System
Use the system screens to configure general Zyxel Device settings.
Use the System > Settings screen (see Settings) to configure the Zyxel Device basic system settings.
Use the System > Device HA screens (see Device HA (High Availability)) to configure a backup for the Zyxel Device.
Use the System > DNS & DDNS screen (see DNS & DDNS) to configure the Zyxel Device DNS and DDNS settings.
Use the System > SNMP screen (see SNMP) to configure the Zyxel Device SNMP settings.
Use the System > Notification screen (see Notification) to configure a mail server to receive reports and notification emails.
For an overview of certificates, see Certificate Overview.
Use the System > My Certificates screen (see My Certificates) to generate self-signed certificates or certification requests.
Use the System > Trusted Certificates screens (see Trusted Certificates) to save CA certificates and trusted remote host certificates to the Zyxel Device. The Zyxel Device trusts any valid certificate that you have imported as a trusted certificate. It also trusts any valid certificate signed by any of the certificates that you have imported as a trusted certificate.
Use the System > Advanced screen (see Advanced) to view UDP and ICMP timeout settings on your Zyxel Device and to enable or disable ARP spoofing prevention, device insight, and LLDP functions.
See each section for related background information and term definitions.
Settings
Use the Settings screen to configure the hostname, system time, the Zyxel Device connection settings and language settings.
System Settings
Use this section to configure the Zyxel Device host name. A host name is the unique name by which a device is known on a network.
System Time
Use this section to configure the Zyxel Device time settings. For effective scheduling and logging, the Zyxel Device system time must be accurate. The Zyxel Device’s Real Time Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server.
You can manually set the Zyxel Device’s time and date or have the Zyxel Device get the date and time from a time server.
To manually set the Zyxel Device date and time.
1 Go to System > Settings > System Time.
2 Select Manual in the Time field. Then enter or select the Zyxel Device’s time and date.
3 In the Timezone field, select your timezone from the list.
4 Click Apply.
To get the Zyxel Device date and time from a time server
1 Go to System > Settings > System Time.
2 Select Auto Sync in the Time and Timezone field.
3 Click Apply.
Administration Settings
Use this section to configure secure and insecure connection of the Zyxel Device coming in from the WAN. HTTPS and SSH access are secure. HTTP access is not secure.
*To allow the Zyxel Device to be accessed from a specified computer using a service, make sure you do not have a service control rule or to-Zyxel Device security policy rule to block that traffic.
To stop a service from accessing the Zyxel Device, slide the switch to the left in the corresponding service screen to disable the service.
System Timeout
There is a lease timeout for administrators. The Zyxel Device automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling.
Each user is also forced to log in the Zyxel Device for authentication again when the reauthentication time expires.
You can change the timeout settings in the User/Group screens.
HTTPS
You can set the Zyxel Device to use HTTP or HTTPS (HTTPS adds security) for Web Configurator sessions.
HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol that encrypts and decrypts web pages. Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot read the transferred data), authentication (one party can identify the other party) and data integrity (you know if data has been changed).
It relies upon certificates, public keys, and private keys.
HTTPS on the Zyxel Device is used so that you can securely access the Zyxel Device using the Web Configurator. The SSL protocol specifies that the HTTPS server (the Zyxel Device) must always authenticate itself to the HTTPS client (the computer which requests the HTTPS connection with the Zyxel Device), whereas the HTTPS client only should authenticate itself when the HTTPS server requires it to do so (enable Authenticate Client Certificates in the Administration Settings screen). Authenticate Client Certificates is optional and if selected means the HTTPS client must send the Zyxel Device a certificate. You must apply for a certificate for the browser from a CA that is a trusted CA on the Zyxel Device.
*If you disable HTTP in the Administration Settings screen, then the Zyxel Device blocks all HTTP connection attempts.
SSH
You can use SSH (Secure SHell) to securely access the Zyxel Device’s command line interface.
SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. In the following figure, computer A on the Internet uses SSH to securely connect to the WAN port of the Zyxel Device for a management session.
*To allow an SSH connection to the Zyxel Device, add SSH in the Object > Service > Service Group > Default_Allow_WAN_To_ZyWALL service group which defines the default services allowed in the WAN_to_Device security policy.
Your Zyxel Device supports SSH version 2 using RSA authentication and four encryption methods (AES, 3DES, Archfour, and Blowfish). The SSH server is implemented on the Zyxel Device for management using port 22 (by default).
You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the Zyxel Device over SSH.
FTP
You can upload and download the Zyxel Device’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client.
Device Insight
Use Device Insight to collect status and basic information of the clients connected to the Zyxel Device internal interfaces or IPSec VPN; see The Device Insight Screen for more information.
Settings
Use this section to select a display language for the Zyxel Device’s Web Configurator screens.
The following table describes the labels in this screen.
System > System Settings 
Label
Description
System Settings
 
Host Name
Enter a descriptive name to identify your Zyxel Device device. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes (-) underscores (_) and periods (.) are accepted.
System Time
 
Current Time
This field displays the present date and time of your Zyxel Device.
Time
Select Auto Sync to have the Zyxel Device get the time and date from the time server. The Zyxel Device requests time and date settings from the time server under the following circumstances.
When the Zyxel Device starts up.
When you click Apply after selecting Auto Sync in this screen.
24-hour intervals after starting up.
Select Manual to enter or select the time and date manually. When you enter the time and date settings manually, the Zyxel Device uses the new settings once you click Apply.
Timezone
Select Auto Sync for the Zyxel Device to automatically get its timezone.
Select Manual to choose the timezone of your location. This will set the time difference between your timezone and Greenwich Mean Time (GMT).
Administration Settings
 
HTTP Enable
Enable to allow access to the Zyxel Device using HTTP connections.
HTTP Port
The HTTP server listens on port 80 by default. If you change the HTTP port to a different number on the Zyxel Device, for example 8080, then you must notify people who need to access the Zyxel Device Web Configurator to use “http://Zyxel Device IP Address:8080” as the URL.
If you choose a port already in use, you will see a port conflict message telling you to choose another port.
Redirect to HTTPS
Enable this to redirect all HTTP connection requests to the HTTPS server to allow only secure Web Configurator access.
HTTPS Enable
Enable to allow access to the Zyxel Device Web Configurator using secure HTTPS connections.
HTTPS Port
The HTTPS server listens on port 443 by default. If you change the HTTPS port to a different number on the Zyxel Device, for example 8443, then you must notify people who need to access the Zyxel Device Web Configurator to use “https://Zyxel Device IP Address:8443” as the URL.
If you choose a port already in use, you will see a port conflict message telling you to choose another port.
Authenticate Client Certificates
Enable this to require the SSL client to authenticate itself to the Zyxel Device by sending the Zyxel Device a certificate. To do that the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the Zyxel Device.
Server Certificate
Select a certificate the HTTPS server (the Zyxel Device) uses to authenticate itself to the HTTPS client. You must have certificates already configured in the My Certificates screen.
SSH Enable
Enable to allow access to the Zyxel Device using SSH connections.
SSH Port
The SSH port is 22 by default. You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
If you choose a port already in use, you will see a port conflict message telling you to choose another port.
Server Certificate
Select a certificate whose corresponding private key is to be used to identify the Zyxel Device for SSH connections. You must have certificates already configured in the My Certificates screen.
FTP Enable
Enable to allow access to the Zyxel Device using FTP connections.
TLS required
Enable to use FTP over TLS (Transport Layer Security) to encrypt communication. This implements TLS as a security mechanism to secure FTP clients and servers.
FTP Port
The FTP port is 21 by default. You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
If you choose a port already in use, you will see a port conflict message telling you to choose another port.
Server Certificate
Select a certificate whose corresponding private key is to be used to identify the Zyxel Device for FTP connections. You must have certificates already configured in the My Certificates screen.
Display
 
