ZyXEL MAX200HW2 User Manual

12.1.7.2 Use NAT
If you know the NAT router's public IP address and SIP port number, you can use the Use NAT feature to manually configure the ZyXEL Device to use them in the SIP messages. This eliminates the need for STUN or a SIP ALG.
You must also configure the NAT router to forward traffic with this port number to the ZyXEL Device.
12.1.7.3 STUN
STUN (Simple Traversal of User Datagram Protocol (UDP) through Network Address Translators) allows the ZyXEL Device to find the presence and types of NAT routers and/or firewalls between it and the public Internet. STUN also allows the ZyXEL Device to find the public IP address and port that the NAT router assigned, so the ZyXEL Device can embed them in the SIP messages it sends. STUN does not work with symmetric NAT routers or firewalls, because such a NAT allocates a different external mapping for each destination, so the address learned from the STUN server is not the one the SIP server sees. See RFC 3489 for details on STUN (RFC 3489 has since been obsoleted by RFC 5389).
The following figure shows how STUN works.
1 The ZyXEL Device (A) sends STUN requests, from its SIP port, to the STUN server (B).
2 The STUN server (B) finds the public IP address and port number that the NAT router used on the ZyXEL Device's packets and sends them back to the ZyXEL Device.
3 The ZyXEL Device uses the public IP address and port number in the SIP packets that it sends to the SIP server (C).
Figure 102 STUN
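The exchange in the figure, worked as an added example that is not from the ZyXEL manual: a Python script that builds the RFC 3489 Binding Request the device (A) would send from its SIP port, parses a constructed Binding Response standing in for the STUN server (B), pulls the public IP address and port out of the MAPPED-ADDRESS attribute, and applies the RFC 3489 symmetric-NAT test that explains why STUN cannot help behind such a NAT. All addresses (192.0.2.x, 203.0.113.x) are documentation addresses and the response bytes are constructed, not captured from a real server.

```python
import os
import socket
import struct

# RFC 3489 message and attribute types used in the Binding exchange.
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
BINDING_ERROR_RESPONSE = 0x0111
MAPPED_ADDRESS = 0x0001   # public IP:port the NAT gave our request
SOURCE_ADDRESS = 0x0004   # address the server answered from
CHANGED_ADDRESS = 0x0005  # alternate server IP:port for the symmetric-NAT test
HEADER_LEN = 20           # 2-byte type, 2-byte length, 16-byte transaction ID


def build_binding_request(transaction_id=None):
    """Binding Request as the device sends it from its SIP socket (step 1)."""
    if transaction_id is None:
        transaction_id = os.urandom(16)
    if len(transaction_id) != 16:
        raise ValueError("RFC 3489 transaction ID is 16 bytes")
    return struct.pack("!HH", BINDING_REQUEST, 0) + transaction_id


def encode_address_attribute(attr_type, ip, port):
    """TLV for MAPPED/SOURCE/CHANGED-ADDRESS: pad, family 0x01 (IPv4), port, IPv4."""
    value = struct.pack("!BBH", 0, 0x01, port) + socket.inet_aton(ip)
    return struct.pack("!HH", attr_type, len(value)) + value


def build_binding_response(transaction_id, mapped, source, changed):
    """Binding Response as a STUN server would send it (step 2). Used here only
    to construct test input; the device never builds one."""
    body = (encode_address_attribute(MAPPED_ADDRESS, *mapped)
            + encode_address_attribute(SOURCE_ADDRESS, *source)
            + encode_address_attribute(CHANGED_ADDRESS, *changed))
    return struct.pack("!HH", BINDING_RESPONSE, len(body)) + transaction_id + body


def parse_binding_response(data, expected_transaction_id):
    """Validate a Binding Response and return {attr_type: (ip, port)}.

    A response whose transaction ID does not match an outstanding request is
    rejected, so a host that never saw the request cannot plant a bogus public
    address in our SIP headers.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("short STUN header")
    msg_type, msg_len, transaction_id = struct.unpack("!HH16s", data[:HEADER_LEN])
    if transaction_id != expected_transaction_id:
        raise ValueError("transaction ID mismatch")
    if msg_type == BINDING_ERROR_RESPONSE:
        raise ValueError("server returned a Binding Error Response")
    if msg_type != BINDING_RESPONSE:
        raise ValueError("unexpected message type 0x%04x" % msg_type)
    if len(data) != HEADER_LEN + msg_len:
        raise ValueError("length field does not match datagram size")

    addresses = {}
    pos = HEADER_LEN
    while pos + 4 <= len(data):
        attr_type, attr_len = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated attribute 0x%04x" % attr_type)
        if attr_type in (MAPPED_ADDRESS, SOURCE_ADDRESS, CHANGED_ADDRESS):
            if attr_len != 8 or value[1] != 0x01:
                raise ValueError("malformed IPv4 address attribute")
            port = struct.unpack("!H", value[2:4])[0]
            addresses[attr_type] = (socket.inet_ntoa(value[4:8]), port)
        pos += 4 + attr_len   # unknown attributes are skipped, not trusted
    if MAPPED_ADDRESS not in addresses:
        raise ValueError("no MAPPED-ADDRESS in response")
    return addresses


def public_address_or_none(data, expected_transaction_id):
    """What the device embeds in its SIP messages (step 3), or None if the
    response is unusable."""
    try:
        return parse_binding_response(data, expected_transaction_id)[MAPPED_ADDRESS]
    except ValueError:
        return None


def is_symmetric_nat(mapped_via_primary, mapped_via_changed):
    """RFC 3489 section 10.1 test: the same local socket sends a second request
    to the server's CHANGED-ADDRESS. A different mapping means the NAT allocates
    a fresh external port per destination (symmetric NAT), so the address
    learned from the STUN server is not the one the SIP server will see."""
    return mapped_via_primary != mapped_via_changed


if __name__ == "__main__":
    tid = os.urandom(16)
    request = build_binding_request(tid)                       # A -> B
    # Constructed reply standing in for server B (documentation addresses only).
    response = build_binding_response(tid, ("203.0.113.7", 50000),
                                      ("192.0.2.10", 3478), ("192.0.2.11", 3479))
    print("public SIP address:", public_address_or_none(response, tid))
    print("response with foreign transaction ID accepted:",
          public_address_or_none(response, os.urandom(16)) is not None)
```

The transaction ID check is the part worth keeping in any real client: a datagram whose 16-byte ID does not match a request still in flight is dropped, so an off-path host cannot feed the device a public address of its choosing. For the symmetric-NAT test the device sends a second Binding Request from the same local socket to the server's CHANGED-ADDRESS; if the two mapped addresses differ, the mapping the SIP server will see is different again, which is exactly the case the manual says STUN cannot fix.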
Chapter 12 SIP
12.1.7.4 Outbound Proxy
Your VoIP service provider may host a SIP outbound proxy server to handle all of the ZyXEL Device's VoIP traffic. This allows the ZyXEL Device to work with any type of NAT router and eliminates the need for STUN or a SIP ALG. Turn off a SIP ALG on a NAT router in front of the ZyXEL Device to keep it from retranslating the IP address (since this is already handled by the outbound proxy server).
12.1.8 Voice Coding
A codec (coder/decoder) codes analog voice signals into digital signals and decodes the digital signals back into voice signals. The ZyXEL Device supports the following codecs.
G.711 is a Pulse Code Modulation (PCM) waveform codec. PCM measures analog signal amplitudes at regular time intervals (sampling) and converts them into digital bits (quantization). Quantization "reads" the analog signal and then "writes" it to the nearest digital value. For this reason, a digital sample is usually slightly different from its analog original (this difference is known as "quantization noise").
MAX-200HW2 Series User's Guide
G.711 provides excellent sound quality but requires 64kbps of bandwidth.
G.723 is an Adaptive Differential Pulse Code Modulation (ADPCM) waveform codec. Differential (or Delta) PCM is similar to PCM, but encodes the audio signal based on the difference between one sample and a prediction based on previous samples, rather than encoding the sample's actual quantized value. Many thousands of samples are taken each second, and the differences between consecutive samples are usually quite small, so this saves space and reduces the bandwidth necessary.
However, DPCM produces a high quality signal (high signal-to-noise ratio or SNR) for high difference signals (where the actual signal is very different from what was predicted) but a poor quality signal (low SNR) for low difference signals (where the actual signal is very similar to what was predicted). This is because the level of quantization noise is the same at all signal levels. Adaptive DPCM solves this problem by adapting the difference signal's level of quantization according to the audio signal's strength. A low difference signal is given a higher quantization level, increasing its signal-to-noise ratio. This provides a similar sound quality at all signal levels.
G.723 provides high quality sound and requires 20 or 40 kbps.
G.729 is an Analysis-by-Synthesis (AbS) hybrid waveform codec. It uses a filter based on information about how the human vocal tract produces sounds. The codec analyzes the incoming voice signal and attempts to synthesize it using its list of voice elements. It tests the synthesized signal against the original and, if it is acceptable, transmits details of the voice elements it used to make the synthesis. Because the codec at the receiving end has the same list, it can exactly recreate the synthesized audio signal.
G.729 provides good sound quality and reduces the required bandwidth to 8kbps.
12.1.9 PSTN Call Setup Signaling
PSTNs (Public Switched Telephone Networks) use DTMF or pulse dialing to set up telephone calls. The ZyXEL Device supports DTMF at the time of writing.
Dual-Tone Multi-Frequency (DTMF) signaling uses pairs of frequencies (one lower frequency and one higher frequency) to set up calls. It is also known as Touch Tone™. Each of the keys on a DTMF telephone corresponds to a different pair of frequencies.
Pulse dialing sends a series of clicks to the local phone office in order to dial numbers.
12.1.10 MWI (Message Waiting Indication)
Enabling Message Waiting Indication (MWI) lets your phone give you a message-waiting (beeping) dial tone when you have one or more voice messages. Your VoIP service provider must have a messaging system that sends message-waiting-status SIP packets as defined in RFC 3842.
12.1.11 Custom Tones (IVR)
IVR (Interactive Voice Response) is a feature that allows you to use your telephone to interact with the ZyXEL Device. The ZyXEL Device allows you to record custom tones for the Caller Ringing Tone and On Hold Tone functions. The same recordings apply to both the caller ringing and on hold tones.
Table 58 Custom Tones Details
Total Time for All Tones: 128 seconds for all custom tones combined
Maximum Time per Individual Tone: 20 seconds
Total Number of Tones Recordable: 8. You can record up to eight different custom tones, but the total time must be 128 seconds or less.
12.1.11.1 Recording Custom Tones
Use the following steps if you would like to create new tones or change your tones:
1 Pick up the phone and press **** on your phone's keypad and wait for the message that says you are in the configuration menu.
2 Press a number from 1101~1108 on your phone followed by the # key.
3 Play your desired music or voice recording into the receiver's mouthpiece. Press the # key.
4 You can continue to add, listen to, or delete tones, or you can hang up the receiver when you are done.
12.1.11.2 Listening to Custom Tones
Do the following to listen to a custom tone:
1 Pick up the phone and press **** on your phone's keypad and wait for the message that says you are in the configuration menu.
2 Press a number from 1201~1208 followed by the # key to listen to the tone.
3 You can continue to add, listen to, or delete tones, or you can hang up the receiver when you are done.
12.1.11.3 Deleting Custom Tones
Do the following to delete a custom tone:
1 Pick up the phone and press **** on your phone's keypad and wait for the message that says you are in the configuration menu.
2 Press a number from 1301~1308 followed by the # key to delete the tone of your choice. Press 14 followed by the # key if you wish to clear all your custom tones.
3 You can continue to add, listen to, or delete tones, or you can hang up the receiver when you are done.
12.1.12 Quality of Service (QoS)
Quality of Service (QoS) refers to both a network's ability to deliver data with minimum delay and the networking methods used to provide bandwidth for real-time multimedia applications.
MAX-200HW2 Series User s Guide
155
Chapter 12SIP
12.1.12.1 Type Of Service (ToS)
Network traffic can be classified by setting the ToS (Type Of Service) values at the data source (for example, at the ZyXEL Device) so a server can decide the best method of delivery, that is the least cost, fastest route and so on.
12.1.12.2 DiffServ
DiffServ is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired. This allows the intermediary DiffServ-compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow. In addition, applications do not have to request a particular service or give advance notice of where the traffic is going. (The ZyXEL Device does not support DiffServ at the time of writing.)
12.1.12.3 DSCP and Per-Hop Behavior
DiffServ defines a new DS (Differentiated Services) field to replace the Type of Service (TOS) field in the IP header. The DS field contains a 2-bit unused field and a 6-bit DSCP field which can define up to 64 service levels. The following figure illustrates the DS field.
Figure 103 DiffServ: Differentiated Service Field
DS field layout: DSCP (6-bit), Unused (2-bit)
DSCP is backward compatible with the three precedence bits in the ToS octet, so that non-DiffServ compliant, ToS-enabled network devices will not conflict with the DSCP mapping.
The DSCP value determines the forwarding behavior, the PHB (Per-Hop Behavior), that each packet gets across the DiffServ network. Based on the marking rule, different kinds of traffic can be marked for different priorities of forwarding. Resources can then be allocated according to the DSCP values and the configured policies.
12.1.12.4 VLAN
Virtual Local Area Network (VLAN) allows a physical network to be partitioned into multiple logical networks. Only stations within the same group can communicate with each other.
Your ZyXEL Device can add IEEE 802.1Q VLAN ID tags to voice frames that it sends to the network. This allows the ZyXEL Device to communicate with a SIP server that is a member of the same VLAN group. Some ISPs use the VLAN tag to identify voice traffic and give it priority over other traffic.
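As an added example (not part of the manual, and independent of the note that this firmware does not itself support DiffServ), the following Python code shows how the fields described above appear on the wire: the 6-bit DSCP sits in the high bits of the old ToS octet, so a legacy device that reads only the three precedence bits still sees a sensible priority, and the IEEE 802.1Q tag carries the Voice VLAN ID together with a 3-bit priority. The frame bytes are constructed, MAC and IP addresses are placeholders, and EF (DSCP 46, the standard code point for voice) is used as the sample marking.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # IEEE 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
DSCP_EF = 46              # Expedited Forwarding, the usual voice marking (RFC 3246)


def dscp_to_tos(dscp):
    """The 6-bit DSCP occupies the high bits of the old ToS octet (RFC 2474);
    the low 2 bits are the 'unused' field in Figure 103."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is 6 bits (0..63)")
    return dscp << 2


def tos_to_dscp(tos):
    return (tos & 0xFF) >> 2


def ip_precedence(tos):
    """The three highest bits, which pre-DiffServ (RFC 791 ToS) devices read."""
    return (tos & 0xFF) >> 5


def class_selector(precedence):
    """Class Selector code point CSx: a DSCP whose low three bits are zero, so a
    legacy device sees precedence x. This is the backward compatibility the
    text describes."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence is 3 bits")
    return precedence << 3


def build_ipv4_frame(tos, payload=b""):
    """Constructed untagged Ethernet/IPv4/UDP frame; MACs and IPs are placeholders
    (192.168.1.2 for the device, 192.0.2.10 for the SIP server), checksum left zero."""
    dst_mac = bytes.fromhex("001122334455")
    src_mac = bytes.fromhex("66778899aabb")
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            0x45, tos, 20 + len(payload), 0, 0, 64, 17, 0,
                            bytes([192, 168, 1, 2]), bytes([192, 0, 2, 10]))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_header + payload


def add_vlan_tag(frame, vlan_id, pcp=0, dei=0):
    """Insert an 802.1Q tag (TPID + TCI) after the two MAC addresses, as the
    device does when a Voice VLAN ID is configured."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP is 3 bits")
    tci = (pcp << 13) | ((dei & 1) << 12) | vlan_id
    return frame[:12] + struct.pack("!HH", ETHERTYPE_VLAN, tci) + frame[12:]


def parse_voice_frame(frame):
    """Return the QoS marks a switch or router sees: VLAN ID and PCP if the
    frame is tagged, plus the IPv4 ToS octet, DSCP and IP precedence."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    info = {"vlan_id": None, "pcp": None}
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"] = tci >> 13
        info["vlan_id"] = tci & 0x0FFF
        offset = 18
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame (ethertype 0x%04x)" % ethertype)
    if len(frame) < offset + 20 or frame[offset] >> 4 != 4:
        raise ValueError("bad IPv4 header")
    tos = frame[offset + 1]
    info.update(tos=tos, dscp=tos_to_dscp(tos), precedence=ip_precedence(tos))
    return info


if __name__ == "__main__":
    tos = dscp_to_tos(DSCP_EF)                                   # 0xB8
    frame = add_vlan_tag(build_ipv4_frame(tos), vlan_id=100, pcp=5)
    print(parse_voice_frame(frame))
    # A ToS-only device reads precedence 5 from the same octet; CS5 is DSCP 40.
    print("legacy precedence:", ip_precedence(tos), "CS5 DSCP:", class_selector(5))
```

Run parse_voice_frame over a frame captured at the switch port to confirm that the marks the device was configured to send actually survive the path: routers commonly rewrite DSCP at administrative boundaries, and an unmanaged switch drops or ignores the 802.1Q tag, so the configured Voice VLAN ID only helps when the LAN and gateway are configured for tagging, as Table 61 notes.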
12.2 SIP Screens
12.2.1 SIP Settings Screen
Use this screen to maintain basic information about each SIP account. Your VoIP service provider (the company that lets you make phone calls over the Internet) should provide this. You can also enable and disable each SIP account. To access this screen, click VoIP > SIP > SIP Settings.
Figure 104 VoIP > SIP > SIP Settings
Each field is described in the following table.
Table 59 VoIP > SIP > SIP Settings
SIP Account: Select the SIP account you want to see in this screen. If you change this field, the screen automatically refreshes.
SIP Settings
Active SIP Account: Select this if you want the ZyXEL Device to use this account. Clear it if you do not want the ZyXEL Device to use this account.
Number: Enter your SIP number. In the full SIP URI, this is the part before the @ symbol. You can use up to 127 printable ASCII characters.
SIP Local Port: Enter the ZyXEL Device's listening port number, if your VoIP service provider gave you one. Otherwise, keep the default value.
SIP Server Address: Enter the IP address or domain name of the SIP server provided by your VoIP service provider. You can use up to 95 printable ASCII characters. It does not matter whether the SIP server is a proxy, redirect or register server.
SIP Server Port: Enter the SIP server's listening port number, if your VoIP service provider gave you one. Otherwise, keep the default value.
REGISTER Server Address: Enter the IP address or domain name of the SIP register server, if your VoIP service provider gave you one. Otherwise, enter the same address you entered in the SIP Server Address field. You can use up to 95 printable ASCII characters.
REGISTER Server Port: Enter the SIP register server's listening port number, if your VoIP service provider gave you one. Otherwise, enter the same port number you entered in the SIP Server Port field.
SIP Service Domain: Enter the SIP service domain name. In the full SIP URI, this is the part after the @ symbol. You can use up to 127 printable ASCII Extended set characters.
Send Caller ID: Select this if you want to send identification when you make VoIP phone calls. Clear this if you do not want to send identification.
Authentication
User Name: Enter the user name for registering this SIP account, exactly as it was given to you. You can use up to 95 printable ASCII characters.
Password: Enter the password for registering this SIP account, exactly as it was given to you. You can use up to 95 printable ASCII Extended set characters.
Apply: Click this to save your changes.
Reset: Click this to set every field in this screen to its last-saved value.
Advanced Setup: Click this to edit the advanced settings for this SIP account. The Advanced SIP Setup screen appears.
12.2.2 Advanced SIP Setup Screen
Use this screen to maintain advanced settings for each SIP account. To access this screen, click Advanced Setup in VoIP > SIP > SIP Settings.
Figure 105 VoIP > SIP > SIP Settings > Advanced
Each field is described in the following table.
Table 60 VoIP > SIP > SIP Settings > Advanced
SIP Account: This field displays the SIP account you see in this screen.
SIP Server Settings
URL Type: Select whether or not to include the SIP service domain name when the ZyXEL Device sends the SIP number. SIP - include the SIP service domain name. TEL - do not include the SIP service domain name.
Expiration Duration: Enter the number of seconds your SIP account is registered with the SIP register server before it is deleted. The ZyXEL Device automatically tries to re-register your SIP account when one-half of this time has passed. (The SIP register server might have a different expiration.)
Register Re-send timer: Enter the number of seconds the ZyXEL Device waits before it tries again to register the SIP account, if the first try failed or if there is no response.
Session Expires: Enter the number of seconds the conversation can last before the call is automatically disconnected. Usually, when one-half of this time has passed, the ZyXEL Device or the other party updates this timer to prevent this from happening.
Min-SE: Enter the minimum number of seconds the ZyXEL Device accepts for a session expiration time when it receives a request to start a SIP session. If the request has a shorter time, the ZyXEL Device rejects it.
RTP Port Range
Start Port, End Port: Enter the listening port number(s) for RTP traffic, if your VoIP service provider gave you this information. Otherwise, keep the default values. To use a single port, enter the same port number in both the Start Port and End Port fields. To use a range of ports, enter the port number at the beginning of the range in the Start Port field and the port number at the end of the range in the End Port field.
Voice Compression: Select the type of voice coder/decoder (codec) that you want the ZyXEL Device to use. G.711 provides high voice quality but requires more bandwidth (64 kbps). G.711A is typically used in Europe. G.711u is typically used in North America and Japan. G.723 provides good voice quality and requires 20 or 40 kbps. In contrast, G.729 requires only 8 kbps. The ZyXEL Device must use the same codec as the peer. When two SIP devices start a SIP session, they must agree on a codec.
Primary Compression Type: Select the ZyXEL Device's first choice for voice coder/decoder.
Secondary Compression Type: Select the ZyXEL Device's second choice for voice coder/decoder. Select None if you only want the ZyXEL Device to accept the first choice.
Third Compression Type: This field is disabled if Secondary Compression Type is None. Select the ZyXEL Device's third choice for voice coder/decoder. Select None if you only want the ZyXEL Device to accept the first or second choice.
DTMF Mode: Control how the ZyXEL Device handles the tones that your telephone makes when you push its buttons. You should use the same mode your VoIP service provider uses. RFC 2833 - send the DTMF tones in RTP packets. PCM - send the DTMF tones in the voice data stream; this method works best when you are using a codec that does not use compression (like G.711), since codecs that use compression (like G.729) can distort the tones. SIP INFO - send the DTMF tones in SIP messages.
STUN
Active: Select this if all of the following conditions are satisfied: there is a NAT router between the ZyXEL Device and the SIP server; the NAT router is not a SIP ALG; your VoIP service provider gave you an IP address or domain name for a STUN server. Otherwise, clear this field.
Server Address: Enter the IP address or domain name of the STUN server provided by your VoIP service provider.
Server Port: Enter the STUN server's listening port, if your VoIP service provider gave you one. Otherwise, keep the default value.
Use NAT
Active: Select this if you want the ZyXEL Device to send SIP traffic to a specific NAT router. You must also configure the NAT router to forward traffic with the specified port to the ZyXEL Device. This eliminates the need for STUN or a SIP ALG.
Server Address: Enter the public IP address or domain name of the NAT router.
Server Port: Enter the port number that your SIP sessions use with the public IP address of the NAT router.
Outbound Proxy
Active: Select this if your VoIP service provider has a SIP outbound server to handle voice calls. This allows the ZyXEL Device to work with any type of NAT router and eliminates the need for STUN or a SIP ALG. Turn off any SIP ALG on a NAT router in front of the ZyXEL Device to keep it from retranslating the IP address (since this is already handled by the outbound proxy server).
Server Address: Enter the IP address or domain name of the SIP outbound proxy server.
Server Port: Enter the SIP outbound proxy server's listening port, if your VoIP service provider gave you one. Otherwise, keep the default value.
NAT Keep Alive
Active: Select this to stop NAT routers between the ZyXEL Device and the SIP server (a SIP proxy server or outbound proxy server) from dropping the SIP session. The ZyXEL Device does this by sending SIP notify messages to the SIP server at the specified interval.
Keep Alive with SIP Proxy: Select this if the SIP server is a SIP proxy server.
Keep Alive with Outbound Proxy: Select this if the SIP server is an outbound proxy server. You must enable Outbound Proxy to use this.
Keep Alive Interval: Enter how often (in seconds) the ZyXEL Device should send SIP notify messages to the SIP server.
MWI (Message Waiting Indication)
Enable: Select this if you want to hear a waiting (beeping) dial tone on your phone when you have at least one voice message. Your VoIP service provider must support this feature.
Expiration Time: Keep the default value, unless your VoIP service provider tells you to change it. Enter the number of seconds the SIP server should provide the message waiting service each time the ZyXEL Device subscribes to the service. Before this time passes, the ZyXEL Device automatically subscribes again.
Fax Option: This field controls how the ZyXEL Device handles fax messages.
G.711 Fax Passthrough: Select this if the ZyXEL Device should use G.711 to send fax messages. The peer devices must also use G.711.
T.38 Fax Relay: Select this if the ZyXEL Device should send fax messages as UDP or TCP/IP packets through IP networks. This provides better quality, but it may have interoperability problems. The peer devices must also use T.38.
Call Forward
Call Forward Table: Select which call forwarding table you want the ZyXEL Device to use for incoming calls. You set up these tables in VoIP > Phone Book > Incoming Call Policy.
Caller Ringing
Enable: Check this box if you want people to hear a customized recording when they call you.
Caller Ringing Tone: Select the tone you want people to hear when they call you. See Section 12.1.11 on page 155 for information on how to record these tones.
On Hold
Enable: Check this box if you want people to hear a customized recording when you put them on hold.
On Hold Tone: Select the tone you want people to hear when you put them on hold. See Section 12.1.11 on page 155 for information on how to record these tones.
<Back: Click this to return to the SIP Settings screen without saving your changes.
Apply: Click this to save your changes.
Reset: Click this to set every field in this screen to its last-saved value.
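The registration and session-timer fields in Table 60 (Expiration Duration, re-registration at one-half of the granted time, Session Expires and Min-SE) correspond to SIP header fields. The following added Python example, which is not code from the manual or from the device, shows them in use: it builds the REGISTER the device would send, reads the expiration the registrar actually granted from a constructed 200 OK (the "different expiration" the table warns about), and performs the Min-SE check on a constructed INVITE as RFC 4028 specifies, refusing a Session-Expires shorter than the local minimum with 422 Session Interval Too Small carrying the acceptable Min-SE. The number, domain, Call-ID and addresses are placeholders.

```python
import re

CRLF = "\r\n"


def parse_sip_message(raw):
    """Split a SIP message into (start line, {lower-case header name: [values]}, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def build_register(number, domain, local_ip, local_port, expires, call_id, cseq):
    """REGISTER as the device sends it with URL Type = SIP (domain included in the
    address of record) and Expiration Duration carried in the Expires header."""
    return CRLF.join([
        "REGISTER sip:%s SIP/2.0" % domain,
        "Via: SIP/2.0/UDP %s:%d;branch=z9hG4bK%s" % (local_ip, local_port, call_id[:8]),
        "From: <sip:%s@%s>;tag=%s" % (number, domain, call_id[8:16]),
        "To: <sip:%s@%s>" % (number, domain),
        "Call-ID: %s" % call_id,
        "CSeq: %d REGISTER" % cseq,
        "Contact: <sip:%s@%s:%d>" % (number, local_ip, local_port),
        "Expires: %d" % expires,
        "Content-Length: 0",
    ]) + CRLF + CRLF


def granted_expires(response, requested):
    """Expiration the registrar actually granted (RFC 3261 section 10.3): an expires=
    parameter on the Contact wins, then the Expires header, else what we asked for."""
    start_line, headers, _ = parse_sip_message(response)
    if not start_line.startswith("SIP/2.0 200 "):
        raise ValueError("registration not accepted: " + start_line)
    for contact in headers.get("contact", []):
        match = re.search(r";expires=(\d+)", contact)
        if match:
            return int(match.group(1))
    if "expires" in headers:
        return int(headers["expires"][0])
    return requested


def refresh_after(interval):
    """Both timers in Table 60 are refreshed when one-half of the interval has passed."""
    return interval // 2


def check_session_timer(invite, min_se):
    """Callee-side Min-SE check (RFC 4028 section 5): accept the caller's
    Session-Expires, or return the 422 to send when it is below our minimum.
    The 422 carries Min-SE so the caller can retry with an acceptable value."""
    start_line, headers, _ = parse_sip_message(invite)
    if not start_line.startswith("INVITE "):
        raise ValueError("not an INVITE")
    values = headers.get("session-expires", [])
    if not values:
        return {"accept": True, "session_expires": None, "response": None}
    session_expires = int(values[0].split(";")[0].strip())
    if session_expires < min_se:
        reject = CRLF.join(["SIP/2.0 422 Session Interval Too Small",
                            "Min-SE: %d" % min_se,
                            "Content-Length: 0"]) + CRLF + CRLF
        return {"accept": False, "session_expires": None, "response": reject}
    return {"accept": True, "session_expires": session_expires, "response": None}


# Constructed registrar reply: we asked for 3600 s, the registrar granted 1800 s.
REGISTRAR_200_OK = CRLF.join([
    "SIP/2.0 200 OK",
    "Via: SIP/2.0/UDP 192.168.1.2:5060;branch=z9hG4bKabcdef01;received=203.0.113.7",
    "From: <sip:1001@sip.example.net>;tag=23456789",
    "To: <sip:1001@sip.example.net>;tag=reg-1",
    "Call-ID: abcdef0123456789",
    "CSeq: 1 REGISTER",
    "Contact: <sip:1001@192.168.1.2:5060>;expires=1800",
    "Content-Length: 0",
]) + CRLF + CRLF


def sample_invite(session_expires):
    """Constructed INVITE from a peer that requests a session timer."""
    return CRLF.join([
        "INVITE sip:1001@sip.example.net SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bK77ef",
        "From: <sip:2002@sip.example.net>;tag=9f2a",
        "To: <sip:1001@sip.example.net>",
        "Call-ID: 55ad3c@192.0.2.20",
        "CSeq: 1 INVITE",
        "Supported: timer",
        "Session-Expires: %d;refresher=uac" % session_expires,
        "Content-Length: 0",
    ]) + CRLF + CRLF


if __name__ == "__main__":
    granted = granted_expires(REGISTRAR_200_OK, 3600)
    print("requested 3600 s, granted %d s, re-register after %d s" % (granted, refresh_after(granted)))
    print(check_session_timer(sample_invite(90), min_se=1800)["response"])
    print(check_session_timer(sample_invite(3600), min_se=1800))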
12.2.3 SIP QoS Screen
Use this screen to maintain ToS and VLAN settings for the ZyXEL Device. To access this screen, click VoIP > SIP > QoS.
Figure 106 VoIP > SIP > QoS
Each field is described in the following table.
Table 61 VoIP > SIP > QoS
SIP TOS Priority Setting: Enter the priority for SIP signaling. The ZyXEL Device sets the Type of Service field to this priority on the SIP traffic that it transmits.
RTP TOS Priority Setting: Enter the priority for RTP voice transmissions. The ZyXEL Device sets the Type of Service field to this priority on the RTP traffic that it transmits.
Voice VLAN ID: Select this if the ZyXEL Device has to be a member of a VLAN to communicate with the SIP server. Ask your network administrator if you are not sure. Enter the VLAN ID provided by your network administrator in the field on the right. Your LAN and gateway must be configured to use VLAN tags. Otherwise, clear this field.
Apply: Click this to save your changes.
Reset: Click this to set every field in this screen to its last-saved value.
CHAPTER 13
Phone
Use these screens to configure the phone you use to make phone calls with the ZyXEL Device.
13.1 Phone Overview
You can configure the volume, echo cancellation, VAD settings and custom tones for the phone port on the ZyXEL Device. You can also select which SIP account to use for making outgoing calls.
13.1.1 Voice Activity Detection/Silence Suppression/Comfort Noise
Voice Activity Detection (VAD) detects whether or not speech is present. This lets the ZyXEL Device reduce the bandwidth that a call uses by not transmitting "silent packets" when you are not speaking.
When using VAD, the ZyXEL Device generates comfort noise when the other party is not speaking. The comfort noise lets you know that the line is still connected as total silence could easily be mistaken for a lost connection.
13.1.2 Echo Cancellation
G.168 is an ITU-T standard for eliminating the echo caused by the sound of your voice reverberating in the telephone receiver while you talk.
13.1.3 Supplementary Phone Services Overview
Supplementary services such as call hold, call waiting, call transfer, etc. are generally available from your VoIP service provider. The ZyXEL Device supports the following services:
Call Hold
Call Waiting
Making a Second Call
Call Transfer
Call Forwarding
Three-Way Conference
Internal Calls
Caller ID
CLIP (Calling Line Identification Presentation)
CLIR (Calling Line Identification Restriction)
To take full advantage of the supplementary phone services available through the ZyXEL Device's phone port, you may need to subscribe to the services from your VoIP service provider.
13.1.3.1 The Flash Key
Flashing means pressing the hook for a short period of time (a few hundred milliseconds) before releasing it. On newer telephones, there should be a "flash" key (button) that generates the signal electronically. If the flash key is not available, you can tap (press and immediately release) the hook by hand to achieve the same effect. However, using the flash key is preferred since the timing is much more precise. The ZyXEL Device may interpret manual tapping as hanging up if the duration is too long.
You can invoke all the supplementary services by using the flash key.
13.1.3.2 Europe Type Supplementary Phone Services
This section describes how to use supplementary phone services with the Europe Type Call Service Mode. Commands for supplementary services are listed in the table below.
After pressing the flash key, if you do not issue the sub-command before the default sub-command timeout (2 seconds) expires, or if you issue an invalid sub-command, the current operation is aborted.
Table 62 European Type Flash Key Commands
Flash (no sub-command): Put a current call on hold to place a second call. Switch back to the call (if there is no second call).
Flash, then 0: Drop the call presently on hold, or reject an incoming call which is waiting for answer.
Flash, then 1: Disconnect the current phone connection and answer the incoming call, or resume with the caller presently on hold.
Flash, then 2: 1. Switch back and forth between two calls. 2. Put a current call on hold to answer an incoming call. 3. Separate the current three-way conference call into two individual calls (one is on-line, the other is on hold).
Flash, then 3: Create a three-way conference connection.
Flash, then *98#: Transfer the call to another phone.
13.1.3.2.1 European Call Hold
Call hold allows you to put a call (A) on hold by pressing the flash key.
If you have another call, press the flash key and then "2" to switch back and forth between caller A and B by putting either one on hold.
Press the flash key and then "0" to disconnect the call presently on hold and keep the current call on line.
Press the flash key and then "1" to disconnect the current call and resume the call on hold.
If you hang up the phone but a caller is still on hold, there will be a remind ring.
13.1.3.2.2 European Call Waiting
This allows you to place a call on hold while you answer another incoming call on the same telephone (directory) number.
If there is a second call to your telephone number, you will hear a call waiting tone. Take one of the following actions.
Reject the second call: press the flash key and then press "0".
Disconnect the first call and answer the second call: either press the flash key and press "1", or just hang up the phone and then answer the phone after it rings.
Put the first call on hold and answer the second call: press the flash key and then "2".
13.1.3.2.3 European Call Transfer
Do the following to transfer an incoming call (that you have answered) to another phone.
1 Press the flash key to put the caller on hold.
2 When you hear the dial tone, dial "*98#" followed by the number to which you want to transfer the call.
3 After you hear the ring signal or the second party answers it, hang up the phone.
13.1.3.2.4 European Three-Way Conference
Use the following steps to make three-way conference calls.
1 When you are on the phone talking to someone, press the flash key to put the caller on hold and get a dial tone.
2 Dial a phone number directly to make another call.
3 When the second call is answered, press the flash key and press "3" to create a three-way conversation.
4 Hang up the phone to drop the connection.
5 If you want to separate the activated three-way conference into two individual connections (one is on-line, the other is on hold), press the flash key and press "2".
13.1.3.3 USA Type Supplementary Services
This section describes how to use supplementary phone services with the USA Type Call Service Mode. Commands for supplementary services are listed in the table below.
After pressing the flash key, if you do not issue the sub-command before the default sub-command timeout (2 seconds) expires, or if you issue an invalid sub-command, the current operation is aborted.
Table 63 USA Type Flash Key Commands
Flash (no sub-command): Put a current call on hold to place a second call. After the second call is successful, press the flash key again to have a three-way conference call. Put a current call on hold to answer an incoming call.
Flash, then *98#: Transfer the call to another phone.
13.1.3.3.1 USA Call Hold
Call hold allows you to put a call (A) on hold by pressing the flash key.
If you have another call, press the flash key to switch back and forth between caller A and B by putting either one on hold.
If you hang up the phone but a caller is still on hold, there will be a remind ring.
13.1.3.3.2 USA Call Waiting
This allows you to place a call on hold while you answer another incoming call on the same telephone (directory) number.
If there is a second call to your telephone number, you will hear a call waiting tone.
Press the flash key to put the first call on hold and answer the second call.
13.1.3.3.3 USA Call Transfer
Do the following to transfer an incoming call (that you have answered) to another phone.
1 Press the flash key to put the caller on hold.
2 When you hear the dial tone, dial "*98#" followed by the number to which you want to transfer the call.
3 After you hear the ring signal or the second party answers it, hang up the phone.
13.1.3.3.4 USA Three-Way Conference
Use the following steps to make three-way conference calls.
1 When you are on the phone talking to someone, press the flash key to put the caller on hold and get a dial tone.
2 Dial a phone number directly to make another call.
3 When the second call is answered, press the flash key, wait for the sub-command tone and press "3" to create a three-way conversation.
4 Hang up the phone to drop the connection.
5 If you want to separate the activated three-way conference into two individual connections (one is on-line, the other is on hold), press the flash key, wait for the sub-command tone and press "2".
13.2 Phone Screens
13.2.1 Analog Phone Screen
Use this screen to control which SIP accounts and PSTN line each phone uses. To access this screen, click VoIP > Phone > Analog Phone.
Figure 107 VoIP > Phone > Analog Phone
Each field is described in the following table.
Table 64 VoIP > Phone > Analog Phone
Phone Port Settings: Select the phone port you want to see in this screen. If you change this field, the screen automatically refreshes.
Outgoing Call Use
SIP1: Select this if you want this phone port to use the SIP1 account when it makes calls. If you select both SIP accounts, the ZyXEL Device tries to use SIP2 first.
SIP2: Select this if you want this phone port to use the SIP2 account when it makes calls. If you select both SIP accounts, the ZyXEL Device tries to use SIP2 first.
Incoming Call apply to
SIP1: Select this if you want to receive phone calls for the SIP1 account on this phone port. If you select more than one source for incoming calls, there is no way to distinguish between them when you receive phone calls.
SIP2: Select this if you want to receive phone calls for the SIP2 account on this phone port. If you select more than one source for incoming calls, there is no way to distinguish between them when you receive phone calls.
Apply: Click this to save your changes.
Reset: Click this to set every field in this screen to its last-saved value.
Advanced Setup: Click this to edit the advanced settings for this phone port. The Advanced Analog Phone Setup screen appears.
13.2.2 Advanced Analog Phone Setup Screen
Use this screen to edit advanced settings for each phone port. To access this screen, click Advanced Setup in VoIP > Phone > Analog Phone.
Figure 108 VoIP > Phone > Analog Phone > Advanced
Each field is described in the following table.
Table 65 VoIP > Phone > Analog Phone > Advanced
LABEL DESCRIPTION
Analog Phone: This field displays the phone port you see in this screen.
Voice Volume Control
Speaking Volume: Enter the loudness that the ZyXEL Device uses for speech that it sends to the peer device. -1 is the quietest, and 1 is the loudest.
Listening Volume: Enter the loudness that the ZyXEL Device uses for speech that it receives from the peer device. -1 is the quietest, and 1 is the loudest.
Echo Cancellation
G.168 Active: Select this if you want to eliminate the echo caused by the sound of your voice reverberating in the telephone receiver while you talk.
Dialing Interval Select: Enter the number of seconds the ZyXEL Device should wait after you stop dialing numbers before it makes the phone call. The value depends on how quickly you dial phone numbers.
If you select Active Immediate Dial in VoIP > Phone > Common, you can press the pound key (#) to tell the ZyXEL Device to make the phone call immediately, regardless of this setting.
VAD Support: Select this if the ZyXEL Device should stop transmitting when you are not speaking. This reduces the bandwidth the ZyXEL Device uses.
<Back: Click this to return to the Analog Phone screen without saving your changes.
Apply: Click this to save your changes and to apply them to the ZyXEL Device.
Reset: Click this to set every field in this screen to its last-saved value.
13.2.3 Common Phone Settings Screen
Use this screen to activate and deactivate immediate dialing. To access this screen, click VoIP > Phone > Common.
Figure 109 VoIP > Phone > Common
Each field is described in the following table.
Table 66 VoIP > Phone > Common
LABEL DESCRIPTION
Active Immediate Dial: Select this if you want to use the pound key (#) to tell the ZyXEL Device to make the phone call immediately, instead of waiting the number of seconds you selected in the Dialing Interval Select in VoIP > Phone > Analog Phone.
If you select this, dial the phone number, and then press the pound key if you do not want to wait. The ZyXEL Device makes the call immediately.
Apply: Click this to save your changes.
Reset: Click this to set every field in this screen to its last-saved value.
13.2.4 Phone Region Screen
Use this screen to maintain settings that often depend on which region of the world the ZyXEL Device is in. To access this screen, click VoIP > Phone > Region.
Figure 110 VoIP > Phone > Region
Each field is described in the following table.
Table 67 VoIP > Phone > Region
LABEL DESCRIPTION
Region Settings: Select the place in which the ZyXEL Device is located. Do not select Default.
Call Service Mode: Select the mode for supplementary phone services (call hold, call waiting, call transfer and three-way conference calls) that your VoIP service provider supports.
Europe Type - use supplementary phone services in European mode
USA Type - use supplementary phone services in American mode
You might have to subscribe to these services to use them. Contact your VoIP service provider.
Apply Click this to save your changes and to apply them to the ZyXEL Device.
Reset Click this to set every field in this screen to its last-saved value.
CHAPTER 14
Phone Book
Use these screens to maintain call-forwarding rules and speed-dial settings.
14.1 Phone Book Overview
Speed dial provides shortcuts for dialing frequently used (VoIP) phone numbers. It is also required if you want to make peer-to-peer calls. In peer-to-peer calls, you call another VoIP device directly without going through a SIP server. In the ZyXEL Device, you must set up a speed dial entry in the phone book in order to do this. Select Non-Proxy (Use IP or URL) in the Type column and enter the callee's IP address or domain name. The ZyXEL Device sends SIP INVITE requests to the peer VoIP device when you use the speed dial entry.
You do not need to configure a SIP account in order to make a peer-to-peer VoIP call.
14.2 Phone Book Screens
14.2.1 Incoming Call Policy Screen
Use this screen to maintain rules for handling incoming calls. You can block, redirect, or accept them. To access this screen, click VoIP > Phone Book > Incoming Call Policy.
Figure 111 VoIP > Phone Book > Incoming Call Policy
You can create two sets of call-forwarding rules. Each one is stored in a call-forwarding table. Each field is described in the following table.
Table 68 VoIP > Phone Book > Incoming Call Policy
LABEL DESCRIPTION
Table Number: Select the call-forwarding table you want to see in this screen. If you change this field, the screen automatically refreshes.
Forward to Number Setup: The ZyXEL Device checks these rules, in the order in which they appear, after it checks the rules in the Advanced Setup section.
Unconditional Forward to Number: Select this if you want the ZyXEL Device to forward all incoming calls to the specified phone number, regardless of other rules in the Forward to Number section. Specify the phone number in the field on the right.
Busy Forward to Number: Select this if you want the ZyXEL Device to forward incoming calls to the specified phone number if the phone port is busy. Specify the phone number in the field on the right. If you have call waiting, the incoming call is forwarded to the specified phone number if you reject or ignore the second incoming call.
No Answer Forward to Number: Select this if you want the ZyXEL Device to forward incoming calls to the specified phone number if the call is unanswered. (See No Answer Waiting Time.) Specify the phone number in the field on the right.
No Answer Waiting Time: This field is used by the No Answer Forward to Number feature and No Answer conditions below. Enter the number of seconds the ZyXEL Device should wait for you to answer an incoming call before it considers the call is unanswered.
Advanced Setup: The ZyXEL Device checks these rules before it checks the rules in the Forward to Number section.
#: This field is a sequential value, and it is not associated with a specific rule. The sequence is important, however. The ZyXEL Device checks each rule in order, and it only follows the first one that applies.
Activate: Select this to enable this rule. Clear this to disable this rule.
Incoming Call Number: Enter the phone number to which this rule applies.
Forward to Number: Enter the phone number to which you want to forward incoming calls from the Incoming Call Number. You may leave this field blank, depending on the Condition.
Condition: Select the situations in which you want to forward incoming calls from the Incoming Call Number, or select an alternative action.
Unconditional - The ZyXEL Device immediately forwards any calls from the Incoming Call Number to the Forward to Number.
Busy - The ZyXEL Device forwards any calls from the Incoming Call Number to the Forward to Number when your SIP account already has a call connected.
No Answer - The ZyXEL Device forwards any calls from the Incoming Call Number to the Forward to Number when the call is unanswered. (See No Answer Waiting Time.)
Block - The ZyXEL Device rejects calls from the Incoming Call Number.
Accept - The ZyXEL Device allows calls from the Incoming Call Number. You might create a rule with this condition if you do not want incoming calls from someone to be forwarded by rules in the Forward to Number section.
Apply: Click this to save your changes and to apply them to the ZyXEL Device.
Reset: Click this to set every field in this screen to its last-saved value.
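The evaluation order in Table 68 is easy to get wrong when the two rule sections interact, so the following added example (not ZyXEL's code) models it: Advanced Setup rules are checked first, in list order, and the first one that applies is final; only if none applies do the Unconditional, Busy and No Answer forwarding settings get a turn, in that order. The rule and call fields, the number format and the sample rule set are this example's own assumptions.

```python
"""Model of the incoming-call policy order in Table 68 (added example, not ZyXEL code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Decision = Tuple[str, Optional[str]]  # ("forward", number) | ("block", None) | ("accept", None)


@dataclass
class AdvancedRule:
    """One row of the Advanced Setup table (field names are assumptions)."""
    active: bool
    incoming_number: str
    condition: str          # "Unconditional", "Busy", "No Answer", "Block" or "Accept"
    forward_to: str = ""    # may be blank for Block / Accept


@dataclass
class ForwardSettings:
    """The Forward to Number section; None means the box is not selected."""
    unconditional: Optional[str] = None
    busy: Optional[str] = None
    no_answer: Optional[str] = None
    no_answer_wait_s: int = 20


@dataclass
class IncomingCall:
    caller: str
    line_busy: bool = False
    answered_after_s: Optional[int] = None  # None: never picked up


def _unanswered(call: IncomingCall, wait_s: int) -> bool:
    # "No Answer" means not picked up within the No Answer Waiting Time.
    return call.answered_after_s is None or call.answered_after_s > wait_s


def _advanced_rule_applies(rule: AdvancedRule, call: IncomingCall, wait_s: int) -> bool:
    if not rule.active or rule.incoming_number != call.caller:
        return False
    if rule.condition == "Busy":
        return call.line_busy
    if rule.condition == "No Answer":
        return _unanswered(call, wait_s)
    return rule.condition in ("Unconditional", "Block", "Accept")


def decide(rules: List[AdvancedRule], forward: ForwardSettings, call: IncomingCall) -> Decision:
    """Return what the device does with one incoming call."""
    # 1. Advanced Setup rules, in order; the first that applies is followed.
    for rule in rules:
        if _advanced_rule_applies(rule, call, forward.no_answer_wait_s):
            if rule.condition == "Block":
                return ("block", None)
            if rule.condition == "Accept":
                return ("accept", None)  # also shields the caller from section 2
            return ("forward", rule.forward_to)
    # 2. Forward to Number section: Unconditional overrides Busy and No Answer.
    if forward.unconditional:
        return ("forward", forward.unconditional)
    if forward.busy and call.line_busy:
        return ("forward", forward.busy)
    if forward.no_answer and _unanswered(call, forward.no_answer_wait_s):
        return ("forward", forward.no_answer)
    return ("accept", None)


# Constructed sample policy (numbers are placeholders).
SAMPLE_RULES = [
    AdvancedRule(True, "5551234", "Block"),
    AdvancedRule(True, "5555678", "Accept"),
    AdvancedRule(False, "5559999", "Unconditional", "1000"),  # disabled rule
]
SAMPLE_FORWARD = ForwardSettings(busy="2000", no_answer="3000", no_answer_wait_s=20)

if __name__ == "__main__":
    for call in (IncomingCall("5551234"),
                 IncomingCall("5555678", line_busy=True),
                 IncomingCall("5559999", line_busy=True),
                 IncomingCall("5550000", answered_after_s=5),
                 IncomingCall("5550000")):
        print(call, "->", decide(SAMPLE_RULES, SAMPLE_FORWARD, call))
```

The Accept rule for 5555678 is the case the manual calls out: even though the line is busy and Busy Forward is configured, the call is accepted rather than forwarded, because Advanced Setup is checked first.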
14.2.2 Speed Dial Screen
You have to create speed-dial entries if you want to make peer-to-peer calls or call SIP numbers that use letters. You can also create speed-dial entries for frequently-used SIP phone numbers. Use this screen to add, edit, or remove speed-dial entries. To access this screen, click VoIP > Phone Book > Speed Dial.
Figure 112 VoIP > Phone Book > Speed Dial
Each field is described in the following table.
Table 69 VoIP > Phone Book > Speed Dial
LABEL DESCRIPTION
Speed Dial: Use this section to create or edit speed-dial entries.
Speed Dial: Select the speed-dial number you want to use for this phone number.
Number: Enter the SIP number you want the ZyXEL Device to call when you dial the speed-dial number. You can use up to 127 printable ASCII characters.
Name: Enter a name to identify the party you call when you dial the speed-dial number.
Type: Select Use Proxy if you want to use one of your SIP accounts to call this phone number. Select Non-Proxy (Use IP or URL) if you want to use a different SIP server or if you want to make a peer-to-peer call. In this case, enter the IP address or domain name of the SIP server or the other party in the field below.
Add: Click this to use the information in the Speed Dial section to update the Speed Dial Phone Book section.
Speed Dial Phone Book: Use this section to look at all the speed-dial entries and to erase them.
Speed Dial: This field displays the speed-dial number you should dial to use this entry. You should dial the numbers the way they appear in the screen.
Number: This field displays the SIP number the ZyXEL Device calls when you dial the speed-dial number.
Name: This field displays the name of the party you call when you dial the speed-dial number.
Destination: This field is blank, if the speed-dial entry uses one of your SIP accounts. Otherwise, this field shows the IP address or domain name of the SIP server or other party. (This field corresponds with the Type field in the Speed Dial section.)
Modify: Use this field to edit or erase the speed-dial entry.
Click the Edit icon to copy the information for this speed-dial entry into the Speed Dial section, where you can change it.
Click the Remove icon to erase this speed-dial entry.
Clear Click this to erase all the speed-dial entries.
Reset Click this to set every field in this screen to its last-saved value.
CHAPTER 15
Firewall
Use these screens to enable, configure and disable the firewall that protects your ZyXEL Device and your LAN from unwanted or malicious traffic.
15.1 Firewall Overview
Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term "firewall" is a system or group of systems that enforces an access-control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from an untrusted network. Of course, firewalls cannot solve every security problem. A firewall is one of the mechanisms used to establish a network security perimeter in support of a network security policy. It should never be the only mechanism or method employed. For a firewall to guard effectively, you must design and deploy it appropriately. This requires integrating the firewall into a broad information-security policy. In addition, specific policies must be implemented within the firewall itself.
15.1.1 Stateful Inspection Firewall
Stateful inspection firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol. They also "inspect" the session data to assure the integrity of the connection and to adapt to dynamic protocols. These firewalls generally provide the best speed and transparency; however, they may lack the granular application level access control or caching that some proxies support. Firewalls, of one type or another, have become an integral part of standard security solutions for enterprises.
15.1.2 About the ZyXEL Device Firewall
The ZyXEL Device firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated. The ZyXEL Device's purpose is to allow a private Local Area Network (LAN) to be securely connected to the Internet. The ZyXEL Device can be used to prevent theft, destruction and modification of data, as well as log events, which may be important to the security of your network.
The ZyXEL Device is installed between the LAN and a WiMAX base station connecting to the Internet. This allows it to act as a secure gateway for all data passing between the Internet and the LAN.
The ZyXEL Device has one Ethernet (LAN) port. The LAN (Local Area Network) port attaches to a network of computers, which needs security from the outside world. These computers will have access to Internet services such as e-mail, FTP and the World Wide Web. However, "inbound access" is not allowed (by default) unless the remote host is authorized to use a specific service.
15.1.3 Guidelines For Enhancing Security With Your Firewall
1 Change the default password via web configurator.
2 Think about access control before you connect to the network in any way.
3 Limit who can access your router.
4 Don't enable any local service (such as telnet or FTP) that you don't use. Any enabled service could present a potential security risk. A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network.
5 For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring rules to block packets for the services at specific interfaces.
6 Protect against IP spoofing by making sure the firewall is active.
7 Keep the firewall in a secured (locked) room.
15.1.4 The Firewall, NAT and Remote Management
Figure 113 Firewall Rule Directions
15.1.4.1 LAN-to-WAN rules
LAN-to-WAN rules are local network to Internet firewall rules. The default is to forward all traffic from your local network to the Internet.
You can block certain LAN-to-WAN traffic in the Services screen (click the Services tab). All services displayed in the Blocked Services list box are LAN-to-WAN firewall rules that block those services originating from the LAN.
Blocked LAN-to-WAN packets are considered alerts. Alerts are "higher priority logs" that include system errors, attacks and attempted access to blocked web sites. Alerts appear in red in the View Log screen. You may choose to have alerts e-mailed immediately in the Log Settings screen.
LAN-to-LAN/ZyXEL Device means the LAN to the ZyXEL Device LAN interface. This is always allowed, as this is how you manage the ZyXEL Device from your local computer.
15.1.4.2 WAN-to-LAN rules
WAN-to-LAN rules are Internet to your local network firewall rules. The default is to block all traffic from the Internet to your local network.
How can you forward certain WAN to LAN traffic? You may allow traffic originating from the WAN to be forwarded to the LAN by:
- Configuring NAT port forwarding rules.
- Configuring One-to-One and Many-One-to-One NAT mapping rules in the SMT NAT menus.
- Configuring WAN or LAN & WAN access for services in the Remote Management screens or SMT menus.
When you allow remote management from the WAN, you are actually configuring WAN-to-WAN/ZyXEL Device firewall rules. WAN-to-WAN/ZyXEL Device firewall rules are Internet to the ZyXEL Device WAN interface firewall rules. The default is to block all such traffic. When you decide what WAN-to-LAN packets to log, you are in fact deciding what WAN-to-LAN and WAN-to-WAN/ZyXEL Device packets to log.
Forwarded WAN-to-LAN packets are not considered alerts.
15.2 Triangle Route
When the firewall is on, your ZyXEL Device acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyXEL Device to protect your LAN against attacks.
Figure 114 Ideal Firewall Setup
15.2.1 The "Triangle Route" Problem
A traffic route is a path for sending or receiving data packets between two Ethernet devices. You may have more than one connection to the Internet (through one or more ISPs). If an alternate gateway is on the LAN (and its IP address is in the same subnet as the ZyXEL Device's LAN IP address), the "triangle route" (also called asymmetrical route) problem may occur. The steps below describe the "triangle route" problem.
1 A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN.
2 The ZyXEL Device reroutes the SYN packet through Gateway A on the LAN to the WAN.
3 The reply from the WAN goes directly to the computer on the LAN without going through the ZyXEL Device.
As a result, the ZyXEL Device resets the connection, as the connection has not been acknowledged.
Figure 115 "Triangle Route" Problem
15.2.2 Solving the "Triangle Route" Problem
If you have the ZyXEL Device allow triangle route sessions, traffic from the WAN can go directly to a LAN computer without passing through the ZyXEL Device and its firewall protection.
Another solution is to use IP alias. IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your ZyXEL Device supports up to three logical LAN interfaces with the ZyXEL Device being the gateway for each logical network.
It's like having multiple LAN networks that actually use the same physical cables and ports. By putting your LAN and Gateway A in different subnets, all returning network traffic must pass through the ZyXEL Device to your LAN. The following steps describe such a scenario.
1 A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN.
2 The ZyXEL Device reroutes the packet to Gateway A, which is in Subnet 2.
3 The reply from the WAN goes to the ZyXEL Device.
4 The ZyXEL Device then sends it to the computer on the LAN in Subnet 1.
Figure 116 IP Alias
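To make the stateful-inspection behaviour behind Figures 114 and 115 concrete, here is an added example (not ZyXEL code) of a toy connection tracker. It forwards a LAN-initiated handshake when every packet crosses the firewall, drops an unsolicited SYN from the WAN (the default WAN-to-LAN policy), and resets a connection whose SYN-ACK came back through Gateway A and was therefore never seen by the firewall. The packet fields, the three tracking states, the LAN prefix and the sample addresses are this example's own assumptions.

```python
"""Toy stateful connection tracker showing the "triangle route" failure (added example, not ZyXEL code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN-ACK" or "ACK" (constructed, not a real TCP header)


class StatefulFirewall:
    """Tracks LAN-initiated TCP connections; WAN-to-LAN is blocked by default."""

    def __init__(self, lan_prefix: str) -> None:
        self.lan_prefix = lan_prefix
        self.table: Dict[Tuple[str, int, str, int], str] = {}

    def _from_lan(self, pkt: Packet) -> bool:
        return pkt.src.startswith(self.lan_prefix)

    def _key(self, pkt: Packet) -> Tuple[str, int, str, int]:
        # Canonical key (LAN endpoint first) so both directions hit one entry.
        if self._from_lan(pkt):
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def inspect(self, pkt: Packet) -> str:
        """Return "forward", "drop" or "reset" for one packet."""
        key = self._key(pkt)
        state = self.table.get(key)
        if self._from_lan(pkt):
            if pkt.flags == "SYN" and state is None:
                self.table[key] = "SYN_SENT"  # LAN-to-WAN is allowed by default
                return "forward"
            if state == "ESTABLISHED":
                return "forward"
            if state == "SYN_SENT":
                # The LAN host acknowledges a SYN-ACK the firewall never saw:
                # the connection was never acknowledged through us, so reset it.
                del self.table[key]
                return "reset"
            return "drop"
        # Packet from the WAN: only replies to tracked connections get through.
        if state == "SYN_SENT" and pkt.flags == "SYN-ACK":
            self.table[key] = "ESTABLISHED"
            return "forward"
        if state == "ESTABLISHED":
            return "forward"
        return "drop"


LAN_HOST, WAN_SERVER = "192.168.1.10", "203.0.113.5"  # constructed addresses
SYN = Packet(LAN_HOST, 40000, WAN_SERVER, 80, "SYN")
SYN_ACK = Packet(WAN_SERVER, 80, LAN_HOST, 40000, "SYN-ACK")
ACK = Packet(LAN_HOST, 40000, WAN_SERVER, 80, "ACK")


def ideal_route() -> List[str]:
    """Figure 114: every packet of the handshake crosses the firewall."""
    fw = StatefulFirewall("192.168.1.")
    return [fw.inspect(p) for p in (SYN, SYN_ACK, ACK)]


def triangle_route() -> List[str]:
    """Figure 115: the SYN-ACK returns via Gateway A and never reaches the firewall."""
    fw = StatefulFirewall("192.168.1.")
    return [fw.inspect(SYN), fw.inspect(ACK)]


def unsolicited_inbound() -> str:
    """Default WAN-to-LAN policy: a SYN from the Internet is dropped."""
    fw = StatefulFirewall("192.168.1.")
    return fw.inspect(Packet(WAN_SERVER, 80, LAN_HOST, 40000, "SYN"))


if __name__ == "__main__":
    print("ideal route:   ", ideal_route())
    print("triangle route:", triangle_route())
    print("unsolicited:   ", unsolicited_inbound())
```

The Bypass Triangle Route option in the General screen corresponds to skipping the reset branch, which is exactly why it also lets WAN traffic reach the LAN without inspection; the IP alias approach keeps the reset logic and instead forces the reply back through the device.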
15.3 Firewall Screens
15.3.1 General Firewall Screen
Use this screen to configure the basic settings for your firewall. To access this screen, click Security > Firewall > General.
Figure 117 Security > Firewall > General
Each field is described in the following table.
Table 70 Security > Firewall > General
LABEL DESCRIPTION
Enable Firewall: Select this to activate the firewall. The ZyXEL Device controls access and protects against Denial of Service (DoS) attacks when the firewall is activated.
Bypass Triangle Route: Select this if you want to let some traffic from the WAN go directly to a computer in the LAN without passing through the ZyXEL Device. See the appendices for more information about triangle route topology.
Max NAT/Firewall Session Per User: Select the maximum number of NAT rules and firewall rules the ZyXEL Device enforces at one time. The ZyXEL Device automatically allocates memory for the maximum number of rules, regardless of whether or not there is a rule to enforce. This is the same number you enter in Network > NAT > General.
Packet Direction: This field displays each direction that packets pass through the ZyXEL Device.
Log: Select the situations in which you want to create log entries for firewall events.
No Log - do not create any log entries
Log Blocked - (LAN to WAN only) create log entries when packets are blocked
Log Forwarded - (WAN to LAN only) create log entries when packets are forwarded
Log All - create log entries for every packet
Apply: Click this to save your changes.
Reset: Click this to set every field in this screen to its last-saved value.
15.3.2 Firewall Services Screen
Use this screen to enable service blocking, to set up the date and time service blocking is effective, and to maintain the list of services you want to block. To access this screen, click Security > Firewall > Services.
Figure 118 Security > Firewall > Services
Each field is described in the following table.
Table 71 Security > Firewall > Services
LABEL DESCRIPTION
Service Setup
Enable Services Blocking: Select this to activate service blocking. The Schedule to Block section controls what days and what times service blocking is actually effective, however.
Available Services: This is a list of pre-defined services (destination ports) you may prohibit your LAN computers from using. Select the port you want to block, and click Add to add the port to the Blocked Services field.
A custom port is a service that is not available in the pre-defined Available Services list. You must define it using the Type and Port Number fields. See Appendix F on page 333 for some examples of services.
Blocked Services: This is a list of services (ports) that are inaccessible to computers on your LAN when service blocking is effective. To remove a service from this list, select the service, and click Delete.
Type: Select TCP or UDP, based on which one the custom port uses.
Port Number: Enter the range of port numbers that defines the service. For example, suppose you want to define the Gnutella service. Select TCP type and enter a port range of 6345-6349.
Add: Click this to add the selected service in Available Services to the Blocked Services list.
Delete: Select a service in the Blocked Services, and click this to remove the service from the list.
Clear All: Click this to remove all the services in the Blocked Services list.
Schedule to Block
Day to Block: Select which days of the week you want the service blocking to be effective.
Time of Day to Block: Select what time each day you want service blocking to be effective. Enter times in 24-hour format; for example, 3:00pm should be entered as 15:00.
Apply: Click this to save your changes.
Reset: Click this to set every field in this screen to its last-saved value.
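The pieces of Table 71 combine into one LAN-to-WAN decision: is blocking enabled, is today a selected day, is the current time inside the 24-hour window, and does the packet's protocol and destination port fall into a blocked service's range. The following added example (not ZyXEL code) implements that decision, using the manual's Gnutella TCP 6345-6349 custom port plus a constructed Telnet entry and a constructed weekday schedule; the class and function names, the "HH:MM" string comparison and the handling of a window that crosses midnight are this example's own assumptions.

```python
"""Service-blocking decision with a day/time schedule (added example, not ZyXEL code)."""
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Iterable, Tuple


@dataclass(frozen=True)
class BlockedService:
    name: str
    proto: str         # "TCP" or "UDP", as in the Type field
    first_port: int
    last_port: int

    def matches(self, proto: str, port: int) -> bool:
        return proto.upper() == self.proto and self.first_port <= port <= self.last_port


def parse_port_range(text: str) -> Tuple[int, int]:
    """Turn "6345-6349" (or a single "23") into an inclusive (first, last) pair."""
    first, _, last = text.partition("-")
    lo = int(first)
    hi = int(last) if last else lo
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range: {text!r}")
    return lo, hi


@dataclass(frozen=True)
class BlockSchedule:
    enabled: bool                 # Enable Services Blocking
    days: FrozenSet[int]          # Day to Block, as datetime.weekday(): 0=Monday .. 6=Sunday
    start: str                    # Time of Day to Block, 24-hour "HH:MM"
    end: str

    def active_at(self, when: datetime) -> bool:
        if not self.enabled or when.weekday() not in self.days:
            return False
        now = when.strftime("%H:%M")  # zero-padded, so string order is time order
        if self.start <= self.end:
            return self.start <= now <= self.end
        # Window crosses midnight (assumption; the manual does not describe this case).
        return now >= self.start or now <= self.end


def lan_to_wan_decision(services: Iterable[BlockedService], schedule: BlockSchedule,
                        proto: str, dport: int, when: datetime) -> str:
    """Return "forward" or "block:<service name>" for a LAN-originated packet."""
    if not schedule.active_at(when):
        return "forward"          # outside the schedule, blocking is not effective
    for svc in services:
        if svc.matches(proto, dport):
            return f"block:{svc.name}"
    return "forward"              # default LAN-to-WAN policy


# Constructed blocked-services list and schedule.
GNUTELLA = BlockedService("Gnutella", "TCP", *parse_port_range("6345-6349"))
TELNET = BlockedService("Telnet", "TCP", *parse_port_range("23"))
BLOCKED = (GNUTELLA, TELNET)
WORK_HOURS = BlockSchedule(True, frozenset({0, 1, 2, 3, 4}), "09:00", "17:00")

if __name__ == "__main__":
    when = datetime(2024, 1, 10, 15, 0)  # a Wednesday, 15:00
    print(lan_to_wan_decision(BLOCKED, WORK_HOURS, "TCP", 6347, when))
    print(lan_to_wan_decision(BLOCKED, WORK_HOURS, "UDP", 6347, when))
```

Note that a blocked LAN-to-WAN packet is what the General screen's Log Blocked option records as an alert, so the schedule also bounds when such alerts can appear.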
CHAPTER 16
Certificates
This chapter gives background information about public-key certificates and explains how to use the Certificates screens.
16.1 Certificates Overview
The ZyXEL Device can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner's identity and public key. Certificates provide a way to exchange public keys for use in authentication.
A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner. There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities. You can use the ZyXEL Device to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority.
When using public-key cryptology for authentication, each host has two keys. One key is public and can be made openly available. The other key is private and must be kept secure.
These keys work like a handwritten signature (in fact, certificates are often referred to as "digital signatures"). Only you can write your signature exactly as it ought to look. When people know what your signature ought to look like, they can verify whether something was signed by you, or by someone else. In the same way, your private key "writes" your digital signature and your public key allows people to verify whether data was signed by you, or by someone else. This process works as follows.
1 Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key).
2 Tim keeps the private key and makes the public key openly available. This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not.
3 Tim uses his private key to sign the message and sends it to Jenny.
4 Jenny receives the message and uses Tim's public key to verify it. Jenny knows that the message is from Tim, and she knows that although other people may have been able to read the message, no-one can have altered it (because they cannot re-sign the message with Tim's private key).
5 Additionally, Jenny uses her own private key to sign a message and Tim uses Jenny's public key to verify the message.
The ZyXEL Device uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection. For example, a VPN tunnel might use the triple DES encryption algorithm.
The certification authority uses its private key to sign certificates. Anyone can then use the certification authority's public key to verify the certificates.
A certification path is the hierarchy of certification authority certificates that validate a certificate. The ZyXEL Device does not trust a certificate if any certificate on its path has expired or been revoked.
Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyXEL Device can check a peer's certificate against a directory server's list of revoked certificates. The framework of servers, software, procedures and policies that handles keys is called PKI (public-key infrastructure).
16.1.1 Advantages of Certificates
Certificates offer the following benefits.
- The ZyXEL Device only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate.
- Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys.
16.2 Self-signed Certificates
You can have the ZyXEL Device act as a certification authority and sign its own certificates.
16.3 Factory Default Certificate
The ZyXEL Device generates its own unique self-signed certificate when you first turn it on. This certificate is referred to in the GUI as the factory default certificate.
16.3.1 Certificate File Formats
Any certificate that you want to import has to be in one of these file formats:
- Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
- PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form.
- Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. A PKCS #7 file is used to transfer a public key certificate. The private key is not included. The ZyXEL Device currently allows the importation of a PKCS#7 file that contains a single certificate.
- PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS#7 certificate into a printable form.
Be careful to not convert a binary file to text during the transfer process. It is easy for this to occur since many programs use text files by default.
16.4 Certificate Configuration Screens Summary
This section summarizes how to manage certificates on the ZyXEL Device.
Use the My Certificate screens to generate and export self-signed certificates or certification requests and import the ZyXEL Device's CA-signed certificates.
Use the Trusted CAs screens to save CA certificates and trusted remote host certificates to the ZyXEL Device. The ZyXEL Device will trust any valid certificate that you have imported as a trusted certificate. It will also trust any valid certificate signed by any of the certificates that you have imported as a trusted certificate.
16.5 Verifying a Certificate
Before you import a certificate into the ZyXEL Device, you should verify that you have the correct certificate. This is especially true of trusted certificates since the ZyXEL Device also trusts any valid certificate signed by any of the imported trusted certificates.
16.5.1 Checking the Fingerprint of a Certificate on Your Computer
A certificate's fingerprints are message digests calculated using the MD5 or SHA1 algorithms. The following procedure describes how to check a certificate's fingerprint to verify that you have the actual certificate.
1 Browse to where you have the certificate saved on your computer.
2 Make sure that the certificate has a ".cer" or ".crt" file name extension.
Figure 119 Remote Host Certificates
3 Double-click the certificate's icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.
Figure 120 Certificate Details
4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection.
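The thumbprint the Certificate window shows is simply the MD5 or SHA1 digest of the certificate's DER bytes, so the same check can be scripted before a certificate is imported as a trusted CA. The following added example (not ZyXEL's code) accepts either of the file formats from 16.3.1, computes the thumbprint in the colon-separated form the Details tab displays, and compares it in constant time with the value obtained out of band. It also shows the caveat from 16.3.1: a binary file that a text-mode transfer has altered still looks like DER but no longer matches. SAMPLE_DER is a constructed byte string shaped like the start of a DER SEQUENCE, not a real X.509 certificate, and the function names are this example's own.

```python
"""Certificate thumbprint check from 16.5.1 (added example, not ZyXEL's code)."""
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(text: str) -> bytes:
    """Decode the Base-64 body of a PEM certificate block into DER bytes."""
    m = PEM_BLOCK.search(text)
    if m is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def load_certificate(data: bytes) -> bytes:
    """Accept either file format and return the DER bytes the thumbprint is taken over."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return pem_to_der(data.decode("ascii"))
    if data[:1] != b"\x30":  # every DER certificate starts with a SEQUENCE tag
        raise ValueError("neither PEM nor DER; was the binary file converted to text?")
    return data


def fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Thumbprint as the Certificate Details window shows it: AB:CD:EF:..."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp: str) -> str:
    # Tolerate the separators and letter case people use when reading a thumbprint out.
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def fingerprint_matches(der: bytes, expected: str, algorithm: str = "sha1") -> bool:
    """Constant-time comparison against the value the certificate owner gave you."""
    return hmac.compare_digest(_normalize(fingerprint(der, algorithm)), _normalize(expected))


# Constructed sample: SEQUENCE tag, length 16, sixteen bytes of filler (not a real certificate).
SAMPLE_DER = b"\x30\x10" + b"constructed\ncert"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode("ascii")
              + "\n-----END CERTIFICATE-----\n")
# What a text-mode transfer does to the binary file: the embedded newline becomes CR LF.
MANGLED_DER = SAMPLE_DER.replace(b"\n", b"\r\n")

if __name__ == "__main__":
    der = load_certificate(SAMPLE_PEM.encode("ascii"))
    print("SHA1:", fingerprint(der))
    print("MD5: ", fingerprint(der, "md5"))
    print("mangled copy still matches?", fingerprint_matches(MANGLED_DER, fingerprint(der)))
```

Only the thumbprint catches the mangled copy; the format check passes because the first byte is still a SEQUENCE tag, which is why step 4's out-of-band comparison is the part of the procedure that actually establishes you hold the right certificate.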
16.6 My Certificates Screen
Click Security > Certificates > My Certificates to open the My Certificates screen. This is the ZyXEL Device's summary list of certificates and certification requests.
Figure 121 Security > Certificates > My Certificates
The following table describes the labels in this screen.
Table 72 Security > Certificates > My Certificates
LABEL DESCRIPTION
PKI Storage Space in Use: This bar displays the percentage of the ZyXEL Device's PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.
#: This field displays the certificate index number. The certificates are listed in alphabetical order.
Name: This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name.
Type: This field displays what kind of certificate this is.
REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request.
SELF represents a self-signed certificate.
*SELF represents the default self-signed certificate which signs the imported remote host certificates.
CERT represents a certificate issued by a certification authority.
Subject: This field displays identifying information about the certificate's owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Issuer: This field displays identifying information about the certificate's issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
Valid From: This field displays the date that the certificate becomes applicable.
Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired.
Modify: Click the Details icon to open a screen with an in-depth list of information about the certificate.
Click the Export icon to save a copy of the certificate without its private key. Browse to the location you want to use and click Save.
Click the Remove icon to delete a certificate. A window displays asking you to confirm that you want to delete the certificate. Subsequent certificates move up by one when you take this action.
The ZyXEL Device keeps all of your certificates unless you specifically delete them. Uploading new firmware or default configuration file does not delete your certificates.
You cannot delete certificates that any of the ZyXEL Device's features are configured to use.
Import: Click Import to open a screen where you can save a certificate to the ZyXEL Device.
Create: Click Create to go to the screen where you can have the ZyXEL Device generate a certificate or a certification request.
Refresh: Click Refresh to display the current validity status of the certificates.
16.6.1 My Certificates Create Screen
Click Security > Certificates > My Certificates and then the Create icon to open the My Certificates Create screen. Use this screen to have the ZyXEL Device create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.
Figure 122 Security > Certificates > My Certificates > Create
The following table describes the labels in this screen.
Table 73 Security > Certificates > My Certificates > Create
LABEL DESCRIPTION
Certificate Name: Type a name to identify this certificate. You can use up to 31 alphanumeric and ;$~!@#$%^&()_+[]{} ,.=- characters.
Subject Information: Use these fields to record information that identifies the owner of the certificate. You do not have to fill in every field, although the Common Name is mandatory. The certification authority may add fields (such as a serial number) to the subject information when it issues a certificate. It is recommended that each certificate have unique subject information.
Common Name: Select a radio button to identify the certificate's owner by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided. The domain name or e-mail address is for identification purposes only and can be any string. A domain name can be up to 255 characters. You can use alphanumeric characters, the hyphen and periods. An e-mail address can be up to 63 characters. You can use alphanumeric characters, the hyphen, the @ symbol, periods and the underscore.
Organizational Unit: Identify the organizational unit or department to which the certificate owner belongs. You can use up to 63 characters. You can use alphanumeric characters, the hyphen and the underscore.
Organization: Identify the company or group to which the certificate owner belongs. You can use up to 63 characters. You can use alphanumeric characters, the hyphen and the underscore.
Country: Identify the country in which the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
Key Length: Select a number from the drop-down list box to determine how many bits the key should use (512 to 2048). The longer the key, the more secure it is. A longer key also uses more PKI storage space. A 512-bit RSA key can be factored with modest resources and 1024-bit keys are no longer considered adequate, so select 2048 unless the certification authority requires otherwise.
Enrollment Options: These radio buttons deal with how and when the certificate is to be generated.
1 Create a self-signed certificate
2 Create a certification request and save it locally for later manual enrollment
3 Create a certification request and enroll for a certificate immediately online
Select Create a self-signed certificate to have the ZyXEL Device generate the certificate and act as the Certification Authority (CA) itself. This way you do not need to apply to a certification authority for certificates. A peer only trusts a self-signed certificate that it has explicitly imported, so confirm the certificate's fingerprint with the peer's administrator out of band.
Select Create a certification request and save it locally for later manual enrollment to have the ZyXEL Device generate and store a request for a certificate. Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority. Copy the certification request from the My Certificate Details screen (see Section 16.6.2) and then send it to the certification authority.
Select Create a certification request and enroll for a certificate immediately online to have the ZyXEL Device generate a request for a certificate and apply to a certification authority for a certificate. You must have the certification authority's certificate already imported in the Trusted CAs screen. When you select this option, you must select the certification authority's enrollment protocol and the certification authority's certificate from the drop-down list boxes and enter the certification authority's server address. You also need to fill in the Reference Number and Key if the certification authority requires them.
Enrollment Protocol: This field applies when you select Create a certification request and enroll for a certificate immediately online. Select the certification authority's enrollment protocol from the drop-down list box. Simple Certificate Enrollment Protocol (SCEP) is an HTTP-based enrollment protocol that was developed by VeriSign and Cisco. Certificate Management Protocol (CMP) is a TCP-based enrollment protocol that was developed by the Public Key Infrastructure X.509 (PKIX) working group of the Internet Engineering Task Force (IETF) and is specified in RFC 2510 (since obsoleted by RFC 4210).
CA Server Address: This field applies when you select Create a certification request and enroll for a certificate immediately online. Enter the IP address (or URL) of the certification authority server. For a URL, you can use up to 511 of the following characters. a-zA-Z0-9'()+,/:.=?;!*#@$_%-
CA Certificate: This field applies when you select Create a certification request and enroll for a certificate immediately online. Select the certification authority's certificate from the CA Certificate drop-down list box. You must have the certification authority's certificate already imported in the Trusted CAs screen. Click Trusted CAs to go to the Trusted CAs screen where you can view (and manage) the ZyXEL Device's list of certificates of trusted certification authorities.
Request Authentication: When you select Create a certification request and enroll for a certificate immediately online, the certification authority may want you to include a reference number and key to identify you when you send a certification request. Fill in both the Reference Number and the Key fields if your certification authority uses the CMP enrollment protocol. Just the Key field displays if your certification authority uses the SCEP enrollment protocol. For the reference number, use 0 to 99999999. For the key, use up to 31 of the following characters. a-zA-Z0-9;|`~!@#$%^&*()_+\{}':,./<>=- Treat the key as a secret: it is what authorizes the enrollment, so anyone who learns it can obtain a certificate from the certification authority in your place.
Apply: Click Apply to begin certificate or certification request generation.
Cancel: Click Cancel to quit and return to the My Certificates screen.
If you configured the My Certificate Create screen to have the ZyXEL Device enroll a certificate and the certificate enrollment is not successful, you see a screen with a Return button that takes you back to the My Certificate Create screen. Click Return and check your information in the My Certificate Create screen. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the ZyXEL Device to enroll a certificate online.
16.6.2 My Certificate Details Screen
Click Security > Certificates > My Certificates and then the Details icon to open the My Certificate Details screen. You can use this screen to view in-depth certificate information and change the certificate's name.
Figure 123 Security > Certificates > My Certificates > Details
The following table describes the labels in this screen.
Table 74 Security > Certificates > My Certificates > Details
LABEL DESCRIPTION
Name: This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;$~!@#$%^&()_+[]{} ,.=- characters.
Property: Select Default self-signed certificate which signs the imported remote host certificates to use this certificate to sign the remote host certificates you upload in the Security > Certificates > Trusted CAs screen.
Certification Path: This field displays for a certificate, not a certification request. Click the Refresh button to have this read-only text box display the hierarchy of certification authorities that validate the certificate (and the certificate itself). If the issuing certification authority is one that you have imported as a trusted certification authority, it may be the only certification authority in the list (along with the certificate itself). If the certificate is a self-signed certificate, the certificate itself is the only one in the list. The ZyXEL Device does not trust the certificate and displays "Not trusted" in this field if any certificate on the path has expired or been revoked.
Refresh: Click Refresh to display the certification path.
Certificate Information: These read-only fields display detailed information about the certificate.
Type: This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate's owner signed the certificate (not a certification authority). X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
Version: This field displays the X.509 version number.
Serial Number: This field displays the certificate's identification number given by the certification authority or generated by the ZyXEL Device.
Subject: This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).
Issuer: This field displays identifying information about the certificate's issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same as the Subject Name field. "none" displays for a certification request.
Signature Algorithm: This field displays the type of algorithm that was used to sign the certificate. The ZyXEL Device uses rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Some certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm). MD5 is broken for this purpose (colliding certificates can be constructed) and SHA-1 is deprecated for certificate signatures, so prefer a SHA-256 signature where the certification authority and your peers support it.
Valid From: This field displays the date that the certificate becomes applicable. "none" displays for a certification request.
Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expired message if the certificate has expired. "none" displays for a certification request.
Key Algorithm: This field displays the type of algorithm that was used to generate the certificate's key pair (the ZyXEL Device uses RSA encryption) and the length of the key set in bits (1024 bits for example).
Subject Alternative Name: This field displays the certificate owner's IP address (IP), domain name (DNS) or e-mail address (EMAIL).
Key Usage: This field displays for what functions the certificate's key can be used. For example, DigitalSignature means that the key can be used to create digital signatures (to authenticate the owner, for instance), KeyEncipherment means that the key can be used to encrypt (transport) session keys, and KeyCertSign means that the key can be used to sign certificates.
Basic Constraint: This field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority's certificate and Path Length Constraint=1 means that at most one further certification authority may follow this one in the certificate's path. This field does not display for a certification request.
MD5 Fingerprint: This is the certificate's message digest that the ZyXEL Device calculated using the MD5 algorithm.
SHA1 Fingerprint: This is the certificate's message digest that the ZyXEL Device calculated using the SHA1 algorithm.
Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM Base-64 encodes the binary (DER) certificate using upper- and lowercase letters, numerals, + and /, between BEGIN and END lines, so that it can be pasted as printable text. You can copy and paste a certification request into a certification authority's web page, an e-mail that you send to the certification authority or a text editor and save the file on a management computer for later manual enrollment. You can copy and paste a certificate into an e-mail to send to friends or colleagues or you can copy and paste a certificate into a text editor and save the file on a management computer for later distribution (via floppy disk for example). The PEM text contains only the public certificate or request; the private key is never displayed or exported.
Apply: Click Apply to save your changes back to the ZyXEL Device. You can only change the name.
Cancel: Click Cancel to quit and return to the My Certificates screen.
16.6.3 My Certificate Import Screen
Click Security > Certificates > My Certificates > Import to open the My Certificate Import screen. Follow the instructions in this screen to upload an existing certificate to the ZyXEL Device.
You can import a certificate that matches a corresponding certification request that was generated by the ZyXEL Device.
The certificate you import replaces the corresponding request in the My Certificates screen.
You must remove any spaces from the certificate's filename before you can import it.
Figure 124 Security > Certificates > My Certificates > Import
The following table describes the labels in this screen.
Table 75 Security > Certificates > My Certificates > Import
LABEL DESCRIPTION
File Path: Type in the location of the file you want to upload in this field or click Browse to find it. You cannot import a certificate with the same name as a certificate that is already in the ZyXEL Device.
Browse: Click Browse to find the certificate file you want to upload.
Apply: Click Apply to save the certificate on the ZyXEL Device.
Cancel: Click Cancel to quit and return to the My Certificates screen.
16.7 Trusted CAs
Click Security > Certificates > Trusted CAs to open the Trusted CAs screen. This screen displays a summary list of certificates of the certification authorities that you have set the ZyXEL Device to accept as trusted. The ZyXEL Device accepts any valid certificate signed by a certification authority on this list as being trustworthy; thus you do not need to import any certificate that is signed by one of these certification authorities. Because every certificate a listed certification authority issues is accepted, importing a CA certificate is a trust decision: verify its fingerprint with the certification authority out of band (see the Trusted CA Details screen) before relying on it, and remove certification authorities you no longer need.
Figure 125 Security > Certificates > Trusted CAs
The following table describes the labels in this screen.
Table 76 Security > Certificates > Trusted CAs
LABEL DESCRIPTION
PKI Storage Space in Use: This bar displays the percentage of the ZyXEL Device's PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.
#: This field displays the certificate index number. The certificates are listed in alphabetical order.
Name: This field displays the name used to identify this certificate.
Subject: This field displays identifying information about the certificate's owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Issuer: This field displays identifying information about the certificate's issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable.
Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already expired.
CRL Issuer: This field displays Yes if the certification authority issues CRLs (Certificate Revocation Lists) for the certificates that it has issued and you have selected the Check incoming certificates issued by this CA against a CRL check box in the certificate's details screen to have the ZyXEL Device check the CRL before trusting any certificates issued by the certification authority. Otherwise the field displays No.
Modify: Click the Details icon to open a screen with an in-depth list of information about the certificate. Use the Export icon to save the certificate to a computer. Click the icon and then Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save. Click the Remove icon to delete the certificate. A window displays asking you to confirm that you want to delete the certificate. Note that subsequent certificates move up by one when you take this action.
Import: Click Import to open a screen where you can save the certificate of a certification authority that you trust, from your computer to the ZyXEL Device.
Refresh: Click this button to display the current validity status of the certificates.
16.8 Trusted CA Details
Click Security > Certificates > Trusted CAs to open the Trusted CAs screen. Click the details icon to open the Trusted CA Details screen. Use this screen to view in-depth information about the certification authority's certificate, change the certificate's name and set whether or not you want the ZyXEL Device to check a certification authority's list of revoked certificates before trusting a certificate issued by the certification authority.
Figure 126 Security > Certificates > Trusted CAs > Details
The following table describes the labels in this screen.
Table 77 Security > Certificates > Trusted CAs > Details
LABEL DESCRIPTION
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces).
Property
Check incoming certificates issued by this CA against a CRL: Select this check box to have the ZyXEL Device check incoming certificates that are issued by this certification authority against a Certificate Revocation List (CRL). Clear this check box to have the ZyXEL Device not check incoming certificates that are issued by this certification authority against a Certificate Revocation List (CRL). With the check box cleared, a certificate that the certification authority has revoked (because its private key was compromised, for example) is still accepted until it expires, so leave the check enabled whenever the certification authority publishes a CRL that the ZyXEL Device can reach.
Certification Path: Click the Refresh button to have this read-only text box display the end entity's certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity's certificate. If the issuing certification authority is one that you have imported as a trusted certification authority, it may be the only certification authority in the list (along with the end entity's own certificate). The ZyXEL Device does not trust the end entity's certificate and displays "Not trusted" in this field if any certificate on the path has expired or been revoked.
Refresh: Click Refresh to display the certification path.
Certificate Information: These read-only fields display detailed information about the certificate.
Type: This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate's owner signed the certificate (not a certification authority). X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
Version: This field displays the X.509 version number.
Serial Number: This field displays the certificate's identification number given by the certification authority.
Subject: This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).
Issuer: This field displays identifying information about the certificate's issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same information as in the Subject Name field.
Signature Algorithm: This field displays the type of algorithm that was used to sign the certificate. Some certification authorities use rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Other certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm). MD5 signatures are no longer considered secure and SHA-1 is deprecated for certificate signatures.
Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable.
Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already expired.
Key Algorithm: This field displays the type of algorithm that was used to generate the certificate's key pair (the ZyXEL Device uses RSA encryption) and the length of the key set in bits (1024 bits for example).
MD5 Fingerprint: This is the certificate's message digest that the ZyXEL Device calculated using the MD5 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate.
SHA1 Fingerprint: This is the certificate's message digest that the ZyXEL Device calculated using the SHA1 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate. Prefer the SHA1 fingerprint for this comparison: MD5 collisions are practical, so two different certificates can share an MD5 fingerprint.
Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM Base-64 encodes the binary (DER) certificate using upper- and lowercase letters, numerals, + and /, between BEGIN and END lines, so that it can be pasted as printable text. You can copy and paste the certificate into an e-mail to send to friends or colleagues or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution (via floppy disk for example).
Apply: Click Apply to save your changes back to the ZyXEL Device. You can only change the name and/or set whether or not you want the ZyXEL Device to check the CRL that the certification authority issues before trusting a certificate issued by the certification authority.
Cancel: Click Cancel to quit and return to the Trusted CAs screen.
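The fingerprint and validity fields of Table 74 and Table 77 are what an administrator checks before trusting an imported certificate. The following Python is an added example for this page, not ZyXEL code: it decodes a PEM block the way the Details screens' PEM box presents it, computes the MD5/SHA1 fingerprints over the binary (DER) bytes as the device does, compares a fingerprint against one read out by the certification authority over the phone, and derives the Not Yet Valid / Expiring / Expired status shown on the Trusted CAs screen. The PEM block is constructed sample data (fixed bytes, not a real certificate), and the 30-day "Expiring" window is an assumption; the manual does not state the threshold the device uses.

```python
"""Fingerprint and validity checks for a PEM certificate as shown on the
My Certificate Details and Trusted CA Details screens.

Added example, not ZyXEL code. SAMPLE_PEM is constructed data (64 fixed
bytes wrapped as PEM, not a parseable X.509 certificate); the device hashes
the DER bytes of a real certificate in the same way. The 30-day "Expiring"
window is an assumption; the manual does not state the device's threshold.
"""
import base64
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

# One PEM block, either "CERTIFICATE" or "CERTIFICATE REQUEST".
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END lines and line wrapping, then Base-64 decode the body."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no PEM block found")
    body = re.sub(r"\s+", "", match.group("body"))
    return base64.b64decode(body, validate=True)


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated upper-case hex digest of the DER bytes, the form the
    Details screens display. MD5 is kept only so the value can be compared
    with what the screen shows; SHA1 is the one to read out over the phone."""
    digest = hashlib.new(algo, der, usedforsecurity=False).digest()
    return ":".join(f"{b:02X}" for b in digest)


def fingerprint_matches(der: bytes, reference: str, algo: str = "sha1") -> bool:
    """Compare the computed fingerprint with one obtained out of band.
    Colons, spaces and letter case are ignored; the comparison is
    constant-time so the helper is also safe in automated checks."""
    def normalise(s: str) -> str:
        return re.sub(r"[^0-9a-f]", "", s.lower())
    computed = normalise(fingerprint(der, algo))
    expected = normalise(reference)
    return len(expected) == len(computed) and hmac.compare_digest(computed, expected)


def validity_status(not_before: datetime, not_after: datetime, now: datetime,
                    expiring_window: timedelta = timedelta(days=30)) -> str:
    """Status text the Trusted CAs screen attaches to Valid From / Valid To."""
    if now < not_before:
        return "Not Yet Valid"
    if now > not_after:
        return "Expired"
    if not_after - now <= expiring_window:
        return "Expiring"
    return "Valid"


def utc(year: int, month: int, day: int) -> datetime:
    """Build an aware UTC datetime (helper for the examples below)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample: fixed bytes wrapped as a PEM "certificate" at 64 columns.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(re.findall(r".{1,64}", base64.b64encode(SAMPLE_DER).decode()))
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("SHA1 fingerprint:", fingerprint(der))
    print("MD5 fingerprint: ", fingerprint(der, "md5"))
    print("matches reference:", fingerprint_matches(der, fingerprint(der).lower()))
    print("status:", validity_status(utc(2023, 1, 1), utc(2024, 2, 1), utc(2024, 1, 15)))
```

Paste the PEM text from the Details screen into `pem_to_der` and compare the SHA1 result with the value the certification authority reads out; a single differing byte in the DER changes the whole fingerprint, so a mismatch means you are not looking at their certificate.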
16.9 Trusted CA Import
Click Security > Certificates > Trusted CAs to open the Trusted CAs screen and then click Import to open the Trusted CA Import screen. Follow the instructions in this screen to save a trusted certification authority's certificate from a computer to the ZyXEL Device. The ZyXEL Device trusts any valid certificate signed by any of the imported trusted CA certificates.
You must remove any spaces from the certificate's filename before you can import the certificate.
Figure 127 Security > Certificates > Trusted CAs > Import
The following table describes the labels in this screen.
Table 78 Security > Certificates > Trusted CAs > Import
LABEL DESCRIPTION
File Path: Type in the location of the file you want to upload in this field or click Choose... to find it.
Choose...: Click Choose... to find the certificate file you want to upload.
Apply: Click Apply to save the certificate on the ZyXEL Device.
Cancel: Click Cancel to quit and return to the Trusted CAs screen.
CHAPTER 17
Content Filter
Use these screens to create and enforce policies that restrict access to the Internet based on content.
17.1 Content Filtering Overview
Internet content filtering allows you to create and enforce Internet access policies tailored to your needs. Content filtering is the ability to block certain web features or specific URL keywords.
The ZyXEL Device can block web features such as ActiveX controls, Java applets, cookies and disable web proxies. The ZyXEL Device also allows you to define time periods and days during which the ZyXEL Device performs content filtering.
17.2 Content Filtering Screens
17.2.1 Content Filter Screen
Use this screen to set up a trusted IP address, which web features are restricted, and which keywords are blocked when content filtering is effective. To access this screen, click Security > Content Filter > Filter.
Figure 128 Security > Content Filter > Filter
Each field is described in the following table.
Table 79 Security > Content Filter > Filter
LABEL DESCRIPTION
Trusted IP Setup
Trusted Computer IP Address: You can allow a specific computer to access all Internet resources without the restrictions you set in these screens. Enter the IP address of the trusted computer. The exemption is based on the source IP address alone, so any host that uses that address (by configuring it manually, for example) gets the same exemption.
Restrict Web Features: Select the web features you want to disable. If a user downloads a page with a restricted feature, that part of the web page appears blank or grayed out.
ActiveX - This is a tool for building dynamic and active Web pages and distributed object applications. When you visit an ActiveX Web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again.
Java - This is used to build downloadable Web components or Internet and intranet business applications of all kinds.
Cookies - This is used by Web servers to track usage and to provide service based on ID.
Web Proxy - This is a server that acts as an intermediary between a user and the Internet to provide security, administrative control, and caching service. When a proxy server is located on the WAN, it is possible for LAN users to avoid content filtering restrictions.
Keyword Blocking
Enable URL Keyword Blocking: Select this if you want the ZyXEL Device to block Web sites based on words in the web site address. For example, if you block the keyword bad, http://www.website.com/bad.html is blocked.
Keyword: Type a keyword you want to block in this field. You can use up to 64 printable ASCII characters. There is no wildcard character, however.
Add: Click this to add the specified Keyword to the Keyword List. You can enter up to 64 keywords.
Keyword List: This field displays the keywords that are blocked when Enable URL Keyword Blocking is selected. To delete a keyword, select it, click Delete, and click Apply.
Delete: Click Delete to remove the selected keyword in the Keyword List. The keyword disappears after you click Apply.
Clear All: Click this button to remove all of the keywords in the Keyword List.
Denied Access Message: Enter the message that is displayed when the ZyXEL Device's content filter feature blocks access to a web site.
Apply: Click this to save your changes and to apply them to the ZyXEL Device.
Cancel: Click this to set every field in this screen to its last-saved value.
17.2.2 Content Filter Schedule Screen
Use this screen to set up the schedule when content filtering is effective. To access this screen, click Security > Content Filter > Schedule.
Figure 129 Security > Content Filter > Schedule
Each field is described in the following table.
Table 80 Security > Content Filter > Schedule
LABEL DESCRIPTION
Day to Block: Select which days of the week you want content filtering to be effective.
Time of Day to Block: Select what time each day you want content filtering to be effective. Enter times in 24-hour format; for example, 3:00pm should be entered as 15:00.
Apply: Click this to save your changes.
Reset: Click this to set every field in this screen to its last-saved value.
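The Filter and Schedule screens together define one decision: exempt the trusted computer, apply the policy only on the selected days and times, and block a URL when any configured keyword appears in it. The following Python is an added example for this page, not ZyXEL code, that puts those rules in one place so the outcome for a given request can be checked. The policy, addresses and URLs are constructed; keyword matching is done case-insensitively here, which the manual does not specify; and how a window that crosses midnight is handled is an assumption.

```python
"""Content Filter decision logic as described on this page: a trusted computer
bypasses filtering, filtering applies only on the scheduled days and times,
and a URL is blocked when a configured keyword is a plain substring of it
(no wildcards). Added example, not ZyXEL code; POLICY and the request data
are constructed. Case-insensitive matching and the cross-midnight handling
in is_scheduled are assumptions the manual does not state.
"""
from datetime import datetime, time
from typing import Iterable, Optional, Tuple

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
MAX_KEYWORDS = 64       # limit stated for the Keyword List
MAX_KEYWORD_LEN = 64    # printable ASCII characters per keyword


class ContentFilter:
    def __init__(self, keywords: Iterable[str], trusted_ip: Optional[str] = None,
                 days: Iterable[str] = DAYS, start: time = time(0, 0),
                 end: time = time(23, 59), enabled: bool = True,
                 denied_message: str = "Access denied"):
        self.keywords = [k.lower() for k in self._validate(list(keywords))]
        self.trusted_ip = trusted_ip
        self.days = set(days)
        self.start, self.end = start, end
        self.enabled = enabled
        self.denied_message = denied_message

    @staticmethod
    def _validate(keywords):
        """Enforce the screen's limits: at most 64 keywords of 1-64 printable ASCII."""
        if len(keywords) > MAX_KEYWORDS:
            raise ValueError(f"at most {MAX_KEYWORDS} keywords")
        for k in keywords:
            if not (0 < len(k) <= MAX_KEYWORD_LEN and k.isascii() and k.isprintable()):
                raise ValueError(f"keyword {k!r} must be 1-{MAX_KEYWORD_LEN} printable ASCII characters")
        return keywords

    def is_scheduled(self, when: datetime) -> bool:
        """True if content filtering is in effect at this moment."""
        if DAYS[when.weekday()] not in self.days:
            return False
        t = when.time()
        if self.start <= self.end:
            return self.start <= t <= self.end
        return t >= self.start or t <= self.end   # window crosses midnight (assumption)

    def blocked_keyword(self, url: str) -> Optional[str]:
        """First keyword that occurs anywhere in the URL, else None."""
        url = url.lower()
        return next((k for k in self.keywords if k in url), None)

    def decide(self, url: str, src_ip: str, when: datetime) -> Tuple[bool, str]:
        """(blocked?, reason) for one request, applying the rules in order."""
        if src_ip == self.trusted_ip:
            return False, "trusted computer"
        if not self.enabled:
            return False, "keyword blocking disabled"
        if not self.is_scheduled(when):
            return False, "outside schedule"
        kw = self.blocked_keyword(url)
        if kw is None:
            return False, "no keyword matched"
        return True, f"{self.denied_message} (keyword {kw!r})"


def at(year: int, month: int, day: int, hour: int, minute: int = 0) -> datetime:
    """Helper to build a request timestamp."""
    return datetime(year, month, day, hour, minute)


# Constructed policy: block "bad" and "casino" Mon-Fri 08:00-17:00, except for
# the trusted computer 192.168.1.50.
POLICY = ContentFilter(["bad", "casino"], trusted_ip="192.168.1.50",
                       days=DAYS[:5], start=time(8, 0), end=time(17, 0))

if __name__ == "__main__":
    monday_10 = at(2024, 1, 15, 10)
    for url, ip in [("http://www.website.com/bad.html", "192.168.1.20"),
                    ("http://www.website.com/bad.html", "192.168.1.50"),
                    ("http://www.example.com/news.html", "192.168.1.20")]:
        print(url, ip, POLICY.decide(url, ip, monday_10))
```

Because there are no wildcards or word boundaries, a keyword matches anywhere in the address: "bad" also blocks http://www.badminton.org/, so keep keywords specific and test them against the sites users legitimately need. The manual's own caveat applies too: a web proxy on the WAN lets a LAN user fetch a page through a URL that never contains the keyword, which is why the Web Proxy restriction exists.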
CHAPTER 18
Static Route
Use these screens to configure static routes on the ZyXEL Device.
18.1 Static Route Overview
Each remote node specifies only the network to which the gateway is directly connected, and the ZyXEL Device has no knowledge of the networks beyond. For instance, the ZyXEL Device knows about network N2 in the following figure through remote node Router 1. However, the ZyXEL Device is unable to route a packet to network N3 because it doesn't know that there is a route through the same remote node Router 1 (via gateway Router 2). The static routes are for you to tell the ZyXEL Device about the networks beyond the remote nodes.
Figure 130 Example of Static Routing Topology
18.2 Static Route Screens
18.2.1 IP Static Route Screen
Use this screen to look at static routes in the ZyXEL Device. To access this screen, click Management > Static Route > IP Static Route.
The first static route is the default route and cannot be modified or deleted.
Figure 131 Management > Static Route > IP Static Route
Each field is described in the following table.
Table 81 Management > Static Route > IP Static Route
LABEL DESCRIPTION
#: This field is a sequential value, and it is not associated with a specific rule. The sequence is important, however. The ZyXEL Device checks each rule in order, and it follows only the first one that applies.
Name: This field displays the name that describes the static route.
Active: This field shows whether this static route is active (Yes) or not (No).
Destination: This field displays the destination IP address(es) that this static route affects.
Gateway: This field displays the IP address of the gateway to which the ZyXEL Device should send packets for the specified Destination. The gateway is a router or a switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations.
Modify: Use this field to edit or erase the static route. Click the Edit icon to open the IP Static Route Edit screen for this static route. Click the Remove icon to erase this static route.
18.2.2 IP Static Route Edit Screen
Use this screen to edit a static route in the ZyXEL Device. To access this screen, click an Edit icon in Management > Static Route > IP Static Route.
Figure 132 Management > Static Route > IP Static Route > Edit
Each field is described in the following table.
Table 82 Management > Static Route > IP Static Route > Edit
LABEL DESCRIPTION
Route Name: Enter the name of the static route.
Active: Select this if you want the static route to be used. Clear this if you do not want the static route to be used.
Private: Select this if you do not want the ZyXEL Device to tell other routers about this static route. For example, you might select this if the static route is in your LAN. Clear this if you want the ZyXEL Device to tell other routers about this static route.
Destination IP Address: Enter one of the destination IP addresses that this static route affects.
IP Subnet Mask: Enter the subnet mask that defines the range of destination IP addresses that this static route affects. If this static route affects only one IP address, enter 255.255.255.255.
Gateway IP Address: Enter the IP address of the gateway to which the ZyXEL Device should send packets for the specified Destination. The gateway is a router or a switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations.
Metric: Usually, you should keep the default value. This field is related to RIP. See Chapter 9 on page 119 for more information. The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". The smaller the metric, the lower the "cost". RIP uses hop count as the measurement of cost, where 1 is for a directly-connected network. The metric must be 1-15; if you use a value higher than 15, the routers assume the link is down.
Apply: Click this to save your changes and to apply them to the ZyXEL Device.
Cancel: Click this to return to the previous screen without saving your changes.
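The field rules above (a 255.255.255.255 mask for a single host, a metric of 1-15) and the in-order, first-match lookup described for the static route list, modelled in Python as an added example that is not ZyXEL's code. The route table and its addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example (not ZyXEL's code): a model of the IP Static Route table's
# field rules and of the first-match order the chapter describes.


@dataclass
class StaticRoute:
    name: str              # Route Name
    active: bool           # Active check box
    destination: str       # Destination IP Address
    subnet_mask: str       # IP Subnet Mask (255.255.255.255 = a single host)
    gateway: str           # Gateway IP Address (a router on the LAN or WAN segment)
    metric: int = 1        # RIP hop count; 1 = directly-connected network
    private: bool = False  # True = do not advertise this route to other routers


def validate_route(route: StaticRoute) -> List[str]:
    """Return the problems with an entry (empty list if it is acceptable).
    The checks mirror the field descriptions of the IP Static Route Edit screen."""
    problems: List[str] = []
    dest_ok = True
    try:
        ipaddress.IPv4Address(route.destination)
    except ValueError:
        dest_ok = False
        problems.append(f"destination {route.destination!r} is not a valid IPv4 address")
    try:
        ipaddress.IPv4Address(route.gateway)
    except ValueError:
        problems.append(f"gateway {route.gateway!r} is not a valid IPv4 address")
    if dest_ok:
        try:
            # strict=False accepts a host address together with a non-host mask
            ipaddress.IPv4Network(f"{route.destination}/{route.subnet_mask}", strict=False)
        except ValueError:
            problems.append(f"subnet mask {route.subnet_mask!r} is not a valid netmask")
    if not 1 <= route.metric <= 15:
        problems.append("metric must be 1-15; routers treat a higher value as a down link")
    return problems


def lookup_route(routes: List[StaticRoute], dst_ip: str) -> Optional[StaticRoute]:
    """Walk the table in configured order and return the first active route whose
    destination range contains dst_ip, as the device does (order, not longest prefix)."""
    addr = ipaddress.IPv4Address(dst_ip)
    for route in routes:
        if not route.active:
            continue
        network = ipaddress.IPv4Network(
            f"{route.destination}/{route.subnet_mask}", strict=False)
        if addr in network:
            return route
    return None


# Constructed sample table; the names and addresses are illustrative only.
SAMPLE_ROUTES = [
    StaticRoute("server-host", True, "10.1.1.5", "255.255.255.255", "192.168.1.254", 1),
    StaticRoute("branch-lan", True, "10.1.1.0", "255.255.255.0", "192.168.1.253", 3),
    StaticRoute("old-branch", False, "10.1.1.0", "255.255.255.0", "192.168.1.252", 2),
]

if __name__ == "__main__":
    for r in SAMPLE_ROUTES:
        print(r.name, validate_route(r) or "ok")
    for ip in ("10.1.1.5", "10.1.1.9", "10.2.0.1"):
        hit = lookup_route(SAMPLE_ROUTES, ip)
        print(ip, "->", hit.name if hit else "no static route")
```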
CHAPTER 19
Remote MGMT
Use these screens to control which computers can use which services to access the ZyXEL Device on each interface.
19.1 Remote Management Overview
Remote management allows you to determine which services/protocols can access which ZyXEL Device interface (if any) from which computers.
You may manage your ZyXEL Device from a remote location via:
Table 83
• Internet (WAN only)
• ALL (LAN and WAN)
• LAN only
• Neither (Disable).
To disable remote management of a service, select Disable in the corresponding Server Access field.
You may only have one remote management session running at a time. The ZyXEL Device automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts. The priorities for the different types of remote management sessions are as follows.
1 Telnet
2 HTTP
19.1.1 Remote Management Limitations
Remote management over LAN or WAN will not work when:
1 A filter in SMT menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service.
2 You have disabled that service in one of the remote management screens.
3 The IP address in the Secured Client IP field does not match the client IP address. If it does not match, the ZyXEL Device will disconnect the session immediately.
4 There is already another remote management session with an equal or higher priority running. You may only have one remote management session running at one time.
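The rules of Sections 19.1 and 19.1.1 (Server Access per interface, the Secured Client IP match, and the one-session-at-a-time priority between Telnet and HTTP), written out as an added Python model so a policy can be checked before it is applied. This is not ZyXEL's code; the sample policy and addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Added example (not ZyXEL's code): a model of the remote management rules in
# Sections 19.1 and 19.1.1 of the manual.

# Session priority from Section 19.1: a lower number is a higher priority.
SESSION_PRIORITY = {"Telnet": 1, "HTTP": 2}


@dataclass
class ServiceConfig:
    server_access: str               # "WAN", "LAN", "ALL" or "Disable"
    secured_client_ip: str = "All"   # "All", or the single address allowed ("Selected")


def check_request(cfg: ServiceConfig, interface: str, client_ip: str) -> Tuple[bool, str]:
    """Decide whether a management request arriving on `interface` ("LAN" or "WAN")
    from `client_ip` is accepted for a service configured as `cfg`."""
    if cfg.server_access == "Disable":
        return False, "service disabled in the remote management screen"
    if cfg.server_access not in ("ALL", interface):
        return False, f"service not reachable from the {interface}"
    if cfg.secured_client_ip != "All" and cfg.secured_client_ip != client_ip:
        # Section 19.1.1 item 3: a mismatch disconnects the session immediately
        return False, "client IP does not match the Secured Client IP"
    return True, "accepted"


def arbitrate_session(current: Optional[str], new: str) -> Tuple[Optional[str], str]:
    """Apply the one-session-at-a-time rule. Returns the session that is running
    afterwards and what happened to the new one."""
    if current is None:
        return new, "started"
    if SESSION_PRIORITY[new] < SESSION_PRIORITY[current]:
        return new, f"started; {current} session disconnected (lower priority)"
    return current, "refused: a session of equal or higher priority is running"


# Constructed policy: WWW limited to one admin host on the LAN, Telnet from the
# LAN only, FTP switched off. Addresses are illustrative.
POLICY: Dict[str, ServiceConfig] = {
    "HTTP": ServiceConfig("LAN", "192.168.1.10"),
    "Telnet": ServiceConfig("LAN"),
    "FTP": ServiceConfig("Disable"),
}

if __name__ == "__main__":
    for service, iface, ip in (("HTTP", "LAN", "192.168.1.10"),
                               ("HTTP", "LAN", "192.168.1.11"),
                               ("Telnet", "WAN", "203.0.113.9"),
                               ("FTP", "LAN", "192.168.1.10")):
        print(service, iface, ip, "->", check_request(POLICY[service], iface, ip))
    print(arbitrate_session("HTTP", "Telnet"))
```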
19.1.2 Remote Management and NAT
When NAT is enabled:
Use the ZyXEL Device's WAN IP address when configuring from the WAN. Use the ZyXEL Device's LAN IP address when configuring from the LAN.
19.1.3 System Timeout
There is a default system management idle timeout of five minutes (three hundred seconds). The ZyXEL Device automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling. You can change the timeout period in the Maintenance > System > General screen.
19.2 Remote Management Screens
19.2.1 WWW Screen
Use this screen to control HTTP access to your ZyXEL Device. To access this screen, click Management > Remote MGMT > WWW.
Figure 133 Management > Remote MGMT > WWW
Each field is described in the following table.
Table 84 Management > Remote MGMT > WWW
LABEL DESCRIPTION
Server Port: Enter the port number this service can use to access the ZyXEL Device. The computer must use the same port number.
Server Access: Select the interface(s) through which a computer may access the ZyXEL Device using this service.
Secured Client IP Address: Select All to allow any computer to access the ZyXEL Device using this service. Select Selected to only allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
Apply: Click this to save your changes.
Reset: Click this to set every field in this screen to its default value.
19.2.2 Telnet Screen
Use this screen to control Telnet access to your ZyXEL Device. To access this screen, click Management > Remote MGMT > Telnet.
Figure 134 Management > Remote MGMT > Telnet
Each field is described in the following table.
Table 85 Management > Remote MGMT > Telnet
LABEL DESCRIPTION
Server Port: Enter the port number this service can use to access the ZyXEL Device. The computer must use the same port number.
Server Access: Select the interface(s) through which a computer may access the ZyXEL Device using this service.
Secured Client IP Address: Select All to allow any computer to access the ZyXEL Device using this service. Select Selected to only allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
Apply: Click this to save your changes.
Reset: Click this to set every field in this screen to its default value.
19.2.3 FTP Screen
Use this screen to control FTP access to your ZyXEL Device. To access this screen, click Management > Remote MGMT > FTP.
Figure 135 Management > Remote MGMT > FTP
Each field is described in the following table.
Table 86 Management > Remote MGMT > FTP
LABEL DESCRIPTION
Server Port: Enter the port number this service can use to access the ZyXEL Device. The computer must use the same port number.
Server Access: Select the interface(s) through which a computer may access the ZyXEL Device using this service.
Secured Client IP Address: Select All to allow any computer to access the ZyXEL Device using this service. Select Selected to only allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
Apply: Click this to save your changes and to apply them to the ZyXEL Device.
Reset: Click this to set every field in this screen to its default value.
19.3 SNMP
Simple Network Management Protocol (SNMP) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyXEL Device supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyXEL Device through the network. The ZyXEL Device supports SNMP version one (SNMPv1) and version two (SNMPv2). The next figure illustrates an SNMP management operation.
SNMP is only available if TCP/IP is configured.
Figure 136 SNMP Management Model
An SNMP managed network consists of two main types of component: agents and a manager.
An agent is a management software module that resides in a managed device (the ZyXEL Device). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices.
The managed devices contain object variables/managed objects that define each piece of information to be collected about a device. Examples of variables include the number of packets received, node port status, and so on. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects.
SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:
Get - Allows the manager to retrieve an object variable from the agent.
GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
Set - Allows the manager to set values for object variables within an agent.
Trap - Used by the agent to inform the manager of some events.
19.3.1 Supported MIBs
The ZyXEL Device supports MIB II that is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.
19.3.2 SNMP Traps
The ZyXEL Device will send traps to the SNMP manager when any one of the following events occurs:
Table 87 SNMP Traps
TRAP # TRAP NAME DESCRIPTION
0 coldStart (defined in RFC-1215): A trap is sent after booting (power on).
1 warmStart (defined in RFC-1215): A trap is sent after booting (software reboot).
4 authenticationFailure (defined in RFC-1215): A trap is sent to the manager when receiving any SNMP get or set requirements with the wrong community (password).
6 whyReboot (defined in ZYXEL-MIB): A trap is sent with the reason of restart before rebooting when the system is going to restart (warm start).
6a For intentional reboot: A trap is sent with the message "System reboot by user!" if reboot is done intentionally, (for example, download new files, CI command "sys reboot", etc.).
6b For fatal error: A trap is sent with the message of the fatal code if the system reboots because of fatal errors.
19.3.3 Configuring SNMP
To change your ZyXEL Device's SNMP settings, click Advanced > Remote MGMT > SNMP. The screen appears as shown.
Use this screen to control SNMP access to your ZyXEL Device. To access this screen, click Management > Remote MGMT > SNMP.
Figure 137 Management > Remote MGMT > SNMP
The following table describes the labels in this screen.
Table 88 Remote Management: SNMP
LABEL DESCRIPTION
SNMP Configuration
Get Community: Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests.
Set Community: Enter the Set community, which is the password for incoming Set requests from the management station. The default is public and allows all requests.
Trap Community: Enter the trap community, which is the password sent with each trap to the SNMP manager. The default is public and allows all requests.
Trap Destination: Enter the IP address of the station to send your SNMP traps to.
SNMP
Port: You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
Access Status: Select the interface(s) through which a computer may access the ZyXEL Device using this service.
Secured Client IP: A secured client is a "trusted" computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
Apply: Click this button to save your customized settings and exit this screen.
Reset: Click this button to set each field in this screen to its default value.
19.3.4 DNS Screen
Use this screen to control DNS access to your ZyXEL Device. To access this screen, click Management > Remote MGMT > DNS.
Figure 138 Management > Remote MGMT > DNS
Each field is described in the following table.
Table 89 Management > Remote MGMT > DNS
LABEL DESCRIPTION
Server Port: This field is read-only. This field displays the port number this service uses to access the ZyXEL Device. The computer must use the same port number.
Server Access: Select the interface(s) through which a computer may access the ZyXEL Device using this service.
Secured Client IP Address: Select All to allow any computer to access the ZyXEL Device using this service. Select Selected to only allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
Apply: Click this to save your changes.
Reset: Click this to set every field in this screen to its last-saved value.
19.3.5 Security Screen
Use this screen to control how your ZyXEL Device responds to other types of requests. To access this screen, click Management > Remote MGMT > Security.
Figure 139 Management > Remote MGMT > Security
Each field is described in the following table.
Table 90 Management > Remote MGMT > Security
LABEL DESCRIPTION
Respond to Ping on: Select the interface(s) on which the ZyXEL Device should respond to incoming ping requests.
Disable - the ZyXEL Device does not respond to any ping requests.
LAN - the ZyXEL Device only responds to ping requests received from the LAN.
WAN - the ZyXEL Device only responds to ping requests received from the WAN.
LAN & WAN - the ZyXEL Device responds to ping requests received from the LAN or the WAN.
Do not respond to requests for unauthorized services: Select this to prevent outsiders from discovering your ZyXEL Device by sending requests to unsupported port numbers. If an outside user attempts to probe an unsupported port on your ZyXEL Device, an ICMP response packet is automatically returned. This allows the outside user to know the ZyXEL Device exists. Your ZyXEL Device supports anti-probing, which prevents the ICMP response packet from being sent. This keeps outsiders from discovering your ZyXEL Device when unsupported ports are probed.
If you clear this, your ZyXEL Device replies with an ICMP Port Unreachable packet for a port probe on unused UDP ports and with a TCP Reset packet for a port probe on unused TCP ports.
Apply: Click this to save your changes.
Cancel: Click this to set every field in this screen to its default value.
CHAPTER 20
UPnP
Use this screen to set up UPnP.
20.1 Introducing Universal Plug and Play
Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network. In turn, a device can leave a network smoothly and automatically when it is no longer in use.
20.1.1 How do I know if I'm using UPnP?
UPnP hardware is identified as an icon in the Network Connections folder (Windows XP). Each UPnP compatible device installed on your network will appear as a separate icon. Selecting the icon of a UPnP device will allow you to access the information and properties of that device.
20.1.2 NAT Traversal
UPnP NAT traversal automates the process of allowing an application to operate through NAT. UPnP network devices can automatically configure network addressing, announce their presence in the network to other UPnP devices and enable exchange of simple product and service descriptions. NAT traversal allows the following:
• Dynamic port mapping
• Learning public IP addresses
• Assigning lease times to mappings
Windows Messenger is an example of an application that supports NAT traversal and UPnP.
See Chapter 10 on page 129 for further information about NAT.
20.1.3 Cautions with UPnP
The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments.
All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention.
20.1.4 UPnP and ZyXEL
ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum UPnP Implementors Corp. (UIC). ZyXEL's UPnP implementation supports IGD 1.0 (Internet Gateway Device). At the time of writing ZyXEL's UPnP implementation supports Windows Messenger 4.6 and 4.7 while Windows Messenger 5.0 and Xbox are still being tested.
The ZyXEL Device only sends UPnP multicasts to the LAN.
See later sections for examples of installing UPnP in Windows XP and Windows Me as well as an example of using UPnP in Windows.
20.2 UPnP Examples
20.2.1 Installing UPnP in Windows Example
This section shows how to install UPnP in Windows Me and Windows XP.
20.2.1.1 Installing UPnP in Windows Me
Follow the steps below to install the UPnP in Windows Me.
1 Click Start and Control Panel. Double-click Add/Remove Programs.
2 Click on the Windows Setup tab and select Communication in the Components selection box. Click Details.
Figure 140 Add/Remove Programs: Windows Setup: Communication
3 In the Communications window, select the Universal Plug and Play check box in the Components selection box.
Figure 141 Add/Remove Programs: Windows Setup: Communication Components
4 Click OK to go back to the Add/Remove Programs Properties window and click Next.
5 Restart the computer when prompted.
20.2.1.2 Installing UPnP in Windows XP
Follow the steps below to install the UPnP in Windows XP.
1 Click Start and Control Panel.
2 Double-click Network Connections.
3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components.
Figure 142 Network Connections
4 The Windows Optional Networking Components Wizard window displays. Select Networking Service in the Components selection box and click Details.
Figure 143 Windows Optional Networking Components Wizard
5 In the Networking Services window, select the Universal Plug and Play check box.
Figure 144 Networking Services
6 Click OK to go back to the Windows Optional Networking Component Wizard window and click Next.
20.2.2 Using UPnP in Windows XP Example
This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL Device.
Make sure the computer is connected to a LAN port of the ZyXEL Device. Turn on your computer and the ZyXEL Device.
20.2.2.1 Auto-discover Your UPnP-enabled Network Device
1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.
2 Right-click the icon and select Properties.
Figure 145 Network Connections
3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created.
Figure 146 Internet Connection Properties
4 You may edit or delete the port mappings or click Add to manually add port mappings.
Figure 147 Internet Connection Properties: Advanced Settings
Figure 148 Internet Connection Properties: Advanced Settings: Add
5 When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
6 Select the Show icon in notification area when connected option and click OK. An icon displays in the system tray.
Figure 149 System Tray Icon
7 Double-click on the icon to display your current Internet connection status.
Figure 150 Internet Connection Status
20.2.2.2 Web Configurator Easy Access
With UPnP, you can access the web-based configurator on the ZyXEL Device without finding out the IP address of the ZyXEL Device first. This becomes helpful if you do not know the IP address of the ZyXEL Device.
Follow the steps below to access the web configurator.
1 Click Start and then Control Panel.
2 Double-click Network Connections.
3 Select My Network Places under Other Places.
Figure 151 Network Connections
4 An icon with the description for each UPnP-enabled device displays under Local Network.
5 Right-click on the icon for your ZyXEL Device and select Invoke. The web configurator login screen displays.
Figure 152 Network Connections: My Network Places
6 Right-click on the icon for your ZyXEL Device and select Properties. A properties window displays with basic information about the ZyXEL Device.
Figure 153 Network Connections: My Network Places: Properties: Example
20.3 UPnP Screen
Use this screen to set up UPnP in your ZyXEL Device. To access this screen, click Management > UPnP.
Figure 154 Management > UPnP
Each field is described in the following table.
Table 91 Management > UPnP
LABEL DESCRIPTION
Device Name: This field identifies your device in UPnP applications.
Enable the Universal Plug and Play (UPnP) Feature: Select this to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the ZyXEL Device's IP address. You still have to enter the password, however.
Allow users to make configuration changes through UPnP: Select this to allow UPnP-enabled applications to automatically configure the ZyXEL Device so that they can communicate through the ZyXEL Device. For example, using NAT traversal, UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP enabled device; this eliminates the need to manually configure port forwarding for the UPnP enabled application.
Allow UPnP to pass through Firewall: Select this to allow traffic from UPnP-enabled applications to bypass the firewall. Clear this if you want the firewall to check UPnP application packets (for example, MSN packets).
Apply: Click this to save your changes and to apply them to the ZyXEL Device.
Cancel: Click this to set every field in this screen to its default value.
CHAPTER 21
System
Use this screen to set up general system settings, change the system mode, change the password, configure the DDNS server settings, and set the current date and time.
21.1 System Features Overview
21.1.1 System Name
System Name is for identification purposes. However, because some ISPs check this name, you should enter your computer's "Computer Name".
• In Windows 95/98 click Start, Settings, Control Panel, Network. Click the Identification tab, note the entry for the Computer Name field and enter it as the System Name.
• In Windows 2000, click Start, Settings and Control Panel and then double-click System. Click the Network Identification tab and then the Properties button. Note the entry for the Computer name field and enter it as the System Name.
• In Windows XP, click Start, My Computer, View system information and then click the Computer Name tab. Note the entry in the Full computer name field and enter it as the ZyXEL Device System Name.
21.1.2 Domain Name
The Domain Name entry is what is propagated to the DHCP clients on the LAN. If you leave this blank, the domain name obtained by DHCP from the ISP is used. While you must enter the host name (System Name) on each individual computer, the domain name can be assigned from the ZyXEL Device via DHCP.
21.1.3 DNS Server Address Assignment
Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa, for instance, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.
The ZyXEL Device can get the DNS server addresses in the following ways.
1 The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, enter them in the DNS Server fields in the SYSTEM General screen.
2 If the ISP did not give you DNS server information, leave the DNS Server fields in the SYSTEM General screen set to 0.0.0.0 for the ISP to dynamically assign the DNS server IP addresses.
21.1.4 Dynamic DNS
Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect. Your friends or relatives will always be able to call you even if they don't know your IP address.
First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a domain name. The Dynamic DNS service provider will give you a password or key.
Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname.
If you have a private WAN IP address, then you cannot use Dynamic DNS.
21.1.5 Pre-defined NTP Time Servers List
The ZyXEL Device uses the following pre-defined list of NTP time servers if you do not specify a time server or it cannot synchronize with the time server you specified.
The ZyXEL Device can use this pre-defined list of time servers regardless of the Time Protocol you select.
When the ZyXEL Device uses the pre-defined list of NTP time servers, it randomly selects one server and tries to synchronize with it. If the synchronization fails, then the ZyXEL Device goes through the rest of the list in order from the first one tried until either it is successful or all the pre-defined NTP time servers have been tried.
Table 92 Pre-defined NTP Time Servers
ntp1.cs.wisc.edu
ntp1.gbg.netnod.se
ntp2.cs.wisc.edu
tock.usno.navy.mil
ntp3.cs.wisc.edu
ntp.cs.strath.ac.uk
ntp1.sp.se
time1.stupi.se
tick.stdtime.gov.tw
tock.stdtime.gov.tw
time.stdtime.gov.tw
21.1.6 Resetting the Time
The ZyXEL Device resets the time in the following instances:
• When the ZyXEL Device starts up.
• When you click Apply in the Time Setting Screen.
• 24-hour intervals after starting.
21.2 System Screens
21.2.1 General System Screen
Use this screen to change the ZyXEL Device's mode, set up the ZyXEL Device's system name, domain name, idle timeout, and administrator password. To access this screen, click Maintenance > System > General.
Figure 155 Maintenance > System > General
Each field is described in the following table.
Table 93 Maintenance > System > General
LABEL DESCRIPTION
System Setup
System Name: Enter your computer's "Computer Name". This is for identification purposes, but some ISPs also check this field. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes "-" and underscores "_" are accepted.
Domain Name: Enter the domain name entry that is propagated to DHCP clients on the LAN. If you leave this blank, the domain name obtained from the ISP is used. Use up to 38 alphanumeric characters. Spaces are not allowed, but dashes "-" and periods "." are accepted.
Administrator Inactivity Timer: Enter the number of minutes a management session can be left idle before the session times out. After it times out, you have to log in again. A value of "0" means a management session never times out, no matter how long it has been left idle. This is not recommended. Long idle timeouts may have security risks. The default is five minutes.
Password Setup
Old Password: Enter the current password you use to access the ZyXEL Device.
New Password: Enter the new password for the ZyXEL Device. You can use up to 30 characters. As you type the password, the screen displays an asterisk (*) for each character you type.
Retype to Confirm: Enter the new password again.
Apply: Click this to save your changes and to apply them to the ZyXEL Device.
Reset: Click this to set every field in this screen to its default value.
21.2.2 Dynamic DNS Screen
Use this screen to set up the ZyXEL Device as a dynamic DNS client. To access this screen, click Maintenance > System > Dynamic DNS.
Figure 156 Maintenance > System > Dynamic DNS
Each field is described in the following table.
Table 94 Maintenance > System > Dynamic DNS
LABEL DESCRIPTION
Dynamic DNS Setup
Enable Dynamic DNS: Select this to use dynamic DNS.
Service Provider: Select the name of your Dynamic DNS service provider.
Dynamic DNS Type: Select the type of service that you are registered for from your Dynamic DNS service provider.
Host Name: Enter the host name. You can specify up to two host names, separated by a comma (",").
User Name: Enter your user name.
Password: Enter the password assigned to you.
Enable Wildcard Option: Select this to enable the DynDNS Wildcard feature.
Enable offline option: This field is available when CustomDNS is selected in the DDNS Type field. Select this if your Dynamic DNS service provider redirects traffic to a URL that you can specify while you are off line. Check with your Dynamic DNS service provider.
IP Address Update Policy
Use WAN IP Address: Select this if you want the ZyXEL Device to update the domain name with the WAN port's IP address.
Dynamic DNS server auto detect IP address: Select this if you want the DDNS server to update the IP address of the host name(s) automatically. Select this option when there are one or more NAT routers between the ZyXEL Device and the DDNS server.
Note: The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the ZyXEL Device and the DDNS server.
Use specified IP address: Select this if you want to use the specified IP address with the host name(s). Then, specify the IP address. Use this option if you have a static IP address.
Apply: Click this to save your changes and to apply them to the ZyXEL Device.
Reset: Click this to set every field in this screen to its default value.
21.2.3 Time Setting Screen
Use this screen to set the date, time, and time zone in the ZyXEL Device. To access this screen, click Maintenance > System > Time Setting.
Figure 157 Maintenance > System > Time Setting
Each field is described in the following table.
Table 95 Maintenance > System > Time Setting
LABEL DESCRIPTION
Current Time and Date: This section displays the current date and time.
Time and Date Setup
Manual: Select this if you want to specify the current date and time in the fields below.
New Time: Enter the new time in this field, and click Apply.
New Date: Enter the new date in this field, and click Apply.
Get from Time Server: Select this if you want to use a time server to update the current date and time in the ZyXEL Device.
Time Protocol: Select the time service protocol that your time server uses. Check with your ISP or network administrator, or use trial-and-error to find a protocol that works.
Daytime (RFC 867) - This format is day/month/year/time zone.
Time (RFC 868) - This format displays a 4-byte integer giving the total number of seconds since 1970/1/1 at 0:0:0.
NTP (RFC 1305) - This format is similar to Time (RFC 868).
Time Server Address: Enter the IP address or URL of your time server. Check with your ISP or network administrator if you are unsure of this information.
Time Zone Setup
Time Zone: Select the time zone at your location.
Daylight Savings: Select this if your location uses daylight savings time. Daylight savings is a period from late spring to early fall when many places set their clocks ahead of normal local time by one hour to give more daytime light in the evening.
Start Date: Enter which hour on which day of which week of which month daylight-savings time starts.
End Date: Enter which hour on which day of which week of which month daylight-savings time ends.
Apply: Click this to save your changes and to apply them to the ZyXEL Device.
Reset: Click this to set every field in this screen to its last-saved value.
CHAPTER 22
Logs
Use these screens to look at log entries and alerts and to configure the ZyXEL Device's log and alert settings.
22.1 Logs Overview
For a list of log messages, see Section 22.3 on page 245.
22.1.1 Alerts
An alert is a type of log that warrants more serious attention. Some categories such as System Errors consist of both logs and alerts.
22.1.2 Syslog Logs
There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session" is terminated. A traffic log summarizes the session's type, when it started and stopped, the amount of traffic that was sent and received, and so on. An external log analyzer can reconstruct and analyze the traffic flowing through the device after collecting the traffic logs.
Table 96 Syslog Logs
LOG MESSAGE  DESCRIPTION
Event Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="<msg>" note="<note>" devID="<mac address>" cat="<category>"
This message is sent by the system ("RAS" displays as the system name if you haven't configured one) when the router generates a syslog. The facility is defined in the Log Settings screen. The severity is the log's syslog class. The messages and notes are defined in the various log charts throughout this appendix. The "devID" is the MAC address of the router's LAN port. The "cat" is the same as the category in the router's logs.
Traffic Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="Traffic Log" note="Traffic Log" devID="<mac address>" cat="Traffic Log" duration=seconds sent=sentBytes rcvd=receiveBytes dir="<from:to>" protoID=IPProtocolID proto="serviceName" trans="IPSec/ Normal"
This message is sent by the device when the connection (session) is closed. The facility is defined in the Log Settings screen. The severity is the traffic log type. The message and note always display "Traffic Log". The "proto" field lists the service name. The "dir" field lists the incoming and outgoing interfaces ("LAN:LAN", "LAN:WAN", "LAN:DEV" for example).
The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type.
Table 97 RFC-2408 ISAKMP Payload Types
LOG DISPLAY  PAYLOAD TYPE
SA  Security Association
PROP  Proposal
TRANS  Transform
KE  Key Exchange
ID  Identification
CER  Certificate
CER_REQ  Certificate Request
HASH  Hash
SIG  Signature
NONCE  Nonce
NOTFY  Notification
DEL  Delete
VID  Vendor ID
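The two line formats in Table 96 are regular enough to parse mechanically, which is what a collector in front of a syslog server needs to do before it can alert on them. The following Python is an added example, not ZyXEL's code and not part of this manual: it splits the <PRI> header into facility and severity (PRI = Facility*8 + Severity), pulls out the key="value" fields, and then runs two defender checks over a handful of constructed sample lines: repeated failed logins from one source (using the messages listed in the System Maintenance log table) and totals of traffic-log bytes per direction. The hostname RAS follows the description above; the category names "System Maintenance", "Attack" and "Traffic Log", the devID MAC address and all IP addresses are assumed sample values.

```python
"""Parse ZyXEL-style syslog event and traffic log lines (format as in Table 96)
and run two simple defender checks over them. Added example; sample data is constructed."""
import re
from collections import Counter, defaultdict

# Common header: <PRI>Mon dd hh:mm:ss hostname, followed by key="value" pairs.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<rest>.*)$'
)
# key="quoted value" (may be empty) or key=bare value (duration=, sent=, rcvd=, protoID=).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log; the addresses, MAC and category names are assumptions.
SAMPLE_LOG = """\
<134>Jan 12 09:15:03 RAS src="10.0.0.7:4431" dst="192.168.1.1:80" msg="WEB login failed" note="" devID="001349aabbcc" cat="System Maintenance"
<134>Jan 12 09:15:09 RAS src="10.0.0.7:4432" dst="192.168.1.1:80" msg="WEB login failed" note="" devID="001349aabbcc" cat="System Maintenance"
<134>Jan 12 09:15:14 RAS src="10.0.0.7:4433" dst="192.168.1.1:80" msg="WEB login failed" note="" devID="001349aabbcc" cat="System Maintenance"
<134>Jan 12 09:16:00 RAS src="10.0.0.9:5120" dst="192.168.1.1:80" msg="Successful WEB login" note="" devID="001349aabbcc" cat="System Maintenance"
<132>Jan 12 09:20:41 RAS src="203.0.113.5:0" dst="192.168.1.1:0" msg="syn flood TCP" note="" devID="001349aabbcc" cat="Attack"
<134>Jan 12 09:21:10 RAS src="192.168.1.33:51000" dst="198.51.100.20:443" msg="Traffic Log" note="Traffic Log" devID="001349aabbcc" cat="Traffic Log" duration=37 sent=2048 rcvd=90112 dir="LAN:WAN" protoID=6 proto="HTTPS" trans="Normal"
<134>Jan 12 09:22:02 RAS src="192.168.1.33:51001" dst="198.51.100.21:80" msg="Traffic Log" note="Traffic Log" devID="001349aabbcc" cat="Traffic Log" duration=5 sent=512 rcvd=4096 dir="LAN:WAN" protoID=6 proto="HTTP" trans="Normal"
"""


def split_endpoint(value):
    """Split "<ip:port>" into (ip, port); port is None if absent or not numeric."""
    ip, sep, port = value.rpartition(':')
    if not sep:
        return value, None
    return ip, (int(port) if port.isdigit() else None)


def parse_syslog_line(line):
    """Return a dict for one event or traffic log line, or None if it does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group('pri'))
    rec = {'facility': pri // 8, 'severity': pri % 8,
           'timestamp': m.group('ts'), 'hostname': m.group('host')}
    for key, quoted, bare in FIELD_RE.findall(m.group('rest')):
        rec[key] = bare if bare else quoted
    for side in ('src', 'dst'):
        if side in rec:
            rec[side + '_ip'], rec[side + '_port'] = split_endpoint(rec[side])
    return rec


def parse_syslog(text):
    """Parse every line of a syslog capture, skipping lines that do not match."""
    return [r for r in (parse_syslog_line(l) for l in text.splitlines()) if r]


# Failed-login messages from the System Maintenance log table.
FAILED_LOGIN_MSGS = {'WEB login failed', 'TELNET Login Fail', 'FTP login failed'}


def failed_login_sources(records, threshold=3):
    """Sources with at least `threshold` failed management logins."""
    counts = Counter(r.get('src_ip') for r in records if r.get('msg') in FAILED_LOGIN_MSGS)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def attack_alerts(records):
    """(source, message) for every record in the assumed "Attack" category."""
    return [(r.get('src_ip'), r.get('msg')) for r in records if r.get('cat') == 'Attack']


def traffic_bytes_by_direction(records):
    """Sum sent/received bytes of traffic logs per dir field, e.g. "LAN:WAN"."""
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        if r.get('cat') == 'Traffic Log':
            totals[r['dir']][0] += int(r['sent'])
            totals[r['dir']][1] += int(r['rcvd'])
    return {d: (sent, rcvd) for d, (sent, rcvd) in totals.items()}


if __name__ == '__main__':
    recs = parse_syslog(SAMPLE_LOG)
    print('parsed', len(recs), 'records')
    print('repeated failed logins:', failed_login_sources(recs))
    print('attack alerts:', attack_alerts(recs))
    print('traffic bytes by direction:', traffic_bytes_by_direction(recs))
```

The facility number recovered from PRI should match what was chosen in the Log Facility field of the Log Settings screen; a mismatch is the first thing to check when lines land in the wrong file on the syslog server.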
22.2 Logs Screens
22.2.1 Log Viewer Screen
Use this screen to look at log entries and alerts. Alerts are written in red. To access this screen, click Maintenance > Logs > View Log.
Figure 158 Maintenance > Logs > View Log
Click a column header to sort log entries in descending (later-to-earlier) order. Click again to sort in ascending order. The small triangle next to a column header indicates how the table is currently sorted (pointing downward is descending; pointing upward is ascending). Each field is described in the following table.
Table 98 Maintenance > Logs > View Log
LABEL  DESCRIPTION
Display  Select a category whose log entries you want to view. To view all logs, select All Logs. The list of categories depends on what log categories are selected in the Log Settings page.
Email Log Now  Click this to send the log screen to the e-mail address specified in the Log Settings page.
Refresh  Click Refresh to renew the log screen.
Clear Log  Click Clear Log to clear all the log entries, regardless of what is shown on the log screen.
#  This field is a sequential value, and it is not associated with a specific log entry.
Time  This field displays the time the log entry was recorded.
Message  This field displays the reason for the log entry. See Section 22.3 on page 245.
Source  This field displays the source IP address and the port number of the incoming packet. In many cases, some or all of this information may not be available.
Destination  This field lists the destination IP address and the port number of the incoming packet. In many cases, some or all of this information may not be available.
Note  This field displays additional information about the log entry.
22.2.2 Log Settings Screen
Use this screen to configure where the ZyXEL Device sends logs and alerts, the schedule for sending logs, and which logs and alerts are sent or recorded.
To access this screen, click Maintenance > Logs > Log Settings.
Figure 159 Maintenance > Logs > Log Settings
Each field is described in the following table.
Table 99 Maintenance > Logs > Log Settings
LABEL  DESCRIPTION
E-mail Log Settings
Mail Server  Enter the server name or the IP address of the mail server the ZyXEL Device should use to e-mail logs and alerts. Leave this field blank if you do not want to send logs or alerts by e-mail.
Mail Subject  Enter the subject line used in e-mail messages the ZyXEL Device sends.
Send Log to  Enter the e-mail address to which log entries are sent by e-mail. Leave this field blank if you do not want to send logs by e-mail.
Send Alerts to  Enter the e-mail address to which alerts are sent by e-mail. Leave this field blank if you do not want to send alerts by e-mail.
Log Schedule  Select the frequency with which the ZyXEL Device should send log messages by e-mail. The options are Daily, Weekly, Hourly, When Log is Full and None.
If the Weekly or the Daily option is selected, specify a time of day when the E-mail should be sent. If the Weekly option is selected, then also specify which day of the week the E-mail should be sent. If the When Log is Full option is selected, an alert is sent when the log fills up. If you select None, no log messages are sent.
Day for Sending Log  This field is only available when you select Weekly in the Log Schedule field. Select which day of the week to send the logs.
Time for Sending Log  This field is only available when you select Daily or Weekly in the Log Schedule field. Enter the time of day in 24-hour format (for example 23:00 equals 11:00 pm) to send the logs.
Clear log after sending mail  Select this to clear all logs and alert messages after logs are sent by e-mail.
Syslog Logging  Syslog logging sends a log to an external syslog server used to store logs.
Active  Select this to enable syslog logging.
Syslog Server IP Address  Enter the server name or IP address of the syslog server that logs the selected categories of logs.
Log Facility  Select a location. The log facility allows you to log the messages in different files in the syslog server. See the documentation of your syslog for more details.
Active Log and Alert
Log  Select the categories of logs that you want to record.
Send immediate alert  Select the categories of alerts that you want the ZyXEL Device to send immediately.
Apply  Click this to save your changes and to apply them to the ZyXEL Device.
Cancel  Click this to set every field in this screen to its last-saved value.
22.3 Log Message Descriptions
The following tables provide descriptions of example log messages.
Table 100 System Error Logs
LOG MESSAGE  DESCRIPTION
WAN connection is down.  The WAN connection is down. You cannot access the network through this interface.
%s exceeds the max. number of session per host!  This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host.
Table 101 System Maintenance Logs
LOG MESSAGE  DESCRIPTION
Time calibration is successful  The device has adjusted its time based on information from the time server.
Time calibration failed  The device failed to get information from the time server.
WAN interface gets IP: %s  The WAN interface got a new IP address from the DHCP or PPPoE server.
DHCP client gets %s  A DHCP client got a new IP address from the DHCP server.
DHCP client IP expired  A DHCP client's IP address has expired.
DHCP server assigns %s  The DHCP server assigned an IP address to a client.
Successful WEB login  Someone has logged on to the device's web configurator interface.
WEB login failed  Someone has failed to log on to the device's web configurator interface.
TELNET Login Successfully  Someone has logged on to the router via telnet.
TELNET Login Fail  Someone has failed to log on to the router via telnet.
Successful FTP login  Someone has logged on to the device via ftp.
FTP login failed  Someone has failed to log on to the device via ftp.
NAT Session Table is Full!  The maximum number of NAT session table entries has been exceeded and the table is full.
Time initialized by Daytime Server  The device got the time and date from the Daytime server.
Time initialized by Time server  The device got the time and date from the time server.
Time initialized by NTP server  The device got the time and date from the NTP server.
Connect to Daytime server fail  The device was not able to connect to the Daytime server.
Connect to Time server fail  The device was not able to connect to the Time server.
Connect to NTP server fail  The device was not able to connect to the NTP server.
Too large ICMP packet has been dropped  The device dropped an ICMP packet that was too large.
Configuration Change: PC = 0x%x, Task ID = 0x%x  The device is saving configuration changes.
Table 102 Access Control Logs
LOG MESSAGE  DESCRIPTION
Firewall default policy: [ TCP | UDP | IGMP | ESP | GRE | OSPF ] <Packet Direction>  Attempted TCP/UDP/IGMP/ESP/GRE/OSPF access matched the default policy and was blocked or forwarded according to the default policy's setting.
Firewall rule [NOT] match:[ TCP | UDP | IGMP | ESP | GRE | OSPF ] <Packet Direction>, <rule:%d>  Attempted TCP/UDP/IGMP/ESP/GRE/OSPF access matched (or did not match) a configured firewall rule (denoted by its number) and was blocked or forwarded according to the rule.
Triangle route packet forwarded: [ TCP | UDP | IGMP | ESP | GRE | OSPF ]  The firewall allowed a triangle route session to pass through.
Packet without a NAT table entry blocked: [ TCP | UDP | IGMP | ESP | GRE | OSPF ]  The router blocked a packet that didn't have a corresponding NAT table entry.
Router sent blocked web site message: TCP  The router sent a message to notify a user that the router blocked access to a web site that the user requested.
Exceed maximum sessions per host (%d).  The device blocked a session because the host's connections exceeded the maximum sessions per host.
Firewall allowed a packet that matched a NAT session: [ TCP | UDP ]  A packet from the WAN (TCP or UDP) matched a cone NAT session and the device forwarded it to the LAN.
Table 103 TCP Reset Logs
LOG MESSAGE  DESCRIPTION
Under SYN flood attack, sent TCP RST  The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host).
Exceed TCP MAX incomplete, sent TCP RST  The router sent a TCP reset packet when the number of TCP incomplete connections exceeded the user-configured threshold (the TCP incomplete count is per destination host).
Peer TCP state out of order, sent TCP RST  The router sent a TCP reset packet when a TCP connection state was out of order. Note: The firewall refers to RFC793 Figure 6 to check the TCP state.
Firewall session time out, sent TCP RST  The router sent a TCP reset packet when a dynamic firewall session timed out. The default timeout values are as follows: ICMP idle timeout: 3 minutes; UDP idle timeout: 3 minutes; TCP connection (three way handshaking) timeout: 270 seconds; TCP FIN-wait timeout: 2 MSL (Maximum Segment Lifetime set in the TCP header); TCP idle (established) timeout (s): 150 minutes; TCP reset timeout: 10 seconds.
Exceed MAX incomplete, sent TCP RST  The router sent a TCP reset packet when the number of incomplete connections (TCP and UDP) exceeded the user-configured threshold (the incomplete count is for all TCP and UDP connections through the firewall). Note: When the number of incomplete connections (TCP + UDP) > "Maximum Incomplete High", the router sends TCP RST packets for TCP connections and destroys TOS (firewall dynamic sessions) until incomplete connections < "Maximum Incomplete Low".
Access block, sent TCP RST  The router sends a TCP RST packet and generates this log if you turn on the firewall TCP reset mechanism (via CI command: sys firewall tcprst).
Table 104 Packet Filter Logs
LOG MESSAGE  DESCRIPTION
[ TCP | UDP | ICMP | IGMP | Generic ] packet filter matched (set: %d, rule: %d)  Attempted access matched a configured filter rule (denoted by its set and rule number) and was blocked or forwarded according to the rule.
Table 105 ICMP Logs
LOG MESSAGE  DESCRIPTION
Firewall default policy: ICMP <Packet Direction>, <type:%d>, <code:%d>  ICMP access matched the default policy and was blocked or forwarded according to the user's setting.
Firewall rule [NOT] match: ICMP <Packet Direction>, <rule:%d>, <type:%d>, <code:%d>  ICMP access matched (or didn't match) a firewall rule (denoted by its number) and was blocked or forwarded according to the rule.
Triangle route packet forwarded: ICMP  The firewall allowed a triangle route session to pass through.
Packet without a NAT table entry blocked: ICMP  The router blocked a packet that didn't have a corresponding NAT table entry.
Unsupported/out-of-order ICMP: ICMP  The firewall does not support this kind of ICMP packet, or the ICMP packets are out of order.
Router reply ICMP packet: ICMP  The router sent an ICMP reply packet to the sender.
For type and code details, see Table 112 on page 251.
Table 106 CDR Logs
LOG MESSAGE  DESCRIPTION
board %d line %d channel %d, call %d, %s C01 Outgoing Call dev=%x ch=%x %s  The router received the setup requirements for a call. "call" is the reference (count) number of the call. "dev" is the device type (3 is for dial-up, 6 is for PPPoE). "channel" or "ch" is the call channel ID. For example, "board 0 line 0 channel 0, call 3, C01 Outgoing Call dev=6 ch=0" means the router has dialed to the PPPoE server 3 times.
board %d line %d channel %d, call %d, %s C02 OutCall Connected %d %s  The PPPoE or dial-up call is connected.
board %d line %d channel %d, call %d, %s C02 Call Terminated  The PPPoE or dial-up call was disconnected.
Table 107 PPP Logs
LOG MESSAGE  DESCRIPTION
ppp:LCP Starting  The PPP connection's Link Control Protocol stage has started.
ppp:LCP Opening  The PPP connection's Link Control Protocol stage is opening.
ppp:CHAP Opening  The PPP connection's Challenge Handshake Authentication Protocol stage is opening.
ppp:IPCP Starting  The PPP connection's Internet Protocol Control Protocol stage is starting.
ppp:IPCP Opening  The PPP connection's Internet Protocol Control Protocol stage is opening.
ppp:LCP Closing  The PPP connection's Link Control Protocol stage is closing.
ppp:IPCP Closing  The PPP connection's Internet Protocol Control Protocol stage is closing.
Table 108 UPnP Logs
LOG MESSAGE DESCRIPTION
UPnP pass through Firewall UPnP packets can pass through the firewall.
Table 109 Content Filtering Logs
LOG MESSAGE  DESCRIPTION
%s: Keyword blocking  The content of a requested web page matched a user defined keyword.
%s: Not in trusted web list  The web site is not in a trusted domain, and the router blocks all traffic except trusted domain sites.
%s: Forbidden Web site  The web site is in the forbidden web site list.
%s: Contains ActiveX  The web site contains ActiveX.
%s: Contains Java applet  The web site contains a Java applet.
%s: Contains cookie  The web site contains a cookie.
%s: Proxy mode detected  The router detected proxy mode in the packet.
%s: Trusted Web site  The web site is in a trusted domain.
%s  When the content filter is not on according to the time schedule.
Waiting content filter server timeout  The external content filtering server did not respond within the timeout period.
DNS resolving failed  The ZyXEL Device cannot get the IP address of the external content filtering via DNS query.
Creating socket failed  The ZyXEL Device cannot issue a query because TCP/IP socket creation failed, port:port number.
Connecting to content filter server fail  The connection to the external content filtering server failed.
License key is invalid  The external content filtering license key is invalid.
Table 110 Attack Logs
LOG MESSAGE  DESCRIPTION
attack [ TCP | UDP | IGMP | ESP | GRE | OSPF ]  The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF attack.
attack ICMP (type:%d, code:%d)  The firewall detected an ICMP attack.
land [ TCP | UDP | IGMP | ESP | GRE | OSPF ]  The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF land attack.
land ICMP (type:%d, code:%d)  The firewall detected an ICMP land attack.
ip spoofing - WAN [ TCP | UDP | IGMP | ESP | GRE | OSPF ]  The firewall detected an IP spoofing attack on the WAN port.
ip spoofing - WAN ICMP (type:%d, code:%d)  The firewall detected an ICMP IP spoofing attack on the WAN port.
icmp echo : ICMP (type:%d, code:%d)  The firewall detected an ICMP echo attack.
syn flood TCP  The firewall detected a TCP syn flood attack.
ports scan TCP  The firewall detected a TCP port scan attack.
teardrop TCP  The firewall detected a TCP teardrop attack.
teardrop UDP  The firewall detected a UDP teardrop attack.
teardrop ICMP (type:%d, code:%d)  The firewall detected an ICMP teardrop attack.
illegal command TCP  The firewall detected a TCP illegal command attack.
NetBIOS TCP  The firewall detected a TCP NetBIOS attack.
ip spoofing - no routing entry [ TCP | UDP | IGMP | ESP | GRE | OSPF ]  The firewall classified a packet with no source routing entry as an IP spoofing attack.
ip spoofing - no routing entry ICMP (type:%d, code:%d)  The firewall classified an ICMP packet with no source routing entry as an IP spoofing attack.
vulnerability ICMP (type:%d, code:%d)  The firewall detected an ICMP vulnerability attack.
traceroute ICMP (type:%d, code:%d)  The firewall detected an ICMP traceroute attack.
ports scan UDP  The firewall detected a UDP port scan attack.
Firewall sent TCP packet in response to DoS attack TCP  The firewall sent a TCP packet in response to a DoS attack.
ICMP Source Quench ICMP  The firewall detected an ICMP Source Quench attack.
ICMP Time Exceed ICMP  The firewall detected an ICMP Time Exceed attack.
ICMP Destination Unreachable ICMP  The firewall detected an ICMP Destination Unreachable attack.
ping of death. ICMP  The firewall detected an ICMP ping of death attack.
smurf ICMP  The firewall detected an ICMP smurf attack.
For type and code details, see Table 112 on page 251.
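The message templates in the attack log table follow two conventions: a bracketed list such as [ TCP | UDP | IGMP | ESP | GRE | OSPF ] stands for one protocol name, and %d stands for a decimal number. A collector that wants to alert on these messages has to turn those templates into something it can match. The Python below is an added example, not from this manual and not ZyXEL's code: it compiles a subset of the attack templates into regular expressions with named groups, classifies the msg field of a log line and extracts the protocol or the ICMP type and code. The ICMP_NOTES dictionary holds a few type/code meanings from the ICMP Notes table for annotation; the template keys and the sample messages are constructed.

```python
"""Compile printf-style attack log templates into regular expressions and
classify raw msg strings with them. Added example; sample data is constructed."""
import re
from collections import Counter

# A subset of the Attack Logs templates, keyed by a short name chosen here.
ATTACK_TEMPLATES = {
    'attack': 'attack [ TCP | UDP | IGMP | ESP | GRE | OSPF ]',
    'attack_icmp': 'attack ICMP (type:%d, code:%d)',
    'land': 'land [ TCP | UDP | IGMP | ESP | GRE | OSPF ]',
    'land_icmp': 'land ICMP (type:%d, code:%d)',
    'ip_spoofing_wan': 'ip spoofing - WAN [ TCP | UDP | IGMP | ESP | GRE | OSPF ]',
    'syn_flood': 'syn flood TCP',
    'ports_scan_tcp': 'ports scan TCP',
    'ports_scan_udp': 'ports scan UDP',
    'teardrop_icmp': 'teardrop ICMP (type:%d, code:%d)',
    'ping_of_death': 'ping of death. ICMP',
    'smurf': 'smurf ICMP',
}

# Tokens that carry meaning inside a template: a "[ A | B ]" alternative,
# a "name:%d" number we want captured under that name, or a bare %d / %x / %s.
TOKEN_RE = re.compile(r'\[ (?P<alts>[^\]]+?) \]|(?P<named>\w+):%d|%d|%x|%s')

# A few type/code meanings from the ICMP Notes table, used to annotate matches.
ICMP_NOTES = {
    (0, 0): 'Echo reply message',
    (3, 0): 'Net unreachable',
    (3, 1): 'Host unreachable',
    (3, 3): 'Port unreachable',
    (8, 0): 'Echo message',
    (11, 0): 'Time to live exceeded in transit',
}

# Constructed sample msg values as they would appear in the msg="..." field.
SAMPLE_MSGS = [
    'syn flood TCP', 'attack ICMP (type:8, code:0)', 'land UDP',
    'ip spoofing - WAN TCP', 'ports scan UDP', 'ping of death. ICMP',
    'Traffic Log', 'attack OSPF', 'syn flood TCP',
]


def template_to_regex(template):
    """Turn one manual template into an anchored, compiled regular expression."""
    parts, pos = [], 0
    for m in TOKEN_RE.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))  # literal text between tokens
        if m.group('alts'):
            alts = '|'.join(re.escape(a.strip()) for a in m.group('alts').split('|'))
            parts.append(f'(?P<proto>{alts})')
        elif m.group('named'):
            name = m.group('named')
            parts.append(f'{re.escape(name)}:(?P<{name}>\\d+)')
        elif m.group(0) == '%d':
            parts.append(r'\d+')
        elif m.group(0) == '%x':
            parts.append(r'[0-9a-fA-F]+')
        else:  # %s: any text, non-greedy
            parts.append(r'.*?')
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile('^' + ''.join(parts) + '$')


COMPILED = [(name, template_to_regex(t)) for name, t in ATTACK_TEMPLATES.items()]


def classify(msg):
    """Return (template name, captured fields) for msg, or (None, {}) if no template matches."""
    for name, rx in COMPILED:
        m = rx.match(msg)
        if m:
            fields = {k: v for k, v in m.groupdict().items() if v is not None}
            if 'type' in fields and 'code' in fields:
                key = (int(fields['type']), int(fields['code']))
                fields['icmp_note'] = ICMP_NOTES.get(key, 'unknown')
            return name, fields
    return None, {}


def summarize(msgs):
    """Count messages per template name; None collects messages no template matched."""
    return Counter(classify(m)[0] for m in msgs)


if __name__ == '__main__':
    for msg in SAMPLE_MSGS:
        print(f'{msg!r:40} -> {classify(msg)}')
    print(summarize(SAMPLE_MSGS))
```

Templates that only differ in the trailing protocol word (attack, land, ip spoofing - WAN) share one regex each, so adding a protocol to the bracketed list is the only change needed if a firmware revision extends the list.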
Table 111 Remote Management Logs
LOG MESSAGE  DESCRIPTION
Remote Management: FTP denied  Attempted use of FTP service was blocked according to remote management settings.
Remote Management: TELNET denied  Attempted use of TELNET service was blocked according to remote management settings.
Remote Management: HTTP or UPnP denied  Attempted use of HTTP or UPnP service was blocked according to remote management settings.
Remote Management: WWW denied  Attempted use of WWW service was blocked according to remote management settings.
Remote Management: HTTPS denied  Attempted use of HTTPS service was blocked according to remote management settings.
Remote Management: SSH denied  Attempted use of SSH service was blocked according to remote management settings.
Remote Management: ICMP Ping response denied  Attempted use of ICMP service was blocked according to remote management settings.
Remote Management: DNS denied  Attempted use of DNS service was blocked according to remote management settings.
Table 112 ICMP Notes
TYPE  CODE  DESCRIPTION
0  Echo Reply
   0  Echo reply message
3  Destination Unreachable
   0  Net unreachable
   1  Host unreachable
   2  Protocol unreachable
   3  Port unreachable
   4  A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF)
   5  Source route failed
4  Source Quench
   0  A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network.
5  Redirect
   0  Redirect datagrams for the Network
   1  Redirect datagrams for the Host
   2  Redirect datagrams for the Type of Service and Network
   3  Redirect datagrams for the Type of Service and Host
8  Echo
   0  Echo message
11  Time Exceeded
   0  Time to live exceeded in transit
   1  Fragment reassembly time exceeded
12  Parameter Problem
   0  Pointer indicates the error
13  Timestamp
   0  Timestamp request message
14  Timestamp Reply
   0  Timestamp reply message
15  Information Request
   0  Information request message
16  Information Reply
   0  Information reply message
Table 113 SIP Logs
LOG MESSAGE  DESCRIPTION
SIP Registration Success by SIP:SIP Phone Number  The listed SIP account was successfully registered with a SIP register server.
SIP Registration Fail by SIP:SIP Phone Number  An attempt to register the listed SIP account with a SIP register server was not successful.
SIP UnRegistration Success by SIP:SIP Phone Number  The listed SIP account's registration was deleted from the SIP register server.
SIP UnRegistration Fail by SIP:SIP Phone Number  An attempt to delete the listed SIP account's registration from the SIP register server failed.
Table 114 RTP Logs
LOG MESSAGE  DESCRIPTION
Error, RTP init fail  The initialization of an RTP session failed.
Error, Call fail: RTP connect fail  A VoIP phone call failed because the RTP session could not be established.
Error, RTP connection cannot close  The termination of an RTP session failed.
Table 115 FSM Logs: Caller Side
LOG MESSAGE  DESCRIPTION
VoIP Call Start Ph[Phone Port Number] <- Outgoing Call Number  Someone used a phone connected to the listed phone port to initiate a VoIP call to the listed destination.
VoIP Call Established Ph[Phone Port] -> Outgoing Call Number  Someone used a phone connected to the listed phone port to make a VoIP call to the listed destination.
VoIP Call End Phone[Phone Port]  A VoIP phone call made from a phone connected to the listed phone port has terminated.