ZyXEL ZyWALL 5 UTM User Guide

ZyXEL ZyWALL 5 UTM Manual

ZyXEL ZyWALL 5 UTM manual content summary:

  • ZyXEL ZyWALL 5 UTM | User Guide - Page 1
    ZyWALL 5/35/70 Series Internet Security Appliance User's Guide Version 4.04 03/2008 Edition 1 DEFAULT LOGIN IP Address http://192.168.1.1 Password 1234 www.zyxel.com
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 2
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 3
    (CLI) to configure the ZyWALL. • Supporting Disk Refer to the included CD for support documents. • ZyXEL Web Site Please refer to www.zyxel.com for additional support documentation and product certifications. User Guide Feedback Help us help you. Send all User Guide-related comments, questions or
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 4
    Conventions • The ZyWALL 5/35/70 series may be referred to as the "ZyWALL", the "device" or the "system" in this User's Guide. • Product example, Maintenance > Log > Log Setting means you first click Maintenance in the navigation panel, then the Log sub menu and finally the Log Setting tab to get to
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 5
    Document Conventions Icons Used in Figures Figures in this User's Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL Computer Notebook computer Server Firewall Telephone Switch Router ZyWALL 5/35/70 Series User's Guide 5
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 6
    them or stumble over them. • Always disconnect all cables from this device before servicing or disassembling. • Use ONLY an appropriate power adaptor or cord for your device. • Connect the power adaptor or cord to the right supply voltage (for example, 110V AC in North America or 230V AC in Europe
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 7
    This product is recyclable. Dispose of it properly. Safety Warnings ZyWALL 5/35/70 Series User's Guide 7
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 8
    Safety Warnings 8 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 9
    Screens ...313 Content Filtering Screens ...327 Content Filtering Reports ...349 IPSec VPN ...357 Certificates ...399 Authentication Server Screens 427 Advanced ...433 Network Address Translation (NAT) 435 Static Route Screens ...451 Policy Route Screens ...457 Bandwidth Management Screens 465
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 10
    613 WAN and Dial Backup Setup 619 LAN Setup ...633 Internet Access ...639 DMZ Setup ...645 Route Setup ...649 Wireless Setup ...653 Remote Node Setup ...659 IP Static Route Setup ...669 Network Address Translation (NAT) 673 Introducing the ZyWALL Firewall 693 Filter Configuration ...695 SNMP
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 11
    Table of Contents About This User's Guide ...3 Document Conventions...4 Safety Warnings...6 Contents Overview ...9 Table of Contents...11 List of Figures ...29 List of Tables...41 Part I: Introduction 49 Chapter 1 Getting to Know Your ZyWALL 51 1.1 ZyWALL Internet Security Appliance Overview 51
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 12
    94 4.2.5 Internet Access Wizard: Service Activation 95 4.3 VPN Wizard Gateway Setting 96 4.4 VPN Wizard Network Setting 97 4.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1) 99 4.6 VPN Wizard IPSec Setting (IKE Phase 2) 100 4.7 VPN Wizard Status Summary 102 4.8 VPN Wizard Setup Complete 104
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 13
    a 3G Card 130 5.4.2 Configuring 3G WAN Settings 131 5.4.3 Checking WAN Connections 132 5.5 Configuring Load Balancing 132 5.6 Configuring Content Filtering 133 5.6.1 Enable Content Filtering 133 5.6.2 Block Categories of Web Content 134 5.6.3 Assign Bob's Computer a Specific IP Address 136
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 14
    Encapsulation 186 9.3.3 PPTP Encapsulation 189 9.4 IP Address Example 208 10.1.4 DMZ Private and Public IP Address Example 209 10.2 The DMZ Screen ...210 10.3 The Static DHCP Screen 213 10.4 The IP Alias Screen ...214 10.5 The DMZ Port Roles Screen 216 14 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 15
    802.1x + No WEP 242 12.3 MAC Filter ...243 12.4 Technical Reference ...244 Part III: Security 249 Chapter 13 Firewall Screens...251 13.1 Overview ...251 13.1.1 What You Can Do Using the Firewall Screens 252 13.1.2 What You Need To Know About the ZyWALL Firewall 252 13.1.3 Before You Begin 252
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 16
    Signature Search Example 305 15.4 The Update Screen ...306 15.4.1 mySecurityZone ...307 15.4.2 Configuring Anti-virus Update 307 15.5 The Backup and Restore Screen 309 15.6 Technical Reference ...310 Chapter 16 Anti-Spam Screens ...313 16.1 Overview ...313 16 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 17
    .5 The Network Policy Edit: Port Forwarding Screen 372 19.6 The Network Policy Move Screen 374 19.7 The VPN Rules (Manual) Screen 375 19.8 The VPN Rules (Manual): Edit Screen 376 19.9 The VPN SA Monitor Screen 379 19.10 The VPN Global Setting Screen 379 ZyWALL 5/35/70 Series User's Guide 17
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 18
    Using Unique VPN Rules Example 383 19.12 VPN and Remote Management 385 19.13 Hub-and-spoke VPN ...385 19.13.1 Hub-and-spoke VPN Example 386 19.13.2 Hub-and-spoke Example VPN Rule Addresses 387 19.13.3 Hub-and-spoke VPN Requirements and Suggestions 387 19.14 IPSec VPN Background Information
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 19
    Screen 436 22.3 The NAT Address Mapping Screen 438 22.3.1 NAT Address Mapping Edit 440 22.4 The Port Forwarding Screen 441 22.4.1 Default Server IP Address 441 22.4.2 Port Forwarding: Services and Port Numbers 442 22.4.3 Configuring Servers Behind Port Forwarding (Example) 442 22.4.4 NAT and
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 20
    of Contents 25.2 The Summary Screen ...467 25.2.1 Maximize Bandwidth Usage Example 470 25.2.2 Reserving Bandwidth for Non-Bandwidth Class Traffic 471 25.3 The Class Setup Screen 471 25.4 Bandwidth Manager Class Configuration 473 25.4.1 Bandwidth Borrowing Example 476 25.5 Bandwidth Management
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 21
    Reports Screens ...539 31.1 Overview ...539 31.1.1 What You Can Do in the Reports Screens 539 31.2 The Traffic Statistics Screen 539 31.2.1 Viewing Web Site Hits 541 31.2.2 Viewing Host IP Address 542 31.2.3 Viewing Protocol/Port 543 ZyWALL 5/35/70 Series User's Guide 21
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 22
    Screen 599 Part VI: SMT 603 Chapter 34 Introducing the SMT ...605 34.1 Introduction to the SMT 605 34.2 Accessing the SMT via the Console Port 605 34.2.1 Initial Screen ...605 34.2.2 Entering the Password 606 22 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 23
    LAN Menus 633 37.3 LAN Port Filter Setup ...633 37.4 TCP/IP and DHCP Ethernet Setup Menu 634 37.4.1 IP Alias Setup ...636 Chapter 38 Internet Access ...639 38.1 Introduction to Internet Access Setup 639 38.2 Ethernet Encapsulation 639 38.3 Configuring the PPTP Client 641 38.4 Configuring the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 24
    Filter ...666 Chapter 43 IP Static Route Setup...669 43.1 IP Static Route Setup ...669 Chapter 44 Network Address Translation (NAT) 673 44.1 Using NAT ...673 44.1.1 SUA (Single User Account) Versus NAT 673 44.1.2 Applying NAT ...673 44.2 NAT Setup ...675 44.2.1 Address Mapping Sets 676 24 ZyWALL
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 25
    2: Internet Access with a Default Server 685 44.4.3 Example 3: Multiple Public IP Addresses With Inside Servers 685 44.4.4 Example 4: NAT Unfriendly Application Programs 689 44.5 Trigger Port Forwarding 690 44.5.1 Two Points To Remember About Trigger Ports 690 Chapter 45 Introducing the ZyWALL
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 26
    737 49.5.10 Uploading Configuration File Via Console Port 737 49.5.11 Example Xmodem Configuration Upload Using HyperTerminal 738 Chapter 50 System Maintenance Menus 8 to 10 739 50.1 Command Interpreter Mode 739 50.2 Call Control Support ...740 26 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 27
    .4 Wireless Router/AP Troubleshooting 767 54.5 UPnP ...768 Chapter 55 Product Specifications ...769 55.1 Compatible 3G Cards ...773 55.2 Power Adaptor Specifications 775 Part VIII: Appendices and Index 779 Appendix A Removing and Installing a Fuse 781 Appendix B Common Services 783 ZyWALL 5/35
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 28
    Table of Contents Appendix C Wireless LANs 787 Appendix D Windows 98 SE/Me Requirements for Anti-Virus Message Display 801 Appendix E Legal Information 805 Appendix F Customer Support 809 Index...815 28 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 29
    33 Internet Access Wizard: Activated Services 96 Figure 34 VPN Wizard: Gateway Setting 96 Figure 35 VPN Wizard: Network Setting 98 Figure 36 VPN Wizard: IKE Tunnel Setting 99 Figure 37 VPN Wizard: IPSec Setting 101 Figure 38 VPN Wizard: VPN Status ...102 ZyWALL 5/35/70 Series User's Guide 29
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 30
    77 SECURITY > CONTENT FILTER > Policy 138 Figure 78 SECURITY > CONTENT FILTER > Policy > External Database (Bob) 139 Figure 79 REGISTRATION > Registration 143 Figure 80 REGISTRATION > Registration: Registered Device 144 Figure 81 REGISTRATION > Service 145 30 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 31
    > DMZ > Static DHCP 214 Figure 119 NETWORK > DMZ > IP Alias 215 Figure 120 NETWORK > DMZ > Port Roles 216 Figure 121 WLAN Overview ...219 Figure 122 NETWORK > WLAN ...221 Figure 123 NETWORK > WLAN > Static DHCP 224 Figure 124 NETWORK > WLAN > IP Alias 225 ZyWALL 5/35/70 Series User's Guide 31
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 32
    Configuration 270 Figure 158 My Service Firewall Rule Example: Rule Summary 271 Figure 159 From LAN to VPN Example 273 Figure 160 From VPN to LAN Example 273 Figure 161 From VPN to VPN Example 274 Figure 162 Using IP Alias to Solve the Triangle Route Problem 275 Figure 163 Three-Way Handshake
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 33
    Service Management 351 Figure 199 Blue Coat: Login ...351 Figure 200 Content Filtering Reports Main Screen 352 Figure 201 Blue Coat: Report Home ...352 Figure 202 Global Report Screen Example 353 Figure 203 Requested URLs Example 354 Figure 204 Web Page Review Process Screen 355 Figure 205 VPN
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 34
    Figure 212 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding 373 Figure 213 SECURITY > VPN > VPN Rules (IKE) > Move Network Policy 374 Figure 214 SECURITY > VPN > VPN Rules (Manual) 375 Figure 215 SECURITY > VPN > VPN Rules (Manual) > Edit 376 Figure 216 SECURITY > VPN > SA
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 35
    STATIC ROUTE > IP Static Route > Edit 454 Figure 265 ADVANCED > POLICY ROUTE > Policy Route Summary 459 Figure 266 ADVANCED > POLICY ROUTE > Edit 461 Figure 267 Subnet-based Bandwidth Management Example 466 Figure 268 ADVANCED > BW MGMT > Summary 468 Figure 269 ADVANCED > BW MGMT > Class Setup
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 36
    334 REPORTS > Anti-Spam > Score Distribution 551 Figure 335 REPORTS > E-mail Report 552 Figure 336 LOGS > View Log ...556 Figure 337 myZyXEL.com: Download Center 558 Figure 338 myZyXEL.com: Certificate Download 558 Figure 339 LOGS > Log Settings ...559 36 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 37
    Node Profile (3G WAN) 630 Figure 378 Menu 3: LAN Setup ...633 Figure 379 Menu 3.1: LAN Port Filter Setup 634 Figure 380 Menu 3: TCP/IP and DHCP Setup 634 Figure 381 Menu 3.2: TCP/IP and DHCP Ethernet Setup 635 Figure 382 Menu 3.2.1: IP Alias Setup 636 ZyWALL 5/35/70 Series User's Guide 37
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 38
    (PPTP) 642 Figure 385 Internet Access Setup (PPPoE) 643 Figure 386 Menu 5: DMZ Setup ...645 Figure 387 Menu 5.1: DMZ Port Filter Setup 645 Figure 388 Menu 5: DMZ Setup ...646 Figure 389 Menu 5.2: TCP/IP and DHCP Ethernet Setup 646 Figure 390 Menu 5.2.1: IP Alias Setup 647 Figure 391 Menu 6: Route
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 39
    Port Setup 691 Figure 434 Menu 21: Filter and Firewall Setup 693 Figure 435 Menu 21.2: Firewall Setup 694 Figure 436 Outgoing Packet Filtering Process 695 Figure 437 Filter Rule Process ...697 Figure 438 Menu 21: Filter and Firewall Setup 698 Figure 439 Menu 21.1: Filter Set Configuration
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 40
    486 Menu 24.10 System Maintenance: Time and Date Setting 743 Figure 487 Menu 24.11 - Remote Management Control 746 Figure 488 Menu 25: Sample IP Routing Policy Summary 749 Figure 489 Menu 25.1: IP Routing Policy Setup 751 Figure 490 Menu 25.1.1: IP Routing Policy Setup 753 Figure 491 Example of
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 41
    107 Table 24 Dynamic VPN Rule Tutorial Settings 109 Table 25 REGISTRATION > Registration 143 Table 26 REGISTRATION > Service 145 Table 27 NETWORK > LAN ...153 Table 28 NETWORK > LAN > Static DHCP 156 Table 29 NETWORK > LAN > IP Alias 158 Table 30 NETWORK > LAN > Port Roles 159 Table 31
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 42
    241 Table 65 WIRELESS > Wi-Fi > Wireless Card: No Access 802.1x + Static WEP 242 Table 66 WIRELESS > Wi-Fi > MAC Filter 243 Table 67 Blocking All LAN to WAN IRC Traffic Example 253 Table 68 Limited LAN to WAN IRC Traffic Example 254 Table 69 SECURITY > FIREWALL > Default Rule (Router Mode) 255
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 43
    Policy > Port Forwarding 373 Table 104 SECURITY > VPN > VPN Rules (IKE) > Move Network Policy 374 Table 105 SECURITY > VPN > VPN Rules (Manual) 375 Table 106 SECURITY > VPN > VPN Rules (Manual) > Edit 377 Table 107 SECURITY > VPN > SA Monitor 379 Table 108 SECURITY > VPN > Global Setting 381
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 44
    : Web Site Hits Report 542 Table 163 REPORTS > Traffic Statistics: Host IP Address 543 Table 164 REPORTS > Traffic Statistics: Protocol/Port 544 Table 165 Report Specifications ...545 Table 166 REPORTS > IDP ...546 Table 167 REPORTS > Anti-Virus ...548 44 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 45
    Table 196 Syslog Logs ...583 Table 197 RFC-2408 ISAKMP Payload Types 584 Table 198 MAINTENANCE > General Setup 586 Table 199 MAINTENANCE > Password 587 Table 200 MAINTENANCE > Time and Date 588 Table 201 MAC-address-to-port Mapping Table 591 Table 202 MAINTENANCE > Device Mode (Router Mode) 593
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 46
    Route Failover ...651 Table 233 Menu 7.1: Wireless Setup 654 Table 234 Menu 7.1.1: WLAN MAC Address Filter 656 Table 235 Menu 11.1: Remote Node Profile for Ethernet Encapsulation 660 Table 236 Fields in Menu 11.1 (PPPoE Encapsulation Specific) 663 Table 237 Menu 11.1: Remote Node Profile for PPTP
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 47
    IP Routing Policy Setup 753 Table 267 Schedule Set Setup ...758 Table 268 Hardware Specifications ...769 Table 269 Firmware Specifications ...770 Table 270 Feature and Performance Specifications 771 Table 271 Compatible ZyXEL WLAN Cards and Security Features 772 Table 272 3G Features Supported
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 48
    List of Tables 48 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 49
    PART I Introduction Getting to Know Your ZyWALL (51) Hardware Installation (55) Introducing the Web Configurator (61) Wizard Setup (87) Tutorials (109) Registration Screens (141) 49
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 50
    50
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 51
    transparent firewall in an existing network with minimal configuration. The ZyWALL provides bandwidth management, NAT, port forwarding, policy routing, DHCP server and many other powerful features. You can add an IEEE 802.11b/g-compliant wireless LAN by either inserting a wireless LAN card into the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 52
    access via an Ethernet or wireless port on the modem. The ZyWALL guarantees not only high speed Internet access, but secure internal network protection and traffic management as well. Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem DMZ WAN LAN 52 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 53
    the need (and expense) for leased lines between sites. Figure 2 VPN Application 1.3.3 3G WAN Application (ZyWALL 5 Only) Insert a 3G card to have the ZyWALL (in router mode) wirelessly access the Internet via a 3G base station. At the time of writing, only ZyWALL 5 supports 3G, so all 3G
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 54
    methods to manage the ZyWALL. • Web Configurator. This is recommended for everyday management of the ZyWALL using a (supported) web browser. • Command Line Interface. Line commands are mostly used for troubleshooting by service engineers. See the Command Reference Guide for more information
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 55
    for enclosed rack installations. 2.2 Desktop Installation 1 Make sure the ZyWALL is clean and dry. 2 Set the ZyWALL on a smooth, level surface strong enough to support the weight of the ZyWALL and the connected cables. Make sure there is a power outlet nearby. 3 Make sure there is enough clearance
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 56
    of the ZyWALL does not make the rack unstable or top-heavy. Take all necessary precautions to anchor the rack securely before installing the unit. Use a #2 Phillips screwdriver to install the screws. Failure to use the proper screws may damage the unit. 56 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 57
    Brackets and Screws 3 After attaching both mounting brackets, position the ZyWALL in the rack by lining up the holes in the brackets with the appropriate holes on the rack. Secure the ZyWALL to the rack with the rack-mounting screws. Figure 6 Rack Mounting ZyWALL 5/35/70 Series User's Guide 57
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 58
    the slot as shown next. Only certain ZyXEL wireless LAN cards or 3G cards are compatible with the ZyWALL. Only the ZyWALL 5 can use a 3G card. Do not force, bend or twist the wireless LAN card, 3G card or ZyWALL Turbo Card. Figure 7 WLAN Card Installation 58 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 59
    connected. Flashing The backup port is sending or receiving packets. CARD Green Off The wireless LAN or 3G card is not ready, or has failed. On The wireless LAN or 3G card is ready. Flashing The wireless LAN or 3G card is sending or receiving packets. LAN 10/100 Off (ZyWALL 70 only) Green
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 60
    /DMZ is not connected. The ZyWALL has a successful 10 Mbps Ethernet connection. The 10 M LAN/DMZ is sending or receiving packets. Orange On The ZyWALL has a successful 100 Mbps Ethernet connection. Flashing The 100 M LAN/DMZ is sending or receiving packets. 60 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 61
    the ZyWALL (refer to the Quick Start Guide). 2 Launch your web browser. 3 Type "192.168.1.1" as the URL. 4 Type "1234" (default) as the password and click Login. In some versions, the default password appears automatically - if this is the case, click Login. ZyWALL 5/35/70 Series User's Guide 61
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 62
    now see the HOME screen (see Figure 15 on page 65). The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the ZyWALL if this happens to you. 62 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 63
    . This indicates that the defaults have been restored and the ZyWALL is now restarting. 5 Release the RESET button and wait for the ZyWALL to finish restarting. 3.3.2 Uploading a Configuration File Via Console Port 1 Download the default configuration file from the ZyXEL FTP site, unzip it and save
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 64
    navigate the web configurator from the HOME screen. This guide uses the ZyWALL 70 screenshots as an example. The screens may vary slightly for different ZyWALL models. Figure 14 HOME Screen A C B D Click this icon to open the help page for the current screen. 64 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 65
    general status information about the ZyWALL. The ZyWALL is set to router mode by default. Not all fields are available on all models. WAN 2 refers to either the physical WAN 2 port on a ZyWALL with multiple WAN ports or the 3G card on a single WAN ZyWALL in router mode. Figure 15 Web Configurator
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 66
    using bandwidth management. Interfaces This is the port type. Click "+" to expand or "-" to collapse the IP alias drop-down lists. Hold your cursor over an interface's label to display the interface's MAC Address. Click an interface's label to go to the screen where you can configure settings for
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 67
    encapsulation and IPCP Client when you're using PPPoE or PPTP encapsulation. Static displays if the WAN port is using a manually entered static (fixed) IP address. For the LAN, WLAN or DMZ, DHCP server displays when the ZyWALL is set to automatically give IP address information to the computers
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 68
    site hits the ZyWALL has blocked since it last started up. N/A displays when the ZyWALL has never had an external database content filtering service subscription. Disable (collect statistics) displays when the ZyWALL has been subscribed to the external database content filtering service, but content
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 69
    you have enabled budget control but insert a 3G card with a different user account from the one for which you configured budget control. Select this option to have the ZyWALL do budget calculation starting from 0 but use the previous settings. Resume budget control This field displays if you have
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 70
    before the ZyWALL takes the actions you specified in the 3G (WAN 2) screen. Reset time and data budget counters Latest Alerts Date/Time Message System Status Port Statistics DHCP Table VPN Bandwidth Note: The budget counters will not be reset when you restore the factory defaults. The budget
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 71
    to access the ZyWALL for management. If you connect your computer directly to the ZyWALL, you also need to assign your computer a static IP address in the same subnet as the ZyWALL's IP address in order to access the ZyWALL. You can use the firewall and VPN in bridge mode. See the user's guide for
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 72
    throughput, you should turn off other applications (for example, using bandwidth management. Network Status Click more to display information about the individual interfaces. IP/Netmask Address This is the IP address and subnet mask of your ZyWALL in dotted decimal notation. Gateway IP Address
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 73
    port. Security Services Turbo Card This field displays whether or not a ZyWALL Turbo Card is installed. IDP/Anti-Virus Definitions IDP/Anti-Virus Expiration Date Anti-Spam Expiration Date Content Filter Expiration Date Intrusion Detected Virus Detected Note: The ZyWALL must have a Turbo Card
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 74
    table displays the five most recent alerts recorded by the ZyWALL. You can see more information in the View Log screen, such as the source and destination IP addresses and port numbers of the incoming packets. Date/Time This is the date and time the alert was recorded. Message This is the reason
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 75
    Card Y Firewall Y IDP Y Anti-Virus Y Anti-Spam Y Content Filter Y VPN Y Certificates Y Authentication Server Y NAT Static Route Policy Route Bandwidth Management Y DNS Remote Management Y UPnP Custom Application Y ALG Y Reports Y Logs Y Maintenance Y ROUTER
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 76
    WIRELESS 3G (WAN2) This is the same as WAN > 3G (WAN2). Wi-Fi Wireless Card Use this screen to configure the wireless LAN settings and WLAN authentication/security settings. MAC Filter Use this screen to change MAC filter settings on the ZyWALL SECURITY 76 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 77
    VPN Rules (Manual) Use this screen to configure VPN connections using manual key management and view the rule summary. SA Monitor Use this screen to display and manage active VPN connections. Global Setting Use this screen to configure the IPSec timer settings. ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 78
    in IP policy routing. BW MGMT Summary Use this screen to enable bandwidth management on an interface. Class Setup Use this screen to set up the bandwidth classes. Monitor Use this screen to view the ZyWALL's bandwidth usage and allotments. DNS System Use this screen to configure the address
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 79
    IP address(es) users can use Telnet to manage the ZyWALL. FTP Use this screen to configure through which interface(s) and from which IP address(es) users can use FTP to access the ZyWALL. SNMP Use this screen to configure your ZyWALL's settings for Simple Network Management Protocol management
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 80
    ZyWALL work as a router or a bridge. F/W Upload Use this screen to upload firmware to your ZyWALL Backup & Restore Use this screen to backup and restore the configuration or reset the factory defaults to your ZyWALL. Restart This screen allows you to reboot the ZyWALL without turning the power
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 81
    this button to update the screen's statistics immediately. 3.4.7 Show Statistics: Line Chart Click the icon in the Show Statistics screen. This screen shows you a line chart of each port's throughput statistics. Figure 18 HOME > Show Statistics > Line Chart ZyWALL 5/35/70 Series User's Guide 81
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 82
    manually configured. Click Show DHCP Table in the HOME screen when the ZyWALL is set to router mode. Read-only information here relates to your DHCP status. The DHCP table shows current DHCP client information (including IP Address, Host Name and MAC Address) of all network clients using the ZyWALL
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 83
    the IP address of the computer using the VPN IPSec feature of your ZyWALL. Remote Network This field displays IP address (in a range) of computers on the remote network behind the remote IPSec router. Encapsulation This field displays Tunnel or Transport mode. ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 84
    send traffic that does not match any of the bandwidth classes.A Budget (kbps) This field displays the amount of bandwidth allocated to the bandwidth class. Current Usage (kbps) This field displays the amount of bandwidth that each bandwidth class is using. 84 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 85
    button to update the screen's statistics immediately. A. If you allocate all the root class's bandwidth to the bandwidth classes, the default class still displays a budget of 2 kbps (the minimum amount of bandwidth that can be assigned to a bandwidth class). ZyWALL 5/35/70 Series User's Guide 85
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 86
    Chapter 3 Introducing the Web Configurator 86 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 87
    the wizards you can select: • Internet Access Setup Click this link to open a wizard to set up an Internet connection for WAN1 on a ZyWALL with multiple WAN ports or the WAN port on a ZyWALL with a single WAN port. • VPN Setup Use VPN Setup to configure a VPN connection that uses a pre-shared key
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 88
    Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection. WAN IP Address Assignment 88 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 89
    an IETF (Internet Engineering Task Force) standard specifying how a host personal computer interacts with a broadband modem (for example DSL, cable, wireless, etc.) to achieve access to high-speed data networks. Figure 24 ISP Parameters: PPPoE Encapsulation ZyWALL 5/35/70 Series User's Guide 89
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 90
    , creating a Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol, and virtual private networking over public networks, such as the Internet. The ZyWALL supports one PPTP server connection at any given time. 90 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 91
    time in seconds that elapses before the router automatically disconnects from the PPTP server. PPTP Configuration My IP Address Type the (static) IP address assigned to you by your ISP. My IP Subnet Mask Type the subnet mask assigned to you by your ISP (if given). Server IP Address Type the IP
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 92
    access setup. Make sure you have installed the ZyWALL Turbo Card before you activate the IDP and anti-virus subscription services. Turn the ZyWALL off before you install or remove the ZyWALL Turbo Card. Figure 26 Internet Access Wizard: Second Screen 92 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 93
    applications of services like content filtering, anti-spam, anti-virus and IDP. If you want to activate a standard service with your iCard's PIN number (license key), use the REGISTRATION > Service screen. Figure 28 Internet Access Wizard: Registration ZyWALL 5/35/70 Series User's Guide 93
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 94