Language
Select a display language for the Zyxel Device’s web configurator screens. The web configurator screens will display in the new language after you click Apply.
User LED
The USER LED is located at the front panel of the Zyxel Device. Use this LED to check one of the following:
Admin account login status.
User IP address locked out status.
License status.
New firmware available for update.
Event
Select how you want the USER LED to behave.
Select Admin login (green on) if you want the USER LED to be steady green when there are admin accounts logged into the Zyxel Device.
Select User Lockout (amber on) if you want the USER LED to be steady amber when a user IP address is locked out of the Zyxel Device. A user IP address will be locked out when the user has logged into the Zyxel Device unsuccessfully (for example, wrong password) for more than three times.
Select License Expired (amber on) if you want the USER LED to be steady amber when a Zyxel Device service license has expired.
Select New Firmware Available (green blinking) if you want the USER LED to blink green when there is new firmware available for upload.
Select Off to turn off the USER LED.
Device Insight
Enable Device Insight to collect status and basic information of the clients connected to the Zyxel Device internal interfaces or IPSec VPN.
Apply
Click Apply to save your changes to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
Device HA (High Availability)
Device HA lets a passive (secondary) Zyxel Device automatically take over if the active (primary) Zyxel Device fails. Both Zyxel Devices must be the same model with the same firmware version. Device HA pairing occurs when Device HA is set up successfully on both Zyxel Devices.
The primary Zyxel Device is the license controller. Existing licenses on the secondary Zyxel Device are appended to the licenses on the primary Zyxel Device after pairing occurs. When updating licenses, update them on the primary Zyxel Device.
The following features can be transferred to the secondary Zyxel Device when it becomes active using Device HA:
Start-up and Running Configuration
Signatures
Device Insight
External Block List
DHCP Leasing Entries
Two-factor Authentication
Certificates
Licenses Including NCC if applicable
Zyxel Device Time
What You Can Do in These Screens
Use the HA Status screen (HA Status) to see the license status for Device HA, and see the status of the active and passive devices.
Use the HA Configuration screen (HA Configuration) to configure Device HA global settings, monitored interfaces and synchronization settings.
Use the HA Log screen (HA Log) to see logs of the active and passive devices.
Heartbeat
Device HA uses a dedicated heartbeat link between an active and a passive device for status syncing and to trigger failover and backup to the passive device if the active device becomes unresponsive. On the passive device, all ports are disabled except for the port with the heartbeat link.
In the following example, Zyxel Device A is the active device that is connected to passive device Zyxel Device B through a dedicated link that is used for heartbeat control, configuration synchronization and troubleshooting. All links on Zyxel Device B are down except for the dedicated heartbeat link.
*Make sure that the heartbeat port is not already in an interface that is already configured for other features such as LAG, VLAN, Bridge.
*The dedicated heartbeat link port must be the highest-numbered copper Ethernet port on each Zyxel Device for Device HA to work. At the time of writing, these are the models that support HA with associated heartbeat link ports.
Device HA Heartbeat Ports
Model
heartbeat port
USG FLEX 200H / 200 HP
8
USG FLEX 500H / 700 H
12
Failover from the active Zyxel Device to the passive Zyxel Device occurs when:
A monitored interface is down on the active Zyxel Device.
The connectivity check on the heartbeat link exceeds the failure tolerance.
After failover, the initially active Zyxel Device becomes the passive Zyxel Device.
Firmware Upgrade on Paired Zyxel Devices
1 First, upgrade the firmware to the passive device.
2 After upgrade, the passive device becomes the active device and handles all traffic during the firmware upgrade.
3 Firmware is then upgraded to the passive primary device.
4 After the firmware upgrade is complete on both Zyxel Devices, the primary device becomes the active device again.
Preparing to Deploy Device HA
1 Make sure the passive Zyxel Device is offline, then enable Device HA in System > Device HA > HA Configuration in the active Zyxel Device.
2 The management IP addresses for both the active and passive Zyxel Devices must be in the same subnet.
3 Make sure the SSH service in System > SSH is enabled on both Zyxel Devices. SFTP (Secure File Transfer Protocol) is used to transfer files from the active to the passive Zyxel Device.
4 Connect the passive Zyxel Device to the active Zyxel Device using the heartbeat ports. These are the highest-numbered copper Ethernet ports on the Zyxel Devices - see Device HA Heartbeat Ports.
5 If both Zyxel Devices are turned on at the same time with Device HA enabled, then they may send the heartbeat at the same time. In this case, the Zyxel Device with the Primary (License Controller) role becomes the active Zyxel Device.
Using NCC To Manage Device HA
You must register both Zyxel Devices on NCC, that is they must both belong to an organization. The passive Zyxel Device will be registered automatically in NCC if it is not already registered in NCC.
Both Zyxel Devices must be in the same organization and be registered to the same account.
The passive Zyxel Device is removed from the NCC site after Device HA pairing is complete, as a site in NCC can only have one Zyxel Device firewall (at the time of writing).
NCC automatically sends an email to notify users when Zyxel Devices are paired with licenses transferred.
Deployment Overview
Register both Zyxel Devices on NCC if you are using NCC.
1 Set up Device HA on the active Zyxel Device in System > Device HA > HA Configuration. Check the HA status in System > Device HA > HA Status, and view the log of the active Zyxel Device in System > Device HA > HA Log.
2 Configure Device HA on the passive Zyxel Device in System > Device HA > HA Configuration.
3 Connect the heartbeat Ethernet cable between the active and passive Zyxel Devices.
4 Verify the HA status of the active and passive Zyxel Devices in System > Device HA > HA Status.
5 Check the logs on the active Zyxel Device in System > Device HA > HA Log.
When you log into a Zyxel Device after Device HA pairing, you will see a banner to show if you are logged into the active or passive Zyxel Device.
HA Status
After you have configured Device HA in System > Device HA > HA Configuration go to this screen to view Device HA synchronization and failover status.
You may also see Device HA status from the PWR/SYS LED.
Device HA Status: PWR / SYS LED
Device HA Status
Active Zyxel Device
Passive Zyxel Device
Pairing in Progress
Green / Red Alternating
Green Steady On
Pairing Failed
Red Blinking
Green Steady On
Full Synch In Progress
Green Steady On
Amber Blinking
Full Synch Complete
Green Steady On
Amber Steady On
Running
Green Steady On
Amber Steady On
The following table describes the labels in this screen.
System > Device HA > HA Status 
Label
Description
Status
Zyxel Devices are displayed according to role with the active Zyxel Device on the left and the passive Zyxel Device on the right. The active Zyxel Device is the initial active Zyxel Device, and the passive Zyxel Device is the initial passive Zyxel Device. The active becomes passive if failover occurs.
The heartbeat link shows one of the following icons:
Running, indicating that the link is connected and the peer Zyxel Device is replying
 
Disconnect, indicating that the link is not connected
 
 
No response, indicating that the link is connected, but the peer Zyxel Device is not replying
Device HA Status
This displays if Device HA is Enabled or Disabled.
Pairing Status
Device HA pairing occurs when Device HA is set up successfully on both Zyxel Devices. This field displays one of the following:
Pairing, indicating that Device HA is in progress
Paired, indicating that Device HA has completed successfully
Error, showing the reason that Device HA failed.
Synchronization Status
This section displays information on feature transfer status and time after full synchronization occurs.
Last Full Sync Status
This displays In Progress, Success, Fail or none (if Device HA is not enabled or just after the Zyxel Device reboots).
Last Failover Time
This displays the date and time feature transfer occurred or none (if Device HA is not enabled or just after the Zyxel Device reboots).
Failover Status
This section displays the reason for failover and the time it occurred.
Failover Reason
This displays the reason for failover, such as Heartbeats missed, Monitor interface link down, Monitor interface connectivity check fail, Firmware upgrade, Heartbeats conflict. Heartbeats conflict may occur if both Zyxel Devices send heartbeats at the same time, for example, if both Zyxel Devices start up at the same time.
Last Failover Time
This displays the date and time the failover occurred.
HA Configuration
Configure Device HA on the Zyxel Device in System > Device HA > HA Configuration.
The following table describes the labels in this screen.
System > Device HA > HA Configuration 
Label
Description
General Settings
 
Enable Device HA
You must enable Device HA on both the active and passive Zyxel Devices. Before enabling Device HA, go to Network > Interface to configure the heartbeat link connectivity check between the initial active and initial passive Zyxel Devices. Make sure the passive Zyxel Device is offline when you enable Device HA on the active Zyxel Device.
You cannot use Recovery Manager when you enable Device HA.
Management Configuration
Management IPs allows you to manage whichever is the active Zyxel Device when Device HA is paired. You must configure management IP addresses for both the active and passive Zyxel Devices and they must have the same subnet mask.
Initial Role
Select if this Zyxel Device is the initial active (Primary (License Controller)) or initial passive (Secondary) Zyxel Device.
When you apply Device HA on the Secondary Zyxel Device, the LAN/WAN links will go down and you will be logged out of the web configurator. The following fields will also be grayed out.
You must configure the following fields when you select Primary (License Controller).
HA MAC Address
Enter either the Physical MAC address of the initially active Zyxel Device or the Virtual MAC address. See Dashboard > System for the Physical MAC address of this Zyxel Device. The Zyxel Device automatically generates the Virtual MAC address. It has priority over the Physical MAC address. With a Virtual MAC address, you can hot swap the active Zyxel Device without reconfiguring Device HA.
At the time of writing, the Virtual MAC address begins with “X6”, (X6:XX:XX:XX:XX:XX). You can see the Virtual MAC address generated in Network > Interface > Edit of the active Zyxel Device.
Active Node Management IP
Type the IPv4 address of the highest-numbered copper Ethernet port on the active Zyxel Device (the heartbeat dedicated link port).
Passive Node Management IP
Type the IPv4 address of the highest-numbered copper Ethernet port on the passive Zyxel Device (the heartbeat dedicated link port).
​Management IP Subnet Mask
Primary and Secondary Zyxel Devices must use the same subnet mask. Enter a subnet mask such as 255.255.255.0, of the management IP addresses.
Monitor Interface
 
