Zyxel-communications ZYWALL10 Manual do Utilizador

ZyWALL 10Internet Security GatewayUser’s GuideVersion 3.24April 2001

ZyWALL 10 Internet Security Gatewayx Table of Contents2.7 General Setup...

ZyWALL 10 Internet Security GatewayFilters 7-1Chapter 7Filter ConfigurationThis chapter shows you how to create and apply filters.7.1 About FilteringY

ZyWALL 10 Internet Security Gateway7-2 Filters7.1.1 The Filter Structure of the ZyWALLA filter set consists of one or more filter rules. Usually, yo

ZyWALL 10 Internet Security GatewayFilters 7-3StartFetch FirstFilter SetFetch FirstFilter RuleActive?ExecuteFilter RuleFetch NextFilter RuleNext filte

ZyWALL 10 Internet Security Gateway7-4 Filters7.2 Configuring a Filter SetTo configure a filter set, follow the procedure below. For more information

ZyWALL 10 Internet Security GatewayFilters 7-5Figure 7-6 NetBIOS_WAN Filter Rules SummaryFigure 7-7 NetBIOS _LAN Filter Rules SummaryFigure 7-8 TEL_FT

ZyWALL 10 Internet Security Gateway7-6 Filters7.2.1 Filter Rules Summary MenuThis screen shows the summary of the existing rules in the filter set.

ZyWALL 10 Internet Security GatewayFilters 7-7ABBREVIATION DESCRIPTIONGENOff OffsetLen LengthRefer to the next section for information on configuring

ZyWALL 10 Internet Security Gateway7-8 FiltersThe following table describes how to configure your TCP/IP filter rule.Table 7-3 TCP/IP Filter Rule Menu

ZyWALL 10 Internet Security GatewayFilters 7-9FIELD DESCRIPTION OPTIONSaccording to the action fields.If More is Yes, then Action Matched and Action N

ZyWALL 10 Internet Security Gateway7-10 FiltersThe following figure illustrates the logic flow of an IP filter.Packetinto IP FilterMatchedMatchedYesAc

ZyWALL 10 Internet Security GatewayTable of Contents xi5.1 IP Static Route Setup...

ZyWALL 10 Internet Security GatewayFilters 7-117.2.4 Generic Filter RuleThis section shows you how to configure a generic filter rule. The purpose o

ZyWALL 10 Internet Security Gateway7-12 FiltersTable 7-4 Generic Filter Rule Menu FieldsFIELD DESCRIPTION OPTIONSFilter # This is the filter set, filt

ZyWALL 10 Internet Security GatewayFilters 7-137.3 Example FilterLet’s look at an example to block outside users from telnetting into the ZyWALL. Plea

ZyWALL 10 Internet Security Gateway7-14 FiltersFigure 7-13 Example Filter — Menu 21.1.1.1When you press [ENTER] to confirm, you will see the following

ZyWALL 10 Internet Security GatewayFilters 7-15Figure 7-14 Example Filter Rules Summary — Menu 21.1.3After you’ve created the filter set, you must app

ZyWALL 10 Internet Security Gateway7-16 Filtersthe raw packets that appear on the wire. They are applied at the point when the ZyWALL is receiving and

ZyWALL 10 Internet Security GatewayFilters 7-17Figure 7-16 Filtering LAN Traffic7.6.2 Remote Node FiltersGo to menu 11.5 (shown below – note that cal

ZyWALL 10 Internet Security GatewaySNMP 8-1Chapter 8SNMP ConfigurationThis chapter discusses SNMP (Simple Network Management Protocol) for network man

ZyWALL 10 Internet Security Gateway8-2 SNMPThe following table describes the SNMP configuration parameters.Table 8-1 SNMP Configuration Menu FieldsFIE

ZyWALL 10 Internet Security Gatewayxii Table of Contents7.6.2 Remote Node Filters...

ZyWALL 10 Internet Security GatewaySystem Information & Diagnosis 9-1Chapter 9System Information & DiagnosisThis chapter covers SMT menus 24.

ZyWALL 10 Internet Security Gateway9-2 System Information & DiagnosisFigure 9-2 Menu 24.1 — System Maintenance — StatusThe following table describ

ZyWALL 10 Internet Security GatewaySystem Information & Diagnosis 9-3FIELD DESCRIPTIONIP Address The LAN port IP address.IP Mask The LAN port IP

ZyWALL 10 Internet Security Gateway9-4 System Information & Diagnosis9.2.1 System InformationSystem Information gives you information about your s

ZyWALL 10 Internet Security GatewaySystem Information & Diagnosis 9-59.2.2 Console Port SpeedYou can change the speed of the console port throug

ZyWALL 10 Internet Security Gateway9-6 System Information & DiagnosisFigure 9-6 Menu 24.3 — System Maintenance — Log and TraceExamples of typical

ZyWALL 10 Internet Security GatewaySystem Information & Diagnosis 9-7You need to configure the UNIX syslog parameters described in the following

ZyWALL 10 Internet Security Gateway9-8 System Information & Diagnosis1. CDRCDR Message FormatSdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String );S

ZyWALL 10 Internet Security GatewaySystem Information & Diagnosis 9-9Mar 03 10:39:43 202.132.155.97 ZyXEL:GEN[fffffffffffnordff0080] }S05>R01m

ZyWALL 10 Internet Security Gateway9-10 System Information & Diagnosis9.3.3 Call-Triggering PacketCall-Triggering Packet displays information abou

ZyWALL 10 Internet Security GatewayTable of Contents xiii11.2 Call Control Support ...