    Figure 29 Internet Access Wizard: Registration in Progress 4.2.4 Internet Access Wizard: Status This screen shows your device registration and service subscription status. Click Close to leave the wizard screen when the registration and activation are done. 94 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 95
    Wizard Setup A screen similar to the following appears if the registration was not successful. Click Return to go back to the Device Registration screen and check your settings. Figure 31 Internet Access Wizard: Registration Failed 4.2.5 Internet Access Wizard: Service Activation If the ZyWALL has
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 96
    Setup Figure 33 Internet Access Wizard: Activated Services 4.3 VPN Wizard Gateway Setting Use this screen to name the VPN gateway policy (IKE SA) and identify the IPSec routers at either end of the VPN tunnel. Click VPN Setup in the Wizard Setup Welcome screen (Figure 22 on page 87) to open the VPN
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 97
    field is read-only and displays the ZyWALL's IP address. Remote Gateway Address Enter the WAN IP address or domain name of the remote IPSec router (secure gateway) in the field below to identify the remote IPSec router by its IP address or a domain name. Set this field to 0.0.0.0 if the remote
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 98
    must be static and correspond to the remote IPSec router's configured local IP addresses. Select Single for a single IP address. Select Range IP for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask. 98 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 99
    Chapter 4 Wizard Setup Table 18 VPN Wizard: Network Setting LABEL DESCRIPTION Starting IP Address When the Remote Network field is configured to Single, enter a (static) IP address on the network behind the remote IPSec router. When the Remote Network field is configured to Range IP, enter the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 100
    Chapter 4 Wizard Setup The following table describes the labels in this screen. Table 19 VPN Wizard: IKE Tunnel Setting LABEL DESCRIPTION Negotiation Mode Select Main Mode for identity protection. Select Aggressive Mode to allow more incoming connections from dynamic IP addresses to use
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 101
    value is 180 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 102
    Chapter 4 Wizard Setup Table 20 VPN Wizard: IPSec Setting (continued) LABEL DESCRIPTION Perfect Forward Secret (PFS) Perfect Forward Secrecy (PFS) is disabled (None) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure. Select DH1, DH2 or DH5 to enable PFS.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 103
    of this VPN gateway policy. Gateway Policy Setting My ZyWALL This is the WAN IP address or the domain name of your ZyWALL in router mode or the ZyWALL's IP address in bridge mode. Remote Gateway Address This is the IP address or the domain name used to identify the remote IPSec router. Network
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 104
    and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. SA Life Time (Seconds) This is the length of time before an IKE SA automatically renegotiates. Perfect Forward Secret (PFS) Perfect Forward Secrecy (PFS) is disabled (None) by default in phase 2 IPSec SA setup
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 105
    have an e-mail server(s) connected to the ZyWALL's DMZ. Internet These are the networks that the ZyWALL connects to through an Internet connection. • Select Internet if the e-mail server(s) you use are on the Internet. • Select VPN if you use a VPN tunnel to connect to an e-mail server(s). Back
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 106
    , DMZ, and WLAN zones. This is to check for spam coming to the ZyWALL's local users from the outside e-mail server. • For e-mail servers located at the other end of a VPN tunnel, the ZyWALL recommends checking traffic that comes from the VPN to the LAN, DMZ, and WLAN zones. This is to check for spam
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 107
    traveling from a LAN computer to another LAN computer on the same subnet. From WAN1 To WAN1 means packets that come in through the WAN 1 interface and the ZyWALL routes back out through the WAN 1 interface. From VPN means traffic that came into the ZyWALL through a VPN tunnel and is going to the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 108
    Congratulations! You have successfully set up the directions that the anti-spam feature checks for spam. This does not enable the anti-spam feature. Go to the SECURITY > ANTI-SPAM screens to enable anti-spam. Figure 43 Anti-Spam Wizard: Setup Complete
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 109
    Rule Configuration Dynamic VPN rules allow VPN connections from IPSec routers with dynamic WAN IP addresses. This tutorial shows how to configure a basic VPN (Virtual Private Network) tunnel to allow a traveling sales manager named Bob (Y in the figure) using a ZyWALL P1 (B) to securely connect to
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 110
    Chapter 5 Tutorials Table 24 Dynamic VPN Rule Tutorial Settings FIELD ZYWALL A (COMPANY) Local Network (network behind the local ZyWALL) Note: Use static IP addresses or static DHCP to make sure the computers behind the ZyWALLs always use these IP addresses. 10.0.0.2 ~10.0.0.64 Remote Network
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 111
    . • The information that identifies the ZyWALL 70 (A) is circled in red. • The information that identifies the ZyWALL P1 (B) is circled in yellow. • Information that is the same in both is circled in orange. • Extended authentication settings are in green.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 112
    Policy Edit Screens Company Device (A) Remote Device (B) 2 After you click Apply, the A-B_Gateways gateway policy displays as shown next. Click SECURITY > VPN and the A-B_Gateways' add network policy icon. The following figure shows ZyWALL A's screen.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 113
    network policy identifies the devices behind the IPSec routers at either end of a VPN tunnel and specifies the authentication, encryption and other settings needed to negotiate a phase 2 IPSec SA. Here are the company's ZyWALL (A) and the telecommuter's ZyWALL (B) network policy edit screens. • The
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 114
    Figure 47 VPN Network Policy Edit Screens Company Device (A) Telecommuter Device (B)
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 115
    48 Activate VPN Rule (ZyWALL B) 6 Review the settings on both ZyWALLs as shown next. • The information that identifies the ZyWALL 70 (A) and network X is circled in red. • The information that identifies the ZyWALL P1 (B) and network Y is circled in yellow.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 116
    access settings and log into the VPN tunnel (see Section 5.1.4 on page 117). Do the following to have the telecommuter's ZyWALL (B) use zero configuration mode. 1 Log into ZyWALL B's web configurator. 2 Go to MAINTENANCE and click the Device Mode tab.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 117
    . Figure 50 Check The Telecommuter's Computer IP Address C:\>ipconfig Windows 2000 IP Configuration Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : IP Address 192.168.167.2 Subnet Mask 255.255.255.0 Default Gateway 192.168.167.1
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 118
    the user name "SalesManager" and password "Manager1234". Click Activate. 5 ZyWALL B automatically initiates and negotiates the VPN tunnel with ZyWALL A after you pass the authentication. A successful screen displays. Click Return. 6 Send a ping from the telecommuter's computer (IP address 192
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 119
    IP addresses. You can also use virtual address mapping (NAT over IPSec) to avoid an overlap (see Section on page 393). 5.2 Security Settings for VPN Traffic The ZyWALL can apply the firewall, IDP, anti-virus, anti-spam and content filtering to the traffic going to or from the ZyWALL's VPN tunnels
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 120
    Tutorials Note: The security settings apply to VPN traffic going to or from the ZyWALL's VPN tunnels. They do not apply to other VPN traffic for which the ZyWALL is not one of the gateways (VPN pass-through traffic). You can turn on content filtering for all of the ZyWALL's VPN traffic (regardless of
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 121
    spam originating from your own network. For example, you can use IDP to protect the remote networks from intrusions that might come in through your ZyWALL's VPN tunnels. Figure 55 IDP for To VPN Traffic Here is how you would configure this example.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 122
    FTP traffic to come from VPN tunnels to the FTP server. Furthermore, you can configure the firewall rule so that only the network behind device B can access the FTP server through a VPN tunnel (not other remote networks that have VPN tunnels with the ZyWALL).
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 123
    Click Security > VPN to open the following screen. Click the Add Gateway Policy icon. Figure 58 SECURITY > VPN > VPN Rules (IKE) 2 Use this screen to set up the connection between the routers. Configure the fields that are circled as follows and click Apply.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 124
    Figure 59 SECURITY > VPN > VPN Rules (IKE) > Add Gateway Policy 3 Click the Add Network Policy icon.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 125
    instead of specifying port numbers in this VPN network policy. • The firewall provides better security because it operates at layer 4 and checks traffic sessions. The VPN network policy only operates at layer 3 and just checks IP addresses and port numbers.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 126
    Figure 61 SECURITY > VPN > VPN Rules (IKE) > Add Network Policy
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 127
    . 3 Click the insert icon at the top of the Modify column. Figure 62 SECURITY > FIREWALL > Rule Summary 4 Configure the rule as follows and click Apply. The source addresses are the VPN rule's remote network and the destination address is the LAN FTP server.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 128
    Figure 63 SECURITY > FIREWALL > Rule Summary > Edit: Allow 5 The rule displays in the summary list of VPN to LAN firewall rules.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 129
    from VPN tunnels to the LAN FTP server. This means that you need to configure more firewall rules if you want to allow any other VPN tunnels to access the LAN. 1 Click SECURITY > FIREWALL > Default Rule. 2 Configure the screen as follows and click Apply.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 130
    FIREWALL > Default Rule: Block From VPN To LAN 5.4 How to Set up a 3G WAN Connection This section shows you how to configure and set up a 3G WAN connection on the ZyWALL. In this example, you have set up WAN 1 and want the ZyWALL to use both of the WAN interfaces (the physical WAN port and 3G card
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 131
    you have a wireless card or Turbo card in the ZyWALL, remove it. 3 Slide the connector end of the 3G card into the slot. 4 Connect the ZyWALL's power. 5.4.2 Configuring 3G WAN Settings You should already have an activated user account and network access information from the service provider. 1 Click
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 132
    using the weighted round-robin method. 1 Click NETWORK > WAN > General. 2 Set the WAN operation mode to active/active and select Weighted Round-Robin in the Load Balancing Algorithm field. 3 Enter 6 as the weight for WAN 1 and 4 for WAN 2. 4 Click Apply.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 133
    General Chapter 5 Tutorials 5.6 Configuring Content Filtering You can use the ZyWALL's content filtering policies to apply specific content filtering settings to specific users. You can even filter certain things at certain times. For example, you decide to set the default policy to block access
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 134
    . Figure 69 SECURITY > CONTENT FILTER > General 5.6.2 Block Categories of Web Content Here is how to block access to web pages by category of content. 1 Click SECURITY > CONTENT FILTER > Policy and then the external database icon next to the default policy.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 135
    Figure 70 SECURITY > CONTENT FILTER > Policy 2 Select Active. 3 Select the categories to block. 4 Click Apply. Figure 71 SECURITY > CONTENT FILTER > Policy > External Database (Default)
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 136
    applies the content filter policies in order, so make sure you add the new policy before the default policy. Figure 73 SECURITY > CONTENT FILTER > Policy 2 Select Active. 3 Give the policy a name. 4 Configure a single address of 192.168.1.33. 5 Click Apply.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 137
    :00. For the rest of the time, the ZyWALL applies the default content filter policy (which blocks access to arts and entertainment web pages). 1 Click SECURITY > CONTENT FILTER > Policy and then the Bob policy's schedule icon. Figure 75 SECURITY > CONTENT FILTER > Policy 2 Select Everyday and enter
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 138
    of Web Content for Bob Now you select the categories of web pages to block Bob from accessing. 1 Click SECURITY > CONTENT FILTER > Policy and then the Bob policy's external database icon. Figure 77 SECURITY > CONTENT FILTER > Policy 2 Select Active.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 139
    3 Select the categories to block. This is very similar to Section 5.6.2 on page 134, except you do not select the arts and entertainment category. 4 Click Apply. Figure 78 SECURITY > CONTENT FILTER > Policy > External Database (Bob)
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 140
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 141
    Registration myZyXEL.com myZyXEL.com is ZyXEL's online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL. Subscription Services Available on the ZyWALL At the time of writing, the ZyWALL can use content filtering, anti-spam, anti-virus and
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 142
    screen to register your ZyWALL with myZyXEL.com and activate a service, such as content filtering, anti-spam or anti-virus. Instead of using this screen you can go to http://www.myZyXEL.com with the ZyWALL's serial number and LAN MAC address to register it. Refer to the web site's on-line help for
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 143
    option and enter account your user name and password in the fields below to register your ZyWALL. User Name Enter a user name for your myZyXEL.com an iCard and enter the license key in the REGISTRATION Service screen to extend the service. Content Filtering 1month Trial Select the check box
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 144
    Click REGISTRATION > Service to open the screen as shown next. Note: If you restore the ZyWALL to the default configuration file or upload a different configuration file after you register, click the Service License Refresh button to update license information.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 145
    field displays the date your service expires. License Upgrade License Key Enter your iCard's PIN number and click Update to activate or extend a standard service subscription. If a standard service subscription runs out, you need to buy a new iCard (specific to your ZyWALL) and enter the new PIN
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 146
    Chapter 6 Registration Screens
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 147
    PART II Network LAN Screens (149) Bridge Screens (161) WAN Screens (169) DMZ Screens (207) WLAN Screens (219) Wireless Screens (229)
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 148
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 149
    LAN Screens • Use the LAN screen (Section 7.2 on page 152) to configure TCP/IP, DHCP, IP/MAC binding and NetBIOS settings on the LAN. • Use the Static DHCP screen (Section 7.3 on page 155) to configure the IP addresses assigned to devices in the LAN by DHCP.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 150
    portion of an IP address. Your ZyWALL will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the ZyWALL unless you are instructed to do otherwise. Private IP Addresses Every machine on the Internet must have a unique
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 151
    you disable the ZyWALL's DHCP service, you must have another DHCP server on your LAN, or else the computers must be manually configured. IP Pool Setup The ZyWALL is pre-configured with a pool of IP addresses for the computers on your LAN. See Table 269 on page 770 for the default IP pool range. Do
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 152
    NETWORK > LAN to open the LAN screen. Use this screen to configure the ZyWALL's IP address and other LAN TCP/IP settings as well as the built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 153
    TCP/IP IP Address Type the IP address of your ZyWALL in dotted decimal notation. 192.168.1.1 is the factory default. Alternatively, click the right mouse button to copy and/or paste the IP address. IP Subnet Mask The subnet mask specifies the network number portion of an IP address. Your ZyWALL
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 154
    are instructed by your ISP, leave this field set to Server. When configured as a server, the ZyWALL provides TCP/IP configuration for the clients. When set as a server, fill in the IP Pool Starting Address and Pool Size fields. Select Relay to have the ZyWALL forward DHCP requests to another DHCP
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 155
    7.3 The LAN Static DHCP Screen This table allows you to assign IP addresses on the LAN to specific individual computers based on their MAC addresses. To change your ZyWALL's static DHCP settings, click NETWORK > LAN > Static DHCP. The screen appears as shown.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 156
    click the right mouse button to copy and/or paste the IP address. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 7.4 The LAN IP Alias Screen IP alias allows you to partition a physical network into different logical networks
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 157
    following figure shows a LAN divided into subnets A, B, and C. Figure 85 Physical Network & Partitioned Logical Networks To change your ZyWALL's IP alias settings, click NETWORK > LAN > IP Alias. The screen appears as shown. Figure 86 NETWORK > LAN > IP Alias
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 158
    's IP address is in the same subnet as the ZyWALL's LAN, DMZ or WLAN IP address. 2 Use the appropriate LAN, DMZ or WLAN IP address to access the ZyWALL. To change your ZyWALL's port role settings, click NETWORK > LAN > Port Roles. The screen appears as shown.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 159
    DMZ. The port will use the ZyWALL's DMZ IP address and MAC address. WLAN Select a port's WLAN radio button to use the port as part of the WLAN. The port will use the ZyWALL's WLAN IP address and MAC address. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 160
    Chapter 7 LAN Screens
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 161
    in bridge mode and is bridging traffic on the WAN. The router device has a public WAN IP address and the ZyWALL is transparent. In the second figure the ZyWALL is in router mode and has a public WAN IP address and routes traffic between the LAN and WAN. Figure 89 Bridge Mode LAN 192.168.1.1 WAN
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 162
    the filtering database. In RSTP, the port states are Discarding, Learning, and Forwarding. Finding Out More To see more information on bridging refer to Section 33.5 on page 591. To see more advanced information on bridging refer to Section 8.4 on page 166.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 163
    LABEL DESCRIPTION Bridge IP Address Setup IP Address Type the IP address of your ZyWALL in dotted decimal notation. IP Subnet Mask The subnet mask specifies the network number portion of an IP address. Gateway IP Address Enter the gateway IP address.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 164
    names for content filtering, the time server, etc. If you have the IP address(es) of the DNS server(s), enter the DNS server's IP address(es) in the field(s) to the right. Rapid Spanning Tree Protocol Setup Enable Rapid Spanning Tree Protocol Select the check box to activate RSTP on the ZyWALL.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 165
    Reset to begin configuring this screen afresh. After you change the LAN/DMZ/WLAN port roles and click Apply, please wait for a few seconds until the following screen appears. Click Return to go back to the Port Roles screen. Figure 94 Port Roles Change Complete
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 166
    root port and the ports that are the designated ports for connected LANs, and disables all other ports that participate in STP. Network packets are therefore only forwarded between enabled ports, the network to re-establish a valid network topology.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 167
    is not allowed to go directly from blocking state to forwarding state so as to eliminate transient loops. Table 34 STP Port States PORT STATE DESCRIPTION Disabled STP is disabled (default). Blocking Only configuration and management BPDUs are received and processed. Listening All BPDUs are
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 168
    Chapter 8 Bridge Screens
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 169
    settings. You can have either a wired WAN connection with a 3G (WAN) connection or two wired WAN connections as shown in the following figures. Figure 95 LAN and WAN (Multiple) LAN WAN 1 ISP Figure 96 LAN and WAN (Multiple) LAN 3G WAN 1 WAN 2 ISP 1 ISP 2
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 170
    ). If your ISP offers a dial-up Internet connection using PPPoE (PPP over Ethernet) or PPPoA, they should also provide a username and password (and service name) for user authentication. WAN IP Address The WAN IP address is an IP address for the ZyWALL, which makes it accessible from an outside
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 171
    quality of services and maximize bandwidth utilization. See also policy routing to provide quality of service by dedicating a route for a specific traffic type and bandwidth management to specify a set amount of bandwidth for a specific traffic type on an interface. The ZyWALL uses three load
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 172
    a WAN Interface to a Local Host You can set the ZyWALL to send all of a local computer's traffic through the same WAN interface. This is useful when a redirect server forwards a user request for a file and informs the file server that a particular WAN IP address is requesting the file. If the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 173
    1's IP address and rejects the request. 9.2.1 Configuring the General Screen To configure your WAN General settings click NETWORK > WAN to open the General screen. Note: WAN 2 refers to either the physical WAN 2 port on a ZyWALL with multiple WAN ports or the 3G card on a single WAN ZyWALL in router
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 174
    Chapter 9 WAN Screens Figure 98 NETWORK > WAN > General
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 175
    Check Period The ZyWALL tests a WAN connection by periodically sending a ping to either the default gateway or the address in the Ping this Address field. Type a number of seconds (5 to 300) to set the time interval between checks. Allow more time if your destination IP address handles lots of
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 176
    . For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls. Allow between WAN1 and LAN Select this check box to forward NetBIOS packets from WAN 1 to the LAN port and from the LAN port to WAN1. If your firewall is enabled with the default policy set to block WAN 1 to
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 177
    Figure 99 Least Load First Example If the outbound bandwidth utilization is used as the load balancing index and the measured outbound throughput of WAN 1 is 412K and WAN 2 is 198K, the ZyWALL calculates the load balancing index as shown in the table below.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 178
    and inbound bandwidth utilization in calculating the load balancing index. If the measured inbound stream throughput for both WAN 1 and WAN 2 is 1600K, the ZyWALL calculates the Load Balancing Algorithm field. Figure 100 Load Balancing: Least Load First
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 179
    a redirect server forwards a local user's request for a file and informs the file server that a particular WAN IP address is requesting the file. If the user's subsequent sessions came from a different WAN IP address, the file server would deny the request. Time Frame You can set the ZyWALL to get
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 180
    the ZyWALL send all of a local computer's traffic through the same WAN interface for the period of time that you specify (1 to 600 seconds). This is useful when a redirect server forwards a local user's request for a file and informs the file server that a particular WAN IP address is requesting
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 181
    allows you to fully utilize the bandwidth of the primary WAN interface while avoiding overloading it and reducing Internet connection fees at the same time. In the following example figure, the upper threshold of the primary WAN interface is set to 800K. The ZyWALL sends network traffic of a new
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 182
    a redirect server forwards a local user's request for a file and informs the file server that a particular WAN IP address is requesting the file. If the user's subsequent sessions came from a different WAN IP address, the file server would deny the request. Time Frame You can set the ZyWALL to get
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 183
    DNS server IP addresses (along with the ZyWALL's WAN IP address), set the DNS server fields to get the DNS server address from the ISP. 3 You can manually enter the IP addresses of other DNS servers. These servers can be public or private. A DNS server could even be behind a remote IPSec router (see
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 184
    not appear with the Standard service type. User Name Type the user name given to you by your ISP. Password Type the password associated with the user name above. Retype to Confirm Type your password again to make sure that you have entered it correctly.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 185
    By default, the RIP Version field is set to RIP-1. Enable Multicast Select this check box to turn on IGMP (Internet Group Management Protocol). IGMP is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 186
    4 and 5 of RFC 2236. Spoof WAN MAC Address from LAN You can configure the WAN port's MAC address by either using the factory assigned default MAC Address or cloning the MAC address of a computer on your LAN. By default, the ZyWALL uses the factory assigned MAC Address to identify itself on the WAN
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 187
    associated with the user name above. Retype to Confirm Type your password again to make sure that you have entered it correctly. Authentication Type The ZyWALL supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). CHAP is more secure than PAP
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 188
    different IP address known within another network (for example a public IP address used on the Internet). Select this checkbox to enable NAT. For more information about NAT see Chapter 22 on page 435. RIP Direction RIP (Routing Information Protocol) allows a router to exchange routing information
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 189
    client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet. The screen shown next is for PPTP encapsulation.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 190
    for Internet Access Encapsulation Set the encapsulation method to PPTP. The ZyWALL supports only one PPTP server connection at any given time. To configure a PPTP client, you must configure the User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection. User
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 191
    different IP address known within another network (for example a public IP address used on the Internet). Select this checkbox to enable NAT. For more information about NAT see Chapter 22 on page 435. RIP Direction RIP (Routing Information Protocol) allows a router to exchange routing information
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 192
    the MAC address prior to hooking up the WAN port. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 9.4 The 3G (WAN2) Screen Use this screen to configure your 3G (WAN2) settings. After you insert a 3G card in the ZyWALL 5, the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 193
    you install or remove the 3G card. Note: The WAN 1 and WAN 2 IP addresses of a ZyWALL with multiple WAN interfaces must be on different subnets. To change your ZyWALL 5's 3G WAN settings, click NETWORK > WAN > 3G (WAN 2) or NETWORK > WIRELESS > 3G (WAN2).
