ZyXEL Communications ZYWALL 70 - V4.04 Operating Instructions

Browse online or download the operating instructions for the ZyXEL Communications ZYWALL 70 - V4.04 (category: Networking). ZyXEL Communications ZYWALL 70 - V4.04 User guide [en] User manual

ZyXEL
Firmware Release Note
ZyWALL 70
Release 4.04(WM.4)C0
Date: Mar 24, 2009
Author: Joris Guo
Project Leader: Billy Bian

Table of Contents

Page 1 - ZyWALL 70

ZyXEL Firmware Release Note ZyWALL 70 Release 4.04(WM.4)C0 Date: Mar 24, 2009 Author: Joris Guo Project Leader:

Page 2 - Release Note

(5) If firewall is disabled, problem disappeared 10. [BUG FIX] SPR ID: 090121708 Symptom: Fail to build VPN tunnel after SA lifetime ex

Page 3 - Known Issues:

ISP(or network). This secondary WAN port can be used in “active-active” load sharing or fail-over configuration providing a highly efficient meth

Page 4

Appendix 9 IPSec IP Overlap Support ZyWALL BIP Alias 1.1.2.0/24LAN1.1.1.0/24LAN 1.1.2.0/28WANPCA 1.1.1.33PCB 1.1.2.250PCC 1.1.2.250ZyWALL A Figure

Page 5

Appendix 10 VPN Local IP Address Limitation ZyWALL BIP Alias 1.1.2.0/24LAN1.1.1.0/24LAN 1.1.2.0/28WANPCA 1.1.1.33PCB 1.1.2.250PCC 1.1.2.250ZyWALL

Page 6

ZyXEL VPN Client Security Gateway: 1.1.1.1 Phase one Authentication method: Preshare Key Remote: 192.168.1.0/24 In example 1, user may wonder why

Page 7

on forceUpdate, then the ZyWALL gets gratuitous ARP, it will force to update MAC mapping into the ARP table, otherwise if turn off forceUpdate, then

Page 8 - Features:

(2)ipsec initContactMode tunnel When the ZyWALL receives a IKE packets with IC, it deletes only one existing tunnel, whose security gateway I

Page 9

Figure 1. But there are still some limitations remain that we need to overcome in the future. When you deploy your SIP server on LAN for SIP servic

Page 10

Figure 2. (2) Try not use different global IPs for SIP client and SIP server on NAT. Currently, there are still some limitations when use differen

Page 11

phone B. Thus will be fail on call setup. This limitation is SIP client related issue, some SIP clients will send ACK request direct to the remote c

Page 12

(4) "Update Server" will reply a file list to the PC, the download address of the file will be "File Server", at the same time &

Page 13 - 080925987

4. [FEATURE CHANGE] WAS: The SA monitor in IPSec Algorithm column shows info like “ESP AES--SHA1”, and CI “ipsec show sa” could only show

Page 14

If we set the timeout value as "10 seconds", 5 seconds is not timeout. The device will route the new session to the same interface.

Page 15

Appendix 16: The mechanism of ZyWALL IPSec policy IP conflict check: ZyWALL classifies traffic to IPSec tunnels according to Network Policies. If

Page 16

(2) Process runtime policy sent from remote gateway during IKE negotiation Policies under Static IKE rule (configuration) Policies under Dynamic I

Page 17

3CX Phone A------------- (L)ZyWALL (W)------------- 3CX Phone B----SIP Server Condition: ZyWALL: (1) Set with CI command "sys romr|y

Page 18

12. [BUG FIX] SPR ID: 080827212 Symptom: The background color of DNS system needs to be consistent. Condition: (1) Enter page eWC>ADVANCE

Page 19

6. Then turn on the power, the DUT crash Condition (2): 1. Configure DUT's DNS server as an unreachable one. 2. Attach Spirent Avalanche to DUT

Page 20

user-defined DNS server, confirm NO default server. (9) Configure ZyWALL works as DNS proxy. (10) Enter command in Linux shell: "date;host www