ZyWALL 10 Internet Security GatewaySystem Information & Diagnosis 9-11Figure 9-10 Menu 24.4 — System Maintenance — DiagnosticFollow the procedure

ZyWALL 10 Internet Security Gateway9-12 System Information & DiagnosisFigure 9-11 WAN & LAN DHCPThe following table describes the diagnostic t

ZyWALL 10 Internet Security GatewayFirmware and Configuration File Maintenance 10-1Chapter 10Firmware and Configuration FileMaintenanceThis chapter t

ZyWALL 10 Internet Security Gateway10-2 Firmware and Configuration File MaintenanceTable 10-1 Filename ConventionsFILE TYPE INTERNALNAMEEXTERNALNAMEDE

ZyWALL 10 Internet Security GatewayFirmware and Configuration File Maintenance 10-310.2.1 Example: Backup Configuration Using HyperTerminalThis secti

ZyWALL 10 Internet Security Gateway10-4 Firmware and Configuration File Maintenance10.3 Restore ConfigurationMenu 24.6 -- System Maintenance - Restore

ZyWALL 10 Internet Security GatewayFirmware and Configuration File Maintenance 10-5Figure 10-8 Telnet into Menu 24.6 Restore Configuration10.4 Upload

ZyWALL 10 Internet Security Gateway10-6 Firmware and Configuration File MaintenanceStep 4. After successful firmware upload, enter atgo to restart th

ZyWALL 10 Internet Security GatewayFirmware and Configuration File Maintenance 10-7Menu 24.6 replaces the current configuration with your customized

ZyWALL 10 Internet Security Gateway10-8 Firmware and Configuration File MaintenanceStep 1. Use telnet from your workstation to connect to the ZyWALL

ZyWALL 10 Internet Security Gatewayxiv Table of Contents14.1 SMT Menus...

ZyWALL 10 Internet Security GatewayFirmware and Configuration File Maintenance 10-9COMMAND DESCRIPTIONRemote File This is the filename on the ZyWALL.

ZyWALL 10 Internet Security Gateway10-10 Firmware and Configuration File MaintenanceFigure 10-13 Telnet into Menu 24.7.1You see the following screen w

ZyWALL 10 Internet Security GatewayFirmware and Configuration File Maintenance 10-1110.6.1 Using the FTP command from the DOS PromptStep 1. Launch t

ZyWALL 10 Internet Security Gateway10-12 Firmware and Configuration File MaintenanceTable 10-3 Third Party FTP Clients — General FieldsCOMMAND DESCRIP

ZyWALL 10 Internet Security GatewaySystem Maintenance & Information 11-1Chapter 11 System Maintenance & InformationThis chapter leads you thr

ZyWALL 10 Internet Security Gateway11-2 System Maintenance & Information11.2 Call Control SupportThe ZyWALL provides two call control functions: b

ZyWALL 10 Internet Security GatewaySystem Maintenance & Information 11-3The total budget is the time limit on the accumulated time for outgoing c

ZyWALL 10 Internet Security Gateway11-4 System Maintenance & InformationFigure 11-5 Call HistoryTable 11-2 Call History FieldsFIELD DESCRIPTIONPho

ZyWALL 10 Internet Security GatewaySystem Maintenance & Information 11-5Select menu 24 in the main menu to open Menu 24 - System Maintenance, as

ZyWALL 10 Internet Security Gateway11-6 System Maintenance & InformationTable 11-3 Time and Date Setting FieldsFIELD DESCRIPTIONEnter the time ser

ZyWALL 10 Internet Security GatewayTable of Contents xv17.1 Introduction...

ZyWALL 10 Internet Security GatewaySystem Maintenance & Information 11-711.4 Remote Management SetupTelnet and FTP do not support encryption, so

ZyWALL 10 Internet Security Gateway11-8 System Maintenance & Information11.5 Boot CommandsThe BootModule AT commands execute from within the route

ZyWALL 10 Internet Security GatewaySystem Maintenance & Information 11-9Figure 11-10 Boot Module Commands======= Debug Command Listing =======AT

ZyWALL 10 Internet Security GatewayTelnet 12-1Chapter 12Telnet Configuration and CapabilitiesThis chapter covers the Telnet Configuration and Capabil

ZyWALL 10 Internet Security Gateway12-2 Telnet12.3.2 System TimeoutThere is a system timeout of 5 minutes (300 seconds) for either the console port or

Firewall and Content FiltersIVPart IV: Firewall and Content FiltersChapters 13 — 20 define the term “Firewall”, introduce the ZyWALL Firewall and ZyWA

ZyWALL 10 Internet Security GatewayWhat Is a Firewall? 13-1Chapter 13What is a Firewall?This chapter gives some background information on Firewalls.O

ZyWALL 10 Internet Security Gateway13-2 What Is a Firewall?ii. Robust authentication and logging pre-authenticates application traffic before it re

ZyWALL 10 Internet Security Gatewayxvi Table of ContentsAppendix E Firewall CLI Commands ...

