ZyXEL Communications ZYWALL 35 - V4.04 User's Guide

Summary of Contents

Page 1 - ZyWALL 35

ZyXEL Firmware Release Note ZyWALL 35 Release 4.04(WZ.6)C0 Date: October 13, 2009 Author: Joris Guo Project Leade

Page 2 - Release Note

(2) On eWC NETWORK>>WAN, configure it with fixed IP address. (3) On eWC ADVANCED>>DNS>>System, add a public DNS server "172.25.

Page 3 - Known Issues:

Appendix 3 Hard-coded packet filter for "NetBIOS over TCP/IP" (NBT) The new set C/I commands is under "sys filter netbios" sub-

Page 4

Appendix 4 Traffic Redirect/Static Route Application Note Why traffic redirect/static route be blocked by ZyWALL ZyWALL is the ideal secure gateway f

Page 5

normal function. Figure 5-2 Gateway on alias IP network (2) Gateway on WAN side A working topology is suggested as below. Figure 5-3 Gateway on WAN

Page 6

contents are consistent and they can connect. Basically the story is the same when ID type is IP. If user configures ID content, then ZyWALL will use

Page 7

1. When Local ID Content is blank which means user doesn’t type anything here, during IKE negotiation, my ID content will be “My IP Addr” (if it’s n

Page 8

ISP(or network). This secondary WAN port can be used in “active-active” load sharing or fail-over configuration providing a highly efficient method

Page 9 - Features:

Appendix 9 IPSec IP Overlap Support ZyWALL B IP Alias 1.1.2.0/24 LAN 1.1.1.0/24 LAN 1.1.2.0/28 WAN PC A 1.1.1.33 PC B 1.1.2.250 PC C 1.1.2.250 ZyWALL A Figure 1

Page 10

Appendix 10 VPN Local IP Address Limitation ZyWALL B IP Alias 1.1.2.0/24 LAN 1.1.1.0/24 LAN 1.1.2.0/28 WAN PC A 1.1.1.33 PC B 1.1.2.250 PC C 1.1.2.250 ZyWALL A

Page 11

ZyXEL VPN Client Security Gateway: 1.1.1.1 Phase one Authentication method: Preshare Key Remote: 192.168.1.0/24 In example 1, user may wonder why Zy

Page 12

on forceUpdate, then the ZyWALL gets gratuitous ARP, it will force to update MAC mapping into the ARP table, otherwise if turn off forceUpdate, th

Page 13

6. [BUG FIX] SPR ID: 080526515 Symptom: The hyperlink of signature policy in mail report is wrong. Condition: (1) Enable IDP function.

Page 14

(2) ipsec initContactMode tunnel When the ZyWALL receives an IKE packet with IC, it deletes only one existing tunnel, whose security gateway IP

Page 15

Figure 1. But some limitations remain that we need to overcome in the future. When you deploy your SIP server on LAN for SIP service,

Page 16 - 080925987

Figure 2. (2) Try not to use different global IPs for SIP client and SIP server on NAT. Currently, there are still some limitations when using different

Page 17

phone B. Thus call setup will fail. This limitation is a SIP client related issue; some SIP clients will send the ACK request directly to the remote cli

Page 18

(4) "Update Server" will reply a file list to the PC, the download address of the file will be "File Server", at the same time "

Page 19

If we set the timeout value as "10 seconds", 5 seconds is not timeout. The device will route the new session to the same interface.

Page 20

Appendix 16: The mechanism of ZyWALL IPSec policy IP conflict check: ZyWALL classifies traffic to IPSec tunnels according to Network Policies. If the

Page 21

Policies under Static IKE rule (configuration) Policies under Dynamic IKE rule(configuration) Runtime policies (IKE negotiation) Policies under Stat

Page 22

to 62. 3. [ENHANCEMENT] For dial backup, add a CI "aux ignoreDSRSignal" to support 3G modem which doesn't issue DSR signal. 4. [ENH

Page 23

(2) Make connection from another PC to ZyWALL via SSH, but second connection could not be established. 9. [BUG FIX] SPR ID: 090105014 Symptom: F

Page 24

(FQDN = "aaabbbcc.china.com", IP Address = "192.168.2.33"). (5) On PC1, do nslookup "aaabbbcc.china.com", the resul