Page 21

Select Allow users to make configuration changes through UPnP Select Allow UPnP to pass through Firewall Server IP Address = 172.20.10.0

Page 22

Modifications in V 4.04(WM.1) | 06/26/2008 Modify for formal release. Modifications in V 4.04(WM.1)b2 | 06/18/2008 1. [BUG FIX] SPR ID: 08060202

Page 23

it should be show”device channel filter enet0 inDev 1 2 3 4,” (2)”device channel filter enet0 display” the display info should not inc

Page 24

will send check IP packet to checkip.dyndns.org when interface is up and get any IP address. IS: When choosing "Use WAN IP Address" as IP

Page 25

ZyXEL ZyWALL 70 Standard Version Release 4.04(WM.4)C0 Release Note Date: Mar. 24, 2009 Supported Platforms: ZyXEL ZyWALL 70 Versions: ZyNOS

Page 26

Condition: (1) Reset to default romfile. (2) Go to eWC>FIREWALL>Rule Summary, then insert a new firewall rule. (3) In eWC>FIREWALL - EDIT R

Page 27

Disable Allow Asymmetrical Route goto eWC>ADVANCED>STATIC ROUTE, add following static route Name Active Destinati

Page 28

address is not available. Condition: Topology: PC1--(LAN)ZyWALL2+(PPPoE)--Cisco2811(LAN)---PC2 (1) Build VPN from ZyWALL2+ to Cis

Page 29

(4) On eWC>SECURITY>CONTENT FILTER>Policy, enable External DB for "policy", and enable "Select All Categories".

Page 30

(5) Fail to connect wan's ftp server and fail to open http://www.163.com. 24. [BUG FIX] SPR ID: 080318065 Symptom: ZyWALL 70 crash in PQA la

Page 31

Enlarge the length of "User Name" in E-mail Report, Log Settings and Diagnostics from 32 to 64. 2. [ENHANCEMENT] Add CI for changing the

Page 32

7. [BUG FIX] SPR ID: 080203080 Symptom: Token can’t be correctly set to the device. Condition: (1) For ZyWALL (4.04 patch0 b3), register this devi

Page 33

Add "www.cerberian.com" and "sitereview.cwfservice.net" website into default trust domain. 3. [BUG FIX] SPR ID: 071022070 Symp

Page 34

PC1 with Nessus ---- (LAN) ZyWALL (DMZ) ----PC2 (192.168.4.33) Condition: (1) Install Tenable Nessus 3 (you can get it at www.nessus.org) in PC1. Up

Page 35

(1) Reset rom of ZyWALL. (2) Add a LAN to WAN firewall permit rule, select DNS service, Enable Log Packet Information When Matched. (3) EWC>SECUR

Page 36

11. In previous 3.64 firmware, the VID value of DPD is not correct. VID change will cause current version not work with the wrong value. Please be

Page 37

12. [BUG FIX] SPR ID: 080109327 Symptom: Device crash when use ISS scan device. Condition: (1)Use ISS scans device and device crashes. 13. [BUG FI

Page 38

(2) Enable content filter. Then enable external Database Content Filtering. Enable log for unrated web pages but disable block for it. (3) Create a

Page 39

Source Interface=LAN Source Starting IP Address=192.168.1.31 Source Ending IP Address=192.168.1.60 Starting Port=20, Ending Port=21 Gateway / WAN In

Page 40

(4) LAN pc successfully opens a page which will be rated as unrated, such as “172.25.21.80”. (5) Then open this page again, it is blocked, and we ca

Page 41

WAS: Device would drop the repeated packet. Is: Device will resend the last IKE quick mode packet. (2) WAS: Only when VPN HA is enabled, device

Page 42

Condition: (1) Input invalid CI with “sys mbuf dis cn” and device crashes. 33. [BUG FIX] SPR ID: 070726881 Symptom: ZyWALL doesn't forward "

Page 43

38. [BUG FIX] SPR ID: 071203015 Symptom: The error message was shown incorrect in Remote Management page. Condition: (1) Go to eWC>ADVANCED>