Member
Member interface types can be Ethernet, VLAN, or Bridge. Select an interface to be monitored by Device HA to determine if a passive Zyxel Device should become active.
Failover on Monitored Interface Link Down
Enable this to have the passive Zyxel Device become the active Zyxel Device when a selected monitored interface fails.
Failover on Monitored Connectivity Check Failure
Enable this to have the passive Zyxel Device become the active Zyxel Device when the connectivity check fails on a selected monitored interface.
Advanced Settings
 
Pause Device HA
Enable this if you want to temporarily stop Device HA without unpairing the active and passive Zyxel Devices. You may do this to troubleshoot the active Zyxel Device for example.
*Before you click Apply in this screen, first make sure to turn off or disconnect ALL cables from the passive Zyxel Device!
After successfully troubleshooting, remember to disable Pause Device HA, then turn on and reconnect ALL cables on the passive Zyxel Device.
Cancel
Click Cancel to return the screen to its last-saved settings.
Apply
Click Apply to save your Device HA configurations back to the Zyxel Device but keep the Zyxel Device using Device HA (general).
HA Log
Use this screen to see Device HA logs on the local and peer Zyxel Devices. The local Zyxel Device is the Zyxel Device that you are currently logged into.
The following table describes the labels in this screen.
System > Device HA > HA Log 
Label
Description
View Logs
 
