ZyXEL ZyWALL 2WG User's Manual
Contents
1. [Dial-up call detail record output from the SMT, garbled in extraction: board 0, line 0, channel 1, call 1, Outgoing Call Connected at 115200, dated 2006-11-17.] If the dial-up succeeds, you can see the GUI home page as shown below. You will get the "WAN2 connection is up" and 3G card signal strength messages in the Latest Alerts.
   [Screenshot: HOME page. System Information: Model ZyWALL 2WG, Bootbase Version, Firmware Version, Device Mode Router, Firewall Disabled; Security Services: Content Filter expiration date, License Inactive. 3G WAN Interface Status: 3G Connection Status Idle, UMTS, Service Provider Chunghwa Telecom, Signal Strength 35, Connection Up Time, Tx Bytes 726, Rx Bytes 1253, 3G Card Manufacturer Sierra Wireless Inc, 3G Card Model, 3G Card Firmware Revision, SIM Card. Interface status: WAN1 up (DHCP client, 100M Half), WAN2 Idle, Dial Backup Down. Latest Alerts: 2006-11-17 10:43:37 WAN1 connection is up; 2006-11-17 10:42:33 WAN2 connection is up.]
2. To use xAuth for authentication, enable Extended Authentication while configuring the VPN Gateway Policy, and select Server Mode on the VPN concentrator. Two kinds of user identification (username/password) database can be used for authentication: Local User and RADIUS. Note that Local User is checked first, then RADIUS, if both exist.
   All contents copyright (c) 2006 ZyXEL Communications Corporation. ZyXEL ZyWALL 2WG Support Notes.
   [Screenshot: Extended Authentication set to Local User; AUTH SERVER page with Local User Database and RADIUS, Server IP Address 192.168.100.50.]
   When external RADIUS is selected, enter the service IP address of the external RADIUS server and the shared key, which must also be configured on the RADIUS server. The default UDP port number for RADIUS is 1812; if the RADIUS server uses a different port number, configure it accordingly.
   ZyXEL VPN Client to ZyWALL Tunneling: 1. Set up the ZyWALL VPN Client; 2. Set up the ZyWALL. This page guides us through setting up a VPN connection between the VPN software and the ZyWALL router. There are several devices to set up in this case: the VPN software and the ZyWALL router. As shown in the figure below, the tunnel between PC 2 and the ZyWALL ensures th
3. [Screenshot: Star Community Properties (CheckPoint-ZyWALL), Advanced Settings > Shared Secret: Peer Name ToZyWALL, Shared Secret.] 34. Enter the secret key in the text box and then press the OK button. [Screenshot: Insert Secret dialog, Enter secret: 12345678.] 35. On the Advanced VPN Properties settings, choose Group 1 for the Diffie-Hellman settings. [Screenshot: Star Community Properties (CheckPoint-ZyWALL), Advanced VPN Properties: IKE (Phase 1): Use Diffie-Hellman group Group 1 (768 bit), Use aggressive mode, Renegotiate IKE security associations every N seconds; IPsec (Phase 2): Use Perfect Forward Secrecy, Use Diffie-Hellman group Group 2 (1024 bit), Renegotiate IPsec security associations every N seconds, Support IP compression; NAT: Disable NAT inside the VPN community.] 36. Press the OK button to save your settings. [Screenshot: Star Community Properties (CheckPoint-ZyWALL) tree: General, Center Gateways, Satellite Gateways, VPN Properties, Tunnel Management, Advanced Settings (VPN Routing, MEP (Multiple Entry Point), Excluded Services, Shared Secret, Advanced VPN Properties, Wire Mode); Wire Mode: Bypass the Firewall.]
4. [Screenshot: Phase 1 advanced settings: Enable as Client / Enable as Server, NAT traversal Enable, Keepalive Frequency (0-900 seconds), Dead Peer Detection Enable, OK / Cancel.] 6. After you press the OK button, you will see a Phase 1 rule on this page. [Screenshot: VPN > IPSec > Phase 1 list (tabs Phase 1, Phase 2, Manual Key, Concentrator, Ping Generator, Monitor): Name ToZyWALL, Gateway IP 172.22.1.147, Mode Main, Encryption DES, Algorithm MD5.] 7. To edit your IPSec rule (phase 2), click VPN > IPSec > Phase 2 and then press the Create New button to edit your IPSec rules. [Screenshot: Phase 2 list columns: Tunnel Name, Remote Gateway, Lifetime (sec/kb), Status, Timeout.] 8. Give a name for your VPN, for example ToZyWALL IPSec, and choose the ToZyWALL policy rule for your Remote Gateway. Then press the Advanced button to edit the advanced settings. [Screenshot: New VPN Tunnel: Tunnel Name ToZyWALL IPSec, Remote Gateway ToZyWALL.] 9. On the P2 Proposal settings, select Encryption DES and Authentication SHA1, and also press the delete button to remove the second P2 proposal rule. [Screenshot: P2 Proposal 1: Encryption DES, Authentication SHA1; P2 Proposal 2: Encryption 3DES, Authentication MD5; Enable replay detection.] 10. To uncheck the Enable perfect forward secrecy (PFS)
5. Here are some rules to follow for the Authentication Key: 3. The pre-shared key must be configured identically on both entities. 4. The Local ID Type & Content of the local ZyWALL must be the same as the Peer ID Type & Content of the peer VPN gateway. 5. When IP is selected as the ID Type, the Content must be in the format X.X.X.X, e.g. 210.242.82.70. 6. When DNS or E-mail is selected as the ID Type, the same string must be configured on both entities. [Screenshot: VPN rule ID Type / Content settings.] Note: 1. If the ID Type is mis-configured on the Local/Remote IPSec Gateway, the ZyWALL will show a NOTFY ERR_ID_INFO error message in the related IKE log. 2. If the Pre-shared Key or ID Content is mis-configured on the Local/Remote IPSec Gateway, the ZyWALL will show a NOTFY ERR_ID_INFO error message in the related IKE log.
   Using VPN routing between branches: 1. Set up VPN in Branch Office A; 2. Set up VPN in Branch Office B; 3. Set up VPN in Headquarters. This page guides us through setting up VPN routing between branch offices through headquarters, so that whenever branch office A wants to talk to branch office B, headquarters acts as a VPN relay. Users benefit from such a deployment when the number of branch offices is very large, because no additional VPN tunnels between branch offices are needed. In this support note we skip the detailed configuration steps for I
6. [Screenshot: Device > Registration wizard: How do you want to register these new devices? Manually Add / Import from an XML batch registration file.] You can register (add) as many devices as you wish at one time by importing an XML file into Vantage. In the XML file you need to define: 1. device type; 2. device name; 3. the device's LAN MAC address. The XML file can be used for mass deployment. The user can assign a device owner or leave it to the owner of the folder. [Screenshot: Device > Registration, Welcome to the Device Registration Wizard: Would you like to associate a device owner with these new devices now?] Step 3: Input the MAC address of the device's LAN interface, give this device a name, select the corresponding Device Type, and press Finish. [Screenshot: Device Registration Wizard (Manual), Please enter the following device information: MAC (Hex), Name ZyWALL70, Device Type ZyWALL70; Set Vantage CNM configuration to device / Get configuration from the device; Encryption Methods None.] Note that if the ZyWALL has already been deployed and configured and you want to retrieve the configuration from the device, select the option Get configuration from the device. Otherwise you can use Set Vantage CNM configuration to device to overwrite the existing configura
7. [Screenshot: Interface Properties, General tab: Name, IP Address, Net Mask 255.255.255.0. Note: the interface name must exactly match the name the operating system uses for this interface; see help for further information.] 18. Click the Topology tab, choose Internal (leads to the local network) and Network defined by the interface IP and Net Mask for the interface, then press the OK button to save the settings. [Screenshot: Interface Properties, Topology tab: External (leads out to the internet) / Internal (leads to the local network); IP Addresses behind this interface: Not Defined / Network defined by the interface IP and Net Mask / Specific; Anti-Spoofing: Perform Anti-Spoofing based on interface topology, Don't check packets from; Spoof Tracking: None / Log / Alert.] 19. Press the OK button to save the settings. [Screenshot: Interoperable Device ToZyWALL, Topology: interface 172.22.11.236 / 255.255.0.0, External; VPN Domain: All IP Addresses behind Gateway based on Topology information / Manually defined.] III. Setup Networks
8. 1. Ping the local gateway. 2. Ping the IPSec Remote Gateway. 3. Ping the remote host, by its virtual IP address, that is located on the remote network. [Screenshot: Windows command prompt, reconstructed from the extraction:]
       C:\Documents and Settings\Kex Lee>ping 172.16.1.1          (Ping local gateway)
       Pinging 172.16.1.1 with 32 bytes of data:
       Reply from 172.16.1.1: bytes=32 time<1ms TTL=254
       Reply from 172.16.1.1: bytes=32 time<1ms TTL=254
       Reply from 172.16.1.1: bytes=32 time<1ms TTL=254
       Reply from 172.16.1.1: bytes=32 time<1ms TTL=254
       Ping statistics for 172.16.1.1:
           Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
       Approximate round trip times in milli-seconds:
           Minimum = 0ms, Maximum = 0ms, Average = 0ms

       C:\Documents and Settings\Kex Lee>ping 172.16.3.1          (Ping IPSec Remote Gateway, virtual IP address)
       Pinging 172.16.3.1 with 32 bytes of data:
       Reply from 172.16.3.1: bytes=32 time=2ms TTL=253
       Reply from 172.16.3.1: bytes=32 time=2ms TTL=253
       Reply from 172.16.3.1: bytes=32 time=2ms TTL=253
       Reply from 172.16.3.1: bytes=32 time=2ms TTL=253
       Ping statistics for 172.16.3.1:
           Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
       Approximate round trip times in milli-seconds:
           Minimum = 2ms, Maximum = 2ms, Average = 2ms

       C:\Documents and Settings\Kex Lee>ping 172.16.3.58         (Ping remote computer that is located on the remote network; this is a virtual IP address, the original IP address is 172.16.1.50)
       Pinging 172.16.3.58 with 32 bytes of data:
       Reply from 172.16
9. 3. In Message to display when a site is blocked, you can input text, say "Website Blocking", to remind users that the website they are trying to access is blocked. You can also input a URL in the Redirect URL field, for example www.zyxel.com, to redirect the original URL to this redirect URL. 4. In Exempt Computers, we can select "Exclude specified address ranges from the content filter enforcement" so that content filter policies are NOT applied to the specified IP address ranges. For example, if the CEO's computer, which is assigned IP address 192.168.10.200, must NOT be filtered by the CF engine, the IT staff can add the IP address 192.168.10.200 to the list to meet this exclusion requirement. 5. Click the Apply button to save the settings. [Screenshot: SECURITY > CONTENT FILTER > General (tabs General, Categories, Customization, Cache): General Setup: Enable Content Filter; Restrict Web Features: Block ActiveX, Java Applet, Cookies; Schedule to Block: Always Block / Block From; Message to display when a site is blocked: Denied Access Message "Website Blocking", Redirect URL www.zyxel.com; Exempt Computers.]
10. [Screenshot: community properties: Accept all encrypted traffic (Note: the rule applies for all Internally Managed community members); Log Traffic as defined in Global Properties.] 26. On the Center Gateways settings, press the Add button to add a center gateway. [Screenshot: Star Community Properties (CheckPoint-ZyWALL), Center Gateways: "All the connections between the Gateways below and the Satellite Gateways will be encrypted"; Participant Gateways: Add / Edit / Remove; Mesh center gateways.] 27. If you have already completed the previous settings, you should see a central gateway here. Select the gateway and then press the OK button. [Screenshot: Add Center Gateways. The candidates must be defined as: 1. VPN installed; 2. a supported version and above (only for internally managed); 3. Host, Gateway, Gateway Cluster or Interoperable Device. OK / Cancel / Help.] 28. On the Satellite Gateways settings, press the Add button to add a remote gateway. [Screenshot: Star Community Properties (CheckPoint-ZyWALL), Satellite Gateways: "All the connections between the Gateways below and the Center Gateways will be encrypted"; Participant Gateways: Add / Edit / Remove.]
11. It is usually a static IP, so that we can pre-configure it in the ZyWALL for making VPN connections. If it is a dynamic IP given by the ISP, you can still configure this IP address after the remote ZyWALL is online and its WAN IP is available from the ISP. F18: Does ZyWALL support a dynamic secure gateway IP? If the remote VPN gateway uses a dynamic IP, we enter 0.0.0.0 as the Secure Gateway IP Address in the ZyWALL. In this case the VPN connection can only be initiated from the dynamic side to the fixed side, in order to update its dynamic IP to the fixed side. However, if both gateways use dynamic IP addresses, there is no way to establish a VPN connection at all. F19: Which VPN gateways have been tested successfully with ZyWALL? We have tested ZyWALL successfully with the following third-party VPN gateways: Cisco 1720 Router (IOS 12.2(2)XH, IP/ADSL/FW/IDS PLUS IPSEC 3DES); NetScreen 5 (ScreenOS 2.6.0r6); SonicWALL SOHO 2; WatchGuard Firebox II; ZyXEL ZyWALL 100; Avaya VPN; Netopia VPN; IN VPN. F20: Which VPN software has been tested successfully with ZyWALL? We have tested ZyWALL successfully with the following third-party VPN software: SafeNet Soft-PK 3DES edition; Checkpoint Software; SSH Sentinel 1.4; SecGo IPSec for Windows; F-Secure IPSec for Windows; KAME IPSec for UNIX; Nortel IPSec for UNIX; Intel VPN v.6.90; FreeS/WAN for Linux; SSH Remote ISAKMP Testing Page (http://isakmp-test.ssh.fi/cgi-bin/nph-isakmp-test); Windows 2000 / Windows XP IPSec.
12. [Screenshot: NetScreen Policies (From All zones To All zones, list 20 per page) before reordering:]
       From Trust To Untrust (total policy: 2)
         ID 1: Source LAN, Destination Any, Service ANY
         ID 3: Source 192.168.1.0/255.255.255.0, Destination 192.168.2.0/255.255.255.0, Service ANY
       From Untrust To Trust (total policy: 2)
         ID 2: Source Any, Destination LAN, Service ANY
         ID 4: Source 192.168.2.0/255.255.255.0, Destination 192.168.1.0/255.255.255.0, Service ANY
    18. Move your policy rules to the top, so that your device checks them first. [Screenshot: the same policy lists with ID 3 above ID 1 and ID 4 above ID 2.] 19. Click VPNs > Monitor Status; this page displays a table that lists all the VPN groups configured on the NetScreen device. You can check the link states to know whether your VPN tunnel is up or down. [Screenshot: VPNs > Monitor Status (ns5gt), Show All: columns VPN Name, SA ID, Policy ID, Peer Gateway IP ...]
13. Personals & Dating; Political/Activist Groups; Real Estate; Reference; Religion; Restaurants/Dining/Food; Search Engines and Portals; Shopping; Society & Lifestyle; Software Downloads; Sports/Recreation/Hobbies; Streaming Media/MP3; Travel; Vehicles; Web Advertisements; Web Communications; Web Hosting. E24: How does ZyXEL content filtering handle dynamically generated sites? We use BlueCoat's Dynamic Real-Time Rating service to accurately categorize dynamic content. Because BlueCoat provides Dynamic Real-Time Rating technology, most dynamic sites receive the correct rating. BlueCoat's database continually reviews the ratings of stored URLs to ensure that the content has not changed. E25: Does BlueCoat have more than one data center? Is the BlueCoat Web Filter geographically load-balanced? Yes, BlueCoat provides several geographically distributed data centers to meet the demand of users around the world. E26: Who can generate and view reports on the BlueCoat web site? Anyone with the administration username and password can view and generate reports. E27: How can I get a Content Filtering report? You can get a report for content filtering by clicking the Register button in the ZyXEL appliance's web GUI; you will then be redirected to the http://myZyXEL.com web server. By clicking Content Filter
14. Set this field to SUA Only if you want all clients to share one IP to the Internet. Step 2: Configuring NAT Address Mapping. To configure NAT, go to ADVANCED > NAT > Address Mapping. [Screenshot: NAT (tabs NAT Overview, Port Forwarding, Port Triggering, Address Mapping): SUA Only / Full Feature; Address Mapping Rules table with columns Local Start IP, Local End IP, Global Start IP, Global End IP, Type, Modify.] Step 3: Using multiple global IP addresses for clients and servers (One-to-One, Many-to-One and Server set mapping types). [Figure: General Server 192.168.1.20, Other Clients 192.168.1.x, FTP Server 1 192.168.1.10, FTP Server 2 192.168.1.11; 3 IGAs assigned by the ISP.] In this case we have 3 IGAs (IGA1, IGA2 and IGA3) from the ISP. We have two very busy internal FTP servers and also an internal general server for web and mail. We want to assign the 3 IGAs in the following way, using 4 NAT rules: Rule 1: One-to-One type, to map FTP Server 1 with ILA1 (192.168.1.10) to IGA1 (200.1.1.1). Rule 2: One-to-One type, to map FTP Server 2 with ILA2 (192.168.1.11) to IGA2 (200.1.1.2). Rule 3: Many-to-One type, to map the other clients to IGA3 (200.1.1.3). Rule 4: Server type, to map a web server and mail server with ILA
15. F28: Single, Range, Subnet: which types of IP address does ZyWALL support in VPN/IPSec? All ZyWALL series support single, range and subnet configuration for VPN/IPSec. In other words, you can specify a single PC, a range of PCs, or even a network of PCs to utilize the VPN/IPSec service. F29: Does ZyWALL support IPSec pass-through? Yes, ZyWALL can support IPSec pass-through. The ZyWALL series does not only act as an IPSec VPN gateway; it can also be a NAT router supporting IPSec pass-through. If the VPN connection is initiated from the security gateway behind the ZyWALL, no configuration is necessary for either NAT or Firewall. If the VPN connection is initiated from the security gateway outside the ZyWALL, NAT port forwarding and Firewall forwarding are necessary. To configure NAT port forwarding, go to the web interface, Setup > NAT, and put the secure gateway's IP address in Default Server. To configure Firewall forwarding, go to the web interface, Setup > Firewall, select Packet Direction WAN to LAN, and create a firewall rule that forwards IKE (UDP 500). F30: Can ZyWALL behave as a NAT router supporting IPSec pass-through and as an IPSec gateway simultaneously? No, ZyWALL can't support both simultaneously; you need to choose one. If the ZyWALL is to support IPSec pass-through, you have to disable the VPN function on the ZyWALL. To disable it, you can either deactivate each VPN rule or issue the CI command IPSec switc
16. 1. Display and share ZyWALL security information, including AV/IDP policy, advisories and resources. 2. Search detailed ZyWALL product information, including AV/IDP policy, advisories and resources. 3. Receive ZyWALL advisory news by email. D08: What is the Update Server? The Update Server is designed to serve AV/IDP security service subscribers, to assure that their device is up to date and so capable of handling the latest threats from the Internet. When a ZyWALL device is scheduled to download the AV/IDP signature pack, the download request is directed to the Update Server. The Update Server is hosted by ZyXEL, and its capacity is precisely calculated. After taking the following factors into consideration (bandwidth consumption, availability, geographical distribution of subscribers), we decided to build the Update Server in IDCs in a globally distributed architecture, plus a 24x7 monitoring mechanism. This fully assures the maximum quality of service for all security service subscribers. D09: Who maintains mySecurityZone and the Update Server? They are maintained by the ZyXEL Security Response Team (ZSRT), which manages backend support from the moment an outbreak happens, through attack sample collection and analysis, to producing a policy and finally an advisory as the solution. ZSRT is formed as a group of security experts. D10: What's the URL for these serv
17. 20. On Local Network, choose Subnet Address for your Address Type. Starting IP Address and Ending IP Address/Subnet are your local site LAN IP addresses. In this example you should type 192.168.1.0 in the Starting IP Address field and then 255.255.255.0 in the Ending IP Address/Subnet field. [Screenshot: Local Network: Address Type Subnet Address, Starting IP Address 192.168.1.0, Ending IP Address/Subnet 255.255.255.0, Local Port Start 0 End 0.] 21. On Remote Network, choose Subnet Address for your Address Type. Starting IP Address and Ending IP Address/Subnet are your remote site LAN IP addresses. In this example you should type 192.168.168.0 in the Starting IP Address field and then 255.255.255.0 in the Ending IP Address/Subnet field. [Screenshot: Remote Network: Address Type Subnet Address, Starting IP Address 192.168.168.0, Ending IP Address/Subnet Mask 255.255.255.0, Remote Port Start 0 End 0.] 22. On IPSec Proposal, select Encapsulation Mode Tunnel, Active Protocol ESP, Encryption Algorithm DES and Authentication Algorithm SHA1, and then press the Apply button on this page. [Screenshot: IPSec Proposal.] 23. When you have finished your settings, you will see the following page. [Screenshot: VPN Rules, Manual SA, Monitor, Global Se
18. [Screenshot: Interface Properties, Topology tab: Network defined by the interface IP and Net Mask / Specific; Anti-Spoofing: Perform Anti-Spoofing based on interface topology, Don't check packets from; Spoof Tracking: None / Log / Alert.] 9. Select the 192.168.2.0 interface and press the Edit button to check its settings. Click the Topology tab, choose Internal (leads to the local network) and Network defined by the interface IP and Net Mask for the interface, then press the OK button to save the settings. [Screenshot: Interface Properties, Topology tab: External (leads out to the internet) / Internal; IP Addresses behind this interface: Not Defined / Network defined by the interface IP and Net Mask / Specific; Anti-Spoofing: Perform Anti-Spoofing based on interface topology, Don't check packets from; Spoof Tracking: None / Log / Alert.] II. Setup Interoperable Device (IPSec Tunnel). 10. On the main menu, click Manage > Network Objects. [Screenshot: Check Point SmartDashboard (localhost, Standard): menu bar File, Edit, View, Manage, Rules, Policy, SmartMap, Search, Window, Help; Manage menu: Network Objects, Resources, Servers and OPSEC Applications, Time, VPN Communities, Remote Access ...]
19. 1. Check if the MAC address is valid. 2. Check if the Host Name is valid (e.g. "home"). If you are not able to get an Internet IP from the ISP, check which authentication method your ISP uses and troubleshoot the problem as described below. 1. Your ISP checks the MAC address. Some ISPs only provide an IP address to a user with an authorized MAC address. This authorized MAC can be the PC's MAC, which the ISP uses for authentication. So if a new network card is used, or the ZyWALL is attached to the cable modem directly, the ISP will reject the DHCP discovery from this MAC, and thus no IP is assigned by the ISP. The ZyWALL can clone the MAC of the first PC the ISP installed and use it as its WAN MAC. To clone the MAC from the PC, you need to enter that PC's IP in the WAN menu of the ZyWALL web configurator. 2. Your ISP checks the Host Name. Some ISPs take advantage of the host name message in a DHCP packet, such as "home", to do the authentication. When first installing, the ISP's technicians configure the host name as the Computer Name of the PC in the Networking settings. When the ZyWALL is attached to the cable modem to connect to the ISP, we should configure this host name in the ZyWALL's system menu. A21: What is BOOTP/DHCP? BOOTP stands for Bootstrap Protocol; DHCP stands for Dynamic Host Configuration Protocol. Both are mechanisms for a server to dynamically assign an IP address to a TCP/IP client. In this case the Z
20. [Screenshot: Gateway settings: Security Level Standard / Compatible / Basic; Outgoing Interface untrust; Advanced / Cancel.] 10. On the Security Level settings, choose the User Defined option and choose the nopfs-esp-des-sha rule for the Phase 2 Proposal. nopfs-esp-des-sha means no PFS, ESP protocol, Encryption Algorithm DES and Authentication Algorithm SHA1. [Screenshot: Phase 2 Proposal nopfs-esp-des-sha.] 11. Check the VPN Monitor check box so that you can monitor your VPN tunnels. Then press the Return button and press the OK button on the next page to save your settings. 12. When you have finished the settings, you will see an IPSec rule on the page. [Screenshot: VPNs > AutoKey IKE (list 20 per page): ToZyWALL IPSec, gateway ToZyWALL, Custom, On, Edit.] 13. On your main page, click Policies to set up your policy rules. Choose From: Trust and To: Untrust, which means from LAN to WAN, and then press the New button to edit your policy rules. [Screenshot: Policies (From All zones To All zones), NetScreen ns5gt: From Trust To Untrust (total policy: 1): ID 1, Source LAN, Destination Any, Service ANY, Options Configure/Enable, Edit, Clone, Remove. From Untrust To Trust (total policy: 1): columns ID, Source, Destination, Service, Action.]
21. [Screenshot: Exempt Computers: Enforce content filter policies for all computers / Include specified address ranges in the content filter enforcement / Exclude specified address ranges from the content filter enforcement; Add Range (From 192.168.10.200, To 192.168.10.200); Address List 192.168.10.200 - 192.168.10.200; Delete Range.] 3.2 Using external database content filtering. If you have registered the CF service, you can enable external database content filtering on the CONTENT FILTER > Categories page by selecting the category check boxes to specify the types of content to be filtered when a user accesses a website containing those categories of content. As the figure below shows, Sports/Recreation/Hobbies and Financial Services are selected. [Screenshot: SECURITY > CONTENT FILTER > Categories (tabs General, Categories, Customization, Cache): Enable External Database Content Filtering; Matched Web Pages: Block / Log; Unrated Web Pages: Block / Log; When Content Filter Server Is Unavailable: Block / Log; Content Filter Server Unavailable Timeout (1-30 seconds); Select Categories: Select All Categories, Adult/Mature Content, Intimate Apparel/Swimsuit, Illegal/Questionab
22. [Screenshot: NetScreen routing table, columns IP/Netmask, Gateway, Interface, Protocol, Metric, Vsys, Configure: 192.168.1.0/24, 0.0.0.0, trust, C, 0, Root; 172.22.0.0/16, 0.0.0.0, untrust, C, 0, Root; 0.0.0.0/0, 172.22.0.254, untrust, C, 1, Root. Legend: * Active route, C Connected, I Imported, eB EBGP, O OSPF, E1 OSPF external type 1, S Static, A Auto-Exported, iB IBGP, R RIP, E2 OSPF external type 2.] 6. To edit your IPSec rule, click VPNs > AutoKey Advanced > Gateway and then press the New button to edit your IKE rules. 7. Give a name for your policy, for example ToZyWALL. Remote Gateway IP Addr is the ZyWALL's WAN IP address; in this example select the Static IP Address option and enter 172.22.3.89 in the text box. Enter the key string 12345678 in the Preshared Key text box and then press the Advanced button to edit the advanced settings. [Screenshot: Gateway: Name ToZyWALL; Security Level Standard / Compatible / Basic / Custom; Remote Gateway Type: Static IP Address, IP Address/Hostname 172.22.3.89 / Dynamic IP Address, Peer ID / Dialup User, User None / Dialup User Group, Group None; Preshared Key, Use As Seed; Local ID (optional); Outgoing Interface untrust; Advanced / Cancel.] 6. On the Security Level settings, you can set up phase 1 IKE rules. In this example select User Defined and choose the pre-g1-des-md5 rule. pre-g1-des-md5 means Pre-Share Key, group
23. In a web browser, enter the IP address of your ZyWALL (the default is 192.168.1.1) in the Address field. A screen displays; enter the administrative login password (1234 is the default). 2. Access control in a VPN tunnel application can be enforced via the Firewall feature. Switch to the Security > Firewall menu to configure the access control rule for traffic from VPN or to VPN. [Screenshot: FIREWALL (tabs Default Rule, Rule Summary, Anti-Probing, Threshold, Service): Default Rule Setup with Permit / Log per packet direction, including VPN.] 3. For example, the remote VPN policy is 192.168.2.0/24 and we want to block traffic from 192.168.2.33 to the local LAN subnet 192.168.1.0/24. The default VPN to LAN traffic is Permit, so we have to change the VPN to LAN access control rule in the Rule Summary sub-menu. [Screenshot: Rule Summary: Firewall Rules Storage Space in Use; Packet Direction drop-down listing LAN to LAN/ZyWALL, LAN to WAN, LAN to DMZ, LAN to WLAN, WAN to LAN, WAN to WAN/ZyWALL, WAN to DMZ, WAN to WLAN, DMZ to LAN, DMZ to WAN, DMZ to DMZ/ZyWALL, VPN to LAN, VPN to WAN, DMZ to VPN, VPN to DMZ ...; rule columns Source Address, Destination Address, Service Type, Action, Schedule, Log, Modify; Default Policy Permit.]
24. [Screenshot: content filter block page (category: Nudity) with the notice "If you feel that the Content Filtering has incorrectly blocked you from the above site, click ...", shown over the ZyXEL corporate web site (Corporate, News, Product, Support, Where to Buy, Contact Us; news items from June and July 2005).] 2. Proactively Prevent Phishing. Phishing: the act of sending an email to a user, falsely claiming to be an established legitimate enterprise, in an attempt to scam the user into surrendering private information that will be used for identity theft. With the CF feature provided by the ZyWALL 2 Plus, the network administrator can dramatically lower the chance of users on the company network accessing known phishing websites. 2.1 Set up the ZyWALL 2 Plus CF service to block known phishing web sites. 2.1.1 The General settings. 1. In CONTENT FILTER > General, check the Enable Content Fil
25. [Screenshot: Security > Certificates > My Certificates, listing auto_generated_self_signed_cert (SELF) and the grayed-out certification request ZyWALL_A (REQ), with Import, Create and Refresh buttons]
15. Click the Browse button to find the location where you stored ZyWALL's certificate, then press the Apply button.
[Screenshot: Import Certificate dialog] "Please specify the location of the certificate file to be imported. The certificate file must be in one of the following formats: Binary X.509; PEM (Base-64 encoded) X.509; Binary PKCS#7; PEM (Base-64 encoded) PKCS#7. For my certificate importation to be successful, a certification request corresponding to the imported certificate must already exist on ZyWALL. After the importation, the certification request will automatically be deleted." File Path: G:\cert\zywall_a.cert
16. After a while, if you see the gray entry turn black, the import of ZyWALL's certificate is successful.
[Screenshot: My Certificates list after the import, showing auto_generated_self_signed_cert (SELF) and the imported ZyWALL_A certificate with their Valid From and Valid To dates]
26. Select Bridge and assign a management IP for ZyWALL. The Gateway IP Address is used as the next hop of the default route. ZyWALL will restart after applying the change.
Note: Here we suggest the admin dedicate an IP address to ZyWALL itself on the same subnet as the original one, like 210.242.82.X/24 in this example. In this way the admin doesn't need to change his PC's IP address when he wants to access the Internet and ZyWALL's web GUI at the same time.
[Screenshot: Maintenance > Device Mode (tabs General, Password, Time and Date, Device Mode, F/W Upload, Backup & Restore), Bridge selected, with IP Address, IP Subnet Mask and Gateway IP Address fields. The page notes: "The ZyWALL restarts automatically after you change the device mode and click Apply."]
[Screenshot: browser at http://192.168.1.1/BridgeRestart.html] "The ZyWALL is rebooting to Bridge Mode. As there will be no indication of when the process is complete, please wait for one minute before attempting to access
27. Using Bandwidth Management
Why Bandwidth Management (BWM)?
Nowadays we have many different traffic types for Internet applications. Some traffic may consume high bandwidth, such as FTP (File Transfer Protocol) when you are downloading or uploading large files. Other traffic may not require high bandwidth but does require a stable supply of bandwidth, such as VoIP traffic. VoIP quality would not be good if all of the outgoing bandwidth were occupied by FTP. Additionally, chances are that you would like to grant higher bandwidth to somebody special who is using a specific IP address in your network. All of these are reasons why we need bandwidth management.
[Figure: BWM example showing FTP 10 Mbps, WEB 10 Mbps, Mail 5 Mbps, VoIP 128 kbps, WEB 4500 kbps and WEB 200 kbps between the LAN and the Internet]
How Bandwidth Management works in ZyWALL
ZyWALL achieves BWM by classifying packets and controlling when to send out the classified packets. Bandwidth Management of ZyXEL appliances operates on the IP layer. The major step in configuring BWM is defining filter rules by fields of the IP header or the TCP/UDP port number, then specifying the volume of bandwidth you want to allocate to the filtered traffic. There are two types of BWM in ZyXEL implementations: Full and Lite versions. Full version: users can define how they wa
28. [Screenshot continued: remaining Packet Direction entries WLAN to VPN, VPN to WLAN and VPN to VPN/ZyWALL]
4. Click the Insert button to insert a new rule.
[Screenshot: Firewall > Rule Summary, Packet Direction VPN to LAN, Default Policy Permit, Log None; the rule table has columns Source Address, Destination Address, Service Type, Action, Sch., Log and Modify, and an "Insert new rule before rule [rule number]" control]
5. Edit the source address as 192.168.2.33 and the destination address as 192.168.1.0 / 255.255.255.0.
[Screenshot: Firewall > Edit Rule, rule name Block, Edit Source Address 192.168.2.33, Edit Destination Address 192.168.1.0 / 255.255.255.0]
6. The service type is Any, to block all kinds of traffic from 192.168.2.33 to the LAN subnet, and Action for Matched Packets is Drop. Then click Apply to save and activate the configuration.
[Screenshot: Edit Service list (ECHO_REPLY, ECHO_REQUEST, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME, DNS, FINGER, FTP, H.323 and so on) and Edit Schedule]
7. We can see a
29. ZyWALL 35 UTM and ZyWALL 70 UTM owners.
D. Security Service Activation and Update FAQ
D01 Why do I have to register?
1. If you want to use the free trial service of ZyWALL, you have to activate it from within myZyXEL.com.
2. If you purchased an iCard for a security service, you must activate the security service from within myZyXEL.com. The security services in ZyNOS v4.00 include AV, IDP, Anti-Spam and Content Filtering service.
D02 In addition to registration, what can I do with myZyXEL.com?
1. Access firmware and security service updates.
2. Get ZyWALL alerts on services, firmware and products.
3. Manage (activate, change or delete) your ZyWALL security services online.
In summary, myZyXEL.com delivers a convenient, centralized way to register all your ZyWALL security appliances and security services. It eliminates the hassle of registering individual ZyWALL appliances and upgrades, streamlining the management of all your ZyWALL security services. Instead of registering each ZyWALL product individually, with myZyXEL.com you have a single user profile where you can manage all your product registration and service activation.
D03 Is there anything changed on myZyXEL.com because of the launch of ZyNOS v4.00? Which ZyWALL models can be registered via myZyXEL.com?
Yes. Because of the launch of ZyNOS v4.00, we are proud to intro
30. [Screenshot: Check Point Gateway twsrv12191, General Properties: Name twsrv12191, IP Address 172.22.2.58, Check Point Products with Firewall and VPN checked]
7. On the Topology settings you should see two interfaces with IP settings here if your PC has two network cards.
[Screenshot: Check Point Gateway twsrv12191, Topology tab: interfaces 172.22.2.58 / 255.255.0.0 and 192.168.2.0 / 255.255.255.0 with their IP Addresses behind interface column]
8. Select the 172.22.2.58 interface and press the Edit button to check its settings. On the Topology screen, choose "External (leads out to the internet)" for the interface. Then press the OK button to save the settings.
[Screenshot: Interface Properties, Topology tab, with options "Internal (leads to the local network)" and "External (leads out to the internet)"; IP Addresses behind this interface: Not Defined]
31. [Screenshot: Network > WAN > 3G Wireless Card: Access Point Name (APN), User Name, Password, Retype to Confirm, PIN Code, Phone Number, Authentication Type, Nailed-Up, Idle Timeout (seconds), Get Automatically from ISP / Use Fixed IP Address, Advanced Setup with Enable NAT (Network Address Translation) and Enable Multicast]
3. Then the 3G wireless card will be dialed up automatically when WAN1 is not available. If you check the Nailed-Up option, as shown in the figure above, the system will automatically dial up the 3G Internet access even if WAN1 is available. Then you will see the process in the logs, as follows.
[Screenshot: Logs > View Log, showing the PPP LCP and IPCP negotiation on the 3G WAN interface and the WAN interface getting IP 221.120.40.36]
32. check box, and then press the OK button to save the settings.
[Screenshot: FortiNet New VPN Tunnel: Tunnel Name ToZyWALL IPSec, Remote Gateway ToZyWALL, Concentrator none; Proposal 1: Encryption DES, Authentication SHA1; Enable replay detection; Enable perfect forward secrecy (PFS) with DH Group 1; Keylife 1800 seconds; Autokey Keep Alive; Internet browsing None; Quick Mode Identities: Use selectors from policy]
11. After you press the OK button you will see your IPSec rule (Phase 2) on this page.
[Screenshot: VPN > IPSEC, Phase 2 tab: ToZyWALL IPSec, Remote Gateway 172.22.1.147, Lifetime 1800 sec, Status N/A]
12. On the main page, click Firewall > Address and then press the Create New button to edit your address rules.
[Screenshot: Firewall > Address, showing the default entry all 0.0.0.0/0.0.0.0]
13. To define the IP source address of the network behind the FortiNet device, give a name for your address rule, for example "Fortinet network", and enter the IP Range/Subnet in the text box. In this example you sho
33. www.phishbank.com, the attempt will be blocked because www.phishbank.com is in the forbidden list, and the user will be redirected to www.zyxel.com with a Website Blocking message displayed.
[Screenshot: Website Blocking message shown in front of the www.zyxel.com home page]
3. Prevent non-business web surfing
Below is an example that demonstrates how to configure the ZyWALL 2 Plus CF service to prevent employees from surfing websites that are not related to work.
Setting up the ZyWALL 2 Plus CF service to block non-business web surfing
3.1 The General settings
1. In CONTENT FILTER > General, check the Enable Content Filter check box to enable the CF function.
2. In Schedule to Block, select Always Block to let the CF engine block the websites all the time.
34. [Screenshot: Home > System Status interface table, after the log entry "WAN1 connection is down": LAN 100M/Full, 255.255.255.0, DHCP server; WLAN 100M/Full 0.0.0.0, Static; DMZ 100M/Full 0.0.0.0, Static]
Utilize the embedded wireless card to provide LAN users access
1. Go to GUI menu Network > WIRELESS CARD, enable it and configure the other parameters: 802.11 mode (four modes available: 802.11b only, 802.11g only, 802.11b+g and 802.11a only), channel ID, super mode, RTS/CTS threshold, fragmentation threshold, output power (four options: 100, 50, 25 and 12.5) and roaming. ZyWALL 2WG allows you to configure up to 8 SSID profiles. Choose the SSID profile you want to use and click the Apply button.
[Screenshot: Network > Wireless Card: Enable Wireless Card; Bridge to LAN (note: the device will reboot if another option is chosen); 802.11 Mode 802.11b+g; Channel ID Channel-06 2437MHz or Scan; Super Mode; RTS/CTS Threshold 2346 (256 to 2346); Fragmentation Threshold 2346 (256 to 2346); Output Power 100; Enable Roaming; Select SSID Profile; SSID profile table with Name, SSID and Security columns: SSID01 ZyXEL01 security01, SSID02 ZyXEL02 security01]
35. [Screenshot: Star Community Properties, Satellite Gateways]
29. If you have already done the previous settings, you should see a remote gateway here. Select the gateway and then press the OK button.
[Screenshot: Add Satellite Gateways. "The candidates must be defined as: 1. VPN installed; 2. Version NG FP1 and above (only for Internally managed); 3. Host, Gateway, Gateway Cluster or Interoperable Device."]
30. On VPN Properties settings, select Encryption Algorithm DES and Authentication Algorithm MD5 for phase 1, and also select Encryption Algorithm DES and Authentication Algorithm SHA1 for phase 2.
[Screenshot: Star Community Properties (CheckPoint_ZyWALL), VPN Properties: Phase 1 Properties: Perform key exchange encryption with DES, Perform data integrity with MD5; Phase 2 Properties: Perform IPsec data encryption with DES, Perform data integrity with SHA1]
31. On Tunnel Management, leave the settings at their defaults.
[Screenshot: Star Community Properties (CheckPoint_ZyWALL), Tunnel Management: Permanent Tunnels, Set Permanent Tunnels options]
36. F. IPSec FAQ (p. 245)
F01 How to count my VPN tunnels on ZyWALL (p. 245)
F02 What is VPN (p. 246)
F03 Why do I need VPN (p. 246)
F04 What are most common VPN protocols (p. 247)
F05 What is PPTP (p. 247)
F06 What is L2TP (p. 247)
F07 What is IPSec (p. 247)
F08 What is SA (p. 248)
F09 What is Pre-Shared Key (p. 248)
F10 What is Phase 1 ID for (p. 248)
F11 What are Local ID and Peer ID (p. 249)
F12 Is my ZyWALL ready for IPSec VPN (p. 249)
F13 How do I configure ZyWALL VPN (p. 249)
F14 What VPN protocols are supported by ZyWALL (p. 250)
F15 What types of encryption does ZyWALL VPN support (p. 250)
F16 What types of authentication does ZyWALL VPN support (p. 250)
F17 I am planning my ZyWALL to ZyWALL VPN configuration
37. [Screenshot: ping 172.16.3.58 from the PC's command prompt: four replies (bytes=32, time 3 to 4 ms, TTL=126); Ping statistics: Packets Sent = 4, Received = 4, Lost = 0 (0% loss); approximate round trip times: Minimum 3ms, Maximum 4ms, Average 3ms]
Never lose your VPN connection: IPSec High Availability
1. Set up ZyWALL VPN with high availability
The VPN high availability is designed to secure the VPN connection. Normally we deploy the ZyWALL 2 Plus as the branch office or SOHO gateway and build the VPN tunnel to the central office. The design for IPSec HA is based on the redundant gateway option implemented on the ZyWALL 2 Plus. In the traditional design, the VPN connection is dropped once the remote gateway's Internet connection goes down. ZyXEL already had the Dual WAN security gateway solution to prevent failure of the Internet connection, but before, moving the VPN connection from the primary WAN to the backup WAN was only supported via DDNS IP update; the ZyWALL 2 Plus supports a redundant remote gateway to continue the VPN connection once the primary WAN connection fails. The redundant gateway can be configured in IP format or Domain Name format, which gives the administrator the flexibility to configure t
38. Authentication, and phase 2, Key Exchange. Phase 1 establishes an IKE SA and phase 2 uses that SA to negotiate SAs for IPSec.
F09 What is Pre-Shared Key?
A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with the other party before you can communicate with them over a secure connection.
What are the differences between IKE and manual key VPN?
The only difference between IKE and manual key is how the encryption keys and SPIs are determined. For IKE VPN, the keys and SPIs are negotiated from one VPN gateway to the other. Afterward, the two VPN gateways use these negotiated keys and SPIs to send packets between the two networks. For manual key VPN, the encryption key, the authentication key (if needed) and the SPIs are predetermined by the administrator when configuring the security association. IKE is more secure than manual key because IKE negotiation can generate new keys and SPIs randomly for the VPN connection.
F10 What is Phase 1 ID for?
In IKE phase 1 negotiation, the IP address of the remote peer is treated as an indicator to decide which VPN rule must be used to serve the incoming request. However, in some applications the remote VPN box or client software is using an IP address dynamically assigned by the ISP, so ZyWALL needs additional information to make the decision. Such additional information is what we call the phase 1 ID. In the IKE payload there are local and peer ID fie
39. [Screenshot continued: SSID profile table rows SSID03 ZyXEL03 security01, SSID04 ZyXEL04 security01, SSID05 ZyXEL05 security01, SSID06 ZyXEL06 security01; Status: Ready]
Note: You can modify the SSID profile by clicking the Modify icon in the figure above. Here you can configure the SSID information and choose the security and the MAC filtering.
[Screenshot: Wireless Card > SSID Profile: Name SSID01, SSID ZyXEL, Security security01]
To configure the security and the MAC filter, go to Wireless Card > Security or Wireless Card > MAC Filter. For example, we would like to provide wireless access to clients on a preset MAC address filtering list. Furthermore, these clients will also have to pass the security control described below:
a. Wireless security level WPA-PSK with key 12345678.
b. Only the PCs with MAC addresses 00:A0:C5:11:22:33, 00:A0:C5:11:22:44 and 00:A0:C5:11:22:55 are allowed to associate with the wireless network.
[Screenshot: Wireless Card > Security: Security Profile table with Index, Profile Name and Security Mode columns; editing profile security01]
40. [Figure: IKE traffic to all remote offices; the Branch Office VPN Gateway (private IP) sits behind a NAT router (public IP), across the Internet from the Peer VPN Gateway]
By far the easiest way to combine IPSec and NAT is to completely avoid these problems by locating IPSec endpoints in public address space. This can be accomplished in two ways:
1. Perform NAT on a device located behind the IPSec gateway.
2. Use an IPSec gateway for both IPSec VPN and NAT Internet access.
However, in some situations it is not feasible to locate the IPSec gateway on a public IP address, and it must be placed behind the NAT router. For example, the NAT router has a different interface (e.g. leased line, ISDN) which is not supported by the IPSec gateway. This example gives some guidelines for configuring ZyWALL behind a NAT router.
[Screenshot: NAT router Port Forwarding / Edit Service: IPSEC_TRANSPORT/TUNNEL (AH:0), IPSEC_TUNNEL (ESP:0), Forward]
1. UDP 500 (IKE) must be forwarded to ZyWALL to accept incoming VPN connections from the peer VPN gateway or client.
2. If a Firewall is running on the same NAT router, make sure a firewall rule is configured to allow IKE and IPSec (AH, ESP) traffic to pass through.
3. On ZyWALL, enable NAT Traversal no matter
41. Internet Access Sharing Router, using jane@mycompany.ispname.com and john@mycompany.ispname.com respectively as their e-mail addresses. Again, they will be able to retrieve their individual private and secured e-mail if they have been assigned the proper access rights.
A13 Is it possible to access a server running behind NAT from the outside Internet? If possible, how?
Yes, it is possible, because ZyWALL delivers the packet to the local server by looking it up in a NAT server table. Therefore, to make a local server accessible to outsiders, the port number and the internal IP address of the server must be configured in the NAT menu.
A14 What DHCP capability does the ZyWALL support?
The ZyWALL supports DHCP client on the WAN port and DHCP server on the LAN port. The ZyWALL's DHCP client allows it to get the Internet IP address from the ISP automatically. The ZyWALL's DHCP server allows it to automatically assign IP and DNS addresses to the clients on the local LAN.
A15 How do I use the reset button? Moreover, which parameters will be reset by the reset button?
You can use a sharp pointed object: insert it into the little reset hole beside the power connector, press down the reset button and hold it down for approximately 10 seconds, and the unit will be reset. When the reset button is pressed, all of the device's parameters will be reset ba
42. [Screenshot: SmartDashboard Security rule base (tabs Security, Address Translation, SmartDefense, Web Intelligence, VPN Manager, QoS, Desktop Security); columns NAME, SOURCE, DESTINATION, VPN, SERVICE, ACTION, TRACK, INSTALL ON, TIME; rule 1: Any, Any, Any Traffic, Any, drop, None, Policy Targets, Any; right-click menu with Add Users Access, Edit, Delete, Where Used, Manage, Edit Cell, Select All, Cut, Copy, Paste, Query Column, Clear Query]
41. Choose the Net_192.168.1.0 network object and press the OK button to save your settings.
[Screenshot: Add Object, Network objects: LocalMachine, All_Interfaces, Net_192.168.1.0, Net_192.168.2.0, ToZyWALL, twsrv12191; New, Remove and Edit buttons]
43. On the destination field, use the same way to add your network objects Net_192.168.1.0 and Net_192.168.2.0.
44. On the VPN field, click the right button of your mouse and choose the Edit Cell option to add your VPN communities.
45. On VPN Match Conditions, choose the "Only connections encrypted in specific VPN Communities" option and press the Add button to add the community to your rule.
[Screenshot: VPN Match Conditions dialog, Match conditions: "Any connections, whether Clear or Encrypted" and "Only connections encrypted in specific VPN Communities"]
43. [Screenshot: NetScreen Policies list with Options (Configure, Enable, Move) and Edit, Clone, Remove links]
14. Give a name for your policy, for example "ZyWALL&NetScreen".
15. On Source Address you should set up the local LAN IP addresses. In this example, select the New Address option and type 192.168.1.0/255.255.255.0 in the text box. On Destination Address you should set up the remote IP addresses. In this example, select the New Address option and type 192.168.2.0/255.255.255.0 in the text box.
16. Set Action to Tunnel and select the ToZyWALL IPSec VPN rule. Check the "Modify matching bidirectional VPN policy" check box; it means that you can create or modify the VPN policy for the opposite direction. Then press the OK button to save your settings.
[Screenshot: NetScreen policy edit page: Name (optional) ZyWALL&NetScreen; Source Address: New Address 192.168.1.0/255.255.255.0; Destination Address: New Address 192.168.2.0/255.255.255.0; Service ANY; Application None; Action Tunnel; Tunnel VPN ToZyWALL IPSec; Modify matching bidirectional VPN policy checked; L2TP None]
17. When you have finished the settings, you will see the policy rules on the page.
[Screenshot: Policies (From All zones To All zones)]
44. [Screenshot: Star Community Properties, Tunnel Management / Advanced Settings: "Allow uninspected encrypted traffic between Wire mode interfaces of this Community's members"; MEP (Multiple Entry Point); Wire mode routing; Excluded Services; Shared Secret; Advanced VPN Properties]
37. After you press the OK button, you should see a new object here.
[Screenshot: VPN Communities: MyIntranet, Remote Access, and the new star community created above]
38. Click the Security tab on the right side to do the security settings.
[Screenshot: SmartDashboard tabs Security, Address Translation, SmartDefense, Web Intelligence, VPN Manager, QoS, Desktop Security; empty rule base with columns NAME, SOURCE, DESTINATION, VPN, SERVICE, ACTION, TRACK, INSTALL ON, TIME]
39. Press the Add button to add a rule.
[Screenshot: SmartDashboard menu bar (Policy, SmartMap, Search, Window, Help) with a new empty rule in the Security rule base]
40. On the default rule, select the source field, click the right button of your mouse and then choose the Add option to add your network objects.
[Screenshot: Security rule base with the right-click menu on the SOURCE cell of the rule]
45. [Screenshot: Security > Certificates > My Certificates: PKI Storage Space in Use; auto_generated_self_signed_cert (SELF) for the ZyWALL 70, valid Jan 1st 2000 to Jan 1st 2030 (GMT); ZyWALL_B (REQ) with Valid From / Valid To N/A; Import, Create and Refresh buttons]
Step 4. Enroll Certificate Request on ZyWALL B
1. Copy the content of "Certificate in PEM Encoded Format" by selecting all of the content, then right click your mouse and select Copy. Keep your copy in the clipboard for a later paste.
[Screenshot: My Certificate details for ZyWALL_B: Type PKCS#10 Certification Request; Serial Number N/A; Subject CN set to the test e-mail address at zyxel.com.tw; Issuer N/A; Signature Algorithm rsa-pkcs1-sha1; Valid From N/A; Valid To N/A; Key Algorithm rsaEncryption (1024 bits); Subject Alternative Name EMAIL set to the same address; Key Usage DigitalSignature, KeyEncipherment; MD5 and SHA1 fingerprints; Certificate in PEM Encoded Format text ending in END CERTIFICATE]
46. [Screenshot: VPN > SA Monitor: ToZyWALL IPSec, AutoIKE, Active, Up]
Check Point with ZyWALL VPN Tunneling
1. Setup ZyWALL VPN
2. Setup Check Point VPN
This page guides us to set up a VPN connection between the ZyWALL and a PC which uses Check Point software. As the figure shown below, the tunnel between PC1 and PC2 ensures the packet flows between them are secure, because the packets going through the IPSec tunnel are encrypted. To set up this VPN tunnel, the required settings for ZyWALL and Check Point are explained in the following sections. As the red pipe shown in the following figure, the tunneling endpoints are the ZyWALL router and a PC which uses Check Point software.
[Figure: IPSec Tunnel between ZyWALL and Check Point. The IP addresses we use in this example: ZyWALL WAN 172.22.1.236 and LAN 192.168.1.0/24; Check Point WAN 172.22.2.58 and LAN 192.168.2.0/24]
1. Setup ZyWALL VPN
1. Using a web browser, log in to ZyWALL by giving the LAN IP address of ZyWALL in the URL field. The default LAN IP is 192.168.1.1; the default password to log in to the web configurator is 1234.
2. Go to SECURITY > VPN and press the Add button.
[Screenshot: VPN Rules (IKE), Manual, SA Monitor and Global Setting tabs; VPN Rules list with the Add button]
47. VPN sessions.
7. My IP Addr is the WAN IP of ZyWALL.
8. Secure Gateway IP Addr is the remote secure gateway IP, which is PC 1 in this example.
9. Select Encapsulation Mode: Tunnel.
10. Check the ESP check box (AH cannot be used in the SUA/NAT case).
11. Select Encryption Algorithm DES and Authentication Algorithm SHA1, as we configured in the ZyWALL VPN Client.
12. Enter the key string 12345678 in the Pre-shared Key text box and click Apply. See the VPN rule screenshot.
[Screenshot: VPN rule edit page with sections Property, Extended Authentication (Local User), Local Policy (Single Address), Remote Policy (Single Address), Authentication Method (Pre-Shared Key 12345678, or certificate auto_generated_self_signed_cert from My Certificates), Gateway Information (My ZyWALL: WAN; Remote Gateway Address) and IPSec Algorithm (DES, SHA1), with Phase 1 / Phase 2 settings]
You can further adjust the IKE Phase 1 and Phase 2 parameters by pressing the Advanced button.
Content Filter Application
To filter non-work-related and unproductive web surfing, to mitigate spyware and phishing threats.
Web browsing is one of the most common activities people do on a daily basis. However, there
48. [Figure: Check Point connected to ZyWALL through an IPSec Tunnel]
1. On your PC, click Start > Programs > Check Point SmartConsole R60 > SmartDashboard.
2. Enter your user name and password, then press the OK button to use your Check Point.
3. On Network Objects you should see a default Check Point object here. For this example, my default Check Point object is twsrv12191; double click the object to check its settings.
[Screenshot: Network Objects tree: Check Point, Nodes, Interoperable Devices, Networks]
4. Before you do the settings, you should make sure that your object is a Check Point Gateway, not a Check Point Host.
5. If your Check Point object is a Check Point Host, select your object and click the right button on your mouse, then choose Convert To Gateway to change its settings.
[Screenshot: right-click menu on the object: New Check Point, Interoperable Device, Edit, Delete, Paste, Where Used, Last Modified, Query Objects, Convert To Gateway]
6. On General Properties, the IP Address field is the WAN IP of your PC. In this example, you should type the 172.22.2.58 IP address in the text box. On Check Point Products settings, check the VPN check box here.
49. a secure link to access the corporate network over the Internet or other public or private networks without the expense of leased lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
F03 Why do I need VPN?
There are some reasons to use a VPN. The most common reasons are security and cost.
Security
1. Authentication. With authentication, the VPN receiver can verify the source of packets and guarantee data integrity.
2. Encryption. With encryption, VPN guarantees the confidentiality of the original user data.
Cost
1. Cut long-distance phone charges. Because users typically dial their local ISP for VPN, long-distance phone charges are reduced compared with making a long direct connection to the remote office.
2. Reducing the number of access lines. Many companies pay monthly charges for two types of access lines: (1) high-speed links for their Internet access and (2) frame relay, ISDN Primary Rate Interface or T1 lines to carry data. A VPN may allow a company to carry the data traffic over its Internet access lines, thus reducing the need for some installed lines.
F04 What are the most common VPN protocols?
There are currently three major
50. are lots of threats and traps available on the WWW too. Web browsing should be sanctioned as shown in the figure below so that the impact of hazardous web content (malicious Java and ActiveX, spyware and phishing attacks) can be minimized. These attacks are known to be found on websites that provide pirated software, pornography and other illegitimate content. Also, non-business web surfing such as sports, financial and gambling web sites should be prevented to increase company productivity. With the ZyWALL 2 Plus Content Filter service, the network administrator can effectively allow or prevent network users from viewing different categories of web sites.

[Figure: ActiveX, Java and cookie filtering between the WAN and LAN zones]

1. Minimize Spyware Attack
As mentioned earlier, pornography websites are known to contain spyware and Trojans, so it is recommended to use ZyWALL 2 Plus to prevent users from accessing these types of websites. Below is an example to illustrate how to configure ZyWALL to fulfill this purpose.
1.1 CF License Activation
In the Registration page, if you already have an account on myZyXEL.com, all you have to do is first select Existing myZyXEL.com account, enter your username and password, and select Content Filter 1 month trial version to activate.
[Figure: Registration page with New myZyXEL.com account and Existing myZyXEL.com account options]
51. 226
A27 Can the ZyWALL NAT handle IPSec packets sent by the VPN gateway behind ZyWALL? 226
A28 How do I setup my ZyWALL for routing IPSec packets over NAT? 227
A29 What is STP (Spanning Tree Protocol) / RSTP (Rapid STP)? 227
A30 What is the flow ZyWALL handles inbound and outgoing NAT? 227
B01 What is a network firewall? 228
B02 What makes ZyWALL secure? 228
B03 What are the basic types of firewalls? 228
B04 What kind of firewall is the ZyWALL? 229
B05 Why do you need a firewall when your router has packet filtering and NAT built in? 229
B06 What is Denial of Service (DoS) attack? 229
B07 What is Ping of Death attack? 230
B08 What is Teardrop attack? 230
B09 What is SYN Flood attack? 230
B10 What is LAND Attack?
52. example, choose the internal option for your source Interface/Zone and choose the wan option for your destination Interface/Zone.
19. On Address Name settings, choose the Fortinet network rule for your source address and the ZyWALL network rule for your destination address.
20. On Action settings, choose the ENCRYPT option and choose the ToZyWALL IPSec rule for your VPN Tunnel. Then press the OK button to save your settings.

[Figure: New Policy dialog: Interface/Zone internal to wan1, Address Name Fortinet network to ZyWALL network, Schedule always, Service ANY, Action ENCRYPT, VPN Tunnel ToZyWALL IPSec, Allow inbound, Allow outbound, Inbound NAT, Outbound NAT, Protection Profile, Log Traffic. The policy list then shows rule 1 internal to wan1, all to all, always, ANY, ACCEPT, and the new rule Fortinet network to ZyWALL network, always, ANY, ENCRYPT]

22. Click VPN > IPSec > Monitor. This page displays a table that lists all the VPN rules configured on the FortiNet device. You can check the link states here to know whether your VPN tunnel is up or down.
[Figure: VPN > IPSec > Monitor page with tabs Phase 1, Phase 2, Manual Key, Concentrator, Ping Generator, Monitor; sections No dialup tunnels and Static IP and dynamic DNS with columns Name, Remote gateway, Timeout, Proxy ID]
53. if the front NAT router supports NAT Traversal (IPSec pass-through) or not. With this option enabled, ZyWALL can detect if it is placed behind NAT when the peer VPN entity also supports the NAT Traversal function. If yes, the IPSec traffic will be encapsulated in UDP packets to avoid traversal problems on NAT routers.
4. Under VPN > Gateway Policy > Gateway Policy Information, configure the private IP address as My Address on the local ZyWALL gateway behind the NAT router.
5. On the peer VPN gateway, use the public WAN IP address of the NAT router as the Remote Gateway Address of the Gateway Policy rule. The ID must be consistent no matter whether IP, DNS or E-mail is used, so long as the ID Type and content are consistent on both VPN entities.

Mapping multiple Network Policies to the same Gateway Policy
This section describes an example configuration that maps multiple different network policies to the same gateway policy, which is built between two VPN gateways. Different network policies allow users in one network to access multiple destination networks which are not in a continuous range. The other feature of this application is to limit some users to access some specific destinations and prevent others from accessing the same network. In the following example, the owner of PC1 belongs to the financial department and needs to connect to the financial department (Dept 1) for bus
54. [Figure: Microsoft Certificate Services page in Internet Explorer at http://192.168.1.33/certsrv/certfnsh.asp: "Certificate Issued. The certificate you requested was issued to you. DER encoded or Base 64 encoded"]
8. A file download dialog will pop up; press the Save button and choose the local folder where you would like to store the certification path.
9. Double-click the saved file. Select Certificates, right-click the certificate and choose All Tasks > Export.
[Figure: Certificates console showing the saved .P7B file under Certificates, with "Export a certificate" selected]
10. The Certificate Export Wizard pops up; press Next.
[Figure: Certificate Export Wizard welcome page: "This wizard helps you copy certificates, certificate trust lists and certificate revocation lists from a certificate store to your disk. A certificate, which is issued by a certification authority, is a confirmation of your identity and contains information used to protect data or to establish secure network connections. A certificate store is the system area where certificates are kept. To continue, click Next."]
55. 230
B11 What is Brute force attack? 230
B12 What is IP Spoofing attack? 231
B13 What are the default ACL firewall rules in ZyWALL? 231
B14 Why does traffic redirect/static/policy route be blocked by ZyWALL? 231
B15 How can I protect against IP spoofing attacks? 233
C Security Service Licenses FAQ 234
C01 What is iCard? 234
C02 Where can I buy the iCard and how much does it cost? 234
C03 How many kinds of iCard does ZyXEL provide? 234
C04 Is each type of iCard device specific? 234
C05 What are the available security service licenses which require additional purchase and license activation in ZyNOS v4.00? 234
C06 What kind of iCard should I buy? 235
C07 If I violate the mappings described above, for example using a silver iCard for ZyWALL 35 or ZyWALL 70, what will happen? 235
C08 Can I try the Content Filtering service for free? How long is the free trial period of Content Filtering Service? 235
D Security Service Activation and Update FAQ
56. kits to mobile phones.
H11 Can wireless signals pass through walls?
Transmitting through a wall is possible, depending on the material used in its construction. In general, metals and substances with a high water content do not allow radio waves to pass through. Metals reflect radio waves and concrete attenuates radio waves. The amount of attenuation suffered in passing through concrete will be a function of its thickness and the amount of metal reinforcement used.
H12 What are the potential factors that may cause interference among WLAN products?
Factors of interference:
1. Obstacles: walls, ceilings, furniture, etc.
2. Building materials: metal doors, aluminum studs.
3. Electrical devices: microwaves, monitors, electric motors.
Solution:
1. Minimize the number of walls and ceilings.
2. Position the antenna for best reception.
3. Keep WLAN products away from electrical devices, e.g. microwaves, monitors, electric motors, etc.
4. Add additional APs if necessary.
H13 What is SSID?
Service Set ID (SSID) is a configurable identification that allows clients to communicate with the appropriate base station. With proper configuration, only clients that are configured with the same SSID can communicate with base stations having the same SSID. From a security point of view, the SSID acts as a simple single shared password between base stations
57. place dynamically and automatically in the background. However, you may want to maintain your own URL/keyword list on the device to maximize the effectiveness of the Content Filtering service.
E17 What is BlueCoat Filter list?
BlueCoat (http://www.cerberian.com) provides Internet content filtering service through an outsourced model to original equipment manufacturers (OEMs) and service providers. With the BlueCoat Integration Kit, ZyXEL integrates the BlueCoat content filtering service into ZyXEL appliances such as the ZyWALL, Prestige and ZyAir series.
E18 How many ratings does the BlueCoat database contain?
The BlueCoat database contains about 4.3 million ratings. Because BlueCoat rates sites at the domain or directory level, the database actually covers hundreds of millions of unique web pages.
E19 How often does BlueCoat update the database?
BlueCoat continuously updates the ratings database, but BlueCoat's outsourced model does not require customers to update a local database. Unlike other Internet content filtering solutions, BlueCoat's outsourced solution does not require clients to receive large database updates daily or weekly. Instead, BlueCoat customers all access the same ratings database. When a user requests a URL not contained in the database, the BlueCoat solution uses Dynamic Real-time Rating to assign a rating to that page. All unrated URLs are further analyzed by background tec
58. protocol to enroll certificates.
Step 1: Download the CA server's certificate.
Step 2: Create a certificate request and enroll the certificate request on ZyWALL A.
Step 3: Create a certificate request and enroll the certificate request on ZyWALL B.
Step 4: Use the certificate in VPN on ZyWALL A.
Step 5: Use the certificate in VPN on ZyWALL B.
[Figure: the five steps between ZyWALL A (LAN 10.1.133.1, 10.1.133.0/24, WAN 192.168.1.35), ZyWALL B (LAN 192.168.2.1, 192.168.2.0/24, WAN 192.168.1.36) and the CA server]
Step 1: Download the CA server's certificate
The most critical part of an online certification request is that we need to send the certification request over the Internet, which is an insecure environment. To prevent the certification request from being modified or eavesdropped, we need to download the CA server's certificate in the first step. When ZyWALL delivers the certification request, the public key in the CA server's certificate will be used to protect the data. You may need to access the CA server's web interface or contact the administrator to get the CA's certificate. Then you can go to SECURITY > CERTIFICATES > Trusted CAs to import the downloaded certificate.
[Figure: CERTIFICATES page with tabs Directory Servers, My Certificates, Trusted CAs]
59. secure access and configuration management.
A05 Does the ZyWALL support PPPoE?
Yes. The ZyWALL supports PPPoE since ZyNOS 2.50.
A06 How do I know I am using PPPoE?
PPPoE requires a user account to log in to the provider's server. If you need to configure a user name and password on your computer to connect to the ISP, you are probably using PPPoE. If you are simply connected to the Internet when you turn on your computer, you probably are not. You can also check with your ISP or the information sheet given by the ISP. Please choose PPPoE as the encapsulation type in the ZyWALL if you are using the PPPoE service provided by your ISP.
A07 Why does my Internet Service Provider use PPPoE?
PPPoE emulates a familiar dial-up connection. It allows your ISP to provide services using their existing network configuration over broadband connections. Besides, PPPoE supports a broad range of existing applications and services including authentication, accounting, secure access and configuration management.
A08 How can I configure the ZyWALL?
Telnet remote management (CLI command line) or web browser (embedded web server for easy configuration).
A09 What can we do with ZyWALL?
Browse the World Wide Web (WWW), send and receive individual e-mail, and upload/download data on the Internet. These are just a few of the many benefits you can enjoy when you put the who
60. the ZyWALL again.
Step 3: After rebooting, log in to ZyWALL's GUI by accessing ZyWALL's management IP address. Access ZyWALL from a PC with a static IP address configured in the same subnet, or with an IP from the DHCP server; refer to step for the pre-configured firewall rule.
Step 4: In this example we want to apply a DMZ zone for servers. On ZyWALL 2 Plus, where the LAN and DMZ ports can be configured, the user can decide the role of each port. Go to Network > LAN (or DMZ or WLAN) > Port Roles. By default all 4 ports are assigned to LAN. In this example we assign ports 1 and 2 to LAN and ports 3 and 4 to DMZ, as in the following picture.
[Figure: LAN page with tabs Static DHCP, IP Alias, Port Roles]
Step 5: Furthermore, to configure a firewall rule to control access to your network, go to SECURITY > FIREWALL as you do in the router-mode firewall. For example, the user wants to block access from an FTP server 210.242.82.2 in the DMZ zone to the LAN hosts 210.242.82.31~34. Note that they all sit in the same IP segment 210.242.82.0/24. Edit the firewall rule via Firewall > Rule Summary with packet direction DMZ to LAN.
[Figure: Firewall Rules page, Packet Direction DMZ to LAN]
Enter 210.242.82.2 as the source address and 210.242.82.31~34 as d
61. the dynamic IP address, we can use the DDNS service. The DDNS server allows you to alias a dynamic IP address to a static hostname. Whenever the ISP assigns you a new IP, the ZyWALL sends this IP to the DDNS server for its update.
A24 What DDNS servers does the ZyWALL support?
The DDNS server the ZyWALL currently supports is www.dyndns.org, where you apply for the DNS name and update the WAN IP to.
A25 What is DDNS wildcard?
Some DDNS servers support the wildcard feature, which allows the hostname *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful when there are multiple servers inside and you want users to be able to use names such as www.yourhost.dyndns.org and still reach your hostname.
A26 Does the ZyWALL support DDNS wildcard?
Yes, the ZyWALL supports the DDNS wildcard that www.dyndns.org supports. When using wildcard, you simply enter yourhost.dyndns.org in the Host field in the Network > WAN > DDNS menu.
A27 Can the ZyWALL NAT handle IPSec packets sent by the VPN gateway behind ZyWALL?
Yes, the ZyWALL's NAT can handle IPSec ESP tunneling mode. We know that when packets go through NAT, NAT will change the source IP address and source port for the host. To pass IPSec packets, NAT must understand the ESP packet with protocol number 50 and replace the source IP address of the IPSec gateway to th
62. these encryption, decryption, verifying and authenticating processes is that special software does them all transparently, so that Bob and Alice receive the assurances they need without actually having to engage in computations themselves.
[Figure: Strong Authentication and Data Integrity. Bob (message sender) hashes the message using a hash function to create a message digest, creates a digital signature by encrypting the message digest with his private key, and sends the message and the digital signature to Alice. Alice (message recipient) receives the message and the digital signature, uses Bob's public key to decrypt the digital signature (strong authentication), then hashes the message and compares the result to the message digest; they should be identical (data integrity).]
G12 Does ZyXEL provide CA service?
No, ZyXEL doesn't maintain a CA service for customers. Customers need to find a CA server (trusted 3rd party) in order to use the PKI functionality on ZyWALL.
G13 What if customers don't have access to a CA service but would like to use the PKI function?
The ZyXEL VPN solution provides a mechanism called self-signed certificate. If you don't have access to a CA service but would like to
63. tunnel mode is possible to work in the NAT case. If the NAT router is a ZyWALL (a NAT router supporting IPSec pass-through), the default port and the ZyWALL WAN IP must be configured in the NAT Server Table. The WAN IP of the NAT router is the tunneling endpoint for this case, not the WAN IP of the ZyWALL.
If the firewall is turned on in ZyWALL, you must forward the IKE port on the Internet interface. If NAT is also enabled in ZyWALL, a NAT server entry is required for non-secure connections; a NAT server entry is not required for secure connections, where the physical private IP is used.
[Figure: host, ZyWALL, NAT router, Internet, secure host and non-secure host]
F26 Where can I configure Phase 1 ID in ZyWALL?
Phase 1 ID can be configured in the VPN setup menu as follows.
[Figure: Gateway Policy page with sections Property, Gateway Policy Information, Authentication Key, Authentication for Activating VPN, IKE Proposal and Associated Network Policies (Name, Local Network, Remote Network)]
F27 How can I keep a tunnel alive?
To keep a tunnel alive, you can check the Nailed-up option when configuring your VPN tunnel. With this option the ZyWALL will keep the IPSec tunnel up at all times. With Nailed-up, the ZyWALL will try to re-establish the tunnel whenever it is terminated for any reason.
64. tunneling protocols for VPNs. They are Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and Internet Protocol Security (IPSec).
F05 What is PPTP?
PPTP is a tunneling protocol defined by the PPTP forum that allows PPP packets to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself. PPTP is already supported in Windows NT and Windows 98. For Windows 95, it needs to be upgraded by the Dial-Up Networking 1.2 upgrade.
F06 What is L2TP?
Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol (PPTP) used by an Internet service provider (ISP) to enable the operation of a virtual private network (VPN) over the Internet.
F07 What is IPSec?
IPSec is a set of IP extensions developed by the IETF (Internet Engineering Task Force) to provide security services compatible with the existing IP standard (IPv4) and also the upcoming one (IPv6). In addition, IPSec can protect any protocol that runs on top of IP, for instance TCP, UDP and ICMP. IPSec provides cryptographic security services. These services allow for authentication, integrity, access control and confidentiality. IPSec allows the information exchanged between remote sites to be encrypted and verified. You can create encrypted tunnels (VPNs) or just do encryption between computers. Since you have so many options, IPSec is truly the most extensible and complete n
65. [Figure: VPN Rules page showing the tunnel between Network A and Network B]
3. Give a name for your policy, for example ToNetScreen.
4. My IP Addr is the WAN IP of ZyWALL. In this example you should type the IP address 172.22.3.89 in the My ZyWALL text box.
5. Secure Gateway IP Addr is the NetScreen's WAN IP address. In this example you should type the IP address 172.22.3.130 in the Remote Gateway text box.
[Figure: Property: Name ToNetScreen; Gateway Policy Information: My ZyWALL 172.22.3.89, Remote Gateway 172.22.3.130]
6. In Authentication Key, enter the key string 12345678 in the Pre-Shared Key text box.
[Figure: Authentication Key: Pre-Shared Key 12345678; certificate auto_generated_self_signed_cert (See My Certificates); Local ID and Peer ID 0.0.0.0]
7. Set Negotiation Mode to Main mode, Encryption Algorithm to DES, Authentication Algorithm to MD5, Key Group to DH1, and then click the Apply button on this page.
[Figure: IKE Proposal: DES, MD5, SA life time 28800; Associated Network Policies: Local Network, Remote Network]
8. You will see an IKE rule on your VPN page; click the L/R button to edit your IPSec rule.
[Figure: VPN > VPN Rules page with tabs VPN Rules, Manual, SA Monitor, Global Setting, showing the VPN tunnel]
9. Check the Active check box and give a name to this policy.
Property: ToNetScreen IPS
66. use the PKI function, please use the self-signed certificate. Check here for how to configure it.
G14 How can I have a self-signed certificate for a ZyXEL appliance?
Each ZyXEL appliance provides a self-signed certificate along with the default configuration file. You can check the content of the self-signed certificate in the web GUI.
G15 Can I create self-signed certificates in addition to the default one?
Yes, you can create self-signed certificates of your own by selecting the self-signed category when creating My Certificates.
G16 Will the self-signed certificate be erased if I reset to the default configuration file?
Yes, the original self-signed certificate will be erased, but the ZyXEL appliance will create a new self-signed certificate at its first boot-up after resetting the configuration. The new self-signed certificate is different from the original one, so users also need to export the new self-signed certificate to the appliance's peer if they would like to use PKI for VPN.
G17 Will certificates stored in the ZyXEL appliance be erased if I reset to the default configuration file?
Yes, My Certificates, Trusted CAs' certificates and Trusted Remote's certificates will be totally erased after erasing the configuration file. Users need to enroll My Certificates and import Trusted CAs' certificates and Trusted Remote's certificates again.
G18 What can I do prior to resetting the appliance's configuration?
You can export Trusted CAs' certificates and Trusted Remote's
67. F21 Will ZyXEL support Secure Remote Management?
Yes, we will support it and we are working on it currently.
F22 Does ZyWALL VPN support NetBIOS broadcast?
Yes, the ZyWALL does support NetBIOS broadcast over VPN.
F23 Is the host behind NAT allowed to use IPSec?
VPN Gateway with embedded NAT: AH tunnel mode, ESP tunnel mode
VPN client/gateway behind NAT: ESP tunnel mode
NAT in Transport mode: None
The NAT router must support IPSec pass-through. For example, for ZyWALL NAT routers, IPSec pass-through is supported since ZyNOS 3.21. The default port and the client IP have to be specified in the NAT menu (Server Setup).
F24 How do I configure ZyWALL with NAT for internal servers?
Generally, without IPSec, to configure an internal server for outside access we need to configure the server's private IP and its service port in the NAT Server Table. However, if both NAT and IPSec are enabled in ZyWALL, editing the table is necessary only if the connection is a non-secure connection. For secure connections, no NAT server settings are required, since the private IP is reachable in the VPN case.
[Figure: host, ZyWALL (NAT), ADSL modem, Internet, secure host and non-secure host]
F25 I am planning my ZyWALL behind a NAT router. What do I need to know?
Some tips for this: the NAT router must support pass-through of the IPSec protocol. Only ESP
68. 1, DES for Encryption Algorithm and MD5 for Authentication Algorithm. Select the Main (ID Protection) option for Mode (Initiator). Then press the Return button and press the OK button on the next page to save your settings.
[Figure: Security Level: Predefined (Standard, Compatible, Basic) / User Defined (Custom); Phase 1 Proposal DES, MD5; Mode (Initiator): Main (ID Protection), Aggressive]
7. When you have finished the settings, you will see an IKE rule on the page.
[Figure: VPNs > AutoKey Advanced > Gateway list with columns Name, Type, Address/ID/User Group, Local ID, Security Level, Configure; entry ToZyWALL, Static, Custom, Edit]
8. To edit your IPSec rule, click VPNs > AutoKey IKE and then press the New button to edit your IPSec rules.
9. Give a name for your VPN, for example ToZyWALL IPSec. On Remote Gateway, choose the Predefined option and select the ToZyWALL rule. Then press the Advanced button to edit the advanced settings.
[Figure: AutoKey IKE: VPN Name ToZyWALL IPSec; Security Level Standard, Compatible, Basic, Custom; Remote Gateway: Predefined ToZyWALL, or Create a Simple Gateway (Gateway Name; Type: Static IP Address, Hostname, Dynamic IP, Peer ID, Dialup User, Dialup Group; Local ID (optional); Preshared Key, Use As Seed); Security Level Standard
69. 1x
IEEE 802.1x (Port-Based Network Access Control) is an IEEE (Institute of Electrical and Electronics Engineers) standard which specifies a standard mechanism for authenticating, at the link layer (Layer 2), users' access to IEEE 802 networks such as Ethernet (IEEE 802.3) and Wireless LAN (IEEE 802.11). For IEEE 802.11 WLAN, IEEE 802.1x authentication can be based on username/password or digital certificate.
H18 Can I use WiFi access when I plug a 3G wireless card into the PCMCIA slot?
Yes, since the ZyWALL 2WG has an embedded wireless card for 802.11a/b/g wireless access.
70. E15 How many URL keywords does ZyWALL support? 240
E16 How do I keep the database of Content Filtering service updated? 241
E17 What is BlueCoat Filter list? 241
E18 How many ratings does the BlueCoat database contain? 241
E19 How often does BlueCoat update the database? 241
E20 How do I locate sites to block? 241
E21 Do humans review the ratings? 242
E22 What can I do if I find a web site is mis-categorized? 242
E23 How many and what categories do you provide? 242
E24 How does the ZyXEL content filtering handle dynamically generated sites? 244
E25 Does BlueCoat have more than one data center? Is the BlueCoat Web Filter geographically load balanced? 244
E26 Who can generate and view reports on the BlueCoat web site? 244
E27 How can I get a Content Filtering report? 244
E28 Can I change the password for BlueCoat service? 244
E29 Which User Name & Password should I input for Content Filtering report? 245
E30 My device can't get connected to http://myZyXEL.com, so I can't get into the Registration page. What should I check?
71. [Figure: VPN rule on ZyWALL A: Property; Extended Authentication: Local User; Local Policy: Subnet Address; Remote Policy: Subnet Address; Authentication Method: pre-shared key 12345678; ZyWALL B Gateway Information: DDNS louisezywall.dyndns.org; IPSec Algorithm: DES, MD5; Advanced, Apply, Cancel]
13. You can check the detailed settings by clicking the Advanced button.
[Figure: Advanced page with fields Negotiation Mode, Encryption Algorithm, Authentication Algorithm, SA Life Time (Seconds), Key Group, Active Protocol, Encryption Algorithm, Authentication Algorithm, SA Life Time (Seconds), Encapsulation, Perfect Forward Secrecy (PFS), Enable Replay Detection, Protocol, Local Port Start/End, Remote Port Start/End]
Using Pre-Shared Key for Device Authentication
The IKE protocol also provides primary authentication, verifying the identity of the remote system before negotiating the encryption algorithm and keys. Two kinds of authentication methods are supported on ZyWALL: pre-shared key and certificate. If a pre-shared key is used, a shared symmetric key must be manually exchanged and configured on the two entities. Three types of identity are available: IP, DNS and E-mail
72. 3 (192.168.1.20) to IGA3. The Server type allows us to specify multiple servers of different types to other machines behind NAT on the LAN.
Rule 1 Setup: Select the One-to-One type to map FTP Server 1 with ILA 192.168.1.10 to IGA1 200.1.1.1.
[Figure: SUA/NAT Address Mapping rule with fields Type, Local Start IP, Local End IP, Global Start IP, Global End IP]
Rule 2 Setup: Select the One-to-One type to map FTP Server 2 with ILA 192.168.1.11 to IGA2 200.1.1.2.
Rule 3 Setup: Select the Many-to-One type to map the other clients to IGA3.
Rule 4 Setup: Select the Server type to map our web server and mail server with ILA3 192.168.1.20 to IGA3.
When we have configured all four rules, the rule summary page is as follows.
[Figure: NAT Address Mapping Rules page (Local Start IP, Local End IP, Global Start IP, Global End IP) and Port Forwarding page (Port Translation, Server IP Address)]
Please note that if you turn on ZyWALL's firewall function, then you should add a firewall rule from WAN to LAN to forward the incoming connections. If you would like to only allow traffic going to the
73. 14. Secure Gateway IP Addr is the SonicWALL's WAN IP address. In this example you should type the IP address 172.22.1.251 in the Remote Gateway text box.
[Figure: Property: Name ToSonicWALL; Gateway Policy Information: My ZyWALL, Remote Gateway 172.22.1.251]
15. In Authentication Key, enter the key string 12345678 in the Pre-Shared Key text box.
[Figure: Authentication Key: Pre-Shared Key 12345678; certificate auto_generated_self_signed_cert (See My Certificates); Local ID IP 0.0.0.0; Peer ID IP 0.0.0.0]
16. Set Negotiation Mode to Main mode, Encryption Algorithm to DES, Authentication Algorithm to MD5, Key Group to DH1, and then press the Apply button on this page.
[Figure: IKE Proposal; Associated Network Policies: Local Network, Remote Network]
17. You will see an IKE rule on your VPN page; press the L/R button to edit your IPSec rule.
[Figure: VPN > VPN Rules page showing the VPN tunnel to the Internet]
18. Check the Active check box and give a name to this policy.
[Figure: Property: ToSonicWALL IPSecRule]
19. On Gateway Policy Information, choose the ToSonicWALL IKE policy for your IPSec rule.
[Figure: Gateway Policy Information: Gateway Policy ToSonicWALL; Local Network]
[Screenshot: Filter: Destination IP Address, Destination Subnet Mask, Destination Port]
[Screenshot: Class Configuration: Class Name, Bandwidth Budget, Priority, Borrow bandwidth from parent class. Filter Configuration: Enable Bandwidth Filter (checked), Destination IP Address, Destination Subnet Mask 255.255.255.0, Destination Port 2121, Source IP Address, Source Subnet Mask, Source Port 0, Protocol ID]
Key Settings:
Class Name: Give this class a name, for example App.
Bandwidth Budget: Configure the speed you would like to allocate to this class.
Priority: Enter a number between 0 and 7 to set the priority of this class. The higher the number, the higher the priority. The default setting is 3.
Borrow bandwidth from parent class: Check this box if you would like to let this class borrow bandwidth from its parents when the required bandwidth is higher than the configured amount. Do not check this if you want to limit the bandwidth of this class at the configured value. Please note that you should also disable Maximize Bandwidth Usage on the interface to meet this condition.
Enable Bandwidth Filter: Check this to specify the traffic types via IP addresses and port numbers.
Destination IP Address: Enter the IP address of the destination that meets this class.
Destination Subnet Mask: Enter the destination subnet mask.
Destination Port: Enter the destination port number of the traffic.
Source IP Address: Enter the IP address of the source that meets this class. Note that for traff...
[Screenshot: Local Network: IP Address 192.168.2.0, Subnet Mask 255.255.255.0]
12. On Remote Network, choose Subnet Address for your Address Type. Starting IP Address and Ending IP Address/Subnet are your remote site LAN IP addresses. In this example, you should type 192.168.1.0 in the Starting IP Address field and then type 255.255.255.0 in the Ending IP Address/Subnet field.
[Screenshot: Remote Network: Address Type Subnet Address; Ending IP Address/Subnet 255.255.255.0]
13. On IPSec Proposal, select Encapsulation Mode to Tunnel, Active Protocol to ESP, Encryption Algorithm to DES and Authentication Algorithm to SHA1, and then press the Apply button on this page.
[Screenshot: IPSec Proposal]
14. After you press the Apply button, you will see the following page.
[Screenshot: VPN rules: ToFortiNet, 172.22.1.147 to 172.22.2.138; ToFortiNet_IPSecRule, 192.168.2.0 to 192.168.1.0]
2. Setup FortiNet VPN
We choose the FortiGate-60 device in this example.
1. Using a web browser, login to FortiNet by giving the LAN IP address of FortiNet in the URL field.
2. To edit your IPSec rule, click VPN > IPSec > Phase 1 and then press the Create New button to edit your IKE rules.
[Screenshot: Phase 1 / Phase 2 / Manual Key / Concentrator / Ping Generator / Monitor; Gateway Name, Gateway IP, Encryption Algorithm]
3. Give a name for your poli...
...maps multiple ILA to one IGA. This is equivalent to SUA (i.e. PAT, port address translation), ZyXEL's Single User Account feature that previous ZyNOS routers supported (the SUA Only option in today's routers).
3. Many-to-Many Overload: In Many-to-Many Overload mode, the ZyWALL maps the multiple ILA to shared IGA.
4. Many One-to-One: In Many One-to-One mode, the ZyWALL maps each ILA to a unique IGA.
5. Server: In Server mode, the ZyWALL maps multiple inside servers to one global IP address. This allows us to specify multiple servers of different types behind the NAT for outside access. Note: if you want to map each server to one unique IGA, please use the One-to-One mode.
The following table summarizes these types:
NAT Type                IP Mapping
One-to-One              ILA1 <-> IGA1
Many-to-One (SUA/PAT)   ILA1 <-> IGA1, ILA2 <-> IGA1
Many-to-Many Overload   ILA1 <-> IGA1, ILA2 <-> IGA2, ILA3 <-> IGA1, ILA4 <-> IGA2
Many One-to-One         ILA1 <-> IGA1, ILA2 <-> IGA2, ILA3 <-> IGA3, ILA4 <-> IGA4
Server                  Server 1 IP <-> IGA1, Server 2 IP <-> IGA1
SUA Versus Multi-NAT
SUA (Single User Account): If you get only one public IP address from your ISP, then you should use SUA. With SUA, PCs on the ZyWALL's LAN side can access the Internet without further configuration. If you have internal serve...
...LL 1 and ZyWALL 2 according to the network topology as planned.
- Create the IPSec Gateway Policy on ZyWALL 1 and ZyWALL 2.
- Create the IPSec Network Policy on ZyWALL 1 and ZyWALL 2.
- Trigger the IPSec VPN connection between ZyWALL 1 and ZyWALL 2.
- Verify the functionality of NAT over IPSec via the Ping command.
STEP 1: Configuring the Network Setting on the ZyWALL 1 and ZyWALL 2
Launch a web browser window and log on to the ZyWALL's web configurator. Configure the LAN and WAN interfaces according to the application scenario and network topology you planned. Configure both of the ZyWALLs' LAN and WAN interfaces with the proper IP address and network mask.
[Screenshot: ZyWALL 1 (Local) Interfaces: WAN 1 100M/Full 192.168.4.254 Static; WAN 2 Down 0.0.0.0 DHCP client; Dial Backup Down 0.0.0.0 N/A; LAN 100M/Full 172.16.1.1 DHCP server N/A; WLAN 100M/Full 0.0.0.0 Static N/A; DMZ 100M/Full 0.0.0.0 Static N/A]
[Screenshot: ZyWALL 2 Interfaces: WAN 1 100M/Full 192.168.5.254 Static; WAN 2 Down DHCP client; Dial Backup Down 0.0.0.0 N/A; LAN 100M/Full 172.16.1.1 DHCP server; WLAN 100M/Full 0.0.0.0 Static; DMZ 100M/Full 0.0.0.0 Static]
Zy...
...Manager can be switched on/off independently for each interface.
[Screenshot: Bandwidth Management Setup: Class Active, Speed (kbps), Scheduler, Maximize Bandwidth Usage; WAN 100000 Priority-Based]
Key Settings:
Active: Check the box to enable BWM on the interface. Note that if you would like to manage traffic from WAN to LAN, you should apply BWM on the LAN interface.
Speed: Enter the total speed to manage on this interface. This value is the budget of the class tree's root.
Scheduler: Choose the principle to allocate bandwidth on this interface. Priority-Based allocates bandwidth via priority; Fairness-Based allocates bandwidth by ratio.
Maximize Bandwidth Usage: Check this box if you would like to give residual bandwidth from the interface to the classes that need more bandwidth than the configured amount. Do not select this if you want to reserve bandwidth for traffic that does not match a bandwidth class, or you want to limit the bandwidth of each class at the configured value. Please note that to meet the second condition you should also disable bandwidth borrowing on the class.
Go to ADVANCED > BW MGMT > Class Setup and select the interface on which you would like to set up the class tree. Click the radio button beside the Root Class, then press Add Sub-Class.
Key Settings: Class Name, Bandwidth Budget, Priority, Bandwidth Borrowing, Enable Bandwidth...
...N or backup WAN, or work with your primary WAN (Ethernet or PPP) together as a dual WAN application.
[Figure: 3G/WiFi 3G Data Card Access: Primary WAN, Backup WAN, Dual WAN (LB); 3G card; Internet]
Utilize 3G and Wireless for the Internet Access
In the following we will show you how to configure it step by step.
Utilize 3G card to get Internet access
1. Plug the 3G card into the ZyWALL 2WG's card slot before powering on the ZyWALL 2WG device.
2. Login to the GUI. After the system boots up, you can see the 3G card information on the home page. Make sure there is no Error message in the 3G Card IMEI and SIM Card IMSI fields. Otherwise you need to re-install the 3G card and the SIM card and make sure they are properly installed. Please refer to the quick start guide if you need to troubleshoot because of an error message.
[Screenshot: ZyWALL home page. System Information: System Name, Model ZyWALL 2WG, Bootbase Version, Firmware Version, Up Time 00:01:20, System Time 2001-01-01 00:43:21 GMT, Device Mode Router, Firewall Enabled. System Resources: Memory 23/32 MB, Sessions 20/2000, CPU 1%. Interfaces: Status, IP/Net...]
... 250
F18 Does ZyWALL support dynamic secure gateway IP? 251
F19 What VPN gateway has been tested with ZyWALL successfully? 251
F20 What VPN software has been tested with ZyWALL successfully? 251
F21 Will ZyXEL support Secure Remote Management? 252
F22 Does ZyWALL VPN support NetBIOS broadcast? 252
F23 Is the host behind NAT allowed to use IPSec? 252
F24 How do I configure ZyWALL with NAT for internal servers? 252
F25 I am planning my ZyWALL behind a NAT router. What do I need to know? 252
F26 Where can I configure Phase 1 ID in ZyWALL? 253
F27 How can I keep a tunnel alive? 253
F28 Single, Range, Subnet: which types of IP address does ZyWALL support? 254
F29 Does ZyWALL support IPSec pass-through? 254
F30 Can ZyWALL behave as a NAT router supporting IPSec pass-through and an IPSec gateway simultaneously? 254
G PKI FAQ 254
G01 Basic Cryptography Concept 254
G02 What is PKI? 255
G03 What are the security services PKI provide...
...Select All.
In this support note we utilize the certificate enrollment service from a Microsoft Windows 2000 CA server. The enrollment procedure of your CA server may be different; you may need to check your CA service provider for details. For how to set up a Windows 2000 CA server, users may refer to http://www.microsoft.com.
2. Issue the URL to access the CA server and type in the User Name, Password and Domain fields.
[Screenshot: Internet Explorer, Address http://192.168.1.33/certsrv. Enter Network Password dialog: Site 192.168.1.33, User Name test2, Password, Domain eso.local, Save this password in your password list]
3. Select Request a Certificate, then press the Next > button.
[Screenshot: Microsoft Certificate Services welcome page at http://192.168.1.33/certsrv: "Welcome. You use this web site to request a certificate for you..."]
[Screenshot: Source, Proxy ID, Destination: ToZyWALL IPsec; 192.168.1.x / 192.168.2.x]
Remote Access VPN Scenario
The remote access VPN scenario is to provide remote users secure connections to access the corporate network over a public networking infrastructure. VPN has become the logical solution for remote access connectivity. Deploying a remote access VPN enables corporations to reduce communications expenses by leveraging the infrastructures of Internet service providers. At the same time, VPN allows remote users to take advantage of broadband connectivity. Remote users (e.g. mobile users, telecommuters) may use dial-up, ISDN, digital subscriber line (DSL) or cable technologies to gain Internet access.
[Figure: Internet, ZyWALL, remote user]
Because the IP address is dynamically assigned by service providers, the Remote Gateway Address of the gateway policy must be configured with 0.0.0.0 or a domain name. If 0.0.0.0 is used as the Remote Gateway Address, ZyWALL accepts all attempts from any IP address and authenticates the remote VPN device with a pre-shared key or certificate. If the remote entity passes authentication, ZyWALL and the remote entity wi...
...VPN gateway ZyWALL uses a static public IP address.
[Figure: Static Public IP on WAN; Peer VPN Gateway]
1. Configure the static public IP address on the WAN interface through Network > WAN > WAN IP Address Assignment.
2. Enter the WAN IP address as My Address in the Gateway Policy.
3. On the peer VPN gateway, use the same IP address as the Remote Gateway Address in the Gateway Policy.
On the local VPN gateway, select IP as the Local ID Type and enter the public WAN IP address as the content of the identity. On the remote VPN peer, select IP as the Peer ID Type and enter the same IP address as the content of the identity.
Configure ZyWALL with Dynamic WAN IP Address
This section describes an example configuration of ZyWALL with a dynamic WAN IP address. If ZyWALL uses PPPoE or Ethernet/DHCP for its Internet connection, the WAN IP address is dynamically assigned by the ISP. Since ZyWALL has no idea about its WAN IP address before it is assigned, it is difficult or impossible to use the WAN IP address for My Address in the Gateway Policy. To overcome this problem, Dynamic DNS can be used to resolve the VPN gateway. When a new IP address is assigned to ZyWALL's WAN interface, ZyWALL will update the related record in the DDNS server. Therefore the peer VPN gateway can r...
...WALL 2 (Remote)
STEP 2: Create the Gateway Policy (Phase 1) on the ZyWALL 1 and ZyWALL 2
Click Security > VPN > Add Gateway Policy in order to add a new IPSec VPN Gateway Policy. Assign My Address on ZyWALL 1 with IP address 172.16.4.254 and the Primary Remote Gateway as 172.16.5.254. Assign My Address on ZyWALL 2 with IP address 172.16.5.254 and the Primary Remote Gateway as 172.16.4.254.
[Screenshot: Gateway Policy on ZyWALL 1: Property, Gateway Policy Information, Authentication Key, My Certificates]
[Screenshot: Gateway Policy on ZyWALL 1 (continued): Extended Authentication, IKE Proposal, Associated Network Policies]
Click Apply in order to complete the settings. Repeat the steps for ZyWALL 2.
[Screenshot: Gateway Policy on ZyWALL 2: Property, Gateway Policy Information (192.168.5.254, DDNS None), Authentication Key, Extended Authentication (Local User, RADIUS), IKE Proposal, Associated Network Policies, Cancel]
STEP 3: Create the Network Policy (Phase 2) on the ZyWALL 1 and ZyWALL 2
After completing the settings for the Gateway Policy, click Add Network Policy to add a network...
What are the basic types of firewalls?
Conceptually, there are three types of firewalls:
1. Packet Filtering Firewall
2. Application-level Firewall
3. Stateful Inspection Firewall
Packet Filtering Firewalls generally make their decisions based on the header information in individual packets. This header information includes the source/destination addresses and ports of the packets.
Application-level Firewalls generally are hosts running proxy servers, which permit no traffic directly between networks and which perform logging and auditing of traffic passing through them. A proxy server is an application gateway or circuit-level gateway that runs on top of a general operating system such as UNIX or Windows NT. It hides valuable data by requiring users to communicate with secure systems by means of a proxy. A key drawback of this device is performance.
Stateful Inspection Firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol. They also inspect the session data to assure the integrity of the connection and to adapt to dynamic protocols. The flexible nature of Stateful Inspection firewalls generally provides the best speed and transparency; however, they may lack the granular application-level access control or caching that some proxies support.
...
ZyWALL 2WG Security Appliance Support Notes
Version 4.03, Sep 2007
ZyXEL, Networking Power
ZyXEL ZyWALL 2WG Support Notes
INDEX
Application Notes 9
... 9
Utilize 3G and Wireless for the Internet Access 10
Seamless Incorporation into your network 18
Using Transparent Bridge Mode Firewall 18
Internet Connection 24
DHCP Server/Client/Relay 25
Using NAT/Multi-NAT 26
Optimize network performance & availability 35
Using Bandwidth Management 35
Secure Connections across the Internet 43
Site-to-Site VPN (Intranet Scenario) 43
Configure ZyWALLs with Static WAN IP Address 43
Configure ZyWALL with Dynamic WAN IP Address 44
Configure ZyWALL behind NAT Router 46
Mapping multiple Netwo...
[Figure: IPSec Tunnel between ZyWALL and Check Point; 192.168.2.0/24; Check Point Network Objects tree: Nodes, Interoperable Devices, New Network, Delete, Query Objects]
21. Give a name for your network policy and set the network IP address to 192.168.1.0/24. Then press the OK button to save the settings.
[Screenshot: Network Properties - Net_192.168.1.0. General: Name Net_192.168.1.0, Network Address 192.168.1.0, Net Mask 255.255.255.0, Comment, Color, Broadcast address: Included / Not included]
22. Add another network policy and set the network IP address to 192.168.2.0/24. Then press the OK button to save the settings.
[Screenshot: Network Properties - Net_192.168.2.0. General: Name Net_192.168.2.0, Network Address 192.168.2.0, Net Mask 255.255.255.0, Broadcast address: Included / Not included]
IV. Setup VPN Communities
23. Click the VPN Communities tab to do the settings.
[Screenshot: VPN Communities tab; Do not show empty folders]
25. On General settings, give a name for your VPN community, for example CheckPoint_ZyWALL.
[Screenshot: Community Traffic Security...]
[Figure: USA Office 2, Internet Management, Intranet Management]
To manage your ZyWALLs through Vantage CNM, users need to prepare a Vantage CNM server and 3rd party FTP, Syslog and Telnet servers. For the detailed installation and registration process to myZyXEL.com, please refer to the Vantage CNM Support Note.
[Figure: Vantage CNM Server, Agent, ZyXEL Devices, Internet, Group; DES/3DES]
In the following section we will explain how to add your ZyWALL to the Vantage CNM server manually. Note that ZyWALL must be registered on Vantage CNM before it can be managed via Vantage CNM. In the following section we will explain how to register the device manually. Devices can also be added or imported to Vantage CNM through XML files. For detailed operation, please refer to the Vantage CNM Support Note. Please check the CNM Reference Guide for XML description files (pdf) for a detailed description.
Add device manually
Step 1: Left-click on the folder (e.g. AAA) and go to Device >> Registration.
[Screenshot: https://127.0.0.1 Vantage CNM 2.1: Status, Synchronize, Firmware Mgmt, Firmware Upgrade, Configuration File]
Step 2: Select Manual Add and press Next. Select No to not associate the device with the device owner now, then press Next.
[Screenshot: Device >> Registration: Welcome to the Device Registration Wizard]
[Screenshot: certificate list: ZyXEL, C=TW, CERT CN=Administrator, validity in GMT; Create, Refresh]
17. Repeat the same procedure from 9 to 13 to export the CA's certificate. Note that you may get more than one CA server's certificate; it is not necessary to export all of the CA server's certificates. You can double-click ZyWALL's certificate (zywall_a cert cert in this example) and select Certification Path to view the nearest CA server's name, and then export that CA server's certificate.
Import the saved CA server's certificate: click the Browse button and then select the location.
[Screenshot: CERTIFICATES > Trusted CAs: Trusted CA Setting: Name, Subject, Issuer, Valid From, Valid To, Modify]
Step 3: Create Certificate Request on ZyWALL_B
1. Go to VPN > My Certificates > click the Create button.
[Screenshot: CERTIFICATES > Trust...]
... 209
To filter non-work related and unproductive web surfing to mitigate spyware and phishing threats 209
Centralized Management 216
Using Vantage CNM for Management 216
FAQ 221
A. Product FAQ 221
A01 What is the ZyWALL Internet Access Sharing Router? 221
A02 Will the ZyWALL work with my Internet connection? 222
A03 What do I need to use the ZyWALL? 222
A04 What is PPPoE? 222
A05 Does the ZyWALL support PPPoE? 222
A06 How do I know I am using PPPoE? 222
A07 Why does my Internet Service Provider use PPPoE? 222
A08 How can I configure the ZyWALL? 223
A09 What can we do with ZyWALL? 223
A10 Does ZyWALL support dynamic IP addressing? 223
A11 What is the difference between the internal IP and the real IP from my ISP? 223
A12 How does e-m...
[Device label residue: This device may not cause harmful interference. This device must accept any interference received, including interference that may cause undesired operation.]
...password is the password to login to http://myZyXEL.com.
E30: My device can't get connected to http://myZyXEL.com so I can't get into the Registration page. What should I check?
1. Please check that Internet access is OK by launching an Internet browser and connecting to a public web site.
2. If your ZyWALL is using a Static or Fixed WAN IP address, please make sure that you have configured the DNS server's IP address for the device in System > General > System DNS Servers or Maintenance > General > System DNS Server.
F. IPSec FAQ
F01: How to count my VPN tunnels on ZyWALL?
On 3.64, multiple Network Policies (IKE Phase 2) can be mapped to the same Gateway Policy (IKE Phase 1). ZyWALL counts the Network Policies as VPN tunnels. In the following example, two network policies Network_1 and Network_2 are mapped to the same gateway policy Gateway_1. In this case this will be counted as two VPN tunnels.
[Screenshot: VPN Rules (IKE) / VPN Rules (Manual) / SA Monitor / Global Setting: Local Network, Internet, Remote Network; 2 VPN Tunnels; Gateway_1 with Network_1 and Network_2; Recycle Bin]
F02: What is VPN?
A VPN gives users...
...ail work through the ZyWALL? 223
A13 Is it possible to access a server running behind NAT from the outside Internet? If possible, how? 223
A14 What DHCP capability does the ZyWALL support? 224
A15 How do I use the reset button? Moreover, what fields of parameters will be reset by the reset button? 224
A16 What network interface does the new ZyWALL series support? 224
A17 How does the ZyWALL support TFTP? 224
A18 Can the ZyWALL support TFTP over WAN? 224
A19 How can I upload data to the outside Internet over the one-way cable? 224
A20 My ZyWALL can not get an IP address from the ISP to connect to the Internet, what can I do? 225
A21 What is BOOTP/DHCP? 225
A22 What is DDNS? 225
A23 When do I need DDNS service? 226
A24 What DDNS servers does the ZyWALL support? 226
A25 What is DDNS wildcard? 226
A26 Does the ZyWALL support DDNS wildcard...
...and PPTP. Select the correct encapsulation type from the drop-down menu. The wizard will request the related information needed. These fields vary depending on what you select in the Encapsulation field. Fill them in with the information exactly as given by the ISP or network administrator.
The following picture is an example when PPPoE is selected.
[Screenshot: ISP Parameters for Internet Access; WAN IP Address Assignment]
Once the required information is correctly configured, click on the Finish button to apply the setting, and then you have finished configuring Internet Access on the WAN link.
DHCP server/client/relay
ZyWALL supports:
1. DHCP client on the WAN port. The user can choose either a static IP or a dynamic IP address for the WAN port. When choosing dynamic IP, ZyWALL will get a DHCP IP address from the ISP or an upper layer DHCP server.
2. DHCP server/relay/none on the LAN ports. ZyWALL supports a DHCP server for LAN ports, but also:
1. When choosing the DHCP setting as None, the LAN will NOT assign IP addresses to the associated hosts. Client PCs need to configure their IP address manually.
2. When choosing the DHCP setting as Server, the LAN will automatically assign IP, subnet, gateway and DNS to the associated c...
...and clients.
H14: What is WEP?
Wired Equivalent Privacy (WEP) is a security mechanism defined within the 802.11 standard and designed to make the security of the wireless medium equal to that of a cable (wire). WEP data encryption was designed to prevent access to the network by intruders and to prevent the capture of wireless LAN traffic through eavesdropping. WEP allows the administrator to define a set of respective keys for each wireless network user based on a key string passed through the WEP encryption algorithm. Access is denied to anyone who does not have an assigned key. WEP comes in 40/64-bit and 128-bit encryption key lengths. Note: WEP has been shown to have fundamental flaws in its key generation processing.
H15: What is a WEP key?
A WEP key is a user-defined string of characters used to encrypt and decrypt data.
H16: By turning off the broadcast of SSID, can someone still sniff the SSID?
Many APs by default have broadcasting of the SSID turned on. Sniffers typically will find the SSID in the broadcast beacon packets. Turning off the broadcast of the SSID in the beacon message (a common practice) does not prevent getting the SSID, since the SSID is sent in the clear in the probe message when a client associates to an AP; a sniffer just has to wait for a valid user to associate to the network to see the SSID.
H17: What is 802...
...ase negotiation.
F12: Is my ZyWALL ready for IPSec VPN?
IPSec VPN is available for ZyWALL since ZyNOS V3.50. It is a free upgrade; no registration is needed. By upgrading the firmware and also the configuration (romfile) to ZyNOS V3.50, the IPSec VPN capability is ready in your ZyWALL. You can then configure VPN via the web configurator. Please download the firmware from our web site.
F13: How do I configure ZyWALL VPN?
You can configure ZyWALL for VPN via the web GUI. ZyWALL 1 supports Web only.
F14: What VPN protocols are supported by ZyWALL?
All ZyWALL series support ESP (protocol number 50) and AH (protocol number 51).
F15: What types of encryption does ZyWALL VPN support?
ZyWALL supports 56-bit DES and 168-bit 3DES.
F16: What types of authentication does ZyWALL VPN support?
VPN vendors support a number of different authentication methods. ZyWALL VPN supports both SHA1 and MD5.
AH provides authentication, integrity and replay protection, but not confidentiality. Its main difference with ESP is that AH also secures parts of the IP header of the packet (like the source/destination addresses), but ESP does not. ESP can provide authentication, integrity, replay protection and confidentiality of the data (it secures everything in the packet that follows the header). Replay protection requires authentication and integrity (these two go always t...
...ase64 Encoded Format
[Base64-encoded certificate data omitted]
[Screenshot buttons: Export, Apply, Cancel]
Then import the certificate to the other ZyWALL VPN gateway. Go to the other ZyWALL and click the Import button under CERTIFICATES > Trusted Remote Hosts.
[Screenshot: Trusted Remote Host Certificates. Issuer: My Default Self-signed Certificate CN=ZyWALL 1000 00A0C5012345. Columns: Name, Subject, Valid From, Valid To, Modify. Buttons: Import, Refresh]
Select the certificate from the local computer.
Please specify the location of the certificate file to be imported. The certificate file must be in one of the following formats: Binary X.509, PEM (Base64-encoded) X.509, Binary PKCS#7, PEM (Base64-encoded) PKCS#7.
[Screenshot: Trusted Remote Host Certificates. Issuer: My Default Sel...]
...ate Bandwidth Management on the interface on which you want to control. In this example it is LAN. Assign 2048 Kbps to the LAN interface.
[Screenshot: Bandwidth Management: Class Setup / Monitor. Setup: Speed (kbps), Scheduler, Maximize Bandwidth Usage, Class Active; Apply, Reset]
Step 2: Go to Class Setup and select LAN from the drop-down list of Interface. Click on Root Class and then click on Add Sub-Class to create and add a new class under root.
[Screenshot: Class Setup]
We add a service and allocate 400 kbps for FTP destined to FTP Client A. Select the Service as FTP from the drop-down list. Input Client A's IP address as Destination IP Address.
[Screenshot: Class Name, Bandwidth Budget, Priority, Borrow bandwidth from parent class, Enable Bandwidth Filter, Destination Port, Source IP Address, Source Subnet Mask, Source Port, Protocol ID]
Step 3: Add another service and allocate 800 kbps for FTP destined to FTP Client B. Select the Service as FTP from the drop-down list. Input Client B's IP address as Destination IP Address.
[Screenshot: Class Name, Bandwidth Budget 800, Priority 3 (0-7), Borrow bandwidth from parent class, Enable Bandwidth Filter, Destination IP Address, Destination Subnet Mask, Destination Port, Source IP Address, Source Subnet Mask, Source Port, Protocol ID]
...
98. 11. Choose DER encoded binary X.509 (.CER), then press Next >. 12. Specify the path to store your exported certificate. 13. Click Finish. The wizard summary shows the settings you specified: Export keys: No; Include all certificates in the certification path: No; File Format: DER En 14. Go to ZyWALL WEB GUI > VPN > My Certificates > click the Import button.
99. ay for all data passing between the Internet and the LAN. For some reason (load balance or a backup line) users may want traffic to be re-routed to another Internet access device while still being protected by the ZyWALL. In such a case the network topology is the most important issue. Here is a common example where people mis-deploy LAN traffic redirect and static route. The above figure indicates the triangle route topology. It works fine if you turn off the firewall function on the ZyWALL box. However, if you turn on the firewall, your connection will be blocked by the firewall for the following reason. Step 1: Being the default gateway of the PC, the ZyWALL receives all outgoing traffic from the PC. Step 2: Because of the static route / traffic redirect / policy routing, the ZyWALL forwards the traffic to another gateway (the ISDN router), which is in the same segment as the ZyWALL's LAN. Step 3: However, the return traffic won't go back to the ZyWALL; instead the other gateway (the ISDN router) sends the traffic back to the PC directly, because the gateway (say P201) and the PC are in the same segment. When the firewall is turned on, the ZyWALL checks the outgoing traffic by ACL and creates dynamic sessions to allow return traffic to go back. To achieve anti-DoS, the ZyWALL sends RST packets to the PC and the peer since it never receives the TCP SYN-ACK packet. Thus the c
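The three steps above can be followed in a small model of the stateful firewall. The code below is an added example and not ZyXEL's firmware logic: it keeps a dynamic session entry per outbound SYN, and the PC and peer addresses are constructed. In the symmetric case the SYN-ACK passes the firewall and the session becomes established; in the triangle-route case the firewall never sees the SYN-ACK, so the PC's ACK arrives for a half-open entry and the firewall answers with RST, exactly the anti-DoS behaviour the note describes.

```python
"""Added example (not ZyXEL code): why a stateful firewall breaks the
triangle route. Addresses below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # "SYN", "SYN-ACK" or "ACK"


Key = Tuple[str, int, str, int]   # 4-tuple as seen from the LAN side


class StatefulFirewall:
    """Dynamic ACL: sessions are created by outbound SYNs and only return
    traffic matching a tracked session is allowed back in."""

    def __init__(self) -> None:
        self.sessions: Dict[Key, str] = {}   # key -> "SYN_SENT" | "ESTABLISHED"

    @staticmethod
    def _key(pkt: Packet, reverse: bool = False) -> Key:
        if reverse:   # replies are looked up against the originating 4-tuple
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def outbound(self, pkt: Packet) -> str:
        key = self._key(pkt)
        if pkt.flags == "SYN":
            self.sessions[key] = "SYN_SENT"
            return "forward (dynamic session created)"
        if self.sessions.get(key) == "ESTABLISHED":
            return "forward"
        # An ACK for a handshake the firewall never saw complete: the note's
        # anti-DoS rule resets both ends instead of forwarding.
        self.sessions.pop(key, None)
        return "RST to PC and peer (SYN-ACK never seen)"

    def inbound(self, pkt: Packet) -> str:
        key = self._key(pkt, reverse=True)
        state = self.sessions.get(key)
        if state == "SYN_SENT" and pkt.flags == "SYN-ACK":
            self.sessions[key] = "ESTABLISHED"
            return "forward (session established)"
        if state == "ESTABLISHED":
            return "forward"
        return "drop (no matching session)"


def run_scenario(return_via_zywall: bool) -> List[str]:
    """Replay the handshake; the flag selects the symmetric or triangle route."""
    fw = StatefulFirewall()
    pc, peer = "192.168.1.33", "203.0.113.10"          # constructed addresses
    log = ["SYN: " + fw.outbound(Packet(pc, 40000, peer, 80, "SYN"))]
    syn_ack = Packet(peer, 80, pc, 40000, "SYN-ACK")
    if return_via_zywall:
        log.append("SYN-ACK: " + fw.inbound(syn_ack))
    else:
        log.append("SYN-ACK: delivered by the other gateway straight to the PC; "
                   "the ZyWALL never sees it")
    log.append("ACK: " + fw.outbound(Packet(pc, 40000, peer, 80, "ACK")))
    return log


if __name__ == "__main__":
    for line in run_scenario(True) + ["---"] + run_scenario(False):
        print(line)
```

The fix the note implies is to keep both directions of a session on the same firewall path (or disable the firewall check for that segment), because no amount of rule tuning lets a stateful device validate a handshake it only half observes.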
100. When Bob clicks on the digital signature option in his e-mail application, special software applies a mathematical formula known as a hash function to the message, converting it to a fixed-length string of characters called a message digest. The digest acts as a digital fingerprint of the original message: if the original message is changed in any way, it will not produce the same message digest when the hash function is applied. Bob's software then encrypts the message digest with his private key, producing a digital signature of the message. He transmits the message and the digital signature to Alice. Alice uses Bob's public key to decrypt the digital signature, revealing the message digest. Since only Bob's public key can decrypt the digital signature, she is able to verify that Bob was the sender of the message. This verification process also tells Alice's software which hash function was used to create the message digest of Bob's original message. To verify the message content, Alice's software applies the hash function to the message she received from Bob. The message digests should be identical; if they are, Alice knows the message has not been changed and she is assured of its integrity. If Bob had wanted to ensure the confidentiality of his message, he could have encrypted it with Alice's public key before applying the hash function to the message. The best thing about all
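The hash-then-sign flow just described, carried out end to end as an added example (not code from the ZyXEL note). It uses textbook RSA so that "encrypt the digest with the private key" and "decrypt the signature with the public key" are literally what happens; the Mersenne primes used for Bob's and Alice's keys are constructed for illustration and far too small for real use, and the sample message is constructed as well. A real deployment would use a standard crypto library with padded signatures.

```python
"""Added example (not from the ZyXEL note): hash-then-sign with textbook RSA.
Key material below is constructed and insecure; it exists only to make the
digest/signature/verification steps concrete."""
import hashlib
from typing import Tuple

Key = Tuple[int, int]   # (exponent, modulus)

# Constructed Mersenne primes (toy sizes, not for real use).
BOB_P, BOB_Q = 2**127 - 1, 2**107 - 1
ALICE_P, ALICE_Q = 2**107 - 1, 2**89 - 1


def make_keypair(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Return (public_key, private_key) for primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)           # private exponent (Python 3.8+)
    return (e, n), (d, n)


def message_digest(message: bytes) -> int:
    """The fixed-length fingerprint. SHA-224 is used only so the digest is
    smaller than the toy modulus; SHA-256 would be the normal choice."""
    return int.from_bytes(hashlib.sha224(message).digest(), "big")


def sign(message: bytes, private_key: Key) -> int:
    """Bob: hash the message, then encrypt the digest with his private key."""
    d, n = private_key
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, public_key: Key) -> bool:
    """Alice: recover the digest with Bob's public key and compare it with a
    fresh digest of what she received. Any change to the message fails here."""
    e, n = public_key
    return pow(signature, e, n) == message_digest(message)


def encrypt(message: bytes, public_key: Key) -> int:
    """Confidentiality: encrypt with the recipient's public key."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(ciphertext: int, private_key: Key) -> bytes:
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def demo() -> dict:
    bob_pub, bob_priv = make_keypair(BOB_P, BOB_Q)
    alice_pub, alice_priv = make_keypair(ALICE_P, ALICE_Q)
    message = b"Pay Carol 100 EUR"             # constructed sample message
    signature = sign(message, bob_priv)        # Bob sends message + signature
    ciphertext = encrypt(message, alice_pub)   # optional: for Alice's eyes only
    return {
        "signature_valid": verify(message, signature, bob_pub),
        "tampered_valid": verify(b"Pay Carol 900 EUR", signature, bob_pub),
        "decrypted": decrypt(ciphertext, alice_priv),
    }


if __name__ == "__main__":
    print(demo())
```

Signing the digest rather than the whole message is what keeps the signature a fixed size regardless of message length, and it is why the tampered message in demo() fails verification even though the signature bytes are untouched.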
101. D01 Why do I have to register?
D02 In addition to registration, what can I do with myZyXEL.com?
D03 Is there anything changed on myZyXEL.com because of the launch of ZyNOS v4.00? Which ZyWALL models can be registered?
D04 What's the difference between the new registration flow and the previous registration flow? What's the advantage of the new registration flow over the previous registration flow?
D05 If I were new to myZyXEL.com, what are the required fields when I register my ZyWALL device on myZyXEL.com?
D06 When using the new registration flow of myZyXEL.com for ZyNOS v4.0, do I have to create a new account if I were already a registered user on myZyXEL.com?
D07 What is MySecurity Zone?
D08 What is Update Server?
D09 Who maintains mySecurityZone & Update Server?
D10 What's the URL for these service portals?
E. Content Filter FAQ
E01 What's t
102. certificates before resetting the configuration to the local computer. Then import them back to the ZyXEL appliance. G19 If I export My Certificates from the ZyXEL appliance, save them locally and then import them back after resetting the configuration file, can I reuse the imported My Certificates? No, you can't reuse them. Each certificate stored in My Certificates has a corresponding private key. When you erase the configuration, the corresponding private keys are also deleted, so you can't reuse the certificates by importing them afterward. H. Wireless FAQ. H01 What are the capabilities of the wireless feature of the ZyWALL? The ZyWALL 2WG has an embedded wireless interface supporting 802.1x (EAP-MD5, TLS, TTLS, PEAP) authentication and WEP/WPA/WPA2 for security access control. H02 What is the coverage range of wireless in the ZyWALL? The coverage range is typically 50m to 80m indoors and 150m to 300m outdoors. The actual range may vary depending on the environment, such as obstacles and walls and RF interference. H03 What is a Wireless LAN? Wireless LANs provide all the functionality of wired LANs without the need for physical connections (wires). Data is modulated onto a radio frequency carrier and transmitted through the ether. Typical bit rates are 11 Mbps and 54 Mbps, although in practice data throughput is half of this. Wireless LANs can be formed simply by eq
103. 11. You will see the Network Objects window. Press the New button and select Interoperable Device. 12. On the General Properties settings, give a name and an IP address for the Interoperable Device. In this example the IP address is the ZyWALL's WAN IP address. 13. On the Topology settings, press the Add button to add a new interface. 14. Give the interface a name and assign the IP address and subnet mask for the interface. In this exampl
104. ck to factory default. The default IP address is 192.168.1.1, the password is 1234 and the ESSID is Wireless. A16 What network interface does the new ZyWALL series support? The new ZyWALL series supports auto MDX/MDIX 10/100M Ethernet LAN and WAN ports: the LAN port connects to the computer on the LAN and the 10/100M Ethernet WAN port connects to the external cable or xDSL modem. A17 How does the ZyWALL support TFTP? In addition to the direct console port connection, the ZyWALL supports uploading and downloading the firmware and configuration file using TFTP (Trivial File Transfer Protocol) over the LAN. A18 Can the ZyWALL support TFTP over the WAN? Although TFTP should work over the WAN as well, it is not recommended because of the potential data corruption problems. A19 How can I upload data to the outside Internet over the one-way cable? A workaround is to use an alternate path for your upstream path, such as a dial-up connection to an Internet service provider. So if you can find another way to get your upstream packets to the Internet, you will still be able to receive downstream packets via the ZyWALL. A20 My ZyWALL cannot get an IP address from the ISP to connect to the Internet; what can I do? Currently there are various ways that ISPs control their users. That is, the WAN IP is provided only when the user is checked as an authorized user. The ISPs currently use three ways: 1
105. cy, for example ToZyWALL. Remote Gateway IP Addr is the ZyWALL's WAN IP address; in this example select the Static IP Address option and set 172.22.1.147 in the text box. Choose Main mode and enter the key string 12345678 in the Preshared Key text box. Then press the Advanced button to edit the advanced settings. 4. On the P1 proposal settings, select Encryption DES, Authentication MD5 and DH Group Group1. Then press the button to delete the second P1 proposal rule. 5. Uncheck the NAT traversal check box, and then press the OK button to save the settings.
106. d Format by selecting all of the content, then right-click your mouse and select Copy. Keep your copy in the clipboard to paste later. In this support note we utilize the certificate enrollment service from a Microsoft Windows 2000 CA server. The enrollment procedure of your CA server may be different; you may need to check with your CA service provider for details. For how to set up a Windows 2000 CA server, users may refer to http://www.microsoft.com. 2. Issue the URL to access the CA server (in this example http://192.168.1.33/certsrv) and type in the User Name, Password and Domain fields. 3. Select Request a Certificate, then press the Next > button.
107. d Up option if you need the functionality that automatically re-initiates a tunnel to a configured peer in the event of SA lifetime expiry or failure on the link. 12. This network policy PC1 to Dept1 will be mapped to the Gateway Policy Static Public IP Address by default. If you need to change to another pre-defined Gateway Policy, you can select it from the drop-down list. 13. Under Local Network, choose Subnet and input 192.168.71.0 and 255.255.255.0 for Dept1 in this example. 15. Under IPSec Proposal, select the Encryption and Authentication Algorithm. Note the configuration must be consistent on both ZyWALLs (GW1 & GW2). 17. The new Network Policy PC1 to Dept1 is added to the Gateway Policy. 18. Foll
108. d instant broadband Internet access router with 802.11 wireless support. A02 Will the ZyWALL work with my Internet connection? The ZyWALL is designed to be compatible with most network environments (cable or xDSL modems). Most external cable and xDSL modems use an Ethernet port to connect to your computer, so the ZyWALL can be placed between the computer and the external modem. As long as your Internet access device has an Ethernet port, you can use the ZyWALL. Besides, if your ISP supports PPPoE you can also use the ZyWALL, because PPPoE is supported in the ZyWALL. A03 What do I need to use the ZyWALL? You need an xDSL modem or cable modem with an Ethernet port to use the ZyWALL. The ZyWALL has two Ethernet ports: a LAN port and a WAN port. You should connect the computer to the LAN port and connect the external modem to the WAN port. If the ISP uses PPPoE authentication, you need the user account to enter in the ZyWALL. A04 What is PPPoE? PPPoE stands for Point-to-Point Protocol over Ethernet; it is an IETF draft standard specifying how a computer interacts with a broadband modem (i.e. xDSL, cable, wireless, etc.) to achieve access to high-speed data networks via a familiar PPP dialer such as the Dial-Up Networking user interface. PPPoE supports a broad range of existing applications and services including authentication, accounting
109. d to decrypt it. This makes it possible to receive secure messages by simply publishing one key (the public key) and keeping the other secret (the private key). G02 What is PKI? PKI is an acronym for Public Key Infrastructure. A PKI is a comprehensive system of policies, processes and technologies working together to enable users of the Internet to exchange information securely and confidentially. Public Key Infrastructures are based on the use of cryptography, the scrambling of information by a mathematical formula and a virtual key so that it can only be decoded by an authorized party using a related key. A PKI uses pairs of cryptographic keys provided by a trusted third party known as a Certification Authority (CA). Central to the workings of a PKI, a CA issues digital certificates that positively identify the holder's identity. A Certification Authority maintains accessible directories of valid certificates and a list of certificates it has revoked. G03 What are the security services PKI provides? PKI brings to the electronic world the security and confidentiality features provided by the physical documents, hand-written signatures, sealed envelopes and established trust relationships of traditional paper-based transactions. These features are: Confidentiality: ensures that only intended recipients can read files. Data Integrity: ensures that files cannot be changed without detection. Authentication: ensures that participants in an elec
110. de
- Allow everything that is not spoofing us.
Filter rule setup:
- Filter Type: TCP/IP Filter Rule
- Active: Yes
- Source IP Addr: a.b.c.d
- Source IP Mask: w.x.y.z
- Action Matched: Drop
- Action Not Matched: Forward
Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask.
For the output data filters:
- Deny bounce-back packets.
- Allow packets that originate from us.
Filter rule setup:
- Filter Type: TCP/IP Filter Rule
- Active: Yes
- Destination IP Addr: a.b.c.d
- Destination IP Mask: w.x.y.z
- Action Matched: Drop
- Action Not Matched: Forward
Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask.
C. Security Service Licenses FAQ. C01 What is iCard? iCard is used for delivering the security service license of ZyXEL products, including the ZyWALL product family. ZyWALL security service is enabled by purchasing an iCard to obtain a user license. C02 Where can I buy the iCard and how much does it cost? You can buy the iCard from the local dealer or distributor; please contact them for the price. Please check http://www.zyxel.com for ZyXEL global contact information. C03 How many kinds of iCard does ZyXEL provide? Choices range from Platinum, Silver and Gold depending on the model of the device. For the models supported by each type, please check the print o
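The two filter rules above (the anti-spoofing input filter and the anti-bounce-back output filter) evaluated against sample packets, as an added example rather than ZyWALL code. It models the rule fields the note lists: an optional source match, an optional destination match, and an action for the matched and the not-matched case. The local network a.b.c.d / w.x.y.z is a constructed 192.168.1.0/24, and the sample addresses are constructed too.

```python
"""Added example (not ZyXEL code): applying the WAN input anti-spoofing rule
and the WAN output anti-bounce-back rule to constructed sample packets."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPNet = ipaddress.IPv4Network
LOCAL_NET: IPNet = ipaddress.ip_network("192.168.1.0/24")   # constructed a.b.c.d/w.x.y.z


@dataclass(frozen=True)
class FilterRule:
    """One TCP/IP filter rule: optional source and destination network match,
    plus the action taken on match and on no match."""
    name: str
    src_net: Optional[IPNet] = None
    dst_net: Optional[IPNet] = None
    action_matched: str = "drop"            # "drop", "forward" or "check_next"
    action_not_matched: str = "forward"

    def matches(self, src: str, dst: str) -> bool:
        src_ok = self.src_net is None or ipaddress.ip_address(src) in self.src_net
        dst_ok = self.dst_net is None or ipaddress.ip_address(dst) in self.dst_net
        return src_ok and dst_ok


def apply_filter_set(rules: List[FilterRule], src: str, dst: str) -> str:
    """Walk the filter set in order; the first terminal action wins. A packet
    that reaches the end of the set without a decision is forwarded."""
    for rule in rules:
        action = rule.action_matched if rule.matches(src, dst) else rule.action_not_matched
        if action != "check_next":
            return action
    return "forward"


# WAN input filter, "allow everything that is not spoofing us": a packet
# arriving from the Internet must not claim a source inside our own LAN.
WAN_INPUT_FILTERS = [
    FilterRule("anti-spoof", src_net=LOCAL_NET,
               action_matched="drop", action_not_matched="forward"),
]

# WAN output filter, "deny bounce-back packets": nothing leaving towards the
# Internet should be addressed to our own LAN.
WAN_OUTPUT_FILTERS = [
    FilterRule("no-bounce-back", dst_net=LOCAL_NET,
               action_matched="drop", action_not_matched="forward"),
]


def evaluate_samples() -> Dict[str, str]:
    """Constructed (src, dst) packets and the decision each filter set makes."""
    samples = {
        "in:spoofed-lan-source": ("192.168.1.77", "203.0.113.5", WAN_INPUT_FILTERS),
        "in:genuine-internet":   ("203.0.113.5", "192.168.1.10", WAN_INPUT_FILTERS),
        "out:to-own-lan":        ("192.168.1.10", "192.168.1.20", WAN_OUTPUT_FILTERS),
        "out:to-internet":       ("192.168.1.10", "203.0.113.5", WAN_OUTPUT_FILTERS),
    }
    return {name: apply_filter_set(rules, s, d) for name, (s, d, rules) in samples.items()}


if __name__ == "__main__":
    for name, decision in evaluate_samples().items():
        print(f"{name:24} -> {decision}")
```

Because "Action Not Matched: Forward" terminates the set, any rule placed after these two would never be consulted; use "check next rule" on the not-matched branch when the set needs to hold more than one rule.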
111. ds of users that enable roaming over a broad area. H05 What is IEEE 802.11? IEEE 802.11 is a wireless LAN industry standard, and the objective of IEEE 802.11 is to make sure that different manufacturers' wireless LAN devices can communicate with each other. 802.11 provides 1 or 2 Mbps transmission in the 2.4 GHz ISM band using either FHSS or DSSS. H06 What is 802.11b? 802.11b is the first revision of the 802.11 standard, allowing data rates up to 11 Mbps in the 2.4 GHz ISM band. Also known as 802.11 High Rate and Wi-Fi, 802.11b only uses DSSS; the maximum speed of 11 Mbps falls back to 5.5, 2 and 1 Mbps. The IEEE 802.11b standard has a nominal speed of 11 megabits per second (Mbps). However, depending on signal quality and how many other people are using the wireless Ethernet through a particular access point, the usable speed will be much less. H07 What is 802.11g? 802.11g is an extension to 802.11b. 802.11g increases 802.11b's data rates to 54 Mbps and still utilizes the 2.4 GHz ISM band. Modulation is based upon OFDM (orthogonal frequency division multiplexing) technology. An 802.11b radio card will interface directly with an 802.11g access point, and vice versa, at 11 Mbps or lower depending on range. The range at 54 Mbps is less than for 802.11b operating at 11 Mbps. H08 What is 802.11a? 802.11a, the second revision of 802.11, tha
112. duce the new registration flow on myZyXEL.com. However, you can still register devices running older firmware. Please refer to the following table for model mappings. Model Mappings for Registration on myZyXEL.com (columns: Device Registration; AV/IDP Service Activation; Anti-Spam Service Activation; Content Filtering Service Activation). New Registration Flow: ZW 2plus v4.00, ZW5 v4.00, ZW35 v4.00, ZW70 v4.00. Previous Registration Flow: ZW2 v3.62, ZW5 v3.64/v3.62, ZW35 v3.64 or below, ZW70 v3.65 or below. Note: Devices running ZyNOS v4.00 do NOT support the Previous Registration Flow. D04 What's the difference between the new registration flow and the previous registration flow? What's the advantage of the new registration flow over the previous registration flow? 1. In the new registration flow, the registration is processed within the device's WebGUI. In the previous registration flow, the registration is processed through a hyperlink to myZyXEL.com in a separate browser window. 2. The new registration flow is easier to use for both experienced customers and new customers. In the new registration flow it's no longer necessary to open another web browser window to register your device. Instead the regi
113. e router's WAN IP address. However, NAT should not change the source port of the UDP packets which are used for key management, because the remote gateway checks this source port during connections; the port thus is not allowed to be changed. A28 How do I set up my ZyWALL for routing IPSec packets over NAT? For outgoing IPSec tunnels no extra setting is required. For forwarding the inbound IPSec ESP tunnel, a Default Server set in menu 15 is required. This is because NAT makes your LAN appear as a single machine to the outside world; LAN users are invisible to outside users. So to make an internal server reachable from outside, we must specify the service port and the LAN IP of this server in Menu 15. Thus NAT is able to forward the incoming packets to the requested service behind NAT, and the outside users access the server using the ZyWALL's WAN IP address. So we have to configure the internal IPSec gateway as a default server (unspecified service port) in menu 15 when it acts as a server gateway. A29 What is STP (Spanning Tree Protocol) / RSTP (Rapid STP)? When the ZyWALL is set to bridge mode, (R)STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other (R)STP-compliant bridges in your network to ensure that only one path exists between any two stations on the network. The configuration is especially for the advanced user who knows the protocol well. A30 What is the flow Z
114. e you should assign the ZyWALL's WAN port settings. Note: the interface name must exactly match the name the operating system uses for this interface; see help for further information. 15. Click the Topology screen and choose External (leads out to the internet) for the interface. Then press the OK button to save the settings. 16. Press the Add button to add another interface. 17. Give the interface a name and assign the IP address and subnet mask for the interface. In this example you should assign the ZyWALL's LAN port settings.
115. e minutes to complete the whole process. After the CA server agrees to issue the corresponding certificate, you will find a newly enrolled certificate in My Certificates. Step 3: Create a certificate request and enroll the certificate request on ZyWALL B. 1. Input a name for this certificate so you can identify it later. 2. In Subject Information, give this certificate a Common Name by either Host IP Address, Host Domain Name or E-Mail address. Organizational Unit, Organization and Country are optional fields; you are free to enter them or not. 3. Finally, specify the key length. 4. Select Create a certification request and enroll for a certificate immediately online. 5. Specify the Enrollment Protocol as Simple Certificate Enrollment Protocol (SCEP). 6. In the CA Server's Address field, input the URL to access the CA server, for example http://1.1.1.1:8080/scep. 7. Choose the previously downloaded CA server's certificate from the drop-down list. 8. Input user name and password if necessary. 9. Then click Apply. After pressing the Apply button, the ZyWALL would create the certification request and
116. e packets flow between them is secure, because the packets that go through the IPSec tunnel are encrypted. To set up this VPN tunnel, the required settings for the software and the ZyWALL are explained in the following sections. The IP addresses we use in this example (VPN Gateway and Mobile User) are as shown below: LAN 202.132.171.1 and 202.132.171.33; WAN 202.132.170.1. 1. Setup ZyWALL VPN Client. 1. Open the ZyWALL VPN Client Security Policy Editor. 2. Add a new connection named ZyWALL as shown below. 3. Select Connection Security to Secure. 4. In the ID Type option, choose IP Address and enter the IP address of the remote PC (PC 2 in this case). 5. Check Connect using Secure Gateway Tunnel; also select IP Address as ID Type and enter the ZyWALL's WAN IP address in the following field. The detailed configuration is shown in t
117. ecRule. 10. On Gateway Policy Information, choose the ToNetScreen IKE policy for your IPSec rule. 11. On Local Network, choose Subnet Address for your Address Type. Starting IP Address and Ending IP Address/Subnet are your local site LAN IP addresses. In this example you should type 192.168.2.0 in the Starting IP Address field and then type 255.255.255.0 in the Ending IP Address/Subnet field. 12. On Remote Network, choose Subnet Address for your Address Type. Starting IP Address and Ending IP Address/Subnet are your remote site LAN IP addresses. In this example you should type 192.168.1.0 in the Starting IP Address field and then type 255.255.255.0 in the Ending IP Address/Subnet field. 13. On IPSec Proposal, select Encapsulation Mode Tunnel, Active Protocol ESP, Encryption Algorithm DES and Authentication Algorithm SHA1, and then press the Apply button on this page.
118. ed CAs. 2. Input a name for this certificate so you can identify it later. In Subject Information, give this certificate a Common Name by either Host IP Address, Host Domain Name or E-Mail address. Organizational Unit, Organization and Country are optional fields; you are free to enter them or not. Finally, specify the key length and select Create a certification request and save it locally for later manual enrollment. 3. Wait for 1 to 2 minutes until Request Generation Successful displays. During this period the ZyWALL is working on creation of the private/public key pair and the certificate request (Request Generation in Progress: This may take up to one minute. Please wait.). 4. After creating the certificate request, the ZyWALL returns a success message: Request Generation Successful. Please click on Return to go to the My Certificates screen. 5. In the My Certificates tab you get a new entry in grey color. This is the Certificate Request you just created. Click Details to export the request.
119. eded by this value when it is larger than this value. 5. Under Authentication Key, Pre-Shared Key or Certificate can be used as the authentication method. For detailed usage of Pre-Shared Key and Certificate, please refer to XXX. In this example Pre-Shared Key is used, and the string 12345678 is used as an example. 6. Extended Authentication (xAuth) can be enabled or not depending on your application. For detailed info you can refer to XXX. (Server Mode: Search Local User first, then RADIUS; Client Mode: User Name and Password.) 7. Under IKE Proposal, select the Encryption and Authentication Algorithm. Note the configuration must be consistent on both ZyWALLs (GW1 & GW2). 8. Click on Apply to save the profile. 9. The IKE rule will be configured as below. 11. Activate the profile and name this policy PC1 to Dept1 in this example.
120. emote PKI Storage Space in Use. Trusted CAs: CN=SSH Test CA, SSH Communications (No Liabilities). Step 2: Create a certificate request and enroll the certificate request on ZyWALL A. 1. Input a name for this certificate so you can identify it later. 2. In Subject Information, give this certificate a Common Name by either Host IP Address, Host Domain Name or E-Mail address. Organizational Unit, Organization and Country are optional fields; you are free to enter them or not. 3. Finally, specify the key length. 4. Select Create a certification request and enroll for a certificate immediately online. 5. Specify the Enrollment Protocol as Simple Certificate Enrollment Protocol (SCEP). 6. In the CA Server's Address field, input the URL to access the CA server, for example http://1.1.1.1:8080/scep. 7. Choose the previously downloaded CA server's certificate from the drop-down list. 8. Input user name and password if necessary. 9. Then click Apply. After pressing the Apply button, the ZyWALL would create the certification request and send it to the CA server for enrollment. It may take on
121. ended Authentication, Local Policy, Remote Policy, Authentication Method (See My Certificates), Gateway Information, IPSec Algorithm. 13. You can check detailed settings by clicking the Advanced button. Step 5: Using the certificate in VPN on ZyWALL B. 1. Activate the rule. 2. Give this VPN rule a name: toZyWALL_A. 3. Select Key Management: IKE. 4. Select Negotiation Mode: Main. 5. Edit Local: Address Type Subnet Address, Starting IP Address 192.168.2.0, End IP Address/Subnet Mask 255.255.255.0. 6. Edit Remote: Address Type Subnet Address, Starting IP Address 10.1.33.0, End IP Address/Subnet Mask 255.255.255.0. 7. Authentication Key: select Certificate and choose the certificate you enrolled for this device from the drop-down list. 8. Fill in My IP Address: 192.168.1.36. 9. Peer ID Type: ANY. 10. Secure Gateway Address: 192.168.1.35. 11. Encapsulation Mode: Tunnel. 12. Leave other options as default.
122. er using one of the following methods. Note that the policy of the certification authority (CA) will determine the certificates that you can obtain.
- Submit a certificate request to this CA using a form.
- Submit a certificate request using a base64-encoded PKCS #10 file, or a renewal request using a base64-encoded PKCS #7 file.
- Request a certificate for a smart card on behalf of another user using the Smart Card Enrollment Station. You must have an enrollment agent certificate to submit a request for another user.
6. Right-click your mouse, then paste the certificate request you got in step 4.
[Screenshot: Microsoft Certificate Services in Internet Explorer, address http://192.168.1.33/certsrv/certrqxt.asp, page "Submit A Saved Request": Paste a base64 encoded PKCS #10 certificate request or PKCS #7 renewal request generated by an external application (such as a web server) into the request field to submit the request to the certification authority (CA). Saved Request: Base64 Encoded Certificate Request (PKCS #10 or #7), "-----BEGIN CERTIFICATE REQUEST----- ... -----END CERTIFICATE REQUEST-----", Browse for a file
123. erates by mapping the private IP addresses to a global IP address. It is only one subset of NAT. The ZyWALL supports most of the features of NAT based on RFC 1631, and we call this feature Multi-NAT. For more information on IP address translation, please refer to RFC 1631, "The IP Network Address Translator (NAT)".
How NAT works
If we define the local IP addresses as the Inside Local Addresses (ILA) and the global IP addresses as the Inside Global Addresses (IGA), see the following figure. The term "inside" refers to the set of networks that are subject to translation. NAT operates by mapping the ILA to the IGA required for communication with hosts on other networks. It replaces the original IP source address and TCP or UDP source port numbers, and then forwards each packet to the Internet (ISP), thus making the packets appear as if they had come from the NAT system itself, e.g. the ZyWALL router. The ZyWALL keeps track of the original addresses and port numbers so that incoming reply packets can have their original values restored.
[Figure 1: Local & Global IP Addresses: ILA (Inside Local Addresses) on the LAN side of the ZyWALL, IGA (Inside Global Addresses) on the ISP side]
NAT Mapping Types
NAT supports five types of IP/port mapping. They are:
1. One-to-One: In One-to-One mode, the ZyWALL maps one ILA to one IGA.
2. Many-to-One: In Many-to-One mode, the ZyWAL
124. es
B04 What kind of firewall is the ZyWALL?
1. The ZyWALL's firewall inspects packet contents and IP headers. It is applicable to all protocols, and it understands data in the packet that is intended for other layers, from the network layer up to the application layer.
2. The ZyWALL's firewall performs stateful inspection. It takes into account the state of the connections it handles, so that, for example, a legitimate incoming packet can be matched with the outbound request for that packet and allowed in. Conversely, an incoming packet masquerading as a response to a nonexistent outbound request can be blocked.
3. The ZyWALL's firewall uses session filtering, i.e. smart rules that enhance the filtering process and control the network session rather than individual packets in a session.
4. The ZyWALL's firewall is fast. It uses a hashing function to search the matched session cache instead of going through every individual rule for a packet.
5. The ZyWALL's firewall provides an email service to notify you with routine reports and when alerts occur.
B05 Why do you need a firewall when your router has packet filtering and NAT built in?
With the spectacular growth of the Internet and online access, companies that do business on the Internet face greater security threats. Although packet filtering and NAT restrict access to particular computers and networks, for other companies this security may be insufficient, because packet filters typicall
125. esolve ZyWALL's IP address to make a VPN tunnel. In the following example, the local VPN gateway (ZyWALL) uses a dynamic WAN IP address (PPPoE with dynamic IP assignment).
4. Configure the DDNS entry under DNS > DDNS and bind it to a WAN interface.
5. Under the Gateway Policy menu, select the DDNS entry from the drop-down list and use it as My Domain Name.
6. Configure the DDNS entry in Remote Gateway Address on the peer VPN gateway.
7. Both DNS and E-mail can be used as the Local ID & Peer ID for authentication.
Note: If High Availability (HA) for incoming VPN (VPN HA) is necessary, enable the HA option while configuring the DDNS entry under DNS > DDNS. ZyWALL will update its DDNS entry with another WAN interface when the specified WAN interface is not available. Therefore, the next incoming VPN connection will go through the second WAN interface.
Configure ZyWALL behind a NAT Router
This section describes an example configuration of ZyWALL behind a NAT router (Internet gateway). NAT routers sit on the border between private and public (Internet) networks, converting the private addresses in each IP packet into legally registered public ones. NAT is commonly supported by Internet access routers that sit at the network edge. However, IPSec is a NAT-sensitive protocol, which means modification of IPSec traffic may cause failure of the VPN connection. Forward UDP port [number garbled]
126. estination address. Then select the service and set the action for Matched Packet to BLOCK.
[Screenshot: FIREWALL > EDIT RULE with Edit Source Address (Any Address) and Edit Destination Address (Any Address), address range 210.242.82.31 to 210.242.82.34]
Internet Connection
A typical Internet access application of the ZyWALL is shown below. This section guides you through configuring ZyWALL to gain Internet access.
Step 1: First of all, select the Home menu and click Internet Access Wizard to configure your WAN connection. Click Internet Access under Home >> Wizards for Internet Access Quick Setup. A pop-up window as below will prompt you to enter the ISP Parameters for Internet Access.
ISP Parameters for Internet Access: You can select Ethernet, PPPoE or PPTP according to the network you are in. If you don't know, please ask your network administrator. The most popular type of network is Ethernet.
[Screenshot: Encapsulation: Ethernet; WAN IP Address Assignment: Dynamic; Finish]
There are three kinds of encapsulation which are supported by ZyWALL: Ethernet, PPPoE
127. etwork security solution.
What secure protocols does IPSec support?
There are two protocols provided by IPSec: AH (Authentication Header, protocol number 51) and ESP (Encapsulated Security Payload, protocol number 50).
What are the differences between Transport mode and Tunnel mode?
The IPSec protocols (AH and ESP) can be used to protect either an entire IP payload or only the upper-layer protocols of an IP payload. Transport mode is mainly for an IP host to protect the data generated locally, while tunnel mode is for a security gateway to provide IPSec service for other machines lacking IPSec capability. In this case, Transport mode only protects the upper-layer protocols of the IP payload (user data); Tunnel mode protects the entire IP payload, including user data. There is no restriction that the IPSec hosts and the security gateway must be separate machines. Both IPSec protocols, AH and ESP, can operate in either transport mode or tunnel mode.
F08 What is SA?
A Security Association (SA) is a contract between two parties indicating what security parameters, such as keys and algorithms, they will use.
What is IKE?
IKE is short for Internet Key Exchange. Key Management allows you to determine whether to use IKE (ISAKMP) or manual key configuration to set up a VPN. There are two phases in every IKE negotiation: phase 1
128. explained in the following sections. As the red pipe shown in the following figure, the tunneling endpoints are the ZyWALL router and the FortiNet router.
[Figure: IPSec Tunnel between ZyWALL and FortiNet]
The IP addresses we use in this example are as shown below (ZyWALL on the left, FortiNet on the right): WAN 172.22.1.147 / WAN 172.22.2.138; LAN 192.168.2.0/24 / LAN 192.168.1.0/24.
1. Setup ZyWALL VPN
1. Using a web browser, log in to ZyWALL by giving the LAN IP address of ZyWALL in the URL field.
2. Go to SECURITY > VPN > press the Add button.
[Screenshot: VPN Rules (IKE) page: Local Network, ZyWALL, Internet, VPN Tunnel, Remote Network]
3. Give a name for your policy, for example ToFortiNet.
4. My IP Addr is the WAN IP of ZyWALL. In this example you should type the IP address 172.22.1.147 in the My ZyWALL text box.
5. Secure Gateway IP Addr is the FortiNet's WAN IP address. In this example you should type the IP address 172.22.2.138 in the Remote Gateway text box.
[Screenshot: Gateway Policy Information for Property ToFortiNet, My ZyWALL 172.22.1.147, Primary Remote Gateway 172.22.2.138]
6. In Authentication Key, enter the key string 12345678 in the Pre-Shared Key text box.
[Screenshot: Authentication Key, Pre-Shared Key 12345678] aut
129. f-signed Certificate
[Screenshot: My Certificates table with Name, Subject, Valid From, Valid To and Modify columns; the auto-generated entry is valid from 2005 Jan 18th 03:12:18 GMT to 2008 Jan 19th 03:12:18 GMT]
When you configure a VPN rule with a certificate, select Certificate under VPN > Gateway Policy. Select My Certificate from the drop-down list. When My Certificate is selected, ZyWALL will show the Local ID Type and Content in my certificate. You must configure the same setting on the peer ZyWALL, and vice versa. For example, on the local ZyWALL the Local ID Type is E-mail and the content is 00A0C5012345 auto gen cert. Therefore, configure the Peer ID Type and content accordingly on the peer ZyWALL.
[Screenshots: VPN > VPN Rule (IKE) on the peer ZyWALL]
Online Enroll Certificates
This example displays how to use the PKI feature in the VPN function of the ZyXEL appliance. Through the PKI function, users can achieve party identification when doing VPN (IPSec) negotiation. With online enrollment, ZyWALL first creates a certification request locally, then sends the certification request to trusted CA (Certificate Authority) servers, and finally gets a certificate for further usage. ZyWALL supports both the SCEP and CMP protocols as methods of online enrollment. Both SCEP and CMP online enrollment protocols provide secure mechanisms to transmit ZyWALL's certification request securely over the Internet. In this example we adopt SCEP.
130. h off.
G. PKI FAQ
G01 Basic Cryptography concept
Encryption and decryption are the two major operations involved in cryptography. Whenever we would like to send some secret over an insecure medium such as the Internet, we may encrypt the secret before sending it out. The receiver thus needs the corresponding decryption key to recover the encrypted secret. We need to have keys for both encryption and decryption. The key used to encrypt data is called the encryption key, and the key for decryption is called the decryption key. Cryptography can be categorized into two types: symmetric and asymmetric cryptography. For symmetric cryptography, the encryption key is the same as the decryption key. Otherwise, we call the cryptography asymmetric. Symmetric cryptography such as DES, 3DES and AES is normally used for data transmission, since it requires less computation power than asymmetric cryptography. The task of privately choosing a key before communicating, however, can be problematic. Applications in real cases may use asymmetric cryptography to protect the distribution of symmetric keys, and use symmetric cryptography for data transmission. Asymmetric cryptography solves the key exchange problem by defining an algorithm which uses two keys, each of which can be used to encrypt a message. If one key is used to encrypt a message, then the other must be use
131. he DHCP server or the gateway above the ZyWALL, there is one firewall rule that needs to be activated. Go to Firewall >> Rule Summary and choose WAN to LAN from Packet Direction. You will see a rule to permit the service type BOOTP_CLIENT (UDP 68) to pass the firewall. It is INACTIVE by default. The admin can activate the rule by clicking the N, as in the following picture. Then the rule will be activated right away.
[Screenshots: FIREWALL > Rule Summary, Packet Direction WAN to LAN, Default Policy Drop; rule 1 BOOTP_CLIENT (UDP 68) Permit, shown first with Active = N and then activated; Rule_2 NetBIOS (TCP/UDP 137-139, 445) Permit]
Step 2: To change the device mode, go to MAINTENANCE >> Device Mode.
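To make two of the firewall behaviours on this page concrete, the stateful matching of replies to outbound requests and the hashed session cache from B04, and the inactive WAN-to-LAN BOOTP_CLIENT (UDP 68) rule from the DHCP section above, here is an added Python simulation. It is not ZyWALL code; the packet and rule fields, the direction names and the per-direction default policies are this example's own assumptions (the page only shows WAN to LAN defaulting to Drop), and all addresses are constructed.

```python
from collections import namedtuple

# Constructed packet and rule records; the field names are this example's own.
Packet = namedtuple("Packet", "direction proto src_ip src_port dst_ip dst_port")
Rule = namedtuple("Rule", "name direction proto dst_port action active")


class StatefulFirewall:
    """Permit packets of sessions already seen; everything else goes through
    the per-direction rule scan, and only permitted new sessions are cached."""

    def __init__(self, rules, default_policy):
        self.rules = list(rules)
        self.default_policy = dict(default_policy)   # direction -> action (assumed)
        self.sessions = set()    # 5-tuples of permitted sessions, found by hash lookup
        self.rule_scans = 0      # how often the slow path (rule scan) ran

    def activate(self, name, active=True):
        """Toggle a rule, like clicking the Active column in Rule Summary."""
        self.rules = [r._replace(active=active) if r.name == name else r
                      for r in self.rules]

    def process(self, pkt):
        fwd = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        # Fast path: a packet of an existing session, in either direction, is
        # matched by a set (hash) lookup and never scans the rules.
        if fwd in self.sessions or rev in self.sessions:
            return "permit"
        # Slow path: a new session is checked against the rules for its direction.
        # An inbound packet with no outbound request behind it is only let in
        # when a rule for that direction explicitly permits it.
        self.rule_scans += 1
        action = self.default_policy[pkt.direction]
        for rule in self.rules:
            if (rule.active and rule.direction == pkt.direction
                    and rule.proto == pkt.proto and rule.dst_port == pkt.dst_port):
                action = rule.action
                break
        if action == "permit":
            self.sessions.add(fwd)
        return action


def demo():
    fw = StatefulFirewall(
        rules=[Rule("BOOTP_CLIENT", "WAN_to_LAN", "udp", 68, "permit", False)],
        default_policy={"LAN_to_WAN": "permit", "WAN_to_LAN": "drop"},
    )
    results = {}
    # Outbound HTTP request from a LAN host (constructed addresses).
    results["request"] = fw.process(
        Packet("LAN_to_WAN", "tcp", "192.168.1.10", 40001, "198.51.100.7", 80))
    # The reply is matched to that outbound request by the session cache.
    results["reply"] = fw.process(
        Packet("WAN_to_LAN", "tcp", "198.51.100.7", 80, "192.168.1.10", 40001))
    # A "reply" to a request that was never sent falls to the WAN-to-LAN default.
    results["spoofed_reply"] = fw.process(
        Packet("WAN_to_LAN", "tcp", "198.51.100.7", 80, "192.168.1.10", 40002))
    # A DHCP offer from an upstream server hits the BOOTP_CLIENT rule, which is
    # inactive by default and therefore does not override the Drop policy.
    offer = Packet("WAN_to_LAN", "udp", "203.0.113.1", 67, "255.255.255.255", 68)
    results["dhcp_inactive"] = fw.process(offer)
    fw.activate("BOOTP_CLIENT")
    results["dhcp_active"] = fw.process(offer)
    results["rule_scans"] = fw.rule_scans   # the reply never scanned the rules
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The `rule_scans` counter is what B04's point 4 is about: only the first packet of each session pays for a rule scan; later packets, including the replies, are resolved by the hash lookup.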
132. he following figure.
[Screenshot: Security Policy Editor (ZyWALL VPN Client), Network Security Policy > My Connections > ZyWALL: Connection Security: Secure (Connect Manually); Remote Party Identity and Addressing: ID Type IP Address (annotated "IP Address of PC1"), Protocol All, Port All; Connect using Secure Gateway Tunnel, ID Type IP Address 202.132.170.1 (annotated "WAN IP address of ZyWALL")]
6. Expand the ZyWALL icon; you may see My Identity.
7. Click My Identity, then click the Pre-Shared Key icon on the right side of the window.
8. Enter a key that later you will also need to configure in ZyWALL in the pop-out window. In this example we enter 12345678. See below.
[Screenshot: Security Policy Editor, My Identity > Pre-Shared Key dialog: Enter Pre-Shared Key (at least 8 characters)]
Security Pol
133. he network setting.
[Figure: ZyWALL 35 UTM at the Central Office and ZyWALL 2 Plus at the Remote Office (SOHO)]
How to configure the VPN HA
1. Using a web browser, log in to ZyWALL by giving the LAN IP address of ZyWALL in the URL field. The default LAN IP is 192.168.1.1, and the default password to log in to the web configurator is 1234.
2. Go to SECURITY > VPN > press the Add button.
[Screenshot: VPN Rules (IKE) page: Local Network, Internet, VPN Tunnel, Remote Network]
3. Give a name for your policy, for example Dual_GW_VPN.
4. My IP Addr is the WAN IP of ZyWALL. In this example you should type the IP address 220.123.23.7 in the My ZyWALL text box.
5. Primary Remote Gateway IP Address is the Central Office's WAN1 IP address. In this example you should type the IP address 61.79.65.3 in the Primary Remote Gateway text box.
6. Check the Enable IPSec High Availability box to enable IPSec HA, and input the WAN2 IP address as the redundant gateway. In this example you should type the IP address 61.82.69.2 in the Redundant Remote Gateway text box.
7. "Fail back to Primary Remote Gateway when possible" is an option left to the user to decide if they want switchi
134. he operation between ZyXEL appliance and BlueCoat data center ... 238
E02 How many entries can the cache of Web Site Auto Categorization keep at most? ... 238
E03 Can I specify the time out value of the query response from BlueCoat data center? ... 238
E04 Can I decide whether to forward or drop the HTTP response if the query to BlueCoat data center is timed out? ... 239
E05 How to register for BlueCoat service? ... 239
E06 Why can't I make registration successfully? ... 239
E07 What services can I get with Trial Registration? ... 239
E08 What types of content filter does ZyWALL provide? ... 239
E09 What are the primary features of ZyXEL Content Filtering? ... 239
E10 Who needs ZyXEL Content Filtering? Is ZyXEL Content Filtering for small companies or for large corporations? ... 240
E11 Can I have different policies in effect for different times of the day or week? ... 240
E12 How many policies can I create? ... 240
E13 Can I create my own categories? ... 240
E14 Can I override (block or allow) certain URLs regardless of the rating? ... 240
135. hnologies and human raters.
E20 How do I locate sites to block?
BlueCoat provides category ratings for Web sites. Based on the category rating from BlueCoat, users of ZyXEL appliances then define the blocking/forwarding policy in the WEB GUI.
Do humans review the web sites?
BlueCoat uses expert Web content raters to train the ratings technology. Initially, category experts create a list of URLs that represent good content for each category. The ratings technology then uses this initial set of pages to recognize content similar to those initial pages. Through BlueCoat's internal processes, the ratings technology learns to better categorize pages as it rates more and more user requests. The BlueCoat staff also continually adds new pages to all categories and evaluates any pages that the rating process could not recognize. Users can request BlueCoat staff to rate specific new pages or review automatic ratings assigned by the technology. Through this process, the ratings technology becomes more accurate at categorizing future user requests.
E21 Do humans review the ratings?
BlueCoat's Web content raters periodically review each content area. They also examine pages based on categorization requests from end users. BlueCoat periodically reviews certain content areas to fine-tune the ability of the ratings technology to recognize specific types of conte
136. ic from LAN to WAN: since BWM is applied before NAT, you should use the IP address before NAT processing.
Source IP Address
Source Subnet Mask: Enter the destination subnet mask.
Source Port: Enter the source port number of the traffic.
Protocol ID: Enter the protocol number for the traffic: 1 for ICMP, 6 for TCP or 17 for UDP.
After configuring BWM, you can check the current bandwidth of the configured traffic in ADVANCED > BWM MGMT > Monitor. The values in the Current Usage (kbps) column display the actual number.
[Screenshot: Summary / Class Setup / Monitor: Interface, Current Usage (kbps); Root Class 1500, Default Class 1500 with usage 0]
Scenario: Limit bandwidth usage, but when there is residual bandwidth we hope it can be shared fairly among several active traffic flows.
Description: FTP Client A can get 400 kbps of FTP traffic, FTP Client B can get 800 kbps of FTP traffic, and the IPTV user can retrieve 800 kbps of UDP streaming.
LAN Interface: Fairness-based, Speed 2048 kbps.
Class 1: Budget 400 kbps, Dest IP FTP Client A's IP, Service FTP, Priority 3, enable Borrow.
Class 2: Budget 800 kbps, Dest IP FTP Client B's IP, Service FTP, Priority 3, enable Borrow.
Class 3: Budget 800 kbps, Dest IP IPTV Client's IP, Protocol UDP.
[Figure: FTP Client A, FTP Client B and the IPTV user behind the ZyWALL LAN interface]
Step 1: Activ
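The scenario above says only that residual bandwidth should be "shared fairly" among classes with Borrow enabled. The following added Python model shows one reading of that: every class first gets min(budget, demand), and what is left of the interface speed is water-filled in equal shares among borrow-enabled classes that still want more. This is not the ZyWALL scheduler; the water-filling rule, the demand figures, and the requirement that budgets not exceed the interface speed are this example's assumptions. The class budgets and the 2048 kbps speed are the page's.

```python
def allocate_bandwidth(speed_kbps, classes, demand_kbps):
    """Return the kbps each class receives for one scheduling interval.

    classes:     list of (name, budget_kbps, borrow) tuples
    demand_kbps: name -> kbps the class currently wants (absent = idle)
    """
    if sum(budget for _, budget, _ in classes) > speed_kbps:
        raise ValueError("class budgets exceed the interface speed")
    # Step 1: every class is guaranteed its budget, but never more than it needs.
    alloc = {name: min(budget, demand_kbps.get(name, 0))
             for name, budget, _ in classes}
    residual = speed_kbps - sum(alloc.values())
    # Step 2: water-fill the residual in equal shares among borrow-enabled
    # classes with unmet demand. A class that needs less than its share takes
    # only what it needs, and the loop redistributes the rest.
    while residual > 1e-9:
        needy = [(name, demand_kbps.get(name, 0) - alloc[name])
                 for name, _, borrow in classes
                 if borrow and demand_kbps.get(name, 0) - alloc[name] > 1e-9]
        if not needy:
            break            # nobody may borrow more: bandwidth stays unused
        share = residual / len(needy)
        for name, unmet in needy:
            give = min(share, unmet)
            alloc[name] += give
            residual -= give
    return {name: round(kbps, 3) for name, kbps in alloc.items()}


# The three classes from the scenario (Class 3 has no Borrow).
CLASSES = [("FTP_A", 400, True), ("FTP_B", 800, True), ("IPTV", 800, False)]
LAN_SPEED = 2048


def scenario_all_active():
    # Constructed demand: both FTP clients could use 1500 kbps, IPTV streams 800.
    return allocate_bandwidth(LAN_SPEED, CLASSES,
                              {"FTP_A": 1500, "FTP_B": 1500, "IPTV": 800})


def scenario_iptv_idle():
    # With the IPTV user idle, its 800 kbps budget becomes residual bandwidth
    # that the two borrow-enabled FTP classes share equally.
    return allocate_bandwidth(LAN_SPEED, CLASSES, {"FTP_A": 1500, "FTP_B": 1500})


if __name__ == "__main__":
    print(scenario_all_active())
    print(scenario_iptv_idle())
```

With everyone active the 48 kbps left over after the budgets is split 24/24 between the FTP classes; with IPTV idle its unused 800 kbps plus the 48 kbps residual give each FTP class 424 kbps on top of its budget, so FTP Client A ends at 824 and FTP Client B at 1224 kbps while the total stays at 2048.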
137. ice portals: myZyXEL.com (http://www.myzyxel.com/myzyxel) and mySecurityZone (https://mysecurity.zyxel.com/mysecurity). For the Update Server there is no interactive login screen available, since it communicates with ZyWALL devices only.
E. Content Filter FAQ
E01 What's the operation between ZyXEL appliance and BlueCoat data center?
Whenever a PC behind the ZyXEL appliance issues HTTP requests to some public WEB server, the ZyXEL appliance will forward the request to the targeted WEB server but also issue a categorization query to the BlueCoat data center. When the HTTP response comes back to the ZyXEL appliance, the appliance will hold the response for a while and wait for the query result from the BlueCoat data center. If the query is not back within 10 seconds (by default setting), the ZyXEL appliance will block (by default setting) the HTTP response to the PC. If the query is back, the ZyXEL appliance will drop or forward the request according to the Content Filtering policy set in the appliance. The result of the categorization query will be cached in the ZyXEL appliance. Later HTTP requests to the same WEB server will be inspected using the local cache.
E02 How many entries can the cache of Web Site Auto Categorization keep at most?
The ZyXEL appliance can keep 1024 entries in the cache at most. Entries that are used less frequently will be overwritten first when the cache is full. The contents of the cache will be cleared after rebooting.
E03 Can I specify the time out
138. icy Settings. This key is used during the Authentication Phase if the Authentication Method Proposal is Pre-Shared Key.
9. Click the Security Policy option to choose Main Mode as the Phase 1 Negotiation Mode.
[Screenshot: Security Policy Editor (ZyWALL VPN Client), My Connections > ZyWALL > Security Policy: Select Phase 1 Negotiation Mode (Main Mode / Aggressive Mode); Enable Perfect Forward Secrecy (PFS) with PFS Key Group Diffie-Hellman Group 2; Enable Replay Detection]
10. Expand the Security Policy icon; you will see two icons, Authentication (Phase 1) and Key Exchange (Phase 2).
11. The settings shown in the following two figures for both Phases are our examples. You can choose any, but they should match whatever you enter in ZyWALL.
[Screenshots: Security Policy Editor, Authentication (Phase 1) Proposal and Key Exchange (Phase 2) Proposal]
139. 2. Input a name for this certificate so you can identify it later. In Subject Information, give this certificate a Common Name by either Host IP Address, Host Domain Name or E-Mail address. Organizational Unit, Organization and Country are optional fields; you are free to enter them or not. Finally, specify the key length and select "Create a certification request and save it locally for later manual enrollment".
[Screenshot: Subject Information and Enrollment Options]
3. Wait for 1-2 minutes until "Request Generation Successful" displays. During this period ZyWALL is working on the creation of the private/public key pair and the certificate request.
[Screenshot: CERTIFICATES > MY CERTIFICATE > CREATE STATUS: Request Generation in Progress]
4. After creating the certificate request, ZyWALL returns a Successful message.
[Screenshot: CERTIFICATES > MY CERTIFICATE > CREATE STATUS]
5. In the My Certificates tab you can see a new entry in grey. This is the Certificate Request you just created. Click Details to export the request.
[Screenshot: CERTIFICATES > My Certificates list, with Trusted CAs and Directory Servers tabs]
Step 2: Enroll Certificate Request
1. Copy the content of the certificate in PEM Encode
140. ilter policies for all computers / Include specified address ranges in the content filter enforcement / Exclude specified address ranges from the content filter enforcement.
[Screenshot: Address Ranges list with the entry 192.168.10.200 to 192.168.10.200; From / To fields; Add Range and Delete Range buttons]
2.1.2 Customize the Forbidden web sites which are known phishing web sites
In addition to using an external content filter server to do the filtering, we can customize the filter policies ourselves. In the settings under CONTENT FILTER > Customization, check the "Enable Web site customization" check box and enter the distrusted web site in the Forbidden Web Site list. The forbidden list is similar to a black list.
[Screenshot: CONTENT FILTER > Customization: Enable Web site customization; Disable all Web traffic except for trusted Web sites; Don't block Java/ActiveX/Cookies/Web proxy to trusted Web sites; Trusted Web Sites list (Add Trusted Web Site); Forbidden Web Site List (Add Forbidden Web Site) containing www.phishbank.com]
2.1.3 Demonstrate Customization Content filtering by an example
Using a browser to browse
141. iness-sensitive application. PC2 belongs to the other group (Dept 2) and needs to access Dept 2.
[Figure: IPSec Tunnel 1 and IPSec Tunnel 2 between GW1 and GW2]
The configuration goal is to achieve the following two:
1. Set up a VPN rule to allow PC1 to access Dept 1 through the tunnel between GW1 & GW2.
2. Set up a VPN rule to allow PC2 to access Dept 2 through the tunnel between GW1 & GW2.
[Figure residue: WAN 192.168.35.101 and 192.168.35.102; networks 192.168.71.0/24 and 192.168.72.0/24; public addresses 210.242.82.35 and 210.242.82.70]
The following will illustrate how to configure GW1:
1. Log in to ZyWALL and click VPN.
[Screenshot: SECURITY menu: FIREWALL, CONTENT FILTER, VPN, CERTIFICATES, AUTH SERVER]
3. Click on the icon to add a new gateway policy for the VPN tunnel.
4. Enable NAT Traversal and configure the WAN IP as the My Address of My ZyWALL and
[Screenshot: Gateway Policy: Name; My ZyWALL: Static Public IP Address (My Address), NAT Traversal enabled, My Domain Name: None (See DDNS); Primary Remote Gateway: Domain Name or IP Address; Enable IPSec High Availability; Redundant Remote Gateway: Domain Name or IP Address; Fail back to Primary Remote Gateway when possible; Fail Back Check Interval 28800 (180-86400) seconds. Fail Back Check Interval: the time interval for checking availability of the Primary Remote Gateway. IPSec SA life time will be supers
142. ing Report, the WEB interface of the BlueCoat reporting system will pop out. By entering the MAC address you registered to the http://myZyXEL.com web server (which you can check from the Registration Status of the http://myZyXEL.com server) and the password you specified when doing registration, you can log into the BlueCoat reporting system.
E28 Can I change the password for BlueCoat service?
Yes. You can click the Register button from the ZyXEL appliance's WEB GUI; then the http://myZyXEL.com web page will pop out. You can change the password in the user profile.
E29 Which User Name & Password should I input for the Content Filtering report?
The User Name is the smallest Ethernet MAC address of your device. To identify it, check the sticker on the bottom of the device, as below.
[Photo of the device label: ZyXEL Communications Corporation, Made in Taiwan, Model Number ZyWALL 70, Serial Number, Ethernet Address, power rating, caution and warning notices, FCC Part 15 compliance statement]
143. internal server, you should specify the server's private IP address in the field of the destination IP address.
[Screenshot: FIREWALL > Rule Summary (Default Rule, Rule Summary, Anti-Probing, Threshold, Service tabs)]
Application for Non NAT-Friendly Support
Some servers providing Internet applications, such as some mIRC servers, do not allow users to log in using the same IP address. In this case it is better to use the Many One-to-One or One-to-One NAT mapping types, so that each user logging in to the server uses a unique global IP address. The following figure illustrates this.
[Figure: User 1 (ILA1, 192.168.1.10), User 2 (ILA2, 192.168.1.11) and User 3 (ILA3, 192.168.1.12) behind the ZyWALL; 3 ILAs <-> 3 IGAs]
3 ILAs map to 3 IGAs using Many One-to-One or One-to-One. One rule configured for using the Many One-to-One mapping type is shown below.
[Screenshot: ADVANCED > NAT > Address Mapping Rule: Type Many One-to-One, Local Start IP 192.168..., Local End IP 192.168..., Global Start IP, Global End IP]
Optimize network performance & availability
144. ld to achieve this.
F11 What are Local ID and Peer ID?
Local ID and Peer ID are used in IKE phase 1 negotiation. They are in FQDN (Fully Qualified Domain Name) format; the IKE standard takes it as one type of Phase 1 ID. The Phase 1 ID is the identification for each VPN peer. The type of Phase 1 ID may be IP, FQDN (DNS) or User FQDN (E-mail). The content of the Phase 1 ID depends on the Phase 1 ID type. The following is an example of how to configure the phase 1 ID:
ID type / Content
IP / 202.132.154.1
DNS / www.zyxel.com
E-mail / support@zyxel.com.tw
Please note that in ZyWALL, if the DNS or E-mail type is chosen, you can still use a random string as the content, such as this_is_zywall. It's not necessary to follow the format exactly. By default, ZyWALL takes IP as the phase 1 ID type for itself and its remote peer. But if its remote peer is using DNS or E-mail, you have to adjust the settings to pass phase 1 ID checking.
When should I use FQDN?
If your VPN connection is ZyWALL to ZyWALL, both of them have static IP addresses and there is no NAT router in between, you can ignore this option. Just leave the Local/Peer ID type as IP and skip this option. If either side of the VPN tunnel end point is using a dynamic IP address, you may need to configure the ID for the one with the dynamic IP address, and in this case Aggressive mode is recommended to be applied in ph
145. le
[Screenshot: content filter category check boxes: Weapons, Business/Economy, Education, Brokerage/Trading, Military, Computers/Internet, Web Communications, Personals/Dating, Email, Shopping, Society/Lifestyle, Sports/Recreation/Hobbies, Humor/Jokes, Pay to Surf, Pornography, Nudity, Gambling, Abortion, Cult/Occult, Cultural Institutions, Games, Political/Activist Groups, Hacking/Proxy Avoidance, Job Search/Careers, Reference, Newsgroups, Auctions, Gay/Lesbian, Travel, Streaming Media/MP3, For Kids, Sex Education, Alcohol/Tobacco, Violence/Hate/Racism, Arts/Entertainment, Illegal Drugs, Financial Services, Government/Legal, Health, Search Engines/Portals, News/Media, Chat/Instant Messaging, Religion, Real Estate, Restaurants/Dining/Food, Vehicles, Software Downloads, Web Advertisements; Clear All Categories button]
3.3 Demonstrate Content Filtering by an example
Using a browser to browse the sports website, for example www.nba.com, it will be blocked and redirected to www.zyxel.com with the Website Blocking message displayed at the moment.
[Screenshot: http://www.nba.com redirected to "Content Control from BlueCoat: Website Blocking: Sports/Recreation/Hobbies. If you feel that the C
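The content filter passages on this page describe one decision pipeline from several angles: the categorization query with its 10-second timeout and block-on-timeout default (E01), the 1024-entry cache that overwrites less-used entries and is lost on reboot (E02), the option to forward instead of block on timeout (E04), the Customization trusted and forbidden lists, and the Sports/Recreation/Hobbies block of www.nba.com just above. Here is an added Python model that puts those pieces in one place. It is not ZyXEL code; the precedence (trusted, then forbidden, then cache, then live query), the rating table, the hostnames under the reserved .example domain, and the two-entry cache used in the demo so that eviction is visible are this example's assumptions.

```python
class QueryTimeout(Exception):
    """Raised by a category lookup that did not answer within the timeout."""


class ContentFilter:
    """Decide forward/block for a web request: trusted list, forbidden list,
    local rating cache, then a live categorization query (assumed order)."""

    def __init__(self, blocked_categories, trusted=(), forbidden=(),
                 cache_size=1024, timeout_s=10, block_on_timeout=True):
        self.blocked = set(blocked_categories)
        self.trusted = set(trusted)              # always forwarded
        self.forbidden = set(forbidden)          # always blocked, never queried
        self.cache_size = cache_size             # 1024 on the appliance (E02)
        self.timeout_s = timeout_s               # 10 s by default (E01)
        self.block_on_timeout = block_on_timeout  # E04: drop or forward on timeout
        self.cache = {}                          # host -> [category, use_count]

    def _cache_put(self, host, category):
        if len(self.cache) >= self.cache_size:
            # Cache full: overwrite the entry that has been used least.
            victim = min(self.cache, key=lambda h: self.cache[h][1])
            del self.cache[victim]
        self.cache[host] = [category, 1]

    def clear_cache(self):
        """The cache does not survive a reboot (E02)."""
        self.cache.clear()

    def decide(self, host, query):
        """Return (action, reason). query(host, timeout_s) returns a category
        string or raises QueryTimeout."""
        if host in self.trusted:
            return "forward", "trusted"
        if host in self.forbidden:
            return "block", "forbidden"
        if host in self.cache:
            self.cache[host][1] += 1
            category = self.cache[host][0]
        else:
            try:
                category = query(host, self.timeout_s)
            except QueryTimeout:
                # The held HTTP response is dropped unless E04 says forward.
                return ("block" if self.block_on_timeout else "forward"), "timeout"
            self._cache_put(host, category)
        return ("block" if category in self.blocked else "forward"), category


# Constructed stand-in for the rating service: a fixed table plus one host
# whose query never answers in time.
RATINGS = {
    "www.nba.com": "Sports/Recreation/Hobbies",
    "news.example": "News/Media",
    "docs.example": "Reference",
    "slow.example": None,
}
QUERY_LOG = []   # every host that caused a live query


def fake_query(host, timeout_s):
    QUERY_LOG.append(host)
    category = RATINGS.get(host, "Unrated")
    if category is None:
        raise QueryTimeout(f"no answer for {host} within {timeout_s}s")
    return category


def demo():
    del QUERY_LOG[:]
    cf = ContentFilter(blocked_categories={"Sports/Recreation/Hobbies"},
                       trusted={"www.zyxel.com"},
                       forbidden={"www.phishbank.com"},
                       cache_size=2)   # tiny cache so eviction is visible
    out = {}
    out["nba_first"] = cf.decide("www.nba.com", fake_query)
    out["nba_again"] = cf.decide("www.nba.com", fake_query)    # cache hit
    out["queries_after_nba"] = len(QUERY_LOG)
    out["phish"] = cf.decide("www.phishbank.com", fake_query)  # no query made
    out["trusted"] = cf.decide("www.zyxel.com", fake_query)    # no query made
    out["timeout"] = cf.decide("slow.example", fake_query)
    cf.block_on_timeout = False
    out["timeout_forward"] = cf.decide("slow.example", fake_query)
    out["news"] = cf.decide("news.example", fake_query)
    out["docs"] = cf.decide("docs.example", fake_query)        # evicts news.example
    out["cache_hosts"] = sorted(cf.cache)
    out["total_queries"] = len(QUERY_LOG)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two things the demo makes visible that the FAQ text only states: a timed-out lookup is never cached, so the next request for that host pays the timeout again, and eviction is by use count, which is why www.nba.com (used twice) survives when news.example (used once) is overwritten.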
146. le office on line with the ZyWALL Internet Access Sharing Router.
A10. Does the ZyWALL support dynamic IP addressing? The ZyWALL supports both static and dynamic IP addresses from the ISP.
A11. What is the difference between the internal IP and the real IP from my ISP? Internal IPs are sometimes referred to as virtual IPs. They are a group of up to 255 IPs that are used and recognized internally on the local area network; they are not intended to be recognized on the Internet. The real IP from the ISP, instead, can be recognized or pinged by another real IP on the Internet. The ZyWALL Internet Access Sharing Router works like an intelligent router that routes between the virtual IPs and the real IP.
A12. How does e-mail work through the ZyWALL? It depends on what kind of IP you have, static or dynamic. If your company has a domain name, it means that you have a static IP address. Suppose your company's e-mail address is xxx@mycompany.com. Joe and Debbie will be able to send e-mail through the ZyWALL Internet Access Sharing Router using jane@mycompany.com and debbie@mycompany.com respectively as their e-mail addresses. They will be able to retrieve their individual, private and secure e-mail if they have been assigned the proper access rights. If your company does not have a domain name, it means that your ISP provides you with a dynamic IP address. Suppose your company's e-mail address is mycompany@ispname.com. Jane and John will be able to send e-mail through the ZyWALL
147. lients.
3. When the DHCP setting is chosen as Relay, the LAN will forward DHCP requests to another DHCP server.

Using NAT (Multi-NAT)
- What is Multi-NAT
- How NAT works
- NAT Mapping Types
- SUA versus Multi-NAT
- Example
  Step 1: Applying NAT on the WAN Interface
  Step 2: Configuring NAT Address Mapping
  Step 3: Using Multiple Global IP addresses for clients and servers (One-to-One, Many-to-One and Server Set mapping types)
- Application: Non-NAT-Friendly Support

What is Multi-NAT?
NAT (Network Address Translation, RFC 1631) is the translation of an Internet Protocol address used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and unmaps the global IP addresses on incoming packets back into local IP addresses. The IP addresses for the NAT can be either fixed or dynamically assigned by the ISP. In addition, you can designate servers, e.g. a web server and a telnet server, on your local network and make them accessible to the outside world. If you do not define any servers, NAT offers the additional benefit of firewall protection: in that case all incoming connections to your network will be filtered out by the ZyWALL, thus preventing intruders from probing your network. The SUA feature that the ZyWALL supports previously op
148. ll then generate dynamic shared keys for the IKE SAs and IPSec QM SAs.

Using xAuth for User Authentication
IKE Extended Authentication (Xauth) is a draft RFC developed by the Internet Engineering Task Force (IETF) based on the Internet Key Exchange (IKE) protocol. The Xauth feature is an enhancement to the existing Internet Key Exchange (IKE) protocol feature. Xauth allows authentication methods to perform user authentication in a separate phase after the IKE authentication phase exchange. The Xauth feature is an extension to the IKE feature and does not replace IKE authentication. Before Xauth, IKE only supported authentication of the device, not authentication of the user using the device. With Xauth, IKE can now authenticate the user using the device after the device has been authenticated during normal IKE authentication. Since remote users may use the same pre-shared key for device authentication, there may be a problem once the key is compromised. Otherwise an extra authentication would be more en
[screenshot: VPN Rules (IKE) page with a Dyn Remote Access rule whose remote gateway is Dynamic]
149. m [screenshot: CheckPoint SmartDashboard tabs: Security, Address Translation, SmartDefense, Web Intelligence, VPN Manager, QoS, Desktop Security]
51. Press the Add button to add another rule, which drops packets that do not match your VPN rule.
[screenshot: Security rule table with columns Source, Destination, Service, Action, Track, Install On, Time, Comment: an accept rule over Net_192.168.1.0 and Net_192.168.2.0 with VPN CheckPoint_ZyWALL, service Any, track Log, install on Policy Targets, followed by a rule for Any Traffic with action drop and track Log]
52. On your main menu, click Policy > Install to install your policy.
[screenshot: Policy menu: Install, Uninstall, Verify, View, Access Lists, Install Database, Policy Installation Targets, Convert to, Management High Availability, Global Properties]
53. Select your policy rule and press the OK button to install the policy.
[screenshot: Install Policy dialog, Installation Targets, Advanced Secu
150. mask [screenshot: Home page status tables: WAN1 Down, WAN2 Dial, Dial Backup Down, LAN 100M Full 192.168.1.1, DMZ 100M Full; IP Assignment options Renew DHCP client, Renew IPCP client, Drop, Dial, DHCP server, Static; Security Services: Content Filter Expiration Date, License Inactive, Web Site Blocked Not Supported; 3G WAN Interface Status: 3G Connection Status Dial, Service Provider 2G/UMTS Limited Service, Signal Strength 0, Connection Up Time 0:01:01, Tx Bytes 0, Rx Bytes 0, 3G Card Manufacturer Sierra Wireless Inc, 3G Card Model, 3G Card Firmware Revision, 3G Card IMEI, SIM Card IMSI; Latest Alerts dated 2001-01-01 reading "WAN1 connection is down" and "Failed to dial connection" with an error code, repeated 10 times; tabs System Status, Port Statistics, DHCP Table, VPN, Bandwidth]
3. Switch to the GUI menu Network > WAN tab. Configure the APN, username, password, PIN code, phone number, the authentication type and the other settings you have got from your service provider. Click the Apply button.
151. med [screenshot: browser at http://192.168.1.33/certsrv, Microsoft Certificate Services] Welcome. You use this web site to request a certificate for your web browser, e-mail client, or other secure program. Once you acquire a certificate, you will be able to securely identify yourself to other people over the web, sign your e-mail messages, encrypt your e-mail messages, and more, depending upon the type of certificate you request. Select a task: Retrieve the CA certificate or certificate revocation list; Request a certificate; Check on a pending certificate.
4. Choose Advanced request, then press the Next > button.
[screenshot: http://192.168.1.33/certsrv/certrqus.asp, Choose Request Type: "Please select the type of request you would like to make": User certificate request / Advanced request]
5. Choose "Submit a certificate request using a base64 ..." then press the Next > button.
[screenshot: http://192.168.1.33/certsrv/certrqad.asp, Advanced Certificate Requests] You can request a certificate for you
152. munity [screenshot: Tunnel Management: Permanent Tunnels on all tunnels of specific Gateways / on specific tunnels in the community; Tunnel down track, Tunnel up track; VPN Tunnel Sharing (control the number of VPN tunnels opened between peer Gateways): one VPN tunnel per each pair of hosts / per subnet pair / per Gateway pair]
32. On the VPN Routing settings, choose the "To center, or through the center to other satellites, to internet and other VPN targets" option.
[screenshot: Star Community Properties, CheckPoint_ZyWALL, VPN Routing: Enable VPN routing for satellites: To center only / To center and to other satellites through center / To center, or through the center to other satellites, to internet and other VPN targets]
33. On the Shared Secret settings, choose the ToZyWALL option and press the Edit button.
[screenshot: Star Community Properties, Shared Secret: "Each External member will have the following secret with all internal members in this community"; Use only Shared Secret for all External members
153. n the cards.
C04. Is each type of iCard device specific? Yes. Different models of ZyXEL product may use different types of iCard for registration. Users need to check the supported model names before purchasing.
C05. What are the available security service licenses which require additional purchase and license activation in ZyNOS v4.00? V4.00 is a major new release of ZyNOS and it includes the following security services which require license purchase and activation: 1. Anti-Virus/IDP security service; 2. Anti-Spam security service; 3. Content Filtering security service.
C06. What kind of iCard should I buy? It depends on the ZyWALL model you have, the security service you desire and the license period you need. See the following table for those mappings. Here we highlight ZyWALL 5/35/70 since they especially provide AV/IDP/AS features. [table: iCard to ZyWALL model and service (AV/IDP, AS) mapping; cells not legible in the scan]
C07. If I violate the mappings described above, for example using a silver iCard for ZyWALL 35 or ZyWALL 70, what will happen? The activation will fail.
C08. Can I try the Content Filtering service for free? How long is the free trial period of the Content Filtering service? Yes, you can try the Content Filtering service for free. The free trial period is 30 days and is available to ZyWALL 2, ZyWALL 2 Plus, ZyWALL 5, ZyWALL 35, ZyWALL 70, ZyWALL 5 UTM
154. name for your policy, for example ToCheckPoint. My IP Addr is the WAN IP of the ZyWALL; in this example you should type the 172.22.1.236 IP address in the My ZyWALL text box. Secure Gateway IP Addr is the remote PC's IP address; in this example you should type the 172.22.2.58 IP address in the Remote Gateway text box.
[screenshot: Property: ToCheckPoint; Gateway Policy Information: My ZyWALL 172.22.1.236, Remote Gateway 172.22.2.58]
6. In Authentication Key, enter the key string 12345678 in the Pre-Shared Key text box.
[screenshot: Authentication Key: Pre-Shared Key 12345678; Certificate auto_generated_self_signed_cert (See My Certificates); Local ID Type IP 0.0.0.0; Peer ID Type IP 0.0.0.0]
7. Set Negotiation Mode to Main mode, Encryption Algorithm to DES, Authentication Algorithm to MD5, Key Group to DH1, and then press the Apply button on this page.
[screenshot: IKE Proposal; Associated Network Policies: Local Network, Remote Network]
9. Check the Active check box and give a name to this policy.
[screenshot: Property: ToCheckPoint_IPSecRule]
10. In Gateway Policy Information, you should choose the ToCheckPoint IKE policy for your IPSec rule.
[screenshot: Gateway Policy Information: Gateway Policy ToCheckPoint; Recycle Bin; Local Network]
11. In Local Network, choose Subnet Address for your Address Ty
155. new rule has been configured and is shown in the rule summary page. This achieves our goal of blocking all traffic from the VPN remote host 192.168.2.33 to the LAN subnet.
[screenshot: FIREWALL > Rule Summary (tabs Default Rule, Rule Summary, Anti-Probing, Threshold, Service), direction VPN to LAN; one active rule with source address 192.168.2.33, destination address 192.168.1.0/255.255.255.0, service Any]
How to configure a Web filtering rule over VPN (Content Filter)
1. The switch to enable content filtering over VPN traffic is in the Content Filter general configuration page. Content filtering over VPN can only be enabled after the content filter global switch is enabled; otherwise the "enable content filter for VPN traffic" option is grayed out.
[screenshot: CONTENT FILTER > General (tabs General, Categories, Customization): Enable Content Filter; enable content filter for traffic that matches IPSec policy; Restrict Web Features; Schedule to Block (24-hour format); Message to display when a site is blocked]
2. Traffic decrypted from the VPN tunnel and sent to the Internet has the web filtering rule applied once "enable content filter for traffic that matches IPSec policy" is enabled.
156. ng the connection back to the primary gateway when it recovers. In this example we decide to switch the connection back to the primary gateway, and the check interval is 28800 seconds.
8. The remaining VPN settings are the same as in the previous steps; complete all settings.
9. Please remember to set up a corresponding VPN rule in the central office's firewall for building the VPN tunnel from WAN2 to the remote office's firewall (ZyWALL 2 Plus).
[screenshot: Property and Gateway Policy Information pages showing the gateway addresses 61.79.65.3 and 161.82.69.2 and a Domain name type ID]
Access control and security VPN connection
Security policy enforcement (IPSec)
- Setup ZyWALL VPN with access control (Firewall)
- Setup ZyWALL VPN with web filtering rule (Content Filter)
Normally the traffic transmitted through a VPN tunnel is treated as a secure connection because of the multiple authentication and encryption methods. Thus the security gateway does not inspect the VPN traffic, because it is sent in cipher text, not in plaintext. The enhanced algorithm we adopted is that the ZyWALL can inspect the VPN packet before encrypting it (when sending to the tunnel) or after decrypting it (when receiving from the tunnel).
How to configure an access control rule over VPN
1. Log into the web configurator on the ZyWALL
157. policy. Check the Active checkbox in the Virtual Address Mapping Rule block to enable NAT over IPSec. You can decide the number of IP addresses for NAT (Network Address Translation) from the Type drop-down menu. In this example we want to NAT all the IP addresses of the subnet, therefore we select Many One-to-One. Enter the subnet range in the Private Starting IP Address field and the Private Ending IP Address field. Note: the Private IP address represents the original IP address of the Local Area Network. In the Virtual Starting IP Address field we specify the new IP address after NAT.
[screenshot: Network Policy: Property, Gateway Policy Information, NAT over IPSec (Virtual Address Mapping Rule, Type Many One-to-One; Port Forwarding Rules), Local Network (Range Address)]
In the figure above, the Virtual IP address is specified starting from 172.16.2.1 to 172.16.2.254 on ZyWALL 1.
[screenshot: Remote Network; IPSec Proposal]
4. On ZyWALL 1 the remote network will be changed to 172.16.3.0. Click Apply in order to complete the setting. Repeat the steps for ZyWALL 2 in order to configure its Network Policy.
158. nt. Also, when users believe a page has received an incorrect rating, BlueCoat rating experts will review the categories assigned and make changes as necessary. BlueCoat also uses the human-rated sites to further train and improve the content analysis system.
E22. What can I do if I find a web site is mis-categorized? When you find a web site is not categorized as you expect, you can report it to either support@zyxel.com.tw or BlueCoat Site Submissions.
E23. How many and what categories do you provide? ZyXEL Content Filtering provides 52 categories. We currently recognize the following 52 categories.
Potential Liable & Objectionable Content Categories: Adult/Mature Content, Alcohol/Tobacco, Gambling, Hacking/Proxy Avoidance Systems, Illegal Drugs, Illegal/Questionable, Intimate Apparel/Swimsuit, Nudity, Pornography, Sex Education, Violence/Hate/Racism, Weapons.
Potential Non-Productive Categories: Abortion, Arts/Entertainment, Auctions, Brokerage/Trading, Business & Economy, Chat/Instant Messaging, Computers/Internet, Cult/Occult, Cultural Institutions, Education, Email, Financial Services, For Kids, Games, Gay & Lesbian, Government/Legal, Health, Humor/Jokes, Job Search/Careers, Military, News & Media, Newsgroups, Pay to surf sites,
159. nt to classify traffic on each interface. In this version, a child class can borrow bandwidth from its parent class if necessary (Bandwidth Borrowing). For classes that need more bandwidth even after bandwidth borrowing, users can also apply Maximize Bandwidth Usage on the interface.
[figure: Class Tree Using BWM]
Go to ADVANCED > BW MGMT > Summary and activate bandwidth management on the interface you would like to manage. We enable the BWM function on the WAN interface in this example. Enter the total speed for this interface that you want to allocate using bandwidth management; this appears as the bandwidth budget of the interface's root class. Select how you want the bandwidth to be allocated. Priority-Based means bandwidth is allocated by priority: the traffic with the highest priority is served first, then the second priority, and so on. If Fairness-Based is chosen, the bandwidth is allocated by ratio: if class A needs 300 kbps and class B needs 600 kbps, the ratio of A's and B's actual bandwidth is 1:2, so if we have 450 kbps in total, A gets 150 kbps and B gets 300 kbps.
[screenshot: BW MGMT tabs Summary, Class Setup, Monitor] The Bandwidth Manager manages the bandwidth of traffic flowing out of the router on the specific interface. Bandwidth
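The two allocation modes just described, worked through in code. This is an added illustration, not ZyXEL's code: the class names, the demand figures (the text's own 300 kbps / 600 kbps / 450 kbps case), the priority numbering (larger number means higher priority) and the function names are all assumptions made for this example.

```python
# Added illustration (not ZyXEL code): how the two BWM allocation modes split an
# interface's bandwidth budget among classes. Class names, demand figures,
# priority numbering and function names are constructed for this example.

def allocate_fairness_based(demands, budget):
    """Fairness-Based: split the budget among classes in proportion to their demand.

    demands maps class name -> requested kbps; budget is the root class's kbps.
    Returns class name -> granted kbps.
    """
    total_demand = sum(demands.values())
    if total_demand <= budget:
        return dict(demands)  # no contention: every class gets what it asked for
    return {name: budget * kbps / total_demand for name, kbps in demands.items()}


def allocate_priority_based(demands, priorities, budget):
    """Priority-Based: serve the highest-priority class in full before the next one.

    priorities maps class name -> priority; a larger number means higher priority
    (an assumption for this example). Classes with equal priority are served in
    dictionary order.
    """
    remaining = budget
    granted = {}
    for name in sorted(demands, key=lambda n: priorities[n], reverse=True):
        share = min(demands[name], remaining)
        granted[name] = share
        remaining -= share
    return granted


if __name__ == "__main__":
    # Constructed input: class A needs 300 kbps, class B needs 600 kbps, and the
    # WAN root class has a 450 kbps budget.
    demands = {"A": 300, "B": 600}
    print("fairness:", allocate_fairness_based(demands, 450))                    # A 150, B 300
    print("priority:", allocate_priority_based(demands, {"A": 2, "B": 1}, 450))  # A 300, B 150
```

Under Fairness-Based the shortfall is shared in the 1:2 ratio of the demands; under Priority-Based the lower-priority class absorbs the whole shortfall, which is the behaviour to expect when a bulk class is placed below an interactive one.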
160. nternet access, and presume that you are familiar with basic ZyNOS VPN configuration.
As the figure shown below, each branch office has a VPN tunnel to the headquarters, thus PCs in the branch offices can access systems in the headquarters via the tunnel. Through VPN routing, the ZyWALL series now provides a solution to let PCs in branch offices talk to each other through the existing VPN tunnels concentrated at the headquarters.
[figure: Headquarters, Branch A and Branch B; the three sites use WAN 202.3.1.1 with LAN 192.168.3.1 (192.168.3.0/24), WAN 202.1.1.1 with LAN 192.168.1.1 (192.168.1.0/24), and WAN 202.2.1.1 with LAN 192.168.2.1 (192.168.2.0/24)] The IP addresses we use in this example are as shown in the figure.
1. Setup VPN in branch office A. Because VPN routing enables branch offices to talk to each other via tunnels concentrated at the headquarters, in this step we configure an IPSec rule on ZyWALL Branch_A for PCs behind branch office A to access both LAN segments of the headquarters and branch office B. Because the LAN segments of the headquarters and branch office B are contiguous, we merge them into one single rule by including these two segments in the Remote section. If by any chance the two segments are not contiguous, we strongly recommend you set up different rules for these segments.
1. Go to SECURITY > VPN > press the Add button.
161. o_generated_self_signed_cert (See My Certificates)]
7. Set Negotiation Mode to Main mode, Encryption Algorithm to DES, Authentication Algorithm to MD5, Key Group to DH1, and then click the Apply button on this page.
[screenshot: IKE Proposal: Main, DES, MD5, 28800, DH1; Associated Network Policies: Local Network, Remote Network]
8. After you press the Apply button you will see an IKE rule on this page; click the L/R button to edit your IPSec rule.
[screenshot: VPN Rules (IKE), Manual SA Monitor, Global Setting tabs; VPN Rules with a VPN Tunnel entry]
9. Check the Active check box and give a name to this policy.
[screenshot: Property: ToFortiNet_IPSecRule]
10. In Gateway Policy Information, you should choose the ToFortiNet IKE policy for your IPSec rule.
[screenshot: Gateway Policy Information: Gateway Policy ToFortiNet; Recycle Bin; Local Network]
11. In Local Network, choose Subnet Address for your Address Type. Starting IP Address and Ending IP Address/Subnet are your local site LAN IP addresses. In this example you should type 192.168.2.0 in the Starting IP Address field and then type 255.255.255.0 in the Ending IP Address/Subnet field.
[screenshot: Local Network: Address Type Subnet Address ...] ing
162. ogether. Confidentiality (encryption) can be used with or without authentication/integrity. Similarly, one could use authentication/integrity with or without confidentiality.
F17. I am planning my ZyWALL-to-ZyWALL VPN configuration. What do I need to know? First of all, both ZyWALLs must have VPN capabilities. Please check the firmware version: V3.50 or later has the VPN capability. If your ZyWALL is capable of VPN, you can find the VPN options in the Advanced > VPN tab. For configuring a box-to-box VPN, there are some tips:
- If there is a NAT router running in front of the ZyWALL, please make sure the NAT router supports passing IPSec through. In the NAT case, whether NAT runs on the front-end router or in the ZyWALL VPN box, only IPSec ESP tunneling mode is supported, since NAT works against AH mode.
- Source IP / Destination IP: please do not number the LANs (local and remote) using the same exact range of private IP addresses. This would make the VPN destination addresses and the local LAN addresses indistinguishable, and the VPN will not work.
- Secure Gateway IP Address: this must be a public, routable IP address; a private IP is not allowed. That means it cannot be in the 10.x.x.x subnet, the 192.168.x.x subnet, nor in the range 172.16.0.0 to 172.31.255.255; these address ranges are reserved by Internet standard for private LAN numbering behind NAT devices.
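A pre-flight check that applies the three tips above to a planned tunnel before anyone touches the configurator. This is an added example, not ZyXEL code: it uses Python's standard ipaddress module, the function names are assumptions, and the two sample plans at the bottom are constructed (the public address 202.132.154.1 is the one the F11 answer uses as its IP-type ID example).

```python
# Added illustration (not ZyXEL code): a pre-flight check for the box-to-box
# VPN tips. The function names and the sample plans are constructed.
import ipaddress

# The private ranges named in the text: 10.x.x.x, 192.168.x.x and
# 172.16.0.0 through 172.31.255.255 (RFC 1918).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private_address(addr):
    """True if addr lies in a range a Secure Gateway IP Address must not use."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def check_vpn_plan(local_lan, remote_lan, secure_gateway,
                   nat_in_front=False, protocol="ESP"):
    """Return the list of problems found in a planned ZyWALL-to-ZyWALL tunnel.

    An empty list means the plan follows all three tips.
    """
    problems = []
    local = ipaddress.ip_network(local_lan, strict=False)
    remote = ipaddress.ip_network(remote_lan, strict=False)

    # Tip 2: the two LANs must not share (or overlap) the same private range.
    if local.overlaps(remote):
        problems.append(
            f"local LAN {local} and remote LAN {remote} overlap: VPN destinations "
            "would be indistinguishable from local hosts")

    # Tip 3: the secure gateway must be a public, routable address.
    if is_private_address(secure_gateway):
        problems.append(
            f"secure gateway {secure_gateway} is a private address; "
            "it must be public and routable")

    # Tip 1: with a NAT device in the path only ESP tunnel mode works, not AH.
    if nat_in_front and protocol.upper() != "ESP":
        problems.append(
            "a NAT router in front of the ZyWALL requires ESP tunnel mode, not AH")
    return problems


if __name__ == "__main__":
    # Constructed plans: the first follows every tip, the second breaks all three.
    print(check_vpn_plan("192.168.1.0/24", "192.168.2.0/24", "202.132.154.1"))
    print(check_vpn_plan("192.168.1.0/24", "192.168.1.0/24", "172.20.0.1",
                         nat_in_front=True, protocol="AH"))
```

Note that overlaps() catches partial overlap too (a /24 inside the peer's /16), which is the case people most often miss when the two sites were numbered independently.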
163. on Method [screenshot: Gateway Information: IP Address / My Domain Name (a dyndns.org name, see DDNS); IPSec Algorithm ESP]
13. You can check the detailed settings by clicking the Advanced button.
[screenshot: Phase 1 and Phase 2 settings]
Offline Enroll Certificates
In this guide we describe how ZyWALL devices, both ZyWALL A and ZyWALL B, as IPSec VPN tunnel end points authenticate each other through PKI. We use the CA (Certificate Authority) service provided by a Windows 2000 server in this example. The whole procedure includes:
1. Create Certificate Request; 2. Enroll Certificate Request; 3. Create Certificate Request; 4. Enroll Certificate Request; 5. Using Certificate in VPN; 6. Using Certificate in VPN.
[figure: ZyWALL A with LAN 10.1.133.1 (10.1.133.0/24) and WAN 192.168.1.35; ZyWALL B with LAN 192.168.2.1 (192.168.2.0/24) and WAN 192.168.1.36]
Step 1: Create Certificate Request on ZyWALL A
1. Go to VPN > My Certificates > click the Create button.
[screenshot: My Certificates (tabs My Certificates, Trusted CAs, Trusted Remote Hosts, Directory Servers); PKI Storage Space in Use; one entry, auto_generated_self_signed_cert, subject/issuer CN=ZyWALL ..., type SELF, valid from 2000 Jan 1st 00:00:00 GMT to 2030 Jan 1st 00:00:00 GMT]
164. onnection will always be reset by the ZyWALL.
Solutions:
A. Deploying your second gateway in an IP alias segment is a better solution. In this way your connection is always under the control of the firewall, and thus there will be no Triangle Route problem.
[figure: second gateway on an IP alias segment behind the ZyWALL 100 via a switch/hub]
B. Deploying your second gateway on the WAN side.
[figure: ISDN router and WAN router on the WAN side of the ZyWALL]
C. To resolve this conflict we add an option for users to allow or disallow such a Triangle Route topology in both the CI command and the Web configurator. You can issue the command "sys firewall ignore triangle all on" to allow the firewall to bypass triangle route checking. In the Web GUI you can find this option in the firewall setup page. But we would like to point out that if you allow Triangle Route, any traffic can easily be injected into the protected network through the unprotected gateway; in fact it is a security hole in your protected network.
B15. How can I protect against IP spoofing attacks? The ZyWALL's firewall will automatically detect IP spoofing and drop it if the firewall is turned on. If the firewall is not turned on, we can configure a filter set to block IP spoofing attacks. The basic scheme is as follows. For the input data filter:
- Deny packets from the outside that claim to be from the insi
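The input-filter rule of the anti-spoofing scheme in B15, applied to constructed packet headers. This is an added example, not ZyXEL code or the ZyWALL's filter set syntax: the protected LAN (192.168.1.0/24), the packet records, the interface names and the function names are assumptions. It also goes one step beyond the text by adding the mirror-image egress rule (a packet leaving the inside must carry an inside source address), which follows from the same logic.

```python
# Added illustration (not ZyXEL code): the anti-spoofing input filter from B15
# run over constructed packet headers, plus the mirror-image egress rule.
import ipaddress
from collections import namedtuple

INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed protected LAN

# A minimal packet record: ingress interface, source and destination address.
Packet = namedtuple("Packet", "iface src dst")


def antispoof_verdict(pkt):
    """Return 'permit' or a 'deny: ...' reason for one packet."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "wan" and src in INSIDE_NET:
        # The rule from the text: an outside packet claiming an inside source.
        return "deny: outside packet claims inside source address"
    if pkt.iface == "lan" and src not in INSIDE_NET:
        # Mirror-image egress rule, added for this example.
        return "deny: inside packet claims outside source address"
    return "permit"


def filter_packets(packets):
    """Apply the verdict to a batch; returns (permitted, denied) lists of (packet, verdict)."""
    permitted, denied = [], []
    for pkt in packets:
        verdict = antispoof_verdict(pkt)
        (permitted if verdict == "permit" else denied).append((pkt, verdict))
    return permitted, denied


# Constructed sample traffic (addresses are illustrative only).
SAMPLE = [
    Packet("wan", "202.132.154.1", "192.168.1.10"),  # ordinary inbound traffic
    Packet("wan", "192.168.1.5", "192.168.1.10"),    # spoofed: inside source arriving from outside
    Packet("lan", "192.168.1.10", "202.132.154.1"),  # ordinary outbound traffic
    Packet("lan", "10.9.8.7", "202.132.154.1"),      # spoofed: outside source leaving from inside
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    for pkt, why in bad:
        print(f"{pkt.iface} {pkt.src} -> {pkt.dst}: {why}")
```

The check is stateless and only looks at the source address against the interface it arrived on, which is exactly why it is cheap enough to run on every packet even when the stateful firewall is off.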
165. [screenshot: Wireless Card > MAC Address Filter: user names paired with MAC addresses beginning 00:a0:c5]
After you have configured the Security and MAC filter profiles, you can choose them in the main page of the wireless card settings, as shown.
[screenshot: Wireless Card Setting: 802.11g, Channel 06 (2437 MHz), Security profile security01, MAC Filter profile, SSID Profile]
Seamless Incorporation into your network: Using Transparent Bridge Mode Firewall
If a user wants to insert a firewall into the current network, the IP settings of hosts and servers may need to change. The following illustrates an example of a current deployment where servers and other hosts sit in the same IP segment:
[figure: Internet Gateway 210.242.82.254/24; Web Server 210.242.82.1/24; FTP Server 210.242.82.2/24; Mail Server 210.242.82.3/24; PC A, PC B, PC C and PC D on the same 210.242.82.x/24 segment]
If a router-mode firewall is inserted into the existing network, the user may need to reassign the IPs of all servers and hosts, and
166. ontent Filtering has incorrectly blocked you from the above site ..." [screenshot: the www.zyxel.com home page to which the blocked request was redirected]
Centralized Management Using Vantage CNM for Management
Vantage CNM is a centralized network management solution that allows users to easily configure, manage and monitor ZyWALL devices from any location. Vantage CNM provides some key features such as Centralized Firewall Management, Firmware Upgrade and Management, Intuitive Device and Account Monitoring, Logs and Alarms, One-click VPN, and Multiple Administrator / Multiple Domain Management. The following diagram depicts an example of the network environment for using Vantage CNM.
167. opology [figure: VPN Tunnel between My ZyWALL and Remote Gateway; Local Network LAN1 172.16.1.0/255.255.255.0 and Remote Network 172.16.1.0/255.255.255.0; NAT over IPSec maps Private IP 172.16.1.1 to 172.16.1.254 onto Virtual Starting IP Address 172.16.3.1 to Virtual Ending IP Address 172.16.3.254; WAN1 192.168.4.254]
The above is an IPSec VPN application running in tunnel mode. In the network topology shown, both local area networks (LANs) are assigned the same IP network and network mask, 172.168.1.0/24. Without a special feature enhancement on both side gateway routers, establishing an IPSec VPN based on this network topology is not possible, since it will cause a routing problem. You are required to manually change at least one of the LAN IP addresses in order to prevent the routing problem. Unfortunately, changing the entire network setting takes extra configuration effort, which is never preferable. The feature enhancement named NAT over IPSec is designed to resolve the IP network overlapping problem without changing the original network architecture. In order to achieve this application, you are required to configure the ZyWALL devices on both sides according to the following procedures.
Assumption: we call My ZyWALL "ZyWALL 1" and Remote Gateway "ZyWALL 2".
> Configure network setting on ZyWA
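The Many One-to-One virtual address mapping that NAT over IPSec applies, simulated end to end so the overlap problem and its resolution are visible. This is an added example, not ZyXEL code: the private range 172.16.1.1 to 172.16.1.254 and the virtual range starting at 172.16.3.1 follow the figure above, the second site's virtual range (172.16.2.x) and all function and class names are constructed for the example.

```python
# Added illustration (not ZyXEL code): the Many One-to-One virtual address
# mapping of NAT over IPSec, simulated for two sites that share 172.16.1.0/24.
# Ranges follow the figure; the names and the second site's range are constructed.
import ipaddress


def build_many_one_to_one(private_start, private_end, virtual_start):
    """Map each private address in the range to one virtual address, in order."""
    p_first = int(ipaddress.ip_address(private_start))
    p_last = int(ipaddress.ip_address(private_end))
    v_first = int(ipaddress.ip_address(virtual_start))
    return {
        str(ipaddress.ip_address(p_first + i)): str(ipaddress.ip_address(v_first + i))
        for i in range(p_last - p_first + 1)
    }


class NatOverIpsec:
    """One gateway's view: translate before encryption, untranslate after decryption."""

    def __init__(self, mapping):
        self.outbound = mapping                              # private -> virtual
        self.inbound = {v: k for k, v in mapping.items()}    # virtual -> private

    def before_encrypt(self, src, dst):
        """Outbound: rewrite the local private source to its virtual address."""
        return self.outbound.get(src, src), dst

    def after_decrypt(self, src, dst):
        """Inbound: rewrite the virtual destination back to the real local host."""
        return src, self.inbound.get(dst, dst)


def round_trip(local_gw, remote_gw, src, dst):
    """Simulate one packet from a host behind local_gw to a host behind remote_gw.

    Hosts address the remote site by its virtual range, so dst is a virtual
    address; the remote gateway maps it back to the real host. Returns the
    (src, dst) pair the remote LAN actually sees.
    """
    src_out, dst_out = local_gw.before_encrypt(src, dst)   # what enters the tunnel
    return remote_gw.after_decrypt(src_out, dst_out)       # what the remote LAN sees


if __name__ == "__main__":
    # Constructed: both sites use 172.16.1.0/24. ZyWALL 1 presents itself as
    # 172.16.3.x (as in the figure) and ZyWALL 2 as 172.16.2.x.
    gw1 = NatOverIpsec(build_many_one_to_one("172.16.1.1", "172.16.1.254", "172.16.3.1"))
    gw2 = NatOverIpsec(build_many_one_to_one("172.16.1.1", "172.16.1.254", "172.16.2.1"))
    print(round_trip(gw1, gw2, "172.16.1.10", "172.16.2.20"))  # ('172.16.3.10', '172.16.1.20')
```

Because the source seen by the remote LAN is the virtual 172.16.3.10 rather than the overlapping 172.16.1.10, the reply is routed into the tunnel (remote network 172.16.3.0) instead of onto the local segment, and the same mapping applied in reverse on the way back delivers it to the real host.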
168. ow the same procedures as steps 10 to 16 to add the second Network Policy, PC2 to Dept2.
[screenshot: VPN Rules summary: a gateway policy with static public IP addresses and two network policies, PC1 to Dept1 (192.168.1.101) and PC2 to Dept2 (192.168.1.102)]
Finish.
Using Certificate for Device Authentication
IKE must authenticate the identities of the systems using the Diffie-Hellman algorithm. This process is known as primary authentication. IKE can use two primary authentication methods: 1. Digital Signatures; 2. Pre-shared keys. Digital signatures and public key encryption are both based on asymmetric key encryption and require a mechanism for distributing public keys. This is usually done using security certificates and a Public Key Infrastructure (PKI). If a certificate (Digital Signatures) is used for authentication, there are five available types of identity: IP, DNS, E-mail, Subject Name and Any. Depending on how certificates are generated, this can be classified into three methods: 1. Using Self-signed Certificates (both entities must be ZyXEL IPSec gateways); 2. Online Enroll Certificates; 3. Offline Enroll Certificates. This example displays how to use the PKI feature in the VPN function of a ZyXEL appliance. Through the PKI function, use
169. packet, the resulting ICMP traffic will not only clog up the intermediary network but will also congest the network of the spoofed source IP address, known as the victim network. This flood of broadcast traffic consumes all available bandwidth, making communications impossible.
B12. What is an IP Spoofing attack? Many DoS attacks also use IP Spoofing as part of their attack. IP Spoofing may be used to break into systems, to hide the hacker's identity, or to magnify the effect of the DoS attack. IP Spoofing is a technique used to gain unauthorized access to computers by tricking a router or firewall into thinking that the communications are coming from within the trusted network. To engage in IP Spoofing, a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall.
B13. What are the default ACL firewall rules in the ZyWALL? There are two default ACLs pre-configured in the ZyWALL: one allows all connections from LAN to WAN, and the other blocks all connections from WAN to LAN except for DHCP packets.
[figure: ZyWALL 10 between the LAN and the Internet; Default ACLs: Forward LAN to WAN Connections, Block WAN to LAN Connections]
B14. Why does traffic redirected by a static policy route get blocked by the ZyWALL? The ZyWALL is an ideal secure gatew
170. pe the Starting IP Address and Ending IP Address / Subnet, which are your local site LAN IP addresses. In this example you should type 192.168.1.0 in the Starting IP Address field and then 255.255.255.0 in the Ending IP Address / Subnet field.
[Screenshot: Local Network, Address Type Subnet Address, Starting IP Address 192.168.1.0, Ending IP Address / Subnet 255.255.255.0, Local Port Start 0 End 0.]
12. On Remote Network, choose Subnet Address for your Address Type. Starting IP Address and Ending IP Address / Subnet are your remote site LAN IP addresses. In this example you should type 192.168.2.0 in the Starting IP Address field and then 255.255.255.0 in the Ending IP Address / Subnet field.
[Screenshot: Remote Network, Address Type Subnet Address, Ending IP Address / Subnet 255.255.255.0, Remote Port Start 0 End 0.]
13. On IPSec Proposal, set Encapsulation Mode to Tunnel, Active Protocol to ESP, Encryption Algorithm to DES and Authentication Algorithm to SHA1, and then press the Apply button on this page.
[Screenshot: IPSec Proposal page (Tunnel, DES, SA life time 28800).]
14. After you press the Apply button you will see the following page.
[Screenshot: VPN Rules (IKE) page listing the new VPN tunnel.]
2. Setup CheckPoint VPN
1. Setup Network Objects
171. poration.

ZyWALL vs 3rd Party VPN Gateway
SonicWALL with ZyWALL VPN Tunneling
1. Setup ZyWALL VPN
2. Setup SonicWALL VPN
This page guides us through setting up a VPN connection between the ZyWALL and a SonicWALL router. As shown in the figure below, the tunnel between PC1 and PC2 ensures that the packet flows between them are secure, because the packets going through the IPSec tunnel are encrypted. To set up this VPN tunnel, the required settings for ZyWALL and SonicWALL are explained in the following sections. As shown by the red pipe in the following figure, the tunneling endpoints are the ZyWALL router and the SonicWALL router.
[Figure: IPSec tunnel between ZyWALL and SonicWALL.] The IP addresses we use in this example are as shown below: ZyWALL WAN 172.22.3.89, LAN 192.168.1.1; SonicWALL WAN 172.22.1.251, LAN 192.168.168.168.
1. Setup ZyWALL VPN
10. Using a web browser, log in to ZyWALL by giving the LAN IP address of ZyWALL in the URL field. The default LAN IP is 192.168.1.1; the default password to log in to the web configurator is 1234.
11. Go to SECURITY > VPN and press the Add button.
[Screenshot: VPN Rules (IKE) page.]
12. Give a name for your policy, for example ToSonicWALL.
13. My IP Addr is the WAN IP of ZyWALL. In this example you should type the IP address 172.22.3.89 in the My ZyWALL text box.
1
172. public key to scramble the information in the message. Only the recipient's private key can decrypt the message. So if Bob wants to send a confidential message to Alice, his PKI software finds Alice's public key in the directory where it is published and he uses it to encrypt his message. When Alice receives the encrypted message, she uses her private key to decrypt it. Because Alice keeps her private key secret, Bob can be assured that even if his message were to be intercepted, only Alice can read it.
[Figure: Bob encrypts the plaintext message with Alice's public key; Alice decrypts it with her private key to recover the plaintext message.]

G10. What is a digital signature?
Not to be confused with a digitized signature (a scan of a hand-written signature), a digital signature can be used with either encrypted or unencrypted messages to confirm the sender's identity and to ensure the recipient that the message content has not been changed in transmission. Digital signatures incorporate the characteristics of hand-written signatures in that they can only be generated by the signer, are verifiable, and cannot easily be imitated or repudiated.

G11. How does a digital signature work?
Suppose that the famous Bob and Alice wish to correspond electronically. Bob wants to assure Alice that he originated the electronic message and that its contents have not been tampered with. He does so by signing the message with a digital signature.
173. r; the issuing Certification Authority's distinguished name; the user's public key; the validity period; the certificate's serial number. The issuing Certification Authority's digital signature is for verifying the information in the digital certificate.

G07. What are public and private keys, and what is their relationship?
A PKI uses asymmetric cryptography to encrypt and decrypt information. In asymmetric cryptography, encryption is done with a freely available public key and decryption is done with a closely guarded private key. Although the public and private keys in a particular key pair are mathematically related, it is impossible to determine one key from the other. Each key in an asymmetric key pair performs a function that only the other can undo.

G08. What are Certificate Policies (CPs)?
Certification Authorities issue digital certificates that are appropriate to specific purposes or applications. For example, in the Government of Canada Public Key Infrastructure, digital certificates for data confidentiality are different from those used for digital signatures. Certificate Policies describe the rules governing the different uses of these certificates.

G09. How does a PKI ensure data confidentiality?
Users' public keys are published in an accessible directory. A person wishing to send an encrypted message uses the recipient's
174. r web browser, e-mail client or other secure program. Once you acquire a certificate, you will be able to securely identify yourself to other people over the web, sign your e-mail messages, encrypt your e-mail messages and more, depending upon the type of certificate you request.
[Screenshot: Microsoft Certificate Services, Select a task: Retrieve the CA certificate or certificate revocation list; Request a certificate; Check on a pending certificate.]
4. Choose Advanced request, then press the Next > button.
[Screenshot: Microsoft Certificate Services at http://192.168.1.33/certsrv/certrqus.asp, Choose Request Type: User certificate request; Advanced request.]
5. Choose "Submit a certificate request using a base64 ..." then press the Next > button.
[Screenshot: Microsoft Certificate Services, Advanced Certificate Requests.] You can request a certificate for yourself, another user or a comput
175. related settings of applications. However, it may be a huge task for administrators.
[Figure: Router Mode. Internet gateway 210.242.82.254/24; ZyWALL LAN 192.168.1.1/24 with WEB server, FTP server 192.168.1.2/24 and Mail server 192.168.1.3/24 behind it.]
Deploying a transparent mode firewall doesn't require any changes of settings on the original network topology. It works as a bridge/switch, therefore all the hosts can communicate with each other as if there were no firewall in between. At the same time, the transparent firewall can check the packets passing through it, block attacks and limit unauthorized access through access control rights.
[Figure: Bridge Mode. Internet gateway 210.242.82.254/24, WEB server 210.242.82.1/24, Mail server 210.242.82.3/24, and PCs A, B and C.]
In the following section we will explain how to configure ZyWALL as a bridge firewall, so that all hosts and servers can keep using the same IP addresses as in the current network.
Users can configure ZyWALL to act as a router mode firewall or a bridge (transparent) firewall. The default is router mode firewall.
Step 1. Before changing ZyWALL to bridge mode, if the admin wants to make the ZyWALL's LAN PCs able to get DHCP IP address assignment from t
176. revocation lists from a certificate store to your disk. A certificate, which is issued by a certification authority, is a confirmation of your identity and contains information used to protect data or to establish secure network connections. A certificate store is the system area where certificates are kept. To continue, click Next.
11. Choose DER encoded binary X.509 (.CER), then press Next >.
[Screenshot: Certificate Export Wizard, Export File Format. Options: DER encoded binary X.509 (.CER); Base-64 encoded X.509 (.CER); Cryptographic Message Syntax Standard PKCS #7 Certificates (.P7B), include all certificates in the certification path if possible; Personal Information Exchange PKCS #12 (.PFX), include all certificates in the certification path if possible, enable strong protection (requires IE 5.0, NT 4.0 SP4 or above), delete the private key if the export is successful.]
12. Specify the path to store your exported certificate.
[Screenshot: Certificate Export Wizard, File to Export, file name zywall_b.cer.]
13. Click Finish.
[Screenshot: Certificate Export Wizard, Comple
177. [Screenshot: Check Point policy installation, Select Targets. Installation Mode: Install on each selected gateway independently; for Gateway Clusters install on all the members, if it fails do not install at all; Install on all selected gateways, if it fails do not install on gateways of the same version. Revision Control: Name Standard 2005-08-30 14:29:06, Comment Created by test.]
54. Wait a few seconds for the installation.
[Screenshot: Installation Process, Standard, Installation Targets, Verifying.]
55. If you install the policy successfully, your VPN tunnel should work normally with your ZyWALL.
[Screenshot: Installation Process, Progress: Installation completed successfully.]

FortiNet with ZyWALL VPN Tunneling
1. Setup ZyWALL VPN
2. Setup FortiNet VPN
This page guides us through setting up a VPN connection between the ZyWALL and a FortiNet router. As shown in the figure below, the tunnel between PC1 and PC2 ensures that the packet flows between them are secure, because the packets going through the IPSec tunnel are encrypted. To set up this VPN tunnel, the required settings for ZyWALL and FortiNet are
178. rk policy to same gateway policy ... 48
Using Certificate for Device Authentication ... 53
Using Self-signed Certificates ... 54
Online Enroll Certificates ... 57
Offline Enroll Certificates ... 66
Using Pre-Shared Key for Device Authentication ... 99
Using VPN routing between branches ... 100
NAT over IPSec on ZyNOS ... 110
Never lose your VPN connection (IPSec High Availability) ... 119
Access control and security VPN connection (security policy [illegible] IPSec) ... 123
How to configure access control rule over VPN ... 123
How to configure Web filtering rule over VPN (Content Filter) ... 128
ZyWALL vs 3rd Party VPN Gateway ... 130
SonicWALL with ZyWALL VPN Tunneling ... 130
NetScreen with ZyWALL VPN Tunneling ... 139
Check Point with ZyWALL VPN Tunneling ... 151
FortiNet with ZyWALL VPN Tunneling ... 185
Remote Access VPN Scenario ... 198
Using xAuth for User Authentication ... 198
ZyXEL VPN Client to ZyWALL Tunneling ... 200
Content Filter Application
179. rks, select the "Specify destination networks below" option and then press the Add button.
[Screenshot: Network / Subnet Mask dialog.]
4. Network (IP Address) and Subnet Mask are your remote site LAN IP addresses. In this example you should type 192.168.1.0 in the Network text box and then 255.255.255.0 in the Subnet Mask text box, and then press the OK button.
[Screenshot: Edit dialog at http://192.168.168.168 with Network 192.168.1.0 and Subnet Mask 255.255.255.0.]
5. Click the Proposals tab. On IKE (Phase 1) proposal settings, select Main mode, DH Group to Group 1, Encryption to DES and Authentication to MD5. On IPsec (Phase 2) proposal settings, select ESP Protocol, Encryption to DES and Authentication to SHA1. Then press the OK button on this page.
[Screenshot: Proposals tab with DH Group 1 selected.]
6. When you have finished your settings, you will see the following page.
[Screenshot: SonicWALL VPN policy list: 1 GroupVPN, ESP 3DES HMAC SHA1, IKE; 2 ToZyWALL, destination 192.168.1.1 to 192.168.1.254, ESP DES HMAC SHA1, IKE.]
7. When your VPN tunnel is up, you will see the following page.
[Screenshot: SonicWALL VPN status page listing the active tunnel.]
180. [Screenshot: VPN rule toZyWALL_A on ZyWALL B showing the property, IKE, Tunnel, Extended Authentication, Local Policy (Subnet Address), Remote Policy (Subnet Address), Authentication Method, Gateway Information (DDNS name louisezywall.dyndns.org) and IPSec Algorithm sections, with Advanced, Apply and Cancel buttons.]
13. You can check detailed settings by clicking the Advanced button.
[Screenshots: Phase 1 and Phase 2 advanced settings.]

Step 6. Using Certificate in VPN on ZyWALL B
1. Activate the rule.
2. Give this VPN rule a name: toZyWALL_A.
3. Select Key Management to IKE.
4. Select Negotiation Mode to Main.
5. Edit Local: Address Type Subnet Address, Starting IP Address 192.168.2.0, End IP Address / Subnet Mask 255.255.255.0.
6. Edit Remote: Address Type Subnet Address, Starting IP Address 10.1.33.0, End IP Address / Subnet Mask 255.255.255.0.
7. Authentication Key: select Certificate and choose the certificate you enrolled for this device from the drop-down list.
8. Fill in My IP address: 192.168.1.36.
9. Peer ID type: ANY.
10. Secure Gateway Address: 192.168.1.35.
11. Encapsulation Mode: Tunnel.
12. Leave other options as default.
181. rporation.
[Screenshot: VPN rule with Gateway Policy Information, NAT over IPSec section (Virtual Address Mapping Rule, Many One-to-One, Port Forwarding Rules), Local Network Range Address and Remote Network Range Address.]
On ZyWALL 2, the Virtual IP Addresses start from 172.16.3.1 to 172.16.3.254.
[Screenshot: Remote Network range address and IPSec Proposal.]
STEP 4. Establish the IPSec VPN Tunnel Connection
Click Security > VPN > Connect in order to establish the IPSec VPN tunnel connection.
[Screenshot: VPN Rules (IKE) page with the VPN tunnel entry.]
Once IPSec works correctly, you will see the message as it appears in the following screenshot; click Return to go back to the VPN page.
[Screenshot: VPN dial status.]
You can also check the SA by clicking the SA Monitor tab.
[Screenshot: Security Associations Table with columns Name, Local Network, Remote Network and IPSec Algorithm, plus Refresh and Disconnect buttons.]
STEP 5. Validate the functionality of NAT over IPSec by PING command
Once the VPN tunnel is established, we can ping the following hosts to ensure that the NAT function is working correctly.
182. rs can achieve party identification when doing VPN IPSec negotiation.

Using Self-signed Certificates
For customers who don't have CA service support in their environment but would like to use the PKI feature, ZyWALL provides self-signed certificates to achieve this. As the name indicates, a self-signed certificate is a certificate signed by the device (ZyWALL) itself. ZyWALL has the feature to sign itself a so-called self-signed certificate, which can be imported into another ZyWALL for authentication. This feature allows users to use certificates without a CA. The certificate must be exchanged and imported into Trusted Remote Hosts before making a VPN connection.
[Figure: certificate export and import between two ZyWALLs.]
The factory default self-signed certificates are the same on all ZyWALL models. It is not secure to use the default self-signed certificate. To make the self-signed certificate unique for this device, you should replace the factory default certificate by pressing the Apply button on the following page the first time you log in to ZyWALL.
[Screenshot: Replace Factory Default Certificate. "The factory default certificate is common to all ZyWALL models. Click Apply to create a certificate using your ZyWALL's MAC address that will be specific to this device."]
If you reset ZyWALL to the default configuration file, the original self-signed certificate is also erased and a new self-signed ce
183. rs to be accessed by remote users on the Internet, you need to go to ADVANCED > SUA/NAT > SUA Server to set up which service or port numbers you would like to forward to which internal server.
Multi-NAT: if you get multiple public IP addresses from your ISP, then you may use Multi-NAT. With Multi-NAT you can choose different types of NAT mapping methods to utilize the public IP addresses. You should define each NAT mapping rule clearly in ADVANCED > SUA/NAT > Address Mapping so that internal PCs can access the Internet and internal servers can be accessed by remote users on the Internet.
Step 1. Applying NAT in WAN Interface
You can choose the NAT mapping type, either SUA Only or Full Feature, in WAN setup (NETWORK > WAN, Advanced Setup) or in ADVANCED > NAT > NAT Overview.
[Screenshots: NETWORK > WAN page (ISP Parameters for Internet Access, WAN IP Address Assignment, Advanced Setup) and ADVANCED > NAT page (NAT Overview, Address Mapping, Port Forwarding, Port Triggering).]
Set to Full Feature if there are multiple IP addresses given by the ISP that can be assigned to your clients. Set to Routing if clients have Internet IP addresses and thus do not need the NAT function.
184. rself, another user or a computer using one of the following methods. Note that the policy of the certification authority (CA) will determine the certificates that you can obtain. Options: Submit a certificate request to this CA using a form; Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file; Request a certificate for a smart card on behalf of another user using the Smart Card Enrollment Station (you must have an enrollment agent certificate to submit a request for another user).
6. Right-click your mouse, then paste the certificate request you got in step 2.1.
[Screenshot: Microsoft Certificate Services, Submit a Saved Request: "Paste a base64 encoded PKCS #10 certificate request or PKCS #7 renewal request generated by an external application (such as a web server) into the request field to submit the request to the certification authority (CA)." Saved Request (Base64 Encoded Certificate Request, PKCS #10 or #7), Browse for a file to insert, Certificate Template: User, Additional Attributes.]
7. Click Download CA certification path.
[Screenshot: Microsoft Cert
185. rtificate should be created at the first boot-up time. To use a self-signed certificate, go to ZyWALL CERTIFICATES > My Certificates and export ZyWALL's certificate.
[Screenshot: My Certificates list showing auto_generated_self_signed_cert, type SELF, subject and issuer CN=ZyWALL ... 00A0C5012345, valid from Jan 1st 2000 00:00:00 GMT to Jan 1st 2030 00:00:00 GMT.]
1. Press Export to save the ZyWALL self-signed certificate to the local computer in Binary X.509 format.
[Screenshot: Certificate in PEM (Base-64) Encoded Format, showing the PEM text of the certificate with Apply and Cancel buttons.]
2. Or mark the certificate in PEM (Base-64) Encoded Format, copy it to a text editor (e.g. Notepad) and then save it to your local computer in PEM (Base-64) Encoded Format.
Certificate in PEM B
186. s ... 255
G04 What are the main elements of a PKI? ... 255
G05 What is a Certification Authority? ... 256
G06 What is a digital certificate? ... 256
G07 What are public and private keys, and what is their relationship? ... 256
G08 What are Certificate Policies (CPs)? ... 256
G09 How does a PKI ensure data confidentiality? ... 257
G10 What is a digital signature? ... 257
G11 How does a digital signature work? ... 257
G12 Does ZyXEL provide CA service? ... 259
G13 What if customers don't have access to CA service but would like to use the PKI function? ... 259
G14 How can I have a self-signed certificate for a ZyXEL appliance? ... 259
G15 Can I create self-signed certificates in addition to the default one? ... 259
G16 Will the self-signed certificate be erased if I reset to default configuration file? ... 259
G17 Will certificates
187. s Corporation.
2.12. Check the Active check box and give a name to this policy. Give this VPN rule a name: Branch_A. Select Key Management to IKE and Negotiation Mode to Main. In the Local section, select Address Type to Range Address, set IP Address Start to 192.168.3.0 and End to 192.168.3.255. This section covers the LAN segment of branch office A. In the Remote section, select Address Type to Range Address, set IP Address Start to 192.168.1.0 and End to 192.168.2.255. This section covers the LAN segments of both headquarters and branch office B. My IP Addr is the WAN IP of this ZyWALL, 202.3.1.1. Set Secure Gateway Addr to the IP address of headquarters, 202.1.1.1. Select Encapsulation Mode to Tunnel. Check the ESP check box (AH cannot be used in the SUA/NAT case). Select Encryption Algorithm to DES and Authentication Algorithm to SHA-1. These parameters are for IKE phase 2 negotiation. You can set more detailed configuration by pressing the Advanced button. Enter the key string 12345678 in the Pre-shared Key text box and click Apply.
[Screenshot: VPN rule Branch_A showing the Property, NAT Traversal, IKE, Extended Authentication, Local Policy, Remote Policy, Authentication Method (pre-shared key or auto_generated_self_signed_cert), Gateway Information and IPSec Algorithm sections.]
You can set
188. s moment the configuration is synchronized on both the device and Vantage CNM.
[Screenshot: Vantage CNM Setup on the device: Registration Information, Registration Status, Last Registration Time 2005-03-16 10:30:22; Enable Vantage CNM, Server Address, Encryption Algorithm.]
On Vantage CNM the device icon will turn green, the device status will change to On, and the WAN IP of the device will be shown on the content screen.
[Screenshot: Vantage CNM device status list showing a ZyWALL 70 with its MAC address, status On, firmware version and last edit time 2005-3-16 18:31:02.]

FAQ
A. Product FAQ
A01. What is the ZyWALL Internet Access Sharing Router?
The ZyWALL series fulfills a range of application environments, from small and medium businesses, SOHO or telecommuters to home users or education applications. The ZyWALL series provides a robust firewall to protect your network, and the IPSec VPN function allows you to create a secure connection for e-business. ZyWALL's design helps users save expenses, minimize maintenance and simultaneously provide a high quality networking environment. The ZyWALL series is a robust solution complete with everything needed for providing Internet access to multiple workstations through your cable or ADSL modem. It is the most simple and affordable solution for multiple an
189. send it to the CA server for enrollment. After the CA server agrees to issue the corresponding certificate, ZyWALL will receive it automatically and you will find a newly enrolled certificate in My Certificates.
[Screenshot: My Certificates list (tabs My Certificates, Trusted CAs, Trusted Remote Hosts, Directory Servers; PKI Storage Space in Use) showing auto_generated_self_signed_cert (SELF) and the newly enrolled certificate (CERT) with subject CN=test.zyxel.com.tw issued by CN=SSH Test CA.]

Step 4. Using Certificate in VPN on ZyWALL A
1. Activate the rule.
2. Give this VPN rule a name: toZyWALL_B.
3. Select Key Management to IKE.
4. Select Negotiation Mode to Main.
5. Edit Local: Address Type Subnet Address, Starting IP Address 10.1.33.0, End IP Address / Subnet Mask 255.255.255.0.
6. Edit Remote: Address Type Subnet Address, Starting IP Address 192.168.2.0, End IP Address / Subnet Mask 255.255.255.0.
7. Authentication Key: select Certificate and choose the certificate you enrolled for this device from the drop-down list.
8. Fill in My IP address: 192.168.1.35.
9. Peer ID type: ANY.
10. Secure Gateway Address: 192.168.1.36.
11. Encapsulation Mode: Tunnel.
12. Leave other options as default.
[Screenshot: VPN rule toZyWALL_B on ZyWALL A, Property, NAT Traversal and Extended Authentication sections.]
190. since Branch B's LAN is also included in the remote policy, please go to ZyWALL's SMT menu 24.8 (CI command mode) and issue this command, so that local management traffic from Branch B's LAN PC to Branch B's ZyWALL does not go into VPN processing.
You can set up IKE phase 1 and phase 2 parameters by pressing the Advanced button. Please make sure that the parameters you set in this menu match all the parameters of the corresponding VPN rule in headquarters.
[Screenshots: Phase 1 and Phase 2 advanced settings.]
3. Setup VPN in Headquarters
1. The corresponding rule for Branch_A in headquarters:
[Screenshot: VPN rule for Branch_A (Property, NAT Traversal, IKE, Extended Authentication, Local Policy, Remote Policy, Authentication Method, Gateway Information, IPSec Algorithm ESP) and its Phase 1 / Phase 2 settings.]
2. The corresponding rule for Branch_B:
[Screenshot: VPN rule for Branch_B (Authentication Method: certificate from My Certificates, IPSec Algorithm ESP) and its Phase 1 / Phase 2 settings.]

NAT over IPSec on ZyNOS
Network T
191. ... 263
H14 What is WEP? ... 263
H15 What is a WEP Key? ... 263
H16 By turning off the broadcast of SSID, can someone still sniff the SSID? ... 263
H17 What is [illegible]? ... 264
H18 Can I use WiFi access when I plug a 3G wireless card in the PCMCIA slot? ... 264

Application Notes
Mobility Internet Access
You may have experienced a need for Internet access in a location where a wired connection is difficult to deploy, e.g. in the countryside or mountains. Or you are just in a public environment without Internet access, like in a park, on a bus, in a train or the metropolitan subway, etc. Or you may temporarily need Internet access when you are in your exhibition booth and need Internet access for some demonstration. ZyWALL 2WG is especially designed for mobility Internet access: it is light to carry everywhere and can utilize a 3G card for dial-up to get Internet access. Besides, you could utilize the embedded wireless card to provide wireless access for your LAN users. Not only for mobility, you could also use ZyWALL 2WG as your WAN backup in the small office or SOHO. You could further choose a certain load balancing mechanism to perform dual WAN access. In summary, you could utilize the 3G wireless access for your primary WA
192. ssembled at the destination, some systems will crash, hang or reboot.

B09. What is a SYN Flood attack?
A SYN attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer, which is set at relatively long intervals, terminates the TCP three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for legitimate users.

B10. What is a LAND attack?
In a LAND attack, hackers flood SYN packets to the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.

B11. What is a Brute force attack?
A Brute force attack, such as a Smurf attack, targets a feature in the IP specification known as directed or subnet broadcasting to quickly flood the target network with useless data. A Smurf hacker floods a router with ICMP echo request packets; since the destination IP address of each packet is the broadcast address of the network, the router will broadcast the ICMP echo request packet to all hosts on the network. If there are numerous hosts, this will create a large amount of ICMP echo request
193. stored in ZyXEL appliance be erased if I reset to default configuration file? ... 259
G18 What can I do prior to resetting the appliance's configuration? ... 259
G19 If I export My Certificates from a ZyXEL appliance, save them locally and then import them back after resetting the configuration file, can I reuse the imported My Certificates? ... 260
H. Wireless FAQ ... 260
H01 What are the capabilities of the wireless feature of ZyWALL? ... 260
H02 What is the coverage range of Wireless in ZyWALL? ... 260
H03 What is a Wireless LAN? ... 260
H04 What are the advantages of Wireless LANs? ... 260
H05 What is IEEE 802.11? ... 261
H06 What is 802.11b? ... 261
H07 What is 802.11g? ... 261
H08 What is 802.11a? ... 262
H09 What is WiFi? ... 262
H10 What types of devices use the 2.4 GHz Band? ... 262
H11 Can wireless signals pass through walls? ... 262
H12 What are the potential factors that may cause interference among WLAN products? ... 262
H13 What is SSID (Service Set ID)?
194. stration flow is embedded in the device's WebGUI. Furthermore, the customer is no longer required to manually input the MAC of the device, because the MAC will be automatically sent to myZyXEL.com during the registration flow.

236  All contents copyright (c) 2006 ZyXEL Communications Corporation  ZyXEL ZyWALL 2WG Support Notes

D05 If I were new to myZyXEL.com, what are the required fields when I register my ZyWALL device on myZyXEL.com?
The required fields include user name, password, valid email address and country.

D06 When using the new registration flow of myZyXEL.com for ZyNOS v4.0, do I have to create a new account if I were already a registered user on myZyXEL.com?
No, you don't have to re-create a user account on myZyXEL.com if you were a registered user. Your user profile is already stored on myZyXEL.com.

D07 What is mySecurityZone?
1. mySecurityZone is a free service portal. It's open to the public.
2. For public users, you can browse the latest security news and updates from ZSRT, access free resources and subscribe to our free newsletter.
3. For those ZyWALL product owners who have already registered on myZyXEL.com, you can additionally use the same username/password to login to mySecurityZone to view the detail description for all policies of the AV/IDP service and make queries. Furthermore, you automatically receive our advisories carrying the latest security updates and valuable information.
Summary: In mySecurityZone you can
195. t Web Data (including ActiveX, Java Applet, Cookie, Web proxy)
• URL keywords blocking
• BlueCoat filter list

E09 What are the primary features of ZyXEL Content Filtering?
• Blocking or Forwarding / Policy Management: ZyXEL appliance
• Monitoring: BlueCoat
• Real-time URL Rating: BlueCoat
• Real-Time Reporting: BlueCoat

E10 Who needs ZyXEL Content Filtering? Is ZyXEL Content Filtering for small companies or for large corporations?
All businesses can benefit from using the ZyXEL Content Filtering solution. ZyXEL Content Filtering helps organizations manage, monitor and report on users' Internet activity regardless of their location within the organization. Almost any organization (business, government or school) can benefit from BlueCoat's centrally managed, web-based filtering service. Consider the following: 30 to 40% of Internet surfing during work hours is not business related. In some companies, as much as 70% of bandwidth is consumed by non-productive pursuits. 68% of all Internet porn traffic occurs during the 9-to-5 workday. 53% of teens have encountered offensive Web sites that include pornography, hate or violence. Of these, 91% unintentionally found the offensive sites while searching the Web. ZyXEL Content Filtering is helpful to improve productivity, minimize legal liability and conserve costl
196. t operates in the unlicensed 5 GHz band and allows transmission rates of up to 54 Mbps. 802.11a uses OFDM (orthogonal frequency division multiplexing) as opposed to FHSS or DSSS. Higher data rates are possible by combining channels. Due to the higher frequency, range is less than lower-frequency systems (i.e. 802.11b and 802.11g), and this can increase the cost of the overall solution because a greater number of access points may be required. 802.11a is not directly compatible with 802.11b or 802.11g networks. In other words, a user equipped with an 802.11b or 802.11g radio card will not be able to interface directly to an 802.11a access point. Multi-mode NICs will solve this problem.

H09 What is Wi-Fi?
The Wi-Fi logo signifies that a product is interoperable with wireless networking equipment from other vendors. A Wi-Fi logo product has been tested and certified by the Wireless Ethernet Compatibility Alliance (WECA). The Socket Wireless LAN Card is Wi-Fi certified, and that means that it will work (interoperate) with any brand of Access Point that is also Wi-Fi certified.

H10 What types of devices use the 2.4 GHz Band?
Various spread spectrum radio communication applications use the 2.4 GHz band. This includes WLAN systems (not necessarily of the type IEEE 802.11b), cordless phones, wireless medical telemetry equipment and Bluetooth short-range wireless applications, which include connecting printers to computers and connecting modems or hands-free
197. ter check box to enable the CF function. In Schedule to Block, select Always Block to let the CF engine block the web sites. In Message to display when a site is blocked, you can input text, say "Website Blocking", to remind the user that the website he is trying to access is blocked. And you can input a URL in the Redirect URL field, for example www.zyxel.com, to redirect the original URL to this redirect URL. In the Exempt Computers item, we can select "Exclude specified address ranges from the content filter enforcement" to NOT apply content filter policies to the specified IP address ranges. For example, if the CEO's computer, which is assigned the IP address 192.168.10.200, must NOT be subject to the CF engine, the IT staff can add this IP address 192.168.10.200 to the list to meet this exclusion requirement. Click on the Apply button to save the settings.

[Screenshot: CONTENT FILTER > General page: Enable Content Filter; Restrict Web Features (Block ActiveX, Java Applet, Cookies, Web Proxy); Schedule to Block (Always Block, or Block From ... To ... in 24-Hour Format); Message to display when a site is blocked; Exempt Computers (Enforce content f
198. ting the Certificate Export Wizard: "You have successfully completed the Certificate Export wizard. You have specified the following settings: File Name; Export Keys; Include all certificates in the certification path: No; File Format: DER En..."

14. Go to ZyWALL WEB GUI > VPN > My Certificates > click the Import button.
[Screenshot: CERTIFICATES > My Certificates page, showing the auto_generated_self_signed_cert entry, PKI Storage Space in Use, and the Import / Create / Refresh buttons]

15. Click the Browse button to find the location where you stored ZyWALL's certificate, then press the Apply button.
[Screenshot: CERTIFICATES > MY CERTIFICATE IMPORT page with the Import button]

16. After a while, if you see the gray entry turn to a black one, it means the import of ZyWALL's certificate is successful.
[Screenshot: CERTIFICATES > My Certificates list (Trusted Remote Hosts, Directory Servers, CRL Issuer, Modify columns)]

17. Repeat the same procedure from 9 to 13 to export the CA's certificate. Note that you may get more than one CA server's certificate. It's not necessary to export all of the CA server's certificates: you can double-click ZyWALL's certificate (such as zywall_a.cert.cert in this example), select Certification Path to view the nearest CA server's name, and then export that CA ser
199. tion on the device as soon as it registers to Vantage CNM. After finishing the configuration on Vantage CNM, click on Finish to finish the registration of the device on CNM; the following screen will show up and the ZyWALL is added to CNM under folder AAA.

[Screenshot: Vantage CNM 2.1, Device Registration Finished: Device Name ZyWALL, Device Type ZyWALL, WAN IP Address 0.0.0.0, LAN MAC Address, Register Status]

Step 4. On the device, go to ADVANCED > REMOTE MGMT > CNM, enable Vantage CNM and configure the Vantage CNM Server Address in the field. If Encryption Algorithm is enabled, you must select the same algorithm and secret key on both the device and Vantage CNM. In the following case the Encryption Algorithm is disabled.

[Screenshot: REMOTE MGMT > CNM page: Registration Information (Registration Status: Not Registered; Last Registration Time: 0000-00-00 00:00:00); Vantage CNM Setup (Enable Vantage CNM; Server Address; Encryption Algorithm: NONE)]

Step 5. After configuring CNM remote management on the device, the ZyWALL will start to register itself to the configured Vantage CNM server. After exchanging the configuration between ZyWALL and Vantage CNM, the Registration Status will change to Registered. At thi
200. [Screenshot: IPSec Proposal settings]

14. When you have finished your settings, you will see the following page.
[Screenshot: VPN Rules (IKE) list]

2. Setup NetScreen VPN
We choose the NetScreen 5GT device in this example.

3. Using a web browser, login to NetScreen by giving the LAN IP address of NetScreen in the URL field.

4. Check your WAN/LAN IP address. Click Network > Interfaces: the trust IP/Netmask is used for the LAN, the untrust IP/Netmask is used for the WAN.

[Screenshot: Network > Interfaces (List)]
Name      IP/Netmask          Zone     Type     Link
serial    0.0.0.0/0           Null     Unused   down
trust     192.168.1.1/24      Trust    Layer3
untrust   172.22.3.130/16     Untrust  Layer3   up
vlan1     0.0.0.0/0           VLAN     Layer3

Note: About the settings, you could refer to the NetScreen user guide to get the detailed info.

5. If you set a static IP address for your WAN port, you should click Network > Routing > Routing Entries to edit your Gateway IP address. In this example, my Gateway IP address is 172.22.0.254.

[Screenshot: Network > Routing > Routing Entries, listing route entries for All virtual routers / trust-vr: IP/Netmask
201. to insert Certificate Template: User. Additional Attributes: Attributes.

7. Click Download CA certification path.
[Screenshot: Microsoft Certificate Services (http://192.168.1.33/certsrv/certfnsh.asp) in Internet Explorer: "Certificate Issued. The certificate you requested was issued to you." Options: DER encoded or Base 64 encoded; Download CA certificate; Download CA certification path]

8. A file download dialog will pop up; press the Save button and choose the local folder where you would like to store the certification path.

9. Double-click the saved file. Select Certificates, right-click the Certificate and choose All Tasks > Export.
[Screenshot: Certificates console showing the saved .P7B certification path file > Certificates, "Export a certificate"]

10. The Certificate Export Wizard will pop up; then press Next >.
[Screenshot: Certificate Export Wizard: "Welcome to the Certificate Export Wizard. This wizard helps you copy certificates, certificate trust lists and certificate
202. tronic transaction are who they claim to be.
Non-repudiation: Prevents participants from denying involvement in an electronic transaction.

G04 What are the main elements of a PKI?
A PKI includes:
• A Certification Authority
• Digital certificates
• Mathematically related key pairs, each comprising a private key and a public key
These elements work within a formal structure defined by:
• Certificate Policies
• A Certification Practice Statement

G05 What is a Certification Authority?
A Certification Authority is a trusted third party that verifies the identity of an applicant registering for a digital certificate. Once a Certification Authority is satisfied as to the authenticity of an applicant's identity, it issues that person a digital certificate binding his or her identity to a public key. (Digital certificates are also issued to organizations and devices, but we will focus on people for the purposes of this discussion.)

G06 What is a digital certificate?
An electronic credential that vouches for the holder's identity, a digital certificate has characteristics similar to those of a passport: it has identifying information, is forgery-proof and is issued by a trusted third party. Digital certificates are published in on-line directories. Typically, a digital certificate contains:
• The user's distinguished name (a unique identifie
203. tting
[Screenshot: VPN Rules]

2. Setup SonicWALL VPN
We choose the SonicWALL TZ150 device in this example.

1. Using a web browser, login to SonicWALL by giving the LAN IP address of SonicWALL in the URL field. Go to the VPN page, check the Enable VPN check box and then press the Add button; it will bring up a page where you can do your VPN settings.
Note: You could use the VPN Policy Wizard to set up your VPN rules as well.

[Screenshot: VPN > Settings: VPN Global Settings (Enable VPN; Unique Firewall Identifier); VPN Policies list with columns Name, Gateway, Destinations, Crypto Suite, Enable, Configure (GroupVPN, ESP 3DES HMAC SHA1 (IKE)); "1 Policies Defined, 0 Policies Enabled, 3 Maximum Policies Allowed"]

2. Click the General tab on the Security Policy settings and give a name to this policy. In this example, type ToZyWALL in the Name text box. IPSec Primary Gateway Name or Address is the ZyWALL's WAN IP Address (remote gateway IP address). In this example you should type 172.22.3.89 in the IPSec Primary Gateway Name or Address text box. Then enter the key string 12345678 in the Shared Secret text box.

[Screenshot: General tab, Security Policy: IPSec Keying Mode: IKE using Preshared Secret; Name: ToZyWALL; IPSec Primary Gateway Name or Address: 172.22.3.89; IPSec Secondary Gateway Name or Address: (blank); Shared Secret: 12345678]

3. On Destination Netwo
204. uipping PCs with wireless NICs. If connectivity to a wired LAN is required, an Access Point (AP) is used as a bridging device. APs are typically located close to the centre of the wireless client population.

H04 What are the advantages of Wireless LANs?
a. Mobility: Wireless LAN systems can provide LAN users with access to real-time information anywhere in their organization. This mobility supports productivity and service opportunities not possible with wired networks.
b. Installation Speed and Simplicity: Installing a wireless LAN system can be fast and easy and can eliminate the need to pull cable through walls and ceilings.
c. Installation Flexibility: Wireless technology allows the network to go where wire cannot go.
d. Reduced Cost of Ownership: While the initial investment required for wireless LAN hardware can be higher than the cost of wired LAN hardware, overall installation expenses and life-cycle costs can be significantly lower. Long-term cost benefits are greatest in dynamic environments requiring frequent moves and changes.
e. Scalability: Wireless LAN systems can be configured in a variety of topologies to meet the needs of specific applications and installations. Configurations are easily changed and range from peer-to-peer networks suitable for a small number of users to full infrastructure networks of thousan
205. uld enter 192.168.1.0/24 (IP Range/Subnet) for the FortiNet network. Then press the OK button to save your settings.
[Screenshot: New Address: Address Name: Fortinet network; IP Range/Subnet: 192.168.1.0/24]

14. Press the Create New button to edit another address rule.
[Screenshot: Address list: all 0.0.0.0 0.0.0.0; Fortinet network 192.168.1.0 255.255.255.0]

15. To define the IP source address of the network behind ZyWALL, give a name to your address rule, for example ZyWALL network, and enter the IP Range/Subnet in the text box. In this example, you should enter 192.168.2.0/24 (IP Range/Subnet) for the ZyWALL network. Then press the OK button to save your settings.
[Screenshot: New Address: Address Name: ZyWALL network; IP Range/Subnet: 192.168.2.0/24]

16. After you have finished the settings, you should see two address rules on this page.
[Screenshot: Address list: all 0.0.0.0 0.0.0.0; Fortinet network 192.168.1.0 255.255.255.0; ZyWALL network 192.168.2.0 255.255.255.0]

17. On the main page, click Firewall > Policy and then press the Create New button to edit your policy rules.
[Screenshot: Firewall > Policy list (ID, Source, Destination, Schedule, Service, Action, Enable); internal -> wan1]

18. On the Interface/Zone settings, select the interface to the internal (private) network and select the interface to the external (public) network. In this
206. up IKE phase 1 and phase 2 parameters by pressing the Advanced button. Please make sure that the parameters you set in this menu match all the parameters of the corresponding VPN rule in headquarters.
[Screenshot: Phase 1 and Phase 2 settings]

2. Setup VPN in branch office B
Be very careful about the remote IP address in branch office B: because systems behind branch office B want to reach systems behind branch office A and headquarters, we have to specify these two segments in the Remote section. However, if we include these two segments in one rule, the LAN segment of branch office B will also be included in this single rule, which means intercommunication inside branch office B will run into the VPN tunnel. To avoid such a situation, we need two separate rules to cover the LAN segment of branch office A and headquarters.

This rule is for branch office B to access headquarters' LAN and Branch A's LAN.
[Screenshot: VPN rule edit page: Property; Extended Authentication; Local Policy / Remote Policy; Authentication Method: auto_generated_self_signed_cert (See My Certificates); Gateway Information; IPSec Algorithm: ESP]

Note that
207. value of the query response from the BlueCoat data center? Yes, you can change it on the ZyXEL appliance. The default value of the time-out is 10 seconds.

E04 Can I decide whether to forward or drop the HTTP response if the query to the BlueCoat data center has timed out?
Yes, you can set the policy (drop or forward) when the query has timed out. The default policy is block.

E05 How to register for BlueCoat service?
Either for free trial purposes or if you get a PIN code by purchasing an iCard, you need to initiate the registration process from the ZyXEL appliance by clicking the Registration and Reports button on the Content Filter > Categories page.

E06 Why can't I make registration successfully?
Since the registration job is between the ZyXEL appliance and the http://myZyXEL.com server, please make sure your Internet connection from the ZyXEL appliance is ok first, and keep the connection between them online during the registration process: once the registration is granted on the http://myZyXEL.com server, http://myZyXEL.com needs to feed back the result (either Successful or Fail) to the ZyXEL appliance.

E07 What services can I get with Trial Registration?
With Trial Registration you can get the Web Site Auto Categorization and Content Filtering Report services.

E08 What types of content filter does ZyWALL provide?
ZyWALL supports three types of content filtering:
• Restric
208. ver's certificate. Import the saved CA server's certificate: click the Browse button and then select the location.
[Screenshot: CERTIFICATES > Trusted CAs import page (Subject, Issuer, Valid From, Modify columns)]

18. After importing the CA's certificate you will get this display.
[Screenshot: CERTIFICATES > Trusted CAs > Trusted CA Setting: Name root.cer, Subject CN=test, Valid From / Valid To]

Step 5. Using Certificate in VPN on ZyWALL A
1. Activate the rule.
2. Give this VPN rule a name: toZyWALL_B.
3. Select Key Management: IKE.
4. Select Negotiation Mode: Main.
5. Edit Local: Address Type: Subnet Address; Starting IP Address: 10.1.33.0; End IP Address/Subnet Mask: 255.255.255.0.
6. Edit Remote: Address Type: Subnet Address; Starting IP Address: 192.168.2.0; End IP Address/Subnet Mask: 255.255.255.0.
7. Authentication Key: select Certificate and choose the certificate you enrolled for this device from the drop-down list.
8. Fill in My IP Address: 192.168.1.35.
9. Peer ID Type: ANY.
10. Secure Gateway Address: 192.168.1.36.
11. Encapsulation Mode: Tunnel.
12. Leave other options as default.
P
209. [Screenshot: ZyWALL VPN Client Security Policy Editor. Network Security Policy > My Connections > ZyWALL > My Identity / Security Policy > Authentication (Phase 1) > Proposal 1: Authentication Method: Pre-Shared Key; Encrypt Alg: DES; Hash Alg: MD5; SA Life: 2600 Seconds; Key Group: Diffie-Hellman Group 1. Key Exchange (Phase 2) > Proposal 1: SA Life: 2600 Seconds; Compression: None; Encapsulation Protocol (ESP): Encrypt Alg DES, Hash Alg MD5, Encapsulation Tunnel; Authentication Protocol (AH): Hash Alg SHA-1, Encapsulation Tunnel]

2. Setup ZyWALL VPN
1. Using a web browser, login to ZyWALL by giving the LAN IP address of ZyWALL in the URL field. The default LAN IP is 192.168.1.1; the default password to login to the web configurator is 1234.
2. Go to SECURITY > VPN > press the Add button.
3. Check the Active check box and give a name to this policy.
4. Select IPSec Keying Mode: IKE and Negotiation Mode: Main, as we configured in the ZyWALL VPN Client.
5. Source IP Address Start and Source IP Address End are PC 2's IP in this example (the secure host behind ZyWALL).
6. Destination IP Address Start and Destination IP Address End are PC 1 in this example (the secure remote host).
Note: You may assign a range of Source/Destination IP addresses for multiple
210. y Internet bandwidth within the organization. BlueCoat provides the most complete and accurate Internet filtering solution of any Internet management provider and enables companies to better manage, secure and protect their Internet investment.

E11 Can I have different policies in effect for different times of the day or week?
Yes, but only one blocking period of time is supported currently on the ZyXEL appliance.

E12 How many policies can I create?
Two. One is for all users; the other is the exempting zone. With the exempting zone, you can define a specific range of IPs exempted from the policy for all users.

E13 Can I create my own categories?
No, you can't create your own policies other than the 52 categories BlueCoat provides.

E14 Can I override block or allow certain URLs regardless of the rating?
Yes, you can use keyword blocking to override ratings in the BlueCoat database.

E15 How many URL keywords does ZyWALL support?
64 keywords are supported.

E16 How do I keep the database of the Content Filtering service updated?
From the current design, there is no local Content Filtering signature database stored on the ZyWALL devices. As a result, you don't have to worry about the signature update of ZyWALL devices, since it's not required. The transactions and queries between CF-enabled ZyWALL devices and our dynamic database server are taking
211. [Screenshot: SonicWALL VPN Policies list (Name, Gateway, Destinations, Crypto Suite, Enable, Configure): 1 GroupVPN, ESP 3DES HMAC SHA1 (IKE); 2 ToZyWALL, 172.22.3.89, 192.168.1.1 - 192.168.1.254, ESP DES HMAC SHA1 (IKE). Currently Active VPN Tunnels: ToZyWALL, Local 192.168.168.1 - 192.168.168.255, Remote 192.168.1.1 - 192.168.1.254, Gateway 172.22.3.89, Renegotiate]

NetScreen with ZyWALL VPN Tunneling
1. Setup ZyWALL VPN
2. Setup NetScreen VPN

This page guides us to set up a VPN connection between the ZyWALL and the NetScreen router. As the figure shown below, the tunnel between PC1 and PC2 ensures the packet flows between them are secure, because the packets going through the IPSec tunnel are encrypted. To set up this VPN tunnel, the required settings for ZyWALL and NetScreen are explained in the following sections. As the red pipe shown in the following figure, the tunneling endpoints are the ZyWALL router and the NetScreen router.

The IP addresses we use in this example are as shown below.
[Figure: ZyWALL side with WAN 172.22.3.89 and LAN 192.168.2.1 (host 192.168.2.x, last octet illegible); NetScreen side with WAN 172.22.1.251 and LAN 192.168.1.1 (host 192.168.1.36); VPN tunnel between them]

1. Setup ZyWALL VPN
1. Using a web browser, login to ZyWALL by giving the LAN IP address of ZyWALL in the URL field.
2. Go to SECURITY > VPN > press the Add button.
[Screenshot: VPN Rules (IKE) page: VPN Rules, Manual, SA Monitor, Global Setting tabs; Local Network / Remote Network columns]
212. y cannot maintain session state. Thus, for greater security, a firewall is considered.

B06 What is Denial of Service (DoS) attack?
Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. There are four types of DoS attacks:
1. Those that exploit bugs in a TCP/IP implementation, such as Ping of Death and Teardrop.
2. Those that exploit weaknesses in the TCP/IP specification, such as SYN Flood and LAND attacks.
3. Brute-force attacks that flood a network with useless data, such as the Smurf attack.
4. IP Spoofing.

B07 What is Ping of Death attack?
Ping of Death uses a PING utility to create an IP packet that exceeds the maximum 65535 bytes of data allowed by the IP specification. The oversize packet is then sent to an unsuspecting system. Systems may crash, hang or reboot.

B08 What is Teardrop attack?
The Teardrop attack exploits a weakness in the reassembly of IP packet fragments. As data is transmitted through a network, IP packets are often broken up into smaller chunks. Each fragment looks like the original packet except that it contains an offset field. The Teardrop program creates a series of IP fragments with overlapping offset fields. When these fragments are rea
213. yWALL Internet Access Sharing Router is a BOOTP/DHCP server. WinXP/2000 and WinNT clients use DHCP to request an internal IP address, while WFW and WinSock clients use BOOTP. TCP/IP clients may specify their own IP or utilize BOOTP/DHCP to request an IP address.

A22 What is DDNS?
The Dynamic DNS service allows you to alias a dynamic IP address to a static hostname, allowing your computer to be more easily accessed from various locations on the Internet. To use the service, you must first apply for an account from one of several free Web servers such as WWW.DYNDNS.ORG. Without DDNS, we always tell the users to use the WAN IP of the ZyWALL to reach our internal server. It is inconvenient for the users if this IP is dynamic. With DDNS supported by the ZyWALL, you apply for a DNS name (e.g. www.zyxel.com.tw) for your server (e.g. a Web server) from a DDNS server. The outside users can always access the web server using www.zyxel.com.tw regardless of the WAN IP of the ZyWALL. When the ISP assigns the ZyWALL a new IP, the ZyWALL updates this IP to the DDNS server so that the server can update its IP-to-DNS entry. Once the IP-to-DNS table in the DDNS server is updated, the DNS name for your web server (i.e. www.zyxel.com.tw) is still usable.

A23 When do I need DDNS service?
When you want your internal server to be accessed by using a DNS name rather than using
214. yWALL handles inbound and outgoing traffic.
1. For a ZyWALL in router mode, the following is the inspection flow for inbound and outgoing traffic:
Traffic from WAN > NAT > Firewall > Policy Route > Load Balance > Static Route > IDP > AV > AS > CF > BWM
Traffic to WAN > Firewall > Policy Route > Load Balance > Static Route > IDP > AV > AS > CF > BWM > NAT

B Firewall FAQ

B01 What is a network firewall?
A firewall is a system or group of systems that enforces an access control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from an untrusted network. The firewall can be thought of as two mechanisms: one to block traffic and the other to permit traffic.

B02 What makes ZyWALL secure?
The ZyWALL is pre-configured to automatically detect and thwart Denial of Service (DoS) attacks such as Ping of Death, SYN Flood, LAND attack, IP Spoofing, etc. It also uses stateful packet inspection to determine if an inbound connection is allowed through the firewall to the private LAN. The ZyWALL supports Network Address Translation (NAT), which translates the private (local) addresses to one or multiple public addresses. This adds a level of security, since the clients on the private LAN are invisible to the Internet.

B03
215. Step 4. Add another service and allocate 800 kbps for the IPTV user, for Media traffic destined to the IPTV user. Select the Service as Custom from the drop-down list and set Protocol IP as 17 (UDP). Input the IPTV user's IP address as the Destination IP Address.
[Screenshot: Class Configuration / Filter Configuration]

Step 5. Three classes are created for FTP Client A, B & IPTV user as below.
[Screenshot: LAN class tree]

Secure Connections across the Internet

Site-to-Site VPN (Intranet Scenario)
A site-to-site VPN protects the network resources on your protected networks from unauthorized use by users on an unprotected network, such as the public Internet. Site-to-site VPN connects offices in different locations with encryption technology.
[Figure: site-to-site VPN topology with a Branch Office]

Configure ZyWALLs with Static WAN IP Address
This section describes an example configuration of a ZyWALL with a static WAN IP address. If the ZyWALL is used as the Internet gateway and a public IP address is assigned on the ZyWALL's WAN interface, the ZyWALL uses this public WAN IP address for terminating the VPN tunnels from remote VPN gateways. In the following example, local
216. ypted. For a typical example of usage of the VPN column, please see Help.

46. Choose the CheckPoint_ZyWALL object for your rule and press the OK button.
[Screenshot: Add Community to rule: MyIntranet, RemoteAccess, CheckPoint_ZyWALL]

47. Click the OK button to save your settings.
[Screenshot: VPN Match Conditions: Any connections, whether Clear or Encrypted; Only connections encrypted in any Site-to-Site VPN Community; Only connections encrypted in specific VPN Communities: CheckPoint_ZyWALL. "For a typical example of usage of the VPN column please see Help." OK / Cancel / Help]

48. On the Action field, click the right button of your mouse and choose the accept option for your rule.
[Screenshot: ACTION menu: Edit properties, accept, drop, reject, User Auth, Client Auth, Session Auth, Query Column, Clear Query]

49. On the Track field, click the right button of your mouse and choose the Log option for your rule.
[Screenshot: TRACK menu: None, Log, Account, Alert, SNMP Trap, Mail, UserDefined, UserDefined 2, UserDefined 3]

50. If you have finished the settings, you should see a rule as below.
[Screenshot: Security rule base showing the finished rule]
217. [Screenshot: REGISTRATION page: myZyXEL.com account User Name / Password ("Type username and password from 6 to 20 characters"); Content Filtering 1 month Trial; Note: For more device services management please go to myZyXEL.com; Apply]

1.2 Using external database content filtering to achieve the best result
Enable external database content filtering in CONTENT FILTER > Categories, selecting the Adult/Mature Content, Sex Education, Pornography, Nudity, Hacking, Proxy Avoidance, Violence/Hate/Racism, Gay/Lesbian, Gambling, Illegal/Questionable, Illegal Drugs and Cult/Occult categories (most spyware comes from such kinds of websites) to be filtered while accessing a website which contains these specified categories of content.
[Screenshot: CONTENT FILTER > Categories: General / Customization / Auto Category Setup / Select Categories with the category check boxes]

1.3 Demonstrate Content Filtering by an example
Using a browser to browse a nudity website, for example www.nudistweb.net, it will be blocked and redirected to www.zyxel.com with the "Website Blocking" message displayed.
[Screenshot: browser showing the Website Blocking message]