Page 44

43. [BUG FIX] SPR ID: 071205212 Symptom: Change WAN port speed in bridge mode error. Condition: (1) Reset default rom of the device, change it t

Page 45

matched. 47. [BUG FIX] SPR ID: 071212549 Symptom: When ZyWALL sends E-mail report via OpenVMS, the E-Mail can’t display correctly. Some source code

Page 46

50. [BUG FIX] SPR ID:071211538 Symptom: The content of the mail sent by Diagnostic service is mess. Condition: (1) Enable Traffic Statistics. (2) E

Page 47

3. When device is writing flash, all the interrupt/service will be stopped. (Firmware upload and signature update for full version will take tens o

Page 48

6. [ENHANCEMENT] Provide a ci command "sys tos allow_FinPshAck [on|off]" to allow or block packet with FIN, PSH, and ACK flag. Default

Page 49

Is: ZyWALL can be managed by CNM Vantage Server (SGMP and TR069) and Vantage Access (TR069 only) Below items have been verified with Vantage Ac

Page 50

(2) Add a DNS record with empty Domain name. (3) CNM agent returns -22051 and set fail. 17. [BUG FIX] SPR ID: 071109669 Symptom: ZyWALL can’t recor

Page 51

Symptom: There is no log for connectivity check fail Condition: (1) Go to eWC-->Network-->WAN-->General (2) Enable "Check WAN 1 Connec

Page 52

Condition: (1) Register UTM service from eWC>REGISTRATION>Registration. (2) Update signatures from eWC>SECURITY>IDP>Update. (3) Goto

Page 53

Condition: (1) Go to eWC>CERTIFICATES>MY CERTIFICATE>DETAILS page and you will find the property field is gone. Modifications in V4.03(WM

Page 54

(1) Restore default romfile. (2) In CF, enable ”Unrated Website Page -- Block” and save it. You will find that it cannot save. (3) If you add a poli

Page 55

(6) After few hours(it may take several days), device crashes. 10. [BUG FIX] SPR ID: 071015779 Symptom: Device hang when input command "ip

Page 56

16. [FEATURE CHANGE] (1). Remove CF schedule “Active” field in CF>Policy>Schedule page. (2). Change CF rom convert behavior as, (2.1) If

Page 57

Topology: subnet A---(WLAN) ZW (WAN)---Internet (WLAN Alias) | subnet_B Condi

Page 58

Action for matched Packets = Permit. (3) Can’t ping 192.168.1.33 from 192.168.2.33 and you can find “Unsupported/out-of-order ICMP: ICMP (Echo Reply

Page 59

Condition: (1) Restore romfile (password:fenris120) from SPR, go to Class Setup under WAN1. (2) Add sub-class FTP, band

Page 60

|MACAddr:0013026c13a3| --------------------------------------------------------------------------------------------------- | | |DHCP server

Page 61

Symptom: Can't change the default route on ZyWALL Condition: (1) Using ci command "ip route status" to make sure default

Page 62

(1) Reset ZyWALL5/35/70 ROM file. (2) Configure the DMZ IP(10.10.1

Page 63

21. [BUG FIX] ITS #14567 Symptom: IPSec tunnel cannot be built. Condition: ZyWALL-----NAT Router-----Fortinet 200 (1) Create a VPN

Page 64

(5) Decide when the profile works by schedule. (6) Provide the information about which profile a packet belongs to in the log. 31. [ENHAN

Page 65

38. [ENHANCEMENT] (1) In eWC>VPN>VPN Rules (IKE) page, add an Active/Inactive hyperlink in every network policy. (2) In eWC>VPN>

Page 66

(2) The enhancement can also work in Linux. 45. [ENHANCEMENT] Add direction information in logs of Anti-Virus, IDP and Firewall Attack.

