System
Use the system screens to configure general Zyxel Device settings.
Use the System > Host Name screen (see Host Name) to configure a unique name for the Zyxel Device in your network.
Use the System > USB Storage screen (see USB Storage) to configure the settings for the connected USB devices.
Use the System > Date/Time screen (see Date and Time) to configure the date and time for the Zyxel Device.
Use the System > Console Speed screen (see Console Port Speed) to configure the console port speed when you connect to the Zyxel Device via the console port using a terminal emulation program.
Use the System > DNS screen (see DNS Overview) to configure the DNS (Domain Name System) server used for mapping a domain name to its corresponding IP address and vice versa.
Use the System > WWW screens (see WWW Overview) to configure settings for HTTP or HTTPS access to the Zyxel Device and how the login and access user screens look.
Use the System > SSH screen (see SSH) to configure SSH (Secure SHell) used to securely access the Zyxel Device’s command line interface. You can specify which zones allow SSH access and from which IP address the access can come.
Use the System > TELNET screen (see Telnet) to configure Telnet to access the Zyxel Device’s command line interface. Specify which zones allow Telnet access and from which IP address the access can come.
Use the System > FTP screen (see FTP) to specify from which zones FTP can be used to access the Zyxel Device. You can also specify from which IP addresses the access can come. You can upload and download the Zyxel Device’s firmware and configuration files using FTP.
Your Zyxel Device can act as an SNMP agent, which allows a manager station to manage and monitor the Zyxel Device through the network. Use the System > SNMP screen (see SNMP) to configure SNMP settings, including from which zones SNMP can be used to access the Zyxel Device. You can also specify from which IP addresses the access can come.
Use the Auth. Server screen (Authentication Server) to configure the Zyxel Device to operate as a RADIUS server.
Use the Notification > Mail Server screen (Notification > Mail Server) to configure the Zyxel Device to operate as a RADIUS server.
Use the Notification > SMS screen (Notification > SMS) to turn on the SMS service on the Zyxel Device in order to send dynamic guest account information in text messages and authorization for VPN tunnel access to a secured network.
Use the Notification > Response Message screen (Notification > Response Message) to create a web page when access to a website is restricted due to a security service.
Use the System > Language screen (see Language) to set a language for the Zyxel Device’s Web Configurator screens.
Use the System > IPv6 screen (see IPv6) to enable or disable IPv6 support on the Zyxel Device.
Use the System > ZON screen (see Zyxel One Network (ZON) Utility) to enable or disable the Zyxel One Network (ZON) utility that uses Zyxel Discovery Protocol (ZDP) for discovering and configuring ZDP-aware Zyxel devices in the same network as the computer on which ZON is installed.
Note: See each section for related background information and term definitions.
Host Name
A host name is the unique name by which a device is known on a network.
The following table describes the labels in this screen.
Configuration > System > Host Name 
Label
Description
System Name
Enter a descriptive name to identify your Zyxel Device. This name can be up to 64 alphanumeric characters long. Spaces are not allowed, but dashes (-), underscores (_) and periods (.) are accepted.
Domain Name
Enter the domain name (if you know it) here. This name is propagated to DHCP clients connected to interfaces with the DHCP server enabled. This name can be up to 254 alphanumeric characters long. Spaces are not allowed, but dashes “-” are accepted.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
USB Storage
The Zyxel Device can use a connected USB device to store the system log and other diagnostic information. Use this screen to turn on this feature and set a disk full warning limit.
Note: Only connect one USB device. It must allow writing (it cannot be read-only) and use the FAT16, FAT32, EXT2, or EXT3 file system.
The following table describes the labels in this screen.
Configuration > System > USB Storage 
Label
Description
Activate USB storage service
Select this if you want to use the connected USB device(s).
Disk full warning when remaining space is less than
Set a number and select a unit (MB or %) to have the Zyxel Device send a warning message when the remaining USB storage space is less than the value you set here.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
Date and Time
For effective scheduling and logging, the Zyxel Device system time must be accurate. The Zyxel Device’s Real Time Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server.
You can manually set the Zyxel Device’s time and date or have the Zyxel Device get the date and time from a time server.
The following table describes the labels in this screen.
Configuration > System > Date and Time 
Label
Description
Current Time and Date
 
Current Time
This field displays the present time of your Zyxel Device.
Current Date
This field displays the present date of your Zyxel Device.
Time and Date Setup
 
Manual
Select this radio button to enter the time and date manually. If you configure a new time and date, time zone and daylight saving at the same time, the time zone and daylight saving will affect the new time and date you entered. When you enter the time settings manually, the Zyxel Device uses the new setting once you click Apply.
New Time (hh-mm-ss)
This field displays the last updated time from the time server or the last time configured manually.
When you set Time and Date Setup to Manual, enter the new time in this field and then click Apply.
New Date (yyyy-mm-dd)
This field displays the last updated date from the time server or the last date configured manually.
When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply.
Get from Time Server
Select this radio button to have the Zyxel Device get the time and date from the time server you specify below. The Zyxel Device requests time and date settings from the time server under the following circumstances.
When the Zyxel Device starts up.
When you click Apply or Synchronize Now in this screen.
24-hour intervals after starting up.
Time Server Address
Enter the IP address or URL of your time server. Check with your ISP/network administrator if you are unsure of this information.
Sync. Now
Click this button to have the Zyxel Device get the time and date from a time server (see the Time Server Address field). This also saves your changes (except the daylight saving settings).
Time Zone Setup
 
Time Zone
Choose the time zone of your location. This will set the time difference between your time zone and Greenwich Mean Time (GMT).
Automatically Sync Time Zone
Select this for the Zyxel Device to automatically get its time zone.
Daylight Saving
 
Enable Daylight Savings
Daylight savings is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening.
Select this option if you use Daylight Saving Time.
Automatically adjust clock for Daylight Saving Time
Select this for the Zyxel Device to automatically adjust the time if daylight savings is implemented in its time zone.
Start Date
Configure the day and time when Daylight Saving Time starts if you selected Enable Daylight Saving. The at field uses the 24 hour format. Here are a couple of examples:
Daylight Saving Time starts in most parts of the United States on the second Sunday of March. Each time zone in the United States starts using Daylight Saving Time at 2 A.M. local time. So in the United States you would select Second, Sunday, March and type 2 in the at field.
Daylight Saving Time starts in the European Union on the last Sunday of March. All of the time zones in the European Union start using Daylight Saving Time at the same moment (1 A.M. GMT or UTC). So in the European Union you would select Last, Sunday, March. The time you type in the at field depends on your time zone. In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1).
End Date
Configure the day and time when Daylight Saving Time ends if you selected Enable Daylight Saving. The at field uses the 24 hour format. Here are a couple of examples:
Daylight Saving Time ends in the United States on the first Sunday of November. Each time zone in the United States stops using Daylight Saving Time at 2 A.M. local time. So in the United States you would select First, Sunday, November and type 2 in the at field.
Daylight Saving Time ends in the European Union on the last Sunday of October. All of the time zones in the European Union stop using Daylight Saving Time at the same moment (1 A.M. GMT or UTC). So in the European Union you would select Last, Sunday, October. The time you type in the at field depends on your time zone. In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1).
Offset
Specify how much the clock changes when daylight saving begins and ends.
Enter a number from 1 to 5.5 (by 0.5 increments).
For example, if you set this field to 3.5, a log that occurred at 6 P.M. in local official time will appear as if it had occurred at 10:30 P.M.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
Pre-defined NTP Time Servers List
When you turn on the Zyxel Device for the first time, the date and time start at 2003-01-01 00:00:00. The Zyxel Device then attempts to synchronize with one of the following pre-defined list of Network Time Protocol (NTP) time servers.
The Zyxel Device continues to use the following pre-defined list of NTP time servers if you do not specify a time server or it cannot synchronize with the time server you specified.
Default Time Servers 
0.pool.ntp.org
1.pool.ntp.org
2.pool.ntp.org
When the Zyxel Device uses the pre-defined list of NTP time servers, it randomly selects one server and tries to synchronize with it. If the synchronization fails, then the Zyxel Device goes through the rest of the list in order from the first one tried until either it is successful or all the pre-defined NTP time servers have been tried.
Time Server Synchronization
Click the Synchronize Now button to get the time and date from the time server you specified in the Time Server Address field.
The Current Time and Current Date fields will display the appropriate settings if the synchronization is successful.
If the synchronization was not successful, a log displays in the View Log screen. Try re-configuring the Date/Time screen.
To manually set the Zyxel Device date and time.
1 Click System > Date/Time.
2 Select Manual under Time and Date Setup.
3 Enter the Zyxel Device’s time in the New Time field.
4 Enter the Zyxel Device’s date in the New Date field.
5 Under Time Zone Setup, select your Time Zone from the list.
6 As an option you can select the Enable Daylight Saving check box to adjust the Zyxel Device clock for daylight savings.
7 Click Apply.
To get the Zyxel Device date and time from a time server
1 Click System > Date/Time.
2 Select Get from Time Server under Time and Date Setup.
3 Under Time Zone Setup, select your Time Zone from the list.
4 As an option you can select the Enable Daylight Saving check box to adjust the Zyxel Device clock for daylight savings.
5 Under Time and Date Setup, enter a Time Server Address (Default Time Servers).
6 Click Apply.
Console Port Speed
This section shows you how to set the console port speed when you connect to the Zyxel Device via the console port using a terminal emulation program.
The following table describes the labels in this screen.
Configuration > System > Console Speed 
Label
Description
Console Port Speed
Use the drop-down list box to change the speed of the console port. Your Zyxel Device supports 9600, 19200, 38400, 57600, and 115200 bps (default) for the console port.
The Console Port Speed applies to a console port connection using terminal emulation software and NOT the Console in the Zyxel Device Web Configurator Status screen.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
DNS Overview
DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it.
DNS Server Address Assignment
The Zyxel Device can get the DNS server addresses in the following ways.
The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, manually enter them in the DNS server fields.
If your ISP dynamically assigns the DNS server IP addresses (along with the Zyxel Device’s WAN IP address), set the DNS server fields to get the DNS server address from the ISP.
You can manually enter the IP addresses of other DNS servers.
Configuring DNS
Use the DNS screen to configure the Zyxel Device to use a DNS server to resolve domain names for Zyxel Device system features like VPN, DDNS and the time server. You can also configure the Zyxel Device to accept or discard DNS queries. Use the Network > Interface screens to configure the DNS server information that the Zyxel Device sends to the specified DHCP client devices.
A name query begins at a client computer and is passed to a resolver, a DNS client service, for resolution. The Zyxel Device can be a DNS client service. The Zyxel Device can resolve a DNS query locally using cached Resource Records (RR) obtained from a previous query (and kept for a period of time). If the Zyxel Device does not have the requested information, it can forward the request to DNS servers. This is known as recursion.
The Zyxel Device can ask a DNS server to use recursion to resolve its DNS client requests. If recursion on the Zyxel Device or a DNS server is disabled, they cannot forward DNS requests for resolution.
A Domain Name Server (DNS) amplification attack is a kind of Distributed Denial of Service (DDoS) attack that uses publicly accessible open DNS servers to flood a victim with DNS response traffic. An open DNS server is a DNS server which is willing to resolve recursive DNS queries from anyone on the Internet.
In a DNS amplification attack, an attacker sends a DNS name lookup request to an open DNS server with the source address spoofed as the victim’s address. When the DNS server sends the DNS record response, it is sent to the victim. Attackers can request as much information as possible to maximize the amplification effect.
Configure the Security Option Control section in the Configuration > System > DNS screen (click Show Advanced Settings to display it) if you suspect the Zyxel Device is being used (either by hackers or by a corrupted open DNS server) in a DNS amplification attack.
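To check from an outside host whether the Zyxel Device still offers recursion to untrusted addresses, the reply header can be inspected as in this added example (not from the Zyxel documentation). It assumes standard RFC 1035 header semantics; the function names and the sample replies are constructed for illustration, and the page does not state how the firmware sets these bits.

```python
import socket
import struct

# Bits of the 16-bit DNS header flags word (RFC 1035, section 4.1.1).
QR, RD, RA = 0x8000, 0x0100, 0x0080   # response, recursion desired/available
REFUSED = 5                            # RCODE returned when a query is refused


def build_query(name, txid=0x1234, qtype=1):
    """Build a DNS query for `name` (qtype 1 = A record) with RD set."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def classify_response(query, response):
    """Report whether the reply shows recursion is offered to this source."""
    if len(response) < 12:
        return {"verdict": "malformed"}
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & QR:
        return {"verdict": "malformed"}
    rcode = flags & 0x000F
    allowed = bool(flags & RA) and rcode != REFUSED
    return {
        "verdict": "recursion-allowed" if allowed else "recursion-denied",
        "rcode": rcode,
        "answers": ancount,
        # Reply bytes per query byte: what a spoofed source would receive.
        "size_ratio": round(len(response) / len(query), 2),
    }


def probe(server, name, timeout=3.0):
    """Send one query to a resolver you administer and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            # No answer at all, e.g. a Service Control rule discarded the query.
            return {"verdict": "no-reply"}
    return classify_response(query, response)


def constructed_reply(query, flags, address=None):
    """Fabricate a reply to `query` for offline use (not captured traffic)."""
    ancount = 1 if address else 0
    reply = query[:2] + struct.pack("!HHHHH", flags, 1, ancount, 0, 0) + query[12:]
    if address:
        # Answer RR: pointer to the question name, type A, class IN, TTL 300.
        reply += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4)
        reply += socket.inet_aton(address)
    return reply


# Constructed samples: one reply from a resolver that recursed for the
# client, one from a resolver that refused.
QUERY = build_query("example.com")
OPEN_REPLY = constructed_reply(QUERY, QR | RD | RA, "192.0.2.10")
REFUSED_REPLY = constructed_reply(QUERY, QR | RD | REFUSED)

if __name__ == "__main__":
    print(classify_response(QUERY, OPEN_REPLY))
    print(classify_response(QUERY, REFUSED_REPLY))
```

Run `probe()` from an address outside the trusted address objects; a `recursion-allowed` verdict there means the device can be used as an open DNS server.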
The following table describes the labels in this screen.
Configuration > System > DNS 
Label
Description
Address/PTR Record
This record specifies the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain.
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
#
This is the index number of the address/PTR record.
FQDN
This is a host’s fully qualified domain name.
IP Address
This is the IP address of a host.
CNAME Record
This record specifies an alias for an FQDN. Use this record to bind all subdomains to the same IP address as the FQDN without having to update each one individually, which increases the chance of errors. See CNAME Record (CNAME Record) for more details.
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
#
This is the index number of the domain zone forwarder record. The ordering of your rules is important as rules are applied in sequence.
A hyphen (-) displays for the default domain zone forwarder record. The default record is not configurable. The Zyxel Device uses this default record if the domain zone that needs to be resolved does not match any of the other domain zone forwarder records.
Alias Name
Enter an Alias name. Use “*.” as prefix for a wildcard domain name. For example, *.example.com.
FQDN
Enter the Fully Qualified Domain Name (FQDN).
Domain Zone Forwarder
This specifies a DNS server’s IP address. The Zyxel Device can query the DNS server to resolve domain zones for features like VPN, DDNS and the time server.
When the Zyxel Device needs to resolve a domain zone, it checks it against the domain zone forwarder entries in the order that they appear in this list.
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
Move
To change an entry’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.
#
This is the index number of the domain zone forwarder record. The ordering of your rules is important as rules are applied in sequence.
A hyphen (-) displays for the default domain zone forwarder record. The default record is not configurable. The Zyxel Device uses this default record if the domain zone that needs to be resolved does not match any of the other domain zone forwarder records.
Domain Zone
A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.
A “*” means all domain zones.
Type
This displays whether the DNS server IP address is assigned by the ISP dynamically through a specified interface or configured manually (User-Defined).
DNS Server
This is the IP address of a DNS server. This field displays N/A if you have the Zyxel Device get a DNS server IP address from the ISP dynamically but the specified interface is not active.
Query Via
This is the interface through which the Zyxel Device sends DNS queries to the entry’s DNS server. If the Zyxel Device connects through a VPN tunnel, tunnel displays.
MX Record (for My FQDN)
An MX (Mail eXchange) record identifies a mail server that handles the mail for a particular domain.
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
#
This is the index number of the MX record.
Domain Name
This is the domain name where the mail is destined for.
IP/FQDN
This is the IP address or Fully-Qualified Domain Name (FQDN) of a mail server that handles the mail for the domain specified in the field above.
Security Option Control
Click Show Advanced Settings to display this part of the screen. There are two control policies: Default and Customize.
Edit
Click either control policy and then click this button to change allow or deny actions for Query Recursion and Additional Info from Cache.
Priority
The Customize control policy is checked first and if an address object match is not found, the Default control policy is checked.
Name
You may change the name of the Customize control policy.
Address
These are the object addresses used in the control policy. RFC1918 refers to private IP address ranges. It can be modified in Object > Address.
Additional Info from Cache
This displays if the Zyxel Device is allowed or denied to cache Resource Records (RR) obtained from previous DNS queries.
Query Recursion
This displays if the Zyxel Device is allowed or denied to forward DNS client requests to DNS servers for resolution.
Service Control
This specifies from which computers and zones you can send DNS queries to the Zyxel Device.
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
Move
To change an entry’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.
#
This is the index number of the service control rule. The ordering of your rules is important as rules are applied in sequence.
The entry with a hyphen (-) instead of a number is the Zyxel Device’s (non-configurable) default policy. The Zyxel Device applies this to traffic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that traffic will match so the Zyxel Device will not have to use the default policy.
Zone
This is the zone on the Zyxel Device the user is allowed or denied to access.
Address
This is the object name of the IP address(es) with which the computer is allowed or denied to send DNS queries.
Action
This displays whether the Zyxel Device accepts DNS queries from the computer with the IP address specified above through the specified zone (Accept) or discards them (Deny).
(IPv6) Address Record
An address record contains the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address.
The Zyxel Device allows you to configure address records about the Zyxel Device itself or another device. This way you can keep a record of DNS names and addresses that people on your network may use frequently. If the Zyxel Device receives a DNS query for an FQDN for which the Zyxel Device has an address record, the Zyxel Device can send the IP address in a DNS response without having to query a DNS name server.
PTR Record
A PTR (pointer) record is also called a reverse record or a reverse lookup record. It is a mapping of an IP address to a domain name.
Adding an (IPv6) Address/PTR Record
The following table describes the labels in this screen.
Configuration > System > DNS > (IPv6) Address/PTR Record Edit 
Label
Description
FQDN
Type a Fully-Qualified Domain Name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top-level domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain. Underscores are not allowed.
Use "*." as a prefix in the FQDN for a wildcard domain name (for example, *.example.com).
IP Address
Enter the IP address of the host in dotted decimal notation.
OK
Click OK to save your customized settings and exit this screen.
Cancel
Click Cancel to exit this screen without saving.
CNAME Record
The following table describes the labels in this screen.
Configuration > System > DNS > CNAME Record > Add
Label
Description
Alias name
Enter an Alias Name. Use "*." as a prefix in the Alias name for a wildcard domain name (for example, *.example.com).
FQDN
Type a Fully-Qualified Domain Name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top-level domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain. Underscores are not allowed.
Use "*." as a prefix in the FQDN for a wildcard domain name (for example, *.example.com).
OK
Click OK to save your customized settings and exit this screen.
Cancel
Click Cancel to exit this screen without saving.
Domain Zone Forwarder
A domain zone forwarder contains a DNS server’s IP address. The Zyxel Device can query the DNS server to resolve domain zones for features like VPN, DDNS and the time server. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.
Adding a Domain Zone Forwarder
The following table describes the labels in this screen.
Configuration > System > DNS > Domain Zone Forwarder Add 
Label
Description
Domain Zone
A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. Whenever the Zyxel Device needs to resolve a zyxel.com.tw domain name, it can send a query to the recorded name server IP address.
Enter * if all domain zones are served by the specified DNS server(s).
DNS Server
Select DNS Server(s) from ISP if your ISP dynamically assigns DNS server information. You also need to select an interface through which the ISP provides the DNS server IP address(es). The interface should be activated and set to be a DHCP client. The fields below display the (read-only) DNS server IP address(es) that the ISP assigns. N/A displays for any DNS server IP address fields for which the ISP does not assign an IP address.
Select Public DNS Server if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. The Zyxel Device must be able to connect to the DNS server without using a VPN tunnel. The DNS server could be on the Internet or one of the Zyxel Device’s local networks. You cannot use 0.0.0.0. Use the Query via field to select the interface through which the Zyxel Device sends DNS queries to a DNS server.
Select Private DNS Server if you have the IP address of a DNS server to which the Zyxel Device connects through a VPN tunnel. Enter the DNS server's IP address in the field to the right. You cannot use 0.0.0.0.
OK
Click OK to save your customized settings and exit this screen.
Cancel
Click Cancel to exit this screen without saving.
MX Record
An MX (Mail eXchange) record indicates which host is responsible for the mail for a particular domain, that is, controls where mail is sent for that domain. If you do not configure proper MX records for your domain or other domain, external email from other mail servers cannot be delivered to your mail server and vice versa. Each host or domain can have only one MX record, that is, one domain is mapping to one host.
Click the Add icon in the MX Record table to add an MX record.
The following table describes the labels in this screen.
Configuration > System > DNS > MX Record Add 
Label
Description
Domain Name
Enter the domain name where the mail is destined for.
IP Address/FQDN
Enter the IP address or Fully-Qualified Domain Name (FQDN) of a mail server that handles the mail for the domain specified in the field above.
OK
Click OK to save your customized settings and exit this screen.
Cancel
Click Cancel to exit this screen without saving.
Security Option Control
Configure the Security Option Control section in the Configuration > System > DNS screen (click Show Advanced Settings to display it) if you suspect the Zyxel Device is being used by hackers in a DNS amplification attack.
One possible strategy would be to deny Query Recursion and Additional Info from Cache in the default policy and allow Query Recursion and Additional Info from Cache only from trusted DNS servers identified by address objects and added as members in the customized policy.
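The strategy above, modeled as an added example (not Zyxel firmware code): the Customize policy is checked first and the Default policy applies when no member address object matches. The class and function names are hypothetical, the RFC1918 ranges stand in for the trusted address objects, and the source addresses are constructed samples.

```python
import ipaddress
from dataclasses import dataclass, field

# RFC 1918 private ranges, the address object the page mentions by name.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class ControlPolicy:
    """One Security Option Control policy (a model for illustration)."""
    name: str
    query_recursion: bool          # True = allow, False = deny
    cache_info: bool               # "Additional Info from Cache"
    members: list = field(default_factory=list)  # empty for Default


def effective_policy(src_ip, customize, default):
    """Customize is checked first; Default applies when no member matches."""
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in customize.members):
        return customize
    return default


def recursion_exposure(sources, customize, default):
    """Return the non-RFC1918 sources that would be granted recursion."""
    exposed = []
    for ip in sources:
        policy = effective_policy(ip, customize, default)
        private = any(ipaddress.ip_address(ip) in net for net in RFC1918)
        if policy.query_recursion and not private:
            exposed.append((ip, policy.name))
    return exposed


# Constructed sample sources: two LAN clients and two Internet hosts
# (documentation ranges 198.51.100.0/24 and 203.0.113.0/24).
SOURCES = ["192.168.1.20", "10.4.0.7", "198.51.100.25", "203.0.113.9"]

# Weak: Default allows both actions, so every address is served.
WEAK = (ControlPolicy("Customize", True, True, RFC1918),
        ControlPolicy("Default", True, True))

# Hardened as described above: Default denies, Customize allows its members.
HARDENED = (ControlPolicy("Customize", True, True, RFC1918),
            ControlPolicy("Default", False, False))

if __name__ == "__main__":
    print("weak:    ", recursion_exposure(SOURCES, *WEAK))
    print("hardened:", recursion_exposure(SOURCES, *HARDENED))
```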
Editing a Security Option Control
Click a control policy and then click Edit to change allow or deny actions for Query Recursion and Additional Info from Cache.
The following table describes the labels in this screen.
Configuration > System > DNS > Security Option Control Edit (Customize) 
Label
Description
Name
You may change the name for the customized security option control policy. The customized security option control policy is checked first and if an address object match is not found, the Default control policy is checked.
Query Recursion
Choose if the ZyWALL/USG is allowed or denied to forward DNS client requests to DNS servers for resolution. This can apply to specific open DNS servers using the address objects in a customized rule.
Additional Info from Cache
Choose if the ZyWALL/USG is allowed or denied to cache Resource Records (RR) obtained from previous DNS queries.
Address List
Specifying address objects is not available in the default policy as all addresses are included.
Available
This box displays address objects created in Object > Address. Select one (or more), and click the > arrow to have it (them) join the Member list of address objects that will apply to this rule. For example, you could specify an open DNS server suspected of sending compromised resource records by adding an address object for that server to the member list.
Member
This box displays address objects that will apply to this rule.
OK
Click OK to save your customized settings and exit this screen.
Cancel
Click Cancel to exit this screen without saving.
Adding a DNS Service Control Rule
The following table describes the labels in this screen.
Configuration > System > DNS > Service Control Rule Add 
Label
Description
Create new Object
Use this to configure any new settings objects that you need to use in this screen.
Address Object
Select ALL to allow or deny any computer to send DNS queries to the Zyxel Device.
Select a predefined address object to just allow or deny the computer with the IP address that you specified to send DNS queries to the Zyxel Device.
Zone
Select ALL to allow or prevent DNS queries through any zones.
Select a predefined zone on which a DNS query to the Zyxel Device is allowed or denied.
Action
Select Accept to have the Zyxel Device allow the DNS queries from the specified computer.
Select Deny to have the Zyxel Device reject the DNS queries from the specified computer.
OK
Click OK to save your customized settings and exit this screen.
Cancel
Click Cancel to exit this screen without saving.
WWW Overview
Note: To allow the Zyxel Device to be accessed from a specified computer using a service, make sure you do not have a service control rule or to-Zyxel Device security policy rule to block that traffic.
To stop a service from accessing the Zyxel Device, clear Enable in the corresponding service screen.
Service Access Limitations
A service cannot be used to access the Zyxel Device when:
1 You have disabled that service in the corresponding screen.
2 The allowed IP address (address object) in the Service Control table does not match the client IP address (the Zyxel Device disallows the session).
3 The IP address (address object) in the Service Control table is not in the allowed zone or the action is set to Deny.
4 There is a security policy rule that blocks it.
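The four conditions above can be modelled as a small decision function, which is useful when reviewing an exported Service Control table. This is an added example, not Zyxel code: it assumes rules are evaluated top-down with the first match winning, the default ("-") entry's action is passed in rather than known, address objects are represented directly as networks, and the zone names and addresses are constructed samples.

```python
import ipaddress
from dataclasses import dataclass, field

ALL = "ALL"


@dataclass(frozen=True)
class Rule:
    zone: str      # zone name, or ALL
    address: str   # host/network standing in for an address object, or ALL
    action: str    # "accept" or "deny"


@dataclass
class Service:
    name: str
    enabled: bool
    rules: list = field(default_factory=list)  # ordered Service Control table
    default_action: str = "accept"             # the "-" entry; ASSUMED value


def rule_matches(rule, client_ip, zone):
    """True when both the zone and the address object cover the client."""
    if rule.zone != ALL and rule.zone != zone:
        return False
    if rule.address == ALL:
        return True
    network = ipaddress.ip_network(rule.address, strict=False)
    return ipaddress.ip_address(client_ip) in network


def check_access(service, client_ip, zone, policy_blocks=False):
    """Return (allowed, reason) for the four limitations listed above."""
    if not service.enabled:                       # limitation 1
        return False, "service disabled"
    verdict, reason = service.default_action, "default policy"
    for index, rule in enumerate(service.rules, start=1):
        if rule_matches(rule, client_ip, zone):   # limitations 2 and 3
            verdict, reason = rule.action, f"rule {index}"
            break                                 # ASSUMPTION: first match wins
    if verdict != "accept":
        return False, f"{reason} ({verdict})"
    if policy_blocks:                             # limitation 4
        return False, "blocked by security policy rule"
    return True, f"{reason} ({verdict})"


def audit(service):
    """Flag entries a reviewer would question in a Service Control table."""
    findings = []
    catch_all = None
    for index, rule in enumerate(service.rules, start=1):
        if catch_all is not None:
            findings.append(
                f"rule {index} is unreachable: shadowed by catch-all rule {catch_all}")
            continue
        if rule.zone == ALL and rule.address == ALL:
            catch_all = index
            if rule.action == "accept":
                findings.append(
                    f"rule {index} accepts {service.name} from any address in any zone")
    return findings


# Constructed sample tables (zone names and addresses are illustrative only).
SSH = Service("SSH", True, [
    Rule("LAN1", "192.168.1.0/24", "accept"),
    Rule("WAN", "203.0.113.10/32", "accept"),
    Rule(ALL, ALL, "deny"),
    Rule("WAN", "198.51.100.0/24", "accept"),   # placed after the catch-all
])
TELNET = Service("Telnet", True, [Rule(ALL, ALL, "accept")])
FTP = Service("FTP", False)

if __name__ == "__main__":
    for ip, zone in [("192.168.1.20", "LAN1"), ("198.51.100.7", "WAN")]:
        print("SSH", ip, zone, check_access(SSH, ip, zone))
    for service in (SSH, TELNET):
        for finding in audit(service):
            print(service.name, "-", finding)
```
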
System Timeout
There is a lease timeout for administrators. The Zyxel Device automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling.
Each user is also forced to log in to the Zyxel Device for authentication again when the reauthentication time expires.
You can change the timeout settings in the User/Group screens.
HTTPS
You can set the Zyxel Device to use HTTP or HTTPS (HTTPS adds security) for Web Configurator sessions. Specify which zones allow Web Configurator access and from which IP address the access can come.
HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol that encrypts and decrypts web pages. Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot read the transferred data), authentication (one party can identify the other party) and data integrity (you know if data has been changed).
It relies upon certificates, public keys, and private keys.
HTTPS on the Zyxel Device is used so that you can securely access the Zyxel Device using the Web Configurator. The SSL protocol specifies that the HTTPS server (the Zyxel Device) must always authenticate itself to the HTTPS client (the computer which requests the HTTPS connection with the Zyxel Device), whereas the HTTPS client should authenticate itself only when the HTTPS server requires it to do so (select Authenticate Client Certificates in the WWW screen). Authenticate Client Certificates is optional and, if selected, means the HTTPS client must send the Zyxel Device a certificate. You must apply for a certificate for the browser from a CA that is a trusted CA on the Zyxel Device.
Note: If you disable HTTP in the WWW screen, then the Zyxel Device blocks all HTTP connection attempts.
Configuring WWW Service Control
Use this screen to specify from which zones you can access the Zyxel Device using HTTP or HTTPS. You can also specify which IP addresses the access can come from.
Note: Admin Service Control deals with management access (to the Web Configurator).
User Service Control deals with user access to the Zyxel Device (logging into SSL VPN for example).
The following table describes the labels in this screen.
Configuration > System > WWW > Service Control 
Label
Description
HTTPS
 
Enable
Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the Zyxel Device Web Configurator using secure HTTPS connections.
Server Port
The HTTPS server listens on port 443 by default. If you change the HTTPS server port to a different number on the Zyxel Device, for example 8443, then you must notify people who need to access the Zyxel Device Web Configurator to use “https://Zyxel Device IP Address:8443” as the URL.
Authenticate Client Certificates
Select Authenticate Client Certificates (optional) to require the SSL client to authenticate itself to the Zyxel Device by sending the Zyxel Device a certificate. To do that, the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the Zyxel Device.
Server Certificate
Select a certificate the HTTPS server (the Zyxel Device) uses to authenticate itself to the HTTPS client. You must have certificates already configured in the My Certificates screen.
Redirect HTTP to HTTPS
To allow only secure Web Configurator access, select this to redirect all HTTP connection requests to the HTTPS server.
Admin/User Service Control
Admin Service Control specifies from which zones an administrator can use HTTPS to manage the Zyxel Device (using the Web Configurator). You can also specify the IP addresses from which the administrators can manage the Zyxel Device.
User Service Control specifies from which zones a user can use HTTPS to log into the Zyxel Device (to log into SSL VPN for example). You can also specify the IP addresses from which the users can access the Zyxel Device.
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
Move
To change an entry’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.
#
This is the index number of the service control rule.
The entry with a hyphen (-) instead of a number is the Zyxel Device’s (non-configurable) default policy. The Zyxel Device applies this to traffic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that traffic will match so the Zyxel Device will not have to use the default policy.
Zone
This is the zone on the Zyxel Device the user is allowed or denied to access.
Address
This is the object name of the IP address(es) with which the computer is allowed or denied to access.
Action
This displays whether the computer with the IP address specified above can access the Zyxel Device zone(s) configured in the Zone field (Accept) or not (Deny).
HTTP
 
Enable
Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the Zyxel Device Web Configurator using HTTP connections.
Server Port
You may change the server port number for a service if needed, however you must use the same port number in order to use that service to access the Zyxel Device.
Admin/User Service Control
Admin Service Control specifies from which zones an administrator can use HTTP to manage the Zyxel Device (using the Web Configurator). You can also specify the IP addresses from which the administrators can manage the Zyxel Device.
User Service Control specifies from which zones a user can use HTTP to log into the Zyxel Device (to log into SSL VPN for example). You can also specify the IP addresses from which the users can access the Zyxel Device.
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
Move
To change an entry’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.
#
This is the index number of the service control rule.
The entry with a hyphen (-) instead of a number is the Zyxel Device’s (non-configurable) default policy. The Zyxel Device applies this to traffic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that traffic will match so the Zyxel Device will not have to use the default policy.
Zone
This is the zone on the Zyxel Device the user is allowed or denied to access.
Address
This is the object name of the IP address(es) with which the computer is allowed or denied to access.
Action
This displays whether the computer with the IP address specified above can access the Zyxel Device zone(s) configured in the Zone field (Accept) or not (Deny).
Authentication
 
Client Authentication Method
Select a method the HTTPS or HTTP server uses to authenticate a client.
You must have configured the authentication methods in the Object > Auth. method screen.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
Service Control Rules
Click Add or Edit in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to add a service control rule.
The following table describes the labels in this screen.
Configuration > System > Service Control Rule > Edit
Label
Description
Create new Object
Use this to configure any new settings objects that you need to use in this screen.
Address Object
Select ALL to allow or deny any computer to communicate with the Zyxel Device using this service.
Select a predefined address object to just allow or deny the computer with the IP address that you specified to access the Zyxel Device using this service.
Zone
Select ALL to allow or prevent any Zyxel Device zones from being accessed using this service.
Select a predefined Zyxel Device zone on which an incoming service is allowed or denied.
Action
Select Accept to allow the user to access the Zyxel Device from the specified computers.
Select Deny to block the user’s access to the Zyxel Device from the specified computers.
OK
Click OK to save your customized settings and exit this screen.
Cancel
Click Cancel to exit this screen without saving.
Customizing the WWW Login Page
Use this screen to customize the Web Configurator login screen. You can also customize the page that displays after an access user logs into the Web Configurator to access network services like the Internet.
You can specify colors in one of the following ways:
Click Color to display a screen of web-safe colors from which to choose.
Enter the name of the desired color.
Enter a pound sign (#) followed by the six-digit hexadecimal number that represents the desired color. For example, use “#000000” for black.
Enter “rgb” followed by red, green, and blue values in parentheses and separated by commas. For example, use “rgb(0,0,0)” for black.
Your desired color should display in the preview screen on the right after you click in another field, click Apply, or press [ENTER]. If your desired color does not display, your browser may not support it. Try selecting another color.
The following table describes the labels on the screen.
Configuration > System > WWW > Login Page 
Label
Description
Select Type
Select whether the Web Configurator uses the default login screen or one that you customize in the rest of this screen.
Logo File
You can upload a graphic logo to be displayed on the upper left corner of the Web Configurator login screen and access page.
Specify the location and file name of the logo graphic or click Browse to locate it.
*Use a GIF, JPG, or PNG of 100 kilobytes or less.
Click Upload to transfer the specified graphic file from your computer to the Zyxel Device.
Customized Login Page
Use this section to set how the Web Configurator login screen looks.
Title
Enter the title for the top of the screen. Use up to 64 printable ASCII characters. Spaces are allowed.
Title Color
Specify the color of the screen’s title text.
Message Color
Specify the color of the screen’s text.
Note Message
Enter a note to display at the bottom of the screen. Use up to 64 printable ASCII characters. Spaces are allowed.
Background
Set how the screen background looks.
To use a graphic, select Picture and upload a graphic. Specify the location and file name of the logo graphic or click Browse to locate it. The picture’s size cannot be over 438 x 337 pixels.
*Use a GIF, JPG, or PNG of 100 kilobytes or less.
To use a color, select Color and specify the color.
Customized Access Page
Use this section to customize the page that displays after an access user logs into the Web Configurator to access network services like the Internet.
Title
Enter the title for the top of the screen. Use up to 64 printable ASCII characters. Spaces are allowed.
Message Color
Specify the color of the screen’s text.
Note Message
Enter a note to display below the title. Use up to 64 printable ASCII characters. Spaces are allowed.
Background
Set how the window’s background looks.
To use a graphic, select Picture and upload a graphic. Specify the location and file name of the logo graphic or click Browse to locate it. The picture’s size cannot be over 438 x 337 pixels.
*Use a GIF, JPG, or PNG of 100 kilobytes or less.
To use a color, select Color and specify the color.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
SSH
You can use SSH (Secure SHell) to securely access the Zyxel Device’s command line interface. Specify which zones allow SSH access and from which IP address the access can come.
SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. In the following figure, computer A on the Internet uses SSH to securely connect to the WAN port of the Zyxel Device for a management session.
Note: To allow an SSH connection to the Zyxel Device, add SSH in the Object > Service > Service Group > Default_Allow_WAN_To_ZyWALL service group which defines the default services allowed in the WAN_to_Device security policy.
SSH Implementation on the Zyxel Device
Your Zyxel Device supports SSH version 2 using RSA authentication and four encryption methods (AES, 3DES, Arcfour, and Blowfish). The SSH server is implemented on the Zyxel Device for management using port 22 (by default).
Requirements for Using SSH
You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the Zyxel Device over SSH.
Configuring SSH
Use this screen to specify from which zones SSH can be used to manage the Zyxel Device. You can also specify from which IP addresses the access can come.
The following table describes the labels in this screen.
Configuration > System > SSH 
Label
Description
Enable
Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the Zyxel Device CLI using this service.
Server Port
You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
Server Certificate
Select the certificate whose corresponding private key is to be used to identify the Zyxel Device for SSH connections. You must have certificates already configured in the My Certificates screen.
Service Control
This specifies from which computers you can access which Zyxel Device zones.
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
Move
To change an entry’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.
#
This is the index number of the service control rule.
Zone
This is the zone on the Zyxel Device the user is allowed or denied to access.
Address
This is the object name of the IP address(es) with which the computer is allowed or denied to access.
Action
This displays whether the computer with the IP address specified above can access the Zyxel Device zone(s) configured in the Zone field (Accept) or not (Deny).
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
Service Control Rules
The following table describes the labels in this screen.
Configuration > System > SSH > Service Control Rule Add/Edit 
Label
Description
Create new Object
Use this to configure any new settings objects that you need to use in this screen.
Address Object
Select ALL to allow or deny any computer to communicate with the Zyxel Device using SSH.
Select a predefined address object to just allow or deny the computer with the IP address that you specified to access the Zyxel Device using SSH.
Zone
Select ALL to allow or prevent any Zyxel Device zones from being accessed using SSH.
Select a predefined Zyxel Device zone on which an incoming service is allowed or denied.
Action
Select Accept to allow the user to access the Zyxel Device from the specified computers.
Select Deny to block the user’s access to the Zyxel Device from the specified computers.
OK
Click OK to save your customized settings and exit this screen.
Cancel
Click Cancel to exit this screen without saving.
login as: admin
Using keyboard-interactive authentication.
Password:
% session is not found
Bad terminal type: "xterm". Will assume vt100.
Router> enable
Router#
Telnet
You can use Telnet to access the Zyxel Device’s command line interface. Specify which zones allow Telnet access and from which IP address the access can come.
Configuring Telnet
Use this screen to specify from which zones Telnet can be used to manage the Zyxel Device. You can also specify from which IP addresses the access can come.
Note: To allow a Telnet connection to the Zyxel Device, add Telnet in the Object > Service > Service Group > Default_Allow_WAN_To_ZyWALL service group which defines the default services allowed in the WAN_to_Device security policy.
The following table describes the labels in this screen.
Configuration > System > TELNET 
Label
Description
Enable
Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the Zyxel Device CLI using this service.
Server Port
You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
Service Control
This specifies from which computers you can access which Zyxel Device zones.
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
Move
To change an entry’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.
#
This is the index number of the service control rule.
The entry with a hyphen (-) instead of a number is the Zyxel Device’s (non-configurable) default policy. The Zyxel Device applies this to traffic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that traffic will match so the Zyxel Device will not have to use the default policy.
Zone
This is the zone on the Zyxel Device the user is allowed or denied to access.
Address
This is the object name of the IP address(es) with which the computer is allowed or denied to access.
Action
This displays whether the computer with the IP address specified above can access the Zyxel Device zone(s) configured in the Zone field (Accept) or not (Deny).
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
Service Control Rules
The following table describes the labels in this screen.
Configuration > System > TELNET > Service Control Rule Add/Edit 
Label
Description
Create new Object
Use this to configure any new settings objects that you need to use in this screen.
Address Object
Select ALL to allow or deny any computer to communicate with the Zyxel Device using Telnet.
Select a predefined address object to just allow or deny the computer with the IP address that you specified to access the Zyxel Device using Telnet.
Zone
Select ALL to allow or prevent any Zyxel Device zones from being accessed using Telnet.
Select a predefined Zyxel Device zone on which an incoming service is allowed or denied.
Action
Select Accept to allow the user to access the Zyxel Device from the specified computers.
Select Deny to block the user’s access to the Zyxel Device from the specified computers.
OK
Click OK to save your customized settings and exit this screen.
Cancel
Click Cancel to exit this screen without saving.
FTP
You can upload and download the Zyxel Device’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client.
Use this screen to specify from which zones FTP can be used to access the Zyxel Device. You can also specify from which IP addresses the access can come.
The following table describes the labels in this screen.
Configuration > System > FTP 
Label
Description
Enable
Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the Zyxel Device using this service.
TLS required
Select the check box to use FTP over TLS (Transport Layer Security) to encrypt communication.
This implements TLS as a security mechanism to secure FTP clients and/or servers.
Server Port
You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
Server Certificate
Select the certificate whose corresponding private key is to be used to identify the Zyxel Device for FTP connections. You must have certificates already configured in the My Certificates screen.
Service Control
This specifies from which computers you can access which Zyxel Device zones.
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
Move
To change an entry’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.
#
This is the index number of the service control rule.
The entry with a hyphen (-) instead of a number is the Zyxel Device’s (non-configurable) default policy. The Zyxel Device applies this to traffic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that traffic will match so the Zyxel Device will not have to use the default policy.
Zone
This is the zone on the Zyxel Device the user is allowed or denied to access.
Address
This is the object name of the IP address(es) with which the computer is allowed or denied to access.
Action
This displays whether the computer with the IP address specified above can access the Zyxel Device zone(s) configured in the Zone field (Accept) or not (Deny).
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
Service Control Rules
The following table describes the labels in this screen.
Configuration > System > FTP > Service Control Rule Add/Edit 
Label
Description
Create new Object
Use this to configure any new settings objects that you need to use in this screen.
Address Object
Select ALL to allow or deny any computer to communicate with the Zyxel Device using FTP.
Select a predefined address object to just allow or deny the computer with the IP address that you specified to access the Zyxel Device using FTP.
Zone
Select ALL to allow or prevent any Zyxel Device zones from being accessed using FTP.
Select a predefined Zyxel Device zone on which an incoming service is allowed or denied.
Action
Select Accept to allow the user to access the Zyxel Device from the specified computers.
Select Deny to block the user’s access to the Zyxel Device from the specified computers.
OK
Click OK to save your customized settings and exit this screen.
Cancel
Click Cancel to exit this screen without saving.
SNMP
Simple Network Management Protocol is a protocol used for exchanging management information between network devices. Your Zyxel Device supports SNMP agent functionality, which allows a manager station to manage and monitor the Zyxel Device through the network. The Zyxel Device supports SNMP version one (SNMPv1), version two (SNMPv2c) and version 3 (SNMPv3).
An SNMP managed network consists of two main types of component: agents and a manager.
An agent is a management software module that resides in a managed device (the Zyxel Device). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices.
The managed devices contain object variables/managed objects that define each piece of information to be collected about a device. Examples of variables include the number of packets received, node port status, and so on. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects.
SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:
Get - Allows the manager to retrieve an object variable from the agent.
GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
Set - Allows the manager to set values for object variables within an agent.
Trap - Used by the agent to inform the manager of some events.
SNMPv3 and Security
SNMPv3 enhances security for SNMP management using authentication and encryption. SNMP managers can be required to authenticate with agents before conducting SNMP management sessions.
Security can be further enhanced by encrypting the SNMP messages sent from the managers. Encryption protects the contents of the SNMP messages. When the contents of the SNMP messages are encrypted, only the intended recipients can read them.
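An SNMPv3 passphrase is not used as a key directly: under the User-based Security Model (RFC 3414) it is stretched into a key and then bound to the agent's engine ID. The following added example (not Zyxel code) implements that standard derivation for the MD5 and SHA options and assumes the Zyxel Device follows RFC 3414; the password and engine ID are the RFC's published sample values, and the AES-128 key selection follows RFC 3826.

```python
import hashlib

STRETCH_BYTES = 1048576  # RFC 3414: hash one mebibyte of the repeated password


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2 password-to-key: digest of the password repeated to 1 MiB."""
    if len(password) < 8:
        # Matches the 8-character minimum this guide states for SNMPv3.
        raise ValueError("SNMPv3 passphrase must be at least 8 characters")
    reps, rem = divmod(STRETCH_BYTES, len(password))
    digest = hashlib.new(hash_name)
    digest.update(password * reps + password[:rem])
    return digest.digest()


def localize_key(user_key: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Bind the stretched key to one agent: H(Ku || engineID || Ku)."""
    return hashlib.new(hash_name, user_key + engine_id + user_key).digest()


def derive_keys(password: bytes, engine_id: bytes, hash_name: str) -> dict:
    """Derive authentication and AES-128 privacy keys from ONE passphrase.

    ASSUMPTION: authentication and privacy share the same passphrase, as the
    configuration table on this page describes for the login password. In
    that case both keys come from the same localized value.
    """
    localized = localize_key(password_to_key(password, hash_name),
                             engine_id, hash_name)
    return {
        "auth_key": localized,            # 16 bytes for MD5, 20 bytes for SHA
        "aes128_priv_key": localized[:16],  # RFC 3826: first 128 bits
    }


# RFC 3414 appendix A.3 sample inputs (published test values, not device data).
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    for name in ("md5", "sha1"):
        keys = derive_keys(RFC_PASSWORD, RFC_ENGINE_ID, name)
        print(name, "auth key:", keys["auth_key"].hex())
        print(name, "AES-128 privacy key:", keys["aes128_priv_key"].hex())
```

Because the key material is derived from the passphrase and the engine ID alone, the strength of the login password directly bounds the strength of SNMPv3 authentication and encryption, and changing that password changes the keys the SNMP manager must use.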
Supported MIBs
The Zyxel Device supports MIB II that is defined in RFC-1213 and RFC-1215. The Zyxel Device also supports private MIBs (zywall.mib and zyxel-zywall-ZLD-Common.mib) to collect information about CPU and memory usage and VPN total throughput. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. You can download the Zyxel Device’s MIBs from www.zyxel.com.
SNMP Traps
The Zyxel Device will send traps to the SNMP manager when any one of the following events occurs.
SNMP Traps 
OBJECT LABEL
OBJECT ID
DESCRIPTION
Cold Start
1.3.6.1.6.3.1.1.5.1
This trap is sent when the Zyxel Device is turned on or an agent restarts.
linkDown
1.3.6.1.6.3.1.1.5.3
This trap is sent when the Ethernet link is down.
linkUp
1.3.6.1.6.3.1.1.5.4
This trap is sent when the Ethernet link is up.
authenticationFailure
1.3.6.1.6.3.1.1.5.5
This trap is sent when an SNMP request comes from non-authenticated hosts.
vpnTunnelDisconnected
1.3.6.1.4.1.890.1.6.22.2.3
This trap is sent when an IPSec VPN tunnel is disconnected.
vpnTunnelName
1.3.6.1.4.1.890.1.6.22.2.2.1.1
This trap is sent along with the vpnTunnelDisconnected trap. This trap carries the disconnected tunnel’s IPSec SA name.
vpnIKEName
1.3.6.1.4.1.890.1.6.22.2.2.1.2
This trap is sent along with the vpnTunnelDisconnected trap. This trap carries the disconnected tunnel’s IKE SA name.
vpnTunnelSPI
1.3.6.1.4.1.890.1.6.22.2.2.1.3
This trap is sent along with the vpnTunnelDisconnected trap. This trap carries the security parameter index (SPI) of the disconnected VPN tunnel.
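On the manager side, the trap OIDs in this table can drive simple monitoring logic. The following added example (not Zyxel code) classifies received notifications, attaches the tunnel name, IKE name and SPI to each vpnTunnelDisconnected event, and reports agents that send repeated authenticationFailure traps. It assumes the trap receiver has already decoded each notification into SNMPv2-style (OID, value) pairs; the record layout, addresses, values and threshold are constructed for illustration.

```python
from collections import Counter

SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"  # snmpTrapOID.0 names the trap type

# Trap OIDs and labels as listed in the table above.
TRAPS = {
    "1.3.6.1.6.3.1.1.5.1": "Cold Start",
    "1.3.6.1.6.3.1.1.5.3": "linkDown",
    "1.3.6.1.6.3.1.1.5.4": "linkUp",
    "1.3.6.1.6.3.1.1.5.5": "authenticationFailure",
    "1.3.6.1.4.1.890.1.6.22.2.3": "vpnTunnelDisconnected",
}
# Objects carried alongside vpnTunnelDisconnected.
VPN_VARBINDS = {
    "1.3.6.1.4.1.890.1.6.22.2.2.1.1": "vpnTunnelName",
    "1.3.6.1.4.1.890.1.6.22.2.2.1.2": "vpnIKEName",
    "1.3.6.1.4.1.890.1.6.22.2.2.1.3": "vpnTunnelSPI",
}


def _norm(oid):
    """Receivers differ on the leading dot; compare without it."""
    return oid.strip().lstrip(".")


def _lookup(oid, table):
    """Match an OID or any instance beneath it (e.g. a table row index)."""
    oid = _norm(oid)
    for base, label in table.items():
        if oid == base or oid.startswith(base + "."):
            return label
    return None


def classify(notification):
    """Return the event label and any VPN details for one notification."""
    event, details = None, {}
    for oid, value in notification["varbinds"]:
        if _norm(oid) == SNMP_TRAP_OID:
            event = TRAPS.get(_norm(value), "unknown:" + _norm(value))
        else:
            label = _lookup(oid, VPN_VARBINDS)
            if label:
                details[label] = value
    return {"agent": notification["agent"], "event": event, "details": details}


def summarize(notifications, auth_fail_threshold=3):
    """Collect VPN drops and agents with repeated authentication failures."""
    auth_failures, vpn_drops, unknown = Counter(), [], 0
    for item in map(classify, notifications):
        if item["event"] == "authenticationFailure":
            auth_failures[item["agent"]] += 1
        elif item["event"] == "vpnTunnelDisconnected":
            d = item["details"]
            vpn_drops.append((item["agent"], d.get("vpnTunnelName"),
                              d.get("vpnIKEName"), d.get("vpnTunnelSPI")))
        elif item["event"] is None or item["event"].startswith("unknown:"):
            unknown += 1
    noisy = sorted(a for a, n in auth_failures.items() if n >= auth_fail_threshold)
    return {"vpn_drops": vpn_drops, "auth_failure_agents": noisy, "unknown": unknown}


def _trap(agent, trap_oid, extra=()):
    return {"agent": agent,
            "varbinds": [("1.3.6.1.2.1.1.3.0", "12345"),  # sysUpTime.0, ignored
                         (SNMP_TRAP_OID, trap_oid), *extra]}


# Constructed sample notifications (documentation addresses, invented values).
SAMPLE = (
    [_trap("192.0.2.1", "1.3.6.1.4.1.890.1.6.22.2.3", [
        ("1.3.6.1.4.1.890.1.6.22.2.2.1.1.1", "branch-office"),
        (".1.3.6.1.4.1.890.1.6.22.2.2.1.2.1", "branch-gw"),
        ("1.3.6.1.4.1.890.1.6.22.2.2.1.3.1", "0x1a2b3c4d")])]
    + [_trap("192.0.2.1", "1.3.6.1.6.3.1.1.5.5") for _ in range(3)]
    + [_trap("192.0.2.2", "1.3.6.1.6.3.1.1.5.5"),
       _trap("192.0.2.2", "1.3.6.1.6.3.1.1.5.3"),
       _trap("192.0.2.3", "1.3.6.1.4.1.99999.1")]
)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
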
Configuring SNMP
Use this screen to configure your SNMP settings, including from which zones SNMP can be used to access the Zyxel Device. You can also specify from which IP addresses the access can come.
The following table describes the labels in this screen.
Configuration > System > SNMP 
Label
Description
Enable
Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the Zyxel Device using this service.
Server Port
You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
Trap
 
Community
Type the trap community, which is the password sent with each trap to the SNMP manager. The default is public and allows all requests.
Destination
Type the IP address of the station to send your SNMP traps to.
Trap CAPWAP Event
Select this option to have the Zyxel Device send a trap to the SNMP manager when a managed AP is connected to or disconnected from the Zyxel Device.
SNMPv2c
Select the SNMP version for the Zyxel Device. The SNMP version on the Zyxel Device must match the version on the SNMP manager.
Get Community
Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests.
Set Community
Enter the Set community, which is the password for incoming Set requests from the management station. The default is private and allows all requests.
SNMPv3
Select the SNMP version for the Zyxel Device. The SNMP version on the Zyxel Device must match the version on the SNMP manager. SNMPv3 (RFCs 3413 to 3415) provides secure access by authenticating and encrypting data packets over the network. The Zyxel Device uses your login password as the SNMPv3 authentication and encryption passphrase.
*Your login password must consist of at least 8 printable characters for SNMPv3. An error message will display if your login password has fewer characters.
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
#
This is the index number of the entry.
User
This displays the name of the user object to be sent to the SNMP manager along with the SNMP v3 trap.
Authentication
This displays the authentication algorithm used for this entry. MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to authenticate SNMP data. SHA authentication is generally considered stronger than MD5, but is slower.
Privacy
This displays the encryption method for SNMP communication from this user. Methods available are:
DES - Data Encryption Standard is a widely used (but breakable) method of data encryption. It applies a 56-bit key to each 64-bit block of data.
AES - Advanced Encryption Standard is another method for data encryption that also uses a secret key. AES applies a 128-bit key to 128-bit blocks of data.
Privilege
This displays the access rights to MIBs.
Read-Write - The associated user can create and edit the MIBs on the Zyxel Device, except the user account.
Read-Only - The associated user can only collect information from the Zyxel Device MIBs.
Service Control
This specifies from which computers you can access which Zyxel Device zones.
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
Move
To change an entry’s position in the numbered list, select the entry and click Move to display a field. Type the number of the position where you want to put it and press [ENTER] to move the rule there.
#
This is the index number of the service control rule.
The entry with a hyphen (-) instead of a number is the Zyxel Device’s (non-configurable) default policy. The Zyxel Device applies this to traffic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that traffic will match so the Zyxel Device will not have to use the default policy.
Zone
This is the zone on the Zyxel Device the user is allowed or denied to access.
Address
This is the name of the address object for the IP address(es) from which a computer is allowed or denied access.
Action
This displays whether the computer with the IP address specified above can access the Zyxel Device zone(s) configured in the Zone field (Accept) or not (Deny).
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
Add SNMPv3 User
Use the username and password of the login accounts you specify in this screen to create accounts on the SNMP v3 manager.
The following table describes the labels in this screen.
LABEL
Description
User
Specify the username of a login account on the Zyxel Device. The associated password is used in authentication algorithms and encryption methods.
Authentication
Select an authentication algorithm. MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to authenticate SNMP data. SHA authentication is generally considered stronger than MD5, but is slower.
Privacy
Specify the encryption method for SNMP communication from this user. You can choose one of the following:
DES - Data Encryption Standard is a widely used (but breakable) method of data encryption. It applies a 56-bit key to each 64-bit block of data.
AES - Advanced Encryption Standard is another method for data encryption that also uses a secret key. AES applies a 128-bit key to 128-bit blocks of data.
Privilege
Select the access rights to MIBs.
Read-Write - The associated user can create and edit the MIBs on the Zyxel Device, except the user account.
Read-Only - The associated user can only collect information from the Zyxel Device MIBs.
OK
Click OK to save the changes.
Cancel
Click Cancel to begin configuring this screen afresh.
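The login password becomes SNMPv3 key material through the standard USM password-to-key derivation (RFC 3414, Appendix A.2), which is why its length and strength matter. The sketch below is an added example, not Zyxel code; it assumes the device follows the RFC derivation, and the passphrase and engine ID are the sample values published in the RFC.

```python
import hashlib

MIN_PASSPHRASE_LEN = 8        # minimum length this page requires for SNMPv3
EXPANSION_BYTES = 1_048_576   # RFC 3414 hashes 1 MiB of the repeated passphrase


def password_to_key(passphrase: bytes, algo: str) -> bytes:
    """Intermediate key Ku for algo 'md5' or 'sha1' (RFC 3414, A.2)."""
    if algo not in ("md5", "sha1"):
        raise ValueError("RFC 3414 defines password-to-key for MD5 and SHA-1 only")
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        raise ValueError("SNMPv3 passphrase must be at least 8 characters")
    reps, rest = divmod(EXPANSION_BYTES, len(passphrase))
    return hashlib.new(algo, passphrase * reps + passphrase[:rest]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Bind Ku to one SNMP engine: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def derive_usm_keys(passphrase: bytes, engine_id: bytes, algo: str) -> dict:
    """Keys when one passphrase serves both authentication and privacy."""
    kul = localize_key(password_to_key(passphrase, algo), engine_id, algo)
    # DES uses 8 octets as key plus 8 as pre-IV (RFC 3414); AES-128 uses the
    # first 16 octets as key (RFC 3826). Both come from the same localized key.
    return {"auth_key": kul, "priv_material": kul[:16]}


# Sample values published in RFC 3414 Appendix A.3 (not from a Zyxel Device).
RFC_PASSPHRASE = b"maplesyrup"
RFC_ENGINE_ID = bytes(11) + b"\x02"

if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        keys = derive_usm_keys(RFC_PASSPHRASE, RFC_ENGINE_ID, algo)
        print(algo, keys["auth_key"].hex())
```

The derivation is deterministic, so the SNMPv3 keys are only as strong as the login password, and changing that password changes both keys.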
Service Control Rules
The following table describes the labels in this screen.
Configuration > System > SNMP > Service Control Rule Add/Edit 
Label
Description
Create new Object
Use this to configure any new settings objects that you need to use in this screen.
Address Object
Select ALL to allow or deny any computer to communicate with the Zyxel Device using SNMP.
Select a predefined address object to just allow or deny the computer with the IP address that you specified to access the Zyxel Device using SNMP.
Zone
Select ALL to allow or prevent any Zyxel Device zones from being accessed using SNMP.
Select a predefined Zyxel Device zone on which an incoming service is allowed or denied.
Action
Select Accept to allow the user to access the Zyxel Device from the specified computers.
Select Deny to block the user’s access to the Zyxel Device from the specified computers.
OK
Click OK to save your customized settings and exit this screen.
Cancel
Click Cancel to exit this screen without saving.
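Because service control rules form a numbered list ending in a default policy, an entry placed below a broader one may never take effect. The following audit is an added example, not Zyxel code; it assumes rules are checked in list order with the first match winning, takes the default policy's action as a parameter because this page does not state it, and uses constructed zone names and addresses.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    zone: str      # zone name, or "ALL"
    address: str   # CIDR of the address object, or "ALL"
    action: str    # "accept" or "deny"


def _net(address: str):
    return ipaddress.ip_network("0.0.0.0/0" if address == "ALL" else address)


def evaluate(rules, zone, src_ip, default_action):
    """Return (rule number, action); '-' marks the default policy."""
    ip = ipaddress.ip_address(src_ip)
    for number, rule in enumerate(rules, 1):
        if rule.zone in ("ALL", zone) and ip in _net(rule.address):
            return number, rule.action
    return "-", default_action


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet matching `later` already matches `earlier`."""
    zone_ok = earlier.zone == "ALL" or earlier.zone == later.zone
    return zone_ok and _net(later.address).subnet_of(_net(earlier.address))


def audit(rules):
    """List (rule number, finding, number of the rule that causes it)."""
    findings = []
    for i, later in enumerate(rules):
        for j, earlier in enumerate(rules[:i]):
            if covers(earlier, later):
                kind = "shadowed" if earlier.action != later.action else "redundant"
                findings.append((i + 1, kind, j + 1))
                break
        if (later.zone, later.address, later.action) == ("ALL", "ALL", "accept"):
            findings.append((i + 1, "accept-any", None))
    return findings


# Constructed sample rule list for SNMP service control.
SAMPLE_RULES = [
    Rule("WAN", "ALL", "deny"),
    Rule("WAN", "198.51.100.10/32", "accept"),   # never reached: rule 1 wins
    Rule("LAN1", "192.168.1.0/24", "accept"),
    Rule("ALL", "ALL", "accept"),                # opens SNMP to every zone
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
    print(evaluate(SAMPLE_RULES, "WAN", "198.51.100.10", "deny"))
```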
Authentication Server
You can set the Zyxel Device to work as a RADIUS server to exchange messages with a RADIUS client, such as an AP for user authentication and authorization. Use this screen to enable the authentication server feature of the Zyxel Device and specify the RADIUS client’s IP address.
The following table describes the labels in this screen.
Configuration > System > Auth. Server 
Label
Description
Enable Authentication Server
Select the check box to have the Zyxel Device act as a RADIUS server.
Authentication Server Certificate
Select the certificate whose corresponding private key is to be used to identify the Zyxel Device to the RADIUS client. You must have certificates already configured in the My Certificates screen.
Authentication Method
Select an authentication method if you have created any in the Configuration > Object > Auth. Method screen.
Trusted Client
Use this section to configure trusted clients in the Zyxel Device RADIUS server database.
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
#
This is the index number of the entry.
Status
This icon is lit when the entry is active and dimmed when the entry is inactive.
Profile Name
This field indicates the name assigned to the profile.
IP Address
This is the IP address of the RADIUS client that is allowed to exchange messages with the Zyxel Device.
Mask
This is the subnet mask of the RADIUS client.
Description
This is the description of the RADIUS client.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
Add/Edit Trusted RADIUS Client
Use this screen to create a new entry or edit an existing one.
The following table describes the labels in this screen.
Configuration > System > Auth. Server > Add/Edit 
label
description
Activate
Select this check box to make this profile active.
Profile Name
Enter a descriptive name (up to 31 alphanumerical characters) for identification purposes.
IP Address
Enter the IP address of the RADIUS client that is allowed to exchange messages with the Zyxel Device.
Netmask
Enter the subnet mask of the RADIUS client.
Secret
Enter a password (up to 64 alphanumeric characters) as the key to be shared between the Zyxel Device and the RADIUS client.
The key is not sent over the network. This key must be the same on the external authentication server and the Zyxel Device.
Description
Enter the description of each server, if any. You can use up to 60 printable ASCII characters.
OK
Click OK to save the changes.
Cancel
Click Cancel to discard the changes.
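The Secret is never transmitted, but each RADIUS reply carries a Response Authenticator, an MD5 digest computed over the packet, the request's authenticator and the secret (RFC 2865), so a client holding a different secret rejects the reply. The following is an added example, not Zyxel code; the profile name, addresses, secret and function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

# Constructed trusted-client entry: (profile name, IP address, netmask, secret)
TRUSTED_CLIENTS = [
    ("ap-floor1", "192.168.10.0", "255.255.255.0", b"constructed-secret-1"),
]


def secret_for(src_ip, clients=TRUSTED_CLIENTS):
    """Pick the shared secret by source address; None means untrusted."""
    ip = ipaddress.ip_address(src_ip)
    for _name, addr, mask, secret in clients:
        if ip in ipaddress.ip_network(f"{addr}/{mask}", strict=False):
            return secret
    return None


def reply_message(text: bytes) -> bytes:
    """Encode a Reply-Message attribute (type 18) as type, length, value."""
    return bytes([18, 2 + len(text)]) + text


def build_response(code, identifier, request_auth, attributes, secret):
    """ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + auth + attributes


def answer(src_ip, request, attributes):
    """Server side: reply only to clients in the trusted list."""
    secret = secret_for(src_ip)
    if secret is None or len(request) < 20:
        return None                      # unknown client: no reply
    identifier, request_auth = request[1], request[4:20]
    return build_response(ACCESS_ACCEPT, identifier, request_auth,
                          attributes, secret)


def verify_response(packet, request_auth, secret):
    """Client side: recompute the digest with the locally stored secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])
```

Since the digest is all that protects the reply, the secret should be long and random rather than a reused password.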
Notification > Mail Server
Use this screen to configure a mail server so you can receive reports and notification emails such as when your password is about to expire. After you configure the screen, you can test the settings in Maintenance > Diagnostics > Network Tool and then select Test Email Server. See Configuration > Log & Report > Email Daily Report to configure what reports to send and to whom.
The following table describes the labels in this screen.
 
Label
Description
Mail Server
Type the name or IP address of the outgoing SMTP server.
Mail Subject
Type a subject line for outgoing email from the Zyxel Device.
Append system name
Select Append system name to add the Zyxel Device’s system name to the subject.
Append date time
Select Append date time to add the Zyxel Device’s system date and time to the subject.
Mail Server Port
Enter the same port number here as is on the mail server for mail traffic.
TLS Security
Select this option if the mail server uses Transport Layer Security (TLS) for encrypted communications between the mail server and the Zyxel Device.
STARTTLS
Select this option if the mail server uses SSL or TLS for encrypted communications between the mail server and the Zyxel Device.
Authenticate Server
Select this if the Zyxel Device authenticates the mail server in the TLS handshake.
Mail From
Type the email address from which the outgoing email is delivered. This address is used in replies.
SMTP Authentication
Select this check box if it is necessary to provide a user name and password to the SMTP server.
User Name
This box is effective when you select the SMTP Authentication check box. Type the user name to provide to the SMTP server when the log is emailed.
Password
This box is effective when you select the SMTP Authentication check box. Type a password of up to 63 characters to provide to the SMTP server when the log is emailed.
Retype to Confirm
Type the password again to make sure that you have entered it correctly.
Time for sending report
Select the time of day (hours and minutes) when the log is emailed. Use 24-hour notation.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
Notification > SMS
The Zyxel Device supports Short Message Service (SMS) to send short text messages to mobile phone devices.
Configuration > System > Notification > SMS 
Label
Description
General Settings
 
Enable SMS
Select the check box to turn on the SMS service.
Default country code for phone number
Enter the default country code for the mobile phone number to which you want to send SMS messages.
SMS Provider
The Zyxel Device uses Email-to-SMS Provider to forward SMS messages.
*Go to the Configuration > System > Notification > Mail Server screen to configure a mail server to allow the Zyxel Device to send SMS messages to the SMS service provider using emails.
Provider Domain
Enter the domain name of your SMS service provider. The domain name can be of up to 252 characters.
Select auto append to "Mail to" to add the domain name of your SMS service provider after the mobile phone number in the Mail To field.
Mail Subject
Type the subject line of up to 128 characters for outgoing e-mail from the Zyxel Device.
Mail From
Enter the sender’s email address of up to 64 characters. This email address needs to be in your SMS provider’s allowed sender address list.
If you leave this field blank, the Zyxel Device will use the IP address or domain name of the Mail Server field in the Configuration > System > Notification > Mail Server screen.
Mail To
Enter the mobile phone number of up to 80 characters. You can only have one receiver.
Use this variable in brackets [$mobile_number$], and the Zyxel Device will use the mobile phone number of the user logging in. Go to the Configuration > Object > User/Group > User screen to add a valid mobile telephone number for a user.
Apply
Click this button to save your changes to the Zyxel Device.
Reset
Click this button to return the screen to its last-saved settings.
Notification > Response Message
Use this screen to create a web page to display when access to a website is restricted due to a security service.
Configuration > System > Notification > Response Message 
Label
Description
Message
Use this part of the screen to create a message to display when access to a website is blocked due to a security service.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
#
This is the index number of the entry.
Service
This is the security service that may restrict access to a website.
Denied Access Message
Type a message to display when access to a website is blocked due to this security service. You may type up to 127 characters.
Page Layout
Use this part of the screen to create a web page to display when access to a website is blocked due to a security service.
Use Customized
Select this if you want to specify a logo and colors in the access blocked web page. You cannot change the banner message.
Preview Web Page
Use this to see how the colors look in your customized access blocked web page. The below example also shows the location of the access blocked message, the logo and banner.
File Path
Type the path to the access blocked web page file or use Browse to find it on your computer. Then click Upload to send the file to the Zyxel Device.
Message Color
Specify the font color of the message. You can use the Color palette chooser, or enter a CSS hex color code. For example, the CSS hex color code for blue is #0000FF.
Background Color
Specify the color of the access blocked web page background. You can use the Color palette chooser, or enter a CSS hex color code. For example, the CSS hex color code for blue is #0000FF.
Banner Color
Specify the color of the access blocked web page banner. You can use the Color palette chooser, or enter a CSS hex color code. For example, the CSS hex color code for blue is #0000FF.
Banner Message Color
Specify the color of the access blocked web page banner text. You can use the Color palette chooser, or enter a CSS hex color code. For example, the CSS hex color code for blue is #0000FF.
Apply
Click this button to save your changes to the Zyxel Device.
Reset
Click this button to return the screen to its last-saved settings.
Language
Use this screen to select a display language for the Zyxel Device’s Web Configurator screens.
The following table describes the labels in this screen.
Configuration > System > Language
Label
DESCRIPTION
Language Setting
Select a display language for the Zyxel Device’s Web Configurator screens. You also need to open a new browser session to display the screens in the new language.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
IPv6
Use this screen to enable IPv6 support for the Zyxel Device’s Web Configurator screens.
The following table describes the labels in this screen.
Configuration > System > IPv6
Label
DESCRIPTION
Enable IPv6
Select this to have the Zyxel Device support IPv6 and make IPv6 settings available on the screens of the functions that support it, such as the Configuration > Network > Interface > Ethernet, VLAN, and Bridge screens. The Zyxel Device discards all IPv6 packets if you clear this check box.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
Zyxel One Network (ZON) Utility
The Zyxel One Network (ZON) utility uses the Zyxel Discovery Protocol (ZDP) for discovering and configuring ZDP-aware Zyxel devices in the same broadcast domain as the computer on which ZON is installed.
The ZON Utility issues requests via ZDP and in response to the query, the Zyxel device responds with basic information including IP address, firmware version, location, system and model name. The information is then displayed in the ZON Utility screen and you can perform tasks like basic configuration of the devices and batch firmware upgrade in it. You can download the ZON Utility at www.zyxel.com and install it on a computer.
Requirements
Before installing the ZON Utility on your computer, please make sure it meets the requirements listed below.
Operating System
At the time of writing, the ZON Utility is compatible with:
Windows 7 (both 32-bit / 64-bit versions)
Windows 8 (both 32-bit / 64-bit versions)
Windows 8.1 (both 32-bit / 64-bit versions)
Windows 10 (both 32-bit / 64-bit versions)
Note: To check for your Windows operating system version, right-click on My Computer > Properties. You should see this information in the General tab.
Hardware
Here are the minimum hardware requirements to use the ZON Utility on your computer.
Core i3 processor
2GB RAM
100MB free hard disk
WXGA (Wide XGA 1280x800)
The following table describes the icons numbered from left to right in the ZON Utility screen.
ZON Utility Icons
icon
DESCRIPTION
1 IP configuration
Change the selected device’s IP address.
2 Renew IP Address
Update a DHCP-assigned dynamic IP address.
3 Reboot Device
Use this icon to restart the selected device(s). This may be useful when troubleshooting or upgrading new firmware.
4 Reset Configuration to Default
If you forget your password or cannot access the Web Configurator, you can use this icon to reload the factory-default configuration file. This means that you will lose all configurations that you had previously.
5 Locator LED
Use this icon to locate the selected device by causing its Locator LED to blink.
6 Web GUI
Use this to access the selected device’s Web Configurator from your browser. You will need a username and password to log in.
7 Firmware Upgrade
Use this icon to upgrade new firmware to selected device(s) of the same model. Make sure you have downloaded the firmware from the Zyxel website to your computer and unzipped it in advance.
If your Zyxel Device supports dual firmware images, the standby image will be upgraded. After the new firmware is uploaded, your Zyxel Device will reboot, and the new firmware will be the running firmware.
8 Change Password
Use this icon to change the admin password of the selected device. You must know the current admin password before changing to a new one.
9 Configure NCC Discovery
You must have Internet access to use this feature. Use this icon to enable or disable the Nebula Control Center (NCC) discovery feature on the selected device. If it’s enabled, the selected device will try to connect to the NCC. Once the selected device is connected to and has registered in the NCC, it’ll go into the cloud management mode.
10 ZAC
Use this icon to run the Zyxel AP Configurator of the selected AP.
11 Clear and Rescan
Use this icon to clear the list and discover all devices on the connected network again.
12 Save Configuration
Use this icon to save configuration changes to permanent memory on a selected device.
13 Settings
Use this icon to select a network adaptor for the computer on which the ZON utility is installed, and the utility language.
The following table describes the fields in the ZON Utility main screen.
ZON Utility Fields
label
description
Type
This field displays an icon of the kind of device discovered.
Model
This field displays the model name of the discovered device.
Firmware Version
This field displays the firmware version of the discovered device.
MAC Address
This field displays the MAC address of the discovered device.
IP Address
This field displays the IP address of an internal interface on the discovered device that first received a ZDP discovery request from the ZON utility.
System Name
This field displays the system name of the discovered device.
Location
This field displays where the discovered device is.
Status
This field displays whether changes to the discovered device have been done successfully. As the Zyxel Device does not support IP Configuration, Renew IP address and Flash Locator LED, this field displays “Update failed”, “Not support Renew IP address” and “Not support Flash Locator LED” respectively.
NCC Discovery
This field displays if the discovered device supports the Nebula Control Center (NCC) discovery feature. If it’s enabled, the selected device will try to connect to the NCC. Once the selected device is connected to and has registered in the NCC, it’ll go into the cloud management mode.
Serial Number
Enter the admin password of the discovered device to display its serial number.
Hardware Version
This field displays the hardware version of the discovered device.
Zyxel One Network (ZON) System Screen
Enable ZDP (ZON) and Smart Connect (Ethernet Neighbor) in the System > ZON screen.
See Monitor > System Status > Ethernet Neighbor for information on using Smart Connect (Link Layer Discovery Protocol (LLDP)) for discovering and configuring LLDP-aware devices in the same broadcast domain as the Zyxel Device that you’re logged into using the web configurator.
The following table describes the labels in this screen.
Configuration > System > ZON
Label
DESCRIPTION
ZDP
Zyxel Discovery Protocol (ZDP) is the protocol that the Zyxel One Network (ZON) utility uses for discovering and configuring ZDP-aware Zyxel devices in the same broadcast domain as the computer on which ZON is installed.
Enable
Select to activate ZDP discovery on the Zyxel Device.
Smart Connect
Smart Connect uses Link Layer Discovery Protocol (LLDP) for discovering and configuring LLDP-aware devices in the same broadcast domain as the Zyxel Device that you’re logged into using the web configurator.
Enable
Select to activate LLDP discovery on the Zyxel Device. See also Monitor > System Status > Ethernet Discovery.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.