ZyXEL Communications ZyWALL 2 Plus User Manual

ZyWALL 2 Plus
Internet Security Appliance

User’s Guide

Version 4.03 12/2007 Edition 1
www.zyxel.com
About This User's Guide
Intended Audience
This manual is intended for people who want to configure the ZyWALL using the web configurator or System Management Terminal (SMT). You should have at least a basic knowledge of TCP/IP networking concepts and topology.
Related Documentation
• Quick Start Guide: The Quick Start Guide is designed to help you get up and running right away. It contains information on setting up your network and configuring for Internet access.
• Web Configurator Online Help: Embedded web help for descriptions of individual screens and supplementary information.
Note: It is recommended you use the web configurator to configure the ZyWALL.
• Supporting Disk: Refer to the included CD for support documents.
• ZyXEL Web Site: Please refer to www.zyxel.com for additional support documentation and product certifications.
User Guide Feedback
Help us help you. Send all User Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead. Thank you!
The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan.
E-mail: techwriters@zyxel.com.tw
ZyWALL 2 Plus User’s Guide
3

Document Conventions
Warnings and Notes
These are how warnings and notes are shown in this User’s Guide.
Warning: Warnings tell you about things that could harm you or your device.
Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
Syntax Conventions
• The ZyWALL 2 Plus may be referred to as the “ZyWALL”, the “device” or the “system” in this User’s Guide.
• Product labels, screen names, field labels and field choices are all in bold font.
• A key stroke is denoted by square brackets and uppercase text, for example, [ENTER] means the “enter” or “return” key on your keyboard.
• “Enter” means for you to type one or more characters and then press the [ENTER] key. “Select” or “choose” means for you to use one of the predefined choices.
• A right angle bracket ( > ) within a screen name denotes a mouse click. For example, Maintenance > Log > Log Setting means you first click Maintenance in the navigation panel, then the Log sub menu and finally the Log Setting tab to get to that screen.
• Units of measurement may denote the “metric” value or the “scientific” value. For example, “k” for kilo may denote “1000” or “1024”, “M” for mega may denote “1000000” or “1048576” and so on.
• “e.g.,” is a shorthand for “for instance”, and “i.e.,” means “that is” or “in other words”.
Icons Used in Figures
Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device.
Icons shown: ZyWALL, Computer, Notebook computer, Server, DSLAM, Firewall, Telephone, Switch, Router.

Safety Warnings
Warning: For your safety, be sure to read and follow all warning notices and instructions.
• Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
• Do NOT expose your device to dampness, dust or corrosive liquids.
• Do NOT store things on the device.
• Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.
• Connect ONLY suitable accessories to the device.
• Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel should service or disassemble this device. Please contact your vendor for further information.
• Make sure to connect the cables to the correct ports.
• Place connecting cables carefully so that no one will step on them or stumble over them.
• Always disconnect all cables from this device before servicing or disassembling.
• Use ONLY an appropriate power adaptor or cord for your device.
• Connect the power adaptor or cord to the right supply voltage (for example, 110V AC in North America or 230V AC in Europe).
• Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord.
• Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution.
• If the power adaptor or cord is damaged, remove it from the power outlet.
• Do NOT attempt to repair the power adaptor or cord. Contact your local vendor to order a new one.
• Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning.
This product is recyclable. Dispose of it properly.

Contents Overview
Introduction and Registration ...............................................................................................45
Getting to Know Your ZyWALL .................................................................................................. 47
Introducing the Web Configurator .............................................................................................. 51
Wizard Setup ............................................................................................................................. 69
Tutorials ..................................................................................................................................... 89
Registration ............................................................................................................................. 127
Network ................................................................................................................................. 131
LAN Screens ........................................................................................................................... 133
Bridge Screens ........................................................................................................................ 145
WAN Screens .......................................................................................................................... 151
DMZ Screens ........................................................................................................................... 171
Wireless LAN ........................................................................................................................... 181
Security ................................................................................................................................. 189
Firewall .................................................................................................................................... 191
Content Filtering Screens ........................................................................................................ 223
Content Filtering Reports ......................................................................................................... 245
IPSec VPN ............................................................................................................................... 253
Certificates ............................................................................................................................... 295
Authentication Server .............................................................................................................. 323
Advanced .............................................................................................................................. 329
Network Address Translation (NAT) ........................................................................................ 331
Static Route ............................................................................................................................. 347
Bandwidth Management .......................................................................................................... 351
DNS ......................................................................................................................................... 365
Remote Management ..............................................................................................................377
UPnP ....................................................................................................................................... 399
Custom Application .................................................................................................................. 409
ALG Screen ..............................................................................................................................411
Logs and Maintenance ........................................................................................................ 417
Logs Screens ........................................................................................................................... 419
Maintenance ............................................................................................................................ 447
SMT ....................................................................................................................................... 465
Introducing the SMT ................................................................................................................ 467
SMT Menu 1 - General Setup .................................................................................................. 475
WAN and Dial Backup Setup ................................................................................................... 481
LAN Setup ............................................................................................................................... 491
Internet Access ........................................................................................................................ 497
DMZ Setup .............................................................................................................................. 501
Wireless Setup ........................................................................................................................ 505
Remote Node Setup ................................................................................................................ 509
IP Static Route Setup .............................................................................................................. 519
Network Address Translation (NAT) ........................................................................................ 521
Introducing the ZyWALL Firewall ............................................................................................. 539
Filter Configuration .................................................................................................................. 541
SNMP Configuration ................................................................................................................ 557
System Information & Diagnosis ............................................................................................. 559
Firmware and Configuration File Maintenance ........................................................................ 571
System Maintenance Menus 8 to 10 ....................................................................................... 587
Remote Management ..............................................................................................................595
Call Scheduling ........................................................................................................................ 599
Troubleshooting and Specifications ..................................................................................603
Troubleshooting ....................................................................................................................... 605
Product Specifications ............................................................................................................. 613
Appendices and Index ......................................................................................................... 619

Table of Contents
About This User's Guide ..........................................................................................................3
Document Conventions............................................................................................................4
Safety Warnings........................................................................................................................ 6
Contents Overview ...................................................................................................................7
Table of Contents...................................................................................................................... 9
List of Figures ......................................................................................................................... 27
List of Tables...........................................................................................................................39
Part I: Introduction and Registration ................................................... 45
Chapter 1
Getting to Know Your ZyWALL.............................................................................................. 47
1.1 ZyWALL Internet Security Appliance Overview ................................................................... 47
1.2 Applications for the ZyWALL ............................................................................................... 47
1.2.1 Secure Broadband Internet Access via Cable or DSL Modem .................................. 47
1.2.2 VPN Application ......................................................................................................... 48
1.3 Ways to Manage the ZyWALL ............................................................................................. 48
1.4 Good Habits for Managing the ZyWALL .............................................................................. 49
1.5 LEDs .................................................................................................................................... 49
Chapter 2
Introducing the Web Configurator ........................................................................................51
2.1 Web Configurator Overview ................................................................................................. 51
2.2 Accessing the ZyWALL Web Configurator .......................................................................... 51
2.3 Resetting the ZyWALL ......................................................................................................... 53
2.3.1 Procedure To Use The Reset Button ......................................................................... 53
2.3.2 Uploading a Configuration File Via Console Port ....................................................... 53
2.4 Navigating the ZyWALL Web Configurator .......................................................................... 54
2.4.1 Title Bar ...................................................................................................................... 54
2.4.2 Main Window ..............................................................................................................55
2.4.3 HOME Screen: Router Mode ................................................................................. 55
2.4.4 HOME Screen: Bridge Mode .................................................................................... 57
2.4.5 Navigation Panel ........................................................................................................ 60
2.4.6 Port Statistics ........................................................................................................... 64
2.4.7 DHCP Table Screen ................................................................................................ 65
2.4.8 VPN Status ................................................................................................................. 66
2.4.9 Bandwidth Monitor .................................................................................................... 67
Chapter 3
Wizard Setup ...........................................................................................................................69
3.1 Wizard Setup Overview ...................................................................................................... 69
3.2 Internet Access ................................................................................................................... 70
3.2.1 ISP Parameters .......................................................................................................... 70
3.2.2 Internet Access Wizard: Second Screen .................................................................... 75
3.2.3 Internet Access Wizard: Registration ......................................................................... 76
3.3 VPN Wizard Gateway Setting .............................................................................................. 79
3.4 VPN Wizard Network Setting ............................................................................................... 80
3.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1) ................................................................... 82
3.6 VPN Wizard IPSec Setting (IKE Phase 2) ........................................................................... 83
3.7 VPN Wizard Status Summary .............................................................................................. 85
3.8 VPN Wizard Setup Complete .............................................................................................. 87
Chapter 4
Tutorials ................................................................................................................................... 89
4.1 Security Settings for VPN Traffic ......................................................................................... 89
4.1.1 Firewall Rule for VPN Example .................................................................................. 89
4.1.2 Configuring the VPN Rule .......................................................................................... 90
4.1.3 Configuring the Firewall Rules ................................................................................... 93
4.2 Using NAT with Multiple Public IP Addresses ...................................................................... 97
4.2.1 Example Parameters and Scenario ........................................................................... 97
4.2.2 Configuring the WAN Connection with a Static IP Address ........................................ 98
4.2.3 Public IP Address Mapping ...................................................................................... 101
4.2.4 Forwarding Traffic from the WAN to a Local Computer ............................................ 105
4.2.5 Allow WAN-to-LAN Traffic through the Firewall ........................................................ 107
4.2.6 Testing the Connections ............................................................................................114
4.3 Using NAT with Multiple Game Players ..............................................................................114
4.4 How to Manage the ZyWALL’s Bandwidth ..........................................................................115
4.4.1 Example Parameters and Scenario ..........................................................................115
4.4.2 Configuring Bandwidth Management Rules ..............................................................116
4.5 Configuring Content Filtering ............................................................................................. 120
4.5.1 Enable Content Filtering ........................................................................................... 120
4.5.2 Block Categories of Web Content ............................................................................ 121
4.5.3 Assign Bob’s Computer a Specific IP Address ......................................................... 123
4.5.4 Create a Content Filter Policy for Bob ...................................................................... 123
4.5.5 Set the Content Filter Schedule ............................................................................... 124
4.5.6 Block Categories of Web Content for Bob ............................................................... 125
Chapter 5
Registration........................................................................................................................... 127
5.1 myZyXEL.com overview .................................................................................................... 127
5.1.1 Content Filtering Subscription Service ..................................................................... 127
5.2 Registration ....................................................................................................................... 128
5.3 Service ............................................................................................................................... 129
Part II: Network..................................................................................... 131
Chapter 6
LAN Screens.......................................................................................................................... 133
6.1 LAN, WAN and the ZyWALL .............................................................................................. 133
6.2 IP Address and Subnet Mask ............................................................................................ 133
6.2.1 Private IP Addresses ................................................................................................ 134
6.3 DHCP ................................................................................................................................ 135
6.3.1 IP Pool Setup ........................................................................................................... 135
6.4 RIP Setup .......................................................................................................................... 135
6.5 Multicast ............................................................................................................................ 135
6.6 WINS ................................................................................................................................. 136
6.7 LAN .................................................................................................................................... 136
6.8 LAN Static DHCP ............................................................................................................... 139
6.9 LAN IP Alias .................................................................................................................... 140
6.10 LAN Port Roles ................................................................................................................ 142
Chapter 7
Bridge Screens...................................................................................................................... 145
7.1 Bridge Loop ....................................................................................................................... 145
7.2 Spanning Tree Protocol (STP) ........................................................................................... 146
7.2.1 Rapid STP ................................................................................................................146
7.2.2 STP Terminology ...................................................................................................... 146
7.2.3 How STP Works ....................................................................................................... 146
7.2.4 STP Port States ........................................................................................................ 147
7.3 Bridge ................................................................................................................................ 147
7.4 Bridge Port Roles ............................................................................................................. 149
Chapter 8
WAN Screens......................................................................................................................... 151
8.1 WAN Overview .................................................................................................................. 151
8.2 TCP/IP Priority (Metric) ...................................................................................................... 151
8.3 WAN Route ........................................................................................................................ 151
8.4 WAN IP Address Assignment ............................................................................................ 153
8.5 DNS Server Address Assignment ................................................................................... 153
8.6 WAN MAC Address ........................................................................................................... 154
8.7 WAN ................................................................................................................................ 154
8.7.1 WAN Ethernet Encapsulation ................................................................................... 154
8.7.2 PPPoE Encapsulation .............................................................................................. 157
8.7.3 PPTP Encapsulation ................................................................................................ 160
8.8 Traffic Redirect ................................................................................................................ 163
8.9 Configuring Traffic Redirect ...............................................................................................164
8.10 Configuring Dial Backup .................................................................................................. 165
8.11 Advanced Modem Setup ................................................................................................ 168
8.11.1 AT Command Strings ............................................................................................. 168
8.11.2 DTR Signal ............................................................................................................. 168
8.11.3 Response Strings ................................................................................................... 169
8.12 Configuring Advanced Modem Setup .............................................................................. 169
Chapter 9
DMZ Screens ......................................................................................................................... 171
9.1 DMZ ................................................................................................................................. 171
9.2 Configuring DMZ ............................................................................................................... 171
9.3 DMZ Static DHCP ............................................................................................................ 174
9.4 DMZ IP Alias .................................................................................................................... 175
9.5 DMZ Public IP Address Example ...................................................................................... 177
9.6 DMZ Private and Public IP Address Example ................................................................... 177
9.7 DMZ Port Roles ............................................................................................................... 178
Chapter 10
Wireless LAN.........................................................................................................................181
10.1 Wireless LAN Introduction ............................................................................................... 181
10.2 Configuring WLAN ......................................................................................................... 181
10.3 WLAN Static DHCP ....................................................................................................... 184
10.4 WLAN IP Alias ............................................................................................................... 185
10.5 WLAN Port Roles ........................................................................................................... 187
Part III: Security.................................................................................... 189
Chapter 11
Firewall................................................................................................................................... 191
11.1 Firewall Overview ............................................................................................................ 191
11.2 Packet Direction Matrix .................................................................................................... 192
11.3 Packet Direction Examples .............................................................................................. 193
11.3.1 To VPN Packet Direction ........................................................................................ 195
11.3.2 From VPN Packet Direction ................................................................................... 196
11.3.3 From VPN To VPN Packet Direction ...................................................................... 198
11.4 Security Considerations ...................................................................................................199
11.5 Firewall Rules Example ................................................................................................... 200
11.6 Asymmetrical Routes .......................................................................................................201
11.6.1 Asymmetrical Routes and IP Alias ......................................................................... 202
11.7 Firewall Default Rule (Router Mode) ................................................................................ 202
11.8 Firewall Default Rule (Bridge Mode) .............................................................................. 204
11.9 Firewall Rule Summary ................................................................................................... 206
11.9.1 Firewall Edit Rule ................................................................................................. 208
11.10 Anti-Probing ..................................................................................................................211
11.11 Firewall Thresholds ..................................................................................................... 212
11.11.1 Threshold Values .................................................................................................. 213
11.12 Threshold Screen ........................................................................................................... 213
11.13 Service .......................................................................................................................... 215
11.13.1 Firewall Edit Custom Service .............................................................................. 216
11.14 My Service Firewall Rule Example ................................................................................ 217
Chapter 12
Content Filtering Screens ....................................................................................................223
12.1 Content Filtering Overview .............................................................................................. 223
12.1.1 Restrict Web Features ........................................................................................... 223
12.1.2 Create a Filter List .................................................................................................. 223
12.1.3 Customize Web Site Access ................................................................................. 223
12.2 Content Filtering with an External Database ................................................................... 223
12.3 Content Filter General Screen ........................................................................................ 224
12.4 Content Filter Policy ..................................................................................................... 227
12.5 Content Filter Policy: General ......................................................................................... 229
12.6 Content Filter Policy: External Database ........................................................................ 230
12.7 Content Filter Policy: Customization ............................................................................... 237
12.8 Content Filter Policy: Schedule ...................................................................................... 239
12.9 Content Filter Object ..................................................................................................... 240
12.10 Customizing Keyword Blocking URL Checking ............................................................. 242
12.10.1 Domain Name or IP Address URL Checking ....................................................... 242
12.10.2 Full Path URL Checking ....................................................................................... 243
12.10.3 File Name URL Checking ..................................................................................... 243
12.11 Content Filtering Cache ............................................................................................... 243
Chapter 13
Content Filtering Reports.....................................................................................................245
13.1 Checking Content Filtering Activation .............................................................................. 245
13.2 Viewing Content Filtering Reports ................................................................................... 245
13.3 Web Site Submission .......................................................................................................250
ZyWALL 2 Plus User’s Guide
13
Table of Contents
Chapter 14
IPSec VPN.............................................................................................................................. 253
14.1 IPSec VPN Overview ..................................................................................................... 253
14.1.1 IKE SA Overview .................................................................................................... 254
14.2 VPN Rules (IKE) .............................................................................................................. 255
14.3 IKE SA Setup .................................................................................................................. 257
14.3.1 IKE SA Proposal .................................................................................................... 257
14.4 Additional IPSec VPN Topics ........................................................................................... 261
14.4.1 SA Life Time ........................................................................................................... 262
14.4.2 IPSec High Availability ........................................................................................... 262
14.4.3 Encryption and Authentication Algorithms ............................................................. 263
14.5 VPN Rules (IKE) Gateway Policy Edit ............................................................................. 264
14.6 IPSec SA Overview .....................................................................................................270
14.6.1 Local Network and Remote Network ...................................................................... 270
14.6.2 Virtual Address Mapping ........................................................................................ 271
14.6.3 Active Protocol ....................................................................................................... 272
14.6.4 Encapsulation ......................................................................................................... 272
14.6.5 IPSec SA Proposal and Perfect Forward Secrecy ................................................. 273
14.7 VPN Rules (IKE) Network Policy Edit ............................................................................. 273
14.8 Network Policy Port Forwarding ................................................................................... 278
14.9 Network Policy Move .....................................................................................................280
14.10 IPSec SA Using Manual Keys ................................................................................... 281
14.10.1 IPSec SA Proposal Using Manual Keys ............................................................... 281
14.10.2 Authentication and the Security Parameter Index (SPI) ....................................... 281
14.11 VPN Rules (Manual) ...................................................................................................... 281
14.12 VPN Rules (Manual) Edit ............................................................................................ 283
14.13 VPN SA Monitor .......................................................................................................... 285
14.14 VPN Global Setting ....................................................................................................... 286
14.14.1 Local and Remote IP Address Conflict Resolution .............................................. 286
14.15 Telecommuter VPN/IPSec Examples ............................................................................ 289
14.15.1 Telecommuters Sharing One VPN Rule Example ................................................ 289
14.15.2 Telecommuters Using Unique VPN Rules Example ............................................. 290
14.16 VPN and Remote Management ..................................................................................... 291
14.17 Hub-and-spoke VPN ...................................................................................................... 292
14.17.1 Hub-and-spoke VPN Example ............................................................................. 293
14.17.2 Hub-and-spoke Example VPN Rule Addresses ................................................... 293
14.17.3 Hub-and-spoke VPN Requirements and Suggestions ......................................... 294
Chapter 15
Certificates ............................................................................................................................295
15.1 Certificates Overview ....................................................................................................... 295
15.1.1 Advantages of Certificates ..................................................................................... 296
15.2 Self-signed Certificates .................................................................................................... 296
15.3 Verifying a Certificate ....................................................................................................... 296
15.3.1 Checking the Fingerprint of a Certificate on Your Computer .................................. 296
15.4 Configuration Summary ................................................................................................... 297
15.5 My Certificates ................................................................................................................ 298
15.6 My Certificate Details ..................................................................................................... 300
15.7 My Certificate Export ...................................................................................................... 302
15.7.1 Certificate File Export Formats ............................................................................... 302
15.8 My Certificate Import ..................................................................................................... 303
15.8.1 Certificate File Formats .......................................................................................... 303
15.9 My Certificate Create ..................................................................................................... 305
15.10 Trusted CAs ................................................................................................................. 310
15.11 Trusted CA Details ........................................................................................................ 312
15.12 Trusted CA Import ....................................................................................................... 314
15.13 Trusted Remote Hosts ................................................................................................. 315
15.14 Trusted Remote Host Certificate Details ..................................................................... 316
15.15 Trusted Remote Hosts Import ...................................................................................... 319
15.16 Directory Servers .......................................................................................................... 320
15.17 Directory Server Add or Edit ........................................................................................ 321
Chapter 16
Authentication Server...........................................................................................................323
16.1 Authentication Server Overview ...................................................................................... 323
16.1.1 Local User Database .............................................................................................. 323
16.1.2 RADIUS ..................................................................................................................323
16.1.3 Types of RADIUS Messages .................................................................................. 323
16.2 Local User Database .....................................................................................................324
16.3 RADIUS ......................................................................................................................... 326
Part IV: Advanced ................................................................................ 329
Chapter 17
Network Address Translation (NAT).................................................................................... 331
17.1 NAT Overview ................................................................................................................ 331
17.1.1 NAT Definitions ...................................................................................................... 331
17.1.2 What NAT Does ..................................................................................................... 332
17.1.3 How NAT Works ..................................................................................................... 332
17.1.4 NAT Application ...................................................................................................... 333
17.1.5 Port Restricted Cone NAT ...................................................................................... 334
17.1.6 NAT Mapping Types ............................................................................................... 334
17.2 Using NAT ........................................................................................................................ 335
17.2.1 SUA (Single User Account) Versus NAT ................................................................ 335
17.3 NAT Overview Screen ..................................................................................................... 336
17.4 NAT Address Mapping ................................................................................................... 337
17.4.1 What NAT Does ..................................................................................................... 337
17.4.2 NAT Address Mapping Edit .................................................................................. 339
17.5 Port Forwarding .............................................................................................................. 340
17.5.1 Default Server IP Address ...................................................................................... 340
17.5.2 Port Forwarding: Services and Port Numbers ........................................................ 341
17.5.3 Configuring Servers Behind Port Forwarding (Example) ....................................... 341
17.5.4 Port Translation ...................................................................................................... 341
17.6 Port Forwarding Screen ................................................................................................... 342
17.7 Port Triggering ............................................................................................................... 344
Chapter 18
Static Route ........................................................................................................................... 347
18.1 IP Static Route .............................................................................................................. 347
18.2 IP Static Route ................................................................................................................. 348
18.2.1 IP Static Route Edit .............................................................................................. 349
Chapter 19
Bandwidth Management.......................................................................................................351
19.1 Bandwidth Management Overview ................................................................................. 351
19.2 Bandwidth Classes and Filters ........................................................................................ 351
19.3 Proportional Bandwidth Allocation ................................................................................... 352
19.4 Application-based Bandwidth Management .................................................................... 352
19.5 Subnet-based Bandwidth Management .......................................................................... 352
19.6 Application and Subnet-based Bandwidth Management ................................................. 352
19.7 Scheduler ........................................................................................................................ 353
19.7.1 Priority-based Scheduler ........................................................................................ 353
19.7.2 Fairness-based Scheduler ..................................................................................... 353
19.7.3 Maximize Bandwidth Usage ................................................................................... 353
19.7.4 Reserving Bandwidth for Non-Bandwidth Class Traffic .......................................... 353
19.7.5 Maximize Bandwidth Usage Example .................................................................... 354
19.8 Bandwidth Borrowing .......................................................................................................355
19.8.1 Bandwidth Borrowing Example .............................................................................. 355
19.9 Maximize Bandwidth Usage With Bandwidth Borrowing ................................................. 356
19.10 Over Allotment of Bandwidth ......................................................................................... 356
19.11 Configuring Summary .................................................................................................... 357
19.12 Configuring Class Setup .............................................................................................. 358
19.12.1 Bandwidth Manager Class Configuration ........................................................... 359
19.12.2 Bandwidth Management Statistics ................................................................... 362
19.13 Bandwidth Manager Monitor ........................................................................................ 363
Chapter 20
DNS ........................................................................................................................................ 365
20.1 DNS Overview ............................................................................................................... 365
20.2 DNS Server Address Assignment ................................................................................... 365
20.3 DNS Servers .................................................................................................................... 365
20.4 Address Record ............................................................................................................... 366
20.4.1 DNS Wildcard ......................................................................................................... 366
20.5 Name Server Record ....................................................................................................... 366
20.5.1 Private DNS Server ................................................................................................ 366
20.6 System Screen ................................................................................................................ 367
20.6.1 Adding an Address Record .................................................................................. 368
20.6.2 Inserting a Name Server Record .......................................................................... 369
20.7 DNS Cache .................................................................................................................... 371
20.8 Configure DNS Cache ..................................................................................................... 371
20.9 Configuring DNS DHCP ................................................................................................ 372
20.10 Dynamic DNS .............................................................................................................. 374
20.10.1 DYNDNS Wildcard ............................................................................................... 374
20.11 Configuring Dynamic DNS ............................................................................................. 374
Chapter 21
Remote Management............................................................................................................ 377
21.1 Remote Management Overview ...................................................................................... 377
21.1.1 Remote Management Limitations .......................................................................... 378
21.1.2 System Timeout ..................................................................................................... 378
21.2 WWW (HTTP and HTTPS) ............................................................................................. 378
21.3 WWW Configuration ........................................................................................................ 379
21.4 HTTPS Example .............................................................................................................. 380
21.4.1 Internet Explorer Warning Messages ..................................................................... 381
21.4.2 Netscape Navigator Warning Messages ................................................................ 381
21.4.3 Avoiding the Browser Warning Messages .............................................................. 382
21.4.4 Login Screen .......................................................................................................... 383
21.5 SSH .............................................................................................................................. 385
21.6 How SSH Works .............................................................................................................. 385
21.7 SSH Implementation on the ZyWALL .............................................................................. 386
21.7.1 Requirements for Using SSH ................................................................................. 386
21.8 Configuring SSH .............................................................................................................. 386
21.9 Secure Telnet Using SSH Examples ............................................................................... 387
21.9.1 Example 1: Microsoft Windows .............................................................................. 387
21.9.2 Example 2: Linux .................................................................................................... 388
21.10 Secure FTP Using SSH Example .................................................................................. 389
21.11 Telnet ........................................................................................................................... 390
21.12 Configuring TELNET ..................................................................................................... 390
21.13 FTP .............................................................................................................................. 391
21.14 SNMP .......................................................................................................................... 392
21.14.1 Supported MIBs ................................................................................................... 393
21.14.2 SNMP Traps ......................................................................................................... 393
21.14.3 REMOTE MANAGEMENT: SNMP ....................................................................... 393
21.15 DNS ............................................................................................................................. 395
21.16 Introducing Vantage CNM ............................................................................................. 395
21.17 Configuring CNM ........................................................................................................... 396
21.17.1 Additional Configuration for Vantage CNM .......................................................... 397
Chapter 22
UPnP ...................................................................................................................................... 399
22.1 Universal Plug and Play Overview ................................................................................ 399
22.1.1 How Do I Know If I'm Using UPnP? ....................................................................... 399
22.1.2 NAT Traversal ........................................................................................................ 399
22.1.3 Cautions with UPnP ............................................................................................... 399
22.1.4 UPnP and ZyXEL ................................................................................................... 400
22.2 Configuring UPnP ............................................................................................................ 400
22.3 Displaying UPnP Port Mapping .................................................................................... 401
22.4 Installing UPnP in Windows Example .............................................................................. 402
22.4.1 Installing UPnP in Windows Me ............................................................................. 403
22.4.2 Installing UPnP in Windows XP ............................................................................. 404
22.5 Using UPnP in Windows XP Example ............................................................................. 404
22.5.1 Auto-discover Your UPnP-enabled Network Device .............................................. 405
22.5.2 Web Configurator Easy Access ............................................................................. 406
Chapter 23
Custom Application ..............................................................................................................409
23.1 Custom Application ......................................................................................................... 409
23.2 Custom Application Configuration .................................................................................... 409
Chapter 24
ALG Screen ........................................................................................................................... 411
24.1 ALG Introduction ..............................................................................................................411
24.1.1 ALG and NAT ..........................................................................................................411
24.1.2 ALG and the Firewall ...............................................................................................411
24.2 FTP .................................................................................................................................. 412
24.3 H.323 ............................................................................................................................... 412
24.4 RTP .................................................................................................................................. 412
24.4.1 H.323 ALG Details ................................................................................................. 412
24.5 SIP ................................................................................................................................... 413
24.5.1 STUN ..................................................................................................................... 413
24.5.2 SIP ALG Details ..................................................................................................... 413
24.5.3 SIP Signaling Session Timeout .............................................................................. 414
24.5.4 SIP Audio Session Timeout .................................................................................... 414
24.6 ALG Screen ..................................................................................................................... 414
Part V: Logs and Maintenance ............................................................ 417
Chapter 25
Logs Screens ........................................................................................................................419
25.1 Configuring View Log ...................................................................................................... 419
25.2 Log Description Example ................................................................................................. 420
25.2.1 About the Certificate Not Trusted Log .................................................................... 421
25.3 Configuring Log Settings ................................................................................................ 422
25.4 Configuring Reports ....................................................................................................... 425
25.4.1 Viewing Web Site Hits ............................................................................................ 427
25.4.2 Viewing Host IP Address ........................................................................................ 427
25.4.3 Viewing Protocol/Port ............................................................................................. 428
25.4.4 System Reports Specifications ............................................................................... 430
25.5 Log Descriptions .............................................................................................................. 430
25.6 Syslog Logs .................................................................................................................... 445
Chapter 26
Maintenance .......................................................................................................................... 447
26.1 Maintenance Overview .................................................................................................... 447
26.2 General Setup and System Name ................................................................................... 447
26.2.1 General Setup ....................................................................................................... 447
26.3 Configuring Password .................................................................................................... 448
26.4 Time and Date ................................................................................................................ 449
26.5 Pre-defined NTP Time Server Pools ............................................................................... 452
26.5.1 Resetting the Time ................................................................................................. 452
26.5.2 Time Server Synchronization ................................................................................. 452
26.6 Introduction To Transparent Bridging ............................................................................... 453
26.7 Transparent Firewalls ...................................................................................................... 454
26.8 Configuring Device Mode (Router) ................................................................................. 454
26.9 Configuring Device Mode (Bridge) ................................................................................. 455
26.10 F/W Upload Screen ...................................................................................................... 457
26.11 Backup and Restore ..................................................................................................... 459
26.11.1 Backup Configuration ........................................................................................... 460
26.11.2 Restore Configuration .......................................................................................... 460
26.11.3 Back to Factory Defaults ..................................................................................... 461
26.12 Restart Screen .............................................................................................................. 461
26.13 Diagnostics .................................................................................................................... 462
Part VI: SMT.......................................................................................... 465
Chapter 27
Introducing the SMT .............................................................................................................467
27.1 Introduction to the SMT ...................................................................................................467
27.2 Accessing the SMT via the Console Port ........................................................................ 467
27.2.1 Initial Screen ..........................................................................................................467
27.2.2 Entering the Password ........................................................................................... 468
27.3 Navigating the SMT Interface .......................................................................................... 468
27.3.1 Main Menu ............................................................................................................. 469
27.3.2 SMT Menus Overview ............................................................................................ 471
27.4 Changing the System Password ..................................................................................... 472
27.5 Resetting the ZyWALL ..................................................................................................... 473
Chapter 28
SMT Menu 1 - General Setup ............................................................................................... 475
28.1 Introduction to General Setup .......................................................................................... 475
28.2 Configuring General Setup .............................................................................................. 475
28.2.1 Configuring Dynamic DNS ..................................................................................... 476
Chapter 29
WAN and Dial Backup Setup................................................................................................ 481
29.1 Introduction to WAN and Dial Backup Setup ................................................................... 481
29.2 WAN Setup ...................................................................................................................... 481
29.3 Dial Backup ..................................................................................................................... 482
29.4 Configuring Dial Backup in Menu 2 ................................................................................. 482
29.5 Advanced WAN Setup ..................................................................................................... 483
29.6 Remote Node Profile (Backup ISP) ................................................................................. 485
29.7 Editing TCP/IP Options ....................................................................................................487
29.8 Editing Login Script .......................................................................................................... 488
29.9 Remote Node Filter ......................................................................................................... 489
Chapter 30
LAN Setup.............................................................................................................................. 491
30.1 Introduction to LAN Setup ............................................................................................... 491
30.2 Accessing the LAN Menus .............................................................................................. 491
30.3 LAN Port Filter Setup ....................................................................................................... 491
30.4 TCP/IP and DHCP Ethernet Setup Menu ........................................................................ 492
30.4.1 IP Alias Setup ......................................................................................................... 495
Chapter 31
Internet Access ..................................................................................................................... 497
31.1 Introduction to Internet Access Setup .............................................................................. 497
31.2 Ethernet Encapsulation ................................................................................................... 497
31.3 Configuring the PPTP Client ............................................................................................ 499
31.4 Configuring the PPPoE Client ......................................................................................... 499
31.5 Basic Setup Complete ..................................................................................................... 500
Chapter 32
DMZ Setup ............................................................................................................................. 501
32.1 Configuring DMZ Setup ................................................................................................... 501
32.2 DMZ Port Filter Setup ...................................................................................................... 501
32.3 TCP/IP Setup ................................................................................................................... 502
32.3.1 IP Address ..............................................................................................................502
32.3.2 IP Alias Setup ......................................................................................................... 503
Chapter 33
Wireless Setup ......................................................................................................................505
33.1 TCP/IP Setup ................................................................................................................... 505
33.1.1 IP Address ..............................................................................................................505
33.1.2 IP Alias Setup ......................................................................................................... 506
Chapter 34
Remote Node Setup..............................................................................................................509
34.1 Introduction to Remote Node Setup ................................................................................ 509
34.2 Remote Node Setup ........................................................................................................ 509
34.3 Remote Node Profile Setup ............................................................................................. 509
34.3.1 Ethernet Encapsulation .......................................................................................... 510
34.3.2 PPPoE Encapsulation .............................................................................................511
34.3.3 PPTP Encapsulation .............................................................................................. 513
34.4 Edit IP .............................................................................................................................. 514
34.5 Remote Node Filter ......................................................................................................... 516
34.6 Traffic Redirect ................................................................................................................ 517
Chapter 35
IP Static Route Setup............................................................................................................ 519
35.1 IP Static Route Setup ...................................................................................................... 519
Chapter 36
Network Address Translation (NAT).................................................................................... 521
36.1 Using NAT ........................................................................................................................ 521
36.1.1 SUA (Single User Account) Versus NAT ................................................................ 521
36.1.2 Applying NAT ......................................................................................................... 521
36.2 NAT Setup ....................................................................................................................... 523
36.2.1 Address Mapping Sets ........................................................................................... 523
36.3 Configuring a Server behind NAT .................................................................................... 528
36.4 General NAT Examples ................................................................................................... 530
36.4.1 Internet Access Only .............................................................................................. 530
36.4.2 Example 2: Internet Access with a Default Server ................................................. 532
36.4.3 Example 3: Multiple Public IP Addresses With Inside Servers .............................. 532
36.4.4 Example 4: NAT Unfriendly Application Programs ................................................. 536
36.5 Trigger Port Forwarding ...................................................................................................537
36.5.1 Two Points To Remember About Trigger Ports ...................................................... 537
Chapter 37
Introducing the ZyWALL Firewall ........................................................................................539
37.1 Using ZyWALL SMT Menus ............................................................................................ 539
37.1.1 Activating the Firewall ............................................................................................ 539
Chapter 38
Filter Configuration............................................................................................................... 541
38.1 Introduction to Filters ....................................................................................................... 541
38.1.1 The Filter Structure of the ZyWALL ........................................................................ 542
38.2 Configuring a Filter Set .................................................................................................... 544
38.2.1 Configuring a Filter Rule ........................................................................................ 546
38.2.2 Configuring a TCP/IP Filter Rule ............................................................................ 546
38.2.3 Configuring a Generic Filter Rule ........................................................................... 549
38.3 Example Filter .................................................................................................................. 550
38.4 Filter Types and NAT ....................................................................................................... 552
38.5 Firewall Versus Filters ..................................................................................................... 552
38.5.1 Packet Filtering: ..................................................................................................... 552
38.5.2 Firewall ................................................................................................................... 553
38.6 Applying a Filter .............................................................................................................. 553
38.6.1 Applying LAN Filters ............................................................................................... 554
38.6.2 Applying DMZ Filters .............................................................................................. 554
38.6.3 Applying Remote Node Filters ............................................................................... 555
Chapter 39
SNMP Configuration.............................................................................................................557
39.1 SNMP Configuration ........................................................................................................557
39.2 SNMP Traps .................................................................................................................... 558
Chapter 40
System Information & Diagnosis.........................................................................................559
40.1 Introduction to System Status .......................................................................................... 559
40.2 System Status .................................................................................................................. 559
40.3 System Information and Console Port Speed .................................................................. 561
40.3.1 System Information ................................................................................................ 561
40.3.2 Console Port Speed ............................................................................................... 562
40.4 Log and Trace .................................................................................................................. 562
40.4.1 Viewing Error Log ................................................................................................... 562
40.4.2 Syslog Logging ....................................................................................................... 563
40.4.3 Call-Triggering Packet ............................................................................................ 566
40.5 Diagnostic ........................................................................................................................ 567
40.5.1 WAN DHCP ............................................................................................................ 568
Chapter 41
Firmware and Configuration File Maintenance..................................................................571
41.1 Introduction ...................................................................................................................... 571
41.2 Filename Conventions ..................................................................................................... 571
41.3 Backup Configuration ......................................................................................................572
41.3.1 Backup Configuration ............................................................................................. 572
41.3.2 Using the FTP Command from the Command Line ............................................... 573
41.3.3 Example of FTP Commands from the Command Line .......................................... 574
41.3.4 GUI-based FTP Clients .......................................................................................... 574
41.3.5 File Maintenance Over WAN .................................................................................. 574
41.3.6 Backup Configuration Using TFTP ......................................................................... 575
41.3.7 TFTP Command Example ...................................................................................... 575
41.3.8 GUI-based TFTP Clients ........................................................................................ 575
41.3.9 Backup Via Console Port ....................................................................................... 576
41.4 Restore Configuration ...................................................................................................... 577
41.4.1 Restore Using FTP ................................................................................................. 577
41.4.2 Restore Using FTP Session Example .................................................................... 578
41.4.3 Restore Via Console Port ....................................................................................... 579
41.5 Uploading Firmware and Configuration Files .................................................................. 579
41.5.1 Firmware File Upload ............................................................................................. 580
41.5.2 Configuration File Upload ....................................................................................... 580
41.5.3 FTP File Upload Command from the DOS Prompt Example ................................. 581
41.5.4 FTP Session Example of Firmware File Upload .................................................... 582
41.5.5 TFTP File Upload ................................................................................................... 582
41.5.6 TFTP Upload Command Example ......................................................................... 583
41.5.7 Uploading Via Console Port ................................................................................... 583
41.5.8 Uploading Firmware File Via Console Port ............................................................ 583
41.5.9 Example Xmodem Firmware Upload Using HyperTerminal ................................... 583
41.5.10 Uploading Configuration File Via Console Port .................................................... 584
41.5.11 Example Xmodem Configuration Upload Using HyperTerminal ........................... 585
Chapter 42
System Maintenance Menus 8 to 10....................................................................................587
42.1 Command Interpreter Mode ............................................................................................ 587
42.1.1 Command Syntax ................................................................................................... 588
42.1.2 Command Usage ................................................................................................... 588
42.2 Call Control Support ........................................................................................................ 589
42.2.1 Budget Management .............................................................................................. 589
42.2.2 Call History ............................................................................................................. 590
42.3 Time and Date Setting .....................................................................................................591
Chapter 43
Remote Management............................................................................................................ 595
43.1 Remote Management ...................................................................................................... 595
43.1.1 Remote Management Limitations .......................................................................... 597
Chapter 44
Call Scheduling..................................................................................................................... 599
44.1 Introduction to Call Scheduling ........................................................................................ 599
Part VII: Troubleshooting and Specifications ................................... 603
Chapter 45
Troubleshooting....................................................................................................................605
45.1 Power, Hardware Connections, and LEDs ...................................................................... 605
45.2 ZyWALL Access and Login .............................................................................................. 606
45.3 Internet Access ................................................................................................................ 608
45.4 Wireless Router/AP Troubleshooting ............................................................................... 610
45.5 UPnP ............................................................................................................................... 610
Chapter 46
Product Specifications.........................................................................................................613
46.1 General ZyWALL Specifications ...................................................................................... 613
46.2 Cable Pin Assignments ................................................................................................... 615
46.3 Wall-mounting Instructions .............................................................................................. 617
Part VIII: Appendices and Index ......................................................... 619
Appendix A Setting up Your Computer’s IP Address............................................................ 621
Appendix B Pop-up Windows, JavaScripts and Java Permissions ......................................637
Appendix C IP Addresses and Subnetting ........................................................................... 645
Appendix D Common Services ............................................................................................653
Appendix E Importing Certificates ........................................................................................657
Appendix F Legal Information ..............................................................................................669
Appendix G Customer Support ............................................................................................673
Index....................................................................................................................................... 679
List of Figures
Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem ................................................... 48
Figure 2 VPN Application ....................................................................................................................... 48
Figure 3 Front Panel .............................................................................................................................. 49
Figure 4 Change Password Screen ........................................................................................................ 52
Figure 5 Replace Certificate Screen ....................................................................................................... 52
Figure 6 Example Xmodem Upload ........................................................................................................ 53
Figure 7 HOME Screen .......................................................................................................................... 54
Figure 8 Web Configurator HOME Screen in Router Mode ................................................................... 55
Figure 9 Web Configurator HOME Screen in Bridge Mode .................................................................... 58
Figure 10 HOME > Show Statistics ........................................................................................................ 64
Figure 11 HOME > DHCP Table ............................................................................................................. 65
Figure 12 HOME > VPN Status .............................................................................................................. 66
Figure 13 Home > Bandwidth Monitor .................................................................................................... 67
Figure 14 Wizard Setup Welcome .......................................................................................................... 69
Figure 15 ISP Parameters: Ethernet Encapsulation ...............................................................................70
Figure 16 ISP Parameters: PPPoE Encapsulation ................................................................................. 72
Figure 17 ISP Parameters: PPTP Encapsulation ...................................................................................74
Figure 18 Internet Access Wizard: Second Screen ................................................................................75
Figure 19 Internet Access Setup Complete ............................................................................................ 76
Figure 20 Internet Access Wizard: Registration ..................................................................................... 77
Figure 21 Internet Access Wizard: Registration in Progress .................................................................. 78
Figure 22 Internet Access Wizard: Status .............................................................................................. 78
Figure 23 Internet Access Wizard: Registration Failed ..........................................................................78
Figure 24 Internet Access Wizard: Registered Device ........................................................................... 79
Figure 25 Internet Access Wizard: Activated Services ...........................................................................79
Figure 26 VPN Wizard: Gateway Setting ............................................................................................... 80
Figure 27 VPN Wizard: Network Setting ................................................................................................ 81
Figure 28 VPN Wizard: IKE Tunnel Setting ............................................................................................ 82
Figure 29 VPN Wizard: IPSec Setting .................................................................................................... 84
Figure 30 VPN Wizard: VPN Status ....................................................................................................... 85
Figure 31 VPN Wizard Setup Complete ................................................................................................. 87
Figure 32 Firewall Rule for VPN ............................................................................................................. 90
Figure 33 SECURITY > VPN > VPN Rules (IKE) .................................................................................. 90
Figure 34 SECURITY > VPN > VPN Rules (IKE)> Add Gateway Policy ............................................. 91
Figure 35 SECURITY > VPN > VPN Rules (IKE): With Gateway Policy Example ................................ 92
Figure 36 SECURITY > VPN > VPN Rules (IKE)> Add Network Policy ............................................... 93
Figure 37 SECURITY > FIREWALL > Rule Summary ........................................................................... 94
Figure 38 SECURITY > FIREWALL > Rule Summary > Edit: Allow ..................................................... 95
Figure 39 SECURITY > FIREWALL > Rule Summary: Allow ................................................................. 96
Figure 40 SECURITY > FIREWALL > Default Rule: Block From VPN To LAN ...................................... 96
Figure 41 Tutorial Example: Using NAT with Static Public IP Addresses ............................................... 97
Figure 42 Tutorial Example: WAN Connection with a Static Public IP Address ..................................... 98
Figure 43 Tutorial Example: WAN Screen ............................................................................................. 99
Figure 44 Tutorial Example: DNS > System ........................................................................................... 99
Figure 45 Tutorial Example: DNS > System Edit-1 ............................................................................. 100
Figure 46 Tutorial Example: DNS > System Edit-2 ............................................................................. 100
Figure 47 Tutorial Example: DNS > System: Done ............................................................................. 101
Figure 48 Tutorial Example: Status ....................................................................................................... 101
Figure 49 Tutorial Example: Mapping Multiple Public IP Addresses to Inside Servers ........................ 102
Figure 50 Tutorial Example: NAT > NAT Overview .............................................................................. 103
Figure 51 Tutorial Example: NAT > Address Mapping .......................................................................... 103
Figure 52 Tutorial Example: NAT Address Mapping Edit: One-to-One (1) .......................................... 104
Figure 53 Tutorial Example: NAT Address Mapping Edit: One-to-One (2) .......................................... 104
Figure 54 Tutorial Example: NAT Address Mapping Edit: Many-to-One ............................................. 104
Figure 55 Tutorial Example: NAT Address Mapping Done ................................................................. 105
Figure 56 Tutorial Example: Forwarding Incoming FTP Traffic to a Local Computer .......................... 106
Figure 57 Tutorial Example: NAT Address Mapping Edit: Server ....................................................... 106
Figure 58 Tutorial Example: NAT Port Forwarding ............................................................................... 107
Figure 59 Tutorial Example: Forwarding Incoming FTP Traffic to a Local Computer .......................... 107
Figure 60 Tutorial Example: Firewall Default Rule .............................................................................. 108
Figure 61 Tutorial Example: Firewall Rule: WAN to LAN .................................................................... 108
Figure 62 Tutorial Example: Firewall Rule: WAN to LAN Address Edit for Web Server ...................... 109
Figure 63 Tutorial Example: Firewall Rule: WAN to LAN Service Edit for Web Server ........................110
Figure 64 Tutorial Example: Firewall Rule: WAN to LAN Address Edit for Mail Server ........................111
Figure 65 Tutorial Example: Firewall Rule: WAN to LAN Service Edit for Mail Server .........................111
Figure 66 Tutorial Example: Firewall Rule: WAN to LAN Address Edit for FTP Server ........................112
Figure 67 Tutorial Example: Firewall Rule: WAN to LAN Service Edit for FTP Server .........................113
Figure 68 Tutorial Example: Firewall Rule Summary ............................................................................113
Figure 69 Tutorial Example: NAT Address Mapping Done: Game Playing .........................................115
Figure 70 Tutorial Example: Bandwidth Management ...........................................................................116
Figure 71 Tutorial Example: Bandwidth Management Summary .........................................................117
Figure 72 Tutorial Example: Bandwidth Management Class Setup ......................................................117
Figure 73 Tutorial Example: Bandwidth Management Class Setup: VoIP .............................................118
Figure 74 Tutorial Example: Bandwidth Management Class Setup: FTP .............................................118
Figure 75 Tutorial Example: Bandwidth Management Class Setup: WWW .........................................119
Figure 76 Tutorial Example: Bandwidth Management Class Setup Done .............................................119
Figure 77 Tutorial Example: Bandwidth Management Monitor ............................................................. 120
Figure 78 SECURITY > CONTENT FILTER > General ........................................................................ 121
Figure 79 SECURITY > CONTENT FILTER > Policy ........................................................................... 122
Figure 80 SECURITY > CONTENT FILTER > Policy > External Database (Default) .......................... 122
Figure 81 HOME > DHCP Table ........................................................................................................... 123
28
ZyWALL 2 Plus User’s Guide
List of Figures
Figure 82 SECURITY > CONTENT FILTER > Policy ........................................................................... 123
Figure 83 SECURITY > CONTENT FILTER > Policy > Insert .............................................................. 124
Figure 84 SECURITY > CONTENT FILTER > Policy ........................................................................... 124
Figure 85 SECURITY > CONTENT FILTER > Policy > Schedule (Bob) .............................................. 125
Figure 86 SECURITY > CONTENT FILTER > Policy ........................................................................... 125
Figure 87 SECURITY > CONTENT FILTER > Policy > External Database (Bob) ............................... 126
Figure 88 REGISTRATION ................................................................................................................... 128
Figure 89 REGISTRATION: Registered Device ................................................................................... 129
Figure 90 REGISTRATION > Service ................................................................................................... 130
Figure 91 LAN and WAN ..................................................................................................................... 133
Figure 92 NETWORK > LAN ................................................................................................................ 137
Figure 93 NETWORK > LAN > Static DHCP ........................................................................................ 139
Figure 94 Physical Network & Partitioned Logical Networks ................................................................ 140
Figure 95 NETWORK > LAN > IP Alias ................................................................................................ 141
Figure 96 NETWORK > LAN > Port Roles ...........................................................................................142
Figure 97 Port Roles Change Complete ............................................................................................... 143
Figure 98 Bridge Loop: Bridge Connected to Wired LAN ..................................................................... 145
Figure 99 NETWORK > Bridge ............................................................................................................. 148
Figure 100 NETWORK > Bridge > Port Roles ...................................................................................... 150
Figure 101 Port Roles Change Complete ............................................................................................. 150
Figure 102 NETWORK > WAN Route ................................................................................................. 152
Figure 103 NETWORK > WAN > WAN (Ethernet Encapsulation) ..................................................... 155
Figure 104 NETWORK > WAN > WAN (PPPoE Encapsulation) ......................................................... 158
Figure 105 NETWORK > WAN > WAN (PPTP Encapsulation) ........................................................... 161
Figure 106 Traffic Redirect WAN Setup ................................................................................................ 164
Figure 107 Traffic Redirect LAN Setup ................................................................................................. 164
Figure 108 NETWORK > WAN > Traffic Redirect ................................................................................ 164
Figure 109 NETWORK > WAN > Dial Backup ................................................................................... 166
Figure 110 NETWORK > WAN > Dial Backup > Edit ......................................................................... 169
Figure 111 NETWORK > DMZ ............................................................................................................. 172
Figure 112 NETWORK > DMZ > Static DHCP ................................................................................... 174
Figure 113 NETWORK > DMZ > IP Alias ............................................................................................ 176
Figure 114 DMZ Public Address Example ............................................................................................ 177
Figure 115 DMZ Private and Public Address Example ......................................................................... 178
Figure 116 NETWORK > DMZ > Port Roles ....................................................................................... 179
Figure 117 NETWORK > WLAN .......................................................................................................... 182
Figure 118 NETWORK > WLAN > Static DHCP .................................................................................. 184
Figure 119 NETWORK > WLAN > IP Alias ......................................................................................... 186
Figure 120 WLAN Port Role Example ................................................................................................. 187
Figure 121 NETWORK > WLAN > Port Roles ..................................................................................... 188
Figure 122 NETWORK > WLAN > Port Roles: Change Complete ....................................................... 188
Figure 123 Default Firewall Action ........................................................................................................ 191
Figure 124 SECURITY > FIREWALL > Default Rule (Router Mode) ................................................... 192
Figure 125 Default Block Traffic From WAN to DMZ Example ......................................................... 193
Figure 126 From LAN to VPN Example ............................................................................................... 195
Figure 127 Block DMZ to VPN Traffic by Default Example ............................................................... 196
Figure 128 From VPN to LAN Example ............................................................................................... 197
Figure 129 Block VPN to LAN Traffic by Default Example ................................................................. 197
Figure 130 From VPN to VPN Example .............................................................................................. 198
Figure 131 Block VPN to VPN Traffic by Default Example ............................................................... 199
Figure 132 Blocking All LAN to WAN IRC Traffic Example .................................................................. 200
Figure 133 Limited LAN to WAN IRC Traffic Example .......................................................................... 201
Figure 134 Using IP Alias to Solve the Triangle Route Problem .......................................................... 202
Figure 135 SECURITY > FIREWALL > Default Rule (Router Mode) ................................................... 203
Figure 136 SECURITY > FIREWALL > Default Rule (Bridge Mode) .................................................... 205
Figure 137 SECURITY > FIREWALL > Rule Summary ....................................................................... 207
Figure 138 SECURITY > FIREWALL > Rule Summary > Edit ............................................................ 209
Figure 139 SECURITY > FIREWALL > Anti-Probing ............................................................................211
Figure 140 Three-Way Handshake ....................................................................................................... 212
Figure 141 SECURITY > FIREWALL > Threshold ............................................................................ 213
Figure 142 SECURITY > FIREWALL > Service ................................................................................... 215
Figure 143 Firewall Edit Custom Service ............................................................................................. 216
Figure 144 My Service Firewall Rule Example: Service ...................................................................... 217
Figure 145 My Service Firewall Rule Example: Edit Custom Service ................................................. 217
Figure 146 My Service Firewall Rule Example: Rule Summary ........................................................... 218
Figure 147 My Service Firewall Rule Example: Rule Edit: Source and Destination Addresses .......... 218
Figure 148 My Service Firewall Rule Example: Edit Rule: Service Configuration ................................ 220
Figure 149 My Service Firewall Rule Example: Rule Summary: Completed ........................................ 221
Figure 150 Content Filtering Lookup Procedure ................................................................................... 224
Figure 151 SECURITY > CONTENT FILTER > General ...................................................................... 225
Figure 152 SECURITY > CONTENT FILTER > Policy ......................................................................... 228
Figure 153 SECURITY > CONTENT FILTER > Policy > General ........................................................ 229
Figure 154 SECURITY > CONTENT FILTER > Policy > External Database ....................................... 231
Figure 155 SECURITY > CONTENT FILTER > Policy > Customization .............................................. 238
Figure 156 SECURITY > CONTENT FILTER > Policy > Schedule ...................................................... 240
Figure 157 SECURITY > CONTENT FILTER > Object ........................................................................ 241
Figure 158 SECURITY > CONTENT FILTER > Cache ........................................................................ 244
Figure 159 myZyXEL.com: Login ......................................................................................................... 246
Figure 160 myZyXEL.com: Welcome ................................................................................................... 246
Figure 161 myZyXEL.com: Service Management ................................................................................ 247
Figure 162 Blue Coat: Login ................................................................................................................. 247
Figure 163 Content Filtering Reports Main Screen .............................................................................. 248
Figure 164 Blue Coat: Report Home .................................................................................................... 248
Figure 165 Global Report Screen Example .......................................................................................... 249
Figure 166 Requested URLs Example ................................................................................................. 250
Figure 167 Web Page Review Process Screen ................................................................................... 251
Figure 168 VPN: Example .................................................................................................................... 253
Figure 169 VPN: IKE SA and IPSec SA .............................................................................................. 254
Figure 170 Gateway and Network Policies .......................................................................................... 255
Figure 171 IPSec Fields Summary ..................................................................................................... 255
Figure 172 SECURITY > VPN > VPN Rules (IKE) .............................................................................. 256
Figure 173 IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal ......................................... 257
Figure 174 IKE SA: Main Negotiation Mode, Steps 3 - 4: DH Key Exchange ...................................... 258
Figure 175 IKE SA: Main Negotiation Mode, Steps 5 - 6: Authentication ............................................. 258
Figure 176 VPN/NAT Example ............................................................................................................. 261
Figure 177 IPSec High Availability ....................................................................................................... 263
Figure 178 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy ......................................... 265
Figure 179 Virtual Mapping of Local and Remote Network IP Addresses ............................................ 271
Figure 180 VPN: Transport and Tunnel Mode Encapsulation .............................................................. 272
Figure 181 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy ........................................... 274
Figure 182 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding ............. 279
Figure 183 SECURITY > VPN > VPN Rules (IKE) > Move Network Policy ........................................ 280
Figure 184 SECURITY > VPN > VPN Rules (Manual) ........................................................................ 282
Figure 185 SECURITY > VPN > VPN Rules (Manual) > Edit .............................................................. 283
Figure 186 SECURITY > VPN > SA Monitor ...................................................................................... 286
Figure 187 Overlap in a Dynamic VPN Rule ........................................................................................ 287
Figure 188 Overlap in IP Alias and VPN Remote Networks ................................................................. 287
Figure 189 SECURITY > VPN > Global Setting ................................................................................. 288
Figure 190 Telecommuters Sharing One VPN Rule Example .............................................................. 289
Figure 191 Telecommuters Using Unique VPN Rules Example ........................................................... 290
Figure 192 VPN for Remote Management Example ............................................................................ 292
Figure 193 VPN Topologies .................................................................................................................. 292
Figure 194 Hub-and-spoke VPN Example ...........................................................................................293
Figure 195 Certificates on Your Computer ........................................................................................... 296
Figure 196 Certificate Details .............................................................................................................. 297
Figure 197 Certificate Configuration Overview ..................................................................................... 297
Figure 198 SECURITY > CERTIFICATES > My Certificates ............................................................... 298
Figure 199 SECURITY > CERTIFICATES > My Certificates > Details ................................................. 300
Figure 200 SECURITY > CERTIFICATES > My Certificates > Export ................................................. 302
Figure 201 SECURITY > CERTIFICATES > My Certificates > Import ................................................. 304
Figure 202 SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12 ............................... 305
Figure 203 SECURITY > CERTIFICATES > My Certificates > Create (Basic) .................................... 306
Figure 204 SECURITY > CERTIFICATES > My Certificates > Create (Advanced) ............................. 307
Figure 205 SECURITY > CERTIFICATES > Trusted CAs ....................................................................311
Figure 206 SECURITY > CERTIFICATES > Trusted CAs > Details .................................................... 312
Figure 207 SECURITY > CERTIFICATES > Trusted CAs > Import ..................................................... 315
Figure 208 SECURITY > CERTIFICATES > Trusted Remote Hosts .................................................... 315
Figure 209 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details ..................................... 317
Figure 210 SECURITY > CERTIFICATES > Trusted Remote Hosts > Import ..................................... 319
Figure 211 SECURITY > CERTIFICATES > Directory Servers ............................................................ 320
Figure 212 SECURITY > CERTIFICATES > Directory Server > Add ................................................... 321
Figure 213 SECURITY > AUTH SERVER > Local User Database ...................................................... 325
Figure 214 SECURITY > AUTH SERVER > RADIUS .......................................................................... 326
Figure 215 How NAT Works ................................................................................................................. 333
Figure 216 NAT Application With IP Alias ............................................................................................ 333
Figure 217 Port Restricted Cone NAT Example ................................................................................... 334
Figure 218 ADVANCED > NAT > NAT Overview .................................................................................. 336
Figure 219 ADVANCED > NAT > Address Mapping ............................................................................. 338
Figure 220 ADVANCED > NAT > Address Mapping > Edit .................................................................. 339
Figure 221 Multiple Servers Behind NAT Example .............................................................................. 341
Figure 222 Port Translation Example ................................................................................................... 342
Figure 223 ADVANCED > NAT > Port Forwarding ............................................................................... 343
Figure 224 Trigger Port Forwarding Process: Example ........................................................................ 344
Figure 225 ADVANCED > NAT > Port Triggering ................................................................................. 345
Figure 226 Example of Static Routing Topology ................................................................................... 347
Figure 227 ADVANCED > STATIC ROUTE > IP Static Route .............................................................. 348
Figure 228 ADVANCED > STATIC ROUTE > IP Static Route > Edit .................................................... 349
Figure 229 Subnet-based Bandwidth Management Example .............................................................. 352
Figure 230 ADVANCED > BW MGMT > Summary .............................................................................. 357
Figure 231 ADVANCED > BW MGMT > Class Setup .......................................................................... 358
Figure 232 ADVANCED > BW MGMT > Class Setup > Add Sub-Class .............................................. 360
Figure 233 ADVANCED > BW MGMT > Class Setup > Statistics ........................................................ 362
Figure 234 ADVANCED > BW MGMT > Monitor ................................................................................. 363
Figure 235 Private DNS Server Example ............................................................................................. 367
Figure 236 ADVANCED > DNS > System DNS ................................................................................... 367
Figure 237 ADVANCED > DNS > Add (Address Record) .................................................................... 369
Figure 238 ADVANCED > DNS > Insert (Name Server Record) .......................................................... 370
Figure 239 ADVANCED > DNS > Cache ............................................................................................. 371
Figure 240 ADVANCED > DNS > DHCP .............................................................................................. 373
Figure 241 ADVANCED > DNS > DDNS .............................................................................................. 375
Figure 242 Secure and Insecure Remote Management From the WAN .............................................. 377
Figure 243 HTTPS Implementation ...................................................................................................... 379
Figure 244 ADVANCED > REMOTE MGMT > WWW .......................................................................... 379
Figure 245 Security Alert Dialog Box (Internet Explorer) ...................................................................... 381
Figure 246 Security Certificate 1 (Netscape) ........................................................................................ 382
Figure 247 Security Certificate 2 (Netscape) ........................................................................................ 382
Figure 248 Example: Lock Denoting a Secure Connection ................................................................. 383
Figure 249 Replace Certificate ............................................................................................................. 384
Figure 250 Device-specific Certificate .................................................................................................. 384
Figure 251 Common ZyWALL Certificate ............................................................................................. 384
Figure 252 SSH Communication Over the WAN Example .................................................................. 385
Figure 253 How SSH Works ................................................................................................................. 385
Figure 254 ADVANCED > REMOTE MGMT > SSH ............................................................................. 387
Figure 255 SSH Example 1: Store Host Key ........................................................................................ 388
Figure 256 SSH Example 2: Test ........................................................................................................ 388
Figure 257 SSH Example 2: Log in ...................................................................................................... 389
Figure 258 Secure FTP: Firmware Upload Example ............................................................................ 389
Figure 259 ADVANCED > REMOTE MGMT > TELNET ..................................................................... 390
Figure 260 ADVANCED > REMOTE MGMT > FTP ............................................................................. 391
Figure 261 SNMP Management Model ................................................................................................ 392
Figure 262 ADVANCED > REMOTE MGMT > SNMP .......................................................................... 394
Figure 263 ADVANCED > REMOTE MGMT > DNS ............................................................................. 395
Figure 264 ADVANCED > REMOTE MGMT > CNM ............................................................................ 396
Figure 265 ADVANCED > UPnP .......................................................................................................... 400
Figure 266 ADVANCED > UPnP > Ports .............................................................................................. 401
Figure 267 ADVANCED > Custom APP ..............................................................................................410
Figure 268 H.323 ALG Example .......................................................................................................... 412
Figure 269 SIP ALG Example ............................................................................................................. 414
Figure 270 ADVANCED > ALG ........................................................................................................... 415
Figure 271 LOGS > View Log ........................................................................................................... 419
Figure 272 myZyXEL.com: Download Center ...................................................................................... 421
Figure 273 myZyXEL.com: Certificate Download ................................................................................. 422
Figure 274 LOGS > Log Settings ......................................................................................................... 423
Figure 275 LOGS > Reports ................................................................................................................ 426
Figure 276 LOGS > Reports: Web Site Hits Example .......................................................................... 427
Figure 277 LOGS > Reports: Host IP Address Example ...................................................................... 428
Figure 278 LOGS > Reports: Protocol/Port Example ........................................................................... 429
Figure 279 MAINTENANCE > General Setup ...................................................................................... 448
Figure 280 MAINTENANCE > Password ............................................................................................ 449
Figure 281 MAINTENANCE > Time and Date ...................................................................................... 450
Figure 282 Synchronization in Process ................................................................................................ 452
Figure 283 Synchronization is Successful ............................................................................................ 453
Figure 284 Synchronization Fail ........................................................................................................... 453
Figure 285 MAINTENANCE > Device Mode (Router Mode) ................................................................ 455
Figure 286 MAINTENANCE > Device Mode (Bridge Mode) ................................................................ 456
Figure 287 MAINTENANCE > Firmware Upload .................................................................................. 457
Figure 288 Firmware Upload In Process .............................................................................................. 458
Figure 289 Network Temporarily Disconnected ....................................................................................458
Figure 290 Firmware Upload Error ....................................................................................................... 459
Figure 291 MAINTENANCE > Backup and Restore ............................................................................. 459
Figure 292 Configuration Upload Successful ....................................................................................... 460
Figure 293 Network Temporarily Disconnected ....................................................................................460
Figure 294 Configuration Upload Error ................................................................................................. 461
Figure 295 Reset Warning Message .................................................................................................... 461
Figure 296 MAINTENANCE > Restart ................................................................................................. 462
Figure 297 MAINTENANCE > Diagnostics .........................................................................................463
Figure 298 Initial Screen ....................................................................................................................... 468
Figure 299 Password Screen .............................................................................................................. 468
Figure 300 Main Menu (Router Mode) ................................................................................................. 469
Figure 301 Main Menu (Bridge Mode) .................................................................................................. 470
Figure 302 Menu 23: System Password ............................................................................................... 472
Figure 303 Menu 1: General Setup (Router Mode) .............................................................................. 475
Figure 304 Menu 1: General Setup (Bridge Mode) .............................................................................. 476
Figure 305 Menu 1.1: Configure Dynamic DNS ................................................................................... 477
Figure 306 Menu 1.1.1: DDNS Host Summary .................................................................................... 478
Figure 307 Menu 1.1.1: DDNS Edit Host .............................................................................................. 479
Figure 308 MAC Address Cloning in WAN Setup ................................................................................. 481
Figure 309 Menu 2: Dial Backup Setup .............................................................................................. 483
Figure 310 Menu 2.1: Advanced WAN Setup ....................................................................................... 484
Figure 311 Menu 11.2: Remote Node Profile (Backup ISP) ................................................................ 485
Figure 312 Menu 11.2.2: Remote Node Network Layer Options .......................................................... 487
Figure 313 Menu 11.2.3: Remote Node Script .....................................................................................489
Figure 314 Menu 11.2.4: Remote Node Filter ...................................................................................... 490
Figure 315 Menu 3: LAN Setup ............................................................................................................ 491
Figure 316 Menu 3.1: LAN Port Filter Setup ........................................................................................ 492
Figure 317 Menu 3: TCP/IP and DHCP Setup .................................................................................... 492
Figure 318 Menu 3.2: TCP/IP and DHCP Ethernet Setup .................................................................... 493
Figure 319 Menu 3.2.1: IP Alias Setup ................................................................................................. 495
Figure 320 Menu 4: Internet Access Setup (Ethernet) ......................................................................... 497
Figure 321 Internet Access Setup (PPTP) ........................................................................................... 499
Figure 322 Internet Access Setup (PPPoE) ......................................................................................... 500
Figure 323 Menu 5: DMZ Setup .......................................................................................................... 501
Figure 324 Menu 5.1: DMZ Port Filter Setup ........................................................................................ 501
Figure 325 Menu 5: DMZ Setup ........................................................................................................... 502
Figure 326 Menu 5.2: TCP/IP and DHCP Ethernet Setup .................................................................... 502
Figure 327 Menu 5.2.1: IP Alias Setup ................................................................................................. 503
Figure 328 Menu 7: WLAN Setup ......................................................................................................... 505
Figure 329 Menu 7.2: TCP/IP and DHCP Ethernet Setup .................................................................... 506
Figure 330 Menu 7.2.1: IP Alias Setup ................................................................................................. 507
Figure 331 Menu 11: Remote Node Setup ........................................................................................... 509
Figure 332 Menu 11.1: Remote Node Profile for Ethernet Encapsulation ............................................ 510
Figure 333 Menu 11.1: Remote Node Profile for PPPoE Encapsulation .............................................. 512
Figure 334 Menu 11.1: Remote Node Profile for PPTP Encapsulation ................................................ 514
Figure 335 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation ............... 515
Figure 336 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation) .............................................. 516
Figure 337 Menu 11.1.4: Remote Node Filter (PPPoE or PPTP Encapsulation) ................................. 517
Figure 338 Menu 11.1.5: Traffic Redirect Setup ................................................................................... 517
Figure 339 Menu 12: IP Static Route Setup ........................................................................................ 519
Figure 340 Menu 12.1: Edit IP Static Route ......................................................................................... 520
Figure 341 Menu 4: Applying NAT for Internet Access ......................................................................... 522
Figure 342 Menu 11.1.2: Applying NAT to the Remote Node ............................................................... 522
Figure 343 Menu 15: NAT Setup .......................................................................................................... 523
Figure 344 Menu 15.1: Address Mapping Sets .................................................................................... 524
Figure 345 Menu 15.1.255: SUA Address Mapping Rules ................................................................... 524
Figure 346 Menu 15.1.1: First Set ........................................................................................................ 526
Figure 347 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set ......................................... 527
Figure 348 Menu 15.2: NAT Server Sets .............................................................................................. 528
Figure 349 15.2.1: NAT Server Configuration ...................................................................................... 529
Figure 350 Menu 15.2: NAT Server Setup .......................................................................................... 530
Figure 351 Server Behind NAT Example .............................................................................................. 530
Figure 352 NAT Example 1 .................................................................................................................. 531
Figure 353 Menu 4: Internet Access & NAT Example .......................................................................... 531
Figure 354 NAT Example 2 .................................................................................................................. 532
Figure 355 Menu 15.2: Specifying an Inside Server ............................................................................. 532
Figure 356 NAT Example 3 .................................................................................................................. 533
Figure 357 Example 3: Menu 11.1.2 ..................................................................................................... 534
Figure 358 Example 3: Menu 15.1.1.1 ................................................................................................. 534
Figure 359 Example 3: Final Menu 15.1.1 ............................................................................................ 535
Figure 360 Example 3: Menu 15.2 ....................................................................................................... 535
Figure 361 NAT Example 4 .................................................................................................................. 536
Figure 362 Example 4: Menu 15.1.1.1: Address Mapping Rule ........................................................... 536
Figure 363 Example 4: Menu 15.1.1: Address Mapping Rules ............................................................ 537
Figure 364 Menu 15.3.1: Trigger Port Setup ........................................................................................ 538
Figure 365 Menu 21: Filter and Firewall Setup ..................................................................................... 539
Figure 366 Menu 21.2: Firewall Setup .................................................................................................. 540
Figure 367 Outgoing Packet Filtering Process ..................................................................................... 541
Figure 368 Filter Rule Process ............................................................................................................. 543
Figure 369 Menu 21: Filter and Firewall Setup ..................................................................................... 544
Figure 370 Menu 21.1: Filter Set Configuration .................................................................................... 544
Figure 371 Menu 21.1.1: Filter Rules Summary ...................................................................................545
Figure 372 Menu 21.1.1.1: TCP/IP Filter Rule ..................................................................................... 546
Figure 373 Executing an IP Filter ......................................................................................................... 548
Figure 374 Menu 21.1.1.1: Generic Filter Rule .................................................................................... 549
Figure 375 Telnet Filter Example .......................................................................................................... 550
Figure 376 Example Filter: Menu 21.1.3.1 ........................................................................................... 551
Figure 377 Example Filter Rules Summary: Menu 21.1.3 .................................................................... 551
Figure 378 Protocol and Device Filter Sets .......................................................................................... 552
Figure 379 Filtering LAN Traffic ............................................................................................................ 554
Figure 380 Filtering DMZ Traffic ........................................................................................................... 554
Figure 381 Filtering Remote Node Traffic ............................................................................................. 555
Figure 382 Menu 22: SNMP Configuration ........................................................................................... 557
Figure 383 Menu 24: System Maintenance .......................................................................................... 559
Figure 384 Menu 24.1: System Maintenance: Status .......................................................................... 560
Figure 385 Menu 24.2: System Information and Console Port Speed ................................................. 561
Figure 386 Menu 24.2.1: System Maintenance: Information .............................................................. 561
Figure 387 Menu 24.2.2: System Maintenance: Change Console Port Speed .................................... 562
Figure 388 Menu 24.3: System Maintenance: Log and Trace .............................................................. 563
Figure 389 Examples of Error and Information Messages ................................................................... 563
Figure 390 Menu 24.3.2: System Maintenance: Syslog Logging ......................................................... 563
Figure 391 Call-Triggering Packet Example ......................................................................................... 567
Figure 392 Menu 24.4: System Maintenance: Diagnostic .................................................................... 568
Figure 393 WAN & LAN DHCP ............................................................................................................. 568
Figure 394 Telnet into Menu 24.5 ......................................................................................................... 573
Figure 395 FTP Session Example ........................................................................................................ 574
Figure 396 System Maintenance: Backup Configuration ..................................................................... 576
Figure 397 System Maintenance: Starting Xmodem Download Screen ............................................... 576
Figure 398 Backup Configuration Example .......................................................................................... 576
Figure 399 Successful Backup Confirmation Screen ........................................................................... 577
Figure 400 Telnet into Menu 24.6 ......................................................................................................... 578
Figure 401 Restore Using FTP Session Example ................................................................................ 578
Figure 402 System Maintenance: Restore Configuration ..................................................................... 579
Figure 403 System Maintenance: Starting Xmodem Download Screen ............................................... 579
Figure 404 Restore Configuration Example ......................................................................................... 579
Figure 405 Successful Restoration Confirmation Screen ..................................................................... 579
Figure 406 Telnet Into Menu 24.7.1: Upload System Firmware ........................................................... 580
Figure 407 Telnet Into Menu 24.7.2: System Maintenance ................................................................. 581
Figure 408 FTP Session Example of Firmware File Upload ................................................................. 582
Figure 409 Menu 24.7.1 As Seen Using the Console Port ................................................................... 583
Figure 410 Example Xmodem Upload .................................................................................................. 584
Figure 411 Menu 24.7.2 As Seen Using the Console Port .................................................................. 584
Figure 412 Example Xmodem Upload .................................................................................................. 585
Figure 413 Command Mode in Menu 24 .............................................................................................. 587
Figure 414 Valid Commands ................................................................................................................ 588
Figure 415 Call Control ......................................................................................................................... 589
Figure 416 Budget Management .......................................................................................................... 589
Figure 417 Call History ......................................................................................................................... 590
Figure 418 Menu 24: System Maintenance .......................................................................................... 591
Figure 419 Menu 24.10 System Maintenance: Time and Date Setting ................................................ 592
Figure 420 Menu 24.11 – Remote Management Control ..................................................................... 596
Figure 421 Schedule Setup .................................................................................................................. 599
Figure 422 Schedule Set Setup ............................................................................................................ 600
Figure 423 Applying Schedule Set(s) to a Remote Node (PPPoE) ...................................................... 601
Figure 424 Applying Schedule Set(s) to a Remote Node (PPTP) ........................................................ 602
Figure 425 Console/Dial Backup Cable DB-9 End Pin Layout ............................................................. 616
Figure 426 Wall-mounting Example ...................................................................................................... 618
Figure 427 Masonry Plug and M4 Tap Screw .......................................................................................618
Figure 428 Windows 95/98/Me: Network: Configuration ...................................................................... 622
Figure 429 Windows 95/98/Me: TCP/IP Properties: IP Address .......................................................... 623
Figure 430 Windows 95/98/Me: TCP/IP Properties: DNS Configuration .............................................. 624
Figure 431 Windows XP: Start Menu .................................................................................................... 625
Figure 432 Windows XP: Control Panel ............................................................................................... 625
Figure 433 Windows XP: Control Panel: Network Connections: Properties ......................................... 626
Figure 434 Windows XP: Local Area Connection Properties ............................................................... 626
Figure 435 Windows XP: Internet Protocol (TCP/IP) Properties .......................................................... 627
Figure 436 Windows XP: Advanced TCP/IP Properties ....................................................................... 628
Figure 437 Windows XP: Internet Protocol (TCP/IP) Properties .......................................................... 629
Figure 438 Macintosh OS 8/9: Apple Menu .......................................................................................... 630
Figure 439 Macintosh OS 8/9: TCP/IP ................................................................................................. 630
Figure 440 Macintosh OS X: Apple Menu ............................................................................................ 631
Figure 441 Macintosh OS X: Network .................................................................................................. 632
Figure 442 Red Hat 9.0: KDE: Network Configuration: Devices ......................................................... 633
Figure 443 Red Hat 9.0: KDE: Ethernet Device: General .................................................................. 633
Figure 444 Red Hat 9.0: KDE: Network Configuration: DNS ............................................................... 634
Figure 445 Red Hat 9.0: KDE: Network Configuration: Activate ........................................................ 634
Figure 446 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0 ............................................... 635
Figure 447 Red Hat 9.0: Static IP Address Setting in ifconfig-eth0 ................................................... 635
Figure 448 Red Hat 9.0: DNS Settings in resolv.conf ........................................................................ 635
Figure 449 Red Hat 9.0: Restart Ethernet Card ................................................................................. 635
Figure 450 Red Hat 9.0: Checking TCP/IP Properties ....................................................................... 636
Figure 451 Pop-up Blocker ................................................................................................................... 637
Figure 452 Internet Options: Privacy .................................................................................................... 638
Figure 453 Internet Options: Privacy .................................................................................................... 639
Figure 454 Pop-up Blocker Settings ..................................................................................................... 639
Figure 455 Internet Options: Security ................................................................................................... 640
Figure 456 Security Settings - Java Scripting ....................................................................................... 641
Figure 457 Security Settings - Java ...................................................................................................... 641
Figure 458 Java (Sun) .......................................................................................................................... 642
Figure 459 Mozilla Firefox: Tools > Options ......................................................................................... 643
Figure 460 Mozilla Firefox Content Security ......................................................................................... 643
Figure 461 Network Number and Host ID ............................................................................................ 646
Figure 462 Subnetting Example: Before Subnetting ............................................................................ 648
Figure 463 Subnetting Example: After Subnetting ............................................................................... 649
Figure 464 Security Certificate ............................................................................................................. 657
Figure 465 Login Screen ...................................................................................................................... 658
Figure 466 Certificate General Information before Import .................................................................... 658
Figure 467 Certificate Import Wizard 1 ................................................................................................. 659
Figure 468 Certificate Import Wizard 2 ................................................................................................. 659
Figure 469 Certificate Import Wizard 3 ................................................................................................. 660
Figure 470 Root Certificate Store ......................................................................................................... 660
Figure 471 Certificate General Information after Import ....................................................................... 661
Figure 472 ZyWALL Trusted CA Screen .............................................................................................. 662
Figure 473 CA Certificate Example ...................................................................................................... 663
Figure 474 Personal Certificate Import Wizard 1 .................................................................................. 664
Figure 475 Personal Certificate Import Wizard 2 .................................................................................. 664
Figure 476 Personal Certificate Import Wizard 3 .................................................................................. 665
Figure 477 Personal Certificate Import Wizard 4 .................................................................................. 665
Figure 478 Personal Certificate Import Wizard 5 .................................................................................. 666
Figure 479 Personal Certificate Import Wizard 6 .................................................................................. 666
Figure 480 Access the ZyWALL Via HTTPS ........................................................................................ 666
Figure 481 SSL Client Authentication ................................................................................................... 667
Figure 482 ZyWALL Secure Login Screen ........................................................................................... 667
List of Tables
Table 1 Front Panel LEDs ...................................................................................................................... 49
Table 2 Title Bar: Web Configurator Icons ............................................................................................. 54
Table 3 Web Configurator HOME Screen in Router Mode .................................................................... 55
Table 4 Web Configurator HOME Screen in Bridge Mode .................................................................... 58
Table 5 Bridge and Router Mode Features Comparison ....................................................................... 60
Table 6 Screens Summary .................................................................................................................... 61
Table 7 HOME > Show Statistics ........................................................................................................... 64
Table 8 HOME > DHCP Table ............................................................................................................... 65
Table 9 HOME > VPN Status ................................................................................................................. 66
Table 10 ADVANCED > BW MGMT > Monitor ...................................................................................... 67
Table 11 ISP Parameters: Ethernet Encapsulation ................................................................................ 70
Table 12 ISP Parameters: PPPoE Encapsulation ................................................................................. 72
Table 13 ISP Parameters: PPTP Encapsulation .................................................................................... 74
Table 14 Internet Access Wizard: Registration ...................................................................................... 77
Table 15 VPN Wizard: Gateway Setting ................................................................................................ 80
Table 16 VPN Wizard: Network Setting ................................................................................................. 81
Table 17 VPN Wizard: IKE Tunnel Setting ............................................................................................. 83
Table 18 VPN Wizard: IPSec Setting ..................................................................................................... 84
Table 19 VPN Wizard: VPN Status ........................................................................................................ 86
Table 20 REGISTRATION ................................................................................................................... 128
Table 21 REGISTRATION > Service ................................................................................................... 130
Table 22 NETWORK > LAN ................................................................................................................. 137
Table 23 NETWORK > LAN > Static DHCP ........................................................................................ 140
Table 24 NETWORK > LAN > IP Alias ................................................................................................ 141
Table 25 NETWORK > LAN > Port Roles ............................................................................................ 142
Table 26 STP Path Costs .................................................................................................................... 146
Table 27 STP Port States .................................................................................................................... 147
Table 28 NETWORK > Bridge ............................................................................................................. 148
Table 29 NETWORK > Bridge > Port Roles ........................................................................................150
Table 30 NETWORK > WAN Route ..................................................................................................... 152
Table 31 Private IP Address Ranges ................................................................................................... 153
Table 32 NETWORK > WAN > WAN (Ethernet Encapsulation) .......................................................... 155
Table 33 NETWORK > WAN > WAN (PPPoE Encapsulation) ............................................................ 158
Table 34 NETWORK > WAN > WAN (PPTP Encapsulation) ............................................................... 161
Table 35 NETWORK > WAN > Traffic Redirect ................................................................................... 165
Table 36 NETWORK > WAN > Dial Backup ........................................................................................ 166
Table 37 NETWORK > WAN > Dial Backup > Edit .............................................................................. 169
Table 38 NETWORK > DMZ ................................................................................................................ 172
Table 39 NETWORK > DMZ > Static DHCP ........................................................................................ 175
Table 40 NETWORK > DMZ > IP Alias ............................................................................................... 176
Table 41 NETWORK > DMZ > Port Roles ...........................................................................................179
Table 42 NETWORK > WLAN ............................................................................................................. 182
Table 43 NETWORK > WLAN > Static DHCP ..................................................................................... 185
Table 44 NETWORK > WLAN > IP Alias ............................................................................................. 186
Table 45 NETWORK > WLAN > Port Roles ........................................................................................ 188
Table 46 Blocking All LAN to WAN IRC Traffic Example ..................................................................... 200
Table 47 Limited LAN to WAN IRC Traffic Example ............................................................................ 201
Table 48 SECURITY > FIREWALL > Default Rule (Router Mode) ...................................................... 203
Table 49 SECURITY > FIREWALL > Default Rule (Bridge Mode) ...................................................... 205
Table 50 SECURITY > FIREWALL > Rule Summary .......................................................................... 207
Table 51 SECURITY > FIREWALL > Rule Summary > Edit ................................................................ 210
Table 52 SECURITY > FIREWALL > Anti-Probing .............................................................................. 212
Table 53 SECURITY > FIREWALL > Threshold .................................................................................. 214
Table 54 SECURITY > FIREWALL > Service ...................................................................................... 215
Table 55 SECURITY > FIREWALL > Service > Add ........................................................................... 216
Table 56 SECURITY > CONTENT FILTER > General ........................................................................ 225
Table 57 SECURITY > CONTENT FILTER > Policy ........................................................................... 228
Table 58 SECURITY > CONTENT FILTER > Policy > General ........................................................... 229
Table 59 SECURITY > CONTENT FILTER > Policy > External Database .......................................... 231
Table 60 SECURITY > CONTENT FILTER > Policy > Customization ................................................. 238
Table 61 SECURITY > CONTENT FILTER > Policy > Schedule ........................................................ 240
Table 62 SECURITY > CONTENT FILTER > Object ........................................................................... 241
Table 63 SECURITY > CONTENT FILTER > Cache ........................................................................... 244
Table 64 SECURITY > VPN > VPN Rules (IKE) ................................................................................. 256
Table 65 VPN Example: Matching ID Type and Content ..................................................................... 259
Table 66 VPN Example: Mismatching ID Type and Content ............................................................... 259
Table 67 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy ............................................. 266
Table 68 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy .............................................. 275
Table 69 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding ................. 279
Table 70 SECURITY > VPN > VPN Rules (IKE) > Move Network Policy ............................................ 280
Table 71 SECURITY > VPN > VPN Rules (Manual) ........................................................................... 282
Table 72 SECURITY > VPN > VPN Rules (Manual) > Edit ................................................................. 283
Table 73 SECURITY > VPN > SA Monitor ..........................................................................................286
Table 74 SECURITY > VPN > Global Setting ......................................................................................288
Table 75 Telecommuters Sharing One VPN Rule Example ................................................................. 290
Table 76 Telecommuters Using Unique VPN Rules Example ............................................................. 291
Table 77 SECURITY > CERTIFICATES > My Certificates .................................................................. 298
Table 78 SECURITY > CERTIFICATES > My Certificates > Details ................................................... 300
Table 79 SECURITY > CERTIFICATES > My Certificates > Export .................................................... 303
Table 80 SECURITY > CERTIFICATES > My Certificates > Import .................................................... 304
Table 81 SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12 .................................. 305
Table 82 SECURITY > CERTIFICATES > My Certificates > Create ................................................... 307
Table 83 SECURITY > CERTIFICATES > Trusted CAs .......................................................................311
Table 84 SECURITY > CERTIFICATES > Trusted CAs > Details ....................................................... 313
Table 85 SECURITY > CERTIFICATES > Trusted CAs Import ........................................................... 315
Table 86 SECURITY > CERTIFICATES > Trusted Remote Hosts ...................................................... 316
Table 87 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details ....................................... 317
Table 88 SECURITY > CERTIFICATES > Trusted Remote Hosts > Import ........................................ 319
Table 89 SECURITY > CERTIFICATES > Directory Servers .............................................................. 320
Table 90 SECURITY > CERTIFICATES > Directory Server > Add ..................................................... 321
Table 91 SECURITY > AUTH SERVER > Local User Database ......................................................... 325
Table 92 SECURITY > AUTH SERVER > RADIUS ............................................................................ 326
Table 93 NAT Definitions ..................................................................................................................... 331
Table 94 NAT Mapping Types .............................................................................................................. 335
Table 95 ADVANCED > NAT > NAT Overview .................................................................................... 336
Table 96 ADVANCED > NAT > Address Mapping ............................................................................... 338
Table 97 ADVANCED > NAT > Address Mapping > Edit ..................................................................... 340
Table 98 ADVANCED > NAT > Port Forwarding .................................................................................. 343
Table 99 ADVANCED > NAT > Port Triggering ................................................................................... 345
Table 100 ADVANCED > STATIC ROUTE > IP Static Route .............................................................. 348
Table 101 ADVANCED > STATIC ROUTE > IP Static Route > Edit .................................................... 349
Table 102 Application and Subnet-based Bandwidth Management Example ..................................... 352
Table 103 Maximize Bandwidth Usage Example ................................................................................. 354
Table 104 Priority-based Allotment of Unused and Unbudgeted Bandwidth Example ........................ 354
Table 105 Fairness-based Allotment of Unused and Unbudgeted Bandwidth Example ..................... 355
Table 106 Bandwidth Borrowing Example ........................................................................................... 356
Table 107 Over Allotment of Bandwidth Example ............................................................................... 356
Table 108 ADVANCED > BW MGMT > Summary ............................................................................... 357
Table 109 ADVANCED > BW MGMT > Class Setup ........................................................................... 359
Table 110 ADVANCED > BW MGMT > Class Setup > Add Sub-Class ............................................... 360
Table 111 Services and Port Numbers ................................................................................................. 362
Table 112 ADVANCED > BW MGMT > Class Setup > Statistics ......................................................... 363
Table 113 ADVANCED > BW MGMT > Monitor ................................................................................... 364
Table 114 ADVANCED > DNS > System DNS .................................................................................... 368
Table 115 ADVANCED > DNS > Add (Address Record) ..................................................................... 369
Table 116 ADVANCED > DNS > Insert (Name Server Record) ........................................................... 370
Table 117 ADVANCED > DNS > Cache ..............................................................................................372
Table 118 ADVANCED > DNS > DHCP ...............................................................................................373
Table 119 ADVANCED > DNS > DDNS ...............................................................................................375
Table 120 ADVANCED > REMOTE MGMT > WWW ........................................................................... 380
Table 121 ADVANCED > REMOTE MGMT > SSH ............................................................................. 387
Table 122 ADVANCED > REMOTE MGMT > TELNET ....................................................................... 390
Table 123 ADVANCED > REMOTE MGMT > FTP .............................................................................. 391
Table 124 SNMP Traps ........................................................................................................................ 393
Table 125 ADVANCED > REMOTE MGMT > SNMP .......................................................................... 394
Table 126 ADVANCED > REMOTE MGMT > DNS ............................................................................. 395
Table 127 ADVANCED > REMOTE MGMT > CNM ............................................................................. 396
Table 128 ADVANCED > UPnP ........................................................................................................... 400
Table 129 ADVANCED > UPnP > Ports .............................................................................................. 401
Table 130 ADVANCED > Custom APP ................................................................................................ 410
Table 131 ADVANCED > ALG ............................................................................................................. 415
Table 132 LOGS > View Log ............................................................................................................... 420
Table 133 Log Description Example .................................................................................................... 420
Table 134 LOGS > Log Settings .......................................................................................................... 424
Table 135 LOGS > Reports ................................................................................................................. 426
Table 136 LOGS > Reports: Web Site Hits Report .............................................................................. 427
Table 137 LOGS > Reports: Host IP Address .....................................................................................428
Table 138 LOGS > Reports: Protocol/ Port .......................................................................................... 429
Table 139 Report Specifications .......................................................................................................... 430
Table 140 System Maintenance Logs .................................................................................................. 430
Table 141 System Error Logs .............................................................................................................. 432
Table 142 Access Control Logs ........................................................................................................... 432
Table 143 TCP Reset Logs .................................................................................................................. 433
Table 144 Packet Filter Logs ............................................................................................................... 433
Table 145 ICMP Logs .......................................................................................................................... 433
Table 146 CDR Logs ........................................................................................................................... 434
Table 147 PPP Logs ............................................................................................................................ 434
Table 148 UPnP Logs .......................................................................................................................... 434
Table 149 Content Filtering Logs ......................................................................................................... 435
Table 150 Attack Logs ......................................................................................................................... 435
Table 151 Remote Management Logs ................................................................................................. 437
Table 152 IPSec Logs .......................................................................................................................... 437
Table 153 IKE Logs ............................................................................................................................. 438
Table 154 PKI Logs ............................................................................................................................. 441
Table 155 Certificate Path Verification Failure Reason Codes ............................................................ 442
Table 156 ACL Setting Notes .............................................................................................................. 442
Table 157 ICMP Notes ......................................................................................................................... 443
Table 158 Syslog Logs ........................................................................................................................ 445
Table 159 RFC-2408 ISAKMP Payload Types .................................................................................... 446
Table 160 MAINTENANCE > General Setup ....................................................................................... 448
Table 161 MAINTENANCE > Password ..............................................................................................449
Table 162 MAINTENANCE > Time and Date ...................................................................................... 450
Table 163 MAC-address-to-port Mapping Table .................................................................................. 453
Table 164 MAINTENANCE > Device Mode (Router Mode) ................................................................. 455
Table 165 MAINTENANCE > Device Mode (Bridge Mode) ................................................................. 456
Table 166 MAINTENANCE > Firmware Upload .................................................................................. 458
Table 167 Restore Configuration ......................................................................................................... 460
Table 168 MAINTENANCE > Diagnostics ...........................................................................................463
Table 169 Main Menu Commands ....................................................................................................... 468
Table 170 Main Menu Summary .......................................................................................................... 470
Table 171 SMT Menus Overview ......................................................................................................... 471
Table 172 Menu 1: General Setup (Router Mode) ............................................................................... 475
Table 173 Menu 1: General Setup (Bridge Mode) ............................................................................... 476
Table 174 Menu 1.1: Configure Dynamic DNS .................................................................................... 477
Table 175 Menu 1.1.1: DDNS Host Summary ..................................................................................... 478
Table 176 Menu 1.1.1: DDNS Edit Host .............................................................................................. 479
Table 177 MAC Address Cloning in WAN Setup ................................................................................. 482
Table 178 Menu 2: Dial Backup Setup ................................................................................................ 483
Table 179 Advanced WAN Port Setup: AT Commands Fields ............................................................ 484
Table 180 Advanced WAN Port Setup: Call Control Parameters ........................................................ 485
Table 181 Menu 11.3: Remote Node Profile (Backup ISP) .................................................................. 486
Table 182 Menu 11.2.2: Remote Node Network Layer Options .......................................................... 487
Table 183 Menu 11.2.3: Remote Node Script ...................................................................................... 489
Table 184 Menu 3.2: DHCP Ethernet Setup Fields ............................................................................. 493
Table 185 Menu 3.2: LAN TCP/IP Setup Fields .................................................................................. 494
Table 186 Menu 3.2.1: IP Alias Setup ................................................................................................. 495
Table 187 Menu 4: Internet Access Setup (Ethernet) ......................................................................... 498
Table 188 New Fields in Menu 4 (PPTP) Screen ................................................................................ 499
Table 189 New Fields in Menu 4 (PPPoE) screen ............................................................................... 500
Table 190 Menu 11.1: Remote Node Profile for Ethernet Encapsulation ............................................. 510
Table 191 Fields in Menu 11.1 (PPPoE Encapsulation Specific) ......................................................... 513
Table 192 Menu 11.1: Remote Node Profile for PPTP Encapsulation ................................................. 514
Table 193 Remote Node Network Layer Options Menu Fields ............................................................ 515
Table 194 Menu 11.1.5: Traffic Redirect Setup .................................................................................... 517
Table 195 Menu 12.1: Edit IP Static Route ......................................................................... 520
Table 196 Applying NAT in Menus 4 & 11.1.2 ...................................................................................... 523
Table 197 SUA Address Mapping Rules ............................................................................................. 525
Table 198 Fields in Menu 15.1.1 .......................................................................................................... 526
Table 199 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set .......................................... 527
Table 200 15.2.1: NAT Server Configuration ....................................................................................... 529
Table 201 Menu 15.3: Trigger Port Setup ............................................................................................ 538
Table 202 Abbreviations Used in the Filter Rules Summary Menu ..................................................... 545
Table 203 Rule Abbreviations Used .................................................................................................... 545
Table 204 Menu 21.1.1.1: TCP/IP Filter Rule ...................................................................................... 547
Table 205 Generic Filter Rule Menu Fields ......................................................................................... 549
Table 206 SNMP Configuration Menu Fields ....................................................................................... 557
Table 207 SNMP Traps ........................................................................................................................ 558
Table 208 System Maintenance: Status Menu Fields .......................................................................... 560
Table 209 Fields in System Maintenance: Information ........................................................................ 562
Table 210 System Maintenance Menu Syslog Parameters ................................................................. 564
Table 211 System Maintenance Menu Diagnostic ............................................................................... 568
Table 212 Filename Conventions ........................................................................................................ 572
Table 213 General Commands for GUI-based FTP Clients ................................................................ 574
Table 214 General Commands for GUI-based TFTP Clients .............................................................. 575
Table 215 Valid Commands ................................................................................................................. 588
Table 216 Budget Management ........................................................................................................... 590
Table 217 Call History .......................................................................................................................... 591
Table 218 Menu 24.10 System Maintenance: Time and Date Setting ................................................. 592
Table 219 Menu 24.11 – Remote Management Control ...................................................................... 596
Table 220 Schedule Set Setup ............................................................................................................ 600
Table 221 Hardware Specifications ..................................................................................................... 613
Table 222 Firmware Specifications ...................................................................................................... 613
Table 223 Feature and Performance Specifications ............................................................................ 615
Table 224 Console Cable Pin Assignments ......................................................................................... 616
Table 225 Dial Backup Cable Pin Assignments ...................................................................................616
Table 226 Ethernet Cable Pin Assignments ........................................................................................ 616
Table 227 IP Address Network Number and Host ID Example ........................................................... 646
Table 228 Subnet Masks ..................................................................................................................... 647
Table 229 Maximum Host Numbers .................................................................................................... 647
Table 230 Alternative Subnet Mask Notation ....................................................................................... 647
Table 231 Subnet 1 .............................................................................................................................. 649
Table 232 Subnet 2 .............................................................................................................................. 650
Table 233 Subnet 3 .............................................................................................................................. 650
Table 234 Subnet 4 .............................................................................................................................. 650
Table 235 Eight Subnets ...................................................................................................................... 650
Table 236 24-bit Network Number Subnet Planning ............................................................................ 651
Table 237 16-bit Network Number Subnet Planning ............................................................................ 651
Table 238 Commonly Used Services ................................................................................................... 654
PART I
Introduction and Registration
Getting to Know Your ZyWALL (47)
Introducing the Web Configurator (51)
Wizard Setup (69)
Tutorials (89)
Registration (127)
CHAPTER 1 Getting to Know Your ZyWALL

This chapter introduces the main features and applications of the ZyWALL.

1.1 ZyWALL Internet Security Appliance Overview

The ZyWALL is loaded with security features including VPN, firewall, content filtering and certificates. The ZyWALL’s De-Militarized Zone (DMZ) increases LAN security by providing separate ports for connecting publicly accessible servers. The ZyWALL provides the option to change port roles from LAN to DMZ.
You can also deploy the ZyWALL as a transparent firewall in an existing network with minimal configuration.
The ZyWALL provides bandwidth management, NAT, port forwarding, DHCP server and many other powerful features.
You can add an IEEE 802.11a/b/g-compliant wireless LAN by connecting an access point (AP) to an Ethernet port in a WLAN port role.
See Chapter 46 on page 613 for a complete list of features.

1.2 Applications for the ZyWALL

Here are some examples of what you can do with your ZyWALL.

1.2.1 Secure Broadband Internet Access via Cable or DSL Modem

For Internet access, connect the WAN Ethernet port to your existing Internet access gateway (company network, or your cable or DSL modem for example). Connect computers or servers to the LAN ports for shared Internet access.
The ZyWALL guarantees not only high speed Internet access, but secure internal network protection and traffic management as well.
Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem

1.2.2 VPN Application

ZyWALL VPN is an ideal cost-effective way to connect branch offices, business partners and telecommuters over the Internet without the need (and expense) for leased lines between sites.
Figure 2 VPN Application

1.3 Ways to Manage the ZyWALL

Use any of the following methods to manage the ZyWALL.
• Web Configurator. This is recommended for everyday management of the ZyWALL using a (supported) web browser.
• Command Line Interface. Line commands are mostly used for troubleshooting by service engineers.
• SMT. System Management Terminal is a text-based configuration menu that you can use to configure your device.
• FTP. Use FTP for firmware upgrades and configuration backup/restore (see Chapter 41 on page 571).
• SNMP. The device can be monitored by an SNMP manager. See the SNMP chapter in this User’s Guide.
• Vantage CNM (Centralized Network Management). The device can be remotely managed using a Vantage CNM server.

1.4 Good Habits for Managing the ZyWALL

Do the following things regularly to make the ZyWALL more secure and to manage the ZyWALL more effectively.
• Change the password. Use a password that’s not easy to guess and that consists of different types of characters, such as numbers and letters.
• Write down the password and put it in a safe place.
• Back up the configuration (and make sure you know how to restore it). Restoring an earlier working configuration may be useful if the device becomes unstable or even crashes. If you forget your password, you will have to reset the ZyWALL to its factory default settings. If you backed up an earlier configuration file, you would not have to totally re-configure the ZyWALL. You could simply restore your last configuration.

1.5 LEDs

Figure 3 Front Panel
The following table describes the lights.
Table 1 Front Panel LEDs
LED         COLOR   STATUS    DESCRIPTION
PWR         -       Off       The ZyWALL is turned off.
PWR         Green   On        The ZyWALL is ready and running.
PWR         Green   Flashing  The ZyWALL is restarting.
PWR         Red     On        The power to the ZyWALL is too low.
ACT         Green   Off       The backup port is not connected.
ACT         Green   On        The backup port is connected.
ACT         Green   Flashing  The backup port is sending or receiving packets.
LAN 10/100  -       Off       The LAN/DMZ/WLAN is not connected.
LAN 10/100  Green   On        The ZyWALL has a successful 10Mbps Ethernet connection.
LAN 10/100  Green   Flashing  The 10M LAN/DMZ/WLAN is sending or receiving packets.
LAN 10/100  Orange  On        The ZyWALL has a successful 100Mbps Ethernet connection.
LAN 10/100  Orange  Flashing  The 100M LAN/DMZ/WLAN is sending or receiving packets.
WAN 10/100  -       Off       The WAN connection is not ready, or has failed.
WAN 10/100  Green   On        The ZyWALL has a successful 10Mbps WAN connection.
WAN 10/100  Green   Flashing  The 10M WAN is sending or receiving packets.
WAN 10/100  Orange  On        The ZyWALL has a successful 100Mbps WAN connection.
WAN 10/100  Orange  Flashing  The 100M WAN is sending or receiving packets.
CHAPTER 2 Introducing the Web Configurator

This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens.

2.1 Web Configurator Overview

The web configurator is an HTML-based management interface that allows easy ZyWALL setup and management via Internet browser. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions. The recommended screen resolution is 1024 by 768 pixels.
In order to use the web configurator you need to allow:
• Web browser pop-up windows from your device. Web pop-up blocking is enabled by default in Windows XP SP (Service Pack) 2.
• JavaScript (enabled by default).
• Java permissions (enabled by default).
See Appendix B on page 637 if you want to make sure these functions are allowed in Internet Explorer or Netscape Navigator.

2.2 Accessing the ZyWALL Web Configurator

Note: By default, the packets from WLAN to WLAN/ZyWALL are dropped and users cannot configure the ZyWALL wirelessly.
1 Make sure your ZyWALL hardware is properly connected and prepare your computer/computer network to connect to the ZyWALL (refer to the Quick Start Guide).
2 Launch your web browser.
3 Type "192.168.1.1" as the URL.
4 Type "1234" (default) as the password and click Login. In some versions, the default password appears automatically - if this is the case, click Login.
5 You should see a screen asking you to change your password (highly recommended) as shown next. Type a new password (and retype it to confirm) and click Apply or click Ignore.
Figure 4 Change Password Screen
6 Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device.
Note: If you do not replace the default certificate here or in the CERTIFICATES screen, this screen displays every time you access the web configurator.
Figure 5 Replace Certificate Screen
7 You should now see the HOME screen (see Figure 8 on page 55).
Note: The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the ZyWALL if this happens to you.

2.3 Resetting the ZyWALL

If you forget your password or cannot access the web configurator, you will need to reload the factory-default configuration file or use the RESET button on the back of the ZyWALL. Uploading this configuration file replaces the current configuration file with the factory-default configuration file. This means that you will lose all configurations that you had previously, and the speed of the console port will be reset to the default of 9600bps with 8 data bits, no parity, one stop bit and flow control set to none. The password will also be reset to 1234.

2.3.1 Procedure To Use The Reset Button

Make sure the PWR LED is on (not blinking) before you begin this procedure.
1 Press the RESET button for ten seconds, and then release it. If the PWR LED begins to blink, the defaults have been restored and the ZyWALL restarts. Otherwise, go to step 2.
2 Turn the ZyWALL off.
3 While pressing the RESET button, turn the ZyWALL on.
4 Continue to hold the RESET button. The PWR LED will begin to blink and flicker very quickly after about 20 seconds. This indicates that the defaults have been restored and the ZyWALL is now restarting.
5 Release the RESET button and wait for the ZyWALL to finish restarting.

2.3.2 Uploading a Configuration File Via Console Port

1 Download the default configuration file from the ZyXEL FTP site, unzip it and save it in a folder.
2 Turn off the ZyWALL, begin a terminal emulation software session and turn on the ZyWALL again. When you see the message "Press Any key to enter Debug Mode within 3 seconds", press any key to enter debug mode.
3 Enter "y" at the prompt below to go into debug mode.
4 Enter "atlc" after the "Enter Debug Mode" message.
5 Wait for the "Starting XMODEM upload" message before activating Xmodem upload on your terminal. This is an example Xmodem configuration upload using HyperTerminal.
Figure 6 Example Xmodem Upload
Type the configuration file’s location, or click Browse to search for it.
Choose the Xmodem protocol.
Then click Send.
6 After the upload completes successfully, enter "atgo" to restart the ZyWALL.
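The Xmodem transfer that step 5 hands over to the terminal program, shown as an added example that is not part of the ZyXEL guide or of ZyNOS: a Python model of the classic 128-byte checksum XMODEM exchange, with a sender that frames the file and an in-memory stand-in for the device's console loader that validates every block, answers a corrupted one with NAK and accepts the retransmission. The receiver's behaviour is generic XMODEM and is an assumption, not taken from the ZyWALL firmware; in a real recovery the frames would go out over the console port at 9600bps, 8N1, no flow control (for instance with a serial library such as pyserial) once the "Starting XMODEM upload" message has appeared.

```python
"""
Added example: a model of the 128-byte checksum XMODEM transfer used in
step 5. Not ZyXEL code; the receiver stands in for the ZyWALL's console
loader and is an assumption about generic XMODEM behaviour.
"""

SOH, EOT, ACK, NAK, CAN, SUB = 0x01, 0x04, 0x06, 0x15, 0x18, 0x1A
BLOCK = 128          # classic XMODEM payload size (1K-XMODEM uses 1024)


def xmodem_frames(data: bytes) -> list:
    """Split data into wire frames: SOH, block#, 255-block#, 128 bytes, checksum.

    The last block is padded with SUB (0x1A) because XMODEM carries no
    length field; the checksum is the arithmetic sum of the payload mod 256.
    """
    frames = []
    for index, offset in enumerate(range(0, len(data), BLOCK), start=1):
        payload = data[offset:offset + BLOCK].ljust(BLOCK, bytes([SUB]))
        seq = index & 0xFF                       # block numbers wrap from 255 to 0
        header = bytes([SOH, seq, 0xFF - seq])   # complement lets the receiver catch a bad header
        frames.append(header + payload + bytes([sum(payload) & 0xFF]))
    return frames


class XmodemReceiver:
    """In-memory stand-in for the device side of the transfer (assumed behaviour)."""

    def __init__(self):
        self.expected = 1          # next block number we will accept
        self.received = bytearray()
        self.complete = False

    def feed(self, frame: bytes) -> int:
        """Validate one frame and return the single-byte reply the device would send."""
        if frame == bytes([EOT]):
            self.complete = True
            return ACK
        if len(frame) != 3 + BLOCK + 1 or frame[0] != SOH:
            return NAK                                   # malformed frame: ask for a resend
        seq, seq_complement = frame[1], frame[2]
        if seq ^ seq_complement != 0xFF:
            return NAK                                   # header corrupted in transit
        payload, checksum = frame[3:3 + BLOCK], frame[3 + BLOCK]
        if sum(payload) & 0xFF != checksum:
            return NAK                                   # payload corrupted in transit
        if seq == ((self.expected - 1) & 0xFF):
            return ACK                                   # duplicate of the last accepted block (our ACK was lost)
        if seq != (self.expected & 0xFF):
            return CAN                                   # out of sequence: abort rather than guess
        self.received += payload
        self.expected += 1
        return ACK

    def result(self) -> bytes:
        """Reassembled file with trailing SUB padding stripped.

        XMODEM cannot tell padding from real trailing 0x1A bytes, which is why
        the device must still validate the image it receives rather than trust the link.
        """
        return bytes(self.received).rstrip(bytes([SUB]))


def send_file(data: bytes, receiver: XmodemReceiver, corrupt_block: int = None,
              max_tries: int = 10):
    """Drive a transfer; returns (success, retransmissions).

    corrupt_block simulates line noise: the first attempt at that block number
    is sent with a flipped checksum so the NAK/retry path is exercised.
    """
    retransmissions = 0
    for frame in xmodem_frames(data):
        for attempt in range(max_tries):
            wire = frame
            if corrupt_block is not None and frame[1] == corrupt_block and attempt == 0:
                wire = frame[:-1] + bytes([frame[-1] ^ 0xFF])
            reply = receiver.feed(wire)
            if reply == ACK:
                break
            if reply == CAN:
                return False, retransmissions
            retransmissions += 1
        else:
            return False, retransmissions                # gave up on this block
    return receiver.feed(bytes([EOT])) == ACK, retransmissions


if __name__ == "__main__":
    # Constructed sample "configuration file": 516 bytes, so 5 blocks with padding.
    sample = bytes(range(256)) * 2 + b"tail"
    rx = XmodemReceiver()
    ok, retries = send_file(sample, rx, corrupt_block=3)
    print(f"transfer ok={ok} retransmissions={retries} intact={rx.result() == sample}")
```

The sequence number and its complement are what stop a burst of line noise from being accepted as a block header, and the checksum is all that protects the payload; neither is an integrity guarantee against a deliberately altered file, so the configuration image you feed the console should come from the vendor's FTP site and be checked there, not trusted because the transfer completed.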

2.4 Navigating the ZyWALL Web Configurator

The following summarizes how to navigate the web configurator from the HOME screen. This guide uses the ZyWALL 70 screenshots as an example. The screens may vary slightly for different ZyWALL models.
Figure 7 HOME Screen
As illustrated above, the main screen is divided into these parts:
A - title bar
B - navigation panel
C - main window
D - status bar

2.4.1 Title Bar

The title bar provides some icons in the upper right corner.
The icons provide the following functions.
Table 2 Title Bar: Web Configurator Icons
ICON DESCRIPTION
Wizard: Click this icon to open one of the web configurator wizards. See Chapter 3 on page 69 for more information.
Help: Click this icon to open the help page for the current screen.

2.4.2 Main Window

The main window shows the screen you select in the navigation panel. It is discussed in more detail in the rest of this document.
Right after you log in, the HOME screen is displayed. The screen varies according to the device mode you select in the MAINTENANCE > Device Mode screen.
2.4.3 HOME Screen: Router Mode
The following screen displays when the ZyWALL is set to router mode. This screen displays general status information about the ZyWALL. The ZyWALL is set to router mode by default.
Figure 8 Web Configurator HOME Screen in Router Mode
The following table describes the labels in this screen.
Table 3 Web Configurator HOME Screen in Router Mode
LABEL DESCRIPTION
Automatic Refresh Interval: Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics.
Refresh: Click this button to update the status screen statistics immediately.
System Information
System Name: This is the System Name you enter in the MAINTENANCE > General screen. It is for identification purposes. Click the field label to go to the screen where you can specify a name for this ZyWALL.
Model: This is the model name of your ZyWALL.
Bootbase Version: This is the bootbase version and the date created.
Firmware Version: This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design. Click the field label to go to the screen where you can upload a new firmware file.
Up Time: This field displays how long the ZyWALL has been running since it last started up. The ZyWALL starts up when you turn it on, when you restart it (MAINTENANCE > Restart), or when you reset it (see Section 2.3 on page 53).
System Time: This field displays your ZyWALL’s present date (in yyyy-mm-dd format) and time (in hh:mm:ss format) along with the difference from the Greenwich Mean Time (GMT) zone. The difference from GMT is based on the time zone. It is also adjusted for Daylight Saving Time if you set the ZyWALL to use it. Click the field label to go to the screen where you can modify the ZyWALL’s date and time settings.
Device Mode: This displays whether the ZyWALL is functioning as a router or a bridge. Click the field label to go to the screen where you can configure the ZyWALL as a router or a bridge.
Firewall: This displays whether or not the ZyWALL’s firewall is activated. Click the field label to go to the screen where you can turn the firewall on or off.
System Resources
Flash: The first number shows how many megabytes of the flash the ZyWALL is using.
Memory: The first number shows how many megabytes of the heap memory the ZyWALL is using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running processes like NAT, VPN and the firewall. The second number shows the ZyWALL's total heap memory (in megabytes). The bar displays what percent of the ZyWALL's heap memory is in use. The bar turns from green to red when the maximum is being approached.
Sessions: The first number shows how many sessions are currently open on the ZyWALL. This includes all sessions that are currently traversing the ZyWALL, terminating at the ZyWALL or initiated from the ZyWALL. The second number is the maximum number of sessions that can be open at one time. The bar displays what percent of the maximum number of sessions is in use. The bar turns from green to red when the maximum is being approached.
CPU: This field displays what percentage of the ZyWALL’s processing ability is currently used. When this percentage is close to 100%, the ZyWALL is running at full load, and the throughput is not going to improve anymore. If you want some applications to have more throughput, you should turn off other applications (for example, using bandwidth management).
Interfaces: This is the port type. Click "+" to expand or "-" to collapse the IP alias drop-down lists.
Status: For the LAN, DMZ and WLAN ports, this displays the port speed and duplex setting. Ethernet port connections can be in half-duplex or full-duplex mode. Full-duplex refers to a device's ability to send and receive simultaneously, while half-duplex indicates that traffic can flow in only one direction at a time. The Ethernet port must use the same speed or duplex mode setting as the peer Ethernet port in order to connect. For the WAN and Dial Backup ports, it displays the port speed and duplex setting if you’re using Ethernet encapsulation and Down (line is down or not connected), Idle (line (ppp) idle), Dial (starting to trigger a call) or Drop (dropping a call) if you’re using PPPoE encapsulation.
IP/Netmask: This shows the port’s IP address and subnet mask.
IP Assignment: For the WAN, if the ZyWALL gets its IP address automatically from an ISP, this displays DHCP client when you’re using Ethernet encapsulation and IPCP Client when you’re using PPPoE or PPTP encapsulation. Static displays if the WAN port is using a manually entered static (fixed) IP address. For the LAN, DHCP server displays when the ZyWALL is set to automatically give IP address information to the computers connected to the LAN. DHCP relay displays when the ZyWALL is set to forward IP address assignment requests to another DHCP server. Static displays if the LAN port is using a manually entered static (fixed) IP address. In this case, you must have another DHCP server on your LAN, or else the computers must be manually configured. For the dial backup port, this shows N/A when dial backup is disabled and IPCP client when dial backup is enabled.
Renew: If you are using Ethernet encapsulation and the WAN port is configured to get the IP address automatically from the ISP, click Renew to release the WAN port’s dynamically assigned IP address and get the IP address afresh. Click Dial to dial up the PPTP, PPPoE or dial backup connection. Click Drop to disconnect the PPTP, PPPoE or dial backup connection.
Security Services
Content Filter Expiration Date: This is the date the category-based content filtering service subscription expires. Click the field label to go to the screen where you can update your service subscription.
Web Site Blocked: This displays how many web site hits the ZyWALL has blocked since it last started up. N/A displays when the service subscription has expired.
Latest Alerts: This table displays the five most recent alerts recorded by the ZyWALL. You can see more information in the View Log screen, such as the source and destination IP addresses and port numbers of the incoming packets.
Date/Time: This is the date and time the alert was recorded.
Message: This is the reason for the alert.
System Status
Port Statistics: Click Port Statistics to see router performance statistics such as the number of packets sent and number of packets received for each port.
DHCP Table: Click DHCP Table to show current DHCP client information.
VPN: Click VPN to display the active VPN connections.
Bandwidth: Click Bandwidth to view the ZyWALL’s bandwidth usage and allotments.
2.4.4 HOME Screen: Bridge Mode
The following screen displays when the ZyWALL is set to bridge mode. In bridge mode, the ZyWALL functions as a transparent firewall (also known as a bridge firewall). The ZyWALL bridges traffic traveling between the ZyWALL's interfaces and still filters and inspects packets. You do not need to change the configuration of your existing network.
In bridge mode, the ZyWALL cannot get an IP address from a DHCP server. The LAN, WAN, DMZ and WLAN interfaces all have the same (static) IP address and subnet mask. You can configure the ZyWALL's IP address in order to access the ZyWALL for management. If you connect your computer directly to the ZyWALL, you also need to assign your computer a static IP address in the same subnet as the ZyWALL's IP address in order to access the ZyWALL.
You can use the firewall and VPN in bridge mode. See the user’s guide for a list of other features that are available in bridge mode.
Figure 9 Web Configurator HOME Screen in Bridge Mode
The following table describes the labels in this screen.
Table 4 Web Configurator HOME Screen in Bridge Mode
LABEL DESCRIPTION
Automatic Refresh Interval: Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics.
Refresh: Click this button to update the screen’s statistics immediately.
System Information
System Name: This is the System Name you enter in the MAINTENANCE > General screen. It is for identification purposes. Click the field label to go to the screen where you can specify a name for this ZyWALL.
Model: This is the model name of your ZyWALL.
Bootbase Version: This is the bootbase version and the date created.
Firmware Version: This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design. Click the field label to go to the screen where you can upload a new firmware file.
Up Time: This field displays how long the ZyWALL has been running since it last started up. The ZyWALL starts up when you turn it on, when you restart it (MAINTENANCE > Restart), or when you reset it (see Section 2.3 on page 53).
System Time: This field displays your ZyWALL’s present date (in yyyy-mm-dd format) and time (in hh:mm:ss format) along with the difference from the Greenwich Mean Time (GMT) zone. The difference from GMT is based on the time zone. It is also adjusted for Daylight Saving Time if you set the ZyWALL to use it. Click the field label to go to the screen where you can modify the ZyWALL’s date and time settings.
Device Mode: This displays whether the ZyWALL is functioning as a router or a bridge. Click the field label to go to the screen where you can configure the ZyWALL as a router or a bridge.
Firewall: This displays whether or not the ZyWALL’s firewall is activated. Click the field label to go to the screen where you can turn the firewall on or off.
System Resources
Flash: The first number shows how many megabytes of the flash the ZyWALL is using.
Memory: The first number shows how many megabytes of the heap memory the ZyWALL is using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running processes like NAT, VPN and the firewall. The second number shows the ZyWALL's total heap memory (in megabytes). The bar displays what percent of the ZyWALL's heap memory is in use. The bar turns from green to red when the maximum is being approached.
Sessions: The first number shows how many sessions are currently open on the ZyWALL. This includes all sessions that are currently traversing the ZyWALL, terminating at the ZyWALL or initiated from the ZyWALL. The second number is the maximum number of sessions that can be open at one time. The bar displays what percent of the maximum number of sessions is in use. The bar turns from green to red when the maximum is being approached.
CPU: This field displays what percentage of the ZyWALL’s processing ability is currently used. When this percentage is close to 100%, the ZyWALL is running at full load, and the throughput is not going to improve anymore. If you want some applications to have more throughput, you should turn off other applications (for example, using bandwidth management).
Network Status
IP/Netmask Address: This is the IP address and subnet mask of your ZyWALL in dotted decimal notation.
Gateway IP Address: This is the gateway IP address.
Rapid Spanning Tree Protocol: This shows whether RSTP (Rapid Spanning Tree Protocol) is active or not. The following labels or values relative to RSTP do not apply when RSTP is disabled.
Bridge Priority: This is the bridge priority of the ZyWALL. The bridge (or switch) with the lowest bridge priority value in the network is the root bridge (the base of the spanning tree).
Bridge Hello Time: This is the interval of BPDUs (Bridge Protocol Data Units) from the root bridge.
Bridge Max Age: This is the predefined interval that a bridge waits to get a Hello message (BPDU) from the root bridge.
Forward Delay: This is the forward delay interval.
Bridge Port: This is the port type. Port types are: WAN, LAN, DMZ and WLAN.
Port Status: For the WAN, LAN, DMZ, and WLAN interfaces, this displays the port speed and duplex setting. For the WAN port, it displays Down when the link is not ready or has failed.
RSTP Status: This is the RSTP status of the corresponding port.
RSTP Active: This shows whether or not RSTP is active on the corresponding port.
RSTP Priority: This is the RSTP priority of the corresponding port.
RSTP Path Cost: This is the cost of transmitting a frame from the root bridge to the corresponding port.
Security Services
Content Filter Expiration Date: This is the date the category-based content filtering service subscription expires. Click the field label to go to the screen where you can update your service subscription.
Web Site Blocked: This displays how many web site hits the ZyWALL has blocked since it last started up. N/A displays when the service subscription has expired.
Latest Alerts: This table displays the five most recent alerts recorded by the ZyWALL. You can see more information in the View Log screen, such as the source and destination IP addresses and port numbers of the incoming packets.
Date/Time: This is the date and time the alert was recorded.
Message: This is the reason for the alert.
System Status
Port Statistics: Click Port Statistics to see router performance statistics such as the number of packets sent and number of packets received for each port.
VPN: Click VPN to display the active VPN connections.
Bandwidth: Click Bandwidth to view the ZyWALL’s bandwidth usage and allotments.
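The RSTP values in the table above (Bridge Priority, Hello Time, Max Age, Forward Delay and per-port Path Cost) follow a few fixed rules: the lowest bridge ID wins the root election, each non-root bridge picks the port with the cheapest total path to the root, and the three timers must keep to the 802.1D relationships or BPDUs age out too early. The script below works those rules through on a small constructed topology. It is an added example for the reader, not ZyWALL firmware or ZyXEL code; the bridge names, MAC addresses, link costs and the PortOffer structure that summarizes a neighbour's BPDU are all assumptions made for the example. From a defender's point of view it also shows why the priority is set deliberately on the intended root rather than left at the default, so that no other bridge on the segment can take over the tree by accident.

```python
"""Added example (not from the ZyWALL User's Guide): RSTP root-bridge election,
root-port selection and timer sanity checks for the values shown in the
bridge-mode HOME screen. Bridge names, MAC addresses, link costs and the
PortOffer structure are constructed sample data, not ZyWALL internals."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int  # Bridge Priority as shown on the HOME screen; lower wins
    mac: str       # the bridge's MAC address, used as the tie-breaker

    def bridge_id(self) -> tuple[int, int]:
        # 802.1D compares the priority first, then the numerically lowest MAC.
        return (self.priority, int(self.mac.replace(":", ""), 16))


def elect_root(bridges: list[Bridge]) -> Bridge:
    """The bridge with the lowest bridge ID becomes the root of the spanning tree."""
    return min(bridges, key=Bridge.bridge_id)


@dataclass(frozen=True)
class PortOffer:
    """Summary of what the neighbour on one of our ports advertises in its BPDU."""
    port: str                           # WAN, LAN, DMZ or WLAN
    port_path_cost: int                 # RSTP Path Cost configured on our port
    advertised_root_cost: int           # the neighbour's own cost to reach the root
    designated_bridge: tuple[int, int]  # the neighbour's bridge ID (tie-breaker)


def select_root_port(offers: list[PortOffer]) -> tuple[str, int]:
    """Return (port, cost) for the port with the cheapest total path to the root.
    Ties are broken by the lower designated bridge ID, as 802.1D does."""
    best = min(offers, key=lambda o: (o.advertised_root_cost + o.port_path_cost,
                                       o.designated_bridge))
    return best.port, best.advertised_root_cost + best.port_path_cost


def check_timers(hello: float, max_age: float, forward_delay: float) -> list[str]:
    """Return the 802.1D timer relationships the given values violate.
    Both must hold, otherwise bridges age out BPDUs too early or forward too soon."""
    problems = []
    lower = 2 * (hello + 1.0)
    upper = 2 * (forward_delay - 1.0)
    if max_age < lower:
        problems.append(f"Max Age {max_age}s must be >= 2 x (Hello Time + 1) = {lower}s")
    if max_age > upper:
        problems.append(f"Max Age {max_age}s must be <= 2 x (Forward Delay - 1) = {upper}s")
    return problems


# Constructed sample topology: the ZyWALL keeps its default priority, while the
# core switch has deliberately been given a lower one so that it stays the root.
SAMPLE_BRIDGES = [
    Bridge("zywall", 32768, "00:11:22:33:44:55"),
    Bridge("core-switch", 4096, "00:aa:bb:cc:dd:ee"),
    Bridge("access-switch", 32768, "00:11:22:33:44:00"),
]

# Constructed BPDU summaries as the ZyWALL's bridge ports might see them.
SAMPLE_OFFERS = [
    PortOffer("WAN", 200000, 0, SAMPLE_BRIDGES[1].bridge_id()),       # direct link to the root
    PortOffer("LAN", 200000, 200000, SAMPLE_BRIDGES[2].bridge_id()),  # one hop via the access switch
]

if __name__ == "__main__":
    print("root bridge:", elect_root(SAMPLE_BRIDGES).name)
    print("root port:", select_root_port(SAMPLE_OFFERS))
    print("default timers (2/20/15):", check_timers(2.0, 20.0, 15.0) or "OK")
    print("bad timers (10/20/15):", check_timers(10.0, 20.0, 15.0))
```

With the sample data the core switch is elected root, the ZyWALL's WAN port becomes its root port at a cost of 200000, the default 2/20/15 second timers pass, and a Hello Time of 10 seconds is rejected because Max Age would have to be at least 22 seconds.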

2.4.5 Navigation Panel

After you enter the password, use the sub-menus on the navigation panel to configure ZyWALL features.
The following table lists the features available for each device mode. Not all ZyWALLs have all features listed in this table.
Table 5 Bridge and Router Mode Features Comparison
FEATURE                  BRIDGE MODE   ROUTER MODE
Internet Access Wizard                 Y
VPN Wizard               Y             Y
DHCP Table                             Y
System Statistics        Y             Y
Registration             Y             Y
LAN                                    Y
WAN                                    Y
DMZ                                    Y
Bridge                   Y
WLAN                                   Y
Firewall                 Y             Y
Content Filter           Y             Y
VPN                      Y             Y
Certificates             Y             Y
Authentication Server    Y             Y
NAT                                    Y
Static Route                           Y
Bandwidth Management     Y             Y
DNS                                    Y
Remote Management        Y             Y
UPnP                                   Y
Custom APP               Y             Y
ALG                      Y             Y
Logs                     Y             Y
Maintenance              Y             Y
Table Key: A Y in a mode’s column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change.
The following table describes the sub-menus.
Table 6 Screens Summary
LINK TAB FUNCTION
HOME: This screen shows the ZyWALL’s general device and network status information. Use this screen to access the wizards, statistics and DHCP table.
REGISTRATION > Registration: Use this screen to register your ZyWALL and activate the trial service subscriptions.
REGISTRATION > Service: Use this to manage and update the service status and license information.
NETWORK
LAN > LAN: Use this screen to configure LAN DHCP and TCP/IP settings.
LAN > Static DHCP: Use this screen to assign fixed IP addresses on the LAN.
LAN > IP Alias: Use this screen to partition your LAN interface into subnets.
LAN > Port Roles: Use this screen to change the LAN/DMZ/WLAN port roles.
BRIDGE > Bridge: Use this screen to change the bridge settings on the ZyWALL.
BRIDGE > Port Roles: Use this screen to change the LAN/DMZ/WLAN port roles on the ZyWALL.
WAN > Route: This screen allows you to configure route priority.
WAN > WAN: Use this screen to configure the WAN port for internet access.
WAN > Traffic Redirect: Use this screen to configure your traffic redirect properties and parameters.
WAN > Dial Backup: Use this screen to configure the backup WAN dial-up connection.
DMZ > DMZ: Use this screen to configure your DMZ connection.
DMZ > Static DHCP: Use this screen to assign fixed IP addresses on the DMZ.
DMZ > IP Alias: Use this screen to partition your DMZ interface into subnets.
DMZ > Port Roles: Use this screen to change the LAN/DMZ/WLAN port roles on the ZyWALL.
WLAN > WLAN: Use this screen to configure your WLAN connection.
WLAN > Static DHCP: Use this screen to assign fixed IP addresses on the WLAN.
WLAN > IP Alias: Use this screen to partition your WLAN interface into subnets.
WLAN > Port Roles: Use this screen to change the LAN/DMZ/WLAN port roles on the ZyWALL.
SECURITY
FIREWALL > Default Rule: Use this screen to activate/deactivate the firewall and the direction of network traffic to which to apply the rule.
FIREWALL > Rule Summary: This screen shows a summary of the firewall rules, and allows you to edit/add a firewall rule.
FIREWALL > Anti-Probing: Use this screen to change your anti-probing settings.
FIREWALL > Threshold: Use this screen to configure the threshold for DoS attacks.
FIREWALL > Service: Use this screen to configure custom services.
CONTENT FILTER > General: This screen allows you to enable content filtering and block certain web features.
CONTENT FILTER > Policy: Use this screen to select which categories of web pages to filter out, as well as to register for external database content filtering and view reports.
CONTENT FILTER > Object: Use this screen to customize the content filter list.
CONTENT FILTER > Cache: Use this screen to view and configure the ZyWALL’s URL caching.
VPN > VPN Rules (IKE): Use this screen to configure VPN connections using IKE key management and view the rule summary.
VPN > VPN Rules (Manual): Use this screen to configure VPN connections using manual key management and view the rule summary.
VPN > SA Monitor: Use this screen to display and manage active VPN connections.
VPN > Global Setting: Use this screen to configure the IPSec timer settings.
CERTIFICATES > My Certificates: Use this screen to view a summary list of certificates and manage certificates and certification requests.
CERTIFICATES > Trusted CAs: Use this screen to view and manage the list of the trusted CAs.
CERTIFICATES > Trusted Remote Hosts: Use this screen to view and manage the certificates belonging to the trusted remote hosts.
CERTIFICATES > Directory Servers: Use this screen to view and manage the list of the directory servers.
AUTH SERVER > Local User Database: Use this screen to configure the local user account(s) on the ZyWALL.
AUTH SERVER > RADIUS: Configure this screen to use an external server to authenticate wireless and/or VPN users.
ADVANCED
NAT > NAT Overview: Use this screen to enable NAT.
NAT > Address Mapping: Use this screen to configure network address translation mapping rules.
NAT > Port Forwarding: Use this screen to configure servers behind the ZyWALL.
NAT > Port Triggering: Use this screen to change your ZyWALL’s port triggering settings.
STATIC ROUTE > IP Static Route: Use this screen to configure IP static routes.
BW MGMT > Summary: Use this screen to enable bandwidth management on an interface.
BW MGMT > Class Setup: Use this screen to set up the bandwidth classes.
BW MGMT > Monitor: Use this screen to view the ZyWALL’s bandwidth usage and allotments.
DNS > System: Use this screen to configure the address and name server records.
DNS > Cache: Use this screen to configure the DNS resolution cache.
DNS > DHCP: Use this screen to configure LAN/DMZ/WLAN DNS information.
DNS > DDNS: Use this screen to set up dynamic DNS.
REMOTE MGMT > WWW: Use this screen to configure through which interface(s) and from which IP address(es) users can use HTTPS or HTTP to manage the ZyWALL.
REMOTE MGMT > SSH: Use this screen to configure through which interface(s) and from which IP address(es) users can use Secure Shell to manage the ZyWALL.
REMOTE MGMT > TELNET: Use this screen to configure through which interface(s) and from which IP address(es) users can use Telnet to manage the ZyWALL.
REMOTE MGMT > FTP: Use this screen to configure through which interface(s) and from which IP address(es) users can use FTP to access the ZyWALL.
REMOTE MGMT > SNMP: Use this screen to configure your ZyWALL’s settings for Simple Network Management Protocol management.
REMOTE MGMT > DNS: Use this screen to configure through which interface(s) and from which IP address(es) users can send DNS queries to the ZyWALL.
REMOTE MGMT > CNM: Use this screen to configure and allow your ZyWALL to be managed by the Vantage CNM server.
UPnP > UPnP: Use this screen to enable UPnP on the ZyWALL.
UPnP > Ports: Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL.
Custom APP > Custom APP: Use this screen to specify port numbers for the ZyWALL to monitor for FTP, HTTP, SMTP, POP3, H323, and SIP traffic.
ALG > ALG: Use this screen to allow certain applications to pass through the ZyWALL.
LOGS > View Log: Use this screen to view the logs for the categories that you selected.
LOGS > Log Settings: Use this screen to change your ZyWALL’s log settings.
LOGS > Reports: Use this screen to have the ZyWALL record and display network usage reports.
MAINTENANCE > General: This screen contains administrative.
MAINTENANCE > Password: Use this screen to change your password.
MAINTENANCE > Time and Date: Use this screen to change your ZyWALL’s time and date.
MAINTENANCE > Device Mode: Use this screen to configure and have your ZyWALL work as a router or a bridge.
MAINTENANCE > F/W Upload: Use this screen to upload firmware to your ZyWALL.
MAINTENANCE > Backup & Restore: Use this screen to backup and restore the configuration or reset the factory defaults to your ZyWALL.
MAINTENANCE > Restart: This screen allows you to reboot the ZyWALL without turning the power off.
MAINTENANCE > Diagnosis: Use this screen to have the ZyWALL generate and send diagnostic files by e-mail and/or the console port.
LOGOUT: Click this label to exit the web configurator.
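The REMOTE MGMT rows above all make the same decision: a management service (WWW, SSH, TELNET, FTP, SNMP, DNS, CNM) is reachable only through the interface(s) it is bound to and only from the source address(es) configured for it. The script below models that decision as a default-deny check and audits a policy for the two settings a security reviewer would flag first: a cleartext service (HTTP, Telnet, FTP) bound to the WAN, and any service bound to the WAN with no source restriction. It is an added example for the reader and not ZyXEL code; the ServiceRule fields, the split of WWW into HTTP and HTTPS, and the two sample policies (a permissive one beside a hardened one) are assumptions made for the example, not the ZyWALL's configuration syntax. The 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges.

```python
"""Added example (not from the ZyWALL User's Guide): a small model of the
REMOTE MGMT decision "which interface(s) and which source IP address(es) may
reach a management service", plus an audit for weak settings. The policy
format, field names and sample rules are assumptions for this example."""
import ipaddress
from dataclasses import dataclass, field

CLEARTEXT = {"HTTP", "TELNET", "FTP"}  # credentials cross the wire unencrypted


@dataclass
class ServiceRule:
    service: str                       # WWW is split into HTTP and HTTPS here
    enabled: bool
    interfaces: set[str]               # subset of {"LAN", "WAN", "DMZ", "WLAN"}
    allowed_from: list[str] = field(default_factory=list)  # CIDRs; empty means any source


def is_allowed(rule: ServiceRule, interface: str, src_ip: str) -> bool:
    """Default deny: the service must be enabled, bound to this interface and,
    if a source list is configured, the client must fall inside it."""
    if not rule.enabled or interface not in rule.interfaces:
        return False
    if not rule.allowed_from:
        return True
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in rule.allowed_from)


def lookup(policy: list[ServiceRule], service: str, interface: str, src_ip: str) -> bool:
    """Evaluate one access attempt against a policy; unknown services are denied."""
    rule = next((r for r in policy if r.service == service), None)
    return rule is not None and is_allowed(rule, interface, src_ip)


def audit(rules: list[ServiceRule]) -> list[str]:
    """Flag cleartext management on the WAN and WAN-facing services open to any source."""
    findings = []
    for r in rules:
        if not r.enabled:
            continue
        if r.service in CLEARTEXT and "WAN" in r.interfaces:
            findings.append(f"{r.service}: cleartext management exposed on WAN")
        if "WAN" in r.interfaces and not r.allowed_from:
            findings.append(f"{r.service}: reachable on WAN from any source address")
    return findings


# Constructed "before" policy: every service on, on every interface, from anywhere.
WEAK_POLICY = [
    ServiceRule("HTTP", True, {"LAN", "WAN"}),
    ServiceRule("TELNET", True, {"LAN", "WAN"}),
    ServiceRule("SSH", True, {"LAN", "WAN"}),
]

# Constructed "after" policy: encrypted services only on the WAN, pinned to one
# administrator network; cleartext protocols limited to the LAN or switched off.
HARDENED_POLICY = [
    ServiceRule("HTTPS", True, {"LAN", "WAN"}, ["203.0.113.0/29"]),
    ServiceRule("SSH", True, {"LAN", "WAN"}, ["203.0.113.0/29"]),
    ServiceRule("HTTP", True, {"LAN"}),
    ServiceRule("TELNET", False, set()),
]

if __name__ == "__main__":
    print("weak policy findings:", audit(WEAK_POLICY))
    print("hardened policy findings:", audit(HARDENED_POLICY))
    print("SSH on WAN from the admin network:", lookup(HARDENED_POLICY, "SSH", "WAN", "203.0.113.5"))
    print("SSH on WAN from elsewhere:", lookup(HARDENED_POLICY, "SSH", "WAN", "198.51.100.7"))
```

The audit reports five findings for the permissive policy and none for the hardened one; under the hardened policy an SSH session from the administrator network is allowed on the WAN while the same request from any other address, and any Telnet request at all, is refused.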
2.4.6 Port Statistics
Click Port Statistics in the HOME screen. Read-only information here includes port status and packet specific statistics. The Poll Interval(s) field is configurable.
Figure 10 HOME > Show Statistics
The following table describes the labels in this screen.
Table 7 HOME > Show Statistics
LABEL DESCRIPTION
Port: These are the ZyWALL’s interfaces.
Status: For the WAN and dial backup ports, this displays the port speed and duplex setting if you’re using Ethernet encapsulation and Down (line is down), Idle (line (ppp) idle), Dial (starting to trigger a call) or Drop (dropping a call) if you’re using PPPoE encapsulation. Dial backup is not available in bridge mode. For the LAN, DMZ and WLAN ports, this displays the port speed and duplex setting.
TxPkts: This is the number of transmitted packets on this port.
RxPkts: This is the number of received packets on this port.
Collisions: This is the number of collisions on this port.
Tx B/s: This displays the transmission speed in bytes per second on this port.
Rx B/s: This displays the reception speed in bytes per second on this port.
Up Time: This is the total amount of time the line has been up.
System Up Time: This is the total time the ZyWALL has been on.
Automatic Refresh Interval: Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics.
Refresh: Click this button to update the screen’s statistics immediately.
2.4.7 DHCP Table Screen
DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyWALL as a DHCP server or disable it. When configured as a server, the ZyWALL provides the TCP/IP configuration for the clients. If DHCP service is disabled, you must have another DHCP server on your LAN, or else the computer must be manually configured.
Click Show DHCP Table in the HOME screen when the ZyWALL is set to router mode. Read-only information here relates to your DHCP status. The DHCP table shows current DHCP client information (including IP Address, Host Name and MAC Address) of all network clients using the ZyWALL’s DHCP server.
Figure 11 HOME > DHCP Table
The following table describes the labels in this screen.
Table 8 HOME > DHCP Table
LABEL DESCRIPTION
Interface: Select LAN, DMZ or WLAN to show the current DHCP client information for the specified interface.
#: This is the index number of the host computer.
IP Address: This field displays the IP address relative to the # field listed above.
Host Name: This field displays the computer host name.
MAC Address: The MAC (Media Access Control) or Ethernet address on a LAN (Local Area Network) is unique to your computer (six pairs of hexadecimal notation). A network interface card such as an Ethernet adapter has a hardwired address that is assigned at the factory. This address follows an industry standard that ensures no other adapter has a similar address.
Reserve: Select the check box in the heading row to automatically select all check boxes or select the check box(es) in each entry to have the ZyWALL always assign the selected entry(ies)’s IP address(es) to the corresponding MAC address(es) (and host name(s)). You can select up to 32 entries in this table. After you click Apply, the MAC address and IP address also display in the Static DHCP screen (where you can edit them) for the specified interface.
Refresh: Click Refresh to reload the DHCP table.
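A reservation made with the Reserve check box binds one IP address to one MAC address (six hexadecimal pairs) on one interface, and the guide states a limit of 32 such entries per table. Before committing a set of reservations it is worth checking that each MAC is well formed, each address lies inside the interface's subnet, no MAC or IP appears twice, and the count stays within the limit; a duplicate or out-of-subnet entry is a binding the server cannot honour. The script below performs those checks. It is an added example for the reader, not ZyWALL firmware or ZyXEL code; the Reservation structure, the LAN subnet and the host names and addresses in the sample table are constructed for the example, and the 32-entry limit is the one the guide gives.

```python
"""Added example (not from the ZyWALL User's Guide): consistency checks on a
set of DHCP reservations of the kind the HOME > DHCP Table screen lets you
select with the Reserve check boxes. The 32-entry limit is the one the guide
states; the subnet, host names and addresses below are constructed data."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

MAX_RESERVATIONS = 32  # per-table limit stated for the Reserve column
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")  # six colon-separated hex pairs


@dataclass(frozen=True)
class Reservation:
    ip: str
    host: str
    mac: str


def validate_reservations(entries: list[Reservation], subnet: str) -> list[str]:
    """Return human-readable problems; an empty list means the table is consistent."""
    net = ipaddress.ip_network(subnet, strict=True)
    problems: list[str] = []
    if len(entries) > MAX_RESERVATIONS:
        problems.append(f"{len(entries)} entries exceeds the limit of {MAX_RESERVATIONS}")
    for e in entries:
        if not MAC_RE.match(e.mac):
            problems.append(f"{e.host}: MAC {e.mac!r} is not six colon-separated hex pairs")
        try:
            addr = ipaddress.ip_address(e.ip)
        except ValueError:
            problems.append(f"{e.host}: {e.ip!r} is not an IP address")
            continue
        if addr not in net:
            problems.append(f"{e.host}: {e.ip} is outside the interface subnet {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{e.host}: {e.ip} is the network or broadcast address")
    # A MAC bound to two IPs, or one IP promised to two MACs, cannot be honoured;
    # reservations are keyed on the MAC address, so compare case-insensitively.
    for mac, n in Counter(e.mac.lower() for e in entries).items():
        if n > 1:
            problems.append(f"MAC {mac} is reserved {n} times")
    for ip, n in Counter(e.ip for e in entries).items():
        if n > 1:
            problems.append(f"IP {ip} is reserved {n} times")
    return problems


# Constructed sample table as it might appear for the LAN interface.
SAMPLE_SUBNET = "192.168.1.0/24"
SAMPLE_TABLE = [
    Reservation("192.168.1.33", "printer", "00:13:49:AA:BB:01"),
    Reservation("192.168.1.34", "nas", "00:13:49:AA:BB:02"),
    Reservation("192.168.1.35", "camera", "00:13:49:AA:BB:02"),   # same MAC as "nas"
    Reservation("192.168.2.10", "laptop", "00:13:49:AA:BB:03"),   # not in the LAN subnet
    Reservation("192.168.1.36", "badmac", "0013.49aa.bb04"),      # dotted form, not six pairs
]

if __name__ == "__main__":
    for line in validate_reservations(SAMPLE_TABLE, SAMPLE_SUBNET):
        print(line)
```

Run on the sample table the checker reports three problems (the malformed MAC, the address outside the subnet and the MAC reserved twice); the first two entries alone pass cleanly, and a table of 33 otherwise valid entries is rejected for exceeding the limit.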
2.4.8 VPN Status
Click VPN in the HOME screen when the ZyWALL is set to router mode. This screen displays read-only information about the active VPN connections. The Poll Interval(s) field is configurable. A Security Association (SA) is the group of security settings related to a specific VPN tunnel.
Figure 12 HOME > VPN Status
The following table describes the labels in this screen.
Table 9 HOME > VPN Status
LABEL DESCRIPTION
#: This is the security association index number.
Name: This field displays the identification name for this VPN policy.
Local Network: This field displays the IP address of the computer using the VPN IPSec feature of your ZyWALL.
Remote Network: This field displays the IP address (in a range) of computers on the remote network behind the remote IPSec router.
Encapsulation: This field displays Tunnel or Transport mode.
IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
Automatic Refresh Interval: Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics.
Refresh: Click this button to update the screen’s statistics immediately.
2.4.9 Bandwidth Monitor
Click Bandwidth in the HOME screen to display the bandwidth monitor. This screen displays the device’s bandwidth usage and allotments.
Figure 13 Home > Bandwidth Monitor
The following table describes the labels in this screen.
Table 10 ADVANCED > BW MGMT > Monitor
LABEL DESCRIPTION
Interface: Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes. A Default Class (see note A) automatically displays for all the bandwidth in the Root Class that is not allocated to bandwidth classes. If you do not enable maximize bandwidth usage on an interface, the ZyWALL uses the bandwidth in this default class to send traffic that does not match any of the bandwidth classes.
Class: This field displays the name of the bandwidth class.
Budget (kbps): This field displays the amount of bandwidth allocated to the bandwidth class.
Current Usage (kbps): This field displays the amount of bandwidth that each bandwidth class is using.
Automatic Refresh Interval: Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics.
Refresh: Click this button to update the screen’s statistics immediately.
A. If you allocate all the root class’s bandwidth to the bandwidth classes, the default class still displays a budget of 2 kbps (the minimum amount of bandwidth that can be assigned to a bandwidth class).
CHAPTER 3

Wizard Setup

This chapter provides information on the Wizard Setup screens in the web configurator. The Internet access wizard is only applicable when the ZyWALL is in router mode.

3.1 Wizard Setup Overview

The web configurator's setup wizards help you configure Internet and VPN connection settings.
In the HOME screen, click the wizard icon to open the Wizard Setup Welcome screen. The following summarizes the wizards you can select:
• Internet Access Setup
Click this link to open a wizard to set up an Internet connection for the WAN port on the ZyWALL (in router mode).
• VPN Setup
Use VPN Setup to configure a VPN connection that uses a pre-shared key. If you want to set the rule to use a certificate, please go to the VPN screens for configuration. See Section 3.3 on page 79.
Figure 14 Wizard Setup Welcome
Chapter 3 Wizard Setup

3.2 Internet Access

The Internet access wizard screen has three variations depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information.

3.2.1 ISP Parameters

The ZyWALL offers three choices of encapsulation. They are Ethernet, PPTP or PPPoE.
The wizard screen varies according to the type of encapsulation that you select in the Encapsulation field.
3.2.1.1 Ethernet
For ISPs (such as Telstra) that send UDP heartbeat packets to verify that the customer is still online, please create a WAN-to-WAN/ZyWALL firewall rule for those packets. Contact your ISP to find the correct port number.
Choose Ethernet when the WAN port is used as a regular Ethernet.
Figure 15 ISP Parameters: Ethernet Encapsulation
The following table describes the labels in this screen.
Table 11 ISP Parameters: Ethernet Encapsulation
LABEL DESCRIPTION
ISP Parameters for Internet Access
Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection.
WAN IP Address Assignment
IP Address Assignment: Select Dynamic if your ISP did not assign you a fixed IP address. This is the default selection. Select Static if the ISP assigned a fixed IP address. The fields below are available only when you select Static.
My WAN IP Address: Enter your WAN IP address in this field.
My WAN IP Subnet Mask: Enter the IP subnet mask in this field.
Gateway IP Address: Enter the gateway IP address in this field.
First DNS Server / Second DNS Server: Enter the DNS server's IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
Back: Click Back to return to the previous wizard screen.
Apply: Click Apply to save your changes and go to the next screen.
3.2.1.2 PPPoE Encapsulation
Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an IETF (Internet Engineering Task Force) standard specifying how a host personal computer interacts with a broadband modem (for example DSL, cable, wireless, etc.) to achieve access to high-speed data networks.
Figure 16 ISP Parameters: PPPoE Encapsulation
The following table describes the labels in this screen.
Table 12 ISP Parameters: PPPoE Encapsulation
LABEL DESCRIPTION
ISP Parameter for Internet Access
Encapsulation: Choose an encapsulation method from the pull-down list box. PPP over Ethernet forms a dial-up connection.
Service Name: Type the name of your service provider. This field is optional.
User Name: Type the user name given to you by your ISP.
Password: Type the password associated with the user name above.
Retype to Confirm: Type your password again for confirmation.
Nailed-Up: Select Nailed-Up if you do not want the connection to time out.
Idle Timeout: Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server. The default time is 100 seconds.
WAN IP Address Assignment
IP Address Assignment: Select Dynamic if your ISP did not assign you a fixed IP address. This is the default selection. Select Static if the ISP assigned a fixed IP address. The fields below are available only when you select Static.
My WAN IP Address: Enter your WAN IP address in this field.
First DNS Server / Second DNS Server: Enter the DNS server's IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
Back: Click Back to return to the previous wizard screen.
Apply: Click Apply to save your changes and go to the next screen.
3.2.1.3 PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables transfers of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
PPTP supports on-demand, multi-protocol, and virtual private networking over public networks, such as the Internet.
" The ZyWALL supports one PPTP server connection at any given time.
Figure 17 ISP Parameters: PPTP Encapsulation
The following table describes the labels in this screen.
Table 13 ISP Parameters: PPTP Encapsulation
LABEL DESCRIPTION
ISP Parameters for Internet Access
Encapsulation: Select PPTP from the drop-down list box. To configure a PPTP client, you must configure the User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
User Name: Type the user name given to you by your ISP.
Password: Type the password associated with the User Name above.
Retype to Confirm: Type your password again for confirmation.
Nailed-Up: Select Nailed-Up if you do not want the connection to time out.
Idle Timeout: Type the time in seconds that elapses before the router automatically disconnects from the PPTP server.
PPTP Configuration
My IP Address: Type the (static) IP address assigned to you by your ISP.
My IP Subnet Mask: Type the subnet mask assigned to you by your ISP (if given).
Server IP Address: Type the IP address of the PPTP server.
Connection ID/Name: Enter the connection ID or connection name in this field. It must follow the "c:id" and "n:name" format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your xDSL modem.
WAN IP Address Assignment
IP Address Assignment: Select Dynamic if your ISP did not assign you a fixed IP address. This is the default selection. Select Static if the ISP assigned a fixed IP address. The fields below are available only when you select Static.
My WAN IP Address: Enter your WAN IP address in this field.
First DNS Server / Second DNS Server: Enter the DNS server's IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
Back: Click Back to return to the previous wizard screen.
Apply: Click Apply to save your changes and go to the next screen.
3.2.2 Internet Access Wizard: Second Screen
Click Next to go to the screen where you can register your ZyWALL and activate the free content filtering trial application. Otherwise, click Skip to display the congratulations screen and click Close to complete the Internet access setup.
Figure 18 Internet Access Wizard: Second Screen
Figure 19 Internet Access Setup Complete
3.2.3 Internet Access Wizard: Registration
If you clicked Next in the previous screen (see Figure 18 on page 75), the following screen displays.
Use this screen to register the ZyWALL with myZyXEL.com. You must register your ZyWALL before you can activate trial application of service like content filtering.
Note: If you want to activate a standard service with your iCard’s PIN number (license key), use the REGISTRATION > Service screen.
Figure 20 Internet Access Wizard: Registration
The following table describes the labels in this screen.
Table 14 Internet Access Wizard: Registration
LABEL DESCRIPTION
Device Registration: If you select Existing myZyXEL.com account, only the User Name and Password fields are available.
New myZyXEL.com account: If you haven’t created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL.
Existing myZyXEL.com account: If you already have an account at myZyXEL.com, select this option and enter your user name and password in the fields below to register your ZyWALL.
User Name: Enter a user name for your myZyXEL.com account. The name should be from six to 20 alphanumeric characters (and the underscore). Spaces are not allowed.
Check: Click this button to check with the myZyXEL.com database to verify the user name you entered has not been used.
Password: Enter a password of between six and 20 alphanumeric characters (and the underscore). Spaces are not allowed.
Confirm Password: Enter the password again for confirmation.
E-Mail Address: Enter your e-mail address. You can use up to 80 alphanumeric characters (periods and the underscore are also allowed) without spaces.
Country: Select your country from the drop-down box list.
Back: Click Back to return to the previous screen.
Next: Click Next to continue.
After you fill in the fields and click Next, the following screen displays, indicating that the registration is in progress. Wait for the registration to finish.
Figure 21 Internet Access Wizard: Registration in Progress
Click Close to leave the wizard screen when the registration and activation are done.
Figure 22 Internet Access Wizard: Status
The following screen appears if the registration was not successful. Click Return to go back to the Device Registration screen and check your settings.
Figure 23 Internet Access Wizard: Registration Failed
If the ZyWALL has been registered, the Device Registration screen is read-only and the Service Activation screen appears indicating what trial applications are activated after you click Next.
Figure 24 Internet Access Wizard: Registered Device
Figure 25 Internet Access Wizard: Activated Services

3.3 VPN Wizard Gateway Setting

Use this screen to name the VPN gateway policy (IKE SA) and identify the IPSec routers at either end of the VPN tunnel.
Click VPN Setup in the Wizard Setup Welcome screen (Figure 14 on page 69) to open the VPN configuration wizard. The first screen displays as shown next.
Figure 26 VPN Wizard: Gateway Setting
The following table describes the labels in this screen.
Table 15 VPN Wizard: Gateway Setting
LABEL DESCRIPTION
Gateway Policy Property
Name: Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
Gateway Policy Setting
My ZyWALL: When the ZyWALL is in router mode, enter the WAN IP address or the domain name of your ZyWALL or leave the field set to 0.0.0.0. The ZyWALL uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. If the WAN connection goes down, the ZyWALL uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP address when using traffic redirect. The VPN tunnel has to be rebuilt if this IP address changes. When the ZyWALL is in bridge mode, this field is read-only and displays the ZyWALL’s IP address.
Remote Gateway Address: Enter the WAN IP address or domain name of the remote IPSec router (secure gateway) in the field below to identify the remote IPSec router by its IP address or a domain name. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address.
Back: Click Back to return to the previous screen.
Next: Click Next to continue.

3.4 VPN Wizard Network Setting

Use this screen to name the VPN network policy (IPSec SA) and identify the devices behind the IPSec routers at either end of a VPN tunnel.
Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
Figure 27 VPN Wizard: Network Setting
The following table describes the labels in this screen.
Table 16 VPN Wizard: Network Setting
LABEL DESCRIPTION
Network Policy Property
Active: If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel. Clear the Active check box to turn the network policy off. The ZyWALL does not apply the policy. Packets for the tunnel do not trigger the tunnel.
Name: Type up to 32 characters to identify this VPN network policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
Network Policy Setting
Local Network: Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Select Single for a single IP address. Select Range IP for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
Starting IP Address: When the Local Network field is configured to Single, enter a (static) IP address on the LAN behind your ZyWALL. When the Local Network field is configured to Range IP, enter the beginning (static) IP address, in a range of computers on the LAN behind your ZyWALL. When the Local Network field is configured to Subnet, this is a (static) IP address on the LAN behind your ZyWALL.
Ending IP Address/Subnet Mask: When the Local Network field is configured to Single, this field is N/A. When the Local Network field is configured to Range IP, enter the end (static) IP address, in a range of computers on the LAN behind your ZyWALL. When the Local Network field is configured to Subnet, this is a subnet mask on the LAN behind your ZyWALL.
Remote Network: Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. Select Single for a single IP address. Select Range IP for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
Starting IP Address: When the Remote Network field is configured to Single, enter a (static) IP address on the network behind the remote IPSec router. When the Remote Network field is configured to Range IP, enter the beginning (static) IP address, in a range of computers on the network behind the remote IPSec router. When the Remote Network field is configured to Subnet, enter a (static) IP address on the network behind the remote IPSec router.
Ending IP Address/Subnet Mask: When the Remote Network field is configured to Single, this field is N/A. When the Remote Network field is configured to Range IP, enter the end (static) IP address, in a range of computers on the network behind the remote IPSec router. When the Remote Network field is configured to Subnet, enter a subnet mask on the network behind the remote IPSec router.
Back: Click Back to return to the previous screen.
Next: Click Next to continue.
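The rule stated above (two active SAs may share a local network or a remote network, but not both) can be checked before a network policy is saved. The following Python is an added example, not ZyWALL code: it reduces the wizard's Single, Range IP and Subnet settings to a canonical set of networks, so that a range and a subnet covering the same addresses are recognized as the same network, and then reports conflicting active pairs. The policy names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations

# A Local/Remote Network setting as the wizard takes it (constructed format):
#   ("Single", "192.168.1.4")
#   ("Range IP", "192.168.1.10", "192.168.1.20")   starting, ending address
#   ("Subnet", "192.168.1.0", "255.255.255.0")     address, subnet mask


def coverage(spec):
    """Canonical tuple of networks selected by a Single/Range IP/Subnet spec.
    Two specs select exactly the same addresses when their coverage tuples
    are equal, e.g. Range IP 192.168.1.0-192.168.1.255 == Subnet 192.168.1.0/24."""
    kind = spec[0]
    if kind == "Single":
        nets = [ipaddress.ip_network(spec[1])]          # a /32 host route
    elif kind == "Range IP":
        start = ipaddress.ip_address(spec[1])
        end = ipaddress.ip_address(spec[2])
        if end < start:
            raise ValueError(f"ending address {end} is below starting address {start}")
        nets = list(ipaddress.summarize_address_range(start, end))
    elif kind == "Subnet":
        nets = [ipaddress.ip_network(f"{spec[1]}/{spec[2]}", strict=False)]
    else:
        raise ValueError(f"unknown network type {kind!r}")
    return tuple(ipaddress.collapse_addresses(nets))


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    active: bool
    local: tuple
    remote: tuple


def find_conflicts(policies):
    """Return (name, name) pairs of active policies whose local AND remote
    networks are identical. Sharing only one side is allowed, and an
    inactive duplicate is allowed, exactly as the rule above states."""
    keyed = [(p, coverage(p.local), coverage(p.remote))
             for p in policies if p.active]
    return [(a.name, b.name)
            for (a, al, ar), (b, bl, br) in combinations(keyed, 2)
            if al == bl and ar == br]


# Constructed policies (not from the manual) for the LAN behind device A.
LAN_A = ("Subnet", "192.168.1.0", "255.255.255.0")
NET_B = ("Subnet", "192.168.2.0", "255.255.255.0")
POLICIES = [
    NetworkPolicy("branch-B", True, LAN_A, NET_B),
    NetworkPolicy("branch-B-spare", False, LAN_A, NET_B),        # inactive: allowed
    NetworkPolicy("branch-C", True, LAN_A, ("Subnet", "192.168.3.0", "255.255.255.0")),
    NetworkPolicy("ftp-only", True, ("Single", "192.168.1.4"), NET_B),
    # Same addresses as branch-B, written as a range: this one conflicts.
    NetworkPolicy("branch-B-dup", True, ("Range IP", "192.168.1.0", "192.168.1.255"), NET_B),
]

if __name__ == "__main__":
    for a, b in find_conflicts(POLICIES):
        print(f"conflict: {a} and {b} are both active with the same local and remote networks")
```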

3.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1)

Use this screen to specify the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA.
Figure 28 VPN Wizard: IKE Tunnel Setting
The following table describes the labels in this screen.
Table 17 VPN Wizard: IKE Tunnel Setting
LABEL DESCRIPTION
Negotiation Mode: Select Main Mode for identity protection. Select Aggressive Mode to allow more incoming connections from dynamic IP addresses to use separate passwords. Note: Multiple SAs (security associations) connecting through a secure gateway must have the same negotiation mode.
Encryption Algorithm: When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES.
Authentication Algorithm: MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
Key Group: You must choose a key group for phase 1 IKE setup. DH1 (default) refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number.
SA Life Time (Seconds): Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 180 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Pre-Shared Key: Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection. Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key with "0x" (zero x), which is not counted as part of the 16 to 62 character range for the key. For example, in "0x0123456789ABCDEF", 0x denotes that the key is hexadecimal and 0123456789ABCDEF is the key itself. Both ends of the VPN tunnel must use the same pre-shared key. You will receive a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is not used on both ends.
Back: Click Back to return to the previous screen.
Next: Click Next to continue.
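A pre-shared key that breaks the length or character rules above at one end of the tunnel shows up only as the PYLD_MALFORMED failure described, so it pays to check keys before they are typed in. The following Python is an added example, not ZyWALL code: it validates a key against the rules quoted in the table and compares the keys configured at both ends in constant time. It assumes lowercase hex digits are acceptable and that a hex key and an ASCII key are never treated as the same key, neither of which the manual states.

```python
import hmac
import re

# Rules from the wizard's Pre-Shared Key description: 8 to 31 case-sensitive
# ASCII characters, or a "0x" prefix followed by 16 to 62 hexadecimal
# characters, with the "0x" not counted toward the length.
ASCII_MIN, ASCII_MAX = 8, 31
HEX_MIN, HEX_MAX = 16, 62
_HEX_BODY = re.compile(r"[0-9A-Fa-f]+")   # assumption: lowercase digits accepted


def normalize_psk(key: str):
    """Validate a pre-shared key as typed into the wizard and return
    (kind, value): kind is "hex" or "ascii"; value is the key with the
    "0x" prefix stripped and hex digits upper-cased.
    Raises ValueError naming the rule that was violated."""
    if key[:2].lower() == "0x":
        body = key[2:]
        if not (HEX_MIN <= len(body) <= HEX_MAX):
            raise ValueError(
                f"hex key must have {HEX_MIN}-{HEX_MAX} digits after 0x, got {len(body)}")
        if not _HEX_BODY.fullmatch(body):
            raise ValueError("hex key may contain only 0-9 and A-F after 0x")
        return "hex", body.upper()
    if not (ASCII_MIN <= len(key) <= ASCII_MAX):
        raise ValueError(
            f"ASCII key must be {ASCII_MIN}-{ASCII_MAX} characters, got {len(key)}")
    if not key.isascii() or not key.isprintable():
        raise ValueError("ASCII key may contain only printable ASCII characters")
    return "ascii", key


def psks_match(local: str, remote: str) -> bool:
    """True when both gateways hold the same normalized key.
    Assumption (not stated in the manual): a hex key and an ASCII key are
    different keys even if they encode the same bytes. The comparison is
    constant-time so a tool holding both keys does not leak how many
    leading characters agree."""
    local_kind, local_val = normalize_psk(local)
    remote_kind, remote_val = normalize_psk(remote)
    return local_kind == remote_kind and hmac.compare_digest(
        local_val.encode("ascii"), remote_val.encode("ascii"))


# Constructed sample keys (not from the manual, except the first) for each rule.
SAMPLE_KEYS = [
    "0x0123456789ABCDEF",      # the manual's own hex example: valid
    "correct horse battery",   # 21 printable ASCII characters: valid
    "0x0123",                  # only 4 hex digits: too short
    "0x0123456789ABCDEG",      # G is not a hex digit
    "short",                   # 5 ASCII characters: too short
    "x" * 32,                  # 32 ASCII characters: one too many
]


def audit_keys(keys):
    """Map each key to None (valid) or the message naming the rule it breaks."""
    verdicts = {}
    for k in keys:
        try:
            normalize_psk(k)
            verdicts[k] = None
        except ValueError as err:
            verdicts[k] = str(err)
    return verdicts


if __name__ == "__main__":
    for k, verdict in audit_keys(SAMPLE_KEYS).items():
        print(f"{k!r:38} -> {verdict or 'OK'}")
```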

3.6 VPN Wizard IPSec Setting (IKE Phase 2)

Use this screen to specify the authentication, encryption and other settings needed to negotiate a phase 2 IPSec SA.
Figure 29 VPN Wizard: IPSec Setting
The following table describes the labels in this screen.
Table 18 VPN Wizard: IPSec Setting
LABEL DESCRIPTION
Encapsulation Mode: Tunnel is compatible with NAT, Transport is not. Tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel mode is required for gateway services to provide access to internal systems. Tunnel mode is fundamentally an IP tunnel with authentication and encryption. Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
IPSec Protocol: Select the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
Encryption Algorithm: When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES. Select NULL to set up a tunnel without encryption. When you select NULL, you do not enter an encryption key.
Authentication Algorithm: MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
SA Life Time (Seconds): Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 180 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Perfect Forward Secret (PFS): Perfect Forward Secret (PFS) is disabled (None) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure. Select DH1 or DH2 to enable PFS. DH1 refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number (more secure, yet slower).
Back: Click Back to return to the previous screen.
Next: Click Next to continue.

3.7 VPN Wizard Status Summary

This read-only screen shows the status of the current VPN setting. Use the summary table to check whether what you have configured is correct.
Figure 30 VPN Wizard: VPN Status
The following table describes the labels in this screen.
Table 19 VPN Wizard: VPN Status
LABEL DESCRIPTION
Gateway Policy Property
Name: This is the name of this VPN gateway policy.
Gateway Policy Setting
My ZyWALL: This is the WAN IP address or the domain name of your ZyWALL in router mode or the ZyWALL’s IP address in bridge mode.
Remote Gateway Address: This is the IP address or the domain name used to identify the remote IPSec router.
Network Policy Property
Active: This displays whether this VPN network policy is enabled or not.
Name: This is the name of this VPN network policy.
Network Policy Setting
Local Network
Starting IP Address: This is a (static) IP address on the LAN behind your ZyWALL.
Ending IP Address/Subnet Mask: When the local network is configured for a single IP address, this field is N/A. When the local network is configured for a range IP address, this is the end (static) IP address, in a range of computers on the LAN behind your ZyWALL. When the local network is configured for a subnet, this is a subnet mask on the LAN behind your ZyWALL.
Remote Network
Starting IP Address: This is a (static) IP address on the network behind the remote IPSec router.
Ending IP Address/Subnet Mask: When the remote network is configured for a single IP address, this field is N/A. When the remote network is configured for a range IP address, this is the end (static) IP address, in a range of computers on the network behind the remote IPSec router. When the remote network is configured for a subnet, this is a subnet mask on the network behind the remote IPSec router.
IKE Tunnel Setting (IKE Phase 1)
Negotiation Mode: This shows Main Mode or Aggressive Mode. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
Encryption Algorithm: This is the method of data encryption. Options can be DES, 3DES or AES.
Authentication Algorithm: MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data.
Key Group: This is the key group you chose for phase 1 IKE setup.
SA Life Time (Seconds): This is the length of time before an IKE SA automatically renegotiates.
Pre-Shared Key: This is a pre-shared key identifying a communicating party during a phase 1 IKE negotiation.
IPSec Setting (IKE Phase 2)
Encapsulation Mode: This shows Tunnel mode or Transport mode.
IPSec Protocol: ESP or AH are the security protocols used for an SA.
Encryption Algorithm: This is the method of data encryption. Options can be DES, 3DES, AES or NULL.
Authentication Algorithm: MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data.
SA Life Time (Seconds): This is the length of time before an IKE SA automatically renegotiates.
Perfect Forward Secret (PFS): Perfect Forward Secret (PFS) is disabled (None) by default in phase 2 IPSec SA setup. Otherwise, DH1 or DH2 are selected to enable PFS.
Back: Click Back to return to the previous screen.
Finish: Click Finish to complete and save the wizard setup.

3.8 VPN Wizard Setup Complete

Congratulations! You have successfully set up the VPN rule for your ZyWALL. If you already had VPN rules configured, the wizard adds the new VPN rule after the last existing VPN rule.
Figure 31 VPN Wizard Setup Complete
CHAPTER 4

Tutorials

This chapter describes
• how to apply security settings to VPN traffic.
• how to set up your ZyWALL if you have more than one fixed (static) IP address from your ISP.
• how to allocate bandwidth and apply priorities to traffic that flows out through the ZyWALL’s WAN port.

4.1 Security Settings for VPN Traffic

The ZyWALL can apply the firewall and content filtering to the traffic going to or from the ZyWALL’s VPN tunnels. The ZyWALL applies the security settings to the traffic before encrypting VPN traffic that it sends out or after decrypting received VPN traffic.
Note: The security settings apply to VPN traffic going to or from the ZyWALL’s VPN tunnels. They do not apply to other VPN traffic for which the ZyWALL is not one of the gateways (VPN pass-through traffic).
You can turn on content filtering for all of the ZyWALL’s VPN traffic (regardless of its direction of travel). You can apply firewall security to VPN traffic based on its direction of travel. The following examples show how you do this for the firewall.

4.1.1 Firewall Rule for VPN Example

The firewall provides even more fine-tuned control for VPN tunnels. You can configure default and custom firewall rules for VPN packets.
Take the following example. You have a LAN FTP server with IP address 192.168.1.4 behind device A. You could configure a VPN rule to allow the network behind device B to access your LAN FTP server through a VPN tunnel. Now, if you don’t want other services like chat or e-mail going to the FTP server, you can configure firewall rules that allow only FTP traffic to come from VPN tunnels to the FTP server. Furthermore, you can configure the firewall rule so that only the network behind device B can access the FTP server through a VPN tunnel (not other remote networks that have VPN tunnels with the ZyWALL).
Figure 32 Firewall Rule for VPN

4.1.2 Configuring the VPN Rule

This section shows how to configure a VPN rule on device A to let the network behind B access the FTP server. You would also have to configure a corresponding rule on device B.
1 Click Security > VPN to open the following screen. Click the Add Gateway Policy icon.
Figure 33 SECURITY > VPN > VPN Rules (IKE)
2 Use this screen to set up the connection between the routers. Configure the fields that are circled as follows and click Apply.
Figure 34 SECURITY > VPN > VPN Rules (IKE)> Add Gateway Policy
3 Click the Add Network Policy icon.
Figure 35 SECURITY > VPN > VPN Rules (IKE): With Gateway Policy Example
4 Use this screen to specify which computers behind the routers can use the VPN tunnel.
Configure the fields that are circled as follows and click Apply. You may notice that the example does not specify the port numbers. This is due to the following reasons.
• While FTP uses a control session on port 20, the port for the data session is not fixed. So this example uses the firewall’s FTP application layer gateway (ALG) to handle this instead of specifying port numbers in this VPN network policy.
• The firewall provides better security because it operates at layer 4 and checks traffic sessions. The VPN network policy only operates at layer 3 and just checks IP addresses and port numbers.
Figure 36 SECURITY > VPN > VPN Rules (IKE)> Add Network Policy

4.1.3 Configuring the Firewall Rules

Suppose you have several VPN tunnels but you only want to allow device B’s network to access the FTP server. You also only want FTP traffic to go to the FTP server, so you want to block all other traffic types (like chat, e-mail, web and so on). The following sections show how to configure firewall rules to enforce these restrictions.
4.1.3.1 Firewall Rule to Allow Access Example
Configure a firewall rule that allows FTP access from the VPN tunnel to the FTP server.
1 Click Security > Firewall > Rule Summary.
2 Select VPN to LAN as the packet direction and click Refresh.
3 Click the insert icon.
Figure 37 SECURITY > FIREWALL > Rule Summary
4 Configure the rule as follows and click Apply. The source addresses are the VPN rule’s remote network and the destination address is the LAN FTP server.
Figure 38 SECURITY > FIREWALL > Rule Summary > Edit: Allow
5 The rule displays in the summary list of VPN to LAN firewall rules.
Figure 39 SECURITY > FIREWALL > Rule Summary: Allow
4.1.3.2 Default Firewall Rule to Block Other Access Example
Now you configure the default firewall rule to block all VPN to LAN traffic. This blocks any other types of access from VPN tunnels to the LAN FTP server. This means that you need to configure more firewall rules if you want to allow any other VPN tunnels to access the LAN.
1 Click SECURITY > FIREWALL > Default Rule.
2 Configure the screen as follows and click Apply.
Figure 40 SECURITY > FIREWALL > Default Rule: Block From VPN To LAN
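The two steps above (one allow rule for FTP from device B's network, then a Default Rule that blocks everything else from VPN to LAN) amount to an ordered first-match lookup with a per-direction default. The following Python is an added example, not ZyWALL code: it evaluates constructed VPN to LAN packets against that rule order. It assumes 192.168.2.0/24 as device B's network (the figures do not name it) and TCP port 21 for FTP control, and it does not model the FTP application layer gateway that handles the data session.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # packet direction as the Rule Summary screen names it
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    src_net: str     # CIDR; the rule's source address setting as one network
    dst_net: str
    proto: str
    dport: int
    action: str      # "allow" or "block"


def rule_matches(rule, pkt):
    """Layer-4 match on direction, source/destination networks, protocol and port."""
    return (rule.direction == pkt.direction
            and rule.proto == pkt.proto
            and rule.dport == pkt.dport
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src_net)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst_net))


def evaluate(rules, defaults, pkt):
    """First matching rule in summary-list order wins; otherwise the
    Default Rule for the packet's direction applies. Returns (action, why)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return defaults[pkt.direction], "default rule"


# Constructed policy: device B's network is assumed to be 192.168.2.0/24;
# the FTP server 192.168.1.4 is the tutorial's; FTP control is TCP port 21.
RULES = [
    Rule("ftp-from-B", "VPN to LAN", "192.168.2.0/24", "192.168.1.4/32", "tcp", 21, "allow"),
]
DEFAULTS = {"VPN to LAN": "block"}   # the Default Rule set in step 2 above

# Constructed sample traffic arriving through the VPN tunnels.
SAMPLES = [
    Packet("VPN to LAN", "192.168.2.7", "192.168.1.4", "tcp", 21),    # B -> FTP: allow
    Packet("VPN to LAN", "192.168.2.7", "192.168.1.4", "tcp", 25),    # B -> e-mail: block
    Packet("VPN to LAN", "192.168.3.9", "192.168.1.4", "tcp", 21),    # other tunnel: block
    Packet("VPN to LAN", "192.168.2.7", "192.168.1.10", "tcp", 21),   # other LAN host: block
]


def audit(rules, defaults, packets):
    """Decide each packet and return [(packet, action, why)] for logging."""
    return [(p, *evaluate(rules, defaults, p)) for p in packets]


if __name__ == "__main__":
    for pkt, action, why in audit(RULES, DEFAULTS, SAMPLES):
        print(f"{pkt.src:>13} -> {pkt.dst}:{pkt.dport}/{pkt.proto}  {action:5}  ({why})")
```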

4.2 Using NAT with Multiple Public IP Addresses

This section shows you examples of how to set up your ZyWALL if you have more than one fixed (static) IP address from your ISP.

4.2.1 Example Parameters and Scenario

The following table shows the public IP addresses from your ISP and your ZyWALL’s LAN IP address.
Public IP Addresses 1.2.3.4 to 1.2.3.7
ZyWALL’s LAN IP Address 192.168.1.1
The following figure shows the network you want to set up in this example.
• Assign the first public address (1.2.3.4) to the ZyWALL’s WAN port.
• Map the second and third public IP addresses (1.2.3.5 and 1.2.3.6) to the web and mail servers (192.168.1.12 and 192.168.1.13) respectively for traffic in both directions.
• Map the first public address (1.2.3.4) to outgoing traffic from other local computers.
• Map the first public address (1.2.3.4) to incoming traffic from the WAN.
• Forward FTP traffic using port 21 from the WAN to a specific local computer (192.168.1.39).
• The last public IP address (1.2.3.7) is not mapped to any device and is reserved for future use.
Figure 41 Tutorial Example: Using NAT with Static Public IP Addresses
To set up this network, we are going to:
1 Configure the WAN connection to use the first public IP address (1.2.3.4).
2 Configure NAT address mapping for other public IP addresses (1.2.3.5 and 1.2.3.6).
3 Configure NAT port forwarding to forward FTP traffic from the WAN to a specific computer on your local network.

4.2.2 Configuring the WAN Connection with a Static IP Address

The following table shows the information your ISP gave you for Internet connection.
Encapsulation PPPoE
Public IP Addresses 1.2.3.4, 1.2.3.5, 1.2.3.6, 1.2.3.7
Gateway IP Address 1.2.3.89
Subnet Mask 255.255.255.0
User Name exampleuser
Password abcd1234
DNS Server 1.2.1.1, 1.2.1.2
Follow the steps below to configure your ZyWALL for Internet access using PPPoE in this example.
Figure 42 Tutorial Example: WAN Connection with a Static Public IP Address
1 Click NETWORK > WAN > WAN.
2 Select PPPoE (PPP over Ethernet) from the Encapsulation drop-down list box.
3 In the ISP Parameters for Internet Access section, enter the information (such as the user name and password) provided by your ISP. If your ISP didn’t give you the service name, leave the field blank.
4 In the WAN IP Address Assignment section, select Use Fixed IP Address and enter the first fixed public IP address (1.2.3.4 in this example).
5 Click Apply.
Figure 43 Tutorial Example: WAN Screen
6 Click ADVANCED > DNS.
7 The System screen displays. Click the Insert button to configure the IP address of the DNS server the ZyWALL can query to resolve domain names.
Figure 44 Tutorial Example: DNS > System
8 Select Public DNS Server and enter the first DNS server’s IP address given by your ISP. Click Apply.
Figure 45 Tutorial Example: DNS > System Edit-1
9 Enter the rule number (2) where you want to put the second record and click the Insert button to configure the second DNS server’s IP address as follows. Click Apply.
Note: To resolve a domain name, the ZyWALL checks it against the name server record entries in the order that they appear in this list.
Figure 46 Tutorial Example: DNS > System Edit-2
10 The DNS > System screen should look as shown.