ZyXEL Communications ZLD Firewall, 16.1 Firewall Overview, LAN, WAN

16

Firewall

This chapter introduces the ZyWALL’s firewall and shows you how to configure your ZyWALL’s firewall.

16.1 Firewall Overview

The ZyWALL’s firewall is a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.

A zone is a group of interfaces or VPN tunnels. Group the ZyWALL’s interfaces into different zones based on your needs. You can configure firewall rules for data passing between zones or even between interfaces and/or VPN tunnels in a zone.

This example shows the ZyWALL’s default firewall behavior for WAN to LAN traffic and how stateful inspection works. A LAN user can initiate a Telnet session from within the LAN zone and the firewall allows the response. However, the firewall blocks Telnet traffic initiated from the WAN zone and destined for the LAN zone. The firewall allows VPN traffic between any of the networks.

Figure 18 Default Firewall Action

LAN

WAN

Your customized rules take precedence and override the ZyWALL’s default settings. The ZyWALL checks the schedule, user name (user’s login name on the ZyWALL), source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the ZyWALL takes the action specified in the rule.

For example, if you want to allow a specific user from any computer to access one zone by logging in to the ZyWALL, you can set up a rule based on the user name only. If you also apply a schedule to the firewall rule, the user can only access the network at the scheduled time. A user-aware firewall rule is activated whenever the user logs in to the ZyWALL and will be disabled after the user logs out of the ZyWALL.

