3 HOME Screen: Router Mode .................................................................71

2.4.4 HOME Screen: Bridge Mode .......................................................... .... ... ..74

Table of Contents 11

ZyWALL 5/35/70 Series User’s Guide

2.4.5 Navigation Panel .......................................................................................78

2.4.6 Port Statistics ...........................................................................................83

2.4.7 Show Statistics: Line Chart............................................... .... ... ... ... ... .... ... ..84

2.4.8 DHCP Table Screen ................................................................................85

2.4.9 VPN Status....................................................... ... .... ... ...............................86

2.4.10 Bandwidth Monitor ..................................................................................87

Chapter 3

Wizard Setup ..........................................................................................................89

3.1 Wizard Setup Overview .....................................................................................89

3.2 Internet Access .................................................................................................90

3.2.1 ISP Parameters ...................................................................................... ..90

3.2.1.1 Ethernet ........... ........................................................... ... ... ... ... .... .....90

3.2.1.2 PPPoE Encapsulation .....................................................................92

3.2.1.3 PPTP Encapsulation ........................................... ... .... ... ... ... ... .... ... ..93

3.2.2 Internet Access Wizard: Second Screen ...................................................95

3.2.3 Internet Access Wizard: Registration.........................................................96

3.3 VPN Wizard Gateway Setting ............................................................................99

3.4 VPN Wizard Network Setting ...........................................................................101

3.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1) ...............................................103

3.6 VPN Wizard IPSec Setting (IKE Phase 2) .......................................................104

3.7 VPN Wizard Status Summary ................... ... .... ... ... ... ... .... ... ... ... .... ... ... ... ... .... ...106

3.8 VPN Wizard Setup Complete ................................. .......................................... 109

Chapter 4

Tutorial ...................................................................................................................111

4.1 Security Settings for VPN Traffic ...................................................................... 111

4.1.1 IDP for From VPN Traffic Example .........................................................111

4.1.2 IDP for To VPN Traffic Example .............................................. ... ... ... .... ...113

4.2 Firewall Rule for VPN Example ................................................. .... ... ... ... ... .... ...114

4.2.1 Configuring the VPN Rule .......................................................................115

4.2.2 Configuring the Firewall Rules ................................................................118

4.2.2.1 Firewall Rule to Allow Access Example ................................. .... ...119

4.2.2.2 Default Firewall Rule to Block Other Access Example .. ... ... ... .... ...121

Chapter 5

Registration ..........................................................................................................123

5.1 myZyXEL.com overview .................. .... ... ... ... .... ... ... ... .......................................123

5.1.1 Subscription Services Available on the ZyWALL ....................................123

5.2 Registration ............ ... ... .......................................................... ... .... ... ... ... ... .......124

5.3 Service ...................................................... ... .... ................................................126

12 Table of Contents

ZyWALL 5/35/70 Series User’s Guide

Chapter 6

LAN Screens.........................................................................................................129

6.1 LAN, WAN and the ZyWALL ............................................................................129

6.2 IP Address and Subnet Mask ...........................................................................129

6.2.1 Private IP Addresses ..............................................................................130

6.3 DHCP .............. ... .......................................................... .... ... ... ... .... ... ................131

6.3.1 IP Pool Setup ..........................................................................................131

6.4 RIP Setup ............................................ ... ... ... .... ... ... ... ... ....................................131

6.5 Multicast .......... .......................................................... ... .... ................................131

6.6 WINS ......................................... ... ... .... ... ... ... .................................................... 132

6.7 LAN ................................................. .... ... ... ... .... ... .............................................132

6.8 LAN Static DHCP ......... ... ... .... ... .......................................................... ... ... .... ...135

6.9 LAN IP Alias ...................................................................................................136

6.10 LAN Port Roles ..............................................................................................139

Chapter 7

Bridge Screens.....................................................................................................141

7.1 Bridge Loop ...................................................................................................... 141

7.2 Spanning Tree Protocol (STP) ............ .............................................................142

7.2.1 Rapid STP .................................... ... ... .... ... .............................................142

7.2.2 STP Terminology .......................... ... ... .... ... ... ... ... .... ................................142

7.2.3 How STP Works .....................................................................................142

7.2.4 STP Port States ......................... ... ... .......................................................143

7.3 Bridge .............................................. .... ... ... ... .... ... .............................................143

7.4 Bridge Port Roles ............................................................................................145

Chapter 8

WAN Screens........................................................................................................147

8.1 WAN Overview .......................................................................................... .... ...147

8.2 Multiple WAN ................................................ .... ... ... ... ... .... ... ... ... .......................147

8.3 Load Balancing Introduction ................... ... ....................................................... 148

8.4 Load Balancing Algorithms ....................... ... .... ... ... ... ... .... ... .............................148

8.4.1 Least Load First ......................................................................................148

8.4.1.1 Example 1 ................................................. .... ... ... ... .... ... ... ... ... .... ...149

8.4.1.2 Example 2 ................................................. .... ... ... ... .... ... ... ... ... .... ...149

8.4.2 Weighted Round Robin ........................... ... ... ... ... .... ... .............................150

8.4.3 Spillover ........................ ... ... ... .......................................................... .... ...150

8.5 TCP/IP Priority (Metric) ....................................................................................151

8.6 WAN General ............ ... ... ... .... ... .......................................................... ... ... .... ...151

8.7 Configuring Load Balancing ......... ... .... ... ... ... .... ... .............................................155

8.7.1 Least Load First ......................................................................................155

8.7.2 Weighted Round Robin ........................... ... ... ... ... .... ... .............................156

8.7.3 Spillover ........................ ... ... ... .......................................................... .... ...157

Table of Contents 13

ZyWALL 5/35/70 Series User’s Guide

8.8 WAN Route .................................................. .... ... ... ... .......................................157

8.9 WAN IP Address Assignment ................................................. ... .... ... ... ... ... .... ...159

8.10 DNS Server Address Assignment ................................................................159

8.11 WAN MAC Address ........................................................................................160

8.12 WAN .............................................................................................................160

8.12.1 WAN Ethernet Encapsulation ...............................................................160

8.12.2 PPPoE Encapsulation ...........................................................................163

8.12.3 PPTP Encapsulation .............................................................................166

8.13 Traffic Redirect ..........................................................................................170

8.14 Configuring Traffic Redirect ............................................................................170

8.15 Configuring Dial Backup .................................................................................171

8.16 Advanced Modem Setup ..............................................................................175

8.16.1 AT Command Strings ............................................................................175

8.16.2 DTR Signal ...........................................................................................175

8.16.3 Response Strings ..................................................................................175

8.17 Configuring Advanced Modem Setup ............................................................175

Chapter 9

DMZ Screens ........................................................................................................179

9.1 DMZ ...............................................................................................................179

9.2 Configuring DMZ ............. ... .... ... ... ... .................................................................179

9.3 DMZ Static DHCP ..........................................................................................182

9.4 DMZ IP Alias ..................................................................................................183

9.5 DMZ Public IP Address Example .....................................................................185

9.6 DMZ Private and Public IP Address Example .................................. ................186

9.7 DMZ Port Roles .......................... ... .... ... ..........................................................187

Chapter 10

Wireless LAN........................................................................................................189

10.1 Wireless LAN Introduction ..............................................................................189

10.1.1 Additional Installation Requirements for Using 802.1x .........................189

10.2 Configuring WLAN .......................................................................................189

10.3 WLAN Static DHCP ......................................................................................192

10.4 WLAN IP Alias ..............................................................................................193

10.5 WLAN Port Roles ..........................................................................................195

10.6 Wireless Security ...........................................................................................197

10.6.1 Encryption .............................................................................................198

10.6.2 Authentication .......................................................................................198

10.6.3 Restricted Access .................................................................................199

10.6.4 Hide ZyWALL Identity ...........................................................................199

10.7 Security Parameters Summary ......................................................................199

10.8 WEP Encryption .............................................................................................199

10.9 802.1x Overview ............................................................................................200

14 Table of Contents

ZyWALL 5/35/70 Series User’s Guide

10.9.1 Introduction to RADIUS ........................................................................200

10.9.1.1 Types of RADIUS Messages .......................................................200

10.9.2 EAP Authentication Overview ............................... ................................ 201

10.10 Dynamic WEP Key Exchange ......................................................................202

10.11 Introduction to WPA ........ .... ... ... ... .... ... ... ... .... ... ... ... .......................................202

10.11.1 User Aut hent ication ................................................ ... ... .... ...................202

10.11.2 Enc ryption ....................................................... .... ... .............................202

10.12 WPA-PSK Application Example ...................................................................203

10.13 Introduction to RADIUS ................................................................................204

10.14 WPA with RADIUS Application Example ......................................................204

10.15 Wireless Client WPA Supplicants .................................................................205

10.16 Wireless Card .............................................................................................205

10.16.1 Static WEP ..........................................................................................207

10.16.2 WPA-PSK ...........................................................................................208

10.16.3 WPA ....................................................................................................210

10.16.4 IEEE 802.1x + Dynamic WEP ............................................................211

10.16.5 IEEE 802.1x + Static WEP ..................................................................212

10.16.6 IEEE 802.1x + No WEP ......................................................................214

10.16.7 No Access 802.1x + Static WEP .........................................................215

10.16.8 No Access 802.1x + No WEP .............................................................216

10.17 MAC Filter ...................................................................................................217

Chapter 11

Firewall..................................................................................................................219

11.1 Firewall Overview ..........................................................................................219

11.2 Packet Direction Matrix ..................................................................................220

11.3 Packet Direction Examples ............................................................................221

11.3.1 To VPN Packet Direction .......................................................................222

11.3.2 From VPN Packet Direction ..................................................................224

11.3.3 From VPN To VPN Packet Direction .................................................. ...225

11.4 Security Considerations .................................................................................226

11.5 Firewall Rules Example ..................................................................................227

11.6 Asymmetrical Routes .....................................................................................229

11.6.1 Asymmetrical Routes and IP Alias ........ ............................................. ...229

11.7 Firewall Default Rule (Router Mode) ..............................................................230

11.8 Firewall Default Rule (Bridge Mode) ............................................................232

11.9 Firewall Rule Summary .................................................................................234

11.9.1 Firewall Edit Rule ....................................................... .... ... ... .............235

11.10 Anti-Probing ..............................................................................................238

11.11 Firewall Thresholds ....................................................................................239

11.11.1 Threshold Values .................................................................................240

11.12 Threshold Screen ............................................... ... ... .... ... ... ... .... ... ... .............240

11.13 Service .............................. .......................................................... ... ... ... .... ...242

Table of Contents 15

ZyWALL 5/35/70 Series User’s Guide

11.13.1 Firew all Edit Custom Service .................................................... ... .... ...244

11.14 My Service Firewall Rule Example ..... ... ... .... ... ... ... ... .... ... ... ... .... ... ... ... ... .... ...245

Chapter 12

Intrusion Detection and Prevention (IDP).......................................................... 251

12.1 Introduction to IDP ....................................................................................251

12.1.1 Firewalls and Intrusions ........................................ ................................251

12.1.2 IDS and IDP .........................................................................................252

12.1.3 Host IDP ..............................................................................................252

12.1.4 Network IDP .........................................................................................252

12.1.5 Example Intrusions ...............................................................................253

12.1.5.1 SQL Slammer Worm ...................................................................253

12.1.5.2 Blaster W32.Worm ......................................................................253

12.1.5.3 Nimda ..........................................................................................253

12.1.5.4 MyDoom ......................................................................................254

12.1.6 ZyWALL IDP .........................................................................................254

Chapter 13

Configuring IDP....................................................................................................255

13.1 Overview ........................................................................................................255

13.1.1 Interfaces ..............................................................................................255

13.2 General Setup ................................................................................................256

13.3 IDP Signatures ...............................................................................................257

13.3.1 Attack Types .........................................................................................257

13.3.2 Intrusion Severity ..................................................................................259

13.3.3 Signature Actions ..................................... ... ... .......................................259

13.3.4 Configuring IDP Signatures ..................................................................260

13.3.5 Query View ...........................................................................................262

13.3.5.1 Query Example 1 ........................................................................265

13.3.5.2 Query Example 2 ........................................................................266

13.4 Update ...........................................................................................................267

13.4.1 mySecurityZone ....................................................................................267

13.4.2 Configuring IDP Update ........................................................................268

13.5 Backup and Restore .......................................................................................269

Chapter 14

Anti-Virus..............................................................................................................271

14.1 Anti-Virus Overview .......................................................................................271

14.1.1 Types of Computer Viruses .......................................................... .... ...271

14.1.2 Computer Virus Infection and Prevention ................................ ... ... .... ...271

14.1.3 Types of Anti-Virus Scanner ................................................................272

14.2 Introduction to the ZyWALL Anti-Virus Scanner .............................................272

14.2.1 How the ZyWALL Anti-Virus Scanner Works .......................................273

16 Table of Contents

ZyWALL 5/35/70 Series User’s Guide

14.2.2 Notes About the ZyWALL Anti-Virus .....................................................273

14.3 General Anti-Virus Setup ...............................................................................274

14.4 Signature Searching .......................................................................................276

14.4.1 Signature Search Example ................................... ... ... ... .... ... ................278

14.5 Signature Update .........................................................................................281

14.5.1 mySecurityZone ....................................................................................281

14.5.2 Configuring Anti-virus Update . ... ... ... .... ... .............................................281

14.6 Backup and Restore ......................................................................................283

Chapter 15

Anti-Spam .............................................................................................................285

15.1 Anti-Spam Overview ....................................................................................285

15.1.1 Anti-Spam External Database ...............................................................285

15.1.1.1 SpamBulk Engine ........................................................... .............286

15.1.1.2 SpamRepute Engine ...................................................................286

15.1.1.3 SpamContent Engine ..................................................................286

15.1.1.4 SpamTricks Engine .....................................................................287

15.1.2 Spam Threshold ................................................................. ......... .......... 287

15.1.3 Phishing ................................................................................................287

15.1.4 Whitelist ................................................................................................288

15.1.5 Blacklist .................................................................................................288

15.1.6 SMTP and POP3 ..................................................................................288

15.1.7 MIME Headers ......................................................................................289

15.2 Anti-Spam General Screen ............................................................................289

15.3 Anti-Spam External DB Screen .................................................................292

15.4 Anti-Spam Lists Screen .................................................................................294

15.5 Anti-Spam Lists Edit Screen .........................................................................296

Chapter 16

Content Filtering Screens ...................................................................................299

16.1 Content Filtering Overview .............................................................................299

16.1.1 Restrict Web Features ..........................................................................299

16.1.2 Create a Filter List ................................................................................299

16.1.3 Customize Web Site Access ................................................................299

16.2 Content Filter General Screen .....................................................................299

16.3 Content Filtering with an External Database ........................ ..........................302

16.4 Content Filter Categories ............................................................................303

16.5 Content Filter Customization .......................................................................310

16.6 Customizing Keyword Blocking URL Checking ................. ................... .......... 312

16.6.1 Domain Name or IP Address URL Checking ................. .......................312

16.6.2 Full Path URL Checking .......................................................................312

16.6.3 File Name URL Checking .....................................................................312

16.7 Content Filtering Cache ...............................................................................313

Table of Contents 17

ZyWALL 5/35/70 Series User’s Guide

Chapter 17

Content Filtering Reports....................................................................................315

17.1 Checking Content Filtering Activation ............................................................315

17.2 Viewing Content Filtering Reports ..................................................................315

17.3 Web Site Submission .....................................................................................320

Chapter 18

IPSec VPN.............................................................................................................323

18.1 IPSec VPN Overview ...................................................................................323

18.1.1 IKE SA Overview ..................................................................................324

18.1.1.1 IP Addresses of the ZyWALL and Remote IPSec Router ...........324

18.2 VPN Rules (IKE) ............................................................................................325

18.3 IKE SA Setup ................................................................................................327

18.3.1 IKE SA Proposal ...................................................................................327

18.3.1.1 Diffie-Hellman (DH) Key Exchange .............................................328

18.3.1.2 Authentication .............................................................................328

18.3.1.3 Extended Authentication .............................................................330

18.3.1.4 Negotiation Mode ........................................................................330

18.3.1.5 VPN, NAT, and NAT Traversal .....................................................331

18.4 Additional IPSec VPN Topics .........................................................................332

18.4.1 SA Life Time .. ... ... ... .... ... ... ... .... ... ... ... .... ... ... ... ... ....................................332

18.4.2 IPSec High Availability ..........................................................................332

18.4.3 Encryption and Authentication Algorithms .................. ... .... ... ... .............333

18.5 VPN Rules (IKE) Gateway Policy Edit .............. ... ... ... .... ... .............................334

18.6 IPSec SA Overview ....................................................................................340

18.6.0.1 Local Network and Remote Network ...........................................340

18.6.0.2 Active Protocol ............................................................................340

18.6.0.3 Encapsulation ..............................................................................341

18.6.0.4 IPSec SA Proposal and Perfect Forward Secrecy ......................341

18.7 VPN Rules (IKE): Network Policy Edit ..........................................................342

18.8 VPN Rules (IKE): Network Policy Move .......................................................346

18.9 IPSec SA Using Manual Keys ....................................................................348

18.9.1 IPSec SA Proposal Using Manual Keys ...............................................348

18.9.2 Authentication and the Security Parameter Index (SPI) .......................348

18.10 VPN Rules (Manual) ....................................................................................348

18.11 VPN Rules (Manual): Edit .........................................................................350

18.12 VPN SA Monitor .........................................................................................353

18.13 VPN Global Setting .....................................................................................354

18.14 Telecommuter VPN/IPSec Examples ...........................................................355

18.14.1 Telecommuters Sharing One VPN Rule Example ..............................355

18.14.2 Telecommuters Using Unique VPN Rules Example ...........................356

18.15 VPN and Remote Management ...................................................................358

18.16 Hub-and-spoke VPN ....................................................................................358

18 Table of Contents

ZyWALL 5/35/70 Series User’s Guide

18.16.1 Hub-and-spoke VPN Example ............................................................359

18.16.2 Hub-and-spoke Example VPN Rule Addresses .................................360

18.16.3 Hub-and-spoke VPN Requirements and Suggestions ........................361

Chapter 19

Certificates............................................................................................................363

19.1 Certificates Overview .....................................................................................363

19.1.1 Advantages of Certificates ....................................................................364

19.2 Self-signed Certificates ..................................................................................364

19.3 Verifying a Certificate .....................................................................................364

19.3.1 Checking the Fingerprint of a Certificate on Your Computer ................364

19.4 Configuration Summary .................................................................................365

19.5 My Certificates ..............................................................................................366

19.6 My Certificate Details ...................................................................................368

19.7 My Certificate Export ..................................................... ... ... ... .... ... ... ... ..........370

19.7.1 Certificate File Export Formats .............................................................370

19.8 My Certificate Import ....................................................................................371

19.8.1 Certificate File Formats .........................................................................372

19.9 My Certificate Create ...................................................................................374

19.10 Trusted CAs ...............................................................................................376

19.1 1 Trusted CA Details ......................................................................................378

19.12 Trusted CA Import ......................................................................................381

19.13 Trusted Remote Hosts ...............................................................................382

19.14 Trusted Remote Hosts Import ....................................................................384

19.15 Trusted Remote Host Certificate Details ....................................................385

19.16 Directory Servers ........................... ... ... ... .... ... ... ... ... .... ................................388

19.17 Directory Server Add or Edit ......................................................................389

Chapter 20

Authentication Server..........................................................................................391

20.1 Authentication Server Overview .....................................................................391

20.1.1 Local User Database ......................................................................... ...391

20.1.2 RADIUS ................................................................................................391

20.2 Local User Database ............................. ... .... ... .............................................391

20.3 RADIUS ........................................................................................................393

Chapter 21

Network Address Translation (NAT)...................................................................395

21.1 NAT Overview ..............................................................................................395

21.1.1 NAT Definitions .....................................................................................395

21.1.2 What NAT Does ....................................................................................396

21.1.3 How NAT Works ...................................................................................396

21.1.4 NAT Application ....................................................................................397

Table of Contents 19

ZyWALL 5/35/70 Series User’s Guide

21.1.5 Port Restricted Cone NAT ....................................................................398

21.1.6 NAT Mapping Types .............................................................................398

21.2 Using NAT ......................................................................................................399

21.2.1 SUA (Single User Account) Versus NAT ..............................................399

21.3 NAT Overview Screen ....................................................................................400

21.4 NAT Address Mapping .................................................................................401

21.4.1 NAT Address Mapping Edit ..................................................................403

21.5 Port Forwarding .............................................................................................404

21.5.1 Default Server IP Address ....................................................................405

21.5.2 Port Forwarding: Services and Port Numbers ......................................405

21.5.3 Configuring Servers Behind Port Forwarding (Example) ......................405

21.5.4 NAT and Multiple WAN .........................................................................406

21.5.5 Port Translation ....................................................................................406

21.6 Port Forwarding Screen .................................................................................407

21.7 Port Triggering ..............................................................................................409

Chapter 22

Static Route ..........................................................................................................413

22.1 IP Static Route ............................................................................................413

22.2 IP Static Route ...............................................................................................413

22.2.1 IP Static Route Edit ..............................................................................415

Chapter 23

Policy Route .........................................................................................................417

23.1 Policy Route ..................................................................................................417

23.2 Benefits ..........................................................................................................417

23.3 Routing Policy ................................................................................................417

23.4 IP Routing Policy Setup .................................................................................418

23.5 Policy Route Edit ...........................................................................................419

Chapter 24

Bandwidth Management......................................................................................423

24.1 Bandwidth Management Overview ...............................................................423

24.2 Bandwidth Classes and Filters .......................................................................423

24.3 Proportional Bandwidth Allocation .................................................................424

24.4 Application-based Bandwidth Management ...................................................424

24.5 Subnet-based Bandwidth Management ............ ... ... ... .... ... ... ..........................424

24.6 Application and Subnet-based Bandwidth Management ...............................425

24.7 Scheduler .......................................................................................................425

