784 pages, 23.57 Mb
ZyWALL 2WG
Internet Security Appliance
User’s Guide
Version 4.03 12/2007 Edition 1
www.zyxel.com
Contents
Part IV: Advanced
Part VIII: Appendices and Index
PART
Introduction
1.2 Ways to Manage the ZyWALL
1.3 Good Habits for Managing the ZyWALL
1.4 Applications for the ZyWALL
1.4.2 VPN Application
1.4.3 3G WAN Application
1.4.4 Front Panel Lights
2.1 Web Configurator Overview
2.2 Accessing the ZyWALL Web Configurator
2.3 Resetting the ZyWALL
2.4 Navigating the ZyWALL Web Configurator
2.4.2 Main Window
2.4.3 HOME Screen: Router Mode
2.4.4 HOME Screen: Bridge Mode
2.4.5 Navigation Panel
2.4.6 Port Statistics
2.4.7 Show Statistics: Line Chart
2.4.8 DHCP Table Screen
2.4.9 VPN Status
2.4.10 Bandwidth Monitor
3.1 Wizard Setup Overview
3.2 Internet Access
3.2.1 ISP Parameters
3.2.2 Internet Access Wizard: Second Screen
3.2.3 Internet Access Wizard: Registration
3.2.4 Internet Access Wizard: Status
3.3 VPN Wizard Gateway Setting
3.4 VPN Wizard Network Setting
3.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1)
3.6 VPN Wizard IPSec Setting (IKE Phase 2)
3.7 VPN Wizard Status Summary
3.8 VPN Wizard Setup Complete
4.1 Security Settings for VPN Traffic
4.1.2 Configuring the VPN Rule
4.1.3 Configuring the Firewall Rules
4.2 Using NAT with Multiple Public IP Addresses
4.2.2 Configuring the WAN Connection with a Static IP Address
4.2.3 Public IP Address Mapping
4.2.4 Forwarding Traffic from the WAN to a Local Computer
4.2.5 Allow WAN-to-LAN Traffic through the Firewall
4.3 Using NAT with Multiple Game Players
4.4 How to Manage the ZyWALL’s Bandwidth
4.4.2 Configuring Bandwidth Management Rules
4.5 Configuring Content Filtering
4.5.2 Block Categories of Web Content
4.5.3 Assign Bob’s Computer a Specific IP Address
4.5.4 Create a Content Filter Policy for Bob
4.5.5 Set the Content Filter Schedule
4.5.6 Block Categories of Web Content for Bob
5.1 myZyXEL.com overview
5.2 Registration
5.3 Service
Network and Wireless
6.1 LAN, WAN and the ZyWALL
6.2 IP Address and Subnet Mask
6.2.1 Private IP Addresses
6.3 DHCP
6.4 RIP Setup
6.5 Multicast
6.6 WINS
6.7 LAN
6.8 LAN Static DHCP
6.9 LAN IP Alias
6.10 LAN Port Roles
7.1 Bridge Loop
7.2 Spanning Tree Protocol (STP)
7.3 Bridge
7.4 Bridge Port Roles
8.1 WAN Overview
8.2 Multiple WAN
8.3 Load Balancing Introduction
8.4 Load Balancing Algorithms
8.4.2 Weighted Round Robin
8.4.3 Spillover
8.5 WAN Interface to Local Host Mapping Timeout
8.6 TCP/IP Priority (Metric)
8.7 WAN General
8.8 Configuring Load Balancing
8.8.2 Weighted Round Robin
8.8.3 Spillover
8.9 WAN IP Address Assignment
8.10 DNS Server Address Assignment
8.11 WAN MAC Address
8.12 WAN
8.12.2 PPPoE Encapsulation
8.12.3 PPTP Encapsulation
8.13 WAN 2 (3G WAN)
8.14 Traffic Redirect
8.15 Configuring Traffic Redirect
8.16 Configuring Dial Backup
8.17 Advanced Modem Setup
8.18 Configuring Advanced Modem Setup
9.1 DMZ
9.2 Configuring DMZ
9.3 DMZ Static DHCP
9.4 DMZ IP Alias
9.5 DMZ Public IP Address Example
9.6 DMZ Private and Public IP Address Example
9.7 DMZ Port Roles
10.1 Wireless LAN Introduction
10.2 Configuring WLAN
10.3 WLAN Static DHCP
10.4 WLAN IP Alias
10.5 WLAN Port Roles
10.6 Wireless Security Overview
10.6.1 SSID
10.6.2 MAC Address Filter
10.6.3 User Authentication
10.6.4 Encryption
10.7 Wireless Card
10.7.1 SSID Profile
10.8 Configuring Wireless Security
10.8.1 No Security
10.8.2 Static WEP
10.8.3 IEEE 802.1x Only
10.8.4 IEEE 802.1x + Static WEP
10.8.5 WPA, WPA2, WPA2-MIX
10.8.6 WPA-PSK, WPA2-PSK, WPA2-PSK-MIX
10.9 MAC Filter
PART
Security
11.1 Firewall Overview
11.2 Packet Direction Matrix
11.3 Packet Direction Examples