	133
ZyWALL (ZLD) CLI Reference Guide	133

Contents

ZyWALL (ZLD) Series Quick Start Guide CLI Reference Guide Default Login Details Page Page Page Table of Contents Part II: Reference Page Page Page Page Page Page Page Page Page Page Page Page Command Line Interface 1.1 Overview 1.1.1 The Configuration File 1.2 Accessing the CLI 1.2.1 Console Port 1.2.2 Web Configurator Console Page Page 1.2.3 Telnet 1.2.4SSH (Secure SHell) 1.3 How to Find Commands in this Guide 1.4 How Commands Are Explained 1.4.1 Background Information (Optional) 1.4.2 Command Input Values (Optional) 1.4.3 Command Summary 1.4.4 Command Examples (Optional) 1.5CLI Modes 1.6 Shortcuts and Help 1.6.1 List of Available Commands 1.6.2 List of Sub-commandsor Required User Input 1.6.3 Entering Partial Commands 1.6.4 Entering a ? in a Command 1.6.5 Command History 1.6.6 Navigation 1.6.7 Erase Current Command 1.7 Input Values Page Page 1.8 Ethernet Interfaces 1.9Saving Configuration Changes 1.10 Logging Out User and Privilege Modes 2.1 User And Privilege Modes 2.1.1 Debug Commands Page Page Page Page Object Reference 3.1 Object Reference Commands 3.1.1 Object Reference Command Example Status Page Page Page Registration 5.1 myZyXEL.com Overview 5.1.1 Subscription Services Available on the ZyWALL 5.2 Registration Commands 5.2.1 Command Examples 5.3 Country Code Page Page Page Page Interfaces 6.1 Interface Overview 6.1.1 Types of Interfaces Page Page 6.1.2 Relationships Between Interfaces 6.2 Interface General Commands Summary 6.2.1 Basic Interface Properties and IP Address Commands Page Page Page Page 6.2.1.1 Basic Interface Properties Command Examples 6.2.2 DHCP Setting Commands Page Page 6.2.2.1 DHCP Setting Command Examples 6.2.2.2 DHCP Extended Option Setting Command Example 6.2.3 Interface Parameter Command Examples 6.2.4 RIP Commands 6.2.5 OSPF Commands Page 6.2.6 Connectivity Check (Ping-check)Commands 6.3 Ethernet Interface Specific Commands 6.3.1 MAC Address Setting Commands 6.3.2 Port Grouping Commands 6.4 Virtual Interface Specific Commands 6.4.1 Virtual Interface Command Examples 6.5 PPPoE/PPTP Specific Commands 6.5.1 PPPoE/PPTP Interface Command Examples 6.6 Cellular Interface Specific Commands Page 6.6.1 Cellular Status Page 6.6.2 Cellular Interface Command Examples 6.7 Tunnel Interface Specific Commands 6.7.1 Tunnel Interface Command Examples 6.8 USB Storage Specific Commands 6.8.1 USB Storage General Commands Example 6.9 WLAN Specific Commands 6.9.1 WLAN General Commands 6.9.2 WLAN Interface Commands Page 6.9.3 WLAN MAC Filter Commands 6.10 VLAN Interface Specific Commands 6.10.1 VLAN Interface Command Examples 6.11 Bridge Specific Commands 6.11.1 Bridge Interface Command Examples 6.12 Auxiliary Interface Specific Commands 6.12.1 Auxiliary Interface Command Examples Page Trunks 7.1 Trunks Overview 7.2 Trunk Scenario Examples 7.3 Trunk Commands Input Values 7.4 Trunk Commands Summary 7.5 Trunk Command Examples 7.6 Link Sticking WAN1 3 WAN2 LAN 7.7Link Sticking Commands Summary 7.8 Link Sticking Command Example Page Route 8.1 Policy Route 8.2 Policy Route Commands Page Page Page Page 8.2.1 Assured Forwarding (AF) PHB for DiffServ 8.2.2 Policy Route Command Example 8.3 IP Static Route 8.4 Static Route Commands 8.4.1 Static Route Commands Examples Routing Protocol 9.1 Routing Protocol Overview 9.2 Routing Protocol Commands Summary 9.2.1 RIP Commands 9.2.2 General OSPF Commands 9.2.3 OSPF Area Commands 9.2.4 Virtual Link Commands 9.2.5 Learned Routing Information Commands 9.2.6 show ip route Command Example Zones 10.1 Zones Overview 10.2 Zone Commands Summary 10.2.1 Zone Command Examples Page DDNS 11.1 DDNS Overview 11.2 DDNS Commands Summary Page Page Virtual Servers 12.1 Virtual Server Overview 12.1.1 1:1 NAT and Many 1:1 NAT 12.2 Virtual Server Commands Summary Page 12.2.1 Virtual Server Command Examples 12.2.2 Tutorial - How to Allow Public Access to a Server HTTP Redirect 13.1 HTTP Redirect Overview 13.1.1 Web Proxy Server 13.2 HTTP Redirect Commands 13.2.1 HTTP Redirect Command Examples Page ALG 14.1 ALG Introduction 14.2 ALG Commands 14.3 ALG Commands Example Page IP/MAC Binding 15.1 IP/MAC Binding Overview 15.2 IP/MAC Binding Commands 15.3 IP/MAC Binding Commands Example Firewall 16.1 Firewall Overview 16.2 Firewall Commands Page Page 16.2.1 Firewall Sub-Commands 