ZyXEL Communications ZYWALL 35 - V4.03 Technické informace Strana 1

ZyXEL Firmware Release Note ZyWALL 35 Release 4.03(WZ.1)C0 Date: Jan 31，2008 Author: Wgang Wang Project Leader:

(4) ZyWALL crashes. 11. [BUG FIX] SPR ID: 071114969 Symptom: IKE SA Leak in customer site. Topology:

Condition: (1) Enable Collect Statistics of ZyWALL5 under system reports. (2) PC visits a web page on the internet. (3) We can not see the statist

LAN and WAN". Condition: Topology: PC1-----(LAN)ZyWALL2+_1(WAN+PPTP)----VPN---- (Ethernet+WAN)ZyWALL2+_2(LAN)----PC2 (1) Th

| | |WLAN STA Association Again | | |MACAddr:0013026c13a3| ---------------------------------------------

(5) When WAN2 is down, policy route=active, from 192.168.10.33 can access 192.168.1.60 FTP server via WAN1. (6) When WAN2 is up, policy route = acti

certificate can not be exported. Condition: (1) Edit eWC>CERTIFICATES>My Certificates, create a certificate as Certificate Name="DUT

(4) Enable "Check WAN1 Connectivity" and let system PING "www.abcdefg123aabbccdd.com" which doesn't exist. (5) There is log

(8) Then view CF report using URL "http://203.160.254.52?mac=0000AA780145", you will find URL "www.google.cn" in blocked list. I

cannot save. (3) If you add a policy(policy name: aaa) and repeat step 2 again and it works. (4) Add another policy again(policy name: bbb) and save

10. [BUG FIX] SPR ID: 071015779 Symptom: Device hang when input command "ip cf ob add trust aa.aa". Conditions: (1) Input command

ZyXEL ZyWALL 35 Standard Version Release 4.03(WZ.1)C0 Release Note Date: Jan 31, 2008 Supported Platforms: ZyXEL ZyWALL 35 Versions: ZyNOS V

15. [ENHANCEMENT] SPR ID: ITS #:18000 Add a hidden CI command "ipsec maxIkePskLength [31|32]" to turn on 32-byte PSK. After turn on

for FTP, H323 or SIP. Note: The default port of well known service will still work well even if the user customized another port for the same servic

Extend the length of Anti Spam Xtag from 23 to 47. 12. [ENHANCEMENT] SPR ID: 060807425 Enhancement of GUI Home page. (1) Add a link f

19. [BUG FIX] SPR ID: 060705202 Symptom: The format and content of "System Resources" is shown different in eWC>>Home and SNM

Symptom: There will be a large latency in VPN1 if an new SA set up. Condition: Topology: PC1

(1) In SMT menu 4, delete ISP's name. Save it. (2) In SMT menu 11, edit ISP's name as "WAN". Save it. (3) We can&apo

31. [BUG FIX] SPR ID: 060731994, 060731995 Symptom: Policy route is failed in a special topology. Condition: Topology: ZyWALL B

in LAN side. (5) Keep attacking and reboot the device. (6) Check the centralized log, there be lots of "Common TOS double free" lo

(2)omni.net connects with a ISDN simulator, and PPP server is P2002+. (3)When WAN is down and the dialbackup is up, ZyWALL crash occurs. 40. [B

Condition: (1) Add a BM filter for SIP on WAN interface. (2) Enable SIP ALG. (3) SIP connection can be built successfully wi

11. In previous 3.64 firmware, the VID value of DPD is not correct. VID change will cause current version doesn’t work with the wrong value. Please

| | |MACAddr:0013026c13a3 | | | | --------------------------------------------

Symptom: ZyWALL (bridge mode) cannot forward the broadcast fragmented UDP packets. Condition: Topology: Sender --- [WAN]DUT (Brid

CN=zyxel, OU=ms, O=sen, L=hamburg, ST=hamburg, C=de". 8. [BUG FIX] ITS #15262 Symptom: There's an delay of 2 seconds when c

| LAN | | PC2

>sys trcpacket chan enet1 bothway >sys trcpacket switch on >sys trcdisplay brief (3) WAN con

