User's Guide
ZyWALL ATP Series
Version 4.32 Edition 2, 11/2018
Default Login Details
LAN Port IP Address: https://192.168.1.1
User Name: admin
Password: 1234
Copyright © 2018 Zyxel Communications Corporation


Summary of Contents for ZyXEL Communications ZyWall ATP series

  • Page 2 Note: It is recommended you use the Web Configurator to configure the Zyxel Device. • Web Configurator Online Help: Click the help icon in any screen for help in configuring that screen and supplementary information. • More Information: Go to support.zyxel.com to find other information on Zyxel Device. ZyWALL ATP Series User’s Guide...
  • Page 3: Document Conventions

    Figures in this user guide may use the following generic icons. The Zyxel Device icon is not an exact representation of your device. Zyxel Device Generic Router Wireless Router / Access Point Switch Firewall Server Internet Network Cloud Smartphone USB Dongle
  • Page 4: Table Of Contents

    IDP .... 537
    Sandboxing .... 554
    Email Security .... 556
    SSL Inspection .... 567
    Object .... 579
    Device HA .... 675
    Cloud CNM .... 682
    System .... 689
    Log and Report .... 749
    File Manager .... 762
  • Page 5 Contents Overview

    Diagnostics .... 777
    Packet Flow Explore .... 794
    Shutdown .... 801
    Troubleshooting .... 802
  • Page 6: Table Of Contents

    2.1.9 Register Device .... 57
    2.1.10 Activate Service .... 59
    2.1.11 Service Settings .... 60
    2.1.12 Wireless Settings: AP Controller .... 61
    2.1.13 Wireless Settings: SSID & Security .... 62
    2.1.14 Remote Management .... 62
  • Page 7

    4.4.7 VPN Settings for Configuration Provisioning Advanced Wizard - Phase 2 .... 96
    4.4.8 VPN Settings for Configuration Provisioning Advanced Wizard - Summary .... 96
    4.4.9 VPN Settings for Configuration Provisioning Advanced Wizard - Finish .... 99
    4.5 VPN Settings for L2TP VPN Settings Wizard .... 99
  • Page 8

    6.8 The DDNS Status Screen .... 128
    6.9 IP/MAC Binding .... 128
    6.10 Cellular Status Screen .... 129
    6.10.1 More Information .... 132
    6.11 The UPnP Port Status Screen .... 133
    6.12 USB Storage Screen .... 134
  • Page 9

    7.1.1 What you Need to Know .... 179
    7.1.2 Registration Screen .... 180
    7.1.3 Service Screen .... 180
    7.2 Signature Update .... 182
    7.2.1 What you Need to Know .... 182
    7.2.2 The Signature Screen .... 182
    7.2.3 Auto Update .... 183
  • Page 10

    9.4.2 PPP Interface Add or Edit .... 235
    9.5 Cellular Configuration Screen .... 240
    9.5.1 Cellular Choose Slot .... 243
    9.5.2 Add / Edit Cellular Configuration .... 243
    9.6 Tunnel Interfaces .... 249
    9.6.1 Configuring a Tunnel .... 251
  • Page 11

    10.8 BGP (Border Gateway Protocol) .... 320
    10.8.1 Allow BGP Packets to Enter the Zyxel Device .... 321
    10.8.2 Configuring the BGP Screen .... 321
    10.8.3 The BGP Neighbors Screen .... 323
    10.8.4 Example Scenario .... 324
    Chapter 11 DDNS .... 326
  • Page 12

    15.2.2 Cautions with UPnP and NAT-PMP .... 354
    15.3 UPnP Screen .... 354
    15.4 Technical Reference .... 355
    15.4.1 Turning on UPnP in Windows 7 Example .... 355
    15.4.2 Using UPnP in Windows XP Example .... 357
  • Page 13

    20.1.2 What You Need to Know .... 381
    20.1.3 Before You Begin .... 384
    20.2 The VPN Connection Screen .... 384
    20.2.1 The VPN Connection Add/Edit Screen .... 386
    20.3 The VPN Gateway Screen .... 393
  • Page 14

    24.2 Web Authentication General Screen .... 442
    24.2.1 User-aware Access Control Example .... 447
    24.2.2 Authentication Type Screen .... 453
    24.2.3 Custom Web Portal / User Agreement File Screen .... 457
    24.3 SSO Overview .... 458
  • Page 15

    26.2.3 The Application Patrol Profile Add/Edit Screen - Query Result .... 503
    Chapter 27 Content Filter .... 505
    27.1 Overview .... 505
    27.1.1 What You Can Do in this Chapter .... 505
    27.1.2 What You Need to Know .... 505
  • Page 16

    30.3.1 Add / Edit Custom Signatures .... 544
    30.3.2 Custom Signature Example .... 548
    30.3.3 Applying Custom Signatures .... 550
    30.3.4 Verifying Custom Signatures .... 551
    30.4 IDP Technical Reference .... 551
    Chapter 31 Sandboxing .... 554
    31.1 Overview .... 554
  • Page 17

    34.2.4 User/Group Setting Screen .... 589
    34.2.5 User/Group MAC Address Summary Screen .... 594
    34.2.6 User/Group Technical Reference .... 596
    34.3 AP Profile Overview .... 596
    34.3.1 Radio Screen .... 597
    34.3.2 SSID Screen .... 603
  • Page 18

    34.11.4 The Trusted Certificates Screen .... 663
    34.11.5 Certificates Technical Reference .... 668
    34.12 ISP Account Overview .... 668
    34.12.1 ISP Account Summary .... 668
    34.13 DHCPv6 Overview .... 671
    34.13.1 The DHCPv6 Request Screen .... 671
  • Page 19

    37.6.8 Domain Zone Forwarder .... 702
    37.6.9 Adding a Domain Zone Forwarder .... 702
    37.6.10 MX Record .... 703
    37.6.11 Adding a MX Record .... 703
    37.6.12 Security Option Control .... 704
    37.6.13 Editing a Security Option Control .... 704
  • Page 20

    37.17 Zyxel One Network (ZON) Utility .... 744
    37.17.1 Requirements .... 744
    37.17.2 Run the ZON Utility .... 745
    37.17.3 Zyxel One Network (ZON) System Screen .... 748
    Chapter 38 Log and Report .... 749
    38.1 Overview .... 749
  • Page 21

    40.9 The Wireless Frame Capture Screen .... 791
    40.9.1 The Wireless Frame Capture Files Screen .... 793
    Chapter 41 Packet Flow Explore .... 794
    41.1 Overview .... 794
    41.1.1 What You Can Do in this Chapter .... 794
  • Page 22

    Troubleshooting .... 802
    43.1 Resetting the Zyxel Device .... 814
    43.2 Getting More Troubleshooting Help .... 814
    Appendix A Customer Support .... 815
    Appendix B Product Features .... 821
    Appendix C Legal Information .... 825
    Index .... 833
  • Page 23: Part I: User's Guide

    User’s Guide...
  • Page 24: Introduction

    Device and activating the corresponding service at myZyxel (through your Zyxel Device). However, it is highly recommended to at least register your Zyxel Device. At the time of writing, the Firmware Upgrade license, providing Cloud Helper new firmware notifications, is free when you register your Zyxel Device.
  • Page 25: Grace Period

    New license(s) are valid for 1 year from the date of purchase. 1.2.2 Applications These are some Zyxel Device application scenarios. Security Router Security includes a Stateful Packet Inspection (SPI) firewall.
  • Page 26 Figure 3 Applications: IPv6 Routing VPN Connectivity Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to your network. AS is an Authentication Server in the below figure.
  • Page 27 User B has a lower level of access and can only access the Internet. User C is not even logged in, so cannot access either the Internet or the file server. Figure 6 Applications: User-Aware Access Control
  • Page 28: Management Overview

    You can manage the Zyxel Device in the following ways. Web Configurator The Web Configurator allows easy Zyxel Device setup and management using an Internet browser. This User’s Guide provides information about the Web Configurator. Figure 8 Managing the Zyxel Device: Web Configurator
  • Page 29: Web Configurator

    • Internet Explorer 10.x, 11.x • Chrome latest version (45 or above) • Firefox latest version (45 or above) • Safari latest version (9.0 or above) • Allow pop-up windows (blocked by default in some browsers)
  • Page 30: Web Configurator Access

    !@#$%^&*()_+. You can also require periodic changing of the password in that screen by configuring Password must changed every (days). Make a note of your new password, enter it in the following screen, then click Apply.
  • Page 31 The Network Risk Warning screen displays any unregistered or disabled security services. If your Zyxel Device is not registered, you will see a prompt to register it. Select how often to display the screen and click OK.
  • Page 32 Follow the directions in the Update Admin Info screen. If you change the default password, the Login screen appears after you click Apply. If you click Ignore, the Installation Setup Wizard opens if the ZyWALL is using its default configuration; otherwise the dashboard appears.
  • Page 33: Web Configurator Screens Overview

    Click this to go to the forum website for product discussions. About Click this to display basic information about the Zyxel Device. Site Map Click this to see an overview of links to the Web Configurator screens.
  • Page 34 This shows the date (yyyy-mm-dd) and time (hh:mm:ss) when the firmware is released. Click this to close the screen. Site Map Click Site Map to see an overview of links to the Web Configurator screens. Click a screen’s link to go to that screen.
  • Page 35 This identifies the object for which the configuration settings that use it are displayed. Click the object’s name to display the object’s configuration screen in the main window. This field is a sequential value, and it is not associated with any entry.
  • Page 36: Navigation Panel

    Use the navigation panel menu items to open status and configuration screens. Click the arrow in the middle of the right edge of the navigation panel to hide the panel or drag to resize it. The following sections introduce the Zyxel Device’s navigation panel menus and their screens.
  • Page 37 Lists the devices that have received an IP address from Zyxel Device Binding interfaces using IP/MAC binding. Cellular Status Cellular Displays details about the Zyxel Device’s mobile broadband connection Status status. UPnP Port Status Port Statistics Displays details about UPnP connections going through the Zyxel Device.
  • Page 38 Displays the IP addresses and URLs that are blocked by the Zyxel Device. Sandboxing Summary Displays the sandboxing statistics. SSL Inspection Report Collect and display SSL Inspection statistics. Certificate Displays traffic to destination servers using certificates. Cache List
  • Page 39 Create and manage VLAN interfaces and virtual VLAN interfaces. Bridge Create and manage bridges and virtual bridge interfaces. Configure IP address assignment and interface parameters for VTI (Virtual Tunnel Interface). Trunk Create and manage trunks (groups of interfaces) for load balancing.
  • Page 40 Create and manage level-3 traffic rules and apply Security Service profiles. General Display and manage ADP bindings. Profile Create and manage ADP profiles. Session Control Session Control Limit the number of concurrent client NAT/security policy sessions.
  • Page 41 MON Profile MON Profile Create and manage rogue AP monitoring files that can be associated with different APs. ZyMesh Profile ZyMesh Profile Create and manage ZyMesh files that can be associated with different APs.
  • Page 42 Configure the Zyxel Device to act as a RADIUS server. Notification Mail Server Configure a mail server with authentication to send reports and password expiration notification emails. Language Language Select the Web Configurator language. IPv6 IPv6 Enable IPv6 globally on the Zyxel Device here.
  • Page 43: Tables And Lists

    Turn off the Zyxel Device. 1.4.4 Tables and Lists Web Configurator tables and lists are flexible with several options for how to display their entries. Click a column heading to sort the table’s entries according to that column’s criteria.
  • Page 44 Figure 17 Resizing a Table Column Select a column heading and drag and drop it to change the column order. A green check mark displays next to the column’s title when you drag the column to a valid new location.
  • Page 45 [ENTER] to move the entry to the number that you typed. For example, if you type 6, the entry you are moving becomes number 6 and the previous entry 6 (if there is one) gets pushed up (or down) one.
  • Page 46 In some lists you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list. Figure 21 Working with Lists
  • Page 47: Initial Setup Wizard

    Figure 22 Initial Setup Wizard 2.1.1 Internet Access Setup - WAN Interface Use this screen to set how many WAN interfaces to configure and the first WAN interface’s type of encapsulation and method of IP address assignment.
  • Page 48: Internet Access: Ethernet

    • IP Address: Enter your (static) public IP address. Auto displays if you selected Auto as the IP Address Assignment in the previous screen. The following fields display if you selected static IP address assignment. • IP Subnet Mask: Enter the subnet mask for this WAN connection's IP address.
  • Page 49: Internet Access: Pppoe

    PPPoE server. You can use alphanumeric and -_@$./ characters, and it can be up to 64 characters long. • Authentication Type - Select an authentication protocol for outgoing connection requests. Options are: • Chap/PAP - Your Zyxel Device accepts either CHAP or PAP when requested by the remote node.
  • Page 50 • If you were given an IP address and DNS server information as part of your Internet access information, re-enter them exactly as given. If it fails again, check with your Internet service provider or administrator for correct IP address, subnet mask and gateway address and other WAN settings.
  • Page 51: Internet Access: Pptp

    • Type the IP Subnet Mask assigned to you by your ISP (if given). • Gateway IP Address: Enter the IP address of the router through which this WAN connection will send traffic (the default gateway). • Server IP: Type the IP address of the PPTP server.
  • Page 52 • If you were given an IP address and DNS server information as part of your Internet access information, re-enter them exactly as given. If it fails again, check with your Internet service provider or administrator for correct IP address, subnet mask and gateway address and other WAN settings.
  • Page 53: Internet Access: L2Tp

    PPPoE server. 2.1.5.2 L2TP Configuration • Base Interface: This identifies the Ethernet interface you configure to connect with a modem or router. • Type a Base IP Address (static) assigned to you by your ISP.
  • Page 54 • If you were given an IP address and DNS server information as part of your Internet access information, re-enter them exactly as given. If it fails again, check with your Internet service provider or administrator for correct IP address, subnet mask and gateway address and other WAN settings.
  • Page 55: Internet Access Setup - Second Wan Interface

    If you selected I have two ISPs, after you configure the First WAN Interface, you can configure the Second WAN Interface. The screens for configuring the second WAN interface are similar to the first (see Section 2.1.1 on page 47).
  • Page 56: Internet Access: Congratulations

    Connection Test to check that you can access the Internet. If you cannot, click Back and confirm that you entered the settings correctly. If you have, check that you got the correct settings from your ISP or network administrator. Figure 29 Internet Access: Summary
  • Page 57: Date And Time Settings

    Figure 30 Date and Time Settings 2.1.9 Register Device Click the Register button in this screen to register your device at portal.myzyxel.com. Note: The Zyxel Device must be connected to the Internet in order to register.
  • Page 58 Refer to the label at the back of the Zyxel Device for details. Figure 32 myZyxel Login Click Refresh or use the Configuration > Licensing > Registration screen to update your Zyxel Device registration status.
  • Page 59: Activate Service

    Internet connection is working and click Refresh again. To check your Internet connection, try to access the Internet from a computer connected to a LAN port on the Zyxel Device. If you cannot, then check your Internet access settings on the Zyxel Device.
  • Page 60: Service Settings

    • Botnet Filter: Use this feature to detect and block connection attempts to or from the C&C server or known botnet IP addresses. • Anti-Malware: Use this feature to protect your connected network from virus/spyware infection. • IDP: Use this feature to detect malicious or suspicious packets and respond instantaneously.
  • Page 61: Wireless Settings: Ap Controller

    The Zyxel Device can act as an AP Controller that can manage APs in the same network as the Zyxel Device. Select Yes if you want your Zyxel Device to manage APs in your network; otherwise select No. Figure 37 Wireless Settings: AP Controller
  • Page 62: Wireless Settings: Ssid & Security

    AP wireless network. Devices connected to this interface will then be in the same broadcast domain as devices in the AP wireless network. Figure 38 Wireless Settings: SSID & Security 2.1.14 Remote Management Select this to allow access to the Zyxel Device using HTTP or HTTPS from the Internet.
  • Page 63 Chapter 2 Initial Setup Wizard Figure 39 Remote Management HTTPS is added to the Default_Allow_WAN_to_ZyWALL rule in Object > Service > Service Group screen when you enable Remote Management. Figure 40 Object > Service > Service Group - HTTPS
  • Page 64: Hardware, Interfaces And Zones

    The Zyxel Device is turned on. There is a hardware component failure. Shut down the device, wait for a few minutes and then restart the device. If the LED turns red again, then please contact your vendor.
  • Page 65: Rear Panels

    Connect a storage device for system logs (see Maintenance > Diagnostics > System Log) and storage (see Configuration > System > USB Storage). P2-P7 (ATP200) These are 1G RJ-45 Ethernet ports. P2-P8 (ATP500) P1-P12 (ATP800) 3.1.2 Rear Panels The connection ports are located on the rear panel.
  • Page 66: Mounting

    Using a 4-wire Ethernet cable limits your connection to 100 Mbps. Note that the connection speed also depends on what the Ethernet device at the other end can support. 3.2 Mounting The Zyxel Device can be mounted in a rack.
  • Page 67: Rack-Mounting

    Drill two holes 3 mm ~ 4 mm (0.12" ~ 0.16") wide, 20 mm ~ 30 mm (0.79" ~ 1.18") deep and 150 mm (5.90") apart, into a wall. Place two screw anchors in the holes.
  • Page 68: Default Zones, Interfaces, And Ports

    For example, this guide may use “the WAN interface” rather than “wan1” or “wan2”, “ge2” or “ge3”. An OPT (optional) Ethernet port can be configured as an additional WAN port, LAN, WLAN, or DMZ port.
  • Page 69: Stopping The Zyxel Device

    3.4 Stopping the Zyxel Device Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the Zyxel Device or remove the power. Not doing so can cause the firmware to become corrupt.
  • Page 70: Quick Setup Wizards

    IP address of the Zyxel Device in the IPSec VPN Client to get all VPN settings automatically from the Zyxel Device. See Section 4.3 on page 77. Use VPN Settings for L2TP VPN Settings to configure the L2TP VPN for clients.
  • Page 71: Wan Interface Quick Setup

    Welcome screen. Use these screens to configure an interface to connect to the Internet. Click Next. Figure 49 WAN Interface Quick Setup Wizard 4.2.1 Choose an Ethernet Interface Select a WAN interface (names vary by model) that you want to configure for a WAN connection and click Next.
  • Page 72: Select Wan Type

    Note: Enter the Internet access information exactly as your ISP gave it to you. 4.2.3 Configure WAN IP Settings Use this screen to select whether the interface should use a fixed or dynamic IP address.
  • Page 73: Isp And Wan And Isp Connection Settings

    Ethernet and set the IP Address Assignment to Auto. If you set the IP Address Assignment to static and/or select PPTP or PPPoE, enter the Internet access information exactly as your ISP gave it to you. Note: Enter the Internet access information exactly as your ISP gave it to you.
  • Page 74 Chapter 4 Quick Setup Wizards Figure 54 WAN and ISP Connection Settings: (PPTP) Figure 55 WAN and ISP Connection Settings: (PPPoE)
  • Page 75 • Base Interface: This displays the identity of the Ethernet interface you configure to connect with a modem or router. • Base IP Address: Type the (static) IP address assigned to you by your ISP.
  • Page 76: Quick Setup Interface Wizard: Summary

    4.2.5 Quick Setup Interface Wizard: Summary This screen displays an example WAN interface’s settings. Figure 57 Interface Wizard: Summary WAN • Encapsulation: This displays what encapsulation this interface uses to connect to the Internet.
  • Page 77: Vpn Setup Wizard

    Configuration > VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the Configuration > VPN > IPSec VPN > VPN Connection screen. • VPN Settings configures a VPN tunnel for a secure connection to another computer or network.
  • Page 78: Vpn Setup Wizard: Wizard Type

    ZLD-based Zyxel Device using a pre-shared key. Choose Advanced to change the default settings and/or use certificates instead of a pre-shared key to create a VPN rule to connect to another IPSec device. Figure 60 VPN Setup Wizard: Wizard Type
  • Page 79: Vpn Express Wizard - Scenario

    IPSec device can initiate the VPN tunnel. • Remote Access (Server Role) - Allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel.
  • Page 80: Vpn Express Wizard - Configuration

    4.3.5 VPN Express Wizard - Summary This screen provides a read-only summary of the VPN tunnel’s configuration and commands that you can copy and paste into another ZLD-based Zyxel Device’s command line interface to configure it.
  • Page 81: Vpn Express Wizard - Finish

    Now the rule is configured on the Zyxel Device. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen.
  • Page 82: Vpn Advanced Wizard - Scenario

    Click Close to exit the wizard. 4.3.7 VPN Advanced Wizard - Scenario Click the Advanced radio button as shown in Figure 60 on page 78 to display the following screen. Figure 65 VPN Advanced Wizard: Scenario
  • Page 83: Vpn Advanced Wizard - Phase 1 Settings

    4.3.8 VPN Advanced Wizard - Phase 1 Settings There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA (Security Association).
  • Page 84 • SA Life Time: Set how often the Zyxel Device renegotiates the IKE SA. A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel. • NAT Traversal: Select this if the VPN tunnel must pass through NAT (there is a NAT router between the IPSec devices).
  • Page 85: Vpn Advanced Wizard - Phase 2

    • Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also specify a subnet. This must match the remote IP address configured on the remote IPSec device.
  • Page 86: Vpn Advanced Wizard - Summary

    • Local Policy: IP address and subnet mask of the computers on the network behind your Zyxel Device that can use the tunnel. • Remote Policy: IP address and subnet mask of the computers on the network behind the remote IPSec device that can use the tunnel.
  • Page 87 • Null uses no encryption. • Authentication Algorithm: This displays the authentication algorithm used. The stronger the algorithm, the slower it is. • MD5 gives minimal security. • SHA1 gives higher security. • SHA256 gives the highest security.
  • Page 88: Vpn Advanced Wizard - Finish

    Now the rule is configured on the Zyxel Device. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Figure 69 VPN Wizard: Finish Click Close to exit the wizard.
  • Page 89: Vpn Settings For Configuration Provisioning Wizard: Wizard Type

    Figure 70 VPN Settings for Configuration Provisioning Express Wizard: Wizard Type 4.4.1 Configuration Provisioning Express Wizard - VPN Settings Click the Express radio button as shown in the previous screen to display the following screen.
  • Page 90: Configuration Provisioning Vpn Express Wizard - Configuration

    • Application Scenario: Only the Remote Access (Server Role) is allowed in this wizard. It allows incoming connections from the Zyxel Device IPSec VPN Client. 4.4.2 Configuration Provisioning VPN Express Wizard - Configuration Click Next to continue the wizard.
  • Page 91: Vpn Settings For Configuration Provisioning Express Wizard - Summary

    4.4.3 VPN Settings for Configuration Provisioning Express Wizard - Summary This screen has a read-only summary of the VPN tunnel’s configuration and commands you can copy and paste into another ZLD-based Zyxel Device’s command line interface to configure it.
  • Page 92: Vpn Settings For Configuration Provisioning Express Wizard - Finish

    VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the Configuration > VPN > IPSec VPN > VPN Connection screen. Enter the IP address of the Zyxel Device in the Zyxel Device IPSec VPN Client to get all these VPN settings automatically from the Zyxel Device.
  • Page 93: Vpn Settings For Configuration Provisioning Advanced Wizard - Scenario

    Click Close to exit the wizard. 4.4.5 VPN Settings for Configuration Provisioning Advanced Wizard - Scenario Click the Advanced radio button as shown in Figure 70 on page 89 to display the following screen.
  • Page 94: Vpn Settings For Configuration Provisioning Advanced Wizard - Phase 1 Settings

    4.4.6 VPN Settings for Configuration Provisioning Advanced Wizard - Phase 1 Settings There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA (Security Association).
  • Page 95 • SA Life Time: Set how often the Zyxel Device renegotiates the IKE SA. A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel. • Authentication Method: Select Pre-Shared Key to use a password or Certificate to use one of the Zyxel Device’s certificates.
  • Page 96: Vpn Settings For Configuration Provisioning Advanced Wizard - Phase 2

    • Nailed-Up: This displays for the site-to-site and remote access client role scenarios. Select this to have the Zyxel Device automatically renegotiate the IPSec SA when the SA life time expires. 4.4.8 VPN Settings for Configuration Provisioning Advanced Wizard - Summary This is a read-only summary of the VPN tunnel settings.
  • Page 97 • Remote Policy: Any displays in this field because it is not configurable in this wizard. Phase 1 • Negotiation Mode: This displays Main or Aggressive: • Main encrypts the ZyWALL/USG’s and remote IPSec router’s identities but takes more time to establish the IKE SA
  • Page 98 • SHA1 gives higher security. • SHA256 gives the highest security. The Configuration for Secure Gateway displays the configuration that the Zyxel Device IPSec VPN Client will get from the Zyxel Device. Click Save to save the VPN rule.
  • Page 99: VPN Settings For Configuration Provisioning Advanced Wizard - Finish

    Use VPN Settings for L2TP VPN Settings to set up an L2TP VPN rule. Click Configuration > Quick Setup > VPN Setup and select VPN Settings for L2TP VPN Settings to see the following screen.
  • Page 100: L2TP VPN Settings

    1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. • My Address (interface): Select one of the interfaces from the pull down menu to apply the L2TP VPN rule.
  • Page 101: L2TP VPN Settings

    DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. 4.5.3 VPN Settings for L2TP VPN Setting Wizard - Summary This is a read-only summary of the L2TP VPN settings.
  • Page 102 • My Address (Interface): This displays the interface to use on your Zyxel Device for the L2TP tunnel. • IP Address Pool: This displays the IP address pool used to assign to the L2TP VPN clients. Click Save to complete the L2TP VPN Setting and the following screen will show.
  • Page 103: VPN Settings For L2TP VPN Setting Wizard Completed

    Now the rule is configured on the Zyxel Device. The L2TP VPN rule settings appear in the Configuration > VPN > L2TP VPN screen and also in the Configuration > VPN > IPSec VPN > VPN Connection and VPN Gateway screen.
  • Page 104: Dashboard

    Click on the icon to go to the OneSecurity website where there is guidance on configuration walkthroughs, troubleshooting, and other information. The following screen is an example of a Brand 2.0 web configurator web style.
  • Page 105 Section 9.5 on page 240 for the status that can appear. For the auxiliary interface: Inactive - The auxiliary interface is disabled. Connected - The auxiliary interface is enabled and connected. Disconnected - The auxiliary interface is not connected.
  • Page 106: Device Information Screen

    MAC address is assigned to physical port 2, and so on. Firmware Version This field displays the version number and date of the firmware the Zyxel Device is currently running. Click the link to open the Firmware Package screen where you can upload firmware.
  • Page 107: System Status Screen

    Click on the link to see the Date/Time screen where you can make edits and changes to the date, time and time zone information. 5.2.3 Tx/Rx Statistics This screen displays a line graph of packet statistics for each physical port. Figure 88 Dashboard > Tx/Rx Statistics
  • Page 108: The Latest Logs Screen

    This field displays the destination address (if any) in the packet that generated the log. 5.2.5 System Resources Screen Click the bar to see a graphic on that resource. Figure 90 Dashboard > System Resources
  • Page 109: DHCP Table Screen

    Click this to update the information in the window right away. This field is a sequential value, and it is not associated with a specific entry. Interface This field identifies the interface that assigned an IP address to a DHCP client.
  • Page 110: Number Of Login Users Screen

    This shows unlimited for an administrator account. Type This field displays the way the user logged in to the Zyxel Device. IP address This field displays the IP address of the computer used to log in to the Zyxel Device.
  • Page 111: Current Login User

    5.2.10 SSL VPN Status The first number is the actual number of VPN tunnels up and the second number is the maximum number of SSL VPN tunnels allowed. Figure 95 Dashboard > SSL VPN Status
  • Page 112: The Advanced Threat Protection Screen

    • Top 5 applications that are used the most • Top 5 URLs that are detected the most • Botnet filtering reports • Sandboxing reports • Threat statistics Click the Refresh icon to update the information in the window right away.
  • Page 113: Part II: Technical Reference

    Technical Reference...
  • Page 114: Monitor

    Zyxel Device. • Use the Wireless > AP Information > Radio List screen (Section 6.16 on page 145) to display statistics about the wireless radio transmitters in each of the APs connected to the Zyxel Device.
  • Page 115 You can change the way the log is displayed, you can email the log, and you can also clear the log in this screen. • Use the Log > View AP Log screen (see Section 6.36.2 on page 176) to view the Zyxel Device’s current wireless AP log messages.
  • Page 116: The Port Statistics Screen

    Up Time This field displays how long the physical port has been connected. System Up Time This field displays how long the Zyxel Device has been running since it last restarted or was turned on.
  • Page 117: The Port Statistics Graph Screen

    This line represents the traffic received by the Zyxel Device on the physical port since it was last connected. Last Update This field displays the date and time the information in the window was last updated.
  • Page 118: Interface Status Screen

    This field displays the name of each interface. If there is an Expand icon (plus-sign) next to the name, click this to look at the status of virtual interfaces on top of this interface. Port/Binding This field displays the physical port number.
  • Page 119 This displays the details of the Zyxel Device’s configured tunnel interfaces. Name This field displays the name of the interface. Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
  • Page 120 If this interface is a member of an active virtual router, this field displays the IPv6 address it is currently using. This is either the static IPv6 address of the interface (if it is the master) or the management IPv6 address (if it is a backup).
  • Page 121: The Traffic Statistics Screen

    You use the Traffic Statistics screen to tell the Zyxel Device when to start and when to stop collecting information for these reports. You cannot schedule data collection; you have to start and stop it manually in the Traffic Statistics screen.
  • Page 122 The unit of measure is bytes, Kbytes, Mbytes or Gbytes, depending on the amount of traffic for the particular IP address or user. The count starts over at zero if the number of bytes passes the byte count limit. See Table 30 on page 123.
  • Page 123 Table 30 Maximum Values for Reports LABEL DESCRIPTION Maximum Number of Records Byte Count Limit bytes; this is just less than 17 million terabytes. Hit Count Limit hits; this is over 1.8 x 10 hits.
  • Page 124: The Session Monitor Screen

    - filter the active sessions by the User, Service, Source Address, and Destination Address, and display each session individually (sorted by user). Refresh Click this button to update the information on the screen. The screen also refreshes automatically when you open and close the screen.
  • Page 125 This field displays the amount of information received by the source in the active session. This field displays the amount of information transmitted by the source in the active session. Duration This field displays the length of the active session in seconds.
  • Page 126: The Login Users Screen

    This field displays the types of user accounts the Zyxel Device uses. If the user type is ext-user (external user), this field will show its external-group information when you move your mouse over it. If the external user matches two external-group objects, both external-group object names will be shown.
  • Page 127: IGMP Statistics

    This field displays the size of the data being transferred in Bytes. Outgoing Interface This field displays the outgoing interface that’s connected on the IGMP. Refresh Click this button to update the information in the screen.
  • Page 128: The DDNS Status Screen

    IP address from Zyxel Device interfaces with IP/MAC binding enabled and have ever established a session with the Zyxel Device. Devices that have never established a session with the Zyxel Device do not display in the list.
  • Page 129: Cellular Status Screen

    Click this button to update the information in the screen. 6.10 Cellular Status Screen This screen displays your mobile broadband connection status. Click Monitor > System Status > Cellular Status to display this screen. Figure 106 Monitor > System Status > Cellular Status
  • Page 130 This field is a sequential value, and it is not associated with any interface. Extension Slot This field displays where the entry’s cellular card is located. Connected Device This field displays the model name of the cellular card.
  • Page 131 This displays the name of your network service provider. This shows Limited Service if the service provider has stopped service to the mobile broadband card, for example, if the bill has not been paid or the account has expired.
  • Page 132: More Information

    This displays the name of your network service provider. This shows Limited Service if the service provider has stopped service to the mobile broadband card, for example, if the bill has not been paid or the account has expired.
  • Page 133: The UPnP Port Status Screen

    Table 38 Monitor > System Status > UPnP Port Status LABEL DESCRIPTION Remove Select an entry and click this button to remove it from the list. This is the index number of the UPnP-created NAT mapping rule entry.
  • Page 134: USB Storage Screen

    This is a basic description of the type of USB device. Usage This field displays how much of the USB storage device’s capacity is currently being used out of its total capacity and what percentage that makes.
  • Page 135: Ethernet Neighbor Screen

    Discovery Protocol (ZDP) for discovering and configuring ZDP-aware Zyxel devices in the same network as the computer on which the ZON utility is installed. Click Monitor > System Status > Ethernet Neighbor to see the following screen
  • Page 136: FQDN Object Screen

    DNS name server. The Zyxel Device updates FQDN-to-IP address mappings when the TTL (Time To Live) setting expires. You can configure FQDN objects in Configuration > Object > Address/Geo IP > Address or Configuration > Object > Address/Geo IP > Address Group.
  • Page 137 The mapping is updated when the TTL (Time To Live) setting expires. IPv6 FQDN Object Cache List You must first configure IPv6 FQDN objects in Configuration > Object > Address/Geo IP in the IPv6 Address Configuration field.
  • Page 138: AP Information: AP List

    APs and there may be interference. Note: You should have enabled DCS in the applied AP radio profile before the APs can use DCS. Note: DCS is not supported on the radio which is working in repeater AP mode.
  • Page 139 Mgmnt. VLAN ID(AC). This field displays n/a if the Zyxel Device cannot get VLAN information from the AP. Last Off-line Time This field displays the date and time that the AP was last logged out.
  • Page 140: AP List: More Information

    Use this screen to look at station statistics for the connected AP. To access this screen, select an entry and click the More Information button in the AP List screen. Use this screen to look at configuration
  • Page 141 It displays n/a if none of the AP’s configuration conflicts with the Zyxel Device’s settings for the AP. Port Status Port This shows the name of the physical Ethernet port on the Zyxel Device.
  • Page 142 This field displays the date and time the information in the window was last updated. Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 143: AP List: Config AP

    Select an AP and click the Config AP button in the Monitor > Wireless > AP Information > AP List table to display this screen. Figure 114 Monitor > Wireless > AP Information > AP List > Config AP
  • Page 144 If the check box is unchecked, it means the LEDs will stay lit after the AP is ready. Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to close the window with changes unsaved.
  • Page 145: AP Information: Radio List

    AP profile. AP Mode means the AP can receive connections from wireless clients and pass their data traffic through to the Zyxel Device to be managed (or subsequently passed on to an upstream gateway for managing).
  • Page 146 This indicates the antenna orientation for the radio (Wall or Ceiling). This shows N/A if the AP does not allow you to adjust coverage depending on the orientation of the antenna for each radio using the web configurator or a physical switch.
  • Page 147: Radio List: More Information

    24 hours. To access this window, select an entry and click the More Information button in the Radio List screen. Figure 116 Monitor > Wireless > AP Information > Radio List > More Information
  • Page 148: AP Information: Top N APs

    Use this screen to view the top five or top ten wireless traffic usage and associated wireless stations for the preceding 24 hours. Click Monitor > Wireless > AP Information > Top N APs to display the Top N APs screen.
  • Page 149 AP for the preceding 24 hours. y-axis The y-axis represents the number of connected wireless stations. x-axis The x-axis represents the time over which a wireless client was connected. Refresh Click Refresh to update this screen.
  • Page 150: AP Information: Single AP

    AP for the preceding 24 hours. y-axis The y-axis represents the number of connected wireless stations. x-axis The x-axis represents the time over which a wireless client was connected. Refresh Click Refresh to update this screen.
  • Page 151: ZyMesh

    This field displays the maximum transmission rate of the root AP or repeater to which the managed AP is connected. Rx Rate This field displays the maximum reception rate of the root AP or repeater to which the managed AP is connected. Refresh Click Refresh to update this screen.
  • Page 152: SSID Info

    The Station Info menu contains Station List, Top N Stations and Single Station screens. This screen displays information about connected wireless stations. Click Monitor > Wireless > Station Info > Station List to display this screen.
  • Page 153: Station Info: Top N Stations

    6.22 Station Info: Top N Stations Use this screen to view the top five or top ten traffic statistics of the wireless stations. Click Monitor > Wireless > Station Info > Top N Stations to display this screen.
  • Page 154: Station Info: Single Station

    Click Refresh to update this screen. 6.23 Station Info: Single Station Use this screen to view traffic statistics of the wireless station you specified. Click Monitor > Wireless > Station Info > Single Station to display this screen.
  • Page 155: Detected Device

    Note: At least one radio of the APs connected to the Zyxel Device must be set to monitor mode (in the Configuration > Wireless > AP Management screen) in order to detect other wireless devices in its vicinity. Figure 124 Monitor > Wireless > Detected Device
  • Page 156: The IPSec Screen

    Monitor > VPN Monitor > IPSec. The following screen appears. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 125 Monitor > VPN Monitor > IPSec
  • Page 157 “abc” and ending in “123” matches, no matter how many characters are in between. The whole VPN connection or policy name has to match if you do not use a question mark or asterisk.
  • Page 158: The SSL Screen

    6.27 The L2TP over IPSec Screen Click Monitor > VPN Monitor > L2TP over IPSec to open the following screen. Use this screen to display and manage the Zyxel Device’s connected L2TP VPN sessions.
  • Page 159: The Content Filter Screen

    This field displays the public IP address that the remote user is using to connect to the Internet. 6.28 The Content Filter Screen Click Monitor > Security Statistics > Content Filter to display the following screen. This screen displays content filter statistics.
  • Page 160 Category Hit Summary Managed Web Pages This is the number of requested web pages that the Zyxel Device’s content filtering service identified as belonging to a category that was selected to be managed. Block Hit Summary
  • Page 161: The App Patrol Screen

    Zyxel Device or click Flush Data. Collecting starts over and a new collection start time displays. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings.
  • Page 162: The Anti-Malware Screen

    6.30 The Anti-Malware Screen Click Monitor > Security Statistics > Anti-Malware > Summary to display the following screen. This screen displays anti-malware statistics. Figure 130 Monitor > Security Statistics > Anti-Malware > Summary: Virus Name
  • Page 163 IPv6 address of virus-infected files that the Zyxel Device has detected. Occurrences This field displays how many times the Zyxel Device has detected the event described in the entry. The statistics display as follows when you display the top entries by source IP.
  • Page 164: The IDP Screen

    Figure 134 Monitor > Security Statistics > Anti-Malware: Destination IPv6 6.31 The IDP Screen Click Monitor > Security Statistics > IDP > Summary to display the following screen. This screen displays IDP (Intrusion Detection and Prevention) statistics.
  • Page 165 This field displays the entry’s rank in the list of the top entries. Signature Name This column displays when you display the entries by Signature Name. The signature name identifies the type of intrusion pattern. Click the hyperlink for more detailed information on the intrusion.
  • Page 166: The Email Security Screens

    6.32 The Email Security Screens The Email Security menu contains the Summary and Status screens. 6.32.1 Email Security Summary Click Monitor > Security Statistics > Email Security > Summary to display the following screen. This screen displays spam statistics.
  • Page 167 This is the number of emails that the Zyxel Device has determined to be spam. Spam Mails Detected by Black List This is the number of emails that matched an entry in the Zyxel Device’s email security black list.
  • Page 168: The Email Security Status Screen

    This field displays how many spam emails the Zyxel Device detected from the sender. 6.32.2 The Email Security Status Screen Click Monitor > Security Statistics > Email Security > Status to display the Email Security Status screen.
  • Page 169 This is the average for how long it takes to receive a reply from this DNSBL. No Response This is how many DNS queries the Zyxel Device sent to this DNSBL without receiving a reply.
  • Page 170: The Botnet Filter Screen

    This field displays the IP address of a botnet command and control (C&C) server. Botnet URL This field displays the URL of an infected website or a botnet C&C server. Threat Category This field displays the category of the entry.
  • Page 171: The Sandboxing Screen

    This shows the number of suspicious files that have been detected. Safe File This shows the number of clean files that have been detected. Other This shows the number of internal and external network errors.
  • Page 172: The SSL Inspection Screens

    Zyxel Device last rebooted after Collect Statistics was enabled. Sessions Inspected This shows the total number of SSL sessions inspected since data was last flushed or the Zyxel Device last rebooted after Collect Statistics was enabled
  • Page 173: Certificate Cache List

    This is the latest date (yyyy-mm-dd) and time (hh-mm-ss) that the record in the certificate cache list was met. Common Name This displays the common name in the certificate of the SSL traffic destination server.
  • Page 174: Log Screens

    Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. The Web Configurator saves the filter settings if you leave the View Log screen and return to it later.
  • Page 175 This displays when you show the filter. Select the service whose log messages you would like to see. The Web Configurator uses the protocol and destination port number(s) of the service to select which log messages you see.
  • Page 176: View AP Log

    This field displays the destination IP address and the port number of the event that generated the log message. Note This field displays any additional information about the log message. 6.36.2 View AP Log Click on Monitor > Log > View AP Log to open the following screen.
  • Page 177 Select a policy service available from from the pull down menu. Zyxel Device Keyword Type a keyword of the policy service available from to search for a log. Protocol Select the protocol of the AP from the pull down menu.
  • Page 178 Source This displays the source IP address of the selected log message. Destination This displays the source IP address of the selected log message. Note This field displays any additional information about the log message.
  • Page 179: Licensing

    Managed AP Service Wireless Controller V (Unlimited) SecuReporter SecuReporter 1-Year Standard Service • Unlimited log retention period • Log analysis for 30 days You can purchase an iCard and enter its license key at myZyxel to extend a service.
  • Page 180: Registration Screen

    Click Activate in this screen to enable both Trial and Standard services on this Zyxel Device. Click Configuration > Licensing > Registration > Service to open the screen as shown next. Figure 147 Configuration > Licensing > Registration > Service
  • Page 181 Then, click Activate to connect with the myZyxel server to activate the new license. Service License Refresh Click this button to renew service license information (such as the registration status and expiration day). Note: It is recommended you use this button after you register for a new service.
  • Page 182: Signature Update

    This field displays the signatures version number currently used by the Zyxel Device. This number gets larger as new signatures are added. Released Date This field displays the date and time the set was released.
  • Page 183: Auto Update

    Weekly Select this option to have the Zyxel Device check for new signatures once a week on the day and at the time specified. Click this button to save your changes to the Zyxel Device.
  • Page 184: Wireless

    8.2 Controller Screen Use this screen to set how the Zyxel Device allows new APs to connect to the network. Click Configuration > Wireless > Controller to access this screen. Figure 150 Configuration > Wireless > Controller
  • Page 185: AP Management Screens

    Click on the icon to go to the OneSecurity website where there is guidance on configuration walkthroughs and other information. 8.3.1 Mgnt. AP List Figure 151 Configuration > Wireless > AP Management > Mgnt. AP List
  • Page 186 AP’s management VLAN ID does not match the Mgnt. VLAN ID(AC). This field displays n/a if the Zyxel Device cannot get VLAN information from the AP. Description This field displays the AP’s description, which you can configure by selecting the AP’s entry and clicking the Edit button.
  • Page 187 Select an AP and click the Edit button in the Configuration > Wireless > AP Management table to display this screen. Figure 152 Configuration > Wireless > AP Management > Mgnt. AP List > Edit AP List
  • Page 188 The managed APs in the same ZyMesh must use the same static VLAN ID. Override Group Output Power Setting Select this option to overwrite the AP output power setting with the setting you configure here.
  • Page 189: AP Policy

    APs take if the current AP controller fails. Click Configuration > Wireless > AP Management > AP Policy to access this screen. Figure 153 Configuration > Wireless > AP Management > AP Policy
  • Page 190: AP Group

    APs in the group. An AP can belong to one AP group at a time. Click Configuration > Wireless > AP Management > AP Group to access this screen. Figure 154 Configuration > Wireless > AP Management > AP Group
  • Page 191 This is the total number of APs which belong to this group. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings.
  • Page 192 Click Add or select an AP group and click the Edit button in the Configuration > Wireless > AP Management > AP Group table to display this screen. Figure 155 Configuration > Wireless > AP Management > AP Group > Add/Edit
  • Page 193 APs. Note: Reducing the output power also reduces the Zyxel Device’s effective broadcast radius. Edit Select an SSID and click this button to reassign it. The selected SSID becomes editable immediately upon clicking.
  • Page 194 Use this section to configure wireless network traffic load balancing between the managed APs in this group. Note: Load balancing is not supported on the radio which is working in root AP or repeater AP mode.
  • Page 195 Click this button to overwrite the settings of all managed APs in this group with the settings Setting you configure here. All Override Group check boxes on the AP Management > Mgnt. AP List > Edit AP List screen for the APs in this group will be deselected.
  • Page 196: Firmware

    Zyxel Device will delete an existing firmware that no AP is using before downloading the new AP firmware. Click Configuration > Wireless > AP Management > Firmware to access this screen. Figure 156 Configuration > Wireless > AP Management > Firmware
  • Page 197: Mon Mode

    Click Configuration > Wireless > MON Mode to access this screen.
  • Page 198 Once the File Path field has been populated, click Importing to bring the list into the Zyxel Device. Exporting Click this button to export the current list of either rogue APs or friendly APs.
  • Page 199: Add/Edit Rogue/Friendly List

    Enter up to 60 characters for the AP’s description. Spaces and underscores are allowed. Role Select either Rogue AP or Friendly AP for the AP’s role. Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to close the window with changes unsaved.
  • Page 200: Auto Healing

    Zyxel Device to create maps, alerts, and reports. The Ekahau RTLS Controller is the centerpiece of the RTLS system. This server software runs on a Windows computer to track and locate Ekahau tags from Wi-Fi signal strength measurements. Use the Zyxel
  • Page 201: What You Can Do In This Chapter

    RTLS Controller is behind a firewall. For example, if the Ekahau RTLS Controller is behind a firewall, open ports 8550, 8553, and 8569 to allow traffic the APs send to reach the Ekahau RTLS Controller.
  • Page 202: Configuring RTLS

    Server Port Specify the server port number of the Ekahau RTLS Controller. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings.
  • Page 203: Technical Reference

    AP, signal strength, activity, and so on. Finally, there is an alternative four channel scheme for ETSI, consisting of channels 1, 5, 9, 13. This offers significantly less overlap than the other one.
  • Page 204: Load Balancing

    AP has the bandwidth to spare. If too many people connect and the AP hits its bandwidth cap then all new connections must basically wait for their turn or get shunted to the nearest identical AP.
  • Page 205: Interfaces

    9.1.2 What You Need to Know Interface Characteristics Interfaces generally have the following characteristics (although not all characteristics apply to each type of interface). • An interface is a logical entity through which (layer-3) packets pass.
  • Page 206 Table 87 Ethernet, PPP, Cellular, VLAN, Bridge, and Virtual Interface Characteristics CHARACTERISTICS ETHERNET ETHERNET CELLULAR VLAN BRIDGE VIRTUAL Name* wan1, wan2 lan1, lan2, pppx cellularx vlanx Configurable Zone IP Address Assignment Static IP address DHCP client Routing metric Interface Parameters
  • Page 207 Table 88 Relationships Between Different Types of Interfaces INTERFACE REQUIRED PORT / INTERFACE Ethernet interface physical port VLAN interface Ethernet interface bridge interface Ethernet interface* VLAN interface* PPP interface Ethernet interface* VLAN interface* bridge interface WAN1, WAN2, OPT*
  • Page 208 (start from the left) in the address compose the network address. The prefix length is written as “/x” where x is a number. For example, 2001:db8:1a2b:15::1a2f:0/32 means that the first 32 bits (2001:db8) from the left are the network prefix.
  • Page 209 The hosts then can use the prefix to generate their IPv6 addresses. IPv6 Router Advertisement An IPv6 router sends router advertisement messages periodically to advertise its presence and other parameters to the hosts in the same network. ZyWALL ATP Series User’s Guide...
  • Page 210: What You Need To Do First

    Zyxel Device's lan1, lan2, ext-wlan, ext-lan or dmz IP address. • Use the appropriate lan1, lan2, ext-wlan, ext-lan or dmz IP address to access the Zyxel Device. Figure 165 Configuration > Network > Interface > Port Role Physical Ports Default interface (ZONE) ZyWALL ATP Series User’s Guide...
  • Page 211: Ethernet Summary Screen

    The Zyxel Device supports the following routing protocols: RIP, OSPF and BGP. See Chapter 10 on page 310 for background information about these routing protocols. ZyWALL ATP Series User’s Guide...
  • Page 212 This field is a sequential value, and it is not associated with any interface. Status This icon is lit when the entry is active and dimmed when the entry is inactive. Name This field displays the name of the interface. ZyWALL ATP Series User’s Guide...
  • Page 213: Ethernet Edit

    • Override the default link cost and authentication method for the selected area. • Select in which direction(s) routing information is exchanged - The Zyxel Device can receive routing information, send routing information, or do both. ZyWALL ATP Series User’s Guide...
  • Page 214 • Enable IGMP Upstream (US) on the Zyxel Device interface that connects to a router (R) running IGMP that is closer to the multicast server (MS). • Enable IGMP Downstream on the Zyxel Device interface which connects to the multicast hosts. Figure 167 IGMP Proxy ZyWALL ATP Series User’s Guide...
  • Page 215 Chapter 9 Interfaces Figure 168 Configuration > Network > Interface > Ethernet > Edit (External Type) ZyWALL ATP Series User’s Guide...
  • Page 216 Chapter 9 Interfaces Configuration > Network > Interface > Ethernet > Edit (External Type)
  • Page 217 Chapter 9 Interfaces Figure 169 Configuration > Network > Interface > Ethernet > Edit (Internal Type)
  • Page 218 Chapter 9 Interfaces Figure 170 Configuration > Network > Interface > Ethernet > Edit (OPT) ZyWALL ATP Series User’s Guide...
  • Page 219 Click this button to display a greater or lesser number of configuration fields. Settings / Hide Advanced Settings Create New Object Click this button to create a DHCPv6 lease or DHCPv6 request object that you may use for the DHCPv6 settings in this screen. General Settings ZyWALL ATP Series User’s Guide...
  • Page 220 Enter the IP address for this interface. Subnet Mask Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network. ZyWALL ATP Series User’s Guide...
  • Page 221 Select an entry and click References to check which settings use the entry. This field is a sequential value, and it is not associated with any entry. Delegated Select the DHCPv6 request object to use from the drop-down list. Prefix ZyWALL ATP Series User’s Guide...
  • Page 222 (Client is selected). Interface When Relay is selected, select this check box and an interface from the drop-down list if you want to use it as the relay server. ZyWALL ATP Series User’s Guide...
  • Page 223 Select an entry in this table and click this to delete it. This field is a sequential value, and it is not associated with any entry. Delegated Select the DHCPv6 request object to use for generating the network prefix for the network. Prefix ZyWALL ATP Series User’s Guide...
  • Page 224 This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check. DHCP Setting This section appears when Interface Type is internal or general. ZyWALL ATP Series User’s Guide...
  • Page 225 This table is available if you selected DHCP server. Options Configure this table if you want to send more information to DHCP clients through DHCP packets. Click this to create an entry in this table. See Section 9.3.6 on page 232. ZyWALL ATP Series User’s Guide...
  • Page 226 Choices are 1, 2, and 1 and 2. Receive Version This field is effective when RIP is enabled. Select the RIP version(s) used for receiving RIP packets. Choices are 1, 2, and 1 and 2. ZyWALL ATP Series User’s Guide...
  • Page 227 Enable Proxy ARP Select this to allow the Zyxel Device to answer external interface ARP requests on behalf of a device on its internal interface. Interfaces supported are Ethernet, VLAN, and Bridge. See Section 9.3.2 on page 228 for more information.
  • Page 228: Proxy Arp

    From then on the sender will send packets containing that target IP address directly to the external interface of the Zyxel Device. The Zyxel Device then forwards the packet to the correct target IP address in its LAN. ZyWALL ATP Series User’s Guide...
  • Page 229: Virtual Interfaces

    Like other interfaces, virtual interfaces have an IP address, subnet mask, and gateway used to make routing decisions. However, you have to manually specify the IP address and subnet mask; virtual ZyWALL ATP Series User’s Guide...
  • Page 230: References

    When a configuration screen includes a References icon, select a configuration object and click References to open the References screen. This screen displays which configuration settings reference the selected object. The fields shown vary with the type of object.
  • Page 231: Add/Edit Dhcpv6 Request/Release Options

    Figure 175 Configuration > Network > Interface > Ethernet > Edit > Add DHCPv6 Request/Lease Options Select a DHCPv6 request or lease object in the Select one object field and click OK to save it. Click Cancel to exit without saving the setting. ZyWALL ATP Series User’s Guide...
  • Page 232: Add/Edit Dhcp Extended Options

    If you selected VIVC (124), enter the details of the hardware configuration of the host on which Class the client is running, or of industry consortium compliance. First Information, If you selected VIVS (125), enter additional information for the corresponding enterprise Second number in these fields. Information ZyWALL ATP Series User’s Guide...
  • Page 233: Ppp Interfaces

    TFTP; however, the option may be used for purposes other than contacting a VoIP configuration server. 9.4 PPP Interfaces Use PPPoE/PPTP/L2TP interfaces to connect to your ISP. This way, you do not have to install or manage PPPoE/PPTP/L2TP software on each computer in the network. ZyWALL ATP Series User’s Guide...
  • Page 234: Ppp Interface Summary

    ISP as a gateway. 9.4.1 PPP Interface Summary This screen lists every PPPoE/PPTP/L2TP interface. To access this screen, click Configuration > Network > Interface > PPP. Figure 178 Configuration > Network > Interface > PPP ZyWALL ATP Series User’s Guide...
  • Page 235: Ppp Interface Add Or Edit

    > System > IPv6 screen, you can also configure PPP interfaces used for your IPv6 networks on this screen. To access this screen, click the Add icon or an Edit icon in the PPP Interface screen. ZyWALL ATP Series User’s Guide...
  • Page 236 Chapter 9 Interfaces Figure 179 Configuration > Network > Interface > PPP > Add ZyWALL ATP Series User’s Guide...
  • Page 237 Use Fixed IP Select this if you want to specify the IP address manually. Address IP Address This field is enabled if you select Use Fixed IP Address. Enter the IP address for this interface. ZyWALL ATP Series User’s Guide...
  • Page 238 This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique and used for identification purposes when the interface is exchanging DHCPv6 messages with others. See DHCPv6 on page 210 for more information. ZyWALL ATP Series User’s Guide...
  • Page 239 Enter the number of seconds to wait for a response before the attempt is a failure. Check Fail Enter the number of consecutive failures before the Zyxel Device stops routing through the Tolerance gateway. Check Default Select this to use the default gateway for the connectivity check. Gateway ZyWALL ATP Series User’s Guide...
  • Page 240: Cellular Configuration Screen

    Note: The actual data rate you obtain varies depending on your mobile environment. The environmental factors may include the number of mobile devices which are currently connected to the mobile network, the signal strength to the mobile network, and so on. ZyWALL ATP Series User’s Guide...
  • Page 241 To change your mobile broadband WAN settings, click Configuration > Network > Interface > Cellular. Note: Install (or connect) a compatible mobile broadband USB device to use a cellular connection. Note: The WAN IP addresses of a Zyxel Device with multiple WAN interfaces must be on different subnets. ZyWALL ATP Series User’s Guide...
  • Page 242 You should have an Internet connection to access this Dongle Support website. Latest Version This displays the latest supported mobile broadband dongle list version number. Current This displays the currently supported (by the Zyxel Device) mobile broadband dongle list Version version number. ZyWALL ATP Series User’s Guide...
  • Page 243: Cellular Choose Slot

    (or Edit). In the pop-up window that displays, select the slot that contains the mobile broadband device, then the Add Cellular configuration screen displays. 9.5.2 Add / Edit Cellular Configuration This screen displays after you select the slot that contains the mobile broadband device in the previous pop-up window. ZyWALL ATP Series User’s Guide...
  • Page 244 Chapter 9 Interfaces Figure 181 Configuration > Network > Interface > Cellular > Add / Edit ZyWALL ATP Series User’s Guide...
  • Page 245 Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: None: No authentication for outgoing calls. CHAP - Your Zyxel Device accepts CHAP requests only. PAP - Your Zyxel Device accepts PAP requests only. ZyWALL ATP Series User’s Guide...
  • Page 246 Check Period Enter the number of seconds between connection check attempts. Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure. ZyWALL ATP Series User’s Guide...
  • Page 247 (respectively). You may want to do this if you want to make sure the interface does not use the GSM network. Select LTE only to have this interface only use a 4G LTE network. This option only appears when a USG dongle for 4G technology is inserted. ZyWALL ATP Series User’s Guide...
  • Page 248 Enter a number from 1 to 99 in the percentage fields. If you of data budget change the value after you configure and enable budget control, the Zyxel Device resets the statistics. ZyWALL ATP Series User’s Guide...
  • Page 249: Tunnel Interfaces

    To route traffic between two IPv6 networks over an IPv4 network, an IPv6 over IPv4 tunnel has to be used. Figure 183 IPv6 over IPv4 Network On the Zyxel Device, you can either set up a manual IPv6-in-IPv4 tunnel or an automatic 6to4 tunnel. The following describes each method: ZyWALL ATP Series User’s Guide...
  • Page 250 An IPv6 address in 6to4 mode embeds an IPv4 address, in the following format: 2002:[a public IPv4 address in hexadecimal]::/48 For example, for the public IPv4 address 202.156.30.41, the converted hexadecimal IP string is ca.9c.1e.29, and the IPv6 address prefix becomes 2002:ca9c:1e29::/48.
  • Page 251: Configuring A Tunnel

    This field is a sequential value, and it is not associated with any interface. Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. Name This field displays the name of the interface. ZyWALL ATP Series User’s Guide...
  • Page 252: Tunnel Add Or Edit Screen

    Click Reset to begin configuring this screen afresh. 9.6.2 Tunnel Add or Edit Screen This screen lets you configure a tunnel interface. Click Configuration > Network > Interface > Tunnel > Add (or Edit) to open the following screen. ZyWALL ATP Series User’s Guide...
  • Page 253 Click this button to display a greater or lesser number of configuration fields. Settings / Hide Advanced Settings General Settings Enable Select this to enable this interface. Clear this to disable this interface. Interface Properties ZyWALL ATP Series User’s Guide...
  • Page 254 My Address Specify the interface or IP address to use as the source address for the packets this interface tunnels to the remote gateway. The remote gateway sends traffic to this interface or IP address. ZyWALL ATP Series User’s Guide...
  • Page 255 Click this link to go to the screen where you can manually configure a policy route to associate traffic with this interface. Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving. ZyWALL ATP Series User’s Guide...
  • Page 256: Vlan Interfaces

    In addition, broadcasts are limited to smaller, more logical groups of users. • Higher security - If each computer has a separate physical connection to the switch, then broadcast traffic in each VLAN is never sent to computers in another VLAN. ZyWALL ATP Series User’s Guide...
  • Page 257: Vlan Summary Screen

    IPv6 in the Configuration > System > IPv6 screen, you can also configure VLAN interfaces used for your IPv6 networks on this screen. To access this screen, click Configuration > Network > Interface > VLAN. Figure 190 Configuration > Network > Interface > VLAN ZyWALL ATP Series User’s Guide...
  • Page 258: Vlan Add/Edit

    Click Reset to return the screen to its last-saved settings. 9.7.2 VLAN Add/Edit Select an existing entry in the previous screen and click Edit or click Add to create a new entry. The following screen appears. ZyWALL ATP Series User’s Guide...
  • Page 259 Chapter 9 Interfaces Figure 191 Configuration > Network > Interface > VLAN > Add /Edit ZyWALL ATP Series User’s Guide...
  • Page 260 Chapter 9 Interfaces ZyWALL ATP Series User’s Guide...
  • Page 261 Select this if this interface is a DHCP client. In this case, the DHCP server configures the IP Automatically address, subnet mask, and gateway automatically. You should not select this if the interface is assigned to a VRRP group. ZyWALL ATP Series User’s Guide...
  • Page 262 Enter the priority of the gateway (if any) on this interface. The Zyxel Device decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the Zyxel Device uses the one that was configured first. ZyWALL ATP Series User’s Guide...
  • Page 263 This field is available if you set this interface to DHCPv6 Client. Select this to get an IPv6 IP address for this interface from the DHCP server. Clear this to not get any IP address information through DHCPv6. ZyWALL ATP Series User’s Guide...
  • Page 264 Click this to create an IPv6 prefix address. Edit Select an entry in this table and click this to modify it. Remove Select an entry in this table and click this to delete it. ZyWALL ATP Series User’s Guide...
  • Page 265 Select icmp to have the Zyxel Device regularly ping the gateway you specify to make sure it is still available. Select tcp to have the Zyxel Device regularly perform a TCP handshake with the gateway you specify to make sure it is still available. ZyWALL ATP Series User’s Guide...
  • Page 266 Type the IP address of the WINS (Windows Internet Naming Service) server that you want to Second WINS send to the DHCP clients. The WINS server keeps a mapping table of the computer names Server on your network and the IP addresses that they are currently using. ZyWALL ATP Series User’s Guide...
  • Page 267 Enter a description to help identify this static DHCP entry. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long. RIP Setting See Section 10.6 on page 311 for more information about RIP. Enable RIP Select this to enable RIP on this interface.
  • Page 268 It will not change unless you change the setting or upload a different configuration file. Proxy ARP Proxy ARP is available for external or general interfaces on the Zyxel Device. See Section on page 219 for more information on Proxy ARP. ZyWALL ATP Series User’s Guide...
  • Page 269: Bridge Interfaces

    Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving. 9.8 Bridge Interfaces This section introduces bridges and bridge interfaces and then explains the screens for bridge interfaces. ZyWALL ATP Series User’s Guide...
  • Page 270 The bridge interfaces also support more functions, like interface bandwidth parameters, DHCP settings, and connectivity check. To use the whole Zyxel Device as a transparent bridge, add all of the Zyxel Device’s interfaces to a bridge interface. ZyWALL ATP Series User’s Guide...
  • Page 271: Bridge Summary

    IPv6 in the Configuration > System > IPv6 screen, you can also configure bridge interfaces used for your IPv6 network on this screen. To access this screen, click Configuration > Network > Interface > Bridge. Figure 192 Configuration > Network > Interface > Bridge ZyWALL ATP Series User’s Guide...
  • Page 272: Bridge Add/Edit

    This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each bridge interface. To access this screen, click the Add or Edit icon in the Bridge Summary screen. The following screen appears. ZyWALL ATP Series User’s Guide...
  • Page 273 Chapter 9 Interfaces Figure 193 Configuration > Network > Interface > Bridge > Add / Edit ZyWALL ATP Series User’s Guide...
  • Page 274 Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields. View / IPv6 View Show Advanced Click this button to display a greater or lesser number of configuration fields. Settings / Hide Advanced Settings ZyWALL ATP Series User’s Guide...
  • Page 275 Type a string using up to 64 of these characters [a-zA-Z0-9!\"#$%&\'()*+,-./ :;<=>?@\[\\\]^_`{|}~] to identify this Zyxel Device to the DHCP server. For example, Zyxel- Use Fixed IP Select this if you want to specify the IP address, subnet mask, and gateway manually. Address ZyWALL ATP Series User’s Guide...
  • Page 276 Assign the prefix delegation to an internal interface and enable router advertisement on that interface. Click this to create an entry. Edit Select an entry and click this to change the settings. Remove Select an entry and click this to delete it from this table. ZyWALL ATP Series User’s Guide...
  • Page 277 See Section 9.3.4 on page 230 for an example. This field is a sequential value, and it is not associated with any entry. Name This field displays the name of the DHCPv6 request or lease object.
  • Page 278 Click this to create an entry in this table. Edit Select an entry in this table and click this to modify it. Remove Select an entry in this table and click this to delete it. ZyWALL ATP Series User’s Guide...
  • Page 279 If this field is blank, the Pool Size must also be blank. In this case, the Zyxel Device can assign every IP address allowed by the interface’s IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface’s IP address. ZyWALL ATP Series User’s Guide...
  • Page 280 A boot loader is a computer program that loads the operating system for the computer. File Type the exact file name of the boot loader software file, including filename extension, that is on the PXE server. If the wrong filename is typed, then the client computers cannot boot. ZyWALL ATP Series User’s Guide...
  • Page 281 Enable Proxy ARP Select this to allow the Zyxel Device to answer external interface ARP requests on behalf of a device on its internal interface. Interfaces supported are Ethernet, VLAN, and Bridge. See Section 9.3.2 on page 228 for more information.
  • Page 282: Vti

    In the following example, configure VPN tunnels with static IP addresses or DNS on both Zyxel Devices (or IPSec routers at the end of the tunnel). Also configure VTI and a trunk on both Zyxel Devices. Figure 194 VTI and Trunk for VPN Load Balancing
  • Page 283: Restrictions For Ipsec Virtual Tunnel Interface

    This shows the name of the associated IPSec VPN rule with VPN Tunnel Interface application scenario. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings. ZyWALL ATP Series User’s Guide...
  • Page 284: Vti Add/Edit

    Note: You should have created a VPN tunnel for a VPN Tunnel Interface scenario first. To access this screen, click the Add or Edit icon in Network > Interface > VTI. The following screen appears. Figure 196 Configuration > Network > Interface > VTI > Add ZyWALL ATP Series User’s Guide...
  • Page 285 Select tcp to have the Zyxel Device regularly perform a TCP handshake with the gateway you specify to make sure it is still available. Check Period Enter the number of seconds between connection check attempts. ZyWALL ATP Series User’s Guide...
  • Page 286 This field is available if the Authentication is MD5. Type the password for MD5 authentication. Authentication The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long. Related Setting ZyWALL ATP Series User’s Guide...
  • Page 287: Trunk Overview

    Zyxel Device can automatically send its traffic through another interface. You can also use trunks with policy routing to send specific traffic types through the best WAN interface for that type of traffic. ZyWALL ATP Series User’s Guide...
  • Page 288 The outbound bandwidth utilization is used as the load balancing index. In this example, the measured (current) outbound throughput of WAN 1 is 412K and WAN 2 is 198K. The Zyxel Device calculates the load balancing index as shown in the table below. ZyWALL ATP Series User’s Guide...
  • Page 289 Spillover load balancing only uses the second interface when the traffic load exceeds the threshold on the first interface. This fully utilizes the bandwidth of the first interface to reduce Internet usage fees and avoid overloading the interface. ZyWALL ATP Series User’s Guide...
  • Page 290: The Trunk Summary Screen

    Click Configuration > Network > Interface > Trunk to open the Trunk screen. The Trunk Summary screen lists the configured trunks and the load balancing algorithm that each is configured to use. Figure 200 Configuration > Network > Interface > Trunk ZyWALL ATP Series User’s Guide...
  • Page 291: Configuring A User-Defined Trunk

    Click Configuration > Network > Interface > Trunk, in the User Configuration table click the Add (or Edit) icon to open the following screen. Use this screen to create or edit a WAN trunk entry. ZyWALL ATP Series User’s Guide...
  • Page 292 This column displays the priorities of the group’s interfaces. The order of the interfaces in the list is important since they are used in the order they are listed. ZyWALL ATP Series User’s Guide...
  • Page 293: Configuring The System Default Trunk

    Edit to open the following screen. Use this screen to change the load balancing algorithm and view the bandwidth allocations for each member interface. Note: The available bandwidth is allocated to each member interface equally and is not allowed to be changed for the default trunk. ZyWALL ATP Series User’s Guide...
  • Page 294 Egress Bandwidth This field displays with the least load first or spillover load balancing algorithm. It displays the maximum number of kilobits of data the Zyxel Device is to send out through the interface per second. ZyWALL ATP Series User’s Guide...
  • Page 295: Interface Technical Reference

    In many interfaces, you can also let the IP address and subnet mask be assigned by an external DHCP server on the network. In this case, the interface is a DHCP client. Virtual interfaces, however, cannot be DHCP clients. You have to assign the IP address and subnet mask manually. ZyWALL ATP Series User’s Guide...
  • Page 296 DHCP request. The DHCP servers get the request; assign an IP address; and provide the IP address, subnet mask, gateway, and available network information to the DHCP client. When the DHCP client leaves the network, the DHCP servers can assign its IP address to another DHCP client. ZyWALL ATP Series User’s Guide...
  • Page 297 IP address. In this way WINS is similar to DNS, although WINS does not use a hierarchy (unlike DNS). A network can have more than one WINS server. Samba can also serve as a WINS server. ZyWALL ATP Series User’s Guide...
  • Page 298 It supports up to 256 bit session keys using the IPSec protocol. When security is a priority, L2TP is a good option as it requires certificates unlike PPTP. It uses the following ports: UDP 500, Protocol 50, UDP 1701 and UDP 4500. ZyWALL ATP Series User’s Guide...
  • Page 299: Routing

    • Use the Policy Route screens (see Section 10.2 on page 301) to list and configure policy routes. • Use the Static Route screens (see Section 10.3 on page 308) to list and configure static routes. ZyWALL ATP Series User’s Guide...
  • Page 300: What You Need To Know

    QoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the same priority. CoS (class of service) is a way of managing traffic in a network by grouping similar types of ZyWALL ATP Series User’s Guide...
  • Page 301: Policy Route Screen

    If you enabled IPv6 in the Configuration > System > IPv6 screen, you can also configure policy routes used for your IPv6 networks on this screen. Click on the icons to go to the OneSecurity website where there is guidance on configuration walkthroughs, troubleshooting, and other information. ZyWALL ATP Series User’s Guide...
  • Page 302 [ENTER] to move the rule to the number that you typed. The ordering of your rules is important as they are applied in order of their numbering. ZyWALL ATP Series User’s Guide...
  • Page 303: Policy Route Edit Screen

    IPv4 Configuration or IPv6 Configuration section. The Add Policy Route or Policy Route Edit screen opens. Use this screen to configure or edit a policy route. IPv4 and IPv6 policy routes have similar settings except for the Address Translation (SNAT) settings.
  • Page 304 Chapter 10 Routing Figure 206 Configuration > Network > Routing > Policy Route > Add/Edit (IPv4 Configuration) ZyWALL ATP Series User’s Guide...
  • Page 305 If the next hop is a dynamic VPN tunnel and you enable Auto Destination Address, the Zyxel Device uses the local network of the peer router that initiated an incoming dynamic IPSec tunnel as the destination address of the policy instead of your configuration here. ZyWALL ATP Series User’s Guide...
  • Page 306 Zyxel Device send the packets via the interfaces in the group. Interface This field displays when you select Interface in the Type field. Select an interface to have the Zyxel Device send traffic that matches the policy route through the specified interface. ZyWALL ATP Series User’s Guide...
  • Page 307 Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it. Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving. ZyWALL ATP Series User’s Guide...
  • Page 308: Ip Static Route Screen

    10.3.1 Static Route Add/Edit Screen Select a static route index number and click Add or Edit. The screen shown next appears. Use this screen to configure the required information for a static route. ZyWALL ATP Series User’s Guide...
  • Page 309 The number need not be precise, but it must be 0~127. In practice, 2 or 3 is usually a good number. Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving. ZyWALL ATP Series User’s Guide...
  • Page 310: Policy Routing Technical Reference

    Routing protocols give the Zyxel Device routing information about the network from other routers. The Zyxel Device stores this routing information in the routing table it uses to make routing decisions. In turn, the Zyxel Device can also use routing protocols to propagate routing information to other routers. ZyWALL ATP Series User’s Guide...
  • Page 311: What You Need To Know

    Metric field to specify the cost in RIP terms. • RIP uses UDP port 520. Use the RIP screen to specify the authentication method and maintain the policies for redistribution. Click Configuration > Network > Routing > RIP to open the following screen. ZyWALL ATP Series User’s Guide...
  • Page 312 0 and 16. In practice, 2 or 3 is usually used. Apply Click this button to save your changes to the Zyxel Device. Reset Click this button to return the screen to its last-saved settings. ZyWALL ATP Series User’s Guide...
  • Page 313: The Ospf Screen

    OSPF AS to which the NSSA is directly connected. It does not have any routing information about other networks outside the OSPF AS. Each type of area is illustrated in the following figure. ZyWALL ATP Series User’s Guide...
  • Page 314 • A backbone router (BR) has at least one interface with area 0. By default, every router in area 0 is a backbone router, and so is every ABR. Each type of router is illustrated in the following example. ZyWALL ATP Series User’s Guide...
  • Page 315 ABR in area 10. The virtual link becomes the connection between area 100 and the backbone. You cannot create a virtual link to a router in a different area. OSPF Configuration Follow these steps when you configure OSPF on the Zyxel Device. ZyWALL ATP Series User’s Guide...
  • Page 316: Configuring The Ospf Screen

    Select how OSPF calculates the cost associated with routing information from RIP. Choices are: Type 1 and Type 2. Type 1 - cost = OSPF AS cost + external cost (Metric) Type 2 - cost = external cost (Metric); the OSPF AS cost is ignored. ZyWALL ATP Series User’s Guide...
  • Page 317: Ospf Area Add/Edit Screen

    The OSPF Area Add/Edit screen allows you to create a new area or edit an existing one. To access this screen, go to the OSPF summary screen (see Section 10.7 on page 313), and click either the Add icon or an Edit icon. Figure 216 Configuration > Network > Routing > OSPF > Add ZyWALL ATP Series User’s Guide...
  • Page 318 This field is a sequential value, and it is not associated with a specific area. Peer Router ID This is the 32-bit ID (in IP address format) of the other ABR in the virtual link. ZyWALL ATP Series User’s Guide...
  • Page 319: Virtual Link Add/Edit Screen

    317) has the Type set to Normal, a Virtual Link table displays. Click either the Add icon or an entry and the Edit icon to display a screen like the following. Figure 217 Configuration > Network > Routing > OSPF > Add > Add ZyWALL ATP Series User’s Guide...
  • Page 320: Bgp (Border Gateway Protocol)

    Autonomous Systems (AS). An AS number is a number from 1 to 4294967295 that identifies an autonomous system. 4200000000 – 4294967294 are private AS numbers. See Section 10.7 on page 313 for more information on autonomous systems. Figure 218 eBGP Concept
  • Page 321: Allow Bgp Packets To Enter The Zyxel Device

    Figure 219 Allow BGP to the Zyxel Device 10.8.2 Configuring the BGP Screen Use this screen to configure BGP information about the Zyxel Device and its peer BGP routers. Click Configuration > Network > Routing > BGP to open the following screen. ZyWALL ATP Series User’s Guide...
  • Page 322 Note: You may configure up to 16 network routes. Click this to configure network information for a new route. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. ZyWALL ATP Series User’s Guide...
  • Page 323: The Bgp Neighbors Screen

    Multihop is not established if the only route to the multihop peer is a default route. This avoids loop formation. EBGP Maximum Enter a maximum hop count from <1-255>. The default is 255. Hops ZyWALL ATP Series User’s Guide...
  • Page 324: Example Scenario

    • PE: The provider edge router is located at the edge of the service provider MPLS network. • MPLS: MultiProtocol Label Switching (MPLS) forwards data from one network node to the next based on path labels rather than network addresses.
  • Page 325 Configuration > Network > Routing > BGP > Add Neighbors. Note: The maximum number of neighboring BGP routers supported by the Zyxel Device is 5. Configure the network for BGP routes in the neighboring AS. Note: You may configure up to 16 network routes.
  • Page 326: DDNS

    Note: Record your DDNS account’s user name, password, and domain name to use to configure the Zyxel Device. After you configure the Zyxel Device, it automatically sends updated IP addresses to the DDNS service provider, which helps redirect traffic accordingly.
  • Page 327: The DDNS Screen

    - The IP address comes from the specified interface. auto detected - The DDNS server checks the source IP address of the packets from the Zyxel Device for the IP address to use for the domain name. custom - The IP address is static.
  • Page 328: The Dynamic DNS Add/Edit Screen

    The DDNS Add/Edit screen allows you to add a domain name to the Zyxel Device or to edit the configuration of an existing domain name. Click Configuration > Network > DDNS and then an Add or Edit icon to open this screen. Figure 224 Configuration > Network > DDNS > Add
  • Page 329 Spaces are not allowed. For a Dynu DDNS entry, this user name is the one you use for logging into the service, not the name recorded in your personal information in the Dynu website.
  • Page 330 Enable the wildcard feature to alias subdomains to the same IP address as your (dynamic) domain name. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname.
  • Page 331 URL to get the server’s public IP address - for example, http://myip.easylife.tw/ Click OK to save your changes back to the Zyxel Device. Cancel: Click Cancel to exit this screen without saving.
  • Page 332: NAT

    The following list specifies the ports used by the server process as its contact ports. See Section 34.7 on page 628 (Configuration > Object > Service) for more information about service objects.
  • Page 333: The NAT Screen

    The NAT summary screen provides a summary of all NAT rules and their configuration. In addition, this screen allows you to create new NAT rules and edit and delete existing NAT rules. To access this screen, ...
  • Page 334 This field displays the original destination IP address (or address object) of traffic that matches this NAT entry. It displays any if there is no restriction on the original destination IP address. Internal IP: This field displays the new destination IP address for the packet.
  • Page 335: The NAT Add/Edit Screen

    Type in the name of the NAT rule. The name is used to refer to the NAT rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  • Page 336 This field displays for Many 1:1 NAT. Select to which translated destination IP address subnet or IP address range this NAT rule forwards packets. The original and mapped IP address subnets or ranges must have the same number of IP addresses.
  • Page 337 Click OK to save your changes back to the Zyxel Device. Cancel: Click Cancel to return to the NAT summary screen without creating the NAT rule (if it is new) or saving any changes (if it already exists).
  • Page 338: NAT Technical Reference

    The LAN user’s computer then sends traffic to IP address 1.1.1.1. NAT loopback uses the IP address of the Zyxel Device’s LAN interface (192.168.1.1) as the source address of the traffic going from the LAN users to the LAN SMTP server.
  • Page 339 NAT, the source would not match the original destination address which would cause the LAN user’s computer to shut down the session. Figure 231 LAN to LAN Return Traffic
  • Page 340: Redirect Service

    Device and wants to send an email, its SMTP message is redirected to SMTP server A. SMTP server A then sends it to a mail server, where the message will be delivered to the recipient. The Zyxel Device forwards SMTP traffic using TCP port 25.
  • Page 341: What You Can Do In This Chapter

    If it is not found, the proxy gets it from the specified server and forwards the response to the client. HTTP Redirect, Security Policy and Policy Route: With HTTP redirect, the relevant packet flow for HTTP traffic is: Security Policy, Application Patrol, HTTP Redirect, Policy Route.
  • Page 342 You also need to manually configure a policy route to forward the SMTP traffic from the SMTP server to the Internet. To make the example in Figure 233 on page 341 work, make sure you have the following settings.
  • Page 343: The Redirect Service Screen

    The ordering of your rules is important as they are applied in order of their numbering. This field is a sequential value, and it is not associated with a specific entry.
  • Page 344: The Redirect Service Edit Screen

    Click Network > Redirect Service to open the Redirect Service screen. Then click the Add or Edit icon to open the Redirect Service Edit screen where you can configure the rule. Figure 235 Network > Redirect Service > Edit
  • Page 345 Enter the IP address of the HTTP proxy or SMTP server. Port: Enter the port number that the HTTP proxy or SMTP server uses. Click OK to save your changes back to the Zyxel Device. Cancel: Click Cancel to exit this screen without saving.
  • Page 346: ALG

    Zyxel Device dynamically creates an implicit NAT session and security policy session for the application’s traffic from the WAN to the LAN. The ALG on the Zyxel Device supports all of the Zyxel Device’s NAT mapping types.
  • Page 347 LAN zone to go to the WAN zone and blocks peer to peer calls from the WAN zone to the LAN zone. • The SIP ALG allows UDP packets with a specified port destination to pass through. • The Zyxel Device allows SIP audio connections.
  • Page 348 For example, you configure security policy and NAT rules to allow LAN IP address A to receive calls through public WAN IP address 1. You configure different security policy and port forwarding rules to allow LAN IP address B to receive calls through public WAN IP address 2. You configure corresponding ...
  • Page 349: Before You Begin

    SIP ALG time outs. Note: If the Zyxel Device provides an ALG for a service, you must enable the ALG in order to use the application patrol on that service’s traffic.
  • Page 350 If no voice packets go through the SIP ALG before the timeout period expires, the Zyxel Device deletes the audio session. You cannot hear anything and you will need to make a new call to continue your conversation.
  • Page 351: ALG Technical Reference

    Click Apply to save your changes back to the Zyxel Device. Reset: Click Reset to return the screen to its last-saved settings. 14.3 ALG Technical Reference Here is more detailed information about the Application Layer Gateway.
  • Page 352 When you make a VoIP call using H.323 or SIP, the RTP (Real time Transport Protocol) is used to handle voice data transfer. See RFC 1889 for details on RTP.
  • Page 353: UPnP

    • Dynamic port mapping • Learning public IP addresses • Assigning lease times to mappings Windows Messenger is an example of an application that supports NAT traversal and UPnP. See the NAT chapter for more information on NAT.
  • Page 354: Cautions With UPnP And NAT-PMP

    Disable UPnP or NAT-PMP if this is not your intention. 15.3 UPnP Screen Use this screen to enable UPnP and NAT-PMP on your Zyxel Device. Click Configuration > Network > UPnP to display the screen shown next. Figure 241 Configuration > Network > UPnP
  • Page 355: Technical Reference

    Make sure the computer is connected to a LAN port of the Zyxel Device. Turn on your computer and the Zyxel Device. Click the start icon, Control Panel and then the Network and Sharing Center.
  • Page 356 Select Turn on network discovery and click Save Changes. Network discovery allows your computer to find other computers and devices on the network and other computers on the network to find your computer. This makes it easier to share files and printers.
  • Page 357: Using UPnP In Windows XP Example

    In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. Figure 243 Internet Connection Properties You may edit or delete the port mappings or click Add to manually add port mappings.
  • Page 358 Select Show icon in notification area when connected option and click OK. An icon displays in the system tray. Figure 246 System Tray Icon Double-click on the icon to display your current Internet connection status.
  • Page 359: Web Configurator Easy Access

    Zyxel Device first. This is helpful if you do not know the IP address of the Zyxel Device. Follow the steps below to access the web configurator. Click Start and then Control Panel. Double-click Network Connections. Select My Network Places under Other Places.
  • Page 360 Right-click on the icon for your Zyxel Device and select Invoke. The web configurator login screen displays. Figure 249 Network Connections: My Network Places Right-click on the icon for your Zyxel Device and select Properties. A properties window displays with basic information about the Zyxel Device.
  • Page 361 Chapter 15 UPnP Figure 250 Network Connections: My Network Places: Properties: Example
  • Page 362: IP/MAC Binding

    366) to configure ranges of IP addresses to which the Zyxel Device does not apply IP/MAC binding. 16.1.2 What You Need to Know DHCP IP/MAC address bindings are based on the Zyxel Device’s dynamic and static DHCP entries.
  • Page 363: IP/MAC Binding Summary

    Interface: This is the name of an interface that supports IP/MAC binding. Number of Binding: This field displays the interface’s total number of IP/MAC bindings and IP addresses that the interface has assigned by DHCP.
  • Page 364: IP/MAC Binding Edit

    Device assigns the corresponding IP address. You can also access this table from the interface’s edit screen. Click this to create a new entry. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
  • Page 365: Static DHCP Edit

    Enter up to 64 printable ASCII characters to help identify the entry. For example, you may want to list the computer’s owner. Click OK to save your changes back to the Zyxel Device. Cancel: Click Cancel to exit this screen without saving.
  • Page 366: IP/MAC Binding Exempt List

    Click the Add icon to add a new entry. Click the Remove icon to delete an entry. A window displays asking you to confirm that you want to delete it. Apply: Click Apply to save your changes back to the Zyxel Device.
  • Page 367: Layer 2 Isolation

    368) to enable and configure the white list. 17.2 Layer-2 Isolation General Screen This screen allows you to enable Layer-2 isolation on the Zyxel Device and specific internal interface(s). To access this screen click Configuration > Network > Layer 2 Isolation.
  • Page 368: White List Screen

    IP addresses that are not listed in the white list are blocked from communicating with other devices in the layer-2-isolation-enabled internal interface(s) except for broadcast packets. To access this screen click Configuration > Network > Layer 2 Isolation > White List.
  • Page 369: Add/Edit White List Rule

    Note: You can configure up to 100 white list rules on the Zyxel Device. Note: You need to know the IP address of each connected device that you want to allow to be accessed by other devices when layer-2 isolation is enabled.
  • Page 370 Specify a description for the IP address associated with this rule. Enter up to 60 characters, spaces and underscores allowed. Click OK to save your changes back to the Zyxel Device. Cancel: Click Cancel to exit this screen without saving your changes.
  • Page 371: DNS Inbound LB

    Section 18.2 on page 372) to view a list of the configured DNS load balancing rules. • Use the Inbound LB Add/Edit screen (see Section 18.2.1 on page 373) to add or edit a DNS load balancing rule.
  • Page 372: The DNS Inbound LB Screen

    This field displays the order in which the Zyxel Device checks the member interfaces of this DNS load balancing rule. Query Domain Name: This field displays the domain name for which the Zyxel Device manages load balancing between the specified interfaces.
  • Page 373: The DNS Inbound LB Add/Edit Screen

    You can configure the Zyxel Device to apply DNS load balancing to some specific hosts only by configuring the Query From settings. Click Configuration > Network > Inbound LB and then the Add or Edit icon to open this screen.
  • Page 374 DNS server contacting other DNS servers. If the primary DNS server cannot provide the best answer, the client makes iteration queries to other configured DNS servers to resolve the name. You have to configure this field to the client’s IP address when iteration is used.
  • Page 375: The DNS Inbound LB Add/Edit Member Screen

    The Add Load Balancing Member screen allows you to add a member interface for the DNS load balancing rule. Click Configuration > Network > DNS Inbound LB > Add or Edit and then an Add or Edit icon to open this screen.
  • Page 376 Custom: Select this and enter another IP address to send to the DNS query senders. Click OK to save your changes back to the Zyxel Device. Cancel: Click Cancel to exit this screen without saving.
  • Page 377: IPnP

    Zyxel Device are not in the same subnet. Figure 264 IPnP Application 19.1.1 What You Can Do in this Chapter Use the IPnP screen (Section 19.2 on page 378) to enable IPnP on the Zyxel Device and the internal interface(s).
  • Page 378: IPnP Screen

    To remove an interface, select the name(s) in the Member list and click the left arrow button. Apply: Click Apply to save your changes back to the Zyxel Device. Reset: Click Reset to return the screen to its last-saved settings.
  • Page 379: IPSec VPN

    Diffie–Hellman key exchange algorithm to generate a shared secret key to encrypt IKE communications. This negotiation results in one single bi-directional ISAKMP Security Association (SA). The authentication can be performed using either pre-...
  • Page 380 Here a user uses his browser to securely connect to network resources in the same way as if he were part of the internal network. See Chapter 21 on page 415 for more on SSL VPN. Figure 267 SSL VPN
  • Page 381: What You Can Do In This Chapter

    IPSec router. The second phase uses the IKE SA to securely establish an IPSec SA through which the Zyxel Device and remote IPSec router can send data between computers on the local network and remote network. This is illustrated in the following figure.
  • Page 382 Between routers X and Y, the data is protected by tunneling, encryption, authentication, and other security features of the IPSec SA. The IPSec SA is secure because routers X and Y established the IKE SA first.
  • Page 383 Only this Zyxel Device can initiate the VPN tunnel. Finding Out More • See Section 20.6 on page 405 for IPSec VPN background information. • See the help in the IPSec VPN quick setup wizard screens.
  • Page 384: Before You Begin

    SA). Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Click on the icons to go to the OneSecurity website where there is guidance on configuration walkthroughs, troubleshooting and other information.
  • Page 385 To turn on an entry, select it and click Activate. Inactivate: To turn off an entry, select it and click Inactivate. Connect: To connect an IPSec SA, select it and click Connect. Disconnect: To disconnect an IPSec SA, select it and click Disconnect.
  • Page 386: The VPN Connection Add/Edit Screen

    The VPN Connection Add/Edit Gateway screen allows you to create a new VPN connection policy or edit an existing one. To access this screen, go to the Configuration > VPN Connection screen (see Section 20.2 on page 384), and click either the Add icon or an Edit icon.
  • Page 387 Chapter 20 IPSec VPN Figure 271 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit
  • Page 388 Here are some examples. IKEv2 SA-1: Zyxel Device (local policy) 192.168.20.0/24; remote IPSec router 192.168.20.1 ~ 192.168.20.20; narrowed 192.168.20.1 ~ 192.168.20.20. IKEv2 SA-2: Zyxel Device (local policy) 192.168.30.50 ~ 192.168.30.70; remote IPSec router 192.168.30.60 ~ 192.168.30.80; narrowed 192.168.30.60 ~ 192.168.30.70. VPN Gateway
  • Page 389 Access (Server Role). Enable Configuration Payload: Select this to have at least the IP address pool included in the VPN setup data. IP Address Pool: Select an address object from the drop-down list box.
  • Page 390 Select an entry and click this to be able to modify it. Remove: Select an entry and click this to delete it. This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly.
  • Page 391 Select tcp to have the Zyxel Device regularly perform a TCP handshake with the address you specify to make sure traffic can still go through the connection. You may need to configure the peer to accept the TCP connection.
  • Page 392 Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Edit: Select an entry and click this to be able to modify it. Remove: Select an entry and click this to delete it.
  • Page 393: The VPN Gateway Screen

    In addition, it also lets you activate and deactivate each VPN gateway. To access this screen, click Configuration > VPN > Network > IPSec VPN > VPN Gateway. The following screen appears. Figure 272 Configuration > VPN > IPSec VPN > VPN Gateway
  • Page 394: The VPN Gateway Add/Edit Screen

    The VPN Gateway Add/Edit screen allows you to create a new VPN gateway policy or edit an existing one. To access this screen, go to the VPN Gateway summary screen (see Section 20.3 on page 393), and click either the Add icon or an Edit icon.
  • Page 395 Chapter 20 IPSec VPN Figure 273 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit
  • Page 396 Select Dynamic Address if the remote IPSec router has a dynamic IP address (and does not use DDNS). Authentication Note: The Zyxel Device and remote IPSec router must use the same authentication method to establish the IKE SA.
  • Page 397 E-mail - the Zyxel Device is identified by the string you specify here; you can use up to 63 ASCII characters including spaces, although trailing spaces are truncated. This value is only used for identification and can be any string.
  • Page 398 The Zyxel Device and the remote IPSec router must use the same negotiation mode. Proposal: Use this section to manage the encryption algorithm and authentication algorithm pairs the Zyxel Device accepts from the remote IPSec router for negotiating the IKE SA. Click this to create a new entry.
  • Page 399 This field applies for IKEv1 only. Dead Peer Detection (DPD) is always performed when you use IKEv2. X Auth / Extended Authentication Protocol: This part of the screen displays X-Auth when using IKEv1 and Extended Authentication Protocol when using IKEv2.
  • Page 400 Type the exact same password again here to make sure an error was not made when typing it originally. Click OK to save your settings and exit this screen. Cancel: Click Cancel to exit this screen without saving.
  • Page 401: VPN Concentrator

    • To have all Internet access from the spoke routers go through the VPN tunnel, set the VPN rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address. • Your security policies can still block VPN packets.
  • Page 402: VPN Concentrator Screen

    Use the VPN Concentrator Add/Edit screen to create or edit a VPN concentrator. To access this screen, go to the VPN Concentrator summary screen (see Section 20.4 on page 401), and click either the Add icon or an Edit icon.
  • Page 403: Zyxel Device IPSec VPN Client Configuration Provisioning

    You do not need to manually configure all rule settings in the Zyxel Device IPSec VPN client. VPN rules for the Zyxel Device IPSec VPN Client have certain restrictions. They must not contain the following settings: • AH active protocol • NULL encryption • SHA512 authentication
  • Page 404 User pair in a new entry if the same pair exists in a previous entry. You can bind different rules to the same user, but the Zyxel Device will only allow VPN rule setting retrieval for the first match found.
  • Page 405: IPSec VPN Background Information

    The IKE SA provides a secure connection between the Zyxel Device and remote IPSec router. It takes several steps to establish an IKE SA. The negotiation mode determines how many. There are two negotiation modes--main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster.
  • Page 406 In most Zyxel Devices, you can select one of the following encryption algorithms for each proposal. The algorithms are listed in order from weakest to strongest. • Data Encryption Standard (DES) is a widely used method of data encryption. It applies a 56-bit key to each 64-bit block of data.
  • Page 407 In main mode, the Zyxel Device and remote IPSec router authenticate each other in steps 5 and 6, as illustrated below. The identities are also encrypted using the encryption algorithm and encryption key the Zyxel Device and remote IPSec router selected in previous steps.
  • Page 408 REMOTE IPSEC ROUTER Local ID type: E-mail Local ID type: IP Local ID content: tom@yourcompany.com Local ID content: 1.1.1.2 Peer ID type: IP Peer ID type: E-mail Peer ID content: 1.1.1.2 Peer ID content: tom@yourcompany.com
  • Page 409 IPSec router may be a telecommuter who does not have a static IP address. VPN, NAT, and NAT Traversal In the following example, there is another router (A) between router X and router Y.
  • Page 410 If you use extended authentication, it takes four more steps to establish an IKE SA. These steps occur at the end, regardless of the negotiation mode (steps 7-10 in main mode, steps 4-7 in aggressive mode).
  • Page 411 Note: The Zyxel Device and remote IPSec router must use the same encapsulation. These modes are illustrated below. Figure 282 VPN: Transport and Tunnel Mode Encapsulation
  • Page 412 For authentication, the Zyxel Device and remote IPSec router use the SPI, instead of pre-shared keys, ID type and content. The SPI is an identification number. Note: The Zyxel Device and remote IPSec router must use the same SPI.
  • Page 413 Source Address in Inbound Packets (Inbound Traffic, Source NAT) You can set up this translation if you want to change the source address of computers in the remote network. To set up this NAT, you have to specify the following information:
  • Page 414 • Mapped Port - the translated destination port or range of destination ports. The original port range and the mapped port range must be the same size. IPSec VPN Example Scenario Here is an example site-to-site IPSec VPN scenario. Figure 284 Site-to-site IPSec VPN Example
  • Page 415: SSL VPN

    • limit user access to specific applications or file sharing server on the network. • allow user access to specific networks. • assign private IP addresses and provide DNS/WINS server information to remote users to access internal networks.
  • Page 416: The SSL Access Privilege Screen

    Click VPN > SSL VPN to open the Access Privilege screen. This screen lists the configured SSL access policies. Click on the icons to go to the OneSecurity website where there is guidance on configuration walkthroughs, troubleshooting and other information. Figure 286 VPN > SSL VPN > Access Privilege
  • Page 417: The SSL Access Privilege Policy Add/Edit Screen

    Click Reset to discard all changes. 21.2.1 The SSL Access Privilege Policy Add/Edit Screen To create a new or edit an existing SSL access policy, click the Add or Edit icon in the Access Privilege screen.
  • Page 418 Select the zone to which to add this SSL access policy. You use zones to apply security settings such as security policy and remote management. Description: Enter additional information about this SSL access policy. You can enter up to 60 characters ("0-9", "a-z", "A-Z", "-" and "_").
  • Page 419: The SSL Global Setting Screen

    Click VPN > SSL VPN and click the Global Setting tab to display the following screen. Use this screen to set the IP address of the Zyxel Device (or a gateway device) on your network for full tunnel mode access.
  • Page 420 Leave this field to the default settings unless it conflicts with another interface. Apply: Click Apply to save the changes and/or start the logo file upload process. Reset: Click Reset to return the screen to its last-saved settings.
  • Page 421: L2TP VPN

    You must configure an IPSec VPN connection prior to proper L2TP VPN usage (see Chapter 22 on page for details). The IPSec VPN connection must: • Be enabled. • Use transport mode. • Use Pre-Shared Key authentication.
  • Page 422: L2TP VPN Screen

    Click on the icons to go to the OneSecurity website where there is guidance on configuration walkthroughs, troubleshooting, and other information.
  • Page 423 Server Certificate: Select the certificate to use to identify the Zyxel Device for L2TP VPN connections. You must have certificates already configured in the My Certificates screen. The certificate is used with the EAP, PEAP, and MSCHAPv2 authentication protocols.
  • Page 424: Example: L2TP And Zyxel Device Behind A NAT Router

    Zyxel Device (Z) using L2TP over IPv4. Figure 292 L2TP and Zyxel Device Behind a NAT Router Create an address object in Configuration > Object > Address/GEO IP > Address for the WAN IP address of the NAT router.
  • Page 425 Select Remote Access (Server Role) as the VPN scenario for the remote client. Select the NAT router WAN IP address object as the Local Policy. Go to Configuration > VPN > L2TP VPN and select the VPN Connection just configured.
  • Page 426: BWM (Bandwidth Management)

    If the BWM type is set to Per user in a rule, each user that matches the rule can use up to the configured bandwidth on his/her own. Select the Per-Source-IP type when you want to set the maximum bandwidth for traffic from an individual source IP address.
  • Page 427 WAN interface on the Zyxel Device. • Inbound traffic comes back from the WAN device to the LAN1 device. Bandwidth management is applied before sending the traffic out a LAN1 interface.
  • Page 428 • The Zyxel Device uses a fairness-based (round-robin) scheduler to divide bandwidth among traffic flows with the same priority. • The Zyxel Device automatically treats traffic with bandwidth management disabled as priority 7 (the lowest priority).
  • Page 429 In the following table, the configured rates total less than the available bandwidth and maximize bandwidth usage is disabled, so both servers get their configured rate. Table 169 Configured Rate Effect POLICY CONFIGURED RATE MAX. B. U. PRIORITY ACTUAL RATE 300 kbps 300 kbps 200 kbps 200 kbps
  • Page 430: The Bandwidth Management Configuration

    Zyxel Device handles the DSCP value and allocate bandwidth for the matching packets. Click Configuration > BWM to open the following screen. This screen allows you to enable/disable bandwidth management and add, edit, and remove user-defined bandwidth management policies.
  • Page 431 This is the schedule that defines when the policy applies. none means the policy always applies. Incoming Interface: This is the source interface of the traffic to which this policy applies. Outgoing Interface: This is the destination interface of the traffic to which this policy applies.
  • Page 432 The “af” choices stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences. Apply: Click Apply to save your changes back to the Zyxel Device. Reset: Click Reset to return the screen to its last-saved settings.
  • Page 433: The Bandwidth Management Add/Edit Screen

    To access this screen, go to the Configuration > Bandwidth Management screen (see Section 23.2 on page 430), and click either the Add icon or an Edit icon. Figure 298 Configuration > Bandwidth Management > Edit (For the Default Policy)
  • Page 434 • Shared, when the policy is set for all users • Per User, when the policy is set for an individual user or a user group • Per Source IP, when the policy is set for a source IP
  • Page 435 Select preserve to have the Zyxel Device keep the packets’ original DSCP value. Select default to have the Zyxel Device set the DSCP value of the packets to 0. Bandwidth Shaping: Configure these fields to set the amount of bandwidth the matching traffic can use.
  • Page 436 Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or neither (no) when any traffic matches this policy. Click OK to save your changes back to the Zyxel Device. Cancel: Click Cancel to exit this screen without saving your changes.
  • Page 437 User Name: Type a user or user group object name of the rule. User Type: Select a user type from the drop down menu. The user types are Admin, Limited admin, User, Guest, Ext-user, Ext-group-user.
  • Page 438 This shows the Lease Time setting for the user, by default it is 1,440 minutes. Reauthentication Time: This shows the Reauthentication Time for the user, by default it is 1,440 minutes. Click OK to save the setting. Cancel: Click Cancel to abandon this screen.
  • Page 439 Stop Date Click the icon menu on the right to choose a Stop Date for the schedule object. Stop Time Click the icon menu on the right to choose a Stop Time for the schedule object.
  • Page 440 Select an Address Type from the drop down menu on the right. The Address Types are Host, Range, Subnet, Interface IP, Interface Subnet, and Interface Gateway. IP Address Enter an IP address for the Address object. Click OK to save the setting. Cancel Click Cancel to abandon the setting. ZyWALL ATP Series User’s Guide...
  • Page 441: Web Authentication

    442) to create and manage web authentication policies. • Use the Configuration > Web Authentication > SSO screen (Section 24.3 on page 458) to configure how the Zyxel Device communicates with a Single Sign-On agent. ZyWALL ATP Series User’s Guide...
  • Page 442: What You Need To Know

    24.2 Web Authentication General Screen The Web Authentication General screen displays the general web portal settings and web authentication policies you have configured on the Zyxel Device. Use this screen to enable web authentication on the Zyxel Device. ZyWALL ATP Series User’s Guide...
  • Page 443 User Agreement General Setting Enforce data Select this to require users to fill in their registration information (name, telephone number, collection address and email address) on the User Agreement (PC or mobile) page. ZyWALL ATP Series User’s Guide...
  • Page 444 This displays the destination address object, including geographic address and FQDN (group) objects, to which this policy applies. Schedule This field displays the schedule object that dictates when the policy applies. none means the policy is active at all times if enabled. ZyWALL ATP Series User’s Guide...
  • Page 445 Then click OK to apply the changes and return to the main Web Authentication screen. Alternatively, click Cancel to discard the changes and return to the main Web Authentication screen. Figure 306 Configuration > Web Authentication > General > Add Exceptional Service ZyWALL ATP Series User’s Guide...
  • Page 446 This is any and not configurable for the default policy. Schedule Select a schedule that defines when the policy applies. Otherwise, select none and the rule is always effective. This is none and not configurable for the default policy. ZyWALL ATP Series User’s Guide...
  • Page 447: User-Aware Access Control Example

    Click Configuration > Object > User/Group > User. Click the Add icon. Enter the same user name that is used in the RADIUS server, and set the User Type to ext-user because this user account is authenticated by an external server. Click OK. ZyWALL ATP Series User’s Guide...
  • Page 448 Member list. This example only has one member in this group, so click OK. Of course you could add more members later. Figure 309 Configuration > Object > User/Group > Group > Add Repeat this process to set up the remaining user groups. ZyWALL ATP Series User’s Guide...
  • Page 449 Figure 311 Configuration > Object > Auth. method > Edit Click Configuration > Web Authentication. In the Web Authentication > General screen, select Enable Web Authentication to turn on the web authentication feature and click Apply. ZyWALL ATP Series User’s Guide...
  • Page 450 Force User Authentication is selected. Select an authentication type profile (“default-web-portal” in this example). Keep the rest of the default settings, and click OK. Note: The users must log in at the Web Configurator login screen before they can use HTTP or MSN. ZyWALL ATP Series User’s Guide...
  • Page 451 Zyxel Device is to check to determine to which group a user belongs. This example uses Class. This attribute’s value is called a group identifier; it determines to which group a user belongs. In this example the values are Finance, Engineer, Sales, and Boss. ZyWALL ATP Series User’s Guide...
  • Page 452 Group > User. Click the Add icon. Enter a user name and set the User Type to ext-group-user. In the Group Identifier field, enter Finance, Engineer, Sales, or Boss and set the Associated AAA Server Object to radius. ZyWALL ATP Series User’s Guide...
  • Page 453: Authentication Type Screen

    Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. ZyWALL ATP Series User’s Guide...
  • Page 454 Click the Add icon or select an entry in the Web Authentication > Authentication Type screen and click the Edit icon to display the screen. The screen differs depending on what you select in the Type field. Figure 317 Configuration > Web Authentication > Authentication Type: Add/Edit (Web Portal) ZyWALL ATP Series User’s Guide...
  • Page 455 Select the file name of the web portal file in the Zyxel Device. Note: You can upload zipped custom web portal files to the Zyxel Device using the Configuration > Web Authentication > Web Portal Customize File screen. ZyWALL ATP Series User’s Guide...
  • Page 456 Zyxel Device. You can configure the look and feel of the user agreement page. Agreement Specify the user agreement page’s URL; for example, http://IIS server IP Address/logout.html. The Internet Information Server (IIS) is the web server on which the user agreement files are installed. ZyWALL ATP Series User’s Guide...
  • Page 457: Custom Web Portal / User Agreement File Screen

    Click Configuration > Web Authentication and then select the Custom Web Portal File or Custom User Agreement File tab to display the screen. Figure 319 Configuration > Web Authentication > Custom Web Portal File ZyWALL ATP Series User’s Guide...
  • Page 458: SSO Overview

    SSO agent. The SSO agent checks that these credentials are correct with the AD server, and if the AD server confirms so, the SSO then notifies the Zyxel Device to allow access for the user to the permitted resource (Internet access, for example). ZyWALL ATP Series User’s Guide...
  • Page 459 Install the SSO Agent on one of the following platforms: • Windows 7 Professional (32-bit and 64-bit) • Windows Server 2008 Enterprise (32-bit and 64-bit) • Windows 2008 R2 (64-bit) • Windows Server 2012 (64-bit) ZyWALL ATP Series User’s Guide...
  • Page 460: SSO - Zyxel Device Configuration

    Configure Active Directory on page 466 24.4.2 Configure the Zyxel Device to Communicate with SSO Use Configuration > Web Authentication > SSO to configure how the Zyxel Device communicates with the Single Sign-On (SSO) agent. ZyWALL ATP Series User’s Guide...
  • Page 461: Enable Web Authentication

    Click this button to save your changes to the Zyxel Device. Reset Click this button to return the screen to its last-saved settings. 24.4.3 Enable Web Authentication Enable Web Authentication and add a web authentication policy.
  • Page 462 Chapter 24 Web Authentication Make sure you select Enable Policy, Single Sign-On and choose required in Authentication. Do NOT select any as the source address unless you want all incoming connections to be authenticated! ZyWALL ATP Series User’s Guide...
  • Page 463: Create A Security Policy

    SSO web authentication traffic direction. Configure the fields as shown in the following screen. Configure the source and destination addresses according to the SSO web authentication traffic in your network. ZyWALL ATP Series User’s Guide...
  • Page 464: Configure User Information

    Chapter 24 Web Authentication 24.4.5 Configure User Information Configure a User account of the ext-group-user type. Configure Group Identifier to be the same as Group Membership on the SSO agent. ZyWALL ATP Series User’s Guide...
  • Page 465: Configure An Authentication Method

    Chapter 24 Web Authentication 24.4.6 Configure an Authentication Method Configure Active Directory (AD) for authentication with SSO. Choose group ad as the authentication server for SSO. ZyWALL ATP Series User’s Guide...
  • Page 466: Configure Active Directory

    Configure the Base DN exactly the same as on the Domain Controller and SSO. Bind DN is a user name and password that allows the Zyxel Device to join the domain with administrative privileges. It is a required field. ZyWALL ATP Series User’s Guide...
  • Page 467: Sso Agent Configuration

    Configure the Agent Listening Port, AD server exactly as you have done on the Zyxel Device. Add the Zyxel Device IP address as the Gateway. Make sure the Zyxel Device and SSO agent are able to communicate with each other. ZyWALL ATP Series User’s Guide...
  • Page 468 Configure the Server Address, Port, Base DN, Bind DN, Login Name Attribute and Group Membership for the AD server settings exactly as you have done on the Zyxel Device. Group Membership is called Group Identifier on the Zyxel Device. LDAP/AD Server Configuration ZyWALL ATP Series User’s Guide...
  • Page 469 SSO create a random password, select Check to show PreShareKey as clear Text so as to see the password, then copy and paste it to the Zyxel Device. After all SSO agent configurations are done, right-click the SSO icon in the system tray and select Enable Zyxel SSO Agent. ZyWALL ATP Series User’s Guide...
  • Page 470: Security Policy

    Telnet session from within the LAN zone and the Zyxel Device allows the response. However, the Zyxel Device blocks incoming Telnet traffic initiated from the WAN zone and destined for the LAN zone. Figure 323 Default Directional Security Policy Example ZyWALL ATP Series User’s Guide...
  • Page 471: One Security

    OneSecurity is a website with guidance on configuration walkthroughs, troubleshooting, and other information. This is an example of a port forwarding configuration walkthrough. Figure 324 Example of a Port Forwarding Configuration Walkthrough. This is an example of L2TP over IPSec VPN troubleshooting.
  • Page 472 Chapter 25 Security Policy Figure 325 Example of L2TP over IPSec Troubleshooting - 1 ZyWALL ATP Series User’s Guide...
  • Page 473 Security Service > Content Filter • Security Service > IDP • Security Service > Anti-Malware • Security Service > Email Security • VPN > IPSec VPN • VPN > SSL VPN • VPN > L2TP VPN ZyWALL ATP Series User’s Guide...
  • Page 474: What You Can Do In This Chapter

    Zones A zone is a group of interfaces. Group the Zyxel Device’s interfaces into different zones based on your needs. You can configure security policies for data passing between zones or even between interfaces. ZyWALL ATP Series User’s Guide...
  • Page 475 IP address and object, IP protocol type of network traffic (service) and Security Service profile criteria against the Security Policies (in the order you list them). When the traffic matches a policy, the Zyxel Device takes the action specified in the policy. ZyWALL ATP Series User’s Guide...
  • Page 476: The Security Policy Screen

    The Zyxel Device reroutes the packet to gateway A, which is in Subnet 2. The reply from the WAN goes to the Zyxel Device. The Zyxel Device then sends it to the computer on the LAN1 in Subnet 1. ZyWALL ATP Series User’s Guide...
  • Page 477: Configuring The Security Policy Control Screen

    Security Policy to allow the traffic, you need to set the LAN IP address as the destination. • The ordering of your policies is very important as policies are applied in sequence. The following screen shows the Security Policy summary screen. ZyWALL ATP Series User’s Guide...
  • Page 478 Chapter 25 Security Policy Figure 328 Configuration > Security Policy > Policy Control ZyWALL ATP Series User’s Guide...
  • Page 479 To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate. ZyWALL ATP Series User’s Guide...
  • Page 480 Security policy. Click an applied Security Service profile icon to edit the profile directly. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings. ZyWALL ATP Series User’s Guide...
  • Page 481: The Security Policy Control Add/Edit Screen

    Select any to apply the policy to all traffic going to IPv4 / IPv6 addresses. Service Select a service or service group from the drop-down list box. ZyWALL ATP Series User’s Guide...
  • Page 482: Anomaly Detection And Prevention Overview

    Traffic anomaly policies look for abnormal behavior or events such as port scanning, sweeping or network flooding. They operate at OSI layer-2 and layer-3. Traffic anomaly policies may be updated when you upload new firmware. ZyWALL ATP Series User’s Guide...
  • Page 483: The Anomaly Detection And Prevention General Screen

    [ENTER] to move the entry to the number that you typed. This is the entry’s index number in the list. ZyWALL ATP Series User’s Guide...
  • Page 484: Creating New ADP Profiles

    OK to go to the profile details screen. Type a new profile name, enable or disable individual policies and then edit the default log options and actions. Click Configuration > Security Policy > ADP > Profile to view the following screen. ZyWALL ATP Series User’s Guide...
  • Page 485: Traffic Anomaly Profiles

    Traffic anomaly detection looks for abnormal behavior such as scan or flooding attempts. In the Configuration > Security Policy > ADP > Profile screen, click the Edit or Add icon and choose a base profile. Traffic Anomaly is the first tab in the profile. ZyWALL ATP Series User’s Guide...
  • Page 486 • mYProfile • Mymy12_3-4 • These are invalid profile names: • 1mYProfile • My Profile • MyProfile? • Whatalongprofilename123456789012 Description In addition to the name, type additional information to help you identify this ADP profile. ZyWALL ATP Series User’s Guide...
  • Page 487 Click Save to save the configuration to the Zyxel Device but remain in the same page. You may then go to another profile screen (tab) in order to complete the profile. Click OK in the final profile screen to complete the profile.
  • Page 488: Protocol Anomaly Profiles

    • In an IP Spoof from the WAN, the source address appears to be in the same subnet as a Zyxel Device LAN interface. • In an IP Spoof from a LAN interface, the source address appears to be in a different subnet from that Zyxel Device LAN interface. ZyWALL ATP Series User’s Guide...
  • Page 489 Chapter 25 Security Policy Figure 333 Configuration > Security Policy > ADP > Profile > Add-Protocol-Anomaly ZyWALL ATP Series User’s Guide...
  • Page 490 The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. Name This is the name of the anomaly policy. Click the Name column heading to sort in ascending or descending order according to the protocol anomaly policy name. ZyWALL ATP Series User’s Guide...
  • Page 491: The Session Control Screen

    You can apply a default limit for all users and individual limits for specific users, addresses, or both. The individual limit takes priority if you apply both. Figure 334 Configuration > Security Policy > Session Control ZyWALL ATP Series User’s Guide...
  • Page 492: The Session Control Add/Edit Screen

    Click Configuration > Security Policy > Session Control and the Add or Edit icon to display the Add or Edit screen. Use this screen to configure rules that define a session limit for specific users or addresses. ZyWALL ATP Series User’s Guide...
  • Page 493: Security Policy Example Applications

    LAN to WAN Security Policy that blocks IRC traffic from any source IP address from going to any destination address. You do not need to specify a schedule since you need the Security Policy to always be in effect. The following figure shows the results of this policy. ZyWALL ATP Series User’s Guide...
  • Page 494 (172.16.1.7 for example) to go to any destination address. You do not need to specify a schedule since you want the security policy to always be in effect. The following figure shows the results of your two custom policies. ZyWALL ATP Series User’s Guide...
  • Page 495 The policy for the CEO must come before the policy that blocks all LAN1 to WAN IRC traffic. If the policy that blocks all LAN1 to WAN IRC traffic came first, the CEO’s IRC traffic would match that policy and the Zyxel Device would drop it and not check any other security policies. ZyWALL ATP Series User’s Guide...
  • Page 496: Application Patrol

    Device looks at the IP payload (OSI level-7 inspection) and attempts to match it with known patterns for specific applications. Usually, this occurs at the beginning of a connection, when the payload is more consistent across connections, and the Zyxel Device examines several packets to make sure the match ZyWALL ATP Series User’s Guide...
  • Page 497: Application Patrol Profile

    A profile is an application object(s) or application group(s) that has customized action and log settings. Click Configuration > Security Service > App Patrol to open the following screen. Click on the icons to go to the OneSecurity website where there is guidance on configuration walkthroughs, troubleshooting and other information. ZyWALL ATP Series User’s Guide...
  • Page 498 Released Date This field displays the date and time the set was released. Update Click this link to go to the screen you can use to download signatures from the update server. Signatures ZyWALL ATP Series User’s Guide...
  • Page 499: Apply To A Security Policy

    Click the icon in the Action field of an existing application patrol file to apply the profile to a security policy. Go to the Configuration > Security Policy > Policy Control screen to check the result. Figure 339 Configuration > Security Service > App Patrol > Action ZyWALL ATP Series User’s Guide...
  • Page 500 This is the user name or user group name to which this Security Policy applies. Schedule This field tells you the schedule object that the policy uses. none means the policy is active at all times if enabled. ZyWALL ATP Series User’s Guide...
  • Page 501: The Application Patrol Profile Add/Edit Screen - My Application

    Use this screen to configure profile settings. Click Configuration > Security Service > App Patrol > Add/ Edit, then click My Application to open the following screen. Figure 340 Configuration > Security Service > App Patrol > Add/Edit > My Application ZyWALL ATP Series User’s Guide...
  • Page 502 Click Cancel to return to the profile summary page without saving any changes. Save If you want to configure more than one category for a profile, click Save to save your settings to the Zyxel Device without leaving this page. ZyWALL ATP Series User’s Guide...
  • Page 503: The Application Patrol Profile Add/Edit Screen - Query Result

    (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. This field is optional. Search Application(s) Enter a name to search for relevant applications. By Name
  • Page 504 Select an application(s) to show in the My Application profile screen. Application Reset Click this button to reset the fields to default settings. Cancel Click Cancel to return to the profile summary page without saving any changes. ZyWALL ATP Series User’s Guide...
  • Page 505: Content Filter

    A content filtering profile conveniently stores your custom settings for the following features. • Category-based Blocking The Zyxel Device can block access to particular categories of web site content, such as pornography or racial intolerance. ZyWALL ATP Series User’s Guide...
  • Page 506 For example, with the URL www.zyxel.com.tw/news/pressroom.php, the Zyxel Device would find “tw” in the domain name (www.zyxel.com.tw). It would also find “news” in the file path (news/pressroom.php) but it would not find “tw/news”. ZyWALL ATP Series User’s Guide...
  • Page 507: Before You Begin

    URL and check your external web filtering service registration status. Click on the icons to go to the OneSecurity website where there is guidance on configuration walkthroughs, troubleshooting and other information. Figure 342 Configuration > Security Service > Content Filter > Profile ZyWALL ATP Series User’s Guide...
  • Page 508: Apply To A Security Policy

    27.2.1 Apply to a Security Policy Click the icon in the Action field to apply the entry to a security policy. Go to the Configuration > Security Policy > Policy Control screen to check the result. ZyWALL ATP Series User’s Guide...
  • Page 509 Use IPv4 / IPv6 search filters to find specific IPv4 and IPv6 (if enabled) security policies based on Configuration direction, application, user, source, destination and/or schedule. From / To Select a zone to view all security policies from a particular zone and/or to a particular zone. any means all zones. ZyWALL ATP Series User’s Guide...
  • Page 510 Security policy. Click an applied Security Service profile icon to edit the profile directly. Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving. ZyWALL ATP Series User’s Guide...
  • Page 511: Content Filter Add Profile Category Service

    27.2.2 Content Filter Add Profile Category Service Click Configuration > Security Service > Content Filter > Profile > Add or Edit to open the Add Filter Profile screen. Figure 344 Content Filter > Profile > Add Filter Profile > Category Service ZyWALL ATP Series User’s Guide...
  • Page 512 Select Warn to display a warning message before allowing users to access web pages that the external web filtering service has not categorized. Select Log to record attempts to access web pages that are not categorized. ZyWALL ATP Series User’s Guide...
  • Page 513 Sites that provide advertising graphics or other ad content files such as banners and pop-ups. For example, pagead2.googlesyndication.com, ad.yieldmanager.com. Alcohol & Tobacco Sites that promote or sell alcohol- or tobacco-related products or services. For example, www.drinks.com.tw, www.p9.com.tw, beer.ttl.com.tw. ZyWALL ATP Series User’s Guide...
  • Page 514 Hate & Intolerance Sites that promote a supremacist political agenda, encouraging oppression of people or groups of people based on their race, religion, gender, age, disability, sexual orientation or nationality. For example, www.racist-jokes.com, aryan-nations.org, whitepower.com.
  • Page 515 & medicine. For example, shopping.pchome.com.tw, buy.yahoo.com.tw, www.tkec.com.tw. Social Networking Sites that enable social networking for online communities of various topics, for friendship, dating, or professional reasons. For example, www.facebook.com, www.flickr.com, www.groups.google.com. ZyWALL ATP Series User’s Guide...
  • Page 516 Sites that enable logging in to instant messaging services such as ICQ, AOL Instant Messenger, IRC, MSN, Jabber, Yahoo Messenger, and the like. For example, www.meebo.com, www.aim.com, www.ebuddy.com. Peer-to-Peer Sites that enable direct exchange of files between users without dependence on a central server. For example, www.eyny.com.
  • Page 517: Content Filter Add Filter Profile Custom Service

    (blocked) web site addresses. You can also block web sites based on whether the web site’s address contains a keyword. Use this screen to add or remove specific sites or keywords from the filter list. ZyWALL ATP Series User’s Guide...
  • Page 518 When this box is selected, the Zyxel Device blocks Web access to sites that are not on the Trusted Web Sites list. If they are chosen carefully, this is the most effective way to block objectionable material.
  • Page 519 Click this to create a new entry. Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. This displays the index number of the forbidden web sites. ZyWALL ATP Series User’s Guide...
  • Page 520: Content Filter Trusted Web Sites Screen

    You can create a common list of good (allowed) web site addresses. When you configure Filter Profiles, you can select the option to check the Common Trusted Web Sites list. Use this screen to add or remove specific sites from the filter list. ZyWALL ATP Series User’s Guide...
  • Page 521: Content Filter Forbidden Web Sites Screen

    Sites screen. You can create a common list of bad (blocked) web site addresses. When you configure Filter Profiles, you can select the option to check the Common Forbidden Web Sites list. Use this screen to add or remove specific sites from the filter list. ZyWALL ATP Series User’s Guide...
  • Page 522: Content Filter Technical Reference

    Click Reset to return the screen to its last-saved settings. 27.5 Content Filter Technical Reference This section provides content filtering background information. External Content Filter Server Lookup Procedure The content filter lookup process is described below. ZyWALL ATP Series User’s Guide...
  • Page 523 The external content filter server sends the category information back to the Zyxel Device, which then blocks and/or logs access to the web site based on the settings in the content filter profile. The web site’s address and category are then stored in the Zyxel Device’s content filter cache. ZyWALL ATP Series User’s Guide...
  • Page 524: Anti-Malware

    In addition, you can set up anti-malware black (blocked) and white (allowed) lists of malware patterns. • Use the Signature screen (Section 28.3 on page 530) to search for particular signatures and get more information about them. ZyWALL ATP Series User’s Guide...
  • Page 525: What You Need To Know

    The uninfected portion of the file before a malware pattern was matched still goes through. Since the Zyxel Device erases the infected portion of the file before sending it, you may not be able to open the file.
  • Page 526: Anti-Malware Screen

    • Traffic a server or client compressed or encoded using a method the Zyxel Device does not support. Finding Out More • See Section 28.4 on page 531 for anti-malware background information. 28.2 Anti-Malware Screen Click Configuration > Security Service > Anti-Malware to display the configuration screen as shown next. ZyWALL ATP Series User’s Guide...
  • Page 527 Besides straightforward detection, the EICAR file can also be compressed to test whether the anti-malware software can detect it in a compressed file. The test string consists of the following human-readable ASCII characters. X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* ZyWALL ATP Series User’s Guide...
  • Page 528 “zip” or “rar” file extension). The Zyxel Device first decompresses the ZIP file and then scans the contents for malware. Note: The Zyxel Device decompresses a ZIP file once. The Zyxel Device does NOT decompress any ZIP file(s) within a ZIP file.
  • Page 529: Anti-Malware Black List Or White List Add/Edit

    • For a black list entry, enter a file pattern that should cause the Zyxel Device to log and then destroy a file. • For a white list entry, enter a file pattern that should cause the Zyxel Device to allow a file. Figure 351 Configuration > Security Service > Anti-Malware > Black/White List > Add ZyWALL ATP Series User’s Guide...
  • Page 530: Anti-Malware Signature Searching

    No to continue. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 352 Configuration > Security Service > Anti-Malware > Signature ZyWALL ATP Series User’s Guide...
  • Page 531: Anti-Malware Technical Reference

    The malware is harmless until the execution of an infected program. The malware spreads to other files and programs on the computer. The infected files are unintentionally sent to another computer thus starting the spread of the malware. ZyWALL ATP Series User’s Guide...
  • Page 532 • NAM scanners stop malware threats at the network edge before they enter or exit a network. • NAM scanners reduce computing load on computers as the read-time data traffic inspection is done on a dedicated security device.
  • Page 533: Botnet Filter

    Click Configuration > Security Service > Botnet Filter to display the configuration screen as shown next. Use this screen to enable botnet filtering and specify the action the Zyxel Device takes when it detects suspicious activity or a connection attempt to or from a botnet C&C server.
  • Page 534 TCP RST to the receiver when a packet contains a botnet IP address. reject-both: Select this action to have the Zyxel Device deny the packets and send a TCP RST to both the sender and receiver when a packet contains a botnet IP address. ZyWALL ATP Series User’s Guide...
  • Page 535 Do not create a log when it detects a connection attempt to or from the web pages of the specified categories. log: Create a log on the Zyxel Device when it detects a connection attempt to or from the web pages of the specified categories. ZyWALL ATP Series User’s Guide...
  • Page 536 Click this to go to the Configuration > Licensing > Signature Update screen to check for new signatures at myZyxel. You can schedule or immediately download signatures. Apply Click Apply to save your changes. Reset Click Reset to return the screen to its last-saved settings. ZyWALL ATP Series User’s Guide...
  • Page 537: IDP

    This is important as new signatures are created as new attacks evolve. When the trial subscription expires, purchase and enter a license key using the same screens to continue the subscription. 30.2 The IDP Screen An IDP profile is a set of packet inspection signatures. ZyWALL ATP Series User’s Guide...
  • Page 538 If you try to enable IDP when the IDP service has not yet been registered, a warning screen displays and IDP is not enabled. Click on the icons to go to the OneSecurity website where there is guidance on configuration walkthroughs, troubleshooting and other information. Figure 354 Configuration > Security Service > IDP ZyWALL ATP Series User’s Guide...
  • Page 539 To save an entry or entries as a file on your computer, select them and click Export. Click Save in the file download dialog box and then select a location and name for the file. Custom signatures must end with the ‘rules’ file name extension, for example, MySig.rules. ZyWALL ATP Series User’s Guide...
  • Page 540 Although a virus, a worm and a Trojan are different types of attacks, they can be blended into one attack. For example, W32/Blaster and W32/Sasser are blended attacks that feature a combination of a worm and a Trojan. ZyWALL ATP Series User’s Guide...
  • Page 541 This method infiltrates standard security measures through IPv6 tunnels, passing through IPv4 undetected. An external signal then triggers the malware to spring to life and wreak havoc from inside the network. ZyWALL ATP Series User’s Guide...
  • Page 542: Query Example

    MYSQL MISC_EXPLOIT MISC_DDOS MISC_BACKDOOR MISC IMAP ICMP FINGER 30.2.1 Query Example This example shows a search with these criteria: • Severity: Severe • Classification Type: Misc • Platform: Windows • Service: Any • Actions: Any ZyWALL ATP Series User’s Guide...
  • Page 543: Idp Custom Signatures

    You need some knowledge of packet headers and attack types to create your own custom signatures. IP Packet Header These are the fields in an Internet Protocol (IP) version 4 packet header. Figure 356 IP v4 Packet Headers ZyWALL ATP Series User’s Guide...
  • Page 544: Add / Edit Custom Signatures

    30.3.1 Add / Edit Custom Signatures Click the Add icon to create a new signature or click the Edit icon to edit an existing signature in the screen as shown in Figure 354 on page 538. ZyWALL ATP Series User’s Guide...
  • Page 545 Try to write signatures that target a vulnerability, for example a certain type of traffic on certain operating systems, instead of a specific exploit. Figure 357 Configuration > Security Service > IDP > Custom Signatures > Add/Edit ZyWALL ATP Series User’s Guide...
  • Page 546 Usually it’s used to set an upper limit on the number of routers a datagram can pass through. Some intrusions can be identified by the number in this field. Select the check box, select Equal, Smaller or Greater and then type in a number. ZyWALL ATP Series User’s Guide...
  • Page 547 ICMP fields when they communicate. Payload Options The longer a payload option is, the more exact the match, the faster the signature processing. Therefore, if possible, it is recommended to have at least one payload option in your signature. ZyWALL ATP Series User’s Guide...
  • Page 548: Custom Signature Example

    Click this button to save your changes to the Zyxel Device and return to the summary screen. Cancel Click this button to return to the summary screen without saving any changes. 30.3.2 Custom Signature Example Before creating a custom signature, you must first clearly understand the vulnerability. ZyWALL ATP Series User’s Guide...
  • Page 549 30.3.2.2 Analyze Packets Use the packet capture screen and a packet analyzer (also known as a network or protocol analyzer) such as Wireshark or Ethereal to investigate some more. Figure 358 DNS Query Packet Details ZyWALL ATP Series User’s Guide...
  • Page 550: Applying Custom Signatures

    Search for, then activate the signature, configure what action to take when a packet matches it and if it should generate a log or alert in a profile. Then bind the profile to a zone. ZyWALL ATP Series User’s Guide...
  • Page 551: Verifying Custom Signatures

    If a LAN switch is compromised for example, then the whole LAN is compromised. Host-based intrusions may be used to cause network-based intrusions when the goal of the host virus is to propagate attacks on the network, or attack computer/server operating ZyWALL ATP Series User’s Guide...
  • Page 552 Port (In Snort rule header) Flow flow Flags flags Sequence Number Ack Number Window Size window Transport Protocol: UDP (In Snort rule header) Port (In Snort rule header) Transport Protocol: ICMP Type itype Code icode ZyWALL ATP Series User’s Guide...
  • Page 553 Payload Size dsize Offset (relative to start of payload) offset Relative to end of last match distance Content content Case-insensitive nocase Decode as URI uricontent Note: Not all Snort functionality is supported in the Zyxel Device. ZyWALL ATP Series User’s Guide...
  • Page 554: Sandboxing

    Click Configuration > Security Service > Sandboxing to display the configuration screen as shown next. Use this screen to enable sandboxing, and specify the actions the Zyxel Device takes when malicious or suspicious files are detected. Figure 361 Configuration > Security Service > Sandboxing ZyWALL ATP Series User’s Guide...
  • Page 555 Select this option to have the Zyxel Device send an alert when a suspicious file is detected. File Submission Specify the type of files to be sent for sandboxing inspection. Options Apply Click Apply to save your changes. Reset Click Reset to return the screen to its last-saved settings. ZyWALL ATP Series User’s Guide...
  • Page 556: Email Security

    If an email matches a blacklist entry, the Zyxel Device does not perform any more email security checking on that individual email. A properly configured black list helps catch spam email and increases the Zyxel Device’s email security speed and efficiency. ZyWALL ATP Series User’s Guide...
  • Page 557: Before You Begin

    32.2 Before You Begin • Before using the email security features (IP Reputation, Mail Content Analysis and Virus Outbreak Detection) you must activate your email security Service license. • Configure your zones before you configure email security. ZyWALL ATP Series User’s Guide...
  • Page 558: The Email Security Screen

    Zyxel Device takes when the mail sessions threshold is reached. Click on the icons to go to the OneSecurity website where there is guidance on configuration walkthroughs, troubleshooting and other information. Figure 362 Configuration > Security Service > Email Security ZyWALL ATP Series User’s Guide...
  • Page 559 To turn off an entry, select it and click Inactivate. Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. This is the entry’s index number in the list. ZyWALL ATP Series User’s Guide...
  • Page 560 Specify the name and value for the X-Header to be added when queries to the mail scan servers time out. Max. IPs Checking Set the maximum number of sender and relay server IP addresses in the mail header to check Per Mail against the DNSBL domain servers. ZyWALL ATP Series User’s Guide...
  • Page 561: The Black List / White List Screen

    The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. This is the entry’s index number in the list. Type This field displays whether the entry is based on the email’s subject, source or relay IP address, source email address, or header. ZyWALL ATP Series User’s Guide...
  • Page 562: The Black Or White List Add/Edit Screen

    Configure black list header entries to check for email from bulk mail programs or with content commonly used in spam. Configure white list header entries to allow certain header values that identify the email as being from a trusted source. ZyWALL ATP Series User’s Guide...
  • Page 563: Regular Expressions In Black Or White List Entries

    • The Zyxel Device checks the first header with the name you specified in the entry. So if the email has more than one “Received” header, the Zyxel Device checks the first one. 32.5 Email Security Technical Reference Here is more detailed email security information. ZyWALL ATP Series User’s Guide...
  • Page 564 The Zyxel Device sends another separate query to each of its DNSBL domains for IP address b.b.b.b. DNSBL A replies that IP address a.a.a.a does not match any entries in its list (not spam). ZyWALL ATP Series User’s Guide...
  • Page 565 Device does not wait for any more DNSBL replies. If the Zyxel Device receives conflicting DNSBL replies for an email routing IP address, the Zyxel Device classifies the email as spam. Here is an example. ZyWALL ATP Series User’s Guide...
  • Page 566 The Zyxel Device immediately classifies the email as spam and takes the action for spam that you defined in the email security policy. In this example it was an SMTP mail and the defined action was to drop the mail. The Zyxel Device does not wait for any more DNSBL replies. ZyWALL ATP Series User’s Guide...
  • Page 567: Ssl Inspection

    • Use the Security Service > SSL Inspection > Exclude List screens (Section 33.3 on page 573) to create a whitelist of destination servers to which traffic is passed through uninspected. 33.1.2 What You Need To Know • Supported Cipher Suite • DES (Data Encryption Standard) ZyWALL ATP Series User’s Guide...
  • Page 568: Before You Begin

    Table 227 Configuration > Security Service > SSL Inspection > Profile LABEL DESCRIPTION Profile Management Click Add to create a new profile. Edit Select an entry and click this to be able to modify it. ZyWALL ATP Series User’s Guide...
  • Page 569: Apply To A Security Policy

    33.2.1 Apply to a Security Policy Click the icon in the Action field to apply the entry to a security policy. Go to the Configuration > Security Policy > Policy Control screen to check the result. ZyWALL ATP Series User’s Guide...
  • Page 570 Use IPv4 / IPv6 search filters to find specific IPv4 and IPv6 (if enabled) security policies based on Configuration direction, application, user, source, destination and/or schedule. From / To Select a zone to view all security policies from a particular zone and/or to a particular zone. any means all zones. ZyWALL ATP Series User’s Guide...
  • Page 571 Security policy. Click an applied Security Service profile icon to edit the profile directly. Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving. ZyWALL ATP Series User’s Guide...
  • Page 572: Add / Edit Ssl Inspection Profiles

    An alert is an emailed log for more serious events that may need more immediate attention. They also appear in red in the Monitor > Log screen. Select this option to have the Zyxel Device send an alert for unsupported traffic that matches traffic bound to this policy. ZyWALL ATP Series User’s Guide...
  • Page 573: Exclude List Screen

    Click Configuration > Security Service > SSL Inspection > Exclude List to display the following screen. Use Add to put a new item in the list or Edit to change an existing one or Remove to delete an existing entry. ZyWALL ATP Series User’s Guide...
  • Page 574 Add to Exclude List. The item will then appear here. Apply Click Apply to save your settings to the Zyxel Device. Reset Click Reset to return to the profile summary page without saving any changes. ZyWALL ATP Series User’s Guide...
  • Page 575: Certificate Update Screen

    Figure 373 SSL Inspection Certificate Update Overview Click Configuration > Security Service > SSL Inspection > Certificate Update to display the following screen. Figure 374 Configuration > Security Service > SSL Inspection > Certificate Update ZyWALL ATP Series User’s Guide...
  • Page 576: Install A Ca Certificate In A Browser

    Windows operating system (PC). First, save the certificate to your computer. Run the certificate manager using certmgr.msc. Go to Trusted Root Certification Authorities > Certificates. ZyWALL ATP Series User’s Guide...
  • Page 577 Chapter 33 SSL Inspection From the main menu, select Action > All Tasks > Import and run the Certificate Import Wizard to install the certificate on the PC. ZyWALL ATP Series User’s Guide...
  • Page 578 Click Tools > Options > Advanced > Encryption > View Certificates, click Import and enter the filename of the certificate you want to import. See the browser's help for further information. ZyWALL ATP Series User’s Guide...
  • Page 579: Object

    Use the Zone screens (see Section 34.8.2 on page 633) to manage the Zyxel Device’s zones. 34.1.1 What You Need to Know Zones effectively divide traffic into three types--intra-zone traffic, inter-zone traffic, and extra-zone traffic. ZyWALL ATP Series User’s Guide...
  • Page 580: The Zone Screen

    Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove a user-configured trunk, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. ZyWALL ATP Series User’s Guide...
  • Page 581 Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving. ZyWALL ATP Series User’s Guide...
  • Page 582: User/Group Overview

    Create dynamic guest accounts dynamic-guest Access network services Hotspot Portal Note: The default admin account is always authenticated locally, regardless of the authentication method setting. (See Chapter 34 on page 647 for more information about authentication methods.) ZyWALL ATP Series User’s Guide...
  • Page 583 Free Time function. ZyWALL ATP Series User’s Guide...
  • Page 584: User/Group User Summary Screen

    Table 235 Configuration > Object > User/Group > User LABEL DESCRIPTION Click this to create a new entry. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. ZyWALL ATP Series User’s Guide...
  • Page 585 • debug • devicehaecived • • games • halt • ldap-users • • mail • news • nobody • operator • radius-users • root • shutdown • sshd • sync • uucp • zyxel ZyWALL ATP Series User’s Guide...
  • Page 586 Specify the value of the AD or LDAP server’s Group Membership Attribute that identifies the group to which this user belongs. Associated AAA This field is available for a ext-group-user type user account. Select the AAA server to use to Server Object authenticate this account’s users. ZyWALL ATP Series User’s Guide...
  • Page 587: User/Group Group Summary Screen

    The Group screen provides a summary of all user groups. In addition, this screen allows you to add, edit, and remove user groups. To access this screen, log in to the Web Configurator, and click Configuration > Object > User/Group > Group. ZyWALL ATP Series User’s Guide...
  • Page 588 The Group Add/Edit screen allows you to create a new user group or edit an existing one. To access this screen, go to the Group screen (see Section 34.2.3 on page 587), and click either the Add icon or an Edit icon. Figure 381 Configuration > Object > User/Group > Group > Add ZyWALL ATP Series User’s Guide...
  • Page 589: User/Group Setting Screen

    Zyxel Device. You can also use this screen to specify when users must log in to the Zyxel Device before it routes traffic for them. To access this screen, log in to the Web Configurator, and click Configuration > Object > User/Group > Setting. ZyWALL ATP Series User’s Guide...
  • Page 590 You can still manually configure any user account’s authentication timeout settings. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. ZyWALL ATP Series User’s Guide...
  • Page 591 8 characters and at most 64. At least 1 character must be a number, at least 1 a lower case letter, at least 1 an upper case letter and at least 1 a special character from the keyboard, such as !@#$%^&*()_+. ZyWALL ATP Series User’s Guide...
  • Page 592 To access this screen, go to the Configuration > Object > User/Group > Setting screen (see Section 34.2.4 on page 589), and click one of the Default Authentication Timeout Settings section’s Edit icons. Figure 383 Configuration > Object > User/Group > Setting > Edit ZyWALL ATP Series User’s Guide...
  • Page 593 Click Cancel to exit this screen without saving your changes. 34.2.4.2 User Aware Login Example Access users cannot use the Web Configurator to browse the configuration of the Zyxel Device. Instead, after access users log into the Zyxel Device, the following screen appears. ZyWALL ATP Series User’s Guide...
  • Page 594: User/Group Mac Address Summary Screen

    Address to open this screen. Note: You need to configure an SSID security profile’s MAC authentication settings to have the AP use the Zyxel Device’s local database to authenticate wireless clients by their MAC addresses. ZyWALL ATP Series User’s Guide...
  • Page 595 Enter an optional description of the wireless device(s) identified by the MAC or OUI. You can use up to 60 characters, punctuation marks, and spaces. Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL ATP Series User’s Guide...
  • Page 596: User /Group Technical Reference

    • The SSID screen (Section 34.3.2 on page 603) configures three different types of profiles for your networked APs. 34.3.0.1 What You Need To Know The following terms and concepts may help as you read this section. ZyWALL ATP Series User’s Guide...
  • Page 597: Radio Screen

    AP (NWA5121-N for example) can use to configure either one of its two radio transmitters. To access this screen click Configuration > Object > AP Profile. Note: You can have a maximum of 32 radio profiles on the Zyxel Device. ZyWALL ATP Series User’s Guide...
  • Page 598 This field displays the schedule object which defines when this radio profile can be used. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings. ZyWALL ATP Series User’s Guide...
  • Page 599 Hide / Show Click this to hide or show the Advanced Settings in this window. Advanced Settings Create New Object Use this to configure any new settings objects that you need to use in this screen. ZyWALL ATP Series User’s Guide...
  • Page 600 Select this to have the AP wait until all connected clients have disconnected before switching channels. If you disable this then the AP switches channels immediately regardless of any client connections. In this instance, clients that are connected to the AP when it switches channels are dropped. ZyWALL ATP Series User’s Guide...
  • Page 601 The available channels vary depending on the country you selected. Be sure to select the correct/same country for both radios on an AP and all connected APs, in order to prevent roaming failure and interference to other systems. ZyWALL ATP Series User’s Guide...
  • Page 602 -20 dBm is the strongest signal you can require and -90 is the weakest. Allow Station Select this option to allow a wireless client to try to associate with the AP again after it is Connection after disconnected due to weak signal strength. Multiple Retries ZyWALL ATP Series User’s Guide...
  • Page 603: Ssid Screen

    To access this screen click Configuration > Object > AP Profile > SSID. Note: You can have a maximum of 32 SSID profiles on the Zyxel Device. Figure 391 Configuration > Object > AP Profile > SSID List ZyWALL ATP Series User’s Guide...
  • Page 604 This screen allows you to create a new SSID profile or edit an existing one. To access this screen, click the Add button or select an SSID profile from the list and click the Edit button. Figure 392 Configuration > Object > AP Profile > SSID > Add/Edit SSID Profile ZyWALL ATP Series User’s Guide...
  • Page 605 Rate) Downlink: Define the maximum incoming transmission data rate (either in Mbps or Kbps) on a per-station basis. Uplink: Define the maximum outgoing transmission data rate (either in Mbps or Kbps) on a per-station basis. ZyWALL ATP Series User’s Guide...
  • Page 606 Wireless security is implemented strictly between the AP broadcasting the SSID and the stations that are connected to it. To access this screen click Configuration > Object > AP Profile > SSID > Security List. ZyWALL ATP Series User’s Guide...
  • Page 607 This field is a sequential value, and it is not associated with a specific profile. Profile Name This field indicates the name assigned to the security profile. Security Mode This field indicates this profile’s security mode (if any). ZyWALL ATP Series User’s Guide...
  • Page 608 Note: This screen’s options change based on the Security Mode selected. Only the default screen is displayed here. Figure 394 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile ZyWALL ATP Series User’s Guide...
  • Page 609 An external server can use the wireless client’s account (username/password) or Calling Station ID for MAC authentication. Configure the ones the external server uses. Delimiter Select the separator the external server uses for the two-character pairs within account (Account) MAC addresses. ZyWALL ATP Series User’s Guide...
  • Page 610 Enter the idle interval (in seconds) that a client can be idle before authentication is discontinued. Group Key Update Enter the interval (in seconds) at which the AP updates the group WPA encryption key. Timer ZyWALL ATP Series User’s Guide...
  • Page 611 This field is a sequential value, and it is not associated with a specific profile. Profile Name This field indicates the name assigned to the MAC filtering profile. Filter Action This field indicates this profile’s filter action (if any). ZyWALL ATP Series User’s Guide...
  • Page 612: Mon Profile

    This screen allows you to set up monitor mode configurations that allow your connected APs to scan for other wireless devices in the vicinity. Once detected, you can use the MON Mode screen (Section 8.4 on page 197) to classify them as either rogue or friendly and then manage them accordingly. ZyWALL ATP Series User’s Guide...
  • Page 613: Configuring Mon Profile

    AP management profile). This field is a sequential value, and it is not associated with a specific user. Status This icon is lit when the entry is active and dimmed when the entry is inactive. ZyWALL ATP Series User’s Guide...
  • Page 614: Add/Edit Mon Profile

    Table 254 Configuration > Object > MON Profile > Add/Edit MON Profile LABEL DESCRIPTION Activate Select this to activate this monitor mode profile. Profile Name This field indicates the name assigned to the monitor mode profile. ZyWALL ATP Series User’s Guide...
  • Page 615: Technical Reference

    AP’s weaker (or non-existent) security to gain access to the network, or set up their own rogue APs in order to capture information from wireless clients. If a scan reveals a rogue AP, you can use commercially-available software to physically locate it. ZyWALL ATP Series User’s Guide...
  • Page 616: Zymesh Overview

    APs (in repeater mode) are provisioned hop by hop. The managed APs in a ZyMesh must use the same SSID, channel number and pre-shared key. A managed AP can be either a root AP or repeater in a ZyMesh. ZyWALL ATP Series User’s Guide...
  • Page 617 Ethernet port(s). The repeater then could only receive power from a PoE device if you use PoE to provide power to the managed AP via an 8-pin Ethernet cable. ZyWALL ATP Series User’s Guide...
  • Page 618: Zymesh Profile

    Click this to add a new profile. Edit Click this to edit the selected profile. Remove Click this to remove the selected profile. This field is a sequential value, and it is not associated with a specific profile. ZyWALL ATP Series User’s Guide...
  • Page 619: Add/Edit Zymesh Profile

    Edit screen, to maintain address groups in the Zyxel Device. • Use the Geo IP screen (Section 34.6.4 on page 626) to update the database of country-to-IP address mappings and to manually configure country-to-IP address mappings. ZyWALL ATP Series User’s Guide...
  • Page 620: What You Need To Know

    The Address screen provides a summary of all addresses in the Zyxel Device. To access this screen, click Configuration > Object > Address > Address. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. ZyWALL ATP Series User’s Guide...
  • Page 621 This field displays the IPv4 addresses represented by each address object. If the object’s settings are based on one of the Zyxel Device’s interfaces, the name of the interface displays first followed by the object’s current address settings. ZyWALL ATP Series User’s Guide...
  • Page 622 Starting IP This field is only available if the Address Type is RANGE. This field cannot be blank. Enter the Address beginning of the range of IP addresses that this address object represents. ZyWALL ATP Series User’s Guide...
  • Page 623 IP addresses that this address object represents. IPv6 Ending This field is only available if the Address Type is RANGE. This field cannot be blank. Enter the end Address of the range of IP addresses that this address object represents. ZyWALL ATP Series User’s Guide...
  • Page 624: Address Group Summary Screen

    This field displays the name of each address group. Description This field displays the description of each address group, if any. Reference This displays the number of times an object reference is used in a profile. IPv6 Address Group Configuration ZyWALL ATP Series User’s Guide...
  • Page 625 ), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Description This field displays the description of each address group, if any. You can use up to 60 characters, punctuation marks, and spaces. ZyWALL ATP Series User’s Guide...
  • Page 626: Geo Ip Summary Screen

    Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 407 Configuration > Object > Address/Geo IP > Geo IP ZyWALL ATP Series User’s Guide...
  • Page 627 Geo IP screen (see Section 34.6.4 on page 626), and click the Add icon in the Custom IPv4 to Geography Rules or Custom IPv6 to Geography Rules section. Figure 408 Geo IP > Add ZyWALL ATP Series User’s Guide...
  • Page 628: Service Overview

    Then, the connection is terminated. In contrast, computers use UDP to send short messages to each other. There is no guarantee that the messages arrive in sequence or that the messages arrive at all. ZyWALL ATP Series User’s Guide...
  • Page 629: The Service Summary Screen

    To access this screen, log in to the Web Configurator, and click Configuration > Object > Service > Service. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 409 Configuration > Object > Service > Service ZyWALL ATP Series User’s Guide...
  • Page 630 Enter the number of the next-level protocol (IP protocol). Allowed values are 1 - 255. Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL ATP Series User’s Guide...
  • Page 631: The Service Group Summary Screen

    Zyxel Device. Description This field displays the description of each service group, if any. Reference This displays the number of times an object reference is used in a profile. ZyWALL ATP Series User’s Guide...
  • Page 632: Schedule Overview

    Both types of schedules are based on the current date and time in the Zyxel Device. Note: Schedules are based on the Zyxel Device’s current date and time. ZyWALL ATP Series User’s Guide...
  • Page 633: What You Need To Know

    Table 269 Configuration > Object > Schedule LABEL DESCRIPTION One Time Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. ZyWALL ATP Series User’s Guide...
  • Page 634 To access this screen, go to the Schedule screen (see Section 34.8.2 on page 633), and click either the Add icon or an Edit icon in the One Time section. Figure 414 Configuration > Object > Schedule > Edit (One Time) ZyWALL ATP Series User’s Guide...
  • Page 635 To access this screen, go to the Schedule screen (see Section 34.8.2 on page 633), and click either the Add icon or an Edit icon in the Recurring section. Figure 415 Configuration > Object > Schedule > Edit (Recurring) ZyWALL ATP Series User’s Guide...
  • Page 636: The Schedule Group Screen

    References Select an entry and click References to open a screen that shows which settings use the entry. This field is a sequential value, and it is not associated with a specific schedule. ZyWALL ATP Series User’s Guide...
  • Page 637 Member list. You can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and use the arrow button to move them. Move any members you do not want included to the Available list. ZyWALL ATP Series User’s Guide...
  • Page 638: Aaa Server Overview

    (or in addition to) an internal device user database that is limited to the memory capacity of the device. In essence, RADIUS authentication allows you to validate a large number of users from a central location. ZyWALL ATP Series User’s Guide...
  • Page 639: Asas

    The directory consists of a database specialized for fast information retrieval and filtering activities. You create and store user profile and login information on the external server. ZyWALL ATP Series User’s Guide...
  • Page 640 DN is used in conjunction with a bind password. When a bind DN is not specified, the Zyxel Device will try to log in as an anonymous user. If the bind password is incorrect, the login will fail. ZyWALL ATP Series User’s Guide...
  • Page 641: Active Directory Or Ldap Server Summary

    Click Object > AAA Server > Active Directory (or LDAP) to display the Active Directory (or LDAP) screen. Click the Add icon or an Edit icon to display the following screen. Use this screen to create a new AD or LDAP entry or edit an existing one. ZyWALL ATP Series User’s Guide...
  • Page 642 Enter the description of each server, if any. You can use up to 60 printable ASCII characters. Server Address Enter the address of the AD or LDAP server. Backup Server If the AD or LDAP server has a backup server, enter its address here. Address ZyWALL ATP Series User’s Guide...
  • Page 643 Type the NetBIOS name. This field is optional. NetBIOS packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN which allows local computers to find computers on the remote network and vice versa. ZyWALL ATP Series User’s Guide...
  • Page 644: Radius Server Summary

    Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen. Click the Add icon or an Edit icon to display the following screen. Use this screen to create a new AD or LDAP entry or edit an existing one. ZyWALL ATP Series User’s Guide...
  • Page 645 If the RADIUS server has a backup server, enter its address here. Address Backup Specify the port number on the RADIUS server to which the Zyxel Device sends authentication Authentication requests. Enter a number between 1 and 65535. Port ZyWALL ATP Series User’s Guide...
  • Page 646 If the RADIUS server requires the Zyxel Device to provide the Network Access Server identifier attribute with a specific value, enter it here. Case-sensitive Select this if you want to configure your username as case-sensitive. User Names ZyWALL ATP Series User’s Guide...
  • Page 647: Auth. Method Overview

    Access the Configuration > VPN > IPSec VPN > VPN Gateway > Edit screen. Click Show Advance Setting and select Enable Extended Authentication. Select Server Mode and select an authentication method object from the drop-down list box. Click OK to save the settings. ZyWALL ATP Series User’s Guide...
  • Page 648: Authentication Method Objects

    Method List This field displays the authentication method(s) for this entry. 34.10.3.1 Creating an Authentication Method Object Follow the steps below to create an authentication method object. Click Configuration > Object > Auth. Method. Click Add. ZyWALL ATP Series User’s Guide...
  • Page 649 The ordering of your methods is important as the Zyxel Device authenticates the users using the authentication methods in the order they appear in this screen. This field displays the index number.
  • Page 650: Two-Factor Authentication

    Figure 428 Two-Factor Authentication A user runs a VPN client and logs in with the user name and password for this VPN tunnel. The VPN tunnel is created from the VPN client device to the Zyxel Device.
  • Page 651 • The authorization timed out. Extend the Valid Time in Configuration > Object > Auth. Method > Two-factor Authentication. Configuration Go to Configuration > Object > Auth. Method > Two-factor Authentication and configure the following screen as shown.
  • Page 652 Similarly, move user/groups that do not require two-factor authentication back to the Selectable User/Group Objects list. Delivery Settings Use this section to configure how to send an SMS or email for authorization.
  • Page 653: Certificate Overview

    In the same way, your private key “writes” your digital signature and your public key allows people to verify whether data was signed by you, or by someone else. This process works as follows.
  • Page 654 You can have the Zyxel Device act as a certification authority and sign its own certificates. Factory Default Certificate The Zyxel Device generates its own unique self-signed certificate when you first turn it on. This certificate is referred to in the GUI as the factory default certificate.
  • Page 655: Verifying A Certificate

    Make sure that the certificate has a “.cer” or “.crt” file name extension. Figure 430 Remote Host Certificates Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.
  • Page 656: The My Certificates Screen

    Click Configuration > Object > Certificate > My Certificates to open the My Certificates screen. This is the Zyxel Device’s summary list of certificates and certification requests. Figure 432 Configuration > Object > Certificate > My Certificates
  • Page 657 Click Configuration > Object > Certificate > My Certificates and then the Add icon to open the My Certificates Add screen. Use this screen to have the Zyxel Device create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.
  • Page 658 @ symbol, periods and the underscore. Organizational Unit Identify the organizational unit or department to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
  • Page 659 Click Configuration > Object > Certificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate’s name.
  • Page 660 If the certificate is a self-signed certificate, the certificate itself is the only one in the list. The Zyxel Device does not trust the certificate and displays “Not trusted” in this field if any certificate on the path has expired or been revoked. Refresh Click Refresh to display the certification path.
  • Page 661 MD5 Fingerprint This is the certificate’s message digest that the Zyxel Device calculated using the MD5 algorithm. SHA1 Fingerprint This is the certificate’s message digest that the Zyxel Device calculated using the SHA1 algorithm.
  • Page 662 The certificate you import replaces the corresponding request in the My Certificates screen. You must remove any spaces from the certificate’s filename before you can import it. Figure 435 Configuration > Object > Certificate > My Certificates > Import
  • Page 663: The Trusted Certificates Screen

    You cannot delete certificates that any of the Zyxel Device’s features are configured to use. Select an entry and click References to open a screen that shows which settings use the entry. This field displays the certificate index number. The certificates are listed in alphabetical order.
  • Page 664 Trusted Certificates Edit screen. Use this screen to view in-depth information about the certificate, change the certificate’s name and set whether or not you want the Zyxel Device to check a certification authority’s list of revoked certificates before trusting a certificate issued by the certification authority.
  • Page 665 Chapter 34 Object Figure 437 Configuration > Object > Certificate > Trusted Certificates > Edit
  • Page 666 Issuer This field displays identifying information about the certificate’s issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same information as in the Subject Name field.
  • Page 667 Click Configuration > Object > Certificate > Trusted Certificates > Import to open the Trusted Certificates Import screen. Follow the instructions in this screen to save a trusted certificate to the Zyxel Device. Note: You must remove any spaces from the certificate’s filename before you can import the certificate.
  • Page 668: Certificates Technical Reference

    668) to create and manage ISP accounts in the Zyxel Device. 34.12.1 ISP Account Summary This screen provides a summary of ISP accounts in the Zyxel Device. To access this screen, click Configuration > Object > ISP Account.
  • Page 669 To open this window, open the ISP Account screen. (See Section 34.12.1 on page 668.) Then, click on an Add icon or Edit icon to open the ISP Account Edit screen below.
  • Page 670 - This ISP account does not use MPPE. mppe-40 - This ISP account uses 40-bit MPPE. mppe-128 - This ISP account uses 128-bit MPPE. User Name Type the user name given to you by your ISP.
  • Page 671: Dhcpv6 Overview

    The Request screen allows you to add, edit, and remove DHCPv6 request type objects. To access this screen, login to the Web Configurator, and click Configuration > Object > DHCPv6 > Request. Figure 441 Configuration > Object > DHCPv6 > Request
  • Page 672 Server, NTP Server, or SIP Server. Interface Select the interface for this request object. Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 673: The Dhcpv6 Lease Screen

    The Lease Add/Edit screen allows you to create a new lease object or edit an existing one. To access this screen, go to the Lease screen (see Section 34.13.2 on page 673), and click either the Add icon or an Edit icon. Figure 444 Configuration > DHCPv6 > Lease > Add
  • Page 674 If you select DNS Server, NTP Server, or SIP Server as your lease type, you must enter the IP address of the server you selected. Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 675: Device Ha

    Chapter 35 Device HA 35.1 Device HA Overview Device HA lets a backup (or passive) Zyxel Device (B) automatically take over if the master (or active) Zyxel Device (A) fails. Figure 445 Device HA Backup Taking Over for the Master 35.1.1 What You Can Do in These Screens •...
  • Page 676 Chapter 35 Device HA Figure 446 Configuration > Device HA > Device HA Status The following table describes the labels in this screen. Table 294 Configuration > Device HA > Device HA Status LABEL DESCRIPTION Active Device Status This section displays information on the active Zyxel Device with an activated Device HA Pro license.
  • Page 677: Device Ha Pro

    Table 294 Configuration > Device HA > Device HA Status (continued) LABEL DESCRIPTION Service Status This field displays whether a service license is enabled at myZyxel (Activated) or not (Not Activated) or expired (Expired). It displays the remaining Grace Period if your license has Expired.
  • Page 678: Deploying Device Ha Pro

    After failover, the initial active Zyxel Device becomes the passive Zyxel Device after it recovers. 35.3.1 Deploying Device HA Pro Register either the active or passive Zyxel Device with a Device HA Pro license at myZyxel. Check that it’s properly licensed in Licensing >...
  • Page 679 Figure 448 Configuration > Device HA > Device HA Pro The following table describes the labels in this screen. Table 295 Configuration > Device HA > Device HA Pro LABEL DESCRIPTION Enable Device HA Select this to turn the Zyxel Device’s Device HA Pro feature on. Enable Configuration Select this to have a passive Zyxel Device copy the active Zyxel Device’s Provisioning From Active...
  • Page 680: View Log

    Table 295 Configuration > Device HA > Device HA Pro (continued) LABEL DESCRIPTION Password Type a synchronization password of between 1 and 32 single-byte printable characters. You will be prompted for the password before synchronization takes place.
  • Page 681 Figure 449 Configuration > Device HA > View Log The following table describes the labels in this screen. Table 296 Configuration > Device HA > View Log LABEL DESCRIPTION Logs Active Device This displays Device HA Pro logs on the active Zyxel Device. Passive Device This displays Device HA Pro logs on the passive Zyxel Device.
  • Page 682: Cloud Cnm

    ZyWALL/USG devices for management and monitoring; these devices must have firmware that supports the TR-069 protocol. In the following figure, SP is the management service provider, while A and B are sites with devices being managed by SP.
  • Page 683 • The Zyxel Device must be able to communicate with the Cloud CNM SecuManager server. You must configure Configuration > Cloud CNM > SecuManager to allow the Zyxel Device to find the Cloud CNM SecuManager server.
  • Page 684 1.1.1.1:7547. If you enter 1.1.1.1:7549 as the CNM URL, you must choose HTTP as the Transfer Protocol, and then the whole CNM URL is http://1.1.1.1:7549. Periodic Inform Enable this to have the Zyxel Device inform the Cloud CNM SecuManager server of its presence at regular intervals.
  • Page 685: Cloud Cnm Secureporter

    You need to buy a license for SecuReporter for your Zyxel Device and register it at myZyxel. You must be a registered user at myZyxel. You can access the portal from a web browser and also get notifications sent to an app on your mobile phone.
  • Page 686 Figure 452 Cloud CNM SecuReporter Application Scenario Your SecuReporter license displays in Configuration > Licensing > Registration > Service after you purchase a license and register it at myZyxel. The Zyxel Device must be able to communicate with the myZyxel server.
  • Page 687 Click Configuration > Cloud CNM > SecuReporter to enable SecuReporter logging on your Zyxel Device, see license status, type, expiration date and access a link to the SecuReporter web portal. Figure 454 Configuration > Cloud CNM > SecuReporter
  • Page 688 Launch Portal Click this to go to the SecuReporter security analytics portal. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings.
  • Page 689: System

    Device in order to send dynamic guest account information in text messages and authorization for VPN tunnel access to a secured network. • Use the System > Language screen (see Section 37.15 on page 743) to set a language for the Zyxel Device’s Web Configurator screens.
  • Page 690: Host Name

    Use this screen to turn on this feature and set a disk full warning limit. Note: Only connect one USB device. It must allow writing (it cannot be read-only) and use the FAT16, FAT32, EXT2, or EXT3 file system.
  • Page 691: Date And Time

    To change your Zyxel Device’s time based on your local time zone and date, click Configuration > System > Date/Time. The screen displays as shown. You can manually set the Zyxel Device’s time and date or have the Zyxel Device get the date and time from a time server.
  • Page 692 This field displays the last updated time from the time server or the last time configured manually. When you set Time and Date Setup to Manual, enter the new time in this field and then click Apply.
  • Page 693 A.M. GMT or UTC). So in the European Union you would select Last, Sunday, October. The time you type in the at field depends on your time zone. In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1).
  • Page 694: Pre-Defined Ntp Time Servers List

    If the synchronization was not successful, a log displays in the View Log screen. Try re-configuring the Date/Time screen. To manually set the Zyxel Device date and time: Click System > Date/Time. Select Manual under Time and Date Setup.
  • Page 695: Console Port Speed

    This section shows you how to set the console port speed when you connect to the Zyxel Device via the console port using a terminal emulation program. Click Configuration > System > Console Speed to open the Console Speed screen. Figure 459 Configuration > System > Console Speed
  • Page 696: Dns Overview

    DNS servers to flood a victim with DNS response traffic. An open DNS server is a DNS server which is willing to resolve recursive DNS queries from anyone on the Internet.
  • Page 697 Advanced Settings to display it) if you suspect the Zyxel Device is being used (either by hackers or by a corrupted open DNS server) in a DNS amplification attack. Figure 460 Configuration > System > DNS
  • Page 698 A hyphen (-) displays for the default domain zone forwarder record. The default record is not configurable. The Zyxel Device uses this default record if the domain zone that needs to be resolved does not match any of the other domain zone forwarder records.
  • Page 699 To change an entry’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.
  • Page 700: Ipv6) Address Record

    37.6.5 Adding an (IPv6) Address/PTR Record Click the Add icon in the Address/PTR Record or IPv6 Address/PTR Record table to add an IPv4 or IPv6 address/PTR record. Figure 461 Configuration > System > DNS > Address/PTR Record Edit
  • Page 701: Cname Record

    Click the Add icon in the CNAME Record table to add a record. Use “*.” as a prefix for a wildcard domain name. For example *.zyxel.com. Figure 462 Configuration > System > DNS > CNAME Record > Add
  • Page 702: Domain Zone Forwarder

    37.6.9 Adding a Domain Zone Forwarder Click the Add icon in the Domain Zone Forwarder table to add a domain zone forwarder record. Figure 463 Configuration > System > DNS > Domain Zone Forwarder Add
  • Page 703: Mx Record

    Each host or domain can have only one MX record, that is, one domain maps to one host. 37.6.11 Adding a MX Record Click the Add icon in the MX Record table to add a MX record. Figure 464 Configuration > System > DNS > MX Record Add
  • Page 704: Security Option Control

    Click a control policy and then click Edit to change allow or deny actions for Query Recursion and Additional Info from Cache. Figure 465 Configuration > System > DNS > Security Option Control Edit (Customize)
  • Page 705: Adding A Dns Service Control Rule

    DNS queries to the Zyxel Device. Zone Select ALL to allow or prevent DNS queries through any zones. Select a predefined zone on which a DNS query to the Zyxel Device is allowed or denied.
  • Page 706: Www Overview

    37.7.3 HTTPS You can set the Zyxel Device to use HTTP or HTTPS (HTTPS adds security) for Web Configurator sessions. Specify which zones allow Web Configurator access and from which IP address the access can come.
  • Page 707: Configuring Www Service Control

    Zyxel Device using HTTP or HTTPS. You can also specify which IP addresses the access can come from. Note: Admin Service Control deals with management access (to the Web Configurator). User Service Control deals with user access to the Zyxel Device (logging into SSL VPN for example).
  • Page 708 Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the Zyxel Device Web Configurator using secure HTTPS connections.
  • Page 709 Device (to log into SSL VPN for example). You can also specify the IP addresses from which the users can access the Zyxel Device. Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
  • Page 710: Service Control Rules

    Click Reset to return the screen to its last-saved settings. 37.7.5 Service Control Rules Click Add or Edit in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to add a service control rule.
  • Page 711: Customizing The Www Login Page

    Click Configuration > System > WWW > Login Page to open the Login Page screen. Use this screen to customize the Web Configurator login screen. You can also customize the page that displays after an access user logs into the Web Configurator to access network services like the Internet.
  • Page 712 Chapter 37 System Figure 470 Configuration > System > WWW > Login Page (Desktop View)
  • Page 713 Figure 471 Configuration > System > WWW > Login Page (Mobile View) The following figures identify the parts you can customize in the login and access pages.
  • Page 714 (last line of text) Window Background You can specify colors in one of the following ways: • Click Color to display a screen of web-safe colors from which to choose. • Enter the name of the desired color.
  • Page 715 Browse to locate it. The picture’s size cannot be over 438 x 337 pixels. Note: Use a GIF, JPG, or PNG of 100 kilobytes or less. To use a color, select Color and specify the color.
  • Page 716: Https Example

    Click Technical Details if you want to verify more information about the certificate from the Zyxel Device. Select I Understand the Risks and then click Add Exception to add the Zyxel Device to the security exception list. Click Confirm Security Exception.
  • Page 717 37.7.7.4 Login Screen After you accept the certificate, the Zyxel Device login screen appears. The lock displayed in the bottom of the browser status bar denotes a secure connection.
  • Page 718 The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s). 37.7.7.5.1 Installing the CA’s Certificate Double click the CA’s trusted certificate to produce a screen similar to the one shown next.
  • Page 719 You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next. Click Next to begin the wizard.
  • Page 720 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 481 Personal Certificate Import Wizard 2 Enter the password given to you by the CA.
  • Page 721 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Figure 483 Personal Certificate Import Wizard 4 Click Finish to complete the wizard and begin the import process.
  • Page 722 When Authenticate Client Certificates is selected on the Zyxel Device, the following screen asks you to select a personal certificate to send to the Zyxel Device. This screen displays even if you only have a single certificate as in the example.
  • Page 723: Ssh

    In the following figure, computer A on the Internet uses SSH to securely connect to the WAN port of the Zyxel Device for a management session.
  • Page 724: How Ssh Works

    The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer. Encryption Method Once the identification is verified, both the client and server must agree on the type of encryption method to use.
  • Page 725: Ssh Implementation On The Zyxel Device

    If you clear the check box, the Zyxel Device uses only SSH version 2 protocol. Server Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
  • Page 726: Service Control Rules

    Zyxel Device using SSH. Zone Select ALL to allow or prevent any Zyxel Device zones from being accessed using SSH. Select a predefined Zyxel Device zone on which an incoming service is allowed or denied.
  • Page 727: Secure Telnet Using Ssh Examples

    Enter “telnet 192.168.1.1 22” at a terminal prompt and press [ENTER]. The computer attempts to connect to port 22 on the Zyxel Device (using the default IP address of 192.168.1.1). A message displays indicating the SSH protocol version supported by the Zyxel Device.
  • Page 728: Telnet

    Click Configuration > System > TELNET to configure your Zyxel Device for remote Telnet access. Use this screen to specify from which zones Telnet can be used to manage the Zyxel Device. You can also specify from which IP addresses the access can come.
  • Page 729 This displays whether the computer with the IP address specified above can access the Zyxel Device zone(s) configured in the Zone field (Accept) or not (Deny). Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings.
  • Page 730: Service Control Rules

    To change your Zyxel Device’s FTP settings, click Configuration > System > FTP tab. The screen appears as shown. Use this screen to specify from which zones FTP can be used to access the Zyxel Device. You can also specify from which IP addresses the access can come.
  • Page 731 This is the object name of the IP address(es) with which the computer is allowed or denied to access. Action This displays whether the computer with the IP address specified above can access the Zyxel Device zone(s) configured in the Zone field (Accept) or not (Deny).
  • Page 732: Service Control Rules

    Zyxel Device through the network. The Zyxel Device supports SNMP version one (SNMPv1), version two (SNMPv2c) and version 3 (SNMPv3). The next figure illustrates an SNMP management operation.
  • Page 733: Snmpv3 And Security

    • Trap - Used by the agent to inform the manager of some events. 37.11.1 SNMPv3 and Security SNMPv3 enhances security for SNMP management using authentication and encryption. SNMP managers can be required to authenticate with agents before conducting SNMP management sessions.
  • Page 734: Supported Mibs

    Use this screen to configure your SNMP settings, including from which zones SNMP can be used to access the Zyxel Device. You can also specify from which IP addresses the access can come.
  • Page 735 The default is public and allows all requests. Set Community: Enter the Set community, which is the password for incoming Set requests from the management station. The default is private and allows all requests.
  • Page 736 This displays whether the computer with the IP address specified above can access the Zyxel Device zone(s) configured in the Zone field (Accept) or not (Deny). Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings.
  • Page 737: Add Snmpv3 User

    Click OK to save the changes. Cancel Click Cancel to begin configuring this screen afresh. 37.11.6 Service Control Rules Click the Add or Edit icon in the Service Control table to add a service control rule.
  • Page 738: Authentication Server

    AP for user authentication and authorization. Click Configuration > System > Auth. Server tab. The screen appears as shown. Use this screen to enable the authentication server feature of the Zyxel Device and specify the RADIUS client’s IP address.
  • Page 739 This is the subnet mask of the RADIUS client. Description This is the description of the RADIUS client. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings.
  • Page 740: Add/Edit Trusted Radius Client

    Maintenance > Diagnostics > Network Tool and then select Test Email Server. See Configuration > Log & Report > Email Daily Report to configure what reports to send and to whom. Click Configuration > System > Notification to display the Mail Server screen.
  • Page 741 Select the time of day (hours and minutes) when the log is emailed. Use 24-hour notation. report Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings.
  • Page 742: Notification > Sms

    Type the Password associated with the user name. Retype to Confirm: Type your password again for confirmation. Apply Click this button to save your changes to the Zyxel Device. Reset Click this button to return the screen to its last-saved settings.
  • Page 743: Language Screen

    37.16 IPv6 Screen Click Configuration > System > IPv6 to open the following screen. Use this screen to enable IPv6 support for the Zyxel Device’s Web Configurator screens. Figure 509 Configuration > System > IPv6
  • Page 744: Zyxel One Network (Zon) Utility

    Properties. You should see this information in the General tab. Hardware Here are the minimum hardware requirements to use the ZON Utility on your computer. • Core i3 processor • 2GB RAM • 100MB free hard disk • WXGA (Wide XGA 1280x800)
  • Page 745: Run The Zon Utility

    If your device is not listed here, see the device release notes for ZON utility support. The release notes are in the firmware zip file on the Zyxel web site. Figure 511 ZON Utility Screen Select a network adapter to which your supported devices are connected.
  • Page 746 The following table describes the icons numbered from left to right in the ZON Utility screen. Table 330 ZON Utility Icons ICON DESCRIPTION 1 IP configuration Change the selected device’s IP address. 2 Renew IP Address Update a DHCP-assigned dynamic IP address.
  • Page 747 Once the selected device is connected to and has registered in the NCC, it’ll go into the cloud management mode. Serial Number Enter the admin password of the discovered device to display its serial number. Hardware Version This field displays the hardware version of the discovered device.
  • Page 748: Zyxel One Network (Zon) System Screen

    Select to activate LLDP discovery on the Zyxel Device. See also Monitor > System Status > Ethernet Discovery. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings.
  • Page 749: Log And Report

    Note: Data collection may decrease the Zyxel Device’s traffic throughput rate. Click Configuration > Log & Report > Email Daily Report to display the following screen. Configure this screen to have the Zyxel Device email you system statistics every day.
  • Page 750 Table 333 Configuration > Log & Report > Email Daily Report LABEL DESCRIPTION Enable Email Daily Report: Select this to send reports by email every day. Mail Subject: Type the subject line for outgoing email from the Zyxel Device.
  • Page 751: Log Setting Screens

    Use the Log Category Settings screen to edit what information is included in the system log, USB storage, email profiles, and remote servers. 38.3.1 Log Setting Summary To access this screen, click Configuration > Log & Report > Log Setting.
  • Page 752: Edit System Log Settings

    The Log Settings Edit screen controls the detailed settings for each log in the system log (which includes the email profiles). Go to the Log Settings Summary screen (see Section 38.3.1 on page 751), and click the system log Edit icon.
  • Page 753 Chapter 38 Log and Report Figure 518 Configuration > Log & Report > Log Setting > Edit (System Log - E-mail Servers) Figure 519 Configuration > Log & Report > Log Setting > Edit (System Log )
  • Page 754 Device will email logs to them. enable normal logs and debug logs (yellow check mark) - create log messages, alerts, and debugging information for all categories. The Zyxel Device does not email debugging information, even if this setting is selected.
  • Page 755 Message field. Click this to save your changes and return to the previous screen. Cancel Click this to return to the previous screen without saving your changes.
  • Page 756: Edit Log On Usb Storage Setting

    (green check mark) - send the remote server log messages and alerts for all log categories. enable normal logs and debug logs (yellow check mark) - send the remote server log messages, alerts, and debugging information for all log categories. ZyWALL ATP Series User’s Guide...
  • Page 757: Edit Remote Server Log Settings

    Log Settings Summary screen (see Section 38.3.1 on page 751), and click a remote server Edit icon. Figure 522 Configuration > Log & Report > Log Setting > Edit (Remote Server - AC) ZyWALL ATP Series User’s Guide...
  • Page 758 (yellow check mark) - log regular information, alerts, and debugging information from this category Click this to save your changes and return to the previous screen. Cancel Click this to return to the previous screen without saving your changes. ZyWALL ATP Series User’s Guide...
  • Page 759: Log Category Settings Screen

    This screen provides a different view and a different way of indicating which messages are included in each log and each alert. Please see Section 38.3.2 on page 752, where this process is discussed. (The Default category includes debugging messages generated by open source software.) ZyWALL ATP Series User’s Guide...
  • Page 760 (yellow check mark) - create log messages, alerts, and debugging information from this category; the Zyxel Device does not email debugging information, however, even if this setting is selected. ZyWALL ATP Series User’s Guide...
  • Page 761 (yellow check mark) - log regular information, alerts, and debugging information from this category Click this to save your changes and return to the previous screen. Cancel Click this to return to the previous screen without saving your changes. ZyWALL ATP Series User’s Guide...
  • Page 762: File Manager

    When you apply a configuration file, the Zyxel Device uses the factory default settings for any features that the configuration file does not include. When you run a shell script, the Zyxel Device only applies the commands that it contains. Other settings do not change. ZyWALL ATP Series User’s Guide...
  • Page 763 Your configuration files or shell scripts can use “exit” or a command line consisting of a single “!” to have the Zyxel Device exit sub command mode. Note: “exit” or “!” must follow sub commands if it is to make the Zyxel Device exit sub command mode. ZyWALL ATP Series User’s Guide...
  • Page 764: The Configuration File Screen

    Filenames beginning with autoback are automatic configuration files created when new firmware is uploaded. backup-yyyy-mm-dd-hh-mm-ss.conf is the name of the automatic backup when a secure policy is added or changed. Select a configuration file, then click Apply to apply the file to the Zyxel Device.
  • Page 765 The Zyxel Device still generates a log for any errors. Figure 526 Maintenance > File Manager > Configuration File Do not turn off the Zyxel Device while configuration file upload is in progress. ZyWALL ATP Series User’s Guide...
  • Page 766 Specify a name for the duplicate configuration file. Use up to 25 characters (including a-zA-Z0-9;‘~!@#$%^&()_+[]{}’,.=-). Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file.
  • Page 767 The lastgood.conf is the most recently used (valid) configuration file that was saved when the device last restarted. If you upload and apply a configuration file with an error, you can apply lastgood.conf to return to a valid configuration. ZyWALL ATP Series User’s Guide...
  • Page 768 “.conf” filename extension. You will receive an error message if you try to upload a file of a different format. Remember that you must decompress compressed (.zip) files before you can upload them. Upload Click Upload to begin the upload process. This process may take up to two minutes.
  • Page 769: Firmware Management

    At the time of writing, the Firmware Upgrade license providing Cloud Helper new firmware notifications is free when you register your Zyxel Device. The license does not expire if you have firmware version 4.32 patch 1 and later. ZyWALL ATP Series User’s Guide...
  • Page 770 The previous running firmware becomes the standby firmware. If you haven’t registered the Zyxel Device, a message will appear and remind you to register it. Also, Upgrade Now is grayed out. ZyWALL ATP Series User’s Guide...
  • Page 771: The Firmware Management Screen

    If you upload the latest firmware to the standby partition, a message will appear to ask if you want to reboot the Zyxel Device. 39.3.2 The Firmware Management Screen Click Maintenance > File Manager > Firmware Management to open the Firmware Management screen. ZyWALL ATP Series User’s Guide...
  • Page 772 This is the model name of the device which the firmware is running on. Version This is the firmware version and the date created. Released Date This is the date that the version of the firmware was created. ZyWALL ATP Series User’s Guide...
  • Page 773 After five minutes, log in again and check your new firmware version in the Dashboard screen. If the upload was not successful, the following message appears in the status bar at the bottom of the screen. ZyWALL ATP Series User’s Guide...
  • Page 774: Firmware Upgrade Via Usb Stick

    Click Maintenance > File Manager > Shell Script to open the Shell Script screen. Use the Shell Script screen to store, name, download, upload and run shell script files. You can store multiple shell script files on the Zyxel Device at the same time. ZyWALL ATP Series User’s Guide...
  • Page 775 Cancel to close the screen without deleting the shell script file. Download Click a shell script file’s row to select it and click Download to save the configuration to your computer. ZyWALL ATP Series User’s Guide...
  • Page 776 Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse... Click Browse... to find the .zysh file you want to upload. Upload Click Upload to begin the upload process. This process may take up to several minutes. ZyWALL ATP Series User’s Guide...
  • Page 777: Diagnostics

    The Diagnostics screens provide an easy way for you to generate a file containing the Zyxel Device’s configuration and diagnostic information. You may need to send this file to customer support for troubleshooting. Click Maintenance > Diagnostics to open the Diagnostics screens. ZyWALL ATP Series User’s Guide...
  • Page 778: The Diagnostics Collect Screen

    Device. Use a text editor to create the shell script files. They must use a “.zysh” filename extension. Specify the new name for the shell script file. Use up to 25 characters (including a-z, A-Z, 0-9 and ;‘~!@#$%^&()_+[]{}’,.=-). Spaces are allowed. ZyWALL ATP Series User’s Guide...
  • Page 779: The Diagnostics Collect On Ap Screen

    You may need to generate this file and send it to customer support during troubleshooting. Click Maintenance > Diagnostics > Collect on AP to open the Collect on AP screen. Figure 538 Maintenance > Diagnostics > Collect on AP ZyWALL ATP Series User’s Guide...
  • Page 780: The Diagnostics Files Screen

    Click a file to select it and click Download to save it to your computer. This column displays the number for each file entry. The total number of files that you can save depends on the file sizes and the available storage space. ZyWALL ATP Series User’s Guide...
  • Page 781: The Packet Capture Screen

    Capture Interfaces list. Use the [Shift] and/or [Ctrl] key to select multiple objects. IP Version Select the version of IP for which to capture packets. Select any to capture packets for all IP versions. ZyWALL ATP Series User’s Guide...
  • Page 782 Select this to have the Zyxel Device only store packet capture entries on the Zyxel storage only Device. The available storage size is displayed as well. Note: The Zyxel Device reserves some on board storage space as a buffer. ZyWALL ATP Series User’s Guide...
  • Page 783: The Packet Capture Files Screen

    Zyxel Device or a connected USB storage device. You can download the files to your computer where you can study them using a packet analyzer (also known as a network or protocol analyzer) such as Wireshark. ZyWALL ATP Series User’s Guide...
  • Page 784: The Cpu / Memory Status Screen

    40.4 The CPU / Memory Status Screen Click Maintenance > Diagnostics > CPU / Memory Status to open the CPU/Memory Status screen. Use this screen to view the CPU and memory performance of various applications on the Zyxel Device. ZyWALL ATP Series User’s Guide...
  • Page 785 This field is a sequential value, and it is not associated with any entry. Memory This field displays the current DRAM memory utilization percentage for each application used on the Zyxel Device. ZyWALL ATP Series User’s Guide...
  • Page 786: The System Log Screen

    Zyxel Device for troubleshooting. You can also specify the port numbers the services must use to connect to the Zyxel Device. Remote assistance is disabled by default. ZyWALL ATP Series User’s Guide...
  • Page 787 This button is displayed when you select Use Random Settings in the Remote Settings field. Click this button to generate a random user name and password pair. User Name Select a previously created user/group object that identifies who can have external access to the Zyxel Device for troubleshooting. ZyWALL ATP Series User’s Guide...
  • Page 788: The Network Tool Screen

    Click Reset to return the screen to its last-saved settings. 40.7 The Network Tool Screen Use this screen to perform various network tests. Click Maintenance > Diagnostics > Network Tool to display this screen. Figure 546 Maintenance > Diagnostics > Network Tool ZyWALL ATP Series User’s Guide...
  • Page 789 Type the subject line for the outgoing email. • Select Append system name to add the Zyxel Device system name to the subject. • Select Append date time to add the Zyxel Device date and time to the subject. ZyWALL ATP Series User’s Guide...
  • Page 790: The Routing Traces Screen

    (source or destination). Source Enter the source IP address of traffic that you want to trace. Port Enter the source port number of traffic that you want to trace. ZyWALL ATP Series User’s Guide...
  • Page 791: The Wireless Frame Capture Screen

    Click Maintenance > Diagnostics > Wireless Frame Capture to display this screen. Note: New capture files overwrite existing files of the same name. Change the File Prefix field’s setting to avoid this. Figure 549 Maintenance > Diagnostics > Wireless Frame Capture > Capture ZyWALL ATP Series User’s Guide...
  • Page 792 Stop Click this button to stop a currently running frame capture and generate a combined capture file for all APs. Reset Click this button to return the screen to its last-saved settings. ZyWALL ATP Series User’s Guide...
  • Page 793: The Wireless Frame Capture Files Screen

    This column displays the label that identifies the file. The file name format is interface name-file suffix.cap. Size This column displays the size (in bytes) of a configuration file. Last Modified This column displays the date and time that the individual files were saved. ZyWALL ATP Series User’s Guide...
  • Page 794: Packet Flow Explore

    • Select use policy routes to control dynamic IPSec rules in the CONFIGURATION > VPN > IPSec VPN > VPN Connection screen. Note: Once a packet matches the criteria of a routing rule, the Zyxel Device takes the corresponding action and does not perform any further flow checking. ZyWALL ATP Series User’s Guide...
  • Page 795 Figure 552 Maintenance > Packet Flow Explore > Routing Status (Dynamic VPN) Figure 553 Maintenance > Packet Flow Explore > Routing Status (Policy Route) Figure 554 Maintenance > Packet Flow Explore > Routing Status (1-1 SNAT) ZyWALL ATP Series User’s Guide...
  • Page 796 Figure 556 Maintenance > Packet Flow Explore > Routing Status (Static-Dynamic Route) Figure 557 Maintenance > Packet Flow Explore > Routing Status (Default WAN Trunk) Figure 558 Maintenance > Packet Flow Explore > Routing Status (Main Route) ZyWALL ATP Series User’s Guide...
  • Page 797 This is the name of an activated 1:1 or Many 1:1 NAT rule in the NAT table. Source This is the external source IP address(es). Protocol This is the transport layer protocol. Source Port This is the source port number. ZyWALL ATP Series User’s Guide...
  • Page 798: The Snat Status Screen

    Note: Once a packet matches the criteria of an SNAT rule, the Zyxel Device takes the corresponding action and does not perform any further flow checking. Figure 559 Maintenance > Packet Flow Explore > SNAT Status (Policy Route SNAT) ZyWALL ATP Series User’s Guide...
  • Page 799 The table fields in this section vary depending on the function box you select in the SNAT Flow section. The following fields are available if you click Policy Route SNAT in the SNAT Flow section. This field is a sequential value, and it is not associated with any entry. ZyWALL ATP Series User’s Guide...
  • Page 800 This indicates which source IP address the SNAT rule uses finally. For example, Outgoing Interface IP means that the Zyxel Device uses the IP address of the outgoing interface as the source IP address for the matched packets it sends out through this rule. ZyWALL ATP Series User’s Guide...
  • Page 801: Shutdown

    Click the Shutdown button to shut down the Zyxel Device. Wait for the device to shut down before you manually turn off or remove the power. It does not turn off the power. You can also use the CLI command shutdown to shut down the Zyxel Device.
  • Page 802: Troubleshooting

    (such as a DSL modem) is working properly. • Check the WAN interface's status in the Dashboard. Use the installation setup wizard again and make sure that you enter the correct settings. Use the same case as provided by your ISP. ZyWALL ATP Series User’s Guide...
  • Page 803 The Zyxel Device is not applying the custom policy route I configured. The Zyxel Device checks the policy routes in the order that they are listed. So make sure that your custom policy route comes before any other routes that the traffic would also match. ZyWALL ATP Series User’s Guide...
  • Page 804 I cannot set up a PPP interface. You have to set up an ISP account before you create a PPPoE or PPTP interface. The data rates through my cellular connection are nowhere near the rates I expected.
  • Page 805 At the time of writing, the Zyxel Device does not support ingress bandwidth management. The Zyxel Device is not applying my application patrol bandwidth management settings. Bandwidth management in policy routes has priority over application patrol bandwidth management. ZyWALL ATP Series User’s Guide...
  • Page 806 The Zyxel Device checks all signatures and continues searching even after a match is found. If two or more rules have conflicting actions for the same packet, then the Zyxel Device applies the more restrictive action (reject-both, reject-receiver or reject-sender, drop, none in this order). If a packet ZyWALL ATP Series User’s Guide...
  • Page 807 IP address or there are one or more NAT routers between the Zyxel Device and the DDNS server. • The Zyxel Device may not determine the proper IP address if there is an HTTP proxy server between the Zyxel Device and the DDNS server. ZyWALL ATP Series User’s Guide...
  • Page 808 Log into both Zyxel IPSec routers and check the settings in each field methodically and slowly. Make sure both the Zyxel Device and remote IPSec router have the same security settings for the VPN tunnel. It may help to display the settings for both routers side-by-side. ZyWALL ATP Series User’s Guide...
  • Page 809 IPSec router’s self-signed certificate or that of a trusted CA that signed the remote IPSec router’s certificate. • Multiple SAs connecting through a secure gateway must have the same negotiation mode. ZyWALL ATP Series User’s Guide...
  • Page 810 The Zyxel Device automatically updates address objects based on an interface’s IP address, subnet, or gateway if the interface’s IP address settings change. However, you need to manually edit any address objects for your LAN that are not based on the interface. ZyWALL ATP Series User’s Guide...
  • Page 811 You cannot put access users and admin users in the same user group. I cannot add the default admin account to a user group. You cannot put the default admin account into any user group. The schedule I configured is not being applied at the configured times. ZyWALL ATP Series User’s Guide...
  • Page 812 Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less. I uploaded a logo to use as the screen or window background but it does not display properly. Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less. ZyWALL ATP Series User’s Guide...
  • Page 813 If you have existing capture files you may need to set this size larger or delete existing capture files. The Zyxel Device stops the capture and generates the capture file when either the capture files reach the File Size or the time period specified in the Duration field expires. ZyWALL ATP Series User’s Guide...
  • Page 814: Resetting The Zyxel Device

    Release the RESET button, and wait for the Zyxel Device to restart. You should be able to access the Zyxel Device using the default settings. 43.2 Getting More Troubleshooting Help Search for support information for your model at www.zyxel.com for more troubleshooting suggestions. ZyWALL ATP Series User’s Guide...
  • Page 815: Appendix A Customer Support

    • Zyxel Communications Corporation • http://www.zyxel.com Asia China • Zyxel Communications (Shanghai) Corp. Zyxel Communications (Beijing) Corp. Zyxel Communications (Tianjin) Corp. • http://www.zyxel.cn India • Zyxel Technology India Pvt Ltd • http://www.zyxel.in Kazakhstan • Zyxel Kazakhstan • http://www.zyxel.kz ZyWALL ATP Series User’s Guide...
  • Page 816 • Zyxel Communications Corporation • http://www.zyxel.com/tw/zh/ Thailand • Zyxel Thailand Co., Ltd • http://www.zyxel.co.th Vietnam • Zyxel Communications Corporation-Vietnam Office • http://www.zyxel.com/vn/vi Europe Austria • Zyxel Deutschland GmbH • http://www.zyxel.de Belarus • Zyxel BY • http://www.zyxel.by ZyWALL ATP Series User’s Guide...
  • Page 817 • http://www.zyxel.com/ee/et/ Finland • Zyxel Communications • http://www.zyxel.fi France • Zyxel France • http://www.zyxel.fr Germany • Zyxel Deutschland GmbH • http://www.zyxel.de Hungary • Zyxel Hungary & SEE • http://www.zyxel.hu Italy • Zyxel Communications Italy • http://www.zyxel.it/ ZyWALL ATP Series User’s Guide...
  • Page 818 • Zyxel Communications Poland • http://www.zyxel.pl Romania • Zyxel Romania • http://www.zyxel.com/ro/ro Russia • Zyxel Russia • http://www.zyxel.ru Slovakia • Zyxel Communications Czech s.r.o. organizacna zlozka • http://www.zyxel.sk Spain • Zyxel Communications ES Ltd • http://www.zyxel.es Sweden • Zyxel Communications • http://www.zyxel.se Switzerland •...
  • Page 819 • Zyxel Communication Corporation • http://www.zyxel.com/ec/es/ Brazil • Zyxel Communications Brasil Ltda. • https://www.zyxel.com/br/pt/ Ecuador • Zyxel Communication Corporation • http://www.zyxel.com/ec/es/ Middle East Israel • Zyxel Communication Corporation • http://il.zyxel.com/homepage.shtml Middle East • Zyxel Communication Corporation • http://www.zyxel.com/me/en/ ZyWALL ATP Series User’s Guide...
  • Page 820 Appendix A Customer Support North America • Zyxel Communications, Inc. - North America Headquarters • http://www.zyxel.com/us/en/ Oceania Australia • Zyxel Communications Corporation • http://www.zyxel.com/au/en/ Africa South Africa • Nology (Pty) Ltd. • http://www.zyxel.co.za ZyWALL ATP Series User’s Guide...
  • Page 821: Appendix B Product Features

    Max. Application Object In Each Profile (Object + Object Group) User Profile Max. Local User Max. Admin User Max. User Group Max User In One User Group Default Concurrent Device Login Max. Concurrent Device Upgrade (License) ZyWALL ATP Series User’s Guide...
  • Page 822 Max. DHCP Host Pool(Static DHCP) 1024 Max. DHCP Extended Options Max. DDNS Profiles DHCP Relay 2 per interface 2 per interface 2 per interface USB Storage Device Number Centralized Log Log Entries 1024 1024 2048 ZyWALL ATP Series User’s Guide...
  • Page 823 SSL VPN Max Policy AP Controller Default # Of Control AP Max. # Of Control AP Max Radio Profile Max SSID Profile Max Security Profile Max MAC Filter Profile MAX MAC Entry Per MAC Filter Profile ZyWALL ATP Series User’s Guide...
  • Page 824 Custom Web Portal Page Max Internal Web Portal Customize File Upload Zip File Size Up to 2MB Up to 2MB Up to 2MB Unzip File Size Up to 5MB Up to 5MB Up to 5MB ZyWALL ATP Series User’s Guide...
  • Page 825: Appendix C Legal Information

    The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of Zyxel Communications Corporation. Published by Zyxel Communications Corporation. All rights reserved.
  • Page 826 - For permanently connected devices, a readily accessible disconnect device shall be incorporated external to the device; - For pluggable devices, the socket-outlet shall be installed near the device and shall be easily accessible. • CLASS 1 LASER PRODUCT ZyWALL ATP Series User’s Guide...
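  • Page 827 - Dust and dirt - Do not expose the device to dust, dirt, sand, food, or other unsuitable materials. • Do not install, use, or service this device during a thunderstorm. There is a risk of electric shock. • Do not drop or strike the device, and do not use an incorrect power adapter. • Connecting an incorrect power adapter poses a risk of explosion. • Do not replace the battery inside the product arbitrarily. • There is a risk of explosion if the battery is replaced with an incorrect type; dispose of used batteries according to the manufacturer's instructions. • Dispose of used batteries at an appropriate electrical or electronic equipment recycling point. • Do not disassemble the device. • Do not block the device's ventilation openings; insufficient airflow will damage the device. • Plug the device into a socket that supplies the correct voltage (for example, 110V AC in North America / Taiwan, 230V AC in Europe). • If the power adapter or its cable is damaged, unplug it from the socket; if you continue to use it while plugged in, there is a risk of death by electrocution. • Do not attempt to repair the power adapter or its cable; if it is damaged, contact the store where you purchased it and buy a new power adapter. • Do not install this device outdoors; this device is suitable for indoor use only.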
  • Page 828 North American products. Trademarks ZyNOS (Zyxel Network Operating System) and ZON (Zyxel One Network) are registered trademarks of Zyxel Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.
  • Page 829 The following information applies if you use the product within the European Union. CE EMC statement WARNING: This equipment is compliant with Class A of EN55032. In a residential environment this equipment may cause radio interference. ZyWALL ATP Series User’s Guide...
  • Page 830 - If the system has multiple sources of power, disconnect power from the system by unplugging all power cables from the power supply. • CLASS 1 LASER PRODUCT • APPAREIL À LASER DE CLASS 1 • PRODUCT COMPLIES WITH 21 CFR 1040.10 AND 1040.11. • PRODUIT CONFORME SELON 21 CFR 1040.10 ET 1040.11. ZyWALL ATP Series User’s Guide...
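  • Page 831 - Any liquid - Do not expose the device to water, rain, high humidity, sewage, corrosive liquids, or other moisture. - Dust and dirt - Do not expose the device to dust, dirt, sand, food, or other unsuitable materials. • Do not install, use, or service this device during a thunderstorm. There is a risk of electric shock. • Do not drop or strike the device, and do not use an incorrect power adapter. • Connecting an incorrect power adapter poses a risk of explosion. • Do not replace the battery inside the product arbitrarily. • There is a risk of explosion if the battery is replaced with an incorrect type; dispose of used batteries according to the manufacturer's instructions. • Dispose of used batteries at an appropriate electrical or electronic equipment recycling point. • Do not disassemble the device. • Do not block the device's ventilation openings; insufficient airflow will damage the device. • Plug the device into a socket that supplies the correct voltage (for example, 110V AC in North America / Taiwan, 230V AC in Europe). • If the power adapter or its cable is damaged, unplug it from the socket; if you continue to use it while plugged in, there is a risk of death by electrocution.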
  • Page 832 This product contains in part some free software distributed under GPL license terms and/or GPL like licenses. Open source licenses are provided with the firmware package. You can download the latest firmware at www.zyxel.com. To obtain the source code covered under those Licenses, please contact support@zyxel.com.tw to get it. ZyWALL ATP Series User’s Guide...

This manual is also suitable for:

Atp500, Atp200, Atp800
