Detailed instructions for use are in the User's Guide.
[. . . ] ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice.
Trademarks
ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.
Copyright
P-334U/GX-4000DB User's Guide
Certifications
Federal Communications Commission (FCC) Interference Statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
· This device may not cause harmful interference.
[. . . ]
Chapter 12 Content Filtering
Table 47 Content Filter: Filter
LABEL                        DESCRIPTION
Restrict Web Features        ActiveX, Java, Cookies, Web Proxy: select the check box of each web feature that the ZyXEL Device should block.
Enable URL Keyword Blocking  Select this check box to enable this feature. For example, if the keyword "bad" is enabled, every site whose URL contains this keyword (in the domain name, IP address or path) is blocked; e.g. the URL http://www.website.com/bad.html would be blocked.
Keyword                      Type a keyword in this field.
Keyword List                 When you try to access a web page whose URL contains a keyword in this list, you will get a message telling you that the content filter is blocking this request.
Add                          Click Add to add the keyword to the Keyword List.
Delete                       Click Delete to remove the selected keyword from the Keyword List.
Clear All                    Click Clear All to remove every keyword from the Keyword List.
Denied Access Message        Message to display when a site is blocked. Enter a message to be displayed when a user tries to access a restricted web site.
Apply                        Click Apply to save your changes.
Reset                        Click Reset to begin configuring this screen afresh.
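The following Python is an added example, not code from the guide or from ZyNOS: it models the keyword check of Table 47 and the schedule rule of Table 48 (keyword blocking is enforced only on the selected days and times, while the Restrict Web Features settings are enforced regardless). The keyword list, the schedule and the sample URLs are constructed for the demonstration; the guide's own example URL http://www.website.com/bad.html is among them.

```python
from datetime import datetime, time
from urllib.parse import unquote, urlsplit

# Constructed settings for this example (assumptions, not values taken from the guide).
KEYWORDS = ["bad", "casino"]
# Restrict Web Features check boxes. Table 48 says the schedule affects keyword blocking only,
# so these are enforced whenever content filtering is on, whatever the day or time.
RESTRICT_WEB_FEATURES = {"ActiveX": True, "Java": True, "Cookies": False, "Web Proxy": True}
# Day to Block / Time of Day to Block: Monday to Friday, 08:00-18:00 (datetime.weekday(): Monday == 0).
SCHEDULE = {"days": {0, 1, 2, 3, 4}, "all_day": False, "start": time(8, 0), "end": time(18, 0)}
DENIED_ACCESS_MESSAGE = "Message to display when a site is blocked."


def schedule_active(now, schedule=SCHEDULE):
    """True when keyword blocking is in force at 'now' under the Day/Time of Day settings."""
    if now.weekday() not in schedule["days"]:
        return False
    if schedule["all_day"]:
        return True
    return schedule["start"] <= now.time() < schedule["end"]


def keyword_hit(url, keywords=KEYWORDS):
    """Return the first keyword found in the URL, or None.

    The guide blocks http://www.website.com/bad.html for the keyword "bad", so host, path and
    query are all searched. The comparison is case-insensitive and made on the percent-decoded
    text: a naive substring test on the raw URL would let "BAD.html" or "%62ad.html" through.
    """
    parts = urlsplit(url)
    haystack = unquote(parts.netloc + parts.path + "?" + parts.query).lower()
    for keyword in keywords:
        if keyword.lower() in haystack:
            return keyword
    return None


def check_request(url, now, keywords=KEYWORDS, schedule=SCHEDULE):
    """Return (blocked, denied-access message or None, matched keyword or None)."""
    keyword = keyword_hit(url, keywords)
    if keyword is not None and schedule_active(now, schedule):
        return True, DENIED_ACCESS_MESSAGE, keyword
    return False, None, keyword


def restricted_features(now, restrict=RESTRICT_WEB_FEATURES):
    """Web features to strip from responses. 'now' is accepted but deliberately ignored."""
    return {name for name, enabled in restrict.items() if enabled}


if __name__ == "__main__":
    wednesday = datetime(2024, 1, 3, 10, 0)   # inside the Day/Time of Day window
    saturday = datetime(2024, 1, 6, 10, 0)    # a day that is not selected in Day to Block
    for url, when in (("http://www.website.com/bad.html", wednesday),
                      ("http://www.website.com/%62ad.html", wednesday),
                      ("http://www.website.com/bad.html", saturday)):
        print(when.strftime("%a %H:%M"), url, "->", check_request(url, when))
    print("always restricted:", sorted(restricted_features(saturday)))
```

Two limits of a URL keyword filter are worth keeping in mind when relying on this feature: the gateway only sees the host name of an HTTPS request, so a keyword that occurs only in the path cannot be matched there, and a user who can reach an external web proxy can submit the blocked URL to the proxy instead; the Web Proxy check box under Restrict Web Features exists to close that second route.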
12.5 Schedule
Click Security > Content Filter > Schedule. The following screen displays.
Figure 81 Content Filter: Schedule
The following table describes the labels in this screen.
Table 48 Content Filter: Schedule
LABEL                 DESCRIPTION
Day to Block          Select check boxes for the days that you want the ZyXEL Device to perform content filtering. Select the Everyday check box to have content filtering turned on all days of the week.
Time of Day to Block  Time of Day to Block allows the administrator to define during which time periods content filtering is enabled. These time-of-day restrictions apply only to keyword blocking (see above); the Restrict Web Features settings (ActiveX, Java, Cookies and Web Proxy) are enforced regardless of the schedule. Select All Day to have content filtering always active on the days selected in Day to Block, with time of day limitations not enforced.

[. . . ]
The IPSec SA is established securely using the IKE SA that routers X and Y established first. The rest of this section discusses IKE SA and IPSec SA in more detail.
13.1.1 IKE SA (IKE Phase 1) Overview
The IKE SA provides a secure connection between the ZyXEL Device and remote IPSec router. These modes are discussed in more detail in Negotiation Mode on page 143.

13.1.1.1 IP Addresses of the ZyXEL Device and Remote IPSec Router
In the ZyXEL Device, you have to specify the IP addresses of the ZyXEL Device and the remote IPSec router to establish an IKE SA. You can usually provide a static IP address or a domain name for the ZyXEL Device. Sometimes, your ZyXEL Device might also offer another alternative, such as using the IP address of a port or interface. You can usually provide a static IP address or a domain name for the remote IPSec router as well. Sometimes, you might not know the IP address of the remote IPSec router (for example, telecommuters). In this case, you can still set up the IKE SA, but only the remote IPSec router can initiate an IKE SA.
13.1.2 IKE SA Setup
This section provides more details about IKE SAs.
Chapter 13 IPSec VPN
13.1.2.1 IKE SA Proposal
The IKE SA proposal is used to identify the encryption algorithm, authentication algorithm, and Diffie-Hellman (DH) key group that the ZyXEL Device and remote IPSec router use in the IKE SA. In main mode, this is done in steps 1 and 2, as illustrated below.
Figure 84 IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal
The ZyXEL Device sends a proposal to the remote IPSec router. Each proposal consists of an encryption algorithm, authentication algorithm, and DH key group that the ZyXEL Device wants to use in the IKE SA.
[. . . ] Threshold WEP
FIN         FN              PVA                       INPUT
30500007 =  Default Key     <1|2|3|4>                 = 0
30500008 =  WEP Key1                                  =
30500009 =  WEP Key2                                  =
30500010 =  WEP Key3                                  =
30500011 =  WEP Key4                                  =
30500012 =  Wlan Active     <0(Disable)|1(Enable)>    = 0
30500013 =  Wlan 4X Mode    <0(Disable)|1(Enable)>    = 0
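As an added example (not code from the guide or from ZyNOS), the following Python models steps 1 and 2 of the main-mode exchange described in section 13.1.2.1 above: the initiator offers a list of proposals, each an encryption algorithm, an authentication algorithm and a DH key group, and the responder answers with the single offered proposal its own policy accepts. The algorithm names, the responder policies and the set of terms treated as weak are assumptions for the demonstration; the point it shows is that the responder chooses, so any weak proposal left in the offered list can end up as the IKE SA, and that the initiator must reject a reply it never offered.

```python
from collections import namedtuple

# One IKE SA proposal as section 13.1.2.1 describes it. Algorithm names are example values.
Proposal = namedtuple("Proposal", "encryption authentication dh_group")

# Terms this example treats as weak (an assumption for the demonstration, not a list from the guide).
WEAK_TERMS = {"DES", "MD5", "DH1"}


def responder_choose(offered, acceptable):
    """Step 2 as modelled here: the remote router returns the first proposal in the initiator's
    list that its own policy also accepts, or None (no IKE SA can be built)."""
    for proposal in offered:
        if proposal in acceptable:
            return proposal
    return None


def initiator_accepts(offered, reply):
    """The initiator continues only with a reply that is exactly one of its own offers;
    a proposal it never sent (e.g. injected on the path) is rejected."""
    return reply is not None and reply in offered


def negotiate(offered, acceptable, reply_override=None):
    """Run steps 1-2 and return the agreed proposal or None.
    reply_override lets a caller inject a tampered step-2 message instead of the honest choice."""
    reply = reply_override if reply_override is not None else responder_choose(offered, acceptable)
    return reply if initiator_accepts(offered, reply) else None


def weak_terms(proposal):
    """Which parts of an agreed proposal fall in the weak set (empty for an acceptable SA)."""
    return {term for term in proposal if term in WEAK_TERMS}


STRONG = Proposal("AES", "SHA1", "DH2")
LEGACY = Proposal("3DES", "SHA1", "DH2")
WEAK = Proposal("DES", "MD5", "DH1")

if __name__ == "__main__":
    offered = [STRONG, LEGACY, WEAK]
    print("peer accepts legacy and weak ->", negotiate(offered, {LEGACY, WEAK}))
    print("peer accepts weak only       ->", negotiate(offered, {WEAK}), weak_terms(WEAK))
    print("weak never offered           ->", negotiate([STRONG, LEGACY], {WEAK}))
    print("tampered reply               ->", negotiate(offered, {WEAK}, Proposal("NULL", "MD5", "DH1")))
```

The practical consequence for the device's IKE configuration is that the offered list, not just its first entry, is the security boundary: a peer that only speaks the weakest proposal in the list gets it, and the only way to rule that out is to leave the weak proposal out of the offer.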
*/ Menu 3.5.1 WLAN MAC Address Filter
FIN         FN                  PVA                    INPUT
30501001 =  Mac Filter Active   <0(No)|1(Yes)>         = 0
30501002 =  Filter Action       <0(Allow)|1(Deny)>     = 0
30501003 =  Address 1                                  = 00:00:00:00:00:00
30501004 =  Address 2                                  = 00:00:00:00:00:00
30501005 =  Address 3                                  = 00:00:00:00:00:00
. . .
30501034 =  Address 32                                 = 00:00:00:00:00:00
Appendix H Internal SPTGEN
Table 138 Menu 4 Internet Access Setup
/ Menu 4 Internet Access Setup
FIN         FN                                   PVA                                             INPUT
40000000 =  Configured                           <0(No)|1(Yes)>                                  = 1
40000001 =  ISP                                  <0(No)|1(Yes)>                                  = 1
40000002 =  Active                               <0(No)|1(Yes)>                                  = 1
40000003 =  ISP's Name                                                                           = ChangeMe
40000004 =  Encapsulation                        <2(PPPOE)|3(RFC 1483)|4(PPPoA)|5(ENET ENCAP)>   = 2
40000005 =  Multiplexing                         <1(LLC-based)|2(VC-based)>                      = 1
40000006 =  VPI #                                                                                = 0
40000007 =  VCI #                                                                                = 35
40000008 =  Service Name                         <Str>                                           = any
40000009 =  My Login                             <Str>                                           = test@pqa
40000010 =  My Password                          <Str>                                           = 1234
40000011 =  Single User Account                  <0(No)|1(Yes)>                                  = 1
40000012 =  IP Address Assignment                <0(Static)|1(Dynamic)>                          = 1
40000013 =  IP Address                                                                           = 0.0.0.0
40000014 =  Remote IP address                                                                    = 0.0.0.0
40000015 =  Remote IP subnet mask                                                                = 0
40000016 =  ISP incoming protocol filter set 1                                                   = 6
40000017 =  ISP incoming protocol filter set 2                                                   = 256
40000018 =  ISP incoming protocol filter set 3                                                   = 256
40000019 =  ISP incoming protocol filter set 4                                                   = 256
40000020 =  ISP outgoing protocol filter set 1                                                   = 256
40000021 =  ISP outgoing protocol filter set 2                                                   = 256
40000022 =  ISP outgoing protocol filter set 3                                                   = 256
40000023 =  ISP outgoing protocol filter set 4                                                   = 256
40000024 =  ISP PPPoE idle timeout                                                               = 0
40000025 =  Route IP                             <0(No)|1(Yes)>                                  = 1
40000026 =  Bridge                               <0(No)|1(Yes)>                                  = 0
40000027 =  ATM QoS Type                         <0(CBR)|1(UBR)>                                 = 1
40000028 =  Peak Cell Rate (PCR)                                                                 = 0
40000029 =  Sustain Cell Rate (SCR)                                                              = 0
40000030 =  Maximum Burst Size (MBS)                                                             = 0
40000031 =  RIP Direction                        <0(None)|1(Both)|2(In Only)|3(Out Only)>        = 0
40000032 =  RIP Version                          <0(Rip-1)|1(Rip-2B)|2(Rip-2M)>                  = 0
40000033 =  Nailed-up Connection                 <0(No)|1(Yes)>                                  = 0
Table 139 Menu 12
/ Menu 12.1.1 IP Static Route Setup
FIN          FN                                                  PVA               INPUT
120101001 =  IP Static Route set #1, Name                        <Str>             =
120101002 =  IP Static Route set #1, Active                      <0(No)|1(Yes)>    = 0
120101003 =  IP Static Route set #1, Destination IP address                        = 0.0.0.0
120101004 =  IP Static Route set #1, Destination IP subnetmask                     = 0
120101005 =  IP Static Route set #1, Gateway                                       = 0.0.0.0
120101006 =  IP Static Route set #1, Metric                                        = 0
120101007 =  IP Static Route set #1, Private                     <0(No)|1(Yes)>    = 0
/ Menu 12.1.2 IP Static Route Setup
120108001 =  IP Static Route set #8, Name                        <Str>             =
120108002 =  IP Static Route set #8, Active                      <0(No)|1(Yes)>    = 0
120108003 =  IP Static Route set #8, Destination IP address                        = 0.0.0.0
120108004 =  IP Static Route set #8, Destination IP subnetmask                     = 0
120108005 =  IP Static Route set #8, Gateway                                       = 0.0.0.0
120108006 =  IP Static Route set #8, Metric                                        = 0
120108007 =  IP Static Route set #8, Private                     <0(No)|1(Yes)>    = 0
Table 140 Menu 15 SUA Server Setup
/ Menu 15 SUA Server Setup
FIN          FN                                         PVA                         INPUT
150000001 =  SUA Server IP address for default port                                 = 0.0.0.0
150000002 =  SUA Server #2 Active                       <0(No)|1(Yes)>              = 0
150000003 =  SUA Server #2 Protocol                     <0(All)|6(TCP)|17(UDP)>     = 0
150000004 =  SUA Server #2 Port Start                                               = 0
150000005 =  SUA Server #2 Port End                                                 = 0
150000006 =  SUA Server #2 Local IP address                                         = 0.0.0.0
150000007 =  SUA Server #3 Active                       <0(No)|1(Yes)>              = 0
150000008 =  SUA Server #3 Protocol                     <0(All)|6(TCP)|17(UDP)>     = 0
150000009 =  SUA Server #3 Port Start                                               = 0
150000010 =  SUA Server #3 Port End                                                 = 0
150000011 =  SUA Server #3 Local IP address                                         = 0.0.0.0
150000012 =  SUA Server #4 Active                       <0(No)|1(Yes)>              = 0
150000013 =  SUA Server #4 Protocol                     <0(All)|6(TCP)|17(UDP)>     = 0
150000014 =  SUA Server #4 Port Start                                               = 0
150000015 =  SUA Server #4 Port End                                                 = 0
150000016 =  SUA Server #4 Local IP address                                         = 0.0.0.0
150000017 =  SUA Server #5 Active                       <0(No)|1(Yes)>              = 0
150000018 =  SUA Server #5 Protocol                     <0(All)|6(TCP)|17(UDP)>     = 0
150000019 =  SUA Server #5 Port Start                                               = 0
150000020 =  SUA Server #5 Port End                                                 = 0
150000021 =  SUA Server #5 Local IP address                                         = 0.0.0.0
150000022 =  SUA Server #6 Active                       <0(No)|1(Yes)>              = 0
150000023 =  SUA Server #6 Protocol                     <0(All)|6(TCP)|17(UDP)>     = 0
150000024 =  SUA Server #6 Port Start                                               = 0
150000025 =  SUA Server #6 Port End                                                 = 0
150000026 =  SUA Server #6 Local IP address                                         = 0.0.0.0
150000027 =  SUA Server #7 Active                       <0(No)|1(Yes)>              = 0
150000028 =  SUA Server #7 Protocol                     <0(All)|6(TCP)|17(UDP)>     = 0
150000029 =  SUA Server #7 Port Start                                               = 0
150000030 =  SUA Server #7 Port End                                                 = 0
150000031 =  SUA Server #7 Local IP address                                         = 0.0.0.0
150000032 =  SUA Server #8 Active                       <0(No)|1(Yes)>              = 0
150000033 =  SUA Server #8 Protocol                     <0(All)|6(TCP)|17(UDP)>     = 0
150000034 =  SUA Server #8 Port Start                                               = 0
150000035 =  SUA Server #8 Port End                                                 = 0
150000036 =  SUA Server #8 Local IP address                                         = 0.0.0.0
150000037 =  SUA Server #9 Active                       <0(No)|1(Yes)>              = 0
150000038 =  SUA Server #9 Protocol                     <0(All)|6(TCP)|17(UDP)>     = 0
150000039 =  SUA Server #9 Port Start                                               = 0
150000040 =  SUA Server #9 Port End                                                 = 0
150000041 =  SUA Server #9 Local IP address                                         = 0.0.0.0
150000042 =  SUA Server #10 Active                      <0(No)|1(Yes)>              = 0
150000043 =  SUA Server #10 Protocol                    <0(All)|6(TCP)|17(UDP)>     = 0
150000044 =  SUA Server #10 Port Start                                              = 0
150000045 =  SUA Server #10 Port End                                                = 0
150000046 =  SUA Server #10 Local IP address                                        = 0.0.0.0
150000047 =  SUA Server #11 Active                      <0(No)|1(Yes)>              = 0
150000048 =  SUA Server #11 Protocol                    <0(All)|6(TCP)|17(UDP)>     = 0
150000049 =  SUA Server #11 Port Start                                              = 0
150000050 =  SUA Server #11 Port End                                                = 0
150000051 =  SUA Server #11 Local IP address                                        = 0.0.0.0
150000052 =  SUA Server #12 Active                      <0(No)|1(Yes)>              = 0
150000053 =  SUA Server #12 Protocol                    <0(All)|6(TCP)|17(UDP)>     = 0
150000054 =  SUA Server #12 Port Start                                              = 0
150000055 =  SUA Server #12 Port End                                                = 0
150000056 =  SUA Server #12 Local IP address                                        = 0.0.0.0
Table 141 Menu 21.1 Filter Set #1
/ Menu 21 Filter set #1
FIN          FN                                      PVA                                                    INPUT
210100001 =  Filter Set 1, Name                      <Str>                                                  =
/ Menu 21.1.1.1 set #1, rule #1
210101001 =  IP Filter Set 1, Rule 1 Type            <2(TCP/IP)>                                            = 2
210101002 =  IP Filter Set 1, Rule 1 Active          <0(No)|1(Yes)>                                         = 1
210101003 =  IP Filter Set 1, Rule 1 Protocol                                                               = 6
210101004 =  IP Filter Set 1, Rule 1 Dest IP address                                                        = 0.0.0.0
210101005 =  IP Filter Set 1, Rule 1 Dest Subnet Mask                                                       = 0
210101006 =  IP Filter Set 1, Rule 1 Dest Port                                                              = 137
210101007 =  IP Filter Set 1, Rule 1 Dest Port Comp  <0(none)|1(equal)|2(not equal)|3(less)|4(greater)>     = 1
210101008 =  IP Filter Set 1, Rule 1 Src IP address                                                         = 0.0.0.0
210101009 =  IP Filter Set 1, Rule 1 Src Subnet Mask                                                        = 0
210101010 =  IP Filter Set 1, Rule 1 Src Port                                                               = 0
210101011 =  IP Filter Set 1, Rule 1 Src Port Comp   <0(none)|1(equal)|2(not equal)|3(less)|4(greater)>     = 0
210101013 =  IP Filter Set 1, Rule 1 Act Match       <1(check next)|2(forward)|3(drop)>                     = 3
210101014 =  IP Filter Set 1, Rule 1 Act Not Match   <1(check next)|2(forward)|3(drop)>                     = 1
/ Menu 21.1.1.2 set #1, rule #2
210102001 =  IP Filter Set 1, Rule 2 Type            <2(TCP/IP)>                                            = 2
210102002 =  IP Filter Set 1, Rule 2 Active          <0(No)|1(Yes)>                                         = 1
210102003 =  IP Filter Set 1, Rule 2 Protocol                                                               = 6
210102004 =  IP Filter Set 1, Rule 2 Dest IP address                                                        = 0.0.0.0
210102005 =  IP Filter Set 1, Rule 2 Dest Subnet Mask                                                       = 0
210102006 =  IP Filter Set 1, Rule 2 Dest Port                                                              = 138
210102007 =  IP Filter Set 1, Rule 2 Dest Port Comp  <0(none)|1(equal)|2(not equal)|3(less)|4(greater)>     = 1
210102008 =  IP Filter Set 1, Rule 2 Src IP address                                                         = 0.0.0.0
210102009 =  IP Filter Set 1, Rule 2 Src Subnet Mask                                                        = 0
210102010 =  IP Filter Set 1, Rule 2 Src Port                                                               = 0
210102011 =  IP Filter Set 1, Rule 2 Src Port Comp   <0(none)|1(equal)|2(not equal)|3(less)|4(greater)>     = 0
210102013 =  IP Filter Set 1, Rule 2 Act Match       <1(check next)|2(forward)|3(drop)>                     = 3
210102014 =  IP Filter Set 1, Rule 2 Act Not Match   <1(check next)|2(forward)|3(drop)>                     = 1
Table 142 Menu 21.1 Filter Set #2
/ Menu 21.1 filter set #2
FIN          FN                                      PVA                                                    INPUT
210200001 =  Filter Set 2, Name                      <Str>                                                  = NetBIOS_WAN
/ Menu 21.1.2.1 Filter set #2, rule #1
210201001 =  IP Filter Set 2, Rule 1 Type            <0(none)|2(TCP/IP)>                                    = 2
210201002 =  IP Filter Set 2, Rule 1 Active          <0(No)|1(Yes)>                                         = 1
210201003 =  IP Filter Set 2, Rule 1 Protocol                                                               = 6
210201004 =  IP Filter Set 2, Rule 1 Dest IP address                                                        = 0.0.0.0
210201005 =  IP Filter Set 2, Rule 1 Dest Subnet Mask                                                       = 0
210201006 =  IP Filter Set 2, Rule 1 Dest Port                                                              = 137
210201007 =  IP Filter Set 2, Rule 1 Dest Port Comp  <0(none)|1(equal)|2(not equal)|3(less)|4(greater)>     = 1
210201008 =  IP Filter Set 2, Rule 1 Src IP address                                                         = 0.0.0.0
210201009 =  IP Filter Set 2, Rule 1 Src Subnet Mask                                                        = 0
210201010 =  IP Filter Set 2, Rule 1 Src Port                                                               = 0
210201011 =  IP Filter Set 2, Rule 1 Src Port Comp   <0(none)|1(equal)|2(not equal)|3(less)|4(greater)>     = 0
210201013 =  IP Filter Set 2, Rule 1 Act Match       <1(check next)|2(forward)|3(drop)>                     = 3
210201014 =  IP Filter Set 2, Rule 1 Act Not Match   <1(check next)|2(forward)|3(drop)>                     = 1
/ Menu 21.1.2.2 Filter set #2, rule #2
210202001 =  IP Filter Set 2, Rule 2 Type            <0(none)|2(TCP/IP)>                                    = 2
210202002 =  IP Filter Set 2, Rule 2 Active          <0(No)|1(Yes)>                                         = 1
210202003 =  IP Filter Set 2, Rule 2 Protocol                                                               = 6
210202004 =  IP Filter Set 2, Rule 2 Dest IP address                                                        = 0.0.0.0
210202005 =  IP Filter Set 2, Rule 2 Dest Subnet Mask                                                       = 0
210202006 =  IP Filter Set 2, Rule 2 Dest Port                                                              = 138
210202007 =  IP Filter Set 2, Rule 2 Dest Port Comp  <0(none)|1(equal)|2(not equal)|3(less)|4(greater)>     = 1
210202008 =  IP Filter Set 2, Rule 2 Src IP address                                                         = 0.0.0.0
210202009 =  IP Filter Set 2, Rule 2 Src Subnet Mask                                                        = 0
210202010 =  IP Filter Set 2, Rule 2 Src Port                                                               = 0
210202011 =  IP Filter Set 2, Rule 2 Src Port Comp   <0(none)|1(equal)|2(not equal)|3(less)|4(greater)>     = 0
210202013 =  IP Filter Set 2, Rule 2 Act Match       <1(check next)|2(forward)|3(drop)>                     = 3
210202014 =  IP Filter Set 2, Rule 2 Act Not Match   <1(check next)|2(forward)|3(drop)>                     = 1
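The following Python is an added example, not code from the guide or from ZyNOS. It parses SPTGEN "FIN = value" lines into the rules of the NetBIOS_WAN filter set as printed in Table 142 and walks them the way the Act Match / Act Not Match fields describe: a matching rule with Act Match 3 drops the packet, a non-matching rule with Act Not Match 1 hands over to the next rule. The SPTGEN text and the packets are constructed for the demonstration. Two behaviours the guide does not state are assumptions of this example and are marked as such in the code: the Subnet Mask field is read as a prefix length, and a packet that falls off the end of the set with every rule saying "check next" is forwarded. Running it also makes one property of these two rules visible: they name protocol 6 (TCP) only, so a UDP datagram to port 137 passes through this set untouched.

```python
import ipaddress

# Menu 21 FIN layout from Tables 141/142: "21" + set number (2 digits) + rule number (2 digits)
# + field (3 digits). Rule number 00 carries the set name.
FIELDS = {"001": "type", "002": "active", "003": "protocol", "004": "dst_ip", "005": "dst_mask",
          "006": "dst_port", "007": "dst_port_comp", "008": "src_ip", "009": "src_mask",
          "010": "src_port", "011": "src_port_comp", "013": "act_match", "014": "act_not_match"}
COMP = {0: "none", 1: "equal", 2: "not equal", 3: "less", 4: "greater"}
ACTION = {1: "check next", 2: "forward", 3: "drop"}

# Constructed SPTGEN text holding the Filter Set 2 (NetBIOS_WAN) values printed in Table 142.
SPTGEN_TEXT = """
/ Menu 21.1 filter set #2
210200001 = NetBIOS_WAN
/ Menu 21.1.2.1 Filter set #2, rule #1
210201001 = 2
210201002 = 1
210201003 = 6
210201004 = 0.0.0.0
210201005 = 0
210201006 = 137
210201007 = 1
210201008 = 0.0.0.0
210201009 = 0
210201010 = 0
210201011 = 0
210201013 = 3
210201014 = 1
/ Menu 21.1.2.2 Filter set #2, rule #2
210202001 = 2
210202002 = 1
210202003 = 6
210202004 = 0.0.0.0
210202005 = 0
210202006 = 138
210202007 = 1
210202008 = 0.0.0.0
210202009 = 0
210202010 = 0
210202011 = 0
210202013 = 3
210202014 = 1
"""


def parse_sptgen(text):
    """Map FIN -> value for 'FIN = value' lines; '/' comment lines and blank lines are skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("/"):
            fin, _, value = line.partition("=")
            fields[fin.strip()] = value.strip()
    return fields


def load_filter_set(fields, set_no):
    """Rules of filter set `set_no` as dicts, in rule order."""
    prefix, rules = "21%02d" % set_no, {}
    for fin, value in fields.items():
        if len(fin) == 9 and fin.startswith(prefix) and fin[4:6] != "00" and fin[6:] in FIELDS:
            rules.setdefault(int(fin[4:6]), {})[FIELDS[fin[6:]]] = value
    return [rules[n] for n in sorted(rules)]


def port_ok(port, rule_port, comp):
    """Port Comp 0(none) ignores the port; the other codes compare against the rule's port."""
    r = int(rule_port)
    return {"none": True, "equal": port == r, "not equal": port != r,
            "less": port < r, "greater": port > r}[COMP[int(comp)]]


def addr_ok(ip, rule_ip, mask):
    """Subnet Mask is read as a prefix length (assumption); 0.0.0.0 with mask 0 matches any address."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network("%s/%s" % (rule_ip, mask), strict=False)


def rule_matches(rule, pkt):
    return (int(rule["protocol"]) == pkt["proto"]
            and addr_ok(pkt["dst"], rule["dst_ip"], rule["dst_mask"])
            and port_ok(pkt["dport"], rule["dst_port"], rule["dst_port_comp"])
            and addr_ok(pkt["src"], rule["src_ip"], rule["src_mask"])
            and port_ok(pkt["sport"], rule["src_port"], rule["src_port_comp"]))


def evaluate(rules, pkt, fallthrough="forward"):
    """Walk the rules in order; return (action, number of the rule that decided, or None).
    1(check next) in Act Match / Act Not Match moves on to the next rule. Forwarding when the
    last rule also says 'check next', and skipping rules with Active = 0, are assumptions."""
    for n, rule in enumerate(rules, 1):
        if rule["active"] != "1" or rule["type"] != "2":
            continue
        act = ACTION[int(rule["act_match"] if rule_matches(rule, pkt) else rule["act_not_match"])]
        if act != "check next":
            return act, n
    return fallthrough, None


NETBIOS_WAN = load_filter_set(parse_sptgen(SPTGEN_TEXT), 2)

if __name__ == "__main__":
    for proto, dport in ((6, 137), (6, 138), (6, 80), (17, 137)):
        p = {"proto": proto, "src": "203.0.113.9", "sport": 40000, "dst": "192.168.1.10", "dport": dport}
        print("proto %d dport %d ->" % (proto, dport), evaluate(NETBIOS_WAN, p))
```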
Table 143 Menu 23 System Menus
*/ Menu 23.1 System Password Setup
FIN          FN                                             PVA                                                                                  INPUT
230000000 =  System Password                                                                                                                     = 1234
*/ Menu 23.2 System security: radius server
230200001 =  Authentication Server Configured               <0(No)|1(Yes)>                                                                       = 1
230200002 =  Authentication Server Active                   <0(No)|1(Yes)>                                                                       = 1
230200003 =  Authentication Server IP Address                                                                                                    = 192.168.1.32
230200004 =  Authentication Server Port                                                                                                          = 1822
230200005 =  Authentication Server Shared Secret                                                                                                 = 1111111111111111111111111111111
230200006 =  Accounting Server Configured                   <0(No)|1(Yes)>                                                                       = 1
230200007 =  Accounting Server Active                       <0(No)|1(Yes)>                                                                       = 1
230200008 =  Accounting Server IP Address                                                                                                        = 192.168.1.44
230200009 =  Accounting Server Port                                                                                                              = 1823
230200010 =  Accounting Server Shared Secret                                                                                                     = 1234
*/ Menu 23.4 System security: IEEE802.1x
230400001 =  Wireless Port Control                          <0(Authentication Required)|1(No Access Allowed)|2(No Authentication Required)>      = 2
230400002 =  ReAuthentication Timer (in seconds)                                                                                                 = 555
230400003 =  Idle Timeout (in seconds)                                                                                                           = 999
230400004 =  Authentication Databases                       <0(Local User Database Only)|1(RADIUS Only)|2(Local, RADIUS)|3(RADIUS, Local)>       = 1
230400005 =  Key Management Protocol                        <0(8021x)|1(WPA)|2(WPAPSK)>                                                          = 0
230400006 =  Dynamic WEP Key Exchange                       <0(Disable)|1(64bit WEP)|2(128-bit WEP)>                                             = 0
230400007 =  PSK                                                                                                                                 =
230400008 =  WPA Mixed Mode                                 <0(Disable)|1(Enable)>                                                               = 0
230400009 =  Data Privacy for Broadcast/Multicast packets   <0(TKIP)|1(WEP)>                                                                     = 0
230400010 =  WPA Broadcast/Multicast Key Update Timer                                                                                            = 0
Table 144 Menu 24.11 Remote Management Control
/ Menu 24.11 Remote Management Control
FIN          FN                                 PVA                             INPUT
241100001 =  TELNET Server Port                                                 = 23
241100002 =  TELNET Server Access               <0(all)|1(none)|2(Lan)|3(Wan)>  = 0
241100003 =  TELNET Server Secured IP address                                   = 0.0.0.0
241100004 =  FTP Server Port                                                    = 21
241100005 =  FTP Server Access                  <0(all)|1(none)|2(Lan)|3(Wan)>  = 0
241100006 =  FTP Server Secured IP address                                      = 0.0.0.0
241100007 =  WEB Server Port                                                    = 80
241100008 =  WEB Server Access                  <0(all)|1(none)|2(Lan)|3(Wan)>  = 0
241100009 =  WEB Server Secured IP address                                      = 0.0.0.0
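An SPTGEN dump is a convenient thing to review before it leaves the device: as Tables 138, 143 and 144 show, it carries the PPP password, the system password, the RADIUS shared secrets and the PSK in cleartext, and the remote-management rows say on which interfaces TELNET, FTP and the web server listen (Access 0(all) or 3(Wan) with a Secured IP address of 0.0.0.0 means any host on the Internet may connect). The following Python is an added example, not code from the guide or from ZyNOS: it parses a dump and reports those conditions using the field numbers printed in the three tables. The dump it reads is constructed from the tables' INPUT columns; the severity labels are this example's own.

```python
# FIN numbers are those printed in Tables 138, 143 and 144 of this appendix.
SECRET_FIELDS = {"40000010": "Menu 4 My Password",
                 "230000000": "Menu 23.1 System Password",
                 "230200005": "Menu 23.2 Authentication Server Shared Secret",
                 "230200010": "Menu 23.2 Accounting Server Shared Secret",
                 "230400007": "Menu 23.4 PSK"}
# Values printed in the tables' INPUT column; a device still carrying them was never reconfigured.
TABLE_VALUES = {"1234", "1111111111111111111111111111111"}
ACCESS = {"0": "all", "1": "none", "2": "Lan", "3": "Wan"}
SERVICES = {"TELNET": ("241100001", "241100002", "241100003"),   # port, access, secured IP
            "FTP": ("241100004", "241100005", "241100006"),
            "WEB": ("241100007", "241100008", "241100009")}

# Constructed SPTGEN dump using the INPUT values shown in Tables 138, 143 and 144 (example data).
SAMPLE = """
/ Menu 4 Internet Access Setup
40000009 = test@pqa
40000010 = 1234
/ Menu 23.1 System Password Setup
230000000 = 1234
/ Menu 23.2 System security: radius server
230200001 = 1
230200003 = 192.168.1.32
230200005 = 1111111111111111111111111111111
230200010 = 1234
/ Menu 23.4 System security: IEEE802.1x
230400001 = 2
230400005 = 0
230400006 = 0
230400007 =
/ Menu 24.11 Remote Management Control
241100001 = 23
241100002 = 0
241100003 = 0.0.0.0
241100004 = 21
241100005 = 0
241100006 = 0.0.0.0
241100007 = 80
241100008 = 0
241100009 = 0.0.0.0
"""


def parse_sptgen(text):
    """Map FIN -> value for 'FIN = value' lines; '/' comment lines and blank lines are skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("/"):
            fin, _, value = line.partition("=")
            fields[fin.strip()] = value.strip()
    return fields


def audit(fields):
    """Return (severity, message) findings for one parsed SPTGEN dump."""
    findings = []
    # SPTGEN carries every credential in cleartext, so the dump itself is sensitive;
    # a value identical to the table's example means the default was never changed.
    for fin, name in SECRET_FIELDS.items():
        value = fields.get(fin, "")
        if not value:
            continue
        if value in TABLE_VALUES:
            findings.append(("HIGH", "%s still has the example value from the table" % name))
        else:
            findings.append(("INFO", "%s is present in cleartext" % name))
    # Access 0(all) or 3(Wan) with Secured IP 0.0.0.0 lets any Internet host connect;
    # TELNET, FTP and plain HTTP also carry the login itself in cleartext.
    for svc, (port_fin, access_fin, ip_fin) in SERVICES.items():
        access = ACCESS.get(fields.get(access_fin, ""), "unknown")
        secured = fields.get(ip_fin, "0.0.0.0")
        if access in ("all", "Wan") and secured == "0.0.0.0":
            findings.append(("HIGH", "%s management on port %s accepts any source address from the WAN "
                                     "(Access=%s, Secured IP=0.0.0.0)" % (svc, fields.get(port_fin, "?"), access)))
        elif access != "none":
            findings.append(("INFO", "%s management limited to Access=%s, Secured IP=%s" % (svc, access, secured)))
    if fields.get("230400001") == "2":
        findings.append(("MEDIUM", "Menu 23.4 Wireless Port Control = 2 (No Authentication Required)"))
    if fields.get("230400005") == "0":
        findings.append(("HIGH", "Menu 23.4 Key Management Protocol = 0 (8021x), Dynamic WEP Key Exchange = %s: "
                                 "WPA is not in use" % fields.get("230400006", "?")))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_sptgen(SAMPLE)):
        print("[%-6s] %s" % (severity, message))
```

Against the values printed in the tables the report lists eight HIGH findings: four example secrets, three management services open to any address, and a WLAN that is not using WPA. Restricting a service is a matter of setting its Access field to 2(Lan) or 1(none) and, where WAN access is really needed, putting the single permitted administration host in the Secured IP address field.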
Command Examples
The following are example Internal SPTGEN screens associated with the Prestige's command interpreter commands.
Table 145 Command Examples
FIN          FN          PVA                                          INPUT
/ci command (for annex a): wan adsl opencmd
990000001 =  ADSL OPMD   <0(glite)|1(t1.413)|2(gdmt)|3(multimode)>    = 3
/ci command (for annex B): wan adsl opencmd
990000001 =  ADSL OPMD   <0(etsi)|1(normal)|2(gdmt)|3(multimode)>     = 3
APPENDIX I
Triangle Route
The Ideal Setup
When the firewall is on, your Prestige acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the Prestige to protect your LAN against attacks.
Figure 201 Ideal Setup
The "Triangle Route" Problem
A traffic route is a path for sending or receiving data packets between two Ethernet devices. [. . . ]