24.7.1 Priority-based Scheduler ......................................................................425

24.7.2 Fairness-based Scheduler ....................................................................425

24.7.3 Maximize Bandwidth Usage .................................... .............................425

24.7.4 Reserving Bandwidth for Non-Bandwidth Class Traffic ..................... ...426

20 Table of Contents

ZyWALL 5/35/70 Series User’s Guide

24.7.5 Maximize Bandwidth Usage Example ..................................................426

24.7.5.1 Priority-based Allotment of Unused and Unbudgeted Bandwidth 427

24.7.5.2 Fairness-based Allotment of Unused and Unbudgeted Bandwidth ... 427

24.8 Bandwidth Borrowing .....................................................................................428

24.8.1 Bandwidth Borrowing Example .............................................................428

24.9 Maximize Bandwidth Usage With Bandwidth Borrowing ................................429

24.10 Over Allotment of Bandwidth .............................. ....................... ................... 429

24.11 Configuring Summary ...................................... ... ... ... .... ... ... ... .... ... ... ... ... .... ...430

24.12 Configuring Class Setup ............................................................................431

24.12.1 Bandwidth Manager Class Configuration ..........................................433

24.12.2 Bandwidth Management Statistics ...................................................436

24.13 Bandwidth Manager Monitor ......................................................................437

Chapter 25

DNS........................................................................................................................439

25.1 DNS Overview ..............................................................................................439

25.2 DNS Server Address Assignment ..................................................................439

25.3 DNS Servers ..................................................................................................439

25.4 Address Record .............................................................................................440

25.4.1 DNS Wildcard .......................................................................................440

25.5 Name Server Record .....................................................................................440

25.5.1 Private DNS Server ..............................................................................440

25.6 System Screen ...............................................................................................441

25.6.1 Adding an Address Record ..................................................................442

25.6.2 Inserting a Name Server Record .........................................................443

25.7 DNS Cache ..................................................................................................445

25.8 Configure DNS Cache .................................... ................... ................... ..........445

25.9 Configuring DNS DHCP ...............................................................................446

25.10 Dynamic DNS .............................................................................................448

25.10.1 DYNDNS Wildcard ..............................................................................448

25.10.2 High Availability ..................................................................................448

25.11 Configuring Dynamic DNS ........................... ... .............................................448

Chapter 26

Remote Management...........................................................................................451

26.1 Remote Management Overview .....................................................................451

26.1.1 Remote Management Limitations .........................................................451

26.1.2 System Timeout ....................................................................................452

26.2 WWW (HTTP and HTTPS) ...........................................................................452

26.3 WWW .............................................................................................................453

26.4 HTTPS Example ............................................................................................455

26.4.1 Internet Explorer Warning Messages ...................................................455

Table of Contents 21

ZyWALL 5/35/70 Series User’s Guide

26.4.2 Netscape Navigator Warning Messages ...............................................456

26.4.3 Avoiding the Browser Warning Messages ............................................457

26.4.4 Login Screen .........................................................................................457

26.5 SSH .............................................................................................................459

26.6 How SSH Works ............................................................................................460

26.7 SSH Implementation on the ZyWALL .............................................................461

26.7.1 Requirements for Using SSH ................................................................461

26.8 Configuring SSH ............................................................................................461

26.9 Secure Telnet Using SSH Examples ..............................................................462

26.9.1 Example 1: Microsoft Windows .............................................................462

26.9.2 Example 2: Linux ..................................................................................463

26.10 Secure FTP Using SSH Example ................................................................464

26.11 Telnet ................ ... ... .......................................................... ... .... ... ... ... ..........465

26.12 Configuring TELNET ....................................................................................465

26.13 FTP ............................................................................................................466

26.14 SNMP .........................................................................................................467

26.14.1 Supported MIBs .................................................................................469

26.14.2 SNMP Traps .......................................................................................469

26.14.3 REMOTE MANAGEMENT: SNMP ......................................................469

26.15 DNS ............................................................................................................471

26.16 Introducing Vantage CNM ...........................................................................471

26.17 Configuring CNM ..........................................................................................472

Chapter 27

UPnP......................................................................................................................475

27.1 Universal Plug and Play Overview ...............................................................475

27.1.1 How Do I Know If I'm Using UPnP? ...................................... ................475

27.1.2 NAT Traversal .......................................................................................475

27.1.3 Cautions with UPnP ..............................................................................475

27.1.4 UPnP and ZyXEL ..................................................................................476

27.2 Configuring UPnP ..........................................................................................476

27.3 Displaying UPnP Port Mapping ...................................................................477

27.4 Installing UPnP in Windows Example ............................................................478

27.4.1 Installing UPnP in Windows Me ............................................................479

27.4.2 Installing UPnP in Windows XP ............................................................480

27.5 Using UPnP in Windows XP Example ...........................................................480

27.5.1 Auto-discover Your UPnP-enabled Network Device .............................481

27.5.2 Web Configurator Easy Access ..................... ... .... ... ... ... .... ... ... ... ... .......482

Chapter 28

ALG Screen...........................................................................................................485

28.1 ALG Introduction ...........................................................................................485

28.1.1 ALG and NAT ........................................................................................485

22 Table of Contents

ZyWALL 5/35/70 Series User’s Guide

28.1.2 ALG and the Firewall ............................................................................485

28.1.3 ALG and Multiple WAN .........................................................................485

28.2 FTP ................................................................................................................486

28.3 H.323 ..............................................................................................................486

28.4 RTP ................................................................................................................486

28.4.1 H.323 ALG Details ................................................................................486

28.5 SIP .................................................................................................................488

28.5.1 STUN ....................................................................................................488

28.5.2 SIP ALG Details ....................................................................................488

28.5.3 SIP Signaling Session Timeout ............................................................489

28.5.4 SIP Audio Session Timeout ..................................................................489

28.6 ALG Screen ....................................................................................................489

Chapter 29

Reports..................................................................................................................491

29.1 Configuring Reports .......................................................................................491

29.2 System Reports Screen ................................................................................491

29.2.1 Viewing Web Site Hits .............................................................. ... ... .... ...493

29.2.2 Viewing Host IP Address ......................................................................494

29.2.3 Viewing Protocol/Port ...........................................................................495

29.2.4 System Reports Specifications .............................................................496

29.3 IDP Threat Reports Screen ..........................................................................496

29.4 Anti-Virus Threat Reports Screen ...............................................................498

29.5 Anti-Spam Threat Reports Screen ................................................................500

Chapter 30

Logs Screens........................................................................................................503

30.1 Configuring View Log ....................................................................................503

30.2 Log Description Example ...............................................................................504

30.2.1 About the Certificate Not Trusted Log ..................................................505

30.3 Configuring Log Settings ...............................................................................506

30.3.1 Log Descriptions ...................................................................................509

30.4 Syslog Logs ....................................................................................................529

Chapter 31

Maintenance .........................................................................................................531

31.1 Maintenance Overview ...................................................................................531

31.2 General Setup and System Name ............. .... ... ... ... ... .... ... ... ... .......................531

31.2.1 General Setup .......................................................................................531

31.3 Configuring Password ...................................................................................532

31.4 Time and Date ...............................................................................................533

31.5 Pre-defined NTP Time Server Pools ..............................................................536

31.5.1 Resetting the Time ................................................................................536

Table of Contents 23

ZyWALL 5/35/70 Series User’s Guide

31.5.2 Time Server Synchronization ................................................................536

31.6 Introduction To Transparent Bridging .............................................................537

31.7 Transparent Firewalls .....................................................................................538

31.8 Configuring Device Mode (Router) ................................................................539

31.9 Configuring Device Mode (Bridge) ................................................................540

31.10 F/W Upload Screen ........................................................ ... ... .... ... ... ... ... .... ...542

31.11 Backup and Restore ............. ... ............................................................. .... ...544

31.11.1 Bac kup Configuration ................................................... .......................544

31.11.2 Res tore Configuration ......................................................... ... ... ... .... ...545

31.11.3 Back to Factory Defaults ....................................................................546

31.12 Restart Screen ............................................................................................546

Chapter 32

Introducing the SMT ............................................................................................549

32.1 Introduction to the SMT ..................................................................................549

32.2 Accessing the SMT via the Console Port .................................... ...................549

32.2.1 Initial Screen .........................................................................................549

32.2.2 Entering the Password ................................... ....... ...... ....... ...... ...... .......550

32.3 Navigating the SMT Interface .........................................................................550

32.3.1 Main Menu ............................................................................................551

32.3.2 SMT Menus Overview ..........................................................................553

32.4 Changing the System Password ....................................................................555

32.5 Resetting the ZyWALL ...................................................................................556

Chapter 33

SMT Menu 1 - General Setup...............................................................................557

33.1 Introduction to General Setup ........................................................................557

33.2 Configuring General Setup ................................ ................ ................ ............. 557

33.2.1 Configuring Dynamic DNS ....................................................................559

33.2.1.1 Editing DDNS Host ......................... ...................... ....................... 559

Chapter 34

WAN and Dial Backup Setup...............................................................................563

34.1 Introduction to WAN and Dial Backup Setup ..................................................563

34.2 WAN Setup .....................................................................................................563

34.3 Dial Backup ....................................................................................................564

34.4 Configuring Dial Backup in Menu 2 ................................................................564

34.5 Advanced WAN Setup ....................................................................................565

34.6 Remote Node Profile (Backup ISP) ............ .... ... .............................................567

34.7 Editing PPP Options .......................................................................................569

34.8 Editing TCP/IP Options ..................................................................................570

34.9 Editing Login Script ........................................................................................572

34.10 Remote Node Filter ......................................................................................574

24 Table of Contents

ZyWALL 5/35/70 Series User’s Guide

Chapter 35

LAN Setup.............................................................................................................575

35.1 Introduction to LAN Setup ..............................................................................575

35.2 Accessing the LAN Menus ................... ..........................................................575

35.3 LAN Port Filter Setup .....................................................................................575

35.4 TCP/IP and DHCP Ethernet Setup Menu ......................................................576

35.4.1 IP Alias Setup .......................................................................................579

Chapter 36

Internet Access ....................................................................................................581

36.1 Introduction to Internet Access Setup ............................................................581

36.2 Ethernet Encapsulation ..................................................................................581

36.3 Configuring the PPTP Client ..........................................................................583

36.4 Configuring the PPPoE Client ........................................................................583

36.5 Basic Setup Complete ....................................................................................584

Chapter 37

DMZ Setup ............................................................................................................585

37.1 Configuring DMZ Setup ..................................................................................585

37.2 DMZ Port Filter Setup ....................................................................................585

37.3 TCP/IP Setup .................................................................................................585

37.3.1 IP Address ............................................................................................586

37.3.2 IP Alias Setup .......................................................................................587

Chapter 38

Route Setup..........................................................................................................589

38.1 Configuring Route Setup ................................... ............................................. 589

38.2 Route Assessment .........................................................................................589

38.3 Traffic Redirect ...............................................................................................590

38.4 Route Failover ................................................................................................591

Chapter 39

Wireless Setup .....................................................................................................593

39.1 Wireless LAN Setup .......................................................................................593

39.1.1 MAC Address Filter Setup ....................................................................595

39.2 TCP/IP Setup .................................................................................................596

39.2.1 IP Address ............................................................................................596

39.2.2 IP Alias Setup .......................................................................................597

Chapter 40

Remote Node Setup.............................................................................................599

40.1 Introduction to Remote Node Setup ...............................................................599

40.2 Remote Node Setup .......................................................................................599

Table of Contents 25

ZyWALL 5/35/70 Series User’s Guide

40.3 Remote Node Profile Setup .............. ... ... ... .... ................................................600

40.3.1 Ethernet Encapsulation ............................................ ............. ............. ...600

40.3.2 PPPoE Encapsulation ...........................................................................602

40.3.2.1 Outgoing Authentication Protocol ................................................602

40.3.2.2 Nailed-Up Connection .................................................................602

40.3.2.3 Metric ..........................................................................................603

40.3.3 PPTP Encapsulation .............................................................................603

40.4 Edit IP .............................................................................................................604

40.5 Remote Node Filter ........................................................................................606

40.6 Traffic Redirect ...............................................................................................607

Chapter 41

IP Static Route Setup...........................................................................................609

41.1 IP Static Route Setup .....................................................................................609

Chapter 42

Network Address Translation (NAT)...................................................................611

42.1 Using NAT ......................................................................................................611

42.1.1 SUA (Single User Account) Versus NAT ..............................................611

42.1.2 Applying NAT ........................................................................................611

42.2 NAT Setup ......................................................................................................613

42.2.1 Address Mapping Sets ..........................................................................614

42.2.1.1 SUA Address Mapping Set ..... .... ... ... ..........................................614

42.2.1.2 User-Defined Address Mapping Sets ..........................................615

42.2.1.3 Ordering Your Rules ....................................................................616

42.3 Configuring a Server behind NAT ..................................................................618

42.4 General NAT Examples ..................................................................................621

42.4.1 Internet Access Only .............................................................................621

42.4.2 Example 2: Internet Access with a Default Server ............. ... ... ... ... .... ...623

42.4.3 Example 3: Multiple Public IP Addresses With Inside Servers .............623

42.4.4 Example 4: NAT Unfriendly Application Programs ...............................627

42.5 Trigger Port Forwarding .................................................................................628

42.5.1 Two Point s To Remember About Trigger Ports .................. ... ... ... ... .... ...628

Chapter 43

Introducing the ZyWALL Firewall .......................................................................631

43.1 Using ZyWALL SMT Menus .............................................. .............................631

43.1.1 Activating the Firewall ................................. ....................................... ...631

Chapter 44

Filter Configuration..............................................................................................633

44.1 Introduction to Filters ......................................................................................633

44.1.1 The Filter Structure of the ZyWALL ......................................................634

26 Table of Contents

ZyWALL 5/35/70 Series User’s Guide

44.2 Configuring a Filter Set ..................................................................................636

44.2.1 Configuring a Filter Rule ................................ ... .... ... ... ... .......................637

44.2.2 Configuring a TCP/IP Filter Rule ..........................................................638

44.2.3 Configuring a Generic Filter Rule ............................................ ... ... .......640

44.3 Example Filter ................................................................................................642

44.4 Filter Types and NAT .................. ... .... .............................................................644

44.5 Firewall Versus Filters ....................................................................................644

44.5.1 Packet Filtering: ....................................................................................645

44.5.1.1 When To Use Filtering .................................................................645

44.5.2 Firewall .................................................................................................645

44.5.2.1 When To Use The Firewall ..........................................................645

44.6 Applying a Filter ............................................................................................646

44.6.1 Applying LAN Filters .............................................................................646

44.6.2 Applying DMZ Filters ............................................................................646

44.6.3 Applying Remote Node Filters ..............................................................647

Chapter 45

SNMP Configuration ............................................................................................649

45.1 SNMP Configuration ......................................................................................649

45.2 SNMP Traps ...................................................................................................650

Chapter 46

System Information & Diagnosis........................................................................651

46.1 Introduction to System Status ........................................................................651

46.2 System Status ................................................................................................651

46.3 System Information and Console Port Speed ................................................653

46.3.1 System Information ............................... ................................... .............653

46.3.2 Console Port Speed ..............................................................................654

46.4 Log and Trace ............... ... .... ... ... ... .... ... ..........................................................655

46.4.1 Viewing Error Log .................................................................................655

46.4.2 Syslog Logging .....................................................................................656

46.4.3 Call-Triggering Packet ..........................................................................659

46.5 Diagnostic ......................................................................................................659

46.5.1 WAN DHCP ..........................................................................................660

Chapter 47

Firmware and Configuration File Maintenance.................................................663

47.1 Introduction ....................................................................................................663

47.2 Filename Conventions ...................................................................................663

47.3 Backup Configuration .....................................................................................664

47.3.1 Backup Configuration ...........................................................................664

47.3.2 Using the FTP Command from the Command Line ..............................665

47.3.3 Example of FTP Commands from the Command Line .........................666

Table of Contents 27

ZyWALL 5/35/70 Series User’s Guide

47.3.4 GUI-based FTP Clients .........................................................................666

47.3.5 File Maintenance Over WAN ................................................................666

47.3.6 Backup Configuration Using TFTP .......................................................667

47.3.7 TFTP Command Example ....................................................................667

47.3.8 GUI-based TFTP Clients ......................................................................668

47.3.9 Backup Via Console Port ......................................................................668

47.4 Restore Configuration ....................................................................................669

47.4.1 Restore Using FTP ...............................................................................669

47.4.2 Restore Using FTP Session Example ..................................................671

47.4.3 Restore Via Console Port .....................................................................671

47.5 Uploading Firmware and Configuration Files .................................................672

47.5.1 Firmware File Upload ............................ ...... ... ....... ...... ....... ...... ...... .......672

47.5.2 Configuration File Upload .....................................................................673

47.5.3 FTP File Upload Command from the DOS Prompt Example ................674

47.5.4 FTP Session Example of Firmware File Upload ................... ... ... ... .... ...674

47.5.5 TFTP File Upload ..................................................................................674

47.5.6 TFTP Upload Command Example ........................................................675

47.5.7 Uploading Via Console Port ..................................................................675

47.5.8 Uploading Firmware File Via Console Port ...........................................675

47.5.9 Example Xmodem Firmware Upload Using HyperTerminal ............... ...676

47.5.10 Uploading Configuration File Via Console Port ..................................676

47.5.11 Example Xmodem Configuration Upload Using HyperTerminal .........677

Chapter 48

System Maintenance Menus 8 to 10...................................................................679

48.1 Command Interpreter Mode ...........................................................................679

48.1.1 Command Syntax .................................................................................679

48.1.2 Command Usage ..................................................................................680

48.2 Call Control Support ................................................... .... ... ... ... .... ... ... ... ... .... ...681

48.2.1 Budget Management ............................................................................681

48.2.2 Call History ...........................................................................................682

48.3 Time and Date Setting ....................................................................................683

Chapter 49

Remote Management...........................................................................................687

49.1 Remote Management .....................................................................................687

49.1.1 Remote Management Limitations .........................................................689

Chapter 50

IP Policy Routing..................................................................................................691

50.1 IP Routing Policy Summary ...........................................................................691

50.2 IP Routing Policy Setup .................................................................................692

50.2.1 Applying Policy to Packets ....................................................................694

28 Table of Contents

ZyWALL 5/35/70 Series User’s Guide

50.3 IP Policy Routing Example .............................................................................695

Chapter 51

Call Scheduling ....................................................................................................699

51.1 Introduction to Call Scheduling ......................................................................699

Chapter 52

Troubleshooting ...................................................................................................703

52.1 Problems Starting Up the ZyWALL .................................................................703

52.2 Problems with the LAN Interface .......................... ................... .................... ...703

52.3 Problems with the DMZ Interface ................... ................................................ 704

52.4 Problems with the WAN Interface ..................................................................704

52.5 Problems Accessing the ZyWALL ..................................................................705

52.5.1 Pop-up Windows, JavaScripts and Java Permissions ..........................705

52.5.1.1 Internet Explorer Pop-up Blockers ..............................................706

52.5.1.2 JavaScripts ..................................................................................709

52.5.1.3 Java Permissions ........................................................................ 711

52.6 Packet Flow ....................................................................................................713

Appendix A

Product Specifications ........................................................................................715

Appendix B

Hardware Installation...........................................................................................723

Appendix C

Removing and Installing a Fuse ........................................................................727

Appendix D

Setting up Your Computer’s IP Address............................................................729

Appendix E

IP Addresses and Subnetting.............................................................................745

Appendix F

Common Services...............................................................................................753

Appendix G

Wireless LANs......................................................................................................757

Appendix H

Windows 98 SE/Me Requirements for Anti-Virus Message Display................771

Appendix I

VPN Setup.............................................................................................................775

Appendix J

Table of Contents 29

ZyWALL 5/35/70 Series User’s Guide

Importing Certificates..........................................................................................787

Appendix K

Command Interpreter...........................................................................................799

Appendix L

Firewall Commands .............................................................................................807

Appendix M

NetBIOS Filter Commands ..................................................................................813

Appendix N

Certificates Commands.......................................................................................817

Appendix O

Brute-Force Password Guessing Protection.....................................................821

Appendix P

Boot Commands ..................................................................................................823

Index...................................................................................................................... 825

30 Table of Contents

ZyWALL 5/35/70 Series User’s Guide

List of Figures

Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem ................................ 63

Figure 2 VPN Application .................................................................................................... 64

Figure 3 ZyWALL 70 Front Panel ........................................................................................ 64

Figure 4 ZyWALL 35 Front Panel ........................................................................................ 64

Figure 5 ZyWALL 5 Front Panel .......................................................................................... 64

Figure 6 Change Password Screen .................................................................................... 68

Figure 7 Replace Certificate Screen ................................................................................... 68

Figure 8 Example Xmodem Upload .................................................................................... 69

Figure 9 HOME Screen ....................................................................................................... 70

Figure 10 Web Configurator HOME Screen in Router Mode .............................................. 71

Figure 11 Web Configurator HOME Screen in Bridge Mode ............................................... 75

Figure 12 HOME > Show Statistics ..................................................................................... 83

Figure 13 HOME > Show Statistics > Line Chart ................................................................ 85

Figure 14 HOME > DHCP Table ......................................................................................... 86

Figure 15 HOME > VPN Status ........................................................................................... 87

Figure 16 Home > Bandwidth Monitor .................................... ...... ....... ... ...... ....... ...... ....... ... 88

Figure 17 Wizard Setup Welcome ...................................................................................... 90

Figure 18 ISP Parameters: Ethernet Encapsulation ........................................................... 91