Condition: (1) Configure eWC>Advanced>NAT>NAT Overview, enable WAN1 NAT with SUA (2) Configure eWC>Security>Firewall>Default Rule

Symptom: Device does not log any CF customization events. Condition: (1) Enable content filteting. (2) Enable Web site customization in the Custom

(1) Let device register to Vantage with Ether encapsulation. (2) Change WAN encapsulation from Ether to PPPoE and fill incorrect login name and pa

(1) Setup one VPN between ZW5 and ZW70. (2) Enable the AV and IDP in ZW5, and enable the zip file scan in AV. (3) PC1 start FTP and HTTP download on

(3) But only the first connected VPN client can access ZyWALL 70's LAN side at a time. 8. [BUG FIX] 061128584, 061128585 (ITS#13932) Symptom:

(3) The host can still ping Internet using LAN DHCP address. (4) The scenario will continue about 30secs. 3. When device is writing flash, all the

PC --- [LAN] ZyWALL [WAN] --- Internet (1) In router mode, enable content filter and set the block message but leave the Redirect URL blank. (2) Ena

WAS: Change cnm encryption mode with 2 CLIs: 'cnm encrykey <key>' and 'cnm encrymode <mode>'. IS: Change cnm

(2) Set a static route, let traffic go to some destination A by WAN2. (3) When WAN2 is down, using "ip ro st" to show route table, the sta

Symptom: The "Up Time" shown on the Port Statistics and Home page is quite different when the ZyWALL uptime is more than 100 hours. Cond

10. [BUG FIX] SPR ID: 061024810 Symptom: Multiple PPPoE cannot use the same PPPoE session ID. Condition: Topology: ZyWALL [WAN1] --- PPPoE

SMTP Authentication and set related SMTP settings. (3) The device sends mail will fail on SMTP authentication. 15. [BUG FIX] SPR ID: 060822272 Sy

breaks the first infected file packet and stop track the file session in the previous mechanism. The old one has better performance, but there is a

Engineer note: The bug fix only applies to multiple WAN products. 26. [BUG FIX] SPR ID: 060809598 Symptom: PC can not access the web server (www.

(2) System crashes sometimes. 30. [BUG FIX] SPR ID: 060831744 Symptom: PC cannot ping WLAN interface IP. Condition: Topology: PC1(10.0.0.1)----(1

Support 60 categories in content filtering. New categories: ""Hacking", Phishing", "Spyware/Malware Sources",

displayed on console. This is because some predefined CI commands in autoexec.net is forbidden to execute in Bridge Mode. 2. In the following topol

Symptom: The packet will be dropped if the device does not have the ARP entry of the receiver of this packet. Condition: (1) Clear ARP

PC-----(LAN)ZW70(WAN) (1) On PC, try trace route a host(www.yahoo.com). (2) Trace route cannot get response from our device. 15. [BUG FIX]

(1) Goto eWC>Maintenance to upload F/W. (2) ZyWALL should show a progress page, but it is not. (3) ZyWALL should di

(2) Disable Outlook SMTP authentication in PC. (3) PC on LAN and sent out Microsoft Outlook testing mail. (4) Device will crash immediately. 13. [B

18. [BUG FIX] Symptom: The ZyWALL should use user configured time server to do daily time adjustment. Condition: (1) Reboot the ZyWALL, set &a

Modifications in V 4.01(WZ.0)b2 | 05/22/2006 1. [FEATURE CHANGE] The multicast AH or ESP packet will not pass to the VPN module in ZyWALL. 2. [

DMZ link to eWC>Network>DMZ>DMZ page IP alias1/2 link to eWC>DMZ>IP alias 1/2 page (6) Remove underlines from the l

Enable Nail up SA lifetime = 28800 seconds Policy 2: Local network: 192.168.1.33/24 Remote network: 192.168.2.33/24

13. [BUG FIX][060427219] Symptom: In PPTP encapsulation, enable VPN, AV and AS, PC can not receive the mail via VPN tunnel. Condition: PC1(mai

Local ID: Type=DNS Content = d.c.b.a Peer ID: Type=DNS Content = a.b.c.d IPSEC Policy: Local=Single 1.1.1.