Page 25

WAS: First DNS server for DHCP client is “From ISP” IS: First DNS server for DHCP client is “DNS Relay” 9. [BUG FIX] SPR ID: 080905612 Symptom:

Page 26

mszie=00000324 12. [BUG FIX] SPR ID: 080825919 Symptom: HTTP Service can't be detected when using http upload. Condition: (1) Enable AV,

Page 27

(1) Switch on UPnP of ZyWALL. (2) Open uTorrent 1.8 to download some files. (3) In eWC>ADVANCED>UPnP>Ports, there is only one port mapping ru

Page 28

Symptom: Upload FW to 4.04 patch 2 b1, High and severe IDP signatures ARE NOT LOGGED BY DEFAULT Condition: 1) Upload the 4.04 pre-version FW, for exa

Page 29

WAN-LAN. Configure X-Header, Phishing Tag and Spam Tag (3) Go to eWC>Security>Anti-Spam> External DB, enable it and set the threshold to

Page 30

ZyXEL ZyWALL 35 Standard Version Release 4.04(WZ.6)C0 Release Note Date: October 13, 2009 Supported Platforms: ZyXEL ZyWALL 35 Versions: ZyNOS

Page 31

8. [BUG FIX] SPR ID: 080710761 Symptom: Device will crash when clicking a button on web page "http://www.doxpara.com/". Topology: PC--------- (

Page 32

Topology: PC------(L)ZyWALL(W)------PPTP Server (PPTP Client) Condition: (1) Setup PPTP server on Redhat Linux. (2) Create PPTP cli

Page 33

Topology: ZyWALL 35(DUT)(W)----Internet---- (W)Checkpoint Condition: (1) Configure a static IPSec VPN rule on DUT for checkpoint. The Remote Gat

Page 34

(2) Select the log schedule as "When Log is Full". (3) Ping ZyWALL35's LAN port nonstop from the PC in LAN. There will be high ping r

Page 35

17. [BUG FIX] SPR ID: 080307371 Symptom: OIDs for VPN does not work. Even after tunnel has been up for a while and traffic has been passed, those O

Page 36

LAN-C Yes 10.21.10.0 / 255.255.255.0 10.1.1.21 (2) PC1 begin to ping PC2, can't receive any reply from PC2. 19. [BUG F

Page 37

Symptom: Fail to dial into the sip phone when the packets generated from SIP provider are fragmented. Condition: Topology: SIP phone 1-----SIP s

Page 38

Service configuration: Select Active FTP Service, Direction: LAN->WAN1, and WAN1->LAN (3) Using some ftp client in ZyWALL LAN side t

Page 39

Modifications in V 4.04(WZ.0)C0 | 03/28/2008 Modify for formal release Modifications in V 4.04(WZ.0)b5 | 03/21/2008 1. [BUG FIX] SPR ID: 080313755

Page 40

(2) Go to SMT menu24.8, key command “d d 1” to dial PPTP again. (3) Get information “Remote node [WAN 1] is connected, IP is dd783c36”. (4) The IP is s

Page 41

cause current version not work with the wrong value. Please be sure to connect with devices which have updated VID, or the DPD may not work correctly.

Page 42

Condition: (1) Rom restores (2) On SMT24.8, input command: sys tos fwSchedule active on (3) In eWC>Firewall, add a rule on LAN to WAN, block TCP &a

Page 43

(3) In ZyWALL1, configure IKE and IPsec rule. Enable Nailup. Make sure the tunnel can be built successfully. (4) In ZyWALL2, configure IKE rule and IP

Page 44

8. [BUG FIX] SPR ID: 071115009 Symptom: When adding a new sub-class with bandwidth budget = 0, can save, but cannot edit or delete. Condition: (1) R

Page 45

static DHCP mapping left. (5) Key in command ipconfig/release on PC1. (6) After PC1 release this IP successfully, check eWC>>Home>>DHCP ta

Page 46

in ewc, all values are correctly set to the device. (3) Login "www.eurodns.com" with the Username=xxx, Password=xxx. Click "My Domains&

