Home » ZyXEL Manuals » Networking » ZyXEL P-2602HW-D3A » Manual Viewer

ZyXEL P-2602HW-D3A User Guide - Page 383

Table 155, Table 156, Table 157

Get ZyXEL P-2602HW-D3A PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 383 highlights

P-2602H(W)(L)-DxA Series User's Guide Table 155 TCP Reset Logs LOG MESSAGE Under SYN flood attack, sent TCP RST Exceed TCP MAX incomplete, sent TCP RST Peer TCP state out of order, sent TCP RST Firewall session time out, sent TCP RST Exceed MAX incomplete, sent TCP RST Access block, sent TCP RST DESCRIPTION The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host.) The router sent a TCP reset packet when the number of TCP incomplete connections exceeded the user configured threshold. (the TCP incomplete count is per destination host.) Note: Refer to TCP Maximum Incomplete in the Firewall Attack Alerts screen. The router sent a TCP reset packet when a TCP connection state was out of order.Note: The firewall refers to RFC793 Figure 6 to check the TCP state. The router sent a TCP reset packet when a dynamic firewall session timed out.Default timeout values:ICMP idle timeout (s): 60UDP idle timeout (s): 60TCP connection (three way handshaking) timeout (s): 30TCP FIN-wait timeout (s): 60TCP idle (established) timeout (s): 3600 The router sent a TCP reset packet when the number of incomplete connections (TCP and UDP) exceeded the userconfigured threshold. (Incomplete count is for all TCP and UDP connections through the firewall.)Note: When the number of incomplete connections (TCP + UDP) > "Maximum Incomplete High", the router sends TCP RST packets for TCP connections and destroys TOS (firewall dynamic sessions) until incomplete connections < "Maximum Incomplete Low". The router sends a TCP RST packet and generates this log if you turn on the firewall TCP reset mechanism (via CI command: "sys firewall tcprst"). Table 156 Packet Filter Logs LOG MESSAGE [ TCP | UDP | ICMP | IGMP | Generic ] packet filter matched (set: %d, rule: %d) DESCRIPTION Attempted access matched a configured filter rule (denoted by its set and rule number) and was blocked or forwarded according to the rule. For type and code details, see Table 165 on page 387. Table 157 ICMP Logs LOG MESSAGE DESCRIPTION Firewall default policy: ICMP , , Firewall rule [NOT] match: ICMP , , , ICMP access matched the default policy and was blocked or forwarded according to the user's setting. ICMP access matched (or didn't match) a firewall rule (denoted by its number) and was blocked or forwarded according to the rule. Appendix I Log Descriptions 383

