ZyXEL Communications Unified Security Gateway ZyWALL 1000 User Manual


ZyWALL USG 1000
Unified Security Gateway
User's Guide
Version 2.00
10/2007
Edition 1
DEFAULT LOGIN
LAN Port: P1
IP Address: http://192.168.1.1
User Name: admin
Password: 1234
www.zyxel.com


Summary of Contents for ZyXEL Communications Unified Security Gateway ZyWALL 1000

  • Page 3: About This User's Guide

    About This User's Guide This manual is designed to guide you through the configuration of your ZyWALL for its various applications. Generally, it is organized as follows. • Introduction (ZyWALL, web configurator) • Features (by menu item in the web configurator) •...
  • Page 4 Help us help you. Send all User Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead. Thank you! The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan.
  • Page 5: Document Conventions

    Document Conventions Warnings and Notes These are how warnings and notes are shown in this User’s Guide. Warnings tell you about things that could harm you or your device. Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
  • Page 6 Document Conventions Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL Server Switch Computer Notebook computer Firewall Telephone Router ZyWALL USG 1000 User’s Guide...
  • Page 7: Safety Warnings

    For your safety, be sure to read and follow all warning notices and instructions. • Do NOT use this product near water, for example, in a wet basement or near a swimming pool. • Do NOT expose your device to dampness, dust or corrosive liquids. •...
  • Page 9: Table Of Contents

    Introduction ... 51 Introducing the ZyWALL ... 53 Features and Applications ... 57 Web Configurator ... 65 Wizard Setup ... 75 Configuration Basics ...111 Tutorials ... 125 Status ... 157 Registration ... 165 Update ... 171 Network ... 177 Interface ... 179 Trunks ...
  • Page 10 Contents Overview Content Filter Screens ... 463 Content Filter Reports ... 483 Device HA & Objects ... 491 Device HA ... 493 User/Group ... 503 Addresses ... 515 Services ... 521 Schedules ... 527 AAA Server ... 531 Authentication Objects ... 541 Certificates ...
  • Page 11: Table Of Contents

    About This User's Guide ... 3 Document Conventions... 5 Safety Warnings... 7 Contents Overview ... 9 Table of Contents... 11 List of Figures ... 31 List of Tables... 43 Part I: Introduction... 51 Chapter 1 Introducing the ZyWALL ... 53 1.1 Overview and Key Default Settings ...
  • Page 12 Table of Contents 3.1 Web Configurator Requirements ... 65 3.2 Web Configurator Access ... 65 3.3 Web Configurator Main Screen ... 67 3.3.1 Title Bar ... 67 3.3.2 Navigation Panel ... 68 3.3.3 Main Window ... 71 3.3.4 Message Bar ... 72 Chapter 4 Wizard Setup ...
  • Page 13 5.2 Terminology in the ZyWALL ...112 5.3 Physical Ports, Interfaces, and Zones ...112 5.3.1 Network Topology Example ...113 5.4 Feature Configuration Overview ...114 5.4.1 Feature ...114 5.4.2 Interface ...115 5.4.3 Trunks ...115 5.4.4 IPSec VPN ...116 5.4.5 SSL VPN ...116 5.4.6 L2TP VPN ...116 5.4.7 Zones ...116 5.4.8 Device HA ...117...
  • Page 14 Table of Contents 6.2.2 Set up the VPN Gateway ... 132 6.2.3 Set up the VPN Connection ... 133 6.2.4 Set up the Policy Route for the VPN Tunnel ... 134 6.2.5 Set up the Zone for the VPN Tunnel ... 135 6.3 Device HA ...
  • Page 15 8.1 myZyXEL.com Overview ... 165 8.1.1 Subscription Services Available on the ZyWALL ... 165 8.2 Registration ... 166 8.3 Service ... 168 Chapter 9 Update... 171 9.1 Updating Anti-virus Signatures ... 171 9.2 Updating IDP and Application Patrol Signatures ... 173 9.3 Updating System Protect Signatures ...
  • Page 16 Table of Contents 10.6.1 PPPoE/PPTP Overview ... 210 10.6.2 PPPoE/PPTP Interfaces Overview ...211 10.6.3 PPPoE/PPTP Interface Summary ... 212 10.6.4 PPPoE/PPTP Interface Add/Edit ... 213 10.7 Auxiliary Interface ... 215 10.7.1 Auxiliary Interface Overview ... 215 10.7.2 Auxiliary ... 215 10.8 Virtual Interfaces ...
  • Page 17 13.3 OSPF Overview ... 237 13.3.1 OSPF Areas ... 238 13.3.2 OSPF Routers ... 239 13.3.3 Virtual Links ... 240 13.3.4 OSPF Configuration ... 240 13.4 OSPF Screens ... 241 13.4.1 OSPF Summary ... 241 13.4.2 OSPF Area Add/Edit ... 242 Chapter 14 Zones ...
  • Page 18 Table of Contents 18.1 ALG Introduction ... 265 18.1.1 Application Layer Gateway (ALG) and NAT ... 265 18.1.2 ALG and Trunks ... 265 18.1.3 FTP ... 266 18.1.4 H.323 ... 266 18.1.5 RTP ... 266 18.1.6 SIP ... 267 18.2 Peer-to-Peer Calls and the ZyWALL ... 268 18.2.1 VoIP Calls from the WAN with Multiple Outgoing Calls ...
  • Page 19 20.4.2 Additional Topics for IKE SA ... 310 20.4.3 VPN Gateway Summary ... 312 20.4.4 VPN Gateway Add/Edit ... 313 20.5 VPN Concentrator ... 318 20.5.1 VPN Concentrator Summary ... 319 20.5.2 VPN Concentrator Add/Edit ... 319 20.6 SA Monitor Screen ... 320 20.6.1 Regular Expressions in Searching IPSec SAs by Name or Policy ...
  • Page 20 Table of Contents 24.3.1 Downloading a File ... 341 24.3.2 Saving a File ... 341 24.4 Creating a New Folder ... 342 24.5 Renaming a File or Folder ... 342 24.6 Deleting a File or Folder ... 343 24.7 Uploading a File ... 344 Chapter 25 L2TP VPN...
  • Page 21 27.5.1 Setting the Interface’s Bandwidth ... 385 27.5.2 SIP Any to WAN Bandwidth Management Example ... 385 27.5.3 SIP WAN to Any Bandwidth Management Example ... 386 27.5.4 HTTP Any to WAN Bandwidth Management Example ... 386 27.5.5 FTP WAN to DMZ Bandwidth Management Example ... 386 27.5.6 FTP LAN to DMZ Bandwidth Management Example ...
  • Page 22 Table of Contents 29.3 Configuring IDP General ... 418 29.4 Configuring IDP Bindings ... 420 29.5 Introducing IDP Profiles ... 421 29.5.1 Base Profiles ... 421 29.6 Profile Summary Screen ... 422 29.7 Creating New Profiles ... 423 29.7.1 Procedure To Create a New Profile ... 423 29.8 Profiles: Packet Inspection ...
  • Page 23 Chapter 31 Content Filter Screens... 463 31.1 Content Filter Overview ... 463 31.1.1 Content Filter Policies ... 463 31.1.2 Content Filter Profiles ... 463 31.1.3 Content Filter Configuration Guidelines ... 464 31.2 Content Filter General Screen ... 464 31.3 Content Filter Policy Screen ... 466 31.4 Content Filter Profile Screen ...
  • Page 24 Table of Contents 34.1.4 Access Users and the ZyWALL ... 505 34.1.5 Force User Authentication Policy ... 505 34.2 User Summary ... 506 34.2.1 User Add/Edit ... 506 34.3 Group Summary ... 508 34.3.1 Group Add/Edit ... 509 34.4 Setting Screen ... 510 34.4.1 Force User Authentication Policy Add/Edit ...
  • Page 25 38.2 Directory Service (AD/LDAP) Overview ... 532 38.2.1 Directory Structure ... 532 38.2.2 Distinguished Name (DN) ... 533 38.2.3 Configuring Active Directory or LDAP Default Server Settings ... 533 38.3 Active Directory or LDAP Group Summary ... 534 38.3.1 Creating an Active Directory or LDAP Group ... 535 38.4 RADIUS Server ...
  • Page 26 Table of Contents Chapter 42 SSL Application ... 567 42.1 SSL Application Overview ... 567 42.1.1 Application Types ... 567 42.1.2 Remote User Screen Links ... 567 42.2 SSL Application Configuration ... 567 42.3 Creating/Editing an SSL Application ... 568 42.3.1 Web-based Application ...
  • Page 27 44.3 Configuring WWW ... 589 44.4 Service Control Rules ... 592 44.5 HTTPS Example ... 592 44.5.1 Internet Explorer Warning Messages ... 593 44.5.2 Netscape Navigator Warning Messages ... 593 44.5.3 Avoiding Browser Warning Messages ... 594 44.5.4 Login Screen ... 595 44.5.5 Enrolling and Importing SSL Client Certificates ...
  • Page 28 Table of Contents 45.2 Configuration File Screen ... 618 45.3 Firmware Package Screen ... 620 45.4 Shell Script Screen ... 622 Chapter 46 Logs ... 625 46.1 View Log Screen ... 625 46.2 Log Settings Screens ... 627 46.3 Log Settings Summary ... 628 46.3.1 Log Settings Edit E-mail ...
  • Page 29 Table of Contents Appendix F Open Software Announcements ... 719 Appendix G Legal Information... 755 Appendix H Customer Support... 759 Index... 765
  • Page 31: List Of Figures

    List of Figures Figure 1 ZyWALL USG 1000 Front Panel ... 53 Figure 2 Managing the ZyWALL: Web Configurator ... 54 Figure 3 Applications: VPN Connectivity ... 60 Figure 4 Network Access Mode: Reverse Proxy ... 61 Figure 5 Network Access Mode: Full Tunnel Mode ...
  • Page 32 List of Figures Figure 39 VPN Advanced Wizard: Step 3 ... 104 Figure 40 VPN Advanced Wizard: Step 4 ... 106 Figure 41 VPN Advanced Wizard: Step 5 ... 108 Figure 42 VPN Wizard: Step 6: Advanced ... 109 Figure 43 Interfaces and Zones: Example ...114 Figure 44 Network >...
  • Page 33 List of Figures Figure 82 AppPatrol > http > Edit Default ... 144 Figure 83 Object > Schedule > Recurring > add ... 145 Figure 84 Firewall > LAN > DMZ > Edit ... 145 Figure 85 Firewall > LAN > DMZ > Add ... 146 Figure 86 Trunk Example ...
  • Page 34 List of Figures Figure 125 Network > Interface > Ethernet > Edit ... 190 Figure 126 Network > Interface > Ethernet > Edit > Edit static DHCP table ... 194 Figure 127 Port Grouping Example: Network ... 195 Figure 128 Port Grouping Example: Screen Figure 129 Network >...
  • Page 35 List of Figures Figure 168 HTTP Redirect Example ... 262 Figure 169 Network > HTTP Redirect ... 263 Figure 170 Network > HTTP Redirect > Edit ... 263 Figure 171 H.323 ALG Example ... 267 Figure 172 SIP ALG Example ... 267 Figure 173 VoIP Calls from the WAN with Multiple Outgoing Calls ...
  • Page 36 List of Figures Figure 211 VPN > IPSec VPN > SA Monitor ... 321 Figure 212 VPN > SSL VPN > Access Privilege ... 324 Figure 213 VPN > SSL VPN > Access Privilege > Add/Edit ... 325 Figure 214 VPN > SSL VPN > Connection Monitor ... 327 Figure 215 VPN >...
  • Page 37 List of Figures Figure 254 Connect L2TP to ZyWALL: Security ... 359 Figure 255 Connect ZyWALL L2TP: Security > Advanced ... 359 Figure 256 L2TP to ZyWALL Properties > Security ... 360 Figure 257 L2TP to ZyWALL Properties > Security > IPSec Settings ... 360 Figure 258 L2TP to ZyWALL Properties: Networking ...
  • Page 38 List of Figures Figure 297 LAN to WAN, Outbound 200 kbps, Inbound 500 kbps ... 382 Figure 298 Bandwidth Management Behavior ... 383 Figure 299 Application Patrol Bandwidth Management Example ... 385 Figure 300 SIP Any to WAN Bandwidth Management Example ... 386 Figure 301 HTTP Any to WAN Bandwidth Management Example ...
  • Page 39 List of Figures Figure 340 Base Profiles ... 449 Figure 341 Anti-X > ADP > Profile ... 449 Figure 342 Smurf Attack ... 452 Figure 343 TCP Three-Way Handshake ... 453 Figure 344 SYN Flood ... 453 Figure 345 Profiles: Traffic Anomaly ... 455 Figure 346 Profiles: Protocol Anomaly ...
  • Page 40 List of Figures Figure 383 Object > Service > Service > Edit ... 523 Figure 384 Object > Service > Service Group ... 524 Figure 385 Object > Service > Service Group > Edit ... 525 Figure 386 Object > Schedule ... 528 Figure 387 Object >...
  • Page 41 List of Figures Figure 426 Secure and Insecure Service Access From the WAN ... 587 Figure 427 HTTP/HTTPS Implementation ... 589 Figure 428 System > WWW ... 590 Figure 429 System > Service Control Rule Edit ... 592 Figure 430 Security Alert Dialog Box (Internet Explorer) ... 593 Figure 431 Security Certificate 1 (Netscape) ...
  • Page 42 List of Figures Figure 469 Maintenance > Log > Log Setting ... 628 Figure 470 Maintenance > Log > Log Setting > E-mail > Edit ... 630 Figure 471 Maintenance > Log > Log Setting > Remote Server > Edit ... 633 Figure 472 Active Log Summary ...
  • Page 43: List Of Tables

    List of Tables Table 1 Front Panel LEDs ... 54 Table 2 Managing the ZyWALL: Console Port ... 55 Table 3 Starting and Stopping the ZyWALL ... 55 Table 4 Packet Flow Key ... 58 Table 5 Title Bar: Web Configurator Icons ... 68 Table 6 Navigation Panel Summary ...
  • Page 44 List of Tables Table 39 Licensing > Registration ... 167 Table 40 Licensing > Registration > Service ... 168 Table 41 Licensing > Update > IDP/AppPatrol ... 173 Table 42 Licensing > Update > System Protect ... 175 Table 43 Ethernet, VLAN, Bridge, PPPoE/PPTP, and Virtual Interfaces Characteristics ... 180 Table 44 Example: Routing Table Entries for Interfaces ...
  • Page 45 List of Tables Table 82 Network > HTTP Redirect > Edit ... 263 Table 83 Network > ALG ... 270 Table 84 Default Firewall Rules ... 279 Table 85 Blocking All LAN to WAN IRC Traffic Example ... 281 Table 86 Limited LAN to WAN IRC Traffic Example 1 ... 282 Table 87 Limited LAN to WAN IRC Traffic Example 2 ...
  • Page 46 List of Tables Table 125 Anti-X > Anti-Virus > Setting > Black List Add ... 413 Table 126 Anti-X > Anti-Virus > Signature ... 414 Table 127 Anti-X > IDP > General ... 419 Table 128 Anti-X > IDP > General > Add ... 421 Table 129 Base Profiles ...
  • Page 47 List of Tables Table 168 Object > Address > Address Group > Add ... 518 Table 169 Object > Service > Service ... 522 Table 170 Object > Service > Service > Edit ... 523 Table 171 Object > Service > Service Group ... 524 Table 172 Object >...
  • Page 48 List of Tables Table 211 SNMP Traps ... 607 Table 212 System > SNMP ... 608 Table 213 System > Dial-in Mgmt ... 610 Table 214 System > Vantage CNM ...611 Table 215 Configuration Files and Shell Scripts in the ZyWALL ... 616 Table 216 Maintenance >...
  • Page 49 List of Tables Table 254 Interface Logs ... 699 Table 255 Account Logs ... 701 Table 256 Port Grouping Logs ... 701 Table 257 Force Authentication Logs ... 702 Table 258 File Manager Logs ... 702 Table 259 Commonly Used Services ... 703
  • Page 51: Introduction

    Introduction Introducing the ZyWALL (53) Features and Applications (57) Web Configurator (65) Configuration Basics (111) Tutorials (125) Status (157) Registration (165) Update (171)
  • Page 53: Introducing The Zywall

    Chapter 1 Introducing the ZyWALL This chapter gives an overview of the ZyWALL. It explains the front panel ports and LEDs, introduces the management methods, and lists different ways to start or stop the ZyWALL. 1.1 Overview and Key Default Settings The ZyWALL is an Internet Security Gateway designed for Small and Medium Businesses (SMB).
  • Page 54: Management Overview

    Chapter 1 Introducing the ZyWALL The following table describes the LEDs (Table 1 Front Panel LEDs). 1.3 Management Overview You can use the following ways to manage the ZyWALL. Web Configurator The web configurator allows easy ZyWALL setup and management using an Internet browser.
  • Page 55: Starting And Stopping The Zywall

    Command-Line Interface (CLI) The CLI allows you to use text-based commands to configure the ZyWALL. You can access it using remote management (for example, SSH or Telnet) or via the console port. See the Command Reference Guide for more information about the CLI. Console Port You can use the console port to manage the ZyWALL.
  • Page 56 Chapter 1 Introducing the ZyWALL It is recommended you use the shutdown command before turning off the ZyWALL. When you apply configuration files or run shell scripts, the ZyWALL does not stop or start the system processes. However, you might lose access to network resources temporarily while the ZyWALL is applying configuration files or running shell scripts.
  • Page 57: Features And Applications

    Chapter 2 Features and Applications This chapter introduces the main features and applications of the ZyWALL. 2.1 Features The ZyWALL’s security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and Prevention), ADP (Anomaly Detection and Protection), and certificates.
  • Page 58: Packet Flow

    Chapter 2 Features and Applications Intrusion Detection and Prevention (IDP) IDP can detect malicious or suspicious packets and respond instantaneously. It detects pattern-based attacks in order to protect against network-based intrusions. You can also create your own custom IDP rules. Anomaly Detection and Prevention (ADP) ADP can detect malicious or suspicious packets and respond instantaneously.
  • Page 59: Interface To Interface (Through Zywall)

    Table 4 Packet Flow Key. Application Classifier (AC): the Application Protocol (AP) layer-7 classifier. DNAT: Destination NAT. Routing: policy routes, interface routing, static routes and load balancing, for example. Firewall (Through ZyWALL). Firewall (To ZyWALL). Intrusion Detection & Protection. Anomaly Detection and Protection. Application Patrol. Content Filtering...
  • Page 60: Applications

    Chapter 2 Features and Applications. Packet flow for traffic through the ZyWALL (interface to interface): Ethernet -> VLAN -> Encap -> ALG -> AC -> DNAT -> Routing -> FW -> AC -> IDP -> AV -> AP -> CF -> SNAT -> IPSec E -> Routing -> BWM -> Encap -> VLAN -> Ethernet. 2.3 Applications These are some example applications for your ZyWALL.
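The stage order above decides what each policy stage can match on: DNAT runs before Routing and the firewall, and SNAT runs after content filtering, so a firewall rule sees the translated destination (the DMZ host behind a virtual server) but the untranslated private source of outbound traffic. The Python model below is an added example written for this page, not ZyXEL code; the addresses, virtual-server entry, routes and firewall rules are constructed sample data, and the explicit final deny rule is an assumption rather than the ZyWALL's actual default rule set.

```python
from dataclasses import dataclass, replace

# Stage order for traffic passing *through* the ZyWALL, copied from the
# manual's "Interface to Interface" packet flow. Only DNAT, Routing, FW and
# SNAT change anything in this model; the other stages are pass-through.
STAGES = ["Ethernet", "VLAN", "Encap", "ALG", "AC", "DNAT", "Routing", "FW",
          "AC", "IDP", "AV", "AP", "CF", "SNAT", "IPSec E", "Routing", "BWM",
          "Encap", "VLAN", "Ethernet"]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_zone: str


# Constructed sample policy (assumed addresses from RFC 5737 / RFC 1918).
VIRTUAL_SERVERS = {("203.0.113.10", 80): "192.168.3.10"}  # WAN public -> DMZ host
ROUTES = [("192.168.3.", "DMZ"), ("192.168.1.", "LAN")]   # anything else -> WAN
SNAT_MASQUERADE = {("LAN", "WAN"): "203.0.113.10"}        # private -> WAN address
# (from_zone, to_zone, dst, dport, action); first match wins. The final deny
# is an assumption so the outcome does not depend on the real default rules.
FIREWALL_RULES = [
    ("WAN", "DMZ", "192.168.3.10", 80, "allow"),
    ("LAN", "WAN", "any", None, "allow"),
    ("any", "any", "any", None, "deny"),
]


def dnat(pkt: Packet) -> Packet:
    """Virtual server: rewrite a public destination to the DMZ host."""
    target = VIRTUAL_SERVERS.get((pkt.dst, pkt.dport))
    return replace(pkt, dst=target) if target else pkt


def route(pkt: Packet) -> str:
    """Pick the egress zone from the (already translated) destination."""
    for prefix, zone in ROUTES:
        if pkt.dst.startswith(prefix):
            return zone
    return "WAN"


def firewall(pkt: Packet, out_zone: str) -> str:
    for frm, to, dst, dport, action in FIREWALL_RULES:
        if (frm in ("any", pkt.in_zone) and to in ("any", out_zone)
                and dst in ("any", pkt.dst) and dport in (None, pkt.dport)):
            return action
    return "deny"


def snat(pkt: Packet, out_zone: str) -> Packet:
    masq = SNAT_MASQUERADE.get((pkt.in_zone, out_zone))
    return replace(pkt, src=masq) if masq else pkt


def process(pkt: Packet):
    """Run the packet through the stages; return (verdict, final packet, trace).

    trace is a list of (stage, src, dst) recording what each stage observed.
    """
    trace, out_zone, verdict = [], None, "allow"
    for stage in STAGES:
        if stage == "DNAT":
            pkt = dnat(pkt)
        elif stage == "Routing" and out_zone is None:   # first Routing pass
            out_zone = route(pkt)
        elif stage == "FW":
            verdict = firewall(pkt, out_zone)
        elif stage == "SNAT":
            pkt = snat(pkt, out_zone)
        trace.append((stage, pkt.src, pkt.dst))
        if verdict == "deny":
            break
    return verdict, pkt, trace


def seen_at(trace, stage: str):
    """(src, dst) as observed when `stage` first ran."""
    return next((s, d) for name, s, d in trace if name == stage)


if __name__ == "__main__":
    inbound = Packet("198.51.100.7", "203.0.113.10", 80, "WAN")
    verdict, final, trace = process(inbound)
    print(verdict, seen_at(trace, "FW"))    # allow ('198.51.100.7', '192.168.3.10')
    outbound = Packet("192.168.1.20", "198.51.100.7", 443, "LAN")
    verdict, final, trace = process(outbound)
    print(seen_at(trace, "FW"), final.src)  # ('192.168.1.20', '198.51.100.7') 203.0.113.10
```

The practical consequence: a WAN-to-DMZ rule for a virtual server must name the DMZ host's private address, not the public address the client connected to, because by the time FW runs DNAT has already rewritten it; a rule written against 203.0.113.10 never matches. Conversely, LAN-to-WAN rules can match on the private source addresses, since SNAT happens later.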
  • Page 61: User-Aware Access Control

    With reverse proxy mode, remote users can easily access any web-based applications on the local network by clicking on links or entering the provided URL. You do not have to install additional client software on the remote user computers for access. Figure 4 Network Access Mode: Reverse Proxy 2.3.2.2 Full Tunnel Mode In full tunnel mode, a virtual connection is created for remote users with private IP addresses...
  • Page 62: Multiple Wan Interfaces

    Chapter 2 Features and Applications Figure 6 Applications: User-Aware Access Control 2.3.4 Multiple WAN Interfaces Set up multiple connections to the Internet on the same port, or set up multiple connections on different ports. In either case, you can balance the loads between them. Figure 7 Applications: Multiple WAN Interfaces 2.3.5 Device HA Set up an additional ZyWALL as a backup gateway to ensure the default gateway is always...
  • Page 63: Figure 8 Applications: Device Ha

    Chapter 2 Features and Applications Figure 8 Applications: Device HA
  • Page 65: Web Configurator

    Chapter 3 Web Configurator The ZyWALL web configurator allows easy ZyWALL setup and management using an Internet browser. 3.1 Web Configurator Requirements In order to use the web configurator, you must • Use Internet Explorer 6.0 or later, Netscape Navigator 7.2 or later, or Firefox 1.0.7 or later •...
  • Page 66: Figure 9 Login Screen

    Chapter 3 Web Configurator Figure 9 Login Screen 3 Type the user name (default: “admin”) and password (default: “1234”). If your account is configured to use an ASAS authentication server, use the OTP (One- Time Password) token to generate a number. Enter it in the One-Time Password field. The number is only good for one login.
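The manual does not describe how the ASAS server validates the token, so the following is an added illustration of the generic HOTP scheme (RFC 4226), not ZyXEL's or the ASAS product's code. It shows the property the text states, that a number is good for one login only: the server remembers the last accepted counter and rejects the same code when it is entered a second time, as well as any older code captured on the wire. The secret is the RFC 4226 test secret; the look-ahead window of 5 is an assumed value.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server-side check that makes each token value good for exactly one login.

    `window` is how many counter values to look ahead, tolerating button
    presses on the token that never reached the server. 5 is an assumed value.
    """

    def __init__(self, secret: bytes, window: int = 5) -> None:
        self.secret = secret
        self.window = window
        self.next_counter = 0  # lowest counter value still acceptable

    def verify(self, code: str) -> bool:
        for counter in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                # Accept, then advance past this counter so the same code,
                # and any skipped earlier one, can never be replayed.
                self.next_counter = counter + 1
                return True
        return False


def demo() -> list:
    """Constructed login sequence with the RFC 4226 test secret; returns the verdicts."""
    verifier = OtpVerifier(b"12345678901234567890")
    attempts = [
        hotp(verifier.secret, 0),  # first login: accepted
        hotp(verifier.secret, 0),  # same number entered again: replay, rejected
        hotp(verifier.secret, 2),  # token pressed twice before logging in: accepted (in window)
        hotp(verifier.secret, 1),  # older code sniffed earlier: rejected, counter already burned
    ]
    return [verifier.verify(code) for code in attempts]


if __name__ == "__main__":
    print(demo())  # [True, False, True, False]
```

The single-use guarantee comes from advancing `next_counter` monotonically; the constant-time comparison avoids leaking how many digits matched, and the window bounds how far a stolen future code could be used ahead of the legitimate token.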
  • Page 67: Web Configurator Main Screen

    5 The screen above appears every time you log in using the default user name and default password. If you change the password for the default user account, this screen does not appear anymore. Follow the directions in this screen. If you change the default password, the Login screen (Figure 9) appears again; after you log in, the main screen appears.
  • Page 68: Navigation Panel

    Chapter 3 Web Configurator The icons provide the following functions. Table 5 Title Bar: Web Configurator Icons ICON DESCRIPTION Help: Click this icon to open the help page for the current screen. Wizards: Click this icon to open one of the web configurator wizards. See Chapter 4 on page 75. Console: Click this icon to open the console in which you can use the command line interface (CLI).
  • Page 69 Table 6 Navigation Panel Summary (continued) LINK Routing Policy Route Static Route OSPF Zone DDNS Virtual Server HTTP Redirect Firewall VPN Connection IPSec VPN VPN Connection VPN Gateway Concentrator SA Monitor SSL VPN Access Privilege Connection Monitor Global Setting L2TP VPN L2TP Over IPSec Use this screen to configure L2TP Over IPSec VPN settings.
  • Page 70 Chapter 3 Web Configurator Table 6 Navigation Panel Summary (continued) LINK General Profile Custom Signatures General Profile Content General Filter Filtering Profile Cache Device HA VRRP Group Synchronize Object User/Group User Group Setting Address Address Address Group Service Service Service Group Schedule AAA Server Active Directory-...
  • Page 71: Main Window

    Table 6 Navigation Panel Summary (continued) LINK Host Name Date/Time Console Speed TELNET SNMP Dial-in Mgmt. Vantage Language Maintenance File Manager Configuration File Use this screen to manage and upload configuration files for the ZyWALL. Firmware Package Shell Script View Log Log Setting Report Traffic...
  • Page 72: Message Bar

    Chapter 3 Web Configurator 3.3.4 Message Bar Check the message bar when you click Apply or OK to verify that the configuration has been updated. Figure 12 Message Bar 3.3.4.1 Warning Messages Click the up arrow to view the ZyWALL’s current warning messages. These warning messages display in a popup window, such as the following.
  • Page 73: Figure 14 Cli Messages

    Chapter 3 Web Configurator Figure 14 CLI Messages Click Change Display Style to show or hide the index numbers for the commands (the commands are more convenient to copy and paste without the index numbers). Click Refresh Now to update the screen. For example, if you just enabled a particular feature, you can look at the commands the web configurator generated to enable it.
  • Page 75: Wizard Setup

    Chapter 4 Wizard Setup This chapter provides information on configuring the Wizard setup screens in the web configurator. See the feature-specific chapters in this User’s Guide for background information. 4.1 Wizard Setup Overview Use the wizards only for initial configuration starting from the default configuration.
  • Page 76: Installation Setup, One Isp

    Chapter 4 Wizard Setup Use VPN SETUP to configure a VPN connection (see Section 4.7). Figure 15 Wizard Setup Welcome. 4.2 Installation Setup, One ISP The wizard screens vary depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information.
  • Page 77: Step 1 Internet Access

    Figure 16 Internet Access: Step 1 The following table describes the labels in this screen. Table 7 Internet Access: Step 1 LABEL DESCRIPTION ISP Parameters Encapsulation Choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP.
  • Page 78: Ethernet: Auto Ip Address Assignment

    Chapter 4 Wizard Setup IP Address Assignment: Select Auto If your ISP did not assign you a fixed IP address. Select Static If the ISP assigned a fixed IP address. 4.3.1 Ethernet: Auto IP Address Assignment If you select Auto as the IP Address Assignment in the previous screen, the following screen displays.
  • Page 79: Figure 18 Ethernet Encapsulation: Static

    Figure 18 Ethernet Encapsulation: Static The following table describes the labels in this screen. Table 8 Ethernet Encapsulation: Static LABEL DESCRIPTION ISP Parameters Encapsulation This displays the type of Internet connection you are configuring. WAN IP Address Assignments WAN Interface This displays the identity of the interface you configure to connect with your ISP.
  • Page 80: Step 2 Internet Access Ethernet

    Chapter 4 Wizard Setup 4.3.3 Step 2 Internet Access Ethernet You do not configure this screen if you selected Auto as the IP Address Assignment in the previous screen. Enter the Internet access information exactly as given to you by your ISP. WAN Interface: This is the number of the interface that will connect with your ISP.
  • Page 81: Pppoe: Auto Ip Address Assignment

    You can click Next and use the following screen to perform a basic registration (see 4.4 on page 91). If you want to do a more detailed registration or manage your account details, click myZyXEL.com. Alternatively, click Close to exit the wizard. 4.3.4 PPPoE: Auto IP Address Assignment If you select Auto as the IP Address Assignment in the previous screen, the following screen displays after you click Next.
  • Page 82: Pppoe: Static Ip Address Assignment

    Chapter 4 Wizard Setup Table 9 PPPoE Encapsulation: Auto (continued) LABEL DESCRIPTION Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server. The default time is 100 seconds. WAN IP Address Assignments WAN Interface This displays the identity of the interface you configure to connect with your ISP.
  • Page 83: Figure 22 Pppoe Encapsulation: Static

    Figure 22 PPPoE Encapsulation: Static The following table describes the labels in this screen. Table 10 PPPoE Encapsulation: Static LABEL DESCRIPTION ISP Parameters Encapsulation This displays the type of Internet connection you are configuring. Service Name Type the PPPoE service name given to you by your ISP. PPPoE uses a service name to identify and reach the PPPoE server.
  • Page 84: Step 2 Internet Access Pppoe

    Chapter 4 Wizard Setup Table 10 PPPoE Encapsulation: Static (continued) LABEL DESCRIPTION First DNS Server / Second DNS Server Enter the DNS server's IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
  • Page 85: Pptp: Auto Ip Address Assignment

    Figure 23 PPPoE Encapsulation: Static: Finish You have set up your ZyWALL to access the Internet. If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can click Next and use the following screen to perform a basic registration (see 4.4 on page 91).
  • Page 86: Figure 24 Pptp Encapsulation: Auto

    Chapter 4 Wizard Setup Figure 24 PPTP Encapsulation: Auto The following table describes the labels in this screen. Table 11 PPTP Encapsulation: Auto LABEL ISP Parameters Encapsulation User Name Password Retype to Confirm Nailed-Up Idle Timeout PPTP Configuration Base Interface Base IP Address IP Subnet Mask Server IP...
  • Page 87: Figure 25 Pptp Encapsulation: Auto: Finish

    Table 11 PPTP Encapsulation: Auto (continued) LABEL DESCRIPTION Connection ID Enter the connection ID or connection name in this field. It must follow the "c:id" or "n:name" format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your DSL modem. You can use alphanumeric and -_ characters.
  • Page 88: Pptp: Static Ip Address Assignment

    Chapter 4 Wizard Setup If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can click Next and use the following screen to perform a basic registration (see 4.4 on page 91).
  • Page 89: Step 2 Internet Access Pptp

    Table 12 PPTP Encapsulation: Static (continued) LABEL DESCRIPTION User Name Type the user name given to you by your ISP. You can use alphanumeric and - @$./ characters. Password Type the password associated with the user name above. Use up to 64 ASCII characters except the [] and ?.
  • Page 90: Figure 27 Pptp Encapsulation: Static: Finish

    Chapter 4 Wizard Setup Type the Password associated with the user name. Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPTP server.
  • Page 91: Step 4 Internet Access - Finish

    4.3.10 Step 4 Internet Access - Finish You have set up your ZyWALL to access the Internet. If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can click Next and use the following screen to perform a basic registration (see 4.4 on page 91).
  • Page 92: Figure 28 Registration

    Chapter 4 Wizard Setup Figure 28 Registration The following table describes the labels in this screen. Table 13 Registration LABEL Device Registration new myZyXEL.com account existing myZyXEL.com account UserName Check Password Confirm Password E-Mail Address Country Code Trial Service Activation IDP/AppPatrol Anti-Virus Content Filter...
  • Page 93: Installation Setup, Two Internet Service Providers

    Table 13 Registration (continued) LABEL Close Next. Figure 29 Registration: Registered Device. 4.5 Installation Setup, Two Internet Service Providers This wizard allows you to configure two interfaces for Internet access through either two different Internet Service Providers (ISPs) or two different accounts with the same ISP. The configuration of the following screens is explained in Section 4.2. Configure the First WAN Interface and click Next.
  • Page 94: Figure 30 Internet Access: Step 1: First Wan Interface

    Chapter 4 Wizard Setup Figure 30 Internet Access: Step 1: First WAN Interface After you configure the First WAN Interface, you can configure the Second WAN Interface. Click Next to continue. Figure 31 Internet Access: Step 3: Second WAN Interface After you configure the Second WAN Interface, a summary of configuration settings display for both WAN interfaces.
  • Page 95: Internet Access Wizard Setup Complete

    Figure 32 Internet Access: Finish You can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Use the myZyXEL.com link if you do not already have a myZyXEL.com account. If you already have a myZyXEL.com account, you can click Next and use the following screen to register your ZyWALL and activate service trials (see Section 4.4). Alternatively, click Close to exit the wizard.
  • Page 96: Vpn Wizards

    Chapter 4 Wizard Setup Click VPN SETUP in the Wizard Setup Welcome screen to open the following screen. Use it to select which type of VPN settings you want to configure. Figure 33 VPN Wizard: Wizard Type The following table describes the labels in this screen. Table 14 VPN Wizard: Step 1: Wizard Type LABEL DESCRIPTION...
  • Page 97: Vpn Express Wizard

    4.7.1 VPN Express Wizard Click the Express radio button in the Wizard Type screen to open the following screen. Figure 34 VPN Express Wizard: Step 2 The following table describes the labels in this screen. Table 15 VPN Express Wizard: Step 2 LABEL DESCRIPTION Name Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters and underscores (_). The first character cannot be a number.
  • Page 98: Figure 35 Vpn Express Wizard: Step 3

    Chapter 4 Wizard Setup Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters and underscores (_). The first character cannot be a number. This value is case-sensitive. Secure Gateway: Enter the WAN IP address or domain name of the remote IPSec router (secure gateway).
  • Page 99: Vpn Express Wizard - Policy Setting

    4.8.1 VPN Express Wizard - Policy Setting The Policy Setting specifies which devices can use the VPN tunnel. Local and remote IP addresses must be static. Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also specify a subnet.
  • Page 100: Vpn Express Wizard - Summary

    Chapter 4 Wizard Setup Table 17 VPN Express Wizard: Step 4 (continued) LABEL DESCRIPTION Configuration for Remote Gateway These commands set the matching VPN connection settings for the remote gateway. If the remote gateway is a ZLD-based ZyWALL, you can copy and paste this list into its command line interface in order to configure it for the VPN tunnel.
  • Page 101: Vpn Express Wizard - Finish

    If you have not already done so, use the myZyXEL.com link and register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Alternatively, click Close to exit the wizard. 4.8.3 VPN Express Wizard - Finish Now you can use the VPN tunnel. If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP.
  • Page 102: Figure 38 Vpn Advanced Wizard: Step 2

    Chapter 4 Wizard Setup Figure 38 VPN Advanced Wizard: Step 2 The following table describes the labels in this screen. Table 18 VPN Advanced Wizard: Step 2 LABEL DESCRIPTION Remote Gateway Name Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores( character cannot be a number.
  • Page 103: Vpn Advanced Wizard - Remote Gateway

    Table 18 VPN Advanced Wizard: Step 2 (continued) LABEL DESCRIPTION Certificate Use the drop-down list box to select the certificate to use for this VPN tunnel. You must have certificates already configured in the My Certificates screen. Click Certificate under the Object menu to go to the My Certificates screen where you can view the ZyWALL's list of certificates.
  • Page 104: Figure 39 Vpn Advanced Wizard: Step 3

    Chapter 4 Wizard Setup Figure 39 VPN Advanced Wizard: Step 3 The following table describes the labels in this screen. Table 19 VPN Advanced Wizard: Step 3 LABEL Negotiation Mode Encryption Algorithm Authentication Algorithm Key Group DESCRIPTION Select Main for identity protection. Select Aggressive to allow more incoming connections from dynamic IP addresses to use separate passwords.
  • Page 105: Vpn Advanced Wizard - Phase 1

    Table 19 VPN Advanced Wizard: Step 3 (continued) LABEL DESCRIPTION SA Life Time (Seconds) Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 60 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys.
  • Page 106: Figure 40 Vpn Advanced Wizard: Step 4

    Chapter 4 Wizard Setup 4.8.6.1 Phase 2 Setting Phase 2 in an IKE uses the SA that was established in phase 1 to negotiate SAs for IPSec. Figure 40 VPN Advanced Wizard: Step 4 The following table describes the labels in this screen. Table 20 VPN Advanced Wizard: Step 4 LABEL Phase 2 Setting...
  • Page 107: Vpn Advanced Wizard - Phase 2

    Table 20 VPN Advanced Wizard: Step 4 (continued) LABEL DESCRIPTION SA Life Time (Seconds) Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 60 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys.
  • Page 108: Vpn Advanced Wizard - Summary

    Chapter 4 Wizard Setup Figure 41 VPN Advanced Wizard: Step 5 The following table describes the labels in this screen. Table 21 VPN Advanced Wizard: Step 5 LABEL DESCRIPTION Summary Name This is the name of the VPN connection (and VPN gateway). Secure This is the WAN IP address or domain name of the remote IPSec router.
  • Page 109: Vpn Advanced Wizard - Finish

    Secure Gateway: IP address or domain name of the peer IPSec device. Pre-Shared Key: VPN tunnel password. Local Policy: IP address and subnet mask of the computers on the network behind your ZyWALL that can use the tunnel. Remote Policy: IP address and subnet mask of the computers on the network behind the peer IPSec device that can use the tunnel.
  • Page 110 Chapter 4 Wizard Setup If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can click Next and use the following screen to perform a basic registration (see Section 4.4 on page 91).
  • Page 111: Configuration Basics

    Chapter 5 Configuration Basics This section provides information to help you configure the ZyWALL effectively. Some of it is helpful when you are just getting started. Some of it is provided for your reference when you configure various features in the ZyWALL. •...
  • Page 112: Terminology In The Zywall

    Chapter 5 Configuration Basics 5.2 Terminology in the ZyWALL This section highlights some differences in terminology or organization between the ZyWALL and other routers, particularly ZyNOS routers. Table 22 ZyWALL Terminology That is Different Than ZyNOS ZYNOS FEATURE / TERM Port forwarding IP alias Gateway policy...
  • Page 113: Network Topology Example

    A physical port is the place to which you connect the cable. As shown above, you do not usually configure physical ports to use various features. You configure interfaces and zones. The ZyWALL supports one-to-one, one-to-many, many-to-one, and many-to-none relationships between physical ports and interfaces. There are many types of interfaces in the ZyWALL.
  • Page 114: Feature Configuration Overview

    Chapter 5 Configuration Basics Figure 43 Interfaces and Zones: Example • The LAN zone contains the ge1 (Gigabit Ethernet 1) interface. This is a protected zone and uses private IP addresses. ge1 uses 192.168.1.1 and the connected devices use IP addresses in the 192.168.1.2 to 192.168.1.254 range.
  • Page 115: Interface

    These are other features you should configure before you configure the main screen(s) for this feature. If you did not configure one of the prerequisites first, you can often select an option to create a new object. After you create the object you return to the main PREREQUISITES screen to finish configuring the feature.
  • Page 116: Ipsec Vpn

    Chapter 5 Configuration Basics PREREQUISITES WHERE USED Example: See Chapter 6 on page 5.4.4 IPSec VPN Use IPSec VPN to provide secure communication between two sites over the Internet or any insecure network that uses TCP/IP for communication. The ZyWALL also offers hub-and-spoke VPN.
  • Page 117: Device Ha

    Zones cannot overlap. Each interface and VPN tunnel can be assigned to at most one zone. Virtual interfaces are automatically assigned to the same zone as the interface on which they run. When you create a zone, the ZyWALL does not create any firewall rules, assign an IDP profile, or configure remote management for the new zone.
  • Page 118: Static Routes

    Chapter 5 Configuration Basics 2 Click Network > Routing > Policy Route to go to the policy route configuration screen. Add a policy route. 3 Name the policy route. 4 Select the interface that the traffic comes in through (ge4 in this example). 5 Select the FTP server’s address as the source address.
  • Page 119: Application Patrol

    2 Create an address object for the VoIP server (Object > Address). 3 Click Firewall to go to the firewall configuration. 4 Select from the DMZ-2 zone to the LAN zone, and add a firewall rule using the items you have configured. •...
  • Page 120: Anti-Virus

    Chapter 5 Configuration Basics 5.4.14 Anti-Virus Use anti-virus to detect and take action on viruses. You must subscribe to use anti-virus. You can subscribe using the Licensing > Registration screens or one of the wizards. MENU ITEM(S) PREREQUISITES 5.4.15 IDP Use IDP to detect and take action on malicious or suspicious packets.
  • Page 121: Virtual Server (Port Forwarding)

    11 Add a policy that uses the schedule, the filtering profile and the user that you created. 5.4.18 Virtual Server (Port Forwarding) Use this to change the address and/or port number of packets coming in from a specified interface. This is also known as port forwarding. The ZyWALL does not check to-ZyWALL firewall rules for packets that are redirected by virtual server.
  • Page 122: Alg

    Chapter 5 Configuration Basics 5.4.20 ALG The ZyWALL’s Application Layer Gateway (ALG) allows VoIP and FTP applications to go through NAT on the ZyWALL. You can also specify additional signaling port numbers. MENU ITEM(S) 5.5 Objects Objects store information and are referenced by other features. If you update this information in response to changes, the ZyWALL automatically propagates the change through the features that use the object.
  • Page 123: System Management And Maintenance

    Table 28 User Types TYPE ABILITIES Guest Access network services Ext-User The same as a User or a Guest. The ZyWALL looks for the specific type in an external authentication server. If the type is not available, the ZyWALL applies default settings.
  • Page 124: File Manager

    Chapter 5 Configuration Basics 5.6.2 File Manager Use these screens to upload, download, delete, or run scripts of CLI commands. You can manage • Configuration files. Use configuration files to back up and restore the complete configuration of the ZyWALL. You can store multiple configuration files in the ZyWALL and switch between them without restarting.
  • Page 125: Tutorials

    Chapter 6 Tutorials This chapter provides some examples of using the web configurator to set up features in the ZyWALL. See also Chapter 26 on page 351 6.1 Interfaces and Zones The following example shows how to use port grouping, Ethernet interfaces, trunks, and zones to set up the following configuration.
  • Page 126: Figure 44 Network > Interface > Port Grouping, Initial

    Chapter 6 Tutorials Figure 44 Network > Interface > Port Grouping, Initial 2 Drag physical port 2 onto representative interface ge1, as shown below. Figure 45 Network > Interface > Port Grouping, Drag-and-Drop 3 Click Apply. 4 Click Status, and look at the Interface Status Summary, shown below. Ethernet interface ge1 has a status of Port Group Up, and Ethernet interface ge2 is disabled and has a Status of Port Group Inactive.
  • Page 127: Set Up Ethernet Interfaces

    Figure 46 Status: Interface Status Summary After Port Grouping 6.1.2 Set up Ethernet Interfaces This example sets up the Ethernet interfaces as shown below. Table 30 Ethernet Interfaces Example ETHERNET INTERFACE You have decided to use the default settings for ge1 and ge3, so it is not necessary to edit these interfaces.
  • Page 128: Figure 48 Network > Interface > Ethernet > Ge4

    Chapter 6 Tutorials Figure 48 Network > Interface > Ethernet > ge4 3 Use the default values for the rest of the settings. Click Apply to save these changes and return to the previous screen. Click the Edit icon for ge5, and set up the IP address as shown below.
  • Page 129: Wan Trunk

    Figure 51 Status > Interface Status Summary, After Ethernet Interface Edits 6.1.3 WAN Trunk This example sets up trunk WAN_TRUNK with ge3 and ge4. This example uses the default settings for the trunk and shows how to add the interfaces to it. Table 31 Trunk Example ETHERNET TRUNK...
  • Page 130: Zones

    Chapter 6 Tutorials Figure 54 Network > Interface > Trunk > Edit > Member 4 Use the default values for the rest of the settings. Click OK to save these changes and return to the previous screen. 6.1.4 Zones This example sets up the LAN, WAN, and DMZ zones as shown below. Table 32 Zones Example ETHERNET INTERFACE...
  • Page 131: Figure 56 Network > Zone > Dmz, Remove Ge4

    Figure 56 Network > Zone > DMZ, Remove ge4 3 Select IFACE/ge4 and click the left arrow to remove ge4 from the Member list. Click OK to save these changes and return to the previous screen. 4 Click the Edit icon for WAN. The following screen appears. Figure 57 Network >...
  • Page 132: Ipsec Vpn

    Chapter 6 Tutorials 6.2 IPSec VPN This example is going to show you how to create the VPN tunnel illustrated below. Figure 59 VPN Example 192.168.1.33 ~ 192.168.1.232 In this example, the ZyWALL is router X (172.23.37.240/24), and the remote IPSec router is router Y (220.123.143.10/24).
  • Page 133: Set Up The Vpn Connection

    Figure 60 VPN > IPSec VPN > VPN Gateway > Add 6.2.3 Set up the VPN Connection The VPN connection manages the IPSec SA. You have to set up the address objects for the local network and remote network before you can set up the VPN connection. 1 Click Object >...
  • Page 134: Set Up The Policy Route For The Vpn Tunnel

    Chapter 6 Tutorials Figure 62 VPN > IPSec VPN > VPN Connection > add 6.2.4 Set up the Policy Route for the VPN Tunnel You should create a new policy route to use the VPN tunnel. This policy route will only use the existing address objects, so you do not have to create any additional objects first.
  • Page 135: Set Up The Zone For The Vpn Tunnel

    Figure 64 Network > Routing > Policy Route > Add Because the new VPN connection has not been assigned to a zone yet, there are no restrictions (for example, firewall) on traffic to or from this VPN connection. You should set up the VPN settings on the remote IPSec router and try to establish the VPN tunnel before continuing.
  • Page 136: Device Ha

    Chapter 6 Tutorials 6.3 Device HA This example is going to show you how to set up device HA as illustrated below. Figure 66 Device HA Example In this example, router A is the default gateway for the network and uses IP address 192.168.1.1.
  • Page 137: Figure 67 Device Ha > Vrrp Group > Add: Ge1

    Figure 67 Device HA > VRRP Group > Add: ge1 3 Click Status, and scroll down to the Interface Status Summary. The H/A Status field is Active. Figure 68 Status: Interface Status Summary: Device HA Master Configured 4 Repeat these steps for the interface that is connected to the Internet. The second VRRP group should have a different VR ID.
  • Page 138: Set Up The Password For Synchronization

    Chapter 6 Tutorials Figure 69 Network > Device HA > VRRP Group > Add: ge4 Once you configure an interface in a VRRP group, you should not configure the interface to have a dynamic IP address. 6.3.3 Set up the Password for Synchronization 1 Click Device HA >...
  • Page 139: Finish Configuring The Master

    6.3.4 Finish Configuring the Master Finish configuring the master. The backup router will get these updates later, when it synchronizes with the master. 6.3.5 Set up the Ethernet Interfaces on the Backup On the backup ZyWALL, ge1 should be configured exactly the same way it is configured on the master, including the same IP address.
  • Page 140: Synchronize The Backup

    Chapter 6 Tutorials 6.3.7 Synchronize the Backup 1 Connect the backup to the same network as the master. 2 Click Device HA > Synchronize. 3 Type the password for synchronization in the Password field. Enter the IP address of the master (on a secure network), and click Sync Now to get the configuration from the master.
  • Page 141: Set Up User Accounts

    6.4.1 Set up User Accounts Set up one user account for each user account in the RADIUS server. If it is possible to export user names from the RADIUS server to a text file, then you might create a script to create the user accounts instead.
  • Page 142: Set Up User Authentication Using The Radius Server

    Chapter 6 Tutorials 6.4.3 Set up User Authentication Using the RADIUS Server This step sets up user authentication using the RADIUS server. First, configure the settings for the RADIUS server. Then, set up the authentication method, and configure the ZyWALL to use the authentication method.
  • Page 143: Set Up Web Surfing Policies With Bandwidth Restrictions

    The users will have to log in using the web configurator login screen before they can use HTTP or MSN. Figure 79 Object > User/Group > Setting > Add (Force User Authentication Policy) When the users try to browse the web (or use any HTTP/HTTPS application), the Login screen appears.
  • Page 144: Set Up Msn Policies

    Chapter 6 Tutorials Figure 81 AppPatrol > http > Edit Default 4 Click the Add icon in the policy list. In the new policy, select one of the user groups that is allowed to browse the web and set the corresponding bandwidth restriction in the Inbound and Outbound fields.
  • Page 145: Set Up Lan-To-Dmz Policies

    Figure 83 Object > Schedule > Recurring > add 3 Follow the steps in in application patrol. Make sure to specify the schedule when you configure the policy for the Sales group’s MSN access. 6.4.6 Set up LAN-to-DMZ Policies Use the firewall to control access to the DMZ. 1 Click Firewall.
  • Page 146: Trunks

    Chapter 6 Tutorials Figure 85 Firewall > LAN > DMZ > Add 5 Repeat this process to set up firewall rules for the other user groups that are allowed to access the DMZ. 6.5 Trunks The following example shows how to set up a trunk for two connections (ge2 and ge3) to the Internet.
  • Page 147: Change Wan Trunk Algorithm

    Figure 87 Network > Interface > Ethernet > Edit > ge2 2 Click the Edit icon for ge3, and enter the available bandwidth (512 kbps) in the Upstream Bandwidth and Downstream Bandwidth fields. Click OK. 6.5.2 Change WAN Trunk Algorithm 1 Click Network >...
  • Page 148: Nat 1:1 Address Objects

    Chapter 6 Tutorials The firewall is enabled, so you also need to create a rule to allow traffic in from the WAN zone. Figure 89 NAT 1:1 Example Network Topology 192.168.1.21 6.6.1 NAT 1:1 Address Objects First create two address objects for the private and public IP addresses (LAN_SMTP and WAN_EG) in the Object >...
  • Page 149: Nat 1:1 Virtual Server

    6.6.2 NAT 1:1 Virtual Server This section sets up a virtual server rule that changes the destination of SMTP traffic coming to IP address 1.1.1.1 at the ZyWALL’s ge3 (WAN) interface, to the LAN SMTP server’s IP address (192.168.1.21). This is also called Destination NAT (DNAT). Figure 92 NAT 1:1 Example Virtual Server 192.168.1.21 The ge3 WAN interface has a different IP address than 1.1.1.1, so in order for the ZyWALL...
  • Page 150: Nat 1:1 Firewall Rule

    Chapter 6 Tutorials Figure 94 NAT 1:1 Example Policy Route 192.168.1.21 Click Network > Routing > Policy Route > Add and configure the screen as shown next. Be careful of where you create the route as routes are ordered in descending priority. Figure 95 Create a Policy Route 6.6.4 NAT 1:1 Firewall Rule Create a firewall rule to allow access from the WAN zone to the mail server in the LAN zone.
  • Page 151: Nat Loopback

    Figure 96 Create a Firewall Rule 6.7 NAT Loopback The NAT 1:1 example in address of a LAN SMTP mail server to allow users to access the SMTP mail server from the WAN. LAN users can also use an IP address to access the mail server. However, you need to configure NAT loopback for LAN users to use a domain name to access the server.
  • Page 152: Nat Loopback Virtual Server

    Chapter 6 Tutorials 6.7.1 NAT Loopback Virtual Server When a LAN user sends SMTP traffic to IP address 1.1.1.1, the traffic comes into the ZyWALL through the ge1 (LAN) interface, thus it does not match the NAT 1:1 mapping’s virtual server rule for SMTP traffic coming to IP 1.1.1.1 from ge3 (the WAN). So you must configure a similar virtual server rule for ge1.
  • Page 153: Nat Loopback Policy Route

    6.7.2 NAT Loopback Policy Route Without a NAT loopback policy route, the LAN user’s SMTP traffic that goes to the LAN SMTP server has the LAN computer’s IP address as the source. The source address is in the same subnet, so the LAN SMTP server replies directly. The return traffic uses the SMTP server’s LAN IP address as the source address, which does not match the original destination address (1.1.1.1).
  • Page 154: Figure 102 Create A Policy Route

    Chapter 6 Tutorials Figure 102 Create a Policy Route Now the LAN SMTP server replies to the ZyWALL’s LAN IP address and the ZyWALL changes the source address to 1.1.1.1 before sending it to the LAN user’s computer. The source in the return traffic matches the original destination address (1.1.1.1) and the LAN user can use the LAN SMTP server.
  • Page 155: Service Control And The Firewall

    6.8 Service Control and the Firewall Service control lets you configure rules that control HTTP and HTTPS management access (to the web configurator) and separate rules that control HTTP and HTTPS user access (logging into SSL VPN for example). See The To-ZyWALL firewall rules apply to any kind of HTTP or HTTPS connection to the ZyWALL.
  • Page 156: Figure 105 System > Www > Service Control Rule Edit

    Chapter 6 Tutorials Figure 105 System > WWW > Service Control Rule Edit 4 Click Apply. Figure 106 System > WWW Now administrators can only log into the web configurator from the LAN zone. Non-admin users can still use HTTPS to log into the ZyWALL from any of the ZyWALL’s zones (to use SSL VPN for example).
  • Page 157: Status

    Chapter 7 Status This chapter explains the Status screen, which is the screen you see when you first log in to the ZyWALL or when you click Status. 7.1 Status Screen Use this screen to look at the ZyWALL’s general device information, system status, system resource usage, licensed service status, and interface status.
  • Page 158: Table 34 Status

    Chapter 7 Status The following table describes the labels in this screen. Table 34 Status LABEL DESCRIPTION Device Information System Name This field displays the name used to identify the ZyWALL on any network. Click the icon on the right to open the screen where you can change it. See page Model Name This field displays the model name of this ZyWALL.
  • Page 159 Table 34 Status (continued) LABEL DESCRIPTION Signature Version This field displays the version number, date, and time of the current set of signatures the ZyWALL is using. Last Update Time This field displays the last time the ZyWALL received updated signatures. Total This field displays the total number of signatures in the current signature version.
  • Page 160: Vpn Status

    Chapter 7 Status Table 34 Status (continued) LABEL DESCRIPTION HA Status This field displays the status of the interface in the virtual router. Active - This interface is the master interface in the virtual router. Stand-By - This interface is a backup interface in the virtual router. Fault - This VRRP group is not functioning in the virtual router right now.
  • Page 161: Dhcp Table

    Figure 108 Status > VPN Status The following table describes the labels in this screen. Table 35 Status > VPN Status LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific SA. Name This field displays the name of the IPSec SA. Encapsulation This field displays how the IPSec SA is encapsulated.
  • Page 162: Port Statistics

    Chapter 7 Status Figure 109 Status > DHCP Table The following table describes the labels in this screen. Table 36 Status > DHCP Table LABEL DESCRIPTION Interface Select for which interface you want to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses.
  • Page 163: Current Users

    Figure 110 Status > Port Statistics The following table describes the labels in this screen. Table 37 Status > Port Statistics LABEL DESCRIPTION Port This field displays the physical port number. Status This field displays the current status of the physical port. Down - The physical port is not connected.
  • Page 164: Figure 111 Status > Current Users

    Chapter 7 Status Figure 111 Status > Current Users The following table describes the labels in this screen. Table 38 Status > Current Users LABEL DESCRIPTION This field is a sequential value and is not associated with any entry. User ID This field displays the user name of each user who is currently logged in to the ZyWALL.
  • Page 165: Registration

    Chapter 8 Registration This chapter shows you how to register for the ZyWALL’s subscription services. 8.1 myZyXEL.com Overview myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL. You need to create an account before you can register your device and activate the services at myZyXEL.com.
  • Page 166: Registration

    Chapter 8 Registration • SSL VPN tunnels provide secure network access to remote users. You can purchase and enter a license key to have the ZyWALL use more SSL VPN tunnels. • The content filter allows or blocks access to web sites. Subscribe to category-based content filtering to block access to categories of web sites based on content.
  • Page 167: Table 39 Licensing > Registration

    The following table describes the labels in this screen. Table 39 Licensing > Registration LABEL General Setup new myZyXEL.com account existing myZyXEL.com account UserName Check Password Confirm Password E-Mail Address Country Code Trial Service Activation Anti-Virus IDP/AppPatrol Content Filter Apply If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated (if any).
  • Page 168: Service

    Chapter 8 Registration Figure 113 Licensing > Registration: Registered Device 8.3 Service After you activate a trial, you can also use this screen to register and enter your iCard’s PIN number (license key). Click Licensing > Registration > Service to open the screen as shown next.
  • Page 169 Table 40 Licensing > Registration > Service (continued) LABEL Expiration date Count License Upgrade License Key Service License Refresh DESCRIPTION This field displays the date your service expires. You can continue to use IDP/AppPatrol or Anti-Virus after the registration expires; you just won’t receive updated signatures. ZyWALL USG 1000 User’s Guide
  • Page 171: Update

    Chapter 9 Update This chapter shows you how to update the ZyWALL’s signature packages. 9.1 Updating Anti-virus Signatures When scheduling signature updates, choose a day and time when your network is least busy to minimize disruption to your network. Your custom signature configurations are not overwritten when you download new signatures.
  • Page 172: Figure 115 Licensing > Update >Anti-Virus

    Chapter 9 Update Figure 115 Licensing > Update > Anti-Virus The following table describes the labels in this screen. LABEL DESCRIPTION Signature Information Current Version This field displays the signature version number currently used by the ZyWALL. This number is defined by the ZyXEL Security Response Team (ZSRT), who maintain and update the signatures.
  • Page 173: Updating Idp And Application Patrol Signatures

    9.2 Updating IDP and Application Patrol Signatures The ZyWALL comes with signatures for the IDP and application patrol features. These signatures are continually updated as new attack types evolve. New signatures can be downloaded to the ZyWALL periodically if you have subscribed for IDP service. You need to create an account at myZyXEL.com, register your ZyWALL and then subscribe for IDP service in order to be able to download new packet inspection signatures from myZyXEL.com (see the Registration screens).
  • Page 174: Figure 117 Downloading Idp Signatures

    Chapter 9 Update Table 41 Licensing > Update > IDP/AppPatrol (continued) LABEL DESCRIPTION Auto Update Select this check box to have the ZyWALL automatically check for new IDP signatures regularly at the time and day specified. You should select a time when your network is not busy for minimal interruption. Hourly Select this option to have the ZyWALL check for new IDP signatures every hour.
  • Page 175: Updating System Protect Signatures

    9.3 Updating System Protect Signatures The ZyWALL comes with signatures that the ZyWALL uses to protect itself from intrusions. These signatures are continually updated as new attack types evolve. These system protect signature updates are free and can be downloaded to the ZyWALL periodically. Click Licensing >...
  • Page 176: Figure 120 Downloading System Protect Signatures

    Chapter 9 Update Table 42 Licensing > Update > System Protect (continued) LABEL DESCRIPTION Daily Select this option to have the ZyWALL check for new signatures every day at the specified time. The time format is the 24 hour clock, so ‘23’ means 11PM for example.
  • Page 177: Network

    Network Interface (179) Trunks (219) Policy and Static Routes (225) Routing Protocols (235) Zones (245) DDNS (249) Virtual Servers (255) HTTP Redirect (261) ALG (265)
  • Page 179: Interface

    Chapter 10 Interface Section 5.4.2 on page 115 10.1 Interface Overview In general, an interface has the following characteristics. • An interface is a logical entity through which (layer-3) packets pass. • An interface is bound to a physical port or another interface. •...
  • Page 180: Ip Address Assignment

    Chapter 10 Interface • Trunks manage load balancing between interfaces. Port groups, trunks, and the auxiliary interface have a lot of characteristics that are specific to each type of interface. They are discussed in more detail in Chapter 11 on page interfaces--Ethernet, VLAN, bridge, PPPoE/PPTP, and virtual--have a lot of similar characteristics.
  • Page 181: Figure 122 Example: Entry In The Routing Table Derived From Interfaces

    Figure 122 Example: Entry in the Routing Table Derived from Interfaces Table 44 Example: Routing Table Entries for Interfaces IP ADDRESS(ES) 100.100.1.1/16 200.200.200.1/24 For example, if the ZyWALL gets a packet with a destination address of 100.100.25.25, it routes the packet to interface ge1. If the ZyWALL gets a packet with a destination address of 200.200.200.200, it routes the packet to interface ge2.
  • Page 182: Interface Parameters

    Chapter 10 Interface 10.1.3 Interface Parameters The ZyWALL restricts the amount of traffic into and out of the ZyWALL through each interface. • Upstream bandwidth is the amount of traffic from the ZyWALL through the interface to the network. • Downstream bandwidth is the amount of traffic from the network through the interface into the ZyWALL.
  • Page 183: Ping Check Settings

    Table 46 Example: Assigning IP Addresses from a Pool (continued) START IP ADDRESS 99.99.1.1 120.120.120.100 The ZyWALL cannot assign the first address (network address) or the last address (broadcast address) in the subnet defined by the interface’s IP address and subnet mask. For example, in the first entry, if the subnet mask is 255.255.255.0, the ZyWALL cannot assign 50.50.50.0 or 50.50.50.255.
  • Page 184: Relationships Between Interfaces

    Chapter 10 Interface 10.1.6 Relationships Between Interfaces In the ZyWALL, interfaces are usually created on top of other interfaces. Only Ethernet interfaces are created directly on top of the physical ports (or port groups). The relationships between interfaces are explained in the following table. Table 47 Relationships Between Different Types of Interfaces INTERFACE auxiliary interface...
  • Page 185: Interface Summary Screen

    In addition, you use Ethernet interfaces to control which physical ports exchange routing information with other routers and how much information is exchanged through each one. The more routing information is exchanged, the more efficient the routers should be. However, the routers also generate more network traffic, and some routing protocols require a significant amount of configuration and management.
  • Page 186: Figure 123 Network > Interface > Interface Summary

    Chapter 10 Interface Figure 123 Network > Interface > Interface Summary Each field is described in the following table. Table 48 Network > Interface > Interface Summary LABEL DESCRIPTION Interface Summary If an Ethernet interface does not have any physical ports associated with it, its entry is displayed in light gray text.
  • Page 187 Table 48 Network > Interface > Interface Summary (continued) LABEL DESCRIPTION Status This field displays the current status of each interface. The possible values depend on what type of interface it is. For port groups: Inactive - The port group is disabled. Port Group Down - The port group is enabled but not connected.
  • Page 188: Ethernet Summary Screen

    Table 48 Network > Interface > Interface Summary (continued) LABEL DESCRIPTION Interface This table provides packet statistics for each interface. Statistics Name This field displays the name of each interface. If there is a Expand icon (plus-sign) next to the name, click this to look at the statistics for virtual interfaces on top of this interface.
  • Page 189: Ethernet Edit

    Each field is described in the following table. Table 49 Network > Interface > Ethernet LABEL DESCRIPTION This field is a sequential value, and it is not associated with any interface. Name This field displays the name of the interface. IP Address This field displays the current IP address of the interface.
  • Page 190: Figure 125 Network > Interface > Ethernet > Edit

    Figure 125 Network > Interface > Ethernet > Edit
  • Page 191: Table 50 Network > Interface > Ethernet > Edit

    Each field is described in the table below. Table 50 Network > Interface > Ethernet > Edit LABEL DESCRIPTION Ethernet Interface Properties Enable Select this to enable this interface. Clear this to disable this interface. Interface Name This field is read-only. This is the name of the Ethernet interface. Description Enter a description of this interface.
  • Page 192 Table 50 Network > Interface > Ethernet > Edit (continued) LABEL Direction Send Version Receive Version V2-Broadcast OSPF Setting Area Priority Link Cost Passive Interface Authentication Text Authentication Authentication Authentication DHCP Settings DHCP Relay Server 1 DESCRIPTION This field is effective when RIP is enabled.
  • Page 193 Table 50 Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Relay Server 2 This field is optional. Enter the IP address of another DHCP server for the network. These fields appear if the ZyWALL is a DHCP Server. IP Pool Start Enter the IP address from which the ZyWALL begins allocating IP addresses.
  • Page 194: Port Grouping

    Table 50 Network > Interface > Ethernet > Edit (continued) LABEL Edit static DHCP table Ping Check Enable Check Period Check Timeout Check Fail Tolerance Ping Default Gateway Ping this address 10.3 Port Grouping This section introduces port groups and then explains the screen for port groups. 10.3.1 Port Grouping Overview Use port grouping to create port groups and to assign physical ports and port groups to Ethernet interfaces.
  • Page 195: Port Grouping Screen

    Each physical port is assigned to one Ethernet interface. In port grouping, the Ethernet interfaces are called representative interfaces. If you assign more than one physical port to a representative interface, you create a port group. Port groups have the following characteristics: •...
  • Page 196: Vlan Interfaces

    Figure 129 Network > Interface > Port Grouping Each section in this screen is described below. Table 51 Network > Interface > Port Grouping LABEL Representative Interface (ge1, ge2, ge3, ge4, ge5) Physical Port (1, 2, 3, 4, 5) Apply Reset 10.4 VLAN Interfaces...
  • Page 197: Figure 130 Example: Before Vlan

    Figure 130 Example: Before VLAN In this example, there are two physical networks and three departments A, B, and C. The physical networks are connected to hubs, and the hubs are connected to the router. Alternatively, you can divide the physical networks into three VLANs. Figure 131 Example: After VLAN Each VLAN is a separate network with separate IP addresses, subnet masks, and gateways.
  • Page 198: Vlan Interfaces Overview

    • Better manageability - You can align network policies more appropriately for users. For example, you can create different content filtering rules for each VLAN (each department in the example above), and you can set different bandwidth limits for each VLAN. These rules are also independent of the physical network, so you can change the physical network without changing policies.
  • Page 199: Vlan Add/Edit

    Table 52 Network > Interface > VLAN (continued) LABEL DESCRIPTION Port/VID For VLAN interfaces, this field displays • • For virtual interfaces, this field is blank. IP Address This field displays the current IP address of the interface. If the IP address is 0.0.0.0, the interface does not have an IP address yet.
  • Page 200: Figure 133 Network > Interface > Vlan > Edit

    Figure 133 Network > Interface > VLAN > Edit
  • Page 201: Table 53 Network > Interface > Vlan > Edit

    Each field is explained in the following table. Table 53 Network > Interface > VLAN > Edit LABEL DESCRIPTION VLAN Interface Properties Enable Select this to enable this interface. Clear this to disable this interface. Interface Name This field is read-only if you are editing the interface. Enter the name of the VLAN interface.
  • Page 202 Table 53 Network > Interface > VLAN > Edit (continued) LABEL DHCP Relay Server 1 Relay Server 2 IP Pool Start Address Pool Size First DNS Server Second DNS Server Third DNS Server First WINS Server, Second WINS Server Lease time DESCRIPTION...
  • Page 203: Bridge Interfaces

    Table 53 Network > Interface > VLAN > Edit (continued) LABEL DESCRIPTION Edit static DHCP Click this if you want the ZyWALL to assign static IP addresses to computers. table The Static DHCP screen appears. Figure 134 Network > Interface > Edit > Edit static DHCP table The ZyWALL checks this table when it assigns IP addresses.
  • Page 204: Bridge Overview

    10.5.1 Bridge Overview A bridge creates a connection between two or more network segments at the layer-2 (MAC address) level. In the following example, bridge X connects four network segments. When the bridge receives a packet, the bridge records the source MAC address and the port on which it was received in a table.
  • Page 205: Bridge Interface Overview

    10.5.2 Bridge Interface Overview A bridge interface creates a software bridge between the members of the bridge interface. It also becomes the ZyWALL’s interface for the resulting network. A bridge interface may consist of the following members: • Zero or one VLAN interfaces (and any associated virtual VLAN interfaces) •...
  • Page 206: Bridge Add/Edit

    Table 57 Network > Interface > Bridge (continued) LABEL IP Address Member Add icon Apply Reset 10.5.4 Bridge Add/Edit This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and ping check for each bridge interface. To access this screen, click the Add icon at the top of the Add column in the Bridge Summary screen, or click an Edit icon in the Bridge Summary screen.
  • Page 207: Figure 136 Network > Interface > Bridge > Edit

    Figure 136 Network > Interface > Bridge > Edit
  • Page 208: Table 58 Network > Interface > Bridge > Edit

    In this example, you are creating a new bridge. If you are editing a bridge, the Interface Name field is read-only. Each field is described in the table below. Table 58 Network > Interface > Bridge > Edit LABEL Bridge Interface Properties...
  • Page 209 Table 58 Network > Interface > Bridge > Edit (continued) LABEL DESCRIPTION Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the ZyWALL divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500.
  • Page 210: Pppoe/Pptp Interfaces

    Table 58 Network > Interface > Bridge > Edit (continued) LABEL Edit static DHCP table Ping Check Enable Check Period Check Timeout Check Fail Tolerance Ping Default Gateway Ping this address 10.6 PPPoE/PPTP Interfaces This section introduces PPPoE, PPTP, and PPPoE/PPTP interfaces and then explains the screens for PPPoE/PPTP interfaces.
  • Page 211: Pppoe/Pptp Interfaces Overview

    PPPoE is often used with cable modems and DSL connections. It provides the following advantages: • The access and authentication method works with existing systems, including RADIUS. • You can access one of several network services. This makes it easier for the service provider to offer the service •...
  • Page 212: Pppoe/Pptp Interface Summary

    10.6.3 PPPoE/PPTP Interface Summary You have to set up an ISP account before you create a PPPoE/PPTP interface. This screen lists every PPPoE/PPTP interface. To access this screen, click Network > Interface > PPPoE/PPTP. Figure 139 Network > Interface > PPPoE/PPTP Each field is described in the table below.
  • Page 213: Pppoe/Pptp Interface Add/Edit

    10.6.4 PPPoE/PPTP Interface Add/Edit You have to set up an ISP account before you create a PPPoE/PPTP interface. This screen lets you configure new or existing PPPoE/PPTP interfaces. To access this screen, click the Add icon or an Edit icon in the PPPoE/PPTP Interface Summary screen. Figure 140 Network >...
  • Page 214: Table 60 Network > Interface > Pppoe/Pptp > Edit

    Each field is explained in the following table. Table 60 Network > Interface > PPPoE/PPTP > Edit LABEL PPP Interface Properties Enable Interface Name Nail_Up Dial-on-Demand Description Base Interface Account Profile Protocol User Name Service Name IP Address Assignment Automatically Use Fixed IP...
  • Page 215: Auxiliary Interface

    Table 60 Network > Interface > PPPoE/PPTP > Edit (continued) LABEL DESCRIPTION Ping Check The interface can regularly ping the gateway you specified to make sure it is still available. You specify how often the interface pings the gateway, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the ZyWALL stops routing to the gateway.
  • Page 216: Figure 141 Network > Interface > Auxiliary

    Figure 141 Network > Interface > Auxiliary Each field is described in the table below. Table 61 Network > Interface > Auxiliary LABEL Auxiliary Interface Properties Enable Description Port Speed Dialing Type Initial String Auxiliary Configuration Phone Number User Name Password Retype to...
  • Page 217: Virtual Interfaces

    Table 61 Network > Interface > Auxiliary (continued) LABEL DESCRIPTION Authentication Select the authentication protocol to use for outgoing calls. Choices are: Type CHAP/PAP - Your ZyWALL accepts either CHAP or PAP, as requested by the computer you are dialing. CHAP - Your ZyWALL accepts CHAP only.
  • Page 218: Figure 142 Network > Interface > Add

    Figure 142 Network > Interface > Add Each field is described in the table below. Table 62 Network > Interface > Add LABEL Virtual Interface Properties Interface Name Description IP Address Assignment IP Address Subnet Mask Gateway Metric Interface Properties Upstream...
  • Page 219: Trunks

    CHAPTER 11 Trunks This chapter shows you how to configure trunks on your ZyWALL. See for related information on these screens. 11.1 Trunks Overview You can group multiple interfaces together into trunks to have multiple connections share the traffic load to increase overall network throughput and enhance network reliability.
  • Page 220: Load Balancing Algorithms

    Chapter 11 Trunks Maybe you have two connections with different bandwidths. For jitter-sensitive traffic (like video for example), you could set up a trunk group that uses spillover or weighted round robin load balancing to make sure that most of the jitter-sensitive traffic goes through the higher- bandwidth interface.
  • Page 221: Weighted Round Robin

    11.4.2 Weighted Round Robin Round Robin scheduling services queues on a rotating basis and is activated only when an interface has more traffic than it can handle. A queue is given an amount of bandwidth irrespective of the incoming traffic on that interface. This queue then moves to the back of the list.
  • Page 222: Trunk Summary

    Figure 145 Spillover Algorithm Example 11.5 Trunk Summary Click Network > Interface > Trunk to open the Trunk screen. This screen lists the configured trunks and the load balancing algorithm that each is configured to use. Figure 146 Network > Interface > Trunk The following table describes the items in this screen.
  • Page 223: Figure 147 Network > Interface > Trunk > Edit

    Figure 147 Network > Interface > Trunk > Edit Each field is described in the table below. Table 65 Network > Interface > Trunk > Edit LABEL DESCRIPTION Name Enter a descriptive name for this trunk. You may use 1-31 alphanumeric characters, underscores( is case-sensitive.
  • Page 224 Table 65 Network > Interface > Trunk > Edit (continued) LABEL DESCRIPTION Spillover This field displays with the spillover load balancing algorithm. Specify the maximum bandwidth of traffic in kilobits per second (1~1048576) to send out through the interface before using another interface.
  • Page 225: Policy And Static Routes

    CHAPTER 12 Policy and Static Routes This chapter shows you how to configure policies for IP routing and static routes on your ZyWALL. See Section 5.4.10 on page 117 12.1 Policy Route Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet.
  • Page 226: Nat And Snat

    Chapter 12 Policy and Static Routes IPPR follows the existing packet filtering facility of RAS in style and in implementation. 12.2.1 NAT and SNAT NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address in a packet in one network to a different IP address in another network.
  • Page 227: Maximize Bandwidth Usage

    Figure 148 Trigger Port Forwarding Example 12.2.3 Maximize Bandwidth Usage The maximize bandwidth usage option allows the ZyWALL to divide up any available bandwidth on the interface (including unallocated bandwidth and any allocated bandwidth that a policy route is not using) among the policy routes that require more bandwidth. When you enable maximize bandwidth usage, the ZyWALL first makes sure that each policy route gets up to its bandwidth allotment.
  • Page 228: Figure 149 Network > Routing > Policy Route

    Figure 149 Network > Routing > Policy Route The following table describes the labels in this screen. Table 66 Network > Routing > Policy Route LABEL DESCRIPTION Enable BWM This is a global setting for enabling or disabling bandwidth management on the ZyWALL.
  • Page 229: Policy Route Edit

    Table 66 Network > Routing > Policy Route (continued) LABEL DESCRIPTION Add icon Click the Add icon in the heading row to add a new first entry. The Active icon displays whether the rule is enabled or not. Click the Active icon to activate or deactivate the policy.
  • Page 230: Figure 150 Network > Routing > Policy Route > Edit

    Figure 150 Network > Routing > Policy Route > Edit The following table describes the labels in this screen. Table 67 Network > Routing > Policy Route > Edit LABEL DESCRIPTION Configuration Enable Select this to activate the policy. Description Enter a descriptive name of up to 31 printable ASCII characters for the policy.
  • Page 231 Table 67 Network > Routing > Policy Route > Edit (continued) LABEL DESCRIPTION Type Select Auto to have the ZyWALL use the routing table to find a next-hop and forward the matched packets automatically. Select Gateway to route the matched packets to the next-hop router or switch you specified in the Gateway field.
  • Page 232: Ip Static Routes

    Table 67 Network > Routing > Policy Route > Edit (continued) LABEL DESCRIPTION Bandwidth This allows you to allocate bandwidth to a route and prioritize traffic that matches Shaping the routing policy. You must also enable bandwidth management in the main policy route screen (Network >...
  • Page 233: Static Route Summary

    12.6 Static Route Summary Click Network > Routing > Static Route to open the Static Route screen. Figure 152 Network > Routing > Static Route The following table describes the labels in this screen. Table 68 Network > Routing > Static Route LABEL DESCRIPTION This is the number of an individual static route.
  • Page 234: Table 69 Network > Routing > Static Route > Edit

    The following table describes the labels in this screen. Table 69 Network > Routing > Static Route > Edit LABEL DESCRIPTION Destination IP This parameter specifies the IP network address of the final destination. Routing is always based on network number.
  • Page 235: Routing Protocols

    CHAPTER 13 Routing Protocols This chapter describes how to set up RIP and OSPF routing protocol settings for the ZyWALL. First, it provides an overview of RIP and OSPF, and, then, it introduces the RIP and OSPF screens used to configure routing protocols. See information on these screens.
  • Page 236: Authentication Types

    Chapter 13 Routing Protocols RIP uses UDP port 520. 13.1.2 Authentication Types Authentication is used to guarantee the integrity, but not the confidentiality, of routing updates. The transmitting router uses its key to encrypt the original message into a smaller message, and the smaller message is transmitted with the original message.
  • Page 237: Ospf Overview

    Figure 154 Network > Routing > RIP The following table describes the labels in this screen. Table 71 Network > Routing Protocol > RIP LABEL DESCRIPTION Authentication Authentication Select the authentication method used in the RIP network. Choices are: None, Text, and MD5.
  • Page 238: Ospf Areas

    • OSPF filters and summarizes routing information, which reduces the size of routing tables throughout the network. • OSPF responds to changes in the network, such as the loss of a router, more quickly. • OSPF considers several factors, including bandwidth, hop count, throughput, round trip time, and reliability, when it calculates the shortest path.
  • Page 239: Ospf Routers

    This OSPF AS consists of four areas, areas 0-3. Area 0 is always the backbone. In this example, areas 1, 2, and 3 are all connected to it. Area 1 is a normal area. It has routing information about the OSPF AS and networks X and Y. Area 2 is a stub area. It has routing information about the OSPF AS, but it depends on a default route to send information to networks X and Y.
  • Page 240: Virtual Links

    Figure 156 OSPF: Types of Routers In order to reduce the amount of traffic between routers, a group of routers that are directly connected to each other selects a designated router (DR) and a backup designated router (BDR).
  • Page 241: Ospf Screens

    2 Set up the OSPF areas. 3 Configure the appropriate interfaces. See 4 Set up virtual links, as needed. 13.4 OSPF Screens The OSPF screens are used to specify the ID the ZyWALL uses in the OSPF AS and to maintain the policies for redistribution.
  • Page 242: Ospf Area Add/Edit

    Table 73 Network > Routing Protocol > OSPF (continued) LABEL Active Route Type Metric Area Area Type Authentication Add icon 13.4.2 OSPF Area Add/Edit The OSPF Area Add/Edit screen allows you to create a new area or edit an existing one. To access this screen, go to the OSPF summary screen (see click either the Add icon or an Edit icon.
  • Page 243: Figure 159 Network > Routing > Ospf > Edit

    Figure 159 Network > Routing > OSPF > Edit The following table describes the labels in this screen. Table 74 Network > Routing > OSPF > Edit LABEL DESCRIPTION Area ID Type the unique, 32-bit identifier for the area in IP address format. Type This field displays the type of area.
  • Page 244 Table 74 Network > Routing > OSPF > Edit (continued) LABEL DESCRIPTION Text This field is available if the Authentication is Text. Type the password for text Authentication authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to 8 characters long.
  • Page 245: Zones

    CHAPTER 14 Zones Set up zones to configure network security and network policies in the ZyWALL. See 5.4.7 on page 116 for related information on these screens. 14.1 Zones Overview A zone is a group of interfaces and VPN tunnels. The ZyWALL uses zones, not interfaces, in many security and policy settings, such as firewall rules and remote management.
  • Page 246: Zone Summary

    Chapter 14 Zones Intra-zone traffic is traffic between interfaces or VPN tunnels in the same zone. For example, Figure 160 on page each zone, you can either allow or prohibit all intra-zone traffic. For example, in page 245, you might allow intra-zone traffic in the LAN2 zone but prohibit it in the WAN zone.
  • Page 247: Zone Add/Edit

    14.3 Zone Add/Edit The Zone Add/Edit screen allows you to define a zone or edit an existing one. To access this screen, go to the Zone screen (see an Edit icon. Figure 162 Network > Zone > Edit The following table describes the labels in this screen. Table 76 Network >...
  • Page 249: Ddns

    CHAPTER 15 DDNS This chapter describes how to configure dynamic DNS (DDNS) services for the ZyWALL. First, it provides an overview, and then it introduces the screens. See for related information on these screens. 15.1 DDNS Overview DNS maps a domain name to a corresponding IP address and vice versa.
  • Page 250: High Availability (Ha)

    Chapter 15 DDNS 15.1.2 High Availability (HA) The DDNS server maps a domain name to the IP address of one of the ZyWALL’s WAN ports. If that WAN port loses its connection, high availability allows the ZyWALL to substitute the HA port’s IP address in the domain name mapping. 15.1.3 Mail Exchanger DynDNS can route e-mail for your domain name to a specified mail server.
  • Page 251: Ddns Summary

    15.3 DDNS Summary The DDNS screen provides a summary of all DDNS domain names and their configuration. In addition, this screen allows you to add new domain names, edit the configuration for existing domain names, and delete domain names. To access this screen, login to the web configurator. When the main screen appears, click Network >...
  • Page 252: Dynamic Dns Add/Edit

    15.4 Dynamic DNS Add/Edit The DDNS Add/Edit screen allows you to add a domain name to the ZyWALL or to edit the configuration of an existing domain name. To access this screen, click Network > DDNS, and click either the Add icon or an Edit icon.
  • Page 253 Table 78 Network > DDNS > Edit (continued) LABEL DESCRIPTION HA Interface This field is only available when the IP Address Update Policy is Interface. Select the alternative WAN interface to map to the domain name when the WAN interface is not available.
  • Page 255: Virtual Servers

    CHAPTER 16 Virtual Servers This chapter describes how to set up, manage, and remove virtual servers. First, it provides an overview of virtual servers, and, then, it introduces the virtual server screens and commands. Section 5.4.18 on page 121 16.1 Virtual Server Overview Virtual server is also known as port forwarding or port translation.
  • Page 256: Virtual Server Example

    Chapter 16 Virtual Servers The ZyWALL checks virtual servers before it applies to-ZyWALL firewall rules, so to- ZyWALL firewall rules do not apply to traffic that is forwarded by virtual servers. The ZyWALL still checks regular (through-ZyWALL) firewall rules according to the source IP address and mapped IP address.
  • Page 257: Figure 166 Network > Virtual Server

    Figure 166 Network > Virtual Server The following table describes the labels in this screen. See for more information as well. Table 79 Network > Virtual Server LABEL DESCRIPTION Total Virtual This is how many virtual server entries are configured in the ZyWALL. Servers entries per page Select how many virtual server entries to display per page in the screen.
  • Page 258: Virtual Server Add/Edit

    16.4.1 Virtual Server Add/Edit The Virtual Server Add/Edit screen lets you create new virtual servers and edit existing ones. To open this window, open the Virtual Server summary screen. (See page 256.) Then, click on an Add icon or Edit icon to open the following screen. If the virtual server will send traffic to the clients, you need to create a corresponding policy route.
  • Page 259 Table 80 Network > Virtual Server > Edit (continued) LABEL DESCRIPTION User Defined This field is available if Original IP is User Defined. Type the destination IP address that this virtual server supports. Mapped IP Type the translated destination IP address, if this virtual server forwards the packet. Mapping Type Use the drop-down list box to select how many original destination ports this virtual server supports for the selected destination IP address (Original IP).
  • Page 261: Http Redirect

    CHAPTER 17 HTTP Redirect This chapter shows you how to configure HTTP redirection on your ZyWALL. See 5.4.19 on page 121 for related information on these screens. 17.1 HTTP Redirect Overview HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the ZyWALL) to a web proxy server.
  • Page 262: Configuring Http Redirect

    Chapter 17 HTTP Redirect Figure 168 HTTP Redirect Example In the example, proxy server A is connected to ge4 in the DMZ zone. When a client connected to ge1 wants to open a web page, its HTTP request is redirected to proxy server A first. If proxy server A cannot find the web page in its cache, a policy route allows it to access the Internet to get the page from a server.
  • Page 263: Http Redirect Edit

    Figure 169 Network > HTTP Redirect The following table describes the labels in this screen. Table 81 Network > HTTP Redirect LABEL DESCRIPTION Name This is the descriptive name (up to 31 printable characters) of a rule. Interface This is the interface on which the request must be received. Proxy Server This is the IP address of the proxy server.
  • Page 264 Table 82 Network > HTTP Redirect > Edit (continued) LABEL DESCRIPTION Interface Select the interface on which the HTTP request must be received for the ZyWALL to forward it to the specified proxy server. Proxy Server Enter the IP address of the proxy server.
  • Page 265: Alg

    CHAPTER 18 ALG This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to pass through the ZyWALL. See screens. 18.1 ALG Introduction The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT un- friendly applications (such as SIP) to operate properly through the ZyWALL’s NAT.
  • Page 266: Ftp

    Chapter 18 ALG You could also have a trunk with one interface set to active and a second interface set to passive. The ZyWALL does not automatically change ALG-managed connections to the second (passive) interface when the active interface’s connection goes down. When the active interface’s connection fails, the client needs to re-initialize the connection through the second interface (that was set to passive) in order to have the connection go through the second interface.
  • Page 267: Sip

    Figure 171 H.323 ALG Example 18.1.6 SIP The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet. SIP is used in VoIP (Voice over IP), the sending of voice signals over the Internet Protocol.
  • Page 268: Peer-To-Peer Calls And The Zywall

    18.1.6.2 SIP Signaling Session Timeout Most SIP clients have an “expire” mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL. If the SIP client does not have this mechanism and makes no calls during the ZyWALL SIP timeout, the ZyWALL SIP ALG deletes the signaling session after the timeout period.
  • Page 269: Alg Screen

    For example, you configure firewall and virtual server rules to allow LAN IP address A to receive calls through public WAN IP address 1. You configure different firewall and port forwarding rules to allow LAN IP address B to receive calls through public WAN IP address 2.
  • Page 270: Table 83 Network > Alg

    The following table describes the labels in this screen. Table 83 Network > ALG LABEL DESCRIPTION Enable SIP SIP is a signaling protocol used in VoIP (Voice over IP), the sending of voice signals Transformations over Internet Protocol. Turn on the SIP ALG to allow SIP sessions to pass through the ZyWALL.
  • Page 271: Wan To Lan Sip Peer-To-Peer Calls Example

    18.4 WAN to LAN SIP Peer-to-peer Calls Example This example shows how to configure firewall and virtual server (port forwarding) rules to allow H.323 calls to come in through WAN IP address 10.0.0.8 to computer A at IP address 192.168.1.56 on the LAN. Figure 176 WAN to LAN H.323 Peer-to-peer Calls Example Configure the virtual server policy first to forward H.323 (TCP port 1720) traffic received on the ZyWALL’s 10.0.0.8 WAN IP address to LAN IP address 192.168.1.56.
  • Page 272: Figure 178 Firewall > Wan To Lan

    Figure 178 Firewall > WAN to LAN 5 Configure the screen as follows. For the Destination, select Create Object. Figure 179 Firewall > WAN > LAN > Add 6 Configure an address object for the ZyWALL’s 10.0.0.8 WAN IP address as follows and click OK.
  • Page 273: Figure 181 Firewall > Wan > Lan > Add

    Figure 181 Firewall > WAN > LAN > Add
  • Page 275: Firewall And Vpn

    Firewall and VPN Firewall (277) IPSec VPN (291) SSL VPN (323) SSL User Screens (331) SSL User Application Screens (337) SSL User File Sharing Screens (339) L2TP VPN (345) L2TP VPN Example (351)
  • Page 277: Firewall

    CHAPTER 19 Firewall This chapter introduces the ZyWALL’s firewall and shows you how to configure your ZyWALL’s firewall. See 19.1 Firewall Overview The ZyWALL’s firewall is a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.
  • Page 278: Firewall Rules

    Chapter 19 Firewall Your customized rules take precedence and override the ZyWALL’s default settings. The ZyWALL checks the schedule, user name (user’s login name on the ZyWALL), source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them).
  • Page 279: Table 84 Default Firewall Rules

    The following table explains the default firewall rules for traffic going through the ZyWALL. Section 19.2.1.2 on page 279 ZyWALL itself. Table 84 Default Firewall Rules FROM ZONE TO ZONE From LAN to LAN From LAN to WAN From LAN to DMZ From WAN to LAN From WAN to WAN From WAN to DMZ...
  • Page 280: Firewall And Vpn Traffic

    The ZyWALL checks the firewall rules before the service control rules for traffic destined for the ZyWALL. You can configure a to-ZyWALL firewall rule (with From Any To ZyWALL direction) for traffic from an interface which is not in a zone. 19.2.2 Firewall and VPN Traffic After you create a VPN tunnel and apply it to a zone, you can set the firewall rules applied to VPN traffic.
  • Page 281: Figure 184 Limited Lan To Wan Irc Traffic Example

    Your firewall would have the following configuration. Table 85 Blocking All LAN to WAN IRC Traffic Example USER SOURCE Default • The first row blocks LAN access to the IRC service on the WAN. • The second row is the firewall’s default policy that allows all traffic from the LAN to go to the WAN.
  • Page 282: Alerts

Your firewall would have the following configuration. Table 86 Limited LAN to WAN IRC Traffic Example 1 USER Default • The first row allows the LAN computer at IP address 192.168.1.7 to access the IRC service on the WAN. •...
  • Page 283: Virtual Interfaces And Asymmetrical Routes

    You can have the ZyWALL permit the use of asymmetrical route topology on the network (not reset the connection). Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets.
  • Page 284: Figure 186 Firewall

Figure 186 Firewall The following table describes the labels in this screen. Table 88 Firewall LABEL DESCRIPTION Global Setting Enable Firewall Select this check box to activate the firewall. The ZyWALL performs access control when the firewall is activated. Allow Asymmetrical Route If an alternate gateway on the LAN has an IP address in the same subnet as the...
• Page 285 Table 88 Firewall (continued) LABEL DESCRIPTION Maximum session per host Use this field to set the highest number of sessions that the ZyWALL will permit a host computer with the same IP address to have at one time. When computers use peer to peer applications, such as file sharing applications, they may use a large number of NAT sessions.
  • Page 286: Edit A Firewall Rule

Table 88 Firewall (continued) LABEL DESCRIPTION Add icon Click the Add icon in the heading row to add a new first entry. The Active icon displays whether the rule is enabled or not. Click it to activate or deactivate the rule.
  • Page 287: Firewall Rule Configuration Example

    Table 89 Firewall > Edit (continued) LABEL DESCRIPTION Description Enter a descriptive name of up to 60 printable ASCII characters for the firewall rule. Spaces are allowed. Schedule Select a schedule that defines when the rule applies or select Create Object to configure a new one (see none and the rule is always effective.
  • Page 288: Figure 188 Firewall Example: Select The Traveling Direction Of Traffic

Figure 188 Firewall Example: Select the Traveling Direction of Traffic 2 Select From WAN and To LAN and enter a description. Select Create Object in the Destination drop-down list box. Figure 189 Firewall Example: Edit a Firewall Rule 1 3 The screen for configuring an address object opens.
  • Page 289: Figure 190 Firewall Example: Create An Address Object

    Figure 190 Firewall Example: Create an Address Object 4 Select Create Object in the Service drop-down list box. 5 The screen for configuring a service object opens. Configure it as follows and click OK. Figure 191 Firewall Example: Create a Service Object 6 Enter the name of the firewall rule.
  • Page 290: Figure 193 Firewall Example: Myservice Example Rule In Summary

Figure 193 Firewall Example: MyService Example Rule in Summary ZyWALL USG 1000 User’s Guide...
  • Page 291: Ipsec Vpn

CHAPTER 20 IPSec VPN This chapter explains how to set up and maintain IPSec VPNs in the ZyWALL. See Section 5.4.4 on page 116 for related information on these screens. 20.1 IPSec VPN Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines.
  • Page 292: Ipsec Sa Overview

    Chapter 20 IPSec VPN Figure 195 VPN: IKE SA and IPSec SA In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks.
  • Page 293: Figure 196 Vpn: Transport And Tunnel Mode Encapsulation

    Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT. 20.1.1.3 Encapsulation There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is more secure. Transport mode is only used when the IPSec SA is used for communication between the ZyWALL and remote IPSec router (for example, for remote management), not between computers on the local and remote networks.
  • Page 294: Additional Topics For Ipsec Sa

If you enable PFS, the ZyWALL and remote IPSec router perform a DH key exchange every time an IPSec SA is established, changing the root key from which encryption keys are generated. As a result, if one encryption key is compromised, other encryption keys remain secure.
  • Page 295: Figure 197 Vpn Example: Nat For Inbound And Outbound Traffic

    • Source address in outbound packets - this translation is necessary if you want the ZyWALL to route packets from computers outside the local network through the IPSec • Source address in inbound packets - this translation hides the source address of computers in the remote network.
  • Page 296: Vpn Related Configuration

• Destination - the original destination address; the local network (A). • SNAT - the translated source address; a different IP address (range of addresses) to hide the original source address. 20.1.2.2.3 Destination Address in Inbound Packets (Inbound Traffic, Destination NAT) You can set up this translation if you want the ZyWALL to forward some packets from the remote network to a specific computer in the local network.
  • Page 297: Vpn Connection Screens

    • Make sure the to-ZyWALL firewall rules allow IPSec VPN traffic to the ZyWALL. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. • The ZyWALL supports UDP port 500 and UDP port 4500 for NAT traversal. If you enable this, make sure the to-ZyWALL firewall rules allow UDP port 4500 too.
  • Page 298: Vpn Connection Add/Edit Ike

Each field is discussed in the following table. See Section 20.3.2 on page 298 Table 90 VPN > IPSec VPN > VPN Connection LABEL Name VPN Gateway Encapsulation Algorithm Policy Add icon Apply Reset 20.3.2 VPN Connection Add/Edit IKE The VPN Connection Add/Edit Gateway screen allows you to create a new VPN connection using a VPN gateway (with IKE) or edit an existing VPN connection using a VPN gateway.
  • Page 299: Figure 199 Vpn > Ipsec Vpn > Vpn Connection > Edit (Ike)

    Figure 199 VPN > IPSec VPN > VPN Connection > Edit (IKE) Each field is described in the following table. Table 91 VPN > IPSec VPN > VPN Connection > Edit LABEL DESCRIPTION VPN Connection Connection Type the name used to identify this IPSec SA. You may use 1-31 alphanumeric Name characters, underscores( number.
• Page 300 Table 91 VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL Active Protocol Encapsulation Proposal Encryption Authentication Add icon SA Life Time (Seconds) Perfect Forward Secrecy (PFS) Policy DESCRIPTION Select which protocol you want to use in the IPSec SA. Choices are: AH (RFC 2402) - provides integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not encryption.
  • Page 301 Table 91 VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Policy Select this if you want the ZyWALL to drop traffic whose source and destination Enforcement IP addresses do not match the local and remote policy. This makes the IPSec SA more secure.
  • Page 302: Vpn Connection Add/Edit Manual Key

Table 91 VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL SNAT Destination NAT Original IP Mapped IP Protocol Original Port Mapped Port Add icon Cancel 20.3.3 VPN Connection Add/Edit Manual Key The VPN Connection Add/Edit Manual Key screen allows you to create a new VPN connection or edit an existing one using a manual key.
  • Page 303: Figure 200 Vpn > Ipsec Vpn > Vpn Connection > Manual Key > Edit

    Figure 200 VPN > IPSec VPN > VPN Connection > Manual Key > Edit The following table describes the labels in this screen. Table 92 VPN > IPSec VPN > VPN Connection > Manual Key > Edit LABEL DESCRIPTION VPN Connection Connection Type the name used to identify this IPSec SA.
• Page 304 Table 92 VPN > IPSec VPN > VPN Connection > Manual Key > Edit (continued) LABEL Encapsulation Mode Active Protocol Encryption Algorithm Authentication Algorithm Encryption DESCRIPTION Select which type of encapsulation the IPSec SA uses. Choices are: Tunnel - this mode encrypts the IP header information and the data; Transport - this mode only encrypts the data.
• Page 305 Table 92 VPN > IPSec VPN > VPN Connection > Manual Key > Edit (continued) LABEL DESCRIPTION Authentication Enter the authentication key, which depends on the authentication algorithm. MD5 - type a unique key 16-20 characters long; SHA1 - type a unique key 20 characters long. You can use any alphanumeric characters or ,;|`~!@#$%^&*()_+\{}':./<>=-".
  • Page 306: Vpn Gateway Screens

Table 92 VPN > IPSec VPN > VPN Connection > Manual Key > Edit (continued) LABEL Source NAT Source Destination SNAT Destination Original IP Mapped IP Protocol Original Port Mapped Port Add icon Cancel 20.4 VPN Gateway Screens You use the VPN Gateway summary screen to look at the VPN gateways you have set up, and you use the VPN Gateway Add/Edit screen to create or to edit VPN gateways.
  • Page 307: Figure 201 Ike Sa: Main Negotiation Mode, Steps 1 - 2: Ike Sa Proposal

It takes several steps to establish an IKE SA. The negotiation mode determines how many. There are two negotiation modes: main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster. Both routers must use the same negotiation mode. These modes are discussed in more detail in various examples in the rest of this section.
  • Page 308: Figure 202 Ike Sa: Main Negotiation Mode, Steps 3 - 4: Dh Key Exchange

Both routers must use the same encryption algorithm, authentication algorithm, and DH key group. In most ZyWALLs, you can select one of the following encryption algorithms for each proposal. The algorithms are listed in order from weakest to strongest. •...
  • Page 309: Figure 203 Ike Sa: Main Negotiation Mode, Steps 5 - 6: Authentication

    In main mode, the ZyWALL and remote IPSec router authenticate each other in steps 5 and 6, as illustrated below. The identities are also encrypted using the encryption algorithm and encryption key the ZyWALL and remote IPSec router selected in previous steps. Figure 203 IKE SA: Main Negotiation Mode, Steps 5 - 6: Authentication (continued) You have to create (and distribute) a pre-shared key.
  • Page 310: Additional Topics For Ike Sa

For example, in Table 93 on page each other successfully. In contrast, in IPSec router cannot authenticate each other and, therefore, cannot establish an IKE SA. Table 93 VPN Example: Matching ID Type and Content ZYWALL Local ID type: E-mail Local ID content: tom@yourcompany.com Peer ID type: IP...
  • Page 311: Figure 204 Vpn/Nat Example

    20.4.2.2 VPN, NAT, and NAT Traversal In the following example, there is another router (A) between router X and router Y. Figure 204 VPN/NAT Example If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and router Y try to establish a VPN tunnel, the authentication fails because it depends on this information.
  • Page 312: Vpn Gateway Summary

• Instead of using the pre-shared key, the ZyWALL and remote IPSec router check the signatures on each other’s certificates. Unlike pre-shared keys, the signatures do not have to match. • The local and peer ID type and content come from the certificates. You must set up the certificates for the ZyWALL and remote IPSec router first.
  • Page 313: Vpn Gateway Add/Edit

    Table 95 VPN > IPSec VPN > VPN Gateway (continued) LABEL DESCRIPTION Add icon This column provides icons to add, edit, and remove VPN gateways, as well as to activate / deactivate VPN gateways. To add a VPN gateway, click the Add icon at the top of the column. The VPN Gateway Add/Edit screen appears.
  • Page 314: Figure 206 Vpn > Ipsec Vpn > Vpn Gateway > Edit

Figure 206 VPN > IPSec VPN > VPN Gateway > Edit Each field is described in the following table. Table 96 VPN > IPSec VPN > VPN Gateway > Edit LABEL VPN Gateway VPN Gateway Name IKE Phase 1 Negotiation Mode...
  • Page 315 Table 96 VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION Proposal This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly. Encryption Select which key size and encryption algorithm to use in the IKE SA.
• Page 316 Table 96 VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL Secure Gateway Address Authentication Method Pre-Shared Certificate Local ID Type Content DESCRIPTION Type the IP address or the domain name of the remote IPSec router. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic IP address.
• Page 317 Table 96 VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION Peer ID Type Select which type of identification is used to identify the remote IPSec router during authentication. Choices are: IP - the remote IPSec router is identified by an IP address; DNS - the remote IPSec router is identified by a domain name; E-mail - the remote IPSec router is identified by an e-mail address; Any - the ZyWALL does not check the identity of the remote IPSec router...
  • Page 318: Vpn Concentrator

Table 96 VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL Apply Cancel 20.5 VPN Concentrator A VPN concentrator combines several VPN connections into one secure network. on page 318 shows an example of this, as well as one alternative approach. Figure 207 VPN Topologies The VPN concentrator is used in the second approach.
  • Page 319: Vpn Concentrator Summary

    20.5.1 VPN Concentrator Summary You use the VPN Concentrator summary screen to look at the VPN concentrators you have set up. The VPN Concentrator summary screen displays the VPN concentrators in the ZyWALL. To access this screen, click VPN > IPSec VPN > Concentrator. The following screen appears.
  • Page 320: Sa Monitor Screen

Each field is described in the following table. Table 98 VPN > IPSec VPN > Concentrator > Edit LABEL Name Member Add icon Cancel 20.6 SA Monitor Screen You can use the SA Monitor screen to display and to manage active IPSec SAs. To access this screen, click VPN >...
  • Page 321: Figure 211 Vpn > Ipsec Vpn > Sa Monitor

Figure 211 VPN > IPSec VPN > SA Monitor Each field is described in the following table. Table 99 VPN > IPSec VPN > SA Monitor LABEL DESCRIPTION Name Enter the name of an IPSec SA here and click Search to find it (if it is associated). You can use a keyword or regular expression.
  • Page 322: Regular Expressions In Searching Ipsec Sas By Name Or Policy

20.6.1 Regular Expressions in Searching IPSec SAs by Name or Policy A question mark (?) lets a single character in the VPN connection or policy name vary. For example, use “a?c” (without the quotation marks) to specify abc, acc and so on. Wildcards (*) let multiple VPN connection or policy names match the pattern.
  • Page 323: Ssl Vpn

CHAPTER 21 SSL VPN This chapter shows you how to set up secure SSL VPN access for remote user login. See Section 5.4.5 on page 116 21.1 SSL Access Policy An SSL access policy allows the ZyWALL to perform the following tasks: •...
  • Page 324: Ssl Access Policy Limitations

    Chapter 21 SSL VPN Table 100 Objects (continued) OBJECT OBJECT TYPE SCREEN Server Address Addresses VPN Network Address 21.1.2 SSL Access Policy Limitations You cannot delete an object that is used by an SSL access policy. To delete the object, you must first unassociate the object from the SSL access policy.
  • Page 325: Creating/Editing An Ssl Access Policy

    21.3 Creating/Editing an SSL Access Policy To create a new or edit an existing SSL access policy, click the Add or Edit icon in the Access Privilege screen. Figure 213 VPN > SSL VPN > Access Privilege > Add/Edit The following table describes the labels in this screen. Table 102 VPN >...
  • Page 326: Ssl Connection Monitor

Table 102 VPN > SSL VPN > Access Privilege > Add/Edit (continued) LABEL User/Group SSL Application List Network Extension Enable Network Extension Assign IP Pool DNS/WINS Server 1..2 Network List Cancel 21.4 SSL Connection Monitor The ZyWALL keeps track of the users who are currently logged into the VPN SSL client portal.
  • Page 327: Configuring Ssl Global Setting

    • log out a user and delete related session information. Once a user logs out, the corresponding entry is removed from the Connection Monitor screen. Figure 214 VPN > SSL VPN > Connection Monitor The following table describes the labels in this screen. Table 103 VPN >...
  • Page 328: Figure 215 Vpn > Ssl Vpn > Global Setting

Figure 215 VPN > SSL VPN > Global Setting The following table describes the labels in this screen. Table 104 VPN > SSL VPN > Global Setting LABEL Global Setting Network Extension IP Address Message Login Message Logout Message Update Client Virtual Desktop...
  • Page 329: Uploading A Custom Logo

    21.5.1 Uploading a Custom Logo Follow the steps below to upload a custom logo on the ZyWALL. 1 Click VPN > SSL VPN and click the Global Setting tab to display the configuration screen. 2 Click Browse to locate the logo graphic. Make sure the file is in GIF format. 3 Click Apply to start the file transfer process.
  • Page 330: Figure 217 Ssl Vpn Client Portal Screen Example

Figure 217 SSL VPN Client Portal Screen Example If the user account is not set up for SSL VPN access, an “SSL VPN connection is not activated” message displays in the Login screen. Clear the Login to SSL VPN check box and try logging in again.
  • Page 331: Ssl User Screens

CHAPTER 22 SSL User Screens This chapter introduces secure network access and gives an overview of the remote user screens on the ZyWALL. 22.1 Overview The ZyWALL provides secure connections to network resources such as applications, files, intranet sites or e-mail through a web-based interface and using Microsoft Outlook Web Access (OWA).
  • Page 332: Information You Need

    Chapter 22 SSL User Screens • Internet Explorer 5.5 and above (for IE7, JRE 1.6 must be enabled) • Netscape 7.2 and above • Firefox 1.0 and above • Mozilla 1.7.3 and above • Sun Java Virtual Machine (JVM) installed with a minimum version of 1.4. •...
  • Page 333: Figure 220 Login Security Screen

    Figure 220 Login Security Screen 3 A login screen displays. Enter the user name and password of your login account. If a token password is also required, enter it in the One-Time Password field. 4 Select Log into SSL VPN and click Login to log in and establish an SSL VPN connection to the network to access network resources.
  • Page 334: Ssl Vpn User Screens

Available resource links vary depending on the configuration your network administrator made. 22.3 SSL VPN User Screens This section describes the main elements in the remote user screens. Figure 223 Remote User Screen The following table describes the various parts of a remote user screen. Table 105 Remote User Screen Overview DESCRIPTION Click on a menu tab to go to the Application or File Sharing screen.
  • Page 335: Bookmark

    22.4 Bookmark You can create a bookmark of the ZyWALL by clicking the Add to Favorite icon. This allows you to access the ZyWALL using the bookmark without having to enter the address every time. 1 In any remote user screen, click the Add to Favorite icon. 2 A screen displays.
  • Page 337: Ssl User Application Screens

CHAPTER 23 SSL User Application Screens This chapter describes the Application screens you use to access an application on the network through the SSL VPN connection. 23.1 Overview Depending on the configuration of your network administrator, you can use the Application screen to access web-based applications (such as web sites and e-mail).
  • Page 339: Ssl User File Sharing Screens

CHAPTER 24 SSL User File Sharing Screens This chapter describes the File Sharing screen you use to access files on a file server through the SSL VPN connection. 24.1 Overview Use the File Sharing screen to display and access shared files/folders on a file server. You can also perform the following actions: •...
  • Page 340: Opening A File Or Folder

    Chapter 24 SSL User File Sharing Screens Figure 228 File Sharing 24.3 Opening a File or Folder You can open a file if the file extension is recognized by the web browser and the associated application is installed on your computer. 1 Log in as a remote user and click the File Sharing tab.
  • Page 341: Downloading A File

    4 A list of files/folders displays. Click on a file to open it in a separate browser window. You can also click a folder to access it. For this example, click on a .doc file to open the Word document. Figure 230 File Sharing: Open a Word File 24.3.1 Downloading a File You are prompted to download a file which cannot be opened using a web browser.
  • Page 342: Creating A New Folder

Figure 231 File Sharing: Save a Word File 24.4 Creating a New Folder To create a new folder in the file share location, click the New Folder icon. Specify a descriptive name for the folder. You can enter up to 356 characters. Then click Add. Make sure the length of the folder name does not exceed the maximum allowed on the file server.
  • Page 343: Deleting A File Or Folder

    Figure 233 File Sharing: Rename A popup window displays. Specify the new name and/or file extension in the field provided. You can enter up to 356 characters. Then click Apply. Make sure the length of the name does not exceed the maximum allowed on the file server.
  • Page 344: Uploading A File

24.7 Uploading a File Follow the steps below to upload a file to the file server. 1 Log into the remote user screen and click the File Sharing tab. 2 Specify the location and/or name of the file you want to upload. Or click Browse to locate it.
  • Page 345: L2Tp Vpn

CHAPTER 25 L2TP VPN This chapter explains how to set up and maintain L2TP VPNs in the ZyWALL. See Section 5.4.6 on page 116 for related information on these screens. 25.1 L2TP VPN Overview L2TP VPN lets remote users use the L2TP and IPSec client software included with their computers’...
  • Page 346: Using The Default L2Tp Vpn Connection

    Chapter 25 L2TP VPN • Use transport mode. • Not be a manual key VPN connection. • Use Pre-Shared Key authentication. • Use a VPN gateway with the Secure Gateway set to 0.0.0.0 if you need to allow L2TP VPN clients to connect from more than one IP address. 25.2.1 Using the Default L2TP VPN Connection Default_L2TP_VPN_Connection is pre-configured to be convenient to use for L2TP VPN.
  • Page 347: L2Tp Vpn Configuration

    25.4 L2TP VPN Configuration Click VPN > L2TP VPN to open the following screen. Use this screen to configure the ZyWALL’s L2TP VPN settings. Disconnect any existing L2TP VPN sessions before modifying L2TP VPN settings. The remote users must make any needed matching configuration changes and re-establish the sessions using the new settings.
  • Page 348: L2Tp Vpn Session Monitor

Table 106 VPN > IPSec VPN > VPN Connection (continued) LABEL Allowed User Keep Alive Timer First DNS Server Second DNS Server First WINS Server, Second WINS Server Apply Reset 25.5 L2TP VPN Session Monitor Click VPN > L2TP VPN > Session Monitor to open the following screen. Use this screen to display and manage the ZyWALL’s connected L2TP VPN sessions.
• Page 349 Table 107 VPN > L2TP VPN > Session Monitor (continued) LABEL DESCRIPTION Disconnect Click the Disconnect icon next to an L2TP VPN connection to disconnect it. Refresh Click Refresh to update the information in the display.
  • Page 351: L2Tp Vpn Example

CHAPTER 26 L2TP VPN Example This chapter shows how to create a basic L2TP VPN tunnel. 26.1 L2TP VPN Example This chapter uses the following settings in creating a basic L2TP VPN tunnel. Figure 241 L2TP VPN Example LAN_SUBNET: 192.168.1.0/24 •...
  • Page 352: Figure 242 Vpn > Ipsec Vpn > Vpn Gateway > Edit

    Chapter 26 L2TP VPN Example Figure 242 VPN > IPSec VPN > VPN Gateway > Edit • Configure the My Address setting. This example uses interface ge3 with static IP address 172.23.37.205. • Configure the Pre-Shared Key. This example uses top-secret. Click OK. 2 Click the Default_L2TP_VPN_GW entry’s Enable icon and click Apply to turn on the entry.
  • Page 353: Configuring The Default L2Tp Vpn Connection Example

    26.3 Configuring the Default L2TP VPN Connection Example 1 Click VPN > Network > IPSec VPN to open the screen that lists the VPN connections. Click the Default_L2TP_VPN_Connection’s Edit icon. Figure 244 VPN > IPSec VPN > VPN Connection > Edit 2 Enforce and configure the local and remote policies.
  • Page 354: Configuring The L2Tp Vpn Settings Example

Figure 245 VPN > IPSec VPN > VPN Connection (Enable) 26.4 Configuring the L2TP VPN Settings Example 1 Click VPN > L2TP VPN to open the following screen. Figure 246 VPN > L2TP VPN Example 2 Configure the following.
  • Page 355: Configuring L2Tp Vpn In Windows Xp And 2000

    Figure 247 Routing > Add: L2TP VPN Example 2 Configure the following. • Enable the policy route. • Set the policy route’s Source Address to the address object that you want to allow the remote users to access (LAN_SUBNET in this example). •...
  • Page 356: Configuring L2Tp In Windows Xp

26.6.1 Configuring L2TP in Windows XP In Windows XP do the following to establish an L2TP VPN connection. 1 Click Start > Control Panel > Network Connections > New Connection Wizard. 2 Click Next in the Welcome screen. 3 Select Connect to the network at my workplace and click Next.
  • Page 357: Figure 250 New Connection Wizard: Connection Name

    Figure 250 New Connection Wizard: Connection Name 6 Select Do not dial the initial connection and click Next. Figure 251 New Connection Wizard: Public Network 7 Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN (172.23.37.205 in this example).
  • Page 358: Figure 252 New Connection Wizard: Vpn Server Selection

Figure 252 New Connection Wizard: VPN Server Selection 8 Click Finish. 9 The Connect L2TP to ZyWALL screen appears. Click Properties > Security. Figure 253 Connect L2TP to ZyWALL 10 Click Security, select Advanced (custom settings) and click Settings.
  • Page 359: Figure 254 Connect L2Tp To Zywall: Security

    Figure 254 Connect L2TP to ZyWALL: Security 11 Select Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK. Figure 255 Connect ZyWALL L2TP: Security > Advanced 12 Click IPSec Settings.
  • Page 360: Figure 256 L2Tp To Zywall Properties > Security

Figure 256 L2TP to ZyWALL Properties > Security 13 Select the Use pre-shared key for authentication check box and enter the pre-shared key used in the VPN gateway configuration that the ZyWALL is using for L2TP VPN. Click OK.
  • Page 361: Configuring L2Tp In Windows 2000

Figure 259 Connect L2TP to ZyWALL 16 A window appears while the user name and password are verified. 17 A ZyWALL-L2TP icon displays in your system tray. Double-click it to open a status screen. Figure 260 ZyWALL-L2TP System Tray Icon 18 Click Details to check that the address you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20).
  • Page 362: Figure 262 Starting The Registry Editor

1 Click Start > Run. Type regedit and click OK. Figure 262 Starting the Registry Editor 2 Click Registry > Export Registry File and save a backup copy of your registry. You can go back to using this backup if you misconfigure the registry settings. 3 Select HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters.
  • Page 363: Figure 265 Prohibitipsec Dword Value

    Figure 265 ProhibitIpSec DWORD Value 6 Restart the computer and continue with the next section. 26.6.2.2 Configure the Windows 2000 IPSec Policy After you have created the registry entry and restarted the computer, use these directions to configure an IPSec policy for the computer to use. 1 Click Start >...
  • Page 364: Figure 268 Add > Ip Security Policy Management > Finish

Figure 268 Add > IP Security Policy Management > Finish 4 Right-click IP Security Policies on Local Machine and click Create IP Security Policy. Click Next in the welcome screen. Figure 269 Create IP Security Policy 5 Name the IP security policy L2TP to ZyWALL, and click Next.
  • Page 365: Figure 270 Ip Security Policy: Name

Figure 270 IP Security Policy: Name 6 Clear the Activate the default response rule check box and click Next. Figure 271 IP Security Policy: Request for Secure Communication 7 Leave the Edit Properties check box selected and click Finish. Figure 272 IP Security Policy: Completing the IP Security Policy Wizard
  • Page 366: Figure 273 Ip Security Policy Properties > Add

8 In the properties dialog box, click Add > Next. Figure 273 IP Security Policy Properties > Add 9 Select This rule does not specify a tunnel and click Next. Figure 274 IP Security Policy Properties: Tunnel Endpoint 10 Select All network connections and click Next.
  • Page 367: Figure 275 Ip Security Policy Properties: Network Type

Figure 275 IP Security Policy Properties: Network Type 11 Select Use this string to protect the key exchange (preshared key), type password in the text box, and click Next. Figure 276 IP Security Policy Properties: Authentication Method 12 Click Add.
  • Page 368: Figure 277 Ip Security Policy Properties: Ip Filter List

Figure 277 IP Security Policy Properties: IP Filter List 13 Type ZyWALL WAN_IP in the Name field. Clear the Use Add Wizard check box and click Add. Figure 278 IP Security Policy Properties: IP Filter List > Add 14 Configure the following in the Addressing tab.
  • Page 369: Figure 279 Filter Properties: Addressing

    Figure 279 Filter Properties: Addressing 15 Configure the following in the Filter Properties window’s Protocol tab. Set the protocol type to UDP from port 1701. Select To any port. Click Apply, OK, and then Close. Figure 280 Filter Properties: Protocol 16 Select ZyWALL WAN_IP and click Next.
  • Page 370: Figure 281 Ip Security Policy Properties: Ip Filter List

Figure 281 IP Security Policy Properties: IP Filter List 17 Select Require Security and click Next. Then click Finish and Close. Figure 282 IP Security Policy Properties: IP Filter List 18 In the Console window, right-click L2TP to ZyWALL and select Assign. Figure 283 Console: L2TP to ZyWALL Assign
  • Page 371: Figure 284 Start New Connection Wizard

    26.6.2.3 Configure the Windows 2000 Network Connection After you have configured the IPSec policy, use these directions to create a network connection. 1 Click Start > Settings > Network and Dial-up connections > Make New Connection. In the wizard welcome screen, click Next. Figure 284 Start New Connection Wizard 2 Select Connect to a private network through the Internet and click Next.
  • Page 372: Figure 286 New Connection Wizard: Destination Address

Figure 286 New Connection Wizard: Destination Address 4 Select For all users and click Next. Figure 287 New Connection Wizard: Connection Availability 5 Name the connection L2TP to ZyWALL and click Finish. Figure 288 New Connection Wizard: Naming the Connection
  • Page 373: Figure 289 Connect L2Tp To Zywall

    6 Click Properties. Figure 289 Connect L2TP to ZyWALL 7 Click Security and select Advanced (custom settings) and click Settings. Figure 290 Connect L2TP to ZyWALL: Security 8 Select Optional encryption allowed (connect even if no encryption) and the Allow these protocols radio button.
  • Page 374: Figure 291 Connect L2Tp To Zywall: Security > Advanced

Figure 291 Connect L2TP to ZyWALL: Security > Advanced 9 Click Networking and select Layer 2 Tunneling Protocol (L2TP) from the drop-down list box. Click OK. Figure 292 Connect L2TP to ZyWALL: Networking 10 Enter your user name and password and click Connect. It may take up to one minute to establish the connection and register on the network.
  • Page 375: Figure 293 Connect L2Tp To Zywall

    Figure 293 Connect L2TP to ZyWALL 11 A ZyWALL-L2TP icon displays in your system tray. Double-click it to open a status screen. Figure 294 ZyWALL-L2TP System Tray Icon 12 Click Details and scroll down to see the address that you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20).
  • Page 377: Application Patrol & Anti-X

    Application Patrol & Anti-X Application Patrol (379) Anti-Virus (403) IDP (417) ADP (445) Content Filter Screens (463) Content Filter Reports (483)
  • Page 379: Application Patrol

Chapter 27 Application Patrol This chapter describes how to use application patrol for the ZyWALL. It provides an overview first and then introduces the screens. See these screens. 27.1 Application Patrol Overview Application patrol provides a convenient way to manage the use of various applications on the network.
  • Page 380: Configurable Application Policies

The ZyWALL allows the first eight packets to go through the firewall, regardless of the application patrol policy for the application. The ZyWALL examines these first eight packets to identify the application. The second approach is called service ports. In this approach, the ZyWALL only uses OSI level-3 information, such as IP address and port, to identify what application is using the connection.
  • Page 381: Connection And Packet Directions

    27.4.1 Connection and Packet Directions Application patrol looks at the connection direction, that is from which zone the connection was initiated and to which zone the connection is going. A connection has outbound and inbound packet flows. The ZyWALL controls the bandwidth of traffic of each flow as it is going out through an interface or VPN tunnel.
  • Page 382: Bandwidth Management Priority

Figure 297 LAN to WAN, Outbound 200 kbps, Inbound 500 kbps 27.4.3 Bandwidth Management Priority The ZyWALL gives bandwidth to higher-priority traffic first, until it reaches its configured bandwidth rate. Then lower-priority traffic gets bandwidth. The ZyWALL uses a fairness-based (round-robin) scheduler to divide bandwidth among traffic flows with the same priority.
  • Page 383: Figure 298 Bandwidth Management Behavior

Figure 298 Bandwidth Management Behavior 27.4.5.1 Configured Rate Effect In the following table, the configured rates total less than the available bandwidth and maximize bandwidth usage is disabled, so both servers get their configured rate. Table 108 Configured Rate Effect POLICY CONFIGURED RATE MAX.
  • Page 384: Application Patrol Bandwidth Management Examples

27.4.5.4 Priority and Over-Allotment of Bandwidth Effect Server A has a configured rate that equals the total amount of available bandwidth and a higher priority. You should regard extreme over-allotment of traffic with different priorities (as shown here) as a configuration error.
  • Page 385: Setting The Interface's Bandwidth

    Figure 299 Application Patrol Bandwidth Management Example SIP: Any to WAN Outbound: 200 Kbps Inbound: 200 Kbps Priority: 1 Max. B. U. HTTP: Any to WAN Outbound: 100 Kbps Inbound: 500 Kbps Priority: 2 Max. B. U. FTP: WAN to DMZ Outbound: 100 Kbps Inbound: 300 Kbps Priority: 3...
  • Page 386: Sip Wan To Any Bandwidth Management Example

Figure 300 SIP Any to WAN Bandwidth Management Example 27.5.3 SIP WAN to Any Bandwidth Management Example You also create a policy for calls coming in from the SIP server on the WAN. It is the same as the SIP Any to WAN policy, but with the directions reversed (WAN to Any instead of Any to WAN).
  • Page 387: Ftp Lan To Dmz Bandwidth Management Example

    • Third highest priority (3). • Disable maximize bandwidth usage since you do not want to give FTP more bandwidth. Figure 302 FTP WAN to DMZ Bandwidth Management Example 27.5.6 FTP LAN to DMZ Bandwidth Management Example • The LAN and DMZ zone interfaces are connected to Ethernet networks (not an ADSL device) so you limit both outbound and inbound traffic to 50 Mbps.
  • Page 388: Other Applications

27.6 Other Applications Sometimes, the ZyWALL cannot identify the application. For example, the application might be a new application, or the packets might arrive out of sequence. (The ZyWALL does not reorder packets when identifying the application.) In these cases, you can still provide a default rule for the ZyWALL to follow.
  • Page 389: Figure 304 Apppatrol > General

    Figure 304 AppPatrol > General The following table describes the labels in this screen. See more information as well. Table 112 AppPatrol > General LABEL DESCRIPTION Enable Select this check box to turn on application patrol. Application Patrol Enable BWM This is a global setting for enabling or disabling bandwidth management on the ZyWALL.
  • Page 390: Application Patrol Applications

Table 112 AppPatrol > General (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 27.9 Application Patrol Applications Use the application patrol Common, Instant Messenger, Peer to Peer, VoIP, or Streaming screen to manage traffic of individual applications.
  • Page 391: Application Patrol Edit

    27.9.1 Application Patrol Edit Use this screen to edit the settings for an application. To access this screen, go to the application patrol Common, Instant Messenger, Peer to Peer, VoIP, or Streaming screen and click an application’s Edit icon. The screen displayed here is for the MSN instant messenger service.
  • Page 392 Table 114 Application Edit (continued) LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific condition. Note: The ZyWALL checks conditions in the order they appear in Port This field displays the specific port number to which this policy applies. Schedule This is the schedule that defines when the policy applies.
  • Page 393: Application Patrol Policy Edit

    Table 114 Application Edit (continued) LABEL DESCRIPTION Add icon Click the Add icon in the heading row to add a new first entry. The Active icon displays whether the entry is enabled or not. Click the Active icon to activate or deactivate the entry. Make sure you click Apply to save and apply the change.
  • Page 394 Table 115 Application Policy Edit (continued) LABEL DESCRIPTION Schedule Select a schedule that defines when the policy applies or select Create Object to configure a new one (see none to make the policy always effective. User Select a user name or user group to which to apply the policy.
  • Page 395: Other Protocol Screen

Table 115 Application Policy Edit (continued) LABEL DESCRIPTION Outbound kbps Type how much outbound bandwidth, in kilobits per second, this policy allows the application to use. Outbound refers to the traffic the ZyWALL sends out from a connection’s initiator. If you enter 0 here, this policy does not apply bandwidth management for the application’s traffic that the ZyWALL sends out from the initiator.
  • Page 396: Table 116 Apppatrol > Other

The following table describes the labels in this screen. See more information as well. Table 116 AppPatrol > Other LABEL DESCRIPTION Policy This table lists the policies configured for traffic which does not match an application. This field is a sequential value, and it is not associated with a specific condition.
  • Page 397: Other Configuration Add/Edit

    Table 116 AppPatrol > Other (continued) LABEL DESCRIPTION Add icon Click the Add icon in the heading row to add a new first entry. The Active icon displays whether the entry is enabled or not. Click the Active icon to activate or deactivate the entry. Make sure you click Apply to save and apply the change.
  • Page 398 Table 117 AppPatrol > Other > Edit (continued) LABEL DESCRIPTION Schedule Select a schedule that defines when the policy applies or select Create Object to configure a new one (see any to make the policy always effective. User Select a user name or user group to which to apply the policy.
  • Page 399: Application Patrol Statistics

    Table 117 AppPatrol > Other > Edit (continued) LABEL DESCRIPTION Priority Enter a number between 1 and 7 to set the priority for traffic that matches this policy. The smaller the number, the higher the priority. Traffic with a higher priority is given bandwidth before traffic with a lower priority. The ZyWALL uses a fairness-based (round-robin) scheduler to divide bandwidth between traffic flows with the same priority.
  • Page 400: Application Patrol Statistics: Bandwidth Statistics

The following table describes the labels in this screen. Table 118 AppPatrol > Statistics: General Setup LABEL DESCRIPTION Refresh Interval Select how often you want the statistics display to update. Display Select the protocols for which to display statistics. Protocols Select All selects all of the protocols.
  • Page 401: Figure 312 Apppatrol > Statistics: Protocol Statistics

    Figure 312 AppPatrol > Statistics: Protocol Statistics The following table describes the labels in this screen. Table 119 AppPatrol > Statistics: Protocol Statistics LABEL DESCRIPTION Service This is the protocol. Click the expand icon (+) to display the statistics for each of a protocol’s rules.
  • Page 402 Table 119 AppPatrol > Statistics: Protocol Statistics (continued) LABEL DESCRIPTION Forwarded Data (KB) This is how much of the application’s traffic the ZyWALL has sent (in kilobytes). Dropped Data (KB) This is how much of the application’s traffic the ZyWALL has discarded without notifying the client (in kilobytes).
  • Page 403: Anti-Virus

Chapter 28 Anti-Virus This chapter introduces and shows you how to configure the anti-virus scanner. See 5.4.14 on page 120 for related information on these screens. 28.1 Anti-Virus Overview A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs.
  • Page 404: Types Of Anti-Virus Scanner

4 Once the virus is spread through the network, the number of infected networked computers can grow exponentially. 28.1.3 Types of Anti-Virus Scanner This section describes two types of anti-virus scanner: host-based and network-based. A host-based anti-virus (HAV) scanner is often software installed on computers and/or servers in the network.
  • Page 405: Notes About The Zywall Anti-Virus

    Figure 313 ZyWALL Anti-virus Example The following describes the virus scanning process on the ZyWALL. 1 The ZyWALL first identifies SMTP, POP3, IMAP4, HTTP and FTP packets through standard ports. 2 If the packets are not session connection setup packets (such as SYN, ACK and FIN), the ZyWALL records the sequence of the packets.
  • Page 406: Anti-Virus Summary

• Encrypted traffic. This could be password-protected files or VPN traffic where the ZyWALL is not the endpoint (pass-through VPN traffic). • Traffic through custom (non-standard) ports. The only exception is FTP traffic. The ZyWALL scans whatever port number is specified for FTP in the ALG screen. •...
  • Page 407: Table 121 Anti-X > Anti-Virus > General

The following table describes the labels in this screen. Table 121 Anti-X > Anti-Virus > General LABEL DESCRIPTION Enable Anti-Virus and Anti-Spyware Select this check box to check traffic for viruses and spyware. The following table lists rules that define which traffic the ZyWALL scans and the action it takes upon finding a virus.
  • Page 408: Anti-Virus Policy Edit

Table 121 Anti-X > Anti-Virus > General (continued) LABEL Released Date This field displays the date and time the set was released. Update Signatures Apply Reset 28.3.1 Anti-Virus Policy Edit Click the Add or Edit icon in the Anti-X > Anti-Virus > General screen to display the configuration screen as shown next.
  • Page 409 Table 122 Anti-X > Anti-Virus > General > Edit (continued) LABEL DESCRIPTION Protocols to Scan Select which protocols of traffic to scan for viruses. FTP applies to traffic using the TCP port number specified for FTP in the ALG screen. HTTP applies to traffic using TCP ports 80, 8080 and 3128.
  • Page 410: Anti-Virus Setting

Table 122 Anti-X > Anti-Virus > General > Edit (continued) LABEL Destroy compressed files that could not be decompressed Cancel 28.4 Anti-Virus Setting Click Anti-X > Anti-Virus > Setting screen to display the configuration screen as shown next.
  • Page 411: Table 123 Anti-X > Anti-Virus > Setting

    The following table describes the labels in this screen. Table 123 Anti-X > Anti-Virus > Setting LABEL DESCRIPTION Scan EICAR Select this option to have the ZyWALL check for the EICAR test file and treat it in the same way as a real virus file. The EICAR test file is a standardized test file for signature based anti-virus scanners.
  • Page 412: Anti-Virus White List Add/Edit

Table 123 Anti-X > Anti-Virus > Setting (continued) LABEL Apply Reset 28.5 Anti-Virus White List Add/Edit From the Anti-X > Anti-Virus > Setting screen, click a white list Add icon or Edit icon to display the following screen. Use this screen to create an anti-virus white list entry for a file pattern that should cause the ZyWALL to not scan a file for viruses.
  • Page 413: Anti-Virus Black List Add/Edit

    28.6 Anti-Virus Black List Add/Edit From the Anti-X > Anti-Virus > Setting screen, click a black list Add icon or Edit icon to display the following screen. Use this screen to create an anti-virus black list entry for a file pattern that should cause the ZyWALL to log and delete a file.
  • Page 414: Figure 319 Anti-X > Anti-Virus > Signature: Search By Severity

Figure 319 Anti-X > Anti-Virus > Signature: Search by Severity The following table describes the labels in this screen. Table 126 Anti-X > Anti-Virus > Signature LABEL DESCRIPTION Signatures Select the criteria on which to perform the search. Search Select By Name from the drop down list box and type the name or part of the name of the signature(s) you want to find.
  • Page 415 Table 126 Anti-X > Anti-Virus > Signature (continued) LABEL DESCRIPTION Severity This is the severity level of the anti-virus signature. Click the severity column header to sort your search results by ascending or descending severity. Category This column displays whether the signature is for identifying a virus or spyware. Click the column heading to sort your search results by category.
  • Page 417: Idp

Chapter 29 IDP This chapter introduces IDP (Intrusion Detection and Prevention), IDP profiles, binding an IDP profile to a traffic direction, custom signatures and updating signatures. See 5.4.15 on page 120 for related information on these screens. 29.1 Introduction to IDP An IDP system can detect malicious or suspicious packets and respond instantaneously.
  • Page 418: Signatures

29.1.4 Signatures If a packet matches a signature, the action specified by the signature is taken. You can change the default signature actions in the profile screens. 29.2 Traffic Directions and Profiles A zone is a combination of ZyWALL interfaces and VPN connections for security. See the zone chapter for details on zones and the interfaces chapter for details on interfaces.
  • Page 419: Figure 320 Anti-X > Idp > General

Figure 320 Anti-X > IDP > General The following table describes the labels in this screen. Table 127 Anti-X > IDP > General LABEL General Setup Enable Signature Detection Bindings Priority From, To IDP Profile DESCRIPTION You must register for IDP service in order to use packet inspection signatures.
  • Page 420: Configuring Idp Bindings

Table 127 Anti-X > IDP > General (continued) LABEL (Icons) Registration Registration Status Registration Type Apply new Registration Signature Information The following fields display information on the current signature set that the Current Version Signature Number Released Date Update Signatures Apply...
  • Page 421: Introducing Idp Profiles

Figure 321 Anti-X > IDP > General > Add The following table describes the labels in this screen. Table 128 Anti-X > IDP > General > Add LABEL Enable From IDP Profile Cancel 29.5 Introducing IDP Profiles An IDP profile is a set of packet inspection signatures. Packet inspection signatures examine packet content for malicious data.
  • Page 422: Profile Summary Screen

Figure 322 Base Profiles The following table describes this screen. Table 129 Base Profiles BASE PROFILE none Cancel 29.6 Profile Summary Screen Select Anti-X > IDP > Profile. Use this screen to: • Add a new profile •...
  • Page 423: Creating New Profiles

    Figure 323 Anti-X > IDP > Profile The following table describes the fields in this screen. Table 130 Anti-X > IDP > Profile LABEL DESCRIPTION Name This is the name of the profile you created. Base Profile This is the base profile from which the profile was created. (Icons) Click the Add icon in the column header to create a new profile.
  • Page 424: Profiles: Packet Inspection

If Internet Explorer opens a warning screen about a script making Internet Explorer run slowly and the computer possibly becoming unresponsive, just click No to continue. 3 Type a new profile name. 4 Enable or disable individual signatures. 5 Edit the default log options and actions.
  • Page 425: Figure 324 Anti-X > Idp > Profile > Edit : Group View

Figure 324 Anti-X > IDP > Profile > Edit: Group View
  • Page 426: Table 131 Anti-X > Idp > Profile > Group View

The following table describes the fields in this screen. Table 131 Anti-X > IDP > Profile > Group View LABEL DESCRIPTION Name This is the name of the profile. You may use 1-31 alphanumeric characters, underscores( is case-sensitive. These are valid, unique profile names: MyProfile mYProfile Mymy12_3-4...
  • Page 427: Policy Types

    Table 131 Anti-X > IDP > Profile > Group View (continued) LABEL DESCRIPTION Action Select what action the ZyWALL should take when a packet matches a signature here. original setting: Select this action to return each signature in a service group to its previously saved configuration.
  • Page 428: Idp Service Groups

Table 132 Policy Types (continued) POLICY TYPE DoS/DDoS Scan Buffer Overflow Virus/Worm Backdoor/Trojan Access Control Web Attack 29.8.3 IDP Service Groups An IDP service group is a set of related packet inspection signatures. Table 133 IDP Service Groups WEB_PHP WEB_CGI ORACLE...
  • Page 429: Profile > Query View Screen

Table 133 IDP Service Groups (continued) IMAP FINGER The following figure shows the WEB_PHP service group that contains signatures related to attacks on web servers using PHP exploits. PHP (PHP: Hypertext Preprocessor) is a server-side HTML embedded scripting language that allows web developers to build dynamic websites.
  • Page 430: Figure 326 Anti-X > Idp > Profile: Query View

Figure 326 Anti-X > IDP > Profile: Query View The following table describes the fields in this screen. Table 134 Anti-X > IDP > Profile: Query View LABEL DESCRIPTION Name This is the name of the profile that you created in the IDP > Profiles > Group View screen.
  • Page 431: Query Example

    Table 134 Anti-X > IDP > Profile: Query View (continued) LABEL DESCRIPTION Search Click this button to begin the search. The results display at the bottom of the screen. Results may be spread over several pages depending on how broad the search criteria selected were.
  • Page 432: Introducing Idp Custom Signatures

Figure 328 Query Example Search Results 29.9 Introducing IDP Custom Signatures Create custom signatures for new attacks or attacks peculiar to your network. Custom signatures can also be saved to/from your computer so as to share with others. You need some knowledge of packet headers and attack types to create your own custom signatures.
  • Page 433: Figure 329 Ip V4 Packet Headers

Figure 329 IP v4 Packet Headers The header fields are discussed below: Table 135 IP v4 Packet Headers HEADER Version Type of Service Total Length Identification Flags Fragment Offset Time To Live Protocol Header Checksum Source IP Address Destination IP Address DESCRIPTION The value 4 indicates IP version 4.
  • Page 434: Configuring Custom Signatures

Table 135 IP v4 Packet Headers (continued) HEADER Options Padding 29.10 Configuring Custom Signatures Select Anti-X > IDP > Custom Signatures. The first screen shows a summary of all custom signatures created. Click the SID or Name heading to sort. Click the Add icon to create a new signature or click the Edit icon to edit an existing signature.
  • Page 435: Creating Or Editing A Custom Signature

    The following table describes the fields in this screen. Table 136 Anti-X > IDP > Custom Signatures LABEL DESCRIPTION Creating Use this part of the screen to create, edit, delete or export (save to your computer) custom signatures. SID is the signature ID that uniquely identifies a signature. Click the SID header to sort signatures in ascending or descending order.
  • Page 436: Figure 331 Anti-X > Idp > Custom Signatures > Add/Edit

Figure 331 Anti-X > IDP > Custom Signatures > Add/Edit
  • Page 437: Table 137 Anti-X > Idp > Custom Signatures > Add/Edit

The following table describes the fields in this screen. Table 137 Anti-X > IDP > Custom Signatures > Add/Edit LABEL DESCRIPTION Name Type the name of your custom signature. You may use 1-31 alphanumeric characters, underscores( number. This value is case-sensitive. Duplicate names can exist, but it is advisable to use unique signature names that give some hint as to the intent of the signature and the type of attack it is supposed to prevent.
  • Page 438 Table 137 Anti-X > IDP > Custom Signatures > Add/Edit (continued) LABEL IP Options Same IP Transport Protocol Transport Protocol: TCP Port Flow Flags Sequence Number Ack Number Window Size Transport Protocol: UDP Port Transport Protocol: ICMP Type Code Sequence...
  • Page 439: Custom Signature Example

Table 137 Anti-X > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION Payload Size This field may be used to check for abnormally sized packets or for detecting buffer overflows. Select the check box, then select Equal, Smaller or Greater and then type the payload size.
  • Page 440: Figure 332 Custom Signature Example Pattern 1

29.10.2.2 Analyze Packets Then use a packet sniffer such as TCPdump or Ethereal to investigate some more. From the NetBIOS header you see that the first byte ‘00’ defines the message type. The next three bytes represent the length of the data, so you can ignore them. Therefore enter |00| as the first pattern.
  • Page 441: Figure 335 Example Custom Signature

Figure 335 Example Custom Signature
  • Page 442: Applying Custom Signatures

29.10.3 Applying Custom Signatures After you create your custom signature, it becomes available in the IDP service group category in the IDP > Profile > Packet Inspection screen. Custom signatures have an SID from 9000000 to 9999999. You can activate the signature, configure what action to take when a packet matches it and if it should generate a log or alert in a profile.
  • Page 443: Snort Signatures

    Figure 337 Custom Signature Log 29.10.5 Snort Signatures You may want to refer to open source Snort signatures when creating custom ZyWALL ones. Most Snort rules are written in a single line. Snort rules are divided into two logical sections, the rule header and the rule options as shown in the following example: alert tcp any any ->...
  • Page 444 Table 138 ZyWALL - Snort Equivalent Terms (continued) ZYWALL TERM Flow Flags Sequence Number Ack Number Window Size Transport Protocol: UDP Port Transport Protocol: ICMP Type Code Sequence Number Payload Options Payload Size Offset (relative to start of payload) Relative to end of last match Content Case-insensitive...
  • Page 445: Adp

Chapter 30 ADP This chapter introduces ADP (Anomaly Detection and Prevention), anomaly profiles and binding an ADP profile to a traffic direction. See information on these screens. 30.1 Introduction to ADP An ADP system can detect malicious or suspicious packets and respond instantaneously. It can detect: •...
  • Page 446: Adp On The Zywall

30.1.3 ADP on the ZyWALL ADP on the ZyWALL protects against network-based intrusions. See Section 30.9 on page 456 protect against. You can also create your own custom ADP rules. 30.2 Traffic Directions and Profiles A zone is a combination of ZyWALL interfaces and VPN connections for security. See the zone chapter for details on zones and the interfaces chapter for details on interfaces.
  • Page 447: Configuring Anomaly Profile Bindings

The following table describes the labels in this screen. Table 139 Anti-X > ADP > General LABEL General Setup Enable Anomaly Detection Bindings Priority From, To Anomaly Profile (Icons) Apply Reset 30.4 Configuring Anomaly Profile Bindings Click Anti-X > ADP > General and then an Add or Edit icon to display the following screen. Use this screen to bind an anomaly profile to a traffic direction.
  • Page 448: Introducing Adp Profiles

Figure 339 Anti-X > ADP > General > Add The following table describes the labels in this screen. Table 140 Anti-X > ADP > General > Add LABEL Enable From ADP Profile Cancel 30.5 Introducing ADP Profiles An ADP profile is a set of traffic anomaly rules and protocol anomaly rules.
  • Page 449: Profile Summary Screen

    Figure 340 Base Profiles These are the default base profiles at the time of writing. Table 141 Base Profiles BASE PROFILE DESCRIPTION All traffic anomaly and protocol anomaly rules are enabled. Rules with a high or severe severity level (greater than three) generate log alerts and cause packets that trigger them to be dropped.
  • Page 450: Creating New Profiles

Table 142 Anti-X > ADP > Profile (continued) LABEL DESCRIPTION Base Profile This is the base profile from which the profile was created. (Icons) Click the Add icon in the column header to create a new profile. A pop-up screen displays requiring you to choose a base profile from which to create the new profile.
  • Page 451: Port Scanning

    30.8.1 Port Scanning An attacker scans device(s) to determine what types of network protocols or services a device supports. One of the most common port scanning tools in use today is Nmap. Many connection attempts to different ports (services) may indicate a port scan. These are some port scan types: •...
  • Page 452: Flood Detection

30.8.1.4 Filtered Port Scans A filtered port scan may indicate that there were no network errors (ICMP unreachables or TCP RSTs) or responses on closed ports have been suppressed. Active network devices, such as NAT routers, may trigger these alerts if they send out many connection attempts within a very small amount of time.
  • Page 453: Figure 343 Tcp Three-Way Handshake

    30.8.2.3 TCP SYN Flood Attack Usually a client starts a session by sending a SYN (synchronize) packet to a server. The receiver returns an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established. Figure 343 TCP Three-Way Handshake A SYN flood attack is when an attacker sends a series of SYN packets.
  • Page 454 30.8.2.5 UDP Flood Attack UDP is a connection-less protocol and it does not require any connection setup procedure to transfer data. A UDP flood attack is possible when an attacker sends a UDP packet to a random port on the victim system. When the victim system receives a UDP packet, it will determine what application is waiting on the destination port.
  • Page 455: Profile > Traffic Anomaly Screen

30.8.3 Profile > Traffic Anomaly Screen Figure 345 Profiles: Traffic Anomaly
  • Page 456: Profiles: Protocol Anomaly

The following table describes the fields in this screen. Table 143 ADP > Profile > Traffic Anomaly LABEL DESCRIPTION Name This is the name of the ADP profile. You may use 1-31 alphanumeric characters, underscores( value is case-sensitive. These are valid, unique profile names: MyProfile mYProfile Mymy12_3-4...
  • Page 457: Http Inspection And Tcp/Udp/Icmp Decoders

    Protocol anomaly detection includes HTTP Inspection, TCP Decoder, UDP Decoder and ICMP Decoder where each category reflects the packet type inspected. Protocol anomaly rules may be updated when you upload new firmware. 30.9.1 HTTP Inspection and TCP/UDP/ICMP Decoders The following table gives some information on the HTTP inspection, TCP decoder, UDP decoder and ICMP decoder ZyWALL protocol anomaly rules.
  • Page 458 Table 144 HTTP Inspection and TCP/UDP/ICMP Decoders (continued) LABEL OVERSIZE-CHUNK-ENCODING ATTACK OVERSIZE-REQUEST-URI-DIRECTORY ATTACK SELF-DIRECTORY-TRAVERSAL ATTACK U-ENCODING ATTACK UTF-8-ENCODING ATTACK WEBROOT-DIRECTORY-TRAVERSAL ATTACK TCP Decoder BAD-LENGTH-OPTIONS ATTACK EXPERIMENTAL-OPTIONS ATTACK OBSOLETE-OPTIONS ATTACK OVERSIZE-OFFSET ATTACK TRUNCATED-OPTIONS ATTACK TTCP-DETECTED ATTACK UNDERSIZE-LEN ATTACK UNDERSIZE-OFFSET...
  • Page 459: Protocol Anomaly Configuration

Table 144 HTTP Inspection and TCP/UDP/ICMP Decoders (continued) LABEL TRUNCATED-HEADER ATTACK UNDERSIZE-LEN ATTACK ICMP Decoder TRUNCATED-ADDRESS-HEADER ATTACK TRUNCATED-HEADER ATTACK TRUNCATED-TIMESTAMP-HEADER ATTACK 30.9.2 Protocol Anomaly Configuration In the Anti-X > ADP > Profile screen, click the Edit icon or click the Add icon and choose a base profile, then select the Protocol Anomaly tab.
  • Page 460: Figure 346 Profiles: Protocol Anomaly

Figure 346 Profiles: Protocol Anomaly
  • Page 461: Table 145 Adp > Profile > Protocol Anomaly

    The following table describes the fields in this screen. Table 145 ADP > Profile > Protocol Anomaly LABEL DESCRIPTION Name This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names: MyProfile mYProfile Mymy12_3-4...
  • Page 463: Content Filter Screens

    Content Filter Screens This chapter covers how to use the content filter feature to control web access. See 5.4.17 on page 120 for related information on these screens. 31.1 Content Filter Overview Content filter allows you to block certain web features, such as cookies, and/or block access to specific web sites.
  • Page 464: Content Filter Configuration Guidelines

    Chapter 31 Content Filter Screens 31.1.3 Content Filter Configuration Guidelines You must configure an address object, a schedule object and a filtering profile before you can set up a content filter policy. When the ZyWALL receives an HTTP request, the content filter searches for a policy that matches the source address and time (schedule).
  • Page 465 Table 146 Anti-X > Content Filter > General (continued) LABEL Block web access when no policy is applied Address Schedule User Filter Profile Denied Access Message Redirect URL DESCRIPTION Select this check box to stop users from accessing the Internet by default when their attempted access does not match a content filter policy.
  • Page 466: Content Filter Policy Screen

    Chapter 31 Content Filter Screens Table 146 Anti-X > Content Filter > General (continued) LABEL Registration Status Registration Type Apply new Registration Apply Reset 31.3 Content Filter Policy Screen Click Anti-X > Content Filter > General > Add or Edit to open the Content Filter Policy screen.
  • Page 467: Content Filter Profile Screen

    The following table describes the labels in this screen. Table 147 Anti-X > Content Filter > General > Add LABEL Schedule Address Filter Profile User/Group Cancel 31.4 Content Filter Profile Screen Click Anti-X > Content Filter > Filter Profile to open the Filter Profile screen. A content filter profile defines to which web services, web sites or web site categories access is to be allowed or denied.
  • Page 468: External Web Filtering Service

    Chapter 31 Content Filter Screens Table 148 Anti-X > Content Filter > Filter Profile (continued) LABEL Apply Reset 31.5 External Web Filtering Service When you register for and enable the external web filtering service, your ZyWALL accesses an external database that has millions of web sites categorized based on content. You can have the ZyWALL block, block and/or log access to web sites based on these categories.
  • Page 469: Content Filter Categories Screen

    31.6 Content Filter Categories Screen Click Anti-X > Content Filter > Filter Profile > Add or Edit to open the Categories screen. Use this screen to enable external database content filtering and select which web site categories to block and/or log. You must register for external content filtering before you can use it.
  • Page 470: Figure 351 Anti-X > Content Filter > Filter Profile > Add

    Chapter 31 Content Filter Screens Figure 351 Anti-X > Content Filter > Filter Profile > Add The following table describes the labels in this screen. Table 149 Anti-X > Content Filter > Filter Profile > Add LABEL Name Auto Web Category Setup External Web Filter Service Status DESCRIPTION...
  • Page 471 Table 149 Anti-X > Content Filter > Filter Profile > Add (continued) LABEL Enable External Web Filter Service Matched Web Pages Unrated Web Pages When Web Filter Server Is Unavailable Content Filter Service Unavailable Timeout Select Categories Select All Categories Clear All Categories Adult/Mature Content Pornography...
  • Page 472 Chapter 31 Content Filter Screens Table 149 Anti-X > Content Filter > Filter Profile > Add (continued) LABEL Intimate Apparel/Swimsuit Nudity Alcohol/Tobacco Illegal/Questionable Gambling Violence/Hate/Racism Weapons Abortion Hacking Phishing DESCRIPTION Selecting this category excludes pages that contain images or offer the sale of swimsuits or intimate apparel or other types of suggestive clothing.
  • Page 473 Table 149 Anti-X > Content Filter > Filter Profile > Add (continued) LABEL Arts/Entertainment Business/Economy Alternative Spirituality/ Occult Illegal Drugs Education Cultural/Charitable Organization Financial Services Brokerage/Trading Online Games Government/Legal Military DESCRIPTION Selecting this category excludes pages that promote and provide information about motion pictures, videos, television, music and...
  • Page 474 Chapter 31 Content Filter Screens Table 149 Anti-X > Content Filter > Filter Profile > Add (continued) LABEL Political/Activist Groups Health Computers/Internet Search Engines/Portals Spyware/Malware Sources Spyware Effects/Privacy Concerns Job Search/Careers News/Media Personals/Dating Reference DESCRIPTION Selecting this category excludes pages sponsored by or which provide information on political parties, special interest groups, or any organization that promotes change or reform in public policy, public opinion, social practice, or economic activities.
  • Page 475 Table 149 Anti-X > Content Filter > Filter Profile > Add (continued) LABEL Open Image/Media Search Chat/Instant Messaging Email Blogs/Newsgroups Religion Social Networking Online Storage Remote Access Tools Shopping Auctions Real Estate Society/Lifestyle DESCRIPTION Selecting this category excludes pages with image or video search capabilities which return graphical results (i.e.
  • Page 476 Chapter 31 Content Filter Screens Table 149 Anti-X > Content Filter > Filter Profile > Add (continued) LABEL Sexuality/Alternative Lifestyles Restaurants/Dining/Food Sports/Recreation/Hobbies Selecting this category excludes pages that promote or provide Travel Vehicles Humor/Jokes Software Downloads Pay to Surf Peer-to-Peer Streaming Media/MP3s Proxy Avoidance For Kids...
  • Page 477: Content Filter Customization Screen

    Table 149 Anti-X > Content Filter > Filter Profile > Add (continued) LABEL Test Against Local Cache Test Against Web Filter Server Cancel 31.7 Content Filter Customization Screen Click Anti-X > Content Filter > Filter Profile > Add or Edit > Customization to open the Customization screen.
  • Page 478: Figure 352 Anti-X > Content Filter > Filter Profile > Customization

    Chapter 31 Content Filter Screens Figure 352 Anti-X > Content Filter > Filter Profile > Customization The following table describes the labels in this screen. Table 150 Anti-X > Content Filter > Filter Profile > Customization LABEL Filter Profile Name Customization Setup Enable Web site customization...
  • Page 479 Table 150 Anti-X > Content Filter > Filter Profile > Customization (continued) LABEL Allow Web traffic for trusted web sites only Restricted Web Features Block ActiveX Java Cookies Web Proxy Allow Java/ActiveX/Cookies/ Web proxy to trusted web sites Trusted Web Sites Add Trusted Web Site Trusted Web Sites Delete...
  • Page 480: Keyword Blocking Url Checking

    Chapter 31 Content Filter Screens Table 150 Anti-X > Content Filter > Filter Profile > Customization (continued) LABEL Blocked URL Keywords Add Blocked URL Keyword Blocked URL Keywords Delete Cancel 31.8 Keyword Blocking URL Checking The ZyWALL checks the URL’s domain name (or IP address) and file path separately when performing keyword blocking.
  • Page 481: Figure 353 Anti-X > Content Filter > Cache

    Please see Section 32.2 on page 488 categorized. Figure 353 Anti-X > Content Filter > Cache The following table describes the labels in this screen. Table 151 Anti-X > Content Filter > Cache LABEL DESCRIPTION URL Cache Entry Flush Click this button to clear all web site addresses from the cache manually. Refresh Click this button to reload the list of content filter cache entries.
  • Page 482 Chapter 31 Content Filter Screens Table 151 Anti-X > Content Filter > Cache (continued) LABEL Page x of x Category Remaining Time (minutes) Remove URL Cache Setup Maximum TTL Apply Reset DESCRIPTION This is the number of the page of entries currently displayed and the total number of pages of entries.
  • Page 483: Content Filter Reports

    Content Filter Reports This chapter describes how to view content filtering reports after you have activated the category-based content filtering subscription service. Chapter 8 on page 165 and activate the subscription services. 32.1 Viewing Content Filter Reports Content filtering reports are generated statistics and charts of access attempts to web sites belonging to the categories you selected in your device content filter screen.
  • Page 484: Figure 355 Myzyxel.com: Welcome

    Chapter 32 Content Filter Reports ZyWALL using the Rename button in the Service Management screen (see on page 484). Figure 355 myZyXEL.com: Welcome 4 In the Service Management screen click Content Filter in the Service Name field to open the Blue Coat login screen. Figure 356 myZyXEL.com: Service Management 5 Enter your ZyXEL device's MAC address (in lower case) in the Name field.
  • Page 485: Figure 357 Blue Coat: Login

    6 Click Submit. Figure 357 Blue Coat: Login 7 In the Web Filter Home screen, click the Reports tab. Figure 358 Blue Coat Content Filter Reports Main Screen 8 Select items under Global Reports or Single User Reports to view the corresponding reports.
  • Page 486: Figure 359 Blue Coat: Report Home

    Chapter 32 Content Filter Reports Figure 359 Blue Coat: Report Home 9 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen.
  • Page 487: Figure 360 Global Report Screen Example

    Chapter 32 Content Filter Reports Figure 360 Global Report Screen Example 11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.
  • Page 488: Web Site Submission

    Chapter 32 Content Filter Reports Figure 361 Requested URLs Example 32.2 Web Site Submission You may find that a web site has not been accurately categorized or that a web site’s contents have changed and the content filtering category needs to be updated. Use the following procedure to submit the web site for review.
  • Page 489: Figure 362 Web Page Review Process Screen

    Chapter 32 Content Filter Reports Figure 362 Web Page Review Process Screen 3 Type the web site’s URL in the field and click Submit to have the web site reviewed.
  • Page 491: Device Ha & Objects

    Device HA & Objects Device HA (493) User/Group (503) Addresses (515) Services (521) Schedules (527) AAA Server (531) Authentication Objects (541) Certificates (545) ISP Accounts (563) SSL Application (567)
  • Page 493: Device Ha

    Use device HA and Virtual Router Redundancy Protocol (VRRP) to increase network reliability. See Section 5.4.8 on page 117 33.1 Virtual Router Redundancy Protocol (VRRP) Overview Every computer on a network may send packets to a default gateway, which can become a single point of failure.
  • Page 494: Figure 364 Example: Vrrp, Master Becomes Unavailable

    Chapter 33 Device HA Every router in a virtual router must use the same advertisement interval. If Router A becomes unavailable, it stops sending messages to Router B. Router B detects this and assumes the role of the master router. This is illustrated below. Figure 364 Example: VRRP, Master Becomes Unavailable Router B is now using the IP address of the default gateway, and it is forwarding packets for the network.
  • Page 495: Additional Vrrp Notes

    33.1.1 Additional VRRP Notes • It is possible to set up two virtual routers so that they back up each other. • VRRP uses IP protocol 112. 33.2 VRRP Group Overview In the ZyWALL, you should create a VRRP group to add one of its interfaces to a virtual router.
  • Page 496: Link Monitoring And Remote Management

    Chapter 33 Device HA 33.2.1 Link Monitoring and Remote Management With link monitoring enabled, a backup ZyWALL that takes over for an unavailable master ZyWALL takes over all of the master ZyWALL’s static IP addresses. This way the backup ZyWALL takes over all of the master ZyWALL’s functions. However, this also means you can no longer access the original master ZyWALL through one of its static IP addresses (because the backup ZyWALL now uses this address).
  • Page 497: Figure 366 Device Ha > Vrrp Group

    Figure 366 Device HA > VRRP Group The following table describes the labels in this screen. See information as well. Table 152 Device HA > VRRP Group LABEL DESCRIPTION Refresh Click this button to update the information in this screen. This field is a sequential value, and it is not associated with a specific VRRP group.
  • Page 498: Vrrp Group Add/Edit

    Chapter 33 Device HA Table 152 Device HA > VRRP Group (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 33.5 VRRP Group Add/Edit The VRRP Group Add/Edit screen allows you to add VRRP groups to the ZyWALL or to edit the configuration of an existing VRRP group.
  • Page 499 Table 153 Device HA > VRRP Group > Edit (continued) LABEL DESCRIPTION VRID Type the virtual router ID number. Description Type the description of the VRRP group. This field is only for your reference. It may be up to sixty printable ASCII characters long. VRRP Interface Select the interface in this device that is part of the virtual router.
  • Page 500: Synchronization Overview

    Chapter 33 Device HA 33.6 Synchronization Overview In a virtual router, backup routers do not automatically get configuration updates from the master router. In this case, the master ZyWALL can send these updates to backup ZyWALLs. This is called synchronization. During synchronization, the master ZyWALL sends the following information to the backup ZyWALL.
  • Page 501: Synchronize Screen

    You must subscribe to services on the backup ZyWALL before synchronizing it with the master ZyWALL. 33.6.2 Synchronize Screen Use this screen if you want the ZyWALL to get or to send updated IDP signatures, and configuration information in the virtual router. You can only set up synchronization with other ZyWALLs of the same model running the same firmware version.
  • Page 502 Chapter 33 Device HA Table 154 Network > Device HA > Synchronize (continued) LABEL DESCRIPTION Sync. Now Click this button to get updated certificates, AV signatures, IDP and application patrol signatures, system protect signatures, and configuration information from the specified ZyWALL router. Note: If the new configuration is different from the existing one on Auto Select this to get updated configuration and IDP signatures automatically from the...
  • Page 503: User/Group

    This chapter describes how to set up user accounts, user groups, and user settings for the ZyWALL. You can also set up rules that control when users have to log in to the ZyWALL before the ZyWALL routes traffic for them.
  • Page 504: Ext-User Accounts

    Chapter 34 User/Group 34.1.2 Ext-User Accounts Set up an Ext-User account if the user is authenticated by an external server and you want to set up specific policies for this user in the ZyWALL. If you do not want to set up policies for this user, you do not have to set up an Ext-User account.
  • Page 505: User Groups

    Figure 370 RADIUS Example: Keywords for User Attributes type=user;leaseTime=222;reauthTime=222 34.1.2.2 Creating a Large Number of Ext-User Accounts If you plan to create a large number of Ext-User accounts, you might use CLI commands, instead of the web configurator, to create the accounts. Extract the user names from the LDAP or RADIUS server, and create a shell script that creates the user accounts.
  • Page 506: User Summary

    Chapter 34 User/Group This works with HTTP traffic only. The ZyWALL does not force users to log in before it routes other kinds of traffic. The ZyWALL does not automatically route the request that prompted the login, however, so users have to make this request again. 34.2 User Summary The User screen provides a summary of all user accounts.
  • Page 507: Figure 372 User/Group > User > Edit

    Figure 372 User/Group > User > Edit The following table describes the labels in this screen. Table 158 User/Group > User > Edit LABEL DESCRIPTION User Name Type the user name for this user account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 508: Group Summary

    Chapter 34 User/Group 34.2.1.1 Rules for User Names Enter a user name from 1 to 31 characters. The user name can only contain the following characters: • Alphanumeric A-z 0-9 (there is no unicode support) • _ [underscores] • - [dashes] The first character must be alphabetical (A-Z a-z), an underscore (_), or a dash (-).
  • Page 509: Group Add/Edit

    Table 160 User/Group > Group (continued) LABEL DESCRIPTION Member This field lists the members in the user group. Each member is separated by a comma. Add icon This column provides icons to add, edit, and remove user groups. To add a user group, click the Add icon at the top of the column. The Group Add/ Edit screen appears.
  • Page 510: Setting Screen

    Chapter 34 User/Group 34.4 Setting Screen The Setting screen controls default settings, login settings, lockout settings, and other user settings for the ZyWALL. You can also use this screen to specify when users must log in to the ZyWALL before it routes traffic for them. To access this screen, login to the web configurator, and click User/Group >...
  • Page 511 Table 162 User/Group > Setting (continued) LABEL DESCRIPTION User Logon Setting Limit ... for administration account Select this check box if you want to set a limit on the number of simultaneous logins by admin users. If you do not select this, admin users can log in as many times as they want at the same time using the same or different IP addresses.
  • Page 512: Force User Authentication Policy Add/Edit

    Chapter 34 User/Group Table 162 User/Group > Setting (continued) LABEL DESCRIPTION Page x of x This is the number of the page of entries currently displayed and the total number of pages of entries. Type a page number to go to or use the arrows to navigate the pages of entries.
  • Page 513: Web Configurator For Non-Admin Users

    The following table describes the labels in this screen. Table 163 User/Group > Setting > Force User Authentication Policy > Add/Edit LABEL DESCRIPTION Enable Select this if you want this condition to be active. Description Enter a description for this condition. It can be up to 60 printable ASCII characters long.
  • Page 514: Table 164 Web Configurator For Non-Admin Users

    Chapter 34 User/Group The following table describes the labels in this screen. Table 164 Web Configurator for Non-Admin Users LABEL DESCRIPTION User-defined lease time (max ...) Access users can specify a lease time shorter than or equal to the one that you specified.
  • Page 515: Addresses

    This chapter describes how to set up addresses and address groups for the ZyWALL. See Section 5.5 on page 122 35.1 Addresses Overview Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups.
  • Page 516: Address Add/Edit

    Chapter 35 Addresses Figure 378 Object > Address > Address The following table describes the labels in this screen. See more information as well. Table 165 Object > Address > Address LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific address. Name This field displays the name of each address.
  • Page 517: Address Group Screens

    The following table describes the labels in this screen. Table 166 Object > Address > Address > Edit LABEL DESCRIPTION Name Type the name used to refer to the address. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Address Type Select the type of address you want to create.
  • Page 518: Address Group Add/Edit

    Chapter 35 Addresses The following table describes the labels in this screen. See more information as well. Table 167 Object > Address > Address Group LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific address group.
  • Page 519 Table 168 Object > Address > Address Group > Add (continued) LABEL DESCRIPTION Available This field displays the names of the address and address group objects that can be added to the address group. Select address and address group objects that you want to be members of this group and click the right arrow to add them to the member list.
  • Page 521: Services

    Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features. See 5.5 on page 122 for related information on these screens. 36.1 Services Overview Appendix C on page 703 36.1.1 IP Protocols...
  • Page 522: Service Summary Screen

    Chapter 36 Services • UDP applications • ICMP messages • user-defined services (for other types of IP protocols) These objects are used in policy routes, firewall rules, and IDP profiles. Use service groups when you want to create the same rule for several services, instead of creating separate rules for each service.
  • Page 523: Service Add/Edit

    Table 169 Object > Service > Service (continued) LABEL DESCRIPTION Content This field displays a description of each service. Add icon This column provides icons to add, edit, and remove services. To add a service, click the Add icon at the top of the column. The Service Add/ Edit screen appears.
  • Page 524: Service Group Summary Screen

    Chapter 36 Services 36.3 Service Group Summary Screen The Service Group summary screen provides a summary of all service groups. In addition, this screen allows you to add, edit, and remove service groups. To access this screen, log in to the web configurator, and click Object > Service > Service Group.
  • Page 525: Figure 385 Object > Service > Service Group > Edit

    Figure 385 Object > Service > Service Group > Edit The following table describes the labels in this screen. Table 172 Object > Service > Service Group > Edit LABEL DESCRIPTION Name Enter the name of the service group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  • Page 527: Schedules

    Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, application patrol, and content filtering. See on these screens. 37.1 Schedule Overview The ZyWALL supports two types of schedules: one-time and recurring. One-time schedules are effective only once, while recurring schedules usually repeat.
  • Page 528: One-Time Schedule Add/Edit

    Chapter 37 Schedules Figure 386 Object > Schedule The following table describes the labels in this screen. See Section 37.2.3 on page 529 Table 173 Object > Schedule LABEL DESCRIPTION One Time This field is a sequential value, and it is not associated with a specific schedule. Name This field displays the name of the schedule, which is used to refer to the schedule.
  • Page 529: Recurring Schedule Add/Edit

    Figure 387 Object > Schedule > Edit (One Time) The following table describes the labels in this screen. Table 174 Object > Schedule > Edit (One Time) LABEL DESCRIPTION Configuration Name Type the name used to refer to the one-time schedule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 530: Figure 388 Object > Schedule > Edit (Recurring)

    Chapter 37 Schedules Figure 388 Object > Schedule > Edit (Recurring) The Year, Month, and Day columns are not used in recurring schedules and are disabled in this screen. The following table describes the remaining labels in this screen. Table 175 Object > Schedule > Edit (Recurring) LABEL DESCRIPTION Configuration...
  • Page 531: Aaa Server

    This chapter introduces and shows you how to configure the ZyWALL to use external authentication servers. 38.1 AAA Server Overview You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The following lists the types of authentication server the ZyWALL supports.
  • Page 532: User Authentication Method

    Chapter 38 AAA Server 5 Configure the ASAS as a RADIUS server in the ZyWALL’s Object > AAA Server screens. 6 Give the OTP tokens to (local or remote) users. 38.1.2 User Authentication Method You can select to authenticate users using the local user database and/or a specified authentication server.
  • Page 533: Distinguished Name (Dn)

    Figure 390 Basic Directory Structure Root Countries (c) 38.2.2 Distinguished Name (DN) A DN uniquely identifies an entry in a directory. A DN consists of attribute-value pairs separated by commas. The leftmost attribute is the Relative Distinguished Name (RDN). This provides a unique name for entries that have the same “parent DN”...
  • Page 534: Active Directory Or Ldap Group Summary

    Chapter 38 AAA Server Figure 391 Object > AAA Server > Active Directory (or LDAP) > Default The following table describes the labels in this screen. Table 176 Object > AAA Server > Active Directory (or LDAP) > Default LABEL Host Port Bind DN...
  • Page 535: Creating An Active Directory Or Ldap Group

    1 Click Object > AAA Server > Active Directory (or LDAP) > Group to display the screen. Figure 392 Object > AAA Server > Active Directory (or LDAP) > Group The following table describes the labels in this screen. Table 177 Object > AAA Server > Active Directory (or LDAP) > Group LABEL DESCRIPTION This field displays the index number.
  • Page 536: Radius Server

    Chapter 38 AAA Server The following table describes the labels in this screen. Table 178 Object > AAA Server > Active Directory (or LDAP) > Group > Add LABEL Configuration Name Port Password Base DN binddn CN Identifier Search time limit Use SSL Host Members...
  • Page 537: Configuring A Default Radius Server

    Figure 394 RADIUS Server Network Example 38.5 Configuring a Default RADIUS Server To configure the default external RADIUS server to use for user authentication, click Object > AAA Server > RADIUS to display the screen as shown. Figure 395 Object > AAA Server > RADIUS > Default The following table describes the labels in this screen.
  • Page 538: Configuring A Group Of Radius Servers

    Chapter 38 AAA Server 38.6 Configuring a Group of RADIUS Servers You can configure a group of RADIUS servers in the RADIUS > Group screen. This is useful if you have more than one authentication server for user authentication in a network. 1 Click Object >...
  • Page 539: Table 181 Object > Aaa Server > Radius > Group > Add

    The following table describes the labels in this screen. Table 181 Object > AAA Server > RADIUS > Group > Add LABEL DESCRIPTION Configuration All RADIUS servers in a group share the same settings in the fields below. Name Enter a descriptive name (up to 63 alphanumeric characters) for identification purposes.
  • Page 541: Authentication Objects

    Authentication Objects This chapter shows you how to select different authentication methods for user authentication using the AAA servers or the internal user database. 39.1 Authentication Objects Overview After you have created the AAA server objects in the AAA Server screens, you can specify the authentication objects (containing the AAA server information) that the ZyWALL uses to authenticate users (using VPN or managing through HTTP/HTTPS).
  • Page 542: Creating An Authentication Object

    Chapter 39 Authentication Objects 39.3 Creating an Authentication Object Follow the steps below to create an authentication object. 1 Click Object > Auth. Method. 2 Click Add. 3 Specify a descriptive name for identification purposes in the Name field. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number.
  • Page 543: Example: Selecting A Vpn Authentication Method

    The following table describes the labels in this screen. Table 183 Object > Auth. Method > Add LABEL DESCRIPTION Name Specify a descriptive name for identification purposes. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. For example, “My_Device”.
  • Page 544: Figure 400 Example: Using Authentication Method In Vpn

    Chapter 39 Authentication Objects Figure 400 Example: Using Authentication Method in VPN
  • Page 545: Certificates

    This chapter gives background information about public-key certificates and explains how to use the Certificates screens. See screens. 40.1 Certificates Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs.
  • Page 546: Advantages Of Certificates

    Chapter 40 Certificates Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyWALL can check a peer’s certificate against a directory server’s list of revoked certificates.
  • Page 547: Certificate Configuration Screens Summary

    Be careful to not convert a binary file to text during the transfer process. It is easy for this to occur since many programs use text files by default. 40.4 Certificate Configuration Screens Summary This section summarizes how to manage certificates on the ZyWALL. Use the My Certificate screens to generate and export self-signed certificates or certification requests and import the ZyWALL’s CA-signed certificates.
  • Page 548: My Certificates Screen

    Chapter 40 Certificates Figure 402 Certificate Details 4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection.
  • Page 549: My Certificates Add Screen

    The following table describes the labels in this screen. Table 184 Object > Certificate > My Certificates LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.
  • Page 550: Figure 404 Object > Certificate > My Certificates > Add

    Chapter 40 Certificates Figure 404 Object > Certificate > My Certificates > Add The following table describes the labels in this screen. Table 185 Object > Certificate > My Certificates > Add LABEL Name Subject Information Common Name Organizational Unit DESCRIPTION Type a name to identify this certificate.
  • Page 551 Table 185 Object > Certificate > My Certificates > Add (continued) LABEL Organization Country Key Type Key Length Enrollment Options Create a self-signed certificate Create a certification request and save it locally for later manual enrollment Create a certification request and enroll for a certificate immediately online Enrollment Protocol...
  • Page 552: My Certificate Edit Screen

    Table 185 Object > Certificate > My Certificates > Add (continued) LABEL Request Authentication Cancel If you configured the My Certificate Create screen to have the ZyWALL enroll a certificate and the certificate enrollment is not successful, you see a screen with a Return button that takes you back to the My Certificate Create screen.
  • Page 553: Figure 405 Object > Certificate > My Certificates > Edit

    Figure 405 Object > Certificate > My Certificates > Edit The following table describes the labels in this screen. Table 186 Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
  • Page 554 Table 186 Object > Certificate > My Certificates > Edit LABEL Type Version Serial Number Subject Issuer Signature Algorithm Valid From Valid To Key Algorithm Subject Alternative Name Key Usage Basic Constraint MD5 Fingerprint SHA1 Fingerprint Certificate in PEM (Base-64) Encoded Format DESCRIPTION...
  • Page 555: My Certificate Import Screen

    Table 186 Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Export This button displays for a certification request. Use this button to save a copy of the request without its private key. Click this button and then Save in the File Download screen.
  • Page 556: Trusted Certificates Screen

    The following table describes the labels in this screen. Table 187 Object > Certificate > My Certificates > Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it. You cannot import a certificate with the same name as a certificate that is already in the ZyWALL.
  • Page 557: Trusted Certificates Edit Screen

    Table 188 Object > Certificate > Trusted Certificates (continued) LABEL DESCRIPTION Name This field displays the name used to identify this certificate. Subject This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country).
  • Page 558: Figure 408 Object > Certificate > Trusted Certificates > Edit

    Figure 408 Object > Certificate > Trusted Certificates > Edit The following table describes the labels in this screen. Table 189 Object > Certificate > Trusted Certificates > Edit LABEL Name Certification Path DESCRIPTION This field displays the identifying name of this certificate. You can change the name.
  • Page 559 Table 189 Object > Certificate > Trusted Certificates > Edit (continued) LABEL DESCRIPTION Refresh Click Refresh to display the certification path. Enable X.509v3 CRL Distribution Points and OCSP: Select this check box to have the ZyWALL check incoming certificates that are signed by this certificate against a Certificate Revocation List (CRL) or an OCSP server.
  • Page 560: Trusted Certificates Import Screen

    Table 189 Object > Certificate > Trusted Certificates > Edit (continued) LABEL Valid From Valid To Key Algorithm Subject Alternative Name Key Usage Basic Constraint MD5 Fingerprint SHA1 Fingerprint Certificate in PEM (Base-64) Encoded Format Export Certificate Cancel 40.9 Trusted Certificates Import Screen Click Object >...
  • Page 561: Figure 409 Object > Certificate > Trusted Certificates > Import

    Figure 409 Object > Certificate > Trusted Certificates > Import The following table describes the labels in this screen. Table 190 Object > Certificate > Trusted Certificates > Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it. You cannot import a certificate with the same name as a certificate that is already in the ZyWALL.
  • Page 563: ISP Accounts

    Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE/PPTP interfaces. See Section 5.5 on page 122 41.1 ISP Accounts Overview An ISP account is a profile of settings for Internet access using PPPoE or PPTP. See Section 10.6 on page 210 for information about PPPoE/PPTP interfaces.
  • Page 564: ISP Account Edit

    Chapter 41 ISP Accounts Table 191 Object > ISP Account (continued) LABEL DESCRIPTION User Name This field displays the user name of the ISP account. Add icon This column provides icons to add, edit, and remove ISP accounts. To add information about a new ISP account, click the Add icon at the top of the column.
  • Page 565 Table 192 Object > ISP Account > Edit (continued) LABEL DESCRIPTION Encryption Method: This field is available if this ISP account uses the PPTP protocol. Use the drop-down list box to select the type of Microsoft Point-to-Point Encryption (MPPE). Options are: nomppe - This ISP account does not use MPPE.
  • Page 567: SSL Application

    This chapter describes how to configure SSL application objects for use in SSL VPN. 42.1 SSL Application Overview Configure an SSL application object to specify a service and a corresponding IP address of the server on the local network.
  • Page 568: Creating/Editing an SSL Application

    Chapter 42 SSL Application The following table describes the labels in this screen. Table 193 Object > SSL Application LABEL DESCRIPTION This field displays the index number. Name This field displays the name of the object. Address This field displays the IP address/URL of the application server or the location of a file share.
  • Page 569: Example: Specifying A Web Site For Access

    The following table describes the labels in this screen. Table 194 Object > SSL Application > Add/Edit: Web Application LABEL DESCRIPTION Object Type Select Web Application from the drop-down list box. Application Name Enter a descriptive name to identify this object. You can enter up to 31 characters (“0- 9”, “a-z”, “A-Z”, “-”...
  • Page 570: Configuring File Sharing

    7 Click Apply to save the settings. The configuration screen should look similar to the following figure. Figure 414 Example: SSL Application: Specifying a Web Site for Access 42.3.3 Configuring File Sharing You can specify the name of a folder on a file server (Linux or Windows) which remote users can access.
  • Page 571 Table 195 Object > SSL Application > Add/Edit: Web Application LABEL DESCRIPTION Shared Path Specify the IP address, domain name or NetBIOS name (computer name) of the file server and the name of the share to which you want to allow user access. Enter the path in one of the following formats.
  • Page 573: System

    System System (575) Service Control (587)
  • Page 575: System

    This chapter provides information on the general system screens. See for details on the system screens that control service access. 43.1 System Overview The system screens can help you configure general ZyWALL information, the system time and the console port connection speed for a terminal emulation program.
  • Page 576: Time And Date

    Chapter 43 System 43.3 Time and Date This section shows you how: 1 To manually set the ZyWALL date and time. 2 To get the ZyWALL date and time from a time server. For effective scheduling and logging, the ZyWALL system time must be accurate. The ZyWALL’s Real Time Chip (RTC) keeps track of the time and date.
  • Page 577 Table 197 System > Date and Time (continued) LABEL DESCRIPTION Manual Select this radio button to enter the time and date manually. If you configure a new time and date, time zone and daylight saving at the same time, the time zone and daylight saving will affect the new time and date you entered.
  • Page 578: Pre-Defined NTP Time Servers List

    Table 197 System > Date and Time (continued) LABEL End Date Offset Apply Reset 43.3.1 Pre-defined NTP Time Servers List When you turn on the ZyWALL for the first time, the date and time start at 2003-01-01 00:00:00.
  • Page 579: Console Port Speed

    Figure 418 Synchronization in Process The Current Time and Current Date fields will display the appropriate settings if the synchronization is successful. If the synchronization was not successful, a log displays in the View Log screen. Try reconfiguring the Date/Time screen. To manually set the ZyWALL date and time.
  • Page 580: DNS Overview

    Figure 419 System > Console Port Speed The following table describes the labels in this screen. Table 199 System > Console Port Speed LABEL Configuration Console Port Speed Apply Reset 43.5 DNS Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa.
  • Page 581: Figure 420 System > DNS

    Figure 420 System > DNS The following table describes the labels in this screen. Table 200 System > DNS LABEL DESCRIPTION Address/PTR Record: This record specifies the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www”...
  • Page 582 Table 200 System > DNS (continued) LABEL DESCRIPTION From This displays whether the DNS server IP address is assigned by the ISP dynamically through a specified interface or configured manually. DNS Server This is the IP address of a DNS server. This field displays N/A if you have the ZyWALL get a DNS server IP address from the ISP dynamically but the specified interface is not active.
  • Page 583: Address Record

    43.5.4 Address Record An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com”...
  • Page 584: Domain Zone Forwarder

    43.5.7 Domain Zone Forwarder A domain zone forwarder contains a DNS server’s IP address. The ZyWALL can query the DNS server to resolve domain zones for features like VPN, DDNS and the time server. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.
  • Page 585: MX Record

    43.5.9 MX Record An MX (Mail eXchange) record indicates which host is responsible for the mail for a particular domain, that is, it controls where mail is sent for that domain. If you do not configure proper MX records for your domain or another domain, external e-mail from other mail servers cannot be delivered to your mail server and vice versa.
  • Page 586: Language Screen

    The following table describes the labels in this screen. Table 204 System > DNS > Service Control Rule Edit LABEL DESCRIPTION Address Object Select ALL to allow or deny any computer to send DNS queries to the ZyWALL. Select a predefined address object to just allow or deny the computer with the IP address that you specified to send DNS queries to the ZyWALL.
  • Page 587: Service Control

    This chapter covers controlling access to the ZyWALL. See general system configuration screens. 44.1 Service Control Overview Use this chapter to control which services can access the ZyWALL. The following figure shows secure and insecure management of the ZyWALL coming in from the WAN.
  • Page 588: Service Access Limitations

    Chapter 44 Service Control 44.1.1 Service Access Limitations A service cannot be used to access the ZyWALL when: 1 You have disabled that service in the corresponding screen. 2 The allowed IP address (address object) in the Service Control table does not match the client IP address (the ZyWALL disallows the session).
  • Page 589: Configuring WWW

    Figure 427 HTTP/HTTPS Implementation If you disable HTTP in the WWW screen, then the ZyWALL blocks all HTTP connection attempts. 44.3 Configuring WWW Click System > WWW to open the WWW screen. Use this screen to specify from which zones you can access the ZyWALL using HTTP or HTTPS. You can also specify which IP addresses the access can come from.
  • Page 590: Figure 428 System > WWW

    Figure 428 System > WWW The following table describes the labels in this screen. Table 206 System > WWW LABEL DESCRIPTION HTTPS Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL web configurator using secure HTTPS connections.
  • Page 591 Table 206 System > WWW (continued) LABEL DESCRIPTION Admin/User Admin Service Control specifies from which zones an administrator can use Service Control HTTPS to manage the ZyWALL (using the web configurator). You can also specify the IP addresses from which the administrators can manage the ZyWALL. User Service Control specifies from which zones a user can use HTTPS to log into the ZyWALL (to log into SSL VPN for example).
  • Page 592: Service Control Rules

    Table 206 System > WWW (continued) LABEL DESCRIPTION Client Authentication Method: Select a method the HTTPS or HTTP server uses to authenticate a client. You must have configured the authentication methods in the Auth. method screen. Apply: Click Apply to save your changes back to the ZyWALL.
  • Page 593: Internet Explorer Warning Messages

    44.5.1 Internet Explorer Warning Messages When you attempt to access the ZyWALL HTTPS server, a Windows dialog box pops up asking if you trust the server certificate. Click View Certificate if you want to verify that the certificate is from the ZyWALL. You see the following Security Alert screen in Internet Explorer.
  • Page 594: Avoiding Browser Warning Messages

    Figure 431 Security Certificate 1 (Netscape) Figure 432 Security Certificate 2 (Netscape) 44.5.3 Avoiding Browser Warning Messages The following describes the main reasons that your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnings. •...
  • Page 595: Login Screen

    44.5.4 Login Screen After you accept the certificate, the ZyWALL login screen appears. The lock displayed in the bottom of the browser status bar denotes a secure connection. Figure 433 Login Screen (Internet Explorer) 44.5.5 Enrolling and Importing SSL Client Certificates The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL.
  • Page 596: Figure 435 CA Certificate Example

    Figure 435 CA Certificate Example 2 Click Install Certificate and follow the wizard as shown earlier in this appendix. 44.5.5.2 Installing Your Personal Certificate(s) You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment.
  • Page 597: Figure 437 Personal Certificate Import Wizard 2

    2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 437 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA. Figure 438 Personal Certificate Import Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.
  • Page 598: Figure 439 Personal Certificate Import Wizard 4

    Figure 439 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process. Figure 440 Personal Certificate Import Wizard 5 6 You should see the following screen when the certificate is correctly installed on your computer.
  • Page 599: Using a Certificate When Accessing the ZyWALL Example

    44.5.6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS. 1 Enter https://ZyWALL IP Address/ in your browser’s web address field. Figure 442 Access the ZyWALL Via HTTPS 2 When Authenticate Client Certificates is selected on the ZyWALL, the following screen asks you to select a personal certificate to send to the ZyWALL.
  • Page 600: SSH

    44.6 SSH You can use SSH (Secure SHell) to securely access the ZyWALL’s command line interface. Specify which zones allow SSH access and from which IP address the access can come. SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network.
  • Page 601: SSH Implementation on the ZyWALL

    The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer. 2 Encryption Method Once the identification is verified, both the client and server must agree on the type of encryption method to use.
  • Page 602: Secure Telnet Using SSH Examples

    The following table describes the labels in this screen. Table 208 System > SSH LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL CLI using this service.
  • Page 603: Example 2: Linux

    Figure 448 SSH Example 1: Store Host Key Enter the password to log in to the ZyWALL. The CLI screen displays next. 44.7.2 Example 2: Linux This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distributions.
  • Page 604: Telnet

    3 The CLI screen displays next. 44.8 Telnet You can use Telnet to access the ZyWALL’s command line interface. Specify which zones allow Telnet access and from which IP address the access can come. 44.8.1 Configuring Telnet Click System >...
  • Page 605: Configuring FTP

    Table 209 System > Telnet (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 44.9 Configuring FTP You can upload and download the ZyWALL’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client.
  • Page 606: SNMP

    Table 210 System > FTP (continued) LABEL DESCRIPTION Address This is the name of the address object for the IP address(es) that are allowed or denied access. Action This displays whether the computer with the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny).
  • Page 607: Supported MIBs

    An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions.
  • Page 608: Configuring SNMP

    44.10.3 Configuring SNMP To change your ZyWALL’s SNMP settings, click System > SNMP tab. The screen appears as shown. Use this screen to configure your SNMP settings, including from which zones SNMP can be used to access the ZyWALL. You can also specify from which IP addresses the access can come.
  • Page 609: Dial-In Management

    Table 212 System > SNMP (continued) LABEL DESCRIPTION Add icon Click the Add icon in the heading row to open a screen where you can add a new rule. Refer to Click the Edit icon to go to the screen where you can edit the rule. Click the Add icon in an entry to add a rule below the current entry.
  • Page 610: Vantage CNM

    Figure 455 System > Dial-in Mgmt The following table describes the labels in this screen. Table 213 System > Dial-in Mgmt LABEL Enable Description Mute Answer Rings Port Speed Initial String Advanced/Basic Apply Reset 44.13 Vantage CNM Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide.
  • Page 611: Configuring Vantage CNM

    44.14 Configuring Vantage CNM Vantage CNM is disabled on the device by default. Click System > Vantage CNM to configure your device’s Vantage CNM settings. Figure 456 System > Vantage CNM The following table describes the labels in this screen. Table 214 System >...
  • Page 612 Table 214 System > Vantage CNM (continued) LABEL HTTPS Authentication Vantage Certificate Advanced/Basic Apply Reset DESCRIPTION When you are using HTTPS, select this option to have the ZyWALL authenticate the Vantage CNM server’s certificate. In order to do this you need to import the Vantage CNM server’s public key (certificate) into the ZyWALL’s trusted certificates.
  • Page 613: Maintenance & Troubleshooting

    Maintenance & Troubleshooting File Manager (615) Logs (625) Reports (637) Diagnostics (647) Reboot (649) Troubleshooting (651)
  • Page 615: File Manager

    This chapter covers how to use the ZyWALL’s File Manager screens to handle the ZyWALL’s configuration, firmware and shell script files. 45.1 Configuration Files and Shell Scripts Overview The File Manager screens allow you to store multiple configuration files and shell script files. When you apply a configuration file, the ZyWALL uses the factory default settings for any features that the configuration file does not include.
  • Page 616: Comments In Configuration Files Or Shell Scripts

    Chapter 45 File Manager While configuration files and shell scripts have the same syntax, the ZyWALL applies configuration files differently than it runs shell scripts. This is explained below. Table 215 Configuration Files and Shell Scripts in the ZyWALL Configuration Files (.conf) •...
  • Page 617: Errors In Configuration Files Or Shell Scripts

    Lines 1 and 2 are comments. Line 5 exits sub command mode. ! this is from Joe # on 2006/06/05 interface ge1 ip address dhcp 45.1.2 Errors in Configuration Files or Shell Scripts When you apply a configuration file or run a shell script, the ZyWALL processes the file line-by-line.
  • Page 618: Configuration File Screen

    You can change the way the startup-config.conf file is applied. Include the stop-on-error off command in the startup-config.conf file and the ZyWALL applies all of the valid commands. The ZyWALL still generates a log for any errors. 45.2 Configuration File Screen Click Maintenance >...
  • Page 619: Figure 459 Maintenance > File Manager > Configuration File > Copy

    The following table describes the labels in this screen. Table 216 Maintenance > File Manager > Configuration File LABEL DESCRIPTION Download Click a configuration file’s row to select it and click Download to save the configuration to your computer. Copy Use this button to save a duplicate of a configuration file on the ZyWALL.
  • Page 620: Firmware Package Screen

    Table 216 Maintenance > File Manager > Configuration File (continued) LABEL DESCRIPTION This column displays the number for each configuration file entry. The total number of configuration files that you can save depends on the sizes of the configuration files and the available flash storage space.
  • Page 621: Figure 461 Maintenance > File Manager > Firmware Package

    The ZyWALL’s firmware package cannot go through the ZyWALL when you enable the anti-virus Destroy compressed files that could not be decompressed option. The ZyWALL classifies the firmware package as not being able to be decompressed and deletes it. You can upload the firmware package to the ZyWALL with the option enabled, so you only need to clear the Destroy compressed files that could not be decompressed option while you download the firmware package.
  • Page 622: Shell Script Screen

    Figure 462 Firmware Upload In Process The ZyWALL automatically restarts during this time, causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. Figure 463 Network Temporarily Disconnected After five minutes, log in again and check your new firmware version in the HOME screen.
  • Page 623: Figure 465 Maintenance > File Manager > Shell Script

    Figure 465 Maintenance > File Manager > Shell Script Each field is described in the following table. Table 218 Maintenance > File Manager > Shell Script LABEL DESCRIPTION Download Click a shell script file’s row to select it and click Download to save the configuration to your computer.
  • Page 624: Figure 467 Maintenance > File Manager > Shell Script > Rename

    Table 218 Maintenance > File Manager > Shell Script (continued) LABEL DESCRIPTION Rename Use this button to change the label of a shell script file on the ZyWALL. You cannot rename a shell script to the name of another shell script in the ZyWALL. Click a shell script’s row to select it and click Rename to open the Rename File screen.
  • Page 625: Logs

    This chapter provides general information about the ZyWALL’s log feature. See on page 663 for individual log descriptions. The following table displays the maximum number of system log messages in the ZyWALL. Table 219 Specifications: Logs LABEL Maximum Number of Log Messages (System Log) Maximum Number of Log Messages (Debug Log)
  • Page 626: Figure 468 Maintenance > Log > View Log

    Chapter 46 Logs Figure 468 Maintenance > Log > View Log If an event generates log messages and alerts, it is displayed in red. Otherwise, it is displayed in black. The following table describes the labels in this screen. Table 220 Maintenance > Log > View Log LABEL DESCRIPTION Show Filter /...
  • Page 627: Log Settings Screens

    Table 220 Maintenance > Log > View Log (continued) LABEL DESCRIPTION Keyword Type a keyword to look for in the Message, Source, Destination and Note fields. If a match is found in any field, the log message is displayed. You can use up to 63 alphanumeric characters and the underscore, as well as punctuation marks ()’...
  • Page 628: Log Settings Summary

    For alerts, the Log Settings tab controls which events generate alerts and where alerts are e-mailed. The Log Settings Summary screen provides a summary of all the settings. You can use the Log Settings Edit screen to maintain the detailed settings (such as log categories, e-mail addresses, server names, etc.) for any log.
  • Page 629: Log Settings Edit E-Mail

    Table 221 Maintenance > Log > Log Setting (continued) LABEL DESCRIPTION Modify This column provides icons to activate or deactivate logs and to modify the settings. To activate or deactivate a log, click the Active icon. Make sure you click Apply to save and apply the change.
  • Page 630: Figure 470 Maintenance > Log > Log Setting > E-Mail > Edit

    Figure 470 Maintenance > Log > Log Setting > E-mail > Edit
  • Page 631: Table 222 Maintenance > Log > Log Setting > E-Mail > Edit

    The following table describes the labels in this screen. Table 222 Maintenance > Log > Log Setting > E-mail > Edit LABEL DESCRIPTION E-Mail Server 1/2 Active Select this to send log messages and alerts according to the information in this section.
  • Page 632: Log Settings Edit Syslog

    Table 222 Maintenance > Log > Log Setting > E-mail > Edit (continued) LABEL DESCRIPTION Consolidation Active Select this to activate log consolidation. Log consolidation aggregates multiple log messages that arrive within the specified Log Consolidation Interval. In the View Log tab, the text “[count=x]”, where x is the number of original log messages, is appended at the end of the Message field, when multiple log messages were aggregated.
  • Page 633: Figure 471 Maintenance > Log > Log Setting > Remote Server > Edit

    Figure 471 Maintenance > Log > Log Setting > Remote Server > Edit
  • Page 634: Active Log Summary

    The following table describes the labels in this screen. Table 223 Maintenance > Log > Log Setting > Remote Server > Edit LABEL DESCRIPTION Log Settings for Remote Server 1 Active Select this check box to send log information according to the information in this section.
  • Page 635: Figure 472 Active Log Summary

    Figure 472 Active Log Summary This screen provides a different view and a different way of indicating which messages are included in each log and each alert. Please see is discussed. (The Default category includes debugging messages generated by open source software.) The following table describes the fields in this screen.
  • Page 636 Chapter 46 Logs Table 224 Maintenance > Log > Log Setting > Active Log Summary (continued) LABEL DESCRIPTION Selection Select what information you want to log from each Log Category (except All Logs; see below). Choices are: disable all logs (red X) - do not log any information from this category enable normal logs (green checkmark) - log regular information and alerts from this category enable all logs (yellow checkmark) - log regular information, alerts, and debugging...
  • Page 637: Reports

    This chapter provides information about the report screens. 47.1 Traffic Screen Click Maintenance > Report > Traffic to display the Traffic screen. The Traffic screen provides basic information about the following metrics: • Most-visited Web sites and the number of times each one was visited. This count may not be accurate in some cases because the ZyWALL counts HTTP GET packets.
  • Page 638: Figure 473 Maintenance > Report > Traffic

    Chapter 47 Reports Figure 473 Maintenance > Report > Traffic There is a limit on the number of records shown in the report. Please see for more information. The following table describes the labels in this screen. Table 225 Maintenance > Report > Traffic LABEL DESCRIPTION Data Collection...
  • Page 639 Table 225 Maintenance > Report > Traffic (continued) LABEL DESCRIPTION Traffic Type Select the type of report to display. Choices are: Host IP Address/User - displays the IP addresses or users with the most traffic and how much traffic has been sent to and from each one. Service/Port - displays the most-used protocols or service ports and the amount of traffic for each one.
  • Page 640: Session Screen

    Table 225 Maintenance > Report > Traffic (continued) LABEL DESCRIPTION Web Site This field displays the domain names most often visited. The ZyWALL counts each page viewed on a Web site as another hit. The maximum number of domain names in this report is indicated in Hits This field displays how many hits the Web site received.
  • Page 641: Figure 474 Maintenance > Report > Session

    Figure 474 Maintenance > Report > Session The following table describes the labels in this screen. Table 227 Maintenance > Report > Session LABEL DESCRIPTION View Select how you want the information to be displayed. Choices are: sessions by users - display all active sessions by user sessions by services - display all active sessions by service or protocol all sessions - filter the active sessions by the User, Service, Source Address, and Destination Address, and display them by user.
  • Page 642: Anti-Virus Report Screen

    Table 227 Maintenance > Report > Session (continued) LABEL DESCRIPTION Protocol This field displays the protocol used in each active session. If you are looking at the sessions by services report, click the blue plus sign (+) next to each protocol to look at detailed session information by user. Service
  • Page 643: Idp Report Screen

    Table 228 Maintenance > Report > Anti-Virus (continued) LABEL DESCRIPTION Infected Files This field displays the number of files in which the ZyWALL has detected a virus. Detected Top Entry By Use this field to have the following (read-only) table display the top anti-virus entries by Virus Name, Source or Destination.
  • Page 644: Figure 478 Maintenance > Report > Idp: Signature Name

    Figure 478 Maintenance > Report > IDP: Signature Name The following table describes the labels in this screen. Table 229 Maintenance > Report > IDP LABEL DESCRIPTION Collect Select this check box to have the ZyWALL collect IDP statistics. Statistics The collection starting time displays after you click Apply.
  • Page 645: Figure 479 Maintenance > Report > Idp: Source

    Table 229 Maintenance > Report > IDP (continued) LABEL DESCRIPTION Type This column displays when you display the entries by Signature Name. It shows the categories of intrusions. See Severity This column displays when you display the entries by Signature Name. It shows the level of threat that the intrusions may pose.
  • Page 646 Chapter 47 Reports ZyWALL USG 1000 User’s Guide...
  • Page 647: Diagnostics

    CHAPTER This chapter covers how to use the Diagnostics screen. 48.1 Diagnostics The Diagnostics screen provides an easy way for you to generate a file containing the ZyWALL’s configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting.
  • Page 649: Reboot

    CHAPTER Use this to restart the device (for example, if the device begins behaving erratically). See also Section 1.4 on page 55 for information on different ways to start and stop the ZyWALL. If you applied changes in the Web configurator, these were saved automatically and do not change when you reboot.
  • Page 651: Troubleshooting

    CHAPTER This chapter offers some suggestions to solve problems you might encounter. I cannot set up an IPSec VPN tunnel to another device. If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers.
  • Page 652: Getting More Troubleshooting Help

    Chapter 50 Troubleshooting Routing policies define how the ZyWALL forwards packets to their destinations. You must create a policy route for the ZyWALL to route VPN traffic through a VPN tunnel to the remote network. The VPN wizard automatically creates a corresponding policy route. If you use the VPN > IPSec VPN or VPN >...
  • Page 653 If you want to reboot the device without changing the current configuration, see page 649. 1 Make sure the SYS LED is on and not blinking. 2 Press the RESET button and hold it until the SYS LED begins to blink. (This usually takes about five seconds.) 3 Release the RESET button, and wait for the ZyWALL to restart.
  • Page 655: Appendices And Index

    VIII Appendices and Index Product Specifications (657) Common Services (703) Displaying Anti-Virus Alert Messages in Windows (707) Open Software Announcements (719) Legal Information (755) Customer Support (759) Index (765)
  • Page 657: Appendix A Product Specifications

    APPENDIX Product Specifications The following specifications are subject to change without notice. See for a general overview of key features. This table provides basic device specifications. Table 231 Default Login Information ATTRIBUTE Default IP Address (ge1) 192.168.1.1 Default Subnet Mask (ge1) Default Password...
  • Page 658: Table 233 Feature Specifications

    Appendix A Product Specifications Table 233 Feature Specifications VERSION # FEATURE # of MAC Flash Size DRAM Size INTERFACE VLAN Virtual (alias) Bridge ROUTING Static Routes Policy Routes Sessions Virtual Servers Trigger Port Rules HTTP Redirect New Session Rate (sessions per second) FIREWALL Firewall ACL Rules...
  • Page 659 Table 233 Feature Specifications (continued) VERSION # FEATURE Service Groups Schedule Objects ISP Accounts Maximum Number of LDAP Groups Maximum Number of LDAP Servers for Each LDAP Group Maximum Number of RADIUS Groups Maximum Number of RADIUS Servers for Each RADIUS Group Maximum Number of Authentication Methods Maximum Number of Zones...
  • Page 660: Table 234 Standards Referenced By Features

    Table 233 Feature Specifications (continued) VERSION # FEATURE Maximum Number of Content Filter Policies Maximum Number of Content Filter Profiles Maximum Number of Forbidden Domain Entries Maximum Number of Trusted Domain Entries Maximum Number of Keywords that Can Be Blocked Local Cache Size Maximum Number of Connections...
  • Page 661 Table 234 Standards Referenced by Features (continued) FEATURE Built-in service, SNMP agent Login, LDAP support. Used by Apache Built-in service, FTP server Used by Centralized log Login, new PAM module Built-in service, NTP client Used by SSH service Used by Time service Used by Telnet service Used by SIP ALG DHCP relay...
  • Page 663: Appendix B Log Descriptions

    APPENDIX This appendix provides descriptions of example log messages. Table 235 Content Filter Logs LOG MESSAGE Content filter has been enabled Content filter has been disabled Table 236 Forward Web Site Logs LOG MESSAGE %s: Trusted Web site %s: Service is not registered...
  • Page 664 Appendix B Log Descriptions Table 237 Blocked Web Site Logs (continued) LOG MESSAGE %s: Service is unavailable %s: %s(cache hit) %s: Not in trusted web list %s: Contains ActiveX %s: Contains Java applet %s: Contains cookie %s: Proxy mode is detected %s: Forbidden Web site The web site is in forbidden web site list.
  • Page 665: Table 238 User Logs

    Table 238 User Logs LOG MESSAGE %s %s has logged in from %s %s %s has logged out from %s %s %s from %s has been logged out (re-auth timeout) %s %s from %s has been logged out (lease timeout) %s %s from %s has been logged out (idle timeout)
  • Page 666: Table 239 Myzyxel.com Logs

    Table 239 myZyXEL.com Logs LOG MESSAGE Send registration message to MyZyXEL.com server has failed. Get server response has failed. Timeout for get server response. User has existed. User does not exist. Internal server error. MyZyXEL.com's database had an error when checking the user name. Device registration has failed:%s.
  • Page 667 Table 239 myZyXEL.com Logs (continued) LOG MESSAGE Service expiration check has succeeded. Service expiration check has failed. Because of lack must fields. Server setting error. Resolve server IP has failed. Verify server's certificate has failed. Connect to MyZyXEL.com server has failed. Do account check.
  • Page 668 Appendix B Log Descriptions Table 239 myZyXEL.com Logs (continued) LOG MESSAGE Update server is busy now. File download after %d seconds. Device has latest file. No need to update. Device has latest signature file; no need to update Connect to update server has failed.
  • Page 669 Table 239 myZyXEL.com Logs (continued) LOG MESSAGE Do expiration daily- check has failed. Because of lack must fields. Server setting error. Do expiration daily- check has failed. Do expiration daily- check has succeeded. Expiration daily- check will trigger PPP interface. Do self- check.
  • Page 670: Table 240 Idp Logs

    Table 239 myZyXEL.com Logs (continued) LOG MESSAGE Certification verification failed: Depth: %d, Error Number(%d):%s. Certificate issuer name:%s. The wrong format for HTTP header. Timeout for get server response. Download file size is wrong. Parse HTTP header has failed.
  • Page 671 Table 240 IDP Logs (continued) LOG MESSAGE IDP service standard license is expired. Update signature failed. IDP service standard license is not registered. Update signature failed. IDP service trial license is expired. Update signature failed. IDP service trial license is not registered.
  • Page 672 Appendix B Log Descriptions Table 240 IDP Logs (continued) LOG MESSAGE IDP off-line update failed. File damaged. IDP signature update failed. File crashed. IDP signature update failed. File damaged. IDP signature update failed. File update failed. IDP signature update failed. Can not update last update time.
  • Page 673: Table 241 Application Patrol Logs

    Table 240 IDP Logs (continued) LOG MESSAGE IDP signature update failed. Invalid signature content. System internal error. Create IDP traffic anomaly entry failed. Query signature version failed. Can not get signature version. Table 241 Application Patrol Logs LOG MESSAGE System fatal error: 60005001.
  • Page 674 Appendix B Log Descriptions Table 241 Application Patrol Logs (continued) LOG MESSAGE System fatal error: 60018009. System fatal error: 60018010. System fatal error: 60018011. System fatal error: 60018012. System fatal error: 60018013. System fatal error: 60018014. System fatal error: 60018015. System fatal error: 60018016.
  • Page 675: Table 242 Ike Logs

    Table 241 Application Patrol Logs (continued) LOG MESSAGE App Patrol Name=%s Type=%s %s=%d Protocol=%s Action=%s App Patrol resources ran out. User %s is unrestricted by rule [ %s:%d ]. 1st %s: User Name, 2nd %s: Protocol Name, 1% %d: Rule Index Table 242 IKE Logs LOG MESSAGE...
  • Page 676 Appendix B Log Descriptions Table 242 IKE Logs (continued) LOG MESSAGE [SA] : Tunnel [%s] Phase 1 authentication algorithm mismatch [SA] : Tunnel [%s] Phase 1 authentication method mismatch [SA] : Tunnel [%s] Phase 1 encryption algorithm mismatch [SA] : Tunnel [%s] Phase 1 invalid protocol [SA] : Tunnel [%s]...
  • Page 677 Table 242 IKE Logs (continued) LOG MESSAGE Cannot resolve My IP Addr %s for Tunnel [%s] Cannot resolve Secure Gateway Addr %s for Tunnel [%s] Could not dial dynamic tunnel "%s" Could not dial incomplete tunnel "%s" Could not dial manual key tunnel "%s"...
  • Page 678 Appendix B Log Descriptions Table 242 IKE Logs (continued) LOG MESSAGE The cookie pair is : 0x%08x%08x / 0x%08x%08x The IPSec tunnel "%s" is already established Tunnel [%s] built successfully Tunnel [%s] Phase 1 pre-shared key mismatch Tunnel [%s] Recving IKE request Tunnel [%s] Sending IKE request...
  • Page 679: Table 243 Ipsec Logs

    Table 242 IKE Logs (continued) LOG MESSAGE Tunnel [%s:%s] Sending IKE request Tunnel [%s:0x%x] is disconnected Tunnel [%s] rekeyed successfully Table 243 IPSec Logs LOG MESSAGE Corrupt packet, Inbound transform operation fail Encapsulated packet too big with length Get inbound transform fail Get outbound transform fail...
  • Page 680: Table 244 Firewall Logs

    Table 244 Firewall Logs LOG MESSAGE priority:%lu, from %s to %s, service %s, %s %s:%d: in %s(): Firewall has been %s. Firewall rule %d has been moved to %d. Firewall rule %d has been deleted. Firewall rules have been flushed.
  • Page 681 Table 246 Policy Route Logs (continued) LOG MESSAGE Cannot get handle from UAM, user-aware PR is disabled mblock: allocate memory failed! pt: allocate memory failed! To send message to policy route daemon failed! The policy route %d allocates memory fail! The policy route %d uses empty user group! The policy route %d...
  • Page 682: Table 247 Built-In Services Logs

    Table 247 Built-in Services Logs LOG MESSAGE User on %u.%u.%u.%u has been denied access from %s HTTPS certificate:%s does not exist. HTTPS service will not work. HTTPS port has been changed to port %s. HTTPS port has been changed to default port.
  • Page 683 Table 247 Built-in Services Logs (continued) LOG MESSAGE Console baud has been changed to %s. Console baud has been reset to %d. DHCP Server on Interface %s will not work due to Device HA status is Stand-By DHCP Server on Interface %s will be reapplied due to Device HA status is...
  • Page 684 Appendix B Log Descriptions Table 247 Built-in Services Logs (continued) LOG MESSAGE The default record of Zone Forwarder have reached the maximum number of 128 DNS servers. Interface %s ping check is successful. Zone Forwarder adds DNS servers in records. Interface %s ping check is failed.
  • Page 685: Table 248 System Logs

    Table 247 Built-in Services Logs (continued) LOG MESSAGE Access control rule %d of %s was moved to %d. SNMP trap can not be sent successfully Table 248 System Logs LOG MESSAGE Port %d is up!! Port %d is down!! %s is dead at %s %s process count is incorrect at %s %s becomes Zombie at...
  • Page 686 Appendix B Log Descriptions Table 248 System Logs (continued) LOG MESSAGE Receive an ARP response from an unknown client In total, received %d arp response packets for the requested IP address Clear arp cache successfully. Client MAC address is not an Ehernet address DHCP request received via interface %s (%s:%s), src_mac:...
  • Page 687 Table 248 System Logs (continued) LOG MESSAGE Update the profile %s has failed because the FQDN %s is not under your control. Update the profile %s has failed because the FQDN %s was blocked for abuse. Update the profile %s has failed because of authentication fail.
  • Page 688 Appendix B Log Descriptions Table 248 System Logs (continued) LOG MESSAGE Update the profile %s has failed because Custom IP was empty. Update the profile %s has failed because WAN interface was empty. The profile %s has been paused because the VRRP status of WAN interface was standby.
  • Page 689: Table 249 Connectivity Check Logs

    Table 248 System Logs (continued) LOG MESSAGE DDNS has been enabled by Device-HA. Disable DDNS has succeeded. Enable DDNS has succeeded. DDNS profile %s has been renamed as %s. DDNS profile %s has been deleted. DDNS Initialization has failed. All DDNS profiles are deleted Table 249 Connectivity Check Logs LOG MESSAGE...
  • Page 690: Table 250 Device Ha Logs

    Table 249 Connectivity Check Logs (continued) LOG MESSAGE Can't get remote address of %s interface Can't get NETMASK address of %s interface Can't get BROADCAST address of %s interface Can't use MULTICAST IP for destination The destination is invalid, because destination IP is broadcast IP...
  • Page 691 Table 250 Device HA Logs (continued) LOG MESSAGE Master configuration is the same with Backup. Skip updating %s file not existed, Skip syncing it for %s Master firmware version can not be recognized. Stop syncing from Master. Device HA Sync has failed when syncing %s for %s due to bad \"Sync Password\".
  • Page 692 Appendix B Log Descriptions Table 250 Device HA Logs (continued) LOG MESSAGE Device HA authentication type for VRRP group %s maybe wrong. Device HA authenticaton string of text for VRRP group %s maybe wrong. Device HA authentication string of AH for VRRP group %s maybe wrong.
  • Page 693: Table 251 Routing Protocol Logs

    Table 251 Routing Protocol Logs LOG MESSAGE RIP on interface %s has been stopped because Device-HA binds this interface. RIP on all interfaces have been stopped Invalid RIP md5 authentication Invalid RIP text authentication. RIP on interface %s has been activated. RIP direction on interface %s has been changed to In-Only.
  • Page 694 Appendix B Log Descriptions Table 251 Routing Protocol Logs (continued) LOG MESSAGE RIP md5 authentication id and key have been deleted. RIP global version has been deleted. RIP redistribute OSPF routes has been disabled. RIP redistribute static routes has been disabled.
  • Page 695: Table 252 Nat Logs

    Table 251 Routing Protocol Logs (continued) LOG MESSAGE Invalid OSPF virtual- link %s authentication of area %s. Invalid OSPF md5 authentication on interface %s. Invalid OSPF text authentication on interface %s. Interface %s does not belong to any OSPF area. Invalid OSPF authentication of area %s on interface %s.
  • Page 696: Table 253 Pki Logs

    Table 252 NAT Logs (continued) LOG MESSAGE Register H.323 ALG extra port=%d failed. Register H.323 ALG signal port=%d failed. Register FTP ALG extra port=%d failed. Register FTP ALG signal port=%d failed. Table 253 PKI Logs LOG MESSAGE Generate X509certifiate "%s"...
  • Page 697 Table 253 PKI Logs (continued) LOG MESSAGE Import X509 certificate "%s" into My Certificate successfully Import X509 certificate "%s" into Trusted Certificate successfully Import PKCS#12 certificate "%s" into "My Certificate" successfully Import PKCS#7 certificate "%s" into "My Certificate" successfully Import PKCS#7 certificate "%s"...
  • Page 698 Appendix B Log Descriptions Table 253 PKI Logs (continued) LOG MESSAGE Export X509 certificate "%s" from "My Certificate" failed Import PKCS#12 certificate "%s" with incorrect password Cert trusted: %s Due to %d, cert not trusted: %s CODE DESCRIPTION Algorithm mismatch between the certificate and the search constraints. Key usage mismatch between the certificate and the search constraints.
  • Page 699: Table 254 Interface Logs

    CODE DESCRIPTION Path was not verified. Maximum path length reached. Table 254 Interface Logs LOG MESSAGE Interface %s has been deleted. AUX Interface dialing failed. This AUX interface is not enabled. AUX Interface disconnecting failed. This AUX interface is not enabled. Please type phone number of interface AUX first then dial...
  • Page 700 Appendix B Log Descriptions Table 254 Interface Logs (continued) LOG MESSAGE %s MTU > (%s MTU - 8), %s may not work correctly. (%s MTU - 8) < %s MTU, %s may not work correctly. Interface %s links down. Default route will not apply until interface %s links up.
  • Page 701: Table 255 Account Logs

    Table 254 Interface Logs (continued) LOG MESSAGE Interface %s is disconnected. Interface %s connect failed: Peer not responding. Interface %s connect failed: PAP authentication failed. Interface %s connect failed: Connect timeout. Interface %s create failed because has no member. Table 255 Account Logs LOG MESSAGE Account %s %s has been deleted.
  • Page 702: Table 257 Force Authentication Logs

    Table 257 Force Authentication Logs LOG MESSAGE Force User Authentication will be enabled due to http server is enabled. Force User Authentication will be disabled due to http server is disabled. Force User Authentication may not work properly! Table 258 File Manager Logs LOG MESSAGE...
  • Page 703: Appendix C Common Services

    APPENDIX The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Numbers Authority) web site. •...
  • Page 704 Appendix C Common Services Table 259 Commonly Used Services (continued) NAME H.323 HTTP HTTPS ICMP IGMP (MULTICAST) MSN Messenger NEW-ICQ NEWS NNTP PING POP3 PPTP PPTP_TUNNEL (GRE) RCMD REAL_AUDIO REXEC RLOGIN RTELNET PROTOCOL PORT(S) DESCRIPTION File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.
  • Page 705 Table 259 Commonly Used Services (continued) NAME PROTOCOL RTSP TCP/UDP SFTP SMTP SNMP TCP/UDP SNMP-TRAPS TCP/UDP SQL-NET TCP/UDP STRM WORKS SYSLOG TACACS TELNET TFTP VDOLIVE PORT(S) DESCRIPTION The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet.
  • Page 707: Appendix D Displaying Anti-Virus Alert Messages In Windows

    APPENDIX Displaying Anti-Virus Alert Messages in Windows With the anti-virus packet scan, when a virus is detected, you can have the ZyWALL display an alert message on Microsoft Windows-based computers. If the log shows that virus files are being detected but your Microsoft Windows-based computer is not displaying an alert message, use one of the following procedures to make sure your computer is set to display the messages.
  • Page 708: Figure 484 Windows Xp: Starting The Messenger Service

    Appendix D Displaying Anti-Virus Alert Messages in Windows Figure 484 Windows XP: Starting the Messenger Service 3 Close the window when you are done. Windows 2000 1 Click Start > Settings > Control Panel > Administrative Tools > Services. Figure 485 Windows 2000: Opening the Services Window 2 Select the Messenger service and click Start Service.
  • Page 709: Figure 486 Windows 2000: Starting The Messenger Service

    Figure 486 Windows 2000: Starting the Messenger Service 3 Close the window when you are done. Windows 98 SE/Me For Windows 98 SE/Me, you must open the WinPopup window in order to view real-time alert messages. Click Start > Run and enter “winpopup” in the field provided and click OK. The WinPopup window displays as shown.
  • Page 710: Figure 489 Windows 98 Se: Task Bar Properties

    Figure 489 Windows 98 SE: Task Bar Properties 3 Double-click Programs and click StartUp. 4 Right-click in the StartUp pane and click New, Shortcut. Figure 490 Windows 98 SE: StartUp 5 A Create Shortcut window displays. Enter “winpopup” in the Command line field and click Next.
  • Page 711: Figure 491 Windows 98 Se: Startup: Create Shortcut

    Figure 491 Windows 98 SE: Startup: Create Shortcut 6 Specify a name for the shortcut or accept the default and click Finish. Figure 492 Windows 98 SE: Startup: Select a Title for the Program 7 A shortcut is created in the StartUp pane. Restart the computer when prompted.
  • Page 712: Figure 493 Windows 98 Se: Startup: Shortcut

    Figure 493 Windows 98 SE: Startup: Shortcut The WinPopup window displays after the computer finishes the startup process (see Figure 487 on page 709).
  • Page 713: Appendix E Importing Certificates

    APPENDIX Importing Certificates This appendix shows importing certificates examples using Netscape Navigator and Internet Explorer 5. This appendix uses the ZyWALL 70 as an example. Other models should be similar. Import ZyWALL Certificates into Netscape Navigator In Netscape Navigator, you can permanently trust the ZyWALL’s server certificate by importing it into your operating system as a trusted certification authority.
  • Page 714: Figure 495 Login Screen

    Appendix E Importing Certificates Figure 495 Login Screen 2 Click Install Certificate to open the Install Certificate wizard. Figure 496 Certificate General Information before Import 3 Click Next to begin the Install Certificate wizard.
  • Page 715: Figure 497 Certificate Import Wizard 1

    Figure 497 Certificate Import Wizard 1 4 Select where you would like to store the certificate and then click Next. Figure 498 Certificate Import Wizard 2 5 Click Finish to complete the Import Certificate wizard.
  • Page 716: Figure 499 Certificate Import Wizard 3

    Figure 499 Certificate Import Wizard 3 6 Click Yes to add the ZyWALL certificate to the root store. Figure 500 Root Certificate Store
  • Page 717: Figure 501 Certificate General Information After Import

    Figure 501 Certificate General Information after Import
  • Page 719: Appendix F Open Software Announcements

    No part may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, except the express written permission of ZyXEL Communications Corporation. This Product includes ppp-2.4.2 software under the PPP License PPP License Copyright (c) 1993 The Australian National University.
  • Page 720 Appendix F Open Software Announcements This Product includes Netkit Telnet -0.17 software under the Netkit Telnet License Netkit Telnet License Copyright (c) 1989 Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1.Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Page 721 This Product includes expat-1.95.6 software under the Expat License Expat License Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:...
  • Page 722: Openssl License

    This Product includes openssl-0.9.8d-ocf software under the OpenSSL License OpenSSL The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts.
  • Page 723: Original Ssleay License

    OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). Original SSLeay License Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved.
  • Page 724 This Product includes libevent-1.1a and xinetd-2.3.14 software under the a 3-clause BSD License a 3-clause BSD-style license This is a Free Software License • This license is compatible with The GNU General Public License, Version 1 •...
  • Page 725 The ISC license for bind is: Copyright (c) 1993-1999 by Internet Software Consortium. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
  • Page 726 Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor"...
  • Page 727 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty- free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.
  • Page 728 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.
  • Page 729: Gnu Lesser General Public License

    Products derived from this software may not be called "Apache", nor may "Apache" appear in their name, without prior written permission of the Apache Software Foundation. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  • Page 730 This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below.
  • Page 731 For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries.
  • Page 732 2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) The modified work must itself be a software library.
  • Page 733 However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.
  • Page 734 It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. 7.
  • Page 735 12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
  • Page 736: Gnu General Public License

    This Product includes bridge-utils, dhcpcd-1.3.22-pl4, rp-pppoe-3.5, vlan-1.8, keepalived-1.1.11-p1, quagga-0.99.2, ez-ipupdate-3.0.11b7, proftpd-1.2.10, libol-0.3.14, syslog-ng-1.6.5, pam-0.76, bison, tzcode2006c, iproute2, iptables-1.2.11/netfilter(kernel), dhcp-helper, busybox, Linux kernel, and pptp- linux-1.4.0 software under GPL license. GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
  • Page 737 TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program"...
  • Page 738 right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
  • Page 739 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License.
  • Page 740 Appendix F Open Software Announcements FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12.
  • Page 741 AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This Product includes libxml2-2.6.8 software under the MIT License The MIT License Copyright (c) <year>...
  • Page 742 Appendix F Open Software Announcements THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  • Page 743 Appendix F Open Software Announcements 2.1 GUBUSOFT hereby grants Customer the following non-exclusive, non-transferable right to use the SOFTWARE. 2.1.3 LIMITATIONS Customer may not rent, lease, or transfer the rights to the SOFTWARE to someone else. Customer may redistribute and use SOFTWARE in source code form provided (a) Customer Applications of SOFTWARE add primary and substantial functionality, and are not merely a set or subset of any of the functionality of the SOFTWARE, or a set or subset of any of the code or other files of the SOFTWARE;...
  • Page 744 Appendix F Open Software Announcements Defensive Suspension. If Customer commences or participates in any legal proceeding against GUBUSOFT, then GUBUSOFT may, in its sole discretion, suspend or terminate all license grants and any other rights provided under this LICENSE during the pendency of such legal proceedings.
  • Page 745 This Product includes overLIB software under the overLIB License (Artistic) License (Artistic) Preamble The intent of this document is to state the conditions under which a Package may be copied, such that the Copyright Holder maintains some semblance of artistic control over the development of the package, while giving the users of the package the right to use and distribute the Package in a more-or-less customary fashion, plus the right to make reasonable modifications.
  • Page 746 Appendix F Open Software Announcements make other distribution arrangements with the Copyright Holder. You may distribute the programs of this Package in object code or executable form, provided that you do at least ONE of the following: distribute a Standard Version of the executables and library files, together with instructions (in the manual page or equivalent) on where to get the Standard Version.
  • Page 747 Appendix F Open Software Announcements BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS. 1.
  • Page 748 Appendix F Open Software Announcements ii.Mechanical Rights and Statutory Royalties. Licensor waives the exclusive right to collect, whether individually or via a music rights agency or designated agent (e.g. Harry Fox Agency), royalties for any phonorecord You create from the Work ("cover version") and distribute, subject to the compulsory license created by 17 USC Section 115 of the US Copyright Act (or the equivalent in other jurisdictions).
  • Page 749 Appendix F Open Software Announcements 5. Representations, Warranties and Disclaimer UNLESS OTHERWISE MUTUALLY AGREED TO BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER...
  • Page 750 Technical Support. End-User License Agreement for "ZyWALL " WARNING: ZyXEL Communications Corp. IS WILLING TO LICENSE THE ENCLOSED SOFTWARE TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS LICENSE AGREEMENT. PLEASE READ THE TERMS CAREFULLY BEFORE COMPLETING THE INSTALLATION PROCESS AS INSTALLING THE SOFTWARE WILL INDICATE YOUR ASSENT TO THEM.
  • Page 751 Appendix F Open Software Announcements You have no ownership rights in the Software. Rather, you have a license to use the Software as long as this License Agreement remains in full force and effect. Ownership of the Software, Documentation and all intellectual property rights therein shall remain at all times with ZyXEL.
  • Page 752 Appendix F Open Software Announcements THE WAIVER OR EXCLUSION OF IMPLIED WARRANTIES SO THEY MAY NOT APPLY TO YOU. IF THIS EXCLUSION IS HELD TO BE UNENFORCEABLE BY A COURT OF COMPETENT JURISDICTION, THEN ALL EXPRESS AND IMPLIED WARRANTIES SHALL BE LIMITED IN DURATION TO A PERIOD OF THIRTY (30) DAYS FROM THE DATE OF PURCHASE OF THE SOFTWARE, AND NO WARRANTIES SHALL APPLY AFTER THAT PERIOD.
  • Page 753 Appendix F Open Software Announcements This License Agreement is effective until it is terminated. You may terminate this License Agreement at any time by destroying or returning to ZyXEL all copies of the Software and Documentation in your possession or under your control. ZyXEL may terminate this License Agreement for any reason, including, but not limited to, if ZyXEL finds that you have violated any of the terms of this License Agreement.
  • Page 755: Appendix G Legal Information

    ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.
  • Page 756 Appendix G Legal Information FCC Warning This device has been tested and found to comply with the limits for a Class A digital switch, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a commercial environment. This device generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications.
  • Page 757 Note Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind to the purchaser.
  • Page 759: Appendix H Customer Support

    • Sales E-mail: sales@zyxel.com.tw • Telephone: +886-3-578-3942 • Fax: +886-3-578-2439 • Web: www.zyxel.com, www.europe.zyxel.com • FTP: ftp.zyxel.com, ftp.europe.zyxel.com • Regular Mail: ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan Costa Rica • Support E-mail: soporte@zyxel.co.cr • Sales E-mail: sales@zyxel.co.cr •...
  • Page 760 Appendix H Customer Support • Regular Mail: ZyXEL Communications, Czech s.r.o., Modranská 621, 143 01 Praha 4 - Modrany, Ceská Republika Denmark • Support E-mail: support@zyxel.dk • Sales E-mail: sales@zyxel.dk • Telephone: +45-39-55-07-00 • Fax: +45-39-55-07-07 • Web: www.zyxel.dk • Regular Mail: ZyXEL Communications A/S, Columbusvej, 2860 Soeborg, Denmark Finland •...
  • Page 761 India • Support E-mail: support@zyxel.in • Sales E-mail: sales@zyxel.in • Telephone: +91-11-30888144 to +91-11-30888153 • Fax: +91-11-30888149, +91-11-26810715 • Web: http://www.zyxel.in • Regular Mail: India - ZyXEL Technology India Pvt Ltd., II-Floor, F2/9 Okhla Phase -1, New Delhi 110020, India Japan •...
  • Page 762 Appendix H Customer Support • Regular Mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806- 2001, U.S.A. Norway • Support E-mail: support@zyxel.no • Sales E-mail: sales@zyxel.no • Telephone: +47-22-80-61-80 • Fax: +47-22-80-61-81 • Web: www.zyxel.no • Regular Mail: ZyXEL Communications A/S, Nils Hansens vei 13, 0667 Oslo, Norway Poland •...
  • Page 763 • Telephone: +44-1344-303044, 08707-555779 (UK only) • Fax: +44-1344-303034 • Web: www.zyxel.co.uk • FTP: ftp.zyxel.co.uk • Regular Mail: ZyXEL Communications UK Ltd., 11 The Courtyard, Eastern Road, Bracknell, Berkshire RG12 2XB, United Kingdom (UK)
  • Page 765: Index

    Numerics 3DES AAA servers and authentication methods and users LDAP Default LDAP Group LDAP group members RADIUS default RADIUS group RADIUS group members RADIUS. See also RADIUS. where used access control access users 503, 505 forcing login forcing login. See also force user authentication policies.
  • Page 766 Index and virtual servers H.323 265, 266 peer-to-peer calls See also VoIP pass through. 265, 267 SIP timeout answer rings Anti-Virus trial service activation updating signatures Anti-virus prerequisites anti-virus alert message alerts black list 411, 413 bypass black list bypass white list EICAR file decompression firmware package blocking...
  • Page 767 and policy routes behavior configured rate effect examples in application patrol interface, outbound. See interfaces. interface’s bandwidth maximize bandwidth usage 227, 232, 382, 383, 384, 395, 399 OSI level-7. See application patrol. over allotment of bandwidth priority priority effect See also application patrol. See also policy routes.
  • Page 768 Index console port speed content (pattern) content filtering 463, 464 and address groups 463, 464, 467 and address objects 463, 464, 467 and registration 466, 469 and schedules 463, 464, 467 and user groups and users by category 463, 468, 471 by keyword (in URL) 463, 480 by URL...
  • Page 769 and interfaces Domain Name System. See DNS. double-encoding Dynamic Domain Name System. See DDNS. Dynamic Host Configuration Protocol. See DHCP. DynDNS see also DDNS. e-Donkey EGP (Exterior Gateway Protocol) EICAR e-mail virus e-Mule Encapsulating Security Payload. See ESP. encapsulation and active protocol transport mode tunnel mode encryption algorithms...
  • Page 770 Index and address objects and schedules prerequisites fragmentation flag fragmentation offset additional signaling port and address groups and address objects and certificates and zones signaling port with Transport Layer Security (TLS) full tunnel mode full-tunnel mode Fully-Qualified Domain Name (FQDN) gateway policy.
  • Page 771 Snort signatures statistics traffic directions updating signatures verifying custom signatures IDP (Intrusion, Detection and Prevention) IDP and AppPatrol trial service activation IDP profiles IDP service group IDP signature categories IDP signatures and synchronization (device HA) IEEE 802.1q. See VLAN. IGP (Interior Gateway Protocol) IHL (IP Header Length) IIS server IIS unicode...
  • Page 772 Index IP static routes. See static routes. IP stream identifier IP v4 packet headers IPSec basic troubleshooting connections Default_L2TP_VPN_Connection Default_L2TP_VPN_Connection example Default_L2TP_VPN_GW Default_L2TP_VPN_GW example established in two phases L2TP VPN local network remote IPSec router remote network SA monitor See also VPN. IPSec SA active protocol and firewall...
  • Page 773 types of log options log options (IDP) logged in users login default settings SSL user logo logout SSL user logs and firewall configuration overview descriptions e-mail profiles e-mailing log messages 626, 631 formats log consolidation specifications syslog servers system types of loose source routing MAC addresses and VLAN...
  • Page 774 Index and RIP and static routes and to-ZyWALL firewall area 0 areas. See OSPF areas. authentication method autonomous system (AS) backbone Configuration steps direction link cost priority redistribute redistribute type (cost) routers. See OSPF routers. virtual links vs RIP OSPF areas and Ethernet interfaces backbone Not So Stubby Area (NSSA)
  • Page 775 as VPN product registration profiles packet inspection protocol usage statistics protocol anomaly 448, 457 protocol anomaly detection proxy servers web. See web proxy servers. Public-Key Infrastructure (PKI) public-private key pairs query view (IDP) 426, 429 Quick Start Guide RADIUS 531, 536 advantages and IKE SA and PPPoE...
  • Page 776 Index and authentication algorithms and Ethernet interfaces See also ALG. safety warnings same IP scanner types schedules and content filtering 463, 464, 467 and current date/time and firewall 287, 394, 396, 398 and force user authentication policies and policy routes 230, 392, 394, 396, 398 one-time recurring...
  • Page 777 and address groups and address objects and certificates and zones client requirements encryption methods for secure Telnet how connection is established versions with Linux with Microsoft Windows 326, 588 certificates computer names full-tunnel mode global setting IP pool monitor network list policy remote user login remote user logout...
  • Page 778 Index T/TCP task bar properties ACK (acknowledgment) ACK number connections port numbers SYN (synchronize) window size TCP Decoder TCP decoy portscan TCP distributed portscan TCP flag bits TCP portscan TCP portsweep TCP RST TCP SYN flood TCPdump Telnet and address groups and address objects and zones with SSH...
  • Page 779 and content filtering and firewall and policy routes 230, 392, 394, 396, 398 configuration overview user names rules user portal See SSL user screens. 331, 334 user portal links user portal logo user sessions. See sessions. user SSL screens 331, 334 access methods bookmarks certificates...
  • Page 780 Index advantages and IPSec SA policy enforcement disadvantages VPN connections and address objects and policy routes 230, 231, 296 VPN gateways and certificates and extended authentication and interfaces and to-ZyWALL firewall VPN. See also IKE SA, IPSec SA. VRRP advertisement interval and to-ZyWALL firewall backup router management IP...