Local
This displays Device HA logs on the Zyxel Device that you are currently logged into.
Peer
This displays Device HA logs on the Zyxel Device that has a heartbeat link to the Zyxel Device that you are currently logged into, that is, the Device HA peer.
Refresh
Click Refresh to update information in this screen.
Disabling Device HA
Turning off an active or passive Zyxel Device alone does not disable Device HA. To disable Device HA, you must use System > Device HA > HA Configuration in the web configurator or CLI commands.
*Before disabling Device HA, you should turn off the passive Zyxel Device or disconnect all network cables from it.
When you disable Device HA, you will see the following warning screen.
DNS & DDNS
DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it.
Similarly, Dynamic DNS (DDNS) maps a domain name to a dynamic IP address. As a result, anyone can use the domain name to contact you (in NetMeeting, CU-SeeMe, etc.) or to access your FTP server or Web site, regardless of the current (dynamic) IP address.
*You must have a public WAN IP address to use Dynamic DNS.
You must set up a dynamic DNS account with a supported DNS service provider before you can use Dynamic DNS services with the Zyxel Device. When registration is complete, the DNS service provider gives you a password or key. At the time of writing, the Zyxel Device supports the following DNS service providers. See the listed websites for details about the DNS services offered by each.
DDNS Service Providers 
provider
Service Types supported
Website
DynDNS
Dynamic DNS, Static DNS, and Custom DNS
www.dyndns.com
Dynu
Basic, Premium
www.dynu.com
No-IP
No-IP
www.no-ip.com
Peanut Hull
Peanut Hull
www.oray.cn
3322
3322 Dynamic DNS, 3322 Static DNS
www.3322.org
Selfhost
Selfhost
selfhost.de
*Record your DDNS account’s user name, password, and domain name to use to configure the Zyxel Device.
After you configure the Zyxel Device, it automatically sends updated IP addresses to the DDNS service provider, which helps redirect traffic accordingly.
DNS Server Address Assignment
The Zyxel Device can get the DNS server addresses in the following ways.
The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, manually enter them in the DNS server fields.
If your ISP dynamically assigns the DNS server IP addresses (along with the Zyxel Device’s WAN IP address), set the DNS server fields to get the DNS server address from the ISP.
You can manually enter the IP addresses of other DNS servers.
The DNS Screen
Use the DNS screen to configure the Zyxel Device to use a DNS server to resolve domain names for Zyxel Device system features like VPN, DDNS and the time server. You can also configure the Zyxel Device to accept or discard DNS queries. Use the Network > Interface screens to configure the DNS server information that the Zyxel Device sends to the specified DHCP client devices.A name query begins at a client computer and is passed to a resolver, a DNS client service, for resolution. The Zyxel Device can be a DNS client service. The Zyxel Device can resolve a DNS query locally using cached Resource Records (RR) obtained from a previous query (and kept for a period of time). If the Zyxel Device does not have the requested information, it can forward the request to DNS servers. This is known as recursion.
The Zyxel Device can ask a DNS server to use recursion to resolve its DNS client requests. If recursion on the Zyxel Device or a DNS server is disabled, they cannot forward DNS requests for resolution.
A Domain Name Server (DNS) amplification attack is a kind of Distributed Denial of Service (DDoS) attack that uses publicly accessible open DNS servers to flood a victim with DNS response traffic. An open DNS server is a DNS server which is willing to resolve recursive DNS queries from anyone on the Internet.
In a DNS amplification attack, an attacker sends a DNS name lookup request to an open DNS server with the source address spoofed as the victim’s address. When the DNS server sends the DNS record response, it is sent to the victim. Attackers can request as much information as possible to maximize the amplification effect.
Configure the Security Option Control section in the System > DNS & DDNS > DNS screen if you suspect the Zyxel Device is being used (either by hackers or by a corrupted open DNS server) in a DNS amplification attack.
The following table describes the labels in this screen.
System > DNS & DDNS > DNS  
Label
Description
Address/PTR Record
This record specifies the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain.
Add
Click this to create a new entry.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
Edit icon
Double-click an entry or select it to display an Edit icon that allows you to modify the entry’s settings.
Hostname
This is the name of the host.
Domain
This is the host’s fully qualified domain name.
IP Address
This is the IP address of a host.
CNAME Record
This record specifies an alias for a FQDN. Use this record to bind all subdomains with the same IP address as the FQDN without having to update each one individually, which increases chance for errors. See CNAME Record (CNAME Record) for more details.
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
Hostname
This is the name of the host.
Domain
This is the host’s fully qualified domain name.
Alias Name
This displays the alias name.
MX Record (for My FQDN)
A MX (Mail eXchange) record identifies a mail server that handles the mail for a particular domain.
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
Hostname
This is the name of the host.
Domain
This is the domain name where the mail is destined for.
IP/FQDN
This is the IP address or Fully-Qualified Domain Name (FQDN) of a mail server that handles the mail for the domain specified in the field above.
Domain Zone Forwarder
This specifies a DNS server’s IP address. The Zyxel Device can query the DNS server to resolve domain zones for features like VPN, DDNS and the time server.
When the Zyxel Device needs to resolve a domain zone, it checks it against the domain zone forwarder entries in the order that they appear in this list.
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
Move
To change an entry’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.
Priority
This is the index number of the domain zone forwarder record. The ordering of your rules is important as rules are applied in sequence.
A hyphen (-) displays for the default domain zone forwarder record. The default record is not configurable. The Zyxel Device uses this default record if the domain zone that needs to be resolved does not match any of the other domain zone forwarder records.
Domain
A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.
A “*” means all domain zones.
Type
This displays whether the DNS server IP address is assigned by the ISP dynamically through a specified interface or configured manually (User-defined).
DNS Server
This is the IP address of a DNS server. This field displays N/A if you have the Zyxel Device get a DNS server IP address from the ISP dynamically but the specified interface is not active.
Query Via
This is the interface through which the Zyxel Device sends DNS queries to the entry’s DNS server. If the Zyxel Device connects through a VPN tunnel, tunnel displays.
Security Option Control
Click the arrow in the Advanced Settings field to display this part of the screen. There are two control policies: Default Action and Customize Action.
Query Recursion
This displays if the Zyxel Device is allowed or denied to forward DNS client requests to DNS servers for resolution.
Additional Info from Cache
This displays if the Zyxel Device is allowed or denied to cache Resource Records (RR) obtained from previous DNS queries.
Source Address
These are the object addresses used in the control policy. RFC1918 refers to private IP address ranges. It can be modified in Object > Address.
Address/PTR Record
An address record contains the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address.
The Zyxel Device allows you to configure address records about the Zyxel Device itself or another device. This way you can keep a record of DNS names and addresses that people on your network may use frequently. If the Zyxel Device receives a DNS query for an FQDN for which the Zyxel Device has an address record, the Zyxel Device can send the IP address in a DNS response without having to query a DNS name server.
A PTR (pointer) record is also called a reverse record or a reverse lookup record. It is a mapping of an IP address to a domain name.
Adding an Address/PTR Record
The following table describes the labels in this screen.
System > DNS & DDNS > DNS > Address/PTR Record > Add
label
description
Hostname
Enter the hostname of a server.
Domain
Type a Fully-Qualified Domain Name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top-level domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain. Underscores are not allowed.
Use "*." as a prefix in the FQDN for a wildcard domain name (for example, *.example.com).
IP Address
Enter the IP address of the host in dotted decimal notation.
Save changes
Click the Save changes icon to save your customized settings and exit this screen.
Cancel changes
Click the Cancel changes icon to exit this screen without saving.
CNAME Record
A Canonical Name Record or CNAME record is a type of resource record in the Domain Name System (DNS) that specifies that the domain name is an alias of another, canonical domain name. This allows users to set up a record for a domain name which translates to an IP address, in other words, the domain name is an alias of another. This record also binds all the subdomains to the same IP address without having to create a record for each, so when the IP address is changed, all subdomain’s IP address is updated as well, with one edit to the record.
For example, the domain name zyxel.com is hooked up to a record named A which translates it to 11.22.33.44. You also have several subdomains, like mail.zyxel.com, ftp.zyxel.com and you want this subdomain to point to your main domain zyxel.com. Edit the IP Address in record A and all subdomains will follow automatically. This eliminates chances for errors and increases efficiency in DNS management.
The following table describes the labels in this screen.
System > DNS & DDNS > DNS > CNAME Record > Add
label
description
Hostname
Enter the hostname of a server.
Domain
Type a Fully-Qualified Domain Name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top-level domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain. Underscores are not allowed.
Use "*." as a prefix in the FQDN for a wildcard domain name (for example, *.example.com).
Alias name
Enter an Alias Name. Use "*." as a prefix in the Alias name for a wildcard domain name (for example, *.example.com).
Save changes
Click the Save changes icon to save your customized settings and exit this screen.
Cancel changes
Click the Cancel changes icon to exit this screen without saving.
MX Record
A MX (Mail eXchange) record indicates which host is responsible for the mail for a particular domain, that is, controls where mail is sent for that domain. If you do not configure proper MX records for your domain or other domain, external email from other mail servers will not be able to be delivered to your mail server and vice versa. Each host or domain can have only one MX record, that is, one domain is mapping to one host.
Adding a MX Record
Click the Add icon in the MX Record table to add a MX record.
The following table describes the labels in this screen.
System > DNS & DDNS > MX Record > Add 
Label
Description
Hostname
Enter the hostname of a server.
Domain
Enter the domain name where the mail is destined for.
IP/FQDN
Enter the IP address or Fully-Qualified Domain Name (FQDN) of a mail server that handles the mail for the domain specified in the field above.
Save changes
Click the Save changes icon to save your customized settings and exit this screen.
Cancel changes
Click the Cancel changes icon to exit this screen without saving.
Domain Zone Forwarder
A domain zone forwarder contains a DNS server’s IP address. The Zyxel Device can query the DNS server to resolve domain zones for features like VPN, DDNS and the time server. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.
Adding a Domain Zone Forwarder
The following table describes the labels in this screen.
System > DNS & DDNS > DNS > Domain Zone Forwarder > Add 
Label
Description
Domain
A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. For example, whenever the Zyxel Device receives needs to resolve a zyxel.com.tw domain name, it can send a query to the recorded name server IP address.
Enter * if all domain zones are served by the specified DNS server(s).
Type
This displays whether the DNS server IP address is assigned by the ISP dynamically through a specified interface or configured manually (User-defined).
DNS Server
Select DNS Server(s) from ISP if your ISP dynamically assigns DNS server information. You also need to select an interface through which the ISP provides the DNS server IP address(es). The interface should be activated and set to be a DHCP client. The fields below display the (read-only) DNS server IP address(es) that the ISP assigns. N/A displays for any DNS server IP address fields for which the ISP does not assign an IP address.
Select Public DNS Server if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. The Zyxel Device must be able to connect to the DNS server without using a VPN tunnel. The DNS server could be on the Internet or one of the Zyxel Device’s local networks. You cannot use 0.0.0.0.
Select Private DNS Server if you have the IP address of a DNS server to which the Zyxel Device connects through a VPN tunnel. Enter the DNS server's IP address in the field to the right. You cannot use 0.0.0.0.
Query Via
Use the Query Via field to select the interface through which the Zyxel Device sends DNS queries to a DNS server.
Save changes
Click the Save changes icon to save your customized settings and exit this screen.
Cancel changes
Click the Cancel changes icon to exit this screen without saving.
Security Option Control
Configure the Security Option Control section in the System > DNS & DDNS > DNS screen if you suspect the Zyxel Device is being used by hackers in a DNS amplification attack.
One possible strategy would be to deny Query Recursion and Additional Info from Cache in the default policy and allow Query Recursion and Additional Info from Cache only from trusted DNS servers identified by address objects and added as members in the customized policy.
Editing a Security Option Control
Use this screen to change allow or deny actions for Query Recursion and Additional Info from Cache.
The following table describes the labels in this screen.
System > DNS & DDNS > DNS >Security Option Control
Label
Description
Query Recursion
Choose if the Zyxel Device is allowed or denied to forward DNS client requests to DNS servers for resolution. This can apply to specific open DNS servers using the address objects in a customized rule.
Additional Info from Cache
Choose if the Zyxel Device is allowed or denied to cache Resource Records (RR) obtained from previous DNS queries.
Source Address
This field displays address objects created in Object > Address. Select one or more address object(s) to have it (them) to apply to this rule. For example, you could specify an open DNS server suspect of sending compromised resource records by adding an address object for that server to the member list.
Apply
Click Apply to save your customized settings and exit this screen.
Cancel
Click Cancel to return the screen to its last-saved settings.
The DDNS Screen
The DDNS screen provides a summary of all DDNS domain names and their configuration. In addition, this screen allows you to add new domain names, edit the configuration for existing domain names, and delete domain names. The following table describes the labels in this screen.
System > DNS & DDNS > DDNS 
Label
Description
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Status
This icon is lit when the entry is active and dimmed when the entry is inactive.
Profile Name
This field displays the descriptive profile name for this entry.
DDNS Type
This field displays which DDNS service you are using.
Domain Name
This field displays each domain name the Zyxel Device can route.
Primary Interface/IP
This field displays the interface to use for updating the IP address mapped to the domain name followed by how the Zyxel Device determines the IP address for the domain name.
from interface - The IP address comes from the specified interface.
auto detected -The DDNS server checks the source IP address of the packets from the Zyxel Device for the IP address to use for the domain name.
custom - The IP address is static.
Backup Interface/IP
This field displays the alternate interface to use for updating the IP address mapped to the domain name followed by how the Zyxel Device determines the IP address for the domain name. The Zyxel Device uses the backup interface and IP address when the primary interface is disabled, its link is down or its connectivity check fails.
from interface - The IP address comes from the specified interface.
auto detected -The DDNS server checks the source IP address of the packets from the Zyxel Device for the IP address to use for the domain name.
custom - The IP address is static.
Apply
Click this button to save your changes to the Zyxel Device.
Cancel
Click this button to return the screen to its last-saved settings.
The DDNS Add/Edit Screen
The DDNS Add/Edit screen allows you to add a domain name to the Zyxel Device or to edit the configuration of an existing domain name. he following table describes the labels in this screen.
System > DNS & DDNS > DDNS > Add/Edit 
Label
Description
Enable Profile
Slide the switch to the right to use this DDNS entry.
Profile Name
When you are adding a DDNS entry, type a descriptive name for this DDNS entry in the Zyxel Device. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
This field is read-only when you are editing an entry.
DDNS Type
Select the type of DDNS service you are using.
Select User custom to create your own DDNS service and configure the DDNS Server URL Hostname, URL Path, and Additional DDNS Options fields below.
HTTPS
Enable this to encrypt traffic using SSL (port 443), including traffic with username and password, to the DDNS server. Not all DDNS providers support this option.
Username
Type the user name used when you registered your domain name. You can use up to 31 alphanumeric characters and (:_.-@). Spaces are not allowed.
For a Dynu DDNS entry, this user name is the one you use for logging into the service, not the name recorded in your personal information in the Dynu website.
Password
Type the password provided by the DDNS provider. You can use up to 64 alphanumeric characters and the underscore. Spaces are not allowed.
Your password will be encrypted when you configure this field.
Retype to Confirm
Type the password again to confirm it.
DDNS Settings
 