ZyWALL 10 Internet Security GatewayWhat Is a Firewall? 13-3Figure 13-1 ZyWALL Firewall Application13.3 Denial of ServiceDenials of Service (DoS) at

ZyWALL 10 Internet Security Gateway13-4 What Is a Firewall?Some of the most common IP ports are:Table 13-1 Common IP Ports21 FTP 53 DNS23 Telnet 80

ZyWALL 10 Internet Security GatewayWhat Is a Firewall? 13-5Figure 13-2 Three-Way HandshakeUnder normal circumstances, the application that initiates

ZyWALL 10 Internet Security Gateway13-6 What Is a Firewall?3. A brute-force attack, such as a "Smurf" attack, targets a feature in the IP

ZyWALL 10 Internet Security GatewayWhat Is a Firewall? 13-7! Denies all sessions originating from the WAN (Internet) to the LAN (local network).Figur

ZyWALL 10 Internet Security Gateway13-8 What Is a Firewall?6. Later, an inbound packet reaches the interface. This packet is part of the connection

ZyWALL 10 Internet Security GatewayWhat Is a Firewall? 13-9If an initiation packet originates on the LAN, this means that someone is trying to make a

ZyWALL 10 Internet Security Gateway13-10 What Is a Firewall?2. Think about access control before you connect a console port to the network in any w

ZyWALL 10 Internet Security GatewayWhat Is a Firewall? 13-118. Change your passwords regularly. Also, use passwords that are not easy to figure out.

ZyWALL 10 Internet Security GatewayList of Figures xviiList of FiguresFigure 1-1 Secure Internet Access via Cable ...

ZyWALL 10 Internet Security GatewayIntroducing the ZyWALL Firewall 14-1Chapter 14Introducing the ZyWALL FirewallThis chapter shows you how to get star

ZyWALL 10 Internet Security Gateway14-2 Introducing the ZyWALL FirewallFigure 14-3 Menu 21.2 — Firewall SetupConfigure the firewall rules using the Z

ZyWALL 10 Internet Security GatewayIntroducing the ZyWALL Firewall 14-3ICMP EchoA brute-force attack, such as a "Smurf" attack, targets a fe

ZyWALL 10 Internet Security Gateway14-4 Introducing the ZyWALL FirewallTracerouteTraceroute is a utility used to determine the path a packet takes be

ZyWALL 10 Internet Security GatewayIntroducing the ZyWALL Firewall 14-5Table 14-4 View Firewall LogFIELD DESCRIPTION EXAMPLES# This is the index numbe

ZyWALL 10 Internet Security Gateway14-6 Introducing the ZyWALL FirewallFigure 14-5 Big Picture — Filtering, Firewall and NAT14.3 Packet Filtering Vs

ZyWALL 10 Internet Security GatewayIntroducing the ZyWALL Firewall 14-7When To Use Filtering1. To block/allow LAN packets by their MAC address.2. To

ZyWALL 10 Internet Security GatewayIntroducing the ZyWALL Web Configurator 15-1Chapter 15Introducing the ZyWALL Web ConfiguratorThis chapter shows you

ZyWALL 10 Internet Security Gateway15-2 Introducing the ZyWALL Web ConfiguratorFigure 15-2 ZyWALL Web Configurator Welcome Screen

ZyWALL 10 Internet Security Gatewayxviii List of FiguresFigure 4-4 Menu 11.3 — Remote Node Network Layer Options...

ZyWALL 10 Internet Security GatewayIntroducing the ZyWALL Web Configurator 15-315.2 Enabling the FirewallClick Firewall, then Configuration, then the

ZyWALL 10 Internet Security Gateway15-4 Introducing the ZyWALL Web Configuratormail account. Enter the complete e-mail address to which alert message

ZyWALL 10 Internet Security GatewayIntroducing the ZyWALL Web Configurator 15-5Table 15-1 E-mailFIELD DESCRIPTION OPTIONSAddress InformationMail Serve

ZyWALL 10 Internet Security Gateway15-6 Introducing the ZyWALL Web Configurator15.3.3 SMTP Error MessagesIf there are difficulties in sending e-mail

ZyWALL 10 Internet Security GatewayIntroducing the ZyWALL Web Configurator 15-7Figure 15-5 E-mail Log15.4 Attack AlertThe first defense against DOS at

ZyWALL 10 Internet Security Gateway15-8 Introducing the ZyWALL Web Configurator5. Type of traffic for certain servers.If your network is slower than

ZyWALL 10 Internet Security GatewayIntroducing the ZyWALL Web Configurator 15-9Figure 15-6 Attack AlertThe following table describes the fields in thi

ZyWALL 10 Internet Security Gateway15-10 Introducing the ZyWALL Web ConfiguratorTable 15-3 Attack AlertFIELD DESCRIPTION DEFAULT VALUESGenerate alert

ZyWALL 10 Internet Security GatewayIntroducing the ZyWALL Web Configurator 15-11FIELD DESCRIPTION DEFAULT VALUESrises above this number, the ZyWALLdel

ZyWALL 10 Internet Security GatewayList of Figures xixFigure 6-21 NAT Example 4...