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 194
    this option to enable WAN 2. 3G Card Configuration The fields below display only when you enable WAN 2. 3G Wireless Card This displays the manufacturer and model name of your 3G card if you inserted one in the ZyWALL. Otherwise, it displays Not Installed.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 195
    Click Scan to have the ZyWALL search for and display the available service providers. This field resets to the default setting (Automatically) if the ZyWALL restarts. ISP Parameters for Internet Access Access Point Name (APN) This field displays with a GSM or HSDPA 3G card. Enter the APN (Access
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 196
    IP Address. Advanced Setup Enable NAT (Network Address Translation) Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 197
    . Put the protected LAN in one subnet (Subnet 1 in the following figure) and the backup gateway in another subnet (Subnet 2). Configure a LAN to LAN/ZyWALL firewall rule that forwards packets from the protected LAN (Subnet 1) to the backup gateway (Subnet 2).
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 198
    in dotted decimal notation. The ZyWALL automatically forwards traffic to this IP address if the ZyWALL's Internet connection terminates. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 199
    . Use this screen to configure the backup WAN dial-up connection. Not all fields are available on all models. Figure 112 NETWORK > WAN > Dial Backup
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 200
    device. Consult the manual of String your WAN device connected to your Dial Backup port for specific AT commands. Advanced Modem Click Edit to display the Advanced Setup screen and edit the details of your dial Setup backup setup. TCP/IP Options Get IP Address Type the login name assigned by
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 201
    . When set to Both or In Only, the ZyWALL will incorporate RIP information that it receives. Broadcast Dial Backup Route Select this check box to forward the backup route broadcasts to the WAN. Enable Multicast Select this check box to turn on IGMP (Internet Group Management Protocol). IGMP
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 202
    The majority of WAN devices default to hanging up the Setup Screen Click the Edit button in the Dial Backup screen to display the Advanced Setup screen. Note: Consult the manual of your WAN device connected to your dial backup port for specific AT commands.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 203
    Control Dial Timeout (sec) Type a number of seconds for the ZyWALL to try to set up an outgoing call before timing out (stopping). Retry Count Type a number of times for the ZyWALL to retry a busy or no-answer phone number before blacklisting the number.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 204
    ZyWALL to wait before trying another call after a call has failed Packetswitched GPRS (General Packet Radio Services), High-Speed CircuitSwitched Data times Radio Transmission Technology) is the core CDMA2000 wireless wireless standard defined in ITUA specification
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 205
    Chapter 9 WAN Screens A. The International Telecommunication Union (ITU) is an international organization within which governments and the private sector coordinate global telecom networks and services.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 206
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 207
    the IP addresses assigned to devices in the DMZ by DHCP. • Use the IP Alias screen (Section 10.4 on page 214) to configure IP alias settings on the ZyWALL's DMZ ports. • Use the Port Roles screen (Section 10.5 on page 216) to configure DMZ ports on the ZyWALL.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 208
    connected computers (A through C) use private IP addresses that are in one subnet. The DMZ port and connected servers (D through F) use public IP addresses that are in another subnet. The public IP addresses of the DMZ and WAN ports are in separate subnets.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 209
    ) in the Network > DMZ screen (see Figure 117 on page 211) and configure the other subnet in the Network > DMZ > IP Alias screen (see Figure 119 on page 215) to use this kind of network setup. You also need to configure NAT for the private DMZ IP addresses.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 210
    IP addresses, the WAN and DMZ ports must use public IP addresses that are on separate subnets. See Appendix E on page 817 for information on IP subnetting. From the main menu, click NETWORK > DMZ to open the DMZ screen. The screen appears as shown next.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 211
    of an IP address. Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL 255.255.255.0. RIP (Routing Information Protocol, RFC1058 and RFC 1389) allows a router to exchange
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 212
    are instructed by your ISP, leave this field set to Server. When configured as a server, the ZyWALL provides TCP/IP configuration for the clients. When set as a server, fill in the IP Pool Starting Address and Pool Size fields. Select Relay to have the ZyWALL forward DHCP requests to another DHCP
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 213
    Static DHCP Screen This table allows you to assign IP addresses on the DMZ to specific individual computers based on their MAC Addresses. To change your ZyWALL's static DHCP settings on the DMZ, click NETWORK > DMZ > Static DHCP. The screen appears as shown.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 214
    NAT if you want to make DMZ computers with private IP addresses publicly accessible. When you use IP alias, you can have the DMZ use both public and private IP addresses at the same time. Note: Make sure that the subnets of the logical networks do not overlap.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 215
    do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, RIP direction is set to Both and the Version set to RIP-1.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 216
    Select a port's WLAN radio button to use the port as part of the WLAN. The port will use the ZyWALL's WLAN IP address and MAC address. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 217
    Chapter 10 DMZ Screens
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 218
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 219
    settings on the WLAN. • Use the Static DHCP screen (Section 11.3 on page 223) to configure the IP addresses assigned to devices in the LAN by DHCP. • Use the IP Alias screen (Section 11.4 on page 224) to configure IP alias settings on the ZyWALL's LAN ports.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 220
    . Insert a compatible wireless LAN card and enable the card in the WIRELESS > Wi-Fi screen (see Figure 130 on page 232). Click NETWORK > WLAN to open the WLAN screen to configure the IP address for the ZyWALL's WLAN interface, other TCP/IP and DHCP settings.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 221
    of an IP address. Your ZyWALL automatically calculates the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL. RIP (Routing Information Protocol, RFC1058 and RFC 1389) allows a router to exchange routing information
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 222
    are instructed by your ISP, leave this field set to Server. When configured as a server, the ZyWALL provides TCP/IP configuration for the clients. When set as a server, fill in the IP Pool Starting Address and Pool Size fields. Select Relay to have the ZyWALL forward DHCP requests to another DHCP
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 223
    . 11.3 WLAN Static DHCP This table allows you to assign IP addresses on the WLAN to specific individual computers based on their MAC addresses. To change your ZyWALL's WLAN static DHCP settings, click NETWORK > WLAN > Static DHCP. The screen appears as shown.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 224
    IP Alias IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. See Section 7.4 on page 156 for more information on IP alias. Note: Make sure that the subnets of the logical networks do not overlap.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 225
    do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, RIP direction is set to Both and the Version set to RIP-1.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 226
    > WLAN > IP Alias (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 11.5 WLAN Port Roles Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Connect wireless LAN
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 227
    button to use the port as part of the DMZ. The port will use the DMZ IP address. WLAN Select a port's WLAN radio button to use the port as part of the WLAN. The port will use the WLAN IP address. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 228
    Chapter 11 WLAN Screens
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 229
    the Wireless Card screen (Section 12.2 on page 232) to configure wireless network settings such as wireless security for the ZyWALL. • Use the MAC Filter screen (Section 12.3 on page 243) to set the ZyWALL to allow or disallow access to devices on your wireless network based on their MAC address. 12
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 230
    the Service Set with which a wireless station is associated. If you hide the ESSID, then the ZyWALL cannot be seen when a wireless client scans for local APs. The trade-off for the extra security of "hiding" the ZyWALL may be inconvenience for some valid WLAN clients. MAC Address Filtering This
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 231
    external RADIUS server you should use WPA-PSK (WPA-PreShared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a client will be granted access to a WLAN.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 232
    specifications chapter for a list of compatible ZyXEL WLAN cards (and the WLAN security features each card supports) and how to install a WLAN card. Note: You can install either a ZyWALL Turbo Card or a wireless card or a 3G card, but not both at the same time. When you have a wireless card or 3G card
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 233
    security by setting MAC filters and/or 802.1x security; otherwise your wireless LAN will be vulnerable upon enabling it. Select the check box to enable the wireless LAN. Wireless Card This field displays whether or not a compatible ZyXEL wireless LAN card is installed. ESSID (Extended Service Set
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 234
    . Note: The installed ZyXEL WLAN card may not support all of the WLAN security features you can configure in the ZyWALL. Apply Reset Please see the product specifications chapter for a table of compatible ZyXEL WLAN cards and the WLAN security features each card supports. Click Apply to save
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 235
    . Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 12.2.2 WPA-PSK Click WIRELESS > Wi-Fi > Wireless Card to display the Wireless Card screen. Select WPA-PSK from the Security list.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 236
    users for a username and password; other clients may use saved login credentials. In either case, there is usually a short delay while the wireless client logs in to the wireless network again. This value is usually smaller when the wireless network is keeping track of how much time each wireless
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 237
    users for a username and password; other clients may use saved login credentials. In either case, there is usually a short delay while the wireless client logs in to the wireless network again. This value is usually smaller when the wireless network is keeping track of how much time each wireless
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 238
    users for a username and password; other clients may use saved login credentials. In either case, there is usually a short delay while the wireless client logs in to the wireless network again. This value is usually smaller when the wireless network is keeping track of how much time each wireless
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 239
    changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 12.2.5 IEEE 802.1x + Static WEP Click WIRELESS > Wi-Fi > Wireless Card to display the Wireless Card screen. Select 802.1x + Static WEP from the Security list. Figure 135 WIRELESS > Wi-Fi > Wireless Card: 802.1x
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 240
    users for a username and password; other clients may use saved login credentials. In either case, there is usually a short delay while the wireless client logs in to the wireless network again. This value is usually smaller when the wireless network is keeping track of how much time each wireless
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 241
    users for a username and password; other clients may use saved login credentials. In either case, there is usually a short delay while the wireless client logs in to the wireless network again. This value is usually smaller when the wireless network is keeping track of how much time each wireless
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 242
    keys to secure your data from eavesdropping by unauthorized wireless users. The values for the keys must be set up exactly the same on the access points as they are on the wireless stations. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 243
    exclude specific devices from accessing the ZyWALL (Deny Association). You need to know the MAC addresses of the devices to configure this screen. To change your ZyWALL's MAC filter settings, click WIRELESS > Wi-Fi > MAC Filter. The screen appears as shown. Figure 138 WIRELESS > Wi-Fi > MAC Filter
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 244
    user and then sends another password information exchanged is also encrypted to protect the network from unauthorized access. EAP Authentication The following figure shows an overview of authentication when you specify a RADIUS server on your access point.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 245
    and management system, using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 246
    and distributes keys to the wireless clients. 4 The AP and wireless clients use the TKIP encryption process to encrypt data exchanged between them. Figure 140 WPA-PSK Authentication WPA with RADIUS Application You need the IP address of the RADIUS server, its port number (default is 1812), and the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 247
    XP, Funk Software's Odyssey client, and Meetinghouse Data Communications' AEGIS client. The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 248
    Chapter 12 Wireless Screens
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 249
    PART III Security Firewall Screens (251) Intrusion Detection and Prevention (IDP) Screens (277) Anti-Virus Screens (299) Anti-Spam Screens (313) Content Filtering Screens (327) Content Filtering Reports (349) IPSec VPN (357) Certificates (399) Authentication Server Screens (427)
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 250
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 251
    default settings. The ZyWALL checks the source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the ZyWALL takes the action specified in the rule.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 252
    address headers. You can set what the ZyWALL does with packets traveling in a specific direction (including going to/coming from a VPN tunnel) that do not match any of the firewall rules. See also Packet Direction on page 252. Asymmetrical Routes Asymmetrical routes only apply if you have another
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 253
    the IP address of the CEO's computer (192.168.1.7 for example) to go to any destination address. You do not need to specify a schedule since you want the firewall rule to always be in effect. The following figure shows the results of your two custom rules.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 254
    and the ZyWALL would drop it and not check any other firewall rules. 13.3 The Firewall Default Rule Screen Click SECURITY > FIREWALL to open the Default Rule screen. Use this screen to configure general firewall settings when the ZyWALL is in Router mode.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 255
    of Service (DoS) attacks when the firewall is activated. Allow Asymmetrical Route Note: When you activate the firewall, all current connections through the ZyWALL are dropped when you apply your changes. If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL's LAN IP
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 256
    apply to the traffic going to or from the ZyWALL's VPN tunnels. They do not apply to other VPN traffic for which the ZyWALL is not one of the gateways (VPN pass-through traffic). Log Apply Reset Use the drop-down list box to set the firewall's default actions based on the direction of travel of
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 257
    the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated. Note: When you activate the firewall, all current connections through the ZyWALL are dropped when you apply your changes.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 258
    to or from the ZyWALL's VPN tunnels. They do not apply to other VPN traffic for which the ZyWALL is not one of the gateways (VPN pass-through traffic). Log Log Broadcast Frame (Bridge mode only) Apply Reset Use the drop-down list box to set the firewall's default actions based on the direction
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 259
    + to expand or - to collapse the Source Address, Destination Address and Service Type drop down lists. Name This is the name of the firewall rule. Active This field displays whether a firewall is turned on (Y) or not (N). Click the setting to change it.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 260
    the edit icon or the insert icon to display the Firewall Edit Rule screen. Use this screen to create or edit a firewall rule. Refer to the following table for information on the labels. See Section 13.1 on page 251 for more information about the firewall.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 261
    Chapter 13 Firewall Screens Figure 148 SECURITY > FIREWALL > Rule Summary > Edit
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 262
    ASCII characters) for the firewall rule. Spaces are allowed. Edit Source/ Destination Address Address Type Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (for example 192.168.1.10 to 192.169.1.50), a subnet or any IP address? Select an option from
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 263
    screen to help keep the ZyWALL hidden from probing attempts. You can specify which of the ZyWALL's interfaces will respond to Ping requests and whether or not the ZyWALL is to respond to probing for unused ports. Figure 149 SECURITY > FIREWALL > Anti-Probing
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 264
    Values on page 275 for more information on DoS thresholds. Click SECURITY > FIREWALL > Threshold to bring up the next screen. The global values specified for the threshold and timeout apply to all TCP connections. Figure 150 SECURITY > FIREWALL > Threshold
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 265
    the labels in this screen. Table 74 SECURITY > FIREWALL > Threshold LABEL DESCRIPTION Disable DoS Attack Protection on Select the check boxes of any interfaces (or all VPN tunnels) for which you want the ZyWALL to not use the Denial of Service protection thresholds. This disables DoS protection
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 266
    Service This table shows all the services that are already configured for use in firewall rules. See Appendix B on page 783 for a list of common services. # This is the index number of the predefined service. Service Name This is the name of the service.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 267
    This is the IP port number or ICMP type and code that defines the service. 13.8.1 The Firewall Edit Custom Service Screen Click SECURITY > FIREWALL > Service > Add to display the following screen. Use this screen to configure a custom service entry that is not predefined in the ZyWALL. See Appendix
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 268
    rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7. 5 Click Insert at the top of the Modify column to display the firewall rule configuration screen.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 269
    the Edit Rule screen, use the arrows between Available Services and Selected Service(s) to configure it as follows. Click Apply when you are done. Note: Custom services show up with an * before their names in the Services list box and the Rule Summary list box.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 270
    Figure 157 My Service Firewall Rule Example: Rule Configuration
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 271
    the remote management settings to allow only a specific computer to manage the ZyWALL. • LAN to WAN 1 These rules specify which computers on the LAN can access which computers or services connected to WAN 1. See Section 13.2 on page 252 for an example.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 272
    traffic from the LAN computers to go out through any of the ZyWALL's VPN tunnels. You could configure the From DMZ To VPN default rule to set the ZyWALL to silently block traffic from the DMZ computers from going out through any of the ZyWALL's VPN tunnels.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 273
    VPN tunnel to go to any of the ZyWALL's interfaces, the ZyWALL itself and other VPN tunnels. You could edit the From VPN To LAN default firewall rule to silently block traffic from the VPN tunnels from going to the LAN computers. Figure 160 From VPN to LAN Example
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 274
    through. Figure 161 From VPN to VPN Example If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL's LAN IP address, return traffic may not go through the ZyWALL. This is called an asymmetrical or "triangle" route. This causes the ZyWALL to reset the connection, as
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 275
    3 The reply from the WAN goes to the ZyWALL. 4 The ZyWALL then sends it to the computer on the LAN in Subnet 1. Figure 162 Using IP Alias to Solve the Triangle Route Problem DoS Thresholds For TCP, half-open means that the session has not reached the established state-
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 276
    that require this service? 2 Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will a rule that blocks just certain users be more effective? 3 Does a rule that allows Internet users access to resources on the LAN create a security vulnerability? For
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 277
    web, FTP, mail servers etc., a firewall and/or NAT router connected to a broadband modem (M) for Internet access. Figure 164 Network Intrusions 14.1.1 What You Can Do Using the IDP Screens • Use the General screen (Section 14.2 on page 279) to enable IDP on the ZyWALL and choose what traffic flows
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 278
    ) or revert to the original ZSRT-defined signature Active, Log, Alert and/or Action settings. 14.1.2 What You Need To Know About the ZyWALL IDP Network Intrusions The ZyWALL Internet Security Appliance is designed to protect against network-based intrusions. Network-based intrusions have the goal
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 279
    guide for details. Note: Turn the ZyWALL off before you install or remove the ZyWALL Turbo card. The ZyWALL Turbo Card does not have a MAC address. 14.2 The General Setup Screen Use this screen to enable IDP on the ZyWALL and choose what traffic flows the ZyWALL checks for intrusions. Click SECURITY
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 280
    traveling from a LAN computer to another LAN computer on the same subnet. From WAN1 To WAN1 means packets that come in through the WAN 1 interface and the ZyWALL routes back out through the WAN 1 interface. From VPN means traffic that came into the ZyWALL through a VPN tunnel and is going to the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 281
    by other types listed. To see signatures listed by intrusion type supported by the ZyWALL, select that type from the Attack Type list box. Table 78 SECURITY > IDP > Signature: Attack Types TYPE DESCRIPTION DoS/DDoS The goal of Denial of Service (DoS) attacks is not to steal information, but to
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 282
    matched the signature is dropped. Reset Both When the firewall is enabled, the TCP/IP connection is silently torn down. Both sender and receiver are sent TCP RST packets. If the firewall is not enabled only the packet that matched the signature is dropped.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 283
    . To revert to the default actions or to save sets of actions, go to the Backup & Restore screen. Figure 167 SECURITY > IDP > Signature: read-only) signature name identifies a specific signature targeted at a specific intrusion. Click the hyperlink for more .
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 284
    row to switch between the settings (last partial edited, all selected and all cleared). Action You can change the default signature action here. See Table 80 on page 282 for more details on actions. Apply Click this button to save your changes back to the ZyWALL. Reset Click this button to
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 285
    following table describes the fields in this screen. Table 82 SECURITY > IDP > Signature: Query View LABEL DESCRIPTION Back specific operating system(s). Active Search for enabled and/or disabled signatures here. Log Search for signatures by log .