Figure 19 ISP Parameters: PPPoE Encapsulation ............................................................. 92

Figure 20 ISP Parameters: PPTP Encapsulation ............................ .... ... ... ... .... ... ... ... ... .... ... 94

Figure 21 Internet Access Wizard: Second Screen ............................................................ 96

Figure 22 Internet Access Setup Complete ........................................................................ 96

Figure 23 Internet Access Wizard: Registration .................. ......................................... ....... 97

Figure 24 Internet Access Wizard: Registration in Progress ............................................... 98

Figure 25 Internet Access Wizard: Status ........................................................................... 98

Figure 26 Internet Access Wizard: Registration Failed ....................................................... 99

Figure 27 Internet Access Wizard: Registered Device .............. ... ... .... ... ... ... .... ... ................ 99

Figure 28 Internet Access Wizard: Activated Services ....................................................... 99

Figure 29 VPN Wizard: Gateway Setting ............................................................................ 100

Figure 30 VPN Wizard: Network Setting ............................................................................. 102

Figure 31 VPN Wizard: IKE Tunnel Setting ......................................................................... 103

Figure 32 VPN Wizard: IPSec Setting ....................... ............. ............. ............. ............ ....... 105

Figure 33 VPN Wizard: VPN Status .................................................................................... 107

Figure 34 VPN Wizard Setup Complete ....................................... ............. ............. ............. 109

Figure 35 IDP for From VPN Traffic .................................................................................... 112

Figure 36 IDP Configuration for Traffic From VPN ..............................................................112

Figure 37 IDP for To VPN Traffic ............................................................................... ... .... ... 113

Figure 38 IDP Configuration for To VPN Traffic .................................................................. 114

List of Figures 31

ZyWALL 5/35/70 Series User’s Guide

Figure 39 Firewall Rule for VPN ................................... ............. ............. ............. ............. ... 115

Figure 40 SECURITY > VPN > VPN Rules (IKE) ..............................................................115

Figure 41 SECURITY > VPN > VPN Rules (IKE)> Add Gateway Policy ......................... 116

Figure 42 SECURITY > VPN > VPN Rules (IKE): With Gateway Policy Example ............ 117

Figure 43 SECURITY > VPN > VPN Rules (IKE)> Add Network Policy ........................... 118

Figure 44 SECURITY > FIREWALL > Rule Summary ..................................... ................... 119

Figure 45 SECURITY > FIREWALL > Rule Summary > Edit: Allow .................................. 120

Figure 46 SECURITY > FIREWALL > Rule Summary: Allow ................................... ... .... ... 121

Figure 47 SECURITY > FIREWALL > Default Rule: Block From VPN To LAN ................... 121

Figure 48 REGISTRATION ................................................................................................. 124

Figure 49 REGISTRATION: Registered Device .................................................................. 126

Figure 50 REGISTRATION > Service ................................................................................. 126

Figure 51 LAN and WAN .................................................................................................... 129

Figure 52 NETWORK > LAN .............................................................................................. 133

Figure 53 NETWORK > LAN > Static DHCP ...................................................................... 136

Figure 54 Physical Network & Partitioned Logical Networks .............................................. 137

Figure 55 NETWORK > LAN > IP Alias .............................................................................. 138

Figure 56 NETWORK > LAN > Port Roles .......................................................................... 140

Figure 57 Port Roles Change Complete ............................................................................. 140

Figure 58 Bridge Loop: Bridge Connected to Wired LAN ............................ .... ... ... ... ... .... ... 141

Figure 59 NETWORK > Bridge ........................................................................................... 144

Figure 60 NETWORK > Bridge > Port Roles ...................................................................... 146

Figure 61 Port Roles Change Complete ............................................................................. 146

Figure 62 Least Load First Example .................................................................................. 149

Figure 63 Weighted Round Robin Algorithm Example ........................................................ 150

Figure 64 Spillover Algorithm Example ............................................................................... 151

Figure 65 NETWORK > WAN (General) ............................................................................ 152

Figure 66 Load Balancing: Least Load First .......................................... ... ... .... ... ... ... ... .... ... 155

Figure 67 Load Balancing: Weighted Round Robin ........................ .... ... ... ... .... ... ... ... ... .... ... 156

Figure 68 Load Balancing: Spillover ................................................................. ... ... ... ... .... ... 157

Figure 69 NETWORK > WAN (Route) ................................................................................ 158

Figure 70 NETWORK > WAN > WAN (Ethernet Encapsulation) ..................................... 161

Figure 71 NETWORK > WAN > WAN (PPPoE Encap s ulation) ......................................... 164

Figure 72 NETWORK > WAN > WAN (PPTP Encapsulation) ............................................ 167

Figure 73 Traffic Redirect WAN Setup ................................................................................ 170

Figure 74 Traffic Redirect LAN Setup .............................................................. ... ... ... ... .... ... 170

Figure 75 NETWORK > WAN > Traffic Redirect ................................................................. 171

Figure 76 NETWORK > WAN > Dial Backup .................................................................... 172

Figure 77 NETWORK > WAN > Dial Backup > Edit .......................................................... 176

Figure 78 NETWORK > DMZ ............................................................................................. 180

Figure 79 NETWORK > DMZ > Static DHCP .................................................................... 183

Figure 80 NETWORK > DMZ > IP Alias ............................................................................ 184

Figure 81 DMZ Public Address Example ............................................................................ 186

32 List of Figures

ZyWALL 5/35/70 Series User’s Guide

Figure 82 DMZ Private and Public Address Example ..................... .... ... ... ... .... ................... 187

Figure 83 NETWORK > DMZ > Port Roles ........................................................................ 188

Figure 84 NETWORK > WLAN .......................................................................................... 190

Figure 85 NETWORK > WLAN > Static DHCP .................................................................. 193

Figure 86 NETWORK > WLAN > IP Alias .......................................................................... 194

Figure 87 WLAN Port Role Example .................................................................................. 196

Figure 88 NETWORK > WLAN > Port Roles ..................................................................... 196

Figure 89 NETWORK > WLAN > Port Roles: Change Complete .......................................197

Figure 90 ZyWALL Wireless Security Levels ...................................................................... 198

Figure 91 EAP Authentication ............................................................................................. 201

Figure 92 WPA-PSK Authentication .................................................................................... 204

Figure 93 WPA with RADIUS Application Example ............................................................ 205

Figure 94 NETWORK > WIRELESS CARD: No Security ................................................... 206

Figure 95 NETWORK > WIRELESS CARD: Static WEP .................................................... 208

Figure 96 NETWORK > WIRELESS CARD: WPA-PSK .....................................................209

Figure 97 NETWORK > WIRELESS CARD: WPA .............................................................. 210

Figure 98 NETWORK > WIRELESS CARD: 802.1x + Dynamic WEP ................................211

Figure 99 NETWORK > WIRELESS CARD: 802.1x + Static WEP .....................................213

Figure 100 NETWORK > WIRELESS CARD: 802.1x + No WEP ....................................... 214

Figure 101 NETWORK > WIRELESS CARD: No Access 802.1x + Static WEP .................216

Figure 102 NETWORK > WIRELESS CARD: MAC Address Filter ..................................... 217

Figure 103 Default Firewall Action ...................................................................................... 219

Figure 104 SECURITY > FIREWALL > Default Rule (Router Mode) .................................. 220

Figure 105 Default Block Traffic From WAN1 to DMZ Example ...................................... 221

Figure 106 From LAN to VPN Example ............................................................................. 223

Figure 107 Block DMZ to VPN Traffic by Default Example .............................................. 223

Figure 108 From VPN to LAN Example ............................................................................. 224

Figure 109 Block VPN to LAN Traffic by Default Example .............................................. 225

Figure 110 From VPN to VPN Example ............................................................................. 226

Figure 111 Block VPN to VPN Traffic by Default Example .............................................. 226

Figure 112 Blocking All LAN to WAN IRC Traffic Example ................................................ 227

Figure 113 Limited LAN to WAN IRC Traffic Example ........................................................ 228

Figure 114 Using IP Alias to Solve the Triangle Route Problem ......................................... 230

Figure 115 SECURITY > FIREWALL > Default Rule (Router Mode) .................................. 230

Figure 116 SECURITY > FIREWALL > Default Rule (Bridge Mode) ................................. 232

Figure 117 SECURITY > FIREWALL > Rule Summary ...................................................... 234

Figure 118 SECURITY > FIREWALL > Rule Summary > Edit .................... .... ... ... ... ... .... ... 236

Figure 119 SECURITY > FIREWALL > Anti-Probing .......................................................... 238

Figure 120 Three-Way Handshake ..................................................................................... 239

Figure 121 SECURITY > FIREWALL > Threshold ........................................................... 240

Figure 122 SECURITY > FIREWALL > Service .................................................................. 243

Figure 123 Firewall Edit Custom Service ............................................................................ 244

Figure 124 My Service Firewall Rule Example: Service .................................................... 245

List of Figures 33

ZyWALL 5/35/70 Series User’s Guide

Figure 125 My Service Firewall Rule Example: Edit Custom Service ................................ 246

Figure 126 My Service Firewall Rule Example: Rule Summary .......................................... 246

Figure 127 My Service Firewall Rule Example: Rule Edit ............................... ... ................ 247

Figure 128 My Service Firewall Rule Example: Rule Configuration .... ... ... ... .... ................... 248

Figure 129 My Service Firewall Rule Example: Rule Summary .......................................... 249

Figure 130 Network Intrusions ........................................................................................... 251

Figure 131 Applying IDP to Interfaces ................................................................................ 255

Figure 132 SECURITY > IDP > General ............................................................................. 256

Figure 133 SECURITY > IDP > Signatures: Attack Types .................................................. 258

Figure 134 SECURITY > IDP > Signature: Actions ............................................................ 260

Figure 135 SECURITY > IDP > Signature: Group View ..................................................... 261

Figure 136 SECURITY > IDP > Signature: Query View ...................................................... 263

Figure 137 SECURITY > IDP > Signature: Query by Partial Name .................................... 265

Figure 138 SECURITY > IDP > Signature: Query by Complete ID ..................................... 266

Figure 139 Signature Query by Attribute. ............................................................................ 267

Figure 140 SECURITY > IDP > Update .............................................................................. 268

Figure 141 SECURITY > IDP > Backup & Restore ............................................................. 270

Figure 142 ZyWALL Anti-virus Example .......................................................................... 273

Figure 143 SECURITY > ANTI-VIRUS > General ............................................................. 275

Figure 144 SECURITY > ANTI-VIRUS > Signature: Query View ....................................... 277

Figure 145 Query Example Search Criteria ........................................................................ 279

Figure 146 Query Example Search Results ........................................................................ 280

Figure 147 SECURITY > ANTI-VIRUS > Update ................................................................ 282

Figure 148 SECURITY > ANTI-VIRUS > Backup and Restore ........................................... 283

Figure 149 Anti-spam External Database Example ............................................................ 287

Figure 150 SECURITY > ANTI-SPAM > General ............................................................... 290

Figure 151 SECURITY > ANTI-SPAM > External DB ......................................................... 292

Figure 152 SECURITY > ANTI-SPAM > Lists .....................................................................295

Figure 153 SECURITY > ANTI-SPAM > Lists > Edit .......................................................... 297

Figure 154 SECURITY > CONTENT FILTER > General .................................................... 300

Figure 155 Content Filtering Lookup Procedure ................................................................. 302

Figure 156 SECURITY > CONTENT FILTER > Categories ................................................ 304

Figure 157 SECURITY > CONTENT FILTER > Customization .......................................... 310

Figure 158 SECURITY > CONTENT FILTER > Cache ....................................................... 313

Figure 159 myZyXEL.com: Login ........................................................................................ 316

Figure 160 myZyXEL.com: Welcome .................................................................................. 316

Figure 161 myZyXEL.com: Service Management ............................................................... 317

Figure 162 Blue Coat: Login ...............................................................................................317

Figure 163 Content Filtering Reports Main Screen ............................................................. 318

Figure 164 Blue Coat: Report Home ................................................................................... 318

Figure 165 Global Report Screen Example ........................................................................ 319

Figure 166 Requested URLs Example ................................................................................ 320

Figure 167 Web Page Review Process Screen .................................................................. 321

34 List of Figures

ZyWALL 5/35/70 Series User’s Guide

Figure 168 VPN: Example ................................................................................................... 323

Figure 169 VPN: IKE SA and IPSec SA ............................................................................. 324

Figure 170 Gateway and Network Policies ........................................................ ................ 325

Figure 171 IPSec Fields Summary ...................................................................................325

Figure 172 SECURITY > VPN > VPN Rules (IKE) ............................................................ 326

Figure 173 IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal ....................... 327

Figure 174 IKE SA: Main Negotiation Mode, Steps 3 - 4: DH Key Exchange ..................... 328

Figure 175 IKE SA: Main Negotiation Mode, Steps 5 - 6: Authentication ........................... 328

Figure 176 VPN/NAT Example ............................................................................................ 331

Figure 177 IPSec High Availability ...................................................................................... 333

Figure 178 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy ....................... 335

Figure 179 VPN: Transport and Tunnel Mode Encapsulation ............................................. 341

Figure 180 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy ......................... 343

Figure 181 SECURITY > VPN > VPN Rules (IKE) > Move Network Policy ....................... 347

Figure 182 SECURITY > VPN > VPN Rules (Manual) ...................................................... 349

Figure 183 SECURITY > VPN > VPN Rules (Manual) > Edit ............................................ 350

Figure 184 SECURITY > VPN > SA Monitor .................................................................... 353

Figure 185 SECURITY > VPN > Global Setting ............ .......... ............. ............. ............. ... 354

Figure 186 Telecommuters Sharing One VPN Rule Example ............................................. 356

Figure 187 Telecommuters Using Unique VPN Rules Example ......................................... 357

Figure 188 VPN for Remote Management Example ........................... ................................ 358

Figure 189 VPN Topologies ................................................................................................ 359

Figure 190 Hub-and-spoke VPN Example .......................................................................... 360

Figure 191 Certificates on Your Computer .......................................................................... 364

Figure 192 Certificate Details ............................................................................................. 365

Figure 193 Certificate Configuration Overview ...................................................................365

Figure 194 SECURITY > CERTIFICATES > My Certificates ............................................. 366

Figure 195 SECURITY > CERTIFICATES > My Certificates > Details ............................... 368

Figure 196 SECURITY > CERTIFICATES > My Certificates > Export ................................ 371

Figure 197 SECURITY > CERTIFICATES > My Certificates > Import ................................ 373

Figure 198 SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12 ..............373

Figure 199 SECURITY > CERTIFICATES > My Certificates > Create ............................... 374

Figure 200 SECURITY > CERTIFICATES > Trusted CAs .................................................. 377

Figure 201 SECURITY > CERTIFICATES > Trusted CAs > Details ................................... 379

Figure 202 SECURITY > CERTIFICATES > Trusted CAs > Import .................................... 382

Figure 203 SECURITY > CERTIFICATES > Trusted Remote Hosts .................................. 383

Figure 204 SECURITY > CERTIFICATES > Trusted Remote Hosts > Import .................... 384

Figure 205 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details ................... 386

Figure 206 SECURITY > CERTIFICATES > Directory Servers .......................................... 388

Figure 207 SECURITY > CERTIFICATES > Directory Server > Add ................................. 389

Figure 208 SECURITY > AUTH SERVER > Local User Database ..................................... 392

Figure 209 SECURITY > AUTH SERVER > RADIUS ........................................................ 393

Figure 210 How NAT Works ................................................................................................ 396

List of Figures 35

ZyWALL 5/35/70 Series User’s Guide

Figure 211 NAT Application With IP Alias ........................................................................... 397

Figure 212 Port Restricted Cone NAT Example .................................................................. 398

Figure 213 ADVANCED > NAT > NAT Overview ................................................................ 400

Figure 214 ADVANCED > NAT > Address Mapping ........................................................... 402

Figure 215 ADVANCED > NAT > Address Mapping > Edit ................................................. 403

Figure 216 Multiple Servers Behind NAT Example ............................................. ... ... ... ....... 406

Figure 217 Port Translation Example .................................................................................. 407

Figure 218 ADVANCED > NAT > Port Forwarding .............................................................. 408

Figure 219 Trigger Port Forwarding Process: Example ...................................................... 409

Figure 220 ADVANCED > NAT > Port Triggering ............................................................... 410

Figure 221 Example of Static Routing Topology ................................................................. 413

Figure 222 ADVANCED > STATIC ROUTE > IP S tatic Route ............................................ 414

Figure 223 ADVANCED > STATIC ROUTE > IP Static Route > Edit .................................. 415

Figure 224 ADVANCED > POLICY ROUTE > Policy Route Summary ............................... 418

Figure 225 Edit IP Policy Route .......................................................................................... 420

Figure 226 Subnet-based Bandwidth Management Example ............................................. 424

Figure 227 ADVANCED > BW MGMT > Summary ............................................................. 430

Figure 228 ADVANCED > BW MGMT > Class Setup ......................................................... 432

Figure 229 ADVANCED > BW MGMT > Class Setup > Add Sub-Class ............................. 434

Figure 230 ADVANCED > BW MGMT > Class Setup > Statistics ....................................... 437

Figure 231 ADVANCED > BW MGMT > Monitor ............................................................... 438

Figure 232 Private DNS Server Example ............................................................................ 441

Figure 233 ADVANCED > DNS > System DNS .................................................................. 441

Figure 234 ADVANCED > DNS > Add (Address Record) ................................................... 443

Figure 235 ADVANCED > DNS > Insert (Name Server Record) ........................................ 444

Figure 236 ADVANCED > DNS > Cache ............................................................................ 445

Figure 237 ADVANCED > DNS > DHCP ............................................................................ 447

Figure 238 ADVANCED > DNS > DDNS ............................................................................ 449

Figure 239 HTTPS Implementation ........................................ ................... ................... ....... 453

Figure 240 ADVANCED > REMOTE MGMT > WWW ........................................................ 454

Figure 241 Security Alert Dialog Box (Internet Explorer) .................................................... 455

Figure 242 Security Certificate 1 (Netscape) ...................................................................... 456

Figure 243 Security Certificate 2 (Netscape) ...................................................................... 456

Figure 244 Example: Lock Denoting a Secure Connection ................................................ 458

Figure 245 Replace Certificate ............................................................................................ 458

Figure 246 Device-specific Certificate ................................................................................. 459

Figure 247 Common ZyWALL Certificate ............................................................................ 459

Figure 248 SSH Communication Example .......................................................................... 460

Figure 249 How SSH Works ............................................................................................... 460

Figure 250 ADVANCED > REMOTE MGMT > SSH ........................................................... 462

Figure 251 SSH Example 1: Store Host Key ....................................................................... 463

Figure 252 SSH Example 2: Test ....................................................................................... 463

Figure 253 SSH Example 2: Log in ..................................................................................... 464

36 List of Figures

ZyWALL 5/35/70 Series User’s Guide

Figure 254 Secure FTP: Firmware Upload Example .......................................................... 465

Figure 255 Telnet Configuration on a TCP/IP Network ....................................................... 465

Figure 256 ADVANCED > REMOTE MGMT > Telnet ......................................................... 466

Figure 257 ADVANCED > REMOTE MGMT > FTP ............................................................ 467

Figure 258 SNMP Management Model ............................................................................... 468

Figure 259 ADVANCED > REMOTE MGMT > SNMP ........................................................ 470

Figure 260 ADVANCED > REMOTE MGMT > DNS ........................................................... 471

Figure 261 ADVANCED > REMOTE MGMT > CNM .......................................................... 472

Figure 262 ADVANCED > UPnP .........................................................................................476

Figure 263 ADVANCED > UPnP > Ports ............................................................................ 477

Figure 264 H.323 ALG Example ........................................................................................ 487

Figure 265 H.323 with Multiple WAN IP Addresses Figure 266 H.323 Calls from the WAN

Figure 267 SIP ALG Example ............................................................................................ 489

Figure 268 ADVANCED > ALG .......................................................................................... 490

Figure 269 REPORTS > SYSTEM REPORTS ................................................................... 492

Figure 270 REPORTS > SYSTEM REPORTS: Web Site Hits Example ............................. 493

Figure 271 REPORTS > SYSTEM REPORTS: Host IP Address Example ........................ 494

Figure 272 REPORTS > SYSTEM REPORTS: Protocol/Port Example .............................. 495

Figure 273 REPORTS > THREAT REPOR TS > IDP ......................................................... 496

Figure 274 REPORTS > THREAT REPORTS > IDP > Source ......................................... 498

Figure 275 REPORTS > THREAT REPORTS > IDP > Destination ................................... 498

Figure 276 REPORTS > THREAT REPORTS > Anti-Virus .............................................. 498

Figure 277 REPORTS > THREAT REPORTS > Anti-Virus > Source ................................ 499

Figure 278 REPORTS > THREAT REPORTS > Anti-Virus > Destination ......................... 500

Figure 279 REPORTS > THREAT REPORTS > Anti-Spam ............................................. 500

Figure 280 REPORTS > THREAT REPORTS > Anti-Spam > Source ............................... 502

Figure 281 REPORTS > THREAT REPORTS > Anti-Spam > Score Distribution .............. 502

Figure 282 LOGS > View Log ......................................................................................... 503

Figure 283 myZyXEL.com: Download Center ..................................................................... 505

Figure 284 myZyXEL.com: Certificate Download ............................................................... 506

Figure 285 LOGS > Log Settings ........................................................................................ 507

Figure 286 MAINTENANCE > General Setup .................................................................... 532

Figure 287 MAINTENANCE > Password ........................................................................... 533

Figure 288 MAINTENANCE > Time and Date ....................................................................534

Figure 289 Synchronization in Process ..................... ............. ............. ............. ............ ....... 536