ZyWALL 10 Internet Security GatewayCreating Custom Rules 16-1Chapter 16Creating Custom RulesThis chapter contains instructions for defining both Local

ZyWALL 10 Internet Security Gateway16-2 Creating Custom Rules5. What computers on the LAN are to be affected (if any)?6. What computers on the Inte

ZyWALL 10 Internet Security GatewayCreating Custom Rules 16-316.3 Connection DirectionThis section talks about configuring firewall rules for connecti

ZyWALL 10 Internet Security Gateway16-4 Creating Custom RulesFigure 16-2 WAN to LAN Traffic16.4 Rule SummaryThe fields in the Rule Summary screens ar

ZyWALL 10 Internet Security GatewayCreating Custom Rules 16-5Figure 16-3 Firewall Rules Summary — First ScreenThe following table describes the fields

ZyWALL 10 Internet Security Gateway16-6 Creating Custom RulesTable 16-1 Firewall Rules Summary — First ScreenFIELD DESCRIPTION OPTIONSGeneralName Thi

ZyWALL 10 Internet Security GatewayCreating Custom Rules 16-7FIELD DESCRIPTION OPTIONSClick Apply to create a new firewall rule. New firewall rules ar

ZyWALL 10 Internet Security Gateway16-8 Creating Custom RulesTable 16-2 Predefined ServicesSERVICE DESCRIPTIONBGP(TCP:179) Border Gateway Protocol.BO

ZyWALL 10 Internet Security GatewayCreating Custom Rules 16-9SERVICE DESCRIPTIONSFTP(TCP:115) Simple File Transfer Protocol.SMTP(TCP:25) Simple Mail T

ZyWALL 10 Internet Security Gateway16-10 Creating Custom Rules16.5.1 Creating/Editing Firewall RulesTo create a new rule, click a number (No.) then c

ZyWALL 10 Internet Security Gatewayii CopyrightCopyrightCopyright © 2001 by ZyXEL Communications Corporation.The contents of this publication may not

ZyWALL 10 Internet Security Gatewayxx List of FiguresFigure 9-8 Menu 24.3.2 — System Maintenance — UNIX Syslog...

ZyWALL 10 Internet Security GatewayCreating Custom Rules 16-11Table 16-3 Creating/Editing A Firewall RuleFIELD DESCRIPTION OPTIONSSource AddressPress

ZyWALL 10 Internet Security Gateway16-12 Creating Custom Rules16.5.2 Source and Destination AddressesTo add a new source or destination address, clic

ZyWALL 10 Internet Security GatewayCreating Custom Rules 16-13Table 16-4 Adding/Editing Source and Destination AddressesFIELD DESCRIPTION OPTIONSAddre

ZyWALL 10 Internet Security Gateway16-14 Creating Custom Rules16.6 TimeoutThe fields in the Timeout screens are the same for Local and Internet netwo

ZyWALL 10 Internet Security GatewayCreating Custom Rules 16-15Table 16-5 Timeout MenuFIELD DESCRIPTION DEFAULTVALUETCP Timeout ValuesConnection Timeou

ZyWALL 10 Internet Security GatewayCustom Ports 17-1Chapter 17Custom PortsThis chapter covers creating, viewing and editing custom ports.17.1 Introduc

ZyWALL 10 Internet Security Gateway17-2 Custom PortsTable 17-1 Custom PortsFIELD DESCRIPTIONCustomizedServicesNo. This is the number of your customiz

ZyWALL 10 Internet Security GatewayCustom Ports 17-317.2 Creating/Editing A Custom PortClick Edit to create a new custom port or edit an existing one

ZyWALL 10 Internet Security Gateway17-4 Custom PortsTable 17-2 Creating/Editing A Custom PortFIELD DESCRIPTION OPTIONSService Name Enter a unique nam

ZyWALL 10 Internet Security GatewayList of Figures xxiFigure 12-1 Telnet Configuration on a TCP/IP Network...

ZyWALL 10 Internet Security GatewayExample Firewall Rules 18-1Chapter 18LogsThis chapter contains information about using the log screen to view the r

ZyWALL 10 Internet Security Gateway18-2 Example Firewall RulesTable 18-1 Log ScreenFIELD DESCRIPTION EXAMPLESNo. This is the index number of the fire

ZyWALL 10 Internet Security GatewayExample Firewall Rules 19-1Chapter 19Example Firewall RulesThis chapter gives examples for configuring various rule

ZyWALL 10 Internet Security Gateway19-2 Example Firewall RulesStep 1. Activate the firewall. You may activate the firewall through the ZyWALL Web Co

ZyWALL 10 Internet Security GatewayExample Firewall Rules 19-3Step 2. Configure your E-mail screen as follows. Click the E-mail tab to bring up the n

ZyWALL 10 Internet Security Gateway19-4 Example Firewall RulesStep 3. Configure your firewall rule as shown in the following screen. The default fir

ZyWALL 10 Internet Security GatewayExample Firewall Rules 19-5Step 4. Click DestAdd to configure the destination address as the IP of your server on

ZyWALL 10 Internet Security Gateway19-6 Example Firewall RulesStep 5. When you have finished configuring your rules, the Rule Summary screen should

ZyWALL 10 Internet Security GatewayExample Firewall Rules 19-7Step 1. First you want to send alerts when there is an attack. Go to the Attack Alert s

ZyWALL 10 Internet Security Gateway19-8 Example Firewall RulesFigure 19-7 Configuring A POP Custom PortStep 4. Now, you will create rules to block a

ZyWALL 10 Internet Security Gatewayxxii List of FiguresFigure 19-2 Example 1: E-mail Screen...