Page 67

50. [BUG FIX] SPR ID: 070123093,070123094,070123095 Symptom: Memory leak when doing IDP CLI operation. Condition: (1)CI> idp sig load 12

Page 68

(1) In eWC>AV>Signature>Switch to query view: select Signature Search by Attributes, Severe, DDOS and click search. (2) Click ordering

Page 69

(3) Visit other web site is normal. (4) This problem is also existed in 4.01 Patch 2 C0 too. 6. Keyword blocking has functioned even if “Web site c

Page 70

/------(W)ZW35(L)----PC2 PC1-----(L)DUT(W)----| \------(W)ZW70(L)----PC3 (1) Create one VPN tunnel for PC1 and

Page 71

62. [BUG FIX] SPR ID: 060914870 Symptom: There will be lots of "Common TOS double free" log by SYN flooding tool. Condition: (1

Page 72

Modifications in V 4.02(WM.0)b1 | 03/21/2007 Convert firmware version to 4.02. Modifications in V 4.01(WM.4) | 03/20/2007 Modify for formal releas

Page 73

appeared of page when enable or disable "Don't block trusted Web sites". Condition: (1) Enable Content Filter and block ActiveX, Java

Page 74

Condition: (1) Enable NAT. (2) Sometimes DUT will crash in customer site. 12. [ENHANCEMENT] Add Vantage CNM device agent – 2.1.4(WM.0) which suppor

Page 75

(7) Again to access http://www.tcc.net.tw (8) Log should be displayed as “www.tcc.net.tw: Business/Economy(cache hit)|WEB BLOCK”, not “(cache hit)|W

Page 76

(3) WAN1 & WAN2 down, Dial Backup is up. (4) The Dial Backup session between the ZyWALL and ISP is established, ZyWALL got an IP address provi

Page 77

14. [BUG FIX] 061218035 Symptom: Device crashes sometimes when you use Anti-Spam function. Condition: (1) Restore default romfile. (2) Register Ant

Page 78

(3) PC connects to device’s DMZ port and ping device’s DMZ IP. (4) Can’t get response from device. 20. [BUG FIX] Symptom: iChat behind ZyWALL can n

Page 79

it. Modifications in V 4.01(WM.3) | 12/04/2006 Modify for formal release. Modifications in V 4.01(WM.3)b1 | 11/24/2006 1. [ENHANCEMENT] SPR ID: 0

Page 80

subnet as WAN to device. [Condition] (1). Let device register to Vantage. (2). Vantage set Dial Backup to enable. (3). Vantage set Dial Backup Fixed

Page 81

Topology: P2002A------------+-(LAN)ZW70(WAN)---------P2002B SIP Server--------| (1) Create a port forwarding rule o

Page 82

(3) DeviceA enables AS for WAN->VPN direction. (4) PC receives mail from mail server, mail gets stuck. 12. [ENHANCEMENT] SPR ID: 060331694

Page 83

Symptom: ZyWALL cannot trigger dial backup. Condition: Topology: PC--(LAN)ZyWALL(dial backup)--Internet (1) Restore default romfile. (2) Set up dial

Page 84

TCP 192.168.111.2:50999 66.59.243.66:26397 ACCESS PERMITTED" Engineer Note: The value in default ROM file is "on" in 4.01. 22. [ENHA

Page 85

Condition: (1) In eWC->SECURITY->CONTENT FILTER->General page, enable "Content filter" and block "Java Applet/ActiveX/Cook

Page 86

(1) The configured romfile please refer to SPR. (2) PC1 cannot see PC2 by NetBIOS via VPN tunnel. Note: This problem only happens when policy index

Page 87

5. [ENHANCEMENT] Add a CI command to turn on or off the LDAP packet parsing in NAT module. Usage: "ip nat service ldap [on|off]" 6.

