ZyXEL Communications ZYWALL 70 - V4.03 Technical Information

ZyXEL Firmware Release Note ZyWALL 70 Release 4.03(WM.1)C0 Date: Jan 31, 2008 Author: Wgang Wang Project Leader

Symptom: ZyWALL doesn't forward "no such name" response to DNS client. Condition: (1) Configure ZyWALL as DNS server on PC. (2) PC

(6) Then, you will find PC2 can’t ping PC4. 15. [BUG FIX] SPR ID: 070911459 Symptom: CI command "ip arp force on" does not take effect on

Symptom: The "Up Time" shown on the Port Statistics and Home page are quite different when the ZyWALL uptime is more than 100 hours. Cond

21. [BUG FIX] SPR ID: 071114943 Symptom: ZyWALL cannot reply packet on correct WAN interface. Condition: (192.168.1.60)

23. [BUG FIX] SPR ID: 071115021 Symptom: When adding a new sub-class with bandwidth budget = 0, can save, but Can not edit or delete.

(b) Input PC2 IP 192.168.4.33. (c) Enable all plug-in with default settings (Even dangerous plug-in are enabled). (d) Scan from the local host. (e)

"ip cf externalDB exDblogserver 220.128.56.38" (3) Go to eWC>SECURITY>CONTENT FILTER>General, do following settings Enable Conte

(4) ZyWALL crashes. 4. [BUG FIX] SPR ID: 070914803 Symptom: Dial Backup will be dialed in Active/Active mode even when two WAN interfaces ar

(1) Enable content filter and block cookie. (2) Access "tw.msn.com" website and you will get ”Bad Request (Invalid Header Name)” in browse

14. [BUG FIX] SPR ID: 070905185 Symptom: ZyWALL crashes when testing content filter. Conditions: (1). Restore default romfile and Ena

ZyXEL ZyWALL 70 Standard Version Release 4.03(WM.1)C0 Release Note Date: Jan 31, 2008 Supported Platforms: ZyXEL ZyWALL 70 Versions: ZyNOS V

** 3G card (only for USB dongle) can be removed if WAN2 is disabled. (For ZyWALL 5H only) ** Support Bandwidth Management for USB serial typ

Condition: The NAT setup of WAN 1 is full feature, and NAT setup of WAN 2 is SUA. Can't see the site on the public DMZ from I

WAS: --------------------------------------------------------------------------------------------------- |#| Time | Message

| | |Kurt-I6400(00:13:02:88:79:59) | | | | --------------------------------------------

17. [BUG FIX] SPR ID: 070411473, 070411474, 070411475, 070411476 ITS #: 16872 Symptom: VPN traffic stops between two gateways. Condition: Topol

Was: DDNS update error: The hostname specified does not exist.| Code: nohost Is: Update error: The hostname specified does not exist. |DD

26. [ENHANCEMENT] SPR ID: ITS #:18000 Add a hidden CI command "ipsec maxIkePskLength [31|32]" to turn on 32-byte PSK. After turn on

(1) WAN interface down. (2) WAN IP changes to x.x.x.x. (3) CPU load reaches 100%. (4) ZyWALL switches to Dial Backup. (5) NAT ta

The ZyWALL just breaks the first infected file packet and stop track the file session in the previous mechanism. The old one has better perf

from SNMP management software. 20. [BUG FIX] ITS#: 14936 Symptom: This kind of URL request such as "http://www.host:80" c

11. In previous 3.64 firmware, the VID value of DPD is not correct. VID change will cause current version doesn’t work with the wrong value. Please

VPN1: ZW35B build a VPN with ZW35A VPN2: ZW5 build a VPN with ZW35A (1) Build the VPN1 and ping PC1 from PC2. (2) Build VPN2.

Syslog Server for Analysis". (4) Go to eWC>LOGS>Log Settings page, activate "Syslog" and setup the syslog server IP as PC_A.