Page 47

(6) Go to eWC>SECURITY>CONTENT FILTER>EDIT POLICY>EXTERNAL DATABASE Active External Database Service Configuration Select Categories: Sear

Page 48

22. [BUG FIX] SPR ID: 080114612 Symptom: Dial Backup will be triggered even if traffic redirect works. Condition: Topology: PC--- (LAN) ZyWALL (Di

Page 49

25. [BUG FIX] SPR ID: 080115675 Symptom: Back AV/IDP Signature fails. Condition: (1) Register a device with Signature to CNM. In CNM: Configuration

Page 50

Enhance Agent to support CNM 3.0 Patch2 (1) Support MAC/IP binding (2) Support VPN AES128/192/256 and DH5 (3) Support DDNS multi service providers (4)

Page 51

ZyWALL. 36. [BUG FIX] SPR ID:071113829 Symptom: When create My Certificates, and the certificate name include spaces, The certificate can be created

Page 52

upload and signature update for full version will take tens of seconds) 4. Because of the memory shortage (ZW5/P1), device has to restart when custo

Page 53

P2P" and click apply. (4) In the search result, we can find P2P signatures only. 41. [BUG FIX] SPR ID: 071204069 Symptom: DUT updates with "

Page 54

Symptom: Log for connectivity check fails Source IP and Destination IP should be NULL when domain name doesn't exist. Device shouldn’t show the D

Page 55

Condition: (1) Doing IXIA stress testing with IDP/AV/AS/CF functionality and device will crash. 49. [BUG FIX] SPR ID: 071206262 Symptom: ZyWALL can’t

Page 56

(1) Register with WWW.EuroDNS.COM. (2) Use wireshark to capture the packets when DUT update DDNS. (3) The information of DDNS user agent shows "A

Page 57

9. [ENHANCEMENT] Refine GUI layout. (1) eWC>LOGS>Log Settings, add a section for mail schedule. (2) eWC>MAINTENANCE>Diagnostics , add a

Page 58

For more detail information, please refer to appendix 14. 13. [FEATURE CHANGE] WAS: When CNM was ON, device's alerts will stop mailing to the

Page 59

18. [BUG FIX] SPR ID: 070927476 Symptom: ZyWALL uses PC MAC address as the source MAC to send ESP/AH packets. Condition: (bridge mode)

Page 60

(4) In Reports>IDP page, select "Top Entry By Signature Name" and there is no related information. 23. [BUG FIX] SPR ID: 071013726 Symp

Page 61

P2002A (1) P2002A unregistered to SIP server (2) Configure SIP Server Address as 192.168.30.114 P2002B (1) P2002B unregistered to SIP server (2) Conf

Page 62

3. [BUG FIX] SPR ID: 070809666 Symptom: ZyWALL crashes when receive pop3 mail from WAN. Conditions: PC1---(192.168.100.33)router(192.168.1.3

Page 63 - SPR ID: 061221255

them. (2) On DUT1 enable Firewall, and set Drop for VPN to LAN, then add a firewall rule of VPN to LAN: Source address = 192.168.2.33 Destination Addr

Page 64 - SPR ID: 070118898, 070118896

Conditions: (1) Load 4.00 FW and enable "Gambling" category. (2) Upload 4.03 FW and the "Gambling" category is gone. 8. [BUG

Page 65 - SPR ID: 061211692

Symptom: Wizard internet access setup has wrong URL link. Conditions: 1. Go to eWC>Home>Wizard>Internet Access setup>Product registra

Page 66

Add “WIRELESS” group in left panel and move the wireless features (network>wireless card, 3G) into it. Modifications in V 4.03(WZ.0)b1 | 06/29/200

Page 67

(4) ZyWALL switches to Dial Backup. (5) NAT table is full. 8. [ENHANCEMENT] Support IXP425 B1 version CPU. WAS: Support IXP425 A0/B0

Page 68

infected file packet and the following file packet as well. It is safer but reduces performance for handling infected files. We also fix the line-assem

Page 69

Symptom: This kind of URL request such as "http://www.host:80" can not pass through content filter trusted web site. Condition: (1)

Page 70

(2) Build VPN2. (3) There will be a large delay in the ping. 24. [BUG FIX] SPR ID: 060627810 Symptom: If the encapsulation type of WAN inte

Page 71

(5) PC_A enables the Kiwi Syslog Daemon. (6) There is no traffic log sent to kiwi Syslog Daemon anymore. 29. [BUG FIX] SPR ID: 060725664.