11.3.1 To VPN Packet Direction
11.3.2 From VPN Packet Direction
11.3.3 From VPN To VPN Packet Direction
11.4 Security Considerations
11.5 Firewall Rules Example
11.6 Asymmetrical Routes
11.7 Firewall Default Rule (Router Mode)
11.8 Firewall Default Rule (Bridge Mode)
11.9 Firewall Rule Summary
11.9.1 Firewall Edit Rule
11.10 Anti-Probing
11.11 Firewall Thresholds
11.12 Threshold Screen
11.13 Service
11.13.1 Firewall Edit Custom Service
11.14 My Service Firewall Rule Example
12.1 Content Filtering Overview
12.2 Content Filtering with an External Database
12.3 Content Filter General Screen
12.4 Content Filter Policy
12.5 Content Filter Policy: General
12.6 Content Filter Policy: External Database
12.7 Content Filter Policy: Customization
12.8 Content Filter Policy: Schedule
12.9 Content Filter Object
12.10 Customizing Keyword Blocking URL Checking
12.11 Content Filtering Cache
13.1 Checking Content Filtering Activation
13.2 Viewing Content Filtering Reports
13.3 Web Site Submission
14.1 IPSec VPN Overview
14.1.1 IKE SA Overview
14.2 VPN Rules (IKE)
14.3 IKE SA Setup
14.4 Additional IPSec VPN Topics
14.4.1 SA Life Time
14.4.2 IPSec High Availability
14.4.3 Encryption and Authentication Algorithms
14.5 VPN Rules (IKE) Gateway Policy Edit
14.6 IPSec SA Overview
14.6.2 Virtual Address Mapping
14.6.3 Active Protocol
14.6.4 Encapsulation
14.7 VPN Rules (IKE) Network Policy Edit
14.8 Network Policy Port Forwarding
14.9 Network Policy Move
14.10 Dialing the VPN Tunnel via Web Configurator
14.11 VPN Troubleshooting
14.12 IPSec Debug
14.13 IPSec SA Using Manual Keys
14.14 VPN Rules (Manual)
14.15 VPN Rules (Manual) Edit
14.16 VPN SA Monitor
14.17 VPN Global Setting
14.18 Telecommuter VPN/IPSec Examples
14.18.1 Telecommuters Sharing One VPN Rule Example
14.18.2 Telecommuters Using Unique VPN Rules Example
14.19 VPN and Remote Management
14.20 Hub-and-spoke VPN
14.20.1 Hub-and-spoke VPN Example
14.20.2 Hub-and-spoke Example VPN Rule Addresses
14.20.3 Hub-and-spoke VPN Requirements and Suggestions
15.1 Certificates Overview
15.2 Self-signed Certificates
15.3 Verifying a Certificate
15.4 Configuration Summary
15.5 My Certificates
15.6 My Certificate Details
15.7 My Certificate Export
15.8 My Certificate Import
15.9 My Certificate Create
15.10 Trusted CAs
15.11 Trusted CA Details
15.12 Trusted CA Import
15.13 Trusted Remote Hosts
15.14 Trusted Remote Hosts Import
15.15 Trusted Remote Host Certificate Details
15.16 Directory Servers
15.17 Directory Server Add or Edit
16.1 Authentication Server Overview
16.2 Local User Database
16.3 RADIUS
Advanced
17.1 NAT Overview
17.1.2 What NAT Does
17.1.3 How NAT Works
17.1.4 NAT Application
17.1.5 Port Restricted Cone NAT
17.1.6 NAT Mapping Types
17.2 Using NAT
17.3 NAT Overview Screen
17.4 NAT Address Mapping
17.4.2 NAT Address Mapping Edit
17.5 Port Forwarding
17.5.2 Port Forwarding: Services and Port Numbers
17.5.3 Configuring Servers Behind Port Forwarding (Example)
17.5.4 NAT and Multiple WAN
17.5.5 Port Translation
17.6 Port Forwarding Screen
17.7 Port Triggering
18.1 IP Static Route
18.2 IP Static Route
18.2.1 IP Static Route Edit
19.1 Policy Route
19.2 Benefits
19.3 Routing Policy
19.4 IP Routing Policy Setup
19.5 Policy Route Edit
20.1 Bandwidth Management Overview
20.2 Bandwidth Classes and Filters
20.3 Proportional Bandwidth Allocation
20.4 Application-based Bandwidth Management
20.5 Subnet-based Bandwidth Management
20.6 Application and Subnet-based Bandwidth Management
20.7 Scheduler
20.7.5 Maximize Bandwidth Usage Example
20.8 Bandwidth Borrowing
20.9 Maximize Bandwidth Usage With Bandwidth Borrowing