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 286
    , all selected and all cleared). You can change the default signature action here. See Table 80 on page 282 for more details on actions. Click this button to save your changes back to the ZyWALL. Click this button to begin configuring this screen afresh.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 287
    view other pages of signatures found in the search. 5 If you change the Active, Log, Alert and/or Action signature fields in the signatures found, then click Apply to save the changes to the ZyWALL. Figure 169 SECURITY > IDP > Signature: Query by Partial Name
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 288
    example all severe DDoS type signatures that target the Windows operating system are displayed. 3 Click Search. If you change the Active, Log, Alert and/or Action signature fields in the signatures found, then click Apply to save the changes to the ZyWALL.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 289
    flows such as port scans. Protocol anomaly detection includes HTTP Inspection, TCP Decoder, UDP Decoder and ICMP Decoder. Protocol anomaly rules may be updated when you upload new firmware. Click SECURITY > IDP > Anomaly to display the following screen.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 290
    table describes the labels in this screen. Table 83 SECURITY > IDP > Anomaly LABEL DESCRIPTION Protocol Anomaly HTTP Inspection alert log when a match is found for the corresponding rule. See Chapter 32 on page 555 for more information on alerts.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 291
    enter https://mysecurity.zyxel.com/mysecurity/ as the URL in your web browser. You should have already registered your ZyWALL on myZyXEL.com at: http://www.myzyxel.com/myzyxel/. You can use your myZyXEL.com username and password to log into mySecurityZone.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 292
    them. This number increments as new signatures are added, so you should refer to this number regularly. Go to https://mysecurity.zyxel.com/mysecurity/ to see what the latest version number is. You can also subscribe to signature update e-mail notifications.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 293
    Backup & Restore screen to: • Back up IDP signatures with your custom configured settings. • Restore previously saved IDP signatures (with your custom configured settings). • Revert to the factory-default signature (Active, Log, Alert and/or Action) settings.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 294
    network edge. However, many attacks (inadvertently) are launched from within an organization. Virtual private networks (VPN), removable storage devices and wireless networks may all provide access to the internal network without going through the firewall.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 295
    cause problems. Network IDP Network-based intrusions have the goal of bringing down a network or networks by attacking computer(s), switch(es), router(s) or modem(s). If a LAN switch is compromised for example, then the whole LAN is compromised, resulting in the equivalent of a LAN Denial of Service
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 296
    version 5.01 or earlier visit sites at the infected Web server, they unwittingly download pages with the JavaScript code that automatically executes, causing the virus to be sent to other computers on the Internet in a somewhat random fashion. Nimda also can infect users within the Web server's own
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 297
    to display the contents, which displays random characters. W32/MyDoom-A creates randomly chosen email addresses in the "To:" and "From:" fields as well as a randomly chosen subject line. Attached files will have an extension of BAT, CMD, EXE, PIF, SCR or ZIP. ZyWALL 5/35/70 Series User's Guide 297
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 298
    Chapter 14 Intrusion Detection and Prevention (IDP) Screens 298 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 299
    301) to enable the antivirus service and configure to which interface(s) it applies. • Use the Signature screen (Section 15.3 on page 303) to locate signatures and manage how the ZyWALL uses them. • Use the Update screen (Section 15.4 on page 306) to immediately download or schedule new signature
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 300
    identifies SMTP, POP3, HTTP and FTP packets through standard ports. 2 If the packets are not session connection setup packets (such as SYN, ACK and FIN), the ZyWALL records the sequence of the packets. 3 The scanning engine checks the contents of the packets for viruses. 4 If a virus pattern is
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 301
    ZyWALL Turbo Card does not have a MAC address. Finding Out More • See Section 15.6 on page 310 for more information on viruses and virus scanners. 15.2 The General Screen Use this screen to enable the antivirus service and configure to which interfaces the service applies. Click SECURITY > ANTI
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 302
    does NOT decompress any ZIP file(s) within the ZIP file. This field displays whether or not a ZyWALL Turbo Card is installed. Available Service Note: You cannot configure and save the IDP and Anti-Virus screens if the ZyWALL Turbo Card is not installed. 302 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 303
    traveling from a LAN computer to another LAN computer on the same subnet. From WAN1 To WAN1 means packets that come in through the WAN 1 interface and the ZyWALL routes back out through the WAN 1 interface. From VPN means traffic that came into the ZyWALL through a VPN tunnel and is going to the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 304
    to log packets that match the signature). Alert Search for signatures by whether or not the ZyWALL is set to generate an alert mail when packets match the signature). Send Windows Message Search for signatures by whether or not the ZyWALL is set to send a message alert to files' intended user
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 305
    saved settings. 15.3.1 Signature Search Example This example shows a search for signatures that are enabled, set to generate logs and alerts, send Windows messages and destroy the infected portion of the file. Figure 178 Query Example Search Criteria ZyWALL 5/35/70 Series User's Guide 305
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 306
    with built-in signatures created by the ZyXEL Security Response Team (ZSRT). These are regularly updated as new intrusions evolve. Use the Update screen to immediately download or schedule new signature downloads. Note: You should have already registered the ZyWALL at myZyXEL.com (http://www.myzyxel
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 307
    share the same Auto-Update schedule. Changes made to the schedule in one screen are reflected in the other. Note: The ZyWALL does not have to reboot when you upload new signatures. Click SECURITY > ANTI-VIRUS > Update. Figure 180 SECURITY > ANTI-VIRUS > Update ZyWALL 5/35/70 Series User's Guide 307
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 308
    date and time you downloaded new signatures to the ZyWALL. It displays N/A if you have not downloaded any new signatures yet. Current Anti-Virus This field displays the number of Anti-Virus-related signatures. Signatures Signature Update Service Status This field displays License Inactive if
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 309
    can change the pre-defined Active, Log, Alert, Send Windows Message and/or Destroy File settings of individual signatures. Figure 181 SECURITY > ANTI-VIRUS > Backup and Active, Log, Alert, Send Windows Message and/or Destroy File settings. Click Reset. ZyWALL 5/35/70 Series User's Guide 309
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 310
    Internet). • HAV scanners may reduce computing performance as they also share the resources (such as CPU time) on the computer for file inspection. • You have to update the virus signatures and/or perform virus scans on all computers in the network regularly. 310 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 311
    . • NAV scanners stop virus threats at the network edge before they enter or exit a network. • NAV scanners reduce computing loading on computers as the real-time data traffic inspection is done on a dedicated security device. ZyWALL 5/35/70 Series User's Guide 311
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 312
    Chapter 15 Anti-Virus Screens 312 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 313
    is identified. • Use the External DB screen (Section 16.3 on page 318) to enable or disable external database services and configure the spam threshold. • Use the Anti-Spam Lists screen (Section 16.4 on page 320) to configure whitelist and blacklist settings. ZyWALL 5/35/70 Series User's Guide 313
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 314
    Internet Mail Extensions) allows varied media types to be used in email. MIME headers describe an e-mail's content filters. Whitelist Configure whitelist entries to identify legitimate e-mail. The whitelist entries have the ZyWALL the ZyWALL to the ZyWALL. The possible database service in order
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 315
    as IMAP) or other port numbers. Finding Out More See Section 16.6 on page 324 for more information on antispam. 16.2 The General Screen Use this screen to turn the anti-spam feature on or off, choose what traffic flows the ZyWALL checks for spam, and set how the ZyWALL treats spam. Phishing Phishing
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 316
    port 25 and POP3 (TCP port 110) e-mail. See Section 29.2 on page 529 if you need to use anti-spam for SMTP and POP3 traffic on custom ports. Anti-Spam Wizard Click the icon to open a wizard that helps you choose which packet directions to check for spam. 316 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 317
    traveling from a LAN computer to another LAN computer on the same subnet. From WAN1 To WAN1 means packets that come in through the WAN 1 interface and the ZyWALL routes back out through the WAN 1 interface. From VPN means traffic that came into the ZyWALL through a VPN tunnel and is going to the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 318
    (see the chapter of product specifications for the threshold). Select Forward to have the ZyWALL allow the excess e-mail sessions without any spam filtering. Select Block to have the ZyWALL drop mail connections to stop the excess e-mail sessions. The e-mail client or server will have to attempt
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 319
    SECURITY > ANTI-SPAM > External DB LABEL DESCRIPTION External Database Enable External Database Enable the anti-spam external database feature to have the ZyWALL Set the spam threshold (from 0 to 100) for considering an e-mail to be spam. The ZyWALL ZyWALL 5/35/70 Series User's Guide 319
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 320
    Configure the blacklist to identify spam e-mail. You can create whitelist or blacklist entries based on the sender's IP address or e-mail address. You can also create entries that check for particular MIME headers, MIME header values or specific subject text. 320 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 321
    to have the ZyWALL forward e-mail that matches a whitelist entry without doing any more anti-spam checking on that individual email. Active This field shows whether or not an entry is turned on. Type This field displays whether the entry is based on the e-mail's source IP address, source e-mail
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 322
    have the ZyWALL treat e-mail that matches a blacklist entry as spam. Active This field shows whether or not an entry is turned on. Type This field displays whether the entry is based on the e-mail's source IP address, source e-mail address, an MIME header or the e-mail's subject. Content This
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 323
    ZyWALL check e-mail for specific content in the subject line. IP Address This field displays when you select the IP type. Enter an IP address in dotted decimal notation. IP Subnet Mask This field displays when you select the IP type. Enter the subnet . ZyWALL 5/35/70 Series User's Guide 323
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 324
    ZyWALL can check up to the first 63 characters of an e-mail's subject. The whitelist or blacklist check fails ZyWALL would only check up to the first three characters of the e-mail subject. Apply Click Apply to save your settings addresses, domains and IP addresses ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 325
    spam filters. Use of relays, image-only e-mails, manipulation of mail formats and HTML obfuscation are common tricks for which the SpamTricks engine checks. The SpamTricks engine also checks for "phishing" (see Section 16.2 on page 315 for more on phishing). ZyWALL 5/35/70 Series User's Guide 325
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 326
    Chapter 16 Anti-Spam Screens 326 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 327
    , your ZyWALL accesses an external database that has millions of web sites categorized based on content. You can have the ZyWALL block and/or log access to web sites based on these categories. The content filtering lookup process is described below. ZyWALL 5/35/70 Series User's Guide 327
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 328
    , which then blocks and/or logs access to the web site. The web site's address and category are then stored in the ZyWALL's content filtering cache. Policies Content filtering policies allow you to have different content filtering settings for different users or groups of users. For example, you may
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 329
    a VPN tunnel. The ZyWALL applies the content filter to the traffic before encrypting it or after decrypting it. External Database Service General Setup Enable External Database Content Filtering Note: The ZyWALL can apply content filtering on the traffic going to or from the ZyWALL's VPN tunnels
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 330
    category-based content filtering service has expired. Note: After you register for content filtering, you need to wait up to five minutes for content filtering to be activated. See Section 18.2 on page 349 for how to check the content filtering activation. 330 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 331
    needs to be updated. See Section 18.4 on page 354 for how to submit the web site for review. Note: The ordering of your policies is very important as the ZyWALL applies policies in the order they are listed. Figure 189 SECURITY > CONTENT FILTER > Policy ZyWALL 5/35/70 Series User's Guide 331
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 332
    (blocked) web site addresses. You can also block web sites based on whether the web site's address contains a keyword. Click the schedule icon to set for which days and times the policy applies. Click the delete icon to remove the content filter policy. You cannot delete the default policy. A window
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 333
    as an intermediary between a user and the Internet to provide security, administrative control, and caching service. When a proxy server is located on the WAN it is possible for LAN users to circumvent content filtering by pointing to this proxy server. Address Setup Address Type Do you want the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 334
    Chapter 17 Content Filtering Screens Table 94 SECURITY > CONTENT FILTER > Policy > General (continued) LABEL DESCRIPTION Start IP Address Enter the single IP address or the starting IP address in a range here. End IP Address Enter the ending IP address in a range here. Subnet Mask Enter the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 335
    , burglary techniques and plagiarism. It also includes pages that provide or sell questionable educational materials, such as term papers. Note: This category includes sites identified as being malicious in any way (such as having viruses, spyware, etc.). ZyWALL 5/35/70 Series User's Guide 335
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 336
    Chapter 17 Content Filtering Screens Table 95 SECURITY > CONTENT FILTER > Policy > External Database (continued) LABEL DESCRIPTION Gambling Selecting this category excludes pages where a user can place a bet or participate in a betting pool (including lotteries) online. It also includes pages
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 337
    Chapter 17 Content Filtering Screens Table 95 SECURITY > CONTENT FILTER > Internet and technology-related organizations and companies. Search Engines/Portals Selecting this category excludes pages that support searching the Internet, indices, and directories. ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 338
    as e-mail addresses, name, social security number, IP address, etc. A site is not classified as spyware if the user is reasonably client downloads. Email Selecting this category excludes pages offering web-based e-mail services, such as online e-mail reading, e-cards, and mailing list services
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 339
    Chapter 17 Content Filtering Screens Table 95 SECURITY > CONTENT FILTER > Policy > External Database (continued) LABEL DESCRIPTION Religion Selecting this category excludes pages that promote and provide information on conventional or unconventional religious or quasi-religious subjects,
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 340
    this button to test whether or not the web site above is saved in the external content filter server's database of restricted web pages. Apply Click Apply to save your settings and exit this screen. Cancel Click Cancel to exit this screen without saving. 340 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 341
    " Use the SECURITY > CONTENT FILTER > Object screen (see Section 17.8 on page 343) first to configure the master lists of trusted (allowed) web sites, forbidden (blocked) web sites, and keywords. Figure 192 SECURITY > CONTENT FILTER > Policy > Customization ZyWALL 5/35/70 Series User's Guide 341
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 342
    Cancel to exit this screen without saving. 17.7 Content Filter Policy: Schedule Click SECURITY > CONTENT FILTER > Policy and then a policy's schedule icon to display the following screen. Use this screen to set for which days and times the policy applies. 342 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 343
    for individual day(s) of the week. Apply Click Apply to save your settings and exit this screen. Cancel Click Cancel to exit this screen without saving. 17.8 Content Filter Object Click SECURITY > CONTENT FILTER > Object to display the following screen. ZyWALL 5/35/70 Series User's Guide 343
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 344
    screens settings in content filtering, you must use the SECURITY > CONTENT FILTER > Policy > Customization screen to set individual policies to add or remove specific sites or keywords for individual policies. Figure 194 SECURITY > CONTENT FILTER > Object 344 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 345
    IP address when performing keyword blocking. This means that the ZyWALL checks the characters that come before the first slash in the URL. For example, with the URL www.zyxel.com/news/pressroom.php, content filtering only searches for keywords within www.zyxel.com. See the CLI reference guide to set
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 346
    346 The following table describes the labels in this screen. Table 99 SECURITY > CONTENT FILTER > Cache LABEL DESCRIPTION URL Cache Setup Maximum TTL Type the maximum time to live (TTL) (1 to 720 hours). This sets how long the ZyWALL is to allow an entry to remain in the URL cache before
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 347
    Chapter 17 Content Filtering Screens ZyWALL 5/35/70 Series User's Guide 347
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 348
    Chapter 17 Content Filtering Screens 348 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 349
    3 Enter a valid URL or IP address of a web site in the Test if Web site is blocked field and click the Test Against Internet Server button. When content filtering is active, you should see an access blocked or access forwarded message. An error message displays if content filtering is not active. 18
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 350
    Chapter 18 Content Filtering Reports Figure 196 myZyXEL.com: Login 3 A welcome screen displays. Click your ZyWALL's model name and/or MAC address under Registered ZyXEL Products. You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 351
    field. You can find this MAC address in the Service Management screen (Figure 198 on page 351). Type your myZyXEL.com account password in the Password field. 6 Click Submit. Figure 199 Blue Coat: Login 7 In the Web Filter Home screen, click the Reports tab. ZyWALL 5/35/70 Series User's Guide 351
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 352
    Chapter 18 Content Filtering Reports Figure 200 Content Filtering Reports Main Screen 8 Select items under Global Reports or Single User Reports to view the corresponding reports. Figure 201 Blue Coat: Report Home 9 Select a time period in the Date Range field, either Allowed or Blocked in the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 353
    Figure 202 Global Report Screen Example Chapter 18 Content Filtering Reports 11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested. ZyWALL 5/35/70 Series User's Guide 353
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 354
    to submit the web site for review. 1 Log into the content filtering reports web site (see Section 18.3 on page 349). 2 In the Web Filter Home screen (see Figure 200 on page 352), click Site Submissions to open the Web Page Review Process screen shown next. 354 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 355
    Figure 204 Web Page Review Process Screen Chapter 18 Content Filtering Reports 3 Type the web site's URL in the field and click Submit to have the web site reviewed. ZyWALL 5/35/70 Series User's Guide 355
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 356
    Chapter 18 Content Filtering Reports 356 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 357
    (tunnels) that use manual keys. You may want to configure a VPN rule that uses manual key management if you are having problems with IKE key management. • Use the SA Monitor screen (see Section 19.9 on page 379) to display and manage active VPN connections. ZyWALL 5/35/70 Series User's Guide 357
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 358
    IPSec routers at either end of a VPN tunnel. The IKE SA provides a secure connection between the ZyWALL and remote IPSec router. • A network policy contains the IPSec SA settings. It specifies which devices (behind the IPSec routers) can use the VPN tunnel. 358 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 359
    Mode on page 391. Main mode is used in various examples in the rest of this section. IP Addresses of the ZyWALL and Remote IPSec Router In the ZyWALL, you have to specify the IP addresses of the ZyWALL and the remote IPSec router to establish an IKE SA. ZyWALL 5/35/70 Series User's Guide 359
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 360
    19 IPSec VPN You can usually provide a static IP address or a domain name for the ZyWALL. Sometimes, your ZyWALL might also offer another alternative, such as using the IP address of a port or interface. You can usually provide a static IP address or a domain name for the remote IPSec router as
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 361
    the IPSec routers at either end of a VPN tunnel (My ZyWALL and Remote Gateway) and specifies the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA (click the edit icon to display the other settings). My ZyWALL This represents your ZyWALL. The WAN IP address, domain
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 362
    identifies the IPSec routers at either end of a VPN tunnel (My ZyWALL and Remote Gateway) and specifies the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA. Figure 210 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy 362 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 363
    -only and displays the ZyWALL's IP address. The VPN tunnel has to be rebuilt if the My ZyWALL IP address changes after setup. Primary Remote Gateway Type the WAN IP address or the domain name (up to 31 characters) of the IPSec router with which you're making the VPN connection. Set this field to
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 364
    another party before you can communicate with them over a secure VPN connection requests that come in from IPSec routers with dynamic WAN IP addresses. When you select DNS or E-mail in the Local ID Type field, type a domain name or e-mail address by which to identify this ZyWALL in the local Content
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 365
    it uses for this VPN connection. Select Any to have the ZyWALL not check the remote IPSec router's ID. Content The configuration of the peer content depends on the peer ID type. Do the following when you set Authentication Key to Pre-shared Key. For IP, type the IP address of the computer with
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 366
    3,000,000 seconds (almost 35 days). A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected. Key Group Select which
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 367
    -Edit screen. Use this screen to configure a network policy. A network policy identifies the devices behind the IPSec routers at either end of a VPN tunnel and specifies the authentication, encryption and other settings needed to negotiate a phase 2 IPSec SA. ZyWALL 5/35/70 Series User's Guide 367
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 368
    Chapter 19 IPSec VPN Figure 211 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy 368 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 369
    from the remote IPSec router by the time the timeout period expires, the ZyWALL disconnects the VPN tunnel. Log Select this check box to set the ZyWALL to create logs when it cannot ping the remote device. Ping this Address If you select Check IPSec Tunnel Connectivity, enter the IP address of
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 370
    screen where you can configure port forwarding for your VPN tunnels. The VPN network policy port forwarding rules let the ZyWALL forward traffic coming in through the VPN tunnel to the appropriate IP address. Type Select One-to-One to translate a single (static) IP address on your LAN to a single
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 371
    (static) IP address, in a range of computers on the network behind the remote IPSec router. When the Address Type field is configured to Subnet Address, enter a subnet mask on the network behind the remote IPSec router. Remote Port 0 is the default and signifies any port. Type a port number from
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 372
    as the Type and click the Port Forwarding Rules button to open the following screen. Use this screen to configure port forwarding for your VPN tunnels to let the ZyWALL forward traffic coming in through the VPN tunnel to the appropriate IP address on the LAN. 372 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 373
    in this screen. Table 103 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding LABEL DESCRIPTION Default Server In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 374
    Virtual Private Network) tunnel gives you a secure connection to another computer or network. Each VPN tunnel uses a single gateway policy and one or more network policies. • The gateway policy contains the IKE SA settings. It identifies the IPSec routers at either end of a VPN tunnel. • The network
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 375
    Network Address Type field in the VPN - Manual Key - Edit screen is configured to Range Address. A (static) IP address and a subnet mask are displayed when the Remote Network Address Type field in the VPN - Manual Key - Edit screen is configured to Subnet Address. ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 376
    rules that use manual keys. Manual key management is useful if you have problems with IKE key management. See IPSec SA Using Manual Keys on page 395 for more information about IPSec SAs using manual keys. Figure 215 SECURITY > VPN > VPN Rules (Manual) > Edit 376 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 377
    to Subnet Address, this is a subnet mask on the LAN behind your ZyWALL. Remote Network Specify the IP addresses of the devices behind the remote IPSec router that can use the VPN tunnel. The remote IP addresses must correspond to the remote IPSec router's configured local IP addresses. Two
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 378
    subnet mask on the network behind the remote IPSec router. Gateway Policy Information My ZyWALL When the ZyWALL is in router mode, enter the WAN IP address of your ZyWALL or leave the field set to 0.0.0.0. The ZyWALL uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 379
    displays the IP address of the computer using the VPN IPSec feature of your ZyWALL. Remote Network This field displays IP address (in a range) of computers on the remote network behind the remote IPSec router. Encapsulation This field displays Tunnel or Transport mode. IPSec Algorithm This
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 380
    the VPN tunnel to access computers on ZyWALL X's network. Figure 217 Overlap in a Dynamic VPN Rule 192.168.1.0/24 0.0.0.0 • Setting Local and Remote IP Address Conflict Resolution to The Local Network has the ZyWALL X check if a packet's destination is also at the local network before forwarding
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 381
    no traffic is received from a remote IPSec router after the specified time period, the ZyWALL disconnects the VPN tunnel. 0 disables the check (this is the default setting). The output idle timer never takes effect if you set this timer to a shorter period. ZyWALL 5/35/70 Series User's Guide 381
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 382
    Setting (continued) LABEL DESCRIPTION Gateway Domain Name Update Timer If you use dynamic domain names in VPN rules to identify the ZyWALL and/or the remote IPSec router, the IP address mapped to the domain name can change. The VPN tunnel stops working after the IP address changes. Any users
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 383
    Sharing One VPN Rule Example FIELDS TELECOMMUTERS HEADQUARTERS My ZyWALL: 0.0.0.0 (dynamic IP address assigned by the ISP) Public static IP address Remote Gateway Address: Public static IP address 0.0.0.0 With this setting only the telecommuter can initiate the IPSec tunnel. Local Network
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 384
    .dydns.org) Local ID Type: DNS Local ID Content: telecommuterb.com Local IP Address: 192.168.3.2 Headquarters ZyWALL Rule 2: Peer ID Type: DNS Peer ID Content: telecommuterb.com Remote Gateway Address: telecommuterb.dydns.org Remote Address 192.168.3.2 384 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 385
    MGMT) to allow management access for the service through the specific port. In the following example, the VPN rule's local network (A) includes the ZyWALL's LAN IP address of 192.168.1.7. Someone in the remote network (B) can use a service (like HTTP for example) through the VPN tunnel to access the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 386
    connections that you have to set up and maintain in the network. Small office or telecommuter IPSec routers that support a limited number of VPN tunnels are also able to use VPN to connect to more networks. Hub-and-spoke VPN makes it easier for the hub router to manage the traffic between the spoke
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 387
    168.169.0/255.255.255.0 • Remote IP address: 192.168.167.0~192.168.168.255 19.13.3 Hub-and-spoke VPN Requirements and Suggestions Consider the following when implementing a hub-and-spoke VPN. • The local IP addresses configured in the VPN rules cannot overlap ZyWALL 5/35/70 Series User's Guide 387
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 388
    to have the spoke routers access the Internet through the hub-and-spoke VPN tunnel, set the VPN rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address. • Make sure that your From VPN and To VPN firewall rules do not block the VPN packets. 19.14 IPSec VPN Background Information Here
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 389
    exchanged. Note: The ZyWALL and the remote IPSec router must use the same pre-shared key. Router identity consists of ID type and ID content. The ID type can be IP address, domain name, or e-mail address, and the ID content is a specific IP address, domain name, or e-mail address. The ID content is only
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 390
    router using the trusted certificates and trusted CAs you have set up. Alternatively, if you want to use a specific certificate to authenticate the remote IPSec router, you can use the information in the certificate to specify the peer ID type and ID content. 390 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 391
    You must set up the certificates for the ZyWALL and remote IPSec router before you can use certificates in IKE SA. See Chapter 20 on page 399 for more information about certificates. Extended Authentication Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 392
    In the following example, there is another router (A) between router X and router Y. Figure 228 VPN/NAT Example If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and router Y try to establish a VPN tunnel, the authentication fails because it depends on this
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 393
    them through the VPN tunnel. Avoiding Overlapping Local And Remote Network IP Addresses If both IPSec routers support virtual address mapping, you can access devices on both networks, even if their IP addresses overlap. You map the ZyWALL's local network addresses to virtual IP addresses and map the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 394
    is used for communication between the ZyWALL and remote IPSec router (for example, for remote management), not between computers on the local and remote networks. These modes are illustrated below. Figure 230 VPN: Transport and Tunnel Mode Encapsulation Original Packet IP Header TCP Header Data
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 395
    set up an IPSec SA using manual keys when you want to establish a VPN tunnel quickly, for example, for troubleshooting. You should only do this as a temporary solution, however, because it is not as secure as a regular IPSec SA. In IPSec SAs using manual keys, the ZyWALL and remote IPSec router
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 396
    rule identifies the remote IPSec router by a static IP address or a domain name. If the Primary Remote Gateway field is set to 0.0.0.0, the ZyWALL cannot initiate the tunnel (and cannot renegotiate the SA). IPSec High Availability IPSec high availability (also known as VPN high availability) allows
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 397
    Address set to 0.0.0.0) • Should use a WAN connectivity check to this ZyWALL's WAN IP address If the remote IPSec router is not a ZyWALL, you may also want to avoid setting the IPSec Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 398
    Chapter 19 IPSec VPN 398 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 399
    .12 on page 424) to configure a list of addresses of directory servers (that contain lists of valid and revoked be made openly available; the other key is private and must be kept secure. Public-key encryption in general works as follows. 1 Tim wants to send .
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 400
    ZyWALL uses certificates based on public-key cryptology to authenticate users attempting to establish a connection. The method used to secure the data that you send through an established connection depends on the type of connection. For example, a VPN tunnel .
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 401
    My Certificates Screen Click SECURITY > CERTIFICATES > My Certificates to open the My Certificates screen. This is the ZyWALL's summary list of certificates and certification requests. Certificates display in black and certification requests display in gray.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 402
    ZyWALL has the factory default certificate. The factory default certificate is common to all ZyWALLs that use certificates. ZyXEL recommends that you use this button to replace the factory default certificate with one that uses your ZyWALL's MAC address .