16.2.2 Firewall Command Examples 16.3 Session Limit Commands Page IPSec VPN 17.1 IPSec VPN Overview 17.2 IPSec VPN Commands Summary 17.2.1 IKE SA Commands 17.2.2 IPSec SA Commands (except Manual Keys) Page Page 17.2.3 IPSec SA Commands (for Manual Keys) 17.2.4 VPN Concentrator Commands 17.2.5 VPN Configuration Provisioning Commands 17.2.6 SA Monitor Commands Page SSL VPN 18.1 SSL Access Policy 18.1.1SSL Application Objects 18.1.2 SSL Access Policy Limitations 18.2 SSL VPN Commands 18.2.1 SSL VPN Commands 18.2.2 Setting an SSL VPN Rule Tutorial Page Page Page L2TP VPN 19.1 L2TP VPN Overview 19.2 IPSec Configuration 19.2.1 Using the Default L2TP VPN Connection 19.3Policy Route 19.4 L2TP VPN Commands 19.4.1 L2TP VPN Commands 19.5 L2TP VPN Example 19.5.1Configuring the Default L2TP VPN Gateway Example 19.5.2 Configuring the Default L2TP VPN Connection Example 19.5.3 Configuring the L2TP VPN Settings Example 19.5.4 Configuring the Policy Route for L2TP Example Application Patrol 20.1 Application Patrol Overview 20.2 Application Patrol Commands Summary 20.2.1 Pre-definedApplication Commands 20.2.2 Rule Commands for Pre-definedApplications 20.2.2.1 Rule Sub-commands 20.2.3 Exception Commands for Pre-definedApplications 20.2.4 Other Application Commands 20.2.5 Rule Commands for Other Applications 20.2.6 General Commands for Application Patrol Page 20.2.6.1 General Command Examples Page Page Anti-Virus 21.1 Anti-VirusOverview 21.2 Anti-virusCommands 21.2.1 General Anti-virusCommands 21.2.2 Zone to Zone Anti-virusRules Page 21.2.3 White and Black Lists 21.2.4Signature Search Anti-virusCommand 21.3 Update Anti-virusSignatures 21.3.1 Update Signature Examples 21.4 Anti-virusStatistics 21.4.1 Anti-virusStatistics Example IDP Commands 22.1 Overview 22.2 General IDP Commands 22.2.1 IDP Activation 22.3 IDP Profile Commands 22.3.1 Global Profile Commands 22.3.2IDP Zone to Zone Rules 22.3.3 Editing/Creating IDP Signature Profiles 22.3.4 Editing/Creating Anomaly Profiles Page Page Page 22.3.5 Editing System Protect 22.3.6 Signature Search 22.3.6.1 Search Parameter Tables Page 22.4 IDP Custom Signatures 22.4.1 Custom Signature Examples Page Page 22.5 Update IDP Signatures 22.5.1 Update Signature Examples 22.6 IDP Statistics 22.6.1 IDP Statistics Example Page Content Filtering 23.1 Content Filtering Overview 23.2 Content Filtering Policies 23.3External Web Filtering Service 23.4 Content Filtering Reports 23.5 Content Filter Command Input Values 23.6 General Content Filter Commands Page 23.7 Content Filter Filtering Profile Commands Page 23.8 Content Filter URL Cache Commands 23.9 Content Filtering Statistics 23.9.1 Content Filtering Statistics Example 23.10 Content Filtering Commands Example Page Page Page Anti-Spam 24.1 Anti-SpamOverview 24.2 Anti-SpamCommands 24.2.1 General Anti-SpamCommands 24.2.2 Zone to Zone Anti-spamRules Page 24.2.3 White and Black Lists Page 24.2.4DNSBL Anti-SpamCommands Page 24.2.4.1 DNSBL Example 24.3 Anti-SpamStatistics 24.3.1 Anti-SpamStatistics Example Page Device HA 25.1 Device HA Overview 25.1.1Before You Begin 25.2General Device HA Commands 25.3 Active-PassiveMode Device HA 25.4Active-PassiveMode Device HA Commands 25.4.1 Active-PassiveMode Device HA Commands Page 25.4.2 Active-PassiveMode Device HA Command Example 25.5 Legacy Mode (VRRP) Device HA 25.6 Legacy Mode (VRRP) Device HA Commands 25.6.1 VRRP Group Commands 25.6.2 VRRP Synchronization Commands 25.6.3 Link Monitoring Commands Page User/Group 26.1 User Account Overview 26.1.1 User Types 26.2 User/Group Commands Summary 26.2.1 User Commands 26.2.2 User Group Commands 26.2.3 User Setting Commands 26.2.3.1 User Setting Command Examples 26.2.4 Force User Authentication Commands 26.2.4.1 force-auth Sub-commands 26.2.4.2 Force Authentication Policy Insert Command Example 26.2.5 Additional User Commands 26.2.5.1 Additional User Command Examples Addresses 27.1 Address Overview 27.2 Address Commands Summary 27.2.1 Address Object Commands 27.2.1.1 Address Object Command Examples 27.2.2 Address Group Commands 27.2.2.1 Address Group Command Examples Page Services 28.1 Services Overview 28.2 Services Commands Summary 28.2.1 Service Object Commands 28.2.2 Service Group Commands 28.2.2.1 Service Group Command Examples Page Schedules 29.1 Schedule Overview 29.2 Schedule Commands Summary 29.2.1 