20.10 Over Allotment of Bandwidth
20.11 Configuring Summary
20.12 Configuring Class Setup
20.12.1 Bandwidth Manager Class Configuration
20.12.2 Bandwidth Management Statistics
Monitor
21.1 DNS Overview
21.2 DNS Server Address Assignment
21.3 DNS Servers
21.4 Address Record
21.5 Name Server Record
21.6 System Screen
21.6.1 Adding an Address Record
21.6.2 Inserting a Name Server Record
21.7 DNS Cache
21.8 Configure DNS Cache
21.9 Configuring DNS DHCP
21.10 Dynamic DNS
21.11 Configuring Dynamic DNS
22.1 Remote Management Overview
22.2 WWW (HTTP and HTTPS)
22.3 WWW
22.4 HTTPS Example
22.4.3 Avoiding the Browser Warning Messages
22.4.4 Login Screen
22.5 SSH
22.6 How SSH Works
22.7 SSH Implementation on the ZyWALL
22.8 Configuring SSH
22.9 Secure Telnet Using SSH Examples
22.10 Secure FTP Using SSH Example
22.11 Telnet
22.12 Configuring TELNET
22.13 FTP
22.14 SNMP
22.14.1 Supported MIBs
22.14.2 SNMP Traps
22.14.3 REMOTE MANAGEMENT: SNMP
22.15 DNS
22.16 Introducing Vantage CNM
22.17 Configuring CNM
22.17.1 Additional Configuration for Vantage CNM
23.1 Universal Plug and Play Overview
23.2 Configuring UPnP
23.3 Displaying UPnP Port Mapping
23.4 Installing UPnP in Windows Example
23.4.1 Installing UPnP in Windows Me
23.5 Using UPnP in Windows XP Example
23.5.1 Auto-discover Your UPnP-enabled Network Device
23.5.2 Web Configurator Easy Access
24.1 Custom Application
24.2 Custom Application Configuration
25.1 ALG Introduction
25.2 FTP
25.4 RTP
25.5 SIP
25.6 ALG Screen
Logs and Maintenance
26.1 Configuring View Log
26.2 Log Description Example
26.2.1 About the Certificate Not Trusted Log
26.3 Configuring Log Settings
26.4 Configuring Reports
26.4.1 Viewing Web Site Hits
26.4.2 Viewing Host IP Address
26.4.3 Viewing Protocol/Port
26.5 Log Descriptions
26.6 Syslog Logs
27.1 Maintenance Overview
27.2 General Setup and System Name
27.3 Configuring Password
27.4 Time and Date
27.5 Pre-defined NTP Time Server Pools
27.6 Introduction To Transparent Bridging
27.7 Transparent Firewalls
27.8 Configuring Device Mode (Router)
27.9 Configuring Device Mode (Bridge)
27.10 F/W Upload Screen
27.11 Backup and Restore
27.11.1 Backup Configuration
27.11.2 Restore Configuration
27.12 Restart Screen
27.13 Diagnostics
SMT
28.1 Introduction to the SMT
28.2 Accessing the SMT via the Console Port
28.3 Navigating the SMT Interface
28.3.1 Main Menu
28.3.2 SMT Menus Overview
28.4 Changing the System Password
28.5 Resetting the ZyWALL
29.1 Introduction to General Setup
29.2 Configuring General Setup
29.2.1 Configuring Dynamic DNS
30.1 Introduction to WAN, 3G WAN and Dial Backup Setup
30.2 WAN Setup
30.3 Dial Backup
30.3.2 Advanced WAN Setup
30.3.3 Remote Node Profile (Backup ISP)
30.3.4 Editing TCP/IP Options
30.3.5 Editing Login Script
30.4 3G WAN
30.4.2 Remote Node Profile (3G WAN)
31.1 Introduction to LAN Setup
31.2 Accessing the LAN Menus
31.3 LAN Port Filter Setup
31.4 TCP/IP and DHCP Ethernet Setup Menu
31.4.1 IP Alias Setup
32.1 Introduction to Internet Access Setup
32.2 Ethernet Encapsulation
32.3 Configuring the PPTP Client
32.4 Configuring the PPPoE Client
32.5 Basic Setup Complete
33.1 Configuring DMZ Setup
33.2 DMZ Port Filter Setup
33.3 TCP/IP Setup
33.3.2 IP Alias Setup
34.1 Configuring Route Setup
34.2 Route Assessment
34.3 Traffic Redirect
34.4 Route Failover
35.1 TCP/IP Setup
35.1.2 IP Alias Setup
36.1 Introduction to Remote Node Setup
36.2 Remote Node Setup
36.3 Remote Node Profile Setup
36.3.1 Ethernet Encapsulation
36.3.2 PPPoE Encapsulation
36.3.3 PPTP Encapsulation
36.4 Edit IP
36.5 Remote Node Filter
37.1 IP Static Route Setup
38.1 Using NAT
38.2 NAT Setup