Section	Page
P-2602HW(L) Series	1
P-2602H Series	1
User’s Guide	1
Copyright	3
Certifications	4
Safety Warnings	5
ZyXEL Limited Warranty	6
Customer Support	7
Table of Contents	9
List of Figures	23
List of Tables	29
Preface	35
Getting To Know the ZyXEL Device	37
1.1 Introducing the P-2602H(W)(L)-Dx Series	37
1.2 Features	38
1.3 Wireless Features (“W” models only)	42
1.4 Applications for the ZyXEL Device	44
1.4.1 Internet Access	44
1.4.1.1 Internet Single User Account	44
1.4.2 Making Calls via Internet Telephony Service Provider	44
1.4.3 Make Peer-to-peer Calls	45
1.4.4 Firewall for Secure Broadband Internet Access	45
1.4.5 LAN to LAN Application	46
1.4.6 LEDs	47
Introducing the Web Configurator	49
2.1 Web Configurator Overview	49
2.1.1 Accessing the Web Configurator	49
2.1.2 The RESET Button	51
2.1.2.1 Using The Reset Button	51
2.2 Web Configurator Main Screen	52
2.2.1 Title Bar	52
2.2.2 Navigation Panel	53
2.2.3 Main Window	55
2.2.4 Status Bar	55
Internet and Wireless Setup Wizard	57
3.1 Introduction	57
3.2 Internet Access Wizard Setup	57
3.2.1 Manual Configuration	59
3.3 Wireless Connection Wizard Setup	65
VoIP Wizard And Example	71
4.1 Introduction	71
4.2 VoIP Wizard Setup	71
Bandwidth Management Wizard	77
5.1 Introduction	77
5.2 Predefined Media Bandwidth Management Services	77
5.3 Bandwidth Management Wizard Setup	78
Status Screens	83
6.2 Any IP Table	86
6.3 WLAN Status (“W” models only)	87
6.4 Packet Statistics	87
6.5 VoIP Statistics	89
WAN Setup	93
7.1.1 Encapsulation	93
7.1.1.1 ENET ENCAP	93
7.1.1.2 PPP over Ethernet	93
7.1.1.3 PPPoA	94
7.1.1.4 RFC 1483	94
7.1.2 Multiplexing	94
7.1.2.1 VC-based Multiplexing	94
7.1.2.2 LLC-based Multiplexing	94
7.1.3 VPI and VCI	94
7.1.4 IP Address Assignment	95
7.1.4.1 IP Assignment with PPPoA or PPPoE Encapsulation	95
7.1.4.2 IP Assignment with RFC 1483 Encapsulation	95
7.1.4.3 IP Assignment with ENET ENCAP Encapsulation	95
7.1.5 Nailed-Up Connection (PPP)	95
7.1.6 NAT	95
7.2 Metric	96
7.3 Traffic Shaping	96
7.3.1 ATM Traffic Classes	97
7.3.1.1 Constant Bit Rate (CBR)	97
7.3.1.2 Variable Bit Rate (VBR)	97
7.3.1.3 Unspecified Bit Rate (UBR)	98
7.4 Zero Configuration Internet Access	98
LAN Setup	107
8.1.1 LANs, WANs and the ZyXEL Device	107
8.1.2 DHCP Setup	108
8.1.2.1 IP Pool Setup	108
8.1.3 DNS Server Address	108
8.1.4 DNS Server Address Assignment	109
8.2 LAN TCP/IP	109
8.2.1 IP Address and Subnet Mask	109
8.2.1.1 Private IP Addresses	110
8.2.2 RIP Setup	110
8.2.3 Multicast	111
8.2.4 Any IP	111
8.2.4.1 How Any IP Works	112
Wireless LAN	121
9.1 Wireless Network Overview	121
9.2 Wireless Security Overview	122
9.2.1 SSID	122
9.2.2 MAC Address Filter	122
9.2.3 User Authentication	123
9.2.4 Encryption	123
9.2.5 One-Touch Intelligent Security Technology (OTIST)	124
9.3 Wireless Performance Overview	124
9.3.1 Quality of Service (QoS)	124
9.4 Additional Wireless Terms	125
9.5.1 No Security	126
9.5.2 WEP Encryption Screen	127
9.5.3 WPA(2)-PSK	128
9.5.4 WPA(2) Authentication Screen	130
9.6.1 Notes on OTIST	135
Network Address Translation (NAT) Screens	141
10.1.1 NAT Definitions	141
10.1.2 What NAT Does	142
10.1.3 How NAT Works	142
10.1.4 NAT Application	143
10.1.5 NAT Mapping Types	143
10.2 SUA (Single User Account) Versus NAT	144
10.4 Port Forwarding	145
10.4.1 Default Server IP Address	146
10.4.2 Port Forwarding: Services and Port Numbers	146
10.4.3 Configuring Servers Behind Port Forwarding (Example)	146
Voice	151
11.1 Introduction to VoIP	151
11.2 SIP	151
11.2.1 SIP Identities	151
11.2.1.1 SIP Number	151
11.2.1.2 SIP Service Domain	152
11.2.2 SIP Call Progression	152
11.2.3 SIP Servers	152
11.2.3.1 SIP User Agent	153
