ZyXEL Communications 70, 35 User Manual

ZyWALL 5/35/70 Series
Internet Security Appliance
User’s Guide
Version 4.00
12/2005
ZyWALL 5/35/70 Series User’s Guide

Copyright

The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation.
Published by ZyXEL Communications Corporation. All rights reserved.
Disclaimer
ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice.
Trademarks
ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.
Federal Communications Commission (FCC) Interference Statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause undesired operations.
This equipment has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.
If this equipment does cause harmful interference to radio/television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and the receiver.
• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
• Consult the dealer or an experienced radio/TV technician for help.
Notice 1
Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.
This Class B digital apparatus complies with Canadian ICES-003.
This Class B digital apparatus complies with Canadian standard NMB-003.
Certifications
1 Go to www.zyxel.com.
2 Select your product from the drop-down list box on the ZyXEL home page to go to that product's page.
3 Select the certification you wish to view from this page.

Safety Warnings

For your safety, be sure to read and follow all warning notices and instructions.
• Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel can service the device. Please contact your vendor for further information.
• Connect the power cord to the right supply voltage (110V AC in North America or 230V AC in Europe).
• Place connecting cables carefully so that no one will step on them or stumble over them. Do NOT allow anything to rest on the power cord and do NOT locate the product where anyone can walk on the power cord.
• If you wall mount your device, make sure that no electrical, gas or water pipes will be damaged.
• Do NOT install nor use your device during a thunderstorm. There may be a remote risk of electric shock from lightning.
• Do NOT expose your device to dampness, dust or corrosive liquids.
• Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
• Make sure to connect the cables to the correct ports.
• Do NOT obstruct the device ventilation slots, as insufficient airflow may harm your device.
• Do NOT store things on the device.
• Connect ONLY suitable accessories to the device.

ZyXEL Limited Warranty

ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product is modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.
Note
Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind of character to the purchaser.
To obtain the services of this warranty, contact ZyXEL's Service Center for your Return Material Authorization number (RMA). Products must be returned Postage Prepaid. It is recommended that the unit be insured when shipped. Any returned products without proof of purchase or those with an out-dated warranty will be repaired or replaced (at the discretion of ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products will be shipped by ZyXEL to the corresponding return address, Postage Paid. This warranty gives you specific legal rights, and you may also have other rights that vary from country to country.
Customer Support

Please have the following information ready when you contact customer support.
• Product model and serial number.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.

CORPORATE HEADQUARTERS (WORLDWIDE)
• Support e-mail: support@zyxel.com.tw
• Sales e-mail: sales@zyxel.com.tw
• Telephone: +886-3-578-3942
• Fax: +886-3-578-2439
• Web site: www.zyxel.com, www.europe.zyxel.com
• FTP site: ftp.zyxel.com, ftp.europe.zyxel.com
• Regular mail: ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan

CZECH REPUBLIC
• Support e-mail: info@cz.zyxel.com
• Sales e-mail: info@cz.zyxel.com
• Telephone: +420-241-091-350
• Fax: +420-241-091-359
• Web site: www.zyxel.cz
• Regular mail: ZyXEL Communications Czech s.r.o., Modranská 621, 143 01 Praha 4 - Modrany, Ceská Republika

DENMARK
• Support e-mail: support@zyxel.dk
• Sales e-mail: sales@zyxel.dk
• Telephone: +45-39-55-07-00
• Fax: +45-39-55-07-07
• Web site: www.zyxel.dk
• Regular mail: ZyXEL Communications A/S, Columbusvej, 2860 Soeborg, Denmark

FINLAND
• Support e-mail: support@zyxel.fi
• Sales e-mail: sales@zyxel.fi
• Telephone: +358-9-4780-8411
• Fax: +358-9-4780 8448
• Web site: www.zyxel.fi
• Regular mail: ZyXEL Communications Oy, Malminkaari 10, 00700 Helsinki, Finland

FRANCE
• Support e-mail: info@zyxel.fr
• Telephone: +33-4-72-52-97-97
• Fax: +33-4-72-52-19-20
• Web site: www.zyxel.fr
• Regular mail: ZyXEL France, 1 rue des Vergers, Bat. 1 / C, 69760 Limonest, France

GERMANY
• Support e-mail: support@zyxel.de
• Sales e-mail: sales@zyxel.de
• Telephone: +49-2405-6909-0
• Fax: +49-2405-6909-99
• Web site: www.zyxel.de
• Regular mail: ZyXEL Deutschland GmbH., Adenauerstr. 20/A2, D-52146 Wuerselen, Germany

HUNGARY
• Support e-mail: support@zyxel.hu
• Sales e-mail: info@zyxel.hu
• Telephone: +36-1-3361649
• Fax: +36-1-3259100
• Web site: www.zyxel.hu
• Regular mail: ZyXEL Hungary, 48, Zoldlomb Str., H-1025, Budapest, Hungary

KAZAKHSTAN
• Support: http://zyxel.kz/support
• Sales e-mail: sales@zyxel.kz
• Telephone: +7-3272-590-698
• Fax: +7-3272-590-689
• Web site: www.zyxel.kz
• Regular mail: ZyXEL Kazakhstan, 43, Dostyk ave., Office 414, Dostyk Business Centre, 050010, Almaty, Republic of Kazakhstan

NORTH AMERICA
• Support e-mail: support@zyxel.com
• Sales e-mail: sales@zyxel.com
• Telephone: 1-800-255-4101, +1-714-632-0882
• Fax: +1-714-632-0858
• Web site: www.us.zyxel.com
• FTP site: ftp.us.zyxel.com
• Regular mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806-2001, U.S.A.

NORWAY
• Support e-mail: support@zyxel.no
• Sales e-mail: sales@zyxel.no
• Telephone: +47-22-80-61-80
• Fax: +47-22-80-61-81
• Web site: www.zyxel.no
• Regular mail: ZyXEL Communications A/S, Nils Hansens vei 13, 0667 Oslo, Norway

POLAND
• Support e-mail: info@pl.zyxel.com
• Telephone: +48-22-5286603
• Fax: +48-22-5206701
• Web site: www.pl.zyxel.com
• Regular mail: ZyXEL Communications, ul. Emilli Plater 53, 00-113 Warszawa, Poland

RUSSIA
• Support: http://zyxel.ru/support
• Sales e-mail: sales@zyxel.ru
• Telephone: +7-095-542-89-29
• Fax: +7-095-542-89-25
• Web site: www.zyxel.ru
• Regular mail: ZyXEL Russia, Ostrovityanova 37a Str., Moscow, 117279, Russia

SPAIN
• Support e-mail: support@zyxel.es
• Sales e-mail: sales@zyxel.es
• Telephone: +34-902-195-420
• Fax: +34-913-005-345
• Web site: www.zyxel.es
• Regular mail: ZyXEL Communications, Alejandro Villegas 33 1º, 28043 Madrid, Spain

SWEDEN
• Support e-mail: support@zyxel.se
• Sales e-mail: sales@zyxel.se
• Telephone: +46-31-744-7700
• Fax: +46-31-744-7701
• Web site: www.zyxel.se
• Regular mail: ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden

UKRAINE
• Support e-mail: support@ua.zyxel.com
• Sales e-mail: sales@ua.zyxel.com
• Telephone: +380-44-247-69-78
• Fax: +380-44-494-49-32
• Web site: www.ua.zyxel.com
• Regular mail: ZyXEL Ukraine, 13, Pimonenko Str., Kiev, 04050, Ukraine

UNITED KINGDOM
• Support e-mail: support@zyxel.co.uk
• Sales e-mail: sales@zyxel.co.uk
• Telephone: +44-1344 303044, 08707 555779 (UK only)
• Fax: +44-1344 303034
• Web site: www.zyxel.co.uk
• FTP site: ftp.zyxel.co.uk
• Regular mail: ZyXEL Communications UK Ltd., 11 The Courtyard, Eastern Road, Bracknell, Berkshire, RG12 2XB, United Kingdom (UK)

Note: “+” in the telephone and fax numbers is the (prefix) number you enter to make an international telephone call.

Table of Contents

Copyright ..................................................................................................................2
Federal Communications Commission (FCC) Interference Statement ............... 3
Safety Warnings ....................................................................................................... 5
ZyXEL Limited Warranty.......................................................................................... 6
Customer Support.................................................................................................... 7
Table of Contents ................................................................................................... 10
List of Figures ........................................................................................................ 32
List of Tables .......................................................................................................... 44
Preface ....................................................................................................................52
Chapter 1
Getting to Know Your ZyWALL ............................................................................. 54
1.1 ZyWALL Internet Security Appliance Overview ..................................................54
1.2 ZyWALL Features ..............................................................................................54
1.2.1 Physical Features .....................................................................................55
1.2.2 Non-Physical Features .............................................................................56
1.3 Applications for the ZyWALL ..............................................................................62
1.3.1 Secure Broadband Internet Access via Cable or DSL Modem .................62
1.3.2 VPN Application ........................................................................................62
1.3.3 Front Panel LEDs .....................................................................................63
Chapter 2
Introducing the Web Configurator........................................................................ 66
2.1 Web Configurator Overview ...............................................................................66
2.2 Accessing the ZyWALL Web Configurator .........................................................66
2.3 Resetting the ZyWALL .......................................................................................67
2.3.1 Procedure To Use The Reset Button ........................................................68
2.3.2 Uploading a Configuration File Via Console Port .....................................68
2.4 Navigating the ZyWALL Web Configurator ........................................................68
2.4.1 Router Mode ..............................................................................................69
2.4.2 Bridge Mode ..............................................................................................71
2.4.3 Navigation Panel .......................................................................................74
2.4.4 System Statistics........................................................................................79
2.4.5 Show Statistics: Line Chart........................................................................80
2.4.6 DHCP Table Screen ..................................................................................81
2.4.7 VPN Status ................................................................................................82
Chapter 3
Wizard Setup .......................................................................................................... 84
3.1 Wizard Setup Overview ......................................................................................84
3.2 Internet Access .................................................................................................84
3.2.1 ISP Parameters ........................................................................................84
3.2.1.1 Ethernet ...........................................................................................84
3.2.1.2 PPPoE Encapsulation .....................................................................86
3.2.1.3 PPTP Encapsulation .......................................................................87
3.2.2 Internet Access Wizard: Second Screen ...................................................89
3.2.3 Internet Access Wizard: Registration.........................................................90
3.3 VPN Wizard Gateway Setting ............................................................................93
3.4 VPN Wizard Network Setting .............................................................................94
3.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1) .................................................96
3.6 VPN Wizard IPSec Setting (IKE Phase 2) .........................................................98
3.7 VPN Wizard Status Summary ............................................................................99
3.8 VPN Wizard Setup Complete ...........................................................................102
Chapter 4
Registration ..........................................................................................................104
4.1 myZyXEL.com overview ...................................................................................104
4.1.1 Subscription Services Available on the ZyWALL ....................................104
4.2 Registration ......................................................................................................105
4.3 Service .............................................................................................................107
Chapter 5
LAN Screens......................................................................................................... 110
5.1 LAN Overview .................................................................................................. 110
5.2 DHCP Setup .....................................................................................................110
5.2.1 IP Pool Setup .......................................................................................... 110
5.3 LAN TCP/IP ......................................................................................................110
5.3.1 Factory LAN Defaults .............................................................................. 110
5.3.2 IP Address and Subnet Mask ................................................................. 111
5.3.3 RIP Setup ............................................................................................... 111
5.3.4 Multicast ..................................................................................................112
5.4 DNS Servers .................................................................................................... 112
5.5 LAN ..................................................................................................................112
5.6 LAN Static DHCP .............................................................................................115
5.7 LAN IP Alias .....................................................................................................116
5.8 LAN Port Roles ................................................................................................118
Chapter 6
Bridge Screens.....................................................................................................122
6.1 Bridge Loop ......................................................................................................122
6.2 Spanning Tree Protocol (STP) .........................................................................122
6.2.1 Rapid STP ..............................................................................................123
6.2.2 STP Terminology ....................................................................................123
6.2.3 How STP Works .....................................................................................123
6.2.4 STP Port States ......................................................................................124
6.3 Bridge ...............................................................................................................124
6.4 Bridge Port Roles ............................................................................................126
Chapter 7
WAN Screens........................................................................................................ 130
7.1 WAN Overview .................................................................................................130
7.2 Multiple WAN ....................................................................................................130
7.3 Load Balancing Introduction .............................................................................131
7.4 Load Balancing Algorithms ..............................................................................131
7.4.1 Least Load First ......................................................................................131
7.4.1.1 Example 1 .....................................................................................132
7.4.1.2 Example 2 .....................................................................................132
7.4.2 Weighted Round Robin ...........................................................................133
7.4.3 Spillover ..................................................................................................133
7.5 TCP/IP Priority (Metric) ....................................................................................134
7.6 WAN General ...................................................................................................134
7.7 Configuring Load Balancing .............................................................................137
7.7.1 Least Load First ......................................................................................138
7.7.2 Weighted Round Robin ...........................................................................139
7.7.3 Spillover ..................................................................................................139
7.8 WAN Route ......................................................................................................140
7.9 WAN IP Address Assignment ...........................................................................142
7.10 DNS Server Address Assignment ..................................................................142
7.11 WAN MAC Address ........................................................................................143
7.12 WAN ...............................................................................................................143
7.12.1 WAN Ethernet Encapsulation ...............................................................143
7.12.2 PPPoE Encapsulation ...........................................................................146
7.12.3 PPTP Encapsulation .............................................................................150
7.13 Traffic Redirect ...............................................................................................153
7.14 Configuring Traffic Redirect ............................................................................154
7.15 Configuring Dial Backup .................................................................................155
7.16 Advanced Modem Setup ................................................................................159
7.16.1 AT Command Strings ............................................................................159
7.16.2 DTR Signal ...........................................................................................159
7.16.3 Response Strings ..................................................................................159
7.17 Configuring Advanced Modem Setup ............................................................159
Chapter 8
DMZ Screens ........................................................................................................ 162
8.1 DMZ .................................................................................................................162
8.2 Configuring DMZ ..............................................................................................162
8.3 DMZ Static DHCP ............................................................................................165
8.4 DMZ IP Alias ....................................................................................................167
8.5 DMZ Public IP Address Example .....................................................................168
8.6 DMZ Private and Public IP Address Example ..................................................169
8.7 DMZ Port Roles ................................................................................................170
Chapter 9
Wireless LAN ........................................................................................................ 174
9.1 Wireless LAN Introduction ................................................................................174
9.1.1 Additional Installation Requirements for Using 802.1x ...........................174
9.2 Configuring WLAN ...........................................................................................174
9.3 WLAN Static DHCP ..........................................................................................177
9.4 WLAN IP Alias ..................................................................................................178
9.5 WLAN Port Roles .............................................................................................180
9.6 Wireless Security .............................................................................................182
9.6.1 Encryption ...............................................................................................183
9.6.2 Authentication .........................................................................................183
9.6.3 Restricted Access ...................................................................................184
9.6.4 Hide ZyWALL Identity .............................................................................184
9.7 Security Parameters Summary ........................................................................184
9.8 WEP Encryption ...............................................................................................184
9.9 802.1x Overview ..............................................................................................185
9.9.1 Introduction to RADIUS ..........................................................................185
9.9.1.1 Types of RADIUS Messages .........................................................185
9.9.2 EAP Authentication Overview .................................................................186
9.10 Dynamic WEP Key Exchange ........................................................................186
9.11 Introduction to WPA ........................................................................................187
9.11.1 User Authentication ...............................................................................187
9.11.2 Encryption .............................................................................................187
9.12 WPA-PSK Application Example .....................................................................188
9.13 Introduction to RADIUS ..................................................................................189
9.14 WPA with RADIUS Application Example ........................................................189
9.15 Wireless Client WPA Supplicants ...................................................................190
9.16 Wireless Card .................................................................................................190
9.16.1 Static WEP ............................................................................................192
9.16.2 WPA-PSK .............................................................................................193
9.16.3 WPA ......................................................................................................195
9.16.4 IEEE 802.1x + Dynamic WEP ..............................................................196
9.16.5 IEEE 802.1x + Static WEP ....................................................................197
9.16.6 IEEE 802.1x + No WEP ........................................................................198
9.16.7 No Access 802.1x + Static WEP ...........................................................199
9.16.8 No Access 802.1x + No WEP ...............................................................200
9.17 MAC Filter ......................................................................................................200
Chapter 10
Firewalls................................................................................................................202
10.1 Firewall Overview ...........................................................................................202
10.2 Types of Firewalls ..........................................................................................202
10.2.1 Packet Filtering Firewalls ......................................................................202
10.2.2 Application-level Firewalls ....................................................................202
10.2.3 Stateful Inspection Firewalls .................................................................203
10.3 Introduction to ZyXEL’s Firewall .....................................................................203
10.4 Denial of Service ............................................................................................204
10.4.1 Basics ...................................................................................................204
10.4.2 Types of DoS Attacks ...........................................................................205
10.4.2.1 ICMP Vulnerability ......................................................................207
10.4.2.2 Illegal Commands (NetBIOS and SMTP) ....................................207
10.4.2.3 Traceroute ...................................................................................208
10.5 Stateful Inspection ..........................................................................................208
10.5.1 Stateful Inspection Process ..................................................................209
10.5.2 Stateful Inspection and the ZyWALL .....................................................210
10.5.3 TCP Security .........................................................................................210
10.5.4 UDP/ICMP Security ..............................................................................211
10.5.5 Upper Layer Protocols .......................................................................... 211
10.6 Guidelines For Enhancing Security With Your Firewall ..................................212
10.7 Packet Filtering Vs Firewall ............................................................................212
10.7.1 Packet Filtering: ....................................................................................212
10.7.1.1 When To Use Filtering .................................................................212
10.7.2 Firewall .................................................................................................213
10.7.2.1 When To Use The Firewall ..........................................................213
Chapter 11
Firewall Screens...................................................................................................214
11.1 Access Methods .............................................................................................214
11.2 Firewall Policies Overview ..............................................................................214
11.3 Rule Logic Overview ......................................................................................216
11.3.1 Rule Checklist .......................................................................................216
11.3.2 Security Ramifications ..........................................................................216
11.3.3 Key Fields For Configuring Rules .........................................................216
11.3.3.1 Action ...........................................................................................216
11.3.3.2 Service .........................................................................................217
11.3.3.3 Source Address ...........................................................................217
11.3.3.4 Destination Address ....................................................................217
11.4 Connection Direction Examples .....................................................................217
11.4.1 LAN To WAN Rules ...............................................................................217
11.4.2 WAN To LAN Rules ...............................................................................218
11.5 Alerts ..............................................................................................................218
11.6 Firewall Default Rule (Router Mode) ..............................................................219
11.7 Firewall Default Rule (Bridge Mode) ............................................................220
11.8 Firewall Rule Summary .................................................................................222
11.8.1 Firewall Edit Rule ..............................................................................223
11.9 Anti-Probing ................................................................................................226
11.10 Firewall Threshold .....................................................................................227
11.10.1 Threshold Values ................................................................................227
11.10.2 Half-Open Sessions ............................................................................227
11.10.2.1 TCP Maximum Incomplete and Blocking Time ..........................228
11.11 Service .........................................................................................................230
11.11.1 Firewall Edit Custom Service ..............................................................232
11.11.2 Predefined Services ............................................................................233
11.12 Example Firewall Rule ..................................................................................235
Chapter 12
Intrusion Detection and Prevention (IDP) .......................................................... 240
12.1 Introduction to IDP .......................................................................................240
12.1.1 Firewalls and Intrusions ........................................................................240
12.1.2 IDS and IDP .........................................................................................241
12.1.3 Host IDP ..............................................................................................241
12.1.4 Network IDP .........................................................................................241
12.1.5 Example Intrusions ...............................................................................242
12.1.5.1 SQL Slammer Worm ...................................................................242
12.1.5.2 Blaster W32.Worm ......................................................................242
12.1.5.3 Nimda ..........................................................................................242
12.1.5.4 MyDoom ......................................................................................243
12.1.6 ZyWALL IDP .........................................................................................243
Chapter 13
Configuring IDP....................................................................................................244
13.1 Overview ........................................................................................................244
13.1.1 Interfaces ..............................................................................................244
13.2 General Setup ................................................................................................245
13.3 IDP Signatures ...............................................................................................246
13.3.1 Attack Types .........................................................................................246
13.3.2 Intrusion Severity ..................................................................................248
13.3.3 Signature Actions ..................................................................................248
13.3.4 Configuring IDP Signatures ..................................................................249
13.3.5 Query View ...........................................................................................251
13.3.5.1 Query Example 1 ........................................................................251
13.3.5.2 Query Example 2 ........................................................................253
13.4 Update ...........................................................................................................254
13.4.1 mySecurity Zone ...................................................................................254
13.4.2 Configuring IDP Update ........................................................................255
13.5 Backup and Restore .......................................................................................257
Chapter 14
Anti-Virus .............................................................................................................. 258
14.1 Anti-Virus Overview .......................................................................................258
14.1.1 Types of Computer Viruses .................................................................258
14.1.2 Computer Virus Infection and Prevention .............................................258
14.1.3 Types of Anti-Virus Scanner ................................................................259
14.2 Introduction to the ZyWALL Anti-Virus Scanner .............................................259
14.2.1 How the ZyWALL Anti-Virus Scanner Works .......................................260
14.2.2 Notes About the ZyWALL Anti-Virus .....................................................260
14.3 General Anti-Virus Setup ...............................................................................261
14.4 Signature Update .........................................................................................262
14.4.1 mySecurity Zone ...................................................................................263
14.4.2 Configuring Anti-virus Update ...............................................................263
Chapter 15
Anti-Spam .............................................................................................................266
15.1 Anti-Spam Overview ....................................................................................266
15.1.1 Anti-Spam External Database ...............................................................266
15.1.1.1 SpamBulk Engine ........................................................................267
15.1.1.2 SpamRepute Engine ...................................................................267
15.1.1.3 SpamContent Engine ..................................................................267
15.1.1.4 SpamTricks Engine .....................................................................268
15.1.2 Spam Threshold ....................................................................................268
15.1.3 Phishing ................................................................................................268
15.1.4 Whitelist ................................................................................................269
15.1.5 Blacklist .................................................................................................269
15.1.6 SMTP and POP3 ..................................................................................269
15.1.7 MIME Headers ......................................................................................270
15.2 Anti-Spam General Screen ............................................................................270
15.3 Anti-Spam External DB Screen .................................................................271
15.4 Anti-Spam Lists Screen .................................................................................273
15.5 Anti-Spam Rule Edit Screen .........................................................................275
Chapter 16
Content Filtering Screens ...................................................................................278
16.1 Content Filtering Overview .............................................................................278
16.1.1 Restrict Web Features ..........................................................................278
16.1.2 Create a Filter List ................................................................................278
16.1.3 Customize Web Site Access ................................................................278
16.2 Content Filter General .................................................................................278
16.3 Content Filtering with an External Database ..................................................280
16.4 Content Filter Categories ............................................................................281
16.5 Content Filter Customization .......................................................................288
16.6 Customizing Keyword Blocking URL Checking ..............................................290
16.6.1 Domain Name or IP Address URL Checking ........................................290
16.6.2 Full Path URL Checking .......................................................................290
16.6.3 File Name URL Checking .....................................................................290
16.7 Content Filtering Cache .................................................................................291
Chapter 17
Content Filtering Reports....................................................................................294
17.1 Checking Content Filtering Activation ............................................................294
17.2 Viewing Content Filtering Reports ..................................................................294
17.3 Web Site Submission .....................................................................................299
Chapter 18
Introduction to IPSec ........................................................................................... 302
18.1 VPN Overview ................................................................................................302
18.1.1 IPSec ....................................................................................................302
18.1.2 Security Association .............................................................................302
18.1.3 Other Terminology ................................................................................302
18.1.3.1 Encryption ...................................................................................302
18.1.3.2 Data Confidentiality .....................................................................303
18.1.3.3 Data Integrity ...............................................................................303
18.1.3.4 Data Origin Authentication ..........................................................303
18.1.4 VPN Applications ..................................................................................303
18.1.4.1 Linking Two or More Private Networks Together .........................303
18.1.4.2 Accessing Network Resources When NAT Is Enabled ...............303
18.1.4.3 Unsupported IP Applications .......................................................303
18.2 IPSec Architecture .........................................................................................304
18.2.1 IPSec Algorithms ..................................................................................304
18.2.2 Key Management ..................................................................................304
18.3 Encapsulation .................................................................................................304
18.3.1 Transport Mode ....................................................................................305
18.3.2 Tunnel Mode .........................................................................................305
18.4 IPSec and NAT ...............................................................................................305
Chapter 19
VPN Screens.........................................................................................................308
19.1 VPN/IPSec Overview .....................................................................................308
19.2 IPSec Algorithms ............................................................................................308
19.2.1 AH (Authentication Header) Protocol ....................................................308
19.2.2 ESP (Encapsulating Security Payload) Protocol ..................................308
19.3 My ZyWALL ....................................................................................................309
19.4 Remote Gateway Address .............................................................................309
19.4.1 Dynamic Remote Gateway Address .....................................................310
19.5 Nailed Up .......................................................................................................310
19.6 NAT Traversal ................................................................................................310
19.6.1 NAT Traversal Configuration ................................................................. 311
19.7 ID Type and Content ......................................................................................311
19.7.1 ID Type and Content Examples ............................................................312
19.8 IKE Phases ....................................................................................................313
19.8.1 Negotiation Mode ..................................................................................314
19.8.2 Pre-Shared Key ....................................................................................314
19.8.3 Diffie-Hellman (DH) Key Groups ...........................................................315
19.8.4 Perfect Forward Secrecy (PFS) ...........................................................315
19.9 X-Auth (Extended Authentication) ..................................................................315
19.9.1 Authentication Server ...........................................................................315
19.10 VPN Rules (IKE) .........................................................................................316
19.11 VPN Rules (IKE) Gateway Policy Edit .........................................................318
19.12 VPN Rules (IKE): Network Policy Edit ......................................................324
19.13 VPN Rules (IKE): Network Policy Move .....................................................328
19.14 VPN Rules (Manual) ...................................................................................329
19.15 VPN Rules (Manual): Edit .........................................................................331
19.15.1 Security Parameter Index (SPI) ..........................................................331
19.16 VPN SA Monitor .........................................................................................335
19.17 VPN Global Setting .....................................................................................336
19.18 Telecommuter VPN/IPSec Examples ...........................................................337
19.18.1 Telecommuters Sharing One VPN Rule Example ..............................337
19.18.2 Telecommuters Using Unique VPN Rules Example ...........................338
19.19 VPN and Remote Management ...................................................................340
Chapter 20
Certificates............................................................................................................ 342
20.1 Certificates Overview .....................................................................................342
20.1.1 Advantages of Certificates ....................................................................343
20.2 Self-signed Certificates ..................................................................................343
20.3 Configuration Summary .................................................................................343
20.4 My Certificates ..............................................................................................344
20.5 My Certificate Import ....................................................................................346
20.5.1 Certificate File Formats .........................................................................346
20.6 My Certificate Create ...................................................................................347
20.7 My Certificate Details ...................................................................................350
20.8 Trusted CAs .................................................................................................353
20.9 Trusted CA Import ........................................................................................355
20.10 Trusted CA Details ......................................................................................356
20.11 Trusted Remote Hosts ................................................................................359
20.12 Verifying a Trusted Remote Host’s Certificate ..............................................361
20.12.1 Trusted Remote Host Certificate Fingerprints .....................................361
20.13 Trusted Remote Hosts Import ....................................................................362
20.14 Trusted Remote Host Certificate Details ....................................................363
20.15 Directory Servers ........................................................................................366
20.16 Directory Server Add or Edit ......................................................................367
Chapter 21
Authentication Server..........................................................................................370
21.1 Authentication Server Overview .....................................................................370
21.1.1 Local User Database ............................................................................370
21.1.2 RADIUS ................................................................................................370
21.2 Local User Database ....................................................................................370
21.3 RADIUS ........................................................................................................372
Chapter 22
Network Address Translation (NAT)................................................................... 374
22.1 NAT Overview ................................................................................................374
22.1.1 NAT Definitions .....................................................................................374
22.1.2 What NAT Does ....................................................................................375
22.1.3 How NAT Works ...................................................................................375
22.1.4 NAT Application ....................................................................................376
22.1.5 Port Restricted Cone NAT ....................................................................377
22.1.6 NAT Mapping Types .............................................................................377
22.2 Using NAT ......................................................................................................378
22.2.1 SUA (Single User Account) Versus NAT ..............................................378
22.3 NAT Overview ..............................................................................................379
22.4 NAT Address Mapping .................................................................................380
22.4.1 NAT Address Mapping Edit ..................................................................382
22.5 Port Forwarding ..............................................................................................383
22.5.1 Default Server IP Address ....................................................................384
22.5.2 Port Forwarding: Services and Port Numbers ......................................384
22.5.3 Configuring Servers Behind Port Forwarding (Example) ......................384
22.5.4 NAT and Multiple WAN .........................................................................385
22.5.5 Port Translation ....................................................................................385
22.6 Port Forwarding .............................................................................................386
22.7 Port Triggering ..............................................................................................388
Chapter 23
Static Route ..........................................................................................................392
23.1 IP Static Route ............................................................................................392
23.2 IP Static Route ...............................................................................................392
23.2.1 IP Static Route Edit ..............................................................................394
Chapter 24
Policy Route ......................................................................................................... 396
24.1 Policy Route ..................................................................................................396
24.2 Benefits ..........................................................................................................396
24.3 Routing Policy ................................................................................................396
24.4 IP Routing Policy Setup .................................................................................397
24.5 Policy Route Edit ...........................................................................................398
Chapter 25
Bandwidth Management......................................................................................402
25.1 Bandwidth Management Overview ...............................................................402
25.2 Bandwidth Classes and Filters .......................................................................402
25.3 Proportional Bandwidth Allocation .................................................................403
25.4 Application-based Bandwidth Management ...................................................403
25.5 Subnet-based Bandwidth Management .........................................................403
25.6 Application and Subnet-based Bandwidth Management ...............................404
25.7 Scheduler .......................................................................................................404
25.7.1 Priority-based Scheduler ......................................................................404
25.7.2 Fairness-based Scheduler ....................................................................404
25.7.3 Maximize Bandwidth Usage .................................................................404
25.7.4 Reserving Bandwidth for Non-Bandwidth Class Traffic ........................405
25.7.5 Maximize Bandwidth Usage Example ..................................................405
25.7.5.1 Priority-based Allotment of Unused and Unbudgeted Bandwidth 406
25.7.5.2 Fairness-based Allotment of Unused and Unbudgeted Bandwidth ... 406
25.8 Bandwidth Borrowing .....................................................................................407
25.8.1 Bandwidth Borrowing Example .............................................................407
25.9 Maximize Bandwidth Usage With Bandwidth Borrowing ................................408
25.10 Configuring Summary ..................................................................................408
25.11 Configuring Class Setup .............................................................................410
25.11.1 Bandwidth Manager Class Configuration ...........................................411
25.11.2 Bandwidth Management Statistics ...................................................414
25.12 Configuring Monitor ...................................................................................415
Chapter 26
DNS........................................................................................................................ 418
26.1 DNS Overview ..............................................................................................418
26.2 DNS Server Address Assignment ..................................................................418
26.3 DNS Servers ..................................................................................................418
26.4 Address Record .............................................................................................419
26.4.1 DNS Wildcard .......................................................................................419
26.5 Name Server Record .....................................................................................419
26.5.1 Private DNS Server ..............................................................................419
26.6 System Screen ...............................................................................................420
26.6.1 Adding an Address Record ..................................................................422
26.6.2 Inserting a Name Server record ...........................................................423
26.7 DNS Cache ..................................................................................................424
26.8 Configure DNS Cache ....................................................................................425
26.9 Configuring DNS DHCP ...............................................................................426
26.10 Dynamic DNS .............................................................................................428
26.10.1 DYNDNS Wildcard ..............................................................................428
26.10.2 High Availability ..................................................................................428
26.11 Configuring Dynamic DNS ...........................................................................428
Chapter 27
Remote Management ........................................................................................... 432
27.1 Remote Management Overview .....................................................................432
27.1.1 Remote Management Limitations .........................................................432
27.1.2 System Timeout ....................................................................................433
27.2 Introduction to HTTPS ....................................................................................433
27.3 WWW ...........................................................................................................434
27.4 HTTPS Example ............................................................................................436
27.4.1 Internet Explorer Warning Messages ...................................................436
27.4.2 Netscape Navigator Warning Messages ...............................................437
27.4.3 Avoiding the Browser Warning Messages ............................................438
27.4.4 Login Screen .........................................................................................438
27.5 SSH .............................................................................................................441
27.6 How SSH works .............................................................................................441
27.7 SSH Implementation on the ZyWALL .............................................................442
27.7.1 Requirements for Using SSH ................................................................443
27.8 Configuring SSH ............................................................................................443
27.9 Secure Telnet Using SSH Examples ..............................................................444
27.9.1 Example 1: Microsoft Windows .............................................................444
27.9.2 Example 2: Linux ..................................................................................444
27.10 Secure FTP Using SSH Example ................................................................445
27.11 Telnet ..........................................................................................................446
27.12 Configuring TELNET ....................................................................................446
27.13 FTP ............................................................................................................447
27.14 SNMP .........................................................................................................448
27.14.1 Supported MIBs .................................................................................450
27.14.2 SNMP Traps .......................................................................................450
27.14.3 REMOTE MANAGEMENT: SNMP ......................................................450
27.15 DNS ............................................................................................................452
27.16 Introducing Vantage CNM ...........................................................................452
27.17 Configuring CNM ..........................................................................................453
Chapter 28
UPnP...................................................................................................................... 456
28.1 Universal Plug and Play Overview ...............................................................456
28.1.1 How Do I Know If I'm Using UPnP? ......................................................456
28.1.2 NAT Traversal .......................................................................................456
28.1.3 Cautions with UPnP ..............................................................................456
28.1.4 UPnP and ZyXEL ..................................................................................457
28.2 Configuring UPnP ..........................................................................................457
28.3 Displaying UPnP Port Mapping ...................................................................458
28.4 Installing UPnP in Windows Example ............................................................459
28.4.1 Installing UPnP in Windows Me ............................................................460
28.4.2 Installing UPnP in Windows XP ............................................................461
28.5 Using UPnP in Windows XP Example ...........................................................461
28.5.1 Auto-discover Your UPnP-enabled Network Device .............................462
28.5.2 Web Configurator Easy Access ............................................................463
Chapter 29
ALG Screen........................................................................................................... 466
29.1 ALG Introduction ...........................................................................................466
29.1.1 ALG and NAT ........................................................................................466
29.1.2 ALG and the Firewall ............................................................................466
29.1.3 ALG and Multiple WAN .........................................................................466
29.2 FTP ................................................................................................................467
29.3 H.323 ..............................................................................................................467
29.4 RTP ................................................................................................................467
29.4.1 H.323 ALG Details ................................................................................467
29.5 SIP .................................................................................................................469
29.5.1 STUN ....................................................................................................469
29.5.2 SIP ALG Details ....................................................................................469
29.5.3 SIP Signaling Session Timeout ............................................................470
29.5.4 SIP Audio Session Timeout ..................................................................470
29.6 ALG Screen ....................................................................................................470
Chapter 30
Logs Screens........................................................................................................ 472
30.1 Configuring View Log ....................................................................................472
30.2 Log Description Example ...............................................................................473
30.2.1 Certificate Not Trusted Log Note ..........................................................474
30.3 Configuring Log Settings ...............................................................................475
30.4 Configuring Reports ......................................................................................478
30.4.1 Viewing Web Site Hits ...........................................................................480
30.4.2 Viewing Protocol/Port ...........................................................................480
30.4.3 Viewing Host IP Address ......................................................................482
30.4.4 Reports Specifications ..........................................................................483
Chapter 31
Maintenance ......................................................................................................... 484
31.1 Maintenance Overview ...................................................................................484
31.2 General Setup ................................................................................................484
31.2.1 General Setup and System Name ........................................................484
31.2.2 General Setup .......................................................................................484
31.3 Configuring Password ...................................................................................485
31.4 Time and Date ...............................................................................................486
31.5 Pre-defined NTP Time Servers List ................................................................489
31.5.1 Resetting the Time ................................................................................489
31.5.2 Time Server Synchronization ................................................................489
31.6 Introduction To Transparent Bridging .............................................................491
31.7 Transparent Firewalls .....................................................................................491
31.8 Configuring Device Mode (Router) ................................................................492
31.9 Configuring Device Mode (Bridge) ................................................................493
31.10 F/W Upload Screen .....................................................................................494
31.11 Backup and Restore ....................................................................................496
31.11.1 Backup Configuration .........................................................................497
31.11.2 Restore Configuration ........................................................................497
31.11.3 Back to Factory Defaults ....................................................................499
31.12 Restart Screen ............................................................................................499
Chapter 32
Introducing the SMT ............................................................................................500
32.1 Introduction to the SMT ..................................................................................500
32.2 Accessing the SMT via the Console Port .......................................................500
32.2.1 Initial Screen .........................................................................................500
32.2.2 Entering the Password ..........................................................................501
32.3 Navigating the SMT Interface .........................................................................501
32.3.1 Main Menu ............................................................................................502
32.3.2 SMT Menus Overview ..........................................................................504
32.4 Changing the System Password ....................................................................506
32.5 Resetting the ZyWALL ...................................................................................507
Chapter 33
SMT Menu 1 - General Setup............................................................................... 508
33.1 Introduction to General Setup ........................................................................508
33.2 Configuring General Setup .............................................................................508
33.2.1 Configuring Dynamic DNS ....................................................................510
33.2.1.1 Editing DDNS Host ......................................................................510
Chapter 34
WAN and Dial Backup Setup ............................................................................... 514
34.1 Introduction to WAN and Dial Backup Setup ..................................................514
34.2 WAN Setup .....................................................................................................514
34.3 Dial Backup ....................................................................................................515
34.4 Configuring Dial Backup in Menu 2 ................................................................515
34.5 Advanced WAN Setup ....................................................................................516
34.6 Remote Node Profile (Backup ISP) ................................................................518
34.7 Editing PPP Options .......................................................................................520
34.8 Editing TCP/IP Options ..................................................................................521
34.9 Editing Login Script ........................................................................................523
34.10 Remote Node Filter ......................................................................................525
Chapter 35
LAN Setup.............................................................................................................526
35.1 Introduction to LAN Setup ..............................................................................526
35.2 Accessing the LAN Menus .............................................................................526
35.3 LAN Port Filter Setup .....................................................................................526
35.4 TCP/IP and DHCP Ethernet Setup Menu ......................................................527
35.4.1 IP Alias Setup .......................................................................................530
Chapter 36
Internet Access .................................................................................................... 532
36.1 Introduction to Internet Access Setup ............................................................532
36.2 Ethernet Encapsulation ..................................................................................532
36.3 Configuring the PPTP Client ..........................................................................534
36.4 Configuring the PPPoE Client ........................................................................534
36.5 Basic Setup Complete ....................................................................................535
Chapter 37
DMZ Setup ............................................................................................................ 536
37.1 Configuring DMZ Setup ..................................................................................536
37.2 DMZ Port Filter Setup ....................................................................................536
37.3 TCP/IP Setup .................................................................................................536
37.3.1 IP Address ............................................................................................537
37.3.2 IP Alias Setup .......................................................................................538
Chapter 38
Route Setup .......................................................................................................... 540
38.1 Configuring Route Setup ................................................................................540
38.2 Route Assessment .........................................................................................540
38.3 Traffic Redirect ...............................................................................................541
38.4 Route Failover ................................................................................................542
Chapter 39
Wireless Setup ..................................................................................................... 544
39.1 Wireless LAN Setup .......................................................................................544
39.1.1 MAC Address Filter Setup ....................................................................546
39.2 TCP/IP Setup .................................................................................................547
39.2.1 IP Address ............................................................................................547
39.2.2 IP Alias Setup .......................................................................................548
Chapter 40
Remote Node Setup ............................................................................................. 550
40.1 Introduction to Remote Node Setup ...............................................................550
40.2 Remote Node Setup .......................................................................................550
40.3 Remote Node Profile Setup ...........................................................................551
40.3.1 Ethernet Encapsulation .........................................................................551
40.3.2 PPPoE Encapsulation ...........................................................................553
40.3.2.1 Outgoing Authentication Protocol ................................................553
40.3.2.2 Nailed-Up Connection .................................................................553
40.3.2.3 Metric ..........................................................................................554
40.3.3 PPTP Encapsulation .............................................................................554
40.4 Edit IP .............................................................................................................555
40.5 Remote Node Filter ........................................................................................557
40.6 Traffic Redirect ...............................................................................................558
Chapter 41
IP Static Route Setup...........................................................................................560
41.1 IP Static Route Setup .....................................................................................560
Chapter 42
Network Address Translation (NAT)................................................................... 562
42.1 Using NAT ......................................................................................................562
42.1.1 SUA (Single User Account) Versus NAT ..............................................562
42.1.2 Applying NAT ........................................................................................562
42.2 NAT Setup ......................................................................................................564
42.2.1 Address Mapping Sets ..........................................................................565
42.2.1.1 SUA Address Mapping Set .........................................................565
42.2.1.2 User-Defined Address Mapping Sets ..........................................566
42.2.1.3 Ordering Your Rules ....................................................................567
42.3 Configuring a Server behind NAT ..................................................................569
42.4 General NAT Examples ..................................................................................572
42.4.1 Internet Access Only .............................................................................572
42.4.2 Example 2: Internet Access with a Default Server ................................574
42.4.3 Example 3: Multiple Public IP Addresses With Inside Servers .............574
42.4.4 Example 4: NAT Unfriendly Application Programs ...............................578
42.5 Trigger Port Forwarding .................................................................................579
42.5.1 Two Points To Remember About Trigger Ports .....................................579
Chapter 43
Introducing the ZyWALL Firewall .......................................................................582
43.1 Using ZyWALL SMT Menus ...........................................................................582
43.1.1 Activating the Firewall ...........................................................................582
Chapter 44
Filter Configuration..............................................................................................584
44.1 Introduction to Filters ......................................................................................584
44.1.1 The Filter Structure of the ZyWALL ......................................................585
44.2 Configuring a Filter Set ..................................................................................587
44.2.1 Configuring a Filter Rule .......................................................................588
44.2.2 Configuring a TCP/IP Filter Rule ..........................................................589
44.2.3 Configuring a Generic Filter Rule .........................................................591
44.3 Example Filter ................................................................................................593
44.4 Filter Types and NAT ......................................................................................595
44.5 Firewall Versus Filters ....................................................................................595
44.6 Applying a Filter ............................................................................................596
44.6.1 Applying LAN Filters .............................................................................596
44.6.2 Applying DMZ Filters ............................................................................596
44.6.3 Applying Remote Node Filters ..............................................................597
Chapter 45
SNMP Configuration ............................................................................................598
45.1 SNMP Configuration ......................................................................................598
45.2 SNMP Traps ...................................................................................................599
Chapter 46
System Information & Diagnosis........................................................................ 600
46.1 Introduction to System Status ........................................................................600
46.2 System Status ................................................................................................600
46.3 System Information and Console Port Speed ................................................602
46.3.1 System Information ...............................................................................602
46.3.2 Console Port Speed ..............................................................................603
46.4 Log and Trace ................................................................................................604
46.4.1 Viewing Error Log .................................................................................604
46.4.2 Syslog Logging .....................................................................................605
46.4.3 Call-Triggering Packet ..........................................................................608
46.5 Diagnostic ......................................................................................................608
46.5.1 WAN DHCP ..........................................................................................609
Chapter 47
Firmware and Configuration File Maintenance ................................................. 612
47.1 Introduction ....................................................................................................612
47.2 Filename Conventions ...................................................................................612
47.3 Backup Configuration .....................................................................................613
47.3.1 Backup Configuration ...........................................................................613
47.3.2 Using the FTP Command from the Command Line ..............................614
47.3.3 Example of FTP Commands from the Command Line .........................615
47.3.4 GUI-based FTP Clients .........................................................................615
47.3.5 File Maintenance Over WAN ................................................................615
47.3.6 Backup Configuration Using TFTP .......................................................616
47.3.7 TFTP Command Example ....................................................................616
47.3.8 GUI-based TFTP Clients ......................................................................617
47.3.9 Backup Via Console Port ......................................................................617
47.4 Restore Configuration ....................................................................................618
47.4.1 Restore Using FTP ...............................................................................618
47.4.2 Restore Using FTP Session Example ..................................................620
47.4.3 Restore Via Console Port .....................................................................620
47.5 Uploading Firmware and Configuration Files .................................................621
47.5.1 Firmware File Upload ............................................................................621
47.5.2 Configuration File Upload .....................................................................622
47.5.3 FTP File Upload Command from the DOS Prompt Example ................623
47.5.4 FTP Session Example of Firmware File Upload ...................................623
47.5.5 TFTP File Upload ..................................................................................623
47.5.6 TFTP Upload Command Example ........................................................624
47.5.7 Uploading Via Console Port ..................................................................624
47.5.8 Uploading Firmware File Via Console Port ...........................................624
47.5.9 Example Xmodem Firmware Upload Using HyperTerminal ..................625
47.5.10 Uploading Configuration File Via Console Port ..................................625
47.5.11 Example Xmodem Configuration Upload Using HyperTerminal .........626
Chapter 48
System Maintenance Menus 8 to 10...................................................................628
48.1 Command Interpreter Mode ...........................................................................628
48.1.1 Command Syntax .................................................................................628
48.1.2 Command Usage ..................................................................................629
48.2 Call Control Support .......................................................................................630
48.2.1 Budget Management ............................................................................630
48.2.2 Call History ...........................................................................................631
48.3 Time and Date Setting ....................................................................................632
Chapter 49
Remote Management ........................................................................................... 636
49.1 Remote Management .....................................................................................636
49.1.1 Remote Management Limitations .........................................................638
Chapter 50
IP Policy Routing.................................................................................................. 640
50.1 IP Routing Policy Summary ...........................................................................640
50.2 IP Routing Policy Setup .................................................................................641
50.2.1 Applying Policy to Packets ....................................................................643
50.3 IP Policy Routing Example .............................................................................644
Chapter 51
Call Scheduling ....................................................................................................648
51.1 Introduction to Call Scheduling ......................................................................648
Chapter 52
Troubleshooting ...................................................................................................652
52.1 Problems Starting Up the ZyWALL .................................................................652
52.2 Problems with the LAN Interface ....................................................................652
52.3 Problems with the DMZ Interface ...................................................................653
52.4 Problems with the WAN Interface ..................................................................653
52.5 Problems Accessing the ZyWALL ..................................................................654
52.5.1 Pop-up Windows, JavaScripts and Java Permissions ..........................654
52.5.1.1 Internet Explorer Pop-up Blockers ..............................................655
52.5.1.2 JavaScripts ..................................................................................658
52.5.1.3 Java Permissions ........................................................................660
52.6 Packet Flow ....................................................................................................662
Appendix A
Product Specifications ........................................................................................ 664
Appendix B
Hardware Installation........................................................................................... 672
Appendix C
Removing and Installing a Fuse ........................................................................ 676
Appendix D
Setting up Your Computer’s IP Address............................................................ 678
Appendix E
IP Subnetting ........................................................................................................ 694
Appendix F
PPPoE ................................................................................................................... 702
Appendix G
PPTP......................................................................................................................704
Appendix H
Wireless LANs ...................................................................................................... 708
Appendix I
Triangle Route ...................................................................................................... 722
Appendix J
Windows 98 SE/Me Requirements for Anti-Virus Message Display................ 726
Appendix K
VPN Setup............................................................................................................. 730
Appendix L
Importing Certificates .......................................................................................... 742
Appendix M
Command Interpreter........................................................................................... 754
Appendix N
Firewall Commands ............................................................................................. 756
Appendix O
NetBIOS Filter Commands .................................................................................. 762
Appendix P
Certificates Commands ....................................................................................... 766
Appendix Q
Brute-Force Password Guessing Protection..................................................... 770
Appendix R
Boot Commands ..................................................................................................772
Appendix S
Log Descriptions.................................................................................................. 774
Index...................................................................................................................... 798

List of Figures

Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem ................................ 62
Figure 2 VPN Application .................................................................................................... 63
Figure 3 ZyWALL 70 Front Panel ........................................................................................ 63
Figure 4 ZyWALL 35 Front Panel ........................................................................................ 63
Figure 5 ZyWALL 5 Front Panel .......................................................................................... 63
Figure 6 Change Password Screen .................................................................................... 67
Figure 7 Replace Certificate Screen ................................................................................... 67
Figure 8 Example Xmodem Upload .................................................................................... 68
Figure 9 Web Configurator HOME Screen in Router Mode ................................................ 69
Figure 10 Web Configurator HOME Screen in Bridge Mode .............................................. 72
Figure 11 Home : Show Statistics ....................................................................................... 79
Figure 12 Home : Show Statistics: Line Chart ..................................................................... 80
Figure 13 Home : DHCP Table ............................................................................................ 81
Figure 14 Home : VPN Status ............................................................................................. 83
Figure 15 ISP Parameters : Ethernet Encapsulation .......................................................... 85
Figure 16 ISP Parameters : PPPoE Encapsulation ............................................................ 86
Figure 17 ISP Parameters: PPTP Encapsulation ................................................................ 88
Figure 18 Internet Access Wizard: Second Screen ............................................................ 89
Figure 19 Internet Access Setup Complete ........................................................................ 90
Figure 20 Internet Access Wizard: Registration .................................................................. 90
Figure 21 Internet Access Wizard: Registration in Progress ............................................... 91
Figure 22 Internet Access Wizard: Status ........................................................................... 92
Figure 23 Internet Access Wizard: Registration Failed ....................................................... 92
Figure 24 Internet Access Wizard: Registered Device ........................................................ 92
Figure 25 Internet Access Wizard: Activated Services ....................................................... 93
Figure 26 VPN Wizard: Gateway Setting ............................................................................ 93
Figure 27 VPN Wizard: Network Setting ............................................................................. 95
Figure 28 VPN Wizard: IKE Tunnel Setting ......................................................................... 96
Figure 29 VPN Wizard: IPSec Setting ................................................................................. 98
Figure 30 VPN Wizard: VPN Status .................................................................................... 100
Figure 31 VPN Wizard Setup Complete .............................................................................. 102
Figure 32 Registration .........................................................................................................105
Figure 33 Registration: Registered Device ......................................................................... 107
Figure 34 Registration: Service ........................................................................................... 107
Figure 35 LAN ..................................................................................................................... 113
Figure 36 LAN Static DHCP ................................................................................................ 115
Figure 37 Physical Network & Partitioned Logical Networks .............................................. 116
Figure 38 LAN IP Alias ........................................................................................................ 117
Figure 39 WLAN Port Role Example .................................................................................. 118
Figure 40 LAN Port Roles ................................................................................................... 119
Figure 41 Port Roles Change Complete ............................................................................. 120
Figure 42 Bridge Loop: Bridge Connected to Wired LAN ................................................... 122
Figure 43 Bridge .................................................................................................................. 125
Figure 44 WLAN Port Role Example .................................................................................. 127
Figure 45 Bridge Port Roles ................................................................................................ 127
Figure 46 Port Roles Change Complete ............................................................................. 128
Figure 47 Least Load First Example .................................................................................. 132
Figure 48 Weighted Round Robin Algorithm Example ........................................................ 133
Figure 49 Spillover Algorithm Example ............................................................................... 134
Figure 50 WAN General ...................................................................................................... 135
Figure 51 Load Balancing: Least Load First ....................................................................... 138
Figure 52 Load Balancing: Weighted Round Robin ............................................................ 139
Figure 53 Load Balancing: Spillover .................................................................................... 140
Figure 54 WAN Route ......................................................................................................... 141
Figure 55 WAN: Ethernet Encapsulation ............................................................................. 144
Figure 56 WAN: PPPoE Encapsulation ............................................................................... 147
Figure 57 WAN: PPTP Encapsulation ................................................................................. 150
Figure 58 Traffic Redirect WAN Setup ................................................................................ 153
Figure 59 Traffic Redirect LAN Setup ................................................................................. 154
Figure 60 Traffic Redirect .................................................................................................... 154
Figure 61 Dial Backup ......................................................................................................... 156
Figure 62 Advanced Setup .................................................................................................. 160
Figure 63 DMZ .................................................................................................................... 163
Figure 64 DMZ Static DHCP ............................................................................................... 166
Figure 65 DMZ: IP Alias ...................................................................................................... 167
Figure 66 DMZ Public Address Example ............................................................................ 169
Figure 67 DMZ Private and Public Address Example ......................................................... 170
Figure 68 WLAN Port Role Example .................................................................................. 171
Figure 69 DMZ: Port Roles ................................................................................................. 172
Figure 70 WLAN .................................................................................................................. 175
Figure 71 WLAN Static DHCP ............................................................................................. 178
Figure 72 WLAN IP Alias .................................................................................................... 179
Figure 73 WLAN Port Role Example .................................................................................. 180
Figure 74 WLAN Port Roles ................................................................................................ 181
Figure 75 WLAN Port Roles Change Complete .................................................................. 182
Figure 76 ZyWALL Wireless Security Levels ...................................................................... 183
Figure 77 EAP Authentication ............................................................................................. 186
Figure 78 WPA-PSK Authentication .................................................................................... 189
Figure 79 WPA with RADIUS Application Example ............................................................ 190
Figure 80 Wireless Card: No Security ................................................................................. 191
Figure 81 Wireless Card: Static WEP ................................................................................. 193
Figure 82 Wireless Card: WPA-PSK ................................................................................... 194
Figure 83 Wireless Card: WPA ........................................................................................... 195
Figure 84 Wireless Card: 802.1x + Dynamic WEP ............................................................. 196
Figure 85 Wireless Card: 802.1x + Static WEP ................................................................... 197
Figure 86 Wireless Card: 802.1x + No WEP ....................................................................... 198
Figure 87 Wireless Card: No Access 802.1x + Static WEP ................................................ 199
Figure 88 Wireless Card: MAC Address Filter .................................................................... 201
Figure 89 ZyWALL Firewall Application .............................................................................. 204
Figure 90 Three-Way Handshake ....................................................................................... 205
Figure 91 SYN Flood ........................................................................................................... 206
Figure 92 Smurf Attack ....................................................................................................... 207
Figure 93 Stateful Inspection ............................................................................................... 209
Figure 94 LAN to WAN Traffic ............................................................................................. 218
Figure 95 WAN to LAN Traffic ............................................................................................. 218
Figure 96 Default Rule (Router Mode) ................................................................................ 219
Figure 97 Default Rule (Bridge Mode) ................................................................................ 221
Figure 98 Rule Summary .................................................................................................... 222
Figure 99 Firewall Edit Rule ................................................................................................ 224
Figure 100 Anti-Probing ...................................................................................................... 226
Figure 101 Firewall Threshold ............................................................................................. 229
Figure 102 Firewall Service ................................................................................................. 231
Figure 103 Firewall Edit Custom Service ............................................................................ 232
Figure 104 Service .............................................................................................................. 236
Figure 105 Edit Custom Service Example .......................................................................... 236
Figure 106 Rule Summary .................................................................................................. 237
Figure 107 Rule Edit Example ............................................................................................ 237
Figure 108 My Service Rule Configuration ......................................................................... 238
Figure 109 My Service Example Rule Summary ................................................................ 239
Figure 110 Network Intrusions ........................................................................................... 240
Figure 111 Applying IDP to Interfaces ................................................................................. 245
Figure 112 IDP: General ..................................................................................................... 246
Figure 113 Attack Types ...................................................................................................... 247
Figure 114 Signature Actions .............................................................................................. 249
Figure 115 IDP: Signatures ................................................................................................. 250
Figure 116 Signature Query by Partial Name ..................................................................... 252
Figure 117 Signature Query by Complete ID ...................................................................... 253
Figure 118 Signature Query by Attribute ............................................................................. 254
Figure 119 Signatures Update ............................................................................................ 255
Figure 120 IDP: Backup & Restore ..................................................................................... 257
Figure 121 ZyWALL Anti-virus Example .......................................................................... 260
Figure 122 Anti-Virus: General ........................................................................................... 261
Figure 123 Anti-Virus: Update ............................................................................................. 264
Figure 124 Anti-spam External Database Example ............................................................ 268
Figure 125 Anti-Spam: General ........................................................................................... 270
Figure 126 Anti-Spam: External DB .................................................................................... 272
Figure 127 Anti-Spam: Lists ................................................................................................ 274
Figure 128 Anti-Spam Rule Edit ......................................................................................... 275
Figure 129 Content Filter : General ..................................................................................... 279
Figure 130 Content Filtering Lookup Procedure ................................................................. 281
Figure 131 Content Filter : Categories ................................................................................ 282
Figure 132 Content Filter: Customization ............................................................................ 288
Figure 133 Content Filter: Cache ........................................................................................ 291
Figure 134 myZyXEL.com: Login ........................................................................................ 295
Figure 135 myZyXEL.com: Welcome .................................................................................. 295
Figure 136 myZyXEL.com: Service Management ............................................................... 296
Figure 137 Blue Coat: Login ............................................................................................... 296
Figure 138 Content Filtering Reports Main Screen ............................................................. 297
Figure 139 Blue Coat: Report Home ................................................................................... 297
Figure 140 Global Report Screen Example ........................................................................ 298
Figure 141 Requested URLs Example ................................................................................ 299
Figure 142 Web Page Review Process Screen .................................................................. 300
Figure 143 Encryption and Decryption ................................................................................ 303
Figure 144 IPSec Architecture ............................................................................................ 304
Figure 145 Transport and Tunnel Mode IPSec Encapsulation ............................................ 305
Figure 146 NAT Router Between IPSec Routers ................................................................ 311
Figure 147 Two Phases to Set Up the IPSec SA ................................................................ 313
Figure 148 VPN Rules (IKE) ............................................................................................... 316
Figure 149 Gateway and Network Policies ........................................................................ 317
Figure 150 IPSec Fields Summary ................................................................................... 317
Figure 151 VPN Rules (IKE): Gateway Policy: Edit .......................................................... 319
Figure 152 VPN Rules (IKE): Network Policy Edit ............................................................. 325
Figure 153 VPN Rules (IKE): Network Policy Move ........................................................... 329
Figure 154 VPN Rules (Manual) ........................................................................................ 330
Figure 155 VPN Rules (Manual): Edit ................................................................................ 332
Figure 156 VPN: SA Monitor ............................................................................................... 335
Figure 157 VPN: Global Setting .......................................................................................... 336
Figure 158 Telecommuters Sharing One VPN Rule Example ............................................. 338
Figure 159 Telecommuters Using Unique VPN Rules Example ......................................... 339
Figure 160 Certificate Configuration Overview ................................................................... 343
Figure 161 My Certificates ................................................................................................. 344
Figure 162 My Certificate Import ......................................................................................... 347
Figure 163 My Certificate Create ........................................................................................ 348
Figure 164 My Certificate Details ........................................................................................ 351
Figure 165 Trusted CAs ...................................................................................................... 354
Figure 166 Trusted CA Import ............................................................................................. 355
Figure 167 Trusted CA Details ............................................................................................ 357
Figure 168 Trusted Remote Hosts ...................................................................................... 360
Figure 169 Remote Host Certificates .................................................................................. 361
Figure 170 Certificate Details ............................................................................................. 362
Figure 171 Trusted Remote Host Import ............................................................................. 363
Figure 172 Trusted Remote Host Details ............................................................................ 364
Figure 173 Directory Servers .............................................................................................. 366
Figure 174 Directory Server Add ......................................................................................... 367
Figure 175 Local User Database ........................................................................................ 371
Figure 176 RADIUS ............................................................................................................ 372
Figure 177 How NAT Works ................................................................................................ 376
Figure 178 NAT Application With IP Alias ........................................................................... 376
Figure 179 Port Restricted Cone NAT Example .................................................................. 377
Figure 180 NAT Overview ................................................................................................... 379
Figure 181 NAT Address Mapping ...................................................................................... 381
Figure 182 NAT Address Mapping Edit ............................................................................... 382
Figure 183 Multiple Servers Behind NAT Example ............................................................. 385
Figure 184 Port Translation Example .................................................................................. 386
Figure 185 Port Forwarding ................................................................................................ 387
Figure 186 Trigger Port Forwarding Process: Example ...................................................... 388
Figure 187 Port Triggering .................................................................................................. 389
Figure 188 Example of Static Routing Topology ................................................................. 392
Figure 189 IP Static Route .................................................................................................. 393
Figure 190 IP Static Route Edit ........................................................................................... 394
Figure 191 Policy Route Summary ..................................................................................... 397
Figure 192 Edit IP Policy Route .......................................................................................... 399
Figure 193 Subnet-based Bandwidth Management Example ............................................. 403
Figure 194 Bandwidth Management: Summary .................................................................. 409
Figure 195 Bandwidth Management: Class Setup .............................................................. 410
Figure 196 Bandwidth Management: Edit Class ................................................................. 412
Figure 197 Bandwidth Management: Statistics ................................................................... 415
Figure 198 Bandwidth Management: Monitor .................................................................... 416
Figure 199 Private DNS Server Example ............................................................................ 420
Figure 200 System DNS ..................................................................................................... 421
Figure 201 System DNS: Add Address Record .................................................................. 422
Figure 202 System DNS: Insert Name Server Record ........................................................ 423
Figure 203 DNS Cache ....................................................................................................... 425
Figure 204 DNS DHCP ....................................................................................................... 427
Figure 205 DDNS ................................................................................................................ 429
Figure 206 HTTPS Implementation ..................................................................................... 434
Figure 207 WWW ................................................................................................................ 435
Figure 208 Security Alert Dialog Box (Internet Explorer) .................................................... 436
Figure 209 Security Certificate 1 (Netscape) ...................................................................... 437
Figure 210 Security Certificate 2 (Netscape) ...................................................................... 437
Figure 211 Login Screen (Internet Explorer) ....................................................................... 439
Figure 212 Login Screen (Netscape) .................................................................................. 439
Figure 213 Replace Certificate ............................................................................................ 440
Figure 214 Device-specific Certificate ................................................................................. 440
Figure 215 Common ZyWALL Certificate ............................................................................ 441
Figure 216 SSH Communication Example .......................................................................... 441
Figure 217 How SSH Works ............................................................................................... 442
Figure 218 SSH ................................................................................................................... 443
Figure 219 SSH Example 1: Store Host Key ....................................................................... 444
Figure 220 SSH Example 2: Test ....................................................................................... 445
Figure 221 SSH Example 2: Log in ..................................................................................... 445
Figure 222 Secure FTP: Firmware Upload Example .......................................................... 446
Figure 223 Telnet Configuration on a TCP/IP Network ....................................................... 446
Figure 224 Telnet ................................................................................................................ 447
Figure 225 FTP ................................................................................................................... 448
Figure 226 SNMP Management Model ............................................................................... 449
Figure 227 SNMP ................................................................................................................ 451
Figure 228 DNS .................................................................................................................. 452
Figure 229 CNM .................................................................................................................. 453
Figure 230 UPnP ................................................................................................................. 457
Figure 231 UPnP Ports ....................................................................................................... 458
Figure 232 H.323 ALG Example ........................................................................................ 468
Figure 233 H.323 with Multiple WAN IP Addresses ............................................................ 468
Figure 234 H.323 Calls from the WAN with Multiple Outgoing Calls ................................... 469
Figure 235 SIP ALG Example ............................................................................................ 470
Figure 236 ALG .................................................................................................................. 471
Figure 237 View Log ........................................................................................................... 472
Figure 238 myZyXEL.com: Download Center ..................................................................... 474
Figure 239 myZyXEL.com: Certificate Download ............................................................... 475
Figure 240 Log Settings ...................................................................................................... 476
Figure 241 Reports .............................................................................................................. 479
Figure 242 Web Site Hits Report Example ......................................................................... 480
Figure 243 Protocol/Port Report Example .......................................................................... 481
Figure 244 Host IP Address Report Example ..................................................................... 482
Figure 245 General Setup ................................................................................................... 485
Figure 246 Password Setup ................................................................................................ 486
Figure 247 Time and Date ................................................................................................... 487
Figure 248 Synchronization in Process ............................................................................... 490
Figure 249 Synchronization is Successful .......................................................................... 490
Figure 250 Synchronization Fail .......................................................................................... 490
Figure 251 Device Mode (Router Mode) ............................................................................. 492
Figure 252 Device Mode (Bridge Mode) ............................................................................. 493
Figure 253 Firmware Upload ............................................................................................... 495
Figure 254 Firmware Upload In Process ............................................................................. 495
Figure 255 Network Temporarily Disconnected .................................................................. 496
Figure 256 Firmware Upload Error ...................................................................................... 496
Figure 257 Backup and Restore ......................................................................................... 497
Figure 258 Configuration Upload Successful ...................................................................... 498
Figure 259 Network Temporarily Disconnected .................................................................. 498
Figure 260 Configuration Upload Error ............................................................................... 498
Figure 261 Reset Warning Message ................................................................................... 499
Figure 262 Restart Screen .................................................................................................. 499
Figure 263 Initial Screen ..................................................................................................... 501
Figure 264 Password Screen ............................................................................................. 501
Figure 265 Main Menu (Router Mode) ................................................................................ 503
Figure 266 Main Menu (Bridge Mode) ................................................................................ 503
Figure 267 Menu 23: System Password ............................................................................. 507
Figure 268 Menu 1: General Setup (Router Mode) ............................................................. 508
Figure 269 Menu 1: General Setup (Bridge Mode) ............................................................. 509
Figure 270 Menu 1.1: Configure Dynamic DNS .................................................................. 510
Figure 271 Menu 1.1.1: DDNS Host Summary ................................................................... 511
Figure 272 Menu 1.1.1: DDNS Edit Host ............................................................................ 512
Figure 273 MAC Address Cloning in WAN Setup ............................................................... 514
Figure 274 Menu 2: Dial Backup Setup ............................................................................ 516
Figure 275 Menu 2.1: Advanced WAN Setup ..................................................................... 517
Figure 276 Menu 11.3: Remote Node Profile (Backup ISP) ............................................... 519
Figure 277 Menu 11.3.1: Remote Node PPP Options ........................................................ 521
Figure 278 Menu 11.3.2: Remote Node Network Layer Options ........................................ 522
Figure 279 Menu 11.3.3: Remote Node Script .................................................................... 524
Figure 280 Menu 11.3.4: Remote Node Filter ..................................................................... 525
Figure 281 Menu 3: LAN Setup ........................................................................................... 526
Figure 282 Menu 3.1: LAN Port Filter Setup ....................................................................... 527
Figure 283 Menu 3: TCP/IP and DHCP Setup ................................................................... 527
Figure 284 Menu 3.2: TCP/IP and DHCP Ethernet Setup .................................................. 528
Figure 285 Menu 3.2.1: IP Alias Setup ............................................................................... 530
Figure 286 Menu 4: Internet Access Setup (Ethernet) ........................................................ 532
Figure 287 Internet Access Setup (PPTP) .......................................................................... 534
Figure 288 Internet Access Setup (PPPoE) ........................................................................ 535
Figure 289 Menu 5: DMZ Setup ......................................................................................... 536
Figure 290 Menu 5.1: DMZ Port Filter Setup ...................................................................... 536
Figure 291 Menu 5: DMZ Setup .......................................................................................... 537
Figure 292 Menu 5.2: TCP/IP and DHCP Ethernet Setup .................................................. 537
Figure 293 Menu 5.2.1: IP Alias Setup ............................................................................... 538
Figure 294 Menu 6: Route Setup ........................................................................................ 540
Figure 295 Menu 6.1: Route Assessment ........................................................................... 540
Figure 296 Menu 6.2: Traffic Redirect ................................................................................. 541
Figure 297 Menu 6.3: Route Failover .................................................................................. 542
Figure 298 Menu 7.1: Wireless Setup ................................................................................. 544
Figure 299 Menu 7.1.1: WLAN MAC Address Filter ........................................................... 546
Figure 300 Menu 7: WLAN Setup ....................................................................................... 547
Figure 301 Menu 7.2: TCP/IP and DHCP Ethernet Setup .................................................. 548
Figure 302 Menu 7.2.1: IP Alias Setup ............................................................................... 549
Figure 303 Menu 11: Remote Node Setup .......................................................................... 551
Figure 304 Menu 11.1: Remote Node Profile for Ethernet Encapsulation ........................... 551
Figure 305 Menu 11.1: Remote Node Profile for PPPoE Encapsulation ............................. 553
Figure 306 Menu 11.1: Remote Node Profile for PPTP Encapsulation ............................... 555
Figure 307 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation ... 556
Figure 308 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation) ............................. 558
Figure 309 Menu 11.1.4: Remote Node Filter (PPPoE or PPTP Encapsulation) ................ 558
Figure 310 Menu 11.1.5: Traffic Redirect Setup .................................................................. 559
Figure 311 Menu 12: IP Static Route Setup ....................................................................... 560
Figure 312 Menu 12.1: Edit IP Static Route ....................................................................... 561
Figure 313 Menu 4: Applying NAT for Internet Access ....................................................... 563
Figure 314 Menu 11.1.2: Applying NAT to the Remote Node ............................................. 563
Figure 315 Menu 15: NAT Setup ......................................................................................... 564
Figure 316 Menu 15.1: Address Mapping Sets ................................................................... 565
Figure 317 Menu 15.1.255: SUA Address Mapping Rules ................................................. 565
Figure 318 Menu 15.1.1: First Set ....................................................................................... 567
Figure 319 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set ........................ 568
Figure 320 Menu 15.2: NAT Server Sets ............................................................................ 569
Figure 321 Menu 15.2.1: NAT Server Sets ......................................................................... 570
Figure 322 Menu 15.2.1.2: NAT Server Configuration ........................................................ 571
Figure 323 Menu 15.2.1: NAT Server Setup ...................................................................... 572
Figure 324 Server Behind NAT Example ............................................................................ 572
Figure 325 NAT Example 1 ................................................................................................. 573
Figure 326 Menu 4: Internet Access & NAT Example ......................................................... 573
Figure 327 NAT Example 2 ................................................................................................. 574
Figure 328 Menu 15.2.1: Specifying an Inside Server ........................................................ 574
Figure 329 NAT Example 3 ................................................................................................. 575
Figure 330 Example 3: Menu 11.1.2 ................................................................................... 576
Figure 331 Example 3: Menu 15.1.1.1 ................................................................................ 576
Figure 332 Example 3: Final Menu 15.1.1 .......................................................................... 577
Figure 333 Example 3: Menu 15.2.1 ................................................................................... 577
Figure 334 NAT Example 4 ................................................................................................. 578
Figure 335 Example 4: Menu 15.1.1.1: Address Mapping Rule .......................................... 578
Figure 336 Example 4: Menu 15.1.1: Address Mapping Rules ........................................... 579
Figure 337 Menu 15.3.1: Trigger Port Setup ....................................................................... 580
Figure 338 Menu 21: Filter and Firewall Setup ................................................................... 582
Figure 339 Menu 21.2: Firewall Setup ................................................................................ 583
Figure 340 Outgoing Packet Filtering Process .................................................................... 584
Figure 341 Filter Rule Process ............................................................................................ 586
Figure 342 Menu 21: Filter and Firewall Setup ................................................................... 587
Figure 343 Menu 21.1: Filter Set Configuration .................................................................. 587
Figure 344 Menu 21.1.1.1: TCP/IP Filter Rule .................................................................... 589
Figure 345 Executing an IP Filter ........................................................................................ 591
Figure 346 Menu 21.1.1.1: Generic Filter Rule ................................................................... 592
Figure 347 Telnet Filter Example ........................................................................................ 593
Figure 348 Example Filter: Menu 21.1.3.1 .......................................................................... 594
Figure 349 Example Filter Rules Summary: Menu 21.1.3 .................................................. 594
Figure 350 Protocol and Device Filter Sets ......................................................................... 595
Figure 351 Filtering LAN Traffic .......................................................................................... 596
Figure 352 Filtering DMZ Traffic .......................................................................................... 597
Figure 353 Filtering Remote Node Traffic ........................................................................... 597
Figure 354 Menu 22: SNMP Configuration ......................................................................... 598
Figure 355 Menu 24: System Maintenance ........................................................................ 600
Figure 356 Menu 24.1: System Maintenance: Status ........................................................ 601
Figure 357 Menu 24.2: System Information and Console Port Speed ................................ 602
Figure 358 Menu 24.2.1: System Maintenance: Information ............................................ 603
Figure 359 Menu 24.2.2: System Maintenance: Change Console Port Speed ................... 604
Figure 360 Menu 24.3: System Maintenance: Log and Trace ............................................ 604
Figure 361 Examples of Error and Information Messages .................................................. 605
Figure 362 Menu 24.3.2: System Maintenance: Syslog Logging ........................................ 605
Figure 363 Call-Triggering Packet Example ........................................................................ 608
Figure 364 Menu 24.4: System Maintenance: Diagnostic ................................................... 609
Figure 365 WAN & LAN DHCP ........................................................................................... 609
Figure 366 Telnet into Menu 24.5 ........................................................................................ 614
Figure 367 FTP Session Example ...................................................................................... 615
Figure 368 System Maintenance: Backup Configuration .................................................... 617
Figure 369 System Maintenance: Starting Xmodem Download Screen ............................. 617
Figure 370 Backup Configuration Example ......................................................................... 618
Figure 371 Successful Backup Confirmation Screen .......................................................... 618
Figure 372 Telnet into Menu 24.6 ........................................................................................ 619
Figure 373 Restore Using FTP Session Example ............................................................... 620
Figure 374 System Maintenance: Restore Configuration ................................................... 620
Figure 375 System Maintenance: Starting Xmodem Download Screen ............................. 620
Figure 376 Restore Configuration Example ........................................................................ 620
Figure 377 Successful Restoration Confirmation Screen ................................................... 621
Figure 378 Telnet Into Menu 24.7.1: Upload System Firmware .......................................... 622
Figure 379 Telnet Into Menu 24.7.2: System Maintenance ................................................ 622
Figure 380 FTP Session Example of Firmware File Upload ............................................... 623
Figure 381 Menu 24.7.1 As Seen Using the Console Port ................................................. 625
Figure 382 Example Xmodem Upload ................................................................................ 625
Figure 383 Menu 24.7.2 As Seen Using the Console Port ................................................ 626
Figure 384 Example Xmodem Upload ................................................................................ 626
Figure 385 Command Mode in Menu 24 ............................................................................. 628
Figure 386 Valid Commands ............................................................................................... 629
Figure 387 Call Control ....................................................................................................... 630
Figure 388 Budget Management ......................................................................................... 631
Figure 389 Call History ....................................................................................................... 632
Figure 390 Menu 24: System Maintenance ........................................................................ 633
Figure 391 Menu 24.10 System Maintenance: Time and Date Setting ............................... 633
Figure 392 Menu 24.11 – Remote Management Control .................................................... 637
Figure 393 Menu 25: Sample IP Routing Policy Summary ................................................. 640
Figure 394 Menu 25.1: IP Routing Policy Setup ................................................................. 642
Figure 395 Menu 25.1.1: IP Routing Policy Setup .............................................................. 644
Figure 396 Example of IP Policy Routing ............................................................................ 645
Figure 397 IP Routing Policy Example 1 ............................................................................. 645
Figure 398 IP Routing Policy Example 2 ............................................................................. 646
Figure 399 Schedule Setup ................................................................................................. 648
Figure 400 Schedule Set Setup .......................................................................................... 649
Figure 401 Applying Schedule Set(s) to a Remote Node (PPPoE) .................................... 650
Figure 402 Applying Schedule Set(s) to a Remote Node (PPTP) ....................................... 651
Figure 403 Pop-up Blocker ................................................................................................. 655
Figure 404 Internet Options: Privacy ................................................................................... 656
Figure 405 Internet Options: Privacy ................................................................................... 657
Figure 406 Pop-up Blocker Settings ................................................................................... 658
Figure 407 Internet Options: Security ................................................................................. 659
Figure 408 Security Settings - Java Scripting ..................................................................... 660
Figure 409 Security Settings - Java .................................................................................... 661
Figure 410 Java (Sun) ......................................................................................................... 662
Figure 411 WLAN Card Installation ..................................................................................... 669
Figure 412 Console/Dial Backup Port Pin Layout ............................................................... 669
Figure 413 Ethernet Cable Pin Assignments ...................................................................... 670
Figure 414 Attaching Rubber Feet .................................................................................... 673
Figure 415 Attaching Mounting Brackets and Screws ........................................................ 674
Figure 416 Rack Mounting .................................................................................................. 674
Figure 417 Windows 95/98/Me: Network: Configuration ..................................................... 679
Figure 418 Windows 95/98/Me: TCP/IP Properties: IP Address ......................................... 680
Figure 419 Windows 95/98/Me: TCP/IP Properties: DNS Configuration ............................ 681
Figure 420 Windows XP: Start Menu .................................................................................. 682
Figure 421 Windows XP: Control Panel .............................................................................. 682
Figure 422 Windows XP: Control Panel: Network Connections: Properties ....................... 683
Figure 423 Windows XP: Local Area Connection Properties .............................................. 683
Figure 424 Windows XP: Internet Protocol (TCP/IP) Properties ......................................... 684
Figure 425 Windows XP: Advanced TCP/IP Properties ...................................................... 685
Figure 426 Windows XP: Internet Protocol (TCP/IP) Properties ......................................... 686
Figure 427 Macintosh OS 8/9: Apple Menu ........................................................................ 687
Figure 428 Macintosh OS 8/9: TCP/IP ................................................................................ 687
Figure 429 Macintosh OS X: Apple Menu ........................................................................... 688
Figure 430 Macintosh OS X: Network ................................................................................. 689
Figure 431 Red Hat 9.0: KDE: Network Configuration: Devices ........................................ 690
Figure 432 Red Hat 9.0: KDE: Ethernet Device: General ................................................. 690
Figure 433 Red Hat 9.0: KDE: Network Configuration: DNS ............................................. 691
Figure 434 Red Hat 9.0: KDE: Network Configuration: Activate ....................................... 691
Figure 435 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0 .............................. 692
Figure 436 Red Hat 9.0: Static IP Address Setting in ifconfig-eth0 .................................. 692
Figure 437 Red Hat 9.0: DNS Settings in resolv.conf ...................................................... 692
Figure 438 Red Hat 9.0: Restart Ethernet Card ................................................................ 693
Figure 439 Red Hat 9.0: Checking TCP/IP Properties ...................................................... 693
Figure 440 Single-Computer per Router Hardware Configuration ...................................... 703
Figure 441 ZyWALL as a PPPoE Client .............................................................................. 703
Figure 442 Transport PPP frames over Ethernet ............................................................... 704
Figure 443 PPTP Protocol Overview .................................................................................. 705
Figure 444 Example Message Exchange between Computer and an ANT ........................ 706
Figure 445 Peer-to-Peer Communication in an Ad-hoc Network ........................................ 708
Figure 446 Basic Service Set .............................................................................................. 709
Figure 447 Infrastructure WLAN ......................................................................................... 710
Figure 448 RTS/CTS ........................................................................................................... 711
Figure 449 EAP Authentication ........................................................................................... 714
Figure 450 WEP Authentication Steps ................................................................................ 717
Figure 451 Roaming Example ............................................................................................. 720
Figure 452 Ideal Setup ........................................................................................................ 722
Figure 453 “Triangle Route” Problem .................................................................................. 723
Figure 454 IP Alias .............................................................................................................. 724
Figure 455 Gateways on the WAN Side .............................................................................. 724
Figure 456 Windows 98 SE: WinPopup ............................................................................ 726
Figure 457 Windows 98 SE: Program Task Bar ................................................................ 727
Figure 458 Windows 98 SE: Task Bar Properties .......................................................... 727
Figure 459 Windows 98 SE: StartUp ................................................................................. 728
Figure 460 Windows 98 SE: Startup: Create Shortcut ..................................................... 728
Figure 461 Windows 98 SE: Startup: Select a Title for the Program ................................ 729
Figure 462 Windows 98 SE: Startup: Shortcut .................................................................. 729
Figure 463 VPN Rules ........................................................................................................ 731
Figure 464 Headquarters Gateway Policy Edit ................................................................... 732
Figure 465 Branch Office Gateway Policy Edit ................................................................... 733
Figure 466 Headquarters VPN Rule ................................................................................... 734
Figure 467 Branch Office VPN Rule ................................................................................... 734
Figure 468 Headquarters Network Policy Edit .................................................................... 735
Figure 469 Branch Office Network Policy Edit .................................................................... 736
Figure 470 VPN Rule Configured ........................................................................................ 737
Figure 471 VPN Dial ........................................................................................................... 737
Figure 472 VPN Tunnel Established ................................................................................... 737
Figure 473 VPN Log Example ............................................................................................ 739
Figure 474 IKE/IPSec Debug Example .............................................................................. 740
Figure 475 Security Certificate ............................................................................................ 742
Figure 476 Login Screen ..................................................................................................... 743
Figure 477 Certificate General Information before Import ................................................... 743
Figure 478 Certificate Import Wizard 1 ............................................................................... 744
Figure 479 Certificate Import Wizard 2 ............................................................................... 744
Figure 480 Certificate Import Wizard 3 ............................................................................... 745
Figure 481 Root Certificate Store ........................................................................................ 745
Figure 482 Certificate General Information after Import ...................................................... 746
Figure 483 ZyWALL Trusted CA Screen ............................................................................. 747
Figure 484 CA Certificate Example ..................................................................................... 748
Figure 485 Personal Certificate Import Wizard 1 ................................................................ 749
Figure 486 Personal Certificate Import Wizard 2 ................................................................ 749
Figure 487 Personal Certificate Import Wizard 3 ................................................................ 750
Figure 488 Personal Certificate Import Wizard 4 ................................................................ 750
Figure 489 Personal Certificate Import Wizard 5 ................................................................ 751
Figure 490 Personal Certificate Import Wizard 6 ................................................................ 751
Figure 491 Access the ZyWALL Via HTTPS ....................................................................... 751
Figure 492 SSL Client Authentication ................................................................................. 752
Figure 493 ZyWALL Secure Login Screen .......................................................................... 752
Figure 494 Option to Enter Debug Mode ............................................................................ 772
Figure 495 Boot Module Commands .................................................................................. 773
Figure 496 Displaying Log Categories Example ................................................................. 796
Figure 497 Displaying Log Parameters Example ................................................................ 796

List of Tables

Table 1 Model Specific Features ........................................................................................ 54
Table 2 Front Panel LEDs .................................................................................................. 64
Table 3 Web Configurator HOME Screen in Router Mode ................................................. 70
Table 4 Web Configurator HOME Screen in Bridge Mode ................................................. 72
Table 5 Bridge and Router Mode Features Comparison .................................................... 74
Table 6 Screens Summary ................................................................................................. 75
Table 7 Home: Show Statistics ........................................................................................... 79
Table 8 Home: Show Statistics: Line Chart ........................................................................ 81
Table 9 Home: DHCP Table ............................................................................................... 82
Table 10 Home : VPN Status .............................................................................................. 83
Table 11 ISP Parameters : Ethernet Encapsulation ........................................................... 85
Table 12 ISP Parameters: PPPoE Encapsulation .............................................................. 86
Table 13 ISP Parameters : PPTP Encapsulation ............................................................... 88
Table 14 Internet Access Wizard: Registration .................................................................. 91
Table 15 VPN Wizard: Gateway Setting ............................................................................. 94
Table 16 VPN Wizard : Network Setting ............................................................................. 95
Table 17 VPN Wizard: IKE Tunnel Setting ......................................................................... 97
Table 18 VPN Wizard: IPSec Setting ................................................................................. 98
Table 19 VPN Wizard: VPN Status ..................................................................................... 100
Table 20 Registration ......................................................................................................... 106
Table 21 Service ................................................................................................................. 108
Table 22 LAN ...................................................................................................................... 113
Table 23 LAN Static DHCP ................................................................................................. 115
Table 24 LAN IP Alias ........................................................................................................ 117
Table 25 LAN Port Roles .................................................................................................... 119
Table 26 STP Path Costs ................................................................................................... 123
Table 27 STP Port States ................................................................................................... 124
Table 28 Bridge .................................................................................................................. 125
Table 29 Bridge Port Roles ................................................................................................ 127
Table 30 Least Load First: Example 1 ................................................................................ 132
Table 31 Least Load First: Example 2 ................................................................................ 132
Table 32 WAN General ....................................................................................................... 136
Table 33 Load Balancing: Least Load First ........................................................................ 138
Table 34 Load Balancing: Weighted Round Robin ............................................................. 139
Table 35 Load Balancing: Spillover .................................................................................... 140
Table 36 WAN Route .......................................................................................................... 141
Table 37 Private IP Address Ranges ................................................................................. 142
Table 38 Example of Network Properties for LAN Servers with Fixed IP Addresses ......... 143
Table 39 WAN: Ethernet Encapsulation ............................................................................. 144
Table 40 WAN: PPPoE Encapsulation ............................................................................... 148
Table 41 WAN: PPTP Encapsulation ................................................................................. 151
Table 42 Traffic Redirect .................................................................................................... 154
Table 43 Dial Backup ......................................................................................................... 157
Table 44 Advanced Setup .................................................................................................. 160
Table 45 DMZ ..................................................................................................................... 163
Table 46 DMZ Static DHCP ................................................................................................ 166
Table 47 DMZ: IP Alias ....................................................................................................... 167
Table 48 DMZ: Port Roles .................................................................................................. 172
Table 49 WLAN .................................................................................................................. 175
Table 50 WLAN Static DHCP ............................................................................................. 178
Table 51 WLAN IP Alias ..................................................................................................... 179
Table 52 WLAN Port Roles ................................................................................................ 181
Table 53 Wireless Security Relational Matrix ..................................................................... 184
Table 54 Wireless Card: No Security ................................................................................. 191
Table 55 Wireless Card: Static WEP .................................................................................. 193
Table 56 Wireless Card: WPA-PSK .................................................................................... 194
Table 57 Wireless Card: WPA ............................................................................................ 195
Table 58 Wireless Card: 802.1x + Dynamic WEP .............................................................. 196
Table 59 Wireless Card: 802.1x + Static WEP ................................................................... 197
Table 60 Wireless Card: 802.1x + No WEP ....................................................................... 199
Table 61 Wireless Card: No Access 802.1x + Static WEP ................................................. 200
Table 62 Wireless Card: MAC Address Filter ..................................................................... 201
Table 63 Common IP Ports ................................................................................................ 204
Table 64 ICMP Commands That Trigger Alerts .................................................................. 207
Table 65 Legal NetBIOS Commands ................................................................................. 207
Table 66 Legal SMTP Commands ..................................................................................... 208
Table 67 Default Rule (Router Mode) ................................................................................. 219
Table 68 Default Rule (Bridge Mode) ................................................................................. 221
Table 69 Rule Summary ..................................................................................................... 222
Table 70 Firewall Edit Rule ................................................................................................. 225
Table 71 Anti-Probing ......................................................................................................... 226
Table 72 Firewall Threshold ............................................................................................... 229
Table 73 Firewall Service ................................................................................................... 231
Table 74 Firewall Edit Custom Service ............................................................................... 232
Table 75 Predefined Services ............................................................................................ 233
Table 76 IDP: General Setup ............................................................................................. 246
Table 77 Attack Types ........................................................................................................ 247
Table 78 Intrusion Severity ................................................................................................. 248
Table 79 Signature Actions ................................................................................................ 249
Table 80 IDP Signatures: Group View ................................................................................ 250
Table 81 Signatures Update ............................................................................................... 256
Table 82 Common Computer Virus Types ......................................................................... 258
Table 83 Anti-Virus: General .............................................................................................. 262
Table 84 Anti-Virus: Update ............................................................................................... 264
Table 85 Anti-Spam: General ............................................................................................. 271
Table 86 Anti-Spam: External DB ....................................................................................... 272
Table 87 Anti-Spam: Lists ................................................................................................... 274
Table 88 Anti-Spam Rule Edit ............................................................................................ 276
Table 89 Content Filter : General ....................................................................................... 279
Table 90 Content Filter: Categories .................................................................................... 282
Table 91 Content Filter: Customization .............................................................................. 289
Table 92 Content Filter: Cache ........................................................................................... 292
Table 93 VPN and NAT ...................................................................................................... 306
Table 94 ESP and AH ........................................................................................................ 309
Table 95 Local ID Type and Content Fields ....................................................................... 312
Table 96 Peer ID Type and Content Fields ........................................................................ 312
Table 97 Matching ID Type and Content Configuration Example ....................................... 312
Table 98 Mismatching ID Type and Content Configuration Example ................................. 313
Table 99 IPSec Fields Summary ........................................................................................ 316
Table 100 VPN screen Icons Key ....................................................................................... 317
Table 101 VPN Rules (IKE): Gateway Policy: Edit ............................................................. 320
Table 102 VPN Rules (IKE): Network Policy Edit ............................................................... 326
Table 103 VPN Rules (IKE): Network Policy Move ............................................................ 329
Table 104 VPN Rules (Manual) .......................................................................................... 330
Table 105 VPN Rules (Manual) Edit ................................................................................... 332
Table 106 VPN: SA Monitor ............................................................................................... 335
Table 107 VPN: Global Setting ........................................................................................... 336
Table 108 Telecommuters Sharing One VPN Rule Example ............................................. 338
Table 109 Telecommuters Using Unique VPN Rules Example .......................................... 339
Table 110 My Certificates ................................................................................................... 344
Table 111 My Certificate Import .......................................................................................... 347
Table 112 My Certificate Create ......................................................................................... 348
Table 113 My Certificate Details ......................................................................................... 352
Table 114 Trusted CAs ....................................................................................................... 354
Table 115 Trusted CA Import .............................................................................................. 356
Table 116 Trusted CA Details ............................................................................................. 357
Table 117 Trusted Remote Hosts ....................................................................................... 360
Table 118 Trusted Remote Host Import .............................................................................. 363
Table 119 Trusted Remote Host Details ............................................................................. 364
Table 120 Directory Servers ............................................................................................... 367
Table 121 Directory Server Add ......................................................................................... 368
Table 122 Local User Database ......................................................................................... 372
Table 123 RADIUS ............................................................................................................. 373
Table 124 NAT Definitions .................................................................................................. 374
Table 125 NAT Mapping Types .......................................................................................... 378
Table 126 NAT Overview .................................................................................................... 379
Table 127 NAT Address Mapping ....................................................................................... 381
Table 128 NAT Address Mapping Edit ............................................................................... 383
Table 129 Services and Port Numbers ............................................................................... 384
Table 130 Port Forwarding ................................................................................................. 387
Table 131 Port Triggering ................................................................................................... 389
Table 132 IP Static Route ................................................................................................... 393
Table 133 IP Static Route Edit ............................................................................................ 394
Table 134 Policy Route Summary ...................................................................................... 398
Table 135 Edit IP Policy Route ........................................................................................... 399
Table 136 Application and Subnet-based Bandwidth Management Example .................... 404
Table 137 Maximize Bandwidth Usage Example ............................................................... 405
Table 138 Priority-based Allotment of Unused and Unbudgeted Bandwidth Example ....... 406
Table 139 Fairness-based Allotment of Unused and Unbudgeted Bandwidth Example .... 406
Table 140 Bandwidth Borrowing Example .......................................................................... 407
Table 141 Bandwidth Management: Summary .................................................................. 409
Table 142 Bandwidth Management: Class Setup .............................................................. 410
Table 143 Bandwidth Management: Edit Class .................................................................. 412
Table 144 Services and Port Numbers ............................................................................... 414
Table 145 Bandwidth Management: Statistics .................................................................... 415
Table 146 Bandwidth Management: Monitor ...................................................................... 416
Table 147 System DNS ...................................................................................................... 421
Table 148 System DNS: Add Address Record ................................................................... 423
Table 149 System DNS: Insert Name Server Record ........................................................ 424
Table 150 DNS Cache ........................................................................................................ 425
Table 151 DNS DHCP ........................................................................................................ 427
Table 152 DDNS ................................................................................................................429
Table 153 WWW ................................................................................................................ 435
Table 154 SSH ................................................................................................................... 443
Table 155 Telnet ................................................................................................................. 447
Table 156 FTP .................................................................................................................... 448
Table 157 SNMP Traps ...................................................................................................... 450
Table 158 SNMP ................................................................................................................451
Table 159 DNS ................................................................................................................... 452
Table 160 CNM .................................................................................................................. 453
Table 161 UPnP ................................................................................................................. 457
Table 162 UPnP Ports ........................................................................................................ 459
Table 163 ALG ................................................................................................................... 471
Table 164 View Log ............................................................................................................473
Table 165 Example Log Description ................................................................................... 473
Table 166 Log Settings ....................................................................................................... 477
Table 167 Reports .............................................................................................................. 479
Table 168 Web Site Hits Report ......................................................................................... 480
Table 169 Protocol/ Port Report ......................................................................................... 481
Table 170 Host IP Address Report ..................................................................................... 482
Table 171 Report Specifications ......................................................................................... 483
Table 172 General Setup ................................................................................................... 485
Table 173 Password Setup ................................................................................................ 486
Table 174 Time and Date ................................................................................................... 487
Table 175 Default Time Servers ......................................................................................... 489
Table 176 MAC-address-to-port Mapping Table ................................................................. 491
Table 177 Device Mode (Router Mode) ............................................................................. 492
Table 178 Device Mode (Bridge Mode) .............................................................................. 493
Table 179 Firmware Upload ............................................................................................... 495
Table 180 Restore Configuration ........................................................................................ 497
Table 181 Main Menu Commands ..................................................................................... 501
Table 182 Main Menu Summary ........................................................................................ 503
Table 183 SMT Menus Overview ....................................................................................... 504
Table 184 Menu 1: General Setup (Router Mode) ............................................................. 508
Table 185 Menu 1: General Setup (Bridge Mode) .............................................................. 509
Table 186 Menu 1.1: Configure Dynamic DNS .................................................................. 510
Table 187 Menu 1.1.1: DDNS Host Summary .................................................................... 511
Table 188 Menu 1.1.1: DDNS Edit Host ............................................................................. 512
Table 189 MAC Address Cloning in WAN Setup ................................................................ 515
Table 190 Menu 2: Dial Backup Setup ............................................................................... 516
Table 191 Advanced WAN Port Setup: AT Commands Fields ........................................... 517
Table 192 Advanced WAN Port Setup: Call Control Parameters ....................................... 518
Table 193 Menu 11.3: Remote Node Profile (Backup ISP) ................................................ 519
Table 194 Menu 11.3.1: Remote Node PPP Options ......................................................... 521
Table 195 Menu 11.3.2: Remote Node Network Layer Options ......................................... 522
Table 196 Menu 11.3.3: Remote Node Script .................................................................... 525
Table 197 Menu 3.2: DHCP Ethernet Setup Fields ............................................................ 528
Table 198 Menu 3.2: LAN TCP/IP Setup Fields ................................................................. 529
Table 199 Menu 3.2.1: IP Alias Setup ................................................................................ 530
Table 200 Menu 4: Internet Access Setup (Ethernet) ....................................................... 533
Table 201 New Fields in Menu 4 (PPTP) Screen ............................................................... 534
Table 202 New Fields in Menu 4 (PPPoE) screen ............................................................. 535
Table 203 Menu 6.1: Route Assessment ........................................................................... 541
Table 204 Menu 6.2: Traffic Redirect ................................................................................. 541
Table 205 Menu 6.3: Route Failover .................................................................................. 542
Table 206 Menu 7.1: Wireless Setup ................................................................................. 545
Table 207 Menu 7.1.1: WLAN MAC Address Filter ............................................................ 546
Table 208 Menu 11.1: Remote Node Profile for Ethernet Encapsulation ........................... 552
Table 209 Fields in Menu 11.1 (PPPoE Encapsulation Specific) ....................................... 554
Table 210 Menu 11.1: Remote Node Profile for PPTP Encapsulation ............................... 555
Table 211 Remote Node Network Layer Options Menu Fields .......................................... 556
Table 212 Menu 11.1.5: Traffic Redirect Setup .................................................................. 559
Table 213 Menu 12.1: Edit IP Static Route ........................................................................ 561
Table 214 Applying NAT in Menus 4 & 11.1.2 .................................................................... 564
Table 215 SUA Address Mapping Rules ............................................................................ 566
Table 216 Fields in Menu 15.1.1 ........................................................................................ 567
Table 217 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set ........................ 568
Table 218 15.2.1.2: NAT Server Configuration ................................................................... 571
Table 219 Menu 15.3.1: Trigger Port Setup ....................................................................... 580
Table 220 Abbreviations Used in the Filter Rules Summary Menu .................................... 588
Table 221 Rule Abbreviations Used ................................................................................... 588
Table 222 Menu 21.1.1.1: TCP/IP Filter Rule ..................................................................... 589
Table 223 Generic Filter Rule Menu Fields ........................................................................ 592
Table 224 SNMP Configuration Menu Fields ..................................................................... 598
Table 225 SNMP Traps ...................................................................................................... 599
Table 226 System Maintenance: Status Menu Fields ........................................................ 601
Table 227 Fields in System Maintenance: Information ....................................................... 603
Table 228 System Maintenance Menu Syslog Parameters ................................................ 605
Table 229 System Maintenance Menu Diagnostic ............................................................. 610
Table 230 Filename Conventions ....................................................................................... 613
Table 231 General Commands for GUI-based FTP Clients ............................................... 615
Table 232 General Commands for GUI-based TFTP Clients ............................................. 617
Table 233 Valid Commands ............................................................................................... 629
Table 234 Budget Management ......................................................................................... 631
Table 235 Call History ........................................................................................................632
Table 236 Menu 24.10 System Maintenance: Time and Date Setting ............................... 634
Table 237 Menu 24.11 – Remote Management Control ..................................................... 637
Table 238 Menu 25: Sample IP Routing Policy Summary .................................................. 640
Table 239 IP Routing Policy Setup ..................................................................................... 641
Table 240 Menu 25.1: IP Routing Policy Setup .................................................................. 642
Table 241 Menu 25.1.1: IP Routing Policy Setup ............................................................... 644
Table 242 Schedule Set Setup ........................................................................................... 649
Table 243 Troubleshooting the Start-Up of Your ZyWALL .................................................. 652
Table 244 Troubleshooting the LAN Interface .................................................................... 652
Table 245 Troubleshooting the DMZ Interface ................................................................... 653
Table 246 Troubleshooting the WAN Interface ................................................................... 653
Table 247 Troubleshooting Accessing the ZyWALL ........................................................... 654
Table 248 Device Specifications ......................................................................................... 664
Table 249 Performance ...................................................................................................... 665
Table 250 Firmware Features ............................................................................................ 665
Table 251 Feature Specifications ....................................................................................... 667
Table 252 Compatible ZyXEL WLAN Cards and Security Features .................................. 668
Table 253 Console/Dial Backup Port Pin Assignments ...................................................... 670
Table 254 Classes of IP Addresses ................................................................................... 694
Table 255 Allowed IP Address Range By Class ................................................................. 695
Table 256 “Natural” Masks ................................................................................................ 695
Table 257 Alternative Subnet Mask Notation ..................................................................... 696
Table 258 Two Subnets Example ....................................................................................... 696
Table 259 Subnet 1 ............................................................................................................697
Table 260 Subnet 2 ............................................................................................................697
Table 261 Subnet 1 ............................................................................................................698
Table 262 Subnet 2 ............................................................................................................698
Table 263 Subnet 3 ............................................................................................................698
Table 264 Subnet 4 ............................................................................................................699
Table 265 Eight Subnets .................................................................................................... 699
Table 266 Class C Subnet Planning ................................................................................... 699
Table 267 Class B Subnet Planning ................................................................................... 700
Table 268 IEEE802.11g ...................................................................................................... 712
Table 269 Comparison of EAP Authentication Types ......................................................... 718
Table 270 Wireless Security Relational Matrix ................................................................... 719
Table 271 Firewall Commands ........................................................................................... 756
Table 272 NetBIOS Filter Default Settings ......................................................................... 763
Table 273 Certificates Commands ..................................................................................... 766
Table 274 Brute-Force Password Guessing Protection Commands .................................. 770
Table 275 System Maintenance Logs ................................................................................ 774
Table 276 System Error Logs ............................................................................................. 775
Table 277 Access Control Logs .......................................................................................... 776
Table 278 TCP Reset Logs ................................................................................................ 777
Table 279 Packet Filter Logs .............................................................................................. 777
Table 280 ICMP Logs ......................................................................................................... 778
Table 281 CDR Logs .......................................................................................................... 778
Table 282 PPP Logs ........................................................................................................... 778
Table 283 UPnP Logs ........................................................................................................ 779
Table 284 Content Filtering Logs ....................................................................................... 779
Table 285 Attack Logs ........................................................................................................ 780
Table 286 Remote Management Logs ............................................................................... 781
Table 287 Wireless Logs .................................................................................................... 782
Table 288 IPSec Logs ........................................................................................................ 782
Table 289 IKE Logs ............................................................................................................783
Table 290 PKI Logs ............................................................................................................786
Table 291 Certificate Path Verification Failure Reason Codes ........................................... 787
Table 292 802.1X Logs ...................................................................................................... 787
Table 293 ACL Setting Notes ............................................................................................. 788
Table 294 ICMP Notes ....................................................................................................... 789
Table 295 IDP Logs ............................................................................................................790
Table 296 AV Logs .............................................................................................................791
Table 297 AS Logs .............................................................................................................792
Table 298 Syslog Logs ....................................................................................................... 794
Table 299 RFC-2408 ISAKMP Payload Types ................................................................... 795

Preface

Congratulations on your purchase of the ZyWALL.
Note: Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.zyxel.com for North American products.
Your ZyWALL is easy to install and configure.
About This User's Guide
This manual is designed to guide you through the configuration of your ZyWALL for its various applications. The web configurator parts of this guide contain background information on features configurable by web configurator. The SMT parts of this guide contain background information solely on features not configurable by web configurator.
Note: Use the web configurator, System Management Terminal (SMT) or command interpreter interface to configure your ZyWALL. Not all features can be configured through all interfaces.
Related Documentation
• Supporting Disk
Refer to the included CD for support documents.
• Quick Start Guide
The Quick Start Guide is designed to help you get up and running right away. It contains a detailed easy-to-follow connection diagram, default settings, handy checklists and information on setting up your network and configuring for Internet access.
• Web Configurator Online Help
Embedded web help for descriptions of individual screens and supplementary information.
• ZyXEL Glossary and Web Site
Please refer to www.zyxel.com for an online glossary of networking terms and additional support documentation.
User Guide Feedback
Help us help you. E-mail all User Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. Thank you!
Syntax Conventions
• “Enter” means for you to type one or more characters. “Select” or “Choose” means for you to use one of the predefined choices.
• The SMT menu titles and labels are in Bold Times New Roman font. Predefined field choices are in Bold Arial font. Command and arrow keys are enclosed in square brackets. [ENTER] means the Enter, or carriage return key; [ESC] means the Escape key and [SPACE BAR] means the Space Bar.
• Mouse action sequences are denoted using a comma. For example, “In Windows, click Start, Settings and then Control Panel” means first click the Start button, then point your mouse pointer to Settings and then click Control Panel.
• “e.g.,” is a shorthand for “for instance”, and “i.e.,” means “that is” or “in other words”.
Graphics Icons Key
[Icons used in this guide: ZyWALL, Computer, Notebook computer, Server, DSLAM, Firewall, Telephone, Switch, Router, Wireless Signal]
CHAPTER 1

Getting to Know Your ZyWALL

This chapter introduces the main features and applications of the ZyWALL.

1.1 ZyWALL Internet Security Appliance Overview

The ZyWALL is loaded with security features including VPN, firewall, content filtering, anti-spam, IDP (Intrusion Detection and Prevention), anti-virus and certificates. The ZyWALL’s De-Militarized Zone (DMZ) increases LAN security by providing separate ports for connecting publicly accessible servers. The ZyWALL 70 and ZyWALL 35 are designed for medium-sized businesses that need the increased throughput and reliability of dual WAN ports and load balancing. The ZyWALL 35 and ZyWALL 5 provide the option to change port roles from LAN to DMZ.
You can also deploy the ZyWALL as a transparent firewall in an existing network with minimal configuration.
The ZyWALL provides bandwidth management, NAT, port forwarding, policy routing (not available for the ZyWALL 5), DHCP server and many other powerful features.
The PCMCIA/CardBus slot allows you to add an 802.11b/g-compliant wireless LAN. You can use the wireless card as part of the LAN, DMZ or WLAN. The ZyWALL offers highly secure wireless connectivity to your wired network with IEEE 802.1x, WEP data encryption, WPA (Wi-Fi Protected Access) and MAC address filtering.

1.2 ZyWALL Features

The following table lists model specific features.
Note: See the product specifications in the appendix for detailed features and
standards support.
Table 1 Model Specific Features
FEATURE                                        ZyWALL 5   ZyWALL 35   ZyWALL 70
Multiple WAN                                              O           O
Load Balancing                                            O           O
Changing Port Roles between the LAN and DMZ    O          O
Policy Route                                              O           O
Table Key: An O in a model’s column shows that the model has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change.

1.2.1 Physical Features

LAN Port
The 10/100 Mbps auto-negotiating Ethernet LAN port allows the ZyWALL to detect the speed of incoming transmissions and adjust appropriately without manual intervention. It allows data transfer of either 10 Mbps or 100 Mbps in either half-duplex or full-duplex mode depending on your Ethernet network. The port is also auto-crossover (MDI/MDI-X) meaning it automatically adjusts to either a crossover or straight-through Ethernet cable.
DMZ Ports
Public servers (Web, FTP, etc.) attached to a DeMilitarized Zone (DMZ) port are visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death) and can also be accessed from the secure LAN.
The 10/100 Mbps auto-negotiating Ethernet ports allow the ZyWALL to detect the speed of incoming transmissions and adjust appropriately without manual intervention. It allows data transfer of either 10 Mbps or 100 Mbps in either half-duplex or full-duplex mode depending on your Ethernet network. The ports are also auto-crossover (MDI/MDI-X) meaning they automatically adjust to either a crossover or straight-through Ethernet cable.
WLAN Ports
You can set some of the Ethernet ports to a WLAN port role. This allows you to connect wireless LAN Access Points (APs) to extend the ZyWALL’s wireless LAN coverage area.
Dual Auto-negotiating 10/100 Mbps Ethernet WAN (single on the ZyWALL 5)
The Ethernet WAN ports connect to the Internet via broadband modem or router. You can use a second connection for load sharing to increase overall network throughput or as a backup to enhance network reliability.
The 10/100 Mbps auto-negotiating Ethernet ports allow the ZyWALL to detect the speed of incoming transmissions and adjust appropriately without manual intervention. They allow data transfers of either 10 Mbps or 100 Mbps in either half-duplex or full-duplex mode depending on your Ethernet network. The ports are also auto-crossover (MDI/MDI-X) meaning they automatically adjust to either a crossover or straight-through Ethernet cable.
Dial Backup WAN
The dial backup port can be used in reserve as a traditional dial-up connection if the WAN (or WAN 1 and WAN 2) and traffic redirect connections fail.
Time and Date
The ZyWALL allows you to get the current time and date from an external server when you turn on your ZyWALL. You can also set the time manually. The Real Time Chip (RTC) keeps track of the time and date.
Reset Button
Use the reset button to restore the factory default password to 1234; IP address to 192.168.1.1, subnet mask to 255.255.255.0 and DHCP server enabled with a pool of 32 IP addresses starting at 192.168.1.33.
Dual PCMCIA and CardBus Slot
The dual PCMCIA and CardBus slot provides the option of a wireless LAN. You can alternatively insert a ZyWALL Turbo Card to use the anti-virus and IDP features.
IEEE 802.11 b/g Wireless LAN
The optional wireless LAN card provides mobility and a fast network environment for small and home offices. Users can connect to the local area network without any wiring efforts and enjoy reliable high-speed connectivity.

1.2.2 Non-Physical Features

Load Balancing
The ZyWALL improves quality of service and maximizes bandwidth utilization by dividing traffic loads between the two WAN interfaces (or ports).
Transparent Firewall
Transparent firewall is also known as a bridge firewall. The ZyWALL can act as a bridge and still have the capability of filtering and inspecting the packets between a router and the LAN, or two routers. You do not need to do any other changes to your existing network.
SIP Passthrough
The ZyWALL includes a SIP Application Layer Gateway (ALG). It allows VoIP calls to pass through NAT by examining and translating IP addresses embedded in the data stream. Use the ALG screen to enable or disable the SIP ALG.
STP (Spanning Tree Protocol) / RSTP (Rapid STP)
When the ZyWALL is set to bridge mode, (R)STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other (R)STP-compliant bridges in your network to ensure that only one path exists between any two stations on the network.
Bandwidth Management
Bandwidth management allows you to allocate network resources according to defined policies. This policy-based bandwidth allocation helps your network to better handle real-time applications such as Voice-over-IP (VoIP).
IPSec VPN Capability
Establish a Virtual Private Network (VPN) to connect with business partners and branch offices using data encryption and the Internet to provide secure communications without the expense of leased site-to-site lines. The ZyWALL VPN is based on the IPSec standard and is fully interoperable with other IPSec-based VPN products.
X-Auth (Extended Authentication)
X-Auth provides added security for VPN by requiring each VPN client to use a username and password.
Certificates
The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. Certificates provide a way to exchange public keys for use in authentication.
SSH
The ZyWALL uses the SSH (Secure Shell) secure communication protocol to provide secure encrypted communication between two hosts over an unsecured network.
HTTPS
HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL, is a web protocol that encrypts and decrypts web sessions. Use HTTPS for secure web configurator access to the ZyWALL.
Firewall
The ZyWALL is a stateful inspection firewall with DoS (Denial of Service) protection. By default, when the firewall is activated, all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the LAN. The ZyWALL firewall supports TCP/UDP inspection, DoS detection and prevention, real time alerts, reports and logs.
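The default policy just described, as an added model in Python (not ZyXEL’s code; the ZyWALL’s internal session table is not documented here): a session table keyed by 5-tuple admits WAN packets only when they answer a LAN-initiated session, which is also why a stateless port-based rule cannot substitute for it.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

Key = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on: "LAN" or "WAN"
    proto: str   # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Model of the default policy: only the LAN side may open sessions;
    the WAN side is admitted only for replies to a tracked session."""

    def __init__(self) -> None:
        self.sessions: Set[Key] = set()  # keyed from the initiator's point of view

    @staticmethod
    def forward_key(p: Packet) -> Key:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse_key(p: Packet) -> Key:
        # The reply to a tracked session swaps source and destination.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        if p.iface == "LAN":
            # LAN-initiated traffic is allowed and creates state for its replies.
            self.sessions.add(self.forward_key(p))
            return "ALLOW"
        # WAN-arriving traffic passes only if it answers a LAN-initiated session.
        if self.reverse_key(p) in self.sessions:
            return "ALLOW"
        # Unsolicited WAN traffic toward the LAN is blocked; note that a rule
        # comparing only ports could not tell this apart from a genuine reply.
        return "DROP"


def run(packets: List[Packet]) -> List[str]:
    """Apply the policy to a packet sequence and return one verdict per packet."""
    fw = StatefulFirewall()
    return [fw.filter(p) for p in packets]


# Constructed sample traffic: the LAN host uses the manual's default DHCP range,
# 203.0.113.10 is a documentation address standing in for an Internet server.
SAMPLE = [
    Packet("LAN", "TCP", "192.168.1.33", 40000, "203.0.113.10", 80),   # LAN host opens HTTP
    Packet("WAN", "TCP", "203.0.113.10", 80, "192.168.1.33", 40000),   # reply: matches state
    Packet("WAN", "TCP", "203.0.113.10", 80, "192.168.1.33", 40001),   # wrong port: no state
    Packet("WAN", "TCP", "203.0.113.10", 51000, "192.168.1.33", 22),   # unsolicited inbound
    Packet("WAN", "UDP", "203.0.113.10", 80, "192.168.1.33", 40000),   # right ports, wrong proto
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run(SAMPLE)):
        print(f"{pkt.iface:3} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {verdict}")
```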
Content Filtering
The ZyWALL can block web features such as ActiveX controls, Java applets and cookies, as well as disable web proxies. The ZyWALL can block or allow access to web sites that you specify. The ZyWALL can also block access to web sites containing keywords that you specify. You can define time periods and days during which content filtering is enabled and include or exclude a range of users on the LAN from content filtering.
You can also subscribe to category-based content filtering that allows your ZyWALL to check web sites against an external database of dynamically updated ratings of millions of web sites.
Anti-Spam
The ZyWALL’s anti-spam feature helps detect and mark or discard junk e-mail (spam). The ZyWALL has a whitelist for identifying legitimate e-mail and a blacklist for identifying spam e-mail. You can also subscribe to an anti-spam external database service that checks e-mail against more than a million known spam patterns.
Anti-Virus Scanner
With the anti-virus packet scanner, your ZyWALL scans files transmitting through the enabled interfaces into the network. The ZyWALL helps stop threats at the network edge before they reach the local host computers.
Intrusion Detection and Prevention (IDP)
IDP can detect and take actions on malicious or suspicious packets and traffic flows.
ZyWALL Turbo Card
ZyWALL Turbo Card is a co-processor accelerator that is used in conjunction with your ZyWALL for fast, efficient IDP (Intrusion Detection and Prevention) and AV (Anti Virus) traffic inspection.
Universal Plug and Play (UPnP)
Using the standard TCP/IP protocol, the ZyWALL and other UPnP-enabled devices can dynamically join a network, obtain an IP address and convey their capabilities to other devices on the network.
RADIUS (RFC2138, 2139)
RADIUS (Remote Authentication Dial In User Service) server enables user authentication, authorization and accounting.
IEEE 802.1x for Network Security
The ZyWALL supports the IEEE 802.1x standard that works with IEEE 802.11 to enhance user authentication. With the local user profile, the ZyWALL allows you to configure up to 32 user profiles without a network authentication server. In addition, centralized user and accounting management is possible on an optional network authentication server.
Wi-Fi Protected Access
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i security specification draft. Key differences between WPA and WEP are user authentication and improved data encryption.
Wireless LAN MAC Address Filtering
Your ZyWALL can check the MAC addresses of wireless stations against a list of allowed or denied MAC addresses.
WEP Encryption
WEP (Wired Equivalent Privacy) encrypts data frames before transmitting over the wireless network to help keep network communications private.
Packet Filtering
The packet filtering mechanism blocks unwanted traffic from entering/leaving your network.
Call Scheduling
Configure call time periods to restrict and allow access for users on remote nodes.
PPPoE
PPPoE facilitates the interaction of a host with an Internet modem to achieve access to high-speed data networks via a familiar "dial-up networking" user interface.
PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using a TCP/IP-based network.
PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet. The ZyWALL supports one PPTP server connection at any given time.
Dynamic DNS Support
With Dynamic DNS (Domain Name System) support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet. You must register for this service with a Dynamic DNS service provider.
IP Multicast
Deliver IP packets to a specific group of hosts using IP multicast. IGMP (Internet Group Management Protocol) is the protocol used to support multicast groups. The latest version is version 2 (see RFC 2236); the ZyWALL supports both versions 1 and 2.
IP Alias
IP Alias allows you to partition a physical network into logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN, WLAN and/or DMZ interfaces via its single physical Ethernet LAN, WLAN and/or DMZ interface with the ZyWALL itself as the gateway for each network.
IP Policy Routing
IP Policy Routing provides a mechanism to override the default routing behavior and alter packet forwarding based on the policies defined by the network administrator.
Central Network Management
Central Network Management (CNM) allows an enterprise or service provider network administrator to manage your ZyWALL. The enterprise or service provider network administrator can configure your ZyWALL, perform firmware upgrades and do troubleshooting for you.
SNMP
SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network. The ZyWALL supports SNMP version one (SNMPv1).
Network Address Translation (NAT)
Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet).
Traffic Redirect
Traffic Redirect forwards WAN traffic to a backup gateway on the LAN when the ZyWALL cannot connect to the Internet, thus acting as an auxiliary backup when your regular WAN connection fails.
Port Forwarding
Use this feature to forward incoming service requests to a server on your local network. You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server.
DHCP (Dynamic Host Configuration Protocol)
DHCP (Dynamic Host Configuration Protocol) allows the individual client computers to obtain the TCP/IP configuration at start-up from a centralized DHCP server. The ZyWALL has built-in DHCP server capability, enabled by default, which means it can assign IP addresses, an IP default gateway and DNS servers to all systems that support the DHCP client. The ZyWALL can also act as a surrogate DHCP server (DHCP Relay) where it relays IP address assignment from the actual real DHCP server to the clients.
Full Network Management
The embedded web configurator is an all-platform web-based utility that allows you to easily access the ZyWALL’s management settings and configure the firewall. Most functions of the ZyWALL are also software configurable via the SMT (System Management Terminal) interface. The SMT is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection.
RoadRunner Support
In addition to standard cable modem services, the ZyWALL supports Time Warner’s RoadRunner Service.
Logging and Tracing
Built-in message logging and packet tracing.
Syslog facility support.
Upgrade ZyWALL Firmware via LAN
The firmware of the ZyWALL can be upgraded via the LAN.
Embedded FTP and TFTP Servers
The ZyWALL’s embedded FTP and TFTP Servers enable fast firmware upgrades as well as configuration file backups and restoration.

1.3 Applications for the ZyWALL

Here are some examples of what you can do with your ZyWALL.

1.3.1 Secure Broadband Internet Access via Cable or DSL Modem

You can connect a cable modem, DSL or wireless modem to the ZyWALL for broadband Internet access via Ethernet or wireless port on the modem. The ZyWALL guarantees not only high speed Internet access, but secure internal network protection and traffic management as well.
Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem

1.3.2 VPN Application

ZyWALL VPN is an ideal cost-effective way to connect branch offices and business partners over the Internet without the need (and expense) for leased lines between sites.
Figure 2 VPN Application

1.3.3 Front Panel LEDs

Figure 3 ZyWALL 70 Front Panel
Figure 4 ZyWALL 35 Front Panel
Figure 5 ZyWALL 5 Front Panel
The following table describes the LEDs.
Table 2 Front Panel LEDs
LED | COLOR | STATUS | DESCRIPTION
PWR | | Off | The ZyWALL is turned off.
PWR | Green | On | The ZyWALL is turned on.
PWR | Red | On | The power to the ZyWALL is too low.
SYS | Green | Off | The ZyWALL is not ready or has failed.
SYS | Green | On | The ZyWALL is ready and running.
SYS | Green | Flashing | The ZyWALL is restarting.
ACT | Green | Off | The backup port is not connected.
ACT | Green | Flashing | The backup port is sending or receiving packets.
CARD | Green | Off | The wireless LAN is not ready, or has failed.
CARD | Green | On | The wireless LAN is ready.
CARD | Green | Flashing | The wireless LAN is sending or receiving packets.
LAN 10/100 (ZyWALL 70 only) | | Off | The LAN/DMZ is not connected.
LAN 10/100 (ZyWALL 70 only) | Green | On | The ZyWALL has a successful 10Mbps Ethernet connection.
LAN 10/100 (ZyWALL 70 only) | Green | Flashing | The 10M LAN is sending or receiving packets.
LAN 10/100 (ZyWALL 70 only) | Orange | On | The ZyWALL has a successful 100Mbps Ethernet connection.
LAN 10/100 (ZyWALL 70 only) | Orange | Flashing | The 100M LAN is sending or receiving packets.
WAN1/2 10/100 or WAN 10/100 | | Off | The WAN connection is not ready, or has failed.
WAN1/2 10/100 or WAN 10/100 | Green | On | The ZyWALL has a successful 10Mbps WAN connection.
WAN1/2 10/100 or WAN 10/100 | Green | Flashing | The 10M WAN is sending or receiving packets.
WAN1/2 10/100 or WAN 10/100 | Orange | On | The ZyWALL has a successful 100Mbps WAN connection.
WAN1/2 10/100 or WAN 10/100 | Orange | Flashing | The 100M WAN is sending or receiving packets.
DMZ 10/100 (ZyWALL 70 only) | | Off | The LAN/DMZ is not connected.
DMZ 10/100 (ZyWALL 70 only) | Green | On | The ZyWALL has a successful 10Mbps Ethernet connection.
DMZ 10/100 (ZyWALL 70 only) | Green | Flashing | The 10M LAN is sending or receiving packets.
DMZ 10/100 (ZyWALL 70 only) | Orange | On | The ZyWALL has a successful 100Mbps Ethernet connection.
DMZ 10/100 (ZyWALL 70 only) | Orange | Flashing | The 100M LAN is sending or receiving packets.
LAN/DMZ 10/100 (ZyWALL 35 and ZyWALL 5) | | Off | The LAN/DMZ is not connected.
LAN/DMZ 10/100 (ZyWALL 35 and ZyWALL 5) | Green | On | The ZyWALL has a successful 10Mbps Ethernet connection.
LAN/DMZ 10/100 (ZyWALL 35 and ZyWALL 5) | Green | Flashing | The 10M LAN is sending or receiving packets.
LAN/DMZ 10/100 (ZyWALL 35 and ZyWALL 5) | Orange | On | The ZyWALL has a successful 100Mbps Ethernet connection.
LAN/DMZ 10/100 (ZyWALL 35 and ZyWALL 5) | Orange | Flashing | The 100M LAN is sending or receiving packets.
CHAPTER 2

Introducing the Web Configurator

This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens.

2.1 Web Configurator Overview

The web configurator is an HTML-based management interface that allows easy ZyWALL setup and management via Internet browser. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions. The recommended screen resolution is 1024 by 768 pixels.
In order to use the web configurator you need to allow:
• Web browser pop-up windows from your device. Web pop-up blocking is enabled by default in Windows XP SP (Service Pack) 2.
• JavaScripts (enabled by default).
• Java permissions (enabled by default).
See the Troubleshooting chapter if you want to make sure these functions are allowed in Internet Explorer or Netscape Navigator.

2.2 Accessing the ZyWALL Web Configurator

Note: By default, the packets from WLAN to WLAN/ZyWALL are dropped and users cannot configure the ZyWALL wirelessly.
1 Make sure your ZyWALL hardware is properly connected and prepare your computer/computer network to connect to the ZyWALL (refer to the Quick Start Guide).
2 Launch your web browser.
3 Type "192.168.1.1" as the URL.
4 Type "1234" (default) as the password and click Login. In some versions, the default password appears automatically - if this is the case, click Login.
5 You should see a screen asking you to change your password (highly recommended) as shown next. Type a new password (and retype it to confirm) and click Apply or click Ignore.
Figure 6 Change Password Screen
6 Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device.
Note: If you do not replace the default certificate here or in the CERTIFICATES screen, this screen displays every time you access the web configurator.
Figure 7 Replace Certificate Screen
7 You should now see the HOME screen (see Figure 9 on page 69).
Note: The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the ZyWALL if this happens to you.

2.3 Resetting the ZyWALL

If you forget your password or cannot access the web configurator, you will need to reload the factory-default configuration file or use the RESET button on the back of the ZyWALL. Uploading this configuration file replaces the current configuration file with the factory-default configuration file. This means that you will lose all configurations that you had previously and the speed of the console port will be reset to the default of 9600bps with 8 data bits, no parity, one stop bit and flow control set to none. The password will be reset to 1234, also.

2.3.1 Procedure To Use The Reset Button

Make sure the SYS LED is on (not blinking) before you begin this procedure.
1 Press the RESET button for ten seconds, and then release it. If the SYS LED begins to blink, the defaults have been restored and the ZyWALL restarts. Otherwise, go to step 2.
2 Turn the ZyWALL off.
3 While pressing the RESET button, turn the ZyWALL on.
4 Continue to hold the RESET button. The SYS LED will begin to blink and flicker very quickly after about 20 seconds. This indicates that the defaults have been restored and the ZyWALL is now restarting.
5 Release the RESET button and wait for the ZyWALL to finish restarting.

2.3.2 Uploading a Configuration File Via Console Port

1 Download the default configuration file from the ZyXEL FTP site, unzip it and save it in a folder.
2 Turn off the ZyWALL, begin a terminal emulation software session and turn on the ZyWALL again. When you see the message "Press Any key to enter Debug Mode within 3 seconds", press any key to enter debug mode.
3 Enter "y" at the prompt below to go into debug mode.
4 Enter "atlc" after the "Enter Debug Mode" message.
5 Wait for the "Starting XMODEM upload" message before activating Xmodem upload on your terminal. This is an example Xmodem configuration upload using HyperTerminal.
Figure 8 Example Xmodem Upload
Type the configuration file’s location, or click Browse to search for it.
Choose the Xmodem protocol.
Then click Send.
6 After successful firmware upload, enter "atgo" to restart the router.
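As an added illustration of the Xmodem upload step (not ZyXEL’s code and not the terminal emulator’s), the classic 128-byte checksum Xmodem framing with an in-memory receiver standing in for the ZyWALL’s "atlc" console receiver; the assumption that the ZyWALL expects this checksum variant rather than Xmodem-CRC is mine, and the retransmission path shows why a corrupted block cannot silently reach the device.

```python
from typing import List

SOH, EOT, ACK, NAK = 0x01, 0x04, 0x06, 0x15
BLOCK = 128
PAD = 0x1A  # CP/M EOF, the traditional Xmodem padding byte for a short last block


def build_packets(data: bytes) -> List[bytes]:
    """Sender side: SOH, block number, its complement, 128 data bytes, 8-bit checksum."""
    packets = []
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK].ljust(BLOCK, bytes([PAD]))
        blk = (i // BLOCK + 1) & 0xFF  # block numbers start at 1 and wrap modulo 256
        packets.append(bytes([SOH, blk, 0xFF - blk]) + chunk + bytes([sum(chunk) & 0xFF]))
    return packets


def parse_packet(pkt: bytes, expected_blk: int) -> bytes:
    """Receiver side: framing, block number, complement and checksum must all agree."""
    if len(pkt) != 3 + BLOCK + 1 or pkt[0] != SOH:
        raise ValueError("bad framing")
    blk, comp = pkt[1], pkt[2]
    if blk != (expected_blk & 0xFF) or (blk ^ comp) != 0xFF:
        raise ValueError("bad block number")
    body = pkt[3:3 + BLOCK]
    if (sum(body) & 0xFF) != pkt[-1]:
        raise ValueError("checksum mismatch")
    return body


def receive(packets: List[bytes]) -> bytes:
    """Reassemble a packet sequence. Xmodem carries no length field, so trailing
    padding is stripped; a file that genuinely ends in 0x1A bytes would lose them."""
    out = bytearray()
    for n, pkt in enumerate(packets, start=1):
        out += parse_packet(pkt, n)
    return bytes(out).rstrip(bytes([PAD]))


class FakeReceiver:
    """Constructed stand-in for the ZyWALL's console receiver: ACKs good packets,
    NAKs bad ones, and only then advances the expected block number."""

    def __init__(self) -> None:
        self.expected = 1
        self.chunks: List[bytes] = []

    def handshake(self) -> int:
        return NAK  # checksum-mode Xmodem starts with the receiver sending NAK

    def handle(self, pkt: bytes) -> int:
        if pkt == bytes([EOT]):
            return ACK
        try:
            self.chunks.append(parse_packet(pkt, self.expected))
        except ValueError:
            return NAK
        self.expected += 1
        return ACK

    def data(self) -> bytes:
        return b"".join(self.chunks).rstrip(bytes([PAD]))


def send(data: bytes, rx: FakeReceiver, corrupt_first: bool = False,
         max_retries: int = 10) -> int:
    """Drive the exchange; returns the number of retransmissions. With corrupt_first,
    one data byte of the first attempt at block 1 is flipped to exercise the NAK path."""
    if rx.handshake() != NAK:
        raise RuntimeError("receiver did not request checksum mode")
    retries = 0
    for n, pkt in enumerate(build_packets(data), start=1):
        attempt = 0
        while True:
            wire = pkt
            if corrupt_first and n == 1 and attempt == 0:
                wire = pkt[:10] + bytes([pkt[10] ^ 0xFF]) + pkt[11:]
            if rx.handle(wire) == ACK:
                break
            retries += 1
            attempt += 1
            if attempt > max_retries:
                raise RuntimeError("too many retries")
    rx.handle(bytes([EOT]))
    return retries


if __name__ == "__main__":
    sample = b"ZyWALL config " * 20  # constructed stand-in for a configuration file
    rx = FakeReceiver()
    print("retransmissions:", send(sample, rx, corrupt_first=True))
    print("intact:", rx.data() == sample)
```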

2.4 Navigating the ZyWALL Web Configurator

The following summarizes how to navigate the web configurator from the HOME screen. This guide uses the ZyWALL 70 screenshots as an example. The screens may vary slightly for different ZyWALL models.
Note: Follow the instructions you see in the HOME screen or click the icon.
The screen varies according to the device mode you select in the MAINTENANCE Device Mode screen.
2.4.1 Router Mode
The following screen displays when the ZyWALL is set to router mode. The ZyWALL is set to router mode by default. Not all fields are available on all models.
Figure 9 Web Configurator HOME Screen in Router Mode
Use submenus to configure ZyWALL features.
Click LOGOUT at any time to exit the web configurator.
The following table describes the labels in this screen.
Table 3 Web Configurator HOME Screen in Router Mode
LABEL | DESCRIPTION
Wizards for WAN 1 (WAN) and VPN Quick Setup
Internet Access | Click Internet Access to use the initial configuration wizard. This configures WAN1 on a ZyWALL with multiple WAN ports or the WAN port on a ZyWALL with a single WAN port.
VPN | Click VPN to create VPN policies.
Device Information
System Name | This is the System Name you enter in the MAINTENANCE General screen. It is for identification purposes.
Firmware Version | This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design.
Routing Protocol | This shows the routing protocol - IP for which the ZyWALL is configured. This field is not configurable.
Device Mode | This displays whether the ZyWALL is functioning as a router or a bridge.
Firewall | This displays whether or not the ZyWALL’s firewall is activated.
System Time | This field displays your ZyWALL’s present date and time along with the difference from the Greenwich Mean Time (GMT) zone. The difference from GMT is based on the time zone. It is also adjusted for Daylight Saving Time if you set the ZyWALL to use it.
Memory | The first number shows how many kilobytes of the heap memory the ZyWALL is using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running processes like NAT, VPN and the firewall. The second number shows the ZyWALL's total heap memory (in kilobytes). The bar displays what percent of the ZyWALL's heap memory is in use. The bar turns from green to red when the maximum is being approached.
Sessions | The first number shows how many sessions are currently open on the ZyWALL. This includes all sessions that are currently traversing the ZyWALL, terminating at the ZyWALL or initiated from the ZyWALL. The second number is the maximum number of sessions that can be open at one time. The bar displays what percent of the maximum number of sessions is in use. The bar turns from green to red when the maximum is being approached.
Policy Routes | The first number shows how many policy routes you have configured. The second number shows the maximum number of policy routes that you can configure on the ZyWALL. The bar displays what percent of the ZyWALL's possible policy routes are configured. The bar turns from green to red when the maximum is being approached.
Network Status
Interface | This is the port type. Port types for a ZyWALL with multiple WAN ports are: WAN1, WAN2, Dial Backup, LAN, WLAN and DMZ. Port types for a ZyWALL with a single WAN port are: WAN, Dial Backup, LAN, WLAN and DMZ. Click "+" to expand or "-" to collapse the LAN, WLAN (when the wireless card is part of the WLAN in the Port Roles screen), and DMZ IP alias drop-down lists.
Status | For the LAN and DMZ ports, this displays the port speed and duplex setting. For the WAN and Dial Backup ports, it displays the port speed and duplex setting if you’re using Ethernet encapsulation and Down (line is down or not connected), Idle (line (ppp) idle), Dial (starting to trigger a call) or Drop (dropping a call) if you’re using PPPoE encapsulation. For the WLAN port, it displays the transmission rate when a wireless LAN card is inserted and WLAN is enabled or Down when a wireless LAN card is not inserted or WLAN is disabled.
IP Address | This shows the port’s IP address.
Subnet Mask | This shows the port’s subnet mask.
IP Assignment | This shows the WAN port’s DHCP role - DHCP Client or Static. This shows the LAN, WLAN or DMZ port’s DHCP role - DHCP Server, DHCP Relay or Static. This shows N/A for the Dial Backup port and the WLAN port when you set the wireless card to be part of the DMZ or LAN in the Port Roles screen.
Renew | If you are using Ethernet encapsulation and the WAN port is configured to get the IP address automatically from the ISP, click Renew to release the WAN port’s dynamically assigned IP address and get the IP address afresh. Click Dial to dial up the PPTP, PPPoE or dial backup connection.
Show Statistics | Click Show Statistics to see router performance statistics such as the number of packets sent and number of packets received for each port, including WAN (or WAN1, WAN2), Dial Backup, LAN, WLAN and DMZ.
Show DHCP Table | Click Show DHCP Table to show current DHCP client information.
VPN Status | Click VPN Status to display the active VPN connections.
2.4.2 Bridge Mode
The following screen displays when the ZyWALL is set to bridge mode. While in bridge mode, the ZyWALL cannot get an IP address from a DHCP server. The LAN, WAN, DMZ and WLAN interfaces all have the same (static) IP address and subnet mask. You can configure the ZyWALL's IP address in order to access the ZyWALL for management. If you connect your computer directly to the ZyWALL, you also need to assign your computer a static IP address in the same subnet as the ZyWALL's IP address in order to access the ZyWALL.
The ZyWALL bridges traffic traveling between the ZyWALL's interfaces.
You can use the firewall in bridge mode (refer to the firewall chapters for details on configuring the firewall).
Figure 10 Web Configurator HOME Screen in Bridge Mode
The following table describes the labels in this screen.
Table 4 Web Configurator HOME Screen in Bridge Mode
LABEL | DESCRIPTION
Wizards for VPN Quick Setup
VPN | Click VPN to create VPN policies.
Device Information
System Name | This is the System Name you enter in the MAINTENANCE General screen. It is for identification purposes.
Firmware Version | This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design.
Device Mode | This displays whether the ZyWALL is functioning as a router or a bridge.
Firewall | This displays whether or not the ZyWALL’s firewall is activated.
System Time | This field displays your ZyWALL’s present date and time along with the difference from the Greenwich Mean Time (GMT) zone. The difference from GMT is based on the time zone. It is also adjusted for Daylight Saving Time if you set the ZyWALL to use it.
Memory | The first number shows how many kilobytes of the heap memory the ZyWALL is using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running processes like NAT, VPN and the firewall. The second number shows the ZyWALL's total heap memory (in kilobytes). The bar displays what percent of the ZyWALL's heap memory is in use. The bar turns from green to red when the maximum is being approached.
Sessions | The first number shows how many sessions are currently open on the ZyWALL. This includes all sessions that are currently traversing the ZyWALL, terminating at the ZyWALL or initiated from the ZyWALL. The second number is the maximum number of sessions that can be open at one time. The bar displays what percent of the maximum number of sessions is in use. The bar turns from green to red when the maximum is being approached.
Network Status
IP Address | This is the IP address of your ZyWALL in dotted decimal notation.
Subnet Mask | This is the IP subnet mask of the ZyWALL.
Gateway IP Address | This is the gateway IP address.
Rapid Spanning Tree Protocol | This shows whether RSTP (Rapid Spanning Tree Protocol) is active or not. The following labels or values relative to RSTP do not apply when RSTP is disabled.
Bridge Priority | This is the bridge priority of the ZyWALL.
Bridge Hello Time | This is the interval of BPDUs (Bridge Protocol Data Units) from the root bridge.
Bridge Max Age | This is the predefined interval that a bridge waits to get a Hello message (BPDU) from the root bridge.
Forward Delay | This is the forward delay interval.
Bridge Port | This is the port type. Port types are: WAN (or WAN1, WAN2), LAN, Wireless Card, DMZ and WLAN Interface.
Port Status | For the WAN, LAN, DMZ, and WLAN Interfaces, this displays the port speed and duplex setting. For the WAN port, it displays Down when the link is not ready or has failed. For the wireless card, it displays the transmission rate when a wireless LAN card is inserted and WLAN is enabled or Down when a wireless LAN card is not inserted or WLAN is disabled.
RSTP Status | This is the RSTP status of the corresponding port.
RSTP Active | This shows whether or not RSTP is active on the corresponding port.
RSTP Priority | This is the RSTP priority of the corresponding port.
RSTP Path Cost | This is the cost of transmitting a frame from the root bridge to the corresponding port.
Show Statistics | Click Show Statistics to see bridge performance statistics such as the number of packets sent and number of packets received for each port, including WAN (or WAN1, WAN2), Dial Backup, LAN, WLAN and DMZ.
VPN Status | Click VPN Status to display the active VPN connections.

2.4.3 Navigation Panel

After you enter the password, use the sub-menus on the navigation panel to configure ZyWALL features.
The following table lists the features available for each device mode. Not all ZyWALLs have all features listed in this table.
Table 5 Bridge and Router Mode Features Comparison
ZyWALL 5/35/70 Series User’s Guide
FEATURE BRIDGE MODE ROUTER MODE
Internet Access Wizard O
VPN Wizard O O
DHCP Table O
System Statistics O O
Registration O O
LAN O
WAN O
DMZ O
Bridge O
WLAN O
Wireless Card O O
Firewall O O
IDP O O
Anti-Virus O O
Anti-Spam O O
Content Filter O O
VPN O O
Certificates O O
Authentication Server O O
NAT O
Static Route O
Policy Route O
Bandwidth Management O O
DNS O
Remote Management O O
UPnP O
ALG O O
Logs O O
Maintenance O O
Table Key: An O in a mode’s column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change.
The following table describes the sub-menus.
Table 6 Screens Summary
LINK TAB FUNCTION
HOME This screen shows the ZyWALL’s general device and network status information. Use this screen to access the wizards, statistics and DHCP table.
REGISTRATION Registration Use this screen to register your ZyWALL and activate the trial service subscriptions.
Service Use this to manage and update the service status and license information.
NETWORK
LAN LAN Use this screen to configure LAN DHCP and TCP/IP settings.
Static DHCP Use this screen to assign fixed IP addresses on the LAN.
IP Alias Use this screen to partition your LAN interface into subnets.
Port Roles (ZyWALL 5 and ZyWALL 35) Use this screen to change the LAN/DMZ/WLAN port roles.
BRIDGE Bridge Use this screen to change the bridge settings on the ZyWALL.
Port Roles Use this screen to change the DMZ/WLAN port roles on the ZyWALL 70 or the LAN/DMZ/WLAN port roles on the ZyWALL 5 or ZyWALL 35.
Table 6 Screens Summary (continued)
LINK TAB FUNCTION
WAN General This screen allows you to configure load balancing, route priority and traffic redirect properties.
Route (ZyWALL 5 only) This screen allows you to configure route priority.
WAN (ZyWALL 5 only) Use this screen to configure the WAN port for Internet access.
WAN1 (ZyWALL 35 and ZyWALL 70) Use this screen to configure the WAN1 port for Internet access.
WAN2 (ZyWALL 35 and ZyWALL 70) Use this screen to configure the WAN2 port for Internet access.
Traffic Redirect Use this screen to configure your traffic redirect properties and parameters.
Dial Backup Use this screen to configure the backup WAN dial-up connection.
DMZ DMZ Use this screen to configure your DMZ connection.
Static DHCP Use this screen to assign fixed IP addresses on the DMZ.
IP Alias Use this screen to partition your DMZ interface into subnets.
Port Roles Use this screen to change the DMZ/WLAN port roles on the ZyWALL 70 or the LAN/DMZ/WLAN port roles on the ZyWALL 5 or ZyWALL 35.
WLAN WLAN Use this screen to configure your WLAN connection.
Static DHCP Use this screen to assign fixed IP addresses on the WLAN.
IP Alias Use this screen to partition your WLAN interface into subnets.
Port Roles Use this screen to change the DMZ/WLAN port roles on the ZyWALL 70 or the LAN/DMZ/WLAN port roles on the ZyWALL 5 or ZyWALL 35.
WIRELESS CARD Wireless Card Use this screen to configure the wireless LAN settings and WLAN authentication/security settings.
MAC Filter Use this screen to change MAC filter settings on the ZyWALL.
SECURITY
FIREWALL Default Rule Use this screen to activate/deactivate the firewall and the direction of network traffic to which to apply the rule.
Rule Summary This screen shows a summary of the firewall rules, and allows you to edit/add a firewall rule.
Anti-Probing Use this screen to change your anti-probing settings.
Threshold Use this screen to configure the threshold for DoS attacks.
Table 6 Screens Summary (continued)
LINK TAB FUNCTION
IDP General Use this screen to enable IDP on the ZyWALL and choose what interface(s) you want to protect from intrusions.
Signature Use these screens to view signatures by attack type or search for signatures by signature name, ID, severity, target operating system, action etc. You can also configure signature actions here.
Update Use this screen to download new signatures. It is important to do this as new intrusions evolve.
Backup & Restore Use this screen to back up, restore or revert to the default signatures’ actions.
ANTI-VIRUS General Use this screen to activate AV scanning on the interface(s) and specify actions when a virus is detected.
Update Use this screen to view the version number of the current signatures and configure the signature update schedule.
ANTI-SPAM General Use this screen to turn the anti-spam feature on or off and set how the ZyWALL treats spam.
External DB Use this screen to enable or disable the use of the anti-spam external database.
Customization Use this screen to configure the whitelist to identify legitimate e-mail and configure the blacklist to identify spam e-mail.
CONTENT FILTER General This screen allows you to enable content filtering and block certain web features.
Categories Use this screen to select which categories of web pages to filter out, as well as to register for external database content filtering and view reports.
Customization Use this screen to customize the content filter list.
Cache Use this screen to view and configure the ZyWALL’s URL caching.
VPN VPN Rules (IKE) Use this screen to configure VPN connections using IKE key management and view the rule summary.
VPN Rules (Manual) Use this screen to configure VPN connections using manual key management and view the rule summary.
SA Monitor Use this screen to display and manage active VPN connections.
Global Setting Use this screen to configure the IPSec timer settings.
CERTIFICATES My Certificates Use this screen to view a summary list of certificates and manage certificates and certification requests.
Trusted CAs Use this screen to view and manage the list of the trusted CAs.
Trusted Remote Hosts Use this screen to view and manage the certificates belonging to the trusted remote hosts.
Directory Servers Use this screen to view and manage the list of the directory servers.
AUTH SERVER Local User Database Use this screen to configure the local user account(s) on the ZyWALL.
RADIUS Configure this screen to use an external server to authenticate wireless and/or VPN users.
ADVANCED
Table 6 Screens Summary (continued)
LINK TAB FUNCTION
NAT NAT Overview Use this screen to enable NAT.
Address Mapping Use this screen to configure network address translation mapping rules.
Port Forwarding Use this screen to configure servers behind the ZyWALL.
Port Triggering Use this screen to change your ZyWALL’s port triggering settings.
STATIC ROUTE IP Static Route Use this screen to configure IP static routes.
POLICY ROUTE Policy Route Summary Use this screen to view a summary list of all the policies and configure policies for use in IP policy routing.
BW MGMT Summary Use this screen to enable bandwidth management on an interface.
Class Setup Use this screen to set up the bandwidth classes.
Monitor Use this screen to view the ZyWALL’s bandwidth usage and allotments.
DNS System Use this screen to configure the address and name server records.
Cache Use this screen to configure the DNS resolution cache.
DHCP Use this screen to configure LAN/DMZ/WLAN DNS information.
DDNS Use this screen to set up dynamic DNS.
REMOTE MGMT WWW Use this screen to configure through which interface(s) and from which IP address(es) users can use HTTPS or HTTP to manage the ZyWALL.
SSH Use this screen to configure through which interface(s) and from which IP address(es) users can use Secure Shell to manage the ZyWALL.
TELNET Use this screen to configure through which interface(s) and from which IP address(es) users can use Telnet to manage the ZyWALL.
FTP Use this screen to configure through which interface(s) and from which IP address(es) users can use FTP to access the ZyWALL.
SNMP Use this screen to configure your ZyWALL’s settings for Simple Network Management Protocol management.
DNS Use this screen to configure through which interface(s) and from which IP address(es) users can send DNS queries to the ZyWALL.
CNM Use this screen to configure and allow your ZyWALL to be managed by the Vantage CNM server.
UPnP UPnP Use this screen to enable UPnP on the ZyWALL.
Ports Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL.
ALG ALG Use this screen to allow certain applications to pass through the ZyWALL.
LOGS View Log Use this screen to view the logs for the categories that you selected.
Log Settings Use this screen to change your ZyWALL’s log settings.
Reports Use this screen to have the ZyWALL record and display the network usage reports.
Table 6 Screens Summary (continued)
LINK TAB FUNCTION
MAINTENANCE General This screen contains administrative.
Password Use this screen to change your password.
Time and Date Use this screen to change your ZyWALL’s time and date.
Device Mode Use this screen to configure and have your ZyWALL work as a router or a bridge.
F/W Upload Use this screen to upload firmware to your ZyWALL.
Backup & Restore Use this screen to back up and restore the configuration or reset the factory defaults to your ZyWALL.
Restart This screen allows you to reboot the ZyWALL without turning the power off.
LOGOUT Click this label to exit the web configurator.
2.4.4 System Statistics
Click Show Statistics in the HOME screen. Read-only information here includes port status and packet specific statistics. Also provided is "Up Time" and "poll interval(s)". The Poll Interval(s) field is configurable. Not all fields are available on all models.
Figure 11 Home : Show Statistics
The following table describes the labels in this screen.
Table 7 Home: Show Statistics
LABEL DESCRIPTION
Click the icon to display the chart of throughput statistics.
Port These are the ZyWALL’s interfaces.
Table 7 Home: Show Statistics (continued)
LABEL DESCRIPTION
Status For the LAN and DMZ ports, this displays the port speed and duplex setting.
For the WAN and Dial Backup ports, this displays the port speed and duplex setting if you’re using Ethernet encapsulation and Down (line is down), Idle (line (ppp) idle), Dial (starting to trigger a call) or Drop (dropping a call) if you’re using PPPoE encapsulation.
For the WLAN port, it displays the transmission rate when a wireless LAN card is inserted and WLAN is enabled or Down when a wireless LAN is not inserted or WLAN is disabled.
TxPkts This is the number of transmitted packets on this port.
RxPkts This is the number of received packets on this port.
Tx B/s This displays the transmission speed in bytes per second on this port.
Rx B/s This displays the reception speed in bytes per second on this port.
Up Time This is the total amount of time the line has been up.
System Up Time This is the total time the ZyWALL has been on.
Poll Interval(s) Enter the time interval for refreshing statistics in this field.
Set Interval Click this button to apply the new poll interval you entered in the Poll Interval(s) field.
Stop Click Stop to stop refreshing statistics.
2.4.5 Show Statistics: Line Chart
Click the icon in the Show Statistics screen. This screen shows you the line chart of each port’s throughput statistics.
Figure 12 Home : Show Statistics: Line Chart
The following table describes the labels in this screen.
Table 8 Home: Show Statistics: Line Chart
LABEL DESCRIPTION
Click the icon to go back to the Show Statistics screen.
Port Select the check box(es) to display the throughput statistics of the corresponding port(s).
B/s Specify the direction of the traffic for which you want to show throughput statistics in this table. Select Tx to display transmitted traffic throughput statistics and the amount of traffic (in bytes). Select Rx to display received traffic throughput statistics and the amount of traffic (in bytes).
Throughput Range Set the range of the throughput (in B/s, KB/s or MB/s) to display. Click Set Range to save this setting back to the ZyWALL.
2.4.6 DHCP Table Screen
DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyWALL as a DHCP server or disable it. When configured as a server, the ZyWALL provides the TCP/IP configuration for the clients. If DHCP service is disabled, you must have another DHCP server on your LAN, or else the computer must be manually configured.
Click Show DHCP Table in the HOME screen when the ZyWALL is set to router mode. Read-only information here relates to your DHCP status. The DHCP table shows current DHCP client information (including IP Address, Host Name and MAC Address) of all network clients using the ZyWALL’s DHCP server.
Figure 13 Home : DHCP Table
The following table describes the labels in this screen.
Table 9 Home: DHCP Table
LABEL DESCRIPTION
Interface Select LAN, DMZ or WLAN to show the current DHCP client information for the specified interface.
# This is the index number of the host computer.
IP Address This field displays the IP address relative to the # field listed above.
Host Name This field displays the computer host name.
MAC Address The MAC (Media Access Control) or Ethernet address on a LAN (Local Area Network) is unique to your computer (six pairs of hexadecimal notation). A network interface card such as an Ethernet adapter has a hardwired address that is assigned at the factory. This address follows an industry standard that ensures no other adapter has a similar address.
Reserve Select the check box in the heading row to automatically select all check boxes or select the check box(es) in each entry to have the ZyWALL always assign the selected entry(ies)’s IP address(es) to the corresponding MAC address(es) (and host name(s)). You can select up to 128 entries in this table. After you click Apply, the MAC address and IP address also display in the LAN Static DHCP screen (where you can edit them).
Refresh Click Refresh to reload the DHCP table.
2.4.7 VPN Status
Click VPN Status in the HOME screen when the ZyWALL is set to router mode. Read-only information here includes encapsulation mode and security protocol. The Poll Interval(s) field is configurable.
Figure 14 Home : VPN Status
The following table describes the labels in this screen.
Table 10 Home : VPN Status
LABEL DESCRIPTION
# This is the security association index number.
Name This field displays the identification name for this VPN policy.
Local Network This field displays the IP address of the computer using the VPN IPSec feature of your ZyWALL.
Remote Network This field displays the IP address (in a range) of computers on the remote network behind the remote IPSec router.
Encapsulation This field displays Tunnel or Transport mode.
IPSec Algorithm This field displays the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
Poll Interval(s) Enter the time interval for refreshing statistics in this field.
Set Interval Click this button to apply the new poll interval you entered in the Poll Interval(s) field.
Stop Click Stop to stop refreshing statistics.
83 Chapter 2 Introducing the Web Configurator
Page 84
This chapter provides information on the Wizard Setup screens in the web configurator. The Internet access wizard is only applicable when the ZyWALL is in router mode.

3.1 Wizard Setup Overview

The web configurator's setup wizards help you configure WAN1 on a ZyWALL with multiple WAN ports or the WAN port on a ZyWALL with a single WAN port to access the Internet and edit VPN policies and configure IKE settings to establish a VPN tunnel.
3.2 Internet Access
ZyWALL 5/35/70 Series User’s Guide
CHAPTER 3

Wizard Setup

The Internet access wizard screen has three variations depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information.

3.2.1 ISP Parameters

The ZyWALL offers three choices of encapsulation. They are Ethernet, PPTP or PPPoE.
The wizard screen varies according to the type of encapsulation that you select in the Encapsulation field.
3.2.1.1 Ethernet
Choose Ethernet when the WAN port is used as a regular Ethernet connection.
For ISPs (such as Telstra) that send UDP heartbeat packets to verify that the customer is still online, please create a WAN-to-WAN/ZyWALL firewall rule for those packets. Contact your ISP to find the correct port number.
Figure 15 ISP Parameters : Ethernet Encapsulation
The following table describes the labels in this screen.
Table 11 ISP Parameters : Ethernet Encapsulation
LABEL DESCRIPTION
ISP Parameters for Internet Access
Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection.
WAN IP Address Assignment
IP Address Assignment Select Dynamic if your ISP did not assign you a fixed IP address. This is the default selection. Select Static if the ISP assigned a fixed IP address. The fields below are available only when you select Static.
My WAN IP Address Enter your WAN IP address in this field.
My WAN IP Subnet Mask Enter the IP subnet mask in this field.
Gateway IP Address Enter the gateway IP address in this field.
First DNS Server / Second DNS Server Enter the DNS server's IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
Apply Click Apply to save your changes and go to the next screen.
3.2.1.2 PPPoE Encapsulation
Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an IETF (Internet Engineering Task Force) standard specifying how a host personal computer interacts with a broadband modem (for example xDSL, cable, wireless, etc.) to achieve access to high-speed data networks.
Figure 16 ISP Parameters : PPPoE Encapsulation
The following table describes the labels in this screen.
Table 12 ISP Parameters: PPPoE Encapsulation
LABEL DESCRIPTION
ISP Parameters for Internet Access
Encapsulation Choose an encapsulation method from the pull-down list box. PPP over Ethernet forms a dial-up connection.
Service Name Type the name of your service provider.
User Name Type the user name given to you by your ISP.
Password Type the password associated with the user name above.
Retype to Confirm Type your password again for confirmation.
Nailed-Up Select Nailed-Up if you do not want the connection to time out.
Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server. The default time is 100 seconds.
WAN IP Address Assignment
IP Address Assignment Select Dynamic if your ISP did not assign you a fixed IP address. This is the default selection. Select Static if the ISP assigned a fixed IP address. The fields below are available only when you select Static.
My WAN IP Address Enter your WAN IP address in this field.
First DNS Server / Second DNS Server Enter the DNS server's IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
Apply Click Apply to save your changes and go to the next screen.
3.2.1.3 PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables transfers of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
PPTP supports on-demand, multi-protocol, and virtual private networking over public networks, such as the Internet.
Refer to Appendix G on page 704 for more information on PPTP.
Note: The ZyWALL supports one PPTP server connection at any given time.
Figure 17 ISP Parameters: PPTP Encapsulation
The following table describes the labels in this screen.
Table 13 ISP Parameters : PPTP Encapsulation
LABEL DESCRIPTION
ISP Parameters for Internet Access
Encapsulation Select PPTP from the drop-down list box. To configure a PPTP client, you must configure the User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
User Name Type the user name given to you by your ISP.
Password Type the password associated with the User Name above.
Retype to Confirm Type your password again for confirmation.
Nailed-Up Select Nailed-Up if you do not want the connection to time out.
Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPTP server.
PPTP Configuration
My IP Address Type the (static) IP address assigned to you by your ISP.
My IP Subnet Mask Type the subnet mask assigned to you by your ISP (if given).
Server IP Address Type the IP address of the PPTP server.
Connection ID/Name Enter the connection ID or connection name in this field. It must follow the "c:id" and "n:name" format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your xDSL modem.
WAN IP Address Assignment
IP Address Assignment Select Dynamic if your ISP did not assign you a fixed IP address. This is the default selection. Select Static if the ISP assigned a fixed IP address. The fields below are available only when you select Static.
My WAN IP Address Enter your WAN IP address in this field.
First DNS Server / Second DNS Server Enter the DNS server's IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
Apply Click Apply to save your changes and go to the next screen.
3.2.2 Internet Access Wizard: Second Screen
Click Next to go to the screen where you can register your ZyWALL and activate the free content filtering, anti-spam, anti-virus and IDP trial applications. Otherwise, click Skip to display the congratulations screen and click Close to complete the Internet access setup.
Note: Make sure you have installed the ZyWALL Turbo Card before you activate the IDP and anti-virus subscription services.
Turn the ZyWALL off before you install or remove the ZyWALL Turbo Card.
Figure 18 Internet Access Wizard: Second Screen
Figure 19 Internet Access Setup Complete
3.2.3 Internet Access Wizard: Registration
If you clicked Next in the previous screen (see Figure 18 on page 89), the following screen displays.
Note: If you want to activate a standard service with your iCard’s PIN number (license key), use the REGISTRATION Service screen.
Figure 20 Internet Access Wizard: Registration
The following table describes the labels in this screen.
Table 14 Internet Access Wizard: Registration
LABEL DESCRIPTION
Device Registration If you select Existing myZyXEL.com account, only the User Name and Password fields are available.
New myZyXEL.com account If you haven’t created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL.
Existing myZyXEL.com account If you already have an account at myZyXEL.com, select this option and enter your user name and password in the fields below to register your ZyWALL.
User Name Enter a user name for your myZyXEL.com account. The name should be from six to 20 alphanumeric characters (and the underscore). Spaces are not allowed.
Check Click this button to check with the myZyXEL.com database to verify the user name you entered has not been used.
Password Enter a password of between six and 20 alphanumeric characters (and the underscore). Spaces are not allowed.
Confirm Password Enter the password again for confirmation.
E-Mail Address Enter your e-mail address. You can use up to 80 alphanumeric characters (periods and the underscore are also allowed) without spaces.
Country Select your country from the drop-down box list.
Back Click Back to return to the previous screen.
Next Click Next to continue.
After you fill in the fields and click Next, the following screen appears, indicating that the registration is in progress. Wait for the registration to finish.
Figure 21 Internet Access Wizard: Registration in Progress
Click Close to leave the wizard screen when the registration and activation are done.
Figure 22 Internet Access Wizard: Status
The following screen appears if the registration was not successful. Click Return to go back to the Device Registration screen and check your settings.
Figure 23 Internet Access Wizard: Registration Failed
If the ZyWALL has been registered, the Device Registration screen is read-only and the Service Activation screen appears indicating what trial applications are activated after you click Next.
Figure 24 Internet Access Wizard: Registered Device
Figure 25 Internet Access Wizard: Activated Services
3.3 VPN Wizard Gateway Setting
Use the VPN wizard screens to configure a VPN rule that uses a pre-shared key. If you want to set the rule to use a certificate, please go to the VPN screens for configuration.
Click VPN Wizard in the HOME screen to open the VPN configuration wizard. The first screen displays as shown next.
Figure 26 VPN Wizard: Gateway Setting
The following table describes the labels in this screen.
Table 15 VPN Wizard: Gateway Setting
LABEL DESCRIPTION
Gateway Policy Property
Name Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
My ZyWALL When the ZyWALL is in router mode, enter the WAN IP address or the domain name of your ZyWALL or leave the field set to 0.0.0.0.
For a ZyWALL with multiple WAN ports, the following applies if the My ZyWALL field is configured as 0.0.0.0:
When the WAN port operation mode is set to Active/Passive, the ZyWALL uses the IP address (static or dynamic) of the WAN port that is in use.
When the WAN port operation mode is set to Active/Active, the ZyWALL uses the IP address (static or dynamic) of the primary (highest priority) WAN port to set up the VPN tunnel as long as the corresponding WAN1 or WAN2 connection is up. If the corresponding WAN1 or WAN2 connection goes down, the ZyWALL uses the IP address of the other WAN port.
If both WAN connections go down, the ZyWALL uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP address when using traffic redirect. See the chapter on WAN for details on dial backup and traffic redirect.
A ZyWALL with a single WAN port uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. If the WAN connection goes down, the ZyWALL uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP address when using traffic redirect.
The VPN tunnel has to be rebuilt if this IP address changes.
When the ZyWALL is in bridge mode, this field is read-only and displays the ZyWALL’s IP address.
Remote Gateway Address Enter the WAN IP address or domain name of the remote IPSec router (secure gateway) in the field below to identify the remote IPSec router by its IP address or a domain name. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address.
Next Click Next to continue.
3.4 VPN Wizard Network Setting
Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
Figure 27 VPN Wizard: Network Setting
The following table describes the labels in this screen.
Table 16 VPN Wizard : Network Setting
LABEL DESCRIPTION
Network Policy Property
Active If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel. Clear the Active check box to turn the network policy off. The ZyWALL does not apply the policy. Packets for the tunnel do not trigger the tunnel.
Name Type up to 32 characters to identify this VPN network policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
Network Policy Setting
Local Network Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Select Single for a single IP address. Select Range IP for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
Starting IP Address When the Local Network field is configured to Single, enter a (static) IP address on the LAN behind your ZyWALL. When the Local Network field is configured to Range IP, enter the beginning (static) IP address in a range of computers on the LAN behind your ZyWALL. When the Local Network field is configured to Subnet, this is a (static) IP address on the LAN behind your ZyWALL.
Ending IP Address/Subnet Mask When the Local Network field is configured to Single, this field is N/A. When the Local Network field is configured to Range IP, enter the end (static) IP address in a range of computers on the LAN behind your ZyWALL. When the Local Network field is configured to Subnet, this is a subnet mask on the LAN behind your ZyWALL.
Remote Network Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. Select Single for a single IP address. Select Range IP for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
Starting IP Address When the Remote Network field is configured to Single, enter a (static) IP address on the network behind the remote IPSec router. When the Remote Network field is configured to Range IP, enter the beginning (static) IP address in a range of computers on the network behind the remote IPSec router. When the Remote Network field is configured to Subnet, enter a (static) IP address on the network behind the remote IPSec router.
Ending IP Address/Subnet Mask When the Remote Network field is configured to Single, this field is N/A. When the Remote Network field is configured to Range IP, enter the end (static) IP address in a range of computers on the network behind the remote IPSec router. When the Remote Network field is configured to Subnet, enter a subnet mask on the network behind the remote IPSec router.
Back Click Back to return to the previous screen.
Next Click Next to continue.
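The two rules stated above (each side's Local Network must mirror the peer's Remote Network, and two active SAs may not have both the same local and the same remote addresses, as the paragraph at the start of 3.4 requires) as an added Python example; this is not ZyXEL code, and the NetworkSelector/NetworkPolicy names and the sample addresses are constructed for illustration:

```python
# Added example (not ZyXEL code): models the Local/Remote Network selectors of
# the VPN wizard and checks the SA rules the manual states for them.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int]  # inclusive (first, last) IPv4 addresses as integers


@dataclass(frozen=True)
class NetworkSelector:
    """One side of a network policy: the Local Network or Remote Network
    choice plus its Starting IP Address and Ending IP Address/Subnet Mask."""
    kind: str                          # "Single", "Range IP" or "Subnet"
    start: str                         # Starting IP Address (a static address)
    end_or_mask: Optional[str] = None  # ending IP (Range IP), mask (Subnet), N/A (Single)

    def to_range(self) -> Range:
        """Normalise the selector to the inclusive address range it covers, so
        that two selectors entered differently but covering the same hosts
        (e.g. one /24 entered with two different host addresses) compare equal."""
        first = int(ipaddress.IPv4Address(self.start))
        if self.kind == "Single":
            if self.end_or_mask is not None:
                raise ValueError("Ending IP Address/Subnet Mask is N/A for Single")
            return first, first
        if self.kind == "Range IP":
            last = int(ipaddress.IPv4Address(self.end_or_mask))
            if last < first:
                raise ValueError("Ending IP Address precedes Starting IP Address")
            return first, last
        if self.kind == "Subnet":
            # (address, netmask) tuple form; strict=False tolerates a host address
            net = ipaddress.IPv4Network((self.start, self.end_or_mask), strict=False)
            return int(net.network_address), int(net.broadcast_address)
        raise ValueError(f"unknown selector kind {self.kind!r}")


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    active: bool
    local: NetworkSelector
    remote: NetworkSelector


def active_sa_conflicts(policies: List[NetworkPolicy]) -> List[Tuple[str, str]]:
    """Apply the rule from 3.4: two *active* SAs may not have both the same
    local and the same remote addresses. Sharing only one side is allowed,
    and duplicates are allowed as long as at most one of them is active.
    Returns (earlier policy, later policy) name pairs that break the rule."""
    first_seen: Dict[Tuple[Range, Range], str] = {}
    conflicts: List[Tuple[str, str]] = []
    for policy in policies:
        if not policy.active:
            continue
        key = (policy.local.to_range(), policy.remote.to_range())
        if key in first_seen:
            conflicts.append((first_seen[key], policy.name))
        else:
            first_seen[key] = policy.name
    return conflicts


def policies_mirror(ours: NetworkPolicy, theirs: NetworkPolicy) -> bool:
    """Table 16: our local addresses must equal the remote IPSec router's
    configured remote addresses, and our remote addresses its local ones."""
    return (ours.local.to_range() == theirs.remote.to_range()
            and ours.remote.to_range() == theirs.local.to_range())


def example_policies() -> List[NetworkPolicy]:
    """Constructed sample policies (not from the manual) exercising the rule."""
    hq = NetworkSelector("Subnet", "192.168.1.1", "255.255.255.0")
    branch = NetworkSelector("Subnet", "10.0.0.1", "255.255.255.0")
    return [
        NetworkPolicy("HQ-to-Branch", True, hq, branch),
        # Same local, different remote: permitted.
        NetworkPolicy("HQ-to-Server", True, hq, NetworkSelector("Single", "10.0.1.5")),
        # Same subnets entered with other host addresses: still a clash.
        NetworkPolicy("Duplicate-active", True,
                      NetworkSelector("Subnet", "192.168.1.10", "255.255.255.0"),
                      NetworkSelector("Subnet", "10.0.0.200", "255.255.255.0")),
        # Identical selectors but inactive: permitted.
        NetworkPolicy("Duplicate-inactive", False, hq, branch),
    ]


if __name__ == "__main__":
    for earlier, later in active_sa_conflicts(example_policies()):
        print(f"active SA {later!r} duplicates {earlier!r}: deactivate one of them")
```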
3.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1)
Figure 28 VPN Wizard: IKE Tunnel Setting
The following table describes the labels in this screen.
Table 17 VPN Wizard: IKE Tunnel Setting
LABEL DESCRIPTION
Negotiation Mode Select Main Mode for identity protection. Select Aggressive Mode to let remote peers with dynamic IP addresses connect, each identified by its ID payload and using its own pre-shared key. Aggressive Mode sends the identities unencrypted and lets an eavesdropper capture material for offline guessing of the pre-shared key, so use Main Mode whenever the remote gateway address is static.
Note: Multiple SAs (security associations) connecting through a secure gateway must have the same negotiation mode.
Encryption Algorithm When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that applies DES three times with three 56-bit keys (168 bits in total). As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is both stronger and faster than 3DES.
Authentication Algorithm MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
Key Group You must choose a key group for phase 1 IKE setup. DH1 (default) refers to Diffie-Hellman Group 1, which uses a 768-bit modulus. DH2 refers to Diffie-Hellman Group 2, which uses a 1024-bit modulus (more secure, yet slower).
SA Life Time (Seconds) Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 180 seconds.
A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Pre-Shared Key Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with the other party before you can communicate with them over a secure connection.
Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key with "0x" (zero x), which is not counted as part of the 16 to 62 character range for the key. For example, in "0x0123456789ABCDEF", 0x denotes that the key is hexadecimal and 0123456789ABCDEF is the key itself.
Both ends of the VPN tunnel must use the same pre-shared key. You will receive a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is not used on both ends.
Back Click Back to return to the previous screen.
Next Click Next to continue.
3.6 VPN Wizard IPSec Setting (IKE Phase 2)
Figure 29 VPN Wizard: IPSec Setting
The following table describes the labels in this screen.
Table 18 VPN Wizard: IPSec Setting
LABEL DESCRIPTION
Encapsulation Mode Tunnel is compatible with NAT, Transport is not.
Tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel mode is required for gateway services to provide access to internal systems. Tunnel mode is fundamentally an IP tunnel with authentication and encryption. Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
IPSec Protocol Select the security protocol used for an SA. AH authenticates the packet but does not encrypt it; ESP can both encrypt and authenticate.
Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
Encryption Algorithm When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that applies DES three times with three 56-bit keys (168 bits in total). As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is both stronger and faster than 3DES. Select NULL to set up a tunnel without encryption; the payload is then sent in the clear and only authenticated. When you select NULL, you do not enter an encryption key.
Authentication Algorithm MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
SA Life Time (Seconds) Define the length of time before an IPSec SA automatically renegotiates in this field. The minimum value is 180 seconds.
A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Perfect Forward Secret (PFS) Perfect Forward Secrecy (PFS) is disabled (None) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but the phase 2 keys are then derived from the phase 1 keying material, so an attacker who recovers the phase 1 key can also recover the phase 2 keys.
Select DH1 or DH2 to enable PFS, which performs a fresh Diffie-Hellman exchange for each phase 2 SA. DH1 refers to Diffie-Hellman Group 1, which uses a 768-bit modulus. DH2 refers to Diffie-Hellman Group 2, which uses a 1024-bit modulus (more secure, yet slower).
Back Click Back to return to the previous screen.
Next Click Next to continue.
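Tables 17 and 18 list the choices the wizard accepts for IKE phase 1 and IPSec phase 2, and Table 17 gives the exact format rules for the pre-shared key. The script below is an added example, not code from ZyXEL or this guide. It checks a pre-shared key against those length and character rules, and then scores a pair of phase 1 and phase 2 settings, flagging Aggressive Mode, DES, NULL encryption, MD5, DH1, an SA Life Time below the 180 second minimum, and disabled PFS. The dictionary keys (negotiation_mode, encryption, authentication, key_group, sa_life, pfs) and the sample settings are constructed for the example; the assumption that ASCII keys contain only printable characters is mine, since the manual says only "ASCII".

```python
"""Added example (not ZyXEL code): check the VPN wizard's pre-shared key
format and its IKE phase 1 / IPSec phase 2 settings."""
from typing import Dict, List

HEX_DIGITS = set("0123456789ABCDEF")      # Table 17: "0-9", "A-F"


def classify_pre_shared_key(key: str) -> str:
    """Return "ascii" or "hex" for a key the wizard accepts, otherwise
    "invalid: <reason>".  Rules follow Table 17: 8 to 31 ASCII characters,
    or "0x" plus 16 to 62 hexadecimal digits, the "0x" not being counted."""
    if key.startswith("0x"):
        digits = key[2:]
        if not 16 <= len(digits) <= 62:
            return "invalid: hexadecimal key needs 16 to 62 digits after 0x"
        if not set(digits) <= HEX_DIGITS:
            return "invalid: hexadecimal key may only use 0-9 and A-F"
        return "hex"
    if not 8 <= len(key) <= 31:
        return "invalid: ASCII key needs 8 to 31 characters"
    # Assumption: printable ASCII only; the manual just says "ASCII".
    if not all(32 <= ord(c) < 127 for c in key):
        return "invalid: ASCII key may only use printable ASCII characters"
    return "ascii"


def assess_proposals(phase1: Dict[str, object], phase2: Dict[str, object]) -> List[str]:
    """Flag settings from Tables 17 and 18 that weaken the tunnel.
    phase1 keys: negotiation_mode, encryption, authentication, key_group, sa_life.
    phase2 keys: encryption, authentication, sa_life, pfs.  (Key names are
    this example's own, not the wizard's.)"""
    findings = []
    if phase1["negotiation_mode"] == "Aggressive Mode":
        findings.append("phase 1: Aggressive Mode sends identities in the clear and "
                        "exposes the pre-shared key to offline guessing")
    for phase, s in (("phase 1", phase1), ("phase 2", phase2)):
        if s["encryption"] == "DES":
            findings.append(f"{phase}: DES uses a 56-bit key; choose 3DES or AES")
        elif s["encryption"] == "NULL":
            findings.append(f"{phase}: NULL encryption sends the payload in the clear")
        if s["authentication"] == "MD5":
            findings.append(f"{phase}: MD5 gives minimal integrity protection; choose SHA1")
        if s["sa_life"] < 180:
            findings.append(f"{phase}: SA Life Time is below the 180 second minimum")
    if phase1["key_group"] == "DH1":
        findings.append("phase 1: DH1 (768-bit group) is weak; choose DH2")
    if phase2["pfs"] == "None":
        findings.append("phase 2: PFS is off, so the phase 2 keys are derived from the "
                        "phase 1 keying material and fall with it")
    elif phase2["pfs"] == "DH1":
        findings.append("phase 2: PFS uses the weak DH1 group; choose DH2")
    return findings


# Constructed settings (not from the manual): the weakest choices the wizard
# offers, and a stronger set.
WEAK_PHASE1 = {"negotiation_mode": "Aggressive Mode", "encryption": "DES",
               "authentication": "MD5", "key_group": "DH1", "sa_life": 28800}
WEAK_PHASE2 = {"encryption": "NULL", "authentication": "MD5",
               "sa_life": 3600, "pfs": "None"}
STRONG_PHASE1 = {"negotiation_mode": "Main Mode", "encryption": "AES",
                 "authentication": "SHA1", "key_group": "DH2", "sa_life": 28800}
STRONG_PHASE2 = {"encryption": "AES", "authentication": "SHA1",
                 "sa_life": 3600, "pfs": "DH2"}

if __name__ == "__main__":
    print(classify_pre_shared_key("0x0123456789ABCDEF"))   # hex
    for line in assess_proposals(WEAK_PHASE1, WEAK_PHASE2):
        print(line)
    print(assess_proposals(STRONG_PHASE1, STRONG_PHASE2))   # []
```

Run it against the values you intend to type into the wizard on both gateways; a key that the function rejects will also be rejected, or truncated, by the device, and a non-empty findings list for the strong configuration means a setting was copied from the defaults rather than chosen.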
3.7 VPN Wizard Status Summary
This read-only screen shows the status of the current VPN setting. Use the summary table to check whether what you have configured is correct.
Figure 30 VPN Wizard: VPN Status
The following table describes the labels in this screen.
Table 19 VPN Wizard: VPN Status
LABEL DESCRIPTION
Gateway Policy Property
Name This is the name of this VPN gateway policy.
Gateway Policy Setting
My ZyWALL This is the WAN IP address or the domain name of your ZyWALL in router mode, or the ZyWALL's IP address in bridge mode.
Remote Gateway Address This is the IP address or the domain name used to identify the remote IPSec router.
Network Policy Property
Active This displays whether this VPN network policy is enabled or not.