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 403
    manually click the icon to have the ZyWALL query the CA (or RA (Registration Authority)) server for a certificate immediately. Otherwise, the ZyWALL checks with the server and updates the status periodically. The poll now icon disappears after the ZyWALL gets a certificate or the request has failed
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 404
    The following table describes the labels in this screen. Table 114 SECURITY > CERTIFICATES > My Certificates > Details LABEL DESCRIPTION Name This field number given by the certification authority or generated by the ZyWALL. Subject This field displays information that identifies the owner of
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 405
    and save the file on a management computer for later manual enrollment. You can copy and set to be the default self-signed certificate that signs the imported trusted remote host certificates. Cancel Click Cancel to quit and return to the My Certificates screen.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 406
    is not connected to your certificate's public or private passwords. Exporting a PKCS #12 file creates this and you must provide it to decrypt the contents when you import the file into the ZyWALL. Figure 236 SECURITY > CERTIFICATES > My Certificates > Export The following table describes the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 407
    default. 20.4.1 Using the My Certificate Import Screen Click SECURITY > CERTIFICATES > My Certificates and then Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate from a computer to the ZyWALL.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 408
    Apply to save the certificate on the ZyWALL. Cancel Click Cancel to quit and return to the My Certificates screen. When you import a binary PKCS#12 format certificate, another screen displays for you to enter the password. Figure 238 SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 409
    My Certificate Create screen. Use this screen to have the ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request. Figure 239 SECURITY > CERTIFICATES > My Certificates > Create (Basic)
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 410
    Create (Advanced) The following table describes the labels in this screen. Table 118 SECURITY > CERTIFICATES > My Certificates > Create LABEL DESCRIPTION Certificate Name Type up to 31 information. The fields below display when you click
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 411
    the email address of the owner of the certificate. You can use up to 63 characters. Check with the certificate's issuing certification authority for their interpretation in this field if you select to apply to a certification authority for a certificate.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 412
    by VeriSign and Cisco. Certificate Management Protocol (CMP) is a TCP-based enrollment protocol that was developed by the Public Key Infrastructure X.509 working group of the Internet Engineering Task Force (IETF) and is specified in RFC 2510. CA Server Address Enter the IP address (or URL) of the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 413
    have set the ZyWALL to accept as trusted. The ZyWALL accepts any valid certificate signed by a certification authority on this list as being trustworthy; thus you do not need to import any certificate that is signed by one of these certification authorities.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 414
    . Table 119 SECURITY > CERTIFICATES > Trusted CAs LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL's PKI storage space box in the certificate's details screen to have the ZyWALL check the CRL before trusting any certificates issued by the certification authority.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 415
    Use this screen to view in-depth information about the certification authority's certificate, change the certificate's name and set whether or not you want the ZyWALL to check a certification authority's list of revoked certificates before trusting a certificate issued by the certification authority
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 416
    table describes the labels in this screen. Table 120 SECURITY > CERTIFICATES > Trusted CAs > Details LABEL DESCRIPTION Name ZyWALL not check incoming certificates that are issued by this certification authority against a Certificate Revocation List (CRL).
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 417
    Table 120 SECURITY > CERTIFICATES ZyWALL uses RSA encryption) and the length of the key set in bits (1024 bits for example). Subject Alternative Name This field displays the certificate's owner's IP address (IP), domain name (DNS) or e-mail address
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 418
    authority of this certificate makes available. This field also displays the domain names or IP addresses of the servers. MD5 Fingerprint This is the certificate's message digest that the ZyWALL calculated using the MD5 algorithm. You can use this value to verify with the certification
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 419
    following table describes the labels in this screen. Table 121 SECURITY > CERTIFICATES > Trusted CAs Import LABEL DESCRIPTION File Path ZyWALL automatically accepts any valid certificate signed by a trusted certification authority as being trustworthy.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 420
    Default This field displays identifying information about the default self-signed certificate Self-signed on the ZyWALL that the ZyWALL the File Download screen. ZyWALL. Refresh Click this button to display the current validity status of the certificates.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 421
    the instructions in this screen to save a peer's certificates from a computer to the ZyWALL. You import it. Figure 245 SECURITY > CERTIFICATES > Trusted Remote Hosts > ZyWALL. Cancel Click Cancel to quit and return to the Trusted Remote Hosts screen.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 422
    20 Certificates 20.11 The Trusted Remote Host Certificate Details Screen Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote and/or change the certificate's name. Figure 246 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 423
    ZyWALL uses RSA encryption) and the length of the key set in bits (1024 bits for example). Subject Alternative Name This field displays the certificate's owner's IP address (IP), domain name (DNS) or e-mail address authority in the certificate's path.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 424
    the file on a management computer for later distribution (via floppy disk for example). Apply Click Apply to save your changes back to the ZyWALL. You can only the ZyWALL checks the servers listed here. Figure 247 SECURITY > CERTIFICATES > Directory Servers
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 425
    directory server. Address This field displays the IP address or domain name of the directory server. Port This field displays the port number that a directory server that the ZyWALL can access. Figure 248 SECURITY > CERTIFICATES > Directory Server > Add
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 426
    The following table describes the labels in this screen. Table 126 SECURITY > CERTIFICATES > Directory Server > Add LABEL DESCRIPTION Directory Service Setting Name Access Protocol Server Address Server Port Login Setting Login Password Type up to 31 ASCII characters (spaces are not permitted
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 427
    feature. A ZyWALL set to be a VPN extended authentication server can use either the local user database internal to the ZyWALL or an external RADIUS server for an unlimited number of users. The ZyWALL uses the same local user database for VPN extended authentication and wireless LAN security. 21
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 428
    SECURITY > AUTH SERVER to open the Local User Database screen. The local user database is a list of user profiles stored on the ZyWALL. The ZyWALL can use this list of user profiles to authenticate users. Use this screen to change your ZyWALL's list of user profiles.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 429
    Chapter 21 Authentication Server Screens Figure 249 SECURITY > AUTH SERVER > Local User Database
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 430
    local user profile on the ZyWALL. Server IP Address Enter the IP address of the external authentication server in dotted decimal notation. Port Number The default port of the RADIUS server for authentication is 1812. You need not change this value unless your network administrator instructs you
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 431
    the IP address of the external accounting server in dotted decimal notation. Port Number The default port of the RADIUS server for accounting is 1813. You need not change this value unless your network administrator instructs you to do so with additional information. Key Enter a password (up
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 432
    Chapter 21 Authentication Server Screens 432 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 433
    PART IV Advanced Network Address Translation (NAT) (435) Static Route Screens (451) Policy Route Screens (457) Bandwidth Management Screens (465) DNS Screens (479) Remote Management Screens (491) UPnP Screens (519) Custom Application Screen (529) ALG Screen (531) 433
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 434
    434
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 435
    IP address to a unique global IP address. • Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world although, it is highly recommended that you use the DMZ port for these servers instead.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 436
    NAT mapping rules to those computers with public IP addresses on the DMZ. 22.1.3 Before You Begin You must create a firewall rule in addition to setting up SUA/NAT, if you want to allow traffic originating from the WAN to be forwarded through the ZyWALL. 22.2 The NAT Overview Screen Click ADVANCED
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 437
    field displays the highest number of NAT sessions that the ZyWALL will permit at one time. Max. Concurrent Sessions Per Host Use this field to set the highest number of NAT sessions that the ZyWALL will permit a host to have at one time. WAN Operation This read-only field displays the operation
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 438
    the maximum number of address mapping rules that can be configured on the ZyWALL. Port Forwarding Rules The bar displays how many of the ZyWALL's possible port forwarding rules are configured. The first number shows how many port forwarding rules are configured on the ZyWALL. The second number
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 439
    N/A for Server port mapping. Local End IP This is the end Inside Local Address (ILA). If the rule is for all local IP addresses, then this field displays 255.255.255.255 as the Local End IP address. This field is N/A for One-to-One and Server mapping types.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 440
    -to-One NAT mapping type. 2. Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported only. 3. Many-to-Many Overload mode maps multiple local
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 441
    location. If you are unsure, refer to your ISP. 22.4.1 Default Server IP Address In addition to the servers for specified services, NAT supports a default server IP address. A default server receives packets from ports that are not specified in this screen.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 442
    you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. 22.4.2 Port Forwarding: Services and Port Numbers The ZyWALL provides the additional safety of the DMZ ports for connecting your publicly
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 443
    . If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. Refer to Appendix B on page 783 for port numbers commonly used for particular services.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 444
    specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen. If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 445
    the server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in from the server on the WAN) to the IP address of a computer on the client side (LAN). The problem is that port forwarding only forwards a service to a single LAN IP address. In order to use
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 446
    server responds using a port number ranging between 6970-7170. 4 The ZyWALL forwards the traffic to Jane's computer IP address. 5 Only Jane can connect to the Real Audio server until the connection is closed or times out. The ZyWALL times out in three minutes with UDP (User Datagram Protocol) or
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 447
    Network Address Translation (NAT) Table 134 ADVANCED > NAT > Port Triggering LABEL DESCRIPTION Incoming Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service. The ZyWALL forwards the traffic with this port (or range of ports) to the client
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 448
    forwards it to the Internet. The ZyWALL keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored. NAT never changes the IP address (either local or global) of an outside host. Figure 259 NAT Overview
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 449
    has already sent packets to 3, C and 4, D, they can send packets back to 2, B and the ZyWALL will perform NAT on them and send them to the server at IP address 1, port A. Packets have not been sent from 1, A to 4, E or 5, so they cannot send packets to 1, A.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 450
    Chapter 22 Network Address Translation (NAT) Figure 261 Port Restricted Cone NAT Example
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 451
    a computer (A) connected to the ZyWALL's LAN interface. The ZyWALL routes most traffic from A to the Internet through the default gateway (R1). You create one static route to connect to services offered by your ISP behind router R2. You create another static route to communicate with a separate
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 452
    two static route entries are for default WAN 1 and WAN 2 routes on a ZyWALL with multiple WAN interfaces. You cannot modify or delete a static default route. The default route is disabled after you change the static WAN IP address to a dynamic WAN IP address.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 453
    name that describes or identifies this route. Active This field shows whether this static route is active (Yes) or not (No). Destination This parameter specifies the IP network address of the final destination. Routing is always based on network number.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 454
    This is the IP address of the gateway. The gateway is a router or switch on the same network segment as the ZyWALL's interface. The gateway helps forward packets to their destinations. Modify Click the edit icon to go to the screen where you can set up a static route on the ZyWALL. Click the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 455
    this route private and not included in RIP broadcasts. Clear this check box to propagate this route to other hosts through RIP broadcasts. Apply Click Apply to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 456
    Chapter 23 Static Route Screens 456 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 457
    Overview This chapter covers setting and applying policies used for IP routing. Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 458
    IP header. IPPR follows the existing packet filtering facility of RAS in style and in implementation. 24.2 The Policy Route Summary Screen Click ADVANCED > POLICY ROUTE to open the Policy Route Summary screen (some of the screen's blank rows are not shown).
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 459
    policy route. Active This field shows whether the policy is active or inactive. Source Address/Port This is the source IP address range and/or port number range. Destination Address/Port This is the destination IP address range and/or port number range.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 460
    the physical WAN 2 port on the ZyWALL with multiple WAN ports or the 3G card on the supported ZyWALL in router mode. Not all fields are available on all models. Use this screen to configure a policy route to override the default (shortest path) routing behavior and forward packets based on the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 461
    route. IP Protocol Select Predefined and then the IP protocol from ALL(0), ICMP(1), IGMP(2), TCP(6), UDP(17), GRE(47), ESP(50) or AH(51). Otherwise, select Custom and enter a number from 0 to 255. Type of Service apply to incoming packets of this length.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 462
    used in Internet telephony, instant messaging, events notification and conferencing. The ZyWALL supports SIP traffic pass-through. Select SIP to configure the policy rule for UDP packets with a port 5060 destination. Source Interface Starting IP Address Ending IP Address Starting Port Ending Port
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 463
    ROUTE > Edit (continued) LABEL DESCRIPTION Gateway Select User-Defined and enter the IP address of the gateway if you want to specify the IP address of the gateway. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination. The gateway must be a router
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 464
    Chapter 24 Policy Route Screens 464 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 465
    of traffic. It can also help you make sure that the ZyWALL forwards certain types of traffic, such as Voice-over-IP (VoIP), with minimum delay. Bandwidth management addresses questions such as: • Who gets how much access to specific applications? • What priority level should you give to each type of
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 466
    separate LAN subnets. Table 139 Application and Subnet-based Bandwidth Management Example TRAFFIC TYPE FROM SUBNET A FROM SUBNET B VoIP 64 Kbps 64 Kbps Web 64 Kbps 64 Kbps FTP 64 Kbps 64 Kbps E-mail 64 Kbps 64 Kbps Video 64 Kbps 64 Kbps
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 467
    ADVANCED > BW MGMT to open the Summary screen. Use this screen to enable and configure bandwidth management on different bandwidth classes. Bandwidth Class Enable bandwidth management on an interface and set the maximum allowed bandwidth for that interface.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 468
    25 Bandwidth Management Screens You can configure up to one bandwidth filter per bandwidth class. You can also configure bandwidth classes without bandwidth filters. However, it is recommended that you configure sub-classes with filters for any classes that you configure without filters. The ZyWALL
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 469
    The WLAN class refers to the Ethernet interfaces in the WLAN port role. The ZyWALL does not apply bandwidth management to an installed wireless card's traffic. Active Speed (kbps) Scheduler Maximize Bandwidth Usage Apply Reset Traffic redirect or IP alias may cause LAN-to-LAN or DMZ-to-DMZ traffic
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 470
    25 Bandwidth Management Screens 25.2.1 Maximize Bandwidth Usage Example Here is an example of a ZyWALL that has maximize bandwidth usage enabled on an interface. The following table shows each bandwidth class's bandwidth budget. The classes are set up based on subnets. The interface is set to
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 471
    speed of the interface). Configure subclass layers for the root class. To add or delete child classes on an interface, click ADVANCED > BW MGMT > Class Setup. The screen is shown here with example classes.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 472
    that identifies a bandwidth management class. Service This is the service that this bandwidth management class is configured to manage. Destination IP Address This is the destination IP address for connections to which this bandwidth management class applies.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 473
    class applies. Source IP Address This is the source IP address for connections to which this bandwidth management class applies. Source Port This is the source port for connections to which this bandwidth management class applies. Protocol ID This is the protocol ID (service type) number for
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 474
    leave bandwidth available for other traffic types (see Section 25.1.5 on page 467) or you want to set the interface's speed to match what the next device in network can handle (see the Speed field description in Table 141 on page 469). Filter Configuration
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 475
    Enable Bandwidth Filter to have the ZyWALL use this bandwidth filter when it performs bandwidth management. You must enter a value in at least one of the following fields (other than the Subnet Mask fields which are only available when you enter the destination or source IP address). Service This
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 476
    Bandwidth Management Screens Table 146 ADVANCED > BW MGMT > Class Setup > Add Sub-Class (continued) LABEL DESCRIPTION Source Address Type Do you want your rule to apply to packets coming from a particular (single) IP, a range of IP addresses (for example 192.168.1.10 to 192.169.1.50) or a subnet
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 477
    automatically at the end of every time interval or to not update the screen statistics. Refresh Click this button to update the screen's statistics immediately. Clear Counter Click Clear Counter to clear all of the bandwidth management statistics.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 478
    to send traffic that does not match any of the bandwidth classes.A This field displays the amount of bandwidth allocated to the bandwidth class. This field displays the amount of bandwidth that each bandwidth class is using. Click Refresh to update the page.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 479
    ISP gives you DNS server addresses, manually enter them in the DNS server fields. 2 If your ISP dynamically assigns the DNS server IP addresses (along with the ZyWALL's WAN IP address), set the DNS server fields to get the DNS server address from the ISP.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 480
    DNS servers cannot resolve domain names to private IP addresses on the remote private network. The following figure depicts an example where three VPN tunnels are created from ZyWALL A; one to branch office 2, one to branch office 3 and another to headquarters (HQ). In order to access computers
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 481
    Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network. DDNS DDNS (Dynamic DNS) allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 482
    on page 484 for information on the fields. A name server record contains a DNS server's IP address. The ZyWALL can query the DNS server to resolve domain names for features like VPN, DDNS and the time server. When the ZyWALL needs to resolve a domain name, it checks it against the name server record
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 483
    an FQDN for which the ZyWALL has an address record, the ZyWALL can send the IP address in a DNS response without having to query a DNS name server. See Section 26.1.2 on page 479 for more on address records. Figure 275 ADVANCED > DNS > Add (Address Record)
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 484
    server record contains a DNS server's IP address. The ZyWALL can query the DNS server to resolve domain names for features like VPN, DDNS and the time server. A domain zone may also be included. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 485
    set as a DHCP client. The fields below display the (read-only) DNS server IP address(es) that the ISP assigns. N/A displays for any DNS server IP address fields for which the ISP does not assign an IP address. N/A displays for all of the DNS server IP address fields if the ZyWALL has a fixed WAN IP
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 486
    Setup ZyWALL sends out to the WAN. Maximum TTL Type the maximum time to live (TTL) (60 to 3600 seconds). This sets how long the ZyWALL IP Address This is the (resolved) IP address of a host. This field displays 0.0.0.0 for negative DNS resolution entries.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 487
    DNS DESCRIPTION The ZyWALL passes a DNS (Domain Name System) server IP address to the DHCP clients. Select an interface from the drop-down list box to configure the DNS servers for the specified interface. These read-only labels represent the DNS servers.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 488
    DMZ or WLAN IP address displays in the field to the right (read-only). The ZyWALL tells the DHCP clients on the LAN, DMZ or WLAN that the ZyWALL itself is the DNS server. When a computer on the LAN, DMZ or WLAN sends a DNS query to the ZyWALL, the ZyWALL forwards the query to the ZyWALL's system DNS
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 489
    DNS server maps a domain name to a port's IP address. If that WAN port loses its connection, high availability allows the router to substitute another port's IP address for the domain name mapping. 26.6 Configuring the Dynamic DNS Screen To change your ZyWALL's DDNS, click ADVANCED > DNS > DDNS. The
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 490
    setting in the WAN Interface field. Disable this feature and the ZyWALL will only update the domain name with an IP address of the WAN interface specified in the WAN Interface field. If that WAN interface does not have a connection, the ZyWALL will not update the domain name with another port's IP
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 491
    ) to configure the ZyWALL's HTTP and HTTPS management settings. • Use the SSH screen (Section 27.5 on page 507) to configure the ZyWALL's Secure Shell settings. • Use the Telnet screen (Section 27.7 on page 508) to specify which interfaces allow Telnet access and from which IP address the access can
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 492
    You have disabled that service in one of the remote management screens. 3 The IP address in the Secure Client IP Address field does not match the client IP address. If it does not match, the ZyWALL will disconnect the session immediately. 4 There is already another remote management session with an
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 493
    27.2 HTTPS Example If you haven't changed the default HTTPS port on the ZyWALL, then in your browser enter "https://ZyWALL IP Address/" as the web site address where "ZyWALL IP Address" is the IP address or domain name of the ZyWALL you wish to access. 27.2.1 Internet Explorer
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 494
    IP address of the ZyWALL's port that you are trying to access) does not match the common name specified in the ZyWALL's HTTPS server certificate that your browser received. Do the following to check the common name specified in the certificate that your ZyWALL sends to HTTPS clients.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 495
    Click Login and you then see the next screen. The factory default certificate is a common default certificate for all ZyWALL models. Figure 285 Replace Certificate Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL's MAC address that will be specific to
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 496
    Figure 286 Device-specific Certificate Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate. You will then see this information in the My Certificates screen. Figure 287 Common ZyWALL Certificate 27.2.5 Enrolling and Importing SSL Client
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 497
    CA's trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s). 27.2.6 Installing the CA's Certificate (Example) 1 Double click the CA's trusted certificate to produce a screen similar to the one shown next.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 498
    You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next. 1 Click Next to begin the wizard.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 499
    Figure 290 Personal Certificate Import Wizard 1 2 The file name and path of the if you wish to import a different certificate. Figure 291 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 500
    Figure 292 Personal Certificate Import Wizard 3 4 Have the wizard determine where the certificate should be 293 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 501
    (Example) Use the following procedure to access the ZyWALL via HTTPS. 1 Enter 'https://ZyWALL IP Address/' in your browser's web address field. Figure 296 Access the ZyWALL Via HTTPS 2 When Authenticate Client Certificates is selected on the ZyWALL, the following screen asks you to select a personal
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 502
    for most SSH client programs. Refer to your SSH client program user's guide. 27.2.9.1 Example 1: Microsoft Windows This section describes how to access the ZyWALL using the Secure Shell Client program. 1 Launch the SSH client and specify the connection information (IP address, port number or device
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 503
    whether the SSH service is available on the ZyWALL. Enter "telnet 192.168.1.1 22" at a terminal prompt and press [ENTER]. The computer attempts to connect to port 22 on the ZyWALL (using the default IP address of 192.168.1.1). A message displays indicating the SSH protocol version supported by the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 504
    sftp> put firmware.bin ras Uploading firmware.bin to /ras Read from remote host 192.168.1.1: Connection reset by peer Connection closed $ 27.3 The WWW Screen Use this screen to configure the ZyWALL's HTTP and HTTPS management settings. HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 505
    an SSL-aware web browser go to port 443 (by default) on the ZyWALL's WS (web server). 2 HTTP connection requests from a web browser go to port 80 (by default) on the ZyWALL's WS (web server). Figure 303 HTTPS Implementation Note: If you disable the HTTP service in the REMOTE MGMT > WWW screen, then
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 506
    with the IP address that you specify to access the ZyWALL using this service. HTTP Server Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 507
    Table 149 ADVANCED > REMOTE MGMT > WWW (continued) LABEL DESCRIPTION Server Access Select the interface(s) through which a computer may access the ZyWALL using this service. Secure Client IP Address A secure client is a "trusted" computer that is allowed to
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 508
    if needed, however you must use the same port number in order to use that service for remote management. Server Access Select the interface(s) through which a computer may access the ZyWALL using this service. Secure Client IP Address A secure client is a "trusted" computer that is allowed to
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 509
    if needed, however you must use the same port number in order to use that service for remote management. Server Access Select the interface(s) through which a computer may access the ZyWALL using this service. Secure Client IP Address A secure client is a "trusted" computer that is allowed to
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 510
    if needed, however you must use the same port number in order to use that service for remote management. Server Access Select the interface(s) through which a computer may access the ZyWALL using this service. Secure Client IP Address A secure client is a "trusted" computer that is allowed to
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 511
    . • Trap - Used by the agent to inform the manager of some events. Supported MIBs The ZyWALL supports MIB II that is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 512
    (power on). 1 warmStart (defined in RFC-1215): A trap is sent after booting (software reboot). 4 authenticationFailure (defined in RFC-1215): A trap is sent to the manager when receiving any SNMP get or set requirements with the wrong community (password). 6 whyReboot (defined in ZYXEL
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 513
    if needed, however you must use the same port number in order to use that service for remote management. Service Access Select the interface(s) through which a computer may access the ZyWALL using this service. Secure Client IP Address A secure client is a "trusted" computer that is allowed to
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 514
    > REMOTE MGMT > DNS LABEL DESCRIPTION Server Port The DNS service port number is 53 and cannot be changed here. Service Access Select the interface(s) through which a computer may send DNS queries to the ZyWALL. Secure Client IP Address A secure client is a "trusted" computer that is allowed
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 515
    registration status and last registration time. Vantage CNM Setup Enable Select this check box to allow Vantage CNM to manage your ZyWALL. Vantage CNM Server Address If the Vantage server is on the same subnet as the ZyXEL device, enter the private or public IP address of the Vantage server. If
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 516
    server. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 27.13 Remote Management Technical Reference How SSH Works The following table summarizes how a secure connection is established between two remote hosts. Figure 313 How
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 517
    After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server. The client then sends its authentication information (user name and password) to the server to log in to the server.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 518
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 519
    the following: • Dynamic port mapping • Learning public IP addresses • Assigning lease times to mappings Windows Messenger is an example of an application that supports NAT traversal and UPnP. See Chapter 22 on page 436 for further information about NAT.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 520
    The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments. When a UPnP device joins a network, it
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 521
    to install UPnP in Windows Me. 1 Click Start, Settings and Control Panel. Double-click Add/Remove Programs. 2 Click on the Windows Setup tab and select Communication in the Components selection box. window and click Next. 5 Restart the computer when prompted.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 522
    1 Click Start, Settings and Control Panel. Service in the Components selection box and click Details. 5 In the Networking Services ZyXEL device. Make sure the computer is connected to a LAN port of the ZyXEL device. Turn on your computer and the ZyXEL device.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 523
    icon and select Properties. 3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. You may edit or delete the port mappings or click Add to manually add port mappings.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 524
    status. 28.2.2.2 Web Configurator Easy Access With UPnP, you can access the web-based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first. This is helpful if you do not know the IP address of the ZyXEL device.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 525
    Places. 4 An icon with the description for each UPnP-enabled device displays under Local Network. 5 Right-click the icon for your ZyXEL device and select Invoke. The web configurator login screen displays.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 526
    ADVANCED > UPnP LABEL DESCRIPTION UPnP Setup Device Name This identifies the ZyXEL device in UPnP applications. Enable the login screen without entering the ZyWALL's IP address (although you must still enter the password to access the web configurator).