Domain
Type the domain name you registered. You can use up to 255 characters.
Primary Address
Use these fields to set how the Zyxel Device determines the IP address that is mapped to your domain name in the DDNS server. The Zyxel Device uses the Backup Address if the interface specified by these settings is not available.
Interface
Select the interface to use for updating the IP address mapped to the domain name. Select Any to let the domain name be used with any interface.
IP Address
The options available in this field vary by DDNS provider.
Interface -The Zyxel Device uses the IP address of the specified interface. This option appears when you select a specific interface in the Primary Binding Address Interface field.
Auto - If the interface has a dynamic IP address, the DDNS server checks the source IP address of the packets from the Zyxel Device for the IP address to use for the domain name. You may want to use this if there are one or more NAT routers between the Zyxel Device and the DDNS server.
*The Zyxel Device may not determine the proper IP address if there is an HTTP proxy server between the Zyxel Device and the DDNS server.
Custom IP - If you have a static IP address, you can select this to use it for the domain name. The Zyxel Device still sends the static IP address to the DDNS server. Type the IP address in the user defined field or you can select an address object to use for the domain name.
Public IP - Select this if your Zyxel Device is behind a NAT router, and the NAT router has a public WAN IP address. The DDNS provider will use the public WAN IP address of the NAT router for domain name mapping of the Zyxel Device.
Backup Address
Use these fields to set an alternate interface to map the domain name to when the interface specified by the Primary Interface settings is not available.
Interface
Select the interface to use for updating the IP address mapped to the domain name. Select Any to let the domain name be used with any interface. Select None to not use a backup address.
IP Address
The options available in this field vary by DDNS provider.
Interface -The Zyxel Device uses the IP address of the specified interface. This option appears when you select a specific interface in the Backup Binding Address Interface field.
Auto -The DDNS server checks the source IP address of the packets from the Zyxel Device for the IP address to use for the domain name. You may want to use this if there are one or more NAT routers between the Zyxel Device and the DDNS server.
*The Zyxel Device may not determine the proper IP address if there is an HTTP proxy server between the Zyxel Device and the DDNS server.
Custom IP - If you have a static IP address, you can select this to use it for the domain name. The Zyxel Device still sends the static IP address to the DDNS server. Type the IP address in the user defined field or you can select an address object to use for the domain name.
Public IP - Select this if your Zyxel Device is behind a NAT router, and the NAT router has a public WAN IP address. The DDNS provider will use the public WAN IP address of the NAT router for domain name mapping of the Zyxel Device.
Enable Checking Public IP
Checking Public IP URL
Type the URL the Zyxel Device uses to check its public WAN IP address for DDNS updates. Use “http://” or “https://” followed by up to 255 characters (a-zA-Z0-9/?@=.&_-). This field is only available when the IP Address is Public IP.
Check Period
Type the number of minutes between URL check attempts. Enter a number between 5 and 1440. This field is only available when the IP Address is Public IP.
URL Hostname
This field is only available when the DDNS Type is User Custom. Type the FQDN of the server that will host the DDSN service.
URL Path
This field is only available when the DDNS Type is User Custom. Type the URL that can be used to access the server that will host the DDSN service.
Additional DDNS Options
These are the options supported at the time of writing:
dyndns_system to specify the DYNDNS Server type - for example, dyndns@dyndns.org
ip_server_name which should be the URL to get the server’s public IP address - for example, http://myip.easylife.tw/
Advanced Settings
Click the arrow in the Advanced Settings field to show the following options.
Enable Wildcard
Enable the wildcard feature to alias subdomains to be aliased to the same IP address as your (dynamic) domain name. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname.
Mail Exchanger
DynDNS can route email for your domain name to a mail server (called a mail exchanger). For example, DynDNS routes email for john-doe@yourhost.dyndns.org to the host record specified as the mail exchanger.
If you are using this service, type the host record of your mail server here. Otherwise leave the field blank.
See www.dyndns.org for more information about mail exchangers.
Backup Mail Exchanger
Select this check box if you are using DynDNS’s backup service for email. With this service, DynDNS holds onto your email if your mail server is not available. Once your mail server is available again, the DynDNS server delivers the mail to you. See www.dyndns.org for more information about this service.
Apply
Click this button to save your changes to the Zyxel Device.
Cancel
Click this button to return the screen to its last-saved settings.
SNMP
Simple Network Management Protocol is a protocol used for exchanging management information between network devices. Your Zyxel Device supports SNMP agent functionality, which allows a manager station to manage and monitor the Zyxel Device through the network. The Zyxel Device supports SNMP version one (SNMPv1), version two (SNMPv2c) and version 3 (SNMPv3).
An SNMP managed network consists of two main types of component: agents and a manager.
An agent is a management software module that resides in a managed device (the Zyxel Device). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices.
The managed devices contain object variables/managed objects that define each piece of information to be collected about a device. Examples of variables include such as number of packets received, node port status etc. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects.
SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:
Get - Allows the manager to retrieve an object variable from the agent.
GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
Set - Allows the manager to set values for object variables within an agent.
Trap - Used by the agent to inform the manager of some events.
SNMPv3 and Security
SNMPv3 enhances security for SNMP management using authentication and encryption. SNMP managers can be required to authenticate with agents before conducting SNMP management sessions.
Security can be further enhanced by encrypting the SNMP messages sent from the managers. Encryption protects the contents of the SNMP messages. When the contents of the SNMP messages are encrypted, only the intended recipients can read them.
Supported MIBs
The Zyxel Device supports MIB II that is defined in RFC-1213 and RFC-1215. The Zyxel Device also supports private MIBs (zywall.mib and zyxel-zywall-ZLD-Common.mib) to collect information about CPU and memory usage and VPN total throughput. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. You can download the Zyxel Device’s MIBs from www.zyxel.com.
SNMP Traps
The Zyxel Device will send traps to the SNMP manager when any one of the following events occurs.
SNMP Traps 
OBJECT LABEL
OBJECT ID
description
Cold Start
1.3.6.1.6.3.1.1.5.1
This trap is sent when the Zyxel Device is turned on or an agent restarts.
linkDown
1.3.6.1.6.3.1.1.5.3
This trap is sent when the Ethernet link is down.
linkUp
1.3.6.1.6.3.1.1.5.4
This trap is sent when the Ethernet link is up.
authenticationFailure
1.3.6.1.6.3.1.1.5.5
This trap is sent when an SNMP request comes from non-authenticated hosts.
vpnTunnelDisconnected
1.3.6.1.4.1.890.1.6.22.2.3
This trap is sent when an IPSec VPN tunnel is disconnected.
vpnTunnelName
1.3.6.1.4.1.890.1.6.22.2.2.1.1
This trap is sent along with the vpnTunnelDisconnected trap. This trap carries the disconnected tunnel’s IPSec SA name.
vpnIKEName
1.3.6.1.4.1.890.1.6.22.2.2.1.2
This trap is sent along with the vpnTunnelDisconnected trap. This trap carries the disconnected tunnel’s IKE SA name.
vpnTunnelSPI
1.3.6.1.4.1.890.1.6.22.2.2.1.3
This trap is sent along with the vpnTunnelDisconnected trap. This trap carries the security parameter index (SPI) of the disconnected VPN tunnel.
Configuring SNMP
Use this screen to configure your SNMP settings, including from which zones SNMP can be used to access the Zyxel Device. You can also specify from which IP addresses the access can come.
The following table describes the labels in this screen.
System > SNMP 
Label
Description
SNMP
Enable this to allow to access the Zyxel Device using this service.
Server Port
The SSH port is 161 by default. You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
SNMP V1
SNMP version 1 is a basic protocol used for network management, enabling devices to communicate status and performance data to a central management system.
The SNMP version on the Zyxel Device must match the version on the SNMP manager.
SNMP V2C
SNMP V2C improves on SNMPv1 with enhanced performance, error handling, and support for bulk data retrieval, using community-based security for network management.
Select the SNMP version for the Zyxel Device. The SNMP version on the Zyxel Device must match the version on the SNMP manager.
SNMP Community
 
Community 1/2
Enter the community, which is the password for the incoming Get or Set requests from the management station. You can use up to 64 single-byte characters, including 0-9a-zA-Z_.-. The first character cannot be a period (.).
Community 1/2 Authorization
Select the access rights to the community.
read-write: A read-write community string enables users to both retrieve and modify device data, allowing for comprehensive network management and configuration.
read-only: A read-only community string allows the retrieval of device data for monitoring but prevents any configuration changes
Trap
 
