System Remote Management
Remote Management Overview
The WWW, SSH, Telnet, FTP, SNMP, Dial-in Mgmt, and Vantage CNM screens allow you to determine which services/protocols can access which ZyWALL zones (if any) from which computers.
See the DNS, WWW, SSH, TELNET, FTP, SNMP, Dial-in Mgmt, Vantage CNM section for related information on these screens.
Note: To allow the ZyWALL to be accessed from a specified computer using a service, make sure you do not have a service control rule or to-ZyWALL firewall rule to block that traffic.
To disable remote management of a service, deselect Enable in the corresponding service screen.
Remote Management Limitations
Remote management will not work when:
- You have disabled that service in the corresponding screen.
- The allowed IP address (address object) in the Service Control table does not match the client IP address (the ZyWALL disconnects the session immediately).
- The IP address (address object) in the Service Control table is not in the allowed zone or the action is set to Deny.
- There is a firewall rule that blocks it.
System Timeout
There is a lease timeout for administrators. The ZyWALL automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling.
Each user is also forced to log in to the ZyWALL for authentication again when the reauthentication time expires.
You can change the timeout settings in the User/Group screens.
HTTPS
You can set the ZyWALL to use HTTP or HTTPS (HTTPS adds security) for web configurator sessions. Specify which zones allow web configurator access and from which IP address the access can come.
HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol that encrypts and decrypts web pages. Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot read the transferred data), authentication (one party can identify the other party) and data integrity (you know if data has been changed).
It relies upon certificates, public keys, and private keys.
HTTPS on the ZyWALL is used so that you can securely access the ZyWALL using the web configurator. The SSL protocol specifies that the HTTPS server (the ZyWALL) must always authenticate itself to the HTTPS client (the computer which requests the HTTPS connection with the ZyWALL), whereas the HTTPS client should only authenticate itself when the HTTPS server requires it to do so (select Authenticate Client Certificates in the WWW screen). Authenticate Client Certificates is optional and, if selected, means the HTTPS client must send the ZyWALL a certificate. You must apply for a certificate for the browser from a CA that is a trusted CA on the ZyWALL.
Note: If you disable HTTP in the WWW screen, then the ZyWALL blocks all HTTP connection attempts.
Configuring WWW
System > WWW
Label | Description
HTTPS |
Enable | Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL web configurator using secure HTTPS connections.
Server Port | The HTTPS server listens on port 443 by default. If you change the HTTPS server port to a different number on the ZyWALL, for example 8443, then you must notify people who need to access the ZyWALL web configurator to use "https://ZyWALL IP Address:8443" as the URL.
Authenticate Client Certificates | Select Authenticate Client Certificates (optional) to require the SSL client to authenticate itself to the ZyWALL by sending the ZyWALL a certificate. To do that the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the ZyWALL.
Server Certificate | Select a certificate the HTTPS server (the ZyWALL) uses to authenticate itself to the HTTPS client. You must have certificates already configured in the My Certificates screen.
Redirect HTTP to HTTPS | To allow only secure web configurator access, select this to redirect all HTTP connection requests to the HTTPS server.
Admin/User Service Control | This specifies from which computers an administrator or non-administrator can access the specified ZyWALL zones.
# | This is the index number of the service control rule.
Zone | This is the zone on the ZyWALL the user is allowed or denied to access.
Address | This is the name of the address object identifying the IP address(es) of the computer(s) that are allowed or denied access.
Action | This displays whether the computer with the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny).
Add icon | Click the Add icon in the heading row to open a screen where you can add a new rule. Click the Edit icon to go to the screen where you can edit the rule. Click the Add icon in an entry to add a rule below the current entry. Click the Delete icon to remove an existing rule. A window displays asking you to confirm that you want to delete the rule. Note that subsequent rules move up by one when you take this action. Click the Move to N icon to display a field to type a number for where you want to put that rule and press [ENTER] to move the rule to the number that you typed.
HTTP |
Enable | Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL web configurator using HTTP connections.
Server Port | You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Admin/User Service Control | This specifies from which computers an administrator or non-administrator can access the specified ZyWALL zones.
# | This is the index number of the service control rule.
Zone | This is the zone on the ZyWALL the user is allowed or denied to access.
Address | This is the name of the address object identifying the IP address(es) of the computer(s) that are allowed or denied access.
Action | This displays whether the computer with the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny).
Add icon | Click the Add icon in the heading row to open a screen where you can add a new rule. Click the Edit icon to go to the screen where you can edit the rule. Click the Add icon in an entry to add a rule below the current entry. Click the Delete icon to remove an existing rule. A window displays asking you to confirm that you want to delete the rule. Note that subsequent rules move up by one when you take this action. Click the Move to N icon to display a field to type a number for where you want to put that rule and press [ENTER] to move the rule to the number that you typed.
Authentication |
Client Authentication Method | Select a method the HTTPS or HTTP server uses to authenticate a client. You must have configured the authentication methods in the Auth. method screen.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.
Service Control Rules
Click Add or Edit in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to add a service control rule.
Edit Service Control Rule
Label | Description
Address Object | Select ALL to allow or deny any computer to communicate with the ZyWALL using this service. Select a predefined address object to allow or deny only the computer with the IP address that you specified to access the ZyWALL using this service.
Zone | Select ALL to allow or prevent any ZyWALL zones from being accessed using this service. Select a predefined ZyWALL zone on which an incoming service is allowed or denied.
Action | Select Accept to allow the user to access the ZyWALL from the specified computers. Select Deny to block the user's access to the ZyWALL from the specified computers.
OK | Click OK to save your customized settings and exit this screen.
Cancel | Click Cancel to exit this screen without saving.
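The Remote Management Limitations list and the Address Object, Zone and Action fields above describe a decision the ZyWALL makes for every incoming management connection. The following Python script is an added example that models that decision; it is not ZyWALL firmware or ZyXEL code. It assumes the rules are evaluated in table order with the first matching rule deciding, that a connection matching no rule is denied, and that an address object is a set of IPv4 networks; the page orders rules and lets you move them but does not state the matching order, so those are assumptions. The address objects and rule table are constructed sample data. It also includes an audit helper that flags Accept rules whose address object is ALL, which is the check a practitioner would run on a table before enabling a service on the WAN zone.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed address objects (name -> networks); the ZyWALL's real objects are
# configured in the Object > Address screens and are not taken from this page.
ADDRESS_OBJECTS = {
    "ALL": [ipaddress.ip_network("0.0.0.0/0")],
    "LAN_ADMIN_PC": [ipaddress.ip_network("192.168.1.10/32")],
    "BRANCH_NET": [ipaddress.ip_network("10.20.0.0/16")],
}


@dataclass
class Rule:
    zone: str      # ZyWALL zone being accessed, or "ALL"
    address: str   # address object name, or "ALL"
    action: str    # "Accept" or "Deny"


@dataclass
class Service:
    name: str
    enabled: bool                              # the Enable check box of the service screen
    rules: list = field(default_factory=list)  # Service Control table, top to bottom


def _address_matches(obj_name, client_ip):
    """True when client_ip falls inside any network of the named address object."""
    networks = ADDRESS_OBJECTS.get(obj_name)
    if networks is None:
        raise KeyError(f"unknown address object {obj_name!r}")
    return any(client_ip in net for net in networks)


def evaluate(service, client_ip, zone, firewall_blocks=False):
    """Return (decision, reason) for one management connection attempt.

    The checks mirror the page's limitations list: the service is disabled,
    a to-ZyWALL firewall rule blocks the traffic, the address object does not
    match the client, or the zone is not allowed / the action is Deny.
    Assumption: first matching rule wins; no match means Deny.
    """
    if not service.enabled:
        return "Deny", "service disabled"
    if firewall_blocks:
        return "Deny", "to-ZyWALL firewall rule blocks this traffic"
    ip = ipaddress.ip_address(client_ip)
    for index, rule in enumerate(service.rules, start=1):
        if rule.zone not in ("ALL", zone):
            continue
        if not _address_matches(rule.address, ip):
            continue
        return rule.action, f"rule {index}"
    return "Deny", "no matching service control rule"


def overly_broad_rules(service):
    """Indices of Accept rules whose address object is ALL (any computer)."""
    return [i for i, r in enumerate(service.rules, start=1)
            if r.address == "ALL" and r.action == "Accept"]


# Constructed sample table: one admin PC on the LAN, a branch network on the WAN,
# and an explicit catch-all Deny as the last rule.
SSH_SAMPLE = Service("SSH", True, [
    Rule("LAN", "LAN_ADMIN_PC", "Accept"),
    Rule("WAN", "BRANCH_NET", "Accept"),
    Rule("ALL", "ALL", "Deny"),
])

if __name__ == "__main__":
    for ip, zone in [("192.168.1.10", "LAN"), ("192.168.1.11", "LAN"), ("10.20.5.5", "WAN")]:
        print(ip, zone, evaluate(SSH_SAMPLE, ip, zone))
    print("overly broad rules:", overly_broad_rules(SSH_SAMPLE))
```

The branch network rule is bound to the WAN zone only, so the same source address arriving on the LAN zone falls through to the final Deny; that is the behaviour the Zone field gives you and the reason to keep a closing Deny rule even when the default is assumed to be Deny.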
SSH
You can use SSH (Secure SHell) to securely access the ZyWALL's command line interface. Specify which zones allow SSH access and from which IP address the access can come.
SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. In the following figure, computer A on the Internet uses SSH to securely connect to the WAN port of the ZyWALL for a management session.
How SSH Works
The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server.
The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer.
Once the identification is verified, both the client and server must agree on the type of encryption method to use.
After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server. The client then sends its authentication information (user name and password) to the server to log in to the server.
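The step above where the client saves a new server public key and compares it on later connections is what protects an SSH management session against a substituted server. The following Python script is an added example, not ZyWALL firmware or an OpenSSH component: it parses a known_hosts-style file, computes the OpenSSH-style SHA256 fingerprint of a saved key so it can be compared out of band with the fingerprint the ZyWALL reports, and classifies a presented key as match, mismatch or unknown. The known_hosts content and key blob are constructed sample data, not a real ZyWALL key; hashed (|1|...) and marker (@cert-authority) entries are not handled.

```python
import base64
import hashlib

# Constructed key blob in the SSH wire layout (string "ssh-ed25519", then 32 key bytes).
# This is sample data only, not a real ZyWALL host key.
SAMPLE_KEY_BLOB = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
).decode()

# Constructed known_hosts content as an SSH client would save it on first connection.
KNOWN_HOSTS = f"""# saved by the SSH client
192.168.1.1 ssh-ed25519 {SAMPLE_KEY_BLOB}
"""


def fingerprint(key_b64):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(key blob)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text):
    """Map (host, key type) -> base64 key for plain (unhashed) known_hosts lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@") or line.startswith("|"):
            continue  # comments, marker lines and hashed hosts are skipped
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, keytype, key = fields[0], fields[1], fields[2]
        for host in hosts.split(","):
            entries[(host, keytype)] = key
    return entries


def check_host_key(known_hosts_text, host, keytype, presented_key_b64):
    """Return 'match', 'MISMATCH' or 'unknown' for the key a server presents.

    'unknown' is the first-contact case: compare fingerprint(presented_key_b64)
    with the fingerprint shown on the ZyWALL before accepting it.
    'MISMATCH' means the saved key differs and the session should not proceed.
    """
    saved = parse_known_hosts(known_hosts_text).get((host, keytype))
    if saved is None:
        return "unknown"
    return "match" if saved == presented_key_b64 else "MISMATCH"


def saved_fingerprints(known_hosts_text):
    """(host, key type, fingerprint) for every saved key, for out-of-band review."""
    return [(host, keytype, fingerprint(key))
            for (host, keytype), key in parse_known_hosts(known_hosts_text).items()]


if __name__ == "__main__":
    for entry in saved_fingerprints(KNOWN_HOSTS):
        print(*entry)
    print(check_host_key(KNOWN_HOSTS, "192.168.1.1", "ssh-ed25519", SAMPLE_KEY_BLOB))
```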
SSH Implementation on the ZyWALL
Your ZyWALL supports SSH versions 1 and 2 using RSA authentication and four encryption methods (AES, 3DES, Arcfour and Blowfish). The SSH server is implemented on the ZyWALL for remote management on port 22 (by default).
Requirements for Using SSH
You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the ZyWALL over SSH.
Configuring SSH
Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections.
System > SSH
Label | Description
Enable | Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL CLI using this service.
Version 1 | Select the check box to have the ZyWALL use both SSH version 1 and version 2 protocols. If you clear the check box, the ZyWALL uses only the SSH version 2 protocol.
Server Port | You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Server Certificate | Select the certificate whose corresponding private key is to be used to identify the ZyWALL for SSH connections. You must have certificates already configured in the My Certificates screen.
Service Control | This specifies from which computers you can access which ZyWALL zones.
# | This is the index number of the service control rule.
Zone | This is the zone on the ZyWALL the user is allowed or denied to access.
Address | This is the name of the address object identifying the IP address(es) of the computer(s) that are allowed or denied access.
Action | This displays whether the computer with the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny).
Add icon | Click the Add icon in the heading row to open a screen where you can add a new rule. Click the Edit icon to go to the screen where you can edit the rule. Click the Add icon in an entry to add a rule below the current entry. Click the Delete icon to remove an existing rule. A window displays asking you to confirm that you want to delete the rule. Note that subsequent rules move up by one when you take this action. Click the Move to N icon to display a field to type a number for where you want to put that rule and press [ENTER] to move the rule to the number that you typed.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.
Telnet
You can use Telnet to access the ZyWALL's command line interface. Specify which zones allow Telnet access and from which IP address the access can come.
Configuring Telnet
System > Telnet
Label | Description
Enable | Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL CLI using this service.
Server Port | You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Service Control | This specifies from which computers you can access which ZyWALL zones.
# | This is the index number of the service control rule.
Zone | This is the zone on the ZyWALL the user is allowed or denied to access.
Address | This is the name of the address object identifying the IP address(es) of the computer(s) that are allowed or denied access.
Action | This displays whether the computer with the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny).
Add icon | Click the Add icon in the heading row to open a screen where you can add a new rule. Click the Edit icon to go to the screen where you can edit the rule. Click the Add icon in an entry to add a rule below the current entry. Click the Delete icon to remove an existing rule. A window displays asking you to confirm that you want to delete the rule. Note that subsequent rules move up by one when you take this action. Click the Move to N icon to display a field to type a number for where you want to put that rule and press [ENTER] to move the rule to the number that you typed.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.
Configuring FTP
You can upload and download the ZyWALL's firmware and configuration files using FTP. To use this feature, your computer must have an FTP client.
System > FTP
Label | Description
Enable | Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL using this service.
TLS required | Select the check box to use FTP over TLS (Transport Layer Security) to encrypt communication. This implements TLS as a security mechanism to secure FTP clients and/or servers.
Server Port | You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Server Certificate | Select the certificate whose corresponding private key is to be used to identify the ZyWALL for FTP connections. You must have certificates already configured in the My Certificates screen.
Service Control | This specifies from which computers you can access which ZyWALL zones.
# | This is the index number of the service control rule.
Zone | This is the zone on the ZyWALL the user is allowed or denied to access.
Address | This is the name of the address object identifying the IP address(es) of the computer(s) that are allowed or denied access.
Action | This displays whether the computer with the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny).
Add icon | Click the Add icon in the heading row to open a screen where you can add a new rule. Click the Edit icon to go to the screen where you can edit the rule. Click the Add icon in an entry to add a rule below the current entry. Click the Delete icon to remove an existing rule. A window displays asking you to confirm that you want to delete the rule. Note that subsequent rules move up by one when you take this action. Click the Move to N icon to display a field to type a number for where you want to put that rule and press [ENTER] to move the rule to the number that you typed.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.
SNMP
Simple Network Management Protocol is a protocol used for exchanging management information between network devices. Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network. The ZyWALL supports SNMP version one (SNMPv1) and version two (SNMPv2c).
An SNMP managed network consists of two main types of component: agents and a manager.
An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices.
The managed devices contain object variables (managed objects) that define each piece of information to be collected about a device. Examples of variables include the number of packets received, node port status, etc. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects.
SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:
- Get - Allows the manager to retrieve an object variable from the agent.
- GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
- Set - Allows the manager to set values for object variables within an agent.
- Trap - Used by the agent to inform the manager of some events.
Supported MIBs
The ZyWALL supports MIB II that is defined in RFC-1213 and RFC-1215. The ZyWALL also supports private MIBs (zywall.mib and zyxel-zywall-ZLD-Common.mib) to collect information about CPU and memory usage and VPN total throughput. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. You can download the ZyWALL's MIBs from www.zyxel.com.
SNMP Traps
The ZyWALL will send traps to the SNMP manager when any one of the following events occurs.
SNMP Traps
OBJECT LABEL | OBJECT ID | DESCRIPTION
Cold Start | 1.3.6.1.6.3.1.1.5.1 | This trap is sent when the ZyWALL is turned on or an agent restarts.
linkDown | 1.3.6.1.6.3.1.1.5.3 | This trap is sent when the Ethernet link is down.
linkUp | 1.3.6.1.6.3.1.1.5.4 | This trap is sent when the Ethernet link is up.
authenticationFailure | 1.3.6.1.6.3.1.1.5.5 | This trap is sent when an SNMP request comes from non-authenticated hosts.
Configuring SNMP
System > SNMP
Label | Description
Enable | Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL using this service.
Server Port | You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Get Community | Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests.
Set Community | Enter the Set Community, which is the password for incoming Set requests from the management station. The default is private and allows all requests.
Trap |
Community | Type the trap community, which is the password sent with each trap to the SNMP manager. The default is public and allows all requests.
Destination | Type the IP address of the station to send your SNMP traps to.
Service Control | This specifies from which computers you can access which ZyWALL zones.
# | This is the index number of the service control rule.
Zone | This is the zone on the ZyWALL the user is allowed or denied to access.
Address | This is the name of the address object identifying the IP address(es) of the computer(s) that are allowed or denied access.
Action | This displays whether the computer with the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny).
Add icon | Click the Add icon in the heading row to open a screen where you can add a new rule. Click the Edit icon to go to the screen where you can edit the rule. Click the Add icon in an entry to add a rule below the current entry. Click the Delete icon to remove an existing rule. A window displays asking you to confirm that you want to delete the rule. Note that subsequent rules move up by one when you take this action. Click the Move to N icon to display a field to type a number for where you want to put that rule and press [ENTER] to move the rule to the number that you typed.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.
Dial-in Management
Connect an external serial modem to the DIAL BACKUP port (or AUX port depending on your model) to provide a remote management connection in case the ZyWALL's other WAN connections are down. This is like an auxiliary interface, except it is used for management connections coming into the ZyWALL instead of as a backup WAN connection.
AT Command Strings
For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing. atdt is the command for a switch that requires tone dialing. If your switch requires pulse dialing, change the string to atdp.
DTR Signal
The majority of WAN devices default to hanging up the current call when the DTR (Data Terminal Ready) signal is dropped by the DTE. When the Drop DTR When Hang Up check box is selected, the ZyWALL uses this hardware signal to force the WAN device to hang up, in addition to issuing the drop command ATH.
Response Strings
The response strings tell the ZyWALL the tags, or labels, immediately preceding the various call parameters sent from the serial modem. The response strings have not been standardized; please consult the documentation of your serial modem to find the correct tags.
Dial-in Mgmt Configuration
Configure this screen for dial-in management connections.
System > Dial-in Mgmt
Label | Description
Enable | Select this check box to turn on dial-in management.
Description | Enter some information about this connection.
Mute | Select this check box to stop the external serial modem from making audible sounds during a dial-in management session.
Answer Rings | Set how many times the ZyWALL lets the incoming dial-in management session ring before processing it.
Port Speed | Use the drop-down list box to select the speed of the connection between the ZyWALL's auxiliary port and the external modem. Available speeds are: 9600, 19200, 38400, 57600, or 115200 bps.
Initial String | Type the AT command string that the ZyWALL returns to the external serial modem connected to the ZyWALL's auxiliary port during connection initialization. Note: Consult the manual of your external serial modem connected to your ZyWALL's auxiliary port for specific AT commands.
Advanced/Basic | Click Advanced to display more configuration fields and edit the details of your dial-in management setup.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.
Vantage CNM
Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for details.
If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not do any configurations directly to the ZyWALL (using either the web configurator or commands) without notifying the Vantage CNM administrator.
Vantage CNM is disabled on the device by default.
System > Vantage CNM
Label | Description
Enable | Select this check box to allow Vantage CNM to manage your ZyWALL.
Server IP Address/FQDN | Enter the IP address or fully qualified domain name of the Vantage server. If the Vantage CNM server is on a different subnet to the ZyWALL and is behind a NAT router, enter the WAN IP address of the NAT router here and configure the NAT router to forward UDP port 11864 traffic to the Vantage CNM server. If the Vantage CNM server is behind a firewall, you may have to create a rule on the firewall to allow UDP port 11864 traffic through to the Vantage CNM server (most newer ZyXEL firewalls automatically allow this).
Transfer Protocol | Select whether the Vantage CNM sessions should use regular HTTP connections or secure HTTPS connections. Note: HTTPS is recommended. The Vantage CNM server must use the same setting.
Device Management IP | Select Auto to have the ZyWALL allow Vantage CNM sessions to connect to any of the ZyWALL's IP addresses. Select Custom to specify the ZyWALL's IP address that allows Vantage CNM sessions. Configure the Custom IP field if you select this. You might for example need to specify the IP address when using a WAN trunk that uses multiple WAN IP addresses.
Custom IP | Specify the ZyWALL's IP address that allows Vantage CNM sessions. This field applies when you select Custom in the Device Management IP field.
Keepalive Interval | Set how often the ZyWALL sends a keep alive packet to the Vantage CNM server if there is no other traffic. The keep alive packets maintain the Vantage CNM server's control session.
Periodic Inform Interval | Select this option to have the ZyWALL periodically send "Inform" messages to the Vantage CNM server.
HTTPS Authentication | When you are using HTTPS, select this option to have the ZyWALL authenticate the Vantage CNM server's certificate. In order to do this you need to import the Vantage CNM server's public key (certificate) into the ZyWALL's trusted certificates.
Vantage Certificate | Select the Vantage CNM server's certificate. This applies when you enable HTTPS authentication.
Advanced/Basic | Click Advanced to display more configuration fields or click Basic to display fewer fields.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.
Language
Use this screen to select a display language for the ZyWALL's web configurator screens.
System > Language
Label | Description
Language Setting | Select a display language for the ZyWALL's web configurator screens. You also need to open a new browser session to display the screens in the new language.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.