Object
Device Insight
Use this screen to configure profiles to block specified clients from accessing the Internet or the Zyxel Device in Configuration > Security Policy > Policy Control. Configure profiles for WiFi and wired clients connected to the Zyxel Device according to the types of devices they use or operating systems their devices use.
*To collect clients’ information using Device Insight, the clients must be in the same IP subnet in the LAN/VLAN/DMZ networks behind the Zyxel Device. Information from clients that are in different IP subnets in the LAN/VLAN/DMZ networks might not be collected correctly as traffic must pass through another router or a layer-2 switch to the Zyxel Device.
Here’s the process for the Zyxel Device to block a profile in this screen:
1 Create a profile in the Device Insight screen to block specific clients.
2 Add the created device insight profile to one of the rules in Policy Control.
3 The Zyxel Device will block clients if they match the settings you configure in the Device Insight profile.
The following table describes the labels in this screen.
Configuration > Object > Device Insight
Label
Description
General Settings
 
Enable
Select this to enable device insight. Clear this to disable it.
Add
Click this to create a new device insight profile.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove a device insight profile, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry. Click Refresh to update information in this screen.
#
This field is a sequential value, and it is not associated with any interface.
Name
This field displays the name of the device.
Description
If the device insight profile has a description configured, it displays here.
Reference
This field displays the number of times an Object Reference is used in a policy.
Device Insight Add/Edit
The Device Insight Add/Edit screen allows you to add a new device insight profile or edit an existing one. The following table describes the labels in this screen.
Configuration > Object > Device Insight > Add/Edit 
Label
Description
Profile Name
Type a name for this device insight profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. Spaces and duplicate names are not allowed. This value is case-sensitive.
Description
Enter the description of each device insight profile. You can use 1 to 63 single-byte characters, including 0-9a-zA-Z!"#$%'()*+,-/:;=?@_ while &.<>[\]^`{|} are not allowed.
Category
Select the type of device used by the connected client for this profile.
IoT (Internet of Things) refers to devices with sensors and software that collect and analyze data and exchange it with other devices over the Internet. IoT devices are used in many places, such as home assistants, personal care and toys.
For example, a smart watch worn by your grandparents is an IoT device. It can detect the heart rate and blood pressure of the person wearing it and send a warning to other devices, such as your parents' phones, if it detects something wrong.
Operating System
Select the device operating system used by the connected client for this profile.
OK
Click this button to save your changes to the Zyxel Device and return to the summary screen.
Cancel
Click this button to return to the summary screen without saving any changes.
Example: Block a Profile
In this example, company A on the Zyxel Device LAN1 wants to block the employees of its subsidiary on LAN2 from accessing company A's local networks with their mobile phones. Company A can create a profile that covers mobile phones running any operating system, and then apply it to a LAN2_To_LAN1 policy. Clients using mobile phones on the Zyxel Device LAN2 are then blocked from accessing the Zyxel Device LAN1.
Here’s the process to use a Device Insight profile in a Zyxel Device security policy. The example below uses the parameters in this table.
Device Insight Profile Configurations Example
  Profile name:      MobilePhone
  Description:       profile for mobile clients
  Category:          Mobile Phone/Tablet
  Operating system:  Windows, macOS, Linux, OS, Android, Others
  Applied policy:    LAN2_To_LAN1
The security policy LAN2_To_LAN1 uses the parameters in this table.
  From:                    LAN2
  To:                      LAN1
  Action:                  deny
  Device insight profile:  MobilePhone
1 Go to Object > Device Insight and click Add. Follow the parameters in the table above to configure a profile for clients using mobile phones. Click OK to save your changes.
2 Go to Configuration > Security Policy > Policy Control. Click Add to create a rule and name it as LAN2_To_LAN1.
3 In the Add Policy screen, set From to LAN2 and To to LAN1 to configure the traffic direction for the security policy. Add the created Device Insight (MobilePhone) profile to the security policy.
4 Set the Action to deny then click OK to save your changes. Check that the Device Insight profile name (MobilePhone) shows under the Device column to make sure clients using mobile phones are blocked from accessing the Zyxel Device LAN1 from LAN2.
*Make sure to configure a security policy to ensure your access to the Zyxel Device before blocking a Device Insight profile. Reset the Zyxel Device if you’re blocked from accessing the Zyxel Device.
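The rule evaluation described in the example above, written out as an added Python model. This is not Zyxel code: the profile, policy and client records, the OS names and the matching logic (a client matches a profile when both its category and its operating system are selected in the profile; a From/To rule carrying that profile applies its action only to matching clients) are constructed here to show how the LAN2_To_LAN1 deny rule affects a phone but leaves other LAN2 clients alone.

```python
"""Model of a Device Insight profile used in a security policy rule.

Added illustration, not Zyxel code. Real Device Insight fingerprints the
client; here that step is replaced by category/os fields on the Client record.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class DeviceInsightProfile:
    name: str
    description: str
    categories: FrozenSet[str]
    operating_systems: FrozenSet[str]

    def matches(self, client: "Client") -> bool:
        # A client matches when both its category and OS are in the profile.
        return (client.category in self.categories
                and client.os in self.operating_systems)


@dataclass(frozen=True)
class Client:
    ip: str
    zone: str        # zone of the interface the client is connected to
    category: str    # device category as Device Insight would report it
    os: str          # operating system as Device Insight would report it


@dataclass(frozen=True)
class Policy:
    name: str
    from_zone: str
    to_zone: str
    action: str                                   # "allow" or "deny"
    device_profile: Optional[DeviceInsightProfile] = None


def evaluate(policies: List[Policy], client: Client, dst_zone: str,
             default_action: str = "allow") -> Tuple[str, Optional[str]]:
    """Return (action, rule name) for traffic from client to dst_zone.

    Rules are checked in order; the first one whose direction matches and
    whose Device Insight profile (if it has one) matches the client decides.
    Traffic matching no rule gets default_action (an assumption).
    """
    for rule in policies:
        if (rule.from_zone, rule.to_zone) != (client.zone, dst_zone):
            continue
        if rule.device_profile is not None and not rule.device_profile.matches(client):
            continue
        return rule.action, rule.name
    return default_action, None


# Constructed data mirroring the guide's example table.
MOBILE_PHONE = DeviceInsightProfile(
    name="MobilePhone",
    description="profile for mobile clients",
    categories=frozenset({"Mobile Phone/Tablet"}),
    # OS names are constructed labels, one per operating system in the table.
    operating_systems=frozenset({"Windows", "macOS", "Linux", "iOS", "Android", "Others"}),
)

POLICIES = [
    Policy("LAN2_To_LAN1", from_zone="LAN2", to_zone="LAN1",
           action="deny", device_profile=MOBILE_PHONE),
    # Constructed follow-up rule: other LAN2 clients may still reach LAN1.
    Policy("LAN2_To_LAN1_Allow", from_zone="LAN2", to_zone="LAN1", action="allow"),
]

# Constructed clients (addresses are sample values).
PHONE_ON_LAN2 = Client("192.168.2.10", "LAN2", "Mobile Phone/Tablet", "Android")
LAPTOP_ON_LAN2 = Client("192.168.2.20", "LAN2", "Computer", "Windows")
PHONE_ON_LAN1 = Client("192.168.1.10", "LAN1", "Mobile Phone/Tablet", "iOS")


def demo() -> dict:
    """Run the three constructed clients through the rule set."""
    return {
        "phone_lan2_to_lan1": evaluate(POLICIES, PHONE_ON_LAN2, "LAN1"),
        "laptop_lan2_to_lan1": evaluate(POLICIES, LAPTOP_ON_LAN2, "LAN1"),
        "phone_lan1_to_lan2": evaluate(POLICIES, PHONE_ON_LAN1, "LAN2"),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(flow, verdict)
```

The point to notice is the direction check: the phone on LAN1 is not affected, because the profile only takes effect through a rule whose From and To match the traffic, which is why the guide's final note about first configuring a policy for your own access matters.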
Zones Overview
Set up zones to configure network security and network policies in the Zyxel Device. A zone is a group of interfaces and/or VPN tunnels. The Zyxel Device uses zones instead of interfaces in many security and policy settings, such as Secure Policies rules, Security Service, and remote management.
Zones cannot overlap. Each Ethernet interface, VLAN interface, bridge interface, PPPoE/PPTP interface and VPN tunnel can be assigned to at most one zone. Virtual interfaces are automatically assigned to the same zone as the interface on which they run.
What You Need to Know
Zones effectively divide traffic into three types: intra-zone traffic, inter-zone traffic, and extra-zone traffic.
Intra-zone Traffic
Intra-zone traffic is traffic between interfaces or VPN tunnels in the same zone.
Inter-zone Traffic
Inter-zone traffic is traffic between interfaces or VPN tunnels in different zones.
Extra-zone Traffic
Extra-zone traffic is traffic to or from any interface or VPN tunnel that is not assigned to a zone.
Some zone-based security and policy settings may apply to extra-zone traffic, especially if you can set the zone attribute in them to Any or All. See the specific feature for more information.
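The zone rules in this overview, as an added Python example (not Zyxel code): it enforces that zones cannot overlap and that a virtual interface inherits the zone of the interface it runs on, then classifies a flow by the zones of its ingress and egress interfaces into intra-zone, inter-zone or extra-zone traffic. The interface names are constructed, and the treatment of Any in a rule as also covering extra-zone traffic is an assumption drawn from the paragraph above.

```python
"""Zone membership and traffic classification. Added example, not Zyxel code."""
from typing import Dict, Optional


class ZoneTable:
    def __init__(self) -> None:
        self._zone_of: Dict[str, str] = {}   # interface or VPN tunnel -> zone
        self._parent: Dict[str, str] = {}    # virtual interface -> real interface

    def assign(self, member: str, zone: str) -> None:
        """Put an interface or VPN tunnel into a zone; reject overlap."""
        if member in self._parent:
            raise ValueError(
                f"{member} is virtual; it takes the zone of {self._parent[member]}")
        current = self._zone_of.get(member)
        if current is not None and current != zone:
            raise ValueError(
                f"{member} already belongs to zone {current}; zones cannot overlap")
        self._zone_of[member] = zone

    def add_virtual(self, virtual: str, parent: str) -> None:
        """Register a virtual interface running on top of a real one."""
        self._parent[virtual] = parent

    def zone_of(self, name: str) -> Optional[str]:
        """Zone of an interface/tunnel, or None if it is not in any zone."""
        return self._zone_of.get(self._parent.get(name, name))

    def classify(self, ingress: str, egress: str) -> str:
        """intra-zone, inter-zone or extra-zone, per the definitions above."""
        zin, zout = self.zone_of(ingress), self.zone_of(egress)
        if zin is None or zout is None:
            return "extra-zone"
        return "intra-zone" if zin == zout else "inter-zone"

    def rule_matches(self, rule_from: str, rule_to: str,
                     ingress: str, egress: str) -> bool:
        """Does a zone-based rule (From/To, "Any" allowed) cover this flow?

        Assumption: "Any" also matches members that are in no zone, which is
        how the guide says extra-zone traffic can fall under a rule.
        """
        zin, zout = self.zone_of(ingress), self.zone_of(egress)
        return ((rule_from == "Any" or rule_from == zin)
                and (rule_to == "Any" or rule_to == zout))


def build_example() -> ZoneTable:
    """Constructed layout: two ports in LAN1, one WAN port, one unassigned tunnel."""
    zt = ZoneTable()
    zt.assign("lan1", "LAN1")
    zt.assign("lan2", "LAN1")
    zt.assign("wan1", "WAN")
    zt.add_virtual("lan1:1", "lan1")   # virtual interface on lan1
    # "vpn_branch" is deliberately left out of every zone
    return zt


def overlap_rejected(zt: ZoneTable, member: str, zone: str) -> bool:
    """True if assigning member to zone is refused by the overlap rule."""
    try:
        zt.assign(member, zone)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    table = build_example()
    for src, dst in [("lan1", "lan2"), ("lan1:1", "wan1"), ("lan1", "vpn_branch")]:
        print(src, "->", dst, table.classify(src, dst))
```

A flow involving the unassigned tunnel is extra-zone, so a rule from LAN1 to WAN never sees it while a rule from Any to WAN does; that is the practical reason to check which features honour Any before relying on a zone to contain traffic.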
Zone
The Zone screen provides a summary of all zones. In addition, this screen allows you to add, edit, and remove zones.
Configuration > Object > Zone 
Label
Description
User Configuration / System Default
The Zyxel Device comes with pre-configured System Default zones that you cannot delete. You can create your own User Configuration zones.
Add
Click this to create a new, user-configured zone.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove a user-configured zone, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry. Click Refresh to update information in this screen.
#
This field is a sequential value, and it is not associated with any interface.
Name
This field displays the name of the zone.
Member
This field displays the names of the interfaces that belong to each zone.
Reference
This field displays the number of times an Object Reference is used in a policy.
Zone Edit
The Zone Edit screen allows you to add or edit a zone.
Configuration > Object > Zone > Add/Edit 
Label
Description
Name
For a system default zone, the name is read only.
For a user-configured zone, type the name used to refer to the zone. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Member List
Available lists the interfaces and VPN tunnels that do not belong to any zone. Select the interfaces and VPN tunnels that you want to add to the zone you are editing, and click the right arrow button to add them.
Member lists the interfaces and VPN tunnels that belong to the zone. Select any interfaces that you want to remove from the zone, and click the left arrow button to remove them.
OK
Click OK to save your customized settings and exit this screen.
Cancel
Click Cancel to exit this screen without saving.
User/Group
This section describes how to set up user accounts, user groups, and user settings for the Zyxel Device. You can also set up rules that control when users have to log in to the Zyxel Device before the Zyxel Device routes traffic for them.
The User screen (see User/Group User Summary) provides a summary of all user accounts.
The Group screen (see User/Group Group Summary) provides a summary of all user groups. In addition, this screen allows you to add, edit, and remove user groups. User groups may consist of access users and other user groups. You cannot put admin users in user groups.
The Setting screen (see User/Group Setting) controls default settings, login settings, lockout settings, and other user settings for the Zyxel Device. You can also use this screen to specify when users must log in to the Zyxel Device before it routes traffic for them.
The MAC Address screen (see User/Group MAC Address Summary) allows you to configure the MAC addresses or OUI (Organizationally Unique Identifier) of wireless clients for MAC authentication using the local user database. The OUI is the first three octets in a MAC address and uniquely identifies the manufacturer of a network device.
What You Need To Know
User Account
A user account defines the privileges of a user logged into the Zyxel Device. User accounts are used in security policies, in addition to controlling access to configuration and services in the Zyxel Device.
User Types
These are the types of user accounts the Zyxel Device uses.
Types of User Accounts
Admin Users
  admin: Change Zyxel Device configuration (web, CLI). Login methods: WWW, TELNET, SSH, FTP, Console.
Access Users
  limited-admin: Look at Zyxel Device configuration (web, CLI); perform basic diagnostics (CLI); cannot execute commands such as 'show running-config'. Login methods: WWW, TELNET, SSH, Console.
  user: Access network services; browse user-mode commands (CLI). Login methods: WWW, TELNET, SSH.
  guest: Access network services. Login method: WWW.
  ext-user: External user account. Login method: WWW.
  ext-group-user: External group user account. Login method: WWW.
  guest-manager: Create dynamic guest accounts. Login method: WWW.
  dynamic-guest: Access network services. Login method: Hotspot Portal.
*The default admin account is always authenticated locally, regardless of the authentication method setting.
Ext-User Accounts
Set up an ext-user account if the user is authenticated by an external server and you want to set up specific policies for this user in the Zyxel Device. If you do not want to set up policies for this user, you do not have to set up an ext-user account.
All ext-user users should be authenticated by an external server, such as AD, LDAP or RADIUS. If the Zyxel Device tries to use the local database to authenticate an ext-user, the authentication attempt always fails.
Once an ext-user user has been authenticated, the Zyxel Device tries to get the user type from the external server. If the external server does not have the information, the Zyxel Device sets the user type for this session to User.
For the rest of the user attributes, such as reauthentication time, the Zyxel Device checks the following places, in order.
1 User account in the remote server.
2 User account (Ext-User) in the Zyxel Device.
3 Default user account for AD users (ad-users), LDAP users (ldap-users) or RADIUS users (radius-users) in the Zyxel Device.
See Setting up User Attributes in an External Server for a list of attributes and how to set up the attributes in an external server.
Ext-Group-User Accounts
Ext-group-user accounts work similarly to ext-user accounts but allow you to group users by the value of the group membership attribute configured for the AD or LDAP server. See Adding an Active Directory or LDAP Server for more on the group membership attribute.
Dynamic-Guest Accounts
Dynamic guest accounts are guest accounts, but are created dynamically and stored in the Zyxel Device’s local user database. A dynamic guest account has a dynamically-created user name and password. A dynamic guest account user can access the Zyxel Device’s services only within a given period of time and will become invalid after the expiration date/time.
There are three types of dynamic guest accounts depending on how they are created or authenticated: billing-users, ua-users and trial-users.
billing-users are guest accounts created with the guest manager account or an external printer and paid by cash, or created and paid through the on-line payment service. ua-users are users that log in from the user agreement page. trial-users are free guest accounts that are created with the Free Time function.
User Groups
User groups may consist of user accounts or other user groups. Use user groups when you want to create the same rule for several user accounts, instead of creating separate rules for each one.
*You cannot put access users and admin users in the same user group.
*You cannot put the default admin account into any user group.
The sequence of members in a user group is not important.
User Awareness
By default, users do not have to log into the Zyxel Device to use the network services it provides. The Zyxel Device automatically routes packets for everyone. If you want to restrict network services that certain users can use through the Zyxel Device, you can require them to log in to the Zyxel Device first. The Zyxel Device is then 'aware' of the user who is logged in and you can create 'user-aware policies' that define what services they can use. See User/Group Technical Reference for a user-aware login example.
Finding Out More
See User/Group Technical Reference for some information on users who use an external authentication server in order to log in.
The Zyxel Device supports TTLS using PAP so you can use the Zyxel Device’s local user database to authenticate users with WPA or WPA2 instead of needing an external RADIUS server.
User/Group User Summary
The User screen provides a summary of all user accounts.
Configuration > Object > User/Group > User 
Label
Description
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
Local Administrator
Use this table to view and configure the Zyxel Device admin accounts.
#
This field is a sequential value, and it is not associated with a specific user.
User Name
This field displays the user name of each user.
User Type
This field displays the admin accounts the Zyxel Device uses. Admin accounts are users that can look at and change the configuration of the Zyxel Device
Description
This field displays the description for each user.
Created Date
This field displays the date the account is created.
This field displays "-" if the account was created before the Zyxel Device upgraded its firmware to version 5.10 or later.
Password Last Change
This field displays the last time the user changed the account password.
Password Expired Date
This field displays the account password expiry date. The user should change the password before it expires.
Reference
This displays the number of times an object reference is used in a profile.
User
Use this table to configure the Zyxel Device:
Limited-admin accounts.
User accounts.
Guest accounts.
Ext-user accounts.
Ext-group-user accounts.
#
This field is a sequential value, and it is not associated with a specific user.
User Name
This field displays the user name of each user.
User Type
This field displays the types of user accounts the Zyxel Device uses:
limited-admin - this user can look at the configuration of the Zyxel Device but not change it.
dynamic-guest - this user has access to the Zyxel Device’s services but cannot look at the configuration.
user - this user has access to the Zyxel Device’s services and can also browse user-mode commands (CLI).
guest - this user has access to the Zyxel Device’s services but cannot look at the configuration
ext-user - this user account is maintained in a remote server, such as RADIUS or LDAP.
ext-group-user - this user account is maintained in a remote server, such as RADIUS or LDAP.
guest-manager - this user can log in through the web configurator login screen and create dynamic guest accounts using the Account Generator screen that pops up.
Description
This field displays the description for each user.
Create Date
This field displays the date the account is created.
Password Last Change
This field displays the last time the user changes the account password.
Reference
This displays the number of times an object reference is used in a profile.
User Add/Edit General
The User Add/Edit General screen allows you to create a new user account or edit an existing one.
Rules for User Names
Enter a user name from 1 to 31 characters.
The user name can only contain the following characters:
Alphanumeric A-z 0-9 (there is no unicode support)
_ [underscores]
- [dashes]
The first character must be alphabetical (A-Z a-z), an underscore (_), or a dash (-). Other limitations on user names are:
User names are case-sensitive. If you enter a user 'bob' but use 'BOB' when connecting through CIFS or FTP, it will use the account settings used for 'BOB' not ‘bob’.
User names have to be different than user group names.
Here are the reserved user names:
adm
admin
any
bin
daemon
debug
devicehaecived
ftp
games
halt
ldap-users
lp
mail
news
nobody
operator
radius-users
root
shutdown
sshd
sync
uucp
zyxel
Configuration > Object > User/Group > User > Add/Edit_General 
Label
Description
User Name
Type the user name for this user account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. User names have to be different than user group names, and some words are reserved.
User Type
This field is not available if you’re adding an account to the Local Administrator table.
Select the types of user accounts the Zyxel Device uses from the drop-down list box:
limited-admin - this user can look at the configuration of the Zyxel Device but not change it.
user - this user has access to the Zyxel Device’s services and can also browse user-mode commands (CLI).
guest - this user has access to the Zyxel Device’s services but cannot look at the configuration.
ext-user - this user account is maintained in a remote server, such as RADIUS or LDAP.
ext-group-user - this user account is maintained in a remote server, such as RADIUS or LDAP.
Password
This field is not available if you select the ext-user or ext-group-user type.
Enter a password of from 1 to 64 characters for this user account. If you selected Enable Password Complexity in Configuration > Object > User/Group > Setting, it must consist of at least 8 characters and at most 64. At least 1 character must be a number, at least 1 a lower case letter, at least 1 an upper case letter and at least 1 a special character from the keyboard, such as !@#$%^&*()_+.
*After the first login, you are not allowed to set the password to 1234.
Retype
This field is not available if you select the ext-user or ext-group-user type.
Group Identifier
This field is available for an ext-group-user type user account.
Specify the value of the AD or LDAP server’s Group Membership Attribute that identifies the group to which this user belongs.
Associated AAA Server Object
This field is available for an ext-group-user type user account. Select the AAA server to use to authenticate this account's users.
Description
Enter the description of each user, if any. You can use 1 to 63 single-byte characters, including 0-9a-zA-Z!"#$%'()*+,-/:;=?@_ while &.<>[\]{|}^` are not allowed. Default descriptions are provided.
Email
Type one or more valid email addresses for this user so that email messages can be sent to this user if required. A valid email address must contain the @ character. For example, this is a valid email address: abc@example.com.
Mobile Number
Type a valid mobile telephone number for this user so that SMS messages can be sent to this user if required. A valid mobile telephone number can be up to 20 characters in length, including the numbers 1~9 and the following characters in the square brackets [+*#()-].
Send Code
This button is available when the user type is admin or limited-admin.
Click this and an authorization email or SMS message with a code of six digits will be sent to the email addresses or mobile telephone number you put in.
Enter the verification code to verify your email addresses or mobile telephone number.
Authentication Timeout Settings
If you want the system to use default settings, select Use Default Settings. If you want to set authentication timeout to a value other than the default settings, select Use Manual Settings then fill your preferred values in the fields that follow.
Lease Time
If you select Use Default Settings in the Authentication Timeout Settings field, the default lease time is shown.
If you select Use Manual Settings, you need to enter the number of minutes this user has to renew the current session before the user is logged out. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Admin users renew the session every time the main screen refreshes in the Web Configurator. Access users can renew the session by clicking the Renew button on their screen. If you allow access users to renew time automatically, the users can select this checkbox on their screen as well. In this case, the session is automatically renewed before the lease time expires.
Reauthentication Time
If you select Use Default Settings in the Authentication Timeout Settings field, the default reauthentication time is shown.
If you select Use Manual Settings, you need to type the number of minutes this user can be logged into the Zyxel Device in one session before the user has to log in again. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Unlike Lease Time, the user has no opportunity to renew the session without logging out.
User VLAN ID
This field is available for an ext-group-user type user account.
Select this option to enable dynamic VLAN assignment on the Zyxel Device. When a user is authenticated successfully, all data traffic from this user is tagged with the VLAN ID number you specify here.
This allows you to assign a user of the ext-group-user type to a specific VLAN based on the user credentials instead of using an AAA server.
Configuration Validation
Use a user account from the group specified above to test if the configuration is correct. Enter the account’s user name in the User Name field and click Test.
OK
Click OK to save your changes back to the Zyxel Device and close the screen.
Cancel
Click Cancel to exit this screen without saving your changes.
Save
This button is only available when adding a new user. Click Save to save your changes back to the Zyxel Device and then go to the Two-factor Authentication screen.
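The name, description and password rules from Rules for User Names and from the User Name, Description and Password fields above, as an added Python example. This is not Zyxel code and does not claim to reproduce the device's own checks: it encodes the rules as the guide states them (1-31 characters from A-Z a-z 0-9 _ -, first character not a digit, case-sensitive, different from group names, reserved words rejected; 1-63 single-byte characters with the listed characters disallowed; 1-64 characters, or 8-64 with a number, lower case, upper case and keyboard special character when password complexity is enabled, and 1234 rejected after the first login). The reserved-name list is the one printed above; the set of "special" characters is taken to be ASCII punctuation, which is an assumption.

```python
"""Validators for the user name, description and password rules. Added example, not Zyxel code."""
import re
import string
from typing import Iterable, List

# Reserved names as listed in Rules for User Names.
RESERVED_USER_NAMES = frozenset({
    "adm", "admin", "any", "bin", "daemon", "debug", "devicehaecived", "ftp",
    "games", "halt", "ldap-users", "lp", "mail", "news", "nobody", "operator",
    "radius-users", "root", "shutdown", "sshd", "sync", "uucp", "zyxel",
})
# 1-31 characters; first one alphabetical, underscore or dash; no unicode.
NAME_RE = re.compile(r"[A-Za-z_-][A-Za-z0-9_-]{0,30}")
DESCRIPTION_FORBIDDEN = frozenset("&.<>[\\]^`{|}")
PASSWORD_SPECIALS = frozenset(string.punctuation)   # assumption: keyboard specials


def validate_user_name(name: str, group_names: Iterable[str] = ()) -> List[str]:
    """Return the rule violations for a user name (empty list = acceptable)."""
    errors = []
    if not NAME_RE.fullmatch(name):
        errors.append("1-31 characters from A-Z a-z 0-9 _ -, first character not a digit")
    if name in RESERVED_USER_NAMES:
        errors.append(f"'{name}' is a reserved user name")
    if name in set(group_names):            # exact, case-sensitive comparison
        errors.append(f"'{name}' is already a user group name")
    return errors


def validate_description(text: str) -> List[str]:
    """Return the rule violations for a description."""
    errors = []
    if not 1 <= len(text) <= 63:
        errors.append("description must be 1 to 63 characters")
    if any(ord(c) > 127 for c in text):
        errors.append("only single-byte characters are allowed")
    bad = sorted(set(text) & DESCRIPTION_FORBIDDEN)
    if bad:
        errors.append("disallowed characters: " + "".join(bad))
    return errors


def validate_password(password: str, complexity_enabled: bool,
                      first_login_done: bool = True) -> List[str]:
    """Return the rule violations for a password under the chosen setting."""
    errors = []
    low, high = (8, 64) if complexity_enabled else (1, 64)
    if not low <= len(password) <= high:
        errors.append(f"password must be {low} to {high} characters")
    if complexity_enabled:
        checks = {
            "a number": any(c.isdigit() for c in password),
            "a lower case letter": any(c.islower() for c in password),
            "an upper case letter": any(c.isupper() for c in password),
            "a special character": any(c in PASSWORD_SPECIALS for c in password),
        }
        errors += [f"password needs at least {what}"
                   for what, ok in checks.items() if not ok]
    if first_login_done and password == "1234":
        errors.append("1234 is not allowed after the first login")
    return errors


if __name__ == "__main__":
    # Constructed sample inputs.
    print(validate_user_name("bob", group_names=["staff"]))
    print(validate_user_name("root"))
    print(validate_description("profile for mobile clients"))
    print(validate_password("password", complexity_enabled=True))
```

Because the comparison with group names is case-sensitive, a user named BOB is accepted even when a group named bob exists; the guide's CIFS/FTP note above is the operational consequence of that distinction, so it is worth keeping account and group names distinct regardless of case.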
User Add/Edit Two-factor Authentication
The User Add/Edit Two-factor Authentication screen allows you to create two-factor security for VPN access or admin access for this user to the Zyxel Device.
Two-factor authentication adds an extra layer of security for users logging into the Zyxel Device. When two-factor authentication is enabled, a user has to first enter their username and password, and then click on a temporary link or enter a one-time password when logging in.
You can enable two-factor authentication for users who are logging into the Zyxel Device to create a VPN tunnel (VPN access), and for administrator and limited admin users who are logging into the Web Configurator or CLI (admin access) to configure the Zyxel Device.
Two Factor Authentication Methods
Access Type   Two-Factor Authentication Method   Factor 2 Password
VPN           SMS                                Code
VPN           Email                              Link
VPN           Google Authenticator app           Code
Admin         SMS                                Code
Admin         Email                              Link
Admin         Google Authenticator app           Code
You must first enable two-factor authentication on the Zyxel Device in Object > Auth. Method > Two-factor Authentication > VPN Access and Object > Auth. Method > Two-factor Authentication > Admin Access. See Two-Factor Authentication and Two-Factor Authentication Admin Access for more prerequisites and other information.
In Object > User/Group > User, click Add to create a new entry or select an entry and click Edit to modify the entry. You must create a user account first before you can edit the two-factor authentication settings.
You can configure two-factor authentication for non-VPN and non-admin users in web authentication.
*The admin two-factor authentication settings override the web authentication two-factor authentication settings.
The following table describes the labels in this screen.
Configuration > Object > User/Group > User > Add_Two-factor Authentication 
Label
Description
Enable Two-factor Authentication for VPN Access
Select this to require two-factor authentication for this user to use a pre-configured VPN tunnel for secure access to a network behind the Zyxel Device. Select the types of VPN allowed in Object > Auth. Method > Two-factor Authentication > VPN Access. You may choose from:
SSL VPN Access
IPSec VPN Access
L2TP/IPSec VPN Access
Enable Two-factor Authentication for Admin Access
Select this to require two-factor authentication for an admin user to access the Zyxel Device. Select the types of access allowed in Object > Auth. Method > Two-factor Authentication > Admin Access. You may choose from:
Web
SSH
TELNET
Two-factor Auth. Method
Select Default or User Defined and select from PIN code by SMS/Email or Google Authenticator.
Set up Google Authenticator
If you chose Google Authenticator for offline two-factor authentication, on your mobile device, go to an app store to download Google Authenticator. To add your account to Google Authenticator, press the plus (+) icon, select Scan Barcode, then use your mobile device's camera to scan the barcode. Finally enter the verification code you receive on your mobile device in Verify your device.
View your backup codes
You see this after successful Google authentication. In the event that you do not have access to email or your mobile device, click Download to create backup codes as second-factor authentication. Make sure to put them in a safe place.
Verify your device
In the event that you do not have access to email or your mobile device, enter a backup code here as second-factor authentication. You can use each code only once. If you generate a new set of backup codes (Regenerate backup codes), the old set becomes obsolete.
Revoke
Click this to cancel Google authentication as second-factor authentication for Admin Access. You must then use a PIN code by SMS or email as second-factor authentication instead.
OK
Click OK to save your changes back to the Zyxel Device and close the screen.
Cancel
Click Cancel to exit this screen without saving your changes.
Google Two-Factor Authentication Setup Example
You can use two-factor authentication through SMS, email or Google Authenticator (more secure). Google Authenticator is more secure as it generates a new code every 30 seconds, and each code expires in 30 seconds.
Two-Factor with Google Authenticator Overview
Enable Google Authentication for a User
Go to Configuration > Object > User/Group > User , select a user, and click Edit. The following screen appears. Click Set up Google Authenticator.
Configuration > Object > User/Group > User > Edit User > Two-Factor Authentication
Set Up Google Authenticator
Follow the instructions on the Configuration > Object > User/Group > User > Edit User > Two-Factor Authentication screen to set up Google Authenticator.
Configuration > Object > User/Group > User > Edit User > Two-Factor Authentication
1 Download and install Google Authenticator from Google Play or the App Store on your mobile device.
2 Open the Google Authenticator app and scan the QR code on the screen.
3 Enter the code displayed in Google Authenticator from the previous step in the Web Configurator, then click Verify Code and finish to complete the verification.
4 If two-factor verification is successful, the following message appears. If it fails, an error message will be displayed. Try again when the next code appears and ensure you enter the correct code within the time limit.
5 After 2FA registration is successfully set up, backup codes will be available in Configuration > Object > User/Group > User > Edit User > Two-Factor Authentication. These codes can be used for device login if you don't have access to the application on your mobile device. Download the backup codes and store them in a safe place.
*If you click Regenerate backup codes or revoke the Google Authenticator registration and re-register, the backup codes will change.
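How the codes in the Google Two-Factor Authentication Setup Example come about, as an added Python example. Google Authenticator implements RFC 6238 TOTP (HMAC-SHA1 over a 30-second time step, 6 digits) on a secret shared through the QR code, which is why a new code appears every 30 seconds. The Zyxel Device's own verifier and QR payload are not shown in the guide, so everything here is illustrative rather than Zyxel's or Google's code: the verifier, its one-step tolerance for clock skew, the replay guard and the single-use backup-code store are assumptions written to show the mechanism. The key is the RFC 6238 test-vector key, so the output can be checked against the RFC, and it is not a real secret.

```python
"""TOTP as used by Google Authenticator, plus single-use backup codes.
Added example, not Zyxel or Google code."""
import base64
import hashlib
import hmac
import secrets
import struct
from typing import List, Optional, Set

STEP_SECONDS = 30      # a new code every 30 seconds
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(key, int(unix_time) // step)


def secret_for_qr(key: bytes) -> str:
    """Base32 form of the secret, the encoding authenticator apps expect
    inside the QR code (the Zyxel Device's exact QR payload is not shown)."""
    return base64.b32encode(key).decode().rstrip("=")


class TotpVerifier:
    """Checks a submitted code, tolerating `window` steps of clock skew either
    way and never accepting a time step at or before one already used."""

    def __init__(self, key: bytes, window: int = 1) -> None:
        self._key = key
        self._window = window
        self._last_accepted_step: Optional[int] = None

    def verify(self, code: str, unix_time: int) -> bool:
        now = int(unix_time) // STEP_SECONDS
        for delta in range(-self._window, self._window + 1):
            step = now + delta
            if self._last_accepted_step is not None and step <= self._last_accepted_step:
                continue    # replay guard: this step was already consumed
            if hmac.compare_digest(hotp(self._key, step), code):
                self._last_accepted_step = step
                return True
        return False


class BackupCodes:
    """Single-use fallback codes: only hashes are stored, each code works
    once, and regenerating discards the old set (as the guide notes)."""

    def __init__(self, count: int = 10) -> None:
        self._hashes: Set[str] = set()
        self.plain: List[str] = []
        self.regenerate(count)

    @staticmethod
    def _h(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def regenerate(self, count: int = 10) -> List[str]:
        codes = [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(count)]
        self._hashes = {self._h(c) for c in codes}
        self.plain = codes          # shown once, to be stored in a safe place
        return codes

    def redeem(self, code: str) -> bool:
        h = self._h(code)
        if h in self._hashes:
            self._hashes.remove(h)  # a code can be used only once
            return True
        return False


# RFC 6238 test-vector key; not a real secret.
RFC6238_KEY = b"12345678901234567890"


if __name__ == "__main__":
    print("base32 secret:", secret_for_qr(RFC6238_KEY))
    print("code at t=59:", totp(RFC6238_KEY, 59))
    backup = BackupCodes(5)
    print("backup codes:", backup.plain)
```

The verifier illustrates two properties the guide relies on: a code submitted after its 30-second step has passed is rejected unless it falls inside the small skew window, and a code that has been accepted once is refused if presented again, so the "try again when the next code appears" advice in step 4 is the correct recovery path.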
Configure Two-Factor Authentication for a Remote VPN User
Follow these steps to set a valid time and allowed login method for a remote user who connects securely to the network behind the Zyxel Device through a Virtual Private Network (VPN):
1 Go to Configuration > Object > Auth. Method > Two-factor Authentication > VPN Access and configure the following fields:
Valid time (optional): Enter the maximum time (in minutes) within which you must enter the code from Google Authenticator in order to get authorization for the VPN connection.
Two-factor Authentication for Services: Select which kinds of VPN tunnels require Two-Factor Authentication. You should have configured the VPN tunnel first.
Deliver Authorize Link Method: Select Google Authenticator. You will receive an authentication code in Google Authenticator. Log in to the Zyxel Device by entering the authentication code from Google Authenticator.
Authorized Port: Configure a new port between 1024 and 65535 that is not in use by other services. Use this port for two-factor authentication of VPN clients to access the network behind the Zyxel Device. VPN clients do not need to change the port number on their devices, because the link to access the network behind the Zyxel Device will contain the new port number.
2 Click Apply to save the changes to the Zyxel Device.
Test the Remote VPN Two-Factor Authentication
To verify whether the remote VPN user can successfully use two-factor authentication to access the Zyxel Device, follow these steps:
1 The remote user should establish a VPN connection using a VPN client application. See The VPN Connection Screen for more information about establishing a VPN connection.
2 The Web Configurator displays the following screen. Enter the code shown in Google Authenticator and click Authorize.
*If you don’t have a mobile device on hand, you can find a backup code in Configuration > Object > User/Group > User > Edit User > Two-Factor Authentication and enter it.
3 The remote VPN user can now access the Zyxel Device.
User/Group Group Summary
User groups consist of access users and other user groups. You cannot put admin users in user groups. The Group screen provides a summary of all user groups. In addition, this screen allows you to add, edit, and remove user groups.
Configuration > Object > User/Group > Group 
Label
Description
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Removing a group does not remove the user accounts in the group.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific user group.
Group Name
This field displays the name of each user group.
Description
This field displays the description for each user group.
Member
This field lists the members in the user group. Each member is separated by a comma.
Reference
This displays the number of times an object reference is used in a profile.
Group Add/Edit
The Group Add/Edit screen allows you to create a new user group or edit an existing one.
Configuration > Object > User/Group > Group > Add 
Label
Description
Name
Type the name for this user group. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. User group names have to be different than user names.
Description
Enter the description of the user group, if any. You can use up to 60 characters, punctuation marks, and spaces.
Member List
The Member list displays the names of the users and user groups that have been added to the user group. The order of members is not important. Select users and groups from the Available list that you want to be members of this group and move them to the Member list. You can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and use the arrow button to move them.
Move any members you do not want included to the Available list.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
User/Group Setting
The Setting screen controls default settings, login settings, lockout settings, and other user settings for the Zyxel Device. You can also use this screen to specify when users must log in to the Zyxel Device before it routes traffic for them.
Configuration > Object > User/Group > Setting 
Label
Description
User Authentication Timeout Settings
Default Authentication Timeout Settings
These authentication timeout settings are used by default when you create a new user account. They also control the settings for any existing user accounts that are set to use the default settings. You can still manually configure any user account’s authentication timeout settings.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
#
This field is a sequential value, and it is not associated with a specific entry.
User Type
These are the kinds of user account the Zyxel Device supports.
admin - this user can look at and change the configuration of the Zyxel Device
limited-admin - this user can look at the configuration of the Zyxel Device but cannot change it
user - this user has access to the Zyxel Device’s services but cannot look at the configuration
guest - this user has access to the Zyxel Device’s services but cannot look at the configuration
ext-user - this user account is maintained in a remote server, such as RADIUS or LDAP.
ext-group-user - this user account is maintained in a remote server, such as RADIUS or LDAP.
Lease Time
This is the default lease time in minutes for each type of user account. It defines the number of minutes the user has to renew the current session before the user is logged out.
Admin users renew the session every time the main screen refreshes in the Web Configurator. Access users can renew the session by clicking the Renew button on their screen. If you allow access users to renew time automatically, the users can select this checkbox on their screen as well. In this case, the session is automatically renewed before the lease time expires.
Reauthentication Time
This is the default reauthentication time in minutes for each type of user account. It defines the number of minutes the user can be logged into the Zyxel Device in one session before having to log in again. Unlike Lease Time, the user has no opportunity to renew the session without logging out.
Miscellaneous Settings
Allow renewing lease time automatically
Select this checkbox if access users can renew lease time automatically, as well as manually, simply by selecting the Updating lease time automatically checkbox on their screen.
Enable user idle detection
This is applicable for access users.
Select this checkbox if you want the Zyxel Device to monitor how long each access user is logged in and idle (in other words, there is no traffic for this access user). The Zyxel Device automatically logs out the access user once the User idle timeout has been reached.
User idle timeout
This is applicable for access users.
This field is effective when Enable user idle detection is checked. Type the number of minutes each access user can be logged in and idle before the Zyxel Device automatically logs out the access user.
Login Security
Password must be changed every (days):
Enter how often local users of User Type ‘admin’ must change their login passwords. You can choose from once a day to once a year.
Password reset link (FQDN/IP):
Specify the Zyxel Device that the password reset link points to. The default is this Zyxel Device (myrouter); select Custom to enter an IP address or Fully Qualified Domain Name (FQDN) instead.
Enable Password Complexity
Select this to enforce the following conditions in a user password. Requiring a strong password is good for security. The conditions are that the password must consist of at least 8 characters and at most 64. At least 1 character must be a number, at least 1 a lower case letter, at least 1 an upper case letter and at least 1 a special character from the keyboard, such as !@#$%^&*()_+.
User Logon Settings
Limit the number of simultaneous logons for administration account
Select this checkbox if you want to set a limit on the number of simultaneous logins by admin users. If you do not select this, admin users can log in as many times as they want at the same time, from the same or different IP addresses.
Maximum number per administration account
This field is effective when Limit ... for administration account is checked. Type the maximum number of simultaneous logins by each admin user.
Limit the number of simultaneous logons for access account
Select this checkbox if you want to set a limit on the number of simultaneous logins by non-admin users. If you do not select this, access users can log in as many times as they want as long as they use different IP addresses.
Maximum number per access account
This field is effective when Limit ... for access account is checked. Type the maximum number of simultaneous logins by each access user.
User IP Lockout Settings
Enable logon retry limit
Select this checkbox to set a limit on the number of times each user can log in unsuccessfully (for example, with a wrong password) before the IP address is locked out for a specified amount of time.
Maximum retry count
This field is effective when Enable logon retry limit is checked. Type the maximum number of times each user can log in unsuccessfully before the IP address is locked out for the specified lockout period. The number must be between 1 and 99.
Lockout period
This field is effective when Enable logon retry limit is checked. Type the number of minutes the user must wait before trying to log in again once the maximum retry count is reached. This number must be between 1 and 65,535 (about 45.5 days).
Apply
Click Apply to save the changes.
Reset
Click Reset to return the screen to its last-saved settings.
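The User IP Lockout Settings describe a per-IP counter with a timed lockout. The following is an added example, not Zyxel’s code, that models that logic with the documented ranges (retry count 1 to 99, lockout period 1 to 65,535 minutes) so the behaviour can be checked offline; times are Unix seconds supplied by the caller, and the IP addresses in the usage are constructed.

```python
from collections import defaultdict


class LogonRetryLimiter:
    """Failed-login counter per source IP with a timed lockout, modelled on
    'Enable logon retry limit', 'Maximum retry count' and 'Lockout period'."""

    def __init__(self, max_retry: int = 5, lockout_minutes: int = 30):
        if not 1 <= max_retry <= 99:
            raise ValueError("Maximum retry count must be between 1 and 99")
        if not 1 <= lockout_minutes <= 65535:
            raise ValueError("Lockout period must be between 1 and 65535 minutes")
        self.max_retry = max_retry
        self.lockout_seconds = lockout_minutes * 60
        self._failures = defaultdict(int)   # ip -> consecutive failed attempts
        self._locked_until = {}             # ip -> unix time at which the lockout ends

    def is_locked(self, ip: str, now: int) -> bool:
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # Lockout period elapsed: forget the history so the IP starts clean.
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip: str, now: int, password_ok: bool) -> str:
        """Return 'ok', 'fail' or 'locked'. A correct password during a lockout is
        still rejected; that is what stops online guessing from that address."""
        if self.is_locked(ip, now):
            return "locked"
        if password_ok:
            self._failures.pop(ip, None)
            return "ok"
        self._failures[ip] += 1
        if self._failures[ip] >= self.max_retry:
            self._locked_until[ip] = now + self.lockout_seconds
            return "locked"
        return "fail"

    def seconds_remaining(self, ip: str, now: int) -> int:
        return self._locked_until[ip] - now if self.is_locked(ip, now) else 0


if __name__ == "__main__":
    limiter = LogonRetryLimiter(max_retry=3, lockout_minutes=1)
    for t in range(3):
        print(limiter.attempt("198.51.100.7", t, password_ok=False))   # fail, fail, locked
    print(limiter.attempt("198.51.100.7", 10, password_ok=True))       # locked
```

Because the lockout keys on the source IP, many users behind one NAT address share one counter: a single misbehaving client (or an attacker who knows that address) can lock the whole office out for the lockout period, while an attacker rotating source addresses is slowed only per address. Pair the limit with password complexity and the simultaneous-logon limits rather than relying on it alone.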
Default User Authentication Timeout Settings Edit
The Default Authentication Timeout Settings Edit screen allows you to set the default authentication timeout settings for the selected type of user account. These default authentication timeout settings also control the settings for any existing user accounts that are set to use the default settings. You can still manually configure any user account’s authentication timeout settings.
Configuration > Object > User/Group > Setting > Edit 
Label
Description
User Type
This read-only field identifies the type of user account for which you are configuring the default settings.
admin - this user can look at and change the configuration of the Zyxel Device
limited-admin - this user can look at the configuration of the Zyxel Device but cannot change it.
dynamic-guest - this user has access to the Zyxel Device’s services but cannot look at the configuration.
user - this user has access to the Zyxel Device’s services but cannot look at the configuration.
guest - this user has access to the Zyxel Device’s services but cannot look at the configuration.
ext-user - this user account is maintained in a remote server, such as RADIUS or LDAP.
ext-group-user - this user account is maintained in a remote server, such as RADIUS or LDAP.
guest-manager - this user can log in through the web configurator login screen and create dynamic guest accounts using the Account Generator screen that pops up.
Lease Time
Enter the number of minutes this type of user account has to renew the current session before the user is logged out. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited.
Admin users renew the session every time the main screen refreshes in the Web Configurator. Access users can renew the session by clicking the Renew button on their screen. If you allow access users to renew time automatically, the users can select this checkbox on their screen as well. In this case, the session is automatically renewed before the lease time expires.
Reauthentication Time
Type the number of minutes this type of user account can be logged into the Zyxel Device in one session before the user has to log in again. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Unlike Lease Time, the user has no opportunity to renew the session without logging out.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
User Aware Login Example
Access users cannot use the Web Configurator to browse the configuration of the Zyxel Device. Instead, after access users log into the Zyxel Device, they see the following screen.
Web Configurator for Non-Admin Users 
Label
Description
User-defined lease time (max ... minutes)
Access users can specify a lease time shorter than or equal to the one that you specified. The default value is the lease time that you specified.
Renew
Access users can click this button to reset the lease time, the amount of time remaining before the Zyxel Device automatically logs them out. The Zyxel Device sets this amount of time according to the:
User-defined lease time field in this screen
Lease time field in the User Add/Edit screen
Lease time field in the Setting screen .
Updating lease time automatically
This box appears if you checked the Allow renewing lease time automatically box in the Setting screen. Access users can select this checkbox to reset the lease time automatically 30 seconds before it expires. Otherwise, access users have to click the Renew button to reset the lease time.
Remaining time before lease timeout
This field displays the amount of lease time that remains, though the user might be able to reset it.
Remaining time before auth. timeout
This field displays the amount of time that remains before the Zyxel Device automatically logs the access user out, regardless of the lease time.
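The interaction of the three timers (renewable lease, fixed reauthentication deadline, optional idle timeout) is easier to see in code than in the table. The following is an added example, not Zyxel’s code, that models an access-user session as the Setting, User Add/Edit and non-admin screens describe it: the user may choose a lease no longer than the configured one, automatic renewal fires 30 seconds before the lease ends, and no renewal moves the reauthentication deadline. The value 0 means unlimited, as on the screen; all times are Unix seconds passed in by the caller.

```python
class AccessUserSession:
    """Session state for an access user. Times are Unix seconds; 0 minutes = unlimited."""

    AUTO_RENEW_LEAD = 30   # 'Updating lease time automatically' renews this many seconds early

    def __init__(self, login_time: int, lease_min: int, reauth_min: int, idle_timeout_min: int = 0):
        self.lease_min = lease_min
        self.lease_expiry = login_time + lease_min * 60 if lease_min else None
        self.reauth_deadline = login_time + reauth_min * 60 if reauth_min else None
        self.idle_seconds = idle_timeout_min * 60
        self.last_traffic = login_time

    def logout_reason(self, now: int):
        """None while the session is valid, otherwise the timer that ended it. The
        reauthentication deadline is checked first because nothing can extend it."""
        if self.reauth_deadline is not None and now >= self.reauth_deadline:
            return "reauth"
        if self.lease_expiry is not None and now >= self.lease_expiry:
            return "lease"
        if self.idle_seconds and now - self.last_traffic >= self.idle_seconds:
            return "idle"
        return None

    def traffic(self, now: int) -> None:
        """Any traffic from the user resets the idle clock of a live session."""
        if self.logout_reason(now) is None:
            self.last_traffic = now

    def renew(self, now: int, user_lease_min=None) -> bool:
        """The Renew button. The user may ask for a shorter lease than the configured
        maximum, never a longer one. Returns False if the session has already ended."""
        if self.logout_reason(now) is not None:
            return False
        if self.lease_expiry is None:   # unlimited lease: nothing to renew
            return True
        minutes = self.lease_min if user_lease_min is None else min(user_lease_min, self.lease_min)
        self.lease_expiry = now + minutes * 60
        return True

    def auto_renew_due(self, now: int) -> bool:
        return self.lease_expiry is not None and now >= self.lease_expiry - self.AUTO_RENEW_LEAD

    def remaining(self, now: int):
        """(seconds before lease timeout, seconds before auth. timeout), None = unlimited."""
        lease = None if self.lease_expiry is None else max(0, self.lease_expiry - now)
        auth = None if self.reauth_deadline is None else max(0, self.reauth_deadline - now)
        return lease, auth


if __name__ == "__main__":
    s = AccessUserSession(login_time=0, lease_min=10, reauth_min=60)
    print(s.auto_renew_due(570), s.renew(570), s.remaining(570))   # True True (600, 3030)
    print(s.logout_reason(3600))                                    # reauth
```

The practical consequence: an unlimited lease with an unlimited reauthentication time (both 0) leaves an authenticated session alive for as long as the device is up, so a bounded reauthentication time is the setting that caps how long a stolen or abandoned session stays usable.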
User/Group MAC Address Summary
This screen shows the MAC addresses of wireless clients, which can be authenticated by their MAC addresses using the local user database.
*You need to configure an SSID security profile’s MAC authentication settings to have the AP use the Zyxel Device’s local database to authenticate wireless clients by their MAC addresses.
Configuration > Object > User/Group > MAC Address  
Label
Description
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
MAC Address/OUI
This field displays the MAC address or OUI (Organizationally Unique Identifier of computer hardware manufacturers) of wireless clients using MAC authentication with the Zyxel Device local user database.
Description
This field displays a description of the device identified by the MAC address or OUI.
MAC Address Add/Edit
This screen allows you to create a new allowed device or edit an existing one.
Configuration > Object > User/Group > MAC Address > Add 
Label
Description
MAC Address/OUI
Type the MAC address (six hexadecimal number pairs separated by colons or hyphens) or OUI (three hexadecimal number pairs separated by colons or hyphens) to identify specific wireless clients for MAC authentication using the Zyxel Device local user database. The OUI is the first three octets in a MAC address and uniquely identifies the manufacturer of a network device.
Description
Enter an optional description of the wireless device(s) identified by the MAC or OUI. You can use up to 60 characters, punctuation marks, and spaces.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
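The MAC Address screens accept either a full MAC address (six hexadecimal pairs) or an OUI (three pairs), with colons or hyphens as separators. The following is an added example, not Zyxel’s code, that parses both forms, rejects malformed entries, and looks a connecting client up the way such a local database would be consulted. It assumes that an exact MAC entry takes precedence over a matching OUI entry (the page does not say), and the MAC addresses in the usage are constructed.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def normalize(entry: str) -> str:
    """Accept a MAC (six hex pairs) or an OUI (three hex pairs) separated by ':' or '-'
    and return the lower-case colon form. Mixed separators or wrong lengths are rejected."""
    text = entry.strip()
    parts = text.split("-" if "-" in text else ":")
    if len(parts) not in (3, 6) or not all(_HEX_PAIR.fullmatch(p) for p in parts):
        raise ValueError(f"not a MAC address or OUI: {entry!r}")
    return ":".join(p.lower() for p in parts)


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet is set on locally administered addresses, which is what
    OS-level MAC randomization produces; such addresses carry no vendor OUI."""
    return bool(int(normalize(mac)[:2], 16) & 0x02)


class MacAuthDatabase:
    """Local MAC-authentication list: exact MACs and OUI prefixes, each with a description."""

    def __init__(self, entries: Iterable[Tuple[str, str]]):
        self.macs: Dict[str, str] = {}
        self.ouis: Dict[str, str] = {}
        for value, description in entries:
            key = normalize(value)
            (self.ouis if key.count(":") == 2 else self.macs)[key] = description

    def lookup(self, client_mac: str) -> Optional[str]:
        """Description of the matching entry, exact MAC before OUI (assumed order);
        None when the client is not listed."""
        key = normalize(client_mac)
        if len(key) != 17:
            raise ValueError("a client MAC address must have six octets")
        if key in self.macs:
            return self.macs[key]
        return self.ouis.get(key[:8])

    def is_authorized(self, client_mac: str) -> bool:
        return self.lookup(client_mac) is not None


if __name__ == "__main__":
    db = MacAuthDatabase([("00:1A:2B:3C:4D:5E", "lobby printer"), ("F4-2E-7F", "vendor laptops")])
    print(db.lookup("00-1a-2b-3c-4d-5e"), db.lookup("f4:2e:7f:11:22:33"), db.lookup("02:1a:2b:3c:4d:5e"))
```

Treat MAC authentication as an inventory filter, not an identity check: a MAC address is sent in the clear in every frame and can be set to any value by the client, and phones and laptops that randomize their address per SSID set the locally administered bit, so they will never match an OUI entry. Use it alongside WPA2/WPA3 or 802.1X, not instead of them.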
User/Group Technical Reference
This section provides some information on users who use an external authentication server in order to log in.
Setting up User Attributes in an External Server
To set up user attributes, such as reauthentication time, in LDAP or RADIUS servers, use the following keywords in the user configuration file.
LDAP/RADIUS: Keywords for User Attributes 
Keyword
Corresponding Attribute in Web Configurator
type
User Type. Possible Values: admin, limited-admin, dynamic-guest, user, guest.
leaseTime
Lease Time. Possible Values: 1-1440 (minutes).
reauthTime
Reauthentication Time. Possible Values: 1-1440 (minutes).
Creating a Large Number of Ext-User Accounts
If you plan to create a large number of Ext-User accounts, you might use CLI commands, instead of the Web Configurator, to create the accounts. Extract the user names from the LDAP or RADIUS server, and create a shell script that creates the user accounts.
Address/Geo IP Overview
Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups.
What You Need To Know
Address objects and address groups are used in dynamic routes, security policies, content filtering, and VPN connection policies. For example, addresses are used to specify where content restrictions apply in content filtering. Please see the respective sections for more information about how address objects and address groups are used in each one.
Address groups are composed of address objects and address groups. The sequence of members in the address group is not important.
Address Summary
The address screens are used to create, maintain, and remove addresses. These are the types of address objects:
HOST - the object uses an IP Address to define a host address
RANGE - the object uses a range address defined by a Starting IP Address and an Ending IP Address
SUBNET - the object uses a network address defined by a Network IP address and Netmask subnet mask
INTERFACE IP - the object uses the IP address of one of the Zyxel Device’s interfaces
INTERFACE SUBNET - the object uses the subnet (network address and subnet mask) of one of the Zyxel Device’s interfaces
INTERFACE GATEWAY - the object uses the gateway IP address of one of the Zyxel Device’s interfaces
GEOGRAPHY - the object uses the IP addresses of a country to represent a country
FQDN - the object uses a FQDN (Fully Qualified Domain Name). An FQDN consists of a host and domain name. For example, www.zyxel.com is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com” is the top level domain. mail.myZyxel.com.tw is also an FQDN, where “mail” is the host, “myZyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain.
FQDN Example
In the URL http://www.zyxel.com, “www” is the host name, “zyxel” is the second-level domain name and “com” is the top-level domain name. The host and domain names together (www.zyxel.com) form the FQDN; with the scheme prefix (http://) the whole string is a Uniform Resource Locator (URL).
In an address FQDN object, you can also use one wildcard. For example, *.zyxel.com.
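How each address type is evaluated against a packet, how interface-based objects follow an interface change, and what the single FQDN wildcard matches are easiest to see in code. The following is an added example, not Zyxel’s code. The interface table, the country-to-IP data and the custom geography rule are constructed stand-ins (RFC 5737 documentation ranges); it assumes that a custom country-to-IP mapping overrides the downloaded database, that the wildcard stands for one or more leading labels (so `*.zyxel.com` does not match the bare `zyxel.com`), and it replaces the device’s DNS resolution of FQDN objects with a caller-supplied `dns_cache`. It also enforces the rule that an address group may hold only objects of one address family.

```python
import ipaddress
from typing import Dict, List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed stand-ins for the interface configuration, the downloaded Geo IP database
# and the custom IPv4/IPv6-to-geography rules configured on the Geo IP screen.
INTERFACES = {"lan1": {"ip": "192.168.1.1", "subnet": "192.168.1.0/24"}}
GEO_DB = {"TW": ["203.0.113.0/24"], "US": ["198.51.100.0/24"]}
GEO_CUSTOM = {"US": ["203.0.113.128/25"]}   # assumption: custom rules take precedence over GEO_DB


def geolocate(ip: IPAddr) -> Optional[str]:
    """Country for an address: custom rules first, then the database; longest prefix wins."""
    for table in (GEO_CUSTOM, GEO_DB):
        best = None
        for country, prefixes in table.items():
            for prefix in prefixes:
                net = ipaddress.ip_network(prefix)
                if ip in net and (best is None or net.prefixlen > best[1]):
                    best = (country, net.prefixlen)
        if best:
            return best[0]
    return None


def fqdn_matches(pattern: str, hostname: str) -> bool:
    """FQDN object comparison with at most one '*'. Assumed semantics: the wildcard
    stands for one or more labels, so '*.zyxel.com' matches www.zyxel.com, not zyxel.com."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p.count("*") > 1:
        raise ValueError("an FQDN object may contain only one wildcard")
    if "*" not in p:
        return p == h
    head, tail = p.split("*")
    return h.startswith(head) and h.endswith(tail) and len(h) > len(head) + len(tail)


class AddressObject:
    """One entry from the Address screen; 'version' (4 or 6) mirrors the separate IPv4 and
    IPv6 tables. Interface-based objects store only the interface name and look the
    current address up on every match, which is why they track an interface renumbering."""

    def __init__(self, name: str, kind: str, version: int = 4, **spec):
        self.name, self.kind, self.version, self.spec = name, kind, version, spec

    def contains(self, ip, dns_cache: Optional[Dict[str, List[str]]] = None) -> bool:
        ip = ipaddress.ip_address(ip)
        k, s = self.kind, self.spec
        if k == "HOST":
            return ip == ipaddress.ip_address(s["ip"])
        if k == "RANGE":
            lo, hi = ipaddress.ip_address(s["start"]), ipaddress.ip_address(s["end"])
            return lo.version == ip.version and lo <= ip <= hi
        if k == "SUBNET":
            return ip in ipaddress.ip_network(s["network"], strict=False)
        if k == "INTERFACE IP":
            return ip == ipaddress.ip_address(INTERFACES[s["interface"]]["ip"])
        if k == "INTERFACE SUBNET":
            return ip in ipaddress.ip_network(INTERFACES[s["interface"]]["subnet"])
        if k == "GEOGRAPHY":
            return geolocate(ip) == s["country"]
        if k == "FQDN":
            # The device resolves the name itself; here the caller passes the resolution in.
            return any(fqdn_matches(s["fqdn"], host) and ip in map(ipaddress.ip_address, addrs)
                       for host, addrs in (dns_cache or {}).items())
        raise ValueError(f"unknown address type {k}")


class AddressGroup:
    """Members are address objects or other groups, in any order, all of one IP version."""

    def __init__(self, name: str, members):
        versions = {m.version for m in members}
        if len(versions) > 1:
            raise ValueError("only objects of the same address type can be added to an address group")
        self.name, self.members = name, list(members)
        self.version = versions.pop() if versions else 4

    def contains(self, ip, dns_cache=None) -> bool:
        return any(m.contains(ip, dns_cache) for m in self.members)


if __name__ == "__main__":
    lan = AddressObject("LAN1_SUBNET", "INTERFACE SUBNET", interface="lan1")
    print(lan.contains("192.168.1.77"), geolocate(ipaddress.ip_address("203.0.113.200")))
```

Two things worth remembering when writing policies with these objects: a GEOGRAPHY match is only as accurate as the database version shown on the Geo IP screen, and an FQDN object matches whatever the name currently resolves to, so a policy built on it is only as trustworthy as the DNS the device uses.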
The Address screen provides a summary of all addresses in the Zyxel Device. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
Configuration > Object > Address/Geo IP > Address 
Label
Description
IPv4 Address Configuration
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific address.
Name
This field displays the configured name of each address object.
Type
This field displays the type of each address object. “INTERFACE” means the object uses the settings of one of the Zyxel Device’s interfaces.
IPv4 Address
This field displays the IPv4 addresses represented by each address object. If the object’s settings are based on one of the Zyxel Device’s interfaces, the name of the interface displays first followed by the object’s current address settings.
Reference
This displays the number of times an object reference is used in a profile.
IPv6 Address Configuration
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific address.
Name
This field displays the configured name of each address object.
Type
This field displays the type of each address object. “INTERFACE” means the object uses the settings of one of the Zyxel Device’s interfaces.
IPv6 Address
This field displays the IPv6 addresses represented by each address object. If the object’s settings are based on one of the Zyxel Device’s interfaces, the name of the interface displays first followed by the object’s current address settings.
Reference
This displays the number of times an object reference is used in a profile.
IPv4 Address Add/Edit
The Configuration > Object > Address/Geo IP > Address > Add/Edit (IPv4) screen allows you to create a new address or edit an existing one.
The following table describes the labels in this screen.
Configuration > Object > Address/Geo IP > Address > Add/Edit (IPv4)
Label
Description
Name
Type the name used to refer to the address. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Address Type
Select the type of address you want to create.
*The Zyxel Device automatically updates address objects that are based on an interface’s IP address, subnet, or gateway if the interface’s IP address settings change. For example, if you change lan1’s IP address, the Zyxel Device automatically updates the corresponding interface-based, LAN subnet address object.
IP Address
This field is only available if the Address Type is HOST. This field cannot be blank. Enter the IP address that this address object represents.
Starting IP Address
This field is only available if the Address Type is RANGE. This field cannot be blank. Enter the beginning of the range of IP addresses that this address object represents.
Ending IP Address
This field is only available if the Address Type is RANGE. This field cannot be blank. Enter the end of the range of IP address that this address object represents.
Network
This field is only available if the Address Type is SUBNET, in which case this field cannot be blank. Enter the IP address of the network that this address object represents.
Netmask
This field is only available if the Address Type is SUBNET, in which case this field cannot be blank. Enter the subnet mask of the network that this address object represents. Use dotted decimal format.
Interface
If you selected INTERFACE IP, INTERFACE SUBNET, or INTERFACE GATEWAY as the Address Type, use this field to select the interface of the network that this address object represents.
Region
If you selected GEOGRAPHY as the Address Type, use this field to select a country or continent.
A GEOGRAPHY object uses the data from the country-to-IP/continent-to-IP address database. Go to the Configuration > Object > Address/Geo IP > Geo IP screen to configure the custom country-to-IP/continent-to-IP address mappings for a GEOGRAPHY object.
Country
If you selected Geography as the Address Type, use this field to select a country.
FQDN
If you selected FQDN as the Address Type, use this field to enter a fully qualified domain name.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
IPv6 Address Add/Edit
The Configuration > Object > Address/Geo IP > Address > Add/Edit (IPv6) screen allows you to create a new address or edit an existing one.
The following table describes the labels in this screen.
Configuration > Object > Address/Geo IP > Address > Add/Edit (IPv6)
Label
Description
Name
Type the name used to refer to the address. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Object Type
Select the type of address you want to create.
*The Zyxel Device automatically updates address objects that are based on an interface’s IP address, subnet, or gateway if the interface’s IP address settings change. For example, if you change lan1’s IP address, the Zyxel Device automatically updates the corresponding interface-based, LAN subnet address object.
IPv6 Address
This field is only available if the Address Type is HOST. This field cannot be blank. Enter the IP address that this address object represents.
IPv6 Starting Address
This field is only available if the Address Type is RANGE. This field cannot be blank. Enter the beginning of the range of IP addresses that this address object represents.
IPv6 Ending Address
This field is only available if the Address Type is RANGE. This field cannot be blank. Enter the end of the range of IP address that this address object represents.
IPv6 Address Prefix
This field is only available if the Address Type is SUBNET. This field cannot be blank. Enter the IPv6 network prefix (address and prefix length) that this address object represents.
Interface
If you selected INTERFACE IP, INTERFACE SUBNET, or INTERFACE GATEWAY as the Address Type, use this field to select the interface of the network that this address object represents.
IPv6 Address Type
Select whether the IPv6 address is a link-local IP address (LINK LOCAL), static IP address (STATIC), an IPv6 StateLess Address Auto Configuration IP address (SLAAC), or is obtained from a DHCPv6 server (DHCPv6).
Region
If you selected Geography as the Address Type, use this field to select a country or continent.
FQDN
If you selected FQDN as the Address Type, use this field to enter a fully qualified domain name.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
Address Group Summary
The Address Group screen provides a summary of all address groups. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
Configuration > Object > Address/Geo IP > Address Group 
Label
Description
IPv4 Address Group Configuration
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific address group.
Name
This field displays the name of each address group.
Description
This field displays the description of each address group, if any.
Reference
This displays the number of times an object reference is used in a profile.
IPv6 Address Group Configuration
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific address group.
Name
This field displays the name of each address group.
Description
This field displays the description of each address group, if any.
Reference
This displays the number of times an object reference is used in a profile.
Address Group Add/Edit
The Address Group Add/Edit screen allows you to create a new address group or edit an existing one.
IPv4/IPv6 Address Group Configuration > Add 
Label
Description
Name
Enter a name for the address group. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Description
Enter a description for the address group, if any. You can use up to 60 characters, punctuation marks, and spaces.
Address Type
Select the type of address you want to create.
*The Zyxel Device automatically updates address objects that are based on an interface’s IP address, subnet, or gateway if the interface’s IP address settings change. For example, if you change lan1’s IP address, the Zyxel Device automatically updates the corresponding interface-based, LAN subnet address object.
Member List
The Member list displays the names of the address and address group objects that have been added to the address group. The order of members is not important.
Select items from the Available list that you want to be members and move them to the Member list. You can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and use the arrow button to move them.
Move any members you do not want included to the Available list.
*Only objects of the same address type can be added to an address group.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
Geo IP Summary
Use this screen to update the database of country-to-IP and continent-to-IP address mappings and manually configure custom country-to-IP and continent-to-IP address mappings in geographic address objects. You can then use geographic address objects in security policies to forward or deny traffic to whole countries or regions.
Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
Configuration > Object > Address/Geo IP > Geo IP 
Label
Description
Country Database Update
Latest Version
This is the latest country-to-IP address database version on myZyxel.
Current Version
This is the country-to-IP address database version currently on the Zyxel Device.
Update Now
Click this to check for the latest country-to-IP address database version on myZyxel. The latest version is downloaded to the Zyxel Device and replaces the current version if it is newer. There are logs to show the update status.
Auto Update
If you want the Zyxel Device to check weekly for the latest country-to-IP address database version on myZyxel, select the checkbox, choose a day and time each week and then click Apply. The default day and time displayed is the Zyxel Device current day and time.
Custom IPv4/IPv6 to Geography Rules
IPv4/IPv6 to Geography
Enter an IP address, then click this button to query which country this IP address belongs to.
Add
Click this to create a new entry.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
#
This field is a sequential value, and it is not associated with a specific entry.
Geolocation
This field displays the name of the country or region that is associated with this IP address.
Type
This field displays whether this address object is HOST, RANGE or SUBNET.
IPv4/IPv6 Address
This field displays the IPv4/IPv6 addresses represented by the type of address object.
Region vs. Continent
Region
Enter a country name, then click the Region to Continent button to query which continent this country belongs to.
Continent
Select a continent, then click the Region List button to query which countries belong to the continent.
Apply
Click Apply to save the changes.
Reset
Click Reset to return the screen to its last-saved settings.
Add Custom IPv4/IPv6 Address to Geography
This screen allows you to create a new geography-to-IP address mapping.
Geo IP > Add 
Label
Description
Region
Select the country or continent that maps to this IP address.
Address Type
Select the type of address you want to create. Choices are: HOST, RANGE, SUBNET.
IP Address
This field is only available if the Address Type is HOST. This field cannot be blank. Enter the IP address that this address object represents.
IP Starting Address
This field is only available if the Address Type is RANGE. This field cannot be blank. Enter the beginning of the range of IP addresses that this address object represents.
IP Ending Address
This field is only available if the Address Type is RANGE. This field cannot be blank. Enter the end of the range of IP address that this address object represents.
Network / Netmask
These fields are only available if the IPv4 Address Type is SUBNET. They cannot be blank. Enter the network IP and subnet mask that defines the IPv4 subnet.
IPv6 Address Prefix
This field is only available if the IPv6 Address Type is SUBNET. This field cannot be blank. Enter the IPv6 network prefix (address and prefix length) that maps to the selected region.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
Service
Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features.
What You Need to Know
IP Protocols
IP protocols are based on the eight-bit protocol field in the IP header. This field represents the next-level protocol that is sent in this packet. This section discusses three of the most common IP protocols.
Computers use Transmission Control Protocol (TCP, IP protocol 6) and User Datagram Protocol (UDP, IP protocol 17) to exchange data with each other. TCP guarantees reliable delivery but is slower and more complex. Some uses are FTP, HTTP, SMTP, and TELNET. UDP is simpler and faster but is less reliable. Some uses are DHCP, DNS, RIP, and SNMP.
TCP creates connections between computers to exchange data. Once the connection is established, the computers exchange data. If data arrives out of sequence or is missing, TCP puts it in sequence or waits for the data to be re-transmitted. When the exchange is complete, the connection is terminated.
In contrast, computers use UDP to send short messages to each other. There is no guarantee that the messages arrive in sequence or that the messages arrive at all.
Both TCP and UDP use ports to identify the source and destination. Each port is a 16-bit number. Some port numbers have been standardized and are used by low-level system processes; many others have no particular meaning.
Unlike TCP and UDP, Internet Control Message Protocol (ICMP, IP protocol 1) is mainly used to send error messages or to investigate problems. For example, ICMP is used to send the response if a computer cannot be reached. Another use is ping. ICMP does not guarantee delivery, but networks often treat ICMP messages differently, sometimes looking at the message itself to decide where to send it.
Service Objects and Service Groups
Use service objects to define IP protocols.
TCP applications
UDP applications
ICMP messages
user-defined services (for other types of IP protocols)
These objects are used in policy routes and security policies.
Use service groups when you want to create the same rule for several services, instead of creating separate rules for each service. Service groups may consist of services and other service groups. The sequence of members in the service group is not important.
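As an added example (not Zyxel's code), the following Python models service objects as the page defines them (TCP/UDP port or port range, ICMP message type, user-defined IP protocol number) and service groups that nest other groups, and matches a packet's protocol and port against a group the way a policy rule referencing that group would; the service and group names, and the assumption that a group matches when any reachable member matches, are this example's own.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Union

# IP protocol numbers named on the page: TCP 6, UDP 17, ICMP 1.
TCP, UDP, ICMP = 6, 17, 1


@dataclass(frozen=True)
class Service:
    """One service object: an IP protocol plus, for TCP/UDP, a port or port range,
    for ICMP an optional message type, or for user-defined services just the number."""
    name: str
    protocol: int                       # IP Protocol Number, 1-255
    port_start: Optional[int] = None    # Starting Port (TCP/UDP only)
    port_end: Optional[int] = None      # Ending Port (TCP/UDP only)
    icmp_type: Optional[int] = None     # ICMP Type (ICMP only)

    def __post_init__(self) -> None:
        if not 1 <= self.protocol <= 255:
            raise ValueError("IP protocol number must be 1-255")
        if self.protocol in (TCP, UDP) and self.port_start is None and self.port_end is None:
            raise ValueError("TCP/UDP service needs a Starting and/or Ending Port")

    def port_range(self) -> Optional[range]:
        """Filling one port field means a single port; filling both means a range."""
        if self.protocol not in (TCP, UDP):
            return None
        lo = self.port_start if self.port_start is not None else self.port_end
        hi = self.port_end if self.port_end is not None else self.port_start
        return range(lo, hi + 1)

    def matches(self, protocol: int, port: Optional[int] = None,
                icmp_type: Optional[int] = None) -> bool:
        if protocol != self.protocol:
            return False
        if self.protocol in (TCP, UDP):
            return port is not None and port in self.port_range()
        if self.protocol == ICMP:
            return self.icmp_type is None or icmp_type == self.icmp_type
        return True  # user-defined: the protocol number alone identifies the service


@dataclass
class ServiceGroup:
    """A service group may contain services and other service groups; order is irrelevant."""
    name: str
    members: List[Union[Service, "ServiceGroup"]] = field(default_factory=list)


def flatten(group: ServiceGroup, seen: Optional[Set[str]] = None) -> Set[Service]:
    """Expand nested groups into the set of leaf services; a cycle is skipped, not recursed."""
    seen = set() if seen is None else seen
    if group.name in seen:
        return set()
    seen.add(group.name)
    leaves: Set[Service] = set()
    for member in group.members:
        if isinstance(member, ServiceGroup):
            leaves |= flatten(member, seen)
        else:
            leaves.add(member)
    return leaves


def group_matches(group: ServiceGroup, protocol: int, port: Optional[int] = None,
                  icmp_type: Optional[int] = None) -> bool:
    """Assumption: a rule referencing the group matches traffic that any member service matches."""
    return any(s.matches(protocol, port, icmp_type) for s in flatten(group))


# Constructed objects; the names and memberships are this example's, not Zyxel defaults.
HTTP = Service("HTTP", TCP, port_start=80)
HTTPS = Service("HTTPS", TCP, port_start=443)
SSH = Service("SSH", TCP, port_start=22)
DNS_UDP = Service("DNS_UDP", UDP, port_start=53)
PING = Service("PING", ICMP, icmp_type=8)                    # ICMP echo request
GRE = Service("GRE", 47)                                     # user-defined IP protocol
EPHEMERAL = Service("EPHEMERAL", TCP, port_start=49152, port_end=65535)

WEB = ServiceGroup("Web", [HTTP, HTTPS])
MGMT = ServiceGroup("Mgmt", [WEB, SSH])                      # group nested inside a group


if __name__ == "__main__":
    print(group_matches(MGMT, TCP, 443))   # True: HTTPS is reached through the nested Web group
    print(group_matches(MGMT, UDP, 53))    # False: DNS_UDP is not a member
```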
Service Summary
The Service summary screen provides a summary of all services and their definitions. In addition, this screen allows you to add, edit, and remove services.
Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
Configuration > Object > Service > Service 
Label
Description
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific service.
Name
This field displays the name of each service.
Content
This field displays a description of each service.
Reference
This displays the number of times an object reference is used in a profile.
Service Add/Edit
The Service Add/Edit screen allows you to create a new service or edit an existing one.
Configuration > Object > Service > Service > Edit 
Label
Description
Name
Type the name used to refer to the service. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
IP Protocol
Select the protocol the service uses. Choices are: TCP, UDP, ICMP, ICMPv6, and User Defined.
Starting Port
Ending Port
This field appears if the IP Protocol is TCP or UDP. Specify the port number(s) used by this service. If you fill in one of these fields, the service uses that port. If you fill in both fields, the service uses the range of ports.
ICMP Type
This field appears if the IP Protocol is ICMP or ICMPv6.
Select the ICMP message used by this service. This field displays the message text, not the message number.
IP Protocol Number
This field appears if the IP Protocol is User Defined.
Enter the number of the next-level protocol (IP protocol). Allowed values are 1 - 255.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
Service Group Summary
The Service Group summary screen provides a summary of all service groups. In addition, this screen allows you to add, edit, and remove service groups.
*If you want to access the Zyxel Device using HTTP, HTTPS, SSH, and/or TELNET, you must add them to the Object > Service > Service Group > Default_Allow_WAN_To_ZyWALL service group, which is used in the WAN_to_Device security policy.
Configuration > Object > Service > Service Group 
Label
Description
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific service group.
Family
This field displays the address family the service group supports, which follows the members you configured in the Service Group Add/Edit screen.
There are 3 types of families:
IPv4 only
IPv6 only
IPv4 and IPv6
Name
This field displays the name of each service group.
By default, the Zyxel Device uses services starting with “Default_Allow_” in the security policies to allow certain services to connect to the Zyxel Device.
Description
This field displays the description of each service group, if any.
Reference
This displays the number of times an object reference is used in a profile.
Service Group Add/Edit
The Service Group Add/Edit screen allows you to create a new service group or edit an existing one.
Configuration > Object > Service > Service Group > Edit 
Label
Description
Name
Enter the name of the service group. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Description
Enter a description of the service group, if any. You can use 1 to 60 single-byte characters, including 0-9a-zA-Z!"#$%'()*+,-/:;=?@_. The characters &.<>[\]^`{|} are not allowed.
Configuration
The Member list displays the names of the service and service group objects that have been added to the service group. The order of members is not important.
Select items from the Available list that you want to be members and move them to the Member list. You can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and use the arrow button to move them.
Move any members you do not want included to the Available list.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
Schedule Overview
Use schedules to set up one-time and recurring schedules for policy routes, security policies, and content filtering. The Zyxel Device supports one-time and recurring schedules. One-time schedules are effective only once, while recurring schedules usually repeat. Both types of schedules are based on the current date and time in the Zyxel Device.
*Schedules are based on the Zyxel Device’s current date and time.
What You Need to Know
One-time Schedules
One-time schedules begin on a specific start date and time and end on a specific stop date and time. One-time schedules are useful for long holidays and vacation periods.
Recurring Schedules
Recurring schedules begin at a specific start time and end at a specific stop time on selected days of the week (Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday). Recurring schedules always begin and end in the same day. Recurring schedules are useful for defining the workday and off-work hours.
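As an added example (not Zyxel's code), this Python evaluates the two schedule types against the device's clock exactly as the page defines them: a one-time schedule runs from a start date/time to a stop date/time within the 1900-2999 year range, a recurring schedule runs between a start and stop time on chosen weekdays and must begin and end in the same day, and illegal dates such as February 31 are rejected. The schedule names are constructed, and treating the stop instant itself as outside the schedule is this example's assumption.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet

WEEKDAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")
YEAR_MIN, YEAR_MAX = 1900, 2999


def _check_year(when: datetime) -> None:
    if not YEAR_MIN <= when.year <= YEAR_MAX:
        raise ValueError(f"year must be {YEAR_MIN}-{YEAR_MAX}")


@dataclass(frozen=True)
class OneTimeSchedule:
    """Effective once, from a start date/time to a stop date/time (e.g. a holiday period)."""
    name: str
    start: datetime
    stop: datetime

    def __post_init__(self) -> None:
        _check_year(self.start)
        _check_year(self.stop)
        if self.stop <= self.start:
            raise ValueError("stop must be after start")

    def is_active(self, now: datetime) -> bool:
        # Assumption: the stop instant itself is already outside the schedule.
        return self.start <= now < self.stop


@dataclass(frozen=True)
class RecurringSchedule:
    """Repeats on the selected weekdays; begins and ends within the same day."""
    name: str
    start: time
    stop: time
    days: FrozenSet[str]

    def __post_init__(self) -> None:
        unknown = set(self.days) - set(WEEKDAYS)
        if unknown:
            raise ValueError(f"unknown weekday(s): {sorted(unknown)}")
        if self.stop <= self.start:
            # A window such as 22:00-06:00 would cross midnight, which the page rules out.
            raise ValueError("recurring schedule must begin and end in the same day")

    def is_active(self, now: datetime) -> bool:
        return WEEKDAYS[now.weekday()] in self.days and self.start <= now.time() < self.stop


def make_date_time(year: int, month: int, day: int, hour: int, minute: int) -> datetime:
    """Build a schedule instant from the Add/Edit fields. datetime() itself refuses
    illegal dates such as February 31, matching the page's note."""
    if not 0 <= hour <= 23 or not 0 <= minute <= 59:
        raise ValueError("hour must be 0-23 and minute 0-59")
    when = datetime(year, month, day, hour, minute)
    _check_year(when)
    return when


# Constructed schedules: office hours on weekdays, and a year-end holiday period.
WORKDAY = RecurringSchedule("Workday", time(9, 0), time(18, 0),
                            frozenset({"Monday", "Tuesday", "Wednesday", "Thursday", "Friday"}))
HOLIDAY = OneTimeSchedule("YearEnd", make_date_time(2024, 12, 24, 0, 0),
                          make_date_time(2025, 1, 2, 0, 0))


def schedule_state(now: datetime) -> Dict[str, bool]:
    """Which of the constructed schedules are in effect at the given device clock reading."""
    return {s.name: s.is_active(now) for s in (WORKDAY, HOLIDAY)}
```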
Schedule
The Schedule screen provides a summary of all schedules in the Zyxel Device.
Configuration > Object > Schedule 
Label
Description
One Time
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific schedule.
Name
This field displays the name of the schedule, which is used to refer to the schedule.
Start Day / Time
This field displays the date and time at which the schedule begins.
Stop Day / Time
This field displays the date and time at which the schedule ends.
Reference
This displays the number of times an object reference is used in a profile.
Recurring
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific schedule.
Name
This field displays the name of the schedule, which is used to refer to the schedule.
Start Time
This field displays the time at which the schedule begins.
Stop Time
This field displays the time at which the schedule ends.
Reference
This displays the number of times an object reference is used in a profile.
One-Time Schedule Add/Edit
The One-Time Schedule Add/Edit screen allows you to define a one-time schedule or edit an existing one.
Configuration > Object > Schedule > Edit (One Time) 
Label
Description
Configuration
Name
Type the name used to refer to the one-time schedule. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Day Time
StartDate
Specify the year, month, and day when the schedule begins.
Year - 1900 - 2999
Month - 1 - 12
Day - 1 - 31 (it is not possible to specify illegal dates, such as February 31.)
StartTime
Specify the hour and minute when the schedule begins.
Hour - 0 - 23
Minute - 0 - 59
StopDate
Specify the year, month, and day when the schedule ends.
Year - 1900 - 2999
Month - 1 - 12
Day - 1 - 31 (it is not possible to specify illegal dates, such as February 31.)
StopTime
Specify the hour and minute when the schedule ends.
Hour - 0 - 23
Minute - 0 - 59
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
Recurring Schedule Add/Edit
The Recurring Schedule Add/Edit screen allows you to define a recurring schedule or edit an existing one.
Configuration > Object > Schedule > Edit (Recurring) 
Label
Description
Configuration
Name
Type the name used to refer to the recurring schedule. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Date Time
StartTime
Specify the hour and minute when the schedule begins each day.
Hour - 0 - 23
Minute - 0 - 59
StopTime
Specify the hour and minute when the schedule ends each day.
Hour - 0 - 23
Minute - 0 - 59
Weekly
Week Days
Select each day of the week the recurring schedule is effective.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
Schedule Group
The Schedule Group screen provides a summary of all groups of schedules in the Zyxel Device. The following table describes the fields in the above screen.
Configuration > Object > Schedule > Schedule Group 
Label
Description
Configuration
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific schedule.
Name
This field displays the name of the schedule group, which is used to refer to the schedule.
Description
This field displays the description of the schedule group.
Members
This field lists the members in the schedule group. Each member is separated by a comma.
Reference
This displays the number of times an object reference is used in a profile.
Schedule Group Add/Edit
The Schedule Group Add/Edit screen allows you to define a schedule group or edit an existing one. The following table describes the fields in the above screen.
Configuration > Object > Schedule > Schedule Group > Add
Label
Description
Group Members
Name
Type the name used to refer to the schedule group. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Description
Enter a description of the schedule group, if any. You can use 1 to 60 single-byte characters, including 0-9a-zA-Z!"#$%'()*+,-/:;=?@_. The characters &.<>[\]^`{|} are not allowed.
Member List
The Member list displays the names of the schedule objects that have been added to the schedule group. The order of members is not important.
Select items from the Available list that you want to be members and move them to the Member list. You can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and use the arrow button to move them.
Move any members you do not want included to the Available list.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
AAA Server Overview
You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The AAA server can be an Active Directory, LDAP, or RADIUS server. Use the AAA Server screens to create and manage objects that contain settings for using AAA servers. You use AAA server objects in configuring ext-group-user user objects and authentication method objects.
Directory Service (AD/LDAP)
LDAP/AD allows a client (the Zyxel Device) to connect to a server to retrieve information from a directory.
The following describes the user authentication procedure through an LDAP/AD server.
1 A user logs in with a user name and password pair.
2 The Zyxel Device tries to bind (or log in) to the LDAP/AD server.
3 When the binding process is successful, the Zyxel Device checks the user information in the directory against the user name and password pair.
4 If it matches, the user is allowed access. Otherwise, access is blocked.
RADIUS Server
RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external server instead of (or in addition to) an internal device user database that is limited to the memory capacity of the device. In essence, RADIUS authentication allows you to validate a large number of users from a central location.
ASAS
ASAS (Authenex Strong Authentication System) is a RADIUS server that works with the One-Time Password (OTP) feature. Purchase a Zyxel Device OTP package in order to use this feature. The package contains server software and physical OTP tokens (PIN generators). Do the following to use OTP. See the documentation included on the ASAS’ CD for details.
1 Install the ASAS server software on a computer.
2 Create user accounts on the Zyxel Device and in the ASAS server.
3 Import each token’s database file (located on the included CD) into the server.
4 Assign users to OTP tokens (on the ASAS server).
5 Configure the ASAS as a RADIUS server in the Zyxel Device’s Configuration > Object > AAA Server screens.
6 Give the OTP tokens to (local or remote) users.
AAA Servers Supported by the Zyxel Device
The following lists the types of authentication server the Zyxel Device supports.
Local user database
The Zyxel Device uses the built-in local user database to authenticate administrative users logging into the Zyxel Device’s Web Configurator or network access users logging into the network through the Zyxel Device. You can also use the local user database to authenticate VPN users.
Directory Service (LDAP/AD)
LDAP (Lightweight Directory Access Protocol)/AD (Active Directory) is a directory service that is both a directory and a protocol for controlling access to a network. The directory consists of a database specialized for fast information retrieval and filtering activities. You create and store user profile and login information on the external server.
RADIUS
RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external or built-in RADIUS server. RADIUS authentication allows you to validate a large number of users from a central location.
Directory Structure
The directory entries are arranged in a hierarchical order much like a tree structure. Normally, the directory structure reflects the geographical or organizational boundaries.
Distinguished Name (DN)
A DN uniquely identifies an entry in a directory. A DN consists of attribute-value pairs separated by commas. The leftmost attribute is the Relative Distinguished Name (RDN). This provides a unique name for entries that have the same “parent DN” (“cn=domain1.com, ou=Sales, o=MyCompany” in the following examples).
cn=domain1.com, ou=Sales, o=MyCompany, c=US
cn=domain1.com, ou=Sales, o=MyCompany, c=JP
Base DN
A base DN specifies a directory. A base DN usually contains information such as the name of an organization, a domain name and/or country. For example, o=MyCompany, c=UK where o means organization and c means country.
Bind DN
A bind DN is used to authenticate with an LDAP/AD server. For example a bind DN of cn=zywallAdmin allows the Zyxel Device to log into the LDAP/AD server using the user name of zywallAdmin. The bind DN is used in conjunction with a bind password. When a bind DN is not specified, the Zyxel Device will try to log in as an anonymous user. If the bind password is incorrect, the login will fail.
Use the Active Directory or LDAP screen to manage the list of AD or LDAP servers the Zyxel Device can use in authenticating users.
Configuration > Object > AAA Server > Active Directory (or LDAP)  
Label
Description
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific AD or LDAP server.
Name
This field displays the name of the Active Directory.
Server Address
This is the address of the AD or LDAP server.
Base DN
This specifies a directory. For example, o=Zyxel, c=US.
Adding an Active Directory or LDAP Server
Use this screen to create a new AD or LDAP entry or edit an existing one.
Configuration > Object > AAA Server > Active Directory (or LDAP) > Add 
Label
Description
Name
Enter a descriptive name (up to 63 alphanumerical characters) for identification purposes.
Description
Enter the description of each server, if any. You can use 1 to 60 single-byte characters, including 0-9a-zA-Z!"#$%'()*+,-/:;=?@_. The characters &.<>[\]^`{|} are not allowed.
Server Address
Enter the address of the AD or LDAP server.
Backup Server Address
If the AD or LDAP server has a backup server, enter its address here.
Port
Specify the port number on the AD or LDAP server to which the Zyxel Device sends authentication requests. Enter a number between 1 and 65535.
This port number should be the same on all AD or LDAP server(s) in this group.
Base DN
Specify the directory (up to 127 alphanumerical characters). For example, o=Zyxel, c=US.
This is only for LDAP.
Use SSL
Select Use SSL to establish a secure connection to the AD or LDAP server(s).
Search time limit
Specify the timeout period (between 1 and 300 seconds) before the Zyxel Device disconnects from the AD or LDAP server. In this case, user authentication fails.
Search timeout occurs when either the user information is not in the AD or LDAP server(s) or the AD or LDAP server(s) is down.
Case-sensitive User Names
Select this if the server checks the case of the usernames.
Bind DN
Specify the bind DN for logging into the AD or LDAP server. Enter up to 127 alphanumerical characters.
For example, cn=zywallAdmin specifies zywallAdmin as the user name.
Password
If required, enter the password (up to 15 alphanumerical characters) for the Zyxel Device to bind (or log in) to the AD or LDAP server.
Your password will be encrypted when you configure this field.
Retype to Confirm
Retype your new password for confirmation.
Login Name Attribute
Enter the type of identifier the users are to use to log in. For example “name” or “email address”.
Alternative Login Name Attribute
If there is a second type of identifier that the users can use to log in, enter it here. For example “name” or “email address”.
Group Membership Attribute
An AD or LDAP server defines attributes for its accounts. Enter the name of the attribute that the Zyxel Device is to check to determine to which group a user belongs. The value for this attribute is called a group identifier; it determines to which group a user belongs. You can add ext-group-user user objects to identify groups based on these group identifier values.
For example, you could have an attribute named “memberOf” with values like “sales”, “RD”, and “management”. You could then create an ext-group-user user object for each group: one with “sales” as the group identifier, another for “RD” and a third for “management”.
Domain Authentication for MSChap
Select the Enable checkbox to enable domain authentication for MSChap.
This is only for Active Directory.
User Name
Enter the user name for the user who has rights to add a machine to the domain.
This is only for Active Directory.
User Password
Enter the password for the associated user name.
This is only for Active Directory.
Retype to Confirm
Retype your new password for confirmation.
This is only for Active Directory.
Realm
Enter the realm FQDN.
This is only for Active Directory.
NetBIOS Name
Type the NetBIOS name. This field is optional. NetBIOS packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN which allows local computers to find computers on the remote network and vice versa.
Configuration Validation
Use a user account from the server specified above to test if the configuration is correct. Enter the account’s user name in the Username field and click Test.
OK
Click OK to save the changes.
Cancel
Click Cancel to discard the changes.
RADIUS Server Summary
Use the RADIUS screen to manage the list of RADIUS servers the Zyxel Device can use in authenticating users.
Configuration > Object > AAA Server > RADIUS 
Label
Description
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field displays the index number.
Name
This is the name of the RADIUS server entry.
Server Address
This is the address of the RADIUS server.
Adding a RADIUS Server
Use this screen to create a new RADIUS server entry or edit an existing one.
Configuration > Object > AAA Server > RADIUS > Add 
Label
Description
Name
Enter a descriptive name (up to 63 alphanumerical characters) for identification purposes.
Description
Enter the description of each server, if any. You can use 1 to 60 single-byte characters, including 0-9a-zA-Z!"#$%'()*+,-/:;=?@_. The characters &.<>[\]^`{|} are not allowed.
Server Address
Enter the address of the RADIUS server.
Authentication Port
Specify the port number on the RADIUS server to which the Zyxel Device sends authentication requests. Enter a number between 1 and 65535.
Backup Server Address
If the RADIUS server has a backup server, enter its address here.
Backup Authentication Port
Specify the port number on the RADIUS server to which the Zyxel Device sends authentication requests. Enter a number between 1 and 65535.
Key
Enter a password (up to 15 alphanumeric characters) as the key to be shared between the external authentication server and the Zyxel Device. Your password will be encrypted when you configure this field.
The key is not sent over the network. This key must be the same on the external authentication server and the Zyxel Device.
Change of Authorization
The external RADIUS server can change its authentication policy and send CoA (Change of Authorization) or RADIUS Disconnect messages in order to terminate the subscriber’s service.
Select this option to allow the Zyxel Device to disconnect wireless clients based on the information (such as client’s user name and MAC address) specified in CoA or RADIUS Disconnect messages sent by the RADIUS server.
Server Address
Enter the IP address or Fully-Qualified Domain Name (FQDN) of the RADIUS accounting server.
Accounting Port
Specify the port number on the RADIUS server to which the Zyxel Device sends accounting information. Enter a number between 1 and 65535.
Backup Server Address
If the RADIUS server has a backup accounting server, enter its address here.
Backup Accounting Port
Specify the port number on the RADIUS server to which the Zyxel Device sends accounting information. Enter a number between 1 and 65535.
Key
Enter a password (up to 15 alphanumeric characters) as the key to be shared between the external authentication server and the Zyxel Device.
The key is not sent over the network. This key must be the same on the external authentication server and the Zyxel Device.
Maximum Retry Count
At times the Zyxel Device may not be able to use the primary RADIUS accounting server. Specify the number of times the Zyxel Device should reattempt to use the primary RADIUS server before attempting to use the secondary RADIUS server. This also sets how many times the Zyxel Device will attempt to use the secondary RADIUS server.
For example, you set this field to 3. If the Zyxel Device does not get a response from the primary RADIUS server, it tries again up to three times. If there is no response, the Zyxel Device tries the secondary RADIUS server up to three times.
If there is also no response from the secondary RADIUS server, the Zyxel Device stops attempting to authenticate the subscriber. The subscriber will see a message that says the RADIUS server was not found.
Enable Accounting Interim Update
This field is configurable only after you configure a RADIUS accounting server address. Select this to have the Zyxel Device send subscriber status updates to the RADIUS server at the interval you specify.
Interim Interval
Specify the time interval for how often the Zyxel Device is to send a subscriber status update to the RADIUS server.
Timeout
Specify the timeout period (between 1 and 300 seconds) before the Zyxel Device disconnects from the RADIUS server. In this case, user authentication fails.
Search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down.
NAS IP Address
Type the IP address of the NAS (Network Access Server).
NAS Identifier
If the RADIUS server requires the Zyxel Device to provide the Network Access Server identifier attribute with a specific value, enter it here.
Case-sensitive User Names
Select this if you want user names to be treated as case-sensitive.
Group Membership Attribute
A RADIUS server defines attributes for its accounts. Select the name and number of the attribute that the Zyxel Device is to check to determine to which group a user belongs. If it does not display, select user-defined and specify the attribute’s number.
This attribute’s value is called a group identifier; it determines to which group a user belongs. You can add ext-group-user user objects to identify groups based on these group identifier values.
For example, you could have an attribute named “memberOf” with values like “sales”, “RD”, and “management”. You could then create an ext-group-user user object for each group: one with “sales” as the group identifier, another for “RD” and a third for “management”.
OK
Click OK to save the changes.
Cancel
Click Cancel to discard the changes.
Auth. Method
Authentication method objects set how the Zyxel Device authenticates wireless, HTTP/HTTPS clients, and peer IPSec routers (extended authentication) clients. Configure authentication method objects to have the Zyxel Device use the local user database, and/or the authentication servers and authentication server groups specified by AAA server objects. By default, user accounts created and stored on the Zyxel Device are authenticated locally.
Configure AAA server objects before you configure authentication method objects.
Authentication Method Objects
*You can create up to 16 authentication method objects.
Configuration > Object > Auth. Method 
Label
Description
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field displays the index number.
Method Name
This field displays a descriptive name for identification purposes.
Server Profile/Server Type
This field displays the authentication method(s) for this entry.
Creating an Authentication Method Object
Follow the steps below to create an authentication method object.
1 Click Configuration > Object > Auth. Method.
2 Click Add.
3 Specify a descriptive name for identification purposes in the Name field. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. For example, “My_Device”.
4 Click Add to insert an authentication method in the table.
5 Select a server object from the Method List drop-down list box.
6 You can add up to four server objects to the table. The ordering of the Method List column is important. The Zyxel Device authenticates the users using the databases (in the local user database or the external authentication server) in the order they appear in this screen.
If two accounts with the same username exist on two authentication servers you specify, the Zyxel Device does not continue the search on the second authentication server when you enter the username and password that doesn’t match the one on the first authentication server.
*You cannot select two server objects of the same type.
7 Click OK to save the settings or click Cancel to discard all changes and return to the previous screen.
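As an added example (not Zyxel's code), this Python models an authentication method object's Method List with the rules the steps above state: at most four server objects, no two of the same type, servers tried in order, and a user name that exists on an earlier server decided there, so a password that would match a same-named account on a later server is still rejected. The server names, account data and the plain-text demo passwords are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum
from hmac import compare_digest
from typing import Dict, List, Optional, Tuple


class Outcome(Enum):
    ALLOW = "allow"
    DENY = "deny"            # account found, but the password did not match
    NOT_FOUND = "not found"  # no server in the Method List knows the user


@dataclass
class AuthServer:
    """Stand-in for one AAA server object or the local user database (constructed)."""
    name: str
    server_type: str                                        # "local", "ad", "ldap" or "radius"
    accounts: Dict[str, str] = field(default_factory=dict)  # username -> password, demo only
    case_sensitive_names: bool = True

    def lookup(self, username: str) -> Optional[str]:
        if self.case_sensitive_names:
            return self.accounts.get(username)
        for name, secret in self.accounts.items():
            if name.lower() == username.lower():
                return secret
        return None


class AuthMethod:
    """An authentication method object: an ordered Method List of up to four servers."""
    MAX_SERVERS = 4

    def __init__(self, name: str, servers: List[AuthServer]) -> None:
        if not 1 <= len(servers) <= self.MAX_SERVERS:
            raise ValueError(f"Method List holds 1-{self.MAX_SERVERS} server objects")
        types = [s.server_type for s in servers]
        if len(types) != len(set(types)):
            raise ValueError("cannot select two server objects of the same type")
        self.name = name
        self.servers = list(servers)

    def authenticate(self, username: str, password: str) -> Tuple[Outcome, Optional[str]]:
        """Returns the outcome and the name of the server that decided it."""
        for server in self.servers:
            stored = server.lookup(username)
            if stored is None:
                continue  # unknown here: fall through to the next server in order
            # The first server that knows the account decides. A mismatch is final even if a
            # later server holds a same-named account whose password would have matched.
            if compare_digest(stored.encode(), password.encode()):
                return Outcome.ALLOW, server.name
            return Outcome.DENY, server.name
        return Outcome.NOT_FOUND, None


# Constructed servers: "alice" exists on both with different passwords.
LOCAL = AuthServer("local", "local", {"alice": "local-secret"})
RADIUS = AuthServer("corp-radius", "radius",
                    {"alice": "radius-secret", "bob": "bob-secret"},
                    case_sensitive_names=False)
METHOD = AuthMethod("default", [LOCAL, RADIUS])


if __name__ == "__main__":
    # alice's RADIUS password is refused because the local database is consulted first.
    print(METHOD.authenticate("alice", "radius-secret"))   # (Outcome.DENY, 'local')
```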
The following table describes the labels in this screen.
Configuration > Object > Auth. Method > Add 
Label
Description
Name
Specify a descriptive name for identification purposes.
You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. For example, “My_Device”.
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
Move
To change a method’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.
The ordering of your methods is important, as the Zyxel Device authenticates users using the authentication methods in the order they appear in this screen.
#
This field displays the index number.
Method List
Select a server object from the drop-down list box. You can create a server object in the AAA Server screen.
The Zyxel Device authenticates the users using the databases (in the local user database or the external authentication server) in the order they appear in this screen.
If two accounts with the same username exist on two authentication servers you specify, the Zyxel Device does not continue the search on the second authentication server when you enter the username and password that doesn’t match the one on the first authentication server.
OK
Click OK to save the changes.
Cancel
Click Cancel to discard the changes.
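The ordering rule stated above (search stops at the first server that holds the username, no fall-through on a wrong password; at most four server objects, no two of the same type) can be modelled in a few lines. This is an added example, not Zyxel code; the server objects and accounts are constructed in-memory stand-ins for the local user database and external AD/RADIUS servers.

```python
"""Added example (not Zyxel code): models how an ordered authentication
method list is searched. The "servers" are constructed in-memory stand-ins
for the local user database and external AD/RADIUS servers."""
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    """One server object: its name, type and the accounts it holds (constructed)."""
    name: str
    kind: str                                     # "local", "ad", "ldap" or "radius"
    accounts: dict = field(default_factory=dict)  # username -> password

    def has_user(self, username):
        return username in self.accounts

    def check(self, username, password):
        return self.accounts.get(username) == password


class MethodList:
    """An ordered list of at most four server objects, no two of the same type."""

    MAX_METHODS = 4

    def __init__(self):
        self.servers = []

    def add(self, server):
        if len(self.servers) >= self.MAX_METHODS:
            raise ValueError("a method list holds at most four server objects")
        if any(s.kind == server.kind for s in self.servers):
            raise ValueError(f"a method list cannot contain two {server.kind} server objects")
        self.servers.append(server)

    def try_add(self, server):
        """Like add(), but report success as a bool instead of raising."""
        try:
            self.add(server)
            return True
        except ValueError:
            return False

    def move(self, name, position):
        """Re-order a method (0-based position), as the Move button does."""
        server = next(s for s in self.servers if s.name == name)
        self.servers.remove(server)
        self.servers.insert(position, server)

    def authenticate(self, username, password):
        """Return (success, server_name).

        Servers are tried in list order. The search stops at the first server
        that holds the username: if the password does not match there, the
        login fails even if a later server holds the same username with the
        password that was typed."""
        for server in self.servers:
            if server.has_user(username):
                return server.check(username, password), server.name
        return False, None


def build_demo_list():
    """Constructed example: local database first, then a RADIUS server."""
    methods = MethodList()
    methods.add(AuthServer("local", "local", {"alice": "local-pw"}))
    methods.add(AuthServer("radius1", "radius", {"alice": "radius-pw", "bob": "bob-pw"}))
    return methods


if __name__ == "__main__":
    m = build_demo_list()
    print(m.authenticate("alice", "radius-pw"))  # (False, 'local'): no fall-through
    print(m.authenticate("bob", "bob-pw"))       # (True, 'radius1')
```

The `alice` case is the one to watch when the same username exists on two servers: with the local database first, her RADIUS password is rejected, and only re-ordering the list with `move` changes the outcome.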
Two-Factor Authentication
Use two-factor authentication to have double-layer security to access the Zyxel Device through a VPN tunnel, Web Configurator, SSH, or Telnet.
The first layer is the VPN client/Zyxel Device’s login user name / password and the second layer is an authorized SMS (through mobile phone number) or email address.
Overview
This section introduces how two-factor authentication works.
VPN Access Through a VPN Tunnel
1 A user runs a VPN client and logs in with the user name and password for this VPN tunnel.
2 The VPN client connects to the Zyxel Device and authenticates using the specified username and password.
3 The Zyxel Device requests the user’s user-name, password and mobile phone number or email address from the Active Directory (AD), RADIUS server or local Zyxel Device database in order to authenticate this user (factor 1). If they are not found, then the Zyxel Device terminates the connection.
4 If all correct credentials are found, then the Zyxel Device performs one of the following actions:
Emails an authorization link to the admin user
Requests that the Email-to-SMS cloud system send an SMS with the authorization link
5 The client must open the authorization link or enter the authorization code within a specified deadline (Valid Time).
6 If the authorization is correct and received on time, then the client can access the secured network (SN) through the VPN tunnel. If the authorization deadline has expired, then the client has to log into the Zyxel Device again. If authorization credentials are incorrect or if the SMS/email was not received, then the client should contact the network administrator.
Admin Access Through the Web Configurator, SSH, or Telnet
1 An admin user connects to the Zyxel Device through the Web Configurator, SSH, or Telnet.
2 The Zyxel Device requests the admin user’s user-name, password and mobile phone number or email address from the Active Directory (AD), RADIUS server or local Zyxel Device database in order to authenticate this admin user.
3 If all correct credentials are found, then the Zyxel Device performs one of the following actions:
Requests the Google Authenticator code
Emails an authorization link or code to the admin user
Requests that the Email-to-SMS cloud system send an SMS with an authorization link or code
4 The admin user must open the authorization link or enter the authorization code within a specified deadline (Valid Time).
5 If the authorization is correct and received on time, then the admin user can log into the Zyxel Device. If the authorization deadline has expired, then the admin user has to log in again. If the authorization code is incorrect or was not received, then the admin user should contact the network administrator.
Pre-configuration
Before configuration, you must:
Set up the user’s user-name, password and email address or mobile number in the Active Directory, RADIUS server or local Zyxel Device database
Enable Two-factor Authentication in Object > User/Group > User > Edit > Two-factor Authentication for a specific user
Enable Two-factor Authentication in Object > Auth. Method > Two-factor Authentication for the Zyxel Device
Enable HTTP and/or HTTPS in System > WWW > Service Control
Enable SSH and/or Telnet in System > SSH and/or System > TELNET
Add HTTP, HTTPS, SSH, and/or, TELNET in the Object > Service > Service Group > Default_Allow_WAN_To_ZyWALL service group. This service group defines the default services allowed in the WAN_to_Device security policy.
For VPN access, configure the VPN tunnel for this user on the Zyxel Device
Email Authentication
Configure Mail Server in System > Notification > Mail Server.
SMS Authentication
Configure Mail Server in System > Notification > Mail Server.
Configure SMS in System > Notification > SMS.
Have an account with an Email-to-SMS cloud provider to be able to send SMS authorization requests
Google Authentication
Install Google Authenticator
Two-Factor authentication will fail under the following conditions:
You omit any of the pre-configuration items. Make sure to perform all pre-configuration items.
The user cannot receive the authorization SMS or email. Make sure the mobile telephone number or email address of the user in the Active Directory, RADIUS Server or local Zyxel Device database is configured correctly.
Email-to-SMS cloud system authentication fails. Make sure that SMS is enabled and credentials are correct in System > Notification > SMS.
Mail server authentication fails. Make sure the System > Notification > Mail Server settings are correct.
Authorization times out. Extend the Valid Time in Configuration > Object > Auth. Method > Two-factor Authentication > VPN Access.
You are unable to access Google Authenticator (you lost your phone or uninstalled the app). Log in using one of the backup codes.
You get a Google Authenticator verification error. You must enter the code within the time displayed in Google Authenticator. The time on your cellphone and the time on the Zyxel Device must be the same.
Google Authenticator Settings
The following is a list of specifications and limitations on using Google Authenticator for two-factor authentication.
Ext-users (authenticated by external servers) are not supported.
A user must set up Google Authenticator on their mobile device before they can successfully authenticate with the Zyxel Device.
Verification code length: 6 digits.
Maximum verification code failed attempts: 3
Backup code length: 8 digits
Google Authenticator is supported in device High Availability (HA) mode. The secret keys are synchronized between all Zyxel Devices.
You can configure two-factor authentication for non-VPN and non-admin users in web authentication.
*The admin two-factor authentication settings override the web authentication two-factor authentication settings if both are configured.
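The Google Authenticator limits above (6-digit codes, 3 failed attempts, 8-digit one-time backup codes, phone and device clocks in agreement) map directly onto a TOTP verifier. The following is an added example, not Zyxel code: Google Authenticator implements RFC 6238 TOTP (HMAC-SHA1, 30-second steps), and the verifier below applies the listed limits to it. The tolerance of one time step either side is an assumption made here for clock skew; the secret (the RFC 6238 reference secret), backup code and timestamps are constructed test values.

```python
"""Added example (not Zyxel code): a TOTP verifier that applies the Google
Authenticator limits listed above (6-digit codes, 3 failed attempts,
8-digit one-time backup codes, clocks that must agree). Google Authenticator
implements RFC 6238 TOTP (HMAC-SHA1, 30-second steps); the secret, backup
codes and timestamps used here are constructed test values."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30          # seconds per TOTP time step
DIGITS = 6         # verification code length
MAX_FAILURES = 3   # failed attempts allowed before the user is locked out
BACKUP_DIGITS = 8  # backup code length


def totp(secret_b32, at_time, step=STEP, digits=DIGITS):
    """RFC 6238 code for a base32 secret at the given Unix time."""
    key = base64.b32decode(secret_b32.upper())
    counter = int(at_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def generate_backup_codes(count=10):
    """Random 8-digit backup codes for use when the phone is unavailable."""
    return [f"{secrets.randbelow(10 ** BACKUP_DIGITS):0{BACKUP_DIGITS}d}"
            for _ in range(count)]


class TwoFactorVerifier:
    """Second-factor check for one user. `window` is the number of 30-second
    steps of clock skew tolerated on each side (an assumption; the manual
    only says the phone and device clocks must agree)."""

    def __init__(self, secret_b32, backup_codes, window=1):
        self.secret = secret_b32
        self.backup = set(backup_codes)     # each backup code works once
        self.window = window
        self.failures = 0

    def locked(self):
        return self.failures >= MAX_FAILURES

    def verify(self, code, now=None):
        if self.locked():
            return False                    # no more attempts until the lockout is cleared
        now = time.time() if now is None else now
        ok = False
        if len(code) == DIGITS and code.isdigit():
            for delta in range(-self.window, self.window + 1):
                expected = totp(self.secret, now + delta * STEP)
                if hmac.compare_digest(code, expected):
                    ok = True
                    break
        elif len(code) == BACKUP_DIGITS and code in self.backup:
            self.backup.discard(code)       # consume the backup code
            ok = True
        self.failures = 0 if ok else self.failures + 1
        return ok


# Constructed values: the RFC 6238 reference secret ("12345678901234567890"
# in base32) and a fixed backup code.
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TEST_BACKUP = "12345678"

if __name__ == "__main__":
    v = TwoFactorVerifier(TEST_SECRET, [TEST_BACKUP])
    code = totp(TEST_SECRET, time.time())
    print("current code:", code, "accepted:", v.verify(code))
```

The skew check is where the "time must be the same" failure from the list above shows up: a code generated for a time step outside the window is rejected and counts as a failed attempt, so a phone whose clock drifts by more than the window locks the user out after three tries.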
Two-Factor Authentication VPN Access
Use this screen to select the users and VPN services that require two-factor authentication.
The following table describes the labels in this screen.
Configuration > Object > Auth. Method > Two-factor Authentication > VPN Access
Label
Description
General Settings
 
Enable
Select the checkbox to require double-layer security to access the Zyxel Device through a VPN tunnel.
Valid Time
Enter the maximum time (in minutes) that the user must tap or click the authorization link in the SMS or email in order to get authorization for the VPN connection.
Two-factor Authentication for Services:
Select which kinds of VPN tunnels require Two-Factor Authentication. You should have configured the VPN tunnel first.
SSL VPN Access
IPSec VPN Access
L2TP/IPSec VPN Access
User/Group
This list displays the names of the users and user groups that can be selected for two-factor authentication. The order of members is not important. Select users and groups from the Selectable User/Group Objects list that require two-factor authentication for VPN access to a secured network behind the Zyxel Device and move them to the Selected User/Group Objects list. You can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and use the arrow button to move them.
Similarly, move users or groups that do not require two-factor authentication back to the Selectable User/Group Objects list.
Delivery Settings
Use this section to configure how to send an SMS or email for authorization.
Deliver Authorize Link Method:
The second factor authentication is done by sending a URL link by text (SMS) or email, or using Google Authenticator. Select one or up to three methods. You will get a URL link by text and email, and an authentication code for Google Authenticator if you select all three methods. Log in to the Zyxel Device by either clicking the URL in the text or email you received, or by entering the authentication code from Google Authenticator.
SMS: Object > User/Group > User must contain a valid mobile telephone number. A valid mobile telephone number can be up to 20 characters in length, including the numbers 1~9 and the following characters in the square brackets [+*#()-].
Email: Object > User/Group > User must contain a valid email address. A valid email address must contain the @ character. For example, this is a valid email address: abc@example.com
Google Authenticator: You must first set up your Zyxel Device on the Google Authenticator app in Configuration > Object > User/Group > User > Add > Two-factor Authentication; see User Add/Edit Two-factor Authentication for more information. Then enter a time-limited code from the Google Authenticator app.
Authorize Link URL Address:
Configure the link that the user will receive in the SMS or email. The user must be able to access the link.
http/https: you must enable HTTP or HTTPS in System > WWW > Service Control
From Interface/User-Defined: select the Zyxel Device WAN interface (wan1/2) or select User-Defined and then enter an IP address.
Authorized Port
Configure a new port between 1024 to 65535 that is not in use by other services.
Use this port for two-factor authentication of VPN clients to access the network behind the Zyxel Device. VPN clients do not need to change the port number on their devices, because the link to access the network behind the Zyxel Device will contain the new port number.
For example, if you change this to port 8008 and the link is using a.b.c.d, then VPN clients will see this link in their email or SMS to retrieve settings: https://a.b.c.d:8008.
Message
You can either create a default message in the text box or upload a message file (Use Multilingual file) from your computer. The message file must be named '2FA-msg.txt' and be in UTF-8 format. To create the file, click Download the default 2FA-msg.txt example and edit the file for your needs. (If you make a mistake, use Restore Customized File to Default to restore your customized file to the default.) Use Select a File Path to locate the final file on your computer and then click Upload to transfer it to the Zyxel Device.
The message in either the text box or the file must contain the <url> variable within angle brackets, while the <user>, <host>, and <time> variables are optional.
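The Authorize Link URL Address, Authorized Port and Message settings above fit together as follows. This is an added example, not Zyxel code: it validates the link settings the way the manual describes (http or https, an IP address, a port between 1024 and 65535), builds the link in the `https://a.b.c.d:8008` form shown above, and renders a message template in which `<url>` is required and `<user>`, `<host>` and `<time>` are optional. The sample template text, the address 203.0.113.10 and the user name are constructed; the real link sent by the device may carry additional parameters, which are not modelled here.

```python
"""Added example (not Zyxel code): validates the authorize-link settings,
builds the link, and renders a 2FA message template with the <url>, <user>,
<host> and <time> variables. Sample values are constructed."""
import ipaddress
import re

VAR_RE = re.compile(r"<(url|user|host|time)>")
ANY_TAG_RE = re.compile(r"<([^<>\s]+)>")
REQUIRED = {"url"}
OPTIONAL = {"user", "host", "time"}


def validate_link_settings(scheme, address, port):
    """Return a list of problems (empty when the settings are usable)."""
    problems = []
    if scheme not in ("http", "https"):
        problems.append("scheme must be http or https (and be enabled in System > WWW > Service Control)")
    try:
        ipaddress.ip_address(address)
    except ValueError:
        problems.append(f"{address!r} is not an IP address")
    if not 1024 <= port <= 65535:
        problems.append("authorized port must be between 1024 and 65535")
    return problems


def authorize_link(scheme, address, port):
    """Build the link the user receives, e.g. https://203.0.113.10:8008."""
    problems = validate_link_settings(scheme, address, port)
    if problems:
        raise ValueError("; ".join(problems))
    host = str(ipaddress.ip_address(address))
    if ":" in host:                      # IPv6 literals need brackets in a URL
        host = f"[{host}]"
    return f"{scheme}://{host}:{port}"


def template_problems(template):
    """Check a message for the required <url> variable and unknown <...> tags."""
    problems = []
    used = set(VAR_RE.findall(template))
    for tag in ANY_TAG_RE.findall(template):
        if tag not in REQUIRED | OPTIONAL:
            problems.append(f"unknown variable <{tag}>")
    if not REQUIRED <= used:
        problems.append("message must contain the <url> variable")
    return problems


def render(template, url, user, host, valid_minutes):
    """Substitute the variables; raises if the template is not acceptable."""
    problems = template_problems(template)
    if problems:
        raise ValueError("; ".join(problems))
    values = {"url": url, "user": user, "host": host, "time": str(valid_minutes)}
    return VAR_RE.sub(lambda m: values[m.group(1)], template)


def load_message_file(path):
    """Read a customized message file; the manual requires UTF-8 and the name 2FA-msg.txt."""
    if not path.endswith("2FA-msg.txt"):
        raise ValueError("the message file must be named 2FA-msg.txt")
    with open(path, encoding="utf-8") as fh:
        return fh.read()


# Constructed sample template (not the device's default message text).
SAMPLE_TEMPLATE = "Dear <user>,\nTo complete your login to <host>, open <url> within <time> minutes.\n"

if __name__ == "__main__":
    link = authorize_link("https", "203.0.113.10", 8008)
    print(render(SAMPLE_TEMPLATE, link, "alice", "fw1", 3))
```

Running `template_problems` on an edited `2FA-msg.txt` before uploading it catches the most common mistake, a message without `<url>`, which would leave the user with no link to click within the Valid Time.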
Apply
Click Apply to save the changes.
Reset
Click Reset to return the screen to its last-saved settings.
Two-Factor Authentication Admin Access
Use this screen to select the service (Web, SSH, and TELNET) that requires two-factor authentication for the admin user.
The following table describes the labels in this screen.
Configuration > Object > Auth. Method > Two-factor Authentication > Admin Access 
Label
Description
General Settings
 
Enable
Select the checkbox to require double-layer security to access the Zyxel Device through the Web Configurator, SSH, or Telnet.
Valid Time
Enter the maximum time (in minutes) that the user must click or tap the authorization link in the SMS or email in order to get authorization for logins through the Web Configurator, SSH, or Telnet.
Two-factor Authentication for Services:
Select which services require Two-Factor Authentication for the admin user.
Web
SSH
TELNET
Delivery Settings
Use this section to configure how to send an SMS or email for authorization.
Verification Code Delivery Method
Select one or both (All) methods:
SMS: Object > User/Group > User must contain a valid mobile telephone number. A valid mobile telephone number can be up to 20 characters in length, including the numbers 1~9 and the following characters in the square brackets [+*#()-].
Email: Object > User/Group > User must contain a valid email address. A valid email address must contain the @ character. For example, this is a valid email address: abc@example.com
Apply
Click Apply to save the changes.
Reset
Click Reset to return the screen to its last-saved settings.
Example: Admin Login with Two-factor Authentication by SMS
An Email-to-SMS service allows you to convert an email to an SMS message with an authentication code that is used for two-factor authentication login to the Zyxel Device. The user can receive an SMS message even if he has no Internet connection.
1 First subscribe for an Email-to-SMS service. Enter the email address which will send email to the Email-to-SMS service.
2 Then, in the Zyxel Device web configurator, go to CONFIGURATION > System > Notification > SMS and enter the SMS Provider Email server domain name in Provider Domain, and the sender’s email address in Mail From.
3 Next, go to CONFIGURATION > System > Notification > Mail to set up the following fields for the mail server:
Mail server
Mail server ports
Mail From
SMTP Authentication
4 Then go to Configuration > Object > User/Group > User > Add to create an admin type user. Enter the phone number for this user to receive SMS messages.
5 Next, set up two-factor authentication for this user in CONFIGURATION > Object > Auth Method > Two-Factor Authentication > Admin Access. Select which services (HTTPS (web), SSH and/or Telnet) require Two-Factor authentication, and select the user. Select SMS to send the verification code by SMS.
When this user logs into the Zyxel Device he will be asked to enter the verification code that was sent by SMS to his mobile phone.
Certificate Overview
The Zyxel Device can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.
When using public-key cryptology for authentication, each host has two keys. One key is public and can be made openly available. The other key is private and must be kept secure.
These keys work like a handwritten signature (in fact, certificates are often referred to as “digital signatures”). Only you can write your signature exactly as it should look. When people know what your signature looks like, they can verify whether something was signed by you, or by someone else. In the same way, your private key “writes” your digital signature and your public key allows people to verify whether data was signed by you, or by someone else. This process works as follows.
1 Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key).
2 Tim keeps the private key and makes the public key openly available. This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not.
3 Tim uses his private key to sign the message and sends it to Jenny.
4 Jenny receives the message and uses Tim’s public key to verify it. Jenny knows that the message is from Tim, and that although other people may have been able to read the message, no-one can have altered it (because they cannot re-sign the message with Tim’s private key).
5 Additionally, Jenny uses her own private key to sign a message and Tim uses Jenny’s public key to verify the message.
The Zyxel Device uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection. For example, a VPN tunnel might use the triple DES encryption algorithm.
The certification authority uses its private key to sign certificates. Anyone can then use the certification authority’s public key to verify the certificates.
A certification path is the hierarchy of certification authority certificates that validate a certificate. The Zyxel Device does not trust a certificate if any certificate on its path has expired or been revoked.
Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The Zyxel Device can check a peer’s certificate against a directory server’s list of revoked certificates. The framework of servers, software, procedures and policies that handles keys is called PKI (public-key infrastructure).
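The path and revocation rules in the two paragraphs above (a certificate is validated by the hierarchy of CA certificates up to one you trust, and is not trusted if any certificate on that path has expired or is on a CRL) can be written out as a small evaluation routine. This is an added example, not Zyxel code: it walks issuer links from the end-entity certificate to a self-signed root, applies the expiry, revocation and Basic Constraints path-length checks, and reports "Trusted" or "Not trusted". Signature verification is deliberately left out (it needs a cryptography library and real certificates); the names, serial numbers and dates are constructed.

```python
"""Added example (not Zyxel code): models how a certification path is
judged. Signatures are not checked; names, serials and dates are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
    is_ca: bool = False
    path_len: Optional[int] = None   # Basic Constraints path length; None = unlimited


def build_path(leaf, available):
    """Walk issuer links from the leaf until a self-signed certificate or a dead end."""
    by_subject = {c.subject: c for c in available}
    path, current = [leaf], leaf
    while current.issuer != current.subject:
        nxt = by_subject.get(current.issuer)
        if nxt is None or nxt in path:   # missing issuer or a loop
            break
        path.append(nxt)
        current = nxt
    return path


def evaluate_path(leaf, available, trusted, crl, now):
    """Return (status, detail); status is 'Trusted' or 'Not trusted'.

    crl is a set of (issuer, serial) pairs taken from the CRLs of the CAs on the path."""
    path = build_path(leaf, available)
    root = path[-1]
    if root.subject != root.issuer or root not in trusted:
        return "Not trusted", f"path does not end at a trusted CA (ends at {root.subject})"
    for cert in path:
        if not cert.not_before <= now <= cert.not_after:
            return "Not trusted", f"{cert.subject} expired or not yet valid"
        if (cert.issuer, cert.serial) in crl:
            return "Not trusted", f"{cert.subject} is revoked"
    for cert in path[1:]:
        if not cert.is_ca:
            return "Not trusted", f"{cert.subject} signed a certificate but is not a CA"
    # Path Length Constraint: a CA with path_len = n may have at most n CA certificates below it.
    for i, cert in enumerate(path[1:], start=1):
        if cert.path_len is not None and (i - 1) > cert.path_len:
            return "Not trusted", f"{cert.subject} path length constraint exceeded"
    return "Trusted", " -> ".join(c.subject for c in path)


# Constructed chain: root (path_len 1) -> issuing CA (path_len 0) -> VPN server certificate.
_UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=_UTC)
ROOT = Cert("Example Root CA", "Example Root CA", 1,
            datetime(2020, 1, 1, tzinfo=_UTC), datetime(2035, 1, 1, tzinfo=_UTC), True, 1)
INTER = Cert("Example Issuing CA", "Example Root CA", 2,
             datetime(2021, 1, 1, tzinfo=_UTC), datetime(2031, 1, 1, tzinfo=_UTC), True, 0)
LEAF = Cert("vpn.example.com", "Example Issuing CA", 3,
            datetime(2024, 1, 1, tzinfo=_UTC), datetime(2025, 1, 1, tzinfo=_UTC))


def demo(now=NOW, revoked=(), trusted=(ROOT,)):
    """Evaluate the constructed chain with the given clock, CRL entries and trust anchors."""
    return evaluate_path(LEAF, [ROOT, INTER, LEAF], set(trusted), set(revoked), now)


if __name__ == "__main__":
    print(demo())
    print(demo(revoked=[("Example Root CA", 2)]))
```

Two consequences of the rules are visible in `demo`: revoking the issuing CA (serial 2 on the root's CRL) invalidates every certificate beneath it even though the leaf itself is fine, and a root that is not in the trust store makes the whole path "Not trusted" regardless of dates.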
Advantages of Certificates
Certificates offer the following benefits.
The Zyxel Device only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate.
Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys.
Self-signed Certificates
You can have the Zyxel Device act as a certification authority and sign its own certificates.
Factory Default Certificate
The Zyxel Device generates its own unique self-signed certificate when you first turn it on. This certificate is referred to in the GUI as the factory default certificate.
Certificate File Formats
Any certificate that you want to import has to be in one of these file formats:
Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form.
Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. A PKCS #7 file is used to transfer a public key certificate. The private key is not included. The Zyxel Device currently allows the importation of a PKCS#7 file that contains a single certificate.
PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS#7 certificate into a printable form.
Binary PKCS#12: This is a format for transferring public key and private key certificates. The private key in a PKCS #12 file is within a password-encrypted envelope. The file’s password is not connected to your certificate’s public or private passwords. The password is set when the PKCS #12 file is exported, and you must provide it to decrypt the contents when you import the file into the Zyxel Device.
*Be careful not to convert a binary file to text during the transfer process. It is easy for this to occur since many programs use text files by default.
Verifying a Certificate
Before you import a trusted certificate into the Zyxel Device, you should verify that you have the correct certificate. You can do this using the certificate’s fingerprint. A certificate’s fingerprint is a message digest calculated using the MD5 or SHA1 algorithm. The following procedure describes how to check a certificate’s fingerprint to verify that you have the actual certificate.
1 Browse to where you have the certificate saved on your computer.
2 Make sure that the certificate has a “.cer” or “.crt” file name extension.
3 Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.
4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection.
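The file-format list above and the fingerprint procedure just described can both be checked from a script before a certificate is imported. This is an added example, not Zyxel code: it tells PEM (Base-64) from binary DER, decodes the PEM armour, checks the outer DER length against the file size (which catches a binary file that was converted to text during transfer, the pitfall noted above), computes the MD5 and SHA1 fingerprints, and compares a fingerprint with a thumbprint obtained out of band in a constant-time comparison that ignores colons, spaces and case. The certificate bytes used here are constructed filler with a valid outer DER header, not a real X.509 certificate; on a real `.cer`/`.crt` file the same functions apply.

```python
"""Added example (not Zyxel code): detect PEM vs DER, compute MD5/SHA1
fingerprints and compare them with an out-of-band thumbprint. SAMPLE_DER is
constructed filler, not a real X.509 certificate."""
import base64
import binascii
import hashlib
import hmac
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_length_ok(data: bytes) -> bool:
    """Check the outer SEQUENCE length against the file size.

    A DER file that was truncated or had its bytes altered by a text-mode
    transfer (e.g. 0x0A rewritten as 0x0D 0x0A) no longer adds up."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                    # short form: one length byte
        length, header = first, 2
    else:                               # long form: 0x80 | number of length bytes
        n = first & 0x7F
        length, header = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return header + length == len(data)


def detect_format(data: bytes) -> str:
    """'PEM' for a Base-64 armoured file, 'DER' for a binary file, 'unknown' otherwise."""
    if PEM_RE.search(data):
        return "PEM"
    if data[:1] == b"\x30":             # every DER certificate starts with an ASN.1 SEQUENCE tag
        return "DER"
    return "unknown"


def to_der(data: bytes) -> bytes:
    """Return the raw DER bytes, decoding PEM armour when present."""
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(2).split()), validate=True)
    if detect_format(data) == "DER" and der_length_ok(data):
        return data
    raise ValueError("not a PEM or intact DER certificate; was the binary file converted to text?")


def import_problem(data: bytes):
    """None if the bytes decode to a certificate body, else the reason they would be rejected."""
    try:
        to_der(data)
        return None
    except (ValueError, binascii.Error) as exc:
        return str(exc)


def fingerprints(data: bytes) -> dict:
    """MD5 and SHA1 digests of the DER encoding, upper-case hex, as shown in Thumbprint fields."""
    der = to_der(data)
    return {"MD5": hashlib.md5(der).hexdigest().upper(),
            "SHA1": hashlib.sha1(der).hexdigest().upper()}


def normalize_thumbprint(text: str) -> str:
    """Strip colons, spaces and case so thumbprints from different tools compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def thumbprint_matches(data: bytes, algorithm: str, expected: str) -> bool:
    computed = fingerprints(data)[algorithm.upper()]
    return hmac.compare_digest(computed, normalize_thumbprint(expected))


def to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    body = base64.encodebytes(der)      # 76-character lines, newline-terminated
    tag = label.encode()
    return b"-----BEGIN " + tag + b"-----\n" + body + b"-----END " + tag + b"-----\n"


# Constructed filler: SEQUENCE tag, long-form length 0x010A (266), then 266 bytes of payload.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"\x00" * 10
SAMPLE_PEM = to_pem(SAMPLE_DER)

if __name__ == "__main__":
    print(detect_format(SAMPLE_PEM), fingerprints(SAMPLE_PEM)["SHA1"])
```

The two fingerprints are the same whether the file is PEM or DER, because they are computed over the decoded DER bytes; that is why a thumbprint read from a Windows Certificate window can be compared with one computed from a PEM export.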
The My Certificates Screen
This is the Zyxel Device’s summary list of certificates and certification requests.
The following table describes the labels in this screen.
Configuration > Object > Certificate > My Certificates 
Label
Description
PKI Storage Space in Use
This bar displays the percentage of the Zyxel Device’s PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.
Add
Click this to go to the screen where you can have the Zyxel Device generate a certificate or a certification request.
Edit
Double-click an entry or select it and click Edit to open a screen with an in-depth list of information about the certificate.
Remove
The Zyxel Device keeps all of your certificates unless you specifically delete them. Uploading a new firmware or default configuration file does not delete your certificates. To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Subsequent certificates move up by one when you take this action.
References
You cannot delete certificates that any of the Zyxel Device’s features are configured to use. Select an entry and click References to open a screen that shows which settings use the entry.
Download
Click this and the following screen will appear.
Type the selected certificate’s password and save the selected certificate to your computer.
Email
Click this to email the selected certificate to the configured email address(es) for SSL connection establishment. This enables you to establish an SSL connection on your laptops, tablets, or smartphones.
 
Mail Subject: Type the subject line for outgoing email from the Zyxel Device.
Mail To: Type the email address (or addresses) to which the outgoing email is delivered.
Send Certificate with Private Key: Select the checkbox to send the selected certificate with a private key.
Password: Enter a password of up to 31 keyboard characters to protect the certificate’s private key. The special characters listed in the brackets [;\|`~!@#$%^&*()_+\\{}':,./<>=-"] are allowed.
E-mail Content: Create the email content in English, and use up to 250 keyboard characters. The special characters listed in the brackets [;\|`~!@#$%^&*()_+\\{}':,./<>=-"] are allowed.
Compress as a ZIP File: Select the checkbox to compress the selected certificate.
Make sure the endpoint devices can decompress ZIP files before sending the compressed certificate.
It's recommended to compress the certificate with a private key. Some email servers block PKCS #12 files.
Send Email: Click this to send the selected certificate.
Cancel: Click this to return to the previous screen without saving your changes.
#
This field displays the certificate index number. The certificates are listed in alphabetical order.
Name
This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name.
Type
This field displays what kind of certificate this is.
REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request.
SELF represents a self-signed certificate.
CERT represents a certificate issued by a certification authority.
Subject
This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Issuer
This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
Valid From
This field displays the date that the certificate becomes applicable.
Valid To
This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired.
Import
Click Import to open a screen where you can save a certificate to the Zyxel Device.
Refresh
Click Refresh to display the current validity status of the certificates.
My Certificates Add
Use this screen to have the Zyxel Device create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.
The following table describes the labels in this screen.
Configuration > Object > Certificate > My Certificates > Add 
Label
Description
Name
Type a name to identify this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
Subject Information
Use these fields to record information that identifies the owner of the certificate. You do not have to fill in every field, although you must specify a Host IP Address, Host IPv6 Address, Host Domain Name, or E-Mail. The certification authority may add fields (such as a serial number) to the subject information when it issues a certificate. It is recommended that each certificate have unique subject information.
Select a radio button to identify the certificate’s owner by IP address, domain name or email address. Type the IP address (in dotted decimal notation), domain name or email address in the field provided. The domain name or email address is for identification purposes only and can be any string.
A domain name can be up to 255 characters. You can use alphanumeric characters, the hyphen and periods.
An email address can be up to 63 characters. You can use alphanumeric characters, the hyphen, the @ symbol, periods and the underscore.
Organizational Unit
Identify the organizational unit or department to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
Organization
Identify the company or group to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
Town (City)
Identify the town or city where the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
State, (Province)
Identify the state or province where the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
Country
Enter a two-letter country code to identify the nation where the certificate owner is located.
Key Type
This sets the certificate’s encryption algorithm and signature hash algorithm.
Encryption algorithms:
RSA: Rivest, Shamir and Adleman public-key algorithm.
DSA: Digital Signature Algorithm public-key algorithm.
ECDSA: Elliptic Curve Digital Signature Algorithm.
Signature hash algorithms:
SHA256
SHA384
SHA512
RSA and SHA256 are less secure but more compatible with different clients and applications. ECDSA and SHA512 are more secure but less compatible.
Key Length
Select a number from the drop-down list box to determine how many bits the key should use (1024 to 2048). The longer the key, the more secure it is. A longer key also uses more PKI storage space. ECDSA keys are significantly shorter than RSA and DSA keys, while offering equal or higher security.
LifeTimes
Select how long the certificate is valid. It can be valid from 2 to 10 years.
Extended Key Usage
 
Server Authentication
Select this to have the Zyxel Device generate and store a request for a server authentication certificate.
Client Authentication
Select this to have the Zyxel Device generate and store a request for a client authentication certificate.
IKE Intermediate
Select this to have the Zyxel Device generate and store a request for an IKE Intermediate authentication certificate.
Create a self-signed certificate
Select this to have the Zyxel Device generate the certificate and act as the Certification Authority (CA) itself. This way you do not need to apply to a certification authority for certificates.
Create a certification request and save it locally for later manual enrollment
Select this to have the Zyxel Device generate and store a request for a certificate. Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority.
Copy the certification request from the My Certificate Details screen and then send it to the certification authority.
OK
Click OK to begin certificate or certification request generation.
Cancel
Click Cancel to quit and return to the My Certificates screen.
If you configured the My Certificate Create screen to have the Zyxel Device enroll a certificate and the certificate enrollment is not successful, you see a screen with a Return button that takes you back to the My Certificate Create screen. Click Return and check your information in the My Certificate Create screen. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the Zyxel Device to enroll a certificate online.
My Certificates Edit
You can use this screen to view in-depth certificate information and change the certificate’s name.
The following table describes the labels in this screen.
Configuration > Object > Certificate > My Certificates > Edit 
Label
Description
Name
This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
Certification Path
This field displays for a certificate, not a certification request.
Click the Refresh button to have this read-only text box display the hierarchy of certification authorities that validate the certificate (and the certificate itself).
If the issuing certification authority is one that you have imported as a trusted certification authority, it may be the only certification authority in the list (along with the certificate itself). If the certificate is a self-signed certificate, the certificate itself is the only one in the list. The Zyxel Device does not trust the certificate and displays “Not trusted” in this field if any certificate on the path has expired or been revoked.
Refresh
Click Refresh to display the certification path.
Certificate Information
These read-only fields display detailed information about the certificate.
Type
This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate’s owner signed the certificate (not a certification authority). “X.509” means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
Version
This field displays the X.509 version number.
Serial Number
This field displays the certificate’s identification number given by the certification authority or generated by the Zyxel Device.
Subject
This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O), State (ST), and Country (C).
Issuer
This field displays identifying information about the certificate’s issuing certification authority, such as Common Name, Organizational Unit, Organization and Country.
With self-signed certificates, this is the same as the Subject Name field.
“none” displays for a certification request.
Signature Algorithm
This field displays the type of algorithm that was used to sign the certificate. The Zyxel Device uses rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Some certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm).
Valid From
This field displays the date that the certificate becomes applicable. “none” displays for a certification request.
Valid To
This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired. “none” displays for a certification request.
Key Algorithm
This field displays the type of algorithm that was used to generate the certificate’s key pair (the Zyxel Device uses RSA encryption) and the length of the key set in bits (1024 bits for example).
Subject Alternative Name
This field displays the certificate owner‘s IP address (IP), domain name (DNS) or email address (EMAIL).
Key Usage
This field displays the purposes for which the certificate’s key may be used. For example, “DigitalSignature” means that the key may sign data such as IKE or TLS handshake messages, “KeyEncipherment” means that it may encrypt (transport) session keys, and “KeyCertSign”, found on certification authority certificates, means that it may sign other certificates.
Extended Key Usage
This field displays the purposes, beyond those in Key Usage, for which the certificate was issued: server authentication, client authentication or IKE Intermediate. A peer that checks this extension rejects the certificate when it is presented for a purpose that is not listed here.
Basic Constraint
This field displays the certificate’s basic constraints. For example, Subject Type=CA means that this is a certification authority’s certificate, and “Path Length Constraint=1” means that at most one further certification authority certificate may follow it in a certification path before the end entity’s certificate. This field does not display for a certification request.
MD5 Fingerprint
This is the certificate’s message digest that the Zyxel Device calculated using the MD5 algorithm.
SHA1 Fingerprint
This is the certificate’s message digest that the Zyxel Device calculated using the SHA1 algorithm.
Certificate in PEM (Base-64) Encoded Format
This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format: the binary (DER) object encoded with Base64 (uppercase and lowercase letters, numerals, + and /, with = as padding) between -----BEGIN and -----END lines, so that it can be copied as printable text.
You can copy and paste a certification request into a certification authority’s web page or into an email to the certification authority, or paste it into a text editor and save the file on a management computer for later manual enrollment.
You can copy and paste a certificate into an email to send to colleagues, or into a text editor and save the file on a management computer for later distribution (through an external storage device, for example). The text box contains only the public certificate, never the private key, so it is safe to share; the private key leaves the Zyxel Device only through the password-protected export described below.
Export Certificate Only
Use this button to save a copy of the certificate without its private key. Click this button and then Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save.
Password
If you want to export the certificate with its private key, create a password and type it here. Make sure you keep this password in a safe place; you will need it to import the certificate into another device. Anyone who obtains the exported file and this password can use the private key to impersonate the Zyxel Device, so choose a strong password and delete the file from the management computer once it has been imported.
Export Certificate with Private Key
Use this button to save a copy of the certificate with its private key. Type the certificate’s password and click this button. Click Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save.
OK
Click OK to save your changes back to the Zyxel Device. You can only change the name.
Cancel
Click Cancel to quit and return to the My Certificates screen.
My Certificates Import
Follow the instructions in this screen to save an existing certificate to the Zyxel Device.
*You can import a certificate that matches a corresponding certification request that was generated by the Zyxel Device. You can also import a certificate in PKCS#12 format, including the certificate’s public and private keys.
The certificate you import replaces the corresponding request in the My Certificates screen.
You must remove any spaces from the certificate’s filename before you can import it.
The following table describes the labels in this screen.
Configuration > Object > Certificate > My Certificates > Import 
Label
Description
File Path
Type in the location of the file you want to upload in this field or click Browse to find it.
You cannot import a certificate with the same name as a certificate that is already in the Zyxel Device.
Browse
Click Browse to find the certificate file you want to upload.
Password
This field only applies when you import a binary PKCS#12 file. Type the password that was set when the PKCS#12 file was exported; without it the private key in the file cannot be decrypted and the import fails.
OK
Click OK to save the certificate on the Zyxel Device.
Cancel
Click Cancel to quit and return to the My Certificates screen.
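The steps described above (generate a request, enroll it with a certification authority, check the fields and fingerprint of the returned certificate, export or import it with a password) correspond to OpenSSL commands typed on a management computer. The following script is an added example and is not part of the Zyxel manual or firmware; every file name, subject value, the stand-in certification authority and the password in it are made up for the demonstration, and it assumes the openssl command-line tool is installed:

```shell
#!/bin/sh
# Added example, not part of the Zyxel manual: the OpenSSL side of the
# My Certificates workflow (request, CA signing, field inspection,
# fingerprints, PKCS#12 export and import). The subject values, file
# names, stand-in CA and password are all made up for this demonstration.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# 1. Key pair and certification request. The subject and SAN values are
#    the fields the details screen later shows (CN/OU/O/C, DNS, IP, EMAIL).
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -keyout device.key -out device.csr \
  -subj "/C=US/O=Example Corp/OU=IT/CN=fw.example.com" \
  -addext "subjectAltName=DNS:fw.example.com,IP:192.0.2.1,email:admin@example.com" \
  2>/dev/null
# device.csr is the PEM text you would paste into the CA's enrollment page.

# 2. A stand-in CA signs the request. Key usage, extended key usage and
#    basic constraints are set by the CA's profile, not by the requester.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -keyout ca.key -out ca.pem -subj "/C=US/O=Example Corp/CN=Example Issuing CA" 2>/dev/null
cat > leaf.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:fw.example.com, IP:192.0.2.1, email:admin@example.com
EOF
openssl x509 -req -in device.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 365 -sha256 -extfile leaf.ext -out device.pem 2>/dev/null

# 3. The fields the certificate details screen displays, read from the file.
show_fields() {
  openssl x509 -in "$1" -noout -subject -issuer -serial -dates \
    -ext keyUsage,extendedKeyUsage,basicConstraints,subjectAltName
}

# 4. Fingerprint as the screen prints it (hex, no colons). A fingerprint is
#    just the hash of the DER encoding, which der_digest computes the long way.
fingerprint() {  # $1 = md5|sha1|sha256, $2 = PEM certificate
  openssl x509 -in "$2" -noout -fingerprint "-$1" | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}
der_digest() {
  openssl x509 -in "$2" -outform DER | openssl dgst "-$1" | sed 's/^.*= *//'
}

# 5. Does the certificate belong to this private key? The device only pairs
#    an imported certificate with the request that it generated itself.
cert_matches_key() {  # prints "match" or "mismatch"
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$c" = "$k" ] && echo match || echo mismatch
}

# 6. Expiry check behind the Expiring!/Expired! states: prints "yes" if the
#    certificate expires within $1 seconds, "no" otherwise.
expires_within() {
  if openssl x509 -in "$2" -noout -checkend "$1" >/dev/null; then echo no; else echo yes; fi
}

# 7. "Export Certificate with Private Key" produces a password-protected
#    PKCS#12 file; importing it requires the same password.
openssl pkcs12 -export -in device.pem -inkey device.key -certfile ca.pem \
  -name device -passout pass:ExamplePassword -out device.p12
openssl pkcs12 -in device.p12 -passin pass:ExamplePassword -nokeys -clcerts \
  -out from_p12.pem 2>/dev/null

show_fields device.pem
echo "sha256 fingerprint: $(fingerprint sha256 device.pem)"
echo "key pairing: $(cert_matches_key device.pem device.key)"
echo "expires within 30 days: $(expires_within 2592000 device.pem)"
```

Run it with sh on a management computer. Keep device.key and device.p12 out of email and shared drives: the PKCS#12 password is the only thing protecting the private key. OpenSSL 3 writes PKCS#12 files with AES and PBKDF2 by default; if a device rejects such a file on import, openssl pkcs12 -export -legacy produces the older 3DES/RC2 encoding that older importers expect.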
Trusted Certificates
This screen displays a summary list of certificates that you have set the Zyxel Device to accept as trusted. The Zyxel Device also accepts any valid certificate signed by a certificate on this list as being trustworthy; thus you do not need to import any certificate that is signed by one of these certificates.
The following table describes the labels in this screen.
Configuration > Object > Certificate > Trusted Certificates 
Label
Description
PKI Storage Space in Use
This bar displays the percentage of the Zyxel Device’s PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.
Edit
Double-click an entry or select it and click Edit to open a screen with an in-depth list of information about the certificate.
Remove
The Zyxel Device keeps all of your certificates unless you specifically delete them. Uploading a new firmware or default configuration file does not delete your certificates. To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Subsequent certificates move up by one when you take this action.
References
You cannot delete certificates that any of the Zyxel Device’s features are configured to use. Select an entry and click References to open a screen that shows which settings use the entry.
#
This field displays the certificate index number. The certificates are listed in alphabetical order.
Name
This field displays the name used to identify this certificate.
Subject
This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Issuer
This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
Valid From
This field displays the date that the certificate becomes applicable.
Valid To
This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired.
Import
Click Import to open a screen where you can save the certificate of a certification authority that you trust, from your computer to the Zyxel Device.
Refresh
Click this button to display the current validity status of the certificates.
Trusted Certificates Edit
Use this screen to view in-depth information about the certificate, change the certificate’s name and set whether or not you want the Zyxel Device to check a certification authority’s list of revoked certificates before trusting a certificate issued by the certification authority.
The following table describes the labels in this screen.
Configuration > Object > Certificate > Trusted Certificates > Edit 
Label
Description
Name
This field displays the identifying name of this certificate. You can change the name. You can use up to 31 alphanumeric and ;'~!@#$%^&()_+[]{}',.=- characters.
Certification Path
Click the Refresh button to have this read-only text box display the end entity’s certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity’s certificate. If the issuing certification authority is one that you have imported as a trusted certificate, it may be the only certification authority in the list (along with the end entity’s own certificate). The Zyxel Device does not trust the end entity’s certificate and displays “Not trusted” in this field if any certificate on the path has expired or been revoked.
Refresh
Click Refresh to display the certification path.
Enable X.509v3 CRL Distribution Points and OCSP checking
Select this checkbox to turn certificate revocation checking on or off. When it is on, the Zyxel Device checks whether a certificate has been revoked before trusting it, by downloading the issuing authority’s Certificate Revocation List (CRL) through HTTP or LDAP (configured after you select the LDAP Server checkbox) and/or by querying an online responder (configured after you select the OCSP Server checkbox). When it is off, a certificate that its certification authority has revoked, for example because its key was compromised, is still accepted until it expires.
OCSP Server
Select this checkbox if the certification authority provides an OCSP (Online Certificate Status Protocol) responder.
URL
Type the URL of the OCSP responder: the protocol, the host name or IP address and the path.
ID
The Zyxel Device may need to authenticate itself in order to access the OCSP server. Type the login name (up to 31 ASCII characters) from the entity maintaining the server (usually a certification authority).
Password
Type the password (up to 31 ASCII characters) from the entity maintaining the OCSP server (usually a certification authority).
LDAP Server
Select this checkbox if the directory server uses LDAP (Lightweight Directory Access Protocol). LDAP is a protocol over TCP that specifies how clients access directories of certificates and lists of revoked certificates.
Address
Type the IP address (in dotted decimal notation) of the directory server.
Port
Use this field to specify the LDAP server port number. You must use the same server port number that the directory server uses. 389 is the default server port number for LDAP.
ID
The Zyxel Device may need to authenticate itself in order to access the CRL directory server. Type the login name (up to 31 ASCII characters) from the entity maintaining the server (usually a certification authority).
Password
Type the password (up to 31 ASCII characters) from the entity maintaining the CRL directory server (usually a certification authority).
Certificate Information
These read-only fields display detailed information about the certificate.
Type
This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate’s owner signed the certificate (not a certification authority). X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
Version
This field displays the X.509 version number.
Serial Number
This field displays the certificate’s identification number given by the certification authority.
Subject
This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).
Issuer
This field displays identifying information about the certificate’s issuing certification authority, such as Common Name, Organizational Unit, Organization and Country.
With self-signed certificates, this is the same information as in the Subject Name field.
Signature Algorithm
This field displays the algorithm that was used to sign the certificate. Some certification authorities use rsa-pkcs1-sha1 (RSA with the SHA-1 hash); others may use rsa-pkcs1-md5 (RSA with the MD5 hash). Both are deprecated for certificate signatures; current certification authorities sign with SHA-256 or stronger.
Valid From
This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
Valid To
This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
Key Algorithm
This field displays the type of algorithm that was used to generate the certificate’s key pair (the Zyxel Device uses RSA encryption) and the length of the key set in bits (1024 bits for example).
Subject Alternative Name
This field displays the certificate owner’s IP address (IP), domain name (DNS) or email address (EMAIL).
Key Usage
This field displays the purposes for which the certificate’s key may be used. For example, “DigitalSignature” means that the key may sign data such as IKE or TLS handshake messages, “KeyEncipherment” means that it may encrypt (transport) session keys, and “KeyCertSign”, found on certification authority certificates, means that it may sign other certificates.
Extended Key Usage
This field displays the purposes, beyond those in Key Usage, for which the certificate was issued: server authentication, client authentication or IKE Intermediate. A peer that checks this extension rejects the certificate when it is presented for a purpose that is not listed here.
Basic Constraint
This field displays the certificate’s basic constraints. For example, Subject Type=CA means that this is a certification authority’s certificate, and “Path Length Constraint=1” means that at most one further certification authority certificate may follow it in a certification path before the end entity’s certificate.
MD5 Fingerprint
This is the certificate’s message digest that the Zyxel Device calculated using the MD5 algorithm. Fingerprints let you verify out of band (over the phone, for example) with the certification authority that this is actually their certificate before you trust it. MD5 is no longer collision-resistant, so use the SHA1 fingerprint for this comparison, or compute a SHA-256 fingerprint from the same PEM text on a management computer.
SHA1 Fingerprint
This is the certificate’s message digest that the Zyxel Device calculated using the SHA1 algorithm. Compare it with the value the certification authority publishes or confirms over the phone; a mismatch means this is not the certificate you expected and it must not be trusted.
Certificate
This read-only text box displays the certificate in Privacy Enhanced Mail (PEM) format: the binary (DER) certificate encoded with Base64 (uppercase and lowercase letters, numerals, + and /, with = as padding) between -----BEGIN and -----END lines, so that it can be copied as printable text.
You can copy and paste the certificate into an email to send to colleagues, or into a text editor and save the file on a management computer for later distribution (through an external storage device, for example). Recipients should still check the fingerprint before trusting it.
Export Certificate
Click this button and then Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save.
OK
Click OK to save your changes back to the Zyxel Device. You can only change the name.
Cancel
Click Cancel to quit and return to the Trusted Certificates screen.
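How the Certification Path field and the revocation settings above arrive at a trusted or Not trusted decision can be reproduced with OpenSSL's verifier. The following script is an added example and is not part of the Zyxel manual or firmware: it builds a constructed three-level chain with a path length constraint, a rogue sub-CA below the pathlen:0 intermediate, and a CRL issued by that intermediate, then asks openssl verify the same questions the Zyxel Device asks. All names are invented, and it assumes the openssl command-line tool is installed (openssl ca needs a writable working directory, which the script creates):

```shell
#!/bin/sh
# Added example, not part of the Zyxel manual: the decisions behind the
# Certification Path field ("Not trusted" when a certificate on the path has
# expired or been revoked) and the Basic Constraint path length, reproduced
# with OpenSSL. The three-level chain, the rogue sub-CA, the CRL and every
# name below are constructed for this demonstration.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

cat > ext.cnf <<'EOF'
[root]
basicConstraints = critical, CA:TRUE, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
[inter]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF

# issue NAME SUBJECT EXT_SECTION ISSUER   ("" as ISSUER = self-signed root)
issue() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null
  openssl req -new -key "$1.key" -subj "$2" -out "$1.csr"
  if [ -z "$4" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 -sha256 \
      -extfile ext.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -days 365 -sha256 -extfile ext.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
  fi
}
issue root  "/O=Example/CN=Example Root CA"    root  ""
issue inter "/O=Example/CN=Example Issuing CA" inter root
issue leaf  "/O=Example/CN=vpn.example.com"    leaf  inter
# A CA certificate issued below the pathlen:0 intermediate, and a leaf under it.
issue subca "/O=Example/CN=Rogue Sub-CA"       inter inter
issue leaf2 "/O=Example/CN=host.example.com"   leaf  subca
cat inter.pem subca.pem > chain.pem

# The issuing CA revokes leaf.pem and publishes a CRL, the list the device
# downloads over HTTP or LDAP when revocation checking is enabled.
cat > ca.cnf <<'EOF'
[ca]
default_ca = issuing
[issuing]
database = index.txt
crlnumber = crlnumber
new_certs_dir = .
certificate = inter.pem
private_key = inter.key
default_md = sha256
default_crl_days = 30
policy = policy_any
[policy_any]
commonName = supplied
EOF
touch index.txt
echo 1000 > crlnumber
openssl ca -config ca.cnf -revoke leaf.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out inter.crl 2>/dev/null

# Trust decision for an end-entity certificate ($3), given the trusted CA
# store ($1) and the untrusted intermediates ($2). Prints "trusted" or
# "not trusted (<reason>)"; any further arguments go to openssl verify.
path_status() {
  ca=$1; chain=$2; ee=$3; shift 3
  if out=$(openssl verify -CAfile "$ca" -untrusted "$chain" "$@" "$ee" 2>&1); then
    echo trusted
  else
    reason=$(printf '%s\n' "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1)
    echo "not trusted ($reason)"
  fi
}

# The certification path as the device's Refresh button would show it.
openssl verify -show_chain -CAfile root.pem -untrusted inter.pem leaf.pem
echo "now:              $(path_status root.pem inter.pem leaf.pem)"
echo "in the year 2033: $(path_status root.pem inter.pem leaf.pem -attime 2000000000)"
echo "via rogue sub-CA: $(path_status root.pem chain.pem leaf2.pem)"
echo "with CRL check:   $(path_status root.pem inter.pem leaf.pem -crl_check -CRLfile inter.crl)"
```

The -attime run shows what happens once a certificate on the path has expired, the chain through the sub-CA shows the Path Length Constraint being enforced, and -crl_check with -CRLfile is the offline equivalent of the CRL download the device performs. Before importing a root certificate into Trusted Certificates, compare its fingerprint with a value obtained out of band: the verifier trusts whatever is in the store.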
Trusted Certificates Import
Follow the instructions in this screen to save a trusted certificate to the Zyxel Device.
*You must remove any spaces from the certificate’s filename before you can import the certificate.
The following table describes the labels in this screen.
Configuration > Object > Certificate > Trusted Certificates > Import 
Label
Description
File Path
Type in the location of the file you want to upload in this field or click Browse to find it.
You cannot import a certificate with the same name as a certificate that is already in the Zyxel Device.
Browse
Click Browse to find the certificate file you want to upload.
OK
Click OK to save the certificate on the Zyxel Device.
Cancel
Click Cancel to quit and return to the previous screen.
ISP Account Overview
Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE/PPTP/L2TP interfaces. An ISP account is a profile of settings for Internet access using PPPoE, PPTP or L2TP.
ISP Account Summary
This screen provides a summary of ISP accounts in the Zyxel Device.
The following table describes the labels in this screen.
Configuration > Object > ISP Account 
Label
Description
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific entry.
Profile Name
This field displays the profile name of the ISP account. This name is used to identify the ISP account.
Protocol
This field displays the protocol used by the ISP account.
Authentication Type
This field displays the authentication type used by the ISP account.
User Name
This field displays the user name of the ISP account.
ISP Account Add/Edit
The ISP Account Add/Edit screen lets you add information about new accounts and edit information about existing accounts.
The following table describes the labels in this screen.
Configuration > Object > ISP Account > Edit 
Label
Description
Profile Name
This field is read-only if you are editing an existing account. Type in the profile name of the ISP account. The profile name is used to refer to the ISP account. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Protocol
This field is read-only if you are editing an existing account. Select the protocol used by the ISP account. Your ISP will provide you with a related username, password and IP (server) information. Options are:
pppoe - This ISP account uses the PPPoE protocol.
pptp - This ISP account uses the PPTP protocol.
l2tp - This ISP account uses the L2TP protocol.
Authentication Type
Use the drop-down list box to select an authentication protocol for outgoing calls. Options are:
CHAP/PAP - Your Zyxel Device accepts either CHAP or PAP when requested by this remote node.
CHAP - Your Zyxel Device accepts CHAP only.
PAP - Your Zyxel Device accepts PAP only.
MSCHAP - Your Zyxel Device accepts MSCHAP only.
MSCHAP-V2 - Your Zyxel Device accepts MSCHAP-V2 only.
Encryption Method
This field is available if this ISP account uses the PPTP protocol. Use the drop-down list box to select the type of Microsoft Point-to-Point Encryption (MPPE). Options are:
nomppe - This ISP account does not use MPPE; the tunnel carries traffic in the clear.
mppe-40 - This ISP account uses 40-bit MPPE.
mppe-128 - This ISP account uses 128-bit MPPE.
MPPE uses the RC4 cipher and derives its keys from the MS-CHAP password exchange, which can be broken offline by an attacker who captures the authentication. Select mppe-128 when your ISP supports it, but do not rely on PPTP for confidentiality.
User Name
Type the user name given to you by your ISP.
Password
Type the password associated with the user name above. The password can only consist of alphanumeric characters (A-Z, a-z, 0-9). This field can be blank.
Your password will be encrypted when you configure this field.
Retype to Confirm
Type your password again to make sure that you have entered it correctly.
IP Address/FQDN
Enter the IP address or Fully-Qualified Domain Name (FQDN) of the PPTP or L2TP server.
Connection ID
This field is available if this ISP account uses the PPTP protocol. Type your identification name for the PPTP server. This field can be blank.
Service Name
If this ISP account uses the PPPoE protocol, type the PPPoE service name to access. PPPoE uses the specified service name to identify and reach the PPPoE server. This field can be blank.
If this ISP account uses the PPTP protocol, this field is not displayed.
Compression
Select On to turn on Stac compression, or Off to turn it off. Stac compression is a data compression technique that can compress data by a factor of up to about four.
Idle Timeout
This value specifies the number of seconds that must elapse without outbound traffic before the Zyxel Device automatically disconnects from the PPPoE/PPTP server. This value must be an integer between 0 and 360. If this value is zero, this timeout is disabled.
OK
Click OK to save your changes back to the Zyxel Device. If there are no errors, the program returns to the ISP Account screen. If there are errors, a message box explains the error, and the program stays in the ISP Account Edit screen.
Cancel
Click Cancel to return to the ISP Account screen without creating the profile (if it is new) or saving any changes to the profile (if it already exists).