Figure 290 Synchronization is Successful .......................................................................... 537

Figure 291 Synchronization Fail .......................................................................................... 537

Figure 292 MAINTENANCE > Device Mode (Router Mode) ........................ .... ... ... ............. 539

Figure 293 MAINTENANCE > Device Mode (Bridge Mode) ............................................... 541

Figure 294 MAINTENANCE > Firmware Upload ................................................................ 542

Figure 295 Firmware Upload In Process ............................................................................. 543

Figure 296 Network Temporarily Disconnected .................................................................. 543

with Multiple Outgoing Calls .................................. 488

.................................... ....................... 487

List of Figures 37

ZyWALL 5/35/70 Series User’s Guide

Figure 297 Firmware Upload Error ...................................................................................... 543

Figure 298 MAINTENANCE > Backup and Restore ........................................................... 544

Figure 299 Configuration Upload Successful ...................................................................... 545

Figure 300 Network Temporarily Disconnected .................................................................. 545

Figure 301 Configuration Upload Error ............................................................................... 546

Figure 302 Reset Warning Message ................................................... ................................ 546

Figure 303 MAINTENANCE > Restart ............................................................................... 547

Figure 304 Initial Screen ..................................................................................................... 550

Figure 305 Password Screen ............................................................................................. 550

Figure 306 Main Menu (Router Mode) ................................................................................ 552

Figure 307 Main Menu (Bridge Mode) ................................................................................ 552

Figure 308 Menu 23: System Password ............................................................................. 556

Figure 309 Menu 1: General Setup (Router Mode) ............................................................. 557

Figure 310 Menu 1: General Setup (Bridge Mode) ............................................................. 558

Figure 311 Menu 1.1: Configure Dynamic DNS .................................................................. 559

Figure 312 Menu 1.1.1: DDNS Host Summary ................................................................... 560

Figure 313 Menu 1.1.1: DDNS Edit Host ............................................................................ 561

Figure 314 MAC Address Cloning in WAN Setup ............................................................... 563

Figure 315 Menu 2: Dial Backup Setup ............................................................................565

Figure 316 Menu 2.1: Advanced WAN Setup .............................................................. .... ... 566

Figure 317 Menu 11.3: Remote Node Profile (Backup ISP) ........................................ .... ... 568

Figure 318 Menu 11.3.1: Remote Node PPP Options ........................................................ 570

Figure 319 Menu 11.3.2: Remote Node Network Layer Options ........................................ 571

Figure 320 Menu 11.3.3: Remote Node Script .................................................................... 573

Figure 321 Menu 11.3.4: Remote Node Filter ..................................................................... 574

Figure 322 Menu 3: LAN Setup ........................................................................................... 575

Figure 323 Menu 3.1: LAN Port Filter Setup ....................................................................... 576

Figure 324 Menu 3: TCP/IP and DHCP Setup ................................................................... 576

Figure 325 Menu 3.2: TCP/IP and DHCP Ethernet Setup .................................................. 577

Figure 326 Menu 3.2.1: IP Alias Setup ............................................................................... 579

Figure 327 Menu 4: Internet Access Setup (Ethernet) ........................................................ 581

Figure 328 Internet Access Setup (PPTP) .......................................................................... 583

Figure 329 Internet Access Setup (PPPoE) ........................................................................ 584

Figure 330 Menu 5: DMZ Setup ......................................................................................... 585

Figure 331 Menu 5.1: DMZ Port Filter Setup ...................................................................... 585

Figure 332 Menu 5: DMZ Setup .......................................................................................... 586

Figure 333 Menu 5.2: TCP/IP and DHCP Ethernet Setup .................................................. 586

Figure 334 Menu 5.2.1: IP Alias Setup ............................................................................... 587

Figure 335 Menu 6: Route Setup ........................................................................................ 589

Figure 336 Menu 6.1: Route Assessment ........................................................................... 589

Figure 337 Menu 6.2: Traffic Redirect ................................................................................. 590

Figure 338 Menu 6.3: Route Failover .................................................................................. 591

Figure 339 Menu 7.1: Wireless Setup ................................................................................. 593

38 List of Figures

ZyWALL 5/35/70 Series User’s Guide

Figure 340 Menu 7.1.1: WLAN MAC Address Filter ........................................................... 595

Figure 341 Menu 7: WLAN Setup ....................................................................................... 596

Figure 342 Menu 7.2: TCP/IP and DHCP Ethernet Setup .................................................. 597

Figure 343 Menu 7.2.1: IP Alias Setup ............................................................................... 598

Figure 344 Menu 11: Remote Node Setup .......................................................................... 600

Figure 345 Menu 11.1: Remote Node Profile for Ethernet Encapsulation ........................... 600

Figure 346 Menu 11.1: Remote Node Profile for PPPoE Encapsulation .............................602

Figure 347 Menu 11.1: Remote Node Profile for PPTP Encapsulation ............................... 604

Figure 348 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation

605

Figure 349 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation) ............................. 607

Figure 350 Menu 11.1.4: Remote Node Filter (PPPoE or PPTP Encapsulation) ................ 607

Figure 351 Menu 11.1.5: Traffic Redirect Setup ........ ... ... .... ... ... ... ... .... ... ... .......................... 608

Figure 352 Menu 12: IP Static Route Setup ....................................................................... 609

Figure 353 Menu 12. 1: Edit IP Static Route ....................................................................... 610

Figure 354 Menu 4: Applying NAT for Internet Access ....... ... ... ... ... .... ... ... .......................... 612

Figure 355 Menu 11.1.2: Applying NAT to the Remote Node ............................................. 612

Figure 356 Menu 15: NAT Setup ......................................................................................... 613

Figure 357 Menu 15.1: Address Mapping Sets ................................................ ... ... ... ... .... ... 614

Figure 358 Menu 15.1.255: SUA Address Mapping Rules ................................................. 614

Figure 359 Menu 15.1.1: First Set ....................................................................................... 616

Figure 360 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set ........................ 617

Figure 361 Menu 15.2: NAT Server Sets ............................................................................ 618

Figure 362 Menu 15.2.1: NAT Server Sets ......................................................................... 619

Figure 363 15.2.1.2: NAT Server Configuration .................................................................. 620

Figure 364 Menu 15.2.1: NAT Server Setup ...................................................................... 621

Figure 365 Server Behind NAT Example ............................................................................ 621

Figure 366 NAT Example 1 ................................................................................................. 622

Figure 367 Menu 4: Internet Access & NAT Example ......................................................... 622

Figure 368 NAT Example 2 ................................................................................................. 623

Figure 369 Menu 15.2.1: Specifying an Inside Server ........................................................ 623

Figure 370 NAT Example 3 ................................................................................................. 624

Figure 371 Example 3: Menu 11.1.2 ................................................................................... 625

Figure 372 Example 3: Menu 15.1.1.1 ................................................................................ 625

Figure 373 Example 3: Final Menu 15.1.1 .......................................................................... 626

Figure 374 Example 3: Menu 15.2.1 ................................................................................... 626

Figure 375 NAT Example 4 ................................................................................................. 627

Figure 376 Example 4: Menu 15.1.1.1: Address Mapping Rule .......................................... 627

Figure 377 Example 4: Menu 15.1.1: Address Mapping Rules ........................................... 628

Figure 378 Menu 15.3.1: Trigger Port Setup ....................................................................... 629

Figure 379 Menu 21: Filter and Firewall Setup ................................................................... 631

Figure 380 Menu 21.2: Firewall Setup ................................................................................ 632

Figure 381 Outgoing Packet Filtering Process .................................................................... 633

List of Figures 39

ZyWALL 5/35/70 Series User’s Guide

Figure 382 Filter Rule Process ............................... ............. ............ ............. ............. .......... 635

Figure 383 Menu 21: Filter and Firewall Setup ................................................................... 636

Figure 384 Menu 21.1: Filter Set Configuration .................................................................. 636

Figure 385 Menu 21.1.1.1: TCP/IP Filter Rule .................................................................... 638

Figure 386 Executing an IP Filter ........................................................................................ 640

Figure 387 Menu 21.1.1.1: Generic Filter Rule ......................... .......................................... 641

Figure 388 Telnet Filter Example ........................................................................................ 642

Figure 389 Example Filter: Menu 21.1.3.1 .......................................................................... 643

Figure 390 Example Filter Rules Summary: Menu 21.1.3 .................................................. 643

Figure 391 Protocol and Device Filter Sets ......................................................................... 644

Figure 392 Filtering LAN Traffic .......................................................................................... 646

Figure 393 Filtering DMZ Traffic .......................................................................................... 647

Figure 394 Filtering Remote Node Traffic ........................................................................... 647

Figure 395 Menu 22: SNMP Configuration ......................................................................... 649

Figure 396 Menu 24: System Maintenance ........................................................................ 651

Figure 397 Menu 24.1: System Maintenance: Status ........................................................652

Figure 398 Menu 24.2: System Information and Console Port Speed ................................ 653

Figure 399 Menu 24.2.1: System Maintenance: Information ............................................ 654

Figure 400 Menu 24.2.2: System Maintenance: Change Console Port Speed ................... 655

Figure 401 Menu 24.3: System Maintenance: Log and Trace ............................................ 655

Figure 402 Examples of Error and Information Messages .................................................. 656

Figure 403 Menu 24.3.2: System Maintenance: Syslog Logging ........................................ 656

Figure 404 Call-Triggering Packet Example ........................................................................ 659

Figure 405 Menu 24.4: System Maintenance: Diagnostic ................................................... 660

Figure 406 WAN & LAN DHCP ........................................................................................... 660

Figure 407 Telnet into Menu 24.5 ........................................................................................ 665

Figure 408 FTP Session Example ...................................................................................... 666

Figure 409 System Maintenance: Backup Configuration .................................................... 668

Figure 410 System Maintenance: Starting Xmodem Download Screen ............................. 668

Figure 411 Backup Configuration Example ......................................................................... 669

Figure 412 Successful Backup Confirmation Screen .......................................................... 669

Figure 413 Telnet into Menu 24.6 ........................................................................................ 670

Figure 414 Restore Using FTP Session Example ............................................................... 671

Figure 415 System Maintenance: Restore Configuration ................................................... 671

Figure 416 System Maintenance: Starting Xmodem Download Screen ............................. 671

Figure 417 Restore Configuration Example ........................................................................ 671

Figure 418 Successful Restoration Confirmation Screen ............... .... ................................ 672

Figure 419 Telnet Into Menu 24.7.1: Upload System Firmware ...... .... ... ... ... .... ... ... ... ... .... ... 673

Figure 420 Telnet Into Menu 24.7.2: System Maintenance ................................... ... ... ....... 673

Figure 421 FTP Session Example of Firmware File Upload ............................................... 674

Figure 422 Menu 24.7.1 As Seen Using the Console Port ................................................. 676

Figure 423 Example Xmodem Upload ................................................................................ 676

Figure 424 Menu 24.7.2 As Seen Using the Console Port ................................................ 677

40 List of Figures

ZyWALL 5/35/70 Series User’s Guide

Figure 425 Example Xmodem Upload ................................................................................ 677

Figure 426 Command Mode in Menu 24 ............................................................................. 679

Figure 427 Valid Commands ............................................................................................... 680

Figure 428 Call Control ....................................................................................................... 681

Figure 429 Budget Management ......................................................................................... 682

Figure 430 Call History ........................................................................................................683

Figure 431 Menu 24: System Maintenance ........................................................................ 684

Figure 432 Menu 24.10 System Maintenance: Time and Date Setting ............................... 684

Figure 433 Menu 24.11 – Remote Management Control .................................................... 688

Figure 434 Menu 25: Sample IP Routing Policy Summary ................................................. 691

Figure 435 Menu 25.1: IP Routing Policy Setup ................................................................. 693

Figure 436 Menu 25.1.1: IP Routing Policy Setup .............................................................. 695

Figure 437 Example of IP Policy Routing ............................................................................ 696

Figure 438 IP Routing Policy Example 1 ............................................................................. 697

Figure 439 IP Routing Policy Example 2 ............................................................................. 698

Figure 440 Schedule Setup ................................................................................................. 699

Figure 441 Schedule Set Setup .......................................................................................... 700

Figure 442 Applying Schedule Set(s) to a Remote Node (PPPoE) .................................... 701

Figure 443 Applying Schedule Set(s) to a Remote Node (PPTP) ............. ... .... ... ... ... ... .... ... 702

Figure 444 Pop-up Blocker ................................................................................................. 706

Figure 445 Internet Options: Privacy ................................................................................... 707

Figure 446 Internet Options: Privacy ................................................................................... 708

Figure 447 Pop-up Blocker Settings ................................................................................... 709

Figure 448 Internet Options: Security ................................................................................. 710

Figure 449 Security Settings - Java Scripting ..................................................................... 711

Figure 450 Security Settings - Java .................................................................................... 712

Figure 451 Java (Sun) ......................................................................................................... 713

Figure 452 WLAN Card Installation ................................. .................... ................... ............. 720

Figure 453 Console/Dial Backup Port Pin Layout ........... .... ... ... ... ... .... ... ... .......................... 720

Figure 454 Ethernet Cable Pin Assignments ...................................................................... 721

Figure 455 Attaching Rubber Feet .................................................................................... 724

Figure 456 Attaching Mounting Brackets and Screws ........................................................ 725

Figure 457 Rack Mounting .................................................................................................. 725

Figure 458 WIndows 95/98/Me: Network: Configuration ........... ............. ............. ............. ... 730

Figure 459 Windows 95/98/Me: TCP/IP Properties: IP Address ......................................... 731

Figure 460 Windows 95/98/Me: TCP/IP Properties: DNS Configuration ............................ 732

Figure 461 Windows XP: Start Menu .................................................................................. 733

Figure 462 Windows XP: Control Panel .............................................................................. 733

Figure 463 Windows XP: Control Panel: Network Connections: Properties ....................... 734

Figure 464 Windows XP: Local Area Connection Properties ....... ....................................... 734

Figure 465 Windows XP: Internet Protocol (TCP/IP) Properties ......................................... 735

Figure 466 Windows XP: Advanced TCP/IP Properties ......... ............. ............. ............ ....... 736

Figure 467 Windows XP: Internet Protocol (TCP/IP) Properties ......................................... 737

List of Figures 41

ZyWALL 5/35/70 Series User’s Guide

Figure 468 Macintosh OS 8/9: Apple Menu ........................................................................ 738

Figure 469 Macintosh OS 8/9: TCP/IP ................................................................................ 738

Figure 470 Macintosh OS X: Apple Menu ........................................................................... 739

Figure 471 Macintosh OS X: Network ................................................................................. 740

Figure 472 Red Hat 9.0: KDE: Network Configuration: Devices ........................................ 741

Figure 473 Red Hat 9.0: KDE: Ethernet Device: General . ... ... ... ... .... ... ... ... .... ... ... ... .......... 741

Figure 474 Red Hat 9.0: KDE: Network Configuration: DNS ............................................. 742

Figure 475 Red Hat 9.0: KDE: Network Configuration: Activate .......................... ............. 742

Figure 476 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0 .............................. 743

Figure 477 Red Hat 9.0: Static IP Address Setting in ifconfig-eth0 .................................. 743

Figure 478 Red Hat 9.0: DNS Settings in resolv.conf ...................................................... 743

Figure 479 Red Hat 9.0: Restart Ethernet Card ................................................................ 744

Figure 480 Red Hat 9.0: Checking TCP/IP Properties ...................................................... 744

Figure 481 Peer-to-Peer Communication in an Ad-hoc Network ........................................ 757

Figure 482 Basic Service Set .............................................................................................. 758

Figure 483 Infrastructure WLAN ......................................................................................... 759

Figure 484 RTS/CTS ........................................................................................................... 760

Figure 485 EAP Authentication ........................................................................................... 763

Figure 486 WEP Authentication Steps ................................................................................ 766

Figure 487 Roaming Example ............................................................................................. 769

Figure 488 Windows 98 SE: WinPopup ............................................................................ 771

Figure 489 WIndows 98 SE: Program Task Bar ............ .......... ............. ............. ............. ... 771

Figure 490 Windows 98 SE: Task Bar Properties .......................................................... 772

Figure 491 Windows 98 SE: StartUp ................................................................................. 772

Figure 492 Windows 98 SE: Startup: Create Shortcut ..................................................... 773

Figure 493 Windows 98 SE: Startup: Select a Title for the Program ................................ 773

Figure 494 Windows 98 SE: Startup: Shortcut .................................................................. 774

Figure 495 VPN Rules ........................................................................................................ 776

Figure 496 Headquarters Gateway Policy Edit ...................................................... ... ... .... ... 777

Figure 497 Branch Office Gateway Policy Edit ................................................... ... ... ... .... ... 778

Figure 498 Headquarters VPN Rule ................................................................................... 779

Figure 499 Branch Office VPN Rule ................................................................................... 779

Figure 500 Headquarters Network Policy Edit .................................................................... 780

Figure 501 Branch Office Network Policy Edit .................................................................... 781

Figure 502 VPN Rule Configured ........................... ......... ....... ......... .......... .......... ......... ....... 782

Figure 503 VPN Dial ........................................................................................................... 782

Figure 504 VPN Tunnel Established ................................................................................... 782

Figure 505 VPN Log Example ............................................................................................ 784

Figure 506 IKE/IPSec Debug Example ..............................................................................785

Figure 507 Security Certificate ............................................................................................ 787

Figure 508 Login Screen ..................................................................................................... 788

Figure 509 Certificate General Information before Import ................................................... 788

Figure 510 Certificate Import Wizard 1 ............................................................................... 789

42 List of Figures

ZyWALL 5/35/70 Series User’s Guide

Figure 511 Certificate Import Wizard 2 ................................................................................ 789

Figure 512 Certificate Import Wizard 3 ............................................................................... 790

Figure 513 Root Certificate Store ........................................................................................ 790

Figure 514 Certificate General Information after Import ...................................................... 791

Figure 515 ZyWALL Trusted CA Screen ............................................................................. 792

Figure 516 CA Certificate Example ..................................................................................... 793

Figure 517 Personal Certificate Import Wizard 1 ................................................................ 794

Figure 518 Personal Certificate Import Wizard 2 ................................................................ 794

Figure 519 Personal Certificate Import Wizard 3 ................................................................ 795

Figure 520 Personal Certificate Import Wizard 4 ................................................................ 795

Figure 521 Personal Certificate Import Wizard 5 ................................................................ 796

Figure 522 Personal Certificate Import Wizard 6 ................................................................ 796

Figure 523 Access the ZyWALL Via HTTPS ....................................................................... 796

Figure 524 SSL Client Authentication ................................................................................. 797

Figure 525 ZyWALL Secure Login Screen .......................................................................... 797

Figure 526 Displaying Log Categories Example ................................................................. 800

Figure 527 Displaying Log Parameters Example ................................................................ 800

Figure 528 Routing Command Example ............................................................................. 802

Figure 529 Backup Gateway ............................................................................................... 803

Figure 530 Managing the Bandwidth of an IPSec SA ......................................................... 804

Figure 531 Managing the Bandwidth of an IKE SA ......................... .................................... 804

Figure 532 Routing Command Example ............................................................................. 805

Figure 533 Option to Enter Debug Mode ............................................................................ 823

Figure 534 Boot Module Commands ..................................................................................824

List of Figures 43

ZyWALL 5/35/70 Series User’s Guide

44 List of Figures

ZyWALL 5/35/70 Series User’s Guide

List of Tables

Table 1 ZyWALL Model Specific Features ......................................................................... 55

Table 2 Front Panel Lights ................................................................................................. 64

Table 3 Title Bar: Web Configurator Icons .......................................................................... 70

Table 4 Web Configurator HOME Screen in Router Mode ................................................. 71

Table 5 Web Configurator HOME Screen in Bridge Mode ................................................. 75

Table 6 Bridge and Router Mode Features Comparison .......................................... ... .... ... 78

Table 7 Screens Summary ................................................................................................. 79

Table 8 HOME > Show Statistics ....................................................................................... 84

Table 9 HOME > Show Statistics > Line Chart ................................................................... 85

Table 10 HOME > DHCP Table .......................................................................................... 86

Table 11 HOME > VPN Status ............................................................................................ 87

Table 12 ISP Parameters: Ethernet Encapsulation ............................................................ 91

Table 13 ISP Parameters: PPPoE Encapsulation .............................................................. 92

Table 14 ISP Parameters: PPTP Encapsulation ................................................................ 94

Table 15 Internet Access Wizard: Registration .................................................................. 97

Table 16 VPN Wizard: Gateway Setting ............................................................................. 100

Table 17 VPN Wizard: Network Setting .............................................................................. 102

Table 18 VPN Wizard: IKE Tunnel Setting ......................................................................... 104

Table 19 VPN Wizard: IPSec Setting ................................................................................. 105

Table 20 VPN Wizard: VPN Status ..................................................................................... 107

Table 21 REGISTRATION .................................................................................................. 125

Table 22 REGISTRATION > Service .................................................................................. 127

Table 23 NETWORK > LAN ............................................................................................... 133

Table 24 NETWORK > LAN > Static DHCP ....................................................................... 136

Table 25 NETWORK > LAN > IP Alias ............................................................................... 138

Table 26 NETWORK > LAN > Port Roles .......................................................................... 140

Table 27 STP Path Costs ................................................................................................... 142

Table 28 STP Port States ................................................................................................... 143

Table 29 NETWORK > Bridge ............................................................................................ 144

Table 30 NETWORK > Bridge > Port Roles ....................................................................... 146

Table 31 Least Load First: Example 1 ................................................................................ 149

Table 32 Least Load First: Example 2 ................................................................................ 149

Table 33 NETWORK > WAN (General) .............................................................................. 153

Table 34 Load Balancing: Least Load First ........................................................................ 155

