ZyXEL Communications ZyWall 2 Plus Firmware Release Notes


ZyXEL
Firmware Release Note
ZyWALL 2 Plus
Release 4.01(XU.0)
Date: October 16, 2006
Author: Keenboy Xu
Project Leader: Lorin Yeh


Summary of Contents for ZyXEL Communications ZyWall 2 Plus

  • Page 1: Cover: ZyXEL Firmware Release Note, ZyWALL 2 Plus, Release 4.01(XU.0), Date: October 16, 2006, Author: Keenboy Xu, Project Leader: Lorin Yeh
  • Page 2: Supported Platforms

    The C/I command "ip nat loopback off" turns it off. 7. When UPnP is on and the router is rebooted, Windows XP does not detect UPnP and does not refresh “My Network Places / Local Network”. Unplugging and re-plugging the network cable solves this problem.
  • Page 3: Known Issues

    the myzyxel.com. 13. Support Vantage CNM -- revision 2.2.00.61.03. Known Issues: [UPnP] 1. Sometimes the on-screen “Local Area Connection” icon for UPnP disappears. The icon shows again after restarting the PC. 2. When you use MSN Messenger, sometimes you fail to open special applications such as whiteboard, file transfer, video, etc.
  • Page 4 4. Symptom: PC can't ping the remote gateway through the VPN tunnel under this special topology. Condition: PC------LAN ZyWALL_A WAN-----------------LAN ZyWALL_B WAN-------Internet (192.168.1.33) (192.168.100.33) (192.168.100.1) (1) VPN configuration in ZyWALL_A: WAN IP Address=192.168.100.33, WAN IP Subnet Mask=255.255.255.0, Gateway IP Address=192.168.100.1. Gateway policy: Name=IKE1, Remote Gateway Address=192.168.100.1, Pre-Shared Key=12345678.
  • Page 5 10. Some pre-defined custom services can't be added to a firewall rule when configured from Vantage. For example: AX.25, IPv6, VNC, NTP and so on. 11. The “Mail Sender” field on the device/Log settings page hasn't been implemented on the Vantage side. [Symptom] Mbuf double free when adding firewall rules using CI commands. [Condition] (1).
  • Page 6 14. [Symptom] Blocking ActiveX & Java Applets via an IPSec tunnel fails. [Condition] HQ and branch office application scenario: PC1------------Branch_1(ZW2+)-----------HQ(ZW2+)----------Branch_2(ZW35)---- (192.168.2.0) ----------PC2 (192.168.4.0) DUT1 (HQ): (1). Register the CF service; enable Content Filter and Content Filter for traffic that matches the IPSec Policy. (2).
  • Page 7 4) Select Type of Virtual Address Mapping Rule “Many-to-One”. 5) Click the “Port Forwarding Rules” button, then click the help page. 6) There is no help page. 2. [BUG FIX] Symptom: Some information on the eWC/Home page is different from ZW5 4.01. Condition: 1) There is no MAC address on System Information.
  • Page 8 5. [ENHANCEMENT] Symptom: The device accepts a blank password for the login user. Condition: For example, in eWC/MAINTENANCE/Password, enter the old password and leave the New Password and Retype to Confirm fields blank; the new password is applied and it is blank. Modifications in V 4.01(XU.0)b2 | 09/13/2006 1.
  • Page 9 1) DUT1 in bridge mode; create a VPN1 rule. 2) In VPN Global Setting, adjust TCP Maximum Segment Size=1000. 3) DUT2 in router mode; create a VPN2 rule. 4) FTP from DUT2 PC2 (ftp client) to DUT1 PC1 (ftp server). 5) A sniffer capture always shows the FTP data size is 536 bytes.
  • Page 10 can set Start port to End port on ZW5. 6) SMT WLAN Zone is different. 11. [BUG FIX] 060817054 Symptom: With ZW2 Plus V4.01(XU.0)b1 behind a ZyWALL 35 (V4.01) IP alias, the VPN tunnel cannot work. Topology: pc1---(L)zw2-1(W)---(L)zw35(L)---(W)zw2-2(L)---pc2; zw35 LAN IP: ip alias1: 10.10.10.1, ip alias2: 172.172.172.1; zw2-1 WAN IP: 10.10.10.200 (bridge mode)
  • Page 11 1) Add a new argument "mss" to configure the MSS value. 2) After finishing the configuration, the interface information will be displayed. Usage: ip ifconfig [iface] [ipaddr</mask bits>] <broadcast [addr]> <mtu [value]> <mss [value]> <dynamic> <showoff> Ex: ip ifconfig enif1 192.168.70.222/24 broadcast 192.168.70.250 mtu 1500 mss 1460.
  • Page 12: Appendix 1 Remote Management Enhancement (Add Snmp & Dns Control)

    (1) The default value for the Server access rule is ALL. (2) Under the default setting, you can set up Menu 15 to forward the server to a LAN IP address. Thus you can configure the router through the WAN without modifying the server management or filter settings.
  • Page 13: Appendix 2 Trigger Port