ZyWALL 10 Internet Security GatewayExample Firewall Rules 19-9Step 5. Click SrcAdd under the Source Address box and enter the IP address of the mail

ZyWALL 10 Internet Security Gateway19-10 Example Firewall RulesStep 7. The Rule Summary screen should look like Figure 19-9. Don’t forget to click A

ZyWALL 10 Internet Security GatewayExample Firewall Rules 19-11Step 9. On completing the procedure the Rule Summary for this Internet firewall rules

ZyWALL 10 Internet Security Gateway19-12 Example Firewall Rules19.1.3 Example 3: DHCP Negotiation and Syslog Connection from theInternetThe following

ZyWALL 10 Internet Security GatewayExample Firewall Rules 19-13Step 2. Follow the procedures outlined in the previous examples to configure all your

ZyWALL 10 Internet Security Gateway19-14 Example Firewall RulesStep 3. On completing the procedure the Rule Summary for this Internet firewall rules

ZyWALL 10 Internet Security GatewayContent Filtering 20-1Chapter 20Content FilteringThis chapter provides a brief overview of content filtering using

ZyWALL 10 Internet Security Gateway20-2 Content FilteringFigure 20-1 Categories Screen

ZyWALL 10 Internet Security GatewayContent Filtering 20-320.2 Update ListContent on the Internet is constantly changing, so the content filter list sh

ZyWALL 10 Internet Security Gateway20-4 Content Filtering20.3 Exempting ComputersThis screen allows the administrator to include or exclude a range o

ZyWALL 10 Internet Security GatewayList of Tables xxiiiList of TablesTable 2-1 LED functions ...

ZyWALL 10 Internet Security GatewayContent Filtering 20-520.4 CustomizingCustomize the content filter list by adding or removing specific sites from t

ZyWALL 10 Internet Security Gateway20-6 Content Filtering20.5 KeywordsThe ZyWALL can also be configured to block certain web sites by using URL keywo

ZyWALL 10 Internet Security GatewayContent Filtering 20-720.6 Log RecordsThis screen records the results of your content filter policies.Figure 20-6 L

Troubleshooting, Appendices, Glossary and IndexVPart V: Troubleshooting, Appendices, Glossary and IndexChapter 21 provides information about solving c

ZyWALL 10 Internet Security GatewayTroubleshooting 21-1Chapter 21TroubleshootingThis chapter covers potential problems and possible remedies. After e

ZyWALL 10 Internet Security Gateway21-2 Troubleshooting21.2 Problems with the LAN InterfaceTable 21-2 Troubleshooting the LAN InterfaceProblem Corre

ZyWALL 10 Internet Security GatewayTroubleshooting 21-321.4 Problems with Internet AccessTable 21-4 Troubleshooting Internet AccessProblem Corrective

ZyWALL 10 Internet Security GatewayPPPoE AAppendix APPPoEPPPoE in ActionAn ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516

ZyWALL 10 Internet Security Gatewayxxiv List of TablesTable 7-2 Rule Abbreviations Used ...

ZyWALL 10 Internet Security GatewayPPPoEBHow PPPoE WorksThe PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over

ZyWALL 10 Internet Security GatewayPPTP CAppendix B PPTPWhat is PPTP?PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC

ZyWALL 10 Internet Security Gateway PPTPDAccess Concentrator) and the PPTP user. The PNS is the box that hosts both the PPP and the PPTP stacksand

ZyWALL 10 Internet Security GatewayHardware Specifications EAppendix CHardware SpecificationsPower Specification I/P AC 120V / 60Hz ; O/P DC 12V 1200

ZyWALL 10 Internet Security GatewayF Safety InstructionsAppendix DImportant Safety InstructionsThe following safety instructions apply to the ZyWALL.1

ZyWALL 10 Internet Security GatewayCLI Commands GAppendix EFirewall CLI CommandsThe following table describes the syntax used to configure your firewa

ZyWALL 10 Internet Security GatewayH CLI CommandsFunction CLI Syntax Descriptionconfig edit firewall e-mailemail-to<e-mail address>Edits the mai

ZyWALL 10 Internet Security GatewayCLI Commands IFunction CLI Syntax DescriptionConfig edit firewall set <set #>default-permit <forward | blo

ZyWALL 10 Internet Security GatewayJ CLI CommandsFunction CLI Syntax Descriptionconfig edit firewall set <set #>rule<rule #> srcaddr-subne

ZyWALL 10 Internet Security GatewayCLI Commands KFunction CLI Syntax DescriptionDDeelleetteeconfig delete firewall e-mailRemoves all the settings for

ZyWALL 10 Internet Security GatewayList of Tables xxvTable 17-1 Custom Ports...

