www.zyxel.com

Contents (excerpt; page numbers refer to the handbook)

(Branch has a Dynamic IP Address) ... 77
Test the IPSec VPN Tunnel ... 81
What Could Go Wrong? ... 82
How to Configure IPSec Site to Site VPN while one Site is behind a NAT router ... 84
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ) ...
Spoke_Branch_A ... 143
Spoke_Branch_B ... 147
Test the IPSec VPN Tunnel ... 151
What Could Go Wrong? ... 153
How to Configure IPSec VPN with ZyWALL IPSec VPN Client ... 156
Set Up the ZyWALL/USG IPSec VPN Tunnel ... 157
Set Up the ZyWALL IPSec VPN Client ...
(Branch) ... 233
Set up the WAN Trunk (ZyWALL/USG_HQ) ... 237
Set up the Failover Command Line (ZyWALL/USG HQ) ... 238
Test the IPSec VPN Tunnel ... 240
What Could Go Wrong? ... 241
How to Configure L2TP over IPSec VPN while the ZyWALL/USG is behind a NAT router ...
Export a Certificate from ZyWALL/USG and Import it to iOS Mobile Phone ... 304
Set Up the L2TP VPN Tunnel on the iOS Mobile Device ... 305
Test the L2TP over IPSec VPN Tunnel ... 308
What Could Go Wrong? ... 309
How to Import ZyWALL/USG Certificate for L2TP over IPsec in Android mobile phone ...
Set Up the SSL VPN Tunnel on the ZyWALL/USG ... 355
Set Up the SSL VPN Tunnel on the Apple MAC OS X 10.10 Operating System ... 360
Test the SSL VPN Tunnel ... 364
What Could Go Wrong? ... 367
How To Configure SSL VPN for Remote Access Mobile Devices ...
How to block HTTPS websites by Domain Filter without applying SSL Inspection ... 414
Set Up the Content Filter on the ZyWALL/USG ... 415
Set Up the Security Policy on the ZyWALL/USG ... 417
Set Up the System Policy on the ZyWALL/USG ... 417
Test the Result ...
Set Up the ZyWALL/USG Email Daily Report Setting ... 449
Test the Daily Log Report ... 450
What Could Go Wrong? ... 451
How to Setup and Configure Email Logs ... 452
Set Up the ZyWALL/USG Email Logs Setting ... 452
Test the Email Log ...
Test ... 495
How to Perform and Use the Packet Capture Feature on the ZyWALL/USG ... 496
Set Up the Packet Capture Feature ... 497
Check the Capture Files ... 499
How to Automatically Reboot the ZyWALL/USG by Schedule ... 501
Set Up the Shell Script ...
Set Up the Security Policy on the ZyWALL/USG for Executives ... 533
Test the Result ... 536
What Could Go Wrong? ... 537
How To Detect and Prevent TCP Port Scanning with ADP ... 538
Set Up the ADP Profile on the ZyWALL/USG ... 539
Test the Result ...
Export Certificate from ZyWALL/USG and Import it to Windows 7 Operating System ... 576
Test the Result ... 581
What Could Go Wrong? ... 582
How To Block the Spotify Music Streaming Service ... 583
Set Up IDP Profile on the ZyWALL/USG ... 584
Test the Result ...
Set Up the Bandwidth Management for BitTorrent on the ZyWALL/USG ... 614
Set Up the Bandwidth Management Global Setting on the ZyWALL/USG ... 616
Test the Result ... 616
What Could Go Wrong? ... 617
How to Configure a Trunk for WAN Load Balancing with a Static or Dynamic IP Address ...
Upload the Configuration Files from the ZyWALL/USG ... 639
What Could Go Wrong? ... 640
How to Manage ZyWALL/USG Firmware ... 641
Download the Current Firmware Version from ZyXEL.com ... 642
Upload the Firmware on the ZyWALL/USG ... 643
What Could Go Wrong? ...
Set Up the Security Policy on the ZyWALL/USG ... 675
Test the Result ... 676
What Could Go Wrong? ... 677
How to Set Up a WiFi Network with ZyXEL APs ... 678
Set Up the AP Management on the ZyWALL/USG ... 679
Test the Result ...
How to Set Up an IPv6 6to4 Tunnel ... 716
Set Up the LAN IPv6 Interface on the ZyWALL/USG ... 717
Set Up the 6to4 Tunnel on the ZyWALL/USG ... 718
Test the Result ... 719
What Could Go Wrong? ... 720
How to Set Up an IPv6-in-IPv4 Tunnel ...
How to Configure Site-to-site IPSec VPN with Amazon VPC

This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and an Amazon VPC. It walks through the configuration on each side; once the tunnel is up, each site can reach the other securely.

Set Up the IPSec VPN Tunnel on the Amazon VPC

Sign in to the Amazon AWS Management Console and go to Networking > VPC.
Amazon AWS Management Console > Networking > VPC
In the upper left of the screen, click Start VPC Wizard.
Amazon VPC Management Console >...
Select a VPC Configuration > VPC with a Private Subnet Only and Hardware VPN Access. Enter your IP CIDR block and private subnet, then click Next.
VPC with a Private Subnet Only and Hardware VPN
Configure your VPN: enter the ZyWALL/USG public IP address as the Customer Gateway IP, give the Customer Gateway and the VPN Connection a name, and click Create VPC at the bottom of the page.
Configure your VPN
In the VPC Dashboard, go to VPN Connections and select Download Configuration from the upper bar.
VPC Dashboard > VPN Connections
Open the downloaded configuration .txt file. It lists the IKE SA parameters, the IPSec SA parameters and the gateway IP address. Make sure every one of these values matches the corresponding ZyWALL/USG setting; a single differing algorithm, DH group or lifetime is enough to stop Phase 1 or Phase 2 from completing.
Configuration .txt File
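Checking the downloaded file against the wizard entries by eye is where most mismatches slip through. The script below is an added example (not part of the Zyxel handbook and not an AWS tool): it parses the "- Key : Value" lines of the first tunnel in a file shaped like the AWS generic vendor download and reports every parameter that differs from what was typed into the ZyWALL/USG wizard. SAMPLE is constructed for this example; the ZYWALL dictionary, its key names and the NORMALISE label mapping are assumptions, so extend them for the algorithms you actually select.

```python
"""Compare IKE/IPSec parameters in an AWS VPN configuration download with the
values entered in the ZyWALL/USG VPN Setup Wizard.

Added example, not from the Zyxel handbook.  SAMPLE is constructed in the shape
of the AWS "Generic" vendor file (first tunnel only); ZYWALL and NORMALISE are
assumed for the example.
"""
import re

SAMPLE = """\
IPSec Tunnel #1
#1: Internet Key Exchange Configuration
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : EXAMPLE_PSK_DO_NOT_USE
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
#2: IPSec Configuration
  - Protocol                 : esp
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Mode                     : tunnel
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
#3: Tunnel Interface Configuration
Outside IP Addresses:
  - Customer Gateway         : 203.0.113.10
  - Virtual Private Gateway  : 52.39.135.203
"""

SECTION_MARKERS = {"#1:": "ike", "#2:": "ipsec", "#3:": "tunnel"}
KV_LINE = re.compile(r"^\s*-\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.+?)\s*$")


def parse_aws_config(text):
    """Return {"ike": {...}, "ipsec": {...}, "tunnel": {...}} for tunnel #1,
    keyed by the lower-cased parameter names used in the file."""
    sections = {name: {} for name in SECTION_MARKERS.values()}
    current = None
    for line in text.splitlines():
        if line.startswith("IPSec Tunnel #2"):   # AWS lists two tunnels; keep the first
            break
        marker = line.strip()[:3]
        if marker in SECTION_MARKERS:
            current = SECTION_MARKERS[marker]
            continue
        m = KV_LINE.match(line)
        if current and m:
            sections[current][m.group("key").lower()] = m.group("value")
    return sections


# AWS wording on the left, the label the ZyWALL/USG wizard uses on the right (assumed).
NORMALISE = {
    "aes-128-cbc": "aes128", "aes-256-cbc": "aes256", "3des-cbc": "3des",
    "hmac-sha1-96": "sha1", "hmac-sha2-256-128": "sha256", "sha2-256": "sha256",
    "diffie-hellman group 2": "dh2", "diffie-hellman group 14": "dh14",
}


def norm(value):
    """Lower-case, drop the 'seconds' unit and map vendor spellings so both sides compare."""
    v = str(value).strip().lower()
    if v.endswith(" seconds"):
        v = v.split()[0]
    if v.isdigit():
        return int(v)
    return NORMALISE.get(v, v)


# (AWS section, AWS parameter name, ZyWALL/USG wizard field)
CHECKS = [
    ("ike", "phase 1 negotiation mode", "p1_negotiation"),
    ("ike", "encryption algorithm", "p1_encryption"),
    ("ike", "authentication algorithm", "p1_authentication"),
    ("ike", "perfect forward secrecy", "p1_key_group"),
    ("ike", "lifetime", "p1_sa_lifetime"),
    ("ipsec", "protocol", "p2_protocol"),
    ("ipsec", "encryption algorithm", "p2_encryption"),
    ("ipsec", "authentication algorithm", "p2_authentication"),
    ("ipsec", "perfect forward secrecy", "p2_pfs"),
    ("ipsec", "lifetime", "p2_sa_lifetime"),
    ("tunnel", "virtual private gateway", "secure_gateway"),
]


def compare(aws, zywall):
    """Return [(section, parameter, aws_value, zywall_value)] for every mismatch."""
    mismatches = []
    for section, aws_key, zy_key in CHECKS:
        a = norm(aws[section].get(aws_key, "<missing>"))
        z = norm(zywall.get(zy_key, "<missing>"))
        if a != z:
            mismatches.append((section, aws_key, a, z))
    return mismatches


# Constructed: the values entered in the ZyWALL/USG wizard for this tunnel.
ZYWALL = {
    "secure_gateway": "52.39.135.203",
    "p1_negotiation": "Main", "p1_encryption": "AES128", "p1_authentication": "SHA1",
    "p1_key_group": "DH2", "p1_sa_lifetime": 28800,
    "p2_protocol": "ESP", "p2_encryption": "AES128", "p2_authentication": "SHA1",
    "p2_pfs": "DH2", "p2_sa_lifetime": 3600,
}

if __name__ == "__main__":
    cfg = parse_aws_config(SAMPLE)
    print(compare(cfg, ZYWALL))                       # [] when everything matches
    print(compare(cfg, dict(ZYWALL, p2_pfs="DH14")))  # the one field to fix
```

An empty result means the wizard entries agree with the file; each tuple in a non-empty result names the section and parameter to correct before clicking Connect. The pre-shared key is deliberately not compared here, since it should be copied once into the wizard and not kept in scripts.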
Set Up the IPSec VPN Tunnel on the ZyWALL/USG

In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule for the Amazon VPC. Click Next.
Quick Setup >...
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Then configure the Secure Gateway IP as the peer Amazon VPC gateway IP address (52.39.135.203 in the example) and set My Address to the interface connected to the Internet. Set Negotiation, Encryption, Authentication, Key Group and SA Life Time to values the Amazon VPC supports.
Set Local Policy to the IP address range of the network connected to the ZyWALL/USG and Remote Policy to the IP address range of the network in the Amazon VPC. Click OK.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Phase 2 Setting)
This screen provides a read-only summary of the VPN tunnel.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)
The rule is now configured on the ZyWALL/USG. The Phase 1 settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 settings appear in the VPN >...
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed

Test the IPSec VPN Tunnel

Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the tunnel is up.
Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and the Inbound (Bytes)/Outbound (Bytes) counters.
MONITOR > VPN Monitor > IPSec
To test whether the tunnel is passing traffic, ping from a host on the local LAN to a host in the AWS VPC private subnet.
If Phase 1 (the IKE SA) completes but you still get the [info] log message shown below, check the ZyWALL/USG Phase 2 settings and make sure each one is in the list of IKE Phase 2 parameters the Amazon VPC supports.
MONITOR >...
How to Configure Site-to-site IPSec VPN with Microsoft (MS) Azure

This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and Microsoft (MS) Azure. It walks through the configuration on each side; once the tunnel is up, each site can reach the other securely.

Set Up the IPSec VPN Tunnel on the ZyWALL/USG

In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule for MS Azure. Click Next.
Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters; the value is case-sensitive. Select Site-to-site as the rule type. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Then configure the Secure Gateway IP as the peer MS Azure gateway IP address (13.75.42.148 in the example);...
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Phase 1 Setting)
Note: For the IPsec parameters MS Azure supports, see the Microsoft Azure documentation "About VPN devices for Site-to-Site VPN Gateway connections".
Continue to the Phase 2 settings and select the Encapsulation, Encryption, Authentication and SA Life Time values MS Azure supports. Set Local Policy to the IP address range of the network connected to the ZyWALL/USG and Remote Policy to the IP address range of the MS Azure virtual network.
This screen provides a read-only summary of the VPN tunnel. Click Save.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)
The rule is now configured on the ZyWALL/USG. The Phase 1 settings appear in the VPN >...

Set Up the IPSec VPN Tunnel on MS Azure

Sign in to the Azure Management Portal. In the upper left corner of the screen, click +New > Networking > Virtual Network.
Azure portal > New > Networking > Virtual Network
Near the bottom of the Virtual Network blade, select Resource Manager from the Select a deployment model list, then click Create.
On the Create virtual network page, enter a NAME for the VPN network, for example VPN_Vnet_to_USG. Add your Address Space, a Subnet name and a single Subnet address range. Click Resource group and either select an existing resource group or create a new one by typing a name for it.
New > Networking > Virtual Network > Create virtual network
In the portal, navigate to the virtual network you just created. On its blade, click the Settings icon at the top to expand the Settings blade to Subnets >...
In the portal, go to New, then Networking, and select Virtual network gateway from the list. On the Create virtual network gateway blade, enter a Name for the gateway and choose the Virtual network you want to deploy it to. Click the arrow (>) to open the Choose public IP address blade.
In the Azure portal, navigate to New > Networking > Local network gateway. The local network gateway represents your ZyWALL/USG: its public IP and the subnets behind it. On the Create local network gateway blade, give the ZyWALL/USG gateway object a Name.
Specify the public IP address of your ZyWALL/USG. It cannot be behind NAT and has to be reachable from Azure. Address space is the address range(s) of the ZyWALL/USG local network. For Resource Group, select the resource group you created earlier.
New > Networking > Local network gateway
Locate your virtual network gateway (VPN_Connection_to_USG in this example) and click Settings > Connection > Add connection. Name the connection. For Connection type, select Site-to-site (IPSec). For Virtual network gateway, the value is fixed because you are connecting from this gateway (VPN_GW_to_USG in this example).
For Local network gateway, select the local network gateway you want to use (VPN_Connection_to_USG in this example). For Shared Key (PSK), enter exactly the value you use on the ZyWALL/USG. For Resource Group, select the resource group you created earlier.
When the connection is complete, it appears in the Connections blade for your gateway.
VPN_Connection_to_USG > Settings > Connections

Test the IPSec VPN Tunnel

Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar.
MONITOR > VPN Monitor > IPSec
Go to Azure_Vnet_USG > Settings to check the tunnel DATA IN and DATA OUT counters.
VPN > VPN Settings > Currently Active VPN Tunnels
To test whether the tunnel is passing traffic, ping from a computer at one site to a computer at the other.
PC behind MS Azure > Windows 7 > cmd > ping 192.77.1.33

What Could Go Wrong?

If you see the [info] or [error] log message shown below, check the ZyWALL/USG Phase 1 settings and make sure each one is in the list of IKE Phase 1 parameters MS Azure supports.
MONITOR > Log
If Phase 1 (the IKE SA) completes but you still get the [info] log message shown below, check the ZyWALL/USG Phase 2 settings and make sure each one is in the list of IKE Phase 2 parameters MS Azure supports.
MONITOR >...
How to Configure GRE over IPSec VPN Tunnel

This example shows how to use the VPN Setup Wizard to create a GRE over IPSec VPN tunnel between two ZyWALL/USG devices. It walks through the configuration at each site; once the GRE over IPSec tunnel is up, each site can reach the other securely.

Set Up the ZyWALL/USG GRE over IPSec VPN Tunnel of Corporate Network (HQ)

In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule for the peer ZyWALL/USG at the Branch.
Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters; the value is case-sensitive. Select Site-to-site as the rule type. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Configure the Secure Gateway IP as the Branch WAN IP address (111.250.184.80 in the example).
This screen provides a read-only summary of the VPN tunnel. Click Save.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)
The rule is now configured on the ZyWALL/USG. The Phase 1 settings appear in the VPN >...
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity content sent by the remote IPSec router. With Peer ID Type set to Any the remote gateway is authenticated by the pre-shared key alone, so the key must be strong and known only to the two gateways.
CONFIGURATION >...
CONFIGURATION > Network > Interface > Tunnel > Add

Set Up the ZyWALL/USG GRE over IPSec VPN Tunnel of Corporate Network (Branch)

In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule for the peer ZyWALL/USG at HQ.
Choose Express to create a VPN rule with the default Phase 1 and Phase 2 settings and a pre-shared key as the authentication method. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type
Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters.
Set Local Policy to the IP address range of the network connected to the ZyWALL/USG (Branch) and Remote Policy to the IP address range of the network connected to the ZyWALL/USG (HQ).
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration)
This screen provides a read-only summary of the VPN tunnel.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings. Set Authentication > Peer ID Type to Any, as on the HQ unit, so that the ZyWALL/USG does not check the identity content sent by the remote IPSec router.
The GRE tunnel runs between the IPsec public interface on the Branch unit and the HQ unit. Go to CONFIGURATION > Network > Interface > Tunnel > Add. Enter the Interface Name (the format is tunnelx, where x is 0-3). Enter the IP Address and Subnet Mask for this interface.

Test the GRE over IPSec VPN Tunnel

Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the tunnel is up.
CONFIGURATION > VPN > IPSec VPN > VPN Connection
Go to ZyWALL/USG MONITOR >...
If Phase 1 (the IKE SA) completes but you still get the [info] log message shown below, check the Phase 2 settings on both ZyWALL/USG units; they must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IPSec SA.
MONITOR >...
How to Configure Site-to-site IPSec VPN Where the Peer has a Static IP Address

This example shows how to use the VPN Setup Wizard to create a site-to-site VPN where the peer has a static IP address. It walks through the configuration at each site.
Choose Express to create a VPN rule with the default Phase 1 and Phase 2 settings and a pre-shared key as the authentication method. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type
Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters.
Configure the Secure Gateway IP as the peer ZyWALL/USG WAN IP address (172.100.30.54 in the example). Type a secure Pre-Shared Key (8-32 characters). Set Local Policy to the IP address range of the network connected to this ZyWALL/USG and Remote Policy to the IP address range of the network connected to the peer ZyWALL/USG.
This screen provides a read-only summary of the VPN tunnel. Click Save.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)
The rule is now configured on the ZyWALL/USG. The Phase 1 settings appear in the VPN >...
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity content sent by the remote IPSec router.
CONFIGURATION >...
Now repeat the wizard on the peer ZyWALL/USG. Choose Express to create a VPN rule with the default Phase 1 and Phase 2 settings and a pre-shared key. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type
Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters.
Configure the Secure Gateway IP as the peer ZyWALL/USG WAN IP address (172.101.30.68 in the example). Type the same Pre-Shared Key (8-32 characters). Set Local Policy to the IP address range of the network connected to this ZyWALL/USG and Remote Policy to the IP address range of the network connected to the peer ZyWALL/USG.
This screen provides a read-only summary of the VPN tunnel. Click Save.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)
The rule is now configured on the ZyWALL/USG. The Phase 1 settings appear in the VPN >...
CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type

Test the IPSec VPN Tunnel

Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the tunnel is up.
PC at HQ Office > Windows 7 > cmd > ping 192.168.10.33
PC at Branch Office > Windows 7 > cmd > ping 192.168.1.33

What Could Go Wrong?

If you see the [info] or [error] log message shown below, check the ZyWALL/USG Phase 1 settings.
If Phase 1 (the IKE SA) completes but you still get the [info] log message shown below, check the ZyWALL/USG Phase 2 settings. The ZyWALL/USG units at HQ and at the Branch must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IPSec SA.
MONITOR >...
How to Configure Site-to-site IPSec VPN Where the Peer has a Dynamic IP Address

This example shows how to use the VPN Setup Wizard to create a site-to-site VPN where the peer has a dynamic IP address. It walks through the configuration at each site.
Quick Setup > VPN Setup Wizard > Welcome
Choose Express to create a VPN rule with the default Phase 1 and Phase 2 settings and a pre-shared key as the authentication method. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type
Type the Rule Name used to identify this VPN connection (and VPN gateway).
Type a secure Pre-Shared Key (8-32 characters). Then set Local Policy to the IP address range of the network connected to this ZyWALL/USG and Remote Policy to the IP address range of the network connected to the peer ZyWALL/USG.
Quick Setup >...
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Summary)
The rule is now configured on the ZyWALL/USG. The Phase 1 settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 settings appear in the VPN >...
CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type

Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch has a Dynamic IP Address)

In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a Site-to-site VPN rule.
Choose Express to create a VPN rule with the default Phase 1 and Phase 2 settings and a pre-shared key. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type
Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters.
Configure the Secure Gateway IP as the peer ZyWALL/USG WAN IP address (172.101.30.68 in the example). Type a secure Pre-Shared Key (8-32 characters). Set Local Policy to the range of local IP addresses behind this ZyWALL/USG that may use the tunnel and Remote Policy to the range of local IP addresses behind the peer ZyWALL/USG that may use the tunnel.
The rule is now configured on the ZyWALL/USG. The Phase 1 settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.
Quick Setup >...
CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type

Test the IPSec VPN Tunnel

With a dynamic peer, the tunnel can only be initiated from the site that has the dynamic IP address; the other site cannot initiate because it does not know the peer's address until the peer connects. On the dynamic site, go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar.
PC at HQ Office > Windows 7 > cmd > ping 192.168.10.33
PC at Branch Office > Windows 7 > cmd > ping 192.168.1.33

What Could Go Wrong?

If you see the [info] or [error] log message shown below, check the ZyWALL/USG Phase 1 settings.
If Phase 1 (the IKE SA) completes but you still get the [info] log message shown below, check the ZyWALL/USG Phase 2 settings. The ZyWALL/USG units at HQ and at the Branch must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IPSec SA.
MONITOR >...
How to Configure IPSec Site to Site VPN while one Site is behind a NAT router

This example shows how to use the VPN Setup Wizard to create an IPSec site-to-site VPN tunnel between two ZyWALL/USG devices when one site is behind a NAT router. It walks through the configuration at each site.
Choose Express to create a VPN rule with the default Phase 1 and Phase 2 settings and a pre-shared key as the authentication method. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type
Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters.
Configure the Secure Gateway IP as the Branch WAN IP address (172.100.30.40 in the example). Then type a secure Pre-Shared Key (8-32 characters). Set Local Policy to the IP address range of the network connected to the ZyWALL/USG (HQ) and Remote Policy to the IP address range of the network connected to the ZyWALL/USG (Branch).
The rule is now configured on the ZyWALL/USG. The Phase 1 settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.

Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch)

In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule for the peer ZyWALL/USG at HQ.
Quick Setup > VPN Setup Wizard > Wizard Type
Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters; the value is case-sensitive. Select Site-to-site as the rule type. Click Next.
Quick Setup >...
This screen provides a read-only summary of the VPN tunnel. Click Save.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)
The rule is now configured on the ZyWALL/USG. The Phase 1 settings appear in the VPN >...
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity content sent by the remote IPSec router.
CONFIGURATION >...
the User-Defined Original IP field and type the translated destination IP address that this NAT rule supports.
CONFIGURATION > Network > NAT > Add
Go to CONFIGURATION > Security Policy > Policy Control. IP forwarding must be enabled at the firewall for the following IP protocols and UDP ports: IP protocol = 50 →...
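The list of protocols and ports above is the usual place a tunnel through a NAT router fails: IKE is forwarded but ESP (IP protocol 50) is not, or the UDP 4500 that IKE switches to once NAT is detected goes nowhere. The script below is an added example (not from the Zyxel handbook); it encodes which flows the router in front of the ZyWALL/USG has to forward and checks a set of constructed forwarding rules against them. The rule and address records are constructed for the example; the protocol numbers and ports are the standard ones.

```python
"""Which flows a NAT router in front of a ZyWALL/USG must forward for a
site-to-site IPSec tunnel, and whether a given rule set does so.

Added example, not from the Zyxel handbook.  ROUTER_RULES and the private
addresses are constructed.  ESP is IP protocol 50, AH is IP protocol 51,
IKE uses UDP 500 and IKE NAT traversal (NAT-T) uses UDP 4500.
"""
from typing import NamedTuple, Optional

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
IKE_PORT, NAT_T_PORT = 500, 4500


class Flow(NamedTuple):
    label: str
    proto: int
    dport: Optional[int]    # UDP destination port; None for ESP/AH


class NatRule(NamedTuple):
    proto: int
    dport: Optional[int]    # None matches any port (and non-UDP protocols)
    forward_to: str         # private address the router forwards the flow to


def required_flows(nat_t=True):
    """IKE on UDP 500 and ESP must always get through.  When either peer is
    behind NAT the IKE peers detect it (NAT-D payloads) and move both IKE and
    the ESP payload into UDP 4500, so that port has to be forwarded too.
    AH is deliberately absent: its integrity check covers the IP addresses,
    so it cannot survive address translation at all."""
    flows = [Flow("IKE", IPPROTO_UDP, IKE_PORT), Flow("ESP", IPPROTO_ESP, None)]
    if nat_t:
        flows.append(Flow("IKE-NAT-T", IPPROTO_UDP, NAT_T_PORT))
    return flows


def forwarded(rules, flow, zywall_ip):
    """True if some rule sends this flow to the ZyWALL/USG's private address."""
    return any(r.proto == flow.proto
               and (r.dport is None or r.dport == flow.dport)
               and r.forward_to == zywall_ip
               for r in rules)


def missing_forwards(rules, zywall_ip, nat_t=True):
    """Labels of required flows the router does not forward to the ZyWALL/USG."""
    return [f.label for f in required_flows(nat_t)
            if not forwarded(rules, f, zywall_ip)]


# Constructed: the router forwards IKE and ESP correctly, but UDP 4500 was
# pointed at a different host, so NAT-T will silently fail.
ZYWALL_PRIVATE_IP = "192.168.0.2"
ROUTER_RULES = [
    NatRule(IPPROTO_UDP, IKE_PORT, ZYWALL_PRIVATE_IP),
    NatRule(IPPROTO_ESP, None, ZYWALL_PRIVATE_IP),
    NatRule(IPPROTO_UDP, NAT_T_PORT, "192.168.0.50"),
]

if __name__ == "__main__":
    print(missing_forwards(ROUTER_RULES, ZYWALL_PRIVATE_IP))   # ['IKE-NAT-T']
```

Run it with the rule set exported from the NAT router filled in; anything it lists is a flow to add to the router's port-forwarding table and to the Policy Control rules on the ZyWALL/USG before looking at IKE logs.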
Test the IPSec VPN Tunnel

Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the tunnel is up.
CONFIGURATION > VPN > IPSec VPN > VPN Connection
Go to ZyWALL/USG MONITOR >...
To test whether the tunnel is passing traffic, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access (via the IPSec devices).
PC behind ZyWALL/USG (HQ) > Windows 7 > cmd > ping 192.168.20.33
PC behind ZyWALL/USG (Branch) >...
MONITOR > Log
If Phase 1 (the IKE SA) completes but you still get the [info] log message shown below, check the ZyWALL/USG Phase 2 settings. The ZyWALL/USG units at HQ and at the Branch must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IPSec SA.
www.zyxel.com How to Configure Hub-and-Spoke IPSec VPN This is an example of a hub-and-spoke VPN with the HQ ZyWALL/USG as the hub and spoke VPNs to Branches A and B. When the VPN tunnel is configured, traffic passes between branches via the hub (HQ). Traffic can also pass between spoke-and-spoke through the hub.
www.zyxel.com Set Up the IPSec VPN Tunnel on the ZyWALL/USG by Using VPN Concentrator Hub_HQ-to-Branch_A In the ZyWALL/USG, go to CONFIGURATION >Quick Setup > VPN Setup Wizard, use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG.
Page 98
www.zyxel.com Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) 98/749...
Page 99
www.zyxel.com Then, configure the Secure Gateway IP as the Branch A’s Gateway IP address (in the example, 172.16.20.1). Type a secure Pre-Shared Key (8-32 characters) which must match your Branch A’s Pre-Shared Key. Set Local Policy to be the IP address range of the network connected to the Hub_HQ and Remote Policy to be the IP address range of the network connected to the Branch A.
Page 100
www.zyxel.com Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard. Quick Setup >...
www.zyxel.com Hub_HQ-to-Branch_B In the ZyWALL/USG, go to CONFIGURATION >Quick Setup > VPN Setup Wizard, use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG. Click Next. Quick Setup > VPN Setup Wizard > Welcome Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and use a pre-shared key to be the authentication method.
Page 102
www.zyxel.com Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Then, configure the Secure Gateway IP as the Branch B’s Gateway IP address (in the example, 172.16.30.1).
Page 103
www.zyxel.com This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Summary) 103/749...
www.zyxel.com Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard. Quick Setup >...
www.zyxel.com Spoke_Branch_A In the ZyWALL/USG, go to CONFIGURATION >Quick Setup > VPN Setup Wizard, use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG. Click Next. Quick Setup > VPN Setup Wizard > Welcome Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and use a pre-shared key to be the authentication method.
Page 107
www.zyxel.com Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Then, configure the Secure Gateway IP as the Hub_HQ’s Gateway IP address (in the example, 172.16.10.1).
Page 108
www.zyxel.com This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Summary) 108/749...
Page 109
www.zyxel.com Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard. Quick Setup >...
Spoke_Branch_B
In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG. Click Next.
Quick Setup > VPN Setup Wizard > Welcome
Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and a pre-shared key as the authentication method.
Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Then, configure the Secure Gateway IP as the Hub_HQ’s Gateway IP address (in the example, 172.16.10.1).
This screen provides a read-only summary of the VPN tunnel. Click Save.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Summary)
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.
Quick Setup >...
Test the IPSec VPN Tunnel
Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected.
Hub_HQ > CONFIGURATION > VPN > IPSec VPN > VPN Connection
Spoke_Branch_A >...
Spoke_Branch_B > MONITOR > VPN Monitor > IPSec
What Could Go Wrong?
If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 Settings. All ZyWALL/USG units must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
If the Phase 1 IKE SA process is done but you still get an [info] log message as below, check the ZyWALL/USG and SonicWALL Phase 2 Settings. All ZyWALL/USG units must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA. Make sure that all ZyWALL/USG units’...
Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select the scenario Site-to-site and the VPN Gateway configured in Step 1.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway
Click Create new Object on the upper bar to add the address range covering the local networks behind Hub_HQ and Branch_B, and the address of the local network behind Branch A.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object
Set Local Policy to the newly created HQ-to-Branch_A and Remote Policy to the newly created Branch_A.
Hub_HQ-to-Branch_B
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then, configure the Secure Gateway IP as Branch B’s Gateway IP address (in the example, 172.16.30.1).
Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select the scenario Site-to-site and the VPN Gateway configured in Step 1.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway
Click Create new Object on the upper bar to add the address range covering the local networks behind Hub_HQ and Branch_A, and the address of the local network behind Branch B.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object
Set Local Policy to the newly created HQ-to-Branch_B and Remote Policy to the newly created Branch_B.
Spoke_Branch_A
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then, configure the Secure Gateway IP as the Hub_HQ’s Gateway IP address (in the example, 172.16.10.1). Type a secure Pre-Shared Key (8-32 characters) which must match your Hub_HQ’s Pre-Shared Key and click OK.
Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select the scenario Site-to-site and the VPN Gateway configured in Step 1.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway
Click Create new Object on the upper bar to add the address of the local network behind Branch A and the address range covering the local networks behind Hub_HQ and Branch_B.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object
Set Local Policy to the newly created Branch_A and Remote Policy to the newly created HQ-to-Branch_B.
Spoke_Branch_B
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then, configure the Secure Gateway IP as the Hub_HQ’s Gateway IP address (in the example, 172.16.10.1). Type a secure Pre-Shared Key (8-32 characters) which must match your Hub_HQ’s Pre-Shared Key and click OK.
Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select the scenario Site-to-site and the VPN Gateway configured in Step 1.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway
Click Create new Object on the upper bar to add the address of the local network behind Branch B and the address range covering the local networks behind Hub_HQ and Branch_A.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object
Set Local Policy to the newly created Branch_B and Remote Policy to the newly created HQ-to-Branch_A.
Test the IPSec VPN Tunnel
Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected.
Hub_HQ > CONFIGURATION > VPN > IPSec VPN > VPN Connection
Spoke_Branch_A >...
Spoke_Branch_B > MONITOR > VPN Monitor > IPSec
What Could Go Wrong?
If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 Settings. All ZyWALL/USG units must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
If the Phase 1 IKE SA process is done but you still get an [info] log message as below, check the ZyWALL/USG and SonicWALL Phase 2 Settings. All ZyWALL/USG units must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA.
How to Use Dual-WAN to Perform Fail-Over on VPN Using the VPN Concentrator
This is an example of using Dual-WAN to perform fail-over on a hub-and-spoke VPN with the HQ ZyWALL/USG as the hub and spoke VPNs to Branches A and B. When the VPN tunnel is configured, traffic passes between branches via the hub (HQ).
Set Up the IPSec VPN Tunnel on the ZyWALL/USG
Hub_HQ-to-Branch_A
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then, configure the Primary Gateway IP as Branch A’s wan1 IP address (in the example, 172.16.20.1) and the Secondary Gateway IP as Branch A’s wan2 IP address (in the example, 172.100.120.1).
Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select the scenario Site-to-site and the VPN Gateway configured in Step 1.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway
Click Create new Object to add the address of the local network behind Hub_HQ and the address of the local network behind Branch A.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object
Set Local Policy to the newly created Hub_HQ and Remote Policy to the newly created Branch_A.
Hub_HQ-to-Branch_B
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then, configure the Primary Gateway IP as Branch B’s wan1 IP address (in the example, 172.16.30.1) and the Secondary Gateway IP as Branch B’s wan2 IP address (in the example, 172.100.130.1).
Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection to enable the VPN Connection. Select the scenario Site-to-site and the VPN Gateway configured in Step 1.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway
Click Create new Object to add the address of the local network behind Hub_HQ and the address of the local network behind Branch B.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object
Set Local Policy to the newly created Hub_HQ and Remote Policy to the newly created Branch_B.
Hub_HQ Concentrator
In the ZyWALL/USG, go to CONFIGURATION > VPN > IPSec VPN > Concentrator and add a VPN Concentrator rule. Select the VPN tunnels into the same member group and click Save.
Spoke_Branch_A
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then, configure the Primary Gateway IP as the Hub_HQ’s wan1 IP address (in the example, 172.16.10.1) and the Secondary Gateway IP as the Hub_HQ’s wan2 IP address (in the example, 172.100.110.1).
Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select the scenario Site-to-site and the VPN Gateway configured in Step 1.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway
Click Create new Object to add the address of the local network behind Branch A and the address of the local network behind Hub_HQ.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object
Set Local Policy to the newly created Spoke_Branch_A_LOCAL and Remote Policy to the newly created Hub_HQ.
Go to Network > Routing > Policy Route and add a Policy Route to allow traffic from Spoke_Branch_A to Spoke_Branch_B. Click Create new Object and set the address to the local network behind Spoke_Branch_B. Select the Source Address to be the local network behind Spoke_Branch_A.
Spoke_Branch_B
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then, configure the Primary Gateway IP as the Hub_HQ’s wan1 IP address (in the example, 172.16.10.1) and the Secondary Gateway IP as the Hub_HQ’s wan2 IP address (in the example, 172.100.110.1).
Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select the scenario Site-to-site and the VPN Gateway configured in Step 1.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway
Click Create new Object to add the address of the local network behind Branch B and the address of the local network behind Hub_HQ.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object
Set Local Policy to the newly created Spoke_Branch_B_LOCAL and Remote Policy to the newly created Hub_HQ.
Go to Network > Routing > Policy Route and add a Policy Route to allow traffic from Spoke_Branch_B to Spoke_Branch_A. Click Create new Object and set the address to the local network behind Spoke_Branch_A. Select the Source Address to be the local network behind Spoke_Branch_B.
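The dual-WAN hub-and-spoke procedure above has three parts that are easy to get wrong: the Primary/Secondary Gateway IP pair on each VPN Gateway, the Concentrator member group on the hub, and the spoke-to-spoke Policy Route on each spoke. The Python model below is an added example, not Zyxel code: it walks a packet from a Branch A host to a Branch B host through the hub, shows which gateway IP the spoke uses when the hub's wan1 stops answering, and shows that the path breaks when the policy route or the concentrator group is missing. The gateway addresses are the handbook's; the LAN subnets (192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24), the host addresses and the `reachable` set standing in for Dead Peer Detection results are constructed assumptions.

```python
# Added example (not Zyxel's code): a model of the dual-WAN hub-and-spoke design.
# Gateway IPs follow the handbook; LAN subnets and hosts are constructed.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Tunnel:
    """One VPN Connection: the peer's Primary/Secondary Gateway IPs and the
    Remote Policy (the subnet reachable through this tunnel)."""
    name: str
    primary_peer: str
    secondary_peer: str
    remote_policy: IPv4Network


@dataclass
class PolicyRoute:
    """Network > Routing > Policy Route: match source and destination, send to a tunnel."""
    source: IPv4Network
    destination: IPv4Network
    next_hop: str  # tunnel name


@dataclass
class Unit:
    name: str
    lan: IPv4Network
    wans: Tuple[str, str]  # (wan1, wan2) addresses of this unit
    tunnels: Dict[str, Tunnel] = field(default_factory=dict)
    policy_routes: List[PolicyRoute] = field(default_factory=list)
    concentrator: Set[str] = field(default_factory=set)  # tunnels in one member group


def select_peer(tunnel: Tunnel, reachable: Set[str]) -> Optional[str]:
    """Use the Primary Gateway IP while the peer's wan1 answers; otherwise fail
    over to the Secondary Gateway IP; None when neither answers."""
    for peer in (tunnel.primary_peer, tunnel.secondary_peer):
        if peer in reachable:
            return peer
    return None


def next_tunnel(unit: Unit, src: IPv4Address, dst: IPv4Address) -> Optional[str]:
    """Policy routes are consulted first (this is what lets a spoke reach the other
    spoke); otherwise the tunnel whose Remote Policy covers the destination is used."""
    for pr in unit.policy_routes:
        if src in pr.source and dst in pr.destination:
            return pr.next_hop
    for t in unit.tunnels.values():
        if dst in t.remote_policy:
            return t.name
    return None


def trace(units: Dict[str, Unit], start: str, src: str, dst: str,
          reachable: Set[str], max_hops: int = 4) -> Optional[List[Tuple[str, str, str]]]:
    """Follow a packet from `start` until the unit owning dst's LAN is reached.
    Returns [(unit, tunnel, peer_ip_used), ...] or None when the path is broken."""
    owner = {wan: u.name for u in units.values() for wan in u.wans}
    s, d = ip_address(src), ip_address(dst)
    current, path = units[start], []
    for _ in range(max_hops):
        if d in current.lan:
            return path
        tname = next_tunnel(current, s, d)
        if tname is None:
            return None
        # A hub forwards between two tunnels only if both are in its concentrator group.
        arrived_via = next((t.name for t in current.tunnels.values() if s in t.remote_policy), None)
        if arrived_via is not None and not {arrived_via, tname} <= current.concentrator:
            return None
        peer = select_peer(current.tunnels[tname], reachable)
        if peer is None:
            return None
        path.append((current.name, tname, peer))
        current = units[owner[peer]]
    return None


# Constructed topology with the handbook's example gateway addresses.
HUB = Unit("Hub_HQ", ip_network("192.168.10.0/24"), ("172.16.10.1", "172.100.110.1"))
HUB.tunnels = {
    "Hub_HQ-to-Branch_A": Tunnel("Hub_HQ-to-Branch_A", "172.16.20.1", "172.100.120.1", ip_network("192.168.20.0/24")),
    "Hub_HQ-to-Branch_B": Tunnel("Hub_HQ-to-Branch_B", "172.16.30.1", "172.100.130.1", ip_network("192.168.30.0/24")),
}
HUB.concentrator = set(HUB.tunnels)  # both tunnels in the same member group

A = Unit("Spoke_Branch_A", ip_network("192.168.20.0/24"), ("172.16.20.1", "172.100.120.1"))
A.tunnels = {"Spoke_Branch_A": Tunnel("Spoke_Branch_A", "172.16.10.1", "172.100.110.1", HUB.lan)}
A.policy_routes = [PolicyRoute(A.lan, ip_network("192.168.30.0/24"), "Spoke_Branch_A")]

B = Unit("Spoke_Branch_B", ip_network("192.168.30.0/24"), ("172.16.30.1", "172.100.130.1"))
B.tunnels = {"Spoke_Branch_B": Tunnel("Spoke_Branch_B", "172.16.10.1", "172.100.110.1", HUB.lan)}
B.policy_routes = [PolicyRoute(B.lan, A.lan, "Spoke_Branch_B")]

UNITS = {u.name: u for u in (HUB, A, B)}
ALL_UP = {w for u in UNITS.values() for w in u.wans}

if __name__ == "__main__":
    print(trace(UNITS, "Spoke_Branch_A", "192.168.20.5", "192.168.30.7", ALL_UP))
    print(trace(UNITS, "Spoke_Branch_A", "192.168.20.5", "192.168.30.7", ALL_UP - {"172.16.10.1"}))
```

With every WAN up, the packet leaves Branch A towards 172.16.10.1 and the hub relays it to 172.16.30.1; with the hub's wan1 removed from `reachable`, the first hop switches to 172.100.110.1 while the rest of the path is unchanged. Removing the policy route from Branch A, or emptying the hub's concentrator set, makes `trace` return None, which is the symptom an operator sees when one of those steps is skipped.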
Test the IPSec VPN Tunnel
Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected.
Hub_HQ > CONFIGURATION > VPN > IPSec VPN > VPN Connection
Spoke_Branch_A >...
Spoke_Branch_B > MONITOR > VPN Monitor > IPSec
What Could Go Wrong?
If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 Settings. All ZyWALL/USG units must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
If the Phase 1 IKE SA process is done but you still get an [info] log message as below, check the ZyWALL/USG Phase 2 Settings. All ZyWALL/USG units must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA.
How to Configure IPSec VPN with ZyWALL IPSec VPN Client
This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and a ZyWALL IPSec VPN Client. The example instructs how to configure the VPN tunnel between each site.
Set Up the ZyWALL/USG IPSec VPN Tunnel
In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings for Configuration Provisioning wizard to create a VPN rule that can be used with the ZyWALL IPSec VPN Client. Click Next.
Quick Setup >...
Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Click Next.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings-1
Type a secure Pre-Shared Key (8-32 characters).
This screen provides a read-only summary of the VPN tunnel. Click Save.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings-3
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
Go to CONFIGURATION > Object > User/Group > Add A User and create a user account for the ZyWALL IPSec VPN Client user.
CONFIGURATION > Object > User/Group > Add A User
Go to CONFIGURATION > VPN > IPSec VPN > Configuration Provisioning. In the General Settings section, select Enable Configuration Provisioning.
Set Up the ZyWALL IPSec VPN Client
Download the ZyWALL IPSec VPN Client software from the ZyXEL Download Library: http://www.zyxel.com/support/download_landing.shtml
Open the ZyWALL IPSec VPN Client and select CONFIGURATION > Get from Server.
CONFIGURATION > Get from Server
Enter the WAN IP address or URL of the ZyWALL/USG in Gateway Address. If you changed the default HTTPS Port on the ZyWALL/USG, enter the new one here.
CONFIGURATION > Get from Server > Step 2: Processing
Then, you will see the Configuration successful page; click OK to exit the wizard.
CONFIGURATION > Get from Server > Configuration successful
Go to VPN Configuration > IKEv1, right-click WIZ_VPN_PROVISIONING and select Open tunnel. You will see Tunnel opened on the bottom right of the screen.
Test the IPSec VPN Tunnel
Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the interface is connected.
CONFIGURATION > VPN > IPSec VPN > VPN Connection
Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and Inbound(Bytes)/Outbound(Bytes) Traffic.
To test whether or not a tunnel is working, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access (via the IPSec devices).
PC with ZyWALL IPSec VPN Client installed > Windows 7 > cmd > ping 192.168.1.33
PC behind ZyWALL/USG >...
and ZyWALL IPSec VPN Client use the same Pre-Shared Key to establish the IKE SA.
MONITOR > Log
If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 Settings. The ZyWALL/USG and ZyWALL IPSec VPN Client must use the same Encryption, Authentication method, DH key group and ID Type/Content to establish the IKE SA.
Make sure the HTTPS service port used by the IPSec VPN Client application is available. Make sure the To-ZyWALL security policies allow IPSec VPN traffic to the ZyWALL/USG. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.
How to Configure Site-to-site IPSec VPN with FortiGate
This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and a FortiGate router. The example instructs how to configure the VPN tunnel between each site.
Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and a pre-shared key as the authentication method. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type
Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Configure the Secure Gateway IP as the FortiGate’s WAN IP address (in the example, 172.100.30.40).
This screen provides a read-only summary of the VPN tunnel. Click Save.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings. Configure Authentication > Peer ID Type as Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router.
CONFIGURATION >...
Type the Name used to identify this VPN connection and configure the Remote Gateway IP as the peer ZyWALL/USG’s WAN IP address. Select the Interface which is connected to the Internet.
VPN > IPsec > Wizard > Custom VPN Tunnel (No Template) > Network
Go to the Authentication section, enter the Pre-shared Key and choose the same negotiation Mode as the peer ZyWALL/USG’s.
VPN > IPsec > Wizard > Custom VPN Tunnel (No Template) > Authentication
Configure Phase 1 Proposal and Diffie-Hellman Group as the peer ZyWALL/USG Advanced Settings’...
Go to Phase 2 Selectors > Advanced and configure Phase 2 Proposal as the peer ZyWALL/USG Advanced Settings’ Phase 2 Settings > Proposal. Set Local Address to the IP address range of the network connected to the FortiGate and Remote Address to the IP address range of the network connected to the ZyWALL/USG.
This screen provides a summary of the VPN tunnel. Click OK to exit the configuration page.
VPN > IPsec > Wizard > Custom VPN Tunnel (No Template)
Test the IPSec VPN Tunnel
Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected.
CONFIGURATION > VPN > IPSec VPN > VPN Connection
Go to ZyWALL/USG MONITOR >...
To test whether or not a tunnel is working, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access (via the IPSec devices).
PC behind ZyWALL/USG > Windows 7 > cmd > ping 192.168.2.33
PC behind FortiGate>...
If the Phase 1 IKE SA process is done but you still get the [info] log message below, check the ZyWALL/USG and FortiGate Phase 2 Settings. Both ZyWALL/USG and FortiGate must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA.
MONITOR >...
How to Configure Site-to-site IPSec VPN with WatchGuard
This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and a WatchGuard router. The example instructs how to configure the VPN tunnel between each site. When the VPN tunnel is configured, each site can be accessed securely.
Set Up the IPSec VPN Tunnel on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the WatchGuard. Click Next.
Quick Setup >...
Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Configure the Secure Gateway IP as the WatchGuard’s WAN IP address (in the example, 172.100.30.63).
This screen provides a read-only summary of the VPN tunnel. Click Save.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings. Configure Authentication > Local ID Type as IPv4 and set the Content to your ZyWALL/USG’s WAN IP Address (in the example, 172.101.30.73). Then, configure Authentication > Remote ID Type as IPv4 and set the Content to your WatchGuard’s External IP Address (in the example, 172.100.30.63).
In the WatchGuard, go to VPN > Branch Office VPN > Gateway > General Settings, create a Site-to-site VPN Gateway Name and set a secure Pre-Shared Key.
VPN > Branch Office VPN > Gateway > General Settings > Credential Method
To add a Gateway Endpoint, click Add.
VPN >...
The new Gateway Endpoint dialog box appears. Configure your Local Gateway identity as the WatchGuard’s External IP Address (in the example, 172.100.30.63) and the Remote Gateway identity as your ZyWALL/USG’s WAN IP Address (in the example, 172.101.30.73). Click OK.
VPN > Branch Office VPN > Gateway > General Settings > Gateway Endpoints
Then, go to VPN > Branch Office VPN > Gateway > Phase 1 Settings and select the same negotiation Mode as your ZyWALL/USG’s Phase 1 Settings. Make sure you enable both the NAT Traversal and Dead Peer Detection options if both options are enabled in the ZyWALL/USG.
Then, go to VPN > Branch Office VPN > Tunnel to add Tunnel Route Settings. In the Local IP section, set the Network IP to the IP address range of the network connected to the WatchGuard. In the Remote IP section, set the Network IP to the IP address range of the network connected to the ZyWALL/USG.
Go to VPN > Branch Office VPN > Tunnel > Phase 2 Settings to create a Tunnel Name. Then, select the Gateway. Make sure you enable Perfect Forward Secrecy and select Diffie-Hellman Group 2. Then, scroll down to Phase 2 Proposals and add the encryption types to match your ZyWALL/USG’s VPN Connection >...
Test the IPSec VPN Tunnel
Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected.
CONFIGURATION > VPN > IPSec VPN > VPN Connection
Go to ZyWALL/USG MONITOR >...
Go to WatchGuard System Status > VPN Statistics > Branch Office VPN and check that the tunnel Status is up and that Bytes In (Incoming Data) and Bytes Out (Outgoing Data) are counting.
System Status > VPN Statistics > Branch Office
To test whether or not a tunnel is working, ping from a computer at one site to a computer at the other.
What Could Go Wrong?
If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 Settings. Both ZyWALL/USG and WatchGuard must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
MONITOR >...
Make sure that both the ZyWALL/USG and WatchGuard security policies allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. NAT traversal is enabled by default on the ZyWALL/USG; make sure the remote IPSec device also has NAT traversal enabled.
How to Configure Site-to-site IPSec VPN with Cisco
This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and a Cisco router. The example instructs how to configure the VPN tunnel between each site. When the VPN tunnel is configured, each site can be accessed securely.
Set Up the IPSec VPN Tunnel on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the Cisco. Click Next.
Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Then, configure the Secure Gateway IP as the Cisco’s Gateway IP address (in the example, 172.100.30.80);...
Continue to Phase 2 Settings to select the desired Encapsulation, Encryption, Authentication, and Perfect Forward Secrecy (PFS) settings. Set Local Policy to the IP address range of the network connected to the ZyWALL/USG and Remote Policy to the IP address range of the network connected to the Cisco.
This screen provides a read-only summary of the VPN tunnel. Click Save.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.
Quick Setup >...
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings. Configure Authentication > Peer ID Type as Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router.
CONFIGURATION >...
Go to VPN > Site-to-site > IKE Policies and click Add to create a new IKE Policy Name. Then, select Encryption, Hash, Pre-shared Key and D-H Group to match your ZyWALL/USG’s VPN Gateway > Phase 1 Settings. Set Lifetime to 24 hours, click OK, then click Save to exit the IKE Policies page.
Go to VPN > Site-to-site > Transform Sets and click Add to create a new Transform Set name. Then, select Integrity and Encryption to match your ZyWALL/USG’s VPN Connection > Phase 2 Settings. Click OK and click Save to exit the Transform Sets page.
address range of the network connected to the ZyWALL/USG (Address Object created in Step 1)
VPN > Site-to-site > IPsec Policies > Basic Settings
Then, go to Advanced Settings and enable PFS and DPD if both options are enabled in the ZyWALL/USG.
Test the IPSec VPN Tunnel
Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected.
CONFIGURATION > VPN > IPSec VPN > VPN Connection
Go to ZyWALL/USG MONITOR >...
To test whether a tunnel is working, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access (via the IPSec devices).
PC behind ZyWALL/USG > Windows 7 > cmd > ping 192.168.75.33
PC behind Cisco>...
What Could Go Wrong?
If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 Settings. Both ZyWALL/USG and Cisco must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
MONITOR >...
How to Configure Site-to-site IPSec VPN with a SonicWALL router
This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and a SonicWALL router. The example instructs how to configure the VPN tunnel between each site. When the VPN tunnel is configured, each site can be accessed securely.
Set Up the IPSec VPN Tunnel on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the SonicWALL. Click Next.
Quick Setup >...
Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Then, configure the Secure Gateway IP as the SonicWALL’s Gateway IP address (in the example, 172.100.20.23);...
Continue to Phase 2 Settings to select the desired Encapsulation, Encryption, Authentication, and SA Life Time settings. Set Local Policy to the IP address range of the network connected to the ZyWALL/USG and Remote Policy to the IP address range of the network connected to the SonicWALL.
This screen provides a read-only summary of the VPN tunnel. Click Save.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)
Note: The Phase 1 and Phase 2 settings established here must match the Phase 1 and Phase 2 settings configured later in the SonicWALL.
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.
Quick Setup >...
Go to VPN Gateway > Show Advanced Settings > Authentication and configure your Local ID Type and Peer ID Type to match your SonicWALL’s VPN > Settings > VPN Policies > General > IKE Authentication > Local IKE ID and Peer IKE ID.
VPN Gateway >...
Set Up the IPSec VPN Tunnel on the SonicWALL
In the SonicWALL VPN > Settings > VPN Policies, click Add to create a new VPN policy. Select the Policy Type Site to Site and the Authentication Method IKE using Preshared Secret.
In the SonicWALL VPN > Settings > VPN Policies > Network, choose Local Network to be the IP address range of the network connected to the SonicWALL (found under SonicWALL > Network > Interfaces > LAN). Go to Remote Network and create a new address for the IP address range of the network connected to the ZyWALL/USG.
In the SonicWALL VPN > Settings > VPN Policies > Proposals > IKE (Phase 1) Proposal, set Exchange, DH Group, Encryption and Authentication to match your ZyWALL/USG’s VPN Gateway > Show Advanced Settings > Phase 1 Settings. Go to IKE (Phase 2) Proposal and set the Protocol, Encryption and Authentication to match your ZyWALL/USG’s VPN Connection >...
Select Enable VPN and click Refresh Active.
VPN > Settings > VPN Global Settings
Test the IPSec VPN Tunnel
Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected.
CONFIGURATION > VPN > IPSec VPN > VPN Connection
Go to ZyWALL/USG MONITOR >...
To test whether a tunnel is working, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access (via the IPSec devices).
PC behind ZyWALL/USG > Windows 7 > cmd > ping 192.168.168.33
PC behind SonicWALL>...
What Could Go Wrong?
If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 Settings. Both ZyWALL/USG and SonicWALL must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
MONITOR >...
MONITOR > Log
Make sure that both the ZyWALL/USG and SonicWALL security policies allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. NAT traversal is enabled by default on the ZyWALL/USG; make sure the remote IPSec device also has NAT traversal enabled.
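Every What Could Go Wrong? section above (hub-and-spoke, ZyWALL IPSec VPN Client, FortiGate, WatchGuard, Cisco and SonicWALL) makes the same two points: the IKE SA only forms when the Phase 1 parameters agree on every unit and the tunnel only carries traffic when the Phase 2 parameters agree as well, and the security policy in front of the ZyWALL/USG must pass IKE (UDP port 500), AH (IP protocol 51) or ESP (IP protocol 50), plus UDP port 4500 when NAT traversal is on. The Python below is an added example, not Zyxel code: it compares Phase 1 and Phase 2 settings across any number of units (a hub and its spokes, or a ZyWALL/USG and a third-party peer) and checks a top-down, first-match security policy for the rules those sections ask for. The configurations, the policy and the field names are constructed shorthand for the handbook's settings, not ZyWALL/USG CLI keywords; that NAT-T runs on UDP 4500 is standard IKE behaviour and is not stated on the page.

```python
# Added example (not Zyxel's code): two checks behind the "What Could Go Wrong?"
# advice. All configuration values and the policy below are constructed.
from typing import Dict, List, Optional, Tuple

# Settings the handbook says must match for the IKE SA (Phase 1) and for the
# tunnel itself (Phase 2). Field names are this example's shorthand.
PHASE1_FIELDS = ("pre_shared_key", "encryption", "authentication", "dh_group", "id_type")
PHASE2_FIELDS = ("protocol", "encapsulation", "encryption", "authentication", "pfs")


def find_mismatches(units: Dict[str, dict], phase: str) -> List[Tuple[str, Dict[str, object]]]:
    """Compare one phase's settings across every unit (two peers, or a hub and all
    its spokes). Returns (field, {unit: value}) for each field that differs anywhere.
    In real tooling compare a fingerprint of the pre-shared key, not the key itself."""
    fields = PHASE1_FIELDS if phase == "phase1" else PHASE2_FIELDS
    mismatches = []
    for f in fields:
        values = {name: cfg.get(phase, {}).get(f) for name, cfg in units.items()}
        if len(set(values.values())) > 1:
            mismatches.append((f, values))
    return mismatches


def diagnose(units: Dict[str, dict], phase1_done: bool) -> List[Tuple[str, Dict[str, object]]]:
    """The handbook's rule of thumb: IKE SA not established -> compare Phase 1;
    Phase 1 done but the tunnel still fails -> compare Phase 2."""
    return find_mismatches(units, "phase2" if phase1_done else "phase1")


def required_rules(phase2_protocol: str, nat_traversal: bool = True) -> List[Tuple[str, Optional[int], str]]:
    """Traffic the security policy must permit towards the ZyWALL/USG: IKE on UDP/500,
    UDP/4500 when NAT traversal is on (the ZyWALL/USG default), and AH (IP protocol 51)
    or ESP (IP protocol 50) depending on the Phase 2 protocol."""
    rules = [("udp", 500, "IKE UDP/500")]
    if nat_traversal:
        rules.append(("udp", 4500, "NAT-T UDP/4500"))
    if phase2_protocol.lower() == "ah":
        rules.append(("ah", None, "AH IP/51"))
    else:
        rules.append(("esp", None, "ESP IP/50"))
    return rules


def policy_allows(policy: List[dict], proto: str, dport: Optional[int]) -> bool:
    """Top-down evaluation, first match wins, implicit deny at the end."""
    for rule in policy:
        if rule["proto"] in ("any", proto) and rule["dport"] in (None, dport):
            return rule["action"] == "allow"
    return False


def missing_policy_rules(policy: List[dict], phase2_protocol: str, nat_traversal: bool = True) -> List[str]:
    """Labels of the required flows the policy does not permit."""
    return [label for proto, dport, label in required_rules(phase2_protocol, nat_traversal)
            if not policy_allows(policy, proto, dport)]


# Constructed configurations: Spoke_Branch_B disagrees with the others on the DH group,
# and Spoke_Branch_A has PFS off while the others have it on.
def _cfg(dh_group: str, pfs: str) -> dict:
    return {
        "phase1": dict(pre_shared_key="example-psk-CHANGEME", encryption="AES256",
                       authentication="SHA256", dh_group=dh_group, id_type="IPv4"),
        "phase2": dict(protocol="ESP", encapsulation="Tunnel", encryption="AES256",
                       authentication="SHA256", pfs=pfs),
    }

UNITS = {"Hub_HQ": _cfg("DH2", "DH2"), "Spoke_Branch_A": _cfg("DH2", "None"), "Spoke_Branch_B": _cfg("DH5", "DH2")}

# Constructed security policy: IKE and ESP are permitted, UDP/4500 is not.
POLICY = [
    {"proto": "udp", "dport": 500, "action": "allow"},
    {"proto": "esp", "dport": None, "action": "allow"},
    {"proto": "any", "dport": None, "action": "deny"},
]

if __name__ == "__main__":
    print("Phase 1 mismatches:", find_mismatches(UNITS, "phase1"))
    print("Phase 2 mismatches:", find_mismatches(UNITS, "phase2"))
    print("Policy is missing:", missing_policy_rules(POLICY, "ESP"))
```

Run against the constructed data, the Phase 1 check names only `dh_group` (the handbook's "DH key group") with Spoke_Branch_B as the odd one out, the Phase 2 check names only `pfs` with Spoke_Branch_A as the odd one out, and the policy check reports that UDP/4500 is blocked, which matters as soon as either peer sits behind NAT.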
How to Configure IPSec VPN Failover

This example shows how to use the VPN Setup Wizard to create a site-to-site VPN with failover. The example shows how to configure the VPN tunnel between each site when one site has multiple WAN interfaces. When multi-WAN VPN failover is configured, IPSec VPN tunnels automatically fail over to a backup WAN interface if the primary WAN interface becomes unavailable.

Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ)

In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG.

Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)

Configure Secure Gateway IP as the peer ZyWALL/USG's WAN IP address (in the example, 172.100.30.54). Type a secure Pre-Shared Key (8-32 characters). Set Local Policy to the IP address range of the network connected to the ZyWALL/USG and Remote Policy to the IP address range of the network connected to the peer ZyWALL/USG.

Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.

CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type

Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch)

In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG.

Quick Setup > VPN Setup Wizard > Wizard Type

Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Click Next.

Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)

Configure Secure Gateway IP as the peer ZyWALL/USG's WAN IP address (in the example, 172.101.30.68).

Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration)

This screen provides a read-only summary of the VPN tunnel. Click Save.

Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)

Now the rule is configured on the ZyWALL/USG.

Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed

Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router.

Configuration > VPN > IPSec VPN > VPN Gateway > Gateway Settings

Set up the WAN Trunk (ZyWALL/USG_HQ)

Go to CONFIGURATION > Interface > Trunk > User Configuration > Add. Add wan1 and wan2 as trunk Members and set the wan2 Mode to Passive.

CONFIGURATION >...

Go to CONFIGURATION > Interface > Trunk > Configuration. Select Disconnect Connection before Falling Back. In the Default WAN Trunk, set User Configured Trunk to the customized WAN trunk added in the previous step (Multi_WAN_Failover in this example).

CONFIGURATION >...

CONFIGURATION > Security Policy > Policy Control > Add corresponding

If the Security Policy is created but you still cannot access the ZyWALL, go to CONFIGURATION > System > SSH and check that Enable is selected under General Settings and that the Service Port is correct and the same as in your terminal program. Then check that the Service Control Action is Accept.

Enter the command line in terminal mode (using Tera Term in this example).

Tera Term command

Test the IPSec VPN Tunnel

Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected.

CONFIGURATION >...

What Could Go Wrong?

If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 Settings. Both ZyWALL/USG units at the HQ and Branch sites must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.

MONITOR >...

...the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA.

MONITOR > Log

Make sure that the security policies on both ZyWALL/USG units at the HQ and Branch sites allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. NAT traversal is enabled by default on the ZyWALL/USG; make sure the remote IPSec device also has NAT traversal enabled.
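The checks in the two troubleshooting sections above (the Phase 1 settings that must match before the IKE SA can form, then the Phase 2 settings) written out as an added Python audit of two peers' configurations; this is not from the Zyxel guide, and the field names, the value normalisation and the HQ/Branch sample values are constructed for the example.

```python
"""Added example, not part of the Zyxel guide: compare the Phase 1 and Phase 2
settings entered on two IPSec peers (ZyWALL/USG HQ and Branch, or a ZyWALL/USG
and a SonicWALL) and list every field that differs. Field names and the sample
values are constructed for this example."""

# Fields the guide says must match on both peers.
PHASE1_FIELDS = ("encryption", "authentication", "dh_group", "id_type")
PHASE2_FIELDS = ("protocol", "encapsulation", "encryption", "authentication", "pfs")
PSK_MIN, PSK_MAX = 8, 32  # Pre-Shared Key length the VPN Setup Wizard accepts


def _norm(value) -> str:
    # Vendors spell algorithm names differently (AES-256, aes256, AES256):
    # compare on letters and digits only, case-insensitively.
    return "".join(ch for ch in str(value).lower() if ch.isalnum())


def check_psk(local_psk: str, remote_psk: str) -> list:
    """Pre-shared keys are compared exactly; unlike algorithm names they are case-sensitive."""
    findings = []
    if not PSK_MIN <= len(local_psk) <= PSK_MAX:
        findings.append(f"pre-shared key length {len(local_psk)} outside {PSK_MIN}-{PSK_MAX}")
    if local_psk != remote_psk:
        findings.append("pre-shared key differs between peers")
    return findings


def compare_phase(local: dict, remote: dict, fields, label: str) -> list:
    """One finding per field whose normalised value differs between the peers."""
    return [
        f"{label} {field}: local={local.get(field)!r} remote={remote.get(field)!r}"
        for field in fields
        if _norm(local.get(field, "")) != _norm(remote.get(field, ""))
    ]


def audit_tunnel(local: dict, remote: dict) -> dict:
    """Group findings the way the guide's troubleshooting steps do: Phase 1 problems
    (the IKE SA never forms) separately from Phase 2 problems."""
    return {
        "phase1": check_psk(local["psk"], remote["psk"])
        + compare_phase(local["phase1"], remote["phase1"], PHASE1_FIELDS, "Phase 1"),
        "phase2": compare_phase(local["phase2"], remote["phase2"], PHASE2_FIELDS, "Phase 2"),
    }


# Constructed sample: the Branch admin chose AES-256 and PFS while HQ kept the wizard values.
HQ = {
    "psk": "zyx12345",
    "phase1": {"encryption": "AES128", "authentication": "SHA1", "dh_group": "DH2", "id_type": "IPv4"},
    "phase2": {"protocol": "ESP", "encapsulation": "Tunnel", "encryption": "AES128",
               "authentication": "SHA1", "pfs": "None"},
}
BRANCH = {
    "psk": "zyx12345",
    "phase1": {"encryption": "aes-256", "authentication": "sha1", "dh_group": "dh2", "id_type": "ipv4"},
    "phase2": {"protocol": "esp", "encapsulation": "tunnel", "encryption": "aes128",
               "authentication": "sha1", "pfs": "DH2"},
}

if __name__ == "__main__":
    for phase, findings in audit_tunnel(HQ, BRANCH).items():
        print(phase, findings or "OK")
```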
How to Configure L2TP over IPSec VPN while the ZyWALL/USG is behind a NAT router

This example shows how to use the VPN Setup Wizard to create an L2TP over IPSec VPN tunnel between ZyWALL/USG devices. The example shows how to configure the VPN tunnel between each site while the ZyWALL/USG is behind a NAT router.

Set Up the L2TP VPN Tunnel on the ZyWALL/USG_HQ

In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings for L2TP VPN Settings wizard to create an L2TP VPN rule that can be used with the remote Android Mobile Devices. Click Next.

Quick Setup >...

Assign the remote users an IP address range from 192.168.10.10 to 192.168.10.20 for use in the L2TP VPN tunnel and check Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet. Click Next.

Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (L2TP VPN Settings)

This screen provides a read-only summary of the VPN tunnel.

Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN > L2TP VPN screen. Click Close to exit the wizard.

Quick Setup > VPN Setup Wizard > Welcome > VPN Settings > Wizard Completed

Go to CONFIGURATION >...

Go to CONFIGURATION > VPN Connection > Policy > Local Policy and set it to the NAT router's WAN IP address (in the example, 172.100.20.30).

CONFIGURATION > VPN Connection > Policy > Local Policy

Go to CONFIGURATION > VPN > L2TP VPN > Create new Object > User to add a User Name and Password (4-24 characters).

Set Up the NAT Router (Using a ZyWALL USG device in this example)

Go to CONFIGURATION > Network > NAT > Add. Select the Incoming Interface on which packets for the NAT rule must be received. Fill in the User-Defined Original IP field and type the translated destination IP address that this NAT rule supports.

CONFIGURATION > Network > NAT > Add

Go to CONFIGURATION > Object > Address > Add and create an address object for the ZyWALL/USG_HQ's WAN IP address (in the example, 192.168.1.33).

CONFIGURATION > Object > Address

Go to CONFIGURATION > Object > Service > Service Group and create a service group for the following UDP ports: UDP Port Number = 1701 →...

Go to CONFIGURATION > Security Policy > Policy Control and add a corresponding rule to allow the L2TP services.

CONFIGURATION > Security Policy > Policy Control
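A pre-flight check for the behind-NAT layout set up above (Local Policy on the ZyWALL/USG_HQ, port forwarding and security policy on the NAT router), as an added Python example that is not part of the Zyxel guide; the simplified rule classes and sample rules are constructed, UDP 1701 is the port the guide's service group lists, and UDP 500 (IKE) and UDP 4500 (IPSec NAT traversal) are added here from the IPSec standards rather than from the page.

```python
"""Added example, not part of the Zyxel guide: a pre-flight check for the
"ZyWALL/USG behind a NAT router" L2TP over IPSec layout. The rule classes and
sample rules are constructed. UDP 1701 (L2TP) comes from the guide's service
group; UDP 500 (IKE) and UDP 4500 (IPSec NAT traversal) are added here because
the IPSec peers need them too."""

from dataclasses import dataclass

NAT_WAN_IP = "172.100.20.30"  # NAT router's public WAN address (guide's example value)
HQ_WAN_IP = "192.168.1.33"    # ZyWALL/USG_HQ WAN address behind the NAT (guide's example value)

# UDP ports the NAT router must forward to the ZyWALL/USG_HQ and its policy must allow.
REQUIRED_UDP_PORTS = {500: "IKE", 4500: "IPSec NAT traversal", 1701: "L2TP"}


@dataclass(frozen=True)
class NatRule:
    """One CONFIGURATION > Network > NAT entry on the NAT router (simplified model)."""
    incoming_interface: str
    original_ip: str   # User-Defined Original IP: the NAT router's WAN address
    mapped_ip: str     # translated destination: the ZyWALL/USG_HQ WAN address
    protocol: str      # "udp" or "tcp"
    ports: frozenset   # destination ports covered by this rule


@dataclass(frozen=True)
class PolicyRule:
    """One Security Policy > Policy Control entry (simplified model); first match wins."""
    from_zone: str
    to_zone: str
    protocol: str
    ports: frozenset
    action: str        # "allow" or "deny"


def check_nat(rules, wan_ip=NAT_WAN_IP, hq_ip=HQ_WAN_IP):
    """One finding per required UDP port that no rule forwards from wan_ip to hq_ip."""
    findings = []
    for port, name in REQUIRED_UDP_PORTS.items():
        forwarded = any(
            r.original_ip == wan_ip and r.mapped_ip == hq_ip
            and r.protocol.lower() == "udp" and port in r.ports
            for r in rules
        )
        if not forwarded:
            findings.append(f"NAT: UDP {port} ({name}) is not forwarded to {hq_ip}")
    return findings


def check_policy(rules, from_zone="WAN", to_zone="LAN1"):
    """Walk the ordered policy list for each required port; no matching rule means deny."""
    findings = []
    for port, name in REQUIRED_UDP_PORTS.items():
        verdict = "deny"
        for r in rules:
            if (r.from_zone, r.to_zone, r.protocol.lower()) == (from_zone, to_zone, "udp") \
                    and port in r.ports:
                verdict = r.action.lower()
                break
        if verdict != "allow":
            findings.append(f"Security Policy: UDP {port} ({name}) {from_zone} to {to_zone} is {verdict}")
    return findings


def check_local_policy(vpn_local_policy, wan_ip=NAT_WAN_IP):
    """Clients dial the NAT router's public address, so the HQ VPN Connection's
    Local Policy must be that address rather than the ZyWALL/USG_HQ's own WAN IP."""
    if vpn_local_policy != wan_ip:
        return [f"Local Policy is {vpn_local_policy}; the guide sets it to the NAT WAN IP {wan_ip}"]
    return []


def preflight(nat_rules, policy_rules, vpn_local_policy):
    """All findings, in the order an operator would fix them."""
    return (check_local_policy(vpn_local_policy)
            + check_nat(nat_rules)
            + check_policy(policy_rules))


# Constructed sample: the NAT rule was built for 500 and 1701 only, so NAT traversal
# traffic on UDP 4500 never reaches the ZyWALL/USG_HQ although the policy allows it.
SAMPLE_NAT = [NatRule("wan1", NAT_WAN_IP, HQ_WAN_IP, "udp", frozenset({500, 1701}))]
SAMPLE_POLICY = [PolicyRule("WAN", "LAN1", "udp", frozenset({500, 4500, 1701}), "allow")]

if __name__ == "__main__":
    for finding in preflight(SAMPLE_NAT, SAMPLE_POLICY, NAT_WAN_IP) or ["all checks passed"]:
        print(finding)
```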
Test the L2TP over IPSec VPN Tunnel

Use a smartphone or a PC to establish an L2TP VPN connection to the ZyWALL/USG. Configure the NAT router's public IP address as the L2TP server address on the client. This example uses an iOS device to test the result. To configure L2TP VPN on an iOS 8.4 device, go to Menu >...

Set Secret to the Pre-Shared Key of the IPSec VPN gateway the ZyWALL/USG uses for L2TP VPN over IPSec (xyz12345 in this example). After you create a VPN configuration, slide the button right to the on position to initiate the L2TP VPN session.

Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected.

CONFIGURATION > VPN > IPSec VPN > VPN Connection

Go to ZyWALL/USG MONITOR > VPN Monitor > L2TP over IPSec and verify the Current L2TP Session.

Menu > Settings > VPN > ZyXEL_L2TP

What Could Go Wrong?

If you see an [alert] log message such as the one below, check the ZyWALL/USG L2TP Allowed User or User/Group Settings. iOS mobile users must use the same Username and Password as configured on the ZyWALL/USG to establish the L2TP VPN.

If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 Settings. iOS mobile users must use the same Secret as configured on the ZyWALL/USG to establish the IKE SA.

If you see that the Phase 1 IKE SA process has completed but still get an [info] log message like the one below, check the ZyWALL/USG Phase 2 Settings.
How to Configure L2TP VPN with Android 5.0 Mobile Devices

This example shows how to use the VPN Setup Wizard to create an L2TP VPN between a ZyWALL/USG and an Android 5.0 Mobile Device. The example shows how to configure the VPN tunnel between each site. When the VPN tunnel is configured, each site can be accessed securely and traffic from L2TP clients can be allowed to go to the Internet.

Set Up the L2TP VPN Tunnel on the ZyWALL/USG

In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings for L2TP VPN Settings wizard to create an L2TP VPN rule that can be used with the remote Android Mobile Devices.

Quick Setup > VPN Setup Wizard > Welcome > VPN Settings

Assign the remote users an IP address range from 192.168.10.10 to 192.168.10.20 for use in the L2TP VPN tunnel and check Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet. Click Next.

Quick Setup >...

Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (Summary)

Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN > L2TP VPN screen. Click Close to exit the wizard.

Quick Setup > VPN Setup Wizard > Welcome > VPN Settings > Wizard Completed

Go to CONFIGURATION >...

CONFIGURATION > VPN > L2TP VPN > Create new Object > User

If some of the traffic from the L2TP clients needs to go to the Internet, create a policy route to send traffic from the L2TP tunnels out through a WAN trunk. Set Incoming to Tunnel and select your L2TP VPN connection.

CONFIGURATION > Network > Routing > Policy Route

Set Up the L2TP VPN Tunnel on the Android Device

To configure L2TP VPN on an Android device, go to Menu > Settings > Wireless & Networks > VPN settings > Add VPN > Add L2TP/IPSec PSK VPN and configure as follows.

Set VPN server to the ZyWALL/USG's WAN IP address. Set IPSec pre-shared key to the pre-shared key of the IPSec VPN gateway the ZyWALL/USG uses for L2TP VPN over IPSec (zyx12345 in this example).

Leave Enable L2TP secret disabled (the default). If you need to use the internal DNS servers once the connection is made, turn on DNS search domains and enter the DNS server address here. Click Save. Click the VPN rule ZyXEL_L2TP to begin the VPN connection.

When dialing the L2TP VPN, the user has to enter a Username/Password. These are the same as the Allowed User created on the ZyWALL/USG (L2TP_Remote_Users/zyx168 in this example).

Test the L2TP over IPSec VPN Tunnel

Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the interface is connected.

CONFIGURATION > VPN > IPSec VPN > VPN Connection

Go to ZyWALL/USG MONITOR >...

Go to the Android mobile device's Menu > Settings > Wireless & Networks > VPN and verify the connection status.

Menu > Settings > Wireless & Networks > VPN

What Could Go Wrong?

If you see an [alert] log message such as the one below, check the ZyWALL/USG L2TP Allowed User or User/Group Settings. Android mobile users must use the same Username and Password as configured on the ZyWALL/USG to establish the L2TP VPN.

If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 Settings.

Make sure the ZyWALL/USG units' security policies allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. Verify that the Zone is set correctly in the Zone object. This should be set to the IPSec_VPN Zone so that security policies are applied properly.
How to Configure L2TP VPN with iOS 8.4 Mobile Devices

This example shows how to use the VPN Setup Wizard to create an L2TP VPN between a ZyWALL/USG and an iOS 8.4 Mobile Device. The example shows how to configure the VPN tunnel between each site. When the VPN tunnel is configured, each site can be accessed securely and traffic from L2TP clients can be allowed to go to the Internet.

Then, configure the Rule Name and set My Address to the wan1 interface, which is connected to the Internet. Type a secure Pre-Shared Key (8-32 characters).

Quick Setup > VPN Setup Wizard > Welcome > VPN Settings

Assign the remote users an IP address range from 192.168.100.10 to 192.168.100.20 for use in the L2TP VPN tunnel and check Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet.

This screen provides a read-only summary of the VPN tunnel. Click Save.

Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (Summary)

Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN >...

Go to CONFIGURATION > VPN > L2TP VPN > Create new Object > User to add a User Name and Password (4-24 characters). Then set Allowed User to the newly created object (L2TP_Remote_Users/zyx168 in this example).

CONFIGURATION > VPN > L2TP VPN > Create new Object > User

If some of the traffic from the L2TP clients needs to go to the Internet, create a policy route to send traffic from the L2TP tunnels out through a WAN trunk. Set Incoming to Tunnel and select your L2TP VPN connection. Set the Source Address to the L2TP address pool.

Set Up the L2TP VPN Tunnel on the iOS Device

To configure L2TP VPN on an iOS 8.4 device, go to Menu > Settings > VPN > Add VPN Configuration and configure as follows. Description is for you to identify the VPN configuration. Set Server to the ZyWALL/USG's WAN IP address (172.124.163.150 in this example).

After you create a VPN configuration, slide the button right to the on position to initiate the L2TP VPN session.

Test the L2TP over IPSec VPN Tunnel

Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the interface is connected.

Hub_HQ > MONITOR > VPN Monitor > IPSec > WIZ_L2TP_VPN

Go to ZyWALL/USG MONITOR > VPN Monitor > L2TP over IPSec and verify the Current L2TP Session.

MONITOR > VPN Monitor > L2TP over IPSec > L2TP_Remote_Users

Go to the iOS mobile device's Menu > Settings > VPN > ZyXEL_L2TP and verify the Assigned IP Address and Connect Time.

Menu > Settings > VPN > ZyXEL_L2TP

What Could Go Wrong?

If you see an [alert] log message such as the one below, check the ZyWALL/USG L2TP Allowed User or User/Group Settings. iOS mobile users must use the same Username and Password as configured on the ZyWALL/USG to establish the L2TP VPN.

If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 Settings.

Make sure the ZyWALL/USG units' security policies allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. Verify that the Zone is set correctly in the Zone object. This should be set to the IPSec_VPN Zone so that security policies are applied properly.
How to Import ZyWALL/USG Certificate for L2TP over IPsec in Windows 10

This is an example of using the L2TP VPN and VPN client software included in the Windows 10 operating system. When the VPN tunnel is configured, users can securely access the network behind the ZyWALL/USG and traffic from L2TP clients can be allowed to go to the Internet from a Windows 10 computer.

Then, configure the Rule Name and set My Address to the wan1 interface, which is connected to the Internet. Type a secure Pre-Shared Key (8-32 characters).

Quick Setup > VPN Setup Wizard > Welcome > VPN Settings

Assign the L2TP users' IP address range from 192.168.100.10 to 192.168.100.20 for use in the L2TP VPN tunnel and select Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet.

This screen provides a read-only summary of the VPN tunnel. Click Save.

Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (Summary)

Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN > L2TP VPN screen. Click Close to exit the wizard.

Quick Setup > VPN Setup Wizard > Welcome > VPN Settings > Wizard Completed

Go to CONFIGURATION >...

CONFIGURATION > VPN > L2TP VPN > Create new Object > User

If some of the traffic from the L2TP clients needs to go to the Internet, create a policy route to send traffic from the L2TP tunnels out through a WAN trunk. Set Incoming to Tunnel and select your L2TP VPN connection.

CONFIGURATION > Network > Routing > Policy Route

Export a Certificate from ZyWALL/USG and Import it to Windows 10 Operating System

Go to ZyWALL/USG CONFIGURATION > Object > Certificate, select the certificate (default in this example) and click Edit.

CONFIGURATION >...

Export the default certificate from the ZyWALL/USG with its private key (password zyx123 in this example).

CONFIGURATION > Object > Certificate > default > Edit > Export Certificate with Private Key

Save the default certificate as a *.p12 file on the Windows 10 computer.

default.p12

In the Windows 10 operating system, go to Start Menu > Search Box. Type mmc and press Enter.

In the mmc console window, click File > Add/Remove Snap-in...

File > Add/Remove Snap-in...

In the Available snap-ins, select Certificates and click Add. Then click Finish. Press OK to close the Snap-ins window.

Available snap-ins > Certificates > Add

In the mmc console window, go to Certificates (Local Computer) > Trusted Root Certification Authorities, right-click Certificate > All Tasks > Import… and click Next.

Click Browse..., locate the .p12 file you downloaded earlier and click Next. Type zyx123 in the Password field and click Next.

Select Place all certificates in the following store, then click Browse and find Trusted Root Certification Authorities. Click Next, then click Finish.

Note: Each ZyWALL/USG device has its own self-signed certificate by factory default. When you reset to the default configuration file, the original self-signed certificate is erased and a new self-signed certificate is created the next time the ZyWALL/USG boots.

Set Up the L2TP VPN Tunnel on Windows 10

To configure L2TP VPN in the Windows 10 operating system, go to Start > Settings > Network & Internet > VPN > Add a VPN Connection and configure as follows. Set VPN Provider to Windows (built-in).

Go to Control Panel > Network and Internet > Network Connections, right-click the VPN connection and select Properties. Continue to Security > Advanced settings and select Use Certificate for authentication.

Test the L2TP over IPSec VPN Tunnel

Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the interface is connected.

CONFIGURATION > VPN > IPSec VPN > VPN Connection

Go to ZyWALL/USG MONITOR >...

Go to the Windows 10 Start > Settings > Network & Internet > VPN and check that the connection shows Connected status.

Menu > Settings > VPN > ZyXEL_L2TP

What Could Go Wrong?

If you see an [alert] log message such as the one below, check the ZyWALL/USG L2TP Allowed User or User/Group Settings. Windows 10 users must use the same Username and Password as configured on the ZyWALL/USG to establish the L2TP VPN.

If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 Settings.

Make sure the ZyWALL/USG units' security policies allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. Verify that the Zone is set correctly in the VPN Connection rule. This should be set to the IPSec_VPN Zone so that security policies are applied properly.
How to Import ZyWALL/USG Certificate for L2TP over IPsec in iOS mobile phone

This is an example of using the L2TP VPN and VPN client software included in Android mobile phone operating systems. When the VPN tunnel is configured, users can securely access the network behind the ZyWALL/USG and traffic from L2TP clients can be allowed to go to the Internet from an iOS mobile phone.

Then, configure the Rule Name and set My Address to the wan1 interface, which is connected to the Internet. Type a secure Pre-Shared Key (8-32 characters).

Quick Setup > VPN Setup Wizard > Welcome > VPN Settings

Assign the L2TP users' IP address range from 192.168.100.10 to 192.168.100.20 for use in the L2TP VPN tunnel and select Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet.

This screen provides a read-only summary of the VPN tunnel. Click Save.

Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (Summary)

Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN > L2TP VPN screen.

Go to CONFIGURATION > VPN > VPN Gateway > WIZ_L2TP_VPN, change the Authentication method to Certificate and select the certificate that the ZyWALL/USG uses to identify itself to the Android mobile phone.

CONFIGURATION > VPN > VPN Gateway > WIZ_L2TP_VPN > Authentication > Certificate

Go to CONFIGURATION >...

Export a Certificate from ZyWALL/USG and Import it to iOS Mobile Phone

Go to ZyWALL/USG CONFIGURATION > Object > Certificate, select the certificate (default in this example) and click Edit.

CONFIGURATION > Object > Certificate > default

Export the default certificate from the ZyWALL/USG with its private key (password zyx123 in this example).

CONFIGURATION >...

default.p12

Set Up the L2TP VPN Tunnel on the iOS Mobile Device

To configure L2TP VPN in the iOS operating system, go to Start > Settings > Network & Internet > VPN > Add a VPN Connection and configure as follows. Set VPN Provider to Windows (built-in).

Go to Control Panel > Network and Internet > Network Connections, right-click the VPN connection and select Properties. Continue to Security > Advanced settings and select Use Certificate for authentication.

Go to the Network & Internet Settings window and click Connect.

Test the L2TP over IPSec VPN Tunnel

1. Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the interface is connected.

CONFIGURATION > VPN > IPSec VPN > VPN Connection

2. ...

3. Go to ZyWALL/USG MONITOR > VPN Monitor > L2TP over IPSec and verify the Current L2TP Session.

MONITOR > VPN Monitor > L2TP over IPSec > L2TP_Remote_Users

4. Go to the iOS operating system's Start > Settings > Network & Internet > VPN and check that the connection shows Connected status.

What Could Go Wrong?

2. If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 Settings. iOS users must use the same Pre-Shared Key as configured on the ZyWALL/USG to establish the IKE SA.

3. If you see that the Phase 1 IKE SA process has completed but still get an [info] log message like the one below, check the ZyWALL/USG Phase 2 Settings.
How to Import ZyWALL/USG Certificate for L2TP over IPsec in Android mobile phone

This is an example of using the L2TP VPN and VPN client software included in Android mobile phone operating systems. When the VPN tunnel is configured, users can securely access the network behind the ZyWALL/USG and traffic from L2TP clients can be allowed to go to the Internet from an Android mobile phone.

Then, configure the Rule Name and set My Address to the wan1 interface, which is connected to the Internet. Type a secure Pre-Shared Key (8-32 characters).

Quick Setup > VPN Setup Wizard > Welcome > VPN Settings

Assign the L2TP users' IP address range from 192.168.100.10 to 192.168.100.20 for use in the L2TP VPN tunnel and select Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet.

This screen provides a read-only summary of the VPN tunnel. Click Save.

Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (Summary)

Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN > L2TP VPN screen.

Go to CONFIGURATION > VPN > VPN Gateway > WIZ_L2TP_VPN, change the Authentication method to Certificate and select the certificate that the ZyWALL/USG uses to identify itself to the Android mobile phone.

CONFIGURATION > VPN > VPN Gateway > WIZ_L2TP_VPN > Authentication > Certificate

Go to CONFIGURATION >...

Export a Certificate from ZyWALL/USG and Import it to Android Mobile Phone

Go to ZyWALL/USG CONFIGURATION > Object > Certificate, select the certificate (default in this example) and click Edit.

CONFIGURATION > Object > Certificate > default

Export the default certificate from the ZyWALL/USG with its private key (password zyx123 in this example).

CONFIGURATION >...

Set Up the L2TP VPN Tunnel on the Android Mobile Device

To configure L2TP VPN in Android, go to Start > Settings > Network & Internet > VPN > Add a VPN Connection and configure as follows. Set VPN Provider to Windows (built-in). Configure a Connection name for you to identify the VPN configuration.

Go to Control Panel > Network and Internet > Network Connections, right-click the VPN connection and select Properties. Continue to Security > Advanced settings and select Use Certificate for authentication.

Go to the Network & Internet Settings window and click Connect.

Test the L2TP over IPSec VPN Tunnel

Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the interface is connected.

CONFIGURATION >...

Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and the Inbound(Bytes)/Outbound(Bytes) traffic. Click Connectivity Check to verify the result of the ICMP connectivity check.

Hub_HQ > MONITOR > VPN Monitor > IPSec > WIZ_L2TP_VPN

Go to ZyWALL/USG MONITOR >...

What Could Go Wrong?

If you see an [alert] log message such as the one below, check the ZyWALL/USG L2TP Allowed User or User/Group Settings. Android users must use the same Username and Password as configured on the ZyWALL/USG to establish the L2TP VPN.

If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 Settings.

If you cannot access devices in the local network, verify that the devices in the local network use the USG's IP as their default gateway, so that their traffic can use the L2TP tunnel.

Make sure the ZyWALL/USG units' security policies allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.
How to Configure the L2TP VPN with Apple MAC OS X 10.11 Operating System

This is an example of using the L2TP VPN and VPN client software included in the Apple MAC OS X 10.11 El Capitan operating system. When the VPN tunnel is configured, users can securely access the network behind the ZyWALL/USG and traffic from L2TP clients can be allowed to go to the Internet from an Apple computer.

Then, configure the Rule Name and set My Address to the wan1 interface, which is connected to the Internet. Type a secure Pre-Shared Key (8-32 characters).

Quick Setup > VPN Setup Wizard > Welcome > VPN Settings

Configure the L2TP users' IP address range from 192.168.30.10 to 192.168.30.20 for use in the L2TP VPN tunnel and check Allow L2TP traffic Through WAN. Click OK.

Quick Setup > VPN Setup Wizard > Welcome > VPN Settings

Continue to the next page to review your Summary and click Save.

Quick Setup >...

Go to CONFIGURATION > VPN > L2TP VPN > Create new Object > User to add a User Name and Password (4-24 characters). Then set Allowed User to the newly created object (L2TP_Remote_Users/zyx168 in this example).

CONFIGURATION > VPN > L2TP VPN > Create new Object > User

If some of the traffic from the L2TP clients needs to go to the Internet, create a policy route to send traffic from the L2TP tunnels out through a WAN trunk. Set Incoming to Tunnel and select your L2TP VPN connection. Set the Source Address to the L2TP address pool.

Set Up the L2TP VPN Tunnel on the Apple MAC OS X 10.11 El Capitan Operating System

To configure L2TP VPN in the OS X 10.11 operating system, go to System Preferences… > Network, click the "+" button at the bottom left of the connections list to add a new connection and configure as follows.

In the User Authentication section, enter the Password, which should be the same as the Allowed User created on the ZyWALL/USG (zyx123 in this example). In the Machine Authentication section, enter the Shared Secret, which is the pre-shared key of the IPSec VPN gateway the ZyWALL/USG uses for L2TP VPN over IPSec (zyx12345 in this example).

Go back to Configuration and click Connect.

Test the L2TP over IPSec VPN Tunnel

Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the interface is connected.

CONFIGURATION > VPN > IPSec VPN > VPN Connection

Go to ZyWALL/USG MONITOR >...

MONITOR > VPN Monitor > IPSec > WIZ_L2TP_VPN

Go to ZyWALL/USG MONITOR > VPN Monitor > L2TP over IPSec and verify the Current L2TP Session.

MONITOR > VPN Monitor > L2TP over IPSec > L2TP_Remote_Users

Go to MAC OS X System Preferences… > Network and check that the connection shows Connected status, the Connect Time and the assigned IP Address.

What Could Go Wrong?

If you see an [alert] log message such as the one below, check the ZyWALL/USG L2TP Allowed User or User/Group Settings. Apple MAC OS X El Capitan users must use the same Username and Password as configured on the ZyWALL/USG to establish the L2TP VPN.

If you see that the Phase 1 IKE SA process has completed but still get an [info] log message like the one below, check the ZyWALL/USG Phase 2 Settings. The ZyWALL/USG unit must have the correct Local Policy set to establish the IKE SA. Ensure that the L2TP Address Pool does not conflict with any existing LAN1, LAN2, DMZ or WLAN zones, even if they are not in use.
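The address pool check in the troubleshooting note above, together with the policy route's Source Address requirement from the setup steps, as an added Python example that is not part of the Zyxel guide; the pool is the guide's 192.168.30.10-192.168.30.20, while the zone subnets are constructed sample values.

```python
"""Added example, not part of the Zyxel guide: check that an L2TP address pool,
given as the start and end addresses the VPN Setup Wizard asks for, does not
overlap any local zone subnet on the ZyWALL/USG, and that the policy route for
Internet-bound L2TP traffic uses exactly that pool as its Source Address.
The pool is the guide's 192.168.30.10-192.168.30.20; the zone subnets are constructed."""

import ipaddress


def pool_blocks(start: str, end: str) -> list:
    """Express the inclusive pool range as the minimal list of CIDR blocks so it can be
    compared with zone subnets even when the range does not align to a prefix."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError(f"pool end {end} precedes pool start {start}")
    return list(ipaddress.summarize_address_range(first, last))


def pool_conflicts(start: str, end: str, zones: dict) -> list:
    """Return 'ZONE subnet' for every zone whose subnet overlaps the pool.
    Unused zones are checked too, as the guide's troubleshooting note requires."""
    blocks = pool_blocks(start, end)
    conflicts = []
    for zone, subnet in zones.items():
        net = ipaddress.IPv4Network(subnet, strict=False)  # accept interface-style 192.168.1.1/24
        if any(block.overlaps(net) for block in blocks):
            conflicts.append(f"{zone} {net.with_prefixlen}")
    return conflicts


def route_source_matches_pool(start: str, end: str, route_source: tuple) -> bool:
    """The policy route that sends L2TP clients out through the WAN trunk must select the
    pool, no more and no less, so compare the two ranges address for address."""
    want = (ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))
    have = (ipaddress.IPv4Address(route_source[0]), ipaddress.IPv4Address(route_source[1]))
    return want == have


# Constructed sample: WLAN is configured but unused, and still collides with the pool.
ZONES = {
    "LAN1": "192.168.1.1/24",
    "LAN2": "192.168.2.1/24",
    "DMZ": "192.168.3.1/24",
    "WLAN": "192.168.30.1/24",
}
POOL_START, POOL_END = "192.168.30.10", "192.168.30.20"

if __name__ == "__main__":
    for conflict in pool_conflicts(POOL_START, POOL_END, ZONES) or ["no zone conflicts"]:
        print(conflict)
    print("route source matches pool:",
          route_source_matches_pool(POOL_START, POOL_END, (POOL_START, POOL_END)))
```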
How to Configure the Device So That Users Can Only See the SSL VPN Login Button on the Web Portal Login Page

This example shows how to restrict portal access for SSL VPN clients. The example shows how to allow end users to see only the SSL VPN Login button in the web portal login screen, while the administrator can only manage the device from the LAN.

Set Up the DNS Service

In this scenario, you need a DNS host to fulfill the requirement. In this example, go to https://www.noip.com/ to register an account and create a DNS host. The mapped IP address is the public IP of the ZyWALL/USG's WAN interface.

CONFIGURATION > Security Policy > Policy Control

Set Up the ZyWALL/USG System Setting

Go to CONFIGURATION > System > WWW > Admin Service Control > Add Admin ACL Rule 1. Set the address access action to Deny for ALL addresses in WAN.

CONFIGURATION >...

Test the SSL VPN

Type in the URL (https://sslvpnzyxeltest.ddns.net) and you will see only the SSL VPN Login button in the web portal screen.

Type in the URL (https://sslvpnzyxeltest.ddns.net)

Log in to the device via the WAN interface with the administrator's user name and password. The screen shows Login denied.

Login to the device via the WAN interface

Log in to the device via the LAN interface with the administrator's user name and password.

Login to the device via the LAN interface

Go to MONITOR > Log. You can see that the admin login has been denied from the WAN interface but is allowed from the LAN interface.

MONITOR >...
How to Deploy SSL VPN with Windows 10 Operating System
This example uses the ZyWALL/USG SSL VPN client software on the Windows 10 operating system for secure connections to the network behind the ZyWALL/USG. Once the VPN tunnel is configured, users can securely access the network from a Windows 10 computer.
Set Up the SSL VPN Tunnel on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION > VPN > SSL VPN > Access Privilege to add an Access Policy. Configure a Name to identify the SSL VPN configuration.
CONFIGURATION >...
Go to Create new Object > Application to add the servers that SSL_VPN_1_Users will be allowed to access, then click OK.
CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > Create new Object > Application
Go to Create new Object > Address to add the IP address pool for SSL_VPN_1_Users.
CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > Create new Object > Address
Then move the newly created address object to Selected User/Group Objects. Similarly, in SSL Application List (Optional), move the servers you want available to SSL users to Selected Application Objects.
CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > User/Group &...
Set Up the SSL VPN Tunnel on the Windows 10 Operating System
Type the ZyWALL/USG's WAN IP into the browser; the login screen appears. Enter the User Name and Password that match your ZyWALL/USG SSL VPN Selected User/Group name and password (SSL_VPN_1_Users/zyx168 in this example).
The Welcome dialog box appears. Click OK to start the ZyWALL SecuExtender installation. Click Continue if you see a Security Warning. Click Run.
The ZyWALL SecuExtender Setup Wizard dialog box appears. Click Next and then Install to complete the installation. Then click Yes to restart your system with the configuration changes, or No if you plan to restart manually later.
After restarting your system, type the ZyWALL/USG's WAN IP into the browser to display the login screen. Enter the User Name and Password that match your ZyWALL/USG SSL VPN Selected User/Group name and password (SSL_VPN_1_Users/zyx168 in this example). Click SSL VPN. Click Allow if you see an Internet Explorer Security warning.
Test the SSL VPN Tunnel
Go to ZyWALL/USG MONITOR > VPN Monitor > SSL and verify the tunnel's Login Address, Connected Time and Inbound(Bytes)/Outbound(Bytes) traffic.
MONITOR > VPN Monitor > SSL > SSL_VPN_1_Users
Go to the Windows 10 ZyWALL SecuExtender Status screen, where you can check the Connection Status, Connect Time, and Transmitted and Received traffic.
What Could Go Wrong?
If you see a [notice] or [alert] log message such as the one below, check the ZyWALL/USG SSL Selected User/Group Objects settings. Windows 10 users must use the same Username and Password as configured on the ZyWALL/USG to establish the SSL VPN tunnel.
How to Deploy SSL VPN with Apple Mac OS X 10.10 Operating System
This example uses the ZyWALL/USG SSL VPN client software on the Apple Mac OS X 10.10 Yosemite operating system for secure connections to the network behind the ZyWALL/USG.
Set Up the SSL VPN Tunnel on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION > VPN > SSL VPN > Access Privilege to add an Access Policy. Configure a Name to identify the SSL VPN configuration.
CONFIGURATION >...
CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > Create new Object > User
Go to Create new Object > Application to add the servers that SSL_VPN_1_Users are allowed to access, then click OK.
CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > Create new Object > Application
Go to Create new Object > Address to add the IP address pool for SSL_VPN_1_Users.
CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > Create new Object > Address
Then move the newly created address object to Selected User/Group Objects. Similarly, in SSL Application List (Optional), move the servers you want available to SSL users to Selected Application Objects.
CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > User/Group & SSL Application
Scroll down to Network Extension (Optional) and select Enable Network Extension to allow SSL VPN users to access the resources on the ZyWALL/USG local network. Select the network name(s) in the Selectable Address Objects list and click the right arrow button to add them to the Selected Address Objects list.
Set Up the SSL VPN Tunnel on the Apple MAC OS X 10.10 Operating System
Download the SSL VPN client software, ZyWALL SecuExtender for Mac, from the ZyXEL Global Website and double-click the downloaded file to install it.
Go to ZyWALL SecuExtender > Preferences and click the "+" button at the bottom left to add a new SSL VPN connection.
Configure the Connection Name to identify the SSL VPN configuration. Then set the Remote Server Address to the WAN IP of the ZyWALL/USG (172.16.1.33 in this example). Click Save.
There are two ways to initiate an SSL VPN connection: from ZyWALL SecuExtender, or from a web browser.
From ZyWALL SecuExtender
Go to ZyWALL SecuExtender > Connect > SSL_VPN to display the username and password dialog box. Set the Username and Password to match your ZyWALL/USG SSL VPN Selected User/Group name and password (SSL_VPN_1_Users/zyx168 in this example).
Test the SSL VPN Tunnel
Go to ZyWALL/USG MONITOR > VPN Monitor > SSL and verify the tunnel's Login Address, Connected Time and Inbound(Bytes)/Outbound(Bytes) traffic.
MONITOR > VPN Monitor > SSL > SSL_VPN_1_Users
Go to ZyWALL SecuExtender > Details and check the Traffic Graph, Network Traffic Statistics and Log Details.
What Could Go Wrong?
If you see a [notice] or [alert] log message such as the one below, check the ZyWALL/USG SSL Selected User/Group Objects settings. Mac OS X 10.10 Yosemite users must use the same Username and Password as configured on the ZyWALL/USG to establish the SSL VPN tunnel.
If you uploaded a logo to show on the SSL VPN user screens but it does not display properly, check that the logo graphic is in GIF, JPG or PNG format. The graphic should have a resolution of 103 x 29 pixels to avoid distortion when displayed; the ZyWALL/USG automatically resizes a graphic of a different resolution to 103 x 29 pixels.
How To Configure SSL VPN for Remote Access Mobile Devices
This example uses the ZyWALL/USG SSL VPN to let remote access mobile devices securely connect to the File Sharing Server behind the ZyWALL/USG.
ZyWALL/USG SSL VPN for Secure External Access to Network Resources
Note: All network IP addresses and subnet masks are used as examples in this article.
In the ZyWALL/USG, go to CONFIGURATION > VPN > SSL VPN > Access Privilege to add an Access Policy. Configure a Name to identify the SSL VPN configuration.
CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > Configuration
Go to Create new Object >...
Go to Create new Object > Application to add the servers that SSL_VPN_1_Users will be allowed to access. Click OK.
CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > Create new Object > Application
Then move the newly created address object to Selected User/Group Objects. Similarly, in SSL Application List (Optional), move the servers you want available to SSL users to Selected Application Objects.
CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > User/Group & SSL Application
Test the SSL VPN Tunnel
Type the ZyWALL/USG's WAN IP into the browser; the login screen appears. Enter the User Name and Password that match your ZyWALL/USG SSL VPN Selected User/Group name and password (SSL_VPN_1_Users/zyx168 in this example).
The File Sharing server appears. Click the File Sharing folder you want to access, enter the User Name/Password of your File Sharing server and click Login.
Now you can securely access the files.
What Could Go Wrong?
If you see a [notice] or [alert] log message such as the one below, check the ZyWALL/USG SSL Selected User/Group Objects settings. Windows 10 users must use the same Username and Password as configured on the ZyWALL/USG to establish the SSL VPN tunnel.
How to Configure an SSL VPN Tunnel (with SecuExtender version 4.0.0.1) on the Windows 10 Operating System
Set up the SSL VPN Tunnel with Windows 10
Download SecuExtender version 4.0.0.1 from the download library of ZyXEL's official website. Before you start installing SecuExtender, you must install the "Visual C++ 2015 Redistributable"...
Double-click the shortcut icon on your desktop. It works the same way as the SSL VPN standalone software on Mac OS X. Enter the server's IP or domain name, user name and password to connect to the server. The example below shows that the client IP is 7.7.7.1; you can also check the traffic statistics in the Status screen. You can verify the connection status from the computer's taskbar icon. When connected, the icon is blue.
If you have uploaded a logo to show on the SSL VPN user screens but it does not display properly, check that the logo graphic is in GIF, JPG or PNG format. The graphic should have a resolution of 103 x 29 pixels to avoid distortion when displayed; the ZyWALL/USG automatically resizes a graphic of a different resolution to 103 x 29 pixels.
How to redirect multiple LAN interface traffic to the VPN tunnel
This example shows how to use the VPN Setup Wizard to create a site-to-site VPN that gives multiple LAN interfaces access to the VPN tunnel. It explains how to configure the VPN tunnel between the sites and redirect the traffic of multiple LAN interfaces into the tunnel.
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ)
In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Configure the Secure Gateway IP as the peer ZyWALL/USG's WAN IP address (172.100.30.54 in the example). Type a secure Pre-Shared Key (8-32 characters). Set the Local Policy to the IP address range of the network connected to this ZyWALL/USG and the Remote Policy to the IP address range of the network connected to the peer ZyWALL/USG.
The rule is now configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.
CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch)
In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG.
Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters; this value is case-sensitive. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Configure the Secure Gateway IP as the peer ZyWALL/USG's WAN IP address (172.101.30.68 in the example).
The rule is now configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.
CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type
Set up the Policy Route (ZyWALL/USG_HQ)
Go to ZyWALL/USG_HQ CONFIGURATION > Network > Routing > Add. Set the Source Address to the subnet that is allowed to join the VPN tunnel (192.168.2.0/24 in this example).
CONFIGURATION > Network > Routing > Add
Set up the Policy Route (ZyWALL/USG_Branch)
Go to ZyWALL/USG_Branch CONFIGURATION > Network > Routing > Add and create an Address object for the remote LAN subnet that is allowed to join the VPN tunnel (192.168.2.0/24 in this example).
CONFIGURATION >...
Go to ZyWALL/USG_Branch CONFIGURATION > Network > Routing > Add. Set the Source Address to the local subnet (192.168.10.0/24 in this example). Set the Destination Address to the remote LAN subnet that is allowed to join the VPN tunnel (192.168.2.0/24 in this example).
CONFIGURATION >...
To test whether or not a tunnel is working, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access (via the IPSec devices).
PC at HQ Office > Windows 7 > cmd > ping 192.168.10.33
PC at Branch Office >...
What Could Go Wrong?
If you see the [info] or [error] log messages below, check the ZyWALL/USG Phase 1 Settings. Both the HQ and Branch ZyWALL/USG must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
Make sure the security policies on both the HQ and Branch ZyWALL/USG allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. NAT traversal is enabled by default on the ZyWALL/USG; make sure the remote IPSec device also has NAT traversal enabled.
How to Create VTI and Configure VPN Failover with VTI
This example illustrates how to create a VTI object and configure a policy route with the VTI. It then applies the VTI to the WAN trunk to achieve VPN load balancing.
Set Up the ZyWALL/USG VTI of Corporate Network (HQ)
In the ZyWALL/USG, go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Add to create the VPN gateway HQ1 with wan1.
CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Add
In the same screen, create the VPN gateway HQ2 with wan2.
Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection > Add and configure a VPN tunnel for the VPN gateway HQ1. Select VPN Tunnel Interface as the application scenario.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Add
In the same screen, create a VPN tunnel for the VPN gateway HQ2.
Go to CONFIGURATION > Network > Interface > VTI > Add to create a VTI for the VPN tunnel HQ1. Enable the connectivity check. Enter the IP address of vti1, which is configured on USG2.
CONFIGURATION > Network > Interface > VTI > Add
CONFIGURATION >...
CONFIGURATION > Network > Interface > VTI > Add
CONFIGURATION > Network > Interface > VTI > vti2 > Connectivity Check
Go to CONFIGURATION > Network > Interface > Trunk > User Configuration > Add to create a new trunk. Add vti1 and vti2 to the new trunk.
CONFIGURATION >...
Source Address: LAN1_SUBNET (192.168.1.0/24)
Destination Address: BO_subnet (192.168.11.0/24)
Next-Hop: HQ_vti_trunk
SNAT: none
CONFIGURATION > Network > Routing > Policy Route > Add
Connect the VPN tunnels when the VTIs are ready. Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection to connect the VPN tunnels.
CONFIGURATION >...
10. Go to CONFIGURATION > Network > Interface > VTI. You will see that the status of the VTI is up when the corresponding VPN tunnel is established.
CONFIGURATION > Network > Interface > VTI
Set Up the ZyWALL/USG VTI of Corporate Network (Branch)
In the ZyWALL/USG, go to CONFIGURATION >...
In the same screen, create the VPN gateway BO2 with wan2.
CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Add
Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection > Add and configure a VPN tunnel for the VPN gateway BO1. Select VPN Tunnel Interface as the application scenario.
In the same screen, create a VPN tunnel for the VPN gateway BO2. Select VPN Tunnel Interface as the application scenario.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Add
Go to CONFIGURATION > Network > Interface > VTI > Add to create a VTI for the VPN tunnel BO1.
CONFIGURATION > Network > Interface > VTI > vti1 > Connectivity Check
In the same screen, create a VTI for the VPN tunnel BO2. Be aware that the IP address of this VTI must be in the same subnet as vti2 on USG1. In this example, the IP address and subnet mask of vti2 on USG1 are 10.10.11.10 and 255.255.255.0 respectively.
CONFIGURATION > Network > Interface > VTI > vti1 > Connectivity Check
Go to CONFIGURATION > Network > Interface > Trunk > User Configuration > Add to create a new trunk. Add vti1 and vti2 to the new trunk.
CONFIGURATION >...
Go to CONFIGURATION > Network > Routing > Policy Route > Add to configure a policy route.
Source Address: LAN1_SUBNET (192.168.11.0/24)
Destination Address: HQ_subnet (192.168.1.0/24)
Next-Hop: BO_vti_trunk
SNAT: none
CONFIGURATION > Network > Routing > Policy Route > Add
Connect the VPN tunnels when the VTIs are ready.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Connect
10. Go to CONFIGURATION > Network > Interface > VTI. You will see that the status of the VTI is up when the corresponding VPN tunnel is established.
CONFIGURATION >...
To test whether or not VPN failover is working, unplug wan1 of USG1. Then ping from a PC in LAN1 of USG1 to a PC in LAN1 of USG2 and vice versa. Check the VPN status of USG1 in the MONITOR > VPN Monitor > IPSec screen.
PC of USG1 (192.168.1.34) >...
What Can Go Wrong?
If you see the [info] or [error] log messages below, check the ZyWALL/USG Phase 1 Settings. Both the HQ and Branch ZyWALL/USG must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
MONITOR > Log
Make sure the security policies on both the HQ and Branch ZyWALL/USG allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. NAT traversal is enabled by default on the ZyWALL/USG; make sure the remote IPSec device also has NAT traversal enabled.
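The two "What Could Go Wrong?" sections for site-to-site IPsec (the multiple-LAN tunnel above and this VTI failover case) name the same two causes: Phase 1 settings that differ between the peers, and a security policy that does not pass IKE, AH or ESP. The following pre-flight check is an added example, not code from the handbook or from Zyxel. It compares the Phase 1 fields the handbook lists and evaluates a first-match policy table against the IPsec protocols and ports. UDP 4500 is included as the standard NAT traversal port, which is a known IKE/IPsec fact rather than a value from the handbook; all peer settings and rules are constructed sample data.

```python
"""Added example (not Zyxel code): pre-flight check for site-to-site IPsec,
covering Phase 1 consistency and security-policy coverage."""
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Phase1:
    pre_shared_key: str
    encryption: str       # e.g. "AES256"
    authentication: str   # e.g. "SHA256"
    dh_group: str         # e.g. "DH14"
    id_type: str          # e.g. "IPv4"


def phase1_mismatches(hq: Phase1, branch: Phase1) -> List[str]:
    """Names of the Phase 1 fields that differ between the peers (empty means consistent)."""
    return [name for name, value in asdict(hq).items() if value != getattr(branch, name)]


@dataclass(frozen=True)
class PolicyRule:
    protocol: str         # "udp", "tcp", "esp", "ah" or "any"
    port: Optional[int]   # None = any port, or not applicable (ESP/AH carry no port)
    action: str           # "allow" or "deny"


# (protocol, port) pairs a site-to-site IPsec tunnel needs; port None for ESP/AH.
IPSEC_REQUIREMENTS: List[Tuple[str, Optional[int]]] = [
    ("udp", 500),    # IKE
    ("udp", 4500),   # IKE and ESP encapsulated in UDP when NAT traversal is active (assumed needed)
    ("esp", None),   # IP protocol 50
    ("ah", None),    # IP protocol 51
]


def first_match(rules: List[PolicyRule], protocol: str, port: Optional[int]) -> str:
    """First-match evaluation with an implicit final deny, as policy tables usually work."""
    for rule in rules:
        if rule.protocol in ("any", protocol) and (rule.port is None or rule.port == port):
            return rule.action
    return "deny"


def blocked_ipsec_traffic(rules: List[PolicyRule]) -> List[str]:
    """IPsec components the policy would drop, e.g. ['udp/4500', 'ah']."""
    blocked = []
    for protocol, port in IPSEC_REQUIREMENTS:
        if first_match(rules, protocol, port) != "allow":
            blocked.append(f"{protocol}/{port}" if port is not None else protocol)
    return blocked


if __name__ == "__main__":
    # Constructed peers: identical except for the DH group, the classic Phase 1 failure.
    hq = Phase1("example-psk-change-me", "AES256", "SHA256", "DH14", "IPv4")
    branch = Phase1("example-psk-change-me", "AES256", "SHA256", "DH2", "IPv4")
    print("Phase 1 mismatches:", phase1_mismatches(hq, branch))
    # Constructed policy that forgot NAT-T and AH.
    policy = [PolicyRule("udp", 500, "allow"), PolicyRule("esp", None, "allow"),
              PolicyRule("any", None, "deny")]
    print("Blocked IPsec traffic:", blocked_ipsec_traffic(policy))
```

A non-empty result from either function points at the setting to correct before looking further at the IKE log; the policy check also catches a broad deny rule placed above the IPsec allow rules, which first-match evaluation would honour.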
How to configure the USG when using a Cloud Based SIP system
This example shows how to configure the USG when a cloud-based SIP system is used. IP phones are increasingly popular; the USG supports the scenario where IP phones located in the LAN connect to the Internet to register with the SIP server.
Set Up the SIP ALG
Go to CONFIGURATION > Network > ALG and check "Enable SIP ALG". Also check "Enable SIP Transformations" if the SIP content needs to be transformed. Then click "Apply".
CONFIGURATION > Network > ALG
Direct-media and Direct-signalling are activated after ZLD 4.25.
Router(config)# no alg sip direct-signalling
Router(config)# no alg sip direct-media
Test result
Connect a SIP phone to the USG and check the registration status. It registers successfully. Check the SIP registration status on the PBX.
What could go wrong?
The SIP phone does not support transformation itself, but "SIP Transformations" is not checked.
How to block HTTPS websites by Domain Filter without applying SSL Inspection
The Content Filter with HTTPS Domain Filter allows you to block HTTPS websites by category service without SSL Inspection. The filtering is based on more than 50 Managed Categories built into the ZyWALL/USG, such as pornography, gambling, hacking, etc.
Set Up the Content Filter on the ZyWALL/USG
Go to CONFIGURATION > UTM Profile > Content Filter > Profile > General Settings. Select Enable HTTPS Domain Filter for HTTPS traffic. Go to CONFIGURATION > UTM Profile > Content Filter > Profile Management > Add Filter Profile >...
Scroll down to the Managed Categories section and select the categories whose Internet content you want to control access to. You must have the Content Filtering license to filter these categories.
Set Up the Security Policy on the ZyWALL/USG
Go to CONFIGURATION > Security Policy > Policy Control and configure a Name to identify the Security Policy profile. Scroll down to UTM Profile, select Content Filter and select a profile from the list box (Social_Net_Block in this example).
Set Up the System Policy on the ZyWALL/USG
Go to CONFIGURATION >...
Test the Result
Type http://www.facebook.com/ or https://www.facebook.com/ into the browser; the error message appears.
Go to the ZyWALL/USG Monitor > Log; you will see [alert] log messages such as the ones below. HTTP traffic logs match (Content Filter) and HTTPS traffic logs match (HTTPS Domain Filter) in the message field.
Monitor > Log
How to Configure Content Filter 2.0 with Geo IP Blocking
Content Filter 2.0 Geo IP blocking identifies the country from an IP address and allows you to block clients from accessing certain countries based on organizational policy.
Set Up the Address Object with Geo IP on the ZyWALL/USG
Go to CONFIGURATION > Object > Address/Geo IP > Address > Add Address Rule. Go to CONFIGURATION > Object > Address/Geo IP > Address; you can see the customized GEOGRAPHY address.
Set Up the Security Policy on the ZyWALL/USG
Go to CONFIGURATION > Security Policy > Policy Control and configure a Name to identify the Security Policy profile. Set the Geo IP policy to allow traffic from WAN to LAN whose source is the local country (geo_allow_policy in this example). Go to CONFIGURATION >...
Test the Result
Type http://csosuppport.ddns.net/ into the browser; the HTTP site can be reached. Go to the ZyWALL/USG Monitor > Log; you will see [notice] log messages such as the ones below. Traffic that matches the Geo IP policy is blocked and shown in the message field.
What Could Go Wrong?
1. The Security Policy is configured incorrectly, so the traffic cannot reach the LAN server.
2. The Content-Filter service has expired. Since the Geo-IP service is bound to the Content-Filter license, the Content-Filter service must still have validity remaining.
How to Configure Content Filter 2.0 with HTTPs Domain Filter
Application Scenario
The Content Filter with HTTPS Domain Filter allows you to block HTTPS websites by category service without SSL Inspection. The filtering is based on 64 categories built into the ZyWALL/USG, such as pornography, gambling, hacking, etc. When a user makes an HTTPS request, the request contains a Server Name Indication (SNI) extension field carrying the server FQDN.
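Both HTTPS Domain Filter sections (the one above and the earlier "How to block HTTPS websites by Domain Filter without applying SSL Inspection") rest on the same mechanism: the SNI extension in the TLS ClientHello is sent in the clear, so a gateway can read the requested host name and classify it without decrypting the session. The following is an added example, not code from the handbook or from Zyxel. It builds a minimal ClientHello only to have offline sample input, parses the SNI out of it, and applies a category verdict from a constructed table that stands in for the gateway's managed categories (Zyxel's real category database and log messages are not reproduced).

```python
"""Added example (not Zyxel code): classify an HTTPS connection by the SNI in
the ClientHello, the way an HTTPS Domain Filter can work without SSL inspection."""
import os
import struct
from typing import Dict, Optional


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying one SNI host_name entry."""
    name = server_name.encode("ascii")
    sni_list = struct.pack("!BH", 0, len(name)) + name                 # name_type 0 = host_name
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    cipher_suites = struct.pack("!H", 2) + struct.pack("!H", 0xC02F)   # one suite, for shape only
    body = (struct.pack("!H", 0x0303) + os.urandom(32) + b"\x00"      # version, random, empty session id
            + cipher_suites + b"\x01\x00" + extensions)               # null compression, extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = ClientHello
    return struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake  # record type 22 = handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:            # handshake record, ClientHello
            return None
        pos = 9 + 2 + 32                                        # record+handshake headers, version, random
        pos += 1 + record[pos]                                  # session id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]     # cipher suites
        pos += 1 + record[pos]                                  # compression methods
        ext_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0x0000:                              # server_name extension
                list_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
                p = pos + 2
                while p + 3 <= list_end:
                    name_type, name_len = struct.unpack_from("!BH", record, p)
                    p += 3
                    if name_type == 0:
                        return record[p:p + name_len].decode("ascii")
                    p += name_len
                return None
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


# Constructed category table and policy; not Zyxel's managed-category data.
CATEGORY_OF: Dict[str, str] = {"www.facebook.com": "Social Networking", "www.example.org": "Reference"}
BLOCKED_CATEGORIES = {"Social Networking"}


def filter_verdict(record: bytes) -> str:
    """'block' or 'allow' by category; 'no-sni' when there is no name to match, which a
    policy must decide on separately (clients can omit SNI or encrypt it)."""
    host = extract_sni(record)
    if host is None:
        return "no-sni"
    return "block" if CATEGORY_OF.get(host) in BLOCKED_CATEGORIES else "allow"


if __name__ == "__main__":
    for host in ("www.facebook.com", "www.example.org"):
        print(host, "->", filter_verdict(build_client_hello(host)))
```

The `no-sni` outcome is the practical caveat: SNI-based filtering only sees what the client volunteers, so a gateway policy has to state what happens to handshakes without a readable name.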
Go to CONFIGURATION > UTM Profile > Content Filter > Profile Management > Add Filter Profile > Test Web Site Category. Type a URL to test its category and click Test Against Content Filter Category Server. You will see the category recorded in the external content filter server's database for both the HTTP and HTTPS domain you specified.
Scroll down to the Managed Categories section and select the categories whose Internet content you want to control access to. You must have the Content Filtering license to filter these categories.
Set Up the Security Policy on the ZyWALL/USG
Go to CONFIGURATION >...
Set Up the System Policy on the ZyWALL/USG
Go to CONFIGURATION > System > WWW > Show Advanced Settings > Other and click Enable Content Filter HTTPS Domain Filter Block/Warn Page.
Go to the ZyWALL/USG Monitor > Log; you will see [alert] log messages such as the ones below. HTTP traffic logs match (Content Filter) and HTTPS traffic logs match (HTTPS Domain Filter) in the message field.
Monitor > Log
What Could Go Wrong?
"Enable HTTPS Domain Filter for HTTPS traffic"...
How to block the client accessing to certain country using Geo IP and Content Filter
The Content Filter with Geo IP identifies the country from an IP address and allows you to block clients from accessing certain countries based on organizational policy. When a user makes an HTTP or HTTPS request, the ZyWALL/USG looks up the IP address in the MaxMind database and then takes action when it matches a blocked country in the Content Filter profile.
Check Geo IP License Status on the ZyWALL/USG
Go to CONFIGURATION > Licensing > Registration > Service; the Geo IP Service must be Licensed to configure this feature.
Set Up the Address Object with Geo IP on the ZyWALL/USG
Go to CONFIGURATION >...
Group Rule, and add all customized GEOGRAPHY addresses to the same Member object.
Set Up the Security Policy on the ZyWALL/USG
Go to CONFIGURATION > Security Policy > Policy Control and configure a Name to identify the Security Policy profile. Set the policy to deny Geo IP traffic from LAN to WAN (geo_block_policy in this example).
Test the Result
Type http://www.pku.edu.cn/ or https://www.rwth-aachen.de/ into the browser; the sites can't be reached.
Go to the ZyWALL/USG Monitor > Log; you will see [notice] log messages such as the ones below. Traffic that matches the Geo IP policy is blocked and shown in the message field.
How to set up Link Aggregation Group (LAG)
A Link Aggregation Group (LAG) allows you to combine a number of physical ports into a single high-bandwidth data path. It can be used for load balancing or for failover, depending on the actual case.
On the USG, go to Configuration > Network > Interface > LAG. Choose the proper interface type and zone for the case. Also select the slave ports to be added to the LAG interface. The interface is named lagx (x = 0~3).
Link Monitoring: You can choose link up/down detection (specify the MII link monitoring frequency or the ARP interval time).
Updelay is the time to wait before enabling the slave port after the device detects link recovery. Downdelay is the time to wait before disabling the slave port after the device detects link failure. The target IP can be a Layer 3 device or a host IP that is reachable by the USG.
802.3ad (LACP) Mode: (Both devices need to be configured.)
Xmit Hash Policy: Select layer2 or layer2+3. Select layer2 if the LAG interface is connected to a layer 2 subnet. Select layer2+3 if the LAG interface is connected to a network with a router or an L3 switch.
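The reason for the layer2 versus layer2+3 advice is visible once the hash is written out: when the LAG faces a router, every outgoing frame carries the same source and destination MAC, so a MAC-only hash lands all flows on one member link. The following is an added example, not code from the handbook or from Zyxel. It models the two policies with the formulas documented for the Linux bonding driver's layer2 and layer2+3 transmit hashes; whether the USG uses exactly these formulas is an assumption, and all MAC and IP addresses are constructed.

```python
"""Added example (not Zyxel code): how the Xmit Hash Policy spreads flows across
LAG members, using the Linux bonding driver's documented layer2 / layer2+3 formulas."""
from typing import List, Tuple

Flow = Tuple[str, str, str, str]   # (src_mac, dst_mac, src_ip, dst_ip)
ETHERTYPE_IPV4 = 0x0800            # the "packet type ID" term in the bonding formulas


def _mac_last_byte(mac: str) -> int:
    return int(mac.split(":")[-1], 16)


def _ip_to_int(ip: str) -> int:
    a, b, c, d = (int(octet) for octet in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def layer2_slave(flow: Flow, n_slaves: int) -> int:
    """layer2: hash = src MAC[5] XOR dst MAC[5] XOR packet type; slave = hash mod count."""
    src_mac, dst_mac, _, _ = flow
    h = _mac_last_byte(src_mac) ^ _mac_last_byte(dst_mac) ^ ETHERTYPE_IPV4
    return h % n_slaves


def layer2_3_slave(flow: Flow, n_slaves: int) -> int:
    """layer2+3: the layer2 hash XORed with both IPv4 addresses, then folded down."""
    src_mac, dst_mac, src_ip, dst_ip = flow
    h = _mac_last_byte(src_mac) ^ _mac_last_byte(dst_mac) ^ ETHERTYPE_IPV4
    h ^= _ip_to_int(src_ip) ^ _ip_to_int(dst_ip)
    h ^= h >> 16
    h ^= h >> 8
    return h % n_slaves


def distribute(flows: List[Flow], policy: str, n_slaves: int = 2) -> List[int]:
    """Member index chosen for each flow under 'layer2' or 'layer2+3'."""
    chooser = layer2_slave if policy == "layer2" else layer2_3_slave
    return [chooser(flow, n_slaves) for flow in flows]


def links_used(flows: List[Flow], policy: str, n_slaves: int = 2) -> int:
    """How many distinct LAG members the flows actually land on."""
    return len(set(distribute(flows, policy, n_slaves)))


# Constructed scenario: the USG (one source MAC) talks to many remote hosts through a
# single next-hop router, so every frame carries the same destination MAC.
USG_MAC = "00:11:22:33:44:10"
ROUTER_MAC = "00:11:22:33:44:20"
ROUTED_FLOWS: List[Flow] = [(USG_MAC, ROUTER_MAC, "192.168.1.1", f"10.0.0.{i}") for i in range(1, 9)]

if __name__ == "__main__":
    print("layer2   ->", distribute(ROUTED_FLOWS, "layer2"))
    print("layer2+3 ->", distribute(ROUTED_FLOWS, "layer2+3"))
```

With the routed flows above, the layer2 policy uses a single member link for all eight flows while layer2+3 spreads them over both, which is the handbook's reason for choosing layer2+3 behind a router or L3 switch. On a flat layer 2 subnet the destination MACs differ per host, so layer2 already balances there.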
LACP rate: The interval can be fast (every second) or slow (every 30 seconds).
Balance-alb Mode: (Does not require configuration on the switch; one or multiple switches can be used.)
Set up the active-backup mode. The VLAN interface is cross-connected to different switches and the link statuses on both switches are active.
The VLAN interface is cross-connected to different switches (fault tolerance). Only one link connection is up and the other is down. In this case, you need to use the active-backup mode. You can find the LAG interface in the VLAN interface.
Test the Result
After deployment you can see the interface status under Monitor > Interface Status. Below we use an 802.3ad LAG interface with Vlan66 as the example: unplug one of the network cables during the ping, and the connection should stay alive after one lost ping.
What can go wrong
1.
How to Restrict Web Portal access from the Internet
This example shows how to use the VPN Setup Wizard to create a site-to-site VPN that gives multiple LAN interfaces access to the VPN tunnel. It explains how to configure the VPN tunnel between the sites and redirect the traffic of multiple LAN interfaces into the tunnel.
Set Up the ZyWALL/USG System Setting
Go to CONFIGURATION > System > WWW > Admin Service Control > Add Admin ACL Rule 1. Set the address access action to Deny for ALL addresses in WAN.
CONFIGURATION > System > WWW > Admin Service Control > Add Admin ACL Rule 1
Test the Web Access
Log in to the device via the WAN interface with the administrator's user name and password. The screen shows Login denied.
Login to the device via the WAN interface
Log in to the device via the LAN interface with the administrator's user name and password.
Go to MONITOR > Log. You can see that the admin login was denied from the WAN interface but allowed from the LAN interface.
MONITOR > Log
How to Setup and Configure Daily Report
This example shows how to set up data collection and view various statistics about traffic passing through your ZyWALL/USG. When the Daily Report is configured, you receive a statistics report every day.
ZyWALL/USG Setup and Configure Daily Report
Note: All network IP addresses and subnet masks are used as examples in this article.
Set Up the ZyWALL/USG Email Daily Report Setting
Go to CONFIGURATION > Log & Report > Email Daily Report > General Settings. Select Enable Email Daily Report to send reports by e-mail every day.
CONFIGURATION > Log & Report > Email Daily Report > General Settings
Type the SMTP server name or IP address.
Select Reset counters after sending report successfully if you only want to see statistics for a 24-hour period.
CONFIGURATION > Log & Report > Email Daily Report > Report Items
Test the Daily Log Report
Click Send Report Now to have the ZyWALL/USG send the daily e-mail report immediately.
ZyXEL Daily Report Mail
What Could Go Wrong?
Make sure your Email settings are all correct.
CONFIGURATION > Log & Report > Email Daily Report > Email Settings
Make sure your ZyWALL to WAN security policy allows the traffic.
www.zyxel.com How to Setup and Configure Email Logs This example shows how to set up the e-mail profiles to mail ZyWALL/USG log messages to the specific destinations. You can also specify which log messages to e-mail, and where and how often to e-mail them. When the Email Logs is configured, you will receive logs email report base on customized schedule.
Page 453
www.zyxel.com type the e-mail address from which the outgoing e-mail is delivered. In Mail To, type the e-mail address to which the outgoing e-mail is delivered. 2. Day for Sending Log is available if the log is e-mailed weekly. Select the day of the week the log is e-mailed.
www.zyxel.com What Could Go Wrong? Make sure your Email settings are all correct. CONFIGURATION > Log & Report > Email Daily Report > Email Settings Make sure your ZyWALL to WAN security policy allow. 455/749...
How to Setup and send logs to a Syslog Server
This example shows how to set up syslog server profiles that send ZyWALL/USG log messages to specific destinations. You can also specify which log messages go to the syslog server. Once the syslog server is configured, you receive the system logs in real time.
Go to Dashboard > Add Systems.
Dashboard > Add Systems
Select Not shown here? and My syslog daemon only sends to port 514.
Dashboard > Add Systems > I'm using
Select My syslogd only uses the default port, set the ZyWALL/USG public IP address (111.250.188.9 in this example) and name the log system.
Write down the Papertrail-provided domain name (logs.papertrialpp.com in this example).
Dashboard > Add Systems > I'm using > Choose your situation > System Created

Set Up the ZyWALL/USG Remote Server Setting
1. Go to CONFIGURATION > Log & Report > Log Settings > Remote Server > Edit. Set Log Format to CEF/Syslog. Type the Papertrail-provided domain name (logs.papertrialpp.com in this example) as the Server Address.
2.

What Could Go Wrong?
Make sure your Log settings for Remote Server are all correct.
CONFIGURATION > Log & Report > Log Settings > Remote Server
Make sure your ZyWALL-to-WAN security policy allows traffic to the log server.
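Once the remote server receives CEF/Syslog, whatever collects the logs has to split each line into its syslog prefix, the seven pipe-delimited CEF header fields and the key=value extension before it can alert on anything. The following Python is an added example (not Zyxel's code and not the Papertrail side) of that parsing, written to the standard CEF layout; the three sample lines are constructed here, and the vendor, product, signature IDs and extension keys in them are assumptions about what a ZyWALL/USG emits, not values taken from a real device.

```python
"""Parse CEF-over-syslog lines the way a log collector would.

Added example, not Zyxel's code. The sample lines are constructed to follow
the generic CEF layout (CEF:Version|Vendor|Product|Version|SignatureID|Name|
Severity|Extension); the exact fields a ZyWALL/USG sends are an assumption.
"""
import re
from collections import Counter

# Constructed sample lines (host name, signature IDs and extension keys invented).
SAMPLE_LINES = [
    "<134>Jan 10 10:00:01 usg-hq CEF:0|ZyXEL|USG110|4.25|1001|Security Policy|3|"
    "src=192.168.1.33 dst=8.8.8.8 dpt=53 act=forward",
    "<132>Jan 10 10:00:02 usg-hq CEF:0|ZyXEL|USG110|4.25|2005|ADP port scan|8|"
    "src=203.0.113.7 dst=10.251.31.112 act=drop msg=TCP port scan\\=detected",
    "<134>Jan 10 10:00:03 usg-hq CEF:0|ZyXEL|USG110|4.25|1001|Security Policy|3|"
    "src=192.168.1.34 dst=1.1.1.1 dpt=443 act=forward",
    "this line is not CEF and should be counted as unparsed",
]

CEF_MARKER = "CEF:"
HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                 "signature_id", "name", "severity")


def _unescape_header(value):
    # In the header, a literal pipe is written \| and a backslash \\.
    return value.replace("\\|", "|").replace("\\\\", "\\")


def _unescape_ext(value):
    # In the extension, a literal equals sign is written \= and a backslash \\.
    return value.replace("\\=", "=").replace("\\\\", "\\")


def parse_cef(line):
    """Return a dict for one CEF-over-syslog line, or None if it is not CEF."""
    idx = line.find(CEF_MARKER)
    if idx < 0:
        return None
    syslog_prefix, cef = line[:idx].rstrip(), line[idx + len(CEF_MARKER):]
    # Split on pipes that are not escaped; everything after the 7th is extension.
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)
    if len(parts) != 8:
        return None
    event = {k: _unescape_header(v) for k, v in zip(HEADER_FIELDS, parts[:7])}
    event["severity"] = int(event["severity"])
    event["syslog_prefix"] = syslog_prefix
    ext = {}
    # A new pair starts at a space followed by "key="; values may contain spaces.
    for token in re.split(r" (?=\w+=)", parts[7].strip()):
        if not token:
            continue
        key, _, value = token.partition("=")
        ext[key] = _unescape_ext(value)
    event["ext"] = ext
    return event


def summarize(lines, alert_severity=7):
    """Count events by CEF severity and return those at or above alert_severity."""
    counts = Counter()
    alerts = []
    for line in lines:
        event = parse_cef(line)
        if event is None:
            counts["unparsed"] += 1
            continue
        counts[event["severity"]] += 1
        if event["severity"] >= alert_severity:
            alerts.append(event)
    return counts, alerts


if __name__ == "__main__":
    totals, high = summarize(SAMPLE_LINES)
    print(dict(totals))
    for event in high:
        print(event["name"], event["ext"]["src"], "->", event["ext"]["dst"],
              event["ext"].get("msg", ""))
```

Counting unparsed lines separately is deliberate: a sudden rise in that counter usually means the Log Format on the device was changed away from CEF/Syslog, or the collector is receiving something other than the ZyWALL/USG feed.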
How to Setup and send logs to a Vantage Reports Server
This example shows how to set up Vantage Report Server profiles that send ZyWALL/USG log messages to specific destinations. You can also specify which log messages go to the Vantage Report Server. Once the Vantage Report Server is configured, you receive the system logs in real time.

Set Up the VRPT Server
1. The Vantage Report server must have a registered account at http://www.myZyXEL.com.
2. Install the VRPT software: http://www.zyxel.com/support/DownloadLandingSR.shtml?c=gb&l=en&kbid=M-01 339&md=VRPT
4. Unzip the file and click Vantage Reeport.exe to start installing Vantage Report. Then, the Vantage Report installation wizard appears. Click Next.
5.
Check whether any other applications also use port 3316 (TCP), 514 (UDP) or 8080 (UDP) by entering "netstat -a" on the command line. Uninstall them if any do. Click OK. When you finish installing Vantage Report, restart the Vantage Report server.
7.
Go to Dashboard > License Information > Manage Device and click Add Device; the Add Device screen appears on the left side. Enter the Name of the device you want to add to Vantage Report. Enter the LAN MAC address of the device you want to add.

Set Up the ZyWALL/USG Remote Server Setting
Go to CONFIGURATION > Log & Report > Log Settings > Remote Server > Edit. Set Log Format to VRPT/Syslog. Type the Vantage Report server IP address (10.251.30.61 in this example) as the Server Address.
VRPT Server > Logs > Log Viewer

What Could Go Wrong?
Make sure your Log settings for Remote Server are all correct.
CONFIGURATION > Log & Report > Log Settings > Remote Server
Make sure your ZyWALL-to-WAN security policy allows traffic to the log server.
How to Setup and send logs to the USB storage
This example shows how to use a USB device to store the system log information.
ZyWALL/USG enable and send logs to the USB storage
Note: Connect only one USB device. It must allow writing (it cannot be read-only) and use the FAT16, FAT32, EXT2, or EXT3 file system.

Set Up the USB System Settings
Go to CONFIGURATION > System > USB Storage > Settings > General. Select Activate USB storage service if you want to use the connected USB device(s). Set a number and select a unit (MB or %) to have the ZyWALL/USG send a warning message when the remaining USB storage space is less than the value you set here.
Go to CONFIGURATION > Log & Report > Log Settings > USB Storage > Edit. Select Duplicate logs to USB storage (if ready) to have the ZyWALL/USG save a copy of its system logs to a connected USB storage device. Use the Selection drop-down list to change the log settings for all of the log categories.
How to Activate a Free Access Hotspot
Some hotels need to provide free Internet services to hundreds of guests on a daily basis, and managing Internet access for so many people can be very complicated without the right equipment. With web authentication methods such as user agreement and web portal, hotel guests are redirected to a web-based authentication portal on their first attempt to access the network.

Configuration Guide
Network Conditions
WAN: 10.251.31.112
LAN 1: 192.168.1.1/255.255.255.0
User's laptop: 192.168.1.33

Set up the Free Access Hotspot Configurations on the USG1100
The user agreement of this feature allows clients to access the Internet without a guest account.
2. Go to Configuration > Hotspot > Advertisement.
(1) Select Enable Advertisement.
(2) Add the URL of the website that you want to advertise.

Test the User Agreement and Advertisement Webpage
1. When a client attempts to access the Internet via a browser, he/she is redirected to the user agreement page.
2. The advertisement webpage is displayed in a new window; it is the first page that appears whenever the user connects to the Internet.

What could Go Wrong?
If users can access the Internet without any authentication, make sure the Source Address is configured with the correct subnet. For example, if you want users in subnet 192.168.1.0/24 to be controlled via authentication, the Source Address must be 192.168.1.0/24.
Set up Enable the Free Time Feature Configurations on the USG1100
On the USG1100, you need to enable the SMS service and select SMS as the delivery method in the Free Time feature.
1. Register for a ViaNett account at http://www.vianett.com.
3. After the form has been submitted, the account information will be sent to your e-mail address.
4. Enter the activation code and proceed to make the payment.
5. Fill in the credit card information to complete the payment.
The payment is complete.
6. After the ViaNett account is ready, go to the USG1100's Configuration > Hotspot > SMS screen.
(1) Enable SMS.
(2) Fill in your local phone country code as the default country code.
(3) Add an authentication policy for every source.
7. Go to Configuration > Hotspot > Free Time.
(1) Select Enable Free Time and set up the free time period. By default, the Reset Time is at AM 00:00. You can also set up how many times a MAC address can access the Internet.
9. Select Enable Policy, Force User Authentication, and then select default-web-portal as the Authentication Type.

Test Free Time Feature
1. The user is redirected to the Login screen before he/she is permitted to access the Internet. Click on the link to get a free account.
Select Free Time as the service plan. Then submit your country code and mobile phone number.
3. The account and password will be sent to your mobile phone.
4. Check your account information.
5. Fill in the account information received on your mobile phone and click Login.
6. Now the client can start accessing the Internet.

What Can Go Wrong?
If a client cannot get the SMS message from ViaNett, make sure the Country code, Username and Password are all correct.
How to Setup IPv6 Interfaces for Pure IPv6 Routing
This example shows how to configure your USG Z's WAN and LAN interfaces, which connect two IPv6 networks. USG Z periodically advertises the network prefix 2006:1111:1111:1111::/64 to the LAN through router advertisements.
ZyWALL/USG access the internet via IPv6
Note: Instead of using router advertisement, you can use DHCPv6 to pass the...

Setting Up the IPv6 Interface
1. In the CONFIGURATION > Network > Interface > Ethernet screen's IPv6 Configuration section, double-click wan1.
2. The Edit Ethernet screen appears. Select Enable Interface and Enable IPv6. Select Enable Auto-Configuration. Click OK.
Note: Your ISP or uplink router should enable router advertisement.
3. Use the ipconfig command line tool to check.

Set up the Prefix Delegation and Router Advertisement
This example shows how to configure prefix delegation on the ZyWALL's WAN and router advertisement on the LAN.

Apply for a Network Prefix From Your ISP
First of all, you have to apply for a network prefix from your ISP or the uplink router's administrator.
Click Add in the DHCPv6 Request Options table and select the DHCPv6 request object you just created. You cannot see the prefix your ISP gave you in the Value field until you click OK and then come back to this screen. It is 2001:b050:2d::/48 in this example.
Note: Your ISP or a DHCPv6 server in the same network as the WAN should assign an IPv6 address to the WAN interface.

Setting Up the WAN IPv6 Interface
1. In the Configuration > Network > Interface > Ethernet screen, double-click the lan interface in the IPv6 Configuration section.
2. The Edit Ethernet screen appears. Click Show Advanced Settings to display more settings on this screen.
Address field. (The combined prefix 2001:b050:2d:1111::/64 will be displayed as LAN1's network prefix after you click OK and come back to this screen.)
Test
1. Connect a computer to the ZyWALL's LAN interface.
2. Enable IPv6 support on your computer. In Windows XP, you need to use the IPv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default. You can enable IPv6 in the Control Panel >...
3. If the Value field in WAN1's DHCPv6 Request Options table displays n/a, contact your ISP for further support.
4. In Windows, some IPv6-related tunnels such as Teredo and 6to4 may be enabled by default. They may cause your computer to handle IPv6 packets in an unexpected way.
How to Perform and Use the Packet Capture Feature on the ZyWALL/USG
This example shows how to use the Packet Capture feature to capture network traffic going through the ZyWALL/USG's interfaces. Studying these packet captures may help you identify network problems.
ZyWALL/USG Packet Capture Feature Settings
Note: New capture files overwrite existing files of the same name.

Set Up the Packet Capture Feature
Go to MAINTENANCE > Diagnostics > Packet Capture > Capture > Interfaces. Select the interfaces for which to capture packets and click the right arrow button to move them to the Capture Interfaces list. Go to MAINTENANCE >...
10. Go to MAINTENANCE > Diagnostics > Packet Capture > Capture > Misc setting. Select Continuously capture and overwrite old ones to have the ZyWALL/USG keep capturing traffic and overwrite old packet capture entries when the available storage space runs out. Select Save data to onboard storage only or Save data to USB storage (if the status shows service deactivated, go to CONFIGURATION >...
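Capture files are normally opened in a packet analyser, but knowing the container layout helps when a file is truncated or a tool refuses it. The following Python is an added example (not Zyxel's code) that reads the classic pcap container record by record and tallies Ethernet types; it assumes the capture is a little-endian classic pcap with Ethernet frames, which is an assumption about the file the ZyWALL/USG writes, and the sample capture is constructed in memory so the script runs offline.

```python
"""Minimal reader for classic pcap files, with a truncation check.

Added example, not Zyxel's code. Assumes a little-endian classic pcap with
Ethernet (link type 1) frames; the sample capture is constructed in memory.
"""
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4      # value seen when a little-endian file is read with "<"
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER = "<IHHiIII"       # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER = "<IIII"          # ts_sec, ts_usec, incl_len, orig_len
ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def build_sample_pcap():
    """Constructed capture: global header followed by three Ethernet records."""
    header = struct.pack(GLOBAL_HEADER, PCAP_MAGIC_LE, 2, 4, 0, 0, 65535,
                         LINKTYPE_ETHERNET)
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    records = []
    for ts_sec, ethertype, payload_len in ((1, 0x0800, 40), (1, 0x0806, 28),
                                           (2, 0x86DD, 60)):
        frame = dst + src + struct.pack("!H", ethertype) + b"\x00" * payload_len
        records.append(struct.pack(RECORD_HEADER, ts_sec, 0, len(frame),
                                   len(frame)) + frame)
    return header + b"".join(records)


def read_pcap(data):
    """Yield (timestamp, ethertype, frame) for each record in a pcap byte string."""
    magic, _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack_from(
        GLOBAL_HEADER, data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian classic pcap file")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    offset = struct.calcsize(GLOBAL_HEADER)
    while offset + struct.calcsize(RECORD_HEADER) <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(
            RECORD_HEADER, data, offset)
        offset += struct.calcsize(RECORD_HEADER)
        frame = data[offset:offset + incl_len]
        if len(frame) < incl_len:
            # The file ends inside a record: typical of a capture cut off mid-write.
            raise ValueError("truncated record at offset %d" % offset)
        offset += incl_len
        # Ethernet II: 6-byte dst, 6-byte src, then the 2-byte type field.
        ethertype = struct.unpack_from("!H", frame, 12)[0] if len(frame) >= 14 else None
        yield ts_sec + ts_usec / 1e6, ethertype, frame


def summarize(data):
    """Count frames per Ethernet type name."""
    counts = Counter()
    for _ts, ethertype, _frame in read_pcap(data):
        counts[ETHERTYPE_NAMES.get(ethertype, "other")] += 1
    return counts


if __name__ == "__main__":
    print(dict(summarize(build_sample_pcap())))   # {'IPv4': 1, 'ARP': 1, 'IPv6': 1}
```

The truncation check matters with the continuous-capture option above: when the device overwrites old files as storage fills, the newest file may end mid-record, and a reader that silently stops there hides how much of the capture was lost.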
How to Automatically Reboot the ZyWALL/USG by Schedule
This example shows how to use a shell script and schedule-run to reboot the device automatically for maintenance purposes.
ZyWALL/USG Auto Schedule Reboot Settings
Note: This example was tested using USG110 (Firmware Version: ZLD 4.25).

Set Up the Shell Script
Run the Windows Notepad application and input the command below:
Save this file as "reboot_device.zysh".
In the ZyWALL/USG, go to MAINTENANCE > File Manager > Shell Script. Click Browse... to find the reboot_device.zysh file. Click Upload to begin the upload process.

Set Up the Schedule Run
Log in to the device via console/telnet/SSH (using PuTTY in this example). Issue the commands below, based on three different (daily, weekly and monthly) user scenarios:
a. Router(config)# schedule-run 1 reboot_device.zysh daily 10:00
(The device will reboot at 10:00 every day)
b. Router(config)# schedule-run 1 reboot_device.zysh weekly 10:00 sun
(The device will reboot at 10:00 every Sunday)
c. Router(config)# schedule-run 1 reboot_device.zysh monthly 10:00 23
(The device will reboot at 10:00 on the 23rd of every month)

Check the Reboot Status
Log in to the device via console/telnet/SSH (using PuTTY in this example); the reboot runs as scheduled.
Figure Putty
Go to DASHBOARD > System Status and check System Uptime, Current Date/Time and Boot Status.
Figure DASHBOARD > System Status
How To Schedule YouTube Access
This is an example of using the ZyWALL/USG UTM Profile and Security Policy to control access to the network. If an application should not have network access during certain hours, you can use Application Patrol, SSL Inspection and Schedule settings to make sure that these applications cannot access the Internet.

Create the Application Objects on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION > Object > Application > Add Application Rule. Configure a Name for you to identify the Application Profile. Then, click Add to create an Application Object. CONFIGURATION >...

Set Up the Application Patrol Profile on the ZyWALL/USG
Go to CONFIGURATION > UTM Profile > App Patrol > Add rule and configure a Name for you to identify the App Patrol profile. Then, go to Profile Management and click Add to configure the profile's General Settings.

Set Up SSL Inspection on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > SSL Inspection > Add rule and configure a Name for you to identify the SSL Inspection profile. Then, select the CA Certificate to be the certificate used in this profile. Select Block, and select Log type to be log alert.

Export Certificate from ZyWALL/USG and Import it to Windows 7 Operating System
When SSL inspection is enabled and an accessed website does not trust the ZyWALL/USG certificate, the browser will display a warning page about security certificate problems.
Go to ZyWALL/USG CONFIGURATION > Object > Certificate > default > Edit to export the default certificate from the ZyWALL/USG with its Private Key (password zyx123 in this example).
CONFIGURATION > Object > Certificate > default
CONFIGURATION > Object > Certificate > default > Edit > Export Certificate with Private Key
Save the default certificate as a *.p12 file on the Windows 7 Operating System.
In the mmc console window, click File > Add/Remove Snap-in...
File > Add/Remove Snap-in...
In Available snap-ins, select Certificates and click the Add button. Select Computer account > Local Computer. Then, click Finish and OK to close the Snap-ins window.
Available snap-ins > Certificates > Add
In the mmc console window, open Certificates (Local Computer) > Trusted Root Certification Authorities, right-click Certificates > All Tasks > Import... Click Next, then Browse..., and locate the .p12 file you downloaded earlier. Then, click Next.
Click Next, type zyx123 in the Password field and click Next again. Select Place all certificates in the following store, then click Browse and find Trusted Root Certification Authorities. Click Next, then click Finish.
Note: Each ZyWALL/USG device has its own self-signed certificate by factory default. When you reset to the default configuration file, the original self-signed certificate is erased, and a new self-signed certificate is created when the ZyWALL/USG boots the next time.

Test the Result
Type http://www.youtube.com/ or https://www.youtube.com/ into the browser. An error message occurs.
Go to the ZyWALL/USG Monitor > Log; you will see an [alert] log message such as the one below.

What Could Go Wrong?
If you are not able to configure any Application Patrol policies or it is not working, there are two possible reasons: You have not subscribed for the Application Patrol service.
the portal page (https://portal.myzyxel.com/) to register or extend your Application Patrol license. After you apply the Application Patrol service, the running session will continue until it is finished.
How to continuously run a ZySH script
This example shows how to use shell scripts and schedule-run to run a ZySH script automatically and continuously for maintenance purposes.
ZyWALL/USG continuously run a ZySH script Settings
Note: This example was tested using USG110 (Firmware Version: ZLD 4.25).

Set Up the Shell Script
Run the Windows Notepad application and input the command below:
Save this file as "disable_firewall.zysh".
Run the Windows Notepad application and input the command below:
Save this file as "enable_firewall.zysh".
In the ZyWALL/USG, go to MAINTENANCE > File Manager > Shell Script. Click Browse... to find the disable_firewall.zysh and enable_firewall.zysh files. Click Upload to begin the upload process.

Set Up the Schedule Run
Log in to the device via console/telnet/SSH (using PuTTY in this example). Issue the commands below:
Router> configure terminal
Router(config)# schedule-run 1 disable_firewall.zysh daily 01:00

Check the Result
In the ZyWALL/USG, go to DASHBOARD. Refresh the Secure Service Status; the Security Policy Control is disabled at 1:00.
DASHBOARD
In the ZyWALL/USG, go to DASHBOARD. Refresh the Secure Service Status; the Security Policy Control is enabled at 2:00.
DASHBOARD
How To Register Your Device and Services at myZyXEL.com
myZyXEL.com is ZyXEL's online services center where you can register your ZyXEL device and manage the subscription services available for the device. To update signature files or use a subscription service, you have to register the device and activate the corresponding service at myZyXEL.com.

Account Creation
After you click the link from the Registration screen of your ZyXEL device's Web Configurator or click the myZyXEL.com 2.0 icon on the portal page (https://portal.myzyxel.com/), the Sign In screen displays.
CONFIGURATION > Licensing > Registration
Click Not a Member Yet to open the Sign Up screen where you can create an account.
Select Registration Type to create an Individual account or a Business account. An Individual account is for non-commercial end users of ZyXEL products. A Business account is for commercial users; a VAT # is required (the requirement varies by country). myZyXEL.com >...
After you click Submit, myZyXEL.com 2.0 will send you an account activation notification e-mail. Click the URL link in the e-mail to activate your account and log into myZyXEL.com 2.0. After e-mail activation, sign in to myZyXEL.com 2.0 to register or manage your devices and services.
If you access myZyXEL.com from the Registration screen of your ZyXEL device's Web Configurator, the device MAC Address and Serial Number are displayed automatically.

Service Registration (In the Case of Standard License)
Click Service Registration in the navigation panel to open the screen. Fill in the License Key as shown on the E-iCard License.
Go to the Service Management page and click the Link button. Select the device, then click the Activate button to initiate the service license. You will get a Service Activation Notice e-mail when you activate a new service.

Device Management (In the Case of Registering Bundled Licenses)
Go to Device Management and click the MAC Address hyperlink of your device.

Refresh Service
After the service is activated, go to the ZyWALL/USG CONFIGURATION > Licensing > Registration > Service and click the Service License Refresh button to update the Status.

What Could Go Wrong?
If you can't activate your device's service license, check that you entered the correct license key.
If you forget the e-mail address you registered at myZyXEL.com, go to the link below and submit a request to the ZyXEL support team for further support: http://www.zyxel.com/form/Support_Feedback.shtml
How To Exempt Specific Users From Security Control
This is an example of using a ZyWALL/USG Security Policy to exempt three corporate executives from security control, while controlling Internet access for other employees' accounts.
Exempt Specific Users from Security Control Example
Note: All network IP addresses and subnet masks are used as examples in this article.

Set Up the Security Policy on the ZyWALL/USG for Employees
In the ZyWALL/USG, go to CONFIGURATION > Object > Address > Add Address Rule to create an address range for employees.
CONFIGURATION > Object > Address > Add Address Rule
Set up the Security Policy for employees: go to CONFIGURATION >...
non-productive services, such as Advertisement & Pop-Ups, Gambling and Peer to Peer services, etc.).
CONFIGURATION > Security Policy > Policy Control > Add corresponding > Employees_Security

Set Up the Security Policy on the ZyWALL/USG for Executives
In the ZyWALL/USG, go to CONFIGURATION > Object > User/Group > Add A User to create a User Name/Password for each executive.
Then, go to CONFIGURATION > Object > User/Group > Group > Add Group to create a Group Members' Name and move the just-created executive user objects to Member.
CONFIGURATION > Object > Address Group > Add Address Group Rule
Set up the Security Policy for executives: go to CONFIGURATION > Security Policy > Policy Control > Add corresponding and configure a Name for you to identify the executives' Security Policy profile. For From and To, select the direction of travel of packets to which the policy applies.

Test the Result
Connect to the Internet from two computers: one logged in as executive_1 and one from an employee address (192.168.30.9).
Go to the ZyWALL/USG Monitor > Log; you will see [notice] log messages such as those below. In this example result, a connection from executive_1 has a user login message and always carries ACCESS FORWARD information. A connection from the employee address (192.168.30.9) shows ACCESS BLOCK information for some of the services. Monitor >...
How To Detect and Prevent TCP Port Scanning with ADP
This is an example of using a ZyWALL/USG ADP (Anomaly Detection and Prevention) Profile to protect against anomalies based on violations of protocol standards (RFCs, Requests for Comments) and abnormal traffic flows such as port scans.

Set Up the ADP Profile on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION > Security Policy > ADP > Profile and click the Add icon. A pop-up screen will appear allowing you to choose a base profile. Select a base profile to go to the profile details screen. CONFIGURATION >...
Click the Protocol Anomaly tab. A Name is automatically generated that you can edit. Enable or disable individual rules by selecting a row and clicking Activate or Inactivate. Edit the default log options and actions by selecting a row and making a selection in the Log or Action drop-down menus.
CONFIGURATION > Security Policy > ADP > Profile > Base Profile > Protocol Anomaly
Go to CONFIGURATION > Security Policy > ADP > General and select Enable Anomaly Detection and Prevention. Then, select the just-created Anomaly Profile and click Apply.

Test the Result
Download the Nmap free security scanner to test the result: https://nmap.org/download.html
Open the Nmap GUI, set the Target to the WAN IP of the ZyWALL/USG (172.124.163.150 in this example) and set Profile to Intense Scan. Click Scan. Go to the ZyWALL/USG Monitor >...

What Could Go Wrong?
You may find that certain rules trigger too many false positives or false negatives. A false positive is when valid traffic is flagged as an attack. A false negative is when invalid traffic is wrongly allowed to pass through the ZyWALL/USG. As each network is different, false positives and false negatives are common on initial ADP deployment.
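The false-positive trade-off the text describes comes down to two knobs in any port-scan rule: how many distinct destination ports a source may touch on one host, and within what time window. The following Python is an added example (not Zyxel's ADP code, whose internal thresholds are not stated on this page) of such a sliding-window detector run over a constructed set of connection records, with one external source sweeping the page's example WAN address 172.124.163.150 and one LAN host doing ordinary traffic; the function and field names are mine. Running the same records through a strict and a loose setting shows the loose one flagging the legitimate client.

```python
"""Sliding-window port-scan detector over connection records.

Added example, not Zyxel's ADP implementation. Records are constructed here:
(timestamp_seconds, src_ip, dst_ip, dst_port), sorted by timestamp.
"""
from collections import defaultdict, deque


def build_sample_records():
    """Constructed traffic: one sweeping source and one ordinary LAN client."""
    records = []
    # Scanning source touches 30 different ports on the WAN address in 3 seconds.
    for i in range(30):
        records.append((100.0 + i * 0.1, "203.0.113.7", "172.124.163.150", 1 + i))
    # Ordinary client reaches four services on the gateway over about a minute.
    for i, port in enumerate((53, 80, 443, 22)):
        records.append((103.5 + i * 15, "192.168.1.33", "192.168.1.1", port))
    return sorted(records)


def detect_port_scans(records, window=10, threshold=15):
    """Return one alert per (src, dst) pair that reaches `threshold` distinct
    destination ports within any `window`-second span."""
    recent = defaultdict(deque)       # (src, dst) -> deque of (timestamp, port)
    flagged = set()
    alerts = []
    for ts, src, dst, port in records:
        queue = recent[(src, dst)]
        queue.append((ts, port))
        # Drop entries that have slid out of the window.
        while queue and ts - queue[0][0] > window:
            queue.popleft()
        distinct_ports = {p for _, p in queue}
        if len(distinct_ports) >= threshold and (src, dst) not in flagged:
            flagged.add((src, dst))   # alert once per pair, not once per packet
            alerts.append({
                "src": src,
                "dst": dst,
                "ports": len(distinct_ports),
                "first_ts": queue[0][0],
                "last_ts": ts,
            })
    return alerts


if __name__ == "__main__":
    records = build_sample_records()
    for label, kwargs in (("strict", dict(window=10, threshold=15)),
                          ("loose", dict(window=60, threshold=3))):
        for alert in detect_port_scans(records, **kwargs):
            print(label, alert["src"], "->", alert["dst"], alert["ports"], "ports")
```

The strict setting reports only the sweeping source; the loose setting also reports 192.168.1.33, a false positive of exactly the kind the text warns about, because four legitimate services inside a minute look like a scan once the threshold drops to three. Tuning per network means starting from the strict side and lowering thresholds only where the logs show real sweeps being missed.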
How To Block Facebook
This is an example of using a ZyWALL/USG UTM Profile in a Security Policy to block access to a specific social network service. You can use Content Filter, SSL Inspection and Policy Control to make sure that a certain web page cannot be accessed through either HTTP or HTTPS.

Set Up the Content Filter on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > Content Filter > Profile Management > Add Filter File > Custom Service. Configure a Name for you to identify the Content Filter Profile and select Enable Custom Service. CONFIGURATION >...
Then, select the CA Certificate to be the certificate used in this profile. Select Block as the Action for Connection with SSL v2 and select Log type to be log alert. Leave the other actions at their default settings.
CONFIGURATION > UTM Profile > SSL Inspection > Add rule

Set Up the Security Policy on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION >...

Export Certificate from ZyWALL/USG and Import it to Windows 7 Operating System
When SSL inspection is enabled and an accessed website does not trust the ZyWALL/USG certificate, the browser will display a warning page about security certificate problems. Go to ZyWALL/USG CONFIGURATION > Object > Certificate > default > Edit to export the default certificate from the ZyWALL/USG with its Private Key (password zyx123 in this example).
In the Windows 7 Operating System Start Menu > Search Box, type mmc and press Enter.
Start Menu > Search Box > mmc
In the mmc console window, click File > Add/Remove Snap-in...
File > Add/Remove Snap-in...
In Available snap-ins, select Certificates and click the Add button. Select Computer account > Local Computer. Then, click Finish and OK to close the Snap-ins window.
Available snap-ins > Certificates > Add
In the mmc console window, open Certificates (Local Computer) > Trusted Root Certification Authorities, right-click Certificates >...
Click Next. Then, Browse..., and locate the .p12 file you downloaded earlier. Then, click Next.
Click Next, type zyx123 in the Password field and click Next again. Select Place all certificates in the following store, then click Browse and find Trusted Root Certification Authorities. Click Next, then click Finish.
Note: Each ZyWALL/USG device has its own self-signed certificate by factory default. When you reset to the default configuration file, the original self-signed certificate is erased, and a new self-signed certificate is created when the ZyWALL/USG boots the next time.
Go to the ZyWALL/USG Monitor > Log; you will see an [alert] log message such as the one below.
Monitor > Log

What Could Go Wrong?
If you are not able to configure any Content Filter policies or it is not working, there are two possible reasons: You have not subscribed for the Content Filter service.
How To Exempt Specific Users From a Blocked Website
This is an example of using a ZyWALL/USG Security Policy to exempt three corporate executives from a blocked website, while controlling Internet access for other employees' accounts. Because the executives connect to the blocked website from PCs with static IP addresses, you can set up an address group to allow their traffic.

Set Up the Security Policy on the ZyWALL/USG for Employees
In the ZyWALL/USG, go to CONFIGURATION > Object > Address > Add Address Rule to create an address range for employees.
CONFIGURATION > Object > Address > Add Address Rule
Set up the Security Policy for employees: go to CONFIGURATION >...

Set Up the Security Policy on the ZyWALL/USG for Executives
In the ZyWALL/USG, go to CONFIGURATION > Object > Address > Add Address Rule to create an address for each executive.
CONFIGURATION > Object > Address > Add Address Rule
Then, go to CONFIGURATION > Object > Address Group > Add Address Group Rule to create a Group Members' Name and move the just-created executive address objects to Member.
CONFIGURATION > Object > Address Group > Add Address Group Rule
Set up the Security Policy for executives: go to CONFIGURATION >...
policy applies. Select Source to be Executives to apply the policy to all traffic coming from them. In order to view the results later, have the ZyWALL/USG generate a log for matched traffic (log). Leave all UTM Profiles disabled. CONFIGURATION >...

Test the Result
Connect to the Internet from two computers: one from the executive_2 address (192.168.10.2) and one from an employee address (192.168.20.1), and have both access https://hangouts.google.com/. Go to the ZyWALL/USG Monitor > Log; you will see [notice] and [info] log messages such as those below.
How To Control Access To Google Drive
This is an example of using a ZyWALL/USG UTM Profile in a Security Policy to block access to a specific file transfer service. You can use Application Patrol and Policy Control to make sure that a certain file transfer service cannot be accessed through either HTTP or HTTPS.

Set Up the Application Patrol on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION > Object > Application > Add Application Rule. Configure a Name for you to identify the Application Profile. Then, click Add to create an Application Object. CONFIGURATION >...
In the General Settings, select the Application name of the policy (Google_Drive_Control in this example). Select Action to be drop or reject: the ZyWALL/USG will drop packets that match these signatures without (drop) or with (reject) notification. Select the desired Log type: whether to have the ZyWALL/USG generate a log (log), log and alert (log alert) or neither (no) by default when traffic matches a signature in this category.

Set Up the SSL Inspection on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > SSL Inspection > Add rule and configure a Name for you to identify the SSL Inspection profile. Then, select the CA Certificate to be the certificate used in this profile. Select Block, and select Log type to be log alert.

Set Up the Security Policy on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy Control and configure a Name for you to identify the Security Policy profile. For From and To, select the direction of travel of packets to which the policy applies. Scroll down to UTM Profile, select Content Filter and select a profile from the list box (Facebook_Block in this example).

Export Certificate from ZyWALL/USG and Import it to Windows 7 Operating System
When SSL inspection is enabled and an accessed website does not trust the ZyWALL/USG certificate, the browser will display a warning page about security certificate problems. Go to ZyWALL/USG CONFIGURATION > Object > Certificate > default > Edit to export the default certificate from the ZyWALL/USG with its Private Key (password zyx123 in this example).
In the Windows 7 Operating System Start Menu > Search Box, type mmc and press Enter.
Start Menu > Search Box > mmc
In the mmc console window, click File > Add/Remove Snap-in...
File > Add/Remove Snap-in...
In Available snap-ins, select Certificates and click the Add button. Select Computer account > Local Computer. Then, click Finish and OK to close the Snap-ins window.
Available snap-ins > Certificates > Add
In the mmc console window, open Certificates (Local Computer) > Trusted Root Certification Authorities, right-click Certificates >...
Click Next. Then, Browse..., and locate the .p12 file you downloaded earlier. Then, click Next. Click Next, type zyx123 in the Password field and click Next again. Select Place all certificates in the following store, then click Browse and find Trusted Root Certification Authorities.
Note: Each ZyWALL/USG device has its own self-signed certificate by factory default. When you reset to the default configuration file, the original self-signed certificate is erased, and a new self-signed certificate is created when the ZyWALL/USG boots the next time.
Go to the ZyWALL/USG Monitor > Log; you will see an [alert] log message such as the one below.
Monitor > Log

What Could Go Wrong?
If you are not able to configure any Application Patrol policies or it is not working, there are two possible reasons: You have not subscribed for the Application Patrol service.
How To Block HTTPS Websites Using Content Filtering and SSL Inspection This is an example of using ZyWALL/USG Content Filtering, SSL Inspection and a Security Policy to block access to malicious or non-business-related websites. ZyWALL/USG with Block HTTPS Websites Using Content Filtering and SSL Inspection Settings Example Note: All network IP addresses and subnet masks are used as examples in this article.
Set Up the Content Filter on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > Content Filter > Profile Management > Add Filter File > Category Service. Configure a Name for you to identify the Content Filter Profile and select Enable Custom Service. CONFIGURATION >...
If you are not sure which category a web page belongs to, you can enter its URL in the Test Web Site Category text box. CONFIGURATION > UTM Profile > Content Filter > Profile > Profile Management > Add Filter File >...
Select the desired Log type: whether to have the ZyWALL/USG generate a log (log), a log and alert (log alert) or neither (no) by default when traffic matches this policy. CONFIGURATION > UTM Profile > SSL Inspection > Add rule Set Up the Security Policy on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION >...
Export Certificate from ZyWALL/USG and Import it to Windows 7 Operating System When SSL inspection is enabled and the browser does not trust the ZyWALL/USG certificate presented for a website you access, it will display a security certificate warning page. Go to ZyWALL/USG CONFIGURATION > Object > Certificate > default > Edit to export the default certificate from the ZyWALL/USG with its Private Key (password zyx123 in this example).
CONFIGURATION > Object > Certificate > default CONFIGURATION > Object > Certificate > default > Edit > Export Certificate with Private Key Save the default certificate as a *.p12 file on the Windows 7 Operating System. default.p12 In Windows 7 Operating System Start Menu > Search Box, type mmc and press Enter.
In the mmc console window, click File > Add/Remove Snap-in... File > Add/Remove Snap-in... In the Available snap-ins, select Certificates and click the Add button. Select Computer account > Local Computer. Then click Finished and OK to close the Snap-ins window.
In the mmc console window, open Certificates (Local Computer) > Trusted Root Certification Authorities, right click Certificate > All Tasks > Import… Click Next. Then click Browse... and locate the .p12 file you downloaded earlier. Then click Next.
Click Next, type zyx123 in the Password field and click Next again. Select Place all certificates in the following store, then click Browse and find Trusted Root Certification Authorities. Click Next, then click Finish.
Note: Each ZyWALL/USG device has its own self-signed certificate by factory default. When you reset to the default configuration file, the original self-signed certificate is erased, and a new self-signed certificate will be created the next time the ZyWALL/USG boots.
Go to the ZyWALL/USG Monitor > Log to see an [alert] log message such as the one below. Monitor > Log What Could Go Wrong? If you are not able to configure any Content Filter policies or it is not working, there are two possible reasons: You have not subscribed for the Content Filter service.
How To Block the Spotify Music Streaming Service This is an example of using a ZyWALL/USG IDP Profile to block DNS query packets. When the Spotify software launches, it sends a DNS query for Spotify's public server. In this example, you create a custom IDP signature to block a DNS query packet if the packet includes the Spotify signature.
Set Up IDP Profile on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > IDP > Custom Signatures > Add Custom Signatures and configure a Name for you to identify the IDP Profile. Select medium as the Severity level. Select all Platforms. Select Access-Control as the Policy Type to limit access to network resources such as servers.
CONFIGURATION > UTM Profile > IDP > Profile > Base Profile Configure a Name for you to identify the IDP Profile. Activate the newly created IDP Profile and set Action to drop. Set Log type to log alert in order to view the result later.
Go to the ZyWALL/USG Monitor > Log; you will see a [crit] log message such as the one below. Monitor > Log What Could Go Wrong? If you are not able to configure any IDP policies or it is not working, there are two possible reasons: You have not subscribed for the IDP service.
How To Test the EICAR Anti-Virus Test File This is an example of using a ZyWALL/USG Anti-Virus Profile to protect against anomalies based on violations of protocol standards (RFCs, Requests for Comments) and abnormal traffic flows such as port scans. ZyWALL/USG with Anti-Virus Setting and EICAR Test Example Note: All network IP addresses and subnet masks are used as examples in this article.
Set Up the Anti-Virus Profile on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > Anti-Virus > Profile > Profile Management > Add rule and configure a Name for you to identify the Anti-Virus Profile. Set Log type to log alert in order to view the result later. CONFIGURATION >...
Set Up the Security Policy on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy Control and configure a Name for you to identify the Security Policy profile. For the From and To policies, select the direction of travel of the packets to which the policy applies. Scroll down to UTM Profile, select Anti-Virus and select a profile from the list box (EICAR in this example).
Go to the ZyWALL/USG Monitor > Log to see a [crit] log message such as the one below. Monitor > Log What Could Go Wrong? If you cannot see the Log message, the EICAR test file may have been detected and blocked by other Anti-Virus software before the ZyWALL/USG scanned it.
How To Block Downloading of DOC, PDF, XLS and ZIP Files This is an example of using a ZyWALL/USG UTM Profile to block accessing and downloading files from an FTP or HTTP server. Use the Anti-Virus Black List to set up the list of blocked file patterns that restrict access to and downloading of certain files.
Set Up the Anti-Virus Profile on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > Anti-Virus > Black/White List > Black List and click the Add icon. Use wildcards (*) to configure the File Pattern. CONFIGURATION > UTM Profile > Anti-Virus > Black/White List > Black List > Add rule Go to CONFIGURATION >...
In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > Anti-Virus > Profile > Profile Management > Add rule and configure a Name for you to identify the Anti-Virus Profile. Set Log type to log alert in order to view the result later. Make sure you select Check Black List and click OK.
Set Up the Security Policy on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy Control and configure a Name for you to identify the Security Policy profile. For the From and To policies, select the direction of travel of the packets to which the policy applies. Scroll down to UTM Profile, select Anti-Virus and select a profile from the list box (Block_FTP_HTTP_Download in this example).
When you download a PDF file from the FTP server, the browser will not be able to display the content. Go to the ZyWALL/USG Monitor > Log to see an [info] log message such as the one below. Monitor > Log What Could Go Wrong? If you are not able to configure any Anti-Virus policies or it is not working, there are two possible reasons:
You have not subscribed for the Anti-Virus service. You have subscribed for the Anti-Virus service but the license has expired. You can click the link from the CONFIGURATION > Licensing > Registration screen of your ZyXEL device's Web Configurator or click the myZyXEL.com 2.0 icon on the portal page (https://portal.myzyxel.com/) to register or extend your Anti-Virus license.
How To Configure an Anti-Spam Policy with Mail Scan and DNSBL This is an example of using a ZyWALL/USG UTM Profile to mark or discard spam (unsolicited commercial or junk e-mail). Use the Anti-Spam white list to identify legitimate e-mail. Use the Anti-Spam black list to identify spam e-mail. The ZyWALL/USG can also check e-mail against a DNS Black List (DNSBL) of IP addresses of servers that are suspected of being used by spammers.
Set Up the Anti-Spam Profile on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > Anti-Spam > Profile > Profile Management > Add rule and configure a Name for you to identify the Anti-Spam profile. Select from the list of available Scan Options and the desired Log type: whether to have the ZyWALL/USG generate a log (log), a log and alert (log alert) or neither (no) by default when traffic matches this policy.
In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > Anti-Spam > Mail Scan. Select Enable Sender Reputation Checking (SMTP only) to have the ZyWALL/USG detect spam e-mail by sender IP reputation. Select Enable Mail Content Analysis to identify spam e-mail by its content, such as malicious content. Select Enable Virus Outbreak Detection to scan for viruses attached to e-mails, leaving the Query Timeout Settings as they are.
In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > Anti-Spam > Black/White List > Black List > General Settings and select Enable Black List Checking to have the ZyWALL/USG treat e-mail that matches an active black list entry as spam. CONFIGURATION >...
Set Up the Security Policy on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy Control and configure a Name for you to identify the Security Policy profile. For the From and To policies, select the direction of travel of the packets to which the policy applies. Scroll down to UTM Profile, select Anti-Virus and select a profile from the list box (Anti_Spam_Check in this example).
Go to the ZyWALL/USG Monitor > Log; you will see an [alert] log message such as the one below. Monitor > Log What Could Go Wrong? If you are not able to configure any Anti-Spam policies or it is not working, there are two possible reasons: You have not subscribed for the Anti-Spam service.
How to Configure Bandwidth Management for FTP and HTTP Traffic This is an example of using ZyWALL/USG Bandwidth Management (BWM) to control the bandwidth allocation for FTP and HTTP traffic. You can use source interface, destination interface, destination port, schedule, user, source, destination information, DSCP code and service type as criteria to create a sequence of specific conditions that allocate bandwidth to the matching packets.
Set Up the Bandwidth Management for FTP on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > BWM > Configuration > Add Policy, select Enable and type FTP Any-to-WAN as the policy's Description. Leave the Incoming Interface as any and set the Outgoing Interface to wan1.
CONFIGURATION > BWM > Configuration > Add Policy Note: In Bandwidth Management, the highest priority is (1) and the lowest priority is (7). Set Up the Bandwidth Management for HTTP on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > BWM > Configuration > Add Policy, select Enable and type HTTP Any-to-WAN as the policy's Description (optional).
Leave the Incoming Interface as any and set the Outgoing Interface to wan1. Set Service Type to Service Object and select HTTP from the list box. Set the Guaranteed Bandwidth Inbound to 600 (kbps) and set the higher Priority 3. Set the Maximum to 800 (kbps).
Note: In Bandwidth Management, the highest priority is (1) and the lowest priority is (7). Set Up the Bandwidth Management Global Setting on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > BWM > BWM Global Setting and select Enable. CONFIGURATION > BWM > BWM Global Setting Test the Result Access the Internet to generate FTP traffic and HTTP traffic.
Go to the ZyWALL/USG Monitor > Log; you will see an [alert] log message such as the one below. Monitor > Log What Could Go Wrong? “Outbound” in the guaranteed bandwidth settings applies to traffic going from the connection initiator to the outgoing interface; “Inbound” refers to the reverse direction.
How to Limit BitTorrent or Other Peer-to-Peer Traffic This is an example of using ZyWALL/USG Bandwidth Management (BWM) to control the bandwidth allocation for peer-to-peer traffic. You can use source interface, destination interface, destination port, schedule, user, source, destination information, DSCP code and service type as criteria to create a sequence of specific conditions that allocate bandwidth to the matching packets.
Set Up the Application Patrol Profile on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Object > Application > Add Application Rule. Configure a Name for you to identify the Application Profile. Then click Add to create an Application Object. CONFIGURATION >...
Set Up the Bandwidth Management for BitTorrent on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > BWM > Configuration > Add Policy, select Enable and type BitTorrent Any-to-Any as the policy's Description. Leave the Incoming Interface as any and set the Outgoing Interface to wan1.
CONFIGURATION > BWM > Configuration > Add Policy Note: In Bandwidth Management, the highest priority is (1) and the lowest priority is (7).
Set Up the Bandwidth Management Global Setting on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > BWM > BWM Global Setting and select Enable. CONFIGURATION > BWM > BWM Global Setting Test the Result Download the BitTorrent application to test the result: http://www.bittorrent.com/downloads In this example, an 826 MB file is downloading and the Down Speed is limited to a maximum of 65 kB/s.
What Could Go Wrong? “Outbound” in the guaranteed bandwidth settings applies to traffic going from the connection initiator to the outgoing interface; “Inbound” refers to the reverse direction. Make sure you have registered the Application Patrol service on the ZyWALL/USG to use an Application Object as the Service Type in bandwidth management rules.
How to Configure a Trunk for WAN Load Balancing with a Static or Dynamic IP Address This is an example of using a ZyWALL/USG Trunk for two WAN connections to the Internet. The available bandwidth for the connections is 1000 kbps (wan1, with a static IP address) and 512 kbps (wan2, with a dynamic IP address) respectively.
Set Up the Available Bandwidth on the WAN1 Interface on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Interface > Ethernet > WAN1 > Egress Bandwidth and enter the available bandwidth (1000 kbps) in the Egress Bandwidth field. Click OK. CONFIGURATION >...
Set Up the Available Bandwidth on the WAN2 Interface on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Interface > Ethernet > WAN2 > Egress Bandwidth and enter the available bandwidth (512 kbps) in the Egress Bandwidth field. Click OK. CONFIGURATION >...
CONFIGURATION > Interface > Trunk > User Configuration > Add Trunk In the Configuration screen, go to the Default WAN Trunk section, select User Configured Trunk and select the newly created Trunk from the list box. Click Apply. CONFIGURATION > Interface > Trunk > Default WAN Trunk Test the Result Browse any website to test the result.
What Could Go Wrong? If no traffic passes through either the WAN1 or the WAN2 interface, check that the Mode of both WAN1 and WAN2 is Active. If an interface in the trunk is in Passive mode, the ZyWALL/USG uses that connection only when all of the connections set to Active mode are down.
How to Configure DNS Inbound Load Balancing to Balance DNS Queries Among Interfaces This is an example of having the ZyWALL/USG dynamically respond to DNS query messages with the IP address of its least loaded interface. The DNS query senders will then transmit packets to that interface instead of to an interface that has a heavy load.
Set Up the DNS Inbound Load Balancing on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > DNS Inbound LB. Edit the Query Domain Name and set the Load Balancing Algorithm field to Least Load - Total.
CONFIGURATION > Network > DNS Inbound LB Go to the Global Setting page and select Enable DNS Load Balancing. CONFIGURATION > Network > DNS Inbound LB Set Up the NAT Rule on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > NAT. Configure the Virtual Server to forward the traffic from the WAN to the internal server (192.168.1.33).
Create a Security Policy in order to view the test result. Set Destination to the internal server IP address (192.168.1.33 in this example) and set Log type to Log Alert. Go to the ZyWALL/USG Monitor > Log; you will see an [alert] log message such as the one below.
How to Manage Voice Traffic This is an example of using the Application Layer Gateway (ALG) to allow SIP (Session Initiation Protocol) voice traffic through the ZyWALL/USG. To achieve high-quality voice transmission, the ZyWALL/USG provides a Bandwidth Management (BWM) function to manage bandwidth effectively according to flexible criteria.
Set Up the SIP ALG on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > SIP > SIP Settings and select Enable SIP ALG, Enable SIP Transformations (optional), Restrict Peer to Peer Signaling Connection and Restrict Peer to Peer Media Connection. Make sure the SIP Signaling Port is configured the same as your VoIP phone's SIP signaling port.
Set Up the Bandwidth Management for P2P on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > BWM > Configuration > Add Policy, select Enable and type P2P Any-to-WAN as the policy's Description. Leave the Incoming Interface as any and set the Outgoing Interface to WAN1.
CONFIGURATION > BWM > Configuration > Add Policy Note: In Bandwidth Shaping, the highest priority is (1) and the lowest priority is (7). Set Up the Bandwidth Management for FTP on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > BWM > Configuration > Add Policy, select Enable and type FTP Any-to-Any as the policy's Description.
Leave the Incoming Interface as any and set the Outgoing Interface to WAN1. Set Service Type to Service Object and select FTP from the list box. Set the Guaranteed Bandwidth Inbound to 150 (kbps) and set Priority 5. Set the Maximum to 200 (kbps).
Test the Result Add a Security Policy rule to view the SIP log: CONFIGURATION > BWM > Configuration > Add Policy Dial Phone Number 1001 (192.168.10.2 in this example) from Phone Number 1002 (192.168.100.2 in this example), then go to the ZyWALL/USG Monitor > Log; you will see an [alert] log message such as the one below.
What Could Go Wrong? If you see an [alert] log message such as the one below, the voice traffic is blocked by the priority 1 Security Policy. The ZyWALL/USG checks the security policies in order and applies the first security policy the traffic matches. If the voice traffic matches a policy that comes earlier in the list, it may be unexpectedly blocked.
How to Manage ZyWALL/USG Configuration Files This is an example of how to rename, download, copy, apply and upload configuration files. Once your ZyWALL/USG is configured and functioning properly, it is highly recommended that you back up your configuration file before making further configuration changes.
Note: This example uses a USG310 (Firmware Version: ZLD 4.25). Rename the Configuration Files on the ZyWALL/USG In the ZyWALL/USG, go to MAINTENANCE > File Manager > Configuration File, select the configuration file and click Rename. A pop-up screen will appear allowing you to edit the Target file name.
Download the Configuration Files on the ZyWALL/USG In the ZyWALL/USG, go to MAINTENANCE > File Manager > Configuration File, select the configuration file and click Download to back up your configuration file from the ZyWALL/USG to your computer. MAINTENANCE > File Manager > Configuration File Copy the Configuration Files on the ZyWALL/USG In the ZyWALL/USG, go to MAINTENANCE >...
Apply the Configuration Files on the ZyWALL/USG In the ZyWALL/USG, go to MAINTENANCE > File Manager > Configuration File and select a specific configuration file to have the ZyWALL/USG use it. For example, select the system-default.conf file and click Apply to reset all of the ZyWALL/USG settings to the factory defaults.
A pop-up screen will appear allowing you to edit the Target file name. Select Immediately stop applying the configuration file and roll back to the previous configuration to get the ZyWALL/USG started with a fully valid configuration file as quickly as possible.
Under Upload Configuration File, click Browse to upload a new or previously saved configuration file from your computer to your ZyWALL/USG. You cannot upload a configuration file named system-default.conf or lastgood.conf. If you upload startup-config.conf, it replaces the current configuration and immediately applies the new settings.
How to Manage ZyWALL/USG Firmware This is an example of using the ZyWALL/USG to check your current firmware version and upload firmware to the ZyWALL/USG. You can upload firmware to be the Running firmware or the Standby firmware. ZyWALL/USG with Firmware Management Example Note: The firmware update can take up to five minutes.
Download the Current Firmware Version from ZyXEL.com Go to www.zyxel.com/support/download_landing.shtml and download the current firmware package. Extract the firmware zip file.
Upload the Firmware on the ZyWALL/USG In the ZyWALL/USG, go to MAINTENANCE > File Manager > Firmware Package > Upload File. Click the To upload image file in system space pull-down menu and select (1) or (2). The default Standby system space is (2), so if you want to upload new firmware to be the Running firmware, select the Running system space (1).
MAINTENANCE > File Manager > Firmware Package > Upload File > (2) To upload firmware, click Browse, go to the location of the file (*.bin) and then click Upload.
Note: The default Running system space is (1) and the Standby system space is (2). If you select the Standby firmware and click Reboot now, or you upload a file to the Standby system space (2) and set Boot Options to Reboot now, the Running system space will be (2) after the reboot completes.
What Could Go Wrong? If you cannot download the firmware, check whether the Destroy compressed files that could not be decompressed function is enabled in Anti-Virus. The ZyWALL/USG firmware package is a ZIP file; if the ZyWALL/USG classifies the package as one that cannot be decompressed, it will delete it. Disable this option while downloading the firmware package.
How to Get Started Using the Wizards When you log into the Web Configurator for the first time or when you reset the ZyWALL/USG to its default configuration, the Installation Setup Wizard screen displays. This is an example of using the ZyWALL/USG Wizards to configure Internet connection settings, wireless settings and device registration services.
In the Internet Access page, you can configure Internet connections from two Internet service providers (ISPs). Connect your ISP devices to your ZyWALL/USG WAN port, then select I have two ISPs if you want to configure two Internet connections or leave it cleared to configure just one.
Choose Ethernet as the Encapsulation option and leave Zone at its default setting (the Internet connection belongs to the WAN zone). In the IP Address Assignment section, select Auto if your ISP did not assign you a fixed IP address or Static if your ISP did assign you a fixed IP address. Click Next.
The Internet Access Succeed page will display the summary of the Internet access of the First Setting. If you selected I have two ISPs in Internet Access > ISP Setting, click Next to configure the second WAN interface; otherwise continue to the Wireless Settings page.
Set Up the Internet Access (PPPoE) Wizard on the ZyWALL/USG In the ZyWALL/USG Installation Setup Wizard Welcome page, click Next to start configuring Internet access. Click the double arrow in the upper right corner to display (≪) or hide (≫) the help. Installation Setup Wizard >...
Select the Authentication Type to be the authentication method required by the remote node. Enter the User Name and Password exactly as given by your ISP or network administrator. Select Nailed-UP if you want to keep the connection always up, or type the desired Idle Timeout value in seconds.
Next to configure the second WAN interface. Installation Setup Wizard > Welcome > Internet Access > Internet Access Succeed Set Up the Internet Access (PPTP) Wizard on the ZyWALL/USG In the ZyWALL/USG Installation Setup Wizard Welcome page, click Next to start configuring Internet access.
In the Internet Access page, you can configure Internet connections from two Internet service providers (ISPs). Connect your ISP devices to your ZyWALL/USG WAN port, then select I have two ISPs if you want to configure two Internet connections or leave it cleared to configure just one. Choose PPTP as the Encapsulation option and leave Zone at its default setting (the Internet connection belongs to the WAN zone).
Select the Authentication Type to be the authentication method required by the remote node. Enter the User Name and Password exactly as given by your ISP or network administrator. Select Nailed-UP if you want to keep the connection always up, or type the desired Idle Timeout value in seconds.
The Internet Access Succeed page will display the summary of the Internet access of the First Setting. If you selected I have two ISPs in Internet Access > ISP Setting, click Next to configure the second WAN interface. Installation Setup Wizard > Welcome > Internet Access > Internet Access Succeed Set Up the Wireless Settings Wizard on the ZyWALL/USG In the Wireless Settings page, select Yes if you want the ZyWALL/USG to enable the AP Controller feature in your network;...
Configure a descriptive SSID name (1-32 characters) for the wireless LAN. Select Pre-Shared Key (8-63 characters) to add security to this wireless network. Otherwise, select None to allow any wireless client to associate with this network without authentication. Select Hidden SSID to hide the SSID from site tool scanning. Select Enable Intra-BSS Traffic blocking if you want to prevent crossover traffic from within the same wireless network.
devices in the AP wireless network. Installation Setup Wizard > Welcome > Internet Access > Internet Access Succeed > Wireless Settings Set Up the Device Registration on the ZyWALL/USG The ZyWALL/USG must be connected to the Internet in order to register. Click portal.myzyxel.com to register the device; you need the ZyWALL/USG's serial number and LAN MAC address to register it.
Services at myZyXEL.com for more details. Use the Configuration > Licensing > Registration > Service screen to update your service subscription status. Click Finish. Installation Setup Wizard > Welcome > Internet Access > Internet Access Succeed > Wireless Settings > Device Registration
www.zyxel.com How to Configure the 3G/LTE Interface on the ZyWALL/USG as a WAN Backup This is an example of using ZyWALL/USG to configure 3G/LTE interface as a WAN backup that ensures the ZyWALL/USG provides the continuously Internet connections when the primary WAN interface is down. After configuration, it can provide additional mobile broadband WAN connectivity or a redundant link for maximum reliability.
www.zyxel.com Set Up the 3G/LTE Interface on the ZyWALL/USG Connect a compatible mobile broadband USB device to use a cellular connection. In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Cellular, the connected device will automatically display in the Cellular Interface Summary. Click Activate and then the Apply button at the bottom of this page.
www.zyxel.com Set Up the Trunk on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Trunk > User Configuration > Add Trunk, configure a Name for you to identify the Trunk profile and set the Load Balancing Algorithm field to be the Weighted Round Robin. Add wan1 and enter 3 in the Weight column.
www.zyxel.com Test the Result Check the Interface Statistics when wan1 and wan2 connections are up. You can see both wan1 and wan2 Status are up, Tx B/s displays the transmission speed and Rx B/s displays the reception speed; cellular1 Status is connected but there is no traffic going through this interface.
www.zyxel.com What Could Go Wrong? If there is no traffic going through cellular interface when other interfaces are down, please make sure you have a compatible mobile broadband device installed or connected. Go to http://www.zyxel.com/support/download_landing.shtml and see the 3G Dongle Document to check the compatible mobile broadband devices.
www.zyxel.com How to Configure Two Different WAN Interfaces with Different IP Addresses in the Same VLAN This is an example of using ZyWALL/USG to configure two different WAN interfaces with different IP addresses in the same VLAN. After configuration, you can have the same VLAN ID for two different WAN interfaces.
www.zyxel.com Set Up the Port Grouping on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Port Grouping, select the ports that you want to assign to a representative Interface (in this example, Port 4 and Port 5 are configured as ge5). CONFIGURATION >...
Page 667
www.zyxel.com In the Configuration page, select the vlan1 entry and click Create Virtual Interface on the upper bar. Configure the Fixed IP address (192.168.15.33/24 in this example). Click OK. CONFIGURATION > Network > Interface > VLAN > vlan1 CONFIGURATION > Network > Interface > VLAN > vlan1:1 667/749...
www.zyxel.com Set Up the Routing on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Routing, set Next-Hop Type to be Interface and set Interface to be the vlan1. CONFIGURATION > Network > Routing Test the Result Check the Interface Statistics, you can see vlan1 Status is up, Tx B/s displays the transmission speed and Rx B/s displays the reception speed.
www.zyxel.com What Could Go Wrong? If you cannot configure a particular VLAN interface on top of an Ethernet interface, please whether this VLAN has just been created on top of other Ethernet interface. 669/749...
How to Let a Server Use the Same Public IP Address as the WAN Interface Using the Bridge Interface This is an example of using ZyWALL/USG to configure an internal server in bridge mode without applying network address translation (NAT). The Internet users can reach this server directly by its public IP address.
Set Up the Bridge Interface on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Bridge > add Bridge, select Interface Type to be the general type, select Zone to be the LAN zone. In the Member Configuration, select internal server (IntServer1 interface in this example) and public IP address (Public WAN interface in this example) to be in the same member group.
After creating the bridge interface, connect the server's network cable to the IntServer1 port and set the server's IP address to be in the same subnet (172.124.163.158 in this example). Test the Result Check the Interface Statistics: br1 Status is up, Tx B/s displays the transmission speed and Rx B/s displays the reception speed.
What Could Go Wrong? If you cannot configure a particular bridge IP address, please check whether this IP address is already configured on another Ethernet interface.
How to Allow Public Access to a Server Behind ZyWALL/USG This is an example of using ZyWALL/USG to configure secure access to an internal server behind the ZyWALL/USG with network address translation (NAT). Internet users can reach this server directly by its public IP address, and a NAT mapping rule will forward the traffic from the Internet to the Intranet.
Set Up the NAT on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > NAT > add NAT, select Enable Rule. Select 1:1 NAT. Set Incoming Interface to the wan1 interface. Type the User-Defined Original IP (172.251.31.90 in this example) and the User-Defined Mapped IP (192.168.1.34 in this example).
What Could Go Wrong? If you cannot access your server via its public IP address, please make sure all your public IP addresses are routed properly. To check this, assign them one by one to the ZyWALL's WAN port and test that you have Internet access with each public IP address.
How to Set Up a WiFi Network with ZyXEL APs This is an example of using ZyWALL/USG to manage the Access Points (APs) and allow wireless access to the network. ZyWALL/USG as AP Controller Example Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks.
Set Up the AP Management on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Wireless > Controller > Configuration, set Registration Type to Manual. This is recommended as the registration mechanism cannot automatically differentiate between friendly and rogue APs. CONFIGURATION >...
Go to CONFIGURATION > Object > AP Profile > SSID > Security List to select the Security Mode to be wpa2. Then, set a Pre-Shared Key (8-63 characters) and select the Cipher Type to be auto, so that the ZyWALL/USG automatically chooses the best available cipher based on the cipher currently in use by the wireless network.
Test the Result Go to the ZyWALL/USG Monitor > Wireless > AP Information > AP List; you can check the list of APs which are currently connected to it and detailed information such as Registration type, Model and Recent On-line Time / Last Off-line Time.
number it can support. You can check the maximum support number of each ZyWALL/USG in the Datasheet from ZyXEL Download Library - http://www.zyxel.com/support/download_landing.shtml If your mobile device can’t find the AP SSID you configured, please go to CONFIGURATION > Object > AP Profile > SSID > SSID List and check if the Hidden SSID option is enabled.
How to Set Up Guest WiFi Network Accounts This is an example of using ZyWALL/USG to configure guest WiFi accounts to allow limited wireless access to the Internet using only HTTP, HTTPS, and DNS protocols. For the wireless network setup, please see the tutorial about How to Set Up WiFi with ZyXEL AP.
Set Up the WiFi Guest Account, Address Range and Service Rule on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Object > User/Group > User > Add A User to configure the User Name of the guest Wi-Fi user and set User Type to guest. Set a secure Password (4-31 characters) and enter it again for confirmation.
CONFIGURATION > Object > Address > Add Address Rule In the ZyWALL/USG, go to CONFIGURATION > Object > Service > Service Group > Add Service Group Rule to create the allowed protocols for the guest Wi-Fi user. Configure the Name for you to identify the Service Group. Set HTTP, HTTPS and DNS to be in the same member group and click OK.
Set Up the Web Authentication on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Web Authentication > Web Authentication Policy Summary > Auth. Policy Add to configure a policy that redirects HTTP traffic to the user login screen. Configure the Description (Optional) for you to identify the auth.
Set Up the Security Policy on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy > Add corresponding. Configure a Name for you to identify the Security Policy profile. Set From: LAN and To: any (Excluding ZyWALL). Set Service to the Service Group Rule (wifi_guest_access in this example).
Test the Result Use a mobile device to connect to the AP which is connected to the ZyWALL/USG. When you try to access the Internet, you will be redirected to the user login screen. Type the Wi-Fi guest User Name and Password, and click Login.
The access session page will appear.
Go to the ZyWALL/USG Monitor > System Status > Login Users; you will see the current login user list as shown below. Monitor > System Status > Login Users Attempt to access an FTP server (a prohibited service in this example); you will get an error message.
matches a policy that comes earlier in the list, it may be unexpectedly blocked. Please change your policy setting or move the Wi-Fi guest policy to a higher priority. Monitor > Log Note: By default, Security Policy rules do not log matched traffic (except PolicyDefault). If you want to check which policy may be blocking the traffic, select that policy and set Log matched traffic to log or log alert.
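The ordering problem described above comes from first-match evaluation: the Security Policy list is walked top to bottom and the first rule whose zones, user and service all match decides the verdict, so a broad rule placed above the Wi-Fi guest rule silently captures its traffic. The following Python model, added here as an illustration and not part of the Zyxel handbook or firmware, reproduces that semantics with a constructed rule list (the guest rule mirrors the tutorial's LAN-to-any HTTP/HTTPS/DNS allow; the "Block_LAN_Clients" rule above it is a hypothetical pre-existing deny) and includes a helper that reports which higher-priority rules shadow a given rule, which is the check you would run before opening a ticket about "unexpectedly blocked" guests.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed service objects: name -> set of (protocol, port) tuples.
SERVICES = {
    "HTTP": {("tcp", 80)},
    "HTTPS": {("tcp", 443)},
    "DNS": {("udp", 53), ("tcp", 53)},
    "FTP": {("tcp", 21)},
}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str                 # e.g. "LAN" or "any"
    dst_zone: str                 # e.g. "WAN", "ZyWALL" or "any"
    services: FrozenSet[str]      # empty frozenset = any service
    user: Optional[str]           # None = any user
    action: str                   # "allow" or "deny"
    log: bool = False             # the "Log matched traffic" setting


def _service_flows(services: FrozenSet[str]):
    """Expand service names to concrete (proto, port) flows; None means 'any'."""
    return set().union(*(SERVICES[s] for s in services)) if services else None


def evaluate(policy: List[Rule], src_zone: str, dst_zone: str,
             proto: str, port: int, user: Optional[str] = None) -> Tuple[str, str, bool]:
    """First-match evaluation: returns (action, matched rule name, log flag).

    Rules are checked top to bottom; the first rule whose fields all match wins.
    If nothing matches, PolicyDefault denies and logs.
    """
    for rule in policy:
        if rule.src_zone not in ("any", src_zone):
            continue
        if rule.dst_zone not in ("any", dst_zone):
            continue
        if rule.user is not None and rule.user != user:
            continue
        flows = _service_flows(rule.services)
        if flows is not None and (proto, port) not in flows:
            continue
        return rule.action, rule.name, rule.log
    return "deny", "PolicyDefault", True


def shadowing_rules(policy: List[Rule], rule_name: str, src_zone: str = "LAN",
                    dst_zone: str = "WAN") -> List[str]:
    """Names of rules placed above rule_name that already capture the flows it should handle."""
    idx = next(i for i, r in enumerate(policy) if r.name == rule_name)
    target = policy[idx]
    flows = _service_flows(target.services) or {("tcp", 80)}
    found: List[str] = []
    for proto, port in sorted(flows):
        _, name, _ = evaluate(policy[:idx], src_zone, dst_zone, proto, port, target.user)
        if name != "PolicyDefault" and name not in found:
            found.append(name)
    return found


# Constructed policy list (hypothetical names, not from the handbook).
GUEST_RULE = Rule("Wi-Fi_Guest", "LAN", "any", frozenset({"HTTP", "HTTPS", "DNS"}), "guest", "allow", log=True)
BLOCK_LAN = Rule("Block_LAN_Clients", "LAN", "any", frozenset(), None, "deny")

MISORDERED = [BLOCK_LAN, GUEST_RULE]   # guest traffic is caught by the earlier deny
CORRECTED = [GUEST_RULE, BLOCK_LAN]    # guest rule moved to a higher priority


if __name__ == "__main__":
    for label, policy in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(label, "HTTP:", evaluate(policy, "LAN", "WAN", "tcp", 80, "guest"))
        print(label, "FTP:", evaluate(policy, "LAN", "WAN", "tcp", 21, "guest"))
        print(label, "shadowed by:", shadowing_rules(policy, "Wi-Fi_Guest"))
```

In the misordered list the guest's HTTP request is denied by Block_LAN_Clients without any log line (its log flag is off), which is exactly the situation the note above describes; in the corrected list the guest rule matches first and FTP still falls through to the deny, so the restriction to HTTP/HTTPS/DNS is preserved.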
How to Create Wi-Fi VLAN Interfaces to Separate the Staff Network and the Guest Network This example shows how to create Wi-Fi VLAN interfaces to separate the staff network and the guest network. Suppose the staff network should have no restrictions, but guests must be prevented from accessing the USG.
Set up Wi-Fi VLAN interfaces Create VLAN interfaces Go to CONFIGURATION > Object > Zone. Create a zone for the guest. CONFIGURATION > Object > Zone Go to CONFIGURATION > Network > Interface > VLAN. Create VLAN16 for Staff_WiFi and VLAN17 for Guest_WiF CONFIGURATION >...
CONFIGURATION > Network > Interface > VLAN > VLAN17 There will be two VLAN interfaces. CONFIGURATION > Network > Interface > VLAN
Set Up the User Go to Configuration > Object > User/Group > User, and create users for the staff and the guest. Configuration > Object > User/Group > User > staff Configuration > Object > User/Group > User > guest
There will be two users. Set Up the AP Profile Go to CONFIGURATION > Object > AP Profile > SSID > Security List, and create two security profiles. CONFIGURATION > Object > AP Profile > SSID > Security List > Guest_WPA2
CONFIGURATION > Object > AP Profile > SSID > Security List > Staff_WPA2 Go to CONFIGURATION > Object > AP Profile > SSID > SSID List, and create two SSID profiles. CONFIGURATION > Object > AP Profile > SSID > SSID List > Staff_Wifi CONFIGURATION >...
Go to CONFIGURATION > Wireless > AP Management > AP Group, and add an AP Group as WiFi. CONFIGURATION > Wireless > AP Management > AP Group Go to CONFIGURATION > Wireless > AP Management > Mgnt. AP List, and Edit the AP List.
CONFIGURATION > Wireless > AP Management > Mgnt. AP List Set Up the Security Policy Rule Go to CONFIGURATION > Security Policy > Policy Control > Policy. Add one rule to block guest access to the USG, and another to allow guest access to the Internet. CONFIGURATION >...
CONFIGURATION > Security Policy > Policy Control > Policy > Guest_Internet Test Result Connect to the SSID Staff_WiFi, and ping the USG interface.
Connect to the SSID Guest_WiFi, and ping the USG interface. What Could Go Wrong? Choosing the wrong zone for the Guest VLAN interface.
Not moving the AP to the correct group. Not creating the correct rule to block guest access to the USG.
How to Set Up WiFi Networks with Microsoft Active Directory Authentication This is an example of using ZyWALL/USG to configure guest WiFi accounts with Microsoft Active Directory (AD) to authenticate your WiFi guests. For the wireless network setup, please go to How to Set Up WiFi with ZyXEL AP. ZyWALL/USG with AD Guest WiFi Accounts Example Note: All network IP addresses and subnet masks are used as examples in this article.
Set Up the Wi-Fi Guest Account and Authentication Method on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Object > User/Group > User > ad-users, set the Authentication Timeout Settings to Use Manual Settings and enter the number of minutes this user has to renew the current session before the user is logged out.
CONFIGURATION > Web Authentication > General Settings Set Up the Active Directory Server Account on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Object > AAA Server > Active Directory > Add Active Directory to configure the AD server. Enter the Server Address (192.168.1.33 in this example) and Base DN (dc=cso,dc=net in this example).
CONFIGURATION > Object > AAA Server > Active Directory > Add Active Directory Set Up the Security Policy on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy > Add corresponding. Configure a Name for you to identify the Security Policy profile. Set From: LAN and To: any (Excluding ZyWALL).
Test the Result Use a mobile device to connect to the AP which is connected to the ZyWALL/USG. When you try to access the Internet, you will be redirected to the user login screen.
Type the Wi-Fi guest User Name and Password, and click Login. The access session page will appear.
Go to the ZyWALL/USG Monitor > System Status > Login Users; you will see the current login user list as shown below. Monitor > System Status > Login Users What Could Go Wrong? If you see a [notice] log entry like the one shown below, the Wi-Fi guest traffic is being blocked by the priority 1 Security Policy.
How to Set Up IPv6 Interfaces for Pure IPv6 Routing This example shows how to configure your ZyWALL/USG WAN and LAN interfaces, which connect two IPv6 networks. The ZyWALL/USG periodically advertises the network prefix 2002:1111:1111:1111::/64 to the LAN through router advertisements. ZyWALL/USG with Pure IPv6 Network Example Note: All network IP addresses and subnet masks are used as examples in this article.
Enable the IPv6 on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > System > IPv6 > Global Setting, select Enable IPv6 and click Apply at the bottom of the screen. CONFIGURATION > System > IPv6 > Global Setting Set Up the WAN IPv6 Interface on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION >...
CONFIGURATION > Network > Interface > Ethernet > wan1 Note: Your ISP or uplink router should enable router advertisement. Set Up the LAN IPv6 Interface on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Ethernet > lan1. Select Enable Interface and Enable IPv6.
Test the Result Connect a computer to the ZyWALL/USG’s LAN1. Enable IPv6 support on your computer. In Windows XP, you need to use the IPv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default. You can enable IPv6 in the Control Panel > Network and Sharing Center > Local Area Connection screen. Your computer should get an IPv6 address (starting with 2002:1111:1111:1111: in this example) from the ZyWALL/USG.
What Could Go Wrong? If your IPv6 connection is not working, please make sure you enable Auto-Configuration on the WAN1 IPv6 interface. Without it, you will not have a default route to forward the LAN’s IPv6 packets. In Windows, some IPv6-related tunnels, such as Teredo and 6to4, may be enabled by default.
How to Set Up an IPv6 6to4 Tunnel This example shows how to configure your ZyWALL/USG to create an IPv6 6to4 tunnel. In this example, the ZyWALL/USG acts as a 6to4 router which connects the IPv4. After configuration, the ZyWALL/USG can assign IPv6 addresses to clients behind it and pass IPv6 traffic through an IPv4 environment to reach a remote IPv6 network.
Set Up the LAN IPv6 Interface on the ZyWALL/USG The second and third 16-bit groups of the IPv6 address (counting from the left) must be derived from the wan1 IPv4 address (122.100.220.238 in this example), which is 7a64:dcee in hexadecimal. (You can go to https://isc.sans.edu/tools/ipv6.html#form to convert an IPv4 address into its default 6to4 equivalent.)
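The conversion above is mechanical: each octet of the WAN IPv4 address becomes one byte of the second and third 16-bit groups after the fixed 2002: prefix (RFC 3056), which yields a /48 from which one /64 is chosen for the LAN. The Python below is an added worked example, not code from the Zyxel handbook, that performs the conversion for the tutorial's 122.100.220.238, picks the LAN /64, recovers the embedded IPv4 address from a 6to4 address (a useful sanity check on addresses seen in logs), and verifies that a client's autoconfigured address lies in the expected subnet. The client address and subnet ID are constructed values.

```python
import ipaddress

SIXTO4_BASE = 0x2002  # first 16-bit group of every 6to4 address (RFC 3056)


def ipv4_to_6to4_prefix(ipv4: str) -> str:
    """Derive the /48 6to4 prefix 2002:WWXX:YYZZ::/48 from a public IPv4 address W.X.Y.Z."""
    addr = ipaddress.IPv4Address(ipv4)
    if not addr.is_global:
        # 6to4 relays embed the IPv4 address in the prefix, so it must be reachable from the Internet.
        raise ValueError(f"{ipv4} is not a globally routable IPv4 address")
    w, x, y, z = addr.packed
    return f"{SIXTO4_BASE:x}:{w:02x}{x:02x}:{y:02x}{z:02x}::/48"


def lan_6to4_subnet(ipv4: str, subnet_id: int = 1) -> ipaddress.IPv6Network:
    """Pick one /64 out of the /48: subnet_id becomes the fourth 16-bit group."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet_id must fit in 16 bits")
    prefix = ipaddress.IPv6Network(ipv4_to_6to4_prefix(ipv4))
    # The /48 network address plus (subnet_id << 64) is the chosen /64.
    return ipaddress.IPv6Network((int(prefix.network_address) + (subnet_id << 64), 64))


def embedded_ipv4(ipv6: str) -> str:
    """Recover the IPv4 address embedded in a 6to4 address (the reverse conversion)."""
    packed = ipaddress.IPv6Address(ipv6).packed
    if packed[0:2] != SIXTO4_BASE.to_bytes(2, "big"):
        raise ValueError(f"{ipv6} is not a 6to4 address")
    return str(ipaddress.IPv4Address(packed[2:6]))


def client_in_lan_prefix(client_ipv6: str, wan_ipv4: str, subnet_id: int = 1) -> bool:
    """Check whether a LAN client's autoconfigured address falls inside the expected /64."""
    return ipaddress.IPv6Address(client_ipv6) in lan_6to4_subnet(wan_ipv4, subnet_id)


if __name__ == "__main__":
    wan = "122.100.220.238"                          # the tutorial's wan1 address
    print(ipv4_to_6to4_prefix(wan))                  # 2002:7a64:dcee::/48
    print(lan_6to4_subnet(wan, 1))                   # 2002:7a64:dcee:1::/64
    print(embedded_ipv4("2002:7a64:dcee:1::111"))    # 122.100.220.238
    print(client_in_lan_prefix("2002:7a64:dcee:1:1234:5678:9abc:def0", wan))  # True
```

The is_global check matters operationally: a 6to4 prefix built from a private or CGNAT WAN address looks valid but can never be reached through a public 6to4 relay, which is one way an "IPv6 not working" report ends up on the desk.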
CONFIGURATION > Network > Interface > Ethernet > lan1 > IPv6 Router Advertisement Setting Set Up the 6to4 Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Tunnel > Add, Select Enable. Enter tunnel0 as the Interface Name and select 6to4 as the Tunnel Mode.
CONFIGURATION > Network > Interface > Tunnel Test the Result Connect a computer to the ZyWALL/USG’s LAN1. Enable IPv6 support on your computer. In Windows XP, you need to use the IPv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default.
Type ping -6 ipv6.google.com in a Command Prompt to test. You should get a response. Window 7 > cmd > ping -6 ipv6.google.com What Could Go Wrong? If your IPv6 connection is not working, please make sure you disable Auto-Configuration on the LAN1 IPv6 interface.
How to Set Up an IPv6-in-IPv4 Tunnel This example shows how to configure your ZyWALL/USG to create an IPv6-in-IPv4 tunnel. In this example, the ZyWALL/USG acts as an IPv6-in-IPv4 router connecting the IPv4 Internet and an individual IPv6 network. This configuration example only shows the settings on ZyWALL/USG_Z.
Set Up the LAN IPv6 Interface on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Ethernet > lan1. Select Enable Interface and Enable IPv6. Type 2002:7a64:dcee:1::111/128 in the IPv6 Address/Prefix Length field for the LAN1’s IP address. Enable Router Advertisement.
CONFIGURATION > Network > Interface > Ethernet > lan1 > IPv6 Router Advertisement Setting Set Up the 6to4 Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Tunnel > Add and select Enable. Enter tunnel0 as the Interface Name and select IPv6-in-IPv4 as the Tunnel Mode.
CONFIGURATION > Network > Interface > Tunnel Set Up the Policy Route on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Routing > IPv6 Configuration > Add, click Create New Object to create an IPv6 address object with the address prefix of 2002:7a64:dcee:1::/64.
CONFIGURATION > Network > Routing > Policy Route > IPv6 Configuration Test the Result Connect a computer to the ZyWALL/USG’s LAN1. Enable IPv6 support on your computer. In Windows XP, you need to use the IPv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default.
Use the ping -6 [IPv6 IP address] command in a Command Prompt to test whether you can ping a computer behind ZyWALL/USG_Y. You should get a response. Window 7 > cmd > ping -6 2001:b020:0:71::46 What Could Go Wrong? If your IPv6 connection is not working, please make sure you enable the WAN1 IPv4 interface.
How to Update Firmware Automatically from a USB Storage This example illustrates how to update the ZyWALL/USG’s firmware automatically from USB storage. With this feature, users can upgrade the firmware of numerous devices more efficiently, without Internet or GUI access. The user can also downgrade the firmware by using this feature.
Enable the USB Firmware Upgrade Function by CLI Command For security reasons, the function is disabled by default. The administrator needs to enable it with the following CLI command: Router(config)# usb-storage update-firmware enable Save the Firmware on the USB There are two ways to create the firmware folder on the USB storage.
Firmware Folder is Created Automatically (folders shown on the USB storage: diagnostic_info, firmware, packet_trace) Plug the USB into the Device Once the .bin file in the firmware folder is detected, the device will copy it to RAM. Plug the USB storage into the USB port The following message shows on the console if the device fails to copy the .bin file.
The device checks the USB firmware against the running partition only. It does not check the standby partition. Check model ID: If incompatible, the device deletes the firmware in RAM. If compatible, the device checks the firmware version. Check firmware version: If it is the same as the running firmware, the device deletes the firmware in RAM.
Check the Firmware Version on the Dashboard MONITOR > Log > View log What Can Go Wrong? The USB storage must use the FAT16, FAT32, EXT2, or EXT3 file system. Otherwise, it may not be detected by the ZyWALL/USG. The device only checks the firmware under the specific folder.
Multiple firmware files for one model in the same folder are not supported. Make sure the product model ID of the USB firmware is compatible with the device. The device writes to the console and the device log if the firmware model ID is incompatible.
Make sure the version of the USB firmware is different from that of the running partition. The device writes to the console and the device log if the firmware version is the same as the running firmware. Console Message MONITOR >...
How to Configure DHCP Option 60 – Vendor Class Identifier The following figure depicts how the ZyWALL/USG uses DHCP option 60. By matching the VCI strings, a DHCP client can choose one specific DHCP server on the WAN network. This function is useful when there are several DHCP servers providing different services in an environment.
In the ZyWALL/USG’s navigation panel, go to Configuration > Network > Interface. Click the Ethernet tab, go to WAN > Edit. Enter the VCI string in the Advance section of DHCP Option 60.
Setting Up DHCP Option 60 on the CLI Under the specific interface path, use these commands to: Enable option 60: Router(config-if-wan1)# ip address dhcp option-60 {VCI_STRING} Disable option 60: Router(config-if-wan1)# no ip address dhcp option-60 Test DHCP Option 60 To test the DHCP option 60 function, use packet capture software to check whether the option 60 string is present in the DHCP Discover message sent from the ZyWALL/USG WAN port.
What Can Go Wrong? Avoid using the same option 60 string on two or more DHCP servers, as this may cause conflicting DHCP servers to respond to the same clients. Since option 60 is sent in clear text, do not treat it as a secure way to authenticate a DHCP server.
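To make the test step concrete, the following Python is an added example (not Zyxel code) that builds a minimal DHCPDISCOVER as a constructed sample, walks the TLV option area the way a capture tool does, and returns the option 60 string if present. Parsing it by hand also shows why the clear-text caveat above holds: the VCI is an unprotected ASCII value in a broadcast frame, so anything on the WAN segment can read it, and a server selecting on it gains no assurance about who sent it. The MAC address, transaction ID and VCI string are constructed, not captured values.

```python
import struct
from typing import Dict, Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"        # magic cookie that ends the fixed BOOTP header
OPT_PAD, OPT_MSG_TYPE, OPT_VCI, OPT_END = 0, 53, 60, 255
DHCPDISCOVER = 1
BOOTP_HEADER_LEN = 236


def build_discover(client_mac: bytes, vci: Optional[str], xid: int = 0x3903F326) -> bytes:
    """Construct a minimal DHCPDISCOVER payload (constructed sample, not captured traffic).

    Layout per RFC 2131: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr,
    siaddr, giaddr, chaddr(16), sname(64), file(128), then the magic cookie and options.
    """
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0, xid, 0, 0x8000,          # BOOTREQUEST, Ethernet, MAC len 6, broadcast flag set
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    options = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    if vci is not None:
        encoded = vci.encode("ascii")
        options += bytes([OPT_VCI, len(encoded)]) + encoded   # option 60 = vendor class identifier
    options += bytes([OPT_END])
    return header + DHCP_MAGIC + options


def parse_options(packet: bytes) -> Dict[int, bytes]:
    """Walk the TLV option area and return {code: raw value}; rejects truncated input."""
    cookie_end = BOOTP_HEADER_LEN + 4
    if len(packet) < cookie_end or packet[BOOTP_HEADER_LEN:cookie_end] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet: bad length or missing magic cookie")
    options: Dict[int, bytes] = {}
    i = cookie_end
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:            # single-byte pad, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        options[code] = value          # repeated option overwrites; RFC 3396 concatenation not handled
        i += 2 + length
    return options


def vendor_class_id(packet: bytes) -> Optional[str]:
    """Return the option 60 string from a DHCPDISCOVER, or None if absent or not a DISCOVER."""
    options = parse_options(packet)
    if options.get(OPT_MSG_TYPE) != bytes([DHCPDISCOVER]):
        return None
    raw = options.get(OPT_VCI)
    return raw.decode("ascii", errors="replace") if raw is not None else None


if __name__ == "__main__":
    mac = bytes.fromhex("001a2b3c4d5e")                 # constructed client MAC
    tagged = build_discover(mac, "ZyWALL-WAN1")         # hypothetical VCI string
    print(vendor_class_id(tagged))                      # ZyWALL-WAN1
    print(vendor_class_id(build_discover(mac, None)))   # None
```

The same parse_options routine can be pointed at the UDP payload of a frame exported from a capture to confirm that the string configured in the WAN interface's Advance section is really what left the port.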
How to Configure Device HA Pro The Device HA feature acts as a failover when one of the devices in the network is dead or can’t access the Internet. Therefore, this is a popular feature for network environments. previous firmware version, supports...
Device HA Pro License The Device HA Pro feature requires a license. You must register both of your devices on the myZyXEL.com server first. Then make sure the Device HA Pro license is available on both of your devices.
Behavior of the Device HA Pro The behavior of the Device HA Pro includes a heartbeat link to monitor the “activate” device’s interface status. If one of the monitored interfaces is dead or fails, the “passive” device’s status will become “activate”. (This means only 1 device’s status can be “activate”...
The Main Function of the Device HA Pro Heartbeat Link The heartbeat port is a new physical port on the device. After you have enabled Device HA Pro, the devices transmit multicast packets (UDP 694) to check each device’s status. When the passive device is working properly, the system LED light will be on.
How do I Configure Device HA Pro in My Current Environment? License The Device HA Pro feature requires a license. Please register both of your devices on myZyXEL.com and make sure the devices have the license after syncing with the myZyXEL.com server.
Configurations on the Primary Device 1. Go to the Configuration > Device HA > Device HA Pro screen. 2. Enter the device’s license serial number from the myZyXEL.com server. 3. Enter the management IP address after enabling the Device HA Pro feature. 4.
Go to the Configuration > Device HA > General screen. Select Enable Device HA and click Apply to enable Device HA Pro.
Configurations on the Secondary Device Go to the Configuration > Device HA > Device-HA Pro screen. Select Enable Configuration Provisioning from Active Device. Click Apply.
Go to the Configuration > Device HA > General screen. Select Enable Device HA and click Apply. Before the Device HA Pro feature is enabled on the secondary device, a warning message will pop up for you to confirm. Click OK to enable it. Connecting the Device HA Pro Port The Device HA Pro port is a new physical port on the DUT.
What can go wrong? Why can’t I see the correct license status from the myZyXEL.com server? On the Device-HA Pro setting, there is a function “Serial number of the licensed device for license synchronization”. You should enter the S/N of the device that holds the licenses.