Summary of Contents for ZyXEL Communications Unified Security Gateway ZyWALL 1000
ZyWALL USG 1000 Unified Security Gateway User’s Guide Version 2.00 10/2007 Edition 1 DEFAULT LOGIN LAN Port IP Address http://192.168.1.1 User Name admin Password 1234 www.zyxel.com...
About This User's Guide This manual is designed to guide you through the configuration of your ZyWALL for its various applications. Generally, it is organized as follows. • Introduction (ZyWALL, web configurator) • Features (by menu item in the web configurator) •...
Help us help you. Send all User Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead. Thank you! The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan.
Document Conventions Warnings and Notes These are how warnings and notes are shown in this User’s Guide. Warnings tell you about things that could harm you or your device. Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
Document Conventions Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL Server Switch Computer Notebook computer Firewall Telephone Router
For your safety, be sure to read and follow all warning notices and instructions. • Do NOT use this product near water, for example, in a wet basement or near a swimming pool. • Do NOT expose your device to dampness, dust or corrosive liquids. •...
About This User's Guide ... 3 Document Conventions... 5 Safety Warnings... 7 Contents Overview ... 9 Table of Contents... 11 List of Figures ... 31 List of Tables... 43 Part I: Introduction... 51 Chapter 1 Introducing the ZyWALL ... 53 1.1 Overview and Key Default Settings ...
Table of Contents 3.1 Web Configurator Requirements ... 65 3.2 Web Configurator Access ... 65 3.3 Web Configurator Main Screen ... 67 3.3.1 Title Bar ... 67 3.3.2 Navigation Panel ... 68 3.3.3 Main Window ... 71 3.3.4 Message Bar ... 72 Chapter 4 Wizard Setup ...
5.2 Terminology in the ZyWALL ...112 5.3 Physical Ports, Interfaces, and Zones ...112 5.3.1 Network Topology Example ...113 5.4 Feature Configuration Overview ...114 5.4.1 Feature ...114 5.4.2 Interface ...115 5.4.3 Trunks ...115 5.4.4 IPSec VPN ...116 5.4.5 SSL VPN ...116 5.4.6 L2TP VPN ...116 5.4.7 Zones ...116 5.4.8 Device HA ...117...
Table of Contents 6.2.2 Set up the VPN Gateway ... 132 6.2.3 Set up the VPN Connection ... 133 6.2.4 Set up the Policy Route for the VPN Tunnel ... 134 6.2.5 Set up the Zone for the VPN Tunnel ... 135 6.3 Device HA ...
8.1 myZyXEL.com Overview ... 165 8.1.1 Subscription Services Available on the ZyWALL ... 165 8.2 Registration ... 166 8.3 Service ... 168 Chapter 9 Update... 171 9.1 Updating Anti-virus Signatures ... 171 9.2 Updating IDP and Application Patrol Signatures ... 173 9.3 Updating System Protect Signatures ...
Table of Contents 18.1 ALG Introduction ... 265 18.1.1 Application Layer Gateway (ALG) and NAT ... 265 18.1.2 ALG and Trunks ... 265 18.1.3 FTP ... 266 18.1.4 H.323 ... 266 18.1.5 RTP ... 266 18.1.6 SIP ... 267 18.2 Peer-to-Peer Calls and the ZyWALL ... 268 18.2.1 VoIP Calls from the WAN with Multiple Outgoing Calls ...
20.4.2 Additional Topics for IKE SA ... 310 20.4.3 VPN Gateway Summary ... 312 20.4.4 VPN Gateway Add/Edit ... 313 20.5 VPN Concentrator ... 318 20.5.1 VPN Concentrator Summary ... 319 20.5.2 VPN Concentrator Add/Edit ... 319 20.6 SA Monitor Screen ... 320 20.6.1 Regular Expressions in Searching IPSec SAs by Name or Policy ...
Table of Contents 24.3.1 Downloading a File ... 341 24.3.2 Saving a File ... 341 24.4 Creating a New Folder ... 342 24.5 Renaming a File or Folder ... 342 24.6 Deleting a File or Folder ... 343 24.7 Uploading a File ... 344 Chapter 25 L2TP VPN...
27.5.1 Setting the Interface’s Bandwidth ... 385 27.5.2 SIP Any to WAN Bandwidth Management Example ... 385 27.5.3 SIP WAN to Any Bandwidth Management Example ... 386 27.5.4 HTTP Any to WAN Bandwidth Management Example ... 386 27.5.5 FTP WAN to DMZ Bandwidth Management Example ... 386 27.5.6 FTP LAN to DMZ Bandwidth Management Example ...
Table of Contents 29.3 Configuring IDP General ... 418 29.4 Configuring IDP Bindings ... 420 29.5 Introducing IDP Profiles ... 421 29.5.1 Base Profiles ... 421 29.6 Profile Summary Screen ... 422 29.7 Creating New Profiles ... 423 29.7.1 Procedure To Create a New Profile ... 423 29.8 Profiles: Packet Inspection ...
Table of Contents 34.1.4 Access Users and the ZyWALL ... 505 34.1.5 Force User Authentication Policy ... 505 34.2 User Summary ... 506 34.2.1 User Add/Edit ... 506 34.3 Group Summary ... 508 34.3.1 Group Add/Edit ... 509 34.4 Setting Screen ... 510 34.4.1 Force User Authentication Policy Add/Edit ...
38.2 Directory Service (AD/LDAP) Overview ... 532 38.2.1 Directory Structure ... 532 38.2.2 Distinguished Name (DN) ... 533 38.2.3 Configuring Active Directory or LDAP Default Server Settings ... 533 38.3 Active Directory or LDAP Group Summary ... 534 38.3.1 Creating an Active Directory or LDAP Group ... 535 38.4 RADIUS Server ...
List of Figures Figure 254 Connect L2TP to ZyWALL: Security ... 359 Figure 255 Connect ZyWALL L2TP: Security > Advanced ... 359 Figure 256 L2TP to ZyWALL Properties > Security ... 360 Figure 257 L2TP to ZyWALL Properties > Security > IPSec Settings ... 360 Figure 258 L2TP to ZyWALL Properties: Networking ...
List of Figures Figure 297 LAN to WAN, Outbound 200 kbps, Inbound 500 kbps ... 382 Figure 298 Bandwidth Management Behavior ... 383 Figure 299 Application Patrol Bandwidth Management Example ... 385 Figure 300 SIP Any to WAN Bandwidth Management Example ... 386 Figure 301 HTTP Any to WAN Bandwidth Management Example ...
List of Figures Figure 383 Object > Service > Service > Edit ... 523 Figure 384 Object > Service > Service Group ... 524 Figure 385 Object > Service > Service Group > Edit ... 525 Figure 386 Object > Schedule ... 528 Figure 387 Object >...
List of Figures Figure 426 Secure and Insecure Service Access From the WAN ... 587 Figure 427 HTTP/HTTPS Implementation ... 589 Figure 428 System > WWW ... 590 Figure 429 System > Service Control Rule Edit ... 592 Figure 430 Security Alert Dialog Box (Internet Explorer) ... 593 Figure 431 Security Certificate 1 (Netscape) ...
List of Tables Table 1 Front Panel LEDs ... 54 Table 2 Managing the ZyWALL: Console Port ... 55 Table 3 Starting and Stopping the ZyWALL ... 55 Table 4 Packet Flow Key ... 58 Table 5 Title Bar: Web Configurator Icons ... 68 Table 6 Navigation Panel Summary ...
List of Tables Table 82 Network > HTTP Redirect > Edit ... 263 Table 83 Network > ALG ... 270 Table 84 Default Firewall Rules ... 279 Table 85 Blocking All LAN to WAN IRC Traffic Example ... 281 Table 86 Limited LAN to WAN IRC Traffic Example 1 ... 282 Table 87 Limited LAN to WAN IRC Traffic Example 2 ...
List of Tables Table 125 Anti-X > Anti-Virus > Setting > Black List Add ... 413 Table 126 Anti-X > Anti-Virus > Signature ... 414 Table 127 Anti-X > IDP > General ... 419 Table 128 Anti-X > IDP > General > Add ... 421 Table 129 Base Profiles ...
List of Tables Table 168 Object > Address > Address Group > Add ... 518 Table 169 Object > Service > Service ... 522 Table 170 Object > Service > Service > Edit ... 523 Table 171 Object > Service > Service Group ... 524 Table 172 Object >...
List of Tables Table 211 SNMP Traps ... 607 Table 212 System > SNMP ... 608 Table 213 System > Dial-in Mgmt ... 610 Table 214 System > Vantage CNM ...611 Table 215 Configuration Files and Shell Scripts in the ZyWALL ... 616 Table 216 Maintenance >...
List of Tables Table 254 Interface Logs ... 699 Table 255 Account Logs ... 701 Table 256 Port Grouping Logs ... 701 Table 257 Force Authentication Logs ... 702 Table 258 File Manager Logs ... 702 Table 259 Commonly Used Services ... 703
Introduction Introducing the ZyWALL (53) Features and Applications (57) Web Configurator (65) Configuration Basics (111) Tutorials (125) Status (157) Registration (165) Update (171)
Chapter 1 Introducing the ZyWALL This chapter gives an overview of the ZyWALL. It explains the front panel ports, LEDs, introduces the management methods, and lists different ways to start or stop the ZyWALL. 1.1 Overview and Key Default Settings The ZyWALL is an Internet Security Gateway designed for Small and Medium Businesses (SMB).
Chapter 1 Introducing the ZyWALL The following table describes the LEDs. Table 1 Front Panel LEDs [LED and COLOR columns; only the colour column survived extraction: Green, Green, Green, Green; P1 ~ P5: Green, Orange] 1.3 Management Overview You can use the following ways to manage the ZyWALL. Web Configurator The web configurator allows easy ZyWALL setup and management using an Internet browser.
Command-Line Interface (CLI) The CLI allows you to use text-based commands to configure the ZyWALL. You can access it using remote management (for example, SSH or Telnet) or via the console port. See the Command Reference Guide for more information about the CLI. Console Port You can use the console port to manage the ZyWALL.
Chapter 1 Introducing the ZyWALL It is recommended you use the shutdown command before turning off the ZyWALL. When you apply configuration files or run shell scripts, the ZyWALL does not stop or start the system processes. However, you might lose access to network resources temporarily while the ZyWALL is applying configuration files or running shell scripts.
Chapter 2 Features and Applications This chapter introduces the main features and applications of the ZyWALL. 2.1 Features The ZyWALL’s security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and Prevention), ADP (Anomaly Detection and Protection), and certificates.
Chapter 2 Features and Applications Intrusion Detection and Prevention (IDP) IDP (Intrusion Detection and Prevention) can detect malicious or suspicious packets and respond instantaneously. It detects pattern-based attacks in order to protect against network-based intrusions. See protect against. You can also create your own custom IDP rules. Anomaly Detection and Prevention (ADP) ADP (Anomaly Detection and Prevention) can detect malicious or suspicious packets and respond instantaneously.
Chapter 2 Features and Applications Ethernet -> VLAN -> Encap -> ALG -> AC -> DNAT-> Routing -> FW -> AC -> IDP -> AV -> AP -> CF -> SNAT -> IPSec E -> Routing -> BWM -> Encap -> VLAN -> Ethernet 2.3 Applications These are some example applications for your ZyWALL.
With reverse proxy mode, remote users can easily access any web-based applications on the local network by clicking on links or entering the provided URL. You do not have to install additional client software on the remote user computers for access. Figure 4 Network Access Mode: Reverse Proxy 2.3.2.2 Full Tunnel Mode In full tunnel mode, a virtual connection is created for remote users with private IP addresses...
Chapter 2 Features and Applications Figure 6 Applications: User-Aware Access Control 2.3.4 Multiple WAN Interfaces Set up multiple connections to the Internet on the same port, or set up multiple connections on different ports. In either case, you can balance the loads between them. Figure 7 Applications: Multiple WAN Interfaces 2.3.5 Device HA Set up an additional ZyWALL as a backup gateway to ensure the default gateway is always...
Chapter 3 Web Configurator The ZyWALL web configurator allows easy ZyWALL setup and management using an Internet browser. 3.1 Web Configurator Requirements In order to use the web configurator, you must • Use Internet Explorer 6.0 or later, Netscape Navigator 7.2 or later, or Firefox 1.0.7 or later •...
Chapter 3 Web Configurator Figure 9 Login Screen 3 Type the user name (default: “admin”) and password (default: “1234”). If your account is configured to use an ASAS authentication server, use the OTP (One- Time Password) token to generate a number. Enter it in the One-Time Password field. The number is only good for one login.
5 The screen above appears every time you log in using the default user name and default password. If you change the password for the default user account, this screen does not appear anymore. Follow the directions in this screen. If you change the default password, the Login screen (Figure 9 on page main screen appears.
Chapter 3 Web Configurator The icons provide the following functions. Table 5 Title Bar: Web Configurator Icons ICON DESCRIPTION Help: Click this icon to open the help page for the current screen. Wizards: Click this icon to open one of the web configurator wizards. See on page 75 Console: Click this icon to open the console in which you can use the command line interface (CLI).
Table 6 Navigation Panel Summary (continued) LINK Routing Policy Route Static Route OSPF Zone DDNS Virtual Server HTTP Redirect Firewall VPN Connection IPSec VPN VPN Connection VPN Gateway Concentrator SA Monitor SSL VPN Access Privilege Connection Monitor Global Setting L2TP VPN L2TP Over IPSec Use this screen to configure L2TP Over IPSec VPN settings.
Chapter 3 Web Configurator Table 6 Navigation Panel Summary (continued) LINK General Profile Custom Signatures General Profile Content General Filter Filtering Profile Cache Device HA VRRP Group Synchronize Object User/Group User Group Setting Address Address Address Group Service Service Service Group Schedule AAA Server Active Directory-...
Table 6 Navigation Panel Summary (continued) LINK Host Name Date/Time Console Speed TELNET SNMP Dial-in Mgmt. Vantage Language Maintenance File Manager Configuration File Use this screen to manage and upload configuration files for the ZyWALL. Firmware Package Shell Script View Log Log Setting Report Traffic...
Chapter 3 Web Configurator 3.3.4 Message Bar Check the message bar when you click Apply or OK to verify that the configuration has been updated. Figure 12 Message Bar 3.3.4.1 Warning Messages Click the up arrow to view the ZyWALL’s current warning messages. These warning messages display in a popup window, such as the following.
Chapter 3 Web Configurator Figure 14 CLI Messages Click Change Display Style to show or hide the index numbers for the commands (the commands are more convenient to copy and paste without the index numbers). Click Refresh Now to update the screen. For example, if you just enabled a particular feature, you can look at the commands the web configurator generated to enable it.
Chapter 4 Wizard Setup This chapter provides information on configuring the Wizard setup screens in the web configurator. See the feature-specific chapters in this User’s Guide for background information. 4.1 Wizard Setup Overview Use the wizards only for initial configuration starting from the default configuration.
Chapter 4 Wizard Setup Use VPN SETUP to configure a VPN connection. See Figure 15 Wizard Setup Welcome 4.2 Installation Setup, One ISP The wizard screens vary depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information.
Figure 16 Internet Access: Step 1 The following table describes the labels in this screen. Table 7 Internet Access: Step 1 LABEL DESCRIPTION ISP Parameters Encapsulation Choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP.
Chapter 4 Wizard Setup IP Address Assignment: Select Auto if your ISP did not assign you a fixed IP address. Select Static if the ISP assigned a fixed IP address. 4.3.1 Ethernet: Auto IP Address Assignment If you select Auto as the IP Address Assignment in the previous screen, the following screen displays.
Figure 18 Ethernet Encapsulation: Static The following table describes the labels in this screen. Table 8 Ethernet Encapsulation: Static LABEL DESCRIPTION ISP Parameters Encapsulation This displays the type of Internet connection you are configuring. WAN IP Address Assignments WAN Interface This displays the identity of the interface you configure to connect with your ISP.
Chapter 4 Wizard Setup 4.3.3 Step 2 Internet Access Ethernet You do not configure this screen if you selected Auto as the IP Address Assignment in the previous screen. Enter the Internet access information exactly as given to you by your ISP. WAN Interface: This is the number of the interface that will connect with your ISP.
You can click Next and use the following screen to perform a basic registration (see 4.4 on page 91). If you want to do a more detailed registration or manage your account details, click myZyXEL.com. Alternatively, click Close to exit the wizard. 4.3.4 PPPoE: Auto IP Address Assignment If you select Auto as the IP Address Assignment in the previous screen, the following screen displays after you click Next.
Chapter 4 Wizard Setup Table 9 PPPoE Encapsulation: Auto (continued) LABEL DESCRIPTION Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server. The default time is 100 seconds. WAN IP Address Assignments WAN Interface This displays the identity of the interface you configure to connect with your ISP.
Figure 22 PPPoE Encapsulation: Static The following table describes the labels in this screen. Table 10 PPPoE Encapsulation: Static LABEL DESCRIPTION ISP Parameters Encapsulation This displays the type of Internet connection you are configuring. Service Name Type the PPPoE service name given to you by your ISP. PPPoE uses a service name to identify and reach the PPPoE server.
Chapter 4 Wizard Setup Table 10 PPPoE Encapsulation: Static (continued) LABEL DESCRIPTION First DNS Server / Second DNS Server: Enter the DNS server's IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
Figure 23 PPPoE Encapsulation: Static: Finish You have set up your ZyWALL to access the Internet. If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can click Next and use the following screen to perform a basic registration (see 4.4 on page 91).
Chapter 4 Wizard Setup Figure 24 PPTP Encapsulation: Auto The following table describes the labels in this screen. Table 11 PPTP Encapsulation: Auto LABEL ISP Parameters Encapsulation User Name Password Retype to Confirm Nailed-Up Idle Timeout PPTP Configuration Base Interface Base IP Address IP Subnet Mask Server IP...
Table 11 PPTP Encapsulation: Auto (continued) LABEL DESCRIPTION Connection ID Enter the connection ID or connection name in this field. It must follow the "c:id" and "n:name" format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your DSL modem. You can use alphanumeric and -_ long.
Chapter 4 Wizard Setup If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can click Next and use the following screen to perform a basic registration (see 4.4 on page 91).
Table 12 PPTP Encapsulation: Static (continued) LABEL DESCRIPTION User Name Type the user name given to you by your ISP. You can use alphanumeric and - @$./ Password Type the password associated with the user name above. Use up to 64 ASCII characters except the [] and ?.
Chapter 4 Wizard Setup Type the Password associated with the user name. Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPTP server.
4.3.10 Step 4 Internet Access - Finish You have set up your ZyWALL to access the Internet. If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can click Next and use the following screen to perform a basic registration (see 4.4 on page 91).
Table 13 Registration (continued) LABEL Close Next Figure 29 Registration: Registered Device 4.5 Installation Setup, Two Internet Service Providers This wizard allows you to configure two interfaces for Internet access through either two different Internet Service Providers (ISPs) or two different accounts with the same ISP. The configuration of the following screens is explained in Configure the First WAN Interface and click Next.
Chapter 4 Wizard Setup Figure 30 Internet Access: Step 1: First WAN Interface After you configure the First WAN Interface, you can configure the Second WAN Interface. Click Next to continue. Figure 31 Internet Access: Step 3: Second WAN Interface After you configure the Second WAN Interface, a summary of configuration settings display for both WAN interfaces.
Figure 32 Internet Access: Finish You can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Use the myZyXEL.com link if you do not already have a myZyXEL.com account. If you already have a myZyXEL.com account, you can click Next and use the following screen to register your ZyWALL and activate service trials (see Alternatively, click Close to exit the wizard.
Chapter 4 Wizard Setup Click VPN SETUP in the Wizard Setup Welcome screen to open the following screen. Use it to select which type of VPN settings you want to configure. Figure 33 VPN Wizard: Wizard Type The following table describes the labels in this screen. Table 14 VPN Wizard: Step 1: Wizard Type LABEL DESCRIPTION...
4.7.1 VPN Express Wizard Click the Express radio button as shown in screen. Figure 34 VPN Express Wizard: Step 2 The following table describes the labels in this screen. Table 15 VPN Express Wizard: Step 2 LABEL DESCRIPTION Name Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores( character cannot be a number.
Chapter 4 Wizard Setup Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores( number. This value is case-sensitive. Secure Gateway: Enter the WAN IP address or domain name of the remote IPSec router (secure gateway).
4.8.1 VPN Express Wizard - Policy Setting The Policy Setting specifies which devices can use the VPN tunnel. Local and remote IP addresses must be static. Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also specify a subnet.
Chapter 4 Wizard Setup Table 17 VPN Express Wizard: Step 4 (continued) LABEL DESCRIPTION Configuration for Remote Gateway: These commands set the matching VPN connection settings for the remote gateway. If the remote gateway is a ZLD-based ZyWALL, you can copy and paste this list into its command line interface in order to configure it for the VPN tunnel.
If you have not already done so, use the myZyXEL.com link and register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Alternatively, click Close to exit the wizard. 4.8.3 VPN Express Wizard - Finish Now you can use the VPN tunnel. If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP.
Chapter 4 Wizard Setup Figure 38 VPN Advanced Wizard: Step 2 The following table describes the labels in this screen. Table 18 VPN Advanced Wizard: Step 2 LABEL DESCRIPTION Remote Gateway Name Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores( character cannot be a number.
Table 18 VPN Advanced Wizard: Step 2 (continued) LABEL DESCRIPTION Certificate Use the drop-down list box to select the certificate to use for this VPN tunnel. You must have certificates already configured in the My Certificates screen. Click Certificate under the Object menu to go to the My Certificates screen where you can view the ZyWALL's list of certificates.
Chapter 4 Wizard Setup Figure 39 VPN Advanced Wizard: Step 3 The following table describes the labels in this screen. Table 19 VPN Advanced Wizard: Step 3 LABEL DESCRIPTION Negotiation Mode: Select Main for identity protection. Select Aggressive to allow more incoming connections from dynamic IP addresses to use separate passwords. (The other labels in this table are Encryption Algorithm, Authentication Algorithm and Key Group.)
Table 19 VPN Advanced Wizard: Step 3 (continued) LABEL DESCRIPTION SA Life Time (Seconds): Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 60 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys.
Chapter 4 Wizard Setup 4.8.6.1 Phase 2 Setting Phase 2 in an IKE uses the SA that was established in phase 1 to negotiate SAs for IPSec. Figure 40 VPN Advanced Wizard: Step 4 The following table describes the labels in this screen. Table 20 VPN Advanced Wizard: Step 4 LABEL Phase 2 Setting...
Table 20 VPN Advanced Wizard: Step 4 (continued) LABEL DESCRIPTION SA Life Time (Seconds): Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 60 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys.
Chapter 4 Wizard Setup Figure 41 VPN Advanced Wizard: Step 5 The following table describes the labels in this screen. Table 21 VPN Advanced Wizard: Step 5 LABEL DESCRIPTION Summary Name This is the name of the VPN connection (and VPN gateway). Secure This is the WAN IP address or domain name of the remote IPSec router.
Secure Gateway: IP address or domain name of the peer IPSec device. Pre-Shared Key: VPN tunnel password. Local Policy: IP address and subnet mask of the computers on the network behind your ZyWALL that can use the tunnel. Remote Policy: IP address and subnet mask of the computers on the network behind the peer IPSec device that can use the tunnel.
Chapter 4 Wizard Setup If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can click Next and use the following screen to perform a basic registration (see Section 4.4 on page 91).
Chapter 5 Configuration Basics This section provides information to help you configure the ZyWALL effectively. Some of it is helpful when you are just getting started. Some of it is provided for your reference when you configure various features in the ZyWALL. •...
Chapter 5 Configuration Basics 5.2 Terminology in the ZyWALL This section highlights some differences in terminology or organization between the ZyWALL and other routers, particularly ZyNOS routers. Table 22 ZyWALL Terminology That is Different Than ZyNOS ZYNOS FEATURE / TERM Port forwarding IP alias Gateway policy...
A physical port is the place to which you connect the cable. As shown above, you do not usually configure physical ports to use various features. You configure interfaces and zones. The ZyWALL supports one-to-one, one-to-many, many-to-one, and many-to-none relationships between physical ports and interfaces. There are many types of interfaces in the ZyWALL.
Chapter 5 Configuration Basics Figure 43 Interfaces and Zones: Example • The LAN zone contains the ge1 (Gigabit Ethernet 1) interface. This is a protected zone and uses private IP addresses. ge1 uses 192.168.1.1 and the connected devices use IP addresses in the 192.168.1.2 to 192.168.1.254 range.
These are other features you should configure before you configure the main screen(s) for this feature. If you did not configure one of the prerequisites first, you can often select an option to create a new object. After you create the object, you return to the main screen to finish configuring the feature.
Chapter 5 Configuration Basics PREREQUISITES WHERE USED Example: See Chapter 6 on page 5.4.4 IPSec VPN Use IPSec VPN to provide secure communication between two sites over the Internet or any insecure network that uses TCP/IP for communication. The ZyWALL also offers hub-and-spoke VPN.
Zones cannot overlap. Each interface and VPN tunnel can be assigned to at most one zone. Virtual interfaces are automatically assigned to the same zone as the interface on which they run. When you create a zone, the ZyWALL does not create any firewall rules, assign an IDP profile, or configure remote management for the new zone.
Chapter 5 Configuration Basics 2 Click Network > Routing > Policy Route to go to the policy route configuration screen. Add a policy route. 3 Name the policy route. 4 Select the interface that the traffic comes in through (ge4 in this example). 5 Select the FTP server’s address as the source address.
2 Create an address object for the VoIP server (Object > Address). 3 Click Firewall to go to the firewall configuration. 4 Select from the DMZ-2 zone to the LAN zone, and add a firewall rule using the items you have configured. •...
Chapter 5 Configuration Basics 5.4.14 Anti-Virus Use anti-virus to detect and take action on viruses. You must subscribe to use anti-virus. You can subscribe using the Licensing > Registration screens or one of the wizards. MENU ITEM(S) PREREQUISITES 5.4.15 IDP Use IDP to detect and take action on malicious or suspicious packets.
11 Add a policy that uses the schedule, the filtering profile and the user that you created. 5.4.18 Virtual Server (Port Forwarding) Use this to change the address and/or port number of packets coming in from a specified interface. This is also known as port forwarding. The ZyWALL does not check to-ZyWALL firewall rules for packets that are redirected by virtual server.
Chapter 5 Configuration Basics 5.4.20 ALG The ZyWALL’s Application Layer Gateway (ALG) allows VoIP and FTP applications to go through NAT on the ZyWALL. You can also specify additional signaling port numbers. MENU ITEM(S) 5.5 Objects Objects store information and are referenced by other features. If you update this information in response to changes, the ZyWALL automatically propagates the change through the features that use the object.
Table 28 User Types TYPE ABILITIES Guest Access network services Ext-User The same as a User or a Guest. The ZyWALL looks for the specific type in an external authentication server. If the type is not available, the ZyWALL applies default settings.
Chapter 5 Configuration Basics 5.6.2 File Manager Use these screens to upload, download, delete, or run scripts of CLI commands. You can manage • Configuration files. Use configuration files to back up and restore the complete configuration of the ZyWALL. You can store multiple configuration files in the ZyWALL and switch between them without restarting.
Chapter 6 Tutorials This chapter provides some examples of using the web configurator to set up features in the ZyWALL. See also Chapter 26 on page 351 6.1 Interfaces and Zones The following example shows how to use port grouping, Ethernet interfaces, trunks, and zones to set up the following configuration.
Chapter 6 Tutorials Figure 44 Network > Interface > Port Grouping, Initial 2 Drag physical port 2 onto representative interface ge1, as shown below. Figure 45 Network > Interface > Port Grouping, Drag-and-Drop 3 Click Apply. 4 Click Status, and look at the Interface Status Summary, shown below. Ethernet interface ge1 has a status of Port Group Up, and Ethernet interface ge2 is disabled and has a Status of Port Group Inactive.
Figure 46 Status: Interface Status Summary After Port Grouping 6.1.2 Set up Ethernet Interfaces This example sets up the Ethernet interfaces as shown below. Table 30 Ethernet Interfaces Example ETHERNET INTERFACE You have decided to use the default settings for ge1 and ge3, so it is not necessary to edit these interfaces.
Chapter 6 Tutorials Figure 48 Network > Interface > Ethernet > ge4 3 Use the default values for the rest of the settings. Click Apply to save these changes and return to the previous screen. Click the Edit icon for ge5, and set up the IP address as shown below.
Figure 51 Status > Interface Status Summary, After Ethernet Interface Edits 6.1.3 WAN Trunk This example sets up trunk WAN_TRUNK with ge3 and ge4. This example uses the default settings for the trunk and shows how to add the interfaces to it. Table 31 Trunk Example ETHERNET TRUNK...
Chapter 6 Tutorials Figure 54 Network > Interface > Trunk > Edit > Member 4 Use the default values for the rest of the settings. Click OK to save these changes and return to the previous screen. 6.1.4 Zones This example sets up the LAN, WAN, and DMZ zones as shown below. Table 32 Zones Example ETHERNET INTERFACE...
Figure 56 Network > Zone > DMZ, Remove ge4 3 Select IFACE/ge4 and click the left arrow to remove ge4 from the Member list. Click OK to save these changes and return to the previous screen. 4 Click the Edit icon for WAN. The following screen appears. Figure 57 Network >...
Chapter 6 Tutorials 6.2 IPSec VPN This example is going to show you how to create the VPN tunnel illustrated below. Figure 59 VPN Example 192.168.1.33 ~ 192.168.1.232 In this example, the ZyWALL is router X (172.23.37.240/24), and the remote IPSec router is router Y (220.123.143.10/24).
Figure 60 VPN > IPSec VPN > VPN Gateway > Add 6.2.3 Set up the VPN Connection The VPN connection manages the IPSec SA. You have to set up the address objects for the local network and remote network before you can set up the VPN connection. 1 Click Object >...
Chapter 6 Tutorials Figure 62 VPN > IPSec VPN > VPN Connection > add 6.2.4 Set up the Policy Route for the VPN Tunnel You should create a new policy route to use the VPN tunnel. This policy route will only use the existing address objects, so you do not have to create any additional objects first.
Figure 64 Network > Routing > Policy Route > Add Because the new VPN connection has not been assigned to a zone yet, there are no restrictions (for example, firewall rules) on traffic to or from this VPN connection. Leave it in this state only while testing: assign the VPN connection to a zone and write firewall rules for it before it carries production traffic, otherwise tunnel traffic bypasses the firewall entirely. You should set up the VPN settings on the remote IPSec router and try to establish the VPN tunnel before continuing.
Chapter 6 Tutorials 6.3 Device HA This example is going to show you how to set up device HA as illustrated below. Figure 66 Device HA Example In this example, router A is the default gateway for the network and uses IP address 192.168.1.1.
Figure 67 Device HA > VRRP Group > Add: ge1 3 Click Status, and scroll down to the Interface Status Summary. The H/A Status field is Active. Figure 68 Status: Interface Status Summary: Device HA Master Configured 4 Repeat these steps for the interface that is connected to the Internet. The second VRRP group should have a different VR ID.
Chapter 6 Tutorials Figure 69 Network > Device HA > VRRP Group > Add: ge4 Once you configure an interface in a VRRP group, you should not configure the interface to have a dynamic IP address. 6.3.3 Set up the Password for Synchronization 1 Click Device HA >...
6.3.4 Finish Configuring the Master Finish configuring the master. The backup router will get these updates later, when it synchronizes with the master. 6.3.5 Set up the Ethernet Interfaces on the Backup On the backup ZyWALL, ge1 should be configured exactly the same way it is configured on the master, including the same IP address.
Chapter 6 Tutorials 6.3.7 Synchronize the Backup 1 Connect the backup to the same network as the master. 2 Click Device HA > Synchronize. 3 Type the password for synchronization in the Password field. Enter the IP address of the master (on a secure network), and click Sync Now to get the configuration from the master.
6.4.1 Set up User Accounts Set up one user account for each user account in the RADIUS server. If it is possible to export user names from the RADIUS server to a text file, then you might create a script to create the user accounts instead.
Chapter 6 Tutorials 6.4.3 Set up User Authentication Using the RADIUS Server This step sets up user authentication using the RADIUS server. First, configure the settings for the RADIUS server. Then, set up the authentication method, and configure the ZyWALL to use the authentication method.
The users will have to log in using the web configurator login screen before they can use HTTP or MSN. Figure 79 Object > User/Group > Setting > Add (Force User Authentication Policy) When the users try to browse the web (or use any HTTP/HTTPS application), the Login screen appears.
Chapter 6 Tutorials Figure 81 AppPatrol > http > Edit Default 4 Click the Add icon in the policy list. In the new policy, select one of the user groups that is allowed to browse the web and set the corresponding bandwidth restriction in the Inbound and Outbound fields.
Figure 83 Object > Schedule > Recurring > add 3 Follow the steps in application patrol. Make sure to specify the schedule when you configure the policy for the Sales group’s MSN access. 6.4.6 Set up LAN-to-DMZ Policies Use the firewall to control access to the DMZ. 1 Click Firewall.
Chapter 6 Tutorials Figure 85 Firewall > LAN > DMZ > Add 5 Repeat this process to set up firewall rules for the other user groups that are allowed to access the DMZ. 6.5 Trunks The following example shows how to set up a trunk for two connections (ge2 and ge3) to the Internet.
Figure 87 Network > Interface > Ethernet > Edit > ge2 2 Click the Edit icon for ge3, and enter the available bandwidth (512 kbps) in the Upstream Bandwidth and Downstream Bandwidth fields. Click OK. 6.5.2 Change WAN Trunk Algorithm 1 Click Network >...
Chapter 6 Tutorials The firewall is enabled, so you also need to create a rule to allow traffic in from the WAN zone. Figure 89 NAT 1:1 Example Network Topology 192.168.1.21 6.6.1 NAT 1:1 Address Objects First create two address objects for the private and public IP addresses (LAN_SMTP and WAN_EG) in the Object >...
6.6.2 NAT 1:1 Virtual Server This section sets up a virtual server rule that changes the destination of SMTP traffic coming to IP address 1.1.1.1 at the ZyWALL’s ge3 (WAN) interface, to the LAN SMTP server’s IP address (192.168.1.21). This is also called Destination NAT (DNAT). Figure 92 NAT 1:1 Example Virtual Server 192.168.1.21 The ge3 WAN interface has a different IP address than 1.1.1.1, so in order for the ZyWALL...
Chapter 6 Tutorials Figure 94 NAT 1:1 Example Policy Route 192.168.1.21 Click Network > Routing > Policy Route > Add and configure the screen as shown next. Be careful of where you create the route as routes are ordered in descending priority. Figure 95 Create a Policy Route 6.6.4 NAT 1:1 Firewall Rule Create a firewall rule to allow access from the WAN zone to the mail server in the LAN zone.
Figure 96 Create a Firewall Rule 6.7 NAT Loopback The NAT 1:1 example in Section 6.6 maps a public IP address to the address of a LAN SMTP mail server so that users can access the SMTP mail server from the WAN. LAN users can also use the server’s LAN IP address to access the mail server. However, you need to configure NAT loopback for LAN users to use a domain name (which resolves to the public IP address) to access the server.
Chapter 6 Tutorials 6.7.1 NAT Loopback Virtual Server When a LAN user sends SMTP traffic to IP address 1.1.1.1, the traffic comes into the ZyWALL through the ge1 (LAN) interface, thus it does not match the NAT 1:1 mapping’s virtual server rule for SMTP traffic coming to IP 1.1.1.1 from ge3 (the WAN). So you must configure a similar virtual server rule for ge1.
6.7.2 NAT Loopback Policy Route Without a NAT loopback policy route, the LAN user’s SMTP traffic that the ZyWALL forwards to the LAN SMTP server still has the LAN computer’s IP address as its source. That source address is in the same subnet as the server, so the LAN SMTP server replies to the LAN computer directly, bypassing the ZyWALL. The return traffic uses the SMTP server’s LAN IP address (192.168.1.21) as its source address, which does not match the original destination address (1.1.1.1), so the LAN computer rejects the reply. The policy route fixes this by translating the source address of the forwarded traffic to the ZyWALL’s own LAN address.
Chapter 6 Tutorials Figure 102 Create a Policy Route Now the LAN SMTP server replies to the ZyWALL’s LAN IP address and the ZyWALL changes the source address to 1.1.1.1 before sending it to the LAN user’s computer. The source in the return traffic matches the original destination address (1.1.1.1) and the LAN user can use the LAN SMTP server.
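The packet flows described in Sections 6.6 and 6.7, traced in a small simulation. This is an added example written for this page, not ZyWALL code or configuration: it models the virtual server (DNAT) rules for ge3 and ge1 and the optional loopback SNAT policy route, and checks whether the client ever sees a reply whose source is the address it sent to. Assumed values: the ZyWALL’s ge1 address is 192.168.1.1 (the tutorial’s default settings), the LAN client is 192.168.1.33, and the WAN client address 203.0.113.5 is constructed.

```python
"""Packet-flow model of the NAT 1:1 and NAT loopback tutorial (added example)."""
import ipaddress
from dataclasses import dataclass, replace

LAN = ipaddress.ip_network("192.168.1.0/24")
ZYWALL_LAN_IP = "192.168.1.1"   # assumed ge1 address (tutorial default settings)
PUBLIC_IP = "1.1.1.1"           # the address in the virtual server rule
SERVER_IP = "192.168.1.21"      # the LAN SMTP server
SMTP = 25


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    iface_in: str   # interface the ZyWALL receives the packet on


class ZyWallNat:
    """Virtual server (DNAT) on ge3 and ge1, plus the optional loopback SNAT policy route."""

    def __init__(self, loopback_snat: bool):
        self.loopback_snat = loopback_snat
        self.conntrack = {}   # (translated src, translated dst) -> (original src, original dst)

    def forward(self, pkt: Packet) -> Packet:
        # Only SMTP to 1.1.1.1 arriving on ge3 (NAT 1:1) or ge1 (NAT loopback) matches a rule.
        if pkt.dport != SMTP or pkt.dst != PUBLIC_IP or pkt.iface_in not in ("ge3", "ge1"):
            return pkt
        out = replace(pkt, dst=SERVER_IP)                       # virtual server: DNAT
        if pkt.iface_in == "ge1" and self.loopback_snat:
            out = replace(out, src=ZYWALL_LAN_IP)               # policy route: SNAT
        self.conntrack[(out.src, out.dst)] = (pkt.src, pkt.dst)
        return out

    def reply(self, pkt: Packet) -> Packet:
        """Reverse the translation for a server reply that actually reaches the ZyWALL."""
        orig = self.conntrack.get((pkt.dst, pkt.src))
        if orig is None:
            return pkt
        orig_src, orig_dst = orig
        return replace(pkt, src=orig_dst, dst=orig_src)


def server_reply(request_at_server: Packet) -> Packet:
    """The SMTP server answers whatever source address it saw, from its own LAN address."""
    return Packet(src=SERVER_IP, dst=request_at_server.src, dport=0, iface_in="ge1")


def delivered_via_zywall(reply: Packet) -> bool:
    """A reply to another LAN host is delivered on the segment directly; anything else passes the ZyWALL."""
    return not (ipaddress.ip_address(reply.dst) in LAN and reply.dst != ZYWALL_LAN_IP)


def session_succeeds(client: str, iface_in: str, loopback_snat: bool) -> bool:
    """True if the client receives a reply whose source is the address it originally sent to."""
    fw = ZyWallNat(loopback_snat)
    request = Packet(src=client, dst=PUBLIC_IP, dport=SMTP, iface_in=iface_in)
    at_server = fw.forward(request)
    reply = server_reply(at_server)
    if delivered_via_zywall(reply):
        reply = fw.reply(reply)
    return reply.src == PUBLIC_IP and reply.dst == client


def lan_client_session(loopback_snat: bool) -> bool:
    return session_succeeds("192.168.1.33", "ge1", loopback_snat)


def wan_client_session() -> bool:
    return session_succeeds("203.0.113.5", "ge3", loopback_snat=False)   # constructed WAN address


if __name__ == "__main__":
    print("WAN client:", wan_client_session())                         # True
    print("LAN client, no loopback SNAT:", lan_client_session(False))  # False: reply comes from 192.168.1.21
    print("LAN client, loopback SNAT:", lan_client_session(True))      # True
```

The conntrack reversal in `reply` stands in for the ZyWALL rewriting the reply’s source back to 1.1.1.1 (which, for the WAN case, is what the Section 6.6.3 policy route provides, since ge3 itself has a different address). The LAN case fails without SNAT for exactly the reason Section 6.7.2 gives: the server’s reply never passes the ZyWALL, so nothing can rewrite it.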
6.8 Service Control and the Firewall Service control lets you configure rules that control HTTP and HTTPS management access (to the web configurator) and separate rules that control HTTP and HTTPS user access (logging into SSL VPN for example). See The To-ZyWALL firewall rules apply to any kind of HTTP or HTTPS connection to the ZyWALL.
Chapter 6 Tutorials Figure 105 System > WWW > Service Control Rule Edit 4 Click Apply. Figure 106 System > WWW Now administrators can only log into the web configurator from the LAN zone. Non-admin users can still use HTTPS to log into the ZyWALL from any of the ZyWALL’s zones (to use SSL VPN for example).
Chapter 7 Status This chapter explains the Status screen, which is the screen you see when you first log in to the ZyWALL or when you click Status. 7.1 Status Screen Use this screen to look at the ZyWALL’s general device information, system status, system resource usage, licensed service status, and interface status.
Chapter 7 Status The following table describes the labels in this screen. Table 34 Status LABEL DESCRIPTION Device Information System Name This field displays the name used to identify the ZyWALL on any network. Click the icon on the right to open the screen where you can change it. See page Model Name This field displays the model name of this ZyWALL.
Table 34 Status (continued) LABEL DESCRIPTION Signature This field displays the version number, date, and time of the current set of Version signatures the ZyWALL is using. Last Update This field displays the last time the ZyWALL received updated signatures. Time Total This field displays the total number of signatures in the current signature version.
Chapter 7 Status Table 34 Status (continued) LABEL DESCRIPTION HA Status This field displays the status of the interface in the virtual router. Active - This interface is the master interface in the virtual router. Stand-By - This interface is a backup interface in the virtual router. Fault - This VRRP group is not functioning in the virtual router right now.
Figure 108 Status > VPN Status The following table describes the labels in this screen. Table 35 Status > VPN Status LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific SA. Name This field displays the name of the IPSec SA. Encapsulation This field displays how the IPSec SA is encapsulated.
Chapter 7 Status Figure 109 Status > DHCP Table The following table describes the labels in this screen. Table 36 Status > DHCP Table LABEL DESCRIPTION Interface Select for which interface you want to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses.
Figure 110 Status > Port Statistics The following table describes the labels in this screen. Table 37 Status > Port Statistics LABEL DESCRIPTION Port This field displays the physical port number. status This field displays the current status of the physical port. Down - The physical port is not connected.
Chapter 7 Status Figure 111 Status > Current Users The following table describes the labels in this screen. Table 38 Status > Current Users LABEL DESCRIPTION This field is a sequential value and is not associated with any entry. User ID This field displays the user name of each user who is currently logged in to the ZyWALL.
Chapter 8 Registration This chapter shows you how to register for the ZyWALL’s subscription services. 8.1 myZyXEL.com Overview myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL. You need to create an account before you can register your device and activate the services at myZyXEL.com.
Chapter 8 Registration • SSL VPN tunnels provide secure network access to remote users. You can purchase and enter a license key to have the ZyWALL use more SSL VPN tunnels. • The content filter allows or blocks access to web sites. Subscribe to category-based content filtering to block access to categories of web sites based on content.
The following table describes the labels in this screen. Table 39 Licensing > Registration LABEL General Setup new myZyXEL.com account existing myZyXEL.com account UserName Check Password Confirm Password E-Mail Address Country Code Trial Service Activation Anti-Virus IDP/AppPatrol Content Filter Apply If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated (if any).
Chapter 8 Registration Figure 113 Licensing > Registration: Registered Device 8.3 Service After you activate a trial, you can also use this screen to register and enter your iCard’s PIN number (license key). Click Licensing > Registration > Service to open the screen as shown next.
Table 40 Licensing > Registration > Service (continued) LABEL Expiration date Count License Upgrade License Key Service License Refresh DESCRIPTION This field displays the date your service expires. You can continue to use IDP/AppPatrol or Anti-Virus after the registration expires; you just won’t receive updated signatures.
Chapter 9 Update This chapter shows you how to update the ZyWALL’s signature packages. 9.1 Updating Anti-virus Signatures When scheduling signature updates, choose a day and time when your network is least busy to minimize disruption to your network. Your custom signature configurations are not over-written when you download new signatures.
Chapter 9 Update Figure 115 Licensing > Update >Anti-Virus The following table describes the labels in this screen. LABEL DESCRIPTION Signature Information Current Version This field displays the signatures version number currently used by the ZyWALL. This number is defined by the ZyXEL Security Response Team (ZSRT) who maintain and update them.
9.2 Updating IDP and Application Patrol Signatures The ZyWALL comes with signatures for the IDP and application patrol features. These signatures are continually updated as new attack types evolve. New signatures can be downloaded to the ZyWALL periodically if you have subscribed for IDP service. You need to create an account at myZyXEL.com, register your ZyWALL and then subscribe for IDP service in order to be able to download new packet inspection signatures from myZyXEL.com (see the Registration screens).
Chapter 9 Update Table 41 Licensing > Update > IDP/AppPatrol (continued) LABEL DESCRIPTION Auto Update Select this check box to have the ZyWALL automatically check for new IDP signatures regularly at the time and day specified. You should select a time when your network is not busy for minimal interruption. Hourly Select this option to have the ZyWALL check for new IDP signatures every hour.
9.3 Updating System Protect Signatures The ZyWALL comes with signatures that the ZyWALL uses to protect itself from intrusions. These signatures are continually updated as new attack types evolve. These system protect signature updates are free and can be downloaded to the ZyWALL periodically. Click Licensing >...
Chapter 9 Update Table 42 Licensing > Update > System Protect (continued) LABEL DESCRIPTION Daily Select this option to have the ZyWALL check for new signatures every day at the specified time. The time format is the 24 hour clock, so ‘23’ means 11PM for example.
Chapter 10 Interface See Section 5.4.2 on page 115 for related information on these screens. 10.1 Interface Overview In general, an interface has the following characteristics. • An interface is a logical entity through which (layer-3) packets pass. • An interface is bound to a physical port or another interface. •...
Chapter 10 Interface • Trunks manage load balancing between interfaces. Port groups, trunks, and the auxiliary interface have a lot of characteristics that are specific to each type of interface. They are discussed in more detail in Chapter 11. The other interfaces (Ethernet, VLAN, bridge, PPPoE/PPTP, and virtual) have a lot of similar characteristics.
Figure 122 Example: Entry in the Routing Table Derived from Interfaces Table 44 Example: Routing Table Entries for Interfaces IP ADDRESS(ES) 100.100.1.1/16 200.200.200.1/24 For example, if the ZyWALL gets a packet with a destination address of 100.100.25.25, it routes the packet to interface ge1. If the ZyWALL gets a packet with a destination address of 200.200.200.200, it routes the packet to interface ge2.
Chapter 10 Interface 10.1.3 Interface Parameters The ZyWALL restricts the amount of traffic into and out of the ZyWALL through each interface. • Upstream bandwidth is the amount of traffic from the ZyWALL through the interface to the network. • Downstream bandwidth is the amount of traffic from the network through the interface into the ZyWALL.
Table 46 Example: Assigning IP Addresses from a Pool (continued) START IP ADDRESS 99.99.1.1 120.120.120.100 The ZyWALL cannot assign the first address (network address) or the last address (broadcast address) in the subnet defined by the interface’s IP address and subnet mask. For example, in the first entry, if the subnet mask is 255.255.255.0, the ZyWALL cannot assign 50.50.50.0 or 50.50.50.255.
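A validator for the pool rule just stated, as an added example (not ZyWALL code): given the interface’s address and mask, a pool start and a pool size, it returns the assignable addresses and rejects a pool that leaves the subnet or touches the network or broadcast address. The 50.50.50.0/24 values come from the text above; the pool starts are constructed.

```python
"""Validate a DHCP address pool against the interface's subnet (added example)."""
import ipaddress


def dhcp_pool(interface_cidr, pool_start, pool_size):
    """Return the addresses the pool may hand out, or raise ValueError.

    The pool must stay inside the subnet defined by the interface address and mask,
    and it may not contain the network address or the broadcast address.
    """
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network
    first = ipaddress.ip_address(pool_start)
    if first.version != net.version:
        raise ValueError("pool start and interface address must be the same IP version")
    if pool_size < 1:
        raise ValueError("pool size must be at least 1")
    reserved = {net.network_address, net.broadcast_address}
    addresses = [first + i for i in range(pool_size)]
    for addr in addresses:
        if addr not in net:
            raise ValueError(f"{addr} is outside {net}")
        if addr in reserved:
            raise ValueError(f"{addr} is the network or broadcast address of {net}")
    return addresses


def pool_is_valid(interface_cidr, pool_start, pool_size):
    try:
        dhcp_pool(interface_cidr, pool_start, pool_size)
        return True
    except ValueError:
        return False


def max_pool_size(interface_cidr, pool_start):
    """Largest pool that can start at pool_start without reaching the broadcast address."""
    net = ipaddress.ip_interface(interface_cidr).network
    first = ipaddress.ip_address(pool_start)
    if first not in net or first == net.network_address:
        return 0
    return int(net.broadcast_address) - int(first)


if __name__ == "__main__":
    print(max_pool_size("50.50.50.1/24", "50.50.50.100"))      # 155
    print(pool_is_valid("50.50.50.1/24", "50.50.50.254", 2))  # False: would include 50.50.50.255
```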
Chapter 10 Interface 10.1.6 Relationships Between Interfaces In the ZyWALL, interfaces are usually created on top of other interfaces. Only Ethernet interfaces are created directly on top of the physical ports (or port groups). The relationships between interfaces are explained in the following table. Table 47 Relationships Between Different Types of Interfaces INTERFACE auxiliary interface...
In addition, you use Ethernet interfaces to control which physical ports exchange routing information with other routers and how much information is exchanged through each one. The more routing information is exchanged, the more efficient the routers should be. However, the routers also generate more network traffic, and some routing protocols require a significant amount of configuration and management.
Chapter 10 Interface Figure 123 Network > Interface > Interface Summary Each field is described in the following table. Table 48 Network > Interface > Interface Summary LABEL DESCRIPTION Interface If an Ethernet interface does not have any physical ports associated with it, its entry Summary is displayed in light gray text.
Table 48 Network > Interface > Interface Summary (continued) LABEL DESCRIPTION Status This field displays the current status of each interface. The possible values depend on what type of interface it is. For port groups: Inactive - The port group is disabled. Port Group Down - The port group is enabled but not connected.
Chapter 10 Interface Table 48 Network > Interface > Interface Summary (continued) LABEL DESCRIPTION Interface This table provides packet statistics for each interface. Statistics Name This field displays the name of each interface. If there is a Expand icon (plus-sign) next to the name, click this to look at the statistics for virtual interfaces on top of this interface.
Each field is described in the following table. Table 49 Network > Interface > Ethernet LABEL DESCRIPTION This field is a sequential value, and it is not associated with any interface. Name This field displays the name of the interface. IP Address This field displays the current IP address of the interface.
Each field is described in the table below. Table 50 Network > Interface > Ethernet > Edit LABEL DESCRIPTION Ethernet Interface Properties Enable Select this to enable this interface. Clear this to disable this interface. Interface Name This field is read-only. This is the name of the Ethernet interface. Description Enter a description of this interface.
Chapter 10 Interface Table 50 Network > Interface > Ethernet > Edit (continued) LABEL Direction Send Version Receive Version V2-Broadcast OSPF Setting Area Priority Link Cost Passive Interface Authentication Text Authentication Authentication Authentication DHCP Settings DHCP Relay Server 1 DESCRIPTION This field is effective when RIP is enabled.
Table 50 Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Relay Server 2 This field is optional. Enter the IP address of another DHCP server for the network. These fields appear if the ZyWALL is a DHCP Server. IP Pool Start Enter the IP address from which the ZyWALL begins allocating IP addresses.
Chapter 10 Interface Table 50 Network > Interface > Ethernet > Edit (continued) LABEL Edit static DHCP table Ping Check Enable Check Period Check Timeout Check Fail Tolerance Ping Default Gateway Ping this address 10.3 Port Grouping This section introduces port groups and then explains the screen for port groups. 10.3.1 Port Grouping Overview Use port grouping to create port groups and to assign physical ports and port groups to Ethernet interfaces.
Each physical port is assigned to one Ethernet interface. In port grouping, the Ethernet interfaces are called representative interfaces. If you assign more than one physical port to a representative interface, you create a port group. Port groups have the following characteristics: •...
Figure 130 Example: Before VLAN In this example, there are two physical networks and three departments A, B, and C. The physical networks are connected to hubs, and the hubs are connected to the router. Alternatively, you can divide the physical networks into three VLANs. Figure 131 Example: After VLAN Each VLAN is a separate network with separate IP addresses, subnet masks, and gateways.
Chapter 10 Interface • Better manageability - You can align network policies more appropriately for users. For example, you can create different content filtering rules for each VLAN (each department in the example above), and you can set different bandwidth limits for each VLAN. These rules are also independent of the physical network, so you can change the physical network without changing policies.
Table 52 Network > Interface > VLAN (continued) LABEL DESCRIPTION Port/VID For VLAN interfaces, this field displays • • For virtual interfaces, this field is blank. IP Address This field displays the current IP address of the interface. If the IP address is 0.0.0.0, the interface does not have an IP address yet.
Each field is explained in the following table. Table 53 Network > Interface > VLAN > Edit LABEL DESCRIPTION VLAN Interface Properties Enable Select this to enable this interface. Clear this to disable this interface. Interface Name This field is read-only if you are editing the interface. Enter the name of the VLAN interface.
Chapter 10 Interface Table 53 Network > Interface > VLAN > Edit (continued) LABEL DHCP Relay Server 1 Relay Server 2 IP Pool Start Address Pool Size First DNS Server Second DNS Server Third DNS Server First WINS Server, Second WINS Server Lease time DESCRIPTION...
Table 53 Network > Interface > VLAN > Edit (continued) LABEL DESCRIPTION Edit static DHCP Click this if you want the ZyWALL to assign static IP addresses to computers. table The Static DHCP screen appears. Figure 134 Network > Interface > Edit > Edit static DHCP table The ZyWALL checks this table when it assigns IP addresses.
Chapter 10 Interface 10.5.1 Bridge Overview A bridge creates a connection between two or more network segments at the layer-2 (MAC address) level. In the following example, bridge X connects four network segments. When the bridge receives a packet, the bridge records the source MAC address and the port on which it was received in a table.
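The learning behaviour described above, as an added example (not the ZyWALL’s bridge implementation): the bridge records each frame’s source MAC address against the port it arrived on, forwards to a known port, filters when the destination is on the arriving segment, and floods everything else. The port numbers, MAC addresses and the table-size cap are constructed.

```python
"""Learning bridge: source-MAC learning and the forward/flood decision (added example)."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningBridge:
    def __init__(self, ports, max_entries=1024):
        self.ports = list(ports)
        self.max_entries = max_entries   # assumed cap: real bridges have finite table memory
        self.table = {}                  # MAC address -> port it was last seen on

    def receive(self, in_port, src_mac, dst_mac):
        """Return the list of ports the frame is sent out of."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        if src_mac in self.table or len(self.table) < self.max_entries:
            self.table[src_mac] = in_port                     # learn (or refresh) the source
        out_port = self.table.get(dst_mac)
        if dst_mac == BROADCAST or out_port is None:
            return [p for p in self.ports if p != in_port]    # broadcast or unknown: flood
        if out_port == in_port:
            return []                                         # destination is on the arriving segment
        return [out_port]


def run_frames(bridge, frames):
    """frames: [(in_port, src_mac, dst_mac)] -> list of output-port lists, one per frame."""
    return [bridge.receive(*frame) for frame in frames]


if __name__ == "__main__":
    bridge = LearningBridge([1, 2, 3, 4])
    frames = [(1, "A", "B"), (2, "B", "A"), (1, "A", "B"), (1, "C", "A"), (3, "D", BROADCAST)]
    print(run_frames(bridge, frames))   # [[2, 3, 4], [1], [2], [], [1, 2, 4]]
```

The table is keyed by whatever source address a frame claims, which is why MAC spoofing and table flooding work against any learning bridge: a spoofed source moves an entry, and a full table leaves new destinations flooded to every port.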
10.5.2 Bridge Interface Overview A bridge interface creates a software bridge between the members of the bridge interface. It also becomes the ZyWALL’s interface for the resulting network. A bridge interface may consist of the following members: • Zero or one VLAN interfaces (and any associated virtual VLAN interfaces) •...
Chapter 10 Interface Table 57 Network > Interface > Bridge (continued) LABEL IP Address Member Add icon Apply Reset 10.5.4 Bridge Add/Edit This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and ping check for each bridge interface. To access this screen, click the Add icon at the top of the Add column in the Bridge Summary screen, or click an Edit icon in the Bridge Summary screen.
Chapter 10 Interface In this example, you are creating a new bridge. If you are editing a bridge, the Interface Name field is read-only. Each field is described in the table below. Table 58 Network > Interface > Bridge > Edit LABEL Bridge Interface Properties...
Table 58 Network > Interface > Bridge > Edit (continued) LABEL DESCRIPTION Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the ZyWALL divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500.
PPPoE is often used with cable modems and DSL connections. It provides the following advantages: • The access and authentication method works with existing systems, including RADIUS. • You can access one of several network services. This makes it easier for the service provider to offer the service •...
Chapter 10 Interface 10.6.3 PPPoE/PPTP Interface Summary You have to set up an ISP account before you create a PPPoE/PPTP interface. This screen lists every PPPoE/PPTP interface. To access this screen, click Network > Interface > PPPoE/PPTP. Figure 139 Network > Interface > PPPoE/PPTP Each field is described in the table below.
10.6.4 PPPoE/PPTP Interface Add/Edit You have to set up an ISP account before you create a PPPoE/PPTP interface. This screen lets you configure new or existing PPPoE/PPTP interfaces. To access this screen, click the Add icon or an Edit icon in the PPPoE/PPTP Interface Summary screen. Figure 140 Network >...
Chapter 10 Interface Each field is explained in the following table. Table 60 Network > Interface > PPPoE/PPTP > Edit LABEL PPP Interface Properties Enable Interface Name Nail_Up Dial-on-Demand Description Base Interface Account Profile Protocol User Name Service Name IP Address Assignment Automatically Use Fixed IP...
Table 60 Network > Interface > PPPoE/PPTP > Edit (continued) LABEL DESCRIPTION Ping Check The interface can regularly ping the gateway you specified to make sure it is still available. You specify how often the interface pings the gateway, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the ZyWALL stops routing to the gateway.
Chapter 10 Interface Figure 141 Network > Interface > Auxiliary Each field is described in the table below. Table 61 Network > Interface > Auxiliary LABEL Auxiliary Interface Properties Enable Description Port Speed Dialing Type Initial String Auxiliary Configuration Phone Number User Name Password Retype to...
Table 61 Network > Interface > Auxiliary (continued) LABEL DESCRIPTION Authentication Select the authentication protocol to use for outgoing calls. Choices are: Type CHAP/PAP - Your ZyWALL accepts either CHAP or PAP, as requested by the computer you are dialing. CHAP - Your ZyWALL accepts CHAP only.
Chapter 10 Interface Figure 142 Network > Interface > Add Each field is described in the table below. Table 62 Network > Interface > Add LABEL Virtual Interface Properties Interface Name Description IP Address Assignment IP Address Subnet Mask Gateway Metric Interface Properties Upstream...
Chapter 11 Trunks This chapter shows you how to configure trunks on your ZyWALL. See for related information on these screens. 11.1 Trunks Overview You can group multiple interfaces together into trunks to have multiple connections share the traffic load to increase overall network throughput and enhance network reliability.
Chapter 11 Trunks Maybe you have two connections with different bandwidths. For jitter-sensitive traffic (like video for example), you could set up a trunk group that uses spillover or weighted round robin load balancing to make sure that most of the jitter-sensitive traffic goes through the higher- bandwidth interface.
11.4.2 Weighted Round Robin Round Robin scheduling services queues on a rotating basis and is activated only when an interface has more traffic than it can handle. A queue is given an amount of bandwidth irrespective of the incoming traffic on that interface. This queue then moves to the back of the list.
Chapter 11 Trunks Figure 145 Spillover Algorithm Example 11.5 Trunk Summary Click Network > Interface > Trunk to open the Trunk screen. This screen lists the configured trunks and the load balancing algorithm that each is configured to use. Figure 146 Network > Interface > Trunk The following table describes the items in this screen.
Figure 147 Network > Interface > Trunk > Edit Each field is described in the table below. Table 65 Network > Interface > Trunk > Edit LABEL DESCRIPTION Name Enter a descriptive name for this trunk. You may use 1-31 alphanumeric characters and underscores (_). This value is case-sensitive.
Chapter 11 Trunks Table 65 Network > Interface > Trunk > Edit (continued) LABEL DESCRIPTION Spillover This field displays with the spillover load balancing algorithm. Specify the maximum bandwidth of traffic in kilobits per second (1~1048576) to send out through the interface before using another interface.
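The two algorithms described in Sections 11.4.2 and 11.4.3 and configured in Table 65, as an added example (not the ZyWALL’s scheduler): weighted round robin hands new flows to members in proportion to their weights, and spillover fills the first member up to its configured kilobit-per-second limit before moving to the next. The interface names, weights, limits and flow sizes are constructed; what happens once every member is at its limit is an assumption, stated in the code.

```python
"""Trunk load balancing: weighted round robin and spillover (added example)."""
from itertools import cycle


class WeightedRoundRobin:
    """Hands out members in proportion to their weights, e.g. ge3:3, ge2:1 for a 1536/512 kbps pair."""

    def __init__(self, weights):
        if not weights or any(w <= 0 for w in weights.values()):
            raise ValueError("every member needs a positive weight")
        self._ring = cycle([name for name, w in weights.items() for _ in range(w)])

    def select(self, flow_kbps=0):
        return next(self._ring)        # flow size does not influence WRR


class Spillover:
    """Fills members in order; a flow moves on when the current member would exceed its limit."""

    def __init__(self, limits):
        self.limits = list(limits)     # ordered [(name, max_kbps)] as in the Spillover field
        self.load = {name: 0 for name, _ in self.limits}

    def select(self, flow_kbps):
        for name, max_kbps in self.limits:
            if self.load[name] + flow_kbps <= max_kbps:
                self.load[name] += flow_kbps
                return name
        name = self.limits[-1][0]      # all members full: overload the last one (assumption)
        self.load[name] += flow_kbps
        return name

    def release(self, name, flow_kbps):
        """Account for a flow ending so the member's capacity becomes available again."""
        self.load[name] = max(0, self.load[name] - flow_kbps)


def assign_flows(balancer, flows_kbps):
    """Return the member chosen for each flow, in order."""
    return [balancer.select(kbps) for kbps in flows_kbps]


if __name__ == "__main__":
    print(assign_flows(WeightedRoundRobin({"ge3": 3, "ge2": 1}), [0] * 8))
    print(assign_flows(Spillover([("ge3", 1024), ("ge2", 512)]), [400, 400, 400, 400]))
```

With the constructed limits, the third 400 kbps flow spills to ge2 because ge3 would go to 1200 kbps; the fourth finds both members short of room and lands on the last member under the stated assumption. Whatever a real trunk does in that case, the point of the threshold is that the higher-bandwidth member absorbs traffic first, which is the behaviour Section 11.1 recommends for jitter-sensitive traffic.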
Chapter 12 Policy and Static Routes This chapter shows you how to configure policies for IP routing and static routes on your ZyWALL. See Section 5.4.10 on page 117 for related information on these screens. 12.1 Policy Route Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet.
Chapter 12 Policy and Static Routes IPPR follows the existing packet filtering facility of RAS in style and in implementation. 12.2.1 NAT and SNAT NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address in a packet in one network to a different IP address in another network.
Figure 148 Trigger Port Forwarding Example 12.2.3 Maximize Bandwidth Usage The maximize bandwidth usage option allows the ZyWALL to divide up any available bandwidth on the interface (including unallocated bandwidth and any allocated bandwidth that a policy route is not using) among the policy routes that require more bandwidth. When you enable maximize bandwidth usage, the ZyWALL first makes sure that each policy route gets up to its bandwidth allotment.
Chapter 12 Policy and Static Routes Figure 149 Network > Routing > Policy Route The following table describes the labels in this screen. Table 66 Network > Routing > Policy Route LABEL DESCRIPTION Enable BWM This is a global setting for enabling or disabling bandwidth management on the ZyWALL.
Table 66 Network > Routing > Policy Route (continued) LABEL DESCRIPTION Add icon Click the Add icon in the heading row to add a new first entry. The Active icon displays whether the rule is enabled or not. Click the Active icon to activate or deactivate the policy.
Chapter 12 Policy and Static Routes Figure 150 Network > Routing > Policy Route > Edit The following table describes the labels in this screen. Table 67 Network > Routing > Policy Route > Edit LABEL DESCRIPTION Configuration Enable Select this to activate the policy. Description Enter a descriptive name of up to 31 printable ASCII characters for the policy.
Table 67 Network > Routing > Policy Route > Edit (continued) LABEL DESCRIPTION Type Select Auto to have the ZyWALL use the routing table to find a next-hop and forward the matched packets automatically. Select Gateway to route the matched packets to the next-hop router or switch you specified in the Gateway field.
Chapter 12 Policy and Static Routes Table 67 Network > Routing > Policy Route > Edit (continued) LABEL DESCRIPTION Bandwidth This allows you to allocate bandwidth to a route and prioritize traffic that matches Shaping the routing policy. You must also enable bandwidth management in the main policy route screen (Network >...
12.6 Static Route Summary Click Network > Routing > Static Route to open the Static Route screen. Figure 152 Network > Routing > Static Route The following table describes the labels in this screen. Table 68 Network > Routing > Static Route LABEL DESCRIPTION This is the number of an individual static route.
Chapter 12 Policy and Static Routes The following table describes the labels in this screen. Table 69 Network > Routing > Static Route > Edit LABEL DESCRIPTION Destination IP This parameter specifies the IP network address of the final destination. Routing is always based on network number.
Chapter 13 Routing Protocols This chapter describes how to set up RIP and OSPF routing protocol settings for the ZyWALL. First, it provides an overview of RIP and OSPF, and, then, it introduces the RIP and OSPF screens used to configure routing protocols. See information on these screens.
Chapter 13 Routing Protocols RIP uses UDP port 520. 13.1.2 Authentication Types Authentication guarantees the integrity, but not the confidentiality, of routing updates: a receiving router can check that an update came from a peer holding the shared key and was not modified in transit, but anyone on the segment can still read the routes it carries. With Text (simple password) authentication the password travels in the update in clear text, so it only guards against accidental misconfiguration, not against an attacker on the link. With MD5 authentication nothing is encrypted; the transmitting router computes an MD5 digest over the update together with the shared key and sends that digest along with the update. The receiving router recomputes the digest with its own copy of the key and discards the update if the two digests differ.
Figure 154 Network > Routing > RIP The following table describes the labels in this screen. Table 71 Network > Routing Protocol > RIP LABEL DESCRIPTION Authentication Authentication Select the authentication method used in the RIP network. Choices are: None, Text, and MD5.
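The following Python is an added example, not code from the ZyWALL manual or from ZyXEL, modelling the Text and MD5 choices above to show what each does and does not protect. The packet layout follows RIPv2 (RFC 2453) for the simple-password entry and RFC 2082 for the keyed-MD5 entry and trailer, with the digest computed over the update followed by the 16-byte padded key; the key, routes and sequence numbers are constructed for the example. It shows that the keyed digest rejects a modified metric, a wrong key and a replayed sequence number, while the route contents stay readable in both modes and the Text password can be lifted straight out of the packet.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed values for the example; nothing here comes from the manual.
RIP_RESPONSE, RIP_V2 = 2, 2
AUTH_TEXT, AUTH_MD5, AUTH_TRAILER = 2, 3, 1        # RFC 2453 / RFC 2082 auth type codes
KEY = b"rip-md5-key"                                # shared key, padded to 16 bytes on use
ROUTES = [("10.10.0.0/16", "0.0.0.0", 1), ("192.168.50.0/24", "0.0.0.0", 3)]


def _entry(prefix: str, next_hop: str, metric: int) -> bytes:
    """One RIPv2 route entry: AFI 2 (IP), route tag 0, prefix, mask, next hop, metric."""
    net = ipaddress.ip_network(prefix)
    return struct.pack("!HH4s4s4sI", 2, 0, net.network_address.packed,
                       net.netmask.packed, ipaddress.ip_address(next_hop).packed, metric)


def build_text(password: bytes, routes) -> bytes:
    """Simple-password authentication: the password itself is the first entry, in clear."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    auth = struct.pack("!HH16s", 0xFFFF, AUTH_TEXT, password.ljust(16, b"\x00"))
    return header + auth + b"".join(_entry(*r) for r in routes)


def build_md5(key: bytes, key_id: int, seq: int, routes) -> bytes:
    """Keyed-MD5 authentication: digest over the whole update with the padded key appended."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    body = b"".join(_entry(*r) for r in routes)
    pkt_len = 4 + 20 + len(body)                    # offset of the trailer
    auth = struct.pack("!HHHBBI8s", 0xFFFF, AUTH_MD5, pkt_len, key_id, 16, seq, b"\x00" * 8)
    trailer = struct.pack("!HH", 0xFFFF, AUTH_TRAILER)
    unsigned = header + auth + body + trailer
    digest = hashlib.md5(unsigned + key.ljust(16, b"\x00")).digest()
    return unsigned + digest


def verify_md5(key: bytes, packet: bytes, last_seq: int = -1) -> bool:
    """Receiver side: check lengths, reject stale sequence numbers, recompute the digest."""
    if len(packet) < 44:
        return False
    afi, atype, pkt_len, _key_id, alen, seq = struct.unpack("!HHHBBI", packet[4:16])
    if afi != 0xFFFF or atype != AUTH_MD5 or alen != 16 or pkt_len + 20 != len(packet):
        return False
    if seq <= last_seq:                             # replayed or out-of-order update
        return False
    unsigned, digest = packet[:-16], packet[-16:]
    expected = hashlib.md5(unsigned + key.ljust(16, b"\x00")).digest()
    return hmac.compare_digest(expected, digest)    # constant-time compare


def routes_in(packet: bytes) -> list:
    """Routes are readable without any key in both modes: authentication is not confidentiality."""
    found = []
    for off in range(4, len(packet) - 19, 20):
        afi, _tag, prefix, _mask, _nh, metric = struct.unpack("!HH4s4s4sI", packet[off:off + 20])
        if afi == 2:
            found.append((str(ipaddress.ip_address(prefix)), metric))
    return found


def text_password(packet: bytes) -> bytes:
    """What a sniffer on the segment sees when Text authentication is used."""
    afi, atype, password = struct.unpack("!HH16s", packet[4:24])
    return password.rstrip(b"\x00") if (afi, atype) == (0xFFFF, AUTH_TEXT) else b""


def tamper_metric(packet: bytes, new_metric: int) -> bytes:
    """On-path change of the first route's metric (bytes 40-43) without touching the digest."""
    return packet[:40] + struct.pack("!I", new_metric) + packet[44:]


def demo() -> dict:
    good = build_md5(KEY, 1, 100, ROUTES)
    return {
        "valid": verify_md5(KEY, good),
        "tampered": verify_md5(KEY, tamper_metric(good, 16)),   # 16 = unreachable in RIP
        "replayed": verify_md5(KEY, good, last_seq=100),
        "wrong_key": verify_md5(b"guess", good),
        "text_password": text_password(build_text(b"zyxel", ROUTES)),
        "md5_routes_readable": routes_in(good),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20} {value}")
```

Treat Text as no authentication wherever the segment is not fully trusted; use MD5 with a key that is not shared with routers of a different trust level, and change it when a router leaves the routing domain, since every holder of the key can originate valid updates.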
Chapter 13 Routing Protocols • OSPF filters and summarizes routing information, which reduces the size of routing tables throughout the network. • OSPF responds to changes in the network, such as the loss of a router, more quickly. • OSPF calculates the shortest path from a cost assigned to each link (typically derived from the interface bandwidth) rather than from hop count alone, so a path over fewer, slower links is not automatically preferred.
This OSPF AS consists of four areas, areas 0-3. Area 0 is always the backbone. In this example, areas 1, 2, and 3 are all connected to it. Area 1 is a normal area. It has routing information about the OSPF AS and networks X and Y. Area 2 is a stub area. It has routing information about the OSPF AS, but it depends on a default route to send information to networks X and Y.
Chapter 13 Routing Protocols Figure 156 OSPF: Types of Routers In order to reduce the amount of traffic between routers, a group of routers that are directly connected to each other selects a designated router (DR) and a backup designated router (BDR).
2 Set up the OSPF areas. 3 Configure the appropriate interfaces. See 4 Set up virtual links, as needed. 13.4 OSPF Screens The OSPF screens are used to specify the ID the ZyWALL uses in the OSPF AS and to maintain the policies for redistribution.
Chapter 13 Routing Protocols Table 73 Network > Routing Protocol > OSPF (continued) LABEL Active Route Type Metric Area Area Type Authentication Add icon 13.4.2 OSPF Area Add/Edit The OSPF Area Add/Edit screen allows you to create a new area or edit an existing one. To access this screen, go to the OSPF summary screen (see click either the Add icon or an Edit icon.
Figure 159 Network > Routing > OSPF > Edit The following table describes the labels in this screen. Table 74 Network > Routing > OSPF > Edit LABEL DESCRIPTION Area ID Type the unique, 32-bit identifier for the area in IP address format. Type This field displays the type of area.
Chapter 13 Routing Protocols Table 74 Network > Routing > OSPF > Edit (continued) LABEL DESCRIPTION Text This field is available if the Authentication is Text. Type the password for text Authentication authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to 8 characters long.
Chapter 14 Zones Set up zones to configure network security and network policies in the ZyWALL. See 5.4.7 on page 116 for related information on these screens. 14.1 Zones Overview A zone is a group of interfaces and VPN tunnels. The ZyWALL uses zones, not interfaces, in many security and policy settings, such as firewall rules and remote management.
Chapter 14 Zones Intra-zone traffic is traffic between interfaces or VPN tunnels in the same zone. For each zone, you can either allow or prohibit all intra-zone traffic. For example, in Figure 160 on page 245, you might allow intra-zone traffic in the LAN2 zone but prohibit it in the WAN zone.
14.3 Zone Add/Edit The Zone Add/Edit screen allows you to define a zone or edit an existing one. To access this screen, go to the Zone screen (see an Edit icon. Figure 162 Network > Zone > Edit The following table describes the labels in this screen. Table 76 Network >...
Chapter 15 DDNS This chapter describes how to configure dynamic DNS (DDNS) services for the ZyWALL. First, it provides an overview, and then it introduces the screens. See for related information on these screens. 15.1 DDNS Overview DNS maps a domain name to a corresponding IP address and vice versa.
Chapter 15 DDNS 15.1.2 High Availability (HA) The DDNS server maps a domain name to the IP address of one of the ZyWALL’s WAN ports. If that WAN port loses its connection, high availability allows the ZyWALL to substitute the HA port’s IP address in the domain name mapping. 15.1.3 Mail Exchanger DynDNS can route e-mail for your domain name to a specified mail server.
15.3 DDNS Summary The DDNS screen provides a summary of all DDNS domain names and their configuration. In addition, this screen allows you to add new domain names, edit the configuration for existing domain names, and delete domain names. To access this screen, login to the web configurator. When the main screen appears, click Network >...
Chapter 15 DDNS 15.4 Dynamic DNS Add/Edit The DDNS Add/Edit screen allows you to add a domain name to the ZyWALL or to edit the configuration of an existing domain name. To access this screen, click Network > DDNS, and click either the Add icon or an Edit icon.
Table 78 Network > DDNS > Edit (continued) LABEL DESCRIPTION HA Interface This field is only available when the IP Address Update Policy is Interface. Select the alternative WAN interface to map to the domain name when the WAN interface is not available.
Chapter 16 Virtual Servers This chapter describes how to set up, manage, and remove virtual servers. First, it provides an overview of virtual servers, and, then, it introduces the virtual server screens and commands. Section 5.4.18 on page 121 16.1 Virtual Server Overview Virtual server is also known as port forwarding or port translation.
Chapter 16 Virtual Servers The ZyWALL checks virtual servers before it applies to-ZyWALL firewall rules, so to- ZyWALL firewall rules do not apply to traffic that is forwarded by virtual servers. The ZyWALL still checks regular (through-ZyWALL) firewall rules according to the source IP address and mapped IP address.
Figure 166 Network > Virtual Server The following table describes the labels in this screen. See for more information as well. Table 79 Network > Virtual Server LABEL DESCRIPTION Total Virtual This is how many virtual server entries are configured in the ZyWALL. Servers entries per page Select how many virtual server entries to display per page in the screen.
Chapter 16 Virtual Servers 16.4.1 Virtual Server Add/Edit The Virtual Server Add/Edit screen lets you create new virtual servers and edit existing ones. To open this window, open the Virtual Server summary screen. (See page 256.) Then, click on an Add icon or Edit icon to open the following screen. If the virtual server will send traffic to the clients, you need to create a corresponding policy route.
Table 80 Network > Virtual Server > Edit (continued) LABEL DESCRIPTION User Defined This field is available if Original IP is User Defined. Type the destination IP address that this virtual server supports. Mapped IP Type the translated destination IP address, if this virtual server forwards the packet. Mapping Type Use the drop-down list box to select how many original destination ports this virtual server supports for the selected destination IP address (Original IP).
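The Mapping Type choice above decides how many original destination ports one entry covers. The following Python is an added example, not ZyWALL code, of the translation step a virtual server performs before the firewall sees the packet. The rule table, addresses and ports are constructed for illustration (203.0.113.10 stands in for the WAN address), and the three shapes shown are one port to one port, a port range collapsed onto one port, and a port range mapped onto an equal-sized range with the offset preserved. Entries are checked in list order and the first match wins.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VirtualServer:
    """One virtual server (port forwarding) entry. Field names mirror the screen labels;
    the values used below are constructed for this example."""
    original_ip: str                 # WAN address the packet is sent to, or "any"
    mapped_ip: str                   # internal host that receives the packet
    protocol: str                    # "tcp", "udp" or "any"
    original_ports: Tuple[int, int]  # inclusive range; (p, p) for a single port
    mapped_ports: Tuple[int, int]    # inclusive range; (q, q) collapses onto one port


def translate(rules: List[VirtualServer], dst_ip: str, dst_port: int,
              protocol: str) -> Optional[Tuple[str, int]]:
    """Return (mapped_ip, mapped_port) for the first matching entry, or None.

    Mapping shapes handled:
      one port -> one port      (443 -> 443)
      range    -> one port      (6000-6010 -> 22)
      range    -> equal range   (10000-10010 -> 20000-20010, offset preserved)
    """
    for rule in rules:
        if rule.original_ip not in ("any", dst_ip):
            continue
        if rule.protocol not in ("any", protocol):
            continue
        lo, hi = rule.original_ports
        if not lo <= dst_port <= hi:
            continue
        mlo, mhi = rule.mapped_ports
        if mlo == mhi:                           # many-to-one: every original port lands on one port
            return rule.mapped_ip, mlo
        if mhi - mlo != hi - lo:                 # range-to-range must be the same size
            raise ValueError(f"mapped range {mlo}-{mhi} does not match original {lo}-{hi}")
        return rule.mapped_ip, mlo + (dst_port - lo)
    return None                                  # not virtual server traffic: destination unchanged


# Constructed table; the WAN address and internal hosts are placeholders.
RULES = [
    VirtualServer("203.0.113.10", "192.168.1.20", "tcp", (443, 443), (443, 443)),
    VirtualServer("203.0.113.10", "192.168.1.30", "tcp", (6000, 6010), (22, 22)),
    VirtualServer("any", "192.168.1.40", "udp", (10000, 10010), (20000, 20010)),
]


def forward(dst_ip: str, dst_port: int, protocol: str) -> Tuple[str, int]:
    """Destination after the virtual server step; unchanged when no entry matched."""
    return translate(RULES, dst_ip, dst_port, protocol) or (dst_ip, dst_port)


if __name__ == "__main__":
    for pkt in [("203.0.113.10", 443, "tcp"), ("203.0.113.10", 6007, "tcp"),
                ("203.0.113.10", 10003, "udp"), ("203.0.113.10", 25, "tcp")]:
        print(pkt, "->", forward(*pkt))
```

Because the translation happens before the through-ZyWALL firewall rules are checked, the firewall rule that permits this traffic must name the mapped address (192.168.1.20 and so on in this example) as its destination, not the WAN address the client connected to; a rule written against the WAN address never matches.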
Chapter 17 HTTP Redirect This chapter shows you how to configure HTTP redirection on your ZyWALL. See 5.4.19 on page 121 for related information on these screens. 17.1 HTTP Redirect Overview HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the ZyWALL) to a web proxy server.
Chapter 17 HTTP Redirect Figure 168 HTTP Redirect Example In the example, proxy server A is connected to ge4 in the DMZ zone. When a client connected to ge1 wants to open a web page, its HTTP request is redirected to proxy server A first. If proxy server A does not have the page in its cache, a policy route allows it to reach the Internet and fetch the page from the origin server.
Figure 169 Network > HTTP Redirect The following table describes the labels in this screen. Table 81 Network > HTTP Redirect LABEL DESCRIPTION Name This is the descriptive name (up to 31 printable characters) of a rule. Interface This is the interface on which the request must be received. Proxy Server This is the IP address of the proxy server.
Chapter 17 HTTP Redirect Table 82 Network > HTTP Redirect > Edit (continued) LABEL DESCRIPTION Interface Select the interface on which the HTTP request must be received for the ZyWALL to forward it to the specified proxy server. Proxy Server Enter the IP address of the proxy server.
Chapter 18 ALG This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to pass through the ZyWALL. See screens. 18.1 ALG Introduction The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT-unfriendly applications (such as SIP, which carries IP addresses and ports inside its payload) to operate properly through the ZyWALL’s NAT.
Chapter 18 ALG You could also have a trunk with one interface set to active and a second interface set to passive. The ZyWALL does not automatically change ALG-managed connections to the second (passive) interface when the active interface’s connection goes down. When the active interface’s connection fails, the client needs to re-initialize the connection through the second interface (that was set to passive) in order to have the connection go through the second interface.
Figure 171 H.323 ALG Example 18.1.6 SIP The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet. SIP is used in VoIP (Voice over IP), the sending of voice signals over the Internet Protocol.
Chapter 18 ALG 18.1.6.2 SIP Signaling Session Timeout Most SIP clients have an “expire” mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL. If the SIP client does not have this mechanism and makes no calls during the ZyWALL SIP timeout, the ZyWALL SIP ALG deletes the signaling session after the timeout period.
For example, you configure firewall and virtual server rules to allow LAN IP address A to receive calls through public WAN IP address 1. You configure different firewall and port forwarding rules to allow LAN IP address B to receive calls through public WAN IP address 2.
Chapter 18 ALG The following table describes the labels in this screen. Table 83 Network > ALG LABEL DESCRIPTION Enable SIP SIP is a signaling protocol used in VoIP (Voice over IP), the sending of voice signals Transformations over Internet Protocol. Turn on the SIP ALG to allow SIP sessions to pass through the ZyWALL.
18.4 WAN to LAN H.323 Peer-to-peer Calls Example This example shows how to configure firewall and virtual server (port forwarding) rules to allow H.323 calls to come in through WAN IP address 10.0.0.8 to computer A at IP address 192.168.1.56 on the LAN. Figure 176 WAN to LAN H.323 Peer-to-peer Calls Example Configure the virtual server policy first to forward H.323 (TCP port 1720) traffic received on the ZyWALL’s 10.0.0.8 WAN IP address to LAN IP address 192.168.1.56.
Chapter 18 ALG Figure 178 Firewall > WAN to LAN 5 Configure the screen as follows. For the Destination, select Create Object. Figure 179 Firewall > WAN > LAN > Add 6 Configure an address object for the ZyWALL’s 10.0.0.8 WAN IP address as follows and click OK.
Chapter 19 Firewall This chapter introduces the ZyWALL’s firewall and shows you how to configure your ZyWALL’s firewall. See 19.1 Firewall Overview The ZyWALL’s firewall is a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It also tracks sessions: for example, reply traffic from one zone into another is allowed only when a computer in the destination zone initiated the session first.
Chapter 19 Firewall Your customized rules take precedence and override the ZyWALL’s default settings. The ZyWALL checks the schedule, user name (user’s login name on the ZyWALL), source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them).
The following table explains the default firewall rules for traffic going through the ZyWALL. Section 19.2.1.2 on page 279 ZyWALL itself. Table 84 Default Firewall Rules FROM ZONE TO ZONE From LAN to LAN From LAN to WAN From LAN to DMZ From WAN to LAN From WAN to WAN From WAN to DMZ...
Chapter 19 Firewall The ZyWALL checks the firewall rules before the service control rules for traffic destined for the ZyWALL. You can configure a to-ZyWALL firewall rule (with From Any To ZyWALL direction) for traffic from an interface which is not in a zone. 19.2.2 Firewall and VPN Traffic After you create a VPN tunnel and apply it to a zone, you can set the firewall rules applied to VPN traffic.
Your firewall would have the following configuration. Table 85 Blocking All LAN to WAN IRC Traffic Example USER SOURCE Default • The first row blocks LAN access to the IRC service on the WAN. • The second row is the firewall’s default policy that allows all traffic from the LAN to go to the WAN.
Chapter 19 Firewall Your firewall would have the following configuration. Table 86 Limited LAN to WAN IRC Traffic Example 1 USER Default • The first row allows the LAN computer at IP address 192.168.1.7 to access the IRC service on the WAN. •...
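Tables 85 and 86 only make sense because the ZyWALL checks rules in the order listed and stops at the first match. The following Python is an added example, not ZyWALL code, that evaluates a rule list the same way so the ordering effect can be seen on sample traffic. The IRC service object, the WAN address 198.51.100.9 and the LAN hosts other than 192.168.1.7 are constructed; the page shows only the first row of Table 86, so rows two and three below (deny IRC for every other LAN host, then the default allow) are my reading of its stated intent. The last table is the same three rows with the deny moved above the allow, which silently defeats the exception for 192.168.1.7.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Service = Tuple[str, Optional[int]]       # (protocol, destination port); ("any", None) matches all
ANY: Service = ("any", None)
IRC: Service = ("tcp", 6667)              # constructed IRC service object


@dataclass(frozen=True)
class Rule:
    """A through-ZyWALL firewall rule. "any" in an address field matches every address."""
    from_zone: str
    to_zone: str
    source: str          # "any", a host address or a CIDR network
    destination: str
    service: Service
    action: str          # "allow" or "deny"
    user: str = "any"    # login name the rule is restricted to


def _addr_matches(pattern: str, ip: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def _service_matches(service: Service, proto: str, dport: int) -> bool:
    return service[0] == "any" or service == (proto, dport)


def evaluate(rules: List[Rule], from_zone: str, to_zone: str, src: str, dst: str,
             proto: str, dport: int, user: str = "") -> Tuple[str, Optional[int]]:
    """Walk the rules in listed order; the first rule matching every field decides.

    Returns (action, index). The index tells you which row fired, which is the
    question to ask when a rule lower in the list never seems to take effect."""
    for i, rule in enumerate(rules):
        if (rule.from_zone, rule.to_zone) != (from_zone, to_zone):
            continue
        if rule.user != "any" and rule.user != user:
            continue
        if not (_addr_matches(rule.source, src) and _addr_matches(rule.destination, dst)):
            continue
        if not _service_matches(rule.service, proto, dport):
            continue
        return rule.action, i
    return "deny", None      # nothing matched (cannot happen while the default row is present)


# Table 85: block all LAN-to-WAN IRC, then the default LAN-to-WAN allow.
TABLE_85 = [
    Rule("LAN", "WAN", "any", "any", IRC, "deny"),
    Rule("LAN", "WAN", "any", "any", ANY, "allow"),
]

# Table 86: one host may use IRC; rows 2 and 3 are reconstructed from the stated intent.
TABLE_86 = [
    Rule("LAN", "WAN", "192.168.1.7", "any", IRC, "allow"),
    Rule("LAN", "WAN", "any", "any", IRC, "deny"),
    Rule("LAN", "WAN", "any", "any", ANY, "allow"),
]

# Same rows, deny listed above the allow: the exception for 192.168.1.7 can never fire.
TABLE_86_MISORDERED = [TABLE_86[1], TABLE_86[0], TABLE_86[2]]


def lan_to_wan(rules: List[Rule], src: str, dport: int, proto: str = "tcp") -> str:
    """Decision for a LAN host talking to a constructed WAN address."""
    return evaluate(rules, "LAN", "WAN", src, "198.51.100.9", proto, dport)[0]


if __name__ == "__main__":
    print("Table 85, IRC from .20     :", lan_to_wan(TABLE_85, "192.168.1.20", 6667))
    print("Table 85, HTTPS from .20   :", lan_to_wan(TABLE_85, "192.168.1.20", 443))
    print("Table 86, IRC from .7      :", lan_to_wan(TABLE_86, "192.168.1.7", 6667))
    print("Table 86, IRC from .20     :", lan_to_wan(TABLE_86, "192.168.1.20", 6667))
    print("misordered, IRC from .7    :", lan_to_wan(TABLE_86_MISORDERED, "192.168.1.7", 6667))
```

When a rule does not appear to work, read the list from the top and find the first row that matches the packet; with the ZyWALL, as with this model, that row is the only one that was ever consulted.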
You can have the ZyWALL permit the use of asymmetrical route topology on the network (not reset the connection). Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets.
Chapter 19 Firewall Figure 186 Firewall The following table describes the labels in this screen. Table 88 Firewall LABEL DESCRIPTION Global Setting Enable Firewall Select this check box to activate the firewall. The ZyWALL performs access control when the firewall is activated. Allow If an alternate gateway on the LAN has an IP address in the same subnet as the Asymmetrical...
Table 88 Firewall (continued) LABEL DESCRIPTION Maximum Use this field to set the highest number of sessions that the ZyWALL will permit a session per host computer with the same IP address to have at one time. When computers use peer to peer applications, such as file sharing applications, they may use a large number of NAT sessions.
Chapter 19 Firewall Table 88 Firewall (continued) LABEL DESCRIPTION Add icon Click the Add icon in the heading row to add a new first entry. The Active icon displays whether the rule is enabled or not. Click it to activate or deactivate the rule.
Table 89 Firewall > Edit (continued) LABEL DESCRIPTION Description Enter a descriptive name of up to 60 printable ASCII characters for the firewall rule. Spaces are allowed. Schedule Select a schedule that defines when the rule applies or select Create Object to configure a new one (see none and the rule is always effective.
Chapter 19 Firewall Figure 188 Firewall Example: Select the Traveling Direction of Traffic 2 Select From WAN and To LAN and enter a description. Select Create Object in the Destination drop-down list box. Figure 189 Firewall Example: Edit a Firewall Rule 1 3 The screen for configuring an address object opens.
Figure 190 Firewall Example: Create an Address Object 4 Select Create Object in the Service drop-down list box. 5 The screen for configuring a service object opens. Configure it as follows and click OK. Figure 191 Firewall Example: Create a Service Object 6 Enter the name of the firewall rule.
Chapter 20 IPSec VPN This chapter explains how to set up and maintain IPSec VPNs in the ZyWALL. See 5.4.4 on page 116 for related information on these screens. 20.1 IPSec VPN Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines.
Chapter 20 IPSec VPN Figure 195 VPN: IKE SA and IPSec SA In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks.
Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT. 20.1.1.3 Encapsulation There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is more secure. Transport mode is only used when the IPSec SA is used for communication between the ZyWALL and remote IPSec router (for example, for remote management), not between computers on the local and remote networks.
Chapter 20 IPSec VPN If you enable PFS, the ZyWALL and remote IPSec router perform a DH key exchange every time an IPSec SA is established, changing the root key from which encryption keys are generated. As a result, if one encryption key is compromised, other encryption keys remain secure.
• Source address in outbound packets - this translation is necessary if you want the ZyWALL to route packets from computers outside the local network through the IPSec • Source address in inbound packets - this translation hides the source address of computers in the remote network.
Chapter 20 IPSec VPN • Destination - the original destination address; the local network (A). • SNAT - the translated source address; a different IP address (range of addresses) to hide the original source address. 20.1.2.2.3 Destination Address in Inbound Packets (Inbound Traffic, Destination NAT) You can set up this translation if you want the ZyWALL to forward some packets from the remote network to a specific computer in the local network.
• Make sure the to-ZyWALL firewall rules allow IPSec VPN traffic to the ZyWALL. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. • The ZyWALL supports UDP port 500 and UDP port 4500 for NAT traversal. If you enable this, make sure the to-ZyWALL firewall rules allow UDP port 4500 too.
Chapter 20 IPSec VPN Each field is discussed in the following table. See 20.3.2 on page 298 Table 90 VPN > IPSec VPN > VPN Connection LABEL Name VPN Gateway Encapsulation Algorithm Policy Add icon Apply Reset 20.3.2 VPN Connection Add/Edit IKE The VPN Connection Add/Edit Gateway screen allows you to create a new VPN connection using a VPN gateway (with IKE) or edit an existing VPN connection using a VPN gateway.
Figure 199 VPN > IPSec VPN > VPN Connection > Edit (IKE) Each field is described in the following table. Table 91 VPN > IPSec VPN > VPN Connection > Edit LABEL DESCRIPTION VPN Connection Connection Type the name used to identify this IPSec SA. You may use 1-31 alphanumeric Name characters, underscores( number.
Chapter 20 IPSec VPN Table 91 VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL Active Protocol Encapsulation Proposal Encryption Authentication Add icon SA Life Time (Seconds) Perfect Forward Secrecy (PFS) Policy DESCRIPTION Select which protocol you want to use in the IPSec SA. Choices are: AH (RFC 2402) - provides integrity, data-origin authentication and sequence integrity (replay resistance) but not encryption. Because its integrity check is a keyed hash computed with a key both peers share, it does not provide non-repudiation.
Table 91 VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Policy Select this if you want the ZyWALL to drop traffic whose source and destination Enforcement IP addresses do not match the local and remote policy. This makes the IPSec SA more secure.
Chapter 20 IPSec VPN Table 91 VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL SNAT Destination NAT Original IP Mapped IP Protocol Original Port Mapped Port Add icon Cancel 20.3.3 VPN Connection Add/Edit Manual Key The VPN Connection Add/Edit Manual Key screen allows you to create a new VPN connection or edit an existing one using a manual key.
Figure 200 VPN > IPSec VPN > VPN Connection > Manual Key > Edit The following table describes the labels in this screen. Table 92 VPN > IPSec VPN > VPN Connection > Manual Key > Edit LABEL DESCRIPTION VPN Connection Connection Type the name used to identify this IPSec SA.
Chapter 20 IPSec VPN Table 92 VPN > IPSec VPN > VPN Connection > Manual Key > Edit (continued) LABEL Encapsulation Mode Active Protocol Encryption Algorithm Authentication Algorithm Encryption DESCRIPTION Select which type of encapsulation the IPSec SA uses. Choices are Tunnel - this mode encrypts the IP header information and the data Transport - this mode only encrypts the data.
Table 92 VPN > IPSec VPN > VPN Connection > Manual Key > Edit (continued) LABEL DESCRIPTION Authentication Enter the authentication key, which depends on the authentication algorithm. MD5 - type a unique key 16-20 characters long SHA1 - type a unique key 20 characters long You can use any alphanumeric characters or ,;|`~!@#$%^&*()_+\{}':./<>=-".
Chapter 20 IPSec VPN Table 92 VPN > IPSec VPN > VPN Connection > Manual Key > Edit (continued) LABEL Source NAT Source Destination SNAT Destination Original IP Mapped IP Protocol Original Port Mapped Port Add icon Cancel 20.4 VPN Gateway Screens You use the VPN Gateway summary screen to look at the VPN gateways you have set up, and you use the VPN Gateway Add/Edit screen to create or to edit VPN gateways.
It takes several steps to establish an IKE SA. The negotiation mode determines how many. There are two negotiation modes--main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster. In aggressive mode the peers’ identities are exchanged before the channel is encrypted, and when pre-shared key authentication is used the responder’s hash derived from that key can be captured by anyone on the path and attacked offline with a password list, so prefer main mode (or certificate authentication) whenever the remote peer has a fixed address. Both routers must use the same negotiation mode. These modes are discussed in more detail in in various examples in the rest of this section.
Chapter 20 IPSec VPN Both routers must use the same encryption algorithm, authentication algorithm, and DH key group. In most ZyWALLs, you can select one of the following encryption algorithms for each proposal. The algorithms are listed in order from weakest to strongest. •...
In main mode, the ZyWALL and remote IPSec router authenticate each other in steps 5 and 6, as illustrated below. The identities are also encrypted using the encryption algorithm and encryption key the ZyWALL and remote IPSec router selected in previous steps. Figure 203 IKE SA: Main Negotiation Mode, Steps 5 - 6: Authentication (continued) You have to create (and distribute) a pre-shared key.
Chapter 20 IPSec VPN For example, with the settings in Table 93 on page 312 the ZyWALL and the remote IPSec router authenticate each other successfully, because each side’s peer ID type and content equal the other side’s local ID type and content. In the contrasting configuration that follows it the types or content do not line up, so the ZyWALL and the remote IPSec router cannot authenticate each other and, therefore, cannot establish an IKE SA. Table 93 VPN Example: Matching ID Type and Content ZYWALL Local ID type: E-mail Local ID content: tom@yourcompany.com Peer ID type: IP...
20.4.2.2 VPN, NAT, and NAT Traversal In the following example, there is another router (A) between router X and router Y. Figure 204 VPN/NAT Example If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and router Y try to establish a VPN tunnel, the authentication fails because it depends on this information.
Chapter 20 IPSec VPN • Instead of using the pre-shared key, the ZyWALL and remote IPSec router verify the signature on each other’s certificate. Unlike a pre-shared key, nothing identical has to be configured on both sides: each router only has to trust the certificate (or the CA that issued it) presented by the other. • The local and peer ID type and content come from the certificates. You must set up the certificates for the ZyWALL and remote IPSec router first.
Table 95 VPN > IPSec VPN > VPN Gateway (continued) LABEL DESCRIPTION Add icon This column provides icons to add, edit, and remove VPN gateways, as well as to activate / deactivate VPN gateways. To add a VPN gateway, click the Add icon at the top of the column. The VPN Gateway Add/Edit screen appears.
Chapter 20 IPSec VPN Figure 206 VPN > IPSec VPN > VPN Gateway > Edit Each field is described in the following table. Table 96 VPN > IPSec VPN > VPN Gateway > Edit LABEL VPN Gateway VPN Gateway Name IKE Phase 1 Negotiation Mode...
Table 96 VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION Proposal This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly. Encryption Select which key size and encryption algorithm to use in the IKE SA.
Chapter 20 IPSec VPN Table 96 VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL Secure Gateway Address Authentication Method Pre-Shared Certificate Local ID Type Content DESCRIPTION Type the IP address or the domain name of the remote IPSec router. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic IP address.
Table 96 VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION Peer ID Type Select which type of identification is used to identify the remote IPSec router during authentication. Choices are: IP - the remote IPSec router is identified by an IP address DNS - the remote IPSec router is identified by a domain name E-mail - the remote IPSec router is identified by an e-mail address Any - the ZyWALL does not check the identity of the remote IPSec router...
Chapter 20 IPSec VPN Table 96 VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL Apply Cancel 20.5 VPN Concentrator A VPN concentrator combines several VPN connections into one secure network. on page 318 shows an example of this, as well as one alternative approach. Figure 207 VPN Topologies The VPN concentrator is used in the second approach.
20.5.1 VPN Concentrator Summary You use the VPN Concentrator summary screen to look at the VPN concentrators you have set up. The VPN Concentrator summary screen displays the VPN concentrators in the ZyWALL. To access this screen, click VPN > IPSec VPN > Concentrator. The following screen appears.
Chapter 20 IPSec VPN Each field is described in the following table. Table 98 VPN > IPSec VPN > Concentrator > Edit LABEL Name Member Add icon Cancel 20.6 SA Monitor Screen You can use the SA Monitor screen to display and to manage active IPSec SA. To access this screen, click VPN >...
Figure 211 VPN > IPSec VPN > SA Monitor Each field is described in the following table. Table 99 VPN > IPSec VPN > SA Monitor LABEL DESCRIPTION Name Enter the name of a IPSec SA here and click Search to find it (if it is associated). You can use a keyword or regular expression.
Chapter 20 IPSec VPN 20.6.1 Regular Expressions in Searching IPSec SAs by Name or Policy A question mark (?) lets a single character in the VPN connection or policy name vary. For example, use “a?c” (without the quotation marks) to specify abc, acc and so on. Wildcards (*) let multiple VPN connection or policy names match the pattern.
Chapter 21 SSL VPN This chapter shows you how to set up secure SSL VPN access for remote user login. See Section 5.4.5 on page 116 21.1 SSL Access Policy An SSL access policy allows the ZyWALL to perform the following tasks: •...
Chapter 21 SSL VPN Table 100 Objects (continued) OBJECT OBJECT TYPE SCREEN Server Address Addresses VPN Network Address 21.1.2 SSL Access Policy Limitations You cannot delete an object that is used by an SSL access policy. To delete the object, you must first unassociate the object from the SSL access policy.
21.3 Creating/Editing an SSL Access Policy To create a new or edit an existing SSL access policy, click the Add or Edit icon in the Access Privilege screen. Figure 213 VPN > SSL VPN > Access Privilege > Add/Edit The following table describes the labels in this screen. Table 102 VPN >...
Chapter 21 SSL VPN Table 102 VPN > SSL VPN > Access Privilege > Add/Edit (continued) LABEL User/Group SSL Application List Network Extension Enable Network Extension Assign IP Pool DNS/WINS Server 1..2 Network List Cancel 21.4 SSL Connection Monitor The ZyWALL keeps track of the users who are currently logged into the VPN SSL client portal.
• log out a user and delete related session information. Once a user logs out, the corresponding entry is removed from the Connection Monitor screen. Figure 214 VPN > SSL VPN > Connection Monitor The following table describes the labels in this screen. Table 103 VPN >...
21.5.1 Uploading a Custom Logo Follow the steps below to upload a custom logo on the ZyWALL. 1 Click VPN > SSL VPN and click the Global Setting tab to display the configuration screen. 2 Click Browse to locate the logo graphic. Make sure the file is in GIF format. 3 Click Apply to start the file transfer process.
Chapter 21 SSL VPN Figure 217 SSL VPN Client Portal Screen Example If the user account is not set up for SSL VPN access, an “SSL VPN connection is not activated” message displays in the Login screen. Clear the Login to SSL VPN check box and try logging in again.
Chapter 22 SSL User Screens This chapter introduces secure network access and gives an overview of the remote user screens on the ZyWALL. 22.1 Overview The ZyWALL provides secure connections to network resources such as applications, files, intranet sites or e-mail through a web-based interface and using Microsoft Outlook Web Access (OWA).
Chapter 22 SSL User Screens • Internet Explorer 5.5 and above (for IE7, JRE 1.6 must be enabled) • Netscape 7.2 and above • Firefox 1.0 and above • Mozilla 1.7.3 and above • Sun Java Virtual Machine (JVM) installed with a minimum version of 1.4. •...
Figure 220 Login Security Screen 3 A login screen displays. Enter the user name and password of your login account. If a token password is also required, enter it in the One-Time Password field. 4 Select Log into SSL VPN and click Login to log in and establish an SSL VPN connection to the network to access network resources.
Chapter 22 SSL User Screens Available resource links vary depending on the configuration your network administrator made. 22.3 SSL VPN User Screens This section describes the main elements in the remote user screens. Figure 223 Remote User Screen The following table describes the various parts of a remote user screen. Table 105 Remote User Screen Overview DESCRIPTION Click on a menu tab to go to the Application or File Sharing screen.
22.4 Bookmark You can create a bookmark of the ZyWALL by clicking the Add to Favorite icon. This allows you to access the ZyWALL using the bookmark without having to enter the address every time. 1 In any remote user screen, click the Add to Favorite icon. 2 A screen displays.
Chapter 23 SSL User Application Screens This chapter describes the Application screens you use to access an application on the network through the SSL VPN connection. 23.1 Overview Depending on the configuration of your network administrator, you can use the Application screen to access web-based applications (such as web sites and e-mail).
Chapter 24 SSL User File Sharing Screens This chapter describes the File Sharing screen you use to access files on a file server through the SSL VPN connection. 24.1 Overview Use the File Sharing screen to display and access shared files/folders on a file server. You can also perform the following actions: •...
Chapter 24 SSL User File Sharing Screens Figure 228 File Sharing 24.3 Opening a File or Folder You can open a file if the file extension is recognized by the web browser and the associated application is installed on your computer. 1 Log in as a remote user and click the File Sharing tab.
4 A list of files/folders displays. Click on a file to open it in a separate browser window. You can also click a folder to access it. For this example, click on a .doc file to open the Word document. Figure 230 File Sharing: Open a Word File 24.3.1 Downloading a File You are prompted to download a file which cannot be opened using a web browser.
Chapter 24 SSL User File Sharing Screens Figure 231 File Sharing: Save a Word File 24.4 Creating a New Folder To create a new folder in the file share location, click the New Folder icon. Specify a descriptive name for the folder. You can enter up to 356 characters. Then click Add. Make sure the length of the folder name does not exceed the maximum allowed on the file server.
Figure 233 File Sharing: Rename A popup window displays. Specify the new name and/or file extension in the field provided. You can enter up to 356 characters. Then click Apply. Make sure the length of the name does not exceed the maximum allowed on the file server.
Chapter 24 SSL User File Sharing Screens 24.7 Uploading a File Follow the steps below to upload a file to the file server. 1 Log into the remote user screen and click the File Sharing tab. 2 Specify the location and/or name of the file you want to upload. Or click Browse to locate it.
Chapter 25 L2TP VPN This chapter explains how to set up and maintain L2TP VPNs in the ZyWALL. See 5.4.6 on page 116 for related information on these screens. 25.1 L2TP VPN Overview L2TP VPN lets remote users use the L2TP and IPSec client software included with their computers’...
Chapter 25 L2TP VPN • Use transport mode. • Not be a manual key VPN connection. • Use Pre-Shared Key authentication. • Use a VPN gateway with the Secure Gateway set to 0.0.0.0 if you need to allow L2TP VPN clients to connect from more than one IP address. 25.2.1 Using the Default L2TP VPN Connection Default_L2TP_VPN_Connection is pre-configured to be convenient to use for L2TP VPN.
25.4 L2TP VPN Configuration Click VPN > L2TP VPN to open the following screen. Use this screen to configure the ZyWALL’s L2TP VPN settings. Disconnect any existing L2TP VPN sessions before modifying L2TP VPN settings. The remote users must make any needed matching configuration changes and re-establish the sessions using the new settings.
Chapter 25 L2TP VPN Table 106 VPN > IPSec VPN > VPN Connection (continued) LABEL Allowed User Keep Alive Timer First DNS Server Second DNS Server First WINS Server, Second WINS Server Apply Reset 25.5 L2TP VPN Session Monitor Click VPN > L2TP VPN > Session Monitor to open the following screen. Use this screen to display and manage the ZyWALL’s connected L2TP VPN sessions.
Table 107 VPN > L2TP VPN > Session Monitor (continued) LABEL DESCRIPTION Disconnect Click the Disconnect icon next to an L2TP VPN connection to disconnect it. Refresh Click Refresh to update the information in the display. ZyWALL USG 1000 User’s Guide Chapter 25 L2TP VPN...
Chapter 26 L2TP VPN Example This chapter shows how to create a basic L2TP VPN tunnel. 26.1 L2TP VPN Example This chapter uses the following settings in creating a basic L2TP VPN tunnel. Figure 241 L2TP VPN Example LAN_SUBNET: 192.168.1.0/24 •...
Chapter 26 L2TP VPN Example Figure 242 VPN > IPSec VPN > VPN Gateway > Edit • Configure the My Address setting. This example uses interface ge3 with static IP address 172.23.37.205. • Configure the Pre-Shared Key. This example uses top-secret. Click OK. 2 Click the Default_L2TP_VPN_GW entry’s Enable icon and click Apply to turn on the entry.
26.3 Configuring the Default L2TP VPN Connection Example 1 Click VPN > Network > IPSec VPN to open the screen that lists the VPN connections. Click the Default_L2TP_VPN_Connection’s Edit icon. Figure 244 VPN > IPSec VPN > VPN Connection > Edit 2 Enforce and configure the local and remote policies.
Chapter 26 L2TP VPN Example Figure 245 VPN > IPSec VPN > VPN Connection (Enable) 26.4 Configuring the L2TP VPN Settings Example 1 Click VPN > L2TP VPN to open the following screen. Figure 246 VPN > L2TP VPN Example 2 Configure the following.
Figure 247 Routing > Add: L2TP VPN Example 2 Configure the following. • Enable the policy route. • Set the policy route’s Source Address to the address object that you want to allow the remote users to access (LAN_SUBNET in this example). •...
Chapter 26 L2TP VPN Example 26.6.1 Configuring L2TP in Windows XP In Windows XP do the following to establish an L2TP VPN connection. 1 Click Start > Control Panel > Network Connections > New Connection Wizard. 2 Click Next in the Welcome screen. 3 Select Connect to the network at my workplace and click Next.
Figure 250 New Connection Wizard: Connection Name 6 Select Do not dial the initial connection and click Next. Figure 251 New Connection Wizard: Public Network 7 Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN (172.23.37.205 in this example).
Figure 254 Connect L2TP to ZyWALL: Security 11 Select Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK. Figure 255 Connect ZyWALL L2TP: Security > Advanced 12 Click IPSec Settings.
Chapter 26 L2TP VPN Example Figure 256 L2TP to ZyWALL Properties > Security 13 Select the Use pre-shared key for authentication check box and enter the pre-shared key used in the VPN gateway configuration that the ZyWALL is using for L2TP VPN. Click OK.
Figure 259 Connect L2TP to ZyWALL 16 A window appears while the user name and password are verified. 17 A ZyWALL-L2TP icon displays in your system tray. Double-click it to open a status screen. Figure 260 ZyWALL-L2TP System Tray Icon 18 Click Details to verify that the address you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20).
Chapter 26 L2TP VPN Example 1 Click Start > Run. Type regedit and click OK. Figure 262 Starting the Registry Editor 2 Click Registry > Export Registry File and save a backup copy of your registry. You can go back to using this backup if you misconfigure the registry settings. 3 Select HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters.
Figure 265 ProhibitIpSec DWORD Value 6 Restart the computer and continue with the next section. 26.6.2.2 Configure the Windows 2000 IPSec Policy After you have created the registry entry and restarted the computer, use these directions to configure an IPSec policy for the computer to use. 1 Click Start >...
Chapter 26 L2TP VPN Example Figure 268 Add > IP Security Policy Management > Finish 4 Right-click IP Security Policies on Local Machine and click Create IP Security Policy. Click Next in the welcome screen. Figure 269 Create IP Security Policy 5 Name the IP security policy L2TP to ZyWALL, and click Next.
Figure 270 IP Security Policy: Name 6 Clear the Activate the default response rule check box and click Next. Figure 271 IP Security Policy: Request for Secure Communication 7 Leave the Edit Properties check box selected and click Finish. Figure 272 IP Security Policy: Completing the IP Security Policy Wizard
Chapter 26 L2TP VPN Example 8 In the properties dialog box, click Add > Next. Figure 273 IP Security Policy Properties > Add 9 Select This rule does not specify a tunnel and click Next. Figure 274 IP Security Policy Properties: Tunnel Endpoint 10 Select All network connections and click Next.
Figure 275 IP Security Policy Properties: Network Type 11 Select Use this string to protect the key exchange (preshared key), type password in the text box, and click Next. Figure 276 IP Security Policy Properties: Authentication Method 12 Click Add.
Chapter 26 L2TP VPN Example Figure 277 IP Security Policy Properties: IP Filter List 13 Type ZyWALL WAN_IP in the Name field. Clear the Use Add Wizard check box and click Add. Figure 278 IP Security Policy Properties: IP Filter List > Add 14 Configure the following in the Addressing tab.
Figure 279 Filter Properties: Addressing 15 Configure the following in the Filter Properties window’s Protocol tab. Set the protocol type to UDP from port 1701. Select To any port. Click Apply, OK, and then Close. Figure 280 Filter Properties: Protocol 16 Select ZyWALL WAN_IP and click Next.
Chapter 26 L2TP VPN Example Figure 281 IP Security Policy Properties: IP Filter List 17 Select Require Security and click Next. Then click Finish and Close. Figure 282 IP Security Policy Properties: IP Filter List 18 In the Console window, right-click L2TP to ZyWALL and select Assign. Figure 283 Console: L2TP to ZyWALL Assign
26.6.2.3 Configure the Windows 2000 Network Connection After you have configured the IPSec policy, use these directions to create a network connection. 1 Click Start > Settings > Network and Dial-up connections > Make New Connection. In the wizard welcome screen, click Next. Figure 284 Start New Connection Wizard 2 Select Connect to a private network through the Internet and click Next.
Chapter 26 L2TP VPN Example Figure 286 New Connection Wizard: Destination Address 4 Select For all users and click Next. Figure 287 New Connection Wizard: Connection Availability 5 Name the connection L2TP to ZyWALL and click Finish. Figure 288 New Connection Wizard: Naming the Connection
6 Click Properties. Figure 289 Connect L2TP to ZyWALL 7 Click Security and select Advanced (custom settings) and click Settings. Figure 290 Connect L2TP to ZyWALL: Security 8 Select Optional encryption allowed (connect even if no encryption) and the Allow these protocols radio button.
Chapter 26 L2TP VPN Example Figure 291 Connect L2TP to ZyWALL: Security > Advanced 9 Click Networking and select Layer 2 Tunneling Protocol (L2TP) from the drop-down list box. Click OK. Figure 292 Connect L2TP to ZyWALL: Networking 10 Enter your user name and password and click Connect. It may take up to one minute to establish the connection and register on the network.
Figure 293 Connect L2TP to ZyWALL 11 A ZyWALL-L2TP icon displays in your system tray. Double-click it to open a status screen. Figure 294 ZyWALL-L2TP System Tray Icon 12 Click Details and scroll down to verify that the address you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20).
Chapter 27 Application Patrol This chapter describes how to use application patrol for the ZyWALL. It provides an overview first and then introduces the screens. See these screens. 27.1 Application Patrol Overview Application patrol provides a convenient way to manage the use of various applications on the network.
Chapter 27 Application Patrol The ZyWALL allows the first eight packets to go through the firewall, regardless of the application patrol policy for the application. The ZyWALL examines these first eight packets to identify the application. The second approach is called service ports. In this approach, the ZyWALL only uses OSI level-3 information, such as IP address and port, to identify what application is using the connection.
27.4.1 Connection and Packet Directions Application patrol looks at the connection direction, that is from which zone the connection was initiated and to which zone the connection is going. A connection has outbound and inbound packet flows. The ZyWALL controls the bandwidth of traffic of each flow as it is going out through an interface or VPN tunnel.
Chapter 27 Application Patrol Figure 297 LAN to WAN, Outbound 200 kbps, Inbound 500 kbps 27.4.3 Bandwidth Management Priority The ZyWALL gives bandwidth to higher-priority traffic first, until it reaches its configured bandwidth rate. Then lower-priority traffic gets bandwidth. The ZyWALL uses a fairness-based (round-robin) scheduler to divide bandwidth among traffic flows with the same priority.
Figure 298 Bandwidth Management Behavior 27.4.5.1 Configured Rate Effect In the following table, the configured rates total less than the available bandwidth and maximize bandwidth usage is disabled, so both servers get their configured rate. Table 108 Configured Rate Effect POLICY CONFIGURED RATE MAX.
Chapter 27 Application Patrol 27.4.5.4 Priority and Over Allotment of Bandwidth Effect Server A has a configured rate that equals the total amount of available bandwidth and a higher priority. You should regard extreme over allotment of traffic with different priorities (as shown here) as a configuration error.
Figure 299 Application Patrol Bandwidth Management Example (figure showing three policies: SIP, Any to WAN, Outbound 200 Kbps, Inbound 200 Kbps, Priority 1, Max. B. U.; HTTP, Any to WAN, Outbound 100 Kbps, Inbound 500 Kbps, Priority 2, Max. B. U.; FTP, WAN to DMZ, Outbound 100 Kbps, Inbound 300 Kbps, Priority 3...)
Chapter 27 Application Patrol Figure 300 SIP Any to WAN Bandwidth Management Example 27.5.3 SIP WAN to Any Bandwidth Management Example You also create a policy for calls coming in from the SIP server on the WAN. It is the same as the SIP Any to WAN policy, but with the directions reversed (WAN to Any instead of Any to WAN).
• Third highest priority (3). • Disable maximize bandwidth usage since you do not want to give FTP more bandwidth. Figure 302 FTP WAN to DMZ Bandwidth Management Example 27.5.6 FTP LAN to DMZ Bandwidth Management Example • The LAN and DMZ zone interfaces are connected to Ethernet networks (not an ADSL device) so you limit both outbound and inbound traffic to 50 Mbps.
Chapter 27 Application Patrol 27.6 Other Applications Sometimes, the ZyWALL cannot identify the application. For example, the application might be a new application, or the packets might arrive out of sequence. (The ZyWALL does not reorder packets when identifying the application.) In these cases, you can still provide a default rule for the ZyWALL to follow.
Figure 304 AppPatrol > General The following table describes the labels in this screen. See more information as well. Table 112 AppPatrol > General LABEL DESCRIPTION Enable Select this check box to turn on application patrol. Application Patrol Enable BWM This is a global setting for enabling or disabling bandwidth management on the ZyWALL.
Chapter 27 Application Patrol Table 112 AppPatrol > General (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 27.9 Application Patrol Applications Use the application patrol Common, Instant Messenger, Peer to Peer, VoIP, or Streaming screen to manage traffic of individual applications.
27.9.1 Application Patrol Edit Use this screen to edit the settings for an application. To access this screen, go to the application patrol Common, Instant Messenger, Peer to Peer, VoIP, or Streaming screen and click an application’s Edit icon. The screen displayed here is for the MSN instant messenger service.
Chapter 27 Application Patrol Table 114 Application Edit (continued) LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific condition. Note: The ZyWALL checks conditions in the order they appear in Port This field displays the specific port number to which this policy applies. Schedule This is the schedule that defines when the policy applies.
Table 114 Application Edit (continued) LABEL DESCRIPTION Add icon Click the Add icon in the heading row to add a new first entry. The Active icon displays whether the entry is enabled or not. Click the Active icon to activate or deactivate the entry. Make sure you click Apply to save and apply the change.
Chapter 27 Application Patrol Table 115 Application Policy Edit (continued) LABEL DESCRIPTION Schedule Select a schedule that defines when the policy applies or select Create Object to configure a new one (see none to make the policy always effective. User Select a user name or user group to which to apply the policy.
Table 115 Application Policy Edit (continued) LABEL DESCRIPTION Outbound kbps Type how much outbound bandwidth, in kilobits per second, this policy allows the application to use. Outbound refers to the traffic the ZyWALL sends out from a connection’s initiator. If you enter 0 here, this policy does not apply bandwidth management for the application’s traffic that the ZyWALL sends out from the initiator.
Chapter 27 Application Patrol The following table describes the labels in this screen. See more information as well. Table 116 AppPatrol > Other LABEL DESCRIPTION Policy This table lists the policies configured for traffic which does not match an application. This field is a sequential value, and it is not associated with a specific condition.
Table 116 AppPatrol > Other (continued) LABEL DESCRIPTION Add icon Click the Add icon in the heading row to add a new first entry. The Active icon displays whether the entry is enabled or not. Click the Active icon to activate or deactivate the entry. Make sure you click Apply to save and apply the change.
Chapter 27 Application Patrol Table 117 AppPatrol > Other > Edit (continued) LABEL DESCRIPTION Schedule Select a schedule that defines when the policy applies or select Create Object to configure a new one (see any to make the policy always effective. User Select a user name or user group to which to apply the policy.
Table 117 AppPatrol > Other > Edit (continued) LABEL DESCRIPTION Priority Enter a number between 1 and 7 to set the priority for traffic that matches this policy. The smaller the number, the higher the priority. Traffic with a higher priority is given bandwidth before traffic with a lower priority. The ZyWALL uses a fairness-based (round-robin) scheduler to divide bandwidth between traffic flows with the same priority.
Chapter 27 Application Patrol The following table describes the labels in this screen. Table 118 AppPatrol > Statistics: General Setup LABEL DESCRIPTION Refresh Interval Select how often you want the statistics display to update. Display Select the protocols for which to display statistics. Protocols Select All selects all of the protocols.
Figure 312 AppPatrol > Statistics: Protocol Statistics The following table describes the labels in this screen. Table 119 AppPatrol > Statistics: Protocol Statistics LABEL DESCRIPTION Service This is the protocol. Click the expand icon (+) to display the statistics for each of a protocol’s rules.
Chapter 27 Application Patrol Table 119 AppPatrol > Statistics: Protocol Statistics (continued) LABEL DESCRIPTION Forwarded Data (KB) This is how much of the application’s traffic the ZyWALL has sent (in kilobytes). Dropped Data (KB) This is how much of the application’s traffic the ZyWALL has discarded without notifying the client (in kilobytes).
Chapter 28 Anti-Virus This chapter introduces and shows you how to configure the anti-virus scanner. See 5.4.14 on page 120 for related information on these screens. 28.1 Anti-Virus Overview A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs.
Chapter 28 Anti-Virus 4 Once the virus is spread through the network, the number of infected networked computers can grow exponentially. 28.1.3 Types of Anti-Virus Scanner The section describes two types of anti-virus scanner: host-based and network-based. A host-based anti-virus (HAV) scanner is often software installed on computers and/or servers in the network.
Figure 313 ZyWALL Anti-virus Example The following describes the virus scanning process on the ZyWALL. 1 The ZyWALL first identifies SMTP, POP3, IMAP4, HTTP and FTP packets through standard ports. 2 If the packets are not session connection setup packets (such as SYN, ACK and FIN), the ZyWALL records the sequence of the packets.
Chapter 28 Anti-Virus • Encrypted traffic. This could be password-protected files or VPN traffic where the ZyWALL is not the endpoint (pass-through VPN traffic). • Traffic through custom (non-standard) ports. The only exception is FTP traffic. The ZyWALL scans whatever port number is specified for FTP in the ALG screen. •...
The following table describes the labels in this screen. Table 121 Anti-X > Anti-Virus > General LABEL DESCRIPTION Enable Anti-Virus and Anti-Spyware Select this check box to check traffic for viruses and spyware. The following table lists rules that define which traffic the ZyWALL scans and the action it takes upon finding a virus.
Chapter 28 Anti-Virus Table 121 Anti-X > Anti-Virus > General (continued) LABEL Released Date This field displays the date and time the set was released. Update Signatures Apply Reset 28.3.1 Anti-Virus Policy Edit Click the Add or Edit icon in the Anti-X > Anti-Virus > General screen to display the configuration screen as shown next.
Table 122 Anti-X > Anti-Virus > General > Edit (continued) LABEL DESCRIPTION Protocols to Scan Select which protocols of traffic to scan for viruses. FTP applies to traffic using the TCP port number specified for FTP in the ALG screen. HTTP applies to traffic using TCP ports 80, 8080 and 3128.
The following table describes the labels in this screen. Table 123 Anti-X > Anti-Virus > Setting LABEL DESCRIPTION Scan EICAR Select this option to have the ZyWALL check for the EICAR test file and treat it in the same way as a real virus file. The EICAR test file is a standardized test file for signature based anti-virus scanners.
Chapter 28 Anti-Virus Table 123 Anti-X > Anti-Virus > Setting (continued) LABEL Apply Reset 28.5 Anti-Virus White List Add/Edit From the Anti-X > Anti-Virus > Setting screen, click a white list Add icon or Edit icon to display the following screen. Use this screen to create an anti-virus white list entry for a file pattern that should cause the ZyWALL to not scan a file for viruses.
28.6 Anti-Virus Black List Add/Edit From the Anti-X > Anti-Virus > Setting screen, click a black list Add icon or Edit icon to display the following screen. Use this screen to create an anti-virus black list entry for a file pattern that should cause the ZyWALL to log and delete a file.
Chapter 28 Anti-Virus Figure 319 Anti-X > Anti-Virus > Signature: Search by Severity The following table describes the labels in this screen. Table 126 Anti-X > Anti-Virus > Signature LABEL DESCRIPTION Signatures Select the criteria on which to perform the search. Search Select By Name from the drop down list box and type the name or part of the name of the signature(s) you want to find.
Table 126 Anti-X > Anti-Virus > Signature (continued) LABEL DESCRIPTION Severity This is the severity level of the anti-virus signature. Click the severity column header to sort your search results by ascending or descending severity. Category This column displays whether the signature is for identifying a virus or spyware. Click the column heading to sort your search results by category.
Chapter 29 IDP This chapter introduces IDP (Intrusion Detection and Prevention), IDP profiles, binding an IDP profile to a traffic direction, custom signatures and updating signatures. See 5.4.15 on page 120 for related information on these screens. 29.1 Introduction to IDP An IDP system can detect malicious or suspicious packets and respond instantaneously.
Chapter 29 IDP 29.1.4 Signatures If a packet matches a signature, the action specified by the signature is taken. You can change the default signature actions in the profile screens. 29.2 Traffic Directions and Profiles A zone is a combination of ZyWALL interfaces and VPN connections for security. See the zone chapter for details on zones and the interfaces chapter for details on interfaces.
Figure 320 Anti-X > IDP > General The following table describes the labels in this screen. Table 127 Anti-X > IDP > General LABEL General Setup Enable Signature Detection Bindings Priority From, To IDP Profile DESCRIPTION You must register for IDP service in order to use packet inspection signatures.
Chapter 29 IDP Table 127 Anti-X > IDP > General (continued) LABEL (Icons) Registration Registration Status Registration Type Apply new Registration Signature Information The following fields display information on the current signature set that the Current Version Signature Number Released Date Update Signatures Apply...
Figure 321 Anti-X > IDP > General > Add The following table describes the labels in this screen. Table 128 Anti-X > IDP > General > Add LABEL Enable From IDP Profile Cancel 29.5 Introducing IDP Profiles An IDP profile is a set of packet inspection signatures. Packet inspection signatures examine packet content for malicious data.
Chapter 29 IDP Figure 322 Base Profiles The following table describes this screen. Table 129 Base Profiles BASE PROFILE none Cancel 29.6 Profile Summary Screen Select Anti-X > IDP > Profile. Use this screen to: • Add a new profile •...
Figure 323 Anti-X > IDP > Profile The following table describes the fields in this screen. Table 130 Anti-X > IDP > Profile LABEL DESCRIPTION Name This is the name of the profile you created. Base Profile This is the base profile from which the profile was created. (Icons) Click the Add icon in the column header to create a new profile.
Chapter 29 IDP If Internet Explorer opens a warning screen about a script making Internet Explorer run slowly and the computer possibly becoming unresponsive, just click No to continue. 3 Type a new profile name. 4 Enable or disable individual signatures. 5 Edit the default log options and actions.
Chapter 29 IDP The following table describes the fields in this screen. Table 131 Anti-X > IDP > Profile > Group View LABEL DESCRIPTION Name This is the name of the profile. You may use 1-31 alphanumeric characters, underscores( is case-sensitive. These are valid, unique profile names: MyProfile mYProfile Mymy12_3-4...
Table 131 Anti-X > IDP > Profile > Group View (continued) LABEL DESCRIPTION Action Select what action the ZyWALL should take when a packet matches a signature here. original setting: Select this action to return each signature in a service group to its previously saved configuration.
Chapter 29 IDP Table 132 Policy Types (continued) POLICY TYPE DoS/DDoS Scan Buffer Overflow Virus/Worm Backdoor/Trojan Access Control Web Attack 29.8.3 IDP Service Groups An IDP service group is a set of related packet inspection signatures. Table 133 IDP Service Groups WEB_PHP WEB_CGI ORACLE...
Table 133 IDP Service Groups (continued) IMAP FINGER The following figure shows the WEB_PHP service group that contains signatures related to attacks on web servers using PHP exploits. PHP (PHP: Hypertext Preprocessor) is a server-side HTML embedded scripting language that allows web developers to build dynamic websites.
Chapter 29 IDP Figure 326 Anti-X > IDP > Profile: Query View The following table describes the fields in this screen. Table 134 Anti-X > IDP > Profile: Query View LABEL DESCRIPTION Name This is the name of the profile that you created in the IDP > Profiles > Group View screen.
Table 134 Anti-X > IDP > Profile: Query View (continued) LABEL DESCRIPTION Search Click this button to begin the search. The results display at the bottom of the screen. Results may be spread over several pages depending on how broad the search criteria selected were.
Chapter 29 IDP Figure 328 Query Example Search Results 29.9 Introducing IDP Custom Signatures Create custom signatures for new attacks or attacks peculiar to your network. Custom signatures can also be saved to/from your computer so as to share with others. You need some knowledge of packet headers and attack types to create your own custom signatures.
Figure 329 IP v4 Packet Headers The header fields are discussed below: Table 135 IP v4 Packet Headers HEADER Version Type of Service Total Length Identification Flags Fragment Offset Time To Live Protocol Header Checksum Source IP Address Destination IP Address DESCRIPTION The value 4 indicates IP version 4.
Chapter 29 IDP Table 135 IP v4 Packet Headers (continued) HEADER Options Padding 29.10 Configuring Custom Signatures Select Anti-X > IDP > Custom Signatures. The first screen shows a summary of all custom signatures created. Click the SID or Name heading to sort. Click the Add icon to create a new signature or click the Edit icon to edit an existing signature.
The following table describes the fields in this screen. Table 136 Anti-X > IDP > Custom Signatures LABEL DESCRIPTION Creating Use this part of the screen to create, edit, delete or export (save to your computer) custom signatures. SID is the signature ID that uniquely identifies a signature. Click the SID header to sort signatures in ascending or descending order.
The following table describes the fields in this screen. Table 137 Anti-X > IDP > Custom Signatures > Add/Edit LABEL DESCRIPTION Name Type the name of your custom signature. You may use 1-31 alphanumeric characters, underscores( number. This value is case-sensitive. Duplicate names can exist but it is advisable to use unique signature names that give some hint as to intent of the signature and the type of attack it is supposed to prevent.
Chapter 29 IDP Table 137 Anti-X > IDP > Custom Signatures > Add/Edit (continued) LABEL IP Options Same IP Transport Protocol Transport Protocol: TCP Port Flow Flags Sequence Number Ack Number Window Size Transport Protocol: UDP Port Transport Protocol: ICMP Type Code Sequence...
Table 137 Anti-X > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION Payload Size This field may be used to check for abnormally sized packets or for detecting buffer overflows Select the check box, then select Equal, Smaller or Greater and then type the payload size.
Chapter 29 IDP 29.10.2.2 Analyze Packets Then use a packet sniffer such as TCPdump or Ethereal to investigate some more. From the NetBIOS header you see that the first byte ‘00’ defines the message type. The next three bytes represent the length of data, so you can ignore it. Therefore enter |00| as the first pattern.
Chapter 29 IDP 29.10.3 Applying Custom Signatures After you create your custom signature, it becomes available in the IDP service group category in the IDP > Profile > Packet Inspection screen. Custom signatures have an SID from 9000000 to 9999999. You can activate the signature, configure what action to take when a packet matches it and if it should generate a log or alert in a profile.
Figure 337 Custom Signature Log 29.10.5 Snort Signatures You may want to refer to open source Snort signatures when creating custom ZyWALL ones. Most Snort rules are written in a single line. Snort rules are divided into two logical sections, the rule header and the rule options as shown in the following example: alert tcp any any ->...
Chapter 29 IDP Table 138 ZyWALL - Snort Equivalent Terms (continued) ZYWALL TERM Flow Flags Sequence Number Ack Number Window Size Transport Protocol: UDP Port Transport Protocol: ICMP Type Code Sequence Number Payload Options Payload Size Offset (relative to start of payload) Relative to end of last match Content Case-insensitive...
Chapter 30 ADP This chapter introduces ADP (Anomaly Detection and Prevention), anomaly profiles and binding an ADP profile to a traffic direction. See information on these screens. 30.1 Introduction to ADP An ADP system can detect malicious or suspicious packets and respond instantaneously. It can detect: •...
Chapter 30 ADP 30.1.3 ADP on the ZyWALL ADP on the ZyWALL protects against network-based intrusions. See Section 30.9 on page 456 protect against. You can also create your own custom ADP rules. 30.2 Traffic Directions and Profiles A zone is a combination of ZyWALL interfaces and VPN connections for security. See the zone chapter for details on zones and the interfaces chapter for details on interfaces.
The following table describes the labels in this screen. Table 139 Anti-X > ADP > General LABEL General Setup Enable Anomaly Detection Bindings Priority From, To Anomaly Profile (Icons) Apply Reset 30.4 Configuring Anomaly Profile Bindings Click Anti-X > ADP > General and then an Add or Edit icon to display the following screen. Use this screen to bind an anomaly profile to a traffic direction.
Chapter 30 ADP Figure 339 Anti-X > ADP > General > Add The following table describes the labels in this screen. Table 140 Anti-X > ADP > General > Add LABEL Enable From ADP Profile Cancel 30.5 Introducing ADP Profiles An ADP profile is a set of traffic anomaly rules and protocol anomaly rules.
Figure 340 Base Profiles These are the default base profiles at the time of writing. Table 141 Base Profiles BASE PROFILE DESCRIPTION All traffic anomaly and protocol anomaly rules are enabled. Rules with a high or severe severity level (greater than three) generate log alerts and cause packets that trigger them to be dropped.
Chapter 30 ADP Table 142 Anti-X > ADP > Profile (continued) LABEL DESCRIPTION Base Profile This is the base profile from which the profile was created. (Icons) Click the Add icon in the column header to create a new profile. A pop-up screen displays requiring you to choose a base profile from which to create the new profile.
30.8.1 Port Scanning An attacker scans device(s) to determine what types of network protocols or services a device supports. One of the most common port scanning tools in use today is Nmap. Many connection attempts to different ports (services) may indicate a port scan. These are some port scan types: •...
Chapter 30 ADP 30.8.1.4 Filtered Port Scans A filtered port scan may indicate that there were no network errors (ICMP unreachables or TCP RSTs) or responses on closed ports have been suppressed. Active network devices, such as NAT routers, may trigger these alerts if they send out many connection attempts within a very small amount of time.
30.8.2.3 TCP SYN Flood Attack Usually a client starts a session by sending a SYN (synchronize) packet to a server. The server returns its own SYN together with an ACK (acknowledgment) of the client's SYN, and the client responds with an ACK. After this three-way handshake, a connection is established. Figure 343 TCP Three-Way Handshake A SYN flood attack is when an attacker sends a series of SYN packets without ever completing the handshake, often from spoofed source addresses. Each SYN leaves a half-open connection that holds server resources until it times out, so enough of them fill the server's connection backlog and legitimate clients can no longer connect.
Chapter 30 ADP 30.8.2.5 UDP Flood Attack UDP is a connection-less protocol and it does not require any connection setup procedure to transfer data. A UDP flood attack is possible when an attacker sends a UDP packet to a random port on the victim system. When the victim system receives a UDP packet, it will determine what application is waiting on the destination port.
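The traffic anomalies described in 30.8.1 (port scans, including the filtered variety of 30.8.1.4), 30.8.2.3 (TCP SYN flood) and 30.8.2.5 (UDP flood) all reduce to counting events per source or destination inside a time window. The following is an added example, not ZyWALL code, that implements those four checks over constructed packet summaries and then applies the base-profile behaviour of Table 141, where rules with a severity above three drop the packet and raise an alert. The thresholds, windows and per-rule severities are assumptions chosen to suit the sample data, not the ZyWALL's values.

```python
"""Added example, not ZyWALL code: detection logic for four of the traffic
anomalies of section 30.8 (port scan, filtered port scan, TCP SYN flood, UDP
flood) run over constructed packet summaries, followed by the base-profile rule
of Table 141 (severity above three: drop and alert).  Thresholds, windows and
per-rule severities are assumptions picked for the sample data."""
from collections import defaultdict

# Assumed severities on a 1-5 scale; the manual only gives the ">3" cut-off.
SEVERITY = {"port-scan": 3, "filtered-port-scan": 3,
            "tcp-syn-flood": 5, "udp-flood": 4}


def _burst(times, window, threshold):
    """True if at least `threshold` timestamps fall within some `window` seconds."""
    times = sorted(times)
    lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


def detect_port_scans(pkts, window=5.0, threshold=10):
    """One source sending SYNs to many distinct ports of one host.  If that host
    never answered the source (no SYN/ACK, RST or ICMP unreachable) the scan is
    reported as 'filtered', as in 30.8.1.4."""
    probes = defaultdict(dict)      # (scanner, target) -> {dport: first seen}
    answered = set()                # (scanner, target) pairs that got a reply
    for p in pkts:
        if p["proto"] == "tcp" and p["flags"] == "S":
            probes[(p["src"], p["dst"])].setdefault(p["dport"], p["t"])
        elif (p["proto"] == "tcp" and p["flags"] in ("SA", "R")) or \
                (p["proto"] == "icmp" and p.get("type") == 3):
            answered.add((p["dst"], p["src"]))
    findings = []
    for (src, dst), ports in probes.items():
        if len(ports) >= threshold and _burst(ports.values(), window, threshold):
            rule = "port-scan" if (src, dst) in answered else "filtered-port-scan"
            findings.append({"rule": rule, "src": src, "dst": dst,
                             "ports": sorted(ports)})
    return findings


def detect_syn_floods(pkts, window=2.0, threshold=50):
    """Many SYNs towards one host whose handshakes are never completed by the
    client's final ACK, i.e. half-open connections (30.8.2.3)."""
    syns = defaultdict(dict)        # target -> {(src, sport): t}
    completed = set()
    for p in pkts:
        if p["proto"] != "tcp":
            continue
        if p["flags"] == "S":
            syns[p["dst"]][(p["src"], p["sport"])] = p["t"]
        elif p["flags"] == "A":
            completed.add((p["dst"], p["src"], p["sport"]))
    findings = []
    for dst, opened in syns.items():
        half_open = [t for (src, sport), t in opened.items()
                     if (dst, src, sport) not in completed]
        if _burst(half_open, window, threshold):
            findings.append({"rule": "tcp-syn-flood", "dst": dst,
                             "half_open": len(half_open)})
    return findings


def detect_udp_floods(pkts, window=1.0, threshold=100):
    """A burst of UDP datagrams at one host (30.8.2.5)."""
    by_dst = defaultdict(list)
    for p in pkts:
        if p["proto"] == "udp":
            by_dst[p["dst"]].append(p["t"])
    return [{"rule": "udp-flood", "dst": d, "packets": len(ts)}
            for d, ts in by_dst.items() if _burst(ts, window, threshold)]


def apply_profile(findings):
    """Table 141 base profile: severity above three drops and alerts; the rest
    are assumed to only log."""
    for f in findings:
        f["severity"] = SEVERITY[f["rule"]]
        f["action"], f["log"] = ("drop", "alert") if f["severity"] > 3 else ("none", "log")
    return findings


def _pkt(t, proto, src, dst, sport, dport, flags=""):
    return {"t": t, "proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "flags": flags}


def sample_packets():
    """Constructed traffic: a 12-port scan that draws no reply, a SYN flood from
    60 spoofed sources, 120 UDP datagrams and one benign completed handshake."""
    tgt = "192.168.1.20"
    pkts = [_pkt(0.1 * i, "tcp", "10.0.0.9", tgt, 40000 + i, 20 + i, "S") for i in range(12)]
    pkts += [_pkt(10 + 0.01 * i, "tcp", "203.0.113.%d" % i, tgt, 1024, 80, "S") for i in range(60)]
    pkts += [_pkt(20 + 0.005 * i, "udp", "198.51.100.7", tgt, 5000, 53) for i in range(120)]
    pkts += [_pkt(30.00, "tcp", "192.168.1.5", tgt, 51000, 443, "S"),
             _pkt(30.01, "tcp", tgt, "192.168.1.5", 443, 51000, "SA"),
             _pkt(30.02, "tcp", "192.168.1.5", tgt, 51000, 443, "A")]
    return pkts


def run(pkts=None):
    pkts = sample_packets() if pkts is None else pkts
    return apply_profile(detect_port_scans(pkts) + detect_syn_floods(pkts)
                         + detect_udp_floods(pkts))
```

The filtered-scan case of 30.8.1.4 is decided by whether the target answered the scanner at all; the note in that section about NAT routers applies here too, so a source with many distinct ports within the window should be checked against the list of known active devices before its packets are dropped.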
Chapter 30 ADP The following table describes the fields in this screen. Table 143 ADP > Profile > Traffic Anomaly LABEL DESCRIPTION Name This is the name of the ADP profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names: MyProfile mYProfile Mymy12_3-4...
Protocol anomaly detection includes HTTP Inspection, TCP Decoder, UDP Decoder and ICMP Decoder where each category reflects the packet type inspected. Protocol anomaly rules may be updated when you upload new firmware. 30.9.1 HTTP Inspection and TCP/UDP/ICMP Decoders The following table gives some information on the HTTP inspection, TCP decoder, UDP decoder and ICMP decoder ZyWALL protocol anomaly rules.
Table 144 HTTP Inspection and TCP/UDP/ICMP Decoders (continued) LABEL TRUNCATED-HEADER ATTACK UNDERSIZE-LEN ATTACK ICMP Decoder TRUNCATED-ADDRESS- HEADER ATTACK TRUNCATED-HEADER ATTACK TRUNCATED-TIMESTAMP- HEADER ATTACK 30.9.2 Protocol Anomaly Configuration In the Anti-X > ADP > Profile screen, click the Edit icon or click the Add icon and choose a base profile, then select the Protocol Anomaly tab.
The following table describes the fields in this screen. Table 145 ADP > Profile > Protocol Anomaly LABEL DESCRIPTION Name This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names: MyProfile mYProfile Mymy12_3-4...
Chapter 31 Content Filter Screens This chapter covers how to use the content filter feature to control web access. See Section 5.4.17 on page 120 for related information on these screens. 31.1 Content Filter Overview Content filter allows you to block certain web features, such as cookies, and/or block access to specific web sites.
Chapter 31 Content Filter Screens 31.1.3 Content Filter Configuration Guidelines You must configure an address object, a schedule object and a filtering profile before you can set up a content filter policy. When the ZyWALL receives an HTTP request, the content filter searches for a policy that matches the source address and time (schedule).
Table 146 Anti-X > Content Filter > General (continued) LABEL Block web access when no policy is applied Address Schedule User Filter Profile Denied Access Message Redirect URL ZyWALL USG 1000 User’s Guide DESCRIPTION Select this check box to stop users from accessing the Internet by default when their attempted access does not match a content filter policy.
The following table describes the labels in this screen. Table 147 Anti-X > Content Filter > General > Add LABEL Schedule Address Filter Profile User/Group Cancel 31.4 Content Filter Profile Screen Click Anti-X > Content Filter > Filter Profile to open the Filter Profile screen. A content filter profile defines to which web services, web sites or web site categories access is to be allowed or denied.
Chapter 31 Content Filter Screens Table 148 Anti-X > Content Filter > Filter Profile (continued) LABEL Apply Reset 31.5 External Web Filtering Service When you register for and enable the external web filtering service, your ZyWALL accesses an external database that has millions of web sites categorized based on content. You can have the ZyWALL block and/or log access to web sites based on these categories.
31.6 Content Filter Categories Screen Click Anti-X > Content Filter > Filter Profile > Add or Edit to open the Categories screen. Use this screen to enable external database content filtering and select which web site categories to block and/or log. You must register for external content filtering before you can use it.
Chapter 31 Content Filter Screens Figure 351 Anti-X > Content Filter > Filter Profile > Add The following table describes the labels in this screen. Table 149 Anti-X > Content Filter > Filter Profile > Add LABEL Name Auto Web Category Setup External Web Filter Service Status DESCRIPTION...
Table 149 Anti-X > Content Filter > Filter Profile > Add (continued) LABEL Enable External Web Filter Service Matched Web Pages Unrated Web Pages When Web Filter Server Is Unavailable Content Filter Service Unavailable Timeout Select Categories Select All Categories Clear All Categories Adult/Mature Content Pornography...
Chapter 31 Content Filter Screens Table 149 Anti-X > Content Filter > Filter Profile > Add (continued) LABEL Intimate Apparel/Swimsuit Nudity Alcohol/Tobacco Illegal/Questionable Gambling Violence/Hate/Racism Weapons Abortion Hacking Phishing DESCRIPTION Selecting this category excludes pages that contain images or offer the sale of swimsuits or intimate apparel or other types of suggestive clothing.
Table 149 Anti-X > Content Filter > Filter Profile > Add (continued) LABEL Arts/Entertainment Business/Economy Alternative Spirituality/ Occult Illegal Drugs Education Cultural/Charitable Organization Financial Services Brokerage/Trading Online Games Government/Legal Military DESCRIPTION Selecting this category excludes pages that promote and provide information about motion pictures, videos, television, music and...
Chapter 31 Content Filter Screens Table 149 Anti-X > Content Filter > Filter Profile > Add (continued) LABEL Political/Activist Groups Health Computers/Internet Search Engines/Portals Spyware/Malware Sources Spyware Effects/Privacy Concerns Job Search/Careers News/Media Personals/Dating Reference DESCRIPTION Selecting this category excludes pages sponsored by or which provide information on political parties, special interest groups, or any organization that promotes change or reform in public policy, public opinion, social practice, or economic activities.
Table 149 Anti-X > Content Filter > Filter Profile > Add (continued) LABEL Open Image/Media Search Chat/Instant Messaging Email Blogs/Newsgroups Religion Social Networking Online Storage Remote Access Tools Shopping Auctions Real Estate Society/Lifestyle DESCRIPTION Selecting this category excludes pages with image or video search capabilities which return graphical results (i.e.
Chapter 31 Content Filter Screens Table 149 Anti-X > Content Filter > Filter Profile > Add (continued) LABEL Sexuality/Alternative Lifestyles Restaurants/Dining/Food Sports/Recreation/Hobbies Selecting this category excludes pages that promote or provide Travel Vehicles Humor/Jokes Software Downloads Pay to Surf Peer-to-Peer Streaming Media/MP3s Proxy Avoidance For Kids...
Table 149 Anti-X > Content Filter > Filter Profile > Add (continued) LABEL Test Against Local Cache Test Against Web Filter Server Cancel 31.7 Content Filter Customization Screen Click Anti-X > Content Filter > Filter Profile > Add or Edit > Customization to open the Customization screen.
Chapter 31 Content Filter Screens Figure 352 Anti-X > Content Filter > Filter Profile > Customization The following table describes the labels in this screen. Table 150 Anti-X > Content Filter > Filter Profile > Customization LABEL Filter Profile Name Customization Setup Enable Web site customization...
Table 150 Anti-X > Content Filter > Filter Profile > Customization (continued) LABEL Allow Web traffic for trusted web sites only Restricted Web Features Block ActiveX Java Cookies Web Proxy Allow Java/ActiveX/Cookies/ Web proxy to trusted web sites Trusted Web Sites Add Trusted Web Site Trusted Web Sites Delete...
Please see Section 32.2 on page 488 categorized. Figure 353 Anti-X > Content Filter > Cache The following table describes the labels in this screen. Table 151 Anti-X > Content Filter > Cache LABEL DESCRIPTION URL Cache Entry Flush Click this button to clear all web site addresses from the cache manually. Refresh Click this button to reload the list of content filter cache entries.
Chapter 31 Content Filter Screens Table 151 Anti-X > Content Filter > Cache (continued) LABEL Page x of x Category Remaining Time (minutes) Remove URL Cache Setup Maximum TTL Apply Reset DESCRIPTION This is the number of the page of entries currently displayed and the total number of pages of entries.
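Table 151 describes a cache of category verdicts with a maximum TTL and a remaining time per entry, and Table 149 describes what a filter profile does when a page is matched, unrated, or when the web filter server cannot be reached. The following is an added example, not ZyWALL code, that puts the two together: a host-keyed category cache with expiry, flush and remaining-time reporting, and a filter that consults the cache, falls back to the category server, and applies the unrated and server-unavailable settings. The category server is a stub over constructed data; the attribute names and the 30-minute default TTL are this example's own choices.

```python
"""Added example, not ZyWALL code: a host-keyed URL category cache with a
maximum TTL, flush and remaining-time reporting (Table 151), and the verdict
path of a filter profile for matched, unrated and server-unavailable lookups
(Table 149).  The category server is a stub over constructed data; attribute
names and the 30-minute default TTL are this example's choices."""
import time as _time
from urllib.parse import urlsplit


class ServerUnavailable(Exception):
    """Raised by the lookup callable when the external web filter server
    cannot be reached within the profile's timeout."""


class CategoryCache:
    """host -> (category, expiry).  Entries are keyed by host because a
    category verdict applies to the whole site; expired entries are dropped
    when they are next looked up."""

    def __init__(self, max_ttl_minutes=30):
        self.max_ttl = max_ttl_minutes * 60
        self._entries = {}

    @staticmethod
    def key(url):
        if "://" not in url:
            url = "http://" + url
        return (urlsplit(url).hostname or "").lower()

    def lookup(self, url, now):
        host = self.key(url)
        entry = self._entries.get(host)
        if entry is None:
            return None
        category, expiry = entry
        if expiry <= now:
            del self._entries[host]
            return None
        return category

    def store(self, url, category, now, ttl_seconds=None):
        ttl = self.max_ttl if ttl_seconds is None else min(ttl_seconds, self.max_ttl)
        self._entries[self.key(url)] = (category, now + ttl)

    def remaining_minutes(self, url, now):
        entry = self._entries.get(self.key(url))
        return None if entry is None else max(0, int((entry[1] - now) // 60))

    def flush(self):
        self._entries.clear()

    def __len__(self):
        return len(self._entries)


class CategoryFilter:
    def __init__(self, cache, server, blocked_categories,
                 block_unrated=True, block_when_unavailable=True):
        self.cache, self.server = cache, server
        self.blocked = set(blocked_categories)
        self.block_unrated = block_unrated
        self.block_when_unavailable = block_when_unavailable

    def check(self, url, now=None):
        """Return (verdict, category, source); source is 'cache', 'server' or
        'unavailable'.  Only the cache and server paths rate the page."""
        now = _time.time() if now is None else now
        category, source = self.cache.lookup(url, now), "cache"
        if category is None:
            try:
                category, source = self.server(url), "server"
            except ServerUnavailable:
                verdict = "block" if self.block_when_unavailable else "allow"
                return verdict, None, "unavailable"
            self.cache.store(url, category, now)
        if category == "unrated":
            return ("block" if self.block_unrated else "allow"), category, source
        return ("block" if category in self.blocked else "allow"), category, source


# Constructed stand-in for the external category database.
CONSTRUCTED_DB = {"casino.example": "Gambling", "news.example": "News/Media"}


def stub_server(url):
    host = CategoryCache.key(url)
    if host == "down.example":       # simulates a lookup that times out
        raise ServerUnavailable()
    return CONSTRUCTED_DB.get(host, "unrated")
```

The "unavailable" verdict is the one to think about when choosing the profile settings: allowing on server failure keeps users working but means an attacker who can make the lookup time out (or who simply waits for an outage) gets unfiltered access, while blocking turns a filter outage into a web outage.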
Chapter 32 Content Filter Reports This chapter describes how to view content filtering reports after you have activated the category-based content filtering subscription service. Chapter 8 on page 165 and activate the subscription services. 32.1 Viewing Content Filter Reports Content filtering reports are generated statistics and charts of access attempts to web sites belonging to the categories you selected in your device content filter screen.
Chapter 32 Content Filter Reports ZyWALL using the Rename button in the Service Management screen (see on page 484). Figure 355 myZyXEL.com: Welcome 4 In the Service Management screen click Content Filter in the Service Name field to open the Blue Coat login screen. Figure 356 myZyXEL.com: Service Management 5 Enter your ZyXEL device's MAC address (in lower case) in the Name field.
6 Click Submit. Figure 357 Blue Coat: Login 7 In the Web Filter Home screen, click the Reports tab. Figure 358 Blue Coat Content Filter Reports Main Screen 8 Select items under Global Reports or Single User Reports to view the corresponding reports.
Chapter 32 Content Filter Reports Figure 359 Blue Coat: Report Home 9 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report.The screens vary according to the report type you selected in the Report Home screen.
Chapter 32 Content Filter Reports Figure 360 Global Report Screen Example 11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.
Chapter 32 Content Filter Reports Figure 361 Requested URLs Example 32.2 Web Site Submission You may find that a web site has not been accurately categorized or that a web site’s contents have changed and the content filtering category needs to be updated. Use the following procedure to submit the web site for review.
Chapter 32 Content Filter Reports Figure 362 Web Page Review Process Screen 3 Type the web site's URL in the field and click Submit to have the web site reviewed.
Chapter 33 Device HA Use device HA and Virtual Router Redundancy Protocol (VRRP) to increase network reliability. See Section 5.4.8 on page 117 33.1 Virtual Router Redundancy Protocol (VRRP) Overview Every computer on a network may send packets to a default gateway, which can become a single point of failure.
Chapter 33 Device HA Every router in a virtual router must use the same advertisement interval. If Router A becomes unavailable, it stops sending messages to Router B. Router B detects this and assumes the role of the master router. This is illustrated below. Figure 364 Example: VRRP, Master Becomes Unavailable Router B is now using the IP address of the default gateway, and it is forwarding packets for the network.
33.1.1 Additional VRRP Notes • It is possible to set up two virtual routers so that they back up each other. • VRRP uses IP protocol 112. • VRRPv2 (RFC 3768) advertisements carry no cryptographic authentication, so any host on the same segment that can send advertisements with a higher priority to 224.0.0.18 can claim the virtual router's IP address. Keep the interfaces that belong to a virtual router on a segment you control and do not accept IP protocol 112 from untrusted zones. 33.2 VRRP Group Overview In the ZyWALL, you should create a VRRP group to add one of its interfaces to a virtual router.
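The failover described in 33.1 (the backup stops hearing the master's advertisements and takes over the gateway address) depends on the advertisement interval and on each router's priority. The following is an added example, not from the manual or from ZyXEL's firmware: it builds and parses a VRRPv2 advertisement as defined in RFC 3768 (carried in IP protocol 112 to 224.0.0.18), computes the master-down interval of 3 × advertisement interval + skew time (skew time = (256 − priority)/256 seconds), and models a backup router's timer. Addresses, VRIDs and priorities are constructed, and nothing is put on the wire.

```python
"""Added example, not from the manual or ZyXEL's firmware: build and parse a
VRRPv2 advertisement (RFC 3768, IP protocol 112, multicast 224.0.0.18) and
model the timing behind 33.1: a backup declares the master down when no
advertisement arrives for 3 * Advertisement_Interval + Skew_Time, where
Skew_Time = (256 - Priority) / 256 seconds.  Values are constructed."""
import socket
import struct

VRRP_PROTOCOL = 112
VRRP_MULTICAST = "224.0.0.18"


def inet_checksum(data):
    """One's-complement Internet checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid, priority, addresses, adver_int=1):
    """Serialise a VRRPv2 ADVERTISEMENT (auth type 0, eight zero auth bytes)."""
    if not (1 <= vrid <= 255 and 0 <= priority <= 255 and 1 <= adver_int <= 255):
        raise ValueError("field out of range")
    header = struct.pack("!BBBBBB", (2 << 4) | 1, vrid, priority,
                         len(addresses), 0, adver_int)
    body = b"".join(socket.inet_aton(a) for a in addresses) + bytes(8)
    csum = inet_checksum(header + b"\x00\x00" + body)
    return header + struct.pack("!H", csum) + body


def parse_advertisement(pkt):
    """Decode an advertisement, rejecting bad length, version or checksum."""
    if len(pkt) < 16 or inet_checksum(pkt) != 0:
        raise ValueError("bad length or checksum")
    vt, vrid, prio, count, auth_type, adver_int = struct.unpack("!BBBBBB", pkt[:6])
    if vt >> 4 != 2 or vt & 0xF != 1 or len(pkt) != 16 + 4 * count:
        raise ValueError("not a well-formed VRRPv2 advertisement")
    addrs = [socket.inet_ntoa(pkt[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "adver_int": adver_int,
            "auth_type": auth_type, "addresses": addrs}


def skew_time(priority):
    return (256 - priority) / 256.0


def master_down_interval(adver_int, priority):
    return 3 * adver_int + skew_time(priority)


class BackupRouter:
    """The backup side of 33.1: restart the master-down timer on each valid
    advertisement for our VRID and take over when it expires (preempt on)."""

    def __init__(self, vrid, priority, adver_int=1, now=0.0):
        self.vrid, self.priority, self.adver_int = vrid, priority, adver_int
        self.state = "backup"
        self.deadline = now + master_down_interval(adver_int, priority)

    def on_advertisement(self, pkt, now):
        adv = parse_advertisement(pkt)
        if adv["vrid"] != self.vrid:
            return "ignored"              # another virtual router's traffic
        if adv["priority"] == 0:          # master is releasing the address
            self.deadline = now + skew_time(self.priority)
        elif adv["priority"] >= self.priority:
            self.deadline = now + master_down_interval(self.adver_int, self.priority)
        # lower priority than ours: discarded, so our timer expires and we preempt
        return self.tick(now)

    def tick(self, now):
        if self.state == "backup" and now >= self.deadline:
            self.state =  "master"
        return self.state
```

The skew term is what makes the highest-priority backup win when several are waiting: with a one-second advertisement interval a backup of priority 100 waits 3.609 s, one of priority 200 only 3.219 s. The same arithmetic shows why every router in a virtual router must use the same advertisement interval, as 33.1 requires: a backup whose interval is shorter than the master's would declare it down while it was still healthy.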
Chapter 33 Device HA 33.2.1 Link Monitoring and Remote Management With link monitoring enabled, a backup ZyWALL that takes over for an unavailable master ZyWALL takes over all of the master ZyWALL’s static IP addresses. This way the backup ZyWALL takes over all of the master ZyWALL’s functions. However, this also means you can no longer access the original master ZyWALL through one of its static IP addresses (because the backup ZyWALL now uses this address).
Figure 366 Device HA > VRRP Group The following table describes the labels in this screen. See information as well. Table 152 Device HA > VRRP Group LABEL DESCRIPTION Refresh Click this button to update the information in this screen. This field is a sequential value, and it is not associated with a specific VRRP group.
Chapter 33 Device HA Table 152 Device HA > VRRP Group (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 33.5 VRRP Group Add/Edit The VRRP Group Add/Edit screen allows you to add VRRP groups to the ZyWALL or to edit the configuration of an existing VRRP group.
Table 153 Device HA > VRRP Group > Edit (continued) LABEL DESCRIPTION VRID Type the virtual router ID number. Description Type the description of the VRRP group. This field is only for your reference. It may be up to sixty printable ASCII characters long. VRRP Interface Select the interface in this device that is part of the virtual router.
Chapter 33 Device HA 33.6 Synchronization Overview In a virtual router, backup routers do not automatically get configuration updates from the master router. In this case, the master ZyWALL can send these updates to backup ZyWALLs. This is called synchronization. During synchronization, the master ZyWALL sends the following information to the backup ZyWALL.
You must subscribe to services on the backup ZyWALL before synchronizing it with the master ZyWALL. 33.6.2 Synchronize Screen Use this screen if you want the ZyWALL to get or to send updated IDP signatures, and configuration information in the virtual router. You can only set up synchronization with other ZyWALLs of the same model running the same firmware version.
Chapter 33 Device HA Table 154 Network > Device HA > Synchronize (continued) LABEL DESCRIPTION Sync. Now Click this button to get updated certificates, AV signatures, IDP and application patrol signatures, system protect signatures, and configuration information from the specified ZyWALL router. Note: If the new configuration is different from the existing one on Auto Select this to get updated configuration and IDP signatures automatically from the...
Chapter 34 User/Group This chapter describes how to set up user accounts, user groups, and user settings for the ZyWALL. You can also set up rules that control when users have to log in to the ZyWALL before the ZyWALL routes traffic for them.
Chapter 34 User/Group 34.1.2 Ext-User Accounts Set up an Ext-User account if the user is authenticated by an external server and you want to set up specific policies for this user in the ZyWALL. If you do not want to set up policies for this user, you do not have to set up an Ext-User account.
Figure 370 RADIUS Example: Keywords for User Attributes type=user;leaseTime=222;reauthTime=222 34.1.2.2 Creating a Large Number of Ext-User Accounts If you plan to create a large number of Ext-User accounts, you might use CLI commands, instead of the web configurator, to create the accounts. Extract the user names from the LDAP or RADIUS server, and create a shell script that creates the user accounts.
Chapter 34 User/Group This works with HTTP traffic only. The ZyWALL does not force users to log in before it routes other kinds of traffic. The ZyWALL does not automatically route the request that prompted the login, however, so users have to make this request again. 34.2 User Summary The User screen provides a summary of all user accounts.
Figure 372 User/Group > User > Edit The following table describes the labels in this screen. Table 158 User/Group > User > Edit LABEL DESCRIPTION User Name Type the user name for this user account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
Chapter 34 User/Group 34.2.1.1 Rules for User Names Enter a user name from 1 to 31 characters. The user name can only contain the following characters: • Alphanumeric A-Z a-z 0-9 (there is no unicode support) • _ [underscores] • - [dashes] The first character must be alphabetical (A-Z a-z), an underscore (_), or a dash (-).
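When a large number of Ext-User accounts is created from a directory export, as 34.1.2.2 suggests, the names have to satisfy the rules of 34.2.1.1 and the per-user attribute string of Figure 370 has to be well formed before any command is run. The following is an added example, not ZyWALL code: a validator for the user-name rules, a parser for the "type=user;leaseTime=222;reauthTime=222" keyword format, and a planner that sorts an export into accounts that can be created and names that must be fixed first. The export lines are constructed; the ZyWALL CLI command itself is not shown because this page does not give it.

```python
"""Added example, not ZyWALL code: the user-name rules of 34.2.1.1 as a
validator, the attribute keyword string of Figure 370 parsed into fields, and
a planner for the bulk case of 34.1.2.2 that separates creatable accounts from
names needing attention.  Export lines are constructed; the ZyWALL CLI command
is not shown because this page does not give it."""
import re

# First character: letter, underscore or dash; then up to 30 more of A-Z a-z 0-9 _ -
NAME_RE = re.compile(r"^[A-Za-z_-][A-Za-z0-9_-]{0,30}$")


def validate_user_name(name):
    """Return None if the name is acceptable, otherwise the reason it is not."""
    if not isinstance(name, str) or not name:
        return "empty"
    if len(name) > 31:
        return "longer than 31 characters"
    if not name.isascii():
        return "non-ASCII character (no unicode support)"
    if name[0].isdigit():
        return "first character may not be a digit"
    if not NAME_RE.match(name):
        return "contains a character other than A-Z, a-z, 0-9, _ or -"
    return None


def parse_user_attributes(value):
    """Parse 'type=user;leaseTime=222;reauthTime=222'.  Keys are those of
    Figure 370; the two time values are assumed to be whole minutes."""
    attrs = {}
    for field in filter(None, value.split(";")):
        key, sep, val = field.partition("=")
        if not sep or not key.strip():
            raise ValueError("malformed field %r" % field)
        attrs[key.strip()] = val.strip()
    for key in ("leaseTime", "reauthTime"):
        if key in attrs:
            if not attrs[key].isdigit():
                raise ValueError("%s must be a non-negative integer" % key)
            attrs[key] = int(attrs[key])
    return attrs


def plan_ext_users(export):
    """export: iterable of 'name<TAB>attribute-string' lines (constructed
    format).  Returns (accounts to create, rejected (name, reason) pairs).
    Names are case-sensitive, so 'alice' and 'Alice' are two accounts."""
    accounts, rejected, seen = [], [], set()
    for line in export:
        name, _, attr_text = line.rstrip("\n").partition("\t")
        reason = validate_user_name(name)
        if reason is None and name in seen:
            reason = "duplicate"
        if reason is None:
            try:
                attrs = parse_user_attributes(attr_text)
            except ValueError as exc:
                reason = str(exc)
        if reason is not None:
            rejected.append((name, reason))
            continue
        seen.add(name)
        accounts.append({"name": name, **attrs})
    return accounts, rejected


# Constructed export (not real directory data).
SAMPLE_EXPORT = ["alice\ttype=user;leaseTime=222;reauthTime=222",
                 "Alice\ttype=user;leaseTime=60;reauthTime=480",
                 "alice\ttype=user;leaseTime=222;reauthTime=222",
                 "3com-admin\ttype=user;leaseTime=10;reauthTime=10",
                 "bob.smith\ttype=user;leaseTime=10;reauthTime=10",
                 "_svc-backup\ttype=user;leaseTime=abc;reauthTime=10"]
```

Because the ZyWALL compares names case-sensitively, a directory that matches names case-insensitively (Active Directory, for example) can yield two ZyWALL accounts for one directory user; the planner keeps both so the mismatch is visible rather than silently merging them.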
Table 160 User/Group > Group (continued) LABEL DESCRIPTION Member This field lists the members in the user group. Each member is separated by a comma. Add icon This column provides icons to add, edit, and remove user groups. To add a user group, click the Add icon at the top of the column. The Group Add/ Edit screen appears.
Chapter 34 User/Group 34.4 Setting Screen The Setting screen controls default settings, login settings, lockout settings, and other user settings for the ZyWALL. You can also use this screen to specify when users must log in to the ZyWALL before it routes traffic for them. To access this screen, login to the web configurator, and click User/Group >...
Table 162 User/Group > Setting (continued) LABEL DESCRIPTION User Logon Setting Limit ... for administration account Select this check box if you want to set a limit on the number of simultaneous logins by admin users. If you do not select this, admin users can log in as many times as they want at the same time using the same or different IP addresses.
Chapter 34 User/Group Table 162 User/Group > Setting (continued) LABEL DESCRIPTION Page x of x This is the number of the page of entries currently displayed and the total number of pages of entries. Type a page number to go to or use the arrows to navigate the pages of entries.
The following table describes the labels in this screen. Table 163 User/Group > Setting > Force User Authentication Policy > Add/Edit LABEL DESCRIPTION Enable Select this if you want this condition to be active. Description Enter a description for this condition. It can be up to 60 printable ASCII characters long.
Chapter 34 User/Group The following table describes the labels in this screen. Table 164 Web Configurator for Non-Admin Users LABEL DESCRIPTION User-defined lease time (max Access users can specify a lease time shorter than or equal to the one that you specified.
Chapter 35 Addresses This chapter describes how to set up addresses and address groups for the ZyWALL. See Section 5.5 on page 122 35.1 Addresses Overview Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups.
Chapter 35 Addresses Figure 378 Object > Address > Address The following table describes the labels in this screen. See more information as well. Table 165 Object > Address > Address LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific address. Name This field displays the name of each address.
The following table describes the labels in this screen. Table 166 Object > Address > Address > Edit LABEL DESCRIPTION Name Type the name used to refer to the address. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Address Type Select the type of address you want to create.
Chapter 35 Addresses The following table describes the labels in this screen. See more information as well. Table 167 Object > Address > Address Group LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific address group.
Table 168 Object > Address > Address Group > Add (continued) LABEL DESCRIPTION Available This field displays the names of the address and address group objects that can be added to the address group. Select address and address group objects that you want to be members of this group and click the right arrow to add them to the member list.
Chapter 36 Services Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features. See Section 5.5 on page 122 for related information on these screens. 36.1 Services Overview Appendix C on page 703 36.1.1 IP Protocols...
Chapter 36 Services • UDP applications • ICMP messages • user-defined services (for other types of IP protocols) These objects are used in policy routes, firewall rules, and IDP profiles. Use service groups when you want to create the same rule for several services, instead of creating separate rules for each service.
Table 169 Object > Service > Service (continued) LABEL DESCRIPTION Content This field displays a description of each service. Add icon This column provides icons to add, edit, and remove services. To add a service, click the Add icon at the top of the column. The Service Add/ Edit screen appears.
Chapter 36 Services 36.3 Service Group Summary Screen The Service Group summary screen provides a summary of all service groups. In addition, this screen allows you to add, edit, and remove service groups. To access this screen, log in to the web configurator, and click Object > Service > Service Group.
Figure 385 Object > Service > Service Group > Edit The following table describes the labels in this screen. Table 172 Object > Service > Service Group > Edit LABEL DESCRIPTION Name Enter the name of the service group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Chapter 37 Schedules Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, application patrol, and content filtering. See on these screens. 37.1 Schedule Overview The ZyWALL supports two types of schedules: one-time and recurring. One-time schedules are effective only once, while recurring schedules usually repeat.
Chapter 37 Schedules Figure 386 Object > Schedule The following table describes the labels in this screen. See Section 37.2.3 on page 529 Table 173 Object > Schedule LABEL DESCRIPTION One Time This field is a sequential value, and it is not associated with a specific schedule. Name This field displays the name of the schedule, which is used to refer to the schedule.
Figure 387 Object > Schedule > Edit (One Time) The following table describes the labels in this screen. Table 174 Object > Schedule > Edit (One Time) LABEL DESCRIPTION Configuration Name Type the name used to refer to the one-time schedule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
Chapter 37 Schedules Figure 388 Object > Schedule > Edit (Recurring) The Year, Month, and Day columns are not used in recurring schedules and are disabled in this screen. The following table describes the remaining labels in this screen. Table 175 Object > Schedule > Edit (Recurring) LABEL DESCRIPTION Configuration...
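Schedules (37.1) and address objects (35.1) only matter through the policies that reference them; the content filter policy lookup in 31.1.3 is the clearest case, since it matches an HTTP request by source address and schedule and falls back to the "block web access when no policy is applied" setting of Table 146. The following is an added example, not ZyWALL code, that implements a one-time schedule, a recurring schedule (including a window that wraps past midnight), address objects of host, subnet and range type, and a first-match policy lookup with the default action. Weekday selection on recurring schedules, the class shapes and the sample policies are this example's own.

```python
"""Added example, not ZyWALL code: one-time and recurring schedule objects as
described in 37.1, address objects as in 35.1, and the content filter policy
lookup of 31.1.3, which picks the first policy (in priority order) whose
address and schedule match the request and otherwise applies the "block web
access when no policy is applied" setting.  Weekday selection on recurring
schedules, the class shapes and the sample policies are this example's own."""
from datetime import datetime, time
import ipaddress


class OneTimeSchedule:
    """Effective once: from `start` (inclusive) up to `end` (exclusive)."""

    def __init__(self, name, start, end):
        self.name, self.start, self.end = name, start, end

    def active(self, when):
        return self.start <= when < self.end


class RecurringSchedule:
    """Repeats every listed weekday (0 = Monday) between two times of day.
    A window whose end is not after its start wraps past midnight, so
    22:00-06:00 on Monday covers Monday 22:00 to Tuesday 06:00."""

    def __init__(self, name, start, end, weekdays=range(7)):
        self.name, self.start, self.end = name, start, end
        self.weekdays = frozenset(weekdays)

    def active(self, when):
        t, day = when.time(), when.weekday()
        if self.start < self.end:
            return day in self.weekdays and self.start <= t < self.end
        if t >= self.start:
            return day in self.weekdays
        return (day - 1) % 7 in self.weekdays and t < self.end


class AddressObject:
    """Host ('192.168.1.7'), subnet ('192.168.1.0/24') or range ('a-b')."""

    def __init__(self, name, spec):
        self.name = name
        if "-" in spec:
            lo, hi = spec.split("-", 1)
            self.lo, self.hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        else:
            net = ipaddress.ip_network(spec, strict=False)
            self.lo, self.hi = net[0], net[-1]
        if self.lo > self.hi:
            raise ValueError("range start is above range end")

    def contains(self, ip):
        return self.lo <= ipaddress.ip_address(ip) <= self.hi


class ContentFilterPolicy:
    def __init__(self, address, schedule, profile, user=None):
        self.address, self.schedule = address, schedule
        self.profile, self.user = profile, user

    def matches(self, src_ip, when, user=None):
        return (self.address.contains(src_ip) and self.schedule.active(when)
                and (self.user is None or self.user == user))


def select_policy(policies, src_ip, when, user=None):
    """First matching policy in priority order, or None."""
    return next((p for p in policies if p.matches(src_ip, when, user)), None)


def decide(policies, block_when_no_policy, src_ip, when, user=None):
    """('profile', name) when a policy applies, else ('block'|'allow', None)."""
    policy = select_policy(policies, src_ip, when, user)
    if policy is not None:
        return "profile", policy.profile
    return ("block" if block_when_no_policy else "allow"), None


# Constructed objects and policies (priority order = list order).
OFFICE_HOURS = RecurringSchedule("office", time(8, 0), time(18, 0), range(0, 5))
MAINTENANCE = OneTimeSchedule("maint", datetime(2007, 10, 20), datetime(2007, 10, 21))
LAN = AddressObject("LAN", "192.168.1.0/24")
GUESTS = AddressObject("guests", "192.168.1.100-192.168.1.199")
POLICIES = [ContentFilterPolicy(GUESTS, OFFICE_HOURS, "guest-strict"),
            ContentFilterPolicy(LAN, OFFICE_HOURS, "staff-default"),
            ContentFilterPolicy(LAN, MAINTENANCE, "maintenance-open")]
```

Priority order matters: the guest range sits inside the LAN subnet, so the guest policy must precede the staff one or it can never match. The sample also shows why the default action deserves attention: outside office hours none of the recurring policies applies, and whether a LAN host then browses freely or is blocked is decided solely by the "block web access when no policy is applied" check box.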
Chapter 38 AAA Server This chapter introduces and shows you how to configure the ZyWALL to use external authentication servers. 38.1 AAA Server Overview You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The following lists the types of authentication server the ZyWALL supports.
Chapter 38 AAA Server 5 Configure the ASAS as a RADIUS server in the ZyWALL’s Object > AAA Server screens. 6 Give the OTP tokens to (local or remote) users. 38.1.2 User Authentication Method You can select to authenticate users using the local user database and/or a specified authentication server.
Figure 390 Basic Directory Structure Root Countries (c) 38.2.2 Distinguished Name (DN) A DN uniquely identifies an entry in a directory. A DN consists of attribute-value pairs separated by commas. The leftmost attribute is the Relative Distinguished Name (RDN). This provides a unique name for entries that have the same “parent DN”...
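The DN structure described in 38.2.2 is what the Base DN, Bind DN and CN Identifier settings of the following screens operate on, and a DN cannot simply be split on commas, because a comma inside a value is escaped with a backslash. The following is an added example, not ZyWALL code: it splits a DN into its RDN and parent DN respecting RFC 4514 escaping, reads the attribute-value pairs of a (possibly multi-valued) RDN, and tests whether an entry lies under a given Base DN. The sample DNs are constructed, and the assumption that values compare case-insensitively holds for the cn, ou and dc attributes used here.

```python
"""Added example, not ZyWALL code: split a Distinguished Name into its RDN and
parent DN as 38.2.2 describes, respecting RFC 4514 escaping (a ',' or '+'
preceded by '\\' is part of a value, not a separator), and test whether an
entry lies under a Base DN such as the one configured in Table 178.
Sample DNs are constructed."""


def _split_unescaped(text, sep):
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):   # keep the escape pair intact
            cur.append(text[i:i + 2])
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append("".join(cur).strip())
    return parts


def split_dn(dn):
    """['cn=John Smith', 'ou=Sales', 'dc=example', 'dc=com'] for the DN
    cn=John Smith,ou=Sales,dc=example,dc=com (leftmost = RDN)."""
    return _split_unescaped(dn, ",")


def rdn(dn):
    return split_dn(dn)[0]


def parent_dn(dn):
    return ",".join(split_dn(dn)[1:])


def rdn_attributes(rdn_text):
    """A (possibly multi-valued, '+'-joined) RDN as {attribute: value};
    attribute types are case-insensitive, so they are lower-cased."""
    attrs = {}
    for pair in _split_unescaped(rdn_text, "+"):
        attr, sep, value = pair.partition("=")
        if not sep:
            raise ValueError("not an attribute=value pair: %r" % pair)
        attrs[attr.strip().lower()] = value.strip()
    return attrs


def _normalise(dn):
    # Assumption: values use a case-insensitive match (true for cn, ou, dc).
    return [tuple(sorted((k, v.lower()) for k, v in rdn_attributes(r).items()))
            for r in split_dn(dn)]


def is_under(dn, base_dn):
    """True if `dn` is the base entry itself or sits anywhere below it."""
    entry, base = _normalise(dn), _normalise(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def ou_chain(dn):
    """Organizational units from the entry upwards, values kept as written
    (escape sequences included)."""
    return [rdn_attributes(r)["ou"] for r in split_dn(dn)[1:]
            if "ou" in rdn_attributes(r)]
```

A search base that is too broad is the usual mistake when an LDAP group screen is configured; is_under() is the check to run against a sample of user DNs before committing a Base DN, since a user whose DN is not below it will fail to authenticate with no hint as to why.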
Chapter 38 AAA Server Figure 391 Object > AAA Server > Active Directory (or LDAP) > Default The following table describes the labels in this screen. Table 176 Object > AAA Server > Active Directory (or LDAP) > Default LABEL Host Port Bind DN...
1 Click Object > AAA Server > Active Directory (or LDAP) > Group to display the screen. Figure 392 Object > AAA Server > Active Directory (or LDAP) > Group The following table describes the labels in this screen. Table 177 Object > AAA Server > Active Directory (or LDAP) > Group LABEL DESCRIPTION This field displays the index number.
Chapter 38 AAA Server The following table describes the labels in this screen. Table 178 Object > AAA Server > Active Directory (or LDAP) > Group > Add LABEL Configuration Name Port Password Base DN binddn CN Identifier Search time limit Use SSL Host Members...
Figure 394 RADIUS Server Network Example 38.5 Configuring a Default RADIUS Server To configure the default external RADIUS server to use for user authentication, click Object > AAA Server > RADIUS to display the screen as shown. Figure 395 Object > AAA Server > RADIUS > Default The following table describes the labels in this screen.
Chapter 38 AAA Server 38.6 Configuring a Group of RADIUS Servers You can configure a group of RADIUS servers in the RADIUS > Group screen. This is useful if you have more than one authentication server for user authentication in a network. 1 Click Object >...
The following table describes the labels in this screen. Table 181 Object > AAA Server > RADIUS > Group > Add LABEL DESCRIPTION Configuration All RADIUS servers in a group share the same settings in the fields below. Name Enter a descriptive name (up to 63 alphanumeric characters) for identification purposes.
Chapter 39 Authentication Objects This chapter shows you how to select different authentication methods for user authentication using the AAA servers or the internal user database. 39.1 Authentication Objects Overview After you have created the AAA server objects in the AAA Server screens, you can specify the authentication objects (containing the AAA server information) that the ZyWALL uses to authenticate users (using VPN or managing through HTTP/HTTPS).
Chapter 39 Authentication Objects 39.3 Creating an Authentication Object Follow the steps below to create an authentication object. 1 Click Object > Auth. Method. 2 Click Add. 3 Specify a descriptive name for identification purposes in the Name field. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number.
The following table describes the labels in this screen. Table 183 Object > Auth. Method > Add LABEL DESCRIPTION Name Specify a descriptive name for identification purposes. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. For example, “My_Device”.
Chapter 40 Certificates This chapter gives background information about public-key certificates and explains how to use the Certificates screens. See screens. 40.1 Certificates Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs.
Chapter 40 Certificates Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyWALL can check a peer’s certificate against a directory server’s list of revoked certificates.
Be careful to not convert a binary file to text during the transfer process. It is easy for this to occur since many programs use text files by default (an FTP client in ASCII mode, for example, rewrites line endings and corrupts a binary DER file). 40.4 Certificate Configuration Screens Summary This section summarizes how to manage certificates on the ZyWALL. Use the My Certificate screens to generate and export self-signed certificates or certification requests and import the ZyWALL's CA-signed certificates.
Chapter 40 Certificates Figure 402 Certificate Details 4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary depending on your situation. Possible examples would be over the telephone or through an HTTPS connection. Compare the SHA1 thumbprint rather than the MD5 one when both are available, since MD5 collisions are practical and two different certificates can share an MD5 thumbprint.
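Two checks belong with the steps above: that the certificate file survived transfer as binary (the warning before 40.4), and that the thumbprint the owner reports matches the one computed over the certificate actually received. The following is an added example, not ZyWALL code: it tells a DER file from a PEM (Base-64) one, converts between the two, detects the length mismatch a text-mode transfer leaves in a DER file, and formats MD5 and SHA1 fingerprints in the colon-separated form the My Certificates screens show. The DER bytes used are a constructed ASN.1 SEQUENCE, not a real certificate; the fingerprint of a real certificate is computed the same way over its DER encoding.

```python
"""Added example, not ZyWALL code: tell a DER (binary) certificate file from a
PEM (Base-64) one, convert between the two, detect the damage a text-mode
transfer does to a DER file, and produce MD5/SHA1 fingerprints in the
colon-separated form shown in the My Certificates screens so they can be
compared with what the certificate owner reports.  The DER bytes below are a
constructed ASN.1 SEQUENCE, not a real certificate."""
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_length_ok(data):
    """Check the outer ASN.1 SEQUENCE length against the file size; CRLF
    conversion or a stray trailing newline makes the two disagree."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        header, length = 2, first
    else:                                 # long form: 0x8n then n length bytes
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)


def detect_format(data):
    if data[:1] == b"\x30":
        return "DER"
    if PEM_RE.search(data):
        return "PEM"
    raise ValueError("neither DER nor PEM: was the file converted to text in transit?")


def to_der(data):
    if detect_format(data) == "DER":
        if not der_length_ok(data):
            raise ValueError("DER length mismatch: file altered in transit")
        return data
    body = PEM_RE.search(data).group(2)
    return base64.b64decode(b"".join(body.split()), validate=True)


def to_pem(der, label=b"CERTIFICATE"):
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN " + label + b"-----\n" + b"\n".join(lines)
            + b"\n-----END " + label + b"-----\n")


def fingerprint(der, algo="sha1"):
    """'DA:39:A3:...' over the DER encoding, as the Edit screen shows it."""
    return ":".join("%02X" % b for b in hashlib.new(algo, der).digest())


def fingerprints_match(shown, computed):
    """Compare ignoring case and separators.  Prefer the SHA1 value when both
    are shown: MD5 collisions are practical."""
    def clean(s):
        return re.sub(r"[^0-9a-f]", "", s.lower())
    return clean(shown) == clean(computed) and len(clean(shown)) in (32, 40)


# Constructed: SEQUENCE { INTEGER 5 }, i.e. 30 03 02 01 05 (not a certificate).
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
```

A fingerprint is only as trustworthy as the channel it was received over, which is why step 4 insists on a secure method: comparing against a value taken from the same web page or e-mail that delivered the certificate proves nothing.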
The following table describes the labels in this screen. Table 184 Object > Certificate > My Certificates LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL's PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.
Chapter 40 Certificates Figure 404 Object > Certificate > My Certificates > Add The following table describes the labels in this screen. Table 185 Object > Certificate > My Certificates > Add LABEL Name Subject Information Common Name Organizational Unit DESCRIPTION Type a name to identify this certificate.
Table 185 Object > Certificate > My Certificates > Add (continued) LABEL Organization Country Key Type Key Length Enrollment Options Create a self-signed certificate Create a certification request and save it locally for later manual enrollment Create a certification request and enroll for a certificate immediately online Enrollment Protocol...
Chapter 40 Certificates Table 185 Object > Certificate > My Certificates > Add (continued) LABEL Request Authentication Cancel If you configured the My Certificate Create screen to have the ZyWALL enroll a certificate and the certificate enrollment is not successful, you see a screen with a Return button that takes you back to the My Certificate Create screen.
Figure 405 Object > Certificate > My Certificates > Edit The following table describes the labels in this screen. Table 186 Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
Chapter 40 Certificates Table 186 Object > Certificate > My Certificates > Edit LABEL Type Version Serial Number Subject Issuer Signature Algorithm Valid From Valid To Key Algorithm Subject Alternative Name Key Usage Basic Constraint MD5 Fingerprint SHA1 Fingerprint Certificate in PEM (Base-64) Encoded Format DESCRIPTION...
Table 186 Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Export This button displays for a certification request. Use this button to save a copy of the request without its private key. Click this button and then Save in the File Download screen.
Chapter 40 Certificates The following table describes the labels in this screen. Table 187 Object > Certificate > My Certificates > Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it. You cannot import a certificate with the same name as a certificate that is already in the ZyWALL.
Table 188 Object > Certificate > Trusted Certificates (continued) LABEL DESCRIPTION Name This field displays the name used to identify this certificate. Subject This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country).
Chapter 40 Certificates Figure 408 Object > Certificate > Trusted Certificates > Edit The following table describes the labels in this screen. Table 189 Object > Certificate > Trusted Certificates > Edit LABEL Name Certification Path DESCRIPTION This field displays the identifying name of this certificate. You can change the name.
Table 189 Object > Certificate > Trusted Certificates > Edit (continued) LABEL DESCRIPTION Refresh: Click Refresh to display the certification path. Enable X.509v3 CRL Distribution Points and OCSP: Select this check box to have the ZyWALL check incoming certificates that are signed by this certificate against a Certificate Revocation List (CRL) or an OCSP server.
Figure 409 Object > Certificate > Trusted Certificates > Import The following table describes the labels in this screen. Table 190 Object > Certificate > Trusted Certificates > Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it. You cannot import a certificate with the same name as a certificate that is already in the ZyWALL.
Chapter 41 ISP Accounts Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE/PPTP interfaces. See Section 5.5 on page 122. 41.1 ISP Accounts Overview An ISP account is a profile of settings for Internet access using PPPoE or PPTP. See Section 10.6 on page 210 for information about PPPoE/PPTP interfaces.
Chapter 41 ISP Accounts Table 191 Object > ISP Account (continued) LABEL DESCRIPTION User Name This field displays the user name of the ISP account. Add icon This column provides icons to add, edit, and remove ISP accounts. To add information about a new ISP account, click the Add icon at the top of the column.
Table 192 Object > ISP Account > Edit (continued) LABEL DESCRIPTION Encryption Method: This field is available if this ISP account uses the PPTP protocol. Use the drop-down list box to select the type of Microsoft Point-to-Point Encryption (MPPE). Options are: nomppe - This ISP account does not use MPPE.
Chapter 42 SSL Application This chapter describes how to configure SSL application objects for use in SSL VPN. 42.1 SSL Application Overview Configure an SSL application object to specify a service and a corresponding IP address of the server on the local network.
Chapter 42 SSL Application The following table describes the labels in this screen. Table 193 Object > SSL Application LABEL DESCRIPTION This field displays the index number. Name This field displays the name of the object. Address This field displays the IP address/URL of the application server or the location of a file share.
The following table describes the labels in this screen. Table 194 Object > SSL Application > Add/Edit: Web Application LABEL DESCRIPTION Object Type Select Web Application from the drop-down list box. Application Name Enter a descriptive name to identify this object. You can enter up to 31 characters (“0- 9”, “a-z”, “A-Z”, “-”...
Chapter 42 SSL Application 7 Click Apply to save the settings. The configuration screen should look similar to the following figure. Figure 414 Example: SSL Application: Specifying a Web Site for Access 42.3.3 Configuring File Sharing You can specify the name of a folder on a file server (Linux or Windows) which remote users can access.
Table 195 Object > SSL Application > Add/Edit: Web Application LABEL DESCRIPTION Shared Path Specify the IP address, domain name or NetBIOS name (computer name) of the file server and the name of the share to which you want to allow user access. Enter the path in one of the following formats.
Chapter 43 System This chapter provides information on the general system screens. See for details on the system screens that control service access. 43.1 System Overview The system screens can help you configure general ZyWALL information, the system time and the console port connection speed for a terminal emulation program.
Chapter 43 System 43.3 Time and Date This section shows you how: 1 To manually set the ZyWALL date and time. 2 To get the ZyWALL date and time from a time server. For effective scheduling and logging, the ZyWALL system time must be accurate. The ZyWALL’s Real Time Chip (RTC) keeps track of the time and date.
Table 197 System > Date and Time (continued) LABEL DESCRIPTION Manual Select this radio button to enter the time and date manually. If you configure a new time and date, time zone and daylight saving at the same time, the time zone and daylight saving will affect the new time and date you entered.
Chapter 43 System Table 197 System > Date and Time (continued) LABEL End Date Offset Apply Reset 43.3.1 Pre-defined NTP Time Servers List When you turn on the ZyWALL for the first time, the date and time start at 2003-01-01 00:00:00.
Figure 418 Synchronization in Process The Current Time and Current Date fields will display the appropriate settings if the synchronization is successful. If the synchronization was not successful, a log displays in the View Log screen. Try reconfiguring the Date/Time screen. To manually set the ZyWALL date and time.
Chapter 43 System Figure 419 System > Console Port Speed The following table describes the labels in this screen. Table 199 System > Console Port Speed LABEL Configuration Console Port Speed Apply Reset 43.5 DNS Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa.
Figure 420 System > DNS The following table describes the labels in this screen. Table 200 System > DNS LABEL DESCRIPTION Address/PTR Record: This record specifies the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www”...
Chapter 43 System Table 200 System > DNS (continued) LABEL DESCRIPTION From This displays whether the DNS server IP address is assigned by the ISP dynamically through a specified interface or configured manually. DNS Server This is the IP address of a DNS server. This field displays N/A if you have the ZyWALL get a DNS server IP address from the ISP dynamically but the specified interface is not active.
43.5.4 Address Record An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com”...
Chapter 43 System 43.5.7 Domain Zone Forwarder A domain zone forwarder contains a DNS server’s IP address. The ZyWALL can query the DNS server to resolve domain zones for features like VPN, DDNS and the time server. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.
43.5.9 MX Record An MX (Mail eXchange) record indicates which host is responsible for the mail for a particular domain, that is, it controls where mail is sent for that domain. If you do not configure proper MX records for your domain or other domain, external e-mail from other mail servers will not be able to be delivered to your mail server and vice versa.
Chapter 43 System The following table describes the labels in this screen. Table 204 System > DNS > Service Control Rule Edit LABEL DESCRIPTION Address Object Select ALL to allow or deny any computer to send DNS queries to the ZyWALL. Select a predefined address object to just allow or deny the computer with the IP address that you specified to send DNS queries to the ZyWALL.
Chapter 44 Service Control This chapter covers controlling access to the ZyWALL. See general system configuration screens. 44.1 Service Control Overview Use this chapter to control which services can access the ZyWALL. The following figure shows secure and insecure management of the ZyWALL coming in from the WAN.
Chapter 44 Service Control 44.1.1 Service Access Limitations A service cannot be used to access the ZyWALL when: 1 You have disabled that service in the corresponding screen. 2 The allowed IP address (address object) in the Service Control table does not match the client IP address (the ZyWALL disallows the session).
Figure 427 HTTP/HTTPS Implementation If you disable HTTP in the WWW screen, then the ZyWALL blocks all HTTP connection attempts. 44.3 Configuring WWW Click System > WWW to open the WWW screen. Use this screen to specify from which zones you can access the ZyWALL using HTTP or HTTPS. You can also specify which IP addresses the access can come from.
Chapter 44 Service Control Figure 428 System > WWW The following table describes the labels in this screen. Table 206 System > WWW LABEL DESCRIPTION HTTPS Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL web configurator using secure HTTPs connections.
Table 206 System > WWW (continued) LABEL DESCRIPTION Admin/User Service Control: Admin Service Control specifies from which zones an administrator can use HTTPS to manage the ZyWALL (using the web configurator). You can also specify the IP addresses from which the administrators can manage the ZyWALL. User Service Control specifies from which zones a user can use HTTPS to log into the ZyWALL (to log into SSL VPN for example).
Chapter 44 Service Control Table 206 System > WWW (continued) LABEL DESCRIPTION Client Authentication Method: Select a method the HTTPS or HTTP server uses to authenticate a client. You must have configured the authentication methods in the Auth. Method screen. Apply: Click Apply to save your changes back to the ZyWALL.
44.5.1 Internet Explorer Warning Messages When you attempt to access the ZyWALL HTTPS server, a Windows dialog box pops up asking if you trust the server certificate. Click View Certificate if you want to verify that the certificate is from the ZyWALL. You see the following Security Alert screen in Internet Explorer.
Chapter 44 Service Control Figure 431 Security Certificate 1 (Netscape) Figure 432 Security Certificate 2 (Netscape) 44.5.3 Avoiding Browser Warning Messages The following describes the main reasons that your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnings. •...
44.5.4 Login Screen After you accept the certificate, the ZyWALL login screen appears. The lock displayed in the bottom of the browser status bar denotes a secure connection. Figure 433 Login Screen (Internet Explorer) 44.5.5 Enrolling and Importing SSL Client Certificates The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL.
Chapter 44 Service Control Figure 435 CA Certificate Example 2 Click Install Certificate and follow the wizard as shown earlier in this appendix. 44.5.5.2 Installing Your Personal Certificate(s) You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment.
2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 437 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA. Figure 438 Personal Certificate Import Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.
Chapter 44 Service Control Figure 439 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process. Figure 440 Personal Certificate Import Wizard 5 6 You should see the following screen when the certificate is correctly installed on your computer.
44.5.6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS. 1 Enter https://ZyWALL IP Address/ in your browser’s web address field. Figure 442 Access the ZyWALL Via HTTPS 2 When Authenticate Client Certificates is selected on the ZyWALL, the following screen asks you to select a personal certificate to send to the ZyWALL.
Chapter 44 Service Control 44.6 SSH You can use SSH (Secure SHell) to securely access the ZyWALL’s command line interface. Specify which zones allow SSH access and from which IP address the access can come. SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network.
The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer. 2 Encryption Method Once the identification is verified, both the client and server must agree on the type of encryption method to use.
Chapter 44 Service Control The following table describes the labels in this screen. Table 208 System > SSH LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL CLI using this service.
Figure 448 SSH Example 1: Store Host Key Enter the password to log in to the ZyWALL. The CLI screen displays next. 44.7.2 Example 2: Linux This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distributions.
Chapter 44 Service Control 3 The CLI screen displays next. 44.8 Telnet You can use Telnet to access the ZyWALL’s command line interface. Specify which zones allow Telnet access and from which IP address the access can come. 44.8.1 Configuring Telnet Click System >...
Table 209 System > Telnet (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 44.9 Configuring FTP You can upload and download the ZyWALL’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client.
Chapter 44 Service Control Table 210 System > FTP (continued) LABEL DESCRIPTION Address This is the object name of the IP address(es) with which the computer is allowed or denied to access. Action This displays whether the computer with the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny).
An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions.
Chapter 44 Service Control 44.10.3 Configuring SNMP To change your ZyWALL’s SNMP settings, click System > SNMP tab. The screen appears as shown. Use this screen to configure your SNMP settings, including from which zones SNMP can be used to access the ZyWALL. You can also specify from which IP addresses the access can come.
Table 212 System > SNMP (continued) LABEL DESCRIPTION Add icon Click the Add icon in the heading row to open a screen where you can add a new rule. Refer to Click the Edit icon to go to the screen where you can edit the rule. Click the Add icon in an entry to add a rule below the current entry.
Chapter 44 Service Control Figure 455 System > Dial-in Mgmt The following table describes the labels in this screen. Table 213 System > Dial-in Mgmt LABEL Enable Description Mute Answer Rings Port Speed Initial String Advanced/Basic Apply Reset 44.13 Vantage CNM Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide.
44.14 Configuring Vantage CNM Vantage CNM is disabled on the device by default. Click System > Vantage CNM to configure your device’s Vantage CNM settings. Figure 456 System > Vantage CNM The following table describes the labels in this screen. Table 214 System >...
Chapter 44 Service Control Table 214 System > Vantage CNM (continued) LABEL DESCRIPTION HTTPS Authentication: When you are using HTTPS, select this option to have the ZyWALL authenticate the Vantage CNM server’s certificate. In order to do this you need to import the Vantage CNM server’s public key (certificate) into the ZyWALL’s trusted certificates. Vantage Certificate, Advanced/Basic, Apply, Reset: ...
Chapter 45 File Manager This chapter covers how to use the ZyWALL’s File Manager screens to handle the ZyWALL’s configuration, firmware and shell script files. 45.1 Configuration Files and Shell Scripts Overview The File Manager screens allow you to store multiple configuration files and shell script files. When you apply a configuration file, the ZyWALL uses the factory default settings for any features that the configuration file does not include.
Chapter 45 File Manager While configuration files and shell scripts have the same syntax, the ZyWALL applies configuration files differently than it runs shell scripts. This is explained below. Table 215 Configuration Files and Shell Scripts in the ZyWALL Configuration Files (.conf) •...
Lines 1 and 2 are comments. Line 5 exits sub command mode.
! this is from Joe
# on 2006/06/05
interface ge1
ip address dhcp
45.1.2 Errors in Configuration Files or Shell Scripts When you apply a configuration file or run a shell script, the ZyWALL processes the file line-by-line.
Chapter 45 File Manager You can change the way the startup-config.conf file is applied. Include the setenv-startup stop-on-error off command. The ZyWALL then ignores any errors in the startup-config.conf file and applies all of the valid commands. The ZyWALL still generates a log for any errors. 45.2 Configuration File Screen Click Maintenance >...
The following table describes the labels in this screen. Table 216 Maintenance > File Manager > Configuration File LABEL DESCRIPTION Download Click a configuration file’s row to select it and click Download to save the configuration to your computer. Copy Use this button to save a duplicate of a configuration file on the ZyWALL.
Chapter 45 File Manager Table 216 Maintenance > File Manager > Configuration File (continued) LABEL DESCRIPTION This column displays the number for each configuration file entry. The total number of configuration files that you can save depends on the sizes of the configuration files and the available flash storage space.
The ZyWALL’s firmware package cannot go through the ZyWALL when you enable the anti-virus Destroy compressed files that could not be decompressed option. The ZyWALL classifies the firmware package as not being able to be decompressed and deletes it. You can upload the firmware package to the ZyWALL with the option enabled, so you only need to clear the Destroy compressed files that could not be decompressed option while you download the firmware package.
Chapter 45 File Manager Figure 462 Firmware Upload In Process The ZyWALL automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. Figure 463 Network Temporarily Disconnected After five minutes, log in again and check your new firmware version in the HOME screen.
Figure 465 Maintenance > File Manager > Shell Script Each field is described in the following table. Table 218 Maintenance > File Manager > Shell Script LABEL DESCRIPTION Download Click a shell script file’s row to select it and click Download to save the configuration to your computer.
Chapter 45 File Manager Table 218 Maintenance > File Manager > Shell Script (continued) LABEL DESCRIPTION Rename Use this button to change the label of a shell script file on the ZyWALL. You cannot rename a shell script to the name of another shell script in the ZyWALL. Click a shell script’s row to select it and click Rename to open the Rename File screen.
Chapter 46 Logs This chapter provides general information about the ZyWALL’s log feature. See on page 663 for individual log descriptions. The following table displays the maximum number of system log messages in the ZyWALL. Table 219 Specifications: Logs LABEL Maximum Number of Log Messages (System Log) Maximum Number of Log Messages (Debug Log)
Chapter 46 Logs Figure 468 Maintenance > Log > View Log If an event generates log messages and alerts, it is displayed in red. Otherwise, it is displayed in black. The following table describes the labels in this screen. Table 220 Maintenance > Log > View Log LABEL DESCRIPTION Show Filter /...
Table 220 Maintenance > Log > View Log (continued) LABEL DESCRIPTION Keyword Type a keyword to look for in the Message, Source, Destination and Note fields. If a match is found in any field, the log message is displayed. You can use up to 63 alphanumeric characters and the underscore, as well as punctuation marks ()’...
Chapter 46 Logs For alerts, the Log Settings tab controls which events generate alerts and where alerts are e-mailed. The Log Settings Summary screen provides a summary of all the settings. You can use the Log Settings Edit screen to maintain the detailed settings (such as log categories, e-mail addresses, server names, etc.) for any log.
Table 221 Maintenance > Log > Log Setting (continued) LABEL DESCRIPTION Modify This column provides icons to activate or deactivate logs and to modify the settings. To activate or deactivate a log, click the Active icon. Make sure you click Apply to save and apply the change.
The following table describes the labels in this screen. Table 222 Maintenance > Log > Log Setting > E-mail > Edit LABEL DESCRIPTION E-Mail Server 1/2 Active Select this to send log messages and alerts according to the information in this section.
Chapter 46 Logs Table 222 Maintenance > Log > Log Setting > E-mail > Edit (continued) LABEL DESCRIPTION Consolidation Active Select this to activate log consolidation. Log consolidation aggregates multiple log messages that arrive within the specified Log Consolidation Interval. In the View Log tab, the text “[count=x]”, where x is the number of original log messages, is appended at the end of the Message field, when multiple log messages were aggregated.
Chapter 46 Logs The following table describes the labels in this screen. Table 223 Maintenance > Log > Log Setting > Remote Server > Edit LABEL DESCRIPTION Log Settings for Remote Server 1 Active Select this check box to send log information according to the information in this section.
Figure 472 Active Log Summary This screen provides a different view and a different way of indicating which messages are included in each log and each alert. Please see is discussed. (The Default category includes debugging messages generated by open source software.) The following table describes the fields in this screen.
Chapter 46 Logs Table 224 Maintenance > Log > Log Setting > Active Log Summary (continued) LABEL DESCRIPTION Selection Select what information you want to log from each Log Category (except All Logs; see below). Choices are: disable all logs (red X) - do not log any information from this category enable normal logs (green checkmark) - log regular information and alerts from this category enable all logs (yellow checkmark) - log regular information, alerts, and debugging...
Chapter 47 Reports This chapter provides information about the report screens. 47.1 Traffic Screen Click Maintenance > Report > Traffic to display the Traffic screen. The Traffic screen provides basic information about the following metrics: • Most-visited Web sites and the number of times each one was visited. This count may not be accurate in some cases because the ZyWALL counts HTTP GET packets.
Chapter 47 Reports Figure 473 Maintenance > Report > Traffic There is a limit on the number of records shown in the report. Please see for more information. The following table describes the labels in this screen. Table 225 Maintenance > Report > Traffic LABEL DESCRIPTION Data Collection...
Table 225 Maintenance > Report > Traffic (continued) LABEL DESCRIPTION Traffic Type Select the type of report to display. Choices are: Host IP Address/User - displays the IP addresses or users with the most traffic and how much traffic has been sent to and from each one. Service/Port - displays the most-used protocols or service ports and the amount of traffic for each one.
Chapter 47 Reports Table 225 Maintenance > Report > Traffic (continued) LABEL DESCRIPTION Web Site: This field displays the domain names most often visited. The ZyWALL counts each page viewed on a Web site as another hit. The maximum number of domain names in this report is indicated in Hits: This field displays how many hits the Web site received.
Figure 474 Maintenance > Report > Session The following table describes the labels in this screen. Table 227 Maintenance > Report > Session LABEL DESCRIPTION View Select how you want the information to be displayed. Choices are: sessions by users - display all active sessions by user sessions by services - display all active sessions by service or protocol all sessions - filter the active sessions by the User, Service, Source Address, and Destination Address, and display them by user.
Chapter 47 Reports Table 227 Maintenance > Report > Session (continued) LABEL DESCRIPTION Protocol/Service: This field displays the protocol used in each active session. If you are looking at the sessions by services report, click the blue plus sign (+) next to each protocol to look at detailed session information by user.
Table 228 Maintenance > Report > Anti-Virus (continued) LABEL DESCRIPTION Infected Files Detected: This field displays the number of files in which the ZyWALL has detected a virus. Top Entry By: Use this field to have the following (read-only) table display the top anti-virus entries by Virus Name, Source or Destination.
Chapter 47 Reports Figure 478 Maintenance > Report > IDP: Signature Name The following table describes the labels in this screen. Table 229 Maintenance > Report > IDP LABEL DESCRIPTION Collect Select this check box to have the ZyWALL collect IDP statistics. Statistics The collection starting time displays after you click Apply.
Table 229 Maintenance > Report > IDP (continued) LABEL DESCRIPTION Type: This column displays when you display the entries by Signature Name. It shows the categories of intrusions. See Severity: This column displays when you display the entries by Signature Name. It shows the level of threat that the intrusions may pose.
Chapter 48 Diagnostics This chapter covers how to use the Diagnostics screen. 48.1 Diagnostics The Diagnostics screen provides an easy way for you to generate a file containing the ZyWALL’s configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting.
Chapter 49 Reboot Use this to restart the device (for example, if the device begins behaving erratically). See also Section 1.4 on page 55 for information on different ways to start and stop the ZyWALL. If you applied changes in the Web configurator, these were saved automatically and do not change when you reboot.
Chapter 50 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. I cannot set up an IPSec VPN tunnel to another device. If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers.
Chapter 50 Troubleshooting Routing policies define how the ZyWALL forwards packets to their destinations. You must create a policy route for the ZyWALL to route VPN traffic through a VPN tunnel to the remote network. The VPN wizard automatically creates a corresponding policy route. If you use the VPN > IPSec VPN or VPN >...
If you want to reboot the device without changing the current configuration, see page 649. 1 Make sure the SYS LED is on and not blinking. 2 Press the RESET button and hold it until the SYS LED begins to blink. (This usually takes about five seconds.) 3 Release the RESET button, and wait for the ZyWALL to restart.
VIII Appendices and Index Product Specifications (657) Common Services (703) Displaying Anti-Virus Alert Messages in Windows (707) Open Software Announcements (719) Legal Information (755) Customer Support (759) Index (765)
Appendix A Product Specifications The following specifications are subject to change without notice. See for a general overview of key features. This table provides basic device specifications. Table 231 Default Login Information ATTRIBUTE Default IP Address (ge1) 192.168.1.1 Default Subnet Mask (ge1) Default Password...
Appendix A Product Specifications Table 233 Feature Specifications VERSION # FEATURE # of MAC Flash Size DRAM Size INTERFACE VLAN Virtual (alias) Bridge ROUTING Static Routes Policy Routes Sessions Virtual Servers Trigger Port Rules HTTP Redirect New Session Rate (sessions per second) FIREWALL Firewall ACL Rules...
Table 233 Feature Specifications (continued) VERSION # FEATURE Service Groups Schedule Objects ISP Accounts Maximum Number of LDAP Groups Maximum Number of LDAP Servers for Each LDAP Group Maximum Number of RADIUS Groups Maximum Number of RADIUS Servers for Each RADIUS Group Maximum Number of Authentication Methods Maximum Number of Zones...
Appendix A Product Specifications Table 233 Feature Specifications (continued) VERSION # FEATURE Maximum Number of Content Filter Policies Maximum Number of Content Filter Profiles Maximum Number of Forbidden Domain Entries Maximum Number of Trusted Domain Entries Maximum Number of Keywords that Can Be Blocked Local Cache Size Maximum Number of Connections...
Table 234 Standards Referenced by Features (continued) FEATURE Built-in service, SNMP agent Login, LDAP support. Used by Apache Built-in service, FTP server Used by Centralized log Login, new PAM module Built-in service, NTP client Used by SSH service Used by Time service Used by Telnet service Used by SIP ALG DHCP relay...
Appendix B Log Descriptions This appendix provides descriptions of example log messages. Table 235 Content Filter Logs LOG MESSAGE Content filter has been enabled Content filter has been disabled Table 236 Forward Web Site Logs LOG MESSAGE %s: Trusted Web site %s: Service is not registered...
Appendix B Log Descriptions Table 237 Blocked Web Site Logs (continued) LOG MESSAGE %s: Service is unavailable %s: %s(cache hit) %s: Not in trusted web list %s: Contains ActiveX %s: Contains Java applet %s: Contains cookie %s: Proxy mode is detected %s: Forbidden Web site The web site is in forbidden web site list.
Table 238 User Logs LOG MESSAGE %s %s has logged in from %s %s %s has logged out from %s %s %s from %s has been logged out (re-auth timeout) %s %s from %s has been logged out (lease timeout) %s %s from %s has been logged out (idle timeout)
Appendix B Log Descriptions Table 239 myZyXEL.com Logs LOG MESSAGE Send registration message to MyZyXEL.com server has failed. Get server response has failed. Timeout for get server response. User has existed. User does not exist. Internal server error. MyZyXEL.com's database had an error when checking the user name. Device registration has failed:%s.
Table 239 myZyXEL.com Logs (continued) LOG MESSAGE Service expiration check has succeeded. Service expiration check has failed. Because of lack must fields. Server setting error. Resolve server IP has failed. Verify server's certificate has failed. Connect to MyZyXEL.com server has failed. Do account check.
Appendix B Log Descriptions Table 239 myZyXEL.com Logs (continued) LOG MESSAGE Update server is busy now. File download after %d seconds. Device has latest file. No need to update. Device has latest signature file; no need to update Connect to update server has failed.
Table 239 myZyXEL.com Logs (continued) LOG MESSAGE Do expiration daily- check has failed. Because of lack must fields. Server setting error. Do expiration daily- check has failed. Do expiration daily- check has succeeded. Expiration daily- check will trigger PPP interface. Do self- check.
Appendix B Log Descriptions Table 239 myZyXEL.com Logs (continued) LOG MESSAGE Certification verification failed: Depth: %d, Error Number(%d):%s. Certificate issuer name:%s. The wrong format for HTTP header. Timeout for get server response. Download file size is wrong. Parse HTTP header has failed.
Table 240 IDP Logs (continued) LOG MESSAGE IDP service standard license is expired. Update signature failed. IDP service standard license is not registered. Update signature failed. IDP service trial license is expired. Update signature failed. IDP service trial license is not registered.
Table 242 IKE Logs (continued) LOG MESSAGE Cannot resolve My IP Addr %s for Tunnel [%s] Cannot resolve Secure Gateway Addr %s for Tunnel [%s] Could not dial dynamic tunnel "%s" Could not dial incomplete tunnel "%s" Could not dial manual key tunnel "%s"...
Appendix B Log Descriptions Table 242 IKE Logs (continued) LOG MESSAGE The cookie pair is : 0x%08x%08x / 0x%08x%08x The IPSec tunnel "%s" is already established Tunnel [%s] built successfully Tunnel [%s] Phase 1 pre-shared key mismatch Tunnel [%s] Recving IKE request Tunnel [%s] Sending IKE request...
Appendix B Log Descriptions Table 244 Firewall Logs LOG MESSAGE priority:%lu, from %s to %s, service %s, %s %s:%d: in %s(): Firewall has been %s. Firewall rule %d has been moved to %d. Firewall rule %d has been deleted. Firewall rules have been flushed.
Table 246 Policy Route Logs (continued) LOG MESSAGE Cannot get handle from UAM, user-aware PR is disabled mblock: allocate memory failed! pt: allocate memory failed! To send message to policy route daemon failed! The policy route %d allocates memory fail! The policy route %d uses empty user group! The policy route %d...
Appendix B Log Descriptions Table 247 Built-in Services Logs LOG MESSAGE User on %u.%u.%u.%u has been denied access from %s HTTPS certificate:%s does not exist. HTTPS service will not work. HTTPS port has been changed to port %s. HTTPS port has been changed to default port.
Table 247 Built-in Services Logs (continued) LOG MESSAGE Console baud has been changed to %s. Console baud has been reset to %d. DHCP Server on Interface %s will not work due to Device HA status is Stand-By DHCP Server on Interface %s will be reapplied due to Device HA status is...
Appendix B Log Descriptions Table 247 Built-in Services Logs (continued) LOG MESSAGE The default record of Zone Forwarder have reached the maximum number of 128 DNS servers. Interface %s ping check is successful. Zone Forwarder adds DNS servers in records. Interface %s ping check is failed.
Table 247 Built-in Services Logs (continued) LOG MESSAGE Access control rule %d of %s was moved to %d. SNMP trap can not be sent successfully Table 248 System Logs LOG MESSAGE Port %d is up!! Port %d is down!! %s is dead at %s %s process count is incorrect at %s %s becomes Zombie at...
Appendix B Log Descriptions Table 248 System Logs (continued) LOG MESSAGE Receive an ARP response from an unknown client In total, received %d arp response packets for the requested IP address Clear arp cache successfully. Client MAC address is not an Ehernet address DHCP request received via interface %s (%s:%s), src_mac:...
Table 248 System Logs (continued) LOG MESSAGE Update the profile %s has failed because the FQDN %s is not under your control. Update the profile %s has failed because the FQDN %s was blocked for abuse. Update the profile %s has failed because of authentication fail.
Appendix B Log Descriptions Table 248 System Logs (continued) LOG MESSAGE Update the profile %s has failed because Custom IP was empty. Update the profile %s has failed because WAN interface was empty. The profile %s has been paused because the VRRP status of WAN interface was standby.
Table 248 System Logs (continued) LOG MESSAGE DDNS has been enabled by Device-HA. Disable DDNS has succeeded. Enable DDNS has succeeded. DDNS profile %s has been renamed as %s. DDNS profile %s has been deleted. DDNS Initialization has failed. All DDNS profiles are deleted Table 249 Connectivity Check Logs LOG MESSAGE...
Appendix B Log Descriptions Table 249 Connectivity Check Logs (continued) LOG MESSAGE Can't get remote address of %s interface Can't get NETMASK address of %s interface Can't get BROADCAST address of %s interface Can't use MULTICAST IP for destination The destination is invalid, because destination IP is broadcast IP...
Table 250 Device HA Logs (continued) LOG MESSAGE Master configuration is the same with Backup. Skip updating %s file not existed, Skip syncing it for %s Master firmware version can not be recognized. Stop syncing from Master. Device HA Sync has failed when syncing %s for %s due to bad \"Sync Password\".
Appendix B Log Descriptions Table 250 Device HA Logs (continued) LOG MESSAGE Device HA authentication type for VRRP group %s maybe wrong. Device HA authenticaton string of text for VRRP group %s maybe wrong. Device HA authentication string of AH for VRRP group %s maybe wrong.
Table 251 Routing Protocol Logs LOG MESSAGE RIP on interface %s has been stopped because Device-HA binds this interface. RIP on all interfaces have been stopped Invalid RIP md5 authentication Invalid RIP text authentication. RIP on interface %s has been activated. RIP direction on interface %s has been changed to In-Only.
Appendix B Log Descriptions Table 251 Routing Protocol Logs (continued) LOG MESSAGE RIP md5 authentication id and key have been deleted. RIP global version has been deleted. RIP redistribute OSPF routes has been disabled. RIP redistribute static routes has been disabled.
Table 251 Routing Protocol Logs (continued) LOG MESSAGE Invalid OSPF virtual- link %s authentication of area %s. Invalid OSPF md5 authentication on interface %s. Invalid OSPF text authentication on interface %s. Interface %s does not belong to any OSPF area. Invalid OSPF authentication of area %s on interface %s.
Appendix B Log Descriptions Table 252 NAT Logs (continued) LOG MESSAGE Register H.323 ALG extra port=%d failed. Register H.323 ALG signal port=%d failed. Register FTP ALG extra port=%d failed. Register FTP ALG signal port=%d failed. Table 253 PKI Logs LOG MESSAGE Generate X509certifiate "%s"...
Table 253 PKI Logs (continued) LOG MESSAGE Import X509 certificate "%s" into My Certificate successfully Import X509 certificate "%s" into Trusted Certificate successfully Import PKCS#12 certificate "%s" into "My Certificate" successfully Import PKCS#7 certificate "%s" into "My Certificate" successfully Import PKCS#7 certificate "%s"...
Appendix B Log Descriptions Table 253 PKI Logs (continued) LOG MESSAGE Export X509 certificate "%s" from "My Certificate" failed Import PKCS#12 certificate "%s" with incorrect password Cert trusted: %s Due to %d, cert not trusted: %s CODE DESCRIPTION Algorithm mismatch between the certificate and the search constraints. Key usage mismatch between the certificate and the search constraints.
CODE DESCRIPTION Path was not verified. Maximum path length reached. Table 254 Interface Logs LOG MESSAGE Interface %s has been deleted. AUX Interface dialing failed. This AUX interface is not enabled. AUX Interface disconnecting failed. This AUX interface is not enabled. Please type phone number of interface AUX first then dial...
Appendix B Log Descriptions Table 254 Interface Logs (continued) LOG MESSAGE %s MTU > (%s MTU - 8), %s may not work correctly. (%s MTU - 8) < %s MTU, %s may not work correctly. Interface %s links down. Default route will not apply until interface %s links up.
Appendix B Log Descriptions Table 257 Force Authentication Logs LOG MESSAGE Force User Authentication will be enabled due to http server is enabled. Force User Authentication will be disabled due to http server is disabled. Force User Authentication may not work properly! Table 258 File Manager Logs LOG MESSAGE...
Appendix C Common Services The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Number Authority) web site. •...
Appendix C Common Services Table 259 Commonly Used Services (continued) NAME H.323 HTTP HTTPS ICMP IGMP (MULTICAST) MSN Messenger NEW-ICQ NEWS NNTP PING POP3 PPTP PPTP_TUNNEL (GRE) RCMD REAL_AUDIO REXEC RLOGIN RTELNET PROTOCOL PORT(S) DESCRIPTION File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.
Table 259 Commonly Used Services (continued) NAME PROTOCOL RTSP TCP/UDP SFTP SMTP SNMP TCP/UDP SNMP-TRAPS TCP/UDP SQL-NET TCP/UDP STRM WORKS SYSLOG TACACS TELNET TFTP VDOLIVE PORT(S) DESCRIPTION The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet.
Appendix D Displaying Anti-Virus Alert Messages in Windows With the anti-virus packet scan, when a virus is detected, you can have the ZyWALL display an alert message on Microsoft Windows-based computers. If the log shows that virus files are being detected but your Microsoft Windows-based computer is not displaying an alert message, use one of the following procedures to make sure your computer is set to display the messages.
Appendix D Displaying Anti-Virus Alert Messages in Windows Figure 484 Windows XP: Starting the Messenger Service 3 Close the window when you are done. Windows 2000 1 Click Start > Settings > Control Panel > Administrative Tools > Services. Figure 485 Windows 2000: Opening the Services Window 2 Select the Messenger service and click Start Service.
Figure 486 Windows 2000: Starting the Messenger Service 3 Close the window when you are done. Windows 98 SE/Me For Windows 98 SE/Me, you must open the WinPopup window in order to view real-time alert messages. Click Start > Run and enter “winpopup” in the field provided and click OK. The WinPopup window displays as shown.
Appendix D Displaying Anti-Virus Alert Messages in Windows Figure 489 Windows 98 SE: Task Bar Properties 3 Double-click Programs and click StartUp. 4 Right-click in the StartUp pane and click New, Shortcut. Figure 490 Windows 98 SE: StartUp 5 A Create Shortcut window displays. Enter “winpopup” in the Command line field and click Next.
Figure 491 Windows 98 SE: Startup: Create Shortcut 6 Specify a name for the shortcut or accept the default and click Finish. Figure 492 Windows 98 SE: Startup: Select a Title for the Program 7 A shortcut is created in the StartUp pane. Restart the computer when prompted.
Appendix D Displaying Anti-Virus Alert Messages in Windows Figure 493 Windows 98 SE: Startup: Shortcut The WinPopup window displays after the computer finishes the startup process (see Figure 487 on page 709).
Appendix E Importing Certificates This appendix shows examples of importing certificates using Netscape Navigator and Internet Explorer 5. This appendix uses the ZyWALL 70 as an example. Other models should be similar. Import ZyWALL Certificates into Netscape Navigator In Netscape Navigator, you can permanently trust the ZyWALL’s server certificate by importing it into your operating system as a trusted certification authority.
Appendix E Importing Certificates Figure 495 Login Screen 2 Click Install Certificate to open the Install Certificate wizard. Figure 496 Certificate General Information before Import 3 Click Next to begin the Install Certificate wizard.
Figure 497 Certificate Import Wizard 1 4 Select where you would like to store the certificate and then click Next. Figure 498 Certificate Import Wizard 2 5 Click Finish to complete the Import Certificate wizard.
No part may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, except the express written permission of ZyXEL Communications Corporation. This Product includes ppp-2.4.2 software under the PPP License PPP License Copyright (c) 1993 The Australian National University.
Appendix F Open Software Announcements This Product includes Netkit Telnet -0.17 software under the Netkit Telnet License Netkit Telnet License Copyright (c) 1989 Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1.Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
This Product includes expat-1.95.6 software under the Expat License Expat License Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:...
Appendix F Open Software Announcements This Product includes openssl-0.9.8d-ocf software under the OpenSSL License OpenSSL The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts.
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). Original SSLeay License Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved.
Appendix F Open Software Announcements This Product includes libevent-1.1a and xinetd-2.3.14 software under a 3-clause BSD License. A 3-clause BSD-style license. This is a Free Software License • This license is compatible with The GNU General Public License, Version 1 •...
The ISC license for bind is: Copyright (c) 1993-1999 by Internet Software Consortium. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
Appendix F Open Software Announcements Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor"...
Appendix F Open Software Announcements 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty- free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.
Appendix F Open Software Announcements 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.
Products derived from this software may not be called "Apache", nor may "Apache" appear in their name, without prior written permission of the Apache Software Foundation. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Appendix F Open Software Announcements This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below.
Appendix F Open Software Announcements For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries.
Appendix F Open Software Announcements 2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) The modified work must itself be a software library.
Appendix F Open Software Announcements However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.
Appendix F Open Software Announcements It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. 7.
Appendix F Open Software Announcements 12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
Appendix F Open Software Announcements This Product includes bridge-utils, dhcpcd-1.3.22-pl4, rp-pppoe-3.5, vlan-1.8, keepalived-1.1.11-p1, quagga-0.99.2, ez-ipupdate-3.0.11b7, proftpd-1.2.10, libol-0.3.14, syslog-ng-1.6.5, pam-0.76, bison, tzcode2006c, iproute2, iptables-1.2.11/netfilter(kernel), dhcp-helper, busybox, Linux kernel, and pptp-linux-1.4.0 software under GPL license. GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
Appendix F Open Software Announcements TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program"...
Appendix F Open Software Announcements right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
Appendix F Open Software Announcements 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License.
Appendix F Open Software Announcements FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12.
AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This Product includes libxml2-2.6.8 software under the MIT License The MIT License Copyright (c) <year>...
Appendix F Open Software Announcements THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Appendix F Open Software Announcements 2.1 GUBUSOFT hereby grants Customer the following non-exclusive, non-transferable right to use the SOFTWARE. 2.1.3 LIMITATIONS Customer may not rent, lease, or transfer the rights to the SOFTWARE to someone else. Customer may redistribute and use SOFTWARE in source code form provided (a) Customer Applications of SOFTWARE add primary and substantial functionality, and are not merely a set or subset of any of the functionality of the SOFTWARE, or a set or subset of any of the code or other files of the SOFTWARE;...
Appendix F Open Software Announcements Defensive Suspension. If Customer commences or participates in any legal proceeding against GUBUSOFT, then GUBUSOFT may, in its sole discretion, suspend or terminate all license grants and any other rights provided under this LICENSE during the pendency of such legal proceedings.
This Product includes overLIB software under the overLIB License (Artistic) License (Artistic) Preamble The intent of this document is to state the conditions under which a Package may be copied, such that the Copyright Holder maintains some semblance of artistic control over the development of the package, while giving the users of the package the right to use and distribute the Package in a more-or-less customary fashion, plus the right to make reasonable modifications.
Appendix F Open Software Announcements make other distribution arrangements with the Copyright Holder. You may distribute the programs of this Package in object code or executable form, provided that you do at least ONE of the following: distribute a Standard Version of the executables and library files, together with instructions (in the manual page or equivalent) on where to get the Standard Version.
Appendix F Open Software Announcements BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS. 1.
Appendix F Open Software Announcements ii.Mechanical Rights and Statutory Royalties. Licensor waives the exclusive right to collect, whether individually or via a music rights agency or designated agent (e.g. Harry Fox Agency), royalties for any phonorecord You create from the Work ("cover version") and distribute, subject to the compulsory license created by 17 USC Section 115 of the US Copyright Act (or the equivalent in other jurisdictions).
Appendix F Open Software Announcements 5. Representations, Warranties and Disclaimer UNLESS OTHERWISE MUTUALLY AGREED TO BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER...
Technical Support. End-User License Agreement for "ZyWALL " WARNING: ZyXEL Communications Corp. IS WILLING TO LICENSE THE ENCLOSED SOFTWARE TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS LICENSE AGREEMENT. PLEASE READ THE TERMS CAREFULLY BEFORE COMPLETING THE INSTALLATION PROCESS AS INSTALLING THE SOFTWARE WILL INDICATE YOUR ASSENT TO THEM.
Appendix F Open Software Announcements You have no ownership rights in the Software. Rather, you have a license to use the Software as long as this License Agreement remains in full force and effect. Ownership of the Software, Documentation and all intellectual property rights therein shall remain at all times with ZyXEL.
Appendix F Open Software Announcements THE WAIVER OR EXCLUSION OF IMPLIED WARRANTIES SO THEY MAY NOT APPLY TO YOU. IF THIS EXCLUSION IS HELD TO BE UNENFORCEABLE BY A COURT OF COMPETENT JURISDICTION, THEN ALL EXPRESS AND IMPLIED WARRANTIES SHALL BE LIMITED IN DURATION TO A PERIOD OF THIRTY (30) DAYS FROM THE DATE OF PURCHASE OF THE SOFTWARE, AND NO WARRANTIES SHALL APPLY AFTER THAT PERIOD.
Appendix F Open Software Announcements This License Agreement is effective until it is terminated. You may terminate this License Agreement at any time by destroying or returning to ZyXEL all copies of the Software and Documentation in your possession or under your control. ZyXEL may terminate this License Agreement for any reason, including, but not limited to, if ZyXEL finds that you have violated any of the terms of this License Agreement.
ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.
Appendix G Legal Information FCC Warning This device has been tested and found to comply with the limits for a Class A digital switch, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a commercial environment. This device generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications.
Note Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind to the purchaser.
Numerics 3DES AAA servers and authentication methods and users LDAP Default LDAP Group LDAP group members RADIUS default RADIUS group RADIUS group members RADIUS. See also RADIUS. where used access control access users 503, 505 forcing login forcing login. See also force user authentication policies.
Index and virtual servers H.323 265, 266 peer-to-peer calls See also VoIP pass through. 265, 267 SIP timeout answer rings Anti-Virus trial service activation updating signatures Anti-virus prerequisites anti-virus alert message alerts black list 411, 413 bypass black list bypass white list EICAR file decompression firmware package blocking...
and policy routes behavior configured rate effect examples in application patrol interface, outbound. See interfaces. interface’s bandwidth maximize bandwidth usage 227, 232, 382, 383, 384, 395, 399 OSI level-7. See application patrol. over allotment of bandwidth priority priority effect See also application patrol. See also policy routes.
Index console port speed content (pattern) content filtering 463, 464 and address groups 463, 464, 467 and address objects 463, 464, 467 and registration 466, 469 and schedules 463, 464, 467 and user groups and users by category 463, 468, 471 by keyword (in URL) 463, 480 by URL...
and interfaces Domain Name System. See DNS. double-encoding Dynamic Domain Name System. See DDNS. Dynamic Host Configuration Protocol. See DHCP. DynDNS see also DDNS. e-Donkey EGP (Exterior Gateway Protocol) EICAR e-mail virus e-Mule Encapsulating Security Payload. See ESP. encapsulation and active protocol transport mode tunnel mode encryption algorithms...
Index and address objects and schedules prerequisites fragmentation flag fragmentation offset additional signaling port and address groups and address objects and certificates and zones signaling port with Transport Layer Security (TLS) full tunnel mode full-tunnel mode Fully-Qualified Domain Name (FQDN) gateway policy.
Snort signatures statistics traffic directions updating signatures verifying custom signatures IDP (Intrusion, Detection and Prevention) IDP and AppPatrol trial service activation IDP profiles IDP service group IDP signature categories IDP signatures and synchronization (device HA) IEEE 802.1q. See VLAN. IGP (Interior Gateway Protocol) IHL (IP Header Length) IIS server IIS unicode...
Index IP static routes. See static routes. IP stream identifier IP v4 packet headers IPSec basic troubleshooting connections Default_L2TP_VPN_Connection Default_L2TP_VPN_Connection example Default_L2TP_VPN_GW Default_L2TP_VPN_GW example established in two phases L2TP VPN local network remote IPSec router remote network SA monitor See also VPN. IPSec SA active protocol and firewall...
types of log options log options (IDP) logged in users login default settings SSL user logo logout SSL user logs and firewall configuration overview descriptions e-mail profiles e-mailing log messages 626, 631 formats log consolidation specifications syslog servers system types of loose source routing MAC addresses and VLAN...
Index and RIP and static routes and to-ZyWALL firewall area 0 areas. See OSPF areas. authentication method autonomous system (AS) backbone Configuration steps direction link cost priority redistribute redistribute type (cost) routers. See OSPF routers. virtual links vs RIP OSPF areas and Ethernet interfaces backbone Not So Stubby Area (NSSA)
as VPN product registration profiles packet inspection protocol usage statistics protocol anomaly 448, 457 protocol anomaly detection proxy servers web. See web proxy servers. Public-Key Infrastructure (PKI) public-private key pairs query view (IDP) 426, 429 Quick Start Guide RADIUS 531, 536 advantages and IKE SA and PPPoE...
Index and authentication algorithms and Ethernet interfaces See also ALG. safety warnings same IP scanner types schedules and content filtering 463, 464, 467 and current date/time and firewall 287, 394, 396, 398 and force user authentication policies and policy routes 230, 392, 394, 396, 398 one-time recurring...
and address groups and address objects and certificates and zones client requirements encryption methods for secure Telnet how connection is established versions with Linux with Microsoft Windows 326, 588 certificates computer names full-tunnel mode global setting IP pool monitor network list policy remote user login remote user logout...
Index T/TCP task bar properties ACK (acknowledgment) ACK number connections port numbers SYN (synchronize) window size TCP Decoder TCP decoy portscan TCP distributed portscan TCP flag bits TCP portscan TCP portsweep TCP RST TCP SYN flood TCPdump Telnet and address groups and address objects and zones with SSH...
and content filtering and firewall and policy routes 230, 392, 394, 396, 398 configuration overview user names rules user portal See SSL user screens. 331, 334 user portal links user portal logo user sessions. See sessions. user SSL screens 331, 334 access methods bookmarks certificates...
Index advantages and IPSec SA policy enforcement disadvantages VPN connections and address objects and policy routes 230, 231, 296 VPN gateways and certificates and extended authentication and interfaces and to-ZyWALL firewall VPN. See also IKE SA, IPSec SA. VRRP advertisement interval and to-ZyWALL firewall backup router management IP...