User Guide
Page 7
Contents Overview
Introduction and Registration ... 43
Getting to Know Your ZyWALL ... 45
Introducing the Web Configurator ... 49
Wizard Setup ... 67
Tutorials ... 87
Registration Screens ... 125
Network ... 129
LAN Screens ... 131
...
Certificates Screen ... 295
Authentication Server Screens ... 323
Advanced ... 329
Network Address Translation (NAT) Screens ... 331
Static Route Screens ... 347
Bandwidth Management Screens ... 351
DNS Screens ... 365
Remote Management Screens ... 377
UPnP Screens ... 397
Custom Application Screen ... 407
ALG Screen ... 409
Logs and Maintenance ... 415
Logs Screens ... 417
...
Page 8
...
... 509
IP Static Route Setup ... 519
Network Address Translation (NAT) ... 521
Introducing the ZyWALL Firewall ... 539
Filter Configuration ... 541
SNMP Configuration ... 557
System Information & Diagnosis ... 559
Firmware and Configuration File Maintenance ... 571
System Maintenance Menus 8 to 10 ... 587
Remote Management ... 595
Call Scheduling ... 599
Troubleshooting and Specifications ... 603
Troubleshooting ... 605
Product Specifications ... 613
...
Page 14
...
14.6.1 Telecommuters Sharing One VPN Rule Example ... 279
14.6.2 Telecommuters Using Unique VPN Rules Example ... 279
14.7 VPN and Remote Management ... 281
14.8 Hub-and-spoke VPN ... 281
14.8.1 Hub-and-spoke VPN Example ... 282
14.8.2 Hub-and-spoke ...
... 311
15.8 The Trusted CA Import Screen ... 313
15.9 The Trusted Remote Hosts Screen ... 314
15.10 The Trusted Remote Hosts Details Screen ... 315
15.11 The Trusted Remote Hosts Import Screen ... 318
15.12 The Directory Servers Screen ... 319
15.13 ...
Part IV: Advanced ... 329
Chapter 17 Network Address Translation (NAT) Screens ... 331
17.1 Overview ... 331
ZyWALL 2 Plus User's Guide
Page 16
...
...5 The DDNS Screen ... 373
Chapter 21 Remote Management Screens ... 377
21.1 Overview ... 377
21.1.1 What You Can Do in the Remote Management Screens ... 377
21.1.2 What You Need To Know About Remote Management ... 378
21.2 Remote Management Examples ... 379
21.2.1 HTTPS Example ... 379
...
... DNS Screen ... 393
21.9 The CNM Screen ... 394
21.9.1 Additional Configuration for Vantage CNM ... 395
21.10 Remote Management Technical Reference ... 396
Chapter 22 UPnP Screens ... 397
22.1 Overview ... 397
22.1.1 What You Can Do in the ...
... The Ports Screen ... 405
Chapter 23 Custom Application Screen ... 407
Page 22
... 588
42.2 Call Control Support ... 589
42.2.1 Budget Management ... 589
42.2.2 Call History ... 590
42.3 Time and Date Setting ... 591
Chapter 43 Remote Management ... 595
43.1 Remote Management ... 595
43.1.1 Remote Management Limitations ... 597
Chapter 44 Call Scheduling ... 599
44.1 ... Introduction to Call Scheduling ... 599
Part VII: Troubleshooting and Specifications ... 603
Chapter 45 Troubleshooting ... 605
45.1 Power, Hardware Connections, and LEDs ... 605
45.2 ZyWALL ...
Page 29
...
Figure 183 Telecommuters Using Unique VPN Rules Example ... 280
Figure 184 VPN for Remote Management Example ... 281
Figure 185 VPN Topologies ... 282
Figure 186 Hub-and-spoke VPN ...
...
Figure 191 IPSec High Availability ... 289
Figure 192 Virtual Mapping of Local and Remote Network IP Addresses ... 291
Figure 193 VPN: Transport and Tunnel Mode Encapsulation ...
...
... Import ... 314
Figure 206 SECURITY > CERTIFICATES > Trusted Remote Hosts ... 314
Figure 207 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details ... 316
Figure 208 SECURITY > CERTIFICATES > Trusted Remote Hosts > Import ... 318
Figure 209 SECURITY > CERTIFICATES ...
Page 30
...
... DNS > Cache ... 371
Figure 238 ADVANCED > DNS > DHCP ... 372
Figure 239 ADVANCED > DNS > DDNS ... 374
Figure 240 Secure and Insecure Remote Management From the WAN ... 377
Figure 241 Security Alert Dialog Box (Internet Explorer) ... 379
Figure 242 Security Certificate 1 (Netscape) ... 380
Figure 243 Security Certificate ...
...
Figure 244 Example: Lock Denoting a Secure Connection ... 381
Figure 245 Replace Certificate ... 382
Figure 246 Device-specific Certificate ... 382
Figure 247 Common ZyWALL Certificate ... 382
Figure 248 SSH Example 1: Store Host Key ... 383
Figure 249 SSH Example 2: Test ... 383
Figure 250 SSH Example 2: Log ...
Page 34
...
... 589
Figure 415 Budget Management ... 589
Figure 416 Call History ... 590
Figure 417 Menu 24: System Maintenance ... 591
Figure 418 Menu 24.10 System Maintenance: Time and Date Setting ... 592
Figure 419 Menu 24.11 - Remote Management Control ... 596
Figure 420 ... Schedule Setup ... 599
Figure 421 Schedule Set Setup ... 600
Figure 422 Applying Schedule Set(s) to a Remote Node (PPPoE) ... 601
Figure 423 Applying Schedule Set(s) to a Remote Node (PPTP) ... 602
Figure 424 Console/Dial Backup Cable DB-9 End Pin Layout ... 616
Figure 425 Wall-mounting Example ... 618
Page 40
...
... Logs ... 435
Table 141 PPP Logs ... 435
Table 142 UPnP Logs ... 435
Table 143 Content Filtering Logs ... 435
Table 144 Attack Logs ... 436
Table 145 Remote Management Logs ... 437
Table 146 IPSec Logs ... 438
Table 147 IKE Logs ... 438
Table 148 PKI Logs ... 441
Table 149 Certificate Path Verification Failure Reason Codes ...
...
... Summary ... 470
Table 165 SMT Menus Overview ... 471
Table 166 Menu 1: General Setup (Router Mode) ... 475
Table 167 Menu 1: General Setup (Bridge Mode) ... 476
Page 42
List of Tables
Table 211 Call History ... 591
Table 212 Menu 24.10 System Maintenance: Time and Date Setting ... 592
Table 213 Menu 24.11 - Remote Management Control ... 596
Table 214 Schedule Set Setup ... 600
Table 215 Hardware Specifications ... 613
Table 216 Firmware Specifications ... 613
Table 217 Feature and Performance Specifications ... 615
...
Table 230 24-bit Network Number Subnet Planning ... 651
Table 231 16-bit Network Number Subnet Planning ... 651
Table 232 Commonly Used Services ... 654
Page 46
Chapter 1 Getting to Know Your ZyWALL
Figure 1 Secure Internet Access ...
Figure 2 VPN Application
1.3 Ways to Manage the ZyWALL
Use any of the following methods to manage the ZyWALL.
• Web Configurator. This is recommended for everyday management of the ZyWALL using a (supported) web browser.
• Command Line Interface. ...
• FTP for firmware upgrades and configuration backup/restore.
• ...
• Vantage CNM (Centralized Network Management). The device can be remotely managed using a Vantage CNM server.
Page 59
... screen to change the LAN/DMZ/WLAN port roles on the ZyWALL.
Chapter 2 Introducing the Web Configurator
Table 5 Bridge and Router Mode Features Comparison

FEATURE                 BRIDGE MODE   ROUTER MODE
WLAN                                  Y
Firewall                Y             Y
Content Filter          Y             Y
VPN                     Y             Y
Certificates            Y             Y
Authentication Server   Y             Y
NAT                                   Y
Static Route                          Y
Bandwidth Management    Y             Y
DNS                                   Y
Remote Management       Y             Y
UPnP                                  Y
Custom APP              Y             Y
ALG                     Y             Y
Logs                    Y             Y
Maintenance             Y             Y

Table Key: A Y in ...
Page 207
... the LAN. You can specify which of the ZyWALL's interfaces will respond to Ping packets ... probing attempts.
Note: You also need to configure the remote management settings if you want to allow a WAN computer to manage the ZyWALL.
Note: You may also need to configure NAT port forwarding (or full featured NAT address mapping rules) if you want to allow the passage of ...
Page 215
... they apply.
Note: You can also configure the remote management settings to allow only a specific computer to manage the ZyWALL.
• LAN to WAN ...
• ... These rules specify which computers on the LAN can manage the ZyWALL (remote management) and communicate between networks or subnets connected to the LAN interface (IP alias).
By default, the ZyWALL allows packets traveling ...
... in the following sections:
• Packet Direction Examples ...
Page 216
... synchronization, from the LAN and going out through any of the ZyWALL's VPN tunnels.
For example, by default the From LAN ...
• Allow public access to ...
... traffic before encrypting it. You could configure the From DMZ To VPN default rule to set the ZyWALL to ...
Note: You also need to configure the remote management settings to allow a WAN computer to manage the ZyWALL.
Note: You also need to configure NAT port forwarding (or full featured NAT address mapping rules) to allow a WAN computer to ...
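The notes on pages 207, 215 and 216 all make the same point: a management connection from the WAN has to pass two independent checks, the firewall rule for its direction (WAN to ZyWALL) and the Remote Management setting for that service, which can be limited to one secured client address. The following model is an added example, not code from the ZyWALL guide or from ZyXEL; the zone names, default rules, ports and addresses are constructed for illustration, and it shows why opening only one of the two checks still leaves the device unmanageable from the WAN.

```python
"""Added example, not from the ZyWALL guide: a model of the two separate
checks a management packet from the WAN must pass on a ZyXEL-style firewall,
the firewall rule for its direction (WAN to ZyWALL) and the Remote Management
setting for that service (which interfaces may reach it, optionally limited
to one 'secured client' address). Zones, ports and addresses are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed default rules per packet direction. "ZyWALL" is the device itself.
DEFAULT_RULES = {
    ("LAN", "LAN"): "allow", ("LAN", "ZyWALL"): "allow", ("LAN", "WAN"): "allow",
    ("LAN", "VPN"): "allow", ("WAN", "LAN"): "deny", ("WAN", "DMZ"): "deny",
    ("WAN", "ZyWALL"): "deny", ("DMZ", "LAN"): "deny", ("DMZ", "ZyWALL"): "deny",
}

PLAINTEXT_SERVICES = {"TELNET", "HTTP", "FTP"}   # credentials cross the WAN in the clear


@dataclass(frozen=True)
class FirewallRule:
    from_zone: str
    to_zone: str
    dst_port: int
    action: str                 # "allow" or "deny"


@dataclass(frozen=True)
class RemoteMgmt:
    service: str                # e.g. "HTTPS", "SSH", "TELNET"
    port: int
    access: frozenset           # interfaces that may reach the service; empty = disabled
    secured_client: Optional[str] = None   # None = any client address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int
    from_zone: str
    to_zone: str


def firewall_decision(pkt, rules=()):
    """Explicit rules are matched first; otherwise the default for the direction."""
    for r in rules:
        if (r.from_zone, r.to_zone, r.dst_port) == (pkt.from_zone, pkt.to_zone, pkt.dst_port):
            return r.action
    return DEFAULT_RULES.get((pkt.from_zone, pkt.to_zone), "deny")


def remote_mgmt_decision(pkt, services):
    """Checked independently of the firewall: the service must be enabled on the
    arriving interface and, if a secured client is set, the source must match."""
    svc = next((s for s in services if s.port == pkt.dst_port), None)
    if svc is None:
        return "no-such-service"
    if pkt.from_zone not in svc.access:
        return "deny: %s not allowed on %s" % (svc.service, pkt.from_zone)
    if svc.secured_client is not None and pkt.src_ip != svc.secured_client:
        return "deny: not the secured client"
    return "allow"


def management_allowed(pkt, services, rules=()):
    """Both checks must pass; either one alone denies."""
    return (firewall_decision(pkt, rules) == "allow"
            and remote_mgmt_decision(pkt, services) == "allow")


def weak_wan_services(services):
    """Services reachable from the WAN that send credentials unencrypted."""
    return sorted(s.service for s in services
                  if "WAN" in s.access and s.service in PLAINTEXT_SERVICES)


def demo():
    https = RemoteMgmt("HTTPS", 443, frozenset({"LAN"}))
    pkt = Packet("203.0.113.7", 443, "WAN", "ZyWALL")
    # 1. Nothing configured for the WAN: the default WAN->ZyWALL rule denies.
    step1 = management_allowed(pkt, [https])
    # 2. Firewall opened for 443 from WAN, but HTTPS is still LAN-only.
    open_443 = FirewallRule("WAN", "ZyWALL", 443, "allow")
    step2 = management_allowed(pkt, [https], [open_443])
    # 3. HTTPS enabled on WAN and limited to one secured client address.
    https_wan = RemoteMgmt("HTTPS", 443, frozenset({"LAN", "WAN"}), secured_client="203.0.113.7")
    step3 = management_allowed(pkt, [https_wan], [open_443])
    # 4. A different WAN host against the same configuration.
    other = Packet("198.51.100.9", 443, "WAN", "ZyWALL")
    step4 = management_allowed(other, [https_wan], [open_443])
    return step1, step2, step3, step4
```

Run `demo()` and only the third case returns True: the firewall rule alone (case 2) is not enough, and the secured-client address turns a WAN-exposed management service into one reachable from a single known host. `weak_wan_services` is the check to run before enabling Telnet, HTTP or FTP management on the WAN, which Figure 240 of the guide contrasts with the secure alternatives.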
Page 218
... in the same subnet as ...
... the connection has not been acknowledged.
... VPN traffic destined for ... remote management) or goes out through the ZyWALL.
You can use IP alias instead of ... asymmetrical route topology on the ...
... This allows the ZyWALL to partition your network into logical sections over the same interface.
Page 281
... In the second (hub-and-spoke) approach, there is a VPN connection between each spoke router and the hub ...
You also have to configure remote management (REMOTE MGMT) to allow management access for the service through a VPN tunnel ... to manage the ZyWALL.
Chapter 14 IPSec VPN Screens
Table 74 Telecommuters Using Unique VPN Rules Example
TELECOMMUTERS                          HEADQUARTERS
Telecommuter C (telecommuterc.dydns.org) ...
Page 292
... perform a new DH key exchange every time an IPSec SA is ...
... AH ... is similar to ... verify the integrity of ...
... the computer behind the ZyWALL or remote IPSec router, whichever is the destination ...
... an IKE SA proposal (see Section 14.9 on the active protocol) ...
With AH, the ZyWALL includes part of the original IP header when it encapsulates the packet. With ESP, however, the ZyWALL does not include the IP header when it encapsulates the packet. As a result, ... it is not possible to ...
... the header ... for remote management), not between the IP headers ...
• Inside header: The inside IP header ...
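The AH/ESP distinction above (AH covers part of the original IP header, ESP does not) is easiest to see by building both encapsulations and then doing to them what a NAT on the path would do. The following is an added example, not code from the ZyWALL guide or from ZyXEL, and it is a deliberately reduced model: real AH and ESP carry an SPI, a sequence number and (for ESP) encryption and padding, none of which are needed to show which bytes the integrity check covers. The key and addresses are constructed.

```python
"""Added example, not from the ZyWALL guide: toy tunnel-mode AH and ESP
encapsulation with HMAC-SHA256 integrity, showing that AH's check covers the
immutable fields of the outer IP header while ESP's covers only what it
encapsulates. Rewriting the outer source address (what a NAT does) therefore
breaks AH verification but not ESP's. SPI, sequence numbers and encryption
are omitted; the key and addresses are constructed."""
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-shared-key"   # in practice negotiated by IKE, not fixed
ICV_LEN = 32                      # HMAC-SHA256 output


def ip_header(src, dst, proto, ttl=64):
    """Minimal 20-byte IPv4 header; length and checksum left zero for the model."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def immutable(hdr):
    """AH zeroes the mutable fields (ToS, flags/fragment, TTL, checksum)
    before computing the ICV, so normal forwarding does not break it."""
    b = bytearray(hdr)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)


def ah_encapsulate(inner, outer_src, outer_dst):
    outer = ip_header(outer_src, outer_dst, 51)   # IP protocol 51 = AH
    icv = hmac.new(KEY, immutable(outer) + inner, hashlib.sha256).digest()
    return outer + icv + inner


def ah_verify(pkt):
    outer, icv, inner = pkt[:20], pkt[20:20 + ICV_LEN], pkt[20 + ICV_LEN:]
    expected = hmac.new(KEY, immutable(outer) + inner, hashlib.sha256).digest()
    return hmac.compare_digest(icv, expected)


def esp_encapsulate(inner, outer_src, outer_dst):
    outer = ip_header(outer_src, outer_dst, 50)   # IP protocol 50 = ESP
    # Encryption omitted: the point is integrity coverage, not confidentiality.
    icv = hmac.new(KEY, inner, hashlib.sha256).digest()
    return outer + inner + icv


def esp_verify(pkt):
    body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()
    return hmac.compare_digest(icv, expected)


def nat_rewrite_src(pkt, new_src):
    """A NAT on the path rewrites the outer source address (bytes 12..15)."""
    return pkt[:12] + socket.inet_aton(new_src) + pkt[16:]


def router_hop(pkt):
    """An ordinary router decrements the outer TTL (byte 8), a mutable field."""
    return pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]


def tamper_inner(pkt, offset=30):
    """Flip one byte inside the encapsulated packet."""
    return pkt[:offset] + bytes([pkt[offset] ^ 0xFF]) + pkt[offset + 1:]


def demo():
    # Inner packet: a host behind one IPSec router talking to a host behind the other.
    inner = ip_header("192.168.1.10", "10.0.0.5", 6) + b"constructed payload"
    ah = ah_encapsulate(inner, "203.0.113.1", "198.51.100.1")
    esp = esp_encapsulate(inner, "203.0.113.1", "198.51.100.1")
    return {
        "ah_ok": ah_verify(ah),
        "esp_ok": esp_verify(esp),
        "ah_after_hop": ah_verify(router_hop(ah)),          # TTL is mutable: still fine
        "ah_after_nat": ah_verify(nat_rewrite_src(ah, "203.0.113.99")),
        "esp_after_nat": esp_verify(nat_rewrite_src(esp, "203.0.113.99")),
        "esp_inner_tampered": esp_verify(tamper_inner(esp)),
        "ah_inner_tampered": ah_verify(tamper_inner(ah, offset=60)),
    }
```

The two results that matter are `ah_after_nat` (False) and `esp_after_nat` (True): AH binds the outer source address and so cannot cross a NAT, while ESP survives the rewrite precisely because, as the guide says, it does not include the IP header, which also means ESP on its own cannot vouch for the outer source address. Both detect modification of the encapsulated packet.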
Page 329
PART IV Advanced Network Address Translation (NAT) Screens (331) Static Route Screens (347) Bandwidth Management Screens (351) DNS Screens (365) Remote Management Screens (377) UPnP Screens (397) ALG Screen (409) 329
Page 337
... You assign the LAN IP addresses and the ISP assigns the WAN IP address.
Figure 216 Multiple Servers Behind NAT Example
Port Translation
The ZyWALL can use port translation with port forwarding ... multiple servers ... on page 653 ...
17.4.1 Configuring Servers Behind Port Forwarding ...
... when you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example) and ... to another (B in the example) ... 192.168.1.35 ...
The ZyWALL provides the additional safety of ... for connecting your publicly accessible servers. This makes the LAN more secure ... coming from your publicly accessible servers.
... the remote management setup ...
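The port forwarding scenario above (ports 21-25 to one server, port 80 to another, a default server for everything else, with optional port translation) is the kind of table that is worth modelling before it goes on a device, because the usual mistakes are overlapping ranges and a forwarded port that is also a management port on the WAN. The following is an added example, not code from the ZyWALL guide or from ZyXEL; apart from the default server address 192.168.1.35 quoted in the guide, the server addresses, the translated 8080 rule and the management ports are constructed. It generalises the page's scenario to arbitrary rule sets.

```python
"""Added example, not from the ZyWALL guide: a model of NAT port forwarding
with port translation and a default server. Server addresses other than the
default server (192.168.1.35, quoted in the guide), the translated rule and
the management ports are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ForwardRule:
    name: str
    start_port: int            # public (WAN) port range, inclusive
    end_port: int
    server_ip: str
    translate_start: Optional[int] = None   # port translation: start_port maps to this internal port

    def internal_port(self, public_port: int) -> int:
        base = self.start_port if self.translate_start is None else self.translate_start
        return base + (public_port - self.start_port)


class NatTable:
    def __init__(self, rules: List[ForwardRule], default_server: Optional[str] = None):
        for r in rules:
            if r.start_port > r.end_port or not (1 <= r.start_port and r.end_port <= 65535):
                raise ValueError("bad port range in rule %s" % r.name)
        # Two rules claiming the same public port would make delivery ambiguous.
        for i, a in enumerate(rules):
            for b in rules[i + 1:]:
                if a.start_port <= b.end_port and b.start_port <= a.end_port:
                    raise ValueError("overlapping rules: %s and %s" % (a.name, b.name))
        self.rules = list(rules)
        self.default_server = default_server

    def lookup(self, public_port: int) -> Optional[Tuple[str, int]]:
        """Where an inbound WAN packet to public_port is delivered, if anywhere."""
        for r in self.rules:
            if r.start_port <= public_port <= r.end_port:
                return r.server_ip, r.internal_port(public_port)
        if self.default_server is not None:
            return self.default_server, public_port   # default server: no translation
        return None

    def management_collisions(self, wan_mgmt_ports) -> List[str]:
        """Rules whose public range covers a port on which a remote-management
        service is enabled on the WAN. Such a port is claimed both by an internal
        host and by the device itself, so the rule needs review."""
        return sorted(r.name for r in self.rules
                      if any(r.start_port <= p <= r.end_port for p in wan_mgmt_ports))


def build_example() -> NatTable:
    """The guide's scenario plus one constructed port-translation rule."""
    return NatTable(
        rules=[
            ForwardRule("A: FTP/Telnet/SMTP", 21, 25, "192.168.1.33"),
            ForwardRule("B: HTTP", 80, 80, "192.168.1.34"),
            ForwardRule("B: HTTP via 8080", 8080, 8080, "192.168.1.34", translate_start=80),
        ],
        default_server="192.168.1.35",
    )


def overlap_rejected() -> bool:
    """A second rule covering port 22 must be refused, not silently shadowed."""
    try:
        NatTable([ForwardRule("A", 21, 25, "192.168.1.33"),
                  ForwardRule("SSH", 22, 22, "192.168.1.40")])
    except ValueError:
        return True
    return False
```

Note what the default server does to the table: any WAN port not covered by a rule reaches 192.168.1.35, so a default server is effectively a forward of every remaining port, which is worth weighing before using one on a LAN you want to keep separated from your public servers.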