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 527
    restarting. If you use UPnP and you set a port on your computer to be fixed for a specific service (for example FTP for file transfers), this option allows the ZyWALL to keep a record when your computer uses UPnP to create a NAT forwarding rule for that service. WAN Interface in This field displays
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 528
    number on the Internal Client to which the ZyWALL should forward incoming connection requests. Internal Client This field displays the DNS host name or IP address of a client on the LAN. Multiple NAT clients can use a single port simultaneously if the internal client field is set to 255.255.255
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 529
    -spam, anti-virus, and content filtering features monitor traffic on custom ports, in addition to the default ports. 29.1.1 What You Can Do in the Custom Application Screen Use the Custom App screen (Section 29.2 on page 529) to configure custom application settings on the ZyWALL. 29.1.2 What You
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 530
    a single port number, enter it here. End Port Enter the ending port for the range that the ZyWALL is to monitor for this application. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 531
    an application for which the ZyWALL has ALG service enabled, the ZyWALL translates the device's private IP address inside the data stream to a public IP address. It also records session port numbers and dynamically creates implicit NAT port forwarding and firewall rules for the application's traffic
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 532
    TCP/IP networks. A system running the FTP server accepts commands from a system running an FTP client. The service allows users to send commands to the server for uploading and downloading files. If the FTP server is located on the LAN, you must also configure NAT port forwarding and firewall rules
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 533
    317 H.323 ALG Example • With multiple WAN IP addresses on the ZyWALL, you can configure different firewall and port forwarding rules to allow incoming calls from each WAN IP address to go to a specific IP address on the LAN, DMZ or WLAN. Use policy routing to have the H.323 calls from each of
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 534
    STUN (Simple Traversal of User Datagram Protocol (UDP) through Network Address Translators) allows the VoIP device to find the presence and types of NAT routers and/or firewalls between it and the public Internet. STUN also allows the VoIP device to find the public IP address that NAT assigned, so
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 535
    ADVANCED > ALG to open the ALG screen. Use the ALG screen to turn individual ALGs off or on and set the SIP timeout. Note: If the ZyWALL provides an ALG for a service, you must enable the ALG in order to perform bandwidth management on that service's traffic.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 536
    Voice over IP), the sending of voice signals over Internet Protocol. SIP Timeout Most SIP clients have an "expire" mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL. If the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 537
    PART V Reports, Logs and Maintenance Reports Screens (539) Logs Screens (555) Maintenance Screens (585)
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 538
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 539
    most used protocols or service ports • The LAN, DMZ or WLAN IP addresses to and/or from which the most traffic has been sent • How much traffic has been sent to and from the LAN, DMZ or WLAN IP addresses to and/or from which the most traffic has been sent.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 540
    syslog server already configured in the Log Settings screen. Apply Click Apply to save your changes to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. Interface Select on which interface (LAN, DMZ or WLAN) the logs will be collected. The logs on the DMZ, LAN or WLAN IP
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 541
    Site Hits displays the web sites that have been visited the most often from the LAN and how many times they have been visited. Protocol/Port displays the protocols or service ports that have been used the most and the amount of traffic for the most used protocols or service ports. Host IP Address
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 542
    first. The ZyWALL counts each page viewed in a web site as another hit on the web site. Hits This column lists how many times each web site has been visited. The count starts over at 0 if a web site passes the hit count limit (see Table 165 on page 545). 31.2.2 Viewing Host IP Address In the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 543
    Protocol/Port In the Reports screen, select Protocol/Port from the Report Type drop-down list box to have the ZyWALL record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 544
    port. The measurement unit shown (bytes, Kbytes, Mbytes or Gbytes) varies with the amount of traffic for the particular protocol or service port. The count starts over at 0 if a protocol or port passes the bytes count limit (see Table 165 on page 545).
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 545
    per protocol/port or LAN IP address. The count starts over at 0 if it passes 2^64 bytes. 31.3 The IDP Screen Click REPORTS > IDP to display the IDP screen. This screen displays IDP (Intrusion Detection and Prevention) statistics. Figure 326 REPORTS > IDP
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 546
    the destination IP address at which intrusion attempts were targeted. Occurrences This field displays how many times the ZyWALL has detected the event described in the entry. Total This field displays the sum of the occurrences of the events in the entries. Refresh Click Refresh to update the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 547
    31.4 The Anti-Virus Screen Click REPORTS > Anti-Virus to display the Anti-Virus screen. This screen displays antivirus statistics. Figure 329 REPORTS > Anti-Virus
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 548
    by Destination. It shows the destination IP address of virus-infected files that the ZyWALL has detected. Occurrences This field displays how many times the ZyWALL has detected the event described in follows when you display the top entries by destination.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 549
    time displays) if you restart the ZyWALL or click the Flush button. Total Mail Scanned This field displays the number of e-mails that the ZyWALL has checked. Spam Mail Detected This field displays the number of e-mails that the ZyWALL has classified as spam.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 550
    . It shows the source IP address of spam e-mails that the ZyWALL has detected. Occurrences This column displays when you display the entries by Sender Mail Address or Source. This field displays how many times the ZyWALL received spam from the entry's e-mail address. Total This field displays
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 551
    when you display the score distribution. Figure 334 REPORTS > Anti-Spam > Score Distribution 31.6 The E-mail Report Screen You can configure the ZyWALL to email a report including the information on network traffic, IDP, anti-virus and anti-spam statistics provided in the report screens. Click
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 552
    is disabled, you will not receive the report files. User Name Enter the user name (up to 63 characters) (usually the user name of a mail account you specified in the Mail Sender field). Password Enter the password associated with the user name above.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 553
    , Hourly, Daily and Weekly. If you select Daily or Weekly, specify a time of day for the ZyWALL to generate and send diagnostic e-mails. If you select Weekly, then also specify to save your changes. Reset Click Reset to begin configuring this screen afresh.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 554
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 555
    older entries as it adds new ones. You can configure the ZyWALL to email you the log when it is full in the Log Settings screen. Click a column heading to sort the entries by the relevant attribute. A triangle indicates ascending or descending sort order.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 556
    This field displays the log number. Time This field displays the time the log was recorded. See Section 33.4 on page 587 to configure the ZyWALL's time and date. Message This field states the reason for the log. Source This field lists the source IP address and the port number of the incoming
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 557
    VeriSign. If you upgraded to ZyNOS V4.00 firmware without uploading the V4.00 default configuration file, you can download a CA certificate signed by VeriSign from myZyXEL.com and import it into the ZyWALL as a trusted CA. This will stop the ZyWALL from generating this log every time it attempts to
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 558
    : Certificate Download 32.3 The Log Settings Screen To change your ZyWALL's log settings, click LOGS > Log Settings. The screen appears as shown. Use the Log Settings screen to configure to where the ZyWALL is to send logs; the schedule for when the ZyWALL is to send the logs and which logs and/or
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 559
    172 LOGS > Log Settings LABEL DESCRIPTION E-mail Settings Mail Server Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 560
    the categories of logs that you want to record. Logs include alerts. Send Immediate Alert Select the categories of alerts for which you want the ZyWALL to instantly email alerts to the e-mail address specified in the Send Alerts To field. Log Consolidation
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 561
    DHCP, PPPoE, PPTP or dial-up server. DHCP client IP expired A DHCP client's IP address has expired. DHCP server assigns %s The DHCP server assigned an IP address to a client. Successful SMT login Someone has logged on to the router's SMT interface. SMT login failed Someone has failed to log
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 562
    has failed to log on to the router's web configurator interface using HTTPS protocol. DNS server %s was not responding to last 32 consecutive queries... The specified DNS server did not respond to the last 32 consecutive queries. DDNS update IP:%s (host %d) The device updated the IP address of
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 563
    Dial backup started working. Dial backup stopped working. The LAN subnet, LAN alias 1, or LAN alias 2 was changed and the specified static DHCP IP addresses are no longer valid. The static DHCP IP address conflicts with another host. The device failed to send an e-mail (error message included). The
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 564
    already exists. : %d, peer port : %d already exists. was bind to [legalIP] but he uses [srcIP]. The device's IP address is different from the IP address assigned to this device. This log also records if the IP address assigned to this device is used by another device. DHCP Server dynamic
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 565
    TCP RST The router sends a TCP RST packet and generates this log if you turn on the firewall TCP reset mechanism (via CI command: "sys firewall tcprst"). Table 177 Packet Filter Logs LOG MESSAGE [ TCP | UDP | ICMP | IGMP | Generic ] packet filter matched (set: %d, rule: %d) DESCRIPTION Attempted
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 566
    need to reconfigure budget control settings. The inserted 3G card is different from the previous one configured for budget control. You may need to reconfigure budget control settings specific to the current user account. Budget counters are reset, The ZyWALL restarted budget calculation from
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 567
    is damaged. The 3G connection has been dropped due to the specific reason, such as idle timeout, manual disconnection, failure to get an IP address, switching to WAN 1, ping check failure, connection reset, and so on. The ZyWALL updated the 3G network signal strength indication. This shows that the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 568
    the time schedule or you didn't select the "Block Matched Web Site" check box, the system forwards the web content. Waiting content filter server timeout The external content filtering server did not respond within the timeout period. DNS resolving failed The ZyWALL cannot get the IP address
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 569
    . The IP address in an FTP port command is different from the client IP address. It may be a bounce attack. Fragment packet size is smaller than the MTU size of output interface. The fragment packet size is smaller than the MTU size of output interface.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 570
    use of DNS service was blocked according to remote management settings. Table 186 Wireless Logs LOG MESSAGE DESCRIPTION WLAN MAC Filter Fail The MAC filter blocked a wireless station from connecting to the device. WLAN MAC Filter Success The MAC filter allowed a wireless station to connect
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 571
    no inbound traffic for a certain time period. You can use the "ipsec timer chk_conn" CI command to set the time period. The default value is 2 minutes. The router dropped all connections with the "MyIP" configured as "0.0.0.0" when the WAN IP address changed. Please check the algorithm configuration
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 572
    being configured for DES causes the connection to fail. Local / remote IPs of incoming request conflict with rule The security gateway is set to "0.0.0.0" and the router used the peer's "Local Address" as the router's "Remote Address". This information conflicted with static rule #d; thus the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 573
    input idle time out, disconnect The tunnel for the listed rule was dropped because there was no inbound traffic within the idle timeout period. XAUTH succeed! Remote user: The ZyWALL, acting as authentication server, was able to authenticate the username given in this log. XAUTH fail
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 574
    SCEP online certificate enrollment failed because the certification authority server's address cannot be resolved. The CMP online certificate enrollment was successful. The Destination field records the certification authority server's IP address and port.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 575
    > name as recorded, from the LDAP server whose IP address and port are recorded in the Source field. Rcvd user cert: The router received a user certificate, with subject name as recorded, from the LDAP server whose IP address and port are recorded in the Source field. Rcvd CRL
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 576
    the RADIUS Server. The local user database only supports the EAP-MD5 method. A user tried to use another authentication method and was not authenticated. The router logged out a user whose session expired. The router logged out a user who ended the session.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 577
    from user. The router logged out a user from which there was no authentication response. User logout because of idle timeout expired. The router logged out a user whose idle timeout period expired. User logout because of user request. A user logged out. Local User Database does not support
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 578
    Net unreachable 1 Host unreachable 2 Protocol unreachable 3 Port unreachable 4 A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF) 5 Source route failed 4 Source Quench 0 A gateway may discard internet datagrams if it does not have the buffer space
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 579
    ID:10001,Window Ping. The device does not have a signature file loaded. The device failed to update the signature file through the Internet. %s describes the reason for the error. You may need to provide the error message when contacting customer support if you are repeatedly unable to download the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 580
    signature file loaded. Failed in signature update - %s! The device failed to update the signature file through the Internet. %s describes the reason for the error. You may need to provide the error message when contacting customer support if you are repeatedly unable to download the signature file
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 581
    is the source and subject of an e-mail for which the anti-spam external database query failed. The device received a response with an unknown format from the anti-spam external database server. The following log identifies the e-mail that was being checked.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 582
    Logs (continued) LOG MESSAGE DESCRIPTION Mail From:Email address Subject:Mail Subject! This is the source and subject of an e-mail for which the anti-spam external database query failed. Remove rating server [%Rating Server IP Address%] from server list! The listed server IP address address
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 583
    the web MAIN MENU, LOGS, Log Settings page. The severity is the log's syslog class. The definition of messages and notes are defined in the other log tables. The "devID" is the MAC address of the router's LAN port. The "cat" is the same as the category in the router's logs. Traffic Log:
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 584
    as the system name if you haven't configured one) at the time when this syslog is generated. The facility is defined in the web MAIN MENU, LOGS, Log Settings page. The severity is the log's syslog class. 1stReIP is the IP address of the first mail relay server. The definition of messages and notes
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 585
    configure the ZyWALL as a router or a bridge. • Use the F/W Upload screen (Section 33.8 on page 595) to upgrade the ZyWALL's firmware. • Use the Backup and Restore screen (Section 33.9 on page 597) to backup and restore the ZyWALL configuration file and to reset the device to factory settings. • Use
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 586
    have to log in with your password again. Very long idle timeouts may have security risks. A value of "0" means a management session never times out, no matter how long it has been left idle (not recommended). Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 587
    changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 33.4 The Time and Date Screen The ZyWALL's Real Time Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 588
    the labels in this screen. Table 200 MAINTENANCE > Time and Date LABEL DESCRIPTION Current Time and Date Current Time This field displays the ZyWALL's present time. Current Date This field displays the ZyWALL's present date. Time and Date Setup 588 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 589
    configured manually. When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply. Get from Time Server Select this radio button to have the ZyWALL get the time and date from the time server you specified below. Time Protocol Select the time service protocol
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 590
    Return button to go back to the Time and Date screen after the time and date is updated successfully. Figure 344 Synchronization is Successful If the update was not successful, the following screen appears. Click Return to go back to the Time and Date screen.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 591
    address of an incoming frame with its internal table: • If the table contains an association between the destination address and any of the bridge's ports aside from the one on which the frame was received, the frame is forwarded out the associated port. ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 592
    can also serve as a DHCP server to assign IP addresses to your local computers. The LAN, WAN, DMZ and WLAN interfaces all have different IP addresses. The ZyWALL also provides NAT, port forwarding, policy routing, and DNS in router mode. These features allow you to set up private network. See Table
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 593
    a bridge. Device Mode Setup Router When the ZyWALL is in router mode, there is no need to select or clear this radio button. IP Address Click LAN, WAN, DMZ or WLAN to go to the LAN, WAN, DMZ or WLAN screen where you can view and/or change the corresponding settings. Bridge Select this radio
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 594
    Apply to set the ZyWALL to router mode. LAN Interface IP Address Enter the IP address of your ZyWALL's LAN port in dotted decimal notation. 192.168.1.1 is the factory default. LAN Interface Subnet Mask Enter the IP subnet mask of the ZyWALL's LAN port. DHCP DHCP (Dynamic Host Configuration
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 595
    Apply, please wait for one minute and use the IP address you configured in the LAN Interface IP Address field to access the ZyWALL again. Reset Click Reset to begin configuring this screen afresh. 33.8 The F/W Upload Screen Find firmware at www.zyxel.com in a file that (usually) uses the system
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 596
    Disconnected After two minutes, log in again and check your new firmware version in the HOME screen. If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen. Figure 351 Firmware Upload Error 596 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 597
    & Restore. Information related to factory defaults, backup configuration, and restoring configuration return to your previous settings. Click Backup to save the ZyWALL's current configuration to your ZyWALL while configuration file upload is in progress. ZyWALL 5/35/70 Series User's Guide 597
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 598
    details on how to set up your computer's IP address. If the upload was not successful, the following screen will appear. Click Return to go back to the Configuration screen. Figure 355 Configuration Upload Error Back to Factory Defaults Click the Reset button to clear all user-entered configuration
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 599
    can also press the hardware RESET button to reset the factory defaults of your ZyWALL. Refer to Section 3.3 on page 63 for more information on the RESET button. 33.10 The Restart Screen System restart allows you to reboot the ZyWALL without turning the power off. Click MAINTENANCE > Restart. Click
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 600
    diagnostic file, change your console port speed to 115200 bps (on both the ZyWALL and your terminal emulation program) and enlarge the console text buffer. E-mail Settings Mail Server Enter the server name or the IP address of the mail server for the e-mail address specified in the Mail Sender
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 601
    field). Password Enter the password associated with the user name above. Perform Diagnostics Now Click this button to generate and send a diagnostic e-mail immediately, instead of based on a time period or CPU usage level. Schedule Periodic Diagnostics Use these fields to set the ZyWALL to
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 602
    Chapter 33 Maintenance Screens 602 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 603
    WAN and Dial Backup Setup (619) LAN Setup (633) Internet Access (639) DMZ Setup (645) Route Setup (649) Wireless Setup (653) Remote Node Setup (659) IP Static Route Setup (669) Network Address Translation (NAT) (673) Introducing the ZyWALL Firewall (693) Filter Configuration (695) SNMP Configuration
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 604
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 605
    access the SMT (System Management Terminal) menus via console port, how to navigate the SMT and how to configure SMT menus. 34.2 Accessing the SMT via the Console Port Make sure you have the physical connection properly set up as described in the Quick Start Guide. When configuring using the console
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 606
    ch =4, ethernet address: 00:00:00:00:00:00 AUX port init . done Modem init . inactive Press ENTER to continue... 34.2.2 Entering the Password The login screen appears after you press [ENTER], prompting you to enter the password, as shown below. For your first login, enter the default password "1234
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 607
    Node Setup 12. Static Routing Setup 15. NAT Setup Advanced Management 21. Filter and Firewall Setup 22. SNMP Configuration 23. System Password 24. System Maintenance 25. IP Routing Policy Setup 26. Schedule Setup 99. Exit Enter Menu Selection Number: ZyWALL 5/35/70 Series User's Guide 607
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 608
    (Internet address, gateway, login, etc.) with this menu. 5 DMZ Setup Use this menu to apply DMZ filters, and configure DHCP and TCP/IP settings for the DMZ port. 6 Route Setup Use this menu to configure your WAN route assessment, traffic redirect properties and failover parameters. 7 Wireless
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 609
    Setup 3 LAN Setup 3.1 LAN Port Filter Setup 3.2 TCP/IP and DHCP Ethernet Setup 4 Internet Access Setup 5 DMZ Setup 5.1 DMZ Port Filter Setup 5.2 TCP/IP and DHCP Ethernet Setup 6 Route Setup 6.1 Route Assessment 6.2 Traffic Redirect 6.3 Route Failover 7 Wireless Setup 7.1 Wireless Setup
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 610
    24.10 Time and Date Setting 24.11 Remote Management Setup 25.1 IP Routing Policy Setup 26.1 Schedule Set Setup 21.1.x Filter Rules Summary 21.1.x.x Generic Filter Rule 21.1.x.x TCP/IP Filter Rule 24.2.1 System Information 24.2.2 Console Port Speed 24.3.1 View Error Log 24.3.2 Syslog Logging 24
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 611
    ]. 4 Re-type your new system password for confirmation and press [ENTER]. Note that as you type a password, the screen displays an "x" for each character you type. 34.5 Resetting the ZyWALL See Section 3.3 on page 63 for directions on resetting the ZyWALL. ZyWALL 5/35/70 Series User's Guide 611
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 612
    Chapter 34 Introducing the SMT 612 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 613
    this menu. Table 210 Menu 1: General Setup (Router Mode) FIELD DESCRIPTION System Name Choose a router. The domain name entered by you is given priority over the ISP assigned domain name. If you want to clear this field just press [SPACE BAR] and then [ENTER]. ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 614
    the subnet mask of your ZyWALL. Gateway Enter the gateway IP address. First System DNS Server Second System DNS Server Third System DNS Server Enter the DNS server's IP address(es) in the IP Address field(s) if you have the IP address(es) of the DNS server(s). 614 ZyWALL 5/35/70 Series User
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 615
    Dynamic DNS, set the ZyWALL to router mode in menu 1 or in the MAINTENANCE Device Mode screen and go to Menu 1 - General Setup and press [SPACE Service Provider= WWW.DynDNS.COM Active= No Username= Password= ******** Edit Host= No Press ENTER to Confirm or ESC to Cancel: Follow the instructions
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 616
    1 - General Setup Figure 367 Menu 1.1.1: DDNS Host Summary Menu 1.1.1 DDNS Host Summary # Summary 01 Hostname=ZyWALL, Type=Dynamic, "Press ENTER to Confirm..." to save your configuration, or press [ESC] at any time to cancel. 5 Select Edit in the Select Command field; type the index number
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 617
    have a connection, the ZyWALL will attempt to use the IP address of another WAN to update the domain name. When the WANs are in the active/passive operating mode, the ZyWALL will update the domain name with the IP address of whichever WAN has a connection, regardless of the setting in the Bind WAN
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 618
    field. When you have completed this menu, press [ENTER] at the prompt "Press ENTER to Confirm..." to save your configuration, or press [ESC] at any time to cancel. The IP address updates when you reconfigure menu 1 or perform DHCP client renewal. 618 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 619
    MAC Address: Assigned By= Factory default IP Address= N/A WAN 2 MAC Address: Assigned By= Factory default IP Address= N/A Dial-Backup: Active= No Port Speed= 115200 AT Command String: Init= at&fs0=0 Edit Advanced Setup= No Press ENTER to Confirm or ESC to Cancel: ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 620
    . Table 215 MAC Address Cloning in WAN Setup FIELD DESCRIPTION (WAN 1/2) MAC Address Assigned By Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC Address. Choose Factory Default to select the factory assigned default MAC Address. Choose IP address attached on LAN
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 621
    menu, press [ENTER] at the prompt "Press ENTER to Confirm..." to save your configuration, or press [ESC] at any time to cancel. 36.3.2 Advanced WAN Setup Consult the manual of your WAN device connected to your Dial Backup port for specific AT commands.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 622
    WAN Port Setup: AT ZyWALL capture the CLID in the AT response string that comes from the WAN device. CLID is required for CLID authentication. Called Id Enter the keyword preceding the dialed number. Speed Enter the keyword preceding the connection speed. 622 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 623
    = CHAP/PAP Pri Phone #= 0 Sec Phone #= Edit IP= No Edit Script Options= No Telco Option: Allocated Budget(min)= 0 Period(hr)= 0 Schedules= Always On= No Session Options: Edit Filter Sets= No Idle Timeout(sec)= 100 Press ENTER to Confirm or ESC to Cancel: ZyWALL 5/35/70 Series User's Guide 623
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 624
    Edit Filter sets This field leads to another "hidden" menu. Use [SPACE BAR] to select Yes and press [ENTER] to open menu 11.3.4 to edit the filter sets. See Section 36.3.6 on page 628 for more details. Idle Timeout Enter the number of seconds of idle time (when there is no traffic from the ZyWALL
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 625
    set to 0.0.0.0 to have the ISP or other remote router dynamically (automatically) assign your WAN IP address if you do not know it. Enter your WAN IP address here if you know it (static). This is the address assigned to your local ZyWALL, not the remote router. ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 626
    another network (for example a public IP address used on the Internet). Press [SPACE BAR] and then [ENTER] to select either Full Feature, None or SUA Only. Choose None to disable NAT. Choose SUA Only if you have a single public IP address. SUA (Single User Account) is a subset of NAT that supports
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 627
    . If there are errors in the script and it gets stuck at a set for longer than the "Dial Timeout" in menu 2 (default 60 seconds), the ZyWALL will timeout and drop the line. To debug a script, go to Menu 24.4 to initiate a manual call and watch the trace display to see if the sequence of
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 628
    transfer of voice and non-voice data and provides broadband Internet access to mobile devices. See Section 9.4 on page 192 for more information. To set up a 3G connection, you need to configure 1 Menu 2 - WAN Setup, 2 Menu 11.2 - Remote Node Profile (3G WAN) 628 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 629
    2 on the ZyWALL that supports a 3G card. It is not necessary to configure menu 2 with a Sierra Wireless AC595 3G card. Figure 376 3G Modem Setup in WAN Setup (ZyWALL 5) Menu 2 - WAN Setup WAN 1 MAC Address: Assigned By= Factory default IP Address= N/A Dial-Backup: Active= No Port Speed= 115200