Destination
Type the IP address of the station to send your SNMP traps to.
Community
A Trap community in SNMP is a string used to define the group or community to which an SNMP agent sends trap messages (alerts). It acts as a password-like identifier, ensuring that trap notifications are sent to authorized network management systems (NMS) that belong to the specified community.
The community string of the Trap is not mandatory. If filled in, it must be consistent with the string of SNMP community 1 or community 2.
SNMPV3
Select the SNMP version for the Zyxel Device. The SNMP version on the Zyxel Device must match the version on the SNMP manager. SNMPv3 (RFCs 3413 to 3415) provides secure access by authenticating and encrypting data packets over the network. The Zyxel Device uses your login password as the SNMPv3 authentication and encryption passphrase.
*Your login password must consist of at least 8 printable characters for SNMPv3. An error message will display if your login password has fewer characters.
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
User
This displays the name of the user object to be sent to the SNMP manager along with the SNMP v3 trap.
Authentication
This displays the authentication algorithm used for this entry. MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to authenticate SNMP data. SHA authentication is generally considered stronger than MD5, but is slower.
Privacy
This displays the encryption method for SNMP communication from this user. Methods available are:
DES - Data Encryption Standard is a widely used (but breakable) method of data encryption. It applies a 56-bit key to each 64-bit block of data.
AES - Advanced Encryption Standard is another method for data encryption that also uses a secret key. AES applies a 128-bit key to 128-bit blocks of data.
Apply
Click Apply to save your changes back to the Zyxel Device.
Cancel
Click Cancel to return the screen to its last-saved settings.
Add SNMP V3 User
Use the username and password of the login accounts you specify in this screen to create accounts on the SNMP v3 manager.
The following table describes the labels in this screen.
System > SNMPV3 > Add  
LABEL
Description
User
Specify the username of a login account on the Zyxel Device. The associated password is used in authentication algorithms and encryption methods. It must begin with a letter and cannot exceed 31 characters. The valid characters are [0-9][a-z][A-Z][_-.].
Password
Enters a password consists of eight characters. Your login password must consist of at least 8 printable characters for SNMPv3.
User Authentication
Select an authentication algorithm. MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to authenticate SNMP data. SHA authentication is generally considered stronger than MD5, but is slower.
Privacy
Specify the encryption method for SNMP communication from this user. You can choose one of the following:
DES - Data Encryption Standard is a widely used (but breakable) method of data encryption. It applies a 56-bit key to each 64-bit block of data.
AES - Advanced Encryption Standard is another method for data encryption that also uses a secret key. AES applies a 128-bit key to 128-bit blocks of data.
Group
Select the access rights to MIBs:
read-write - The associated user can create and edit the MIBs on the Zyxel Device, except the user account.
read-only - The associated user can only collect information from the Zyxel Device.
Apply
Click Apply to save your changes back to the Zyxel Device.
Cancel
Click Cancel to return the screen to its last-saved settings.
Notification
Use these screens to configure the mail server settings and alert settings.
The Mail Server Screen
Use this screen to configure a mail server so you can receive reports and notification emails such as when your password is about to expire. After you configure the screen, you can test the settings in Maintenance > Diagnostics > Network Tool and then select Test Email Server. See Log & Report > Email Daily Report to configure what reports to send and to whom.
The following table describes the labels in this screen.
System > Notification > Mail Server 
Label
Description
Mail Server
Type the name or IP address of the outgoing SMTP server.
Port
Enter the same port number here as is on the mail server for mail traffic.
TLS Security
Enable this if the mail server uses Transport Layer Security (TLS) for encrypted communications between the mail server and the Zyxel Device.
STARTTLS
Enable this if the mail server uses SSL or TLS for encrypted communications between the mail server and the Zyxel Device.
Authenticate Server
Enable this if the Zyxel Device authenticates the mail server in the TLS handshake.
SMTP Authentication
Select this check box if it is necessary to provide a user name and password to the SMTP server.
User Name
This box is effective when you select the SMTP Authentication check box. Type the user name to provide to the SMTP server when the log is emailed. Use up to 30 characters, including 0-9a-zA-Z@._-
Password
This box is effective when you select the SMTP Authentication check box. Type a password to provide to the SMTP server when the log is emailed. Use 4 to 63 characters, including 0-9a-zA-Z‘~!@#$%^&*()_+={}|\;:”<>’./
Retype
Type the password again to make sure that you have entered is correctly.
Default Sender and Recipient
Send From
Type the default email address from which the outgoing email is delivered. This address is used in replies. The value should be an email address. It can be up to 83 characters. The valid characters are [a-z][A-Z][/=?^_.{|}~w-!#$%*+].
The entry will be automatically filled into other sender fields in the web configurator and cannot be edited:
The Email From field in the Log & Report > Email Daily Report.
The Send From field in System > Notification > Alert > Event Notification/Log Alert.
Recipient
Enter the email address of the recipient to whom the outgoing email is sent. This is the address that will receive the email. It can be up to 83 characters. The valid characters are [a-z][A-Z][/=?^_.{|}~w-!#$%*+].
The entry will be automatically filled into other recipient fields in the web configurator and can be edited:
The Email To field in Log & Report > Email Daily Report.
The Recipients field in System > Notification > Alert > Event Notification/Log Alert.
The Recipients field in Maintenance > Firmware/File Manager > Configuration File.
Send Test Email
Click this button to send an email to the default mail to recipient to test if the email can be successfully received.
Apply
Click Apply to save your changes back to the Zyxel Device.
Cancel
Click Cancel to return the screen to its last-saved settings.
The Alert Screen
The following table describes the labels in this screen.
System > Notification > Alert
Label
Description
Event Notification
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms if you want to remove it before doing so.
Active
To turn on an entry, select it and click Activate.
Inactive
To turn off an entry, select it and click Inactivate.
#
This field is a sequential value and is not associated with any entry.
Status
This field displays the current status of each profile.
Event
This field displays the type(s) of event to create a log or send an email notification.
Action
This field displays the action to take when specified type(s) of events occur:
Email: Create a log and send an email notification.
Log: Create a log.
Description
This field displays the profile’s description.
Log Alert
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms if you want to remove it before doing so.
Active
To turn on an entry, select it and click Activate.
Inactive
To turn off an entry, select it and click Inactivate.
#
This field is a sequential value and is not associated with any entry.
Status
This field displays the current status of each profile.
Category
This field displays the type(s) of log to send an email notification.
Description
This field displays the profile’s description.
The Event Notification Add/Edit Screen
Event Notification Add/Edit Event Notification Add/EditThe following table describes the labels in this screen.
System > Notification > Alert Event Notification Add/Edit  
Label
Description
Enable
Enable this to create a log or send an email notification when the specified type(s) of event occur.
Event
Select the type(s) of event to create a log or send an email notification.
Description
Enter a description of this policy to identify it. You can use up to 512 single-byte characters, special characters and spaces are allowed.
Alert Inhibition
Enable this to temporarily stop receiving notifications for CPU Usage over Threshold, Memory Usage over Threshold, Temperature too high (CPU, Switch, Board), USB Disk Full Alert, USB Disk Full Warning, and Storage Usage over Threshold. Other event types will not be affected.
Interval
Specify how long to stop receiving the above notifications. The range is from 5 to 1440 minutes. The default is 60 minutes.
Action
Select the action to take when specified type(s) of event occur:
Email: Create a log and send an email notification when the selected type(s) of event occur.
Log: Create a log when the selected type(s) of event occur.
Email Subject
Enter the subject line for the outgoing email with 1-128 characters. It may consist of letters, numbers, and the following special characters: '()+,./:=?;!*#@$_%-. If you leave this field blank, the email subject will be the event name(s).
Send From
Enter the email address from which the outgoing email is delivered. This address is used in replies.
Recipients
Enter up to 83 characters for the email address of the receiver. It may consist of letters, numbers, and the following special characters: /=?^_.{|}~w-!#$%*+. You can enter up to five recipients.
Cancel
Click Cancel to return the screen to its last-saved settings.
Apply
Click Apply to save your settings to the Zyxel Device.
The Log Alert Add/Edit Screen
Log Alert Add/Edit Log Alert Add/EditThe following table describes the labels in this screen.
System > Notification > Alert Log Alert Add/Edit
Label
Description
Send Alert
Enable this to send an email notification when the specified type(s) of log occur.
Category
Select the type(s) of log to send an email notification.
Description
Enter a description of this policy to identify it. You can use up to 512 single-byte characters, special characters and spaces are allowed.
Email Subject
Enter the subject line for the outgoing email with 1-128 characters. It may consist of letters, numbers, and the following special characters: '()+,./:=?;!*#@$_%-
Send From
Enter the email address from which the outgoing email is delivered. This address is used in replies.
Recipients
Enter up to 83 characters for the email address of the receiver. It may consist of letters, numbers, and the following special characters: /=?^_.{|}~w-!#$%*+. You can enter up to five recipients.
Cancel
Click Cancel to return the screen to its last-saved settings.
Apply
Click Apply to save your settings to the Zyxel Device.
Certificate Overview
The Zyxel Device can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.
When using public-key cryptology for authentication, each host has two keys. One key is public and can be made openly available. The other key is private and must be kept secure.
These keys work like a handwritten signature (in fact, certificates are often referred to as “digital signatures”). Only you can write your signature exactly as it should look. When people know what your signature looks like, they can verify whether something was signed by you, or by someone else. In the same way, your private key “writes” your digital signature and your public key allows people to verify whether data was signed by you, or by someone else. This process works as follows.
1 Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key).
2 Tim keeps the private key and makes the public key openly available. This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not.
3 Tim uses his private key to sign the message and sends it to Jenny.
4 Jenny receives the message and uses Tim’s public key to verify it. Jenny knows that the message is from Tim, and that although other people may have been able to read the message, no-one can have altered it (because they cannot re-sign the message with Tim’s private key).
5 Additionally, Jenny uses her own private key to sign a message and Tim uses Jenny’s public key to verify the message.
The Zyxel Device uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection. For example, a VPN tunnel might use the triple DES encryption algorithm.
The certification authority uses its private key to sign certificates. Anyone can then use the certification authority’s public key to verify the certificates.
A certification path is the hierarchy of certification authority certificates that validate a certificate. The Zyxel Device does not trust a certificate if any certificate on its path has expired or been revoked.
Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The Zyxel Device can check a peer’s certificate against a directory server’s list of revoked certificates. The framework of servers, software, procedures and policies that handles keys is called PKI (public-key infrastructure).
Advantages of Certificates
Certificates offer the following benefits.
The Zyxel Device only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate.
Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys.
Self-signed Certificates
You can have the Zyxel Device act as a certification authority and sign its own certificates.
Factory Default Certificate
The Zyxel Device generates its own unique self-signed certificate when you first turn it on. This certificate is referred to in the GUI as the factory default certificate.
Certificate File Formats
Any certificate that you want to import has to be in one of these file formats:
Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form.
Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. A PKCS #7 file is used to transfer a public key certificate. The private key is not included. The Zyxel Device currently allows the importation of a PKS#7 file that contains a single certificate.
PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS#7 certificate into a printable form.
Binary PKCS#12: This is a format for transferring public key and private key certificates. The private key in a PKCS #12 file is within a password-encrypted envelope. The file’s password is not connected to your certificate’s public or private passwords. Exporting a PKCS #12 file creates this and you must provide it to decrypt the contents when you import the file into the Zyxel Device.
*Be careful not to convert a binary file to text during the transfer process. It is easy for this to occur since many programs use text files by default.
Verifying a Certificate
Before you import a trusted certificate into the Zyxel Device, you should verify that you have the correct certificate. You can do this using the certificate’s fingerprint. A certificate’s fingerprint is a message digest calculated using the MD5 or SHA1 algorithm. The following procedure describes how to check a certificate’s fingerprint to verify that you have the actual certificate.
1 Browse to where you have the certificate saved on your computer.
2 Make sure that the certificate has a “.cer” or “.crt” file name extension.
3 Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.
4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may very based on your situation. Possible examples would be over the telephone or through an HTTPS connection.
My Certificates
This is the Zyxel Device’s summary list of certificates and certification requests.
The following table describes the labels in this screen.
System > My Certificates 
Label
Description
Add
Click this to go to the screen where you can have the Zyxel Device generate a certificate or a certification request.
Edit
Double-click an entry or select it and click Edit to open a screen with an in-depth list of information about the certificate.
Remove
The Zyxel Device keeps all of your certificates unless you specifically delete them. Uploading a new firmware or default configuration file does not delete your certificates. To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Subsequent certificates move up by one when you take this action.
Reference
Select an entry and click Reference to check which settings use the entry.
Email
Click this to email the selected certificate to the configured email address(es) for SSL or site to site VPN connection establishment. This enables you to establish an connection on your laptops, tablets, or smartphones.
Click this and the following screen will appear.
Here are the field descriptions:
Email Subject: Type the subject line for outgoing email from the Zyxel Device. Enter a email subject text of 1-60 characters. It may consist of letters, numbers, and the following special characters: ‘()+,./:=?;!*#@$%-
Email To: Type the email address to which the outgoing email is delivered using up to 83 characters.
Email Content: Create the email content in English, and use up to 250 keyboard characters. The special characters listed in the brackets [0-9a-zA-Z!”#$%&’()*+,-./:;<=>@\[]^_‘{}|] are allowed.
Cancel: Click this to return to the previous screen without saving your changes.
Send Email: Click this to send the selected certificate.
 