Table 35 Load Balancing: Weighted Round Robin ............................. ... ... ... .... ... ... ... ... .... ... 156

Table 36 Load Balancing: Spillover .......................... ... ... .... ... ... ... ... .... ... ... ... ....................... 157

Table 37 NETWORK > WAN (Route) ................................................................................. 158

Table 38 Private IP Address Ranges ................................................................................. 159

List of Tables 45

ZyWALL 5/35/70 Series User’s Guide

Table 39 Example of Network Properties for LAN Servers with Fixed IP Addresses ......... 160

Table 40 NETWORK > WAN > WAN (Ethernet Encapsulation) ......................................... 161

Table 41 NETWORK > WAN > WAN (PPPoE Encapsulation) ........................................... 165

Table 42 NETWORK > WAN > WAN (PPTP Encapsulation) ............................................. 168

Table 43 NETWORK > WAN > Traffic Redirect .................................................................. 171

Table 44 NETWORK > WAN > Dial Backup ....................................................... ................ 173

Table 45 NETWORK > WAN > Dial Backup > Edit ............................................................ 176

Table 46 NETWORK > DMZ .............................................................................................. 180

Table 47 NETWORK > DMZ > Static DHCP ...................................................................... 183

Table 48 NETWORK > DMZ > IP Alias .............................................................................. 184

Table 49 NETWORK > DMZ > Port Roles ......................................................................... 188

Table 50 NETWORK > WLAN ............................................................................................ 190

Table 51 NETWORK > WLAN > Static DHCP .................................................................... 193

Table 52 NETWORK > WLAN > IP Alias ........................................................................... 194

Table 53 NETWORK > WLAN > Port Roles ....................................................................... 197

Table 54 Wireless Security Relational Matrix ..................... ... ... ... ... .... ... ... ... .... ... ... ... ... .... ... 199

Table 55 NETWORK > WIRELESS CARD: No Security .................................................... 206

Table 56 NETWORK > WIRELESS CARD: Static WEP .................................................... 208

Table 57 NETWORK > WIRELESS CARD: WPA-PSK ......................................................209

Table 58 NETWORK > WIRELESS CARD: WPA .............................................................. 210

Table 59 NETWORK > WIRELESS CARD: 802.1x + Dynamic WEP ................................ 212

Table 60 NETWORK > WIRELESS CARD: 802.1x + Static WEP ..................................... 213

Table 61 NETWORK > WIRELESS CARD: 802.1x + No WEP .......................................... 215

Table 62 NETWORK > WIRELESS CARD: No Access 802.1x + Static WEP ...................216

Table 63 NETWORK > WIRELESS CARD: MAC Address Filter ....................................... 217

Table 64 Blocking All LAN to WAN IRC Traffic Example .................................................... 227

Table 65 Limited LAN to WAN IRC Traffic Example ........................................................... 228

Table 66 SECURITY > FIREWALL > Default Rule (Router Mode) .................................... 231

Table 67 SECURITY > FIREWALL > Default Rule (Bridge Mode) ..................................... 233

Table 68 SECURITY > FIREWALL > Rule Summary ......................................................... 234

Table 69 SECURITY > FIREWALL > Rule Summary > Edit ..............................................237

Table 70 SECURITY > FIREWALL > Anti-Probing ............................................................. 239

Table 71 SECURITY > FIREWALL > Threshold ................................................................ 241

Table 72 SECURITY > FIREWALL > Service .................................................................... 243

Table 73 SECURITY > FIREWALL > Service > Add .......................................................... 244

Table 74 SECURITY > IDP > General Setup ..................................................................... 256

Table 75 SECURITY > IDP > Signature: Attack Types ...................................................... 258

Table 76 SECURITY > IDP > Signature: Intrusion Severity ............................................... 259

Table 77 SECURITY > IDP > Signature: Actions ............................................................... 260

Table 78 SECURITY > IDP > Signature: Group View ........................................................ 261

Table 79 SECURITY > IDP > Signature: Query View ........................................................ 263

Table 80 SECURITY > IDP > Update ................................................................................. 268

Table 81 Common Computer Virus Types ......................................................................... 271

46 List of Tables

ZyWALL 5/35/70 Series User’s Guide

Table 82 SECURITY > ANTI-VIRUS > General ................................................................. 275

Table 83 SECURITY > ANTI-VIRUS > Signature: Query View .......................................... 277

Table 84 SECURITY > ANTI-SPAM > General .................................................................. 290

Table 85 SECURITY > ANTI-SPAM > External DB ............................................................ 293

Table 86 SECURITY > ANTI-SPAM > Lists ........................................................................ 295

Table 87 SECURITY > ANTI-SPAM > Lists > Edit ............................................................. 297

Table 88 SECURITY > CONTENT FILTER > General ....................................................... 300

Table 89 SECURITY > CONTENT FILTER > Categories .................................................. 304

Table 90 SECURITY > CONTENT FILTER > Customization ............................................. 311

Table 91 SECURITY > CONTENT FILTER > Cache ......................................................... 314

Table 92 SECURITY > VPN > VPN Rules (IKE) ................................................................ 326

Table 93 VPN Example: Matching ID Type and Content .................................................... 329

Table 94 VPN Example: Mismatching ID Type and Content .............................................. 329

Table 95 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy ............................ 336

Table 96 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy ............................. 344

Table 97 SECURITY > VPN > VPN Rules (IKE) > Move Network Policy .......................... 347

Table 98 SECURITY > VPN > VPN Rules (Manual) .......................................................... 349

Table 99 SECURITY > VPN > VPN Rules (Manual) > Edit ................................................ 351

Table 100 SECURITY > VPN > SA Monitor ....................................................................... 353

Table 101 SECURITY > VPN > Global Setting .................................................................. 354

Table 102 Telecommuters Sharing One VPN Rule Example ............................................. 356

Table 103 Telecommuters Using Unique VPN Rules Example .......................................... 357

Table 104 SECURITY > CERTIFICATES > My Certificates ............................................... 366

Table 105 SECURITY > CERTIFICATES > My Certificates > Details ................................ 369

Table 106 SECURITY > CERTIFICATES > My Certificates > Export ................................ 371

Table 107 SECURITY > CERTIFICATES > My Certificates > Import ................................ 373

Table 108 SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12 ............... 374

Table 109 SECURITY > CERTIFICATES > My Certificates > Create ................................ 375

Table 110 SECURITY > CERTIFICATES > Trusted CAs ................................................... 377

Table 111 SECURITY > CERTIFICATES > Trusted CAs > Details .................................... 379

Table 112 SECURITY > CERTIFICATES > Trusted CAs Import ........................................ 382

Table 113 SECURITY > CERTIFICATES > Trusted Remote Hosts ................................... 383

Table 114 SECURITY > CERTIFICATES > Trusted Remote Hosts > Import ..................... 385

Table 115 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details .................... 386

Table 116 SECURITY > CERTIFICATES > Directory Servers ........................................... 389

Table 117 SECURITY > CERTIFICATES > Directory Server > Add .................................. 390

Table 118 SECURITY > AUTH SERVER > Local User Database ..................................... 393

Table 119 SECURITY > AUTH SERVER > RADIUS ......................................................... 394

Table 120 NAT Definitions .................................................................................................. 395

Table 121 NAT Mapping Types .......................................................................................... 399

Table 122 ADVANCED > NAT > NAT Overview .................................................................400

Table 123 ADVANCED > NAT > Address Mapping ............................................................ 402

Table 124 ADVANCED > NAT > Address Mapping > Edit ................................................. 404

List of Tables 47

ZyWALL 5/35/70 Series User’s Guide

Table 125 Services and Port Numbers ............................................................................... 405

Table 126 ADVANCED > NAT > Port Forwarding .............................................................. 408

Table 127 ADVANCED > NAT > Port Triggering ................................................................ 410

Table 128 ADVANCED > STATIC ROUTE > IP Static Route ............................................. 414

Table 129 ADVANCED > STATIC ROUTE > IP Static Route > Edit ................................... 415

Table 130 ADVANCED > POLICY ROUTE > Policy Route Summary ............................... 419

Table 131 ADVANCED > POLICY ROUTE > Edit .............................................................. 420

Table 132 Application and Subnet-based Bandwidth Management Example .................... 425

Table 133 Maximize Bandwidth Usage Example ............................................................... 426

Table 134 Priority-based Allotment of Unused and Unbudgeted Bandwidth Example ....... 427

Table 135 Fairness-based Allotment of Unused and Unbudgeted Bandwidth Example .... 427

Table 136 Bandwidth Borrowing Example .......................................................................... 428

Table 137 Over Allotment of Bandwidth Example .............................................................. 429

Table 138 ADVANCED > BW MGMT > Summary ............................................................. 430

Table 139 ADVANCED > BW MGMT > Class Setup ......................................................... 432

Table 140 ADVANCED > BW MGMT > Class Setup > Add Sub-Class ............................. 434

Table 141 Services and Port Numbers ............................................................................... 436

Table 142 ADVANCED > DNS > Add (Address Record) ................................................... 443

Table 143 ADVANCED > REMOTE MGMT > WWW ......................................................... 454

Table 144 ADVANCED > REMOTE MGMT > SSH ............................................................ 462

Table 145 ADVANCED > REMOTE MGMT > Telnet .......................................................... 466

Table 146 ADVANCED > REMOTE MGMT > FTP ............................................................ 467

Table 147 SNMP Traps ...................................................................................................... 469

Table 148 ADVANCED > REMOTE MGMT > SNMP ......................................................... 470

Table 149 ADVANCED > REMOTE MGMT > DNS ............................................................ 471

Table 150 ADVANCED > REMOTE MGMT > CNM ........................................................... 472

Table 151 ADVANCED > UPnP ......................................................................................... 476

Table 152 ADVANCED > UPnP > Ports ............................................................................. 478

Table 153 ADVANCED > ALG ............................................................................................ 490

Table 154 REPORTS > SYSTEM REPORTS .................................................................... 492

Table 155 REPORTS > SYSTEM REPORTS: Web Site Hits Report ................................. 493

Table 156 REPORTS > SYSTEM REPORTS: Host IP Address ........................................ 494

Table 157 REPORTS > SYSTEM REPORTS: Protocol/ Port ............................................ 495

Table 158 Report Specifications ......................................................................................... 496

Table 159 REPORTS > THREAT REPORTS > IDP ........................................................... 497

Table 160 REPORTS > THREAT REPORTS > Anti-Virus .................................................499

Table 161 REPORTS > THREAT REPORTS > Anti-Spam ................................................ 500

Table 162 LOGS > View Log .............................................................................................. 504

Table 163 Log Description Example ................................................................................... 504

Table 164 LOGS > Log Settings ........................................................................................ 508

Table 165 System Maintenance Logs ................................................................................ 509

Table 166 System Error Logs ............................................................................................. 511

Table 167 Access Control Logs .......................................................................................... 511

48 List of Tables

ZyWALL 5/35/70 Series User’s Guide

Table 168 TCP Reset Logs ................................................................................................ 512

Table 169 Packet Filter Logs .............................................................................................. 513

Table 170 ICMP Logs ......................................................................................................... 513

Table 171 CDR Logs .......................................................................................................... 513

Table 172 PPP Logs ........................................................................................................... 514

Table 173 UPnP Logs ........................................................................................................ 514

Table 174 Content Filtering Logs ....................................................................................... 514

Table 175 Attack Logs ........................................................................................................ 515

Table 176 Remote Management Logs ............................................................................... 516

Table 177 Wireless Logs .................................................................................................... 517

Table 178 IPSec Logs ........................................................................................................ 517

Table 179 IKE Logs ............................................................................................................518

Table 180 PKI Logs ............................................................................................................521

Table 181 802.1X Logs ...................................................................................................... 522

Table 182 ACL Setting Notes ............................................................................................. 523

Table 183 ICMP Notes ....................................................................................................... 524

Table 184 IDP Logs ............................................................................................................525

Table 185 AV Logs .............................................................................................................526

Table 186 AS Logs .............................................................................................................527

Table 187 Syslog Logs ....................................................................................................... 529

Table 188 RFC-2408 ISAKMP Payload Types ................................................................... 530

Table 189 MAINTENANCE > General Setup ..................................................................... 532

Table 190 MAINTENANCE > Password ............................................................................ 533

Table 191 MAINTENANCE > Time and Date ..................................................................... 534

Table 192 MAC-address-to-port Mapping Table ................................................................. 537

Table 193 MAINTENANCE > Device Mode (Router Mode) ............................................... 539

Table 194 MAINTENANCE > Device Mode (Bridge Mode) ............................................... 541

Table 195 MAINTENANCE > Firmware Upload ................................................................. 542

Table 196 Restore Configuration ........................................................................................ 545

Table 197 Main Menu Commands .............................. ... .... ... ... ... ... .... ... ... ... .... ... ... ... ... .... ... 550

Table 198 Main Menu Summary .............................. ... ... .... ... ... ... ... .... ... ... ... .... ... ... ... ... .... ... 552

Table 199 SMT Menus Overview ....................................................................................... 553

Table 200 Menu 1: General Setup (Router Mode) ............................................................. 557

Table 201 Menu 1: General Setup (Bridge Mode) ................. ............. ............. ............ ....... 558

Table 202 Menu 1.1: Configure Dynamic DNS .................................................................. 559

Table 203 Menu 1.1.1: DDNS Host Summary ....................................................................560

Table 204 Menu 1.1.1: DDNS Edit Host ............................................................................. 561

Table 205 MAC Address Cloning in WAN Setup ................................................................ 564

Table 206 Menu 2: Dial Backup Setup ............................................................................... 565

Table 207 Advanced WAN Port Setup: AT Commands Fields ........................................... 566

Table 208 Advanced WAN Port Setup: Call Control Parameters ....................................... 567

Table 209 Menu 11.3: Remote Node Profile (Backup ISP) ... ... ... ... .................................... 568

Table 210 Menu 11.3.1: Remote Node PPP Options ......................................................... 570

List of Tables 49

ZyWALL 5/35/70 Series User’s Guide

Table 211 Menu 11.3.2: Remote Node Network Layer Options ......................................... 571

Table 212 Menu 11.3.3: Remote Node Script .................................................................... 574

Table 213 Menu 3.2: DHCP Ethernet Setup Fields ............................................................ 577

Table 214 Menu 3.2: LAN TCP/IP Setup Fields ................................................................. 578

Table 215 Menu 3.2.1: IP Alias Setup ................................................................................ 579

Table 216 Menu 4: Internet Access Setup (Ethernet) ....................................................... 582

Table 217 New Fields in Menu 4 (PPTP) Screen ............................................................... 583

Table 218 New Fields in Menu 4 (PPPoE) screen ............................................................. 584

Table 219 Menu 6.1: Route Assessment ........................................................................... 590

Table 220 Menu 6.2: Traffic Redirect ................................................................................. 590

Table 221 Menu 6.3: Route Failover .................................................................................. 591

Table 222 Menu 7.1: Wireless Setup ................................................................................. 594

Table 223 Menu 7.1.1: WLAN MAC Address Filter ............................................................ 595

Table 224 Menu 11.1: Remote Node Profile for Ethernet Encapsulation ........................... 601

Table 225 Fields in Menu 11.1 (PPPoE Encapsulation Specific) .......................................603

Table 226 Menu 11.1: Remote Node Profile for PPTP Encapsulation ............................... 604

Table 227 Remote Node Network Layer Options Menu Fields .......................................... 605

Table 228 Menu 11.1.5: Traffic Redirect Setup .................................................................. 608

Table 229 Menu 12. 1: Edit IP Static Route ........................................................................ 610

Table 230 Applying NAT in Menus 4 & 11.1.2 .................................................................... 613

Table 231 SUA Address Mapping Rules ............................................................................ 615

Table 232 Fields in Menu 15.1.1 ........................................................................................ 616

Table 233 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set ........................ 617

Table 234 15.2.1.2: NAT Server Configuration ................................................................... 620

Table 235 Menu 15.3.1: Trigger Port Setup ....................................................................... 629

Table 236 Abbreviations Used in the Filter Rules Summary Menu .................................... 637

Table 237 Rule Abbreviations Used ................................................................................... 637

Table 238 Menu 21.1.1.1: TCP/IP Filter Rule ..................................................................... 638

Table 239 Generic Filter Rule Menu Fields ........................................................................ 641

Table 240 SNMP Configuration Menu Fields ..................................................................... 649

Table 241 SNMP Traps ...................................................................................................... 650

Table 242 System Maintenance: Status Menu Fields ........................................................ 652

Table 243 Fields in System Maintenance: Information ....................................................... 654

Table 244 System Maintenance Menu Syslog Parameters ................................................ 656

Table 245 System Maintenance Menu Diagnostic ............................................................. 661

Table 246 Filename Conventions ....................................................................................... 664

Table 247 General Commands for GUI-based FTP Clients ............................................... 666

Table 248 General Commands for GUI-based TFTP Clients ............................................. 668

Table 249 Valid Commands ............................................................................................... 680

Table 250 Budget Management ......................................................................................... 682

Table 251 Call History ........................................................................................................683

Table 252 Menu 24.10 System Maintenance: Time and Date Setting ............................... 685

Table 253 Menu 24.11 – Remote Management Control ..................................................... 688

50 List of Tables

ZyWALL 5/35/70 Series User’s Guide

Table 254 Menu 25: Sample IP Routing Policy Summary .................................................. 691

Table 255 IP Routing Policy Setup ..................................................................................... 692

Table 256 Menu 25.1: IP Routing Policy Setup .................................................................. 693

Table 257 Menu 25.1.1: IP Routing Policy Setup ............................................................... 695

Table 258 Schedule Set Setup ........................................................................................... 700

Table 259 Troubleshooting the Start-Up of Your ZyWALL .................................................. 703

Table 260 Troubleshooting the LAN Interface .................................................................... 703

Table 261 Troubleshooting the DMZ Interface ................................................................... 704

Table 262 Troubleshooting the WAN Interface ................................................................... 704

Table 263 Troubleshooting Accessing the ZyWALL ........................................................... 705

Table 264 Device Specifications ......................................................................................... 715

Table 265 Performance ...................................................................................................... 716

Table 266 Firmware Features ............................................................................................ 716

Table 267 Feature Specifications ....................................................................................... 718

Table 268 Compatible ZyXEL WLAN Cards and Security Features .................................. 719

Table 269 Console/Dial Backup Port Pin Assignments ...................................................... 721

Table 270 Classes of IP Addresses ................................................................................... 746

Table 271 Allowed IP Address Range By Class .................................................................746

Table 272 “Natural” Masks ................................................................................................ 747

Table 273 Alternative Subnet Mask Notation ..................................................................... 747

Table 274 Two Subnets Example ....................................................................................... 748

Table 275 Subnet 1 ............................................................................................................748

Table 276 Subnet 2 ............................................................................................................749

Table 277 Subnet 1 ............................................................................................................749

Table 278 Subnet 2 ............................................................................................................750

Table 279 Subnet 3 ............................................................................................................750

Table 280 Subnet 4 ............................................................................................................750

Table 281 Eight Subnets .................................................................................................... 751

Table 282 Class C Subnet Planning ................................................................................... 751

Table 283 Class B Subnet Planning ................................................................................... 752

Table 284 Commonly Used Services ....................................................... ... .... ... ... ... ... .... ... 753

Table 285 IEEE802.11g ...................................................................................................... 761

Table 286 Comparison of EAP Authentication Types ......................................................... 767

Table 287 Wireless Security Relational Matrix ................................................................... 768

Table 288 Firewall Commands ........................................................................................... 807

Table 289 NetBIOS Filter Default Settings ......................................................................... 814

Table 290 Certificates Commands ..................................................................................... 817

Table 291 Brute-Force Password Guessing Protection Commands .................................. 821

List of Tables 51

ZyWALL 5/35/70 Series User’s Guide

52 List of Tables

ZyWALL 5/35/70 Series User’s Guide

Preface

Congratulations on your purchase of the ZyWALL.

Note: Register your product online to receive e-mail no tices of firmware upgrades and

information at www.zyxel.com North American products.

Your ZyWALL is easy to install and configure.

About This User's Guide

This manual is designed to guide you through the configuration of your ZyWALL for its various applications. The web configurator parts of this guide contain background information on features configurable by web configurator. The SMT parts of this guide contain background information solely on features not configurable by web configurator.

Note: Use the web configurator, System Management Terminal (SMT) or command

interpreter interface to configure your ZyWALL. Not all features can be configured through all interfaces.

for global products, or at www.us.zyxel.com for

Getting to Know Your ZyWALL

This chapter introduces the main features and applications of the ZyWALL.

1.1 ZyWALL Internet Security Appliance Overview

The ZyWALL is loaded with security features including VPN, firewall, content filtering, antispam, IDP (Intrusion Detection and Prevention), anti-virus and certificates. The ZyWALL’s De-Militarized Zone (DMZ) increases LAN security by providing separate ports for connecting publicly accessible servers. The ZyWALL 70 and ZyWALL 35 are designed for small and medium sized business that need the increased throughput and reliability of dual WAN ports and load balancing. The ZyWALL 35 and ZyWALL 5 provide the option to change port roles from LAN to DMZ.

You can also deploy the ZyWALL as a transparent firewall in an existing network with minimal configuration.

The ZyWALL provides bandwidth management, NAT, port forwarding, policy routing (not available for the ZyWALL 5), DHCP server and many other powerful features.

You can add a IEEE 802.11b/g-compliant wireless LAN by either inserting a wireless LAN card into the PCMCIA/CardBus slot or connecting an access point (AP) to an Ethernet port in a WLAN port role. If you insert a wireless LAN card to add a WLAN, the ZyWALL offers highly secured wireless connectivity to your wired network with IEEE 802.1x, WEP data encryption, WPA (Wi-Fi Protected Access) and MAC address filtering. You can use the wireless card as part of the LAN, DMZ or WLAN.