WAN . Condition: (1) Reset to default factory. (2) Setting a correct PPPoE connection in WAN interface, disable "nailed-up", a

Condition: Topology: P2002(A) --- DUT1(PPPoE) =====VPN TUNNEL===== DUT2 --- P2002(B) (1) DUT1 WAN is PPPoE. (2) DUT1 and DUT2 enable SIP

(2) Enable Web site customization in the Customization page. (3) Add Forbidden Web Site or Keyword Blocking. (4) Access the Web Page which sho

(3) Device's WAN can't dial up because incorrect login name and password. (4) Device crash after 2 minutes. 9. [BUG FIX] 070208756 S

(1) Setup one VPN between ZW5 and ZW70. (2) Enable the AV and IDP in ZW5, and enable the zip file scan in AV. (3) PC1 start FTP and HTTP download on

time. 8. [BUG FIX] 061128584, 061128585 (ITS#13932) Symptom: Device crashes by hardware watchdog. Condition: Topology: (a) PC --- [LAN]ZyWALL[WAN]

(1) In router mode, enable content filter and set the block message but leave the Redirect URL blank. (2) Enable external database content filtering

'cnm encrymode <mode>'. IS: Change cnm encryption mode with one CLI: 'cnm encry <mode> <key>' 17. [BUG

(3) The host can still ping Internet using LAN DHCP address. (4) The scenario will continue about 30secs. 3. When device is writing flash, all the

(3) When WAN2 is down, using "ip ro st" to show route table, the static route disappears, the traffic goes to some destination will go thr

Condition: (1) Let ZyWALL WAN1 uptime be more than 300 hours. (2) Go to eWC>HOME page, the "Up Time" is "4:00:00". (3) Click

Symptom: Multiple PPPoE cannot use the same PPPoE session ID. Condition: Topology: ZyWALL [WAN1] --- PPPoE [WAN2] ---

15. [BUG FIX] SPR ID: 060822272 Symptom: ZyWALL will not mail its LOG if the IP specified on the One-To-One Public IP. Condition: Topology:

break the file with more than one virus. Now ZyWALL breaks the first infected file packet and the following file packet as well. It is safer but dow

26. [BUG FIX] SPR ID: 060809598 Symptom: PC can not access the web server (www.fapa.com.pl) via our ZyWALL. Condition: PC---(LAN)ZyWALL(WAN)---int

30. [BUG FIX] SPR ID: 060831744 Symptom: PC cannot ping WLAN interface IP. Condition: Topology: PC1(10.0.0.1)----(10.0.0.2)(WAN)ZyWALL(WLAN)(192.16

Support 60 categories in content filtering. New categories: ""Hacking", Phishing", "Spyware/Malware Sources",

Symptom: The packet will be dropped if the device does not have the ARP entry of the receiver of this packet. Condition: (1) Clear ARP

PC-----(LAN)ZW70(WAN) (1) On PC, try trace route a host(www.yahoo.com). (2) Trace route cannot get response from our device. 15. [BUG FIX]

(2) On DUT1 enable Firewall, and set Drop for VPN to LAN, then add a firewall rule of VPN to LAN: Source address = 192.168.2.33 Destination Address

(5) When the PC1 is sending mails will cause mail stuck until timeout. 2. [BUG FIX] Symptom: Upload firmware by eWC will cause CPU load 100%.

10. [ENHANCEMENT] (3) In eWC>HOME page, show MAC address in Network Status Table. [060606360] (4) Change ZyWALL eWC refresh pages to consistent

Anti-Virus can detect viruses. (4) In eWC>REPORTS>THREAT REPORTS, Total Sessions Scanned of IDP will count number. But it should not. 16.

The detect virus name shows ’Unknown Signature’ and the Occurrence is very big, even is a negative number. 21. [BUG FIX] Symptom: Someti

WC>Registration> Service. (5) Interfaces 1. Give each eWC>interface a hyperlink to link to the corresponding configuration page.

(192.168.70.200)ZW_B --- (192.168.2.33)PC2 (1) VPN configuration on ZW_A: IKE 1: Secure gateway: 192.168.70.200 Enable

12. [BUG FIX][060515863] Symptom: In eWC>HOME>Network Status>more page, wireless cannot get correct port status. Condition: (1) Insert

Peer ID: Type=DNS Content = a.b.c.d IPSEC Policy: Local=Single 1.1.1.1, Peer=Single 2.2.2.2 (2) On Bridge_B, add two VPN rules

Condition: Topology: PC1 (192.168.1.33)------(LAN)ZyWALL(WAN:192.168.70.175)-----PC2(192.168.70.176) (1) Reset to default romfile. (