38.2.1 Address Mapping Sets
38.3 Configuring a Server behind NAT
38.4 General NAT Examples
38.4.2 Example 2: Internet Access with a Default Server
38.4.3 Example 3: Multiple Public IP Addresses With Inside Servers
38.4.4 Example 4: NAT Unfriendly Application Programs
38.5 Trigger Port Forwarding
39.1 Using ZyWALL SMT Menus
40.1 Introduction to Filters
40.1.1 The Filter Structure of the ZyWALL
40.2 Configuring a Filter Set
40.2.1 Configuring a Filter Rule
40.2.2 Configuring a TCP/IP Filter Rule
40.2.3 Configuring a Generic Filter Rule
40.3 Example Filter
40.4 Filter Types and NAT
40.5 Firewall Versus Filters
40.6 Applying a Filter
40.6.1 Applying LAN Filters
40.6.2 Applying DMZ Filters
40.6.3 Applying Remote Node Filters
41.1 SNMP Configuration
41.2 SNMP Traps
42.1 Introduction to System Status
42.2 System Status
42.3 System Information and Console Port Speed
42.3.2 Console Port Speed
42.4 Log and Trace
42.4.2 Syslog Logging
42.4.3 Call-Triggering Packet
42.5 Diagnostic
42.5.1 WAN DHCP
43.1 Introduction
43.2 Filename Conventions
43.3 Backup Configuration
43.3.2 Using the FTP Command from the Command Line
43.3.3 Example of FTP Commands from the Command Line
43.3.4 GUI-based FTP Clients
43.3.5 File Maintenance Over WAN
43.3.6 Backup Configuration Using TFTP
43.3.7 TFTP Command Example
43.3.8 GUI-based TFTP Clients
43.3.9 Backup Via Console Port
43.4 Restore Configuration
43.4.1 Restore Using FTP
43.4.2 Restore Using FTP Session Example
43.4.3 Restore Via Console Port
43.5 Uploading Firmware and Configuration Files
43.5.2 Configuration File Upload
43.5.3 FTP File Upload Command from the DOS Prompt Example
43.5.4 FTP Session Example of Firmware File Upload
43.5.5 TFTP File Upload
43.5.6 TFTP Upload Command Example
43.5.7 Uploading Via Console Port
43.5.8 Uploading Firmware File Via Console Port
43.5.9 Example Xmodem Firmware Upload Using HyperTerminal
43.5.10 Uploading Configuration File Via Console Port
43.5.11 Example Xmodem Configuration Upload Using HyperTerminal
44.1 Command Interpreter Mode
44.1.1 Command Syntax
44.1.2 Command Usage
44.2 Call Control Support
44.2.2 Call History
44.3 Time and Date Setting
45.1 Remote Management
45.1.1 Remote Management Limitations
46.1 IP Routing Policy Summary
46.2 IP Routing Policy Setup
46.2.1 Applying Policy to Packets
46.3 IP Policy Routing Example
47.1 Introduction to Call Scheduling
Troubleshooting and Specifications
48.1 Power, Hardware Connections, and LEDs
48.2 ZyWALL Access and Login
48.3 Internet Access
49.1 General ZyWALL Specifications
49.2 Compatible 3G Cards
49.3 3G Card Installation
49.4 Wall-mounting Instructions
49.5 Power Adaptor Specifications
49.6 Cable Pin Assignments
Appendices and Index
Internet Explorer Pop-up Blockers
JavaScripts
Java Permissions
Mozilla Firefox
Windows 95/98/Me
Windows 2000/NT/XP
Macintosh OS 8/9
Macintosh OS
Linux
Introduction to IP Addresses
Structure
Subnet Masks
Notation
Subnetting
Example: Four Subnets
Example: Eight Subnets
Subnet Planning
Configuring IP Addresses
Wireless LAN Topologies
Channel
RTS/CTS
Fragmentation Threshold
Preamble Type
IEEE 802.11g Wireless LAN
Wireless Security Overview
IEEE
RADIUS
Types of EAP Authentication
Dynamic WEP Key Exchange
WPA and WPA2
Security Parameters Summary
Antenna Overview
Antenna Characteristics
Types of Antennas for WLAN
Positioning Antennas
Import ZyWALL Certificates into Netscape Navigator
Importing the ZyWALL’s Certificate into Internet Explorer
Enrolling and Importing SSL Client Certificates
Using a Certificate When Accessing the ZyWALL Example
Copyright
Certifications
ZyXEL Limited Warranty
Numerics