1.2 ZyWALL Features

The following table lists model specific features.

Note: See the product specifications in the appendix for detailed features and

standards support.

Table 1 ZyWALL Model Specific Features

MODEL # FEATURE

Multiple WAN O O Load Balancing O O

Chapter 1 Getting to Know Your ZyWALL 55

70 35 5

ZyWALL 5/35/70 Series User’s Guide

Table 1 ZyWALL Model Specific Features

MODEL # FEATURE

Changing Port Roles between the LAN and DMZ O O Policy Route O O

Table Key: An O in a mode’s column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change.

1.2.1 Physical Features

LAN Port

The 10/100 Mbps auto-negotiating Ethernet LAN port(s) allows the ZyWALL to detect the speed of incoming transmissions and adjust appropriately without manual intervention. It allows data transfers of either 10 Mbps or 100 Mbps in either half-duplex or full-duplex mode depending on your Ethernet network. The ports are also auto-crossover (MDI/MDI-X) meaning they automatically adjust to either a crossover or straight-through Ethernet cable.

DMZ Ports

70 35 5

Public servers (Web, FTP, etc.) attached to a DeMilitarized Zone (DMZ) port are visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death) and can also be accessed from the secure LAN.

The 10/100 Mbps auto-negotiating Ethernet ports allow the ZyWALL to detect the speed of incoming transmissions and adjust appropriately without manual intervention. They allow data transfers of either 10 Mbps or 100 Mbps in either half-duplex or full-duplex mode depending on your Ethernet network. The ports are also auto-crossover (MDI/MDI-X) meaning they automatically adjust to either a crossover or straight-through Ethernet cable.

WLAN Ports

You can set some of the Ethernet ports to a WLAN port role. This allows you to connect wireless LAN Access Points (APs) to extend the ZyWALL’s wireless LAN coverage area.

Dual Auto-negotiating 10/100 Mbps Ethernet WAN (Single on the ZyWALL 5)

The Ethernet WAN ports connect to the Internet via broadband modem or router. You can use a second connection for load sharing to increase overall network throughput or as a backup to enhance network reliability.

56 Chapter 1 Getting to Know Your ZyWALL

ZyWALL 5/35/70 Series User’s Guide

Dial Backup WAN

The dial backup port can be used in reserve as a traditional dial-up connection when/if ever the WAN, (or WAN 1, 2) and traffic redirect connections fail.

Time and Date

The ZyWALL allows you to get the current time and date from an external server when you turn on your ZyWALL. You can also set the time manually. The Real Time Chip (RTC) keeps track of the time and date.

Reset Button

Use the reset button to restore the factory default password to 1234; IP address to 192.168.1.1, subnet mask to 255.255.255.0 and DHCP server enabled with a pool of 32 IP addresses starting at 192.168.1.33.

Dual PCMCIA and CardBus Slot

The dual PCMCIA and CardBus slot provides the option of a wireless LAN. You can alternatively insert a ZyWALL Turbo Card to use the anti-virus and IDP features.

IEEE 802.11 b/g Wireless LAN

The optional wireless LAN card provides mobility and a fast network environment for small and home offices. Users can connect to the local area network without any wiring efforts and enjoy reliable high-speed connectivity .

1.2.2 Non-Physical Features

Load Balancing

The ZyWALL improves quality of service and maximizes bandwidth utilization by dividing traffic loads between the two WAN interfaces (or ports).

Transparent Firewall

Transparent firewall is also known as a bridge firewall. The ZyWALL can act as a bridge and still have the capability of filtering and inspecting the packets between a router and the LAN, or two routers. You do not need to do any other changes to your existing network.

Chapter 1 Getting to Know Your ZyWALL 57

ZyWALL 5/35/70 Series User’s Guide

SIP Passthrough

The ZyWALL includes a SIP Application Layer Gateway (ALG). It allows VoIP calls to pass through NAT by examining and translating IP addresses embedded in the data stream.

STP (Spanning Tree Protocol) / RSTP (Rapid STP)

When the ZyWALL is set to bridge mode, (R)STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other (R)STP -compliant bridges in your network to ensure that only one path exists between any two stations on the network.

Bandwidth Management

Bandwidth management allows you to allocate network resources according to defined policies. This policy-based bandwidth allocation helps your network to better handle real-time applications such as Voice-over-IP (VoIP).

IPSec VPN Capability

Establish a Virtual Private Network (VPN) to connect with business partners and branch offices using data encryption and the Internet to provide secure communications without the expense of leased site-to-site lines. The ZyWALL VPN is based on the IPSec standard and is fully interoperable with other IPSec-based VPN products.

X-Auth (Extended Authentication)

X-Auth provides added security for VPN by requiring each VPN client to use a username and password.

Certificates

The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. Certificates provide a way to exchange public keys for use in authentication.

SSH

The ZyWALL uses the SSH (Secure Shell) secure communication protocol to provide secure encrypted communication between two hosts over an unsecured network.

HTTPS

HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL is a web protocol that encrypts and decrypts web sessions. Use HTTPS for secure web configurator access to the ZyWALL

58 Chapter 1 Getting to Know Your ZyWALL

ZyWALL 5/35/70 Series User’s Guide

Firewall

The ZyWALL is a stateful inspection firewall with DoS (Denial of Service) protection. By default, when the firewall is activated, all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the LAN. The ZyWALL firewall supports TCP/UDP inspection, DoS detection and prevention, real time alerts, reports and logs.

Content Filtering

The ZyWALL can block web features such as ActiveX controls, Java applets and cookies, as well as disable web proxies. The ZyWALL can block or allow access to web sites that you specify. The ZyWALL can also block access to web sites containing keywords that you specify. You can define time periods and days during which content filtering is enabled and include or exclude a range of users on the LAN from content filtering.

You can also subscribe to category-based content filtering that allows your ZyWALL to check web sites against an external database of dynamically updated ratings of millions of web sites.

Anti-Spam

The ZyWALL’s anti-spam feature helps detect and mark or discard junk e-mail (spam). he ZyWALL has a whitelist for identifying legitimate e-mail and a blacklist for identifying spam email. You can also subscribe to an anti-spam external database service that checks e-mail against more than a million know spam patterns.

Anti-Virus Scanner

With the anti-virus packet scanner , your ZyWALL scans files transmitting through the enabled interfaces into the network. The ZyWALL helps stop threats at the network edge before they reach the local host computers.

Intrusion Detection and Prevention (IDP)

IDP can detect and take actions on malicious or suspicious packets and traffic flows.

ZyWALL Turbo Card

ZyWALL Turbo Card is a co-processor accelerator that is used in conjunction with your ZyWALL for fast, efficient IDP (Intrusion Detection and Prevention) and AV (Anti Virus) traffic inspection.

Universal Plug and Play (UPnP)

Using the standard TCP/IP protocol, the ZyWALL and other UPnP-enabled devices can dynamically join a network, obtain an IP address and convey its capabilities to other devices on the network.

Chapter 1 Getting to Know Your ZyWALL 59

ZyWALL 5/35/70 Series User’s Guide

RADIUS (RFC2138, 2139)

The ZyWALL can work with a RADIUS (Remote Authentication Dial In User Service) server for user authentication, authorization and accounting.

IEEE 802.1x for Network Security

The ZyWALL supports the IEEE 802.1x standard that works with the IEEE 802.11 to enhance user authentication. With the local user profile, the ZyWALL allows you to configure user profiles without a network authentication server. In addition, centralized user and accounting management is possible on an optional network authentication server.

Wi-Fi Protected Access

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i security specification draft. Key differences between WPA and WEP are user authentication and improved data encryption.

Wireless LAN MAC Address Filtering

Your ZyWALL can check the MAC addresses of wireless stations against a list of allowed or denied MAC addresses.

WEP Encryption

WEP (Wired Equivalent Privacy) encrypts data frames before transmitting over the wireless network to help keep network communications private.

Packet Filtering

The packet filtering mechanism blocks unwanted traffic from entering/leaving your network.

Call Scheduling

Configure call time periods to restrict and allow access for users on remote nodes.

PPPoE

PPPoE facilitates the interaction of a host with an Internet modem to achieve access to highspeed data networks via a familiar "dial-up networking" user interface.

PPTP Encapsulation

Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using a TCP/IP-based network.

60 Chapter 1 Getting to Know Your ZyWALL

ZyWALL 5/35/70 Series User’s Guide

PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet. The ZyWALL supports one PPTP server connection at any given time.

Dynamic DNS Support

With Dynamic DNS (Domain Name System) support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet. You must register for this service with a Dynamic DNS service provider.

IP Multicast

Deliver IP packets to a specific group of hosts using IP multicast. IGMP (Internet Group Management Protocol) is the protocol used to support multicast groups. The latest version is version 2 (see RFC 2236); the ZyWALL supports both versions 1 and 2.

IP Alias

IP Alias allows you to partition a physical network into logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN, WLAN and/or DMZ interfaces via its single physical Ethernet LAN, WLAN and/or DMZ interface with the ZyWALL itself as the gateway for each network.

IP Policy Routing

IP Policy Routing provides a mechanism to override the default routing behavior and alter packet forwarding based on the policies defined by the network administrator.

Central Network Management

Central Network Management (CNM) allows an enterprise or service provider network administrator to manage your ZyWALL. The enterprise or service provider network administrator can configure your ZyWALL, perform firmware upgrades and do troubleshooting for you.

SNMP

SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network. The ZyWALL supports SNMP version one (SNMPv1).

Chapter 1 Getting to Know Your ZyWALL 61

ZyWALL 5/35/70 Series User’s Guide

Network Address Translation (NAT

Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet).

T raffic Redirect

Traffic Redirect forwards WAN traffic to a backup gateway on the LAN when the ZyWALL cannot connect to the Internet, thus acting as an auxiliary backup when your regular WAN connection fails.

Port Forwarding

Use this feature to forward incoming service requests to a server on your local network. You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server.

DHCP (Dynamic Host Configuration Protocol)

DHCP (Dynamic Host Configuration Protocol) allows the individual client computers to obtain the TCP/IP configuration at start-up from a centralized DHCP server. The ZyWALL has built-in DHCP server capability, enabled by default, which means it can assign IP addresses, an IP default gateway and DNS servers to all systems that support the DHCP client. The ZyWALL can also act as a surrogate DHCP server (DHCP Relay) where it relays IP address assignment from the actual real DHCP server to the clients.

Full Network Management

The embedded web configurator is an all-platform web-based utility that allows you to easily access the ZyWALL’s management settings and configure the firewall. Most functions of the ZyWALL are also software configurable via the SMT (System Management Terminal) interface. The SMT is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection.

RoadRunner Support

In addition to standard cable modem services, the ZyWALL supports Time Warner’s RoadRunner Service.

Logging and Tracing

Built-in message logging and packet tracing.

Syslog facility support.

62 Chapter 1 Getting to Know Your ZyWALL

ZyWALL 5/35/70 Series User’s Guide

Upgrade ZyWA LL Firmware via LAN

The firmware of the ZyWALL can be upgraded via the LAN.

Embedded FTP and TFTP Servers

The ZyWALL’s embedded FTP and TFTP Servers enable fast firmware upgrades as well as configuration file backups and restoration.

1.3 Applications for the ZyWALL

Here are some examples of what you can do with your ZyWALL.

1.3.1 Secure Broadband Internet Access via Cable or DSL Modem

You can connect a cable modem, DSL or wireless modem to the ZyWALL for broadband Internet access via Ethernet or wireless port on the modem. The ZyW ALL guarantees not only high speed Internet access, but secure internal network protection and traffic management as well.

Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem

1.3.2 VPN Application

ZyWALL VPN is an ideal cost-effective way to connect branch offices, business partners and telecommuters over the Internet without the need (and expense) for leased lines between sites.

Chapter 1 Getting to Know Your ZyWALL 63

ZyWALL 5/35/70 Series User’s Guide

Figure 2 VPN Application

1.3.3 Front Panel Lights

Figure 3 ZyWALL 70 Front Panel

Figure 4 ZyWALL 35 Front Panel

Figure 5 ZyWALL 5 Front Panel

The following table describes the lights.

Table 2 Front Panel Lights

LED COLOR STATUS DESCRIPTION PWR Off The ZyWALL is turned off.

Green On The ZyWALL is turned on. Red On The po wer to the ZyWALL is too low.

SYS Green Off The ZyWALL is not ready or has failed.

On The ZyWALL is ready and running. Flashing The ZyWALL is restarting.

ACT Green Off The backup port is not connected.

Flashing The backup port is sending or receiving packets.

64 Chapter 1 Getting to Know Your ZyWALL

ZyWALL 5/35/70 Series User’s Guide

Table 2 Front Panel Lights (continued)

LED COLOR STATUS DESCRIPTION CARD Green Off The wireless LAN is not ready, or has failed.

On The wireless LAN is ready. Flashing The wireless LAN is sending or receiving packets.

LAN 10/100

(ZyWALL 70 only)

WAN1/2 10/100

WAN 10/100

DMZ 10/100

(ZyWALL 70 only)

LAN/DMZ 10/ 100

(ZyWALL 35 and ZyWALL 5)

Green On The ZyWALL has a successful 10Mbps Ethernet connection.

Orange On The ZyWALL has a successful 100Mbps Ethernet

Green On The ZyWALL has a successful 10Mbps WAN connection.

Orange On The ZyWALL has a successful 100Mbps WAN connection.

Green On The ZyWALL has a successful 10Mbps Ethernet connection.

Orange On The ZyWALL has a successful 100Mbps Ethernet

Green On The ZyWALL has a successful 10Mbps Ethernet connection.

Orange On The ZyWALL has a successful 100Mbps Ethernet

Off The LAN/DMZ is not connected.

Flashing The 10M LAN is sending or receiving packets.

connection. Flashing The 100M LAN is sending or receiving packets. Off The WAN connection is not ready, or has failed.

Flashing The 10M WAN is sending or receiving packets.

Flashing The 100M WAN is sending or receiving packets. Off The LAN/DMZ is not connected.

Flashing The 10M LAN is sending or receiving packets.

connection. Flashing The 100M LAN is sending or receiving packets. Off The LAN/DMZ is not connected.

Flashing The 10M LAN is sending or receiving packets.

connection. Flashing The 100M LAN is sending or receiving packets.

Chapter 1 Getting to Know Your ZyWALL 65

ZyWALL 5/35/70 Series User’s Guide

66 Chapter 1 Getting to Know Your ZyWALL

Introducing the Web

This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens.

2.1 Web Configurator Overview

The web configurator is an HTML-based management interface that allows easy ZyWALL setup and management via Internet browser. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions. The recommended screen resolution is 1024 by 768 pixels.

ZyWALL 5/35/70 Series User’s Guide

CHAPTER 2

Configurator

In order to use the web configurator you need to allow:

• Web browser pop-up windows from your device. Web pop-up blocking is enabled by default in Windows XP SP (Service Pack) 2.

• JavaScripts (enabled by default).

• Java permissions (enabled by default).

See the Troubleshooting chapter if you want to make sure these functions are allowed in Internet Explorer or Netscape Navigator.

2.2 Accessing the ZyWALL Web Configurator

Note: By default, the packets from WLAN to WLAN/ZyWALL are dropped and users

cannot configure the ZyWALL wirelessly.

1 Make sure your ZyWALL hardware is properly connected and prepare your computer/

computer network to connect to the ZyWALL (refer to the Quick Start Guide).

2 Launch your web browser. 3 Type "192.168.1.1" as the URL. 4 Type "1234" (default) as the password and click Login. In some versions, the default

password appears automatically - if this is the case, click Login.

5 You should see a screen asking you to change your password (highly recommended) as

shown next. Type a new password (and retype it to confirm) and click Apply or click Ignore.

Chapter 2 Introducing the Web Configurator 67

ZyWALL 5/35/70 Series User’s Guide

Figure 6 Change Password Screen

6 Click Apply in the Replace Certificate screen to create a certificate using your

ZyWALL’s MAC address that will be specific to this device.

Note: If you do not replace the default certificate here or in the CERTIFICATES

screen, this screen displays every time you access the web configurator.

Figure 7 Replace Certificate Screen

7 You should now see the HOME screen (see Figure 10 on page 71).

Note: The management session automatically times out when the time period set in

the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the ZyWALL if this happens to you.

2.3 Resetting the ZyWALL

If you forget your password or cannot access the web configurator , you will need to reload the factory-default configuration file or use the RESET button on the back of the ZyWALL. Uploading this configuration file replaces the current configuration file with the factorydefault configuration file. This means that you will lose all configurations that you had previously and the speed of the console port will be reset to the default of 9600bps with 8 data bit, no parity, one stop bit and flow control set to none. The password will be reset to 1234, also.

2.3.1 Procedure To Use The Reset Button

Make sure the SYS LED is on (not blinking) before you begin this procedure.

68 Chapter 2 Introducing the Web Configurator

ZyWALL 5/35/70 Series User’s Guide

1 Press the RESET button for ten seconds, and then release it. If the SYS LED begins to

blink, the defaults have been restored and the ZyWALL restarts. Otherwise, go to step 2.

2 Turn the ZyWALL off. 3 While pressing the RESET button, turn the ZyWALL on. 4 Continue to hold the RESET button. The SYS LED will begin to blink and flicker very

quickly after about 20 seconds. This indicates that the defaults have been restored and the ZyWALL is now restarting.

5 Release the RESET button and wait for the ZyWALL to finish restarting.

2.3.2 Uploading a Configuration File Via Console Port

1 Download the default configuration file from the ZyXEL FTP site, unzip it and save it in

a folder.

2 Turn off the ZyWALL, begin a terminal emulation software session and turn on the

ZyWALL again. When you see the message "Press Any key to enter Debug Mode within 3 seconds", press any key to enter debug mode.

3 Enter "y" at the prompt below to go into debug mode. 4 Enter "atlc" after "Enter Debug Mode" message. 5 Wait for "Starting XMODEM upload" message before activating Xmodem upload on

your terminal. This is an example Xmodem configuration upload using HyperTerminal.

Figure 8 Example Xmodem Upload

Type the configuration file’s location, or click Browse to search for it.

Choose the Xmodem protocol.

Then click Send.

6 After successful firmware upload, enter "atgo" to restart the router.

2.4 Navigating the ZyWALL Web Configurator

The following summarizes how to navigate the web configurator from the HOME screen. This guide uses the ZyWALL 70 screenshots as an example. The screens may vary slightly for different ZyWALL models.

Chapter 2 Introducing the Web Configurator 69

ZyWALL 5/35/70 Series User’s Guide

Figure 9 HOME Screen

As illustrated above, the main screen is divided into these parts:

• A - title bar

• B - navigation panel

• C - main window

• D - status bar

2.4.1 Title Bar

The title bar provides some icons in the upper right corner.

The icons provide the following functions.

Table 3 Title Bar: Web Configurator Icons

ICON DESCRIPTION

Wizards: Click this icon to open one of the web configurator wizards. See Chapter 3

on page 89 for more information.

Help: Click this icon to open the help page for the current screen.

70 Chapter 2 Introducing the Web Configurator

2.4.2 Main Window

The main window shows the screen you select in the navigation panel. It is discussed in more detail in the rest of this document.

Right after you log in, the HOME screen is displayed. The screen varies according to the device mode you select in the MAINTENANCE > Device Mode screen.

2.4.3 HOME Screen: Router Mode

The following screen displays when the ZyWALL is set to router mode. This screen displays general status information about the ZyWALL. The ZyWALL is set to router mode by default. Not all fields are available on all models.

Figure 10 Web Configurator HOME Screen in Router Mode

ZyWALL 5/35/70 Series User’s Guide

The following table describes the labels in this screen.

Table 4 Web Configurator HOME Screen in Router Mode

LABEL DESCRIPTION

Automatic Refresh Interval

Refresh Click this button to update the status screen statistics immediately. System Information

Chapter 2 Introducing the Web Configurator 71

Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics.

ZyWALL 5/35/70 Series User’s Guide

Table 4 Web Configurator HOME Screen in Router Mode (continued)

LABEL DESCRIPTION

System Name This is the System Name you enter in the MAINTENANCE > General screen. It is

for identification purposes. Click the field label to go to the screen where you can

specify a name for this ZyWALL. Model This is the model name of your ZyWALL. Bootbase Version This is the bootbase version and the date created. Firmware Version This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's

Up Time This field displays how long the ZyW ALL has been running since it last started up.

System Time This field displays your ZyWALL’s present date (in yyyy-mm -dd format) and time

Device Mode This displays whether the ZyWALL is functioning as a router or a bridge. Click the

Firewall This displays whether or not the ZyWALL’s firewall is activated. Click the field

System Resources Flash The first number shows how many megabytes of the flash the ZyWALL is using. Memory The first number shows how many megabytes of the heap memory the ZyWALL is

Sessions The first number shows how many sessions are currently open on the ZyWALL.

CPU This field displays what percentage of the ZyWALL’s processing ability is currently

Interfaces This is the port type.

proprietary Network Operating System design. Click the field label to go to the

screen where you can upload a new firmware file.

The ZyWALL starts up when you turn it on, when you restart it (MAINTENANCE >

Restart), or when you reset it (see Section 2.3 on page 68).

(in hh:mm:ss format) along with the difference from the Greenwich Mean Time

(GMT) zone. The difference from GMT is based on the time zone. It is also

adjusted for Daylight Saving Time if you set the ZyWALL to use it. Click the field

label to go to the screen where you can modify the ZyWALL’s date and time

settings.

field label to go to the screen where you can configure the ZyWALL as a router or

a bridge.

label to go to the screen where you can turn the firewall on or off.

using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL

Network Operating System) and is thus available for running processes like NAT,

VPN and the firewall.

The second number shows the ZyWALL's total heap memory (in megabytes).