123456789.123456789.123456789.123456789.123456789.123456789.123". (3) While applying the setting, VPN Rules page shows incorrect domain n

Condition: (1) Input “google” in Keyword Blocking of Customization. (2) Visit http://info.zyxel.com.tw in LAN PC. The web site is opened successfull

(1) Go to eWC>NAT>NAT overview, change Max concurrent sessions per host to 500. (2) Use BluePortScan to do port scan. (3) Hi

(2) Click Reset button, ZyWALL pup up JavaScript error. 33. [BUG FIX][060425022] Symptom: Device crash (Soft watchdog starts up.) Condition

1. Support "*" to indicate match any character 0 or more times. 2. It is case-insensitive. 3. The maximum length of the email and subject

Appendix 1 Remote Management Enhancement (Add SNMP & DNS Control) New function (1) You can change the server port. (2) You c

Menu 24.11 - Remote Management Control TELNET Server: Port = 23 Access = ALL Secured Client IP = 0.0.0

Appendix 2 Trigger Port Introduction Some routers try to get around this "one port per customer" limitation by using "triggered"

"Incoming Port". If it matches, Prestige will forward the packet to the recorded IP address in the internal table for this port. (This beh

Appendix 3 Hard-coded packet filter for "NetBIOS over TCP/IP" (NBT) The new set C/I commands is under "sys filter netbios" su

Appendix 4 Traffic Redirect/Static Route Application Note Why traffic redirect/static route be blocked by ZyWALL ZyWALL is the ideal secure gateway

normal function. Figure 5-2 Gateway on alias IP network (2) Gateway on WAN side A working topology is suggested as below. Figure 5-3 Gateway on W

[MISC] 1. The DMZ TxPkts counter increment at about 1 pkt/min even without any Ethernet cables ever connected. 2. In eWC->Statistics, Tx data f

contents are consistent and they can connect. Basically the story is the same when ID type is IP. If user configures ID content, then ZyWALL will u

1. When Local ID Content is blank which means user doesn’t type anything here, during IKE negotiation, my ID content will be “My IP Addr” (if it’s

ISP(or network). This secondary WAN port can be used in “active-active” load sharing or fail-over configuration providing a highly efficient meth

Appendix 9 IPSec IP Overlap Support ZyWALL BIP Alias 1.1.2.0/24LAN1.1.1.0/24LAN 1.1.2.0/28WANPCA 1.1.1.33PCB 1.1.2.250PCC 1.1.2.250ZyWALL A Figure

Appendix 10 VPN Local IP Address Limitation ZyWALL BIP Alias 1.1.2.0/24LAN1.1.1.0/24LAN 1.1.2.0/28WANPCA 1.1.1.33PCB 1.1.2.250PCC 1.1.2.250ZyWALL

ZyXEL VPN Client Security Gateway: 1.1.1.1 Phase one Authentication method: Preshare Key Remote: 192.168.1.0/24 In example 1, user may wonder why

on forceUpdate, then the ZyWALL gets gratuitous ARP, it will force to update MAC mapping into the ARP table, otherwise if turn off forceUpdate,

(2)ipsec initContactMode tunnel When the ZyWALL receives a IKE packets with IC, it deletes only one existing tunnel, whose security gateway I

Figure 1. But there are still some limitations remain that we need to overcome in the future. When you deploy your SIP server on LAN for SIP servic

Figure 2. (2) Try not use different global IPs for SIP client and SIP server on NAT. Currently, there are still some limitations when use differen

Enlarge the length of "User Name" in E-mail Report, Log Settings and Diagnostics from 31 to 63. 4. [ENHANCEMENT] SPR ID: 071114968 Free

phone B. Thus will be fail on call setup. This limitation is SIP client related issue, some SIP clients will send ACK request direct to the remote c

(4) "Update Server" will reply a file list to the PC, the download address of the fill will be "File Server", at the same time &

If we set the timeout value as "10 seconds", 5 seconds is not timeout. The device will route the new session to the same interface.

(bridge mode) (NAT router) (router mode) PC1------(LAN)ZyWALL(WAN)----VSG-1200----IPSec gateway----PC2 (1) Build a VPN tunnel between ZyW