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 630
    , the 3G card may be blocked by your ISP and you cannot use the account to access the Internet. If your Login Enter the login name assigned by your ISP for this remote node. My Password Enter the password assigned by your ISP for this remote node. 630 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 631
    Edit Filter sets This field leads to another "hidden" menu. Use [SPACE BAR] to select Yes and press [ENTER] to open menu 11.3.4 to edit the filter sets. See Section 36.3.6 on page 628 for more details. Idle Timeout Enter the number of seconds of idle time (when there is no traffic from the ZyWALL
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 632
    Chapter 36 WAN and Dial Backup Setup 632 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 633
    Port Filter Setup This menu allows you to specify the filter sets that you wish to apply to the LAN traffic. You seldom need to filter the LAN traffic, however, the filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 634
    Chapter 37 LAN Setup Figure 379 Menu 3.1: LAN Port Filter Setup Menu 3.1 - LAN Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: 37.4 TCP/IP and DHCP Ethernet Setup Menu From the main
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 635
    DHCP server here. Use the instructions in the following table to configure TCP/IP parameters for the LAN port. LAN and DMZ IP addresses must be on separate subnets. Table 225 Menu 3.2: LAN TCP/IP Setup Fields FIELD DESCRIPTION TCP/IP Setup: IP Address Enter the IP address of your ZyWALL
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 636
    None Version= RIP-1 Incoming protocol filters= Outgoing protocol filters= IP Alias 2= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A Incoming protocol filters= N/A Outgoing protocol filters= N/A Enter here to CONFIRM or ESC to CANCEL: 636 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 637
    Use the instructions in the following table to configure IP alias parameters. Table 226 Menu 3.2.1: IP Alias Setup FIELD DESCRIPTION IP Alias 1, 2 Choose Yes to configure the LAN network for the ZyWALL. IP Address Enter the IP address of your ZyWALL in dotted decimal notation. IP Subnet Mask
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 638
    Chapter 37 LAN Setup 638 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 639
    access. 38.1 Introduction to Internet Access Setup Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet. There are three different menu 4 screens depending on whether you chose Ethernet, PPTP or PPPoE Encapsulation. Contact your
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 640
    Menu 4 - Internet Access Setup ISP's Name= WAN_1 Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A Relogin Every (min)= N/A IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A Network Address
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 641
    for a PPTP connection. After configuring My Login and Password for PPP connection, press [SPACE BAR] and then [ENTER] in the Encapsulation field in Menu 4 -Internet Access Setup to choose PPTP as your encapsulation option. This brings up the following screen. ZyWALL 5/35/70 Series User's Guide 641
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 642
    Internet Access Setup (PPTP) Menu 4 - Internet Access Setup ISP's Name= WAN_1 Encapsulation= PPTP Service Type= N/A My Login= My Password= ******** Retype to Confirm= ******** Idle Timeout= 100 IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A Network Address
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 643
    385 Internet Access Setup (PPPoE) Menu 4 - Internet Access Setup ISP's Name= WAN_1 Encapsulation= PPPoE Service Type= N/A My Login= My Password= ******** Retype to Confirm= ******** Idle Timeout= 100 IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A Network
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 644
    Chapter 38 Internet Access 644 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 645
    to your public server(s) traffic. Figure 387 Menu 5.1: DMZ Port Filter Setup Menu 5.1 - DMZ Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: ZyWALL 5/35/70 Series User's Guide 645
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 646
    or ESC to Cancel: The DHCP and TCP/IP setup fields are the same as the ones in Menu 3.2 - TCP/IP and DHCP Ethernet Setup. Each public server will need a unique IP address. Refer to Section 37.4 on page 634 for information on how to configure these fields. 646 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 647
    2= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A Incoming protocol filters= N/A Outgoing protocol filters= N/A Enter here to CONFIRM or ESC to CANCEL: Refer to Table 226 on page 637 for instructions on configuring IP alias parameters. ZyWALL 5/35/70 Series User's Guide 647
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 648
    Chapter 39 DMZ Setup 648 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 649
    Point= Yes Check Point= N/A Probing WAN 2 Check Point= Yes Use Default Gateway as Check Point= Yes Check Point= N/A Probing Traffic Redirection Check Point= No Use Default Gateway as Check Point= N/A Check Point= N/A Press ENTER to Confirm or ESC to Cancel: ZyWALL 5/35/70 Series User's Guide 649
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 650
    setup. The default is No. Backup Gateway IP Address Enter the IP address of your backup gateway in dotted decimal notation. The ZyWALL automatically forwards traffic to this IP address if the ZyWALL's Internet connection terminates. Metric This field sets this route's priority among the routes
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 651
    ZyWALL may attempt and fail to connect to the Internet before traffic is forwarded to the backup gateway. When you have completed this menu, press [ENTER] at the prompt "Press ENTER to Confirm..." to save your configuration, or press [ESC] at any time to cancel. ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 652
    Chapter 40 Route Setup 652 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 653
    Setup Enable Wireless LAN= No Bridge Channel= WLAN ESSID= ZyXEL Hide ESSID= No Channel ID= CH06 2437MHz RTS Threshold= 2432 Frag. Threshold= 2432 WEP= Disable Default Key= N/A Key1= N/A Key2= N/A Key3= N/A Key4= N/A Edit MAC Address Filter= No Press ENTER to Confirm or ESC to Cancel: ZyWALL
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 654
    Chapter 41 Wireless Setup The settings of all client stations on the wireless LAN must match those of the ZyWALL. Follow the instructions in the next table on how to configure the wireless LAN parameters. Table 233 Menu 7.1: Wireless Setup FIELD DESCRIPTION Enable Wireless LAN Press [SPACE
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 655
    [ESC] at any time to cancel. 41.1.1 MAC Address Filter Setup Your ZyWALL checks the MAC address of the wireless station device against a list of allowed or denied MAC addresses. However, intruders could fake allowed MAC addresses so MAC-based authentication is less secure than EAP authentication
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 656
    allowed to access the router. The default action, Allowed Association, permits association with the ZyWALL. MAC addresses not listed will be denied access to the router. MAC Address Filter Address 1..12 Enter the MAC addresses (in XX:XX:XX:XX:XX:XX format) of the client computers that are allowed
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 657
    Chapter 41 Wireless Setup Figure 398 Menu 7.2: TCP/IP and DHCP Ethernet Setup Menu 7.2 - TCP/IP and DHCP Ethernet Setup DHCP= None Client IP Pool: Starting Address= N/A Size of Client IP Pool= N/A TCP/IP Setup: IP Address= 0.0.0.0 IP Subnet Mask= 0.0.0.0 RIP Direction= None Version= N/A Multicast
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 658
    IP Subnet Mask= N/A RIP Direction= N/A Version= N/A IP Alias 2= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A Enter here to CONFIRM or ESC to CANCEL: Refer to Table 226 on page 637 for instructions on configuring IP alias parameters. 658 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 659
    Menu 11.3 Remote Node Profile (Backup ISP) and configure the setup for your Dial Backup port connection. Figure 400 Menu 11: Remote Node Setup Menu 11 - Remote Node Setup 1. WAN_1 (ISP, SUA) 2. WAN_2 (ISP, NAT) 3. -Dial (BACKUP_ISP, SUA) Enter Node # to Edit: ZyWALL 5/35/70 Series User's Guide 659
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 660
    Profile Rem Node Name= WAN 1 Active= Yes Route= IP Encapsulation= Ethernet Service Type= Standard Outgoing: My Login= N/A My Password= N/A Retype to Confirm= N/A Server= N/A Relogin Every (min)= N/A Edit IP= No Session Options: Schedules= Edit Filter Sets= No Press ENTER to Confirm or ESC to
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 661
    If it does not, then you must enter the authentication server IP address here. Relogin Every (min) This field is available when you select Telia Login in the Service Type field. The Telia server logs the ZyWALL out if the ZyWALL does not log in periodically. Type the number of minutes from 1 to 59
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 662
    Yes Route= IP Encapsulation= PPPoE Service Type= Standard Service Name= Outgoing: My Login= My Password= ******** Retype to Confirm= ******** Authen= CHAP/PAP Edit IP= No Telco Option: Allocated Budget(min)= 0 Period(hr)= 0 Schedules= Nailed-Up Connection= No Session Options: Edit Filter Sets= No
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 663
    - accept PAP only. Telco Option Allocated Budget The field sets a ceiling for outgoing call time for this remote node. The default for this field is 0 meaning no budget control. Period(hr) This field is the time period that the budget should be reset. For example, if we are allowed to call this
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 664
    Node Setup Figure 403 Menu 11.1: Remote Node Profile for PPTP Encapsulation Menu 11.1 - Remote Node Profile Rem Node Name= WAN 1 Active= Yes Route= IP Encapsulation= PPTP Service Type= Standard Outgoing: My Login= My Password= ******** Retype to Confirm= ******** Authen= CHAP/PAP PPTP: My IP
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 665
    in a local network) to a different IP address known within another network (for example a public IP address used on the Internet). Choose None to disable NAT. Choose SUA Only if you have a single public IP address. SUA (Single User Account) is a subset of NAT that supports two types of mapping: Many
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 666
    each filter field. Note that spaces are accepted in this field. For more information on defining the filters, please refer to Chapter 46 on page 695. For PPPoE or PPTP encapsulation, you have the additional option of specifying remote node call filter sets. 666 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 667
    or PPTP Encapsulation) Menu 11.1.4 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Call Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL: ZyWALL 5/35/70 Series User's Guide 667
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 668
    Chapter 42 Remote Node Setup 668 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 669
    a ZyWALL with multiple WAN interfaces. You cannot modify or delete a static default route. The default route is disabled after you change the static WAN IP address to a dynamic WAN IP address. The "-" before a route name indicates the static route is inactive.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 670
    49. ________ 50. ________ Now, enter the index number of the static route that you want to configure. Figure 408 Menu 12.1: Edit IP Static Route Menu 12.1 - Edit IP Static Route Route #: 3 Route Name= ? Active= No Destination IP Address= ? IP Subnet Mask= ? Gateway IP Address= ? Metric= 2 Private
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 671
    that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your ZyWALL; over the WAN, the gateway must be the IP address of one of the remote nodes. Metric Enter a number from 1 to 15 to set this route's priority among the ZyWALL's routes (see
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 672
    Chapter 43 IP Static Route Setup 672 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 673
    public WAN IP addresses for your ZyWALL. 44.1.2 Applying NAT You apply NAT via menu 4 or 11.1.2 as displayed next. The next figure shows you how to apply NAT for Internet access in menu 4. Enter 4 from the main menu to go to Menu 4 Internet Access Setup. ZyWALL 5/35/70 Series User's Guide 673
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 674
    Internet Access Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A Relogin Every (min)= N/A IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 675
    and trigger port rules for the first WAN interface and separate sets of rules for the second WAN interface. Figure 411 Menu 15: NAT Setup Menu 15 - NAT Setup 1. Address Mapping Sets 2. Port Forwarding Setup 3. Trigger Port Setup Enter Menu Selection Number: ZyWALL 5/35/70 Series User's Guide 675
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 676
    NAT menus 15.1 and 15.2. DMZ, WLAN and LAN IP addresses must be on separate subnets. 44.2.1 Address Mapping Sets Enter 1 to bring up Menu 15.1 - Address Mapping Sets. Figure 412 Menu 15.1: Address Mapping Sets Menu 15.1 - Address Mapping Sets 1. NAT_SET 2. example 255. SUA (read only) Enter Menu
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 677
    in this screen. Note also that the [?] in the Set Name field means that this is a required field and you must enter a name for the set. The entire set will be deleted if you leave the Set Name field blank and press [ENTER] at the bottom of the screen.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 678
    15.1.1: First Set Menu 15.1.1 - Address Mapping Rules Set Name= NAT_SET Idx Local Start IP Local End IP Global Start IP Global End IP Type 1. set and now you configure rule number 9. In the set summary screen, the new rule will be rule 7, not 9. 678 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 679
    rule brings up the following menu, Menu 15.1.1.1 - Address Mapping Rule in which you can edit an individual rule and configure the Type, Local and Global Start/End IPs. An IP End address must be numerically greater than its corresponding IP Start address.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 680
    Server Mapping Set This field is available only when you select Server in the Type field. Once you have finished configuring a rule in this menu, press [ENTER] at the message "Press ENTER to Confirm..." to save your configuration, or press [ESC] to cancel. 680 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 681
    assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. Follow No 0 0 0.0.0.0 Select Command= None Select Rule= N/A Press ENTER to Confirm or ESC to Cancel: ZyWALL 5/35/70 Series User's Guide 681
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 682
    [ESC] at any time to cancel. 5 Enter a port number in the Start Port field. To forward only one port, enter it again in the End Port field. To specify a range of ports, enter the last port to be forwarded in the End Port field. 6 Enter the inside IP address of the server in the IP Address field. In
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 683
    (NAT) Figure 419 Menu 15.2.1: NAT Server Setup Menu 15.2.1 - NAT Server Setup Default Server: 0.0.0.0 Rule Act. Start Port End Port IP Address 001 No 0 0 0.0.0.0 002 Yes 21 25 192.168.1.33 003 No 0 0 0.0.0.0 004 No 0 0 0.0.0.0 005 No 0 0 0.0.0.0 006 No 0 0 0.0.0.0 007
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 684
    4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A Relogin Every (min)= N/A IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A Network Address
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 685
    pre-configured SUA Only set) and also go to menu 15.2.1 to specify the Default Server behind the NAT as shown in the next figure. Figure 424 Menu 15.2.1: Specifying an Inside Server Menu 15.2.1 - NAT Server Setup Default Server: 192.168.1.10 Rule Act. Start Port End Port IP Address 001 No
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 686
    the IP address of FTP Server 1), the global Start IP as 10.132.50.1 (our first IGA). (See Figure 427 on page 687). 6 Repeat the previous step for rules 2 to 4 as outlined above. 7 When finished, menu 15.1.1 should look as shown in Figure 428 on page 688.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 687
    configure the first rule. Figure 427 Example 3: Menu 15.1.1.1 Menu 15.1.1.1 Address Mapping Rule Type= One-to-One Local IP: Start= 192.168.1.10 End = N/A Global IP: Start= 10.132.50.1 End = N/A Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel:
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 688
    15.2. 3 (Enter 1 or 2 from menu 15.2 on a ZyWALL with multiple WAN ports) configure the menu as shown in Figure 429 on page 688. Figure 429 Example 3: Menu 15.2.1 Menu 15.2.1 - NAT Server Setup Default Server: 0.0.0.0 Rule Act. Start Port End Port IP Address 001 Yes 80 80 192.168.1.21 002
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 689
    -One-to-One Local IP: Start= 192.168.1.10 End = 192.168.1.12 Global IP: Start= 10.132.50.1 End = 10.132.50.3 Press ENTER to Confirm or ESC to Cancel: After you've configured your rule, you should be able to check the settings in menu 15.1.1 as shown next.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 690
    the server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in from the server on the WAN) to the IP address of a computer on the client side (LAN). The problem is that port forwarding only forwards a service to a single LAN IP address. In order to use
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 691
    port is a port (or a range of ports) that causes (or triggers) the ZyWALL to record the IP address of the LAN computer that sent the traffic to a server on the WAN. Start Port Enter a port number or the starting port number in a range of port numbers.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 692
    Trigger Port Setup (continued) FIELD DESCRIPTION End Port Enter a port number or the ending port number in a range of port numbers. Press [ENTER] at the message "Press ENTER to Confirm..." to save your configuration, or press [ESC] at any time to cancel.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 693
    with the ZyWALL firewall. 45.1 Using ZyWALL SMT Menus From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next. Figure 434 Menu 21: Filter and Firewall Setup Menu 21 - Filter and Firewall Setup 1. Filter Setup 2. Firewall Setup Enter Menu
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 694
    the ZyWALL Firewall Figure 435 Menu 21.2: Firewall Setup Menu 21.2 - Firewall Setup The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off. Refer to the User's Guide for details about the firewall default
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 695
    in the following figure. Figure 436 Outgoing Packet Filtering Process For incoming packets, your ZyWALL applies data filters only. Packets are processed depending upon whether a match is found. The following sections describe how to configure filter sets.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 696
    rules and protocol filter rules within the same set. You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port. Sets of factory default filter rules have been
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 697
    437 Filter Rule Process Chapter 46 Filter Configuration You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 698
    Filter Set The ZyWALL includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below. 1 Enter 21 in the main menu to open menu 21. Figure 438 Menu 21: Filter and Firewall Setup Menu 21 - Filter and Firewall Setup 1. Filter Setup 2. Firewall
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 699
    you create. When applying the filter sets to a port, separate menu fields are provided for protocol and device filter sets. If you include a protocol filter set in a device filter field or vice versa, the ZyWALL will warn you and will not allow you to save.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 700
    . This field is ignored if it is 0.0.0.0. IP Mask Enter the IP mask to apply to the Destination: IP Addr. Port # Enter the destination port of the packets that you wish to filter. The range of this field is 0 to 65535. This field is ignored if it is 0.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 701
    ] at the message "Press ENTER to Confirm" to save your configuration, or press [ESC] to cancel. This data will now be displayed on Menu 21.1.1 - Filter Rules Summary. The following figure illustrates the logic flow of an IP filter.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 702
    Executing an IP Filter 46.2.3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 703
    is the filter set, filter rule co-ordinates, i.e., 2,3 refers to the second filter set and the third rule of that set. Filter Type Use [SPACE BAR] and then [ENTER] to select a rule type. Parameters displayed below each type will be different. TCP/IP filter rules are used to filter IP packets while
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 704
    an example to block outside users from accessing the ZyWALL via telnet. Figure 443 Telnet Filter Example 1 Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup. 2 Enter 1 to open Menu 21.1 - Filter Set Configuration. 3 Enter the index of the filter set you wish to configure (say
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 705
    /IP Filter Rule Filter #: 3,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 6 IP Source Route= No Destination: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 23 Port # Comp= Equal Source: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 0 Port # Comp= None TCP Estab= No More= No Log
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 706
    according to the filter rules you designed. • Packet filtering is a powerful tool, yet can be complex to configure and maintain, especially if you need a chain of rules to filter a service. • Packet filtering only checks the header portion of an IP packet.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 707
    the traffic from B to A. Filters cannot distinguish traffic originating from an inside host or an outside host by IP address. 4 To block/allow IP trace route. 46.5.2 Firewall • The firewall inspects packet contents as well as their source and destination addresses. Firewalls of this type employ an
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 708
    incoming telnet, FTP and HTTP connections. Figure 448 Filtering DMZ Traffic Menu 5.1 - DMZ Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel:
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 709
    , FTP and HTTP connections. Figure 449 Filtering Remote Node Traffic Menu 11.1.4 - Remote Node Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel:
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 710
    Chapter 46 Filter Configuration
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 711
    to SNMP messages from this address. A blank (default) field means your ZyWALL will respond to all SNMP messages it receives, regardless of source. Trap Community Type the Trap community, which is the password sent with each trap to the SNMP manager.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 712
    (power on). 1 warmStart (defined in RFC-1215) A trap is sent after booting (software reboot). 4 authenticationFailure (defined in RFC-1215) A trap is sent to the manager when receiving any SNMP get or set requirements with the wrong community (password). 6 whyReboot (defined in ZYXEL
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 713
    1. System Status 2. System Information and Console Port Speed 3. Log and Trace 4. Diagnostic 5. Backup Configuration 6. Restore Configuration 7. Upload Firmware 8. Command Interpreter Mode 9. Call Control 10. Time and Date Setting 11. Remote Management Setup Enter Menu Selection Number: 48.2 System
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 714
    00:00:AA:77:89:27 IP Address 172.23.37.207 0.0.0.0 192.168.1.1 0.0.0.0 0.0.0.0 IP Mask 255.255.0.0 0.0.0.0 255.255.255.0 0.0.0.0 0.0.0.0 DHCP None Client Server None None System up Time: 0:52:46 Press Command: COMMANDS: 1, 2-Drop WAN1,2 9-Reset Counters ESC-Exit The following table describes
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 715
    IP address of the port listed on the left. IP Mask This is the IP mask of the port listed on the left. DHCP This is the DHCP setting of the port listed on the left. System up Time This is the total time the ZyWALL has been on. CARD bridged to This field shows whether the wireless card is set
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 716
    the IP mask of the ZyWALL. DHCP This field shows the DHCP setting of the ZyWALL. When finished viewing, press [ESC] or [ENTER] to exit. 48.3.2 Console Port Speed You can change the speed of the console port through Menu 24.2.2 - Console Port Speed. Your ZyWALL supports 9600 (default), 19200
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 717
    24.3: System Maintenance: Log and Trace Menu 24.3 - System Maintenance - Log and Trace 1. View Error Log 2. UNIX Syslog 4. Call-Triggering Packet Please enter selection Examples of typical error and information messages are presented in the following figure.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 718
    more details. When finished configuring this screen, press [ENTER] to confirm or [ESC] to cancel. Your ZyWALL sends five types of syslog messages. Some examples (not all ZyWALL specific) of these syslog messages with their message formats are shown next:
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 719
    dev:device No. ch:channel No.) L02 Tunnel Connected(L2TP) C02 OutCall Connected xxxx (means .....x Protocol: (1:IP 2:IPX 3:IPXHC ZyXEL: Packet Trigger: Protocol=1, Data=45000028240140001f06ac12c0a86614ca849a7b0427001700195b451d143013500400007 7600000 3 Filter log
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 720
    xxxx] S04>R01mD IP[...] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m) drop (D). Src: Source Address Dst: Destination Address prot: Protocol ("TCP","UDP","ICMP") spo: Source port dpo: Destination port Mar 03 10:39:43 202.132.155.97 ZyXEL: GEN[fffffffffffnordff0080
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 721
    Diagnosis 5 Firewall log Firewall Log Message Format SdcmdSyslogSend(SYSLOG_FIREWALL, SYSLOG_NOTICE, buf); buf = IP[Src=xx.xx.xx.xx : spo=xxxx Dst=xx.xx.xx.xx : dpo=xxxx | prot | rule | action] Src: Source Address spo: Source port (empty means no source port information) Dst: Destination Address dpo
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 722
    Service Total Length Identification Flags Fragment Offset Time to Live Protocol Header Checksum Source IP Destination IP = 4 = 20 = 0x00 (0) = 0x002C (44) = 0x0002 (2) = 0x00 = 0x00 = 0xFE (254) = 0x06 (TCP) = 0xFB20 (64288) = 0xC0A80101 (192.168.1.1) = 0x00000000 (0.0.0.0) TCP Header: Source Port
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 723
    and/or renew the assigned WAN IP address, subnet mask and default gateway in a fashion similar to winipcfg. Figure 461 WAN & LAN DHCP The following table describes the diagnostic tests available in menu 24.4 for your ZyWALL and associated connections.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 724
    its IP address in the Host IP Address field below. WAN DHCP Release Enter 2 to release your WAN DHCP settings. WAN DHCP Renewal Enter 3 to renew your WAN DHCP settings. Internet Setup Test or PPPoE/PPTP/3G Setup Test Enter 4 to test the Internet setup. You can also test the Internet setup in
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 725
    can download new firmware releases from your nearest ZyXEL FTP site to use to upgrade your ZyWALL's performance. 49.2 Filename Conventions The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 726
    configurations, system-related data (including the default password), the error log and the trace log. *.rom Firmware Ras This is the generic name for the ZyNOS firmware on the ZyWALL. *.bin 49.3 Backup Configuration The ZyWALL displays different messages explaining different ways to backup
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 727
    ), please see your router manual. 49.3.2 Using the FTP Command from the Command Line 1 Launch the FTP client on your computer. 2 Enter "open", followed by a space and the IP address of your ZyWALL. 3 Press [ENTER] when prompted for a username. 4 Enter your password as requested (the default is "1234
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 728
    in the Secure Client IP field in menu 24.11 does not match the client IP. If it does not match, the ZyWALL will disconnect the Telnet session immediately. 5 You have an SMT console session running. 49.3.6 Backup Configuration Using TFTP The ZyWALL supports the up/downloading of the firmware and the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 729
    TFTP Clients COMMAND DESCRIPTION Host Enter the IP address of the ZyWALL. 192.168.1.1 is the ZyWALL's default IP address when shipped. Send/Fetch Use "Send" to upload the file to the ZyWALL and "Fetch" to back up the file on your computer. Local File Enter the path and name of the firmware
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 730
    that the Xmodem download has started. Figure 465 System Maintenance: Starting Xmodem Download Screen You can enter ctrl-x to terminate operation any time. Starting XMODEM download... 3 Run to restore unless you have a backup configuration file stored on disk.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 731
    menu to restore using TFTP), please see your router manual. 1 Launch the FTP client on your computer. 2 Enter "open", followed by a space and the IP address of your ZyWALL. 3 Press [ENTER] when prompted for a username. 4 Enter your password as requested (the default is "1234"). 5 Enter "bin" to
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 732
    Chapter 49 Firmware and Configuration File Maintenance 49.4.2 Restore Using FTP Session Example Figure 469 Restore Using FTP Session Example ftp> put config.rom rom-0 200 Port command okay 150 Opening data for it. Choose the Xmodem protocol. Then click Send.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 733
    is the preferred method for uploading the firmware and configuration. To use this feature, your computer must have an FTP client. When you telnet into the ZyWALL, you will see the following screens for uploading firmware and the configuration file using FTP.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 734
    the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your system. Then type "admin" and SMT password as requested. 3. Type "put firmwarefilename ras" where "firmwarefilename" is the name of your firmware upgrade file on your workstation and "ras" is
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 735
    , follow the procedure shown next. 1 Use telnet from your computer to connect to the ZyWALL and log in. Because TFTP does not have any security checks, the ZyWALL records the IP address of the telnet client and accepts TFTP requests only from this address.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 736
    download/upload. 49.5.8 Uploading Firmware File Via Console Port 1 Select 1 from Menu 24.7 - System Maintenance - Upload Firmware to display Menu 24.7.1 - System Maintenance - Upload System Firmware, and then follow the instructions as shown in the following screen.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 737
    . 49.5.10 Uploading Configuration File Via Console Port 1 Select 2 from Menu 24.7 - System Maintenance - Upload Firmware to display Menu 24.7.2 - System Maintenance - Upload System Configuration File. Follow the instructions as shown in the next screen.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 738
    on your terminal. 4. After successful firmware upload, enter "atgo" to restart password may change (menu 23), also. 3. When uploading the DEFAULT configuration file, the console port speed will be reset to 9600 bps and the password ZyWALL by entering "atgo".