(2) In eWC->SECURITY->CONTENT FILTER->Customization page, enable "Web site customization" and "Don't block Java/ActiveX

End Port=21. (4) Disable Firewall. (5) PC1 ftp to PC2, and then PC2 ftp to PC1. (6) PC2 disconnects ftp session and then reconnects t

(2) Go to eWC/Network/Wireless Card/Wireless Card, enable wireless card and set ESSID as "testWlan". (2) Wireless Client can s

Condition: (1) Put PC1 and PC2 on LAN side of ZyWALL. (2) ZyWALL enables Anti-Spam and disables External Database. (3) PC2 installs the Merak

WLAN has a mail client. All of them are on IxLoad (3) Run IxLoad 10 minutes，device crash 34. [BUG FIX][060418336] Symptom: Traffic can

WLAN Zone enhancement. (1) ZyWALL has an independent WLAN Zone interface, no matter WLAN card. (2) WLAN card is not the independent WLAN interfa

Appendix 1 Remote Management Enhancement (Add SNMP & DNS Control) New function (1) You can change the server port. (2) You can set

Press ENTER to Confirm or ESC to Cancel:

Appendix 2 Trigger Port Introduction Some routers try to get around this "one port per customer" limitation by using "triggered"

"Incoming Port". If it matches, Prestige will forward the packet to the recorded IP address in the internal table for this port. (This beh

Appendix 3 Hard-coded packet filter for "NetBIOS over TCP/IP" (NBT) The new set C/I commands is under "sys filter netbios" su

(1) Type CI “ip icmp death 1000” or “ip icmp death 1500”. (2) PC1 ping PC2 with DOS command “ping 172.25.21.254 –l 1600”, the log is shown as: “ping

Appendix 4 Traffic Redirect/Static Route Application Note Why traffic redirect/static route be blocked by ZyWALL ZyWALL is the ideal secure gateway

normal function. Figure 5-2 Gateway on alias IP network (2) Gateway on WAN side A working topology is suggested as below. Figure 5-3 Gateway on W

contents are consistent and they can connect. Basically the story is the same when ID type is IP. If user configures ID content, then ZyWALL will u

1. When Local ID Content is blank which means user doesn’t type anything here, during IKE negotiation, my ID content will be “My IP Addr” (if it’s

ISP(or network). This secondary WAN port can be used in “active-active” load sharing or fail-over configuration providing a highly efficient meth

Appendix 9 IPSec IP Overlap Support ZyWALL BIP Alias 1.1.2.0/24LAN1.1.1.0/24LAN 1.1.2.0/28WANPCA 1.1.1.33PCB 1.1.2.250PCC 1.1.2.250ZyWALL A Figure

Appendix 10 VPN Local IP Address Limitation ZyWALL BIP Alias 1.1.2.0/24LAN1.1.1.0/24LAN 1.1.2.0/28WANPCA 1.1.1.33PCB 1.1.2.250PCC 1.1.2.250ZyWALL

ZyXEL VPN Client Security Gateway: 1.1.1.1 Phase one Authentication method: Preshare Key Remote: 192.168.1.0/24 In example 1, user may wonder why

on forceUpdate, then the ZyWALL gets gratuitous ARP, it will force to update MAC mapping into the ARP table, otherwise if turn off forceUpdate,

(2)ipsec initContactMode tunnel When the ZyWALL receives a IKE packets with IC, it deletes only one existing tunnel, whose security gateway

b) Mail Subject = test c) Mail Sender = [email protected] d) Send Log to = [email protected] e) Send Alerts to = your_email_

Figure 1. But there are still some limitations remain that we need to overcome in the future. When you deploy your SIP server on LAN for SIP servic

Figure 2. (2) Try not use different global IPs for SIP client and SIP server on NAT. Currently, there are still some limitations when use differen

phone B. Thus will be fail on call setup. This limitation is SIP client related issue, some SIP clients will send ACK request direct to the remote c

(4) "Update Server" will reply a file list to the PC, the download address of the fill will be "File Server", at the same time &

If we set the timeout value as "10 seconds", 5 seconds is not timeout. The device will route the new session to the same interface.

Is: Update error: The hostname specified does not exist. |DDNS 6. [ENHANCEMENT] DDNS client will force update with Dyndns.org server in ever