ZyWALL 10 Internet Security GatewayL Power Adapter SpecificationsAppendix FPower Adapter SpecificationsAC Power Adapter SpecificationsNorth AmericaAC

ZyWALL 10 Internet Security GatewayPower Adapter Specifications MJapanAC Power Adapter model JOD-48-1124Input power: AC100Volts/ 50/60Hz/ 27VAOutput p

ZyWALL 10 Internet Security GatewayN Glossary of TermsGlossary of Terms10BaseTThe 10-Mbps baseband Ethernet specification that uses two pairs of twist

ZyWALL 10 Internet Security GatewayGlossary of Terms OCookie A string of characters saved by a web browser on the user's hard disk. Many web page

ZyWALL 10 Internet Security GatewayP Glossary of TermsDigital Signature Digital code that authenticates whomever signed the document or software. Soft

ZyWALL 10 Internet Security GatewayGlossary of Terms QEvents These are network activities. Some activities are direct attacks on your system, whileoth

ZyWALL 10 Internet Security GatewayR Glossary of TermsIntegrity Proof that the data is the same as originally intended. Unauthorized software or peopl

ZyWALL 10 Internet Security GatewayGlossary of Terms Ssame as your Ethernet address.) The MAC layer frames data for transmission over thenetwork, then

ZyWALL 10 Internet Security GatewayT Glossary of TermsThis category of computer criminal includes several different types of illegal activitiesMaking

ZyWALL 10 Internet Security GatewayGlossary of Terms UProxy Server A server that performs network operations in lieu of other systems on the network.P

ZyWALL 10 Internet Security GatewayV Glossary of Termssecurity flaws in their network systems.ServerA computer, or a software package, that provides a

ZyWALL 10 Internet Security GatewayGlossary of Terms WTFTPTrivial File Transfer Protocol is an Internet file transfer protocol similar to FTP (FileTra

ZyWALL 10 Internet Security GatewayIndex YIndexAAction for Matched Packets... 16-11Activate The Firewall ...

ZyWALL 10 Internet Security GatewayZ IndexE-mail tab...15-4EncapsulationPPP over Ethernet...

ZyWALL 10 Internet Security GatewayIndex AARule Summary ... 16-4log...

ZyWALL 10 Internet Security GatewayBB IndexSecurity Ramifications...16-2Send Alerts When Attacked ...

ZyWALL 10 Internet Security GatewayIndex CCXxDSL modem... 1-3, 1-4, 2-3, 2-4, 4-3, 21-2, 21-3XMODEM protocol...

ZyWALL 10 Internet Security GatewayPreface xxviiPrefaceAbout Your RouterCongratulations on your purchase of the ZyWALL 10 Internet Security Gateway.Do

ZyWALL 10 Internet Security Gatewayxxviii PrefaceRegardless of your particular application, it is important that you follow the steps outlined in Cha

Getting StartedIPart I: Getting StartedChapters 1— 3 are structured as a step-by-step guide to help you connect, install and setup yourZyWALL to opera

ZyWALL 10 Internet Security GatewayFCC iiiFederal Communications Commission(FCC) Interference StatementThis device complies with Part 15 of FCC rules.

ZyWALL 10 Internet Security GatewayGetting to Know Your ZyWALL 1-1Chapter 1Getting to Know Your ZyWALLThis chapter introduces the main features and a

ZyWALL 10 Internet Security Gateway1-2 Getting to Know Your ZyWALLPPTP EncapsulationPoint-to-Point Tunneling Protocol (PPTP) is a network protocol tha

ZyWALL 10 Internet Security GatewayGetting to Know Your ZyWALL 1-3Full Network ManagementThis feature allows you to access the SMT (System Management

ZyWALL 10 Internet Security Gateway1-4 Getting to Know Your ZyWALLFigure 1-1 Secure Internet Access via CableFigure 1-2 Secure Internet Access via DSL

ZyWALL 10 Internet Security GatewayHardware Installation & Initial Setup 2-1Chapter 2Hardware Installation & Initial SetupThis chapter explai

ZyWALL 10 Internet Security Gateway2-2 Hardware Installation & Initial SetupLEDS FUNCTION INDICATORSTATUSACTIVE DESCRIPTIONOff The WAN Link is not

ZyWALL 10 Internet Security GatewayHardware Installation & Initial Setup 2-3console port of the ZyWALL and the other end (choice of 9-pin or 25-

ZyWALL 10 Internet Security Gateway2-4 Hardware Installation & Initial Setup3. A cable/xDSL modem and an ISP account.After the ZyWALL is properly

ZyWALL 10 Internet Security GatewayHardware Installation & Initial Setup 2-5Several operations that you should be familiar with before you attemp

ZyWALL 10 Internet Security Gatewayiv Canadian UsersInformation for Canadian UsersThe Industry Canada label identifies certified equipment. This certi

ZyWALL 10 Internet Security Gateway2-6 Hardware Installation & Initial Setup2.5.1 Main MenuAfter you enter the password, the SMT displays the ZyWA

ZyWALL 10 Internet Security GatewayHardware Installation & Initial Setup 2-72.5.2 System Management Terminal Interface SummaryTable 2-3 Main Men

ZyWALL 10 Internet Security Gateway2-8 Hardware Installation & Initial Setup2.5.3 SMT Menus at a GlanceFigure 2-6 SMT Menus at a Glance