Schedule Command Examples AAA Server 30.1 AAA Server Overview 30.2Authentication Server Command Summary 30.2.1 ad-serverCommands 30.2.2 ldap-serverCommands 30.2.3 radius-serverCommands 30.2.4radius-serverCommand Example 30.2.5 aaa group server ad Commands 30.2.6 aaa group server ldap Commands 30.2.7 aaa group server radius Commands 30.2.8 aaa group server Command Example Authentication Objects 31.1 Authentication Objects Overview 31.2 aaa authentication Commands 31.2.1 aaa authentication Command Example 31.3test aaa Command 31.3.1 Test a User Account Command Example Page Page Certificates 32.1 Certificates Overview 32.2 Certificate Commands 32.3 Certificates Commands Input Values 32.4 Certificates Commands Summary Page Page 32.5 Certificates Commands Examples ISP Accounts 33.1 ISP Accounts Overview 33.1.1 PPPoE and PPTP Account Commands 33.1.2 Cellular Account Commands SSL Application 34.1 SSL Application Overview 34.1.1 SSL Application Object Commands Page 34.1.2 SSL Application Command Examples Endpoint Security 35.1 Endpoint Security Overview 35.1.1 Endpoint Security Commands Summary 35.1.2 Endpoint Security Object Commands Page Page 35.1.3 Endpoint Security Object Command Example Page Page DHCPv6 Objects 36.1 DHCPv6 Object Commands Summary 36.1.1 DHCPv6 Object Commands 36.1.2 DHCPv6 Object Command Examples Page System 37.1 System Overview 37.2 Customizing the WWW Login Page Page 37.3 Host Name Commands 37.4 Time and Date 37.4.1 Date/Time Commands 37.5 Console Port Speed 37.6 DNS Overview 37.6.1 Domain Zone Forwarder 37.6.2 DNS Commands 37.6.3 DNS Command Example System Remote Management 38.1 Remote Management Overview 38.1.1 Remote Management Limitations 38.1.2System Timeout 38.2 Common System Command Input Values 38.3 HTTP/HTTPS Commands Page 38.3.1 HTTP/HTTPS Command Examples 38.4 SSH 38.4.1 SSH Implementation on the ZyWALL 38.4.2 Requirements for Using SSH 38.4.3 SSH Commands 38.4.4 SSH Command Examples 38.5 Telnet 38.6 Telnet Commands 38.6.1 Telnet Commands Examples 38.7 Configuring FTP 38.7.1 FTP Commands 38.7.2 FTP Commands Examples 38.8 SNMP 38.8.1 Supported MIBs 38.8.2 SNMP Traps 38.8.3 SNMP Commands 38.8.4 SNMP Commands Examples 38.9 ICMP Filter 38.10 Dial-inManagement 38.10.1 AT Command Strings 38.10.2 DTR Signal 38.10.3 Response Strings 38.10.4 Dial-inManagement Commands 38.11 Vantage CNM 38.11.1 Vantage CNM Commands 38.12 Language Commands 38.13 IPv6 Commands File Manager 39.1 File Directories 39.2Configuration Files and Shell Scripts Overview 39.2.1 Comments in Configuration Files or Shell Scripts 39.2.2Errors in Configuration Files or Shell Scripts 39.2.3 ZyWALL Configuration File Details 39.2.4Configuration File Flow at Restart 39.3 File Manager Commands Input Values 39.4 File Manager Commands Summary 39.5 File Manager Command Examples 39.6 FTP File Transfer 39.6.1 Command Line FTP File Upload 39.6.2 Command Line FTP Configuration File Upload Example 39.6.3 Command Line FTP File Download 39.6.4 Command Line FTP Configuration File Download Example 39.7 ZyWALL File Usage at Startup Page 39.9Restoring the Recovery Image Page 39.10 Restoring the Firmware Page 39.11 Restoring the Default System Database Page 39.11.1 Using the atkz -uDebug Command Page Page Logs 40.1 Log Commands Summary 40.1.1 Log Entries Commands 40.1.2 System Log Commands 40.1.3 Debug Log Commands 40.1.4 E-mailProfile Commands Page 40.1.5 Console Port Logging Commands Reports and Reboot 41.1 Report Commands Summary 41.1.1 Report Commands 41.1.2 Report Command Examples 41.1.3 Session Commands 41.1.4 Packet Size Statistics Commands 41.2 Email Daily Report Commands 41.2.1 Email Daily Report Example Page 41.3 Reboot Session Timeout Page Diagnostics 43.1 Diagnostics 43.2 Diagnosis Commands 43.3 Diagnosis Commands Example Page Packet Flow Explore 44.1 Packet Flow Explore 44.2 Packet Flow Explore Commands 44.3 Packet Flow Explore Commands Example Page Page Packet Flow Filter 45.1 Packet Flow Filter 45.2 Packet Flow Filter Commands 45.3 Packet Flow Filter Commands Examples Page Page Maintenance Tools Page 46.1 Maintenance Command Examples 46.1.1 Packet Capture Command Example Page Page Watchdog Timer 47.1 Hardware Watchdog Timer 47.2 Software Watchdog Timer 47.3 Application Watchdog 47.3.1 Application Watchdog Commands Example Page Page List of Commands (Alphabetical)