11.2.3.2 SIP Proxy Server	153
11.2.3.3 SIP Redirect Server	154
11.2.3.4 SIP Register Server	154
11.3.1 RTP	156
11.4 Pulse Code Modulation	156
11.5 Voice Coding	156
11.5.1 G.711	156
11.5.2 G.729	156
11.6 PSTN Call Setup Signaling	157
11.7 MWI (Message Waiting Indication)	157
11.8 Custom Tones (IVR)	157
11.8.0.1 Recording Custom Tones	157
11.8.0.2 Listening to Custom Tones	158
11.8.0.3 Deleting Custom Tones	158
11.10 Quality of Service (QoS)	162
11.10.1 Type Of Service (ToS)	162
11.10.2 DiffServ	162
11.10.2.1 DSCP and Per-Hop Behavior	162
11.10.3 VLAN	163
11.11 Phone	164
11.12 PSTN Line (“L” models only)	164
11.12.1 Voice Activity Detection/Silence Suppression	164
11.12.2 Comfort Noise Generation	164
11.12.3 Echo Cancellation	164
11.15 Supplementary Phone Services Overview	168
11.15.1 The Flash Key	168
11.15.2 Europe Type Supplementary Phone Services	168
11.15.2.1 European Call Hold	169
11.15.2.2 European Call Waiting	169
11.15.2.3 European Call Transfer	169
11.15.2.4 European Three-Way Conference	170
11.15.3 USA Type Supplementary Services	170
11.15.3.1 USA Call Hold	170
11.15.3.2 USA Call Waiting	171
11.15.3.3 USA Call Transfer	171
11.15.3.4 USA Three-Way Conference	171
11.17 Speed Dial	172
11.17.1 Peer-to-Peer Calls	172
Phone Usage	179
12.1 Dialing a Telephone Number	179
12.2 Using Speed Dial to Dial a Telephone Number	179
12.3 Internal Calls	179
12.4 Checking the Device’s IP Address	179
12.5 Auto Firmware Upgrade	180
Firewalls	181
13.2 Types of Firewalls	181
13.2.1 Packet Filtering Firewalls	181
13.2.2 Application-level Firewalls	182
13.2.3 Stateful Inspection Firewalls	182
13.3 Introduction to ZyXEL’s Firewall	182
13.3.1 Denial of Service Attacks	183
13.4 Denial of Service	183
13.4.1 Basics	183
13.4.2 Types of DoS Attacks	184
13.4.2.1 ICMP Vulnerability	186
13.4.2.2 Illegal Commands (NetBIOS and SMTP)	186
13.4.2.3 Traceroute	187
13.5 Stateful Inspection	187
13.5.1 Stateful Inspection Process	188
13.5.2 Stateful Inspection on Your ZyXEL Device	188
13.5.3 TCP Security	189
13.5.4 UDP/ICMP Security	189
13.5.5 Upper Layer Protocols	190
13.6 Guidelines for Enhancing Security with Your Firewall	190
13.6.1 Security In General	190
13.7 Packet Filtering Vs Firewall	191
13.7.1 Packet Filtering:	191
13.7.1.1 When To Use Filtering	192
13.7.2 Firewall	192
13.7.2.1 When To Use The Firewall	192
Firewall Configuration	193
14.1 Access Methods	193
14.2 Firewall Policies Overview	193
14.3 Rule Logic Overview	194
14.3.1 Rule Checklist	194
14.3.2 Security Ramifications	194
14.3.3 Key Fields For Configuring Rules	195
14.3.3.1 Action	195
14.3.3.2 Service	195
14.3.3.3 Source Address	195
14.3.3.4 Destination Address	195
14.4 Connection Direction	195
14.4.1 LAN to WAN Rules	196
14.4.2 Alerts	196
14.7 Example Firewall Rule	203
14.8.1 Threshold Values	207
14.8.2 Half-Open Sessions	208
14.8.2.1 TCP Maximum Incomplete and Blocking Time	208
Content Filtering	211
Introduction to IPSec	215
16.1 VPN Overview	215
16.1.1 IPSec	215
16.1.2 Security Association	215
16.1.3 Other Terminology	215
16.1.3.1 Encryption	215
16.1.3.2 Data Confidentiality	216
16.1.3.3 Data Integrity	216
16.1.3.4 Data Origin Authentication	216
16.1.4 VPN Applications	216
16.2 IPSec Architecture	216
16.2.1 IPSec Algorithms	217
16.2.2 Key Management	217
16.3 Encapsulation	217
16.3.1 Transport Mode	218
16.3.2 Tunnel Mode	218
16.4 IPSec and NAT	218
VPN Screens	221
17.1 VPN/IPSec Overview	221
17.2 IPSec Algorithms	221
17.2.1 AH (Authentication Header) Protocol	221
17.2.2 ESP (Encapsulating Security Payload) Protocol	221
17.3 My IP Address	222
17.4 Secure Gateway Address	223
17.4.1 Dynamic Secure Gateway Address	223
17.6 Keep Alive	225