ZyWALL 10 Internet Security GatewayHardware Installation & Initial Setup 2-92.6 Changing the System PasswordThe first thing you should do is cha

ZyWALL 10 Internet Security Gateway2-10 Hardware Installation & Initial SetupThe Domain Name entry is what is propagated to the DHCP clients on th

ZyWALL 10 Internet Security GatewayHardware Installation & Initial Setup 2-11Table 2-4 General Setup Menu FieldFIELD DESCRIPTION EXAMPLESystem Na

ZyWALL 10 Internet Security Gateway2-12 Hardware Installation & Initial SetupTable 2-5 Configure Dynamic DNS Menu FieldsFIELD DESCRIPTION EXAMPLES

ZyWALL 10 Internet Security GatewayHardware Installation & Initial Setup 2-13Figure 2-10 Menu 2 — WAN SetupThe MAC address field allows users to

ZyWALL 10 Internet Security Gateway2-14 Hardware Installation & Initial SetupFigure 2-11 Menu 3 — LAN Setup2.9.1 LAN Port Filter SetupThis menu a

ZyWALL 10 Internet Security GatewayInternet Access 3-1Chapter 3Internet AccessThis chapter shows you how to configure the LAN as well as the WAN of y

ZyWALL 10 Internet Security GatewayDeclaration of Conformity vDeclaration of ConformityWe, the Manufacturer/Importer,ZyXEL Communications Corp.No. 6,

ZyWALL 10 Internet Security Gateway3-2 Internet AccessExample of network properties for LAN servers with fixed IP addresses:Choose an IP address:192.1

ZyWALL 10 Internet Security GatewayInternet Access 3-3Internet addresses for your local networks. On the other hand, if you are part of a much larger

ZyWALL 10 Internet Security Gateway3-4 Internet AccessWAN interfaces using menus 3.2 (LAN) and 11.3 (WAN). Select None to disable IP Multicasting on t

ZyWALL 10 Internet Security GatewayInternet Access 3-5Figure 3-3 Menu 3 — LAN SetupFrom menu 3, select the submenu option TCP/IP and DHCP Setup and p

ZyWALL 10 Internet Security Gateway3-6 Internet AccessTable 3-1 DHCP Ethernet Setup Menu FieldsFIELD DESCRIPTION EXAMPLEDHCP This field enables/disabl

ZyWALL 10 Internet Security GatewayInternet Access 3-7FIELD DESCRIPTION EXAMPLEMulticast IGMP (Internet Group Multicast Protocol) is a session-layer

ZyWALL 10 Internet Security Gateway3-8 Internet AccessUse the instructions in the following table to configure IP Alias parameters.Table 3-3 IP Alias

ZyWALL 10 Internet Security GatewayInternet Access 3-9Figure 3-6 Menu 4 — Internet Access Setup (Ethernet)The following table describes this screen.T

ZyWALL 10 Internet Security Gateway3-10 Internet AccessFIELD DESCRIPTIONIP Address Enter the (fixed) IP address assigned to you by your ISP (Static IP

ZyWALL 10 Internet Security GatewayInternet Access 3-11Figure 3-7 Internet Access Setup (PPTP)The following table contains instructions about the new

ZyWALL 10 Internet Security Gatewayvi CE

ZyWALL 10 Internet Security Gateway3-12 Internet Accessknown as dynamic service selection. This enables the service provider to easily create and offe

ZyWALL 10 Internet Security GatewayInternet Access 3-133.4 Basic Setup CompleteWell done! You have successfully connected, installed and set up your

Advanced ApplicationsIIPart II: Advanced ApplicationsChapters 4 — 6 describe advanced applications including Remote Node Setup, IP Static routesand NA

ZyWALL 10 Internet Security GatewayRemote Node Setup 4-1Chapter 4Remote Node SetupThis chapter shows you how to configure a remote node.A remote node

ZyWALL 10 Internet Security Gateway4-2 Remote Node SetupTable 4-1 Fields in Menu 11.1FIELD DESCRIPTION EXAMPLERem Node Name Enter a descriptive name f

ZyWALL 10 Internet Security GatewayRemote Node Setup 4-3Once you have configured the Remote Node Profile Menu, press [ENTER] to return to menu 11.Pres

ZyWALL 10 Internet Security Gateway4-4 Remote Node SetupDo not specify a nailed-up connection unless your telephone company offers flat-rate service o

ZyWALL 10 Internet Security GatewayRemote Node Setup 4-5Figure 4-3 Menu 11.1 — Remote Node Profile for PPTP EncapsulationThe next table shows how to c

ZyWALL 10 Internet Security Gateway4-6 Remote Node Setup4.2 Editing TCP/IP Options (with Ethernet Encapsulation)Move the cursor to the Edit IP field

ZyWALL 10 Internet Security GatewayRemote Node Setup 4-7FIELD DESCRIPTION EXAMPLEPrivate This field is valid only for PPTP/PPPoE encapsulation. Thispa

ZyWALL 10 Internet Security GatewayZyXEL Limited Warranty viiZyXEL Limited WarrantyZyXEL warrants to the original end user (purchaser) that this produ

ZyWALL 10 Internet Security Gateway4-8 Remote Node SetupFigure 4-5 Menu 11.3 — Remote Node Network Layer OptionsThe next table gives you instructions