The bar displays what percent of the ZyWALL's heap memory is in use. The bar

turns from green to red when the maximum is being approached.

This includes all sessions that are currently traversing the ZyWALL, terminating at

the ZyWALL or Initiated from the ZyWALL

The second number is the maximum number of sessions that can be open at one

time.

The bar displays what percent of the maximum number of sessions is in use. The

bar turns from green to red when the maximum is being approached.

used. When this percentage is close to 100%, the ZyWALL is running at full load,

and the throughput is not going to improve anymore. If you want some

applications to have more throughput, you should turn off other applications (for

example, using bandwidth management.

Click "+" to expand or "-" to collapse the IP alias drop-down lists.

Hold your cursor over an interface’s label to display the interface’s MAC Address.

Click an interface’s label to go to the screen where you can configure settings for

that interface.

72 Chapter 2 Introducing the Web Configurator

ZyWALL 5/35/70 Series User’s Guide

Table 4 Web Configurator HOME Screen in Router Mode (continued)

LABEL DESCRIPTION

Status For the LAN, DMZ and WLAN ports, this displays the port speed and duplex

setting. Ethernet port connections can be in half-duplex or full-duplex mode. Full-

duplex refers to a device's ability to send and receive simultaneously, while half-

duplex indicates that traffic can flow in only one direction at a time. The Ethernet

port must use the same speed or duplex mode setting as the peer Ethernet port in

order to connect.

For the WAN and Dial Backup ports, it displays the port speed and duplex setting

if you’re using Ethernet encapsulation and Down (line is down or not connected),

Idle (line (ppp) idle), Dial (starting to trigger a call) or Drop (dropping a call) if

you’re using PPPoE encapsulation.

For the WLAN card, it displays the transmission rate when a wireless LAN card is

inserted and WLAN is enabled or Down when a wireless LAN card is not inserted

or WLAN is disabled. IP/Netmask This shows the port’s IP address and subnet mask. IP Assignment For the WAN, if the ZyWALL gets its IP address automatically from an ISP, this

Renew If you are using Ethernet encapsulation and the WAN port is configured to get the

Security Services Turbo Card This field displays whether or not a ZyWALL Turbo Card is installed.

displays DHCP client when you’re using Ethernet encapsulation and IPCP Client

when you’re using PPPoE or PPTP encapsulation. Static displays if the WAN port

is using a manually entered static (fixed) IP address.

For the LAN, WLAN or DMZ, DHCP server displays when the ZyWALL is set to

automatically give IP address information to the computers connected to the LAN.

DHCP relay displays when the ZyWALL is set to forward IP address assignment

requests to another DHCP server. Static displays if the LAN port is using a

manually entered static (fixed) IP address. In this case, you must have another

DHCP server on your LAN, or else the computers must be manually configured.

For the dial backup port, this shows N/A when dial backup is disabled and IPCP

client when dial backup is enabled.

IP address automatically from the ISP, click Renew to release the WAN port’s

dynamically assigned IP address and get the IP address afresh. Click Dial to dial

up the PPTP, PPPoE or dial backup connection. Click Drop to disconnect the

PPTP, PPPoE or dial backup connection.

Note: The ZyWALL must have a Turbo Card installed and a valid

service subscription to use the IDP and anti-virus features.

IDP/Anti-Virus Definitions

IDP/Anti-Virus Expiration Date

Anti-Spam Expiration Date

Content Filter Expiration Date

Intrusion Detected This displays how many intrusions the ZyWALL has detected since it last started

Chapter 2 Introducing the Web Configurator 73

This is the version number of the signatures set that the ZyWALL is using and the

date and time that the set was released. Click the field label to go to the screen

where you can update the signatures. N/A displays when there is no Turbo Card

installed or the service subscription has expired.

This is the date the IDP/anti-virus service subscription expires. Click the field label

to go to the screen where you can update your service subscription.

This is the date the anti-spam service subscription expires. Click the field label to

go to the screen where you can update your service subscription.

This is the date the category-based content filtering service subscription expires.

Click the field label to go to the screen where you can update your service

subscription.

up. N/A displays when there is no Turbo Card installed or the service subscription

has expired.

ZyWALL 5/35/70 Series User’s Guide

Table 4 Web Configurator HOME Screen in Router Mode (continued)

LABEL DESCRIPTION

Virus Detected This displays how many virus-infected files the ZyWALL has detected since it last

started up. It also displays the percentage of virus-infected files out of the total

number of files that the ZyWALL has scanned (since it last started up). N/A

displays when there is no Turbo Card installed or the service subscription has

expired. Spam Mail

Detected

Web Site Blocked This displays how many web site hits the ZyWALL has blocked since it last started

Top 5 Intrusion & Virus Detections

Rank This is the ranking number of an intrusion or virus. This is an intrusion’s or virus’s

Intrusion Detected This is the name of a signature for which the ZyWALL has detected matching

Virus Detected This is the name of the virus that the ZyWALL has detected. Latest Alerts This table displays the five most recent alerts recorded by the ZyWALL. You can

Date/Time This is the date and time the alert was recorded. Message This is the reason for the alert. System Status Port Statistics Click Port Statistics to see router performa nce statistics such as the number of

DHCP Table Click DHCP Table to show current DHCP client information. VPN Click VPN to display the active VPN connections. Bandwidth Click Bandwidth to view the ZyWALL’s bandwidth usage and allotments.

This displays how many spam e-mails the ZyWALL has detected since it last

started up. It also displays the percentage of spam e-mail out of the total number

of e-mails that the ZyWALL has scanned (since it last started up). N/A displays

when the service subscription has expired.

up. N/A displays when the service subscription has expired.

The following is a list of the five intrusions or viruses that the ZyWALL has most

frequently detected since it last started up.

place in the list of most common intrusions or viruses.

packets. The number in brackets indicates how many times the signature has

been matched.

Click the hyperlink for more detailed information on the intrusion.

see more information in the View Log screen, such as the source and destination

IP addresses and port numbers of the incoming packets.

packets sent and number of packets received for each port.

2.4.4 HOME Screen: Bridge Mode

The following screen displays when the ZyWALL is set to bridge mode. In bridge mode, the ZyWALL functions as a transparent firewall (also known as a bridge firewall). The ZyWALL bridges traffic traveling between the ZyWALL's interfaces and still filters and inspects packets. You do not need to change the configuration of your existing network.

In bridge mode, the ZyWALL cannot get an IP address from a DHCP server. The LAN, WAN, DMZ and WLAN interfaces all have the same (static) IP address and subnet mask. You can configure the ZyWALL's IP address in order to access the ZyWALL for management. If you connect your computer directly to the ZyWALL, you also need to assign your computer a static IP address in the same subnet as the ZyWALL's IP address in order to access the ZyWALL.

74 Chapter 2 Introducing the Web Configurator

ZyWALL 5/35/70 Series User’s Guide

You can use the firewall and VPN in bridge mode.

Figure 11 Web Configurator HOME Screen in Bridge Mode

The following table describes the labels in this screen.

Table 5 Web Configurator HOME Screen in Bridge Mode

LABEL DESCRIPTION

Automatic Refresh Interval

Refresh Click this button to update the screen’s statistics immediately. System

Information System Name This is the System Name you enter in the MAINTENANCE > General screen. It is

Model This is the model name of your ZyWALL. Bootbase Version This is the bootbase version and the date created. Firmware Version Th is is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's

Up Time This field displays how long the ZyWALL has been running since it last started up.

Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics.

for identification purposes. Click the field label to go to the screen where you can specify a name for this ZyWALL.

proprietary Network Operating System design. Click the field label to go to the screen where you can upload a new firmware file.

The ZyWALL starts up when you turn it on, when you restart it (MAINTENANCE > Restart), or when you reset it (see Section 2.3 on page 68).

Chapter 2 Introducing the Web Configurator 75

ZyWALL 5/35/70 Series User’s Guide

Table 5 Web Configurator HOME Screen in Bridge Mode (continued)

LABEL DESCRIPTION

System Time This field displays your ZyWALL’s present date (in yyyy-mm-dd format) and time (in

hh:mm:ss format) along with the difference from the Greenwich Mean Time (GMT) zone. The difference from GMT is based on the time zone. It is also adjusted for Daylight Saving Time if you set the ZyWALL t o use it. Click the field label to go to the screen where you can modify the ZyWALL’s date and time settings.

Device Mode This displays whether the ZyWALL is functioning as a router or a bridge. Click the

Firewall This displays whether or not the ZyWALL’s firewall is activated. Click the field label

System Resources

Flash The first number shows how many megabytes of the flash the ZyWALL is using. Memory The first number shows how many megabytes of the heap memory the ZyWALL is

Sessions The first number shows how many sessions are currently open on the ZyWALL.

CPU This field displays what percentage of the ZyWALL’s processing ability is currently

Network Status IP/Netmask

Address Gateway IP

Address Rapid Spanning

Tree Protocol Bridge Priority This is the bridge priority of the ZyWALL. The bridge (or switch) with the lowest

Bridge Hello Time This is the interval of BPDUs (Bridge Protocol Data Units) from the root bridge. Bridge Max Age This is the predefined interval that a bridge waits to get a Hello message (BPDU)

Forward Delay This is the forward delay interval. Bridge Port This is the port type. Port types are: WAN (or WAN1, WAN2), LAN, Wireless Card,

field label to go to the screen where you can configure the ZyWALL as a router or a bridge.

to go to the screen where you can turn the firewall on or off.

using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running processes like NAT, VPN and the firewall.

The second number shows the ZyWALL's total heap memory (in megabytes). The bar displays what percent of the ZyWALL's heap memory is in use. The bar

turns from green to red when the maximum is being approached.

This includes all sessions that are currently traversing the ZyWALL, terminating at the ZyWALL or initiated from the ZyWALL

The second number is the maximum number of sessions that can be open at one time.

The bar displays what percent of the maximum number of sessions is in use. The bar turns from green to red when the maximum is being approached.

used. When this percentage is close to 100%, the ZyWALL is running at full load, and the throughput is not going to improve anymore. If you want some applications to have more throughput, you should turn off other applications (for example, using bandwidth management.

This is the IP address and subnet mask of your ZyWALL in dotted decimal notation.

This is the gateway IP address.

This shows whether RSTP (Rapid Spanning Tree Protocol) is active or not. The following labels or values relative to RSTP do not apply when RSTP is disabled.

bridge priority value in the network is the root bridge (the base of the spanning tree).

from the root bridge.

DMZ and WLAN Interface.

76 Chapter 2 Introducing the Web Configurator

ZyWALL 5/35/70 Series User’s Guide

Table 5 Web Configurator HOME Screen in Bridge Mode (continued)

LABEL DESCRIPTION

Port Status For the WAN, LAN, DMZ, and WLAN Interfaces, this displays the port speed and

duplex setting. For the WAN port, it displays Down when the link is not ready or has failed. For the wireless card, it displays the transmission rate when a wireless LAN card is inserted and WLAN is enabled or Down when a wireless LAN is not inserted

or WLAN is disabled. RSTP Status This is the RSTP status of the corresponding port. RSTP Active This shows whether or not RSTP is active on the corresponding port. RSTP Priority This is the RSTP priority of the corresponding port. RSTP Path Cost This is the cost of transmitting a frame from the root bridge to the corresponding

Security Services Turbo Card This field displays whether or not a ZyWALL Turbo Card is installed.

port.

Note: The ZyWALL must have a Turbo Card installed and a valid

service subscription to use the IDP and anti-virus features.

IDP/Anti-Virus Definitions

IDP/Anti-Virus Expiration Date

Anti-Spam Expiration Date

Content Filter Expiration Date

Intrusion Detected

Virus Detected This displays how many virus-infected files the ZyWALL has dete cted since it last

Spam Mail Detected

Web Site Blocked This displays how many web site hits the ZyWALL has blocked since it last started

Top 5 Intrusion & Virus Detections

Rank This is the ranking number of an intrusion or virus. This is an intrusion’s or virus’s

Intrusion Detected

Virus Detected This is the name of the virus that the ZyWALL has detected.

This is the version number of the signatures set that the ZyWALL is using and the

date and time that the set was released. Click the field label to go to the screen

where you can update the signatures. N/A displays when there is no Turbo Card

installed or the service subscription has expired.

This is the date the IDP/anti-virus service subscription expires. Click th e field label

to go to the screen where you can update your service subscription.

This is the date the anti-spam service subscription expires. Click the field label to go

to the screen where you can update your service subscription.

This is the date the category-based content filtering service subscription expires.

Click the field label to go to the screen where you can update your service

subscription.

This displays how many intrusions the ZyWALL has detected since it last started

up. N/A displays when there is no Turbo Card installed or the service subscription

has expired.

started up. It also displays the percentage of virus-infected files out of the total

number of files that the ZyWALL has scanned (since it last started up). N/A displays

when there is no Turbo Card installed or the service subscription has expired.

This displays how many spam e-mails the ZyWALL has detected since it last

started up. It also displays the percentage of spam e-mail out of the total number of

e-mails that the ZyWALL has scanned (since it last started up). N/A displays when

the service subscription has expired.

up. N/A displays when the service subscription has expired.

The following is a list of the five intrusions or viruses that the ZyWALL has most

frequently detected since it last started up.

place in the list of most common intrusions or viruses.

This is the name of a signature for which the ZyWALL has detected matching

packets. The number in brackets indicates how many times the signature has been

matched.

Click the hyperlink for more detailed information on the intrusion.

Chapter 2 Introducing the Web Configurator 77

ZyWALL 5/35/70 Series User’s Guide

Table 5 Web Configurator HOME Screen in Bridge Mode (continued)

LABEL DESCRIPTION

Latest Alerts This table displays the five most recent alerts recorded by the ZyWALL. You can

see more information in the View Log screen, such as the source and destination

IP addresses and port numbers of the incoming packets. Date/Time This is the date and time the alert was recorded. Message This is the reason for the alert. System Status Port Statistics Click Port Statistics to see router performance statistics such as the number of

packets sent and number of packets received for each port. VPN Click VPN to display the active VPN connections. Bandwidth Click Bandwidth to view the ZyWALL’s bandwidth usage and allotments.

2.4.5 Navigation Panel

After you enter the password, use the sub-menus on the navigation panel to configure ZyWALL features.

The following table lists the features available for each device mode. Not all ZyWALLs have all features listed in this table.

Table 6 Bridge and Router Mode Features Comparison

FEATURE BRIDGE MODE ROUTER MODE

Internet Access Wizard O VPN Wizard O O DHCP Table O System Statistics O O Registration O O LAN O WAN O DMZ O Bridge O WLAN O Wireless Card O O Firewall O O IDP O O Anti-Virus O O Anti-Spam O O Content Filter O O VPN O O Certificates O O Authentication Server O O

78 Chapter 2 Introducing the Web Configurator

ZyWALL 5/35/70 Series User’s Guide

Table 6 Bridge and Router Mode Features Comparison

FEATURE BRIDGE MODE ROUTER MODE

NAT O Static Route O Policy Route O Bandwidth Management O O DNS O Remote Management O O UPnP O ALG O O Logs O O Maintenance O O

Table Key: An O in a mode’s column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change.

The following table describes the sub-menus.

Table 7 Screens Summary

LINK TAB FUNCTION

HOME This screen shows the ZyWALL’s general device and network

status information. Use this screen to access the wizards, statistics and DHCP table.

REGISTRATION Registration Use this screen to register your ZyWALL and activate the trial

service subscriptions.

Service Use this to manage and update the service status and license

NETWORK LAN LAN Use this screen to configure LAN DHCP and TCP/IP settings.

Static DHCP Use this screen to assign fixed IP addresses on the LAN. IP Alias Use this screen to partition your LAN interface into subnets. Port Roles

(ZyWALL 5 and ZyWALL

35)

BRIDGE Bridge Use this screen to change the bridge settings on the ZyWALL.

Port Roles Use this screen to change the DMZ/WLAN port roles on the

information.

Use this screen to change the LAN/DMZ/WLAN port roles.

ZyWALL 70 or the LAN/DMZ/WLAN port roles on the ZyWALL 5 or ZyWALL 35.

Chapter 2 Introducing the Web Configurator 79

ZyWALL 5/35/70 Series User’s Guide

Table 7 Screens Summary (continued)

LINK TAB FUNCTION

WAN General This screen allows you to configure load balancing, route priority

Route (ZyWALL 5 only)

WAN (ZyWALL 5 only)

WAN1 (ZyWALL 35 and ZyWALL

70) WAN2

(ZyWALL 35 and ZyWALL

70) Traffic Redirect Use this screen to configure your traffic redirect properties and

Dial Backup Use this screen to configure the backup WAN dial-up connection.

DMZ DMZ Use this screen to configure your DMZ connection.

Static DHCP Use this screen to assign fixed IP addresses on the DMZ. IP Alias Use this screen to partition your DMZ interface into subnets. Port Roles Use this screen to change the DMZ/WLAN port roles on the

WLAN WLAN Use this screen to configure your WLAN connection.

Static DHCP Use this screen to assign fixed IP addresses on the WLAN. IP Alias Use this screen to partition your WLAN interface into subnets. Port Roles Use this screen to change the DMZ/WLAN port roles on the

WIRELESS CARD

SECURITY FIREWALL Default Rule Use this screen to activate/deactivate the firewall and the direction

Wireless Card Use this screen to configure the wireless LAN settings and WLAN

MAC Filter Use this screen to change MAC filter settings on the ZyWALL

Rule Summary This screen shows a summary of the firewall rules, and allows you

Anti-Probing Use this screen to change your anti-probing settings. Threshold Use this screen to configure the threshold for DoS attacks. Service Use this screen to configure custom services.

and traffic redirect properties. This screen allows you to configure route priority.

Use this screen to configure the WAN port for internet access.

Use this screen to configure the WAN1 port for Internet access.

Use this screen to configure the WAN2 port for Internet access.

parameters.

ZyWALL 70 or the LAN/DMZ/WLAN port roles on the ZyWALL 5 or ZyWALL 35.

authentication/security settings.

of network traffic to which to apply the rule

to edit/add a firewall rule.

80 Chapter 2 Introducing the Web Configurator

ZyWALL 5/35/70 Series User’s Guide

Table 7 Screens Summary (continued)

LINK TAB FUNCTION

IDP General Use this screen to enable IDP on the ZyWALL and choose what

interface(s) you want to protect from intrusions.

Signature Use these screens to view signatures by attack type or search for

signatures by signature name, ID, severity, target operating system, action etc. You can also configure signature actions here.

Update Use this screen to download new signature downloads. It is

Backup & Restore

ANTI-VIRUS General Use this screen to activate AV scanning on the interface(s) and

Signature Use these screens to search for signatures by signature name or

Update Use this screen to view the version number of the current

Backup & Restore

ANTI-SPAM General Use this screen to turn the anti-spam feature on or off and set how

External DB Use this screen to enable or disable the use of the anti-spam

Lists Use this screen to configure the whitelist to identify legitimate e-

CONTENT FILTER

VPN VPN Rules

CERTIFICATES My Certificates Use this screen to view a summary list of certificates and manage

General This screen allows you to enable content filtering and block certain

Categories Use this screen to select which categories of web pages to filter

Customization Use this screen to customize the content filter list. Cache Use this screen to view and configure the ZyWALL’s URL caching.

(IKE) VPN Rules

(Manual) SA Monitor Use this screen to display and manage active VPN connections. Global Setting Use this screen to configure the IPSec timer settings.

Trusted CAs Use this screen to view and manage the list of the trusted CAs. Trusted

Remote Hosts Directory

Servers

important to do this as new intrusions evolve. Use this screen to back up, restore or revert to the default

signatures’ actions.

specify actions when a virus is detected.

attributes and configure how the ZyWALL uses them.

signatures and configure the signature update schedule. Use this screen to back up, restore or revert to the default

signatures’ actions.

the ZyWALL treats spam.

external database.

mail and configure the blacklist to identify spam e-mail.

web features.

out, as well as to register for external database content filtering and view reports.

Use this screen to configure VPN connections using IKE key management and view the rule summary.

Use this screen to configure VPN connections using manual key management and view the rule summary.

certificates and certification requests.

Use this screen to view and manage the certificates belonging to the trusted remote hosts.

Use this screen to view and manage the list of the directory servers.

Chapter 2 Introducing the Web Configurator 81

ZyWALL 5/35/70 Series User’s Guide

Table 7 Screens Summary (continued)

LINK TAB FUNCTION

AUTH SERVER Local User

Database RADIUS Configure this screen to use an external server to authenticate

ADVANCED NAT NAT Overview Use this screen to enable NAT.

Address Mapping

Port Forwarding

Port Triggering Use this screen to change your ZyWALL’s port triggering settings. STATIC ROUTE IP Static Route Use this screen to configure IP static routes. POLICY ROUTE Policy Route

Summary BW MGMT Summary Use this screen to enable bandwidth management on an interface.

Class Setup Use this screen to set up the bandwidth classes.

Monitor Use this screen to view the ZyWALL’s bandwidth usage and

DNS System Use this screen to configure the address and name server records.

Cache Use this screen to configure the DNS resolution cache.

DHCP Use this screen to configure LAN/DMZ/WLAN DNS information .

DDNS Use this screen to set up dynamic DNS. REMOTE MGMT WWW Use this screen to configure through which interface(s) and from

SSH Use this screen to configure through which interface(s) and from

TELNET Use this screen to configure through which interface(s) and from

FTP Use this screen to configure through which interface(s) and from

SNMP Use this screen to configure your ZyWALL’s settings for Simple

DNS Use this screen to configure through which interface(s) and from

CNM Use this screen to configure and allow your ZyWALL to be

UPnP UPnP Use this screen to enable UPnP on the ZyWALL.