17.7 VPN, NAT, and NAT Traversal	226
17.8 Remote DNS Server	227
17.9 ID Type and Content	227
17.9.1 ID Type and Content Examples	229
17.10 Pre-Shared Key	229
17.12 IKE Phases	234
17.12.1 Negotiation Mode	235
17.12.2 Diffie-Hellman (DH) Key Groups	236
17.12.3 Perfect Forward Secrecy (PFS)	236
17.14 Manual Key Setup	239
17.14.1 Security Parameter Index (SPI)	239
17.18 Telecommuter VPN/IPSec Examples	244
17.18.1 Telecommuters Sharing One VPN Rule Example	244
17.18.2 Telecommuters Using Unique VPN Rules Example	245
17.19 VPN and Remote Management	247
Static Route	249
Bandwidth Management	253
19.2 Application-based Bandwidth Management	253
19.3 Subnet-based Bandwidth Management	253
19.4 Application and Subnet-based Bandwidth Management	254
19.5 Scheduler	254
19.5.1 Priority-based Scheduler	254
19.5.2 Fairness-based Scheduler	255
19.6 Maximize Bandwidth Usage	255
19.6.1 Reserving Bandwidth for Non-Bandwidth Class Traffic	255
19.6.2 Maximize Bandwidth Usage Example	256
19.6.2.1 Priority-based Allotment of Unused and Unbudgeted Bandwidth	256
19.6.2.2 Fairness-based Allotment of Unused and Unbudgeted Bandwidth	257
19.6.3 Bandwidth Management Priorities	257
Dynamic DNS Setup	263
20.1.1 DYNDNS Wildcard	263
Remote Management Configuration	267
21.1.1 Remote Management Limitations	267
21.1.2 Remote Management and NAT	268
21.1.3 System Timeout	268
21.3 Telnet	269
21.6.1 Supported MIBs	272
21.6.2 SNMP Traps	273
Universal Plug-and-Play (UPnP)	277
22.1.1 How do I know if I'm using UPnP?	277
22.1.2 NAT Traversal	277
22.1.3 Cautions with UPnP	278
22.2 UPnP and ZyXEL	278
22.3 Installing UPnP in Windows Example	279
22.4 Using UPnP in Windows XP Example	282
System	289
23.1 General Setup and System Name	289
Logs	295
24.1.1 Alerts and Logs	295
24.4 SMTP Error Messages	299
24.4.1 Example E-mail Log	299
Tools	301
25.1 Introduction	301
25.2 Filename Conventions	301
25.3 File Maintenance Over WAN	302
25.5.1 Backup Configuration	305
25.5.2 Restore Configuration	305
25.5.3 Reset to Factory Defaults	307
25.7 Using FTP or TFTP to Back Up Configuration	308
25.7.1 Using the FTP Commands to Back Up Configuration	308
25.7.2 FTP Command Configuration Backup Example	308
25.7.3 Configuration Backup Using GUI-based FTP Clients	309
25.7.4 Backup Configuration Using TFTP	309
25.7.5 TFTP Command Configuration Backup Example	310
25.7.6 Configuration Backup Using GUI-based TFTP Clients	310
25.8 Using FTP or TFTP to Restore Configuration	310
25.8.1 Restore Using FTP Session Example	311
25.9 FTP and TFTP Firmware and Configuration File Uploads	311
25.9.1 FTP File Upload Command from the DOS Prompt Example	311
25.9.2 FTP Session Example of Firmware File Upload	312
25.9.3 TFTP File Upload	312
25.9.4 TFTP Upload Command Example	313
Diagnostic	315
Troubleshooting	319
27.1 Problems Starting Up the ZyXEL Device	319
27.2 Problems with the LAN	319
27.3 Problems with the WAN	320
27.4 Problems Accessing the ZyXEL Device	321
27.4.1 Pop-up Windows, JavaScripts and Java Permissions	321
27.4.1.1 Internet Explorer Pop-up Blockers	322
27.4.1.2 JavaScripts	325
27.4.1.3 Java Permissions	327
27.5 Telephone Problems	329
27.6 Problems With Multiple SIP Accounts	330
27.6.1 Outgoing Calls	330
27.6.2 Incoming Calls	331
Product Specifications	333
Splitters and Microfilters	339
Setting up Your Computer’s IP Address	341
IP Addresses and Subnetting	353
Wireless LANs	361
Services	371
Firewall Commands	375
Triangle Route	377
Log Descriptions	381
Command Interpreter	393
Internal SPTGEN	395
Index	421
A	421
B	421
C	421
D	422
E	422
F	422
G	423
H	423
I	423
J	424
K	424
L	424
M	424
N	424
O	424
P	425
Q	425
R	425
S	426
T	426
U	427
V	427
W	427