Page 72

(1) Reset to default factory. (2) Setting a correct PPPoE connection in WAN interface, disable "nailed-up", and idle timer is 20 s

Page 73

P2002(A) --- DUT1(PPPoE) =====VPN TUNNEL===== DUT2 --- P2002(B) (2) Configure as attached file. Test Steps: (1) DUT1 WAN is PPPoE. (2) DUT1

Page 74

(5) It is blocked by content filter. 5. There is a forward log of the blocked web site. Condition: (1) Register Content Filter service. (2) Enable Co

Page 75

44. [BUG FIX] SPR ID: 070228410 Symptom: ZyWALL BW MGMT class search order shows wrong when moving classes. Condition:

Page 76

| | |WLAN STA denied by WLAN MAC Filter | | |MACAddr:0013026c13a3| ----------------------------------------------

Page 77

Modifications in V 4.02(WZ.1)b1 | 05/15/2007 1. [BUG FIX] SPR ID: 070317140, 070317141, 070317142, 070317143,070322461, 070322462, 070322463 Symptom

Page 78

Topology: (192.168.2.1) (192.168.1.1) wan2(192.168.1.3) wan1(192.168.2.2) pc------------------------Router----------------

Page 79

Condition: (1) Change ZyWALL to bridge mode. (2) Use the follo

Page 80

Sessions 87/10000 CPU 0% (2) See "sysCPUUsage", "sysFlashUsage", "sysRAMUsage" and "sysSessionUsage"

Page 81

============================ task name = dns-proxy, pc = f6f30 tosFree is not in network task... task name = dns-proxy, pc = f6f30 tosFr

Page 82

Condition: (1) Enable CF and external CF. (2) Access www.msn.com from PC (3) You will see some URL end with .gjf or .jpg files in

Page 83

Symptom: Content Filter "Restrict Web Features" is inconsistent behavior on appeared of page when enable or disable "Don't block t

Page 84

Symptom: DUT will crash sometime. Condition: (1) Enable NAT. (2) Sometimes DUT will crash in customer site. Modifications in V 4.01(WZ.4)b1 | 01/29/2

Page 85

And sometimes the log shown as “ping of death. ICMP(W to L, Echo Reply)”. [UPnP] 1. Sometimes on screen the “Local Area Connection” icon for UPnP d

Page 86

BLOCK”, not “(cache hit)|WEB BLOCK”. 6. [BUG FIX] 061113707 Symptom: Content filter trusted web will be blocked when select "Don't block J

Page 87

(4) The Dial Backup session between the ZyWALL and ISP is established, ZyWALL got an IP address provided by the ISP, but the PC in LAN can't pi

Page 88

13. [BUG FIX] 061218035 Symptom: Device crashes when you use Anti-Spam function. Condition: (1) Restore default romfile. (2) Register Anti-Spam servic

Page 89

(4) Can’t get response from device. 19. [BUG FIX] Symptom: iChat behind ZyWALL can not make a video call with another iChat in WAN . Condition: Topol

Page 90

Modifications in V 4.01(WZ.3) | 12/04/2006 Modify for formal release. Modifications in V 4.01(WZ.3)b1 | 11/24/2006 1. [ENHANCEMENT] SPR ID: 061109

Page 91

Topology: P2002A------------+-(LAN)ZW70(WAN)---------P2002B SIP Server--------| (1) Create a port forwarding rule on

Page 92

(3) DeviceA enables AS for WAN->VPN direction. (4) PC receives mail from mail server, mail gets stuck. 12. [ENHANCEMENT] SPR ID: 060331694 Add

Page 93

Symptom: ZyWALL cannot trigger dial backup. Condition: Topology: PC--(LAN)ZyWALL(dial backup)--Internet (1) Restore default romfile. (2) Set up dial b

Page 94

TCP 192.168.111.2:50999 66.59.243.66:26397 ACCESS PERMITTED" Engineer Note: The value in default ROM file is "on" in 4.01. 22. [ENHANC