Import
Click Import to open a screen where you can save the certificate of a certification authority that you trust, from your computer to the Zyxel Device.
Export
Click this and the following screen will appear.
Type the selected certificate’s password and save the selected certificate to your computer.
Name
This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name.
Type
This field displays what kind of certificate this is.
REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request.
SELF represents a self-signed certificate.
CERT represents a certificate issued by a certification authority.
Subject
This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Issuer
This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
Valid From
This field displays the date that the certificate becomes applicable.
Valid To
This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired.
Reference
You cannot delete certificates that any of the Zyxel Device’s features are configured to use. Select an entry and click References to open a screen that shows which settings use the entry.
The My Certificates Add Screen
Use this screen to have the Zyxel Device create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.
If you configured the My Certificate > Add screen to have the Zyxel Device enroll a certificate and the certificate enrollment is not successful, you will not see the certificate you configured in the My Certificates screen after you click Apply. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the Zyxel Device to enroll a certificate online.
The following table describes the labels in this screen.
System > My Certificates > Add 
Label
Description
Name
Type a name to identify this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
Subject Information
Use these fields to record information that identifies the owner of the certificate. You do not have to fill in every field, although you must specify a Host IP Address, Host Domain Name, or E-Mail. The certification authority may add fields (such as a serial number) to the subject information when it issues a certificate. It is recommended that each certificate have unique subject information.
Select a radio button to identify the certificate’s owner by IP address, domain name or email address. Type the IP address (in dotted decimal notation), domain name or email address in the field provided. The domain name or email address is for identification purposes only and can be any string.
A domain name can be up to 30 characters. You can use alphanumeric characters and periods.
An email address can be up to 63 characters. You can use alphanumeric characters, the hyphen, the @ symbol, periods and the underscore.
Organizational Unit
Identify the organizational unit or department to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
Organization
Identify the company or group to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
Town (City)
Identify the town or city where the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
State (Province)
Identify the state or province where the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
Country
Enter a two-letter country code to Identify the nation where the certificate owner is located.
Key Type
This sets the certificate’s encryption algorithm and signature hash algorithm.
Encryption algorithms:
RSA: Rivest, Shamir and Adleman public-key algorithm.
DSA: Digital Signature Algorithm public-key algorithm.
ECDSA: Elliptic Curve Digital Signature Algorithm.
Signature hash algorithms:
SHA256
SHA384
SHA512
RSA and SHA256 are less secure but more compatible with different clients and applications. ECDSA and SHA512 are the more secure but less compatible.
Key Length
Select a number from the drop-down list box to determine how many bits the key should use (256 to 384). The longer the key, the more secure it is. A longer key also uses more PKI storage space. ECDSA keys are significant shorter than RSA and DSA keys, while offering equal or higher security.
LifeTimes
Select how long the certificate is valid. It can be valid from 1 to 10 years.
Extended Key Usage
 