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 739
    and Console Port Speed 3. Log and Trace 4. Diagnostic 5. Backup Configuration 6. Restore Configuration 7. Upload Firmware 8. Command Interpreter Mode 9. Call Control 10. Time and Date Setting 11. Remote Management Setup Enter Menu Selection Number:
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 740
    Menus 8 to 10 50.2 Call Control Support The ZyWALL provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1. The budget management function allows you to set a limit on the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 741
    . After each period, the total budget is reset. The default for the total budget is 0 minutes and the period is 0 hours, meaning no budget control. You can reset the accumulated connection time in this menu by entering the index of a remote node. Enter 0 to update the screen. The budget and the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 742
    9. Call Control 10. Time and Date Setting 11. Remote Management Setup Enter Menu Selection Number: Enter 10 to go to Menu 24.10 - System Maintenance - Time and Date Setting to update the time and date settings of your ZyWALL as shown in the following screen.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 743
    4-byte integer giving the total number of seconds since 1970/1/1 at 0:0:0. The default, NTP (RFC-1305), is similar to Time (RFC-868). Select Manual to enter the new time and new date manually. Time Server Address Enter the IP address or domain name of your timeserver. Check with your ISP/ network
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 744
    instance, you would type 02 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). Once you have filled in this menu, press [ENTER] at the message "Press ENTER to Confirm or ESC to Cancel" to save your configuration, or press [ESC] to cancel.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 745
    the ZyWALL by not allowing access for the service/protocol through any of the ZyWALL interfaces. To disable remote management of a service, select Disable in the corresponding Access field. Enter 11 from menu 24 to bring up Menu 24.11 - Remote Management Control.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 746
    +WLAN, WAN+DMZ+WLAN, LAN+WAN+DMZ+WLAN or Disable. Secure Client IP The default 0.0.0.0 allows any client to use this service to remotely manage the ZyWALL. Enter an IP address to restrict access to a client with a matching IP address. Certificate Press [SPACE BAR] and then [ENTER] to select the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 747
    that service in menu 24.11. 3 The IP address in the Secure Client IP field (menu 24.11) does not match the client IP address. If it does not match, the ZyWALL will disconnect the session immediately. 4 There is an SMT console session running. 5 There is already another remote management session
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 748
    Chapter 51 Remote Management
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 749
    52 IP Policy Routing This chapter covers setting and applying policies used for IP routing. 52.1 IP Routing Policy IP Routing Policy Summary FIELD DESCRIPTION # This is the policy index number. A This displays whether a policy is active (Y) or not (N).
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 750
    , or press [ESC] at any time to cancel. Table 264 IP Routing Policy Setup ABBREVIATION MEANING Criterion SA Source IP Address SP Source Port DA Destination IP Address DP Destination Port P IP layer 4 protocol number (TCP=6, UDP=17...) T Type of service of incoming packet PR Precedence
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 751
    ] to choose from Equal, Not Equal, Less, Greater, Less or Equal or Greater or Equal. Source addr start / end Source IP address range from start to end. port start / end Source port number range from start to end; applicable only for TCP/UDP. Destination
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 752
    Remote Node to have the ZyWALL send traffic that matches the policy route through a specific WAN port. Gateway addr This field displays if you selected IP Address in the Gateway Type field. Defines the outgoing gateway address. The gateway must be on the same subnet as the ZyWALL if it is on the
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 753
    remote node connections, you can route Web packets to the Internet using one policy and route FTP packets to a remote network using another policy. See the next figure. Route 1 represents the default IP route and route 2 represents the configured IP route.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 754
    clients with IP addresses of 192.168.1.33 to 192.168.1.64 to be routed to the Internet via the WAN port of the ZyWALL, follow the steps as shown next. 1 Create a rule in Menu 25.1 - IP Routing Policy Setup as shown next. Figure 492 IP Routing Policy Example 1 Menu 25.1 - IP Routing Policy Setup
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 755
    means any host) with protocol TCP and port FTP access through another gateway (192.168.1.100). Figure 493 IP Routing Policy Example 2 Menu 25.1 - IP Routing Policy Setup Rule Index= 2 Active= No Criteria: IP Protocol = 6 Type of Service= Don't Care Packet length= 10 Precedence = Don
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 756
    Chapter 52 IP Policy Routing
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 757
    precedence over set 2, 3 and 4 as the ZyWALL, by default, applies the lowest numbered set first. Set 2 will take precedence over set 3 and 4, and so on. You can design up to 12 schedule sets but you can only apply up to four schedule sets for a remote node.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 758
    If a connection has been already established, your ZyWALL will not drop it. Once the connection is dropped manually or it times out, then that remote node can't be triggered up until the end of the Duration. Table 267 Schedule Set Setup FIELD DESCRIPTION Active Press [SPACE BAR] to select
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 759
    Active= Yes Route= IP Encapsulation= PPPoE Service Type= Standard Service Name= Outgoing= My Login= My Password= ******** Authen= CHAP/PAP Edit IP= No Telco Option: Allocated Budget(min)= 0 Period(hr)= 0 Schedules= 1,2,3,4 Nailed-Up Connection= No Session Options: Edit Filter Sets= No Idle
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 760
    Profile Rem Node Name= ChangeMe Active= Yes Route= IP Encapsulation= PPTP Service Type= Standard Outgoing= My Login= My Password= ******** Retype to Confirm= ******** Authen= CHAP/PAP PPTP: My IP Addr= My IP Mask= Server IP Addr= Connection ID/Name= Edit IP= No Telco Option: Allocated Budget(min
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 761
    PART VII Troubleshooting and Product Specifications Troubleshooting (763) Product Specifications (769)
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 762
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 763
    you might encounter. The potential problems are divided into the following categories. • Power, Hardware Connections, and LEDs • ZyWALL Access and Login • Internet Access • Wireless Router/AP Troubleshooting • UPnP 54.1 Power, Hardware Connections, and LEDs V The ZyWALL does not turn on. None
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 764
    password is 1234. 2 If this does not work, you have to reset the device to its factory defaults. See Section 3.3 on page 63. V I cannot see or access the Login screen in the web configurator. 1 Make sure you are using the correct IP address. • The default IP address is 192.168.1.1. • Use the ZyWALL
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 765
    computer is using a dynamic IP address. See Appendix D on page 795. Your ZyWALL is a DHCP server by default. 6 Reset the device to its factory defaults, and try to access the ZyWALL with the default IP address. See Section 3.3 on page 63. 7 If the problem continues, contact the network administrator
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 766
    Internet wirelessly, make sure the wireless settings in the wireless client are the same as the settings in the AP. 4 Disconnect all the cables from your device, and follow the directions in the Quick Start Guide again. 5 If the problem continues, contact your ISP.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 767
    suggestions. Advanced Suggestions • Check the settings for bandwidth management. If it is disabled, you might consider activating it. If it is enabled, you might consider changing the allocations. 54.4 Wireless Router/AP Troubleshooting V I cannot access the ZyWALL or ping any computer from the WLAN
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 768
    Troubleshooting 5 Check that both the ZyWALL and your wireless station are using the same wireless and wireless security settings. 6 Make sure traffic between the WLAN and the LAN is not blocked by the firewall on the ZyWALL. 7 Make sure you allow the ZyWALL .
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 769
    Mbps RJ-45 Ethernet ports. Reset Button Restores factory default settings Console RS-232 DB9F Dial Backup RS-232 DB9M Extension Card Slot For installing an optional ZyXEL wireless LAN card, 3G card or a ZyWALL Turbo extension card Operating Temperature 0° C ~ 50° C Storage Temperature -30
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 770
    or MAC filtering to protect your wireless network. Firmware Upgrade Download new firmware (when available) from the ZyXEL web site and use the web configurator, an FTP or a TFTP tool to put it on the ZyWALL. Configuration Backup & Restoration Network Address Translation (NAT) Port Forwarding DHCP
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 771
    and Performance Specifications FEATURE ZYWALL 70 Local User Database Entries 32 Static DHCP Table Entries 128 Static Routes 50 Policy Routes 48 Port Forwarding Rules 100 Concurrent Sessions (NAT sessions) 10,000 Address Mapping Rules 100 Configurable IPSec VPN Network Policies
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 772
    60Mbps VPN (3DES) Throughput 40Mbps 35Mbps 30Mbps User Licenses Unlimited Unlimited Unlimited Compatible ZyXEL WLAN Cards The following table lists the ZyXEL WLAN cards that you can use in the ZyWALL at the time of writing. It also shows the security features that each card supports
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 773
    Specifications 55.1 Compatible 3G Cards At the time of writing, you can use the following 3G wireless cards in the ZyWALL 5. The table also shows you the 3G features supported by the compatible 3G cards. Table 272 3G Features Supported By Compatible 3G Cards FEATURES SIERRA 3G CARD WIRELESS
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 774
    even when data is transmitting Dormant status update after the connection is established Budget Control Y Y Y Y Bandwidth Management Y Y Y Y HUAWEI EC360 Y Y Table 274 3G Features Supported By Additional Compatible 3G Cards 3G CARD HUAWEI FEATURES EC500 HUAWEI E220 OPTION GLOBETRO
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 775
    274 3G Features Supported By Additional Compatible 3G Cards 3G CARD HUAWEI FEATURES EC500 HUAWEI E220 OPTION GLOBETRO TTER HSDPA 7.2 READY NOVATEL MERLIN EX720 Budget Control Y Y Y Y Bandwidth Management Y Y Y Y NOVATEL MERLIN PC720 Y Y 55.2 Power Adaptor Specifications Table 275
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 776
    /AUX switch changes the setting in the firmware only and does not change the CON/AUX port's pin assignments. ZyWALLs with a CON/AUX port also have a 9-pin adaptor for the console cable with these pin assignments on the male end. 4. Pins 2,3 and 5 are used.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 777
    Chapter 55 Product Specifications Table 282 Ethernet Cable Pin Assignments WAN / LAN ETHERNET CABLE PIN LAYOUT Straight-through Crossover (Switch) ( - 2 IRD - 3 OTD + 3 IRD + 3 OTD + 6 OTD - 6 IRD - 6 OTD - (Switch) 1 IRD + 2 IRD 3 OTD + 6 OTD -
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 778
    Chapter 55 Product Specifications
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 779
    PART VIII Appendices and Index Removing and Installing a Fuse (781) Common Services (783) Wireless LANs (787) Windows 98 SE/Me Requirements for Anti-Virus Message Display (801) Legal Information (805) Customer Support (809) Index (815)
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 780
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 781
    product specifications chapter. Removing a Fuse Disconnect all power from the ZyWALL before you begin this procedure. 1 Place the rear panel of the ZyWALL in front of you. 2 Remove the power cord from the back of the unit. 3 The fuse housing is located between the power switch and the power port
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 782
    Appendix A Removing and Installing a Fuse
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 783
    , a service that matches web names (e.g. www.zyxel.com) to IP numbers. The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service. Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 784
    . PPTP (Point-to-Point Tunneling Protocol) enables secure transfer of data over public networks. This is the data channel. Remote Command Service. A streaming audio service that enables real time sound over the web. Remote Execution Daemon. Remote Login.
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 785
    to allow users to log into remote host systems. Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol). Another videoconferencing solution. ZyWALL 5/35/70 Series User's Guide 785
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 786
    Appendix B Common Services 786 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 787
    clients in the BSS. When Intra-BSS is enabled, wireless client A and B can access the wired network and communicate with each other. When Intra-BSS is disabled, wireless client A and B can still access the wired network but cannot communicate with each other. ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 788
    but also mediate wireless network traffic in the immediate neighborhood. An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate. 788 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 789
    A channel is the radio frequency(ies) used by wireless devices to transmit and receive data. Channels available depend a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out-of-range of each other, so they cannot "hear" each other, that is
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 790
    before the AP will fragment the packet into smaller data frames. A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference. 790 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 791
    Code Keying) 6/9/12/18/24/36/48/54 OFDM (Orthogonal Frequency Division Multiplexing) Wireless Security Overview Wireless security is vital to your network to protect wireless communication between wireless clients, access points and the wired network. ZyWALL 5/35/70 Series User's Guide 791
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 792
    Secure Unique SSID (Default) Unique SSID with Hide SSID Enabled MAC Address Filtering WEP Encryption IEEE802.1x EAP with RADIUS Server Authentication Most Secure Wi-Fi Protected Access (WPA) WPA2 " You must enable the same wireless security settings on the ZyWALL and on all wireless clients
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 793
    EAP to interact with an EAP-compatible RADIUS server, an access point helps a wireless station and a RADIUS server perform authentication. The type of authentication you use depends on the RADIUS server and an intermediary AP(s) that supports IEEE 802.1x. ZyWALL 5/35/70 Series User's Guide 793
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 794
    supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco. LEAP LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x. 794 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 795
    If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not. Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2. ZyWALL 5/35/70 Series User's Guide 795
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 796
    password, instead of user-specific credentials. The common-password approach makes WPA(2)-PSK susceptible to brute-force password- wireless client (already connecting to an AP) to perform IEEE 802.1x authentication with another AP before connecting to it. 796 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 797
    XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it. WPA(2) with RADIUS Application Example To set up WPA(2), you need the IP address of the RADIUS server, its port number (default is 1812), and
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 798
    AP and wireless clients use management protocol type. MAC address filters are not dependent on how you configure these security features. Table 287 Wireless Security Relational Matrix AUTHENTICATION METHOD/ KEY MANAGEMENT PROTOCOL ENCRYPTION METHOD ENTER MANUAL ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 799
    . Angles typically range from 20 degrees (very directional) to 120 degrees (less directional). Directional antennas are ideal for hallways and outdoor point-to-point applications. ZyWALL 5/35/70 Series User's Guide 799
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 800
    Appendix C Wireless LANs Positioning Antennas In general, antennas should be mounted as high as practically possible and free of obstructions. In area as possible. For directional antennas, point the antenna in the direction of the desired coverage area. 800 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 801
    . For Windows 98 SE/Me, you must open the WinPopup window in order to view real-time alert messages. For Windows 2000 and later versions, a message window automatically displays when an alert is ). 1 Right-click on the program task bar and click Properties. ZyWALL 5/35/70 Series User's Guide 801
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 802
    ... Figure 507 Windows 98 SE: Task Bar Properties 3 Double-click Programs and click StartUp. 4 Right-click in the StartUp pane and click New, Shortcut. 802 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 803
    "winpopup" in the Command line field and click Next. Figure 509 Windows 98 SE: Startup: Create Shortcut 6 Specify a name for the shortcut or accept the default and click Finish. ZyWALL 5/35/70 Series User's Guide 803
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 804
    . Figure 511 Windows 98 SE: Startup: Shortcut " The WinPopup window displays after the computer finishes the startup process (see Figure 505 on page 801). 804 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 805
    publication is subject to change without notice. Your use of the ZyWALL is subject to the terms and conditions of your service provider. Trademarks ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 806
    if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, .11b or 802.11g operation of this product in the U.S.A. is firmware-limited to channels 1 through 11. • To comply with FCC RF Canada. 806 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 807
    device at http://www.zyxel.com/web/ support_warranty_info.php. Registration Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.zyxel.com for North American products. ZyWALL 5/35/70 Series User's Guide 807
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 808
    Appendix E Legal Information 808 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 809
    B, Horizon Building, No.6, Zhichun Str, Haidian District, Beijing • Web: http://www.zyxel.cn China - ZyXEL Communications (Shanghai) Corp. • Support E-mail: [email protected] • Sales E-mail: [email protected] • Telephone: +86-021-61199055 • Fax: +86-021-52069033 ZyWALL 5/35/70 Series User's Guide 809
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 810
    : ZyXEL Communications Oy, Malminkaari 10, 00700 Helsinki, Finland France • E-mail: [email protected] • Telephone: +33-4-72-52-97-97 • Fax: +33-4-72-52-19-20 • Web: www.zyxel.fr • Regular Mail: ZyXEL France, 1 rue des Vergers, Bat. 1 / C, 69760 Limonest, France 810 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 811
    • Support: http://zyxel.kz/support • Sales E-mail: [email protected] • Telephone: +7-3272-590-698 • Fax: +7-3272-590-689 • Web: www.zyxel.kz • Regular Mail: ZyXEL Kazakhstan, 43 Dostyk Ave., Office 414, Dostyk Business Centre, 050010 Almaty, Republic of Kazakhstan ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 812
    Okrzei 1A, 03-715 Warszawa, Poland Russia • Support: http://zyxel.ru/support • Sales E-mail: [email protected] • Telephone: +7-095-542-89-29 • Fax: +7-095-542-89-25 • Web: www.zyxel.ru • Regular Mail: ZyXEL Russia, Ostrovityanova 37a Str., Moscow 117279, Russia 812 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 813
    E-mail: [email protected] • Sales E-mail: [email protected] • Telephone: +662-831-5315 • Fax: +662-831-5395 • Web: http://www.zyxel.co.th • Regular Mail: ZyXEL Thailand Co., Ltd., 1/1 Moo 2, Ratchaphruk Road, Bangrak-Noi, Muang, Nonthaburi 11000, Thailand. ZyWALL 5/35/70 Series User's Guide 813
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 814
    E-mail: [email protected] • Telephone: +44-1344-303044, 0845 122 0301 (UK only) • Fax: +44-1344-303034 • Web: www.zyxel.co.uk • Regular Mail: ZyXEL Communications UK Ltd., 11 The Courtyard, Eastern Road, Bracknell, Berkshire RG12 2XB, United Kingdom (UK) 814 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 815
    management 465 address type 475 bandwidth borrowing 473 bandwidth class 465 bandwidth filter 475 class configuration 473 class setup 471 maximize bandwidth usage 468, 469 monitor 478 proportional allocation 466 root class 471 scheduler 469 statistics 477 sub-class layers 471 Basic Service Set
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 816
    type 617 use server detected IP 618 wildcard 617 default configuration 63 default server IP address 441 default settings 598 Denial of Service. See DoS. device introduction 51 DHCP 82, 151, 152, 488, 635 Relay 635 Server 635 WAN 723 DHCP clients 586 DHCP table 82 ZyWALL 5/35/70 Series User's Guide
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 817
    , 654, 767 ZyWALL 5/35/70 Series User's Guide Index Ethernet encapsulation 88, 639, 660 extended authentication 391 Extended Service Set IDentification. See ESSID. Extended Service Set, See ESS 788 external database 314, 318 F F/W version 716 factory defaults 598 factory-default configuration file
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 818
    ID content 389 ID type 389 IP address, remote IPSec router 360 IP address, ZyXEL Device 360 local identity 390 main mode 359, 391 NAT traversal 392 negotiation mode 359 password 391 peer identity 390 pre-shared key 389 proposal 388 SA life time 396 user name 391 IMAP 315 incoming protocol filter 637
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 819
    392, 396 IPSec SA. See also VPN. ISP parameters 88 L LAN 152 port filter setup 633 setup 633 legitimate e-mail 314 levels of severity of intrusions 282 license key 144 link type 73 loading a configuration file 597 log 717 log and trace 717 log facility 718 login screen 606 M MAC address 183, 620
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 820
    282 policy-based routing 457 polymorphic virus 310 pool of IP addresses 151, 154 POP2 315 POP3 315, 318, 320 port filter setup DMZ 645 LAN 633 port forwarding 441 VPN 372 port restricted cone NAT 449 port scans 277 port statistics 80 Post Office Protocol. See POP. PPPoE client 642 encapsulation 89
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 821
    781 reports 539 ZyWALL 5/35/70 Series User's Guide host IP address 541, 542 protocol/port 541, 543 web site hits 541 required fields 607 reset button 63 resetting the time 588 resetting the ZyWALL 63 restore configuration 597, 730 via console port 737 restoring factory defaults 598 restoring files
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 822
    services 141 SYN scanning 281 syntax conventions 4 syslog logging 718 system information 713 maintenance 713 name 585, 613 status 713 timeout 492 System Management Terminal. See SMT. T target market 51 task bar properties 802 TCP maximum incomplete 265 TCP/IP 664 and DHCP Ethernet setup 634 filter
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 823
    717 trademarks 805 traffic from VPN 120 redirect 197 to VPN 121 transparent firewall 71, 161, 591, 593 triangle routes 274 vs virtual interfaces 274 trigger port forwarding 690 Trivial File Transfer Protocol. See TFTP. trojan horse 281 troubleshooting 599 Type of Service. See ToS. U unicast 152
  • ZyXEL ZyWALL 5 UTM | User Guide - Page 824
    See WPA. Windows Internet Naming Service. See WINS. WinPopup window 801 WINS 152, 154 WINS server 154 wireless channel 767 wireless client WPA supplicants 797 wireless LAN 767 wireless security 767, 791 wizard setup 87 WLAN interference 789 IP alias 657 MAC address filter 656 security parameters 798

www.zyxel.com
ZyWALL 5/35/70 Series
Internet Security Appliance
User’s Guide
Version 4.04
03/2008
Edition 1
DEFAULT LOGIN
IP Address
Password
1234