    When the requested data wants to come back in through the firewall, the router uses the port mapping rules that are linked to the trigger, and the IP address of the computer that "pulled" the trigger, to get the data back to the proper computer.
  • Page 14 (1) Trigger events can't happen on data coming from outside the firewall because the NAT router's sharing function doesn't work in that direction. (2) Only one computer can use a port or port range at a time on a given real (ISP...
  • Page 15: Appendix 3 Hard-Coded Packet Filter For "Netbios Over Tcp/Ip" (Nbt)

    The new set of C/I commands is under the "sys filter netbios" sub-command. Default values for any direction are “Forward”, and trigger dial is “Disabled”. There are two CI commands: (1) "sys filter netbios disp": displays the current filter mode. Example output: =============== NetBIOS Filter Status =============== LAN to WAN:...
  • Page 16: Appendix 4 Traffic Redirect/Static Route Application Note

    Step 1. The PC sends outgoing traffic through the ZyWALL because the ZyWALL is its assigned default gateway. Step 2. The ZyWALL then redirects the traffic to another gateway (ISDN/Router) as expected. Step 3. But the return traffic does not go through the ZyWALL because the gateway (say, P201) and the PC are on the same IP network.
  • Page 17 Figure 4-2 Gateway on alias IP network. (2) Gateway on WAN side: a working topology is suggested below. Figure 4-3 Gateway on WAN side...
  • Page 18: Appendix 5 Ipsec Fqdn Support

    If ZyWALL A wants to build a VPN tunnel with ZyWALL B by passing through Router C with NAT, A cannot see B; it has to set its secure gateway to C. However, ZyWALL B will send its packets with its own IP and its ID to ZyWALL A. The IP will be NATed by Router C, but the ID will remain as ZyWALL B sent it.
  • Page 19 0.0.0.0 a.b.c.d (NOT 0.0.0.0) a.b.c.d Blank a.b.c.d e.f.g.h *Runtime Check: During IKE negotiation, we check the ID of the incoming packet and see if it matches our setting of “Peer ID Type” and “Peer ID Content”. Summary: 1. When Local ID Content is blank or 0.0.0.0, during IKE negotiation, my ID content will be “My IP Addr”...
  • Page 20: Appendix 6 Dns Servers For Ipsec Vpn Note