Server Authentication
Select this to have Zyxel Device generate and store a request for server authentication certificate.
Client Authentication
Select this to have Zyxel Device generate and store a request for client authentication certificate.
IKE Intermediate
Select this to have Zyxel Device generate and store a request for IKE Intermediate authentication certificate.
Create a self-signed certificate
Select this to have the Zyxel Device generate the certificate and act as the Certification Authority (CA) itself. This way you do not need to apply to a certification authority for certificates.
Create a certification request and save it locally for later manual enrollment
Select this to have the Zyxel Device generate and store a request for a certificate. Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority.
Copy the certification request from the My Certificate Details screen and then send it to the certification authority.
Apply
Click Apply to save your changes back to the Zyxel Device.
Cancel
Click Cancel to return the screen to its last-saved settings.
The My Certificates Edit Screen
You can use this screen to view in-depth certificate information and change the certificate’s name.
The following table describes the labels in this screen.
System > My Certificates > Edit 
Label
Description
Name
This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
Type
This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate’s owner signed the certificate (not a certification authority). X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
Version
This field displays the X.509 version number.
Serial Number
This field displays the certificate’s identification number given by the certification authority or generated by the Zyxel Device.
Subject
This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O), State (ST), and Country (C).
Issuer
This field displays identifying information about the certificate’s issuing certification authority, such as Common Name, Organizational Unit, Organization and Country.
With self-signed certificates, this is the same as the Subject Name field.
“none” displays for a certification request.
Signature Algorithm
This field displays the type of algorithm that was used to sign the certificate. The Zyxel Device uses rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Some certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm).
Valid From
This field displays the date that the certificate becomes applicable. “none” displays for a certification request.
Valid To
This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired. “none” displays for a certification request.
Key Algorithm
This field displays the type of algorithm that was used to generate the certificate’s key pair (the Zyxel Device uses RSA encryption) and the length of the key set in bits (1024 bits for example).
Subject Alternative Name
This field displays the certificate owner‘s IP address (IP), domain name (DNS) or email address (EMAIL).
Key Usage
This field displays for what functions the certificate’s key can be used. For example, “DigitalSignature” means that the key can be used to sign certificates and “KeyEncipherment” means that the key can be used to encrypt text.
Extended Key Usage
This field displays how the Zyxel Device generates and stores a request for server authentication, client authentication, or IKE Intermediate authentication certificate.
Basic Constraint
This field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority’s certificate and “Path Length Constraint=1” means that there can only be one certification authority in the certificate’s path. This field does not display for a certification request.
PEM Encoded Format
This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses lowercase letters, uppercase letters and numerals to convert a binary certificate into a printable form.
You can copy and paste a certification request into a certification authority’s web page, an email that you send to the certification authority or a text editor and save the file on a management computer for later manual enrollment.
You can copy and paste a certificate into an email to send to friends or colleagues or you can copy and paste a certificate into a text editor and save the file on a management computer for later distribution (via external storage device for example).
MD5 Fingerprint
It is a unique 128-bit checksum value generated by the MD5 hashing algorithm, used to verify data integrity and identify cryptographic keys, though it is no longer considered secure.
SHA1 Fingerprint
It is a 160-bit hash value produced by the SHA-1 hashing algorithm, commonly used to verify data integrity and identify cryptographic keys, although it is now considered weak due to vulnerabilities.
Apply
Click Apply to save your changes back to the Zyxel Device.
Cancel
Click Cancel to return the screen to its last-saved settings.
The My Certificates Import Screen
Follow the instructions in this screen to save an existing certificate to the Zyxel Device.
*You can import a certificate that matches a corresponding certification request that was generated by the Zyxel Device. You can also import a certificate in PKCS#12 format, including the certificate’s public and private keys.
The certificate you import replaces the corresponding request in the My Certificates screen.
You must remove any spaces from the certificate’s filename before you can import it.
The following table describes the labels in this screen.
System > Certificate > My Certificates > Import 
Label
Description
File Path
Type in the location of the file you want to upload in this field or click Browse to find it.
You cannot import a certificate with the same name as a certificate that is already in the Zyxel Device.
Browse
Click Browse to find the certificate file you want to upload.
Password
This field only applies when you import a binary PKCS#12 format file. Type the file’s password that was created when the PKCS #12 file was exported.
OK
Click OK to save the certificate on the Zyxel Device.
Trusted Certificates
This screen displays a summary list of certificates that you have set the Zyxel Device to accept as trusted. The Zyxel Device also accepts any valid certificate signed by a certificate on this list as being trustworthy; thus you do not need to import any certificate that is signed by one of these certificates.
The following table describes the labels in this screen.
System > Certificate > Trusted Certificates 
Label
Description
Edit
Double-click an entry or select it and click Edit to open a screen with an in-depth list of information about the certificate.
Remove
The Zyxel Device keeps all of your certificates unless you specifically delete them. Uploading a new firmware or default configuration file does not delete your certificates. To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Subsequent certificates move up by one when you take this action.
Import
Click Import to open a screen where you can save the certificate of a certification authority that you trust, from your computer to the Zyxel Device.
Export
Click this and the following screen will appear.
Type the selected certificate’s password and save the selected certificate to your computer.
Name
This field displays the name used to identify this certificate.
Subject
This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Issuer
This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
Valid From
This field displays the date that the certificate becomes applicable.
Valid To
This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired.
The Trusted Certificates Edit Screen
Use this screen to view in-depth information about the certificate.
The following table describes the labels in this screen.
System > Certificate > Trusted Certificates > Edit 
Label
Description
Certification Path
Click the Refresh button to have this read-only text box display the end entity’s certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity’s certificate. If the issuing certification authority is one that you have imported as a trusted certificate, it may be the only certification authority in the list (along with the end entity’s own certificate). The Zyxel Device does not trust the end entity’s certificate and displays “Not trusted” in this field if any certificate on the path has expired or been revoked.
Refresh
Click Refresh to display the certification path.
Name
This field displays the identifying name of this certificate.
Type
This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate’s owner signed the certificate (not a certification authority). X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
Version
This field displays the X.509 version number.
Serial Number
This field displays the certificate’s identification number given by the certification authority.
Subject
This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).
Issuer
This field displays identifying information about the certificate’s issuing certification authority, such as Common Name, Organizational Unit, Organization and Country.
With self-signed certificates, this is the same information as in the Subject Name field.
Signature Algorithm
This field displays the type of algorithm that was used to sign the certificate. Some certification authorities use rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Other certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm).
Valid From
This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
Valid To
This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
Key Algorithm
This field displays the type of algorithm that was used to generate the certificate’s key pair (the Zyxel Device uses RSA encryption) and the length of the key set in bits (1024 bits for example).
Subject Alternative Name
This field displays the certificate’s owner‘s IP address (IP), domain name (DNS) or email address (EMAIL).
Key Usage
This field displays for what functions the certificate’s key can be used. For example, “DigitalSignature” means that the key can be used to sign certificates and “KeyEncipherment” means that the key can be used to encrypt text.
Extended Key Usage
This field displays the method that the Zyxel Device generates and stores a request for server authentication, client authentication, or IKE Intermediate authentication certificate.
Basic Constraint
This field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority’s certificate and “Path Length Constraint=1” means that there can only be one certification authority in the certificate’s path.
MD5 Fingerprint
It is a unique 128-bit checksum value generated by the MD5 hashing algorithm, used to verify data integrity and identify cryptographic keys, though it is no longer considered secure.
SHA1 Fingerprint
It is a 160-bit hash value produced by the SHA-1 hashing algorithm, commonly used to verify data integrity and identify cryptographic keys, although it is now considered weak due to vulnerabilities.
Certificate in PEM (Base-64) Encoded Format
This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses lowercase letters, uppercase letters and numerals to convert a binary certificate into a printable form.
You can copy and paste the certificate into an email to send to friends or colleagues or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution (via external storage device for example).
The Trusted Certificates Import Screen
Follow the instructions in this screen to save a trusted certificate to the Zyxel Device.
*You must remove any spaces from the certificate’s filename before you can import the certificate.
The following table describes the labels in this screen.
System > Certificate > Trusted Certificates > Import 
Label
Description
File Path
Type in the location of the file you want to upload in this field or click Browse to find it.
You cannot import a certificate with the same name as a certificate that is already in the Zyxel Device.
Browse
Click Browse to find the certificate file you want to upload.
OK
Click OK to save the certificate on the Zyxel Device.
Advanced
Use this screen to view UDP and ICMP timeout settings on your Zyxel Device and to enable or disable ARP spoofing prevention, device insight, and LLDP functions.
The following table describes the labels in this screen.
System > Advanced 
Label
Description
System Parameters
Name
This field displays the name of the system parameter.
UDP Timeout: After the UDP client sends a request to the server, if there is no response from the server within this set time, the Zyxel Device ends the UDP connection.
UDP Timeout Stream: The UDP client sends a request to the server and receives a response, but the connection is interrupted. If there is no further response from the server within this set time, the Zyxel Device ends the UDP connection
ICMP Timeout: This shows how long the Zyxel Device waits before considering the ICMP connection attempt a failure.
Description
This field displays the description of the system information.
Value
This field displays the value of the system information. Click the Edit icon to modify the value.
Additional Features
Enabled
Click this switch to enable or disable the feature. When the switch turns green, the function is enabled.
Name
This field displays the name of the following features.
ARP Spoofing Prevention
Enable this feature to prevent and create a log on the Zyxel Device when there is a fake ARP message that failed the ARP verification.
Category Query Fail-open
A category server classifies IP addresses and URLs to different categories, such as anonymizers, browser exploits, and malicious downloads. Enable this feature to allow traffic to bypass if the Zyxel Device cannot access the category server. Click on the Edit icon next to this field to configure more settings.
Use Log to generate a log (log)or not (no) when the query to the category server failed.
Device Insight
Enable this feature to collect status and basic information of the clients connected to the Zyxel Device.
Drop Invalid TCP Flags Pkt
Enable this feature to allow the Zyxel Device to inspect TCP packets and drop any with invalid flags, such as FIN + SYN, FIN + RST, and SYN + RST flag combinations. Click on the Edit icon next to this field to configure more settings.
Use Log to generate a log (log), log and alert (log alert) or not (no) when the Zyxel Device detects an invalid TCP flag.
Drop SYN with Payload Pkt
When setting up a TCP connection, a SYN packet is used during the initial handshake to establish connection between two network devices, and typically does not carry any data payload. A SYN packet with a payload may indicate a potential attack, such as a SYN flood. Enable this feature to allow your Zyxel Device to drop SYN packets with a payload. Click on the Edit icon next to this field to configure more settings.
Log: Generate a log (log), log and alert (log alert) or not (no) when there is a SYN packet with payload detected by the Zyxel Device.
Destination Port: Specify a destination port number to drop SYN packets with a payload sent to that port. If set to 0, SYN packets with a payload sent to any port will be dropped.
Payload Size (greater than or equal to): Specify the size (in bytes) to drop SYN packets with a payload of this size or larger.
LLDP
Link Layer Discovery Protocol (LLDP, IEEE 802.1AB) is a Layer 2 protocol that allows network devices to advertise their identity and capabilities on a LAN. Enable this feature to allow your Zyxel Device to share its identity and capabilities on the local network.
Description
This field displays what the feature does.