Page 88

Symptom: ZyWALL serial cannot connect one CDMA terminal RWT FCT CDMA.24. Condition: Russia raised this issue that our ZyWALL cannot connec

Page 89

Modifications in V4.01(WM.0)b5 | 07/31/2006 1. [BUG FIX] Symptom: Device crashes when upload F/W. Condition: Topology : PC_A == ZyWALL == P1 == PC_

Page 90

5. [FEATURE CHANGE] Change some wordings which contain "fail back" in GUI and log. Was: "Fail back ****". Is: "Fall back

Page 91

Features: Modifications in V 4.04(WM.4) | 03/24/2009 Modify for formal release. Modifications in V 4.04(WM.4)b2 | 03/17/2009 1. [BUG FIX] SPR I

Page 92

(5) Unplug wireless card and reboot device. (6) PC connects to DMZ port, IP is 10.10.2.100/24 and gateway is 10.10.2.1, and the PC ping 10.1

Page 93

adjustment. 18. [BUG FIX] Symptom: The IDP should work when the traffic is "from VPN to LAN". Condition: Topology PCB-------ZYWALL----

Page 94

3. [FEATURE CHANGE] WAS: In SMT 24.8, "ipsec adjTcpMss auto" will let the "IPSec adjust TCP MSS" switch to auto mode.

Page 95

5. [ENHANCEMENT] Support dual multiple WAN devices for IPSec HA scenario. 6. [ENHANCEMENT] Change the Anti-Spam wording in log. WAS: "

Page 96 - Figure 5-1 Triangle Route

SA lifetime = 180 seconds Policy 1: Local network: 2.2.2.2/24 Remote network: 1.1.1.1/24 SA lifetime = 28800 sec

Page 97

(3) In ZW5, enable AS. (4) PC2 can’t receive the mail from PC1. 14. [BUG FIX][060424803] Symptom: ZyWALL crashes after changing MA

Page 98

Topology: PC1 (mail client) --- ZW5 (PPTP) === VPN tunnel === ZW70 ---- PC2 (mail server) (1) Establish VPN tunnel between ZW5 and ZW70. (2

Page 99

(2) ZyWALL popup java script error. (3) The status bar shows "spSave () fail with Error -6103". 21. [BUG FIX][060502036] Sympt

Page 100

Local End IP= 3.3.3.3 Global Start IP= 4.4.4.4 Global End IP= 5.5.5.5 (3) Click "Apply" button, then ZyWALL crashes. 26. [BU

Page 101 - 1.1.2.254

31. [BUG FIX][060420625] Symptom: VPN can be successfully built up with wrong IPSec rule. Condition: Topology: (LAN) ZyWALL_A (WAN)=======

Page 102 - ZyWALL A

6. [BUG FIX] SPR ID: 081124085 Symptom: ZyWALL transfer avidp signature type error. Condition: (1) register and activate service from wizard;

Page 103

Modifications in V 4.01(WM.0)b1 | 04/24/2006 1. [ENHANCEMENT] (1) Add UTM reports for IDP/AV/AS. (2) Change linkage from GUI>Logs>Reports t

Page 104

Consolidate "Router reply ICMP packet" log. (1) Router reply ICMP packet: ICMP(Port Unreachable). (2) Router reply ICMP packet: ICMP(Host

Page 105

New function (1) You can change the server port. (2) You can set the security IP address for each type of server. (3) You can define the rule for s

Page 106

Appendix 2 Trigger Port Introduction Some routers try to get around this "one port per customer" limitation by using "triggered"

Page 107

"Incoming Port". If it matches, Prestige will forward the packet to the recorded IP address in the internal table for this port. (This beh

Page 108

Appendix 3 Hard-coded packet filter for "NetBIOS over TCP/IP" (NBT) The new set C/I commands is under "sys filter netbios" su

Page 109

Appendix 4 Traffic Redirect/Static Route Application Note Why traffic redirect/static route be blocked by ZyWALL ZyWALL is the ideal secure gateway

Page 110

normal function. Figure 5-2 Gateway on alias IP network (2) Gateway on WAN side A working topology is suggested as below. Figure 5-3 Gateway on W

Page 111

contents are consistent and they can connect. Basically the story is the same when ID type is IP. If user configures ID content, then ZyWALL will u

Page 112

1. When Local ID Content is blank which means user doesn’t type anything here, during IKE negotiation, my ID content will be “My IP Addr” (if it’s