    DNS Domain Names: DNS (Domain Name System) is a system for naming computers and network services that is organized into a hierarchy of domains. DNS services provided by the DNS server can resolve the name to other information associated with the name, such as an IP address.
  • Page 21 Ethernet Related Command AUX Related Command IPSec Related Command Firewall Related Command Vantage Related Command Flag : R: This command can be used in Router Mode B: This command can be used in Bridge Mode System Related Command Command adjtime cbuf...
  • Page 22 attack [0:none/1:log/2:alert/3:both] display error [0:none/1:log/2:alert/3:both] ipsec [0:none/1:log/2:alert/3:both] ike [0:none/1:log/2:alert/3:both] javablocked [0:none/1:log] mten [0:none/1:log] packetfilter [0:none/1:log] pki [0:none/1:log/2:alert/3:both] tcpreset [0:none/1:log] upnp [0:none/1:log] urlblocked [0:none/1:log/2:alert/3:both] urlforward [0:none/1:log] clear display [access|attack|error|ipsec|ike|javab locked|mten|packetfilter|pki|tcpre set|urlblocked|urlforward] errlog clear disp online load mail alertAddr [mail address] display logAddr [mail address] schedule display schedule hour [0-23]...
  • Page 23 R + B clear system mbuf count R + B R + B switch router and bridge mode R + B Set or display the password error blocking timeout value. load remote node information display remote node information...
  • Page 24 romreset server access <telnet|ftp|web|icmp|snmp|dns> <value> load disp port <telnet|ftp|web|snmp> <port> save secureip <telnet|ftp|web|icmp|snmp|dns> <ip> certificate <https|ssh> [certificate name] auth_client <https> [on|off] fwnotify load save <url> days <days> active <flag> disp check debug <flag> cmgr trace disp <ch-name> clear <ch-name> <ch-name> socket filter netbios...
  • Page 25 POE Related Command (All commands can only be used in Router Mode) status dial drop [0:no/1:yes] R + B <channel_name> <node#> R + B R + B R + B R + B disp <name>...
  • Page 26 PPTP Related Command (All commands can only be used in Router Mode) Command pptp dial drop tunnel AUX Related Command (All commands can only be used in Router Mode) Command atring disp...
  • Page 27 icmp-code <0~255> retrieve firewall save firewall custom-s ervice <entry#> display firewall set <set#> set <set#> attack e-mail custom-s ervice custom-s ervice <entry #> edit firewall e-mail attack rule <rule#> mail-server <mail server IP> return-addr <e-mail address> e-mail-to <e-mail address> policy <full | hourly |daily | weekly>...
  • Page 28 <0~255> max-incomp lete-high <0~255> max-incomp lete-low <0~255> tcp-max-inc omplete <0~255> set <set#> name <desired name> default-perm <forward|blo ck> icmp-timeou t <seconds> udp-idle-tim eout <seconds> connection-t imeout <seconds> fin-wait-tim eout <seconds> tcp-idle-time <seconds> <yes|no> log <yes|no> logone <yes|no> rule <rule#> action <permit | drop | reject>...
  • Page 29 delete firewall e-mail attack set <set#> set <set#> insert firewall e-mail attack set <set#> set <set#> IP Related Command address alias aliasdis disp enable disable siptimeout status dhcp destaddr-single <ip address> destaddr-subnet <ip address> <subnet mask> destaddr-range <start ip address> <end ip address>...
  • Page 30 R + B R + B set http debug flag R + B display icmp statistic counter R + B set icmp router discovery flag R + B configure network interface...
  • Page 31 ping <hostid> route status [if] <dest_addr|default>[/<bits>] <gateway> [<metric>] addiface <dest_addr|default>[/<bits>] <gateway> [<metric>] drop <host addr> [/<bits>] status stroute display [rule # | buf] load <rule #> save config name <site name> destination <dest addr>[/<bits>] <gateway> [<metric>] mask <IP subnet mask> gateway <IP address>...
  • Page 32 exemptZone reset reset webControl enable display logAndBlock [log/block/both] category serverList display serverList refresh queryURL [url][Server/localCache] cache display cache delete [entrynum/All] cache timeout [hour] blockonerror [log/block][on/off] unratedwebsite[block|log][on|off] waitingTime [sec] reginfo display reginfo refresh zssw tredir failcount <count> partner <ipaddr> target <ipaddr> timeout <timeout>...
  • Page 33 tcpother [timeout] udp [port] <value> update iamt <iface> iface <iface> lookup <rule set> new-lookup <rule set> loopback [on|off] reset <iface> server disp load <set id> save clear <set id> edit active <yes|no> edit svrport <start port> [end port] edit intport <start port> [end port] edit remotehost <start ip>...
  • Page 34 <rule index> <policy index> ikeDispla <rule #> (All commands can only be used in Router Mode) <0:Disable | 1:Original on|off | 2:IKE on|off | 3: IPSec [SPI]|on|off | 4:XAUTH on|off | 5:CERT on|off | 6: All> <0:None | 1:User | 2:Low | 3:High>...
  • Page 35 ikeAdd ikeEdit <rule #> ikeSave ikeList ikeDelete <rule #> ikeConfig name <string> negotiationMod <0:Main | 1:Aggressive> natTraversal <Yes| No> multiPro <Yes|No> lcIdType <0:IP | 1:DNS | 2:Email> lcIdContent <string> myIpAddr <IP address> peerIdType <0:IP | 1:DNS | 2:Email> peerIdContent <string> secureGwAddr <IP address | Domain name>...
  • Page 36 <0:None | 1:DH1 | 2:DH2> antiReplay <Yes | No> controlPing <Yes|No> logControlPing <Yes|No> controlPingAdd <IP> protocol <1:ICMP | 6:TCP | 17:UDP> lcAddrType <0:single | 1:range | 2:subnet> lcAddrStart <IP> lcAddrEndMask <IP> lcPortStart <port> lcPortEnd <port> rmAddrType <0:single | 1:range | 2:subnet> rmAddrStart <IP>...
  • Page 37 Drop Firewall Related Command (All commands can be used in both Router Mode and Bridge Mode) Command Firewall disp active <yes|no> clear disp clear disp online dynamicr display smtp display ignore ignore triangle schedule load [ set # rule #]...
  • Page 38 Certificate Management (PKI) Command (All commands can be used in both Router Mode and Bridge Mode) Command certificates my_ce create import [name] selfsigned <name> <subject> Create a self-signed local host certificate. <name> [key size] specifies a descriptive name for the generated certificate.
  • Page 39 export <name> view <name> verify <name> [timeout] delete <name> list rename <old name> <new name> def_selfsigned [name] ca_tru sted import <name> export <name> view <name> verify <name> [timeout] delete <name> list rename <old name> <new name> crl_issuer <name> [on|off] remote _truste import <name>...
  • Page 40 Bandwidth management Related Command (All commands can be used in both Router Mode and Bridge Mode) Command interface enable Export the PEM-encoded certificate to stdout for user to copy and paste. <name> specifies the name of the certificate to be exported.
  • Page 41 disable enable <bandwidth xxx> <wrr|prr> <efficient> disable class add # bandwidth xxx mod # <bandwidth xxx> <name xxx> <priority x> <borrow on|off> del # add # bandwidth xxx mod # <bandwidth xxx> <name xxx> <priority x> <borrow on|off> del # filter add # Daddr <mask...
  • Page 42 filter statistics monitor <#> <#> config save load clear Bridge Related Command Command bridge disp clear iface active address dns1 dns2 dns3 mask gateway display stat disp clear myZyXEL.com Command myZyxelCom checkUserName register trialService Flag R + B R + B R + B R + B R + B...
  • Page 43 serviceUpgrade serviceRefresh display serviceDisplay Vantage Related Command Command active [0/1] sgid [ID] managerIP [addr] Debug [0/1] version keepalive [seconds] <licence key> Input the license key to upgrade the service from trial to standard NULL Refresh the myZyXEL.com service status NULL Display all myZyXEL.com...