ZyWALL 10 Internet Security GatewayRemote Node Setup 4-9FIELD DESCRIPTION EXAMPLEnumber.Private This parameter determines if the ZyWALL will include t

ZyWALL 10 Internet Security Gateway4-10 Remote Node SetupFigure 4-6 Menu 11.5 — Remote Node Filter (Ethernet Encapsulation)Figure 4-7 Menu 11.5 — Remo

ZyWALL 10 Internet Security GatewayIP Static Route Setup 5-1Chapter 5IP Static Route SetupThis chapter shows you how to configure static routes with y

ZyWALL 10 Internet Security Gateway5-2 IP Static Route Setup5.1 IP Static Route SetupYou configure IP static routes in menu 12. 1, by selecting one o

ZyWALL 10 Internet Security GatewayIP Static Route Setup 5-3Table 5-1 IP Static Route Menu FieldsFIELD DESCRIPTIONRoute # This is the index number of

ZyWALL 10 Internet Security GatewayNAT 6-1Chapter 6Network Address Translation (NAT)This chapter discusses how to configure NAT on the ZyWALL.6.1 Intr

ZyWALL 10 Internet Security Gateway6-2 NATThe global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP. Inaddi

ZyWALL 10 Internet Security GatewayNAT 6-36.1.4 NAT Mapping TypesNAT supports five types of IP/port mapping. They are:1. One to One: In One-to-One

ZyWALL 10 Internet Security Gatewayviii Customer SupportCustomer SupportWhen you contact your customer support representative please have the followin

ZyWALL 10 Internet Security Gateway6-4 NATTYPE IP MAPPING SMT ABBREVIATIONServer Server 1 IP!" IGA1Server 2 IP!" IGA1Server 3 IP!" IGA1

ZyWALL 10 Internet Security GatewayNAT 6-5Figure 6-2 NAT Application6.2 SMT Menus6.2.1 Applying NAT in the SMT MenusYou apply NAT via menus 4 or 11.3

ZyWALL 10 Internet Security Gateway6-6 NATFigure 6-3 Menu 4 — Applying NAT for Internet AccessThe following figure shows how you apply NAT to the remo

ZyWALL 10 Internet Security GatewayNAT 6-7Table 6-3 Applying NAT in Menus 4 & 11.3FIELD OPTIONS DESCRIPTIONFull FeatureWhen you select this option

ZyWALL 10 Internet Security Gateway6-8 NATEnter 1 to bring up Menu 15.1 — Address Mapping Sets.Figure 6-6 Menu 15.1 — Address Mapping Sets1. NAT_SET i

ZyWALL 10 Internet Security GatewayNAT 6-9Table 6-4 SUA Address Mapping RulesFIELD DESCRIPTION EXAMPLESet Name This is the name of the set you selecte

ZyWALL 10 Internet Security Gateway6-10 NATFigure 6-8 Menu 15.1.1 — First SetThe Type, Local and Global Start/End IPs are configured in menu 15.1.1.1

ZyWALL 10 Internet Security GatewayNAT 6-11Table 6-5 Fields in Menu 15.1.1FIELD DESCRIPTION EXAMPLESet Name Enter a name for this set of rules. This i

ZyWALL 10 Internet Security Gateway6-12 NATThe following table describes the fields in this screen.Table 6-6 Menu 15.1.1.1 — Configuring an Individual

ZyWALL 10 Internet Security GatewayNAT 6-136.3.1 Multiple Servers behind NATIf you wish, you can make inside servers for different services, e.g., we

ZyWALL 10 Internet Security GatewayTable of Contents ixTable of ContentsCopyright...

ZyWALL 10 Internet Security Gateway6-14 NATStep 4. Press [ENTER] at the “Press ENTER to confirm …” prompt to save your configuration afteryou define

ZyWALL 10 Internet Security GatewayNAT 6-156.4 Examples6.4.1 Internet Access OnlyIn the following Internet access example, you only need one rule wher

ZyWALL 10 Internet Security Gateway6-16 NATthe Network Address Translation field in menus 4 and 11.3 is specifically pre-configured to handle thiscase

ZyWALL 10 Internet Security GatewayNAT 6-176.4.3 Example 3: General CaseIn this example, there are 3 IGAs from our ISP. There are many departments bu

ZyWALL 10 Internet Security Gateway6-18 NATStep 3. Enter 1 to configure the Address Mapping Sets.Step 4. Enter 1 to begin configuring this new set.

ZyWALL 10 Internet Security GatewayNAT 6-19When you have configured all four rules, Menu 15.1.1 should look as follows.Figure 6-19 Example 3: Final Me

ZyWALL 10 Internet Security Gateway6-20 NAT6.4.4 Example 4: NAT Unfriendly Application ProgramsSome applications do not support NAT Mapping using TCP

ZyWALL 10 Internet Security GatewayNAT 6-21Figure 6-22 Example 4: Menu 15.1.1.1 — Address Mapping RuleAfter you’ve configured your rule, you should be

Advanced ManagementIIIPart III: Advanced ManagementChapters 7 — 12 provides information on ZyWALL Filtering, SNMP Configuration, SystemInformation and