System Remote Management

Remote Management Overview

The WWW, SSH, Telnet, FTP, SNMP, Dial-in Mgmt, and Vantage CNM screens allow you to determine which services/protocols can access which ZyWALL zones (if any) from which computers.

See the DNS, WWW, SSH, TELNET, FTP, SNMP, Dial-in Mgmt, Vantage CNM section for related information on these screens.

Note: To allow the ZyWALL to be accessed from a specified computer using a service, make sure you do not have a service control rule or to-ZyWALL firewall rule to block that traffic.

To disable remote management of a service, deselect Enable in the corresponding service screen.

Remote Management Limitations

Remote management will not work when:

System Timeout

There is a lease timeout for administrators. The ZyWALL automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling.

Each user is also forced to log in to the ZyWALL for authentication again when the reauthentication time expires.

You can change the timeout settings in the User/Group screens.

HTTPS

You can set the ZyWALL to use HTTP or HTTPS (HTTPS adds security) for web configurator sessions. Specify which zones allow web configurator access and from which IP address the access can come.

HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol that encrypts and decrypts web pages. Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot read the transferred data), authentication (one party can identify the other party) and data integrity (you know if data has been changed).

It relies upon certificates, public keys, and private keys.

HTTPS on the ZyWALL is used so that you can securely access the ZyWALL using the web configurator. The SSL protocol specifies that the HTTPS server (the ZyWALL) must always authenticate itself to the HTTPS client (the computer which requests the HTTPS connection with the ZyWALL), whereas the HTTPS client only has to authenticate itself when the HTTPS server requires it to do so (select Authenticate Client Certificates in the WWW screen). Authenticate Client Certificates is optional; if selected, the HTTPS client must send the ZyWALL a certificate. You must apply for a certificate for the browser from a CA that is a trusted CA on the ZyWALL.

Note: If you disable HTTP in the WWW screen, then the ZyWALL blocks all HTTP connection attempts.

Configuring WWW

System > WWW 

HTTPS

Enable: Select the check box to allow (or clear it to disallow) the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL web configurator using secure HTTPS connections.
Server Port: The HTTPS server listens on port 443 by default. If you change the HTTPS server port to a different number on the ZyWALL, for example 8443, then you must notify people who need to access the ZyWALL web configurator to use "https://ZyWALL IP Address:8443" as the URL.
Authenticate Client Certificates: Select Authenticate Client Certificates (optional) to require the SSL client to authenticate itself to the ZyWALL by sending the ZyWALL a certificate. To do that, the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the ZyWALL.
Server Certificate: Select a certificate the HTTPS server (the ZyWALL) uses to authenticate itself to the HTTPS client. You must have certificates already configured in the My Certificates screen.
Redirect HTTP to HTTPS: To allow only secure web configurator access, select this to redirect all HTTP connection requests to the HTTPS server.
Admin/User Service Control: This specifies from which computers an administrator or non-administrator can access the specified ZyWALL zones.
#: This is the index number of the service control rule.
Zone: This is the zone on the ZyWALL that the user is allowed or denied to access.
Address: This is the name of the address object that specifies the IP address(es) from which access is allowed or denied.
Action: This displays whether the computer with the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny).
Add icon:
  Click the Add icon in the heading row to open a screen where you can add a new rule. Click the Edit icon to go to the screen where you can edit the rule.
  Click the Add icon in an entry to add a rule below the current entry.
  Click the Delete icon to remove an existing rule. A window displays asking you to confirm that you want to delete the rule. Note that subsequent rules move up by one when you take this action.
  Click the Move to N icon to display a field where you can type the number of the position you want to put that rule in, then press [ENTER] to move the rule to that position.

HTTP

Enable: Select the check box to allow (or clear it to disallow) the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL web configurator using HTTP connections.
Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Admin/User Service Control: This specifies from which computers an administrator or non-administrator can access the specified ZyWALL zones.
#: This is the index number of the service control rule.
Zone: This is the zone on the ZyWALL that the user is allowed or denied to access.
Address: This is the name of the address object that specifies the IP address(es) from which access is allowed or denied.
Action: This displays whether the computer with the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny).
Add icon:
  Click the Add icon in the heading row to open a screen where you can add a new rule. Click the Edit icon to go to the screen where you can edit the rule.
  Click the Add icon in an entry to add a rule below the current entry.
  Click the Delete icon to remove an existing rule. A window displays asking you to confirm that you want to delete the rule. Note that subsequent rules move up by one when you take this action.
  Click the Move to N icon to display a field where you can type the number of the position you want to put that rule in, then press [ENTER] to move the rule to that position.

Authentication

Client Authentication Method: Select a method the HTTPS or HTTP server uses to authenticate a client. You must have configured the authentication methods in the Auth. method screen.

Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

Service Control Rules

Click Add or Edit in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to add a service control rule.

Edit Service Control Rule

Address Object: Select ALL to allow or deny any computer to communicate with the ZyWALL using this service. Select a predefined address object to allow or deny only the computer(s) with the IP address(es) that you specified to access the ZyWALL using this service.
Zone: Select ALL to allow or prevent any ZyWALL zone from being accessed using this service. Select a predefined ZyWALL zone on which an incoming service is allowed or denied.
Action: Select Accept to allow the user to access the ZyWALL from the specified computers. Select Deny to block the user's access to the ZyWALL from the specified computers.
OK: Click OK to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.
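The service control table described above is evaluated top-down, so the order of Accept and Deny rules decides the outcome. The following is an added example (not ZyXEL code) that models a service control table with the ALL wildcard, first-match evaluation, the per-entry Add, the Delete (later rules move up) and the Move to N operations; the address object contents and the zone names are constructed, and the "Deny when no rule matches" default is an assumption of this example, not a statement about the ZyWALL.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed address objects (not from the ZyWALL): name -> set of IPs.
# None stands for the ALL wildcard on the Edit Service Control Rule screen.
ADDRESS_OBJECTS: Dict[str, Optional[Set[str]]] = {
    "ALL": None,
    "ADMIN_PC": {"192.168.1.10"},
    "LAN_SUBNET": {"192.168.1.10", "192.168.1.20"},
}


@dataclass
class Rule:
    zone: str      # "ALL" or a zone name such as "LAN" or "WAN"
    address: str   # an address object name from ADDRESS_OBJECTS
    action: str    # "Accept" or "Deny"

    def matches(self, zone: str, ip: str) -> bool:
        if self.zone != "ALL" and self.zone != zone:
            return False
        members = ADDRESS_OBJECTS[self.address]
        return members is None or ip in members


@dataclass
class ServiceControl:
    rules: List[Rule] = field(default_factory=list)
    # Assumption of this example: no matching rule means the request is denied.
    default_action: str = "Deny"

    def decide(self, zone: str, ip: str) -> str:
        """First matching rule wins, as in a top-down rule table."""
        for rule in self.rules:
            if rule.matches(zone, ip):
                return rule.action
        return self.default_action

    def add_below(self, index: int, rule: Rule) -> None:
        """Per-entry Add icon: insert a rule directly below entry #index (1-based)."""
        self.rules.insert(index, rule)

    def delete(self, index: int) -> None:
        """Delete icon: remove entry #index; later rules move up by one."""
        del self.rules[index - 1]

    def move_to(self, index: int, new_index: int) -> None:
        """Move to N icon: relocate entry #index to position #new_index."""
        rule = self.rules.pop(index - 1)
        self.rules.insert(new_index - 1, rule)


def build_sample_table() -> ServiceControl:
    """Constructed table: accept the admin PC on LAN, deny everyone else."""
    table = ServiceControl()
    table.rules.append(Rule("LAN", "ADMIN_PC", "Accept"))
    table.rules.append(Rule("ALL", "ALL", "Deny"))
    return table


if __name__ == "__main__":
    table = build_sample_table()
    print(table.decide("LAN", "192.168.1.10"))   # Accept
    print(table.decide("WAN", "192.168.1.10"))   # Deny: admin rule is LAN only
    table.move_to(2, 1)                          # move the Deny-ALL rule to the top
    print(table.decide("LAN", "192.168.1.10"))   # Deny: the catch-all now shadows the admin rule
```

Moving a catch-all Deny above the specific Accept rule, as the last lines do, locks the administrator out; check the rule order after every Move to N or Delete.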

SSH

You can use SSH (Secure SHell) to securely access the ZyWALL's command line interface. Specify which zones allow SSH access and from which IP address the access can come.

SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. In the following figure, computer A on the Internet uses SSH to securely connect to the WAN port of the ZyWALL for a management session.

How SSH Works

1. The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server.
2. The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer.
3. Once the identification is verified, both the client and server must agree on the type of encryption method to use.
4. After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server. The client then sends its authentication information (user name and password) to the server to log in to the server.

SSH Implementation on the ZyWALL

Your ZyWALL supports SSH versions 1 and 2 using RSA authentication and four encryption methods (AES, 3DES, Arcfour and Blowfish). The SSH server is implemented on the ZyWALL for remote management on port 22 (by default).

Requirements for Using SSH

You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the ZyWALL over SSH.

Configuring SSH

Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections.

System > SSH 

Enable: Select the check box to allow (or clear it to disallow) the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL CLI using this service.
Version 1: Select the check box to have the ZyWALL use both the SSH version 1 and version 2 protocols. If you clear the check box, the ZyWALL uses only the SSH version 2 protocol.
Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Server Certificate: Select the certificate whose corresponding private key is to be used to identify the ZyWALL for SSH connections. You must have certificates already configured in the My Certificates screen.
Service Control: This specifies from which computers you can access which ZyWALL zones.
#: This is the index number of the service control rule.
Zone: This is the zone on the ZyWALL that the user is allowed or denied to access.
Address: This is the name of the address object that specifies the IP address(es) from which access is allowed or denied.
Action: This displays whether the computer with the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny).
Add icon:
  Click the Add icon in the heading row to open a screen where you can add a new rule. Click the Edit icon to go to the screen where you can edit the rule.
  Click the Add icon in an entry to add a rule below the current entry.
  Click the Delete icon to remove an existing rule. A window displays asking you to confirm that you want to delete the rule. Note that subsequent rules move up by one when you take this action.
  Click the Move to N icon to display a field where you can type the number of the position you want to put that rule in, then press [ENTER] to move the rule to that position.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

Telnet

You can use Telnet to access the ZyWALL's command line interface. Specify which zones allow Telnet access and from which IP address the access can come.

Configuring Telnet

System > Telnet 

Enable: Select the check box to allow (or clear it to disallow) the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL CLI using this service.
Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Service Control: This specifies from which computers you can access which ZyWALL zones.
#: This is the index number of the service control rule.
Zone: This is the zone on the ZyWALL that the user is allowed or denied to access.
Address: This is the name of the address object that specifies the IP address(es) from which access is allowed or denied.
Action: This displays whether the computer with the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny).
Add icon:
  Click the Add icon in the heading row to open a screen where you can add a new rule. Click the Edit icon to go to the screen where you can edit the rule.
  Click the Add icon in an entry to add a rule below the current entry.
  Click the Delete icon to remove an existing rule. A window displays asking you to confirm that you want to delete the rule. Note that subsequent rules move up by one when you take this action.
  Click the Move to N icon to display a field where you can type the number of the position you want to put that rule in, then press [ENTER] to move the rule to that position.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

Configuring FTP

You can upload and download the ZyWALL's firmware and configuration files using FTP. To use this feature, your computer must have an FTP client.

System > FTP 

Enable: Select the check box to allow (or clear it to disallow) the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL using this service.
TLS required: Select the check box to use FTP over TLS (Transport Layer Security) to encrypt communication. This uses TLS as a security mechanism to protect the FTP session between the client and the server.
Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Server Certificate: Select the certificate whose corresponding private key is to be used to identify the ZyWALL for FTP connections. You must have certificates already configured in the My Certificates screen.
Service Control: This specifies from which computers you can access which ZyWALL zones.
#: This is the index number of the service control rule.
Zone: This is the zone on the ZyWALL that the user is allowed or denied to access.
Address: This is the name of the address object that specifies the IP address(es) from which access is allowed or denied.
Action: This displays whether the computer with the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny).
Add icon:
  Click the Add icon in the heading row to open a screen where you can add a new rule. Click the Edit icon to go to the screen where you can edit the rule.
  Click the Add icon in an entry to add a rule below the current entry.
  Click the Delete icon to remove an existing rule. A window displays asking you to confirm that you want to delete the rule. Note that subsequent rules move up by one when you take this action.
  Click the Move to N icon to display a field where you can type the number of the position you want to put that rule in, then press [ENTER] to move the rule to that position.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

SNMP

Simple Network Management Protocol (SNMP) is a protocol used for exchanging management information between network devices. Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network. The ZyWALL supports SNMP version one (SNMPv1) and version two (SNMPv2c).

An SNMP managed network consists of two main types of components: agents and a manager.

An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices.

The managed devices contain object variables (managed objects) that define each piece of information to be collected about a device. Examples of variables include the number of packets received, node port status and so on. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects.

SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:

Supported MIBs

The ZyWALL supports MIB II that is defined in RFC-1213 and RFC-1215. The ZyWALL also supports private MIBs (zywall.mib and zyxel-zywall-ZLD-Common.mib) to collect information about CPU and memory usage and VPN total throughput. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. You can download the ZyWALL's MIBs from www.zyxel.com.

SNMP Traps

The ZyWALL will send traps to the SNMP manager when any one of the following events occurs.

SNMP Traps 

coldStart (object ID 1.3.6.1.6.3.1.1.5.1): This trap is sent when the ZyWALL is turned on or an agent restarts.
linkDown (object ID 1.3.6.1.6.3.1.1.5.3): This trap is sent when the Ethernet link is down.
linkUp (object ID 1.3.6.1.6.3.1.1.5.4): This trap is sent when the Ethernet link is up.
authenticationFailure (object ID 1.3.6.1.6.3.1.1.5.5): This trap is sent when an SNMP request comes from a non-authenticated host.

Configuring SNMP

System > SNMP 

Enable: Select the check box to allow (or clear it to disallow) the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL using this service.
Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Get Community: Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests.
Set Community: Enter the Set Community, which is the password for incoming Set requests from the management station. The default is private and allows all requests.

Trap

Community: Type the trap community, which is the password sent with each trap to the SNMP manager. The default is public and allows all requests.
Destination: Type the IP address of the station to send your SNMP traps to.

Service Control: This specifies from which computers you can access which ZyWALL zones.
#: This is the index number of the service control rule.
Zone: This is the zone on the ZyWALL that the user is allowed or denied to access.
Address: This is the name of the address object that specifies the IP address(es) from which access is allowed or denied.
Action: This displays whether the computer with the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny).
Add icon:
  Click the Add icon in the heading row to open a screen where you can add a new rule. Click the Edit icon to go to the screen where you can edit the rule.
  Click the Add icon in an entry to add a rule below the current entry.
  Click the Delete icon to remove an existing rule. A window displays asking you to confirm that you want to delete the rule. Note that subsequent rules move up by one when you take this action.
  Click the Move to N icon to display a field where you can type the number of the position you want to put that rule in, then press [ENTER] to move the rule to that position.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
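The WWW, SSH, Telnet, FTP and SNMP screens above each carry a setting this chapter recommends changing (Redirect HTTP to HTTPS, clearing SSH Version 1, disabling Telnet and FTP once SSH is configured, TLS required for FTP, and replacing the default public/private SNMP communities). The following is an added example (not ZyXEL code) that audits a constructed snapshot of those settings against that guidance; the field names and both sample snapshots are this example's own, not ZyWALL screen or CLI identifiers.

```python
from dataclasses import dataclass
from typing import List

# Factory communities quoted on the SNMP screen; anything else passes the check.
DEFAULT_COMMUNITIES = {"public", "private"}


@dataclass
class RemoteMgmtConfig:
    """Constructed snapshot of the remote management screens (field names are ours)."""
    http_enabled: bool
    redirect_http_to_https: bool   # WWW: Redirect HTTP to HTTPS
    ssh_enabled: bool
    ssh_version1: bool             # SSH: Version 1 check box
    telnet_enabled: bool
    ftp_enabled: bool
    ftp_tls_required: bool         # FTP: TLS required check box
    snmp_enabled: bool
    snmp_get_community: str
    snmp_set_community: str
    snmp_trap_community: str


def audit(cfg: RemoteMgmtConfig) -> List[str]:
    """Return one finding per setting that departs from the chapter's guidance."""
    findings: List[str] = []
    if cfg.http_enabled and not cfg.redirect_http_to_https:
        findings.append("WWW: HTTP is enabled without Redirect HTTP to HTTPS; "
                        "web configurator logins can travel in cleartext")
    if cfg.ssh_enabled and cfg.ssh_version1:
        findings.append("SSH: Version 1 is selected; clear it so only SSH version 2 is used")
    if cfg.ssh_enabled and cfg.telnet_enabled:
        findings.append("Telnet: enabled alongside SSH; the guide recommends disabling it")
    if cfg.ftp_enabled and not cfg.ftp_tls_required:
        findings.append("FTP: TLS required is off; firmware and configuration "
                        "transfers are unencrypted")
    if cfg.ssh_enabled and cfg.ftp_enabled:
        findings.append("FTP: enabled alongside SSH; the guide recommends disabling it")
    if cfg.snmp_enabled:
        for label, value in (("Get", cfg.snmp_get_community),
                             ("Set", cfg.snmp_set_community),
                             ("Trap", cfg.snmp_trap_community)):
            if value in DEFAULT_COMMUNITIES:
                findings.append(f"SNMP: {label} Community is still the default '{value}'")
    return findings


def loose_config() -> RemoteMgmtConfig:
    """Constructed snapshot of a loosely configured device (only the SNMP
    community values are the defaults the chapter quotes)."""
    return RemoteMgmtConfig(
        http_enabled=True, redirect_http_to_https=False,
        ssh_enabled=True, ssh_version1=True, telnet_enabled=True,
        ftp_enabled=True, ftp_tls_required=False,
        snmp_enabled=True, snmp_get_community="public",
        snmp_set_community="private", snmp_trap_community="public")


def hardened_config() -> RemoteMgmtConfig:
    """Constructed snapshot after applying the chapter's recommendations."""
    return RemoteMgmtConfig(
        http_enabled=True, redirect_http_to_https=True,
        ssh_enabled=True, ssh_version1=False, telnet_enabled=False,
        ftp_enabled=False, ftp_tls_required=True,
        snmp_enabled=True, snmp_get_community="r0-mon-Kx7q",
        snmp_set_community="wr1te-Mz2p", snmp_trap_community="tr4p-Vb9s")


if __name__ == "__main__":
    for name, cfg in (("loose", loose_config()), ("hardened", hardened_config())):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```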

Dial-in Management

Connect an external serial modem to the DIAL BACKUP port (or AUX port depending on your model) to provide a remote management connection in case the ZyWALL's other WAN connections are down. This is like an auxiliary interface, except it is used for management connections coming into the ZyWALL instead of as a backup WAN connection.

AT Command Strings

For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing. atdt is the command for a switch that requires tone dialing. If your switch requires pulse dialing, change the string to atdp.

DTR Signal

The majority of WAN devices default to hanging up the current call when the DTR (Data Terminal Ready) signal is dropped by the DTE. When the Drop DTR When Hang Up check box is selected, the ZyWALL uses this hardware signal to force the WAN device to hang up, in addition to issuing the drop command ATH.

Response Strings

The response strings tell the ZyWALL the tags, or labels, immediately preceding the various call parameters sent from the serial modem. The response strings have not been standardized; please consult the documentation of your serial modem to find the correct tags.

Dial-in Mgmt Configuration

Configure this screen for dial-in management connections.

System > Dial-in Mgmt  

Enable: Select this check box to turn on dial-in management.
Description: Enter some information about this connection.
Mute: Select this check box to stop the external serial modem from making audible sounds during a dial-in management session.
Answer Rings: Set how many times the ZyWALL lets the incoming dial-in management session ring before processing it.
Port Speed: Use the drop-down list box to select the speed of the connection between the ZyWALL's auxiliary port and the external modem. Available speeds are: 9600, 19200, 38400, 57600, or 115200 bps.
Initial String: Type the AT command string that the ZyWALL sends to the external serial modem connected to the ZyWALL's auxiliary port during connection initialization.

Note: Consult the manual of your external serial modem connected to your ZyWALL's auxiliary port for specific AT commands.

Advanced/Basic: Click Advanced to display more configuration fields and edit the details of your dial-in management setup.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

Vantage CNM

Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for details.

If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not do any configurations directly to the ZyWALL (using either the web configurator or commands) without notifying the Vantage CNM administrator.

Vantage CNM is disabled on the device by default.

System > Vantage CNM 

Enable: Select this check box to allow Vantage CNM to manage your ZyWALL.
Server IP Address/FQDN: Enter the IP address or fully qualified domain name of the Vantage server. If the Vantage CNM server is on a different subnet to the ZyWALL and is behind a NAT router, enter the WAN IP address of the NAT router here and configure the NAT router to forward UDP port 11864 traffic to the Vantage CNM server. If the Vantage CNM server is behind a firewall, you may have to create a rule on the firewall to allow UDP port 11864 traffic through to the Vantage CNM server (most (new) ZyXEL firewalls automatically allow this).
Transfer Protocol: Select whether the Vantage CNM sessions should use regular HTTP connections or secure HTTPS connections. The Vantage CNM server must use the same setting.

Note: HTTPS is recommended.

Device Management IP: Select Auto to have the ZyWALL allow Vantage CNM sessions to connect to any of the ZyWALL's IP addresses. Select Custom to specify the ZyWALL's IP address that allows Vantage CNM sessions. Configure the Custom IP field if you select this. You might, for example, need to specify the IP address when using a WAN trunk that uses multiple WAN IP addresses.
Custom IP: Specify the ZyWALL's IP address that allows Vantage CNM sessions. This field applies when you select Custom in the Device Management IP field.
Keepalive Interval: Set how often the ZyWALL sends a keep alive packet to the Vantage CNM server if there is no other traffic. The keep alive packets maintain the Vantage CNM server's control session.
Periodic Inform Interval: Select this option to have the ZyWALL periodically send "Inform" messages to the Vantage CNM server.
HTTPS Authentication: When you are using HTTPS, select this option to have the ZyWALL authenticate the Vantage CNM server's certificate. In order to do this you need to import the Vantage CNM server's public key (certificate) into the ZyWALL's trusted certificates.
Vantage Certificate: Select the Vantage CNM server's certificate. This applies when you enable HTTPS authentication.
Advanced/Basic: Click Advanced to display more configuration fields or click Basic to display fewer fields.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

Language

Use this screen to select a display language for the ZyWALL's web configurator screens.

System > Language

Language Setting: Select a display language for the ZyWALL's web configurator screens. You also need to open a new browser session to display the screens in the new language.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.