Page 95

Condition: (1) In eWC->SECURITY->CONTENT FILTER->General page, enable "Content filter" and block "Java Applet/ActiveX/Cookie

Page 96

1. Symptom: Cannot configure DDNS from SMT. Condition: (1) Enter SMT menu1, Edit Dynamic DNS= Yes. (2) Try to input username and password. (3) Cann

Page 97

(1) The configured romfile please refer to SPR. (2) PC1 cannot see PC2 by NetBIOS via VPN tunnel. Note: This problem only happens when policy index i

Page 98 - User 1001-1100 1-100

5. [ENHANCEMENT] Add a CI command to turn on or off the LDAP packet parsing in NAT module. Usage: "ip nat service ldap [on|off]" 6. [

Page 99

CDMA.24. Condition: Russia raised this issue that our ZyWALL cannot connect one kind of CDMA terminal RWT FCT CDMA.24, but it is okay when t

Page 100

1. [BUG FIX] Symptom: Device crashes when upload F/W. Condition: Topology : PC_A == ZyWALL == P1 == PC_B (1) Build tunnel between PC_A and PC_B and s

Page 101 - Figure 5-1 Triangle Route

8. [FEATURE CHANGE] WAS: In eWC>HOME page, the memory bar will become red when the percentage of memory usage is over 90%. IS: In eWC>HOME page

Page 102

15. [BUG FIX] Symptom: Unknown crash. Condition: (1) Restore default romfile. (2) Switch device to Active/Active mode, and confirm WAN1 and WAN2 c

Page 103

20. [BUG FIX] Symptom: The device will crash when using VPN manual mode. Condition: PC1--ZWA--ZWB--PC2 (1) Add a VPN manual mode rule in both ZW

Page 104

WAS: 19/64MB IS: 19/64 MB (2) Time representation: Modify eWC>home page>Up Time as a running clock. (3) Firm

Page 105

(2) Remove CI command "ipsec swFwScan on|off". 8. [BUG FIX][060502049] Symptom: Device crashes when sends large number of mails. Condition

Page 106 - 1.1.2.254

10. [BUG FIX][060517002] Symptom: Some wordings in "eWC->ANTI-VURUS" are not correct. Condition: (1) Go to "eWC->ANTI-VIRUS->General&

Page 107 - ZyWALL A

Features: Modifications in V4.04(WZ.6) | 10/13/2009 Modify for formal release. Modifications in V4.04(WZ.6)b2 | 10/07/2009 1. [FEATURE CHANGE] The r

Page 108

15. [BUG FIX][060509567] Symptom: Bridge mode Network Status Bridge Port loss DMZ port. Condition: Bridge mode in GUI Home> Network Status

Page 109

Condition: Topology as follows: PC (A) ---- [L]DUT(B)[W] ------- Internet --- HTTP server(D)(66.102.7.104) | |

Page 110

22. [BUG FIX][060427214] Symptom: Redundant gateway sometimes can’t be saved if it's in domain name format. Condition: (1) Create an IKE rul

Page 111

Condition: (1) Go to SMT11.1, configure Encapsulation as "PPPoE" or "PPTP". (2) Go to SMT11.1->Edit IP, change "Pr

Page 112

IKE: Static rule, enable XAUTH and set as client mode. IPSEC Policy: Local=Single 1.1.1.1, Remote=Single 2.2.2.2 (2) On Bridge_B, ad

Page 113

2. [ENHANCEMENT] Add redundant IPSec gateway (IPSec HA). 3. [ENHANCEMENT] IPSec traffic can be managed by security rule (IDP/AV/AS/FW/CF/BM) 4. [FE

Page 114

(1) "active [yes|no]": Let ZyWALL accept gratuitous ARP request. (2) "forceUpdate [on|off]" If zywall ARP table already had targ

Page 115

(6) The default server access of the SNMP and DNS is ALL. Modification (1) The default value for Server access rule is ALL. (2) Under the default set

Page 116

Appendix 2 Trigger Port Introduction Some routers try to get around this "one port per customer" limitation by using "triggered"

Page 117

"Incoming Port". If it matches, Prestige will forward the packet to the recorded IP address in the internal table for this port. (This behav