Match case Limit results 1 per page

P-2602H(W)(L)-DxA Series User’s Guide

Appendix I Log Descriptions

383

For type and code details, see

Table 165 on page 387

Table 155

TCP Reset Logs

LOG MESSAGE

DESCRIPTION

Under SYN flood attack,

sent TCP RST

The router sent a TCP reset packet when a host was under a SYN

flood attack (the TCP incomplete count is per destination host.)

Exceed TCP MAX

incomplete, sent TCP RST

The router sent a TCP reset packet when the number of TCP

incomplete connections exceeded the user configured threshold.

(the TCP incomplete count is per destination host.) Note: Refer to

TCP Maximum Incomplete

in the

Firewall Attack Alerts

screen.

Peer TCP state out of

order, sent TCP RST

The router sent a TCP reset packet when a TCP connection state

was out of order.Note: The firewall refers to RFC793 Figure 6 to

check the TCP state.

Firewall session time

out, sent TCP RST

The router sent a TCP reset packet when a dynamic firewall

session timed out.Default timeout values:ICMP idle timeout (s):

60UDP idle timeout (s): 60TCP connection (three way

handshaking) timeout (s): 30TCP FIN-wait timeout (s): 60TCP idle

(established) timeout (s): 3600

Exceed MAX incomplete,

sent TCP RST

The router sent a TCP reset packet when the number of

incomplete connections (TCP and UDP) exceeded the user-

configured threshold. (Incomplete count is for all TCP and UDP

connections through the firewall.)Note: When the number of

incomplete connections (TCP + UDP) > “Maximum Incomplete

High”, the router sends TCP RST packets for TCP connections

and destroys TOS (firewall dynamic sessions) until incomplete

connections < “Maximum Incomplete Low”.

Access block, sent TCP

RST

The router sends a TCP RST packet and generates this log if you

turn on the firewall TCP reset mechanism (via CI command: "sys

firewall tcprst").

Table 156

Packet Filter Logs

LOG MESSAGE

DESCRIPTION

[ TCP | UDP | ICMP | IGMP |

Generic ] packet filter

matched (set: %d, rule: %d)

Attempted access matched a configured filter rule (denoted by

its set and rule number) and was blocked or forwarded

according to the rule.

Table 157

ICMP Logs

LOG MESSAGE

DESCRIPTION

Firewall default policy: ICMP

<Packet Direction>, <type:%d>,

<code:%d>

ICMP access matched the default policy and was blocked

or forwarded according to the user's setting.

Firewall rule [NOT] match: ICMP

<Packet Direction>, <rule:%d>,

<type:%d>, <code:%d>

ICMP access matched (or didn’t match) a firewall rule

(denoted by its number) and was blocked or forwarded

according to the rule.