ZyXEL Communications 2 Plus User Manual

ZyWALL 2 Plus
Internet Security Appliance

User’s Guide

Version 4.02 3/2007 Edition 1
www.zyxel.com
About This User's Guide
Intended Audience
This manual is intended for people who want to configure the ZyWALL using the web configurator or System Management Terminal (SMT). You should have at least a basic knowledge of TCP/IP networking concepts and topology.
Related Documentation
• Quick Start Guide: The Quick Start Guide is designed to help you get up and running right away. It contains information on setting up your network and configuring for Internet access.
• Web Configurator Online Help: Embedded web help for descriptions of individual screens and supplementary information.
Note: It is recommended you use the web configurator to configure the ZyWALL.
• Supporting Disk: Refer to the included CD for support documents.
• ZyXEL Web Site: Please refer to www.zyxel.com for additional support documentation and product certifications.
User Guide Feedback
Help us help you. Send all User Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead. Thank you!
The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan.
E-mail: techwriters@zyxel.com.tw
ZyWALL 2 Plus User’s Guide
3
Document Conventions
Warnings and Notes
These are how warnings and notes are shown in this User’s Guide.
Warning: Warnings tell you about things that could harm you or your device.
Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
Syntax Conventions
• The ZyWALL 2 Plus may be referred to as the “ZyWALL”, the “device” or the “system” in this User’s Guide.
• Product labels, screen names, field labels and field choices are all in bold font.
• A key stroke is denoted by square brackets and uppercase text, for example, [ENTER] means the “enter” or “return” key on your keyboard.
• “Enter” means for you to type one or more characters and then press the [ENTER] key. “Select” or “choose” means for you to use one of the predefined choices.
• A right angle bracket ( > ) within a screen name denotes a mouse click. For example, Maintenance > Log > Log Setting means you first click Maintenance in the navigation panel, then the Log submenu and finally the Log Setting tab to get to that screen.
• Units of measurement may denote the “metric” value or the “scientific” value. For example, “k” for kilo may denote “1000” or “1024”, “M” for mega may denote “1000000” or “1048576” and so on.
• “e.g.,” is a shorthand for “for instance”, and “i.e.,” means “that is” or “in other words”.
Icons Used in Figures
Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device.
[Icon legend: ZyWALL, Computer, Notebook computer, Server, DSLAM, Firewall, Telephone, Switch, Router]
Safety Warnings
Warning: For your safety, be sure to read and follow all warning notices and instructions.
• Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
• Do NOT expose your device to dampness, dust or corrosive liquids.
• Do NOT store things on the device.
• Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.
• Connect ONLY suitable accessories to the device.
• Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel should service or disassemble this device. Please contact your vendor for further information.
• Make sure to connect the cables to the correct ports.
• Place connecting cables carefully so that no one will step on them or stumble over them.
• Always disconnect all cables from this device before servicing or disassembling.
• Use ONLY an appropriate power adaptor or cord for your device.
• Connect the power adaptor or cord to the right supply voltage (for example, 110V AC in North America or 230V AC in Europe).
• Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord.
• Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution.
• If the power adaptor or cord is damaged, remove it from the power outlet.
• Do NOT attempt to repair the power adaptor or cord. Contact your local vendor to order a new one.
• Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning.
This product is recyclable. Dispose of it properly.
Contents Overview
Introduction and Registration ...............................................................................................43
Getting to Know Your ZyWALL .................................................................................................. 45
Introducing the Web Configurator .............................................................................................. 49
Wizard Setup ............................................................................................................................. 67
Tutorial ....................................................................................................................................... 85
Registration ..............................................................................................................................117
Network ................................................................................................................................. 121
LAN Screens ........................................................................................................................... 123
Bridge Screens ........................................................................................................................ 135
WAN Screens .......................................................................................................................... 141
DMZ Screens ........................................................................................................................... 161
Wireless LAN ........................................................................................................................... 171
Security ................................................................................................................................. 179
Firewall .................................................................................................................................... 181
Content Filtering Screens .........................................................................................................211
Content Filtering Reports ......................................................................................................... 227
IPSec VPN ............................................................................................................................... 235
Certificates ............................................................................................................................... 275
Authentication Server .............................................................................................................. 301
Advanced .............................................................................................................................. 307
Network Address Translation (NAT) ........................................................................................ 309
Static Route ............................................................................................................................. 325
Bandwidth Management .......................................................................................................... 329
DNS ......................................................................................................................................... 343
Remote Management ..............................................................................................................355
UPnP ....................................................................................................................................... 377
ALG Screen ............................................................................................................................. 387
Logs and Maintenance ........................................................................................................ 393
Logs Screens ........................................................................................................................... 395
Maintenance ............................................................................................................................ 427
SMT and Troubleshooting ...................................................................................................443
Introducing the SMT ................................................................................................................ 445
SMT Menu 1 - General Setup .................................................................................................. 453
WAN and Dial Backup Setup ................................................................................................... 459
LAN Setup ............................................................................................................................... 469
Internet Access ........................................................................................................................ 475
DMZ Setup .............................................................................................................................. 479
Wireless Setup ........................................................................................................................ 483
Remote Node Setup ................................................................................................................ 487
IP Static Route Setup .............................................................................................................. 497
Network Address Translation (NAT) ........................................................................................ 499
Introducing the ZyWALL Firewall ............................................................................................. 517
Filter Configuration .................................................................................................................. 519
SNMP Configuration ................................................................................................................ 535
System Information & Diagnosis ............................................................................................. 537
Firmware and Configuration File Maintenance ........................................................................ 549
System Maintenance Menus 8 to 10 ....................................................................................... 563
Remote Management ..............................................................................................................571
Call Scheduling ........................................................................................................................ 575
Troubleshooting ....................................................................................................................... 579
Appendices and Index ......................................................................................................... 587
Table of Contents
About This User's Guide ..........................................................................................................3
Document Conventions............................................................................................................4
Safety Warnings........................................................................................................................ 6
Contents Overview ...................................................................................................................7
Table of Contents...................................................................................................................... 9
List of Figures ......................................................................................................................... 25
List of Tables...........................................................................................................................37
Part I: Introduction and Registration ................................................... 43
Chapter 1
Getting to Know Your ZyWALL.............................................................................................. 45
1.1 ZyWALL Internet Security Appliance Overview ................................................................... 45
1.2 Applications for the ZyWALL ............................................................................................... 45
1.2.1 Secure Broadband Internet Access via Cable or DSL Modem .................................. 45
1.2.2 VPN Application ......................................................................................................... 46
1.3 Ways to Manage the ZyWALL ............................................................................................. 46
1.4 Good Habits for Managing the ZyWALL .............................................................................. 47
1.5 LEDs .................................................................................................................................... 47
Chapter 2
Introducing the Web Configurator ........................................................................................49
2.1 Web Configurator Overview ................................................................................................. 49
2.2 Accessing the ZyWALL Web Configurator .......................................................................... 49
2.3 Resetting the ZyWALL ......................................................................................................... 51
2.3.1 Procedure To Use The Reset Button ......................................................................... 51
2.3.2 Uploading a Configuration File Via Console Port ....................................................... 51
2.4 Navigating the ZyWALL Web Configurator .......................................................................... 52
2.4.1 Title Bar ...................................................................................................................... 52
2.4.2 Main Window ..............................................................................................................53
2.4.3 HOME Screen: Router Mode ................................................................................. 53
2.4.4 HOME Screen: Bridge Mode .................................................................................... 55
2.4.5 Navigation Panel ........................................................................................................ 58
2.4.6 Port Statistics ........................................................................................................... 62
2.4.7 DHCP Table Screen ................................................................................................ 63
2.4.8 VPN Status ................................................................................................................. 64
2.4.9 Bandwidth Monitor .................................................................................................... 65
Chapter 3
Wizard Setup ...........................................................................................................................67
3.1 Wizard Setup Overview ...................................................................................................... 67
3.2 Internet Access ................................................................................................................... 67
3.2.1 ISP Parameters .......................................................................................................... 68
3.2.2 Internet Access Wizard: Second Screen .................................................................... 72
3.2.3 Internet Access Wizard: Registration ......................................................................... 73
3.3 VPN Wizard Gateway Setting .............................................................................................. 76
3.4 VPN Wizard Network Setting ............................................................................................... 77
3.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1) ................................................................... 79
3.6 VPN Wizard IPSec Setting (IKE Phase 2) ........................................................................... 80
3.7 VPN Wizard Status Summary .............................................................................................. 82
3.8 VPN Wizard Setup Complete .............................................................................................. 84
Chapter 4
Tutorial ..................................................................................................................................... 85
4.1 Security Settings for VPN Traffic ......................................................................................... 85
4.1.1 Firewall Rule for VPN Example .................................................................................. 85
4.1.2 Configuring the VPN Rule .......................................................................................... 86
4.1.3 Configuring the Firewall Rules ................................................................................... 89
4.2 Using NAT with Multiple Public IP Addresses ...................................................................... 92
4.2.1 Example Parameters and Scenario ........................................................................... 93
4.2.2 Configuring the WAN Connection with a Static IP Address ........................................ 94
4.2.3 Public IP Address Mapping ........................................................................................ 97
4.2.4 Forwarding Traffic from the WAN to a Local Computer ............................................ 102
4.2.5 Allow WAN-to-LAN Traffic through the Firewall ........................................................ 103
4.2.6 Testing the Connections ........................................................................................... 109
4.3 Using NAT with Multiple Game Players ............................................................................. 109
4.4 How to Manage the ZyWALL’s Bandwidth ..........................................................................110
4.4.1 Example Parameters and Scenario ..........................................................................111
4.4.2 Configuring Bandwidth Management Rules ..............................................................111
Chapter 5
Registration........................................................................................................................... 117
5.1 myZyXEL.com overview .....................................................................................................117
5.1.1 Content Filtering Subscription Service ......................................................................117
5.2 Registration ........................................................................................................................118
5.3 Service ................................................................................................................................119
Part II: Network..................................................................................... 121
Chapter 6
LAN Screens.......................................................................................................................... 123
6.1 LAN, WAN and the ZyWALL .............................................................................................. 123
6.2 IP Address and Subnet Mask ............................................................................................ 123
6.2.1 Private IP Addresses ................................................................................................ 124
6.3 DHCP ................................................................................................................................ 125
6.3.1 IP Pool Setup ........................................................................................................... 125
6.4 RIP Setup .......................................................................................................................... 125
6.5 Multicast ............................................................................................................................ 125
6.6 WINS ................................................................................................................................. 126
6.7 LAN .................................................................................................................................... 126
6.8 LAN Static DHCP ............................................................................................................... 129
6.9 LAN IP Alias .................................................................................................................... 130
6.10 LAN Port Roles ................................................................................................................ 132
Chapter 7
Bridge Screens...................................................................................................................... 135
7.1 Bridge Loop ....................................................................................................................... 135
7.2 Spanning Tree Protocol (STP) ........................................................................................... 136
7.2.1 Rapid STP ................................................................................................................136
7.2.2 STP Terminology ...................................................................................................... 136
7.2.3 How STP Works ....................................................................................................... 136
7.2.4 STP Port States ........................................................................................................ 137
7.3 Bridge ................................................................................................................................ 137
7.4 Bridge Port Roles ............................................................................................................. 139
Chapter 8
WAN Screens......................................................................................................................... 141
8.1 WAN Overview .................................................................................................................. 141
8.2 TCP/IP Priority (Metric) ...................................................................................................... 141
8.3 WAN Route ........................................................................................................................ 141
8.4 WAN IP Address Assignment ............................................................................................ 143
8.5 DNS Server Address Assignment ................................................................................... 143
8.6 WAN MAC Address ........................................................................................................... 144
8.7 WAN ................................................................................................................................ 144
8.7.1 WAN Ethernet Encapsulation ................................................................................... 144
8.7.2 PPPoE Encapsulation .............................................................................................. 147
8.7.3 PPTP Encapsulation ................................................................................................ 150
8.8 Traffic Redirect ............................................................................................................. 153
8.9 Configuring Traffic Redirect ...............................................................................................154
8.10 Configuring Dial Backup .................................................................................................. 155
8.11 Advanced Modem Setup ................................................................................................ 158
8.11.1 AT Command Strings ............................................................................................. 158
8.11.2 DTR Signal ............................................................................................................. 159
8.11.3 Response Strings ................................................................................................... 159
8.12 Configuring Advanced Modem Setup .............................................................................. 159
Chapter 9
DMZ Screens ......................................................................................................................... 161
9.1 DMZ ................................................................................................................................. 161
9.2 Configuring DMZ ............................................................................................................... 161
9.3 DMZ Static DHCP ............................................................................................................ 164
9.4 DMZ IP Alias .................................................................................................................... 165
9.5 DMZ Public IP Address Example ...................................................................................... 167
9.6 DMZ Private and Public IP Address Example ................................................................... 167
9.7 DMZ Port Roles ............................................................................................................... 168
Chapter 10
Wireless LAN.........................................................................................................................171
10.1 Wireless LAN Introduction ............................................................................................... 171
10.2 Configuring WLAN ......................................................................................................... 171
10.3 WLAN Static DHCP ....................................................................................................... 174
10.4 WLAN IP Alias ............................................................................................................... 175
10.5 WLAN Port Roles ........................................................................................................... 177
Part III: Security.................................................................................... 179
Chapter 11
Firewall................................................................................................................................... 181
11.1 Firewall Overview ............................................................................................................ 181
11.2 Packet Direction Matrix .................................................................................................... 182
11.3 Packet Direction Examples .............................................................................................. 183
11.3.1 To VPN Packet Direction ........................................................................................ 184
11.3.2 From VPN Packet Direction ................................................................................... 185
11.3.3 From VPN To VPN Packet Direction ...................................................................... 187
11.4 Security Considerations ...................................................................................................188
11.5 Firewall Rules Example ................................................................................................... 188
11.6 Asymmetrical Routes .......................................................................................................190
11.6.1 Asymmetrical Routes and IP Alias ......................................................................... 190
11.7 Firewall Default Rule (Router Mode) ................................................................................ 191
11.8 Firewall Default Rule (Bridge Mode) .............................................................................. 193
11.9 Firewall Rule Summary ................................................................................................... 194
11.9.1 Firewall Edit Rule .............................................................................................. 196
11.10 Anti-Probing ............................................................................................................... 199
11.11 Firewall Thresholds ..................................................................................................... 200
11.11.1 Threshold Values .................................................................................................. 201
11.12 Threshold Screen ........................................................................................................... 201
11.13 Service .......................................................................................................................... 203
11.13.1 Firewall Edit Custom Service .............................................................................. 204
11.14 My Service Firewall Rule Example ................................................................................ 205
Chapter 12
Content Filtering Screens .................................................................................................... 211
12.1 Content Filtering Overview ...............................................................................................211
12.1.1 Restrict Web Features ............................................................................................211
12.1.2 Create a Filter List ...................................................................................................211
12.1.3 Customize Web Site Access ..................................................................................211
12.2 Content Filter General Screen .........................................................................................211
12.3 Content Filtering with an External Database ................................................................... 214
12.4 Content Filter Categories ..............................................................................................214
12.5 Content Filter Customization ........................................................................................ 221
12.6 Customizing Keyword Blocking URL Checking ............................................................... 223
12.6.1 Domain Name or IP Address URL Checking ......................................................... 223
12.6.2 Full Path URL Checking ......................................................................................... 224
12.6.3 File Name URL Checking ....................................................................................... 224
12.7 Content Filtering Cache .................................................................................................224
Chapter 13
Content Filtering Reports.....................................................................................................227
13.1 Checking Content Filtering Activation .............................................................................. 227
13.2 Viewing Content Filtering Reports ................................................................................... 227
13.3 Web Site Submission .......................................................................................................232
Chapter 14
IPSec VPN.............................................................................................................................. 235
14.1 IPSec VPN Overview ..................................................................................................... 235
14.1.1 IKE SA Overview .................................................................................................... 236
14.2 VPN Rules (IKE) .............................................................................................................. 237
14.3 IKE SA Setup .................................................................................................................. 239
14.3.1 IKE SA Proposal .................................................................................................... 239
14.4 Additional IPSec VPN Topics ........................................................................................... 243
14.4.1 SA Life Time ........................................................................................................... 243
14.4.2 IPSec High Availability ........................................................................................... 244
14.4.3 Encryption and Authentication Algorithms ............................................................. 245
14.5 VPN Rules (IKE) Gateway Policy Edit ............................................................................. 245
14.6 IPSec SA Overview .....................................................................................................251
14.6.1 Local Network and Remote Network ...................................................................... 251
14.6.2 Virtual Address Mapping ........................................................................................ 252
14.6.3 Active Protocol ....................................................................................................... 253
14.6.4 Encapsulation ......................................................................................................... 253
14.6.5 IPSec SA Proposal and Perfect Forward Secrecy ................................................. 254
14.7 VPN Rules (IKE): Network Policy Edit ............................................................................ 255
14.8 VPN Rules (IKE): Network Policy Edit: Port Forwarding .............................................. 259
14.9 VPN Rules (IKE): Network Policy Move ........................................................................ 261
14.10 IPSec SA Using Manual Keys ................................................................................... 262
14.10.1 IPSec SA Proposal Using Manual Keys ............................................................... 262
14.10.2 Authentication and the Security Parameter Index (SPI) ....................................... 262
14.11 VPN Rules (Manual) ...................................................................................................... 262
14.12 VPN Rules (Manual): Edit ........................................................................................... 264
14.13 VPN SA Monitor .......................................................................................................... 266
14.14 VPN Global Setting ....................................................................................................... 267
14.15 Telecommuter VPN/IPSec Examples ............................................................................ 269
14.15.1 Telecommuters Sharing One VPN Rule Example ................................................ 269
14.15.2 Telecommuters Using Unique VPN Rules Example ............................................. 269
14.16 VPN and Remote Management ..................................................................................... 271
14.17 Hub-and-spoke VPN ...................................................................................................... 271
14.17.1 Hub-and-spoke VPN Example ............................................................................. 272
14.17.2 Hub-and-spoke Example VPN Rule Addresses ................................................... 273
14.17.3 Hub-and-spoke VPN Requirements and Suggestions ......................................... 273
Chapter 15
Certificates ............................................................................................................................275
15.1 Certificates Overview ....................................................................................................... 275
15.1.1 Advantages of Certificates ..................................................................................... 276
15.2 Self-signed Certificates .................................................................................................... 276
15.3 Verifying a Certificate ....................................................................................................... 276
15.3.1 Checking the Fingerprint of a Certificate on Your Computer .................................. 276
15.4 Configuration Summary ................................................................................................... 277
15.5 My Certificates ................................................................................................................ 278
15.6 My Certificate Details ..................................................................................................... 279
15.7 My Certificate Export ...................................................................................................... 282
15.7.1 Certificate File Export Formats ............................................................................... 282
15.8 My Certificate Import ..................................................................................................... 283
15.8.1 Certificate File Formats .......................................................................................... 284
15.9 My Certificate Create ..................................................................................................... 285
15.10 Trusted CAs ................................................................................................................. 288
15.11 Trusted CA Details ........................................................................................................ 289
15.12 Trusted CA Import ....................................................................................................... 292
15.13 Trusted Remote Hosts ................................................................................................. 293
15.14 Trusted Remote Host Certificate Details ..................................................................... 294
15.15 Trusted Remote Hosts Import ...................................................................................... 297
15.16 Directory Servers .......................................................................................................... 298
15.17 Directory Server Add or Edit ........................................................................................ 299
Chapter 16
Authentication Server...........................................................................................................301
16.1 Authentication Server Overview ...................................................................................... 301
16.1.1 Local User Database .............................................................................................. 301
16.1.2 RADIUS ..................................................................................................................301
16.1.3 Types of RADIUS Messages .................................................................................. 301
16.2 Local User Database .....................................................................................................302
16.3 RADIUS ......................................................................................................................... 304
Part IV: Advanced ................................................................................ 307
Chapter 17
Network Address Translation (NAT).................................................................................... 309
17.1 NAT Overview ................................................................................................................ 309
17.1.1 NAT Definitions ...................................................................................................... 309
17.1.2 What NAT Does ..................................................................................................... 310
17.1.3 How NAT Works ..................................................................................................... 310
17.1.4 NAT Application .......................................................................................................311
17.1.5 Port Restricted Cone NAT .......................................................................................311
17.1.6 NAT Mapping Types ............................................................................................... 312
17.2 Using NAT ........................................................................................................................ 313
17.2.1 SUA (Single User Account) Versus NAT ................................................................ 313
17.3 NAT Overview Screen ..................................................................................................... 313
17.4 NAT Address Mapping ................................................................................................... 315
17.4.1 What NAT Does ..................................................................................................... 315
17.4.2 NAT Address Mapping Edit .................................................................................. 316
17.5 Port Forwarding .............................................................................................................. 317
17.5.1 Default Server IP Address ...................................................................................... 318
17.5.2 Port Forwarding: Services and Port Numbers ........................................................ 318
17.5.3 Configuring Servers Behind Port Forwarding (Example) ....................................... 318
17.5.4 Port Translation ...................................................................................................... 319
17.6 Port Forwarding Screen ................................................................................................... 320
17.7 Port Triggering ............................................................................................................... 321
Chapter 18
Static Route ........................................................................................................................... 325
18.1 IP Static Route .............................................................................................................. 325
18.2 IP Static Route ................................................................................................................. 325
18.2.1 IP Static Route Edit .............................................................................................. 326
Chapter 19
Bandwidth Management.......................................................................................................329
19.1 Bandwidth Management Overview ................................................................................. 329
19.2 Bandwidth Classes and Filters ........................................................................................ 329
19.3 Proportional Bandwidth Allocation ................................................................................... 330
19.4 Application-based Bandwidth Management .................................................................... 330
19.5 Subnet-based Bandwidth Management .......................................................................... 330
19.6 Application and Subnet-based Bandwidth Management ................................................. 330
19.7 Scheduler ........................................................................................................................ 331
19.7.1 Priority-based Scheduler ........................................................................................ 331
19.7.2 Fairness-based Scheduler ..................................................................................... 331
19.7.3 Maximize Bandwidth Usage ................................................................................... 331
19.7.4 Reserving Bandwidth for Non-Bandwidth Class Traffic .......................................... 331
19.7.5 Maximize Bandwidth Usage Example .................................................................... 332
19.8 Bandwidth Borrowing .......................................................................................................333
19.8.1 Bandwidth Borrowing Example .............................................................................. 333
19.9 Maximize Bandwidth Usage With Bandwidth Borrowing ................................................. 334
19.10 Over Allotment of Bandwidth ......................................................................................... 334
19.11 Configuring Summary .................................................................................................... 335
19.12 Configuring Class Setup .............................................................................................. 336
19.12.1 Bandwidth Manager Class Configuration ........................................................... 337
19.12.2 Bandwidth Management Statistics ................................................................... 340
19.13 Bandwidth Manager Monitor ........................................................................................ 341
Chapter 20
DNS ........................................................................................................................................ 343
20.1 DNS Overview ............................................................................................................... 343
20.2 DNS Server Address Assignment ................................................................................... 343
20.3 DNS Servers .................................................................................................................... 343
20.4 Address Record ............................................................................................................... 344
20.4.1 DNS Wildcard ......................................................................................................... 344
20.5 Name Server Record ....................................................................................................... 344
20.5.1 Private DNS Server ................................................................................................ 344
20.6 System Screen ................................................................................................................ 345
20.6.1 Adding an Address Record .................................................................................. 346
20.6.2 Inserting a Name Server Record .......................................................................... 347
20.7 DNS Cache .................................................................................................................... 349
20.8 Configure DNS Cache ..................................................................................................... 349
20.9 Configuring DNS DHCP ................................................................................................ 350
20.10 Dynamic DNS .............................................................................................................. 351
20.10.1 DYNDNS Wildcard ............................................................................................... 352
20.11 Configuring Dynamic DNS ............................................................................................. 352
Chapter 21
Remote Management............................................................................................................ 355
21.1 Remote Management Overview ...................................................................................... 355
21.1.1 Remote Management Limitations .......................................................................... 356
21.1.2 System Timeout ..................................................................................................... 356
21.2 WWW (HTTP and HTTPS) ............................................................................................. 356
21.3 WWW Configuration ........................................................................................................ 357
21.4 HTTPS Example .............................................................................................................. 358
21.4.1 Internet Explorer Warning Messages ..................................................................... 359
21.4.2 Netscape Navigator Warning Messages ................................................................ 359
21.4.3 Avoiding the Browser Warning Messages .............................................................. 360
21.4.4 Login Screen .......................................................................................................... 361
21.5 SSH .............................................................................................................................. 363
21.6 How SSH Works .............................................................................................................. 363
21.7 SSH Implementation on the ZyWALL .............................................................................. 364
21.7.1 Requirements for Using SSH ................................................................................. 364
21.8 Configuring SSH .............................................................................................................. 364
21.9 Secure Telnet Using SSH Examples ............................................................................... 365
21.9.1 Example 1: Microsoft Windows .............................................................................. 365
21.9.2 Example 2: Linux .................................................................................................... 366
21.10 Secure FTP Using SSH Example .................................................................................. 367
21.11 Telnet ........................................................................................................................... 368
21.12 Configuring TELNET ..................................................................................................... 368
21.13 FTP .............................................................................................................................. 369
21.14 SNMP .......................................................................................................................... 370
21.14.1 Supported MIBs ................................................................................................... 371
21.14.2 SNMP Traps ......................................................................................................... 371
21.14.3 REMOTE MANAGEMENT: SNMP ....................................................................... 371
21.15 DNS ............................................................................................................................. 373
21.16 Introducing Vantage CNM ............................................................................................. 373
21.17 Configuring CNM ........................................................................................................... 374
Chapter 22
UPnP ...................................................................................................................................... 377
22.1 Universal Plug and Play Overview ................................................................................ 377
22.1.1 How Do I Know If I'm Using UPnP? ....................................................................... 377
22.1.2 NAT Traversal ........................................................................................................ 377
22.1.3 Cautions with UPnP ............................................................................................... 377
22.1.4 UPnP and ZyXEL ................................................................................................... 378
22.2 Configuring UPnP ............................................................................................................ 378
22.3 Displaying UPnP Port Mapping .................................................................................... 379
22.4 Installing UPnP in Windows Example .............................................................................. 380
22.4.1 Installing UPnP in Windows Me ............................................................................. 381
22.4.2 Installing UPnP in Windows XP ............................................................................. 382
22.5 Using UPnP in Windows XP Example ............................................................................. 382
22.5.1 Auto-discover Your UPnP-enabled Network Device .............................................. 383
22.5.2 Web Configurator Easy Access ............................................................................. 384
Chapter 23
ALG Screen ........................................................................................................................... 387
23.1 ALG Introduction ............................................................................................................. 387
23.1.1 ALG and NAT ......................................................................................................... 387
23.1.2 ALG and the Firewall .............................................................................................. 387
23.2 FTP .................................................................................................................................. 388
23.3 H.323 ............................................................................................................................... 388
23.4 RTP .................................................................................................................................. 388
23.4.1 H.323 ALG Details ................................................................................................. 388
23.5 SIP ................................................................................................................................... 389
23.5.1 STUN ..................................................................................................................... 389
23.5.2 SIP ALG Details ..................................................................................................... 389
23.5.3 SIP Signaling Session Timeout .............................................................................. 390
23.5.4 SIP Audio Session Timeout .................................................................................... 390
23.6 ALG Screen ..................................................................................................................... 390
Part V: Logs and Maintenance ............................................................ 393
Chapter 24
Logs Screens ........................................................................................................................395
24.1 Configuring View Log ...................................................................................................... 395
24.2 Log Description Example ................................................................................................. 396
24.2.1 About the Certificate Not Trusted Log .................................................................... 397
24.3 Configuring Log Settings ................................................................................................ 398
24.4 Configuring Reports ....................................................................................................... 401
24.4.1 Viewing Web Site Hits ............................................................................................ 403
24.4.2 Viewing Host IP Address ........................................................................................ 403
24.4.3 Viewing Protocol/Port ............................................................................................. 404
24.4.4 System Reports Specifications ............................................................................... 406
24.5 Log Descriptions .............................................................................................................. 406
24.6 Syslog Logs ..................................................................................................................... 424
Chapter 25
Maintenance ..........................................................................................................................427
25.1 Maintenance Overview .................................................................................................... 427
25.2 General Setup and System Name ................................................................................... 427
25.2.1 General Setup ....................................................................................................... 427
25.3 Configuring Password .................................................................................................... 428
25.4 Time and Date ................................................................................................................ 429
25.5 Pre-defined NTP Time Server Pools ............................................................................... 432
25.5.1 Resetting the Time ................................................................................................. 432
25.5.2 Time Server Synchronization ................................................................................. 432
25.6 Introduction To Transparent Bridging ............................................................................... 433
25.7 Transparent Firewalls ...................................................................................................... 434
25.8 Configuring Device Mode (Router) ................................................................................. 434
25.9 Configuring Device Mode (Bridge) ................................................................................. 436
25.10 F/W Upload Screen ...................................................................................................... 437
25.11 Backup and Restore ..................................................................................................... 439
25.11.1 Backup Configuration ........................................................................................... 440
25.11.2 Restore Configuration .......................................................................................... 440
25.11.3 Back to Factory Defaults ..................................................................................... 441
25.12 Restart Screen .............................................................................................................. 442
Part VI: SMT and Troubleshooting ..................................................... 443
Chapter 26
Introducing the SMT .............................................................................................................445
26.1 Introduction to the SMT ...................................................................................................445
26.2 Accessing the SMT via the Console Port ........................................................................ 445
26.2.1 Initial Screen ..........................................................................................................445
26.2.2 Entering the Password ........................................................................................... 446
26.3 Navigating the SMT Interface .......................................................................................... 446
26.3.1 Main Menu ............................................................................................................. 447
26.3.2 SMT Menus Overview ............................................................................................ 449
26.4 Changing the System Password ..................................................................................... 450
26.5 Resetting the ZyWALL ..................................................................................................... 451
Chapter 27
SMT Menu 1 - General Setup ............................................................................................... 453
27.1 Introduction to General Setup .......................................................................................... 453
27.2 Configuring General Setup .............................................................................................. 453
27.2.1 Configuring Dynamic DNS ..................................................................................... 454
Chapter 28
WAN and Dial Backup Setup................................................................................................ 459
28.1 Introduction to WAN and Dial Backup Setup ................................................................... 459
28.2 WAN Setup ...................................................................................................................... 459
28.3 Dial Backup ..................................................................................................................... 460
28.4 Configuring Dial Backup in Menu 2 ................................................................................. 460
28.5 Advanced WAN Setup ..................................................................................................... 461
28.6 Remote Node Profile (Backup ISP) ................................................................................. 463
28.7 Editing TCP/IP Options ....................................................................................................465
28.8 Editing Login Script .......................................................................................................... 466
28.9 Remote Node Filter ......................................................................................................... 467
Chapter 29
LAN Setup.............................................................................................................................. 469
29.1 Introduction to LAN Setup ............................................................................................... 469
29.2 Accessing the LAN Menus .............................................................................................. 469
29.3 LAN Port Filter Setup ....................................................................................................... 469
29.4 TCP/IP and DHCP Ethernet Setup Menu ........................................................................ 470
29.4.1 IP Alias Setup ......................................................................................................... 473
Chapter 30
Internet Access .....................................................................................................................475
30.1 Introduction to Internet Access Setup .............................................................................. 475
30.2 Ethernet Encapsulation ................................................................................................... 475
30.3 Configuring the PPTP Client ............................................................................................ 477
30.4 Configuring the PPPoE Client ......................................................................................... 477
30.5 Basic Setup Complete ..................................................................................................... 478
Chapter 31
DMZ Setup .............................................................................................................................479
31.1 Configuring DMZ Setup ................................................................................................... 479
31.2 DMZ Port Filter Setup ...................................................................................................... 479
31.3 TCP/IP Setup ................................................................................................................... 480
31.3.1 IP Address ..............................................................................................................480
31.3.2 IP Alias Setup ......................................................................................................... 481
Chapter 32
Wireless Setup ...................................................................................................................... 483
32.1 TCP/IP Setup ................................................................................................................... 483
32.1.1 IP Address ..............................................................................................................483
32.1.2 IP Alias Setup ......................................................................................................... 484
Chapter 33
Remote Node Setup..............................................................................................................487
33.1 Introduction to Remote Node Setup ................................................................................ 487
33.2 Remote Node Setup ........................................................................................................ 487
33.3 Remote Node Profile Setup ............................................................................................. 487
33.3.1 Ethernet Encapsulation .......................................................................................... 488
33.3.2 PPPoE Encapsulation ............................................................................................ 489
33.3.3 PPTP Encapsulation .............................................................................................. 491
33.4 Edit IP .............................................................................................................................. 492
33.5 Remote Node Filter ......................................................................................................... 494
33.6 Traffic Redirect ................................................................................................................ 495
Chapter 34
IP Static Route Setup............................................................................................................ 497
34.1 IP Static Route Setup ...................................................................................................... 497
Chapter 35
Network Address Translation (NAT).................................................................................... 499
35.1 Using NAT ........................................................................................................................ 499
35.1.1 SUA (Single User Account) Versus NAT ................................................................ 499
35.1.2 Applying NAT ......................................................................................................... 499
35.2 NAT Setup ....................................................................................................................... 501
35.2.1 Address Mapping Sets ........................................................................................... 501
35.3 Configuring a Server behind NAT .................................................................................... 506
35.4 General NAT Examples ................................................................................................... 508
35.4.1 Internet Access Only .............................................................................................. 508
35.4.2 Example 2: Internet Access with a Default Server ................................................. 510
35.4.3 Example 3: Multiple Public IP Addresses With Inside Servers .............................. 510
35.4.4 Example 4: NAT Unfriendly Application Programs ................................................. 513
35.5 Trigger Port Forwarding ...................................................................................................515
35.5.1 Two Points To Remember About Trigger Ports ...................................................... 515
Chapter 36
Introducing the ZyWALL Firewall ........................................................................................517
36.1 Using ZyWALL SMT Menus ............................................................................................ 517
36.1.1 Activating the Firewall ............................................................................................ 517
Chapter 37
Filter Configuration............................................................................................................... 519
37.1 Introduction to Filters ....................................................................................................... 519
37.1.1 The Filter Structure of the ZyWALL ........................................................................ 520
37.2 Configuring a Filter Set .................................................................................................... 522
37.2.1 Configuring a Filter Rule ........................................................................................ 524
37.2.2 Configuring a TCP/IP Filter Rule ............................................................................ 524
37.2.3 Configuring a Generic Filter Rule ........................................................................... 527
37.3 Example Filter .................................................................................................................. 528
37.4 Filter Types and NAT ....................................................................................................... 530
37.5 Firewall Versus Filters ..................................................................................................... 530
37.5.1 Packet Filtering ...................................................................................................... 530
37.5.2 Firewall ................................................................................................................... 531
37.6 Applying a Filter .............................................................................................................. 531
37.6.1 Applying LAN Filters ............................................................................................... 532
37.6.2 Applying DMZ Filters .............................................................................................. 532
37.6.3 Applying Remote Node Filters ............................................................................... 533
Chapter 38
SNMP Configuration.............................................................................................................535
38.1 SNMP Configuration ........................................................................................................535
38.2 SNMP Traps .................................................................................................................... 536
Chapter 39
System Information & Diagnosis.........................................................................................537
39.1 Introduction to System Status .......................................................................................... 537
39.2 System Status .................................................................................................................. 537
39.3 System Information and Console Port Speed .................................................................. 539
39.3.1 System Information ................................................................................................ 539
39.3.2 Console Port Speed ............................................................................................... 540
39.4 Log and Trace .................................................................................................................. 540
39.4.1 Viewing Error Log ................................................................................................... 540
39.4.2 Syslog Logging ....................................................................................................... 541
39.4.3 Call-Triggering Packet ............................................................................................ 544
39.5 Diagnostic ........................................................................................................................ 545
39.5.1 WAN DHCP ............................................................................................................ 546
Chapter 40
Firmware and Configuration File Maintenance..................................................................549
40.1 Introduction ...................................................................................................................... 549
40.2 Filename Conventions ..................................................................................................... 549
40.3 Backup Configuration ......................................................................................................550
40.3.1 Backup Configuration ............................................................................................. 550
40.3.2 Using the FTP Command from the Command Line ............................................... 551
40.3.3 Example of FTP Commands from the Command Line .......................................... 552
40.3.4 GUI-based FTP Clients .......................................................................................... 552
40.3.5 File Maintenance Over WAN .................................................................................. 552
40.3.6 Backup Configuration Using TFTP ......................................................................... 553
40.3.7 TFTP Command Example ...................................................................................... 553
40.3.8 GUI-based TFTP Clients ........................................................................................ 553
40.3.9 Backup Via Console Port ....................................................................................... 554
40.4 Restore Configuration ...................................................................................................... 555
40.4.1 Restore Using FTP ................................................................................................. 555
40.4.2 Restore Using FTP Session Example .................................................................... 556
40.4.3 Restore Via Console Port ....................................................................................... 556
40.5 Uploading Firmware and Configuration Files .................................................................. 557
40.5.1 Firmware File Upload ............................................................................................. 557
40.5.2 Configuration File Upload ....................................................................................... 558
40.5.3 FTP File Upload Command from the DOS Prompt Example ................................. 559
40.5.4 FTP Session Example of Firmware File Upload .................................................... 559
40.5.5 TFTP File Upload ................................................................................................... 559
40.5.6 TFTP Upload Command Example ......................................................................... 560
40.5.7 Uploading Via Console Port ................................................................................... 560
40.5.8 Uploading Firmware File Via Console Port ............................................................ 560
40.5.9 Example Xmodem Firmware Upload Using HyperTerminal ................................... 561
40.5.10 Uploading Configuration File Via Console Port .................................................... 561
40.5.11 Example Xmodem Configuration Upload Using HyperTerminal ........................... 562
Chapter 41
System Maintenance Menus 8 to 10....................................................................................563
41.1 Command Interpreter Mode ............................................................................................ 563
41.1.1 Command Syntax ................................................................................................... 564
41.1.2 Command Usage ................................................................................................... 564
41.2 Call Control Support ........................................................................................................ 565
41.2.1 Budget Management .............................................................................................. 565
41.2.2 Call History ............................................................................................................. 566
41.3 Time and Date Setting .....................................................................................................567
Chapter 42
Remote Management............................................................................................................ 571
42.1 Remote Management ...................................................................................................... 571
42.1.1 Remote Management Limitations .......................................................................... 573
Chapter 43
Call Scheduling..................................................................................................................... 575
43.1 Introduction to Call Scheduling ........................................................................................ 575
Chapter 44
Troubleshooting....................................................................................................................579
44.1 Power, Hardware Connections, and LEDs ...................................................................... 579
44.2 ZyWALL Access and Login .............................................................................................. 580
44.3 Internet Access ................................................................................................................ 582
44.4 Wireless Router/AP Troubleshooting ............................................................................... 584
44.5 UPnP ............................................................................................................................... 584
Part VII: Appendices and Index .......................................................... 587
Appendix A Product Specifications.......................................................................................589
Appendix B Setting up Your Computer’s IP Address............................................................ 593
Appendix C Pop-up Windows, JavaScripts and Java Permissions ...................................... 609
Appendix D IP Addresses and Subnetting ........................................................................... 615
Appendix E Common Services............................................................................................ 623
Appendix F Importing Certificates ........................................................................................ 627
Appendix G Command Interpreter .......................................................................................639
Appendix H Firewall Commands ..........................................................................................647
Appendix I NetBIOS Filter Commands .................................................................................653
Appendix J Certificates Commands ..................................................................................... 655
Appendix K Brute-Force Password Guessing Protection.....................................................659
Appendix L Boot Commands................................................................................................ 661
Appendix M Legal Information.............................................................................................. 663
Appendix N Customer Support............................................................................................. 667
Index....................................................................................................................................... 671

List of Figures
Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem ................................................... 46
Figure 2 VPN Application ....................................................................................................................... 46
Figure 3 Front Panel .............................................................................................................................. 47
Figure 4 Change Password Screen ........................................................................................................ 50
Figure 5 Replace Certificate Screen ....................................................................................................... 50
Figure 6 Example Xmodem Upload ........................................................................................................ 51
Figure 7 HOME Screen .......................................................................................................................... 52
Figure 8 Web Configurator HOME Screen in Router Mode ................................................................... 53
Figure 9 Web Configurator HOME Screen in Bridge Mode .................................................................... 56
Figure 10 HOME > Show Statistics ........................................................................................................ 62
Figure 11 HOME > DHCP Table ............................................................................................................. 63
Figure 12 HOME > VPN Status .............................................................................................................. 64
Figure 13 HOME > Bandwidth Monitor .................................................................................................... 65
Figure 14 Wizard Setup Welcome .......................................................................................................... 67
Figure 15 ISP Parameters: Ethernet Encapsulation ...............................................................................68
Figure 16 ISP Parameters: PPPoE Encapsulation ................................................................................. 69
Figure 17 ISP Parameters: PPTP Encapsulation ...................................................................................71
Figure 18 Internet Access Wizard: Second Screen ................................................................................72
Figure 19 Internet Access Setup Complete ............................................................................................ 73
Figure 20 Internet Access Wizard: Registration ..................................................................................... 74
Figure 21 Internet Access Wizard: Registration in Progress .................................................................. 75
Figure 22 Internet Access Wizard: Status .............................................................................................. 75
Figure 23 Internet Access Wizard: Registration Failed ..........................................................................75
Figure 24 Internet Access Wizard: Registered Device ........................................................................... 76
Figure 25 Internet Access Wizard: Activated Services ...........................................................................76
Figure 26 VPN Wizard: Gateway Setting ............................................................................................... 77
Figure 27 VPN Wizard: Network Setting ................................................................................................ 78
Figure 28 VPN Wizard: IKE Tunnel Setting ............................................................................................ 79
Figure 29 VPN Wizard: IPSec Setting .................................................................................................... 81
Figure 30 VPN Wizard: VPN Status ....................................................................................................... 82
Figure 31 VPN Wizard Setup Complete ................................................................................................. 84
Figure 32 Firewall Rule for VPN ............................................................................................................. 86
Figure 33 SECURITY > VPN > VPN Rules (IKE) .................................................................................. 86
Figure 34 SECURITY > VPN > VPN Rules (IKE)> Add Gateway Policy ............................................. 87
Figure 35 SECURITY > VPN > VPN Rules (IKE): With Gateway Policy Example ................................ 88
Figure 36 SECURITY > VPN > VPN Rules (IKE)> Add Network Policy ............................................... 89
Figure 37 SECURITY > FIREWALL > Rule Summary ........................................................................... 90
Figure 38 SECURITY > FIREWALL > Rule Summary > Edit: Allow ..................................................... 91
Figure 39 SECURITY > FIREWALL > Rule Summary: Allow ................................................................. 92
Figure 40 SECURITY > FIREWALL > Default Rule: Block From VPN To LAN ...................................... 92
Figure 41 Tutorial Example: Using NAT with Static Public IP Addresses ............................................... 93
Figure 42 Tutorial Example: WAN Connection with a Static Public IP Address ..................................... 94
Figure 43 Tutorial Example: WAN Screen ............................................................................................. 95
Figure 44 Tutorial Example: DNS > System ........................................................................................... 95
Figure 45 Tutorial Example: DNS > System Edit-1 ...............................................................................96
Figure 46 Tutorial Example: DNS > System Edit-2 ...............................................................................96
Figure 47 Tutorial Example: DNS > System: Done ............................................................................... 97
Figure 48 Tutorial Example: Status ......................................................................................................... 97
Figure 49 Tutorial Example: Mapping Multiple Public IP Addresses to Inside Servers .......................... 98
Figure 50 Tutorial Example: NAT > NAT Overview ................................................................................99
Figure 51 Tutorial Example: NAT > Address Mapping ............................................................................ 99
Figure 52 Tutorial Example: NAT Address Mapping Edit: One-to-One (1) .......................................... 100
Figure 53 Tutorial Example: NAT Address Mapping Edit: One-to-One (2) .......................................... 100
Figure 54 Tutorial Example: NAT Address Mapping Edit: Many-to-One ............................................. 101
Figure 55 Tutorial Example: NAT Address Mapping Done ................................................................. 101
Figure 56 Tutorial Example: Forwarding Incoming FTP Traffic to a Local Computer .......................... 102
Figure 57 Tutorial Example: NAT Address Mapping Edit: Server ....................................................... 102
Figure 58 Tutorial Example: NAT Port Forwarding ............................................................................... 103
Figure 59 Tutorial Example: Forwarding Incoming FTP Traffic to a Local Computer .......................... 103
Figure 60 Tutorial Example: Firewall Default Rule .............................................................................. 104
Figure 61 Tutorial Example: Firewall Rule: WAN to LAN .................................................................... 104
Figure 62 Tutorial Example: Firewall Rule: WAN to LAN Address Edit for Web Server ...................... 105
Figure 63 Tutorial Example: Firewall Rule: WAN to LAN Service Edit for Web Server ....................... 105
Figure 64 Tutorial Example: Firewall Rule: WAN to LAN Address Edit for Mail Server ....................... 106
Figure 65 Tutorial Example: Firewall Rule: WAN to LAN Service Edit for Mail Server ........................ 107
Figure 66 Tutorial Example: Firewall Rule: WAN to LAN Address Edit for FTP Server ....................... 108
Figure 67 Tutorial Example: Firewall Rule: WAN to LAN Service Edit for FTP Server ........................ 108
Figure 68 Tutorial Example: Firewall Rule Summary ........................................................................... 109
Figure 69 Tutorial Example: NAT Address Mapping Done: Game Playing .........................................110
Figure 70 Tutorial Example: Bandwidth Management ...........................................................................111
Figure 71 Tutorial Example: Bandwidth Management Summary .........................................................112
Figure 72 Tutorial Example: Bandwidth Management Class Setup ......................................................112
Figure 73 Tutorial Example: Bandwidth Management Class Setup: VoIP .............................................113
Figure 74 Tutorial Example: Bandwidth Management Class Setup: FTP .............................................113
Figure 75 Tutorial Example: Bandwidth Management Class Setup: WWW .........................................114
Figure 76 Tutorial Example: Bandwidth Management Class Setup Done .............................................114
Figure 77 Tutorial Example: Bandwidth Management Monitor ..............................................................115
Figure 78 REGISTRATION ....................................................................................................................118
Figure 79 REGISTRATION: Registered Device ....................................................................................119
Figure 80 REGISTRATION > Service ................................................................................................... 120
Figure 81 LAN and WAN ..................................................................................................................... 123
Figure 82 NETWORK > LAN ................................................................................................................ 127
Figure 83 NETWORK > LAN > Static DHCP ........................................................................................ 129
Figure 84 Physical Network & Partitioned Logical Networks ................................................................ 130
Figure 85 NETWORK > LAN > IP Alias ................................................................................................ 131
Figure 86 NETWORK > LAN > Port Roles ...........................................................................................132
Figure 87 Port Roles Change Complete ............................................................................................... 133
Figure 88 Bridge Loop: Bridge Connected to Wired LAN ..................................................................... 135
Figure 89 NETWORK > Bridge ............................................................................................................. 138
Figure 90 NETWORK > Bridge > Port Roles ........................................................................................140
Figure 91 Port Roles Change Complete ............................................................................................... 140
Figure 92 NETWORK > WAN Route ................................................................................................... 142
Figure 93 NETWORK > WAN > WAN (Ethernet Encapsulation) ....................................................... 145
Figure 94 NETWORK > WAN > WAN (PPPoE Encapsulation) ........................................................... 148
Figure 95 NETWORK > WAN > WAN (PPTP Encapsulation) ............................................................. 151
Figure 96 Traffic Redirect WAN Setup .................................................................................................. 154
Figure 97 Traffic Redirect LAN Setup ................................................................................................... 154
Figure 98 NETWORK > WAN > Traffic Redirect .................................................................................. 154
Figure 99 NETWORK > WAN > Dial Backup ..................................................................................... 156
Figure 100 NETWORK > WAN > Dial Backup > Edit ......................................................................... 159
Figure 101 NETWORK > DMZ ............................................................................................................ 162
Figure 102 NETWORK > DMZ > Static DHCP ................................................................................... 164
Figure 103 NETWORK > DMZ > IP Alias ............................................................................................ 166
Figure 104 DMZ Public Address Example ............................................................................................ 167
Figure 105 DMZ Private and Public Address Example ........................................................................ 168
Figure 106 NETWORK > DMZ > Port Roles ....................................................................................... 169
Figure 107 NETWORK > WLAN .......................................................................................................... 172
Figure 108 NETWORK > WLAN > Static DHCP ................................................................................. 174
Figure 109 NETWORK > WLAN > IP Alias ......................................................................................... 176
Figure 110 WLAN Port Role Example ................................................................................................. 177
Figure 111 NETWORK > WLAN > Port Roles ..................................................................................... 178
Figure 112 NETWORK > WLAN > Port Roles: Change Complete ....................................................... 178
Figure 113 Default Firewall Action ........................................................................................................ 181
Figure 114 SECURITY > FIREWALL > Default Rule (Router Mode) ................................................... 182
Figure 115 Default Block Traffic From WAN to DMZ Example ......................................................... 183
Figure 116 From LAN to VPN Example ............................................................................................... 185
Figure 117 Block DMZ to VPN Traffic by Default Example ................................................................ 185
Figure 118 From VPN to LAN Example ............................................................................................... 186
Figure 119 Block VPN to LAN Traffic by Default Example ............................................................... 186
Figure 120 From VPN to VPN Example .............................................................................................. 187
Figure 121 Block VPN to VPN Traffic by Default Example ............................................................... 187
Figure 122 Blocking All LAN to WAN IRC Traffic Example .................................................................. 188
Figure 123 Limited LAN to WAN IRC Traffic Example .......................................................................... 189
Figure 124 Using IP Alias to Solve the Triangle Route Problem .......................................................... 191
Figure 125 SECURITY > FIREWALL > Default Rule (Router Mode) ................................................... 191
Figure 126 SECURITY > FIREWALL > Default Rule (Bridge Mode) .................................................... 193
Figure 127 SECURITY > FIREWALL > Rule Summary ....................................................................... 195
Figure 128 SECURITY > FIREWALL > Rule Summary > Edit ............................................................ 197
Figure 129 SECURITY > FIREWALL > Anti-Probing ........................................................................... 199
Figure 130 Three-Way Handshake ....................................................................................................... 200
Figure 131 SECURITY > FIREWALL > Threshold ............................................................................ 201
Figure 132 SECURITY > FIREWALL > Service ................................................................................... 203
Figure 133 Firewall Edit Custom Service ............................................................................................. 204
Figure 134 My Service Firewall Rule Example: Service ...................................................................... 205
Figure 135 My Service Firewall Rule Example: Edit Custom Service ................................................. 205
Figure 136 My Service Firewall Rule Example: Rule Summary ........................................................... 206
Figure 137 My Service Firewall Rule Example: Rule Edit ................................................................... 206
Figure 138 My Service Firewall Rule Example: Rule Configuration ..................................................... 208
Figure 139 My Service Firewall Rule Example: Rule Summary ........................................................... 209
Figure 140 SECURITY > CONTENT FILTER > General ...................................................................... 212
Figure 141 Content Filtering Lookup Procedure ................................................................................... 214
Figure 142 SECURITY > CONTENT FILTER > Categories ................................................................. 215
Figure 143 SECURITY > CONTENT FILTER > Customization ............................................................ 222
Figure 144 SECURITY > CONTENT FILTER > Cache ........................................................................ 225
Figure 145 myZyXEL.com: Login ......................................................................................................... 228
Figure 146 myZyXEL.com: Welcome ................................................................................................... 228
Figure 147 myZyXEL.com: Service Management ................................................................................ 229
Figure 148 Blue Coat: Login ................................................................................................................. 229
Figure 149 Content Filtering Reports Main Screen .............................................................................. 230
Figure 150 Blue Coat: Report Home .................................................................................................... 230
Figure 151 Global Report Screen Example .......................................................................................... 231
Figure 152 Requested URLs Example ................................................................................................. 232
Figure 153 Web Page Review Process Screen ................................................................................... 233
Figure 154 VPN: Example .................................................................................................................... 235
Figure 155 VPN: IKE SA and IPSec SA .............................................................................................. 236
Figure 156 Gateway and Network Policies .......................................................................................... 237
Figure 157 IPSec Fields Summary ..................................................................................................... 237
Figure 158 SECURITY > VPN > VPN Rules (IKE) .............................................................................. 238
Figure 159 IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal ......................................... 239
Figure 160 IKE SA: Main Negotiation Mode, Steps 3 - 4: DH Key Exchange ...................................... 240
Figure 161 IKE SA: Main Negotiation Mode, Steps 5 - 6: Authentication ............................................. 240
Figure 162 VPN/NAT Example ............................................................................................................. 243
Figure 163 IPSec High Availability ....................................................................................................... 244
Figure 164 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy ......................................... 246
Figure 165 Local and Remote Network IP Address Overlap ................................................................ 252
Figure 166 Virtual Mapping of Local and Remote Network IP Addresses ............................................ 253
Figure 167 VPN: Transport and Tunnel Mode Encapsulation .............................................................. 254
Figure 168 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy ........................................... 255
Figure 169 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding ............. 260
Figure 170 SECURITY > VPN > VPN Rules (IKE) > Move Network Policy ........................................ 261
Figure 171 SECURITY > VPN > VPN Rules (Manual) ........................................................................ 263
Figure 172 SECURITY > VPN > VPN Rules (Manual) > Edit .............................................................. 264
Figure 173 SECURITY > VPN > SA Monitor ...................................................................................... 267
Figure 174 SECURITY > VPN > Global Setting ................................................................................. 267
Figure 175 Telecommuters Sharing One VPN Rule Example .............................................................. 269
Figure 176 Telecommuters Using Unique VPN Rules Example ........................................................... 270
Figure 177 VPN for Remote Management Example ............................................................................ 271
Figure 178 VPN Topologies .................................................................................................................. 272
Figure 179 Hub-and-spoke VPN Example ........................................................................................... 273
Figure 180 Certificates on Your Computer ........................................................................................... 276
Figure 181 Certificate Details .............................................................................................................. 277
Figure 182 Certificate Configuration Overview ..................................................................................... 277
Figure 183 SECURITY > CERTIFICATES > My Certificates ............................................................... 278
Figure 184 SECURITY > CERTIFICATES > My Certificates > Details ................................................. 280
Figure 185 SECURITY > CERTIFICATES > My Certificates > Export ................................................. 283
Figure 186 SECURITY > CERTIFICATES > My Certificates > Import ................................................. 284
Figure 187 SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12 ............................... 285
Figure 188 SECURITY > CERTIFICATES > My Certificates > Create ................................................. 286
Figure 189 SECURITY > CERTIFICATES > Trusted CAs ................................................................... 288
Figure 190 SECURITY > CERTIFICATES > Trusted CAs > Details .................................................... 290
Figure 191 SECURITY > CERTIFICATES > Trusted CAs > Import ..................................................... 292
Figure 192 SECURITY > CERTIFICATES > Trusted Remote Hosts .................................................... 293
Figure 193 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details ..................................... 295
Figure 194 SECURITY > CERTIFICATES > Trusted Remote Hosts > Import ..................................... 297
Figure 195 SECURITY > CERTIFICATES > Directory Servers ............................................................ 298
Figure 196 SECURITY > CERTIFICATES > Directory Server > Add ................................................... 299
Figure 197 SECURITY > AUTH SERVER > Local User Database ...................................................... 303
Figure 198 SECURITY > AUTH SERVER > RADIUS .......................................................................... 304
Figure 199 How NAT Works ................................................................................................................. 310
Figure 200 NAT Application With IP Alias ............................................................................................ 311
Figure 201 Port Restricted Cone NAT Example ................................................................................... 312
Figure 202 ADVANCED > NAT > NAT Overview .................................................................................. 314
Figure 203 ADVANCED > NAT > Address Mapping ............................................................................. 315
Figure 204 ADVANCED > NAT > Address Mapping > Edit .................................................................. 317
Figure 205 Multiple Servers Behind NAT Example .............................................................................. 319
Figure 206 Port Translation Example ................................................................................................... 319
Figure 207 ADVANCED > NAT > Port Forwarding ............................................................................... 320
Figure 208 Trigger Port Forwarding Process: Example ........................................................................ 322
Figure 209 ADVANCED > NAT > Port Triggering ................................................................................. 322
Figure 210 Example of Static Routing Topology ................................................................................... 325
Figure 211 ADVANCED > STATIC ROUTE > IP Static Route .............................................................. 326
Figure 212 ADVANCED > STATIC ROUTE > IP Static Route > Edit .................................................... 327
Figure 213 Subnet-based Bandwidth Management Example .............................................................. 330
Figure 214 ADVANCED > BW MGMT > Summary .............................................................................. 335
Figure 215 ADVANCED > BW MGMT > Class Setup .......................................................................... 336
Figure 216 ADVANCED > BW MGMT > Class Setup > Add Sub-Class .............................................. 338
Figure 217 ADVANCED > BW MGMT > Class Setup > Statistics ........................................................ 340
Figure 218 ADVANCED > BW MGMT > Monitor ................................................................................. 341
Figure 219 Private DNS Server Example ............................................................................................. 345
Figure 220 ADVANCED > DNS > System DNS ................................................................................... 345
Figure 221 ADVANCED > DNS > Add (Address Record) .................................................................... 347
Figure 222 ADVANCED > DNS > Insert (Name Server Record) .......................................................... 348
Figure 223 ADVANCED > DNS > Cache ............................................................................................. 349
Figure 224 ADVANCED > DNS > DHCP .............................................................................................. 350
Figure 225 ADVANCED > DNS > DDNS .............................................................................................. 352
Figure 226 Secure and Insecure Remote Management From the WAN .............................................. 355
Figure 227 HTTPS Implementation ...................................................................................................... 357
Figure 228 ADVANCED > REMOTE MGMT > WWW .......................................................................... 357
Figure 229 Security Alert Dialog Box (Internet Explorer) ...................................................................... 359
Figure 230 Security Certificate 1 (Netscape) ........................................................................................ 360
Figure 231 Security Certificate 2 (Netscape) ........................................................................................ 360
Figure 232 Example: Lock Denoting a Secure Connection ................................................................. 361
Figure 233 Replace Certificate ............................................................................................................. 362
Figure 234 Device-specific Certificate .................................................................................................. 362
Figure 235 Common ZyWALL Certificate ............................................................................................. 362
Figure 236 SSH Communication Over the WAN Example .................................................................. 363
Figure 237 How SSH Works ................................................................................................................. 363
Figure 238 ADVANCED > REMOTE MGMT > SSH ............................................................................. 365
Figure 239 SSH Example 1: Store Host Key ........................................................................................ 366
Figure 240 SSH Example 2: Test ........................................................................................................ 366
Figure 241 SSH Example 2: Log in ...................................................................................................... 367
Figure 242 Secure FTP: Firmware Upload Example ............................................................................ 367
Figure 243 ADVANCED > REMOTE MGMT > TELNET ..................................................................... 368
Figure 244 ADVANCED > REMOTE MGMT > FTP ............................................................................. 369
Figure 245 SNMP Management Model ................................................................................................ 370
Figure 246 ADVANCED > REMOTE MGMT > SNMP .......................................................................... 372
Figure 247 ADVANCED > REMOTE MGMT > DNS ............................................................................. 373
Figure 248 ADVANCED > REMOTE MGMT > CNM ............................................................................ 374
Figure 249 ADVANCED > UPnP .......................................................................................................... 378
Figure 250 ADVANCED > UPnP > Ports .............................................................................................. 379
Figure 251 H.323 ALG Example .......................................................................................................... 388
Figure 252 SIP ALG Example ............................................................................................................. 389
Figure 253 ADVANCED > ALG ........................................................................................................... 390
Figure 254 LOGS > View Log ........................................................................................................... 395
Figure 255 myZyXEL.com: Download Center ...................................................................................... 397
Figure 256 myZyXEL.com: Certificate Download ................................................................................. 398
Figure 257 LOGS > Log Settings ......................................................................................................... 399
Figure 258 LOGS > Reports ................................................................................................................ 402
Figure 259 LOGS > Reports: Web Site Hits Example .......................................................................... 403
Figure 260 LOGS > Reports: Host IP Address Example ...................................................................... 404
Figure 261 LOGS > Reports: Protocol/Port Example ........................................................................... 405
Figure 262 MAINTENANCE > General Setup ...................................................................................... 428
Figure 263 MAINTENANCE > Password ............................................................................................ 429
Figure 264 MAINTENANCE > Time and Date ...................................................................................... 430
Figure 265 Synchronization in Process ................................................................................................ 432
Figure 266 Synchronization is Successful ............................................................................................ 433
Figure 267 Synchronization Fail ........................................................................................................... 433
Figure 268 MAINTENANCE > Device Mode (Router Mode) ................................................................ 435
Figure 269 MAINTENANCE > Device Mode (Bridge Mode) ................................................................ 436
Figure 270 MAINTENANCE > Firmware Upload .................................................................................. 438
Figure 271 Firmware Upload In Process .............................................................................................. 438
Figure 272 Network Temporarily Disconnected .................................................................................... 439
Figure 273 Firmware Upload Error ....................................................................................................... 439
Figure 274 MAINTENANCE > Backup and Restore ............................................................................. 440
Figure 275 Configuration Upload Successful ....................................................................................... 441
Figure 276 Network Temporarily Disconnected .................................................................................... 441
Figure 277 Configuration Upload Error ................................................................................................. 441
Figure 278 Reset Warning Message .................................................................................................... 442
Figure 279 MAINTENANCE > Restart ................................................................................................. 442
Figure 280 Initial Screen ....................................................................................................................... 446
Figure 281 Password Screen .............................................................................................................. 446
Figure 282 Main Menu (Router Mode) ................................................................................................. 447
Figure 283 Main Menu (Bridge Mode) .................................................................................................. 448
Figure 284 Menu 23: System Password ............................................................................................... 450
Figure 285 Menu 1: General Setup (Router Mode) .............................................................................. 453
Figure 286 Menu 1: General Setup (Bridge Mode) .............................................................................. 454
Figure 287 Menu 1.1: Configure Dynamic DNS ................................................................................... 455
Figure 288 Menu 1.1.1: DDNS Host Summary .................................................................................... 456
Figure 289 Menu 1.1.1: DDNS Edit Host .............................................................................................. 457
Figure 290 MAC Address Cloning in WAN Setup ................................................................................. 459
Figure 291 Menu 2: Dial Backup Setup .............................................................................................. 461
Figure 292 Menu 2.1: Advanced WAN Setup ....................................................................................... 462
Figure 293 Menu 11.2: Remote Node Profile (Backup ISP) ................................................................ 463
Figure 294 Menu 11.2.2: Remote Node Network Layer Options .......................................................... 465
Figure 295 Menu 11.2.3: Remote Node Script ..................................................................................... 467
Figure 296 Menu 11.2.4: Remote Node Filter ...................................................................................... 468
Figure 297 Menu 3: LAN Setup ............................................................................................................ 469
Figure 298 Menu 3.1: LAN Port Filter Setup ........................................................................................ 470
Figure 299 Menu 3: TCP/IP and DHCP Setup .................................................................................... 470
Figure 300 Menu 3.2: TCP/IP and DHCP Ethernet Setup .................................................................... 471
Figure 301 Menu 3.2.1: IP Alias Setup ................................................................................................. 473
Figure 302 Menu 4: Internet Access Setup (Ethernet) ......................................................................... 475
Figure 303 Internet Access Setup (PPTP) ........................................................................................... 477
Figure 304 Internet Access Setup (PPPoE) ......................................................................................... 478
Figure 305 Menu 5: DMZ Setup .......................................................................................................... 479
Figure 306 Menu 5.1: DMZ Port Filter Setup ........................................................................................ 479
Figure 307 Menu 5: DMZ Setup ........................................................................................................... 480
Figure 308 Menu 5.2: TCP/IP and DHCP Ethernet Setup .................................................................... 480
Figure 309 Menu 5.2.1: IP Alias Setup ................................................................................................. 481
Figure 310 Menu 7: WLAN Setup ......................................................................................................... 483
Figure 311 Menu 7.2: TCP/IP and DHCP Ethernet Setup .................................................................... 484
Figure 312 Menu 7.2.1: IP Alias Setup ................................................................................................. 485
Figure 313 Menu 11: Remote Node Setup ........................................................................................... 487
Figure 314 Menu 11.1: Remote Node Profile for Ethernet Encapsulation ............................................ 488
Figure 315 Menu 11.1: Remote Node Profile for PPPoE Encapsulation .............................................. 490
Figure 316 Menu 11.1: Remote Node Profile for PPTP Encapsulation ................................................ 492
Figure 317 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation ............... 493
Figure 318 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation) .............................................. 494
Figure 319 Menu 11.1.4: Remote Node Filter (PPPoE or PPTP Encapsulation) ................................. 495
Figure 320 Menu 11.1.5: Traffic Redirect Setup ................................................................................... 495
Figure 321 Menu 12: IP Static Route Setup ........................................................................................ 497
Figure 322 Menu 12.1: Edit IP Static Route ......................................................................................... 498
Figure 323 Menu 4: Applying NAT for Internet Access ......................................................................... 500
Figure 324 Menu 11.1.2: Applying NAT to the Remote Node ............................................................... 500
Figure 325 Menu 15: NAT Setup .......................................................................................................... 501
Figure 326 Menu 15.1: Address Mapping Sets .................................................................................... 502
Figure 327 Menu 15.1.255: SUA Address Mapping Rules ................................................................... 502
Figure 328 Menu 15.1.1: First Set ........................................................................................................ 504
Figure 329 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set ......................................... 505
Figure 330 Menu 15.2: NAT Server Sets .............................................................................................. 506
Figure 331 Menu 15.2.1: NAT Server Configuration ............................................................................ 507
Figure 332 Menu 15.2: NAT Server Setup .......................................................................................... 508
Figure 333 Server Behind NAT Example .............................................................................................. 508
Figure 334 NAT Example 1 .................................................................................................................. 509
Figure 335 Menu 4: Internet Access & NAT Example .......................................................................... 509
Figure 336 NAT Example 2 .................................................................................................................. 510
Figure 337 Menu 15.2: Specifying an Inside Server ............................................................................. 510
Figure 338 NAT Example 3 .................................................................................................................. 511
Figure 339 Example 3: Menu 11.1.2 .................................................................................................... 511
Figure 340 Example 3: Menu 15.1.1.1 ................................................................................................. 512
Figure 341 Example 3: Final Menu 15.1.1 ............................................................................................ 512
Figure 342 Example 3: Menu 15.2 ........................................................................................................ 513
Figure 343 NAT Example 4 .................................................................................................................. 513
Figure 344 Example 4: Menu 15.1.1.1: Address Mapping Rule ........................................................... 514
Figure 345 Example 4: Menu 15.1.1: Address Mapping Rules ............................................................ 514
Figure 346 Menu 15.3.1: Trigger Port Setup ........................................................................................ 516
Figure 347 Menu 21: Filter and Firewall Setup ..................................................................................... 517
Figure 348 Menu 21.2: Firewall Setup .................................................................................................. 518
Figure 349 Outgoing Packet Filtering Process ..................................................................................... 519
Figure 350 Filter Rule Process ............................................................................................................. 521
Figure 351 Menu 21: Filter and Firewall Setup ..................................................................................... 522
Figure 352 Menu 21.1: Filter Set Configuration .................................................................................... 522
Figure 353 Menu 21.1.1: Filter Rules Summary ...................................................................................523
Figure 354 Menu 21.1.1.1: TCP/IP Filter Rule ..................................................................................... 524
Figure 355 Executing an IP Filter ......................................................................................................... 526
Figure 356 Menu 21.1.1.1: Generic Filter Rule .................................................................................... 527
Figure 357 Telnet Filter Example .......................................................................................................... 528
Figure 358 Example Filter: Menu 21.1.3.1 ........................................................................................... 529
Figure 359 Example Filter Rules Summary: Menu 21.1.3 .................................................................... 529
Figure 360 Protocol and Device Filter Sets .......................................................................................... 530
Figure 361 Filtering LAN Traffic ............................................................................................................ 532
Figure 362 Filtering DMZ Traffic ........................................................................................................... 532
Figure 363 Filtering Remote Node Traffic ............................................................................................. 533
Figure 364 Menu 22: SNMP Configuration ........................................................................................... 535
Figure 365 Menu 24: System Maintenance .......................................................................................... 537
Figure 366 Menu 24.1: System Maintenance: Status .......................................................................... 538
Figure 367 Menu 24.2: System Information and Console Port Speed ................................................. 539
Figure 368 Menu 24.2.1: System Maintenance: Information .............................................................. 539
Figure 369 Menu 24.2.2: System Maintenance: Change Console Port Speed .................................... 540
Figure 370 Menu 24.3: System Maintenance: Log and Trace .............................................................. 541
Figure 371 Examples of Error and Information Messages ................................................................... 541
Figure 372 Menu 24.3.2: System Maintenance: Syslog Logging ......................................................... 541
Figure 373 Call-Triggering Packet Example ......................................................................................... 545
Figure 374 Menu 24.4: System Maintenance: Diagnostic .................................................................... 546
Figure 375 WAN & LAN DHCP ............................................................................................................. 546
Figure 376 Telnet into Menu 24.5 ......................................................................................................... 551
Figure 377 FTP Session Example ........................................................................................................ 552
Figure 378 System Maintenance: Backup Configuration ..................................................................... 554
Figure 379 System Maintenance: Starting Xmodem Download Screen ............................................... 554
Figure 380 Backup Configuration Example .......................................................................................... 554
Figure 381 Successful Backup Confirmation Screen ........................................................................... 555
Figure 382 Telnet into Menu 24.6 ......................................................................................................... 555
Figure 383 Restore Using FTP Session Example ................................................................................ 556
Figure 384 System Maintenance: Restore Configuration ..................................................................... 556
Figure 385 System Maintenance: Starting Xmodem Download Screen ............................................... 556
Figure 386 Restore Configuration Example ......................................................................................... 557
Figure 387 Successful Restoration Confirmation Screen ..................................................................... 557
Figure 388 Telnet Into Menu 24.7.1: Upload System Firmware ........................................................... 558
Figure 389 Telnet Into Menu 24.7.2: System Maintenance ................................................................. 558
Figure 390 FTP Session Example of Firmware File Upload ................................................................. 559
Figure 391 Menu 24.7.1 As Seen Using the Console Port ................................................................... 561
Figure 392 Example Xmodem Upload .................................................................................................. 561
Figure 393 Menu 24.7.2 As Seen Using the Console Port .................................................................. 562
Figure 394 Example Xmodem Upload .................................................................................................. 562
Figure 395 Command Mode in Menu 24 .............................................................................................. 563
Figure 396 Valid Commands ................................................................................................................ 564
Figure 397 Call Control ......................................................................................................................... 565
Figure 398 Budget Management .......................................................................................................... 565
Figure 399 Call History ......................................................................................................................... 566
Figure 400 Menu 24: System Maintenance .......................................................................................... 567
Figure 401 Menu 24.10 System Maintenance: Time and Date Setting ................................................ 568
Figure 402 Menu 24.11 – Remote Management Control ..................................................................... 572
Figure 403 Schedule Setup .................................................................................................................. 575
Figure 404 Schedule Set Setup ............................................................................................................ 576
Figure 405 Applying Schedule Set(s) to a Remote Node (PPPoE) ...................................................... 577
Figure 406 Applying Schedule Set(s) to a Remote Node (PPTP) ........................................................ 578
Figure 407 Console/Dial Backup Cable DB-9 End Pin Layout ............................................................. 591
Figure 408 Windows 95/98/Me: Network: Configuration ...................................................................... 594
Figure 409 Windows 95/98/Me: TCP/IP Properties: IP Address .......................................................... 595
Figure 410 Windows 95/98/Me: TCP/IP Properties: DNS Configuration .............................................. 596
Figure 411 Windows XP: Start Menu .................................................................................................... 597
Figure 412 Windows XP: Control Panel ............................................................................................... 597
Figure 413 Windows XP: Control Panel: Network Connections: Properties ......................................... 598
Figure 414 Windows XP: Local Area Connection Properties ............................................................... 598
Figure 415 Windows XP: Internet Protocol (TCP/IP) Properties .......................................................... 599
Figure 416 Windows XP: Advanced TCP/IP Properties ....................................................................... 600
Figure 417 Windows XP: Internet Protocol (TCP/IP) Properties .......................................................... 601
Figure 418 Macintosh OS 8/9: Apple Menu .......................................................................................... 602
Figure 419 Macintosh OS 8/9: TCP/IP ................................................................................................. 602
Figure 420 Macintosh OS X: Apple Menu ............................................................................................ 603
Figure 421 Macintosh OS X: Network .................................................................................................. 604
Figure 422 Red Hat 9.0: KDE: Network Configuration: Devices ......................................................... 605
Figure 423 Red Hat 9.0: KDE: Ethernet Device: General .................................................................. 605
Figure 424 Red Hat 9.0: KDE: Network Configuration: DNS ............................................................... 606
Figure 425 Red Hat 9.0: KDE: Network Configuration: Activate ........................................................ 606
Figure 426 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0 ............................................... 607
Figure 427 Red Hat 9.0: Static IP Address Setting in ifconfig-eth0 ................................................... 607
Figure 428 Red Hat 9.0: DNS Settings in resolv.conf ........................................................................ 607
Figure 429 Red Hat 9.0: Restart Ethernet Card ................................................................................. 607
Figure 430 Red Hat 9.0: Checking TCP/IP Properties ....................................................................... 608
Figure 431 Pop-up Blocker ................................................................................................................... 609
Figure 432 Internet Options ................................................................................................................. 610
Figure 433 Internet Options ...................................................................................................................611
Figure 434 Pop-up Blocker Settings ......................................................................................................611
Figure 435 Internet Options .................................................................................................................. 612
Figure 436 Security Settings - Java Scripting ....................................................................................... 613
Figure 437 Security Settings - Java ...................................................................................................... 613
Figure 438 Java (Sun) .......................................................................................................................... 614
Figure 439 Network Number and Host ID ............................................................................................ 616
Figure 440 Subnetting Example: Before Subnetting ............................................................................ 618
Figure 441 Subnetting Example: After Subnetting ............................................................................... 619
Figure 442 Security Certificate ............................................................................................................. 627
Figure 443 Login Screen ...................................................................................................................... 628
Figure 444 Certificate General Information before Import .................................................................... 628
Figure 445 Certificate Import Wizard 1 ................................................................................................. 629
Figure 446 Certificate Import Wizard 2 ................................................................................................. 629
Figure 447 Certificate Import Wizard 3 ................................................................................................. 630
Figure 448 Root Certificate Store ......................................................................................................... 630
Figure 449 Certificate General Information after Import ....................................................................... 631
Figure 450 ZyWALL Trusted CA Screen .............................................................................................. 632
Figure 451 CA Certificate Example ...................................................................................................... 633
Figure 452 Personal Certificate Import Wizard 1 .................................................................................. 634
Figure 453 Personal Certificate Import Wizard 2 .................................................................................. 634
Figure 454 Personal Certificate Import Wizard 3 .................................................................................. 635
Figure 455 Personal Certificate Import Wizard 4 .................................................................................. 635
Figure 456 Personal Certificate Import Wizard 5 .................................................................................. 636
Figure 457 Personal Certificate Import Wizard 6 .................................................................................. 636
Figure 458 Access the ZyWALL Via HTTPS ........................................................................................ 636
Figure 459 SSL Client Authentication ................................................................................................... 637
Figure 460 ZyWALL Secure Login Screen ........................................................................................... 637
Figure 461 Displaying Log Categories Example .................................................................................. 640
Figure 462 Displaying Log Parameters Example ................................................................................. 640
Figure 463 Routing Command Example .............................................................................................. 642
Figure 464 Backup Gateway ................................................................................................................ 643
Figure 465 Managing the Bandwidth of an IPSec SA .......................................................................... 644
Figure 466 Managing the Bandwidth of an IKE SA .............................................................................. 644
Figure 467 Routing Command Example .............................................................................................. 645
Figure 468 Option to Enter Debug Mode .............................................................................................. 661
Figure 469 Boot Module Commands .................................................................................................... 662
List of Tables
Table 1 Front Panel LEDs ...................................................................................................................... 47
Table 2 Title Bar: Web Configurator Icons ............................................................................................. 52
Table 3 Web Configurator HOME Screen in Router Mode .................................................................... 53
Table 4 Web Configurator HOME Screen in Bridge Mode .................................................................... 56
Table 5 Bridge and Router Mode Features Comparison ....................................................................... 58
Table 6 Screens Summary .................................................................................................................... 59
Table 7 HOME > Show Statistics ........................................................................................................... 62
Table 8 HOME > DHCP Table ............................................................................................................... 63
Table 9 HOME > VPN Status ................................................................................................................. 64
Table 10 ADVANCED > BW MGMT > Monitor ...................................................................................... 65
Table 11 ISP Parameters: Ethernet Encapsulation ................................................................................ 68
Table 12 ISP Parameters: PPPoE Encapsulation ................................................................................. 70
Table 13 ISP Parameters: PPTP Encapsulation .................................................................................... 71
Table 14 Internet Access Wizard: Registration ...................................................................................... 74
Table 15 VPN Wizard: Gateway Setting ................................................................................................ 77
Table 16 VPN Wizard: Network Setting ................................................................................................. 78
Table 17 VPN Wizard: IKE Tunnel Setting ............................................................................................. 80
Table 18 VPN Wizard: IPSec Setting ..................................................................................................... 81
Table 19 VPN Wizard: VPN Status ........................................................................................................ 83
Table 20 REGISTRATION ....................................................................................................................118
Table 21 REGISTRATION > Service ................................................................................................... 120
Table 22 NETWORK > LAN ................................................................................................................. 127
Table 23 NETWORK > LAN > Static DHCP ........................................................................................ 130
Table 24 NETWORK > LAN > IP Alias ................................................................................................ 131
Table 25 NETWORK > LAN > Port Roles ............................................................................................ 132
Table 26 STP Path Costs .................................................................................................................... 136
Table 27 STP Port States .................................................................................................................... 137
Table 28 NETWORK > Bridge ............................................................................................................. 138
Table 29 NETWORK > Bridge > Port Roles ........................................................................................140
Table 30 NETWORK > WAN Route ..................................................................................................... 142
Table 31 Private IP Address Ranges ................................................................................................... 143
Table 32 Example of Network Properties for LAN Servers with Fixed IP Addresses .......................... 144
Table 33 NETWORK > WAN > WAN (Ethernet Encapsulation) .......................................................... 145
Table 34 NETWORK > WAN > WAN (PPPoE Encapsulation) ............................................................ 148
Table 35 NETWORK > WAN > WAN (PPTP Encapsulation) ............................................................... 151
Table 36 NETWORK > WAN > Traffic Redirect ................................................................................... 155
Table 37 NETWORK > WAN > Dial Backup ........................................................................................ 156
Table 38 NETWORK > WAN > Dial Backup > Edit .............................................................................. 160
Table 39 NETWORK > DMZ ................................................................................................................ 162
Table 40 NETWORK > DMZ > Static DHCP ........................................................................................ 165
Table 41 NETWORK > DMZ > IP Alias ............................................................................................... 166
Table 42 NETWORK > DMZ > Port Roles ...........................................................................................169
Table 43 NETWORK > WLAN ............................................................................................................. 172
Table 44 NETWORK > WLAN > Static DHCP ..................................................................................... 175
Table 45 NETWORK > WLAN > IP Alias ............................................................................................. 176
Table 46 NETWORK > WLAN > Port Roles ........................................................................................ 178
Table 47 .............................................................................................................................................. 182
Table 48 Blocking All LAN to WAN IRC Traffic Example ..................................................................... 189
Table 49 Limited LAN to WAN IRC Traffic Example ............................................................................ 189
Table 50 SECURITY > FIREWALL > Default Rule (Router Mode) ...................................................... 192
Table 51 SECURITY > FIREWALL > Default Rule (Bridge Mode) ...................................................... 194
Table 52 SECURITY > FIREWALL > Rule Summary .......................................................................... 195
Table 53 SECURITY > FIREWALL > Rule Summary > Edit ................................................................ 198
Table 54 SECURITY > FIREWALL > Anti-Probing .............................................................................. 200
Table 55 SECURITY > FIREWALL > Threshold .................................................................................. 202
Table 56 SECURITY > FIREWALL > Service ...................................................................................... 203
Table 57 SECURITY > FIREWALL > Service > Add ........................................................................... 204
Table 58 SECURITY > CONTENT FILTER > General ........................................................................ 212
Table 59 SECURITY > CONTENT FILTER > Categories .................................................................... 216
Table 60 SECURITY > CONTENT FILTER > Customization .............................................................. 222
Table 61 SECURITY > CONTENT FILTER > Cache ........................................................................... 225
Table 62 SECURITY > VPN > VPN Rules (IKE) ................................................................................. 238
Table 63 VPN Example: Matching ID Type and Content ..................................................................... 241
Table 64 VPN Example: Mismatching ID Type and Content ............................................................... 241
Table 65 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy ............................................. 247
Table 66 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy .............................................. 256
Table 67 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding ................. 260
Table 68 SECURITY > VPN > VPN Rules (IKE) > Move Network Policy ............................................ 261
Table 69 SECURITY > VPN > VPN Rules (Manual) ........................................................................... 263
Table 70 SECURITY > VPN > VPN Rules (Manual) > Edit ................................................................. 264
Table 71 SECURITY > VPN > SA Monitor ..........................................................................................267
Table 72 SECURITY > VPN > Global Setting ......................................................................................268
Table 73 Telecommuters Sharing One VPN Rule Example ................................................................. 269
Table 74 Telecommuters Using Unique VPN Rules Example ............................................................. 270
Table 75 SECURITY > CERTIFICATES > My Certificates .................................................................. 278
Table 76 SECURITY > CERTIFICATES > My Certificates > Details ................................................... 280
Table 77 SECURITY > CERTIFICATES > My Certificates > Export .................................................... 283
Table 78 SECURITY > CERTIFICATES > My Certificates > Import .................................................... 284
Table 79 SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12 .................................. 285
Table 80 SECURITY > CERTIFICATES > My Certificates > Create ................................................... 286
Table 81 SECURITY > CERTIFICATES > Trusted CAs ...................................................................... 288
Table 82 SECURITY > CERTIFICATES > Trusted CAs > Details ....................................................... 290
Table 83 SECURITY > CERTIFICATES > Trusted CAs Import ........................................................... 292
Table 84 SECURITY > CERTIFICATES > Trusted Remote Hosts ...................................................... 293
Table 85 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details ....................................... 295
Table 86 SECURITY > CERTIFICATES > Trusted Remote Hosts > Import ........................................ 297
Table 87 SECURITY > CERTIFICATES > Directory Servers .............................................................. 298
Table 88 SECURITY > CERTIFICATES > Directory Server > Add ..................................................... 299
Table 89 SECURITY > AUTH SERVER > Local User Database ......................................................... 303
Table 90 SECURITY > AUTH SERVER > RADIUS ............................................................................ 304
Table 91 NAT Definitions ..................................................................................................................... 309
Table 92 NAT Mapping Types .............................................................................................................. 313
Table 93 ADVANCED > NAT > NAT Overview .................................................................................... 314
Table 94 ADVANCED > NAT > Address Mapping ............................................................................... 316
Table 95 ADVANCED > NAT > Address Mapping > Edit ..................................................................... 317
Table 96 ADVANCED > NAT > Port Forwarding .................................................................................. 321
Table 97 ADVANCED > NAT > Port Triggering ................................................................................... 323
Table 98 ADVANCED > STATIC ROUTE > IP Static Route ................................................................ 326
Table 99 ADVANCED > STATIC ROUTE > IP Static Route > Edit ...................................................... 327
Table 100 Application and Subnet-based Bandwidth Management Example ..................................... 330
Table 101 Maximize Bandwidth Usage Example ................................................................................. 332
Table 102 Priority-based Allotment of Unused and Unbudgeted Bandwidth Example ........................ 332
Table 103 Fairness-based Allotment of Unused and Unbudgeted Bandwidth Example ..................... 333
Table 104 Bandwidth Borrowing Example ........................................................................................... 334
Table 105 Over Allotment of Bandwidth Example ............................................................................... 334
Table 106 ADVANCED > BW MGMT > Summary ............................................................................... 335
Table 107 ADVANCED > BW MGMT > Class Setup ........................................................................... 337
Table 108 ADVANCED > BW MGMT > Class Setup > Add Sub-Class ............................................... 338
Table 109 Services and Port Numbers ................................................................................................ 340
Table 110 ADVANCED > BW MGMT > Class Setup > Statistics ......................................................... 341
Table 111 ADVANCED > BW MGMT > Monitor ................................................................................... 342
Table 112 ADVANCED > DNS > System DNS .................................................................................... 346
Table 113 ADVANCED > DNS > Add (Address Record) ..................................................................... 347
Table 114 ADVANCED > DNS > Insert (Name Server Record) ........................................................... 348
Table 115 ADVANCED > DNS > Cache ..............................................................................................349
Table 116 ADVANCED > DNS > DHCP ...............................................................................................351
Table 117 ADVANCED > DNS > DDNS ...............................................................................................352
Table 118 ADVANCED > REMOTE MGMT > WWW ........................................................................... 358
Table 119 ADVANCED > REMOTE MGMT > SSH .............................................................................. 365
Table 120 ADVANCED > REMOTE MGMT > TELNET ....................................................................... 368
Table 121 ADVANCED > REMOTE MGMT > FTP .............................................................................. 369
Table 122 SNMP Traps ........................................................................................................................ 371
Table 123 ADVANCED > REMOTE MGMT > SNMP .......................................................................... 372
Table 124 ADVANCED > REMOTE MGMT > DNS ............................................................................. 373
Table 125 ADVANCED > REMOTE MGMT > CNM ............................................................................. 374
Table 126 ADVANCED > UPnP ........................................................................................................... 378
Table 127 ADVANCED > UPnP > Ports .............................................................................................. 379
Table 128 ADVANCED > ALG ............................................................................................................. 391
Table 129 LOGS > View Log ............................................................................................................... 396
Table 130 Log Description Example .................................................................................................... 396
Table 131 LOGS > Log Settings .......................................................................................................... 400
Table 132 LOGS > Reports ................................................................................................................. 402
Table 133 LOGS > Reports: Web Site Hits Report .............................................................................. 403
Table 134 LOGS > Reports: Host IP Address .....................................................................................404
Table 135 LOGS > Reports: Protocol/ Port .......................................................................................... 405
Table 136 Report Specifications .......................................................................................................... 406
Table 137 System Maintenance Logs .................................................................................................. 406
Table 138 System Error Logs .............................................................................................................. 408
Table 139 Access Control Logs ........................................................................................................... 408
Table 140 TCP Reset Logs .................................................................................................................. 409
Table 141 Packet Filter Logs ............................................................................................................... 409
Table 142 ICMP Logs .......................................................................................................................... 409
Table 143 CDR Logs ........................................................................................................................... 410
Table 144 PPP Logs ............................................................................................................................ 410
Table 145 UPnP Logs .......................................................................................................................... 410
Table 146 Content Filtering Logs ..........................................................................................................411
Table 147 Attack Logs ..........................................................................................................................411
Table 148 Remote Management Logs ................................................................................................. 413
Table 149 IPSec Logs .......................................................................................................................... 413
Table 150 IKE Logs ............................................................................................................................. 414
Table 151 PKI Logs ............................................................................................................................. 417
Table 152 Certificate Path Verification Failure Reason Codes ............................................................ 418
Table 153 ACL Setting Notes .............................................................................................................. 418
Table 154 ICMP Notes ......................................................................................................................... 419
Table 155 IDP Logs ............................................................................................................................. 420
Table 156 AV Logs ............................................................................................................................... 421
Table 157 AS Logs .............................................................................................................................. 422
Table 158 Syslog Logs ........................................................................................................................ 424
Table 159 RFC-2408 ISAKMP Payload Types .................................................................................... 425
Table 160 MAINTENANCE > General Setup ....................................................................................... 428
Table 161 MAINTENANCE > Password ..............................................................................................429
Table 162 MAINTENANCE > Time and Date ...................................................................................... 430
Table 163 MAC-address-to-port Mapping Table .................................................................................. 433
Table 164 MAINTENANCE > Device Mode (Router Mode) ................................................................. 435
Table 165 MAINTENANCE > Device Mode (Bridge Mode) ................................................................. 436
Table 166 MAINTENANCE > Firmware Upload .................................................................................. 438
Table 167 Restore Configuration ......................................................................................................... 440
Table 168 Main Menu Commands ....................................................................................................... 446
Table 169 Main Menu Summary .......................................................................................................... 448
Table 170 SMT Menus Overview ......................................................................................................... 449
Table 171 Menu 1: General Setup (Router Mode) ............................................................................... 453
Table 172 Menu 1: General Setup (Bridge Mode) ............................................................................... 454
Table 173 Menu 1.1: Configure Dynamic DNS .................................................................................... 455
Table 174 Menu 1.1.1: DDNS Host Summary ..................................................................................... 456
Table 175 Menu 1.1.1: DDNS Edit Host .............................................................................................. 457
Table 176 MAC Address Cloning in WAN Setup ................................................................................. 460
Table 177 Menu 2: Dial Backup Setup ................................................................................................ 461
Table 178 Advanced WAN Port Setup: AT Commands Fields ............................................................ 462
Table 179 Advanced WAN Port Setup: Call Control Parameters ........................................................ 463
Table 180 Menu 11.3: Remote Node Profile (Backup ISP) .................................................................. 464
Table 181 Menu 11.2.2: Remote Node Network Layer Options .......................................................... 465
Table 182 Menu 11.2.3: Remote Node Script ...................................................................................... 467
Table 183 Menu 3.2: DHCP Ethernet Setup Fields ............................................................................. 471
Table 184 Menu 3.2: LAN TCP/IP Setup Fields .................................................................................. 472
Table 185 Menu 3.2.1: IP Alias Setup ................................................................................................. 473
Table 186 Menu 4: Internet Access Setup (Ethernet) ......................................................................... 476
Table 187 New Fields in Menu 4 (PPTP) Screen ................................................................................ 477
Table 188 New Fields in Menu 4 (PPPoE) screen ............................................................................... 478
Table 189 Menu 11.1: Remote Node Profile for Ethernet Encapsulation ............................................. 488
Table 190 Fields in Menu 11.1 (PPPoE Encapsulation Specific) ......................................................... 491
Table 191 Menu 11.1: Remote Node Profile for PPTP Encapsulation ................................................. 492
Table 192 Remote Node Network Layer Options Menu Fields ............................................................ 493
Table 193 Menu 11.1.5: Traffic Redirect Setup .................................................................................... 495
Table 194 Menu 12. 1: Edit IP Static Route ......................................................................................... 498
Table 195 Applying NAT in Menus 4 & 11.1.2 ...................................................................................... 501
Table 196 SUA Address Mapping Rules ............................................................................................. 503
Table 197 Fields in Menu 15.1.1 .......................................................................................................... 504
Table 198 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set .......................................... 505
Table 199 15.2.1: NAT Server Configuration ....................................................................................... 507
Table 200 Menu 15.3: Trigger Port Setup ............................................................................................ 516
Table 201 Abbreviations Used in the Filter Rules Summary Menu ..................................................... 523
Table 202 Rule Abbreviations Used .................................................................................................... 523
Table 203 Menu 21.1.1.1: TCP/IP Filter Rule ...................................................................................... 525
Table 204 Generic Filter Rule Menu Fields ......................................................................................... 527
Table 205 SNMP Configuration Menu Fields ....................................................................................... 535
Table 206 SNMP Traps ........................................................................................................................ 536
Table 207 System Maintenance: Status Menu Fields .......................................................................... 538
Table 208 Fields in System Maintenance: Information ........................................................................ 540
Table 209 System Maintenance Menu Syslog Parameters ................................................................. 542
Table 210 System Maintenance Menu Diagnostic ............................................................................... 546
Table 211 Filename Conventions ........................................................................................................ 550
Table 212 General Commands for GUI-based FTP Clients ................................................................ 552
Table 213 General Commands for GUI-based TFTP Clients .............................................................. 553
Table 214 Valid Commands ................................................................................................................. 564
Table 215 Budget Management ........................................................................................................... 566
Table 216 Call History .......................................................................................................................... 566
Table 217 Menu 24.10 System Maintenance: Time and Date Setting ................................................. 568
Table 218 Menu 24.11 – Remote Management Control ...................................................................... 572
Table 219 Schedule Set Setup ............................................................................................................ 576
Table 220 Hardware Specifications ..................................................................................................... 589
Table 221 Firmware Specifications ...................................................................................................... 589
Table 222 Feature Specifications ......................................................................................................... 591
Table 223 Performance ....................................................................................................................... 591
Table 224 Console Cable Pin Assignments ......................................................................................... 592
Table 225 Console Cable Pin Assignments ......................................................................................... 592
Table 226 Ethernet Cable Pin Assignments ........................................................................................ 592
Table 227 ............................................................................................................................................ 616
Table 228 Subnet Masks ..................................................................................................................... 617
Table 229 Maximum Host Numbers .................................................................................................... 617
Table 230 Alternative Subnet Mask Notation ....................................................................................... 617
Table 231 Subnet 1 .............................................................................................................................. 619
Table 232 Subnet 2 .............................................................................................................................. 620
Table 233 Subnet 3 .............................................................................................................................. 620
Table 234 Subnet 4 .............................................................................................................................. 620
Table 235 Eight Subnets ...................................................................................................................... 620
Table 236 24-bit Network Number Subnet Planning ............................................................................ 621
Table 237 16-bit Network Number Subnet Planning ............................................................................ 621
Table 238 Commonly Used Services ................................................................................................... 623
Table 239 Firewall Commands ............................................................................................................ 647
Table 240 NetBIOS Filter Default Settings .......................................................................................... 654
Table 241 Certificates Commands ....................................................................................................... 655
Table 242 Brute-Force Password Guessing Protection Commands ................................................... 659
PART I
Introduction and Registration
Getting to Know Your ZyWALL (45)
Introducing the Web Configurator (49)
Wizard Setup (67)
Tutorial (85)
Registration (117)
CHAPTER 1

Getting to Know Your ZyWALL

This chapter introduces the main features and applications of the ZyWALL.
1.1 ZyWALL Internet Security Appliance Overview
The ZyWALL is loaded with security features including VPN, firewall, content filtering and certificates. The ZyWALL’s De-Militarized Zone (DMZ) increases LAN security by providing separate ports for connecting publicly accessible servers. The ZyWALL provides the option to change port roles from LAN to DMZ.
You can also deploy the ZyWALL as a transparent firewall in an existing network with minimal configuration.
The ZyWALL provides bandwidth management, NAT, port forwarding, DHCP server and many other powerful features.
You can add an IEEE 802.11b/g-compliant wireless LAN by connecting an access point (AP) to an Ethernet port configured in the WLAN port role.
See Appendix A on page 589 for a complete list of features.
1.2 Applications for the ZyWALL
Here are some examples of what you can do with your ZyWALL.
1.2.1 Secure Broadband Internet Access via Cable or DSL Modem
For Internet access, connect the WAN Ethernet port to your existing Internet access gateway (company network, or your cable or DSL modem for example). Connect computers or servers to the LAN ports for shared Internet access.
The ZyWALL guarantees not only high speed Internet access, but secure internal network protection and traffic management as well.
Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem
1.2.2 VPN Application
ZyWALL VPN is a cost-effective way to connect branch offices, business partners and telecommuters over the Internet without the need (and expense) of leased lines between sites.
Figure 2 VPN Application
1.3 Ways to Manage the ZyWALL
Use any of the following methods to manage the ZyWALL.
• Web Configurator. This is recommended for everyday management of the ZyWALL using a (supported) web browser.
• Command Line Interface. Line commands are mostly used for troubleshooting by service engineers.
• SMT. System Management Terminal is a text-based configuration menu that you can use to configure your device.
• FTP for firmware upgrades and configuration backup/restore (Chapter 40 on page 549)
• SNMP. The device can be monitored by an SNMP manager. See the SNMP chapter in this User’s Guide.
• Vantage CNM (Centralized Network Management). The device can be remotely managed using a Vantage CNM server.
1.4 Good Habits for Managing the ZyWALL
Do the following things regularly to make the ZyWALL more secure and to manage the ZyWALL more effectively.
• Change the password. Use a password that’s not easy to guess and that consists of different types of characters, such as numbers and letters.
• Write down the password and put it in a safe place.
• Back up the configuration (and make sure you know how to restore it). Restoring an earlier working configuration may be useful if the device becomes unstable or even crashes. If you forget your password, you will have to reset the ZyWALL to its factory default settings. If you backed up an earlier configuration file, you would not have to totally re-configure the ZyWALL. You could simply restore your last configuration.
1.5 LEDs
Figure 3 Front Panel
The following table describes the lights.
Table 1 Front Panel LEDs
LED | COLOR | STATUS | DESCRIPTION
PWR | - | Off | The ZyWALL is turned off.
PWR | Green | On | The ZyWALL is ready and running.
PWR | Green | Flashing | The ZyWALL is restarting.
PWR | Red | On | The power to the ZyWALL is too low.
ACT | Green | Off | The backup port is not connected.
ACT | Green | On | The backup port is connected.
ACT | Green | Flashing | The backup port is sending or receiving packets.
LAN 10/100 | - | Off | The LAN/DMZ/WLAN is not connected.
LAN 10/100 | Green | On | The ZyWALL has a successful 10Mbps Ethernet connection.
LAN 10/100 | Green | Flashing | The 10M LAN/DMZ/WLAN is sending or receiving packets.
LAN 10/100 | Orange | On | The ZyWALL has a successful 100Mbps Ethernet connection.
LAN 10/100 | Orange | Flashing | The 100M LAN/DMZ/WLAN is sending or receiving packets.
WAN 10/100 | - | Off | The WAN connection is not ready, or has failed.
WAN 10/100 | Green | On | The ZyWALL has a successful 10Mbps WAN connection.
WAN 10/100 | Green | Flashing | The 10M WAN is sending or receiving packets.
WAN 10/100 | Orange | On | The ZyWALL has a successful 100Mbps WAN connection.
WAN 10/100 | Orange | Flashing | The 100M WAN is sending or receiving packets.
CHAPTER 2
Introducing the Web Configurator
This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens.
2.1 Web Configurator Overview
The web configurator is an HTML-based management interface that allows easy ZyWALL setup and management via Internet browser. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions. The recommended screen resolution is 1024 by 768 pixels.
In order to use the web configurator you need to allow:
• Web browser pop-up windows from your device. Web pop-up blocking is enabled by default in Windows XP SP (Service Pack) 2.
• JavaScript (enabled by default).
• Java permissions (enabled by default).
See the Troubleshooting chapter if you want to make sure these functions are allowed in Internet Explorer or Netscape Navigator.
2.2 Accessing the ZyWALL Web Configurator
" By default, the packets from WLAN to WLAN/ZyWALL are dropped and users cannot configure the ZyWALL wirelessly.
1 Make sure your ZyWALL hardware is properly connected and prepare your computer/computer network to connect to the ZyWALL (refer to the Quick Start Guide).
2 Launch your web browser.
3 Type "192.168.1.1" as the URL.
4 Type "1234" (default) as the password and click Login. In some versions, the default password appears automatically - if this is the case, click Login.
5 You should see a screen asking you to change your password (highly recommended, since the default password is printed in this guide) as shown next. Type a new password (and retype it to confirm) and click Apply or click Ignore.
Figure 4 Change Password Screen
6 Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL's MAC address that will be specific to this device.
" If you do not replace the default certificate here or in the CERTIFICATES screen, this screen displays every time you access the web configurator.
Figure 5 Replace Certificate Screen
7 You should now see the HOME screen (see Figure 8 on page 53).
" The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the ZyWALL if this happens to you.
2.3 Resetting the ZyWALL
If you forget your password or cannot access the web configurator, you will need to reload the factory-default configuration file or use the RESET button on the back of the ZyWALL. Uploading this configuration file replaces the current configuration file with the factory-default configuration file. This means that you will lose all configurations that you had previously, and the speed of the console port will be reset to the default of 9600 bps with 8 data bits, no parity, one stop bit and flow control set to none. The password will also be reset to 1234. Because both methods bypass the password, anyone with physical access to the ZyWALL (its RESET button or console port) can use them; keep the device physically secured.
2.3.1 Procedure To Use The Reset Button
Make sure the PWR LED is on (not blinking) before you begin this procedure.
1 Press the RESET button for ten seconds, and then release it. If the PWR LED begins to blink, the defaults have been restored and the ZyWALL restarts. Otherwise, go to step 2.
2 Turn the ZyWALL off.
3 While pressing the RESET button, turn the ZyWALL on.
4 Continue to hold the RESET button. The PWR LED will begin to blink and flicker very quickly after about 20 seconds. This indicates that the defaults have been restored and the ZyWALL is now restarting.
5 Release the RESET button and wait for the ZyWALL to finish restarting.
2.3.2 Uploading a Configuration File Via Console Port
1 Download the default configuration file from the ZyXEL FTP site, unzip it and save it in a folder.
2 Turn off the ZyWALL, begin a terminal emulation software session and turn on the ZyWALL again. When you see the message "Press Any key to enter Debug Mode within 3 seconds", press any key to enter debug mode.
3 Enter "y" at the prompt below to go into debug mode.
4 Enter "atlc" after the "Enter Debug Mode" message.
5 Wait for the "Starting XMODEM upload" message before activating Xmodem upload on your terminal. This is an example Xmodem configuration upload using HyperTerminal.
Figure 6 Example Xmodem Upload
Type the configuration file's location, or click Browse to search for it.
Choose the Xmodem protocol.
Then click Send.
6 After a successful configuration upload, enter "atgo" to restart the router.
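The console upload in steps 2 to 6 is a plain XMODEM transfer, and it is worth seeing byte by byte: the receiver (the ZyWALL) opens with NAK, the sender answers with 132-byte packets (SOH, block number, its complement, 128 data bytes, an 8-bit checksum), each packet is ACKed or NAKed, and the sender finishes with EOT. The following Python is an added example written for this guide; it is not ZyXEL code and not a HyperTerminal replacement. It assumes the ZyWALL's "atlc" upload accepts the classic checksum variant of XMODEM (the page only says "Choose the Xmodem protocol"), and it drives the sender against an in-memory receiver so the exchange, including a retransmission after a corrupted packet, can be run without hardware. The payload is a constructed byte string standing in for the configuration file.

```python
# Added example, not ZyXEL code: XMODEM-checksum sender plus an in-memory
# receiver, so the console upload exchange can be run offline. Assumes the
# device's "atlc" upload speaks plain 128-byte XMODEM with an 8-bit checksum.
SOH, EOT, ACK, NAK, CAN = 0x01, 0x04, 0x06, 0x15, 0x18
BLOCK, PAD = 128, 0x1A            # data block size; CTRL-Z padding byte

# Constructed stand-in for a configuration file, not a real ZyWALL config.
SAMPLE_PAYLOAD = bytes(range(256)) * 2 + b"tail"


def build_packet(seq, data):
    """SOH, block number, its complement, 128 data bytes, 8-bit checksum."""
    if not 1 <= len(data) <= BLOCK:
        raise ValueError("data must be 1..128 bytes")
    data = data.ljust(BLOCK, bytes([PAD]))
    seq &= 0xFF                                   # block numbers wrap 255 -> 0
    return bytes([SOH, seq, 0xFF - seq]) + data + bytes([sum(data) & 0xFF])


def xmodem_send(payload, read_byte, write, max_retries=10):
    """read_byte() -> int or None on timeout; write(bytes) puts data on the line.
    Returns the number of data blocks sent."""
    # The receiver opens the transfer with NAK (a CRC-capable one sends 'C'
    # a few times first, then falls back to NAK, so keep waiting).
    for _ in range(max_retries):
        b = read_byte()
        if b == NAK:
            break
        if b == CAN:
            raise RuntimeError("receiver cancelled")
    else:
        raise RuntimeError("receiver never sent NAK")
    seq, blocks = 1, 0
    for off in range(0, len(payload), BLOCK):
        pkt = build_packet(seq, payload[off:off + BLOCK])
        for _ in range(max_retries):              # resend on NAK or timeout
            write(pkt)
            reply = read_byte()
            if reply == ACK:
                break
            if reply == CAN:
                raise RuntimeError("receiver cancelled")
        else:
            raise RuntimeError(f"block {seq} never acknowledged")
        seq, blocks = (seq + 1) & 0xFF, blocks + 1
    for _ in range(max_retries):                  # EOT until the receiver ACKs
        write(bytes([EOT]))
        if read_byte() == ACK:
            return blocks
    raise RuntimeError("EOT never acknowledged")


class SimulatedReceiver:
    """Drives the sender without hardware. corrupt_first_block=True flips a
    data bit in the first packet, the way a noisy console line would."""

    def __init__(self, corrupt_first_block=False):
        self.inbuf, self.received = bytearray(), bytearray()
        self.replies = [NAK]                      # receiver starts the transfer
        self.expected, self.nak_count, self.done = 1, 0, False
        self._corrupt = corrupt_first_block

    def write(self, data):
        self.inbuf += data
        while self.inbuf:
            if self.inbuf[0] == EOT:
                del self.inbuf[0]
                self.done = True
                self.replies.append(ACK)
                continue
            if len(self.inbuf) < BLOCK + 4:
                return                            # rest of the packet not here yet
            pkt, self.inbuf = bytes(self.inbuf[:BLOCK + 4]), self.inbuf[BLOCK + 4:]
            if self._corrupt:
                self._corrupt = False
                pkt = pkt[:3] + bytes([pkt[3] ^ 0x01]) + pkt[4:]
            seq, nseq, body, csum = pkt[1], pkt[2], pkt[3:-1], pkt[-1]
            intact = pkt[0] == SOH and seq == (0xFF - nseq) and csum == (sum(body) & 0xFF)
            if intact and seq == (self.expected & 0xFF):
                self.received += body
                self.expected += 1
                self.replies.append(ACK)
            elif intact and seq == ((self.expected - 1) & 0xFF):
                self.replies.append(ACK)          # duplicate after a lost ACK: don't store twice
            else:
                self.nak_count += 1
                self.replies.append(NAK)          # bad checksum or wrong block: ask again

    def read_byte(self):
        return self.replies.pop(0) if self.replies else None


def run_transfer(payload, corrupt_first_block=False):
    """Returns (blocks sent, received bytes with padding stripped, NAKs, EOT seen).
    Stripping 0x1A is lossy if the real file ends in CTRL-Z bytes; compare sizes after a real upload."""
    rx = SimulatedReceiver(corrupt_first_block)
    blocks = xmodem_send(payload, rx.read_byte, rx.write)
    return blocks, bytes(rx.received).rstrip(bytes([PAD])), rx.nak_count, rx.done
```

To use this against a real console, replace the simulated receiver with a serial port opened at the console defaults given in Section 2.3 (9600 bps, 8 data bits, no parity, one stop bit, no flow control), for instance pyserial's serial.Serial(port, 9600, timeout=10) with read_byte returning port.read(1)[0] (or None when the read times out) and write as port.write, and call xmodem_send only after the device has printed "Starting XMODEM upload". The run with corrupt_first_block=True shows the behaviour you want on a noisy console cable: the first packet fails its checksum, the receiver NAKs, and the sender retransmits the same block rather than skipping it.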
2.4 Navigating the ZyWALL Web Configurator
The following summarizes how to navigate the web configurator from the HOME screen. This guide uses the ZyWALL 70 screenshots as an example. The screens may vary slightly for different ZyWALL models.
Figure 7 HOME Screen
As illustrated above, the main screen is divided into these parts:
A - title bar
B - navigation panel
C - main window
D - status bar
2.4.1 Title Bar
The title bar provides some icons in the upper right corner.
The icons provide the following functions.
Table 2 Title Bar: Web Configurator Icons
ICON | DESCRIPTION
Wizards | Click this icon to open one of the web configurator wizards. See Chapter 3 on page 67 for more information.
Help | Click this icon to open the help page for the current screen.
2.4.2 Main Window
The main window shows the screen you select in the navigation panel. It is discussed in more detail in the rest of this document.
Right after you log in, the HOME screen is displayed. The screen varies according to the device mode you select in the MAINTENANCE > Device Mode screen.

2.4.3 HOME Screen: Router Mode

The following screen displays when the ZyWALL is set to router mode. This screen displays general status information about the ZyWALL. The ZyWALL is set to router mode by default.
Figure 8 Web Configurator HOME Screen in Router Mode
The following table describes the labels in this screen.
Table 3 Web Configurator HOME Screen in Router Mode
LABEL DESCRIPTION
Automatic Refresh Interval
Refresh Click this button to update the status screen statistics immediately.
System Information
System Name This is the System Name you enter in the MAINTENANCE > General screen. It
Model This is the model name of your ZyWALL.
ZyWALL 2 Plus User’s Guide
Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics.
is for identification purposes. Click the field label to go to the screen where you can specify a name for this ZyWALL.
53
Page 54
Chapter 2 Introducing the Web Configurator
Table 3 Web Configurator HOME Screen in Router Mode (continued)
LABEL DESCRIPTION
Bootbase Version This is the bootbase version and the date created.
Firmware Version This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's
Up Time This field displays how long the ZyWALL has been running since it last started up.
System Time This field displays your ZyWALL’s present date (in yyyy-mm-dd format) and time
Device Mode This displays whether the ZyWALL is functioning as a router or a bridge. Click the
Firewall This displays whether or not the ZyWALL’s firewall is activated. Click the field
System Resources
Flash The first number shows how many megabytes of the flash the ZyWALL is using.
Memory The first number shows how many megabytes of the heap memory the ZyWALL
Sessions The first number shows how many sessions are currently open on the ZyWALL.
CPU This field displays what percentage of the ZyWALL’s processing ability is
Interfaces This is the port type.
Status For the LAN, DMZ and WLAN ports, this displays the port speed and duplex
IP/Netmask This shows the port’s IP address and subnet mask.
proprietary Network Operating System design. Click the field label to go to the screen where you can upload a new firmware file.
The ZyWALL starts up when you turn it on, when you restart it (MAINTENANCE > Restart), or when you reset it (see Section 2.3 on page 51).
(in hh:mm:ss format) along with the difference from the Greenwich Mean Time (GMT) zone. The difference from GMT is based on the time zone. It is also adjusted for Daylight Saving Time if you set the ZyWALL to use it. Click the field label to go to the screen where you can modify the ZyWALL’s date and time settings.
field label to go to the screen where you can configure the ZyWALL as a router or a bridge.
label to go to the screen where you can turn the firewall on or off.
is using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running processes like NAT, VPN and the firewall.
The second number shows the ZyWALL's total heap memory (in megabytes). The bar displays what percent of the ZyWALL's heap memory is in use. The bar
turns from green to red when the maximum is being approached.
This includes all sessions that are currently traversing the ZyWALL, terminating at the ZyWALL or Initiated from the ZyWALL.
The second number is the maximum number of sessions that can be open at one time.
The bar displays what percent of the maximum number of sessions is in use. The bar turns from green to red when the maximum is being approached.
currently used. When this percentage is close to 100%, the ZyWALL is running at full load, and the throughput is not going to improve anymore. If you want some applications to have more throughput, you should turn off other applications (for example, using bandwidth management.
Click "+" to expand or "-" to collapse the IP alias drop-down lists.
setting. Ethernet port connections can be in half-duplex or full-duplex mode. Full­duplex refers to a device's ability to send and receive simultaneously, while half­duplex indicates that traffic can flow in only one direction at a time. The Ethernet port must use the same speed or duplex mode setting as the peer Ethernet port in order to connect.
For the WAN and Dial Backup ports, it displays the port speed and duplex setting if you’re using Ethernet encapsulation and Down (line is down or not connected), Idle (line (ppp) idle), Dial (starting to trigger a call) or Drop (dropping a call) if you’re using PPPoE encapsulation.
54
ZyWALL 2 Plus User’s Guide
Page 55
Chapter 2 Introducing the Web Configurator
Table 3 Web Configurator HOME Screen in Router Mode (continued)
LABEL DESCRIPTION
IP Assignment: For the WAN, if the ZyWALL gets its IP address automatically from an ISP, this displays DHCP client when you’re using Ethernet encapsulation and IPCP Client when you’re using PPPoE or PPTP encapsulation. Static displays if the WAN port is using a manually entered static (fixed) IP address.
For the LAN, DHCP server displays when the ZyWALL is set to automatically give IP address information to the computers connected to the LAN. DHCP relay displays when the ZyWALL is set to forward IP address assignment requests to another DHCP server. Static displays if the LAN port is using a manually entered static (fixed) IP address. In this case, you must have another DHCP server on your LAN, or else the computers must be manually configured.
For the dial backup port, this shows N/A when dial backup is disabled and IPCP client when dial backup is enabled.
Renew: If you are using Ethernet encapsulation and the WAN port is configured to get the IP address automatically from the ISP, click Renew to release the WAN port’s dynamically assigned IP address and get the IP address afresh. Click Dial to dial up the PPTP, PPPoE or dial backup connection. Click Drop to disconnect the PPTP, PPPoE or dial backup connection.
Security Services
Content Filter Expiration Date: This is the date the category-based content filtering service subscription expires. Click the field label to go to the screen where you can update your service subscription.
Web Site Blocked: This displays how many web site hits the ZyWALL has blocked since it last started up. N/A displays when the service subscription has expired.
Latest Alerts: This table displays the five most recent alerts recorded by the ZyWALL. You can see more information in the View Log screen, such as the source and destination IP addresses and port numbers of the incoming packets.
Date/Time: This is the date and time the alert was recorded.
Message: This is the reason for the alert.
System Status
Port Statistics: Click Port Statistics to see router performance statistics such as the number of packets sent and number of packets received for each port.
DHCP Table: Click DHCP Table to show current DHCP client information.
VPN: Click VPN to display the active VPN connections.
Bandwidth: Click Bandwidth to view the ZyWALL’s bandwidth usage and allotments.

2.4.4 HOME Screen: Bridge Mode

The following screen displays when the ZyWALL is set to bridge mode. In bridge mode, the ZyWALL functions as a transparent firewall (also known as a bridge firewall). The ZyWALL bridges traffic traveling between the ZyWALL's interfaces and still filters and inspects packets. You do not need to change the configuration of your existing network.
In bridge mode, the ZyWALL cannot get an IP address from a DHCP server. The LAN, WAN, DMZ and WLAN interfaces all have the same (static) IP address and subnet mask. You can configure the ZyWALL's IP address in order to access the ZyWALL for management. If you connect your computer directly to the ZyWALL, you also need to assign your computer a static IP address in the same subnet as the ZyWALL's IP address in order to access the ZyWALL.
You can use the firewall and VPN in bridge mode. See the user’s guide for a list of other features that are available in bridge mode.
Figure 9 Web Configurator HOME Screen in Bridge Mode
The following table describes the labels in this screen.
Table 4 Web Configurator HOME Screen in Bridge Mode
LABEL DESCRIPTION
Automatic Refresh Interval: Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics.
Refresh: Click this button to update the screen’s statistics immediately.
System Information
System Name: This is the System Name you enter in the MAINTENANCE > General screen. It is for identification purposes. Click the field label to go to the screen where you can specify a name for this ZyWALL.
Model: This is the model name of your ZyWALL.
Bootbase Version: This is the bootbase version and the date created.
Firmware Version: This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design. Click the field label to go to the screen where you can upload a new firmware file.
Up Time: This field displays how long the ZyWALL has been running since it last started up. The ZyWALL starts up when you turn it on, when you restart it (MAINTENANCE > Restart), or when you reset it (see Section 2.3 on page 51).
System Time: This field displays your ZyWALL’s present date (in yyyy-mm-dd format) and time (in hh:mm:ss format) along with the difference from the Greenwich Mean Time (GMT) zone. The difference from GMT is based on the time zone. It is also adjusted for Daylight Saving Time if you set the ZyWALL to use it. Click the field label to go to the screen where you can modify the ZyWALL’s date and time settings.
Device Mode: This displays whether the ZyWALL is functioning as a router or a bridge. Click the field label to go to the screen where you can configure the ZyWALL as a router or a bridge.
Firewall: This displays whether or not the ZyWALL’s firewall is activated. Click the field label to go to the screen where you can turn the firewall on or off.
System Resources
Flash: The first number shows how many megabytes of the flash the ZyWALL is using.
Memory: The first number shows how many megabytes of the heap memory the ZyWALL is using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running processes like NAT, VPN and the firewall. The second number shows the ZyWALL's total heap memory (in megabytes). The bar displays what percent of the ZyWALL's heap memory is in use. The bar turns from green to red when the maximum is being approached.
Sessions: The first number shows how many sessions are currently open on the ZyWALL. This includes all sessions that are currently traversing the ZyWALL, terminating at the ZyWALL or initiated from the ZyWALL. The second number is the maximum number of sessions that can be open at one time. The bar displays what percent of the maximum number of sessions is in use. The bar turns from green to red when the maximum is being approached.
CPU: This field displays what percentage of the ZyWALL’s processing ability is currently used. When this percentage is close to 100%, the ZyWALL is running at full load, and the throughput is not going to improve anymore. If you want some applications to have more throughput, you should turn off other applications (for example, using bandwidth management).
Network Status
IP/Netmask Address: This is the IP address and subnet mask of your ZyWALL in dotted decimal notation.
Gateway IP Address: This is the gateway IP address.
Rapid Spanning Tree Protocol: This shows whether RSTP (Rapid Spanning Tree Protocol) is active or not. The following labels or values relative to RSTP do not apply when RSTP is disabled.
Bridge Priority: This is the bridge priority of the ZyWALL. The bridge (or switch) with the lowest bridge priority value in the network is the root bridge (the base of the spanning tree).
Bridge Hello Time: This is the interval of BPDUs (Bridge Protocol Data Units) from the root bridge.
Bridge Max Age: This is the predefined interval that a bridge waits to get a Hello message (BPDU) from the root bridge.
Forward Delay: This is the forward delay interval.
Bridge Port: This is the port type. Port types are: WAN, LAN, DMZ and WLAN.
Port Status: For the WAN, LAN, DMZ, and WLAN interfaces, this displays the port speed and duplex setting. For the WAN port, it displays Down when the link is not ready or has failed.
RSTP Status: This is the RSTP status of the corresponding port.
RSTP Active: This shows whether or not RSTP is active on the corresponding port.
RSTP Priority: This is the RSTP priority of the corresponding port.
RSTP Path Cost: This is the cost of transmitting a frame from the root bridge to the corresponding port.
Security Services
Content Filter Expiration Date: This is the date the category-based content filtering service subscription expires. Click the field label to go to the screen where you can update your service subscription.
Web Site Blocked: This displays how many web site hits the ZyWALL has blocked since it last started up. N/A displays when the service subscription has expired.
Latest Alerts: This table displays the five most recent alerts recorded by the ZyWALL. You can see more information in the View Log screen, such as the source and destination IP addresses and port numbers of the incoming packets.
Date/Time: This is the date and time the alert was recorded.
Message: This is the reason for the alert.
System Status
Port Statistics: Click Port Statistics to see router performance statistics such as the number of packets sent and number of packets received for each port.
VPN: Click VPN to display the active VPN connections.
Bandwidth: Click Bandwidth to view the ZyWALL’s bandwidth usage and allotments.
2.4.5 Navigation Panel
After you enter the password, use the sub-menus on the navigation panel to configure ZyWALL features.
The following table lists the features available for each device mode. Not all ZyWALLs have all features listed in this table.
Table 5 Bridge and Router Mode Features Comparison
FEATURE | BRIDGE MODE | ROUTER MODE
Internet Access Wizard | | O
VPN Wizard | O | O
DHCP Table | | O
System Statistics | O | O
Registration | O | O
LAN | | O
WAN | | O
DMZ | | O
Bridge | O |
WLAN | | O
Firewall | O | O
Content Filter | O | O
VPN | O | O
Certificates | O | O
Authentication Server | O | O
NAT | | O
Static Route | | O
Bandwidth Management | O | O
DNS | | O
Remote Management | O | O
UPnP | | O
ALG | O | O
Logs | O | O
Maintenance | O | O
Table Key: An O in a mode’s column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change.
The following table describes the sub-menus.
Table 6 Screens Summary
LINK TAB FUNCTION
HOME: This screen shows the ZyWALL’s general device and network status information. Use this screen to access the wizards, statistics and DHCP table.
REGISTRATION > Registration: Use this screen to register your ZyWALL and activate the trial service subscriptions.
REGISTRATION > Service: Use this to manage and update the service status and license information.
NETWORK
LAN > LAN: Use this screen to configure LAN DHCP and TCP/IP settings.
LAN > Static DHCP: Use this screen to assign fixed IP addresses on the LAN.
LAN > IP Alias: Use this screen to partition your LAN interface into subnets.
LAN > Port Roles: Use this screen to change the LAN/DMZ/WLAN port roles.
BRIDGE > Bridge: Use this screen to change the bridge settings on the ZyWALL.
BRIDGE > Port Roles: Use this screen to change the LAN/DMZ/WLAN port roles on the ZyWALL.
WAN > Route: This screen allows you to configure route priority.
WAN > WAN: Use this screen to configure the WAN port for internet access.
WAN > Traffic Redirect: Use this screen to configure your traffic redirect properties and parameters.
WAN > Dial Backup: Use this screen to configure the backup WAN dial-up connection.
DMZ > DMZ: Use this screen to configure your DMZ connection.
DMZ > Static DHCP: Use this screen to assign fixed IP addresses on the DMZ.
DMZ > IP Alias: Use this screen to partition your DMZ interface into subnets.
DMZ > Port Roles: Use this screen to change the LAN/DMZ/WLAN port roles on the ZyWALL.
WLAN > WLAN: Use this screen to configure your WLAN connection.
WLAN > Static DHCP: Use this screen to assign fixed IP addresses on the WLAN.
WLAN > IP Alias: Use this screen to partition your WLAN interface into subnets.
WLAN > Port Roles: Use this screen to change the LAN/DMZ/WLAN port roles on the ZyWALL.
SECURITY
FIREWALL > Default Rule: Use this screen to activate/deactivate the firewall and the direction of network traffic to which to apply the rule.
FIREWALL > Rule Summary: This screen shows a summary of the firewall rules, and allows you to edit/add a firewall rule.
FIREWALL > Anti-Probing: Use this screen to change your anti-probing settings.
FIREWALL > Threshold: Use this screen to configure the threshold for DoS attacks.
FIREWALL > Service: Use this screen to configure custom services.
CONTENT FILTER > General: This screen allows you to enable content filtering and block certain web features.
CONTENT FILTER > Categories: Use this screen to select which categories of web pages to filter out, as well as to register for external database content filtering and view reports.
CONTENT FILTER > Customization: Use this screen to customize the content filter list.
CONTENT FILTER > Cache: Use this screen to view and configure the ZyWALL’s URL caching.
VPN > VPN Rules (IKE): Use this screen to configure VPN connections using IKE key management and view the rule summary.
VPN > VPN Rules (Manual): Use this screen to configure VPN connections using manual key management and view the rule summary.
VPN > SA Monitor: Use this screen to display and manage active VPN connections.
VPN > Global Setting: Use this screen to configure the IPSec timer settings.
CERTIFICATES > My Certificates: Use this screen to view a summary list of certificates and manage certificates and certification requests.
CERTIFICATES > Trusted CAs: Use this screen to view and manage the list of the trusted CAs.
CERTIFICATES > Trusted Remote Hosts: Use this screen to view and manage the certificates belonging to the trusted remote hosts.
CERTIFICATES > Directory Servers: Use this screen to view and manage the list of the directory servers.
AUTH SERVER > Local User Database: Use this screen to configure the local user account(s) on the ZyWALL.
AUTH SERVER > RADIUS: Configure this screen to use an external server to authenticate wireless and/or VPN users.
ADVANCED
NAT > NAT Overview: Use this screen to enable NAT.
NAT > Address Mapping: Use this screen to configure network address translation mapping rules.
NAT > Port Forwarding: Use this screen to configure servers behind the ZyWALL.
NAT > Port Triggering: Use this screen to change your ZyWALL’s port triggering settings.
STATIC ROUTE > IP Static Route: Use this screen to configure IP static routes.
BW MGMT > Summary: Use this screen to enable bandwidth management on an interface.
BW MGMT > Class Setup: Use this screen to set up the bandwidth classes.
BW MGMT > Monitor: Use this screen to view the ZyWALL’s bandwidth usage and allotments.
DNS > System: Use this screen to configure the address and name server records.
DNS > Cache: Use this screen to configure the DNS resolution cache.
DNS > DHCP: Use this screen to configure LAN/DMZ/WLAN DNS information.
DNS > DDNS: Use this screen to set up dynamic DNS.
REMOTE MGMT > WWW: Use this screen to configure through which interface(s) and from which IP address(es) users can use HTTPS or HTTP to manage the ZyWALL.
REMOTE MGMT > SSH: Use this screen to configure through which interface(s) and from which IP address(es) users can use Secure Shell to manage the ZyWALL.
REMOTE MGMT > TELNET: Use this screen to configure through which interface(s) and from which IP address(es) users can use Telnet to manage the ZyWALL.
REMOTE MGMT > FTP: Use this screen to configure through which interface(s) and from which IP address(es) users can use FTP to access the ZyWALL.
REMOTE MGMT > SNMP: Use this screen to configure your ZyWALL’s settings for Simple Network Management Protocol management.
REMOTE MGMT > DNS: Use this screen to configure through which interface(s) and from which IP address(es) users can send DNS queries to the ZyWALL.
REMOTE MGMT > CNM: Use this screen to configure and allow your ZyWALL to be managed by the Vantage CNM server.
UPnP > UPnP: Use this screen to enable UPnP on the ZyWALL.
UPnP > Ports: Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL.
ALG > ALG: Use this screen to allow certain applications to pass through the ZyWALL.
LOGS > View Log: Use this screen to view the logs for the categories that you selected.
LOGS > Log Settings: Use this screen to change your ZyWALL’s log settings.
LOGS > Reports: Use this screen to have the ZyWALL record and display network usage reports.
MAINTENANCE > General: This screen contains administrative settings.
MAINTENANCE > Password: Use this screen to change your password.
MAINTENANCE > Time and Date: Use this screen to change your ZyWALL’s time and date.
MAINTENANCE > Device Mode: Use this screen to configure and have your ZyWALL work as a router or a bridge.
MAINTENANCE > F/W Upload: Use this screen to upload firmware to your ZyWALL.
MAINTENANCE > Backup & Restore: Use this screen to backup and restore the configuration or reset the factory defaults to your ZyWALL.
MAINTENANCE > Restart: This screen allows you to reboot the ZyWALL without turning the power off.
LOGOUT: Click this label to exit the web configurator.

2.4.6 Port Statistics

Click Port Statistics in the HOME screen. Read-only information here includes port status and packet specific statistics. The Poll Interval(s) field is configurable.
Figure 10 HOME > Show Statistics
The following table describes the labels in this screen.
Table 7 HOME > Show Statistics
LABEL DESCRIPTION
Port: These are the ZyWALL’s interfaces.
Status: For the WAN and dial backup ports, this displays the port speed and duplex setting if you’re using Ethernet encapsulation and Down (line is down), Idle (line (ppp) idle), Dial (starting to trigger a call) or Drop (dropping a call) if you’re using PPPoE encapsulation. Dial backup is not available in bridge mode. For the LAN, DMZ and WLAN ports, this displays the port speed and duplex setting.
TxPkts: This is the number of transmitted packets on this port.
RxPkts: This is the number of received packets on this port.
Collisions: This is the number of collisions on this port.
Tx B/s: This displays the transmission speed in bytes per second on this port.
Rx B/s: This displays the reception speed in bytes per second on this port.
Up Time: This is the total amount of time the line has been up.
System Up Time: This is the total time the ZyWALL has been on.
Poll Interval(s): Enter a number of seconds to update all screen statistics automatically at the end of every time interval.
Set Interval: Click this button to apply the new poll interval you entered in the Poll Interval(s) field.
Stop: Click Stop to stop refreshing statistics.

2.4.7 DHCP Table Screen

DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyWALL as a DHCP server or disable it. When configured as a server, the ZyWALL provides the TCP/IP configuration for the clients. If DHCP service is disabled, you must have another DHCP server on your LAN, or else the computer must be manually configured.
Click Show DHCP Table in the HOME screen when the ZyWALL is set to router mode. Read-only information here relates to your DHCP status. The DHCP table shows current DHCP client information (including IP Address, Host Name and MAC Address) of all network clients using the ZyWALL’s DHCP server.
Figure 11 HOME > DHCP Table
The following table describes the labels in this screen.
Table 8 HOME > DHCP Table
LABEL DESCRIPTION
Interface: Select LAN, DMZ or WLAN to show the current DHCP client information for the specified interface.
#: This is the index number of the host computer.
IP Address: This field displays the IP address relative to the # field listed above.
Host Name: This field displays the computer host name.
MAC Address: The MAC (Media Access Control) or Ethernet address on a LAN (Local Area Network) is unique to your computer (six pairs of hexadecimal notation). A network interface card such as an Ethernet adapter has a hardwired address that is assigned at the factory. This address follows an industry standard that ensures no other adapter has a similar address.
Reserve: Select the check box in the heading row to automatically select all check boxes or select the check box(es) in each entry to have the ZyWALL always assign the selected entry(ies)’s IP address(es) to the corresponding MAC address(es) (and host name(s)). You can select up to 32 entries in this table. After you click Apply, the MAC address and IP address also display in the Static DHCP screen (where you can edit them) for the specified interface.
Refresh: Click Refresh to reload the DHCP table.

2.4.8 VPN Status

Click VPN in the HOME screen when the ZyWALL is set to router mode. This screen displays read-only information about the active VPN connections. The Poll Interval(s) field is configurable. A Security Association (SA) is the group of security settings related to a specific VPN tunnel.
Figure 12 HOME > VPN Status
The following table describes the labels in this screen.
Table 9 HOME > VPN Status
LABEL DESCRIPTION
#: This is the security association index number.
Name: This field displays the identification name for this VPN policy.
Local Network: This field displays the IP address of the computer using the VPN IPSec feature of your ZyWALL.
Remote Network: This field displays IP address (in a range) of computers on the remote network behind the remote IPSec router.
Encapsulation: This field displays Tunnel or Transport mode.
IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
Poll Interval(s): Enter a number of seconds to update all screen statistics automatically at the end of every time interval.
Set Interval: Click this button to apply the new poll interval you entered in the Poll Interval(s) field.
Stop: Click Stop to stop refreshing statistics.

2.4.9 Bandwidth Monitor

Click Bandwidth in the HOME screen to display the bandwidth monitor. This screen displays the device’s bandwidth usage and allotments.
Figure 13 Home > Bandwidth Monitor
The following table describes the labels in this screen.
Table 10 ADVANCED > BW MGMT > Monitor
LABEL DESCRIPTION
Interface: Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes.
Class: This field displays the name of the bandwidth class. A Default Class (see note A below) automatically displays for all the bandwidth in the Root Class that is not allocated to bandwidth classes. If you do not enable maximize bandwidth usage on an interface, the ZyWALL uses the bandwidth in this default class to send traffic that does not match any of the bandwidth classes.
Budget (kbps): This field displays the amount of bandwidth allocated to the bandwidth class.
Current Usage (kbps): This field displays the amount of bandwidth that each bandwidth class is using.
Poll Interval(s): Enter a number of seconds to update all screen statistics automatically at the end of every time interval.
Set Interval: Click this button to apply the new poll interval you entered in the Poll Interval(s) field.
Stop Update: Click Stop Update to stop refreshing statistics.
A. If you allocate all the root class’s bandwidth to the bandwidth classes, the default class still displays a budget of 2 kbps (the minimum amount of bandwidth that can be assigned to a bandwidth class).
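As an added example (not ZyWALL code), the following Python models how the Monitor's Default Class budget follows from the Root Class budget and the configured class budgets, including the 2 kbps floor from note A; the interface, class names and kbps values are constructed sample data, and the 2 kbps minimum is applied to every class as a validation check.

```python
"""Model of the bandwidth monitor's Default Class budget.

Added example, not ZyWALL code. Assumptions: the Root Class budget is the
interface's total bandwidth in kbps, class budgets are in kbps, and
MIN_CLASS_KBPS is the 2 kbps minimum described in note A of Table 10.
"""
from dataclasses import dataclass, field

MIN_CLASS_KBPS = 2  # minimum bandwidth that can be assigned to a bandwidth class


@dataclass
class BandwidthClass:
    name: str
    budget_kbps: int


@dataclass
class InterfaceBudget:
    interface: str                           # LAN, WAN, DMZ or WLAN
    root_kbps: int                           # Root Class budget
    classes: list = field(default_factory=list)

    def validate(self) -> list:
        """Return a list of problems; an empty list means the setup is consistent."""
        problems = []
        allocated = 0
        for c in self.classes:
            if c.budget_kbps < MIN_CLASS_KBPS:
                problems.append(
                    f"{c.name}: budget {c.budget_kbps} kbps is below the "
                    f"{MIN_CLASS_KBPS} kbps minimum")
            allocated += c.budget_kbps
        if allocated > self.root_kbps:
            problems.append(
                f"classes allocate {allocated} kbps but the Root Class "
                f"has only {self.root_kbps} kbps")
        return problems

    def default_class_kbps(self) -> int:
        """Budget the Monitor shows for the Default Class.

        It is the part of the Root Class not allocated to any class; when the
        classes take everything, the Default Class still shows the 2 kbps minimum.
        """
        unallocated = self.root_kbps - sum(c.budget_kbps for c in self.classes)
        return max(unallocated, MIN_CLASS_KBPS)

    def monitor_rows(self) -> list:
        """Rows as the Monitor lists them: (class name, budget in kbps)."""
        rows = [(c.name, c.budget_kbps) for c in self.classes]
        rows.append(("Default Class", self.default_class_kbps()))
        return rows


# Constructed sample: a 1000 kbps WAN uplink with two bandwidth classes.
wan = InterfaceBudget("WAN", 1000,
                      [BandwidthClass("VoIP", 300), BandwidthClass("VPN", 500)])

if __name__ == "__main__":
    for problem in wan.validate():
        print("problem:", problem)
    for name, kbps in wan.monitor_rows():
        print(f"{name:<14}{kbps:>6} kbps")
```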
CHAPTER 3

Wizard Setup

This chapter provides information on the Wizard Setup screens in the web configurator. The Internet access wizard is only applicable when the ZyWALL is in router mode.

3.1 Wizard Setup Overview

The web configurator's setup wizards help you configure Internet and VPN connection settings.
In the HOME screen, click the Wizard icon to open the Wizard Setup Welcome screen. The following summarizes the wizards you can select:
• Internet Access Setup
Click this link to open a wizard to set up an Internet connection for the WAN port.
• VPN Setup
Use VPN Setup to configure a VPN connection that uses a pre-shared key. If you want to set the rule to use a certificate, please go to the VPN screens for configuration. See Section 3.3 on page 76.
Figure 14 Wizard Setup Welcome

3.2 Internet Access

The Internet access wizard screen has three variations depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information.
3.2.1 ISP Parameters
The ZyWALL offers three choices of encapsulation. They are Ethernet, PPTP or PPPoE.
The wizard screen varies according to the type of encapsulation that you select in the Encapsulation field.
3.2.1.1 Ethernet
For ISPs (such as Telstra) that send UDP heartbeat packets to verify that the customer is still online, please create a WAN-to-WAN/ZyWALL firewall rule for those packets. Contact your ISP to find the correct port number.
Choose Ethernet when the WAN port is used as a regular Ethernet.
Figure 15 ISP Parameters: Ethernet Encapsulation
The following table describes the labels in this screen.
Table 11 ISP Parameters: Ethernet Encapsulation
LABEL DESCRIPTION
ISP Parameters for Internet Access
Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection.
WAN IP Address Assignment
IP Address Assignment: Select Dynamic if your ISP did not assign you a fixed IP address. This is the default selection. Select Static if the ISP assigned a fixed IP address. The fields below are available only when you select Static.
My WAN IP Address: Enter your WAN IP address in this field.
My WAN IP Subnet Mask: Enter the IP subnet mask in this field.
Gateway IP Address: Enter the gateway IP address in this field.
First DNS Server / Second DNS Server: Enter the DNS server's IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
Back: Click Back to return to the previous wizard screen.
Apply: Click Apply to save your changes and go to the next screen.
3.2.1.2 PPPoE Encapsulation
Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an IETF (Internet Engineering Task Force) standard specifying how a host personal computer interacts with a broadband modem (for example DSL, cable, wireless, etc.) to achieve access to high-speed data networks.
Figure 16 ISP Parameters: PPPoE Encapsulation
The following table describes the labels in this screen.
Table 12 ISP Parameters: PPPoE Encapsulation
LABEL DESCRIPTION
ISP Parameter for Internet Access
Encapsulation: Choose an encapsulation method from the pull-down list box. PPP over Ethernet forms a dial-up connection.
Service Name: Type the name of your service provider. This field is optional.
User Name: Type the user name given to you by your ISP.
Password: Type the password associated with the user name above.
Retype to Confirm: Type your password again for confirmation.
Nailed-Up: Select Nailed-Up if you do not want the connection to time out.
Idle Timeout: Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server. The default time is 100 seconds.
WAN IP Address Assignment
IP Address Assignment: Select Dynamic if your ISP did not assign you a fixed IP address. This is the default selection. Select Static if the ISP assigned a fixed IP address. The fields below are available only when you select Static.
My WAN IP Address: Enter your WAN IP address in this field.
First DNS Server / Second DNS Server: Enter the DNS server's IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
Back: Click Back to return to the previous wizard screen.
Apply: Click Apply to save your changes and go to the next screen.
3.2.1.3 PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables transfers of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/ IP-based networks.
PPTP supports on-demand, multi-protocol, and virtual private networking over public networks, such as the Internet.
" The ZyWALL supports one PPTP server connection at any given time.
Figure 17 ISP Parameters: PPTP Encapsulation
The following table describes the labels in this screen.
Table 13 ISP Parameters: PPTP Encapsulation
LABEL DESCRIPTION
ISP Parameters for Internet Access
Encapsulation: Select PPTP from the drop-down list box. To configure a PPTP client, you must configure the User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
User Name: Type the user name given to you by your ISP.
Password: Type the password associated with the User Name above.
Retype to Confirm: Type your password again for confirmation.
Nailed-Up: Select Nailed-Up if you do not want the connection to time out.
Idle Timeout: Type the time in seconds that elapses before the router automatically disconnects from the PPTP server.
PPTP Configuration
My IP Address: Type the (static) IP address assigned to you by your ISP.
My IP Subnet Mask: Type the subnet mask assigned to you by your ISP (if given).
Server IP Address: Type the IP address of the PPTP server.
Connection ID/Name: Enter the connection ID or connection name in this field. It must follow the "c:id" and "n:name" format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your xDSL modem.
WAN IP Address Assignment
IP Address Assignment: Select Dynamic if your ISP did not assign you a fixed IP address. This is the default selection. Select Static if the ISP assigned a fixed IP address. The fields below are available only when you select Static.
My WAN IP Address: Enter your WAN IP address in this field.
First DNS Server / Second DNS Server: Enter the DNS server's IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
Back: Click Back to return to the previous wizard screen.
Apply: Click Apply to save your changes and go to the next screen.
3.2.2 Internet Access Wizard: Second Screen
Click Next to go to the screen where you can register your ZyWALL and activate the free content filtering trial application. Otherwise, click Skip to display the congratulations screen and click Close to complete the Internet access setup.
Figure 18 Internet Access Wizard: Second Screen
Figure 19 Internet Access Setup Complete
3.2.3 Internet Access Wizard: Registration
If you clicked Next in the previous screen (see Figure 18 on page 72), the following screen displays.
Use this screen to register the ZyWALL with myZyXEL.com. You must register your ZyWALL before you can activate trial application of service like content filtering.
Note: If you want to activate a standard service with your iCard’s PIN number (license key), use the REGISTRATION > Service screen.
Figure 20 Internet Access Wizard: Registration
The following table describes the labels in this screen.
Table 14 Internet Access Wizard: Registration
LABEL DESCRIPTION
Device Registration    If you select Existing myZyXEL.com account, only the User Name and Password fields are available.
New myZyXEL.com account    If you haven’t created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL.
Existing myZyXEL.com account    If you already have an account at myZyXEL.com, select this option and enter your user name and password in the fields below to register your ZyWALL.
User Name    Enter a user name for your myZyXEL.com account. The name should be from six to 20 alphanumeric characters (and the underscore). Spaces are not allowed.
Check    Click this button to check with the myZyXEL.com database to verify the user name you entered has not been used.
Password    Enter a password of between six and 20 alphanumeric characters (and the underscore). Spaces are not allowed.
Confirm Password    Enter the password again for confirmation.
E-Mail Address    Enter your e-mail address. You can use up to 80 alphanumeric characters (periods and the underscore are also allowed) without spaces.
Country    Select your country from the drop-down box list.
Back    Click Back to return to the previous screen.
Next    Click Next to continue.
After you fill in the fields and click Next, the following screen shows indicating the registration is in progress. Wait for the registration progress to finish.
Figure 21 Internet Access Wizard: Registration in Progress
Click Close to leave the wizard screen when the registration and activation are done.
Figure 22 Internet Access Wizard: Status
The following screen appears if the registration was not successful. Click Return to go back to the Device Registration screen and check your settings.
Figure 23 Internet Access Wizard: Registration Failed
If the ZyWALL has been registered, the Device Registration screen is read-only and the Service Activation screen appears indicating what trial applications are activated after you click Next.
Figure 24 Internet Access Wizard: Registered Device
Figure 25 Internet Access Wizard: Activated Services

3.3 VPN Wizard Gateway Setting

Use this screen to name the VPN gateway policy (IKE SA) and identify the IPSec routers at either end of the VPN tunnel.
Click VPN Setup in the Wizard Setup Welcome screen (Figure 14 on page 67) to open the VPN configuration wizard. The first screen displays as shown next.
Figure 26 VPN Wizard: Gateway Setting
The following table describes the labels in this screen.
Table 15 VPN Wizard: Gateway Setting
LABEL DESCRIPTION
Gateway Policy Property
Name    Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
Gateway Policy Setting
My ZyWALL    When the ZyWALL is in router mode, enter the WAN IP address or the domain name of your ZyWALL or leave the field set to 0.0.0.0. The ZyWALL uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. If the WAN connection goes down, the ZyWALL uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP address when using traffic redirect.
The VPN tunnel has to be rebuilt if this IP address changes. When the ZyWALL is in bridge mode, this field is read-only and displays the ZyWALL’s IP address.
Remote Gateway Address    Enter the WAN IP address or domain name of the remote IPSec router (secure gateway) in the field below to identify the remote IPSec router by its IP address or a domain name. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address.
Back    Click Back to return to the previous screen.
Next    Click Next to continue.

3.4 VPN Wizard Network Setting

Use this screen to name the VPN network policy (IPSec SA) and identify the devices behind the IPSec routers at either end of a VPN tunnel.
Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
Figure 27 VPN Wizard: Network Setting
The following table describes the labels in this screen.
Table 16 VPN Wizard: Network Setting
LABEL DESCRIPTION
Network Policy Property
Active    If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel. Clear the Active check box to turn the network policy off. The ZyWALL does not apply the policy. Packets for the tunnel do not trigger the tunnel.
Name    Type up to 32 characters to identify this VPN network policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
Network Policy Setting
Local Network    Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Select Single for a single IP address. Select Range IP for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
Starting IP Address    When the Local Network field is configured to Single, enter a (static) IP address on the LAN behind your ZyWALL. When the Local Network field is configured to Range IP, enter the beginning (static) IP address, in a range of computers on the LAN behind your ZyWALL. When the Local Network field is configured to Subnet, this is a (static) IP address on the LAN behind your ZyWALL.
Ending IP Address/ Subnet Mask    When the Local Network field is configured to Single, this field is N/A. When the Local Network field is configured to Range IP, enter the end (static) IP address, in a range of computers on the LAN behind your ZyWALL. When the Local Network field is configured to Subnet, this is a subnet mask on the LAN behind your ZyWALL.
Remote Network    Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. Select Single for a single IP address. Select Range IP for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
Starting IP Address    When the Remote Network field is configured to Single, enter a (static) IP address on the network behind the remote IPSec router. When the Remote Network field is configured to Range IP, enter the beginning (static) IP address, in a range of computers on the network behind the remote IPSec router. When the Remote Network field is configured to Subnet, enter a (static) IP address on the network behind the remote IPSec router.
Ending IP Address/ Subnet Mask    When the Remote Network field is configured to Single, this field is N/A. When the Remote Network field is configured to Range IP, enter the end (static) IP address, in a range of computers on the network behind the remote IPSec router. When the Remote Network field is configured to Subnet, enter a subnet mask on the network behind the remote IPSec router.
Back    Click Back to return to the previous screen.
Next    Click Next to continue.
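The restriction stated before Figure 27 (two active SAs may share a local selector or a remote selector, but not both) can be checked offline over a set of wizard network policies before they are entered. The following Python is an added example, not code from this User's Guide or from the ZyWALL; it expands each Single, Range IP or Subnet setting from Table 16 into the addresses it covers and treats "the same" as identical address sets, so a Range IP of one address and a Single of that address count as equal. The sample policies are constructed: the FTP server 192.168.1.4 comes from the Chapter 4 tutorial, while the remote subnet 192.168.2.0/24 behind device B is an assumption.

```python
import ipaddress


def selector_addresses(kind, start, end_or_mask=None):
    """Expand a wizard Local/Remote Network setting into a set of addresses.

    kind mirrors the wizard field: "Single" (one address), "Range IP"
    (Starting IP Address to Ending IP Address) or "Subnet" (Starting IP
    Address plus Subnet Mask).
    """
    if kind == "Single":
        return {ipaddress.ip_address(start)}
    if kind == "Range IP":
        lo = int(ipaddress.ip_address(start))
        hi = int(ipaddress.ip_address(end_or_mask))
        if hi < lo:
            raise ValueError("Ending IP Address is below Starting IP Address")
        return {ipaddress.ip_address(i) for i in range(lo, hi + 1)}
    if kind == "Subnet":
        # strict=False lets the Starting IP Address be any host in the subnet.
        net = ipaddress.ip_network(f"{start}/{end_or_mask}", strict=False)
        return set(net)
    raise ValueError(f"unknown network type {kind!r}")


def find_duplicate_selectors(policies):
    """Return (name, name) pairs of ACTIVE policies whose local and remote
    selectors are both identical. Inactive policies are skipped, because the
    guide allows duplicates as long as only one of them is active."""
    active = [p for p in policies if p["active"]]
    expanded = [(p["name"],
                 selector_addresses(*p["local"]),
                 selector_addresses(*p["remote"])) for p in active]
    conflicts = []
    for i, (a_name, a_loc, a_rem) in enumerate(expanded):
        for b_name, b_loc, b_rem in expanded[i + 1:]:
            if a_loc == b_loc and a_rem == b_rem:
                conflicts.append((a_name, b_name))
    return conflicts


# Constructed sample policies (assumed remote subnet 192.168.2.0/24).
EXAMPLE_POLICIES = [
    {"name": "ftp-to-B", "active": True,
     "local": ("Single", "192.168.1.4"),
     "remote": ("Subnet", "192.168.2.0", "255.255.255.0")},
    {"name": "ftp-to-B-standby", "active": False,   # inactive twin: allowed
     "local": ("Single", "192.168.1.4"),
     "remote": ("Subnet", "192.168.2.0", "255.255.255.0")},
    {"name": "ftp-to-B-dup", "active": True,        # same local AND remote: rejected
     "local": ("Range IP", "192.168.1.4", "192.168.1.4"),
     "remote": ("Subnet", "192.168.2.0", "255.255.255.0")},
    {"name": "lan-to-B", "active": True,            # same remote only: allowed
     "local": ("Subnet", "192.168.1.0", "255.255.255.0"),
     "remote": ("Subnet", "192.168.2.0", "255.255.255.0")},
]

if __name__ == "__main__":
    for pair in find_duplicate_selectors(EXAMPLE_POLICIES):
        print("conflicting active policies:", pair)
```

Running the block reports the one pair that breaks the rule; the inactive standby copy and the policy that shares only the remote selector pass, matching the three cases the paragraph describes.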

3.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1)

Use this screen to specify the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA.
Figure 28 VPN Wizard: IKE Tunnel Setting
The following table describes the labels in this screen.
Table 17 VPN Wizard: IKE Tunnel Setting
LABEL DESCRIPTION
Negotiation Mode    Select Main Mode for identity protection. Select Aggressive Mode to allow more incoming connections from dynamic IP addresses to use separate passwords.
Note: Multiple SAs (security associations) connecting through a secure gateway must have the same negotiation mode.
Encryption Algorithm    When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES.
Authentication Algorithm    MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
Key Group    You must choose a key group for phase 1 IKE setup. DH1 (default) refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number.
SA Life Time (Seconds)    Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 180 seconds.
A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Pre-Shared Key    Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection.
Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key with a "0x" (zero x), which is not counted as part of the 16 to 62 character range for the key. For example, in "0x0123456789ABCDEF", 0x denotes that the key is hexadecimal and 0123456789ABCDEF is the key itself.
Both ends of the VPN tunnel must use the same pre-shared key. You will receive a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is not used on both ends.
Back    Click Back to return to the previous screen.
Next    Click Next to continue.
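The key-format rules in the Pre-Shared Key row can be checked before a key is typed into both gateways, which avoids a phase 1 failure that only shows up as a PYLD_MALFORMED notification. The following Python is an added example, not code from this User's Guide or from ZyXEL's firmware; it encodes the length rules and the "0x" prefix convention from Table 17 and assumes two things the table does not state: that any key beginning with "0x" is meant as a hexadecimal key (so a malformed one is reported rather than accepted as ASCII text), and that hexadecimal digits compare case-insensitively.

```python
import hmac
import re

# Length rules stated in Table 17 (VPN Wizard: IKE Tunnel Setting).
ASCII_MIN, ASCII_MAX = 8, 31   # case-sensitive ASCII characters
HEX_MIN, HEX_MAX = 16, 62      # hex digits after the "0x" prefix
HEX_RE = re.compile(r"^0x([0-9A-Fa-f]*)$")


def check_psk(key):
    """Validate one pre-shared key string.

    Returns (kind, normalized) for a valid key, with kind "ascii" or "hex",
    or (None, reason) when the key breaks a rule from the table.
    """
    if key.startswith("0x"):
        # Assumption: a "0x" prefix always declares a hex key, so a malformed
        # hex key is reported instead of being silently treated as ASCII.
        m = HEX_RE.match(key)
        if m is None:
            return None, "hex key may only contain 0-9 and A-F after 0x"
        digits = m.group(1)
        if not HEX_MIN <= len(digits) <= HEX_MAX:
            return None, f"hex key needs {HEX_MIN}-{HEX_MAX} hex digits, got {len(digits)}"
        return "hex", digits.lower()   # assumption: hex digits are case-insensitive
    if not key.isascii() or not key.isprintable():
        return None, "ASCII key must consist of printable ASCII characters"
    if not ASCII_MIN <= len(key) <= ASCII_MAX:
        return None, f"ASCII key needs {ASCII_MIN}-{ASCII_MAX} characters, got {len(key)}"
    return "ascii", key


def psk_ends_match(local_key, remote_key):
    """True only when both tunnel ends present the same valid key.

    A mismatch here is the condition the table says produces a
    PYLD_MALFORMED packet. compare_digest is used so that a checker fed
    an attacker-chosen key does not reveal, through timing, how long a
    common prefix the two keys share.
    """
    lk, lv = check_psk(local_key)
    rk, rv = check_psk(remote_key)
    if lk is None or rk is None or lk != rk:
        return False
    return hmac.compare_digest(lv, rv)


if __name__ == "__main__":
    for k in ("0x0123456789ABCDEF", "0x0123", "short", "correct-horse-battery"):
        print(repr(k), "->", check_psk(k))
    print("ends match:", psk_ends_match("0x0123456789ABCDEF", "0x0123456789abcdef"))
```

The example key from the table, "0x0123456789ABCDEF", is accepted as a 16-digit hexadecimal key; "0x0123" is rejected for being too short rather than being counted as a 6-character ASCII key, which is the mistake the "0x" rule exists to prevent.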

3.6 VPN Wizard IPSec Setting (IKE Phase 2)

Use this screen to specify the authentication, encryption and other settings needed to negotiate a phase 2 IPSec SA.
Figure 29 VPN Wizard: IPSec Setting
The following table describes the labels in this screen.
Table 18 VPN Wizard: IPSec Setting
LABEL DESCRIPTION
Encapsulation Mode    Tunnel is compatible with NAT, Transport is not.
Tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel mode is required for gateway services to provide access to internal systems. Tunnel mode is fundamentally an IP tunnel with authentication and encryption. Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
IPSec Protocol    Select the security protocols used for an SA.
Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
Encryption Algorithm    When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES. Select NULL to set up a tunnel without encryption. When you select NULL, you do not enter an encryption key.
Authentication Algorithm    MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
SA Life Time (Seconds)    Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 180 seconds.
A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Perfect Forward Secret (PFS)    Perfect Forward Secret (PFS) is disabled (None) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure.
Select DH1 or DH2 to enable PFS. DH1 refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number (more secure, yet slower).
Back    Click Back to return to the previous screen.
Next    Click Next to continue.

3.7 VPN Wizard Status Summary

This read-only screen shows the status of the current VPN setting. Use the summary table to check whether what you have configured is correct.
Figure 30 VPN Wizard: VPN Status
The following table describes the labels in this screen.
Table 19 VPN Wizard: VPN Status
LABEL DESCRIPTION
Gateway Policy Property
Name    This is the name of this VPN gateway policy.
Gateway Policy Setting
My ZyWALL    This is the WAN IP address or the domain name of your ZyWALL in router mode or the ZyWALL’s IP address in bridge mode.
Remote Gateway Address    This is the IP address or the domain name used to identify the remote IPSec router.
Network Policy Property
Active    This displays whether this VPN network policy is enabled or not.
Name    This is the name of this VPN network policy.
Network Policy Setting
Local Network
Starting IP Address    This is a (static) IP address on the LAN behind your ZyWALL.
Ending IP Address/ Subnet Mask    When the local network is configured for a single IP address, this field is N/A. When the local network is configured for a range IP address, this is the end (static) IP address, in a range of computers on the LAN behind your ZyWALL. When the local network is configured for a subnet, this is a subnet mask on the LAN behind your ZyWALL.
Remote Network
Starting IP Address    This is a (static) IP address on the network behind the remote IPSec router.
Ending IP Address/ Subnet Mask    When the remote network is configured for a single IP address, this field is N/A. When the remote network is configured for a range IP address, this is the end (static) IP address, in a range of computers on the network behind the remote IPSec router. When the remote network is configured for a subnet, this is a subnet mask on the network behind the remote IPSec router.
IKE Tunnel Setting (IKE Phase 1)
Negotiation Mode    This shows Main Mode or Aggressive Mode. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
Encryption Algorithm    This is the method of data encryption. Options can be DES, 3DES or AES.
Authentication Algorithm    MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data.
Key Group    This is the key group you chose for phase 1 IKE setup.
SA Life Time (Seconds)    This is the length of time before an IKE SA automatically renegotiates.
Pre-Shared Key    This is a pre-shared key identifying a communicating party during a phase 1 IKE negotiation.
IPSec Setting (IKE Phase 2)
Encapsulation Mode    This shows Tunnel mode or Transport mode.
IPSec Protocol    ESP or AH are the security protocols used for an SA.
Encryption Algorithm    This is the method of data encryption. Options can be DES, 3DES, AES or NULL.
Authentication Algorithm    MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data.
SA Life Time (Seconds)    This is the length of time before an IKE SA automatically renegotiates.
Perfect Forward Secret (PFS)    Perfect Forward Secret (PFS) is disabled (None) by default in phase 2 IPSec SA setup. Otherwise, DH1 or DH2 are selected to enable PFS.
Back    Click Back to return to the previous screen.
Finish    Click Finish to complete and save the wizard setup.

3.8 VPN Wizard Setup Complete

Congratulations! You have successfully set up the VPN rule for your ZyWALL. If you already had VPN rules configured, the wizard adds the new VPN rule after the last existing VPN rule.
Figure 31 VPN Wizard Setup Complete
CHAPTER 4

Tutorial

This chapter describes how to apply security settings to VPN traffic, how to set up your ZyWALL if you have more than one fixed (static) IP address from your ISP and how to allocate bandwidth and apply priorities to traffic that flows out through the ZyWALL’s WAN port.
4.1 Security Settings for VPN Traffic
The ZyWALL can apply the firewall and content filtering to the traffic going to or from the ZyWALL’s VPN tunnels. The ZyWALL applies the security settings to the traffic before encrypting VPN traffic that it sends out or after decrypting received VPN traffic.
Note: The security settings apply to VPN traffic going to or from the ZyWALL’s VPN tunnels. They do not apply to other VPN traffic for which the ZyWALL is not one of the gateways (VPN pass-through traffic).
You can turn on content filtering for all of the ZyWALL’s VPN traffic (regardless of its direction of travel). You can apply firewall security to VPN traffic based on its direction of travel. The following examples show how you do this for the firewall.
4.1.1 Firewall Rule for VPN Example
The firewall provides even more fine-tuned control for VPN tunnels. You can configure default and custom firewall rules for VPN packets.
Take the following example. You have a LAN FTP server with IP address 192.168.1.4 behind device A. You could configure a VPN rule to allow the network behind device B to access your LAN FTP server through a VPN tunnel. Now, if you don’t want other services like chat or e-mail going to the FTP server, you can configure firewall rules that allow only FTP traffic to come from VPN tunnels to the FTP server. Furthermore, you can configure the firewall rule so that only the network behind device B can access the FTP server through a VPN tunnel (not other remote networks that have VPN tunnels with the ZyWALL).
Figure 32 Firewall Rule for VPN
4.1.2 Configuring the VPN Rule
This section shows how to configure a VPN rule on device A to let the network behind B access the FTP server. You would also have to configure a corresponding rule on device B.
1 Click Security > VPN to open the following screen. Click the Add Gateway Policy icon.
Figure 33 SECURITY > VPN > VPN Rules (IKE)
2 Use this screen to set up the connection between the routers. Configure the fields that are circled as follows and click Apply.
Figure 34 SECURITY > VPN > VPN Rules (IKE)> Add Gateway Policy
3 Click the Add Network Policy icon.
Figure 35 SECURITY > VPN > VPN Rules (IKE): With Gateway Policy Example
4 Use this screen to specify which computers behind the routers can use the VPN tunnel.
Configure the fields that are circled as follows and click Apply. You may notice that the example does not specify the port numbers. This is due to the following reasons.
• While FTP uses a control session on port 20, the port for the data session is not fixed. So this example uses the firewall’s FTP application layer gateway (ALG) to handle this instead of specifying port numbers in this VPN network policy.
• The firewall provides better security because it operates at layer 4 and checks traffic sessions. The VPN network policy only operates at layer 3 and just checks IP addresses and port numbers.
Figure 36 SECURITY > VPN > VPN Rules (IKE)> Add Network Policy
4.1.3 Configuring the Firewall Rules
Suppose you have several VPN tunnels but you only want to allow device B’s network to access the FTP server. You also only want FTP traffic to go to the FTP server, so you want to block all other traffic types (like chat, e-mail, web and so on). The following sections show how to configure firewall rules to enforce these restrictions.
4.1.3.1 Firewall Rule to Allow Access Example
Configure a firewall rule that allows FTP access from the VPN tunnel to the FTP server.
1 Click Security > Firewall > Rule Summary.
2 Select VPN to LAN as the packet direction and click Insert.
Figure 37 SECURITY > FIREWALL > Rule Summary
3 Configure the rule as follows and click Apply. The source addresses are the VPN rule’s remote network and the destination address is the LAN FTP server.
Figure 38 SECURITY > FIREWALL > Rule Summary > Edit: Allow
4 The rule displays in the summary list of VPN to LAN firewall rules.
Figure 39 SECURITY > FIREWALL > Rule Summary: Allow
4.1.3.2 Default Firewall Rule to Block Other Access Example
Now you configure the default firewall rule to block all VPN to LAN traffic. This blocks any other types of access from VPN tunnels to the LAN FTP server. This means that you need to configure more firewall rules if you want to allow any other VPN tunnels to access the LAN.
1 Click SECURITY > FIREWALL > Default Rule.
2 Configure the screen as follows and click Apply.
Figure 40 SECURITY > FIREWALL > Default Rule: Block From VPN To LAN
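The policy configured in Sections 4.1.3.1 and 4.1.3.2 (one VPN to LAN rule permitting FTP from device B's network to the FTP server, plus a default rule blocking everything else in that direction) amounts to an ordered rule list with a per-direction default, and it can be checked against sample packets before the rules are committed. The following Python is an added example, not code from this User's Guide or from the ZyWALL. The FTP server 192.168.1.4 comes from the tutorial; the network behind device B (192.168.2.0/24), a second VPN peer's network (192.168.3.0/24) and the use of TCP port 21 for the FTP control session (the port Section 4.2 also uses for FTP) are assumptions. Only the control session is modelled; the data session, whose port is not fixed, is what the tutorial leaves to the FTP ALG.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # ZyWALL packet direction, e.g. "VPN to LAN"
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str
    src_net: str                 # CIDR; "0.0.0.0/0" would mean any
    dst_net: str
    proto: Optional[str] = None  # None = any protocol
    dport: Optional[int] = None  # None = any port
    action: str = "permit"       # "permit" or "block"


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule applies only to its own direction and to packets inside its
    source and destination networks, protocol and port."""
    return (rule.direction == pkt.direction
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src_net)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst_net)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def decide(pkt: Packet, rules: List[Rule], defaults: Dict[str, str]) -> str:
    """First matching rule wins; otherwise the direction's default rule
    (Section 4.1.3.2) applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return defaults[pkt.direction]


# Constructed configuration mirroring Section 4.1.3. The remote network of
# the VPN rule (192.168.2.0/24, behind device B) is assumed.
RULES = [
    Rule("VPN to LAN", "192.168.2.0/24", "192.168.1.4/32", "tcp", 21, "permit"),
]
DEFAULTS = {"VPN to LAN": "block"}   # default rule: block from VPN to LAN

# Constructed sample traffic: FTP and mail from device B's network, FTP from
# a third VPN peer (192.168.3.0/24, assumed), and FTP to another LAN host.
SAMPLE_PACKETS = [
    Packet("VPN to LAN", "192.168.2.10", "192.168.1.4", "tcp", 21),
    Packet("VPN to LAN", "192.168.2.10", "192.168.1.4", "tcp", 25),
    Packet("VPN to LAN", "192.168.3.10", "192.168.1.4", "tcp", 21),
    Packet("VPN to LAN", "192.168.2.10", "192.168.1.20", "tcp", 21),
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(f"{p.src} -> {p.dst}:{p.dport}/{p.proto}: {decide(p, RULES, DEFAULTS)}")
```

Only the first sample packet is permitted. Mail to the FTP server, FTP from the other tunnel's network and FTP to a different LAN host all fall through to the default rule, which is the behaviour the two sections set out to enforce.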
4.2 Using NAT with Multiple Public IP Addresses
This section shows you examples of how to set up your ZyWALL if you have more than one fixed (static) IP address from your ISP.
4.2.1 Example Parameters and Scenario
The following table shows the public IP addresses from your ISP and your ZyWALL’s LAN IP address.
Public IP Addresses 1.2.3.4 to 1.2.3.7
ZyWALL’s LAN IP Address 192.168.1.1
The following figure shows the network you want to set up in this example.
• Assign the first public address (1.2.3.4) to the ZyWALL’s WAN port.
• Map the second and third public IP addresses (1.2.3.5 and 1.2.3.6) to the web and mail servers (192.168.1.12 and 192.168.1.13) respectively for traffic in both directions.
• Map the first public address (1.2.3.4) to outgoing traffic from other local computers.
• Map the first public address (1.2.3.4) to incoming traffic from the WAN.
• Forward FTP traffic using port 21 from the WAN to a specific local computer (192.168.1.39).
• The last public IP address (1.2.3.7) is not mapped to any device and is reserved for future use.
Figure 41 Tutorial Example: Using NAT with Static Public IP Addresses
To set up this network, we are going to:
1 Configure the WAN connection to use the first public IP address (1.2.3.4).
2 Configure NAT address mapping for other public IP addresses (1.2.3.5 and 1.2.3.6).
3 Configure NAT port forwarding to forward FTP traffic from the WAN to a specific computer on your local network.
4.2.2 Configuring the WAN Connection with a Static IP Address
The following table shows the information your ISP gave you for Internet connection.
Encapsulation    PPPoE
Public IP Addresses    1.2.3.4, 1.2.3.5, 1.2.3.6, 1.2.3.7
Gateway IP Address    1.2.3.89
Subnet Mask    255.255.255.0
User Name    exampleuser
Password    abcd1234
DNS Server    1.2.1.1, 1.2.1.2
Follow the steps below to configure your ZyWALL for Internet access using PPPoE in this example.
Figure 42 Tutorial Example: WAN Connection with a Static Public IP Address
1 Click NETWORK > WAN > WAN.
2 Select PPPoE (PPP over Ethernet) from the Encapsulation drop-down list box.
3 In the ISP Parameters for Internet Access section, enter the information (such as the user name and password) provided by your ISP. If your ISP didn’t give you the service name, leave the field blank.
4 In the WAN IP Address Assignment section, select Use Fixed IP Address and enter the first fixed public IP address (1.2.3.4 in this example).
5 Click Apply.
Figure 43 Tutorial Example: WAN Screen
6 Click ADVANCED > DNS.
7 The System screen displays. Click the Insert button to configure the IP address of the DNS server the ZyWALL can query to resolve domain names.
Figure 44 Tutorial Example: DNS > System
8 Select Public DNS Server and enter the first DNS server’s IP address given by your ISP. Click Apply.
Figure 45 Tutorial Example: DNS > System Edit-1
9 Enter the rule number (2) where you want to put the second record and click the Insert button to configure the second DNS server’s IP address as follows. Click Apply.
Note: To resolve a domain name, the ZyWALL checks it against the name server record entries in the order that they appear in this list.
Figure 46 Tutorial Example: DNS > System Edit-2
10 The DNS > System screen should look as shown.
Figure 47 Tutorial Example: DNS > System: Done
11 Go to the Home screen to check your WAN connection status. Make sure the status is not down.
Figure 48 Tutorial Example: Status
4.2.3 Public IP Address Mapping
To have the local computers and servers use specific WAN IP addresses, you need to map static public IP addresses to them.
In this example, you create two one-to-one rules to map the internal web server (192.168.1.12) and mail server (192.168.1.13) to different static public IP addresses. The many-to-one rule maps a public IP address (1.2.3.4, that is, the ZyWALL’s WAN IP address) to outgoing LAN traffic. It allows other local computers on the same subnet as the ZyWALL’s LAN IP address to use this IP address to access the Internet.
Figure 49 Tutorial Example: Mapping Multiple Public IP Addresses to Inside Servers
Note: The one-to-one NAT address mapping rules are for both incoming and outgoing connections. The ZyWALL forwards traffic that is initiated from either the LAN or the WAN to the destination IP address.
The many-to-one or many-to-many NAT address mapping rules are for outgoing connections only. That means only traffic initiated from the LAN or returned packets are allowed to go through the ZyWALL.
Note: The ZyWALL applies the rules in the order that you specify. You should put any one-to-one rules before a many-to-one rule.
1 Click ADVANCED > NAT.
2 Enable NAT and select Full Feature as you have multiple public IP addresses to map to private IP addresses. Click Apply.
Figure 50 Tutorial Example: NAT > NAT Overview
3 Click the Address Mapping tab.
4 Click the first rule’s Edit icon in the Modify column to display the Address Mapping Rule screen.
Figure 51 Tutorial Example: NAT > Address Mapping
5 Map a public IP address to the web server. Select the One-to-One type and enter 192.168.1.12 as the local start IP address and 1.2.3.5 as the global start IP address. Click Apply.
Figure 52 Tutorial Example: NAT Address Mapping Edit: One-to-One (1)
6 Click the second rule’s Edit icon.
7 Map a public IP address to the mail server. Select the One-to-One type and enter 192.168.1.13 as the local start IP address and 1.2.3.6 as the global start IP address. Click Apply.
Figure 53 Tutorial Example: NAT Address Mapping Edit: One-to-One (2)
8 Click the third rule’s Edit icon.
9 Map a public IP address to other outgoing LAN traffic. Select the Many-to-One type and enter 192.168.1.1 as the local start IP address, 192.168.1.254 as the local end IP address and 1.2.3.4 as the global start IP address. Click Apply.
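The two Notes at the start of Section 4.2.3 (one-to-one rules carry traffic in both directions, many-to-one rules only carry LAN-initiated traffic, and the rules are applied in the order listed) can be seen in action with a small model of the Address Mapping table. The following Python is an added example, not code from this User's Guide or from the ZyWALL; it uses the three rules created in steps 5 to 9, the port-forwarding entry planned in Section 4.2.1 (FTP on port 21 to 192.168.1.39) and a constructed LAN host 192.168.1.50. The inbound lookup order (port forwarding checked before one-to-one mappings) is an assumption of this model, not a statement of how the ZyWALL orders them.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


class NatRule:
    """One Address Mapping row. local_end is None for a single local address."""

    def __init__(self, kind: str, local_start: str,
                 local_end: Optional[str], global_start: str):
        if kind not in ("One-to-One", "Many-to-One"):
            raise ValueError(f"unsupported mapping type {kind!r}")
        self.kind = kind
        self.local_lo = int(ipaddress.ip_address(local_start))
        self.local_hi = int(ipaddress.ip_address(local_end or local_start))
        self.global_ip = str(ipaddress.ip_address(global_start))

    def covers_local(self, ip: str) -> bool:
        return self.local_lo <= int(ipaddress.ip_address(ip)) <= self.local_hi


def outbound_source(src_ip: str, rules: List[NatRule]) -> Optional[str]:
    """Public address a LAN-initiated packet leaves with; the first rule
    whose local range covers the source wins, so order matters."""
    for r in rules:
        if r.covers_local(src_ip):
            return r.global_ip
    return None


def inbound_destination(dst_ip: str, dport: int, rules: List[NatRule],
                        port_forwards: Dict[Tuple[str, int], str]) -> Optional[str]:
    """Local address a WAN-initiated packet is delivered to, or None if it
    has no mapping. Port forwarding entries are keyed by (public IP, port)
    and are consulted first (an assumption of this model). Only One-to-One
    rules accept WAN-initiated traffic; Many-to-One never does."""
    if (dst_ip, dport) in port_forwards:
        return port_forwards[(dst_ip, dport)]
    for r in rules:
        if r.kind == "One-to-One" and r.global_ip == dst_ip:
            return str(ipaddress.ip_address(r.local_lo))
    return None


def shadowed_one_to_one(rules: List[NatRule]) -> List[int]:
    """Indexes of One-to-One rules listed after a Many-to-One rule that
    already covers their local address: outbound traffic from that server
    would take the Many-to-One rule and never use its dedicated public IP."""
    shadowed = []
    for i, r in enumerate(rules):
        if r.kind != "One-to-One":
            continue
        local_ip = str(ipaddress.ip_address(r.local_lo))
        if any(m.kind == "Many-to-One" and m.covers_local(local_ip) for m in rules[:i]):
            shadowed.append(i)
    return shadowed


# The three rules in the order the tutorial creates them (steps 5 to 9).
TUTORIAL_RULES = [
    NatRule("One-to-One", "192.168.1.12", None, "1.2.3.5"),            # web server
    NatRule("One-to-One", "192.168.1.13", None, "1.2.3.6"),            # mail server
    NatRule("Many-to-One", "192.168.1.1", "192.168.1.254", "1.2.3.4"),  # other LAN hosts
]
# Port forwarding planned in Section 4.2.1: FTP (port 21) on the WAN IP to 192.168.1.39.
PORT_FORWARDS = {("1.2.3.4", 21): "192.168.1.39"}

if __name__ == "__main__":
    print("web server outbound:", outbound_source("192.168.1.12", TUTORIAL_RULES))
    print("other LAN host outbound:", outbound_source("192.168.1.50", TUTORIAL_RULES))
    print("WAN -> 1.2.3.6:25:", inbound_destination("1.2.3.6", 25, TUTORIAL_RULES, PORT_FORWARDS))
    print("WAN -> 1.2.3.4:80:", inbound_destination("1.2.3.4", 80, TUTORIAL_RULES, PORT_FORWARDS))
    misordered = [TUTORIAL_RULES[2], TUTORIAL_RULES[0], TUTORIAL_RULES[1]]
    print("shadowed rules when Many-to-One is first:", shadowed_one_to_one(misordered))
```

With the tutorial's order the web server leaves as 1.2.3.5 and the reserved address 1.2.3.7 accepts nothing. Putting the Many-to-One rule first makes both servers leave as 1.2.3.4, which is why the second Note says to list one-to-one rules before a many-to-one rule; shadowed_one_to_one() flags that misordering.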