Ports Use this screen to view the NAT port mapping rules that UPnP

ALG ALG Use this screen to allow certain applications to pass through the

REPORTS

Use this screen to configure the local user account(s) on the ZyWALL.

wireless and/or VPN users.

Use this screen to configure network address translation mapping rules.

Use this screen to configure servers behind the ZyWALL.

Use this screen to view a summary list of all the policies and configure policies for use in IP policy routing.

allotments.

which IP address(es) users can use HTTPS or HTTP to manage the ZyWALL.

which IP address(es) users can use Secure Shell to manage the ZyWALL.

which IP address(es) users can use Telnet to manage the ZyWALL.

which IP address(es) users can use FTP to access the ZyWALL.

Network Management Protocol management.

which IP address(es) users can send DNS queries to the ZyWALL.

managed by the Vantage CNM server.

creates on the ZyWALL.

ZyWALL.

82 Chapter 2 Introducing the Web Configurator

Table 7 Screens Summary (continued)

LINK TAB FUNCTION

ZyWALL 5/35/70 Series User’s Guide

SYSTEM REPORTS

THREAT REPORTS

LOGS View Log Use this screen to view the logs for the categories that you

MAINTENANCE General This screen contains administrative.

LOGOUT Click this label to exit the web configurator.

Reports Use this screen to have the ZyWALL record and display network

usage reports.

IDP Use this screen to collect and display statistics on the intrusions

that the ZyWALL has detected.

Anti-Virus Use this screen to collect and display statistics on the viruses that

the ZyWALL has detected.

Anti-Spam Use this screen to collect and display statistics on spam mail that

the ZyWALL has detected.

selected.

Log Settings Use this screen to change your ZyWALL’s log settings.

Password Use this screen to change your password.

Time and Date Use this screen to change your ZyWALL’s time and date.

Device Mode Use this screen to configure and have your ZyWALL work as a

F/W Upload Use this screen to upload firmware to your ZyWALL

Backup &

Restore

Restart This screen allows you to reboot the ZyWALL without turning the

router or a bridge.

Use this screen to backup and restore the configuration or reset the factory defaults to your ZyWALL.

power off.

2.4.6 Port Statistics

Click Port Statistics in the HOME screen. Read-only information here includes port status and packet specific statistics. The Poll Interval(s) field is configurable. Not all items described are available on all models.

Figure 12 HOME > Show Statistics

Chapter 2 Introducing the Web Configurator 83

ZyWALL 5/35/70 Series User’s Guide

The following table describes the labels in this screen.

Table 8 HOME > Show Statistics

LABEL DESCRIPTION

Click the icon to display the chart of throughput statistics. Port These are the ZyWALL’s interfaces.

Status For the WAN and dial backup ports, this displays the port speed and duplex setting if

you’re using Ethernet encapsulation and Down (line is down), Idle (line (ppp) idle),

Dial (starting to trigger a call) or Drop (dropping a call) if you’re using PPPoE

encapsulation. Dial backup is not available in bridge mode.

For the LAN, DMZ and WLAN ports, this displays the port speed and duplex setting.

For the WLAN card, this displays the transmission rate when a wireless LAN card is

inserted and WLAN is enabled or Down when a wireless LAN is not inserted or

WLAN is disabled. TxPkts This is the number of transmitted packets on this port. RxPkts This is the number of received packets on this port. Tx B/s This displays the transmission speed in bytes per second on this port. Rx B/s This displays the reception speed in bytes per second on this port. Up Time This is the total amount of time the line has been up. System Up Time This is the total time the ZyWALL has been on. Automatic

Refresh Interval

Refresh Click this button to update the screen’s statistics immediately.

Select a number of seconds or None from the drop-down list box to update all

screen statistics automatically at the end of every time interval or to not update the

screen statistics.

2.4.7 Show Statistics: Line Chart

Click the icon in the Show Statistics screen. This screen shows you a line chart of each port’s throughput statistics.

84 Chapter 2 Introducing the Web Configurator

Figure 13 HOME > Show Statistics > Line Chart

The following table describes the labels in this screen.

Table 9 HOME > Show Statistics > Line Chart

ZyWALL 5/35/70 Series User’s Guide

LABEL DESCRIPTION

Click the icon to go back to the Show Statistics screen.

Port Select the check box(es) to display the throughput statistics of the corresponding

B/s Specify the direction of the traffic for which you want to show throughput statistics in

Throughput Range

port(s).

this table.

Select Tx to display transmitted traffic throughput statistics and the amount of traffic

(in bytes). Select Rx to display received traffic throughput statistics and the amount

of traffic (in bytes).

Set the range of the throughput (in B/s, KB/s or MB/s) to display.

Click Set Range to save this setting back to the ZyWALL.

2.4.8 DHCP Table Screen

DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyWALL as a DHCP server or disable it. When configured as a server, the ZyWALL provides the TCP/IP configuration for the clients. If DHCP service is disabled, you must have another DHCP server on your LAN, or else the computer must be manually configured.

Click Show DHCP Table in the HOME screen when the ZyWALL is set to router mode. Read-only information here relates to your DHCP status. The DHCP table shows current DHCP client information (including IP Address, Host Name and MAC Address) of all network clients using the ZyWALL’s DHCP server.

Chapter 2 Introducing the Web Configurator 85

ZyWALL 5/35/70 Series User’s Guide

Figure 14 HOME > DHCP Table

The following table describes the labels in this screen.

Table 10 HOME > DHCP Table

LABEL DESCRIPTION

Interface Select LAN, DMZ or WLAN to show the current DHCP client information for the

specified interface. # This is the index number of the host computer. IP Address This field displays the IP address relative to the # field listed above. Host Name This field displays the computer host name. MAC Address The MAC (Media Access Control) or Ethernet address on a LAN (Local Area Network)

is unique to your computer (six pairs of hexadecimal notation).

A network interface card such as an Ethernet adapter has a hardwired address that is

assigned at the factory. This address follows an industry standard that ensures no

other adapter has a similar address. Reserve Select the check box in the heading row to automatically select all check boxes or

select the check box(es) in each entry to have the ZyWALL always assign the

selected entry(ies)’s IP address(es) to the corresponding MAC address(es) (and host

name(s)). You can select up to 128 entries in this table. After you click Apply, the

MAC address and IP address also display in the corresponding LAN, DMZ or WLAN

Static DHCP screen (where you can edit them). Refresh Click Refresh to reload the DHCP table.

2.4.9 VPN Status

Click VPN in the HOME screen when the ZyWALL is set to router mode. This screen displays read-only information about the active VPN connections. The Poll Interval(s) field is configurable. A Security Association (SA) is the group of security settings related to a specific VPN tunnel.

86 Chapter 2 Introducing the Web Configurator

Figure 15 HOME > VPN Status

The following table describes the labels in this screen.

ZyWALL 5/35/70 Series User’s Guide

Table 11 HOME > VPN Status

LABEL DESCRIPTION

# This is the security association index number. Name This field displays the identification name for this VPN policy. Local Network This field displays the IP address of the computer using the VPN IPSec feature of

your ZyWALL.

Remote Network This field displays IP address (in a range) of computers on the remote network

behind the remote IPSec router. Encapsulation This field displays Tunnel or Transport mode. IPSec Algorithm This field displays the security protocols used for an SA.

Both AH and ESP increase ZyWALL processing requirements and communications

latency (delay). Automatic

Refresh Interval

Refresh Click this button to update the screen’s statistics immediately.

Select a number of seconds or None from the drop-down list box to update all

screen statistics automatically at the end of every time interval or to not update the

screen statistics.

2.4.10 Bandwidth Monitor

Click Bandwidth in the HOME screen to display the bandwidth monitor. This screen displays the device’s bandwidth usage and allotments.

Chapter 2 Introducing the Web Configurator 87

ZyWALL 5/35/70 Series User’s Guide

Figure 16 Home > Bandwidth Monitor

The following table describes the labels in this screen.

LABEL DESCRIPTION

Interface Select an interface from the drop-down list box to view the bandwidth usage of

its bandwidth classes.

Class This field displays the name of the bandwidth class.

A Default Class automatically displays for all the bandwidth in the Root Class that is not allocated to bandwidth classes. If you do not enable maximize bandwidth usage on an interface, the ZyWALL uses the bandwidth in this default class to send traffic that does not match any of the bandwidth

classes. Budget (kbps) This field displays the amount of bandwidth allocated to the bandwidth class. Current Usage (kbps) This field displays the amount of bandwidth that each bandwidth class is

using. Automatic Refresh

Interval

Refresh Click this button to update the screen’s statistics immediately.

a.If you allocate all the root class’s bandwidth to the bandwidth classes, the default class still displays a budget of 2 kbps (the minimum amount of bandwidth that can be assigned to a bandwidth class).

Select a number of seconds or None from the drop-down list box to update all

screen statistics automatically at the end of every time interval or to not update

the screen statistics.

88 Chapter 2 Introducing the Web Configurator

This chapter provides information on the Wizard Setup screens in the web configurator. The Internet access wizard is only applicable when the ZyWALL is in router mode.

3.1 Wizard Setup Overview

The web configurator's setup wizards help you co nfig ure Intern et and VPN co nn ection settings.

ZyWALL 5/35/70 Series User’s Guide

CHAPTER 3

Wizard Setup

In the HOME screen, click the Wizard icon The following summarizes the wizards you can select:

• Internet Access Setup

Click this link to open a wizard to set up an Internet connection for WAN1 on a ZyWALL with multiple WAN ports or the WAN port on a ZyWALL with a single WAN port.

• VPN Setup

Use VPN SETUP to configure a VPN connection that uses a pre-shared key. If you want to set the rule to use a certificate, please go to the VPN screens for configuration. See

Section 3.3 on page 99.

to open the Wizard Setup Welcome screen.

Chapter 3 Wizard Setup 89

ZyWALL 5/35/70 Series User’s Guide

Figure 17 Wizard Setup Welcome

3.2 Internet Access

The Internet access wizard screen has three variations depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information.

3.2.1 ISP Parameters

The ZyWALL offers three choices of encapsulation. They are Ethernet, PPTP or PPPoE.

The wizard screen varies according to the type of encapsulation that you select in the Encapsulation field.

3.2.1.1 Ethernet

For ISPs (such as Telstra) that send UDP heartbeat packets to verify that the customer is still online, please create a WAN-to-WAN/ZyWALL firewall rule for those packets. Contact your ISP to find the correct port number.

Choose Ethernet when the WAN port is used as a regular Ethernet.

90 Chapter 3 Wizard Setup

Figure 18 ISP Parameters: Ethernet Encapsulation

ZyWALL 5/35/70 Series User’s Guide

The following table describes the labels in this screen.

Table 12 ISP Parameters: Ethernet Encapsulation

LABEL DESCRIPTION

ISP Parameters for Internet Access

Encapsulation You must choose the Ethernet option when the WAN port is used as a regular

Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection.

WAN IP Address Assignment

IP Address Assignment

My WAN IP Address

My WAN IP Subnet Mask

Gateway IP Address

First DNS Server Second DNS

Server

Select Dynamic If your ISP did not assign you a fixed IP address. This is the default selection.

Select Static If the ISP assigned a fixed IP address. The fields below are available only when you select Static.

Enter your WAN IP address in this field.

Enter the IP subnet mask in this field.

Enter the gateway IP address in this field.

Enter the DNS server's IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not

configure a DNS server, you must know the IP address of a machine in order to access it.

Chapter 3 Wizard Setup 91

ZyWALL 5/35/70 Series User’s Guide

Table 12 ISP Parameters: Ethernet Encapsulation

LABEL DESCRIPTION

Back Click Back to return to the previous wizard screen. Apply Click Apply to save your changes and go to the next screen.

3.2.1.2 PPPoE Encapsulation

Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an IETF (Internet Engineering Task Force) standard specifying how a host personal computer interacts with a broadband modem (for example DSL, cable, wireless, etc.) to achieve access to high-speed data networks.

Figure 19 ISP Parameters: PPPoE Encapsulation

The following table describes the labels in this screen.

Table 13 ISP Parameters: PPPoE Encapsulation

LABEL DESCRIPTION

ISP Parameter for Internet Access

Encapsulation Choose an encapsulation method from the pull-down list box. PPP over Ethernet

92 Chapter 3 Wizard Setup

forms a dial-up connection.

ZyWALL 5/35/70 Series User’s Guide

Table 13 ISP Parameters: PPPoE Encapsulation (continued)

LABEL DESCRIPTION

Service Name Type the name of your service provider. User Name Type the user name given to you by your ISP. Password Type the password associated with the user name above. Retype to Confirm Type your password again for confirmation. Nailed-Up Select Nailed-Up if you do not want the connection to time out. Idle Timeout Type the time in seconds that elapses before the router automatically disconnects

WAN IP Address Assignment

IP Address Assignment

My WAN IP Address

First DNS Server Second DNS

Server

Back Click Back to return to the previous wizard screen. Apply Click Apply to save your changes and go to the next screen.

from the PPPoE server. The default time is 100 seconds.

Select Dynamic If your ISP did not assign you a fixed IP address. This is the default selection.

Select Static If the ISP assigned a fixed IP address. The fields below are available only when you select Static.

Enter your WAN IP address in this field.

Enter the DNS server's IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not

configure a DNS server, you must know the IP address of a machine in order to access it.

3.2.1.3 PPTP Encapsulation

Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables transfers of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/ IP-based networks.

PPTP supports on-demand, multi-protocol, and virtual private networking over public networks, such as the Internet.

Chapter 3 Wizard Setup 93

ZyWALL 5/35/70 Series User’s Guide

Note: The ZyWALL supports one PPTP server connection at any given time.

Figure 20 ISP Parameters: PPTP Encapsulation

The following table describes the labels in this screen.

Table 14 ISP Parameters: PPTP Encapsulation

LABEL DESCRIPTION

ISP Parameters for Internet Access

Encapsulation Select PPTP from the drop-down list box. To configure a PPTP client, you must

configure the User Name and Password fields for a PPP connection and the

PPTP parameters for a PPTP connection. User Name Type the user name given to you by your ISP. Password Type the password associated with the User Name above. Retype to Confirm Type your password again for confirmation. Nailed-Up Select Nailed-Up if you do not want the connection to time out. Idle Timeout Type the time in seconds that elapses before the router automatically disconnects

94 Chapter 3 Wizard Setup

from the PPTP server.

ZyWALL 5/35/70 Series User’s Guide

Table 14 ISP Parameters: PPTP Encapsulation

LABEL DESCRIPTION

PPTP Configuration My IP Address Type the (static) IP address assigned to you by your ISP . My IP Subnet Mask Type the subnet mask assigned to you by your ISP (if given). Server IP Address Type the IP address of the PPTP server. Connection ID/

Name

WAN IP Address Assignment

IP Address Assignment

My WAN IP Address

First DNS Server Second DNS

Server

Back Click Back to return to the previous wizard screen. Apply Click Apply to save your changes and go to the next screen.

Enter the connection ID or connection name in this field. It must follow the "c:id"

and "n:name" format. For example, C:12 or N:My ISP.

This field is optional and depends on the requirements of your xDSL modem.

Select Dynamic If your ISP did not assign you a fixed IP address. This is the

default selection.

Select Static If the ISP assigned a fixed IP address.

The fields below are available only when you select Static.

Enter your WAN IP address in this field.

Enter the DNS server's IP address(es) in the field(s) to the right.

Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do

not configure a DNS server, you must know the IP address of a machine in order

to access it.

3.2.2 Internet Access Wizard: Second Screen

Click Next to go to the screen where you can register your ZyWALL and activate the free content filtering, anti-spam, anti-virus and IDP trial applications. Otherwise, click Skip to display the congratulations screen and click Close to complete the Internet access setup.

Note: Make sure you have installed the ZyWALL Turbo Card before you activate the

IDP and anti-virus subscription services. Turn the ZyWALL off before you install or remove the ZyWALL Turbo Card.

Chapter 3 Wizard Setup 95

ZyWALL 5/35/70 Series User’s Guide

Figure 21 Internet Access Wizard: Second Screen

Figure 22 Internet Access Setup Complete

3.2.3 Internet Access Wizard: Registration

If you clicked Next in the previous screen (see Figure 21 on page 96), the following screen displays.

Use this screen to register the ZyWALL with myZyXEL.com. You must register your ZyWALL before you can activate trial applications of services like content filtering, antispam, anti-virus and IDP.

Note: If you want to activate a st andard service with your iCa rd’s PIN numb er (license

key), use the REGISTRATION > Service screen.

96 Chapter 3 Wizard Setup

Figure 23 Internet Access Wizard: Registration

The following table describes the labels in this screen.

Table 15 Internet Access Wizard: Registration

ZyWALL 5/35/70 Series User’s Guide

LABEL DESCRIPTION Device Registration If you sele ct Existing myZyXEL.com account, only the User Name and

Password fields are available.

New myZyXEL.com account

Existing myZyXEL.com account

User Name Enter a user name for your myZyXEL.com account. The name should be

Check Click this button to check with the myZyXEL.com database to verify the user

Password Enter a password of between six and 20 alphanumeric characters (and the

Confirm Password Enter the password again for confirmation. E-Mail Address Enter your e-mail address. You can use up to 80 alphanumeric characters

Country Select your country from the drop-down box list. Back Click Back to return to the previous screen. Next Click Next to continue.

If you haven’t created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL.

If you already have an account at myZyXEL.com, select this option and enter your user name and password in the fields below to register your ZyWALL.

from six to 20 alphanumeric characters (and the underscore). S paces are not allowed.

name you entered has not been used.

underscore). Spaces are not allowed.

(periods and the underscore are also allowed) without spaces.

After you fill in the fields and click Next, the following screen shows indicating the registration is in progress. Wait for the registration progress to finish.

Chapter 3 Wizard Setup 97

ZyWALL 5/35/70 Series User’s Guide

Figure 24 Internet Access Wizard: Registration in Progress

Click Close to leave the wizard screen when the registration and activation are done.

Figure 25 Internet Access Wizard: Status

The following screen appears if the registration was not successful. Click Return to go back to the Device Registration screen and check your settings.

98 Chapter 3 Wizard Setup

ZyWALL 5/35/70 Series User’s Guide

Figure 26 Internet Access Wizard: Registration Failed

If the ZyWALL has been registered, the Device Registration screen is read-only and the Service Activation screen appears indicating what trial applications are activated after you click Next.

Figure 27 Internet Access Wizard: Registered Device

Figure 28 Internet Access Wizard: Activated Services

3.3 VPN Wizard Gateway Setting

Use this screen to name the VPN gateway policy (IKE SA) and identify the IPSec routers at either end of the VPN tunnel.

Chapter 3 Wizard Setup 99

ZyWALL 5/35/70 Series User’s Guide

Click VPN Setup in the Wizard Setup Welcome screen (Figure 17 on page 90) to open the VPN configuration wizard. The first screen displays as shown next.

Figure 29 VPN Wizard: Gateway Setting

The following table describes the labels in this screen.

Table 16 VPN Wizard: Gateway Setting

LABEL DESCRIPTION

Gateway Policy Property

Name Type up to 32 characters to identify this VPN gateway policy. You may use any

character, including spaces, but the ZyWALL drops trailing spaces.

My ZyWALL When the ZyWALL is in router mode, enter the WAN IP address or the domain name

of your ZyWALL or leave the field set to 0.0.0.0. For a ZyWALL with multiple WAN ports, the following applies if the My ZyWALL field

is configured as 0.0.0.0: When the WAN port operation mode is set to Active/Passive, the ZyWALL uses the

IP address (static or dynamic) of the WAN port that is in use. When the WAN port operation mode is set to Active/Active, the ZyWALL uses the IP

address (static or dynamic) of the primary (highest priority) WAN port to set up the VPN tunnel as long as the corresponding WAN1 or WAN2 connection is up. If the corresponding WAN1 or WAN2 connection goes down, the ZyWALL uses the IP address of the other WAN port.

If both WAN connections go down, the ZyWALL uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP address when using traffic redirect. See the chapter on WAN for details on dial backup and traffic redirect.

A ZyWALL with a single WAN port uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. If the WAN connection goes down, the ZyWALL uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP address when using traffic redirect.

The VPN tunnel has to be rebuilt if this IP address changes. When the ZyWALL is in bridge mode, this field is read-only and displays the

ZyWALL’s IP address.

100 Chapter 3 Wizard Setup

ZyXEL 5 Series User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

ZyWALL 5/35/70 Series

Copyright

Certifications

Safety Warnings

ZyXEL Limited Warranty

Customer Support

Table of Contents

List of Figures

List of Tables

Preface

Getting to Know Your ZyWALL

1.1 ZyWALL Internet Security Appliance Overview

1.2 ZyWALL Features

1.2.1 Physical Features

1.2.2 Non-Physical Features

1.3 Applications for the ZyWALL

1.3.1 Secure Broadband Internet Access via Cable or DSL Modem

1.3.2 VPN Application

1.3.3 Front Panel Lights

2.1 Web Configurator Overview

2.2 Accessing the ZyWALL Web Configurator

2.3 Resetting the ZyWALL

2.3.1 Procedure To Use The Reset Button

2.3.2 Uploading a Configuration File Via Console Port

2.4 Navigating the ZyWALL Web Configurator

2.4.1 Title Bar

2.4.2 Main Window

2.4.3 HOME Screen: Router Mode

2.4.4 HOME Screen: Bridge Mode

2.4.5 Navigation Panel

2.4.6 Port Statistics

2.4.7 Show Statistics: Line Chart

2.4.8 DHCP Table Screen

2.4.9 VPN Status

2.4.10 Bandwidth Monitor

3.1 Wizard Setup Overview

Wizard Setup

3.2 Internet Access

3.2.1 ISP Parameters

3.2.2 Internet Access Wizard: Second Screen

3.2.3 Internet Access Wizard: Registration

3.3 VPN Wizard Gateway Setting